log problem


log problem

Alex Gutiérrez Martínez

Hello community, I'm using Squid 3.3.8 on Ubuntu 14.04.02 LTS. I have implemented sqstat on this server to monitor my bandwidth. My problem is simple: I need to remove from my log the line created by sqstat.

1516801891.375      1 10.28.27.36 TCP_MISS/200 25526 GET cache_object://localhost/active_requests - HIER_NONE/- text/plain


I tried using the "access_log" directive, but until now the only thing I have accomplished is stopping my Squid with a bad configuration.

Does anyone have an idea of how to solve this problem?

-- 
Saludos Cordiales

Lic. Alex Gutiérrez Martínez

Tel. +53 7 2710327

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: log problem

Amos Jeffries
Administrator
On 25/01/18 02:59, Alex Gutiérrez Martínez wrote:

> Hello community, I'm using Squid 3.3.8 on Ubuntu 14.04.02 LTS. I have
> implemented sqstat on this server to monitor my bandwidth. My problem is
> simple: I need to remove from my log the line created by sqstat.
>
> 1516801891.375      1 10.28.27.36 TCP_MISS/200 25526 GET
> cache_object://localhost/active_requests - HIER_NONE/- text/plain
>
>
> I tried using the "access_log" directive, but until now the only thing I
> have accomplished is stopping my Squid with a bad configuration.
>
> Does anyone have an idea of how to solve this problem?
>

access_log is the way to go, using the 'manager' ACL.

Somewhat like this:

  access_log /var/log/squid/access.log squid !manager


... or if you want to log other manager access *except* for the sqstat
ones. Then you will need an ACL that uniquely identifies sqstat instead
of manager.


Amos
Re: log problem

Yuri Voinov

Everything is a little worse. If you need a password to access the cachemanager - it will be shown in the logs. I believe that this is a bug and a hole in security.

Preventing it by ACL can be a workaround, but this is hardly a feature.


--
*****************************
* C++20 : Bug to the future *
*****************************

Re: log problem

Yuri Voinov
In order not to be unfounded:

https://bugs.squid-cache.org/show_bug.cgi?id=4572

I found a workaround more than a year ago, however I believe the bug still exists.

PS. It's elementary to reproduce. Just specify cachemgr_passwd in squid.conf and do not disable password access to cachemgr stats. Then access cachemgr from any tool like sqstat - with a password (basic auth) - and see what will be in access.log. Congrats, you just showed your proxy manager password to all stats tools and anybody who watches your statistics reports.

--
*****************************
* C++20 : Bug to the future *
*****************************



Re: log problem

Amos Jeffries
Administrator
In reply to this post by Yuri Voinov
On 25/01/18 14:25, Yuri wrote:
>
> Everything is a little worse. If you need a password to access the
> cachemanager - it will be shown in the logs.

"worse" implies it was better some time beforehand.

The old manager API is the one which places the password in clear-text in
the URLs. It may not have told you that was what it was doing, but still
the security was really crap.

If you are using the current API with http(s):// URLs they do not
contain any credentials in the URL and you can configure authentication
more secure than Basic to be used by using http_access permissions
instead of the cachemgr_passwd mechanism.


> I believe that this is a bug
> and a hole in security.
>

Using the old insecure manager API is a hole, yes. But not a new one.


> Preventing it by ACL can be a workaround, but this is hardly a feature.
>

This is a backward compatibility feature for people still using tools that
require the old API. Making a crappy insecure API "secure" requires work.

Amos
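
An added example, not part of the thread and not Squid or sqstat code: a Python pass over access.log that picks out cache manager requests and redacts a password logged in a legacy cache_object:// URL, so the log can be shared with statistics tools. The `action@password` URL form, the function names and every sample line except the one quoted from the first post are assumptions made for this example.

```python
import re

# Squid native access.log: time elapsed client code/status bytes method URL ...
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<rest>.*)$"
)
# Manager requests: legacy cache_object:// scheme or the http(s) /squid-internal-mgr/ path.
MANAGER_RE = re.compile(r"^(?:cache_object://|https?://[^/]+/squid-internal-mgr/)", re.I)
# ASSUMPTION: legacy URLs carry the password as cache_object://host/action@password
LEGACY_CRED_RE = re.compile(r"^(cache_object://[^/]+/[^@?\s]+)@([^?\s]+)", re.I)


def audit_line(line):
    """Return (kind, safe_line); kind is 'other', 'manager' or 'manager+password'."""
    m = LINE_RE.match(line)
    if not m or not MANAGER_RE.match(m.group("url")):
        return "other", line
    redacted, hits = LEGACY_CRED_RE.subn(r"\1@[REDACTED]", m.group("url"))
    if not hits:
        return "manager", line
    start, end = m.span("url")
    return "manager+password", line[:start] + redacted + line[end:]


def audit_log(lines):
    """Redact every line and collect the clients whose requests exposed a password."""
    exposed, safe = set(), []
    for line in lines:
        line = line.rstrip("\n")
        kind, out = audit_line(line)
        if kind == "manager+password":
            exposed.add(LINE_RE.match(line).group("client"))
        safe.append(out)
    return safe, sorted(exposed)


# Constructed sample: the first line is quoted from the thread, the others are made up.
SAMPLE = [
    "1516801891.375      1 10.28.27.36 TCP_MISS/200 25526 GET cache_object://localhost/active_requests - HIER_NONE/- text/plain",
    "1516801899.101      2 10.28.27.36 TCP_MISS/200 3120 GET cache_object://localhost/info@ExamplePass1 - HIER_NONE/- text/plain",
    "1516801900.500     87 10.28.27.40 TCP_MISS/200 5120 GET http://example.com/ - HIER_DIRECT/192.0.2.10 text/html",
]

if __name__ == "__main__":
    safe, exposed = audit_log(SAMPLE)
    print("\n".join(safe))
    print("clients that logged a manager password:", exposed)
```

Any password found this way has already been written to disk in clear text, so redaction covers the copies handed to reporting tools; the password itself still needs rotating.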
Re: log problem

Yuri Voinov
Amos, this is good news.

Is this clearly documented anywhere, to write a good article in the wiki about it?



--
*****************************
* C++20 : Bug to the future *
*****************************

Re: log problem

Amos Jeffries
Administrator
The API change was documented in
<http://www.squid-cache.org/Versions/v3/3.2/RELEASENOTES.html#ss2.13>

It does not explicitly call out the authentication side effects or
provide a config example though. The expectation was that most people
use tools to access the reports and the config changes would be
documented with the tools as they changed.

(The https:// access still has a few bugs to work out related to domain
aliases and cert CommonNames.)

Amos
