"Alan J. Flavell" wrote:
> Am I now right in thinking: the squid configuration file only controls
> access to the management functions in terms of where the cachemgr.cgi
> program is located?
Correct.
> Maybe we should control access to our copy of cachemgr.cgi by means of
> a <Files...> bracket in our web server, denying access by caller IP.
Good idea.
> Now, what happens if a client configures their browser to use the
> cache to access the cachemgr.cgi script? The web server then sees the
> request coming to it from localhost (because the request is being
> proxied through squid on the same machine), and so it permits access.
> The user submits the manager request form, and the cache software then
> sees the cachemgr request coming from localhost, so it too permits the
> access. I tried it, and this is what seems to happen.
And? localhost should not be allowed to access cachemgr.cgi I think if
you are using IP based access controls.
Web server config: Limit access to only authorized IP addresses.
Squid.conf: Limit cache_object access to only the server where you run
the protected cachemgr.cgi script, or authorized IP addresses if one
wants to retrieve the statistics directly from Squid in raw format.
Another option you have is to make use of proxy authentication. This way
only authorized users can access the management functions and you are
guaranteed to get a valid username logged.
-- Henrik Nordstrom Squid Hacker

Received on Sat Sep 15 2001 - 10:52:44 MDT
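
The two source-address checks discussed in this thread, modelled as an added example that is not part of the original message. It assumes Squid, the web server and cachemgr.cgi share one host; all addresses and function names are constructed for illustration.

```python
# Added illustration: models the two source-IP checks discussed in this thread.
# All addresses are constructed (RFC 5737 documentation ranges).
from ipaddress import ip_address, ip_network

LOCALHOST = ip_network("127.0.0.1/32")
ADMIN = ip_network("192.0.2.10/32")       # constructed admin workstation
CLIENT = ip_address("198.51.100.7")       # constructed ordinary cache user


def allowed(src, networks):
    """True if src falls inside any network of an allow list."""
    return any(ip_address(src) in net for net in networks)


def cachemgr_request(client, via_proxy, web_allow, squid_mgr_allow):
    """Follow one cachemgr.cgi request through both access checks.

    Squid and the web server share one host, so any hop that passes
    through Squid or through the CGI arrives from 127.0.0.1.
    """
    # Hop 1: the web server's <Files> restriction sees the proxy's address,
    # not the browser's, when the request is sent through the cache.
    web_src = "127.0.0.1" if via_proxy else str(client)
    if not allowed(web_src, web_allow):
        return "denied by web server"
    # Hop 2: cachemgr.cgi opens its own connection to Squid, so Squid's
    # cache_object ACL sees the web server host, never the browser.
    cgi_src = "127.0.0.1"
    if not allowed(cgi_src, squid_mgr_allow):
        return "denied by squid"
    return "manager access granted"


def compare():
    """Return results for the weak and the corrected web server allow list."""
    squid = [LOCALHOST]                    # cachemgr.cgi runs on this host
    weak, fixed = [LOCALHOST, ADMIN], [ADMIN]
    admin = ip_address("192.0.2.10")
    return {
        "weak/proxied user": cachemgr_request(CLIENT, True, weak, squid),
        "fixed/proxied user": cachemgr_request(CLIENT, True, fixed, squid),
        "fixed/direct admin": cachemgr_request(admin, False, fixed, squid),
        "fixed/direct user": cachemgr_request(CLIENT, False, fixed, squid),
    }


if __name__ == "__main__":
    for case, result in compare().items():
        print(f"{case}: {result}")
```

Squid's own check cannot tell the cases apart, because cachemgr.cgi always connects from the web server host; the web server's allow list is the only place where dropping localhost changes the outcome.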