[squid-users] squid-internal-mgr not found - cannot login to cachemgr

From: brendan kearney <bpk678_at_gmail.com>
Date: Wed, 10 Apr 2013 20:28:15 -0400

resending because i got a mailer-daemon failure for HTML formatting...

all,

i am running squid 3.2.5 on fedora 16 64 bit on two separate boxes,
load balanced with HA Proxy. i am trying to access cachemgr on either
one of the squid instances, and both exhibit the behaviour where the
squid-internal-mgr URI is not found. attempts to login via the HA
Proxy VIP as well as with no proxy configured (direct access) have
been tried. both ways produce the same error. below is some header
info:

http://192.168.25.1/squid-internal-mgr/

GET /squid-internal-mgr/ HTTP/1.1
Host: 192.168.25.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:20.0) Gecko/20100101 Firefox/20.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://www1.bpk2.com/Squid/cgi-bin/cachemgr.cgi
Origin: http://www1.bpk2.com
Connection: keep-alive

HTTP/1.1 404 Not Found
Date: Wed, 10 Apr 2013 23:56:51 GMT
Server: Apache
Content-Length: 217
Content-Type: text/html; charset=iso-8859-1
X-Cache: MISS from proxy1.bpk2.com
X-Cache-Lookup: MISS from proxy1.bpk2.com:3128

this used to work, but doesnt now, and i think it might be config
related. FYI www1 and proxy1 are the same box/IP. i dont know where
i could have gone wrong. below is the squid.conf for the instance in
the above header info:

# OPTIONS FOR AUTHENTICATION
# -----------------------------------------------------------------------------
# TAG: auth_param
# Negotiate (SPNEGO/Kerberos) proxy authentication through the bundled helper.
# NOTE(review): the "-s GSS_C_NO_NAME" line below is a mail-wrap continuation
# of the "program" line; in squid.conf both belong on a single line.
# NOTE(review): "-s GSS_C_NO_NAME" presumably lets the helper accept any
# service principal present in its keytab -- confirm the keytab holds only the
# principal intended for this proxy and is readable only by the Squid user.
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth
-s GSS_C_NO_NAME
# Number of helper processes for the negotiate scheme.
auth_param negotiate children 10
auth_param negotiate keep_alive on

# TAG: authenticate_cache_garbage_interval
# TAG: authenticate_ttl
# TAG: authenticate_ip_ttl

# ACCESS CONTROLS
# -----------------------------------------------------------------------------
# TAG: external_acl_type
# TAG: acl
# Matches requests that carry valid proxy credentials (any user).
acl user_auth proxy_auth REQUIRED

# Source-address ACLs.
# NOTE(review): acl_uses_indirect_client is "on" later in this file, so for
# requests arriving from svc_chk these are matched against the address taken
# from X-Forwarded-For rather than the TCP peer address.
acl localhost_src src 127.0.0.1/32

# Single hosts: the sibling cache and the address trusted for X-Forwarded-For.
acl peer src 192.168.50.1/32
acl svc_chk src 192.168.25.254/32

acl vip src 192.168.37.254/32

# One ACL per internal network; they are used below in http_access and
# snmp_access as the only access criterion for most clients.
acl net_wired_src src 192.168.1.0/24
acl net_wireless_src src 192.168.2.0/24
acl net_guest_src src 192.168.3.0/24
acl net_server_src src 192.168.25.0/24
acl net_vip_src src 192.168.37.0/24
acl net_vpn_src src 192.168.50.0/24
acl net_ipmi_src src 192.168.253.0/24
acl net_mgmt_src src 192.168.254.0/24

#acl net_clients_src src net_wired_src net_wireless_src net_vpn_src
#acl net_servers_src src net_server_src net_ipmi_src net_mgmt_src

#acl net_bpk2_src src net_wired_src net_wireless_src net_server_src
net_vpn_src net_ipmi_src net_mgmt_src

# Destination-address ACLs (matched against the resolved address of the
# requested host).
# NOTE(review): localhost_dst is defined here but no http_access rule in this
# file refers to it -- confirm whether requests to the proxy host's own
# loopback address are meant to be permitted.
acl localhost_dst dst 127.0.0.1/32

# NOTE(review): a host name in a dst ACL is presumably resolved when the
# configuration is loaded, so a later DNS change would need a reconfigure --
# confirm.
acl host_music_dst dst music.bpk2.com

