[squid-users] Unable to cache Windows Update

davide.motti davide.motti at modomoto.com
Wed Oct 11 15:10:23 UTC 2017


Hi everybody,

I hope that someone can help me with this issue.

I've set up Squid as a transparent proxy and I would like to cache
Windows Update in order to gain bandwidth. I followed the related page
on the wiki step by step, but every time I try to download the Windows
updates from the settings page I get the message that, because of the
internet connection, the download of the updates is not possible.

I would like to say that I'm able to cache everything else that comes
from the Win machine; it is just with Windows Update that I get this problem.

I'm running Squid-3.5.27 on Ubuntu Server 16.04 LTS and the Win machine
is on a VM bridged with a Debian client that is cached by Squid.

My config file is attached.

Best,

Davide

-------------- next part --------------
# HTTP Rules
http_port 3128
http_port 192.168.21.111:3129 intercept
https_port 192.168.21.111:13130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myROOTCA.pem


# ACL Rules 
acl localnet src 192.168.7.112          	# RFC1918 internal network
acl localnet src fe80::a2ce:c8ff:fe1e:bfb8	# RFC1918  internal network
acl localwin src 10.0.2.15                      # Win VM
acl localhost src 127.0.0.0/32                  # localhost

acl windowsupdate dstdomain windowsupdate.com
acl windowsupdate dstdomain microsoft.com
acl windowsupdate dstdomain windows.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain download.microsoft.com
acl windowsupdate dstdomain test.stats.update.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com

acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com
acl wuCONNECT dstdomain microsoft.com
acl wuCONNECT dstdomain windows.com
acl wuCONNECT dstdomain windowsupdate.microsoft.com
acl wuCONNECT dstdomain www.windowsupdate.com
acl wuCONNECT dstdomain download.windowsupdate.com
acl wuCONNECT dstdomain download.microsoft.com
acl wuCONNECT dstdomain www.download.windowsupdate.com
acl wuCONNECT dstdomain test.stats.update.microsoft.com
acl wuCONNECT dstdomain ntservicepack.microsoft.com

http_access allow CONNECT wuCONNECT localwin
http_access allow windowsupdate localwin

acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http

acl step1 at_step SslBump1
#
# HTTP_ACCESS RULES
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
http_access allow localnet
http_access allow localwin
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# CACHE MANAGER
visible_hostname 20150604-004.intern.modomoto.de

# SSL DIRECTIVES
ssl_bump peek step1
ssl_bump bump all
sslcrtd_program /lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 10
sslproxy_cert_error allow all

# Tag: minimum_object_size
# Object smaller than this size will NOT be saved on disk.
# Default:
# no limit

# Tag: maximum_object_size
# Set the default parameter for max-size on any cache_dir.
range_offset_limit 10 GB windowsupdate
maximum_object_size 10 GB
quick_abort_min -1
# range_offset_limit none

# Tag: cache_dir
# Directives about the storage system in use.
# Usage: cache_dir Storage_Format Directory Mbytes L1 L2.
# "ufs" (Unix File System) is Squid's default storage format.
# 'Mbytes' is the amount of disk space (MB) to use under this directory.
# 'L1' is the number of first-level subdirectories which will be created under the 'Directory'.
# 'L2' is the number of second-level subdirectories which will be created under each first-level directory.
cache_dir ufs /var/spool/squid 200000 16 256


# OPTION FOR TROUBLESHOOTING
# ----------------------------------------------------------------------------
#
# Tag: cache_log
# Squid administrative logging file.
# Default:
# cache_log /var/log/squid/cache.log

# Tag: coredump_dir
# Directory where Squid dumps core files.
coredump_dir /var/spool/squid

# MEMORY CACHE OPTIONS
# --------------------------------------------------------------------------------
# Tag: cache_mem
# Memory to use for caching very popular replies.
cache_mem 2 GB

# LOG OPTIONS
# --------------------------------------------------------------------------------
# Tag: logformat
# Logformat: client IP, client FQDN, client source port, local IP addr the client
# connected to, request URL from client, HTTP status code sent to the client
# logformat agix %>a %>A %>p %>la %>ul %>ru %>Hs

# Tag: access_log
# Configure whether and how Squid logs HTTP and ICP transactions.
access_log /var/log/squid/access.log    #agix

# OPTIONS FOR TUNING THE CACHE
# 
#
refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 4320  80% 43200 reload-into-ims
refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80%  43200 reload-into-ims
refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80%  43200 reload-into-ims
refresh_pattern ^ftp:		  1440	20%	10080 reload-into-ims
refresh_pattern ^gopher:          1440	20%	7200  reload-into-ims 
refresh_pattern -i (/cgi-bin/|\?) 1400	20%	7200  reload-into-ims
refresh_pattern .		  1400	20%	7200  reload-into-ims



# Tag: minimum_expiry_time  (seconds)
# The minimum caching time according to (Expires - Date) headers Squid
# honors if the object can't be revalidated.
# Default:
# minimum_expiry_time 60 seconds
minimum_expiry_time 600 seconds

# Tag: request_header_max_size  (KB)
# This specifies the maximum size for HTTP headers in a request.
# Request headers are usually relatively small (about 512 bytes).
# Placing a limit on the request header size will catch certain
# bugs (persistent connection) and possibly buffer-overflow
# or denial-of-service attacks.
# Default:
# request_header_max_size 64 KB

# Tag: reply_header_max_size  (KB)
# This specifies the maximum size for HTTP headers in a reply.
# Reply headers are usually relatively small (about 512 bytes).
# Placing a limit on the reply header size will catch certain
# bugs (persistent connection) and possibly buffer-overflow
# or denial-of-service attacks.
# Default:
# reply_header_max_size 64 KB

