Re: can't access cachemgr


On 24/05/2012 6:45 a.m., Jeff MacDonald wrote:
Hi,

I can't put the access rules above the acl definition, if that was what you meant. But in case that isn't what you meant, I did re-order it a bit and this is what I have now. Still no access.

FYI, I'm trying to access it using the cache manager cgi which runs on the same server

If you have a current squid (3.1 series) "localhost" is also using the IP address ::1. This may need adding to your ACL definition.

For your current problem though see below ...


root@proxy:~# !gre
grep -e ^acl -e ^http_acc /etc/squid3/squid.conf
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl westhants proxy_auth REQUIRED
acl westhants-network src 192.168.11.0/24
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

In general you can consider squid.conf somewhat of a script programming Squid what to do with a request.

As such, when needing to check whether an HTTP request is allowed to be processed by Squid it does the following...


http_access allow westhants
Step 1)
 1a) test "westhants" ACL.
 1b) send 407 message to locate client credentials.

Step 2) - there is no 2, see 1b for why.


http_access allow localhost
http_access allow westhants-network
http_access allow manager localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all


Consider the logic of:

 deny A
 deny B
 deny everything

Why bother denying A and B individually if everything is denied anyway?

There is also a disconnection between your westhants authentication test and the westhants network IPs.

Simply put IMHO your ACLs should be configured as:

  http_access allow manager localhost
  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports
  http_access allow localhost
  http_access allow westhants-network westhants
  http_access deny all


If you want particulars about why, I'm happy to provide them. But it should be clear if you understand that Squid tests http_access lines top-down, left-to-right, on a first-line-to-match-wins basis. Lines where one ACL does not match skip to the next immediately.

Amos
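
The evaluation order described in this reply, as an added Python sketch that is not part of the original message and is not Squid code: it walks both http_access orderings from the thread for a cache manager request and shows where the 407 comes from. The request dicts, the port 3128 and the rule that any non-empty user counts as valid credentials are assumptions made for the example.

```python
import ipaddress

ORIGINAL = """http_access allow westhants
http_access allow localhost
http_access allow westhants-network
http_access allow manager localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all""".splitlines()

FIXED = """http_access allow manager localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow westhants-network westhants
http_access deny all""".splitlines()

SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777} | set(range(1025, 65536))
AUTH_ACLS = {"westhants"}  # acl westhants proxy_auth REQUIRED

def src_in(*cidrs):
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda r: any(ipaddress.ip_address(r["src"]) in n for n in nets)

def make_acls(localhost=("127.0.0.1/32",)):
    return {
        "manager": lambda r: r["proto"] == "cache_object",
        "localhost": src_in(*localhost),
        "westhants": lambda r: bool(r.get("user")),  # assumption: any user is valid
        "westhants-network": src_in("192.168.11.0/24"),
        "SSL_ports": lambda r: r["port"] == 443,
        "Safe_ports": lambda r: r["port"] in SAFE_PORTS,
        "CONNECT": lambda r: r["method"] == "CONNECT",
        "all": lambda r: True,
    }

def evaluate(rules, acls, req):
    for line in rules:                       # top-down
        _, action, *names = line.split()
        for name in names:                   # left-to-right
            negate, name = name.startswith("!"), name.lstrip("!")
            if name in AUTH_ACLS and not req.get("user"):
                return "407", line           # no credentials: challenge, stop here
            if acls[name](req) == negate:
                break                        # one ACL fails: skip to the next line
        else:
            return action.upper(), line      # every ACL matched: first match wins
    return "DENY", "(no line matched)"       # not reached: both sets end in "deny all"

# Constructed request: cachemgr.cgi on the proxy itself, no proxy credentials.
CACHEMGR = {"proto": "cache_object", "src": "127.0.0.1", "method": "GET", "port": 3128}
```

Calling `evaluate(FIXED, make_acls(), dict(CACHEMGR, src="::1"))` shows the IPv6 point made earlier in the reply: the request is denied until `::1/128` is passed to `make_acls` as a second localhost address.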

