Re: [squid-users] Microsoft Updates

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 06 May 2010 03:35:44 +0000

On Wed, 05 May 2010 18:46:18 +0200, b1 <forum_at_b1online.de> wrote:
> Hello everybody
>
> At our school we are using squid 2.7 stable on a Debian Lenny machine.
> Users are authenticated via an Active Directory. Users without
> Authentication are denied Internet access.
>
> Unfortunately we have some Windows Desktops, which are trying to pull
> their updates, without using the Credentials of the user's Domain-Logon.
> These updates were consequently denied. Therefore we wanted to add
> exceptions to always allow connections to the Microsoft update sites.
> This is how I tried to implement this, by putting the following lines at
> the top of our squid.conf:
>
> acl windowsupdate dstdomain .microsoft.com
> acl windowsupdate dstdomain download.windowsupdate.com
> acl windowsupdate dstdomain wustat.windows.com
> acl windowsupdate2 dst 89.202.157.135
> acl windowsupdate2 dst 89.202.157.136
> acl windowsupdate2 dst 89.202.157.137
> acl windowsupdate2 dst 89.202.157.138
> acl windowsupdate2 dst 89.202.157.139
> acl windowsupdate dstdomain .eset.com
> acl windowsupdate dstdomain microsoftwga.112.207.net
> acl windowsupdate dstdomain .msft.net
>
> acl CONNECT method CONNECT
> acl wuCONNECT dstdomain www.update.microsoft.com
> acl wuCONNECT dstdomain sls.microsoft.com
>
> acl localnet src 172.16.0.0/12
> acl localhost src 127.0.0.1/32
>
> http_access allow CONNECT wuCONNECT localnet
> http_access allow CONNECT wuCONNECT localhost
> http_reply_access allow CONNECT wuCONNECT localnet
> http_reply_access allow CONNECT wuCONNECT localhost
> http_access allow windowsupdate localnet
> http_access allow windowsupdate localhost
> http_reply_access allow windowsupdate localnet
> http_reply_access allow windowsupdate localhost
>
> Unfortunately it's not working. It would be great if anybody had some
> hints why this is not working, or if anybody has a working configuration
> himself.
>

Works for me. Order is very important though when mixing with auth.

To avoid auth the whole set needs to be in the config file before the
first http_access line which uses auth.

I also note your addition of a "windowsupdate2" ACL. If that is some local
WSUS server it needs its own copy of each WU *_access line to be
treated the same as regular WU.

Amos
Received on Thu May 06 2010 - 03:35:49 MDT
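
The two points in the reply above, as an added check that is not part of the original thread: a small Python linter that reports destination-ACL allow rules placed after the first http_access line that uses a proxy_auth ACL, and dst/dstdomain ACLs that no *_access line references. The sample config, the "authed" ACL name and the lint() function are assumptions constructed for illustration.

```python
# Added example: lint a squid.conf string for auth-bypass rule ordering.
AUTH_TYPES = {"proxy_auth", "proxy_auth_regex"}
DEST_TYPES = {"dst", "dstdomain"}

# Constructed sample (not the poster's full config); the "authed" ACL and
# the rule that uses it are assumptions about the part that was not posted.
SAMPLE = """\
acl authed proxy_auth REQUIRED
acl windowsupdate dstdomain .microsoft.com
acl windowsupdate2 dst 89.202.157.135
acl localnet src 172.16.0.0/12
http_access allow authed
http_access allow windowsupdate localnet
http_access deny all
"""

def lint(conf):
    """Return sorted (line_number, message) findings for a squid.conf string."""
    acl_type, acl_line, used = {}, {}, set()
    first_auth, findings = None, []
    for no, raw in enumerate(conf.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if len(tok) >= 3 and tok[0] == "acl":
            acl_type.setdefault(tok[1], tok[2])  # remember name -> type
            acl_line.setdefault(tok[1], no)
        elif len(tok) >= 3 and tok[0].endswith("_access"):
            names = [t.lstrip("!") for t in tok[2:]]
            used.update(names)
            if tok[0] != "http_access":
                continue
            types = {acl_type.get(n) for n in names}
            if types & AUTH_TYPES:
                first_auth = first_auth or no    # first rule that needs auth
            elif first_auth and tok[1] == "allow" and types & DEST_TYPES:
                findings.append((no, "allow rule for destination ACL comes "
                                     "after auth rule on line %d" % first_auth))
    for name, typ in acl_type.items():
        if typ in DEST_TYPES and name not in used:
            findings.append((acl_line[name], "ACL '%s' is never used in any "
                                             "*_access line" % name))
    return sorted(findings)

if __name__ == "__main__":
    for no, msg in lint(SAMPLE):
        print("line %d: %s" % (no, msg))
```
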
