Re: [squid-users] Display Squid Errors on browsers in transparent mode

Thanks AMos,

here it is my settings
The server that handle squid is the main gateway of the entire network.
I'm using iptables with a rule that forward 80 port requests to the 3128
squid port
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

squid is just set has http_port 3128 transparent

squid version:
Squid Cache: Version 3.1.11
configure options: '--prefix=/usr' '--includedir=/include'
'--mandir=/share/man' '--infodir=/share/info' '--sysconfdir=/etc'
'--localstatedir=/var' '--libexecdir=/lib/squid3'
'--disable-maintainer-mode' '--disable-dependency-tracking' '--srcdir=.'
'--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3'
'--mandir=/usr/share/man' '--enable-gnuregex' '--enable-forward-log'
'--enable-removal-policy=heap' '--enable-follow-x-forwarded-for'
'--enable-http-violations' '--enable-large-cache-files'
'--enable-removal-policies=lru,heap' '--enable-err-languages=English'
'--enable-default-err-language=English' '--with-maxfd=32000'
'--with-large-files' '--disable-dlmalloc' '--with-pthreads'
'--enable-esi' '--enable-storeio=aufs,diskd,ufs'
'--with-aufs-threads=10' '--with-maxfd=16384' '--enable-useragent-log'
'--enable-referer-log' '--enable-x-accelerator-vary' '--with-dl'
'--enable-truncate' '--enable-linux-netfilter'
'--with-filedescriptors=16384' '--enable-wccpv2' '--enable-arp-acl'
'--enable-auth=basic,digest'
'--enable-digest-auth-helpers=ldap,password'
'--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group' '--enable-basic-auth-helpers=LDAP' '--with-default-user=squid' '--enable-icap-client' '--enable-cache-digests' '--enable-icap-support' '--enable-poll' '--enable-epoll' '--enable-async-io' '--enable-delay-pools' '--enable-ssl' '--enable-ssl-crtd' 'CFLAGS=-DNUMTHREADS=60 -O3 -pipe -fomit-frame-pointer -funroll-loops -ffast-math -fno-exceptions' 'CPPFLAGS=-I../libltdl'

Here it is the squid configuration file

# IS 3.1 YES
acl localhost src 127.0.0.1/8 0.0.0.0/32
acl to_localhost dst 127.0.0.1/8 0.0.0.0/32
acl manager proto cache_object
auth_param basic credentialsttl 2 hour
authenticate_ttl 1 hour
authenticate_ip_ttl 60 seconds
#--------- TWEEKS PERFORMANCES
# http://blog.last.fm/2007/08/30/squid-optimization-guide
memory_pools off
quick_abort_min 0 KB
quick_abort_max 0 KB
log_icp_queries off
client_db off
buffered_logs on
half_closed_clients off

#--------- UfdbGuard
url_rewrite_program /usr/bin/ufdbgclient -l /var/log/squid
url_rewrite_children 20 startup=5 idle=1 concurrency=0

#--------- SQUID PARENTS (feature not enabled)

#--------- acls
acl blockedsites url_regex "/etc/squid3/squid-block.acl"
acl CONNECT method CONNECT
acl purge method PURGE
acl FTP proto FTP

acl office_network src all

#--------- MAIN RULES...
always_direct allow FTP
# --------- SAFE ports
acl Safe_ports port 80 #http
acl Safe_ports port 22 #ssh
acl Safe_ports port 443 563 #https, snews
acl Safe_ports port 1863 #msn
acl Safe_ports port 70 #gopher
acl Safe_ports port 210 #wais
acl Safe_ports port 1025-65535 #unregistered ports
acl Safe_ports port 280 #http-mgmt
acl Safe_ports port 488 #gss-http
acl Safe_ports port 591 #filemaker
acl Safe_ports port 777 #multiling http
acl Safe_ports port 631 #cups
acl Safe_ports port 873 #rsync
acl Safe_ports port 901 #SWAT
acl Safe_ports port 20 #ftp-data
acl Safe_ports port 21 #ftp#
# --------- Use x-forwarded-for for local Dansguardian or load balancers
log_uses_indirect_client on
follow_x_forwarded_for allow localhost
acl SSL_ports port 9000 #Artica
acl SSL_ports port 443 #HTTPS
acl SSL_ports port 563 #https, snews
acl SSL_ports port 6667 #tchat
acl whitelisted_mac_computers arp
"/etc/squid3/whitelisted-computers-by-mac.acl

# AOL Instant Messenger to connect to oscar.aol.com
acl AIM_ports port 5190 9898
acl AIM_domains dstdomain .oscar.aol.com .blue.aol.com
acl AIM_domains dstdomain .messaging.aol.com .aim.com
acl AIM_hosts dstdomain login.oscar.aol.com
login.glogin.messaging.aol.com toc.oscar.aol.com
acl AIM_nets dst 64.12.0.0/255.255.0.0
acl AIM_methods method CONNECT

