]> git.ipfire.org Git - thirdparty/squid.git/blob - src/http.cc
projects / thirdparty / squid.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
SourceLayout: shuffle HttpStatusLine into http/libsquid-http.la
[thirdparty/squid.git] / src / http.cc
1 /*
2 * DEBUG: section 11 Hypertext Transfer Protocol (HTTP)
3 * AUTHOR: Harvest Derived
4 *
5 * SQUID Web Proxy Cache http://www.squid-cache.org/
6 * ----------------------------------------------------------
7 *
8 * Squid is the result of efforts by numerous individuals from
9 * the Internet community; see the CONTRIBUTORS file for full
10 * details. Many organizations have provided support for Squid's
11 * development; see the SPONSORS file for full details. Squid is
12 * Copyrighted (C) 2001 by the Regents of the University of
13 * California; see the COPYRIGHT file for full details. Squid
14 * incorporates software developed and/or copyrighted by other
15 * sources; see the CREDITS file for full details.
16 *
17 * This program is free software; you can redistribute it and/or modify
18 * it under the terms of the GNU General Public License as published by
19 * the Free Software Foundation; either version 2 of the License, or
20 * (at your option) any later version.
21 *
22 * This program is distributed in the hope that it will be useful,
23 * but WITHOUT ANY WARRANTY; without even the implied warranty of
24 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25 * GNU General Public License for more details.
26 *
27 * You should have received a copy of the GNU General Public License
28 * along with this program; if not, write to the Free Software
29 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
30 */
31
32 /*
33 * Anonymizing patch by lutz@as-node.jena.thur.de
34 * have a look into http-anon.c to get more informations.
35 */
36
37 #include "squid.h"
38 #include "acl/FilledChecklist.h"
39 #include "base64.h"
40 #include "base/AsyncJobCalls.h"
41 #include "base/TextException.h"
42 #include "CachePeer.h"
43 #include "ChunkedCodingParser.h"
44 #include "client_side.h"
45 #include "comm/Connection.h"
46 #include "comm/Write.h"
47 #include "err_detail_type.h"
48 #include "errorpage.h"
49 #include "fd.h"
50 #include "fde.h"
51 #include "globals.h"
52 #include "HttpControlMsg.h"
53 #include "http.h"
54 #include "HttpHdrCc.h"
55 #include "HttpHdrContRange.h"
56 #include "HttpHdrSc.h"
57 #include "HttpHdrScTarget.h"
58 #include "HttpHeaderTools.h"
59 #include "HttpReply.h"
60 #include "HttpRequest.h"
61 #include "HttpStateFlags.h"
62 #include "log/access_log.h"
63 #include "MemBuf.h"
64 #include "MemObject.h"
65 #include "mime_header.h"
66 #include "neighbors.h"
67 #include "peer_proxy_negotiate_auth.h"
68 #include "profiler/Profiler.h"
69 #include "refresh.h"
70 #include "RefreshPattern.h"
71 #include "rfc1738.h"
72 #include "SquidConfig.h"
73 #include "SquidTime.h"
74 #include "StatCounters.h"
75 #include "Store.h"
76 #include "StrList.h"
77 #include "tools.h"
78 #include "URL.h"
79
80 #if USE_AUTH
81 #include "auth/UserRequest.h"
82 #endif
83 #if USE_DELAY_POOLS
84 #include "DelayPools.h"
85 #endif
86
87 #define SQUID_ENTER_THROWING_CODE() try {
88 #define SQUID_EXIT_THROWING_CODE(status) \
89 status = true; \
90 } \
91 catch (const std::exception &e) { \
92 debugs (11, 1, "Exception error:" << e.what()); \
93 status = false; \
94 }
95
96 CBDATA_CLASS_INIT(HttpStateData);
97
98 static const char *const crlf = "\r\n";
99
100 static void httpMaybeRemovePublic(StoreEntry *, Http::StatusCode);
101 static void copyOneHeaderFromClientsideRequestToUpstreamRequest(const HttpHeaderEntry *e, const String strConnection, const HttpRequest * request,
102 HttpHeader * hdr_out, const int we_do_ranges, const HttpStateFlags &);
103 //Declared in HttpHeaderTools.cc
104 void httpHdrAdd(HttpHeader *heads, HttpRequest *request, const AccessLogEntryPointer &al, HeaderWithAclList &headers_add);
105
106 HttpStateData::HttpStateData(FwdState *theFwdState) : AsyncJob("HttpStateData"), ServerStateData(theFwdState),
107 lastChunk(0), header_bytes_read(0), reply_bytes_read(0),
108 body_bytes_truncated(0), httpChunkDecoder(NULL)
109 {
110 debugs(11,5,HERE << "HttpStateData " << this << " created");
111 ignoreCacheControl = false;
112 surrogateNoStore = false;
113 serverConnection = fwd->serverConnection();
114 readBuf = new MemBuf;
115 readBuf->init(16*1024, 256*1024);
116
117 // reset peer response time stats for %<pt
118 request->hier.peer_http_request_sent.tv_sec = 0;
119 request->hier.peer_http_request_sent.tv_usec = 0;
120
121 if (fwd->serverConnection() != NULL)
122 _peer = cbdataReference(fwd->serverConnection()->getPeer()); /* might be NULL */
123
124 if (_peer) {
125 request->flags.proxying = true;
126 /*
127 * This NEIGHBOR_PROXY_ONLY check probably shouldn't be here.
128 * We might end up getting the object from somewhere else if,
129 * for example, the request to this neighbor fails.
130 */
131 if (_peer->options.proxy_only)
132 entry->releaseRequest();
133
134 #if USE_DELAY_POOLS
135 entry->setNoDelay(_peer->options.no_delay);
136 #endif
137 }
138
139 /*
140 * register the handler to free HTTP state data when the FD closes
141 */
142 typedef CommCbMemFunT<HttpStateData, CommCloseCbParams> Dialer;
143 closeHandler = JobCallback(9, 5, Dialer, this, HttpStateData::httpStateConnClosed);
144 comm_add_close_handler(serverConnection->fd, closeHandler);
145 }
146
147 HttpStateData::~HttpStateData()
148 {
149 /*
150 * don't forget that ~ServerStateData() gets called automatically
151 */
152
153 if (!readBuf->isNull())
154 readBuf->clean();
155
156 delete readBuf;
157
158 if (httpChunkDecoder)
159 delete httpChunkDecoder;
160
161 cbdataReferenceDone(_peer);
162
163 debugs(11,5, HERE << "HttpStateData " << this << " destroyed; " << serverConnection);
164 }
165
166 const Comm::ConnectionPointer &
167 HttpStateData::dataConnection() const
168 {
169 return serverConnection;
170 }
171
172 void
173 HttpStateData::httpStateConnClosed(const CommCloseCbParams &params)
174 {
175 debugs(11, 5, "httpStateFree: FD " << params.fd << ", httpState=" << params.data);
176 mustStop("HttpStateData::httpStateConnClosed");
177 }
178
179 void
180 HttpStateData::httpTimeout(const CommTimeoutCbParams &params)
181 {
182 debugs(11, 4, HERE << serverConnection << ": '" << entry->url() << "'" );
183
184 if (entry->store_status == STORE_PENDING) {
185 fwd->fail(new ErrorState(ERR_READ_TIMEOUT, Http::scGateway_Timeout, fwd->request));
186 }
187
188 serverConnection->close();
189 }
190
191 static void
192 httpMaybeRemovePublic(StoreEntry * e, Http::StatusCode status)
193 {
194 int remove = 0;
195 int forbidden = 0;
196 StoreEntry *pe;
197
198 if (!EBIT_TEST(e->flags, KEY_PRIVATE))
199 return;
200
201 switch (status) {
202
203 case Http::scOkay:
204
205 case Http::scNonAuthoritativeInformation:
206
207 case Http::scMultipleChoices:
208
209 case Http::scMovedPermanently:
210
211 case Http::scMovedTemporarily:
212
213 case Http::scGone:
214
215 case Http::scNotFound:
216 remove = 1;
217
218 break;
219
220 case Http::scForbidden:
221
222 case Http::scMethodNotAllowed:
223 forbidden = 1;
224
225 break;
226
227 #if WORK_IN_PROGRESS
228
229 case Http::scUnauthorized:
230 forbidden = 1;
231
232 break;
233
234 #endif
235
236 default:
237 #if QUESTIONABLE
238 /*
239 * Any 2xx response should eject previously cached entities...
