    Netgate Discussion Forum
    Transparent Squid + SquidGuard + Windows Update

    Español
    Aleximper wrote:

      Good morning

      I have the following proxy configuration:

      # This file is automatically generated by pfSense
      # Do not edit manually !

      http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=60MB cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/local/share/certs/
      http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=60MB cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/local/share/certs/
      https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=60MB cert=/usr/pbi/squid-amd64/local/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/local/share/certs/

      icp_port 0
      dns_v4_first on
      pid_filename /var/run/squid/squid.pid
      cache_effective_user proxy
      cache_effective_group proxy
      error_default_language es-co
      icon_directory /usr/pbi/squid-amd64/local/etc/squid/icons
      visible_hostname
      cache_mgr
      access_log /var/squid/logs/access.log
      cache_log /var/squid/logs/cache.log
      cache_store_log none
      netdb_filename /var/squid/logs/netdb.state
      pinger_enable on
      pinger_program /usr/pbi/squid-amd64/local/libexec/squid/pinger
      sslcrtd_program /usr/pbi/squid-amd64/local/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048
      sslcrtd_children 30
      sslproxy_capath /usr/pbi/squid-amd64/local/share/certs/
      sslproxy_flags DONT_VERIFY_PEER
      sslproxy_cert_adapt setValidAfter all

      logfile_rotate 30
      debug_options rotate=30
      shutdown_lifetime 3 seconds

      # Allow local network(s) on interface(s)
      acl localnet src  192.168.1.0/24
      forwarded_for on
      httpd_suppress_version_string on
      uri_whitespace strip

      # Windows Update refresh_pattern
      range_offset_limit -1
      refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
      refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
      refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims

      cache_mem 3000 MB
      maximum_object_size_in_memory 512000 KB
      memory_replacement_policy heap GDSF
      cache_replacement_policy heap LFUDA
      cache_dir aufs /var/squid/cache 10000 16 256
      minimum_object_size 0 KB
      maximum_object_size 512000 KB
      offline_mode off
      cache_swap_low 90
      cache_swap_high 95
      cache allow all

      # Add any of your own refresh_pattern entries above these.
      refresh_pattern ^ftp:    1440  20%  10080
      refresh_pattern ^gopher:  1440  0%  1440
      refresh_pattern -i (/cgi-bin/|\?) 0  0%  0
      refresh_pattern .    0  20%  4320

      # No redirector configured

      #Remote proxies

      # Setup some default acls
      # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
      acl localhost src 127.0.0.1/32

      acl allsrc src all
      acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 8443 3128 3127 1025-65535
      acl sslports port 443 563 8443 10443

      # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
      #acl manager proto cache_object

      acl purge method PURGE
      acl connect method CONNECT

      # Define protocols used for redirects
      acl HTTP proto HTTP
      acl HTTPS proto HTTPS
      acl allowed_subnets src 192.168.1.0/24 192.168.2.0/24 192.168.4.0/24
      acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
      http_access allow manager localhost
      http_access deny manager
      http_access allow purge localhost
      http_access deny purge
      http_access deny !safeports
      http_access deny CONNECT !sslports

      # Always allow localhost connections
      # From 3.2 further configuration cleanups have been done to make things easier and safer.
      # The manager, localhost, and to_localhost ACL definitions are now built-in.
      http_access allow localhost

      request_body_max_size 0 KB
      delay_pools 1
      delay_class 1 2
      delay_parameters 1 -1/-1 -1/-1
      delay_initial_bucket_level 100
      delay_access 1 allow allsrc

      # Reverse Proxy settings

      deny_info TCP_RESET allsrc

      always_direct allow whitelist
      ssl_bump none whitelist

      # Package Integration
      url_rewrite_program /usr/pbi/squidguard-amd64/bin/squidGuard -c /usr/pbi/squidguard-amd64/etc/squidGuard/squidGuard.conf
      url_rewrite_bypass off
      url_rewrite_children 16 startup=8 idle=4 concurrency=0

      # Custom options before auth
      always_direct allow all
      ssl_bump server-first all

      # Always allow access to whitelist domains
      http_access allow whitelist
      acl sglog url_regex -i sgr=ACCESSDENIED
      http_access deny sglog
      always_direct allow all
      ssl_bump server-first all

      # Setup allowed acls
      # Allow local network(s) on interface(s)
      http_access allow allowed_subnets
      http_access allow localnet

      # Default block all to be sure
      http_access deny allsrc

      However, Windows Update does not work on any machine; error 80072F8F.

      I added all the Microsoft and Windows Update addresses to the whitelist ACL. I don't have WSUS and can't set it up for now.

      Urgent help needed.

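The posted configuration bumps every TLS session (`ssl_bump server-first all`) and also tells Squid not to validate upstream server certificates (`sslproxy_flags DONT_VERIFY_PEER`), so clients are handed certificates signed by the Squid CA while Squid itself accepts anything from the origin. Error 0x80072F8F is WinHTTP's ERROR_INTERNET_SECURE_FAILURE, i.e. the Windows Update client refusing the certificate it received. A quick way to check whether an exemption such as the whitelist actually keeps Squid out of the update hosts' TLS is to read access.log: a request logged with a full `https://` URL was decrypted, one logged only as `CONNECT host:443` was tunnelled untouched, and in intercept mode the fake CONNECT carries the destination IP rather than a hostname. The script below is an added example, not code from the post or from pfSense; the log lines are constructed, and the three domain suffixes are the ones named by the posted refresh_pattern rules.

```python
"""Classify Squid native access.log lines to see what happened to Windows Update traffic."""
import re
from urllib.parse import urlsplit

# Hosts the posted refresh_pattern rules treat as Windows Update; matched as a
# domain suffix (assumption: subdomains count too).
UPDATE_DOMAINS = ("microsoft.com", "windowsupdate.com", "windows.com")

# Squid native access.log layout:
# timestamp elapsed client status/code bytes method url user hierarchy/peer content-type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<status>[A-Z_]+)/(?P<code>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample, not a real capture: one decrypted update fetch, one denied by
# http_access, one intercepted session that was only tunnelled, one plain HTTP hit.
SAMPLE_LOG = """\
1495000000.123    245 192.168.1.50 TCP_MISS/200 4521 GET https://download.windowsupdate.com/d/msdownload/update/x.cab - HIER_DIRECT/13.107.4.50 application/octet-stream
1495000001.456      0 192.168.1.50 TCP_DENIED/403 3910 GET https://fe2.update.microsoft.com/v6/ClientWebService/client.asmx - HIER_NONE/- text/html
1495000002.789     12 192.168.1.51 TCP_TUNNEL/200 3200 CONNECT 13.107.4.50:443 - HIER_DIRECT/13.107.4.50 -
1495000003.012     88 192.168.1.51 TCP_MISS/200 15230 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
"""


def host_of(method, url):
    """Destination host: CONNECT carries host:port, anything else a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or ""


def is_update_host(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in UPDATE_DOMAINS)


def is_ipv4(host):
    return re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host) is not None


def classify(line):
    """Describe one log line, or return None if it is not a native-format line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    host = host_of(f["method"], f["url"])
    if f["status"] == "TCP_DENIED":
        kind = "denied"        # http_access rejected it (whitelist/sglog/deny rules)
    elif f["method"] == "CONNECT":
        kind = "tunnelled"     # TLS passed through; Squid never saw the plaintext
    elif f["url"].startswith("https://"):
        kind = "decrypted"     # a full https URL is only loggable after ssl-bump
    else:
        kind = "plain-http"
    return {"client": f["client"], "host": host, "kind": kind,
            "update": is_update_host(host), "ip_only": is_ipv4(host)}


def summarize(lines):
    """Count (destination class, kind) pairs. 'ip-only' rows are intercepted
    sessions that were logged by address, so no domain suffix can be matched."""
    counts = {}
    for line in lines:
        r = classify(line)
        if r is None:
            continue
        dest = "update" if r["update"] else ("ip-only" if r["ip_only"] else "other")
        counts[(dest, r["kind"])] = counts.get((dest, r["kind"]), 0) + 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(f"{key[0]:8} {key[1]:10} {n}")
```

Run it against `/var/squid/logs/access.log` by feeding the file's lines to `summarize()`; any `("update", "decrypted")` rows mean the bump is still happening for update hosts, and `("ip-only", ...)` rows are the intercepted sessions that only an address-based exemption (such as the one described later in this thread) can single out.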
      Aleximper wrote:

        Good day

        It still doesn't work. I even disabled the dynamic cache; with the whitelist ACLs, Windows Update doesn't work. I no longer know what to do, I need help urgently.

        chavarriaa wrote:

          I'd advise you to use WPAD instead of making the proxy transparent. That way you forget about the problems a transparent proxy causes.
          I have my pfSense configured with WPAD and I have no problems at all with any update.

          Aleximper wrote:

            Good morning, colleagues

            After a lot of searching, I found a way to get Windows Update working. What I did was a script that has to be run on every machine on the network; the script, written in Notepad and saved as a .bat, is `netsh winhttp set proxy proxy-server="ip-servidor-proxy" bypass-list="*.dominio.com"`. After that it works :)

            Note: this only applies to a transparent proxy.

            Aleximper wrote:

              Good morning

              The script only worked once and on a single machine, never again after that, and the problem is that I can't use an explicit proxy because of the VPN clients that company uses.

              ramalave wrote:

                Create an alias called WindowsUpdate and add the following list of networks:
                157.54.0.0/15
                157.56.0.0/14
                157.60.0.0/16
                65.52.0.0/14
                70.37.0.0/17
                70.37.128.0/18
                207.46.0.0/16
                131.107.0.0/16
                66.119.144.0/20
                23.96.0.0/13
                204.79.195.0/24
                204.79.196.0/23
                208.76.44.0/22
                208.68.136.0/21
                216.220.208.0/20
                209.240.192.0/19
                204.14.180.0/22
                206.191.224.0/19
                192.92.90.0/24
                208.84.0.0/21
                104.40.0.0/13
                192.197.157.0/24
                204.231.192.0/24
                104.208.0.0/13
                129.75.0.0/16
                204.79.179.0/24
                64.4.0.0/18
                167.220.0.0/17
                167.220.128.0/18
                167.220.192.0/19
                192.92.214.0/24
                207.68.128.0/18
                13.64.0.0/11
                13.96.0.0/13
                13.104.0.0/14
                146.147.0.0/16
                52.145.0.0/16
                52.146.0.0/15
                52.148.0.0/14
                52.152.0.0/13
                52.160.0.0/11
                52.224.0.0/11
                52.96.0.0/12
                52.112.0.0/14
                52.120.0.0/14
                52.125.0.0/16
                52.126.0.0/15
                52.130.0.0/15
                52.132.0.0/14
                52.136.0.0/13
                138.196.0.0/16
                150.171.0.0/16
                40.74.0.0/15
                40.76.0.0/14
                40.80.0.0/12
                40.96.0.0/12
                40.112.0.0/13
                40.120.0.0/14
                40.124.0.0/16
                40.125.0.0/17
                40.64.0.0/13
                40.126.128.0/17
                40.127.0.0/16
                40.126.0.0/18
                204.13.120.0/21
                204.152.18.0/23
                Then go to Services -> Squid Proxy Server -> Bypass Proxy for These Destination IPs
                and enter the alias you created, WindowsUpdate.
                This way you can update every Windows edition through a transparent proxy.

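The "Bypass Proxy for These Destination IPs" option exempts traffic by destination address before it reaches the intercepting ports, so it does not depend on Squid seeing a hostname, which is why it works where the name-based whitelist did not. The list above is a snapshot of published Microsoft ranges and will need refreshing over time. The script below is an added example, not code from the post or from pfSense: it validates the prefixes (host bits set are the usual sign of a typo), merges adjacent ones, reports which prefix would exempt a given destination address, and writes the one-prefix-per-line text a pfSense URL Table alias consumes. `POSTED_BLOCKS` is a constructed subset of the list; the probe address 13.107.4.50 is simply an address that falls inside 13.104.0.0/14, and 40.126.70.1 one that falls in the gap between 40.126.0.0/18 and 40.126.128.0/17. Only the standard-library `ipaddress` module is used.

```python
"""Validate, collapse and query a Windows Update netblock list for a pfSense bypass alias."""
import ipaddress

# Constructed subset of the prefixes listed in the post; the full list goes in the
# same one-per-line format. Anything after '#' on a line is ignored.
POSTED_BLOCKS = """\
13.64.0.0/11
13.96.0.0/13
13.104.0.0/14
40.126.0.0/18
40.126.128.0/17
157.54.0.0/15
204.79.195.0/24
204.79.196.0/23
"""


def _entries(text):
    """Yield (line number, stripped CIDR text) for every non-empty, non-comment line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            yield lineno, line


def validate(text):
    """Return a list of 'line N: ...' problems. strict=True rejects prefixes whose
    host bits are set (e.g. 10.0.0.1/24) instead of silently widening them."""
    problems = []
    for lineno, line in _entries(text):
        try:
            ipaddress.ip_network(line, strict=True)
        except ValueError as exc:
            problems.append(f"line {lineno}: {exc}")
    return problems


def parse_blocks(text):
    """Parse the list into network objects; raise ValueError if any line is bad."""
    problems = validate(text)
    if problems:
        raise ValueError("; ".join(problems))
    return [ipaddress.ip_network(line, strict=True) for _, line in _entries(text)]


def collapse(nets):
    """Merge adjacent and overlapping prefixes so the resulting pf table is minimal."""
    return list(ipaddress.collapse_addresses(nets))


def bypass_match(ip, nets):
    """Most specific prefix that would exempt ip from the transparent redirect, or None."""
    addr = ipaddress.ip_address(ip)
    hits = [n for n in nets if addr in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def alias_file(nets):
    """Text for a pfSense URL Table (IPs) alias: one collapsed prefix per line."""
    return "".join(f"{n}\n" for n in collapse(nets))


if __name__ == "__main__":
    nets = parse_blocks(POSTED_BLOCKS)
    print(alias_file(nets), end="")
    for probe in ("13.107.4.50", "40.126.70.1", "8.8.8.8"):
        print(probe, "->", bypass_match(probe, nets))
```

Feed `bypass_match()` the destination addresses from access.log (the `HIER_DIRECT/peer` field) to confirm that every Windows Update session you see bumped or denied is actually covered by the alias; an address that returns `None`, like 40.126.70.1 above, is a hole in the list rather than a Squid problem.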

                © 2021 Rubicon Communications, LLC