On 03/24/2013 01:39 AM, Robert Mason wrote:
> Hi Alex! Thanks for the reply.
>
> It seems to see the CONNECT yes.. but still no joy.
>
> 192.168.99.100 TCP_MISS/200 114940 CONNECT mail.google.com:443

Good. This means that Squid intercepts HTTPS traffic from the browser.
The next step is to figure out whether Squid bumps those intercepted
connections. Are there non-CONNECT requests for mail.google.com:443 in
access.log?

> ssl_bump server-first

Your ssl_bump directive is missing an ACL. Try adding "all":

    ssl_bump server-first all

HTH,

Alex.

> On Fri, Mar 22, 2013 at 12:19 AM, Alex Rousskov wrote:
>> On 03/21/2013 04:21 PM, Robert Mason wrote:
>>> Hi all,
>>>
>>> I've been trying to set up a system to do ssl interception and dynamic
>>> certificate generation in order to prevent our users from signing in
>>> to their personal gmail accounts (our company mail is through gmail).
>>>
>>> From the info here
>>> http://support.google.com/a/bin/answer.py?hl=en&answer=1668854 I found
>>> that I needed to add a header in the request and have that working:
>>>
>>> request_header_add X-GoogApps-Allowed-Domains rodeofx.com all
>>>
>>> adds it to every http request which I'm fine with but I need to add it
>>> to https requests and that's not happening.
>>>
>>> I have tried things like:
>>>
>>> http_port 192.168.168.253:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
>>>
>>> always_direct allow all
>>> ssl_bump allow all
>>> # the following two options are unsafe and not always necessary:
>>> #sslproxy_cert_error allow all
>>> #sslproxy_flags DONT_VERIFY_PEER
>>>
>>> sslcrtd_program /etc/squid/libexec/squid/ssl_crtd -s /etc/squid/var/lib/ssl_db -M 4MB
>>> sslcrtd_children 5
>>>
>>> No love though.. I still get the regular google cert and don't see
>>> certs in my ssl_db folder.
>>>
>>> If anyone has suggestions to offer I'd really appreciate it.
>>
>> Does Squid get CONNECT requests for Google domains? Check access.log.
>>
>> If it does, are there any errors or warnings in cache.log?
>>
>> Alex.
>>
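
The access.log check described in this thread (CONNECT entries only versus non-CONNECT requests for the same host), as an added example that is not part of the original messages. It assumes Squid's native access.log layout and that decrypted requests are logged with an https:// URL; the function name and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout (not from the thread);
# the peer addresses are documentation-range placeholders.
SAMPLE_LOG = """\
1364103540.123    512 192.168.99.100 TCP_MISS/200 114940 CONNECT mail.google.com:443 - DIRECT/203.0.113.10 -
1364103541.456     87 192.168.99.100 TCP_MISS/200 5321 GET https://mail.google.com/mail/ - DIRECT/203.0.113.10 text/html
1364103542.789    301 192.168.99.100 TCP_MISS/200 20480 CONNECT accounts.google.com:443 - DIRECT/203.0.113.11 -
1364103543.012     15 192.168.99.100 TCP_MISS/200 942 GET http://example.com/ - DIRECT/203.0.113.12 text/html
"""

# result-code/status, bytes, method, URL: the fields visible in the thread's excerpt
ENTRY = re.compile(r"\b(\w+)/(\d{3})\s+(\d+)\s+([A-Z_]+)\s+(\S+)")


def classify_hosts(lines):
    """Return {host: 'bumped' | 'tunneled'} for every HTTPS host in the log."""
    seen = defaultdict(lambda: {"connect": 0, "inner": 0})
    for line in lines:
        m = ENTRY.search(line)
        if not m:
            continue  # blank or unparseable line
        method, url = m.group(4), m.group(5)
        if method == "CONNECT":
            host, _, port = url.rpartition(":")
            if port == "443":
                seen[host.lower()]["connect"] += 1
        elif url.lower().startswith("https://"):
            # Assumption: a decrypted request is logged with its https:// URL
            host = urlsplit(url).hostname
            if host:
                seen[host]["inner"] += 1
    return {h: "bumped" if c["inner"] else "tunneled" for h, c in seen.items()}


if __name__ == "__main__":
    for host, state in sorted(classify_hosts(SAMPLE_LOG.splitlines()).items()):
        print(f"{host:30} {state}")
```

A host reported as tunneled has only CONNECT entries in the log, so headers added with request_header_add never reach the encrypted requests inside that tunnel.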