[squid-users] [RFC] Changes to http_access defaults
Amos Jeffries
squid3 at treenet.co.nz
Wed Apr 12 18:16:36 UTC 2017
When I implemented the major changes to squid.conf in 3.1/3.2 there
were a lot of installations placing custom config rules above the lines
I describe now as "default security checks". The !Safe_ports and
!SSL_ports deny lines.
At the time I also believed reverse-proxy config had to go above that to
work properly. Which was the major argument behind leaving them manually
configured.
That reverse-proxy reason has turned out to be incorrect and over the
years since I have become convinced that Squid always checks those
security rules, then do the custom access rules. All other orderings
seem to have turned out to be problematic and security-buggy in some
edge cases or another.
What are peoples opinions about making the following items built-in
defaults?
acl Safe_ports port 21 80 443
acl CONNECT_ports port 443
acl CONNECT method CONNECT
http_acces deny !Safe_ports
http_access deny CONNECT !CONNECT_ports
This makes the three protocols Squid-4/5 can officially support (HTTP,
HTTPS, FTP) acceptable by default.
I have excluded the other protocols that are safe, but usually not
necessary to proxy in modern traffic. They can remain 'recommended'
configurable defaults like today.
Likewise the manager rules (for now) since local conditions can
sometimes allow them to be optimized better than our current recommended
default.
The above change will have some effect on installations that try to use
an empty squid.conf. If the proposal goes ahead some extra additions
would be included to retain that default-reject behaviour.
Ideas? opinions?
Amos
More information about the squid-users
mailing list