[RndTbl] squid caching of Windblows Updates

Trevor Cordes trevor at tecnopolis.ca
Thu Apr 15 01:30:53 CDT 2010

As discussed at the Apr meeting, here is my solution for having squid
cache your Windblows (XP, mainly but should work for Vista/7) updates.

I have just verified this is still working at all my customer sites by
looking at the squid access logs and seeing HITs for the big CAB files
from windowsupdate.com.  This confirms what I have always been seeing
while manually doing updates.

The magic line you require in your squid.conf is:
refresh_pattern http://www.download.windowsupdate.com/ 0 80% 525600
(no wrapping on the above line)

If someone wants my entire squid.conf, let me know.  It's set up for a
pretty common case where you want to squid all of your internal
(192.168.*) computers.  The only other major thing is to make sure you
have a pretty big squid cache and max object size.  I recommend at
least 3GB.  If you have tons of disk, make it 50G or something.  More
never hurts.

I use:
cache_swap_low 94
cache_swap_high 97
maximum_object_size 800000 KB

Which should nicely handle the Win Update case we're trying to achieve.

Now, to make it so you don't have to configure ANYTHING on a stock
WinXP box to make it use squid:

Make a file on your web server's document root (ie: /var/www/html or
similar) called wpad.dat.  Make it world readable.  Populate it thusly:

<? header("Content-type: application/x-ns-proxy-autoconfig"); ?>

function FindProxyForURL(url, host)
{
  // Go direct for plain host names, the excluded domains, the LAN and
  // the Windows Update .js/.asp pages.
  if (	 isPlainHostName(host)
	|| dnsDomainIs	(host,"tecnopolis.ca")
	|| dnsDomainIs	(host,"nocachingdomain.whatever")
	|| shExpMatch	(host,"192.168.*")
	|| shExpMatch	(url ,"*windowsupdate.microsoft.com/*.js*")
	|| shExpMatch	(url ,"*windowsupdate.microsoft.com/*.asp*"))
     return "DIRECT";

  // Send http, ftp and gopher URLs to squid, falling back to direct.
  // SQUID_IP is a placeholder, not a real value.
  if (url.substring(0, 5) == "http:" ||
      url.substring(0, 4) == "ftp:"  ||
      url.substring(0, 7) == "gopher:")
    return "PROXY SQUID_IP:8080; DIRECT";

  return "DIRECT";
}

Tweak the DIRECT domain/IP exclusions in the first if set.  Change the
SQUID_IP to your squid server's IP.  Change the 8080 to whatever
port you want to have squid listen to.  There's a more standard default
port, but I use 8080 as that's what Shaw used when I signed up ages ago
and it's easy to remember :-)

You also require some funky apache config to make it work:
<VirtualHost *:80>
  ServerName    wpad.tecnopolis.ca
  ServerAlias   wpad
  DocumentRoot  /var/www/html
  Alias         /wpad.dat /var/www/html/wpad.dat
</VirtualHost>

(may be a bit redundant, but I am editing my slightly more complex
setup to be usable by others)

Note, wpad.dat only applies to IE (Internet Exploder).  To make
Nutscrape-based browsers (Fireflax) work you need to make another
identical file (hardlink?) called proxy.pac and do some more funky
apache stuff:

<VirtualHost *:80>
  ServerName    proxy.tecnopolis.ca
  ServerAlias   proxy
  DocumentRoot  /var/www/html
  Alias         /wpad.dat /var/www/html/wpad.dat
  Alias         / /var/www/html/proxy.pac
</VirtualHost>

More redundancy, but trust me, getting this stuff to work is mystical
voodoo so cover all your bases.

AND, obviously add proxy and wpad as CNAMEs in your DNS server's
config!  They must resolve to your web server's IP.

Lastly, XP by default has the "autodetect proxy settings" enabled in
IE, so you literally have to do nothing to have your entire network
magically start using the proxy.  If it doesn't seem to be working,
double-check that IE indeed has that option enabled (Tools,
connections, lan settings).

Like I said, it's been 10 years since I set this up and last looked at
it, so hopefully I'm not overlooking some important point.  It
literally has worked all these years without tweaking on dozens of
servers.  3 cheers for UN*X and its stability of configuration and

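
The access-log check described at the top of the post (HITs for the big CAB files from windowsupdate.com) can be scripted. The following is an added example, not part of the original post: it assumes squid's default native access.log format, and the sample log lines, file names and IP addresses are constructed.

```python
"""Summarise squid cache results for Windows Update downloads (added example)."""
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in squid's native access.log format:
# time elapsed client result/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1271312401.101   9120 192.168.1.20 TCP_MISS/200 52428800 GET http://www.download.windowsupdate.com/msdownload/update/sample-a.cab - DIRECT/198.51.100.7 application/octet-stream
1271312950.442    310 192.168.1.21 TCP_HIT/200 52428800 GET http://www.download.windowsupdate.com/msdownload/update/sample-a.cab - NONE/- application/octet-stream
1271313020.007    295 192.168.1.22 TCP_HIT/200 52428800 GET http://www.download.windowsupdate.com/msdownload/update/sample-a.cab - NONE/- application/octet-stream
1271313100.900     12 192.168.1.22 TCP_MISS/200 2048 GET http://www.example.com/index.html - DIRECT/203.0.113.9 text/html
this line is truncated
"""


def summarise(log_text, domain="windowsupdate.com"):
    """Return (result-code counts, byte hit ratio) for requests to `domain`."""
    results, hit_bytes, total_bytes = Counter(), 0, 0
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip truncated or malformed lines
        try:
            size = int(fields[4])
            host = urlsplit(fields[6]).hostname or ""
        except ValueError:
            continue  # non-numeric size or unparsable URL
        if not (host == domain or host.endswith("." + domain)):
            continue  # only count the update servers
        result = fields[3].split("/")[0]  # e.g. TCP_HIT from TCP_HIT/200
        results[result] += 1
        total_bytes += size
        if "HIT" in result:  # TCP_HIT, TCP_MEM_HIT, TCP_REFRESH_HIT, ...
            hit_bytes += size
    ratio = hit_bytes / total_bytes if total_bytes else 0.0
    return dict(results), ratio


if __name__ == "__main__":
    counts, ratio = summarise(SAMPLE_LOG)
    print(counts, f"byte hit ratio {ratio:.0%}")
```

To run it against a real server, pass the contents of the squid access log to summarise() in place of SAMPLE_LOG.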