Alex, The only ACL i have in squid.conf is: --- acl all_cache src 0.0.0.0/0.0.0.0 no_cache deny all_cache --- I'm one of the people who's having this problems. Now I'm using 3.0.PRE6 until this is fixed. -----Original Message----- From: Alex Rousskov [mailto:rousskov@xxxxxxxxxxxxxxxxxxxxxxx] Sent: segunda-feira, 5 de Novembro de 2007 16:31 To: Amos Jeffries Cc: John Mok; squid-users@xxxxxxxxxxxxxxx Subject: Re: squid3 WindowsUpdate failed On Sun, 2007-11-04 at 19:30 +1300, Amos Jeffries wrote: > I have just had the opportunity to do WU on a customers box and > managed to reproduce one of the possible WU failures. > > This one was using WinXP, and the old WindowsUpdate (NOT > MicrosoftUpdate, teht remains untested). With squid configured to > permit > client access to: > > # Windows Update / Microsoft Update > # > redir.metaservices.microsoft.com > images.metaservices.microsoft.com > c.microsoft.com > windowsupdate.microsoft.com > # > # WinXP / Win2k > .update.microsoft.com > download.windowsupdate.com > # Win Vista > .download.windowsupdate.com > # Win98 > wustat.windows.com > crl.microsoft.com > > AND also CONNECT access to www.update.microsoft.com:443 > > PROBLEM: > The client box detects a needed update, > then during the "Download Updates" phase it says "...failed!" and > stops. > > CAUSE: > > This was caused by a bug in squid reading the ACL: > download.windowsupdate.com > ... > .download.windowsupdate.com > > - squid would detect that download.windowsupdate.com was a > subdomain > of .download.windowsupdate.com and .download.windowsupdate.com would > be > culled off the ACL as unneeded. > > - That culled bit held the wildcard letting v4.download.* and > www.download.* be retrieved later in the process. > > - BUT, specifying JUST .download.windowsupdate.com would cause > download.windowsupdate.com/fubar to FAIL under the same circumstances. > > during the WU process requests for application at > www.download.windowsupdate.com/fubar and K/Q updates at > v(3|4|5).download.windowsupdate.com/fubar2 > would result in a 403 and thus the FAIL. > > > SOLUTION: > Changing the wildcard match to an explicit for fixes this and WU > succeeds again. > OR, > Changing the wildcard to .windowsupdate.com also fixes the problem > for this test. Can other folks experiencing Windows Update troubles with Squid3 confirm that their setup does not have the same ACL problem? In general, if we do not find a way to get more information about the Windows Update problem, we would have to assume it does not exist in most environments and release Squid3 STABLE "as is". If you want the problem fixed before the stable Squid3 release, please help us reproduce or debug the problem. Thank you, Alex.
