[squid-users] log problem

Amos Jeffries squid3 at treenet.co.nz
Thu Jan 25 01:55:49 UTC 2018


On 25/01/18 14:25, Yuri wrote:
> 
> Everything is a little worse. If you need a password to access the
> cachemanager - it will be shown in the logs.

"worse" implies it was better some time beforehand.

The old manager API is the one which places the password in clear-text in
the URLs. It may not have told you that was what it was doing, but still
the security was really crap.

If you are using the current API with http(s):// URLs they do not
contain any credentials in the URL and you can configure authentication
more secure than Basic to be used by using http_access permissions
instead of the cachemgr_passwd mechanism.


> I believe that this is a bug
> and a hole in security.
> 

Using the old insecure manager API is a hole yes. But not a new one.


> Preventing by ACL can be a workaround, but this is hardly a feature.
> 

This is a backward compatibility feature for people still using tools that
require the old API. Making a crappy insecure API "secure" requires work.

Amos
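
An added example, not part of the original message or of Squid itself: a small audit script that finds access.log lines where an old-API manager URL carried its password in clear text, and writes a redacted copy. It assumes the old API's `cache_object://host/action@password` URL form and Squid's native log layout; the sample lines, hosts and password are constructed.

```python
import re

# Assumed old-API manager URL form: cache_object://host/action@password
# Group 1 is everything up to the action, group 2 is the clear-text password.
MGR_URL = re.compile(r'(cache_object://[^/\s]+/[^@?\s]*)@([^?\s]+)')

# Constructed sample lines in Squid's native access.log layout.
SAMPLE_LOG = """\
1516845349.120      3 127.0.0.1 TCP_MISS/200 4521 GET cache_object://localhost/info@s3cretPW - HIER_NONE/- text/plain
1516845350.004     12 192.0.2.10 TCP_MISS/200 1830 GET http://example.com/index.html - HIER_DIRECT/198.51.100.7 text/html
1516845351.377      2 127.0.0.1 TCP_DENIED/403 3920 GET cache_object://localhost/menu - HIER_NONE/- text/html
1516845352.900      4 192.0.2.77 TCP_MISS/200 998 GET cache_object://proxy.example.net/shutdown@s3cretPW - HIER_NONE/- text/plain
"""


def scan(log_text):
    """Return (findings, redacted_text) for an access.log body.

    findings lists each line that exposed a manager password, with the
    client address and the manager action requested, so the exposure can
    be scoped. The password itself is never copied into the findings.
    """
    findings = []
    redacted = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = MGR_URL.search(line)
        if match:
            fields = line.split()
            # Native format: timestamp, elapsed, client, code/status, ...
            client = fields[2] if len(fields) > 2 else "?"
            action = match.group(1).rsplit("/", 1)[1]
            findings.append({"line": lineno, "client": client, "action": action})
            line = MGR_URL.sub(r"\1@<redacted>", line)
        redacted.append(line)
    return findings, "\n".join(redacted) + "\n"


if __name__ == "__main__":
    hits, clean = scan(SAMPLE_LOG)
    for hit in hits:
        print("line %(line)d: client %(client)s used action '%(action)s' "
              "with a password in the URL" % hit)
    print(clean, end="")
```

Any password this reports should be treated as disclosed to everyone who can read the log or its backups.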

