Web Proxy Filtering and Caching / "SSL no bump sites" doesn't work for Win Updates
« on: September 21, 2019, 03:25:02 pm »
Hi,
Goal
Get Windows Updates working over transparent HTTPS Squid Proxy.
Problem
Some entries in the "SSL no bump sites" list seem to be inactive.
Version
19.7.4_1
Description
For example, one of the sites used for Windows updates seems to be settings-win.data.microsoft.com. No matter what I tried, I could not get this site to not be intercepted. The reason I know it is not intercepted is because I can see the full path in the logs. I tried the following no-bump configurations:
.microsoft.com -> Log shows https://settings-win.data.microsoft.com/settings/v2.0/WSD/WaaSAssessment? is being accessed.
settings-win.data.microsoft.com -> Log shows https://settings-win.data.microsoft.com/settings/v2.0/FlightSettings/FSService? is being accessed.
.data.microsoft.com -> Log shows https://settings-win.data.microsoft.com/settings/v2.0/wsd/muse? is being accessed.
So does it work at all? Yes it does. For example with a bank site:
.db.com -> Log shows 160.83.8.143:443 is being accessed. No path visible which means no-bump entry works.
Removed the .db.com entry again -> Log shows https://www.db.com/company/img/favicon.ico is being accessed.
In between I checked the content of the config file, looked good to me:
Code:
# less /usr/local/etc/squid/nobumpsites.acl
.data.microsoft.com
.db.com
Any hints will be greatly appreciated.
BR,
NR
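
Added example, not part of the original post: the log check described above (a full https:// path in the log means the connection was decrypted; only an IP:port means it was not), automated against the no-bump list. It assumes Squid's default native access.log field order and dstdomain-style matching for a leading dot; the function names and the sample log lines are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample data: ACL entries, URLs and the tunnel IP come from the post;
# timestamps, client address, sizes, result codes and peer IPs are made up.
NOBUMP_ACL = """\
.data.microsoft.com
.db.com
"""
ACCESS_LOG = """\
1569072302.101 120 192.168.1.50 TCP_MISS/200 512 GET https://settings-win.data.microsoft.com/settings/v2.0/WSD/WaaSAssessment? - ORIGINAL_DST/203.0.113.10 application/json
1569072310.455 90 192.168.1.50 TCP_TUNNEL/200 4310 CONNECT 160.83.8.143:443 - ORIGINAL_DST/160.83.8.143 -
1569072322.870 75 192.168.1.50 TCP_MISS/200 498 GET https://settings-win.data.microsoft.com/settings/v2.0/wsd/muse? - ORIGINAL_DST/203.0.113.10 application/json
"""

def load_acl(text):
    """Return the non-empty, non-comment entries of an ACL file, lowercased."""
    lines = (l.strip().lower() for l in text.splitlines())
    return [l for l in lines if l and not l.startswith("#")]

def acl_match(host, entry):
    """Leading dot: the domain itself and any subdomain; otherwise exact match."""
    host = host.lower().rstrip(".")
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry

def audit(acl_text, log_text):
    """Find decrypted HTTPS requests whose host is on the no-bump list."""
    entries = load_acl(acl_text)
    report = {"connect_only": [], "bumped_despite_acl": {}}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:          # not a native-format log line
            continue
        method, url = fields[5], fields[6]
        if method == "CONNECT":      # only host:port is visible, no path
            report["connect_only"].append(url)
        elif url.lower().startswith("https://"):
            host = urlsplit(url).hostname or ""
            hit = next((e for e in entries if acl_match(host, e)), None)
            if hit:                  # path visible although the host is listed
                report["bumped_despite_acl"].setdefault(hit, []).append(url)
    return report

if __name__ == "__main__":
    result = audit(NOBUMP_ACL, ACCESS_LOG)
    for entry, urls in result["bumped_despite_acl"].items():
        print(f"{entry}: {len(urls)} decrypted request(s), e.g. {urls[0]}")
    print("CONNECT-only targets:", result["connect_only"])
```

A CONNECT line carries only an IP:port in transparent mode, so it cannot be mapped back to a list entry from the log alone; the script reports those separately.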