[squid-users] Issues With 3.1.20 and Windows Update

Amos Jeffries squid3 at treenet.co.nz
Sun Feb 24 07:05:35 UTC 2019


On 24/02/19 9:55 am, Hernan Saltiel wrote:
> Hi,
>     I'm trying to use a Squid 3.1.20 to update several Windows clients
> (some are Vista, some are 7, some are 10).
>     We're using NTLM authentication, and some groups (some users can use
> full internet, some can only on some sites) and this is working fine.
>     The issue arises when trying to update Windows, using automatic
> updates. We see, on the log files, messages like the following:
> 
> 1550954462.404      0 192.168.42.121 TCP_DENIED/407 3980 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - NONE/- text/html
> 1550954462.410      0 192.168.42.121 TCP_DENIED/407 4261 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - NONE/- text/html
> 1550954462.415      0 192.168.42.121 TCP_DENIED/407 4635 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - NONE/- text/html
>   
>     Some aspects concern me... first of all, that our users cannot
> update Windows. But then I noticed there is no user on that connection,
> as we have in others:
> 
> 1550954433.432    581 192.168.62.58 TCP_MISS/200 2853 CONNECT gameplay.intel.com:443 *jperez* DIRECT/23.198.191.99 -
> 
>     I don't know if this is a known issue, or not... can anybody point me
> in the right direction to understand the nature of this issue, and how
> to solve/mitigate it?

This is how NTLM works: multiple HTTP requests exchanging type-1, 2, 3
tickets. Only the last one has a user name.

The absence of these multiple exchanges and all the time and bandwidth
they consume is what makes Negotiate/Kerberos have better performance.


However, if you are *only* seeing lack of username and 407/403 on the
update requests, the WU agent is having problems logging in through a
proxy. See
<https://wiki.squid-cache.org/SquidFaq/WindowsUpdate#Squid_problems_with_Windows_Update_v5>
and maybe
<https://wiki.squid-cache.org/SquidFaq/WindowsUpdate#How_do_I_stop_Squid_popping_up_the_Authentication_box_for_Windows_Update.3F>
for some things that may help.
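As an added illustration (editorial, not part of the thread), here is a small Python pass over constructed access.log lines of the same shape as those quoted above: it separates the normal user-less 407s of an NTLM handshake from a client that keeps collecting 407s for a URL without ever getting an authenticated reply, which is the Windows Update symptom described here. The log lines are constructed, modelled on the quoted ones; the threshold of three denies is an assumption.

```python
from collections import defaultdict

# Constructed Squid native-format access.log lines, modelled on those in the
# thread (not real log data). A healthy NTLM handshake shows up as a couple of
# user-less 407 replies followed by an authenticated reply for the same URL.
SAMPLE_LOG = """\
1550954430.100      0 192.168.62.58 TCP_DENIED/407 3980 CONNECT gameplay.intel.com:443 - NONE/- text/html
1550954430.200      0 192.168.62.58 TCP_DENIED/407 4261 CONNECT gameplay.intel.com:443 - NONE/- text/html
1550954433.432    581 192.168.62.58 TCP_MISS/200 2853 CONNECT gameplay.intel.com:443 jperez DIRECT/23.198.191.99 -
1550954462.404      0 192.168.42.121 TCP_DENIED/407 3980 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - NONE/- text/html
1550954462.410      0 192.168.42.121 TCP_DENIED/407 4261 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - NONE/- text/html
1550954462.415      0 192.168.42.121 TCP_DENIED/407 4635 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - NONE/- text/html
"""

def parse_line(line):
    """Split one native access.log line into the fields used below."""
    f = line.split()
    return {"ts": float(f[0]), "client": f[2], "status": int(f[3].split("/")[1]),
            "method": f[5], "url": f[6], "user": f[7]}

def find_stalled_handshakes(log_text, min_denies=3):
    """Return {client: [urls]} for clients that collected min_denies or more
    user-less 407s for a URL and never got an authenticated reply for it.
    That pattern is the stalled login of the thread, not a normal handshake."""
    denies = defaultdict(lambda: defaultdict(int))  # client -> url -> 407 count
    authed = set()                                  # (client, url) that logged in
    for line in log_text.splitlines():
        r = parse_line(line)
        if r["status"] == 407 and r["user"] == "-":
            denies[r["client"]][r["url"]] += 1
        elif r["user"] != "-":
            authed.add((r["client"], r["url"]))
    stalled = {}
    for client, urls in denies.items():
        bad = [u for u, n in urls.items()
               if n >= min_denies and (client, u) not in authed]
        if bad:
            stalled[client] = bad
    return stalled
```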


Microsoft products since 2006 (Windows XP) have all had Kerberos support
and deprecated use of NTLM. If you do not have anything older to support
you may find it very useful to remove NTLM usage from the network
entirely. Remove from clients first, then servers and proxy.



Also, if you can upgrade the proxy please do. Latest release of Squid is
v4.6. There are large numbers of bugs and at least several major
security issues with all releases older than v3.5.28.


Below are some config changes you may find useful:

> /etc/squid3/squid.conf:
> 
> cache_mgr cache@mydomain.local
> auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=MYDOMAIN --kerberos /usr/lib/squid3/squid_kerb_auth -d -s GSS_C_NO_NAME
> auth_param negotiate children 10
> auth_param negotiate keep_alive off
> auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=MYDOMAIN
> auth_param ntlm children 10
> auth_param ntlm keep_alive off
> auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=mydomain,dc=local" -D squid@mydomain.local -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h ARBERN005M.mydomain.local
> auth_param basic children 10
> auth_param basic realm Internet Proxy
> auth_param basic credentialsttl 1 minute
> external_acl_type memberof %LOGIN /usr/lib/squid3/squid_ldap_group -R -K -b "dc=mydomain,dc=local" -D squid@mydomain.local -W /etc/squid3/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,cn=Users,dc=mydomain,dc=local))" -h ARBERN005M.mydomain.local
> acl company src "/etc/squid3/full"
> acl limitados src "/etc/squid3/limitados"
> acl lentos src "/etc/squid3/lento"
> acl all src all
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl purge method PURGE
> acl dnld url_regex -i \.avi
> acl dnld url_regex -i \.mp3
> acl dnld url_regex -i \.fla
> acl dnld url_regex -i \.flv
> acl dnld url_regex -i \.wav
> acl dnld url_regex -i \.asf
> acl dnld url_regex -i \.wmf
> acl dnld url_regex -i \.pif
> acl dnld url_regex -i \.bat
> acl dnld url_regex -i \.scr
> acl dnld url_regex -i \.wdm
> acl dnld url_regex -i \.wmv
> acl dnld url_regex -i \.mid
> acl dnld url_regex -i \.mpg
> acl dnld url_regex -i \.mpg
> acl dnld url_regex -i \.mpeg
> acl dnld url_regex -i \.ogg
> acl dnld url_regex -i \.ogm
> acl dnld url_regex -i \.exe
> acl dnld url_regex -i \.arj
> acl dnld url_regex -i \.iso
> acl dnld url_regex -i \.nrg
> acl dnld url_regex -i \.bin
> acl dnld url_regex -i \.dmg
> acl dnld url_regex -i \.img
> acl dnld url_regex -i \.pl

Regex is very slow to test, especially when so many separate tests need
to be run just to test the ACL.

Newer Squid versions have optimizations that can help remove the duplicate
entries above, but you should still combine these into fewer tests,
especially if you are staying with this Squid.

Also, do you really want to check these strings in the domain name
portion of URLs? urlpath_regex is better for matching strings in the
URL-path area.

  acl dnld urlpath_regex -i \
      \.(avi|mp3|fl[av]|wav|asf|wm[fv]|pif|bat) \
      \.(scr|wdm|mid|mpe?g|og[gm]|exe|arj|iso|nrg) \
      \.(bin|[di]mg|pl)
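Added example (editorial, not from the thread): Python that collapses the per-extension url_regex list into one alternation like the one above, checks that the single test decides exactly like the separate ones, and shows the url_regex vs urlpath_regex difference on a hostname that happens to contain an extension-like label. The sample hostnames are constructed.

```python
import re
from urllib.parse import urlsplit

# Extensions from the quoted per-line url_regex ACLs, duplicate .mpg included.
RAW_EXTENSIONS = ["avi", "mp3", "fla", "flv", "wav", "asf", "wmf", "pif", "bat",
                  "scr", "wdm", "wmv", "mid", "mpg", "mpg", "mpeg", "ogg", "ogm",
                  "exe", "arj", "iso", "nrg", "bin", "dmg", "img", "pl"]

def combined_pattern(exts):
    """One alternation standing in for N separate url_regex tests; duplicates dropped."""
    uniq = sorted(set(exts), key=exts.index)          # keep first-seen order
    return r"\.(" + "|".join(re.escape(e) for e in uniq) + ")"

def url_regex_match(pattern, url):
    """Squid url_regex: the pattern is tested against the whole URL, host included."""
    return re.search(pattern, url, re.IGNORECASE) is not None

def urlpath_regex_match(pattern, url):
    """Squid urlpath_regex: only the part after scheme and host is tested."""
    parts = urlsplit(url)
    path = parts.path + ("?" + parts.query if parts.query else "")
    return re.search(pattern, path, re.IGNORECASE) is not None

def classify(url):
    """Show how the two ACL types disagree on the same URL."""
    pat = combined_pattern(RAW_EXTENSIONS)
    return {"url_regex": url_regex_match(pat, url),
            "urlpath_regex": urlpath_regex_match(pat, url)}

def equivalent(urls):
    """True when the combined test decides every URL like the N separate tests."""
    single = [r"\." + re.escape(e) for e in RAW_EXTENSIONS]
    combo = combined_pattern(RAW_EXTENSIONS)
    return all(url_regex_match(combo, u) == any(url_regex_match(p, u) for p in single)
               for u in urls)
```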


> acl dnld_full url_regex -i \.avi
> acl dnld_full url_regex -i \.mp3
> acl dnld_full url_regex -i \.wav
> acl dnld_full url_regex -i \.asf
> acl dnld_full url_regex -i \.wmf
> acl dnld_full url_regex -i \.mpg
> acl dnld_full url_regex -i \.mpg
> acl dnld_full url_regex -i \.mpeg
> acl dnld_full url_regex -i \.ogg
> acl dnld_full url_regex -i \.ogm
> acl streaming browser -i ^.*NSPlayer.*
> acl streaming browser -i ^.*Player.*
> acl streaming browser -i ^.*Windows-Media-Player.*
> acl streaming1 browser -i ^video/x-ms-asf$
> acl streaming1 browser -i ^application/vnd.ms.wms-hdr.asfv1$
> acl streaming1 browser -i ^application/x-mms-framed$
> acl streaming1 browser -i ^audio/x-pn-realaudio$
> acl streaming1 browser ^.*mms.*
> acl streaming1 browser ^.*ms-hdr.*
> acl streaming1 browser ^.*x-fcs.*
> acl streaming1 browser ^.*x-ms-asf.*
> acl streaming1 browser -i ^application/octet-stream$
> acl streaming1 browser -i application/octet-stream

There are two problems above.

Firstly, the 'browser' ACL type only matches the User-Agent HTTP header.
A lot of those regexes are patterns matching Content-Type header values.
Something is very weirdly broken if they are being placed into User-Agent.

Secondly there are large overlaps in the patterns.

It looks to me like the proper value for this should be:

  acl streaming browser -i Player

  acl streaming1 req_header Content-Type -i ^audio/x-pn-realaudio$
  acl streaming1 req_header Content-Type -i mms|ms-hdr|x-ms-asf
  acl streaming1 req_header Content-Type -i application/octet-stream


> delay_pools 1
> delay_class 1 1
> delay_parameters 1 1000/100
> acl dp url_regex \.flv$
> acl dp url_regex -i watch?

Regex typo. This will match any URL with "watc" *anywhere* in it.

I think you meant "watch\?"


> acl dp url_regex -i youtube
> acl dp url_regex -i facebook
> delay_access 1 allow dp lentos
> acl auth proxy_auth REQUIRED
> acl internet_full       external memberof "/etc/squid3/internet_full.txt"
> acl internet_limitado   external memberof "/etc/squid3/internet_limitado.txt"
> acl internet_limitado2  external memberof "/etc/squid3/internet_limitado2.txt"
> acl destinos_permitidos         dstdomain "/etc/squid3/destinos_permitidos"
> acl destinos_permitidos2        dstdomain "/etc/squid3/destinos_permitidos2"
> acl sitios_denegados            dstdomain "/etc/squid3/sitios_denegados"
> acl prohibidos                  dstdomain "/etc/squid3/prohibidos.txt"
> acl prohibidos-full             dstdomain "/etc/squid3/prohibidos-full.txt"
> acl intfull-                    dstdomain "/etc/squid3/intfull-"
> acl allowedsites        dstdomain "/etc/squid3/allowedsites.txt"
> acl manager proto cache_object
> acl SSL_ports port 443
> acl CONNECT method CONNECT

You are missing the rules that prevent security attacks against the
proxy, DoS and such. Please re-add them.

If there is traffic you want to go through which those rules deny you
should adjust the Safe_ports and/or SSL_ports ACLs instead of removing
these lines.

 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports


> http_access allow manager localhost
> http_access deny manager
> http_access allow localhost
> http_access deny !auth
> http_access deny sitios_denegados all

The "all" on the line above is not useful.

> http_access allow allowedsites
> http_access allow limitados !dnld !streaming !streaming1 !sitios_denegados
> http_access allow !dnld !streaming !streaming1 destinos_permitidos internet_limitado
> http_access allow !dnld !streaming !streaming1 destinos_permitidos2 internet_limitado2
> http_access allow !dnld_full !streaming !streaming1 !prohibidos-full internet_full


Rather than long lists of exceptions to be re-checked on every request,
it would be better to order the groups by increasing level of
restriction and deny things early.



Like this:

  http_access allow allowedsites
  http_access deny streaming
  http_access deny streaming1

  http_access allow !dnld_full !prohibidos-full internet_full

  http_access deny dnld

  http_access allow limitados !sitios_denegados

  http_access allow destinos_permitidos internet_limitado

  http_access allow destinos_permitidos2 internet_limitado2


> http_access deny all
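Added example (editorial, not from the thread): a small Python model of http_access evaluation, run over the original ordering and the reordered one, with the download rule written as `deny dnld` so that downloads, not everything else, are refused before the limited groups are checked. ACL predicates, hostnames and source ranges are hypothetical stand-ins for the config's list files and group lookups, and the Safe_ports/SSL_ports rules are left out.

```python
import re

# Stand-in ACL predicates (hypothetical hosts/groups/ranges) for the thread's config.
host_in = lambda *hosts: (lambda r: r["host"] in hosts)
ext_in = lambda *exts: (lambda r: re.search(r"\.(%s)$" % "|".join(exts), r["path"], re.I) is not None)
ACLS = {
    "all": lambda r: True,
    "allowedsites": host_in("updates.example"),
    "streaming": lambda r: "Player" in r.get("ua", ""),
    "streaming1": lambda r: r.get("ctype") == "application/octet-stream",
    "dnld": ext_in("avi", "mp3", "exe", "iso"),
    "dnld_full": ext_in("avi", "mp3"),
    "prohibidos-full": host_in("casino.example"),
    "sitios_denegados": host_in("blocked.example"),
    "limitados": lambda r: r["src"].startswith("192.168.42."),
    "destinos_permitidos": host_in("intranet.example"),
    "internet_full": lambda r: r["group"] == "full",
    "internet_limitado": lambda r: r["group"] == "limitado",
}

def evaluate(rules, req):
    """Squid http_access semantics: the first line whose ACLs all match decides;
    '!' inverts one ACL; if nothing matches, the opposite of the last action applies."""
    action = "deny"
    for line in filter(str.strip, rules.splitlines()):
        action, *terms = line.split()[1:]  # drop the "http_access" keyword
        if all(ACLS[t.lstrip("!")](req) != t.startswith("!") for t in terms):
            return action
    return "deny" if action == "allow" else "allow"

ORIGINAL = """
http_access allow allowedsites
http_access allow limitados !dnld !streaming !streaming1 !sitios_denegados
http_access allow !dnld !streaming !streaming1 destinos_permitidos internet_limitado
http_access allow !dnld_full !streaming !streaming1 !prohibidos-full internet_full
http_access deny all
"""
REORDERED = """
http_access allow allowedsites
http_access deny streaming
http_access deny streaming1
http_access allow !dnld_full !prohibidos-full internet_full
http_access deny dnld
http_access allow limitados !sitios_denegados
http_access allow destinos_permitidos internet_limitado
http_access deny all
"""

def same_decisions(reqs):
    """True when both orderings decide every constructed request identically."""
    return all(evaluate(ORIGINAL, r) == evaluate(REORDERED, r) for r in reqs)
```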



Cheers
Amos

