WSUSProxy

= Nginx as a Proxy for Windows Update Server WSUS =

This is an example of a proxy that caches the update files (.cab, .exe, .psf) for distribution. Using a wpad file, we tell the clients to use this special proxy for requests to the WSUS server. All other requests are routed directly to the central WSUS server. This way you only need to manage one WSUS server, but can optimize distribution over WAN links to other sites.

As a result, all machines behind such a proxy show up on the WSUS server with the proxy's IP address. This does not otherwise harm functionality: the hostname is still reported, and the internally used ID still differentiates the clients. We did some tests, and the reports were correct for missing updates, installed updates and so on.

== nginx config ==
The nginx configuration:

 worker_processes 1;
 #user nobody;

 #error_log logs/error.log;
 #error_log logs/error.log  notice;
 #error_log logs/error.log  info;

 #pid       logs/nginx.pid;

 events {
     worker_connections 1024;
 }

 http {
     include      mime.types;
     default_type application/octet-stream;

     log_format main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

     access_log logs/access.log  main;

     sendfile       on;
     #tcp_nopush    on;

     #keepalive_timeout 0;
     keepalive_timeout 65;

     #gzip on;

     server {
         listen      8081;
         server_name theproxyserver.domain.net;

         #access_log logs/host.access.log  main;

         # root url - don't cache here
         location / {
             proxy_pass        http://thecentralwsusserver.domain.net:80;
             proxy_set_header  Host             $host;
             proxy_set_header  X-Real-IP        $remote_addr;
             proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
         }

         # here is static caching
         location ~* ^/Content.+\.(cab|exe|psf|CAB|EXE|PSF)$ {
             root                cache/wsus;
             error_page          404 = @fetch;
         }

         location @fetch {
             internal;

             proxy_pass        http://thecentralwsusserver.domain.net:80;
             proxy_set_header  Range            '';
             proxy_set_header  Host             $host;
             proxy_set_header  X-Real-IP        $remote_addr;
             proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
             proxy_store       on;

             root              cache/wsus;
         }
     }
 }

Add a MIME type for the .dat files to the mime.types config file:

 application/x-ns-proxy-autoconfig    dat;

== wpad file for the proxy ==
If you do not use wpad for proxy settings, you may need to find another solution. We already used wpad to distribute internet proxies depending on the network addresses a client has.

 function FindProxyForURL(url, host) {
     // WSUS Proxy setting:
     url = url.toLowerCase();
     if (shExpMatch(url, "*thecentralwsusserver*")) {
         return "PROXY theproxyserver.domain.net:8081";
     }
     if (isPlainHostName(host) ||
         // local zones
         isInNet(host, "10.0.0.0", "255.0.0.0") ||
         isInNet(host, "192.168.0.0", "255.255.0.0") ||
         dnsDomainIs(host, ".localdomain.net") ||
         dnsDomainIs(host, "127.0.0.1"))
         return "DIRECT";
     else
         return "PROXY internetproxy.domain.net:8080";
 }
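
An added example (not part of the original page): a small Node.js harness for checking the PAC routing above offline before publishing wpad.dat. The helper functions are simplified stand-ins for the browser's PAC built-ins, `route` is a hypothetical wrapper, and the sample URLs are constructed.

```javascript
// Added example: offline Node.js harness for the wpad.dat routing logic.
// The helpers below are simplified stand-ins for the browser's PAC built-ins.
const ipToInt = ip => ip.split(".").reduce((n, o) => n * 256 + Number(o), 0);
const isIPv4 = h => /^\d{1,3}(\.\d{1,3}){3}$/.test(h);

function isPlainHostName(host) { return !host.includes("."); }
function dnsDomainIs(host, domain) { return host.endsWith(domain); }
function shExpMatch(str, glob) {
  // Translate the shell glob (* and ?) into an anchored regular expression.
  const re = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                 .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}
function isInNet(host, net, mask) {
  // Assumption: no DNS lookups offline, so only IPv4 literals can match.
  if (!isIPv4(host)) return false;
  const m = ipToInt(mask);
  return (ipToInt(host) & m) === (ipToInt(net) & m);
}

// PAC function from the page; toLowerCase must be called with ().
function FindProxyForURL(url, host) {
  url = url.toLowerCase();
  if (shExpMatch(url, "*thecentralwsusserver*")) {
    return "PROXY theproxyserver.domain.net:8081";
  }
  if (isPlainHostName(host) ||
      isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0") ||
      dnsDomainIs(host, ".localdomain.net") ||
      dnsDomainIs(host, "127.0.0.1")) return "DIRECT";
  return "PROXY internetproxy.domain.net:8080";
}

// Hypothetical wrapper: derive host from the URL as a browser would.
function route(url) { return FindProxyForURL(url, new URL(url).hostname); }

// Constructed sample URLs, one per routing outcome.
const samples = [
  "http://TheCentralWSUSServer.domain.net/Content/AB/sample.cab",
  "http://intranet/",
  "http://10.1.2.3/app",
  "http://172.16.0.1/app",                          // not in the DIRECT list
  "http://www.example.org/",
  "http://www.example.org/?q=thecentralwsusserver", // substring match on full URL
];
for (const u of samples) console.log(route(u).padEnd(40), u);
```

The last sample shows that the pattern is matched against the whole URL, so any URL containing the WSUS server name is sent to the caching proxy; matching on host instead limits the rule to the server itself.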

== distribution of the wpad file ==
You can also serve the wpad file itself from the nginx server. Add the following config to the nginx config file:

 server {
     listen      80;
     server_name wpad.domain.net;

     # root url
     location / {
         root    wpad;
     }
 }

On Windows networks, when "search settings automatically" is enabled, the default URL from which a PC tries to fetch the wpad file is wpad.yourdomain.net/wpad.dat