]> git.ipfire.org Git - thirdparty/squid.git/blame - src/client_side_request.cc
projects / thirdparty / squid.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
When using OpenSSL, trust intermediate CAs from trusted stores (#383)
[thirdparty/squid.git] / src / client_side_request.cc
CommitLineData
edce4d98 1/*
f6e9a3ee 2 * Copyright (C) 1996-2019 The Squid Software Foundation and contributors
0a9297f6 3 *
bbc27441
AJ		 4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
edce4d98 7 */
8
bbc27441
AJ		 9/* DEBUG: section 85 Client-side Request Routines */
10
69660be0 11/*
12 * General logic of request processing:
26ac0430 13 *
69660be0 14 * We run a series of tests to determine if access will be permitted, and to do
15 * any redirection. Then we call into the result clientStream to retrieve data.
16 * From that point on it's up to reply management.
edce4d98 17 */
18
582c2af2 19#include "squid.h"
c0941a6a
AR		 20#include "acl/FilledChecklist.h"
21#include "acl/Gadgets.h"
65d448bc 22#include "anyp/PortCfg.h"
9e104535 23#include "base/AsyncJobCalls.h"
27bc2077
AJ		 24#include "client_side.h"
25#include "client_side_reply.h"
26#include "client_side_request.h"
602d9612 27#include "ClientRequestContext.h"
582c2af2 28#include "clientStream.h"
5c336a3b 29#include "comm/Connection.h"
ec41b64c 30#include "comm/Write.h"
582c2af2 31#include "err_detail_type.h"
2bd84e5f 32#include "errorpage.h"
c4ad1349 33#include "fd.h"
27bc2077 34#include "fde.h"
31971e6a 35#include "format/Token.h"
d05c079c 36#include "gopher.h"
e166785a 37#include "helper.h"
24438ec5 38#include "helper/Reply.h"
5c0c642e 39#include "http.h"
d3dddfb5 40#include "http/Stream.h"
ce394734 41#include "HttpHdrCc.h"
27bc2077
AJ		 42#include "HttpReply.h"
43#include "HttpRequest.h"
244da4ad 44#include "ip/NfMarkConfig.h"
425de4c8 45#include "ip/QosConfig.h"
602d9612 46#include "ipcache.h"
1c7ae5ff 47#include "log/access_log.h"
27bc2077 48#include "MemObject.h"
8a01b99e 49#include "Parsing.h"
582c2af2 50#include "profiler/Profiler.h"
36c774f7 51#include "proxyp/Header.h"
e166785a 52#include "redirect.h"
bec110e4 53#include "rfc1738.h"
4d5904f7 54#include "SquidConfig.h"
27bc2077 55#include "SquidTime.h"
582c2af2 56#include "Store.h"
28204b3b 57#include "StrList.h"
685c6ff5 58#include "tools.h"
27bc2077 59#include "wordlist.h"
582c2af2
FC		 60#if USE_AUTH
61#include "auth/UserRequest.h"
62#endif
63#if USE_ADAPTATION
64#include "adaptation/AccessCheck.h"
65#include "adaptation/Answer.h"
66#include "adaptation/Iterator.h"
67#include "adaptation/Service.h"
68#if ICAP_CLIENT
69#include "adaptation/icap/History.h"
70#endif
71#endif
cb4f4424 72#if USE_OPENSSL
2bd84e5f 73#include "ssl/ServerBump.h"
602d9612 74#include "ssl/support.h"
4db984be 75#endif
3ff65596 76
edce4d98 77#if LINGERING_CLOSE
78#define comm_close comm_lingering_close
79#endif
80
81static const char *const crlf = "\r\n";
82
609c620a 83#if FOLLOW_X_FORWARDED_FOR
2efeb0b7 84static void clientFollowXForwardedForCheck(allow_t answer, void *data);
609c620a 85#endif /* FOLLOW_X_FORWARDED_FOR */
3d674977 86
7e6eabbc 87ErrorState *clientBuildError(err_type, Http::StatusCode, char const *url, Ip::Address &, HttpRequest *, const AccessLogEntry::Pointer &);
2bd84e5f 88
8e2745f4 89CBDATA_CLASS_INIT(ClientRequestContext);
90
edce4d98 91/* Local functions */
edce4d98 92/* other */
2efeb0b7 93static void clientAccessCheckDoneWrapper(allow_t, void *);
cb4f4424 94#if USE_OPENSSL
2efeb0b7 95static void sslBumpAccessCheckDoneWrapper(allow_t, void *);
e0c0d54c 96#endif
59a1efb2 97static int clientHierarchical(ClientHttpRequest * http);
98static void clientInterpretRequestHeaders(ClientHttpRequest * http);
e166785a 99static HLPCB clientRedirectDoneWrapper;
a8a0b1c2 100static HLPCB clientStoreIdDoneWrapper;
2efeb0b7 101static void checkNoCacheDoneWrapper(allow_t, void *);
82afb125
FC		 102SQUIDCEXTERN CSR clientGetMoreData;
103SQUIDCEXTERN CSS clientReplyStatus;
104SQUIDCEXTERN CSD clientReplyDetach;
528b2c61 105static void checkFailureRatio(err_type, hier_code);
edce4d98 106
8e2745f4 107ClientRequestContext::~ClientRequestContext()
108{
de31d06f 109 /*
a546b04b 110 * Release our "lock" on our parent, ClientHttpRequest, if we
111 * still have one
de31d06f 112 */
a546b04b 113
114 if (http)
115 cbdataReferenceDone(http);
62e76326 116
2bd84e5f 117 delete error;
cc8c4af2 118 debugs(85,3, "ClientRequestContext destructed, this=" << this);
8e2745f4 119}
120
cc8c4af2
AJ		 121ClientRequestContext::ClientRequestContext(ClientHttpRequest *anHttp) :
122 http(cbdataReference(anHttp)),
123 acl_checklist(NULL),
124 redirect_state(REDIRECT_NONE),
125 store_id_state(REDIRECT_NONE),
126 host_header_verify_done(false),
127 http_access_done(false),
128 adapted_http_access_done(false),
129#if USE_ADAPTATION
130 adaptation_acl_check_done(false),
131#endif
132 redirect_done(false),
133 store_id_done(false),
134 no_cache_done(false),
135 interpreted_req_hdrs(false),
244da4ad 136 toClientMarkingDone(false),
cb4f4424 137#if USE_OPENSSL
cc8c4af2 138 sslBumpCheckDone(false),
e0c0d54c 139#endif
cc8c4af2
AJ		 140 error(NULL),
141 readNextRequest(false)
142{
143 debugs(85, 3, "ClientRequestContext constructed, this=" << this);
edce4d98 144}
145
528b2c61 146CBDATA_CLASS_INIT(ClientHttpRequest);
8e2745f4 147
26ac0430 148ClientHttpRequest::ClientHttpRequest(ConnStateData * aConn) :
a83c6ed6 149#if USE_ADAPTATION
f53969cc 150 AsyncJob("ClientHttpRequest"),
1cf238db 151#endif
cc8c4af2
AJ		 152 request(NULL),
153 uri(NULL),
154 log_uri(NULL),
155 req_sz(0),
cc8c4af2
AJ		 156 calloutContext(NULL),
157 maxReplyBodySize_(0),
158 entry_(NULL),
159 loggingEntry_(NULL),
160 conn_(NULL)
161#if USE_OPENSSL
162 , sslBumpNeed_(Ssl::bumpEnd)
163#endif
164#if USE_ADAPTATION
165 , request_satisfaction_mode(false)
166 , request_satisfaction_offset(0)
167#endif
528b2c61 168{
a0355e95 169 setConn(aConn);
41ebd397 170 al = new AccessLogEntry;
af0ded40 171 al->cache.start_time = current_time;
70b0f938
AJ		 172 if (aConn) {
173 al->tcpClient = clientConnection = aConn->clientConnection;
174 al->cache.port = aConn->port;
175 al->cache.caddr = aConn->log_addr;
36c774f7 176 al->proxyProtocolHeader = aConn->proxyProtocolHeader();
d4806c91 177
cb4f4424 178#if USE_OPENSSL
70b0f938
AJ		 179 if (aConn->clientConnection != NULL && aConn->clientConnection->isOpen()) {
180 if (auto ssl = fd_table[aConn->clientConnection->fd].ssl.get())
35b3559c 181 al->cache.sslClientCert.resetWithoutLocking(SSL_get_peer_certificate(ssl));
70b0f938 182 }
f4698e0b 183#endif
70b0f938 184 }
a0355e95 185 dlinkAdd(this, &active, &ClientActiveRequests);
528b2c61 186}
187
0655fa4d 188/*
189 * returns true if client specified that the object must come from the cache
190 * without contacting origin server
191 */
192bool
193ClientHttpRequest::onlyIfCached()const
194{
195 assert(request);
196 return request->cache_control &&
810d879f 197 request->cache_control->hasOnlyIfCached();
0655fa4d 198}
199
77aacca5 200/**
528b2c61 201 * This function is designed to serve a fairly specific purpose.
202 * Occasionally our vBNS-connected caches can talk to each other, but not
203 * the rest of the world. Here we try to detect frequent failures which
204 * make the cache unusable (e.g. DNS lookup and connect() failures). If
205 * the failure:success ratio goes above 1.0 then we go into "hit only"
206 * mode where we only return UDP_HIT or UDP_MISS_NOFETCH. Neighbors
207 * will only fetch HITs from us if they are using the ICP protocol. We
208 * stay in this mode for 5 minutes.
26ac0430 209 *
528b2c61 210 * Duane W., Sept 16, 1996
211 */
528b2c61 212static void
213checkFailureRatio(err_type etype, hier_code hcode)
214{
77aacca5
AJ		 215 // Can be set at compile time with -D compiler flag
216#ifndef FAILURE_MODE_TIME
217#define FAILURE_MODE_TIME 300
218#endif
219
8d74a311
AJ		 220 if (hcode == HIER_NONE)
221 return;
222
223 // don't bother when ICP is disabled.
224 if (Config.Port.icp <= 0)
225 return;
226
528b2c61 227 static double magic_factor = 100.0;
228 double n_good;
229 double n_bad;
62e76326 230
528b2c61 231 n_good = magic_factor / (1.0 + request_failure_ratio);
62e76326 232
528b2c61 233 n_bad = magic_factor - n_good;
62e76326 234
528b2c61 235 switch (etype) {
62e76326 236
528b2c61 237 case ERR_DNS_FAIL:
62e76326 238
528b2c61 239 case ERR_CONNECT_FAIL:
3712be3f 240 case ERR_SECURE_CONNECT_FAIL:
62e76326 241
528b2c61 242 case ERR_READ_ERROR:
5086523e 243 ++n_bad;
62e76326 244 break;
245
528b2c61 246 default:
5086523e 247 ++n_good;
528b2c61 248 }
62e76326 249
528b2c61 250 request_failure_ratio = n_bad / n_good;
62e76326 251
528b2c61 252 if (hit_only_mode_until > squid_curtime)
62e76326 253 return;
254
528b2c61 255 if (request_failure_ratio < 1.0)
62e76326 256 return;
257
77aacca5 258 debugs(33, DBG_CRITICAL, "WARNING: Failure Ratio at "<< std::setw(4)<<
bf8fe701 259 std::setprecision(3) << request_failure_ratio);
62e76326 260
8d74a311 261 debugs(33, DBG_CRITICAL, "WARNING: ICP going into HIT-only mode for " <<
bf8fe701 262 FAILURE_MODE_TIME / 60 << " minutes...");
62e76326 263
528b2c61 264 hit_only_mode_until = squid_curtime + FAILURE_MODE_TIME;
62e76326 265
f53969cc 266 request_failure_ratio = 0.8; /* reset to something less than 1.0 */
528b2c61 267}
268
269ClientHttpRequest::~ClientHttpRequest()
270{
bf8fe701 271 debugs(33, 3, "httpRequestFree: " << uri);
72bdee4c 272 PROF_start(httpRequestFree);
62e76326 273
5f8252d2 274 // Even though freeResources() below may destroy the request,
275 // we no longer set request->body_pipe to NULL here
276 // because we did not initiate that pipe (ConnStateData did)
62e76326 277
528b2c61 278 /* the ICP check here was erroneous
26ac0430 279 * - StoreEntry::releaseRequest was always called if entry was valid
528b2c61 280 */
9ce7856a 281
528b2c61 282 logRequest();
9ce7856a 283
0976f8db 284 loggingEntry(NULL);
285
528b2c61 286 if (request)
41ebd397 287 checkFailureRatio(request->errType, al->hier.code);
62e76326 288
528b2c61 289 freeResources();
62e76326 290
a83c6ed6
AR		 291#if USE_ADAPTATION
292 announceInitiatorAbort(virginHeadSource);
9d4d7c5e 293
a83c6ed6
AR		 294 if (adaptedBodySource != NULL)
295 stopConsumingFrom(adaptedBodySource);
de31d06f 296#endif
9ce7856a 297
de31d06f 298 if (calloutContext)
299 delete calloutContext;
300
be364179
AJ		 301 clientConnection = NULL;
302
26ac0430
AJ		 303 if (conn_)
304 cbdataReferenceDone(conn_);
1cf238db 305
528b2c61 306 /* moving to the next connection is handled by the context free */
307 dlinkDelete(&active, &ClientActiveRequests);
9ce7856a 308
72bdee4c 309 PROF_stop(httpRequestFree);
528b2c61 310}
62e76326 311
11992b6f
AJ		 312/**
313 * Create a request and kick it off
314 *
315 * \retval 0 success
316 * \retval -1 failure
317 *
69660be0 318 * TODO: Pass in the buffers to be used in the inital Read request, as they are
319 * determined by the user
edce4d98 320 */
11992b6f 321int
60745f24 322clientBeginRequest(const HttpRequestMethod& method, char const *url, CSCB * streamcallback,
0655fa4d 323 CSD * streamdetach, ClientStreamData streamdata, HttpHeader const *header,
5ceaee75 324 char *tailbuf, size_t taillen, const MasterXaction::Pointer &mx)
edce4d98 325{
326 size_t url_sz;
a0355e95 327 ClientHttpRequest *http = new ClientHttpRequest(NULL);
190154cf 328 HttpRequest *request;
528b2c61 329 StoreIOBuffer tempBuffer;
af0ded40
CT		 330 if (http->al != NULL)
331 http->al->cache.start_time = current_time;
edce4d98 332 /* this is only used to adjust the connection offset in client_side.c */
333 http->req_sz = 0;
c8be6d7b 334 tempBuffer.length = taillen;
335 tempBuffer.data = tailbuf;
edce4d98 336 /* client stream setup */
337 clientStreamInit(&http->client_stream, clientGetMoreData, clientReplyDetach,
0655fa4d 338 clientReplyStatus, new clientReplyContext(http), streamcallback,
62e76326 339 streamdetach, streamdata, tempBuffer);
edce4d98 340 /* make it visible in the 'current acctive requests list' */
edce4d98 341 /* Set flags */
a46d2c0e 342 /* internal requests only makes sense in an
343 * accelerator today. TODO: accept flags ? */
be4d35dc 344 http->flags.accel = true;
edce4d98 345 /* allow size for url rewriting */
346 url_sz = strlen(url) + Config.appendDomainLen + 5;
e6ccf245 347 http->uri = (char *)xcalloc(url_sz, 1);
8babada0 348 strcpy(http->uri, url); // XXX: polluting http->uri before parser validation
edce4d98 349
5ceaee75 350 if ((request = HttpRequest::FromUrl(http->uri, mx, method)) == NULL) {
bf8fe701 351 debugs(85, 5, "Invalid URL: " << http->uri);
62e76326 352 return -1;
edce4d98 353 }
62e76326 354
69660be0 355 /*
91489e45
AJ		 356 * now update the headers in request with our supplied headers.
