diff -Nru squid-3.0.STABLE15.orig/src/cf.data.pre squid-3.0.STABLE15/src/cf.data.pre
--- squid-3.0.STABLE15.orig/src/cf.data.pre	2009-05-06 13:11:41.000000000 +0200
+++ squid-3.0.STABLE15/src/cf.data.pre	2009-05-18 17:13:37.000000000 +0200
@@ -123,7 +123,7 @@
 	If you want to use the traditional NCSA proxy authentication, set
 	this line to something like
 
-	auth_param basic program @DEFAULT_PREFIX@/libexec/ncsa_auth @DEFAULT_PREFIX@/etc/passwd
+	auth_param basic program @DEFAULT_PREFIX@/libexec/ncsa_auth /etc/passwd
 
 	"children" numberofchildren
 	The number of authenticator processes to spawn. If you start too few
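Review bot: The new example on the `auth_param basic program` line passes `/etc/passwd` to ncsa_auth, which reads as an invitation to authenticate proxy users against the system account file. ncsa_auth expects an htpasswd-style file, and Basic credentials cross the network only base64-encoded, so reusing system accounts here would expose login passwords to anyone who can observe proxy traffic. I would point the example at a dedicated file instead, for instance `auth_param basic program @DEFAULT_PREFIX@/libexec/ncsa_auth /etc/squid/passwd` (example path), and add a sentence saying the file is created with htpasswd and is separate from system accounts. The digest hunk below has a related gap with `/etc/digpass`: the text should say the file must be readable only by the user squid runs as, since it holds the digest secrets.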
@@ -185,7 +185,7 @@
 	If you want to use a digest authenticator, set this line to
 	something like
 
-	auth_param digest program @DEFAULT_PREFIX@/bin/digest_pw_auth @DEFAULT_PREFIX@/etc/digpass
+	auth_param digest program @DEFAULT_PREFIX@/bin/digest_pw_auth /etc/digpass
 
 	"children" numberofchildren
 	The number of authenticator processes to spawn (no default).
@@ -630,6 +630,9 @@
 
 NOCOMMENT_START
 #Recommended minimum configuration:
+acl password proxy_auth REQUIRED
+acl all src 0.0.0.0/0.0.0.0
+acl lan src 127.0.0.1/255.255.255.255 # <insert the local network here>
 acl manager proto cache_object
 acl localhost src 127.0.0.1/32
 acl to_localhost dst 127.0.0.0/8
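Review bot: `acl password proxy_auth REQUIRED` is added to the recommended minimum configuration, but nothing visible in this patch enables an `auth_param` scheme; the only `auth_param` lines touched are examples inside help text. If no scheme is active when this default file is loaded, squid will presumably reject or mis-handle the proxy_auth ACL at startup, so this needs checking against a fresh install. At minimum add a comment above it such as `# requires an auth_param scheme configured earlier in this file`. Also, `acl all` is defined here but not referenced by any rule this patch adds, and `lan` ships as 127.0.0.1, which duplicates `localhost` until the admin edits it; the latter is a safe default and deserves a comment saying so.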
@@ -685,6 +688,8 @@
 # Only allow cachemgr access from localhost
 http_access allow manager localhost
 http_access deny manager
+http_access deny !lan !localhost
+http_access allow password
 # Deny requests to unknown ports
 http_access deny !Safe_ports
 # Deny CONNECT to other than SSL ports
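Review bot: The added `http_access allow password` sits above `http_access deny !Safe_ports` and the CONNECT restriction, and because http_access rules are evaluated top-down with the first match deciding, every authenticated client is allowed before the port checks are ever reached. That lets an authenticated user request arbitrary ports and tunnel CONNECT to non-SSL ports, which the stock rules are there to prevent. Keep `http_access deny !lan !localhost` where it is, but move `http_access allow password` below the CONNECT deny rule; that rule lies just past the end of this hunk, so the exact position should be confirmed in the full file. A one-line comment such as `# Require proxy authentication for everything that passed the port checks` above the moved line would make the ordering intent explicit.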
