[squid-users] squidclient ERR_ACCESS_DENIED

2024-02-27 Thread Andrea Venturoli

Hello.

I'm having trouble accessing cachemgr with squidclient.

As a test, I've added the following to my squid.conf as the first 
http_access line:

http_access manager


(I know this is dangerous and I've removed it after the test).


Opening "http://10.1.2.39:8080/squid-internal-mgr/info" from a client, I 
see all the stats.

However, squidclient still gets an access denied error:

# squidclient -vv -p 8080 -h 10.1.2.39 mgr:info
verbosity level set to 2
Request:
GET http://10.1.2.39:8080/squid-internal-mgr/info HTTP/1.0
Host: 10.1.2.39:8080
User-Agent: squidclient/6.6
Accept: */*
Connection: close


.
Transport detected: IPv4-only
Resolving 10.1.2.39 ...
Connecting... 10.1.2.39 (10.1.2.39:8080)
Connected to: 10.1.2.39 (10.1.2.39:8080)
Sending HTTP request ... 
done.

HTTP/1.1 403 Forbidden
Server: squid
Mime-Version: 1.0
Date: Tue, 27 Feb 2024 15:33:55 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3691
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
Cache-Status: proxy2.ventu;fwd=miss;detail=mismatch
Via: 1.1 proxy2.ventu (squid), 1.1 proxy2.ventu (squid)
Cache-Status: proxy2.ventu;fwd=miss;detail=no-cache
Connection: close


This happens indifferently if I run it on the cache host itself or from 
the same client where the browser works.


In cache.log I see:

2024/02/27 16:34:48 kid1| WARNING: Forwarding loop detected for:
GET /squid-internal-mgr/info HTTP/1.1
Host: proxy2.ventu:8080
User-Agent: squidclient/6.6
Accept: */*
Via: 1.0 proxy2.ventu (squid)
X-Forwarded-For: 10.1.2.18
Cache-Control: max-age=259200
Connection: keep-alive


current master transaction: master2562


Does this mean Squid is connecting to itself as a proxy in order to 
connect to itself?
I removed all "*proxy*" env vars and tried running squidclient again, 
but there was no difference.


Any hint?
Is there a way to get more debugging info from Squid on this?

 bye & Thanks
av.
___
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] squidclient ERR_ACCESS_DENIED

2024-02-27 Thread Alex Rousskov

On 2024-02-27 10:36, Andrea Venturoli wrote:


> I'm having trouble accessing cachemgr with squidclient.


You are suffering from one or several known problems[1,2] related to 
cache manager changes in v6+ code. Without going into complicated 
details, I recommend that you replace deprecated squidclient with curl, 
wget, or another popular client of your choice _and_ then use the URL 
host name (or IP address) and other client configuration parameters that 
"work" in your specific Squid environment. You may need to adjust them 
later, but at least you will have a temporary workaround.


AFAIK[1], a Squid developer is working on improving this ugly situation, 
but that work takes time (and will not resurrect squidclient support in 
future Squid versions).



HTH,

Alex.

[1] https://bugs.squid-cache.org/show_bug.cgi?id=5283
[2] https://lists.squid-cache.org/pipermail/squid-users/2023-August/026023.html




Re: [squid-users] squidclient ERR_ACCESS_DENIED

2024-02-27 Thread Andrea Venturoli

On 2/27/24 18:02, Alex Rousskov wrote:

Hello and thanks for answering.



> You are suffering from one or several known problems[1,2] related to
> cache manager changes in v6+ code. Without going into complicated
> details, I recommend that you replace deprecated squidclient with curl,
> wget, or another popular client of your choice _and_ then use the URL
> host name (or IP address) and other client configuration parameters that
> "work" in your specific Squid environment. You may need to adjust them
> later, but at least you will have a temporary workaround.


I vaguely remembered squidclient deprecation (although I searched for it 
and could not find official info on the site).


WRT to moving to curl/wget/whatever, is there any documentation I can use?

 bye & Thanks
av.


Re: [squid-users] squidclient ERR_ACCESS_DENIED

2024-02-28 Thread Francesco Chemolli
>
>
> I vaguely remembered squidclient deprecation (although I searched for it
> and could not find official info on the site).
>
> WRT to moving to curl/wget/whatever, is there any documentation I can use?
>

Hi Andrea,
  there's https://wiki.squid-cache.org/Features/CacheManager/Index ,
although it could probably be more explicit

-- 
Francesco


Re: [squid-users] squidclient ERR_ACCESS_DENIED

2024-02-28 Thread Andrea Venturoli

On 2/28/24 12:51, Francesco Chemolli wrote:


> Hi Andrea,
>   there's https://wiki.squid-cache.org/Features/CacheManager/Index ,
> although it could probably be more explicit


Hello and thanks.

I had seen that document before posting, but, possibly due to my 
ignorance, I cannot understand how to use it.

For example I see some endpoints listed under the SMP chapter (e.g.
curl http://localhost:8080/squid-internal-mgr/info), but I guess that's 
not a complete list.

Does such a list exist? Where?

I'm in need to purge some objects from the cache and I always used 
something like:

squidclient mgr:objects | grep -i somesite | grep GET | sed "s/.*GET //" | xargs -n 1 squidclient -m PURGE


What could be an equivalent using curl/wget?

 bye & Thanks
av.




Re: [squid-users] squidclient ERR_ACCESS_DENIED

2024-02-28 Thread Francesco Chemolli
On Wed, Feb 28, 2024 at 8:05 PM Andrea Venturoli  wrote:

> On 2/28/24 12:51, Francesco Chemolli wrote:
>
> > Hi Andrea,
> >   there's https://wiki.squid-cache.org/Features/CacheManager/Index ,
> > although it could probably be more explicit
>
> Hello and thanks.
>
> I had seen that document before posting, but, possibly due to my
> ignorance, I cannot understand how to use it.
> For example I see some endpoints listed under the SMP chapter (e.g.
> curl http://localhost:8080/squid-internal-mgr/info), but I guess that's
> not a complete list.
> Does such a list exist? Where?
>
> I'm in need to purge some objects from the cache and I always used
> something like:
> squidclient mgr:objects | grep -i somesite | grep GET | sed "s/.*GET //" | xargs -n 1 squidclient -m PURGE
>

Hi Andrea,
  just replace

squidclient mgr:objects

with

curl --silent --user squid_cachemgr_user:squid_cachemgr_password \
    http://squid.host.name:3128/squid-internal-mgr/objects

(and of course replace port 3128 with whatever port you're using for Squid)
Everything else is the same as previously.

Also, the same applies to all other cachemgr reports:

curl --silent --user squid_cachemgr_user:squid_cachemgr_password \
    http://squid.host.name:3128/squid-internal-mgr/menu

will give you the list of available subpages; replace menu with the subpage
name to access any






-- 
Francesco


Re: [squid-users] squidclient ERR_ACCESS_DENIED

2024-02-28 Thread Alex Rousskov

On 2024-02-28 08:52, Francesco Chemolli wrote:


> just replace
>
> squidclient mgr:objects
>
> with
>
> curl --silent --user squid_cachemgr_user:squid_cachemgr_password \
>     http://squid.host.name:3128/squid-internal-mgr/objects


Neither is required for basic cases, but it is better, IMHO, to use 
--no-progress-meter instead of error-hiding --silent.


One only needs --user when accessing password-protected reports.

The biggest difficulty in this conversion is with guessing what hostname 
a modern Squid will recognize as its own. And the correct guess is 
likely to change when we fix the remaining bugs.



Cheers,

Alex.
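
The squidclient-to-curl conversion discussed in this thread, written out as an added example (it is not code from any poster or from the Squid project). It fetches a cache manager report with curl, extracts the cached GET URLs for one site, and purges them through the proxy. SQUID_HOST, SQUID_PORT and NETRC are assumed names, and the "... GET <url>" line shape is the one the thread's sed expression implies.

```sh
#!/bin/sh
# Added example, not code from the thread. SQUID_HOST, SQUID_PORT and NETRC
# are assumed names; the "... GET <url>" line shape is the one implied by the
# thread's sed expression.
SQUID_HOST="${SQUID_HOST:-squid.host.name}"
SQUID_PORT="${SQUID_PORT:-3128}"

# Fetch one cache manager report: menu, info, objects, ...
#   --fail      a 403 (ERR_ACCESS_DENIED) becomes a non-zero exit status
#               instead of an HTML error page flowing into the filters
#   --noproxy   ignore http_proxy-style variables; talk to Squid directly
#   NETRC       optional netrc file, so the report password is not exposed
#               in the process list the way a --user argument is
mgr_report() {
    set -- "http://${SQUID_HOST}:${SQUID_PORT}/squid-internal-mgr/$1"
    if [ -n "${NETRC:-}" ]; then set -- --netrc-file "$NETRC" "$@"; fi
    curl --no-progress-meter --fail --noproxy '*' "$@"
}

# Read an objects report on stdin; print the unique GET URLs that contain
# the fixed string $1 (case-insensitive). Cached URLs are client-supplied
# text, so only whitespace-free http:// URLs are passed on as arguments.
get_urls() {
    grep -i -F -- "$1" |
        sed -n 's|.*GET \(http://[^[:space:]]*\)$|\1|p' |
        LC_ALL=C sort -u
}

# Send one PURGE request through the proxy for each URL on stdin.
purge_urls() {
    while IFS= read -r url; do
        curl --no-progress-meter --fail --output /dev/null -X PURGE \
            --proxy "http://${SQUID_HOST}:${SQUID_PORT}" "$url" ||
            echo "purge failed: $url" >&2
    done
}

# Typical use: mgr_report objects | get_urls somesite | purge_urls
```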


