[squid-users] Container Based Issues Lock Down Password and Terminate SSL
Jonathan Lee
jonathanlee571 at gmail.com
Wed Apr 24 05:27:20 UTC 2024
Hello fellow Squid users, I wanted to ask a quick question. For use with termination, would http access for cache still work with this type of setup and custom refresh patterns?
I think it would terminate all but the clients, and if they use the cache it would be OK.
But I think an invasive container would be blocked, which is my goal here.
acl markBumped annotate_client bumped=true
acl active_use annotate_client active=true
acl bump_only src 192.168.1.3 #webtv
acl bump_only src 192.168.1.4 #toshiba
acl bump_only src 192.168.1.5 #imac
acl bump_only src 192.168.1.9 #macbook
acl bump_only src 192.168.1.13 #dell
acl bump_only_mac arp macaddresshere
acl bump_only_mac arp macaddresshere
acl bump_only_mac arp macaddresshere
acl bump_only_mac arp macaddresshere
acl bump_only_mac arp macaddresshere
ssl_bump peek step1
miss_access deny no_miss active_use
ssl_bump splice https_login active_use
ssl_bump splice splice_only_mac splice_only active_use
ssl_bump splice NoBumpDNS active_use
ssl_bump splice NoSSLIntercept active_use
ssl_bump bump bump_only_mac bump_only active_use
acl activated note active_use true
ssl_bump terminate !activated
Sent from my iPhone
> On Apr 23, 2024, at 01:03, Amos Jeffries <squid3 at treenet.co.nz> wrote:
>
> On 23/04/24 11:52, Jonathan Lee wrote:
>> Hello fellow Squid Accelerator/Dynamic Cache/Web Cache users/pfSense users
>> I think this might resolve any container-based issues/fears if they happened to get into the cache. I.e. a Docker proxy got installed and tried to data marshal the network card inside of a FreeBSD jail or something like that. Biggest fear with my cache; it is a big cache now.
>> Please let me know what you think or if it is wrong.
>> Here is my configuration. I wanted to share it as it might help to secure some of this.
>
> FTR, this config was auto-generated by pfSense. A number of things which that tool forces into the config could be done much better in the latest Squid, but the tool does not do so, due to needing to support older Squid versions.
>
>
>> Keep in mind I use cachemgr.cgi within Squidlight, so I had to set the password, and I also have to adapt the PHP status file to include the password and also the sqlight PHP file.
>> After that the status and GUI pages still work with the new password. The only issue is that it shows up in clear text when it goes over the proxy; I can see my password clear as day. That was an issue listed inside the Squid O'Reilly book also.
>
>
> Please ensure you are using the latest Squid v6 release. That release has both a number of security fixes, and working https:// URL access to the manager reports.
>
> The cachemgr.cgi tool is deprecated for a number of issues, including that style of embedding passwords in the URLs.
>
> Francesco and I have created a tool that can be found at <https://github.com/yadij/cachemgr.js/blob/master/README.md> for basic access to the reports directly from the browser.
> That tool uses HTTP authentication, configured via the well-documented proxy_auth ACLs and http_access, for more secure access than the old URL-based mechanism (which still exists, just deprecated).
>
>
>
> Cheers
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users
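To make Amos's point concrete, the squid.conf fragment below is an added example written for this archive page; it is not configuration from either poster nor from the cachemgr.js project. It gates the built-in `manager` ACL behind HTTP Basic authentication and disables the old URL-embedded `cachemgr_passwd` mechanism that leaked the password in clear text. The helper path (`/usr/lib/squid/basic_ncsa_auth`), the password file name, the `mgr_admins` and `localnet` ACL names, and the 192.168.1.0/24 range are assumptions chosen for the example.

```conf
# Added example (not the thread's or cachemgr.js's own config).
# Goal: reach the cache manager reports with HTTP authentication
# instead of a password embedded in the cachemgr.cgi URL.

# Basic auth against an htpasswd-style file. Helper path is an
# assumption; it differs between distributions.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/mgr_passwd
auth_param basic realm Squid cache manager
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive on

# Only authenticated users may touch the manager interface.
# 'manager' is Squid's built-in ACL for cache_object:// and
# /squid-internal-mgr/ requests; do not redefine it.
acl mgr_admins proxy_auth REQUIRED
acl localnet src 192.168.1.0/24     # assumed LAN range

# Order matters: manager rules go before the general client rules.
http_access allow manager localhost
http_access allow manager localnet mgr_admins
http_access deny manager

# Retire the deprecated URL-password path so no report (or the
# password itself) can be reached that way any more.
cachemgr_passwd disable all

# Ordinary proxy traffic continues below as before.
http_access deny !Safe_ports
http_access allow localnet
http_access deny all
```

Basic authentication still carries the credentials in an `Authorization:` header, so when the browser talks to the proxy over plain HTTP the password is as visible on the wire as the old URL form was; pair this with the https:// manager access that Amos notes works in Squid v6 (an `https_port`), or restrict `mgr_admins` to a host where the path between browser and proxy is trusted. The `deny manager` line is the check worth keeping even if nothing else is adopted: without it, any client that can reach the proxy can request the reports.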