240 */
241
242 if (status >= 200 && status < 300)
243 remove = 1;
244
245 #endif
246
247 break;
248 }
249
250 if (!remove && !forbidden)
251 return;
252
253 assert(e->mem_obj);
254
255 if (e->mem_obj->request)
256 pe = storeGetPublicByRequest(e->mem_obj->request);
257 else
258 pe = storeGetPublic(e->mem_obj->url, e->mem_obj->method);
259
260 if (pe != NULL) {
261 assert(e != pe);
262 #if USE_HTCP
263 neighborsHtcpClear(e, NULL, e->mem_obj->request, e->mem_obj->method, HTCP_CLR_INVALIDATION);
264 #endif
265 pe->release();
266 }
267
268 /** \par
269 * Also remove any cached HEAD response in case the object has
270 * changed.
271 */
272 if (e->mem_obj->request)
273 pe = storeGetPublicByRequestMethod(e->mem_obj->request, Http::METHOD_HEAD);
274 else
275 pe = storeGetPublic(e->mem_obj->url, Http::METHOD_HEAD);
276
277 if (pe != NULL) {
278 assert(e != pe);
279 #if USE_HTCP
280 neighborsHtcpClear(e, NULL, e->mem_obj->request, HttpRequestMethod(Http::METHOD_HEAD), HTCP_CLR_INVALIDATION);
281 #endif
282 pe->release();
283 }
284 }
285
286 void
287 HttpStateData::processSurrogateControl(HttpReply *reply)
288 {
289 if (request->flags.accelerated && reply->surrogate_control) {
290 HttpHdrScTarget *sctusable = reply->surrogate_control->getMergedTarget(Config.Accel.surrogate_id);
291
292 if (sctusable) {
293 if (sctusable->noStore() ||
294 (Config.onoff.surrogate_is_remote
295 && sctusable->noStoreRemote())) {
296 surrogateNoStore = true;
297 entry->makePrivate();
298 }
299
300 /* The HttpHeader logic cannot tell if the header it's parsing is a reply to an
301 * accelerated request or not...
302 * Still, this is an abstraction breach. - RC
303 */
304 if (sctusable->hasMaxAge()) {
305 if (sctusable->maxAge() < sctusable->maxStale())
306 reply->expires = reply->date + sctusable->maxAge();
307 else
308 reply->expires = reply->date + sctusable->maxStale();
309
310 /* And update the timestamps */
311 entry->timestampsSet();
312 }
313
314 /* We ignore cache-control directives as per the Surrogate specification */
315 ignoreCacheControl = true;
316
317 delete sctusable;
318 }
319 }
320 }
321
322 int
323 HttpStateData::cacheableReply()
324 {
325 HttpReply const *rep = finalReply();
326 HttpHeader const *hdr = &rep->header;
327 const char *v;
328 #if USE_HTTP_VIOLATIONS
329
330 const RefreshPattern *R = NULL;
331
332 /* This strange looking define first looks up the refresh pattern
333 * and then checks if the specified flag is set. The main purpose
334 * of this is to simplify the refresh pattern lookup and USE_HTTP_VIOLATIONS
335 * condition
336 */
337 #define REFRESH_OVERRIDE(flag) \
338 ((R = (R ? R : refreshLimits(entry->mem_obj->url))) , \
339 (R && R->flags.flag))
340 #else
341 #define REFRESH_OVERRIDE(flag) 0
342 #endif
343
344 // Check for Surrogate/1.0 protocol conditions
345 // NP: reverse-proxy traffic our parent server has instructed us never to cache
346 if (surrogateNoStore) {
347 debugs(22, 3, HERE << "NO because Surrogate-Control:no-store");
348 return 0;
349 }
350
351 // RFC 2616: HTTP/1.1 Cache-Control conditions
352 if (!ignoreCacheControl) {
353 // XXX: check to see if the request headers alone were enough to prevent caching earlier
354 // (ie no-store request header) no need to check those all again here if so.
355 // for now we are not reliably doing that so we waste CPU re-checking request CC
356
357 // RFC 2616 section 14.9.2 - MUST NOT cache any response with request CC:no-store
358 if (request && request->cache_control && request->cache_control->noStore() &&
359 !REFRESH_OVERRIDE(ignore_no_store)) {
360 debugs(22, 3, HERE << "NO because client request Cache-Control:no-store");
361 return 0;
362 }
363
364 // NP: request CC:no-cache only means cache READ is forbidden. STORE is permitted.
365 // NP: request CC:private is undefined. We ignore.
366 // NP: other request CC flags are limiters on HIT/MISS. We don't care about here.
367
368 // RFC 2616 section 14.9.2 - MUST NOT cache any response with CC:no-store
369 if (rep->cache_control && rep->cache_control->noStore() &&
370 !REFRESH_OVERRIDE(ignore_no_store)) {
371 debugs(22, 3, HERE << "NO because server reply Cache-Control:no-store");
372 return 0;
373 }
374
375 // RFC 2616 section 14.9.1 - MUST NOT cache any response with CC:private in a shared cache like Squid.
376 // TODO: add a shared/private cache configuration possibility.
377 if (rep->cache_control &&
378 rep->cache_control->Private() &&
379 !REFRESH_OVERRIDE(ignore_private)) {
380 debugs(22, 3, HERE << "NO because server reply Cache-Control:private");
381 return 0;
382 }
383 // NP: being conservative; CC:private overrides CC:public when both are present in a response.
384
385 }
386 // RFC 2068, sec 14.9.4 - MUST NOT cache any response with Authentication UNLESS certain CC controls are present
387 // allow HTTP violations to IGNORE those controls (ie re-block caching Auth)
388 if (request && (request->flags.auth || request->flags.authSent) && !REFRESH_OVERRIDE(ignore_auth)) {
389 if (!rep->cache_control) {
390 debugs(22, 3, HERE << "NO because Authenticated and server reply missing Cache-Control");
391 return 0;
392 }
393
394 if (ignoreCacheControl) {
395 debugs(22, 3, HERE << "NO because Authenticated and ignoring Cache-Control");
396 return 0;
397 }
398
399 bool mayStore = false;
400 // HTTPbis pt6 section 3.2: a response CC:public is present
401 if (rep->cache_control->Public()) {
402 debugs(22, 3, HERE << "Authenticated but server reply Cache-Control:public");
403 mayStore = true;
404
405 // HTTPbis pt6 section 3.2: a response CC:must-revalidate is present
406 } else if (rep->cache_control->mustRevalidate() && !REFRESH_OVERRIDE(ignore_must_revalidate)) {
407 debugs(22, 3, HERE << "Authenticated but server reply Cache-Control:public");
408 mayStore = true;
409
410 #if USE_HTTP_VIOLATIONS
411 // NP: given the must-revalidate exception we should also be able to exempt no-cache.
412 // HTTPbis WG verdict on this is that it is omitted from the spec due to being 'unexpected' by
413 // some. The caching+revalidate is not exactly unsafe though with Squids interpretation of no-cache
414 // as equivalent to must-revalidate in the reply.
415 } else if (rep->cache_control->noCache() && !REFRESH_OVERRIDE(ignore_must_revalidate)) {
416 debugs(22, 3, HERE << "Authenticated but server reply Cache-Control:no-cache (equivalent to must-revalidate)");
417 mayStore = true;
418 #endif
419
420 // HTTPbis pt6 section 3.2: a response CC:s-maxage is present
421 } else if (rep->cache_control->sMaxAge()) {
422 debugs(22, 3, HERE << "Authenticated but server reply Cache-Control:s-maxage");
423 mayStore = true;
424 }
425
426 if (!mayStore) {
427 debugs(22, 3, HERE << "NO because Authenticated transaction");
428 return 0;
429 }
430
431 // NP: response CC:no-cache is equivalent to CC:must-revalidate,max-age=0. We MAY cache, and do so.
432 // NP: other request CC flags are limiters on HIT/MISS/REFRESH. We don't care about here.
433 }
434
435 /* HACK: The "multipart/x-mixed-replace" content type is used for
436 * continuous push replies. These are generally dynamic and
437 * probably should not be cachable
438 */
439 if ((v = hdr->getStr(HDR_CONTENT_TYPE)))
440 if (!strncasecmp(v, "multipart/x-mixed-replace", 25)) {
441 debugs(22, 3, HERE << "NO because Content-Type:multipart/x-mixed-replace");
442 return 0;
443 }
444
445 switch (rep->sline.status()) {
446 /* Responses that are cacheable */
447
448 case Http::scOkay:
449
450 case Http::scNonAuthoritativeInformation:
451
452 case Http::scMultipleChoices:
453
454 case Http::scMovedPermanently:
455 case Http::scPermanentRedirect:
456
457 case Http::scGone:
458 /*
459 * Don't cache objects that need to be refreshed on next request,
460 * unless we know how to refresh it.
