[squid-dev] Drop cache_object protocol support

Amos Jeffries squid3 at treenet.co.nz
Wed Jan 25 01:57:33 UTC 2023


On 25/01/2023 8:23 am, Alex Rousskov wrote:
> On 1/24/23 12:22, Eduard Bagdasaryan wrote:
>
>> Today we can query cache manager in two ways:
>>
>> 1. with cache_object:// URL scheme
>> 2. with an HTTP request having the 'squid-internal-mgr' path prefix.
>>
>> I guess that when (2) was initially added at e37bd29, its 
>> implementation was somewhat incomplete compared to the old 
>> cache_object scheme (e.g., it lacked authentication

No and intentionally. It is designed to share the proxy HTTP 
authentication and http_access policy instead of the obsolete userinfo@ 
standard that cache_object uses.

Blocker #1: The cachemgr_passwd directive still needs to be cleanly 
removed, e.g. replaced by a manager_access ACL based mechanism.


>> ) and both methods existed. Since then, however, (2) has been 
>> improved and it should be equivalent to (1) by now.  If so, can we 
>> completely remove the non-standard cache_object scheme support from 
>> Squid? This would simplify request forwarding logic, including code 
>> paths where the existing code complexity may result in vulnerability 
>> issues.
>
>
> FWIW, I am not aware of any good reason to keep supporting the 
> "cache_object" URI scheme.
>

Blocker #2: The squidclient tool still sends cache_object: scheme when 
given "mgr:" on the CLI. We need to upgrade that first and allow admin 
some time to upgrade before removing the scheme support in squid itself.


> MgrFieldChars() already calls that scheme deprecated. That special 
> (and undocumented?) scheme did cause significant problems in the past. 
> I am sure it will continue to cause problems if not removed. Removing 
> it will simplify code in several tricky places. There will be some 
> upgrade pains for admins, but we will be better off without 
> cache_object long-term IMO.

Agreed.

> Needless to say, squidclient and cachemgr.cgi implementations would 
> need to be adjusted to use HTTP URLs instead, but I hope those 
> adjustments are straightforward.

cachemgr.cgi should already prefer http(s) and only use cache_object as 
a backup.

IMO the CGI tool should stay that way, supporting the scheme for older 
installations even after we drop it from the rest of Squid.

HTH
Amos
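
Added example, not part of the original message or of Squid's code: a log inventory an admin could run before the scheme is dropped, listing which clients still reach the cache manager through cache_object:// and which already use the 'squid-internal-mgr' path prefix. It assumes the stock native access.log layout (URL in the seventh field); the sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in Squid's native access.log layout (assumption:
# the proxy logs with the stock "squid" logformat; all values are made up).
SAMPLE_LOG = """\
1674611853.101      2 127.0.0.1 TCP_MISS/200 3120 GET cache_object://localhost/info - HIER_NONE/- text/plain
1674611860.553      1 127.0.0.1 TCP_MISS/200 2987 GET http://localhost:3128/squid-internal-mgr/info - HIER_NONE/- text/plain
1674611872.004     48 192.0.2.10 TCP_MISS/200 5120 GET http://example.com/ - HIER_DIRECT/203.0.113.5 text/html
1674611880.250      1 192.0.2.44 TCP_DENIED/403 3800 GET cache_object://proxy.example/menu - HIER_NONE/- text/html
1674611881.000      1 192.0.2.44 TCP_MISS/200 3800 GET http://example.com/docs/squid-internal-mgr-notes.html - HIER_NONE/- text/html
truncated line
"""

# The manager prefix must be the first path segment, not a substring elsewhere.
MGR_PATH = re.compile(r"^https?://[^/]+/squid-internal-mgr(/|$)", re.I)

def classify(url):
    """Return which cache manager access method a logged URL used, or None."""
    if url.lower().startswith("cache_object:"):
        return "cache_object"
    if MGR_PATH.match(url):
        return "squid-internal-mgr"
    return None

def inventory(log_text):
    """Count cache manager requests per (client address, access method)."""
    seen = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:          # skip truncated or foreign lines
            continue
        client, url = fields[2], fields[6]
        kind = classify(url)
        if kind:
            seen[(client, kind)] += 1
    return seen

def legacy_clients(log_text):
    """Clients that still need migrating off the cache_object scheme."""
    return sorted({c for (c, k) in inventory(log_text) if k == "cache_object"})

if __name__ == "__main__":
    for (client, kind), n in sorted(inventory(SAMPLE_LOG).items()):
        print(f"{client:15} {kind:20} {n}")
    print("still on cache_object:", ", ".join(legacy_clients(SAMPLE_LOG)))
```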