[squid-users] Issues With 3.1.20 and Windows Update

eliezer at ngtech.co.il eliezer at ngtech.co.il
Sat Feb 23 22:15:20 UTC 2019


Just add before the line:
http_access deny !auth
 
a localnet allow windows update rule.
It should be something like:
## Start of config snippet
acl windows_updates  dstdomain "/etc/squid3/windows_update"
# acl syntax is: acl <name> <type> <argument>; adjust the range to your client LAN
acl localnet src 192.168.42.0/24
 
http_access allow localnet windows_updates
http_access deny !auth
 
## End of config snippet
### "/etc/squid3/windows_update" contains
.windowsupdate.com
…
#
Take the regex from the domains refresh_pattern at:
https://wiki.squid-cache.org/ConfigExamples/Caching/WindowsUpdates
and at:
http://www1.ngtech.co.il/wpe/windows-updates-a-caching-stub-zone/
(look for dstdom_regex or download\.microsoft\.com )
 
Let me know if it helps.
 
Eliezer
 
* Try to upgrade from 3.1 if possible.
* I probably can compile a newer version for your OS.
 
----
Eliezer Croitoru (http://ngtech.co.il/main-en/)
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il
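
To see why the position of the new line matters, here is a small Python model of Squid's first-match http_access evaluation, added as an example and not part of the original thread; the ACL names follow the snippet above, while the 192.168.42.0/24 range and the sample requests are constructed assumptions.

```python
import ipaddress
# Constructed request records: what Squid sees per request (client IP, destination
# host, authenticated user or None). The first mirrors the TCP_DENIED/407 log lines.
REQUESTS = {
    "wu_from_localnet": {"src": "192.168.42.121", "host": "ctldl.windowsupdate.com", "user": None},
    "wu_from_other_net": {"src": "10.9.8.7", "host": "ctldl.windowsupdate.com", "user": None},
    "lookalike": {"src": "192.168.42.121", "host": "evilwindowsupdate.com", "user": None},
}

def dstdomain_match(host, patterns):
    """Squid dstdomain: '.example.com' matches example.com and every subdomain; no leading dot means exact host."""
    host = host.lower().rstrip(".")
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("."):
            if host == pat[1:] or host.endswith(pat):
                return True
        elif host == pat:
            return True
    return False

def src_match(ip, networks):
    """Squid src ACL: client address inside any of the listed CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in networks)

# ACL definitions matching the 'acl' lines in the reply (the LAN range is an assumption).
ACLS = {
    "localnet": lambda r: src_match(r["src"], ["192.168.42.0/24"]),
    "windows_updates": lambda r: dstdomain_match(r["host"], [".windowsupdate.com"]),
    "auth": lambda r: r["user"] is not None,  # proxy_auth REQUIRED: credentials present
    "all": lambda r: True,
}

def http_access(rules, req):
    """First http_access line whose terms all match wins; a '!' term matches when its ACL does not."""
    for action, *terms in rules:
        if all(ACLS[t.lstrip("!")](req) != t.startswith("!") for t in terms):
            return f"{action} {' '.join(terms)}"
    # Nothing matched: Squid applies the opposite of the last line's action.
    return "deny (implicit)" if rules[-1][0] == "allow" else "allow (implicit)"

# Rule order from the posted squid.conf (trimmed to the relevant lines) versus the reply's fix.
ORIGINAL = [("deny", "!auth"), ("deny", "all")]
FIXED = [("allow", "localnet", "windows_updates"), ("deny", "!auth"), ("deny", "all")]

if __name__ == "__main__":
    for name, req in REQUESTS.items():
        print(f"{name:18} original: {http_access(ORIGINAL, req):12} fixed: {http_access(FIXED, req)}")
```

The third request shows that the leading-dot form does not match lookalike hosts such as evilwindowsupdate.com, and the second that clients outside localnet still hit the authentication check, which is what makes the unauthenticated allow safe to place ahead of it.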

 
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Hernan Saltiel
Sent: Saturday, February 23, 2019 22:55
To: squid-users at lists.squid-cache.org
Subject: [squid-users] Issues With 3.1.20 and Windows Update
 
Hi,
    I'm trying to use a Squid 3.1.20 to update several Windows Clients (some are Vista, some are 7, some are 10).
    We're using NTLM authentication, and some groups (some users can use full internet, some can only on some sites) and this is working fine. 
    The issue arises when trying to update Windows, using automatic updates. We see, on the log files, messages like the following: 
 
1550954462.404      0 192.168.42.121 TCP_DENIED/407 3980 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - NONE/- text/html
1550954462.410      0 192.168.42.121 TCP_DENIED/407 4261 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - NONE/- text/html
1550954462.415      0 192.168.42.121 TCP_DENIED/407 4635 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - NONE/- text/html
   
    Some aspects concern me... first of all, that our users cannot update Windows. But then I noticed there is no user on that connection, as we have in others: 
 
1550954433.432    581 192.168.62.58 TCP_MISS/200 2853 CONNECT gameplay.intel.com:443 jperez DIRECT/23.198.191.99 -
 
    I don't know if this is a known issue, or not...anybody can point me in the right direction to understand the nature of this issue, and how to solve/mitigate it?
 
    Thanks a lot in advance for your time and attention and best regards,
 
---
Some information about this installation: 
 
root at pxyserver:/var/log/squid3# squid3 -version
Squid Cache: Version 3.1.20
configure options:  '--build=i486-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--with-cppunit-basedir=/usr' '--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth=basic,digest,ntlm,negotiate' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM' '--enable-ntlm-auth-helpers=smb_lm,' '--enable-digest-auth-helpers=ldap,password' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' '--enable-arp-acl' '--enable-esi' '--enable-zph-qos' '--enable-wccpv2' '--disable-translation' '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter' 'build_alias=i486-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall' 'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security' --with-squid=/build/buildd-squid3_3.1.20-2.2-i386-3NN6Xn/squid3-3.1.20
/etc/squid3/squid.conf: 
 
cache_mgr cache at mydomain.local
auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=MYDOMAIN --kerberos /usr/lib/squid3/squid_kerb_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive off
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=MYDOMAIN
auth_param ntlm children 10
auth_param ntlm keep_alive off
auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=mydomain,dc=local" -D squid at mydomain.local -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h ARBERN005M.mydomain.local
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 1 minute
external_acl_type memberof %LOGIN /usr/lib/squid3/squid_ldap_group -R -K -b "dc=mydomain,dc=local" -D squid at mydomain.local -W /etc/squid3/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,cn=Users,dc=mydomain,dc=local))" -h ARBERN005M.mydomain.local
acl company src "/etc/squid3/full"
acl limitados src "/etc/squid3/limitados"
acl lentos src "/etc/squid3/lento"
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl dnld url_regex -i \.avi
acl dnld url_regex -i \.mp3
acl dnld url_regex -i \.fla
acl dnld url_regex -i \.flv
acl dnld url_regex -i \.wav
acl dnld url_regex -i \.asf
acl dnld url_regex -i \.wmf
acl dnld url_regex -i \.pif
acl dnld url_regex -i \.bat
acl dnld url_regex -i \.scr
acl dnld url_regex -i \.wdm
acl dnld url_regex -i \.wmv
acl dnld url_regex -i \.mid
acl dnld url_regex -i \.mpg
acl dnld url_regex -i \.mpg
acl dnld url_regex -i \.mpeg
acl dnld url_regex -i \.ogg
acl dnld url_regex -i \.ogm
acl dnld url_regex -i \.exe
acl dnld url_regex -i \.arj
acl dnld url_regex -i \.iso
acl dnld url_regex -i \.nrg
acl dnld url_regex -i \.bin
acl dnld url_regex -i \.dmg
acl dnld url_regex -i \.img
acl dnld url_regex -i \.pl
acl dnld_full url_regex -i \.avi
acl dnld_full url_regex -i \.mp3
acl dnld_full url_regex -i \.wav
acl dnld_full url_regex -i \.asf
acl dnld_full url_regex -i \.wmf
acl dnld_full url_regex -i \.mpg
acl dnld_full url_regex -i \.mpg
acl dnld_full url_regex -i \.mpeg
acl dnld_full url_regex -i \.ogg
acl dnld_full url_regex -i \.ogm
acl streaming browser -i ^.*NSPlayer.*
acl streaming browser -i ^.*Player.*
acl streaming browser -i ^.*Windows-Media-Player.*
acl streaming1 browser -i ^video/x-ms-asf$
acl streaming1 browser -i ^application/vnd.ms.wms-hdr.asfv1$
acl streaming1 browser -i ^application/x-mms-framed$
acl streaming1 browser -i ^audio/x-pn-realaudio$
acl streaming1 browser ^.*mms.*
acl streaming1 browser ^.*ms-hdr.*
acl streaming1 browser ^.*x-fcs.*
acl streaming1 browser ^.*x-ms-asf.*
acl streaming1 browser -i ^application/octet-stream$
acl streaming1 browser -i application/octet-stream
delay_pools 1
delay_class 1 1
delay_parameters 1 1000/100
acl dp url_regex \.flv$
acl dp url_regex -i watch?
acl dp url_regex -i youtube
acl dp url_regex -i facebook
delay_access 1 allow dp lentos
acl auth proxy_auth REQUIRED
acl internet_full       external memberof "/etc/squid3/internet_full.txt"
acl internet_limitado   external memberof "/etc/squid3/internet_limitado.txt"
acl internet_limitado2  external memberof "/etc/squid3/internet_limitado2.txt"
acl destinos_permitidos         dstdomain "/etc/squid3/destinos_permitidos"
acl destinos_permitidos2        dstdomain "/etc/squid3/destinos_permitidos2"
acl sitios_denegados            dstdomain "/etc/squid3/sitios_denegados"
acl prohibidos                  dstdomain "/etc/squid3/prohibidos.txt"
acl prohibidos-full             dstdomain "/etc/squid3/prohibidos-full.txt"
acl intfull-                    dstdomain "/etc/squid3/intfull-"
acl allowedsites        dstdomain "/etc/squid3/allowedsites.txt"
acl manager proto cache_object
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow localhost
http_access deny !auth
http_access deny sitios_denegados all
http_access allow allowedsites
http_access allow limitados !dnld !streaming !streaming1 !sitios_denegados
http_access allow !dnld !streaming !streaming1 destinos_permitidos internet_limitado
http_access allow !dnld !streaming !streaming1 destinos_permitidos2 internet_limitado2
http_access allow !dnld_full !streaming !streaming1 !prohibidos-full internet_full
http_access deny all
access_log /var/log/squid3/access.log squid !allowedsites
http_port 3128
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320


 
-- 
HeCSa