On Mon, 26 Jan 2004, Andres Kroonmaa wrote:

> > Henrik Nordstrom <[EMAIL PROTECTED]> writes:
> >
> > > This question got me thinking, and maybe we should restrict Squid to plain
> > > refuse to start if access rules say "http_access allow all".
> >
> > Wouldn't this kick in in accelerator configs?

If you are using Squid-2.5 in accel-only mode with both httpd_accel_uses_host_header and httpd_accel_with_proxy off then yes, this kicks in when it should not, but can easily be extended to know about this specific case.

If you are using Squid-2.5 with any of the above two directives on then you need access controls or you will have an open proxy, which I suspect many do not know or fully understand.

The Squid-3 case is a little more complex to define. There are a few types of accel mode setups where access controls are not strictly needed in Squid-3, but there are also many subtle changes in configuration which cause access controls to be needed.

In all three accelerator cases I strongly advise to have access controls set up limiting what may be reached via the accelerator. If you have, then the patch will most likely not trigger as it only triggers if you are using an "allow all" type access rule, not if you are using "allow these_destinations" or "allow these_clients".

But the patch is overly simplistic and will give false indications of open proxy configuration in case of "deny what is not allowed, allow the rest" type of configurations. It should be seen mainly as an idea and not a verified patch. If added there should at a minimum be a new configuration directive where the test can be disabled. There are also very many cases of open proxy setups the patch will not trigger upon.

The idea of this test is mainly to make administrators aware that having an open proxy is not good if they attempt to set up one without knowing why it is not good, and also to trap stupid mistakes leading to open proxy type configurations.

The idea is not to second-guess the administrator. If he really wants I agree he should be allowed to do whatever he pleases, but I think it is ok if he may need to put in a little more effort to make configurations which seem obviously incorrect, insecure or plain bad.

Regards
Henrik
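The check discussed in this message, sketched as an added example (it is not the patch referred to above and not Squid code): a squid.conf audit for the Squid-2.5 case that flags "http_access allow all" type rules, separates the "deny what is not allowed, allow the rest" layout, and exempts accel-only mode. Treating `httpd_accel_host` as the marker of accelerator mode, the verdict strings and the sample configs are assumptions of the example.

```python
# Constructed sample configurations (not taken from the original message).
OPEN = """\
acl all src 0.0.0.0/0.0.0.0
http_access allow all
"""
DENY_FIRST = """\
acl all src 0.0.0.0/0.0.0.0
acl our_sites dstdomain .example.com
http_access deny !our_sites
http_access allow all
"""
ACCEL_ONLY = """\
httpd_accel_host 192.0.2.10
httpd_accel_with_proxy off
acl all src 0.0.0.0/0.0.0.0
http_access allow all
"""

MATCH_ALL_SRC = {"0.0.0.0/0.0.0.0", "0.0.0.0/0", "0/0"}

def check_allow_all(conf):
    """Return (line_no, verdict) for every http_access rule that allows everyone."""
    wide, opts, rules = set(), {}, []
    for no, raw in enumerate(conf.splitlines(), 1):
        w = raw.split("#", 1)[0].split()          # drop comments, tokenize
        if not w:
            continue
        if w[0] == "acl" and len(w) >= 4:
            # Values of one ACL are OR-ed, so a single match-all value is enough.
            if w[2] == "src" and any(v in MATCH_ALL_SRC for v in w[3:]):
                wide.add(w[1])
        elif w[0] == "http_access" and len(w) >= 3:
            rules.append((no, w[1], w[2:]))
        elif len(w) >= 2:
            opts[w[0]] = w[1]
    # Assumption: accel-only means httpd_accel_host is set and both directives are off.
    accel_only = ("httpd_accel_host" in opts
                  and opts.get("httpd_accel_with_proxy", "off") != "on"
                  and opts.get("httpd_accel_uses_host_header", "off") != "on")
    findings, seen_deny = [], False
    for no, action, acls in rules:                # rules are evaluated in file order
        if action == "deny":
            seen_deny = True
        elif action == "allow" and all(a in wide for a in acls):
            verdict = ("exempt: accel-only" if accel_only else
                       "review: allow-all after deny rules" if seen_deny else
                       "open proxy")
            findings.append((no, verdict))
    return findings
```

Like the idea in the message, this only catches the literal "allow all" shape; a narrow-looking ACL that still admits arbitrary clients and destinations passes unnoticed.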
