Re: Display Squid Errors on browsers in transparent mode

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

On Sun, 27 Nov 2011 20:54:13 +0100, David Touzeau wrote:
> Thanks AMos,
>
> here it is my settings

And the particular wrong messages which you are seeing?


From this I would guess your browser displays unable to connect, or a 
timeout message of its own. Yes?


(I've done a general checkup and made some comments below, though only 
the iptables bits seem related to any errors).

> The server that handle squid is the main gateway of the entire 
> network.
> I'm using iptables with a rule that forward 80 port requests to the 
> 3128
> squid port
> -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

There are a few other rules needed for REDIRECT to work and safely:
  http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect


> squid is just set has http_port 3128 transparent
>
> squid version:
> Squid Cache: Version 3.1.11
> configure options:  '--prefix=/usr' '--includedir=/include'
> '--mandir=/share/man' '--infodir=/share/info' '--sysconfdir=/etc'
> '--localstatedir=/var' '--libexecdir=/lib/squid3'
> '--disable-maintainer-mode' '--disable-dependency-tracking' 
> '--srcdir=.'
> '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3'
> '--mandir=/usr/share/man' '--enable-gnuregex' '--enable-forward-log'
> '--enable-removal-policy=heap' '--enable-follow-x-forwarded-for'
> '--enable-http-violations' '--enable-large-cache-files'
> '--enable-removal-policies=lru,heap' '--enable-err-languages=English'
> '--enable-default-err-language=English' '--with-maxfd=32000'
> '--with-large-files' '--disable-dlmalloc' '--with-pthreads'
> '--enable-esi' '--enable-storeio=aufs,diskd,ufs'
> '--with-aufs-threads=10' '--with-maxfd=16384' 
> '--enable-useragent-log'
> '--enable-referer-log' '--enable-x-accelerator-vary' '--with-dl'
> '--enable-truncate' '--enable-linux-netfilter'
> '--with-filedescriptors=16384' '--enable-wccpv2' '--enable-arp-acl'
> '--enable-auth=basic,digest'
> '--enable-digest-auth-helpers=ldap,password'
>
> '--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group'
> '--enable-basic-auth-helpers=LDAP' '--with-default-user=squid'
> '--enable-icap-client' '--enable-cache-digests'
> '--enable-icap-support' '--enable-poll' '--enable-epoll'
> '--enable-async-io' '--enable-delay-pools' '--enable-ssl'
> '--enable-ssl-crtd' 'CFLAGS=-DNUMTHREADS=60 -O3 -pipe
> -fomit-frame-pointer -funroll-loops -ffast-math -fno-exceptions'
> 'CPPFLAGS=-I../libltdl'
>
> Here it is the squid configuration file
>
> # IS 3.1 YES
> acl localhost src 127.0.0.1/8 0.0.0.0/32
> acl to_localhost dst 127.0.0.1/8 0.0.0.0/32

Add ::1 to both of the above ACLs.

> acl manager proto cache_object
> auth_param basic credentialsttl 2 hour
> authenticate_ttl 1 hour
> authenticate_ip_ttl 60 seconds

You seem to have no other auth settings. Those can be removed since 
there is actually no helper for them to affect.

<snip>
> # ---------  RULES DEFINITIONS
> url_rewrite_access deny localhost
> url_rewrite_access deny whitelisted_mac_computers
> url_rewrite_access allow all
> http_access allow whitelisted_mac_computers
> http_access allow AIM_methods AIM_ports AIM_nets
> http_access allow AIM_methods AIM_ports AIM_hosts
> http_access allow IRC_methods IRC_ports IRC_hosts
> http_access allow IRC_methods IRC_ports IRC_domains
> http_access allow YIM_methods YIM_ports YIM_hosts
> http_access allow YIM_methods YIM_ports YIM_domains
> http_access allow  GTALK_ports GTALK_hosts GTALK_methods
> http_access allow GTALK_methods GTALK_ports GTALK_domains
> http_access allow MSN_ports MSN_domains MSN_methods
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access allow manager localhost
> http_access allow purge localhost
> http_access deny purge
> http_access deny blockedsites
> http_access allow office_network
> http_access deny to_localhost

"deny to_localhost" makes no sense way down here. It should be at the 
top of the list, if you need it at all.

> http_access deny all
> # --------- ICAP Services.(0 service(s))
>
> # --------- ident_lookup_access
> hierarchy_stoplist cgi-bin ?
>
> # --------- General settings
> visible_hostname proxy.touzeau.com
>
> # --------- time-out
> dead_peer_timeout 10 seconds
> dns_timeout 2 minutes
> connect_timeout 1600 seconds

In 3.1 this is the time for DNS lookup + TCP SYN-ACK to the found IPs. 
Are you sure you want to make it a half hour?

<snip>
> cache_dir	ufs /var/cache/squid 2000 16 256
> # --------- OTHER CACHES
> cache_dir ufs /home/squid-cache/cache3 20000 16 256
> cache_dir ufs /home/squid-cache/cache2 8000 16 256

On Linux you can gain a fair bit of speed with altering that to AUFS.


Amos