Thanks Amos, here are my settings.

The server that handles squid is the main gateway of the entire network.
I'm using iptables with a rule that forwards port 80 requests to the squid port 3128:

-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

squid is just set as

http_port 3128 transparent

squid version:

Squid Cache: Version 3.1.11
configure options: '--prefix=/usr' '--includedir=/include' '--mandir=/share/man' '--infodir=/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=/lib/squid3' '--disable-maintainer-mode' '--disable-dependency-tracking' '--srcdir=.' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man' '--enable-gnuregex' '--enable-forward-log' '--enable-removal-policy=heap' '--enable-follow-x-forwarded-for' '--enable-http-violations' '--enable-large-cache-files' '--enable-removal-policies=lru,heap' '--enable-err-languages=English' '--enable-default-err-language=English' '--with-maxfd=32000' '--with-large-files' '--disable-dlmalloc' '--with-pthreads' '--enable-esi' '--enable-storeio=aufs,diskd,ufs' '--with-aufs-threads=10' '--with-maxfd=16384' '--enable-useragent-log' '--enable-referer-log' '--enable-x-accelerator-vary' '--with-dl' '--enable-truncate' '--enable-linux-netfilter' '--with-filedescriptors=16384' '--enable-wccpv2' '--enable-arp-acl' '--enable-auth=basic,digest' '--enable-digest-auth-helpers=ldap,password' '--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group' '--enable-basic-auth-helpers=LDAP' '--with-default-user=squid' '--enable-icap-client' '--enable-cache-digests' '--enable-icap-support' '--enable-poll' '--enable-epoll' '--enable-async-io' '--enable-delay-pools' '--enable-ssl' '--enable-ssl-crtd' 'CFLAGS=-DNUMTHREADS=60 -O3 -pipe -fomit-frame-pointer -funroll-loops -ffast-math -fno-exceptions' 'CPPFLAGS=-I../libltdl'

Here is the squid configuration file:

# IS 3.1 YES
acl localhost src 127.0.0.1/8 0.0.0.0/32
acl to_localhost dst 127.0.0.1/8 0.0.0.0/32
acl manager proto cache_object
auth_param basic credentialsttl 2 hour
authenticate_ttl 1 hour
authenticate_ip_ttl 60 seconds
#--------- TWEEKS PERFORMANCES
# http://blog.last.fm/2007/08/30/squid-optimization-guide
memory_pools off
quick_abort_min 0 KB
quick_abort_max 0 KB
log_icp_queries off
client_db off
buffered_logs on
half_closed_clients off
#--------- UfdbGuard
url_rewrite_program /usr/bin/ufdbgclient -l /var/log/squid
url_rewrite_children 20 startup=5 idle=1 concurrency=0
#--------- SQUID PARENTS (feature not enabled)
#--------- acls
acl blockedsites url_regex "/etc/squid3/squid-block.acl"
acl CONNECT method CONNECT
acl purge method PURGE
acl FTP proto FTP
acl office_network src all
#--------- MAIN RULES...
always_direct allow FTP
# --------- SAFE ports
acl Safe_ports port 80 #http
acl Safe_ports port 22 #ssh
acl Safe_ports port 443 563 #https, snews
acl Safe_ports port 1863 #msn
acl Safe_ports port 70 #gopher
acl Safe_ports port 210 #wais
acl Safe_ports port 1025-65535 #unregistered ports
acl Safe_ports port 280 #http-mgmt
acl Safe_ports port 488 #gss-http
acl Safe_ports port 591 #filemaker
acl Safe_ports port 777 #multiling http
acl Safe_ports port 631 #cups
acl Safe_ports port 873 #rsync
acl Safe_ports port 901 #SWAT
acl Safe_ports port 20 #ftp-data
acl Safe_ports port 21 #ftp#
# --------- Use x-forwarded-for for local Dansguardian or load balancers
log_uses_indirect_client on
follow_x_forwarded_for allow localhost
acl SSL_ports port 9000 #Artica
acl SSL_ports port 443 #HTTPS
acl SSL_ports port 563 #https, snews
acl SSL_ports port 6667 #tchat
acl whitelisted_mac_computers arp "/etc/squid3/whitelisted-computers-by-mac.acl"
# AOL Instant Messenger to connect to oscar.aol.com
acl AIM_ports port 5190 9898
acl AIM_domains dstdomain .oscar.aol.com .blue.aol.com
acl AIM_domains dstdomain .messaging.aol.com .aim.com
acl AIM_hosts dstdomain login.oscar.aol.com login.glogin.messaging.aol.com toc.oscar.aol.com
acl AIM_nets dst 64.12.0.0/255.255.0.0
acl AIM_methods method CONNECT
# Permit IRC
acl IRC_ports port 6667
acl IRC_domains dstdomain .freenode.net
acl IRC_hosts dstdomain irc.freenode.net
acl IRC_methods method CONNECT
# Permit Yahoo Messenger
acl YIM_ports port 5050
acl YIM_domains dstdomain .yahoo.com .yahoo.co.jp
acl YIM_hosts dstdomain scs.msg.yahoo.com cs.yahoo.co.jp
acl YIM_methods method CONNECT
# Permit Google Talk
acl GTALK_ports port 5222 5050 443
acl GTALK_domains dstdomain .google.com
acl GTALK_hosts dstdomain talk.google.com
acl GTALK_methods method CONNECT
# Permit MSN
acl MSN_ports port 1863 443 1503
acl MSN_domains dstdomain .microsoft.com .hotmail.com .live.com .msft.net .msn.com .passport.com
acl MSN_methods method CONNECT
# --------- RULES DEFINITIONS
url_rewrite_access deny localhost
url_rewrite_access deny whitelisted_mac_computers
url_rewrite_access allow all
http_access allow whitelisted_mac_computers
http_access allow AIM_methods AIM_ports AIM_nets
http_access allow AIM_methods AIM_ports AIM_hosts
http_access allow IRC_methods IRC_ports IRC_hosts
http_access allow IRC_methods IRC_ports IRC_domains
http_access allow YIM_methods YIM_ports YIM_hosts
http_access allow YIM_methods YIM_ports YIM_domains
http_access allow GTALK_ports GTALK_hosts GTALK_methods
http_access allow GTALK_methods GTALK_ports GTALK_domains
http_access allow MSN_ports MSN_domains MSN_methods
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow manager localhost
http_access allow purge localhost
http_access deny purge
http_access deny blockedsites
http_access allow office_network
http_access deny to_localhost
http_access deny all
# --------- ICAP Services.(0 service(s))
# --------- ident_lookup_access
hierarchy_stoplist cgi-bin ?
# --------- General settings
visible_hostname proxy.touzeau.com
# --------- time-out
dead_peer_timeout 10 seconds
dns_timeout 2 minutes
connect_timeout 1600 seconds
persistent_request_timeout 3 minutes
pconn_timeout 1600 seconds
maximum_object_size 300 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 2 MB
#http/https ports
http_port 3128 transparent
http_port 3129
# --------- SSL Rules
# --------- Caches
cache_effective_user squid
cache_effective_group squid
#cache_replacement_policy heap LFUDA
cache_mem 512 MB
cache_swap_high 90
cache_swap_low 95
# --------- DNS and ip caches
ipcache_size 51200
ipcache_low 90
ipcache_high 95
fqdncache_size 51200
# --------- SPECIFIC DNS SERVERS
dns_nameservers 192.168.1.1
#--------- FTP specific parameters
ftp_passive on
ftp_sanitycheck off
ftp_epsv off
ftp_epsv_all off
ftp_telnet_protocol off
debug_options ALL,1
#Logs-------------------------------------------------
coredump_dir /var/squid/cache
cache_log /var/log/squid/cache.log
pid_filename /var/run/squid.pid
error_directory /usr/share/squid-langpack/en
cache_store_log /var/log/squid/store.log
access_log none manager
access_log syslog:authpriv.info common
cache_dir ufs /var/cache/squid 2000 16 256
# --------- OTHER CACHES
cache_dir ufs /home/squid-cache/cache3 20000 16 256
cache_dir ufs /home/squid-cache/cache2 8000 16 256

On Sunday 27 November 2011 at 14:21 +1300, Amos Jeffries wrote:
> On 27/11/2011 6:33 a.m., David Touzeau wrote:
> > I think it is normal, but are there any tips/tweaks in order to display
> > SQUID error pages when using squid in transparent mode?
> >
> >
> > When connecting directly to the port, the error is correctly generated
> > by Squid
> >
> > When using the transparent mode only the browser displays errors.
> >
> > Best regards.
> >
>
> Please avoid the fuzzy word "transparent". By itself the word is too
> fuzzy to convey much meaning. There are many modes which are all
> called "transparent [something]" and doing very, very different things...
>
> Authentication replies (including transparent authentication) always
> supply a Squid error page. The browser's choice to use transparent
> authentication instead of popups prevents it being shown. There is
> nothing you can do about this browser feature except use web-form based
> authentication.
>
> None of the other "transparent" modes currently supported by Squid has
> anything particularly to do with error page display; you configure
> error page reply bodies with deny_info the same way as with regular traffic.
>
> For any further help, you will need to supply some details about which
> "transparent" you are talking about, and what errors are happening that you
> want to avoid. Probably what configuration you are using as well.
>
> Amos
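
The deny_info mechanism Amos refers to, as an added example that is not part of the original thread: Squid looks up the error page under the last ACL named on the http_access deny line that matched, and falls back to ERR_ACCESS_DENIED when that ACL has no deny_info entry. The sketch applies that lookup to the deny rules from the posted configuration; the two deny_info lines, the template name ERR_BLOCKED_SITE and the .invalid URL are constructed for illustration.

```python
# Added example, not code from the thread or from Squid itself.
DEFAULT_PAGE = "ERR_ACCESS_DENIED"  # stock template used when no deny_info applies

# The http_access deny lines are copied from the posted squid.conf. The two
# deny_info lines are constructed: ERR_BLOCKED_SITE is a hypothetical template
# name and the .invalid URL is a placeholder.
SAMPLE_CONF = """\
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny purge
http_access deny blockedsites
http_access deny to_localhost
http_access deny all
deny_info ERR_BLOCKED_SITE blockedsites
deny_info http://proxy.example.invalid/ports.html SSL_ports
"""


def deny_pages(conf_text):
    """Map each 'http_access deny' rule to the error page it would return."""
    deny_info = {}   # ACL name -> template name or redirect URL
    deny_rules = []  # (rule text, name of the last ACL on the line)
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(tokens) >= 3 and tokens[0] == "deny_info":
            deny_info[tokens[2]] = tokens[1]
        elif len(tokens) >= 3 and tokens[:2] == ["http_access", "deny"]:
            # The page is keyed on the last ACL named on the line; a leading
            # "!" only negates the match, it is not part of the ACL name.
            deny_rules.append((" ".join(tokens[2:]), tokens[-1].lstrip("!")))
    # Resolve after the whole file is read: deny_info may follow http_access.
    return [(rule, deny_info.get(acl, DEFAULT_PAGE)) for rule, acl in deny_rules]


if __name__ == "__main__":
    for rule, page in deny_pages(SAMPLE_CONF):
        print(f"deny {rule:<22} -> {page}")
```

Rules that map to ERR_ACCESS_DENIED are the ones a user cannot tell apart from the error page alone; giving the ACL its own deny_info entry is what distinguishes them.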