Squid Proxy with SSL and Gmail

Question

I am trying to get squid to work with SSL so i can open up gmail but only with access to our domain, here is my config

coredump_dir /var/spool/squid

workers 4


http_port 3128 ssl-bump \
  dynamic_cert_mem_cache_size=16MB \
  generate-host-certificates=on \
  cert=/etc/squid/certs/squid-ca-cert-key.pem \
  require-proxy-header

sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/spool/squid/ssl -M 16MB
tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE
shutdown_lifetime 1 second


forwarded_for delete
via off

cache allow all
cache_mem 4 GB
cache_dir rock /var/spool/squid 1024
always_direct allow all
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320 ignore-reload

debug_options ALL,2 28,3

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

acl internal src 10.0.0.0/8


acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl Safe_ports port 3128        # cachemgr
acl CONNECT method CONNECT
acl SSL method CONNECT
acl no_bump ssl::server_name_regex blah\.com$


acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump peek step2 no_bump
ssl_bump splice step3 no_bump
ssl_bump stare step2
ssl_bump bump

# allow replies to all
http_reply_access allow all
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager


acl dst_google_http ssl::server_name accounts.google.com
acl dst_google_http ssl::server_name admin.google.com
acl dst_google_http ssl::server_name calendar.google.com
acl dst_google_http ssl::server_name fonts.googleapis.com

acl dst_google_http_re ssl::server_name_regex gstatic\.com$

acl dst_google_http_url url_regex ^http(s)?://www.google.com/accounts/(.+)?$
acl dst_google_http_url url_regex ^http(s)?://www.google.com/a/DOMAIN.com/(.+)?$

acl dst_google_connect ssl::server_name www.google.com
acl dst_google_connect_re ssl::server_name_regex gstatic\.com$


http_access allow CONNECT internal dst_google_connect
http_access allow CONNECT internal dst_google_connect_re
http_access allow CONNECT internal dst_google_http
http_access allow CONNECT internal dst_google_http_re

request_header_access Surrogate-Capability deny all
request_header_access X-GoogApps-Allowed-Domains deny all

request_header_add X-GoogApps-Allowed-Domains "DOMAIN.com" dst_google_http dst_google_http_re dst_google_connect dst_google_connect_re


# And finally deny all other access to this proxy
http_access deny all

When i remove the require-proxy-header option i can go straight out to the internet and connect to google/bbc/etc

If i add them back in i get

2021/01/18 18:01:27.103| PROXY client not permitted by default ACL from local= <IP> remote=<IP>
FD 19 flags=1

and the squid access logs says

1610993061.230      0  NONE/000 0 NONE error:transaction-end-before-headers - HIER_NONE/- -

I made sure i import the certificate into my browser, am i doing something else wrong

Answer 1

PROXY protocol is used to transfer the connecting client information (IP address) from load-balancer (haproxy) to Squid or a web server (see https://docs.diladele.com/administrator_guide_stable/active_directory_extra/redundancy/haproxy_proxy_protocol.html).

What you actually need is to insert a specific header into all requests to gmail to force the browser to use corporate domains only. If so this should be possible with request_header_add directive (note it can also be done in ICAP if needed).