[squid-users] squidclient -h 127.0.0.1 -p 3128 mgr:info shows access denied

Jonathan Lee jonathanlee571 at gmail.com
Thu Jul 11 18:13:44 UTC 2024


Could this cause the issue?

acl https_login url_regex -i ^https.*(login|Login).*
cache deny https_login


> On Jul 11, 2024, at 11:12, Jonathan Lee <jonathanlee571 at gmail.com> wrote:
> 
> cachemgr_passwd disable offline_toggle reconfigure shutdown
> cachemgr_passwd PASSWORDREDCATED all
> eui_lookup on
> acl no_miss url_regex -i gateway\.facebook\.com\/ws\/realtime\?
> acl no_miss url_regex -i web-chat-e2ee\.facebook\.com\/ws\/chat
> acl CONNECT method CONNECT
> acl wuCONNECT dstdomain www.update.microsoft.com
> acl wuCONNECT dstdomain sls.microsoft.com
> http_access allow CONNECT wuCONNECT localnet
> http_access allow CONNECT wuCONNECT localhost
> http_access allow windowsupdate localnet
> http_access allow windowsupdate localhost
> http_access allow HttpAccess localnet
> http_access allow HttpAccess localhost
> http_access deny manager
> http_access deny to_ipv6
> http_access deny from_ipv6
> 
> acl BrokenButTrustedServers dstdomain "/usr/local/pkg/dstdom.broken"
> acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
> sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
> sslproxy_cert_error deny all
> 
> acl splice_only src 192.168.1.8 #Tasha iPhone
> acl splice_only src 192.168.1.10 #Jon iPhone
> acl splice_only src 192.168.1.11 #Amazon Fire
> acl splice_only src 192.168.1.15 #Tasha HP
> acl splice_only src 192.168.1.16 #iPad
> 
> acl splice_only_mac arp MACADDRESSREDACTED
> acl splice_only_mac arp MACADDRESSREDACTED
> acl splice_only_mac arp MACADDRESSREDACTED
> acl splice_only_mac arp MACADDRESSREDACTED
> acl splice_only_mac arp MACADDRESSREDACTED
> 
> acl NoSSLIntercept ssl::server_name_regex -i "/usr/local/pkg/reg.url.nobump"
> acl NoBumpDNS dstdomain "/usr/local/pkg/dns.nobump"
> 
> acl markBumped annotate_client bumped=true
> acl active_use annotate_client active=true
> acl bump_only src 192.168.1.3 #webtv
> acl bump_only src 192.168.1.4 #toshiba
> acl bump_only src 192.168.1.5 #imac
> acl bump_only src 192.168.1.9 #macbook
> acl bump_only src 192.168.1.13 #dell
> 
> acl bump_only_mac arp MACADDRESSREDACTED
> acl bump_only_mac arp MACADDRESSREDACTED
> acl bump_only_mac arp MACADDRESSREDACTED
> acl bump_only_mac arp MACADDRESSREDACTED
> acl bump_only_mac arp MACADDRESSREDACTED
> sslproxy_cert_sign signTrusted bump_only_mac
> 
> ssl_bump peek step1
> miss_access deny no_miss active_use
> ssl_bump splice https_login active_use
> ssl_bump splice splice_only_mac splice_only active_use
> ssl_bump splice NoBumpDNS active_use
> ssl_bump splice NoSSLIntercept active_use
> ssl_bump bump bump_only_mac bump_only active_use
> acl activated note active_use true
> ssl_bump terminate !activated
> 
> shutdown_lifetime 1 seconds
> negative_dns_ttl 5 minutes
> 
> 
> Do the MAC address and bump have anything to do with it? This worked in the older versions without having to input a MAC for the loopback.
> 
>> On Jul 11, 2024, at 11:08, Jonathan Lee <jonathanlee571 at gmail.com> wrote:
>> 
>> I use http access acl set as follows
>> 
>> acl getmethod method GET
>> acl to_ipv6 dst ipv6
>> acl from_ipv6 src ipv6
>> acl HttpAccess dstdomain "/usr/local/pkg/http.access"
>> 
>> 
>> /usr/local/pkg/http.access
>> contains:
>> office.com
>> data.microsoft.com
>> windowsupdate.com
>> dc1-st.ksn.kaspersky-labs.com
>> dc1-file.ksn.kaspersky-labs.com
>> dc1.ksn.kaspersky-labs.com
>> gsa.apple.com
>> apps.apple.com
>> certs.apple.com
>> crl.apple.com
>> entrust.net
>> digicert.com
>> ocsp.apple.com
>> ocsp2.apple.com
>> valid.apple.com
>> push.apple.com
>> itunes.apple.com
>> appldnld.apple.com
>> gg.apple.com
>> gs.apple.com
>> mesu.apple.com
>> oscdn.apple.com
>> osrecovery.apple.com
>> swcdn.apple.com
>> swdownload.apple.com
>> updates-http.cdn-apple.com
>> appldnld.apple.com.edgesuite.net
>> suconfig.apple.com
>> audiocontentdownload.apple.com
>> devimages-cdn.apple.com
>> download.developer.apple.com
>> sylvan.apple.com
>> static.ips.apple.com
>> 
>> 
>> http_access allow CONNECT wuCONNECT localnet
>> http_access allow CONNECT wuCONNECT localhost
>> http_access allow windowsupdate localnet
>> http_access allow windowsupdate localhost
>> http_access allow HttpAccess localnet
>> http_access allow HttpAccess localhost
>> http_access deny manager
>> http_access deny to_ipv6
>> http_access deny from_ipv6 
>> 
>>> On Jul 11, 2024, at 11:02, Jonathan Lee <jonathanlee571 at gmail.com> wrote:
>>> 
>>> also 
>>> 
>>> Shell Output - squidclient -h 127.0.0.1 -v -U admin -W redacted mgr:info
>>> Request:
>>> GET http://127.0.0.1:3128/squid-internal-mgr/info HTTP/1.0
>>> Host: 127.0.0.1:3128
>>> User-Agent: squidclient/6.6
>>> Accept: */*
>>> Authorization: Basic YWRtaW46R09Qc3lzdGVtYWRtaW4xIQ==
>>> Connection: close
>>> 
>>> 
>>> .
>>> HTTP/1.1 403 Forbidden
>>> Server: squid
>>> Mime-Version: 1.0
>>> Date: Thu, 11 Jul 2024 18:01:46 GMT
>>> Content-Type: text/html;charset=utf-8
>>> Content-Length: 3788
>>> X-Squid-Error: ERR_ACCESS_DENIED 0
>>> Vary: Accept-Language
>>> Content-Language: en
>>> Cache-Status: Lee_Family.home.arpa
>>> Cache-Status: Lee_Family.home.arpa;detail=no-cache
>>> Connection: close
>>> 
>>>> On Jul 11, 2024, at 10:57, Jonathan Lee <jonathanlee571 at gmail.com> wrote:
>>>> 
>>>> Shell Output - squidclient -v -U admin -W REDACTED mgr:info
>>>> Request:
>>>> GET http://localhost:3128/squid-internal-mgr/info HTTP/1.0
>>>> Host: localhost:3128
>>>> User-Agent: squidclient/6.6
>>>> Accept: */*
>>>> Authorization: Basic YWRtaW46R09Qc3lzdGVtYWRtaW4xIQ==
>>>> Connection: close
>>>> 
>>>> 
>>>> .
>>>> HTTP/1.1 403 Forbidden
>>>> Server: squid
>>>> Mime-Version: 1.0
>>>> Date: Thu, 11 Jul 2024 17:55:05 GMT
>>>> Content-Type: text/html;charset=utf-8
>>>> Content-Length: 3788
>>>> X-Squid-Error: ERR_ACCESS_DENIED 0
>>>> Vary: Accept-Language
>>>> Content-Language: en
>>>> Cache-Status: Lee_Family.home.arpa
>>>> Cache-Status: Lee_Family.home.arpa;detail=no-cache
>>>> Connection: close
>>>> 
>>>> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
>>>> <html><head>
>>>> <meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
>>>> <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
>>>> <title>ERROR: The requested URL could not be retrieved</title>
>>>> <style type="text/css"><!--
>>>>  /*
>>>>  * Copyright (C) 1996-2023 The Squid Software Foundation and contributor
>>>> 
>>>> Shell Output - squidclient -v -U admin -W REDACTED /squid-internal-mgr/info
>>>> Request:
>>>> GET /squid-internal-mgr/info HTTP/1.0
>>>> User-Agent: squidclient/6.6
>>>> Accept: */*
>>>> Authorization: Basic YWRtaW46R09Qc3lzdGVtYWRtaW4xIQ==
>>>> Connection: close
>>>> 
>>>> 
>>>> .
>>>> HTTP/1.1 403 Forbidden
>>>> Server: squid
>>>> Mime-Version: 1.0
>>>> Date: Thu, 11 Jul 2024 17:56:48 GMT
>>>> Content-Type: text/html;charset=utf-8
>>>> Content-Length: 3788
>>>> X-Squid-Error: ERR_ACCESS_DENIED 0
>>>> Vary: Accept-Language
>>>> Content-Language: en
>>>> Cache-Status: Lee_Family.home.arpa
>>>> Cache-Status: Lee_Family.home.arpa;detail=no-cache
>>>> Connection: close
>>>> 
>>>> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
>>>> <html><head>
>>>> <meta type="copyright" content="Copyright (C) 1996-2023 The Squid Software Foundation and contributors">
>>>> <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
>>>> <title>ERROR: The requested URL could not be retrieved</title>
>>>> <style type="text/css"><!--
>>>>  /*
>>>>  * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
>>>> Tested both and they also failed 
>>>> 
>>>>> On Jul 11, 2024, at 10:27, Jonathan Lee <jonathanlee571 at gmail.com> wrote:
>>>>> 
>>>>> Thanks. What about the password, is it set with @ or -p? Where would I place that?
>>>>> Sent from my iPhone
>>>>> 
>>>>>> On Jul 11, 2024, at 10:17, Amos Jeffries <squid3 at treenet.co.nz> wrote:
>>>>>> 
>>>>>> 
>>>>>>> On 11/07/24 06:08, Alex Rousskov wrote:
>>>>>>> On 2024-07-10 12:55, Jonathan Lee wrote:
>>>>>>>>> Embedding a password in a cache manager command requires providing a
>>>>>>>>> username with -U
>>>>>>>> squidclient -w /squid-internal-mgr/info -u admin
>>>>>>>> squidclient -w /squid-internal-mgr/info at redacted -u admin
>>>>>>>> squidclient -w http://192.168.1.1:3128/squid-internal-mgr/info@redacted -u admin
>>>>>>>> squidclient -w http://127.0.0.1:3128/squid-internal-mgr/info@redacted -u admin
>>>>>>>> squidclient -w http://127.0.0.1:3128/squid-internal-mgr/info
>>>>>>>> squidclient http://127.0.0.1:3128/squid-internal-mgr/info
>>>>>>>> squidclient -h 127.0.0.1:3128/squid-internal-mgr/info
>>>>>>>> squidclient -h 127.0.0.1 /squid-internal-mgr/info
>>>>>>>> squidclient -h 127.0.0.1 /squid-internal-mgr/info at redcated
>>>>>>>> squidclient -w 127.0.0.1 /squid-internal-mgr/info at redacted
>>>>>>>> squidclient -w 127.0.0.1 /squid-internal-mgr/info at redcated -u admin
>>>>>>>> squidclient -h 192.168.1.1:3128  /squid-internal-mgr/info at redacted
>>>>>>>> squidclient -h 192.168.1.1  /squid-internal-mgr/info at redacted
>>>>>>>> squidclient -h 192.168.1.1  /squid-internal-mgr/info
>>>>>>>> 
>>>>>>>> with -w -u -h http spaces I can’t get it to show me stats
>>>>>>>> 
>>>>>>>> Squid 6.6
>>>>>>> I do not know whether this mistake is relevant, but squidclient documentation and error message imply that you should be using "-U" (capital letter U) while you are using "-u" (small letter u).
>>>>>> 
>>>>>> 
>>>>>> It is very relevant. As Matus already mentioned, both -U and -W.
>>>>>> 
>>>>>> 
>>>>>> squidclient -v -U admin -W cachemgr_password mgr:info
>>>>>> Request:
>>>>>> GET http://localhost:3128/squid-internal-mgr/info HTTP/1.0
>>>>>> Host: localhost:3128
>>>>>> User-Agent: squidclient/6.10
>>>>>> Accept: */*
>>>>>> Authorization: Basic YWRtaW46Y2FjaGVtZ3JfcGFzc3dvcmQ=
>>>>>> Connection: close
>>>>>> 
>>>>>> 
>>>>>> squidclient -v -U admin -W cachemgr_password /squid-internal-mgr/info
>>>>>> Request:
>>>>>> GET /squid-internal-mgr/info HTTP/1.0
>>>>>> Host: localhost:3128
>>>>>> User-Agent: squidclient/6.10
>>>>>> Accept: */*
>>>>>> Authorization: Basic YWRtaW46Y2FjaGVtZ3JfcGFzc3dvcmQ=
>>>>>> Connection: close
>>>>>> 
>>>>>> 
>>>>>> Cheers
>>>>>> Amos
>>>>>> _______________________________________________
>>>>>> squid-users mailing list
>>>>>> squid-users at lists.squid-cache.org
>>>>>> https://lists.squid-cache.org/listinfo/squid-users
>>>> 
>>> 
>> 
> 
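
An added example, not part of any post in this thread and not Squid's own code: a first-match evaluation of the `http_access` lines quoted above, applied to the `mgr:info` request from the squidclient output. It covers only the rules shown in the thread (the rest of the poster's squid.conf is not on the page); the `localnet` range, the `windowsupdate` definition and the simplified ACL predicates are assumptions.

```python
# Added illustration: first-match evaluation of the http_access lines quoted above.
# ACL predicates are simplified stand-ins for Squid's matching, not Squid code.
ACLS = {
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "wuCONNECT": lambda r: r["host"] in {"www.update.microsoft.com", "sls.microsoft.com"},
    "windowsupdate": lambda r: False,  # definition not shown in the thread (assumed no match)
    "HttpAccess": lambda r: r["host"] in {"office.com", "windowsupdate.com"},  # sample of list
    "localnet": lambda r: r["src"].startswith("192.168.1."),  # assumed LAN range
    "localhost": lambda r: r["src"] in ("127.0.0.1", "::1"),
    "manager": lambda r: r["path"].startswith("/squid-internal-mgr/"),
    "to_ipv6": lambda r: ":" in r["host"],
    "from_ipv6": lambda r: ":" in r["src"],
}

QUOTED_RULES = """\
http_access allow CONNECT wuCONNECT localnet
http_access allow CONNECT wuCONNECT localhost
http_access allow windowsupdate localnet
http_access allow windowsupdate localhost
http_access allow HttpAccess localnet
http_access allow HttpAccess localhost
http_access deny manager
http_access deny to_ipv6
http_access deny from_ipv6
"""

def parse(text):
    rules = []  # list of (action, [acl names]) in file order
    for line in text.splitlines():
        parts = line.split("#")[0].split()
        if parts[:1] == ["http_access"]:
            rules.append((parts[1], parts[2:]))
    return rules

def decide(rules, req):
    for n, (action, names) in enumerate(rules, 1):
        if all(ACLS[a.lstrip("!")](req) != a.startswith("!") for a in names):
            return action, n  # first rule whose ACLs all match wins
    # No rule matched: Squid applies the opposite of the last rule's action.
    return ("allow" if rules[-1][0] == "deny" else "deny"), None

def with_manager_allow(text):
    # Stock squid.conf places this allow line directly before "deny manager".
    return text.replace("http_access deny manager",
                        "http_access allow localhost manager\nhttp_access deny manager")

MGR_INFO = {"method": "GET", "src": "127.0.0.1", "host": "127.0.0.1",
            "path": "/squid-internal-mgr/info"}  # constructed from the squidclient output
```

On the quoted rules alone, the `mgr:info` request from 127.0.0.1 stops at rule 7 (`deny manager`); with the allow line ahead of it the loopback request passes while a LAN client asking for the same URL is still denied.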
