Re: [squid-users] Display Squid Errors on browsers in transparent mode

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 28 Nov 2011 11:45:31 +1300

 On Sun, 27 Nov 2011 20:54:13 +0100, David Touzeau wrote:
> Thanks AMos,
>
> here it is my settings

 And the particular wrong messages which you are seeing?

 From this I would guess your browser displays unable to connect, or a
 timeout message of its own. Yes?

 (I've done a general checkup and made some comments below, though only
 the iptables bits seem related to any errors).

> The server that handle squid is the main gateway of the entire
> network.
> I'm using iptables with a rule that forward 80 port requests to the
> 3128
> squid port
> -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

 There are a few other rules needed for REDIRECT to work and safely:
   http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect

>
> squid is just set has http_port 3128 transparent
>
> squid version:
> Squid Cache: Version 3.1.11
> configure options: '--prefix=/usr' '--includedir=/include'
> '--mandir=/share/man' '--infodir=/share/info' '--sysconfdir=/etc'
> '--localstatedir=/var' '--libexecdir=/lib/squid3'
> '--disable-maintainer-mode' '--disable-dependency-tracking'
> '--srcdir=.'
> '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3'
> '--mandir=/usr/share/man' '--enable-gnuregex' '--enable-forward-log'
> '--enable-removal-policy=heap' '--enable-follow-x-forwarded-for'
> '--enable-http-violations' '--enable-large-cache-files'
> '--enable-removal-policies=lru,heap' '--enable-err-languages=English'
> '--enable-default-err-language=English' '--with-maxfd=32000'
> '--with-large-files' '--disable-dlmalloc' '--with-pthreads'
> '--enable-esi' '--enable-storeio=aufs,diskd,ufs'
> '--with-aufs-threads=10' '--with-maxfd=16384'
> '--enable-useragent-log'
> '--enable-referer-log' '--enable-x-accelerator-vary' '--with-dl'
> '--enable-truncate' '--enable-linux-netfilter'
> '--with-filedescriptors=16384' '--enable-wccpv2' '--enable-arp-acl'
> '--enable-auth=basic,digest'
> '--enable-digest-auth-helpers=ldap,password'
>
> '--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group'
> '--enable-basic-auth-helpers=LDAP' '--with-default-user=squid'
> '--enable-icap-client' '--enable-cache-digests'
> '--enable-icap-support' '--enable-poll' '--enable-epoll'
> '--enable-async-io' '--enable-delay-pools' '--enable-ssl'
> '--enable-ssl-crtd' 'CFLAGS=-DNUMTHREADS=60 -O3 -pipe
> -fomit-frame-pointer -funroll-loops -ffast-math -fno-exceptions'
> 'CPPFLAGS=-I../libltdl'
>
> Here it is the squid configuration file
>
> # IS 3.1 YES
> acl localhost src 127.0.0.1/8 0.0.0.0/32
> acl to_localhost dst 127.0.0.1/8 0.0.0.0/32

 Add ::1 to both of the above ACLs.

> acl manager proto cache_object
> auth_param basic credentialsttl 2 hour
> authenticate_ttl 1 hour
> authenticate_ip_ttl 60 seconds

 You seem to have no other auth settings. Those can be removed since
 there is actually no helper for them to affect.

 <snip>
>
>
> # --------- RULES DEFINITIONS
> url_rewrite_access deny localhost
> url_rewrite_access deny whitelisted_mac_computers
> url_rewrite_access allow all
> http_access allow whitelisted_mac_computers
> http_access allow AIM_methods AIM_ports AIM_nets
> http_access allow AIM_methods AIM_ports AIM_hosts
> http_access allow IRC_methods IRC_ports IRC_hosts
> http_access allow IRC_methods IRC_ports IRC_domains
> http_access allow YIM_methods YIM_ports YIM_hosts
> http_access allow YIM_methods YIM_ports YIM_domains
> http_access allow GTALK_ports GTALK_hosts GTALK_methods
> http_access allow GTALK_methods GTALK_ports GTALK_domains
> http_access allow MSN_ports MSN_domains MSN_methods
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access allow manager localhost
> http_access allow purge localhost
> http_access deny purge
> http_access deny blockedsites
> http_access allow office_network
> http_access deny to_localhost

 "deny to_localhost" makes no sense way down here. It should be at the
 top of the list, if you need it at all.

> http_access deny all
> # --------- ICAP Services.(0 service(s))
>
> # --------- ident_lookup_access
> hierarchy_stoplist cgi-bin ?
>
> # --------- General settings
> visible_hostname proxy.touzeau.com
>
> # --------- time-out
> dead_peer_timeout 10 seconds
> dns_timeout 2 minutes
> connect_timeout 1600 seconds

 In 3.1 this is the time for DNS lookup + TCP SYN-ACK to the found IPs.
 Are you sure you want to make it a half hour?

 <snip>
>
> cache_dir ufs /var/cache/squid 2000 16 256
> # --------- OTHER CACHES
> cache_dir ufs /home/squid-cache/cache3 20000 16 256
> cache_dir ufs /home/squid-cache/cache2 8000 16 256
>

 On Linux you can gain a fair bit of speed with altering that to AUFS.

 Amos
Received on Sun Nov 27 2011 - 22:45:38 MST

This archive was generated by hypermail 2.2.0 : Mon Nov 28 2011 - 12:00:02 MST