Re: Cachemgr.cgi -- access denied

From: Elfredy V. Cadapan <>
Date: Tue, 27 May 1997 16:24:58 +0800 (CST)

On Mon, 26 May 1997 wrote:

>Date: Sat, 24 May 1997 09:20:15 +0800 (HKT)
>From: Francis Vidal <>
>To: Squid Users <>
>Subject: Cachemgr.cgi -- access denied

>hello squidders!

>i had a hard time making cachemgr.cgi work. i installed squid 1.1.9 on my
>system (linux 2.0.30). here's my squid.conf file:

>---BEGIN squid.conf---

>acl manager proto cache_object

># Only allow access to the cache manager functions from the local host.
>http_access deny manager !localhost

This is the line that controls access to your cachemgr.cgi - this means
only a browser running on the Squid machine which is NOT using the proxy,
i.e Netscape with proxy options off. (this is important - "localhost"
means a browser connecting to the localhost interface, and not the
ethernet/PPP/whathaveyou interface).
If you want to allow access from another machine, do

acl src machineacl ip.address.of.machine/

http_access deny manager !machineacl

This will allow a browser from that machine to connect, only if it is NOT
using the proxy again. It has to connect to port 80 of the squid machine,
and not 3128 (or whatever port you use).

Strange feature/bug:

I've found that if you allow cachemgr access from the squid machine
itself, but using the ip address instead of localhost:

acl src squidacl ip.address.of.squidmachine/
http_access deny manager !squidacl

you effectively allow access to your manager to ALL browsers using your
cache, because the CGI program sees requests from squid, and not from the

To fix this, I think you can do one of several things:

1. add passwords to every function of the manager.
2. don't allow manager functions from the squid machine, and switch off
proxying every time you need to access cachemgr.
3. use Automatic proxy configuration, and edit your .pac file so that
cachemgr requests go DIRECT.

 Elfredy Cadapan
  Institute of Computer Science, UP at Los Banos
  Home page :
Received on Tue May 27 1997 - 01:19:25 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:35:16 MST