461 */
462
463 if (!refreshIsCachable(entry) && !REFRESH_OVERRIDE(store_stale)) {
464 debugs(22, 3, "NO because refreshIsCachable() returned non-cacheable..");
465 return 0;
466 } else {
467 debugs(22, 3, HERE << "YES because HTTP status " << rep->sline.status());
468 return 1;
469 }
470 /* NOTREACHED */
471 break;
472
473 /* Responses that only are cacheable if the server says so */
474
475 case Http::scMovedTemporarily:
476 case Http::scTemporaryRedirect:
477 if (rep->date <= 0) {
478 debugs(22, 3, HERE << "NO because HTTP status " << rep->sline.status() << " and Date missing/invalid");
479 return 0;
480 }
481 if (rep->expires > rep->date) {
482 debugs(22, 3, HERE << "YES because HTTP status " << rep->sline.status() << " and Expires > Date");
483 return 1;
484 } else {
485 debugs(22, 3, HERE << "NO because HTTP status " << rep->sline.status() << " and Expires <= Date");
486 return 0;
487 }
488 /* NOTREACHED */
489 break;
490
491 /* Errors can be negatively cached */
492
493 case Http::scNoContent:
494
495 case Http::scUseProxy:
496
497 case Http::scBadRequest:
498
499 case Http::scForbidden:
500
501 case Http::scNotFound:
502
503 case Http::scMethodNotAllowed:
504
505 case Http::scRequestUriTooLarge:
506
507 case Http::scInternalServerError:
508
509 case Http::scNotImplemented:
510
511 case Http::scBadGateway:
512
513 case Http::scServiceUnavailable:
514
515 case Http::scGateway_Timeout:
516 debugs(22, 3, HERE << "MAYBE because HTTP status " << rep->sline.status());
517 return -1;
518
519 /* NOTREACHED */
520 break;
521
522 /* Some responses can never be cached */
523
524 case Http::scPartialContent: /* Not yet supported */
525
526 case Http::scSeeOther:
527
528 case Http::scNotModified:
529
530 case Http::scUnauthorized:
531
532 case Http::scProxyAuthenticationRequired:
533
534 case Http::scInvalidHeader: /* Squid header parsing error */
535
536 case Http::scHeaderTooLarge:
537
538 case Http::scPaymentRequired:
539 case Http::scNotAcceptable:
540 case Http::scRequestTimeout:
541 case Http::scConflict:
542 case Http::scLengthRequired:
543 case Http::scPreconditionFailed:
544 case Http::scRequestEntityTooLarge:
545 case Http::scUnsupportedMediaType:
546 case Http::scUnprocessableEntity:
547 case Http::scLocked:
548 case Http::scFailedDependency:
549 case Http::scInsufficientStorage:
550 case Http::scRequestedRangeNotSatisfied:
551 case Http::scExpectationFailed:
552
553 debugs(22, 3, HERE << "NO because HTTP status " << rep->sline.status());
554 return 0;
555
556 default:
557 /* RFC 2616 section 6.1.1: an unrecognized response MUST NOT be cached. */
558 debugs (11, 3, HERE << "NO because unknown HTTP status code " << rep->sline.status());
559 return 0;
560
561 /* NOTREACHED */
562 break;
563 }
564
565 /* NOTREACHED */
566 }
567
568 /*
569 * For Vary, store the relevant request headers as
570 * virtual headers in the reply
571 * Returns false if the variance cannot be stored
572 */
573 const char *
574 httpMakeVaryMark(HttpRequest * request, HttpReply const * reply)
575 {
576 String vary, hdr;
577 const char *pos = NULL;
578 const char *item;
579 const char *value;
580 int ilen;
581 static String vstr;
582
583 vstr.clean();
584 vary = reply->header.getList(HDR_VARY);
585
586 while (strListGetItem(&vary, ',', &item, &ilen, &pos)) {
587 char *name = (char *)xmalloc(ilen + 1);
588 xstrncpy(name, item, ilen + 1);
589 Tolower(name);
590
591 if (strcmp(name, "*") == 0) {
592 /* Can not handle "Vary: *" withtout ETag support */
593 safe_free(name);
594 vstr.clean();
595 break;
596 }
597
598 strListAdd(&vstr, name, ',');
599 hdr = request->header.getByName(name);
600 safe_free(name);
601 value = hdr.termedBuf();
602
603 if (value) {
604 value = rfc1738_escape_part(value);
605 vstr.append("=\"", 2);
606 vstr.append(value);
607 vstr.append("\"", 1);
608 }
609
610 hdr.clean();
611 }
612
613 vary.clean();
614 #if X_ACCELERATOR_VARY
615
616 pos = NULL;
617 vary = reply->header.getList(HDR_X_ACCELERATOR_VARY);
618
619 while (strListGetItem(&vary, ',', &item, &ilen, &pos)) {
620 char *name = (char *)xmalloc(ilen + 1);
621 xstrncpy(name, item, ilen + 1);
622 Tolower(name);
623 strListAdd(&vstr, name, ',');
624 hdr = request->header.getByName(name);
625 safe_free(name);
626 value = hdr.termedBuf();
627
628 if (value) {
629 value = rfc1738_escape_part(value);
630 vstr.append("=\"", 2);
631 vstr.append(value);
632 vstr.append("\"", 1);
633 }
634
635 hdr.clean();
636 }
637
638 vary.clean();
639 #endif
640
641 debugs(11, 3, "httpMakeVaryMark: " << vstr);
642 return vstr.termedBuf();
643 }
644
645 void
646 HttpStateData::keepaliveAccounting(HttpReply *reply)
647 {
648 if (flags.keepalive)
649 if (_peer)
650 ++ _peer->stats.n_keepalives_sent;
651
652 if (reply->keep_alive) {
653 if (_peer)
654 ++ _peer->stats.n_keepalives_recv;
655
656 if (Config.onoff.detect_broken_server_pconns
657 && reply->bodySize(request->method) == -1 && !flags.chunked) {
658 debugs(11, DBG_IMPORTANT, "keepaliveAccounting: Impossible keep-alive header from '" << entry->url() << "'" );
659 // debugs(11, 2, "GOT HTTP REPLY HDR:\n---------\n" << readBuf->content() << "\n----------" );
660 flags.keepalive_broken = true;
661 }
662 }
663 }
664
665 void
666 HttpStateData::checkDateSkew(HttpReply *reply)
667 {
668 if (reply->date > -1 && !_peer) {
669 int skew = abs((int)(reply->date - squid_curtime));
670
671 if (skew > 86400)
672 debugs(11, 3, "" << request->GetHost() << "'s clock is skewed by " << skew << " seconds!");
673 }
674 }
675
676 /**
677 * This creates the error page itself.. its likely
678 * that the forward ported reply header max size patch
679 * generates non http conformant error pages - in which
680 * case the errors where should be 'BAD_GATEWAY' etc
681 */
682 void
683 HttpStateData::processReplyHeader()
684 {
685 /** Creates a blank header. If this routine is made incremental, this will not do */
686
687 /* NP: all exit points to this function MUST call ctx_exit(ctx) */
688 Ctx ctx = ctx_enter(entry->mem_obj->url);
689
690 debugs(11, 3, "processReplyHeader: key '" << entry->getMD5Text() << "'");
691
692 assert(!flags.headers_parsed);
693
694 if (!readBuf->hasContent()) {
695 ctx_exit(ctx);
696 return;
697 }
698
699 Http::StatusCode error = Http::scNone;
700
701 HttpReply *newrep = new HttpReply;
702 const bool parsed = newrep->parse(readBuf, eof, &error);
703
704 if (!parsed && readBuf->contentSize() > 5 && strncmp(readBuf->content(), "HTTP/", 5) != 0 && strncmp(readBuf->content(), "ICY", 3) != 0) {
705 MemBuf *mb;
706 HttpReply *tmprep = new HttpReply;
707 tmprep->setHeaders(Http::scOkay, "Gatewaying", NULL, -1, -1, -1);
708 tmprep->header.putExt("X-Transformed-From", "HTTP/0.9");
709 mb = tmprep->pack();
710 newrep->parse(mb, eof, &error);
711 delete mb;
712 delete tmprep;
713 } else {
714 if (!parsed && error > 0) { // unrecoverable parsing error
715 debugs(11, 3, "processReplyHeader: Non-HTTP-compliant header: '" << readBuf->content() << "'");
716 flags.headers_parsed = true;
717 // XXX: when sanityCheck is gone and Http::StatusLine is used to parse,
718 // the sline should be already set the appropriate values during that parser stage
719 newrep->sline.set(Http::ProtocolVersion(1,1), error);
720 HttpReply *vrep = setVirginReply(newrep);
721 entry->replaceHttpReply(vrep);
722 ctx_exit(ctx);
723 return;
724 }
725
726 if (!parsed) { // need more data
727 assert(!error);
728 assert(!eof);
729 delete newrep;
730 ctx_exit(ctx);
731 return;
732 }
733
734 debugs(11, 2, "HTTP Server " << serverConnection);
735 debugs(11, 2, "HTTP Server REPLY:\n---------\n" << readBuf->content() << "\n----------");
736
737 header_bytes_read = headersEnd(readBuf->content(), readBuf->contentSize());
738 readBuf->consume(header_bytes_read);
739 }
740
741 newrep->removeStaleWarnings();
742
743 if (newrep->sline.protocol == AnyP::PROTO_HTTP && newrep->sline.status() >= 100 && newrep->sline.status() < 200) {
744 handle1xx(newrep);
745 ctx_exit(ctx);
746 return;
747 }
748
749 flags.chunked = false;
750 if (newrep->sline.protocol == AnyP::PROTO_HTTP && newrep->header.chunked()) {
751 flags.chunked = true;
752 httpChunkDecoder = new ChunkedCodingParser;
753 }
754
755 if (!peerSupportsConnectionPinning())
756 request->flags.connectionAuthDisabled = true;
757
758 HttpReply *vrep = setVirginReply(newrep);
759 flags.headers_parsed = true;
760
761 keepaliveAccounting(vrep);
762
763 checkDateSkew(vrep);
764
765 processSurrogateControl (vrep);
766
767 request->hier.peer_reply_status = newrep->sline.status();
768
769 ctx_exit(ctx);
770 }
771
772 /// ignore or start forwarding the 1xx response (a.k.a., control message)
773 void
774 HttpStateData::handle1xx(HttpReply *reply)
775 {
776 HttpReply::Pointer msg(reply); // will destroy reply if unused
777
778 // one 1xx at a time: we must not be called while waiting for previous 1xx
779 Must(!flags.handling1xx);
780 flags.handling1xx = true;
781
782 if (!request->canHandle1xx()) {
783 debugs(11, 2, HERE << "ignoring client-unsupported 1xx");
784 proceedAfter1xx();
785 return;
786 }
787
788 #if USE_HTTP_VIOLATIONS
789 // check whether the 1xx response forwarding is allowed by squid.conf
790 if (Config.accessList.reply) {
791 ACLFilledChecklist ch(Config.accessList.reply, originalRequest(), NULL);
792 ch.reply = reply;
793 HTTPMSGLOCK(ch.reply);
794 if (ch.fastCheck() != ACCESS_ALLOWED) { // TODO: support slow lookups?
