Re: [squid-users] 3.3.1 ssl-bump-server-first for google domain lockdown

From: Robert Mason <rmason_at_rodeofx.com>
Date: Thu, 28 Mar 2013 18:11:27 -0400

Hi Alex,

I was so hopeful that that missing all was all I was missing but when
I finally had a chance to test it today it's still not working as
expected.

I have moved my config to a separate machine now so I can test and not
disturb anyone. I also have the cachemgr.cgi interface working and on
there have found this:

Cached ssl certificates statistic.

Port  Max mem(KB)  Cert number  KB/cert  Mem used(KB)  Mem free(KB)

nothing in the list. Should I not be seeing my dynamic certs there?

I am seeing GET, POST and CONNECT requests to google in access.log.

Let me know if there are any logs that might be helpful as I now do
have debugging enabled.

Thanks again.

On Wed, Mar 27, 2013 at 1:27 AM, Alex Rousskov
<rousskov_at_measurement-factory.com> wrote:
> On 03/24/2013 01:39 AM, Robert Mason wrote:
>> Hi Alex! Thanks for the reply.
>>
>> It seems to see the CONNECT yes.. but still no joy.
>>
>> 192.168.99.100 TCP_MISS/200 114940 CONNECT mail.google.com:443
>
> Good. This means that Squid intercepts HTTPS traffic from the browser.
> The next step is to figure out whether Squid bumps those intercepted
> connections. Are there non-CONNECT requests for mail.google.com:443 in
> access.log?
>
>
>> ssl_bump server-first
>
> Your ssl_bump directive is missing an ACL. Try adding "all":
>
> ssl_bump server-first all
>
>
> HTH,
>
> Alex.
>
>
>> On Fri, Mar 22, 2013 at 12:19 AM, Alex Rousskov wrote:
>>> On 03/21/2013 04:21 PM, Robert Mason wrote:
>>>> Hi all,
>>>>
>>>> I've been trying to set up a system to do ssl interception and dynamic
>>>> certificate generation in order to prevent our users from signing in
>>>> to their personal gmail accounts (our company mail is through gmail).
>>>>
>>>> From the info here
>>>> http://support.google.com/a/bin/answer.py?hl=en&answer=1668854 I found
>>>> that I needed to add a header in the request and have that working:
>>>>
>>>> request_header_add X-GoogApps-Allowed-Domains rodeofx.com all
>>>>
>>>> adds it to every http request which I'm fine with but I need to add it
>>>> to https requests and that's not happening.
>>>>
>>>> I have tried things like:
>>>>
>>>> http_port 192.168.168.253:3128 ssl-bump generate-host-certificates=on
>>>> dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
>>>>
>>>> always_direct allow all
>>>> ssl_bump allow all
>>>> # the following two options are unsafe and not always necessary:
>>>> #sslproxy_cert_error allow all
>>>> #sslproxy_flags DONT_VERIFY_PEER
>>>>
>>>> sslcrtd_program /etc/squid/libexec/squid/ssl_crtd -s
>>>> /etc/squid/var/lib/ssl_db -M 4MB
>>>> sslcrtd_children 5
>>>>
>>>> No love though.. I still get the regular google cert and don't see
>>>> certs in my ssl_db folder.
>>>>
>>>> If anyone has suggestions to offer I'd really appreciate it.
>>>
>>> Does Squid get CONNECT requests for Google domains? Check access.log.
>>>
>>> If it does, are there any errors or warnings in cache.log?
>>>
>>> Alex.
>>>
>
Received on Thu Mar 28 2013 - 22:11:36 MDT
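Alex's diagnostic in the quoted reply (are there non-CONNECT requests for the HTTPS host in access.log, i.e. did Squid actually bump the tunnel?) as an added check that is not part of this thread or of Squid itself; it assumes Squid's default native access.log layout and runs over constructed sample lines:

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: the default "native" access.log layout
#   timestamp elapsed client code/status bytes method URL ident hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)

# Constructed sample lines, modelled on the thread's "TCP_MISS/200 ... CONNECT mail.google.com:443".
SAMPLE_LOG = """\
1364504500.123    245 192.168.99.100 TCP_MISS/200 114940 CONNECT mail.google.com:443 - HIER_DIRECT/173.194.73.19 -
1364504501.456    120 192.168.99.100 TCP_MISS/200 5120 GET https://mail.google.com/mail/u/0/ - HIER_DIRECT/173.194.73.19 text/html
1364504502.789    300 192.168.99.100 TCP_MISS/200 98000 CONNECT accounts.google.com:443 - HIER_DIRECT/173.194.73.84 -
1364504503.012     45 192.168.99.100 TCP_MISS/200 731 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
"""

def host_of(method, url):
    """CONNECT targets are host:port; a bumped request is logged with its full https:// URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    parts = urlsplit(url)
    return parts.hostname if parts.scheme == "https" else None

def bump_report(log_text):
    """Per HTTPS host: count CONNECT tunnels and the bumped (non-CONNECT) requests seen inside them."""
    stats = defaultdict(lambda: {"connect": 0, "bumped": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in native format, skip
        host = host_of(m["method"], m["url"])
        if host is None:
            continue  # plain http request, irrelevant to bumping
        key = "connect" if m["method"] == "CONNECT" else "bumped"
        stats[host][key] += 1
    return dict(stats)

def unbumped_hosts(log_text):
    """Hosts that were only tunnelled: request_header_add can never reach those requests."""
    return sorted(h for h, s in bump_report(log_text).items() if s["connect"] and not s["bumped"])

if __name__ == "__main__":
    for host, s in sorted(bump_report(SAMPLE_LOG).items()):
        print(f"{host:28} CONNECT={s['connect']:3} bumped={s['bumped']:3}")
    print("not bumped:", unbumped_hosts(SAMPLE_LOG))
```

A host that shows up only under CONNECT is still an opaque tunnel, so the X-GoogApps-Allowed-Domains header cannot have been inserted into its requests regardless of the request_header_add line.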

This archive was generated by hypermail 2.2.0 : Fri Mar 29 2013 - 12:00:06 MDT