When I implemented the major changes to squid.conf in 3.1/3.2 there were a lot of installations placing custom config rules above the lines I describe now as "default security checks": the !Safe_ports and !SSL_ports deny lines. At the time I also believed reverse-proxy config had to go above that to work properly, which was the major argument behind leaving them manually configured.

That reverse-proxy reason has turned out to be incorrect, and over the years since I have become convinced that Squid should always check those security rules, then do the custom access rules. All other orderings seem to have turned out to be problematic and security-buggy in some edge case or another.

What are people's opinions about making the following items built-in defaults?

  acl Safe_ports port 21 80 443
  acl CONNECT_ports port 443
  acl CONNECT method CONNECT
  http_access deny !Safe_ports
  http_access deny CONNECT !CONNECT_ports

This makes the three protocols Squid-4/5 can officially support (HTTP, HTTPS, FTP) acceptable by default. I have excluded the other protocols that are safe, but usually not necessary to proxy in modern traffic. They can remain 'recommended' configurable defaults like today. Likewise the manager rules (for now), since local conditions can sometimes allow them to be optimized better than our current recommended default.

The above change will have some effect on installations that try to use an empty squid.conf. If the proposal goes ahead some extra additions would be included to retain that default-reject behaviour.

Ideas? Opinions?

Amos

_______________________________________________
squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users
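As an added illustration (not from Amos's post or the Squid code base), a toy Python evaluator of Squid's first-match http_access semantics, showing why the two deny lines above must sit before any custom allow rules; the localnet ACL, its 10.0.0.0/8 subnet and the sample requests are constructed assumptions.

```python
# Added example: a minimal model of Squid http_access evaluation, enough to
# show the ordering problem the proposal addresses. Not Squid code.
from dataclasses import dataclass


@dataclass
class Request:
    method: str   # HTTP method, e.g. "GET" or "CONNECT"
    port: int     # destination port
    src: str      # client address (string, for the toy subnet check)


# ACL definitions: name -> predicate over a Request (a tiny subset of Squid's acl types).
ACLS = {
    "Safe_ports":    lambda r: r.port in (21, 80, 443),   # from the proposal
    "CONNECT_ports": lambda r: r.port == 443,             # from the proposal
    "CONNECT":       lambda r: r.method == "CONNECT",
    "localnet":      lambda r: r.src.startswith("10."),   # assumed client subnet
    "all":           lambda r: True,
}


def acl_match(term: str, req: Request) -> bool:
    """One term of an http_access line; a leading '!' negates the ACL."""
    negate = term.startswith("!")
    return ACLS[term.lstrip("!")](req) != negate


def http_access(rules, req: Request) -> str:
    """First line whose ACLs all match decides. If nothing matches, Squid
    applies the opposite of the last line's action."""
    for action, *terms in rules:
        if all(acl_match(t, req) for t in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# The proposed built-in security checks, exactly as in the post.
SECURITY_CHECKS = [
    ("deny", "!Safe_ports"),
    ("deny", "CONNECT", "!CONNECT_ports"),
]
# Typical custom site policy (constructed).
SITE_ALLOW = [("allow", "localnet")]
DEFAULT_REJECT = [("deny", "all")]

# Proposed ordering: security checks are evaluated before any custom rule.
PROPOSED = SECURITY_CHECKS + SITE_ALLOW + DEFAULT_REJECT
# The problematic ordering the post describes: custom allow placed above the checks.
MISORDERED = SITE_ALLOW + SECURITY_CHECKS + DEFAULT_REJECT
```

Running both rule sets against a CONNECT to a non-443 port from localnet shows the misordered config lets it through while the proposed ordering rejects it, and ordinary port-80 requests behave the same either way.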