Hello fellow Squid users, I wanted to ask a quick question: for use with 
termination, would http access for cache still work with this type of setup and 
custom refresh patterns?

I think it would terminate all but the clients, and if they use the cache it 
would be ok.

But I think an invasive container would be blocked, which is my goal here.

acl markBumped annotate_client bumped=true
acl active_use annotate_client active=true
acl bump_only src 192.168.1.3 #webtv
acl bump_only src 192.168.1.4 #toshiba
acl bump_only src 192.168.1.5 #imac
acl bump_only src 192.168.1.9 #macbook
acl bump_only src 192.168.1.13 #dell

acl bump_only_mac arp macaddresshere
acl bump_only_mac arp macaddresshere
acl bump_only_mac arp macaddresshere
acl bump_only_mac arp macaddresshere
acl bump_only_mac arp macaddresshere

ssl_bump peek step1
miss_access deny no_miss active_use
ssl_bump splice https_login active_use
ssl_bump splice splice_only_mac splice_only active_use
ssl_bump splice NoBumpDNS active_use
ssl_bump splice NoSSLIntercept active_use
ssl_bump bump bump_only_mac bump_only active_use
acl activated note active_use true
ssl_bump terminate !activated



Sent from my iPhone

> On Apr 23, 2024, at 01:03, Amos Jeffries <squ...@treenet.co.nz> wrote:
> 
> On 23/04/24 11:52, Jonathan Lee wrote:
>> Hello fellow Squid Accelerator/Dynamic Cache/Web Cache Users/PfSense users
>> I think this might resolve any container-based issues/fears if they happened 
>> to get into the cache, i.e. a Docker Proxy got installed and tried to data 
>> marshal the network card inside of a FreeBSD jail or something like that. 
>> Biggest fear with my cache: it is a big cache now.
>> Please let me know what you think or if it is wrong.
>> Here is my configuration. I wanted to share it as it might help to secure 
>> some of this.
> 
> FTR, this config was auto-generated by pfsense. A number of things which that 
> tool forces into the config could be done much better in the latest Squid, 
> but the tool does not do due to needing to support older Squid versions.
> 
> 
>> Keep in mind I use cachemgr.cgi within Squidlight, so I had to set the 
>> password and I also have to adapt the php status file to include the 
>> password, and also the sqlight php file.
>> After that the status and gui pages still work with the new password. Only 
>> issues are that it shows up in clear text when it goes over the proxy; I can 
>> see my password clear as day. Again, that was an issue listed inside the Squid 
>> O’REILLY book also.
> 
> 
> Please ensure you are using the latest Squid v6 release. That release has 
> both a number of security fixes, and working https:// URL access to the 
> manager reports.
> 
> The cachemgr.cgi tool is deprecated for a number of issues including that 
> style of embedding passwords in the URLs.
> 
> Francesco and I have created a tool that can be found at 
> <https://github.com/yadij/cachemgr.js/blob/master/README.md> for basic access 
> to the reports directly from Browser.
> That tool uses HTTP authentication configured via the well-documented 
> proxy_auth ACLs and http_access for more secure access than the old URL based 
> mechanism (which still exists, just deprecated).
> 
> 
> 
> Cheers
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users
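
The access model Amos describes for the manager reports (proxy_auth ACLs plus http_access instead of a password carried in the URL), as an added squid.conf example that is not part of the original thread or of the cachemgr.js project. The helper path, password file, realm text and account name are assumptions.

```conf
# Added example. Helper path, password file, realm text and the
# account name "cacheadmin" are assumptions; adjust to the local install.

# Deprecated style: a shared password that cachemgr.cgi places in the
# request URL, so it is readable wherever the URL is logged or proxied.
# (CONSTRUCTED-PASSWORD is a placeholder, not a real value.)
# cachemgr_passwd CONSTRUCTED-PASSWORD all

# HTTP Basic authentication backed by an htpasswd-style file.
auth_param basic program /usr/local/libexec/squid/basic_ncsa_auth /usr/local/etc/squid/mgr_passwd
auth_param basic realm Squid cache manager
auth_param basic children 2
auth_param basic credentialsttl 1 hour

# Only this named account may read manager reports.
acl mgr_admin proxy_auth cacheadmin

# "manager" is Squid's built-in ACL for cache manager requests.
# These two lines must come before any broader "http_access allow" rule,
# otherwise an earlier allow would let unauthenticated clients through.
http_access allow manager mgr_admin
http_access deny manager

# Basic credentials are only base64-encoded in the Authorization header,
# so request the reports over https:// rather than plain http://.
```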