Hi Amos,
ok, i have found the rule for it
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name .microsoft.com
ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLIntercept
ssl_bump bump all
but the thing is both windows updates and office activation use the exact same cert file
.microsoft.com/pkiops/certs/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crt
im stuck
or if i can get squid to block windows updates altogether?
Thanks,
Rob
On Sat, 11 Jan 2020, 01:40 Amos Jeffries, <squid3@xxxxxxxxxxxxx> wrote:
On 11/01/20 11:46 am, robert k Wild wrote:
> hi all,
>
> i have added all these lines to my squid config as it wasnt allowing
> office activation
>
> https://wiki.squid-cache.org/SquidFaq/WindowsUpdate
>
> but now its allowing office activation and now windows updates but i
> dont want it to do windows updates as this is managed by our WSUS server
>
That would be right then. As the wiki page name indicates that config is
all about allowing WindowsUpdate.
> what are the corect lines to just do the office activation
>
This is a strong indication you still do not understand how ACLs work.
So your reference points are:
<https://wiki.squid-cache.org/SquidFaq/SquidAcl>
and
<http://www.squid-cache.org/Doc/config/acl/>
> as when i comment out all the lines i get this
>
> 0 - TCP_DENIED/403 3810 GET
> http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crt
>
That then is the first URL you need to let clients access.
Once that is accessible the activation process will get further and
there may be others. When you know the whole set there may be some
optimizations your rules can use to simplify the final config.
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