357 * HttpRequest::FromUrl() should return a blank header set, but
358 * we use Update to be sure of correctness.
edce4d98 359 */
360 if (header)
2d4f252d 361 request->header.update(header);
62e76326 362
edce4d98 363 /* http struct now ready */
364
69660be0 365 /*
366 * build new header list *? TODO
edce4d98 367 */
45e5102d 368 request->flags.accelerated = http->flags.accel;
62e76326 369
a46d2c0e 370 /* this is an internally created
371 * request, not subject to acceleration
372 * target overrides */
69660be0 373 /*
374 * FIXME? Do we want to detect and handle internal requests of internal
375 * objects ?
376 */
edce4d98 377
378 /* Internally created requests cannot have bodies today */
379 request->content_length = 0;
62e76326 380
4dd643d5 381 request->client_addr.setNoAddr();
62e76326 382
3d674977 383#if FOLLOW_X_FORWARDED_FOR
4dd643d5 384 request->indirect_client_addr.setNoAddr();
3d674977 385#endif /* FOLLOW_X_FORWARDED_FOR */
26ac0430 386
f53969cc 387 request->my_addr.setNoAddr(); /* undefined for internal requests */
62e76326 388
4dd643d5 389 request->my_addr.port(0);
62e76326 390
2592bc70 391 request->http_ver = Http::ProtocolVersion();
62e76326 392
bec110e4 393 http->initRequest(request);
edce4d98 394
395 /* optional - skip the access check ? */
de31d06f 396 http->calloutContext = new ClientRequestContext(http);
397
57abaac0 398 http->calloutContext->http_access_done = false;
de31d06f 399
57abaac0 400 http->calloutContext->redirect_done = true;
de31d06f 401
57abaac0 402 http->calloutContext->no_cache_done = true;
de31d06f 403
404 http->doCallouts();
62e76326 405
edce4d98 406 return 0;
407}
408
de31d06f 409bool
410ClientRequestContext::httpStateIsValid()
411{
412 ClientHttpRequest *http_ = http;
413
414 if (cbdataReferenceValid(http_))
415 return true;
416
417 http = NULL;
418
419 cbdataReferenceDone(http_);
420
421 return false;
422}
423
3d674977
AJ		 424#if FOLLOW_X_FORWARDED_FOR
425/**
a9044668 426 * clientFollowXForwardedForCheck() checks the content of X-Forwarded-For:
3d674977
AJ		 427 * against the followXFF ACL, or cleans up and passes control to
428 * clientAccessCheck().
d096ace1
AJ		 429 *
430 * The trust model here is a little ambiguous. So to clarify the logic:
431 * - we may always use the direct client address as the client IP.
a9044668 432 * - these trust tests merey tell whether we trust given IP enough to believe the
d096ace1
AJ		 433 * IP string which it appended to the X-Forwarded-For: header.
434 * - if at any point we don't trust what an IP adds we stop looking.
435 * - at that point the current contents of indirect_client_addr are the value set
436 * by the last previously trusted IP.
437 * ++ indirect_client_addr contains the remote direct client from the trusted peers viewpoint.
3d674977 438 */
3d674977 439static void
2efeb0b7 440clientFollowXForwardedForCheck(allow_t answer, void *data)
3d674977
AJ		 441{
442 ClientRequestContext *calloutContext = (ClientRequestContext *) data;
3d674977
AJ		 443
444 if (!calloutContext->httpStateIsValid())
445 return;
446
d096ace1
AJ		 447 ClientHttpRequest *http = calloutContext->http;
448 HttpRequest *request = http->request;
449
06bf5384 450 if (answer.allowed() && request->x_forwarded_for_iterator.size() != 0) {
d096ace1 451
3d674977 452 /*
d096ace1
AJ		 453 * Remove the last comma-delimited element from the
454 * x_forwarded_for_iterator and use it to repeat the cycle.
455 */
3d674977
AJ		 456 const char *p;
457 const char *asciiaddr;
458 int l;
b7ac5457 459 Ip::Address addr;
bb790702 460 p = request->x_forwarded_for_iterator.termedBuf();
3d674977
AJ		 461 l = request->x_forwarded_for_iterator.size();
462
463 /*
464 * XXX x_forwarded_for_iterator should really be a list of
465 * IP addresses, but it's a String instead. We have to
466 * walk backwards through the String, biting off the last
467 * comma-delimited part each time. As long as the data is in
468 * a String, we should probably implement and use a variant of
469 * strListGetItem() that walks backwards instead of forwards
470 * through a comma-separated list. But we don't even do that;
471 * we just do the work in-line here.
472 */
473 /* skip trailing space and commas */
474 while (l > 0 && (p[l-1] == ',' || xisspace(p[l-1])))
5e263176 475 --l;
3d674977
AJ		 476 request->x_forwarded_for_iterator.cut(l);
477 /* look for start of last item in list */
478 while (l > 0 && ! (p[l-1] == ',' || xisspace(p[l-1])))
5e263176 479 --l;
3d674977 480 asciiaddr = p+l;
fafd0efa 481 if ((addr = asciiaddr)) {
3d674977
AJ		 482 request->indirect_client_addr = addr;
483 request->x_forwarded_for_iterator.cut(l);
d096ace1
AJ		 484 calloutContext->acl_checklist = clientAclChecklistCreate(Config.accessList.followXFF, http);
485 if (!Config.onoff.acl_uses_indirect_client) {
486 /* override the default src_addr tested if we have to go deeper than one level into XFF */
487 Filled(calloutContext->acl_checklist)->src_addr = request->indirect_client_addr;
3d674977 488 }
d096ace1 489 calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data);
3d674977
AJ		 490 return;
491 }
06bf5384 492 }
3d674977
AJ		 493
494 /* clean up, and pass control to clientAccessCheck */
26ac0430 495 if (Config.onoff.log_uses_indirect_client) {
3d674977
AJ		 496 /*
497 * Ensure that the access log shows the indirect client
498 * instead of the direct client.
499 */
bdb502fb
AJ		 500 http->al->cache.caddr = request->indirect_client_addr;
501 if (ConnStateData *conn = http->getConn())
502 conn->log_addr = request->indirect_client_addr;
3d674977
AJ		 503 }
504 request->x_forwarded_for_iterator.clean();
e857372a 505 request->flags.done_follow_x_forwarded_for = true;
3d674977 506
9b537f95 507 if (answer.conflicted()) {
d096ace1 508 debugs(28, DBG_CRITICAL, "ERROR: Processing X-Forwarded-For. Stopping at IP address: " << request->indirect_client_addr );
493d3865
AJ		 509 }
510
511 /* process actual access ACL as normal. */
512 calloutContext->clientAccessCheck();
3d674977
AJ		 513}
514#endif /* FOLLOW_X_FORWARDED_FOR */
515
fe97983f 516static void
4a3b98d7 517hostHeaderIpVerifyWrapper(const ipcache_addrs* ia, const Dns::LookupDetails &dns, void *data)
fe97983f
AJ		 518{
519 ClientRequestContext *c = static_cast<ClientRequestContext*>(data);
520 c->hostHeaderIpVerify(ia, dns);
521}
522
523void
4a3b98d7 524ClientRequestContext::hostHeaderIpVerify(const ipcache_addrs* ia, const Dns::LookupDetails &dns)
fe97983f
AJ		 525{
526 Comm::ConnectionPointer clientConn = http->getConn()->clientConnection;
527
528 // note the DNS details for the transaction stats.
529 http->request->recordLookup(dns);
530
fd9c47d1
AR		 531 // Is the NAT destination IP in DNS?
532 if (ia && ia->have(clientConn->local)) {
533 debugs(85, 3, "validate IP " << clientConn->local << " possible from Host:");
534 http->request->flags.hostVerified = true;
535 http->doCallouts();
536 return;
fe97983f
AJ		 537 }
538 debugs(85, 3, HERE << "FAIL: validate IP " << clientConn->local << " possible from Host:");
05b28f84 539 hostHeaderVerifyFailed("local IP", "any domain IP");
fe97983f
AJ		 540}
541
542void
05b28f84 543ClientRequestContext::hostHeaderVerifyFailed(const char *A, const char *B)
fe97983f 544{
2962f8b8
AJ		 545 // IP address validation for Host: failed. Admin wants to ignore them.
546 // NP: we do not yet handle CONNECT tunnels well, so ignore for them
c2a7cefd 547 if (!Config.onoff.hostStrictVerify && http->request->method != Http::METHOD_CONNECT) {
2962f8b8 548 debugs(85, 3, "SECURITY ALERT: Host header forgery detected on " << http->getConn()->clientConnection <<
851feda6 549 " (" << A << " does not match " << B << ") on URL: " << http->request->effectiveRequestUri());
2962f8b8 550
450fe1cb 551 // NP: it is tempting to use 'flags.noCache' but that is all about READing cache data.
2962f8b8 552 // The problems here are about WRITE for new cache content, which means flags.cachable
e857372a 553 http->request->flags.cachable = false; // MUST NOT cache (for now)
2962f8b8 554 // XXX: when we have updated the cache key to base on raw-IP + URI this cacheable limit can go.
e857372a 555 http->request->flags.hierarchical = false; // MUST NOT pass to peers (for now)
2962f8b8 556 // XXX: when we have sorted out the best way to relay requests properly to peers this hierarchical limit can go.
567fe088 557 http->doCallouts();
2962f8b8
AJ		 558 return;
559 }
560
8f489ad7
AJ		 561 debugs(85, DBG_IMPORTANT, "SECURITY ALERT: Host header forgery detected on " <<
562 http->getConn()->clientConnection << " (" << A << " does not match " << B << ")");
d610d018
AR		 563 if (const char *ua = http->request->header.getStr(Http::HdrType::USER_AGENT))
564 debugs(85, DBG_IMPORTANT, "SECURITY ALERT: By user agent: " << ua);
851feda6 565 debugs(85, DBG_IMPORTANT, "SECURITY ALERT: on URL: " << http->request->effectiveRequestUri());
fe97983f
AJ		 566
567 // IP address validation for Host: failed. reject the connection.
568 clientStreamNode *node = (clientStreamNode *)http->client_stream.tail->prev->data;
569 clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw());
570 assert (repContext);
955394ce 571 repContext->setReplyToError(ERR_CONFLICT_HOST, Http::scConflict,
fe97983f
AJ		 572 http->request->method, NULL,
573 http->getConn()->clientConnection->remote,
574 http->request,
575 NULL,
576#if USE_AUTH
cc1e110a
AJ		 577 http->getConn() != NULL && http->getConn()->getAuth() != NULL ?
