[squid-users] Manager access for statistics

James Moe jimoe at sohnen-moe.com
Sun Oct 29 23:01:28 UTC 2017


On 10/29/2017 04:54 AM, Amos Jeffries wrote:
> 
>> #
>> http_access allow manager_admin manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localnet
>> http_access deny all
> 
> Two things:
> 
> 1) 'manager' is a pre-defined ACL. Your redefinition contradicts the 
> case-sensitive URI path. Best not to re-define it.
> 
  Okay.
  I commented the "manager" line.
> 
> 2) the current recommended practice is to place the manager ACLs after 
> the 'CONNECT !SSL_Ports' line.
>   That does not affect the admin access but prevents several more attack 
> scenarios against Squid.
> 
  Okay.
> 
> 3) you are not denying manager access to any of the 'localnet' ranges. 
> So the whole manager ACL section is pretty pointless.
> 
  I do not understand.

  I made the changes you indicated (that I understood) and restarted
Squid. No change.

# acl manager url_regex -i ^cache_object:// /squid-internal-mgr/

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager_admin
http_access allow manager localhost
http_access deny manager
http_access allow localnet
http_access deny all

> 
> What does access.log show for the manager request?
> The above port is IPv6-enabled but the manager_admin ACL only allows an 
> IPv4.
> 
1509311060.445     15 192.168.69.115 TCP_MISS/403 4464 GET http://proxy1.sma.com:3128/squid-internal-mgr/info - HIER_DIRECT/192.168.69.246 text/html
1509311060.822      0 192.168.69.115 TCP_IMS_HIT/304 311 GET http://sma-server3:3128/squid-internal-static/icons/SN.png - HIER_NONE/- image/png

-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.
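The exchange above turns on Squid's first-match evaluation of http_access lines: the first line whose ACLs all match decides, and if no line matches the opposite of the last line's action applies. The following is an added example, not code from the thread or from the Squid project, that models that evaluation in Python and runs both configurations from the thread through it. The ACL definitions (the localnet range, the manager_admin host address, the Safe_ports and SSL_ports lists) are constructed assumptions for illustration; only the http_access line order is taken from the posted configs.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Tuple

# A request is modelled as a dict with keys: src, method, url, port.
Request = Dict[str, str]
Acl = Callable[[Request], bool]

def src_acl(*cidrs: str) -> Acl:
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda r: any(ipaddress.ip_address(r["src"]) in n for n in nets)

def port_acl(*ports: int) -> Acl:
    return lambda r: int(r["port"]) in ports

def method_acl(*methods: str) -> Acl:
    return lambda r: r["method"] in methods

def url_regex_acl(pattern: str) -> Acl:
    rx = re.compile(pattern)
    return lambda r: rx.search(r["url"]) is not None

# Constructed ACL table (assumptions, not the thread's real squid.conf values).
ACLS: Dict[str, Acl] = {
    "manager": url_regex_acl(r"^cache_object://|/squid-internal-mgr/"),
    "localhost": src_acl("127.0.0.1/32", "::1/128"),
    "localnet": src_acl("192.168.0.0/16"),          # assumed LAN range
    "manager_admin": src_acl("192.168.69.10/32"),   # assumed admin workstation
    "Safe_ports": port_acl(80, 443, 3128),          # assumed subset of the default list
    "SSL_ports": port_acl(443),
    "CONNECT": method_acl("CONNECT"),
    "all": lambda r: True,
}

# Line order of the first config quoted in the thread (no 'deny manager' line).
ORIGINAL_CONF = """
http_access allow manager_admin manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
"""

# Line order of the revised config posted in the reply.
REVISED_CONF = """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager_admin
http_access allow manager localhost
http_access deny manager
http_access allow localnet
http_access deny all
"""

def parse_rules(conf: str) -> List[Tuple[str, List[Tuple[bool, str]]]]:
    """Return [(action, [(positive, acl_name), ...]), ...] for each http_access line."""
    rules = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("http_access"):
            continue
        _, action, *names = line.split()
        terms = [(not n.startswith("!"), n.lstrip("!")) for n in names]
        rules.append((action, terms))
    return rules

def decide(conf: str, req: Request) -> str:
    """First-match semantics: all ACLs on a line must match for the line to apply."""
    rules = parse_rules(conf)
    for action, terms in rules:
        if all(ACLS[name](req) == positive for positive, name in terms):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

def manager_request(src: str) -> Request:
    # Same URL shape as the access.log entry in the thread; source address varies.
    return {"src": src, "method": "GET", "port": "3128",
            "url": "http://proxy1.sma.com:3128/squid-internal-mgr/info"}

if __name__ == "__main__":
    lan_host = manager_request("192.168.69.115")
    for label, conf in (("original", ORIGINAL_CONF), ("revised", REVISED_CONF)):
        print(f"{label}: manager request from LAN host -> {decide(conf, lan_host)}")
```

In the original line order a manager request from any localnet host that is not manager_admin falls through to `allow localnet`, which is the point behind item 3 above; in the revised order `deny manager` is reached first and the same request is refused, while localhost and the admin host still get through. Note that `allow manager_admin` without the `manager` ACL on the same line permits every request from that host, not only manager requests, because the line matches on source address alone.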


