SQUID caching Windows Updates - SP1 Windows7 question/problem



  • Hi,

    I am using this in my squid config to cache updates:

    refresh_pattern -i .*avg\.com/.*\.(bin) 4320 100% 43200 reload-into-ims;
    refresh_pattern -i .*spywareblaster\.net/.*\.(dtb) 4320 100% 4320 reload-into-ims;
    refresh_pattern -i .*symantecliveupdate\.com/.*\.(zip|exe) 43200 100% 43200 reload-into-ims;
    refresh_pattern -i .*avast\.com/.*\.(vpu|vpaa) 4320 100% 43200 reload-into-ims;
    refresh_pattern -i .*adobe\.com/.*\.(exe|msi) 4320 100% 43200 reload-into-ims;
    refresh_pattern -i .*apple\.com/.*\.(pkg|dmg) 8640 100% 86400 reload-into-ims;
    refresh_pattern -i .*microsoft\.com/.*\.(cab|exe|msi|msp) 8640 100% 86400 reload-into-ims;
    refresh_pattern -i .*windowsupdate\.com/.*\.(cab|exe|msi|msp) 8640 100% 86400 reload-into-ims;
    refresh_pattern -i .*ubuntu\.com/.*\.(tar|bz|bz2|gpg|gz|zip|deb) 8640 100% 86400 reload-into-ims;
    refresh_pattern -i .*kaspersky\.com/.*\.(.*)  1440 100% 1440 reload-into-ims;
    refresh_pattern -i .*kaspersky-labs\.com/.*\.(.*)  1400 100% 1440 reload-into-ims;
    refresh_pattern -i .*update\.nai\.com/.*\.(.*)  1440 100% 1440 reload-into-ims;
    range_offset_limit -1;
    refresh_pattern ^ftp: 1440 20% 10080;
    refresh_pattern ^gopher: 1440 0% 1440;
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0;
    refresh_pattern . 0 20% 4320;
    

    But I noticed problems with Windows 7 and Service Pack 1.
    I am not sure at all, but it seems that the size of SP1 varies from system to system and that the previously installed updates are relevant for the size.

    The maximum file cachesize is 512000 ~512MB.

    What I saw is that the download process on the client which is installing SP1 is very, very slow, and in the pfSense traffic graph there is no file transfer to the client, but the squid proxy is downloading for a very long time.

    Does someone else have this problem, or is it only my configuration?
    Is there a possibility to exclude ONLY Windows 7 updates?
    Windows XP works fine, but with Windows 7 it takes more time than without squid caching the updates.



  • I know this topic is old, but I'm having the same problems, someone went through it, even the computer off while the download continues


  • Banned

    Yes, of course… it's a proxy! A temp. cache for any downloads.....



  • Hi,
    Not sure if anyone is interested, but I modified my squid entries a little bit - visual and content:

    #;
    #;
    # Operating system updates;
    # Retention: 90 days;
    refresh_pattern -i .*apple\.com/.*\.(pkg|dmg) 129600 100% 129600 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private;
    refresh_pattern -i .*microsoft\.com/.*\.(cab|exe|msi|msp) 129600 100% 129600 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private;
    refresh_pattern -i .*windowsupdate\.com/.*\.(cab|exe|msi|msp) 129600 100% 129600 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private;
    refresh_pattern -i .*ubuntu\.com/.*\.(tar|bz|bz2|gpg|gz|zip|deb) 129600 100% 129600 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private;
    #;
    # Adobe and Pinnacle updates;
    # Retention: 90 days;
    refresh_pattern -i .*adobe\.com/.*\.(exe|msi) 129600 100% 129600 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private;
    refresh_pattern -i .*pinnaclesys\.com/.*\.(cab|exe|msi|rar|zip) 129600 100% 129600 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private;
    #;
    # Images, documents, videos, audio;
    # Retention: 7 days;
    refresh_pattern -i /.*\.(jpg|bmp|tif|gif|png|tiff|jpeg|raw|pict|psd) 10080 100% 10080 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private;
    refresh_pattern -i /.*\.(doc|docx|xls|xlsx|ppt|pptx|pdf|dot|txt) 10080 100% 10080 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private;
    refresh_pattern -i /.*\.(iso|wmv|mov|rm|avi|wav|mp3|mp4|mpeg|mpg|divx|xvid|swf|flv|x-flv) 10080 100% 10080 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private;
    #;
    # Antivirus updates;
    # Retention: 1 day;
    refresh_pattern -i .*symantecliveupdate\.com/.*\.(zip|exe) 1440 100% 1440 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private;
    refresh_pattern -i .*avast\.com/.*\.(vpu|vpaa) 1440 100% 1440 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private;
    # refresh_pattern -i .*kaspersky\.com/.*\.(.*) 1440 100% 1440 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private;
    # refresh_pattern -i .*kaspersky-labs\.com/.*\.(.*) 1440 100% 1440 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private;
    refresh_pattern -i .*update\.nai\.com/.*\.(.*) 1440 100% 1440 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private;
    refresh_pattern -i .*avg\.com/.*\.(bin) 1440 100% 1440 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private;
    refresh_pattern -i .*spywareblaster\.net/.*\.(dtb) 1440 100% 1440 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private;
    #;
    # Forces download of the complete file rather than only part of it;
    range_offset_limit -1;
    #;
    # Squid default entries;
    refresh_pattern -i ^ftp: 1440 20% 10080;
    refresh_pattern -i ^gopher: 1440 0% 1440;
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0;
    refresh_pattern -i . 0 20% 4320;
    #;
    # Squid stops the download when the client aborts it or has left the website;
    quick_abort_min 0 KB;
    quick_abort_max 0 KB;
    quick_abort_pct 100;
    #;
    # Lowers the timer for DNS resolution
    negative_ttl 5 second;
    negative_dns_ttl 5 second;
    
    

    What I tried to fix the problem, that squid is downloading files even if a user is stopping the connection, is this:

    # Squid stops the download when the client aborts it or has left the website;
    quick_abort_min 0 KB;
    quick_abort_max 0 KB;
    quick_abort_pct 100;
    #;
    # Lowers the timer for DNS resolution
    negative_ttl 5 second;
    negative_dns_ttl 5 second;
    

    At first I thought it would help but in the last few weeks I had the problem again.
    My interface statistics show me 12GB in but only 4GB out to LAN clients. This means that it caches 8GB and no one is using these files.

    I think that "range_offset_limit -1;" is causing this problem, but I do not see another solution to cache Windows updates with squid. But I have to think about whether it makes sense to cache 8GB of overhead within less than a week or not. Perhaps the ratio will get better if squid is running for weeks or months.
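
An added example, not part of the post above: a small audit of the posted `refresh_pattern` lines. It flags patterns that carry cache-control overrides such as `ignore-private` without naming an update host, because those rules let Squid store responses the origin marked `Cache-Control: private` (documents, images) and serve them to other clients. The host heuristic, the function names and the sample subset are assumptions of this example.

```python
import re

# refresh_pattern options that make Squid disregard origin cache controls.
RISKY = {"ignore-private", "ignore-no-cache", "ignore-no-store",
         "override-expire", "override-lastmod", "ignore-reload"}
# Heuristic (assumption): a pattern is host-scoped if it names "label\.tld/".
HOST_RE = re.compile(r"[a-z0-9-]+\\\.[a-z]{2,}/", re.I)

# Subset of lines copied from the post above, pfSense ';' terminators included.
SAMPLE = r"""
# Operating system updates;
refresh_pattern -i .*windowsupdate\.com/.*\.(cab|exe|msi|msp) 129600 100% 129600 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private;
refresh_pattern -i /.*\.(doc|docx|xls|xlsx|ppt|pptx|pdf|dot|txt) 10080 100% 10080 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private;
# refresh_pattern -i .*kaspersky\.com/.*\.(.*) 1440 100% 1440 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private;
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0;
refresh_pattern -i . 0 20% 4320;
"""

def parse_refresh_patterns(text):
    """Yield (regex, min, percent, max, options) for each active rule."""
    for raw in text.splitlines():
        line = raw.strip().rstrip(";").strip()
        if not line.startswith("refresh_pattern"):
            continue  # comments, commented-out rules, other directives
        parts = line.split()[1:]
        if parts and parts[0] == "-i":
            parts = parts[1:]
        if len(parts) < 4:
            continue  # malformed rule, nothing to audit
        regex, mn, pct, mx, *opts = parts
        yield regex, int(mn), int(pct.rstrip("%")), int(mx), set(opts)

def audit(text):
    """Return (regex, risky options) for rules that override cache
    controls without being tied to a specific host."""
    findings = []
    for regex, _mn, _pct, _mx, opts in parse_refresh_patterns(text):
        risky = sorted(opts & RISKY)
        if risky and not HOST_RE.search(regex):
            findings.append((regex, risky))
    return findings

if __name__ == "__main__":
    for regex, risky in audit(SAMPLE):
        print(f"broad pattern {regex!r} uses: {', '.join(risky)}")
```

Host-scoped update rules pass the audit; the extension-only rules for documents, images and media are the ones it reports.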



  • Install windows update services.  It's free and easy to use.  I use this not just to force updates on the users, but to knock down traffic.  I tried squid, but it made no sense to me to cache it in there.



  • @tester_02:

    Install windows update services.  It's free and easy to use.  I use this not just to force updates on the users, but to knock down traffic.   I tried squid, but it made no sense to me to cache it in there.

    You mean WSUS ?
    As far as I know this works only on Windows SERVER machines, right ?


  • Rebel Alliance Developer Netgate

    It depends on your environment whether or not WSUS makes sense for a given site. If you control all of the PCs, then sure it's probably fine. I thought WSUS could run on a workstation even not just a server, but I may be misremembering that.

    For things like a PC repair shop where none of the PCs are controlled locally and no changes to the machine's update settings are allowed, then squid can help with caching updates.



  • Correct.

    WSUS requires a domain, and must be run on (at the very least) a member server (Server 2003/2008) of that domain.  Only computers/servers joined to said domain will receive updates from said WSUS server.  Plugging a computer into the same network isn't enough, it must be joined to the domain.

    WSUS is geared for enterprise environments, requires a domain controller and knowledge of Active Directory, can be configured to target machines (eg by groups such as workstations, servers, laptops, or by department; Finance, Sales, etc).

    Squid caching would be ideal for a PC/tech shop, home use where bandwidth is a concern, low limit data plans etc.

