Centos Squid Proxy Server for Windows Updates

I'm running Centos 7 as my OS and have installed squid to cache windows updates for my company.

Going through the log file, it shows that everything is tcp_miss, including when it's accessing the windows update servers.

I'm wanting my squid install to only cache windows updates. Anyone have any ideas what's happening and why it's not caching windows updates?

Here is an extract of the access.log file:

1432161438.306 109488 192.168.5.163 TCP_MISS/200 4739 CONNECT exchange.heffron-it.com.au:443 - HIER_DIRECT/10.50.10.48 -
1432161441.375 110041 192.168.5.163 TCP_MISS/200 77216 CONNECT exchange.heffron-it.com.au:443 - HIER_DIRECT/10.50.10.48 -
1432161462.843    642 192.168.5.163 TCP_MISS/200 528 GET http://csm90-en.url.trendmicro.com/T/344/eqO8qdreMFHVsZPQHJe0cJKbush61hKMNSLH-GHMhZNC0gyHuu0CiOxud1YD3SlseyJzwmgic9qMFKrJvi2iP_ZVPlXHsmBt-a8QqO6MKTbQ5melaEY1Atd9fYSAYQRQgrChDZuAfCvHu2U5ddX40KEKuZF8YPclvhCb0giJpRgy7jPMiOyYA_wMJVDfGp5sGSbAVFEYRdJAR3hykIDkCPXPsQluymS-Y3axrSHHJzYG1b_F8GB04cbdakDlGZSBxwyHXbwiLzjcYfQ7K1ASldegziZO9ZUfRcZh1ce6txSK6qOZiDy45zaEUg63wIEEEM__EWcaJQmYIXIVS69vwQ== - HIER_DIRECT/104.72.70.19 text/html
1432161464.121      7 192.168.5.163 TCP_MISS/200 528 GET http://csm90-en.url.trendmicro.com/T/88/eqO8qdreMFHVsZPQHJe0cKMe63vDoh5niNui_qK5WZVN6azyvqm3qkTNA4CeLlgfBLjs_woCLvmIDOVQwkWfzQ== - HIER_DIRECT/104.72.70.19 text/html
1432161475.490   1793 192.168.5.163 TCP_MISS/200 6947 CONNECT www.windowssearch.com:443 - HIER_DIRECT/204.79.197.200 -
1432161475.892    399 192.168.5.163 TCP_MISS/200 5545 CONNECT www.windowssearch.com:443 - HIER_DIRECT/204.79.197.200 -
1432161487.787   1383 192.168.5.163 TCP_MISS/200 3074 CONNECT ieonlinews.microsoft.com:443 - HIER_DIRECT/131.253.34.240 -
1432161539.434  63609 192.168.5.163 TCP_MISS/200 8498 CONNECT www.windowssearch.com:443 - HIER_DIRECT/204.79.197.200 -
1432161578.224    235 192.168.5.206 TCP_MISS/200 839 GET http://wfbs900-en.census.trendmicro.com/CENSUS/192/628a34bf49944a0519fedb6d65cafaf0399b98e5d08e025bf6a03eddead1cef7af0edf488fd174e494ae518835ff9da21915bbe7aa372ec1c81e135a6361da635d174ae8fe5adb5f5d174ae8fe5adb5f5d174ae8fe5adb5ffd3c35acca94bf90 - HIER_DIRECT/104.72.70.19 text/html
1432161578.559      6 192.168.5.206 TCP_MISS/200 839 GET http://wfbs900-en.census.trendmicro.com/CENSUS/192/628a34bf49944a0519fedb6d65cafaf09a839741bab62522e6bf975b8a4f628051bd7ab79e147e846b4fa2b6ca99524eb805125d90361b4738af1be64789a8e65d174ae8fe5adb5f5d174ae8fe5adb5f5d174ae8fe5adb5ffd3c35acca94bf90 - HIER_DIRECT/104.72.70.19 text/html
1432161600.474    331 192.168.5.206 TCP_MISS/200 626 GET http://csm90-en.url.trendmicro.com/T/364/Q6aqjhhr3YQMpi9B-doTwi4FWHDaRESyTNq3zZ_1sX_X-hiFqggD7pEESKNYWwTGUOzuehXAiA3LwMcj4ro0WYN6zsxLXe4g-DX2HZ9dHAz7iA-

