Re: [squid-users] 3.3.1 ssl-bump-server-first for google domain lockdown

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Tue, 26 Mar 2013 23:27:14 -0600

On 03/24/2013 01:39 AM, Robert Mason wrote:
> Hi Alex! Thanks for the reply.
>
> It seems to see the CONNECT yes.. but still no joy.
>
> 192.168.99.100 TCP_MISS/200 114940 CONNECT mail.google.com:443

Good. This means that Squid intercepts HTTPS traffic from the browser.
The next step is to figure out whether Squid bumps those intercepted
connections. Are there non-CONNECT requests for mail.google.com:443 in
access.log?

> ssl_bump server-first

Your ssl_bump directive is missing an ACL. Try adding "all":

    ssl_bump server-first all

HTH,

Alex.

> On Fri, Mar 22, 2013 at 12:19 AM, Alex Rousskov wrote:
>> On 03/21/2013 04:21 PM, Robert Mason wrote:
>>> Hi all,
>>>
>>> I've been trying to set up a system to do ssl interception and dynamic
>>> certificate generation in order to prevent our users from signing in
>>> to their personal gmail accounts (our company mail is through gmail).
>>>
>>> From the info here
>>> http://support.google.com/a/bin/answer.py?hl=en&answer=1668854 I found
>>> that I needed to add a header in the request and have that working:
>>>
>>> request_header_add X-GoogApps-Allowed-Domains rodeofx.com all
>>>
>>> adds it to every http request which I'm fine with but I need to add it
>>> to https requests and that's not happening.
>>>
>>> I have tried things like:
>>>
>>> http_port 192.168.168.253:3128 ssl-bump generate-host-certificates=on
>>> dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
>>>
>>> always_direct allow all
>>> ssl_bump allow all
>>> # the following two options are unsafe and not always necessary:
>>> #sslproxy_cert_error allow all
>>> #sslproxy_flags DONT_VERIFY_PEER
>>>
>>> sslcrtd_program /etc/squid/libexec/squid/ssl_crtd -s
>>> /etc/squid/var/lib/ssl_db -M 4MB
>>> sslcrtd_children 5
>>>
>>> No love though.. I still get the regular google cert and don't see
>>> certs in my ssl_db folder.
>>>
>>> If anyone has suggestions to offer I'd really appreciate it.
>>
>> Does Squid get CONNECT requests for Google domains? Check access.log.
>>
>> If it does, are there any errors or warnings in cache.log?
>>
>> Alex.
>>
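The check Alex describes (CONNECT entries prove interception, non-CONNECT entries for the same host prove bumping) can be scripted against access.log. The snippet below is an added example and not part of the thread; it assumes Squid's native access.log format (field 6 is the method, field 7 the URL) and uses three constructed log lines as a stand-in for a real log. Pass a real log path as the second argument to run it against your own access.log.

```bash
#!/bin/sh
# Constructed sample in Squid native access.log format (not taken from the thread).
# mail.google.com: CONNECT plus a decrypted GET  -> intercepted and bumped
# accounts.google.com: CONNECT only               -> intercepted, not bumped
# example.com: plain HTTP only                    -> no CONNECT seen at all
SAMPLE_LOG=$(cat <<'EOF'
1364200000.123    120 192.168.99.100 TCP_MISS/200 114940 CONNECT mail.google.com:443 - HIER_DIRECT/203.0.113.10 -
1364200001.456     80 192.168.99.100 TCP_MISS/200 5123 GET https://mail.google.com/mail/u/0/ - HIER_DIRECT/203.0.113.10 text/html
1364200002.789    110 192.168.99.101 TCP_MISS/200 98000 CONNECT accounts.google.com:443 - HIER_DIRECT/203.0.113.11 -
1364200003.012     40 192.168.99.101 TCP_MISS/200 2048 GET http://example.com/ - HIER_DIRECT/203.0.113.12 text/html
EOF
)

# bump_status HOST [LOGFILE]
# Prints "CONNECT=<n> BUMPED=<m>" for HOST: n counts CONNECT tunnels to HOST:port,
# m counts decrypted (non-CONNECT) requests whose URL is https://HOST/...
# Without LOGFILE the constructed sample above is used.
bump_status() {
    host="$1"
    if [ -n "$2" ]; then cat "$2"; else printf '%s\n' "$SAMPLE_LOG"; fi |
    awk -v h="$host" '
        $6 == "CONNECT" && index($7, h ":") == 1              { c++ }
        $6 != "CONNECT" && index($7, "https://" h "/") == 1   { b++ }
        END { printf "CONNECT=%d BUMPED=%d\n", c+0, b+0 }'
}

# bump_verdict HOST [LOGFILE]
# Turns the counts into the three diagnoses from the thread.
bump_verdict() {
    case "$(bump_status "$@")" in
        CONNECT=0*) echo "not intercepted: no CONNECT for $1" ;;
        *BUMPED=0)  echo "intercepted but not bumped: check ssl_bump ACL" ;;
        *)          echo "bumped: decrypted requests for $1 are logged" ;;
    esac
}

# Usage against the constructed sample:
bump_verdict mail.google.com
bump_verdict accounts.google.com
bump_verdict example.com
```

Once decrypted requests show up for a host, the request_header_add line from the original question applies to them as well, since Squid then sees the plaintext HTTP request rather than an opaque tunnel.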
Received on Wed Mar 27 2013 - 05:27:16 MDT

This archive was generated by hypermail 2.2.0 : Fri Mar 29 2013 - 12:00:06 MDT