Re: [squid-users] Display Squid Errors on browsers in transparent mode

From: David Touzeau <david_at_touzeau.eu>
Date: Mon, 28 Nov 2011 19:28:17 +0100

On Monday 28 November 2011 at 12:36 +1300, Amos Jeffries wrote:
> On Sun, 27 Nov 2011 23:59:15 +0100, David Touzeau wrote:
> > On Monday 28 November 2011 at 11:45 +1300, Amos Jeffries wrote:
> >> On Sun, 27 Nov 2011 20:54:13 +0100, David Touzeau wrote:
> >> > Thanks Amos,
> >> >
> >> > here are my settings
> >>
> >> And the particular wrong messages which you are seeing?
> >>
> >>
> >> From this I would guess your browser displays unable to connect, or a
> >> timeout message of its own. Yes?
> >
> > Yes, that's it.. none of the squid error templates are seen, just the
> > browser error itself.
> >
>
> Then I think the problem is the absence of a 'bypass' iptables rule.
> Squid outgoing packets to service the request can get looped back at Squid.
> The browser sees this as no response timeout after sending the request.
> Squid sees it as the server never responding.
>
> You solve this one by configuring iptables to bypass the Squid IP on
> NAT rules (as mentioned in the wiki link).
> You ensure "via on" is configured (the default setting), to get Squid
> to detect these looping back and produce an error instead of hanging.
>
>
> >>
> >> (I've done a general checkup and made some comments below, though
> >> only
> >> the iptables bits seem related to any errors).
> >>
> >> > The server that handles squid is the main gateway of the entire
> >> > network.
> >> > I'm using iptables with a rule that forwards port 80 requests to the
> >> > 3128 squid port
> >> > -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
> >>
> >> There are a few other rules needed for REDIRECT to work and safely:
> >>
> >> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
> >
> > You are right! I have seen that in 3.1x or 3.2x it should be changed
> > to "intercept" instead of "transparent".
> > I will first check iptables and this new configuration and come back
> > to you...
> >
> > When you say "On Linux you can gain a fair bit of speed with
> > altering that to AUFS"
> > I am thinking of changing to diskd.
> > Should diskd obtain better performance than AUFS?
>
> On Linux AUFS is faster. diskd is in between UFS (slowest) and AUFS
> (fastest).
> There is a bug which makes AUFS as slow as UFS on BSD based systems.
> Which is where the diskd being fastest perception is apparently coming
> from.
>
>
> >
> >> connect_timeout 1600 seconds
> > In 3.1 this is the time for DNS lookup + TCP SYN-ACK to the found
> > IPs.
> > Are you sure you want to make it a half hour?
> > Ok but for you, is it better to increase or decrease this value ?
> >
>
> IMO lower.
>
> The users notoriously don't like waiting more than a few seconds for
> things to load. With a minute or two on the more patient users. So any
> increase above that needs to be considered in light of the connectivity
> speed and desired response times (accepting that an error is a
> response).
> The Squid defaults are set at 1 minute here to be responsive at the
> outer bound of user patience.
>
> >> >
> >> > squid is just set as http_port 3128 transparent
> >> >
> >> > squid version:
> >> > Squid Cache: Version 3.1.11
> >> > configure options: '--prefix=/usr' '--includedir=/include'
> >> > '--mandir=/share/man' '--infodir=/share/info' '--sysconfdir=/etc'
> >> > '--localstatedir=/var' '--libexecdir=/lib/squid3'
> >> > '--disable-maintainer-mode' '--disable-dependency-tracking'
> >> > '--srcdir=.'
> >> > '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3'
> >> > '--mandir=/usr/share/man' '--enable-gnuregex'
> >> '--enable-forward-log'
> >> > '--enable-removal-policy=heap' '--enable-follow-x-forwarded-for'
> >> > '--enable-http-violations' '--enable-large-cache-files'
> >> > '--enable-removal-policies=lru,heap'
> >> '--enable-err-languages=English'
> >> > '--enable-default-err-language=English' '--with-maxfd=32000'
> >> > '--with-large-files' '--disable-dlmalloc' '--with-pthreads'
> >> > '--enable-esi' '--enable-storeio=aufs,diskd,ufs'
> >> > '--with-aufs-threads=10' '--with-maxfd=16384'
> >> > '--enable-useragent-log'
> >> > '--enable-referer-log' '--enable-x-accelerator-vary' '--with-dl'
> >> > '--enable-truncate' '--enable-linux-netfilter'
> >> > '--with-filedescriptors=16384' '--enable-wccpv2'
> >> '--enable-arp-acl'
> >> > '--enable-auth=basic,digest'
> >> > '--enable-digest-auth-helpers=ldap,password'
> >> >
> >> >
> >> '--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group'
> >> > '--enable-basic-auth-helpers=LDAP' '--with-default-user=squid'
> >> > '--enable-icap-client' '--enable-cache-digests'
> >> > '--enable-icap-support' '--enable-poll' '--enable-epoll'
> >> > '--enable-async-io' '--enable-delay-pools' '--enable-ssl'
> >> > '--enable-ssl-crtd' 'CFLAGS=-DNUMTHREADS=60 -O3 -pipe
> >> > -fomit-frame-pointer -funroll-loops -ffast-math -fno-exceptions'
> >> > 'CPPFLAGS=-I../libltdl'
>
> Hmm, just noticed '--with-maxfd=32000' '--with-maxfd=16384'
> '--with-filedescriptors=16384' might be worth fixing. These three
> settings all change the same config value.
>
>
> Amos
>

Amos,

I would like to thank you for your technical answers and your huge
squid technical skills.

Your answers resolve my issue easily!! I'm your fan!
Received on Mon Nov 28 2011 - 18:28:27 MST
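
Added example, not part of the original messages or of the Squid wiki: a check for the 'bypass' ordering discussed in the thread, run over `iptables-save` text. It reports whether an ACCEPT rule for the Squid IP on `--dport 80` comes before the port-80 REDIRECT in nat PREROUTING. The function name, the sample rulesets and the address 192.0.2.10 are assumptions made for illustration.

```shell
# check_bypass SQUID_IP < iptables-save text
# 0: ACCEPT for SQUID_IP precedes the port-80 REDIRECT in nat PREROUTING
# 1: REDIRECT reached with no earlier bypass   2: no port-80 REDIRECT found
check_bypass() {
    awk -v ip="$1" '
        /^\*/ { table = substr($0, 2) }       # table header: *nat, *filter, ...
        table != "nat" || $1 != "-A" || $2 != "PREROUTING" { next }
        {
            src = ""; dport = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            sub(/\/32$/, "", src)             # iptables-save prints hosts as a.b.c.d/32
            if (dport != "80") next
            if (target == "ACCEPT" && src == ip) bypass = 1
            if (target == "REDIRECT") { found = 1; exit }
        }
        END { if (!found) exit 2; exit (bypass ? 0 : 1) }
    '
}

# Constructed sample: only the rule quoted in the thread, no bypass.
ruleset_loop() {
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' \
        '-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128' \
        'COMMIT'
}

# Constructed sample: same redirect, preceded by a bypass for 192.0.2.10
# (a documentation address standing in for the Squid IP; an assumption).
ruleset_fixed() {
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' \
        '-A PREROUTING -s 192.0.2.10/32 -p tcp -m tcp --dport 80 -j ACCEPT' \
        '-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128' \
        'COMMIT'
}

for name in loop fixed; do
    if "ruleset_$name" | check_bypass 192.0.2.10; then
        echo "$name: bypass precedes REDIRECT"
    else
        echo "$name: REDIRECT without an earlier bypass for the Squid IP"
    fi
done
```

On a live gateway the same function can read `iptables-save -t nat` on standard input, with the real Squid address as its argument.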
