Feature #4461
closed
Squid options too late in squid.conf
Added by Volker Kuhlmann almost 10 years ago.
Updated almost 8 years ago.
Description
The UI on Services->Proxy server->ACL has a good list list of ACL types to add.
Unfortunately most of these are not going to do anything because the UI inserts them at the end of squid.conf, by which all the previsouly defined http_access directives have already been evaluated.
Likewise, Services->Proxy server->Common allows to enter custom ACLs, which are also inserted at the end of squid.conf where they are most likely not going to be effective.
There is no way to insert directives in squid.conf before
http_access deny !safeports
http_access deny CONNECT !sslports
to influence those two.
I would like to allow some specific exceptions to destination domain and destination port (e.g. plesk control panels) but don't like to allow extra ports for all destinations.
Tested squid3-dev 3.3.10 pkg 2.2.8 on 2.1.5.
Not sure whether this is a bug or feature request.
- Target version deleted (
2.2.1)
- Affected Version deleted (
2.1.5)
I have hard time understanding what kind of exceptions is being requested here or what's being used by the OP that's too late for the purpose. Best to move this to forums.
- Status changed from New to Feedback
Services like plesk control panels do not run on a standard SSL port like 443. Rather than opening several other ports for SSL use (what's the point of a "http_access deny CONNECT !sslports" statement then?) I want to open those ports (often 8443) only to the plesk control panel hosts, which are all well known.
I'm not moving anything to forums, and if Kill Bill doesn't understand the problem then IMNSHO (s)he shouldn't be working on security-relevant projects. It was obvious from the description that blanket deny rules can't be overridden by more specific rules because of config file ordering by the pfsense UI.
2 years and nothing happening because devs don't even understand a problem... I'm having a hard time being impressed.
No such luck needed, said deficient software is no longer involved, and no loss for me, no-one would have done anything anyway.
- Status changed from Feedback to Rejected
Also available in: Atom
PDF