implicit http_access rules may have unintended consequences
#17
Comments
sethlyons
added a commit
to jewjitsu/puppet-squid3
that referenced
this issue
Jun 17, 2016
…, it should be added manually. closes thias#17'
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
https://github.com/thias/puppet-squid3/blob/master/templates/squid.conf.short.erb#L41-43
I've implemented Squid as a whitelist HTTP proxy for a secure network segment. the config looks like the following:
http_access allow localnetwill allow all requests from my "secure intranet segment". if I add an additionalhttp_access deny allto "user-defined http_accesses", then the behavior is consistent with my goals/expectations but results in duplicatehttp_access deny allrules.a potential fix would be to have these rules as default values on a parameter or to not include any defaults and document that adding
http_access deny allis probably a very good idea. the module seems to assume you know how to read/write squid.conf, I don't think it's unfair to tell users they need to explicitly manage all the rules.The text was updated successfully, but these errors were encountered: