Re: [squid-users] can't access cachemgr

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 27 May 2012 22:37:32 +1200

On 24/05/2012 6:45 a.m., Jeff MacDonald wrote:
> Hi,
>
> I can't put the access rules above the acl definition if that was what you meant. But in case that isn't what you meant.. I did re-order it a bit and this is what I have now.. still no access.
>
> FYI, I'm trying to access it using the cache manager cgi which runs on the same server

If you have a current squid (3.1 series) "localhost" is also using the
IP address ::1. This may need adding to your ACL definition.

For your current problem though see below ...

>
> root_at_proxy:~# !gre
> grep -e ^acl -e ^http_acc /etc/squid3/squid.conf
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
> acl westhants proxy_auth REQUIRED
> acl westhants-network src 192.168.11.0/24
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT

In general you can consider squid.conf somewhat of a script programming
Squid what to do with a request.

As such, when needing to check whether an HTTP request is allowed to be
processed by Squid it does the following...

> http_access allow westhants
Step 1)
  1a) test "westhants" ACL.
  1b) send 407 message to locate client credentials.

Step 2) - there is no 2, see 1b for why.

> http_access allow localhost
> http_access allow westhants-network
> http_access allow manager localhost
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny all

Consider the logic of:

  deny A
  deny B
  deny everything

Why bother denying A and B individually if everything is denied anyway?

There is also a disconnection between your westhants authentication
test and the westhants network IPs.

Simply put IMHO your ACLs should be configured as:

   http_access allow manager localhost
   http_access deny !Safe_ports
   http_access deny CONNECT !SSL_ports
   http_access allow localhost
   http_access allow westhants-network westhants
   http_access deny all

If you want particulars about why, I'm happy to provide them. But it should be
clear if you understand that Squid tests http_access lines top-down,
left-to-right, on a first-line-to-match-wins basis. Lines where one ACL
does not match skip to the next immediately.

Amos
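The first-matching-line evaluation described in this reply, as an added example that is not part of the original thread: a small Python model of the quoted ACLs and of both http_access orderings, so the cachemgr request, a LAN client with and without credentials, and a ::1 localhost can be traced through each. The request dicts, the `NeedCredentials` shortcut standing in for the 407 challenge, and the built-in `all` ACL are assumptions of this model, not Squid's own code.

```python
import ipaddress

# Constructed ACL table mirroring the squid.conf lines quoted in the thread,
# plus Squid's built-in "all". Form: name -> (acl type, values).
ACLS = {
    "manager": ("proto", ["cache_object"]),
    "localhost": ("src", ["127.0.0.1/32"]),
    "westhants": ("proxy_auth", ["REQUIRED"]),
    "westhants-network": ("src", ["192.168.11.0/24"]),
    "SSL_ports": ("port", [(443, 443)]),
    "Safe_ports": ("port", [(80, 80), (21, 21), (443, 443), (70, 70), (210, 210),
                            (1025, 65535), (280, 280), (488, 488), (591, 591), (777, 777)]),
    "CONNECT": ("method", ["CONNECT"]),
    "all": ("src", ["0.0.0.0/0", "::/0"]),
}
# http_access lines as (action, acl, ...): Jeff's order and Amos's suggested order.
ORIGINAL = [("allow", "westhants"), ("allow", "localhost"), ("allow", "westhants-network"),
            ("allow", "manager", "localhost"), ("deny", "!Safe_ports"),
            ("deny", "CONNECT", "!SSL_ports"), ("deny", "all")]
SUGGESTED = [("allow", "manager", "localhost"), ("deny", "!Safe_ports"),
             ("deny", "CONNECT", "!SSL_ports"), ("allow", "localhost"),
             ("allow", "westhants-network", "westhants"), ("deny", "all")]

class NeedCredentials(Exception): pass  # proxy_auth ACL tested without credentials

def acl_matches(acls, name, req):
    negate = name.startswith("!")
    kind, values = acls[name.lstrip("!")]
    if kind == "src":
        hit = any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v) for v in values)
    elif kind == "proto":
        hit = req["proto"] in values
    elif kind == "port":
        hit = any(lo <= req["port"] <= hi for lo, hi in values)
    elif kind == "method":
        hit = req["method"] in values
    else:  # proxy_auth REQUIRED: Squid stops and sends a 407 challenge (step 1b above)
        if not req.get("credentials"):
            raise NeedCredentials(name)
        hit = True
    return hit != negate

def http_access(acls, rules, req):
    """Top-down, left-to-right; the first line whose ACLs all match wins."""
    try:
        for action, *names in rules:
            if all(acl_matches(acls, n, req) for n in names):
                return action
    except NeedCredentials:
        return "407"
    return "deny"  # not reached here: both rule sets end in "deny all"
```

With the original order every request, cachemgr included, hits `allow westhants` first and gets a 407; with the suggested order the cachemgr request matches `allow manager localhost` on line one, and an authenticated LAN client's CONNECT to an unsafe port is now refused instead of allowed.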
Received on Sun May 27 2012 - 10:37:49 MDT