2 * Copyright (C) 1996-2016 The Squid Software Foundation and contributors
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
9 /* DEBUG: section 33 Client-side Routines */
11 #ifndef SQUID_CLIENTSIDE_H
12 #define SQUID_CLIENTSIDE_H
14 #include "base/RunnersRegistry.h"
15 #include "clientStreamForward.h"
17 #include "helper/forward.h"
18 #include "http/forward.h"
19 #include "HttpControlMsg.h"
20 #include "ipc/FdNotes.h"
21 #include "sbuf/SBuf.h"
22 #include "servers/Server.h"
24 #include "auth/UserRequest.h"
27 #include "ssl/support.h"
30 class ClientHttpRequest
;
31 class HttpHdrRangeSpec
;
41 * Legacy Server code managing a connection to a client.
43 * NP: presents AsyncJob API but does not operate autonomously as a Job.
44 * So Must() is not safe to use.
46 * Multiple requests (up to pipeline_prefetch) can be pipelined.
47 * This object is responsible for managing which one is currently being
48 * fulfilled and what happens to the queue if the current one causes the client
49 * connection to be closed early.
51 * Act as a manager for the client connection and passes data in buffer to a
52 * Parser relevant to the state (message headers vs body) that is being
55 * Performs HTTP message processing to kick off the actual HTTP request
56 * handling objects (Http::Stream, ClientHttpRequest, HttpRequest).
58 * Performs SSL-Bump processing for switching between HTTP and HTTPS protocols.
60 * To terminate a ConnStateData close() the client Comm::Connection it is
61 * managing, or for graceful half-close use the stopReceiving() or
62 * stopSending() methods.
64 class ConnStateData
: public Server
, public HttpControlMsgSink
, public RegisteredRunner
68 explicit ConnStateData(const MasterXaction::Pointer
&xact
);
69 virtual ~ConnStateData();
72 virtual void receivedFirstByte();
73 virtual bool handleReadData();
74 virtual void afterClientRead();
75 virtual void afterClientWrite(size_t);
77 /* HttpControlMsgSink API */
78 virtual void sendControlMsg(HttpControlMsg
);
81 bool clientParseRequests();
82 void readNextRequest();
84 /// try to make progress on a transaction or read more I/O
87 virtual bool isOpen() const;
89 Http1::TeChunkedParser
*bodyParser
; ///< parses HTTP/1.1 chunked request body
91 /** number of body bytes we need to comm_read for the "current" request
93 * \retval 0 We do not need to read any [more] body bytes
94 * \retval negative May need more but do not know how many; could be zero!
95 * \retval positive Need to read exactly that many more body bytes
97 int64_t mayNeedToReadMoreBody() const;
101 * Fetch the user details for connection based authentication
102 * NOTE: this is ONLY connection based because NTLM and Negotiate is against HTTP spec.
104 const Auth::UserRequest::Pointer
&getAuth() const { return auth_
; }
107 * Set the user details for connection-based authentication to use from now until connection closure.
109 * Any change to existing credentials shows that something invalid has happened. Such as:
110 * - NTLM/Negotiate auth was violated by the per-request headers missing a revalidation token
111 * - NTLM/Negotiate auth was violated by the per-request headers being for another user
112 * - SSL-Bump CONNECT tunnel with persistent credentials has ended
114 void setAuth(const Auth::UserRequest::Pointer
&aur
, const char *cause
);
117 Ip::Address log_addr
;
120 bool readMore
; ///< needs comm_read (for this request or new requests)
121 bool swanSang
; // XXX: temporary flag to check proper cleanup
124 Comm::ConnectionPointer serverConnection
; /* pinned server side connection */
125 char *host
; /* host name of pinned connection */
126 int port
; /* port of pinned connection */
127 bool pinned
; /* this connection was pinned */
128 bool auth
; /* pinned for www authentication */
129 bool reading
; ///< we are monitoring for peer connection closure
130 bool zeroReply
; ///< server closed w/o response (ERR_ZERO_SIZE_OBJECT)
131 CachePeer
*peer
; /* CachePeer the connection goes via */
132 AsyncCall::Pointer readHandler
; ///< detects serverConnection closure
133 AsyncCall::Pointer closeHandler
; /*The close handler for pinned server side connection*/
136 /// If the port is not set then it is a connection-less object
137 /// created by an internal squid subsystem
138 bool connectionless() const { return port
== nullptr; }
140 bool transparent() const;
142 /// true if we stopped receiving the request
143 const char *stoppedReceiving() const { return stoppedReceiving_
; }
144 /// true if we stopped sending the response
145 const char *stoppedSending() const { return stoppedSending_
; }
146 /// note request receiving error and close as soon as we write the response
147 void stopReceiving(const char *error
);
148 /// note response sending error and close as soon as we read the request
149 void stopSending(const char *error
);
151 void expectNoForwarding(); ///< cleans up virgin request [body] forwarding state
154 BodyPipe::Pointer
expectRequestBody(int64_t size
);
155 virtual void noteMoreBodySpaceAvailable(BodyPipe::Pointer
) = 0;
156 virtual void noteBodyConsumerAborted(BodyPipe::Pointer
) = 0;
158 bool handleRequestBodyData();
160 /// Forward future client requests using the given server connection.
