On 7/10/2015 6:41 a.m., Tory M Blue wrote:
> So I was playing with squid-internal-mgr (replacement for cachemgr.cgi it
> seems), but I have no real authentication access, other than my ACLs
>
> acl manager url_regex -i ^cache_object:// +i
> ^https?://[^/]+/squid-internal-mgr/
>
>
> And limited to my networks obviously.
>
> But as of now those pages are wide open, so anyone could go to /menu and
> see /shutdown and type that in and bingo bango my squid server is shutdown.
> I believe the word is "Meh.".

This is one of the expected use-cases for CacheMgr, i.e. how the new access methods are designed to be used.

Strictly speaking it's anyone who can access those reports. You just have one less layer of protection than default installs use.

>
> So was wondering if there is a way to make some of these pages require
> authentication? I'm not clear what "public" means in each instance below,

"public" means there is no report-specific password set by cachemgr_passwd directive required to access it. The only control will be the http_access rules you configure.

You create a urlpath_regex ACL to match regular (not squidclient or cachemgr.cgi) requests for the reports like so:

  acl foo urlpath_regex \
    ^/squid-internal-mgr/(shutdown|reconfigure|rotate|offline_toggle)

Authentication can be applied in combination with that to do whatever reports you want authenticated. Also group limitations, external ACL, specific src IPs, etc.

Amos
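An added example, not part of the original message and not Squid's own code: a small Python check that parses a squid.conf fragment, joins the backslash continuation used in the reply, and lists which manager report paths the urlpath_regex ACL does not match, so those stay governed only by the other http_access rules. The sample config, the mgr_admins ACL name, the "info" report in the test list, and the use of Python's re in place of Squid's own regex engine are assumptions.

```python
import re

# Constructed squid.conf fragment. The acl is the one from the reply above
# (with its backslash continuation); the http_access line and the
# "mgr_admins" ACL name are assumptions added for illustration.
SAMPLE_CONF = r"""
# protect the state-changing manager reports
acl foo urlpath_regex \
    ^/squid-internal-mgr/(shutdown|reconfigure|rotate|offline_toggle)
http_access deny foo !mgr_admins
"""

def logical_lines(conf):
    """Yield config lines with comments dropped and backslash continuations joined."""
    pending = ""
    for raw in conf.splitlines():
        line = raw.strip()
        if not pending and line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        if line:
            yield line

def urlpath_acls(conf):
    """Map ACL name -> compiled patterns for every urlpath_regex ACL."""
    acls = {}
    for line in logical_lines(conf):
        words = line.split()
        if len(words) < 4 or words[0] != "acl" or words[2] != "urlpath_regex":
            continue
        flags, args = 0, words[3:]
        if args[0] == "-i":  # -i makes the patterns case-insensitive
            flags, args = re.IGNORECASE, args[1:]
        acls.setdefault(words[1], []).extend(re.compile(p, flags) for p in args)
    return acls

def unmatched(conf, acl_name, paths):
    """Return the paths that no pattern of acl_name matches (unanchored search)."""
    patterns = urlpath_acls(conf).get(acl_name, [])
    return [p for p in paths if not any(rx.search(p) for rx in patterns)]

if __name__ == "__main__":
    reports = ["shutdown", "reconfigure", "rotate", "offline_toggle", "menu", "info"]
    paths = ["/squid-internal-mgr/" + r for r in reports]
    print("not matched by ACL foo:", unmatched(SAMPLE_CONF, "foo", paths))
```

Without -i the patterns are case-sensitive, so the check also shows whether a differently cased path would fall outside the ACL as written.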