[squid-users] need help with cachemgr

Alex Rousskov rousskov at measurement-factory.com
Wed Nov 28 15:50:50 UTC 2018


On 11/28/18 4:59 AM, jmperrote wrote:

> This is the new error that I have when I tried to squidclient via https +
> certificate.

You have many different problems.

Problem 0: You are not responding on the mailing list. Please keep this
thread on the mailing list so that others can benefit from this triage
and so that others can help you.

Problem 1: You seem to ignore errors and warnings that you can fix on
your own. Please fix the ones you can fix before asking for help with
the remaining problems. When asking for help, explain what you think
each remaining warning/error means, and why you cannot fix that problem.
This approach shows that you invest serious effort into making this work
rather than simply abusing the mailing list as a free replacement for a
system administrator.


Problem 2:

> squidclient -vvv --https --cert /soporte/ssl/educacion.crt -h 10.0.0.4 -p 1084 mgr:info

The --cert option specifies a TLS client certificate. Your reverse
proxy, AFAICT, does not use client certificates. Remove that option. See
"man squidclient" for details about each option you use.


Problem 3:

> WARNING: Failed to load Certificate from /soporte/ssl/educacion.crt

I do not know what went wrong here because you have not provided any
relevant information like whether the file is actually there and can be
read by the user squidclient runs as.


Problem 4:

> X.509 TLS handshake ...
> VERIFY DATUM: The certificate is NOT trusted. The certificate issuer is
> unknown. The name in the certificate does not match the expected.
> WARNING: Insecure Connection

Looks self-explanatory to me: Your squidclient does not trust the server
certificate used by your reverse proxy. You may need to either

* use a --trusted-ca option or
* configure your TLS library environment to always trust the CA that
signed the https_port certificate of your reverse proxy.


Problem 5:

> HTTP/1.1 401 Unauthorized
> X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
> WWW-Authenticate: Basic realm=...

Your reverse proxy requires HTTP client authentication. Depending on
your needs, you should either

* adjust your Squid http_access rules to disable authentication for
cache manager requests or
* give a valid username and password to squidclient (search "man
squidclient" manual page for "authentication" and "WWW" to discover the
right options).


Potential problem 6:

This may not be relevant to you, but please note that Squid Cache
Manager does not yet support secure queries when Squid is running in SMP
mode. For details, please see
https://wiki.squid-cache.org/Features/CacheManager#Secure_SMP_reports


HTH,

Alex.
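
Added example, not part of the original message and not Squid code: a POSIX shell pre-flight check for the open question in Problem 3 (is the file there, and can the invoking user read it), applied to any PEM file handed to squidclient, such as the one given to --trusted-ca. The function name `check_pem_file` and its return codes are assumptions of this example.

```sh
#!/bin/sh
# Pre-flight check for a PEM certificate file passed to squidclient.
# Return codes (defined by this example only):
#   0 usable            1 path does not exist
#   2 not a regular file 3 not readable by the current user
#   4 no PEM certificate block found
#   5 file also contains a private key (should not be in a CA bundle)
check_pem_file() {
    f=$1
    [ -e "$f" ] || { echo "missing: $f" >&2; return 1; }
    [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 2; }
    # -r is evaluated for the user running this script, so run it as the
    # same user that runs squidclient.
    [ -r "$f" ] || { echo "unreadable by $(id -un): $f" >&2; return 3; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" ||
        { echo "no PEM certificate block in: $f" >&2; return 4; }
    if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f"; then
        echo "private key found in: $f" >&2
        return 5
    fi
    return 0
}

# Stand-alone use: sh check_pem.sh /path/to/ca.pem
if [ $# -gt 0 ]; then
    check_pem_file "$1"
fi
```

A return code of 4 on a file that does exist usually means it is DER-encoded or is not a certificate at all; this check only looks for PEM markers and does not validate the certificate itself.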

