On 04/13/2017 10:39 AM, Alex Rousskov wrote:
> The "many folks misconfigure access rules" problem may not have a
> good solution (under Squid control); we should be careful not to make
> things worse while not solving the unsolvable problem.

Here is an alternative idea: Instead of adding default http_access rules inside Squid, add an optional squid.conf lint/checker. For many configurations, especially the simple ones used by new Squid admins, it is fairly easy to _automatically_ check whether these default rules are violated. If these rules are violated, Squid will log a startup warning like this:

    WARNING: Your http_access rules allow CONNECT to unsafe port XXX.
    More info at http://...?warning=xyz&port=XXX.

The URL will detail the dangers and also explain how to disable this specific warning or linting as a whole.

I can discuss/detail this further if there is consensus that automated checking is overall better than built-in http_access defaults.

Unfortunately, I do not have the time to volunteer an implementation.

HTH,

Alex.
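The kind of check proposed in the message above, sketched as an added example; it is not part of the original message and is not Squid code. It walks `http_access` in first-match order for a CONNECT request to a probe port and reports when some client may be allowed through. It assumes "default rules" means Squid's stock `deny !Safe_ports` / `deny CONNECT !SSL_ports` guards; the function names, the sample configuration and the probe port 25 are constructed for illustration.

```python
# Constructed sample squid.conf: "allow localnet" sits above the guard rules.
SAMPLE_CONF = """\
acl SSL_ports port 443
acl Safe_ports port 80 443 1025-65535
acl CONNECT method CONNECT
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
"""

def parse(conf):  # -> ({acl name: (type, values)}, [(action, [acl, ...])])
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) >= 3 and tok[0] == "acl":
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def term(tok, acls, port):
    """One (possibly negated) ACL vs. a CONNECT to `port`; None = depends on the client."""
    name, m = tok.lstrip("!"), None
    kind, vals = acls.get(name, (None, []))
    if name == "all":
        m = True
    elif kind == "port":
        m = any(int(a) <= port <= int(b or a) for a, _, b in (v.partition("-") for v in vals))
    elif kind == "method":
        m = "CONNECT" in (v.upper() for v in vals)
    return m if m is None else m != tok.startswith("!")

def connect_may_be_allowed(conf, port):
    """First-match walk of http_access; True if some client may get through."""
    acls, rules = parse(conf)
    for action, names in rules:
        res = [term(n, acls, port) for n in names]
        if False in res:
            continue      # an ACL definitely fails: rule cannot match
        if action == "allow":
            return True   # matches, or may match for some client
        if None not in res:
            return False  # deny matches every such request
    return bool(rules) and rules[-1][0] == "deny"  # no match: opposite of last rule

def lint(conf, ports=(25,)):  # 25 is an arbitrary probe port for this example
    return ["WARNING: Your http_access rules allow CONNECT to unsafe port %d." % p
            for p in ports if connect_may_be_allowed(conf, p)]
```

ACL types the sketch cannot decide (src, proxy_auth and so on) are treated as possibly matching, so a warning means the rule order needs review rather than that every client is exposed.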