Thursday, November 19, 2009
Getting Windows Update to Work With Squid
(This blog entry is for techies only)
Caching Windows Update with Squid 2.6
Windows Update has historically been a problem for Squid administrators, particularly those who want to block outbound ports 80/443 from their network and force all web traffic through the proxy.
This guide will let you set up a PARENT/CHILD pair of Squid caches in order to enforce the never_direct directive and minimise your bandwidth usage for updates. This method works, but it does require two Squid proxies, either configured to run as multiple instances on the same system, or on separate systems.
NEVER_DIRECT
I’m going to address this directive first, since it probably doesn’t do what you think it does.
What you probably think it does:
Never go direct to the origin server, always connect with Squid and pass on the data.
What it actually does (from the Squid FAQ):
If you are behind a firewall then you can't make direct connections to the outside world, so you must use a parent cache.
You can use the never_direct access list in squid.conf to specify which requests must be forwarded to your PARENT CACHE outside the firewall, and the always_direct access list to specify which requests must not be forwarded.
The emphasis on PARENT CACHE above is mine. If you attempt to use this directive without a parent, requests fail with a NO_PARENT_DIRECT error.
REQUIREMENTS
From the above, we determine that we need at least one Squid Parent instance and one Squid Child instance.
These can be two physical servers, two virtual servers, or a multiple-instance configuration on one server (http://wiki.squid-cache.org/MultipleInstances). However, for simplicity and security, we used two physical servers, and the firewall shown in the diagram below is actually on the Parent.
The network layout we’ll use in this example is:
SQUID CONFIGURATION
From the above diagram, we get the following Squid configurations.
THE PARENT
The parent configuration is simple; add the firewalled_clients directives below to squid.conf, among the existing acl and http_access lines shown here for context (the Safe_ports line and the final allow localhost / deny all are stock squid.conf):

    acl Safe_ports port 777         # multiling http
    acl firewalled_clients src 192.168.0.0/24
    http_access allow firewalled_clients
    # And finally deny all other access to this proxy
    http_access allow localhost
    http_access deny all
We also define:
    http_port 3128
    cache_dir ufs /var/spool/squid 50000 16 256
    maximum_object_size 1000 MB
That is:
- the default http_port, referenced below by the Child.
- a cache of 50 GB (cache_dir takes megabytes), more than enough, though you may need to allocate less on a small disk.
- a maximum_object_size of 1 GB, large enough to cache any update.
Either cache may also require a “visible_hostname” directive, depending on how you have configured the underlying machine.
Also note that “firewalled_clients 192.168.0.0/24” above would need to reflect your client network; we’ll call this “localnet” on the Child, and it would also need to reflect your network addresses.
THE CHILD
First we need to define the Windows Update servers and our local network. In the same place as the acl above:

    acl localnet src 192.168.0.0/24
    acl windowsupdate dstdomain windowsupdate.microsoft.com
    acl windowsupdate dstdomain au.download.windowsupdate.com
    acl windowsupdate dstdomain .update.microsoft.com
    acl windowsupdate dstdomain download.windowsupdate.com
    acl windowsupdate dstdomain redir.metaservices.microsoft.com
    acl windowsupdate dstdomain images.metaservices.microsoft.com
    acl windowsupdate dstdomain c.microsoft.com
    acl windowsupdate dstdomain www.download.windowsupdate.com
    acl windowsupdate dstdomain wustat.windows.com
    acl windowsupdate dstdomain crl.microsoft.com
    acl windowsupdate dstdomain sls.microsoft.com
    acl windowsupdate dstdomain productactivation.one.microsoft.com
    acl windowsupdate dstdomain ntservicepack.microsoft.com
    acl CONNECT method CONNECT
    acl wuCONNECT dstdomain www.update.microsoft.com
    acl wuCONNECT dstdomain sls.microsoft.com
    acl wuCONNECT dstdomain wpa.one.microsoft.com
Then in the http_access section:
    http_access allow CONNECT wuCONNECT localnet
    http_access allow windowsupdate localnet
Also in this section, to force using the Parent cache:
    never_direct allow localnet
We also need to define the Parent, and allow access to it:
    cache_peer 10.0.0.1 parent 3128 3130 proxy-only no-query
    cache_peer_access 10.0.0.1 allow all
Whilst we have to specify an ICP port, we aren’t interested in asking whether the Parent has the object cached, as it is the only available source anyway, hence “no-query”.
We also set “proxy-only”, as there is no benefit in caching the results both here and on the Parent.
NB: 10.0.0.1 is the IP address of the Parent from the diagram; adjust it to match your Parent if necessary.
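Once the Child is running, the two properties the design above depends on can be checked from its access.log: every served request from localnet should show the FIRST_UP_PARENT hierarchy code (a DIRECT entry means never_direct is not being enforced), and only hosts matching the windowsupdate acl should be served. The script below is an added example, not part of the original post; it parses Squid native-format log lines (constructed samples are embedded) and applies Squid's dstdomain semantics, where a leading dot matches the domain and its subdomains and a bare entry matches that exact host.

```python
import re
from urllib.parse import urlsplit
# The child's "acl windowsupdate dstdomain" entries from the post. Squid semantics:
# a leading dot matches the domain and every subdomain; no dot means exact host.
WINDOWSUPDATE_DOMAINS = [
    "windowsupdate.microsoft.com", "au.download.windowsupdate.com",
    ".update.microsoft.com", "download.windowsupdate.com",
    "redir.metaservices.microsoft.com", "images.metaservices.microsoft.com",
    "c.microsoft.com", "www.download.windowsupdate.com", "wustat.windows.com",
    "crl.microsoft.com", "sls.microsoft.com",
    "productactivation.one.microsoft.com", "ntservicepack.microsoft.com",
]

# Squid native log: ts elapsed client code/status bytes method url user hier/peer type
LOG_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<client>\S+)\s+(?P<code>\S+)/(?P<status>\d+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+(?P<hier>\S+)/(?P<peer>\S+)\s+\S+$")

def dstdomain_match(host, patterns):
    host = host.lower().rstrip(".")
    for p in patterns:
        if p.startswith("."):
            if host == p[1:] or host.endswith(p):
                return True
        elif host == p:
            return True
    return False

def audit(lines):
    """Return (client, url, reason) for every served request that broke policy."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["code"].startswith("TCP_DENIED"):
            continue  # unparsable, or already blocked by http_access
        url = m["url"]
        # CONNECT requests are logged as "host:port" with no scheme
        host = urlsplit(url).hostname if "://" in url else url.rsplit(":", 1)[0]
        if m["hier"] == "DIRECT":
            findings.append((m["client"], url, "served DIRECT: never_direct not enforced"))
        if not dstdomain_match(host or "", WINDOWSUPDATE_DOMAINS):
            findings.append((m["client"], url, "host outside the windowsupdate acl was served"))
    return findings

# Constructed sample lines, not a real log; 203.0.113.5 is a documentation address.
SAMPLE_LOG = """\
1258617600.123    245 192.168.0.10 TCP_MISS/200 52341 GET http://download.windowsupdate.com/msdownload/update/x.cab - FIRST_UP_PARENT/10.0.0.1 application/octet-stream
1258617602.789    310 192.168.0.11 TCP_MISS/200 981 CONNECT www.update.microsoft.com:443 - FIRST_UP_PARENT/10.0.0.1 -
1258617603.111      3 192.168.0.11 TCP_DENIED/403 1420 GET http://www.example.com/ - NONE/- text/html
1258617604.222    120 192.168.0.12 TCP_MISS/200 7777 GET http://www.example.org/ - DIRECT/203.0.113.5 text/html
"""
```

Run `audit(open("/var/log/squid/access.log").read().splitlines())` on the Child; any finding for a localnet client means the http_access or never_direct lines are not doing what this article intends.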
CLIENT CONFIGURATION
For this example the client network will need to point to the Child proxy server: 192.168.0.1:3128
Setting this proxy in Internet Explorer will also allow Windows Automatic Updates to run through the proxy.
FIREWALL CONFIGURATION
The firewall can be configured on either of the proxy servers, on the main firewall, or on all three if desired (perhaps because you don’t administer all of those machines). However, this is outside the scope of this article.
AUTOMATIC PROXY CONFIGURATION IN WINDOWS
The next question most people ask is how to set up WPAD (Web Proxy Autodiscovery Protocol) so they don’t have to configure each Windows client on their network.
You will likely want to achieve this with a combination of DHCP and HTTP servers.
There is an excellent post explaining this by David W. Hankins at http://www.mercenary.net/blog/index.php?/archives/42-HOWTO-WPAD.html
Please read carefully, however: as a security measure against DNS poisoning, the default configuration simply stops WPAD from trying DNS should DHCP fail to reply to the request.