Re: [squid-users] 3.3.1 ssl-bump-server-first for google domain lockdown

From: Robert Mason <rmason_at_rodeofx.com>
Date: Sun, 24 Mar 2013 03:39:43 -0400

Hi Alex! Thanks for the reply.

It seems to see the CONNECT yes.. but still no joy.

192.168.99.100 TCP_MISS/200 114940 CONNECT mail.google.com:443

I'm running - Squid Cache: Version 3.3.1

ssl_crtd is running having configured it using the example from
http://wiki.squid-cache.org/Features/DynamicSslCert

My config now looks like:

https_port 3128 intercept ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem

ssl_bump server-first
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

sslcrtd_program /libexec/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5

append_domain .mtl.fruitbat.ca

#debug_options ALL,2

request_header_add X-GoogApps-Allowed-Domains mydomain.com all

As you can see there, I tried to enable debug, but it was just too much
chatter so I turned it off.

On Fri, Mar 22, 2013 at 12:19 AM, Alex Rousskov
<rousskov_at_measurement-factory.com> wrote:
> On 03/21/2013 04:21 PM, Robert Mason wrote:
>> Hi all,
>>
>> I've been trying to setup a system to do ssl interception and dynamic
>> certificate generation in order to prevent our users from signing in
>> to their personal gmail accounts (our company mail is through gmail).
>>
>> From the info here
>> http://support.google.com/a/bin/answer.py?hl=en&answer=1668854 I found
>> that I needed to add a header in the request and have that working:
>>
>> request_header_add X-GoogApps-Allowed-Domains rodeofx.com all
>>
>> adds it to every http request which I'm fine with but I need to add it
>> to https requests and that's not happening.
>>
>> I have tried things like:
>>
>> http_port 192.168.168.253:3128 ssl-bump generate-host-certificates=on
>> dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
>>
>> always_direct allow all
>> ssl_bump allow all
>> # the following two options are unsafe and not always necessary:
>> #sslproxy_cert_error allow all
>> #sslproxy_flags DONT_VERIFY_PEER
>>
>> sslcrtd_program /etc/squid/libexec/squid/ssl_crtd -s
>> /etc/squid/var/lib/ssl_db -M 4MB
>> sslcrtd_children 5
>>
>> No love though.. I still get the regular google cert and don't see
>> certs in my ssl_db folder.
>>
>> If anyone has suggestions to offer I'd really appreciate it.
>
> Does Squid get CONNECT requests for Google domains? Check access.log.
>
> If it does, are there any errors or warnings in cache.log?
>
> Alex.
>
Received on Sun Mar 24 2013 - 07:39:52 MDT
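A log check in the spirit of Alex's question, added here as an example and not taken from the thread: in Squid's native access.log a tunnel that was really bumped produces decrypted `GET https://...` lines alongside the `CONNECT`, so a host that only ever shows `CONNECT` is one where `request_header_add` can never have injected the X-GoogApps-Allowed-Domains header. The log format fields, sample lines, IPs and hostnames below are assumed or constructed.

```python
"""Classify TLS hosts in a Squid native access.log as bumped or tunnel-only."""
import re
from collections import defaultdict

# Assumed Squid 3.x native log layout:
# time elapsed client action/code size method url ident hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>\S+)\s+(?P<size>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

def host_of(method, url):
    """CONNECT lines carry host:port; bumped requests carry a full https:// URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    m = re.match(r"https?://([^/:]+)", url)
    return m.group(1) if m else None

def bump_status(lines):
    """Return {host: {'connect': n, 'decrypted': n}} for every TLS host seen."""
    stats = defaultdict(lambda: {"connect": 0, "decrypted": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed native format
        method, url = m.group("method"), m.group("url")
        host = host_of(method, url)
        if host is None:
            continue
        if method == "CONNECT":
            stats[host]["connect"] += 1
        elif url.startswith("https://"):
            stats[host]["decrypted"] += 1  # only visible when ssl-bump worked
    return dict(stats)

def tunnel_only_hosts(lines, suffix=".google.com"):
    """Hosts under suffix where Squid saw CONNECT but never a decrypted request."""
    return sorted(h for h, s in bump_status(lines).items()
                  if (h == suffix.lstrip(".") or h.endswith(suffix))
                  and s["connect"] and not s["decrypted"])

# Constructed sample lines (not the thread's real log); 192.0.2.x are test-net IPs.
SAMPLE_LOG = [
    "1364102383.123   1200 192.168.99.100 TCP_MISS/200 114940 CONNECT mail.google.com:443 - HIER_DIRECT/192.0.2.10 -",
    "1364102384.456     45 192.168.99.100 TCP_MISS/200 5120 CONNECT accounts.google.com:443 - HIER_DIRECT/192.0.2.11 -",
    "1364102384.789     60 192.168.99.100 TCP_MISS/200 8192 GET https://accounts.google.com/ServiceLogin - HIER_DIRECT/192.0.2.11 text/html",
    "1364102385.000     30 192.168.99.100 TCP_MISS/200 2048 GET http://www.example.com/ - HIER_DIRECT/192.0.2.12 text/html",
]

if __name__ == "__main__":
    print("tunnel-only Google hosts:", tunnel_only_hosts(SAMPLE_LOG))
```

Run it against the real access.log with `tunnel_only_hosts(open("/var/log/squid/access.log"))`; any Google host it lists is traffic the header rule is not reaching.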