[squid-users] [RFC] Changes to http_access defaults
joseph
chip_pop at hotmail.com
Fri Apr 14 10:19:08 UTC 2017
Alex Rousskov wrote
> On 04/13/2017 10:39 AM, Alex Rousskov wrote:
>
>> The "many folks misconfigure access rules" problem may not have a
>> good solution (under Squid control); we should be careful not to make
>> things worse while not solving the unsolvable problem.
>
>
> Here is an alternative idea: Instead of adding default http_access rules
> inside Squid, add an optional squid.conf lint/checker. For many
> configurations, especially the simple ones used by new Squid admins, it
> is fairly easy to _automatically_ check whether these default rules are
> violated.
>
> If these rules are violated, Squid will log a startup warning like this:
>
> WARNING: Your http_access rules allow CONNECT to unsafe port XXX.
> More info at http://...?warning=xyz&port=XXX.
>
> The URL will detail the dangers and also explain how to disable this
> specific warning or linting as a whole.
>
> I can discuss/detail this further if there is consensus that automated
> checking is overall better than built-in http_access defaults.
> Unfortunately, I do not have the time to volunteer an implementation.
>
>
> HTH,
>
> Alex.
>

Agreed on the warning part only :)
As Yuri said --> the system administrator should have the possibility to override
ANY default.
{ANY == ANY}
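
The squid.conf check proposed in the quoted message, sketched as an added example (not Squid code and not written by either poster): it walks `http_access` rules in order and reports when an allow rule can match a CONNECT request before a deny rule certainly does. Assumptions: the probed ports and sample configurations are constructed, only `port`, `method` and the built-in `all` ACLs are modelled, any other ACL type is treated as possibly matching, and the implicit default at the end of the rule list is not modelled.

```python
UNSAFE_PROBE_PORTS = (25, 80, 8080)  # constructed sample; the thread does not define "unsafe"

def parse(conf):
    """Collect ACL definitions and the ordered http_access rules from squid.conf text."""
    acls, rules = {"all": ("port", ["0-65535"])}, []  # built-in 'all' modelled as every port
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) >= 3 and words[0] == "acl":
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif len(words) >= 3 and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules

def acl_matches(acls, name, port):
    """True/False for method and port ACLs; None if the outcome depends on the client."""
    kind, values = acls.get(name, ("unknown", []))
    if kind == "method":
        return "CONNECT" in values
    if kind != "port":
        return None
    spans = [v.partition("-") for v in values]
    return any(int(lo) <= port <= int(hi or lo) for lo, _, hi in spans)

def rule_matches(acls, names, port):
    """ACLs on one http_access line are ANDed; a leading '!' negates the ACL."""
    results = []
    for name in names:
        m = acl_matches(acls, name.lstrip("!"), port)
        results.append(m if m is None or name[0] != "!" else not m)
    return False if False in results else (None if None in results else True)

def lint(conf):
    """Warn when an allow rule can match CONNECT before a deny rule certainly does."""
    acls, rules = parse(conf)
    warnings = []
    for port in UNSAFE_PROBE_PORTS:
        for action, names in rules:
            m = rule_matches(acls, names, port)
            if action == "deny" and m is True:
                break  # first match wins: this request is refused
            if action == "allow" and m is not False:
                warnings.append(f"WARNING: Your http_access rules allow CONNECT to unsafe port {port}.")
                break
    return warnings

# Constructed sample configurations: same ACLs, different rule order.
ACLS = "acl SSL_ports port 443\nacl CONNECT method CONNECT\nacl localnet src 10.0.0.0/8\n"
GOOD = ACLS + "http_access deny CONNECT !SSL_ports\nhttp_access allow localnet\nhttp_access deny all\n"
BAD = ACLS + "http_access allow localnet\nhttp_access deny CONNECT !SSL_ports\nhttp_access deny all\n"
```

`lint(GOOD)` returns no warnings, while `lint(BAD)` returns one warning per probed port because `allow localnet` is evaluated before the CONNECT restriction.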