[squid-users] Empty ACL technical risks

Amos Jeffries squid3 at treenet.co.nz
Wed Jun 12 05:58:19 UTC 2019


On 11/06/19 11:36 pm, Никита Серёгин wrote:
> Hi All,
> 
> If there is an empty acl in squid.conf, squid gives us a warning message during restart/reconfigure.
> 
> We wonder whether these warnings are just notifications for the administrator, or whether there are some real technical risks.
> 
> Like here for example: https://bugs.launchpad.net/ubuntu/+source/squid-deb-proxy/+bug/1659567
> Amos Jeffries wrote: "The check is a generic validity check used for all ACLs. Whether it is 'harmless' depends on future events at the time of checking. So just silencing or ignoring would leave a lot of nasty misconfigurations quietly accepted"
> 
> Could these "nasty misconfigurations" be made only by the administrator, or is it about possible wrong behavior by Squid?
> 

The Ubuntu bug report you referenced is a good example of why. The file,
which is initially empty, is explicitly being added to by non-admin
entities, who then have an automated action to trigger reconfigure of
the running proxy.

The risk there is that those entities do not necessarily know what
valid ACL data is, nor are they in a position to fix the resulting DoS if
they get it wrong and make Squid exit on the reconfigure.
That breaking reconfigure may be a long time after the config change
was made.



> Are there any strong technical reasons to avoid using empty ACLs in a production environment?
> 

The main reason is the risk of DoS-ing the proxy and everyone using it
for an indeterminate amount of time until the admin can be summoned and
can track down why the proxy is not running.


Another reason is every transaction handled by Squid has to spend CPU
cycles setting up access checklists, fetching the data to be tested,
then calling the processing code - even if the ACL is empty and thus
immediately returns its DUNNO result.


Which brings us to DUNNO being the third match state. So things like:

 acl foo src "/some/empty.file"
 http_access allow foo
 http_access allow !foo

... result in the surprise *access denied*.


> And is there any news about an explicit flag to indicate whether an ACL is allowed to be empty or not?
> 

Nobody has submitted anything towards one.

As you noted at the start it is a *warning* message. Squid should
continue to run "fine". Provided your definition of "fine" accounts for
the above technical issues and odd behaviour.

Cheers,
Amos
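
A pre-reconfigure check for the situation described in this thread, as an added example that is not part of the original message or of Squid: it reports every ACL in a squid.conf that ends up with no values, together with the access rules that test it, so an automated job can refuse to trigger the reconfigure. The function names, treating `#` lines in an ACL file as comments, skipping `-` option tokens, and looking only at `*_access` directives are assumptions of this example.

```python
import os
import tempfile

def file_has_values(path):
    """True if the file is readable and holds at least one non-comment line."""
    try:
        with open(path) as fh:
            return any(l.strip() and not l.lstrip().startswith("#") for l in fh)
    except OSError:
        return False  # missing or unreadable: no usable values either

def find_empty_acls(conf_text):
    """Map each ACL that ends up with no values to the rules that test it."""
    populated = {}  # acl name -> True once any 'acl' line gives it a value
    rules = []      # (directive line, ACL names it references)
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = line.split()
        if tok[0] == "acl" and len(tok) >= 3:
            # Repeated 'acl <name>' lines accumulate; option tokens are skipped.
            values = [t for t in tok[3:] if not t.startswith("-")]
            ok = any(file_has_values(v.strip('"')) if v.startswith('"') else True
                     for v in values)
            populated[tok[1]] = populated.get(tok[1], False) or ok
        elif tok[0].endswith("_access") and len(tok) >= 3:
            rules.append((line, [t.lstrip("!") for t in tok[2:]]))
    empty = sorted(n for n, ok in populated.items() if not ok)
    # Per the reply above, neither 'foo' nor '!foo' matches for these ACLs.
    return {n: [r for r, names in rules if n in names] for n in empty}

if __name__ == "__main__":
    # Constructed sample: one empty ACL file, one populated inline ACL.
    with tempfile.TemporaryDirectory() as d:
        empty = os.path.join(d, "empty.file")
        open(empty, "w").close()
        conf = (f'acl foo src "{empty}"\n'
                "acl lan src 192.0.2.0/24\n"
                "http_access allow foo\n"
                "http_access allow !foo\n"
                "http_access allow lan\n")
        for name, hits in find_empty_acls(conf).items():
            print(f"empty ACL {name!r} is tested by:")
            for rule in hits:
                print("   ", rule)
```
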

