Log HTTPS pages with MikroTik proxy

Hi,
I’ve just set up a hotspot and all works correctly… I also set up the proxy so all user requests are logged to a remote db. Now I want to log https requests too… how can I do it??
In other words…Is there a way to log https pages requested by hotspot users?

THANKS a lot…

The proxy can’t proxy HTTPS, so it’s not going to log it. Use Traffic Flow to see IP addresses involved in TCP/443 traffic, but that’s not going to give you the path request.

They would have to configure their browser to use the proxy directly and not transparently. Not really feasible in a hotspot environment.

EDIT: The proxy can proxy HTTPS, just not transparently.

So…If I want to use the transparent proxy configuration…there is no workaround…even if the only thing that I need is to log https pages requested by users?

It is technically impossible to transparently proxy https pages. It is encrypted from start to finish, so the only 2 devices that know what the http headers contain are the client and the server.

Hence, SECURE. :wink: If you use a proxy, the https client issues a connect to the proxy asking it to create a tunnel to x.y.z:443 on its behalf, then the https session begins. This CAN be logged, but only if the client is configured to use ip.of.pro.xy:8080 in its browser/os configuration.

You could log any NEW outgoing connections on port 443 (make sure you do new only or every packet will be logged):

/ip firewall filter add chain=forward connection-state=new in-interface=etherx(nat facing) out-interface=ethery(internet facing) src-address=ip.of.nat.subnet/mask dst-port=443 protocol=tcp action=log

This will log the NAT user's IP address and the destination IP address of the port 443 HTTPS server. You wouldn't know the actual hostname or URL, though.
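What the explicit-proxy case described above leaves for the proxy to log, as an added example that is not part of the original thread: a CONNECT request carries only host and port, while a plain-HTTP request through the proxy carries the full URL. The function names and the sample request lines are constructed for illustration.

```python
from urllib.parse import urlsplit

def loggable_fields(request_line):
    """Return what an explicit (non-transparent) proxy can log from a request line."""
    parts = request_line.strip().split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {request_line!r}")
    method, target = parts[0].upper(), parts[1]

    if method == "CONNECT":
        # HTTPS through a configured proxy: the target is "host:port" only.
        # Path, query and headers travel inside the TLS tunnel, unseen.
        host, sep, port = target.rpartition(":")
        host = host.strip("[]")  # IPv6 literals arrive as [addr]:port
        if not sep or not host or not port.isdigit():
            raise ValueError(f"bad CONNECT target: {target!r}")
        return {"method": method, "host": host.lower(), "port": int(port), "path": None}

    # Plain HTTP through a configured proxy: the target is the absolute URL.
    url = urlsplit(target)
    if url.scheme != "http" or not url.hostname:
        raise ValueError(f"not a proxy-style HTTP target: {target!r}")
    path = (url.path or "/") + (f"?{url.query}" if url.query else "")
    return {"method": method, "host": url.hostname, "port": url.port or 80, "path": path}

# Constructed sample request lines, as a browser configured for the proxy sends them.
SAMPLES = [
    "GET http://www.example.com/news/index.html?id=7 HTTP/1.1",
    "CONNECT mail.example.com:443 HTTP/1.1",
    "CONNECT [2001:db8::1]:443 HTTP/1.1",
]

def log_lines(request_lines):
    """Format one log entry per request; HTTPS entries have no path to show."""
    out = []
    for line in request_lines:
        f = loggable_fields(line)
        shown = f["path"] if f["path"] is not None else "(encrypted)"
        out.append(f'{f["method"]} {f["host"]}:{f["port"]} {shown}')
    return out

if __name__ == "__main__":
    print("\n".join(log_lines(SAMPLES)))
```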

> It is technically impossible to transparently proxy https pages.

That’s not entirely true.
Using a transparent proxy you can end HTTPS, inspect the traffic and re-encrypt the connection.
That is something supported by many business firewalls like Forefront TMG.
The only limitation here is that a browser would normally warn about the certificate issue, but as companies can control which certificates their browsers trust, the only means of reliably knowing of such an attack is by verifying the fingerprint.

Yes, I understand, but I don't consider breaking the security of an SSL connection a good thing. Businesses can also set proxy configuration and not break SSL.