New Secure Squid version 6.6 status page issues NAT Questions
-
Hello fellow Netgate community members, can you please help?
I can't access `squidclient -v -h 127.0.0.1 -U username -W redactedpassword mgr:info`

```
Shell Output - squidclient -v -h 127.0.0.1 -U cachemgr -W redacted mgr:info

Request:
GET http://127.0.0.1:3128/squid-internal-mgr/info HTTP/1.0
Host: 127.0.0.1:3128
User-Agent: squidclient/6.6
Accept: */*
Authorization: Basic redacted==
Connection: close
.
HTTP/1.1 403 Forbidden
Server: squid
Mime-Version: 1.0
Date: Thu, 11 Jul 2024 23:35:55 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3792
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
Cache-Status: Lee_Family.home.arpa
Cache-Status: Lee_Family.home.arpa;detail=no-cache
Connection: close
```
It does hit `http://127.0.0.1:3128/squid-internal-mgr/info`
My cachemgr_password functions with https://192.168.1.1:8080/sqstat/sqstat.php
Still accesses `cache_object://localhost/active_requests`. However, I was told cache_object was disabled in Squid 6.6; it is still working.
`http://127.0.0.1:3128/squid-internal-mgr/info` is called with the status page in the cache logs.
I had to add my password. It does not allow my password for squidclient anymore...
I am being asked to make sure my firewall has the following rules for squid
https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
Per Squid user support
"...and check your firewall has all the rules listed at https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect. One to note in particular is the "mangle" table rule."

@jimp You said
"Squid isn't on the "LAN" when it's on pfSense. It won't ever hit your LAN rules.
The rules (especially on 1.2.3) are only evaluated when traffic comes into an interface, not when it leaves. When traffic comes into LAN, it's going to squid on port 3128. When it leaves squid it's going out WAN, and all traffic is allowed out by default from the firewall itself.
On 2.0 you can restrict that with a floating firewall rule on the WAN with the direction set to 'out', but there isn't much reason to do so."
```sh
# your proxy IP
SQUIDIP=192.168.0.2
# your proxy listening port
SQUIDPORT=3129

iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port $SQUIDPORT
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDPORT -j DROP
```
Do we already have this built into pfsense?
What rules do these equate to with NAT?
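As an added example (not from this thread or the Squid project), here is a small audit script that checks an `iptables-save` dump for the four LinuxRedirect rules quoted above, table by table, so a DROP that landed in the wrong table is not mistaken for the mangle rule. The dump it reads is constructed, and SQUIDIP/SQUIDPORT are the values from the post.

```shell
#!/bin/sh
# Audit an iptables-save dump for the four LinuxRedirect rules.
SQUIDIP=192.168.0.2
SQUIDPORT=3129

# Constructed sample dump (not captured from a real host). The mangle DROP
# rule, which keeps clients from connecting to the intercept port directly,
# is left out on purpose so the audit has something to report.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -s 192.168.0.2/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
-A POSTROUTING -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
COMMIT'

# table_rules DUMP TABLE: print only the -A lines that belong to one table.
table_rules() {
    printf '%s\n' "$1" | awk -v t="*$2" '$0 == t {f = 1; next} /^COMMIT/ {f = 0} f && /^-A /'
}

# missing_rules DUMP: print one MISSING line per required rule that is absent.
# Patterns use the canonical iptables-save form: -s gets /32, --to-port is
# written --to-ports, and "-m tcp" follows "-p tcp".
missing_rules() {
    dump=$1
    for spec in \
        "nat|-A PREROUTING -s $SQUIDIP/32 -p tcp -m tcp --dport 80 -j ACCEPT|proxy's own port-80 traffic bypasses the redirect" \
        "nat|-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports $SQUIDPORT|client port 80 is redirected to Squid" \
        "nat|-A POSTROUTING -j MASQUERADE|forwarded traffic is masqueraded" \
        "mangle|-A PREROUTING -p tcp -m tcp --dport $SQUIDPORT -j DROP|direct client connections to the intercept port are dropped"
    do
        table=${spec%%|*}
        rest=${spec#*|}
        pattern=${rest%%|*}
        desc=${rest#*|}
        if ! table_rules "$dump" "$table" | grep -Fqx -- "$pattern"; then
            echo "MISSING [$table] $pattern  ($desc)"
        fi
    done
}

missing_rules "$SAMPLE_DUMP"
```

On a live host, replace the constructed dump with `iptables-save` output.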
-
@JonathanLee said in New Secure Squid version 6.6 status page issues NAT Questions:
cache_object
I went as far as to add an any any rule to see if the ACL blocking port 80 caused this issue however it does not... Same result..