Quoting Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>:
> On 04/12/2017 12:16 PM, Amos Jeffries wrote:
>> Changes to http_access defaults
>
> Clearly stating what you are trying to accomplish with these changes may help others evaluate your proposal. Your initial email focuses on _how_ you are going to accomplish some implied/vague goal. What is the goal here?
>
>> I have become convinced that Squid always checks those security rules, then do the custom access rules. All other orderings seem to have turned out to be problematic and security-buggy in some edge cases or another.
>
> s/Squid always checks/Squid should always check/
>
>> What are people's opinions about making the following items built-in defaults?
>>
>>   acl Safe_ports port 21 80 443
>>   acl CONNECT_ports port 443
>>   acl CONNECT method CONNECT
>>   http_access deny !Safe_ports
>>   http_access deny CONNECT !CONNECT_ports
>>
>> The above change will have some effect on installations that try to use an empty squid.conf.
>
> And on many other existing installations, of course, especially on those with complex access rules which are usually the most difficult to modify/adjust. In other words, this is a pretty serious change.

How would a "built-in default" alter an existing setup? I mean, in every other instance that I can think of, if the config file includes the directive, the config file's version overrides the default ...

--
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5 4AEE 8E11 DDF3 1279 A281
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
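
The ordering concern raised in the thread, as an added example that is not part of the original messages or of Squid's code: a minimal Python model of first-match `http_access` evaluation, comparing the quoted deny rules placed before and after site rules. The `localnet` ACL, the site rules and the sample requests are constructed assumptions.

```python
# Added illustration: a minimal model of Squid's first-match http_access evaluation.
# Only port/method/source ACLs are modelled; all requests are constructed samples.
ACLS = {
    "Safe_ports":    lambda r: r["port"] in {21, 80, 443},
    "CONNECT_ports": lambda r: r["port"] == 443,
    "CONNECT":       lambda r: r["method"] == "CONNECT",
    "localnet":      lambda r: r["src"].startswith("10."),  # hypothetical site ACL
}
# The two deny rules quoted in the thread.
SECURITY_RULES = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!CONNECT_ports"]),
]
# Hypothetical site rules: allow the local network, then "deny all".
CUSTOM_RULES = [
    ("allow", ["localnet"]),
    ("deny", []),
]

def matches(term, req):
    """Evaluate one ACL name, honouring a leading '!' negation."""
    negate = term.startswith("!")
    return ACLS[term.lstrip("!")](req) != negate

def http_access(rules, req):
    """Return the action of the first rule whose ACLs all match (AND within a line)."""
    for action, terms in rules:
        if all(matches(t, req) for t in terms):
            return action
    # No rule matched: the opposite of the last rule's action applies.
    return "deny" if rules[-1][0] == "allow" else "allow"

SAMPLES = {
    "https_tunnel": {"src": "10.0.0.5", "method": "CONNECT", "port": 443},
    "smtp_tunnel":  {"src": "10.0.0.5", "method": "CONNECT", "port": 25},
    "plain_http":   {"src": "10.0.0.5", "method": "GET", "port": 80},
}

def compare():
    """Map sample name -> (verdict with security rules first, verdict with them last)."""
    return {name: (http_access(SECURITY_RULES + CUSTOM_RULES, req),
                   http_access(CUSTOM_RULES + SECURITY_RULES, req))
            for name, req in SAMPLES.items()}

if __name__ == "__main__":
    for name, (sec_first, custom_first) in compare().items():
        print(f"{name:13} security-first={sec_first:5} custom-first={custom_first}")
```

Only the CONNECT to port 25 differs between the two orderings: with the site `allow` rule first, the port restrictions are never reached for local clients.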