squid to only allow office activation and not windows updates

robertw
Posts: 188
Joined: 2012/04/25 13:26:59


Post by robertw » 2020/01/10 22:50:12

Hi all,

I have added all these lines to my squid config as it wasn't allowing Office activation:

https://wiki.squid-cache.org/SquidFaq/WindowsUpdate

But now it's allowing Office activation and now Windows updates, but I don't want it to do Windows updates as this is managed by our WSUS server.

What are the correct lines to just do the Office activation?

As when I comment out all the lines I get this:

0 - TCP_DENIED/403 3810 GET http://www.microsoft.com/pkiops/certs/M ... 202018.crt

Thanks,
Rob


Re: squid to only allow office activation and not windows updates

Post by robertw » 2020/01/10 23:48:27

OK, I have found the rule for it:

acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name .microsoft.com
ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLIntercept
ssl_bump bump all

But the thing is, both Windows updates and Office activation use the exact same cert file:

.microsoft.com/pkiops/certs/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crt

I'm stuck.

Or if I can get squid to block Windows updates altogether?


Re: squid to only allow office activation and not windows updates

Post by robertw » 2020/01/11 13:18:20

OK, think I have done it:

#
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex -i .microsoft.com
ssl_bump splice NoSSLIntercept
ssl_bump peek DiscoverSNIHost
ssl_bump bump all
#
#URL deny MIME types
acl mimetype rep_mime_type application/octet-stream
http_reply_access deny mimetype
#

As now Windows can check for updates but it can't download, as I have denied the octet-stream, i.e. cab/exe files.

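Added example, not part of the original thread and not Squid's own code: the thread switches from ssl::server_name to ssl::server_name_regex while keeping the pattern .microsoft.com, and the two forms do not select the same hosts for the splice (no-inspection) rule. The Python sketch below approximates both matching styles over constructed server names; the ACL names, the host list and the anchored comparison regex are assumptions, and Python's re stands in for Squid's regex engine.

```python
import re

# Constructed squid.conf fragment: the two ACL forms posted in the thread,
# plus an escaped, anchored regex for comparison. ACL names are hypothetical.
CONF = r"""
acl SuffixForm ssl::server_name .microsoft.com
acl RegexAsPosted ssl::server_name_regex -i .microsoft.com
acl RegexAnchored ssl::server_name_regex -i \.microsoft\.com$
"""

# Constructed TLS server names (SNI values) to test the ACLs against.
HOSTS = ["www.microsoft.com", "microsoft.com", "sub.a.microsoft.com",
         "xmicrosoftxcom.example", "www.microsoft.com.example.net"]

def parse_acls(conf):
    """Return {acl_name: (kind, nocase, patterns)} for ssl::server_name* ACLs."""
    acls = {}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "acl":
            continue
        name, kind, args = parts[1], parts[2], parts[3:]
        if kind in ("ssl::server_name", "ssl::server_name_regex"):
            acls[name] = (kind, "-i" in args, [a for a in args if a != "-i"])
    return acls

def matches(acl, host):
    """Approximate Squid's matching for one server name."""
    kind, nocase, patterns = acl
    for pat in patterns:
        if kind == "ssl::server_name":
            # dstdomain-style: a leading dot covers the domain and its subdomains.
            h, p = host.lower(), pat.lower()
            if h == p.lstrip(".") or (p.startswith(".") and h.endswith(p)):
                return True
        elif re.search(pat, host, re.I if nocase else 0):
            # Regex form: unanchored search, so "." matches any character.
            return True
    return False

def spliced(conf, hosts):
    """Map each ACL name to the hosts it would match (and so splice)."""
    return {name: [h for h in hosts if matches(acl, h)]
            for name, acl in parse_acls(conf).items()}

if __name__ == "__main__":
    for name, hit in spliced(CONF, HOSTS).items():
        print(f"{name:14} {hit}")
```

Hosts matched by the splice ACL pass through without being bumped, so a pattern that matches more names than intended widens what bypasses inspection.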