Transparent Squid + Squidguard + Windows Update
-
Good morning
I have the following proxy configuration
"# This file is automatically generated by pfSense
Do not edit manually !
This file is automatically generated by pfSense
Do not edit manually !
http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=60MB cert=/usr/pbi/squid-amd64/local/c/squid/serverkey.pem capath=/usr/pbi/squid-amd64/local/share/certs/
http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=60MB cert=/usr/pbi/squid-amd6local/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/local/share/certs/
https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=60MB cert=/usr/pbi/squid-amd/local/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/local/share/certs/
icp_port 0
dns_v4_first on
pid_filename /var/run/squid/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_default_language es-co
icon_directory /usr/pbi/squid-amd64/local/etc/squid/icons
visible_hostname
cache_mgr
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable on
pinger_program /usr/pbi/squid-amd64/local/libexec/squid/pinger
sslcrtd_program /usr/pbi/squid-amd64/local/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048
sslcrtd_children 30
sslproxy_capath /usr/pbi/squid-amd64/local/share/certs/
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_adapt setValidAfter alllogfile_rotate 30
debug_options rotate=30
shutdown_lifetime 3 secondsAllow local network(s) on interface(s)
acl localnet src 192.168.1.0/24
forwarded_for on
httpd_suppress_version_string on
uri_whitespace stripWindows Update refresh_pattern
range_offset_limit -1
refresh_pattern -i microsoft.com/..(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i windowsupdate.com/..(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i windows.com/.*.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-imscache_mem 3000 MB
maximum_object_size_in_memory 512000 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir aufs /var/squid/cache 10000 16 256
minimum_object_size 0 KB
maximum_object_size 512000 KB
offline_mode off
cache_swap_low 90
cache_swap_high 95
cache allow allAdd any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|?) 0 0% 0
refresh_pattern . 0 20% 4320No redirector configured
#Remote proxies
Setup some default acls
From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost L definitions are now built-in.
acl localhost src 127.0.0.1/32
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 8443 3128 3127 1025-65535
acl sslports port 443 563 8443 10443From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost L definitions are now built-in.
#acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECTDefine protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
acl allowed_subnets src 192.168.1.0/24 192.168.2.0/24 192.168.4.0/24
acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
http_access allow manager localhosthttp_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslportsAlways allow localhost connections
From 3.2 further configuration cleanups have been done to make things easier and safer.
The manager, localhost, and to_localhost ACL definitions are now built-in.
http_access allow localhost
request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrcReverse Proxy settings
deny_info TCP_RESET allsrc
always_direct allow whitelist
ssl_bump none whitelistPackage Integration
url_rewrite_program /usr/pbi/squidguard-amd64/bin/squidGuard -c /usr/pbi/squidguard-amd64/etc/squidGuard/squidGuard.conf
url_rewrite_bypass off
url_rewrite_children 16 startup=8 idle=4 concurrency=0Custom options before auth
always_direct allow all
ssl_bump server-first allAlways allow access to whitelist domains
http_access allow whitelist
acl sglog url_regex -i sgr=ACCESSDENIED
http_access deny sglog
always_direct allow all
ssl_bump server-first allSetup allowed acls
Allow local network(s) on interface(s)
http_access allow allowed_subnets
http_access allow localnetDefault block all to be sure
http_access deny allsrc
"
However, Windows Update does not work on any machine; the error is 80072F8F.
I added all the Microsoft and Windows Update addresses to the whitelist ACL. I don't have WSUS and can't set it up for now.
Urgent help needed.
-
Good day
It still doesn't work. I even disabled the dynamic cache; with the whitelist ACLs Windows Update still doesn't work. I don't know what else to do, I urgently need help.
-
I'd advise you to use WPAD instead of running the proxy transparently. That way you can forget about the problems a transparent proxy causes.
I have my pfSense configured with WPAD and I have no problems at all with any update.
-
Good morning colleagues
After a lot of searching I found a way to get Windows Update working. What I did was a script, which has to be run on every machine on the network. The script, written in Notepad and saved as a .bat, is: netsh winhttp set proxy proxy-server="ip-servidor-proxy" bypass-list="*.dominio.com". After that it works :)
Note: this only applies to a transparent proxy.
-
Good morning
The script only worked once, and on a single machine; nowhere else. And the problem is that I can't use an explicit proxy because of the VPN clients that this company uses.
-
Create an alias called WindowsUpdate and add the following list of networks to it
157.54.0.0/15
157.56.0.0/14
157.60.0.0/16
65.52.0.0/14
70.37.0.0/17
70.37.128.0/18
207.46.0.0/16
131.107.0.0/16
66.119.144.0/20
23.96.0.0/13
204.79.195.0/24
204.79.196.0/23
208.76.44.0/22
208.68.136.0/21
216.220.208.0/20
209.240.192.0/19
204.14.180.0/22
206.191.224.0/19
192.92.90.0/24
208.84.0.0/21
104.40.0.0/13
192.197.157.0/24
204.231.192.0/24
104.208.0.0/13
129.75.0.0/16
204.79.179.0/24
64.4.0.0/18
167.220.0.0/17
167.220.128.0/18
167.220.192.0/19
192.92.214.0/24
207.68.128.0/18
13.64.0.0/11
13.96.0.0/13
13.104.0.0/14
146.147.0.0/16
52.145.0.0/16
52.146.0.0/15
52.148.0.0/14
52.152.0.0/13
52.160.0.0/11
52.224.0.0/11
52.96.0.0/12
52.112.0.0/14
52.120.0.0/14
52.125.0.0/16
52.126.0.0/15
52.130.0.0/15
52.132.0.0/14
52.136.0.0/13
138.196.0.0/16
150.171.0.0/16
40.74.0.0/15
40.76.0.0/14
40.80.0.0/12
40.96.0.0/12
40.112.0.0/13
40.120.0.0/14
40.124.0.0/16
40.125.0.0/17
40.64.0.0/13
40.126.128.0/17
40.127.0.0/16
40.126.0.0/18
204.13.120.0/21
204.152.18.0/23
Then go to Services -> Squid Proxy Server -> Bypass Proxy for These Destination IPs
Enter the alias you created, WindowsUpdate
That way you can update every Windows edition through the transparent proxy
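A bypass by destination IP is only as good as the prefix list, so below is the check I would run before loading it. This is an added example for this thread, not code from pfSense, Squid or any of the posters. It loads the WindowsUpdate alias from the post above, rejects any entry whose host bits are set, reports overlapping entries, answers whether a given address would be exempted or would still be intercepted (and therefore hit `ssl_bump server-first all` and be handed a certificate minted by the proxy's CA instead of Microsoft's, which is what a WinHTTP error 0x80072F8F points at), and carves out holes inside a larger block: the list covers 40.126.0.0/18 and 40.126.128.0/17 but not 40.126.64.0/18. The hostnames and addresses in `SAMPLE_RESOLVED` are constructed for the demonstration; `render_list` emits the one-prefix-per-line format that both a pfSense alias import and a Squid `acl ... dst "/var/squid/acl/<file>"` accept.

```python
"""Sanity-check a transparent-proxy bypass list of CIDR prefixes.

Added example for this thread, not code from pfSense or Squid. The prefix
list is the WindowsUpdate alias from the post above; the hostnames and
addresses in SAMPLE_RESOLVED are constructed for the demonstration.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network

# The alias exactly as listed in the post (whitespace-separated here).
WINDOWSUPDATE_ALIAS = """
157.54.0.0/15 157.56.0.0/14 157.60.0.0/16 65.52.0.0/14 70.37.0.0/17
70.37.128.0/18 207.46.0.0/16 131.107.0.0/16 66.119.144.0/20 23.96.0.0/13
204.79.195.0/24 204.79.196.0/23 208.76.44.0/22 208.68.136.0/21
216.220.208.0/20 209.240.192.0/19 204.14.180.0/22 206.191.224.0/19
192.92.90.0/24 208.84.0.0/21 104.40.0.0/13 192.197.157.0/24
204.231.192.0/24 104.208.0.0/13 129.75.0.0/16 204.79.179.0/24 64.4.0.0/18
167.220.0.0/17 167.220.128.0/18 167.220.192.0/19 192.92.214.0/24
207.68.128.0/18 13.64.0.0/11 13.96.0.0/13 13.104.0.0/14 146.147.0.0/16
52.145.0.0/16 52.146.0.0/15 52.148.0.0/14 52.152.0.0/13 52.160.0.0/11
52.224.0.0/11 52.96.0.0/12 52.112.0.0/14 52.120.0.0/14 52.125.0.0/16
52.126.0.0/15 52.130.0.0/15 52.132.0.0/14 52.136.0.0/13 138.196.0.0/16
150.171.0.0/16 40.74.0.0/15 40.76.0.0/14 40.80.0.0/12 40.96.0.0/12
40.112.0.0/13 40.120.0.0/14 40.124.0.0/16 40.125.0.0/17 40.64.0.0/13
40.126.128.0/17 40.127.0.0/16 40.126.0.0/18 204.13.120.0/21 204.152.18.0/23
""".split()


def parse_prefixes(entries: List[str]) -> List[IPv4Net]:
    """Parse prefixes; strict=True raises ValueError when host bits are set
    (e.g. 40.126.128.0/16), so a mistyped mask is caught before it reaches pf."""
    return [ipaddress.IPv4Network(e.strip(), strict=True) for e in entries if e.strip()]


def find_overlaps(nets: List[IPv4Net]) -> List[Tuple[str, str]]:
    """Pairs of prefixes where one contains the other (CIDR blocks either nest
    or are disjoint). Harmless to pf, but usually a copy-paste mistake."""
    pairs = []
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                pairs.append((str(a), str(b)))
    return pairs


def covering_prefix(ip: str, nets: List[IPv4Net]) -> Optional[str]:
    """First prefix containing ip, or None if the address is not bypassed
    and would still be intercepted and bumped."""
    addr = ipaddress.ip_address(ip)
    for n in nets:
        if addr in n:
            return str(n)
    return None


def uncovered(space: str, nets: List[IPv4Net]) -> List[IPv4Net]:
    """Sub-ranges of `space` (a CIDR string) that no prefix in nets covers."""
    remaining = [ipaddress.IPv4Network(space)]
    for n in nets:
        nxt = []
        for r in remaining:
            if r.subnet_of(n):
                continue                            # r fully covered: drop it
            if n.subnet_of(r):
                nxt.extend(r.address_exclude(n))    # carve n out of r
            else:
                nxt.append(r)                       # disjoint: keep as-is
        remaining = nxt
    return sorted(remaining)


def check_resolved(resolved: Dict[str, List[str]],
                   nets: List[IPv4Net]) -> Dict[str, Dict[str, Optional[str]]]:
    """host -> {address -> covering prefix or None}. Feed it the addresses the
    clients actually resolve: CDN answers differ from what the firewall sees."""
    return {host: {ip: covering_prefix(ip, nets) for ip in ips}
            for host, ips in resolved.items()}


def render_list(nets: List[IPv4Net]) -> str:
    """One prefix per line: the format a pfSense alias import takes and the
    format Squid reads for acl <name> dst "/var/squid/acl/<file>"."""
    return "\n".join(str(n) for n in sorted(nets)) + "\n"


NETS = parse_prefixes(WINDOWSUPDATE_ALIAS)

# Constructed sample of what clients resolved (not real lookup results).
SAMPLE_RESOLVED = {
    "update.example.com": ["13.107.4.50"],
    "cdn.example.net": ["40.126.100.1", "192.0.2.10"],
}


def main() -> None:
    print(f"{len(NETS)} prefixes, overlaps: {find_overlaps(NETS)}")
    for host, hits in check_resolved(SAMPLE_RESOLVED, NETS).items():
        for ip, pfx in hits.items():
            print(f"{host:20} {ip:16} {'bypass via ' + pfx if pfx else 'STILL BUMPED'}")
    for hole in uncovered("40.126.0.0/16", NETS):
        print("not covered inside 40.126.0.0/16:", hole)


if __name__ == "__main__":
    main()
```

Run it against the addresses the clients really resolve (an `nslookup` from a workstation, not from the firewall), because a host served from a third-party CDN can land outside every prefix here and that connection is still intercepted. The flip side of a bypass this wide is that several entries are /11 to /13 Microsoft allocations, so anything else hosted in them also skips the bump and the SquidGuard filter.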