[squid-users] cachemgr.cgi on embedded system

Amos Jeffries squid3 at treenet.co.nz
Mon Jul 25 08:24:42 UTC 2016


On 25/07/2016 7:16 a.m., Eliezer Croitoru wrote:
> Hey,
> 
> What version are you using?
> Squid since version 3.X has a built in interface which might fit your needs.
> You can see an example of usage at:
> http://wiki.squid-cache.org/Features/CacheManager#default
> 
> What you will need to do is to access the proxy directly using a url like:
> http://mycache.example.com:3128/squid-internal-mgr/menu
> 
> and for the info page from the menu:
> http://mycache.example.com:3128/squid-internal-mgr/info
> 
> So unless you have a special need for the cache manager cgi you should use the http one.
> 

NP: the cachemgr.cgi tool from recent Squid releases will test for and
use that http:// interface instead of the old cache_proto:// scheme.

> 
> -----Original Message-----
> From: reinerotto
> 
> I have a problem to use cachemgr.cgi on an embedded system: 
> (Cache Server: 127.0.0.1:3128; manager name: manager: Password: maypasswd)

"maypasswd" or "mypasswd"? If that is not a typo in your email it will
be the problem.


> browser:
> The following error was encountered while trying to retrieve the URL:
> cache_object://127.0.0.1/
> Cache Manager Access Denied.
> Sorry, you are not currently allowed to request cache_object://127.0.0.1/ from this cache manager until you have authenticated yourself.
> ACL Access Denied
> 
> cache.log:
> 2016/07/24 13:19:00| CacheManager: unknown at local=127.0.0.1:3128
> remote=127.0.0.1:56590 FD 18 flags=1: password needed for 'menu'
> 
> squid.conf:
> acl manager proto cache_object
> #next just for testing
> http_access allow manager all
> cachemgr_passwd mypasswd all

Order is important. Where you put these lines in relation to any other
http_access rules matters a lot.
The current release recommends placing the http_access rules for manager
below the default "deny CONNECT !SSL_port" rule, above any other custom
rules you have.

> 
> On the embedded system, there is only a small http-server (uhttpd) running, _not_ apache or similar, so I suspect some special "requirement" not met on my system.
> It could be _either_ some special .configure option for squid (I have a downsized one, self-compiled) _or_ some speciality regarding my http-server, which otherwise works well.
> 

That should be fine as long as:

* the uhttpd can pass Basic authentication headers and the user-info
field of URLs through to the CGI tool.

* Squid is a current/recent release of Squid *and* cachemgr.cgi tool.

* Squid has Basic authentication enabled.

Note that a current Squid supporting the new interface should be warning
you about incorrect manager ACL definition and refusing to start up using
the config mentioned above. "proto" is no longer the correct ACL type
for manager. There is a built-in one instead.


In your current system setup I suggest going with the default squid.conf
http_access manager lines. They are sufficient for a cachemgr.cgi tool
running on the same machine.


However, since cachemgr.cgi does not have to run on the embedded device
you can save a fair bit of space by placing it on an administrative web
server machine. For that you need to change the "http_access allow
manager localhost" to use an ACL checking for that machine's IP instead
of localhost.


Amos
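
The points raised in this reply (legacy "proto" manager ACL, rule order relative to the CONNECT deny, and restricting manager access by source) can be checked mechanically. The following lint is an added example, not part of the original message and not Squid code: the function name, finding codes, the `admin_host` ACL and the documentation address 192.0.2.10 are hypothetical, and the revised sample follows the layout of Squid's shipped default http_access lines.

```python
# Constructed input: the squid.conf lines quoted in the post.
POSTED = """\
acl manager proto cache_object
#next just for testing
http_access allow manager all
cachemgr_passwd mypasswd all
"""

# Constructed input: default-style manager rules; admin_host and the
# documentation address 192.0.2.10 are hypothetical.
REVISED = """\
acl admin_host src 192.0.2.10
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager admin_host
http_access deny manager
cachemgr_passwd mypasswd all
"""


def lint_manager_rules(conf):
    """Return finding codes for cache manager access rules in squid.conf text."""
    findings, rules = [], []
    for raw in conf.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[:3] == ["acl", "manager", "proto"]:
            # "proto" is no longer the right ACL type; manager is built in.
            findings.append("legacy-manager-acl")
        elif words[0] == "http_access" and len(words) > 2:
            rules.append((words[1], words[2:]))  # (allow|deny, ACL names)

    mgr = [i for i, (_, acls) in enumerate(rules) if "manager" in acls]
    for i in mgr:
        action, acls = rules[i]
        others = [a for a in acls if a not in ("manager", "all")]
        if action == "allow" and not others:
            findings.append("manager-open-to-all")  # no source restriction
    if mgr:
        # Manager rules belong below a preceding "deny CONNECT ..." rule.
        if not any(a == "deny" and "CONNECT" in acls for a, acls in rules[:mgr[0]]):
            findings.append("manager-not-below-connect-deny")
        # Requests that match no allow rule should reach a manager deny.
        if not any(rules[i] == ("deny", ["manager"]) for i in mgr):
            findings.append("no-manager-deny")
    return findings


if __name__ == "__main__":
    print("posted :", lint_manager_rules(POSTED))
    print("revised:", lint_manager_rules(REVISED))
```

The posted lines are only an excerpt of the full squid.conf, so the ordering finding reflects the excerpt as quoted.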


