[squid-users] still having problems with Microsoft Update

From: Matt Ashfield <mda@dont-contact.us>
Date: Thu, 4 Aug 2005 11:36:59 -0300

Hi All,

I'm running squid 2.5 on a RedHat Enterprise server. I'm running it as a
transparent proxy, but am having problems getting it to allow users to get
to windowsupdate properly. It can get to the site, but when it checks for
updates, it fails. I've tried adjusting my MTU size, but this did not help.
I think my issue is that WindowsUpdate uses port 443 and I'm not sure if I'm
accommodating this in my configuration correctly. Below is as much info as I
think may be useful.

My iptables rule looks like below. The first line is to redirect all port 80
requests to my squid port of 3128. The other two lines are for DNS:
iptables -t nat -A PREROUTING -s 192.168.144.0/23 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -p tcp --dport 53 -j SNAT --to-source x.x.144.200
iptables -t nat -A POSTROUTING -p udp --dport 53 -j SNAT --to-source x.x.144.200

Within my squid.conf, I am running squid on port 3128. I have a redirector
script, and have the following lines that seem pertinent:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 563 443
acl Safe_ports port 80 21 70 210 911 1025-65535
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

redirector_access allow REDIRECT !SSL_ports

As well, to allow windowsupdate sites I have:
acl NoRedirect url_regex -i .*microsoft\.com
acl NoRedirect url_regex -i .*akamai\.net
acl NoRedirect url_regex -i .*akamai\.com
acl NoRedirect url_regex -i .*windows\.com
acl NoRedirect url_regex -i .*windowsupdate\.com
acl NoRedirect url_regex -i .*windowsupdate\.net
acl NoRedirect url_regex -i .*msft\.com
acl NoRedirect url_regex -i .*msft\.net
acl NoRedirect url_regex -i .*nsatc\.com
acl NoRedirect url_regex -i .*nsatc\.net
acl NoRedirect url_regex -i .*edgesuite\.net
acl NoRedirect url_regex -i .*akadns\.com
acl NoRedirect url_regex -i .*akadns\.net
acl NoRedirect url_regex -i .*207.46.*
acl NoRedirect url_regex -i .*64.2.21.*
acl NoRedirect url_regex -i .*unb\.ca.*
acl NoRedirect url_regex -i windowsupdate
redirector_access deny NoRedirect

Any help is greatly appreciated.

Cheers

Matt
Received on Thu Aug 04 2005 - 08:37:18 MDT
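
An added example, not part of the original post: a short audit of which URLs a sample of the NoRedirect url_regex patterns above exempt from the redirector, next to host-suffix matching in the style of Squid's dstdomain ACL type. The sample URLs and the suffix list are constructed assumptions, and Python's re module stands in for Squid's regex engine.

```python
import re
from urllib.parse import urlsplit

# Patterns copied from the post's NoRedirect ACL (url_regex -i = case-insensitive,
# matched anywhere in the full URL, not only in the hostname).
NOREDIRECT_PATTERNS = [
    r".*microsoft\.com", r".*akamai\.net", r".*windowsupdate\.com",
    r".*207.46.*", r".*unb\.ca.*", r"windowsupdate",
]

# Assumed alternative: "acl NAME dstdomain .microsoft.com" style suffixes.
# A leading dot covers the domain itself and every subdomain.
DSTDOMAIN_SUFFIXES = [".microsoft.com", ".windowsupdate.com", ".akamai.net"]

# Constructed sample URLs: two genuine update hosts, four unrelated ones.
SAMPLE_URLS = [
    "http://download.windowsupdate.com/msdownload/update/v5/file.cab",
    "http://v5.windowsupdate.microsoft.com/",
    "http://site.example.test/page?ref=microsoft.com",
    "http://site.example.test/windowsupdate/index.html",
    "http://site.example.test/id/12073461",
    "http://microsoft.com.example.test/",
]

def url_regex_match(url):
    """Return the first NoRedirect pattern found anywhere in the URL, or None."""
    for pattern in NOREDIRECT_PATTERNS:
        if re.search(pattern, url, re.IGNORECASE):
            return pattern
    return None

def dstdomain_match(url):
    """Return the suffix that covers the URL's hostname, or None."""
    host = (urlsplit(url).hostname or "").lower()
    for suffix in DSTDOMAIN_SUFFIXES:
        if host == suffix[1:] or host.endswith(suffix):
            return suffix
    return None

def audit(urls=SAMPLE_URLS):
    """Pair each URL with the rule (if any) that exempts it under each scheme."""
    return [(url, url_regex_match(url), dstdomain_match(url)) for url in urls]

if __name__ == "__main__":
    for url, by_regex, by_domain in audit():
        print(f"{url}\n  url_regex: {by_regex}\n  dstdomain: {by_domain}")
```

All six sample URLs skip the redirector under the url_regex list, while the hostname-based match exempts only the two update hosts.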
