I have changed the config and can now log in to the cache manager.
This was in the conf already:
http_access deny CONNECT !SSL_ports

So, the issue remains whether allowing password access to the cache manager is enough.
How else can this be made more secure? I guess not if the only way for me to access it is through a public IP address.



----------------------------------------
> Date: Wed, 10 Feb 2010 12:49:36 -0900
> From: crobert...@gci.net
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] cache manager access from web
>
> J. Webster wrote:
>> Doesn't the fact that the manager needs a password in previous config lines 
>> mean that they can't access it?
>>
>
> Fair enough, if you are content with that.
>
>> the ncsa_users is only for http access?
>>
>
> The cachemgr interface is accessed via HTTP. It uses a specific request
> method (identified by the ACLs as manager), but it is a subset of HTTP.
>
> Changing the access rules like...
>
> http_access allow manager localhost
> http_access allow manager cacheadmin
> http_access deny manager
> http_access allow ncsa_users
>
> ...prevents those who are allowed to utilize your cache from even
> attempting access to your cachemgr interface (unless they are surfing
> from localhost, or the IP identified by the cacheadmin ACL). The
> default squid.conf has some further denies (such as preventing CONNECT
> requests to non-SSL ports) that are also missing from this configuration
> snippet, so this is not the only avenue for abuse.
>
> Chris
>
                                          
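An added example, not part of the original thread and not Squid's own code: a small model of first-match http_access evaluation showing why the rule order in the quoted reply matters. The ACL names come from the thread; the addresses, the port test, the user name, the USERS_FIRST ordering and the position of the CONNECT line are assumptions made for illustration.

```python
# Added example: a model of Squid's http_access evaluation, not Squid code.
# ACL names are from the thread; addresses and ports are constructed samples.
ACLS = {
    "manager":    lambda r: r.get("cachemgr", False),
    "localhost":  lambda r: r["src"] == "127.0.0.1",
    "cacheadmin": lambda r: r["src"] == "192.0.2.10",   # assumed admin address
    "ncsa_users": lambda r: r.get("user") is not None,  # passed proxy auth
    "CONNECT":    lambda r: r.get("method") == "CONNECT",
    "SSL_ports":  lambda r: r.get("port") == 443,
}

# Rules from the thread; where the CONNECT line sits is an assumption.
SUGGESTED = """
http_access allow manager localhost
http_access allow manager cacheadmin
http_access deny manager
http_access deny CONNECT !SSL_ports
http_access allow ncsa_users
"""

# Hypothetical ordering: proxy users are allowed before any manager rule.
USERS_FIRST = """
http_access allow ncsa_users
http_access allow manager localhost
http_access allow manager cacheadmin
http_access deny manager
"""

def matches(name, req):
    """Evaluate one ACL reference; a leading '!' negates it."""
    if name.startswith("!"):
        return not ACLS[name[1:]](req)
    return ACLS[name](req)

def http_access(rules, req):
    """Return 'allow' or 'deny': the first line whose ACLs all match wins."""
    action = "allow"
    for line in rules.strip().splitlines():
        _, action, *names = line.split()
        if all(matches(n, req) for n in names):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if action == "allow" else "allow"

# Constructed requests: an authenticated proxy user on a public address.
user_mgr = {"src": "198.51.100.7", "user": "alice", "cachemgr": True}
admin_mgr = {"src": "192.0.2.10", "cachemgr": True}
user_connect_25 = {"src": "198.51.100.7", "user": "alice",
                   "method": "CONNECT", "port": 25}
```

With SUGGESTED, the authenticated user's manager request is denied before the password is ever checked; with USERS_FIRST the same request is allowed through, leaving the cache manager password as the only barrier.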