[squid-users] Empty ACL technical risks

Nikita Seregin nick.srg at yandex.ru
Fri Jun 14 12:27:45 UTC 2019


Hi again.

Thank you for the answer.

So, as I understood, the empty ACL files aren't the best option.


And may I include config files which can sometimes become empty?


For example:

I put the following string into /etc/squid/squid.conf:

       include /etc/squid/certificates.conf

And in the /etc/squid/certificates.conf I put:
       acl TRUSTED_FINGERPRINTS server_cert_fingerprint 7A:29:27:9A:DF:C4:4E:18:4D:94:E1:BB:2A:D9:09:3A:70:B1:AB:16
       acl TRUSTED_FINGERPRINTS server_cert_fingerprint 70:B1:AB:16:7A:29:27:9A:DF:C4:4E:18:4D:94:E1:BB:2A:D9:09:3A
       sslproxy_cert_sign signTrusted TRUSTED_FINGERPRINTS

Will it be OK if I just clear the /etc/squid/certificates.conf file in case I don't have any fingerprints to put in, and keep the include /etc/squid/certificates.conf directive in squid.conf untouched? So in fact it will include the empty file.
Are there any technical risks?


12.06.2019, 08:58, "Amos Jeffries" <squid3 at treenet.co.nz>:
> On 11/06/19 11:36 pm, Никита Серёгин wrote:
>>  Hi All,
>>
>>  If there is an empty ACL in squid.conf, Squid gives us a warning message during restart/reconfigure.
>>
>>  We wonder if these warnings are just notifications for the administrator, or whether there are some real technical risks.
>>
>>  Like here for example: https://bugs.launchpad.net/ubuntu/+source/squid-deb-proxy/+bug/1659567
>>  Amos Jeffries wrote: "The check is a generic validity check used for all ACLs. Whether it is 'harmless' depends on future events at the time of checking. So just silencing or ignoring would leave a lot of nasty misconfigurations quietly accepted"
>>
>>  Could these "nasty misconfigurations" be made only by the administrator, or is it about possible wrong behavior of Squid?
>
> The Ubuntu bug report you referenced is a good example why. The file
> which is initially empty is explicitly being added to by non-admin
> entities. Who then have an automated action to trigger reconfigure of
> the running proxy.
>
> The risk there is that those entities do not necessarily know what
> valid ACL data is. Nor are they in a position to fix the resulting DoS if they
> get it wrong and make Squid exit on the reconfigure.
> That breaking reconfigure may be a long time after the config change
> was made.
>
>>  Are there any strong technical reasons to avoid using empty ACLs in a production environment?
>
> The main reason is that risk of DoS-ing the proxy and everyone using it
> for an indeterminate amount of time until the admin can be summoned and
> track down why the proxy is not running.
>
> Another reason is every transaction handled by Squid has to spend CPU
> cycles setting up access checklists, fetching the data to be tested,
> then calling the processing code - even if the ACL is empty and thus
> immediately returns its DUNNO result.
>
> Which brings us to DUNNO being the third match state. So things like:
>
>  acl foo src "/some/empty.file"
>  http_access allow foo
>  http_access allow !foo
>
> ... results in the surprise *access denied*.
>
>>  And are there any news about explicit flag to indicate whether an ACL is allowed to be empty or not?
>
> Nobody has submitted anything towards one.
>
> As you noted at the start it is a *warning* message. Squid should
> continue to run "fine". Provided your definition of "fine" accounts for
> the above technical issues and odd behaviour.
>
> Cheers,
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
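
A pre-flight check for the situation described in the quoted reply, where an automated job edits an ACL file and then triggers a reconfigure. This is an added example, not part of the original thread or of Squid; the function names, the sample files, the one-level handling of `include`, and the treatment of `#` lines as comments are assumptions of the example.

```shell
# Added example: gate an automated "squid -k reconfigure" on ACL file contents.

# Succeeds if FILE has a line that is neither blank nor a "#" comment
# (assumption: "#" lines in an ACL file are comments, not entries).
has_entries() {
    [ -f "$1" ] && grep -Eqv '^[[:space:]]*(#|$)' "$1"
}

# Prints CONF, then the targets of its include directives (one level only,
# literal paths; glob patterns are not expanded).
config_files() {
    printf '%s\n' "$1"
    awk '$1 == "include" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Prints "NAME PATH" for each acl line whose quoted file is missing or empty.
empty_acl_files() {
    config_files "$1" | while IFS= read -r f; do
        [ -f "$f" ] || continue
        awk '$1 == "acl" && $NF ~ /^".+"$/ { gsub(/"/, "", $NF); print $2, $NF }' "$f"
    done | while read -r name path; do
        has_entries "$path" || printf '%s %s\n' "$name" "$path"
    done
}

# Reconfigures only if no ACL file is empty and the configuration parses.
safe_reconfigure() {
    found=$(empty_acl_files "$1")
    if [ -n "$found" ]; then
        printf 'not reconfiguring, empty ACL files:\n%s\n' "$found" >&2
        return 1
    fi
    squid -f "$1" -k parse && squid -f "$1" -k reconfigure
}

# Constructed sample: a populated list, an empty one, a comment-only one.
demo() {
    d=$(mktemp -d) || return 1
    printf '10.0.0.0/8\n' > "$d/lan.txt"
    : > "$d/empty.txt"
    printf '# no entries yet\n\n' > "$d/mirrors.txt"
    printf 'acl extra dstdomain "%s"\n' "$d/mirrors.txt" > "$d/extra.conf"
    printf 'acl lan src "%s"\nacl foo src "%s"\ninclude %s\n' \
        "$d/lan.txt" "$d/empty.txt" "$d/extra.conf" > "$d/squid.conf"
    empty_acl_files "$d/squid.conf" | sed "s|$d/||"
    rm -rf "$d"
}

demo
```

An automated updater would call `safe_reconfigure /etc/squid/squid.conf` instead of invoking `squid -k reconfigure` directly, so a bad edit leaves the running proxy on its previous configuration.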

