[squid-users] How to have squid as safe as (e.g.) firefox?

Alex Rousskov rousskov at measurement-factory.com
Thu Aug 13 20:42:19 UTC 2015


On 08/13/2015 12:06 AM, Amos Jeffries wrote:

> On 13/08/2015 9:20 a.m., Jeremie Rafin wrote:
>> sslproxy_cert_error deny all


> You have also configured "sslproxy_cert_error deny all" which forces
> Squid to accept and ignore all possible origin server certificate
> errors. Including revocation.


"deny" does not force Squid to "accept and ignore". I think you are
describing the effects of the opposite setting:

  sslproxy_cert_error allow all

The actual "deny all" configuration means "do not allow any error to get
through". We should have used custom ACL verbs if the default allow/deny
are causing confusion among the best of us.

Alex.



More information about the squid-users mailing list