Re: [squid-users] how to force windows update to cache all updates

From: Hubert Choma <hubert.ch_at_wp.pl>
Date: Tue, 02 Feb 2010 10:10:28 +0100

On 28-01-2010 at 15:20 Amos Jeffries wrote:
> Hubert Choma wrote:
> > Hello
> >
> > My squid ver. 2.6 stable Centos 2.6.18-164.el5 .
> >
> > I'm using the configuration of the WU from the example
> > http://wiki.squid-cache.org/SquidFaq/WindowsUpdate
> >
> > I would like to force squid to cache all windows update (version V6)
> > files e.g .cab .exe and 700MB ISO files
> >
> > I am noticed that windows media player does not update via squid. WU
> > generates error 0x8024402F.
> >
> > I would like to setup squid cache maximum web content, antivirus updates
> > and WU.
> >
> > Where can I find example how to cache dynamic pages ?
> >
> > hierarchy_stoplist cgi-bin ?
> > acl QUERY urlpath_regex cgi-bin \?
>
> By deleting the above. And the lines which make use of QUERY they begin
> to cache.
I understand that I must hash out these lines. Is that what you meant?

# hierarchy_stoplist cgi-bin ?
# acl QUERY urlpath_regex cgi-bin \?
# cache deny QUERY

That's correct?
 
> Also see my notes in your refresh_pattern config below....
>
> >
> >
> > Please correct my config
> >
> > windowsupdate.txt
> > .go.microsoft.com
> > .windowsupdate.microsoft.com
> > .update.microsoft.com
> > .update.microsoft.com/windowsupdate/v7/default.aspx
> > download.windowsupdate.com
> > .download.microsoft.com
> > ntservicepack.microsoft.com
> > activex.microsoft.com
> > redir.metaservices.microsoft.com
> > images.metaservices.microsoft.com
> > c.microsoft.com
> > crl.microsoft.com
> > codecs.microsoft.com
> > urs.microsoft.com
> > wustat.windows.com
> >
> >
> > squid.conf
> >
> >
> > http_port 192.168.0.12:8080
> > hierarchy_stoplist cgi-bin ?
> > acl QUERY urlpath_regex cgi-bin \?
> > cache deny QUERY
> > acl apache rep_header Server ^Apache
> > broken_vary_encoding allow apache
> > cache_mem 650 MB
> > maximum_object_size 4194240 KB
> > cache_dir ufs /var/spool/squid 6500 16 256
> > #logformat squid %tl %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A &mt
> > access_log /var/log/squid/access.log squid
> > mime_table /etc/squid/mime.conf
> > refresh_pattern ^ftp: 1440 20% 10080
>
> Right here between the FTP default handling and the general traffic
> default handing (.) you need to add this:
>
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>
> to properly prevent evil dynamic content from sticking around longer
> than it should (ie if its not giving cache-control and/or expiry, drop
> it. if it is okay then).
>
> > refresh_pattern . 0 20% 4320

You mean like this?

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

"ie if its not giving cache-control and/or expiry, drop it." What to drop?

> Hmm. "." matches every URL. Squid stops processing refresh_pattern at
> the first matching pattern.
>
> --> point: no refresh_pattern below here will ever be used.
"point: no refresh_pattern below here will ever be used."

So what to do with this? What does "." do? Remove the first line and leave
yours? I didn't understand.
refresh_pattern -i \.(gif|jpg|jpeg|png|js|css|flv|bmp|)(\?.*)?$ 0 50% 7200
What about reload-into-ims?

> > refresh_pattern -i \.(gif|jpg|jpeg|png|js|css|flv|bmp|) 0 50% 7200
> > reload-into-ims
>
> Ahm...
> refresh_pattern -i \.(gif|jpg|jpeg|png|js|css|flv|bmp|)(\?.*)?$ 0
> 50% 7200
>
> > refresh_pattern update.microsoft.com/windowsupdate/v6/.*\.(cab|exe|dll)
> > 43200 100% 43200 reload-into-ims
> > refresh_pattern windowsupdate.com/.*\.(cab|exe|dll) 43200 100% 43200
> > reload-into-ims
> > refresh_pattern windowsupdate.microsoft.com/.*\.(cab|exe|dll) 43200 100%
> > 43200 reload-into-ims
> > refresh_pattern download.microsoft.com/.*\.(cab|exe|dll) 43200 100%
> > 43200 reload-into-ims
> > refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|dll) 43200
> > 100% 43200 reload-into-ims
> > refresh_pattern symantecliveupdate.com/.*\.(zip|exe) 43200 100% 43200
> > reload-into-ims
> > refresh_pattern windowsupdate.com/.*\.(cab|exe) 43200 100% 43200
> > reload-into-ims
> > refresh_pattern download.microsoft.com/.*\.(cab|exe) 43200 100% 43200
> > reload-into-ims
> > refresh_pattern avast.com/.*\.(vpu|vpaa) 4320 100% 43200 reload-into-ims
> > refresh_pattern . 0 20% 4320
>
> Aha!. The dot pattern did get copied down. (or cut-n-pasted from the
> wiki?)
On the Wiki I can't find these patterns; where are they?

>
> > range_offset_limit -1 KB
> > ## MY ACLs #####
> > acl mojasiec src 192.168.0.0/255.255.255.0
>
> thats 192.168.0.0/24.
>
> > acl dozwolone dstdomain -i "/etc/squid/dozwolone.txt"
> > acl ograniczone_komputery src 192.168.0.3 192.168.0.6 192.168.0.17
> > 192.168.0.12 192.168.0.15 192.168.0.16
> > acl poczta dstdom_regex .*poczta.* .*mail.*
>
> Hmm. you can drop the .* at beginning and end of squid patterns. They
> are added automatically.
No!!
Without * e.g. poczta.* .mail.* users can go on webmail and I would like
to deny webmail! So * are necessary: .*mail.* !!

> > #acl sm9 src 192.168.0.3
> > #http_access allow sm9
> > acl WindowsUpdate dstdomain -i "/etc/squid/windowsupdate.txt"
> > acl CONNECT method CONNECT
> > http_access allow dozwolone ograniczone_komputery !poczta
> > http_access allow CONNECT WindowsUpdate mojasiec
> > http_access allow WindowsUpdate mojasiec
>
> A bunch of download site which are allowed regardless of any other
> http_access security. Open WU proxy! yay.

Yes, I would like to deny some IPs access to www sites; only allowed
sites which are included in the file "dozwolone.txt" = "allowedsites.txt"
are allowed.
The rest of the IPs must have full access to WWW.
Is it a wrong idea?
 
> Your Internet connection does not get NAT'd to something inside
> 192.168.0.0/24 ... right?

Squid (192.168.0.12) is behind a NAT router redirecting traffic to 80.
Now I change my net topology and would like to set squid as a
transparent proxy (2 NICs with iptables redirect 80->8080):
1) 192.168.0.12/24 (NIC from router)
2) 192.168.0.13/24 (NIC to LAN)

So I use squid for LAN users to accelerate HTTP traffic.
>
> > acl javascript rep_mime_type -i ^application/x-javascript$
> > http_access allow javascript
>
What is it?? I don't understand.
> http_access _request_ test allowed if _reply_ contains... WTF?
>
> > acl all src 0.0.0.0/0.0.0.0
> > acl hubert proto cache_object
> > acl localhost src 127.0.0.1/255.255.255.255
> > acl to_localhost dst 127.0.0.0/8
> > acl SSL_ports port 443
> > acl Safe_ports port 80 # http
> > acl Safe_ports port 21 # ftp
> > acl Safe_ports port 443 # https
> > acl Safe_ports port 210 # wais
> > acl Safe_ports port 1025-65535 # unregistered ports
> > acl Safe_ports port 280 # http-mgmt
> > acl Safe_ports port 488 # gss-http
> > acl Safe_ports port 591 # filemaker
> > acl Safe_ports port 777 # multiling http
> > acl Safe_ports port 8080
> > acl CONNECT method CONNECT
> > http_access allow hubert localhost
> > http_access deny hubert
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > http_access deny to_localhost
> > http_access allow localhost
> > http_access deny all
> > http_reply_access allow all
> > icp_access allow all
> > cache_mgr hubert.ch_at_wp.pl
> > visible_hostname proliant
> > log_icp_queries off
> > cachemgr_passwd mojehasło all
>
> Um. Bugger. You may want to change that password now.
> I know you have it locked down so only localhost can request the mgr:
> protocol, but still...
Password is old :)

Thanks for reply :)
>
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE7 or 3.0.STABLE21
> Current Beta Squid 3.1.0.15
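Added illustration (not part of the thread, and not Squid's own code): a small Python model of Squid's refresh_pattern matching, which is first-match and uses an unanchored regex search. It replays the two orderings discussed above, the posted config with "." before the Windows Update rule, and the reordered one with Amos' dynamic-content rule inserted and "." moved last, against constructed sample URLs. The rule tuples and URLs are constructed for the example.

```python
import re

# Rule tuples: (regex, case_insensitive, min_minutes, percent, max_minutes, options)
# Constructed from the refresh_pattern lines quoted in the thread.
WU_RULE = (r"update\.microsoft\.com/windowsupdate/v6/.*\.(cab|exe|dll)",
           False, 43200, 100, 43200, ("reload-into-ims",))
FTP_RULE = ("^ftp:", False, 1440, 20, 10080, ())
DYNAMIC_RULE = (r"(/cgi-bin/|\?)", True, 0, 0, 0, ())   # Amos' suggested line
CATCH_ALL = (".", False, 0, 20, 4320, ())               # "." matches every URL

# Ordering as posted: the catch-all sits above the Windows Update rule.
AS_POSTED = [FTP_RULE, CATCH_ALL, WU_RULE]

# Ordering as advised: specific rules first, catch-all last.
REORDERED = [FTP_RULE, DYNAMIC_RULE, WU_RULE, CATCH_ALL]


def first_match(rules, url):
    """Return the first rule whose regex matches the URL, as Squid does.

    Squid evaluates refresh_pattern lines top to bottom and stops at the
    first match; the regex is searched anywhere in the URL, not anchored.
    """
    for pat, icase, mn, pct, mx, opts in rules:
        flags = re.IGNORECASE if icase else 0
        if re.search(pat, url, flags):
            return {"pattern": pat, "min": mn, "percent": pct,
                    "max": mx, "options": opts}
    return None


def shadowed_rules(rules):
    """List the regexes that can never be reached because a '.' rule
    (which matches everything) appears above them."""
    for i, rule in enumerate(rules):
        if rule[0] == ".":
            return [r[0] for r in rules[i + 1:]]
    return []


if __name__ == "__main__":
    # Constructed sample URL in the Windows Update v6 download path.
    url = "http://update.microsoft.com/windowsupdate/v6/x86/foo.cab"
    for name, rules in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        print(name, "->", first_match(rules, url))
        print(name, "dead rules:", shadowed_rules(rules))
```

With the posted ordering the .cab URL is handled by the 4320-minute catch-all; after reordering it gets the 43200-minute Windows Update rule and a cgi-bin URL gets the 0/0%/0 dynamic rule.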
Received on Tue Feb 02 2010 - 09:10:36 MST