[squid-users] Issues With 3.1.20 and Windows Update

Hernan Saltiel hsaltiel at gmail.com
Sat Feb 23 20:55:23 UTC 2019


Hi,
    I'm trying to use Squid 3.1.20 to update several Windows clients
(some are Vista, some are 7, some are 10).
    We're using NTLM authentication and some groups (some users can use the
full internet, some can only reach certain sites), and this is working fine.
    The issue arises when trying to update Windows using automatic
updates. We see messages like the following in the log files:

1550954462.404      0 192.168.42.121 TCP_DENIED/407 3980 GET
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?
- NONE/- text/html
1550954462.410      0 192.168.42.121 TCP_DENIED/407 4261 GET
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?
- NONE/- text/html
1550954462.415      0 192.168.42.121 TCP_DENIED/407 4635 GET
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?
- NONE/- text/html

    Some aspects concern me: first of all, that our users cannot update
Windows. But then I noticed there is no user on that connection, as we have
in others:

1550954433.432    581 192.168.62.58 TCP_MISS/200 2853 CONNECT
gameplay.intel.com:443 *jperez* DIRECT/23.198.191.99 -

    I don't know whether this is a known issue or not. Can anybody point me in
the right direction to understand the nature of this issue, and how to
solve/mitigate it?

    Thanks a lot in advance for your time and attention, and best regards,

---
Some information about this installation:

root at pxyserver:/var/log/squid3# squid3 -version
Squid Cache: Version 3.1.20
configure options:  '--build=i486-linux-gnu' '--prefix=/usr'
'--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
'--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var'
'--libexecdir=${prefix}/lib/squid3' '--srcdir=.'
'--disable-maintainer-mode' '--disable-dependency-tracking'
'--disable-silent-rules' '--datadir=/usr/share/squid3'
'--sysconfdir=/etc/squid3' '--mandir=/usr/share/man'
'--with-cppunit-basedir=/usr' '--enable-inline' '--enable-async-io=8'
'--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap'
'--enable-delay-pools' '--enable-cache-digests' '--enable-underscores'
'--enable-icap-client' '--enable-follow-x-forwarded-for'
'--enable-auth=basic,digest,ntlm,negotiate'
'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM'
'--enable-ntlm-auth-helpers=smb_lm,'
'--enable-digest-auth-helpers=ldap,password'
'--enable-negotiate-auth-helpers=squid_kerb_auth'
'--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group'
'--enable-arp-acl' '--enable-esi' '--enable-zph-qos' '--enable-wccpv2'
'--disable-translation' '--with-logdir=/var/log/squid3'
'--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536'
'--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter'
'build_alias=i486-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector
--param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall'
'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2'
'CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat
-Werror=format-security'
--with-squid=/build/buildd-squid3_3.1.20-2.2-i386-3NN6Xn/squid3-3.1.20

/etc/squid3/squid.conf:

