I have changed the config and can now log in to the cache manager.
This was in the conf already:

http_access deny CONNECT !SSL_ports

So, the issue remains whether allowing password access to the cache manager is enough. How else can this be made more secure? I guess not if the only way for me to access it is through a public IP address.

----------------------------------------
> Date: Wed, 10 Feb 2010 12:49:36 -0900
> From: crobertson@xxxxxxx
> To: squid-users@xxxxxxxxxxxxxxx
> Subject: Re: cache manager access from web
>
> J. Webster wrote:
>> Doesn't the fact that the manager needs a password in previous config lines mean that they can't access it?
>>
>
> Fair enough, if you are content with that.
>
>> the ncsa_users is only for http access?
>>
>
> The cachemgr interface is accessed via HTTP. It uses a specific request
> method (identified by the ACLs as manager), but it is a subset of HTTP.
>
> Changing the access rules like...
>
> http_access allow manager localhost
> http_access allow manager cacheadmin
> http_access deny manager
> http_access allow ncsa_users
>
> ...prevents those who are allowed to utilize your cache from even
> attempting access to your cachemgr interface (unless they are surfing
> from localhost, or the IP identified by the cacheadmin ACL). The
> default squid.conf has some further denies (such as preventing CONNECT
> requests to non-SSL ports) that are also missing from this configuration
> snippet, so this is not the only avenue for abuse.
>
> Chris
>
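
Added example, not part of the original thread and not Squid's own code: a small Python model of Squid's first-match http_access evaluation, showing why the rule order quoted above keeps authenticated proxy users away from the cachemgr interface. The `USERS_FIRST` ordering, the `deny all` lines, the position of the CONNECT rule and the sample requests are assumptions constructed for comparison.

```python
# Simplified model of http_access evaluation. A request is described by the
# set of ACL names it would match (a modelling assumption, not Squid's code).

CHRIS_ORDER = """
http_access allow manager localhost
http_access allow manager cacheadmin
http_access deny manager
http_access deny CONNECT !SSL_ports   # position assumed (default squid.conf layout)
http_access allow ncsa_users
http_access deny all                  # assumed final rule
"""

# Constructed for comparison: same manager rules, proxy users allowed first.
USERS_FIRST = """
http_access allow ncsa_users
http_access allow manager localhost
http_access allow manager cacheadmin
http_access deny manager
http_access deny all
"""


def parse(conf):
    """Return [(action, [(acl_name, negated), ...]), ...] for http_access lines."""
    rules = []
    for line in conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "http_access":
            acls = [(f.lstrip("!"), f.startswith("!")) for f in fields[2:]]
            rules.append((fields[1], acls))
    return rules


def decide(conf, matched):
    """The first rule whose ACLs all match decides the request."""
    rules = parse(conf)
    matched = set(matched) | {"all"}
    for action, acls in rules:
        if all((name in matched) != negated for name, negated in acls):
            return action
    # No rule matched: Squid applies the opposite of the last rule's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


# Constructed requests, described by the ACLs they would match.
PROXY_USER_MGR = {"manager", "ncsa_users"}  # authenticated user, cachemgr request
ADMIN_MGR = {"manager", "cacheadmin"}       # cachemgr request from the admin IP
PROXY_USER_WEB = {"ncsa_users"}             # ordinary authenticated browsing
```

With the quoted order, `decide(CHRIS_ORDER, PROXY_USER_MGR)` is a deny at the `deny manager` rule; with `USERS_FIRST` the same request is allowed through, so only the cachemgr password would stand between that user and the interface.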