On 03/28/2013 04:11 PM, Robert Mason wrote:
> I am seeing GET, POST and CONNECT requests to google in access.log.

Just to make sure we are on the same page, are all of the items below true?

1. You see a CONNECT request to google.com in access.log.

2. You see a non-CONNECT request to google.com from the same
   client-Squid connection as CONNECT request in #1 but logged after #1.

3. You see an origin server certificate _signed_ by Google when looking
   at responses for request in #2.

You can use browser tools like FireBug or %>p logformat code to make sure
that records in #1 and #2 belong to the same client-Squid connection.

If you see #1 but not #2, then your Squid is not bumping. If you also see
errors or warnings in cache.log, they may explain why.

If you see #1, #2, and #3, then check again because that combination is
not possible.

Thank you,

Alex.

> On Wed, Mar 27, 2013 at 1:27 AM, Alex Rousskov
> <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>> On 03/24/2013 01:39 AM, Robert Mason wrote:
>>> Hi Alex! Thanks for the reply.
>>>
>>> It seems to see the CONNECT yes.. but still no joy.
>>>
>>> 192.168.99.100 TCP_MISS/200 114940 CONNECT mail.google.com:443
>>
>> Good. This means that Squid intercepts HTTPS traffic from the browser.
>> The next step is to figure out whether Squid bumps those intercepted
>> connections. Are there non-CONNECT requests for mail.google.com:443 in
>> access.log?
>>
>>
>>> ssl_bump server-first
>>
>> Your ssl_bump directive is missing an ACL. Try adding "all":
>>
>> ssl_bump server-first all
>>
>>
>> HTH,
>>
>> Alex.
>>
>>
>>> On Fri, Mar 22, 2013 at 12:19 AM, Alex Rousskov wrote:
>>>> On 03/21/2013 04:21 PM, Robert Mason wrote:
>>>>> Hi all,
>>>>>
>>>>> I've been trying to set up a system to do ssl interception and dynamic
>>>>> certificate generation in order to prevent our users from signing in
>>>>> to their personal gmail accounts (our company mail is through gmail).
>>>>>
>>>>> From the info here
>>>>> http://support.google.com/a/bin/answer.py?hl=en&answer=1668854 I found
>>>>> that I needed to add a header in the request and have that working:
>>>>>
>>>>> request_header_add X-GoogApps-Allowed-Domains rodeofx.com all
>>>>>
>>>>> adds it to every http request which I'm fine with but I need to add it
>>>>> to https requests and that's not happening.
>>>>>
>>>>> I have tried things like:
>>>>>
>>>>> http_port 192.168.168.253:3128 ssl-bump generate-host-certificates=on
>>>>> dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
>>>>>
>>>>> always_direct allow all
>>>>> ssl_bump allow all
>>>>> # the following two options are unsafe and not always necessary:
>>>>> #sslproxy_cert_error allow all
>>>>> #sslproxy_flags DONT_VERIFY_PEER
>>>>>
>>>>> sslcrtd_program /etc/squid/libexec/squid/ssl_crtd -s
>>>>> /etc/squid/var/lib/ssl_db -M 4MB
>>>>> sslcrtd_children 5
>>>>>
>>>>> No love though.. I still get the regular google cert and don't see
>>>>> certs in my ssl_db folder.
>>>>>
>>>>> If anyone has suggestions to offer I'd really appreciate it.
>>>>
>>>> Does Squid get CONNECT requests for Google domains? Check access.log.
>>>>
>>>> If it does, are there any errors or warnings in cache.log?
>>>>
>>>> Alex.
>>>>
>>
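
The access.log check from items 1 and 2 of the top reply, as an added example that is not part of the original thread: it groups log records by client IP and client port (the %>p field) and reports whether each CONNECT was followed by a non-CONNECT request on the same client-Squid connection. The log layout, the `bumpcheck` logformat name, and the sample lines are assumptions constructed for illustration.

```python
# Assumed custom access.log layout (not from the thread):
#   logformat bumpcheck %ts.%03tu %>a %>p %Ss/%>Hs %rm %ru
# Fields: timestamp, client IP, client port, status, method, URL.
# The sample lines below are constructed, not captured from a real proxy.
SAMPLE_LOG = """\
1364500000.101 192.168.99.100 50312 TCP_MISS/200 CONNECT mail.google.com:443
1364500000.350 192.168.99.100 50312 TCP_MISS/200 GET https://mail.google.com/mail/
1364500001.020 192.168.99.100 50313 TCP_MISS/200 CONNECT accounts.google.com:443
1364500001.500 192.168.99.100 50314 TCP_MISS/200 GET http://www.google.com/
"""


def classify_connections(log_text):
    """Return (client_ip, client_port, connect_target, verdict) per CONNECT.

    verdict is "bumped" when a non-CONNECT request was logged after the
    CONNECT on the same client IP and port, otherwise "not bumped".
    """
    records = []      # one entry per CONNECT, in log order
    open_tunnel = {}  # (ip, port) -> index of the latest CONNECT record
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # skip blank or truncated lines
        _ts, ip, port, _status, method, url = fields[:6]
        conn = (ip, port)
        if method == "CONNECT":
            # A new CONNECT on a reused ip:port starts a fresh record.
            open_tunnel[conn] = len(records)
            records.append([ip, port, url, "not bumped"])
        elif conn in open_tunnel:
            # Decrypted request seen inside the tunnel: Squid bumped it.
            records[open_tunnel[conn]][3] = "bumped"
        # Requests on connections with no CONNECT are plain HTTP; ignore.
    return [tuple(r) for r in records]


if __name__ == "__main__":
    for ip, port, target, verdict in classify_connections(SAMPLE_LOG):
        print(f"{ip}:{port} CONNECT {target} -> {verdict}")
```

A "not bumped" verdict corresponds to seeing #1 without #2; cache.log is the next place to look in that case.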