Manager access for statistics


Manager access for statistics

James Moe
Hello,
  opensuse v42.2
  linux v4.4.87-18.29-default x86_64
  squid v3.5.21

  On occasion I look at the squid statistics; it has been a while since
I last checked them, at least a month. The request was denied as not
having access privileges. I do not see why it is now being denied.
  My understanding is that the ACL names "manager" and "manager_admin"
would be allowed since they are first in the list (see below).
  What have I misunderstood?

http://proxy1.sma.com:3128/squid-internal-mgr/info

acl manager url_regex -i ^cache_object:// /squid-internal-mgr/
acl manager_admin src 192.168.69.115
#
acl localnet src 192.168.69.0/24
acl localnet src fc00::/7
acl localnet src fe80::/10
#
acl SSL_ports port 443
acl SSL_ports port 631
#
# Jumpline cPanel ports
acl SSL_ports port 2083
acl SSL_ports port 2096
#
acl SSL_ports port 5000 # NAS
acl SSL_ports port 9100
acl SSL_ports port 10000 # Webmin
#
acl Safe_ports port 563 # nntp
acl Safe_ports port 631 # cups
acl Safe_ports port 9100 # ?network printer?
#
# From the default conf:
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
#
acl CONNECT method CONNECT
#
http_access allow manager_admin manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all

# Squid normally listens to port 3128
http_port 3128

access_log /var/log/squid/access.log


--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users


Re: Manager access for statistics

Amos Jeffries
Administrator


On 29/10/17 20:02, James Moe wrote:

> Hello,
>    opensuse v42.2
>    linux v4.4.87-18.29-default x86_64
>    squid v3.5.21
>
>    On occasion I look at the squid statistics; it has been a while since
> I last checked them, at least a month. The request was denied as not
> having access privileges. I do not see why it is now being denied.
>    My understanding is that the ACL names "manager" and "manager_admin"
> would be allowed since they are first in the list (see below).
>    What have I misunderstood?
>
> http://proxy1.sma.com:3128/squid-internal-mgr/info
>
> acl manager url_regex -i ^cache_object:// /squid-internal-mgr/
> acl manager_admin src 192.168.69.115
> #
...

> #
> http_access allow manager_admin manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
> http_access deny all


Two things:

1) 'manager' is a pre-defined ACL. Your redefinition contradicts the
case-sensitive URI path. Best not to re-define it.


2) the current recommended practice is to place the manager ACLs after
the 'CONNECT !SSL_Ports' line.
  That does not affect the admin access but prevents several more attack
scenarios against Squid.


3) you are not denying manager access to any of the 'localnet' ranges.
So the whole manager ACL section is pretty pointless.


>
> # Squid normally listens to port 3128
> http_port 3128
>

What does access.log show for the manager request?
The above port is IPv6-enabled but the manager_admin ACL only allows an
IPv4.


Amos

Re: Manager access for statistics

James Moe
On 10/29/2017 04:54 AM, Amos Jeffries wrote:

>
>> #
>> http_access allow manager_admin manager
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localnet
>> http_access deny all
>
> Two things:
>
> 1) 'manager' is a pre-defined ACL. Your redefinition contradicts the
> case-sensitive URI path. Best not to re-define it.
>
  Okay.
  I commented the "manager" line.
>
> 2) the current recommended practice is to place the manager ACLs after
> the 'CONNECT !SSL_Ports' line.
>   That does not affect the admin access but prevents several more attack
> scenarios against Squid.
>
  Okay.
>
> 3) you are not denying manager access to any of the 'localnet' ranges.
> So the whole manager ACL section is pretty pointless.
>
  I do not understand.

  I made the changes you indicated (that I understood) and restarted
Squid. No change.

# acl manager url_regex -i ^cache_object:// /squid-internal-mgr/

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager_admin
http_access allow manager localhost
http_access deny manager
http_access allow localnet
http_access deny all

>
> What does access.log show for the manager request?
> The above port is IPv6-enabled but the manager_admin ACL only allows an
> IPv4.
>
1509311060.445     15 192.168.69.115 TCP_MISS/403 4464 GET http://proxy1.sma.com:3128/squid-internal-mgr/info - HIER_DIRECT/192.168.69.246 text/html
1509311060.822      0 192.168.69.115 TCP_IMS_HIT/304 311 GET http://sma-server3:3128/squid-internal-static/icons/SN.png - HIER_NONE/- image/png


Re: Manager access for statistics

Amos Jeffries
Administrator
On 30/10/17 12:01, James Moe wrote:

> On 10/29/2017 04:54 AM, Amos Jeffries wrote:
>>
>>
>> What does access.log show for the manager request?
>> The above port is IPv6-enabled but the manager_admin ACL only allows an
>> IPv4.
>>
> 1509311060.445     15 192.168.69.115 TCP_MISS/403 4464 GET http://proxy1.sma.com:3128/squid-internal-mgr/info - HIER_DIRECT/192.168.69.246 text/html
> 1509311060.822      0 192.168.69.115 TCP_IMS_HIT/304 311 GET http://sma-server3:3128/squid-internal-static/icons/SN.png - HIER_NONE/- image/png
>

Responses which are generated by your Squid will all have that
"HIER_NONE/-" tag on their access.log lines. Because Squid generated the
response no upstream server was involved.


The manager report request got passed on upstream to some server at
192.168.69.246 which appears to think its public domain name / hostname
is "sma-server3".

Between them these entries appear to be saying that you have very
probably configured the Squid machine's host name as "sma-server3"
instead of "proxy1.sma.com". That would make the mgr request enter a
forwarding loop when your Squid passes it on instead of generating the
wanted report.


Amos
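The diagnostic Amos describes above (a manager request that should carry HIER_NONE but shows HIER_DIRECT to an upstream peer) can be checked mechanically. The following is an added example, not code from the thread or from the Squid project: it parses native-format access.log lines and flags /squid-internal-mgr/ or cache_object:// requests that Squid forwarded instead of answering itself. The sample log lines are constructed, modelled on the two posted in the thread.

```python
"""Flag Squid cache-manager requests that were forwarded upstream (added example)."""
import re
from urllib.parse import urlsplit

# Native access.log layout: time elapsed client code/status bytes method URL user hier/peer type
_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)

def parse_line(line):
    """Return the fields of one native-format line as a dict, or None if it does not parse."""
    m = _LINE.match(line.strip())
    return m.groupdict() if m else None

def is_manager_request(url):
    # Both manager URL forms Squid accepts (the same two the thread's url_regex matched)
    return url.startswith("cache_object://") or urlsplit(url).path.startswith("/squid-internal-mgr/")

def audit(lines):
    """Return (client, url, verdict) for every manager request found in the log lines."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_manager_request(rec["url"]):
            continue
        if rec["hier"] != "HIER_NONE":
            # Squid proxied the request to a peer: the hostname/loop problem discussed above
            verdict = (f"forwarded upstream to {rec['peer']} "
                       "(expected HIER_NONE; check the proxy's hostname and http_port)")
        elif rec["status"] == "403":
            verdict = "denied locally by http_access"
        else:
            verdict = "served locally"
        findings.append((rec["client"], rec["url"], verdict))
    return findings

# Constructed sample lines (hypothetical), modelled on the ones posted in the thread
SAMPLE = """\
1509311060.445     15 192.168.69.115 TCP_MISS/403 4464 GET http://proxy1.sma.com:3128/squid-internal-mgr/info - HIER_DIRECT/192.168.69.246 text/html
1509311060.822      0 192.168.69.115 TCP_IMS_HIT/304 311 GET http://sma-server3:3128/squid-internal-static/icons/SN.png - HIER_NONE/- image/png
1509311099.100      2 192.168.69.115 TCP_MISS/200 9876 GET http://proxy1.sma.com:3128/squid-internal-mgr/info - HIER_NONE/- text/plain
1509311120.000      1 192.168.69.50 TCP_DENIED/403 3700 GET cache_object://proxy1.sma.com/info - HIER_NONE/- text/html
"""

if __name__ == "__main__":
    for client, url, verdict in audit(SAMPLE.splitlines()):
        print(f"{client} {url}: {verdict}")
```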

Re: Manager access for statistics

James Moe
On 10/30/2017 10:16 AM, Amos Jeffries wrote:
>
> Between them these entries appear to be saying that you have very
> probably configured the Squid machine's host name as "sma-server3"
> instead of "proxy1.sma.com".
>
  "proxy1.sma.com" is an alias for sma-server3.sma.com.
  I have tried using sma-server3 directly with the same disappointing
result.
  I presume that I have mis-configured Squid somehow, a safe assumption.
I do not see the error, though.
