Revision as of 19:33, 22 September 2010 by MichaelLustfield

Nginx as a Proxy for Windows Update Server WSUS

This is an example of a proxy that caches the update files (.cab, .exe, .psf) for distribution. Using a wpad file, we tell the clients to use this special proxy for requests to the WSUS server. All other requests are routed directly to the central WSUS server. This way you only need to manage one WSUS server, but can optimize distribution over WAN links to other sites.

As a result, all machines behind such a proxy show up on the WSUS server with the proxy's IP address. This does not otherwise harm functionality: the hostname is still reported, and the internally used ID still differentiates the clients. In our tests, the reports were correct for missing updates, installed updates and so on.

nginx config

The nginx configuration:

#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

events {
	worker_connections  1024;
}

http {
	include       mime.types;
	default_type  application/octet-stream;

	log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
					'$status $body_bytes_sent "$http_referer" '
					'"$http_user_agent" "$http_x_forwarded_for"';

	access_log  logs/access.log  main;

	sendfile        on;
	#tcp_nopush     on;

	#keepalive_timeout  0;
	keepalive_timeout  65;

	#gzip  on;
	server {
		listen       8081;
		server_name  theproxyserver.domain.net;

		#access_log  logs/host.access.log  main;

		# root url - don't cache here
		location /  {
			proxy_pass        http://thecentralwsusserver.domain.net:80;
			proxy_set_header   Host             $host;
			proxy_set_header   X-Real-IP        $remote_addr;
			proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
		}

		# here is static caching:
		# serve the file from the local store; on a miss (404) go to @fetch
		location ~* ^/Content.+\.(cab|exe|psf|CAB|EXE|PSF)$ {
			root                 cache/wsus;
			error_page           404 = @fetch;
		}

		# fetch the file from the central WSUS server and store it under root
		location @fetch {

			proxy_pass         http://thecentralwsusserver.domain.net:80;
			# an empty value drops the Range header, so the complete file is fetched
			proxy_set_header   Range    '';
			proxy_set_header   Host             $host;
			proxy_set_header   X-Real-IP        $remote_addr;
			proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
			proxy_store           on;

			root                 cache/wsus;
		}
	}
}

Add a MIME type for the .dat files to the mime.types config file:

	application/x-ns-proxy-autoconfig     dat;

wpad file for the proxy

If you do not use wpad for proxy settings, you can probably find another solution. We already used wpad to distribute internet proxies depending on the network addresses a client has.

function FindProxyForURL(url,host)
{
 // WSUS Proxy setting:
 if (shExpMatch(url, "*thecentralwsusserver*")) {
   return "PROXY theproxyserver.domain.net:8081";
 }
 if (isPlainHostName(host) ||   // local zones
     isInNet(host, "", "") ||
     isInNet(host, "", "") ||
     dnsDomainIs(host, ".localdomain.net") ||
     dnsDomainIs(host, ""))
   return "DIRECT";
 // everything else goes through the internet proxy
 return "PROXY internetproxy.domain.net:8080";
}
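
The WSUS rule of the PAC file above, exercised outside a browser (an added example, not part of the original wiki page). The PAC helpers are re-implemented for Node.js, the sample URLs are constructed, and `findProxyStrict` with its host list is a hypothetical variant that compares the host name instead of matching a substring of the whole URL, so an unrelated URL that merely contains the server name is not routed to the WSUS proxy.

```javascript
// Added example. PAC helpers exist only inside browsers, so the three used
// here are re-implemented for Node.js (isInNet is left out: it needs DNS).
function shExpMatch(str, pattern) {
  // Turn a shell glob (* and ?) into an anchored regular expression.
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&')
                    .replace(/\*/g, '.*')
                    .replace(/\?/g, '.');
  return new RegExp('^' + re + '$').test(str);
}
function isPlainHostName(host) { return !host.includes('.'); }
function dnsDomainIs(host, domain) { return host.endsWith(domain); }
const WSUS_PROXY = 'PROXY theproxyserver.domain.net:8081';
const INET_PROXY = 'PROXY internetproxy.domain.net:8080';

function localOrInternet(host) {
  if (isPlainHostName(host) || dnsDomainIs(host, '.localdomain.net')) {
    return 'DIRECT';
  }
  return INET_PROXY;
}

// Rule as written on the page: substring match against the whole URL.
function findProxyLoose(url, host) {
  if (shExpMatch(url, '*thecentralwsusserver*')) return WSUS_PROXY;
  return localOrInternet(host);
}

// Hypothetical stricter variant: exact match on the host name only.
// The host list (short name and FQDN) is an assumption.
const WSUS_HOSTS = ['thecentralwsusserver', 'thecentralwsusserver.domain.net'];
function findProxyStrict(url, host) {
  if (WSUS_HOSTS.includes(host.toLowerCase())) return WSUS_PROXY;
  return localOrInternet(host);
}

// Constructed sample requests: [url, host]
const samples = [
  ['http://thecentralwsusserver.domain.net/Content/AB/example.cab',
   'thecentralwsusserver.domain.net'],
  ['http://www.example.com/search?q=thecentralwsusserver', 'www.example.com'],
  ['http://intranet/', 'intranet'],
  ['http://files.localdomain.net/doc.pdf', 'files.localdomain.net'],
];

// Returns one routing decision per sample for the given PAC function.
function routeTable(findProxy) {
  return samples.map(([url, host]) => findProxy(url, host));
}
console.log('loose :', routeTable(findProxyLoose));
console.log('strict:', routeTable(findProxyStrict));
```

Only the second sample differs between the two variants: the page's rule sends it to the WSUS proxy, the host-based rule sends it to the internet proxy.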

distribution of the wpad file

You can also distribute the wpad file itself from the nginx server. Add the following config to the nginx config file:

    server {
        listen       80;
        server_name  wpad.domain.net;

        # root url
        location /  {
            root        wpad;
        }
    }

For Windows networks, the default URL at which a PC looks for the wpad file, if "search settings automatically" is enabled, is wpad.yourdomain.net/wpad.dat