Hi Alex!

Thanks for the reply. It seems to see the CONNECT, yes.. but still no joy.

192.168.99.100 TCP_MISS/200 114940 CONNECT mail.google.com:443

I'm running - Squid Cache: Version 3.3.1

ssl_crtd is running, having configured it using the example from
http://wiki.squid-cache.org/Features/DynamicSslCert

My config now looks like:

https_port 3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
ssl_bump server-first
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /libexec/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5
append_domain .mtl.fruitbat.ca
#debug_options ALL,2
request_header_add X-GoogApps-Allowed-Domains mydomain.com all

As you can see there, I tried to enable debug but it was just too much chatter so I turned it off.

On Fri, Mar 22, 2013 at 12:19 AM, Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> On 03/21/2013 04:21 PM, Robert Mason wrote:
>> Hi all,
>>
>> I've been trying to set up a system to do ssl interception and dynamic
>> certificate generation in order to prevent our users from signing in
>> to their personal gmail accounts (our company mail is through gmail).
>>
>> From the info here
>> http://support.google.com/a/bin/answer.py?hl=en&answer=1668854 I found
>> that I needed to add a header in the request and have that working:
>>
>> request_header_add X-GoogApps-Allowed-Domains rodeofx.com all
>>
>> adds it to every http request which I'm fine with but I need to add it
>> to https requests and that's not happening.
>>
>> I have tried things like:
>>
>> http_port 192.168.168.253:3128 ssl-bump generate-host-certificates=on
>> dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
>>
>> always_direct allow all
>> ssl_bump allow all
>> # the following two options are unsafe and not always necessary:
>> #sslproxy_cert_error allow all
>> #sslproxy_flags DONT_VERIFY_PEER
>>
>> sslcrtd_program /etc/squid/libexec/squid/ssl_crtd -s
>> /etc/squid/var/lib/ssl_db -M 4MB
>> sslcrtd_children 5
>>
>> No love though.. I still get the regular google cert and don't see
>> certs in my ssl_db folder.
>>
>> If anyone has suggestions to offer I'd really appreciate it.
>
> Does Squid get CONNECT requests for Google domains? Check access.log.
>
> If it does, are there any errors or warnings in cache.log?
>
> Alex.
>
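
The access.log check suggested in the quoted reply, as an added example that is not part of the original thread. It assumes Squid's native access.log layout and that requests decrypted by ssl-bump are logged as separate entries with https:// URLs; the sample lines, the function names and the 203.0.113.x addresses are constructed.

```python
# Added example (not from the thread): classify Google HTTPS traffic in a
# Squid access.log as "tunneled" (only CONNECT seen, so request_header_add
# never touched the inner requests) or "bumped" (decrypted requests logged).
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native log layout:
# time elapsed client action/code bytes method URL ident hierarchy type
SAMPLE_LOG = """\
1363925941.100 5230 192.168.99.100 TCP_MISS/200 114940 CONNECT mail.google.com:443 - HIER_DIRECT/203.0.113.10 -
1363925950.200 310 192.168.99.101 TCP_MISS/200 3120 CONNECT accounts.google.com:443 - HIER_DIRECT/203.0.113.11 -
1363925950.450 120 192.168.99.101 TCP_MISS/200 2871 GET https://accounts.google.com/ServiceLogin - HIER_DIRECT/203.0.113.11 text/html
1363925960.000 80 192.168.99.100 TCP_MISS/200 512 GET http://example.com/ - HIER_DIRECT/203.0.113.12 text/html
"""

def parse_line(line):
    """Return (client, method, host) for CONNECT or https:// entries, else None."""
    fields = line.split()
    if len(fields) < 7:
        return None
    client, method, url = fields[2], fields[5], fields[6]
    if method == "CONNECT":
        host = url.rsplit(":", 1)[0]            # strip the :443 port
    elif url.startswith("https://"):
        host = urlsplit(url).hostname or ""     # decrypted (bumped) request
    else:
        return None                              # plain HTTP: not relevant here
    return client, method, host.lower()

def bump_status(log_text, domain="google.com"):
    """Map (client, host) -> 'bumped' or 'tunneled' for hosts under `domain`."""
    seen = defaultdict(bool)                     # True once a decrypted entry is seen
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, method, host = parsed
        if host != domain and not host.endswith("." + domain):
            continue
        seen[(client, host)] |= (method != "CONNECT")
    return {key: ("bumped" if decrypted else "tunneled")
            for key, decrypted in seen.items()}

if __name__ == "__main__":
    for (client, host), status in sorted(bump_status(SAMPLE_LOG).items()):
        print(f"{client} {host}: {status}")
```

A host that only ever shows up as a large-byte-count CONNECT entry, like the mail.google.com line quoted in the reply above, is reported as tunneled.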