[squid-users] Empty ACL technical risks
Nikita Seregin
nick.srg at yandex.ru
Fri Jun 14 12:27:45 UTC 2019
Hi again.
Thank you for the answer.
So, as i understood, the empty acl files isn't the best option.
And may i include config files, which sometimes can become empty?
For example:
I put into /etc/squid/squid.conf next string:
include /etc/squid/certificates.conf
And in the /etc/squid/certificates.conf i put:
acl TRUSTED_FINGERPRINTS server_cert_fingerprint 7A:29:27:9A:DF:C4:4E:18:4D:94:E1:BB:2A:D9:09:3A:70:B1:AB:16
acl TRUSTED_FINGERPRINTS server_cert_fingerprint 70:B1:AB:16:7A:29:27:9A:DF:C4:4E:18:4D:94:E1:BB:2A:D9:09:3A
sslproxy_cert_sign signTrusted TRUSTED_FINGERPRINTS
Will it be OK, if i will just clear the /etc/squid/certificates.conf file in case if i don't have any fingerprints to put in, and keep the include /etc/squid/certificates.conf directive in squid.conf untouched? So in fact it will include the empty file.
Are there any technical risks?
12.06.2019, 08:58, "Amos Jeffries" <squid3 at treenet.co.nz>:
> On 11/06/19 11:36 pm, Никита Серёгин wrote:
>> Hi All,
>>
>> If there is an empty acl in squid.conf, squid gives us warning message during restart/reconfigure.
>>
>> We wonder if these warnings are just notifications for administrator, or there are some really technical risks.
>>
>> Like here for example: https://bugs.launchpad.net/ubuntu/+source/squid-deb-proxy/+bug/1659567
>> Amos Jeffries wrote: "The check is a generic validity check used for all ACLs. Whether it is 'harmless' depends on future events at the time of checking. So just silencing or ignoring would leave a lot of nasty misconfigurations quietly accepted"
>>
>> Could these "nasty misconfigurations" be made only by administrator, or is it about squid possible wrong behavior?
>
> The Ubuntu bug report you referenced is a good example why. The file
> which is initially empty is explicitly being added to by non-admin
> entities. Who then have an automated action to trigger reconfigure of
> the running proxy.
>
> The risk there is that those entities are not necessarily knowing what
> valid ACL data is. Nor in a position to fix the resulting DoS if they
> get it wrong and make Squid exit on the reconfigure.
> That breaking reconfigure may be a long time after the config change
> was made.
>
>> Are there any strong technical reasons to avoid using of empty ACLs in production environment?
>
> The main reason is that risk of DoS-ing the proxy and everyone using it
> for an indeterminate amount of time until the admin can be summoned and
> track down why the proxy is not running.
>
> Another reason is every transaction handled by Squid has to spend CPU
> cycles setting up access checklists, fetching the data to be tested,
> then calling the processing code - even if the ACL is empty and thus
> immediately returns its DUNNO result.
>
> Which brings us to DUNNO being the third match state. So things like:
>
> acl foo src "/some/empty.file"
> http_access allow foo
> http_access allow !foo
>
> ... results in the surprise *access denied*.
>
>> And are there any news about explicit flag to indicate whether an ACL is allowed to be empty or not?
>
> Nobody has submitted anything towards one.
>
> As you noted at the start it is a *warning* message. Squid should
> continue to run "fine". Provided your definition of "fine" accounts for
> the above technical issues and odd behaviour.
>
> Cheers,
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
More information about the squid-users
mailing list