Jason Lee wrote:
>Stephane Bortzmeyer writes:
>] As Martin Gleeson said, Squid will see the request coming from the Web
>] server so you should authorize its address (and tune httpd.conf to be
>] sure the Web server allows only your station to run that cachemgr.cgi
>] script).
>Is there anything wrong with letting normal pleb users access
>cachemgr.cgi? I can't think of any obvious security concerns, there is
>nothing too secret about squid.conf. Is performance a problem? I guess
>while users are looking at cache_object URLs they're not looking at
>others.
The problems that I can see are:
1) access to the remote shutdown facility
2) access to who is downloading what could be fairly sensitive information
(Cache information shows FDs with the IP and the URL they are accessing)
3) maybe a resource drain while listing Objects
Some of the information about who accesses what (point 2 above) can be
sensitive, and I believe proxy admins have a duty of care to ensure this
information is kept away from prying eyes, so it would be better to err
on the side of caution and block off access to the cache manager to all,
and only allow those that need to have access.
Cheers,
Marty.
-------------------------------------------------------------------------
Martin Gleeson Webmeister | http://www.unimelb.edu.au/%7Egleeson/
Information Technology Services | Email : gleeson@unimelb.edu.au
The University of Melbourne, Oz. | Phone : +61 3 9344 7407
"I hate quotations" -- Ralph Waldo Emerson; Journals (1843)
-------------------------------------------------------------------------
Received on Sun Aug 25 1996 - 19:54:24 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:32:51 MST