How to guide for Accessing Squid's cachemgr.cgi over https
-
Squid Proxy comes pre packaged with its own cache manger.
Here is how you can access it over https.
After some research, thank you to @bnangle
One inside of pfSense go to command line and create a linker file and place it inside of
/usr/local/www/lightsquid/
commandln -s /usr/local/libexec/squid/cachemgr.cgi /usr/local/www/lightsquid/cachemgr.cgiSetup some default acls set a password or not
acl localhost src 127.0.0.1/255.255.255.255 to acl localhost src 10.0.0.1/255.255.255.255 cachemgr_passwd disable offline_toggle reconfigure shutdown cachemgr_passwd none allYou must use a password in place of none if you so choose to do so. I recommend you add one. However for testing I had it set to none
access the cachemgr from pfsense under light squid
https://192.168.1.1:7445/cachemgr.cgi
when inside of pfsense click the lightsiquid and adapt the url to access the cache manger.
-
Still make sure you adapt your /usr/local/etc/squid/cachemgr.conf
to include your firewall IP address and hostname
You don't have to change this I can access it with just local. I was very excited to share this
-
PART 2 Password Security and GUI Status page
Now that you have Squids Cache Manager accessible on the GUI, lets make sure it is secure however we have an issue with that mgr:info when Squid is build does not contain a password so if we set one we have to adapt the GUI squid status php file.It is easy.
Step 1
add your password into advanced configcachemgr_passwd disable offline_toggle reconfigure shutdown cachemgr_passwd **PASSWORDHERE!** all
Mine is "redacted"
I also disabled shutdown and reconfigure from the options.Now that it is set you might notice your status page no longer works that is ok its only because it doesn't have the password.
Step 2
Add password to
/usr/local/www/status_squid.phpIt is simple change mgr:info@redacted
after @ you need to be add a password.
Now you have a cache manger access and it is password locked plus you disabled some tools that could limit access if used incorrectly.
Enjoy
-
PART 3 Lightsquid code adaption
Also make sure you add your password here to
/usr/local/www/sqstat/sqstat.php
This file already has a line of code just waiting for your new password to help lock it down.
-
I am missing my photos here too :( Can you help with a couple of these posts the photos are vanishing ..
-
I added the photos again however it was saying invalid path also when i went to add them. I think this fixed it.
-
@JonathanLee I have try the steps, I see the login screen, input my password and get this error.
The following error was encountered while trying to retrieve the URL: http://fw.example.local:3128/squid-internal-mgr/
Access Denied.
Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.
Is like squid blocking the access.
Any ideas?
-
@periko what version of pfSense is this for? I think that the new version of Squid makes it such that cachemgr.cgi no longer works. I have not attempted this inside the new package. If you are running older software like 23.05.01 with Squid 5.8 it works. Sorry.. It did the same for me on pfsense version 24, some code needs adaption for this functionality to work again.
-
@JonathanLee Hi, running Pfsense CE 2.7.2 Squid 6.3.
Make sense what you mention, will be cool to have this feature available.
Thanks @JonathanLee
