[squid-users] Windows 10 Feature Updates not coming through

Paul Hackmann phackmann at gmail.com
Wed Jun 27 14:57:05 UTC 2018 

Hello.  I can't figure out why, but I can get regular windows 10 updates
through the proxy without problem, but the larger feature updates (1803)
always fail to download.  I can do the windows 10 update assistant
manually, and that seems to work ok.  I'm not sure what I am missing.  Do I
have a problem with my configuration?  I am trying to do the download
through port 4120.

http_port 3120
http_port 4120 #intercept

cache_dir ufs /var/spool/squid 10000 16 256

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

acl whitelist dstdomain "/etc/squid/whitelist.conf"
#acl deny_websites dstdomain "/etc/squid/deny_websites.conf"

acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com
acl windowsupdate dstdomain .live.com
acl windowsupdate dstdomain .digicert.com
acl windowsupdate dstdomain .mp.microsoft.com
acl windowsupdate dstdomain .cms.msn.com

acl CONNECT method CONNECT
acl wuCONNECT dstdomain http://www.update.microsoft.com

range_offset_limit 10000 MB windowsupdate
maximum_object_size 10000 MB
quick_abort_min -1

auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 6
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 4 hours
auth_param basic casesensitive off

acl ncsa_users proxy_auth REQUIRED

#acl manager url_regex -i ^cache_object:// +i ^https?://[^/]+/squid-
internal-mgr/

#acl localhost src 127.0.0.1/32 ::1
#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

acl localnet src 10.0.0.0/8     # RFC 1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC 1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC 1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged)
machines

#acl http proto http
acl SSL_ports port 443
acl port_80 port 80
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

#list of computers that have access by ip address
acl allowed_clients src 192.168.0.9-192.168.0.45 192.168.0.53 192.168.0.65
192.168.0.83 192.168.0.90 192.168.0.91 192.168.0.179 192.168.0.186
192.168.0.220 192.168.0.221 192.168.0.244

acl portX myportname 4120
#ip addresses for 8x8.com webinar software
acl 8x8 dst 8.5.248.0/23 8.28.0.0/22 63.209.12.0/24 162.221.236.0/23
162.221.238.0/23 192.84.16.0/22

acl CONNECT method CONNECT

http_access allow CONNECT wuCONNECT localnet
http_access allow windowsupdate localnet

#rule allowing nonauthenticated users
#http_access allow http port_80 whitelist
http_access allow CONNECT SSL_ports whitelist

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager localhost
http_access deny manager

# domains in deny_websites are DENIED for everybody.
#http_access deny deny_websites

# domains in whitelist are ALLOWED for everybody
http_access allow whitelist

# 8x8.com ip addresses are Allowed for everybody
http_access allow 8x8

# port 4120 traffic is restricted to the above whitelisted domains
http_access deny portX

# otherwise; for port 3120 traffic ...

# only specific clients with whitelisted IPs can use the proxy ...
http_access deny !allowed_clients

# ... and must also login
http_access deny !ncsa_users

http_access allow localnet

http_access deny all

Thanks.

Paul
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20180627/e9398a74/attachment.html>

More information about the squid-users mailing list