Feature #4461

Squid options too late in squid.conf

Added by Volker Kuhlmann over 5 years ago. Updated over 3 years ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:


The UI on Services->Proxy server->ACL has a good list list of ACL types to add.
Unfortunately most of these are not going to do anything because the UI inserts them at the end of squid.conf, by which all the previsouly defined http_access directives have already been evaluated.

Likewise, Services->Proxy server->Common allows to enter custom ACLs, which are also inserted at the end of squid.conf where they are most likely not going to be effective.

There is no way to insert directives in squid.conf before

http_access deny !safeports
http_access deny CONNECT !sslports

to influence those two.

I would like to allow some specific exceptions to destination domain and destination port (e.g. plesk control panels) but don't like to allow extra ports for all destinations.

Tested squid3-dev 3.3.10 pkg 2.2.8 on 2.1.5.
Not sure whether this is a bug or feature request.


#1 Updated by Chris Buechler over 5 years ago

  • Target version deleted (2.2.1)
  • Affected Version deleted (2.1.5)

#2 Updated by Kill Bill over 3 years ago

I have hard time understanding what kind of exceptions is being requested here or what's being used by the OP that's too late for the purpose. Best to move this to forums.

#3 Updated by Jim Pingle over 3 years ago

  • Status changed from New to Feedback

#4 Updated by Volker Kuhlmann over 3 years ago

Services like plesk control panels do not run on a standard SSL port like 443. Rather than opening several other ports for SSL use (what's the point of a "http_access deny CONNECT !sslports" statement then?) I want to open those ports (often 8443) only to the plesk control panel hosts, which are all well known.

I'm not moving anything to forums, and if Kill Bill doesn't understand the problem then IMNSHO (s)he shouldn't be working on security-relevant projects. It was obvious from the description that blanket deny rules can't be overridden by more specific rules because of config file ordering by the pfsense UI.

2 years and nothing happening because devs don't even understand a problem... I'm having a hard time being impressed.

#5 Updated by Kill Bill over 3 years ago

Thanks for "feedback". Pull requests go to, good luck.

#6 Updated by Volker Kuhlmann over 3 years ago

No such luck needed, said deficient software is no longer involved, and no loss for me, no-one would have done anything anyway.

#7 Updated by Jim Pingle over 3 years ago

  • Status changed from Feedback to Rejected

#8 Updated by Volker Kuhlmann over 3 years ago


Also available in: Atom PDF