Re: [squid-users] Display Squid Errors on browsers in transparent mode

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 28 Nov 2011 12:36:12 +1300

 On Sun, 27 Nov 2011 23:59:15 +0100, David Touzeau wrote:
> On Monday 28 November 2011 at 11:45 +1300, Amos Jeffries wrote:
>> On Sun, 27 Nov 2011 20:54:13 +0100, David Touzeau wrote:
>> > Thanks Amos,
>> >
>> > here are my settings
>>
>> And the particular wrong messages which you are seeing?
>>
>>
>> From this I would guess your browser displays "unable to connect", or a
>> timeout message of its own. Yes?
>
> Yes, that's it. None of the Squid error templates are seen, just the
> browser's own error.
>

 Then I think the problem is the absence of a 'bypass' iptables rule.
 Squid's outgoing packets to service the request can get looped back to
 Squid. The browser sees this as a no-response timeout after sending the
 request. Squid sees it as the server never responding.

 You solve this one by configuring iptables to bypass the Squid IP in the
 NAT rules (as mentioned in the wiki link).
 You ensure "via on" is configured (the default setting), to get Squid
 to detect this looping back and produce an error instead of hanging.

>>
>> (I've done a general checkup and made some comments below, though only
>> the iptables bits seem related to any errors).
>>
>> > The server that handles squid is the main gateway of the entire
>> > network.
>> > I'm using iptables with a rule that forwards port 80 requests to the
>> > squid port 3128:
>> > -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
>>
>> There are a few other rules needed for REDIRECT to work and safely:
>>
>> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
>
> You are right! I have seen that in 3.1.x or 3.2.x it should be changed
> to "intercept" instead of "transparent".
> I will first check iptables and this new configuration and come back
> to you...
>
> When you say "On Linux you can gain a fair bit of speed with altering
> that to AUFS", I think of changing to diskd.
> Should diskd obtain better performance than AUFS??

 On Linux AUFS is faster. diskd is in between UFS (slowest) and AUFS
 (fastest).
 There is a bug which makes AUFS as slow as UFS on BSD based systems,
 which is apparently where the perception of diskd being fastest is
 coming from.

>
>> > connect_timeout 1600 seconds
>>
>> In 3.1 this is the time for DNS lookup + TCP SYN-ACK to the found IPs.
>> Are you sure you want to make it a half hour?
>
> Ok, but in your view, is it better to increase or decrease this value?
>

 IMO lower.

 Users notoriously don't like waiting more than a few seconds for
 things to load, with a minute or two for the more patient users. So any
 increase above that needs to be considered in light of the connectivity
 speed and desired response times (accepting that an error is a
 response).
 The Squid defaults are set at 1 minute here to be responsive at the
 outer bound of user patience.

>> >
>> > squid is just set has http_port 3128 transparent
>> >
>> > squid version:
>> > Squid Cache: Version 3.1.11
>> > configure options: '--prefix=/usr' '--includedir=/include'
>> > '--mandir=/share/man' '--infodir=/share/info' '--sysconfdir=/etc'
>> > '--localstatedir=/var' '--libexecdir=/lib/squid3'
>> > '--disable-maintainer-mode' '--disable-dependency-tracking'
>> > '--srcdir=.' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3'
>> > '--mandir=/usr/share/man' '--enable-gnuregex' '--enable-forward-log'
>> > '--enable-removal-policy=heap' '--enable-follow-x-forwarded-for'
>> > '--enable-http-violations' '--enable-large-cache-files'
>> > '--enable-removal-policies=lru,heap' '--enable-err-languages=English'
>> > '--enable-default-err-language=English' '--with-maxfd=32000'
>> > '--with-large-files' '--disable-dlmalloc' '--with-pthreads'
>> > '--enable-esi' '--enable-storeio=aufs,diskd,ufs'
>> > '--with-aufs-threads=10' '--with-maxfd=16384' '--enable-useragent-log'
>> > '--enable-referer-log' '--enable-x-accelerator-vary' '--with-dl'
>> > '--enable-truncate' '--enable-linux-netfilter'
>> > '--with-filedescriptors=16384' '--enable-wccpv2' '--enable-arp-acl'
>> > '--enable-auth=basic,digest'
>> > '--enable-digest-auth-helpers=ldap,password'
>> > '--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group'
>> > '--enable-basic-auth-helpers=LDAP' '--with-default-user=squid'
>> > '--enable-icap-client' '--enable-cache-digests'
>> > '--enable-icap-support' '--enable-poll' '--enable-epoll'
>> > '--enable-async-io' '--enable-delay-pools' '--enable-ssl'
>> > '--enable-ssl-crtd' 'CFLAGS=-DNUMTHREADS=60 -O3 -pipe
>> > -fomit-frame-pointer -funroll-loops -ffast-math -fno-exceptions'
>> > 'CPPFLAGS=-I../libltdl'

 Hmm, just noticed '--with-maxfd=32000' '--with-maxfd=16384'
 '--with-filedescriptors=16384' might be worth fixing. These three
 settings all change the same config value.

 Amos
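[Editor's note, added to the archive page and not part of the thread above or of the Squid project's documentation: the script below shows the "bypass before REDIRECT" rule ordering Amos recommends, next to the single REDIRECT rule David posted, plus a check that the bypass actually precedes the redirect. The LAN interface eth1, the gateway/Squid address 192.0.2.1, the intercept port 3128 and the squid uid (from --with-default-user=squid) are assumed values; the owner-match OUTPUT rule is the editor's addition for the case where locally generated port 80 traffic is also redirected on the gateway.]

```shell
#!/bin/sh
# Added example (editor's, not from the squid-users thread or the Squid wiki).
# Generates iptables commands for intercepting port 80 on a Linux gateway that
# runs Squid itself. Nothing is applied; review the output first, then:
#   gen_rules 192.0.2.1 3128 eth1 | sudo sh
# Assumed values: 192.0.2.1 = gateway/Squid LAN IP, 3128 = http_port with
# "intercept", eth1 = LAN-facing interface, "squid" = uid Squid runs as.

# Rule set with the bypass rule in front of the REDIRECT.
gen_rules() {
    squid_ip=$1; squid_port=$2; lan_if=$3
    # 1. Bypass first: packets whose source is the Squid host must never be
    #    redirected back into Squid, otherwise Squid ends up talking to itself
    #    and the client sees its browser's own timeout page instead of a Squid
    #    error page (the forwarding-loop symptom from the thread).
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p tcp --dport 80 -j ACCEPT\n' \
        "$lan_if" "$squid_ip"
    # 2. Only then intercept everybody else's port 80 arriving from the LAN.
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' \
        "$lan_if" "$squid_port"
    # 3. Editor's addition: if port 80 is ever redirected in the OUTPUT chain
    #    as well, exempt sockets owned by the squid user so its upstream
    #    fetches leave untouched. Harmless when no OUTPUT redirect exists.
    printf 'iptables -t nat -A OUTPUT -m owner --uid-owner squid -p tcp --dport 80 -j ACCEPT\n'
}

# The single rule from the original post, for comparison: no bypass at all.
weak_rules() {
    printf 'iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports %s\n' "$1"
}

# Check a rule list (read from stdin) for the ordering that matters:
# an ACCEPT for the Squid IP in nat/PREROUTING must come before any REDIRECT.
# Returns 0 when the bypass precedes the redirect, 1 otherwise.
check_bypass_first() {
    awk -v ip="$1" '
        /-A PREROUTING/ && /-j ACCEPT/ && index($0, "-s " ip " ") { seen = 1 }
        /-A PREROUTING/ && /-j REDIRECT/ && !seen                 { bad = 1 }
        END { exit (bad ? 1 : 0) }'
}
```

Run `gen_rules 192.0.2.1 3128 eth1 | check_bypass_first 192.0.2.1` to confirm the ordering before applying; the same check against `weak_rules 3128` fails, which is exactly the configuration that produced the browser's own timeout page in the thread. Remember that iptables appends in the order given, so a bypass rule added after the REDIRECT is never reached.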
Received on Sun Nov 27 2011 - 23:36:25 MST

This archive was generated by hypermail 2.2.0 : Mon Nov 28 2011 - 12:00:02 MST