795 debugs(11, 3, HERE << "ignoring denied 1xx");
796 proceedAfter1xx();
797 return;
798 }
799 }
800 #endif // USE_HTTP_VIOLATIONS
801
802 debugs(11, 2, HERE << "forwarding 1xx to client");
803
804 // the Sink will use this to call us back after writing 1xx to the client
805 typedef NullaryMemFunT<HttpStateData> CbDialer;
806 const AsyncCall::Pointer cb = JobCallback(11, 3, CbDialer, this,
807 HttpStateData::proceedAfter1xx);
808 CallJobHere1(11, 4, request->clientConnectionManager, ConnStateData,
809 ConnStateData::sendControlMsg, HttpControlMsg(msg, cb));
810 // If the call is not fired, then the Sink is gone, and HttpStateData
811 // will terminate due to an aborted store entry or another similar error.
812 // If we get stuck, it is not handle1xx fault if we could get stuck
813 // for similar reasons without a 1xx response.
814 }
815
816 /// restores state and resumes processing after 1xx is ignored or forwarded
817 void
818 HttpStateData::proceedAfter1xx()
819 {
820 Must(flags.handling1xx);
821
822 debugs(11, 2, HERE << "consuming " << header_bytes_read <<
823 " header and " << reply_bytes_read << " body bytes read after 1xx");
824 header_bytes_read = 0;
825 reply_bytes_read = 0;
826
827 CallJobHere(11, 3, this, HttpStateData, HttpStateData::processReply);
828 }
829
830 /**
831 * returns true if the peer can support connection pinning
832 */
833 bool HttpStateData::peerSupportsConnectionPinning() const
834 {
835 const HttpReply *rep = entry->mem_obj->getReply();
836 const HttpHeader *hdr = &rep->header;
837 bool rc;
838 String header;
839
840 if (!_peer)
841 return true;
842
843 /*If this peer does not support connection pinning (authenticated
844 connections) return false
845 */
846 if (!_peer->connection_auth)
847 return false;
848
849 /*The peer supports connection pinning and the http reply status
850 is not unauthorized, so the related connection can be pinned
851 */
852 if (rep->sline.status() != Http::scUnauthorized)
853 return true;
854
855 /*The server respond with Http::scUnauthorized and the peer configured
856 with "connection-auth=on" we know that the peer supports pinned
857 connections
858 */
859 if (_peer->connection_auth == 1)
860 return true;
861
862 /*At this point peer has configured with "connection-auth=auto"
863 parameter so we need some extra checks to decide if we are going
864 to allow pinned connections or not
865 */
866
867 /*if the peer configured with originserver just allow connection
868 pinning (squid 2.6 behaviour)
869 */
870 if (_peer->options.originserver)
871 return true;
872
873 /*if the connections it is already pinned it is OK*/
874 if (request->flags.pinned)
875 return true;
876
877 /*Allow pinned connections only if the Proxy-support header exists in
878 reply and has in its list the "Session-Based-Authentication"
879 which means that the peer supports connection pinning.
880 */
881 if (!hdr->has(HDR_PROXY_SUPPORT))
882 return false;
883
884 header = hdr->getStrOrList(HDR_PROXY_SUPPORT);
885 /* XXX This ought to be done in a case-insensitive manner */
886 rc = (strstr(header.termedBuf(), "Session-Based-Authentication") != NULL);
887
888 return rc;
889 }
890
891 // Called when we parsed (and possibly adapted) the headers but
892 // had not starting storing (a.k.a., sending) the body yet.
893 void
894 HttpStateData::haveParsedReplyHeaders()
895 {
896 ServerStateData::haveParsedReplyHeaders();
897
898 Ctx ctx = ctx_enter(entry->mem_obj->url);
899 HttpReply *rep = finalReply();
900
901 if (rep->sline.status() == Http::scPartialContent && rep->content_range)
902 currentOffset = rep->content_range->spec.offset;
903
904 entry->timestampsSet();
905
906 /* Check if object is cacheable or not based on reply code */
907 debugs(11, 3, "HTTP CODE: " << rep->sline.status());
908
909 if (neighbors_do_private_keys)
910 httpMaybeRemovePublic(entry, rep->sline.status());
911
912 if (rep->header.has(HDR_VARY)
913 #if X_ACCELERATOR_VARY
914 || rep->header.has(HDR_X_ACCELERATOR_VARY)
915 #endif
916 ) {
917 const char *vary = httpMakeVaryMark(request, rep);
918
919 if (!vary) {
920 entry->makePrivate();
921 if (!fwd->reforwardableStatus(rep->sline.status()))
922 EBIT_CLR(entry->flags, ENTRY_FWD_HDR_WAIT);
923 goto no_cache;
924 }
925
926 entry->mem_obj->vary_headers = xstrdup(vary);
927 }
928
929 /*
930 * If its not a reply that we will re-forward, then
931 * allow the client to get it.
932 */
933 if (!fwd->reforwardableStatus(rep->sline.status()))
934 EBIT_CLR(entry->flags, ENTRY_FWD_HDR_WAIT);
935
936 switch (cacheableReply()) {
937
938 case 1:
939 entry->makePublic();
940 break;
941
942 case 0:
943 entry->makePrivate();
944 break;
945
946 case -1:
947
948 #if USE_HTTP_VIOLATIONS
949 if (Config.negativeTtl > 0)
950 entry->cacheNegatively();
951 else
952 #endif
953 entry->makePrivate();
954
955 break;
956
957 default:
958 assert(0);
959
960 break;
961 }
962
963 no_cache:
964
965 if (!ignoreCacheControl) {
966 if (rep->cache_control) {
967 if (rep->cache_control->proxyRevalidate() ||
968 rep->cache_control->mustRevalidate() ||
969 rep->cache_control->noCache() ||
970 rep->cache_control->hasSMaxAge())
971 EBIT_SET(entry->flags, ENTRY_REVALIDATE);
972 }
973 #if USE_HTTP_VIOLATIONS // response header Pragma::no-cache is undefined in HTTP
974 else {
975 // Expensive calculation. So only do it IF the CC: header is not present.
976
977 /* HACK: Pragma: no-cache in _replies_ is not documented in HTTP,
978 * but servers like "Active Imaging Webcast/2.0" sure do use it */
979 if (rep->header.has(HDR_PRAGMA) &&
980 rep->header.hasListMember(HDR_PRAGMA,"no-cache",','))
981 EBIT_SET(entry->flags, ENTRY_REVALIDATE);
982 }
983 #endif
984 }
985
986 #if HEADERS_LOG
987 headersLog(1, 0, request->method, rep);
988
989 #endif
990
991 ctx_exit(ctx);
992 }
993
994 HttpStateData::ConnectionStatus
995 HttpStateData::statusIfComplete() const
996 {
997 const HttpReply *rep = virginReply();
998 /** \par
999 * If the reply wants to close the connection, it takes precedence */
1000
1001 if (httpHeaderHasConnDir(&rep->header, "close"))
1002 return COMPLETE_NONPERSISTENT_MSG;
1003
1004 /** \par
1005 * If we didn't send a keep-alive request header, then this
1006 * can not be a persistent connection.
