[squid-users] Squid 3.4.10 cachemgr.cgi permission denied

Amos Jeffries squid3 at treenet.co.nz
Sat Dec 27 00:53:05 UTC 2014


On 27/12/2014 10:33 a.m., Yuri Voinov wrote:
> 
> Hi, gents.
> 
> Now I have another problem. Cachemgr.cgi does not get
> access to Squid when a password is specified.
> 
> Look at the squid.conf fragment (this configuration fragment is
> derived from a working Squid2 installation):
> 
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
> 
> # Cache manager
> cache_mgr yvoinov at gmail.com
> 
> # Cache manager password
> cachemgr_passwd secret all
> 
> and when I login through local Apache - I've got Squid access
> denied page and message in cache.log:
> 
> 2014/12/24 17:44:17 kid1| CacheManager:
> unknown at local=127.0.0.1:3127 remote=127.0.0.1:35146 FD 40 flags=1:
> password needed for 'menu'
> 
> Also, Munin plugins cannot work either - they use authenticated
> cachemgr login.
> 
> AFAIK, this means unknown user.
> 
> Ok,
> 
> now - what username must I use in the cachemgr login form?

You should get the administrators to use their normal username and the
mgr password. The cachemgr itself only checks the password matches the
one in squid.conf for that manager action. Username is used if some
other security checks are in place such as proxy_auth ACLs, and for
logging.

The cachemgr now has three methods of access. Direct http:// and
https:// URLs from the browser to Squid, and the old cache_object://
URLs sent by cachemgr and existing tools (Munin?). Though HTTPS only
works properly in reverse-proxy at the moment and it is all a bit
picky about the URL matching Squid's public domain name (visible_hostname).

All of those methods can have user:password in a Basic www-auth header
(not proxy-auth), or the @password tacked on the end of the URL. Squid
should be generating a 401 auth challenge to get that Basic header,
not a full 403 Forbidden access denied.

Amos
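The access methods described in the reply above, as an added example that is not part of the original message or of Squid's own code: it builds a manager request in both forms (Basic `Authorization` header and `@password` URL suffix) and classifies the reply an administrator gets back from their own proxy. Assumptions: the `/squid-internal-mgr/` path prefix for http:// manager URLs and the user name `admin` are not from the thread, the sample replies are constructed, and reading a 403 as an `http_access` denial is an interpretation rather than something the post states.

```python
import base64

def manager_request(host, action, user, password, scheme="http"):
    """Raw request bytes for one cache manager action."""
    if scheme == "cache_object":
        # Old-style URL with the manager password tacked on the end.
        return f"GET cache_object://{host}/{action}@{password} HTTP/1.0\r\n\r\n".encode()
    # Basic www-auth header: Authorization, not Proxy-Authorization.
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return (f"GET /squid-internal-mgr/{action} HTTP/1.1\r\n"  # assumed path prefix
            f"Host: {host}\r\n"
            f"Authorization: Basic {token}\r\n"
            "Connection: close\r\n\r\n").encode()

def diagnose(raw_response):
    """Classify the proxy's reply to a manager request."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {k.strip().lower(): v.strip()
               for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
    if status == 200:
        return "ok"
    if status == 401 and headers.get("www-authenticate", "").lower().startswith("basic"):
        return "password-challenge"      # expected reply when the password is missing or wrong
    if status == 407:
        return "proxy-auth-required"     # a proxy_auth ACL wants credentials as well
    if status == 403:
        return "forbidden"               # assumption: denied by http_access, review the manager rules
    return f"unexpected-{status}"

# Constructed sample replies (not captured from a real proxy).
SAMPLE_401 = (b"HTTP/1.1 401 Unauthorized\r\n"
              b"WWW-Authenticate: Basic realm=\"menu\"\r\n\r\n")
SAMPLE_403 = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n<html>Access Denied</html>"
SAMPLE_200 = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n mgr:menu ..."

if __name__ == "__main__":
    print(manager_request("localhost", "menu", "admin", "secret").decode())
    for name, reply in (("401", SAMPLE_401), ("403", SAMPLE_403), ("200", SAMPLE_200)):
        print(name, "->", diagnose(reply))
```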