Great, forgotten the attachment ... sorry ,-(
-steven
-----Original Message-----
From: Glogger Steven, SCS-NIT-NIO-SVO-DNW-NEO
Sent: Thursday, June 11, 2009 4:38 PM
To: 'squid-users@xxxxxxxxxxxxxxx'
Subject: Transparent Proxy - Windows Update - 0x80072F8F
hi all
i've tried to google around for this topic and to search the archives the last 2 hours, but it seems i'm not able to solve the problem.
my issue is this:
i'm using a transparent proxy (squid 3.0) to regulate internet access.
my server (freebsd 7.2) is forwarding all http AND https traffic to a squid (compiled with transparent option), but using ipfw:
add 15000 fwd 127.0.0.1,3128 tcp from table(10) to any 80,8080 recv xl0 keep-state
add 15001 fwd 127.0.0.1,3129 tcp from table(10) to any 443 recv xl0 keep-state
squid is listening on 3128 for http and 3129 for https.
this works perfect and my users can surf normally the internet, also websites with SSL are working (getting an error of the SSL, because the certificate does not really match). but anyway.
i've attached my squid.conf for reference.
but anyway, testing apple updates -> no problem.
trying to update windows -> error.
i get error 0x80072F8F complaining about the date/time of the update certificate.
is there a way to solve my problems? i've tried using no-cache, allow_direct, etc.. and I failed.
-steven
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 8080 # http2
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 563 # snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl cyb_methods method GET POST CONNECT SSL
acl cyb_pools src localhost
acl cyb_pools src 10.0.0.0/8
acl cyb_pools src 172.16.0.0/30
acl cyb_urls url_regex -i "/usr/local/etc/squid/urls.allow"
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
deny_info http://212.90.x.x:8100 cyb_methods
deny_info http://212.90.x.x:8100 cyb_urls
http_access allow cyb_pools Safe_ports cyb_methods cyb_urls
http_access deny !cyb_urls
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
htcp_access deny all
http_port 127.0.0.1:3128 transparent
https_port 127.0.0.1:3129 cert=/usr/local/etc/ssl/_.cybernet.ch.crt key=/usr/local/etc/ssl/_.cybernet.ch.key cafile=/usr/local/etc/ssl/ca-bundle.crt transparent
tcp_outgoing_address 212.90.x.x
ssl_unclean_shutdown on
sslproxy_flags DONT_VERIFY_PEER NO_DEFAULT_CA
hierarchy_stoplist cgi-bin ?
access_log /usr/local/squid/logs/access.log squid
debug_options ALL,1 33,2
url_rewrite_host_header off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_mgr support@xxxxxxxxxx
httpd_suppress_version_string off
visible_hostname somehostname.boxname.ch
icp_port 0
forwarded_for off
coredump_dir /usr/local/squid/cache
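
An added example, not part of the original message and not Squid's own tooling: a small Python audit that reads squid.conf text and flags the TLS interception settings visible in the configuration above (a fixed certificate on an intercepting https_port, and sslproxy_flags that switch off upstream verification). The function names and finding IDs are hypothetical, and the sample input is constructed from three lines of the posted file.

```python
# Constructed sample: three directives copied from the squid.conf in the post.
SAMPLE_CONF = """\
http_port 127.0.0.1:3128 transparent
https_port 127.0.0.1:3129 cert=/usr/local/etc/ssl/_.cybernet.ch.crt key=/usr/local/etc/ssl/_.cybernet.ch.key cafile=/usr/local/etc/ssl/ca-bundle.crt transparent
sslproxy_flags DONT_VERIFY_PEER NO_DEFAULT_CA
"""

INTERCEPT_WORDS = {"transparent", "intercept"}  # "intercept" is the later name


def parse_directives(text):
    """Yield (line_no, name, args) for each directive, skipping comments.

    Simplification: everything after '#' on a line is treated as a comment.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            yield line_no, name, args


def audit_tls_interception(text):
    """Return (line_no, finding_id, message) tuples for risky TLS settings."""
    findings = []
    for line_no, name, args in parse_directives(text):
        if name == "https_port" and INTERCEPT_WORDS & set(args):
            cert = next((a[5:] for a in args if a.startswith("cert=")), None)
            if cert:
                findings.append((line_no, "STATIC_CERT_INTERCEPT",
                                 f"every intercepted site is answered with {cert}; "
                                 "clients that check the server name will reject it"))
        elif name == "sslproxy_flags":
            # Accept space- or comma-separated flags.
            flags = {f for a in args for f in a.split(",")}
            if "DONT_VERIFY_PEER" in flags:
                findings.append((line_no, "UPSTREAM_VERIFY_OFF",
                                 "upstream certificates that fail verification are accepted"))
            if "NO_DEFAULT_CA" in flags:
                findings.append((line_no, "NO_DEFAULT_CA",
                                 "OpenSSL's default CA list is not used for upstream servers"))
    return findings


if __name__ == "__main__":
    for line_no, finding_id, message in audit_tls_interception(SAMPLE_CONF):
        print(f"line {line_no}: {finding_id}: {message}")
```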