1007 */
1008 if (!flags.keepalive)
1009 return COMPLETE_NONPERSISTENT_MSG;
1010
1011 /** \par
1012 * If we haven't sent the whole request then this can not be a persistent
1013 * connection.
1014 */
1015 if (!flags.request_sent) {
1016 debugs(11, 2, "statusIfComplete: Request not yet fully sent \"" << RequestMethodStr(request->method) << " " << entry->url() << "\"" );
1017 return COMPLETE_NONPERSISTENT_MSG;
1018 }
1019
1020 /** \par
1021 * What does the reply have to say about keep-alive?
1022 */
1023 /**
1024 \bug XXX BUG?
1025 * If the origin server (HTTP/1.0) does not send a keep-alive
1026 * header, but keeps the connection open anyway, what happens?
1027 * We'll return here and http.c waits for an EOF before changing
1028 * store_status to STORE_OK. Combine this with ENTRY_FWD_HDR_WAIT
1029 * and an error status code, and we might have to wait until
1030 * the server times out the socket.
1031 */
1032 if (!rep->keep_alive)
1033 return COMPLETE_NONPERSISTENT_MSG;
1034
1035 return COMPLETE_PERSISTENT_MSG;
1036 }
1037
1038 HttpStateData::ConnectionStatus
1039 HttpStateData::persistentConnStatus() const
1040 {
1041 debugs(11, 3, HERE << serverConnection << " eof=" << eof);
1042 if (eof) // already reached EOF
1043 return COMPLETE_NONPERSISTENT_MSG;
1044
1045 /* If server fd is closing (but we have not been notified yet), stop Comm
1046 I/O to avoid assertions. TODO: Change Comm API to handle callers that
1047 want more I/O after async closing (usually initiated by others). */
1048 // XXX: add canReceive or s/canSend/canTalkToServer/
1049 if (!Comm::IsConnOpen(serverConnection))
1050 return COMPLETE_NONPERSISTENT_MSG;
1051
1052 /** \par
1053 * In chunked response we do not know the content length but we are absolutely
1054 * sure about the end of response, so we are calling the statusIfComplete to
1055 * decide if we can be persistant
1056 */
1057 if (lastChunk && flags.chunked)
1058 return statusIfComplete();
1059
1060 const HttpReply *vrep = virginReply();
1061 debugs(11, 5, "persistentConnStatus: content_length=" << vrep->content_length);
1062
1063 const int64_t clen = vrep->bodySize(request->method);
1064
1065 debugs(11, 5, "persistentConnStatus: clen=" << clen);
1066
1067 /* If the body size is unknown we must wait for EOF */
1068 if (clen < 0)
1069 return INCOMPLETE_MSG;
1070
1071 /** \par
1072 * If the body size is known, we must wait until we've gotten all of it. */
1073 if (clen > 0) {
1074 // old technique:
1075 // if (entry->mem_obj->endOffset() < vrep->content_length + vrep->hdr_sz)
1076 const int64_t body_bytes_read = reply_bytes_read - header_bytes_read;
1077 debugs(11,5, "persistentConnStatus: body_bytes_read=" <<
1078 body_bytes_read << " content_length=" << vrep->content_length);
1079
1080 if (body_bytes_read < vrep->content_length)
1081 return INCOMPLETE_MSG;
1082
1083 if (body_bytes_truncated > 0) // already read more than needed
1084 return COMPLETE_NONPERSISTENT_MSG; // disable pconns
1085 }
1086
1087 /** \par
1088 * If there is no message body or we got it all, we can be persistent */
1089 return statusIfComplete();
1090 }
1091
1092 /*
1093 * This is the callback after some data has been read from the network
1094 */
1095 /*
1096 void
1097 HttpStateData::ReadReplyWrapper(int fd, char *buf, size_t len, comm_err_t flag, int xerrno, void *data)
1098 {
1099 HttpStateData *httpState = static_cast<HttpStateData *>(data);
1100 assert (fd == httpState->serverConnection->fd);
1101 // assert(buf == readBuf->content());
1102 PROF_start(HttpStateData_readReply);
1103 httpState->readReply(len, flag, xerrno);
1104 PROF_stop(HttpStateData_readReply);
1105 }
1106 */
1107
1108 /* XXX this function is too long! */
1109 void
1110 HttpStateData::readReply(const CommIoCbParams &io)
1111 {
1112 int bin;
1113 int clen;
1114 int len = io.size;
1115
1116 flags.do_next_read = false;
1117
1118 debugs(11, 5, HERE << io.conn << ": len " << len << ".");
1119
1120 // Bail out early on COMM_ERR_CLOSING - close handlers will tidy up for us
1121 if (io.flag == COMM_ERR_CLOSING) {
1122 debugs(11, 3, "http socket closing");
1123 return;
1124 }
1125
1126 if (EBIT_TEST(entry->flags, ENTRY_ABORTED)) {
1127 abortTransaction("store entry aborted while reading reply");
1128 return;
1129 }
1130
1131 // handle I/O errors
1132 if (io.flag != COMM_OK || len < 0) {
1133 debugs(11, 2, HERE << io.conn << ": read failure: " << xstrerror() << ".");
1134
1135 if (ignoreErrno(io.xerrno)) {
1136 flags.do_next_read = true;
1137 } else {
1138 ErrorState *err = new ErrorState(ERR_READ_ERROR, Http::scBadGateway, fwd->request);
1139 err->xerrno = io.xerrno;
1140 fwd->fail(err);
1141 flags.do_next_read = false;
1142 serverConnection->close();
1143 }
1144
1145 return;
1146 }
1147
1148 // update I/O stats
1149 if (len > 0) {
1150 readBuf->appended(len);
1151 reply_bytes_read += len;
1152 #if USE_DELAY_POOLS
1153 DelayId delayId = entry->mem_obj->mostBytesAllowed();
1154 delayId.bytesIn(len);
1155 #endif
1156
1157 kb_incr(&(statCounter.server.all.kbytes_in), len);
1158 kb_incr(&(statCounter.server.http.kbytes_in), len);
1159 ++ IOStats.Http.reads;
1160
1161 for (clen = len - 1, bin = 0; clen; ++bin)
1162 clen >>= 1;
1163
1164 ++ IOStats.Http.read_hist[bin];
1165
1166 // update peer response time stats (%<pt)
1167 const timeval &sent = request->hier.peer_http_request_sent;
1168 request->hier.peer_response_time =
1169 sent.tv_sec ? tvSubMsec(sent, current_time) : -1;
1170 }
1171
1172 /** \par
1173 * Here the RFC says we should ignore whitespace between replies, but we can't as
1174 * doing so breaks HTTP/0.9 replies beginning with witespace, and in addition
1175 * the response splitting countermeasures is extremely likely to trigger on this,
1176 * not allowing connection reuse in the first place.
1177 *
1178 * 2012-02-10: which RFC? not 2068 or 2616,
1179 * tolerance there is all about whitespace between requests and header tokens.
1180 */
1181
1182 if (len == 0) { // reached EOF?
1183 eof = 1;
1184 flags.do_next_read = false;
1185
1186 /* Bug 2879: Replies may terminate with \r\n then EOF instead of \r\n\r\n
1187 * Ensure here that we have at minimum two \r\n when EOF is seen.
1188 * TODO: Add eof parameter to headersEnd() and move this hack there.
1189 */
1190 if (readBuf->contentSize() && !flags.headers_parsed) {
1191 /*
1192 * Yes Henrik, there is a point to doing this. When we
1193 * called httpProcessReplyHeader() before, we didn't find
1194 * the end of headers, but now we are definately at EOF, so
1195 * we want to process the reply headers.
1196 */
1197 /* Fake an "end-of-headers" to work around such broken servers */
1198 readBuf->append("\r\n", 2);
1199 }
1200 }
1201
1202 processReply();
1203 }
1204
1205 /// processes the already read and buffered response data, possibly after
1206 /// waiting for asynchronous 1xx control message processing
1207 void
1208 HttpStateData::processReply()
1209 {
1210
1211 if (flags.handling1xx) { // we came back after handling a 1xx response
1212 debugs(11, 5, HERE << "done with 1xx handling");
1213 flags.handling1xx = false;
1214 Must(!flags.headers_parsed);
1215 }
1216
1217 if (!flags.headers_parsed) { // have not parsed headers yet?
