Hi Alex! Thanks for the reply.
It seems to see the CONNECT yes.. but still no joy.
192.168.99.100 TCP_MISS/200 114940 CONNECT mail.google.com:443
I'm running - Squid Cache: Version 3.3.1
ssl_crtd is running having configured it using the example from
http://wiki.squid-cache.org/Features/DynamicSslCert
My config now looks like:
https_port 3128 intercept ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
ssl_bump server-first
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /libexec/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5
append_domain .mtl.fruitbat.ca
#debug_options ALL,2
request_header_add X-GoogApps-Allowed-Domains mydomain.com all
as you can see there I tried to enable debug but it was just too much
chatter so I turned it off.
On Fri, Mar 22, 2013 at 12:19 AM, Alex Rousskov
<rousskov_at_measurement-factory.com> wrote:
> On 03/21/2013 04:21 PM, Robert Mason wrote:
>> Hi all,
>>
>> I've been trying to setup a system to do ssl interception and dynamic
>> certificate generation in order to prevent our users from signing in
>> to their personal gmail accounts (our company mail is through gmail).
>>
>>>From the info here
>> http://support.google.com/a/bin/answer.py?hl=en&answer=1668854 I found
>> that I needed to add a header in the request and have that working:
>>
>> request_header_add X-GoogApps-Allowed-Domains rodeofx.com all
>>
>> adds it to every http request which I'm fine with but I need to add it
>> to https requests and that's not happening.
>>
>> I have tried things like:
>>
>> http_port 192.168.168.253:3128 ssl-bump generate-host-certificates=on
>> dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
>>
>> always_direct allow all
>> ssl_bump allow all
>> # the following two options are unsafe and not always necessary:
>> #sslproxy_cert_error allow all
>> #sslproxy_flags DONT_VERIFY_PEER
>>
>> sslcrtd_program /etc/squid/libexec/squid/ssl_crtd -s
>> /etc/squid/var/lib/ssl_db -M 4MB
>> sslcrtd_children 5
>>
>> No love though.. I still get the regular google cert and don't see
>> certs in my ssl_db folder.
>>
>> If anyone has suggestions to offer I'd really appreciate it.
>
> Does Squid get CONNECT requests for Google domains? Check access.log.
>
> If it does, are there any errors or warnings in cache.log?
>
> Alex.
>
Received on Sun Mar 24 2013 - 07:39:52 MDT
This archive was generated by hypermail 2.2.0 : Wed Mar 27 2013 - 12:00:13 MDT