[squid-users] squidclient -h 127.0.0.1 -p 3128 mgr:info shows access denied

Jonathan Lee jonathanlee571 at gmail.com
Thu Jul 11 18:12:22 UTC 2024


cachemgr_passwd disable offline_toggle reconfigure shutdown
cachemgr_passwd PASSWORDREDCATED all
eui_lookup on
acl no_miss url_regex -i gateway\.facebook\.com\/ws\/realtime\?
acl no_miss url_regex -i web-chat-e2ee\.facebook\.com\/ws\/chat
acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com
http_access allow CONNECT wuCONNECT localnet
http_access allow CONNECT wuCONNECT localhost
http_access allow windowsupdate localnet
http_access allow windowsupdate localhost
http_access allow HttpAccess localnet
http_access allow HttpAccess localhost
http_access deny manager
http_access deny to_ipv6
http_access deny from_ipv6

acl BrokenButTrustedServers dstdomain "/usr/local/pkg/dstdom.broken"
acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
sslproxy_cert_error deny all

acl splice_only src 192.168.1.8 #Tasha iPhone
acl splice_only src 192.168.1.10 #Jon iPhone
acl splice_only src 192.168.1.11 #Amazon Fire
acl splice_only src 192.168.1.15 #Tasha HP
acl splice_only src 192.168.1.16 #iPad

acl splice_only_mac arp MACADDRESSREDACTED
acl splice_only_mac arp MACADDRESSREDACTED
acl splice_only_mac arp MACADDRESSREDACTED
acl splice_only_mac arp MACADDRESSREDACTED
acl splice_only_mac arp MACADDRESSREDACTED

acl NoSSLIntercept ssl::server_name_regex -i "/usr/local/pkg/reg.url.nobump"
acl NoBumpDNS dstdomain "/usr/local/pkg/dns.nobump"

acl markBumped annotate_client bumped=true
acl active_use annotate_client active=true
acl bump_only src 192.168.1.3 #webtv
acl bump_only src 192.168.1.4 #toshiba
acl bump_only src 192.168.1.5 #imac
acl bump_only src 192.168.1.9 #macbook
acl bump_only src 192.168.1.13 #dell

acl bump_only_mac arp MACADDRESSREDACTED
acl bump_only_mac arp MACADDRESSREDACTED
acl bump_only_mac arp MACADDRESSREDACTED
acl bump_only_mac arp MACADDRESSREDACTED
acl bump_only_mac arp MACADDRESSREDACTED
sslproxy_cert_sign signTrusted bump_only_mac

ssl_bump peek step1
miss_access deny no_miss active_use
ssl_bump splice https_login active_use
ssl_bump splice splice_only_mac splice_only active_use
ssl_bump splice NoBumpDNS active_use
ssl_bump splice NoSSLIntercept active_use
ssl_bump bump bump_only_mac bump_only active_use
acl activated note active_use true
ssl_bump terminate !activated

shutdown_lifetime 1 seconds
negative_dns_ttl 5 minutes


Do the MAC address and bump have anything to do with it? This worked in the older versions without having to input a MAC for the loopback.

> On Jul 11, 2024, at 11:08, Jonathan Lee <jonathanlee571 at gmail.com> wrote:
> 
> I use http access acl set as follows:
> 
> acl getmethod method GET
> acl to_ipv6 dst ipv6
> acl from_ipv6 src ipv6
> acl HttpAccess dstdomain "/usr/local/pkg/http.access"
> 
> 
> /usr/local/pkg/http.access
> contains:
> office.com
> data.microsoft.com
> windowsupdate.com
> dc1-st.ksn.kaspersky-labs.com
> dc1-file.ksn.kaspersky-labs.com
> dc1.ksn.kaspersky-labs.com
> gsa.apple.com
> apps.apple.com
> certs.apple.com
> crl.apple.com
> entrust.net
> digicert.com
> ocsp.apple.com
> ocsp2.apple.com
> valid.apple.com
> push.apple.com
> itunes.apple.com
> appldnld.apple.com
> gg.apple.com
> gs.apple.com
> mesu.apple.com
> oscdn.apple.com
> osrecovery.apple.com
> swcdn.apple.com
> swdownload.apple.com
> updates-http.cdn-apple.com
> appldnld.apple.com.edgesuite.net
> suconfig.apple.com
> audiocontentdownload.apple.com
> devimages-cdn.apple.com
> download.developer.apple.com
> sylvan.apple.com
> static.ips.apple.com
> 
> 
> http_access allow CONNECT wuCONNECT localnet
> http_access allow CONNECT wuCONNECT localhost
> http_access allow windowsupdate localnet
> http_access allow windowsupdate localhost
> http_access allow HttpAccess localnet
> http_access allow HttpAccess localhost
> http_access deny manager
> http_access deny to_ipv6
> http_access deny from_ipv6 
> 
>> On Jul 11, 2024, at 11:02, Jonathan Lee <jonathanlee571 at gmail.com> wrote:
>> 
>> also 
>> 
>> Shell Output - squidclient -h 127.0.0.1 -v -U admin -W redacted mgr:info
>> Request:
>> GET http://127.0.0.1:3128/squid-internal-mgr/info HTTP/1.0
>> Host: 127.0.0.1:3128
>> User-Agent: squidclient/6.6
>> Accept: */*
>> Authorization: Basic YWRtaW46R09Qc3lzdGVtYWRtaW4xIQ==
>> Connection: close
>> 
>> 
>> .
>> HTTP/1.1 403 Forbidden
>> Server: squid
>> Mime-Version: 1.0
>> Date: Thu, 11 Jul 2024 18:01:46 GMT
>> Content-Type: text/html;charset=utf-8
>> Content-Length: 3788
>> X-Squid-Error: ERR_ACCESS_DENIED 0
>> Vary: Accept-Language
>> Content-Language: en
>> Cache-Status: Lee_Family.home.arpa
>> Cache-Status: Lee_Family.home.arpa;detail=no-cache
>> Connection: close
>> 
>>> On Jul 11, 2024, at 10:57, Jonathan Lee <jonathanlee571 at gmail.com> wrote:
>>> 
>>> Shell Output - squidclient -v -U admin -W REDACTED mgr:info
>>> Request:
>>> GET http://localhost:3128/squid-internal-mgr/info HTTP/1.0
>>> Host: localhost:3128
>>> User-Agent: squidclient/6.6
>>> Accept: */*
>>> Authorization: Basic YWRtaW46R09Qc3lzdGVtYWRtaW4xIQ==
>>> Connection: close
>>> 
>>> 
>>> .
>>> HTTP/1.1 403 Forbidden
>>> Server: squid
>>> Mime-Version: 1.0
>>> Date: Thu, 11 Jul 2024 17:55:05 GMT
>>> Content-Type: text/html;charset=utf-8
>>> Content-Length: 3788
>>> X-Squid-Error: ERR_ACCESS_DENIED 0
>>> Vary: Accept-Language
>>> Content-Language: en
>>> Cache-Status: Lee_Family.home.arpa
>>> Cache-Status: Lee_Family.home.arpa;detail=no-cache
>>> Connection: close
>>> 
>>> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
>>> <html><head>
>>> <meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
>>> <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
>>> <title>ERROR: The requested URL could not be retrieved</title>
>>> <style type="text/css"><!--
>>>  /*
>>>  * Copyright (C) 1996-2023 The Squid Software Foundation and contributor
>>> 
>>> Shell Output - squidclient -v -U admin -W REDACTED /squid-internal-mgr/info
>>> Request:
>>> GET /squid-internal-mgr/info HTTP/1.0
>>> User-Agent: squidclient/6.6
>>> Accept: */*
>>> Authorization: Basic YWRtaW46R09Qc3lzdGVtYWRtaW4xIQ==
>>> Connection: close
>>> 
>>> 
>>> .
>>> HTTP/1.1 403 Forbidden
>>> Server: squid
>>> Mime-Version: 1.0
>>> Date: Thu, 11 Jul 2024 17:56:48 GMT
>>> Content-Type: text/html;charset=utf-8
>>> Content-Length: 3788
>>> X-Squid-Error: ERR_ACCESS_DENIED 0
>>> Vary: Accept-Language
>>> Content-Language: en
>>> Cache-Status: Lee_Family.home.arpa
>>> Cache-Status: Lee_Family.home.arpa;detail=no-cache
>>> Connection: close
>>> 
>>> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
>>> <html><head>
>>> <meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
>>> <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
>>> <title>ERROR: The requested URL could not be retrieved</title>
>>> <style type="text/css"><!--
>>>  /*
>>>  * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
>>> Tested both and they also failed 
>>> 
>>>> On Jul 11, 2024, at 10:27, Jonathan Lee <jonathanlee571 at gmail.com> wrote:
>>>> 
>>>> Thanks. What about the password? Is it set with @ or -p? Where would I place that?
>>>> Sent from my iPhone
>>>> 
>>>>> On Jul 11, 2024, at 10:17, Amos Jeffries <squid3 at treenet.co.nz> wrote:
>>>>> 
>>>>> 
>>>>>> On 11/07/24 06:08, Alex Rousskov wrote:
>>>>>> On 2024-07-10 12:55, Jonathan Lee wrote:
>>>>>>>> Embedding a password in a cache manager command requires providing a
>>>>>>>> username with -U
>>>>>>> squidclient -w /squid-internal-mgr/info -u admin
>>>>>>> squidclient -w /squid-internal-mgr/info at redacted -u admin
>>>>>>> squidclient -w http://192.168.1.1:3128/squid-internal-mgr/info@redacted -u admin
>>>>>>> squidclient -w http://127.0.0.1:3128/squid-internal-mgr/info@redacted -u admin
>>>>>>> squidclient -w http://127.0.0.1:3128/squid-internal-mgr/info
>>>>>>> squidclient http://127.0.0.1:3128/squid-internal-mgr/info
>>>>>>> squidclient -h 127.0.0.1:3128/squid-internal-mgr/info
>>>>>>> squidclient -h 127.0.0.1 /squid-internal-mgr/info
>>>>>>> squidclient -h 127.0.0.1 /squid-internal-mgr/info at redcated
>>>>>>> squidclient -w 127.0.0.1 /squid-internal-mgr/info at redacted
>>>>>>> squidclient -w 127.0.0.1 /squid-internal-mgr/info at redcated -u admin
>>>>>>> squidclient -h 192.168.1.1:3128  /squid-internal-mgr/info at redacted
>>>>>>> squidclient -h 192.168.1.1  /squid-internal-mgr/info at redacted
>>>>>>> squidclient -h 192.168.1.1  /squid-internal-mgr/info
>>>>>>> 
>>>>>>> with -w -u -h http spaces I can’t get it to show me stats
>>>>>>> 
>>>>>>> Squid 6.6
>>>>>> I do not know whether this mistake is relevant, but squidclient documentation and error message imply that you should be using "-U" (capital letter U) while you are using "-u" (small letter u).
>>>>> 
>>>>> 
>>>>> It is very relevant. As Matus already mentioned, both -U and -W.
>>>>> 
>>>>> 
>>>>> squidclient -v -U admin -W cachemgr_password mgr:info
>>>>> Request:
>>>>> GET http://localhost:3128/squid-internal-mgr/info HTTP/1.0
>>>>> Host: localhost:3128
>>>>> User-Agent: squidclient/6.10
>>>>> Accept: */*
>>>>> Authorization: Basic YWRtaW46Y2FjaGVtZ3JfcGFzc3dvcmQ=
>>>>> Connection: close
>>>>> 
>>>>> 
>>>>> squidclient -v -U admin -W cachemgr_password /squid-internal-mgr/info
>>>>> Request:
>>>>> GET /squid-internal-mgr/info HTTP/1.0
>>>>> Host: localhost:3128
>>>>> User-Agent: squidclient/6.10
>>>>> Accept: */*
>>>>> Authorization: Basic YWRtaW46Y2FjaGVtZ3JfcGFzc3dvcmQ=
>>>>> Connection: close
>>>>> 
>>>>> 
>>>>> Cheers
>>>>> Amos
>>> 
>> 
> 
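
Added example, not part of the original thread or Squid's own code: the `-v` request dump carries the `-U`/`-W` values as a Basic `Authorization` header, which is base64 and not encryption, so a paste needs that header masked as well as the `-W` argument. The Python sketch below scrubs both and reads the status and `X-Squid-Error` out of the transcript; the sample is constructed from the placeholder credential in Amos's reply, and the function names and the reading of 403 plus `ERR_ACCESS_DENIED` as an access-control denial are assumptions of this example.

```python
import base64
import re

# Constructed sample: the request/response shape shown in the thread, using
# the placeholder credential from the reply (admin / cachemgr_password).
SAMPLE = """\
Shell Output - squidclient -v -U admin -W cachemgr_password mgr:info
Request:
GET http://localhost:3128/squid-internal-mgr/info HTTP/1.0
Host: localhost:3128
Authorization: Basic YWRtaW46Y2FjaGVtZ3JfcGFzc3dvcmQ=

HTTP/1.1 403 Forbidden
X-Squid-Error: ERR_ACCESS_DENIED 0
"""

AUTH_RE = re.compile(r"^((?:Proxy-)?Authorization:\s*Basic\s+)(\S+)", re.I | re.M)
PASS_ARG_RE = re.compile(r"(\s-[wW]\s+)(\S+)")  # squidclient password options
STATUS_RE = re.compile(r"^HTTP/\d\.\d\s+(\d{3})", re.M)
ERROR_RE = re.compile(r"^X-Squid-Error:\s*(\S+)", re.I | re.M)

def basic_user(token):
    """Return the user name inside a Basic token, or None if undecodable."""
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return decoded.partition(":")[0]

def scrub(transcript):
    """Mask the password on the command line and in the Basic header."""
    def mask_header(m):
        user = basic_user(m.group(2)) or "?"
        return f"{m.group(1)}<redacted user={user}>"
    out = AUTH_RE.sub(mask_header, transcript)
    return PASS_ARG_RE.sub(r"\1<redacted>", out)

def triage(transcript):
    """Return (status code, X-Squid-Error name, denied-by-access-control)."""
    status = STATUS_RE.search(transcript)
    error = ERROR_RE.search(transcript)
    code = int(status.group(1)) if status else None
    name = error.group(1) if error else None
    # Assumption of this example: 403 + ERR_ACCESS_DENIED points at the
    # http_access rules rather than at the cachemgr_passwd value.
    return code, name, code == 403 and name == "ERR_ACCESS_DENIED"

if __name__ == "__main__":
    print(scrub(SAMPLE))
    print(triage(SAMPLE))
```
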