578 http->getConn()->getAuth() : http->request->auth_user_request);
fe97983f
AJ		 579#else
580 NULL);
581#endif
582 node = (clientStreamNode *)http->client_stream.tail->data;
583 clientStreamRead(node, http, node->readBuffer);
584}
585
586void
587ClientRequestContext::hostHeaderVerify()
588{
589 // Require a Host: header.
789217a2 590 const char *host = http->request->header.getStr(Http::HdrType::HOST);
fe97983f
AJ		 591
592 if (!host) {
593 // TODO: dump out the HTTP/1.1 error about missing host header.
594 // otherwise this is fine, can't forge a header value when its not even set.
595 debugs(85, 3, HERE << "validate skipped with no Host: header present.");
596 http->doCallouts();
597 return;
598 }
599
45e5102d 600 if (http->request->flags.internal) {
8f489ad7
AJ		 601 // TODO: kill this when URL handling allows partial URLs out of accel mode
602 // and we no longer screw with the URL just to add our internal host there
603 debugs(85, 6, HERE << "validate skipped due to internal composite URL.");
604 http->doCallouts();
605 return;
606 }
607
fe97983f
AJ		 608 // Locate if there is a port attached, strip ready for IP lookup
609 char *portStr = NULL;
91663dce
AJ		 610 char *hostB = xstrdup(host);
611 host = hostB;
fe97983f
AJ		 612 if (host[0] == '[') {
613 // IPv6 literal.
fe97983f 614 portStr = strchr(hostB, ']');
91663dce
AJ		 615 if (portStr && *(++portStr) != ':') {
616 portStr = NULL;
fe97983f 617 }
91663dce 618 } else {
fe97983f 619 // Domain or IPv4 literal with port
fe97983f 620 portStr = strrchr(hostB, ':');
91663dce
AJ		 621 }
622
623 uint16_t port = 0;
624 if (portStr) {
625 *portStr = '\0'; // strip the ':'
126e1dc0
AJ		 626 if (*(++portStr) != '\0') {
627 char *end = NULL;
628 int64_t ret = strtoll(portStr, &end, 10);
629 if (end == portStr || *end != '\0' || ret < 1 || ret > 0xFFFF) {
630 // invalid port details. Replace the ':'
631 *(--portStr) = ':';
632 portStr = NULL;
633 } else
634 port = (ret & 0xFFFF);
635 }
fe97983f
AJ		 636 }
637
5c51bffb 638 debugs(85, 3, "validate host=" << host << ", port=" << port << ", portStr=" << (portStr?portStr:"NULL"));
0d901ef4 639 if (http->request->flags.intercepted || http->request->flags.interceptTproxy) {
ba4d9da0 640 // verify the Host: port (if any) matches the apparent destination
4dd643d5 641 if (portStr && port != http->getConn()->clientConnection->local.port()) {
5c51bffb 642 debugs(85, 3, "FAIL on validate port " << http->getConn()->clientConnection->local.port() <<
05b28f84
AJ		 643 " matches Host: port " << port << " (" << portStr << ")");
644 hostHeaderVerifyFailed("intercepted port", portStr);
ba4d9da0
AJ		 645 } else {
646 // XXX: match the scheme default port against the apparent destination
fe97983f 647
ba4d9da0
AJ		 648 // verify the destination DNS is one of the Host: headers IPs
649 ipcache_nbgethostbyname(host, hostHeaderIpVerifyWrapper, this);
650 }
06059513 651 } else if (!Config.onoff.hostStrictVerify) {
5c51bffb 652 debugs(85, 3, "validate skipped.");
90529125 653 http->doCallouts();
5c51bffb 654 } else if (strlen(host) != strlen(http->request->url.host())) {
8f489ad7 655 // Verify forward-proxy requested URL domain matches the Host: header
5c51bffb
AJ		 656 debugs(85, 3, "FAIL on validate URL domain length " << http->request->url.host() << " matches Host: " << host);
657 hostHeaderVerifyFailed(host, http->request->url.host());
658 } else if (matchDomainName(host, http->request->url.host()) != 0) {
ba4d9da0 659 // Verify forward-proxy requested URL domain matches the Host: header
5c51bffb
AJ		 660 debugs(85, 3, "FAIL on validate URL domain " << http->request->url.host() << " matches Host: " << host);
661 hostHeaderVerifyFailed(host, http->request->url.host());
662 } else if (portStr && port != http->request->url.port()) {
ba4d9da0 663 // Verify forward-proxy requested URL domain matches the Host: header
5c51bffb 664 debugs(85, 3, "FAIL on validate URL port " << http->request->url.port() << " matches Host: port " << portStr);
ba4d9da0 665 hostHeaderVerifyFailed("URL port", portStr);
5c51bffb 666 } else if (!portStr && http->request->method != Http::METHOD_CONNECT && http->request->url.port() != http->request->url.getScheme().defaultPort()) {
ba4d9da0 667 // Verify forward-proxy requested URL domain matches the Host: header
65d2fdbf 668 // Special case: we don't have a default-port to check for CONNECT. Assume URL is correct.
5c51bffb 669 debugs(85, 3, "FAIL on validate URL port " << http->request->url.port() << " matches Host: default port " << http->request->url.getScheme().defaultPort());
ba4d9da0
AJ		 670 hostHeaderVerifyFailed("URL port", "default port");
671 } else {
672 // Okay no problem.
5c51bffb 673 debugs(85, 3, "validate passed.");
e857372a 674 http->request->flags.hostVerified = true;
ba4d9da0 675 http->doCallouts();
fe97983f 676 }
ba4d9da0 677 safe_free(hostB);
fe97983f
AJ		 678}
679
edce4d98 680/* This is the entry point for external users of the client_side routines */
681void
de31d06f 682ClientRequestContext::clientAccessCheck()
edce4d98 683{
fbe9e379 684#if FOLLOW_X_FORWARDED_FOR
f1a1f20a 685 if (!http->request->flags.doneFollowXff() &&
26ac0430 686 Config.accessList.followXFF &&
789217a2 687 http->request->header.has(Http::HdrType::X_FORWARDED_FOR)) {
d096ace1
AJ		 688
689 /* we always trust the direct client address for actual use */
690 http->request->indirect_client_addr = http->request->client_addr;
4dd643d5 691 http->request->indirect_client_addr.port(0);
d096ace1
AJ		 692
693 /* setup the XFF iterator for processing */
789217a2 694 http->request->x_forwarded_for_iterator = http->request->header.getList(Http::HdrType::X_FORWARDED_FOR);
d096ace1
AJ		 695
696 /* begin by checking to see if we trust direct client enough to walk XFF */
697 acl_checklist = clientAclChecklistCreate(Config.accessList.followXFF, http);
698 acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, this);
3d674977
AJ		 699 return;
700 }
fbe9e379 701#endif
493d3865 702
b50e327b
AJ		 703 if (Config.accessList.http) {
704 acl_checklist = clientAclChecklistCreate(Config.accessList.http, http);
705 acl_checklist->nonBlockingCheck(clientAccessCheckDoneWrapper, this);
706 } else {
707 debugs(0, DBG_CRITICAL, "No http_access configuration found. This will block ALL traffic");
708 clientAccessCheckDone(ACCESS_DENIED);
709 }
edce4d98 710}
711
533493da
AJ		 712/**
713 * Identical in operation to clientAccessCheck() but performed later using different configured ACL list.
714 * The default here is to allow all. Since the earlier http_access should do a default deny all.
715 * This check is just for a last-minute denial based on adapted request headers.
716 */
717void
718ClientRequestContext::clientAccessCheck2()
719{
720 if (Config.accessList.adapted_http) {
721 acl_checklist = clientAclChecklistCreate(Config.accessList.adapted_http, http);
722 acl_checklist->nonBlockingCheck(clientAccessCheckDoneWrapper, this);
723 } else {
327e2131 724 debugs(85, 2, HERE << "No adapted_http_access configuration. default: ALLOW");
533493da
AJ		 725 clientAccessCheckDone(ACCESS_ALLOWED);
726 }
727}
728
edce4d98 729void
2efeb0b7 730clientAccessCheckDoneWrapper(allow_t answer, void *data)
edce4d98 731{
de31d06f 732 ClientRequestContext *calloutContext = (ClientRequestContext *) data;
fbade053 733
de31d06f 734 if (!calloutContext->httpStateIsValid())
62e76326 735 return;
62e76326 736
de31d06f 737 calloutContext->clientAccessCheckDone(answer);
738}
739
9d5e7196
AJ		 740void
741ClientRequestContext::clientAccessCheckDone(const allow_t &answer)
de31d06f 742{
743 acl_checklist = NULL;
edce4d98 744 err_type page_id;
955394ce 745 Http::StatusCode status;
7f06a3d8 746 debugs(85, 2, "The request " << http->request->method << ' ' <<
9d5e7196 747 http->uri << " is " << answer <<
6f58d7d7 748 "; last ACL checked: " << (AclMatchedName ? AclMatchedName : "[none]"));
f5691f9c 749
2f1431ea
AJ		 750#if USE_AUTH
751 char const *proxy_auth_msg = "<null>";
cc1e110a
AJ		 752 if (http->getConn() != NULL && http->getConn()->getAuth() != NULL)
753 proxy_auth_msg = http->getConn()->getAuth()->denyMessage("<null>");
f5691f9c 754 else if (http->request->auth_user_request != NULL)
755 proxy_auth_msg = http->request->auth_user_request->denyMessage("<null>");
2f1431ea 756#endif
62e76326 757
06bf5384 758 if (!answer.allowed()) {
9d5e7196 759 // auth has a grace period where credentials can be expired but okay not to challenge.
309347ef 760
9d5e7196
AJ		 761 /* Send an auth challenge or error */
762 // XXX: do we still need aclIsProxyAuth() ?
dd332b92 763 bool auth_challenge = (answer == ACCESS_AUTH_REQUIRED || aclIsProxyAuth(AclMatchedName));
9d5e7196
AJ		 764 debugs(85, 5, "Access Denied: " << http->uri);
765 debugs(85, 5, "AclMatchedName = " << (AclMatchedName ? AclMatchedName : "<null>"));
2f1431ea 766#if USE_AUTH
9d5e7196
AJ		 767 if (auth_challenge)
768 debugs(33, 5, "Proxy Auth Message = " << (proxy_auth_msg ? proxy_auth_msg : "<null>"));
2f1431ea 769#endif
9ce7856a 770
9d5e7196
AJ		 771 /*
772 * NOTE: get page_id here, based on AclMatchedName because if
773 * USE_DELAY_POOLS is enabled, then AclMatchedName gets clobbered in
774 * the clientCreateStoreEntry() call just below. Pedro Ribeiro
775 * <pribeiro@isel.pt>
776 */
777 page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, answer != ACCESS_AUTH_REQUIRED);
9ce7856a 778
d2a6dcba 779 http->logType.update(LOG_TCP_DENIED);
62e76326 780
9d5e7196 781 if (auth_challenge) {
2f1431ea 782#if USE_AUTH
450fe1cb 783 if (http->request->flags.sslBumped) {
9d5e7196 784 /*SSL Bumped request, authentication is not possible*/
955394ce 785 status = Http::scForbidden;
9d5e7196
AJ		 786 } else if (!http->flags.accel) {
787 /* Proxy authorisation needed */
955394ce 788 status = Http::scProxyAuthenticationRequired;
9d5e7196
AJ		 789 } else {
790 /* WWW authorisation needed */
955394ce 791 status = Http::scUnauthorized;
9d5e7196 792 }
ed6163ef 793#else
9d5e7196 794 // need auth, but not possible to do.
955394ce 795 status = Http::scForbidden;
ed6163ef 796#endif
9d5e7196
AJ		 797 if (page_id == ERR_NONE)
798 page_id = ERR_CACHE_ACCESS_DENIED;
799 } else {
955394ce 800 status = Http::scForbidden;
ed6163ef 801
9d5e7196
AJ		 802 if (page_id == ERR_NONE)
803 page_id = ERR_ACCESS_DENIED;
804 }
62e76326 805
9d5e7196 806 Ip::Address tmpnoaddr;
4dd643d5 807 tmpnoaddr.setNoAddr();
87f237a9 808 error = clientBuildError(page_id, status,
68715527
CT		 809 NULL,
810 http->getConn() != NULL ? http->getConn()->clientConnection->remote : tmpnoaddr,
7e6eabbc 811 http->request, http->al
87f237a9 812 );
68715527 813
2f1431ea 814#if USE_AUTH
87f237a9 815 error->auth_user_request =
cc1e110a
AJ		 816 http->getConn() != NULL && http->getConn()->getAuth() != NULL ?
