[squid-users] [squid-dev] [RFC] Changes to http_access defaults

Amos Jeffries squid3 at treenet.co.nz
Fri Apr 14 12:22:48 UTC 2017


On 14/04/2017 3:58 a.m., Yuri Voinov wrote:
> 
> 
> 13.04.2017 21:14, Dan Purgert пишет:
>> Quoting Alex Rousskov <rousskov at measurement-factory.com>:
>>
>>> On 04/12/2017 12:16 PM, Amos Jeffries wrote:
>>>
>>>> Changes to http_access defaults
>>>
>>> Clearly stating what you are trying to accomplish with these changes may
>>> help others evaluate your proposal. Your initial email focuses on _how_
>>> you are going to accomplish some implied/vague goal. What is the goal
>>> here?
>>>
>>>
>>>> I have become convinced that Squid always checks those
>>>> security rules, then do the custom access rules. All other orderings
>>>> seem to have turned out to be problematic and security-buggy in some
>>>> edge cases or another.
>>>
>>> s/Squid always checks/Squid should always check/
>>>
>>>
>>>> What are people's opinions about making the following items built-in
>>>> defaults?
>>>>
>>>>  acl Safe_ports port 21 80 443
>>>>  acl CONNECT_ports port 443
>>>>  acl CONNECT method CONNECT
>>>>
>>>>  http_access deny !Safe_ports
>>>>  http_access deny CONNECT !CONNECT_ports
>>>
>>>> The above change will have some effect on installations that try to use
>>>> an empty squid.conf.
>>>
>>> And on many other existing installations, of course, especially on those
>>> with complex access rules which are usually the most difficult to
>>> modify/adjust. In other words, this is a pretty serious change.
>>>
>>>
>>
>> How would a "built-in default" alter an existing setup? I mean, in
>> every other instance that I can think of, if the config file includes
>> the directive, the config file's version overrides the default ...
> This is normal behaviour. System administrator should have possibility
> to override ANY default.

Yes, and override remains possible. Just in a way that does not involve
deleting lines from squid.conf.

To override the proposed default you *add* ports to the Safe_ports and
CONNECT_ports (a la SSL_ports) lines to make them no longer be denied.

For example:

 today to make Squid an open proxy you _erase_ these lines:

  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports

Alternatively you can also *add* these lines:

 acl Safe_ports port 0-65535
 acl SSL_ports port 0-65535

That second way will work both before and after the proposed change.
(Modulo the proposed rename of SSL_ports to CONNECT_ports). This makes
it a little bit harder for newbies or naive people to get themselves
into trouble, without removing the ability for advanced needs.


As Alex pointed out it does mean change for anyone with those advanced
configs. So it is a matter of whether the pain is too great or there is
a better way. Thus 'RFC' to everyone.

Amos
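The following is an added toy model of how Squid evaluates http_access rules, written to illustrate the two "open proxy" recipes compared in the reply above. It is not Squid's code and not part of the original message. It models only what the thread needs: `acl ... port` and `acl ... method` definitions (repeated `acl` lines with the same name append values, as in Squid), the predefined `all` acl, first-matching-rule-wins http_access evaluation, and Squid's behaviour that when no rule matches the result is the opposite of the last rule's action. The two squid.conf fragments in `SHOWN_CASES` are constructed for the example; the `builtins` flag switches between today's behaviour and the proposed built-in defaults being evaluated before squid.conf.

```python
"""Toy model of Squid's http_access evaluation, added to illustrate the RFC.

This is not Squid's code. It models only 'acl ... port' and 'acl ... method'
definitions (repeated lines with the same name append values, as in Squid),
the predefined 'all' acl, first-matching-rule-wins http_access evaluation,
and the rule that when nothing matches the result is the opposite of the
last rule's action.
"""
from typing import Dict, List, Tuple

# The built-in defaults proposed in the RFC; evaluated before squid.conf rules.
BUILTIN_RULES = [
    "acl Safe_ports port 21 80 443",
    "acl CONNECT_ports port 443",
    "acl CONNECT method CONNECT",
    "http_access deny !Safe_ports",
    "http_access deny CONNECT !CONNECT_ports",
]

# Two constructed squid.conf fragments: the "erase the deny lines" recipe
# and the additive override described in the reply.
SHOWN_CASES = {
    "deletion": ["http_access allow all"],
    "addition": [
        "acl Safe_ports port 0-65535",
        "acl CONNECT_ports port 0-65535",
        "http_access allow all",
    ],
}

Rule = Tuple[str, List[str]]  # (action, acl terms, each optionally prefixed with '!')


class Acls:
    def __init__(self) -> None:
        self.types: Dict[str, str] = {}
        self.values: Dict[str, List[str]] = {}

    def add(self, name: str, acl_type: str, values: List[str]) -> None:
        if self.types.setdefault(name, acl_type) != acl_type:
            raise ValueError(f"acl {name}: type changed from {self.types[name]}")
        self.values.setdefault(name, []).extend(values)

    def matches(self, name: str, method: str, port: int) -> bool:
        if name == "all":            # Squid predefines 'acl all src all'
            return True
        acl_type = self.types[name]  # KeyError: undefined acl (Squid refuses such a config)
        if acl_type == "method":
            return method in self.values[name]
        if acl_type == "port":       # values are single ports or 'lo-hi' ranges
            for value in self.values[name]:
                lo, _, hi = value.partition("-")
                if int(lo) <= port <= int(hi or lo):
                    return True
            return False
        raise ValueError(f"acl type {acl_type} not modelled")


def parse(lines: List[str]) -> Tuple[Acls, List[Rule]]:
    acls, rules = Acls(), []
    for raw in lines:
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl" and len(words) >= 4:
            acls.add(words[1], words[2], words[3:])
        elif words[0] == "http_access" and len(words) >= 3:
            rules.append((words[1], words[2:]))
        else:
            raise ValueError(f"cannot parse: {raw!r}")
    return acls, rules


def decide(config: List[str], method: str, port: int, builtins: bool) -> str:
    """Return 'allow' or 'deny' for a request with the given method and port."""
    acls, rules = parse((BUILTIN_RULES if builtins else []) + config)
    for action, terms in rules:
        # A rule matches when every term matches; a leading '!' negates a term.
        if all(acls.matches(t.lstrip("!"), method, port) != t.startswith("!") for t in terms):
            return action
    if not rules:
        return "deny"
    # No rule matched: Squid applies the opposite of the last rule's action.
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    probes = [("GET", 80), ("GET", 25), ("CONNECT", 443), ("CONNECT", 8443)]
    for name, config in SHOWN_CASES.items():
        for builtins in (False, True):
            verdicts = ", ".join(f"{m}:{p}={decide(config, m, p, builtins)}" for m, p in probes)
            print(f"{name:9} built-ins={builtins!s:5} {verdicts}")
```

Running it shows the point of the proposal: with today's semantics the "deletion" fragment is an open proxy (GET to port 25 and CONNECT to 8443 both allowed), while with the built-ins evaluated first the same fragment still denies them and only the additive Safe_ports/CONNECT_ports override lets them through. The model also keeps the "opposite of the last rule" default, which is why a real squid.conf should still end with an explicit `http_access deny all`.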


