Hi, I'm trying to use Squid 3.1.20 to update several Windows clients (some are Vista, some are 7, some are 10). We're using NTLM authentication, and some groups (some users can use full internet, some can only on some sites) and this is working fine. The issue arises when trying to update Windows, using automatic updates. We see, on the log files, messages like the following:

1550954462.404 0 192.168.42.121 TCP_DENIED/407 3980 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - NONE/- text/html
1550954462.410 0 192.168.42.121 TCP_DENIED/407 4261 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - NONE/- text/html
1550954462.415 0 192.168.42.121 TCP_DENIED/407 4635 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - NONE/- text/html

Some aspects concern me... first of all, that our users cannot update Windows. But then I noticed there is no user on that connection, as we have in others:

1550954433.432 581 192.168.62.58 TCP_MISS/200 2853 CONNECT gameplay.intel.com:443 *jperez* DIRECT/23.198.191.99 -

I don't know if this is a known issue or not... can anybody point me in the right direction to understand the nature of this issue, and how to solve/mitigate it?

Thanks a lot in advance for your time and attention and best regards,

---

Some information about this installation:

root@pxyserver:/var/log/squid3# squid3 -version
Squid Cache: Version 3.1.20
configure options: '--build=i486-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--with-cppunit-basedir=/usr' '--enable-inline' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth=basic,digest,ntlm,negotiate' '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM' '--enable-ntlm-auth-helpers=smb_lm,' '--enable-digest-auth-helpers=ldap,password' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group' '--enable-arp-acl' '--enable-esi' '--enable-zph-qos' '--enable-wccpv2' '--disable-translation' '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-linux-netfilter' 'build_alias=i486-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wall' 'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security' --with-squid=/build/buildd-squid3_3.1.20-2.2-i386-3NN6Xn/squid3-3.1.20

/etc/squid3/squid.conf:

cache_mgr cache@mydomain.local
auth_param negotiate program /usr/local/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=MYDOMAIN --kerberos /usr/lib/squid3/squid_kerb_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive off
auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=MYDOMAIN
auth_param ntlm children 10
auth_param ntlm keep_alive off
auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=mydomain,dc=local" -D squid@mydomain.local -W /etc/squid3/ldappass.txt -f sAMAccountName=%s -h ARBERN005M.mydomain.local
auth_param basic children 10
auth_param basic realm Internet Proxy
auth_param basic credentialsttl 1 minute
external_acl_type memberof %LOGIN /usr/lib/squid3/squid_ldap_group -R -K -b "dc=mydomain,dc=local" -D squid@mydomain.local -W /etc/squid3/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,cn=Users,dc=mydomain,dc=local))" -h ARBERN005M.mydomain.local
acl company src "/etc/squid3/full"
acl limitados src "/etc/squid3/limitados"
acl lentos src "/etc/squid3/lento"
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl dnld url_regex -i \.avi
acl dnld url_regex -i \.mp3
acl dnld url_regex -i \.fla
acl dnld url_regex -i \.flv
acl dnld url_regex -i \.wav
acl dnld url_regex -i \.asf
acl dnld url_regex -i \.wmf
acl dnld url_regex -i \.pif
acl dnld url_regex -i \.bat
acl dnld url_regex -i \.scr
acl dnld url_regex -i \.wdm
acl dnld url_regex -i \.wmv
acl dnld url_regex -i \.mid
acl dnld url_regex -i \.mpg
acl dnld url_regex -i \.mpg
acl dnld url_regex -i \.mpeg
acl dnld url_regex -i \.ogg
acl dnld url_regex -i \.ogm
acl dnld url_regex -i \.exe
acl dnld url_regex -i \.arj
acl dnld url_regex -i \.iso
acl dnld url_regex -i \.nrg
acl dnld url_regex -i \.bin
acl dnld url_regex -i \.dmg
acl dnld url_regex -i \.img
acl dnld url_regex -i \.pl
acl dnld_full url_regex -i \.avi
acl dnld_full url_regex -i \.mp3
acl dnld_full url_regex -i \.wav
acl dnld_full url_regex -i \.asf
acl dnld_full url_regex -i \.wmf
acl dnld_full url_regex -i \.mpg
acl dnld_full url_regex -i \.mpg
acl dnld_full url_regex -i \.mpeg
acl dnld_full url_regex -i \.ogg
acl dnld_full url_regex -i \.ogm
acl streaming browser -i ^.*NSPlayer.*
acl streaming browser -i ^.*Player.*
acl streaming browser -i ^.*Windows-Media-Player.*
acl streaming1 browser -i ^video/x-ms-asf$
acl streaming1 browser -i ^application/vnd.ms.wms-hdr.asfv1$
acl streaming1 browser -i ^application/x-mms-framed$
acl streaming1 browser -i ^audio/x-pn-realaudio$
acl streaming1 browser ^.*mms.*
acl streaming1 browser ^.*ms-hdr.*
acl streaming1 browser ^.*x-fcs.*
acl streaming1 browser ^.*x-ms-asf.*
acl streaming1 browser -i ^application/octet-stream$
acl streaming1 browser -i application/octet-stream
delay_pools 1
delay_class 1 1
delay_parameters 1 1000/100
acl dp url_regex \.flv$
acl dp url_regex -i watch?
acl dp url_regex -i youtube
acl dp url_regex -i facebook
delay_access 1 allow dp lentos
acl auth proxy_auth REQUIRED
acl internet_full external memberof "/etc/squid3/internet_full.txt"
acl internet_limitado external memberof "/etc/squid3/internet_limitado.txt"
acl internet_limitado2 external memberof "/etc/squid3/internet_limitado2.txt"
acl destinos_permitidos dstdomain "/etc/squid3/destinos_permitidos"
acl destinos_permitidos2 dstdomain "/etc/squid3/destinos_permitidos2"
acl sitios_denegados dstdomain "/etc/squid3/sitios_denegados"
acl prohibidos dstdomain "/etc/squid3/prohibidos.txt"
acl prohibidos-full dstdomain "/etc/squid3/prohibidos-full.txt"
acl intfull- dstdomain "/etc/squid3/intfull-"
acl allowedsites dstdomain "/etc/squid3/allowedsites.txt"
acl manager proto cache_object
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow localhost
http_access deny !auth
http_access deny sitios_denegados all
http_access allow allowedsites
http_access allow limitados !dnld !streaming !streaming1 !sitios_denegados
http_access allow !dnld !streaming !streaming1 destinos_permitidos internet_limitado
http_access allow !dnld !streaming !streaming1 destinos_permitidos2 internet_limitado2
http_access allow !dnld_full !streaming !streaming1 !prohibidos-full internet_full
http_access deny all
access_log /var/log/squid3/access.log squid !allowedsites
http_port 3128
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

--
HeCSa
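
Added example, not part of the original post: Python that reads Squid native-format access.log lines like the ones quoted above and lists the client/destination pairs that received 407 challenges but never logged a request carrying a user name. This separates an ordinary authentication handshake (a 407 followed by an entry with a user) from a client that never answers the challenge. The function names and the fourth sample line are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Squid native access.log fields:
# time elapsed client code/status bytes method URL user hierarchy/peer type
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

def dest_host(method, url):
    """Destination host; a CONNECT target is logged as host:port."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or url).lower()

def never_authenticated(lines):
    """Map (client, host) -> number of 407 replies, for pairs that were
    challenged but never produced a log entry carrying a user name."""
    challenged, authenticated = defaultdict(int), set()
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a native-format line
        key = (m["client"], dest_host(m["method"], m["url"]))
        if m["user"] != "-":
            authenticated.add(key)
        elif m["status"] == "407":
            challenged[key] += 1
    return {k: n for k, n in challenged.items() if k not in authenticated}

# Lines 1-3 and 5 are the entries quoted in the post (user name without the
# poster's emphasis marks); line 4 is constructed to show the 407 challenge
# that precedes an authenticated request.
SAMPLE = """\
1550954462.404 0 192.168.42.121 TCP_DENIED/407 3980 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - NONE/- text/html
1550954462.410 0 192.168.42.121 TCP_DENIED/407 4261 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - NONE/- text/html
1550954462.415 0 192.168.42.121 TCP_DENIED/407 4635 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab? - NONE/- text/html
1550954433.120 0 192.168.62.58 TCP_DENIED/407 4012 CONNECT gameplay.intel.com:443 - NONE/- text/html
1550954433.432 581 192.168.62.58 TCP_MISS/200 2853 CONNECT gameplay.intel.com:443 jperez DIRECT/23.198.191.99 -
""".splitlines()

if __name__ == "__main__":
    for (client, host), n in sorted(never_authenticated(SAMPLE).items()):
        print(f"{client} -> {host}: {n} x 407, no authenticated request")
```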