Re: Windows updates please help

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

Hubert Choma wrote:
>  Hello
> > > > My squid ver. 2.6 stable Centos 2.6.18-164.el5 .
> > > >
> > > > I'm using the configuration of the WU from the example
> > > > http://wiki.squid-cache.org/SquidFaq/WindowsUpdate
> > > >
> > > > I would like to force squid to cache all windows update (version V6)
> > > > files e.g .cab .exe and 700MB ISO files
> > > >
> > > > I am noticed that windows media player does not update via squid. WU
> > > > generates error 0x8024402F.
> > > >
> > > > I would like to setup squid cache maximum web content, antivirus updates
> > > > and WU.
> > > >
> > > > Where can I find example how to cache dynamic pages ?
> > > >
> > > > hierarchy_stoplist cgi-bin ?
> > > > acl QUERY urlpath_regex cgi-bin \?
> > > By deleting the above. And the lines which make use of QUERY they begin
> > > to cache.
>
>  I understand that I must hash these lines. Is that you meant ?
>  
> # hierarchy_stoplist cgi-bin ?
> # acl QUERY urlpath_regex cgi-bin \?
> # cache deny QUERY
>
> Thaht's correct ?


<snip>
> > > > mime_table /etc/squid/mime.conf
> > > > refresh_pattern ^ftp: 1440 20% 10080
> > > Right here between the FTP default handling and the general traffic
> > > default handing (.) you need to add this:
> > >
> > > refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> > >
> > > to properly prevent evil dynamic content from sticking around longer
> > > than it should (ie if its not giving cache-control and/or expiry, drop
> > > it. if it is okay then).
> > >
> > > > refresh_pattern . 0 20% 4320
>  You mean like this ??
>
> > refresh_pattern ^ftp: 1440 20% 10080
> > refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> > refresh_pattern . 0 20% 4320
> >
> > "ie if its not giving cache-control and/or expiry, drop
> > > it."
>
>  What to drop ?

Nevermind. My small attempt to educate you what the config means seems 
to have failed.

> > > Hmm. "." matches every URL. Squid stops processing refresh_pattern at
> > > the first matching pattern.
> > >
> > > --> point: no refresh_pattern below here will ever be used.
> > "point: no refresh_pattern below here will ever be used."
> So what to do with this ?

Only you know what the proxy needs to be doing. Nobody can answer that 
question for you.

I do not know what or why you wrote the refresh_pattern lines the way 
they were. All I can do is tell you what they are doing because they are 
obviously not doing what you want, whatever that is.


> What makes "." ??

  refresh_pattern . 0 20% 4320

> Remove first line and leave
>  yours ? I didn't understand.

"." aka "refresh_pattern ."  aka  "refresh_pattern -i ." are all the 
'dot' pattern.

Like I said earlier, the "." pattern matches every URL that exists. 
Squid will stop processing the refresh_pattern list at the first 
matching pattern.

Those two facts together mean that the dot "." pattern is _always_ the 
last refresh_pattern Squid will use. Even if you happen to put others 
below it. The ones below it will never be used.

Understand now?

> refresh_pattern -i \.(gif|jpg|jpeg|png|js|css|flv|bmp|)(\?.*)?$ 0 50% 
> 7200 what with reload-into-ims ?

I just left it off. No special reason. My point was to demonstrate the 
tricky (\?.*)?$  bit at the end of the pattern. It's needed to catch 
nasty websites obfuscating their URLs.

I don't like reload-into-ims. It prevents the users, who are the 
authoritative peoples able to actually see and know when the page is 
displaying badly from refreshing the objects and causing the page to 
display properly.

Sadly some broken software sends the reload at bad times, causing 
bandwidth waste but no actual problems. So its up to you.


