On 15/04/2017 3:22 a.m., Matus UHLAR - fantomas wrote:
> On 13.04.17 06:16, Amos Jeffries wrote:
>> What are people's opinions about making the following items built-in
>> defaults?
>>
>> acl Safe_ports port 21 80 443
>> acl CONNECT_ports port 443
>> acl CONNECT method CONNECT
>
> shouldn't that be
On 04/14/2017 06:22 AM, Amos Jeffries wrote:
> To override the proposed default you *add* ports to the Safe_ports and
> CONNECT_ports (ala SSL_Ports) lines to make them no longer be denied.
> acl Safe_ports port 0-65535
> acl SSL_Ports port 0-65535
Thank you for sharing this important detail! I
On 13.04.17 06:16, Amos Jeffries wrote:
What are people's opinions about making the following items built-in
defaults?
acl Safe_ports port 21 80 443
acl CONNECT_ports port 443
acl CONNECT method CONNECT
shouldn't that be more like the following?
acl Safe_ports port 80
acl CONNECT_ports port 21 443
On 04/14/2017 04:19 AM, joseph wrote:
> System administrator should have possibility to override ANY default.
I do not know why you are saying the above. AFAIK, everybody is in
agreement that admins should be able to overwrite any defaults, at least
at the level of the configured Squid functional
On 14/04/2017 4:52 a.m., Alex Rousskov wrote:
> On 04/13/2017 10:39 AM, Alex Rousskov wrote:
>
>> The "many folks misconfigure access rules" problem may not have a
>> good solution (under Squid control); we should be careful not to make
>> things worse while not solving the unsolvable problem.
>
Alex Rousskov wrote
> On 04/13/2017 10:39 AM, Alex Rousskov wrote:
>
>> The "many folks misconfigure access rules" problem may not have a
>> good solution (under Squid control); we should be careful not to make
>> things worse while not solving the unsolvable problem.
>
>
> Here is an alternativ
On 04/13/2017 10:39 AM, Alex Rousskov wrote:
> The "many folks misconfigure access rules" problem may not have a
> good solution (under Squid control); we should be careful not to make
> things worse while not solving the unsolvable problem.
Here is an alternative idea: Instead of adding default
When I implemented the major changes to squid.conf in 3.1/3.2 there
were a lot of installations placing custom config rules above the lines
I describe now as "default security checks". The !Safe_ports and
!SSL_ports deny lines.
At the time I also believed reverse-proxy config had to go above that