Re: cachemgr.cgi & security???

From: Peter Olsson <pol@dont-contact.us>
Date: Mon, 28 Oct 1996 20:54:41 +0100

Hello and thanks for your answers!

My question was:
>> I just realised something. Even if I put access control on my own
>> cachemgr.cgi so that only I can use it, people outside of us can
>> use their own cachemgr.cgi and access information about my Squid-server
>> by giving my server's FQDN and port.
>>
>> Please tell me I have gone completely crazy and this is impossible.
>> Or what I can do about it.

22:36 1996-10-26 +1000 Tom Minchin <tom@iacom.com.au> wrote:
>Yes. By accessing the cachemgr.cgi that you have given permission to
>access the cache info object, a user can bypass the ACL protection you
>have placed on people accessing the cache object from anywhere else.
>
>You can avoid this by protecting cachemgr.cgi using your web server
>security, or change the cgi to something else (security by obscurity).
>
>Ideally the cachemgr.cgi should have a builtin check that compares
>HTTP_HOST with the ACL on Squid.

07:47 1996-10-28 +0100 Martin Ibert <mib@ppe.bb-data.de> wrote:
>You have gone completely crazy and this is impossible. At least not as
>long as you put access control on the cache_object protocol.
>
>As far as I understand things, things are meant to work as follows:
>
>- Within squid, restrict access to the cache_object protocol to a host
> which you control.
>- Within that host's HTTP server, restrict access to your cachemgr.cgi
> program as needed.
>
>Then only you can get at the data, because only you can run the
>cachemgr.cgi program on the trusted host, and squid won't honor requests
>coming from other hosts.

I don't understand these answers. When I read the cachemgr.cgi-part of the
FAQ, I thought it said that in squid.conf I allow the squid-server to be
queried by cachemgr.cgi. Not just my cachemgr.cgi but ANY cachemgr.cgi.

Where did I get it wrong?

Thanks for your time!
-----------------------------------------------------------------
Peter Olsson                   Email: pol@leissner.se
Leissner Data AB, Sweden       Phone: +46 520 200 00
                               Fax:   +46 520 200 89
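The point the two replies make, shown as a squid.conf fragment. This is an added illustration, not from the thread; it uses the ACL syntax of later Squid releases (2.x style), and the web-server address and password are placeholders.

```conf
# Added example (not from the original thread). Squid decides whether to
# honour a cache_object request by the source address of the client that
# sends it, i.e. the host on which *whatever* cachemgr.cgi was used runs.
# So the ACL does not say "my cachemgr.cgi may ask", it says "this host may ask".

# The worrying form: every host that can reach the proxy port may query the
# manager interface, so anyone's cachemgr.cgi pointed at your FQDN:port works.
#   acl manager proto cache_object
#   http_access allow manager

# The intended form: only the web server you control (placeholder address)
# may speak cache_object; the manager interface is refused to all others.
acl manager proto cache_object
acl mgr_host src 192.0.2.10/255.255.255.255
http_access allow manager mgr_host
http_access deny manager

# Optional second layer in later Squid releases: require a password for
# manager actions, which cachemgr.cgi prompts for (placeholder value).
cachemgr_passwd CHANGE_ME all
```

Access to your own cachemgr.cgi on that host is then limited separately in the web server's configuration, as the replies describe.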
Received on Mon Oct 28 1996 - 11:55:30 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:33:23 MST