<html>

  <head>

    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">

  </head>

  <body text="#000000" bgcolor="#FFFFFF">

    <p><br>

    </p>

    <br>

    <div class="moz-cite-prefix">13.04.2017 21:14, Dan Purgert пишет:<br>

    </div>

    <blockquote type="cite"

      cite="mid:20170413111414.Horde.xLtNThbtK50MUyRLMNz-uWn@192.168.10.20">Quoting

      Alex Rousskov <a class="moz-txt-link-rfc2396E" href="mailto:rousskov@measurement-factory.com"><rousskov@measurement-factory.com></a>:

      <br>

      <br>

      <blockquote type="cite">On 04/12/2017 12:16 PM, Amos Jeffries

        wrote:

        <br>

        <br>

        <blockquote type="cite">Changes to http_access defaults

          <br>

        </blockquote>

        <br>

        Clearly stating what you are trying to accomplish with these

        changes may

        <br>

        help others evaluate your proposal. Your initial email focuses

        on _how_

        <br>

        you are going to accomplish some implied/vague goal. What is the

        goal here?

        <br>

        <br>

        <br>

        <blockquote type="cite">I have become convinced that Squid

          always checks those

          <br>

          security rules, then do the custom access rules. All other

          orderings

          <br>

          seem to have turned out to be problematic and security-buggy

          in some

          <br>

          edge cases or another.

          <br>

        </blockquote>

        <br>

        s/Squid always checks/Squid should always check/

        <br>

        <br>

        <br>

        <blockquote type="cite">What are peoples opinions about making

          the following items built-in

          <br>

          defaults?

          <br>

          <br>

           acl Safe_ports port 21 80 443

          <br>

           acl CONNECT_ports port 443

          <br>

           acl CONNECT method CONNECT

          <br>

          <br>

           http_acces deny !Safe_ports

          <br>

           http_access deny CONNECT !CONNECT_ports

          <br>

        </blockquote>

        <br>

        <blockquote type="cite">The above change will have some effect

          on installations that try to use

          <br>

          an empty squid.conf.

          <br>

        </blockquote>

        <br>

        And on many other existing installations, of course, especially

        on those

        <br>

        with complex access rules which are usually the most difficult

        to

        <br>

        modify/adjust. In other words, this is a pretty serious change.

        <br>

        <br>

        <br>

      </blockquote>

      <br>

      How would a "built-in default" alter an existing setup? I mean, in

      every other instance that I can think of, if the config file

      includes the directive, the config file's version overrides the

      default ...

      <br>

    </blockquote>

    This is normal behaviour. System administrator should have

    possibility to override ANY default.<br>

    <blockquote type="cite"

      cite="mid:20170413111414.Horde.xLtNThbtK50MUyRLMNz-uWn@192.168.10.20">

      <br>

      <br>

      <fieldset class="mimeAttachmentHeader"></fieldset>

      <br>

      <pre wrap="">_______________________________________________

squid-users mailing list

<a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>

<a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a>

</pre>

    </blockquote>

    <br>

    <div class="moz-signature">-- <br>

      Bugs to the Future</div>

  </body>

</html>