Re: [squid-users] update windows

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 14 Feb 2014 12:05:16 +1300

On 2014-02-14 11:44, Claudia Cruz wrote:
> Hello again. I have installed Squid 3.1 with Active Directory
> authentication, and I still cannot download updates. Now a curious
> thing happens: when I try to download, it asks me for my user name and
> password for my proxy, which it should not do.
> Within my configuration I tested the following:
>
> # ACLs Windows Update HTTP
> acl WU dstdomain windowsupdate.microsoft.com
> acl WU dstdomain .update.microsoft.com
> acl WU dstdomain download.windowsupdate.com
> acl WU dstdomain redir.metaservices.microsoft.com
> acl WU dstdomain images.metaservices.microsoft.com
> acl WU dstdomain c.microsoft.com
> acl WU dstdomain www.download.windowsupdate.com
> acl WU dstdomain wustat.windows.com
> acl WU dstdomain crl.microsoft.com
> acl WU dstdomain sls.microsoft.com
> acl WU dstdomain productactivation.one.microsoft.com
> acl WU dstdomain ntservicepack.microsoft.com
>
> # ACLs Windows Update HTTPS
> acl CONNECT method CONNECT
> acl wuCONNECT dstdomain www.update.microsoft.com
> acl wuCONNECT dstdomain sls.microsoft.com
>
> acl HEAD method HEAD
>
> # ACL to allow purging an object from the cache:
> acl PURGE method PURGE

Performance Note: Unless you are actually making use of the PURGE acl, it is
better to remove it completely from your config. Simply defining it
makes Squid auto-enable extra complex/slow tracking of cached
objects on each request.

>
> http_access allow CONNECT wuCONNECT localhost
> http_access allow WU localhost

You have configured such that *only* the localhost IPs (127.0.0.1 or
::1) can do windows updates without authentication. All other traffic
MUST get past the GrupoAD_filtrado1 check below.

Note that the wiki page examples restrict these allow rules to
*localnet* (note the "net" part), which means the entire LAN can do
updates, not just the Squid server machine.

> http_access allow GrupoAD_filtrado1

The following two do nothing, because a) you already allowed all
"CONNECT wuCONNECT localhost" matching traffic, and b) you already
allowed all "GrupoAD_filtrado1" matching traffic.

> http_access allow CONNECT wuCONNECT GrupoAD_filtrado1 localhost
> http_access allow GrupoAD_filtrado1

Amos
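The rule set from the quoted message, rewritten as an added example (not from the original thread) to follow the review points above: the update rules match the whole LAN rather than only the proxy host, the two shadowed rules and the unused PURGE acl are gone, and the authenticated rule comes last. The 192.168.0.0/16 range and the proxy_auth definition of GrupoAD_filtrado1 are assumptions; substitute your own subnet and the AD acl already defined on the proxy.

```conf
# Added example, not the original poster's config. Assumptions: LAN is
# 192.168.0.0/16 and GrupoAD_filtrado1 is an AD-backed proxy_auth acl
# defined elsewhere in squid.conf.

acl localnet src 192.168.0.0/16          # assumed LAN range

# Windows Update destinations (HTTP), unchanged from the original list
acl WU dstdomain windowsupdate.microsoft.com
acl WU dstdomain .update.microsoft.com
acl WU dstdomain download.windowsupdate.com
acl WU dstdomain redir.metaservices.microsoft.com
acl WU dstdomain images.metaservices.microsoft.com
acl WU dstdomain c.microsoft.com
acl WU dstdomain www.download.windowsupdate.com
acl WU dstdomain wustat.windows.com
acl WU dstdomain crl.microsoft.com
acl WU dstdomain sls.microsoft.com
acl WU dstdomain productactivation.one.microsoft.com
acl WU dstdomain ntservicepack.microsoft.com

# Windows Update destinations (HTTPS tunnels)
acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com

# No PURGE acl: merely defining it enables extra per-request tracking
# of cached objects even when no rule uses it.

# AD group check, assumed to be defined earlier as something like:
# acl GrupoAD_filtrado1 proxy_auth REQUIRED

# http_access is first-match. These two lines sit before the
# authenticated rule and match the whole LAN (localnet), not only the
# proxy host itself (localhost), so update traffic is never challenged
# for credentials.
http_access allow localnet CONNECT wuCONNECT
http_access allow localnet WU

# Everything else needs an authenticated AD user. The former duplicate
# "CONNECT wuCONNECT GrupoAD_filtrado1 localhost" and second
# "GrupoAD_filtrado1" lines are dropped: anything they could match is
# already decided by the rules above.
http_access allow GrupoAD_filtrado1
http_access deny all
```

With this ordering, a LAN client fetching an update matches one of the two localnet rules and is allowed without authentication, while any other request reaches the GrupoAD_filtrado1 rule and is challenged.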
Received on Thu Feb 13 2014 - 23:05:19 MST

This archive was generated by hypermail 2.2.0 : Fri Feb 14 2014 - 12:00:04 MST