Squid options too late in squid.conf
The UI on Services->Proxy server->ACL has a good list of ACL types to add.
Unfortunately most of these are not going to do anything because the UI inserts them at the end of squid.conf, by which point all the previously defined http_access directives have already been evaluated.
Likewise, Services->Proxy server->Common allows entering custom ACLs, which are also inserted at the end of squid.conf where they are most likely not going to be effective.
There is no way to insert directives in squid.conf before
http_access deny !safeports
http_access deny CONNECT !sslports
to influence those two.
I would like to allow some specific exceptions to destination domain and destination port (e.g. plesk control panels) but don't like to allow extra ports for all destinations.
Tested squid3-dev 3.3.10 pkg 2.2.8 on 2.1.5.
Not sure whether this is a bug or feature request.
#4 Updated by Volker Kuhlmann over 3 years ago
Services like plesk control panels do not run on a standard SSL port like 443. Rather than opening several other ports for SSL use (what's the point of a "http_access deny CONNECT !sslports" statement then?) I want to open those ports (often 8443) only to the plesk control panel hosts, which are all well known.
I'm not moving anything to forums, and if Kill Bill doesn't understand the problem then IMNSHO (s)he shouldn't be working on security-relevant projects. It was obvious from the description that blanket deny rules can't be overridden by more specific rules because of config file ordering by the pfsense UI.
2 years and nothing happening because devs don't even understand a problem... I'm having a hard time being impressed.
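Added illustration of the ordering problem described in this issue and in comment #4; it is not part of the original report and is not pfSense or Squid code. It models Squid's first-match evaluation of http_access lines (ACLs on one line are ANDed). The port lists, the host names and the ACL names plesk_hosts and plesk_port are constructed assumptions.

```python
# Toy model of http_access evaluation: lines are checked top to bottom and
# the first line whose ACLs all match decides the request.
SAFE_PORTS = {21, 70, 80, 210, 443} | set(range(1025, 65536))  # constructed
SSL_PORTS = {443}                                               # constructed
PLESK_HOSTS = {"panel.example.net"}                             # hypothetical

ACLS = {
    "safeports":   lambda r: r["port"] in SAFE_PORTS,
    "sslports":    lambda r: r["port"] in SSL_PORTS,
    "CONNECT":     lambda r: r["method"] == "CONNECT",
    "plesk_hosts": lambda r: r["host"] in PLESK_HOSTS,   # hypothetical ACL
    "plesk_port":  lambda r: r["port"] == 8443,          # hypothetical ACL
}

def matches(term, req):
    """Evaluate one ACL name, honouring a leading '!' negation."""
    hit = ACLS[term.lstrip("!")](req)
    return not hit if term.startswith("!") else hit

def evaluate(rules, req):
    """Return (action, line) of the first matching rule, or (None, None)."""
    for line in rules:
        _, action, *terms = line.split()
        if all(matches(t, req) for t in terms):
            return action, line
    return None, None

EXCEPTION = "http_access allow CONNECT plesk_hosts plesk_port"
DENY_SAFE = "http_access deny !safeports"
DENY_SSL = "http_access deny CONNECT !sslports"

# Ordering the report describes: the exception lands after both deny lines.
APPENDED = [DENY_SAFE, DENY_SSL, EXCEPTION]
# Ordering the reporter asks for: the exception sits before the CONNECT deny.
EARLY = [DENY_SAFE, EXCEPTION, DENY_SSL]

PLESK_REQ = {"method": "CONNECT", "host": "panel.example.net", "port": 8443}
OTHER_REQ = {"method": "CONNECT", "host": "other.example.org", "port": 8443}

if __name__ == "__main__":
    for name, rules in (("appended", APPENDED), ("early", EARLY)):
        for req in (PLESK_REQ, OTHER_REQ):
            action, line = evaluate(rules, req)
            print(f"{name:9} {req['host']}:{req['port']} -> {action} ({line})")
```

With the exception appended, the CONNECT to port 8443 is denied before the allow line is ever reached; placed earlier, only the listed host gets through and every other destination on 8443 is still denied.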