Using Squid to Cache Windows Updates

Hello! I recently changed over from pfSense to NethServer. Great product, but I noticed that it specifically is NOT caching Windows updates due to an “SSL bump”?

SSL bump
If the proxy is enabled in transparent SSL mode, all traffic destined for port 443 is also redirected to Squid (port 3130).
The following sites are always excluded from SSL bump:

images.metaservices.microsoft.com
crl.microsoft.com
update.microsoft.com
www.download.windowsupdate.com
windowsupdate.microsoft.com

In pfSense there was a way to allow Windows updates by adding what is called a “refresh pattern”:

https://doc.pfsense.org/index.php/Squid_Package_Tuning

I was wondering if anybody has tried this, and if it would work?

Hi @Mike_Harris

How about adding it to the white list?

Artem: It appears that your white list is for web content filtering, which would be SquidGuard? SquidGuard would be used for blocking specific sites for content filtering.

The “Web Proxy” for NethServer would use Squid for the caching of content? Or am I off on that?

I also found this…

NethServer Squid custom:
http://dev.nethserver.org/issues/2981

Details on Squid Windows updates and ACLs:
http://wiki.squid-cache.org/SquidFaq/WindowsUpdate

@Mike_Harris, I’m not certain that SSL bump disables caching of Windows updates.
I cannot test it now, but I did tests when I worked on issue 2981 and I think caching of updates was working.
The refresh pattern is already pre-configured in squid.conf, but I vaguely remember that it may need some tuning.

Would you like to help us to improve it? Could you send some lines from squid access.log relevant to windows updates?

Of course, please see below for the details on the Squid cache for Windows and other updates.

The big issue with Windows is the “refresh pattern”:

“The refresh_pattern directive controls the disk cache only indirectly. It helps Squid decide whether or not a given request can be a cache hit or must be treated as a miss. Liberal settings increase your cache hit ratio but also increase the chance that users receive a stale response. Conservative settings, on the other hand, decrease hit ratios and stale responses.”

Two options for refresh patterns for Windows:

# Note: pfSense separates its "custom options" with ';'. In squid.conf each
# directive is its own line and takes no trailing semicolon, so they are dropped here.
refresh_pattern ([^.]+.|)(download|(windows|)update|).(microsoft.|)com/.*\.(cab|exe|msi|msp) 4320 100% 43200 reload-into-ims
range_offset_limit -1

or

refresh_pattern ([^.]+\.)?(download|(windows)?update)\.(microsoft\.)?com/.*\.(cab|exe|msi|msp|psf) 4320 100% 43200 reload-into-ims
range_offset_limit -1

MAC / APPLE UPDATES:

refresh_pattern ([^.]+.|)(download|adcdownload).(apple.|)com/.*\.(pkg|dmg) 4320 100% 43200 reload-into-ims

AVG / MSC Updates

refresh_pattern ([^.]+.|)avg.com/.*\.(bin) 4320 100% 43200 reload-into-ims
refresh_pattern ([^.]+.|)spywareblaster.net/.*\.(dtb) 4320 100% 64800 reload-into-ims
refresh_pattern ([^.]+.|)symantecliveupdate.com/.*\.(zip|exe) 43200 100% 43200 reload-into-ims
refresh_pattern ([^.]+.|)avast.com/.*\.(vpu|vpaa) 4320 100% 43200 reload-into-ims

Note: It would be great if NethServer could add a config window the same way pfSense does for its Squid tuning. This way we could change the settings without having to hard-code them in a .conf file.

1 Like
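To make the request for access.log lines above actionable, and to check which URLs the quoted Windows refresh_pattern actually covers, here is an added example. It is my own code, not from this thread, NethServer, pfSense or the Squid project. It parses Squid's native access.log format, tests each URL against the second Windows refresh_pattern regex quoted above, and tallies per host whether Windows Update objects were served from cache, missed, came back as 206 partial content (which Squid will not cache unless range_offset_limit lets it fetch the whole object), or were CONNECT tunnels that the proxy never saw inside (the SSL-bump-excluded hosts fall into this class). The log lines embedded in it are constructed for illustration; the hostnames, file names and addresses in them are made up.

```python
"""Classify Squid access.log entries for Windows Update traffic (added example)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Squid native log format:
#   time elapsed client code/status bytes method URL ident hierarchy/peer mime
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<mime>\S+)$"
)

# The second Windows refresh_pattern regex from the thread. Squid compiles it as a
# POSIX extended regex and searches the whole URL (case-sensitive without -i);
# Python's re gives the same answer for this expression.
WU_REFRESH_RE = re.compile(
    r"([^.]+\.)?(download|(windows)?update)\.(microsoft\.)?com/.*\.(cab|exe|msi|msp|psf)"
)

# Squid result codes meaning the body came from the cache, including a
# revalidation (reload-into-ims) that the origin answered with 304 Not Modified.
CACHE_SERVED = {"TCP_HIT", "TCP_MEM_HIT", "TCP_IMS_HIT",
                "TCP_REFRESH_HIT", "TCP_REFRESH_UNMODIFIED"}

# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
1454312000.101    812 192.168.1.50 TCP_MISS/200 5242880 GET http://download.windowsupdate.com/d/msdownload/update/software/secu/2016/01/windows10.0-kb3124262-x64_1a2b3c.cab - HIER_DIRECT/13.107.4.50 application/vnd.ms-cab-compressed
1454312060.202     12 192.168.1.51 TCP_HIT/200 5242880 GET http://download.windowsupdate.com/d/msdownload/update/software/secu/2016/01/windows10.0-kb3124262-x64_1a2b3c.cab - HIER_NONE/- application/vnd.ms-cab-compressed
1454312120.303    455 192.168.1.52 TCP_MISS/206 1048576 GET http://download.windowsupdate.com/c/msdownload/update/software/updt/2016/01/kb3124263-x86_9f8e7d.psf - HIER_DIRECT/13.107.4.50 application/octet-stream
1454312180.404    140 192.168.1.50 TCP_MISS/200 1452 POST http://www.update.microsoft.com/v10/ClientWebService/client.asmx - HIER_DIRECT/13.107.4.50 text/xml
1454312240.505   3012 192.168.1.53 TCP_TUNNEL/200 48213 CONNECT fe2.update.microsoft.com:443 - HIER_DIRECT/40.77.226.250 -
1454312300.606     95 192.168.1.54 TCP_REFRESH_UNMODIFIED/200 2097152 GET http://download.microsoft.com/download/1/2/3/setup.msi - HIER_DIRECT/13.107.4.50 application/x-msi
"""


def parse_line(line):
    """Return the log fields as a dict, or None for a line in another format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def matches_refresh_pattern(url):
    """True if the quoted Windows Update refresh_pattern would apply to url."""
    return WU_REFRESH_RE.search(url) is not None


def classify(entry):
    """One of: tunnel, unmatched, partial, hit, miss."""
    if entry["method"] == "CONNECT":
        # TLS passthrough: Squid only sees host:port, nothing inside is cacheable.
        return "tunnel"
    if not matches_refresh_pattern(entry["url"]):
        return "unmatched"
    if entry["status"] == "206":
        # Partial content from a Range request; not stored unless
        # range_offset_limit makes Squid fetch the whole object.
        return "partial"
    return "hit" if entry["code"] in CACHE_SERVED else "miss"


def host_of(entry):
    if entry["method"] == "CONNECT":
        return entry["url"].rsplit(":", 1)[0]
    return urlsplit(entry["url"]).hostname or ""


def summarize(lines):
    """Per-host and overall counts plus the hit ratio over pattern-matched requests."""
    per_host = defaultdict(lambda: defaultdict(int))
    totals = defaultdict(int)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        kind = classify(entry)
        per_host[host_of(entry)][kind] += 1
        totals[kind] += 1
    served = totals["hit"] + totals["miss"] + totals["partial"]
    return {
        "per_host": {h: dict(c) for h, c in per_host.items()},
        "totals": dict(totals),
        "hit_ratio": totals["hit"] / served if served else 0.0,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG.splitlines())
    for host, counts in sorted(result["per_host"].items()):
        print(f"{host:32} {dict(counts)}")
    print("totals:", result["totals"], "hit ratio: %.2f" % result["hit_ratio"])
```

Run it against a real log with `summarize(open("/var/log/squid/access.log"))`. A large "partial" count means the range_offset_limit line is missing or not taking effect; "unmatched" entries on Windows Update hosts show file types the extension group does not cover; "tunnel" entries are port-443 traffic that no refresh_pattern can cache, which is where the SSL-bump exclusion list matters.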

Hey @Mike_Harris, I wrote a special caching proxy for Windows updates, and the details are at:
http://www1.ngtech.co.il/wpe/?page_id=301

It works on very big networks (10k+ clients).
Let me know if it’s of any interest to you.

4 Likes