Bug #15410
opencache_object://URL Scheme is removed in Squid-6
0%
Description
Hello fellow pfSense Squid Proxy Users can you please help?
I am so happy 6.6 is part of pfSense 24 however some small changes are made in 6.6
cache_object://URL Scheme is not removed in Squid-6
cache_object://hostname/request@password
Is used to check status inside the pfSense GUI for this package
It has been replaced with 
http://hostname/squid-internal-mgr URL-prefix.
Therefore it will now say access denied when checking status
The status page needs to be updated to reflect the new URL scheme
I spoke with Squid user support and they have confirmed the new URL scheme
Ref:
https://wiki.squid-cache.org/Features/CacheManager/CacheObjectScheme
Files
       Updated by Jonathan Lee over 1 year ago
      Updated by Jonathan Lee over 1 year ago
      
    
    this calls /usr/local/sbin/squidclient with the older URI scheme 
to access mgr:info
       Updated by Jonathan Lee over 1 year ago
      Updated by Jonathan Lee over 1 year ago
      
    
    @function squid_status() {
    if (is_service_running('squid')) {
        init_config_arr(array('installedpackages', 'squidcache','config'));
        $proxy_ifaces = explode(",", config_get_path('installedpackages/squid/config/0/active_interface', ''));
        foreach ($proxy_ifaces as $iface) {
            if (get_interface_ip($iface)) {
                $ip = get_interface_ip($iface);
                $lip = '127.0.0.1';
            } else {
                $ip = get_interface_ipv6($iface);
                $lip = '::1';
            }
            exec("/usr/local/sbin/squidclient -l " . escapeshellarg($lip) .
                " -h " . escapeshellarg($ip) . " mgr:info", $result);
        }
    } else {
        return(gettext('Squid Proxy is not running.'));
    }
    $i = 0;
    $matchbegin = "Squid Object Cache";
    foreach ($result as $line) {
        if (preg_match("/{$matchbegin}/", $line)) {
            $begin = $i;
        }
        $i++;
    }
$output = "";
    $i = 0;foreach ($result as $line) {
        if ($i >= $begin) {
            $output .= $line . "\n";
        }
        $i++;
    }
    return $output;
}    @this is using the old version here with mgr:info
       Updated by Jonathan Lee over 1 year ago
      Updated by Jonathan Lee over 1 year ago
      
    
    squidclient mgr:info
no longer works this should be changed to reflect the new use with
squidclient -h 127.0.0.1 -p 3128 mgr:info shows access denined
@
You do have direct proxy (and thus manager) access via the 192.168.1.1:3128 so this URL should work:
 http://192.168.1.1:3128/squid-internal-mgr/menu
.. or substitute the raw-IP for the visible_hostname setting if that hostname actually resolves to that IP.
HTH
Amos@
I think this should be 
should be changed to reflect squid-internal-mgr:info
I am going to test
       Updated by Jonathan Lee over 1 year ago
      Updated by Jonathan Lee over 1 year ago
      
    
    
      
    Test failed it still says no access
       Updated by Jonathan Lee over 1 year ago
      Updated by Jonathan Lee over 1 year ago
      
    
    
      
    
Testing
       Updated by Jonathan Lee over 1 year ago
      Updated by Jonathan Lee over 1 year ago
      
    
    
      
    
I can access the cachemgr.cgi if you are using it within the lightsquid area however.
I will find my issue and post a pull still researching
       Updated by Jonathan Lee over 1 year ago
      Updated by Jonathan Lee over 1 year ago
      
    
    
      
    Sorry This is the issue I am researching on how to resolve do to the cache_object change
I just have to find the line of code that references cache_object and replace it with the new URI scheme use

       Updated by Jonathan Lee over 1 year ago
      Updated by Jonathan Lee over 1 year ago
      
    
    Researching with Squid Email support in Squid 6.6
On 2024-07-18 00:55, Jonathan Lee wrote:
curl http://localhost:3128/squid-internal-mgr/info Where would I place the password?
See "man curl" or online manual pages for curl. They will point you to two relevant options: --user and --proxy-user. AFAICT, your particular cache manager requests are sent to the proxy (as if it were an origin server) rather than through the proxy. Thus, you should use --user.
As I keep saying on this thread, due to Squid complications related to Bug 5283, specifying seemingly correct client parameters may not be enough to convince Squid to accept the cache manager request. I recommend the following procedure:
1. List the corresponding http_port directive first, before any other http_port, https_port, and ftp_port directives. Do not use interception of any kind for this cache manager port.
2. Use curl with absolute squid-internal-mgr URLs with http scheme (like you show above). Do not use "curl --proxy" or similar. Do not use https scheme.
3. In that absolute mgr URL, use the host name that matches visible_hostname in squid.conf. If you do not have visible_hostname in squid.conf, add it. This is not required, but, due to Squid bugs, it is often much easier to get this to work with visible_hostname than without it.
4. Make (passwordless) mgr:info use case working first, before trying to get password-protected pages working.
5. When you do specify a username and a password, remember that you are sending this request to an (equivalent of) a service running on an origin server, not a proxy (hence --user rather than --proxy-user).
If you cannot figure it out despite carefully going through the above steps, share (privately if needed) a pointer to compressed ALL,9 cache.log while reproducing the problem with throw-away credentials on an idle Squid with a single curl request. Mention which step you got stuck on.
HTH,
Alex.
       Updated by Jonathan Lee 7 months ago
      Updated by Jonathan Lee 7 months ago
      
    
    Update: I did some testing yesterday and found this status page error still occurs with the removal of all custom config and going to splice only standard config with deactivation of squid guard also.
       Updated by Jonathan Lee 7 months ago
      Updated by Jonathan Lee 7 months ago
      
