[squid-users] squid logging disable based on ACL & kernel: Out of memory

Amos Jeffries squid3 at treenet.co.nz
Tue May 5 09:19:42 UTC 2020


On 3/05/20 12:58 am, Akshay Hegde wrote:
> Dear Amos,
> 
> Can you please elaborate? I didn't understand. If possible, can you
> explain with one example? I mean the behaviour of security and privacy
> flaws when strip_query_terms is on and when strip_query_terms is off.
> 

That directive only affects the URLs visible in your logs etc. on the
proxy machine. Its main purpose is to prevent security/privacy
information leaks when sites store sensitive info in the query-string of
the URL. The benefit is that your service is not a vector for those leaks.

On the other hand, it also prevents you being able to troubleshoot a lot
of types of issue with any site using query strings. Both allowing a
range of security attacks to hide themselves, and preventing you being
aware when sensitive info is wrongly placed in the URL.

It is up to you to decide which type of security/privacy issue is the
most important to prevent.


I bring this up because there have recently been several high-profile
services caught for major credential leaks - noticed only because some
people paid attention to their query-strings.

Amos
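
An illustration of the trade-off described in the message above, added here and not part of the original post or of Squid itself: with strip_query_terms off, a script like this can flag requests that carry credentials in the query string while reporting only the parameter names, never the values. The log lines, host names and the list of sensitive parameter names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names treated as sensitive: an assumption for this example, extend as needed.
SENSITIVE = re.compile(r"(?:^|[_-])(pass(word|wd)?|token|secret|api_?key|session(id)?)$", re.I)

# Constructed access.log lines in Squid's native format, as logged with strip_query_terms off.
SAMPLE_LOG = """\
1588670382.101    245 192.0.2.10 TCP_MISS/200 1534 GET http://app.example/login?user=alice&password=hunter2 - HIER_DIRECT/203.0.113.5 text/html
1588670383.412     80 192.0.2.11 TCP_MISS/200 9120 GET http://app.example/search?q=squid+acl - HIER_DIRECT/203.0.113.5 text/html
1588670384.007     12 192.0.2.10 TCP_TUNNEL/200 4410 CONNECT api.example:443 - HIER_DIRECT/203.0.113.9 -
1588670385.650    130 192.0.2.12 TCP_MISS/200 310 GET http://api.example/v1/report?id=7&api_key=abc123 - HIER_DIRECT/203.0.113.9 application/json
"""


def stripped(url):
    """URL without its query terms. Approximates the logged form when
    strip_query_terms is on (assumption: Squid's exact output may differ)."""
    return url.split("?", 1)[0]


def findings(log_text):
    """Return (client, url_without_query, [sensitive parameter names]) per offending line."""
    out = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # not a native-format line
        client, url = fields[2], fields[6]
        # CONNECT lines log host:port only, so there is no query to inspect.
        query = urlsplit(url).query if "://" in url else ""
        names = [k for k, _ in parse_qsl(query, keep_blank_values=True)
                 if SENSITIVE.search(k)]
        if names:
            out.append((client, stripped(url), names))
    return out


if __name__ == "__main__":
    for client, url, names in findings(SAMPLE_LOG):
        print(f"{client} sent {', '.join(names)} in the query string of {url}")
```

With strip_query_terms on, the two flagged lines would be indistinguishable from ordinary requests to the same paths, which is the loss of visibility the message describes.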

