Re: [squid-users] cache manager access from web

From: Chris Robertson <crobertson_at_gci.net>
Date: Wed, 10 Feb 2010 12:49:36 -0900

J. Webster wrote:
> Doesn't the fact that the manager needs a password in previous config lines mean that they can't access it?
>

Fair enough, if you are content with that.

> the ncsa_users is only for http access?
>

The cachemgr interface is accessed via HTTP. It uses a specific request
method (identified by the ACLs as manager), but it is a subset of HTTP.

Changing the access rules like...

http_access allow manager localhost
http_access allow manager cacheadmin
http_access deny manager
http_access allow ncsa_users

...prevents those who are allowed to utilize your cache from even
attempting access to your cachemgr interface (unless they are surfing
from localhost, or the IP identified by the cacheadmin ACL). The
default squid.conf has some further denies (such as preventing CONNECT
requests to non-SSL ports) that are also missing from this configuration
snippet, so this is not the only avenue for abuse.

Chris
Received on Wed Feb 10 2010 - 21:49:56 MST
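
Added example (not part of the original message, and not Squid's own code): a simplified Python model of first-match http_access evaluation, showing why the manager rules have to come before "allow ncsa_users". The ACL predicates, the addresses and the USERS_ONLY contrast config are constructed assumptions; a request is modelled as already carrying valid proxy credentials or not.

```python
# Simplified model of Squid's http_access evaluation (added illustration).
# ACL definitions and all addresses below are constructed assumptions.

ACLS = {
    "manager":    lambda r: r["cachemgr"],             # request targets cachemgr
    "localhost":  lambda r: r["src"] == "127.0.0.1",
    "cacheadmin": lambda r: r["src"] == "192.0.2.10",  # constructed admin IP
    "ncsa_users": lambda r: r["authenticated"],        # valid proxy credentials
}

# The rule order suggested in the message above.
SUGGESTED = """
http_access allow manager localhost
http_access allow manager cacheadmin
http_access deny manager
http_access allow ncsa_users
"""

# Constructed contrast: no manager rules, authenticated users simply allowed.
USERS_ONLY = """
http_access allow ncsa_users
"""

def parse(conf):
    """Return [(action, [acl names])] for each http_access line."""
    rules = []
    for line in conf.strip().splitlines():
        directive, action, *acls = line.split()
        if directive == "http_access":
            rules.append((action, acls))
    return rules

def decide(conf, request):
    rules = parse(conf)
    for action, acls in rules:
        # ACLs on one line are ANDed; the first line that matches decides.
        if all(ACLS[name](request) for name in acls):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

def req(src, cachemgr=False, authenticated=False):
    return {"src": src, "cachemgr": cachemgr, "authenticated": authenticated}
```

With USERS_ONLY, an authenticated cache user's cachemgr request is passed through and only the cachemgr password stands in the way; with SUGGESTED the same request is denied before it reaches the interface.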