[squid-users] squid to only allow office activation and not windows updates

robert k Wild robertkwild at gmail.com
Sat Jan 11 12:15:03 UTC 2020


Hi Amos,

OK, I have found the rule for it

acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name .microsoft.com
ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLIntercept
ssl_bump bump all

But the thing is, both Windows updates and Office activation use the exact
same cert file

.microsoft.com/pkiops/certs/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crt

I'm stuck

Or if I can get squid to block Windows updates altogether?

Thanks,

Rob

On Sat, 11 Jan 2020, 01:40 Amos Jeffries, <squid3 at treenet.co.nz> wrote:

> On 11/01/20 11:46 am, robert k Wild wrote:
> > Hi all,
> >
> > I have added all these lines to my squid config as it wasn't allowing
> > Office activation
> >
> > https://wiki.squid-cache.org/SquidFaq/WindowsUpdate
> >
> > but now it's allowing Office activation and now Windows updates, but I
> > don't want it to do Windows updates as this is managed by our WSUS server
> >
>
> That would be right then. As the wiki page name indicates that config is
> all about allowing WindowsUpdate.
>
>
> > What are the correct lines to just do the Office activation?
> >
>
> This is a strong indication you still do not understand how ACLs work.
>
> So your reference points are:
>  <https://wiki.squid-cache.org/SquidFaq/SquidAcl>
> and
>  <http://www.squid-cache.org/Doc/config/acl/>
>
>
> > As when I comment out all the lines I get this
> >
> > 0 - TCP_DENIED/403 3810 GET http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crt
> >
>
> That then is the first URL you need to let clients access.
>
> Once that is accessible the activation process will get further and
> there may be others. When you know the whole set there may be some
> optimizations your rules can use to simplify the final config.
>
>
> Amos
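
Added example, not part of the original thread and not Squid project code: one way to follow the advice above about learning the whole set of denied URLs, by listing every TCP_DENIED destination found in access.log. The log lines are constructed in Squid's native log format; only the certificate URL comes from the thread, while activation.example.test, wsus.example.test, the client addresses and the ACL name are placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log format:
# time elapsed client code/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1578744901.120      0 192.0.2.10 TCP_DENIED/403 3810 GET http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crt - HIER_NONE/- text/html
1578744901.480      0 192.0.2.10 TCP_DENIED/403 3790 CONNECT activation.example.test:443 - HIER_NONE/- text/html
1578744902.015    212 192.0.2.11 TCP_MISS/200 5120 GET http://wsus.example.test/selfupdate/wuident.cab - HIER_DIRECT/198.51.100.7 application/octet-stream
1578744903.300      0 192.0.2.10 TCP_DENIED/403 3790 CONNECT activation.example.test:443 - HIER_NONE/- text/html
"""

# Fields up to and including the URL; the rest of the line is not needed here.
LINE_RE = re.compile(
    r"^\s*\d+\.\d+\s+\d+\s+\S+\s+(?P<code>[A-Z_]+)/\d{3}\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)

def denied_destinations(log_text):
    """Return {host: {"count": n, "targets": set}} for TCP_DENIED entries."""
    hosts = defaultdict(lambda: {"count": 0, "targets": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["code"].startswith("TCP_DENIED"):
            continue
        if m["method"] == "CONNECT":
            # HTTPS tunnel: only host:port is logged, no path is visible.
            host = m["url"].rsplit(":", 1)[0]
            target = "CONNECT " + m["url"]
        else:
            parts = urlsplit(m["url"])
            host = parts.hostname
            target = m["method"] + " " + parts.path
        if not host:
            continue
        entry = hosts[host.lower()]
        entry["count"] += 1
        entry["targets"].add(target)
    return dict(hosts)

def candidate_acl(hosts, name="activation_candidates"):
    """List the denied hosts as a dstdomain ACL to review (name is hypothetical)."""
    return "acl %s dstdomain %s" % (name, " ".join(sorted(hosts)))

if __name__ == "__main__":
    found = denied_destinations(SAMPLE_LOG)
    for host, info in sorted(found.items()):
        print(host, info["count"], sorted(info["targets"]))
    print(candidate_acl(found))
```

The generated acl line is a review list only: each host still has to be checked against what WSUS is meant to handle before any http_access allow rule refers to it.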