RE: [squid-users] cache manager access from web

From: J. Webster <webster_jack_at_hotmail.com>
Date: Thu, 11 Feb 2010 10:46:52 +0000

I have changed the config and can now log in to the cache manager.
This was in the conf already:
http_access deny CONNECT !SSL_ports

So, the issue remains whether allowing password access to the cache manager is enough.
How else can this be made more secure? I guess not if the only way for me to access it is through a public IP address.

----------------------------------------
> Date: Wed, 10 Feb 2010 12:49:36 -0900
> From: crobertson_at_gci.net
> To: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] cache manager access from web
>
> J. Webster wrote:
>> Doesn't the fact that the manager needs a password in previous config lines mean that they can't access it?
>>
>
> Fair enough, if you are content with that.
>
>> the ncsa_users is only for http access?
>>
>
> The cachemgr interface is accessed via HTTP. It uses a specific request
> method (identified by the ACLs as manager), but it is a subset of HTTP.
>
> Changing the access rules like...
>
> http_access allow manager localhost
> http_access allow manager cacheadmin
> http_access deny manager
> http_access allow ncsa_users
>
> ...prevents those who are allowed to utilize your cache from even
> attempting access to your cachemgr interface (unless they are surfing
> from localhost, or the IP identified by the cacheadmin ACL). The
> default squid.conf has some further denies (such as preventing CONNECT
> requests to non-SSL ports) that are also missing from this configuration
> snippet, so this is not the only avenue for abuse.
>
> Chris
>
                                               
Received on Thu Feb 11 2010 - 10:46:59 MST
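
The rule ordering discussed in this thread, as an added example that is not part of either poster's message or of Squid itself: a small first-match model of http_access showing why the manager lines must come before the ncsa_users allow. The ACL definitions, the cacheadmin address (203.0.113.10), the client address, the user name and the position of the CONNECT line are assumptions made for the illustration; only the ACL names and rule lines come from the thread.

```python
# Minimal model of Squid http_access evaluation (added example, not Squid code).
# Lines are checked top to bottom; the first line whose ACLs all match decides.
# If no line matches, the result is the opposite of the last line's action.

CACHEADMIN_IP = "203.0.113.10"  # placeholder for the address behind the cacheadmin ACL

# Assumed ACL definitions; only the ACL names come from the thread.
ACLS = {
    "manager":    lambda r: r["proto"] == "cache_object",
    "localhost":  lambda r: r["src"] == "127.0.0.1",
    "cacheadmin": lambda r: r["src"] == CACHEADMIN_IP,
    "ncsa_users": lambda r: r["user"] is not None,  # stands in for a passed proxy_auth
    "CONNECT":    lambda r: r["method"] == "CONNECT",
    "SSL_ports":  lambda r: r["port"] == 443,
}

# Rule order from the thread; the position of the CONNECT deny is an assumption.
ORDERED = """
http_access allow manager localhost
http_access allow manager cacheadmin
http_access deny manager
http_access deny CONNECT !SSL_ports
http_access allow ncsa_users
"""

# Constructed contrast: the proxy-user allow placed ahead of the manager rules.
USERS_FIRST = """
http_access allow ncsa_users
http_access allow manager localhost
http_access allow manager cacheadmin
http_access deny manager
"""

def parse(conf):
    return [(p[1], p[2:]) for p in map(str.split, conf.strip().splitlines())]

def decide(conf, req):
    rules = parse(conf)
    for action, names in rules:
        # "!name" matches when the named ACL does not.
        if all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

def request(src, user=None, proto="http", method="GET", port=80):
    return {"src": src, "user": user, "proto": proto, "method": method, "port": port}

if __name__ == "__main__":
    probe = request("198.51.100.7", user="alice", proto="cache_object")
    print("ordered:", decide(ORDERED, probe), "| users first:", decide(USERS_FIRST, probe))
```

With the users-first order, an authenticated proxy user's manager request is allowed by the first line, so the cache manager password is the only remaining control.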

This archive was generated by hypermail 2.2.0 : Sun Feb 14 2010 - 12:00:04 MST