[MontelLUG] Squid e windows update

Samuele samuele.zanin a tiscali.it
Mar 10 Lug 2012 11:21:16 CEST 

  Un po' di tempo fa ho messo su un fw endian.
Poi è saltato fuori che questo fw doveva filtrare gli accessi ad 
internet in base all'utente, quindi l'ho joinato ad AD.
Funziona tutto tranne una cosa: windows update che devo per forza far 
andare (no, non posso far tenere accesi i pc la notte e schedulare gli 
aggiornamenti a quell'ora con il firewall aperto in uscita).
I client sono quasi tutti win7.
All'atto di fare windows update mi compare una continua richiesta di 
inserire username/pwd.
Alcuni dicono che il problema sia che windows update se ne frega delle 
impostazioni del proxy inserite in ie, e vada configurato manualmente 
(tramite netsh/winhttp/show proxy ecc.). Fatto ma il risultato non cambia.

Ho provato a fare quanto scritto qui:
http://wiki.squid-cache.org/SquidFaq/WindowsUpdate#How_do_I_stop_Squid_popping_up_the_Authentication_box_for_Windows_Update.3F

Però se prima riuscivo ad accedere via browse alla pagina di 
update.microsoft.com adesso ottengo l'errore 403.
Ho provato anche a mettere delle acl per bypassare l'autenticazione sui 
domini di windows update. Nisba.

Allego il mio squid.conf.

Le modifiche fatte a mano sono marcate con ## AGGIUNTA MANUALE ###

shutdown_lifetime 1 seconds
icp_port 0

http_port 0.0.0.0:8080 transparent

cache_effective_user squid
cache_effective_group squid

pid_filename /var/run/squid.pid

cache_mem 40 MB

cache_dir aufs /var/spool/squid 500 16 256

error_directory /usr/share/squid/errors/it

max_filedesc 12831

server_persistent_connections off
half_closed_clients off
buffered_logs on

# START LOG
cache_log /var/log/squid/cache.log
cache_access_log syslog:local6.info
cache_store_log none

useragent_log /var/log/squid/useragent.log
strip_query_terms off

log_mime_hdrs off
# END LOG

# FORWARD IP ADDRESS
forwarded_for off

## AGGIUNTA MANUALE ###
acl localnet src 10.0.0.0/16
acl localhost src 127.0.0.0/8
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com

acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com

http_access allow CONNECT wuCONNECT localnet
http_access allow CONNECT wuCONNECT localhost
http_access allow windowsupdate localnet
http_access allow windowsupdate localhost

acl port_80 port 80
acl port_443 port 443
acl http proto http

http_access allow http port_80 windowsupdate
http_access allow CONNECT port_443 windowsupdate

## FINE AGGIUNTA MANUALE ###

# START AUTHENTICATION
# windows logon name for auth
auth_param ntlm program /usr/bin/ntlm_auth 
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 20
# domain user or auth
auth_param basic program /usr/bin/ntlm_auth 
--helper-protocol=squid-2.5-basic
auth_param basic children 20
auth_param basic realm supercazzola.local

external_acl_type NT_global_group children=20 ttl=300 %LOGIN 
/usr/lib/squid/wbinfo_group.pl
acl for_auth_rule0 external NT_global_group "/etc/squid/groups/rule0"

acl for_auth_users proxy_auth REQUIRED
# END AUTHENTICATION

# network - acls
acl all                     src 0.0.0.0/0.0.0.0 #seams to be needed :(
acl from_all                src 0.0.0.0/0.0.0.0
acl to_all                  dst 0.0.0.0/0.0.0.0

acl from_localhost          src 127.0.0.1/255.255.255.255
acl CONNECT                 method CONNECT

acl to_http_port            port 80
acl to_https_port           port 10443

# proxy interfaces - acls
acl to_green_interface    dst 10.0.0.254

acl from_green          src "/etc/squid/acls/green_subnets.acl"
acl to_green            dst "/etc/squid/acls/green_subnets.acl"

# allowed ports - acls
acl allowed_ports       port "/etc/squid/acls/ports.acl"
acl allowed_sslports    port "/etc/squid/acls/sslports.acl"

# allowed havp protocol - acls
acl HAVP_ALLOWED_PROTOS proto HTTP
acl HAVP_ALLOWED_PROTOS proto SSL


acl within_timeframe_rule0 time MTWHFAS 00:00-24:00

# caching settings
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern .            0 20% 4320

cache deny      from_localhost
cache deny      CONNECT
cache allow     from_all

# http access to cachemanager
acl manager proto cache_object
http_access allow manager from_localhost
http_access deny manager

# snmp access settings
acl snmppublic snmp_community public
snmp_access allow snmppublic from_localhost
snmp_access deny from_all

# http access to squid
http_access allow   from_localhost
http_access allow   from_green to_green_interface to_http_port
http_access allow   CONNECT from_green to_green_interface to_https_port
http_access deny    to_green_interface to_https_port

http_access deny    !allowed_ports !allowed_sslports
http_access deny    CONNECT !allowed_sslports

http_access allow   within_timeframe_rule0 for_auth_rule0
http_access deny    from_all

# http reply access rules
http_reply_access allow from_localhost
http_reply_access allow   within_timeframe_rule0 for_auth_rule0
http_reply_access deny from_all

# max/min object size
maximum_object_size 1024 KB
minimum_object_size 0 KB

request_body_max_size 0KB

reply_body_max_size 0KB allow from_all

visible_hostname efw.supercazzola.local

# begin custom.tmpl
# end custom.tmpl

# HAVP - cache peer
cache_peer 127.0.0.1 parent 9998 0 no-query no-digest no-netdb-exchange 
name=havp login=*:password
cache_peer_access havp           deny    from_localhost
cache_peer_access havp           deny    !HAVP_ALLOWED_PROTOS

# cache peer access
cache_peer_access havp           allow     within_timeframe_rule0 
for_auth_rule0

cache_peer_access havp           deny    from_all

never_direct deny   from_localhost
never_direct deny   !HAVP_ALLOWED_PROTOS   within_timeframe_rule0 
for_auth_rule0
never_direct deny   !HAVP_ALLOWED_PROTOS   within_timeframe_rule0 
for_auth_rule0
never_direct allow    within_timeframe_rule0 for_auth_rule0
never_direct allow  from_all

More information about the montellug mailing list