Re: Display Squid Errors on browsers in transparent mode


On Sun, 27 Nov 2011 23:59:15 +0100, David Touzeau wrote:
On Monday, 28 November 2011 at 11:45 +1300, Amos Jeffries wrote:
On Sun, 27 Nov 2011 20:54:13 +0100, David Touzeau wrote:
> Thanks Amos,
>
> here are my settings

 And the particular wrong messages which you are seeing?


From this I would guess your browser displays unable to connect, or a
 timeout message of its own. Yes?

Yes, that's it... none of the Squid error templates are seen, just the
browser error itself.


Then I think the problem is the absence of a 'bypass' iptables rule. Squid's outgoing packets to service the request can get looped back at Squid. The browser sees this as a no-response timeout after sending the request. Squid sees it as the server never responding.

You solve this one by configuring iptables to bypass the Squid IP on NAT rules (as mentioned in the wiki link). You ensure "via on" is configured (the default setting), to get Squid to detect these looping back and produce an error instead of hanging.



(I've done a general checkup and made some comments below, though only
 the iptables bits seem related to any errors).

> The server that handle squid is the main gateway of the entire
> network.
> I'm using iptables with a rule that forward 80 port requests to the
> 3128
> squid port
> -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

 There are a few other rules needed for REDIRECT to work and safely:
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect

You are right! I have seen that in 3.1x or 3.2x it should be changed
to "intercept" instead of "transparent".
I will check before iptables and this new configuration and come back to
you...

When you say "On Linux you can gain a fair bit of speed with altering
that to AUFS"
I think changing to diskd
Should diskd obtain better performance than AUFS?

On Linux AUFS is faster. diskd is in between UFS (slowest) and AUFS (fastest). There is a bug which makes AUFS as slow as UFS on BSD based systems. Which is where the diskd being fastest perception is apparently coming from.



connect_timeout 1600 seconds
In 3.1 this is the time for DNS lookup + TCP SYN-ACK to the found IPs.
Are you sure you want to make it a half hour?
Ok, but for you, is it better to increase or decrease this value?


IMO lower.

The users notoriously don't like waiting more than a few seconds for things to load, with a minute or two for the more patient users. So any increase above that needs to be considered in light of the connectivity speed and desired response times (accepting that an error is a response). The Squid defaults are set at 1 minute here to be responsive at the outer bound of user patience.

>
> squid is just set as http_port 3128 transparent
>
> squid version:
> Squid Cache: Version 3.1.11
> configure options:  '--prefix=/usr' '--includedir=/include'
> '--mandir=/share/man' '--infodir=/share/info' '--sysconfdir=/etc'
> '--localstatedir=/var' '--libexecdir=/lib/squid3'
> '--disable-maintainer-mode' '--disable-dependency-tracking'
> '--srcdir=.'
> '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3'
> '--mandir=/usr/share/man' '--enable-gnuregex' '--enable-forward-log'
> '--enable-removal-policy=heap' '--enable-follow-x-forwarded-for'
> '--enable-http-violations' '--enable-large-cache-files'
> '--enable-removal-policies=lru,heap' '--enable-err-languages=English'
> '--enable-default-err-language=English' '--with-maxfd=32000'
> '--with-large-files' '--disable-dlmalloc' '--with-pthreads'
> '--enable-esi' '--enable-storeio=aufs,diskd,ufs'
> '--with-aufs-threads=10' '--with-maxfd=16384'
> '--enable-useragent-log'
> '--enable-referer-log' '--enable-x-accelerator-vary' '--with-dl'
> '--enable-truncate' '--enable-linux-netfilter'
> '--with-filedescriptors=16384' '--enable-wccpv2' '--enable-arp-acl'
> '--enable-auth=basic,digest'
> '--enable-digest-auth-helpers=ldap,password'
>
> '--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group'
> '--enable-basic-auth-helpers=LDAP' '--with-default-user=squid'
> '--enable-icap-client' '--enable-cache-digests'
> '--enable-icap-support' '--enable-poll' '--enable-epoll'
> '--enable-async-io' '--enable-delay-pools' '--enable-ssl'
> '--enable-ssl-crtd' 'CFLAGS=-DNUMTHREADS=60 -O3 -pipe
> -fomit-frame-pointer -funroll-loops -ffast-math -fno-exceptions'
> 'CPPFLAGS=-I../libltdl'

Hmm, just noticed '--with-maxfd=32000' '--with-maxfd=16384' '--with-filedescriptors=16384' might be worth fixing. These three settings all change the same config value.


Amos
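
The bypass described above, turned into a check over `iptables-save` output. This is an added example, not part of the original message or of the Squid project. The function name `check_bypass`, the sample dumps and the Squid address 192.0.2.1 are constructed for illustration, and the check assumes the bypass is written as an ACCEPT for the Squid IP ahead of the port-80 REDIRECT in nat PREROUTING.

```shell
#!/bin/sh
# check_bypass SQUID_IP   (reads an iptables-save dump on stdin)
# exit 0: an ACCEPT for SQUID_IP to port 80 precedes the REDIRECT
# exit 1: REDIRECT found with no earlier bypass (Squid can loop to itself)
# exit 2: no port-80 REDIRECT in nat PREROUTING at all
check_bypass() {
    awk -v ip="$1" '
        /^\*/ { table = $1 }                 # table header: *nat, *mangle, ...
        table != "*nat" || $1 != "-A" || $2 != "PREROUTING" { next }
        {
            src = ""; dport = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-s")      src = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            sub(/\/32$/, "", src)            # iptables-save prints host as /32
            if (dport != "80") next
            # Rule order matters: only a bypass seen before the REDIRECT counts.
            if (target == "ACCEPT" && src == ip && !redirect) bypass = 1
            if (target == "REDIRECT" && !redirect) { redirect = 1; ok = bypass }
        }
        END { if (!redirect) exit 2; exit (ok ? 0 : 1) }
    '
}

# Constructed sample: only the REDIRECT rule quoted in the thread.
sample_looping() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
EOF
}

# Constructed sample: bypass for the Squid IP placed ahead of the REDIRECT.
sample_fixed() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -s 192.0.2.1/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
EOF
}
```

On the gateway itself, run it as root with `iptables-save | check_bypass <squid-ip>` and check `$?`.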


