On 04/14/2017 06:22 AM, Amos Jeffries wrote: > To override the propsed default you *add* ports to the Safe_ports and > CONNECT_ports (ala SSL_Ports) lines to make them no longer be denied. > acl Safe_ports port 0-65535 > acl SSL_Ports port 0-65535 Thank you for sharing this important detail! I like this clever design and agree that this approach allows admins to overwrite the proposed default behavior/functionality. This approach carries the following overwriting price: * For every access, Squid will pointlessly evaluate the following: http_access deny !all_ports http_access deny CONNECT !all_ports Is this an acceptable price to pay? (The evaluation is pointless because the rules never match (because all_ports always matches). In this context, the admin wants the rules to never match, so that she can insert her own rules overwriting the default. So the functionality is correct, but the default rules cannot be removed and are evaluated.) We could add a rule optimizer that will detect and remove some never-matching rules, including the above ones. If the overwriting price is too high, adding such an optimizer may become a precondition. The optimizing logic is straightforward, but things like deny_info will complicate implementation. All other alternatives proposed so far do not have this performance penalty. > I've have two goals here: > > 1) reduce peoples ability to shoot themselves in the foot. > 2) further reduce the things people are required to manually configure All three proposed options satisfy #1. All three proposed options satisfy #2 if "manual configuration" is defined as editing squid.conf.default. The lint option does not satisfy #2 if "manual configuration" is defined as editing squid.conf.empty. How should we define "manual configuration" in this context so that we can compare options using a common set of criteria? > I expect [squid.conf.default to look like this]: > http_access allow localhost manager > http_access deny manager > > # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS > > http_access allow localnet > http_access allow localhost > http_access deny all I think the proposal would be a lot more attractive if it results in elimination of all of the http_access rules from squid.conf.default. As it currently stands, the changes imply many headaches, but still do not solve the "reasonable default access restrictions" problem. In other words, we are already paying a lot but still gaining little. What if we raise the bar and declare reaching the "reasonable default access restrictions" as the goal? Can we solve that problem instead, with comparable headache severity of the original proposal? For example, Squid could automatically add something like the following: # always added at the top of user-configured http_access rules http_access deny usuallyDenied http_access allow manager # always added at the bottom of user-configured http_access rules http_access allow usuallyAllowed http_access deny all And remove all of the http_access rules from squid.conf.default. The admin will be able to adjust usuallyDenied, usuallyAllowed, and manager any-of ACLs to effectively disable them (just like in your proposal). And we can add an optimizer to remove effectively disabled ACLs. > the proposed rename of SSL_ports to CONNECT_ports Let's discuss the exact ACL names later (when/if there is a principle agreement to implement the proposed changes). For now, I will only note that we should not use ACL names that might clash with those used by existing configurations (for hopefully obvious reasons). Thank you, Alex. _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
