[squid-users] Manager access for statistics
James Moe
jimoe at sohnen-moe.com
Sun Oct 29 23:01:28 UTC 2017
On 10/29/2017 04:54 AM, Amos Jeffries wrote:
>
>> #
>> http_access allow manager_admin manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localnet
>> http_access deny all
>
> Two things:
>
> 1) 'manager' is a pre-defined ACL. Your redefinition contradicts the
> case sensitive URI path. Best not to re-define it.
>
Okay.
I commented the "manager" line.
>
> 2) the current recommended practice is to place the manager ACLs after
> the 'CONNECT !SSL_Ports' line.
> That does not affect the admin access but prevents several more attack
> scenarios against Squid.
>
Okay.
>
> 3) you are not denying manager access to any of the 'localnet' ranges.
> So the whole manager ACL section is pretty pointless.
>
I do not understand.
I made the changes you indicated (that I understood) and restarted
Squid. No change.
# acl manager url_regex -i ^cache_object:// /squid-internal-mgr/
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager_admin
http_access allow manager localhost
http_access deny manager
http_access allow localnet
http_access deny all
>
> What does access.log show for the manager request?
> The above port is IPv6-enabled but the manager_admin ACL only allows an
> IPv4.
>
1509311060.445 15 192.168.69.115 TCP_MISS/403 4464 GET http://proxy1.sma.com:3128/squid-internal-mgr/info - HIER_DIRECT/192.168.69.246 text/html
1509311060.822 0 192.168.69.115 TCP_IMS_HIT/304 311 GET http://sma-server3:3128/squid-internal-static/icons/SN.png - HIER_NONE/- image/png
--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.
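
Point 3 in the quoted reply follows from http_access being evaluated first-match, with the ACLs on one line ANDed together. The sketch below is an added example, not part of the thread or of Squid itself: it walks the two rule orders shown in the message for a manager request. The ACL definitions and every client address in it are constructed assumptions, since the thread does not show them.

```python
import ipaddress

# Simplified stand-ins for the ACLs named in the thread. Their definitions are
# assumptions (the thread does not show them) and every address is constructed.
NET = ipaddress.ip_network("192.168.0.0/16")
ADMIN = ipaddress.ip_address("192.168.69.10")
ACLS = {
    "all": lambda r: True,
    "localhost": lambda r: r["src"].is_loopback,
    "localnet": lambda r: r["src"] in NET,
    "manager_admin": lambda r: r["src"] == ADMIN,
    "manager": lambda r: r["path"].startswith("/squid-internal-mgr/"),
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "Safe_ports": lambda r: r["port"] in {80, 443, 3128},
    "SSL_ports": lambda r: r["port"] == 443,
}

# Rule order first posted, with no "deny manager" line.
ORIGINAL = """
http_access allow manager_admin manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
"""

# Rule order after the changes described in the message.
REVISED = """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager_admin
http_access allow manager localhost
http_access deny manager
http_access allow localnet
http_access deny all
"""

def evaluate(rules, req):
    """Return (action, line) for the first line whose ACLs all match."""
    for line in rules.strip().splitlines():
        _, action, *names = line.split()
        # A leading "!" negates the ACL; all ACLs on the line must match.
        if all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action, line
    return None, None  # unreachable here: both rule sets end in "deny all"

def request(src, method="GET", port=3128, path="/squid-internal-mgr/info"):
    return {"src": ipaddress.ip_address(src), "method": method,
            "port": port, "path": path}
```

With the first order, a non-admin localnet client falls through to `allow localnet` and reaches the manager pages; with the second, the same request stops at `deny manager`.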