In my organisation, I am trying to allow the Google Apps account and block consumer Google accounts using a Squid proxy. According to this link, Google says we can do it using the following steps:

  1. Route all traffic outbound to google.com through your web proxy server(s).
  2. Enable SSL interception on the proxy server.
  3. Since you will be intercepting SSL requests, you will need to configure every client device to trust your SSL proxy by deploying the Internal Root Certificate Authority used by the proxy and marking it as trusted.
  4. For each google.com request:
  • Intercept the request.
  • Add the HTTP header X-GoogApps-Allowed-Domains, whose value is a comma-separated list with allowed domain name(s). Include the domain you registered with Google Apps and any secondary domains you might have added.

After referring to a few online blogs and guides, I compiled and installed Squid and added the following entries to my squid.conf:

http_port 3128 intercept
http_port 3129
# cert= and key= are options of the https_port directive and belong on the same line
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/cert/server.crt key=/usr/local/squid/cert/server.key
acl localnet1 dstdomain .google.com
ssl_bump server-first localnet1
always_direct allow localnet1
# The next two directives make Squid accept any upstream server certificate,
# including an invalid or forged one, so the proxy does not verify Google's identity.
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
# Only requests matching the google.com ACL get the allowed-domains header
request_header_add X-GoogApps-Allowed-Domains "mydomain.com" localnet1
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/ssl_db -M 20MB
sslcrtd_children 100

Using the above configuration, every request (HTTP and HTTPS) is routed through my proxy server, but it is not able to block consumer Google accounts and I am able to log in to them.

I have also added the proxy IP as the gateway on my node system, and on my proxy server I added the following rules in iptables:

iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
iptables -I INPUT -p tcp -m tcp --dport 3130 -j ACCEPT

So what more do I need to do to block consumer Google accounts? Am I missing something here?

EDIT: After working on the above issue, I came to know that I was making one mistake. My port setting in the squid.conf file is as follows:

http_port 3128 intercept
http_port 3129
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB 

I had set the global proxy on my node system. In the IP field I had put the proxy server's IP and in the port field I had put 3129. So all of my requests were going through port 3129 and hence were not getting intercepted, and I was able to log in to consumer Google accounts. So I removed the proxy settings from the node system and only kept the proxy server IP as its gateway. After this every request reaches the proxy server, but I think it is not getting routed to the ports specified in squid.conf, i.e. port 80 to 3128 and port 443 to 3130, and now because of this everything is blocked.

I have tried to set rules in iptables for this internal routing of ports but nothing is working. I have only one Ethernet interface, eth0, on my proxy server. So will anybody guide me on this issue?

vidarlo
ganesh
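The per-request step in the quoted Google guidance (intercept each google.com request and add X-GoogApps-Allowed-Domains) is easy to reason about in isolation, so here is an added example that models it on raw HTTP requests. It is not code from the question, from Squid or from Google; the requests are constructed, "mydomain.com" is the placeholder domain from the question, and the "what Google sees" helper is the check a defender would run to confirm the header actually arrives.

```python
"""Model of the header-injection step: add X-GoogApps-Allowed-Domains to requests
bound for google.com (and subdomains, mirroring the 'dstdomain .google.com' ACL)
and leave every other request untouched. Added example, not the proxy's own code."""

ALLOWED_DOMAINS = ["mydomain.com"]   # placeholder from the question: the Google Apps domain(s)
HEADER = "X-GoogApps-Allowed-Domains"
GOOGLE_SUFFIXES = ("google.com",)    # google.com itself and any *.google.com host


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return request_line, headers, body


def host_of(headers) -> str:
    """Host header without any :port, lower-cased; empty string if absent."""
    for name, value in headers:
        if name.lower() == "host":
            return value.split(":")[0].lower()
    return ""


def is_google_host(host: str) -> bool:
    """True for google.com and its subdomains only (so 'notgoogle.com' does not match)."""
    return any(host == s or host.endswith("." + s) for s in GOOGLE_SUFFIXES)


def inject_header(raw: bytes, allowed=ALLOWED_DOMAINS) -> bytes:
    """Return the request with the allowed-domains header added when bound for Google."""
    request_line, headers, body = parse_request(raw)
    if is_google_host(host_of(headers)):
        # Drop any client-supplied copy first, so the value is always the proxy's list
        # and a client cannot widen it by sending its own header.
        headers = [(n, v) for n, v in headers if n.lower() != HEADER.lower()]
        headers.append((HEADER, ",".join(allowed)))
    head = "\r\n".join([request_line] + [f"{n}: {v}" for n, v in headers])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body


def allowed_domains_in(raw: bytes):
    """What Google would see: the header value as a list, or None if the header is absent."""
    _, headers, _ = parse_request(raw)
    for name, value in headers:
        if name.lower() == HEADER.lower():
            return [d.strip() for d in value.split(",")]
    return None


# Constructed sample requests, not captured traffic.
GOOGLE_REQ = b"GET /accounts/ServiceLogin HTTP/1.1\r\nHost: accounts.google.com\r\nUser-Agent: x\r\n\r\n"
OTHER_REQ = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
CLIENT_HEADER_REQ = b"GET / HTTP/1.1\r\nHost: mail.google.com\r\nX-GoogApps-Allowed-Domains: other.example\r\n\r\n"

if __name__ == "__main__":
    for req in (GOOGLE_REQ, OTHER_REQ, CLIENT_HEADER_REQ):
        print(host_of(parse_request(req)[1]), "->", allowed_domains_in(inject_header(req)))
```

The check function is the useful part for the situation in the question: if a request that reaches Google does not carry the header, the block cannot work, and that is exactly what happens when the client talks to a plain (non-intercept) proxy port where the ssl_bump and header rules never fire.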

1 Answer

My only suggestion is to ignore the squid interception/transparent iptables stuff initially: configure your browser with a web proxy setting and get that working first; at least then there are slightly fewer "moving parts" to deal with.

David Goodwin
I have done this, and the plain proxy without intercept/transparent and without ssl_bump works. With only ssl_bump it works for HTTP but not for HTTPS. – ganesh Mar 23 '15 at 07:10
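The EDIT in the question describes the failure mode where traffic reaches the proxy but is not landing on the intercept ports declared in squid.conf. The following added diagnostic (not from the question, the answer, or Squid) cross-checks the `http_port`/`https_port` lines against the `REDIRECT` rules in the nat table, which is the pairing that has to be right for transparent interception. Both inputs are constructed from the lines in the question; on a real host the second input would come from `iptables -t nat -S PREROUTING`. It does not cover the asker's first mistake (a client-side proxy setting pointing at the plain port 3129), which no server-side check can see.

```python
"""Cross-check Squid intercept ports against iptables nat REDIRECT rules.
Added diagnostic; the sample inputs below are constructed, not captured."""
import re

# Port lines from the question's squid.conf (constructed copy).
SQUID_CONF = """\
http_port 3128 intercept
http_port 3129
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
"""

# What `iptables -t nat -S PREROUTING` would print for the question's two rules (constructed).
IPTABLES_NAT = """\
-P PREROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130
"""

# A broken variant: HTTPS redirected to the plain, non-intercept port (constructed).
BROKEN_NAT = """\
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
"""

PORT_LINE = re.compile(r"\s*(http_port|https_port)\s+(?:\S*:)?(\d+)(.*)")
REDIRECT_LINE = re.compile(r"--dport (\d+) .*-j REDIRECT --to-ports (\d+)")


def intercept_ports(conf: str) -> dict:
    """Map each Squid listening port to (kind, has_intercept) where kind is 'http' or 'https'."""
    ports = {}
    for line in conf.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue
        kind = m.group(1).replace("_port", "")
        port = int(m.group(2))
        options = m.group(3)
        # 'transparent' is the older spelling of 'intercept' in Squid
        ports[port] = (kind, " intercept" in options or " transparent" in options)
    return ports


def redirects(nat_rules: str) -> dict:
    """Map each redirected destination port to the local port it is sent to."""
    out = {}
    for line in nat_rules.splitlines():
        m = REDIRECT_LINE.search(line)
        if m:
            out[int(m.group(1))] = int(m.group(2))
    return out


def check(conf: str, nat_rules: str) -> list:
    """Return a list of problems; an empty list means 80 and 443 land on intercept ports of the right kind."""
    problems = []
    ports = intercept_ports(conf)
    redir = redirects(nat_rules)
    for dport, expected_kind in ((80, "http"), (443, "https")):
        if dport not in redir:
            problems.append(f"port {dport}: no REDIRECT rule in the nat table")
            continue
        target = redir[dport]
        if target not in ports:
            problems.append(f"port {dport}: redirected to {target}, but squid.conf has no *_port on {target}")
            continue
        kind, intercept = ports[target]
        if kind != expected_kind:
            problems.append(f"port {dport}: redirected to {target}, but {target} is {kind}_port, not {expected_kind}_port")
        elif not intercept:
            problems.append(f"port {dport}: redirected to {target}, but that squid port lacks the 'intercept' option")
    return problems


if __name__ == "__main__":
    for label, rules in (("question", IPTABLES_NAT), ("broken", BROKEN_NAT)):
        print(label, check(SQUID_CONF, rules) or "ok")
```

Two things this script deliberately does not check but that matter for the single-interface gateway setup in the EDIT: the REDIRECT rules match only packets that arrive on eth0 from the clients (not traffic the proxy originates itself), and a host that is used as a gateway must have IP forwarding enabled (net.ipv4.ip_forward=1) or the packets that do not match a redirect are dropped, which would look exactly like "everything is blocked".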