Re: [squid-users] how to force windows update to cache all updates

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 29 Jan 2010 03:20:09 +1300

Hubert Choma wrote:
> Hello
>
> My squid ver. 2.6 stable Centos 2.6.18-164.el5 .
>
> I'm using the configuration of the WU from the example
> http://wiki.squid-cache.org/SquidFaq/WindowsUpdate
>
> I would like to force squid to cache all windows update (version V6)
> files e.g .cab .exe and 700MB ISO files
>
> I am noticed that windows media player does not update via squid. WU
> generates error 0x8024402F.
>
> I would like to setup squid cache maximum web content, antivirus updates
> and WU.
>
> Where can I find example how to cache dynamic pages ?
>
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?

By deleting the above, and the lines which make use of QUERY, they begin
to cache.

Also see my notes in your refresh_pattern config below....

>
>
> Please correct my config
>
> windowsupdate.txt
> .go.microsoft.com
> .windowsupdate.microsoft.com
> .update.microsoft.com
> .update.microsoft.com/windowsupdate/v7/default.aspx
> download.windowsupdate.com
> .download.microsoft.com
> ntservicepack.microsoft.com
> activex.microsoft.com
> redir.metaservices.microsoft.com
> images.metaservices.microsoft.com
> c.microsoft.com
> crl.microsoft.com
> codecs.microsoft.com
> urs.microsoft.com
> wustat.windows.com
>
>
> squid.conf
>
>
> http_port 192.168.0.12:8080
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> cache_mem 650 MB
> maximum_object_size 4194240 KB
> cache_dir ufs /var/spool/squid 6500 16 256
> #logformat squid %tl %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A &mt
> access_log /var/log/squid/access.log squid
> mime_table /etc/squid/mime.conf
> refresh_pattern ^ftp: 1440 20% 10080

Right here between the FTP default handling and the general traffic
default handling (.) you need to add this:

   refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

to properly prevent evil dynamic content from sticking around longer
than it should (i.e. if it's not giving cache-control and/or expiry, drop
it; if it is, okay then).

> refresh_pattern . 0 20% 4320

Hmm. "." matches every URL. Squid stops processing refresh_pattern at
the first matching pattern.

--> point: no refresh_pattern below here will ever be used.

> refresh_pattern -i \.(gif|jpg|jpeg|png|js|css|flv|bmp|) 0 50% 7200
> reload-into-ims

Ahm...
   refresh_pattern -i \.(gif|jpg|jpeg|png|js|css|flv|bmp)(\?.*)?$ 0 50% 7200

> refresh_pattern update.microsoft.com/windowsupdate/v6/.*\.(cab|exe|dll)
> 43200 100% 43200 reload-into-ims
> refresh_pattern windowsupdate.com/.*\.(cab|exe|dll) 43200 100% 43200
> reload-into-ims
> refresh_pattern windowsupdate.microsoft.com/.*\.(cab|exe|dll) 43200 100%
> 43200 reload-into-ims
> refresh_pattern download.microsoft.com/.*\.(cab|exe|dll) 43200 100%
> 43200 reload-into-ims
> refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|dll) 43200
> 100% 43200 reload-into-ims
> refresh_pattern symantecliveupdate.com/.*\.(zip|exe) 43200 100% 43200
> reload-into-ims
> refresh_pattern windowsupdate.com/.*\.(cab|exe) 43200 100% 43200
> reload-into-ims
> refresh_pattern download.microsoft.com/.*\.(cab|exe) 43200 100% 43200
> reload-into-ims
> refresh_pattern avast.com/.*\.(vpu|vpaa) 4320 100% 43200 reload-into-ims
> refresh_pattern . 0 20% 4320

Aha! The dot pattern did get copied down. (or cut-n-pasted from the wiki?)

> range_offset_limit -1 KB
> ## MOJE ACL #####
> acl mojasiec src 192.168.0.0/255.255.255.0

that's 192.168.0.0/24.

> acl dozwolone dstdomain -i "/etc/squid/dozwolone.txt"
> acl ograniczone_komputery src 192.168.0.3 192.168.0.6 192.168.0.17
> 192.168.0.12 192.168.0.15 192.168.0.16
> acl poczta dstdom_regex .*poczta.* .*mail.*

Hmm. You can drop the .* at beginning and end of squid patterns. They
are added automatically.

> #acl sm9 src 192.168.0.3
> #http_access allow sm9
> acl WindowsUpdate dstdomain -i "/etc/squid/windowsupdate.txt"
> acl CONNECT method CONNECT
> http_access allow dozwolone ograniczone_komputery !poczta
> http_access allow CONNECT WindowsUpdate mojasiec
> http_access allow WindowsUpdate mojasiec

A bunch of download sites which are allowed regardless of any other
http_access security. Open WU proxy! yay.

   Your Internet connection does not get NAT'd to something inside
192.168.0.0/24 ... right?

> acl javascript rep_mime_type -i ^application/x-javascript$
> http_access allow javascript

http_access _request_ test allowed if _reply_ contains... WTF?

> acl all src 0.0.0.0/0.0.0.0
> acl hubert proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 8080
> acl CONNECT method CONNECT
> http_access allow hubert localhost
> http_access deny hubert
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny to_localhost
> http_access allow localhost
> http_access deny all
> http_reply_access allow all
> icp_access allow all
> cache_mgr hubert.ch_at_wp.pl
> visible_hostname proliant
> log_icp_queries off
> cachemgr_passwd mojehasło all

Um. Bugger. You may want to change that password now.
I know you have it locked down so only localhost can request the mgr:
protocol, but still...

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE21
   Current Beta Squid 3.1.0.15
Received on Thu Jan 28 2010 - 14:20:36 MST
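The ordering point Amos makes above (Squid stops at the first refresh_pattern that matches, so a "." rule placed early swallows every URL behind it) is easy to check without a running proxy. The script below is an added example, not part of the thread or of Squid itself: it simulates Squid's first-match refresh_pattern lookup over two constructed squid.conf fragments, one with the dot rule in the middle as in the quoted config and one with the dynamic-content rule inserted and the dot rule moved last. The URLs are constructed samples, and trailing options such as reload-into-ims are parsed but ignored.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class RefreshPattern:
    """One refresh_pattern rule: regex, min (minutes), percent, max (minutes)."""
    regex: str
    min_minutes: int
    percent: int
    max_minutes: int
    case_insensitive: bool = False


def parse_refresh_patterns(conf: str) -> List[RefreshPattern]:
    """Collect refresh_pattern lines from squid.conf text, preserving file order.

    Only the regex, min, percent and max fields are kept; options after max
    (e.g. reload-into-ims) do not affect which rule matches, so they are dropped.
    """
    rules = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line.startswith("refresh_pattern"):
            continue
        parts = line.split()[1:]
        ci = parts[0] == "-i"
        if ci:
            parts = parts[1:]
        regex, mn, pct, mx = parts[0], int(parts[1]), int(parts[2].rstrip("%")), int(parts[3])
        rules.append(RefreshPattern(regex, mn, pct, mx, ci))
    return rules


def first_match(rules: List[RefreshPattern], url: str) -> Optional[RefreshPattern]:
    """Squid semantics: the first rule whose regex matches the URL wins; later rules
    are never consulted, which is why a bare "." rule must come last."""
    for rule in rules:
        flags = re.IGNORECASE if rule.case_insensitive else 0
        if re.search(rule.regex, url, flags):
            return rule
    return None


def matched_regex(conf: str, url: str) -> Optional[str]:
    """Return the regex text of the rule Squid would apply to url, or None."""
    rule = first_match(parse_refresh_patterns(conf), url)
    return rule.regex if rule else None


# Constructed: the order from the quoted squid.conf, with "." in second place.
BROKEN_CONF = r"""
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern . 0 20% 4320
refresh_pattern -i \.(gif|jpg|jpeg|png|js|css|flv|bmp)(\?.*)?$ 0 50% 7200
refresh_pattern windowsupdate.com/.*\.(cab|exe|dll) 43200 100% 43200 reload-into-ims
"""

# Constructed: the dynamic-content rule added after ftp, "." moved to the end.
FIXED_CONF = r"""
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern -i \.(gif|jpg|jpeg|png|js|css|flv|bmp)(\?.*)?$ 0 50% 7200
refresh_pattern windowsupdate.com/.*\.(cab|exe|dll) 43200 100% 43200 reload-into-ims
refresh_pattern . 0 20% 4320
"""

# Constructed sample URLs (not real update links).
WU_URL = "http://download.windowsupdate.com/v9/windowsupdate/redir/wuredir.cab"
CGI_URL = "http://example.com/cgi-bin/search?q=squid"
PNG_URL = "http://example.com/img/Logo.PNG"
PNG_QUERY_URL = "http://example.com/img/Logo.PNG?v=3"

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(f"== {name} order ==")
        for url in (WU_URL, CGI_URL, PNG_URL, PNG_QUERY_URL):
            rule = first_match(parse_refresh_patterns(conf), url)
            print(f"{url}\n   -> {rule.regex!r}  min={rule.min_minutes} max={rule.max_minutes}")
```

With the quoted order every URL lands on the "." rule, so the 43200-minute Windows Update rule is dead configuration. With the corrected order the .cab download reaches its own rule, and a cgi-bin or query URL gets the 0 0% 0 rule instead. Note the side effect of putting the dynamic rule ahead of the image rule: `Logo.PNG?v=3` is treated as dynamic content because of its query string, regardless of the `(\?.*)?$` suffix on the image pattern; that is the trade-off the ordering makes, and the script lets you see it before it reaches a live proxy.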

This archive was generated by hypermail 2.2.0 : Thu Jan 28 2010 - 12:00:04 MST