Re: Cachemgr.cgi -- access denied

From: Neil Murray <[email protected]>
Date: Tue, 27 May 1997 19:57:14 +1000

- On Mon, 26 May 1997 squid-users-digest-request@nlanr.net wrote:
-
- >Date: Sat, 24 May 1997 09:20:15 +0800 (HKT)
- >From: Francis Vidal <francis@linux1.usls.edu>
-
- >i had a hard time making cachemgr.cgi work. i installed squid 1.1.9 on my
- >system (linux 2.0.30). here's my squid.conf file:
-
- >---BEGIN squid.conf---
-
- >acl manager proto cache_object
-
- ># Only allow access to the cache manager functions from the local host.
- >http_access deny manager !localhost
-
- This is the line that controls access to your cachemgr.cgi - this means
- only a browser running on the Squid machine which is NOT using the proxy,
- i.e Netscape with proxy options off. (this is important - "localhost"
- means a browser connecting to the localhost interface, and not the
- ethernet/PPP/whathaveyou interface).
- If you want to allow access from another machine, do
-
- acl src machineacl ip.address.of.machine/255.255.255.255
-
- http_access deny manager !machineacl
-
- This will allow a browser from that machine to connect, only if it is NOT
- using the proxy again. It has to connect to port 80 of the squid machine,
- and not 3128 (or whatever port you use).

        This is just plain wrong. You need to allow access for the HTTP server
than runs the cachemgr.cgi program NOT the web browser. Below is the
relevant section lifted from my notes. It covers more than this topic but I
think it will serve here. The key thing is to use the 'client' program it can
be used to debug access permission problems (telnet will also work).

        The problem with getting the cachemgr.cgi working is that if it doesn't
work first time you dont have much to go on as to where the problem is.
Is it squid access rules, the web server, the browser? Generally it is the
squid access rules.

                -------------------------------------
acl
http_access

        - A common request is "How do I stop other people on the internet from
          using my squid cache?". The acls and access rules can allow you to
          do that. Quite complex setups can be achieved though I will only
          detail a simple case.
          First get squid running and your browsers working though it BEFORE
          playing with the acls as they can cause subtle problems so you need
          to know that squid is working before changing things.
          The default acl setup is to be wide open and is below (minus
          comments).

 acl manager proto cache_object
 acl localhost src 127.0.0.1/255.255.255.255
 acl all src 0.0.0.0/0.0.0.0

 acl SSL_ports port 443 563
 acl Dangerous_ports port 7 9 19
 acl CONNECT method CONNECT

 http_access deny manager !localhost
 http_access deny CONNECT !SSL_ports
 http_access deny Dangerous_ports

 http_access allow all

 icp_access allow all

        Assume your IP address range is xxx.yyy.zzz.0 (class C) then you
        define an extra acl like
        
                acl ours src xxx.yyy.zzz.0/255.255.255.0
                acl web_ours src xxx.yyy.zzz.NNN/255.255.255.255

        'web_ours' is one of your web server hosts, this is needed for the
        cachemgr.cgi program (very useful and worth the hassle to setup)
        this doesnot need to be your main web server. You use the acls like
        this.

 acl manager proto cache_object
 acl localhost src 127.0.0.1/255.255.255.255
 acl all src 0.0.0.0/0.0.0.0

 acl SSL_ports port 443 563
 acl Dangerous_ports port 7 9 19
 acl CONNECT method CONNECT

 acl ours src xxx.yyy.zzz.0/255.255.255.0
 acl web_ours src xxx.yyy.zzz.0/255.255.255.255

 http_access deny manager !localhost !web_ours
 http_access deny CONNECT !SSL_ports
 http_access deny Dangerous_ports

 http_access allow localhost
 http_access allow ours
 http_access deny all

 icp_access allow ours
 icp_access deny all

        This denys all access except what you explicitly enable. In this case
        the 'ours' acl of IP addresses.

        If you take the cachemgr.cgi program and put it on a web server in the
        cgi-bin directory or anywhere executables can be run by the web
        server. Make sure your web server has been told that cachemgr.cgi is
        allowed to execute or whatever. Then from your browser try
        "http://<web_ours as listed above>/cgi-bin/cachemgr.cgi" it should
        present you with a screen like below.

 Cache Manager Interface

 This is a WWW interface to the instrumentation interface for the Squid object cache.

 Cache Host:

 Cache Port:

 Password :

 URL :

        Fill in the name of your squid machine and the port, ignore the
        password and click on "submit query". If all goes well then
        you will end up with a screen full of information. If not then
        you will get an "access denied" type message.

        If you get the access denied message you probably have a mistake in
        your acls & http access rules. A simple program that can help you
        to resolve acl problems can be found in /usr/local/squid/bin
        called client (assuming you did a standard configure and install)
        On the proxy machine itself try,

        /usr/local/squid/bin/client -p <squid port> cache_object://a/info

        If it works you should see something like the following

 {
 {Squid Object Cache: Version 1.1.8}
 {Start Time: Thu, 10 Apr 1997 08:20:45 GMT}
 {Current Time: Thu, 10 Apr 1997 10:42:09 GMT}
 {Connection information for squid:}
                ...

        If you get another access denied type message then your acls are
        definitely wrong and you need to fix them before you can have a chance
        of getting the cachemgr.cgi program to work.

                -------------------------------------

        If 'client' on the proxy server works then try 'client' from the web
server machine listed in the acl rules (web_ours in my example).

        client -p <squid port> -h <proxy machine> cache_object://a/info

        Get this working before trying a browser with

        http://<web_ours>/cgi-bin/cachemgr.cgi

        Note: if you arent getting anywhere then add a

                http_access allow all

as the first http_access rule TEMPORARILY and then see if you can access the
monitoring functions. Again use 'client'. If this doesn't work then you need
to sit down and re-check everything including assumptions. If it does work
try
                debug_options ALL,1 28,99

in your squid.conf file this will turn on acl debugging information in your
cache.log file. Wading through all that should pin-point the acl problem you
have.

-- 
Neil Murray                              Email:  Neil.Murray@aone.com.au
Access One Pty. Ltd.                     http://www.aone.net.au/
41 Malcolm Rd., Braeside                 Phone:  +61 3 9239 1444
Victoria, Australia  3195                Fax:    +61 3 9587 3954
Received on Tue May 27 1997 - 03:01:19 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:35:16 MST