13.04.2017 21:14, Dan Purgert wrote:
Quoting Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>:
On 04/12/2017 12:16 PM, Amos Jeffries wrote:
Changes to http_access defaults
Clearly stating what you are trying to accomplish with these changes may
help others evaluate your proposal. Your initial email focuses on _how_
you are going to accomplish some implied/vague goal. What is the goal here?
I have become convinced that Squid always checks those
security rules, then do the custom access rules. All other orderings
seem to have turned out to be problematic and security-buggy in some
edge cases or another.
s/Squid always checks/Squid should always check/
What are people's opinions about making the following items built-in
defaults?
acl Safe_ports port 21 80 443
acl CONNECT_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !CONNECT_ports
The above change will have some effect on installations that try to use
an empty squid.conf.
And on many other existing installations, of course, especially on those
with complex access rules which are usually the most difficult to
modify/adjust. In other words, this is a pretty serious change.
How would a "built-in default" alter an existing setup? I mean, in
every other instance that I can think of, if the config file
includes the directive, the config file's version overrides the
default ...
This is normal behaviour. The system administrator should have the
possibility to override ANY default.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
--
Bugs to the Future
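
The ordering concern raised in the quoted text (security rules checked before custom access rules), as an added example that is not part of the original message or of Squid's code: a simplified first-match evaluator for the proposed rules. The `localnet` ACL, the client addresses and the sample requests are constructed for illustration.

```python
# Added example: simplified model of Squid's first-match http_access evaluation.
# Only port and method ACLs are modelled; "localnet" and all requests are constructed.
ACLS = {
    "all": lambda r: True,
    "Safe_ports": lambda r: r["port"] in {21, 80, 443},
    "CONNECT_ports": lambda r: r["port"] == 443,
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "localnet": lambda r: r["src"].startswith("10."),  # hypothetical site ACL
}

# The rules proposed in the thread as built-in defaults.
SECURITY = [("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "!CONNECT_ports"])]
# Constructed site policy standing in for an admin's custom rules.
CUSTOM = [("allow", ["localnet"]), ("deny", ["all"])]


def acl_matches(name, req):
    """Evaluate one ACL reference; a leading '!' negates it."""
    if name.startswith("!"):
        return not ACLS[name[1:]](req)
    return ACLS[name](req)


def http_access(rules, req):
    """Return the action of the first rule whose ACLs all match (AND)."""
    for action, acls in rules:
        if all(acl_matches(a, req) for a in acls):
            return action
    if not rules:
        return "deny"  # no http_access lines at all: deny
    # Nothing matched: the result is the opposite of the last rule's action.
    return "allow" if rules[-1][0] == "deny" else "deny"


def compare(req):
    """Return (security-first verdict, custom-first verdict) for one request."""
    return http_access(SECURITY + CUSTOM, req), http_access(CUSTOM + SECURITY, req)


REQUESTS = [  # constructed sample requests
    {"src": "10.0.0.5", "method": "GET", "port": 80},
    {"src": "10.0.0.5", "method": "CONNECT", "port": 25},
    {"src": "10.0.0.5", "method": "CONNECT", "port": 21},
    {"src": "192.0.2.7", "method": "GET", "port": 80},
]

if __name__ == "__main__":
    for req in REQUESTS:
        print(req, compare(req))
```

With the custom `allow localnet` rule placed first, the CONNECT requests to ports 25 and 21 are allowed before the port checks are ever reached; with the security rules first, both are denied.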