Re: cache manager access

From: Doug Urner <dlu@dont-contact.us>
Date: Wed, 14 Aug 1996 15:57:15 -0700

>I'm having trouble understanding the format of acl commands. The default
>configuration file, with "http_access deny manager !localhost" made the
>manager inaccessible from anywhere, so I defined a new aclname thus:
>
>acl ns srcdomain .ns.utk.edu .cs.utk.edu
>http_access deny manager !ns
>
>I thought that this would make the manager accessible to clients from the
>two domains specified, but it actually made it accessible from every
>domain I have been able to test. I also tried
>
>acl ns srcdomain ns.utk.edu cs.utk.edu (no leading dots)
>
>but I can still access the manager functions from outside these domains.
>I don't understand the format of the http_access statement, as "manager"
>seems to take the role of an object, while "!ns" takes the role of a
>specifier. No such roles are given in the format description.
>
>I have enabled fqdn_log as per the Release Notes.
>
>So how should I accomplish what I am trying to do? Thanks.

There are two parts to configuring the access controls on the cache
manager. The first is to tell squid which cache managers it should
listen to; this you do in squid.conf. You've told it to listen to any
cachemgr in .ns.utk.edu and .cs.utk.edu.

The next step is to tell the web servers running cachemgr.cgi whom
they will talk to. It looks like yours is wide open, so it will let
anybody connect. Since the cgi process is connecting from within one
of the allowed domains, squid grants access. Tell your web server not
to do this and you've got it made. Something like this for Apache:

        # In httpd.conf
        ScriptAlias /squid-status /var/www/squid/bin/cachemgr.cgi
        
        # In access.conf
        <Location /squid-status>
                <Limit GET>
                        order deny,allow
                        deny from all
                        allow from .bsdi.com
                </Limit>
        </Location>

Doug

--
Douglas L. Urner, dlu@bsdi.com, +1.503.231.4881
Received on Wed Aug 14 1996 - 15:59:39 MDT
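
The two-hop path described in the reply above, as an added example that is not part of the original thread and is not Squid code: a simplified Python model of how an http_access line is evaluated (all ACLs on a line must match, the first matching line decides, and if none match the result is the opposite of the last line) and why Squid only ever sees the host running cachemgr.cgi. The hostnames, the Request shape, the suffix-style srcdomain match and the web-server filter reusing the same two domains are assumptions made for illustration.

```python
# Simplified model of Squid http_access evaluation (illustrative, not Squid's code).
# Hostnames below are constructed sample values.
from dataclasses import dataclass

DOMAINS = [".ns.utk.edu", ".cs.utk.edu"]  # from the "acl ns srcdomain" line

@dataclass
class Request:
    src_host: str     # host that opened the connection to Squid
    is_manager: bool  # True for cache manager requests (the "manager" acl)

def in_domains(host, domains=DOMAINS):
    """srcdomain-style match: the domain itself or any host beneath it."""
    host = host.lower()
    return any(host == d.lstrip(".") or host.endswith("." + d.lstrip("."))
               for d in domains)

ACLS = {
    "manager": lambda r: r.is_manager,
    "ns": lambda r: in_domains(r.src_host),
}

# http_access deny manager !ns
RULES = [("deny", ["manager", "!ns"])]

def http_access(req, rules=RULES, acls=ACLS):
    """First line whose ACLs ALL match decides; otherwise opposite of last line."""
    for action, names in rules:
        if all(acls[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"

def via_cgi(browser_host, cgi_host, cgi_open=True):
    """Browser -> web server running cachemgr.cgi -> Squid.
    Squid sees only cgi_host; the browser is filtered, if at all, by the web server."""
    if not cgi_open and not in_domains(browser_host):
        return "deny"  # web server refused the request before the CGI ran
    return http_access(Request(cgi_host, True))

if __name__ == "__main__":
    outside, cgi = "dialup.example.net", "www.cs.utk.edu"
    print("direct from outside:      ", http_access(Request(outside, True)))
    print("outside via open CGI:     ", via_cgi(outside, cgi))
    print("outside via restricted CGI:", via_cgi(outside, cgi, cgi_open=False))
```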
