EliiO
September 9, 2024, 11:05pm
1
Can anybody please help me with the configuration of cachemgr.cgi on Squid server (6.6)?
I cannot figure out how to password protect this module. When I add a password to squid.conf like this:
cachemgr_passwd password all
I’m able to access the initial index page (from outside the server through Webmin interface), but all the other pages generate an error.
On the other hand, if I remove the password completely (by commenting out the above line), I’m able to access both the index and the inner pages (those available without a password by default).
Moreover, if I get it right, I shouldn’t be able to connect to the Cache Manager from the outside, because I have the rules in my Squid conf file in the following order:
http_access deny !Safe_ports
http_access allow localhost manager
http_access deny manager
http_access deny !auth
http_access allow localhost
http_access deny to_localhost
http_access deny to_linklocal
http_access allow all_ips
http_access deny all
But I can.
Ubuntu 24.04.1
Webmin 2.202
Squid 6.6
squid-cgi 6.6-1ubuntu5
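An added example, not part of the original post and not Squid's code: a simplified Python model of Squid's first-match `http_access` evaluation over the rule list quoted above. The ACL definitions are assumed stand-ins for the real ones, the addresses are constructed, and it assumes that cachemgr.cgi, being a CGI run on the proxy host, connects to Squid from 127.0.0.1, so the browser's address is never what the `manager` rules see.

```python
import ipaddress
from dataclasses import dataclass

# http_access lines exactly as quoted in the post, in the same order.
RULES = """
http_access deny !Safe_ports
http_access allow localhost manager
http_access deny manager
http_access deny !auth
http_access allow localhost
http_access deny to_localhost
http_access deny to_linklocal
http_access allow all_ips
http_access deny all
"""

@dataclass
class Request:
    src: str                    # client address as Squid sees it
    port: int                   # port in the requested URL
    dst: str = "203.0.113.10"   # constructed destination address
    manager: bool = False       # True for a cache manager request
    authed: bool = False        # True once proxy_auth has succeeded

def in_nets(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)

# Assumed stand-ins for the ACLs (simplified, not Squid's own definitions).
ACLS = {
    "Safe_ports": lambda r: r.port in (80, 21, 443, 70, 210, 280, 488, 591, 777)
    or 1025 <= r.port <= 65535,
    "localhost": lambda r: in_nets(r.src, ["127.0.0.1/32", "::1/128"]),
    "manager": lambda r: r.manager,
    "auth": lambda r: r.authed,
    "to_localhost": lambda r: in_nets(r.dst, ["127.0.0.0/8", "::1/128"]),
    "to_linklocal": lambda r: in_nets(r.dst, ["169.254.0.0/16", "fe80::/10"]),
    "all_ips": lambda r: True,
    "all": lambda r: True,
}

def decide(req):
    """Return (action, rule) for the first line whose ACLs all match (AND)."""
    for line in RULES.strip().splitlines():
        _, action, *names = line.split()
        # "!name" matches when the ACL does not match.
        if all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action, line
    return "deny", "(no rule matched)"  # not reached: "deny all" always matches
```

A manager request arriving from 127.0.0.1 stops at `allow localhost manager`, while the same request from any other source address stops at `deny manager`.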
EliiO
September 9, 2024, 11:09pm
2
Here’s the password protected index:
EliiO
September 9, 2024, 11:10pm
3
And without the password:
EliiO
September 9, 2024, 11:12pm
4
And here’s the whole Squid conf:
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
auth_param basic program /etc/webmin/squid/squid-auth.pl /etc/webmin/squid/users
acl auth proxy_auth REQUIRED
acl all_ips src 0.0.0.0/0 ::/0
http_access deny !Safe_ports
http_access allow localhost manager
http_access deny manager
http_access deny !auth
http_access allow localhost
http_access deny to_localhost
http_access deny to_linklocal
include /etc/squid/conf.d/*.conf
http_access allow all_ips
http_access deny all
http_port 3128
cache_dir ufs /var/spool/squid 100 16 256
access_log daemon:/var/log/squid/access.log squid
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern . 0 20% 4320
cache_effective_user proxy
cache_effective_group proxy
cachemgr_passwd password all
max_filedescriptors 65535
Wow, Squid, a very long time since I used that, the time of dial-up.
I found these docs.
One line that may help and that I don’t see in yours is
acl managerAdmin src 192.0.2.1
Not sure how many users on here are still using squid, maybe see if there is a squid forum somewhere.
Stegan
September 10, 2024, 7:26am
6
long before I retired! (does anyone still?) is it even maintained?
jimr1
September 10, 2024, 7:45am
7
Stegan:
is it even maintained?
In October 2023, it was revealed that Squid continued to suffer from
35 security vulnerabilities which had not been fixed for two and a half
years after their initial reporting
I guess not