Re: [squid-users] Display Squid Errors on browsers in transparent mode

From: David Touzeau <david_at_touzeau.eu>
Date: Sun, 27 Nov 2011 23:59:15 +0100

On Monday 28 November 2011 at 11:45 +1300, Amos Jeffries wrote:
> On Sun, 27 Nov 2011 20:54:13 +0100, David Touzeau wrote:
> > Thanks Amos,
> >
> > here are my settings
>
> And the particular wrong messages which you are seeing?
>
>
> From this I would guess your browser displays unable to connect, or a
> timeout message of its own. Yes?

Yes, just that. None of the Squid error templates are seen, just the
browser's own error.

>
>
> (I've done a general checkup and made some comments below, though only
> the iptables bits seem related to any errors).
>
> > The server that handles squid is the main gateway of the entire
> > network.
> > I'm using iptables with a rule that forwards port 80 requests to the
> > 3128 squid port
> > -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
>
> There are a few other rules needed for REDIRECT to work and safely:
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect

You are right! I have seen that in 3.1x or 3.2x it should be changed
to "intercept" instead of "transparent".
I will first check iptables and this new configuration and come back to
you...

>
>
> >
> > squid is just set as http_port 3128 transparent
> >
> > squid version:
> > Squid Cache: Version 3.1.11
> > configure options: '--prefix=/usr' '--includedir=/include'
> > '--mandir=/share/man' '--infodir=/share/info' '--sysconfdir=/etc'
> > '--localstatedir=/var' '--libexecdir=/lib/squid3'
> > '--disable-maintainer-mode' '--disable-dependency-tracking'
> > '--srcdir=.'
> > '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3'
> > '--mandir=/usr/share/man' '--enable-gnuregex' '--enable-forward-log'
> > '--enable-removal-policy=heap' '--enable-follow-x-forwarded-for'
> > '--enable-http-violations' '--enable-large-cache-files'
> > '--enable-removal-policies=lru,heap' '--enable-err-languages=English'
> > '--enable-default-err-language=English' '--with-maxfd=32000'
> > '--with-large-files' '--disable-dlmalloc' '--with-pthreads'
> > '--enable-esi' '--enable-storeio=aufs,diskd,ufs'
> > '--with-aufs-threads=10' '--with-maxfd=16384'
> > '--enable-useragent-log'
> > '--enable-referer-log' '--enable-x-accelerator-vary' '--with-dl'
> > '--enable-truncate' '--enable-linux-netfilter'
> > '--with-filedescriptors=16384' '--enable-wccpv2' '--enable-arp-acl'
> > '--enable-auth=basic,digest'
> > '--enable-digest-auth-helpers=ldap,password'
> >
> > '--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group'
> > '--enable-basic-auth-helpers=LDAP' '--with-default-user=squid'
> > '--enable-icap-client' '--enable-cache-digests'
> > '--enable-icap-support' '--enable-poll' '--enable-epoll'
> > '--enable-async-io' '--enable-delay-pools' '--enable-ssl'
> > '--enable-ssl-crtd' 'CFLAGS=-DNUMTHREADS=60 -O3 -pipe
> > -fomit-frame-pointer -funroll-loops -ffast-math -fno-exceptions'
> > 'CPPFLAGS=-I../libltdl'
> >
> > Here is the squid configuration file
> >
> > # IS 3.1 YES
> > acl localhost src 127.0.0.1/8 0.0.0.0/32
> > acl to_localhost dst 127.0.0.1/8 0.0.0.0/32
>
> Add ::1 to both of the above ACLs.
>
> > acl manager proto cache_object
> > auth_param basic credentialsttl 2 hour
> > authenticate_ttl 1 hour
> > authenticate_ip_ttl 60 seconds
>
> You seem to have no other auth settings. Those can be removed since
> there is actually no helper for them to affect.
>
> <snip>
> >
> >
> > # --------- RULES DEFINITIONS
> > url_rewrite_access deny localhost
> > url_rewrite_access deny whitelisted_mac_computers
> > url_rewrite_access allow all
> > http_access allow whitelisted_mac_computers
> > http_access allow AIM_methods AIM_ports AIM_nets
> > http_access allow AIM_methods AIM_ports AIM_hosts
> > http_access allow IRC_methods IRC_ports IRC_hosts
> > http_access allow IRC_methods IRC_ports IRC_domains
> > http_access allow YIM_methods YIM_ports YIM_hosts
> > http_access allow YIM_methods YIM_ports YIM_domains
> > http_access allow GTALK_ports GTALK_hosts GTALK_methods
> > http_access allow GTALK_methods GTALK_ports GTALK_domains
> > http_access allow MSN_ports MSN_domains MSN_methods
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > http_access allow localhost
> > http_access allow manager localhost
> > http_access allow purge localhost
> > http_access deny purge
> > http_access deny blockedsites
> > http_access allow office_network
> > http_access deny to_localhost
>
> "deny to_localhost" makes no sense way down here. It should be at the
> top of the list, if you need it at all.
>
> > http_access deny all
> > # --------- ICAP Services.(0 service(s))
> >
> > # --------- ident_lookup_access
> > hierarchy_stoplist cgi-bin ?
> >
> > # --------- General settings
> > visible_hostname proxy.touzeau.com
> >
> > # --------- time-out
> > dead_peer_timeout 10 seconds
> > dns_timeout 2 minutes
> > connect_timeout 1600 seconds
>
> In 3.1 this is the time for DNS lookup + TCP SYN-ACK to the found IPs.
> Are you sure you want to make it a half hour?

OK, but for you, is it better to increase or decrease this value?

>
> <snip>
> >
> > cache_dir ufs /var/cache/squid 2000 16 256
> > # --------- OTHER CACHES
> > cache_dir ufs /home/squid-cache/cache3 20000 16 256
> > cache_dir ufs /home/squid-cache/cache2 8000 16 256
> >
>
> On Linux you can gain a fair bit of speed with altering that to AUFS.

When you say "On Linux you can gain a fair bit of speed with altering
that to AUFS":
I am thinking of changing to diskd.
Should diskd obtain better performance than AUFS?

>
>
> Amos
Received on Sun Nov 27 2011 - 22:59:23 MST
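
An added example, not part of the original message and not Squid's own tooling: a small Python linter that flags the squid.conf review points raised in this thread (`transparent` on 3.1+, localhost ACLs without `::1`, `auth_param` with no helper, `deny to_localhost` placed after allow rules, an oversized `connect_timeout`). The sample config is constructed from lines quoted above; the function name and the 120-second threshold are assumptions chosen for illustration.

```python
# Constructed sample: a trimmed squid.conf built from lines quoted in the thread.
SAMPLE_CONF = """\
http_port 3128 transparent
acl localhost src 127.0.0.1/8 0.0.0.0/32
acl to_localhost dst 127.0.0.1/8 0.0.0.0/32
auth_param basic credentialsttl 2 hour
http_access deny !Safe_ports
http_access allow office_network
http_access deny to_localhost
http_access deny all
connect_timeout 1600 seconds
"""

UNITS = {"second": 1, "minute": 60, "hour": 3600}

def lint_squid_conf(text, max_connect_timeout=120):
    """Return (line_number, message) findings; the threshold is an assumed value."""
    findings, directives = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if line:
            directives.append((n, line))
    has_auth_program = any(d[0] == "auth_param" and "program" in d[2:3] for _, d in directives)
    first_allow = None  # line of the first "http_access allow" rule seen
    for n, d in directives:
        name, args = d[0], d[1:]
        if name == "http_port" and "transparent" in args:
            findings.append((n, "use 'intercept' instead of 'transparent' on Squid 3.1+"))
        elif name == "acl" and args[:1] in (["localhost"], ["to_localhost"]) and "::1" not in args:
            findings.append((n, f"acl {args[0]} is missing ::1"))
        elif name == "auth_param" and not has_auth_program:
            findings.append((n, "auth_param without any helper 'program' has no effect"))
        elif name == "http_access":
            if args[:1] == ["allow"] and first_allow is None:
                first_allow = n
            if args == ["deny", "to_localhost"] and first_allow is not None:
                findings.append((n, f"'deny to_localhost' follows an allow rule (line {first_allow})"))
        elif name == "connect_timeout" and len(args) == 2:
            secs = int(args[0]) * UNITS.get(args[1].rstrip("s"), 1)
            if secs > max_connect_timeout:
                findings.append((n, f"connect_timeout is {secs}s (limit used here: {max_connect_timeout}s)"))
    return findings

if __name__ == "__main__":
    for n, msg in lint_squid_conf(SAMPLE_CONF):
        print(f"line {n}: {msg}")
```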
