Re: [squid-users] Problems with squidclient

From: Chris Robertson <crobertson_at_gci.net>
Date: Fri, 16 Jan 2009 11:59:43 -0900

Andreev Nikita wrote:
> Hi.
>
> I'm trying to get basic squid info by issuing 'squidclient -p 8080
> mgr:info'. Port 8080 is where our squid is listening for connections.
> All clients work fine through the squid. But squidclient returns an HTTP
> response (let's say mydomain.com is my domain):
>
>
> ERROR
> The requested URL could not be retrieved
>
> While trying to retrieve the URL:
> cache_object://localhost.mydomain.com/info
>
> The following error was encountered:
> Access Denied.
>
> Access control configuration prevents your request from
> being allowed at this time. Please contact your service provider if
> you feel this is incorrect.
>
> Your cache administrator is root_at_mydomain.com.
>
>
> Here are the squid access directives:
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny pubrooms pubrooms_ext
> http_access allow localhost
> http_access allow our_networks
> http_access deny all
>
> Here is the debug info:
>
> 2009/01/16 11:00:35| The request GET cache_object://localhost/info is ALLOWED, because it matched 'localhost'
>

Here the "http_request allow manager localhost" matched, so the request
was allowed.

> 2009/01/16 11:00:35| CACHEMGR: <unknown>@127.0.0.1 requesting 'info'
>
> 2009/01/16 11:00:35| The reply for GET
> cache_object://localhost.mydomain.com/info is DENIED, because it matched 'all'
>

What do your "reply_access" lines look like? The reply to this allowed
request is denied.

> 2009/01/16 11:00:35| The reply for GET
> cache_object://localhost.mydomain.com/info is ALLOWED, because it matched 'all'
>
> This debug output is absolutely unclear to me. Why does the same link
> hit the same acl with different results (deny and allow)?

Because that ACL is used in more than one rule.

> Why are there two different links?

Squid tests both the request and the reply against access rules.

> And finally, why doesn't it work?
>

It did work. Just as you configured it to. ;o) If computers did what
we want instead of what we ask them to, I'd likely be out of a job...

> Regards,
> LPIC-1, EMCPA
> Nikita Andreev

Chris
Received on Fri Jan 16 2009 - 20:57:40 MST
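
An added example, not part of the original message and not Squid's own code: a short Python script that reads ACL debug lines in the format quoted above, reports requests that passed the request check but had a reply denied, and lists ACL names that appear with both verdicts. The sample log is constructed from the lines quoted in the thread (wrapped lines rejoined), and the function names are hypothetical.

```python
import re

# Constructed sample: the debug lines quoted in the thread, wrapped lines rejoined.
SAMPLE_LOG = """\
2009/01/16 11:00:35| The request GET cache_object://localhost/info is ALLOWED, because it matched 'localhost'
2009/01/16 11:00:35| CACHEMGR: <unknown>@127.0.0.1 requesting 'info'
2009/01/16 11:00:35| The reply for GET cache_object://localhost.mydomain.com/info is DENIED, because it matched 'all'
2009/01/16 11:00:35| The reply for GET cache_object://localhost.mydomain.com/info is ALLOWED, because it matched 'all'
"""

VERDICT = re.compile(
    r"^(?P<ts>\S+ \S+)\| The (?P<phase>request|reply for) (?P<method>\S+) "
    r"(?P<url>\S+) is (?P<verdict>ALLOWED|DENIED), because it matched '(?P<acl>[^']*)'"
)

def parse_verdicts(text):
    """Return one dict per ACL verdict line; other debug lines are skipped."""
    out = []
    for line in text.splitlines():
        m = VERDICT.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["phase"] = d["phase"].split()[0]  # "reply for" -> "reply"
        # Key on method + URL path: in the thread's log the host differs
        # between phases (localhost vs. localhost.mydomain.com).
        d["key"] = (d["method"], re.sub(r"^[^:/]+://[^/]*", "", d["url"]) or "/")
        out.append(d)
    return out

def blocked_replies(text):
    """Requests that passed the request check but had a reply denied."""
    verdicts = parse_verdicts(text)
    allowed = {v["key"] for v in verdicts
               if v["phase"] == "request" and v["verdict"] == "ALLOWED"}
    return [
        {"method": v["key"][0], "path": v["key"][1], "acl": v["acl"], "ts": v["ts"]}
        for v in verdicts
        if v["phase"] == "reply" and v["verdict"] == "DENIED" and v["key"] in allowed
    ]

def acl_conflicts(text):
    """(phase, ACL) pairs logged with both verdicts: the ACL is used in more than one rule."""
    seen = {}
    for v in parse_verdicts(text):
        seen.setdefault((v["phase"], v["acl"]), set()).add(v["verdict"])
    return sorted(k for k, s in seen.items() if len(s) == 2)

if __name__ == "__main__":
    print(blocked_replies(SAMPLE_LOG), acl_conflicts(SAMPLE_LOG))
```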
