5

I want to permit my users to login to Google apps only for my domain. I found a solution by adding the HTTP header X-GoogApps-Allowed-Domains as described in this Google help page.

I use Squid, but can't figure out how to configure Squid to do this. How can I add this request header using Squid?

sysadmin1138
boblin

7 Answers

7

You can do it with the new Squid 3.3, which supports the command "request_header_add". I used CentOS to do it.

My Squid.conf is:

acl CONNECT method CONNECT
visible_hostname MySERVER.local
acl local src 192.168.0.0/24
http_access allow local
ssl_bump client-first all
always_direct allow all
http_port 3128 ssl_bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/cert.pem
request_header_add X-GoogApps-Allowed-Domains "mycompany.com" all
cache_dir ufs /usr/local/squid/var/cache 8192 32 256

For SSL certificates, you need to generate them with OpenSSL:

openssl req -new -newkey rsa:1024 -days 36500 -nodes -x509 -keyout /usr/local/squid/etc/cert.pem -out /usr/local/squid/etc/cert.pem 

And so that users don't see errors in their browsers, install this as a trusted root on each computer or add it to your Active Directory (Google may help with this).

openssl x509 -in /usr/local/squid/etc/cert.pem -outform DER -out /usr/local/squid/etc/cert.der
3

As per the Squid FAQ:

Squid.conf ACLs

Header modification via Squid ACLs is limited to deleting a header or replacing a matching header with a constant string.

In other words, you won't be able to add arbitrary request headers simply by using Squid ACLs. The Squid ACLs limit you to deleting existing headers or replacing existing headers, but don't allow addition of new headers. The only way to add new headers is by making use of an ICAP server together with Squid. For more information, see the ICAP section in the Squid FAQ.

Richard Keller
1

Using squid, you will:

  1. Set up dynamic SSL certificate generation. Install the root certificate in the web clients' browsers.
  2. Set up SSL Bump to intercept proxied SSL/TLS traffic.
  3. Use ACLs to insert your desired header(s).
Michael Hampton
0

Apparently it can be done with ICAP.

Server: http://icap-server.sourceforge.net/irml.html

The client is in squid3: http://ftp.meisei-u.ac.jp/mirror/squid/squid-3.0-RELEASENOTES.html#ss4.1

Config from above: (squid.conf)

icap_enable on
icap_service service_req reqmod_precache 1 icap://127.0.0.1:1344/request
icap_service service_resp respmod_precache 0 icap://127.0.0.1:1344/response
icap_class class_req service_req
icap_class class_resp service_resp
icap_access class_req allow all
icap_access class_resp allow all

Then configure the server to determine whether to modify the header or not based on destination domain:

????+

Profit? Can't figure out how to write the rules that would do this... maybe you'll have more luck.

Grizly
0

So you can do this with a combination of a web proxy and an ICAP server. I'm most familiar with Squid Proxy & GreasySpoon for the ICAP. I am using Squid v3.2.1 & GreasySpoon 1.0.8.

  • Squid: http://www.squid-cache.org/
  • GreasySpoon: Defunct! :( The idea will be the same on other ICAP servers just with different impl's. It used to be hosted on sourceforge so maybe the Wayback Machine will have it. Not sure.

Squid Configuration

Anyways, configure Squid to act as a standard cache. Here's a sample configuration. For more details on proper squid configuration, check out the extensive docs out there. The section you care about for this question is the # ICAP Configurations at the bottom.

cache_effective_user squid
cache_effective_group squid

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80      # http
acl Safe_ports port 81      # http - public
acl Safe_ports port 21      # ftp
acl Safe_ports port 443     # https
acl Safe_ports port 70      # gopher
acl Safe_ports port 210     # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280     # http-mgmt
acl Safe_ports port 488     # gss-http
acl Safe_ports port 591     # filemaker
acl Safe_ports port 777     # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# 'blocksites' is not defined anywhere in this file; Squid refuses to start on an
# undefined ACL name, so define it with an acl line before enabling this rule.
#http_access deny blocksites
http_access allow localnet
http_access allow localhost

http_access deny all

http_port 3128 transparent

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

# ICAP Configurations
icap_enable on
icap_preview_enable on
icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/respmod
adaptation_access service_resp allow all

Note that the ICAP server I used was on the same host as the squid proxy so I used 127.0.0.1. If your proxy & ICAP are on different hosts then be sure to swap out the loopback for the other server's IP or server name.

ICAP Configuration

This is the easy part.

Again, I'm using the now defunct "Greasy Spoon" ICAP server. I found it to be very straightforward and did what I wanted with minimal headache. Also, while other options are available, I use the Java plugin capabilities.

For the case of GreasySpoon, I just created a small Java script (not JavaScript, although that is possible with many ICAP servers) that targets the HTTP request and adds the needed header (note that the leading comments provide metadata to the GS server; probably not needed for others):

//------------------------------------------------------------------- 
// ==ServerScript==
// @name            Add_Header
// @status on
// @description     
// @include        .*
// @exclude        
// @order           0
// ==/ServerScript==
// --------------------------------------------------------------------

public void main(HttpMessage httpMessage){
    // Add the "my-header" header with a value of "test.server.com"
    httpMessage.addHeader("my-header", "test.server.com");
}

This adds the my-header header element into every request.

Lorin S.
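For readers who, like Grizly's answer above, want the ICAP-side rules spelled out, here is a minimal ICAP REQMOD handler that does in Python what the GreasySpoon script does: it tags requests bound for Google hosts with X-GoogApps-Allowed-Domains, overrides any copy of the header the client sent, and answers 204 when Squid allowed it and nothing changed. This is an added example, not code from this thread or from GreasySpoon; the allowed domain, the ISTag value and the "only Google hosts" match are assumptions, and a deployment would wrap reqmod() in a TCP server on port 1344 behind the icap_service lines shown in the squid.conf above (HTTPS still needs SSL Bump for Squid to see the request at all).

```python
import re

# Constructed example values (assumptions): the header Google documents for this
# control and the Google Apps domain the proxy should allow.
HEADER_NAME = b"X-GoogApps-Allowed-Domains"
ALLOWED_DOMAINS = b"mycompany.com"
GOOGLE_HOSTS = re.compile(r"(^|\.)google\.com$")  # assumption: tag only Google hosts
CRLF = b"\r\n"

def parse_headers(block: bytes):
    """Split a CRLF-delimited header block into (start-line, [(name, value), ...])."""
    lines = block.rstrip(CRLF).split(CRLF)
    fields = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        fields.append((name.strip(), value.strip()))
    return lines[0], fields

def target_host(start_line: bytes, fields) -> str:
    """Destination host from the Host header, else from an absolute request URI."""
    for name, value in fields:
        if name.lower() == b"host":
            return value.split(b":")[0].decode("ascii", "replace").lower()
    m = re.match(rb"\S+\s+https?://([^/:\s]+)", start_line)
    return m.group(1).decode("ascii", "replace").lower() if m else ""

def reqmod(icap_request: bytes) -> bytes:
    """Handle one ICAP REQMOD message (RFC 3507) and return the ICAP response bytes."""
    icap_hdr, _, payload = icap_request.partition(CRLF + CRLF)
    _, icap_fields = parse_headers(icap_hdr)
    allow_204 = any(n.lower() == b"allow" and b"204" in v for n, v in icap_fields)
    http_hdr, sep, body = payload.partition(CRLF + CRLF)  # body: chunked req-body, if any
    if not sep:  # no encapsulated HTTP request header: reject rather than guess
        return CRLF.join([b"ICAP/1.0 400 Bad Request", b'ISTag: "googapps-1"',
                          b"Encapsulated: null-body=0"]) + CRLF + CRLF
    start_line, fields = parse_headers(http_hdr)
    tag = bool(GOOGLE_HOSTS.search(target_host(start_line, fields)))
    if not tag and allow_204:  # Squid offered 204: report "unmodified" without echoing
        return CRLF.join([b"ICAP/1.0 204 No Content", b'ISTag: "googapps-1"',
                          b"Encapsulated: null-body=0"]) + CRLF + CRLF
    # Strip any client-supplied copy so the proxy's value always wins, then add ours.
    fields = [(n, v) for n, v in fields if n.lower() != HEADER_NAME.lower()]
    if tag:
        fields.append((HEADER_NAME, ALLOWED_DOMAINS))
    new_hdr = CRLF.join([start_line] + [n + b": " + v for n, v in fields]) + CRLF + CRLF
    kind = b"req-body" if body else b"null-body"
    encaps = b"Encapsulated: req-hdr=0, " + kind + b"=" + str(len(new_hdr)).encode()
    return (CRLF.join([b"ICAP/1.0 200 OK", b'ISTag: "googapps-1"', encaps])
            + CRLF + CRLF + new_hdr + body)
```

The Encapsulated offsets in the response are recomputed from the rewritten header, which is the part Squid checks; a wrong offset makes Squid drop the adaptation (or the request, with bypass=0).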
0

Using Squid to add a custom header is very difficult. I tried but failed; however, I found another solution to block consumer accounts using the following method:

  1. Download Burp Suite (a standalone proxy that can add custom headers).
  2. Read this article I wrote: http://computech.in/2013/09/block-access-to-consumer-gmail-accounts-but-allow-google-apps/

In a small organisation I think Burp proxy is better and that is what we are currently using.

Ladadadada
-1

You will probably need to get a full-on commercial web filter for a job like this - unless you want to go fairly deep into rolling your own ICAP stuff like @Richard Keller appears to be suggesting. I work for Smoothwall, who produce a filter which does the job - if it's really all you need it for (i.e. no other filtering), namecheck me with the sales guys and we can licence appropriately. In the interests of fairness, there are competing products which also have this feature - YouTube uses it too.

Tom Newton