Project

General

Profile

Actions

Feature #4461

closed

Squid options too late in squid.conf

Added by Volker Kuhlmann over 9 years ago. Updated almost 8 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Category:
Squid
Target version:
-
Start date:
02/22/2015
Due date:
% Done:

0%

Estimated time:
Plus Target Version:

Description

The UI on Services->Proxy server->ACL has a good list list of ACL types to add.
Unfortunately most of these are not going to do anything because the UI inserts them at the end of squid.conf, by which all the previsouly defined http_access directives have already been evaluated.

Likewise, Services->Proxy server->Common allows to enter custom ACLs, which are also inserted at the end of squid.conf where they are most likely not going to be effective.

There is no way to insert directives in squid.conf before

http_access deny !safeports
http_access deny CONNECT !sslports

to influence those two.

I would like to allow some specific exceptions to destination domain and destination port (e.g. plesk control panels) but don't like to allow extra ports for all destinations.

Tested squid3-dev 3.3.10 pkg 2.2.8 on 2.1.5.
Not sure whether this is a bug or feature request.

Actions #1

Updated by Chris Buechler over 9 years ago

  • Target version deleted (2.2.1)
  • Affected Version deleted (2.1.5)
Actions #2

Updated by Kill Bill almost 8 years ago

I have hard time understanding what kind of exceptions is being requested here or what's being used by the OP that's too late for the purpose. Best to move this to forums.

Actions #3

Updated by Jim Pingle almost 8 years ago

  • Status changed from New to Feedback
Actions #4

Updated by Volker Kuhlmann almost 8 years ago

Services like plesk control panels do not run on a standard SSL port like 443. Rather than opening several other ports for SSL use (what's the point of a "http_access deny CONNECT !sslports" statement then?) I want to open those ports (often 8443) only to the plesk control panel hosts, which are all well known.

I'm not moving anything to forums, and if Kill Bill doesn't understand the problem then IMNSHO (s)he shouldn't be working on security-relevant projects. It was obvious from the description that blanket deny rules can't be overridden by more specific rules because of config file ordering by the pfsense UI.

2 years and nothing happening because devs don't even understand a problem... I'm having a hard time being impressed.

Actions #5

Updated by Kill Bill almost 8 years ago

Thanks for "feedback". Pull requests go to https://github.com/pfsense/FreeBSD-ports/, good luck.

Actions #6

Updated by Volker Kuhlmann almost 8 years ago

No such luck needed, said deficient software is no longer involved, and no loss for me, no-one would have done anything anyway.

Actions #7

Updated by Jim Pingle almost 8 years ago

  • Status changed from Feedback to Rejected
Actions #8

Updated by Volker Kuhlmann almost 8 years ago

See...

Actions

Also available in: Atom PDF