[squid-users] [RFC] Changes to http_access defaults

Amos Jeffries squid3 at treenet.co.nz
Wed Apr 12 18:16:36 UTC 2017


When I implemented the major changes to squid.conf in 3.1/3.2  there
were a lot of installations placing custom config rules above the lines
I describe now as "default security checks". The !Safe_ports and
!SSL_ports deny lines.

At the time I also believed reverse-proxy config had to go above that to
work properly. Which was the major argument behind leaving them manually
configured.

That reverse-proxy reason has turned out to be incorrect and over the
years since I have become convinced that Squid always checks those
security rules, then do the custom access rules. All other orderings
seem to have turned out to be problematic and security-buggy in some
edge cases or another.


What are peoples opinions about making the following items built-in
defaults?

 acl Safe_ports port 21 80 443
 acl CONNECT_ports port 443
 acl CONNECT method CONNECT

 http_acces deny !Safe_ports
 http_access deny CONNECT !CONNECT_ports


This makes the three protocols Squid-4/5 can officially support (HTTP,
HTTPS, FTP) acceptable by default.

I have excluded the other protocols that are safe, but usually not
necessary to proxy in modern traffic. They can remain 'recommended'
configurable defaults like today.

Likewise the manager rules (for now) since local conditions can
sometimes allow them to be optimized better than our current recommended
default.


The above change will have some effect on installations that try to use
an empty squid.conf. If the proposal goes ahead some extra additions
would be included to retain that default-reject behaviour.

Ideas? opinions?


Amos


More information about the squid-users mailing list