On 23/04/24 11:52, Jonathan Lee wrote:
> Hello fellow Squid Accelerator/Dynamic Cache/Web Cache Users/PfSense users
>
> I think this might resolve any container based issues/fears if they
> happened to get into the cache. I.e. a Docker Proxy got installed and
> tried to data marshal the network card inside of a FreeBSD jail or
> something like that. Biggest fear with my cache: it is a big cache now.
>
> Please let me know what you think or if it is wrong.
>
> Here is my configuration. I wanted to share it as it might help to
> secure some of this.

FTR, this config was auto-generated by pfsense. A number of things which
that tool forces into the config could be done much better in the latest
Squid, but the tool does not do so due to needing to support older Squid
versions.

> Keep in mind I use cachemgr.cgi within Squidlight so I had to set the
> password and I have to also adapt the php status file to include the
> password and also the sqlight php file.
>
> After that the status and gui pages work still with the new password.
>
> Only issues are that it shows up in clear text when it goes over the
> proxy. I can see my password clear as day. Again, that was an issue listed
> inside the Squid O’REILLY book also.

Please ensure you are using the latest Squid v6 release. That release
has both a number of security fixes, and working https:// URL access to
the manager reports.

The cachemgr.cgi tool is deprecated for a number of issues including
that style of embedding passwords in the URLs.

Francesco and I have created a tool that can be found at
<https://github.com/yadij/cachemgr.js/blob/master/README.md> for basic
access to the reports directly from Browser.

That tool uses HTTP authentication configured via the well-documented
proxy_auth ACLs and http_access for more secure access than the old URL
based mechanism (which still exists, just deprecated).

Cheers
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
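
The proxy_auth and http_access approach described in the reply above, shown as an added squid.conf sketch; it is not part of the original thread, the pfSense-generated config, or the cachemgr.js project. The helper path, password file, realm text, user name `cacheadmin` and ACL name `mgr_admins` are assumptions to adapt locally.

```conf
# --- Before: deprecated URL-based manager password -------------------
# The secret travels inside the request URL, so it is readable on the
# wire and in any log that records URLs ("example-secret" is a
# constructed placeholder).
#cachemgr_passwd example-secret all

# --- After: HTTP authentication for manager reports ------------------
# Basic auth helper shipped with Squid. The path below is an assumed
# FreeBSD/pfSense location; on many Linux packages it is under
# /usr/lib/squid/. The password file is an assumed name, created with
# htpasswd and readable only by the Squid user.
auth_param basic program /usr/local/libexec/squid/basic_ncsa_auth /usr/local/etc/squid/manager.passwd
auth_param basic realm Squid cache manager
auth_param basic credentialsttl 15 minutes

# Only this account may read manager reports (assumed user name).
acl mgr_admins proxy_auth cacheadmin

# "manager" and "localhost" are ACLs built into current Squid.
# These lines must appear before any broader "http_access allow" rule,
# otherwise a general allow could match manager requests first.
http_access allow manager localhost mgr_admins
http_access deny manager
```

Basic credentials are only base64-encoded, so this setup relies on the https:// manager access mentioned for Squid v6 to keep them off the wire in readable form.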