Re: CACHEMGR - user not important ???

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sat, 06 Feb 1999 01:47:54 +0100

Alex Rousskov wrote:

> It is not checked. IMO, there is sense in using it when more than
> one person can access your manager. The cache.log will contain
> the name of the person accessing the manager. Yes, it is not secure;
> it is for informational purposes only.

With a one line change to cachemgr.c (Send Proxy-Authorization header,
see http://hem.passagen.se/hno/squid/) plus some clever ACL lines you
can get per user manager access control based on proxy_auth instead of
having the password hardcoded in squid.conf. I have tried now for some
months to get Duane to add this one line but so far he has refused from
some religious point of view.

Example ACL lines for proxy_auth based manager access control:

  # Disable the hardcoded manager passwords
  # (syntax is: cachemgr_passwd <password> <action> ...)
cachemgr_passwd none all
  # A quick match for manager type URLs
acl manager proto cache_object
  # List of users with full manager privileges
acl managers proxy_auth "/usr/local/squid/etc/acl.managers.txt"
  # List of users with restricted manager privileges
acl operators proxy_auth "/usr/local/squid/etc/acl.operators.txt"
  # List of cache manager operations allowed to operators
acl operator-commands urlpath_regex ^/menu ^/5min ^/60min ^/info

  # Allow managers full manager access
http_access allow manager managers
  # Allow operators limited manager access
http_access allow manager operators operator-commands
  # Deny all else manager access
http_access deny manager

And yes, the above use of proxy_auth to make user groups requires Squid
2.2, or a patch to 2.1 available from the above mentioned page.

---
Henrik Nordstrom
Spare time Squid hacker
Received on Fri Feb 05 1999 - 18:14:55 MST
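
The rule set in the message above, modelled as a small first-match evaluator so the resulting access matrix can be checked. This is an added example, not code from the post or from Squid. The user names `alice` and `bob`, the action name `/information` and the `ANCHORED` pattern list are constructed for illustration, and a request without credentials is simplified to "no user matches" instead of modelling the authentication challenge.

```python
import re

# Constructed stand-ins for acl.managers.txt and acl.operators.txt.
MANAGERS = {"alice"}
OPERATORS = {"bob"}
# Patterns from the post's operator-commands ACL.
POSTED = [r"^/menu", r"^/5min", r"^/60min", r"^/info"]
# Same patterns with an end anchor added (a variation, not from the post).
ANCHORED = [p + "$" for p in POSTED]

# http_access lines from the post, in order; ACLs on one line are ANDed.
RULES = [
    ("allow", ["manager", "managers"]),
    ("allow", ["manager", "operators", "operator-commands"]),
    ("deny", ["manager"]),
]

def acl_matches(name, proto, user, path, patterns):
    """Evaluate one named ACL against a request."""
    if name == "manager":
        return proto == "cache_object"
    if name == "managers":
        return user in MANAGERS
    if name == "operators":
        return user in OPERATORS
    if name == "operator-commands":
        # Any pattern may match; a pattern without $ also matches longer paths.
        return any(re.search(p, path) for p in patterns)
    raise ValueError("unknown ACL: " + name)

def decide(proto, user, path, patterns=POSTED):
    """Return the action of the first rule whose ACLs all match."""
    for action, acls in RULES:
        if all(acl_matches(a, proto, user, path, patterns) for a in acls):
            return action
    return "no-match"  # not manager traffic; later rules would decide

if __name__ == "__main__":
    for req in [
        ("cache_object", "alice", "/shutdown"),   # manager: any action
        ("cache_object", "bob", "/info"),         # operator: listed action
        ("cache_object", "bob", "/shutdown"),     # operator: unlisted action
        ("cache_object", "bob", "/information"),  # constructed prefix match
        ("cache_object", None, "/menu"),          # no credentials
    ]:
        print(req, "->", decide(*req))
```

Because the posted patterns are anchored only at the start, any action name that begins with a listed one is also allowed to operators; passing `ANCHORED` to `decide` shows the stricter result.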