On 04/12/2017 12:16 PM, Amos Jeffries wrote:
> Changes to http_access defaults

Clearly stating what you are trying to accomplish with these changes may help others evaluate your proposal. Your initial email focuses on _how_ you are going to accomplish some implied/vague goal. What is the goal here?

> I have become convinced that Squid always checks those
> security rules, then do the custom access rules. All other orderings
> seem to have turned out to be problematic and security-buggy in some
> edge cases or another.

s/Squid always checks/Squid should always check/

> What are people's opinions about making the following items built-in
> defaults?
>
> acl Safe_ports port 21 80 443
> acl CONNECT_ports port 443
> acl CONNECT method CONNECT
>
> http_access deny !Safe_ports
> http_access deny CONNECT !CONNECT_ports

> The above change will have some effect on installations that try to use
> an empty squid.conf.

And on many other existing installations, of course, especially on those with complex access rules which are usually the most difficult to modify/adjust. In other words, this is a pretty serious change.

> If the proposal goes ahead some extra additions
> would be included to retain that default-reject behaviour.

It is difficult to properly evaluate your proposal until it details how one would be able to override the proposed defaults.

These defaults, in some shape or form, make sense for most installations, of course. The difficult parts are:

* minimizing surprises (e.g., when the hidden defaults change, are wrong, and/or interact with deny_info rules in surprising ways);

* avoiding configurations that compute essentially the same rules multiple times (hidden defaults + explicit defaults); and

* designing a configuration approach to overwrite defaults without either screwing up a lot of admins or virtually eliminating the positive effect of those defaults in new configurations.

To address the last bullet, we could add a deny_unsafe_ports <on|off> directive. If that directive is "on" by default [for any squid.conf that does not define a Safe_ports ACL??], then it does not address the first two bullets well. Perhaps it should be off by default but explicitly added (and turned "on") to every newly generated squid.conf.default?

Also, what will the http_access rules in newly generated squid.conf.default look like if we add default http_access rules?

I am worried that adding hidden default http_access rules will make things overall worse rather than solving the problem you are trying to solve. I wonder if fiddling with http_access internals might be the wrong direction here.

Thank you,

Alex.
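The ordering concern in the quoted proposal, as an added example that is not part of the original message and is not Squid's code: a simplified Python model of first-match http_access evaluation using the ACLs quoted above. The `localnet` ACL, both rule orderings and the sample requests are constructed assumptions for illustration.

```python
# Simplified model of first-match http_access evaluation (not Squid's implementation).
ACLS = {
    "Safe_ports": lambda r: r["port"] in {21, 80, 443},   # from the quoted proposal
    "CONNECT_ports": lambda r: r["port"] == 443,          # from the quoted proposal
    "CONNECT": lambda r: r["method"] == "CONNECT",        # from the quoted proposal
    "localnet": lambda r: r["src"].startswith("10."),     # hypothetical site ACL
    "all": lambda r: True,
}

# Constructed configurations: the same four rules in two different orders.
SECURITY_FIRST = """
http_access deny !Safe_ports
http_access deny CONNECT !CONNECT_ports
http_access allow localnet
http_access deny all
"""
CUSTOM_FIRST = """
http_access allow localnet
http_access deny !Safe_ports
http_access deny CONNECT !CONNECT_ports
http_access deny all
"""

def parse(conf):
    """Return [(action, [acl, ...]), ...] for each http_access line."""
    rules = []
    for line in conf.strip().splitlines():
        words = line.split()
        if words and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return rules

def matches(name, req):
    """Evaluate one ACL name; a leading '!' negates it."""
    result = ACLS[name.lstrip("!")](req)
    return not result if name.startswith("!") else result

def decide(conf, req):
    """First rule whose ACLs all match wins."""
    rules = parse(conf)
    for action, acls in rules:
        if all(matches(a, req) for a in acls):
            return action
    if not rules:
        return "deny"  # the default-reject behaviour for an empty squid.conf
    # No rule matched: the opposite of the last rule's action applies.
    return "deny" if rules[-1][0] == "allow" else "allow"

# Constructed sample request: CONNECT tunnel to an SMTP port from an internal client.
TUNNEL_TO_25 = {"method": "CONNECT", "port": 25, "src": "10.0.0.5"}
```

With the security rules first the tunnel request is denied; with the custom allow rule first it is allowed before the port checks are ever reached.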