- On Mon, 26 May 1997 squid-users-digest-request@nlanr.net wrote:
-
- >Date: Sat, 24 May 1997 09:20:15 +0800 (HKT)
- >From: Francis Vidal <francis@linux1.usls.edu>
-
- >i had a hard time making cachemgr.cgi work. i installed squid 1.1.9 on my
- >system (linux 2.0.30). here's my squid.conf file:
-
- >---BEGIN squid.conf---
-
- >acl manager proto cache_object
-
- ># Only allow access to the cache manager functions from the local host.
- >http_access deny manager !localhost
-
- This is the line that controls access to your cachemgr.cgi - this means
- only a browser running on the Squid machine which is NOT using the proxy,
- i.e. Netscape with proxy options off. (this is important - "localhost"
- means a browser connecting to the localhost interface, and not the
- ethernet/PPP/whathaveyou interface).
- If you want to allow access from another machine, do
-
- acl machineacl src ip.address.of.machine/255.255.255.255
-
- http_access deny manager !machineacl
-
- This will allow a browser from that machine to connect, only if it is NOT
- using the proxy again. It has to connect to port 80 of the squid machine,
- and not 3128 (or whatever port you use).
This is just plain wrong. You need to allow access for the HTTP server
that runs the cachemgr.cgi program, NOT the web browser. Below is the
relevant section lifted from my notes. It covers more than this topic but I
think it will serve here. The key thing is to use the 'client' program; it can
be used to debug access permission problems (telnet will also work).
The problem with getting the cachemgr.cgi working is that if it doesn't
work first time you don't have much to go on as to where the problem is.
Is it squid access rules, the web server, the browser? Generally it is the
squid access rules.
-------------------------------------
acl
http_access
- A common request is "How do I stop other people on the internet from
using my squid cache?". The acls and access rules can allow you to
do that. Quite complex setups can be achieved though I will only
detail a simple case.
First get squid running and your browsers working through it BEFORE
playing with the acls as they can cause subtle problems so you need
to know that squid is working before changing things.
The default acl setup is to be wide open and is below (minus
comments).

acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443 563
acl Dangerous_ports port 7 9 19
acl CONNECT method CONNECT
http_access deny manager !localhost
http_access deny CONNECT !SSL_ports
http_access deny Dangerous_ports
http_access allow all
icp_access allow all

Assume your IP address range is xxx.yyy.zzz.0 (class C) then you
define an extra acl like

acl ours src xxx.yyy.zzz.0/255.255.255.0
acl web_ours src xxx.yyy.zzz.NNN/255.255.255.255

'web_ours' is one of your web server hosts; this is needed for the
cachemgr.cgi program (very useful and worth the hassle to set up).
This does not need to be your main web server. You use the acls like
this.

acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443 563
acl Dangerous_ports port 7 9 19
acl CONNECT method CONNECT
acl ours src xxx.yyy.zzz.0/255.255.255.0
acl web_ours src xxx.yyy.zzz.NNN/255.255.255.255
http_access deny manager !localhost !web_ours
http_access deny CONNECT !SSL_ports
http_access deny Dangerous_ports
http_access allow localhost
http_access allow ours
http_access deny all
icp_access allow ours
icp_access deny all

This denies all access except what you explicitly enable, in this case
the 'ours' acl of IP addresses.
Take the cachemgr.cgi program and put it on a web server in the
cgi-bin directory or anywhere executables can be run by the web
server. Make sure your web server has been told that cachemgr.cgi is
allowed to execute or whatever. Then from your browser try
"http://<web_ours as listed above>/cgi-bin/cachemgr.cgi" and it should
present you with a screen like below.

Cache Manager Interface
This is a WWW interface to the instrumentation interface for the Squid object cache.
Cache Host:
Cache Port:
Password :
URL :

Fill in the name of your squid machine and the port, ignore the
password and click on "submit query". If all goes well then
you will end up with a screen full of information. If not then
you will get an "access denied" type message.
If you get the access denied message you probably have a mistake in
your acls & http_access rules. A simple program that can help you
to resolve acl problems can be found in /usr/local/squid/bin,
called client (assuming you did a standard configure and install).
On the proxy machine itself try

/usr/local/squid/bin/client -p <squid port> cache_object://a/info

If it works you should see something like the following:

{
{Squid Object Cache: Version 1.1.8}
{Start Time: Thu, 10 Apr 1997 08:20:45 GMT}
{Current Time: Thu, 10 Apr 1997 10:42:09 GMT}
{Connection information for squid:}
...

If you get another access denied type message then your acls are
definitely wrong and you need to fix them before you can have a chance
of getting the cachemgr.cgi program to work.
-------------------------------------
If 'client' on the proxy server works then try 'client' from the web
server machine listed in the acl rules (web_ours in my example).

client -p <squid port> -h <proxy machine> cache_object://a/info

Get this working before trying a browser with

http://<web_ours>/cgi-bin/cachemgr.cgi

Note: if you aren't getting anywhere then add a

http_access allow all

as the first http_access rule TEMPORARILY and then see if you can access the
monitoring functions. Again use 'client'. If this doesn't work then you need
to sit down and re-check everything including assumptions. If it does work,
try

debug_options ALL,1 28,99

in your squid.conf file; this will turn on acl debugging information in your
cache.log file. Wading through all that should pin-point the acl problem you
have.
--
Neil Murray                    Email: Neil.Murray@aone.com.au
Access One Pty. Ltd.           http://www.aone.net.au/
41 Malcolm Rd., Braeside       Phone: +61 3 9239 1444
Victoria, Australia 3195       Fax:   +61 3 9587 3954

Received on Tue May 27 1997 - 03:01:19 MDT
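An added example, not part of Neil's message or of Squid itself, that models how Squid walks the http_access list in the second listing above on a first-match basis, so you can check on paper why it is the web server host running cachemgr.cgi (web_ours), and not the browser's machine, that has to be excepted in the manager rule. It assumes the documented rule that when no http_access line matches, the opposite of the last line's action applies, and it uses 192.0.2.0/24 and 192.0.2.10 as constructed stand-ins for xxx.yyy.zzz.0 and the web server's xxx.yyy.zzz.NNN.

```python
import ipaddress

# Constructed config mirroring the message's second acl/http_access listing;
# 192.0.2.0/24 stands in for xxx.yyy.zzz.0 and 192.0.2.10 for the web server.
ACLS = {
    "manager":         ("proto",  ["cache_object"]),
    "localhost":       ("src",    ["127.0.0.1/255.255.255.255"]),
    "all":             ("src",    ["0.0.0.0/0.0.0.0"]),
    "SSL_ports":       ("port",   ["443", "563"]),
    "Dangerous_ports": ("port",   ["7", "9", "19"]),
    "CONNECT":         ("method", ["CONNECT"]),
    "ours":            ("src",    ["192.0.2.0/255.255.255.0"]),
    "web_ours":        ("src",    ["192.0.2.10/255.255.255.255"]),
}
HTTP_ACCESS = [
    ("deny",  ["manager", "!localhost", "!web_ours"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("deny",  ["Dangerous_ports"]),
    ("allow", ["localhost"]),
    ("allow", ["ours"]),
    ("deny",  ["all"]),
]

def acl_matches(name, req):
    """True if the named acl matches the request (src, proto, port, method only)."""
    kind, values = ACLS[name]
    if kind == "src":
        addr = ipaddress.ip_address(req["src"])
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    return str(req[kind]) in values

def http_access(req, rules=HTTP_ACCESS):
    """First-match evaluation: a line fires only when every element on it
    matches ('!' negates an element).  If no line fires, the opposite of the
    last line's action applies (assumed here), which is why 'deny all' goes last."""
    action = "allow"
    for action, elems in rules:
        if all(acl_matches(e.lstrip("!"), req) != e.startswith("!") for e in elems):
            return action
    return "deny" if action == "allow" else "allow"

def request(src, proto="http", port=80, method="GET"):
    return {"src": src, "proto": proto, "port": port, "method": method}

if __name__ == "__main__":
    # cachemgr.cgi on the web server host is what talks to Squid: allowed
    print(http_access(request("192.0.2.10", proto="cache_object", port=3128)))
    # a browser on some other LAN host asking for cache_object directly: denied
    print(http_access(request("192.0.2.20", proto="cache_object", port=3128)))
```

Prepending ("allow", ["all"]) to the rules reproduces the TEMPORARY 'allow all' debugging step from the note above: every request, including the manager ones, then comes back "allow".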
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:35:16 MST