[squid-users] squid to only allow office activation and not windows updates

robert k Wild robertkwild at gmail.com
Sat Jan 11 13:19:12 UTC 2020


OK, I think I have done it

#
acl DiscoverSNIHost at_step SslBump1
# dots escaped and the pattern anchored so only names ending in .microsoft.com are spliced
acl NoSSLIntercept ssl::server_name_regex -i \.microsoft\.com$
ssl_bump splice NoSSLIntercept
ssl_bump peek DiscoverSNIHost
ssl_bump bump all
#
#URL deny MIME types
acl mimetype rep_mime_type application/octet-stream
http_reply_access deny mimetype
#

As now Windows can check for updates but it can't download, as I have denied
the octet-stream, i.e. cab/exe files

On Sat, 11 Jan 2020 at 12:15, robert k Wild <robertkwild at gmail.com> wrote:

> Hi Amos,
>
> OK, I have found the rule for it
>
> acl DiscoverSNIHost at_step SslBump1
> acl NoSSLIntercept ssl::server_name .microsoft.com
> ssl_bump peek DiscoverSNIHost
> ssl_bump splice NoSSLIntercept
> ssl_bump bump all
>
> But the thing is, both Windows updates and Office activation use the exact
> same cert file
>
> .microsoft.com/pkiops/certs/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crt
>
> I'm stuck
>
> Or if I can get Squid to block Windows updates altogether?
>
> Thanks,
>
> Rob
>
> On Sat, 11 Jan 2020, 01:40 Amos Jeffries, <squid3 at treenet.co.nz> wrote:
>
>> On 11/01/20 11:46 am, robert k Wild wrote:
>> > Hi all,
>> >
>> > I have added all these lines to my Squid config as it wasn't allowing
>> > Office activation
>> >
>> > https://wiki.squid-cache.org/SquidFaq/WindowsUpdate
>> >
>> > But now it's allowing Office activation and now Windows updates, but I
>> > don't want it to do Windows updates as this is managed by our WSUS server
>> >
>>
>> That would be right then. As the wiki page name indicates that config is
>> all about allowing WindowsUpdate.
>>
>>
>> > What are the correct lines to just do the Office activation?
>> >
>>
>> This is a strong indication you still do not understand how ACLs work.
>>
>> So your reference points are:
>>  <https://wiki.squid-cache.org/SquidFaq/SquidAcl>
>> and
>>  <http://www.squid-cache.org/Doc/config/acl/>
>>
>>
>> > As when I comment out all the lines I get this
>> >
>> > 0 - TCP_DENIED/403 3810 GET http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crt
>> >
>>
>> That then is the first URL you need to let clients access.
>>
>> Once that is accessible the activation process will get further and
>> there may be others. When you know the whole set there may be some
>> optimizations your rules can use to simplify the final config.
>>
>>
>> Amos
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
>

-- 
Regards,

Robert K Wild.
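
An added example, not part of the original thread: `ssl_bump splice` exempts every matching server name from inspection, so it is worth checking what a `server_name_regex` for microsoft.com matches with its dots unescaped versus escaped and anchored. Assumptions: Python's `re.search` with `IGNORECASE` stands in for Squid's unanchored, `-i` regex matching, and all host names below are constructed samples.

```python
import re

# Two ways of writing the splice pattern: dots left as regex wildcards,
# and dots escaped with an end-of-name anchor.
UNESCAPED = r".microsoft.com"
ESCAPED = r"\.microsoft\.com$"

# Constructed TLS server names (SNI values), not taken from any real log.
SAMPLE_SNI = [
    "www.microsoft.com",
    "WWW.MICROSOFT.COM",
    "microsoft.com",
    "www.microsoft.com.example.net",
    "xmicrosoftzcom.example.org",
    "update.example.org",
]


def spliced(pattern, names):
    """Return the names an unanchored, case-insensitive regex ACL would match."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [n for n in names if rx.search(n)]


def overbroad(loose, strict, names):
    """Names the loose pattern splices (tunnels uninspected) but the strict one does not."""
    strict_hits = set(spliced(strict, names))
    return [n for n in spliced(loose, names) if n not in strict_hits]


if __name__ == "__main__":
    for label, pat in (("unescaped", UNESCAPED), ("escaped", ESCAPED)):
        print(f"{label:9} {pat!r:24} -> {spliced(pat, SAMPLE_SNI)}")
    print("spliced only by the unescaped pattern:",
          overbroad(UNESCAPED, ESCAPED, SAMPLE_SNI))
```

Neither pattern matches the bare name `microsoft.com`, because both require a character before `microsoft`.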