Need help with cachemgr.cgi (Squid server)

Can anybody please help me with the configuration of cachemgr.cgi on Squid server (6.6)?

  1. I cannot figure out how to password protect this module. When I add a password to squid.conf like this:

cachemgr_passwd password all

I’m able to access the initial index page (from outside the server through Webmin interface), but all the other pages generate an error.

On the other hand, if I remove the password completely (by commenting out the above line), I’m able to access both the index and the inner pages (those available without a password by default).

  2. Moreover, if I get it right, I shouldn’t be able to connect to the Cache Manager from the outside, because I have the rules in my Squid conf file in the following order:
http_access deny !Safe_ports
http_access allow localhost manager
http_access deny manager
http_access deny !auth
http_access allow localhost
http_access deny to_localhost
http_access deny to_linklocal
http_access allow all_ips
http_access deny all

But I can.

Ubuntu 24.04.1
Webmin 2.202
Squid 6.6
squid-cgi 6.6-1ubuntu5

Here’s the password protected index:

And without the password:

And here’s the whole Squid conf:

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

auth_param basic program /etc/webmin/squid/squid-auth.pl /etc/webmin/squid/users
acl auth proxy_auth REQUIRED
acl all_ips src 0.0.0.0/0 ::/0

http_access deny !Safe_ports
http_access allow localhost manager
http_access deny manager
http_access deny !auth
http_access allow localhost
http_access deny to_localhost
http_access deny to_linklocal

include /etc/squid/conf.d/*.conf

http_access allow all_ips
http_access deny all

http_port 3128

cache_dir ufs /var/spool/squid 100 16 256

access_log daemon:/var/log/squid/access.log squid

coredump_dir /var/spool/squid

refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern .		0	20%	4320

cache_effective_user proxy
cache_effective_group proxy

cachemgr_passwd password all

max_filedescriptors 65535
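
The rule order quoted in the post, modelled as first-match evaluation: Squid applies the first http_access line whose ACLs all match. This is an added example, not part of the original post and not Squid's own code; the ACL predicates are simplified assumptions and the sample requests are constructed.

```python
import ipaddress

SAFE_PORTS = {80, 21, 443, 70, 210, 280, 488, 591, 777}

# Rule order copied from the post; ACLs on one line are ANDed together.
RULES = [
    ("deny", ["!Safe_ports"]),
    ("allow", ["localhost", "manager"]),
    ("deny", ["manager"]),
    ("deny", ["!auth"]),
    ("allow", ["localhost"]),
    ("deny", ["to_localhost"]),
    ("deny", ["to_linklocal"]),
    ("allow", ["all_ips"]),
    ("deny", ["all"]),
]

def acl_matches(name, req):
    """Simplified model of each ACL (assumption, not Squid's implementation)."""
    values = {
        "Safe_ports": req["port"] in SAFE_PORTS or 1025 <= req["port"] <= 65535,
        "localhost": ipaddress.ip_address(req["src"]).is_loopback,
        "manager": req["manager"],        # request targets the cache manager
        "auth": req["authenticated"],     # proxy_auth succeeded
        "to_localhost": req.get("dst_loopback", False),
        "to_linklocal": req.get("dst_linklocal", False),
        "all_ips": True,
        "all": True,
    }
    matched = values[name.lstrip("!")]
    return not matched if name.startswith("!") else matched

def evaluate(req):
    """Return (action, rule number) for the first rule whose ACLs all match."""
    for number, (action, names) in enumerate(RULES, start=1):
        if all(acl_matches(n, req) for n in names):
            return action, number
    return "deny", None  # not reached here: the final "deny all" always matches

# Constructed sample requests (remote address is from a documentation range).
REMOTE_MGR = {"src": "203.0.113.10", "port": 3128, "manager": True, "authenticated": False}
LOCAL_MGR = {"src": "127.0.0.1", "port": 3128, "manager": True, "authenticated": False}
REMOTE_USER = {"src": "203.0.113.10", "port": 443, "manager": False, "authenticated": True}

if __name__ == "__main__":
    for label, req in [("remote manager", REMOTE_MGR),
                       ("loopback manager", LOCAL_MGR),
                       ("remote proxy user", REMOTE_USER)]:
        print(label, evaluate(req))
```

In this model a manager request is allowed only at rule 2, and only when its source address is loopback, which is the case for any program running on the proxy host itself.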

Wow, Squid, a very long time since I used that, the time of dial-up.
I found these docs.

one line that may help and I don’t see on yours is
acl managerAdmin src 192.0.2.1

Not sure how many users on here are still using squid, maybe see if there is a squid forum somewhere.


long before I retired! (does anyone still?) is it even maintained?

In October 2023, it was revealed that Squid continued to suffer from 35 security vulnerabilities which had not been fixed for two and a half years after their initial reporting

I guess not
