On Monday 28 November 2011 at 11:45 +1300, Amos Jeffries wrote:
> On Sun, 27 Nov 2011 20:54:13 +0100, David Touzeau wrote:
> > Thanks Amos,
> >
> > here are my settings
>
> And the particular wrong messages which you are seeing?
>
>
> From this I would guess your browser displays unable to connect, or a
> timeout message of its own. Yes?

Yes, that is it... none of the Squid error templates are seen, just the browser's own error.

>
>
> (I've done a general checkup and made some comments below, though only
> the iptables bits seem related to any errors).
>
> > The server that handles squid is the main gateway of the entire
> > network.
> > I'm using iptables with a rule that forwards 80 port requests to the
> > 3128
> > squid port
> > -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
>
> There are a few other rules needed for REDIRECT to work and safely:
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect

You are right! I have seen that in 3.1x or 3.2x it should be changed to "intercept" instead of "transparent".
I will first check iptables and this new configuration and come back to you...

When you say "On Linux you can gain a fair bit of speed with altering that to AUFS", I am thinking of changing to diskd.
Should diskd obtain better performance than AUFS?

> connect_timeout 1600 seconds
In 3.1 this is the time for DNS lookup + TCP SYN-ACK to the found IPs.
Are you sure you want to make it a half hour?

OK, but for you, is it better to increase or decrease this value?

> >
> >
> >
> > squid is just set as http_port 3128 transparent
> >
> > squid version:
> > Squid Cache: Version 3.1.11
> > configure options: '--prefix=/usr' '--includedir=/include'
> > '--mandir=/share/man' '--infodir=/share/info' '--sysconfdir=/etc'
> > '--localstatedir=/var' '--libexecdir=/lib/squid3'
> > '--disable-maintainer-mode' '--disable-dependency-tracking'
> > '--srcdir=.'
> > '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3'
> > '--mandir=/usr/share/man' '--enable-gnuregex' '--enable-forward-log'
> > '--enable-removal-policy=heap' '--enable-follow-x-forwarded-for'
> > '--enable-http-violations' '--enable-large-cache-files'
> > '--enable-removal-policies=lru,heap' '--enable-err-languages=English'
> > '--enable-default-err-language=English' '--with-maxfd=32000'
> > '--with-large-files' '--disable-dlmalloc' '--with-pthreads'
> > '--enable-esi' '--enable-storeio=aufs,diskd,ufs'
> > '--with-aufs-threads=10' '--with-maxfd=16384'
> > '--enable-useragent-log'
> > '--enable-referer-log' '--enable-x-accelerator-vary' '--with-dl'
> > '--enable-truncate' '--enable-linux-netfilter'
> > '--with-filedescriptors=16384' '--enable-wccpv2' '--enable-arp-acl'
> > '--enable-auth=basic,digest'
> > '--enable-digest-auth-helpers=ldap,password'
> >
> > '--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group'
> > '--enable-basic-auth-helpers=LDAP' '--with-default-user=squid'
> > '--enable-icap-client' '--enable-cache-digests'
> > '--enable-icap-support' '--enable-poll' '--enable-epoll'
> > '--enable-async-io' '--enable-delay-pools' '--enable-ssl'
> > '--enable-ssl-crtd' 'CFLAGS=-DNUMTHREADS=60 -O3 -pipe
> > -fomit-frame-pointer -funroll-loops -ffast-math -fno-exceptions'
> > 'CPPFLAGS=-I../libltdl'
> >
> > Here is the squid configuration file
> >
> > # IS 3.1 YES
> > acl localhost src 127.0.0.1/8 0.0.0.0/32
> > acl to_localhost dst 127.0.0.1/8 0.0.0.0/32
>
> Add ::1 to both of the above ACLs.
>
> > acl manager proto cache_object
> > auth_param basic credentialsttl 2 hour
> > authenticate_ttl 1 hour
> > authenticate_ip_ttl 60 seconds
>
> You seem to have no other auth settings. Those can be removed since
> there is actually no helper for them to affect.
>
> > <snip>
> >
> >
> >
> > # --------- RULES DEFINITIONS
> > url_rewrite_access deny localhost
> > url_rewrite_access deny whitelisted_mac_computers
> > url_rewrite_access allow all
> > http_access allow whitelisted_mac_computers
> > http_access allow AIM_methods AIM_ports AIM_nets
> > http_access allow AIM_methods AIM_ports AIM_hosts
> > http_access allow IRC_methods IRC_ports IRC_hosts
> > http_access allow IRC_methods IRC_ports IRC_domains
> > http_access allow YIM_methods YIM_ports YIM_hosts
> > http_access allow YIM_methods YIM_ports YIM_domains
> > http_access allow GTALK_ports GTALK_hosts GTALK_methods
> > http_access allow GTALK_methods GTALK_ports GTALK_domains
> > http_access allow MSN_ports MSN_domains MSN_methods
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > http_access allow localhost
> > http_access allow manager localhost
> > http_access allow purge localhost
> > http_access deny purge
> > http_access deny blockedsites
> > http_access allow office_network
> > http_access deny to_localhost
>
> "deny to_localhost" makes no sense way down here. It should be at the
> top of the list, if you need it at all.
>
> > http_access deny all
> > # --------- ICAP Services.(0 service(s))
> >
> > # --------- ident_lookup_access
> > hierarchy_stoplist cgi-bin ?
> >
> > # --------- General settings
> > visible_hostname proxy.touzeau.com
> >
> > # --------- time-out
> > dead_peer_timeout 10 seconds
> > dns_timeout 2 minutes
> > connect_timeout 1600 seconds
>
> In 3.1 this is the time for DNS lookup + TCP SYN-ACK to the found IPs.
> Are you sure you want to make it a half hour?

OK, but for you, is it better to increase or decrease this value?

>
> > <snip>
> >
> > cache_dir ufs /var/cache/squid 2000 16 256
> > # --------- OTHER CACHES
> > cache_dir ufs /home/squid-cache/cache3 20000 16 256
> > cache_dir ufs /home/squid-cache/cache2 8000 16 256
> >
>
> On Linux you can gain a fair bit of speed with altering that to AUFS.

When you say "On Linux you can gain a fair bit of speed with altering that to AUFS", I am thinking of changing to diskd.
Should diskd obtain better performance than AUFS?

>
>
> Amos
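
Added example, not part of the original message and not Squid code: a small first-match evaluator over the tail of the http_access list quoted above, showing why "deny to_localhost" placed after "allow office_network" never applies to office clients. ACL names are treated as pre-evaluated true/false facts about one request; the request set and the helper names are assumptions made for illustration.

```python
# Constructed excerpt: the tail of the http_access list quoted in the message.
RULES = """\
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow manager localhost
http_access allow purge localhost
http_access deny purge
http_access deny blockedsites
http_access allow office_network
http_access deny to_localhost
http_access deny all
"""

def parse(text):
    """Return [(action, [acl, ...])] for each http_access line."""
    rules = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "http_access" and parts[1] in ("allow", "deny"):
            rules.append((parts[1], parts[2:]))
    return rules

def decide(rules, true_acls):
    """First matching line wins; a line matches when all its ACLs match.

    true_acls is an assumed, pre-evaluated set of ACL names that hold for one
    request. Returns (action, 1-based line index), index None if no line matched.
    """
    facts = set(true_acls) | {"all"}
    for n, (action, acls) in enumerate(rules, 1):
        if all((a[1:] not in facts) if a.startswith("!") else (a in facts) for a in acls):
            return action, n
    # No match: Squid applies the opposite of the last line (deny if the list is empty).
    return ("allow" if rules and rules[-1][0] == "deny" else "deny"), None

def hoist_deny(rules, acl):
    """Copy of rules with 'deny <acl>' moved to the top, as the reply advises."""
    target = ("deny", [acl])
    return [target] + [r for r in rules if r != target]

# Constructed request: an office client asking for a loopback destination.
REQUEST = {"office_network", "to_localhost", "Safe_ports"}

if __name__ == "__main__":
    rules = parse(RULES)
    print("as posted:", decide(rules, REQUEST))
    print("deny first:", decide(hoist_deny(rules, "to_localhost"), REQUEST))
```
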