[squid-users] cachemgr.cgi isn't mgr:info ?

Fri Jul 12 16:17:53 UTC 2024

Per your subject question "cachemgr.cgi isn't mgr:info ?"

Correct.

  cachemgr.cgi is an old tool to access multiple proxies manager reports.

  "mgr:info" is a command line parameter for the squidclient tool to 
access a proxies "info" manager report.
   Also, commonly used shorthand in Squid community to refer to the 
"info" report, regardless of how it is accessed.

Responses to your other queries inline...

On 13/07/24 03:18, Brian Cook wrote:
> Picking up squid again and trying to look at what's going on inside..
> 
> Squid on OpenWRT.. wanted to look at mgr:info for file desc, etc..
> 
> trying to access the cachemgr.cgi.. as this looks like the new squidclient
> 
> Wasn't working etc..
> 

FYI, both squidclient and cachemgr.cgi are deprecated. It depends on the 
tool version vs Squid version whether you will encounter an issue.

Current recommendation for current supported Squid is to use a tool like 
this one: <https://github.com/yadij/cachemgr.js>.
(I may be a bit biased there as its author, but also not yet aware of 
any others to reference.)

> ..
> debug_options ALL,2
> cache_log /tmp/squid_cache.log
> ..
> 
> ----------
> 2024/07/12 10:57:08.388| 33,2| client_side.cc(1646) 
> clientProcessRequest: internal URL found: http://10.20.245.10:3128 
> 2024/07/12 10:57:08.388| 85,2| client_side_request.cc(715) 
> clientAccessCheckDone: The request GET 
> http://10.20.245.10:3128/squid-internal-mgr/menu is DENIED; last ACL 
> checked: Safe_ports
> # EOF
> ---------
> 
> Q: So I added 3128 to the Safe_ports.. and then it works..
> 
> image.png
> 
> Q: no password set for cachemgr_passwd.. cachemgr.cgi just open to the 
> world? unsecured?
> 

Apparently so in your setup. Unless your Browser etc did some implicit 
authentication that you overlooked.

> and is Process Filedescriptor Allocation the closest thing?
> 

That report is a list of what each filedescriptor is currently being 
used for.

> I (think) I remember something like max, in use, and something else.. 
> being in mgr:info
> 

Yes.

> fwiw openwrt starts squid with like 4096 max files..
> 
> needed something like this:
> 
> ..
>          procd_set_param file $CONFIGFILE
>          procd_set_param limits nofile="262140 262140"
>          procd_set_param respawn
> ..
> 
> to set the hard and soft limits..
> 
> any better practice than adding 3128 to the 'Safe_ports'? (can't keep 
> that in place..)

Ports 1025 to 65535 should already be listed as "Safe_ports". That ACL 
is supposed to be used to pinhole a denial of the known **non-safe** ports.

> 
> and setting a cachemgr_passwd would be the only thing to secure the cgi?
> 

No.

  The CGI tool is restricted by any configuration of the web server 
running it. And,

  Then tool requests to Squid are restricted by your http_access rules 
for what requests can be made of the proxy. And,

  Then the access to individual manager reports is controlled by 
cachemgr_passwd directive in Squid.

Cheers
Amos