[RndTbl] squid caching of Windblows Updates

Sean Cody sean at tinfoilhat.ca
Thu Apr 15 01:39:17 CDT 2010


In case one has some older versions of IE, sym-linking wpad.dat to wpad.da solves some of those corner cases.

Some versions of IE and XP (especially the freshly unpatched kind) have a bug in proxy detection where it doesn't calculate the size of the string properly and null-terminates it one character short which is why the last letter is chopped off of the end (bad coder, no cookie).

May not still be the case anymore but I remember back when we rolled out wpad it gave me a really big headache. :)

On 2010-04-15, at 1:30 AM, Trevor Cordes wrote:

> As discussed at the Apr meeting, here is my solution for having squid
> cache your Windblows (XP, mainly but should work for Vista/7) updates
> downloads.
> 
> I have just verified this is still working at all my customer sites by
> looking at the squid access logs and seeing HITs for the big CAB files
> from windowsupdate.com.  This confirms what I have always been seeing
> while manually doing updates.
> 
> The magic line you require in your squid.conf is:
> refresh_pattern http://www.download.windowsupdate.com/ 0 80% 525600 reload-into-ims
> (no wrapping on the above line)
> 
> If someone wants my entire squid.conf, let me know.  It's setup for a
> pretty common case where you want to squid all of your internal
> (192.168.*) computers.  The only other major thing is make sure you
> have a pretty big squid cache and max object size.  I recommend at
> least 3GB.  If you have tons of disk, make it 50G or something.  More
> never hurts.
> 
> I use:
> cache_swap_low 94
> cache_swap_high 97
> maximum_object_size 800000 KB
> 
> Which should nicely handle the Win Update case we're trying to achieve.
> 
> Now, to make it so you don't have to configure ANYTHING on a stock
> WinXP box to make it use squid:
> 
> Make a file on your web server's document root (ie: /var/www/html or
> similar) called wpad.dat.  Make it world readable.  Populate it thusly:
> 
> <? header("Content-type: application/x-ns-proxy-autoconfig"); ?>
> 
> function FindProxyForURL(url, host)
> {
>  if (   isPlainHostName(host)
>      || dnsDomainIs(host, "tecnopolis.ca")
>      || dnsDomainIs(host, "nocachingdomain.whatever")
>      || shExpMatch(host, "192.168.*")
>      || shExpMatch(url, "*windowsupdate.microsoft.com/*.js*")
>      || shExpMatch(url, "*windowsupdate.microsoft.com/*.asp*")
>     )
>     return "DIRECT";
> 
>  if (url.substring(0, 5) == "http:" ||
>      url.substring(0, 4) == "ftp:"  ||
>      url.substring(0, 7) == "gopher:")
>    return "PROXY 192.168.1.1:8080; DIRECT";
> 
>  return "DIRECT";
> }
> 
> Tweak the DIRECT domain/IP exclusions in the first if set.  Change the
> 192.168.1.1 to your squid server's IP.  Change the 8080 to whatever
> port you want to have squid listen to.  There's a more standard default
> port, but I use 8080 as that's what Shaw used when I signed up ages ago
> and it's easy to remember :-)
> 
> You also require some funky apache config to make it work:
> <VirtualHost *:80>
>  ServerName    wpad.tecnopolis.ca
>  ServerAlias   wpad
>  DocumentRoot  /var/www/html
>  Alias         /wpad.dat /var/www/html/wpad.dat
> </VirtualHost>
> 
> (may be a bit redundant, but I am editing my slightly more complex
> setup to be usable by others)
> 
> Note, wpad.dat only applies to IE (Internet Exploder).  To make
> Nutscrape-based browsers (Fireflax) work you need to make another identical
> file (hardlink?) called proxy.pac and do some more funky apache stuff:
> 
> <VirtualHost *:80>
>  ServerName    proxy.tecnopolis.ca
>  ServerAlias   proxy
>  DocumentRoot  /var/www/html
>  Alias         /wpad.dat /var/www/html/wpad.dat
>  Alias         / /var/www/html/proxy.pac
> </VirtualHost>
> 
> More redundancy, but trust me, getting this stuff to work is mystical
> voodoo so cover all your bases.
> 
> AND, obviously add proxy and wpad as CNAMEs in your DNS server's
> config!  They must resolve to your web server's IP.
> 
> Lastly, XP by default has the "autodetect proxy settings" enabled in
> IE, so you literally have to do nothing to have your entire network
> magically start using the proxy.  If it doesn't seem to be working,
> double-check that IE indeed has that option enabled (Tools,
> connections, lan settings).
> 
> Like I said, it's been 10 years since I set this up and last looked at
> it, so hopefully I'm not overlooking some important point.  It
> literally has worked all these years without tweaking on dozens of
> servers.  3 cheers for UN*X and its stability of configuration and
> migration!
> _______________________________________________
> Roundtable mailing list
> Roundtable at muug.mb.ca
> http://www.muug.mb.ca/mailman/listinfo/roundtable

-- 
Sean