Hi,

I have a proxy server that uses a self-signed certificate and basic username/password authentication for the HTTP port 2128. Somehow Windows Update is not working through my proxy box. The proxy server is working fine with wget in PowerShell. Below is my error log; I am not sure why it's failing at 503.

1590640145.751 0 52.202.5.238 TCP_DENIED/407 3930 CONNECT login.live.com:443 - HIER_NONE/- text/html
1590640145.794 0 52.202.5.238 TCP_DENIED/407 3930 CONNECT login.live.com:443 - HIER_NONE/- text/html
1590640147.298 0 - TCP_DENIED/407 3720 GET http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt - HIER_NONE/- text/html;charset=utf-8
1590640147.305 0 - TCP_DENIED/407 3720 GET http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt - HIER_NONE/- text/html;charset=utf-8
1590640147.453 0 - TCP_DENIED/407 3720 GET http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt - HIER_NONE/- text/html;charset=utf-8
1590640147.453 966 52.202.5.238 NONE/200 0 CONNECT fe2.update.microsoft.com:443 - HIER_DIRECT/40.91.75.5 -
1590640147.483 0 52.202.5.238 NONE/503 4430 POST https://fe2.update.microsoft.com/v6/ClientWebService/client.asmx - HIER_NONE/- text/html
1590640149.511 0 - TCP_DENIED/407 3720 GET http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt - HIER_NONE/- text/html;charset=utf-8
1590640149.517 0 - TCP_DENIED/407 3720 GET http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt - HIER_NONE/- text/html;charset=utf-8
1590640149.663 0 - TCP_DENIED/407 3720 GET http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt - HIER_NONE/- text/html;charset=utf-8
1590640149.664 161 52.202.5.238 NONE/200 0 CONNECT fe2.update.microsoft.com:443 - HIER_DIRECT/2a01:111:f335:1792::a61 -
1590640149.671 0 52.202.5.238 NONE/503 3948 POST https://fe2.update.microsoft.com/v6/ClientWebService/client.asmx - HIER_NONE/- text/html
1590640151.697 0 - TCP_DENIED/407 3720 GET http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt - HIER_NONE/- text/html;charset=utf-8
1590640151.848 0 - TCP_DENIED/407 3720 GET http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt - HIER_NONE/- text/html;charset=utf-8
1590640151.853 0 - TCP_DENIED/407 3720 GET http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt - HIER_NONE/- text/html;charset=utf-8
1590640151.854 164 52.202.5.238 NONE/200 0 CONNECT fe2.update.microsoft.com:443 - HIER_DIRECT/20.185.109.208 -
1590640151.861 0 52.202.5.238 NONE/503 4434 POST https://fe2.update.microsoft.com/v6/ClientWebService/client.asmx - HIER_NONE/- text/html
1590640152.045 0 - TCP_DENIED/407 3720 GET http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt - HIER_NONE/- text/html;charset=utf-8
1590640152.045 179 52.202.5.238 NONE/200 0 CONNECT sls.update.microsoft.com:443 - HIER_DIRECT/13.74.179.117 -
1590640152.053 0 52.202.5.238 NONE/503 4433 GET https://sls.update.microsoft.com/SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.14393.0/0? - HIER_NONE/- text/html
1590640152.194 0 - TCP_DENIED/407 3720 GET http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt - HIER_NONE/- text/html;charset=utf-8
1590640152.195 137 52.202.5.238 NONE/200 0 CONNECT sls.update.microsoft.com:443 - HIER_DIRECT/2a01:111:f307:1790::f001:7a5 -
1590640152.202 0 52.202.5.238 NONE/503 3953 GET https://sls.update.microsoft.com/SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.14393.0/0? - HIER_NONE/- text/html
1590640152.342 0 - TCP_DENIED/407 3720 GET http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt - HIER_NONE/- text/html;charset=utf-8
1590640152.343 136 52.202.5.238 NONE/200 0 CONNECT sls.update.microsoft.com:443 - HIER_DIRECT/2a01:111:f307:1790::f001:7a5 -
1590640152.349 0 52.202.5.238 NONE/503 3953 GET https://sls.update.microsoft.com/SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.14393.0/0? - HIER_NONE/- text/html
1590640152.488 0 - TCP_DENIED/407 3720 GET http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt - HIER_NONE/- text/html;charset=utf-8
1590640152.489 136 52.202.5.238 NONE/200 0 CONNECT sls.update.microsoft.com:443 - HIER_DIRECT/2a01:111:f307:1790::f001:7a5 -
1590640152.496 0 52.202.5.238 NONE/503 3953 GET https://sls.update.microsoft.com/SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.14393.0/0? - HIER_NONE/- text/html
1590640152.637 0 - TCP_DENIED/407 3720 GET http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt - HIER_NONE/- text/html;charset=utf-8
1590640152.638 138 52.202.5.238 NONE/200 0 CONNECT sls.update.microsoft.com:443 - HIER_DIRECT/2a01:111:f307:1790::f001:7a5 -
1590640152.644 0 52.202.5.238 NONE/503 3953 GET https://sls.update.microsoft.com/SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.14393.0/0? - HIER_NONE/- text/html
1590640152.783 0 - TCP_DENIED/407 3720 GET http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt - HIER_NONE/- text/html;charset=utf-8
1590640152.783 136 52.202.5.238 NONE/200 0 CONNECT sls.update.microsoft.com:443 - HIER_DIRECT/2a01:111:f307:1790::f001:7a5 -
1590640152.790 0 52.202.5.238 NONE/503 3953 GET https://sls.update.microsoft.com/SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.14393.0/0? - HIER_NONE/- text/html
1590640152.930 0 - TCP_DENIED/407 3720 GET http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt - HIER_NONE/- text/html;charset=utf-8
1590640152.931 136 52.202.5.238 NONE/200 0 CONNECT sls.update.microsoft.com:443 - HIER_DIRECT/2a01:111:f307:1790::f001:7a5 -
1590640152.938 0 52.202.5.238 NONE/503 3953 GET https://sls.update.microsoft.com/SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.14393.0/0? - HIER_NONE/- text/html
1590640153.076 0 - TCP_DENIED/407 3720 GET http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt - HIER_NONE/- text/html;charset=utf-8
1590640153.077 137 52.202.5.238 NONE/200 0 CONNECT sls.update.microsoft.com:443 - HIER_DIRECT/2a01:111:f307:1790::f001:7a5 -
1590640153.084 0 52.202.5.238 NONE/503 3953 GET https://sls.update.microsoft.com/SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.14393.0/0? - HIER_NONE/- text/html

I checked the page at https://wiki.squid-cache.org/SquidFaq/WindowsUpdate and added the settings on top, but it is still not working (only tested http_port; https_port is not working :)

acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com

acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com

http_access allow CONNECT wuCONNECT
http_access allow windowsupdate

http_port 2128 ssl-bump tls-cert=/etc/squid/ssl_cert/example.com.cert \
    tls-key=/etc/squid/ssl_cert/example.com.private \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB

https_port 3130 cert=/etc/squid/ssl_cert/example.com.cert \
    key=/etc/squid/ssl_cert/example.com.private

auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
auth_param basic children 5 startup=0 idle=1
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl ncsa_users proxy_auth REQUIRED

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

http_access deny !ncsa_users
http_access allow ncsa_users

Based on the instructions, it seems that we are skipping SSL bump for Windows Update, right? Does it mean Windows Server will not work with any SSL authentication?

Thank you so much!
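Added example, not part of the original post: a short Python triage of access.log entries like the ones quoted above. It separates 407 denials logged with and without a client address from 503 responses that have no upstream server recorded (HIER_NONE) after a CONNECT to the same host was answered 200. The function names and output keys are illustrative choices.

```python
from collections import Counter
from urllib.parse import urlsplit

# Four entries copied from the log in the post (Squid native access.log format).
SAMPLE = """\
1590640145.751 0 52.202.5.238 TCP_DENIED/407 3930 CONNECT login.live.com:443 - HIER_NONE/- text/html
1590640147.298 0 - TCP_DENIED/407 3720 GET http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt - HIER_NONE/- text/html;charset=utf-8
1590640147.453 966 52.202.5.238 NONE/200 0 CONNECT fe2.update.microsoft.com:443 - HIER_DIRECT/40.91.75.5 -
1590640147.483 0 52.202.5.238 NONE/503 4430 POST https://fe2.update.microsoft.com/v6/ClientWebService/client.asmx - HIER_NONE/- text/html
"""

def parse_line(line):
    """Split one native-format entry into the fields used below; None if malformed."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3]:
        return None
    status = f[3].split("/", 1)[1]
    # CONNECT logs "host:port"; other methods log a full URL.
    host = f[6].rsplit(":", 1)[0] if f[5] == "CONNECT" else urlsplit(f[6]).hostname
    return {"client": f[2], "status": status, "method": f[5],
            "host": host, "hier": f[8].split("/", 1)[0]}

def triage(log_text):
    """Count, per destination host, the three patterns visible in the posted log."""
    out = {"denied_with_client": Counter(), "denied_without_client": Counter(),
           "squid_503_after_tunnel": Counter()}
    tunnels = set()  # (client, host) pairs whose CONNECT was answered 200
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        key = (e["client"], e["host"])
        if e["status"] == "407":
            bucket = "denied_without_client" if e["client"] == "-" else "denied_with_client"
            out[bucket][e["host"]] += 1
        elif e["method"] == "CONNECT" and e["status"] == "200":
            tunnels.add(key)
        elif e["status"] == "503" and e["hier"] == "HIER_NONE" and key in tunnels:
            # HIER_NONE/-: no upstream server is recorded for this request.
            out["squid_503_after_tunnel"][e["host"]] += 1
    return out

if __name__ == "__main__":
    for name, counts in triage(SAMPLE).items():
        print(name, dict(counts))
```

Running it over the full access.log instead of `SAMPLE` gives per-host counts for each pattern, which makes it easier to see which destinations are denied for authentication and which fail after the tunnel is accepted.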