# Permit IRC
acl IRC_ports port 6667
acl IRC_domains dstdomain .freenode.net
acl IRC_hosts dstdomain irc.freenode.net
acl IRC_methods method CONNECT

# Permit Yahoo Messenger
acl YIM_ports port 5050
acl YIM_domains dstdomain .yahoo.com .yahoo.co.jp
acl YIM_hosts dstdomain scs.msg.yahoo.com cs.yahoo.co.jp
acl YIM_methods method CONNECT

# Permit Google Talk
acl GTALK_ports port 5222 5050 443
acl GTALK_domains dstdomain .google.com
acl GTALK_hosts dstdomain talk.google.com
acl GTALK_methods method CONNECT

# Permit MSN
acl MSN_ports port 1863 443 1503
acl MSN_domains
dstdomain .microsoft.com .hotmail.com .live.com .msft.net .msn.com .passport.com
acl MSN_methods method CONNECT

# --------- RULES DEFINITIONS
url_rewrite_access deny localhost
url_rewrite_access deny whitelisted_mac_computers
url_rewrite_access allow all
http_access allow whitelisted_mac_computers
http_access allow AIM_methods AIM_ports AIM_nets
http_access allow AIM_methods AIM_ports AIM_hosts
http_access allow IRC_methods IRC_ports IRC_hosts
http_access allow IRC_methods IRC_ports IRC_domains
http_access allow YIM_methods YIM_ports YIM_hosts
http_access allow YIM_methods YIM_ports YIM_domains
http_access allow GTALK_ports GTALK_hosts GTALK_methods
http_access allow GTALK_methods GTALK_ports GTALK_domains
http_access allow MSN_ports MSN_domains MSN_methods
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow manager localhost
http_access allow purge localhost
http_access deny purge
http_access deny blockedsites
http_access allow office_network
http_access deny to_localhost
http_access deny all
# --------- ICAP Services.(0 service(s))

# --------- ident_lookup_access
hierarchy_stoplist cgi-bin ?

# --------- General settings
visible_hostname proxy.touzeau.com

# --------- time-out
dead_peer_timeout 10 seconds
dns_timeout 2 minutes
connect_timeout 1600 seconds
persistent_request_timeout 3 minutes
pconn_timeout 1600 seconds

maximum_object_size 300 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 2 MB

#http/https ports
http_port 3128 transparent
http_port 3129

# --------- SSL Rules

# --------- Caches
cache_effective_user squid
cache_effective_group squid
#cache_replacement_policy heap LFUDA
cache_mem 512 MB
cache_swap_high 90
cache_swap_low 95
# --------- DNS and ip caches
ipcache_size 51200
ipcache_low 90
ipcache_high 95
fqdncache_size 51200

# --------- SPECIFIC DNS SERVERS
dns_nameservers 192.168.1.1

#--------- FTP specific parameters
ftp_passive on
ftp_sanitycheck off
ftp_epsv off
ftp_epsv_all off
ftp_telnet_protocol off

debug_options ALL,1

#Logs-------------------------------------------------
coredump_dir /var/squid/cache
cache_log /var/log/squid/cache.log
pid_filename /var/run/squid.pid
error_directory /usr/share/squid-langpack/en
cache_store_log /var/log/squid/store.log
access_log none manager
access_log syslog:authpriv.info common

cache_dir ufs /var/cache/squid 2000 16 256
# --------- OTHER CACHES
cache_dir ufs /home/squid-cache/cache3 20000 16 256
cache_dir ufs /home/squid-cache/cache2 8000 16 256

Le dimanche 27 novembre 2011 à 14:21 +1300, Amos Jeffries a écrit :
> On 27/11/2011 6:33 a.m., David Touzeau wrote:
> > I think is normal but is there any tips/tweaks in order to display SQUID
> > pages error when using squid in transparent mode.
> >
> >
> > When connecting directly to the port, the error is correctly generated
> > by Squid
> >
> > When using the transparent mode only the browser display errors.
> >
> > Best regards.
> >
>
> Please avoid the fuzzy word "transparent". By itself the word is too
> fuzzy to convey much meaning. There are a many modes which are all
> called "transparent [something]" and doing very, very different things...
>
> Authentication replies (including transparent authentication) always
> supply Squid error page. The browser choice to use transparent
> authentication instead of popups prevents it being shown. There is
> nothing you can do about this browser feature except use web-form based
> authentication.
>
> None of the other "transparent" modes currently supported by Squid has
> anything particularly to do with error pages display, you configure
> error page reply bodies with deny_info the same way as with regular traffic.
>
> For any further help, you will need to supply some details about which
> "transparent" you are talking, and what errors are happening that you
> want to avoid. Probably what configuration you are using as well.
>
> Amos
Received on Sun Nov 27 2011 - 19:54:25 MST