Re: cant download microsoft cert file

hi Amos,

so this is my new config -

#
# Recommended minimum configuration:
#

#SSL
http_port 3128 ssl-bump \
cert=/usr/local/squid/ssl_cert/myCA.pem \
cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS \
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10       # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
#Windows Update
acl windowsupdate dstdomain .microsoft.com .windows.com .windowsupdate.com .windows.net
acl CONNECT method CONNECT
acl wuCONNECT dstdomain .microsoft.com .windows.com .windowsupdate.com .windows.net
http_access allow CONNECT wuCONNECT
http_access allow windowsupdate

acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex -i .microsoft.com .windows.com .windowsupdate.com .windows.net
ssl_bump splice NoSSLIntercept
ssl_bump peek DiscoverSNIHost
ssl_bump bump all

acl BrokenButTrustedServers dstdomain .microsoft.com .windows.com .windowsupdate.com .windows.net
acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
sslproxy_cert_error deny all

#HTTP_HTTPS whitelist websites
acl whitelist ssl::server_name "/usr/local/squid/etc/urlwhite.txt"
http_access allow whitelist

#URL deny MIME types
acl mimetype rep_mime_type "/usr/local/squid/etc/mimedeny.txt"
http_reply_access deny mimetype
http_access deny all

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

but I'm still getting the exact same logs

error 503 means:

503 Service Unavailable (RFC 1945, 2616)

thanks,
rob

On Sun, 15 Dec 2019 at 10:40, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 15/12/19 1:16 pm, robert k Wild wrote:
> hi Amos,
>
> thank you for getting back to me about this :)
>
> this is my new config
>
> #
> #SSL
> http_port 3128 ssl-bump \
> cert=/usr/local/squid/etc/ssl_cert/myCA.pem \
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s
> /var/lib/ssl_db -M 4MB
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all
>
> #Windows Updates
> acl windowsupdate dstdomain "/usr/local/squid/etc/wu.txt"
> acl CONNECT method CONNECT
> acl wuCONNECT dstdomain "/usr/local/squid/etc/wu.txt"
> http_access allow CONNECT wuCONNECT
> http_access allow windowsupdate
>
...
>
> #
> # Recommended minimum Access Permission configuration:
> #
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
>
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
>
...

>
> the reason why I have added the windows update lines at the beginning is
> that the link says so (below)
>
> https://linuxnlenux.wordpress.com/2014/10/14/howto-allow-windows-updates-through-squid/
>

That is a copy-n-paste of an old email without any of the context. See
<https://wiki.squid-cache.org/SquidFaq/WindowsUpdate> for the full
context and more up to date info.

Note that the things that need to be first are very specifically a
sub-set of the MS domains which use a non-443 port for call-home traffic
so they would normally get blocked by the SSL_ports protection.


For a generic whitelist you should still have your list where the config
says "INSERT YOUR OWN RULES ..." .


>
> and when I'm looking at the logs in real time
>
> 1576368417.620     48 10.100.1.5 NONE/200 0 CONNECT fe3cr.delivery.mp.microsoft.com:443 - HIER_DIRECT/191.232.139.2 -
> 1576368417.647      0 10.100.1.5 NONE/503 4363 POST https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx - HIER_NONE/- text/html
> 1576368419.702      0 - TCP_MEM_HIT/200 807 GET http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crt - HIER_NONE/- application/octet-stream
>

These show good progress from where you started off. The cert is being
downloaded fine. The tunnel being bumped fine. But the POST request
which was decrypted could not be serviced.

Can you find out what the 503 message says?


Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users


--
Regards,

Robert K Wild.
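Added example, not part of the thread or of Squid itself: a small triage script over the three access.log lines Rob quoted, re-joined onto one line each (the archive had wrapped them). It parses Squid's native log format and applies the reading Amos gives above: a CONNECT with NONE/200 is the tunnel being opened, an https:// URL in the log can only come from a bumped (decrypted) connection, and a 5xx with HIER_NONE/- means Squid generated the error itself without contacting any upstream. The classification labels and helper names are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: the three access.log lines quoted in the thread,
# each re-joined onto a single line.
SAMPLE_LOG = """\
1576368417.620     48 10.100.1.5 NONE/200 0 CONNECT fe3cr.delivery.mp.microsoft.com:443 - HIER_DIRECT/191.232.139.2 -
1576368417.647      0 10.100.1.5 NONE/503 4363 POST https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx - HIER_NONE/- text/html
1576368419.702      0 - TCP_MEM_HIT/200 807 GET http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crt - HIER_NONE/- application/octet-stream
"""

# Squid native format:
# time elapsed client result/status bytes method URL user hierarchy/peer mime
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)


@dataclass
class Entry:
    ts: float
    client: str
    result: str
    status: int
    method: str
    url: str
    hier: str
    peer: str
    mime: str


def parse_line(line):
    """Parse one native-format access.log line; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(float(m["ts"]), m["client"], m["result"], int(m["status"]),
                 m["method"], m["url"], m["hier"], m["peer"], m["mime"])


def classify(e):
    """Label one entry (labels are this example's own, not Squid terminology)."""
    if e.method == "CONNECT":
        # NONE/200 on a CONNECT: Squid accepted the tunnel request.
        return "tunnel-open" if e.status == 200 else "tunnel-refused"
    if e.url.startswith("https://"):
        # Only a bumped (decrypted) TLS connection yields an https:// URL here.
        if e.status >= 500 and e.hier == "HIER_NONE":
            # Squid produced the error itself; no origin or peer was contacted.
            return "bumped-unserviced"
        return "bumped-served"
    if "HIT" in e.result:
        return "cache-hit"
    return "plain-forwarded"


def triage(text):
    """Return (client, method, url, label) for every parseable line."""
    findings = []
    for line in text.splitlines():
        e = parse_line(line)
        if e is not None:
            findings.append((e.client, e.method, e.url, classify(e)))
    return findings


def unserviced_hosts(text):
    """Hosts whose decrypted requests Squid answered with a self-generated 5xx."""
    hosts = set()
    for client, method, url, label in triage(text):
        if label == "bumped-unserviced":
            hosts.add(urlsplit(url).hostname)
    return hosts


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
    print("hosts failing after decryption:", unserviced_hosts(SAMPLE_LOG))
```

Run against a live access.log the "bumped-unserviced" rows are the ones to chase next, since the tunnel and the certificate download already succeed; the body of that 503 page (4363 bytes here) is what Amos asks for.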