161 /// Optionally, monitor pinned server connection for remote-end closures.
162 void pinConnection(const Comm::ConnectionPointer
&pinServerConn
, HttpRequest
*request
, CachePeer
*peer
, bool auth
, bool monitor
= true);
163 /// Undo pinConnection() and, optionally, close the pinned connection.
164 void unpinConnection(const bool andClose
);
165 /// Returns validated pinnned server connection (and stops its monitoring).
166 Comm::ConnectionPointer
borrowPinnedConnection(HttpRequest
*request
, const CachePeer
*aPeer
);
168 * Checks if there is pinning info if it is valid. It can close the server side connection
169 * if pinned info is not valid.
170 \param request if it is not NULL also checks if the pinning info refers to the request client side HttpRequest
171 \param CachePeer if it is not NULL also check if the CachePeer is the pinning CachePeer
172 \return The details of the server side connection (may be closed if failures were present).
174 const Comm::ConnectionPointer
validatePinnedConnection(HttpRequest
*request
, const CachePeer
*peer
);
176 * returts the pinned CachePeer if exists, NULL otherwise
178 CachePeer
*pinnedPeer() const {return pinning
.peer
;}
179 bool pinnedAuth() const {return pinning
.auth
;}
181 /// called just before a FwdState-dispatched job starts using connection
182 virtual void notePeerConnection(Comm::ConnectionPointer
) {}
184 // pining related comm callbacks
185 virtual void clientPinnedConnectionClosed(const CommCloseCbParams
&io
);
188 void clientReadFtpData(const CommIoCbParams
&io
);
189 void connStateClosed(const CommCloseCbParams
&io
);
190 void requestTimeout(const CommTimeoutCbParams
¶ms
);
193 virtual void start();
194 virtual bool doneAll() const { return BodyProducer::doneAll() && false;}
195 virtual void swanSong();
197 /// Do the related hooks related to start retrieving requests from
198 /// client connection
199 virtual void prepUserConnection();
201 /// Changes state so that we close the connection and quit after serving
202 /// the client-side-detected error response instead of getting stuck.
203 void quitAfterError(HttpRequest
*request
); // meant to be private
205 /// The caller assumes responsibility for connection closure detection.
206 void stopPinnedConnectionMonitoring();
209 /// the second part of old httpsAccept, waiting for future HttpsServer home
210 void postHttpsAccept();
212 /// Initializes and starts a peek-and-splice negotiation with the SSL client
213 void startPeekAndSplice();
214 /// Called when the initialization of peek-and-splice negotiation finidhed
215 void startPeekAndSpliceDone();
216 /// Called when a peek-and-splice step finished. For example after
217 /// server SSL certificates received and fake server SSL certificates
219 void doPeekAndSpliceStep();
220 /// called by FwdState when it is done bumping the server
221 void httpsPeeked(Comm::ConnectionPointer serverConnection
);
223 /// Splice a bumped client connection on peek-and-splice mode
226 /// Check on_unsupported_protocol access list and splice if required
227 /// \retval true on splice
228 /// \retval false otherwise
229 bool spliceOnError(const err_type err
);
231 /// Start to create dynamic Security::ContextPtr for host or uses static port SSL context.
