Re: how to force windows update to cache all updates

Hubert Choma wrote:
Hello

My squid ver. 2.6 stable Centos 2.6.18-164.el5 .

I'm using the configuration of the WU from the example http://wiki.squid-cache.org/SquidFaq/WindowsUpdate

I would like to force squid to cache all windows update (version V6) files, e.g. .cab, .exe and 700MB ISO files.

I have noticed that Windows Media Player does not update via squid. WU generates error 0x8024402F.

I would like to set up squid to cache maximum web content, antivirus updates and WU.

Where can I find an example of how to cache dynamic pages?

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?

By deleting the above, and the lines which make use of QUERY, they begin to cache.

Also see my notes in your refresh_pattern config below....

Please correct my config

windowsupdate.txt
.go.microsoft.com
.windowsupdate.microsoft.com
.update.microsoft.com
.update.microsoft.com/windowsupdate/v7/default.aspx
download.windowsupdate.com
.download.microsoft.com
ntservicepack.microsoft.com
activex.microsoft.com
redir.metaservices.microsoft.com
images.metaservices.microsoft.com
c.microsoft.com
crl.microsoft.com
codecs.microsoft.com
urs.microsoft.com
wustat.windows.com


squid.conf


http_port 192.168.0.12:8080
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 650 MB
maximum_object_size 4194240 KB
cache_dir ufs /var/spool/squid 6500 16 256
#logformat squid %tl %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A &mt
access_log /var/log/squid/access.log squid
mime_table /etc/squid/mime.conf
refresh_pattern ^ftp: 1440 20% 10080

Right here between the FTP default handling and the general traffic default handling (.) you need to add this:

  refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

to properly prevent evil dynamic content from sticking around longer than it should (i.e. if it's not giving cache-control and/or expiry, drop it. If it is, okay then).

refresh_pattern . 0 20% 4320

Hmm. "." matches every URL. Squid stops processing refresh_pattern at the first matching pattern.

--> point: no refresh_pattern below here will ever be used.

refresh_pattern -i \.(gif|jpg|jpeg|png|js|css|flv|bmp|) 0 50% 7200 reload-into-ims

Ahm...
refresh_pattern -i \.(gif|jpg|jpeg|png|js|css|flv|bmp|)(\?.*)?$ 0 50% 7200

refresh_pattern update.microsoft.com/windowsupdate/v6/.*\.(cab|exe|dll) 43200 100% 43200 reload-into-ims
refresh_pattern windowsupdate.com/.*\.(cab|exe|dll) 43200 100% 43200 reload-into-ims
refresh_pattern windowsupdate.microsoft.com/.*\.(cab|exe|dll) 43200 100% 43200 reload-into-ims
refresh_pattern download.microsoft.com/.*\.(cab|exe|dll) 43200 100% 43200 reload-into-ims
refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|dll) 43200 100% 43200 reload-into-ims
refresh_pattern symantecliveupdate.com/.*\.(zip|exe) 43200 100% 43200 reload-into-ims
refresh_pattern windowsupdate.com/.*\.(cab|exe) 43200 100% 43200 reload-into-ims
refresh_pattern download.microsoft.com/.*\.(cab|exe) 43200 100% 43200 reload-into-ims
refresh_pattern avast.com/.*\.(vpu|vpaa) 4320 100% 43200 reload-into-ims
refresh_pattern . 0 20% 4320

Aha! The dot pattern did get copied down (or cut-n-pasted from the wiki?).

range_offset_limit -1 KB
## MOJE ACL #####
acl mojasiec src 192.168.0.0/255.255.255.0

That's 192.168.0.0/24.

acl dozwolone dstdomain -i "/etc/squid/dozwolone.txt"
acl ograniczone_komputery src 192.168.0.3 192.168.0.6 192.168.0.17 192.168.0.12 192.168.0.15 192.168.0.16
acl poczta dstdom_regex .*poczta.* .*mail.*

Hmm. You can drop the .* at the beginning and end of squid patterns. They are added automatically.

#acl sm9 src 192.168.0.3
#http_access allow sm9
acl WindowsUpdate dstdomain -i "/etc/squid/windowsupdate.txt"
acl CONNECT method CONNECT
http_access allow dozwolone ograniczone_komputery !poczta
http_access allow  CONNECT WindowsUpdate mojasiec
http_access allow WindowsUpdate mojasiec

A bunch of download sites which are allowed regardless of any other http_access security. Open WU proxy! yay.

Your Internet connection does not get NAT'd to something inside 192.168.0.0/24 ... right?


acl javascript rep_mime_type -i ^application/x-javascript$
http_access allow javascript

http_access _request_ test allowed if _reply_ contains... WTF?

acl all src 0.0.0.0/0.0.0.0
acl hubert proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl Safe_ports port 8080
acl CONNECT method CONNECT
http_access allow hubert localhost
http_access deny hubert
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
cache_mgr hubert.ch@xxxxx
visible_hostname proliant
log_icp_queries off
cachemgr_passwd mojehasło all

Um. Bugger. You may want to change that password now.
I know you have it locked down so only localhost can request the mgr: protocol, but still...


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE21
  Current Beta Squid 3.1.0.15
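
Added example (not part of the original thread, and not Squid code): a Python check of the first-match point made in the reply about refresh_pattern order. It assumes Python's re module as a stand-in for Squid's regex library; the sample URL and the names POSTED, REORDERED, winning_rule and unreachable are constructed for illustration.

```python
import re

# Constructed samples: refresh_pattern order as posted (abridged), then the
# order the reply recommends (specific rules first, catch-all "." last).
POSTED = r"""refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern . 0 20% 4320
refresh_pattern -i \.(gif|jpg|jpeg|png|js|css|flv|bmp|) 0 50% 7200 reload-into-ims
refresh_pattern windowsupdate.com/.*\.(cab|exe|dll) 43200 100% 43200 reload-into-ims
refresh_pattern . 0 20% 4320"""

REORDERED = r"""refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern windowsupdate.com/.*\.(cab|exe|dll) 43200 100% 43200 reload-into-ims
refresh_pattern . 0 20% 4320"""

CATCH_ALL = {".", ".*", "^", "^.*"}  # regexes that match any URL


def parse_refresh_patterns(conf):
    """Return [(lineno, raw_regex, compiled)] in configuration order."""
    rules = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        tok = line.split()
        if len(tok) < 5 or tok[0] != "refresh_pattern":
            continue  # blank lines, comments, other directives
        flags = 0
        if tok[1] == "-i":  # case-insensitive option precedes the regex
            flags, tok = re.IGNORECASE, tok[:1] + tok[2:]
        rules.append((lineno, tok[1], re.compile(tok[1], flags)))
    return rules


def winning_rule(conf, url):
    """First-match semantics: the earliest matching pattern decides."""
    for lineno, raw, rx in parse_refresh_patterns(conf):
        if rx.search(url):
            return lineno, raw
    return None


def unreachable(conf):
    """Line numbers of refresh_pattern rules placed after a catch-all."""
    rules = parse_refresh_patterns(conf)
    for i, (_, raw, _rx) in enumerate(rules):
        if raw in CATCH_ALL:
            return [ln for ln, _, _ in rules[i + 1:]]
    return []


CAB = "http://download.windowsupdate.com/constructed/path/update.cab"  # constructed URL
if __name__ == "__main__":
    print(winning_rule(POSTED, CAB), unreachable(POSTED))
    print(winning_rule(REORDERED, CAB), unreachable(REORDERED))
```

With the posted order the .cab URL is decided by the catch-all on line 2 and every later rule is dead; with the catch-all moved last, the windowsupdate.com rule is the one that applies.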