# Mirror of the *_src networks, used to fence the guest network off and to
# choose direct forwarding.
# NOTE(review): net_vip_dst is not referenced by any rule shown in this file.
acl net_wired_dst dst 192.168.1.0/24
acl net_wireless_dst dst 192.168.2.0/24
acl net_guest_dst dst 192.168.3.0/24
acl net_server_dst dst 192.168.25.0/24
acl net_vip_dst dst 192.168.37.0/24
acl net_vpn_dst dst 192.168.50.0/24
acl net_ipmi_dst dst 192.168.253.0/24
acl net_mgmt_dst dst 192.168.254.0/24

#acl net_clients_dst dst net_wired_dst net_wireless_dst net_vpn_dst
#acl net_servers_dst dst net_server_dst net_ipmi_dst net_mgmt_dst

#acl net_bpk2_dst dst net_wired_dst net_wireless_dst net_server_dst
net_vpn_dst net_ipmi_dst net_mgmt_dst

# NOTE(review): without a leading dot a dstdomain entry matches only the exact
# host name; if sub-domains such as www1.bpk2.com are meant, the usual form is
# ".bpk2.com" -- confirm intent.
acl bpk2 dstdomain bpk2.com

# "browser" ACLs are regular expressions matched against the User-Agent
# request header. The pattern files are not part of this message.
# NOTE(review): User-Agent is chosen by the client, so these ACLs classify
# traffic but do not identify or authenticate anyone; treat any "allow" that
# depends only on them as open to every client that can reach http_port.
acl AnyUserAgent browser .*
acl DeniedAgents browser "/etc/squid/acl/DeniedAgents"
acl DirectAgents browser "/etc/squid/acl/DirectAgents"
acl ProxiedAgents browser "/etc/squid/acl/ProxiedAgents"
acl AuthAgents browser "/etc/squid/acl/AuthAgents"
acl NoAuthAgents browser "/etc/squid/acl/NoAuthAgents"

# URL-path patterns used by always_direct (presumably to bypass the parent).
acl NoPrivoxyURLs urlpath_regex "/etc/squid/acl/NoPrivoxyURLs"

# Destination allow-lists loaded from files.
acl NoAuthSites dstdomain "/etc/squid/acl/NoAuthSites"
acl NoUserAgentSites dstdomain "/etc/squid/acl/NoUserAgentSites"

acl NoUserAgentSitesRegEx url_regex "/etc/squid/acl/NoUserAgentSitesRegEx"

# Destination deny-lists loaded from files.
acl DeniedSites dstdomain "/etc/squid/acl/DeniedSites"

acl DeniedSitesRegEx url_regex "/etc/squid/acl/DeniedSitesRegEx"

acl ftp proto FTP

# Matches replies with status 407; in this file it is used only to exclude
# those entries from access_log.
acl AuthRequest http_status 407

# NOTE(review): "manager" is used by the http_access rules below but is not
# defined anywhere in this file (the old definition is commented out here).
# Presumably this Squid version supplies it as a built-in ACL -- confirm, and
# confirm that it matches the /squid-internal-mgr/ URL path used in the
# request quoted above.
#acl manager proto cache_object

# Only port 443 may be the target of a CONNECT tunnel (see http_access).
acl SSL_ports port 443

# Ports the proxy will forward to. The 1025-65535 entry admits every
# unprivileged port, so this list only restricts ports below 1025.
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 631 # cups
acl Safe_ports port 777 # multiling http
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # samba web admin tool

acl CONNECT method CONNECT

# SNMP community string (redacted by the poster); used by snmp_access below.
acl snmpread snmp_community <REMOVED>

# TAG: follow_x_forwarded_for
#follow_x_forwarded_for allow all
# Accept the client address from X-Forwarded-For only when the request comes
# from svc_chk (192.168.25.254); ignore the header from everyone else.
# NOTE(review): svc_chk is presumably the HA Proxy front end -- confirm. Any
# process able to send requests from that address can assert an arbitrary
# client address to the rules below.
follow_x_forwarded_for allow svc_chk
follow_x_forwarded_for deny all

# TAG: acl_uses_indirect_client on|off
# src ACLs are evaluated against the X-Forwarded-For-derived address when one
# was accepted above, so every source-network "allow" (including the manager
# rules) depends on the trust placed in svc_chk.
acl_uses_indirect_client on

# TAG: delay_pool_uses_indirect_client on|off
# TAG: log_uses_indirect_client on|off
# The access log records the X-Forwarded-For-derived address as the client.
log_uses_indirect_client on

# TAG: tproxy_uses_indirect_client on|off
# TAG: http_access
# http_access rules are evaluated top to bottom; the first line whose ACLs all
# match decides the request.

