[squid-users] Access control with cachemgr.cgi

From: Alan J. Flavell <flavell@dont-contact.us>
Date: Sat, 15 Sep 2001 17:07:09 +0100 (BST)

I think I may have been suffering from conceptual error... Perhaps
other people have fallen into the same trap, so I'll stick my head up
and admit it, even at risk of making myself look silly (I scanned the
mailing list, but didn't see this issue discussed).

I had set the squid configuration so that management access was only
permitted from localhost. But then I was surprised to find I could
access the management function from anywhere.

Looking at the access log, all of the accesses to these cache objects
are logged as being from 127.0.0.1.

Am I now right in thinking: the squid configuration file only controls
access to the management functions in terms of where the cachemgr.cgi
program is located? Not in terms of where the client is making the
request from? Thus, if I allow folks from anywhere to access the URL
/cgi-bin/cachemgr.cgi on the host where squid is running, then anyone,
anywhere, can get access to the function. (Yes, I do know that access
can be controlled by user name and password, that's not what I'm
concerned with here).

Maybe we should control access to our copy of cachemgr.cgi by means of
a <Files...> bracket in our web server, denying access by caller IP.

Or am I still befuddled?

Now, what happens if a client configures their browser to use the
cache to access the cachemgr.cgi script? The web server then sees the
request coming to it from localhost (because the request is being
proxied through squid on the same machine), and so it permits access.
The user submits the manager request form, and the cache software then
sees the cachemgr request coming from localhost, so it too permits the
access. I tried it, and this is what seems to happen.

It seems that neither the squid configuration, nor the server <Files>
bracket, can prevent access to the management interface by anyone who
is allowed to use the cache proxy.

Or am I misinterpreting my observations?

(Version is 2.4.STABLE1, if this is an issue. I guess it's obvious
from the context that this is about a host which runs both a web
server, Apache, on port 80, and a cache proxy, squid, on another port
number).

cheers
Received on Sat Sep 15 2001 - 10:07:12 MDT
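A defender-side illustration of the situation described in the post above, added here and not part of the original message: Apache only ever sees 127.0.0.1 for the proxied request, but Squid's own access.log still records the real client that fetched /cgi-bin/cachemgr.cgi through the proxy, so pairing that line with the loopback cache_object:// manager request that follows it exposes the true origin. The sample log lines, the Squid native log field order, and the 5-second pairing window are constructed assumptions for this example.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed Squid native access.log lines: timestamp, elapsed ms, client,
# result/status, bytes, method, URL, ident, hierarchy/peer, content type.
SAMPLE_LOG = """\
1000566429.101    312 192.0.2.77 TCP_MISS/200 2210 GET http://proxy.example.org/cgi-bin/cachemgr.cgi - DIRECT/127.0.0.1 text/html
1000566430.455     12 127.0.0.1 TCP_MISS/200 4096 GET cache_object://localhost/info - NONE/- text/plain
1000566501.200     15 127.0.0.1 TCP_MISS/200 1800 GET cache_object://localhost/menu - NONE/- text/plain
1000566540.900    201 198.51.100.5 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/203.0.113.9 text/html
"""

Entry = namedtuple("Entry", "ts client method url")
# Capture timestamp, client address, method and URL; skip the other fields.
LINE_RE = re.compile(r"^(\S+)\s+\S+\s+(\S+)\s+\S+\s+\S+\s+(\S+)\s+(\S+)")


def parse(log_text):
    """Parse native-format lines into Entry tuples, ignoring malformed ones."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(float(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return entries


def is_local(addr):
    """True for loopback addresses, which is all Apache ever sees here."""
    return ipaddress.ip_address(addr).is_loopback


def suspicious_manager_access(entries, window=5.0):
    """Return (manager_entry, origin_entry) pairs: a cache_object:// request
    logged from loopback that was preceded within `window` seconds by a fetch
    of cachemgr.cgi through the proxy from a non-loopback client."""
    hits = []
    for i, e in enumerate(entries):
        if not e.url.startswith("cache_object://") or not is_local(e.client):
            continue
        for prev in reversed(entries[:i]):
            if e.ts - prev.ts > window:
                break  # older than the window; stop looking back
            if "cachemgr.cgi" in prev.url and not is_local(prev.client):
                hits.append((e, prev))
                break
    return hits


if __name__ == "__main__":
    for mgr, origin in suspicious_manager_access(parse(SAMPLE_LOG)):
        print(f"{mgr.url} at {mgr.ts:.0f} likely originated from {origin.client}")
```

The menu request in the sample is deliberately 70 seconds after the proxied fetch, so it is not paired; only manager requests that closely follow a proxied cachemgr.cgi fetch are reported.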