As discussed at the Apr meeting, here is my solution for having squid cache your Windblows (XP, mainly but should work for Vista/7) updates downloads.
I have just verified this is still working at all my customer sites by looking at the squid access logs and seeing HITs for the big CAB files from windowsupdate.com. This confirms what I have always been seeing while manually doing updates.
The magic line you require in your squid.conf is (no wrapping on the line):

    refresh_pattern http://www.download.windowsupdate.com/ 0 80% 525600 reload-into-ims
If someone wants my entire squid.conf, let me know. It's set up for a pretty common case where you want to squid all of your internal (192.168.*) computers. The only other major thing is make sure you have a pretty big squid cache and max object size. I recommend at least 3GB. If you have tons of disk, make it 50G or something. More never hurts.
I use:

    cache_swap_low 94
    cache_swap_high 97
    maximum_object_size 800000 KB
Which should nicely handle the Win Update case we're trying to achieve.
Now, to make it so you don't have to configure ANYTHING on a stock WinXP box to make it use squid:
Make a file on your web server's document root (ie: /var/www/html or similar) called wpad.dat. Make it world readable. Populate it thusly:
    <? header("Content-type: application/x-ns-proxy-autoconfig"); ?>
    function FindProxyForURL(url, host) {
        // Hosts and URLs that bypass the proxy entirely
        if (isPlainHostName(host) ||
            dnsDomainIs(host, "tecnopolis.ca") ||
            dnsDomainIs(host, "nocachingdomain.whatever") ||
            shExpMatch(host, "192.168.*") ||
            shExpMatch(url, "*windowsupdate.microsoft.com/*.js*") ||
            shExpMatch(url, "*windowsupdate.microsoft.com/*.asp*"))
            return "DIRECT";
        // Everything else over http/ftp/gopher goes to squid, falling back to direct
        if (url.substring(0, 5) == "http:" ||
            url.substring(0, 4) == "ftp:" ||
            url.substring(0, 7) == "gopher:")
            return "PROXY 192.168.1.1:8080; DIRECT";
        return "DIRECT";
    }
Tweak the DIRECT domain/IP exclusions in the first if block. Change the 192.168.1.1 to your squid server's IP. Change the 8080 to whatever port you want to have squid listen on. Note that the header() line at the top is PHP, so it only sets the MIME type if Apache actually runs wpad.dat through PHP. There's a more standard default port, but I use 8080 as that's what Shaw used when I signed up ages ago and it's easy to remember :-)
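To see which requests this PAC actually hands to squid before rolling it out, here is an added Node.js harness (not part of the original post) that re-implements the isPlainHostName, dnsDomainIs and shExpMatch built-ins as my own approximations and runs the post's FindProxyForURL over a few constructed URLs; the route/routeAll helpers and the sample URLs are mine.

```javascript
// Added example (not from the original post): Node.js harness that re-implements
// the three PAC built-ins this wpad.dat uses (my approximations, not browser code)
// so the routing decisions can be checked offline before deploying.

// True for a host with no dots, e.g. "intranet".
function isPlainHostName(host) { return host.indexOf(".") === -1; }

// Suffix match like the built-in, so "tecnopolis.ca" also covers its subdomains.
function dnsDomainIs(host, domain) { return host.endsWith(domain); }

// Shell-style glob: '*' matches any run of characters, '?' exactly one.
function shExpMatch(str, pattern) {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// The FindProxyForURL from the post, unchanged apart from layout.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, "tecnopolis.ca") ||
      dnsDomainIs(host, "nocachingdomain.whatever") || shExpMatch(host, "192.168.*") ||
      shExpMatch(url, "*windowsupdate.microsoft.com/*.js*") ||
      shExpMatch(url, "*windowsupdate.microsoft.com/*.asp*"))
    return "DIRECT";
  if (url.substring(0, 5) == "http:" || url.substring(0, 4) == "ftp:" ||
      url.substring(0, 7) == "gopher:")
    return "PROXY 192.168.1.1:8080; DIRECT";
  return "DIRECT";
}

// Derive the host the way a browser would, then apply the PAC decision.
function route(url) { return FindProxyForURL(url, new URL(url).hostname); }

// Constructed sample URLs covering each branch, including the HTTPS case.
const SAMPLES = [
  "http://www.download.windowsupdate.com/msdownload/update/x.cab", // CAB we want squid to cache
  "http://windowsupdate.microsoft.com/v6/default.asp?ln=en",     // excluded by the .asp rule
  "http://intranet/",                                            // plain hostname
  "http://192.168.1.50/index.html",                              // internal address
  "https://www.example.com/",                                    // not "http:", so never proxied
];

// Map each URL to the PAC verdict for inspection or assertion.
function routeAll(urls) {
  const out = {};
  for (const u of urls) out[u] = route(u);
  return out;
}

console.log(routeAll(SAMPLES));
```

Note that HTTPS URLs never pass the http:/ftp:/gopher: test, so with this PAC they always go DIRECT and never touch squid.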
You also require some funky apache config to make it work:

    <VirtualHost *:80>
        ServerName wpad.tecnopolis.ca
        ServerAlias wpad
        DocumentRoot /var/www/html
        Alias /wpad.dat /var/www/html/wpad.dat
    </VirtualHost>
(may be a bit redundant, but I am editing my slightly more complex setup to be usable by others)
Note, wpad.dat only applies to IE (Internet Exploder); to make Nutscrape-based browsers (Fireflax) work, you need to make another identical file (hardlink?) called proxy.pac and do some more funky apache stuff:
    <VirtualHost *:80>
        ServerName proxy.tecnopolis.ca
        ServerAlias proxy
        DocumentRoot /var/www/html
        Alias /wpad.dat /var/www/html/wpad.dat
        Alias / /var/www/html/proxy.pac
    </VirtualHost>
More redundancy, but trust me, getting this stuff to work is mystical voodoo so cover all your bases.
AND, obviously add proxy and wpad as CNAMEs in your DNS server's config! They must resolve to your web server's IP.
Lastly, XP by default has the "autodetect proxy settings" enabled in IE, so you literally have to do nothing to have your entire network magically start using the proxy. If it doesn't seem to be working, double-check that IE indeed has that option enabled (Tools, Connections, LAN settings).
Like I said, it's been 10 years since I set this up and last looked at it, so hopefully I'm not overlooking some important point. It literally has worked all these years without tweaking on dozens of servers. 3 cheers for UN*X and its stability of configuration and migration!