RE: [squid-users] cache manager access from web

From: J. Webster <webster_jack_at_hotmail.com>
Date: Wed, 10 Feb 2010 10:57:58 +0000

> As a side note....
>
>> http_access allow ncsa_users
>> http_access allow manager localhost
>> http_access allow manager cacheadmin
>> http_access deny manager
>
> cache_manager access (any access, really) is already allowed to
> ncsa_users, no matter if they are accessing from localhost,
> 88.xxx.xxx.xx9 or any other IP. You might want to have a gander at the
> FAQ section on ACLs (http://wiki.squid-cache.org/SquidFaq/SquidAcl).

Doesn't the fact that the manager needs a password in the previous config lines mean that they can't access it?
The ncsa_users is only for http access?

----------------------------------------
> Date: Tue, 9 Feb 2010 16:14:31 -0900
> From: crobertson_at_gci.net
> To: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] cache manager access from web
>
> Amos Jeffries wrote:
>> J. Webster wrote:
>>> I have followed the tutorial here:
>>> http://wiki.squid-cache.org/SquidFaq/CacheManager
>>> and set up acls to access the cache manager cgi on my server. I have
>>> to access this externally for the moment as that is the only access
>>> to the server that I have (SSH or web). The cache manager login
>>> appears when I access: http://myexternalipaddress/cgi-bin/cachemgr.cgi
>>> I have set the cache manager login and password in the squid.conf
>>> # TAG: cache_mgr
>>> # Email-address of local cache manager who will receive
>>> # mail if the cache dies. The default is "root".
>>> #
>>> #Default:
>>> # cache_mgr root
>>> cache_mgr aaa_at_aaa.com
>>> cachemgr_passwd aaa all
>>> #Recommended minimum configuration:
>>> acl all src 0.0.0.0/0.0.0.0
>>> acl manager proto cache_object
>>> acl localhost src 127.0.0.1/255.255.255.255
>>> acl cacheadmin src 88.xxx.xxx.xx9/255.255.255.255 #external IP address?
>>
>> You don't need the /255.255.255.255 bit. Just a single IP address will
>> do.
>>
>>> acl to_localhost dst 127.0.0.0/8
>>> # Only allow cachemgr access from localhost
>
> As a side note....
>
>>> http_access allow ncsa_users
>>> http_access allow manager localhost
>>> http_access allow manager cacheadmin
>>> http_access deny manager
>
> cache_manager access (any access, really) is already allowed to
> ncsa_users, no matter if they are accessing from localhost,
> 88.xxx.xxx.xx9 or any other IP. You might want to have a gander at the
> FAQ section on ACLs (http://wiki.squid-cache.org/SquidFaq/SquidAcl).
>
>>>
>>> However, whenever I enter the password and select localhost port 8080
>>> from the cgi script I get:
>>> The following error was encountered:
>>> Cache Access Denied.
>>> Sorry, you are not currently allowed to request:
>>> cache_object://localhost/
>>> from this cache until you have authenticated yourself.
>>
>> Looks like the CGI script does its own internal access to Squid to
>> fetch the page data. But does not have the right login details to pass
>> your "http_access allow ncsa_auth" security config.
>>
>> Amos
>
> Chris
>
                                               
Received on Wed Feb 10 2010 - 10:58:05 MST
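
The rule-order point Chris raises and the authentication error Amos diagnoses, as an added example that is not part of the original thread or of Squid's code: a simplified Python model of first-match `http_access` evaluation over the four rules quoted above. The client addresses, the user name, `ADMIN_IP` and the `MANAGER_FIRST` reordering are constructed assumptions, and `cachemgr_passwd` checking is not modelled.

```python
# Added example: simplified model of Squid http_access evaluation (not Squid source).
ALLOW, DENY, CHALLENGE = "allow", "deny", "challenge"
ADMIN_IP = "192.0.2.10"  # constructed placeholder for the masked cacheadmin address

def acl_matches(name, req):
    """True/False, or None when a proxy_auth ACL is checked without credentials."""
    if name == "manager":                      # acl manager proto cache_object
        return req["proto"] == "cache_object"
    if name == "localhost":                    # acl localhost src 127.0.0.1
        return req["src"] == "127.0.0.1"
    if name == "cacheadmin":                   # acl cacheadmin src <admin IP>
        return req["src"] == ADMIN_IP
    if name == "ncsa_users":                   # proxy_auth ACL (any valid login)
        return None if req["user"] is None else True
    raise ValueError(f"unknown ACL {name}")

def http_access(rules, req):
    """First line whose ACLs all match decides; ACLs on a line are ANDed left to right."""
    for action, acls in rules:
        for name in acls:
            result = acl_matches(name, req)
            if result is None:
                return CHALLENGE               # Squid asks for proxy credentials
            if not result:
                break                          # line does not match; try the next one
        else:
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return DENY if rules[-1][0] == ALLOW else ALLOW

# Rule order as quoted in the thread.
PAGE_ORDER = [(ALLOW, ["ncsa_users"]), (ALLOW, ["manager", "localhost"]),
              (ALLOW, ["manager", "cacheadmin"]), (DENY, ["manager"])]
# Assumed reordering (not from the thread): manager lines before the general allow.
MANAGER_FIRST = PAGE_ORDER[1:] + PAGE_ORDER[:1]

REQUESTS = {  # constructed sample requests
    "user, other IP, manager": {"proto": "cache_object", "src": "198.51.100.7", "user": "bob"},
    "cgi on localhost, no login": {"proto": "cache_object", "src": "127.0.0.1", "user": None},
    "admin IP, no login": {"proto": "cache_object", "src": ADMIN_IP, "user": None},
    "user, normal web": {"proto": "http", "src": "198.51.100.7", "user": "bob"},
}

def compare():
    """Map each sample request to (decision with page order, decision with manager first)."""
    return {k: (http_access(PAGE_ORDER, r), http_access(MANAGER_FIRST, r))
            for k, r in REQUESTS.items()}

if __name__ == "__main__":
    for label, (before, after) in compare().items():
        print(f"{label:28} page order: {before:10} manager first: {after}")
```
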

This archive was generated by hypermail 2.2.0 : Thu Feb 11 2010 - 12:00:04 MST