On 25/01/2023 8:23 am, Alex Rousskov wrote:
> On 1/24/23 12:22, Eduard Bagdasaryan wrote:
>> Today we can query cache manager in two ways:
>> 1. with cache_object:// URL scheme
>> 2. with an HTTP request having the 'squid-internal-mgr' path prefix.
>> I guess that when (2) was initially added at e37bd29, its
>> implementation was somewhat incomplete compared to the old
>> cache_object scheme (e.g., it lacked authentication

No and intentionally. It is designed to share the proxy HTTP
authentication and http_access policy instead of the obsolete userinfo@
standard that cache_object uses.
Blocker #1: The cachemgr_passwd directive still needs to be cleanly
removed, e.g., replaced by a manager_access ACL based mechanism.

>> ) and both methods existed. Since then, however, (2) has been
>> improved and it should be equivalent to (1) by now. If so, can we
>> completely remove the non-standard cache_object scheme support from
>> Squid? This would simplify request forwarding logic, including code
>> paths where the existing code complexity may result in vulnerability
>> issues.
>
> FWIW, I am not aware of any good reason to keep supporting the
> "cache_object" URI scheme.

Blocker #2: The squidclient tool still sends cache_object: scheme when
given "mgr:" on the CLI. We need to upgrade that first and allow admin
some time to upgrade before removing the scheme support in squid itself.

> MgrFieldChars() already calls that scheme deprecated. That special
> (and undocumented?) scheme did cause significant problems in the past.
> I am sure it will continue to cause problems if not removed. Removing
> it will simplify code in several tricky places. There will be some
> upgrade pains for admins, but we will be better off without
> cache_object long-term IMO.

Agreed.

>> Needless to say, squidclient and cachemgr.cgi implementations would
>> need to be adjusted to use HTTP URLs instead, but I hope those
>> adjustments are straightforward.

cachemgr.cgi should already prefer http(s) and only use cache_object as
a backup.
IMO the CGI tool should stay that way, supporting the scheme for older
installations even after we drop it from the rest of Squid.
HTH
Amos
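
An added example, not part of the original thread or of Squid's code: a migration audit for the upgrade window discussed above, which scans access.log for cache manager requests and lists the clients still sending the cache_object scheme. It assumes Squid's native access.log layout and the default port 3128; the sample lines, host names and function names are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

LEGACY = "cache_object://"
MGR_PREFIX = "/squid-internal-mgr/"

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client code/status bytes method URL ident hierarchy type
SAMPLE_LOG = """\
1674600000.123      0 127.0.0.1 TCP_MISS/200 4521 GET cache_object://localhost/info - HIER_NONE/- text/plain
1674600010.456      1 192.0.2.5 TCP_MISS/200 1830 GET http://proxy.example:3128/squid-internal-mgr/counters - HIER_NONE/- text/plain
1674600020.789     45 192.0.2.7 TCP_MISS/200 10432 GET http://www.example.com/ - HIER_DIRECT/192.0.2.80 text/html
1674600030.001      0 192.0.2.9 TCP_DENIED/403 3900 GET cache_object://proxy.example/menu - HIER_NONE/- text/html
"""

def classify(url):
    """Return (style, host, action) for a cache manager URL, else None."""
    # urlsplit() rejects '_' in a scheme, so match the legacy prefix by hand.
    if url.startswith(LEGACY):
        host, _, action = url[len(LEGACY):].partition("/")
        return "cache_object", host, action
    parts = urlsplit(url)
    if parts.scheme in ("http", "https") and parts.path.startswith(MGR_PREFIX):
        return "http", parts.hostname, parts.path[len(MGR_PREFIX):]
    return None

def http_equivalent(url, port=3128):
    """Rewrite a cache_object URL to the HTTP form (port is an assumption)."""
    hit = classify(url)
    if not hit or hit[0] != "cache_object":
        return url
    return f"http://{hit[1]}:{port}{MGR_PREFIX}{hit[2]}"

def audit(log_text):
    """Map each client to the manager request styles and actions it used."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # not a native-format entry
        hit = classify(fields[6])
        if hit:
            seen[fields[2]][hit[0]].add(hit[2])
    return {c: {k: sorted(v) for k, v in s.items()} for c, s in seen.items()}

def legacy_clients(log_text):
    """Clients that still send cache_object and need to migrate first."""
    return sorted(c for c, s in audit(log_text).items() if "cache_object" in s)

if __name__ == "__main__":
    for client in legacy_clients(SAMPLE_LOG):
        print(client, audit(SAMPLE_LOG)[client])
```

Denied requests are counted as well, since a client that is refused today is still a client that sends the legacy scheme.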