[squid-users] GET cache_object://localhost/info on a reverse proxy setup

2008-07-03 Thread David Obando

Dear all,

I'm using Squid as a reverse proxy in a Squid/Pound/Zope/Plone-setup. 
Squid is running on port 80.


I would like to access the cache manager with the munin plugins to 
monitor Squid. The plugins use an HTTP request

"GET cache_object://localhost/info HTTP/1.0".
Standard port 3128 isn't active; when asking port 80 I get a 404 error 
from Zope.


How can I access the cache manager in such a setup?

My squid.conf is:

hierarchy_stoplist cgi-bin ?
#acl QUERY urlpath_regex cgi-bin \?
#no_cache deny QUERY
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern (/cgi-bin/|\?) 0 0% 0
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

# Basic ACLs
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/32
acl ssl_ports port 443 563
acl safe_ports port 8080 80 443
#acl zope_servers src 127.0.0.2 127.0.0.1
acl manager proto cache_object
acl connect method connect

# deny requests to unknown ports
http_access deny !safe_ports
acl accelerated_protocols proto http https
acl accelerated_domains dstdomain lb.xxx.de
acl accelerated_domains dstdomain lb1.xxx.de
acl accelerated_domains dstdomain lb2.xxx.de
acl accelerated_domains dstdomain xxx.de
acl accelerated_domains dstdomain www.xxx.de
acl accelerated_ports myport 80 443
http_access allow accelerated_domains accelerated_ports accelerated_protocols


# Purge access - zope servers can purge but nobody else
acl purge method PURGE
#http_access allow zope_servers purge
http_access deny purge
# Reply access
http_reply_access allow all
# Cache manager setup - cache manager can only connect from localhost
# only allow cache manager access from localhost
http_access allow manager localhost
http_access deny manager
# deny connect to other than ssl ports
http_access deny connect !ssl_ports
# ICP access - anybody can access icp methods
icp_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
coredump_dir /usr/local/squid/cache
http_port 80 defaultsite=www.xxx.de
#http_port 80 defaultsite=lb.xxx.de
#http_port 80
cache_peer 127.0.0.1 parent 8080 0 no-query originserver
#cache_peer 127.0.0.1 parent 8080 0 no-query originserver round-robin
#cache_peer 127.0.0.1 parent 8080 0 no-query
visible_hostname www.xxx.de
cache_mem 2000 MB
maximum_object_size 40960 KB
maximum_object_size_in_memory 100 KB
cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA
cache_dir aufs /var/spool/squid 1 16 256
logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh

access_log /var/log/squid/access.log combined
redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
#redirect_program /etc/squid/redirector.pl
negative_ttl 0 minutes
positive_dns_ttl 60 minutes
negative_dns_ttl 1 minutes


Thanks for your support,
David

--
The day microsoft makes something that doesn't suck is the day they start 
making vacuum cleaners.
gpg --keyserver pgp.mit.edu --recv-keys 1920BD87
Key fingerprint = 3326 32CE 888B DFF1 DED3  B8D2 105F 29CB 1920 BD87



Re: [squid-users] GET cache_object://localhost/info on a reverse proxy setup

2008-07-03 Thread Henrik Nordstrom
On Thu, 2008-07-03 at 17:01 +0200, David Obando wrote:
> Dear all,
> 
> I'm using Squid as a reverse proxy in a Squid/Pound/Zope/Plone-setup. 
> Squid is running on port 80.
> 
> I would like to access the cache manager with the munin plugins to 
> monitor Squid. The plugins use a HTTP request
> "GET cache_object://localhost/info HTTP/1.0".
> Standard port 3128 isn't active, when asking port 80 I get a 404-error 
> from zope.
> 
> How can I access the cache manager in such a setup?

Are you sending the query to Squid, or directly to Zope?

What I usually do in reverse proxy setups is to set up a normal 3128
listening port on loopback for cachemgr and squidclient to use.

http_port 127.0.0.1:3128

Regards
Henrik




Re: [squid-users] GET cache_object://localhost/info on a reverse proxy setup

2008-07-07 Thread David Obando

Hi,

thanks for the hint, I added

http_port 127.0.0.1:3128

to my config. Now I can access port 3128 with telnet or squidclient, but 
receive an "access denied":


/var/log/squid/access.log:
127.0.0.1 - - [07/Jul/2008:10:16:43 +0200] "GET cache_object://localhost/info HTTP/1.0" 403 1430 "-" "-" TCP_DENIED:NONE



Regards,
David



Henrik Nordstrom wrote on 04.07.2008 01:22:
> On Thu, 2008-07-03 at 17:01 +0200, David Obando wrote:
>> Dear all,
>>
>> I'm using Squid as a reverse proxy in a Squid/Pound/Zope/Plone-setup. 
>> Squid is running on port 80.
>>
>> I would like to access the cache manager with the munin plugins to 
>> monitor Squid. The plugins use a HTTP request
>> "GET cache_object://localhost/info HTTP/1.0".
>> Standard port 3128 isn't active, when asking port 80 I get a 404-error 
>> from zope.
>>
>> How can I access the cache manager in such a setup?
>
> Are you sending the query to Squid, or directly to Zope?
>
> What I usually do in reverse proxy setups is to set up a normal 3128
> listening port on loopback for cachemgr and squidclient to use.
>
> http_port 127.0.0.1:3128
>
> Regards
> Henrik





Re: [squid-users] GET cache_object://localhost/info on a reverse proxy setup

2008-07-07 Thread Henrik Nordstrom
On Mon, 2008-07-07 at 10:19 +0200, David Obando wrote:
> Hi,
> 
> thanks for the hint, I added
> 
> http_port 127.0.0.1:3128
> 
> to my config. Now I can access port 3128 with telnet or squidclient, but 
> receive an "access denied":
> 
> /var/log/squid/access.log:
> 127.0.0.1 - - [07/Jul/2008:10:16:43 +0200] "GET 
> cache_object://localhost/info HTTP/1.0" 403 1430 "-" "-" TCP_DENIED:NONE

You probably aren't allowing localhost access to the manager functions..

There are rules to allow this in the standard squid.conf installed when
you install Squid, but..

Regards
Henrik




Re: [squid-users] GET cache_object://localhost/info on a reverse proxy setup

2008-07-07 Thread David Obando

Hi,

I found out, I had to configure an acl in squidGuard.conf:


dbhome /var/lib/squidguard/db
logdir /var/log/squid

#
# DESTINATION CLASSES:
#

src local {
   ip  127.0.0.1
}

dest good {
}

dest local {
}

acl {
   local {
   pass all
   }

   default {
   redirect http://localhost:8080/VirtualHostBase/http/www.xyz.de:80/VirtualHostRoot/%p
   }
}




Thanks!
David

Henrik Nordstrom wrote on 07.07.2008 14:03:
> On Mon, 2008-07-07 at 10:19 +0200, David Obando wrote:
>> Hi,
>>
>> thanks for the hint, I added
>>
>> http_port 127.0.0.1:3128
>>
>> to my config. Now I can access port 3128 with telnet or squidclient, but 
>> receive an "access denied":
>>
>> /var/log/squid/access.log:
>> 127.0.0.1 - - [07/Jul/2008:10:16:43 +0200] "GET 
>> cache_object://localhost/info HTTP/1.0" 403 1430 "-" "-" TCP_DENIED:NONE
>
> You probably aren't allowing localhost access to the manager functions..
>
> there is rules to allow this in the standard squid.conf installed when
> you install Squid, but..
>
> Regards
> Henrik






Re: [squid-users] GET cache_object://localhost/info on a reverse proxy setup

2008-07-07 Thread Henrik Nordstrom
Oh, you are using a url rewriter..

I would do it differently.

url_rewrite_access deny manager

this way you can still use squidclient on your published URLs and have
Squid react like expected on them, including URL rewrites...

On Mon, 2008-07-07 at 14:25 +0200, David Obando wrote:
> Hi,
> 
> I found out, I had to configure an acl in squidGuard.conf:
> 
> 
> dbhome /var/lib/squidguard/db
> logdir /var/log/squid
> 
> #
> # DESTINATION CLASSES:
> #
> 
> src local {
> ip  127.0.0.1
> }
> 
> dest good {
> }
> 
> dest local {
> }
> 
> acl {
> local {
> pass all
> }
> 
> default {
> redirect http://localhost:8080/VirtualHostBase/http/www.xyz.de:80/VirtualHostRoot/%p
> }
> }
> 
> 
> 
> 
> Thanks!
> David
> 
> Henrik Nordstrom wrote on 07.07.2008 14:03:
> > On Mon, 2008-07-07 at 10:19 +0200, David Obando wrote:
> >   
> >> Hi,
> >>
> >> thanks for the hint, I added
> >>
> >> http_port 127.0.0.1:3128
> >>
> >> to my config. Now I can access port 3128 with telnet or squidclient, but 
> >> receive an "access denied":
> >>
> >> /var/log/squid/access.log:
> >> 127.0.0.1 - - [07/Jul/2008:10:16:43 +0200] "GET 
> >> cache_object://localhost/info HTTP/1.0" 403 1430 "-" "-" TCP_DENIED:NONE
> >> 
> >
> > You probably aren't allowing localhost access to the manager functions..
> >
> > there is rules to allow this in the standard squid.conf installed when
> > you install Squid, but..
> >
> > Regards
> > Henrik
> >   
> 
> 
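
Added example, not part of the thread and not Squid or munin code: a log check for the `combined` format posted above that sorts cache manager (`cache_object://`) requests by source and outcome, so a denied local request like the one in the thread is told apart from manager requests arriving from off-host. The function names, verdict labels and sample lines are assumptions made for illustration; all lines except the first are constructed.

```python
import ipaddress
import re

# The thread's "combined" logformat, one request per line:
# %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "Referer" "User-Agent" %Ss:%Sh
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?:\d+|-) "[^"]*" "[^"]*" '
    r'(?P<result>[A-Z_]+):\S+$'
)

def classify(line):
    """Verdict for one log line; None if it is not a cache manager request."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return "unparsed"
    if not m["url"].lower().startswith("cache_object://"):
        return None
    try:
        loopback = ipaddress.ip_address(m["client"]).is_loopback
    except ValueError:  # a hostname was logged instead of an address
        loopback = False
    denied = "DENIED" in m["result"] or m["status"] == "403"
    if loopback:
        return "local-denied" if denied else "local-ok"
    return "remote-denied" if denied else "remote-allowed"

def summarize(lines):
    """Count verdicts and collect manager requests that came from off-host."""
    counts, alerts = {}, []
    for line in lines:
        verdict = classify(line)
        if verdict is None:
            continue
        counts[verdict] = counts.get(verdict, 0) + 1
        if verdict.startswith("remote-"):
            alerts.append((verdict, line.strip()))
    return counts, alerts

# Constructed sample: line 1 mirrors the denied request quoted in the thread.
SAMPLE = [
    '127.0.0.1 - - [07/Jul/2008:10:16:43 +0200] "GET cache_object://localhost/info HTTP/1.0" 403 1430 "-" "-" TCP_DENIED:NONE',
    '127.0.0.1 - - [07/Jul/2008:14:30:02 +0200] "GET cache_object://localhost/info HTTP/1.0" 200 2210 "-" "-" TCP_MISS:NONE',
    '192.0.2.10 - - [07/Jul/2008:14:31:10 +0200] "GET cache_object://www.xxx.de/info HTTP/1.0" 403 1430 "-" "-" TCP_DENIED:NONE',
    '192.0.2.10 - - [07/Jul/2008:14:31:12 +0200] "GET cache_object://www.xxx.de/info HTTP/1.0" 200 2210 "-" "-" TCP_MISS:NONE',
    '198.51.100.7 - - [07/Jul/2008:14:32:00 +0200] "GET http://www.xxx.de/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0" TCP_HIT:NONE',
]
```

A `remote-allowed` verdict means the `http_access allow manager localhost` / `http_access deny manager` pair is not taking effect for that request and the ACL order should be reviewed; `local-denied` is the symptom discussed in the thread.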