# Guest network: may reach the music host, is denied the listed internal
# networks, and is then allowed everything else without authentication.
# NOTE(review): the final guest "allow" is reached before "deny !Safe_ports"
# and "deny CONNECT !SSL_ports" further down, so those restrictions never
# apply to guest clients. localhost_dst and net_vip_dst are defined but are
# not in this deny list -- confirm guests are meant to reach them.
http_access allow net_guest_src host_music_dst
http_access deny net_guest_src net_wired_dst
http_access deny net_guest_src net_wireless_dst
http_access deny net_guest_src net_server_dst
http_access deny net_guest_src net_vpn_dst
http_access deny net_guest_src net_ipmi_dst
http_access deny net_guest_src net_mgmt_dst
http_access allow net_guest_src

# Cache manager: allowed from the listed source networks, denied otherwise.
# NOTE(review): these lines run before any authentication rule, so access to
# the manager interface rests on source address plus cachemgr_passwd only.
http_access allow manager localhost_src
http_access allow manager net_wired_src
http_access allow manager net_wireless_src
http_access allow manager net_server_src
http_access allow manager net_vip_src
http_access allow manager net_vpn_src
http_access deny manager

# NOTE(review): these four allows also precede the Safe_ports / CONNECT /
# DeniedSites checks below. NoAuthAgents matches the client-chosen User-Agent
# header, so it is satisfiable by any client that can reach http_port --
# confirm that is intended, or move these lines below the deny block.
http_access allow NoAuthAgents
http_access allow NoAuthSites
http_access allow peer
http_access allow svc_chk

# General restrictions for everything not already allowed above.
http_access deny DeniedAgents
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny !CONNECT SSL_ports
# Presumably rejects requests that carry no User-Agent header -- confirm.
http_access deny !AnyUserAgent
#http_access deny !ProxiedAgents
#http_access deny !DirectAgents
http_access deny DeniedSites
http_access deny DeniedSitesRegEx

# Authentication is consulted only from here on.
# NOTE(review): the first two lines look unreachable: every guest request was
# already allowed above, and every manager request was already allowed or
# denied above. Only the AuthAgents line appears to have an effect.
http_access allow !user_auth net_guest_src
http_access allow !user_auth manager
http_access deny !user_auth AuthAgents

# Any FTP-protocol request that reaches this point is allowed, whatever its
# source.
http_access allow ftp

http_access allow localhost_src

# Internal networks are allowed by source address alone.
http_access allow net_wired_src
http_access allow net_wireless_src
http_access allow net_server_src
http_access allow net_vpn_src
http_access allow net_ipmi_src
http_access allow net_mgmt_src

# Remaining allows for clients outside the networks above.
http_access allow NoUserAgentSites
http_access allow NoUserAgentSitesRegEx
http_access allow DirectAgents
http_access allow ProxiedAgents
#http_access allow ProxiedAgents

# Default: refuse whatever matched nothing above.
http_access deny all

# TAG: adapted_http_access
# TAG: http_reply_access
# TAG: icp_access
# TAG: htcp_access
#htcp_access allow net_vpn_src
# NOTE(review): HTCP queries are accepted from any source address. The only
# HTCP neighbour configured in this file is the sibling 192.168.50.1 (ACL
# "peer"); consider "htcp_access allow peer" followed by
# "htcp_access deny all" instead.
htcp_access allow all

# TAG: htcp_clr_access
# TAG: miss_access
# TAG: ident_lookup_access
# TAG: reply_body_max_size size [acl acl...]

# NETWORK OPTIONS
# -----------------------------------------------------------------------------
# TAG: http_port
# The proxy listens on this address and port only.
# NOTE(review): the failing request quoted above went to
# http://192.168.25.1/squid-internal-mgr/ with no port in the URL or Host
# header, and the 404 reply carries "Server: Apache", not a Squid-generated
# page -- check that the manager URL is addressed to this listener
# (192.168.25.1:3128) rather than to the web server on the same box.
http_port 192.168.25.1:3128

