Re: [squid-users] Cache Manager showing choke value
On 18/02/2013 7:42 p.m., Sokvantha YOUK wrote:
> Dear All,
>
> I am having squid 3.3.1-20130213-r12492 running on CentOS 6.3 x64. I
> enable SMP with three worker on this squid server.
>
> I am getting strange negative number from cachemgr.cgi at Cache
> information for squid:
>
> Hits as % of bytes sent: 5min: 9.3%, 60min: *-634.1%*
>
> Would you advise me why I am getting this negative value?

That would be a math bug somewhere.

Amos
[squid-users] Cache Manager showing choke value
Dear All,

I am having squid 3.3.1-20130213-r12492 running on CentOS 6.3 x64. I enable SMP with three worker on this squid server.

I am getting strange negative number from cachemgr.cgi at Cache information for squid:

Hits as % of bytes sent: 5min: 9.3%, 60min: *-634.1%*

Would you advise me why I am getting this negative value?

--
Regards,
YOUK Sokvantha
Tell: (855) 89896589
email: sokvan...@gmail.com
RE: [squid-users] Cache Manager working on Apache server as ICP sibling
Thanks Amos and Eliezer,

Again as mentioned, our Squid is somewhat customized to check for an HDD content aka "local Squid sibling", so our configuration is a bit special.

Regardless to update you, we have just got a working solution, in which we "redefine" our local sibling to behave as a parent for cgi content ONLY via cache_peer_access directive.

Best regards,
Andrew

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Friday, September 21, 2012 9:04 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Cache Manager working on Apache server as ICP sibling

On 22/09/2012 6:51 a.m., Eliezer Croitoru wrote:
> On 9/21/2012 10:23 AM, Amos Jeffries wrote:
>> Apache is not a server which can maintain a proxy cache. Why are you
>> making it a sibling (potential alternative *cache*) instead of a
>> parent (potential data *source*)?
>>
>> Amos
> Because some people think it gives them what they need.
>

Which is why I asked "why", to figure out if they were mistaken or if that is a missing feature.

Amos
Re: [squid-users] Cache Manager working on Apache server as ICP sibling
On 9/22/2012 4:04 AM, Amos Jeffries wrote:
> Which is why I asked "why", to figure out if they were mistaken or if
> that is a missing feature.
>
> Amos

I think that they have the option to manage the files\cache or either scripts that cannot be done in squid the same way.
I do remember that squid can serve static files but it's still lacking some more advanced features that a web server has.

Eliezer

--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer ngtech.co.il
Re: [squid-users] Cache Manager working on Apache server as ICP sibling
On 22/09/2012 6:51 a.m., Eliezer Croitoru wrote:
> On 9/21/2012 10:23 AM, Amos Jeffries wrote:
>> Apache is not a server which can maintain a proxy cache. Why are you
>> making it a sibling (potential alternative *cache*) instead of a
>> parent (potential data *source*)?
>>
>> Amos
> Because some people think it gives them what they need.

Which is why I asked "why", to figure out if they were mistaken or if that is a missing feature.

Amos
Re: [squid-users] Cache Manager working on Apache server as ICP sibling
On 9/21/2012 10:23 AM, Amos Jeffries wrote:
> Apache is not a server which can maintain a proxy cache. Why are you
> making it a sibling (potential alternative *cache*) instead of a
> parent (potential data *source*)?
>
> Amos

Because some people think it gives them what they need.

Eliezer

--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer ngtech.co.il
RE: [squid-users] Cache Manager working on Apache server as ICP sibling
Thanks Amos,

Our system is a custom product design with some special requirements, so we ended up with such a configuration and a somewhat customized Squid.
We thought that perhaps some easy way around might be available but at the end this is not a very critical issue for us.

Andrew

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Friday, September 21, 2012 3:24 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Cache Manager working on Apache server as ICP sibling

On 21/09/2012 3:33 a.m., Andrew Krupiczka wrote:
> Thanks,
>
> To be more precise my Apache server peer is configured as:
> cache_peer 127.0.0.1 sibling 1114 3130 no-digest originserver
>
> The Cache Manager only works after adding the following line:
> neighbor_type_domain 127.0.0.1 parent AKDME7071BCE29DE9
>
> which "transforms" my sibling peer into the parent peer which we don't
> want to do.

Apache is not a server which can maintain a proxy cache. Why are you making it a sibling (potential alternative *cache*) instead of a parent (potential data *source*)?

Amos
Re: [squid-users] Cache Manager working on Apache server as ICP sibling
On 21/09/2012 3:33 a.m., Andrew Krupiczka wrote:
> Thanks,
>
> To be more precise my Apache server peer is configured as:
> cache_peer 127.0.0.1 sibling 1114 3130 no-digest originserver
>
> The Cache Manager only works after adding the following line:
> neighbor_type_domain 127.0.0.1 parent AKDME7071BCE29DE9
>
> which "transforms" my sibling peer into the parent peer which we don't
> want to do.

Apache is not a server which can maintain a proxy cache. Why are you making it a sibling (potential alternative *cache*) instead of a parent (potential data *source*)?

Amos
RE: [squid-users] Cache Manager working on Apache server as ICP sibling
Thanks,

To be more precise my Apache server peer is configured as:
cache_peer 127.0.0.1 sibling 1114 3130 no-digest originserver

The Cache Manager only works after adding the following line:
neighbor_type_domain 127.0.0.1 parent AKDME7071BCE29DE9

which "transforms" my sibling peer into the parent peer which we don't want to do.

Andrew

-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Wednesday, September 19, 2012 11:19 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Cache Manager working on Apache server as ICP sibling

On 20/09/2012 7:46 a.m., Eliezer Croitoru wrote:
> On 9/19/2012 10:26 PM, Andrew Krupiczka wrote:
>> In our product we're running the Squid 2.7 and Apache http server on
>> a single machine.
>> The Apache server can originate a content and is configured as
>> Squid's cache_peer sibling to be queried via ICP.
>> We can run the Cache Manager script and access it, if the Apache
>> server is reconfigured as parent but are unsuccessful otherwise.
>> Do you think is that possibility at all?
>> Thanks,
> Siblings by default aren't queried for content unless you define a
> never_direct allow acl on the url of cachemgr.
>
> what problem are you getting while trying to fetch cachemgr?
> In any case I think that fetching cache mgr through the squid from the
> apache is a bad idea.

No more good or bad than any other website. cachemgr.cgi is just a web page script after all.

The key thing is that Apache is an *origin*, not a sibling. Origins are configured in Squid-2.7 as a parent with "originserver" flag.

Amos
Re: [squid-users] Cache Manager working on Apache server as ICP sibling
On 20/09/2012 7:46 a.m., Eliezer Croitoru wrote:
> On 9/19/2012 10:26 PM, Andrew Krupiczka wrote:
>> In our product we're running the Squid 2.7 and Apache http server on
>> a single machine.
>> The Apache server can originate a content and is configured as
>> Squid's cache_peer sibling to be queried via ICP.
>> We can run the Cache Manager script and access it, if the Apache
>> server is reconfigured as parent but are unsuccessful otherwise.
>> Do you think is that possibility at all?
>> Thanks,
> Siblings by default aren't queried for content unless you define a
> never_direct allow acl on the url of cachemgr.
>
> what problem are you getting while trying to fetch cachemgr?
> In any case I think that fetching cache mgr through the squid from the
> apache is a bad idea.

No more good or bad than any other website. cachemgr.cgi is just a web page script after all.

The key thing is that Apache is an *origin*, not a sibling. Origins are configured in Squid-2.7 as a parent with "originserver" flag.

Amos
Re: [squid-users] Cache Manager working on Apache server as ICP sibling
On 9/19/2012 10:26 PM, Andrew Krupiczka wrote:
> In our product we're running the Squid 2.7 and Apache http server on
> a single machine.
> The Apache server can originate a content and is configured as
> Squid's cache_peer sibling to be queried via ICP.
> We can run the Cache Manager script and access it, if the Apache
> server is reconfigured as parent but are unsuccessful otherwise.
> Do you think is that possibility at all?
> Thanks,

Siblings by default aren't queried for content unless you define a never_direct allow acl on the url of cachemgr.

what problem are you getting while trying to fetch cachemgr?
In any case I think that fetching cache mgr through the squid from the apache is a bad idea.
If you want to enforce Access restrictions on the apache use firewall or over SSH.

Regards,
Eliezer

--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer ngtech.co.il
[squid-users] Cache Manager working on Apache server as ICP sibling
Hi,

In our product we're running the Squid 2.7 and Apache http server on a single machine.
The Apache server can originate a content and is configured as Squid's cache_peer sibling to be queried via ICP.
We can run the Cache Manager script and access it, if the Apache server is reconfigured as parent but are unsuccessful otherwise.
Do you think is that possibility at all?

Thanks,
Andrew
Re: [squid-users] cache manager
Mon 2010-02-22 at 12:04 +0100, David C. Heitmann wrote:
> how can i configure my cachemanager with a user and a pass?

It's only configured with a password set in squid.conf, and user name only used for logging/audit purposes.

Alternatively you can protect the cachemgr functions with basic authentication, also set in squid.conf.

Regards
Henrik
[squid-users] cache manager
Give your clients a boost

Edit your /etc/hosts file to add all LAN & external hosts you plan to login from. This is optional but will give you a faster connection.

/etc/hosts:
127.0.0.1 Linkstation localhost <= should be there already
192.168.0.100 MyPc1
192.168.0.101 MyPc2
...

Allow your IP address

The file you need to modify is /etc/webmin/miniserv.conf, in particular the allow= or deny= lines. If the allow= line exists, it contains a list of all addresses and networks that are allowed to connect to Webmin. Similarly, the deny= line contains addresses that are not allowed to connect.
After modifying this file, you need to run /etc/webmin/stop ; /etc/webmin/start for the changes to take effect. Naturally, the file can only be edited by the root user.

Example: allow=0.0.0.0

my config:

/etc/hosts
127.0.0.1 localhost
192.168.10.25 mypcname

/etc/webmin/miniserv.conf
allow=192.168.10.25
or tested
allow=0.0.0.0

I can't connect over the network, only localhost!
can somebody help me please?!

thanks dave

I AM A WINDOWS XP USER, with MAC works?? can i connect via windows

THANKS
[squid-users] cache manager
Give your clients a boost

Edit your /etc/hosts file to add all LAN & external hosts you plan to login from. This is optional but will give you a faster connection.

/etc/hosts:
127.0.0.1 Linkstation localhost <= should be there already
192.168.0.100 MyPc1
192.168.0.101 MyPc2
...

Allow your IP address

The file you need to modify is /etc/webmin/miniserv.conf, in particular the allow= or deny= lines. If the allow= line exists, it contains a list of all addresses and networks that are allowed to connect to Webmin. Similarly, the deny= line contains addresses that are not allowed to connect.
After modifying this file, you need to run /etc/webmin/stop ; /etc/webmin/start for the changes to take effect. Naturally, the file can only be edited by the root user.

Example: allow=0.0.0.0

my config:

/etc/hosts
127.0.0.1 localhost
192.168.10.25 mypcname

/etc/webmin/miniserv.conf
allow=192.168.10.25
or tested
allow=0.0.0.0

I can't connect over the network, only localhost!
can somebody help me please?!

thanks dave
[squid-users] cache manager
how can i configure my cachemanager with a user and a pass?
where are the configfiles or config commands?

thanks dave
RE: [squid-users] Cache manager analysis
On Sun, 21 Feb 2010 11:43:12 +, "J. Webster" wrote:
> Does this look reasonable?

Mostly. I can just see one operational issue remaining...

> I still have the analysis to start with after this point but will use some
> linux tools to help with that...
>
> auth_param basic realm P*r ProxyServer
> auth_param basic credentialsttl 2 hours
> auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
> authenticate_cache_garbage_interval 1 hour
> authenticate_ip_ttl 2 hours
> #acl all src 0.0.0.0/0.0.0.0
> acl all src all
> acl manager proto cache_object
> acl localhost src 127.0.0.1
> acl cacheadmin src 88.xxx.xxx.xxx 127.0.0.1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 1863 # MSN messenger
> acl ncsa_users proxy_auth REQUIRED
> acl maxuser max_user_ip -s 2
> acl CONNECT method CONNECT
> http_access allow manager cacheadmin
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny to_localhost
> http_access deny manager
> http_access allow ncsa_users
> http_access deny maxuser

Um, the maxuser test will not be used yet, because any user who logs in will be accepted by the ncsa_users line.

What I'd do here is combine the two:

http_access allow !maxuser ncsa_users

or if that does not work:

http_access allow ncsa_users !maxuser
http_access deny !ncsa_users

> http_access deny all
> icp_access allow all
> http_port 8080
> http_port 88.xxx.xxx.xxx:80
> hierarchy_stoplist cgi-bin ?
> cache_mem 256MB
> maximum_object_size_in_memory 50 KB
> cache_replacement_policy heap LFUDA
> cache_dir aufs /var/spool/squid 4 16 256
> maximum_object_size 50 MB
> cache_swap_low 90
> cache_swap_high 95
> access_log /var/log/squid/access.log squid
> cache_log /var/log/squid/cache.log
> buffered_logs on
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> quick_abort_min 0 KB
> quick_abort_max 0 KB
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> half_closed_clients off
> cache_mgr ***'***.com
> cachemgr_passwd all
> visible_hostname P*r ProxyServer
> log_icp_queries off
> dns_nameservers 208.67.222.222 208.67.220.220
> hosts_file /etc/hosts
> memory_pools off
> forwarded_for off
> client_db off
> coredump_dir /var/spool/squid
>
>>
>>> From: webster_j...@hotmail.com
>>> To: squ...@treenet.co.nz; squid-users@squid-cache.org
>>> Date: Sat, 13 Feb 2010 16:35:29 +
>>> Subject: RE: [squid-users] Cache manager analysis
>>>
>>>
>>> Thanks.
>>> A few questions on this:
>>> (a) when you said this all src all is that meant to be acl src all?
>>> (b) Hint 2: if possible, define an ACL or the network ranges where you
>>> accept logins. Use it like so
>>> The logins are accepted from IP addresses that I never know, it is an
>>> external proxy server for geo location so not sure I can do this? logins
>>> will only ever be directed to the 88.xxx.xxx.xxx server though?
>>> (c) cache_mem 100 MB
>>> Bump this up as high as you can go without risking memory swapping.
>>> Objects served from RAM are 100x faster than objects not.
>>> Where can I view if memory swapping is happening?
>>> (D) maximum_object_size 50 MB
>>> Bump this up too. Holding full ISO CDs and windows service packs can
>>> boost performance when one is used from the cache. 40GB of disk can
>>> store a few.
>>> If I increase this, will the server ever try to store streamed video? I
>>> had an efficiency problem with the original configuration that came with
>>> squid, which meant that streamed video was buffering constantly. Not
>>> sure what caused it but with the current config it does not do that.
>>> If I increase the cache_mem and max object size do I also need to
>>> increase this?
>>> maximum_object_size_in_memory 50 KB
>>> (E)
>>> cache_swap_low 90
>>> ca
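
The rule-ordering point in the reply above, as an added example that is not part of the original thread: a simplified first-match evaluator run over the posted http_access lines and over the two replacements Amos suggests. It assumes every ACL can be reduced to a precomputed boolean per request (real Squid evaluates ACLs lazily and proxy_auth may answer with a 407 challenge); the sample requests and all function names are constructed for illustration.

```python
# Added example. Simplified model: each ACL is a precomputed boolean per
# request. Tokens on one http_access line are ANDed; the first line whose
# tokens all match decides the request.

POSTED = """
http_access allow manager cacheadmin
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access deny manager
http_access allow ncsa_users
http_access deny maxuser
http_access deny all
"""

PAIR = "http_access allow ncsa_users\nhttp_access deny maxuser\n"

# First suggestion from the reply: one combined line replaces the pair.
COMBINED = POSTED.replace(PAIR, "http_access allow !maxuser ncsa_users\n")

# Fallback suggestion from the reply.
FALLBACK = POSTED.replace(
    PAIR,
    "http_access allow ncsa_users !maxuser\nhttp_access deny !ncsa_users\n",
)


def parse_rules(conf):
    """Turn 'http_access allow|deny acl [!acl ...]' lines into tuples."""
    rules = []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "http_access" \
                and parts[1] in ("allow", "deny"):
            rules.append((parts[1], parts[2:]))
    return rules


def acl_matches(token, request):
    """A '!' prefix inverts the ACL; ACLs missing from the request are false."""
    negated = token.startswith("!")
    return bool(request.get(token.lstrip("!"), False)) != negated


def evaluate(conf, request):
    """Return (action, deciding line) using first-match-wins semantics."""
    rules = parse_rules(conf)
    for action, acls in rules:
        if all(acl_matches(t, request) for t in acls):
            return action, "http_access %s %s" % (action, " ".join(acls))
    if not rules:
        return "deny", "(no http_access lines)"
    # With no match, the default is the opposite of the last line's action.
    opposite = "deny" if rules[-1][0] == "allow" else "allow"
    return opposite, "(implicit default)"


def request(**acls):
    """Constructed request: 'all' always matches, port assumed safe."""
    base = {"all": True, "Safe_ports": True}
    base.update(acls)
    return base


# Constructed sample requests. maxuser implies ncsa_users because
# max_user_ip can only be checked for a user who has logged in.
SAMPLES = {
    "logged in, within IP limit": request(ncsa_users=True),
    "logged in, over IP limit": request(ncsa_users=True, maxuser=True),
    "no credentials": request(),
    "cachemgr, non-admin source": request(manager=True, ncsa_users=True),
    "cachemgr, admin source": request(manager=True, cacheadmin=True),
}


def deciding_lines(conf):
    """Set of lines that decided at least one sample request."""
    return {evaluate(conf, r)[1] for r in SAMPLES.values()}


if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("combined", COMBINED),
                       ("fallback", FALLBACK)):
        print(name)
        for label, req in SAMPLES.items():
            action, line = evaluate(conf, req)
            print("  %-28s %-5s via %s" % (label, action, line))
```

With the posted order the over-limit user is allowed by the ncsa_users line and the maxuser line never decides any request; with either replacement that user falls through to "deny all".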
RE: [squid-users] Cache manager analysis
Does this look reasonable?
I still have the analysis to start with after this point but will use some linux tools to help with that...

auth_param basic realm P*r ProxyServer
auth_param basic credentialsttl 2 hours
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
authenticate_cache_garbage_interval 1 hour
authenticate_ip_ttl 2 hours
#acl all src 0.0.0.0/0.0.0.0
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1
acl cacheadmin src 88.xxx.xxx.xxx 127.0.0.1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 1863 # MSN messenger
acl ncsa_users proxy_auth REQUIRED
acl maxuser max_user_ip -s 2
acl CONNECT method CONNECT
http_access allow manager cacheadmin
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access deny manager
http_access allow ncsa_users
http_access deny maxuser
http_access deny all
icp_access allow all
http_port 8080
http_port 88.xxx.xxx.xxx:80
hierarchy_stoplist cgi-bin ?
cache_mem 256MB
maximum_object_size_in_memory 50 KB
cache_replacement_policy heap LFUDA
cache_dir aufs /var/spool/squid 4 16 256
maximum_object_size 50 MB
cache_swap_low 90
cache_swap_high 95
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
buffered_logs on
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
quick_abort_min 0 KB
quick_abort_max 0 KB
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
half_closed_clients off
cache_mgr ***'***.com
cachemgr_passwd all
visible_hostname P*r ProxyServer
log_icp_queries off
dns_nameservers 208.67.222.222 208.67.220.220
hosts_file /etc/hosts
memory_pools off
forwarded_for off
client_db off
coredump_dir /var/spool/squid

>
>> From: webster_j...@hotmail.com
>> To: squ...@treenet.co.nz; squid-users@squid-cache.org
>> Date: Sat, 13 Feb 2010 16:35:29 +0000
>> Subject: RE: [squid-users] Cache manager analysis
>>
>>
>> Thanks.
>> A few questions on this:
>> (a) when you said this all src all is that meant to be acl src all?
>> (b) Hint 2: if possible, define an ACL or the network ranges where you
>> accept logins. Use it like so
>> The logins are accepted from IP addresses that I never know, it is an
>> external proxy server for geo location so not sure I can do this? logins
>> will only ever be directed to the 88.xxx.xxx.xxx server though?
>> (c) cache_mem 100 MB
>> Bump this up as high as you can go without risking memory swapping.
>> Objects served from RAM are 100x faster than objects not.
>> Where can I view if memory swapping is happening?
>> (D) maximum_object_size 50 MB
>> Bump this up too. Holding full ISO CDs and windows service packs can
>> boost performance when one is used from the cache. 40GB of disk can
>> store a few.
>> If I increase this, will the server ever try to store streamed video? I had
>> an efficiency problem with the original configuration that came with squid,
>> which meant that streamed video was buffering constantly. Not sure what
>> caused it but with the current config it does not do that.
>> If I increase the cache_mem and max object size do I also need to increase
>> this?
>> maximum_object_size_in_memory 50 KB
>> (E)
>> cache_swap_low 90
>> cache_swap_high 95
>> access_log /var/log/squid/access.log squid
>> cache_log /var/log/squid/cache.log
>> buffered_logs on
>> acl QUERY urlpath_regex cgi-bin \?
>> cache deny QUERY
>>
>> Drop the QUERY bits above. It's more than halving the things your Squid can
>> store.
>> Remove the acl and the cache deny?
>> At present, does this stop the cache from storing anything with a ?, ie
>> dynamic pages?
>> What if the same request is made for a dynamic page, will it retrieve it from
>> the cache (old page) rather than fetch the new dynamic content?
>>
>> current conf redone below:
>>
>> auth_param basic realm Proxy server
>> auth_param basic credentialsttl 2 hours
>> auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
>&
RE: [squid-users] Cache manager analysis
Does this look reasonable?

auth_param basic realm P*r ProxyServer
auth_param basic credentialsttl 2 hours
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
authenticate_cache_garbage_interval 1 hour
authenticate_ip_ttl 2 hours
#acl all src 0.0.0.0/0.0.0.0
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1
acl cacheadmin src 88.xxx.xxx.xxx 127.0.0.1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 1863 # MSN messenger
acl ncsa_users proxy_auth REQUIRED
acl maxuser max_user_ip -s 2
acl CONNECT method CONNECT
http_access allow manager cacheadmin
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access deny manager
http_access allow ncsa_users
http_access deny maxuser
http_access deny all
icp_access allow all
http_port 8080
http_port 88.xxx.xxx.xxx:80
hierarchy_stoplist cgi-bin ?
cache_mem 256MB
maximum_object_size_in_memory 50 KB
cache_replacement_policy heap LFUDA
cache_dir aufs /var/spool/squid 4 16 256
maximum_object_size 50 MB
cache_swap_low 90
cache_swap_high 95
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
buffered_logs on
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
quick_abort_min 0 KB
quick_abort_max 0 KB
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
half_closed_clients off
cache_mgr ***'***.com
cachemgr_passwd all
visible_hostname P*r ProxyServer
log_icp_queries off
dns_nameservers 208.67.222.222 208.67.220.220
hosts_file /etc/hosts
memory_pools off
forwarded_for off
client_db off
coredump_dir /var/spool/squid

> From: webster_j...@hotmail.com
> To: squ...@treenet.co.nz; squid-users@squid-cache.org
> Date: Sat, 13 Feb 2010 16:35:29 +
> Subject: RE: [squid-users] Cache manager analysis
>
>
> Thanks.
> A few questions on this:
> (a) when you said this all src all is that meant to be acl src all?
> (b) Hint 2: if possible, define an ACL or the network ranges where you accept
> logins. Use it like so
> The logins are accepted from IP addresses that I never know, it is an
> external proxy server for geo location so not sure I can do this? logins will
> only ever be directed to the 88.xxx.xxx.xxx server though?
> (c) cache_mem 100 MB
> Bump this up as high as you can go without risking memory swapping.
> Objects served from RAM are 100x faster than objects not.
> Where can I view if memory swapping is happening?
> (D) maximum_object_size 50 MB
> Bump this up too. Holding full ISO CDs and windows service packs can
> boost performance when one is used from the cache. 40GB of disk can
> store a few.
> If I increase this, will the server ever try to store streamed video? I
> had an efficiency problem with the original configuration that came with
> squid, which meant that streamed video was buffering constantly. Not sure
> what caused it but with the current config it does not do that.
> If I increase the cache_mem and max object size do I also need to increase
> this?
> maximum_object_size_in_memory 50 KB
> (E)
> cache_swap_low 90
> cache_swap_high 95
> access_log /var/log/squid/access.log squid
> cache_log /var/log/squid/cache.log
> buffered_logs on
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
>
> Drop the QUERY bits above. It's more than halving the things your Squid can
> store.
> Remove the acl and the cache deny?
> At present, does this stop the cache from storing anything with a ?, ie
> dynamic pages?
> What if the same request is made for a dynamic page, will it retrieve it from
> the cache (old page) rather than fetch the new dynamic content?
>
> current conf redone below:
>
> auth_param basic realm Proxy server
> auth_param basic credentialsttl 2 hours
> auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
> authenticate_cache_garbage_interval 1 hour
> authenticate_ip_ttl 2 hours
> #acl all src 0.0.0.0/0.0.0.0
> acl src all
> acl manager proto cache_object
> acl localhost src 127.0.0.1
> acl cacheadmin src 88.xxx.xxx.xxx
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
> acl
Re: [squid-users] cache manager access from web
> > On 16.02.10 13:59, Amos Jeffries wrote:
> >> You may (or may not) hit a problem after trying that because the cache
> >> mgr access uses its own protocol cache_object:// not https://. An SSL
> >> tunnel with mgr access going through it should not have that problem
> >> but one never knows.

> On Tue, 16 Feb 2010 14:20:15 +0100, Matus UHLAR - fantomas
> wrote:
> > but it connect to standard HTTP port, right?

On 17.02.10 10:51, Amos Jeffries wrote:
> Yes.

> > I think that the problem itself lies in cachemgr.cgi not being able to
> > connect via SSL

> Yes. This should probably be reported as an enhancement bug so we don't
> forget it.
> CacheMgr is due for a bit more of a cleanup someday, so it would be a
> shame to miss this out.

here it is:

http://bugs.squid-cache.org/show_bug.cgi?id=2862

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I feel like I'm diagonally parked in a parallel universe.
Re: [squid-users] Cache manager analysis
J. Webster wrote:
> Ok - thanks.
> 2.HEAD - has this been included in the CentOS repository yet?

It doesn't look to even be in the CentOSPlus repos.

> I believe CentOS only has 2.6

Using the packaged software is fine if you are willing to accept the compromises that have been made. RHEL 5 is based off of packages that were available when Fedora Core 6 was out (between October 2006 and May 2007). CentOS 5, of course uses the RHEL packages.

If you want performance, (or features, or compatibility) added in newer releases of software (be it Squid, Sendmail, openldap, etc.) you are going to have to compile it yourself.

Chris
Re: [squid-users] cache manager access from web
On Tue, 16 Feb 2010 14:20:15 +0100, Matus UHLAR - fantomas wrote:
>> > On 14.02.10 01:32, J. Webster wrote:
>> >> Would that work with:
>> >> http_access deny manager CONNECT !SSL_ports
>
>> On Mon, 15 Feb 2010 15:32:30 +0100, Matus UHLAR - fantomas
>> wrote:
>> > no, the manager is not fetched by CONNECT request (unless something is
>> > broken).
>> >
>> > you need https_port directive and acl of type "myport", then allow
>> > manager only on the https port. that should work.
>> >
>> > note that you should access manager directly not using the proxy.
>
> On 16.02.10 13:59, Amos Jeffries wrote:
>> You may (or may not) hit a problem after trying that because the cache
>> mgr
>> access uses its own protocol
>> cache_object:// not https://. An SSL tunnel with mgr access going through
>> it should not have that problem but one never knows.
>
> but it connect to standard HTTP port, right?

Yes.

>
> I think that the problem itself lies in cachemgr.cgi not being able to
> connect via SSL

Yes. This should probably be reported as an enhancement bug so we don't forget it.
CacheMgr is due for a bit more of a cleanup someday, so it would be a shame to miss this out.

Amos
Re: [squid-users] cache manager access from web
> > On 14.02.10 01:32, J. Webster wrote:
> >> Would that work with:
> >> http_access deny manager CONNECT !SSL_ports

> On Mon, 15 Feb 2010 15:32:30 +0100, Matus UHLAR - fantomas
> wrote:
> > no, the manager is not fetched by CONNECT request (unless something is
> > broken).
> >
> > you need https_port directive and acl of type "myport", then allow
> > manager only on the https port. that should work.
> >
> > note that you should access manager directly not using the proxy.

On 16.02.10 13:59, Amos Jeffries wrote:
> You may (or may not) hit a problem after trying that because the cache mgr
> access uses its own protocol
> cache_object:// not https://. An SSL tunnel with mgr access going through
> it should not have that problem but one never knows.

but it connect to standard HTTP port, right?

I think that the problem itself lies in cachemgr.cgi not being able to connect via SSL

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Windows 2000: 640 MB ought to be enough for anybody
Re: [squid-users] cache manager access from web
J. Webster wrote:
> Would that work with:
> http_access deny manager CONNECT !SSL_ports

No. (The other replies explain why).

To encrypt the requests you need to setup an https_port to receive encrypted traffic, and then some form of SSL tunnel to do the encryption (the tools bundled with Squid do not encrypt or decrypt).

After the above, the http_access rules apply as they would for plain HTTP traffic.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE8 or 3.0.STABLE24
Current Beta Squid 3.1.0.16
Re: [squid-users] cache manager access from web
On Mon, 15 Feb 2010 15:32:30 +0100, Matus UHLAR - fantomas wrote:
> On 14.02.10 01:32, J. Webster wrote:
>> Would that work with:
>> http_access deny manager CONNECT !SSL_ports
>
> no, the manager is not fetched by CONNECT request (unless something is
> broken).
>
> you need https_port directive and acl of type "myport", then allow manager
> only on the https port. that should work.
>
> note that you should access manager directly not using the proxy.
>

You may (or may not) hit a problem after trying that because the cache mgr access uses its own protocol cache_object:// not https://. An SSL tunnel with mgr access going through it should not have that problem but one never knows.

Amos

>>
>> > Date: Sat, 13 Feb 2010 20:58:11 +0100
>> > From: uh...@fantomas.sk
>> > To: squid-users@squid-cache.org
>> > Subject: Re: [squid-users] cache manager access from web
>> >
>> > On 11.02.10 10:46, J. Webster wrote:
>> >> I have changed the config and can now login to the cache manager.
>> >> This was in the conf already:
>> >> http_access deny CONNECT !SSL_ports
>> >>
>> >> So, the issue remains whether allowing password access to the cache
>> >> manager is enough.
>> >> How else can this be made more secure? I guess not if the only way
>> >> for me to access it is through a public IP address.
>> >
>> > I think allowing manager only on https_port should work and help...
Re: [squid-users] cache manager access from web
On 14.02.10 01:32, J. Webster wrote:
> Would that work with:
> http_access deny manager CONNECT !SSL_ports

no, the manager is not fetched by CONNECT request (unless something is broken).

you need https_port directive and acl of type "myport", then allow manager only on the https port. that should work.

note that you should access manager directly not using the proxy.

>
> > Date: Sat, 13 Feb 2010 20:58:11 +0100
> > From: uh...@fantomas.sk
> > To: squid-users@squid-cache.org
> > Subject: Re: [squid-users] cache manager access from web
> >
> > On 11.02.10 10:46, J. Webster wrote:
> >> I have changed the config and can now login to the cache manager.
> >> This was in the conf already:
> >> http_access deny CONNECT !SSL_ports
> >>
> >> So, the issue remains whether allowing password access to the cache
> >> manager is enough.
> >> How else can this be made more secure? I guess not if the only way for me
> >> to access it is through a public IP address.
> >
> > I think allowing manager only on https_port should work and help...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Windows found: (R)emove, (E)rase, (D)elete
RE: [squid-users] Cache manager analysis
Ok - thanks. 2.HEAD - has this been included in the CentOS repository yet? I believe CentOS only has 2.6 So, before I even look at the optimising sections, this gives me a squid.conf of the following (does this look ok?): auth_param basic realm Proxy server auth_param basic credentialsttl 2 hours auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd authenticate_cache_garbage_interval 1 hour authenticate_ip_ttl 2 hours #acl all src 0.0.0.0/0.0.0.0 acl all src all acl manager proto cache_object acl localhost src 127.0.0.1 acl cacheadmin src 88.xxx.xxx.xxx 127.0.0.1 acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl Safe_ports port 1863 # MSN messenger acl ncsa_users proxy_auth REQUIRED acl maxuser max_user_ip -s 2 acl CONNECT method CONNECT #http_access allow manager localhost #IP 127.0.0.1 added to cacheadmin acl above instead http_access allow manager cacheadmin http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access deny to_localhost http_access deny manager http_access allow ncsa_users http_access deny maxuser #http_access allow localhost http_access deny all icp_access allow all http_port 8080 http_port 88.xxx.xxx.xxx:80 hierarchy_stoplist cgi-bin ? #cache_mem 100MB #maybe increase further, check top cache_mem 256MB maximum_object_size_in_memory 50 KB cache_replacement_policy heap LFUDA cache_dir aufs /var/spool/squid 4 16 256 maximum_object_size 50 MB cache_swap_low 90 cache_swap_high 95 access_log /var/log/squid/access.log squid cache_log /var/log/squid/cache.log buffered_logs on #acl QUERY urlpath_regex cgi-bin \? 
#cache deny QUERY refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 quick_abort_min 0 KB quick_abort_max 0 KB acl apache rep_header Server ^Apache broken_vary_encoding allow apache half_closed_clients off cache_mgr a...@aaa.com cachemgr_passwd aaa all visible_hostname ProxyServer log_icp_queries off dns_nameservers 208.67.222.222 208.67.220.220 hosts_file /etc/hosts memory_pools off forwarded_for off client_db off coredump_dir /var/spool/squid > Date: Sat, 13 Feb 2010 18:03:00 +1300 > From: squ...@treenet.co.nz > To: squid-users@squid-cache.org > Subject: Re: [squid-users] Cache manager analysis > > J. Webster wrote: >> What is the best place to start with in cache analysis? >> Would it be cache size, memory object size, IO, etc.? >> I'm looking to optimise the settings for my squid server. > > Step 0) migrate to the latest Squid 2.7 or 3.1 or if possible 2.HEAD > (that one is only nominally beta, it's very stable in reality) > > 1) Start by defining 'optimize' ... are you going to prioritize... > Faster service? > More bandwidth saving? > More client connections? > > 2a) For faster service, look at DNS delays, disk IO delays, maximizing > cacheable objects (dynamic objects etc). > > 2b) For pure bandwidth savings start with a look at object cacheablity. > Check dynamics are being cached, ranges are being fetched in full, etc > > 3) Then profile all the objects stored over a reasonably long period, > looking at size. compare with the age of objects being discarded. > > 3a) tune the storage limits to prioritize the storage locations. giving > priority to RAM, then COSS, then AUFS/diskd. > > 3b) set the storage limits as high as possible to maximize amount of > data stored. anywhere. > > 4) take a good long look at your access controls and in particular the > types speedy/fast/slow. You may get some speed benefits from fixing up > the ordering a bit. 
regex are killers, remote lookups (helpers, or DNS) > are second worst. > (some performance hints below) > > 5) repeat from (2b) as often as possible. concentrate traffic which > seems to logically be storeable but gets a TCP_MISS anyway. > > Objects served from cache lead to faster service ties for those objects, > so the speed vs bandwidth are inter-related somewhat. But there is a > tipping point somewhere where tuning one starts to impact the other. > > >> >> Server: about 220GB available for the cache, I'm only using 4 MB at >> present as in the config below. >> system D2812-A2 >> /0 bus D2812-A2 >> /0/0 memory 110KiB BIOS >> /0/4 p
Re: [squid-users] Cache manager analysis
J. Webster wrote:
> Thanks. A few questions on this:
> (a) when you said this
> all src all
> is that meant to be acl src all?

No. "acl"
acl all src all

> (b) Hint 2: if possible, define an ACL or the network ranges where you accept logins. Use it like so
> The logins are accepted from IP addresses that I never know, it is an external proxy server for geo location so not sure I can do this? logins will only ever be directed to the 88.xxx.xxx.xxx server though?

Oh well. Not possible then.

> (c) cache_mem 100 MB
> Bump this up as high as you can go without risking memory swapping. Objects served from RAM are 100x faster than objects not.
> Where can I view if memory swapping is happening?

Operating system tools to display memory usage. I use "top" on Linux.

> (D) maximum_object_size 50 MB
> Bump this up too. Holding full ISO CDs and windows service packs can boost performance when one is used from the cache. 40GB of disk can store a few.
> If I increase this, will the server ever try to store streamed video? I had an efficiency problem with the original configuration that came with squid, which meant that streamed video was buffering constantly. Not sure what caused it but with the current config it does not do that.
> If I increase the cache_mem and max object size do I also need to increase this?
> maximum_object_size_in_memory 50 KB

Ah, that problem. Okay. Then leave it as well.

> (E) cache_swap_low 90
> cache_swap_high 95
> access_log /var/log/squid/access.log squid
> cache_log /var/log/squid/cache.log
> buffered_logs on
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> Drop the QUERY bits above. It's more than halving the things your Squid can store.
> Remove the acl and the cache deny? At present, does this stop the cache from storing anything with a ?, ie dynamic pages?

Yes _everything_ with ? or cgi-bin in the path. Dynamic or not.

> What if the same request is made for a dynamic page, will it retrieve it from the cache (old page) rather than fetch the new dynamic content?

Dynamic pages that contain correct HTTP controls for safe storage will work according to those controls saving bandwidth. The bad ones will be caught and discarded from cache properly by the new refresh_pattern.

Amos
--
Please be using
 Current Stable Squid 2.7.STABLE8 or 3.0.STABLE24
 Current Beta Squid 3.1.0.16
RE: [squid-users] cache manager access from web
Would that work with:
http_access deny manager CONNECT !SSL_ports

> Date: Sat, 13 Feb 2010 20:58:11 +0100
> From: uh...@fantomas.sk
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] cache manager access from web
>
> On 11.02.10 10:46, J. Webster wrote:
>> I have changed the config and can now login to the cache manager.
>> This was in the conf already:
>> http_access deny CONNECT !SSL_ports
>>
>> So, the issue remains whether allowing password access to the cache manager
>> is enough.
>> How else can this be made more secure? I guess not if the only way for me to
>> access it is through a public IP address.
>
> I think allowing manager only on https_port should work and help...
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> The 3 biggest disasters: Hiroshima 45, Tschernobyl 86, Windows 95
Re: [squid-users] cache manager access from web
On 11.02.10 10:46, J. Webster wrote:
> I have changed the config and can now login to the cache manager.
> This was in the conf already:
> http_access deny CONNECT !SSL_ports
>
> So, the issue remains whether allowing password access to the cache manager
> is enough.
> How else can this be made more secure? I guess not if the only way for me to
> access it is through a public IP address.

I think allowing manager only on https_port should work and help...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The 3 biggest disasters: Hiroshima 45, Tschernobyl 86, Windows 95
RE: [squid-users] Cache manager analysis
Thanks. A few questions on this:

(a) when you said this
all src all
is that meant to be acl src all?

(b) Hint 2: if possible, define an ACL or the network ranges where you accept logins. Use it like so
The logins are accepted from IP addresses that I never know, it is an external proxy server for geo location so not sure I can do this? logins will only ever be directed to the 88.xxx.xxx.xxx server though?

(c) cache_mem 100 MB
Bump this up as high as you can go without risking memory swapping. Objects served from RAM are 100x faster than objects not.
Where can I view if memory swapping is happening?

(D) maximum_object_size 50 MB
Bump this up too. Holding full ISO CDs and windows service packs can boost performance when one is used from the cache. 40GB of disk can store a few.
If I increase this, will the server ever try to store streamed video? I had an efficiency problem with the original configuration that came with squid, which meant that streamed video was buffering constantly. Not sure what caused it but with the current config it does not do that.
If I increase the cache_mem and max object size do I also need to increase this?
maximum_object_size_in_memory 50 KB

(E) cache_swap_low 90
cache_swap_high 95
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
buffered_logs on
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
Drop the QUERY bits above. It's more than halving the things your Squid can store.
Remove the acl and the cache deny? At present, does this stop the cache from storing anything with a ?, ie dynamic pages?
What if the same request is made for a dynamic page, will it retrieve it from the cache (old page) rather than fetch the new dynamic content?
current conf redone below: auth_param basic realm Proxy server auth_param basic credentialsttl 2 hours auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd authenticate_cache_garbage_interval 1 hour authenticate_ip_ttl 2 hours #acl all src 0.0.0.0/0.0.0.0 acl src all acl manager proto cache_object acl localhost src 127.0.0.1 acl cacheadmin src 88.xxx.xxx.xxx acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl Safe_ports port 1863 # MSN messenger acl ncsa_users proxy_auth REQUIRED acl maxuser max_user_ip -s 2 acl CONNECT method CONNECT http_access allow manager localhost http_access allow manager cacheadmin http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access deny to_localhost http_access deny manager http_access allow ncsa_users http_access deny maxuser #http_access allow localhost http_access deny all icp_access allow all http_port 8080 http_port 88.xxx.xxx.xxx:80 hierarchy_stoplist cgi-bin ? cache_mem 100 MB maximum_object_size_in_memory 50 KB cache_replacement_policy heap LFUDA cache_dir aufs /var/spool/squid 4 16 256 maximum_object_size 50 MB cache_swap_low 90 cache_swap_high 95 access_log /var/log/squid/access.log squid cache_log /var/log/squid/cache.log buffered_logs on #acl QUERY urlpath_regex cgi-bin \? #cache deny QUERY refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 
0 20% 4320 quick_abort_min 0 KB quick_abort_max 0 KB acl apache rep_header Server ^Apache broken_vary_encoding allow apache half_closed_clients off cache_mgr a...@aaa.com cachemgr_passwd aaa all visible_hostname ProxyServer log_icp_queries off dns_nameservers 208.67.222.222 208.67.220.220 hosts_file /etc/hosts memory_pools off forwarded_for off client_db off coredump_dir /var/spool/squid > Date: Sat, 13 Feb 2010 18:03:00 +1300 > From: squ...@treenet.co.nz > To: squid-users@squid-cache.org > Subject: Re: [squid-users] Cache manager analysis > > J. Webster wrote: >> What is the best place to start with in cache analysis? >> Would it be cache size, memory object size, IO, etc.? >> I'm looking to optimise the settings for my squid server. > > Step 0) migrate to the latest Squid 2.7 or 3.1 or if possible 2.HEAD > (that one is only nominally beta, it's very stable in reality) > > 1) Start by defining 'optimize' ... are you going to prioritize... > Faster service? > More bandwidth saving? > More client connections? > > 2a) For faster service, look at DNS delays, disk IO delays, maximizing > cacheable objects (dy
Re: [squid-users] Cache manager analysis
J. Webster wrote:
> What is the best place to start with in cache analysis?
> Would it be cache size, memory object size, IO, etc.?
> I'm looking to optimise the settings for my squid server.

Step 0) migrate to the latest Squid 2.7 or 3.1 or if possible 2.HEAD (that one is only nominally beta, it's very stable in reality)

1) Start by defining 'optimize' ... are you going to prioritize...
 Faster service?
 More bandwidth saving?
 More client connections?

2a) For faster service, look at DNS delays, disk IO delays, maximizing cacheable objects (dynamic objects etc).

2b) For pure bandwidth savings start with a look at object cacheability. Check dynamics are being cached, ranges are being fetched in full, etc

3) Then profile all the objects stored over a reasonably long period, looking at size. compare with the age of objects being discarded.

3a) tune the storage limits to prioritize the storage locations. giving priority to RAM, then COSS, then AUFS/diskd.

3b) set the storage limits as high as possible to maximize amount of data stored. anywhere.

4) take a good long look at your access controls and in particular the types speedy/fast/slow. You may get some speed benefits from fixing up the ordering a bit. regex are killers, remote lookups (helpers, or DNS) are second worst.
(some performance hints below)

5) repeat from (2b) as often as possible. concentrate traffic which seems to logically be storeable but gets a TCP_MISS anyway.

Objects served from cache lead to faster service times for those objects, so the speed vs bandwidth are inter-related somewhat. But there is a tipping point somewhere where tuning one starts to impact the other.

> Server: about 220GB available for the cache, I'm only using 4 MB at present as in the config below.
> system D2812-A2
> /0 bus D2812-A2
> /0/0 memory 110KiB BIOS
> /0/4 processor Intel(R) Core(TM)2 Duo CPU E7300 @ 2.66GHz
> /0/4/5 memory 64KiB L1 cache
> /0/4/6 memory 3MiB L2 cache
> /0/4/0.1 processor Logical CPU
> /0/4/0.2 processor Logical CPU
> /0/7 memory 3MiB L3 cache
> /0/2a memory 1GiB System Memory
> /0/2a/0 memory 1GiB DIMM DDR2 Synchronous 667 MHz (1.5 ns)
> /0/2a/1 memory DIMM DDR2 Synchronous 667 MHz (1.5 ns) [empty]
> /0/2a/2 memory DIMM DDR2 Synchronous 667 MHz (1.5 ns) [empty]
> /0/2a/3 memory DIMM DDR2 Synchronous 667 MHz (1.5 ns) [empty]
> /0/1 processor
> /0/1/0.1 processor Logical CPU
> /0/1/0.2 processor Logical CPU
>
> Current squid.conf:
> auth_param basic realm Proxy server
> auth_param basic credentialsttl 2 hours
> auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
> authenticate_cache_garbage_interval 1 hour
> authenticate_ip_ttl 2 hours
> acl all src 0.0.0.0/0.0.0.0

all src all

> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255

acl localhost src 127.0.0.1

> acl cacheadmin src 88.xxx.xxx.xxx
> acl to_localhost dst 127.0.0.0/8

acl to_localhost dst 127.0.0.0/8 0.0.0.0/32

> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 1863 # MSN messenger
> acl ncsa_users proxy_auth REQUIRED
> acl maxuser max_user_ip -s 2
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access allow manager cacheadmin

Hint: add the localhost IP to the cacheadmin ACL and drop one full set of "allow manager localhost" tests.

> http_access deny manager
> http_access allow ncsa_users

Hint: drop the authentication down ...

> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny to_localhost

... to here. All the attacks against your proxy for bad ports and sources will be dropped quickly by the security blanket settings. Load on your auth server will reduce and may speed up its response time.

Hint 2: if possible, define an ACL or the network ranges where you accept logins. Use it like so:
http_access allow localnet ncsa_users

... once again that speeds up the rejections, and helps by reducing the number of times the slow auth
[squid-users] Cache manager analysis
What is the best place to start with in cache analysis?
Would it be cache size, memory object size, IO, etc.?
I'm looking to optimise the settings for my squid server.

Server: about 220GB available for the cache, I'm only using 4 MB at present as in the config below.
system D2812-A2
/0 bus D2812-A2
/0/0 memory 110KiB BIOS
/0/4 processor Intel(R) Core(TM)2 Duo CPU E7300 @ 2.66GHz
/0/4/5 memory 64KiB L1 cache
/0/4/6 memory 3MiB L2 cache
/0/4/0.1 processor Logical CPU
/0/4/0.2 processor Logical CPU
/0/7 memory 3MiB L3 cache
/0/2a memory 1GiB System Memory
/0/2a/0 memory 1GiB DIMM DDR2 Synchronous 667 MHz (1.5 ns)
/0/2a/1 memory DIMM DDR2 Synchronous 667 MHz (1.5 ns) [empty]
/0/2a/2 memory DIMM DDR2 Synchronous 667 MHz (1.5 ns) [empty]
/0/2a/3 memory DIMM DDR2 Synchronous 667 MHz (1.5 ns) [empty]
/0/1 processor
/0/1/0.1 processor Logical CPU
/0/1/0.2 processor Logical CPU

Current squid.conf:
auth_param basic realm Proxy server
auth_param basic credentialsttl 2 hours
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
authenticate_cache_garbage_interval 1 hour
authenticate_ip_ttl 2 hours
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl cacheadmin src 88.xxx.xxx.xxx
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 1863 # MSN messenger
acl ncsa_users proxy_auth REQUIRED
acl maxuser max_user_ip -s 2
acl CONNECT method CONNECT
http_access allow manager localhost
http_access allow manager cacheadmin
http_access deny manager
http_access allow ncsa_users
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access deny maxuser
http_access allow localhost
http_access deny all
icp_access allow all
http_port 8080
http_port 88.xxx.xxx.xxx:80
hierarchy_stoplist cgi-bin ?
cache_mem 100 MB
maximum_object_size_in_memory 50 KB
cache_replacement_policy heap LFUDA
cache_dir aufs /var/spool/squid 4 16 256
maximum_object_size 50 MB
cache_swap_low 90
cache_swap_high 95
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
buffered_logs on
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
quick_abort_min 0 KB
quick_abort_max 0 KB
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
half_closed_clients off
cache_mgr a...@aaa.com
cachemgr_passwd aaa all
visible_hostname ProxyServer
log_icp_queries off
dns_nameservers 208.67.222.222 208.67.220.220
hosts_file /etc/hosts
memory_pools off
forwarded_for off
client_db off
coredump_dir /var/spool/squid
Re: [squid-users] cache manager access from web
J. Webster wrote:
> I have changed the config and can now login to the cache manager.
> This was in the conf already:
> http_access deny CONNECT !SSL_ports

The placement of that line is important. Squid's access controls work on a "first match" basis. I strongly advise reading the FAQ section on ACLs for more details.

> So, the issue remains whether allowing password access to the cache manager is enough.

That's really a personal decision.

> How else can this be made more secure?

Only allowing access from localhost.

> I guess not if the only way for me to access it is through a public IP address.

Use port forwarding via SSH to make a HTTP connection. The connection will (as far as Squid is concerned) originate from localhost.

Chris
RE: [squid-users] cache manager access from web
I have changed the config and can now login to the cache manager.
This was in the conf already:
http_access deny CONNECT !SSL_ports

So, the issue remains whether allowing password access to the cache manager is enough.
How else can this be made more secure? I guess not if the only way for me to access it is through a public IP address.

> Date: Wed, 10 Feb 2010 12:49:36 -0900
> From: crobert...@gci.net
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] cache manager access from web
>
> J. Webster wrote:
>> Doesn't the fact that the manager needs a password in previous config lines
>> mean that they can't access it?
>>
>
> Fair enough, if you are content with that.
>
>> the ncsa_users is only for http access?
>>
>
> The cachemgr interface is accessed via HTTP. It uses a specific request
> method (identified by the ACLs as manager), but it is a subset of HTTP.
>
> Changing the access rules like...
>
> http_access allow manager localhost
> http_access allow manager cacheadmin
> http_access deny manager
> http_access allow ncsa_users
>
> ...prevents those who are allowed to utilize your cache from even
> attempting access to your cachemgr interface (unless they are surfing
> from localhost, or the IP identified by the cacheadmin ACL). The
> default squid.conf has some further denies (such as preventing CONNECT
> requests to non-SSL ports) that are also missing from this configuration
> snippet, so this is not the only avenue for abuse.
>
> Chris
>
Re: [squid-users] cache manager access from web
J. Webster wrote:
> Doesn't the fact that the manager needs a password in previous config lines mean that they can't access it?

Fair enough, if you are content with that.

> the ncsa_users is only for http access?

The cachemgr interface is accessed via HTTP. It uses a specific request method (identified by the ACLs as manager), but it is a subset of HTTP.

Changing the access rules like...

http_access allow manager localhost
http_access allow manager cacheadmin
http_access deny manager
http_access allow ncsa_users

...prevents those who are allowed to utilize your cache from even attempting access to your cachemgr interface (unless they are surfing from localhost, or the IP identified by the cacheadmin ACL). The default squid.conf has some further denies (such as preventing CONNECT requests to non-SSL ports) that are also missing from this configuration snippet, so this is not the only avenue for abuse.

Chris
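The ordering effect described in the message above, as an added example that is not part of the original thread: a simplified Python model of Squid's first-match http_access evaluation, run over the two rule orders quoted in the thread. The addresses, the user name, and the treatment of any supplied user name as valid credentials are assumptions made for the illustration.

```python
"""Simplified model of Squid's first-match http_access evaluation."""

# ACL names and rule lines are taken from the thread. The addresses and the
# user name are constructed; 203.0.113.9 stands in for the redacted admin IP.
BOOLEAN_ACLS = {
    "manager": lambda req: req["proto"] == "cache_object",
    "localhost": lambda req: req["src"] == "127.0.0.1",
    "cacheadmin": lambda req: req["src"] == "203.0.113.9",
}
AUTH_ACLS = {"ncsa_users"}  # acl ncsa_users proxy_auth REQUIRED

ORIGINAL = [
    "http_access allow ncsa_users",
    "http_access allow manager localhost",
    "http_access allow manager cacheadmin",
    "http_access deny manager",
]
REORDERED = [
    "http_access allow manager localhost",
    "http_access allow manager cacheadmin",
    "http_access deny manager",
    "http_access allow ncsa_users",
]

# Constructed sample requests.
REQUESTS = {
    "cgi_localhost": {"proto": "cache_object", "src": "127.0.0.1", "user": None},
    "admin_manager": {"proto": "cache_object", "src": "203.0.113.9", "user": None},
    "user_manager": {"proto": "cache_object", "src": "198.51.100.7", "user": "alice"},
    "user_web": {"proto": "http", "src": "198.51.100.7", "user": "alice"},
}


def line_matches(acl_names, req):
    """AND the ACLs on one line, left to right, stopping at the first miss.

    Returns True, False, or "challenge" when a proxy_auth ACL is reached and
    the request carries no credentials (Squid answers 407 in that case).
    Assumption: any supplied user name counts as valid credentials.
    """
    for name in acl_names:
        negate = name.startswith("!")
        base = name.lstrip("!")
        if base in AUTH_ACLS:
            if req["user"] is None:
                return "challenge"
            matched = True
        else:
            matched = BOOLEAN_ACLS[base](req)
        if negate:
            matched = not matched
        if not matched:
            return False
    return True


def evaluate(rules, req):
    """Return 'allow', 'deny' or 'challenge' for one request."""
    last_action = None
    for line in rules:
        directive, action, *acl_names = line.split()
        if directive != "http_access" or action not in ("allow", "deny"):
            raise ValueError("unsupported line: " + line)
        last_action = action
        verdict = line_matches(acl_names, req)
        if verdict == "challenge":
            return "challenge"
        if verdict:
            return action  # first matching line decides
    if last_action is None:
        return "deny"  # no http_access lines at all
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if last_action == "allow" else "allow"


def compare():
    """Map each sample request to its (original, reordered) verdicts."""
    return {
        name: (evaluate(ORIGINAL, req), evaluate(REORDERED, req))
        for name, req in REQUESTS.items()
    }


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:15} original={before:10} reordered={after}")
```

Under the original order an authenticated proxy user from any address gets "allow" for a cache_object request, leaving cachemgr_passwd as the only barrier, while the CGI's unauthenticated lookup from localhost is challenged. The reordered rules reverse both outcomes.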
RE: [squid-users] cache manager access from web
As a side note
>> http_access allow ncsa_users
>> http_access allow manager localhost
>> http_access allow manager cacheadmin
>> http_access deny manager
cache_manager access (any access, really) is already allowed to ncsa_users, no matter if they are accessing from localhost, 88.xxx.xxx.xx9 or any other IP. You might want to have a gander at the FAQ section on ACLs (http://wiki.squid-cache.org/SquidFaq/SquidAcl).

Doesn't the fact that the manager needs a password in previous config lines mean that they can't access it?
the ncsa_users is only for http access?

> Date: Tue, 9 Feb 2010 16:14:31 -0900
> From: crobert...@gci.net
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] cache manager access from web
>
> Amos Jeffries wrote:
>> J. Webster wrote:
>>> I have followed the tutorial here:
>>> http://wiki.squid-cache.org/SquidFaq/CacheManager
>>> and set up acls to access the cache manager cgi on my server. I have
>>> to access this externally for the moment as that is the only access
>>> to the server that I have (SSH or web). The cache manager login
>>> appears when I access: http://myexternalipaddress/cgi-bin/cachemgr.cgi
>>> I have set the cache manager login and password in the squid.conf
>>> # TAG: cache_mgr
>>> # Email-address of local cache manager who will receive
>>> # mail if the cache dies. The default is "root".
>>> #
>>> #Default:
>>> # cache_mgr root
>>> cache_mgr a...@aaa.com
>>> cachemgr_passwd aaa all
>>> #Recommended minimum configuration:
>>> acl all src 0.0.0.0/0.0.0.0
>>> acl manager proto cache_object
>>> acl localhost src 127.0.0.1/255.255.255.255
>>> acl cacheadmin src 88.xxx.xxx.xx9/255.255.255.255 #external IP address?
>>
>> You don't need the /255.255.255.255 bit. Just a single IP address will
>> do.
>>
>>> acl to_localhost dst 127.0.0.0/8
>>> # Only allow cachemgr access from localhost
>
> As a side note
>
>>> http_access allow ncsa_users
>>> http_access allow manager localhost
>>> http_access allow manager cacheadmin
>>> http_access deny manager
>
> cache_manager access (any access, really) is already allowed to
> ncsa_users, no matter if they are accessing from localhost,
> 88.xxx.xxx.xx9 or any other IP. You might want to have a gander at the
> FAQ section on ACLs (http://wiki.squid-cache.org/SquidFaq/SquidAcl).
>
>>>
>>> However, whenever I enter the password and select localhost port 8080
>>> from the cgi script I get:
>>> The following error was encountered:
>>> Cache Access Denied.
>>> Sorry, you are not currently allowed to request:
>>> cache_object://localhost/
>>> from this cache until you have authenticated yourself.
>>
>> Looks like the CGI script does its own internal access to Squid to
>> fetch the page data. But does not have the right login details to pass
>> your "http_access allow ncsa_auth" security config.
>>
>> Amos
>
> Chris
>
Re: [squid-users] cache manager access from web
Amos Jeffries wrote:
> J. Webster wrote:
>> I have followed the tutorial here: http://wiki.squid-cache.org/SquidFaq/CacheManager
>> and set up acls to access the cache manager cgi on my server. I have to access this externally for the moment as that is the only access to the server that I have (SSH or web).
>> The cache manager login appears when I access: http://myexternalipaddress/cgi-bin/cachemgr.cgi
>> I have set the cache manager login and password in the squid.conf
>> # TAG: cache_mgr
>> # Email-address of local cache manager who will receive
>> # mail if the cache dies. The default is "root".
>> #
>> #Default:
>> # cache_mgr root
>> cache_mgr a...@aaa.com
>> cachemgr_passwd aaa all
>> #Recommended minimum configuration:
>> acl all src 0.0.0.0/0.0.0.0
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1/255.255.255.255
>> acl cacheadmin src 88.xxx.xxx.xx9/255.255.255.255 #external IP address?
>
> You don't need the /255.255.255.255 bit. Just a single IP address will do.
>
>> acl to_localhost dst 127.0.0.0/8
>> # Only allow cachemgr access from localhost

As a side note

>> http_access allow ncsa_users
>> http_access allow manager localhost
>> http_access allow manager cacheadmin
>> http_access deny manager

cache_manager access (any access, really) is already allowed to ncsa_users, no matter if they are accessing from localhost, 88.xxx.xxx.xx9 or any other IP. You might want to have a gander at the FAQ section on ACLs (http://wiki.squid-cache.org/SquidFaq/SquidAcl).

>> However, whenever I enter the password and select localhost port 8080 from the cgi script I get:
>> The following error was encountered:
>> Cache Access Denied.
>> Sorry, you are not currently allowed to request:
>> cache_object://localhost/
>> from this cache until you have authenticated yourself.
>
> Looks like the CGI script does its own internal access to Squid to fetch the page data. But does not have the right login details to pass your "http_access allow ncsa_auth" security config.
>
> Amos

Chris
Re: [squid-users] cache manager access from web
J. Webster wrote:
> I have followed the tutorial here: http://wiki.squid-cache.org/SquidFaq/CacheManager
> and set up acls to access the cache manager cgi on my server. I have to access this externally for the moment as that is the only access to the server that I have (SSH or web).
> The cache manager login appears when I access: http://myexternalipaddress/cgi-bin/cachemgr.cgi
> I have set the cache manager login and password in the squid.conf
> # TAG: cache_mgr
> # Email-address of local cache manager who will receive
> # mail if the cache dies. The default is "root".
> #
> #Default:
> # cache_mgr root
> cache_mgr a...@aaa.com
> cachemgr_passwd aaa all
> #Recommended minimum configuration:
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl cacheadmin src 88.xxx.xxx.xx9/255.255.255.255 #external IP address?

You don't need the /255.255.255.255 bit. Just a single IP address will do.

> acl to_localhost dst 127.0.0.0/8
> # Only allow cachemgr access from localhost
> http_access allow ncsa_users
> http_access allow manager localhost
> http_access allow manager cacheadmin
> http_access deny manager
>
> However, whenever I enter the password and select localhost port 8080 from the cgi script I get:
> The following error was encountered:
> Cache Access Denied.
> Sorry, you are not currently allowed to request:
> cache_object://localhost/
> from this cache until you have authenticated yourself.

Looks like the CGI script does its own internal access to Squid to fetch the page data. But does not have the right login details to pass your "http_access allow ncsa_auth" security config.

Amos
--
Please be using
 Current Stable Squid 2.7.STABLE7 or 3.0.STABLE23
 Current Beta Squid 3.1.0.16
[squid-users] cache manager access from web
I have followed the tutorial here: http://wiki.squid-cache.org/SquidFaq/CacheManager
and set up acls to access the cache manager cgi on my server. I have to access this externally for the moment as that is the only access to the server that I have (SSH or web).
The cache manager login appears when I access: http://myexternalipaddress/cgi-bin/cachemgr.cgi
I have set the cache manager login and password in the squid.conf

# TAG: cache_mgr
# Email-address of local cache manager who will receive
# mail if the cache dies. The default is "root".
#
#Default:
# cache_mgr root
cache_mgr a...@aaa.com
cachemgr_passwd aaa all

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl cacheadmin src 88.xxx.xxx.xx9/255.255.255.255 #external IP address?
acl to_localhost dst 127.0.0.0/8
# Only allow cachemgr access from localhost
http_access allow ncsa_users
http_access allow manager localhost
http_access allow manager cacheadmin
http_access deny manager

However, whenever I enter the password and select localhost port 8080 from the cgi script I get:
The following error was encountered:
Cache Access Denied.
Sorry, you are not currently allowed to request:
cache_object://localhost/
from this cache until you have authenticated yourself.
Re: [squid-users] cache manager problem
David C. Heitmann wrote:
> how i can start the cachemanager
> i have copy it to the /cgi-bin/ directory and it has execute rights! owner www-data group root read and write and execute for owner and group
> when i type in the browser... /cgi-bin/cachemgr.cgi i see a login screen but nothing let me in :(
> i have configured in the squid.conf: cachemgr_passwd dave all

This configures the password all the tools use to access the manager interface inside Squid. For example; squidclient mgr:m...@dave

I think the bits you need now are these: http://wiki.squid-cache.org/SquidFaq/CacheManager#Cache_manager_ACLs_in_squid.conf

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE23
  Current Beta Squid 3.1.0.16
[squid-users] cache manager problem
how i can start the cachemanager i have copy it to the /cgi-bin/ directory and it has execute rights! owner www-data group root read and write and execute for owner and group when i type in the browser... /cgi-bin/cachemgr.cgi i see a login screen but nothing let me in :( i have configured in the squid.conf: cachemgr_passwd dave all can somebody help me please?! thanks dave
Re: [squid-users] cache manager
Fri 2009-09-04 at 11:03 +0400, Aleksey Samostrelov wrote:
> Hello.
>
> On squid 2.6 STABLE17 can not change cache manager email on error page.
> It is always proxy_administrator though cache_mgr parameter set to custom
> email.

Then you have some setting setting it to proxy_administrator as well. The default is webmaster, not proxy_administrator.

Regards
Henrik
Re: [squid-users] cache manager
2009/9/4 Aleksey Samostrelov : > Hello. > > On squid 2.6 STABLE17 can not change cache manager email on error page. > It is always proxy_administrator though cache_mgr parameter set to custom > email. > The better solution is to upgrade it to squid-2.7 or 3.0's latest version.
[squid-users] cache manager
Hello. On squid 2.6 STABLE17 can not change cache manager email on error page. It is always proxy_administrator though cache_mgr parameter set to custom email. Regards, Alex
[squid-users] cache Manager
Hi, I want to logging to cache-manager but I keep getting the following error target localhost:80 not allowed in cachemgr.conf now I have the following line in cachemgr.conf localhost:all but still to no avail.. any Idea why?
[squid-users] Cache Manager (redirector) : What is Average service time ?
Hi,

Can anyone please clarify what does ' average service time = 3 msec' signify ? I get it when I access the cache managers redirector information.

Redirector Statistics:
program: /home/zdn/bin/redirect_parallel.pl
number running: 2 of 2
requests sent: 155697
replies received: 155692
queue length: 0
avg service time: 0 msec

Also, what is the unit of time column shown in the table form of statistics and what does it signify?

FD PID # Requests Flags Time Offset Request

Thanks
RE: [squid-users] Cache Manager query (objects/vm_objects)
On Fri, 2008-08-29 at 16:07 +0100, Joe Tiedeman wrote:
> Having relooked at cache_object://localhost/objects, it appears that
> there are quite a few objects listed as "NOT_IN_MEMORY", I assume that
> these are cached on disk, but they don't include the URL and method
> which the "IN_MEMORY" objects do, is there any way to determine this?

Only by reading it from disk.. the purge utility can do this task.

Regards
Henrik
Re: [squid-users] Cache Manager query (objects/vm_objects)
On Fri, 2008-08-29 at 15:55 +0100, Joe Tiedeman wrote:
>
> I'm currently trying to write an internal web application to manage our
> proxies (specifically our reverse proxy) and have hit a bit of a
> stumbling block. It appears that the objects and vm_objects listing from
> the cache manager only list objects cached in memory and not on disk.
> i.e. looking in our access logs, urls which appear as tcp_mem_hit show
> up in both listings, but urls which show up as tcp_hit don't.

The URL is only known for in-memory objects. On-disk objects show up with only their hash in the objects listing.

Note: The vm_objects list is only in-memory objects.

Regards
Henrik
RE: [squid-users] Cache Manager query (objects/vm_objects)
Having relooked at cache_object://localhost/objects, it appears that there are quite a few objects listed as "NOT_IN_MEMORY", I assume that these are cached on disk, but they don't include the URL and method which the "IN_MEMORY" objects do, is there any way to determine this?

Cheers
Joe

Joe Tiedeman
Support Analyst
Higher Education Statistics Agency (HESA)
95 Promenade, Cheltenham, Gloucestershire GL50 1HZ
T 01242 211167 F 01242 211122 W www.hesa.ac.uk

-Original Message-
From: Joe Tiedeman [mailto:[EMAIL PROTECTED]
Sent: Friday 29 August 2008 15:56
To: squid-users@squid-cache.org
Subject: [squid-users] Cache Manager query (objects/vm_objects)

Hi Guys,

I'm currently trying to write an internal web application to manage our proxies (specifically our reverse proxy) and have hit a bit of a stumbling block. It appears that the objects and vm_objects listing from the cache manager only list objects cached in memory and not on disk. i.e. looking in our access logs, urls which appear as tcp_mem_hit show up in both listings, but urls which show up as tcp_hit don't.

If I'm correct on this assumption, is there any way of listing in a similar fashion all objects, including those on disk, and if so, a way to distinguish between those in memory and those on disk. If none of the above is true, please feel free to correct me and point me in the right direction!

Cheers
Joe
[squid-users] Cache Manager query (objects/vm_objects)
Hi Guys,

I'm currently trying to write an internal web application to manage our proxies (specifically our reverse proxy) and have hit a bit of a stumbling block. It appears that the objects and vm_objects listing from the cache manager only list objects cached in memory and not on disk. i.e. looking in our access logs, urls which appear as tcp_mem_hit show up in both listings, but urls which show up as tcp_hit don't.

If I'm correct on this assumption, is there any way of listing in a similar fashion all objects, including those on disk, and if so, a way to distinguish between those in memory and those on disk. If none of the above is true, please feel free to correct me and point me in the right direction!

Cheers
Joe

Joe Tiedeman
Support Analyst
Higher Education Statistics Agency (HESA)
95 Promenade, Cheltenham, Gloucestershire GL50 1HZ
T 01242 211167 F 01242 211122 W www.hesa.ac.uk
Re: [squid-users] cache manager access
On Fri, 2008-05-30 at 13:21 +0800, cc wrote:
> I've set it to *:*, and visually, the form looks just
> like the old version. However, when I enter the manager's
> password, it still gives me an Error Access Denied.

That error is from your Squid http_access rules. What is said in access.log? And does this match your http_access rules?

Regards
Henrik
Re: [squid-users] cache manager access
Chris Robertson wrote:
> cc wrote:
>> Hi,
>> I have "Squid: The Definitive guide" and have installed v2.6STABLE 16 installed. I'm *quite* confused as to how to access the cache-manager.
>> The book has the following:
>>   Cache Host: localhost
>>   Cache Port: 3128
>>   Manager Name:
>>   Password:
>> Whereas the new version has:
>>   Cache Server: localhost:3128
>>   Cache Host:
>>   Cache Port:
>>   Manager Name:
>>   Password:
>> What is the difference between Cache Server and Cache host?
>
> The cachemgr.cgi included with 2.6 has its own config file (cachemgr.conf, stored in the same directory as the squid.conf file). In this config file you can specify which Squid caches the CGI is allowed to query. If you want the functionality of the old version, a cachemgr.conf containing the string *:* (asterisk colon asterisk) will give you the option of specifying the host and port.

I've set it to *:*, and visually, the form looks just like the old version. However, when I enter the manager's password, it still gives me an Error Access Denied.

Is there some configuration option that I've forgotten about? I've looked at all the options and aside for the 'manager name', which I've assumed to be cachemgr, and the password, I can't find anything else.

Any help appreciated.

Ed
Re: [squid-users] cache manager access
cc wrote:
> Hi,
> I have "Squid: The Definitive guide" and have installed v2.6STABLE 16 installed. I'm *quite* confused as to how to access the cache-manager.
> The book has the following:
>   Cache Host: localhost
>   Cache Port: 3128
>   Manager Name:
>   Password:
> Whereas the new version has:
>   Cache Server: localhost:3128
>   Cache Host:
>   Cache Port:
>   Manager Name:
>   Password:
> What is the difference between Cache Server and Cache host?

The cachemgr.cgi included with 2.6 has its own config file (cachemgr.conf, stored in the same directory as the squid.conf file). In this config file you can specify which Squid caches the CGI is allowed to query. If you want the functionality of the old version, a cachemgr.conf containing the string *:* (asterisk colon asterisk) will give you the option of specifying the host and port.

> Anyway, I've set the Cache Server to the server which has Squid running. Cache host the same value. Port 3128. I enter the manager name, and then the password. I click Continue. I'm then given the following page:
>
>   Security Hazard
>   Access to cache_object://system/ is not permitted. Due to security issues, access to this site has been reevoked until further notice. Your cache administrator is the webmaster.
>
> I don't remember the last time I tried doing this, but I do recall also having trouble figuring this out. But I don't recall having this security hazard message shown.
> According to the squid.conf, I have:
>   http_access allow manager localhost
>   http_access allow manager admin_sys
>   http_access allow manager system
>   http_access deny manager !admin_sys !system
> Am I missing something else? Any help appreciated.
> Ed

Chris
[squid-users] cache manager access
Hi, I have "Squid: The Definitive guide" and have installed v2.6STABLE 16 installed. I'm *quite* confused as to how to access the cache-manager. The book has the following: Cache Host: localhost Cache Port: 3128 Manager Name: Password: Whereas the new version has: Cache Server: localhost:3128 Cache Host: Cache Port: Manager Name: Password: What is the difference between Cache Server and Cache host? Anyway, I've set the Cache Server to the server which has Squid running. Cache host the same value. Port 3128. I enter the manager name, and then the password. I click Continue. I'm then given the following page: Security Hazard Access to cache_object://system/ is not permitted. Due to security issues, access to this site has been reevoked until further notice. Your cache administrator is the webmaster. I don't remember the last time I tried doing this, but I do recall also having trouble figuring this out. But I don't recall having this security hazard message shown. According to the squid.conf, I have: http_access allow manager localhost http_access allow manager admin_sys http_access allow manager system http_access deny manager !admin_sys !system Am I missing something else? Any help appreciated. Ed
Re: [squid-users] Cache Manager FAQ wiki - updated info
> Hi, > > I was trying to set up my squid manager client by following the > instructions > at http://wiki.squid-cache.org/SquidFaq/CacheManager > > Unfortunately these instructions do not appear to correspond to my set-up. > > I have squid 2.6.STABLE9, Apache/2.0.55 running on Ubuntu 6.10 (kernel > 2.6.17-10-generic) 64-bit. > Ah, thank you for locating this oversight. I have corrected it by splitting the Apache section for 1.x and 2.x specific configs. Amos
[squid-users] Cache Manager FAQ wiki - updated info
Hi,

I was trying to set up my squid manager client by following the instructions at http://wiki.squid-cache.org/SquidFaq/CacheManager

Unfortunately these instructions do not appear to correspond to my set-up. I have squid 2.6.STABLE9, Apache/2.0.55 running on Ubuntu 6.10 (kernel 2.6.17-10-generic) 64-bit.

On the instructions it says to set up a ScriptAlias in my httpd.conf file, but I do not have a httpd.conf file. Instead, I had to create a new "site" under /etc/apache2/sites-available. Then you have to make a symlink to the file you just made under /etc/apache2/sites-enabled. I also had to edit "ports.conf" to add the port I wanted to listen for (I think this is an optional step).

Here is my site configuration:

NameVirtualHost *: # port number I chose
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /var/www/squid
Options FollowSymLinks
AllowOverride None
Options Indexes FollowSymLinks MultiViews ExecCGI
AllowOverride None
Order allow,deny
allow from all
# Uncomment this directive if you want to see apache2's
# default start page (in /apache2-default) when you go to /
#RedirectMatch ^/$ /apache2-default/
ScriptAlias /Squid/cgi-bin/ /var/www/squid/cgi-bin/
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from 192.168.1
ErrorLog /var/log/apache2/squid/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/squid/access.log combined
ServerSignature On
Alias /doc/ "/usr/share/doc/"
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128

The script alias is supposed to point to /usr/share/squid/cgi-bin. I have /usr/share but NOT /usr/share/squid. My cachemgr.cgi was located in /usr/lib/squid/cachemgr.cgi, while the example on the wiki has it at /usr/share/squid/cgi-bin/cachemgr.cgi. I copied my cachemgr.cgi to /var/www/squid/cgi-bin/cachemgr.cgi so it would run.

Now my cache manager runs at http://localhost:port/Squid/cgi-bin/cachemgr.cgi as it should.

I hope this can help someone else trying to set up their Cache Manager

Angela Burrell
Computer Systems Administrator
Lambton County Human Resource Admin Services, Inc
Bayside Centre, Sarnia, Ontario
(519) 344-2062 ext. 2348
Re: [squid-users] Cache Manager CGI Interface on IIS - I got issues I don't understand
Tue 2007-05-01 at 13:09 -0400, Andreas Woll wrote:
> Squid is just listening to the http_port 3128.
> All other ports are disabled.

Well, the error says that cachemgr.cgi didn't succeed in connecting to the http_port. Make sure your http_port specification and cachemgr.conf (or manual server entry) matches.

Regards
Henrik
Re: [squid-users] Cache Manager CGI Interface on IIS - I got issues I don't understand
Squid is just listening to the http_port 3128. All other ports are disabled.

Andreas

At 11:34 01.05.2007, Henrik Nordstrom wrote:
> Tue 2007-05-01 at 09:02 -0400, Andreas Woll wrote:
>> Hi all,
>>
>> I didn't found a subject in the newsgroup, so I ask again for a little help.
>> Now the SquidNT service is running I tried to access it through the
>> CGI interface.
>>
>> But I always get:
>>
>> connect: (10061) WSAECONNREFUSED, connection refused.
>
> Then you didn't specify a correct address:port for cachemgr to connect to. Needs to point to a http_port where Squid is listening for requests.
>
>> In cachemgr.conf is just "localhost".
>
> And what do you use for http_port in squid.conf?
>
> Regards
> Henrik
Re: [squid-users] Cache Manager CGI Interface on IIS - I got issues I don't understand
Tue 2007-05-01 at 09:02 -0400, Andreas Woll wrote:
> Hi all,
>
> I didn't found a subject in the newsgroup, so I ask again for a little help.
> Now the SquidNT service is running I tried to access it through the
> CGI interface.
>
> But I always get:
>
> connect: (10061) WSAECONNREFUSED, connection refused.

Then you didn't specify a correct address:port for cachemgr to connect to. Needs to point to a http_port where Squid is listening for requests.

> In cachemgr.conf is just "localhost".

And what do you use for http_port in squid.conf?

Regards
Henrik
[squid-users] Cache Manager CGI Interface on IIS - I got issues I don't understand
Hi all, I didn't found a subject in the newsgroup, so I ask again for a little help. Now the SquidNT service is running I tried to access it through the CGI interface. But I always get: connect: (10061) WSAECONNREFUSED, connection refused. IIS is bound to all IPs of the machine including loopback. ACLs in squid.conf: acl all src 0.0.0.0/0.0.0.0 acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst 127.0.0.0/8 # Only allow cachemgr access from localhost http_access allow manager localhost http_access deny manager In cachemgr.conf is just "localhost". The password tag in squid.conf is set like this: cachemgr_passwd 2secure4you all The cache_mgr tag is set to webmaster. What did I wrong? Andreas
Re: [squid-users] cache manager output
nonama wrote:
> Dear SQUID-expert frens,
> We are experiencing slowness in surfing here. Just want to find out, Which part of the cache manager output that I should look into to check whether or not the problems lies within SQUID. Kindly help.
>
> Squid Object Cache: Version 2.5.STABLE12
> Start Time: Tue, 26 Sep 2006 23:03:44 GMT
> Current Time: Wed, 27 Sep 2006 01:10:45 GMT
> Connection information for squid:
>   Number of clients accessing cache: 0
>   Number of HTTP requests received: 49119
>   Number of ICP messages received: 0
>   Number of ICP messages sent: 0
>   Number of queued ICP replies: 0
>   Request failure ratio: 0.00
>   Average HTTP requests per minute since start: 386.7
>   Average ICP messages per minute since start: 0.0
>   Select loop called: 487089 times, 15.645 ms avg
> Cache information for squid:
>   Request Hit Ratios: 5min: 43.3%, 60min: 43.5%
>   Byte Hit Ratios: 5min: 19.1%, 60min: 24.1%
>   Request Memory Hit Ratios: 5min: 6.1%, 60min: 2.2%
>   Request Disk Hit Ratios: 5min: 36.1%, 60min: 26.8%
>   Storage Swap size: 30048680 KB
>   Storage Mem size: 11688 KB
>   Mean Object Size: 23.17 KB
>   Requests given to unlinkd: 887
> Median Service Times (seconds)  5 min    60 min:
>   HTTP Requests (All):   1.46131  0.94847
>   Cache Misses:         24.21863 10.20961
>   Cache Hits:            0.00286  0.00463
>   Near Hits:            24.21863 12.00465
>   Not-Modified Replies:  0.00379  0.00286
>   DNS Lookups:           0.0  0.0
>   ICP Queries:           0.0  0.0

Hit (the object is cached) service time in the milliseconds, miss (the object is not cached) and near hit service time (Squid had to verify the cached object is still fresh) in the tens of seconds and DNS lookups (apparently) taking no time at all. Maybe it's just me, but I think the problem lies outside of Squid.

> Resource usage for squid:
>   UP Time: 7620.750 seconds
>   CPU Time: 95.623 seconds
>   CPU Usage: 1.25%
>   CPU Usage, 5 minute avg: 2.23%
>   CPU Usage, 60 minute avg: 1.86%
>   Process Data Segment Size via sbrk(): 144188 KB
>   Maximum Resident Size: 0 KB
>   Page faults with physical i/o: 0
> Memory usage for squid via mallinfo():
>   Total space in arena: 144188 KB
>   Ordinary blocks: 143058 KB    483 blks
>   Small blocks: 0 KB    0 blks
>   Holding blocks: 1492 KB    4 blks
>   Free Small blocks: 0 KB
>   Free Ordinary blocks: 1129 KB
>   Total in use: 144550 KB 99%
>   Total free: 1129 KB 1%
>   Total size: 145680 KB
> Memory accounted for:
>   Total accounted: 111448 KB
>   memPoolAlloc calls: 12113723
>   memPoolFree calls: 8161986
> File descriptor usage for squid:
>   Maximum number of file descriptors: 1024
>   Largest file desc currently in use: 367
>   Number of file desc currently in use: 314
>   Files queued for open: 0
>   Available number of file descriptors: 710
>   Reserved number of file descriptors: 100
>   Store Disk files open: 19
> Internal Data Structures:
>   1297267 StoreEntries
>   2494 StoreEntries with MemObjects
>   2387 Hot Object Cache Items
>   1296981 on-disk objects

I'd look at your Internet connection for congestion.

Chris
[squid-users] cache manager output
Dear SQUID-expert frens, We are experiencing slowness in surfing here. Just want to find out, Which part of the cache manager output that I should look into to check whether or not the problems lies within SQUID. Kindly help. Squid Object Cache: Version 2.5.STABLE12 Start Time: Tue, 26 Sep 2006 23:03:44 GMT Current Time: Wed, 27 Sep 2006 01:10:45 GMT Connection information for squid: Number of clients accessing cache: 0 Number of HTTP requests received: 49119 Number of ICP messages received:0 Number of ICP messages sent:0 Number of queued ICP replies: 0 Request failure ratio: 0.00 Average HTTP requests per minute since start: 386.7 Average ICP messages per minute since start:0.0 Select loop called: 487089 times, 15.645 ms avg Cache information for squid: Request Hit Ratios: 5min: 43.3%, 60min: 43.5% Byte Hit Ratios:5min: 19.1%, 60min: 24.1% Request Memory Hit Ratios: 5min: 6.1%, 60min: 2.2% Request Disk Hit Ratios:5min: 36.1%, 60min: 26.8% Storage Swap size: 30048680 KB Storage Mem size: 11688 KB Mean Object Size: 23.17 KB Requests given to unlinkd: 887 Median Service Times (seconds) 5 min60 min: HTTP Requests (All): 1.46131 0.94847 Cache Misses: 24.21863 10.20961 Cache Hits:0.00286 0.00463 Near Hits:24.21863 12.00465 Not-Modified Replies: 0.00379 0.00286 DNS Lookups: 0.0 0.0 ICP Queries: 0.0 0.0 Resource usage for squid: UP Time:7620.750 seconds CPU Time: 95.623 seconds CPU Usage: 1.25% CPU Usage, 5 minute avg:2.23% CPU Usage, 60 minute avg: 1.86% Process Data Segment Size via sbrk(): 144188 KB Maximum Resident Size: 0 KB Page faults with physical i/o: 0 Memory usage for squid via mallinfo(): Total space in arena: 144188 KB Ordinary blocks: 143058 KB483 blks Small blocks: 0 KB 0 blks Holding blocks: 1492 KB 4 blks Free Small blocks: 0 KB Free Ordinary blocks:1129 KB Total in use: 144550 KB 99% Total free: 1129 KB 1% Total size:145680 KB Memory accounted for: Total accounted: 111448 KB memPoolAlloc calls: 12113723 memPoolFree calls: 8161986 File descriptor usage 
for squid: Maximum number of file descriptors: 1024 Largest file desc currently in use:367 Number of file desc currently in use: 314 Files queued for open: 0 Available number of file descriptors: 710 Reserved number of file descriptors: 100 Store Disk files open: 19 Internal Data Structures: 1297267 StoreEntries 2494 StoreEntries with MemObjects 2387 Hot Object Cache Items 1296981 on-disk objects
Re: [squid-users] Cache Manager Error... socket: (13)Permissiondenied
Sweet! That was it. Thanks! :) - louis - Original Message - From: "Henrik Nordstrom" Sent: Thursday, April 13, 2006 10:53 AM Subject: Re: [squid-users] Cache Manager Error... socket: (13)Permissiondenied Then I would guess your SELINUX policy for Apache (or whatever HTTP server you have) forbids the cgi-scripts from making TCP connections. Regards Henrik
Re: [squid-users] Cache Manager Error... socket: (13) Permissiondenied
Thu 2006-04-13 at 09:52 -0700, Louis Baumann wrote:
> > Are you running a Linux system with SELINUX enabled or similar?
> Yes.

Then I would guess your SELINUX policy for Apache (or whatever HTTP server you have) forbids the cgi-scripts from making TCP connections.

Regards
Henrik
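A way to confirm the condition Henrik describes, as an added example (not from the thread): it scans audit log lines for SELinux AVC denials in which the CGI was refused an operation on a TCP socket. The sample log lines, PIDs, timestamps and security contexts are constructed for illustration.

```python
"""Find SELinux AVC denials that stop a CGI from opening TCP connections (added example)."""
import re

# "avc: denied { perm ... } for key=value ..." as written to the audit log.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed audit.log lines; every value in them is illustrative.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1144947722.413:91): avc:  denied  { create } for  pid=2817 comm="cachemgr.cgi" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket
type=AVC msg=audit(1144947730.002:92): avc:  denied  { read } for  pid=2790 comm="httpd" name="notes.txt" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1144947722.413:91): arch=40000003 syscall=102 success=no exit=-13 comm="cachemgr.cgi"
type=AVC msg=audit(1144947801.877:97): avc:  denied  { name_connect } for  pid=2903 comm="cachemgr.cgi" dest=3128 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
"""


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for any other line."""
    match = AVC_RE.search(line)
    if match is None:
        return None
    record = {key: value.strip('"') for key, value in FIELD_RE.findall(match.group("rest"))}
    record["perms"] = match.group("perms").split()
    # A context reads user:role:type[:level]; the type is what policy rules name.
    context = record.get("scontext", "").split(":")
    record["source_type"] = context[2] if len(context) > 2 else ""
    return record


def cgi_network_denials(lines, script="cachemgr.cgi"):
    """Denials where `script` was refused an operation on a tcp_socket object."""
    hits = []
    for line in lines:
        record = parse_avc(line)
        if record and record.get("comm") == script and record.get("tclass") == "tcp_socket":
            hits.append(record)
    return hits


if __name__ == "__main__":
    for hit in cgi_network_denials(SAMPLE_AUDIT_LOG.splitlines()):
        # A "create" denial is what surfaces in the CGI as
        # "socket: (13) Permission denied" (errno 13 is EACCES).
        print(hit["source_type"], hit["perms"], "dest=" + hit.get("dest", "-"))
```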
Re: [squid-users] Cache Manager Error... socket: (13) Permission denied
The error is in the browser. The "continue" is the continue button on the initial cache manager page. The browser I'm using to access the cachemanager web page is not going through the proxy, so there wouldn't be a cache log entry. - louis - Original Message - From: "Mark Elsen" Sent: Wednesday, April 12, 2006 10:43 PM Subject: Re: [squid-users] Cache Manager Error... socket: (13) Permission denied On 4/12/06, Louis Baumann <[EMAIL PROTECTED]> wrote: > I'm trying to access cachemgr.cgi via my browser from the same machine that > squid is running on. I get the initial page but when I click "continue" I > get the following error: Cache Manager Error... socket: (13) Permission > denied > > - Is this error in the browser or in cache.log ? - If its' in the browser, what's in cache.log ? What do you mean by 'continue' , could you show us the page you get, and where that 'continue' link is ? M.
Re: [squid-users] Cache Manager Error... socket: (13) Permissiondenied
Yes. - Original Message - From: "Henrik Nordstrom" Sent: Thursday, April 13, 2006 2:21 AM Subject: Re: [squid-users] Cache Manager Error... socket: (13) Permissiondenied Are you running a Linux system with SELINUX enabled or similar? Regards Henrik
Re: [squid-users] Cache Manager Error... socket: (13) Permission denied
Wed 2006-04-12 at 14:02 -0700, Louis Baumann wrote:
> I'm trying to access cachemgr.cgi via my browser from the same machine that
> squid is running on. I get the initial page but when I click "continue" I
> get the following error: Cache Manager Error... socket: (13) Permission
> denied

Are you running a Linux system with SELINUX enabled or similar?

Regards
Henrik
Re: [squid-users] Cache Manager Error... socket: (13) Permission denied
On 4/12/06, Louis Baumann <[EMAIL PROTECTED]> wrote: > I'm trying to access cachemgr.cgi via my browser from the same machine that > squid is running on. I get the initial page but when I click "continue" I > get the following error: Cache Manager Error... socket: (13) Permission > denied > > - Is this error in the browser or in cache.log ? - If its' in the browser, what's in cache.log ? What do you mean by 'continue' , could you show us the page you get, and where that 'continue' link is ? M.
[squid-users] Cache Manager Error... socket: (13) Permission denied
I'm trying to access cachemgr.cgi via my browser from the same machine that squid is running on. I get the initial page but when I click "continue" I get the following error: Cache Manager Error... socket: (13) Permission denied Here's my squid.conf ACL... - acl all src 0.0.0.0/0.0.0.0 acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 http_access allow manager localhost http_access deny manager I copied cachemgr.cgi to /var/www/cgi-bin/ and chmod 755 it. I have the following in my httpd.conf... - ScriptAlias /cgi-bin/ "/var/www/cgi-bin/" order allow,deny allow from 127.0.0.1 allow from localhost If I do the following (as root) I get the appropriate output. /usr/local/squid/bin/squidclient -p 3128 cache_object://a/info Any ideas? - louis
Re: [squid-users] Cache manager - 2 questions
Tue 2006-02-14 at 09:46 +0100, Magali Bernard wrote:
> And of course you're right.
> I'm running Debian Woody (old stable) with libc6 (Provides: glibc-2.2.5-11.8)
> Hope Debian Sarge (stable) will solve the problem.

According to glibc people the Linux kernel does not provide rss information. strace of the test program confirms this on the systems I have (all 0 returned from the kernel).

Regards
Henrik
Re: [squid-users] Cache manager - 2 questions
On 13/02/2006, Henrik Nordstrom <[EMAIL PROTECTED]> said:
> On Mon, 13 Feb 2006, Magali Bernard wrote:
>
> > I have noticed that cachemgr.cgi gives no more value but 0 (zero) for
> > Maximum Resident Size. Could it be something in squid configuration ?
>
> Not configuration related.. most likely OS/libc issue.
>
> What does the following small C program report on your system:
>
> --- cut here ---
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <sys/time.h>
> #include <sys/resource.h>
>
> int main(int argc, char **argv)
> {
>     char *p = malloc(1024 * 1024);
>     struct rusage ru;
>     int i;
>     memset(p, 0, 1024 * 1024);
>     memset(&ru, 0, sizeof(ru));
>     getrusage(RUSAGE_SELF, &ru);
>     printf("My Maximum Resident size: %d\n", (int)ru.ru_maxrss);
> }
> --- cut here ---
>
> save as rsstest.c, then
>
>    gcc -o rsstest rsstest.c
>    ./rsstest
>
> My bet is that this too reports 0, where it certainly is larger...

And of course you're right. I'm running Debian Woody (old stable) with libc6 (Provides: glibc-2.2.5-11.8)
Hope Debian Sarge (stable) will solve the problem.

> > Second, giving the next config, I thought I could not access to
> > Cache Manager from a browser outside "localhost": I do, after
> > providing authentication (manager/password). Is it normal ?
>
> Depends on your http_access rules, and what you refer to...
>
> The access controls in Squid restricts where cachemgr.cgi may be running,
> not who may use cachemgr.cgi. Defaults to only allow access to
> cachemgr.cgi running on the same box (i.e. web server on same box as
> Squid).

This point I didn't understand at all.

> The more interesting access controls on who may call the cachemgr.cgi
> application is in your web server where you call the cachemgr.cgi
> application, not Squid.
>
> When both conditions (user allowed by webserver to call the cachemgr.cgi,
> and the webserver allowed by Squid to use the cachemgr functions) are
> fulfilled the cachemgr_password settings in squid.conf further restricts
> access by requiring a "secret" password as per your squid.conf.

Now it's clear for me that these controls are the most important. Fortunately they already exist.

Thanks a lot,

> Regards
> Henrik

--
Magali BERNARD - Centre de Ressources Informatiques Télécom et Réseaux
Université Jean Monnet de Saint-Étienne - FRANCE

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting annoying in email?
Re: [squid-users] Cache manager - 2 questions
On Mon, 13 Feb 2006, Magali Bernard wrote:

> I have noticed that cachemgr.cgi gives no more value but 0 (zero) for
> Maximum Resident Size. Could it be something in squid configuration ?

Not configuration related.. most likely OS/libc issue.

What does the following small C program report on your system:

--- cut here ---
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/time.h>
#include <sys/resource.h>

int main(int argc, char **argv)
{
    char *p = malloc(1024 * 1024);
    struct rusage ru;
    /* touch 1 MB so the resident set is clearly non-zero */
    memset(p, 0, 1024 * 1024);
    memset(&ru, 0, sizeof(ru));
    getrusage(RUSAGE_SELF, &ru);
    printf("My Maximum Resident size: %d\n", (int)ru.ru_maxrss);
    return 0;
}
--- cut here ---

save as rsstest.c, then

   gcc -o rsstest rsstest.c
   ./rsstest

My bet is that this too reports 0, where it certainly is larger...

> Second, giving the next config, I thought I could not access to
> Cache Manager from a browser outside "localhost": I do, after
> providing authentication (manager/password). Is it normal ?

Depends on your http_access rules, and what you refer to...

The access controls in Squid restricts where cachemgr.cgi may be running, not who may use cachemgr.cgi. Defaults to only allow access to cachemgr.cgi running on the same box (i.e. web server on same box as Squid).

The more interesting access controls on who may call the cachemgr.cgi application is in your web server where you call the cachemgr.cgi application, not Squid.

When both conditions (user allowed by webserver to call the cachemgr.cgi, and the webserver allowed by Squid to use the cachemgr functions) are fulfilled the cachemgr_password settings in squid.conf further restricts access by requiring a "secret" password as per your squid.conf.

Regards
Henrik
[squid-users] Cache manager - 2 questions
Hello squid users,

I have noticed that cachemgr.cgi gives no more value but 0 (zero) for Maximum Resident Size. Could it be something in squid configuration ?

Second, giving the next config, I thought I could not access to Cache Manager from a browser outside "localhost": I do, after providing authentication (manager/password). Is it normal ?

acl localhost src 127.0.0.1/255.255.255.255
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

> ~squid/sbin/squid -v
Squid Cache: Version 2.5.STABLE12-20060109
configure options: --prefix=/usr/local/squid-2.5.STABLE12-20060109 --enable-dlmalloc --enable-storeio=diskd,ufs,aufs,null --enable-snmp --with-large-files --disable-hostname-checks --enable-underscores --enable-basic-auth-helpers=LDAP --with-maxfd=8192

Thanks in advance,

--
__
Magali BERNARD - Centre de Ressources Informatiques Télécom et Réseaux
Université Jean Monnet de Saint-Étienne - FRANCE

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting annoying in email?
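Added example, not part of the original thread and not Squid's own code: a small Python model of the three checks Henrik describes in his reply, run against the http_access lines from this post. The `manager_request` function, the web-server allow list and every address used are assumptions constructed for illustration.

```python
import hmac
import ipaddress

# Constructed model, not Squid code. http_access rules are tried in order; a
# rule matches only if every ACL named on it matches; the first match decides.
LOCALHOST = ipaddress.ip_network("127.0.0.1/255.255.255.255")
ACLS = {
    # "manager" is assumed to be the usual: acl manager proto cache_object
    "manager": lambda req: req["proto"] == "cache_object",
    "localhost": lambda req: ipaddress.ip_address(req["src"]) in LOCALHOST,
}
RULES = [  # the two http_access lines from the post above
    ("allow", ["manager", "localhost"]),
    ("deny", ["manager"]),
]


def http_access(req, rules=RULES, acls=ACLS):
    for action, names in rules:
        if all(acls[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action
    # Nothing matched: Squid applies the opposite of the last rule's action.
    return "allow" if rules[-1][0] == "deny" else "deny"


def manager_request(browser_ip, cgi_host_ip, web_allow, password, secret):
    """Apply the three checks in the order a cachemgr.cgi request meets them."""
    # 1. The web server decides who may call cachemgr.cgi (web_allow is a
    #    hypothetical allow list standing in for the web server's own ACLs).
    client = ipaddress.ip_address(browser_ip)
    if not any(client in ipaddress.ip_network(net) for net in web_allow):
        return "denied by web server"
    # 2. Squid sees the host running cachemgr.cgi as the source, never the
    #    browser, so its manager ACLs only limit where the CGI may run.
    if http_access({"proto": "cache_object", "src": cgi_host_ip}) != "allow":
        return "denied by squid http_access"
    # 3. The cachemgr_passwd secret from squid.conf.
    if not hmac.compare_digest(password.encode(), secret.encode()):
        return "denied by cachemgr_passwd"
    return "allowed"


if __name__ == "__main__":
    # Constructed addresses: a remote browser, CGI on the Squid box itself.
    print(manager_request("192.0.2.50", "127.0.0.1", ["0.0.0.0/0"], "pw", "pw"))
```

With an unrestricted web server and the CGI on the Squid host, the remote browser gets through on the password alone, which is the behaviour reported in the post; narrowing `web_allow` is the only check in this chain that looks at the browser's address.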
Re: [squid-users] Cache Manager denied access
--- Neil Loffhagen <[EMAIL PROTECTED]> wrote:
> Hi,
>
> We have Squid running successfully, but are having trouble getting
> access to the cache manager, to see what's happening. Squid is running
> on one box and Apache2 on another box. When we type in the IP address
> of the Squid box to access the cache on it we keep getting:
>
> The following error was encountered:
>
> * Access Denied.
>
> Access control configuration prevents your request from being
> allowed at this time. Please contact your service
> Apache2 server is 10.182.64.123. The Squid IP is 10.182.65.226. We are
> using port 3128 for Squid and apache2. Could that be the problem?

If you are running apache 3128 in another machine then it will not be a problem. And you can not run apache + squid in same port on same machine.

> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl cachemgr src 10.182.64.123/255.255.255.255
> http_access allow manager localhost
> http_access allow manager cachemgr
> http_access deny manager

Seems acl and http_access rules are fine. Did you reconfigure your squid?

./squid -k reconfigure

for reading configuration changes.

==
Best Regards,
Squid Runner Support
squidrunner_dev at yahoo dot com
Web: http://geocities.com/squidrunner_dev/
Support: runnersupport at gmail dot com
SquidRunner - An Automatic Squid Builder
==
[squid-users] Cache Manager denied access
Hi,

We have Squid running successfully, but are having trouble getting access to the cache manager, to see what's happening. Squid is running on one box and Apache2 on another box. When we type in the IP address of the Squid box to access the cache on it we keep getting:

The following error was encountered:

* Access Denied.

Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

Have read various web pages and the Squid book to try and sort this, but whatever changes we make in the squid.conf file nothing works. Have copied the relevant parts of the squid.conf file. The IP address of the Apache2 server is 10.182.64.123. The Squid IP is 10.182.65.226. We are using port 3128 for Squid and apache2. Could that be the problem?

So the question is what am I missing in the acl or http_access lines? Any help much appreciated.

Neil.

acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
acl cachemgr src 10.182.64.123/255.255.255.255
acl bbclocal 10.182.0.0/255.255.0.0
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access allow manager cachemgr
http_access deny manager
http_access allow bbclocal
http_access deny all
http_access deny !Safe_ports
http_access allow CONNECT SSL_ports
acl bbc_networks src 10.182.0.0/16 192.168.0.0/16 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24 192.168.4.0/24 192.168.5.0/24 192.168.6.0/24
http_access allow bbc_networks
http_access deny all
RV: [squid-users] Cache Manager Error: acl: target not allowed
On Mon, 18 Apr 2005, Evelio Martínez wrote:
>
> The module that comes standard with Debian Woody
>
> *** Opc web squid-cgi2.4.6-2wood 2.4.6-2wood Squid cache manager CGI program
>
> The distribution comes with this structure:
> /.
> /etc
> /etc/squid
> /etc/squid/cachemgr.conf
> /usr
> /usr/lib
> /usr/lib/cgi-bin
> /usr/lib/cgi-bin/cachemgr.cgi
> /usr/share
> /usr/share/doc
> /usr/share/doc/squid-cgi
> /usr/share/doc/squid-cgi/README.cachemgr.gz
> /usr/share/doc/squid-cgi/changelog.gz
> /usr/share/doc/squid-cgi/changelog.Debian.gz
> /usr/share/doc/squid-cgi/copyright
> /usr/share/doc/squid-cgi/cachemgrfaq.html
> /usr/share/doc/squid-cgi/examples
> /usr/share/doc/squid-cgi/examples/cachemgr.html
> /usr/share/man
> /usr/share/man/man8
> /usr/share/man/man8/squid-cgi.8.gz
>
> I have found that the file /etc/squid/cachemgr.conf did not exist.
> I have purged and reinstalled and now I have another problem.
>
> Now I have a "Denied Access to Cache Manager"
>
> -Original Message-
> From: Henrik Nordstrom [mailto:[EMAIL PROTECTED]
> Sent: Sunday, 17 April 2005 20:41
> To: Evelio Martínez
> CC: squid-users@squid-cache.org
> Subject: Re: [squid-users] Cache Manager Error: acl: target not allowed
>
> On Wed, 13 Apr 2005, Evelio Martínez wrote:
>
>> When I try to access the cache object I have this message:
>>
>> Cache Manager Error
>> acl: target not allowed
>
> Looks to me as if your cachemgr.cgi is a patched version with some
> form of access controls built into the CGI.
>
> What version of Squid is this cachemgr.cgi from, and what patches have
> been applied?
>
> Regards
> Henrik
>
Re: [squid-users] Cache Manager Error: acl: target not allowed
On Wed, 13 Apr 2005, Evelio Martínez wrote:

> When I try to access the cache object I have this message:
>
> Cache Manager Error
> acl: target not allowed

Looks to me as if your cachemgr.cgi is a patched version with some form of access controls built into the CGI.

What version of Squid is this cachemgr.cgi from, and what patches have been applied?

Regards
Henrik
Re: [squid-users] Cache Manager Error: acl: target not allowed
> Cache Manager Error
> acl: target not allowed
>
> acl centauri src "ip_webserver/netmask"
> http_access allow manager centauri

It seems your problem is related with this acl and http_access. Try to put without quotes in centauri acl.

Best Regards,
Squid Runner Team
SquidRunner - An Automatic Squid Builder
Web: http://freshmeat.net/projects/squidrunner/
Mail: squidrunner_dev at yahoo dot com
RE: [squid-users] Cache Manager Error: acl: target not allowed
> Hello!
>
> When I try to access the cache object I have this message:
>
> Cache Manager Error
> acl: target not allowed
>
> Although the message is pretty clear, I think the squid.conf is ok.
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl centauri src "ip_webserver/netmask"
> http_access allow manager localhost
> http_access allow manager centauri
> http_access deny manager !localhost !centauri
> http_access deny manager
>
> The webserver and squid are in the same machine
>
> Thanks in advance

Could you try removing this line :

http_access deny manager !localhost !centauri

That is implicitly included in your last line.

M.
[squid-users] Cache Manager Error: acl: target not allowed
Hello!

When I try to access the cache object I have this message:

Cache Manager Error
acl: target not allowed

Although the message is pretty clear, I think the squid.conf is ok.

acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl centauri src "ip_webserver/netmask"
http_access allow manager localhost
http_access allow manager centauri
http_access deny manager !localhost !centauri
http_access deny manager

The webserver and squid are in the same machine

Thanks in advance
Evelio
RE: [squid-users] cache manager
> Dear All,
> I'm trying to view my cachemgr.cgi on my squid box but it's not working,
> I have installed the apache server on my linux box and now I can access to
> the cachemgr.cgi page,
> it's asking me for the server name and cache port, then cache manager and
> password, I don't know what kind of username and password I have to put
> there, plus, I don't know if I have to tune any permission to allow it work.
> your help will be highly appreciated
> Thnx
> Alex
>

- cachemgr's auth. settings must be specified in squid.conf

Check squid.conf.default (look for cachemgr) : read all relevant comments.

M.
[squid-users] cache manager
Dear All,

I'm trying to view my cachemgr.cgi on my squid box but it's not working, I have installed the apache server on my linux box and now I can access to the cachemgr.cgi page, it's asking me for the server name and cache port, then cache manager and password, I don't know what kind of username and password I have to put there, plus, I don't know if I have to tune any permission to allow it work.

your help will be highly appreciated

Thnx
Alex
Re: [squid-users] Cache Manager Woes
On Tuesday 15 July 2003 20.51, Mark Pelkoski wrote:

> Sorry, you are not currently allowed to request:
> cache_object://localhost/
> from this cache until you have authenticated yourself.
>
>
> Here are the applicable lines from my squid.conf:
>
> acl manager proto cache_object
> http_access allow manager all
> snmp_access deny all #for T-shooting purposes#
>
> Any clues?

Where is this located in relation to your other http_access rules?

See also Squid FAQ 10.9 I set up my access controls, but they don't work! why?
<http://www.squid-cache.org/Doc/FAQ/FAQ-10.html#ss10.9>

Regards
Henrik

--
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org

If you need commercial Squid support or cost effective Squid or firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, [EMAIL PROTECTED]
[squid-users] Cache Manager Woes
List,

I am having difficulty getting to my Cache Manager. When cachemgr.cgi is executed, I submit the port 8080, which is the port my squid is running on, and no user or password, and I receive this screen:

ERROR
Cache Access Denied

While trying to retrieve the URL: cache_object://localhost/

The following error was encountered:

* Cache Access Denied.

Sorry, you are not currently allowed to request:
cache_object://localhost/
from this cache until you have authenticated yourself.

Here are the applicable lines from my squid.conf:

acl manager proto cache_object
http_access allow manager all
snmp_access deny all #for T-shooting purposes#

Any clues?

TIA
-Mark