pfSense and Squid: caching Windows Updates

criccio
I followed this link to a T and that was over a week ago but I still don't think my pfSense box is caching anything at all.

squid.conf:

Code:
# Do not edit manually !
http_port 192.168.2.1:3128
icp_port 0

pid_filename /var/run/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_directory /usr/local/etc/squid/errors/English
icon_directory /usr/local/etc/squid/icons
visible_hostname pfSense
cache_mgr [email protected]
# Per-request log discarded; nothing here to check hits and misses against
access_log /dev/null
cache_log /var/squid/logs/cache.log
cache_store_log none
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src  192.168.2.0/255.255.255.0
uri_whitespace strip

cache_mem 1024 MB
maximum_object_size_in_memory 1024 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir ufs /var/squid/cache 15000 16 256
minimum_object_size 0 KB
maximum_object_size 1048576 KB
offline_mode off
cache_swap_low 90
cache_swap_high 95

# No redirector configured



# Setup some default acls
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 1025-65535 
acl sslports port 443 563  
acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT
# URL paths containing cgi-bin or a '?' are treated as dynamic and never stored
acl dynamic urlpath_regex cgi-bin \?
cache deny dynamic
http_access allow manager localhost

# Allow external cache managers
acl ext_manager_1 src 192.168.2.1 
http_access allow manager ext_manager_1
  
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

# Always allow localhost connections
http_access allow localhost

request_body_max_size 0 KB
reply_body_max_size 0 deny all
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow all

# Custom options
# Microsoft update binaries: fresh for at least 4320 min (3 days), at most 43200 min (30 days);
# reload-into-ims turns client no-cache reloads into If-Modified-Since checks instead of full refetches
refresh_pattern ([^.]+.|)(download|(windows|)update|).(microsoft.|)com/.*\.(cab|exe|msi|msp) 4320 100% 43200 reload-into-ims
# -1: always fetch the whole object even when the client asks for a byte range
# (the Windows Update BITS client does), so the object can actually be stored
range_offset_limit -1

# Setup allowed acls
# Allow local network(s) on interface(s)
http_access allow localnet
# Default block all to be sure
http_access deny all

After over a week, here is the output of Store Directory Stats in Cache Manager:

Code:
Store Directory Statistics:
Store Entries          : 52
Maximum Swap Size      : 15360000 KB
Current Store Swap Size:        0 KB
Current Capacity       : 0% used, 100% free

Store Directory #0 (ufs): /var/squid/cache
FS Block Size 2048 Bytes
First level subdirectories: 16
Second level subdirectories: 256
Maximum Size: 15360000 KB
Current Size: 0 KB
Percent Used: 0.00%
Current load metric: 500 / 1000
Filemap bits in use: 0 of 16384 (0%)
Filesystem Space in use: 720250/143243122 KB (1%)
Filesystem Inodes in use: 33055/18535422 (0%)
Flags:
Accepted object sizes: 0 - (unlimited) bytes
Removal policy: heap

Am I missing something? I'm pretty new to pfSense. I used Untangle previously and this was all pretty painless.
 
In larger deployments I believe Windows Updates are the main reason Squid web cache is used.
 
I'd go ahead and strongly recommend WSUS instead of squid caching updates...

Much better control.
 
Doesn't WSUS rely on an AD environment?

No I don't think so, but I know a lot of the handy features in WSUS rely on AD and so without it administration and deployment are probably more difficult.

Life is pretty tough if you can't find a 1GHz machine with 1 gig of memory and 500 gigs HD space:p
 
Life is pretty tough if you can't find a 1GHz machine with 1 gig of memory and 500 gigs HD space:p

I'm sure most of us have spare parts, but why would someone want to build and manage another machine that will add more electricity and heat to the equation when there is a perfectly good webcache on an existing pfSense that is capable of accomplishing the same end result?
 
I'm sure most of us have spare parts, but why would someone want to build and manage another machine that will add more electricity and heat to the equation when there is a perfectly good webcache on an existing pfSense that is capable of accomplishing the same end result?

The end result wouldn't be the same.

Additionally, I think managing squid caching windows updates would be more bothersome.

Doing it right is always better than doing it cheap and easy.


On topic:

If you want to check what squid is doing, you usually need to go pay a visit to a few key squid files. cache.log and access.log will tell you a lot about what is actually going on. I realize that this is not as easy as Untangle, but I feel pfSense is far more powerful.

According to your config, your cache log is /var/squid/logs/cache.log

Not sure about your access.log
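One way to get the numbers the post above is after, as an added example that is not part of the thread: once access_log points at a real file instead of /dev/null, this script checks each requested URL against the refresh_pattern and the dynamic acl copied from the posted squid.conf and reports the hit ratio for Windows Update fetches. The sample log lines are constructed; the KB number and peer addresses in them are placeholders.

```python
import re
from collections import Counter

# refresh_pattern regex copied from the posted squid.conf (Squid compiles it as a POSIX extended regex)
WU_PATTERN = re.compile(
    r"([^.]+.|)(download|(windows|)update|).(microsoft.|)com/.*\.(cab|exe|msi|msp)")
# 'acl dynamic urlpath_regex cgi-bin \?' from the same config; 'cache deny dynamic' keeps matches out of the store
DYNAMIC_PATTERN = re.compile(r"cgi-bin|\?")

def url_path(url):
    # urlpath_regex only sees the part after the host
    m = re.match(r"https?://[^/]+(/.*)?$", url)
    return (m.group(1) or "/") if m else url

def classify(url):
    """How the posted config treats one URL: not-wu, wu-dynamic or wu-cacheable."""
    if not WU_PATTERN.search(url):
        return "not-wu"
    if DYNAMIC_PATTERN.search(url_path(url)):
        return "wu-dynamic"      # refresh_pattern matches, but cache deny dynamic wins
    return "wu-cacheable"

def parse_native_line(line):
    """Squid native access.log: time elapsed client code/status bytes method url ..."""
    f = line.split()
    if len(f) < 7:
        return None
    return f[2], f[3].split("/")[0], f[6]      # client, TCP_* result code, URL

def wu_cache_report(log_text):
    """Hit ratio over Windows Update fetches, plus how many were refused as dynamic."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_native_line(line)
        if rec:
            kind = classify(rec[2])
            if kind != "not-wu":
                counts[(kind, rec[1])] += 1
    total = sum(counts.values())
    hits = sum(n for (_, code), n in counts.items() if "HIT" in code)   # TCP_HIT, TCP_MEM_HIT, ...
    dynamic = sum(n for (kind, _), n in counts.items() if kind == "wu-dynamic")
    return {"total": total, "hits": hits, "dynamic": dynamic,
            "hit_ratio": hits / total if total else 0.0}

# Constructed sample log lines (not from the thread); kb000000 and 203.0.113.x are placeholders
SAMPLE_LOG = """\
1283948101.123 450 192.168.2.50 TCP_MISS/200 1048576 GET http://download.windowsupdate.com/msdownload/update/software/secu/2010/08/windows6.1-kb000000-x86_example.cab - DIRECT/203.0.113.10 application/octet-stream
1283948205.456 12 192.168.2.51 TCP_HIT/200 1048576 GET http://download.windowsupdate.com/msdownload/update/software/secu/2010/08/windows6.1-kb000000-x86_example.cab - NONE/- application/octet-stream
1283948210.789 300 192.168.2.51 TCP_MISS/200 20480 GET http://www.update.microsoft.com/v7/windowsupdate/selfupdate/wuident.cab?1008051240 - DIRECT/203.0.113.11 application/octet-stream
"""
```

A run over a real log replaces SAMPLE_LOG with the file contents; a large "dynamic" count means the '?' rule, not the refresh_pattern, is what keeps those fetches out of the store.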
 
Did you set up a transparent proxy? Otherwise you need to do registry hacks to have Windows Update use the proxy.
 
The end result wouldn't be the same.
Yes.... it is the same end result. Updates don't need to be downloaded by clients multiple times. That's where it ends and that's what he's trying to do. No need for an extra box. Period.
Additionally, I think managing squid caching windows updates would be more bothersome.

Doing it right is always better than doing it cheap and easy.

Additionally................ the extra[H] route is not always the most practical way to do things. Seriously? An extra box for windows updates at home? Give me a break. I (and the OP) would probably say screw it before going that route.
 
How well does this actually work?
I tried this using Squid about 1½-2 years ago and it worked poorly at best.
Most of the time downloads were very slow since Squid tried to (pre-download) cache files but failed due to unique names/paths and the content length requests while the client had to wait on Squid. I managed to get it somewhat working after a while but I think Squid was having a cache hit rate of ~25% tops and I was very generous with limits regarding file sizes and total cache size. I kept this for about 2 weeks before deciding to scrap the project; this was not a huge client base though, but about 3-6 computers a day running Windows Update. Given my past experience I would recommend that you go for WSUS directly even if I haven't tried it out myself.
//Danne
 
Typical....

OP doesn't want WSUS, and now we've got 3 people suggesting WSUS even after it's been said it's not wanted.

-1 to reading comprehension
 
Well, from my point of view (based on my experience and most "issues" reported trying to cache WU) it's kinda like using a hammer to fasten a screw instead of a screwdriver. Untangle uses Polipo instead of Squid but seems to have the same issues that I had when trying to use Squid.
//Danne
 
I set it up about a year ago and at that time it seemed to work pretty well with Windows XP machines. I haven't followed up with it, but with automatic updates on 10-15 machines you would figure if it wasn't working you would see the bandwidth saturated at certain times, which it doesn't. It certainly caches the definitions for Microsoft Security Essentials and when I do manual updates on a machine it downloads way faster than if it was going over the internet connection.

Same situation, there's no need for Windows servers so it's not effective to run them just for WSUS.
 