Enable logging of HTTPS URL

Article ID: 166412

Products

ProxySG Software - SGOS

Issue/Introduction

The access log does not show the HTTPS URL even though SSL is intercepted.

Environment

When SSL interception is implemented, ProxySG decrypts HTTPS traffic, and as a result the transaction details of the HTTPS URL (URL path and others) become available for logging.
 

Resolution

To log these details along with the useful SSL components of the transaction, a log format with relevant fields from both ‘main’ and ‘ssl’ can be used.

An example Extended Log File Format (ELFF) string is given below:
date time time-taken c-ip s-action x-rs-certificate-validate-status x-rs-certificate-observed-errors cs-uri-scheme s-ip cs-host cs-uri-port cs-uri-path
cs-uri-query cs-username cs-auth-groups s-hierarchy s-supplier-name rs(Content-Type) cs(Referer) cs(User-Agent) x-rs-connection-negotiated-ssl-version
x-rs-connection-negotiated-cipher x-rs-connection-negotiated-cipher-size x-rs-certificate-hostname x-rs-certificate-hostname-category cs-categories
x-cs-connection-negotiated-ssl-version x-cs-connection-negotiated-cipher x-cs-connection-negotiated-cipher-size
 
Follow the steps below to create a log format with the above string, assign this log format to a log, and apply the log to HTTPS Forward Proxy.
  1. Create a new log format named “sample” from Configuration > Access Logging > Log Format > New.
  2. Create a new log “sample” and assign the log format created in step 1 to this log from Configuration > Access Logging > Log > New.
  3. To enable access logging for this log, apply the newly created log to HTTPS Forward Proxy. Go to Access Logging > General, select “HTTPS Forward Proxy” and edit it, then select “sample” as the default log.

Access logging is now enabled for the log “sample”, and the complete HTTPS URL along with the SSL components of the transaction can be accessed from this log.

Additional Information

Please note that adding cs-uri-query (the query string), cs-uri-path and cs(Referer) to the SSL access logs might inadvertently expose sensitive user data, such as user names and passwords, in the access logs.
Typically this data would be encrypted, but if the ProxySG is doing SSL interception it will decrypt the contents and write the results to the access logs, where they will be visible in clear text.
We therefore do not recommend this configuration unless there is a special reason for it.
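
One way to check a log produced with these fields for the exposure described above, and to redact it before the log is shared, is sketched below in Python. It is an added example, not part of the original article or of the product. It assumes the log carries the ELFF `#Fields:` directive and that values containing spaces are double-quoted; the list of sensitive parameter names and the sample lines are constructed for illustration.

```python
import re

# Fields the article warns can carry credentials once SSL is intercepted.
RISKY_FIELDS = ("cs-uri-query", "cs(Referer)")
# Parameter names treated as secrets: an assumption, extend for your applications.
SECRET_PARAM = re.compile(
    r'(?i)(?:^|(?<=[?&"]))(password|passwd|pwd|token|secret|api_key|sessionid)=([^&\s"]+)'
)
# ELFF values are space-separated; values containing spaces are double-quoted.
TOKEN = re.compile(r'"[^"]*"|\S+')


def audit_elff(lines):
    """Return (findings, redacted_lines) for an ELFF access log.

    findings holds (line_number, field_name, parameter_name) tuples. Columns
    are located through the '#Fields:' directive, so field order is free.
    """
    fields, findings, redacted = [], [], []
    for number, line in enumerate(lines, start=1):
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        values = TOKEN.findall(line)
        if line.startswith("#") or len(values) != len(fields):
            redacted.append(line)  # directive or malformed line: keep as is
            continue
        for index, name in enumerate(fields):
            if name in RISKY_FIELDS:
                for match in SECRET_PARAM.finditer(values[index]):
                    findings.append((number, name, match.group(1).lower()))
                values[index] = SECRET_PARAM.sub(r"\1=REDACTED", values[index])
        redacted.append(" ".join(values))
    return findings, redacted


# Constructed sample log (not real traffic), using a subset of the page's fields.
SAMPLE = [
    "#Fields: date time c-ip cs-host cs-uri-path cs-uri-query cs(Referer) cs(User-Agent)",
    '2024-01-01 10:00:00 10.0.0.5 portal.example.com /login '
    '?user=alice&password=Hunter2 - "Mozilla/5.0 (X11; Linux x86_64)"',
    '2024-01-01 10:00:02 10.0.0.5 portal.example.com /home - '
    'https://portal.example.com/reset?token=abc123 "Mozilla/5.0 (X11; Linux x86_64)"',
    "2024-01-01 10:00:05 10.0.0.7 static.example.com /app.css - - curl/8.0",
]

if __name__ == "__main__":
    found, cleaned = audit_elff(SAMPLE)
    print(found)
    print("\n".join(cleaned))
```

Lines whose column count does not match the `#Fields:` directive are passed through unchanged, so review those separately before treating a redacted log as clean.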