Search squid archive

Re: windows updates

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I took out the ssl bump but I added the 1 that was missing from your list below with no positive results.  Windows update just spins and eventually times out.  This is what my config looks like if you have any advice.  Again, the proxy is working for normal web traffic, just not with windows update.

visible_hostname squid
workers 6
cache_mem 1024 MB
maximum_object_size_in_memory 1024 KB
memory_cache_shared on
range_offset_limit 200 MB
maximum_object_size 200 MB
cache_dir aufs /var/scached 4096 16 256
access_log /var/log/squid/access.log squid
cache_mgr manager
cachemgr_passwd none all
http_access allow manager localhost
http_access deny manager

#Handling HTTP requests
http_port 3129 intercept
acl blocked url_regex gmail
http_access deny blocked
acl allowed_http_sites dstdomain "/etc/squid/allowed-sites.txt"
http_access allow allowed_http_sites

#Handling HTTPS requests
https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept
acl SSL_port port 443
http_access allow SSL_port
acl allowed_https_sites ssl::server_name "/etc/squid/allowed-sites.txt"
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump peek step2 allowed_https_sites
ssl_bump splice step3 allowed_https_sites
ssl_bump terminate step2 all




Doug Tucker
Sr. Director of Networking and Linux Operations

o: 817.975.5832  
e: doug.tucker@xxxxxxxxxxxxxxxx  


Newscycle Solutions is now Naviga. Learn more.


CONFIDENTIALITY NOTICE: The contents of this email message and any attachments are intended solely for the addressee(s) and may contain confidential and/or privileged information and may be legally protected from disclosure. If you are not the intended recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply email and then delete this message and any attachments. If you are not the intended recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibite


From: NgTech LTD <ngtech1ltd@xxxxxxxxx>
Sent: Sunday, March 16, 2025 6:43 PM
To: Doug Tucker <doug.tucker@xxxxxxxxxxxxxxxx>
Cc: squid-users@xxxxxxxxxxxxxxxxxxxxx <squid-users@xxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [squid-users] windows updates
 
You don't often get email from ngtech1ltd@xxxxxxxxx. Learn why this is important
I have not tried to use SSL bump but with a regular proxy which blocks everything else then the next list of dstdomain:
.delivery.mp.microsoft.com (http)
.dsp.mp.microsoft.com (http)
.download.windowsupdate.com (http)
static.edge.microsoftapp.net (HTTPS-connect)

The windows updates works just fine.
And as I wrote before, there are two channels: Secure for communication and plain HTTP for data transfer.

If you need more help let me know.

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd@xxxxxxxxx


On Sun, Mar 16, 2025 at 4:34 PM Doug Tucker <doug.tucker@xxxxxxxxxxxxxxxx> wrote:
No, no one responded.

Doug Tucker
Sr. Director of Networking and Linux Operations
From: NgTech LTD <ngtech1ltd@xxxxxxxxx>
Sent: Sunday, March 16, 2025 2:38:35 AM
To: Doug Tucker <doug.tucker@xxxxxxxxxxxxxxxx>
Cc: squid-users@xxxxxxxxxxxxxxxxxxxxx <squid-users@xxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [squid-users] windows updates
 
You don't often get email from ngtech1ltd@xxxxxxxxx. Learn why this is important

Naviga WARNING: External email. Please verify sender before opening attachments or clicking on links.

Hey,

Did you manage to find a solution for your use case?
Let me know if you need assistance with this issue.

Eliezer
----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd@xxxxxxxxx


On Tue, Mar 4, 2025 at 1:57 AM Doug Tucker <doug.tucker@xxxxxxxxxxxxxxxx> wrote:
I have read through everything I can find on this subject but still cannot seem to get around the issue of windows updates not working through the squid transparent proxy.  No matter what I try I continue to see this in the cache log and windows update will not connect.

2025/03/03 23:26:55 kid5| Error negotiating SSL on FD 25: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)

I tried adding the info from the following doc to no avail.



The relevant parts of my squid.conf:

#Handling HTTPS requests
https_port 3130 cert=/etc/squid/ssl/squid.pem ssl-bump intercept
acl SSL_port port 443
http_access allow SSL_port
acl allowed_https_sites ssl::server_name "/etc/squid/allowed-sites.txt"
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1 all
ssl_bump peek step2 allowed_https_sites
ssl_bump splice step3 allowed_https_sites
ssl_bump terminate step2 all

#windows update
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex -i "/etc/squid/url.nobump"
ssl_bump splice NoSSLIntercept
ssl_bump peek DiscoverSNIHost
ssl_bump bump all

I ran tcpdump and added every url i could find to the allowed-sites.txt and added the 2 sites recommended tot he url.nobump.  If anyone has gotten this to work any help would be appreciated. 






Doug Tucker
Sr. Director of Networking and Linux Operations

o: 817.975.5832  
e: doug.tucker@xxxxxxxxxxxxxxxx  


Newscycle Solutions is now Naviga. Learn more.


CONFIDENTIALITY NOTICE: The contents of this email message and any attachments are intended solely for the addressee(s) and may contain confidential and/or privileged information and may be legally protected from disclosure. If you are not the intended recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply email and then delete this message and any attachments. If you are not the intended recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibite


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux