[squid-users] Manager access for statistics
Amos Jeffries
squid3 at treenet.co.nz
Sun Oct 29 11:54:27 UTC 2017
On 29/10/17 20:02, James Moe wrote:
> Hello,
> opensuse v42.2
> linux v4.4.87-18.29-default x86_64
> squid v3.5.21
>
> On occasion I look at the squid statistics; it has been a while since
> I last checked them, at least a month. The request was denied as not
> having access privileges. I do not see why it is now being denied.
> My understanding is that the ACL names "manager" and "manager_admin"
> would be allowed since they are first in the list (see below).
> What have I misunderstood?
>
> http://proxy1.sma.com:3128/squid-internal-mgr/info
>
> acl manager url_regex -i ^cache_object:// /squid-internal-mgr/
> acl manager_admin src 192.168.69.115
> #
...
> #
> http_access allow manager_admin manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
> http_access deny all
Two things:
1) 'manager' is a pre-defined ACL. Your redefinition contradicts the
case-sensitive URI path. Best not to re-define it.
2) the current recommended practice is to place the manager ACLs after
the 'CONNECT !SSL_Ports' line.
That does not affect the admin access but prevents several more attack
scenarios against Squid.
3) you are not denying manager access to any of the 'localnet' ranges.
So the whole manager ACL section is pretty pointless.
>
> # Squid normally listens to port 3128
> http_port 3128
>
What does access.log show for the manager request?
The above port is IPv6-enabled but the manager_admin ACL only allows an
IPv4.
Amos
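
Added example, not part of the original message or of the Squid project's documentation: one way to lay out the http_access rules so that they follow the three points in the reply above. It assumes the Safe_ports, SSL_ports and localnet ACLs are defined in the part of the poster's squid.conf that was elided; the IPv6 address is a constructed placeholder.

```conf
# Point 1: no "acl manager ..." line. 'manager' is pre-defined by Squid,
# so only the admin source ACL is declared here.
acl manager_admin src 192.168.69.115

# http_port 3128 is IPv6-enabled. If the admin workstation reaches the
# proxy over IPv6, its IPv6 address has to be listed as well.
# 2001:db8::115 is a constructed documentation address, not from the post.
#acl manager_admin src 2001:db8::115

# Port restrictions come first.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Point 2: manager rules are placed after the 'CONNECT !SSL_ports' line.
http_access allow manager_admin manager

# Point 3: explicitly deny manager requests from everyone else, so the
# later 'allow localnet' rule cannot grant them.
http_access deny manager

http_access allow localnet
http_access deny all
```

The file can be checked with `squid -k parse` before reloading; the access.log entry for the manager request then shows which client address Squid matched against these rules.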