Here is my current squid.conf file:

acl localnet src 172.16.0.0/12  # RFC1918 possible internal network

acl localnet src fc00::/7       # RFC 4193 local private network range

acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl localnet src corp.heffron-it.com.au



acl SSL_ports port 443

acl Safe_ports port 80      # http

acl Safe_ports port 21      # ftp

acl Safe_ports port 443     # https

acl Safe_ports port 70      # gopher

acl Safe_ports port 210     # wais

acl Safe_ports port 1025-65535  # unregistered ports

acl Safe_ports port 280     # http-mgmt

acl Safe_ports port 488     # gss-http

acl Safe_ports port 591     # filemaker

acl Safe_ports port 777     # multiling http

acl CONNECT method CONNECT



acl all src all

acl windowsupdate dstdomain windowsupdate.microsoft.com

acl windowsupdate dstdomain au.download.windowsupdate.com

acl windowsupdate dstdomain .update.microsoft.com

acl windowsupdate dstdomain download.windowsupdate.com

acl windowsupdate dstdomain redir.metaservices.microsoft.com

acl windowsupdate dstdomain images.metaservices.microsoft.com

acl windowsupdate dstdomain c.microsoft.com

acl windowsupdate dstdomain www.download.windowsupdate.com

acl windowsupdate dstdomain wustat.windows.com

acl windowsupdate dstdomain crl.microsoft.com

acl windowsupdate dstdomain sls.microsoft.com

acl windowsupdate dstdomain productactivation.one.microsoft.com

acl windowsupdate dstdomain ntservicepack.microsoft.com



acl wuCONNECT dstdomain www.update.microsoft.com

acl wuCONNECT dstdomain sls.microsoft.com

acl wuCONNECT dstdomain wpa.one.microsoft.com



http_access allow CONNECT wuCONNECT localnet

http_access allow CONNECT wuCONNECT localhost

http_access allow windowsupdate localnet

http_access allow windowsupdate localhost



cache_effective_user squid



http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports



http_access allow localhost manager
http_access deny manager



http_access allow localnet

http_access allow localhost



http_access allow WindowsUpdate


http_access allow CONNECT wuCONNECT localnet

http_access allow windowsupdate localnet



request_header_access Allow allow all

request_header_access Authorization allow all

request_header_access WWW-Authenticate allow all

request_header_access Proxy-Authorization allow all

request_header_access Proxy-Authenticate allow all

request_header_access Cache-Control allow all

request_header_access Content-Encoding allow all

request_header_access Content-Length allow all

request_header_access Content-Type allow all

request_header_access Date allow all

request_header_access Expires allow all

request_header_access Host allow all

request_header_access If-Modified-Since allow all

request_header_access Last-Modified allow all

request_header_access Location allow all

request_header_access Pragma allow all

request_header_access Accept allow all

request_header_access Accept-Charset allow all

request_header_access Accept-Encoding allow all

request_header_access Accept-Language allow all

request_header_access Content-Language allow all

request_header_access Mime-Version allow all

request_header_access Retry-After allow all

request_header_access Title allow all

request_header_access Connection allow all

request_header_access Proxy-Connection allow all

request_header_access User-Agent allow all

request_header_access Cookie allow all

request_header_access All deny all



refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims



refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims



refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims



http_access deny all


http_port 3128

cache_dir ufs /home/Cache/squid 102400 16 256





coredump_dir /home/Cache/squid

via off

forwarded_for off





refresh_pattern ^ftp:       1440    20% 10080

refresh_pattern ^gopher:    1440    0%  1440

refresh_pattern -i (/cgi-bin/|\?) 0 0%  0

refresh_pattern .       0   20% 4320

Best Answer

Based on what you already have in your config file, I'm guessing you already found this Squid FAQ about Windows Updates: http://wiki.squid-cache.org/SquidFaq/WindowsUpdate

I'd suggest specifying the following caching options to make sure larger objects can be cached. maximum_object_size needs to be large enough to allow for the largest update file. 32GB should allow for even the largest service pack, or even any ISO files you may want cached.

cache_mem 512 MB
minimum_object_size 0
maximum_object_size 32768 MB
maximum_object_size_in_memory 16384 KB
range_offset_limit 32768 MB windowsupdate
quick_abort_min -1

If that doesn't help, you may also want to investigate the following additional options to your refresh_pattern lines (in addition to reload-into-ims):

ignore-no-cache
ignore-no-store
ignore-private
override-expire
override-lastmod
ignore-reload

For example, I use a line like this to cache all doc or pdf files:

refresh_pattern -i \.(doc|pdf)$ 4320 80% 86400 ignore-no-cache ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-reload

Best Answer

Related Solutions

Ubuntu 9.10 and Squid 2.7 Transparent Proxy TCP_DENIED

VPN client blocked through squid server

Related Topic