[squid-users] [RFC] Changes to http_access defaults
Amos Jeffries
squid3 at treenet.co.nz
Fri Apr 14 14:08:31 UTC 2017
On 14/04/2017 4:52 a.m., Alex Rousskov wrote:
> On 04/13/2017 10:39 AM, Alex Rousskov wrote:
>
>> The "many folks misconfigure access rules" problem may not have a
>> good solution (under Squid control); we should be careful not to make
>> things worse while not solving the unsolvable problem.
>
>
> Here is an alternative idea: Instead of adding default http_access rules
> inside Squid, add an optional squid.conf lint/checker.
We have a lint checker in "-k parse" and "-k check" anyway. That is not
going away, and these kinds of checks are a good idea regardless of what
the built-in default config is.
So that is not an exclusive alternative. It is something we will need to
do along with (or before) the config changes.
> For many
> configurations, especially the simple ones used by new Squid admins, it
> is fairly easy to _automatically_ check whether these default rules are
> violated.
>
> If these rules are violated, Squid will log a startup warning like this:
>
> WARNING: Your http_access rules allow CONNECT to unsafe port XXX.
> More info at http://...?warning=xyz&port=XXX.
>
> The URL will detail the dangers and also explain how to disable this
> specific warning or linting as a whole.
>
> I can discuss/detail this further if there is consensus that automated
> checking is overall better than built-in http_access defaults.
> Unfortunately, I do not have the time to volunteer an implementation.
>
>
> HTH,
>
> Alex.
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
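The startup check Alex sketches above (walk the http_access rules, see whether a CONNECT to a port outside SSL_ports would be allowed, and log a warning naming the port) can be shown in a small script. This is an added example, not Squid's own code and not from anyone in this thread: it models only the `port`, `method` and `src` acl types plus simplified built-in `all`, `localhost` and `manager` acls, assumes 443 when no `SSL_ports` acl is defined, and probes a constructed set of ports from a constructed LAN client address. The two sample configurations are constructed too; the second shows the common ordering mistake of placing `allow localnet` above the CONNECT restriction.

```python
"""Minimal squid.conf http_access checker (added example, not Squid code)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    port: int
    client: str  # client IP address as text


@dataclass
class Config:
    acls: dict = field(default_factory=dict)   # name -> (type, [values])
    rules: list = field(default_factory=list)  # (action, [(negated, acl name)])


def _parse_ports(values):
    """Expand 'port' acl values such as '443' or '1025-65535' into a set."""
    ports = set()
    for v in values:
        lo, _, hi = v.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_config(text):
    """Collect acl lines (same name accumulates values) and http_access lines."""
    cfg = Config()
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl" and len(words) >= 4:
            name, acltype, values = words[1], words[2], words[3:]
            known_type, existing = cfg.acls.get(name, (acltype, []))
            if known_type != acltype:
                raise ValueError(f"acl {name} redefined with type {acltype}")
            cfg.acls[name] = (acltype, existing + values)
        elif words[0] == "http_access" and len(words) >= 2:
            if words[1] not in ("allow", "deny"):
                raise ValueError(f"http_access: unknown action {words[1]}")
            terms = [(w.startswith("!"), w.lstrip("!")) for w in words[2:]]
            cfg.rules.append((words[1], terms))
    return cfg


def acl_matches(cfg, name, req):
    if name == "all":
        return True
    if name == "localhost":  # built-in loopback acl
        return ipaddress.ip_address(req.client).is_loopback
    if name == "manager":    # cache-manager URLs; a CONNECT is never one
        return False
    if name not in cfg.acls:
        raise ValueError(f"undefined acl: {name}")
    acltype, values = cfg.acls[name]
    if acltype == "port":
        return req.port in _parse_ports(values)
    if acltype == "method":
        return req.method.upper() in {v.upper() for v in values}
    if acltype == "src":
        client = ipaddress.ip_address(req.client)
        return any(client in ipaddress.ip_network(v, strict=False) for v in values)
    raise ValueError(f"acl type not modelled here: {acltype}")


def decide(cfg, req):
    """First http_access line whose acls all match (after '!' negation) wins;
    with no match, Squid applies the opposite of the last line's action."""
    for action, terms in cfg.rules:
        if all(acl_matches(cfg, name, req) != negated for negated, name in terms):
            return action
    if not cfg.rules:
        return "allow"
    return "deny" if cfg.rules[-1][0] == "allow" else "allow"


PROBE_PORTS = (25, 80, 8080, 443)  # constructed probe set, not Squid's


def lint_connect(cfg, client="192.168.1.10"):
    """Warnings a startup check could log: CONNECT allowed to a port outside
    SSL_ports (443 assumed if the acl is absent) for a constructed LAN client."""
    if "SSL_ports" in cfg.acls:
        ssl_ports = _parse_ports(cfg.acls["SSL_ports"][1])
    else:
        ssl_ports = {443}
    warnings = []
    for port in PROBE_PORTS:
        if port not in ssl_ports and decide(cfg, Request("CONNECT", port, client)) == "allow":
            warnings.append(f"WARNING: Your http_access rules allow CONNECT to unsafe port {port}.")
    return warnings


# Constructed sample configs: stock ordering, then 'allow localnet' placed too early.
STOCK_CONF = """
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535
acl Safe_ports port 280 488 591 777
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
"""
EARLY_ALLOW_CONF = """
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access allow localnet
http_access deny CONNECT !SSL_ports
http_access deny all
"""

if __name__ == "__main__":
    for label, text in (("stock", STOCK_CONF), ("early-allow", EARLY_ALLOW_CONF)):
        print(label, lint_connect(parse_config(text)) or ["no warnings"])
```

Run as a script it reports nothing for the stock ordering and one warning per probed non-SSL port for the misordered file, which is the kind of message the linter proposal above would tie to an explanatory URL. The decision function follows Squid's documented evaluation (first fully matching line wins, otherwise the opposite of the last line), so the same `decide` can be reused to probe other request shapes if more acl types are added.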