<HTML>
<HEAD>
<TITLE>SQUID Frequently Asked Questions: The Cache Manager</TITLE>
</HEAD>
<BODY>
<HR>
<H2><A NAME="s8">8. The Cache Manager</A></H2>
<P>Contributed by Jonathan Larmour &lt;JLarmour@origin-at.co.uk&gt;</P>
<H2><A NAME="ss8.1">8.1 What is the cache manager?</A></H2>
<P>The cache manager (<EM>cachemgr.cgi</EM>) is a CGI utility for
displaying statistics about the <EM>squid</EM> process as it runs.
The cache manager is a convenient way to manage the cache and view
statistics without logging into the server.</P>
<H2><A NAME="ss8.2">8.2 How do you set it up?</A></H2>
<P>That depends on which web server you're using. Below you will
find instructions for configuring the CERN and Apache servers
to permit <EM>cachemgr.cgi</EM> usage.</P>
<P><EM>EDITOR'S NOTE: readers are encouraged to submit instructions
for configuration of cachemgr.cgi on other web server platforms, such
as Netscape.</EM></P>
<P>After you edit the server configuration files, you will probably
need to either restart your web server or send it a <CODE>SIGHUP</CODE> signal
to tell it to re-read its configuration files.</P>
<P>When you're done configuring your web server, you'll connect to
the cache manager with a web browser, using a URL such as:
<PRE>
http://www.example.com/Squid/cgi-bin/cachemgr.cgi/
</PRE>
</P>
<H2><A NAME="ss8.3">8.3 Cache manager configuration for CERN httpd 3.0</A></H2>
<P>First, you should ensure that only specified workstations can access
the cache manager. That is done in your CERN <EM>httpd.conf</EM>, not in
<EM>squid.conf</EM>.</P>
<P>
<PRE>
Protection MGR-PROT {
Mask @(workstation.example.com)
}
</PRE>
</P>
<P>Wildcards and IP addresses are acceptable, and additional entries
can be added with a comma-separated list of IP addresses. There
are many other ways to set up protection; your server documentation has
details.</P>
<P>You also need to add:
<PRE>
Protect /Squid/* MGR-PROT
Exec /Squid/cgi-bin/*.cgi /usr/local/squid/bin/*.cgi
</PRE>
This marks the script as executable to those in <CODE>MGR-PROT</CODE>.</P>
<H2><A NAME="ss8.4">8.4 Cache manager configuration for Apache</A></H2>
<P>First, make sure the cgi-bin directory you're using is listed with a
<CODE>ScriptAlias</CODE> in your Apache <EM>srm.conf</EM> file like this:
<PRE>
ScriptAlias /Squid/cgi-bin/ /usr/local/squid/cgi-bin/
</PRE>
It's probably a <B>bad</B> idea to <CODE>ScriptAlias</CODE>
the entire <EM>/usr/local/squid/bin/</EM> directory where all the
Squid executables live.</P>
<P>Next, you should ensure that only specified workstations can access
the cache manager. That is done in your Apache <EM>access.conf</EM>,
not in <EM>squid.conf</EM>. At the bottom of <EM>access.conf</EM>
file, insert:
<PRE>
&lt;Location /Squid/cgi-bin/cachemgr.cgi&gt;
order deny,allow
deny from all
allow from workstation.example.com
&lt;/Location&gt;
</PRE>
</P>
<P>You can have more than one allow line, and you can allow
domains or networks.</P>
<P>
Alternatively, <EM>cachemgr.cgi</EM> can be password-protected. You'd
add the following to <EM>access.conf</EM>:</P>
<P>
<PRE>
&lt;Location /Squid/cgi-bin/cachemgr.cgi&gt;
AuthUserFile /path/to/password/file
AuthGroupFile /dev/null
AuthName User/Password Required
AuthType Basic
&lt;Limit GET&gt;
require user cachemanager
&lt;/Limit&gt;
&lt;/Location&gt;
</PRE>
</P>
<P>Consult the Apache documentation for information on using <EM>htpasswd</EM>
to set a password for this "user."</P>
<H2><A NAME="ss8.5">8.5 Cache manager ACLs in <EM>squid.conf</EM></A></H2>
<P>The default cache manager access configuration in <EM>squid.conf</EM> is:</P>
<P>
<PRE>
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
</PRE>
</P>
<P>With the following rules:</P>
<P>
<PRE>
http_access deny manager !localhost
http_access allow all
</PRE>
</P>
<P>The first ACL is the most important, as the cache manager program
interrogates squid using a special <CODE>cache_object</CODE> protocol.
Try it yourself by doing:</P>
<P>
<PRE>
telnet mycache.example.com 3128
GET cache_object://mycache.example.com/info HTTP/1.0
</PRE>
</P>
<P>The default ACLs say that if the request is for a
<CODE>cache_object</CODE>, and it isn't the local host, then deny
access; otherwise allow access.</P>
<P>In fact, only allowing localhost access means that on the
initial <EM>cachemgr.cgi</EM> form you can only specify the cache
host as <CODE>localhost</CODE>. We recommend the following:</P>
<P>
<PRE>
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl example src 123.123.123.123/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
</PRE>
</P>
<P>Where <CODE>123.123.123.123</CODE> is the IP address of your web server.
Then modify the rules like this:</P>
<P>
<PRE>
http_access deny manager !localhost !example
http_access allow all
</PRE>
</P>
<P>The default ACLs assume that your web server is on the same machine
as <EM>squid</EM>. Remember that the connection from the cache
manager program to squid originates at the web server, not the
browser. So if your web server lives somewhere else, you should
make sure that the IP address of the web server that has <EM>cachemgr.cgi</EM>
installed on it is in the <CODE>example</CODE> ACL above.</P>
<P>Always be sure to send a <CODE>SIGHUP</CODE> signal to <EM>squid</EM>
any time you change the <EM>squid.conf</EM> file.</P>
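<P>The rule evaluation described in this section, as an added example (not part of the original FAQ and not Squid's own code): a small Python model of how <CODE>http_access</CODE> lines are evaluated, covering only the <CODE>proto</CODE> and IPv4 <CODE>src</CODE> ACL types used here. The <CODE>SPLIT_RULES</CODE> variant is a hypothetical misconfiguration constructed for comparison, and the function names are illustrative.</P>

```python
import ipaddress

# Constructed input: the ACL definitions recommended in this section.
ACLS = """
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl example src 123.123.123.123/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
"""
DEFAULT_RULES = "http_access deny manager !localhost\nhttp_access allow all\n"
RECOMMENDED_RULES = "http_access deny manager !localhost !example\nhttp_access allow all\n"
# Hypothetical mistake: one deny line per host locks out both hosts.
SPLIT_RULES = ("http_access deny manager !localhost\n"
               "http_access deny manager !example\nhttp_access allow all\n")

def parse(conf):
    """Collect acl definitions and ordered http_access rules."""
    acls, rules = {}, []
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()
        if words[:1] == ["acl"]:
            acls[words[1]] = (words[2], words[3])
        elif words[:1] == ["http_access"]:
            rules.append((words[1], words[2:]))
    return acls, rules

def acl_matches(acl, proto, src):
    """Evaluate one ACL; only the proto and src types used here are modelled."""
    kind, value = acl
    if kind == "proto":
        return proto == value
    if kind == "src":
        addr, mask = value.split("/")
        m = int(ipaddress.IPv4Address(mask))
        return (int(ipaddress.IPv4Address(src)) & m) == (int(ipaddress.IPv4Address(addr)) & m)
    raise ValueError("unsupported acl type: " + kind)

def decide(rules_text, proto, src):
    """Return 'allow' or 'deny' for a request of this protocol from this source."""
    acls, rules = parse(ACLS + rules_text)
    for action, names in rules:
        # ACLs on one line are ANDed; a leading '!' negates that ACL.
        if all(acl_matches(acls[n.lstrip("!")], proto, src) != n.startswith("!")
               for n in names):
            return action  # the first matching line decides
    # No line matched: Squid applies the opposite of the last line.
    return "deny" if rules[-1][0] == "allow" else "allow"
```

<P>Calling <CODE>decide(RECOMMENDED_RULES, "cache_object", "123.123.123.123")</CODE> returns <CODE>allow</CODE>, while the same request under <CODE>DEFAULT_RULES</CODE> or <CODE>SPLIT_RULES</CODE> returns <CODE>deny</CODE>.</P>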
<H2><A NAME="ss8.6">8.6 Why does it say I need a password and a URL?</A></H2>
<P>If you "drop" the list box and browse it, you will see that the
password is only required to shut down the cache, and the URL is
required to refresh an object (i.e., retrieve it from its original
source again). Otherwise these fields can be left blank: a password
is not required to obtain access to the informational aspects of
<EM>cachemgr.cgi</EM>.</P>
<H2><A NAME="ss8.7">8.7 I want to shutdown the cache remotely. What's the password?</A></H2>
<P>See the <CODE>cachemgr_passwd</CODE> directive in <EM>squid.conf</EM>.</P>
</BODY>
</HTML>