<div dir="ltr"><div>i have done it</div><div><br></div><div>i can now whitelist urls, block mime types and now i can download/install windows updates</div><div><br></div><div>#<br>#<br>#Windows Update Download<br>acl windowsupdate dstdomain .<a href="http://microsoft.com">microsoft.com</a> .<a href="http://windows.com">windows.com</a> .<a href="http://windowsupdate.com">windowsupdate.com</a><br>acl CONNECT method CONNECT<br>acl wuCONNECT dstdomain .<a href="http://microsoft.com">microsoft.com</a> .<a href="http://windows.com">windows.com</a> .<a href="http://windowsupdate.com">windowsupdate.com</a><br>http_access allow CONNECT wuCONNECT<br>http_access allow windowsupdate<br><br>range_offset_limit 200 MB windowsupdate<br>maximum_object_size 200 MB<br>quick_abort_min -1<br><br>refresh_pattern -i .<a href="http://microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)">microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)</a> 4320 80% 43200 reload-into-ims<br>refresh_pattern -i .<a href="http://windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)">windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)</a> 4320 80% 43200 reload-into-ims<br>refresh_pattern -i .<a href="http://windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)">windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip)</a> 4320 80% 43200 reload-into-ims<br><br>acl DiscoverSNIHost at_step SslBump1<br>acl NoSSLIntercept ssl::server_name_regex -i .<a href="http://microsoft.com">microsoft.com</a> .<a href="http://windows.com">windows.com</a> .<a href="http://windowsupdate.com">windowsupdate.com</a><br>ssl_bump splice NoSSLIntercept<br>ssl_bump peek DiscoverSNIHost<br>ssl_bump bump all<br><br>acl BrokenButTrustedServers dstdomain .<a href="http://microsoft.com">microsoft.com</a> .<a href="http://windows.com">windows.com</a> .<a href="http://windowsupdate.com">windowsupdate.com</a><br>acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH<br>sslproxy_cert_error 
allow BrokenButTrustedServers DomainMismatch<br>sslproxy_cert_error deny all<br>#<br>#SSL<br>http_port 3128 ssl-bump \<br>cert=/usr/local/squid/etc/ssl_cert/myCA.pem \<br>cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS \<br>generate-host-certificates=on dynamic_cert_mem_cache_size=4MB<br>sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB<br>acl step1 at_step SslBump1<br>ssl_bump peek step1<br>ssl_bump bump all<br><br>#<br># Recommended minimum configuration:<br>#<br><br># Example rule allowing access from your local networks.<br># Adapt to list your (internal) IP networks from where browsing<br># should be allowed<br>acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)<br>acl localnet src <a href="http://10.0.0.0/8">10.0.0.0/8</a> # RFC 1918 local private network (LAN)<br>acl localnet src <a href="http://100.64.0.0/10">100.64.0.0/10</a> # RFC 6598 shared address space (CGN)<br>acl localnet src <a href="http://169.254.0.0/16">169.254.0.0/16</a> # RFC 3927 link-local (directly plugged) machines<br>acl localnet src <a href="http://172.16.0.0/12">172.16.0.0/12</a> # RFC 1918 local private network (LAN)<br>acl localnet src <a href="http://192.168.0.0/16">192.168.0.0/16</a> # RFC 1918 local private network (LAN)<br>acl localnet src fc00::/7 # RFC 4193 local private network range<br>acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines<br><br>acl SSL_ports port 443<br>acl Safe_ports port 80 # http<br>acl Safe_ports port 21 # ftp<br>acl Safe_ports port 443 # https<br>acl Safe_ports port 70 # gopher<br>acl Safe_ports port 210 # wais<br>acl Safe_ports port 1025-65535 # unregistered ports<br>acl Safe_ports port 280 # http-mgmt<br>acl Safe_ports port 488 # gss-http<br>acl Safe_ports port 591 # filemaker<br>acl Safe_ports port 777 # multiling http<br>acl CONNECT method CONNECT<br><br>#<br># Recommended minimum Access Permission configuration:<br>#<br># Deny requests to certain 
unsafe ports<br>http_access deny !Safe_ports<br><br># Deny CONNECT to other than secure SSL ports<br>http_access deny CONNECT !SSL_ports<br><br># Only allow cachemgr access from localhost<br>http_access allow localhost manager<br>http_access deny manager<br><br># We strongly recommend the following be uncommented to protect innocent<br># web applications running on the proxy server who think the only<br># one who can access services on "localhost" is a local user<br>#http_access deny to_localhost<br><br>#<br># INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS<br>#<br>#HTTP_HTTPS whitelist websites<br>acl whitelist ssl::server_name "/usr/local/squid/etc/urlwhite.txt"<br>http_access allow whitelist<br><br>#URL deny MIME types<br>acl mimetype rep_mime_type "/usr/local/squid/etc/mimedeny.txt"<br>http_reply_access deny mimetype<br>http_access deny all<br><br># Example rule allowing access from your local networks.<br># Adapt localnet in the ACL section to list your (internal) IP networks<br># from where browsing should be allowed<br>http_access allow localnet<br>http_access allow localhost<br><br># Uncomment and adjust the following to add a disk cache directory.<br>#cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256<br><br># Leave coredumps in the first cache dir<br>coredump_dir /usr/local/squid/var/cache/squid<br><br>#<br># Add any of your own refresh_pattern entries above these.<br>#<br>refresh_pattern ^ftp: 1440 20% 10080<br>refresh_pattern ^gopher: 1440 0% 1440<br>refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br>refresh_pattern . 
0 20% 4320</div><div><br></div><div>Amos, do you think i could make the windows update section a bit smaller or do i need all the lines in there?</div><div><br></div><div>many thanks,</div><div>rob<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, 15 Dec 2019 at 16:24, robert k Wild <<a href="mailto:robertkwild@gmail.com">robertkwild@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>hi Amos,</div><div><br></div><div>so this is my new config - <br></div><div><br></div><div>#<br># Recommended minimum configuration:<br>#<br><br>#SSL<br>http_port 3128 ssl-bump \<br>cert=/usr/local/squid/ssl_cert/myCA.pem \<br>cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS \<br>generate-host-certificates=on dynamic_cert_mem_cache_size=4MB<br>sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB<br>acl step1 at_step SslBump1<br>ssl_bump peek step1<br>ssl_bump bump all<br><br># Example rule allowing access from your local networks.<br># Adapt to list your (internal) IP networks from where browsing<br># should be allowed<br>acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)<br>acl localnet src <a href="http://10.0.0.0/8" target="_blank">10.0.0.0/8</a> # RFC 1918 local private network (LAN)<br>acl localnet src <a href="http://100.64.0.0/10" target="_blank">100.64.0.0/10</a> # RFC 6598 shared address space (CGN)<br>acl localnet src <a href="http://169.254.0.0/16" target="_blank">169.254.0.0/16</a> # RFC 3927 link-local (directly plugged) machines<br>acl localnet src <a href="http://172.16.0.0/12" target="_blank">172.16.0.0/12</a> # RFC 1918 local private network (LAN)<br>acl localnet src <a href="http://192.168.0.0/16" target="_blank">192.168.0.0/16</a> # RFC 1918 local private network (LAN)<br>acl localnet src fc00::/7 # RFC 4193 local private network 
range<br>acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines<br><br>acl SSL_ports port 443<br>acl Safe_ports port 80 # http<br>acl Safe_ports port 21 # ftp<br>acl Safe_ports port 443 # https<br>acl Safe_ports port 70 # gopher<br>acl Safe_ports port 210 # wais<br>acl Safe_ports port 1025-65535 # unregistered ports<br>acl Safe_ports port 280 # http-mgmt<br>acl Safe_ports port 488 # gss-http<br>acl Safe_ports port 591 # filemaker<br>acl Safe_ports port 777 # multiling http<br>acl CONNECT method CONNECT<br><br>#<br># Recommended minimum Access Permission configuration:<br>#<br># Deny requests to certain unsafe ports<br>http_access deny !Safe_ports<br><br># Deny CONNECT to other than secure SSL ports<br>http_access deny CONNECT !SSL_ports<br><br># Only allow cachemgr access from localhost<br>http_access allow localhost manager<br>http_access deny manager<br><br># We strongly recommend the following be uncommented to protect innocent<br># web applications running on the proxy server who think the only<br># one who can access services on "localhost" is a local user<br>#http_access deny to_localhost<br><br>#<br># INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS<br>#<br>#Windows Update<br>acl windowsupdate dstdomain .<a href="http://microsoft.com" target="_blank">microsoft.com</a> .<a href="http://windows.com" target="_blank">windows.com</a> .<a href="http://windowsupdate.com" target="_blank">windowsupdate.com</a> .<a href="http://windows.net" target="_blank">windows.net</a><br>acl CONNECT method CONNECT<br>acl wuCONNECT dstdomain .<a href="http://microsoft.com" target="_blank">microsoft.com</a> .<a href="http://windows.com" target="_blank">windows.com</a> .<a href="http://windowsupdate.com" target="_blank">windowsupdate.com</a> .<a href="http://windows.net" target="_blank">windows.net</a><br>http_access allow CONNECT wuCONNECT<br>http_access allow windowsupdate<br><br>acl DiscoverSNIHost at_step SslBump1<br>acl NoSSLIntercept 
ssl::server_name_regex -i .<a href="http://microsoft.com" target="_blank">microsoft.com</a> .<a href="http://windows.com" target="_blank">windows.com</a> .<a href="http://windowsupdate.com" target="_blank">windowsupdate.com</a> .<a href="http://windows.net" target="_blank">windows.net</a><br>ssl_bump splice NoSSLIntercept<br>ssl_bump peek DiscoverSNIHost<br>ssl_bump bump all<br><br>acl BrokenButTrustedServers dstdomain .<a href="http://microsoft.com" target="_blank">microsoft.com</a> .<a href="http://windows.com" target="_blank">windows.com</a> .<a href="http://windowsupdate.com" target="_blank">windowsupdate.com</a> .<a href="http://windows.net" target="_blank">windows.net</a><br>acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH<br>sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch<br>sslproxy_cert_error deny all<br><br>#HTTP_HTTPS whitelist websites<br>acl whitelist ssl::server_name "/usr/local/squid/etc/urlwhite.txt"<br>http_access allow whitelist<br><br>#URL deny MIME types<br>acl mimetype rep_mime_type "/usr/local/squid/etc/mimedeny.txt"<br>http_reply_access deny mimetype<br>http_access deny all<br><br># Example rule allowing access from your local networks.<br># Adapt localnet in the ACL section to list your (internal) IP networks<br># from where browsing should be allowed<br>http_access allow localnet<br>http_access allow localhost<br><br># Uncomment and adjust the following to add a disk cache directory.<br>#cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256<br><br># Leave coredumps in the first cache dir<br>coredump_dir /usr/local/squid/var/cache/squid<br><br>#<br># Add any of your own refresh_pattern entries above these.<br>#<br>refresh_pattern ^ftp: 1440 20% 10080<br>refresh_pattern ^gopher: 1440 0% 1440<br>refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br>refresh_pattern . 0 20% 4320</div><div><br></div><div>but im still getting the exact same logs</div><div><br></div><div>error 503 means</div><div><br></div><div>
<table><tbody><tr><td><p> 503 </p></td>
<td><p> Service Unavailable </p></td>
<td><p> <a href="http://tools.ietf.org/rfc/rfc1945" title="RFC" target="_blank">1945</a>, <a href="http://tools.ietf.org/rfc/rfc2616" title="RFC" target="_blank">2616</a> </p></td></tr></tbody></table>
</div><div>thanks,</div><div>rob<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, 15 Dec 2019 at 10:40, Amos Jeffries <<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 15/12/19 1:16 pm, robert k Wild wrote:<br>
> hi Amos,<br>
> <br>
> thank you for getting back to me about this :)<br>
> <br>
> this is my new config<br>
> <br>
> #<br>
> #SSL<br>
> http_port 3128 ssl-bump \<br>
> cert=/usr/local/squid/etc/ssl_cert/myCA.pem \<br>
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB<br>
> sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB<br>
> acl step1 at_step SslBump1<br>
> ssl_bump peek step1<br>
> ssl_bump bump all<br>
> <br>
> #Windows Updates<br>
> acl windowsupdate dstdomain "/usr/local/squid/etc/wu.txt"<br>
> acl CONNECT method CONNECT<br>
> acl wuCONNECT dstdomain "/usr/local/squid/etc/wu.txt"<br>
> http_access allow CONNECT wuCONNECT<br>
> http_access allow windowsupdate<br>
> <br>
...<br>
> <br>
> #<br>
> # Recommended minimum Access Permission configuration:<br>
> #<br>
> # Deny requests to certain unsafe ports<br>
> http_access deny !Safe_ports<br>
> <br>
> # Deny CONNECT to other than secure SSL ports<br>
> http_access deny CONNECT !SSL_ports<br>
> <br>
> # Only allow cachemgr access from localhost<br>
> http_access allow localhost manager<br>
> http_access deny manager<br>
> <br>
> # We strongly recommend the following be uncommented to protect innocent<br>
> # web applications running on the proxy server who think the only<br>
> # one who can access services on "localhost" is a local user<br>
> #http_access deny to_localhost<br>
> <br>
> #<br>
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS<br>
> #<br>
> <br>
> # Example rule allowing access from your local networks.<br>
> # Adapt localnet in the ACL section to list your (internal) IP networks<br>
> # from where browsing should be allowed<br>
> http_access allow localnet<br>
> http_access allow localhost<br>
> <br>
...<br>
<br>
> <br>
> the reason why i have added the windows update lines at the beginning is<br>
> that the link says so (below)<br>
> <br>
> <a href="https://linuxnlenux.wordpress.com/2014/10/14/howto-allow-windows-updates-through-squid/" rel="noreferrer" target="_blank">https://linuxnlenux.wordpress.com/2014/10/14/howto-allow-windows-updates-through-squid/</a><br>
> <br>
<br>
That is a copy-n-paste of an old email without any of the context. See<br>
<<a href="https://wiki.squid-cache.org/SquidFaq/WindowsUpdate" rel="noreferrer" target="_blank">https://wiki.squid-cache.org/SquidFaq/WindowsUpdate</a>> for the full<br>
context and more up to date info.<br>
<br>
Note that the things that need to be first are very specifically a<br>
sub-set of the MS domains which use a non-443 port for call-home traffic<br>
so they would normally get blocked by the SSL_ports protection.<br>
<br>
<br>
For a generic whitelist you should still have your list where the config<br>
says "INSERT YOUR OWN RULES ..." .<br>
<br>
<br>
> <br>
> and when im looking at the logs real time<br>
> <br>
> 1576368417.620 48 10.100.1.5 NONE/200 0 CONNECT fe3cr.delivery.mp.microsoft.com:443 - HIER_DIRECT/191.232.139.2 -<br>
> 1576368417.647 0 10.100.1.5 NONE/503 4363 POST https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx - HIER_NONE/- text/html<br>
> 1576368419.702 0 - TCP_MEM_HIT/200 807 GET http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crt - HIER_NONE/- application/octet-stream<br>
> <br>
<br>
These show good progress from where you started off. The cert is being<br>
downloaded fine. The tunnel being bumped fine. But the POST request<br>
which was decrypted could not be serviced.<br>
<br>
Can you find out what the 503 message says?<br>
<br>
<br>
Amos<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div><br clear="all"><br>-- <br><div dir="ltr"><div dir="ltr">Regards, <br><br>Robert K Wild.<br></div></div>
</blockquote></div><br clear="all"><br>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr">Regards, <br><br>Robert K Wild.<br></div></div>
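<div>Added example, not part of the original thread or of Squid itself: a check of which TLS server names the <code>ssl::server_name_regex -i .microsoft.com .windows.com .windowsupdate.com</code> line in the config above would send to <code>ssl_bump splice</code> (and so exempt from bumping), given that regex ACLs are unanchored and an unescaped <code>.</code> matches any character. The anchored patterns in <code>STRICT</code> and every hostname under <code>example.*</code> are assumptions constructed for illustration.</div>

```python
import re

# Patterns exactly as written on the ssl::server_name_regex line in the thread.
LOOSE = [".microsoft.com", ".windows.com", ".windowsupdate.com"]

# Assumed tightening (not from the thread): escape the dots, anchor on a
# label boundary at the start and on the end of the name.
STRICT = [r"(^|\.)microsoft\.com$", r"(^|\.)windows\.com$",
          r"(^|\.)windowsupdate\.com$"]

# Domains the splice rule is meant to cover.
INTENDED = ("microsoft.com", "windows.com", "windowsupdate.com")

# Constructed SNI values; the first two hostnames come from the log lines
# quoted in the thread, the rest are made up under reserved example domains.
SAMPLE_SNI = [
    "fe3cr.delivery.mp.microsoft.com",
    "www.microsoft.com",
    "WWW.WINDOWSUPDATE.COM",
    "xmicrosoft.com.example.net",
    "notwindows.com.example.org",
    "download-windowsupdate-com.example.com",
]


def in_intended_domain(name):
    """True if name is one of INTENDED or a subdomain of it."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in INTENDED)


def spliced(name, patterns):
    """True if any pattern matches: unanchored search, -i ignores case."""
    return any(re.search(p, name, re.IGNORECASE) for p in patterns)


def unintended_splices(patterns, names=SAMPLE_SNI):
    """Names that would be spliced although they are outside INTENDED."""
    return [n for n in names
            if spliced(n, patterns) and not in_intended_domain(n)]


def missed_splices(patterns, names=SAMPLE_SNI):
    """Names inside INTENDED that the patterns fail to match."""
    return [n for n in names
            if in_intended_domain(n) and not spliced(n, patterns)]


if __name__ == "__main__":
    for label, pats in (("as posted", LOOSE), ("anchored", STRICT)):
        print(label, "unintended:", unintended_splices(pats),
              "missed:", missed_splices(pats))
```

<div>The same splice decision can also be expressed with a non-regex <code>ssl::server_name</code> ACL, the type the config already uses for its whitelist file.</div>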