[squid-users] cant download microsoft cert file

robert k Wild robertkwild at gmail.com
Sun Dec 15 16:24:27 UTC 2019 

hi Amos,

so this is my new config -

#
# Recommended minimum configuration:
#

#SSL
http_port 3128 ssl-bump \
cert=/usr/local/squid/ssl_cert/myCA.pem \
cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS \
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s
/var/lib/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged)
machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10       # RFC 4291 link-local (directly plugged)
machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
#Windows Update
acl windowsupdate dstdomain .microsoft.com .windows.com .windowsupdate.com .
windows.net
acl CONNECT method CONNECT
acl wuCONNECT dstdomain .microsoft.com .windows.com .windowsupdate.com .
windows.net
http_access allow CONNECT wuCONNECT
http_access allow windowsupdate

acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex -i .microsoft.com .windows.com .
windowsupdate.com .windows.net
ssl_bump splice NoSSLIntercept
ssl_bump peek DiscoverSNIHost
ssl_bump bump all

acl BrokenButTrustedServers dstdomain .microsoft.com .windows.com .
windowsupdate.com .windows.net
acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
sslproxy_cert_error deny all

#HTTP_HTTPS whitelist websites
acl whitelist ssl::server_name "/usr/local/squid/etc/urlwhite.txt"
http_access allow whitelist

#URL deny MIME types
acl mimetype rep_mime_type "/usr/local/squid/etc/mimedeny.txt"
http_reply_access deny mimetype
http_access deny all

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

but im still getting the exact same logs

error 503 means

503

Service Unavailable

1945 <http://tools.ietf.org/rfc/rfc1945>, 2616
<http://tools.ietf.org/rfc/rfc2616>
thanks,
rob

On Sun, 15 Dec 2019 at 10:40, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 15/12/19 1:16 pm, robert k Wild wrote:
> > hi Amos,
> >
> > thank you for getting back to me about this :)
> >
> > this is my new config
> >
> > #
> > #SSL
> > http_port 3128 ssl-bump \
> > cert=/usr/local/squid/etc/ssl_cert/myCA.pem \
> > generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> > sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s
> > /var/lib/ssl_db -M 4MB
> > acl step1 at_step SslBump1
> > ssl_bump peek step1
> > ssl_bump bump all
> >
> > #Windows Updates
> > acl windowsupdate dstdomain "/usr/local/squid/etc/wu.txt"
> > acl CONNECT method CONNECT
> > acl wuCONNECT dstdomain "/usr/local/squid/etc/wu.txt"
> > http_access allow CONNECT wuCONNECT
> > http_access allow windowsupdate
> >
> ...
> >
> > #
> > # Recommended minimum Access Permission configuration:
> > #
> > # Deny requests to certain unsafe ports
> > http_access deny !Safe_ports
> >
> > # Deny CONNECT to other than secure SSL ports
> > http_access deny CONNECT !SSL_ports
> >
> > # Only allow cachemgr access from localhost
> > http_access allow localhost manager
> > http_access deny manager
> >
> > # We strongly recommend the following be uncommented to protect innocent
> > # web applications running on the proxy server who think the only
> > # one who can access services on "localhost" is a local user
> > #http_access deny to_localhost
> >
> > #
> > # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> > #
> >
> > # Example rule allowing access from your local networks.
> > # Adapt localnet in the ACL section to list your (internal) IP networks
> > # from where browsing should be allowed
> > http_access allow localnet
> > http_access allow localhost
> >
> ...
>
> >
> > the reason why i have added the windows update lines at the beginning is
> > that the link says so (below)
> >
> >
> https://linuxnlenux.wordpress.com/2014/10/14/howto-allow-windows-updates-through-squid/
> >
>
> That is a copy-n-paste of an old email without any of the context. See
> <https://wiki.squid-cache.org/SquidFaq/WindowsUpdate> for the full
> context and more up to date info.
>
> Note that the things that need to be first are very specifically a
> sub-set of the MS domains which use a non-443 port for call-home traffic
> so they would normally get blocked by the SSL_ports protection.
>
>
> For a generic whitelist you should still have your list where the config
> says "INSERT YOUR OWN RULES ..." .
>
>
> >
> > and when im looking at the logs real time
> >
> > 1576368417.620     48 10.100.1.5 NONE/200 0 CONNECT
> > fe3cr.delivery.mp.microsoft.com:443
> > <http://fe3cr.delivery.mp.microsoft.com:443> - HIER_DIRECT/191.232.139.2
> > <http://191.232.139.2> -
> > 1576368417.647      0 10.100.1.5 NONE/503 4363 POST
> > https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx -
> > HIER_NONE/- text/html
> > 1576368419.702      0 - TCP_MEM_HIT/200 807 GET
> >
> http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crt
> > - HIER_NONE/- application/octet-st
> > ream
> >
>
> These show good progress from where you started off. The cert is being
> downloaded fine. The tunnel being bumped fine. But the POST request
> which was decrypted could not be serviced.
>
> Can you find out what the 503 message says?
>
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>


-- 
Regards,

Robert K Wild.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20191215/52926feb/attachment.html>

More information about the squid-users mailing list