[squid-users] SSL certificate not working for windows update

saiyan_gc gengchao62 at gmail.com
Thu May 28 04:36:23 UTC 2020


Hi, I have a proxy server that uses a self-signed certificate and basic
username/password authentication on http port 2128. Somehow Windows Update
is not working through my proxy box.

The proxy server is working fine with wget in powershell. 

Below is my log; I am not sure why it is failing with 503.

1590640145.751      0 52.202.5.238 TCP_DENIED/407 3930 CONNECT
login.live.com:443 - HIER_NONE/- text/html
1590640145.794      0 52.202.5.238 TCP_DENIED/407 3930 CONNECT
login.live.com:443 - HIER_NONE/- text/html
1590640147.298      0 - TCP_DENIED/407 3720 GET
http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt -
HIER_NONE/- text/html;charset=utf-8
1590640147.305      0 - TCP_DENIED/407 3720 GET
http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt -
HIER_NONE/- text/html;charset=utf-8
1590640147.453      0 - TCP_DENIED/407 3720 GET
http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt -
HIER_NONE/- text/html;charset=utf-8
1590640147.453    966 52.202.5.238 NONE/200 0 CONNECT
fe2.update.microsoft.com:443 - HIER_DIRECT/40.91.75.5 -
1590640147.483      0 52.202.5.238 NONE/503 4430 POST
https://fe2.update.microsoft.com/v6/ClientWebService/client.asmx -
HIER_NONE/- text/html
1590640149.511      0 - TCP_DENIED/407 3720 GET
http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt -
HIER_NONE/- text/html;charset=utf-8
1590640149.517      0 - TCP_DENIED/407 3720 GET
http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt -
HIER_NONE/- text/html;charset=utf-8
1590640149.663      0 - TCP_DENIED/407 3720 GET
http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt -
HIER_NONE/- text/html;charset=utf-8
1590640149.664    161 52.202.5.238 NONE/200 0 CONNECT
fe2.update.microsoft.com:443 - HIER_DIRECT/2a01:111:f335:1792::a61 -
1590640149.671      0 52.202.5.238 NONE/503 3948 POST
https://fe2.update.microsoft.com/v6/ClientWebService/client.asmx -
HIER_NONE/- text/html
1590640151.697      0 - TCP_DENIED/407 3720 GET
http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt -
HIER_NONE/- text/html;charset=utf-8
1590640151.848      0 - TCP_DENIED/407 3720 GET
http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt -
HIER_NONE/- text/html;charset=utf-8
1590640151.853      0 - TCP_DENIED/407 3720 GET
http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt -
HIER_NONE/- text/html;charset=utf-8
1590640151.854    164 52.202.5.238 NONE/200 0 CONNECT
fe2.update.microsoft.com:443 - HIER_DIRECT/20.185.109.208 -
1590640151.861      0 52.202.5.238 NONE/503 4434 POST
https://fe2.update.microsoft.com/v6/ClientWebService/client.asmx -
HIER_NONE/- text/html
1590640152.045      0 - TCP_DENIED/407 3720 GET
http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt -
HIER_NONE/- text/html;charset=utf-8
1590640152.045    179 52.202.5.238 NONE/200 0 CONNECT
sls.update.microsoft.com:443 - HIER_DIRECT/13.74.179.117 -
1590640152.053      0 52.202.5.238 NONE/503 4433 GET
https://sls.update.microsoft.com/SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.14393.0/0?
- HIER_NONE/- text/html
1590640152.194      0 - TCP_DENIED/407 3720 GET
http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt -
HIER_NONE/- text/html;charset=utf-8
1590640152.195    137 52.202.5.238 NONE/200 0 CONNECT
sls.update.microsoft.com:443 - HIER_DIRECT/2a01:111:f307:1790::f001:7a5 -
1590640152.202      0 52.202.5.238 NONE/503 3953 GET
https://sls.update.microsoft.com/SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.14393.0/0?
- HIER_NONE/- text/html
1590640152.342      0 - TCP_DENIED/407 3720 GET
http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt -
HIER_NONE/- text/html;charset=utf-8
1590640152.343    136 52.202.5.238 NONE/200 0 CONNECT
sls.update.microsoft.com:443 - HIER_DIRECT/2a01:111:f307:1790::f001:7a5 -
1590640152.349      0 52.202.5.238 NONE/503 3953 GET
https://sls.update.microsoft.com/SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.14393.0/0?
- HIER_NONE/- text/html
1590640152.488      0 - TCP_DENIED/407 3720 GET
http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt -
HIER_NONE/- text/html;charset=utf-8
1590640152.489    136 52.202.5.238 NONE/200 0 CONNECT
sls.update.microsoft.com:443 - HIER_DIRECT/2a01:111:f307:1790::f001:7a5 -
1590640152.496      0 52.202.5.238 NONE/503 3953 GET
https://sls.update.microsoft.com/SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.14393.0/0?
- HIER_NONE/- text/html
1590640152.637      0 - TCP_DENIED/407 3720 GET
http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt -
HIER_NONE/- text/html;charset=utf-8
1590640152.638    138 52.202.5.238 NONE/200 0 CONNECT
sls.update.microsoft.com:443 - HIER_DIRECT/2a01:111:f307:1790::f001:7a5 -
1590640152.644      0 52.202.5.238 NONE/503 3953 GET
https://sls.update.microsoft.com/SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.14393.0/0?
- HIER_NONE/- text/html
1590640152.783      0 - TCP_DENIED/407 3720 GET
http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt -
HIER_NONE/- text/html;charset=utf-8
1590640152.783    136 52.202.5.238 NONE/200 0 CONNECT
sls.update.microsoft.com:443 - HIER_DIRECT/2a01:111:f307:1790::f001:7a5 -
1590640152.790      0 52.202.5.238 NONE/503 3953 GET
https://sls.update.microsoft.com/SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.14393.0/0?
- HIER_NONE/- text/html
1590640152.930      0 - TCP_DENIED/407 3720 GET
http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt -
HIER_NONE/- text/html;charset=utf-8
1590640152.931    136 52.202.5.238 NONE/200 0 CONNECT
sls.update.microsoft.com:443 - HIER_DIRECT/2a01:111:f307:1790::f001:7a5 -
1590640152.938      0 52.202.5.238 NONE/503 3953 GET
https://sls.update.microsoft.com/SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.14393.0/0?
- HIER_NONE/- text/html
1590640153.076      0 - TCP_DENIED/407 3720 GET
http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt -
HIER_NONE/- text/html;charset=utf-8
1590640153.077    137 52.202.5.238 NONE/200 0 CONNECT
sls.update.microsoft.com:443 - HIER_DIRECT/2a01:111:f307:1790::f001:7a5 -
1590640153.084      0 52.202.5.238 NONE/503 3953 GET
https://sls.update.microsoft.com/SLS/%7B9482F4B4-E343-43B6-B170-9A65BC822C77%7D/x64/10.0.14393.0/0?
- HIER_NONE/- text/html


