On 10/29/2017 04:54 AM, Amos Jeffries wrote:
>
>> #
>> http_access allow manager_admin manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localnet
>> http_access deny all
>
> Two things:
>
> 1) 'manager' is a pre-defined ACL. Your redefinition contradicts the
> case sensitive URI path. Best not to re-define it.
>
  Okay. I commented the "manager" line.

>
> 2) the current recommended practice is to place the manager ACLs after
> the 'CONNECT !SSL_Ports' line.
> That does not affect the admin access but prevents several more attack
> scenarios against Squid.
>
  Okay.

>
> 3) you are not denying manager access to any of the 'localnet' ranges.
> So the whole manager ACL section is pretty pointless.
>
  I do not understand.

  I made the changes you indicated (that I understood) and restarted
Squid. No change.

# acl manager url_regex -i ^cache_object:// /squid-internal-mgr/
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager_admin
http_access allow manager localhost
http_access deny manager
http_access allow localnet
http_access deny all

>
> What does access.log show for the manager request?
> The above port is IPv6-enabled but the manager_admin ACL only allows an
> IPv4.
>
1509311060.445 15 192.168.69.115 TCP_MISS/403 4464 GET http://proxy1.sma.com:3128/squid-internal-mgr/info - HIER_DIRECT/192.168.69.246 text/html
1509311060.822 0 192.168.69.115 TCP_IMS_HIT/304 311 GET http://sma-server3:3128/squid-internal-static/icons/SN.png - HIER_NONE/- image/png

-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
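
Added example, not part of the original message or of Squid's code: Squid checks http_access lines top to bottom and stops at the first line whose ACLs all match, so this sketch runs the manager request from the access.log excerpt through both rule lists in the thread. Only the 'manager' regex comes from the thread; the bodies of manager_admin (a constructed 192.0.2.10), localnet, Safe_ports and SSL_ports are assumptions, since the message does not show them.

```python
import ipaddress
import re

# 'manager' uses the url_regex quoted in the thread; other ACL bodies are assumed.
MANAGER_RE = re.compile(r"^cache_object://|/squid-internal-mgr/", re.I)
ACLS = {
    "manager": lambda r: bool(MANAGER_RE.search(r["url"])),
    "manager_admin": lambda r: r["src"] == ipaddress.ip_address("192.0.2.10"),  # assumed
    "localhost": lambda r: r["src"].is_loopback,
    "localnet": lambda r: r["src"] in ipaddress.ip_network("192.168.0.0/16"),  # assumed
    "Safe_ports": lambda r: r["port"] in (80, 443) or 1025 <= r["port"] <= 65535,  # assumed
    "SSL_ports": lambda r: r["port"] == 443,  # assumed
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "all": lambda r: True,
}

ORIGINAL = """\
http_access allow manager_admin manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all"""

REVISED = """\
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager_admin
http_access allow manager localhost
http_access deny manager
http_access allow localnet
http_access deny all"""

def evaluate(rules, src, method, url, port):
    """Return (action, line) for the first http_access line whose ACLs all match."""
    req = {"src": ipaddress.ip_address(src), "method": method, "url": url, "port": port}
    for line in rules.splitlines():
        action, *names = line.split()[1:]  # drop the "http_access" keyword
        # ACLs on one line are ANDed; a leading "!" inverts that ACL's result.
        if all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action, line
    raise ValueError("no http_access line matched")

if __name__ == "__main__":
    url = "http://proxy1.sma.com:3128/squid-internal-mgr/info"
    for label, rules in (("original", ORIGINAL), ("revised", REVISED)):
        for src in ("192.168.69.115", "127.0.0.1"):
            print(label, src, evaluate(rules, src, "GET", url, 3128))
```

Under these assumptions the original list lets a localnet client reach the manager URL through 'allow localnet', while the revised list stops the same request at 'deny manager'.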