# TAG: https_port
# TAG: tcp_outgoing_tos
# TAG: clientside_tos
# TAG: tcp_outgoing_mark
# TAG: clientside_mark
# TAG: qos_flows
# TAG: tcp_outgoing_address
# TAG: host_verify_strict
# TAG: client_dst_passthru
# SSL OPTIONS
# -----------------------------------------------------------------------------
# TAG: ssl_unclean_shutdown
# TAG: ssl_engine
# TAG: sslproxy_client_certificate
#sslproxy_client_certificate /etc/pki/tls/certs/bpk2.com.crt

# TAG: sslproxy_client_key
# TAG: sslproxy_version
# TAG: sslproxy_options
# TAG: sslproxy_cipher
# TAG: sslproxy_cafile
# TAG: sslproxy_capath
# TAG: ssl_bump
# TAG: sslproxy_flags
# TAG: sslproxy_cert_error
# TAG: sslpassword_program
# OPTIONS RELATING TO EXTERNAL SSL_CRTD
# -----------------------------------------------------------------------------
# TAG: sslcrtd_program
# TAG: sslcrtd_children
# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
# -----------------------------------------------------------------------------
# TAG: cache_peer
# Sibling cache, queried over HTCP on port 4827.
cache_peer 192.168.50.1 sibling 3128 4827 htcp=no-clr
# Local parent on port 8080 (presumably Privoxy, given the NoPrivoxyURLs ACL
# -- confirm).
# NOTE(review): login=PASSTHRU forwards the client's authentication headers
# to this parent unchanged; confirm the parent needs them and does not log or
# relay them further.
cache_peer 127.0.0.1 parent 8080 7 no-query no-digest login=PASSTHRU

# TAG: cache_peer_domain
# TAG: cache_peer_access
# TAG: neighbor_type_domain
# TAG: dead_peer_timeout (seconds)
# TAG: forward_max_tries
# TAG: hierarchy_stoplist
# URLs containing these strings are not looked up in neighbour caches.
hierarchy_stoplist cgi-bin ?

# MEMORY CACHE OPTIONS
# -----------------------------------------------------------------------------
# TAG: cache_mem (bytes)
# Memory set aside for cached objects held in RAM.
cache_mem 1024 MB

# TAG: maximum_object_size_in_memory (bytes)
# Largest object kept in the memory cache.
maximum_object_size_in_memory 100 MB

# TAG: memory_cache_shared on|off
# TAG: memory_cache_mode
# TAG: memory_replacement_policy
# Eviction policy for the memory cache.
memory_replacement_policy heap LFUDA

# DISK CACHE OPTIONS
# -----------------------------------------------------------------------------
# TAG: cache_replacement_policy
# Eviction policy for the disk cache.
cache_replacement_policy heap LFUDA

# TAG: cache_dir
# ufs store under /var/spool/squid: 1500 MB, 32 first-level and 512
# second-level directories.
cache_dir ufs /var/spool/squid 1500 32 512

# TAG: store_dir_select_algorithm
# TAG: max_open_disk_fds
# TAG: minimum_object_size (bytes)
# TAG: maximum_object_size (bytes)
# Largest object stored on disk (80 MB).
maximum_object_size 81920 KB

# TAG: cache_swap_low (percent, 0-100)
# TAG: cache_swap_high (percent, 0-100)

# LOGFILE OPTIONS
# -----------------------------------------------------------------------------
# TAG: logformat
# Comma-separated log record that includes, among other fields, the client
# address (%>a), user name (%un), request URL (%ru), User-Agent and the status
# sent to the client (%>Hs).
# NOTE(review): the format string on the next line is a mail-wrap
# continuation of "logformat custom"; in squid.conf both belong on one line.
logformat custom
%>a,%>A,%un,%tl,%la,%lp,%<A,"%{Server}<h",%rm,"HTTP/%rv","%ru","%{User-Agent}>h",%>Hs,%<st,%<tt,"%Ss/%Sh","%mt"

