Re: [squid-users] 3.3.1 ssl-bump-server-first for google domain lockdown

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Thu, 28 Mar 2013 16:43:22 -0600

On 03/28/2013 04:11 PM, Robert Mason wrote:

> I am seeing GET, POST and CONNECT requests to google in access.log.

Just to make sure we are on the same page, are all of the items below true?

1. You see a CONNECT request to google.com in access.log.

2. You see a non-CONNECT request to google.com from the same
client-Squid connection as CONNECT request in #1 but logged after #1.

3. You see an origin server certificate _signed_ by Google when looking
at responses for request in #2.

You can use browser tools like FireBug or %>p logformat code to make
sure that records in #1 and #2 belong to the same client-Squid connection.

If you see #1 but not #2, then your Squid is not bumping. If you also
see errors or warnings in cache.log, they may explain why.

If you see #1, #2, and #3, then check again because that combination is
not possible.

Thank you,

Alex.

> On Wed, Mar 27, 2013 at 1:27 AM, Alex Rousskov
> <rousskov_at_measurement-factory.com> wrote:
>> On 03/24/2013 01:39 AM, Robert Mason wrote:
>>> Hi Alex! Thanks for the reply.
>>>
>>> It seems to see the CONNECT yes.. but still no joy.
>>>
>>> 192.168.99.100 TCP_MISS/200 114940 CONNECT mail.google.com:443
>>
>> Good. This means that Squid intercepts HTTPS traffic from the browser.
>> The next step is to figure out whether Squid bumps those intercepted
>> connections. Are there non-CONNECT requests for mail.google.com:443 in
>> access.log?
>>
>>
>>> ssl_bump server-first
>>
>> Your ssl_bump directive is missing an ACL. Try adding "all":
>>
>> ssl_bump server-first all
>>
>>
>> HTH,
>>
>> Alex.
>>
>>
>>> On Fri, Mar 22, 2013 at 12:19 AM, Alex Rousskov wrote:
>>>> On 03/21/2013 04:21 PM, Robert Mason wrote:
>>>>> Hi all,
>>>>>
>>>>> I've been trying to setup a system to do ssl interception and dynamic
>>>>> certificate generation in order to prevent our users from signing in
>>>>> to their personal gmail accounts (our company mail is through gmail).
>>>>>
>>>>> From the info here
>>>>> http://support.google.com/a/bin/answer.py?hl=en&answer=1668854 I found
>>>>> that I needed to add a header in the request and have that working:
>>>>>
>>>>> request_header_add X-GoogApps-Allowed-Domains rodeofx.com all
>>>>>
>>>>> adds it to every http request which I'm fine with but I need to add it
>>>>> to https requests and that's not happening.
>>>>>
>>>>> I have tried things like:
>>>>>
>>>>> http_port 192.168.168.253:3128 ssl-bump generate-host-certificates=on
>>>>> dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
>>>>>
>>>>> always_direct allow all
>>>>> ssl_bump allow all
>>>>> # the following two options are unsafe and not always necessary:
>>>>> #sslproxy_cert_error allow all
>>>>> #sslproxy_flags DONT_VERIFY_PEER
>>>>>
>>>>> sslcrtd_program /etc/squid/libexec/squid/ssl_crtd -s
>>>>> /etc/squid/var/lib/ssl_db -M 4MB
>>>>> sslcrtd_children 5
>>>>>
>>>>> No love though.. I still get the regular google cert and don't see
>>>>> certs in my ssl_db folder.
>>>>>
>>>>> If anyone has suggestions to offer I'd really appreciate it.
>>>>
>>>> Does Squid get CONNECT requests for Google domains? Check access.log.
>>>>
>>>> If it does, are there any errors or warnings in cache.log?
>>>>
>>>> Alex.
>>>>
>>
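The check Alex describes above (a CONNECT record followed by a non-CONNECT record from the same client-Squid connection, tied together via the %>p logformat code) can be automated against access.log. The script below is an added example, not code from this thread or from the Squid project; it assumes the custom logformat named in the comment and runs over constructed sample log lines.

```python
import re
from collections import defaultdict

# Assumed custom logformat (not from the thread), one token per field:
#   logformat bumpcheck %ts.%03tu %>a:%>p %Ss/%03>Hs %<st %rm %ru
# %>p is the client source port; together with %>a it identifies the
# client-Squid TCP connection a record belongs to.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<ip>[^\s:]+):(?P<port>\d+) (?P<status>\S+) "
    r"(?P<size>\d+) (?P<method>\S+) (?P<url>\S+)$"
)

# Constructed sample access.log lines (not the poster's real log).
SAMPLE_LOG = """\
1364509000.123 192.168.99.100:51234 TCP_MISS/200 114940 CONNECT mail.google.com:443
1364509000.456 192.168.99.100:51234 TCP_MISS/200 2310 GET https://mail.google.com/mail/
1364509001.789 192.168.99.101:40001 TCP_MISS/200 3300 CONNECT www.google.com:443
1364509002.000 192.168.99.102:40002 TCP_MISS/200 1200 GET http://www.example.com/
"""

def parse(log_text):
    """Parse access.log text in the assumed format into a list of dicts."""
    recs = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            recs.append(m.groupdict())
    return recs

def bump_status(log_text, host_suffix):
    """Return {(ip, port): 'bumped' | 'not bumped'} for every client connection
    that issued a CONNECT whose target host ends in host_suffix. A connection
    counts as bumped only if a non-CONNECT record follows the CONNECT on the
    same (ip, port), which is the combination Alex asks the poster to look for."""
    by_conn = defaultdict(list)
    for r in parse(log_text):
        by_conn[(r["ip"], r["port"])].append(r)
    result = {}
    for conn, recs in by_conn.items():
        recs.sort(key=lambda r: float(r["ts"]))
        idx = next((i for i, r in enumerate(recs)
                    if r["method"] == "CONNECT"
                    and r["url"].split(":")[0].endswith(host_suffix)), None)
        if idx is None:
            continue
        bumped = any(r["method"] != "CONNECT" for r in recs[idx + 1:])
        result[conn] = "bumped" if bumped else "not bumped"
    return result

if __name__ == "__main__":
    for (ip, port), verdict in sorted(bump_status(SAMPLE_LOG, "google.com").items()):
        print(f"{ip}:{port} -> {verdict}")
```

A connection reported as "not bumped" matches Alex's "#1 but not #2" case, so cache.log is the next place to look.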
Received on Thu Mar 28 2013 - 22:43:25 MDT

This archive was generated by hypermail 2.2.0 : Fri Mar 29 2013 - 12:00:06 MDT