232 void getSslContextStart();
234 * Done create dynamic ssl certificate.
236 * \param[in] isNew if generated certificate is new, so we need to add this certificate to storage.
238 void getSslContextDone(Security::ContextPtr sslContext
, bool isNew
= false);
239 /// Callback function. It is called when squid receive message from ssl_crtd.
240 static void sslCrtdHandleReplyWrapper(void *data
, const Helper::Reply
&reply
);
241 /// Proccess response from ssl_crtd.
242 void sslCrtdHandleReply(const Helper::Reply
&reply
);
244 void switchToHttps(HttpRequest
*request
, Ssl::BumpMode bumpServerMode
);
245 bool switchedToHttps() const { return switchedToHttps_
; }
246 Ssl::ServerBump
*serverBump() {return sslServerBump
;}
247 inline void setServerBump(Ssl::ServerBump
*srvBump
) {
249 sslServerBump
= srvBump
;
251 assert(sslServerBump
== srvBump
);
253 const SBuf
&sslCommonName() const {return sslCommonName_
;}
254 void resetSslCommonName(const char *name
) {sslCommonName_
= name
;}
255 /// Fill the certAdaptParams with the required data for certificate adaptation
256 /// and create the key for storing/retrieve the certificate to/from the cache
257 void buildSslCertGenerationParams(Ssl::CertificateProperties
&certProperties
);
258 /// Called when the client sends the first request on a bumped connection.
259 /// Returns false if no [delayed] error should be written to the client.
260 /// Otherwise, writes the error to the client and returns true. Also checks
261 /// for SQUID_X509_V_ERR_DOMAIN_MISMATCH on bumped requests.
262 bool serveDelayedError(Http::Stream
*);
264 Ssl::BumpMode sslBumpMode
; ///< ssl_bump decision (Ssl::bumpEnd if n/a).
267 bool switchedToHttps() const { return false; }
270 /* clt_conn_tag=tag annotation access */
271 const SBuf
&connectionTag() const { return connectionTag_
; }
272 void connectionTag(const char *aTag
) { connectionTag_
= aTag
; }
274 /// handle a control message received by context from a peer and call back
275 virtual void writeControlMsgAndCall(HttpReply
*rep
, AsyncCall::Pointer
&call
) = 0;
277 /// ClientStream calls this to supply response header (once) and data
278 /// for the current Http::Stream.
279 virtual void handleReply(HttpReply
*header
, StoreIOBuffer receivedData
) = 0;
281 /// remove no longer needed leading bytes from the input buffer
282 void consumeInput(const size_t byteCount
);
284 /* TODO: Make the methods below (at least) non-public when possible. */
286 /// stop parsing the request and create context for relaying error info
287 Http::Stream
*abortRequestParsing(const char *const errUri
);
289 /// generate a fake CONNECT request with the given payload
290 /// at the beginning of the client I/O buffer
291 void fakeAConnectRequest(const char *reason
, const SBuf
&payload
);
293 /// client data which may need to forward as-is to server after an
294 /// on_unsupported_protocol tunnel decision.
295 SBuf preservedClientData
;
297 /* Registered Runner API */
298 virtual void startShutdown();
299 virtual void endingShutdown();
302 void startDechunkingRequest();
303 void finishDechunkingRequest(bool withSuccess
);
304 void abortChunkedRequestBody(const err_type error
);
305 err_type
handleChunkedRequestBody();
307 void startPinnedConnectionMonitoring();
308 void clientPinnedConnectionRead(const CommIoCbParams
&io
);
310 /// Handles a ready-for-reading TLS squid-to-server connection that
311 /// we thought was idle.
312 /// \return false if and only if the connection should be closed.
