On 14/04/2017 3:14 a.m., Dan Purgert wrote:
> Quoting Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>:
>
>> On 04/12/2017 12:16 PM, Amos Jeffries wrote:
>>
>>> Changes to http_access defaults
>>
>> Clearly stating what you are trying to accomplish with these changes may
>> help others evaluate your proposal. Your initial email focuses on _how_
>> you are going to accomplish some implied/vague goal. What is the goal
>> here?
>>
>>
>>> I have become convinced that Squid always checks those
>>> security rules, then do the custom access rules. All other orderings
>>> seem to have turned out to be problematic and security-buggy in some
>>> edge cases or another.
>>
>> s/Squid always checks/Squid should always check/
>>
>>
>>> What are people's opinions about making the following items built-in
>>> defaults?
>>>
>>> acl Safe_ports port 21 80 443
>>> acl CONNECT_ports port 443
>>> acl CONNECT method CONNECT
>>>
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !CONNECT_ports
>>
>>> The above change will have some effect on installations that try to use
>>> an empty squid.conf.
>>
>> And on many other existing installations, of course, especially on those
>> with complex access rules which are usually the most difficult to
>> modify/adjust. In other words, this is a pretty serious change.
>>
>>
>
> How would a "built-in default" alter an existing setup? I mean, in every
> other instance that I can think of, if the config file includes the
> directive, the config file's version overrides the default ...
>

The way built-ins are generally done in Squid is to have a set of lines that are hard-coded and treated as existing "above" the first line of squid.conf.

For existing setups where non-443 ports were desired with CONNECT, this approach would mean admins have to list them in SSL_ports/CONNECT_ports instead of simply removing all lines mentioning "SSL_Ports".
That is really a practice people should be doing anyway, so is this change from whatever you are doing to a way that enforces best practice going to be a major issue for anyone?

[That is part of the reason I've sent this RFC to all of squid-users, instead of just squid-dev. To see what sort of issues people will have with that kind of change, and how widespread the trouble would be.]

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
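The point Amos makes about built-ins sitting "above" the first line of squid.conf is easiest to see by running a request through the rule list. The following is an added illustration, not part of the thread and not Squid's code: a toy model of Squid's first-match http_access evaluation that understands only the directives quoted above (`acl NAME port ...`, `acl NAME method ...`, `http_access allow|deny ACL [!ACL ...]`) and prepends the proposed built-in defaults to whatever the admin's squid.conf says. It assumes three things about Squid that are documented but are not stated in the thread: repeating `acl NAME type ...` appends values to the existing ACL, `all` always matches, and when no http_access line matches the result is the opposite of the last line's action (deny if there are no lines at all). The sample configs and requests are constructed for the example.

```python
"""Toy model of Squid's first-match http_access evaluation.

Added illustration, not Squid's own code. It supports only the directives
discussed in the thread: 'acl NAME port ...', 'acl NAME method ...' and
'http_access allow|deny ACL [!ACL ...]'. The built-in defaults are
prepended to the admin's squid.conf, i.e. treated as sitting "above" its
first line, which is how the thread describes Squid's built-ins.
"""

# Proposed built-in defaults, as quoted in the thread.
BUILTIN_DEFAULTS = """
acl Safe_ports port 21 80 443
acl CONNECT_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !CONNECT_ports
"""


def parse_config(text):
    """Return (acls, rules).  acls: name -> {'type', 'values'};
    rules: list of (action, [(negated, acl_name), ...]) in file order."""
    acls = {}
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, acl_type, values = parts[1], parts[2], parts[3:]
            entry = acls.setdefault(name, {"type": acl_type, "values": []})
            if entry["type"] != acl_type:
                raise ValueError(f"acl {name} redeclared with a different type")
            # Assumption: repeating 'acl NAME type ...' appends to the existing
            # list, so an admin extends CONNECT_ports rather than replacing it.
            entry["values"].extend(values)
        elif parts[0] == "http_access" and parts[1] in ("allow", "deny"):
            terms = [(term.startswith("!"), term.lstrip("!")) for term in parts[2:]]
            rules.append((parts[1], terms))
        else:
            raise ValueError(f"unsupported line in this toy model: {line!r}")
    return acls, rules


def _port_matches(values, port):
    for value in values:
        if "-" in value:                      # a range such as 1025-65535
            low, high = value.split("-", 1)
            if int(low) <= port <= int(high):
                return True
        elif int(value) == port:
            return True
    return False


def acl_matches(acls, name, method, port):
    if name == "all":                         # assumption: Squid's implicit 'all'
        return True
    if name not in acls:
        raise ValueError(f"undefined acl {name!r}")
    acl = acls[name]
    if acl["type"] == "port":
        return _port_matches(acl["values"], port)
    if acl["type"] == "method":
        return method.upper() in {v.upper() for v in acl["values"]}
    raise ValueError(f"acl type {acl['type']!r} not modelled")


def evaluate(config_text, method, port, builtins=BUILTIN_DEFAULTS):
    """Return 'allow' or 'deny' for a request with the given method and
    destination port, under builtins followed by the admin's config."""
    acls, rules = parse_config(builtins + "\n" + config_text)
    for action, terms in rules:
        # All ACLs on one http_access line are ANDed; the first line whose
        # ACLs all match decides the request.
        if all(acl_matches(acls, name, method, port) != negated
               for negated, name in terms):
            return action
    # Nothing matched (assumed documented behaviour): opposite of the last
    # line's action, and deny when there are no http_access lines at all.
    if not rules:
        return "deny"
    return "allow" if rules[-1][0] == "deny" else "deny"


if __name__ == "__main__":
    # Constructed sample configs: an old-style "just allow everything" file,
    # and one that extends the port ACLs the way Amos says admins should.
    permissive = "http_access allow all\n"
    extended = ("acl Safe_ports port 8443\n"
                "acl CONNECT_ports port 8443\n"
                "http_access allow all\n")
    for label, cfg in (("allow-all only", permissive), ("ports extended", extended)):
        for method, port in (("GET", 80), ("CONNECT", 443), ("CONNECT", 8443)):
            print(f"{label:15} {method:7} :{port:<5} -> {evaluate(cfg, method, port)}")
```

Two things fall out of running it. First, `http_access allow all` no longer lets `CONNECT` to port 8443 through once the built-ins sit above it, because the built-in deny lines match first; only adding 8443 to both `Safe_ports` and `CONNECT_ports` (adding it to `CONNECT_ports` alone still trips `deny !Safe_ports`) restores the old behaviour. Second, under the modelled "opposite of the last line" rule, a completely empty squid.conf plus deny-only built-ins ends up allowing anything the built-ins do not reject, whereas an empty file with no rules at all denies everything, which is the empty-squid.conf effect the proposal itself flags.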