On 03/21/2013 04:21 PM, Robert Mason wrote:
> Hi all,
>
> I've been trying to setup a system to do ssl interception and dynamic
> certificate generation in order to prevent our users from signing in
> to their personal gmail accounts (our company mail is through gmail).
>
>>From the info here
> http://support.google.com/a/bin/answer.py?hl=en&answer=1668854 I found
> that I needed to add a header in the request and have that working:
>
> request_header_add X-GoogApps-Allowed-Domains rodeofx.com all
>
> adds it to every http request which I'm fine with but I need to add it
> to https requests and that's not happening.
>
> I have tried things like:
>
> http_port 192.168.168.253:3128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
>
> always_direct allow all
> ssl_bump allow all
> # the following two options are unsafe and not always necessary:
> #sslproxy_cert_error allow all
> #sslproxy_flags DONT_VERIFY_PEER
>
> sslcrtd_program /etc/squid/libexec/squid/ssl_crtd -s
> /etc/squid/var/lib/ssl_db -M 4MB
> sslcrtd_children 5
>
> No love though.. I still get the regular google cert and don't see
> certs in my ssl_db folder.
>
> If anyone has suggestions to offer I'd really appreciate it.
Does Squid get CONNECT requests for Google domains? Check access.log.
If it does, are there any errors or warnings in cache.log?
Alex.
Received on Fri Mar 22 2013 - 04:19:13 MDT
This archive was generated by hypermail 2.2.0 : Sun Mar 24 2013 - 12:00:05 MDT