313 bool handleIdleClientPinnedTlsRead();
316 /// parse input buffer prefix into a single transfer protocol request
317 /// return NULL to request more header bytes (after checking any limits)
318 /// use abortRequestParsing() to handle parsing errors w/o creating request
319 virtual Http::Stream
*parseOneRequest() = 0;
321 /// start processing a freshly parsed request
322 virtual void processParsedRequest(Http::Stream
*) = 0;
324 /// returning N allows a pipeline of 1+N requests (see pipeline_prefetch)
325 virtual int pipelinePrefetchMax() const;
327 /// timeout to use when waiting for the next request
328 virtual time_t idleTimeout() const = 0;
330 BodyPipe::Pointer bodyPipe
; ///< set when we are reading request body
334 virtual bool connFinishedWithConn(int size
);
336 void clientAfterReadingRequests();
337 bool concurrentRequestQueueFilled() const;
339 void pinNewConnection(const Comm::ConnectionPointer
&pinServer
, HttpRequest
*request
, CachePeer
*aPeer
, bool auth
);
341 /* PROXY protocol functionality */
342 bool proxyProtocolValidateClient();
343 bool parseProxyProtocolHeader();
344 bool parseProxy1p0();
345 bool parseProxy2p0();
346 bool proxyProtocolError(const char *reason
);
348 /// whether PROXY protocol header is still expected
349 bool needProxyProtocolHeader_
;
352 /// some user details that can be used to perform authentication on this connection
353 Auth::UserRequest::Pointer auth_
;
356 /// the parser state for current HTTP/1.x input buffer processing
357 Http1::RequestParserPointer parser_
;
360 bool switchedToHttps_
;
361 /// The SSL server host name appears in CONNECT request or the server ip address for the intercepted requests
362 String sslConnectHostOrIp
; ///< The SSL server host name as passed in the CONNECT request
363 SBuf sslCommonName_
; ///< CN name for SSL certificate generation
364 String sslBumpCertKey
; ///< Key to use to store/retrieve generated certificate
366 /// HTTPS server cert. fetching state for bump-ssl-server-first
367 Ssl::ServerBump
*sslServerBump
;
368 Ssl::CertSignAlgorithm signAlgorithm
; ///< The signing algorithm to use
371 /// the reason why we no longer write the response or nil
372 const char *stoppedSending_
;
373 /// the reason why we no longer read the request or nil
374 const char *stoppedReceiving_
;
376 SBuf connectionTag_
; ///< clt_conn_tag=Tag annotation for client connection
379 void setLogUri(ClientHttpRequest
* http
, char const *uri
, bool cleanUrl
= false);
381 const char *findTrailingHTTPVersion(const char *uriAndHTTPVersion
, const char *end
= NULL
);
383 int varyEvaluateMatch(StoreEntry
* entry
, HttpRequest
* req
);
385 /// accept requests to a given port and inform subCall about them
386 void clientStartListeningOn(AnyP::PortCfgPointer
&port
, const RefCount
< CommCbFunPtrCallT
<CommAcceptCbPtrFun
> > &subCall
, const Ipc::FdNoteId noteId
);
388 void clientOpenListenSockets(void);
389 void clientConnectionsClose(void);
390 void httpRequestFree(void *);
392 /// decide whether to expect multiple requests on the corresponding connection
393 void clientSetKeepaliveFlag(ClientHttpRequest
*http
);
395 /// append a "part" HTTP header (as in a multi-part/range reply) to the buffer
396 void clientPackRangeHdr(const HttpReply
*, const HttpHdrRangeSpec
*, String boundary
, MemBuf
*);
398 /// put terminating boundary for multiparts to the buffer
399 void clientPackTermBound(String boundary
, MemBuf
*);
401 /* misplaced declaratrions of Stream callbacks provided/used by client side */
402 SQUIDCEXTERN CSR clientGetMoreData
;
403 SQUIDCEXTERN CSS clientReplyStatus
;
404 SQUIDCEXTERN CSD clientReplyDetach
;
405 CSCB clientSocketRecipient
;
406 CSD clientSocketDetach
;
408 /* TODO: Move to HttpServer. Warning: Move requires large code nonchanges! */
409 Http::Stream
*parseHttpRequest(ConnStateData
*, const Http1::RequestParserPointer
&);
410 void clientProcessRequest(ConnStateData
*, const Http1::RequestParserPointer
&, Http::Stream
*);
411 void clientPostHttpsAccept(ConnStateData
*);
413 #endif /* SQUID_CLIENTSIDE_H */