Project

General

Profile

Actions

Feature #11060

closed

Block access to consumer Google accounts

Added by Viktor Gurov about 4 years ago. Updated over 3 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Viktor Gurov
Category:
Squid
Target version:
-
Start date:
11/12/2020
Due date:
% Done:

0%

Estimated time:
Plus Target Version:

Description

WebGUI feature for:

https://support.google.com/a/answer/1668854?hl=en:

To prevent users from signing in to Google services using Google Accounts other than those you explicitly specify:
1. Route all traffic outbound to google.com through your web proxy servers.
2. Enable SSL interception on the proxy server.
3. Configure every client device to trust your SSL proxy:
a. Deploy the Internal Root Certificate Authority used by the proxy.
b. Mark it as trusted.
4. For each google.com request:
a. Intercept the request.
b. Add the HTTP header X-GoogApps-Allowed-Domains: followed by a comma-separated list with allowed domain names.
Make sure that the list includes the domain you registered with G Suite and any secondary domains you added.
Example: X-GoogApps-Allowed-Domains: mydomain1.com, mydomain2.com
5. To allow users to sign in to specific accounts, add the following values to the header:
domain_name for accounts on specific domains, such as altostrat.com and tenorstrat.com for accounts ending in @altostrat.com and tenorstrat.com
consumer_accounts for consumer Google Accounts, such as @gmail.com and @googlemail.com
gserviceaccounts.com for authenticated service accounts
6. (Optional) Create a proxy policy to prevent users from inserting their own headers.

Note: This approach blocks sign-in access to Google consumer services other than Google Search, but doesn’t necessarily prohibit anonymous access.

Actions

Also available in: Atom PDF