817 http->getConn()->getAuth() : http->request->auth_user_request;
2f1431ea 818#endif
68715527
CT		 819
820 readNextRequest = true;
9d5e7196 821 }
de31d06f 822
dd332b92 823 /* ACCESS_ALLOWED continues here ... */
3f0e38d6
AJ		 824 xfree(http->uri);
825 http->uri = SBufToCstring(http->request->effectiveRequestUri());
de31d06f 826 http->doCallouts();
827}
828
a83c6ed6 829#if USE_ADAPTATION
de31d06f 830void
79628299 831ClientHttpRequest::noteAdaptationAclCheckDone(Adaptation::ServiceGroupPointer g)
de31d06f 832{
a83c6ed6 833 debugs(93,3,HERE << this << " adaptationAclCheckDone called");
6ec67de9 834
e1381638 835#if ICAP_CLIENT
79628299 836 Adaptation::Icap::History::Pointer ih = request->icapHistory();
e1381638 837 if (ih != NULL) {
6bc2a98d 838 if (getConn() != NULL && getConn()->clientConnection != NULL) {
79628299 839 ih->rfc931 = getConn()->clientConnection->rfc931;
cb4f4424 840#if USE_OPENSSL
6bc2a98d 841 if (getConn()->clientConnection->isOpen()) {
33cc0629 842 ih->ssluser = sslGetUserEmail(fd_table[getConn()->clientConnection->fd].ssl.get());
6bc2a98d 843 }
e1381638 844#endif
3ff65596 845 }
79628299
CT		 846 ih->log_uri = log_uri;
847 ih->req_sz = req_sz;
3ff65596
AR		 848 }
849#endif
850
a22e6cd3
AR		 851 if (!g) {
852 debugs(85,3, HERE << "no adaptation needed");
79628299 853 doCallouts();
5f8252d2 854 return;
855 }
de31d06f 856
79628299 857 startAdaptation(g);
edce4d98 858}
859
de31d06f 860#endif
861
14cc8559 862static void
2efeb0b7 863clientRedirectAccessCheckDone(allow_t answer, void *data)
14cc8559 864{
865 ClientRequestContext *context = (ClientRequestContext *)data;
9d5e7196
AJ		 866 ClientHttpRequest *http = context->http;
867 context->acl_checklist = NULL;
14cc8559 868
06bf5384 869 if (answer.allowed())
9d5e7196 870 redirectStart(http, clientRedirectDoneWrapper, context);
bc98bc4b 871 else {
ddc77a2e 872 Helper::Reply const nilReply(Helper::Error);
bc98bc4b
AJ		 873 context->clientRedirectDone(nilReply);
874 }
14cc8559 875}
876
de31d06f 877void
878ClientRequestContext::clientRedirectStart()
14cc8559 879{
48e7baac 880 debugs(33, 5, HERE << "'" << http->uri << "'");
75d47340 881 http->al->syncNotes(http->request);
14cc8559 882 if (Config.accessList.redirector) {
de31d06f 883 acl_checklist = clientAclChecklistCreate(Config.accessList.redirector, http);
884 acl_checklist->nonBlockingCheck(clientRedirectAccessCheckDone, this);
14cc8559 885 } else
de31d06f 886 redirectStart(http, clientRedirectDoneWrapper, this);
14cc8559 887}
888
a8a0b1c2
EC		 889/**
890 * This methods handles Access checks result of StoreId access list.
891 * Will handle as "ERR" (no change) in a case Access is not allowed.
892 */
893static void
894clientStoreIdAccessCheckDone(allow_t answer, void *data)
895{
896 ClientRequestContext *context = static_cast<ClientRequestContext *>(data);
897 ClientHttpRequest *http = context->http;
898 context->acl_checklist = NULL;
899
06bf5384 900 if (answer.allowed())
a8a0b1c2
EC		 901 storeIdStart(http, clientStoreIdDoneWrapper, context);
902 else {
903 debugs(85, 3, "access denied expected ERR reply handling: " << answer);
ddc77a2e 904 Helper::Reply const nilReply(Helper::Error);
a8a0b1c2
EC		 905 context->clientStoreIdDone(nilReply);
906 }
907}
908
909/**
910 * Start locating an alternative storeage ID string (if any) from admin
911 * configured helper program. This is an asynchronous operation terminating in
912 * ClientRequestContext::clientStoreIdDone() when completed.
913 */
914void
915ClientRequestContext::clientStoreIdStart()
916{
917 debugs(33, 5,"'" << http->uri << "'");
918
919 if (Config.accessList.store_id) {
920 acl_checklist = clientAclChecklistCreate(Config.accessList.store_id, http);
921 acl_checklist->nonBlockingCheck(clientStoreIdAccessCheckDone, this);
922 } else
923 storeIdStart(http, clientStoreIdDoneWrapper, this);
924}
925
edce4d98 926static int
59a1efb2 927clientHierarchical(ClientHttpRequest * http)
edce4d98 928{
190154cf 929 HttpRequest *request = http->request;
60745f24 930 HttpRequestMethod method = request->method;
edce4d98 931
2962f8b8 932 // intercepted requests MUST NOT (yet) be sent to peers unless verified
0d901ef4 933 if (!request->flags.hostVerified && (request->flags.intercepted || request->flags.interceptTproxy))
2962f8b8
AJ		 934 return 0;
935
69660be0 936 /*
937 * IMS needs a private key, so we can use the hierarchy for IMS only if our
938 * neighbors support private keys
939 */
62e76326 940
45e5102d 941 if (request->flags.ims && !neighbors_do_private_keys)
62e76326 942 return 0;
943
69660be0 944 /*
945 * This is incorrect: authenticating requests can be sent via a hierarchy
06b97e72 946 * (they can even be cached if the correct headers are set on the reply)
edce4d98 947 */
45e5102d 948 if (request->flags.auth)
62e76326 949 return 0;
950
c2a7cefd 951 if (method == Http::METHOD_TRACE)
62e76326 952 return 1;
953
c2a7cefd 954 if (method != Http::METHOD_GET)
62e76326 955 return 0;
956
450fe1cb 957 if (request->flags.loopDetected)
62e76326 958 return 0;
959
4e3f4dc7 960 if (request->url.getScheme() == AnyP::PROTO_HTTP)
c2a7cefd 961 return method.respMaybeCacheable();
62e76326 962
4e3f4dc7 963 if (request->url.getScheme() == AnyP::PROTO_GOPHER)
62e76326 964 return gopherCachable(request);
965
4e3f4dc7 966 if (request->url.getScheme() == AnyP::PROTO_CACHE_OBJECT)
62e76326 967 return 0;
968
edce4d98 969 return 1;
970}
971
46a1f562
HN		 972static void
973clientCheckPinning(ClientHttpRequest * http)
974{
975 HttpRequest *request = http->request;
976 HttpHeader *req_hdr = &request->header;
977 ConnStateData *http_conn = http->getConn();
978
979 /* Internal requests such as those from ESI includes may be without
980 * a client connection
981 */
982 if (!http_conn)
f54f527e 983 return;
46a1f562 984
450fe1cb
FC		 985 request->flags.connectionAuthDisabled = http_conn->port->connection_auth_disabled;
986 if (!request->flags.connectionAuthDisabled) {
73c36fd9 987 if (Comm::IsConnOpen(http_conn->pinning.serverConnection)) {
46a1f562 988 if (http_conn->pinning.auth) {
e857372a
FC		 989 request->flags.connectionAuth = true;
990 request->flags.auth = true;
46a1f562 991 } else {
e857372a 992 request->flags.connectionProxyAuth = true;
46a1f562 993 }
b1cf2350
AJ		 994 // These should already be linked correctly.
995 assert(request->clientConnectionManager == http_conn);
46a1f562
HN		 996 }
997 }
998
999 /* check if connection auth is used, and flag as candidate for pinning
45e5102d 1000 * in such case.
450fe1cb 1001 * Note: we may need to set flags.connectionAuth even if the connection
46a1f562
HN		 1002 * is already pinned if it was pinned earlier due to proxy auth
1003 */
450fe1cb 1004 if (!request->flags.connectionAuth) {
789217a2 1005 if (req_hdr->has(Http::HdrType::AUTHORIZATION) || req_hdr->has(Http::HdrType::PROXY_AUTHORIZATION)) {
46a1f562
HN		 1006 HttpHeaderPos pos = HttpHeaderInitPos;
1007 HttpHeaderEntry *e;
1008 int may_pin = 0;
1009 while ((e = req_hdr->getEntry(&pos))) {
789217a2 1010 if (e->id == Http::HdrType::AUTHORIZATION || e->id == Http::HdrType::PROXY_AUTHORIZATION) {
46a1f562
HN		 1011 const char *value = e->value.rawBuf();
1012 if (strncasecmp(value, "NTLM ", 5) == 0
1013 ||
1014 strncasecmp(value, "Negotiate ", 10) == 0
1015 ||
1016 strncasecmp(value, "Kerberos ", 9) == 0) {
789217a2 1017 if (e->id == Http::HdrType::AUTHORIZATION) {
e857372a 1018 request->flags.connectionAuth = true;
46a1f562
HN		 1019 may_pin = 1;
1020 } else {
e857372a 1021 request->flags.connectionProxyAuth = true;
46a1f562
HN		 1022 may_pin = 1;
1023 }
1024 }
1025 }
1026 }
1027 if (may_pin && !request->pinnedConnection()) {
b1cf2350
AJ		 1028 // These should already be linked correctly. Just need the ServerConnection to pinn.
1029 assert(request->clientConnectionManager == http_conn);
46a1f562
HN		 1030 }
1031 }
1032 }
1033}
1034
edce4d98 1035static void
59a1efb2 1036clientInterpretRequestHeaders(ClientHttpRequest * http)
edce4d98 1037{
190154cf 1038 HttpRequest *request = http->request;
0ef77270 1039 HttpHeader *req_hdr = &request->header;
5086523e 1040 bool no_cache = false;
62e76326 1041
edce4d98 1042 request->imslen = -1;
789217a2 1043 request->ims = req_hdr->getTime(Http::HdrType::IF_MODIFIED_SINCE);
62e76326 1044
edce4d98 1045 if (request->ims > 0)
e857372a 1046 request->flags.ims = true;
62e76326 1047
450fe1cb 1048 if (!request->flags.ignoreCc) {
47fbd2a7 1049 if (request->cache_control) {
1259f9cf 1050 if (request->cache_control->hasNoCache())
5086523e 1051 no_cache=true;
62e76326 1052
adc2a453 1053 // RFC 2616: treat Pragma:no-cache as if it was Cache-Control:no-cache when Cache-Control is missing
789217a2
FC		 1054 } else if (req_hdr->has(Http::HdrType::PRAGMA))
1055 no_cache = req_hdr->hasListMember(Http::HdrType::PRAGMA,"no-cache",',');
edce4d98 1056 }
914b89a2 1057
c2a7cefd 1058 if (request->method == Http::METHOD_OTHER) {
5086523e 1059 no_cache=true;
60745f24 1060 }
62e76326 1061
edce4d98 1062 if (no_cache) {
626096be 1063#if USE_HTTP_VIOLATIONS
62e76326 1064
1065 if (Config.onoff.reload_into_ims)
e857372a 1066 request->flags.nocacheHack = true;
62e76326 1067 else if (refresh_nocache_hack)
e857372a 1068 request->flags.nocacheHack = true;
62e76326 1069 else
edce4d98 1070#endif
62e76326 1071
e857372a 1072 request->flags.noCache = true;
edce4d98 1073 }
62e76326 1074
0ef77270 1075 /* ignore range header in non-GETs or non-HEADs */
c2a7cefd 1076 if (request->method == Http::METHOD_GET || request->method == Http::METHOD_HEAD) {
56713d9a
AR		 1077 // XXX: initialize if we got here without HttpRequest::parseHeader()
1078 if (!request->range)
1079 request->range = req_hdr->getRange();
62e76326 1080
1081 if (request->range) {
e857372a 1082 request->flags.isRanged = true;
62e76326 1083 clientStreamNode *node = (clientStreamNode *)http->client_stream.tail->data;
1084 /* XXX: This is suboptimal. We should give the stream the range set,
1085 * and thereby let the top of the stream set the offset when the
26ac0430 1086 * size becomes known. As it is, we will end up requesting from 0
62e76326 1087 * for evey -X range specification.
1088 * RBC - this may be somewhat wrong. We should probably set the range
1089 * iter up at this point.
1090 */
1091 node->readBuffer.offset = request->range->lowestOffset(0);
1092 http->range_iter.pos = request->range->begin();
24a8eaae 1093 http->range_iter.end = request->range->end();
62e76326 1094 http->range_iter.valid = true;
1095 }
edce4d98 1096 }
62e76326 1097
0ef77270 1098 /* Only HEAD and GET requests permit a Range or Request-Range header.
1099 * If these headers appear on any other type of request, delete them now.
1100 */
1101 else {
789217a2
FC		 1102 req_hdr->delById(Http::HdrType::RANGE);
1103 req_hdr->delById(Http::HdrType::REQUEST_RANGE);
f0baf149 1104 request->ignoreRange("neither HEAD nor GET");
0ef77270 1105 }
1106
789217a2 1107 if (req_hdr->has(Http::HdrType::AUTHORIZATION))
e857372a 1108 request->flags.auth = true;
62e76326 1109
46a1f562 1110 clientCheckPinning(http);
d67acb4e 1111
92d6986d 1112 if (!request->url.userInfo().isEmpty())
e857372a 1113 request->flags.auth = true;
62e76326 1114
789217a2
FC		 1115 if (req_hdr->has(Http::HdrType::VIA)) {
1116 String s = req_hdr->getList(Http::HdrType::VIA);
62e76326 1117 /*
3c4fcf0f 1118 * ThisCache cannot be a member of Via header, "1.1 ThisCache" can.
