Hi Alex,

I was so hopeful that that missing all was all I was missing but when I
finally had a chance to test it today it's still not working as
expected. I have moved my config to a separate machine now so I can
test and not disturb anyone.

I also have the cachemgr.cgi interface working and on there have found this:

Cached ssl certificates statistic.
Port  Max mem(KB)  Cert number  KB/cert  Mem used(KB)  Mem free(KB)

nothing in the list. Should I not be seeing my dynamic certs there?

I am seeing GET, POST and CONNECT requests to google in access.log.

Let me know if there are any logs that might be helpful as I now do
have debugging enabled.

Thanks again.

On Wed, Mar 27, 2013 at 1:27 AM, Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> On 03/24/2013 01:39 AM, Robert Mason wrote:
>> Hi Alex! Thanks for the reply.
>>
>> It seems to see the CONNECT yes.. but still no joy.
>>
>> 192.168.99.100 TCP_MISS/200 114940 CONNECT mail.google.com:443
>
> Good. This means that Squid intercepts HTTPS traffic from the browser.
> The next step is to figure out whether Squid bumps those intercepted
> connections. Are there non-CONNECT requests for mail.google.com:443 in
> access.log?
>
>
>> ssl_bump server-first
>
> Your ssl_bump directive is missing an ACL. Try adding "all":
>
> ssl_bump server-first all
>
>
> HTH,
>
> Alex.
>
>
>> On Fri, Mar 22, 2013 at 12:19 AM, Alex Rousskov wrote:
>>> On 03/21/2013 04:21 PM, Robert Mason wrote:
>>>> Hi all,
>>>>
>>>> I've been trying to setup a system to do ssl interception and dynamic
>>>> certificate generation in order to prevent our users from signing in
>>>> to their personal gmail accounts (our company mail is through gmail).
>>>>
>>>> From the info here
>>>> http://support.google.com/a/bin/answer.py?hl=en&answer=1668854 I found
>>>> that I needed to add a header in the request and have that working:
>>>>
>>>> request_header_add X-GoogApps-Allowed-Domains rodeofx.com all
>>>>
>>>> adds it to every http request which I'm fine with but I need to add it
>>>> to https requests and that's not happening.
>>>>
>>>> I have tried things like:
>>>>
>>>> http_port 192.168.168.253:3128 ssl-bump generate-host-certificates=on
>>>> dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
>>>>
>>>> always_direct allow all
>>>> ssl_bump allow all
>>>> # the following two options are unsafe and not always necessary:
>>>> #sslproxy_cert_error allow all
>>>> #sslproxy_flags DONT_VERIFY_PEER
>>>>
>>>> sslcrtd_program /etc/squid/libexec/squid/ssl_crtd -s
>>>> /etc/squid/var/lib/ssl_db -M 4MB
>>>> sslcrtd_children 5
>>>>
>>>> No love though.. I still get the regular google cert and don't see
>>>> certs in my ssl_db folder.
>>>>
>>>> If anyone has suggestions to offer I'd really appreciate it.
>>>
>>> Does Squid get CONNECT requests for Google domains? Check access.log.
>>>
>>> If it does, are there any errors or warnings in cache.log?
>>>
>>> Alex.
>>>
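
The access.log check discussed in this thread (whether a CONNECT to port 443 is followed by non-CONNECT `https://` requests for the same host, which is what a bumped tunnel looks like in the log), written out as an added example that is not part of the thread or of Squid itself. The sample log lines are constructed, `accounts.example.test` and the function names are hypothetical, and the script assumes Squid's native access.log layout with CONNECT logged by host name.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

RESULT = re.compile(r"^[A-Z_]+/\d{3}$")  # result code field, e.g. TCP_MISS/200

# Constructed sample lines in Squid's native access.log layout.
SAMPLE_LOG = """\
1364371620.101    512 192.168.99.100 TCP_MISS/200 114940 CONNECT mail.google.com:443 - DIRECT/203.0.113.10 -
1364371621.220     88 192.168.99.100 TCP_MISS/200 5120 GET http://www.google.com/ - DIRECT/203.0.113.11 text/html
1364371630.007    430 192.168.99.101 TCP_MISS/200 390 CONNECT accounts.example.test:443 - DIRECT/203.0.113.20 -
1364371630.512    120 192.168.99.101 TCP_MISS/200 2048 POST https://accounts.example.test/login - DIRECT/203.0.113.20 text/html
"""

def parse(line):
    """Return (client, method, url), or None if the line has no result code.

    Fields are located relative to the result code, so abbreviated lines
    that omit the timestamp and elapsed time still parse.
    """
    tok = line.split()
    for i, field in enumerate(tok):
        if RESULT.match(field) and i >= 1 and i + 3 < len(tok):
            return tok[i - 1], tok[i + 2], tok[i + 3]
    return None

def bump_status(lines):
    """Map (client, host) -> 'bumped' or 'tunnel-only' for each :443 CONNECT."""
    tunnels = set()
    inner = defaultdict(int)  # decrypted https:// requests seen per (client, host)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        client, method, url = rec
        if method == "CONNECT":
            host, _, port = url.rpartition(":")
            if port == "443":
                tunnels.add((client, host))
        elif url.lower().startswith("https://"):
            # Plain http:// GET/POST lines say nothing about bumping.
            inner[(client, urlsplit(url).hostname)] += 1
    return {key: "bumped" if inner.get(key) else "tunnel-only" for key in tunnels}

if __name__ == "__main__":
    for (client, host), status in sorted(bump_status(SAMPLE_LOG.splitlines()).items()):
        print(f"{client} {host}: {status}")
```

A host reported as `tunnel-only` was relayed without decryption, so header rules such as `request_header_add` never saw the requests inside the tunnel.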