On Wed, 05 May 2010 18:46:18 +0200, b1 <forum@xxxxxxxxxxx> wrote:
> Hello everybody
>
> At our school we are using squid 2.7 stable on a Debian Lenny machine.
> Users are authenticated via an Active Directory. Users without
> Authentication are denied Internet access.
>
> Unfortunately we have some Windows Desktops, which are trying to pull
> their updates, without using the Credentials of the user's Domain-Logon.
> These updates were consequently denied. Therefore we wanted to add
> exceptions to always allow connections to the Microsoft update sites.
> This is how I tried to implement this, by putting the following lines at
> the top of our squid.conf:
>
> acl windowsupdate dstdomain .microsoft.com
> acl windowsupdate dstdomain download.windowsupdate.com
> acl windowsupdate dstdomain wustat.windows.com
> acl windowsupdate2 dst 89.202.157.135
> acl windowsupdate2 dst 89.202.157.136
> acl windowsupdate2 dst 89.202.157.137
> acl windowsupdate2 dst 89.202.157.138
> acl windowsupdate2 dst 89.202.157.139
> acl windowsupdate dstdomain .eset.com
> acl windowsupdate dstdomain microsoftwga.112.207.net
> acl windowsupdate dstdomain .msft.net
>
> acl CONNECT method CONNECT
> acl wuCONNECT dstdomain www.update.microsoft.com
> acl wuCONNECT dstdomain sls.microsoft.com
>
> acl localnet src 172.16.0.0/12
> acl localhost src 127.0.0.1/32
>
> http_access allow CONNECT wuCONNECT localnet
> http_access allow CONNECT wuCONNECT localhost
> http_reply_access allow CONNECT wuCONNECT localnet
> http_reply_access allow CONNECT wuCONNECT localhost
> http_access allow windowsupdate localnet
> http_access allow windowsupdate localhost
> http_reply_access allow windowsupdate localnet
> http_reply_access allow windowsupdate localhost
>
> Unfortunately it's not working. It would be great, if anybody had some
> hints why this is not working, or if anybody has a working
> configuration himself.
>

Works for me. Order is very important though when mixing with auth.
To avoid auth the whole set needs to be in the config file before the first http_access line which uses auth.

I also note your addition of a "windowsupdate2" ACL. If that is some local WSUS server it needs its own copy of each WU *_access line to be treated the same as regular WU.

Amos
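
Added example, not part of the original thread and not Squid tooling: a small Python check for the two points in the reply above. It reports bypass `http_access allow` rules that come after the first `http_access` line using a `proxy_auth` ACL, and ACLs that are defined but never referenced by any `*_access` line. The `authed` ACL, the auth/deny lines, and the shortened ACL list in the sample are constructed assumptions, since the poster's auth rules are not shown.

```python
AUTH_TYPES = {"proxy_auth", "proxy_auth_regex"}  # Squid ACL types that require credentials

def audit(conf_text, bypass_acls):
    """Return (unused_acls, late_rules) for squid.conf text."""
    acl_types, used, late, first_auth = {}, set(), [], None
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split()
        if len(tokens) < 3 or tokens[0].startswith("#"):
            continue
        if tokens[0] == "acl":
            acl_types.setdefault(tokens[1], tokens[2])
        elif tokens[0].endswith("_access"):
            names = {t.lstrip("!") for t in tokens[2:]}
            used |= names
            if tokens[0] != "http_access":
                continue
            if any(acl_types.get(n) in AUTH_TYPES for n in names):
                if first_auth is None:
                    first_auth = lineno
            elif first_auth is not None and tokens[1] == "allow" and names & bypass_acls:
                # Placed after the first auth rule: unauthenticated clients are challenged first
                late.append((lineno, raw.strip()))
    return sorted(set(acl_types) - used), late

# Constructed sample config pieces (shortened from the thread; auth lines are assumed)
ACLS = """\
acl windowsupdate dstdomain .microsoft.com download.windowsupdate.com
acl windowsupdate2 dst 89.202.157.135
acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com sls.microsoft.com
acl localnet src 172.16.0.0/12
acl all src all
acl authed proxy_auth REQUIRED
"""
WU = """\
http_access allow CONNECT wuCONNECT localnet
http_access allow windowsupdate localnet
"""
AUTH = """\
http_access allow authed
http_access deny all
"""
BROKEN = ACLS + AUTH + WU   # auth rule first: exceptions are never reached unauthenticated
FIXED = ACLS + WU + AUTH    # exceptions before the first auth rule
BYPASS = {"windowsupdate", "wuCONNECT"}

if __name__ == "__main__":
    for label, conf in (("auth first", BROKEN), ("exceptions first", FIXED)):
        unused, late = audit(conf, BYPASS)
        print(label, "| unused ACLs:", unused, "| rules after auth:", late)
```

In both sample orderings `windowsupdate2` is reported as unused, which is the situation the reply points out: the ACL is defined but no `*_access` line refers to it.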