Re: [squid-users] Display Squid Errors on browsers in transparent mode

From: David Touzeau <david_at_touzeau.eu>
Date: Sun, 27 Nov 2011 20:54:13 +0100

Thanks AMos,

here it is my settings
The server that handle squid is the main gateway of the entire network.
I'm using iptables with a rule that forward 80 port requests to the 3128
squid port
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

squid is just set has http_port 3128 transparent

squid version:
Squid Cache: Version 3.1.11
configure options: '--prefix=/usr' '--includedir=/include'
'--mandir=/share/man' '--infodir=/share/info' '--sysconfdir=/etc'
'--localstatedir=/var' '--libexecdir=/lib/squid3'
'--disable-maintainer-mode' '--disable-dependency-tracking' '--srcdir=.'
'--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3'
'--mandir=/usr/share/man' '--enable-gnuregex' '--enable-forward-log'
'--enable-removal-policy=heap' '--enable-follow-x-forwarded-for'
'--enable-http-violations' '--enable-large-cache-files'
'--enable-removal-policies=lru,heap' '--enable-err-languages=English'
'--enable-default-err-language=English' '--with-maxfd=32000'
'--with-large-files' '--disable-dlmalloc' '--with-pthreads'
'--enable-esi' '--enable-storeio=aufs,diskd,ufs'
'--with-aufs-threads=10' '--with-maxfd=16384' '--enable-useragent-log'
'--enable-referer-log' '--enable-x-accelerator-vary' '--with-dl'
'--enable-truncate' '--enable-linux-netfilter'
'--with-filedescriptors=16384' '--enable-wccpv2' '--enable-arp-acl'
'--enable-auth=basic,digest'
'--enable-digest-auth-helpers=ldap,password'
'--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group' '--enable-basic-auth-helpers=LDAP' '--with-default-user=squid' '--enable-icap-client' '--enable-cache-digests' '--enable-icap-support' '--enable-poll' '--enable-epoll' '--enable-async-io' '--enable-delay-pools' '--enable-ssl' '--enable-ssl-crtd' 'CFLAGS=-DNUMTHREADS=60 -O3 -pipe -fomit-frame-pointer -funroll-loops -ffast-math -fno-exceptions' 'CPPFLAGS=-I../libltdl'

Here it is the squid configuration file

# IS 3.1 YES
acl localhost src 127.0.0.1/8 0.0.0.0/32
acl to_localhost dst 127.0.0.1/8 0.0.0.0/32
acl manager proto cache_object
auth_param basic credentialsttl 2 hour
authenticate_ttl 1 hour
authenticate_ip_ttl 60 seconds
#--------- TWEEKS PERFORMANCES
# http://blog.last.fm/2007/08/30/squid-optimization-guide
memory_pools off
quick_abort_min 0 KB
quick_abort_max 0 KB
log_icp_queries off
client_db off
buffered_logs on
half_closed_clients off

#--------- UfdbGuard
url_rewrite_program /usr/bin/ufdbgclient -l /var/log/squid
url_rewrite_children 20 startup=5 idle=1 concurrency=0

#--------- SQUID PARENTS (feature not enabled)

#--------- acls
acl blockedsites url_regex "/etc/squid3/squid-block.acl"
acl CONNECT method CONNECT
acl purge method PURGE
acl FTP proto FTP

acl office_network src all

#--------- MAIN RULES...
always_direct allow FTP
# --------- SAFE ports
acl Safe_ports port 80 #http
acl Safe_ports port 22 #ssh
acl Safe_ports port 443 563 #https, snews
acl Safe_ports port 1863 #msn
acl Safe_ports port 70 #gopher
acl Safe_ports port 210 #wais
acl Safe_ports port 1025-65535 #unregistered ports
acl Safe_ports port 280 #http-mgmt
acl Safe_ports port 488 #gss-http
acl Safe_ports port 591 #filemaker
acl Safe_ports port 777 #multiling http
acl Safe_ports port 631 #cups
acl Safe_ports port 873 #rsync
acl Safe_ports port 901 #SWAT
acl Safe_ports port 20 #ftp-data
acl Safe_ports port 21 #ftp#
# --------- Use x-forwarded-for for local Dansguardian or load balancers
log_uses_indirect_client on
follow_x_forwarded_for allow localhost
acl SSL_ports port 9000 #Artica
acl SSL_ports port 443 #HTTPS
acl SSL_ports port 563 #https, snews
acl SSL_ports port 6667 #tchat
acl whitelisted_mac_computers arp
"/etc/squid3/whitelisted-computers-by-mac.acl

# AOL Instant Messenger to connect to oscar.aol.com
acl AIM_ports port 5190 9898
acl AIM_domains dstdomain .oscar.aol.com .blue.aol.com
acl AIM_domains dstdomain .messaging.aol.com .aim.com
acl AIM_hosts dstdomain login.oscar.aol.com
login.glogin.messaging.aol.com toc.oscar.aol.com
acl AIM_nets dst 64.12.0.0/255.255.0.0
acl AIM_methods method CONNECT

