[squid-users] [squid-dev] [RFC] Changes to http_access defaults

Dan Purgert dan at djph.net
Thu Apr 13 15:14:14 UTC 2017


Quoting Alex Rousskov <rousskov at measurement-factory.com>:

> On 04/12/2017 12:16 PM, Amos Jeffries wrote:
>
>> Changes to http_access defaults
>
> Clearly stating what you are trying to accomplish with these changes may
> help others evaluate your proposal. Your initial email focuses on _how_
> you are going to accomplish some implied/vague goal. What is the goal here?
>
>
>> I have become convinced that Squid always checks those
>> security rules, then do the custom access rules. All other orderings
>> seem to have turned out to be problematic and security-buggy in some
>> edge cases or another.
>
> s/Squid always checks/Squid should always check/
>
>
>> What are people's opinions about making the following items built-in
>> defaults?
>>
>>  acl Safe_ports port 21 80 443
>>  acl CONNECT_ports port 443
>>  acl CONNECT method CONNECT
>>
>>  http_access deny !Safe_ports
>>  http_access deny CONNECT !CONNECT_ports
>
>> The above change will have some effect on installations that try to use
>> an empty squid.conf.
>
> And on many other existing installations, of course, especially on those
> with complex access rules which are usually the most difficult to
> modify/adjust. In other words, this is a pretty serious change.
>
>

How would a "built-in default" alter an existing setup? I mean, in
every other instance that I can think of, if the config file includes
the directive, the config file's version overrides the default ...

-- 
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281
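
Added example, not part of the original message and not Squid's own code: a small model of first-match http_access evaluation, assuming the proposed built-in rules are checked before the rules in squid.conf, as the quoted proposal describes. The localnet rules and the sample requests are constructed for illustration.

```python
# Added illustration, not Squid source: first-match http_access evaluation.
from ipaddress import ip_address, ip_network

ACLS = {
    # ACLs from the quoted proposal
    "Safe_ports": lambda r: r["port"] in {21, 80, 443},
    "CONNECT_ports": lambda r: r["port"] in {443},
    "CONNECT": lambda r: r["method"] == "CONNECT",
    # Constructed ACLs standing in for an existing site configuration
    "localnet": lambda r: ip_address(r["src"]) in ip_network("10.0.0.0/8"),
    "all": lambda r: True,
}

BUILTIN = [  # proposed defaults (directive spelled http_access)
    "http_access deny !Safe_ports",
    "http_access deny CONNECT !CONNECT_ports",
]
EXISTING = [  # constructed squid.conf rules
    "http_access allow localnet",
    "http_access deny all",
]

def term_matches(term, req):
    """Evaluate one ACL name, honouring a leading '!' negation."""
    hit = ACLS[term.lstrip("!")](req)
    return not hit if term.startswith("!") else hit

def decide(rules, req):
    """Return (action, rule): the first rule whose ACLs all match wins."""
    for line in rules:
        _, action, *terms = line.split()
        if all(term_matches(t, req) for t in terms):
            return action, line
    # No rule matched: Squid takes the opposite of the last rule's action.
    last = rules[-1].split()[1]
    return ("deny" if last == "allow" else "allow"), None

def compare(req):
    """Decision with squid.conf alone vs. built-ins checked first."""
    return decide(EXISTING, req)[0], decide(BUILTIN + EXISTING, req)[0]

REQUESTS = [  # constructed sample requests
    {"src": "10.1.2.3", "method": "GET", "port": 80},
    {"src": "10.1.2.3", "method": "GET", "port": 8080},
    {"src": "10.1.2.3", "method": "CONNECT", "port": 8443},
]

if __name__ == "__main__":
    for r in REQUESTS:
        print(r, "->", compare(r))
```

Under that assumption, the constructed localnet client keeps access to port 80, while its requests to ports 8080 and 8443 change from allow to deny without any edit to the existing rules.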