On 21/05/2015 2:42 a.m., Nick Belnap wrote:
> I've been tasked with preventing a client's users from accessing consumer Gmail accounts while only accessing their corporate Google Apps accounts. Google gives an overview here: https://support.google.com/a/answer/1668854?hl=en.
<snip>
>
> Being a novice at Squid and iptables I've done a lot of Googling to get this far but have hit the wall I think with this problem. Can anyone see why the ssl-bump might not be working for tproxy connections?
>
> What am I missing?

Same thing everyone seems to be missing with SSL-Bump. The fact that TCP packet headers don't contain a domain name. Only the IP:port the TCP connection is going to.

So the "Google" dstdomain ACL does not work on the fake CONNECT request Squid generates from the IP:port details.

Replace these:

  acl Google dstdomain .google.com
  ssl_bump server-first Google

With these (in this specific order):

  acl GoogleBump ssl::server_name .google.com .gmail.com
  ssl_bump peek all
  ssl_bump bump GoogleBump
  ssl_bump splice all

Amos