62e76326 1119 * Note ThisCache2 has a space prepended to the hostname so we don't
1120 * accidentally match super-domains.
1121 */
1122
1123 if (strListIsSubstr(&s, ThisCache2, ',')) {
1124 debugObj(33, 1, "WARNING: Forwarding loop detected for:\n",
1125 request, (ObjPackMethod) & httpRequestPack);
e857372a 1126 request->flags.loopDetected = true;
62e76326 1127 }
1128
21f6708d 1129#if USE_FORW_VIA_DB
bb790702 1130 fvdbCountVia(s.termedBuf());
62e76326 1131
edce4d98 1132#endif
62e76326 1133
30abd221 1134 s.clean();
edce4d98 1135 }
62e76326 1136
21f6708d 1137#if USE_FORW_VIA_DB
62e76326 1138
789217a2
FC		 1139 if (req_hdr->has(Http::HdrType::X_FORWARDED_FOR)) {
1140 String s = req_hdr->getList(Http::HdrType::X_FORWARDED_FOR);
bb790702 1141 fvdbCountForw(s.termedBuf());
30abd221 1142 s.clean();
edce4d98 1143 }
62e76326 1144
edce4d98 1145#endif
62e76326 1146
c2a7cefd 1147 request->flags.cachable = http->request->maybeCacheable();
62e76326 1148
edce4d98 1149 if (clientHierarchical(http))
e857372a 1150 request->flags.hierarchical = true;
62e76326 1151
bf8fe701 1152 debugs(85, 5, "clientInterpretRequestHeaders: REQ_NOCACHE = " <<
450fe1cb 1153 (request->flags.noCache ? "SET" : "NOT SET"));
bf8fe701 1154 debugs(85, 5, "clientInterpretRequestHeaders: REQ_CACHABLE = " <<
45e5102d 1155 (request->flags.cachable ? "SET" : "NOT SET"));
bf8fe701 1156 debugs(85, 5, "clientInterpretRequestHeaders: REQ_HIERARCHICAL = " <<
45e5102d 1157 (request->flags.hierarchical ? "SET" : "NOT SET"));
62e76326 1158
edce4d98 1159}
1160
1161void
24438ec5 1162clientRedirectDoneWrapper(void *data, const Helper::Reply &result)
edce4d98 1163{
de31d06f 1164 ClientRequestContext *calloutContext = (ClientRequestContext *)data;
db02222f 1165
de31d06f 1166 if (!calloutContext->httpStateIsValid())
62e76326 1167 return;
62e76326 1168
de31d06f 1169 calloutContext->clientRedirectDone(result);
1170}
1171
a8a0b1c2 1172void
24438ec5 1173clientStoreIdDoneWrapper(void *data, const Helper::Reply &result)
a8a0b1c2
EC		 1174{
1175 ClientRequestContext *calloutContext = (ClientRequestContext *)data;
1176
1177 if (!calloutContext->httpStateIsValid())
1178 return;
1179
1180 calloutContext->clientStoreIdDone(result);
1181}
1182
de31d06f 1183void
24438ec5 1184ClientRequestContext::clientRedirectDone(const Helper::Reply &reply)
de31d06f 1185{
190154cf 1186 HttpRequest *old_request = http->request;
e166785a 1187 debugs(85, 5, HERE << "'" << http->uri << "' result=" << reply);
de31d06f 1188 assert(redirect_state == REDIRECT_PENDING);
1189 redirect_state = REDIRECT_DONE;
62e76326 1190
cf9f0261 1191 // Put helper response Notes into the transaction state record (ALE) eventually
d06e17ea 1192 // do it early to ensure that no matter what the outcome the notes are present.
75d47340
CT		 1193 if (http->al)
1194 http->al->syncNotes(old_request);
457857fe
CT		 1195
1196 UpdateRequestNotes(http->getConn(), *old_request, reply.notes);
d06e17ea 1197
63fc9fb5 1198 switch (reply.result) {
32fd6d8a
CT		 1199 case Helper::TimedOut:
1200 if (Config.onUrlRewriteTimeout.action != toutActBypass) {
1201 http->calloutsError(ERR_GATEWAY_FAILURE, ERR_DETAIL_REDIRECTOR_TIMEDOUT);
1202 debugs(85, DBG_IMPORTANT, "ERROR: URL rewrite helper: Timedout");
1203 }
1204 break;
1205
2428ce02
AJ		 1206 case Helper::Unknown:
1207 case Helper::TT:
d06e17ea
AJ		 1208 // Handler in redirect.cc should have already mapped Unknown
1209 // IF it contained valid entry for the old URL-rewrite helper protocol
1210 debugs(85, DBG_IMPORTANT, "ERROR: URL rewrite helper returned invalid result code. Wrong helper? " << reply);
1211 break;
1212
2428ce02 1213 case Helper::BrokenHelper:
32fd6d8a 1214 debugs(85, DBG_IMPORTANT, "ERROR: URL rewrite helper: " << reply);
d06e17ea
AJ		 1215 break;
1216
2428ce02 1217 case Helper::Error:
d06e17ea
AJ		 1218 // no change to be done.
1219 break;
62e76326 1220
2428ce02 1221 case Helper::Okay: {
d06e17ea
AJ		 1222 // #1: redirect with a specific status code OK status=NNN url="..."
1223 // #2: redirect with a default status code OK url="..."
1224 // #3: re-write the URL OK rewrite-url="..."
1225
cf9f0261
CT		 1226 const char *statusNote = reply.notes.findFirst("status");
1227 const char *urlNote = reply.notes.findFirst("url");
d06e17ea
AJ		 1228
1229 if (urlNote != NULL) {
1230 // HTTP protocol redirect to be done.
1231
1232 // TODO: change default redirect status for appropriate requests
1233 // Squid defaults to 302 status for now for better compatibility with old clients.
f11c8e2f 1234 // HTTP/1.0 client should get 302 (Http::scFound)
955394ce
AJ		 1235 // HTTP/1.1 client contacting reverse-proxy should get 307 (Http::scTemporaryRedirect)
1236 // HTTP/1.1 client being diverted by forward-proxy should get 303 (Http::scSeeOther)
f11c8e2f 1237 Http::StatusCode status = Http::scFound;
d06e17ea 1238 if (statusNote != NULL) {
cf9f0261 1239 const char * result = statusNote;
955394ce 1240 status = static_cast<Http::StatusCode>(atoi(result));
d06e17ea 1241 }
62e76326 1242
955394ce 1243 if (status == Http::scMovedPermanently
f11c8e2f 1244 || status == Http::scFound
955394ce
AJ		 1245 || status == Http::scSeeOther
1246 || status == Http::scPermanentRedirect
1247 || status == Http::scTemporaryRedirect) {
62e76326 1248 http->redirect.status = status;
cf9f0261 1249 http->redirect.location = xstrdup(urlNote);
e5b677f0 1250 // TODO: validate the URL produced here is RFC 2616 compliant absolute URI
62e76326 1251 } else {
cf9f0261 1252 debugs(85, DBG_CRITICAL, "ERROR: URL-rewrite produces invalid " << status << " redirect Location: " << urlNote);
62e76326 1253 }
d06e17ea
AJ		 1254 } else {
1255 // URL-rewrite wanted. Ew.
cf9f0261 1256 urlNote = reply.notes.findFirst("rewrite-url");
d06e17ea
AJ		 1257
1258 // prevent broken helpers causing too much damage. If old URL == new URL skip the re-write.
cf9f0261 1259 if (urlNote != NULL && strcmp(urlNote, http->uri)) {
c8ab5ec6 1260 AnyP::Uri tmpUrl;
8babada0 1261 if (tmpUrl.parse(old_request->method, urlNote)) {
91489e45
AJ		 1262 HttpRequest *new_request = old_request->clone();
1263 new_request->url = tmpUrl;
851feda6 1264 debugs(61, 2, "URL-rewriter diverts URL from " << old_request->effectiveRequestUri() << " to " << new_request->effectiveRequestUri());
d06e17ea
AJ		 1265
1266 // update the new request to flag the re-writing was done on it
e857372a 1267 new_request->flags.redirected = true;
d06e17ea
AJ		 1268
1269 // unlink bodypipe from the old request. Not needed there any longer.
1270 if (old_request->body_pipe != NULL) {
1271 old_request->body_pipe = NULL;
1272 debugs(61,2, HERE << "URL-rewriter diverts body_pipe " << new_request->body_pipe <<
1273 " from request " << old_request << " to " << new_request);
1274 }
9be14530 1275
bec110e4
EB		 1276 http->resetRequest(new_request);
1277 old_request = nullptr;
d06e17ea
AJ		 1278 } else {
1279 debugs(85, DBG_CRITICAL, "ERROR: URL-rewrite produces invalid request: " <<
cf9f0261 1280 old_request->method << " " << urlNote << " " << old_request->http_ver);
d06e17ea 1281 }
9be14530 1282 }
74b48915 1283 }
edce4d98 1284 }
d06e17ea
AJ		 1285 break;
1286 }
62e76326 1287
edce4d98 1288 /* FIXME PIPELINE: This is innacurate during pipelining */
62e76326 1289
73c36fd9
AJ		 1290 if (http->getConn() != NULL && Comm::IsConnOpen(http->getConn()->clientConnection))
1291 fd_note(http->getConn()->clientConnection->fd, http->uri);
62e76326 1292
c8be6d7b 1293 assert(http->uri);
62e76326 1294
de31d06f 1295 http->doCallouts();
edce4d98 1296}
1297
a8a0b1c2
EC		 1298/**
1299 * This method handles the different replies from StoreID helper.
1300 */
1301void
24438ec5 1302ClientRequestContext::clientStoreIdDone(const Helper::Reply &reply)
a8a0b1c2
EC		 1303{
1304 HttpRequest *old_request = http->request;
1305 debugs(85, 5, "'" << http->uri << "' result=" << reply);
1306 assert(store_id_state == REDIRECT_PENDING);
1307 store_id_state = REDIRECT_DONE;
1308
cf9f0261 1309 // Put helper response Notes into the transaction state record (ALE) eventually
a8a0b1c2 1310 // do it early to ensure that no matter what the outcome the notes are present.
75d47340
CT		 1311 if (http->al)
1312 http->al->syncNotes(old_request);
457857fe
CT		 1313
1314 UpdateRequestNotes(http->getConn(), *old_request, reply.notes);
a8a0b1c2
EC		 1315
1316 switch (reply.result) {
2428ce02
AJ		 1317 case Helper::Unknown:
1318 case Helper::TT:
a8a0b1c2
EC		 1319 // Handler in redirect.cc should have already mapped Unknown
1320 // IF it contained valid entry for the old helper protocol
1321 debugs(85, DBG_IMPORTANT, "ERROR: storeID helper returned invalid result code. Wrong helper? " << reply);
1322 break;
1323
32fd6d8a 1324 case Helper::TimedOut:
f53969cc 1325 // Timeouts for storeID are not implemented
2428ce02 1326 case Helper::BrokenHelper:
32fd6d8a 1327 debugs(85, DBG_IMPORTANT, "ERROR: storeID helper: " << reply);
a8a0b1c2
EC		 1328 break;
1329
2428ce02 1330 case Helper::Error:
a8a0b1c2
EC		 1331 // no change to be done.
1332 break;
1333
2428ce02 1334 case Helper::Okay: {
cf9f0261 1335 const char *urlNote = reply.notes.findFirst("store-id");
a8a0b1c2
EC		 1336
1337 // prevent broken helpers causing too much damage. If old URL == new URL skip the re-write.
cf9f0261 1338 if (urlNote != NULL && strcmp(urlNote, http->uri) ) {
a8a0b1c2 1339 // Debug section required for some very specific cases.
cf9f0261
CT		 1340 debugs(85, 9, "Setting storeID with: " << urlNote );
1341 http->request->store_id = urlNote;
1342 http->store_id = urlNote;
a8a0b1c2
EC		 1343 }
1344 }
1345 break;
1346 }
1347
1348 http->doCallouts();
1349}
1350
b50e327b
AJ		 1351/** Test cache allow/deny configuration
1352 * Sets flags.cachable=1 if caching is not denied.
