Making the access unrestricted should be easy with the following lines: === modified file 'squid-deb-proxy.conf' --- squid-deb-proxy.conf 2012-04-02 20:01:03 +0000 +++ squid-deb-proxy.conf 2012-04-02 20:23:31 +0000 @@ -79,7 +79,7 @@ # allow access only to official ubuntu mirrors # uncomment the third and fouth line to permit any unlisted domain http_access deny !to_ubuntu_mirrors -#http_access allow !to_ubuntu_mirrors +http_access allow !to_ubuntu_mirrors # don't cache domains not listed in the mirrors file # uncomment the third and fourth line to cache any unlisted domains
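Review bot: the unchanged context line "http_access deny !to_ubuntu_mirrors" still sits directly above the newly enabled "http_access allow !to_ubuntu_mirrors". Squid applies the first http_access rule that matches, so requests to unlisted domains will still be denied and the allow line never takes effect. The deny line needs to be commented out or removed in the same hunk. The comment above it ("allow access only to official ubuntu mirrors") should also be updated, since it would no longer describe the shipped default.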
from irc:

<mvo> jcastro: so the only reason unrestricted access is not enabled by default currently is to allow this to be dropped into an already restricted network without opening up generic http access via this squid-deb-proxy, I guess it could be argued that this is something that an admin should restrict himself/herself and that convenience is better. or we add another debconf question, but that is not very discoverable either :/
<jcastro> I think not having an unrestricted proxy is reasonable; ideally the proxy saying "fine, go download from this random repository, I will neither help you nor hinder you" sounds like a good middle ground to me
<rbasak> jcastro: the security issue isn't whether it caches your deb or not (pretty minor, just a DoS of the cache), but whether you can get the deb or not (pretty major - could subvert an existing security policy controlling general access). I favour a debconf option.
<mvo> jcastro: right, my thinking (but bear in mind that I'm not a sysadmin :) was that the proxy host has usually different network restrictions than the regular clients, so opening up the proxy sounds potentially dangerous to me
<jcastro> mvo: we should just ask elmo what to do. :) Or perhaps grab a -security guy at UDS or something, whatever works for me.
<mvo> jcastro: yeah, someone more experienced than me on this and I will happily implement whatever they suggest, for now I'm totally fine with a debconf prompt jcastro: note that I want this to be as simple as possible really

https://bugs.launchpad.net/bugs/952364

Title: Default to not caching a deb instead of 403'ing.