# TAG: access_log
#access_log daemon:/var/log/squid/access.log custom
# Log to syslog (facility local4, priority info) in the "custom" format,
# skipping entries that match AuthRequest (407 replies), DeniedSites or
# svc_chk.
# NOTE(review): excluding 407s and DeniedSites hits removes failed
# authentication attempts and blocked-destination requests from the log;
# confirm that this loss of visibility is acceptable for monitoring and
# incident response.
access_log syslog:local4.info custom !AuthRequest !DeniedSites !svc_chk

# TAG: icap_log
# TAG: logfile_daemon
# TAG: log_access allow|deny acl acl...
# TAG: log_icap
# TAG: cache_store_log
# TAG: cache_swap_state
# TAG: logfile_rotate
# TAG: emulate_httpd_log
# TAG: log_ip_on_direct
# TAG: mime_table
# TAG: log_mime_hdrs on|off
# TAG: useragent_log
# TAG: referer_log
# TAG: pid_filename
# TAG: log_fqdn
# TAG: client_netmask
# TAG: forward_log
# TAG: strip_query_terms
# Log full URLs including the query string.
# NOTE(review): query strings can carry session tokens or credentials, so the
# syslog destination and anything it forwards to should be access-controlled
# accordingly.
strip_query_terms off

# TAG: buffered_logs on|off
# TAG: netdb_filename

# OPTIONS FOR TROUBLESHOOTING
# -----------------------------------------------------------------------------
# TAG: cache_log
# TAG: debug_options
# TAG: coredump_dir
# Directory Squid changes to at startup, where core files would be written.
coredump_dir /var/spool/squid

# OPTIONS FOR FTP GATEWAYING
# -----------------------------------------------------------------------------
# TAG: ftp_user
# TAG: ftp_list_width
# TAG: ftp_passive
# TAG: ftp_epsv_all
# TAG: ftp_epsv
# TAG: ftp_eprt
# TAG: ftp_sanitycheck
# TAG: ftp_telnet_protocol

# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
# -----------------------------------------------------------------------------
# TAG: diskd_program
# TAG: unlinkd_program
# TAG: pinger_program
# TAG: pinger_enable

# OPTIONS FOR URL REWRITING
# -----------------------------------------------------------------------------
# TAG: url_rewrite_program
# TAG: url_rewrite_children
# TAG: url_rewrite_concurrency
# TAG: url_rewrite_host_header
# TAG: url_rewrite_access
# TAG: url_rewrite_bypass

# OPTIONS FOR TUNING THE CACHE
# -----------------------------------------------------------------------------
# TAG: cache
# Which requests may be served from / stored in the cache.
# NOTE(review): there are only "allow" lines and no explicit final rule;
# presumably requests matching neither ACL fall to the implicit opposite of
# the last line (deny), i.e. are not cached -- confirm that is intended.
cache allow NoAuthAgents
cache allow NoAuthSites

# TAG: max_stale time-units
# TAG: refresh_pattern
# Freshness rules: regex, minimum age (minutes), percent of object age,
# maximum age (minutes). Dynamic URLs (cgi-bin or "?") are never considered
# fresh.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320

# TAG: quick_abort_min (KB)
# TAG: quick_abort_max (KB)
# TAG: quick_abort_pct (percent)
# TAG: read_ahead_gap buffer-size
# TAG: negative_ttl time-units
# TAG: positive_dns_ttl time-units
# TAG: negative_dns_ttl time-units
# TAG: range_offset_limit size [acl acl...]
# TAG: minimum_expiry_time (seconds)
# TAG: store_avg_object_size (bytes)
# TAG: store_objects_per_bucket

# HTTP OPTIONS
# -----------------------------------------------------------------------------
# TAG: request_header_max_size (KB)
# TAG: reply_header_max_size (KB)
# TAG: request_body_max_size (bytes)
# TAG: client_request_buffer_max_size (bytes)
# TAG: chunked_request_body_max_size (bytes)
# TAG: broken_posts
# TAG: adaptation_uses_indirect_client on|off
# TAG: via on|off
# Do not add a Via header to forwarded messages.
# NOTE(review): forwarded_for is "on" later in this file, so client addresses
# are still disclosed upstream even though Via is suppressed.
via off