1353 */
edce4d98 1354void
8e2745f4 1355ClientRequestContext::checkNoCache()
edce4d98 1356{
b50e327b
AJ		 1357 if (Config.accessList.noCache) {
1358 acl_checklist = clientAclChecklistCreate(Config.accessList.noCache, http);
1359 acl_checklist->nonBlockingCheck(checkNoCacheDoneWrapper, this);
1360 } else {
1361 /* unless otherwise specified, we try to cache. */
2efeb0b7 1362 checkNoCacheDone(ACCESS_ALLOWED);
b50e327b 1363 }
edce4d98 1364}
1365
de31d06f 1366static void
2efeb0b7 1367checkNoCacheDoneWrapper(allow_t answer, void *data)
edce4d98 1368{
de31d06f 1369 ClientRequestContext *calloutContext = (ClientRequestContext *) data;
e4a67a80 1370
de31d06f 1371 if (!calloutContext->httpStateIsValid())
1372 return;
1373
1374 calloutContext->checkNoCacheDone(answer);
8e2745f4 1375}
4fb35c3c 1376
8e2745f4 1377void
2efeb0b7 1378ClientRequestContext::checkNoCacheDone(const allow_t &answer)
62e76326 1379{
8e2745f4 1380 acl_checklist = NULL;
06bf5384 1381 if (answer.denied()) {
61beade2
AJ		 1382 http->request->flags.noCache = true; // do not read reply from cache
1383 http->request->flags.cachable = false; // do not store reply into cache
58e1b950 1384 }
de31d06f 1385 http->doCallouts();
edce4d98 1386}
1387
cb4f4424 1388#if USE_OPENSSL
e0c0d54c
CT		 1389bool
1390ClientRequestContext::sslBumpAccessCheck()
1391{
4b5ea8a6
CT		 1392 if (!http->getConn()) {
1393 http->al->ssl.bumpMode = Ssl::bumpEnd; // SslBump does not apply; log -
1394 return false;
1395 }
1396
75f6c253 1397 const Ssl::BumpMode bumpMode = http->getConn()->sslBumpMode;
6b2b6cfe
CT		 1398 if (http->request->flags.forceTunnel) {
1399 debugs(85, 5, "not needed; already decided to tunnel " << http->getConn());
75f6c253
CT		 1400 if (bumpMode != Ssl::bumpEnd)
1401 http->al->ssl.bumpMode = bumpMode; // inherited from bumped connection
6b2b6cfe
CT		 1402 return false;
1403 }
1404
08097970 1405 // If SSL connection tunneling or bumping decision has been made, obey it.
08097970
AR		 1406 if (bumpMode != Ssl::bumpEnd) {
1407 debugs(85, 5, HERE << "SslBump already decided (" << bumpMode <<
1408 "), " << "ignoring ssl_bump for " << http->getConn());
91d7e7c4 1409
e1241cd3
CT		 1410 // We need the following "if" for transparently bumped TLS connection,
1411 // because in this case we are running ssl_bump access list before
1412 // the doCallouts runs. It can be removed after the bug #4340 fixed.
1413 // We do not want to proceed to bumping steps:
1414 // - if the TLS connection with the client is already established
1415 // because we are accepting normal HTTP requests on TLS port,
1416 // or because of the client-first bumping mode
1417 // - When the bumping is already started
1418 if (!http->getConn()->switchedToHttps() &&
91d7e7c4 1419 !http->getConn()->serverBump())
b4049e38 1420 http->sslBumpNeed(bumpMode); // for processRequest() to bump if needed and not already bumped
71cae389 1421 http->al->ssl.bumpMode = bumpMode; // inherited from bumped connection
08097970
AR		 1422 return false;
1423 }
e0c0d54c 1424
08097970
AR		 1425 // If we have not decided yet, decide whether to bump now.
1426
1427 // Bumping here can only start with a CONNECT request on a bumping port
1428 // (bumping of intercepted SSL conns is decided before we get 1st request).
1429 // We also do not bump redirected CONNECT requests.
c2a7cefd 1430 if (http->request->method != Http::METHOD_CONNECT || http->redirect.status ||
6a25a046
FC		 1431 !Config.accessList.ssl_bump ||
1432 !http->getConn()->port->flags.tunnelSslBumping) {
71cae389 1433 http->al->ssl.bumpMode = Ssl::bumpEnd; // SslBump does not apply; log -
08097970 1434 debugs(85, 5, HERE << "cannot SslBump this request");
e0c0d54c
CT		 1435 return false;
1436 }
08097970
AR		 1437
1438 // Do not bump during authentication: clients would not proxy-authenticate
1439 // if we delay a 407 response and respond with 200 OK to CONNECT.
955394ce 1440 if (error && error->httpStatus == Http::scProxyAuthenticationRequired) {
71cae389 1441 http->al->ssl.bumpMode = Ssl::bumpEnd; // SslBump does not apply; log -
08097970
AR		 1442 debugs(85, 5, HERE << "no SslBump during proxy authentication");
1443 return false;
1444 }
1445
93046e07
CT		 1446 if (error) {
1447 debugs(85, 5, "SslBump applies. Force bump action on error " << errorTypeName(error->type));
1448 http->sslBumpNeed(Ssl::bumpBump);
1449 http->al->ssl.bumpMode = Ssl::bumpBump;
1450 return false;
1451 }
1452
08097970
AR		 1453 debugs(85, 5, HERE << "SslBump possible, checking ACL");
1454
eb898410
AJ		 1455 ACLFilledChecklist *aclChecklist = clientAclChecklistCreate(Config.accessList.ssl_bump, http);
1456 aclChecklist->nonBlockingCheck(sslBumpAccessCheckDoneWrapper, this);
08097970 1457 return true;
e0c0d54c
CT		 1458}
1459
f8901ea9 1460/**
e0c0d54c
CT		 1461 * A wrapper function to use the ClientRequestContext::sslBumpAccessCheckDone method
1462 * as ACLFilledChecklist callback
1463 */
1464static void
2efeb0b7 1465sslBumpAccessCheckDoneWrapper(allow_t answer, void *data)
e0c0d54c
CT		 1466{
1467 ClientRequestContext *calloutContext = static_cast<ClientRequestContext *>(data);
9d5e7196
AJ		 1468
1469 if (!calloutContext->httpStateIsValid())
1470 return;
ed6163ef 1471 calloutContext->sslBumpAccessCheckDone(answer);
e0c0d54c
CT		 1472}
1473
1474void
ed6163ef 1475ClientRequestContext::sslBumpAccessCheckDone(const allow_t &answer)
e0c0d54c 1476{
ed6163ef
AJ		 1477 if (!httpStateIsValid())
1478 return;
1479
06bf5384 1480 const Ssl::BumpMode bumpMode = answer.allowed() ?
bf352fb2 1481 static_cast<Ssl::BumpMode>(answer.kind) : Ssl::bumpSplice;
08097970 1482 http->sslBumpNeed(bumpMode); // for processRequest() to bump if needed
71cae389 1483 http->al->ssl.bumpMode = bumpMode; // for logging
caf3666d 1484
bf352fb2
CT		 1485 if (bumpMode == Ssl::bumpTerminate) {
1486 const Comm::ConnectionPointer clientConn = http->getConn() ? http->getConn()->clientConnection : nullptr;
1487 if (Comm::IsConnOpen(clientConn)) {
1488 debugs(85, 3, "closing after Ssl::bumpTerminate ");
1489 clientConn->close();
1490 }
1491 return;
1492 }
1493
e0c0d54c
CT		 1494 http->doCallouts();
1495}
1496#endif
1497
69660be0 1498/*
1499 * Identify requests that do not go through the store and client side stream
1500 * and forward them to the appropriate location. All other requests, request
1501 * them.
edce4d98 1502 */
1503void
8e2745f4 1504ClientHttpRequest::processRequest()
edce4d98 1505{
7f06a3d8 1506 debugs(85, 4, request->method << ' ' << uri);
62e76326 1507
6b2b6cfe
CT		 1508 const bool untouchedConnect = request->method == Http::METHOD_CONNECT && !redirect.status;
1509
cb4f4424 1510#if USE_OPENSSL
6b2b6cfe
CT		 1511 if (untouchedConnect && sslBumpNeeded()) {
1512 assert(!request->flags.forceTunnel);
1513 sslBumpStart();
1514 return;
1515 }
3712be3f 1516#endif
6b2b6cfe
CT		 1517
1518 if (untouchedConnect || request->flags.forceTunnel) {
f84dd7eb 1519 getConn()->stopReading(); // tunnels read for themselves
ac9f46af 1520 tunnelStart(this);
62e76326 1521 return;
edce4d98 1522 }
62e76326 1523
8e2745f4 1524 httpStart();
1525}
1526
1527void
1528ClientHttpRequest::httpStart()
1529{
559da936 1530 PROF_start(httpStart);
d2a6dcba
EB		 1531 // XXX: Re-initializes rather than updates. Should not be needed at all.
1532 logType.update(LOG_TAG_NONE);
91369933 1533 debugs(85, 4, logType.c_str() << " for '" << uri << "'");
bf8fe701 1534
edce4d98 1535 /* no one should have touched this */
8e2745f4 1536 assert(out.offset == 0);
edce4d98 1537 /* Use the Stream Luke */
8e2745f4 1538 clientStreamNode *node = (clientStreamNode *)client_stream.tail->data;
1539 clientStreamRead(node, this, node->readBuffer);
559da936 1540 PROF_stop(httpStart);
edce4d98 1541}
0655fa4d 1542
cb4f4424 1543#if USE_OPENSSL
3712be3f 1544
e0c0d54c 1545void
08097970 1546ClientHttpRequest::sslBumpNeed(Ssl::BumpMode mode)
e0c0d54c 1547{
caf3666d 1548 debugs(83, 3, HERE << "sslBump required: "<< Ssl::bumpMode(mode));
08097970 1549 sslBumpNeed_ = mode;
3712be3f 1550}
1551
1552// called when comm_write has completed
1553static void
c8407295 1554SslBumpEstablish(const Comm::ConnectionPointer &, char *, size_t, Comm::Flag errflag, int, void *data)
3712be3f 1555{
1556 ClientHttpRequest *r = static_cast<ClientHttpRequest*>(data);
1557 debugs(85, 5, HERE << "responded to CONNECT: " << r << " ? " << errflag);
1558
1559 assert(r && cbdataReferenceValid(r));
1560 r->sslBumpEstablish(errflag);
1561}
1562
1563void
c8407295 1564ClientHttpRequest::sslBumpEstablish(Comm::Flag errflag)
3712be3f 1565{
c8407295
AJ		 1566 // Bail out quickly on Comm::ERR_CLOSING - close handlers will tidy up
1567 if (errflag == Comm::ERR_CLOSING)
3712be3f 1568 return;
1569
1570 if (errflag) {
1fa35be8 1571 debugs(85, 3, HERE << "CONNECT response failure in SslBump: " << errflag);
bbc83914 1572 getConn()->clientConnection->close();
3712be3f 1573 return;
1574 }
1575
40d8be97
AR		 1576 // We lack HttpReply which logRequest() uses to log the status code.
1577 // TODO: Use HttpReply instead of the "200 Connection established" string.
71cae389 1578 al->http.code = 200;
40d8be97 1579
21512911
CT		 1580#if USE_AUTH
1581 // Preserve authentication info for the ssl-bumped request
1582 if (request->auth_user_request != NULL)
cc1e110a 1583 getConn()->setAuth(request->auth_user_request, "SSL-bumped CONNECT");
21512911 1584#endif
03f00a11 1585
08097970
AR		 1586 assert(sslBumpNeeded());
1587 getConn()->switchToHttps(request, sslBumpNeed_);
3712be3f 1588}
1589
1590void
1591ClientHttpRequest::sslBumpStart()
1592{
08097970
AR		 1593 debugs(85, 5, HERE << "Confirming " << Ssl::bumpMode(sslBumpNeed_) <<
1594 "-bumped CONNECT tunnel on FD " << getConn()->clientConnection);
1595 getConn()->sslBumpMode = sslBumpNeed_;
3712be3f 1596
9e104535 1597 AsyncCall::Pointer bumpCall = commCbCall(85, 5, "ClientSocketContext::sslBumpEstablish",
f53969cc 1598 CommIoCbPtrFun(&SslBumpEstablish, this));
9e104535
CT		 1599
1600 if (request->flags.interceptTproxy || request->flags.intercepted) {
1601 CommIoCbParams &params = GetCommParams<CommIoCbParams>(bumpCall);
1602 params.flag = Comm::OK;
1603 params.conn = getConn()->clientConnection;
1604 ScheduleCallHere(bumpCall);
1605 return;
1606 }
1607
08097970 1608 // send an HTTP 200 response to kick client SSL negotiation
3712be3f 1609 // TODO: Unify with tunnel.cc and add a Server(?) header
b0388924 1610 static const char *const conn_established = "HTTP/1.1 200 Connection established\r\n\r\n";
9e104535 1611 Comm::Write(getConn()->clientConnection, conn_established, strlen(conn_established), bumpCall, NULL);
3712be3f 1612}
1613
1614#endif
1615
0655fa4d 1616bool
1617ClientHttpRequest::gotEnough() const
1618{
86a2f789 1619 /** TODO: should be querying the stream. */
7173d5b0 1620 int64_t contentLength =
06a5ae20 1621 memObject()->getReply()->bodySize(request->method);
0655fa4d 1622 assert(contentLength >= 0);
1623
1624 if (out.offset < contentLength)
1625 return false;
1626
1627 return true;
1628}
1629
86a2f789 1630void
1631ClientHttpRequest::storeEntry(StoreEntry *newEntry)
1632{
1633 entry_ = newEntry;
1634}
1635
0976f8db 1636void
1637ClientHttpRequest::loggingEntry(StoreEntry *newEntry)
1638{
1639 if (loggingEntry_)
1bfe9ade 1640 loggingEntry_->unlock("ClientHttpRequest::loggingEntry");
0976f8db 1641
1642 loggingEntry_ = newEntry;
1643
1644 if (loggingEntry_)
1bfe9ade 1645 loggingEntry_->lock("ClientHttpRequest::loggingEntry");
0976f8db 1646}
86a2f789 1647
bec110e4
EB		 1648void
1649ClientHttpRequest::initRequest(HttpRequest *aRequest)
1650{
1651 assignRequest(aRequest);
1652 if (const auto csd = getConn()) {
1653 if (!csd->notes()->empty())
1654 request->notes()->appendNewOnly(csd->notes().getRaw());
1655 }
1656 // al is created in the constructor
1657 assert(al);
1658 if (!al->request) {
1659 al->request = request;
1660 HTTPMSGLOCK(al->request);
1661 al->syncNotes(request);
1662 }
1663}
1664
1665void
1666ClientHttpRequest::resetRequest(HttpRequest *newRequest)
1667{
1668 assert(request != newRequest);
1669 clearRequest();
1670 assignRequest(newRequest);
1671 xfree(uri);
1672 uri = SBufToCstring(request->effectiveRequestUri());
1673}
1674
1675void
1676ClientHttpRequest::assignRequest(HttpRequest *newRequest)
1677{
1678 assert(newRequest);
1679 assert(!request);
1680 const_cast<HttpRequest *&>(request) = newRequest;
1681 HTTPMSGLOCK(request);
1682 setLogUriToRequestUri();
1683}
1684
1685void
1686ClientHttpRequest::clearRequest()
1687{
1688 HttpRequest *oldRequest = request;
1689 HTTPMSGUNLOCK(oldRequest);
1690 const_cast<HttpRequest *&>(request) = nullptr;
1691 absorbLogUri(nullptr);
1692}
1693
de31d06f 1694/*
1695 * doCallouts() - This function controls the order of "callout"
1696 * executions, including non-blocking access control checks, the
1697 * redirector, and ICAP. Previously, these callouts were chained
1698 * together such that "clientAccessCheckDone()" would call
1699 * "clientRedirectStart()" and so on.
