[squid-users] can't download microsoft cert file

Amos Jeffries squid3 at treenet.co.nz
Sun Dec 15 10:40:29 UTC 2019


On 15/12/19 1:16 pm, robert k Wild wrote:
> hi Amos,
> 
> thank you for getting back to me about this :)
> 
> this is my new config
> 
> #
> #SSL
> http_port 3128 ssl-bump \
> cert=/usr/local/squid/etc/ssl_cert/myCA.pem \
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all
> 
> #Windows Updates
> acl windowsupdate dstdomain "/usr/local/squid/etc/wu.txt"
> acl CONNECT method CONNECT
> acl wuCONNECT dstdomain "/usr/local/squid/etc/wu.txt"
> http_access allow CONNECT wuCONNECT
> http_access allow windowsupdate
> 
...
> 
> #
> # Recommended minimum Access Permission configuration:
> #
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
> 
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
> 
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
> 
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
> 
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
> 
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
> 
...

> 
> the reason why I have added the windows update lines at the beginning is
> that the link says so (below)
> 
> https://linuxnlenux.wordpress.com/2014/10/14/howto-allow-windows-updates-through-squid/
> 

That is a copy-n-paste of an old email without any of the context. See
<https://wiki.squid-cache.org/SquidFaq/WindowsUpdate> for the full
context and more up to date info.

Note that the things that need to be first are very specifically a
sub-set of the MS domains which use a non-443 port for call-home traffic
so they would normally get blocked by the SSL_ports protection.


For a generic whitelist you should still have your list where the config
says "INSERT YOUR OWN RULES ..." .


> 
> and when I'm looking at the logs in real time
> 
> 1576368417.620     48 10.100.1.5 NONE/200 0 CONNECT fe3cr.delivery.mp.microsoft.com:443 - HIER_DIRECT/191.232.139.2 -
> 1576368417.647      0 10.100.1.5 NONE/503 4363 POST https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx - HIER_NONE/- text/html
> 1576368419.702      0 - TCP_MEM_HIT/200 807 GET http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crt - HIER_NONE/- application/octet-stream
> 

These show good progress from where you started off. The cert is being
downloaded fine. The tunnel is being bumped fine. But the POST request
which was decrypted could not be serviced.

Can you find out what the 503 message says?


Amos
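As an added example that is not part of this thread or of the Squid FAQ, here is a squid.conf http_access ordering that follows the advice above: only the call-home sub-set is allowed through CONNECT before the SSL_ports check, and the generic whitelist sits where the default file says "INSERT YOUR OWN RULE(S) HERE". ACL names and wu.txt come from Robert's config; wu-callhome.txt, the localnet range and the shortened Safe_ports list are placeholders.

```conf
# --- ACL definitions ---
acl SSL_ports port 443
acl Safe_ports port 80 443 1025-65535      # placeholder: shortened default list
acl CONNECT method CONNECT
acl localnet src 10.0.0.0/8                # placeholder: your client networks

# Placeholder file: ONLY the small sub-set of Microsoft domains that call
# home on a non-443 port. Take the real list from the Squid FAQ
# WindowsUpdate page; do not reuse the full wu.txt here.
acl wuCONNECT dstdomain "/usr/local/squid/etc/wu-callhome.txt"

# The broad Windows Update domain list from the original config.
acl windowsupdate dstdomain "/usr/local/squid/etc/wu.txt"

# --- Access rules: Squid stops at the first matching http_access line ---

# 1. The call-home sub-set must be allowed to CONNECT *above* the
#    "deny CONNECT !SSL_ports" line, or that line blocks its non-443 port.
#    If the FAQ names the port, add a "port" ACL to this line to narrow it.
http_access allow CONNECT wuCONNECT

# 2. Recommended minimum protection, unchanged from the default squid.conf.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

# 3. "INSERT YOUR OWN RULE(S) HERE": the generic whitelist belongs here,
#    after the protections above, so a matching domain still cannot reach
#    an unsafe port or the cache manager.
http_access allow windowsupdate
http_access allow localnet
http_access allow localhost
http_access deny all
```

Placing the whole wu.txt list above step 2, as in the original config, lets every listed domain bypass the Safe_ports and manager checks, which is why Amos limits the early rule to the call-home sub-set.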

