On 14/04/2017 4:52 a.m., Alex Rousskov wrote:
> On 04/13/2017 10:39 AM, Alex Rousskov wrote:
>
>> The "many folks misconfigure access rules" problem may not have a
>> good solution (under Squid control); we should be careful not to make
>> things worse while not solving the unsolvable problem.
>
>
> Here is an alternative idea: Instead of adding default http_access rules
> inside Squid, add an optional squid.conf lint/checker.

We have a lint checker in "-k parse" and "-k check" anyway. That is not
going away, and these kinds of checks are a good idea regardless of what
the built-in default config is.

So that is not an exclusive alternative. It is something we will need to
do along with (or before) the config changes.

> For many
> configurations, especially the simple ones used by new Squid admins, it
> is fairly easy to _automatically_ check whether these default rules are
> violated.
>
> If these rules are violated, Squid will log a startup warning like this:
>
> WARNING: Your http_access rules allow CONNECT to unsafe port XXX.
> More info at http://...?warning=xyz&port=XXX.
>
> The URL will detail the dangers and also explain how to disable this
> specific warning or linting as a whole.
>
> I can discuss/detail this further if there is consensus that automated
> checking is overall better than built-in http_access defaults.
> Unfortunately, I do not have the time to volunteer an implementation.
>
>
> HTH,
>
> Alex.
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
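To make the proposed check concrete, here is an added example of the kind of static squid.conf lint Alex describes. It is illustrative code written for this thread, not Squid's own "-k parse"/"-k check" logic, and it understands only a subset of squid.conf: `acl NAME port ...` (single ports and lo-hi ranges), `acl NAME method ...`, `http_access allow|deny [!]ACL ...`, the built-in `all`, and nothing else (no `-i`/`-n` flags, no other directives). ACL types it cannot decide statically (src, dst, dstdomain, ...) are treated as unknowns and brute-forced, so a port is flagged when there exists some client for which CONNECT to that port would be allowed. The two sample configurations and the probe port list are constructed for the example.

```python
"""Toy squid.conf linter for the check discussed in the thread: can any
http_access line allow a CONNECT request to a port outside SSL_ports?
Hypothetical example code, not part of Squid; see the lead-in for the
subset of squid.conf syntax it understands."""
import itertools


def parse_ports(tokens):
    """Expand port tokens such as '443' and '1025-65535' into a set of ints."""
    ports = set()
    for tok in tokens:
        if "-" in tok:
            lo, hi = tok.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(tok))
    return ports


def parse_config(text):
    """Return (acls, rules): acls maps name -> (type, values); rules is the
    ordered list of (allow, [(negated, acl_name), ...]) http_access lines."""
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()      # strip comments, tokenise
        if not words:
            continue
        if words[0] == "acl" and len(words) >= 4:
            name, typ, vals = words[1], words[2], words[3:]
            kind, values = acls.setdefault(name, (typ, set()))  # same name accumulates
            if kind != typ:
                raise ValueError(f"acl {name} redefined with type {typ}")
            values.update(parse_ports(vals) if typ == "port" else vals)
        elif words[0] == "http_access" and len(words) >= 3:
            if words[1] not in ("allow", "deny"):
                raise ValueError(f"bad http_access line: {raw.strip()}")
            terms = [(w.startswith("!"), w.lstrip("!")) for w in words[2:]]
            rules.append((words[1] == "allow", terms))
    return acls, rules


def acl_matches(name, acls, port, guess):
    """Evaluate one ACL for a CONNECT request to `port`; ACL types that are
    not decidable statically take their value from the `guess` assignment."""
    if name == "all":
        return True
    if name not in acls:
        raise ValueError(f"http_access references undefined acl {name}")
    typ, values = acls[name]
    if typ == "port":
        return port in values
    if typ == "method":
        return "CONNECT" in {v.upper() for v in values}
    return guess[name]


def decide(rules, acls, port, guess):
    """First http_access line whose ACLs all match wins.  With no match,
    Squid applies the opposite of the last line's action (deny if none)."""
    for allow, terms in rules:
        if all(acl_matches(n, acls, port, guess) != neg for neg, n in terms):
            return allow
    return (not rules[-1][0]) if rules else False


def connect_unsafe_ports(text, probe_ports=(25, 80, 3128, 8080)):
    """Probe ports outside SSL_ports for which SOME assignment of the
    undecidable ACLs (client address, domain, ...) yields 'allow'."""
    acls, rules = parse_config(text)
    ssl_ports = acls.get("SSL_ports", ("port", set()))[1]
    unknown = sorted({n for _, terms in rules for _, n in terms
                      if n in acls and acls[n][0] not in ("port", "method")})
    if len(unknown) > 12:
        raise ValueError("too many undecidable acls for brute-force search")
    flagged = []
    for port in probe_ports:
        if port in ssl_ports:
            continue
        for bits in itertools.product((False, True), repeat=len(unknown)):
            if decide(rules, acls, port, dict(zip(unknown, bits))):
                flagged.append(port)
                break
    return flagged


def lint(text):
    """Warning lines in the shape proposed in the thread."""
    return [f"WARNING: Your http_access rules allow CONNECT to unsafe port {p}"
            for p in connect_unsafe_ports(text)]


# Constructed sample configs (not from any real host).  OPEN_CONF moves
# "allow localnet" above the port checks, a common ordering mistake.
SAFE_CONF = """\
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535
acl CONNECT method CONNECT
acl localnet src 10.0.0.0/8
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
"""
OPEN_CONF = SAFE_CONF.replace(
    "http_access deny !Safe_ports\nhttp_access deny CONNECT !SSL_ports\n"
    "http_access allow localnet\n",
    "http_access allow localnet\nhttp_access deny !Safe_ports\n"
    "http_access deny CONNECT !SSL_ports\n")

if __name__ == "__main__":
    print(lint(SAFE_CONF))
    print("\n".join(lint(OPEN_CONF)))
```

The brute force over unknown ACLs is what keeps the checker honest: it never claims a port is reachable for a specific client, only that the rule order leaves a path to "allow" for some client, which is exactly the ordering mistake the warning is meant to catch. A real implementation inside Squid would have the parsed ACL tree available and would not need to re-parse squid.conf.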