OK, I think I have done it

#
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex -i .microsoft.com
ssl_bump splice NoSSLIntercept
ssl_bump peek DiscoverSNIHost
ssl_bump bump all
#
#URL deny MIME types
acl mimetype rep_mime_type application/octet-stream
http_reply_access deny mimetype
#

as now Windows can check for updates but it can't download, as I have denied the octet-stream, i.e. cab/exe files

On Sat, 11 Jan 2020 at 12:15, robert k Wild <robertkw...@gmail.com> wrote:

> Hi Amos,
>
> OK, I have found the rule for it
>
> acl DiscoverSNIHost at_step SslBump1
> acl NoSSLIntercept ssl::server_name .microsoft.com
> ssl_bump peek DiscoverSNIHost
> ssl_bump splice NoSSLIntercept
> ssl_bump bump all
>
> but the thing is both Windows updates and Office activation use the exact
> same cert file
>
> .
> microsoft.com/pkiops/certs/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crt
>
> I'm stuck
>
> or if I can get Squid to block Windows updates altogether?
>
> Thanks,
>
> Rob
>
> On Sat, 11 Jan 2020, 01:40 Amos Jeffries, <squ...@treenet.co.nz> wrote:
>
>> On 11/01/20 11:46 am, robert k Wild wrote:
>> > Hi all,
>> >
>> > I have added all these lines to my Squid config as it wasn't allowing
>> > Office activation
>> >
>> > https://wiki.squid-cache.org/SquidFaq/WindowsUpdate
>> >
>> > but now it's allowing Office activation and now Windows updates, but I
>> > don't want it to do Windows updates as this is managed by our WSUS server
>> >
>>
>> That would be right then. As the wiki page name indicates, that config is
>> all about allowing WindowsUpdate.
>>
>>
>> > what are the correct lines to just do the Office activation
>> >
>>
>> This is a strong indication you still do not understand how ACLs work.
>>
>> So your reference points are:
>> <https://wiki.squid-cache.org/SquidFaq/SquidAcl>
>> and
>> <http://www.squid-cache.org/Doc/config/acl/>
>>
>>
>> > as when I comment out all the lines I get this
>> >
>> > 0 - TCP_DENIED/403 3810 GET http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crt
>> >
>>
>> That then is the first URL you need to let clients access.
>>
>> Once that is accessible the activation process will get further and
>> there may be others. When you know the whole set there may be some
>> optimizations your rules can use to simplify the final config.
>>
>>
>> Amos
>> _______________________________________________
>> squid-users mailing list
>> squid-users@lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
>

-- 
Regards,

Robert K Wild.
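Added example, not part of the thread and not Squid project code: Amos's advice is to let the denied URL through, retry, and repeat until the whole set is known. This Python script collects the TCP_DENIED entries from a native-format access.log and prints one narrow acl line per denied target. The sample log lines, the host activation.example.net and the acl name activation_allow are constructed for illustration; only the .crt URL comes from the thread.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Squid native access.log fields:
# time elapsed client code/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^\S+\s+\d+\s+\S+\s+(?P<code>\w+)/\d{3}\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample lines; only the .crt URL is taken from the thread.
SAMPLE_LOG = """\
1578744900.101      0 192.0.2.10 TCP_DENIED/403 3810 GET http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crt - HIER_NONE/- text/html
1578744900.950     12 192.0.2.10 TCP_DENIED/403 3790 CONNECT activation.example.net:443 - HIER_NONE/- text/html
1578744901.300    210 192.0.2.11 TCP_MISS/200 5120 GET http://intranet.example.net/index.html - HIER_DIRECT/198.51.100.7 text/html
1578744905.004      0 192.0.2.12 TCP_DENIED/403 3810 GET http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crt - HIER_NONE/- text/html
"""

def denied_targets(lines):
    """Count TCP_DENIED* requests per (method, target); other results are skipped."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("code").startswith("TCP_DENIED"):
            hits[(m.group("method"), m.group("url"))] += 1
    return hits

def squid_escape(text):
    """Backslash-escape regex metacharacters so the URL is matched literally."""
    return re.sub(r"([.^$*+?()\[\]{}|\\])", r"\\\1", text)

def suggest_acls(hits, name="activation_allow"):
    """Return one narrow acl line per denied target (the acl name is hypothetical)."""
    out = []
    for (method, url), _count in sorted(hits.items()):
        if method == "CONNECT":                 # target is host:port
            host = url.rsplit(":", 1)[0].strip("[]")
            out.append(f"acl {name}_tls dstdomain {host}")
        else:                                   # plain HTTP: pin the exact URL, query dropped
            p = urlsplit(url)
            exact = squid_escape(f"{p.scheme}://{p.netloc}{p.path}")
            out.append(f"acl {name}_http url_regex ^{exact}$")
    return out

if __name__ == "__main__":
    print("\n".join(suggest_acls(denied_targets(SAMPLE_LOG.splitlines()))))
```

Each printed acl still needs a matching http_access allow line placed ahead of the deny rules before it has any effect.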