I checked the page at https://wiki.squid-cache.org/SquidFaq/WindowsUpdate and
added the settings at the top, but it is still not working (I only tested
http_port; https_port is not working :)

# Destination-domain ACL for Windows Update traffic (list taken from the
# SquidFaq/WindowsUpdate page).  Note that www.microsoft.com, which the
# update client fetches /pki/certs/*.crt from in the log above, is NOT in
# this list, so those GETs fall through to the auth rules and get 407.
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com

# http_access is evaluated top to bottom, first match wins.  Both allow
# lines below sit before "deny !ncsa_users", so any client may reach these
# domains WITHOUT proxy credentials.  That is the FAQ's intended trade-off
# (the update service cannot answer a 407), but it means the allow-list
# above is reachable by every client that can reach port 2128/3130.
acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com
http_access allow CONNECT wuCONNECT
http_access allow windowsupdate

# Plain-HTTP proxy listener with SSL-Bump.  Basic-auth credentials sent to
# this port travel base64-encoded (effectively cleartext); the https_port
# listener below is the one that protects them in transit.
http_port 2128 ssl-bump tls-cert=/etc/squid/ssl_cert/example.com.cert \
    tls-key=/etc/squid/ssl_cert/example.com.private \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB
https_port 3130 cert=/etc/squid/ssl_cert/example.com.cert \
    key=/etc/squid/ssl_cert/example.com.private
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
auth_param basic children 5 startup=0 idle=1
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl ncsa_users proxy_auth REQUIRED
# SSL-Bump policy: peek at step 1, then bump EVERYTHING.  Nothing here
# excludes the windowsupdate ACL from bumping, so the Windows Update TLS
# sessions (fe2/sls.update.microsoft.com in the log) are being bumped with
# the self-signed CA, not skipped.
# NOTE(review): the NONE/503 entries in the log land on the first request
# inside each bumped CONNECT that got NONE/200 -- this looks like the bumped
# TLS leg failing rather than an auth problem; confirm in cache.log.
# If the intent is to leave Windows Update un-bumped, an
# "ssl_bump splice windowsupdate" rule placed before "ssl_bump bump all"
# is the usual form -- TODO confirm against the FAQ page.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
# Everything not matched above requires valid proxy credentials.
http_access deny !ncsa_users
http_access allow ncsa_users



Based on the instructions, it seems that we are skipping SSL bump for Windows
Update, right? Does that mean Windows Server will not work with any SSL
authentication?


Thank you so much!



--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html

