On 29/10/17 20:02, James Moe wrote:
Hello,
opensuse v42.2
linux v4.4.87-18.29-default x86_64
squid v3.5.21
On occasion I look at the squid statistics; it has been a while since
I last checked them, at least a month. The request was denied as not
having access privileges. I do not see why it is now being denied.
My understanding is that the ACL names "manager" and "manager_admin"
would be allowed since they are first in the list (see below).
What have I misunderstood?
http://proxy1.sma.com:3128/squid-internal-mgr/info
acl manager url_regex -i ^cache_object:// /squid-internal-mgr/
acl manager_admin src 192.168.69.115
#
...
#
http_access allow manager_admin manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
Two things:
1) 'manager' is a pre-defined ACL. The your redefinition contradicts the
case sensitive URI path. Best not to re-define it.
2) the current recommended practice is to place the manager ACLs after
the 'CONNECT !SSL_Ports' line.
That does not affect the admin access but prevents several more attack
scenarios against Squid.
3) you are not denying manager access to any of the 'localnet' ranges.
So the whole manager ACL section is pretty pointless.
# Squid normally listens to port 3128
http_port 3128
What does access.log show for the manager request?
The above port is IPv6-enabled but the manager_admin ACL only allows an
IPv4.
Amos
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users