How do you use ACLs and the cache manager directives to control which clients may reach Squid's web management interface (the cache manager)?
1) In /usr/local/squid/etc/squid.conf (the actual location depends on the --prefix given at build time), look at the lines that concern the cache manager:
- #Recommended minimum configuration:
- acl all src 0.0.0.0/0.0.0.0
- acl manager proto cache_object
- acl localhost src 127.0.0.1/255.255.255.255
- acl to_localhost dst 127.0.0.0/8
- acl SSL_ports port 443
- acl Safe_ports port 80 # http
- acl Safe_ports port 21 # ftp
- acl Safe_ports port 443 # https
- acl Safe_ports port 70 # gopher
- acl Safe_ports port 210 # wais
- acl Safe_ports port 1025-65535 # unregistered ports
- acl Safe_ports port 280 # http-mgmt
- acl Safe_ports port 488 # gss-http
- acl Safe_ports port 591 # filemaker
- acl Safe_ports port 777 # multiling http
- acl CONNECT method CONNECT
- #
- # Only allow cachemgr access from localhost
- http_access allow manager localhost
- http_access deny manager
- # Deny requests to unknown ports
- http_access deny !Safe_ports
- # Deny CONNECT to other than SSL ports
- http_access deny CONNECT !SSL_ports
- # And finally deny all other access to this proxy
- http_access deny all
- # TAG: cachemgr_passwd
- # Specify passwords for cachemgr operations.
- #
- # Usage: cachemgr_passwd password action action ...
- #
- # Some valid actions are (see cache manager menu for a full list):
- # 5min
- # 60min
- # asndb
- # authenticator
- # cbdata
- # client_list
- # comm_incoming
- # config *
- # counters
- # delay
- # digest_stats
- # dns
- # events
- # filedescriptors
- # fqdncache
- # histograms
- # http_headers
- # info
- # io
- # ipcache
- # mem
- # menu
- # netdb
- # non_peers
- # objects
- # offline_toggle *
- # pconn
- # peer_select
- # redirector
- # refresh
- # server_list
- # shutdown *
- # store_digest
- # storedir
- # utilization
- # via_headers
- # vm_objects
- #
- # * Indicates actions which will not be performed without a
- # valid password, others can be performed if not listed here.
- #
- # To disable an action, set the password to "disable".
- # To allow performing an action without a password, set the
- # password to "none".
- #
- # Use the keyword "all" to set the same password for all actions.
- #
- #Example:
- # cachemgr_passwd secret shutdown
- # cachemgr_passwd lesssssssecret info stats/objects
- # cachemgr_passwd disable all
- #
- #Default:
- # none
We need to add the relevant entries to three directives: acl, http_access and cachemgr_passwd. The lines that do the work are:
- acl localhost src 127.0.0.1/255.255.255.255
- acl manager proto cache_object
- # Allow local users to purge cached objects
- acl Purge method PURGE
- http_access allow Purge localhost
- http_access deny Purge
- # Only allow cachemgr access from localhost
- http_access allow manager localhost
- http_access deny manager
- # Disable the dangerous operations outright: viewing the configuration, shutting Squid down, and so on
- cachemgr_passwd disable config shutdown authenticator offline_toggle
- # No password for the harmless status queries
- cachemgr_passwd none info stats/objects
- # Password-protect every other operation (the checks in section 2 use this password, so uncomment the line to match them)
- # cachemgr_passwd secretP all
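The rules above only work if they are in the right order and the password table resolves the way Squid resolves it: http_access is first-match, and cachemgr_passwd is first-match too, with "all" matching any action. The shell script below is an added example, not code from this page or from the Squid project: it lints a squid.conf for exactly those points, using two constructed sample configurations (the hardened rules from this section, and a weak variant) rather than any real file. The temp directory, file names and function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not code from the page or from the Squid project: lint the
# cache-manager rules of a squid.conf the way Squid evaluates them.
#   - http_access is first-match, so "allow manager localhost" must come before
#     "deny manager" (otherwise even localhost is locked out);
#   - "http_access allow manager all" hands the manager to every client;
#   - cachemgr_passwd is first-match too, and "all" matches any action, so the
#     effective entry for config/shutdown/offline_toggle must be "disable"
#     (or absent, which leaves them hidden).
# squid_mgr_lint returns the number of failed checks, so it can gate a deploy.

# Directives only: strip comments and blank lines but keep their order.
mgr_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' || true
}

# Password Squid would apply to an action: the first cachemgr_passwd line naming
# the action or "all" wins. Prints nothing when no line matches.
#   $1 = directive list (output of mgr_rules), $2 = action name
mgr_passwd_for() {
    printf '%s\n' "$1" | awk -v act="$2" '
        $1 == "cachemgr_passwd" {
            for (i = 3; i <= NF; i++)
                if ($i == act || $i == "all") { print $2; exit }
        }'
}

squid_mgr_lint() {
    rules=$(mgr_rules "$1")
    fails=0

    # Check 1: the localhost allow rule exists and precedes the catch-all deny.
    allow=$(printf '%s\n' "$rules" | grep -n -E '^http_access[[:space:]]+allow[[:space:]]+manager[[:space:]]+localhost' | head -n 1 | cut -d: -f1)
    deny=$(printf '%s\n' "$rules" | grep -n -E '^http_access[[:space:]]+deny[[:space:]]+manager([[:space:]]|$)' | head -n 1 | cut -d: -f1)
    if [ -n "$allow" ] && [ -n "$deny" ] && [ "$allow" -lt "$deny" ]; then
        echo "OK   'allow manager localhost' precedes 'deny manager'"
    else
        echo "FAIL 'http_access allow manager localhost' missing or placed after 'http_access deny manager'"
        fails=$((fails + 1))
    fi

    # Check 2: the manager is not opened to everyone.
    if printf '%s\n' "$rules" | grep -q -E '^http_access[[:space:]]+allow[[:space:]]+manager[[:space:]]+all([[:space:]]|$)'; then
        echo "FAIL 'http_access allow manager all' exposes the manager to every client"
        fails=$((fails + 1))
    else
        echo "OK   no 'http_access allow manager all'"
    fi

    # Check 3: the dangerous actions resolve to "disable" (or stay hidden).
    for act in config shutdown offline_toggle; do
        pw=$(mgr_passwd_for "$rules" "$act")
        case "$pw" in
            disable) echo "OK   $act is disabled" ;;
            "")      echo "OK   $act has no password entry and stays hidden" ;;
            none)    echo "FAIL $act is public (cachemgr_passwd none)"; fails=$((fails + 1)) ;;
            *)       echo "FAIL $act is reachable with a password; set it to disable"; fails=$((fails + 1)) ;;
        esac
    done
    return "$fails"
}

# Constructed sample configurations (assumed file names, not real files from the page).
TMP=$(mktemp -d)
GOOD_CONF="$TMP/good.conf"   # the rules from section 1, with the "all" password active
WEAK_CONF="$TMP/weak.conf"   # deny before allow, and "none all" makes every action public
cat > "$GOOD_CONF" <<'EOF'
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
http_access allow manager localhost
http_access deny manager
cachemgr_passwd disable config shutdown authenticator offline_toggle
cachemgr_passwd none info stats/objects
cachemgr_passwd secretP all
EOF
cat > "$WEAK_CONF" <<'EOF'
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
http_access deny manager
http_access allow manager localhost
cachemgr_passwd none all
EOF

rc=0; squid_mgr_lint "$GOOD_CONF" || rc=$?; echo "good.conf: $rc failed check(s)"
rc=0; squid_mgr_lint "$WEAK_CONF" || rc=$?; echo "weak.conf: $rc failed check(s)"
```

Point squid_mgr_lint at the real squid.conf before reloading Squid; the weak sample fails four checks (the deny/allow order, and all three dangerous actions made public by "none all"), the hardened sample passes.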
2) Verifying the configuration
Fetching an item that needs no password:
- squidclient -p80 cache_object://localhost/info
or
- squidclient -p80 -h localhost mgr:info
Fetching an item that needs a password:
- squidclient -p80 cache_object://localhost/menu@secretP
Note: mgr:menu is the usual way to list which items you are permitted to access, and in what state each one is.
or
- squidclient -p80 -h localhost mgr:menu@secretP
Purging a cached object (squidclient defaults to port 3128; add -p80 when, as here, Squid listens on port 80):
- squidclient -m PURGE http://url
Below is the menu as reported by my Squid with the cachemgr_passwd lines above in place (with no cachemgr_passwd line at all, config, shutdown and offline_toggle would show as hidden and everything else as public):
- # squidclient -p80 -h localhost mgr:menu@secretP
- HTTP/1.0 200 OK
- ... (part of the output omitted)
- mem Memory Utilization protected
- cbdata Callback Data Registry Contents protected
- events Event Queue protected
- squidaio_counts Async IO Function Counters protected
- config Current Squid Configuration disabled
- ipcache IP Cache Stats and Contents protected
- fqdncache FQDN Cache Stats and Contents protected
- idns Internal DNS Statistics protected
- external_acl External ACL stats protected
- http_headers HTTP Header Statistics protected
- menu This Cachemanager Menu protected
- shutdown Shut Down the Squid Process disabled
- offline_toggle Toggle offline_mode setting disabled
- info General Runtime Information public
- filedescriptors Process Filedescriptor Allocation protected
- objects All Cache Objects protected
- vm_objects In-Memory and In-Transit Objects protected
- openfd_objects Objects with Swapout files open protected
- pending_objects Objects being retreived from the network protected
- client_objects Objects being sent to clients protected
- io Server-side network read() size histograms protected
- counters Traffic and Resource Counters public
- peer_select Peer Selection Algorithms protected
- digest_stats Cache Digest and ICP blob protected
- 5min 5 Minute Average of Counters protected
- 60min 60 Minute Average of Counters protected
- utilization Cache Utilization protected
- histograms Full Histogram Counts protected
- active_requests Client-side Active Requests protected
- store_digest Store Digest protected
- storedir Store Directory Stats protected
- store_check_cachable_stats storeCheckCachable() Stats protected
- store_io Store IO Interface Stats protected
- pconn Persistent Connection Utilization Histograms protected
- refresh Refresh Algorithm Statistics protected
- delay Delay Pool Levels protected
- forward Request Forwarding Statistics protected
- client_list Cache Client List protected
- netdb Network Measurement Database protected
- asndb AS Number Database protected
- server_list Peer Cache Statistics protected
- non_peers List of Unknown sites sending ICP messages protected
That is, the items that are hidden by default are:
- config shutdown offline_toggle
Hidden means that, unless the server configures a password for them, they cannot be accessed at all; that is their default state.
This differs from disabling them explicitly, which also refuses every client but reports the state as disabled (note that this is a cachemgr_passwd setting, not an http_access rule):
- cachemgr_passwd disable config shutdown offline_toggle
It also differs from setting a real password on them, which reports the state as protected and lets a client that supplies the password (for example mgr:shutdown@secretP) run them:
- cachemgr_passwd secretP config shutdown offline_toggle
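Rather than reading the menu by eye, the states can be checked mechanically. The script below is an added example, not from this page or the Squid project: it parses the menu in the form squidclient prints it (the sample menu embedded in it is constructed to match the listing above, not captured output) and reports which actions are public and whether the dangerous ones are really disabled or hidden. The function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not code from the page or the Squid project: audit the cache
# manager menu in the form squidclient prints it (one line per action:
# "action  description  state", where state is public, protected, disabled or
# hidden). It lists what a client can reach with no password and flags the
# dangerous actions that are not disabled/hidden. Against a live proxy, run:
#   squidclient -p80 -h localhost mgr:menu@secretP | mgr_check_menu config shutdown offline_toggle

# "action state" for every real menu line. HTTP headers and blank lines are
# dropped by requiring a known state in the last column; the first and last
# fields are used because the description between them contains spaces.
mgr_menu_states() {
    awk '$NF ~ /^(public|protected|disabled|hidden)$/ { print $1, $NF }'
}

# Actions reachable without any password.
mgr_public_actions() {
    mgr_menu_states | awk '$2 == "public" { print $1 }'
}

# One line per named action; FAIL when it is reachable at all (public, or only
# protected by a password that is sent in the clear inside the request URL).
# Returns the number of failing actions.
mgr_check_menu() {
    states=$(mgr_menu_states)
    bad=0
    for act in "$@"; do
        st=$(printf '%s\n' "$states" | awk -v a="$act" '$1 == a { print $2 }')
        case "$st" in
            disabled|hidden) echo "OK   $act: $st" ;;
            "")              echo "WARN $act: not in the menu of this Squid" ;;
            *)               echo "FAIL $act: $st"; bad=$((bad + 1)) ;;
        esac
    done
    return "$bad"
}

# Constructed menu excerpt in the shape of the listing above (not captured output);
# fields are tab separated as in Squid's own output.
SAMPLE_MENU=$(printf '%b\n' \
    'HTTP/1.0 200 OK' \
    'Server: squid' \
    '' \
    ' info\tGeneral Runtime Information\tpublic' \
    ' counters\tTraffic and Resource Counters\tpublic' \
    ' mem\tMemory Utilization\tprotected' \
    ' config\tCurrent Squid Configuration\tdisabled' \
    ' shutdown\tShut Down the Squid Process\tprotected' \
    ' offline_toggle\tToggle offline_mode setting\tdisabled' \
    ' objects\tAll Cache Objects\tprotected')

echo "public actions:"
printf '%s\n' "$SAMPLE_MENU" | mgr_public_actions
rc=0; printf '%s\n' "$SAMPLE_MENU" | mgr_check_menu config shutdown offline_toggle || rc=$?
echo "$rc dangerous action(s) still reachable"
```

In the sample, shutdown is only protected, so the audit reports one failure: with the page's policy it should be disabled via cachemgr_passwd.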
3) Restricting which hosts and ports cachemgr.cgi may connect to
Edit cachemgr.conf (its location depends on our build options; in the example below it is /etc/squid/etc/cachemgr.conf) and add one Host:Port line per Squid instance. This file is read by the cachemgr.cgi front end, not by Squid itself: it limits which cache host and port the CGI will talk to, so it complements, but does not replace, the http_access rules in squid.conf.
For example, my configuration:
# grep ^[^#] /etc/squid/etc/cachemgr.conf
- localhost:80
- 192.168.88.51:80
- squid01.wangxiaoyu.org:80