Re: [squid-users] can't access cachemgr

2012-05-27 Thread Amos Jeffries

On 24/05/2012 6:45 a.m., Jeff MacDonald wrote:

Hi,

I can't put the access rules above the acl definition if that was what you 
meant. but in case that isn't what you meant.. i did re-order it a bit and this 
is what i have now.. still no access.

FYI, i'm trying to access it using the cache manager cgi which runs on the same 
server


If you have a current squid (3.1 series) localhost is also using the 
IP address ::1. This may need adding to your ACL definition.


For your current problem though see below ...



root@proxy:~# !gre
grep -e ^acl -e ^http_acc /etc/squid3/squid.conf
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl westhants proxy_auth REQUIRED
acl westhants-network src 192.168.11.0/24
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT


In general you can consider squid.conf somewhat of a script programming 
Squid what to do with a request.


As such, when needing to check whether an HTTP request is allowed to be 
processed by Squid it does the following...




http_access allow westhants

Step 1)
 1a) test westhants ACL.
 1b) send 407 message to locate client credentials.

Step 2) - there is no 2, see 1b for why.



http_access allow localhost
http_access allow westhants-network
http_access allow manager localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all



Consider the logic of:

 deny A
 deny B
 deny everything

Why bother denying A and B individually if everything is denied anyway?

There is also a disconnection between your westhants authentication 
test and the westhants network IPs.


Simply put IMHO your ACLs should be configured as:

  http_access allow manager localhost
  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports
  http_access allow localhost
  http_access allow westhants-network westhants
  http_access deny all


If you want particulars about why, I'm happy to provide them. But it should 
be clear if you understand that Squid tests http_access lines top-down, 
left-to-right, on a first-line-to-match-wins basis. Lines where one ACL 
does not match skip to the next immediately.


Amos
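
The evaluation order described above, as an added example that is not part of the original post: a simplified Python model of first-match http_access processing, run over the two rule orders from this thread (the last allow line uses the ACL name westhants as defined in the configuration). The request dictionaries, port 3128 on the cache manager request, and treating a missing "user" as "no credentials yet" are assumptions made for the illustration.

```python
import ipaddress

def src(*nets):  # build a 'src' ACL test from CIDR strings
    nets = [ipaddress.ip_network(n) for n in nets]
    return lambda req: any(ipaddress.ip_address(req["src"]) in n for n in nets)

SAFE = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
# ACLs from the thread. A test returns True/False, or None when proxy_auth has
# no credentials to check, which makes Squid answer 407 to ask for them.
ACLS = {
    "manager": lambda r: r["proto"] == "cache_object",
    "localhost": src("127.0.0.1/32"),
    "westhants-network": src("192.168.11.0/24"),
    "westhants": lambda r: True if r.get("user") else None,
    "Safe_ports": lambda r: r["port"] in SAFE,
    "SSL_ports": lambda r: r["port"] == 443,
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "all": lambda r: True,
}
ORIGINAL = """http_access allow westhants
http_access allow localhost
http_access allow westhants-network
http_access allow manager localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all""".splitlines()
SUGGESTED = """http_access allow manager localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow westhants-network westhants
http_access deny all""".splitlines()

def evaluate(rules, req):  # top-down, left-to-right, first matching line wins
    for line in rules:
        action, *names = line.split()[1:]
        for name in names:
            result = ACLS[name.lstrip("!")](req)
            if result is None:      # proxy_auth without credentials
                return "407"
            if result == name.startswith("!"):
                break               # one ACL failed: skip to the next line
        else:
            return action
    return "deny"  # not reached here: both lists end in "deny all"

# Constructed sample requests (port 3128 for cache_object is an assumption).
MGR_V4 = {"src": "127.0.0.1", "proto": "cache_object", "method": "GET", "port": 3128}
MGR_V6 = dict(MGR_V4, src="::1")
LAN = {"src": "192.168.11.20", "proto": "http", "method": "GET", "port": 80}
```

With the original order the manager request from 127.0.0.1 returns "407"; with the suggested order it returns "allow", while the same request from ::1 returns "deny" because the localhost ACL lists only 127.0.0.1/32.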


Re: [squid-users] can't access cachemgr

2012-05-23 Thread Jeff MacDonald
Hi,

I can't put the access rules above the acl definition if that was what you 
meant. but in case that isn't what you meant.. i did re-order it a bit and this 
is what i have now.. still no access.

FYI, i'm trying to access it using the cache manager cgi which runs on the same 
server

root@proxy:~# !gre
grep -e ^acl -e ^http_acc /etc/squid3/squid.conf
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl westhants proxy_auth REQUIRED
acl westhants-network src 192.168.11.0/24
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow westhants
http_access allow localhost
http_access allow westhants-network
http_access allow manager localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all

--
Jeff MacDonald
j...@terida.com
902 880 7375

On 2012-05-02, at 12:28 PM, Eliezer Croitoru wrote:

 On 02/05/2012 17:37, Jeff MacDonald wrote:
 Hi,
 
 I've seen this similar issue for a lot of people around the web, and have 
 tried my best to debug my access rules.
 
 The error message I get is :
 
 1335968823.335  8 127.0.0.1 TCP_DENIED/407 2201 GET 
 cache_object://localhost/ j...@bignose.ca NONE/- text/html
 
 I'm pretty sure I'm missing something minuscule, but need help finding it.
 
 Here are my access rules in my squid.conf
 
 try to move the access rules of the manager to the top and move down the auth 
 access rule
 
 http_access allow manager localhost
 http_access allow manager example
 http_access allow westhants
 
 by the way how are you trying to access  the cache_object?
 using squidclient ?
 i'm using the basic config files on opensuse 12.1 with squid 3.1.16 and it 
 seems to work like that.
 sample :
 squidclient  cache_object://localhost/client_list
 
 Eliezer
 
 
 root@proxy:/etc/squid3# grep -e ^acl -e ^http_acc /etc/squid3/squid.conf
 acl manager proto cache_object
 acl localhost src 127.0.0.1/32
 acl example src 192.168.11.16/32
 acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
 acl westhants proxy_auth REQUIRED
 http_access allow westhants
 http_access allow manager localhost
 http_access allow manager example
 http_access deny all
 acl westhants-network src 192.168.11.0/24
 acl SSL_ports port 443
 acl Safe_ports port 80  # http
 acl Safe_ports port 21  # ftp
 acl Safe_ports port 443 # https
 acl Safe_ports port 70  # gopher
 acl Safe_ports port 210 # wais
 acl Safe_ports port 1025-65535  # unregistered ports
 acl Safe_ports port 280 # http-mgmt
 acl Safe_ports port 488 # gss-http
 acl Safe_ports port 591 # filemaker
 acl Safe_ports port 777 # multiling http
 acl CONNECT method CONNECT
 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports
 http_access allow localhost
 http_access allow westhants-network
 http_access deny all
 
 Thanks!
 
 --
 Jeff MacDonald
 j...@terida.com
 902 880 7375
 
 
 
 -- 
 Eliezer Croitoru
 https://www1.ngtech.co.il
 IT consulting for Nonprofit organizations
 eliezer at ngtech.co.il



[squid-users] can't access cachemgr

2012-05-02 Thread Jeff MacDonald
Hi,

I've seen this similar issue for a lot of people around the web, and have tried 
my best to debug my access rules.

The error message I get is :

1335968823.335  8 127.0.0.1 TCP_DENIED/407 2201 GET 
cache_object://localhost/ j...@bignose.ca NONE/- text/html

I'm pretty sure I'm missing something minuscule, but need help finding it.

Here are my access rules in my squid.conf

root@proxy:/etc/squid3# grep -e ^acl -e ^http_acc /etc/squid3/squid.conf
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl example src 192.168.11.16/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl westhants proxy_auth REQUIRED
http_access allow westhants
http_access allow manager localhost
http_access allow manager example
http_access deny all
acl westhants-network src 192.168.11.0/24
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow westhants-network
http_access deny all

Thanks!

--
Jeff MacDonald
j...@terida.com
902 880 7375



Re: [squid-users] can't access cachemgr

2012-05-02 Thread Eliezer Croitoru

On 02/05/2012 17:37, Jeff MacDonald wrote:

Hi,

I've seen this similar issue for a lot of people around the web, and have tried 
my best to debug my access rules.

The error message I get is :

1335968823.335  8 127.0.0.1 TCP_DENIED/407 2201 GET 
cache_object://localhost/ j...@bignose.ca NONE/- text/html

I'm pretty sure I'm missing something minuscule, but need help finding it.

Here are my access rules in my squid.conf


try to move the access rules of the manager to the top and move down the 
auth access rule


http_access allow manager localhost
http_access allow manager example
http_access allow westhants

by the way how are you trying to access  the cache_object?
using squidclient ?
i'm using the basic config files on opensuse 12.1 with squid 3.1.16 and 
it seems to work like that.

sample :
squidclient  cache_object://localhost/client_list

Eliezer



root@proxy:/etc/squid3# grep -e ^acl -e ^http_acc /etc/squid3/squid.conf
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl example src 192.168.11.16/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl westhants proxy_auth REQUIRED
http_access allow westhants
http_access allow manager localhost
http_access allow manager example
http_access deny all
acl westhants-network src 192.168.11.0/24
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow westhants-network
http_access deny all

Thanks!

--
Jeff MacDonald
j...@terida.com
902 880 7375




--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer at ngtech.co.il


Re: [squid-users] can't access cachemgr

2012-05-02 Thread Amos Jeffries

On 03.05.2012 03:28, Eliezer Croitoru wrote:

On 02/05/2012 17:37, Jeff MacDonald wrote:

Hi,

I've seen this similar issue for a lot of people around the web, and 
have tried my best to debug my access rules.


The error message I get is :

1335968823.335  8 127.0.0.1 TCP_DENIED/407 2201 GET 
cache_object://localhost/ j...@bignose.ca NONE/- text/html


I'm pretty sure I'm missing something minuscule, but need help 
finding it.


Here are my access rules in my squid.conf


try to move the access rules of the manager to the top and move down
the auth access rule

http_access allow manager localhost
http_access allow manager example
http_access allow westhants

by the way how are you trying to access  the cache_object?
using squidclient ?
i'm using the basic config files on opensuse 12.1 with squid 3.1.16
and it seems to work like that.
sample :
squidclient  cache_object://localhost/client_list



squidclient can handle Basic or recently Negotiate/Kerberos 
authentication. See squidclient -h for the command line options.


If you have squid-3.2+, you can use the http:// or https:// cachemgr 
access URI and have any HTTP authentication method the browser supports.


Amos