# Review notes (comments only; every directive below is unchanged).
# The TCP_DENIED/407 entries quoted in the mail are requests for
# ctldl.windowsupdate.com with no user ("-"): they reach "http_access deny
# !auth" without credentials. Presumably Windows Update runs as a system
# service and never answers the NTLM challenge -- TODO confirm on a client.
# The usual mitigation is a dstdomain ACL for the update hosts that is
# allowed *before* "deny !auth"; keep that list narrow, since it bypasses
# both authentication and the group checks.
cache_mgr cache at mydomain.local
# Authentication helpers: negotiate (NTLM or Kerberos through a wrapper),
# plain NTLM, and LDAP basic as a fallback. The LDAP bind password is read
# from a file (-W), so it does not appear in the process list.
auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm
/usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp
--domain=MYDOMAIN --kerberos /usr/lib/squid3/squid_kerb_auth -d -s
GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive off
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics
--helper-protocol=squid-2.5-ntlmssp --domain=MYDOMAIN
auth_param ntlm children 10
auth_param ntlm keep_alive off
auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b
"dc=mydomain,dc=local" -D squid at mydomain.local -W /etc/squid3/ldappass.txt
-f sAMAccountName=%s -h ARBERN005M.mydomain.local
auth_param basic children 10
auth_param basic realm Internet Proxy
# Basic credentials are re-checked against LDAP after one minute.
auth_param basic credentialsttl 1 minute
# Group membership lookup keyed on the authenticated login (%LOGIN); the
# internet_* ACLs below therefore only ever match authenticated requests.
external_acl_type memberof %LOGIN /usr/lib/squid3/squid_ldap_group -R -K -b
"dc=mydomain,dc=local" -D squid at mydomain.local -W /etc/squid3/ldappass.txt
-f
"(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,cn=Users,dc=mydomain,dc=local))"
-h ARBERN005M.mydomain.local
# Source-address groups, one file per group.
acl company src "/etc/squid3/full"
acl limitados src "/etc/squid3/limitados"
acl lentos src "/etc/squid3/lento"
# NOTE(review): "all" is a built-in ACL in Squid 3.x, so this line is
# redundant -- check the startup warnings for this release.
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
# Download-blocking patterns for the limited groups.
# NOTE(review): unlike "\.flv$" further down, these regexes are not
# anchored, so they match anywhere in the URL, not only the extension --
# for example "\.img" also matches a host name such as i.imgur.com
# (constructed example) and "\.pl" matches any ".pl/" or ".plus" path
# component. Append "$" (or "(\?|$)") if only the file extension is meant.
# "\.mpg" is listed twice; harmless.
acl dnld url_regex -i \.avi
acl dnld url_regex -i \.mp3
acl dnld url_regex -i \.fla
acl dnld url_regex -i \.flv
acl dnld url_regex -i \.wav
acl dnld url_regex -i \.asf
acl dnld url_regex -i \.wmf
acl dnld url_regex -i \.pif
acl dnld url_regex -i \.bat
acl dnld url_regex -i \.scr
acl dnld url_regex -i \.wdm
acl dnld url_regex -i \.wmv
acl dnld url_regex -i \.mid
acl dnld url_regex -i \.mpg
acl dnld url_regex -i \.mpg
acl dnld url_regex -i \.mpeg
acl dnld url_regex -i \.ogg
acl dnld url_regex -i \.ogm
acl dnld url_regex -i \.exe
acl dnld url_regex -i \.arj
acl dnld url_regex -i \.iso
acl dnld url_regex -i \.nrg
acl dnld url_regex -i \.bin
acl dnld url_regex -i \.dmg
acl dnld url_regex -i \.img
acl dnld url_regex -i \.pl
# Smaller media-only block list applied to the internet_full group
# (same unanchored-regex caveat; "\.mpg" duplicated here too).
acl dnld_full url_regex -i \.avi
acl dnld_full url_regex -i \.mp3
acl dnld_full url_regex -i \.wav
acl dnld_full url_regex -i \.asf
acl dnld_full url_regex -i \.wmf
acl dnld_full url_regex -i \.mpg
acl dnld_full url_regex -i \.mpg
acl dnld_full url_regex -i \.mpeg
acl dnld_full url_regex -i \.ogg
acl dnld_full url_regex -i \.ogm
# "browser" ACLs match the User-Agent request header.
acl streaming browser -i ^.*NSPlayer.*
acl streaming browser -i ^.*Player.*
acl streaming browser -i ^.*Windows-Media-Player.*
# NOTE(review): the patterns below are MIME types, but as "browser" ACLs
# they only match when a client sends that string as its User-Agent; they
# look like they were intended for req_mime_type/rep_mime_type -- TODO
# confirm the intent. The last line already covers the one before it.
acl streaming1 browser -i ^video/x-ms-asf$
acl streaming1 browser -i ^application/vnd.ms.wms-hdr.asfv1$
acl streaming1 browser -i ^application/x-mms-framed$
acl streaming1 browser -i ^audio/x-pn-realaudio$
acl streaming1 browser ^.*mms.*
acl streaming1 browser ^.*ms-hdr.*
acl streaming1 browser ^.*x-fcs.*
acl streaming1 browser ^.*x-ms-asf.*
acl streaming1 browser -i ^application/octet-stream$
acl streaming1 browser -i application/octet-stream
# One delay pool, class 1, applied to the "lentos" sources for the dp URLs.
delay_pools 1
delay_class 1 1
delay_parameters 1 1000/100
acl dp url_regex \.flv$
# NOTE(review): in a regex "watch?" means "watc" followed by an optional
# "h", so this matches any URL containing "watc"; use "watch\?" if the
# literal question mark was intended.
acl dp url_regex -i watch?
acl dp url_regex -i youtube
acl dp url_regex -i facebook
delay_access 1 allow dp lentos
# Requires a valid proxy login; any request without one is denied below.
acl auth proxy_auth REQUIRED
# LDAP group ACLs (group names read from the referenced files).
acl internet_full       external memberof "/etc/squid3/internet_full.txt"
acl internet_limitado   external memberof
"/etc/squid3/internet_limitado.txt"
acl internet_limitado2  external memberof
"/etc/squid3/internet_limitado2.txt"
# Destination lists, one file per ACL.
acl destinos_permitidos         dstdomain "/etc/squid3/destinos_permitidos"
acl destinos_permitidos2        dstdomain "/etc/squid3/destinos_permitidos2"
acl sitios_denegados            dstdomain "/etc/squid3/sitios_denegados"
acl prohibidos                  dstdomain "/etc/squid3/prohibidos.txt"
acl prohibidos-full             dstdomain "/etc/squid3/prohibidos-full.txt"
acl intfull-                    dstdomain "/etc/squid3/intfull-"
acl allowedsites        dstdomain "/etc/squid3/allowedsites.txt"
# Duplicate of the "manager" definition above; harmless.
acl manager proto cache_object
# NOTE(review): SSL_ports and CONNECT are defined but never referenced by
# any http_access rule below, so there is no "deny CONNECT !SSL_ports" and
# no Safe_ports check: an authenticated user can CONNECT to any TCP port
# through this proxy. Consider the standard deny rules from the stock
# squid.conf ahead of the allow lines.
acl SSL_ports port 443
acl CONNECT method CONNECT
# Access rules: first match wins. Everything after "deny !auth" requires
# credentials, which is why the credential-less Windows Update requests in
# the mail are answered with 407 here. "all" on the sitios_denegados line
# is redundant, and "!sitios_denegados" on the limitados line is already
# covered by that preceding deny.
http_access allow manager localhost
http_access deny manager
http_access allow localhost
http_access deny !auth
http_access deny sitios_denegados all
http_access allow allowedsites
http_access allow limitados !dnld !streaming !streaming1 !sitios_denegados
http_access allow !dnld !streaming !streaming1 destinos_permitidos
internet_limitado
http_access allow !dnld !streaming !streaming1 destinos_permitidos2
internet_limitado2
http_access allow !dnld_full !streaming !streaming1 !prohibidos-full
internet_full
http_access deny all
# NOTE(review): "!allowedsites" suppresses logging of every request to the
# allowedsites domains, denied ones included (the ACL matches on
# destination regardless of the access decision); for incident response it
# is usually better to log them, if need be to a separate file.
access_log /var/log/squid3/access.log squid !allowedsites
http_port 3128
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid3
# Standard refresh patterns as shipped in the default squid.conf.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320



-- 
HeCSa

