Re: [squid-users] Access control with cachemgr.cgi

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sat, 15 Sep 2001 20:02:48 +0200

"Alan J. Flavell" wrote:

> > And? localhost should not be allowed to access cachemgr.cgi I think if
> > you are using IP based access controls..
>
> Hmmm: this would then imply that e.g. an admin logged on to the
> host where the server is running would be denied access to the
> cachemgr interface.

It does, but as one should not run things on a server in the first place
this should not be a problem.

If you need to allow it, then make sure to block proxying to localhost
in squid.conf.

acl to_localhost dst 127.0.0.0/8
http_access deny to_localhost

This protects you from a number of similar issues with other services
running on localhost, not only cachemgr.cgi.

--
Henrik Nordstrom
Squid Hacker
Received on Sat Sep 15 2001 - 12:09:14 MDT
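
Added example, not part of the original message: Squid checks http_access rules in file order and stops at the first match, so the deny rule above only covers requests that no earlier allow rule has already matched. The Python check below reads a squid.conf and reports whether such a deny exists and which allow rules come before it; the ACL name our_net and the three sample configurations are constructed for illustration.

```python
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def parse(conf):
    """Collect 'acl NAME dst ...' networks and http_access rules, in file order."""
    dst_acls, rules = {}, []
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "dst":
            for value in tok[3:]:
                try:
                    net = ipaddress.ip_network(value, strict=False)
                except ValueError:
                    continue  # hostnames and address ranges are not evaluated here
                dst_acls.setdefault(tok[1], []).append(net)
        elif len(tok) >= 3 and tok[0] == "http_access" and tok[1] in ("allow", "deny"):
            rules.append((tok[1], tok[2:]))
    return dst_acls, rules

def covers_loopback(nets):
    """True if any IPv4 network in the ACL contains all of 127.0.0.0/8."""
    return any(n.version == 4 and LOOPBACK.subnet_of(n) for n in nets)

def audit(conf):
    """Return (deny_found, allow rules evaluated before that deny)."""
    dst_acls, rules = parse(conf)
    earlier_allows = []
    for action, acls in rules:
        # Only a deny whose sole condition is a dst ACL covering 127.0.0.0/8 counts.
        if action == "deny" and len(acls) == 1 and covers_loopback(dst_acls.get(acls[0], [])):
            return True, earlier_allows
        if action == "allow":
            earlier_allows.append(" ".join(acls))
    return False, earlier_allows

# Constructed sample configurations (our_net is a made-up ACL name).
ACLS = ("acl all src 0.0.0.0/0.0.0.0\n"
        "acl our_net src 192.168.0.0/16\n"
        "acl to_localhost dst 127.0.0.0/8\n")
EARLY = ACLS + "http_access deny to_localhost\nhttp_access allow our_net\nhttp_access deny all\n"
LATE = ACLS + "http_access allow our_net\nhttp_access deny to_localhost\nhttp_access deny all\n"
MISSING = ACLS + "http_access allow our_net\nhttp_access deny all\n"

if __name__ == "__main__":
    for name, conf in (("EARLY", EARLY), ("LATE", LATE), ("MISSING", MISSING)):
        found, allows = audit(conf)
        print(f"{name}: loopback deny present={found}, allow rules before it={allows}")
```

Any allow rule listed in the second value is evaluated before the loopback deny and should be reviewed by hand, since a request it matches is never tested against to_localhost.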
