13.04.2017 21:14, Dan Purgert пишет: > Quoting Alex Rousskov <rouss...@measurement-factory.com>: > >> On 04/12/2017 12:16 PM, Amos Jeffries wrote: >> >>> Changes to http_access defaults >> >> Clearly stating what you are trying to accomplish with these changes may >> help others evaluate your proposal. Your initial email focuses on _how_ >> you are going to accomplish some implied/vague goal. What is the goal >> here? >> >> >>> I have become convinced that Squid always checks those >>> security rules, then do the custom access rules. All other orderings >>> seem to have turned out to be problematic and security-buggy in some >>> edge cases or another. >> >> s/Squid always checks/Squid should always check/ >> >> >>> What are peoples opinions about making the following items built-in >>> defaults? >>> >>> acl Safe_ports port 21 80 443 >>> acl CONNECT_ports port 443 >>> acl CONNECT method CONNECT >>> >>> http_acces deny !Safe_ports >>> http_access deny CONNECT !CONNECT_ports >> >>> The above change will have some effect on installations that try to use >>> an empty squid.conf. >> >> And on many other existing installations, of course, especially on those >> with complex access rules which are usually the most difficult to >> modify/adjust. In other words, this is a pretty serious change. >> >> > > How would a "built-in default" alter an existing setup? I mean, in > every other instance that I can think of, if the config file includes > the directive, the config file's version overrides the default ... This is normal behaviour. System administrator should have possibility to override ANY default. > > > > _______________________________________________ > squid-users mailing list > squid-users@lists.squid-cache.org > http://lists.squid-cache.org/listinfo/squid-users
-- Bugs to the Future
0x613DEC46.asc
Description: application/pgp-keys
signature.asc
Description: OpenPGP digital signature
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
