Proposals: default access deny, test acl lists, man page

From: Oskar Pearson <oskar@dont-contact.us>
Date: Tue, 27 Oct 1998 07:06:40 +0200

Hi Guys

I don't know if you remember my last mail: I went through and listed
a whole lot of things that could probably do with changing in Squid.

Well, here is the second installment. It's much shorter than the last
one.

Last time I hinted that I was working on a project that involved going
through Squid from basics again (but didn't involve fixing any of the rough
edges). Well: I am writing a book on Squid for O'Reilly.

--------------------------------------------
Issue:
Squid config file allows random access to cache with the default config
file

Rationale for change:
Many system admins out there have been through the 'change from random
relay mode of sendmail' to 'having a list of domains/IPs' that are allowed
access.

Back in the early days of Sendmail, nobody thought of allowing random
access to everyone as a problem. Eventually (say "hellooo, spam") people
realised that it was a problem. By this time, however, there was a huge
installed base of sendmail machines, and changing sendmail's default config
to include access control has involved huge amounts of work for people who
simply wish to upgrade sendmail.

Proposal:
I suggest that we change the Squid config file to deny access by default.
This should happen at the next major version release (2.2?)

--------------------------------------------
Issue:

Allow test acl operators

Rationale for change:
My access control lists are very complex. Occasionally, I wish to move a
whole bunch of people to a new class (one that I have just created, for
example).

Whenever I do so, I find someone that has misconfigured their cache, or
some user on a subnet has their browser pointed at our cache (or some
other such thing).

Proposal:
It would be really nice to be able to say something like

acl_test <logfilename> myacl src 10.0.0.0/255.255.255.0

and then:

http_access deny acl_test

I could run things like this for a week. At the end of the week I
could simply 'cat logfilename | sort | uniq -c | sort -n' and see
who the rule would have broken.

--------------------------------------------
Issue:
Squid has no man page

Rationale for change:
Just a good idea, I suppose. Someone was complaining about it to me the
other day.

Proposal:
I write one. I am using troff for the book, so a man page should be
no problem. I'll write one sometime in the next couple of weeks.

If you want something included in it, please give me a shout.

I guess it will cover:

location of config files (will have to be read from the prefix)
Running squid for the first time
command line options
hmmm - possibles (or should we leave this to the Users Guide and FAQ?):
        Intro to access control
        Intro to hierarchies

Oskar

---
"Haven't slept at all. I don't see why people insist on sleeping. You feel
so much better if you don't. And how can anyone want to lose a minute -
a single minute of being alive?"				-- Think Twice
Received on Tue Jul 29 2003 - 13:15:54 MDT
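The two proposals above (deny-by-default in squid.conf, and an acl_test rule that only records who a planned rule would have affected) can be tried out offline against a log before touching a live cache. The following is an added example, not code from Oskar's mail or from Squid itself: a small, hypothetical evaluator that applies an ordered http_access list to the client addresses in access.log lines. The rule format, the "test" action, the ACL names (localnet, myacl) and the sample log lines are all constructed for the example; only the first-match semantics and the "no match means the opposite of the last rule" default follow Squid's documented behaviour.

```python
"""Dry-run Squid-style http_access rules against access-log lines.

Added example, not code from the original mail or from Squid. It models the
open "allow all" default, a default-deny policy, and a hypothetical 'test'
action that only records matches, which is what the proposed acl_test
directive would log to a file.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed sample lines in Squid's native access.log layout
# (timestamp elapsed client code/status bytes method URL ...); not real traffic.
SAMPLE_LOG = """\
909472000.123   452 10.0.0.15 TCP_MISS/200 2345 GET http://www.example.com/ - DIRECT/www.example.com text/html
909472001.456   120 10.0.0.200 TCP_HIT/200 1024 GET http://www.example.com/a.gif - NONE/- image/gif
909472002.789   300 10.0.1.7 TCP_MISS/200 5000 GET http://www.example.org/ - DIRECT/www.example.org text/html
909472003.000    80 192.168.5.9 TCP_MISS/200 900 GET http://www.example.net/ - DIRECT/www.example.net text/html
909472004.000    95 10.0.0.15 TCP_MISS/200 700 GET http://www.example.com/b - DIRECT/www.example.com text/html
909472005.000    95 172.16.0.1 TCP_MISS/200 700 GET http://www.example.com/c - DIRECT/www.example.com text/html
"""


def parse_clients(log_text):
    """Yield the client address (third field) of every non-empty log line."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            yield ipaddress.ip_address(fields[2])


class SrcAcl:
    """A src ACL: 'acl name src net/mask ...', masks in CIDR or dotted form."""

    def __init__(self, name, *networks):
        self.name = name
        self.networks = [ipaddress.ip_network(n, strict=False) for n in networks]

    def matches(self, addr):
        return any(addr in net for net in self.networks)


def evaluate(rules, acls, addr, test_hits):
    """Apply ordered (action, acl_name) rules to one client, first match wins.

    'test' is the hypothetical action from the mail: a match is counted in
    test_hits but never decides access. When no allow/deny rule matches, the
    result is the opposite of the last allow/deny rule, as in Squid.
    """
    if not rules:
        raise ValueError("no http_access rules configured")
    last = None
    for action, acl_name in rules:
        matched = acls[acl_name].matches(addr)
        if action == "test":
            if matched:
                test_hits[acl_name][str(addr)] += 1
            continue
        last = action
        if matched:
            return action
    return "deny" if last == "allow" else "allow"


def dry_run(rules, acls, log_text):
    """Return ({'allow': {client: n}, 'deny': {client: n}}, {acl: {client: n}})."""
    decisions = {"allow": Counter(), "deny": Counter()}
    test_hits = defaultdict(Counter)
    for addr in parse_clients(log_text):
        decisions[evaluate(rules, acls, addr, test_hits)][str(addr)] += 1
    return ({k: dict(v) for k, v in decisions.items()},
            {k: dict(v) for k, v in test_hits.items()})


def report(test_hits):
    """Same view as 'sort | uniq -c | sort -n' on the would-be log: (count, client)."""
    return {name: sorted((n, a) for a, n in hits.items())
            for name, hits in test_hits.items()}


# Hypothetical ACL set for the example. "all" matches every IPv4 client.
ACLS = {
    "all": SrcAcl("all", "0.0.0.0/0"),
    "localnet": SrcAcl("localnet", "10.0.0.0/8", "192.168.0.0/16"),
    "myacl": SrcAcl("myacl", "10.0.0.0/255.255.255.0"),
}
OPEN_RULES = [("allow", "all")]                                 # the open default
DEFAULT_DENY_RULES = [("allow", "localnet"), ("deny", "all")]   # proposed default
TEST_RULES = [("test", "myacl"), ("allow", "localnet"), ("deny", "all")]

if __name__ == "__main__":
    for label, rules in (("open", OPEN_RULES), ("default-deny", DEFAULT_DENY_RULES),
                         ("test", TEST_RULES)):
        decisions, hits = dry_run(rules, ACLS, SAMPLE_LOG)
        print(label, "denied:", decisions["deny"], "would-be hits:", report(hits))
```

Run as a script it prints, for each rule set, which clients would have been denied and which the test rule would have logged; the test rule sits first in the list because the point of the dry run is to see every client the planned deny would touch, before any allow rule short-circuits evaluation.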

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:11:57 MST