1218 PROF_start(HttpStateData_processReplyHeader);
1219 processReplyHeader();
1220 PROF_stop(HttpStateData_processReplyHeader);
1221
1222 if (!continueAfterParsingHeader()) // parsing error or need more data
1223 return; // TODO: send errors to ICAP
1224
1225 adaptOrFinalizeReply(); // may write to, abort, or "close" the entry
1226 }
1227
1228 // kick more reads if needed and/or process the response body, if any
1229 PROF_start(HttpStateData_processReplyBody);
1230 processReplyBody(); // may call serverComplete()
1231 PROF_stop(HttpStateData_processReplyBody);
1232 }
1233
1234 /**
1235 \retval true if we can continue with processing the body or doing ICAP.
1236 */
1237 bool
1238 HttpStateData::continueAfterParsingHeader()
1239 {
1240 if (flags.handling1xx) {
1241 debugs(11, 5, HERE << "wait for 1xx handling");
1242 Must(!flags.headers_parsed);
1243 return false;
1244 }
1245
1246 if (!flags.headers_parsed && !eof) {
1247 debugs(11, 9, HERE << "needs more at " << readBuf->contentSize());
1248 flags.do_next_read = true;
1249 /** \retval false If we have not finished parsing the headers and may get more data.
1250 * Schedules more reads to retrieve the missing data.
1251 */
1252 maybeReadVirginBody(); // schedules all kinds of reads; TODO: rename
1253 return false;
1254 }
1255
1256 /** If we are done with parsing, check for errors */
1257
1258 err_type error = ERR_NONE;
1259
1260 if (flags.headers_parsed) { // parsed headers, possibly with errors
1261 // check for header parsing errors
1262 if (HttpReply *vrep = virginReply()) {
1263 const Http::StatusCode s = vrep->sline.status();
1264 const Http::ProtocolVersion &v = vrep->sline.version;
1265 if (s == Http::scInvalidHeader && v != Http::ProtocolVersion(0,9)) {
1266 debugs(11, DBG_IMPORTANT, "WARNING: HTTP: Invalid Response: Bad header encountered from " << entry->url() << " AKA " << request->GetHost() << request->urlpath.termedBuf() );
1267 error = ERR_INVALID_RESP;
1268 } else if (s == Http::scHeaderTooLarge) {
1269 fwd->dontRetry(true);
1270 error = ERR_TOO_BIG;
1271 } else {
1272 return true; // done parsing, got reply, and no error
1273 }
1274 } else {
1275 // parsed headers but got no reply
1276 debugs(11, DBG_IMPORTANT, "WARNING: HTTP: Invalid Response: No reply at all for " << entry->url() << " AKA " << request->GetHost() << request->urlpath.termedBuf() );
1277 error = ERR_INVALID_RESP;
1278 }
1279 } else {
1280 assert(eof);
1281 if (readBuf->hasContent()) {
1282 error = ERR_INVALID_RESP;
1283 debugs(11, DBG_IMPORTANT, "WARNING: HTTP: Invalid Response: Headers did not parse at all for " << entry->url() << " AKA " << request->GetHost() << request->urlpath.termedBuf() );
1284 } else {
1285 error = ERR_ZERO_SIZE_OBJECT;
1286 debugs(11, (request->flags.accelerated?DBG_IMPORTANT:2), "WARNING: HTTP: Invalid Response: No object data received for " <<
1287 entry->url() << " AKA " << request->GetHost() << request->urlpath.termedBuf() );
1288 }
1289 }
1290
1291 assert(error != ERR_NONE);
1292 entry->reset();
1293 fwd->fail(new ErrorState(error, Http::scBadGateway, fwd->request));
1294 flags.do_next_read = false;
1295 serverConnection->close();
1296 return false; // quit on error
1297 }
1298
1299 /** truncate what we read if we read too much so that writeReplyBody()
1300 writes no more than what we should have read */
1301 void
1302 HttpStateData::truncateVirginBody()
1303 {
1304 assert(flags.headers_parsed);
1305
1306 HttpReply *vrep = virginReply();
1307 int64_t clen = -1;
1308 if (!vrep->expectingBody(request->method, clen) || clen < 0)
1309 return; // no body or a body of unknown size, including chunked
1310
1311 const int64_t body_bytes_read = reply_bytes_read - header_bytes_read;
1312 if (body_bytes_read - body_bytes_truncated <= clen)
1313 return; // we did not read too much or already took care of the extras
1314
1315 if (const int64_t extras = body_bytes_read - body_bytes_truncated - clen) {
1316 // server sent more that the advertised content length
1317 debugs(11,5, HERE << "body_bytes_read=" << body_bytes_read <<
1318 " clen=" << clen << '/' << vrep->content_length <<
1319 " body_bytes_truncated=" << body_bytes_truncated << '+' << extras);
1320
1321 readBuf->truncate(extras);
1322 body_bytes_truncated += extras;
1323 }
1324 }
1325
1326 /**
1327 * Call this when there is data from the origin server
1328 * which should be sent to either StoreEntry, or to ICAP...
1329 */
1330 void
1331 HttpStateData::writeReplyBody()
1332 {
1333 truncateVirginBody(); // if needed
1334 const char *data = readBuf->content();
1335 int len = readBuf->contentSize();
1336 addVirginReplyBody(data, len);
1337 readBuf->consume(len);
1338 }
1339
1340 bool
1341 HttpStateData::decodeAndWriteReplyBody()
1342 {
1343 const char *data = NULL;
1344 int len;
1345 bool wasThereAnException = false;
1346 assert(flags.chunked);
1347 assert(httpChunkDecoder);
1348 SQUID_ENTER_THROWING_CODE();
1349 MemBuf decodedData;
1350 decodedData.init();
1351 const bool doneParsing = httpChunkDecoder->parse(readBuf,&decodedData);
1352 len = decodedData.contentSize();
1353 data=decodedData.content();
1354 addVirginReplyBody(data, len);
1355 if (doneParsing) {
1356 lastChunk = 1;
1357 flags.do_next_read = false;
1358 }
1359 SQUID_EXIT_THROWING_CODE(wasThereAnException);
1360 return wasThereAnException;
1361 }
1362
1363 /**
1364 * processReplyBody has two purposes:
1365 * 1 - take the reply body data, if any, and put it into either
1366 * the StoreEntry, or give it over to ICAP.
1367 * 2 - see if we made it to the end of the response (persistent
1368 * connections and such)
1369 */
1370 void
1371 HttpStateData::processReplyBody()
1372 {
1373 Ip::Address client_addr;
1374 bool ispinned = false;
1375
1376 if (!flags.headers_parsed) {
1377 flags.do_next_read = true;
1378 maybeReadVirginBody();
1379 return;
1380 }
1381
1382 #if USE_ADAPTATION
1383 debugs(11,5, HERE << "adaptationAccessCheckPending=" << adaptationAccessCheckPending);
1384 if (adaptationAccessCheckPending)
1385 return;
1386
1387 #endif
1388
1389 /*
1390 * At this point the reply headers have been parsed and consumed.
1391 * That means header content has been removed from readBuf and
1392 * it contains only body data.
1393 */
1394 if (entry->isAccepting()) {
1395 if (flags.chunked) {
1396 if (!decodeAndWriteReplyBody()) {
1397 flags.do_next_read = false;
1398 serverComplete();
1399 return;
1400 }
1401 } else
1402 writeReplyBody();
1403 }
1404
1405 if (EBIT_TEST(entry->flags, ENTRY_ABORTED)) {
1406 // The above writeReplyBody() call may have aborted the store entry.
1407 abortTransaction("store entry aborted while storing reply");
1408 return;
1409 } else
1410 switch (persistentConnStatus()) {
1411 case INCOMPLETE_MSG: {
1412 debugs(11, 5, "processReplyBody: INCOMPLETE_MSG from " << serverConnection);
1413 /* Wait for more data or EOF condition */
1414 AsyncCall::Pointer nil;
1415 if (flags.keepalive_broken) {
1416 commSetConnTimeout(serverConnection, 10, nil);
1417 } else {
1418 commSetConnTimeout(serverConnection, Config.Timeout.read, nil);
1419 }
1420
1421 flags.do_next_read = true;
1422 }
1423 break;
1424
1425 case COMPLETE_PERSISTENT_MSG:
1426 debugs(11, 5, "processReplyBody: COMPLETE_PERSISTENT_MSG from " << serverConnection);
1427 /* yes we have to clear all these! */
1428 commUnsetConnTimeout(serverConnection);
1429 flags.do_next_read = false;
1430
1431 comm_remove_close_handler(serverConnection->fd, closeHandler);
1432 closeHandler = NULL;
1433 fwd->unregister(serverConnection);
1434
1435 if (request->flags.spoofClientIp)
1436 client_addr = request->client_addr;
1437
1438 if (request->flags.pinned) {
1439 ispinned = true;
1440 } else if (request->flags.connectionAuth && request->flags.authSent) {
1441 ispinned = true;
1442 }
1443
1444 if (ispinned && request->clientConnectionManager.valid()) {
1445 request->clientConnectionManager->pinConnection(serverConnection, request, _peer,
1446 (request->flags.connectionAuth));
1447 } else {
1448 fwd->pconnPush(serverConnection, request->GetHost());
1449 }
1450
1451 serverConnection = NULL;
1452 serverComplete();
1453 return;
1454
1455 case COMPLETE_NONPERSISTENT_MSG:
1456 debugs(11, 5, "processReplyBody: COMPLETE_NONPERSISTENT_MSG from " << serverConnection);
1457 serverComplete();
1458 return;
1459 }
1460
1461 maybeReadVirginBody();
1462 }
1463
1464 void
1465 HttpStateData::maybeReadVirginBody()
1466 {
1467 // too late to read
1468 if (!Comm::IsConnOpen(serverConnection) || fd_table[serverConnection->fd].closing())
1469 return;
1470
1471 // we may need to grow the buffer if headers do not fit
1472 const int minRead = flags.headers_parsed ? 0 :1024;
1473 const int read_size = replyBodySpace(*readBuf, minRead);
1474
1475 debugs(11,9, HERE << (flags.do_next_read ? "may" : "wont") <<
1476 " read up to " << read_size << " bytes from " << serverConnection);
1477
1478 /*
1479 * why <2? Because delayAwareRead() won't actually read if
1480 * you ask it to read 1 byte. The delayed read request
1481 * just gets re-queued until the client side drains, then
1482 * the I/O thread hangs. Better to not register any read
1483 * handler until we get a notification from someone that
1484 * its okay to read again.
1485 */
1486 if (read_size < 2)
1487 return;
1488
1489 if (flags.do_next_read) {
1490 flags.do_next_read = false;
1491 typedef CommCbMemFunT<HttpStateData, CommIoCbParams> Dialer;
1492 entry->delayAwareRead(serverConnection, readBuf->space(read_size), read_size,
1493 JobCallback(11, 5, Dialer, this, HttpStateData::readReply));
1494 }
1495 }
1496
1497 /// called after writing the very last request byte (body, last-chunk, etc)
1498 void
1499 HttpStateData::wroteLast(const CommIoCbParams &io)
1500 {
1501 debugs(11, 5, HERE << serverConnection << ": size " << io.size << ": errflag " << io.flag << ".");
1502 #if URL_CHECKSUM_DEBUG
1503
1504 entry->mem_obj->checkUrlChecksum();
1505 #endif
1506
1507 if (io.size > 0) {
1508 fd_bytes(io.fd, io.size, FD_WRITE);
1509 kb_incr(&(statCounter.server.all.kbytes_out), io.size);
1510 kb_incr(&(statCounter.server.http.kbytes_out), io.size);
1511 }
1512
1513 if (io.flag == COMM_ERR_CLOSING)
1514 return;
1515
1516 if (io.flag) {
1517 ErrorState *err = new ErrorState(ERR_WRITE_ERROR, Http::scBadGateway, fwd->request);
1518 err->xerrno = io.xerrno;
1519 fwd->fail(err);
1520 serverConnection->close();
1521 return;
1522 }
1523
1524 sendComplete();
1525 }
1526
1527 /// successfully wrote the entire request (including body, last-chunk, etc.)
1528 void
1529 HttpStateData::sendComplete()
1530 {
1531 /*
1532 * Set the read timeout here because it hasn't been set yet.
1533 * We only set the read timeout after the request has been
1534 * fully written to the server-side. If we start the timeout
1535 * after connection establishment, then we are likely to hit
1536 * the timeout for POST/PUT requests that have very large
1537 * request bodies.
1538 */
1539 typedef CommCbMemFunT<HttpStateData, CommTimeoutCbParams> TimeoutDialer;
1540 AsyncCall::Pointer timeoutCall = JobCallback(11, 5,
1541 TimeoutDialer, this, HttpStateData::httpTimeout);
1542
1543 commSetConnTimeout(serverConnection, Config.Timeout.read, timeoutCall);
1544 flags.request_sent = true;
1545 request->hier.peer_http_request_sent = current_time;
1546 }
1547
1548 // Close the HTTP server connection. Used by serverComplete().
1549 void
1550 HttpStateData::closeServer()
1551 {
1552 debugs(11,5, HERE << "closing HTTP server " << serverConnection << " this " << this);
1553
1554 if (Comm::IsConnOpen(serverConnection)) {
1555 fwd->unregister(serverConnection);
1556 comm_remove_close_handler(serverConnection->fd, closeHandler);
1557 closeHandler = NULL;
1558 serverConnection->close();
1559 }
1560 }
1561
1562 bool
1563 HttpStateData::doneWithServer() const
1564 {
1565 return !Comm::IsConnOpen(serverConnection);
1566 }
1567
1568 /*
1569 * Fixup authentication request headers for special cases
1570 */
1571 static void
1572 httpFixupAuthentication(HttpRequest * request, const HttpHeader * hdr_in, HttpHeader * hdr_out, const HttpStateFlags &flags)
1573 {
1574 http_hdr_type header = flags.originpeer ? HDR_AUTHORIZATION : HDR_PROXY_AUTHORIZATION;
1575
1576 /* Nothing to do unless we are forwarding to a peer */
1577 if (!request->flags.proxying)
1578 return;
1579
1580 /* Needs to be explicitly enabled */
1581 if (!request->peer_login)
1582 return;
1583
1584 /* Maybe already dealt with? */
1585 if (hdr_out->has(header))
1586 return;
1587
1588 /* Nothing to do here for PASSTHRU */
1589 if (strcmp(request->peer_login, "PASSTHRU") == 0)
1590 return;
1591
1592 /* PROXYPASS is a special case, single-signon to servers with the proxy password (basic only) */
1593 if (flags.originpeer && strcmp(request->peer_login, "PROXYPASS") == 0 && hdr_in->has(HDR_PROXY_AUTHORIZATION)) {
1594 const char *auth = hdr_in->getStr(HDR_PROXY_AUTHORIZATION);
1595
1596 if (auth && strncasecmp(auth, "basic ", 6) == 0) {
1597 hdr_out->putStr(header, auth);
1598 return;
1599 }
1600 }
1601
1602 /* Special mode to pass the username to the upstream cache */
1603 if (*request->peer_login == '*') {
1604 char loginbuf[256];
1605 const char *username = "-";
1606
1607 if (request->extacl_user.size())
1608 username = request->extacl_user.termedBuf();
1609 #if USE_AUTH
1610 else if (request->auth_user_request != NULL)
1611 username = request->auth_user_request->username();
1612 #endif
1613
1614 snprintf(loginbuf, sizeof(loginbuf), "%s%s", username, request->peer_login + 1);
1615
1616 httpHeaderPutStrf(hdr_out, header, "Basic %s",
1617 old_base64_encode(loginbuf));
1618 return;
1619 }
1620
1621 /* external_acl provided credentials */
1622 if (request->extacl_user.size() && request->extacl_passwd.size() &&
1623 (strcmp(request->peer_login, "PASS") == 0 ||
1624 strcmp(request->peer_login, "PROXYPASS") == 0)) {
1625 char loginbuf[256];
1626 snprintf(loginbuf, sizeof(loginbuf), SQUIDSTRINGPH ":" SQUIDSTRINGPH,
1627 SQUIDSTRINGPRINT(request->extacl_user),
1628 SQUIDSTRINGPRINT(request->extacl_passwd));
1629 httpHeaderPutStrf(hdr_out, header, "Basic %s",
1630 old_base64_encode(loginbuf));
1631 return;
1632 }
1633 // if no external user credentials are available to fake authentication with PASS acts like PASSTHRU
1634 if (strcmp(request->peer_login, "PASS") == 0)
1635 return;
1636
1637 /* Kerberos login to peer */
1638 #if HAVE_AUTH_MODULE_NEGOTIATE && HAVE_KRB5 && HAVE_GSSAPI
1639 if (strncmp(request->peer_login, "NEGOTIATE",strlen("NEGOTIATE")) == 0) {
1640 char *Token=NULL;
1641 char *PrincipalName=NULL,*p;
1642 if ((p=strchr(request->peer_login,':')) != NULL ) {
1643 PrincipalName=++p;
1644 }
1645 Token = peer_proxy_negotiate_auth(PrincipalName, request->peer_host);
1646 if (Token) {
1647 httpHeaderPutStrf(hdr_out, header, "Negotiate %s",Token);
1648 }
1649 return;
1650 }
1651 #endif /* HAVE_KRB5 && HAVE_GSSAPI */
1652
1653 httpHeaderPutStrf(hdr_out, header, "Basic %s",
1654 old_base64_encode(request->peer_login));
1655 return;
1656 }
1657
1658 /*
1659 * build request headers and append them to a given MemBuf
1660 * used by buildRequestPrefix()
1661 * note: initialised the HttpHeader, the caller is responsible for Clean()-ing
1662 */
1663 void
1664 HttpStateData::httpBuildRequestHeader(HttpRequest * request,
1665 StoreEntry * entry,
1666 const AccessLogEntryPointer &al,
1667 HttpHeader * hdr_out,
1668 const HttpStateFlags &flags)
1669 {
1670 /* building buffer for complex strings */
1671 #define BBUF_SZ (MAX_URL+32)
1672 LOCAL_ARRAY(char, bbuf, BBUF_SZ);
1673 LOCAL_ARRAY(char, ntoabuf, MAX_IPSTRLEN);
1674 const HttpHeader *hdr_in = &request->header;
1675 const HttpHeaderEntry *e = NULL;
1676 HttpHeaderPos pos = HttpHeaderInitPos;
1677 assert (hdr_out->owner == hoRequest);
1678
1679 /* append our IMS header */
1680 if (request->lastmod > -1)
1681 hdr_out->putTime(HDR_IF_MODIFIED_SINCE, request->lastmod);
1682
1683 bool we_do_ranges = decideIfWeDoRanges (request);
1684
1685 String strConnection (hdr_in->getList(HDR_CONNECTION));
1686
1687 while ((e = hdr_in->getEntry(&pos)))
1688 copyOneHeaderFromClientsideRequestToUpstreamRequest(e, strConnection, request, hdr_out, we_do_ranges, flags);
1689
1690 /* Abstraction break: We should interpret multipart/byterange responses
1691 * into offset-length data, and this works around our inability to do so.
