On Monday 28 November 2011 at 12:36 +1300, Amos Jeffries wrote:
> On Sun, 27 Nov 2011 23:59:15 +0100, David Touzeau wrote:
> > On Monday 28 November 2011 at 11:45 +1300, Amos Jeffries wrote:
> >> On Sun, 27 Nov 2011 20:54:13 +0100, David Touzeau wrote:
> >> > Thanks Amos,
> >> >
> >> > here it is my settings
> >>
> >> And the particular wrong messages which you are seeing?
> >>
> >>
> >> From this I would guess your browser displays unable to connect, or a
> >> timeout message of its own. Yes?
> >
> > Yes this that.. none of squid error templates are seen, just the error
> > browser itself.
> >
>
> Then I think the problem is the absence of a 'bypass' iptables rule.
> Squid outgoing packets to service the request can loop back at Squid.
> The browser sees this as no response timeout after sending the request.
> Squid sees it as the server never responding.
>
> You solve this one by configuring iptables to bypass the Squid IP on
> NAT rules (as mentioned in the wiki link).
> You ensure "via on" is configured (the default setting), to get Squid
> to detect these looping back and produce an error instead of hanging.
>
>
> >>
> >> (I've done a general checkup and made some comments below, though only
> >> the iptables bits seem related to any errors).
> >>
> >> > The server that handle squid is the main gateway of the entire
> >> > network.
> >> > I'm using iptables with a rule that forward 80 port requests to the
> >> > 3128 squid port
> >> > -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
> >>
> >> There are a few other rules needed for REDIRECT to work and safely:
> >>
> >> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
> >
> > You are right !, I have seen that in 3.1x or 3.2x it should be changed
> > to "intercept" instead "transparent".
> > I will check before iptables and this new configuration and come back to
> > you...
> >
> > When you say " On Linux you can gain a fair bit of speed with altering
> > that to AUFS"
> > I think changing to diskd
> > Is diskd should obtain better performances than AUFS ??
>
> On Linux AUFS is faster. diskd is in between UFS (slowest) and AUFS
> (fastest).
> There is a bug which makes AUFS as slow as UFS on BSD based systems.
> Which is where the diskd being fastest perception is apparently coming
> from.
>
>
> >
> >> connect_timeout 1600 seconds
> > In 3.1 this is the time for DNS lookup + TCP SYN-ACK to the found IPs.
> > Are you sure you want to make it a half hour?
> > Ok but for you, is it better to increase or decrease this value ?
> >
>
> IMO lower.
>
> The users notoriously don't like waiting more than a few seconds for
> things to load. With a minute or two on the more patient users. So any
> increase above that needs to be considered in light of the connectivity
> speed and desired response times (accepting that an error is a
> response).
> The Squid defaults are set at 1 minute here to be responsive at the
> outer bound of user patience.
>
> >> >
> >> > squid is just set as http_port 3128 transparent
> >> >
> >> > squid version:
> >> > Squid Cache: Version 3.1.11
> >> > configure options: '--prefix=/usr' '--includedir=/include'
> >> > '--mandir=/share/man' '--infodir=/share/info' '--sysconfdir=/etc'
> >> > '--localstatedir=/var' '--libexecdir=/lib/squid3'
> >> > '--disable-maintainer-mode' '--disable-dependency-tracking'
> >> > '--srcdir=.'
> >> > '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3'
> >> > '--mandir=/usr/share/man' '--enable-gnuregex' '--enable-forward-log'
> >> > '--enable-removal-policy=heap' '--enable-follow-x-forwarded-for'
> >> > '--enable-http-violations' '--enable-large-cache-files'
> >> > '--enable-removal-policies=lru,heap' '--enable-err-languages=English'
> >> > '--enable-default-err-language=English' '--with-maxfd=32000'
> >> > '--with-large-files' '--disable-dlmalloc' '--with-pthreads'
> >> > '--enable-esi' '--enable-storeio=aufs,diskd,ufs'
> >> > '--with-aufs-threads=10' '--with-maxfd=16384'
> >> > '--enable-useragent-log'
> >> > '--enable-referer-log' '--enable-x-accelerator-vary' '--with-dl'
> >> > '--enable-truncate' '--enable-linux-netfilter'
> >> > '--with-filedescriptors=16384' '--enable-wccpv2' '--enable-arp-acl'
> >> > '--enable-auth=basic,digest'
> >> > '--enable-digest-auth-helpers=ldap,password'
> >> > '--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group'
> >> > '--enable-basic-auth-helpers=LDAP' '--with-default-user=squid'
> >> > '--enable-icap-client' '--enable-cache-digests'
> >> > '--enable-icap-support' '--enable-poll' '--enable-epoll'
> >> > '--enable-async-io' '--enable-delay-pools' '--enable-ssl'
> >> > '--enable-ssl-crtd' 'CFLAGS=-DNUMTHREADS=60 -O3 -pipe
> >> > -fomit-frame-pointer -funroll-loops -ffast-math -fno-exceptions'
> >> > 'CPPFLAGS=-I../libltdl'
>
> Hmm, just noticed '--with-maxfd=32000' '--with-maxfd=16384'
> '--with-filedescriptors=16384' might be worth fixing. These three
> settings all change the same config value.
>
>
> Amos
>

Amos, I would like to thank you for your technical answers and your huge squid technical skills.
Your answers resolve my issue easily !!
I'm your fan !
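
Added example, not part of the original thread and not Squid project code: a small audit of an `iptables-save` style nat dump that reports whether an ACCEPT bypass for the proxy's own address precedes the port-80 REDIRECT, plus a check that squid.conf has not turned `via` off. The function names, the address 192.0.2.10 and the sample rule sets are constructed; the bypass rule shape (source-IP ACCEPT ahead of the REDIRECT) is an assumed reading of the "bypass the Squid IP on NAT rules" advice quoted above.

```shell
#!/bin/sh
# Added example: audit an iptables-save style nat dump for the bypass rule.
# Function names, 192.0.2.10 and the sample rule sets are constructed.

# check_bypass SQUID_IP SQUID_PORT < rules
# 0 = an ACCEPT for SQUID_IP's port-80 traffic precedes the REDIRECT
# 1 = REDIRECT reached with no earlier bypass (proxy traffic can loop)
# 2 = no REDIRECT to SQUID_PORT found at all
check_bypass() {
    awk -v ip="$1" -v port="$2" '
        $1 == "-A" && $2 == "PREROUTING" {
            line = " " $0 " "
            http = (index(line, " --dport 80 ") > 0)
            from_squid = (index(line, " -s " ip " ") > 0 ||
                          index(line, " -s " ip "/32 ") > 0)
            if (http && from_squid && index(line, " -j ACCEPT ") > 0)
                bypass = 1
            if (http && index(line, " -j REDIRECT ") > 0 &&
                index(line, " --to-ports " port " ") > 0) {
                found = 1
                if (!bypass) looping = 1
            }
        }
        END { if (!found) exit 2; exit (looping ? 1 : 0) }
    '
}

# via_enabled < squid.conf : 1 if the last "via" directive is "off", else 0
# (no directive means the default, "on", so loop detection stays active).
via_enabled() {
    awk '$1 == "via" { v = $2 } END { exit ((v == "off") ? 1 : 0) }'
}

# Constructed sample: only the rule quoted in the thread.
rules_without_bypass() {
    printf '%s\n' '*nat' \
        '-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128' \
        'COMMIT'
}

# Constructed sample: same table with a bypass for the proxy's own address.
rules_with_bypass() {
    printf '%s\n' '*nat' \
        '-A PREROUTING -s 192.0.2.10/32 -p tcp -m tcp --dport 80 -j ACCEPT' \
        '-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128' \
        'COMMIT'
}

rules_without_bypass | check_bypass 192.0.2.10 3128 ||
    echo "no bypass before REDIRECT (status $?)"
```

On a live gateway the same functions can be fed from `iptables-save -t nat` and the real squid.conf instead of the constructed samples.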