    
    On 11/04/25 03:47, Jonathan Lee wrote:
Hello fellow Squid users,
Does anyone use pfSense squid package that knows a possible solution to this issue ? I have went as far as to remove all custom config and go to complete splice all and it still occurs with or without cache enabled and or squid guard enabled. It is something I just don’t know how to correct it. I worked on testing it in command line a while back but could not find a way to get the status page working again.
Show Quoted Content
On 11/04/25 03:47, Jonathan Lee wrote:
Hello fellow Squid users,
Does anyone use pfSense squid package that knows a possible solution to this issue ? I have went as far as to remove all custom config and go to complete splice all and it still occurs with or without cache enabled and or squid guard enabled. It is something I just don’t know how to correct it. I worked on testing it in command line a while back but could not find a way to get the status page working again.
Bug #15410: cache_object://URL Scheme is removed in Squid-6 - pfSense Packages - pfSense bugtracker <https://redmine.pfsense.org/issues/15410>
As discussed in that bug report the "cache_object://" scheme has been replaced by "http://(visible_hostname):3128/squid-internal-mgr/"
- The scheme can be "https://" so long as the proxy listening port is configured with the https_port directive.
- visible_hostname should be replaced by the contents of the visible_hostname directive, or listening IP address. This is just one of the many reasons that directive needs to be a DNS resolvable domain name.
- The port 3128 can be another forward-proxy or an 'accel' mode port if you wish. Cannot be an 'intercept' or 'tproxy' *_port, nor an https_port with SSL-Bump enabled.
FTR; What we are familiar with as an "index page" is not provided by the Squid cache manager by default. I provide a basic UI at <https://github.com/yadij/cachemgr.js> that makes accessing the reports a bit easier for humans.
HTH
Amos
_______________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users
       Updated by Jonathan Lee 6 months ago
      Updated by Jonathan Lee 6 months ago
      
    
    On 2025-04-11 01:08, Amos Jeffries wrote:
On 11/04/25 03:47, Jonathan Lee wrote:
Hello fellow Squid users,
Bug #15410: cache_object://URL Scheme is removed in Squid-6 - pfSense Packages - pfSense bugtracker <https://redmine.pfsense.org/issues/15410>
As discussed in that bug report the "cache_object://" scheme has been replaced by "http://(visible_hostname):3128/squid-internal-mgr/"
- The scheme can be "https://" so long as the proxy listening port is configured with the https_port directive.
 Show Quoted Content
 On 2025-04-11 01:08, Amos Jeffries wrote:
 On 11/04/25 03:47, Jonathan Lee wrote:
 Hello fellow Squid users,
Bug #15410: cache_object://URL Scheme is removed in Squid-6 - pfSense Packages - pfSense bugtracker <https://redmine.pfsense.org/issues/15410>
As discussed in that bug report the "cache_object://" scheme has been replaced by "http://(visible_hostname):3128/squid-internal-mgr/"
- The scheme can be "https://" so long as the proxy listening port is configured with the https_port directive.
... and as long as you are not using SMP Squid: SMP Squids do not yet support responding to certain(*) cache manager requests received on TLS connections.
Alex.
(*) Affected (i.e. TLS-incompatible) cache manager reports are the ones that do not fully aggregate reported information across SMP kids and, hence, have "by kidN" wrappers around kid-specific reports. For example, mgr:mem.
- visible_hostname should be replaced by the contents of the visible_hostname directive, or listening IP address. This is just one of the many reasons that directive needs to be a DNS resolvable domain name.
- The port 3128 can be another forward-proxy or an 'accel' mode port if you wish. Cannot be an 'intercept' or 'tproxy' *port, nor an https_port with SSL-Bump enabled.
 FTR; What we are familiar with as an "index page" is not provided by the Squid cache manager by default. I provide a basic UI at <https://github.com/yadij/cachemgr.js> that makes accessing the reports a bit easier for humans.
 HTH
 Amos
 ________________________________________
 squid-users mailing list
 squid-users@lists.squid-cache.org
 https://lists.squid-cache.org/listinfo/squid-users
 Show Quoted Content
- visible_hostname should be replaced by the contents of the visible_hostname directive, or listening IP address. This is just one of the many reasons that directive needs to be a DNS resolvable domain name.
- The port 3128 can be another forward-proxy or an 'accel' mode port if you wish. Cannot be an 'intercept' or 'tproxy' *port, nor an https_port with SSL-Bump enabled.
 FTR; What we are familiar with as an "index page" is not provided by the Squid cache manager by default. I provide a basic UI at <https://github.com/yadij/cachemgr.js> that makes accessing the reports a bit easier for humans.
 HTH
 Amos
 ________________________________________
 squid-users mailing list
 squid-users@lists.squid-cache.org
 https://lists.squid-cache.org/listinfo/squid-users
_______________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.or
       Updated by Jonathan Lee 3 months ago
      Updated by Jonathan Lee 3 months ago
      
    
    
      
    This is the same with version 2.8.0 release for CE everything works but the status page.....This is tested in UTM virtualized environment separate from the 2100 box.
Name    pfSense.home.arpa
User    admin@10.10.0.1 (Local Database)
System    QEMU Guest
Netgate Device ID: 54738323f1e55127ca07
BIOS    Vendor: EFI Development Kit II / OVMF
Version: 0.0.0
Release Date: Fri Feb 6 2015
Boot Method: UEFI
Version    2.8.0-RELEASE (amd64)
built on Wed May 21 23:12:00 UTC 2025
FreeBSD 15.0-CURRENT
The system is on the latest version.
Version information updated at Thu Jul 17 17:04:20 UTC 2025   
CPU Type    Intel Core Processor (Skylake)
2 CPUs : 1 package(s) x 2 core(s)
AES-NI CPU Crypto: Yes (inactive)
QAT Crypto: No