1700 *
1701 * The ClientRequestContext (aka calloutContext) class holds certain
1702 * state data for the callout/callback operations. Previously
1703 * ClientHttpRequest would sort of hand off control to ClientRequestContext
1704 * for a short time. ClientRequestContext would then delete itself
1705 * and pass control back to ClientHttpRequest when all callouts
1706 * were finished.
1707 *
1708 * This caused some problems for ICAP because we want to make the
1709 * ICAP callout after checking ACLs, but before checking the no_cache
1710 * list. We can't stuff the ICAP state into the ClientRequestContext
1711 * class because we still need the ICAP state after ClientRequestContext
1712 * goes away.
1713 *
1714 * Note that ClientRequestContext is created before the first call
1715 * to doCallouts().
1716 *
1717 * If one of the callouts notices that ClientHttpRequest is no
1718 * longer valid, it should call cbdataReferenceDone() so that
1719 * ClientHttpRequest's reference count goes to zero and it will get
1720 * deleted. ClientHttpRequest will then delete ClientRequestContext.
1721 *
1722 * Note that we set the _done flags here before actually starting
1723 * the callout. This is strictly for convenience.
1724 */
1725
82afb125 1726tos_t aclMapTOS (acl_tos * head, ACLChecklist * ch);
244da4ad 1727Ip::NfMarkConfig aclFindNfMarkConfig (acl_nfmark * head, ACLChecklist * ch);
057f5854 1728
de31d06f 1729void
1730ClientHttpRequest::doCallouts()
1731{
1732 assert(calloutContext);
1733
38450a50 1734 if (!calloutContext->error) {
87f237a9 1735 // CVE-2009-0801: verify the Host: header is consistent with other known details.
38450a50
CT		 1736 if (!calloutContext->host_header_verify_done) {
1737 debugs(83, 3, HERE << "Doing calloutContext->hostHeaderVerify()");
1738 calloutContext->host_header_verify_done = true;
1739 calloutContext->hostHeaderVerify();
1740 return;
1741 }
fe97983f 1742
38450a50
CT		 1743 if (!calloutContext->http_access_done) {
1744 debugs(83, 3, HERE << "Doing calloutContext->clientAccessCheck()");
1745 calloutContext->http_access_done = true;
1746 calloutContext->clientAccessCheck();
1747 return;
1748 }
de31d06f 1749
a83c6ed6 1750#if USE_ADAPTATION
38450a50
CT		 1751 if (!calloutContext->adaptation_acl_check_done) {
1752 calloutContext->adaptation_acl_check_done = true;
1753 if (Adaptation::AccessCheck::Start(
87f237a9 1754 Adaptation::methodReqmod, Adaptation::pointPreCache,
af0ded40 1755 request, NULL, calloutContext->http->al, this))
38450a50
CT		 1756 return; // will call callback
1757 }
de31d06f 1758#endif
1759
38450a50
CT		 1760 if (!calloutContext->redirect_done) {
1761 calloutContext->redirect_done = true;
de31d06f 1762
38450a50
CT		 1763 if (Config.Program.redirect) {
1764 debugs(83, 3, HERE << "Doing calloutContext->clientRedirectStart()");
1765 calloutContext->redirect_state = REDIRECT_PENDING;
1766 calloutContext->clientRedirectStart();
1767 return;
1768 }
de31d06f 1769 }
de31d06f 1770
38450a50
CT		 1771 if (!calloutContext->adapted_http_access_done) {
1772 debugs(83, 3, HERE << "Doing calloutContext->clientAccessCheck2()");
1773 calloutContext->adapted_http_access_done = true;
1774 calloutContext->clientAccessCheck2();
1775 return;
1776 }
533493da 1777
a8a0b1c2
EC		 1778 if (!calloutContext->store_id_done) {
1779 calloutContext->store_id_done = true;
a8a0b1c2
EC		 1780
1781 if (Config.Program.store_id) {
1782 debugs(83, 3,"Doing calloutContext->clientStoreIdStart()");
1783 calloutContext->store_id_state = REDIRECT_PENDING;
1784 calloutContext->clientStoreIdStart();
1785 return;
1786 }
1787 }
1788
38450a50
CT		 1789 if (!calloutContext->interpreted_req_hdrs) {
1790 debugs(83, 3, HERE << "Doing clientInterpretRequestHeaders()");
1791 calloutContext->interpreted_req_hdrs = 1;
1792 clientInterpretRequestHeaders(this);
1793 }
57abaac0 1794
38450a50
CT		 1795 if (!calloutContext->no_cache_done) {
1796 calloutContext->no_cache_done = true;
de31d06f 1797
45e5102d 1798 if (Config.accessList.noCache && request->flags.cachable) {
38450a50
CT		 1799 debugs(83, 3, HERE << "Doing calloutContext->checkNoCache()");
1800 calloutContext->checkNoCache();
1801 return;
1802 }
de31d06f 1803 }
38450a50 1804 } // if !calloutContext->error
de31d06f 1805
244da4ad
AG		 1806 // Set appropriate MARKs and CONNMARKs if needed.
1807 if (getConn() && Comm::IsConnOpen(getConn()->clientConnection)) {
1808 ACLFilledChecklist ch(nullptr, request, nullptr);
cb365059 1809 ch.al = calloutContext->http->al;
244da4ad
AG		 1810 ch.src_addr = request->client_addr;
1811 ch.my_addr = request->my_addr;
cb365059 1812 ch.syncAle(request, log_uri);
244da4ad
AG		 1813
1814 if (!calloutContext->toClientMarkingDone) {
1815 calloutContext->toClientMarkingDone = true;
425de4c8 1816 tos_t tos = aclMapTOS(Ip::Qos::TheConfig.tosToClient, &ch);
3712be3f 1817 if (tos)
73c36fd9 1818 Ip::Qos::setSockTos(getConn()->clientConnection, tos);
425de4c8 1819
244da4ad
AG		 1820 const auto packetMark = aclFindNfMarkConfig(Ip::Qos::TheConfig.nfmarkToClient, &ch);
1821 if (!packetMark.isEmpty())
1822 Ip::Qos::setSockNfmark(getConn()->clientConnection, packetMark.mark);
1823
1824 const auto connmark = aclFindNfMarkConfig(Ip::Qos::TheConfig.nfConnmarkToClient, &ch);
1825 if (!connmark.isEmpty())
1826 Ip::Qos::setNfConnmark(getConn()->clientConnection, Ip::Qos::dirAccepted, connmark);
3712be3f 1827 }
057f5854 1828 }
1829
cb4f4424 1830#if USE_OPENSSL
93046e07
CT		 1831 // Even with calloutContext->error, we call sslBumpAccessCheck() to decide
1832 // whether SslBump applies to this transaction. If it applies, we will
1833 // attempt to bump the client to serve the error.
e0c0d54c
CT		 1834 if (!calloutContext->sslBumpCheckDone) {
1835 calloutContext->sslBumpCheckDone = true;
1836 if (calloutContext->sslBumpAccessCheck())
1837 return;
1838 /* else no ssl bump required*/
1839 }
d2565320 1840#endif
e0c0d54c 1841
2bd84e5f 1842 if (calloutContext->error) {
851feda6 1843 // XXX: prformance regression. c_str() reallocates
81e019a0
AR		 1844 SBuf storeUriBuf(request->storeId());
1845 const char *storeUri = storeUriBuf.c_str();
1846 StoreEntry *e = storeCreateEntry(storeUri, storeUri, request->flags, request->method);
cb4f4424 1847#if USE_OPENSSL
08097970 1848 if (sslBumpNeeded()) {
9e104535
CT		 1849 // We have to serve an error, so bump the client first.
1850 sslBumpNeed(Ssl::bumpClientFirst);
2bd84e5f 1851 // set final error but delay sending until we bump
6b2b6cfe 1852 Ssl::ServerBump *srvBump = new Ssl::ServerBump(request, e, Ssl::bumpClientFirst);
2bd84e5f
CT		 1853 errorAppendEntry(e, calloutContext->error);
1854 calloutContext->error = NULL;
1855 getConn()->setServerBump(srvBump);
1bfe9ade 1856 e->unlock("ClientHttpRequest::doCallouts+sslBumpNeeded");
87f237a9 1857 } else
2bd84e5f
CT		 1858#endif
1859 {
7a957a93 1860 // send the error to the client now
2bd84e5f
CT		 1861 clientStreamNode *node = (clientStreamNode *)client_stream.tail->prev->data;
1862 clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw());
1863 assert (repContext);
f0baf149 1864 repContext->setReplyToStoreEntry(e, "immediate SslBump error");
2bd84e5f
CT		 1865 errorAppendEntry(e, calloutContext->error);
1866 calloutContext->error = NULL;
c3760363 1867 if (calloutContext->readNextRequest && getConn())
2bd84e5f
CT		 1868 getConn()->flags.readMore = true; // resume any pipeline reads.
1869 node = (clientStreamNode *)client_stream.tail->data;
1870 clientStreamRead(node, this, node->readBuffer);
1bfe9ade 1871 e->unlock("ClientHttpRequest::doCallouts-sslBumpNeeded");
2bd84e5f
CT		 1872 return;
1873 }
1874 }
1875
de31d06f 1876 cbdataReferenceDone(calloutContext->http);
1877 delete calloutContext;
1878 calloutContext = NULL;
de31d06f 1879#if HEADERS_LOG
1880
1881 headersLog(0, 1, request->method, request);
1882#endif
1883
58d7150d 1884 debugs(83, 3, HERE << "calling processRequest()");
de31d06f 1885 processRequest();
3ff65596
AR		 1886
1887#if ICAP_CLIENT
1888 Adaptation::Icap::History::Pointer ih = request->icapHistory();
1889 if (ih != NULL)
1890 ih->logType = logType;
1891#endif
de31d06f 1892}
1893
bec110e4
EB		 1894void
1895ClientHttpRequest::setLogUriToRequestUri()
1896{
1897 assert(request);
1898 const auto canonicalUri = request->canonicalCleanUrl();
1899 absorbLogUri(xstrndup(canonicalUri, MAX_URL));
1900}
1901
1902void
1903ClientHttpRequest::setLogUriToRawUri(const char *rawUri, const HttpRequestMethod &method)
1904{
1905 assert(rawUri);
1906 // Should(!request);
1907
1908 // TODO: SBuf() performance regression, fix by converting rawUri to SBuf
1909 char *canonicalUri = urlCanonicalCleanWithoutRequest(SBuf(rawUri), method, AnyP::UriScheme());
1910
1911 absorbLogUri(AnyP::Uri::cleanup(canonicalUri));
1912
1913 char *cleanedRawUri = AnyP::Uri::cleanup(rawUri);
1914 al->setVirginUrlForMissingRequest(SBuf(cleanedRawUri));
1915 xfree(cleanedRawUri);
1916}
1917
1918void
1919ClientHttpRequest::absorbLogUri(char *aUri)
1920{
1921 xfree(log_uri);
1922 const_cast<char *&>(log_uri) = aUri;
1923}
1924
1925void
1926ClientHttpRequest::setErrorUri(const char *aUri)
1927{
1928 assert(!uri);
1929 assert(aUri);
1930 // Should(!request);
1931
1932 uri = xstrdup(aUri);
1933 // TODO: SBuf() performance regression, fix by converting setErrorUri() parameter to SBuf
1934 const SBuf errorUri(aUri);
1935 const auto canonicalUri = urlCanonicalCleanWithoutRequest(errorUri, HttpRequestMethod(), AnyP::UriScheme());
1936 absorbLogUri(xstrndup(canonicalUri, MAX_URL));
1937
1938 al->setVirginUrlForMissingRequest(errorUri);
1939}
1940
a83c6ed6 1941#if USE_ADAPTATION
a22e6cd3
AR		 1942/// Initiate an asynchronous adaptation transaction which will call us back.
