Re: [squid-users] Access control with cachemgr.cgi

From: Alan J. Flavell <flavell@dont-contact.us>
Date: Sat, 15 Sep 2001 18:29:40 +0100 (BST)

On Sat, 15 Sep 2001, Henrik Nordstrom wrote:

> > Am I now right in thinking: the squid configuration file only controls
> > access to the management functions in terms of where the cachemgr.cgi
> > program is located?
>
> Correct.

Thanks! Could I suggest putting a note into the sample configuration
file, or the documentation (or maybe an FAQ), spelling this out? I
fear this is a trap which is easy to fall into.

[...]

> > Now, what happens if a client configures their browser to use the
> > cache to access the cachemgr.cgi script? The web server then sees the
> > request coming to it from localhost [...]

> And? localhost should not be allowed to access cachemgr.cgi I think if
> you are using IP based access controls..

Hmmm: this would then imply that e.g. an admin logged on to the
host where the server is running would be denied access to the
cachemgr interface.

Wouldn't it be possible/preferable to adjust the squid configuration
so that it refused to proxy a request to access the cachemgr CGI?
Something with url_pattern in an acl, say?

Then there would be no need to block localhost access in the web
server.

Thanks for the other suggestions.

all the best
Received on Sat Sep 15 2001 - 11:29:43 MDT
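
The check below is an added example, not part of the original message or of Squid itself. It audits a squid.conf for the rule proposed above: a deny on the cachemgr CGI path, using Squid's `urlpath_regex` ACL type, placed ahead of any allow rule. The sample configurations, the ACL name `cachemgr_cgi`, the client network and the `/cgi-bin/` path are constructed assumptions.

```python
import re

# Constructed sample configs (not from the original post). The ACL name
# "cachemgr_cgi" and the /cgi-bin/ path are assumptions for illustration.
WEAK_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl ourclients src 192.0.2.0/24
http_access allow ourclients
http_access deny all
"""

HARDENED_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl ourclients src 192.0.2.0/24
acl cachemgr_cgi urlpath_regex -i /cachemgr\\.cgi
http_access deny cachemgr_cgi
http_access allow ourclients
http_access deny all
"""

def path_acls(conf, url_path):
    """Names of urlpath_regex ACLs with a pattern that matches url_path."""
    names = set()
    for line in conf.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "acl" or fields[2] != "urlpath_regex":
            continue
        flags = re.I if "-i" in fields[3:] else 0
        patterns = [a for a in fields[3:] if a != "-i"]
        if any(re.search(p, url_path, flags) for p in patterns):
            names.add(fields[1])
    return names

def blocks_cachemgr(conf, url_path="/cgi-bin/cachemgr.cgi"):
    """True if a deny on a matching path ACL precedes every allow rule.

    Conservative: http_access is first-match-wins, so any allow rule seen
    before the deny is treated as possibly letting the request through.
    """
    matching = path_acls(conf, url_path)
    for line in conf.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "http_access":
            continue
        if fields[1] == "deny" and all(n in matching for n in fields[2:]):
            return True
        if fields[1] == "allow":
            return False
    return False
```

With the deny in place, a client that points its browser at the proxy is refused before the request reaches the web server, so the web server's own rules can keep allowing localhost.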
