Netgate Discussion Forum

    squid 0.5.3 causes "some update files aren't signed correctly. error code 0x800b0109" on windows update

    • dauhee


      I get this on all Windows computers, even though the proxy is turned off on them. When I disable Squid on pfSense, the error goes away.

      Any advice?

      • JonathanLee @dauhee

        @dauhee Splice some of the Windows URLs, and/or make sure Microsoft's DoH server is accessible; if you blanket-block DoH with MIME ACLs in Squid, it will stop working. Also get a Raspberry Pi Zero and run a WPAD on it.

        Make sure to upvote

        • dauhee

          My clients are set to not use a proxy, so they don't need an RPi WPAD (however, I did have WPAD on a local server). Even though clients do not use the proxy, the issue still happens, so I have to disable Squid.

          I have no block settings configured in Squid. This worked all along, and the issue came about with the new version recently.

          • JonathanLee

            Some certificates get broken for updates; they also must be adapted from time to time to allow them to still work with Squid. I have a specific set of update servers that is allowed, all Microsoft-based, as I cache updates and reuse them.

            Make sure to upvote

            • dauhee

              Regardless of certificates and whitelists, if the proxy is not set on the client it shouldn't matter. But when Squid is running, the issue occurs.

              • JonathanLee @dauhee

                @dauhee

                #if ${process_number} = 2
                #cache_dir diskd /nvme/LOGS_Optane/Squid_Cache_B 32000 64 256
                #endif
                
                # --- Block access during off hours (e.g. maintenance) ---
                acl block_hours time 00:30-05:00
                http_access deny all block_hours
                deny_info TCP_RESET block_hours
                
                # --- Disable unused services ---
                icp_port 0
                htcp_port 0
                snmp_port 0
                icp_access deny all
                htcp_access deny all
                snmp_access deny all
                
                # --- HTTP Method and IPv6 ACLs ---
                acl getmethod method GET
                acl to_ipv4 dst ipv4
                acl to_ipv6 dst ipv6
                
                # --- TLS Outgoing Options ---
                tls_outgoing_options options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1,SINGLE_DH_USE,SINGLE_ECDH_USE,NO_TICKET
                tls_outgoing_options min-version=1.2
                tls_outgoing_options cipher=ECDHE+AESGCM:ECDHE+CHACHA20
                tls_outgoing_options default-ca=on
                request_header_access Proxy-Auto-Config deny all
                request_header_access Proxy-Authorization deny all
                request_header_access Proxy-Authenticate deny all
                request_header_access Proxy-Connection deny all
                request_header_access X-Forwarded-For deny all
                
                # --- Domain ACLs ---
                acl HttpAccess dstdomain "/usr/local/pkg/http.access"
                acl windowsupdate dstdomain "/usr/local/pkg/windowsupdate"
                
                # --- Store ID Config (if needed) ---
                #acl rewritedoms dstdomain "/usr/local/pkg/desdom"
                #store_id_program /usr/local/libexec/squid/storeid_file_rewrite /var/squid/storeid/storeid_rewrite.txt
                #store_id_children 2 startup=1 idle=1 concurrency=5
                #store_id_access deny connect
                #store_id_access deny !getmethod
                #store_id_access allow rewritedoms
                #store_id_access deny all
                
                # --- Cache Behavior ---
                # Only go direct for update CDNs
                always_direct allow windowsupdate
                always_direct allow HttpAccess
                collapsed_forwarding on
                # And remove or comment out "allow all"
                #always_direct allow all
                refresh_all_ims off
                reload_into_ims on
                max_stale 1 day
                minimum_expiry_time 0
                
                #----timeouts to help with large downloads windows updates
                read_timeout 15 minutes
                request_timeout 10 minutes
                connect_timeout 45 seconds
                client_lifetime 30 minutes
                pconn_lifetime 20 minutes
                client_idle_pconn_timeout 10 minutes
                server_idle_pconn_timeout 10 minutes
                
                host_verify_strict on
                #delay_pools 0
                qos_flows tos local-hit=0x30
                #qos_flows tos miss=0x20
                ssl_engine devcrypto
                email_err_data off
                dns_nameservers 127.0.0.1 ::1 2001:470:8052:a::1
                tcp_outgoing_address 192.168.1.1 to_ipv4
                tcp_outgoing_address 2001:470:1f04:14::2 to_ipv6
                # --- Prevent proxy loop to router / modem ---
                acl local_router dst 192.168.1.1
                acl local_router_v6 dst 2001:470:8052:a::1
                acl wpad dst 192.168.1.6
                always_direct allow local_router
                always_direct allow local_router_v6
                always_direct allow wpad
                acl block_nets dst 10.0.0.0/24
                acl block_nets dst 192.168.8.0/24
                acl block_nets dst 192.168.1.14
                http_access deny block_nets
                http_access deny !safeports
                acl CONNECT method CONNECT
                http_access deny CONNECT !sslports
                acl wuCONNECT dstdomain www.update.microsoft.com
                acl wuCONNECT dstdomain sls.microsoft.com
                acl localnet_v6 src 2001:470:8052:a::/64
                http_access allow CONNECT wuCONNECT localnet
                http_access allow CONNECT wuCONNECT localhost
                http_access allow CONNECT wuCONNECT localnet_v6
                http_access allow CONNECT windowsupdate localnet
                http_access allow CONNECT windowsupdate localhost
                http_access allow CONNECT windowsupdate localnet_v6
                http_access allow CONNECT HttpAccess localnet
                http_access allow CONNECT HttpAccess localhost
                http_access allow CONNECT HttpAccess localnet_v6
                acl block_nets_v6 dst fc00::/7       # ULA IPv6 for private LANs
                acl block_nets_v6 dst fe80::/10      # Link-local
                http_access deny block_nets_v6
                http_access allow manager localhost
                http_access deny manager
                cachemgr_passwd disable offline_toggle reconfigure shutdown
                cachemgr_passwd REDACTED all
                eui_lookup on
                acl no_miss url_regex -i gateway\.facebook\.com\/ws\/realtime\?
                acl no_miss url_regex -i web-chat-e2ee\.facebook\.com\/ws\/chat
                
                acl deny_rep_mime_doh rep_mime_type application/dns-message
                acl deny_rep_mime_doh rep_mime_type text/dns
                acl deny_rep_mime_doh rep_mime_type application/dns+json
                http_reply_access deny deny_rep_mime_doh
                
                acl doh_rfc8484 urlpath_regex -i ^/dns-query
                acl doh_rfc8484 urlpath_regex -i dns=
                acl doh_rfc8484 urlpath_regex -i ^/resolve
                acl doh_group any-of deny_rep_mime_doh doh_rfc8484
                http_access deny doh_group
                
                acl BrokenButTrustedServers dstdomain "/usr/local/pkg/dstdom.broken"
                acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
                sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
                sslproxy_cert_error deny all
                
                # --- Block caching for login URLs ---
                acl https_login url_regex -i login(\.php|\.aspx|\.html|\/|$)
                cache deny https_login
                
                # --- Range Requests Limits ---
                range_offset_limit 512 MB windowsupdate
                range_offset_limit 0 !windowsupdate
                
                # --- Abort thresholds ---
                quick_abort_min -1
                

                This area is what makes it work for me:
                acl BrokenButTrustedServers dstdomain "/usr/local/pkg/dstdom.broken"
                acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
                sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
                sslproxy_cert_error deny all

                I would read up on this.

                I have a file that I load the domains into:
                /usr/local/pkg/dstdom.broken

                It holds URLs like this so my updates still work. I am accelerating the updates, so I cache them and reuse them so I am not downloading stuff over and over again. You need to have a certificate installed for this to work, and you have to have the client point to the proxy or it will fail, because it will know something is wrong. You have to set it up correctly.

                microsoft.com
                windowsupdate.com
                msftconnecttest.com
                msftncsi.com
                msedge.net
                aka.ms
                live.com
                akamaiedge.net
                akadns.net
                akamai.net
                update.microsoft.com.nsatc.net
                statics.teams.cdn.live.net
                oneclient.sfx.ms
                microsoftonline.com
                teams.microsoft.com
                office.com
                office.net
                bitdefender.net
                gsa.apple.com
                apple.com
                icloud.com
                icloud-content.com
                

                These are my custom options:

                host_verify_strict on
                acl splice_ipv6 src 2001:470:8052:a::/64
                
                acl splice_only_ip src ip   # iPad
                acl splice_only_mac arp MAC address here              # iPad
                
                acl bump_only_ip src ipv4 here    # macbook
                acl bump_only_mac arp MAC HERE                       # MacBook
                
                # --- Always splice pfSense admin IP (avoid certificate mismatch) ---
                acl no_bump_pfsense dst 192.168.1.1
                
                #===SSL Intercept Rules===
                acl NoSSLIntercept ssl::server_name_regex -i "/usr/local/pkg/reg.url.nobump"
                acl NoBumpDNS dstdomain -n "/usr/local/pkg/dns.nobump"
                #acl SSL_Intercept_Terminate dstdomain -n "/usr/local/pkg/url.bump"
                
                acl active_use annotate_client active=true
                acl terminate_group any-of deny_rep_mime_doh doh_rfc8484 
                #acl terminate_group any-of to_ipv6 from_ipv6
                acl splice_group any-of https_login NoBumpDNS NoSSLIntercept
                acl splice_only_local_group all-of splice_only_mac splice_only_ip
                acl splice_main any-of splice_group splice_only_local_group splice_ipv6
                acl bump_main all-of bump_only_mac bump_only_ip
                
                ssl_bump terminate all block_hours
                miss_access deny no_miss active_use
                ssl_bump peek step1
                ssl_bump splice no_bump_pfsense active_use
                ssl_bump terminate terminate_group
                ssl_bump splice splice_main active_use
                ssl_bump bump bump_main active_use
                acl activated note active_use true
                ssl_bump terminate !activated
                

                After custom options:

                #===Performance==
                server_persistent_connections on
                client_persistent_connections on
                client_idle_pconn_timeout 5 minutes
                server_idle_pconn_timeout 5 minutes
                collapsed_forwarding on
                dns_timeout 15 seconds
                connect_timeout 20 seconds
                shutdown_lifetime 5 seconds
                negative_dns_ttl 1 minutes
                read_ahead_gap 256 KB
                pipeline_prefetch 15
                happy_eyeballs_connect_timeout 150
                memory_pools on
                memory_pools_limit 128 MB
                tcp_outgoing_tos 0x10 localnet
                coredump_dir /nvme/LOGS_Optane/Squid_Dump
                # === Final required closing rule for CONNECT ===
                http_access deny CONNECT
                #====Debugging=====
                #debug_options 28,9,33,2
                

                Custom refresh patterns:

                # ---- SOFTWARE UPDATES ----
                # Microsoft Windows Updates, Office 365, Defender, and common update files
                refresh_pattern -i (download\.microsoft\.com|update\.microsoft\.com|windowsupdate\.com|windows\.com|officecdn\.microsoft\.com|officecdn\.microsoftonline\.com|officeclient\.officeapps\.live\.com|akamaiedge\.net|download\.windowsupdate\.com|download\.windowsupdate\.com\.msedge\.net|wustat\.windows\.com|microsoftedge\.com|edgecastcdn\.net|azureedge\.net)/.*\.(cab|exe|msi|msu|msf|psf|zip|dat|mum|manifest|manifest\.xml|json|cat|xml) 4320 80% 43200 reload-into-ims
                
                # Microsoft Store app updates and edge CDN domains
                refresh_pattern -i (storeedge\.fd\.dsp\.ms|storeedgefd\.azureedge\.net|dl\.delivery\.mp\.microsoft\.com)/.*\.(appx|appxbundle|msixbundle|msix|eappx) 4320 80% 43200 reload-into-ims
                
                # Microsoft telemetry and diagnostics domains - do NOT cache
                refresh_pattern -i (telemetry\.microsoft\.com|vortex\.data\.microsoft\.com|watson\.telemetry\.microsoft\.com|settings\.win\.microsoft\.com|watson\.microsoft\.com|feedback\.microsoft\.com|sqm\.users\.office\.com|compatexchange\.cloudapp\.net|diagnostics\.support\.microsoft\.com|telemetry\.office\.com|telemetry\.cdn\.microsoft\.com|.*\.cdn\.microsoft\.com\/telemetry|mobile\.settings\.windows\.com|sqm\.telemetry\.microsoft\.com|ntservicepacks\.blob\.core\.windows\.net)/ 0 0% 0 reload-into-ims
                

                This took years to make work. I hope this helps.

                Make sure to upvote

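An added example (not from the post or from the Squid project) showing how Squid decides whether a host matches an entry in a dstdomain list such as /usr/local/pkg/dstdom.broken, following Squid's documented matchDomainName rules: an entry without a leading dot matches only that exact host, while an entry with a leading dot also matches every subdomain. The sample list is a constructed subset of the one above with two dotted variants added; the hosts checked are the ones named in the thread's wuCONNECT ACL and refresh patterns.

```python
# Added example, not from the forum post. Models Squid's dstdomain matching
# (matchDomainName): "foo.com" matches only foo.com; ".foo.com" matches
# foo.com and all of its subdomains. Comparison is case-insensitive and a
# trailing dot on the host is ignored.

# Constructed sample: a subset of the poster's list plus two dotted entries.
SAMPLE_DSTDOM_BROKEN = """\
# comment lines and blank lines are skipped
microsoft.com
windowsupdate.com
.akamaiedge.net
.msedge.net
"""


def load_dstdomain_list(text):
    """Parse dstdomain file contents: one entry per line, '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip().lower()
        if entry:
            entries.append(entry)
    return entries


def match_domain_name(host, domain):
    """Squid matchDomainName semantics; a leading dot on domain includes subdomains."""
    h = host.lower().rstrip(".")
    d = domain.lower().rstrip(".")
    if d.startswith("."):
        base = d[1:]
        return h == base or h.endswith("." + base)
    return h == d


def matching_entries(host, entries):
    """Entries that would make a dstdomain ACL built from this list match the host."""
    return [e for e in entries if match_domain_name(host, e)]


def coverage_report(hosts, entries):
    """Map each host to the entries covering it; an empty list means no ACL match."""
    return {host: matching_entries(host, entries) for host in hosts}


if __name__ == "__main__":
    entries = load_dstdomain_list(SAMPLE_DSTDOM_BROKEN)
    hosts = ["microsoft.com", "www.update.microsoft.com", "sls.microsoft.com",
             "download.windowsupdate.com", "e1.akamaiedge.net"]
    for host, hits in coverage_report(hosts, entries).items():
        print(f"{host:28} -> {hits or 'NO MATCH (needs a leading-dot entry)'}")
```

Running it shows that "microsoft.com" as written covers only the apex host, so www.update.microsoft.com and sls.microsoft.com are not matched until the entry is written as ".microsoft.com".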
                • JonathanLee @dauhee

                  @dauhee If the proxy is not set on the client, the firewall rules come into play; if you allow 443 and 80, no client will use the proxy, they will bypass it. I also use a WPAD server that is outside of pfSense that directs clients to the proxy, and to use that you have to have host overrides to point clients to that with the DNS, because clients will ask for WPAD automatically if the proxy is set to auto. I got tired of back and forth with Windows 11 issues.

                  Make sure to upvote
