[squid-users] windowsupdate and ssl_bump

Josep Borrell jborrell at central.aplitec.com
Sat Oct 18 07:56:11 UTC 2014


Hi,

We are using a 3.4.8 squid Proxy in intercept mode via wccp.
Squid intercepts HTTP and HTTPS via ssl_bump.
Everything works fine except that Windows machines can't run Windows Update.
It does not work at all and gives error 80072F8F.
With HTTPS redirection disabled, everything works fine.

Does anyone know how to keep SSL interception enabled while keeping Windows Update functional?

Thanks

Josep


Squid.conf:


# Disable caching for the destination domains listed in no-cache.acl.
# "cache" rules are checked in order, so the deny must stay above the
# catch-all allow that follows it.
acl disable-dom-cache dstdomain -i "/etc/squid3/no-cache.acl"
cache deny disable-dom-cache
cache allow all

# HTTPS (SSL) traffic interception options
# Helper that generates the per-host certificates used for bumped connections:
# -s is its on-disk certificate database, -M the size limit of that database.
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/spool/squid3_ssldb -M 4MB
sslcrtd_children 8 startup=1 idle=1
# Exempt the domains listed in no-ssl-bump.acl from bumping. ssl_bump rules are
# evaluated in order, so this exemption must stay above the catch-all rule.
# As noted by the author, on intercepted connections this dstdomain match relies on
# reverse DNS of the destination IP and does not always work.
# NOTE(review): if the exemption is meant to cover clients that reject the
# proxy-generated certificate (e.g. Windows Update), a failed rDNS match means
# those connections are still bumped. A dst (IP/subnet) ACL, or SNI-based
# matching with ssl::server_name and peek/splice on Squid 3.5+, is more reliable.
acl disable-ssl-bump dstdomain -i "/etc/squid3/no-ssl-bump.acl"
ssl_bump none disable-ssl-bump
# Everything else is bumped: Squid contacts the origin server first and then
# presents the client with a certificate signed by the local CA.
# NOTE(review): clients that do not trust that CA, or that only accept the
# vendor's own certificate chain, will refuse the connection; error 80072F8F
# looks consistent with such a certificate failure - confirm on a client.
# NOTE(review): "none" and "server-first" are the Squid 3.3/3.4 action names;
# Squid 3.5+ replaces them with splice/bump.
ssl_bump server-first all

# Videos/Music/Images/Libraries accelerator
# External Store-ID helper script and the size of its process pool.
# NOTE(review): the helper is handed client-requested URLs, which with
# ssl_bump enabled includes URLs from decrypted HTTPS sessions; keep the
# script and the domain list writable only by an administrator.
store_id_program /etc/squid3/ut-storeid.php
store_id_children 25 startup=10 idle=5 concurrency=0
# Only requests to the destination domains listed in api-storeid-trial.txt
# are passed to the helper; all other requests bypass it.
acl storeiddoms dstdomain -i '/etc/squid3/api-storeid-trial.txt'
store_id_access allow storeiddoms
store_id_access deny all

# NOTE(review): "off" lets Squid choose the upstream server for intercepted
# traffic from the Host header (DNS) instead of always using the original
# destination IP. Squid's default is "on"; confirm that "off" is intended.
client_dst_passthru off

# NOTE(review): no ACL limits who may use the proxy. Any host that can reach
# port 3128 can relay requests through it (open proxy). The stock squid.conf
# allows only local networks and ends with "http_access deny all"; it also
# restricts CONNECT to SSL ports, which is missing here.
http_access allow all

# Forward-proxy listener for explicitly configured clients.
http_port 3128
# Listener for intercepted plain HTTP.
http_port 8080 intercept
# Listener for intercepted HTTPS with SSL-Bump and on-the-fly host certificates.
# No key= is given, so squidcert.pem is expected to hold both the signing CA
# certificate and its private key.
# NOTE(review): that private key can sign a certificate for any site that
# clients trusting this CA will accept; keep the file readable only by the
# Squid service account and treat any exposure as a CA compromise.
https_port 8081 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squidcert.pem

# Forwarding retries and memory/disk object size limits.
forward_max_tries 25
cache_mem 2 GB
maximum_object_size_in_memory 25 MB
maximum_object_size 1 GB

# Hostname Squid reports for itself (error pages, Via header).
visible_hostname squid-v2

# Disk cache: 45000 MB under /var/spool/squid3, 16 first-level and 256
# second-level directories, LFUDA replacement.
coredump_dir /var/spool/squid3
cache_replacement_policy heap LFUDA
cache_dir aufs /var/spool/squid3 45000 16 256

# refresh_pattern fields: regex, min (minutes), percent, max (minutes), options.
# First rule: aggressive caching for the internal Store-ID namespace; the
# options tell Squid to disregard Expires/Last-Modified, client reloads and the
# no-store, private, Authorization and must-revalidate controls.
# NOTE(review): ignore-private and ignore-auth allow a response meant for one
# user to be stored in the shared cache and served to another. That is only
# safe if URLs rewritten into this namespace never carry per-user content -
# verify against the Store-ID helper and its domain list.
refresh_pattern ^http:\/\/.*\.unveiltech\.internal.*  10080 80%  79900  override-expire override-lastmod refresh-ims reload-into-ims ignore-reload ignore-no-store ignore-private ignore-auth ignore-must-revalidate
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 10080
# Dynamic content (cgi-bin or query strings) is never treated as fresh.
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 80% 10080


# FortiGate interface of wccp
wccp2_router 192.168.111.1
# wccp version 2 configuration
# NOTE(review): no password= is set on the service, so WCCP messages between
# the router and Squid are unauthenticated. Consider setting it on both ends
# if the segment is shared with other hosts.
wccp2_service standard 90
# tunneling method GRE for forward traffic
wccp2_forwarding_method gre
# tunneling method GRE for return traffic
wccp2_return_method gre
# which interface to use for WCCP (0.0.0.0 determines the interface from routing)
wccp2_address 0.0.0.0

# SNMP agent listening on UDP port 3401.
# NOTE(review): "snmp_access allow all" answers queries from any source
# address, and no snmp_community ACL is defined in this file. Restrict access
# to the monitoring host(s) and require a community string.
snmp_port 3401
snmp_access allow all
