Alex Rousskov wrote
> On 04/13/2017 10:39 AM, Alex Rousskov wrote:
>
>> The "many folks misconfigure access rules" problem may not have a
>> good solution (under Squid control); we should be careful not to make
>> things worse while not solving the unsolvable problem.
>
>
> Here is an alternative idea: Instead of adding default http_access rules
> inside Squid, add an optional squid.conf lint/checker. For many
> configurations, especially the simple ones used by new Squid admins, it
> is fairly easy to _automatically_ check whether these default rules are
> violated.
>
> If these rules are violated, Squid will log a startup warning like this:
>
>     WARNING: Your http_access rules allow CONNECT to unsafe port XXX.
>     More info at http://...?warning=xyz&port=XXX.
>
> The URL will detail the dangers and also explain how to disable this
> specific warning or linting as a whole.
>
> I can discuss/detail this further if there is consensus that automated
> checking is overall better than built-in http_access defaults.
> Unfortunately, I do not have the time to volunteer an implementation.
>
>
> HTH,
>
> Alex.
>
> _______________________________________________
> squid-users mailing list
> squid-users@.squid-cache
> http://lists.squid-cache.org/listinfo/squid-users

Agreed on the warning part only :)
As Yuri said --> System administrator should have possibility to override ANY default. {ANY == ANY}

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/RFC-Changes-to-http-access-defaults-tp4682073p4682087.html
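
A sketch of the squid.conf check proposed in the quoted message, as an added example that is not part of the thread and not Squid code. Assumptions: the function names, the safe port set (443), the probed ports and the sample configuration are constructed here; only `port` and `method` ACLs and the built-in `all` are modelled, and every other ACL type is treated as "may match".

```python
def parse(conf):
    """Return ({acl_name: (type, values)}, ordered http_access rules)."""
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] in ("port", "method"):
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(name, port, acls):
    """True/False for a CONNECT to `port`; None for ACL types not modelled."""
    kind, values = acls.get(name.lstrip("!"), (None, []))
    hit = True  # value for the built-in "all" ACL
    if kind == "method":
        hit = "CONNECT" in values
    elif kind == "port":
        hit = any(int(lo) <= port <= int(hi or lo)
                  for lo, _, hi in (v.partition("-") for v in values))
    elif name.lstrip("!") != "all":
        return None  # src, dstdomain, ...: may or may not match
    return hit != name.startswith("!")

def connect_verdict(conf, port):
    """'deny' if a CONNECT to `port` is provably denied, else 'maybe-allow'."""
    acls, rules = parse(conf)
    for action, names in rules:
        results = [acl_matches(n, port, acls) for n in names]
        if False in results:
            continue  # rule cannot match this request
        if action == "allow":
            return "maybe-allow"
        if None not in results:
            return "deny"  # deny rule that certainly matches
    # No certain match: Squid applies the opposite of the last rule.
    return "maybe-allow" if rules and rules[-1][0] == "deny" else "deny"

def lint(conf, safe_ports=(443,), probes=(25, 443, 8080)):
    return [f"WARNING: Your http_access rules allow CONNECT to unsafe port {p}."
            for p in probes if p not in safe_ports and connect_verdict(conf, p) != "deny"]
# Constructed sample configuration (not from the thread).
GOOD = """acl SSL_ports port 443
acl CONNECT method CONNECT
acl localnet src 10.0.0.0/8
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all"""
BAD = GOOD.replace("http_access deny CONNECT !SSL_ports\n", "")
```

`lint(GOOD)` returns no warnings; `lint(BAD)`, which lacks the `deny CONNECT !SSL_ports` rule, returns one warning per probed port outside the safe set.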