Re: cant download microsoft cert file

hi Amos,

thank you for getting back to me about this :)

this is my new config

#
#SSL
http_port 3128 ssl-bump \
cert=/usr/local/squid/etc/ssl_cert/myCA.pem \
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

#Windows Updates
acl windowsupdate dstdomain "/usr/local/squid/etc/wu.txt"
acl CONNECT method CONNECT
acl wuCONNECT dstdomain "/usr/local/squid/etc/wu.txt"
http_access allow CONNECT wuCONNECT
http_access allow windowsupdate

#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10       # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

the reason I have added the Windows Update lines at the beginning is that the link (below) says so

https://linuxnlenux.wordpress.com/2014/10/14/howto-allow-windows-updates-through-squid/

this is my domain list

#Microsoft
.bing.com
.msn.com
.msedge.net
.msftauth.net
.msauth.net
.msocdn.com
.outlook.com
.onedrive.com
.office.net
.office.com
.office365.com
.microsoft.com
.microsoftonline.com
.c.s-microsoft.com
.live.com
.live.net
.akamaized.net
.akamaihd.net
.svc.ms
.lync.com
.skype.com
.gfx.ms
.sharepoint.com
.sharepointonline.com
.windowsupdate.com
.windows.net
.edgesuite.net
.a-msedge.net
.akamaiedge.net
.sfx.ms
.azureedge.net
.trafficmanager.net
.azure.com
#Google
.google.com
.google.co.uk
.googleusercontent.com
.googleapis.com
.withgoogle.com
.gstatic.com
#Adobe
.adobedtm.com
.adobe.io
.adobe.com
.adobelogin.com

and when I'm looking at the logs in real time

1576368417.620     48 10.100.1.5 NONE/200 0 CONNECT fe3cr.delivery.mp.microsoft.com:443 - HIER_DIRECT/191.232.139.2 -
1576368417.647      0 10.100.1.5 NONE/503 4363 POST https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx - HIER_NONE/- text/html
1576368419.702      0 - TCP_MEM_HIT/200 807 GET http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crt - HIER_NONE/- application/octet-stream

Squid works fine, just as you said, on certain apps/programs, so I'm really struggling with this one

thanks,
rob

On Sat, 14 Dec 2019 at 22:35, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 15/12/19 4:21 am, robert k Wild wrote:
> so this is my config file -
>
> #
> # Recommended minimum configuration:
> #
>
> #SSL
> http_port 3128 ssl-bump \
> cert=/usr/local/squid/etc/ssl_cert/myCA.pem \
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

> sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s
> /var/lib/ssl_db -M 4MB

> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all
>

(elided default localnet and port ACL definitions)

>
> #
> # Recommended minimum Access Permission configuration:
> #
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
>
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #

  ^^^ HINT.

>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
>
> # Squid normally listens to port 3128
> http_port 3128
>

This is the second port 3128 config, and it does not match the earlier one.


>
> as you can see I have removed the whitelist/mime config lines
>
> but when I come to activating Office it just can't get online to do it
> via the client app installed on my PC

If that is still happening with this default config I would be starting
to suspect things outside of Squid. Like firewall or routing rules, the
client app not supporting proxies properly - stuff like that.

Though 403 in the proxy log does indicate an explicitly forbidden
action. The way you truncated the log line cut away most of the useful
info that points at where to focus the troubleshooting efforts.


>
> but internet isn't blocked as I can go to any website
>

Do you want it to work with the whitelisting ACL you mentioned?

If yes, then you do need to show at least the http_access directives
using it and the exact entry you added for the microsoft.com domain(s).

Same for the "mime" config lines you mention, but for those any part of
it could be relevant so we will need to see the whole of that stuff.


You have omitted the default "http_access deny all" which should be the
last http_access line in your config. Not a problem in the config as
shown, but if you have other rules they can change the implicit default
into a bad situation very easily.



Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users


--
Regards,

Robert K Wild.
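The thread turns on two things: whether the Microsoft hosts actually match the dstdomain entries in wu.txt, and what the pair of log lines (a CONNECT answered NONE/200, then a POST to the same host answered NONE/503 with HIER_NONE, i.e. no server hop) says about where the failure is. The script below is an added example written for this page; it is not code from the thread or from the Squid project. It implements Squid's documented dstdomain rule (a leading dot matches the domain and every subdomain, a bare name matches only exactly), parses native-format access.log lines, and reports requests that were either denied by http_access or that failed inside Squid after a successful CONNECT to the same host. The log lines and the allow-list in it are constructed to mirror the shape of what was posted, with two extra lines (a plain allowed GET and a denied CONNECT) added so both outcomes are exercised; hostnames, IPs and the 403 line are assumptions, not observations from the original post.

```python
"""Correlate Squid native access.log lines with a dstdomain allow-list.

Added example for this thread, not Squid's own code. Assumptions (not in the
original post): SAMPLE_LOG and ALLOW_LIST are constructed; the dstdomain
semantics are the documented ones (".foo.com" matches foo.com and any
subdomain, "foo.com" matches only foo.com).
"""
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on the posted lines; the last two are assumed.
SAMPLE_LOG = """\
1576368417.620     48 10.100.1.5 NONE/200 0 CONNECT fe3cr.delivery.mp.microsoft.com:443 - HIER_DIRECT/191.232.139.2 -
1576368417.647      0 10.100.1.5 NONE/503 4363 POST https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx - HIER_NONE/- text/html
1576368419.702      0 - TCP_MEM_HIT/200 807 GET http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crt - HIER_NONE/- application/octet-stream
1576368420.100     12 10.100.1.5 TCP_MISS/200 5120 GET https://www.google.com/ - HIER_DIRECT/142.250.1.1 text/html
1576368421.300      0 10.100.1.5 TCP_DENIED/403 3900 CONNECT example.net:443 - HIER_NONE/- text/html
"""

# Constructed allow-list in wu.txt format ('#' comments, one entry per line).
ALLOW_LIST = """\
#Microsoft
.microsoft.com
.windowsupdate.com
#Google
.google.com
google.co.uk
"""

# Native log format: time elapsed client code/status bytes method URL ident hier/peer type
LOG_RE = re.compile(
    r'^(\d+\.\d+)\s+(\d+)\s+(\S+)\s+(\S+)/(\d{3})\s+(\d+)\s+(\S+)\s+(\S+)\s+'
    r'(\S+)\s+(\S+)/(\S+)\s+(\S+)$'
)


def load_dstdomain_list(text):
    """Parse a dstdomain file: strip '#' comments and blank lines, lower-case."""
    entries = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip().lower()
        if line:
            entries.append(line)
    return entries


def dstdomain_match(host, entries):
    """Return the matching entry, or None. Leading-dot entries cover the
    domain itself and all subdomains; bare entries are exact matches only."""
    host = host.lower().rstrip('.')
    for entry in entries:
        if entry.startswith('.'):
            if host == entry[1:] or host.endswith(entry):
                return entry
        elif host == entry:
            return entry
    return None


def parse_line(line):
    """Parse one native-format line into a dict; None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, _elapsed, client, code, status, _size, method, url, _ident, hier, _peer, _ctype = m.groups()
    # CONNECT logs host:port rather than a URL.
    host = url.rsplit(':', 1)[0] if method == 'CONNECT' else (urlsplit(url).hostname or '')
    return {'ts': float(ts), 'client': client, 'code': code, 'status': int(status),
            'method': method, 'url': url, 'host': host, 'hier': hier}


def analyse(log_text, allow_entries):
    """Return (host, reason, matching_allow_entry) for each suspicious request.

    A CONNECT with status 200 opens a tunnel for (client, host). A later
    non-CONNECT request on that tunnel answered 5xx with HIER_NONE was
    answered by Squid itself, so the allow-list is not what blocked it.
    """
    findings = []
    open_tunnels = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec['client'], rec['host'])
        entry = dstdomain_match(rec['host'], allow_entries)
        if rec['method'] == 'CONNECT' and rec['status'] == 200:
            open_tunnels[key] = rec['ts']
        elif rec['code'] == 'TCP_DENIED' and rec['status'] == 403:
            findings.append((rec['host'], 'denied by http_access', entry))
        elif key in open_tunnels and rec['status'] >= 500 and rec['hier'] == 'HIER_NONE':
            findings.append((rec['host'], 'failed inside Squid after bump (HIER_NONE)', entry))
    return findings


if __name__ == '__main__':
    for host, reason, entry in analyse(SAMPLE_LOG, load_dstdomain_list(ALLOW_LIST)):
        print(f'{host}: {reason}; allow-list entry: {entry}')
```

Run against the constructed sample it reports the Microsoft host as failing inside Squid while still matching `.microsoft.com`, and the denied CONNECT as matching no entry at all; on a real access.log the same split tells you whether to keep editing wu.txt or to look at the bumped TLS connection instead.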
