[squid-users] [squid-dev] [RFC] Changes to http_access defaults
Amos Jeffries
squid3 at treenet.co.nz
Fri Apr 14 12:15:04 UTC 2017
On 14/04/2017 3:14 a.m., Dan Purgert wrote:
> Quoting Alex Rousskov <rousskov at measurement-factory.com>:
>
>> On 04/12/2017 12:16 PM, Amos Jeffries wrote:
>>
>>> Changes to http_access defaults
>>
>> Clearly stating what you are trying to accomplish with these changes may
>> help others evaluate your proposal. Your initial email focuses on _how_
>> you are going to accomplish some implied/vague goal. What is the goal
>> here?
>>
>>
>>> I have become convinced that Squid always checks those
>>> security rules, then do the custom access rules. All other orderings
>>> seem to have turned out to be problematic and security-buggy in some
>>> edge cases or another.
>>
>> s/Squid always checks/Squid should always check/
>>
>>
>>> What are people's opinions about making the following items built-in
>>> defaults?
>>>
>>> acl Safe_ports port 21 80 443
>>> acl CONNECT_ports port 443
>>> acl CONNECT method CONNECT
>>>
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !CONNECT_ports
>>
>>> The above change will have some effect on installations that try to use
>>> an empty squid.conf.
>>
>> And on many other existing installations, of course, especially on those
>> with complex access rules which are usually the most difficult to
>> modify/adjust. In other words, this is a pretty serious change.
>>
>>
>
> How would a "built-in default" alter an existing setup? I mean, in every
> other instance that I can think of, if the config file includes the
> directive, the config file's version overrides the default ...
>

The way built-ins are generally done in Squid is to have a set of lines
that are hard-coded and treated as existing "above" the first line of
squid.conf.

For existing setups where non-443 ports were desired with CONNECT this
approach would mean admins have to list them in SSL_ports/CONNECT_ports
instead of simply removing all lines mentioning "SSL_ports".

That is really a practice people should be doing anyway, so is this
change from whatever you are doing to a way that enforces best-practice
going to be a major issue for anyone?

[That is part of the reason I've sent this RFC to all of squid-users,
instead of just squid-dev. To see what sort of issues people will have
with that kind of change, and how widespread the trouble would be.]

Amos
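
The effect discussed in this thread, as an added example that is not part of the original messages and is not Squid code: a simplified Python model of first-match http_access evaluation with the proposed built-in lines placed above the first line of squid.conf. The localnet configuration, port 8443 and all function names are constructed for illustration; the model assumes Squid's behaviour that acl lines sharing a name accumulate values.

```python
import ipaddress

# Proposed built-ins from the RFC, modelled as lines "above" line 1 of squid.conf.
BUILTIN = """
acl Safe_ports port 21 80 443
acl CONNECT_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !CONNECT_ports
"""
# Constructed squid.conf: every SSL_ports line was removed so CONNECT to 8443 worked.
EXISTING = """
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny all
"""
# Constructed fix: with the quoted built-ins, 8443 must be added to both port ACLs.
FIXED = "acl Safe_ports port 8443\nacl CONNECT_ports port 8443\n" + EXISTING

def parse(text):
    acls, rules = {}, []
    for line in text.splitlines():
        tok = line.split("#")[0].split()
        if tok and tok[0] == "acl":
            # Same-named acl lines extend one value list.
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif tok and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(name, acls, req):
    if name == "all":
        return True
    kind, values = acls[name]
    if kind == "port":
        return str(req["port"]) in values
    if kind == "method":
        return req["method"] in values
    if kind == "src":
        addr = ipaddress.ip_address(req["src"])
        return any(addr in ipaddress.ip_network(v) for v in values)
    raise ValueError("ACL type not modelled: " + kind)

def decide(conf, req, builtin=BUILTIN):
    acls, rules = parse(builtin + conf)
    for action, names in rules:
        # ACLs on one line are ANDed, "!" negates, and the first matching line wins.
        if all(acl_matches(n.lstrip("!"), acls, req) != n.startswith("!") for n in names):
            return action
    return "deny"  # model simplification; the samples always end in "deny all"
```

Passing `builtin=""` to `decide` gives the behaviour without the proposed defaults, which makes the before and after comparison for an existing configuration explicit.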