# TAG: ie_refresh on|off
# TAG: vary_ignore_expire on|off
# TAG: request_entities
# TAG: request_header_access
# TAG: reply_header_access
# TAG: header_replace
# TAG: relaxed_header_parser on|off|warn
# TAG: ignore_expect_100 on|off

# TIMEOUTS
# -----------------------------------------------------------------------------
# TAG: forward_timeout time-units
# TAG: connect_timeout time-units
# TAG: peer_connect_timeout time-units
# TAG: read_timeout time-units
# TAG: write_timeout time-units
# TAG: request_timeout
# TAG: client_idle_pconn_timeout
# TAG: client_lifetime time-units
# TAG: half_closed_clients
# TAG: server_idle_pconn_timeout
# TAG: ident_timeout
# TAG: shutdown_lifetime time-units
# On shutdown, wait only one second for active connections before exiting.
shutdown_lifetime 1 seconds

# ADMINISTRATIVE PARAMETERS
# -----------------------------------------------------------------------------
# TAG: cache_mgr
# TAG: mail_from
# TAG: mail_program
# TAG: cache_effective_user
# TAG: cache_effective_group
# TAG: httpd_suppress_version_string on|off
# Hide the Squid version string in generated output.
httpd_suppress_version_string on

# TAG: visible_hostname
# Name the proxy announces for itself; it appears in the X-Cache and
# X-Cache-Lookup reply headers quoted above.
visible_hostname proxy1.bpk2.com

# TAG: unique_hostname
# TAG: hostname_aliases
# TAG: umask

# OPTIONS FOR THE CACHE REGISTRATION SERVICE
# -----------------------------------------------------------------------------
# TAG: announce_period
# TAG: announce_host
# TAG: announce_file
# TAG: announce_port

# HTTPD-ACCELERATOR OPTIONS
# -----------------------------------------------------------------------------
# TAG: httpd_accel_surrogate_id
# TAG: http_accel_surrogate_remote on|off
# TAG: esi_parser libxml2|expat|custom

# DELAY POOL PARAMETERS
# -----------------------------------------------------------------------------
# TAG: delay_pools
# TAG: delay_class
# TAG: delay_access
# TAG: delay_parameters
# TAG: delay_initial_bucket_level (percent, 0-100)
# CLIENT DELAY POOL PARAMETERS
# -----------------------------------------------------------------------------
# TAG: client_delay_pools
# TAG: client_delay_initial_bucket_level (percent, 0-no_limit)
# TAG: client_delay_parameters
# TAG: client_delay_access
# WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
# -----------------------------------------------------------------------------
# TAG: wccp_router
# TAG: wccp2_router
# TAG: wccp_version
# TAG: wccp2_rebuild_wait
# TAG: wccp2_forwarding_method
# TAG: wccp2_return_method
# TAG: wccp2_assignment_method
# TAG: wccp2_service
# TAG: wccp2_service_info
# TAG: wccp2_weight
# TAG: wccp_address
# TAG: wccp2_address

# PERSISTENT CONNECTION HANDLING
# -----------------------------------------------------------------------------
# TAG: client_persistent_connections
# TAG: server_persistent_connections
# TAG: persistent_connection_after_error
# TAG: detect_broken_pconn

# CACHE DIGEST OPTIONS
# -----------------------------------------------------------------------------
# TAG: digest_generation
# TAG: digest_bits_per_entry
# TAG: digest_rebuild_period (seconds)
# TAG: digest_rewrite_period (seconds)
# TAG: digest_swapout_chunk_size (bytes)
# TAG: digest_rebuild_chunk_percentage (percent, 0-100)

# SNMP OPTIONS
# -----------------------------------------------------------------------------
# TAG: snmp_port
# Enable the SNMP agent on UDP port 3401.
snmp_port 3401

# TAG: snmp_access
# A query is answered only if it carries the "snmpread" community AND comes
# from one of the listed networks; everything else is refused.
# NOTE(review): the community string is presumably sent unencrypted on the
# wire -- treat it as a weak secret and rely on the source restriction.
snmp_access allow snmpread localhost_src
snmp_access allow snmpread net_wired_src
snmp_access allow snmpread net_wireless_src
snmp_access allow snmpread net_server_src
snmp_access deny all

# TAG: snmp_incoming_address
# 0.0.0.0: accept SNMP on every local address.
# NOTE(review): http_port is bound to 192.168.25.1 only; consider binding the
# SNMP agent to a specific address as well.
snmp_incoming_address 0.0.0.0