> > > > refresh_pattern -i \.(gif|jpg|jpeg|png|js|css|flv|bmp|) 0 50% 7200
> > > > reload-into-ims
> > > Ahm...
> > > refresh_pattern -i \.(gif|jpg|jpeg|png|js|css|flv|bmp|)(\?.*)?$ 0
> > > 50% 7200
> > >
> > > > refresh_pattern update.microsoft.com/windowsupdate/v6/.*\.(cab|exe|dll)
> > > > 43200 100% 43200 reload-into-ims
> > > > refresh_pattern windowsupdate.com/.*\.(cab|exe|dll) 43200 100% 43200
> > > > reload-into-ims
> > > > refresh_pattern windowsupdate.microsoft.com/.*\.(cab|exe|dll) 43200 100%
> > > > 43200 reload-into-ims
> > > > refresh_pattern download.microsoft.com/.*\.(cab|exe|dll) 43200 100%
> > > > 43200 reload-into-ims
> > > > refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe|dll) 43200
> > > > 100% 43200 reload-into-ims
> > > > refresh_pattern symantecliveupdate.com/.*\.(zip|exe) 43200 100% 43200
> > > > reload-into-ims
> > > > refresh_pattern windowsupdate.com/.*\.(cab|exe) 43200 100% 43200
> > > > reload-into-ims
> > > > refresh_pattern download.microsoft.com/.*\.(cab|exe) 43200 100% 43200
> > > > reload-into-ims
> > > > refresh_pattern avast.com/.*\.(vpu|vpaa) 4320 100% 43200 reload-into-ims
> > > > refresh_pattern . 0 20% 4320
> > > Aha!. The dot pattern did get copied down. (or cut-n-pasted from the
> > > wiki?)
>
> On Wiki I cant' find this patterns where are they ?

An old example config for media content. I removed the lines from the 
wiki a while back but people still appear sometimes with errors 
cut-n-paste'd from the old examples.

> > > > range_offset_limit -1 KB
> > > > ## MOJE ACL #####
> > > > acl mojasiec src 192.168.0.0/255.255.255.0
> > > thats 192.168.0.0/24.
> > >
> > > > acl dozwolone dstdomain -i "/etc/squid/dozwolone.txt"
> > > > acl ograniczone_komputery src 192.168.0.3 192.168.0.6 192.168.0.17
> > > > 192.168.0.12 192.168.0.15 192.168.0.16
> > > > acl poczta dstdom_regex .*poczta.* .*mail.*
> > > Hmm. you can drop the .* at beginning and end of squid patterns. They
> > > are added automatically.
>  No !!
> without * eg. poczta.* .mail.* users can go on wembail and I would like
>  to denied webmail ! So * are necessary .*mail.* !!

The text "webmail" is matched by the pattern " .*mail "

In regex patterns . and .* is special code meaning "any letters or 
numbers or symbols may go here".

The only difference is that with . there is a minimum of 1 symbol. with 
.* there is a minimum of zero

<snip>
>  
> Squid (192.168.0.12) is behind NAT router redirect traffic to 80.
> Now I change my net topology and would like to set squid as a
> transparent proxy ( 2 NIC's with iptables redirect 80->8080
>  1) 192.168.0.12/24 (NIc From router)
>  2) 192.168.0.13/24 (NiC to LAN)
>
>  So I use squid for LAN users to accelerate HTTP trafic .
>
>  acl javascript rep_mime_type -i ^application/x-javascript$
>  http_access allow javascript
>
> What is it ?? I don't understand ? (line below )
>  http_access _request_ test allowed if _reply_ contains... WTF?


The "rep_" bit at the start of the ACL type label means *reply*.

It can only be used inside *_access rules which handle reply response 
data. Such as http_reply_access.

http_access handles _only_ the data available during a request. The 
reply data is empty at that point.

The configuration lines:
  acl javascript rep_mime_type -i ^application/x-javascript$
  http_access allow javascript

... are telling Squid to permit a clients requests to happen if the data 
that is going to arrive some unknown time in the future contains a 
certain text string "application/x-javascript" for the mime type header.

Squid will ignore the entire lot.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE23
  Current Beta Squid 3.1.0.16