WSUSProxy
Nginx as a Proxy for Windows Update Server WSUS
This is an example proxy that caches the update files (.cab, .exe, .psf) for distribution. Using a wpad file, we tell the clients to use this special proxy for requests to the WSUS server. All other requests are routed directly to the central WSUS server. This way you only need to manage one WSUS server, but can optimize distribution over WAN links to other sites.
As a result, all machines behind such a proxy show up on the WSUS server with the proxy's IP address. This does not otherwise harm functionality: the hostname is still reported, and the internally used ID still differentiates the clients. We did some tests, and the reports were correct for missing updates, installed updates and so on.
nginx config
The nginx config:

    #user  nobody;
    worker_processes  1;

    #error_log  logs/error.log;
    #error_log  logs/error.log  notice;
    #error_log  logs/error.log  info;

    #pid        logs/nginx.pid;

    events {
        worker_connections  1024;
    }

    http {
        include       mime.types;
        default_type  application/octet-stream;

        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';

        access_log  logs/access.log  main;

        sendfile        on;
        #tcp_nopush     on;

        #keepalive_timeout  0;
        keepalive_timeout  65;

        #gzip  on;

        server {
            listen       8081;
            server_name  theproxyserver.domain.net;

            #access_log  logs/host.access.log  main;

            # root url - don't cache here
            location / {
                proxy_pass        http://thecentralwsusserver.domain.net:80;
                proxy_set_header  Host             $host;
                proxy_set_header  X-Real-IP        $remote_addr;
                proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
            }

            # here is static caching: serve the file from disk if it is
            # already stored, otherwise hand the request to @fetch
            location ~* ^/Content.+\.(cab|exe|psf|CAB|EXE|PSF)$ {
                root        cache/wsus;
                error_page  404 = @fetch;
            }

            # fetch the file from the central WSUS server and store it on disk
            location @fetch {
                internal;
                proxy_pass        http://thecentralwsusserver.domain.net:80;
                # an empty value drops the client's Range header, so the
                # complete file is requested and stored
                proxy_set_header  Range            '';
                proxy_set_header  Host             $host;
                proxy_set_header  X-Real-IP        $remote_addr;
                proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
                proxy_store       on;
                root              cache/wsus;
            }
        }
    }

Add a MIME type for the .dat files to the mime.types config file:

    application/x-ns-proxy-autoconfig  dat;

wpad file for the proxy
If you do not use wpad for proxy settings, you can probably find another solution. We already used wpad to distribute internet proxies depending on the network addresses a client has.

    function FindProxyForURL(url, host)
    {
        // WSUS Proxy setting:
        url = url.toLowerCase();
        if (shExpMatch(url, "*thecentralwsusserver*"))
        {
            return "PROXY theproxyserver.domain.net:8081";
        }

        if (isPlainHostName(host) ||
            // local zones
            isInNet(host, "10.0.0.0", "255.0.0.0") ||
            isInNet(host, "192.168.0.0", "255.255.0.0") ||
            dnsDomainIs(host, ".localdomain.net") ||
            dnsDomainIs(host, "127.0.0.1"))
            return "DIRECT";
        else
            return "PROXY internetproxy.domain.net:8080";
    }

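To check which requests the wpad file above sends where, its logic can be run offline against sample URLs. This is an added example, not part of the original page: the helper stubs, the DNS table, `route`, `routeAll` and the sample URLs are constructed for illustration.

```javascript
// Added example: offline stand-ins for the PAC helpers a browser provides.
// DNS is a constructed lookup table; real clients use the OS resolver.
const DNS = { "intranet.localdomain.net": "172.16.0.5", "www.example.com": "93.184.216.34" };
const toInt = (ip) => ip.split(".").reduce((n, o) => ((n << 8) | Number(o)) >>> 0, 0);

function isPlainHostName(host) { return !host.includes("."); }
function dnsDomainIs(host, domain) { return host.endsWith(domain); }
function shExpMatch(str, glob) {
  // Escape regex metacharacters, then map the shell wildcards * and ?.
  const re = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}
function isInNet(host, net, mask) {
  const ip = /^\d+(\.\d+){3}$/.test(host) ? host : DNS[host];
  if (!ip) return false; // name does not resolve
  return ((toInt(ip) & toInt(mask)) >>> 0) === ((toInt(net) & toInt(mask)) >>> 0);
}

// The PAC function from the page, logic unchanged.
function FindProxyForURL(url, host) {
  url = url.toLowerCase();
  if (shExpMatch(url, "*thecentralwsusserver*")) return "PROXY theproxyserver.domain.net:8081";
  if (isPlainHostName(host) || isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0") ||
      dnsDomainIs(host, ".localdomain.net") || dnsDomainIs(host, "127.0.0.1")) return "DIRECT";
  return "PROXY internetproxy.domain.net:8080";
}

// Hypothetical helper: derive the host the way a browser would, then ask the PAC.
function route(url) { return FindProxyForURL(url, new URL(url).hostname); }

// Constructed sample requests covering each branch.
const SAMPLES = [
  "http://thecentralwsusserver.domain.net/Content/AB/update.cab",
  "http://fileserver/share",
  "http://192.168.10.20/status",
  "http://intranet.localdomain.net/",
  "http://www.example.com/",
  // The WSUS rule matches the whole URL, so a query string containing the name also matches.
  "http://www.example.com/?q=thecentralwsusserver",
];
function routeAll() { return SAMPLES.map((u) => [u, route(u)]); }
for (const [u, r] of routeAll()) console.log(r.padEnd(38), u);
```

Matching on `host` rather than on the full `url` in the first rule would keep the last sample on the internet proxy.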
distribution of the wpad file
You can also distribute the wpad file itself from the nginx server. Add the following config to the nginx config file:

    server {
        listen       80;
        server_name  wpad.domain.net;

        # root url
        location / {
            root  wpad;
        }
    }

On Windows networks, if "search settings automatically" is enabled, the default URL where a PC looks for the wpad file is wpad.yourdomain.net/wpad.dat