Re: [squid-users] cache manager access from web

From: Chris Robertson <crobertson_at_gci.net>
Date: Tue, 09 Feb 2010 16:14:31 -0900

Amos Jeffries wrote:
> J. Webster wrote:
>> I have followed the tutorial here:
>> http://wiki.squid-cache.org/SquidFaq/CacheManager
>> and set up acls to access the cache manager cgi on my server. I have
>> to access this externally for the moment as that is the only access
>> to the server that I have (SSH or web). The cache manager login
>> appears when I access: http://myexternalipaddress/cgi-bin/cachemgr.cgi
>> I have set the cache manager login and password in the squid.conf
>> # TAG: cache_mgr
>> # Email-address of local cache manager who will receive
>> # mail if the cache dies. The default is "root".
>> #
>> #Default:
>> # cache_mgr root
>> cache_mgr aaa_at_aaa.com
>> cachemgr_passwd aaa all
>> #Recommended minimum configuration:
>> acl all src 0.0.0.0/0.0.0.0
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255
>> acl cacheadmin src 88.xxx.xxx.xx9/255.255.255.255 #external IP address?
>
> You don't need the /255.255.255.255 bit. Just a single IP address will
> do.
>
>> acl to_localhost dst 127.0.0.0/8
>> # Only allow cachemgr access from localhost

As a side note...

>> http_access allow ncsa_users
>> http_access allow manager localhost
>> http_access allow manager cacheadmin
>> http_access deny manager

cache_manager access (any access, really) is already allowed to
ncsa_users, no matter if they are accessing from localhost,
88.xxx.xxx.xx9 or any other IP. You might want to have a gander at the
FAQ section on ACLs (http://wiki.squid-cache.org/SquidFaq/SquidAcl).

>>
>> However, whenever I enter the password and select localhost port 8080
>> from the cgi script I get:
>> The following error was encountered:
>> Cache Access Denied.
>> Sorry, you are not currently allowed to request:
>> cache_object://localhost/
>> from this cache until you have authenticated yourself.
>
> Looks like the CGI script does its own internal access to Squid to
> fetch the page data. But does not have the right login details to pass
> your "http_access allow ncsa_auth" security config.
>
> Amos

Chris
Received on Wed Feb 10 2010 - 01:14:46 MST
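
The two points raised in this thread (the `ncsa_users` line shadowing the manager rules, and the CGI's unauthenticated request being challenged) both follow from first-match evaluation of `http_access`. The sketch below is an added example, not code from the thread or from Squid: a simplified Python model of that evaluation. It assumes `ncsa_users` is a `proxy_auth` ACL, that cachemgr.cgi connects from 127.0.0.1 without proxy credentials, a constructed address in place of the masked cacheadmin IP, and a final `deny all` line not shown in the post.

```python
# Simplified model of Squid's first-match http_access evaluation.
# Added example; names and addresses below are constructed stand-ins.

CACHEADMIN = "203.0.113.9"  # stand-in for the masked 88.xxx.xxx.xx9

def acl_matches(name, req):
    """Return True/False, or "challenge" when proxy_auth lacks credentials."""
    if name == "manager":
        return req["proto"] == "cache_object"
    if name == "localhost":
        return req["src"] == "127.0.0.1"
    if name == "cacheadmin":
        return req["src"] == CACHEADMIN
    if name == "ncsa_users":  # assumed to be a proxy_auth ACL
        return True if req.get("user") else "challenge"
    if name == "all":
        return True
    raise KeyError(name)

def evaluate(rules, req):
    """The first line whose ACLs all match decides; ACLs are ANDed left to right."""
    for action, acls in rules:
        for acl in acls:
            result = acl_matches(acl, req)
            if result == "challenge":
                return "challenge"  # Squid answers 407, "Cache Access Denied"
            if not result:
                break               # this line does not match, try the next
        else:
            return action
    return "deny"

MANAGER_RULES = [("allow", ["manager", "localhost"]),
                 ("allow", ["manager", "cacheadmin"]),
                 ("deny", ["manager"])]
# Order as posted in the thread, plus an assumed final "deny all".
THREAD_ORDER = [("allow", ["ncsa_users"])] + MANAGER_RULES + [("deny", ["all"])]
# Manager rules evaluated before the authentication rule.
MANAGER_FIRST = MANAGER_RULES + [("allow", ["ncsa_users"]), ("deny", ["all"])]

# Constructed requests: the CGI's own fetch, and a logged-in user elsewhere.
cgi_fetch = {"proto": "cache_object", "src": "127.0.0.1", "user": None}
remote_user = {"proto": "cache_object", "src": "198.51.100.7", "user": "alice"}

if __name__ == "__main__":
    for label, rules in (("thread order", THREAD_ORDER),
                         ("manager first", MANAGER_FIRST)):
        print(label, "| cgi:", evaluate(rules, cgi_fetch),
              "| remote user:", evaluate(rules, remote_user))
```

With the posted order, the CGI's fetch is challenged and any authenticated user reaches the cache manager; with the manager lines first, the local fetch is allowed and the remote authenticated user is denied `cache_object` requests.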
