Re: cachemgr.cgi & security???

From: Balint Nagy Endre <bne@dont-contact.us>
Date: Tue, 29 Oct 1996 00:13:00 +0100 (MET)

>
> Hello and thanks for your answers!
>
> My question was:
> >> I just realised something. Even if I put access control on my own
> >> cachemgr.cgi so that only I can use it, people outside of us can
> >> use their own cachemgr.cgi and access information about my Squid-server
> >> by giving my server's FQDN and port.
> >>
> >> Please tell me I have gone completely crazy and this is impossible.
> >> Or what I can do about it.
>
> 22:36 1996-10-26 +1000 Tom Minchin <tom@iacom.com.au> wrote:
> >Yes. By accessing the cachemgr.cgi that you have given permission to
> >access the cache info object, a user can bypass the ACL protection you
> >have placed on people accessing the cache object from anywhere else.
> >
> >You can avoid this by protecting cachemgr.cgi using your web server
> >security, or change the cgi to something else (security by obscurity).
> >
> >Ideally the cachemgr.cgi should have a builtin check that compares
> >HTTP_HOST with the ACL on Squid.
>
> 07:47 1996-10-28 +0100 Martin Ibert <mib@ppe.bb-data.de> wrote:
> >You have gone completely crazy and this is impossible. At least not as
> >long as you put access control on the cache_object protocol.
> >
> >As far as I understand things, things are meant to work as follows:
> >
> >- Within squid, restrict access to the cache_object protocol to a host
> > which you control.
> >- Within that host's HTTP server, restrict access to your cachemgr.cgi
> > program as needed.
> >
> >Then only you can get at the data, because only you can run the
> >cachemgr.cgi program on the trusted host, and squid won't honor requests
> >coming from other hosts.
>
>
> I don't understand these answers. When I read the cachemgr.cgi-part of the
> FAQ, I thought it said that in squid.conf I allow the squid-server to be
> queried by cachemgr.cgi. Not just my cachemgr.cgi but ANY cachemgr.cgi.
>
> Where did I get it wrong?
The default squid.conf contains:

acl manager proto cache_object
http_access deny manager !localhost

This configuration restricts access to the cache_object protocol
to localhost. If you want to use the Squid host to run cachemgr.cgi, then it's fine;
otherwise you should change localhost to your host using:

acl myhost src a.b.c.d/255.255.255.255
http_access deny manager !myhost

First restrict access to cachemgr.cgi to only the host where you run your browser
(using tcp wrappers if you use an inetd-based httpd, or within httpd if it is standalone).
If you have untrusted users on that machine, then add some password protection
(using your httpd's ACL features) for the cachemgr.cgi.

The whole problem isn't that serious, because stopping squid needs a password,
but that goes in the clear over the wire unless squid, cachemgr.cgi and the browser run on the same host.
I recommend that case, if you are paranoid enough to be a system administrator.
(And don't forget to look around while you type in the password! Someone may watch your fingers!)

Any unclear aspects left?

Andrew. (Endre "Balint" Nagy) <bne@CareNet.hu>
Received on Mon Oct 28 1996 - 16:04:40 MST
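
An added example, not part of the original message or of Squid: a small Python model of the first-match http_access evaluation discussed above, answering whether a cache_object request from a given client address would be served. It handles only "proto" and "src" acl types; the sample configurations, the "myhost" address 192.0.2.10 and the outside address 198.51.100.7 are constructed for illustration.

```python
import ipaddress

def parse(conf):
    """Collect acl definitions and the ordered http_access rules from squid.conf text."""
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] in ("proto", "src"):
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(acls, name, proto, client):
    """True if the request (protocol, client address) matches the named acl."""
    kind, values = acls[name]
    if kind == "proto":
        return proto in values
    addr = ipaddress.ip_address(client)
    return any(addr in ipaddress.ip_network(v, strict=False) for v in values)

def decide(conf, proto, client):
    """Return 'allow' or 'deny' for a request, using first-match http_access order."""
    acls, rules = parse(conf)
    if not rules:
        raise ValueError("no http_access rules to evaluate")
    for action, terms in rules:
        # Every acl on the line must match; a leading '!' negates that acl.
        if all(acl_matches(acls, t.lstrip("!"), proto, client) != t.startswith("!")
               for t in terms):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

# Constructed sample configurations (addresses are documentation ranges).
COMMON = """acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl myhost src 192.0.2.10/255.255.255.255
acl all src 0.0.0.0/0.0.0.0
"""
DEFAULT = COMMON + "http_access deny manager !localhost\nhttp_access allow all\n"
MYHOST = COMMON + "http_access deny manager !myhost\nhttp_access allow all\n"
UNPROTECTED = COMMON + "http_access allow all\n"

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT), ("myhost", MYHOST), ("unprotected", UNPROTECTED)):
        for client in ("127.0.0.1", "192.0.2.10", "198.51.100.7"):
            print(name, client, decide(conf, "cache_object", client))
```

Only the configuration without a "deny manager" line answers a cache_object request from the outside address, which is the case the original question was worried about.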

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:33:23 MST