Sean SPALDING wrote:
> Hi all,
>
> I'm a squid newbie and struggling with getting Cache Manager working. I keep getting:
>
> "Access Denied.
> Access control configuration prevents your request from being allowed at this time."
>
> What am I missing?
>
> Here's our squid.conf:
>
>
> emulate_httpd_log on
Please instead use:
access_log /var/log/squid/access.log common
>
> cache_dir ufs /squid_cache/squid 2048 16 256
> cache_mem 1024 MB
>
> access_log /var/log/squid/access.log
>
> strip_query_terms off
> read_ahead_gap 128 Kb
>
> collapsed_forwarding on
> refresh_stale_hit 30 seconds
>
> retry_on_error on
>
> maximum_object_size_in_memory 1 MB
>
> acl manager proto cache_object
>
> acl all src 0.0.0.0/0.0.0.0
acl all src all
> acl purgehosts src 127.0.0.1/255.255.255.255
Please just leave this called "localhost".
Both the IP and the name have special meaning in networking and are
referenced by the name "localhost" in some default Squid settings.
> acl wcmshosts src 10.1.122.131-10.1.122.135/32
No need for the /32 there.
>
> acl QUERY urlpath_regex /cgi-bin /_edit /_admin /_nocache /__lib /__fudge /_login
> acl PURGE method PURGE
> acl POST method POST
> acl CONNECT method CONNECT
>
> no_cache deny QUERY
> no_cache deny POST
cache deny QUERY
cache deny POST
>
> http_access deny manager !purgehosts
The one above prevents non-localhost machines doing manager.
i.e. all the wcmshosts machines are blocked.
> http_access deny manager !wcmshosts
The one above prevents non-wcmshosts machines doing manager.
i.e. the purgehosts / localhost machine is blocked.
... leaving exactly zero machines able to do manager requests.
Use this instead:
http_access deny manager !purgehosts !wcmshosts
http_access allow manager
>
> http_access allow CONNECT purgehosts
> http_access allow CONNECT wcmshosts
missing a "http_access deny CONNECT" here?
> http_access allow PURGE purgehosts
> http_access allow PURGE wcmshosts
> http_access deny PURGE
> http_access allow all
I _really_ hope this was only for testing.
>
> http_port 3128
> http_port 10.1.122.131:80 vhost
> http_port 10.1.122.131:8443 vhost
> cache_peer 127.0.0.1 parent 80 0 originserver no-query no-digest default
>
> redirect_rewrites_host_header off
>
> read_ahead_gap 128 Kb
>
> shutdown_lifetime 5 seconds
>
> cachemgr_passwd XXXXXXXX all
>
Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
  Current Beta Squid 3.1.0.14

Received on Fri Nov 13 2009 - 05:06:02 MST
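The http_access evaluation discussed in the reply above, as an added example that is not part of the original thread: a line matches only when every ACL on it matches, and the first matching line decides. The Python model, the `decide` and `manager_access` helpers and the 192.0.2.10 client are constructed for illustration; the ACLs and rules are the ones quoted in the message.

```python
import ipaddress

def _in_range(ip, lo, hi):
    addr = ipaddress.ip_address
    return addr(lo) <= addr(ip) <= addr(hi)

# ACL definitions taken from the quoted squid.conf, modelled as predicates.
ACLS = {
    "manager": lambda r: r["proto"] == "cache_object",
    "purgehosts": lambda r: r["src"] == "127.0.0.1",
    "wcmshosts": lambda r: _in_range(r["src"], "10.1.122.131", "10.1.122.135"),
}

ORIGINAL = """
http_access deny manager !purgehosts
http_access deny manager !wcmshosts
"""

SUGGESTED = """
http_access deny manager !purgehosts !wcmshosts
http_access allow manager
"""

def decide(rules, request):
    """Return 'allow' or 'deny' for one request; the first matching line wins."""
    last = "allow"  # with no http_access lines the result is deny (flipped below)
    for line in rules.strip().splitlines():
        directive, action, *names = line.split()
        if directive != "http_access" or action not in ("allow", "deny"):
            raise ValueError(f"unsupported line: {line}")
        # A line matches only if EVERY ACL on it matches; '!' negates one ACL.
        if all(ACLS[n.lstrip("!")](request) != n.startswith("!") for n in names):
            return action
        last = action
    # Nothing matched: Squid applies the opposite of the last line's action.
    return "deny" if last == "allow" else "allow"

def manager_access(rules):
    """Evaluate a cache manager request from three constructed client addresses."""
    clients = ["127.0.0.1", "10.1.122.132", "192.0.2.10"]  # last one is an outsider
    return {c: decide(rules, {"proto": "cache_object", "src": c}) for c in clients}

if __name__ == "__main__":
    print("original :", manager_access(ORIGINAL))
    print("suggested:", manager_access(SUGGESTED))
```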