[squid-users] squid to only allow office activation and not windows updates
robert k Wild
robertkwild at gmail.com
Sat Jan 11 13:19:12 UTC 2020
OK, I think I have done it:

acl DiscoverSNIHost at_step SslBump1
# Dots escaped and pattern anchored so only names ending in .microsoft.com are spliced
acl NoSSLIntercept ssl::server_name_regex -i \.microsoft\.com$
ssl_bump splice NoSSLIntercept
ssl_bump peek DiscoverSNIHost
ssl_bump bump all

# URL deny MIME types
acl mimetype rep_mime_type application/octet-stream
http_reply_access deny mimetype

As now Windows can check for updates but it can't download, as I have denied
the octet-stream, i.e. cab/exe files.

On Sat, 11 Jan 2020 at 12:15, robert k Wild <robertkwild at gmail.com> wrote:
> Hi Amos,
>
> OK, I have found the rule for it:
>
> acl DiscoverSNIHost at_step SslBump1
> acl NoSSLIntercept ssl::server_name .microsoft.com
> ssl_bump peek DiscoverSNIHost
> ssl_bump splice NoSSLIntercept
> ssl_bump bump all
>
> But the thing is both Windows updates and Office activation use the exact
> same cert file.
>
> I'm stuck.
>
> Or if I can get Squid to block Windows updates altogether?
>
> On Sat, 11 Jan 2020, 01:40 Amos Jeffries, <squid3 at treenet.co.nz> wrote:
>> On 11/01/20 11:46 am, robert k Wild wrote:
>> > hi all,
>> > I have added all these lines to my squid config as it wasn't allowing
>> > Office activation
>> > https://wiki.squid-cache.org/SquidFaq/WindowsUpdate
>> > but now it's allowing Office activation and now Windows updates but I
>> > don't want it to do Windows updates as this is managed by our WSUS server
>> That would be right then. As the wiki page name indicates that config is
>> all about allowing WindowsUpdate.
>> > what are the correct lines to just do the Office activation
>> This is a strong indication you still do not understand how ACLs work.
>> So your reference points are:
>> > as when I comment out all the lines I get this
>> > 0 - TCP_DENIED/403 3810 GET
>> That then is the first URL you need to let clients access.
>> Once that is accessible the activation process will get further and
>> there may be others. When you know the whole set there may be some
>> optimizations your rules can use to simplify the final config.
Robert K Wild.
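
The procedure Amos describes in the quoted reply (find each TCP_DENIED request, allow it, retry, repeat) can be worked directly from access.log. The following is an added example, not part of the thread, and it assumes Squid's default native log format. The log lines, host names (example.test placeholders) and the ACL name are constructed for illustration.

```python
"""List destinations Squid denied, from native-format access.log lines."""
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Squid's default "squid" logformat:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1578700001.101      0 192.0.2.10 TCP_DENIED/403 3810 GET http://activation.example.test/licensing - HIER_NONE/- text/html
1578700002.202     35 192.0.2.10 TCP_MISS/200 5120 GET http://allowed.example.test/ - HIER_DIRECT/198.51.100.7 text/html
1578700003.303      0 192.0.2.10 TCP_DENIED/403 3822 CONNECT login.example.test:443 - HIER_NONE/- text/html
1578700004.404      0 192.0.2.11 TCP_DENIED/403 3810 GET http://activation.example.test/licensing - HIER_NONE/- text/html
this line is truncated
"""


def denied_hosts(log_text, client=None):
    """Count denied requests per destination host, optionally for one client."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:          # skip truncated or malformed lines
            continue
        src, result, method, url = fields[2], fields[3], fields[5], fields[6]
        if not result.startswith("TCP_DENIED/"):
            continue
        if client and src != client:
            continue
        if method == "CONNECT":      # CONNECT logs host:port, not a full URL
            host = url.rsplit(":", 1)[0]
        else:
            host = urlsplit(url).hostname or url
        hits[host.lower()] += 1
    return hits


def dstdomain_acl(hits, name="activation_hosts"):
    """Render a candidate dstdomain ACL line (the ACL name is hypothetical)."""
    return "acl %s dstdomain %s" % (name, " ".join(sorted(hits)))


if __name__ == "__main__":
    found = denied_hosts(SAMPLE_LOG, client="192.0.2.10")
    for host, count in found.most_common():
        print(count, host)
    print(dstdomain_acl(found))
```

Filtering on one test client keeps unrelated denials out of the list; each host it reports still needs to be checked as belonging to activation before it goes into an allow rule.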