[squid-users] log problem

Yuri yvoinov at gmail.com
Thu Jan 25 01:59:10 UTC 2018


Amos, this is good news.

Is this clearly documented anywhere, to write a good article in the wiki about it?


25.01.2018 07:55, Amos Jeffries wrote:
> On 25/01/18 14:25, Yuri wrote:
>> Everything is a little worse. If you need a password to access the
>> cachemanager - it will be shown in the logs.
> "worse" implies it was better some time beforehand.
>
> The old manager API is the one which places the password in clear-text in
> the URLs. It may not have told you that was what it was doing, but still
> the security was really crap.
>
> If you are using the current API with http(s):// URLs they do not
> contain any credentials in the URL and you can configure authentication
> more secure than Basic to be used by using http_access permissions
> instead of the cachemgr_passwd mechanism.
>
>
>> I believe that this is a bug
>> and a hole in security.
>>
> Using the old insecure manager API is a hole yes. But not a new one.
>
>
>> Preventing by ACL can be a workaround, but this is hardly a feature.
>>
> This is a backward compatibility feature for people still using tools that
> require the old API. Making a crappy insecure API "secure" requires work.
>
> Amos

-- 
*****************************
* C++20 : Bug to the future *
*****************************
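
The exposure discussed in this thread, as an added example that is not part of the original post and not Squid project code: a small audit that finds legacy cache manager requests carrying a password in access.log lines and redacts them. The URL form `cache_object://host/action@password`, the native log field order, and the sample lines (all constructed) are assumptions.

```python
import re

# Assumed form of the legacy cache manager URL:
#   cache_object://<host>/<action>@<password>
# The thread only states that the old API puts the password in the URL.
LEGACY_MGR = re.compile(r"(cache_object://[^/\s]+/[^@\s]*)@(\S+)")

# Constructed sample lines in Squid's native access.log layout (assumed):
# time elapsed client code/status bytes method URL ident hierarchy type
SAMPLE_LOG = [
    "1516845550.101      0 127.0.0.1 TCP_MISS/200 4521 GET "
    "cache_object://localhost/info@ExamplePass1 - HIER_NONE/- text/plain",
    "1516845551.202      1 127.0.0.1 TCP_MISS/200 812 GET "
    "cache_object://localhost/menu - HIER_NONE/- text/plain",
    "1516845552.303     45 192.0.2.10 TCP_MISS/200 1043 GET "
    "http://example.com/page?mail=a@b.example - HIER_DIRECT/203.0.113.5 text/html",
    "1516845553.404      0 192.0.2.77 TCP_MISS/200 99 GET "
    "cache_object://proxy.example/shutdown@ExamplePass2 - HIER_NONE/- text/plain",
]


def scrub_line(line):
    """Return (redacted_line, leaked) for a single log line."""
    redacted, count = LEGACY_MGR.subn(r"\1@<redacted>", line)
    return redacted, count > 0


def audit(lines):
    """Redact all lines; report (line number, client) for each exposure."""
    clean, findings = [], []
    for lineno, line in enumerate(lines, 1):
        redacted, leaked = scrub_line(line)
        clean.append(redacted)
        if leaked:
            fields = line.split()
            # Third whitespace-separated field is the client address.
            client = fields[2] if len(fields) > 2 else "?"
            findings.append((lineno, client))
    return clean, findings


if __name__ == "__main__":
    clean, findings = audit(SAMPLE_LOG)
    for lineno, client in findings:
        print(f"line {lineno}: manager password logged (client {client})")
    print("\n".join(clean))
```

Any password the audit reports has already been written to disk in clear text, so it should be changed and the affected log files and their copies cleaned up.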