1943void
1944ClientHttpRequest::startAdaptation(const Adaptation::ServiceGroupPointer &g)
3b299123 1945{
a22e6cd3 1946 debugs(85, 3, HERE << "adaptation needed for " << this);
a83c6ed6
AR		 1947 assert(!virginHeadSource);
1948 assert(!adaptedBodySource);
a22e6cd3 1949 virginHeadSource = initiateAdaptation(
af0ded40 1950 new Adaptation::Iterator(request, NULL, al, g));
a83c6ed6 1951
e1381638 1952 // we could try to guess whether we can bypass this adaptation
a22e6cd3 1953 // initiation failure, but it should not really happen
4299f876 1954 Must(initiated(virginHeadSource));
de31d06f 1955}
1956
1957void
3af10ac0 1958ClientHttpRequest::noteAdaptationAnswer(const Adaptation::Answer &answer)
de31d06f 1959{
f53969cc 1960 assert(cbdataReferenceValid(this)); // indicates bug
3af10ac0
AR		 1961 clearAdaptation(virginHeadSource);
1962 assert(!adaptedBodySource);
1963
1964 switch (answer.kind) {
1965 case Adaptation::Answer::akForward:
63df1d28 1966 handleAdaptedHeader(const_cast<Http::Message*>(answer.message.getRaw()));
3af10ac0
AR		 1967 break;
1968
1969 case Adaptation::Answer::akBlock:
1970 handleAdaptationBlock(answer);
1971 break;
1972
1973 case Adaptation::Answer::akError:
1974 handleAdaptationFailure(ERR_DETAIL_CLT_REQMOD_ABORT, !answer.final);
1975 break;
1976 }
1977}
1978
1979void
63df1d28 1980ClientHttpRequest::handleAdaptedHeader(Http::Message *msg)
3af10ac0 1981{
5f8252d2 1982 assert(msg);
1983
b044675d 1984 if (HttpRequest *new_req = dynamic_cast<HttpRequest*>(msg)) {
11f62bfb 1985 // update the new message to flag whether URL re-writing was done on it
bec110e4
EB		 1986 if (request->effectiveRequestUri() != new_req->effectiveRequestUri())
1987 new_req->flags.redirected = true;
1988 resetRequest(new_req);
914b89a2 1989 assert(request->method.id());
b044675d 1990 } else if (HttpReply *new_rep = dynamic_cast<HttpReply*>(msg)) {
1991 debugs(85,3,HERE << "REQMOD reply is HTTP reply");
1992
5f8252d2 1993 // subscribe to receive reply body
1994 if (new_rep->body_pipe != NULL) {
a83c6ed6 1995 adaptedBodySource = new_rep->body_pipe;
d222a56c
HN		 1996 int consumer_ok = adaptedBodySource->setConsumerIfNotLate(this);
1997 assert(consumer_ok);
5f8252d2 1998 }
1999
b044675d 2000 clientStreamNode *node = (clientStreamNode *)client_stream.tail->prev->data;
2001 clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw());
ea25a575 2002 assert(repContext);
b044675d 2003 repContext->createStoreEntry(request->method, request->flags);
2004
b044675d 2005 request_satisfaction_mode = true;
2006 request_satisfaction_offset = 0;
2007 storeEntry()->replaceHttpReply(new_rep);
97ae5196 2008 storeEntry()->timestampsSet();
cb4c4288 2009
a83c6ed6 2010 if (!adaptedBodySource) // no body
cb4c4288 2011 storeEntry()->complete();
b044675d 2012 clientGetMoreData(node, this);
200ac359 2013 }
de31d06f 2014
5f8252d2 2015 // we are done with getting headers (but may be receiving body)
a83c6ed6 2016 clearAdaptation(virginHeadSource);
5f8252d2 2017
b044675d 2018 if (!request_satisfaction_mode)
2019 doCallouts();
de31d06f 2020}
2021
2022void
3af10ac0 2023ClientHttpRequest::handleAdaptationBlock(const Adaptation::Answer &answer)
de31d06f 2024{
3af10ac0
AR		 2025 request->detailError(ERR_ACCESS_DENIED, ERR_DETAIL_REQMOD_BLOCK);
2026 AclMatchedName = answer.ruleId.termedBuf();
2027 assert(calloutContext);
2028 calloutContext->clientAccessCheckDone(ACCESS_DENIED);
2029 AclMatchedName = NULL;
de31d06f 2030}
2031
0ad2b63b
CT		 2032void
2033ClientHttpRequest::resumeBodyStorage()
2034{
e83cdc25 2035 if (!adaptedBodySource)
0ad2b63b
CT		 2036 return;
2037
2038 noteMoreBodyDataAvailable(adaptedBodySource);
2039}
2040
de31d06f 2041void
1cf238db 2042ClientHttpRequest::noteMoreBodyDataAvailable(BodyPipe::Pointer)
de31d06f 2043{
5f8252d2 2044 assert(request_satisfaction_mode);
a83c6ed6 2045 assert(adaptedBodySource != NULL);
5f8252d2 2046
0ad2b63b 2047 if (size_t contentSize = adaptedBodySource->buf().contentSize()) {
4dc2b072 2048 const size_t spaceAvailable = storeEntry()->bytesWanted(Range<size_t>(0,contentSize));
0ad2b63b
CT		 2049
2050 if (spaceAvailable < contentSize ) {
2051 // No or partial body data consuming
2052 typedef NullaryMemFunT<ClientHttpRequest> Dialer;
2053 AsyncCall::Pointer call = asyncCall(93, 5, "ClientHttpRequest::resumeBodyStorage",
2054 Dialer(this, &ClientHttpRequest::resumeBodyStorage));
2055 storeEntry()->deferProducer(call);
2056 }
2057
4dc2b072 2058 if (!spaceAvailable)
0ad2b63b
CT		 2059 return;
2060
2061 if (spaceAvailable < contentSize )
2062 contentSize = spaceAvailable;
2063
a83c6ed6 2064 BodyPipeCheckout bpc(*adaptedBodySource);
0ad2b63b 2065 const StoreIOBuffer ioBuf(&bpc.buf, request_satisfaction_offset, contentSize);
5f8252d2 2066 storeEntry()->write(ioBuf);
0ad2b63b
CT		 2067 // assume StoreEntry::write() writes the entire ioBuf
2068 request_satisfaction_offset += ioBuf.length;
4ce0e99b 2069 bpc.buf.consume(contentSize);
5f8252d2 2070 bpc.checkIn();
2071 }
2072
a83c6ed6 2073 if (adaptedBodySource->exhausted())
5f8252d2 2074 endRequestSatisfaction();
2075 // else wait for more body data
de31d06f 2076}
2077
2078void
1cf238db 2079ClientHttpRequest::noteBodyProductionEnded(BodyPipe::Pointer)
de31d06f 2080{
a83c6ed6 2081 assert(!virginHeadSource);
0ad2b63b
CT		 2082 // should we end request satisfaction now?
2083 if (adaptedBodySource != NULL && adaptedBodySource->exhausted())
5f8252d2 2084 endRequestSatisfaction();
5f8252d2 2085}
3b299123 2086
5f8252d2 2087void
26ac0430
AJ		 2088ClientHttpRequest::endRequestSatisfaction()
2089{
5f8252d2 2090 debugs(85,4, HERE << this << " ends request satisfaction");
2091 assert(request_satisfaction_mode);
a83c6ed6 2092 stopConsumingFrom(adaptedBodySource);
3b299123 2093
5f8252d2 2094 // TODO: anything else needed to end store entry formation correctly?
2095 storeEntry()->complete();
2096}
de31d06f 2097
5f8252d2 2098void
1cf238db 2099ClientHttpRequest::noteBodyProducerAborted(BodyPipe::Pointer)
5f8252d2 2100{
a83c6ed6
AR		 2101 assert(!virginHeadSource);
2102 stopConsumingFrom(adaptedBodySource);
eae3a9a6
AR		 2103
2104 debugs(85,3, HERE << "REQMOD body production failed");
2105 if (request_satisfaction_mode) { // too late to recover or serve an error
2106 request->detailError(ERR_ICAP_FAILURE, ERR_DETAIL_CLT_REQMOD_RESP_BODY);
73c36fd9 2107 const Comm::ConnectionPointer c = getConn()->clientConnection;
e7cea0ed
AJ		 2108 Must(Comm::IsConnOpen(c));
2109 c->close(); // drastic, but we may be writing a response already
eae3a9a6
AR		 2110 } else {
2111 handleAdaptationFailure(ERR_DETAIL_CLT_REQMOD_REQ_BODY);
2112 }
5f8252d2 2113}
3b299123 2114
5f8252d2 2115void
64b66b76 2116ClientHttpRequest::handleAdaptationFailure(int errDetail, bool bypassable)
5f8252d2 2117{
a83c6ed6 2118 debugs(85,3, HERE << "handleAdaptationFailure(" << bypassable << ")");
3b299123 2119
5f8252d2 2120 const bool usedStore = storeEntry() && !storeEntry()->isEmpty();
2121 const bool usedPipe = request->body_pipe != NULL &&
26ac0430 2122 request->body_pipe->consumedSize() > 0;
3b299123 2123
9d4d7c5e 2124 if (bypassable && !usedStore && !usedPipe) {
2125 debugs(85,3, HERE << "ICAP REQMOD callout failed, bypassing: " << calloutContext);
5f8252d2 2126 if (calloutContext)
2127 doCallouts();
2128 return;
2129 }
3b299123 2130
5f8252d2 2131 debugs(85,3, HERE << "ICAP REQMOD callout failed, responding with error");
3b299123 2132
5f8252d2 2133 clientStreamNode *node = (clientStreamNode *)client_stream.tail->prev->data;
2134 clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw());
2135 assert(repContext);
de31d06f 2136
32fd6d8a
CT		 2137 calloutsError(ERR_ICAP_FAILURE, errDetail);
2138
2139 if (calloutContext)
2140 doCallouts();
2141}
2142
9d52ba11
CT		 2143void
2144ClientHttpRequest::callException(const std::exception &ex)
2145{
2146 if (const auto clientConn = getConn() ? getConn()->clientConnection : nullptr) {
2147 if (Comm::IsConnOpen(clientConn)) {
2148 debugs(85, 3, "closing after exception: " << ex.what());
2149 clientConn->close(); // initiate orderly top-to-bottom cleanup
2150 return;
2151 }
2152 }
2153 debugs(85, DBG_IMPORTANT, "ClientHttpRequest exception without connection. Ignoring " << ex.what());
2154 // XXX: Normally, we mustStop() but we cannot do that here because it is
2155 // likely to leave Http::Stream and ConnStateData with a dangling http
2156 // pointer. See r13480 or XXX in Http::Stream class description.
2157}
5f1d7e48
CT		 2158#endif
2159
32fd6d8a
CT		 2160// XXX: modify and use with ClientRequestContext::clientAccessCheckDone too.
2161void
2162ClientHttpRequest::calloutsError(const err_type error, const int errDetail)
2163{
26ac0430 2164 // The original author of the code also wanted to pass an errno to
5f8252d2 2165 // setReplyToError, but it seems unlikely that the errno reflects the
2166 // true cause of the error at this point, so I did not pass it.
2bd84e5f
CT		 2167 if (calloutContext) {
2168 Ip::Address noAddr;
4dd643d5 2169 noAddr.setNoAddr();
2bd84e5f 2170 ConnStateData * c = getConn();
32fd6d8a 2171 calloutContext->error = clientBuildError(error, Http::scInternalServerError,
87f237a9
A		 2172 NULL,
2173 c != NULL ? c->clientConnection->remote : noAddr,
7e6eabbc
CT		 2174 request,
2175 al
87f237a9 2176 );
79fc6915 2177#if USE_AUTH
87f237a9 2178 calloutContext->error->auth_user_request =
cc1e110a 2179 c != NULL && c->getAuth() != NULL ? c->getAuth() : request->auth_user_request;
79fc6915 2180#endif
129fe2a1 2181 calloutContext->error->detailError(errDetail);
2bd84e5f 2182 calloutContext->readNextRequest = true;
7830d88a
FC		 2183 if (c != NULL)
2184 c->expectNoForwarding();
2bd84e5f
CT		 2185 }
2186 //else if(calloutContext == NULL) is it possible?
de31d06f 2187}
2188
Mirror of https://github.com/squid-cache/squid.git