-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Robert Collins wrote:
>>> P.S. So every time that I set up squid on my machine to test something, >>> it always denies access to me out of the box. I finally figured out >>> it's because you don't allow localhost connections by default. Should >>> you be adding a line like >>> >>> acl localnet src localhost >>> >>> to squid.conf? Is there a reason why you're allowing 10.0.0.1, etc. to >>> connect, but not localhost? > > I'd be open to us changing this. It is a [small] risk for a bastion host > to allow connections from itself because a different account being > compromised then allows access via the proxy. I have no evidence to make > an assertion about the frequency of deployments on a bastion host vs > behind one, and so the only argument I have for preserving it is 'secure > as possible by default', which while a good argument isn't the end of > the discussion. Your argument is subject to reductio ad absurdam: if you want "secure as possible by default", then the default config shold not allow proxied access from *any host at all*. Any host other than localhost should be *less* trusted than localhost. I would argue that enabling only localhost for the default "forward proxy" configuration is a sane default: people configuring things like bastions ought not to expect to use out-of-the box configs without review / tweakage, while people using Squid as a personal cache ought not to have to do such tweaks. Tres. - -- =================================================================== Tres Seaver +1 540-429-0999 [email protected] Palladion Software "Excellence by Design" http://palladion.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFKVARQ+gerLs4ltQ4RAhlJAKDWsjrr/7IT45r4IPXsXt5Xyfa0zwCffrfr hLbI2vMOIWeHA09Mf+Kdg2k= =bVwt -----END PGP SIGNATURE-----