# TAG: snmp_outgoing_address
# NOTE(review): 255.255.255.255 presumably means "reply from the incoming
# address" -- confirm against the documentation for this Squid version.
snmp_outgoing_address 255.255.255.255

# ICP OPTIONS
# -----------------------------------------------------------------------------
# TAG: icp_port
#icp_port 3130

# TAG: htcp_port
# HTCP listener port (matches the port given on the sibling cache_peer line).
htcp_port 4827

# TAG: log_icp_queries on|off
# TAG: udp_incoming_address
# NOTE(review): presumably this binds the inter-cache UDP socket to loopback,
# which would limit the exposure of "htcp_access allow all" but would also
# keep the sibling at 192.168.50.1 from reaching it -- confirm which is
# intended.
udp_incoming_address 127.0.0.1

# TAG: udp_outgoing_address
udp_outgoing_address 0.0.0.0

# TAG: icp_hit_stale on|off
# TAG: minimum_direct_hops
# TAG: minimum_direct_rtt
# TAG: netdb_low
# TAG: netdb_high
# TAG: netdb_ping_period
# TAG: query_icmp on|off
# TAG: test_reachability on|off
# TAG: icp_query_timeout (msec)
# TAG: maximum_icp_query_timeout (msec)
# TAG: minimum_icp_query_timeout (msec)
# TAG: background_ping_rate time-units

# MULTICAST ICP OPTIONS
# -----------------------------------------------------------------------------
# TAG: mcast_groups
# TAG: mcast_miss_addr
# TAG: mcast_miss_ttl
# TAG: mcast_miss_port
# TAG: mcast_miss_encode_key
# TAG: mcast_icp_query_timeout (msec)

# INTERNAL ICON OPTIONS
# -----------------------------------------------------------------------------
# TAG: icon_directory
# TAG: global_internal_static
# TAG: short_icon_urls

# ERROR PAGE OPTIONS
# -----------------------------------------------------------------------------
# TAG: error_directory
# TAG: error_default_language
# TAG: error_log_languages
# TAG: err_page_stylesheet
# TAG: err_html_text
# TAG: email_err_data on|off
# TAG: deny_info

# OPTIONS INFLUENCING REQUEST FORWARDING
# -----------------------------------------------------------------------------
# TAG: nonhierarchical_direct
# Send non-hierarchical requests through peers as well instead of going
# direct.
nonhierarchical_direct off

# TAG: prefer_direct
# TAG: always_direct
# Requests matching any of these go straight to the origin, bypassing the
# peers: selected user agents and URL paths, the guest network, all internal
# destination networks, the bpk2 domain and FTP.
# NOTE(review): DirectAgents matches the client-chosen User-Agent header, so a
# client can opt out of the parent proxy by choosing its User-Agent --
# confirm the parent is not relied on as a mandatory control.
# NOTE(review): the ACL is defined as "ftp" but referenced here as "FTP";
# confirm this Squid version resolves ACL names case-insensitively.
always_direct allow DirectAgents
always_direct allow NoPrivoxyURLs
always_direct allow net_guest_src
always_direct allow net_wired_dst
always_direct allow net_wireless_dst
always_direct allow net_guest_dst
always_direct allow net_server_dst
always_direct allow net_vpn_dst
always_direct allow net_ipmi_dst
always_direct allow net_mgmt_dst
always_direct allow bpk2
always_direct allow FTP
always_direct deny all

# TAG: never_direct
# Everything else must go through a peer and may not fall back to direct.
never_direct deny DirectAgents
never_direct deny net_guest_src
never_direct allow all

# ADVANCED NETWORKING OPTIONS
# -----------------------------------------------------------------------------
# TAG: incoming_icp_average
# TAG: incoming_http_average
# TAG: incoming_dns_average
# TAG: min_icp_poll_cnt
# TAG: min_dns_poll_cnt
# TAG: min_http_poll_cnt
# TAG: accept_filter
# TAG: client_ip_max_connections
# TAG: tcp_recv_bufsize (bytes)

# ICAP OPTIONS
# -----------------------------------------------------------------------------
# TAG: icap_enable on|off
# TAG: icap_connect_timeout
# TAG: icap_io_timeout time-units
# TAG: icap_service_failure_limit limit [in memory-depth time-units]
# TAG: icap_service_revival_delay
# TAG: icap_preview_enable on|off
# TAG: icap_preview_size
# TAG: icap_206_enable on|off
# TAG: icap_default_options_ttl
# TAG: icap_persistent_connections on|off
# TAG: adaptation_send_client_ip on|off
# TAG: adaptation_send_username on|off
# TAG: icap_client_username_header
# TAG: icap_client_username_encode on|off
# TAG: icap_service
# TAG: icap_class
# TAG: icap_access

# eCAP OPTIONS
# -----------------------------------------------------------------------------
# TAG: ecap_enable on|off
# TAG: ecap_service
# TAG: loadable_modules

# MESSAGE ADAPTATION OPTIONS
# -----------------------------------------------------------------------------
# TAG: adaptation_service_set
# TAG: adaptation_service_chain
# TAG: adaptation_access
# TAG: adaptation_service_iteration_limit
# TAG: adaptation_masterx_shared_names
# TAG: adaptation_meta
# TAG: icap_retry
# TAG: icap_retry_limit

# DNS OPTIONS
# -----------------------------------------------------------------------------
# TAG: check_hostnames
# TAG: allow_underscore
# TAG: cache_dns_program
# TAG: dns_children
# TAG: dns_retransmit_interval
# TAG: dns_timeout
# TAG: dns_packet_max
# TAG: dns_defnames on|off
# TAG: dns_nameservers
# TAG: hosts_file
# TAG: append_domain
# Domain appended to host names that contain no dot.
append_domain .bpk2.com

# TAG: ignore_unknown_nameservers
# TAG: dns_v4_first
# TAG: ipcache_size (number of entries)
# Entries in the name-to-address cache.
ipcache_size 8192

# TAG: ipcache_low (percent)
# TAG: ipcache_high (percent)
# TAG: fqdncache_size (number of entries)
# Entries in the address-to-name cache.
fqdncache_size 8192

# MISCELLANEOUS
# -----------------------------------------------------------------------------
# TAG: memory_pools on|off
# TAG: memory_pools_limit (bytes)
# Upper bound on memory kept in Squid's allocation pools.
memory_pools_limit 768 MB

# TAG: forwarded_for on|off|transparent|truncate|delete
# Add the client address to X-Forwarded-For on outgoing requests.
# NOTE(review): this discloses internal client addresses to origin servers
# and to the parent peer; "via off" and httpd_suppress_version_string
# elsewhere in this file suggest that information hiding is wanted, so
# confirm this setting is intentional.
forwarded_for on

# TAG: cachemgr_passwd
# One password (redacted by the poster) guarding all cache manager actions.
# NOTE(review): the password is stored in clear text in squid.conf, so the
# file should be readable only by root and the Squid user. The cachemgr.cgi
# requests quoted above use plain http, so the password presumably crosses
# the network unencrypted -- confirm and restrict manager access accordingly.
cachemgr_passwd <REMOVED> all

# TAG: client_db on|off
# TAG: refresh_all_ims on|off
# TAG: reload_into_ims on|off
# TAG: connect_retries
# TAG: retry_on_error
# TAG: as_whois_server
# TAG: offline_mode
# TAG: uri_whitespace
# TAG: chroot
# TAG: balance_on_multiple_ip
# TAG: pipeline_prefetch
# Presumably lets Squid start on a pipelined request before the previous one
# on the same connection has finished -- confirm against the documentation for
# this version.
pipeline_prefetch on

# TAG: high_response_time_warning (msec)
# TAG: high_page_fault_warning
# TAG: high_memory_warning
# TAG: sleep_after_fork (microseconds)
# TAG: windows_ipaddrchangemonitor on|off
# TAG: eui_lookup
# TAG: max_filedescriptors
# TAG: workers
# TAG: cpu_affinity_map

can anyone tell me why i am not able to get logged into the cachemgr?
the page presents, but the login fails. cachemgr.conf has the IP of
both proxies listed, and /etc/httpd/conf.d/squid.conf has the right
access allowed by network. /usr/lib64/squid/cachemgr.cgi is chmod'd
755 (rwxr-xr-x) and is chown'd root:root.
Received on Thu Apr 11 2013 - 00:28:23 MDT
