"SSL no bump sites" doesn't work for Win Updates

Started by netranger, September 21, 2019, 03:25:02 PM

Hi,

Goal
Get Windows Updates working over transparent HTTPS Squid Proxy.

Problem
Some entries in the "SSL no bump sites" list seem to be inactive.

Version
19.7.4_1

Description
For example, one of the sites used for Windows Updates seems to be settings-win.data.microsoft.com. No matter what I tried, I could not get this site to not be intercepted. The reason I know it is not intercepted is because I can see the full path in the logs. I tried the following no-bump configurations:

.microsoft.com -> Log shows https://settings-win.data.microsoft.com/settings/v2.0/WSD/WaaSAssessment? is being accessed.

settings-win.data.microsoft.com -> Log shows https://settings-win.data.microsoft.com/settings/v2.0/FlightSettings/FSService? is being accessed.

.data.microsoft.com -> Log shows https://settings-win.data.microsoft.com/settings/v2.0/wsd/muse? is being accessed.


So does it work at all? Yes it does. For example with a bank site:

.db.com -> Log shows 160.83.8.143:443 is being accessed. No path visible which means no-bump entry works.
Removed the .db.com entry again -> Log shows https://www.db.com/company/img/favicon.ico is being accessed.

In between I checked the content of the config file, looked good to me:

# less /usr/local/etc/squid/nobumpsites.acl
.data.microsoft.com
.db.com


Any hints will be greatly appreciated.

BR,
NR

I created an Alias with the Domains for Windows Updates and this Alias isn't port forwarded to the Proxy.
(Unofficial Community) OPNsense Telegram Group: https://t.me/joinchat/0o9JuLUXRFpiNmJk

PM for paid support

OK, that would at least be a workaround. Could you provide a screenshot of how you did it?

BR,
NR

I created .txt files on a Webserver (but just to manage them centrally).

I'll send you the config tomorrow.

Sent from my MI 9 with Tapatalk

(Unofficial Community) OPNsense Telegram Group: https://t.me/joinchat/0o9JuLUXRFpiNmJk

PM for paid support

October 02, 2019, 03:52:46 PM #4 Last Edit: October 02, 2019, 03:55:05 PM by lfirewall1243
1. Create an Alias with the Domains you don't want to route over the Proxy (no wildcards, just full domains or IP addresses).

2. Create the NAT Rule (Picture "NAT"); the Rule has to stand before the other Proxy NAT rules.

3. Create the Firewall Rule to allow Proxy bypass (Picture: "Rule"); the rule has to stand before the "deny Proxy bypass" Rule.


Now it should work to bypass the Proxy for the Domains.

It is important that your Windows devices are using the same DNS server as your OPNsense.
(Unofficial Community) OPNsense Telegram Group: https://t.me/joinchat/0o9JuLUXRFpiNmJk

PM for paid support


Wildcards will not work. Just full domain names.

Sent from my MI 9 with Tapatalk

(Unofficial Community) OPNsense Telegram Group: https://t.me/joinchat/0o9JuLUXRFpiNmJk

PM for paid support

February 21, 2020, 01:24:01 AM #7 Last Edit: February 21, 2020, 03:24:26 AM by AlexV
Hi,
Can you post the screenshot of the page of the NAT configuration, not only the line of the rule but the page with the configuration of the rule?
And the list of domains that you have put in the alias?

I have the same problem with squid but it seems that I am unable to set correctly the aliases, the NAT and the firewall rule.

These are my 2 NAT Rules.
My Alias is a remote .txt file on a WebServer with the Microsoft Domains.
(Unofficial Community) OPNsense Telegram Group: https://t.me/joinchat/0o9JuLUXRFpiNmJk

PM for paid support

So in my rules the alias is the problem; if I try to use an IP address instead of a domain, can I solve the problem?

Quote from: AlexV on February 26, 2020, 06:33:24 PM
So in my rules the alias is the problem; if I try to use an IP address instead of a domain, can I solve the problem?
Take a screenshot of your Alias and Rules :)

Sent from my MI 9 with Tapatalk

(Unofficial Community) OPNsense Telegram Group: https://t.me/joinchat/0o9JuLUXRFpiNmJk

PM for paid support

Here are my aliases... I suppose that I have made a mistake with the alias of sites: I use a FQDN instead of an IP address.


Quote from: AlexV on February 27, 2020, 12:23:52 AM
and here my NAT configuration
Looks good!

Try to change your Alias to "Hosts" and look under Firewall -> Diagnosis -> pftables if your Alias is showing IP addresses :)

Sent from my MI 9 with Tapatalk

(Unofficial Community) OPNsense Telegram Group: https://t.me/joinchat/0o9JuLUXRFpiNmJk

PM for paid support
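Added example (not from this thread or from OPNsense itself): a small Python check for a bypass alias file, following the advice in the steps above and in the reply just before this one. It rejects wildcard entries (leading "." or "*"), keeps literal IPs, resolves the remaining full domain names, and returns the address set that a "Hosts" alias should show under Firewall -> Diagnosis -> pftables. The sample file content is constructed (the microsoft.com name is from the thread, the other entries are assumptions), and the resolver is injectable so the check can run offline.

```python
import ipaddress
import re
import socket

# Constructed sample alias file, in the style of the remote .txt list from the thread.
# settings-win.data.microsoft.com is from the thread; the other entries are assumptions.
SAMPLE_ALIAS = """\
# Windows Update hosts that should bypass the proxy
settings-win.data.microsoft.com
.data.microsoft.com
*.windowsupdate.com
192.0.2.10
"""

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify(entry):
    """Return 'ip', 'fqdn', 'wildcard' or 'invalid'. A leading '.' or '*' is a wildcard,
    which a Hosts alias cannot resolve, so it is reported instead of silently ignored."""
    if entry.startswith((".", "*")):
        return "wildcard"
    try:
        ipaddress.ip_address(entry)
        return "ip"
    except ValueError:
        labels = entry.rstrip(".").split(".")
        if len(labels) >= 2 and all(_LABEL.match(lbl) for lbl in labels):
            return "fqdn"
        return "invalid"


def parse_alias(text):
    """Strip comments and blank lines from the alias file text."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def dns_resolver(name):
    """Real resolver: every A/AAAA address the system resolver returns for name."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def expected_pf_table(text, resolver=dns_resolver):
    """Return (ips, rejected): the sorted address set a Hosts alias should load into pf,
    and the entries (with their reason) that cannot go into such an alias."""
    ips, rejected = set(), []
    for entry in parse_alias(text):
        kind = classify(entry)
        if kind == "ip":
            ips.add(entry)
        elif kind == "fqdn":
            ips.update(resolver(entry))
        else:
            rejected.append((entry, kind))
    return sorted(ips), rejected
```

Run it with the real resolver on the same DNS server the Windows clients use, then compare the returned list with what pftables shows for the alias; any rejected entries are the lines that will never appear there.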

February 27, 2020, 05:12:59 PM #14 Last Edit: February 27, 2020, 05:22:43 PM by AlexV
Thank you.

Now I will use HOST and the IP addresses of the FQDN domain are seen in pftables, and I think that all will work fine.

Best regards

A.V.