Howto: enabling cachemgr with squid



  • I found out how I can use the cachemgr.cgi with squid:

    In the following howto the hostname of my pfsense is 'pfsense' and the IP is 10.0.0.1 (use your settings here):

    1. set the following link under '/usr/local/www':

    cd /usr/local/www
    ln -s  /usr/local/libexec/squid/cachemgr.cgi cachemgr.cgi

    2. change '/usr/local/etc/squid/cachemgr.conf'

    # This file controls which servers may be managed by
    # the cachemgr.cgi script
    #
    # The file consists of one server per line on the format
    #   hostname:port  description
    #
    # Specifying :port is optional. If not specified then
    # the default proxy port is assumed. :* or :any matches
    # any port on the target server.
    #
    # hostname is matched using shell filename matching, allowing
    # * and other shell wildcards.
    pfsense
    

    3. change /usr/local/pkg/squid.inc

    Setup some default acls

    acl localhost src 127.0.0.1/255.255.255.255 to acl localhost src 10.0.0.1/255.255.255.255
    cachemgr_passwd disable offline_toggle reconfigure shutdown
    cachemgr_passwd none all

    that's it!
    To activate the new settings, go to 'Services/Proxy-Services' and press 'save'; a new squid.conf is written and squid is reconfigured (you can also restart your pfsense ;-) )

    the cachemgr is reached with 'http://pfsense/cachemgr.cgi'

    By the way - to make squid more anonymous, you can also put the following statements into 'squid.inc':

    request_header_access Via deny all
    request_header_access X-Forwarded-For deny all
    request_header_access From deny all
    request_header_access Referer deny all
    request_header_access Server deny all
    request_header_access WWW-Authenticate deny all
    request_header_access Link deny all

    This gives you the following results (checked by http://checker.samair.ru/):

    Proxy checking Report
    
    With your current IP/proxy settings any host can get following info about you:
    
    IP detected: 91.67.81.116
    Country: Click here to find out what country your proxy belongs to
    Resume: You are using high-anonymous (elite) proxy (if you are using proxy).
    Main anonymous proxy test variables (all must be "none")
    HTTP_FORWARDED: (none)
    HTTP_X_FORWARDED_FOR: (none)
    HTTP_CLIENT_IP: (none)
    Additional proxy variables
    HTTP_VIA: (none)
    HTTP_XROXY_CONNECTION: (none)
    HTTP_PROXY_CONNECTION: (none)
    Other interesting info about you
    HTTP_USERAGENT_VIA: (none)
    HTTP_USER_AGENT: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6
    HTTP_ACCEPT_LANGUAGE: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
    REMOTE_HOST: (none)
    HTTP_CONNECTION: keep-alive
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_REFERER: (none)
    HTTP_ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    HTTP_CACHE_CONTROL: max-age=259200
    HTTP_CACHE_INFO: (none)
    Anonymity types
    Anonymous  - HTTP Proxy server does not send HTTP_X_FORWARDED_FOR variable to host, this improves privacy since your IP address can not be logged.
    High-anonymous (elite proxy) - HTTP Servers of this type do not send HTTP_X_FORWARDED_FOR, HTTP_VIA and HTTP_PROXY_CONNECTION variables. Host doesn't even know you are using proxy server an of course it doesn't know your IP address. 
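
The following Python is an added example, not part of the original post and not code from Squid or pfSense. It works out which cache manager actions the two cachemgr_passwd lines in step 3 leave disabled and which need no password. It assumes Squid applies the first cachemgr_passwd line that names the action or `all`; the function names and the sample action list are made up for the illustration.

```python
# Added example: resolve the effective cachemgr_passwd policy per action.
# Assumption: Squid uses the first cachemgr_passwd line that names the
# action (or "all"). An action matched by no line is reported as "unset",
# meaning Squid's built-in default for that action applies.

# The two directives from the post, copied verbatim.
POST_CONF = """\
cachemgr_passwd disable offline_toggle reconfigure shutdown
cachemgr_passwd none all
"""

def parse_rules(conf_text):
    """Return [(password, [actions...])] for each cachemgr_passwd line."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue  # whole-line comment
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "cachemgr_passwd":
            rules.append((fields[1], fields[2:]))
    return rules

def effective_policy(rules, action):
    """Classify one action as 'disabled', 'open', 'password' or 'unset'."""
    for password, actions in rules:
        if action in actions or "all" in actions:
            if password == "disable":
                return "disabled"
            return "open" if password == "none" else "password"
    return "unset"

def audit(conf_text, actions):
    """Map each action name to its effective policy."""
    rules = parse_rules(conf_text)
    return {a: effective_policy(rules, a) for a in actions}

if __name__ == "__main__":
    # A few cache manager action names; the list is not exhaustive.
    sample = ["shutdown", "reconfigure", "offline_toggle",
              "info", "config", "objects"]
    for action, policy in audit(POST_CONF, sample).items():
        note = "  <-- no password; only the manager ACL limits access" \
            if policy == "open" else ""
        print(f"{action:15} {policy}{note}")
```

With `none all` in place, the `acl` line in squid.conf is the only thing limiting who can read the remaining cache manager pages, so the address it admits is worth reviewing together with these two lines.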
    
    


  • Hmm, the first part worked like a champ, I can look through the cache now, but the second part doesn't change my result on that proxy checker: not anonymous. :(

    oh btw I'm running the pfS 2.0 alpha and squid 3



  • Put the statements in front of the delay_pool parms of squid.inc:


    ...
            $conf .= <<<EOD
    ...
    request_header_access Via deny all
    request_header_access X-Forwarded-For deny all
    request_header_access From deny all
    request_header_access Referer deny all
    request_header_access Server deny all
    request_header_access WWW-Authenticate deny all
    request_header_access Link deny all
    ...
    delay_pools 1
    delay_class 1 2
    delay_parameters 1 $overall/$overall $perhost/$perhost
    delay_initial_bucket_level 100

