1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
|
<HTML>
<HEAD>
<TITLE>SQUID Frequently Asked Questions: The Cache Manager</TITLE>
</HEAD>
<BODY>
<HR>
<H2><A NAME="s8">8. The Cache Manager</A></H2>
<P>Contributed by Jonathan Larmour <JLarmour@origin-at.co.uk></P>
<H2><A NAME="ss8.1">8.1 What is the cache manager?</A></H2>
<P>The cache manager (<EM>cachemgr.cgi</EM>) is a CGI utility for
displaying statistics about the <EM>squid</EM> process as it runs.
The cache manager is a convenient way to manage the cache and view
statistics without logging into the server.</P>
<H2><A NAME="ss8.2">8.2 How do you set it up?</A></H2>
<P>That depends on which web server you're using. Below you will
find instructions for configuring the CERN and Apache servers
to permit <EM>cachemgr.cgi</EM> usage.</P>
<P><EM>EDITOR'S NOTE: readers are encouraged to submit instructions
for configuration of cachemgr.cgi on other web server platforms, such
as Netscape.</EM></P>
<P>After you edit the server configuration files, you will probably
need to either restart your web server or or send it a <CODE>SIGHUP</CODE> signal
to tell it to re-read its configuration files.</P>
<P>When you're done configuring your web server, you'll connect to
the cache manager with a web browser, using a URL such as:
<PRE>
http://www.example.com/Squid/cgi-bin/cachemgr.cgi/
</PRE>
</P>
<H2><A NAME="ss8.3">8.3 Cache manager configuration for CERN httpd 3.0</A></H2>
<P>First, you should ensure that only specified workstations can access
the cache manager. That is done in your CERN <EM>httpd.conf</EM>, not in
<EM>squid.conf</EM>.</P>
<P>
<PRE>
Protection MGR-PROT {
Mask @(workstation.example.com)
}
</PRE>
</P>
<P>Wildcards are acceptable, IP addresses are acceptable, and others
can be added with a comma-separated list of IP addresses. There
are many more ways of protection. Your server documentation has
details.</P>
<P>You also need to add:
<PRE>
Protect /Squid/* MGR-PROT
Exec /Squid/cgi-bin/*.cgi /usr/local/squid/bin/*.cgi
</PRE>
This marks the script as executable to those in <CODE>MGR-PROT</CODE>.</P>
<H2><A NAME="ss8.4">8.4 Cache manager configuration for Apache</A></H2>
<P>First, make sure the cgi-bin directory you're using is listed with a
<CODE>ScriptAlias</CODE> in your Apache <EM>srm.conf</EM> file like this:
<PRE>
ScriptAlias /Squid/cgi-bin/ /usr/local/squid/cgi-bin/
</PRE>
It's probably a <B>bad</B> idea to <CODE>ScriptAlias</CODE>
the entire <EM></EM>usr/local/squid/bin/ directory where all the
Squid executables live.</P>
<P>Next, you should ensure that only specified workstations can access
the cache manager. That is done in your Apache <EM>access.conf</EM>,
not in <EM>squid.conf</EM>. At the bottom of <EM>access.conf</EM>
file, insert:
<PRE>
<Location /Squid/cgi-bin/cachemgr.cgi>
order deny,allow
deny from all
allow from workstation.example.com
</Location>
</PRE>
</P>
<P>You can have more than one allow line, and you can allow
domains or networks.</P>
<P>
Alternately, <EM>cachemgr.cgi</EM> can be password-protected. You'd
add the following to <EM>access.conf</EM>:</P>
<P>
<PRE>
<Location /Squid/cgi-bin/cachemgr.cgi>
AuthUserFile /path/to/password/file
AuthGroupFile /dev/null
AuthName User/Password Required
AuthType Basic
<Limit GET>
require user cachemanager
</Location>
</PRE>
</P>
<P>Consult the Apache documentation for information on using <EM>htpasswd</EM>
to set a password for this ``user.''</P>
<H2><A NAME="ss8.5">8.5 Cache manager ACLs in <EM>squid.conf</EM></A></H2>
<P>The default cache manager access configuration in <EM>squid.conf</EM> is:</P>
<P>
<PRE>
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
</PRE>
</P>
<P>With the following rules:</P>
<P>
<PRE>
http_access deny manager !localhost
http_access allow all
</PRE>
</P>
<P>The first ACL is the most important as the cache manager program
interrogates squid using a special <CODE>cache_object</CODE> protocol
Try it yourself by doing:</P>
<P>
<PRE>
telnet mycache.example.com 3128
GET cache_object://mycache.example.com/info HTTP/1.0
</PRE>
</P>
<P>The default ACLs say that if the request is for a
<CODE>cache_object</CODE>, and it isn't the local host, then deny
access; otherwise allow access.</P>
<P>In fact, only allowing localhost access means that on the
initial <EM>cachemgr.cgi</EM> form you can only specify the cache
host as <CODE>localhost</CODE>. We recommend the following:</P>
<P>
<PRE>
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl example src 123.123.123.123/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
</PRE>
</P>
<P>Where <CODE>123.123.123.123</CODE> is the IP address of your web server.
Then modify the rules like this:</P>
<P>
<PRE>
http_access deny manager !localhost !example
http_access allow all
</PRE>
</P>
<P>The default ACLs assume that your web server is on the same machine
as <EM>squid</EM>. Remember that the connection from the cache
manager program to squid originates at the web server, not the
browser. So if your web server lives somewhere else, you should
make sure that IP address of the web server that has <EM>cachemgr.cgi</EM>
installed on it is in the <CODE>example</CODE> ACL above.</P>
<P>Always be sure to send a <CODE>SIGHUP</CODE> signal to <EM>squid</EM>
any time you change the <EM>squid.conf</EM> file.</P>
<H2><A NAME="ss8.6">8.6 Why does it say I need a password and a URL?</A></H2>
<P>If you ``drop'' the list box, and browse it, you will see that the
password is only required to shutdown the cache, and the URL is
required to refresh an object (i.e., retrieve it from its original
source again) Otherwise these fields can be left blank: a password
is not required to obtain access to the informational aspects of
<EM>cachemgr.cgi</EM>.</P>
<H2><A NAME="ss8.7">8.7 I want to shutdown the cache remotely. What's the password?</A></H2>
<P>See the <CODE>cachemgr_passwd</CODE> directive in <EM>squid.conf</EM>.</P>
<HR>
<A HREF="FAQ-7.html">Previous</A>
<A HREF="FAQ-9.html">Next</A>
<A HREF="FAQ.html#toc8">Table of Contents</A>
</BODY>
</HTML>
|
