On 11/06/19 11:36 pm, Никита Серёгин wrote:
> Hi All,
>
> If there is an empty acl in squid.conf, squid gives us a warning message during restart/reconfigure.
>
> We wonder if these warnings are just notifications for the administrator, or whether there are some real technical risks.
>
> Like here for example: https://bugs.launchpad.net/ubuntu/+source/squid-deb-proxy/+bug/1659567
> Amos Jeffries wrote: "The check is a generic validity check used for all ACLs. Whether it is 'harmless' depends on future events at the time of checking. So just silencing or ignoring would leave a lot of nasty misconfigurations quietly accepted"
>
> Could these "nasty misconfigurations" be made only by the administrator, or is it about possible wrong behaviour of squid?
>

The Ubuntu bug report you referenced is a good example why. The file which is initially empty is explicitly being added to by non-admin entities, who then have an automated action to trigger reconfigure of the running proxy.

The risk there is that those entities do not necessarily know what valid ACL data is, nor are they in a position to fix the resulting DoS if they get it wrong and make Squid exit on the reconfigure. That breaking reconfigure may be a long time after the config change was made.

> Are there any strong technical reasons to avoid using empty ACLs in a production environment?
>

The main reason is the risk of DoS-ing the proxy and everyone using it for an indeterminate amount of time, until the admin can be summoned and track down why the proxy is not running.

Another reason is that every transaction handled by Squid has to spend CPU cycles setting up access checklists, fetching the data to be tested, then calling the processing code - even if the ACL is empty and thus immediately returns its DUNNO result.

Which brings us to DUNNO being the third match state. So things like:

  acl foo src "/some/empty.file"
  http_access allow foo
  http_access allow !foo

... result in the surprise *access denied*.

> And are there any news about an explicit flag to indicate whether an ACL is allowed to be empty or not?
>

Nobody has submitted anything towards one.

As you noted at the start it is a *warning* message. Squid should continue to run "fine". Provided your definition of "fine" accounts for the above technical issues and odd behaviour.

Cheers,
Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
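As an added illustration (not Squid's own code, and not posted in the thread), the Python below models the three-state ACL matching Amos describes and doubles as a preflight check that lists file-backed ACLs which are empty. The semantics it assumes are exactly the ones stated in the reply: an ACL whose value list is empty returns DUNNO, a negated DUNNO is still DUNNO, so an http_access line carrying such an ACL never matches, and when no http_access line matches the decision is the opposite of the last line's action (the documented squid.conf fallback). Only the `src` ACL type is implemented; the three-line config from the thread and the ACL file are constructed in a temporary directory, and the helper names (`parse_config`, `evaluate`, `demo`) are this example's own.

```python
"""Model of the three-state ACL matching described in the thread.

Added example, not Squid's own code. Assumed semantics (taken from the
thread plus the documented http_access fallback rule):
  * an ACL whose value list is empty returns DUNNO, not a mismatch;
  * negating (!) a DUNNO result is still DUNNO;
  * an http_access line matches only if every ACL term on it matches;
  * if no http_access line matches, the decision is the opposite of the
    action on the last line.
Only the "src" ACL type is modelled.
"""
import ipaddress
import os
import re
import tempfile

MATCH, MISMATCH, DUNNO = "match", "mismatch", "dunno"

ACL_RE = re.compile(r'^acl\s+(\S+)\s+(\S+)\s+(.+)$')
ACCESS_RE = re.compile(r'^http_access\s+(allow|deny)\s+(.+)$')


def read_values(arg):
    """ACL arguments: inline tokens, or a quoted "/path" read one value per line."""
    arg = arg.strip()
    if len(arg) >= 2 and arg[0] == '"' and arg[-1] == '"':
        with open(arg[1:-1]) as fh:
            lines = (ln.split("#", 1)[0].strip() for ln in fh)
            return [ln for ln in lines if ln]
    return arg.split()


def parse_config(text):
    """Return ({name: {"type", "values"}}, [(action, [terms])], [empty ACL names])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = ACL_RE.match(line)
        if m:
            name, kind, arg = m.groups()
            acl = acls.setdefault(name, {"type": kind, "values": []})
            acl["values"].extend(read_values(arg))
            continue
        m = ACCESS_RE.match(line)
        if m:
            rules.append((m.group(1), m.group(2).split()))
    # The preflight result: ACLs that would be DUNNO for every request.
    empty = sorted(n for n, a in acls.items() if not a["values"])
    return acls, rules, empty


def acl_match(acl, client_ip):
    """Three-state match of a src ACL against a client address."""
    if not acl["values"]:
        return DUNNO  # nothing to test against: the state the thread warns about
    if acl["type"] != "src":
        raise NotImplementedError("only src ACLs are modelled: %s" % acl["type"])
    ip = ipaddress.ip_address(client_ip)
    for value in acl["values"]:
        if ip in ipaddress.ip_network(value, strict=False):
            return MATCH
    return MISMATCH


def evaluate(acls, rules, client_ip):
    """Return (decision, index of the deciding line or None for the fallback)."""
    for idx, (action, terms) in enumerate(rules):
        line_state = MATCH
        for term in terms:
            state = acl_match(acls[term.lstrip("!")], client_ip)
            if state == DUNNO:
                line_state = DUNNO  # '!' cannot turn DUNNO into a match
                break
            if term.startswith("!"):
                state = MISMATCH if state == MATCH else MATCH
            if state == MISMATCH:
                line_state = MISMATCH
                break
        if line_state == MATCH:
            return action, idx
    # No line matched: the default is the opposite of the last line's action.
    last_action = rules[-1][0]
    return ("deny" if last_action == "allow" else "allow"), None


def demo(acl_file_text, client_ip="10.0.0.5"):
    """Build the thread's three-line config around a constructed ACL file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "foo.txt")
        with open(path, "w") as fh:
            fh.write(acl_file_text)
        conf = f'acl foo src "{path}"\nhttp_access allow foo\nhttp_access allow !foo\n'
        acls, rules, empty = parse_config(conf)
        decision, line = evaluate(acls, rules, client_ip)
        return decision, line, empty


if __name__ == "__main__":
    print("empty file     :", demo(""))                  # the surprise deny
    print("10.0.0.0/8     :", demo("10.0.0.0/8\n"))      # allowed by line 0
    print("192.168.0.0/16 :", demo("192.168.0.0/16\n"))  # allowed by line 1 via !foo
```

The `empty` list returned by `parse_config` is the check worth wiring into whatever hook triggers the reconfigure in the Ubuntu scenario: refuse to reload while any file-backed ACL is empty. Because Squid only warns about the condition, the exit status of a config parse alone will not stop an automated reconfigure from landing the proxy in the DUNNO-everywhere state shown in the first case.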