[squid-users] squidguard and windows update

Amos Jeffries squid3 at treenet.co.nz
Wed Nov 25 11:51:27 UTC 2015


On 25/11/2015 11:52 p.m., Eliezer Croitoru wrote:
> On 25/11/2015 12:14, Magic Link wrote:
>> 1448445753.714      6 10.22.100.3 TCP_MISS/200 799 GET http://officecdn.microsoft.com/pr/39168D7E-077B-48E7-872C-B232C3E72675/Office/Data/v32.cab - HIER_DIRECT/127.0.0.1 text/html
>> But I do have the denied access page, I can't download the .cab from
>> the browser
>> 1448445766.529      5 10.22.100.3 TCP_MISS/200 834 GET http://au.v4.download.windowsupdate.com/d/msdownload/update/software/updt/2013/12/windows8.1-kb2909569-x64_da69540676fbda6cd24305056220322b8ef91729.cab - HIER_DIRECT/127.0.0.1 text/html
>> But I do have the denied access page, I can't download the .cab from
>> the browser
>> 1448445807.418     50 10.22.100.3 TCP_MISS/200 7450 GET http://v4.download.windowsupdate.com/d/msdownload/update/others/2015/11/19457798_2c503230affa03a9d1065dbf33a681b0fd9a0176.cab - HIER_DIRECT/37.58.147.9 application/octet-stream
>> No denied access page, I can download the .cab from the browser
> 
> Hey,
> 
> From Squid's point of view there are two cases.
> 1 - that is being fetched from 127.0.0.1 and the other is from some
> origin server.
> Have you tried to see what happens when you test\run SquidGuard from
> command line and manually test the request?
> Can you share your squid.conf (stripped of blank and comment lines)?
> 

Wait up.

Magic has been fooled by the marketing words into thinking a "deny page"
from SquidGuard actually denies something. It does not.

All SG does. All it ever can do. Is tell Squid where to fetch the URL
from (rewrite), or to tell Squid to tell the client to try somewhere
else (redirect).

What Magic is thinking of as a "deny" is actually just a statement
"here, fetch the data from 127.0.0.1". Then the SG (aka. 127.0.0.1) when
asked responds by dumping out its HTML "error page" text as the reply.
This unexpected response completely breaks whatever the client needed to
fetch. If the client is a browser then it happily displays the HTML
response (as seen in the test described), otherwise it just *breaks*
whatever application was running.

I expect the real clients are seeing lots of very annoying WindowsUpdate
8002something errors, getting pissed off, and then working to bypass the
"that damn proxy" which is breaking their Windows machines.

What this means for Squid (and sarg) is that the lines above get logged.
The server SG told Squid to contact *did* respond and the response *was*
an "HTTP/1.1 200 OK" reply message.



Magic; I suggest you drop SG and use squid.conf ACLs instead. Everything
SG can do so can Squid itself.

Amos
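
Added example, not part of the original message: a small Python filter for Squid's native access.log format that lists requests whose URL names a remote host but whose upstream peer is loopback, which is how the rewritten "deny" requests above ended up logged as TCP_MISS/200. The sample lines are the three quoted in this thread with wrapped lines rejoined; the function names and the loopback target set are assumptions for illustration.

```python
from urllib.parse import urlsplit

# The three access.log lines quoted in this thread (wrapped lines rejoined).
SAMPLE_LOG = """\
1448445753.714      6 10.22.100.3 TCP_MISS/200 799 GET http://officecdn.microsoft.com/pr/39168D7E-077B-48E7-872C-B232C3E72675/Office/Data/v32.cab - HIER_DIRECT/127.0.0.1 text/html
1448445766.529      5 10.22.100.3 TCP_MISS/200 834 GET http://au.v4.download.windowsupdate.com/d/msdownload/update/software/updt/2013/12/windows8.1-kb2909569-x64_da69540676fbda6cd24305056220322b8ef91729.cab - HIER_DIRECT/127.0.0.1 text/html
1448445807.418     50 10.22.100.3 TCP_MISS/200 7450 GET http://v4.download.windowsupdate.com/d/msdownload/update/others/2015/11/19457798_2c503230affa03a9d1065dbf33a681b0fd9a0176.cab - HIER_DIRECT/37.58.147.9 application/octet-stream
"""

# Assumption: the redirector's block page is served from loopback, as in the thread.
REWRITE_TARGETS = frozenset({"127.0.0.1", "::1", "localhost"})


def parse_line(line):
    """Split one native-format log line into named fields; None if malformed."""
    parts = line.split()
    if len(parts) < 10:
        return None
    _ts, _elapsed, client, result, size, method, url, _user, hier, mime = parts[:10]
    _code, _, status = result.partition("/")   # e.g. TCP_MISS/200
    _how, _, peer = hier.partition("/")        # e.g. HIER_DIRECT/127.0.0.1
    return {"client": client, "status": status, "size": size,
            "method": method, "url": url, "peer": peer, "mime": mime}


def rewritten_hits(log_text, targets=REWRITE_TARGETS):
    """Return entries whose URL host is remote but whose peer is a rewrite target."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        url_host = urlsplit(entry["url"]).hostname
        # A loopback peer for a non-loopback URL means the helper rewrote the request.
        if entry["peer"] in targets and url_host not in targets:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in rewritten_hits(SAMPLE_LOG):
        print(hit["client"], hit["status"], hit["mime"], hit["url"])
```
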


