Comment 1 Sune Kloppenborg Jeppesen (RETIRED) 2004-11-01 06:21:25 UTC

Andrew please verify and patch if needed.

Comment 2 Thierry Carrez (RETIRED) 2004-11-01 07:21:25 UTC

In fact there is no patch... The solution is not to enable cachemgr.cgi access to anyone. RedHat used to ship with cachemgr.cgi accessible in Apache cgi-bin.

I don't have squid installed, but I don't think we install cachemgr.cgi world-accessible by default... Andrew, please confirm/debunk.

Comment 3 Sune Kloppenborg Jeppesen (RETIRED) 2004-11-02 13:45:05 UTC

cyfred was last on irc over two weeks ago and has no devaway.

I guess this snippet from default configuration file squid.conf is enough:

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

Im buried up to my armpits in assignments (checked mail today for first time in a week or so) until at least this monday, feel free to change this anyone that wants to.

Comment 5 Sune Kloppenborg Jeppesen (RETIRED) 2004-11-04 11:34:16 UTC

I'm not sure wether the default configuration options from comment #3 is enough. Someone with Squid knowledge please verify.

Comment 6 Thierry Carrez (RETIRED) 2004-11-05 05:44:54 UTC

Default configuration in Gentoo is to allow only cachemgr access from localhost. Furthermore most actions require a password... The old bug was about putting cachemgr.cgi directly in an accessible cgi-bin, and it's definitely not the case here.

Closing as WORKSFORME... Please prove me wrong by detailing how this applies to Gentoo default Squid.