[squid-users] Access Denied for manager

Amos Jeffries squid3 at treenet.co.nz
Thu Apr 19 07:15:12 UTC 2018


[ please keep replies on-list so others having this problem can also get
answers. ]


On 19/04/18 05:39, James Moe wrote:
> On 04/18/2018 12:08 AM, Amos Jeffries wrote:
> 
>> For better ideas look at what your access.log states when the manager
>> report is attempted.
>>
>   I commented the IPv6 "localnet" ACLs, reloaded squid.
>   Still denied access. I do not see any new information here:
> 
> 1524072494.191      1 192.168.69.246 TCP_DENIED/403 4361 GET
> http://sma-server3:3128/squid-internal-mgr/info - HIER_NONE/- text/html
> 1524072494.193   5508 192.168.69.115 TCP_MISS/403 4469 GET
> http://proxy1.sma.com:3128/squid-internal-mgr/info -
> HIER_DIRECT/192.168.69.246 text/html


I see you have a forwarding loop:

 192.168.69.115 -> Squid -> 192.168.69.246 -> Squid -> DENIED.


That 192.168.69.115 is trying to fetch "http://proxy1.sma.com". But the
Squid appears to think its hostname is "sma-server3".


Hmm, "sma-server" name rings a bell. I see you brought this same issue
up on 1 Nov 2017 as well and we do not seem to have resolved the issue then.

[ the following requires an understanding of host vs domain vs FQDN names
<https://support.suso.com/supki/What_is_the_difference_between_a_hostname_and_a_domain_name>
]


To get any type of access to Squid internal resources working properly
you need both Squid and the external tools to be aware of what its
machine's host name is AND that hostname to be publicly resolvable -
meaning it also has to be an FQDN.

 - for the icons ANY receiving Squid can (and usually will) respond if
it has the relevant icon.

 - for manager reports ONLY the individual proxy targeted by the URL
will respond with a successful report. The reasons for that should be
obvious.

If the machine's hostname service is broken and cannot be fixed, for
example producing something like "sma-server3" instead of the proper
sma-server3.sma.com hostname, you can work around that with
visible_hostname and/or unique_hostname in squid.conf.
 <http://www.squid-cache.org/Doc/config/visible_hostname/>
 <http://www.squid-cache.org/Doc/config/unique_hostname/>

Be aware that any tools running on the localhost will probably still use
the machine's hostname and may now appear to be broken when they "worked"
before. Those directives in squid.conf are _workarounds_ not fixes.

Amos
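
[ Added example, not part of the original message and not Squid project code: a small Python check that pairs a forwarded manager request with the entry logged when it re-entered a proxy, which is the loop read off the two log lines above. The function names and the one-second slack are assumptions; the input is assumed to be Squid's native access.log format. ]

```python
from urllib.parse import urlsplit

# The two access.log entries quoted in the message, rejoined onto single lines.
SAMPLE_LOG = """\
1524072494.191      1 192.168.69.246 TCP_DENIED/403 4361 GET http://sma-server3:3128/squid-internal-mgr/info - HIER_NONE/- text/html
1524072494.193   5508 192.168.69.115 TCP_MISS/403 4469 GET http://proxy1.sma.com:3128/squid-internal-mgr/info - HIER_DIRECT/192.168.69.246 text/html
"""

def parse_line(line):
    """Split one native-format access.log line into a dict, or None if malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    result, _, status = f[3].partition("/")
    hier, _, peer = f[8].partition("/")
    url = urlsplit(f[6])
    return {"time": float(f[0]), "elapsed_ms": int(f[1]), "client": f[2],
            "result": result, "status": status, "host": url.hostname,
            "path": url.path, "hier": hier, "peer": peer}

def find_manager_loops(log_text, slack=1.0):
    """Return manager requests that were forwarded and then seen again as a
    client request coming from the address they were forwarded to."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    mgr = [e for e in entries if e["path"].startswith("/squid-internal-mgr/")]
    loops = []
    for outer in mgr:
        if outer["hier"] != "HIER_DIRECT":
            continue  # answered locally, not forwarded anywhere
        # Assumed tolerance: the inner entry falls within the outer
        # transaction's duration, plus a little clock slack.
        span = outer["elapsed_ms"] / 1000 + slack
        for inner in mgr:
            if (inner is not outer
                    and inner["client"] == outer["peer"]
                    and inner["path"] == outer["path"]
                    and abs(inner["time"] - outer["time"]) <= span):
                loops.append({
                    "client": outer["client"],
                    "requested_host": outer["host"],
                    "via": outer["peer"],
                    "seen_host": inner["host"],
                    "seen_is_fqdn": "." in (inner["host"] or ""),
                    "inner_result": inner["result"],
                })
    return loops

if __name__ == "__main__":
    for loop in find_manager_loops(SAMPLE_LOG):
        print(loop)
```
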

