[squid-dev] [RFC] Changes to http_access defaults

Alex Rousskov rousskov at measurement-factory.com
Thu Apr 13 01:15:22 UTC 2017


On 04/12/2017 12:16 PM, Amos Jeffries wrote:

> Changes to http_access defaults

Clearly stating what you are trying to accomplish with these changes may
help others evaluate your proposal. Your initial email focuses on _how_
you are going to accomplish some implied/vague goal. What is the goal here?


> I have become convinced that Squid always checks those
> security rules, then do the custom access rules. All other orderings
> seem to have turned out to be problematic and security-buggy in some
> edge cases or another.

s/Squid always checks/Squid should always check/


> What are people's opinions about making the following items built-in
> defaults?
> 
>  acl Safe_ports port 21 80 443
>  acl CONNECT_ports port 443
>  acl CONNECT method CONNECT
> 
>  http_access deny !Safe_ports
>  http_access deny CONNECT !CONNECT_ports

> The above change will have some effect on installations that try to use
> an empty squid.conf.

And on many other existing installations, of course, especially on those
with complex access rules which are usually the most difficult to
modify/adjust. In other words, this is a pretty serious change.


> If the proposal goes ahead some extra additions
> would be included to retain that default-reject behaviour.

It is difficult to properly evaluate your proposal until it details how
one would be able to override the proposed defaults. These defaults, in
some shape or form, make sense for most installations, of course. The
difficult parts are:

* minimizing surprises (e.g., when the hidden defaults change, are wrong,
and/or interact with deny_info rules in surprising ways);

* avoiding configurations that compute essentially the same rules
multiple times (hidden defaults + explicit defaults); and

* designing a configuration approach to overwrite defaults without
either screwing up a lot of admins or virtually eliminating the positive
effect of those defaults in new configurations.


To address the last bullet, we could add a

  deny_unsafe_ports <on|off>

directive.

If that directive is "on" by default [for any squid.conf that does not
define a Safe_ports ACL??], then it does not address the first two
bullets well.

Perhaps it should be off by default but explicitly added (and turned
"on") to every newly generated squid.conf.default?


Also, what will the http_access rules in newly generated
squid.conf.default look like if we add default http_access rules?


I am worried that adding hidden default http_access rules will make
things overall worse rather than solving the problem you are trying to
solve. I wonder if fiddling with http_access internals might be the
wrong direction here.


Thank you,

Alex.
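The ordering question raised above (security rules first, then custom access rules) can be made concrete with a small first-match evaluator. The following is an added example, not code from Squid or from either poster: it models only the pieces of http_access semantics the thread touches (one rule per line, all ACL terms on a line ANDed, "!" negating a term, first matching line wins, and Squid's documented fallback of the opposite of the last rule, or deny when there are no rules). The ACL table and the "localnet" ACL are constructed assumptions; a real Squid evaluates many more ACL types and request properties.

```python
"""Toy first-match evaluator for the http_access rules quoted in the thread.

This is a simplified model for illustration (added example, not Squid's
own code). It shows why the proposed port/CONNECT rules must come before
custom "allow" rules: the same four lines in the other order let an
allowed client tunnel to any port.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    method: str   # HTTP method, e.g. "GET" or "CONNECT"
    port: int     # destination port of the request


# ACL name -> predicate over a Request. The first three mirror the
# "acl ... port" / "acl ... method" lines quoted in the thread; "localnet"
# is a hypothetical stand-in for an admin's custom source-address ACL and
# is treated as matching every sample request (constructed assumption).
ACLS = {
    "Safe_ports": lambda r: r.port in (21, 80, 443),
    "CONNECT_ports": lambda r: r.port == 443,
    "CONNECT": lambda r: r.method == "CONNECT",
    "localnet": lambda r: True,
    "all": lambda r: True,
}


def parse_rules(text):
    """Parse 'http_access allow|deny <acl> [acl ...]' lines into (action, terms)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3 or parts[0] != "http_access" or parts[1] not in ("allow", "deny"):
            raise ValueError(f"unsupported line: {line!r}")
        rules.append((parts[1], parts[2:]))
    return rules


def line_matches(terms, req):
    """All ACL terms on one http_access line must match (logical AND)."""
    for term in terms:
        negate = term.startswith("!")
        name = term.lstrip("!")
        if ACLS[name](req) == negate:   # term failed (or negated term succeeded)
            return False
    return True


def decide(rules, req):
    """First matching line wins; otherwise the opposite of the last line.

    With no rules at all Squid denies, which is the 'default-reject
    behaviour' of an empty squid.conf mentioned in the thread.
    """
    for action, terms in rules:
        if line_matches(terms, req):
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"


# Proposed built-in defaults placed ahead of the custom rule (constructed config).
SECURITY_FIRST = """
http_access deny !Safe_ports
http_access deny CONNECT !CONNECT_ports
http_access allow localnet
http_access deny all
"""

# Same lines, but the custom "allow" evaluated first (constructed config).
CUSTOM_FIRST = """
http_access allow localnet
http_access deny !Safe_ports
http_access deny CONNECT !CONNECT_ports
http_access deny all
"""

# Constructed sample requests covering the edge cases the ordering affects.
SAMPLE_REQUESTS = [
    Request("GET", 80),
    Request("CONNECT", 443),
    Request("CONNECT", 25),
    Request("GET", 8080),
]


def compare_orderings(requests=SAMPLE_REQUESTS):
    """Return {(method, port): (security_first_decision, custom_first_decision)}."""
    secure = parse_rules(SECURITY_FIRST)
    custom = parse_rules(CUSTOM_FIRST)
    return {(r.method, r.port): (decide(secure, r), decide(custom, r)) for r in requests}


if __name__ == "__main__":
    for key, (a, b) in compare_orderings().items():
        print(f"{key[0]:8} port {key[1]:<5} security-first={a:5}  custom-first={b}")
```

Running it shows that GET to port 80 and CONNECT to 443 are allowed under both orderings, while CONNECT to 25 and GET to 8080 are denied only when the port rules are evaluated before "allow localnet". That is the edge case the proposal is meant to remove by making the deny rules built in; the evaluator also shows the cost Alex points at, since an admin who expected their first "allow" line to be honoured now gets a different answer for some requests.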


