Contributed by Jonathan Larmour <JLarmour@origin-at.co.uk>
The cache manager (cachemgr.cgi) is a CGI utility for displaying statistics about the squid process as it runs. The cache manager is a convenient way to manage the cache and view statistics without logging into the server.
That depends on which web server you're using. Below you will find instructions for configuring the CERN and Apache servers to permit cachemgr.cgi usage.
EDITOR'S NOTE: readers are encouraged to submit instructions for configuration of cachemgr.cgi on other web server platforms, such as Netscape.
After you edit the server configuration files, you will probably need to either restart your web server or send it a SIGHUP signal to tell it to re-read its configuration files.
When you're done configuring your web server, you'll connect to the cache manager with a web browser, using a URL such as:
http://www.example.com/Squid/cgi-bin/cachemgr.cgi/
First, you should ensure that only specified workstations can access the cache manager. That is done in your CERN httpd.conf, not in squid.conf.
    Protection MGR-PROT {
        Mask    @(workstation.example.com)
    }
Wildcards are acceptable, IP addresses are acceptable, and others can be added with a comma-separated list of IP addresses. There are many other protection methods; your server documentation has details.
You also need to add:
    Protect    /Squid/*                MGR-PROT
    Exec       /Squid/cgi-bin/*.cgi    /usr/local/squid/bin/*.cgi

This marks the script as executable to those in MGR-PROT.
First, make sure the cgi-bin directory you're using is listed with a ScriptAlias in your Apache srm.conf file like this:
    ScriptAlias /Squid/cgi-bin/ /usr/local/squid/cgi-bin/

It's probably a bad idea to ScriptAlias the entire /usr/local/squid/bin/ directory where all the Squid executables live.
Next, you should ensure that only specified workstations can access the cache manager. That is done in your Apache access.conf, not in squid.conf. At the bottom of the access.conf file, insert:
    <Location /Squid/cgi-bin/cachemgr.cgi>
    order deny,allow
    deny from all
    allow from workstation.example.com
    </Location>
You can have more than one allow line, and you can allow domains or networks.
Alternately, cachemgr.cgi can be password-protected. You'd add the following to access.conf:
    <Location /Squid/cgi-bin/cachemgr.cgi>
    AuthUserFile /path/to/password/file
    AuthGroupFile /dev/null
    AuthName "User/Password Required"
    AuthType Basic
    <Limit GET>
    require user cachemanager
    </Limit>
    </Location>
Consult the Apache documentation for information on using htpasswd to set a password for this "user."
The default cache manager access configuration in squid.conf is:
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl all src 0.0.0.0/0.0.0.0
With the following rules:
    http_access deny manager !localhost
    http_access allow all
The first ACL is the most important as the cache manager program interrogates squid using a special cache_object protocol.
Try it yourself by doing:
    telnet mycache.example.com 3128
    GET cache_object://mycache.example.com/info HTTP/1.0
The default ACLs say that if the request is for a cache_object, and it isn't the local host, then deny access; otherwise allow access.
In fact, only allowing localhost access means that on the initial cachemgr.cgi form you can only specify the cache host as localhost. We recommend the following:
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl example src 123.123.123.123/255.255.255.255
    acl all src 0.0.0.0/0.0.0.0
Where 123.123.123.123 is the IP address of your web server.
Then modify the rules like this:
    http_access deny manager !localhost !example
    http_access allow all
The default ACLs assume that your web server is on the same machine as squid. Remember that the connection from the cache manager program to squid originates at the web server, not the browser. So if your web server lives somewhere else, you should make sure that the IP address of the web server that has cachemgr.cgi installed on it is in the example ACL above.
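The rule evaluation described above, as an added example (not part of the original FAQ and not Squid's own code): a minimal Python model in which the ACLs on one http_access line are ANDed and lines are tried in order. It goes slightly beyond the page by also evaluating a constructed variant, SPLIT, where the same conditions are written as two deny lines, which locks out both localhost and the web server; 10.0.0.5 is a constructed client address.

```python
import ipaddress

# ACL definitions copied from the recommended squid.conf above.
ACLS = """
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl example src 123.123.123.123/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
"""
# The page's recommended rules: one deny line, so all three conditions are ANDed.
RECOMMENDED = ACLS + "http_access deny manager !localhost !example\nhttp_access allow all\n"
# Constructed mistake: the same conditions split across two deny lines.
SPLIT = ACLS + ("http_access deny manager !localhost\n"
                "http_access deny manager !example\nhttp_access allow all\n")

def parse(conf):
    """Parse only the acl (proto, src) and http_access lines used on this page."""
    acls, rules = {}, []
    for tok in (line.split() for line in conf.splitlines()):
        if tok[:1] == ["acl"]:
            acls[tok[1]] = (tok[2], tok[3])
        elif tok[:1] == ["http_access"]:
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(acls, name, proto, src):
    kind, value = acls[name]
    if kind == "proto":
        return proto == value
    if kind == "src":
        return ipaddress.ip_address(src) in ipaddress.ip_network(value)
    raise ValueError("unsupported acl type: " + kind)

def decide(conf, proto, src):
    """Return the action of the first http_access line whose ACLs all match."""
    acls, rules = parse(conf)
    for action, names in rules:
        # A leading '!' negates that one ACL; every ACL on the line must hold.
        if all(acl_matches(acls, n.lstrip("!"), proto, src) != n.startswith("!")
               for n in names):
            return action
    return "deny"  # simplification in this example; both sample configs end in "allow all"

if __name__ == "__main__":
    for src in ("127.0.0.1", "123.123.123.123", "10.0.0.5"):  # 10.0.0.5 is a constructed client
        print(src, decide(RECOMMENDED, "cache_object", src), decide(SPLIT, "cache_object", src))
```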
Always be sure to send a SIGHUP signal to squid any time you change the squid.conf file.
If you "drop" the list box, and browse it, you will see that the password is only required to shut down the cache, and the URL is required to refresh an object (i.e., retrieve it from its original source again). Otherwise these fields can be left blank: a password is not required to obtain access to the informational aspects of cachemgr.cgi.
See the cachemgr_passwd directive in squid.conf.