Hi again.
Thank you for the answer.
So, as i understood, the empty acl files isn't the best option.
And may i include config files, which sometimes can become empty?
For example:
I put into /etc/squid/squid.conf next string:
include /etc/squid/certificates.conf
And in the /etc/squid/certificates.conf i put:
acl TRUSTED_FINGERPRINTS server_cert_fingerprint
7A:29:27:9A:DF:C4:4E:18:4D:94:E1:BB:2A:D9:09:3A:70:B1:AB:16
acl TRUSTED_FINGERPRINTS server_cert_fingerprint
70:B1:AB:16:7A:29:27:9A:DF:C4:4E:18:4D:94:E1:BB:2A:D9:09:3A
sslproxy_cert_sign signTrusted TRUSTED_FINGERPRINTS
Will it be OK, if i will just clear the /etc/squid/certificates.conf file in
case if i don't have any fingerprints to put in, and keep the include
/etc/squid/certificates.conf directive in squid.conf untouched? So in fact it
will include the empty file.
Are there any technical risks?
12.06.2019, 08:58, "Amos Jeffries" <squ...@treenet.co.nz>:
> On 11/06/19 11:36 pm, Никита Серёгин wrote:
>> Hi All,
>>
>> If there is an empty acl in squid.conf, squid gives us warning message
>> during restart/reconfigure.
>>
>> We wonder if these warnings are just notifications for administrator, or
>> there are some really technical risks.
>>
>> Like here for example:
>> https://bugs.launchpad.net/ubuntu/+source/squid-deb-proxy/+bug/1659567
>> Amos Jeffries wrote: "The check is a generic validity check used for all
>> ACLs. Whether it is 'harmless' depends on future events at the time of
>> checking. So just silencing or ignoring would leave a lot of nasty
>> misconfigurations quietly accepted"
>>
>> Could these "nasty misconfigurations" be made only by administrator, or is
>> it about squid possible wrong behavior?
>
> The Ubuntu bug report you referenced is a good example why. The file
> which is initially empty is explicitly being added to by non-admin
> entities. Who then have an automated action to trigger reconfigure of
> the running proxy.
>
> The risk there is that those entities are not necessarily knowing what
> valid ACL data is. Nor in a position to fix the resulting DoS if they
> get it wrong and make Squid exit on the reconfigure.
> That breaking reconfigure may be a long time after the config change
> was made.
>
>> Are there any strong technical reasons to avoid using of empty ACLs in
>> production environment?
>
> The main reason is that risk of DoS-ing the proxy and everyone using it
> for an indeterminate amount of time until the admin can be summoned and
> track down why the proxy is not running.
>
> Another reason is every transaction handled by Squid has to spend CPU
> cycles setting up access checklists, fetching the data to be tested,
> then calling the processing code - even if the ACL is empty and thus
> immediately returns its DUNNO result.
>
> Which brings us to DUNNO being the third match state. So things like:
>
> acl foo src "/some/empty.file"
> http_access allow foo
> http_access allow !foo
>
> ... results in the surprise *access denied*.
>
>> And are there any news about explicit flag to indicate whether an ACL is
>> allowed to be empty or not?
>
> Nobody has submitted anything towards one.
>
> As you noted at the start it is a *warning* message. Squid should
> continue to run "fine". Provided your definition of "fine" accounts for
> the above technical issues and odd behaviour.
>
> Cheers,
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