# Permit IRC
acl IRC_ports port 6667
acl IRC_domains dstdomain .freenode.net
acl IRC_hosts dstdomain irc.freenode.net
acl IRC_methods method CONNECT

# Permit Yahoo Messenger
acl YIM_ports port 5050
acl YIM_domains dstdomain .yahoo.com .yahoo.co.jp
acl YIM_hosts dstdomain scs.msg.yahoo.com cs.yahoo.co.jp
acl YIM_methods method CONNECT

# Permit Google Talk
acl GTALK_ports port 5222 5050 443
acl GTALK_domains dstdomain .google.com
acl GTALK_hosts dstdomain talk.google.com
acl GTALK_methods method CONNECT

# Permit MSN
acl MSN_ports port 1863 443 1503
acl MSN_domains
dstdomain .microsoft.com .hotmail.com .live.com .msft.net .msn.com .passport.com
acl MSN_methods method CONNECT

# --------- RULES DEFINITIONS
url_rewrite_access deny localhost
url_rewrite_access deny whitelisted_mac_computers
url_rewrite_access allow all
http_access allow whitelisted_mac_computers
http_access allow AIM_methods AIM_ports AIM_nets
http_access allow AIM_methods AIM_ports AIM_hosts
http_access allow IRC_methods IRC_ports IRC_hosts
http_access allow IRC_methods IRC_ports IRC_domains
http_access allow YIM_methods YIM_ports YIM_hosts
http_access allow YIM_methods YIM_ports YIM_domains
http_access allow GTALK_ports GTALK_hosts GTALK_methods
http_access allow GTALK_methods GTALK_ports GTALK_domains
http_access allow MSN_ports MSN_domains MSN_methods
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow manager localhost
http_access allow purge localhost
http_access deny purge
http_access deny blockedsites
http_access allow office_network
http_access deny to_localhost
http_access deny all
# --------- ICAP Services.(0 service(s))

# --------- ident_lookup_access
hierarchy_stoplist cgi-bin ?

# --------- General settings
visible_hostname proxy.touzeau.com

# --------- time-out
dead_peer_timeout 10 seconds
dns_timeout 2 minutes
connect_timeout 1600 seconds
persistent_request_timeout 3 minutes
pconn_timeout 1600 seconds

maximum_object_size 300 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 2 MB

#http/https ports
http_port 3128 transparent
http_port 3129

# --------- SSL Rules

# --------- Caches
cache_effective_user squid
cache_effective_group squid
#cache_replacement_policy heap LFUDA
cache_mem 512 MB
cache_swap_high 90
cache_swap_low 95
# --------- DNS and ip caches
ipcache_size 51200
ipcache_low 90
ipcache_high 95
fqdncache_size 51200

# --------- SPECIFIC DNS SERVERS
dns_nameservers 192.168.1.1

#--------- FTP specific parameters
ftp_passive on
ftp_sanitycheck off
ftp_epsv off
ftp_epsv_all off
ftp_telnet_protocol off

debug_options ALL,1

#Logs-------------------------------------------------
coredump_dir /var/squid/cache
cache_log /var/log/squid/cache.log
pid_filename /var/run/squid.pid
error_directory /usr/share/squid-langpack/en
cache_store_log /var/log/squid/store.log
access_log none manager
access_log syslog:authpriv.info common

cache_dir ufs /var/cache/squid 2000 16 256
# --------- OTHER CACHES
cache_dir ufs /home/squid-cache/cache3 20000 16 256
cache_dir ufs /home/squid-cache/cache2 8000 16 256

Le dimanche 27 novembre 2011 à 14:21 +1300, Amos Jeffries a écrit :
> On 27/11/2011 6:33 a.m., David Touzeau wrote:
> > I think is normal but is there any tips/tweaks in order to display SQUID
> > pages error when using squid in transparent mode.
> >
> >
> > When connecting directly to the port, the error is correctly generated
> > by Squid
> >
> > When using the transparent mode only the browser display errors.
> >
> > Best regards.
> >
>
> Please avoid the fuzzy word "transparent". By itself the word is too
> fuzzy to convey much meaning. There are a many modes which are all
> called "transparent [something]" and doing very, very different things...
>
> Authentication replies (including transparent authentication) always
> supply Squid error page. The browser choice to use transparent
> authentication instead of popups prevents it being shown. There is
> nothing you can do about this browser feature except use web-form based
> authentication.
>
> None of the other "transparent" modes currently supported by Squid has
> anything particularly to do with error pages display, you configure
> error page reply bodies with deny_info the same way as with regular traffic.
>
> For any further help, you will need to supply some details about which
> "transparent" you are talking, and what errors are happening that you
> want to avoid. Probably what configuration you are using as well.
>
> Amos
Received on Sun Nov 27 2011 - 19:54:25 MST

This archive was generated by hypermail 2.2.0 : Mon Nov 28 2011 - 12:00:02 MST