[squid-users] 3.3.1 ssl-bump-server-first for google domain lockdown

From: Robert Mason <rmason_at_rodeofx.com>
Date: Thu, 21 Mar 2013 18:21:23 -0400

Hi all,

I've been trying to set up a system to do ssl interception and dynamic
certificate generation in order to prevent our users from signing in
to their personal gmail accounts (our company mail is through gmail).

From the info here
http://support.google.com/a/bin/answer.py?hl=en&answer=1668854 I found
that I needed to add a header in the request and have that working:

request_header_add X-GoogApps-Allowed-Domains rodeofx.com all

adds it to every http request which I'm fine with but I need to add it
to https requests and that's not happening.

I have tried things like:

http_port 192.168.168.253:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem

always_direct allow all
ssl_bump allow all
# the following two options are unsafe and not always necessary:
#sslproxy_cert_error allow all
#sslproxy_flags DONT_VERIFY_PEER

sslcrtd_program /etc/squid/libexec/squid/ssl_crtd -s /etc/squid/var/lib/ssl_db -M 4MB
sslcrtd_children 5

No love though.. I still get the regular google cert and don't see
certs in my ssl_db folder.

If anyone has suggestions to offer I'd really appreciate it.

TIA,
R
Received on Thu Mar 21 2013 - 22:21:30 MDT
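
A sanity check for the directives quoted in the message above, added here as an example; it is not part of the original post and not Squid's own tooling. The helper name lint_ssl_bump is hypothetical, the sample is constructed from the post's lines with the mail's wrapping left in, and the check assumes each directive occupies one physical line with no continuation characters.

```python
import re

# Constructed sample: the directives from the post, with the mail's line
# wrapping left in place, as they would look if pasted verbatim into squid.conf.
SAMPLE_WRAPPED = """\
http_port 192.168.168.253:3128 ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
always_direct allow all
ssl_bump allow all
sslcrtd_program /etc/squid/libexec/squid/ssl_crtd -s
/etc/squid/var/lib/ssl_db -M 4MB
sslcrtd_children 5
request_header_add X-GoogApps-Allowed-Domains rodeofx.com all
"""

# Assumption: a directive name is a lowercase word made of letters, digits, underscores.
DIRECTIVE = re.compile(r"^[a-z][a-z0-9_]*$")

def lint_ssl_bump(conf_text):
    """Return a list of findings for the ssl-bump part of a squid.conf."""
    findings, directives = [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        if not DIRECTIVE.match(name):
            findings.append(f"line {lineno}: '{name}' is not a directive; "
                            "looks like a wrapped continuation of the previous line")
            continue
        directives.append((lineno, name, args))
    # Options of a bumping port are only seen if they sit on the http_port line itself.
    bump_ports = [(n, a) for n, d, a in directives
                  if d == "http_port" and "ssl-bump" in a]
    if not bump_ports:
        findings.append("no http_port carries the ssl-bump flag")
    for lineno, args in bump_ports:
        for needed in ("cert=", "generate-host-certificates=on"):
            if not any(a.startswith(needed) for a in args):
                findings.append(f"line {lineno}: http_port ssl-bump without {needed}")
    names = {d for _, d, _ in directives}
    for needed in ("ssl_bump", "sslcrtd_program"):
        if needed not in names:
            findings.append(f"missing directive: {needed}")
    for lineno, d, args in directives:
        if d == "sslcrtd_program" and args and args[-1] == "-s":
            findings.append(f"line {lineno}: sslcrtd_program -s has no database path")
    return findings
```

Run it over the live file with lint_ssl_bump(open("/etc/squid/squid.conf").read()); an empty list means the structural pieces are present, not that interception is working.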
