[squid-users] Windows updates please help

From: Hubert Choma <hubert.ch_at_wp.pl>
Date: Thu, 04 Feb 2010 09:01:42 +0100

 Hello
> > >
> > > My squid ver. 2.6 stable, CentOS 2.6.18-164.el5.
> > >
> > > I'm using the configuration of the WU from the example
> > > http://wiki.squid-cache.org/SquidFaq/WindowsUpdate
> > >
> > > I would like to force squid to cache all windows update (version V6)
> > > files e.g .cab .exe and 700MB ISO files
> > >
> > > I have noticed that Windows Media Player does not update via squid. WU
> > > generates error 0x8024402F.
> > >
> > > I would like to setup squid cache maximum web content, antivirus updates
> > > and WU.
> > >
> > > Where can I find an example of how to cache dynamic pages?
> > >
> > > hierarchy_stoplist cgi-bin ?
> > > acl QUERY urlpath_regex cgi-bin \?
> >
> > By deleting the above, and the lines which make use of QUERY, they begin
> > to cache.

 I understand that I must hash these lines. Is that what you meant?
 
# hierarchy_stoplist cgi-bin ?
# acl QUERY urlpath_regex cgi-bin \?
# cache deny QUERY

That's correct?

> > Also see my notes in your refresh_pattern config below....
> >
> > >
> > >
> > > Please correct my config
> > >
> > > windowsupdate.txt
> > > .go.microsoft.com
> > > .windowsupdate.microsoft.com
> > > .update.microsoft.com
> > > .update.microsoft.com/windowsupdate/v7/default.aspx
> > > download.windowsupdate.com
> > > .download.microsoft.com
> > > ntservicepack.microsoft.com
> > > activex.microsoft.com
> > > redir.metaservices.microsoft.com
> > > images.metaservices.microsoft.com
> > > c.microsoft.com
> > > crl.microsoft.com
> > > codecs.microsoft.com
> > > urs.microsoft.com
> > > wustat.windows.com
> > >
> > >
> > > squid.conf
> > >
> > >
> > > http_port 192.168.0.12:8080
> > > hierarchy_stoplist cgi-bin ?
> > > acl QUERY urlpath_regex cgi-bin \?
> > > cache deny QUERY
> > > acl apache rep_header Server ^Apache
> > > broken_vary_encoding allow apache
> > > cache_mem 650 MB
> > > maximum_object_size 4194240 KB
> > > cache_dir ufs /var/spool/squid 6500 16 256
> > > #logformat squid %tl %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
> > > access_log /var/log/squid/access.log squid
> > > mime_table /etc/squid/mime.conf
> > > refresh_pattern ^ftp: 1440 20% 10080
> >
> > Right here between the FTP default handling and the general traffic
> > default handling (.) you need to add this:
> >
> > refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> >
> > to properly prevent evil dynamic content from sticking around longer
> > than it should (i.e. if it's not giving cache-control and/or expiry, drop
> > it. If it is, okay then).
> >
> > > refresh_pattern . 0 20% 4320
>
 You mean like this ??

> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> "ie if its not giving cache-control and/or expiry, drop
> > it."

 What to drop ?
>
>
> > Hmm. "." matches every URL. Squid stops processing refresh_pattern at
> > the first matching pattern.
> >
> > --> point: no refresh_pattern below here will ever be used.
> "point: no refresh_pattern below here will ever be used."
>
So what to do with this? What does "." do? Remove the first line and leave
 yours? I didn't understand.

refresh_pattern -i \.(gif|jpg|jpeg|png|js|css|flv|bmp|)(\?.*)?$ 0 50% 7200

What about reload-into-ims?

> > > refresh_pattern -i \.(gif|jpg|jpeg|png|js|css|flv|bmp|) 0 50% 7200
> > > reload-into-ims
> >
> > Ahm...
> > refresh_pattern -i \.(gif|jpg|jpeg|png|js|css|flv|bmp|)(\?.*)?$ 0
> > 50% 7200
> >
> > > refresh_pattern update.microsoft.com/windowsupdate/v6/.*\.(cab|exe|dll)
> > > 43200 100% 43200 reload-into-ims
> > > refresh_pattern windowsupdate.com/.*\.(cab|exe|dll) 43200 100% 43200
> > > reload-into-ims
> > > refresh_pattern windowsupdate.microsoft.com/.*\.(cab|exe|dll) 43200 100%
> > > 43200 reload-into-ims
> > > refresh_pattern download.microsoft.com/.*\.(cab|exe|dll) 43200 100%
> > > 43200 reload-into-ims
> > > refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|dll) 43200
> > > 100% 43200 reload-into-ims
> > > refresh_pattern symantecliveupdate.com/.*\.(zip|exe) 43200 100% 43200
> > > reload-into-ims
> > > refresh_pattern windowsupdate.com/.*\.(cab|exe) 43200 100% 43200
> > > reload-into-ims
> > > refresh_pattern download.microsoft.com/.*\.(cab|exe) 43200 100% 43200
> > > reload-into-ims
> > > refresh_pattern avast.com/.*\.(vpu|vpaa) 4320 100% 43200 reload-into-ims
> > > refresh_pattern . 0 20% 4320
> >
> > Aha! The dot pattern did get copied down. (or cut-n-pasted from the
> > wiki?)

On the wiki I can't find these patterns. Where are they?
>
> >
> > > range_offset_limit -1 KB
> > > ## MOJE ACL #####
> > > acl mojasiec src 192.168.0.0/255.255.255.0
> >
> > that's 192.168.0.0/24.
> >
> > > acl dozwolone dstdomain -i "/etc/squid/dozwolone.txt"
> > > acl ograniczone_komputery src 192.168.0.3 192.168.0.6 192.168.0.17
> > > 192.168.0.12 192.168.0.15 192.168.0.16
> > > acl poczta dstdom_regex .*poczta.* .*mail.*
> >
> > Hmm. you can drop the .* at beginning and end of squid patterns. They
> > are added automatically.
 No!!
Without *, e.g. poczta.* .mail.*, users can go on webmail, and I would like
 to deny webmail! So * is necessary: .*mail.* !!

> > > #acl sm9 src 192.168.0.3
> > > #http_access allow sm9
> > > acl WindowsUpdate dstdomain -i "/etc/squid/windowsupdate.txt"
> > > acl CONNECT method CONNECT
> > > http_access allow dozwolone ograniczone_komputery !poczta
> > > http_access allow CONNECT WindowsUpdate mojasiec
> > > http_access allow WindowsUpdate mojasiec
> >
> > A bunch of download sites which are allowed regardless of any other
> > http_access security. Open WU proxy! yay.
>
Yes, I would like to deny some IPs access to WWW sites; only the allowed
sites included in the file "dozwolone.txt" (= "allowedsites.txt") are
allowed.
The rest of the IPs must have full access to the WWW.
Is it a wrong idea?

> > Your Internet connection does not get NAT'd to something inside
> > 192.168.0.0/24 ... right?

 
Squid (192.168.0.12) is behind a NAT router redirecting traffic to 80.
Now I am changing my net topology and would like to set up squid as a
transparent proxy (2 NICs with iptables redirect 80->8080):
 1) 192.168.0.12/24 (NIC from router)
 2) 192.168.0.13/24 (NIC to LAN)

 So I use squid for LAN users to accelerate HTTP traffic.

> > > acl javascript rep_mime_type -i ^application/x-javascript$
> > > http_access allow javascript

What is it?? I don't understand. (line below)
> > http_access _request_ test allowed if _reply_ contains... WTF?

> > > acl all src 0.0.0.0/0.0.0.0
> > > acl hubert proto cache_object
> > > acl localhost src 127.0.0.1/255.255.255.255
> > > acl to_localhost dst 127.0.0.0/8
> > > acl SSL_ports port 443
> > > acl Safe_ports port 80 # http
> > > acl Safe_ports port 21 # ftp
> > > acl Safe_ports port 443 # https
> > > acl Safe_ports port 210 # wais
> > > acl Safe_ports port 1025-65535 # unregistered ports
> > > acl Safe_ports port 280 # http-mgmt
> > > acl Safe_ports port 488 # gss-http
> > > acl Safe_ports port 591 # filemaker
> > > acl Safe_ports port 777 # multiling http
> > > acl Safe_ports port 8080
> > > acl CONNECT method CONNECT
> > > http_access allow hubert localhost
> > > http_access deny hubert
> > > http_access deny !Safe_ports
> > > http_access deny CONNECT !SSL_ports
> > > http_access deny to_localhost
> > > http_access allow localhost
> > > http_access deny all
> > > http_reply_access allow all
> > > icp_access allow all
> > > cache_mgr hubert.ch_at_wp.pl
> > > visible_hostname proliant
> > > log_icp_queries off
> > > cachemgr_passwd mojehasło all
> >
> > Um. Bugger. You may want to change that password now.
> > I know you have it locked down so only localhost can request the mgr:
> > protocol, but still...

The password is old :)
 Thanks for the reply :)
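The two matching rules the reply keeps coming back to, that Squid uses only the first refresh_pattern whose regex matches a URL (so a "." rule placed above the Windows Update rules shadows them), and that Squid ACL regexes such as dstdom_regex are unanchored searches (so "mail" already behaves like ".*mail.*"), can be checked with the following Python model. This is an added example, not code from the thread or from Squid itself; the RefreshPattern class, the helper names and the sample URLs are the example's own, while the pattern strings are the ones posted in the thread.

```python
import re
from dataclasses import dataclass

# Added example (not Squid code): a minimal model of how Squid selects a
# refresh_pattern for a URL. Squid walks the refresh_pattern list in
# configuration order and uses the first regex that matches the URL; the
# match is an unanchored extended-regex search, case-insensitive when the
# -i flag is present. Rules below the first match are never consulted.


@dataclass
class RefreshPattern:
    regex: str
    min_minutes: int
    percent: int
    max_minutes: int
    case_insensitive: bool = False
    options: tuple = ()

    def matches(self, url: str) -> bool:
        flags = re.IGNORECASE if self.case_insensitive else 0
        return re.search(self.regex, url, flags) is not None


def first_matching_pattern(patterns, url):
    """Return the first refresh_pattern that matches the URL, as Squid would, or None."""
    for p in patterns:
        if p.matches(url):
            return p
    return None


def effective_max_age(patterns, url):
    """Max age in minutes granted by the winning pattern; None if nothing matched."""
    p = first_matching_pattern(patterns, url)
    return None if p is None else p.max_minutes


# Pattern strings exactly as posted in the thread.
FTP = RefreshPattern(r"^ftp:", 1440, 20, 10080)
DYNAMIC = RefreshPattern(r"(/cgi-bin/|\?)", 0, 0, 0, case_insensitive=True)
WU = RefreshPattern(r"windowsupdate.com/.*\.(cab|exe|dll)", 43200, 100, 43200,
                    options=("reload-into-ims",))
CATCH_ALL = RefreshPattern(r".", 0, 20, 4320)

# Ordering from the posted squid.conf: the "." catch-all sits above the WU rule.
POSTED_ORDER = [FTP, CATCH_ALL, WU]

# Ordering the reply asks for: dynamic-content rule right after ftp, site
# rules next, and the "." catch-all as the very last line.
CORRECTED_ORDER = [FTP, DYNAMIC, WU, CATCH_ALL]


def dstdom_regex_matches(pattern: str, host: str) -> bool:
    """Squid's dstdom_regex is an unanchored search, so 'mail' and '.*mail.*' agree."""
    return re.search(pattern, host) is not None


if __name__ == "__main__":
    # Constructed sample URLs for the demonstration.
    cab = "http://au.download.windowsupdate.com/msdownload/update/v6/x.cab"
    cgi = "http://www.example.com/cgi-bin/search?q=1"
    for name, order in (("posted", POSTED_ORDER), ("corrected", CORRECTED_ORDER)):
        for url in (cab, cgi):
            p = first_matching_pattern(order, url)
            print(f"{name:9s} {url}\n          -> matched {p.regex!r}, max {p.max_minutes} min")
    for host in ("webmail.example.com", "poczta.example.pl", "www.example.com"):
        print(host, dstdom_regex_matches("mail", host), dstdom_regex_matches(".*mail.*", host))
```

With the posted ordering the .cab download is capped at 4320 minutes by the "." rule and the 43200-minute Windows Update rule is never reached; moving "." to the bottom restores the intended behaviour, and the cgi-bin URL then gets the 0-minute dynamic-content rule instead of the catch-all.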
Received on Thu Feb 04 2010 - 08:01:48 MST
