Re: [squid-users] how to force windows update to cache all updates

From: Hubert Choma <hubert.ch_at_wp.pl>
Date: Tue, 02 Feb 2010 11:06:44 +0100

On 2-02-2010 at 10:10 Hubert Choma wrote:
> On 28-01-2010 at 15:20 Amos Jeffries wrote:
> > Hubert Choma wrote:
> > > Hello
> > >
> > > My squid ver. 2.6 stable, CentOS 2.6.18-164.el5.
> > >
> > > I'm using the configuration of the WU from the example
> > > http://wiki.squid-cache.org/SquidFaq/WindowsUpdate
> > >
> > > I would like to force squid to cache all windows update (version V6)
> > > files e.g .cab .exe and 700MB ISO files
> > >
> > > I noticed that windows media player does not update via squid. WU
> > > generates error 0x8024402F.
> > >
> > > I would like to setup squid cache maximum web content, antivirus updates
> > > and WU.
> > >
> > > Where can I find example how to cache dynamic pages ?
> > >
> > > hierarchy_stoplist cgi-bin ?
> > > acl QUERY urlpath_regex cgi-bin \?
> >
> > By deleting the above and the lines which make use of QUERY, they begin
> > to cache.
> I understand that I must hash these lines. Is that what you meant?
>
> # hierarchy_stoplist cgi-bin ?
> # acl QUERY urlpath_regex cgi-bin \?
> # cache deny QUERY
>
> That's correct?
>
> > Also see my notes in your refresh_pattern config below....
> >
> > >
> > >
> > > Please correct my config
> > >
> > > windowsupdate.txt
> > > .go.microsoft.com
> > > .windowsupdate.microsoft.com
> > > .update.microsoft.com
> > > .update.microsoft.com/windowsupdate/v7/default.aspx
> > > download.windowsupdate.com
> > > .download.microsoft.com
> > > ntservicepack.microsoft.com
> > > activex.microsoft.com
> > > redir.metaservices.microsoft.com
> > > images.metaservices.microsoft.com
> > > c.microsoft.com
> > > crl.microsoft.com
> > > codecs.microsoft.com
> > > urs.microsoft.com
> > > wustat.windows.com
> > >
> > >
> > > squid.conf
> > >
> > >
> > > http_port 192.168.0.12:8080
> > > hierarchy_stoplist cgi-bin ?
> > > acl QUERY urlpath_regex cgi-bin \?
> > > cache deny QUERY
> > > acl apache rep_header Server ^Apache
> > > broken_vary_encoding allow apache
> > > cache_mem 650 MB
> > > maximum_object_size 4194240 KB
> > > cache_dir ufs /var/spool/squid 6500 16 256
> > > #logformat squid %tl %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A &mt
> > > access_log /var/log/squid/access.log squid
> > > mime_table /etc/squid/mime.conf
> > > refresh_pattern ^ftp: 1440 20% 10080
> >
> > Right here between the FTP default handling and the general traffic
> > default handing (.) you need to add this:
> >
> > refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> >
> > to properly prevent evil dynamic content from sticking around longer
> > than it should (i.e. if it's not giving cache-control and/or expiry, drop
> > it; if it is, okay then).
> >
> > > refresh_pattern . 0 20% 4320
>
> You mean like this ??
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> "i.e. if it's not giving cache-control and/or expiry, drop it." What to drop?
>
>
> > Hmm. "." matches every URL. Squid stops processing refresh_pattern at
> > the first matching pattern.
> >
> > --> point: no refresh_pattern below here will ever be used.
> "point: no refresh_pattern below here will ever be used."
>
> So what to do with this? What does "." do? Remove the first line and leave
> yours? I didn't understand.
> refresh_pattern -i \.(gif|jpg|jpeg|png|js|css|flv|bmp|)(\?.*)?$ 0 50% 7200
> What about reload-into-ims?
>
> > > refresh_pattern -i \.(gif|jpg|jpeg|png|js|css|flv|bmp|) 0 50% 7200
> > > reload-into-ims
> >
> > Ahm...
> > refresh_pattern -i \.(gif|jpg|jpeg|png|js|css|flv|bmp|)(\?.*)?$ 0
> > 50% 7200
> >
> > > refresh_pattern update.microsoft.com/windowsupdate/v6/.*\.(cab|exe|dll)
> > > 43200 100% 43200 reload-into-ims
> > > refresh_pattern windowsupdate.com/.*\.(cab|exe|dll) 43200 100% 43200
> > > reload-into-ims
> > > refresh_pattern windowsupdate.microsoft.com/.*\.(cab|exe|dll) 43200 100%
> > > 43200 reload-into-ims
> > > refresh_pattern download.microsoft.com/.*\.(cab|exe|dll) 43200 100%
> > > 43200 reload-into-ims
> > > refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|dll) 43200
> > > 100% 43200 reload-into-ims
> > > refresh_pattern symantecliveupdate.com/.*\.(zip|exe) 43200 100% 43200
> > > reload-into-ims
> > > refresh_pattern windowsupdate.com/.*\.(cab|exe) 43200 100% 43200
> > > reload-into-ims
> > > refresh_pattern download.microsoft.com/.*\.(cab|exe) 43200 100% 43200
> > > reload-into-ims
> > > refresh_pattern avast.com/.*\.(vpu|vpaa) 4320 100% 43200 reload-into-ims
> > > refresh_pattern . 0 20% 4320
> >
> > Aha! The dot pattern did get copied down. (or cut-n-pasted from the
> > wiki?)
> On the Wiki I can't find these patterns; where are they?
>
> >
> > > range_offset_limit -1 KB
> > > ## MY ACL #####
> > > acl mojasiec src 192.168.0.0/255.255.255.0
> >
> > that's 192.168.0.0/24.
> >
> > > acl dozwolone dstdomain -i "/etc/squid/dozwolone.txt"
> > > acl ograniczone_komputery src 192.168.0.3 192.168.0.6 192.168.0.17
> > > 192.168.0.12 192.168.0.15 192.168.0.16
> > > acl poczta dstdom_regex .*poczta.* .*mail.*
> >
> > Hmm. You can drop the .* at beginning and end of squid patterns. They
> > are added automatically.
> No!!
> Without *, e.g. poczta.* .mail.*, users can go on webmail and I would like
> to deny webmail! So * are necessary: .*mail.* !!
>
> > > #acl sm9 src 192.168.0.3
> > > #http_access allow sm9
> > > acl WindowsUpdate dstdomain -i "/etc/squid/windowsupdate.txt"
> > > acl CONNECT method CONNECT
> > > http_access allow dozwolone ograniczone_komputery !poczta
> > > http_access allow CONNECT WindowsUpdate mojasiec
> > > http_access allow WindowsUpdate mojasiec
> >
> > A bunch of download sites which are allowed regardless of any other
> > http_access security. Open WU proxy! yay.
>
> Yes, I would like to deny some IPs access to www sites; only allowed
> sites which are included in the file "dozwolone.txt" = "allowedsites.txt"
> are allowed.
> The rest of the IPs must have full access to WWW.
> Is it a wrong idea?
>
> > Your Internet connection does not get NAT'd to something inside
> > 192.168.0.0/24 ... right?
>
> Squid (192.168.0.12) is behind a NAT router that redirects traffic to 80.
> Now I have changed my net topology and would like to set squid up as a
> transparent proxy (2 NICs with iptables redirect 80->8080):
> 1) 192.168.0.12/24 (NIC from router)
> 2) 192.168.0.13/24 (NIC to LAN)
>
> So I use squid for LAN users to accelerate HTTP traffic.
> >
> > > acl javascript rep_mime_type -i ^application/x-javascript$
> > > http_access allow javascript
> >
> What is it?? I don't understand.
> > http_access _request_ test allowed if _reply_ contains... WTF?
> >
> > > acl all src 0.0.0.0/0.0.0.0
> > > acl hubert proto cache_object
> > > acl localhost src 127.0.0.1/255.255.255.255
> > > acl to_localhost dst 127.0.0.0/8
> > > acl SSL_ports port 443
> > > acl Safe_ports port 80 # http
> > > acl Safe_ports port 21 # ftp
> > > acl Safe_ports port 443 # https
> > > acl Safe_ports port 210 # wais
> > > acl Safe_ports port 1025-65535 # unregistered ports
> > > acl Safe_ports port 280 # http-mgmt
> > > acl Safe_ports port 488 # gss-http
> > > acl Safe_ports port 591 # filemaker
> > > acl Safe_ports port 777 # multiling http
> > > acl Safe_ports port 8080
> > > acl CONNECT method CONNECT
> > > http_access allow hubert localhost
> > > http_access deny hubert
> > > http_access deny !Safe_ports
> > > http_access deny CONNECT !SSL_ports
> > > http_access deny to_localhost
> > > http_access allow localhost
> > > http_access deny all
> > > http_reply_access allow all
> > > icp_access allow all
> > > cache_mgr hubert.ch_at_wp.pl
> > > visible_hostname proliant
> > > log_icp_queries off
> > > cachemgr_passwd mojehasło all
> >
> > Um. Bugger. You may want to change that password now.
> > I know you have it locked down so only localhost can request the mgr:
> > protocol, but still...
> Password is old :)
>
> Thanks for reply :)
> >
> >
> > Amos
> > --
> > Please be using
> > Current Stable Squid 2.7.STABLE7 or 3.0.STABLE21
> > Current Beta Squid 3.1.0.15
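To make the refresh_pattern discussion above concrete, here is an added Python model of Squid's rule selection (not code from the thread or from Squid itself): it replays the quoted rules in the posted order, where the copied-down "." line swallows the Windows Update URLs, and in a corrected order with the cgi-bin/? rule right after the ftp rule and a single "." catch-all last. It also shows that dstdom_regex matching is an unanchored search, as Amos notes. The function names, the POSTED/FIXED lists and the sample URLs are this example's own constructions.

```python
import re

# refresh_pattern lines as (regex, case_insensitive, min, percent, max),
# constructed here from the squid.conf quoted above; option flags such as
# reload-into-ims are omitted because they do not affect rule selection.
POSTED = [
    ("^ftp:", False, 1440, 20, 10080),
    (r"\.(gif|jpg|jpeg|png|js|css|flv|bmp|)(\?.*)?$", True, 0, 50, 7200),
    (".", False, 0, 20, 4320),  # the copied-down dot line
    (r"windowsupdate.com/.*\.(cab|exe|dll)", False, 43200, 100, 43200),
    (r"download.microsoft.com/.*\.(cab|exe|dll)", False, 43200, 100, 43200),
    (".", False, 0, 20, 4320),
]

def select_refresh_pattern(url, patterns):
    """Return the first entry whose regex matches the URL, mirroring
    Squid's first-match-wins evaluation; None if nothing matches.
    refresh_pattern regexes are unanchored, hence re.search."""
    for entry in patterns:
        regex, icase = entry[0], entry[1]
        if re.search(regex, url, re.IGNORECASE if icase else 0):
            return entry
    return None

def reorder(patterns):
    """Drop every stray '.' rule, keep the rest in their original order,
    append a single '.' catch-all, and insert the dynamic-content rule
    Amos recommended directly after the ftp rule (assumed to be first)."""
    rest = [p for p in patterns if p[0] != "."]
    rest.append((".", False, 0, 20, 4320))
    rest.insert(1, (r"(/cgi-bin/|\?)", True, 0, 0, 0))
    return rest

FIXED = reorder(POSTED)

def dstdom_regex_matches(pattern, host):
    """dstdom_regex is also an unanchored search, so leading and trailing
    .* change nothing about which hosts match."""
    return re.search(pattern, host) is not None

if __name__ == "__main__":
    wu = "http://download.windowsupdate.com/v6/update.cab"  # constructed URL
    for name, rules in (("posted", POSTED), ("fixed", FIXED)):
        print(name, select_refresh_pattern(wu, rules))
```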
Received on Tue Feb 02 2010 - 10:06:52 MST

This archive was generated by hypermail 2.2.0 : Tue Feb 02 2010 - 12:00:03 MST