[squid-users] [RFC] Changes to http_access defaults
Alex Rousskov
rousskov at measurement-factory.com
Thu Apr 13 16:52:58 UTC 2017
On 04/13/2017 10:39 AM, Alex Rousskov wrote:
> The "many folks misconfigure access rules" problem may not have a
> good solution (under Squid control); we should be careful not to make
> things worse while not solving the unsolvable problem.
Here is an alternative idea: Instead of adding default http_access rules
inside Squid, add an optional squid.conf lint/checker. For many
configurations, especially the simple ones used by new Squid admins, it
is fairly easy to _automatically_ check whether these default rules are
violated.
If these rules are violated, Squid will log a startup warning like this:
WARNING: Your http_access rules allow CONNECT to unsafe port XXX.
More info at http://...?warning=xyz&port=XXX.
The URL will detail the dangers and also explain how to disable this
specific warning or linting as a whole.
I can discuss/detail this further if there is consensus that automated
checking is overall better than built-in http_access defaults.
Unfortunately, I do not have the time to volunteer an implementation.
HTH,
Alex.
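The kind of automated check proposed above, as an added example that is not Squid's code and not part of the post: a simplified squid.conf lint that simulates first-match http_access evaluation for a CONNECT request and emits the proposed warning wording. It assumes a minimal config subset (only "acl ... port", "acl ... method", "all" and http_access lines are understood) and treats any other ACL as matching, so a warning means "possibly allowed"; the sample configs are constructed.

```python
# Added example, not Squid's own parser: only port/method ACLs, "all" and
# http_access are understood; any other ACL is assumed to match (worst case).

def parse_config(text):
    port_acls, method_acls, rules = {}, {}, []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[0] == "acl" and fields[2] == "port":
            for tok in fields[3:]:
                lo, _, hi = tok.partition("-")          # "1025-65535" ranges
                port_acls.setdefault(fields[1], set()).update(range(int(lo), int(hi or lo) + 1))
        elif len(fields) >= 4 and fields[0] == "acl" and fields[2] == "method":
            method_acls.setdefault(fields[1], set()).update(m.upper() for m in fields[3:])
        elif len(fields) >= 3 and fields[0] == "http_access":
            rules.append((fields[1] == "allow", fields[2:]))
    return port_acls, method_acls, rules

def acl_matches(name, method, port, port_acls, method_acls):
    if name == "all":
        return True
    if name in port_acls:
        return port in port_acls[name]
    if name in method_acls:
        return method in method_acls[name]
    return True  # unknown ACL (e.g. a src ACL): assume it matches for the lint

def connect_allowed(cfg, port):
    """First matching http_access line wins; no match -> opposite of the last line."""
    port_acls, method_acls, rules = parse_config(cfg)
    for allow, terms in rules:
        if all(acl_matches(t.lstrip("!"), "CONNECT", port, port_acls, method_acls)
               != t.startswith("!") for t in terms):   # "!NAME" holds when NAME does not match
            return allow
    return not rules[-1][0] if rules else True

def lint_connect_ports(cfg, probe_ports=(25, 23, 3128)):
    """Warnings, in the wording proposed in the mail, for reachable probe ports."""
    return ["WARNING: Your http_access rules allow CONNECT to unsafe port %d." % p
            for p in probe_ports if connect_allowed(cfg, p)]

# Constructed sample configs: with the shipped CONNECT rule, and with it removed.
SAFE_CONF = """acl SSL_ports port 443
acl Safe_ports port 80 21 443 1025-65535
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
"""
UNSAFE_CONF = SAFE_CONF.replace("http_access deny CONNECT !SSL_ports\n", "")
```

Running `lint_connect_ports(UNSAFE_CONF)` reports port 3128 (inside the 1025-65535 Safe_ports range but not an SSL port), while the config that keeps the CONNECT rule produces no warning.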