I've been tasked with preventing a client's users from accessing consumer Gmail accounts while only accessing their corporate Google Apps accounts. Google gives an overview here: https://support.google.com/a/answer/1668854?hl=en. So, I've set up Squid 3.54 on CentOS 7 with ssl-bump and dynamic certificates and "request_header_add". When manually configuring proxy settings on my browser I get the desired result. I also see TCP_MISS in the Squid access.log file -- here's a sample:

1432131282.366 85 192.168.6.134 TCP_MISS/200 521 GET https://mail.google.com/mail/images/cleardot.gif? - HIER_DIRECT/216.58.217.37 image/gif
1432131282.373 40 192.168.6.134 TCP_MISS/200 496 POST https://clients1.google.com/tbproxy/af/query? - HIER_DIRECT/216.58.217.46 text/xml
1432131286.863 109 192.168.6.134 TCP_MISS/200 1191 POST https://accounts.google.com/accountLoginInfoXhr - HIER_DIRECT/216.58.217.45 application/javascript
1432131286.930 41 192.168.6.134 TCP_MISS/200 501 POST https://clients1.google.com/tbproxy/af/query? - HIER_DIRECT/216.58.217.46 text/xml
1432131287.673 10190 192.168.6.134 TCP_TUNNEL/200 3888 CONNECT gmail.com:443 - HIER_DIRECT/216.58.217.37 -
1432131289.543 74 192.168.6.134 TCP_MISS/302 2930 POST https://accounts.google.com/ServiceLoginAuth - HIER_DIRECT/216.58.217.45 text/html
1432131289.690 140 192.168.6.134 TCP_MISS/302 2900 GET https://accounts.google.com/CheckCookie? - HIER_DIRECT/216.58.217.45 text/html
1432131289.828 82 192.168.6.134 TCP_MISS/302 891 GET https://mail.google.com/mail/? - HIER_DIRECT/216.58.217.37 text/html
1432131289.911 79 192.168.6.134 TCP_MISS/200 1884 GET https://accounts.google.com/b/0/DomainRestrictedNetwork? - HIER_DIRECT/216.58.217.45 text/html
1432131289.969 33 192.168.6.134 TCP_MISS/200 4353 GET https://www.google.com/intl/en/images/logos/accounts_logo.gif - HIER_DIRECT/216.58.217.36 image/gif

I'm trying to set up this single machine as a transparent bridge with Squid so that I can go throw it in between the LAN and the router/firewall and just have it intercept web traffic without having to reconfigure clients (Windows desktops wouldn't be a big deal but mobile devices would be a problem). So, with that in mind I've got 2 NICs on the box and have configured it as a bridge. I'm using ebtables to redirect traffic for port 80 and 443 up to iptables which then in turn redirects to Squid using TPROXY. All this seems to work.

Here are my ebtables entries:

# inbound traffic
ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-dport 443 -j redirect --redirect-target DROP
# returning outbound traffic
ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -p IPv4 --ip-proto tcp --ip-sport 443 -j redirect --redirect-target DROP

Here are my iptables entries:

## interface facing clients
CLIENT_IFACE=ens4
## interface facing Internet
INET_IFACE=enp1s0
#Setup DIVERT chain to mark packets:
iptables -t mangle -N DIVERT
#Use DIVERT to prevent existing connections going through TPROXY twice:
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
#DIVERT chain: mark packets and accept
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
#Mark all other (new) packets and use TPROXY to pass into Squid:
iptables -t mangle -A PREROUTING -i $CLIENT_IFACE -p tcp --dport 80 -j TPROXY --on-ip 0.0.0.0 --on-port 3126 --tproxy-mark 0x1/0x1
iptables -t mangle -A PREROUTING -i $INET_IFACE -p tcp --sport 80 -j MARK --set-mark 0x1/0x1
iptables -t mangle -A PREROUTING -i $CLIENT_IFACE -p tcp --dport 443 -j TPROXY --on-ip 0.0.0.0 --on-port 3127 --tproxy-mark 0x1/0x1
iptables -t mangle -A PREROUTING -i $INET_IFACE -p tcp --sport 443 -j MARK --set-mark 0x1/0x1

I have Squid listening on 3126 for HTTP and TPROXY, 3127 for HTTPS, TPROXY and SSLBUMP, and 3128 for manual connections and SSLBUMP (see Squid config below). I also have these entries among other things for TPROXY to work:

ip rule add fwmark 1/1 table 100
ip route add local 0.0.0.0/0 dev lo table 100

So, with all this in place, when I access the web without manually configuring my browser's proxy settings I am able to browse using this transparent redirect mode. However, the ssl-bump does not seem to be working right in this mode and thus my Google "request_header_add" does not seem to be working. Here's a sample of what I see in Squid's access.log when going to Gmail through the transparent redirection:

1432132109.580 16670 192.168.6.133 TCP_TUNNEL/200 4791 CONNECT 98.139.225.168:443 - ORIGINAL_DST/98.139.225.168 -
1432132109.581 19654 192.168.6.133 TCP_TUNNEL/200 6480 CONNECT 98.137.201.111:443 - ORIGINAL_DST/98.137.201.111 -
1432132109.582 19655 192.168.6.133 TCP_TUNNEL/200 6480 CONNECT 98.137.201.111:443 - ORIGINAL_DST/98.137.201.111 -
1432132109.582 16655 192.168.6.133 TCP_TUNNEL/200 2765 CONNECT 152.163.66.141:443 - ORIGINAL_DST/152.163.66.141 -
1432132109.582 19605 192.168.6.133 TCP_TUNNEL/200 6496 CONNECT 98.138.74.35:443 - ORIGINAL_DST/98.138.74.35 -
1432132109.582 19535 192.168.6.133 TCP_TUNNEL/200 3636 CONNECT 68.142.123.254:443 - ORIGINAL_DST/68.142.123.254 -
1432132109.583 19535 192.168.6.133 TCP_TUNNEL/200 3636 CONNECT 68.142.123.254:443 - ORIGINAL_DST/68.142.123.254 -
1432132109.583 19544 192.168.6.133 TCP_TUNNEL/200 4835 CONNECT 98.138.250.100:443 - ORIGINAL_DST/98.138.250.100 -
1432132109.583 19545 192.168.6.133 TCP_TUNNEL/200 4835 CONNECT 98.138.250.100:443 - ORIGINAL_DST/98.138.250.100 -
1432132119.593 12771 192.168.6.133 TCP_TUNNEL/200 3861 CONNECT 216.58.217.36:443 - ORIGINAL_DST/216.58.217.36 -

Here's my squid.conf file:

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl Google dstdomain .google.com
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3126 tproxy
https_port 3127 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem
#always_direct allow all
ssl_bump server-first Google
#sslproxy_cert_error deny all
#sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
shutdown_lifetime 1 second
request_header_add X-GoogApps-Allowed-Domains "mydomain.com" Google

Being a novice at Squid and iptables I've done a lot of Googling to get this far but have hit the wall I think with this problem. Can anyone see why the ssl-bump might not be working for tproxy connections? What am I missing?

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
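A quick way to check from access.log whether Squid actually bumped a TLS session or only tunneled it, as an added example that is not part of the original post or of Squid: a bumped session leaves TCP_MISS entries with the inner https:// URL, whereas an intercepted session Squid only saw the original destination IP for leaves nothing but a TCP_TUNNEL CONNECT to a bare IP with ORIGINAL_DST. It assumes Squid's default native log format shown in the post; the sample lines are taken from the two logs above.

```python
import re
from collections import Counter

# Squid native access.log: <ts> <ms> <client> <code>/<status> <bytes> <method> <url> <user> <hier>/<peer> <type>
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)
BARE_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")  # e.g. 98.139.225.168:443

def parse_line(line):
    """Return a dict of fields for one access.log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(rec):
    """Classify one record by what Squid did with the TLS session."""
    if rec["method"] == "CONNECT":
        if rec["hier"] == "ORIGINAL_DST" and BARE_IP_RE.match(rec["url"]):
            # Intercepted (tproxy) connection: Squid only had the original
            # destination IP, no client-supplied hostname, and tunneled it.
            return "tunneled_no_hostname"
        return "tunneled"          # explicit CONNECT with a hostname, not bumped
    if rec["url"].startswith("https://"):
        return "bumped"            # inner request was logged, so TLS was bumped
    return "other"

def summarize(lines):
    counts = Counter()             # (client IP, outcome) -> number of log lines
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[(rec["client"], classify(rec))] += 1
    return counts

# Lines taken from the two access.log samples in the post.
SAMPLE_LOG = [
    "1432131282.366 85 192.168.6.134 TCP_MISS/200 521 GET https://mail.google.com/mail/images/cleardot.gif? - HIER_DIRECT/216.58.217.37 image/gif",
    "1432131287.673 10190 192.168.6.134 TCP_TUNNEL/200 3888 CONNECT gmail.com:443 - HIER_DIRECT/216.58.217.37 -",
    "1432131289.911 79 192.168.6.134 TCP_MISS/200 1884 GET https://accounts.google.com/b/0/DomainRestrictedNetwork? - HIER_DIRECT/216.58.217.45 text/html",
    "1432132109.580 16670 192.168.6.133 TCP_TUNNEL/200 4791 CONNECT 98.139.225.168:443 - ORIGINAL_DST/98.139.225.168 -",
    "1432132119.593 12771 192.168.6.133 TCP_TUNNEL/200 3861 CONNECT 216.58.217.36:443 - ORIGINAL_DST/216.58.217.36 -",
]

if __name__ == "__main__":
    for (client, outcome), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{client:16} {outcome:22} {n}")
```

Run it against a real access.log (one line per list element) and a client that shows only tunneled_no_hostname entries for Google addresses is one whose intercepted sessions never reached the bumping step.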