1692 */
1693 if (!we_do_ranges && request->multipartRangeRequest()) {
1694 /* don't cache the result */
1695 request->flags.cachable = false;
1696 /* pretend it's not a range request */
1697 delete request->range;
1698 request->range = NULL;
1699 request->flags.isRanged = false;
1700 }
1701
1702 /* append Via */
1703 if (Config.onoff.via) {
1704 String strVia;
1705 strVia = hdr_in->getList(HDR_VIA);
1706 snprintf(bbuf, BBUF_SZ, "%d.%d %s",
1707 request->http_ver.major,
1708 request->http_ver.minor, ThisCache);
1709 strListAdd(&strVia, bbuf, ',');
1710 hdr_out->putStr(HDR_VIA, strVia.termedBuf());
1711 strVia.clean();
1712 }
1713
1714 if (request->flags.accelerated) {
1715 /* Append Surrogate-Capabilities */
1716 String strSurrogate(hdr_in->getList(HDR_SURROGATE_CAPABILITY));
1717 #if USE_SQUID_ESI
1718 snprintf(bbuf, BBUF_SZ, "%s=\"Surrogate/1.0 ESI/1.0\"", Config.Accel.surrogate_id);
1719 #else
1720 snprintf(bbuf, BBUF_SZ, "%s=\"Surrogate/1.0\"", Config.Accel.surrogate_id);
1721 #endif
1722 strListAdd(&strSurrogate, bbuf, ',');
1723 hdr_out->putStr(HDR_SURROGATE_CAPABILITY, strSurrogate.termedBuf());
1724 }
1725
1726 /** \pre Handle X-Forwarded-For */
1727 if (strcmp(opt_forwarded_for, "delete") != 0) {
1728
1729 String strFwd = hdr_in->getList(HDR_X_FORWARDED_FOR);
1730
1731 if (strFwd.size() > 65536/2) {
1732 // There is probably a forwarding loop with Via detection disabled.
1733 // If we do nothing, String will assert on overflow soon.
1734 // TODO: Terminate all transactions with huge XFF?
1735 strFwd = "error";
1736
1737 static int warnedCount = 0;
1738 if (warnedCount++ < 100) {
1739 const char *url = entry ? entry->url() : urlCanonical(request);
1740 debugs(11, DBG_IMPORTANT, "Warning: likely forwarding loop with " << url);
1741 }
1742 }
1743
1744 if (strcmp(opt_forwarded_for, "on") == 0) {
1745 /** If set to ON - append client IP or 'unknown'. */
1746 if ( request->client_addr.IsNoAddr() )
1747 strListAdd(&strFwd, "unknown", ',');
1748 else
1749 strListAdd(&strFwd, request->client_addr.NtoA(ntoabuf, MAX_IPSTRLEN), ',');
1750 } else if (strcmp(opt_forwarded_for, "off") == 0) {
1751 /** If set to OFF - append 'unknown'. */
1752 strListAdd(&strFwd, "unknown", ',');
1753 } else if (strcmp(opt_forwarded_for, "transparent") == 0) {
1754 /** If set to TRANSPARENT - pass through unchanged. */
1755 } else if (strcmp(opt_forwarded_for, "truncate") == 0) {
1756 /** If set to TRUNCATE - drop existing list and replace with client IP or 'unknown'. */
1757 if ( request->client_addr.IsNoAddr() )
1758 strFwd = "unknown";
1759 else
1760 strFwd = request->client_addr.NtoA(ntoabuf, MAX_IPSTRLEN);
1761 }
1762 if (strFwd.size() > 0)
1763 hdr_out->putStr(HDR_X_FORWARDED_FOR, strFwd.termedBuf());
1764 }
1765 /** If set to DELETE - do not copy through. */
1766
1767 /* append Host if not there already */
1768 if (!hdr_out->has(HDR_HOST)) {
1769 if (request->peer_domain) {
1770 hdr_out->putStr(HDR_HOST, request->peer_domain);
1771 } else if (request->port == urlDefaultPort(request->protocol)) {
1772 /* use port# only if not default */
1773 hdr_out->putStr(HDR_HOST, request->GetHost());
1774 } else {
1775 httpHeaderPutStrf(hdr_out, HDR_HOST, "%s:%d",
1776 request->GetHost(),
1777 (int) request->port);
1778 }
1779 }
1780
1781 /* append Authorization if known in URL, not in header and going direct */
1782 if (!hdr_out->has(HDR_AUTHORIZATION)) {
1783 if (!request->flags.proxying && request->login[0] != '\0') {
1784 httpHeaderPutStrf(hdr_out, HDR_AUTHORIZATION, "Basic %s",
1785 old_base64_encode(request->login));
1786 }
1787 }
1788
1789 /* Fixup (Proxy-)Authorization special cases. Plain relaying dealt with above */
1790 httpFixupAuthentication(request, hdr_in, hdr_out, flags);
1791
1792 /* append Cache-Control, add max-age if not there already */
1793 {
1794 HttpHdrCc *cc = hdr_in->getCc();
1795
1796 if (!cc)
1797 cc = new HttpHdrCc();
1798
1799 #if 0 /* see bug 2330 */
1800 /* Set no-cache if determined needed but not found */
1801 if (request->flags.nocache)
1802 EBIT_SET(cc->mask, CC_NO_CACHE);
1803 #endif
1804
1805 /* Add max-age only without no-cache */
1806 if (!cc->hasMaxAge() && !cc->noCache()) {
1807 const char *url =
1808 entry ? entry->url() : urlCanonical(request);
1809 cc->maxAge(getMaxAge(url));
1810
1811 }
1812
1813 /* Enforce sibling relations */
1814 if (flags.only_if_cached)
1815 cc->onlyIfCached(true);
1816
1817 hdr_out->putCc(cc);
1818
1819 delete cc;
1820 }
1821
1822 /* maybe append Connection: keep-alive */
1823 if (flags.keepalive) {
1824 hdr_out->putStr(HDR_CONNECTION, "keep-alive");
1825 }
1826
1827 /* append Front-End-Https */
1828 if (flags.front_end_https) {
1829 if (flags.front_end_https == 1 || request->protocol == AnyP::PROTO_HTTPS)
1830 hdr_out->putStr(HDR_FRONT_END_HTTPS, "On");
1831 }
1832
1833 if (flags.chunked_request) {
1834 // Do not just copy the original value so that if the client-side
1835 // starts decode other encodings, this code may remain valid.
1836 hdr_out->putStr(HDR_TRANSFER_ENCODING, "chunked");
1837 }
1838
1839 /* Now mangle the headers. */
1840 if (Config2.onoff.mangle_request_headers)
1841 httpHdrMangleList(hdr_out, request, ROR_REQUEST);
1842
1843 if (Config.request_header_add && !Config.request_header_add->empty())
1844 httpHdrAdd(hdr_out, request, al, *Config.request_header_add);
1845
1846 strConnection.clean();
1847 }
1848
1849 /**
1850 * Decides whether a particular header may be cloned from the received Clients request
1851 * to our outgoing fetch request.
1852 */
1853 void
1854 copyOneHeaderFromClientsideRequestToUpstreamRequest(const HttpHeaderEntry *e, const String strConnection, const HttpRequest * request, HttpHeader * hdr_out, const int we_do_ranges, const HttpStateFlags &flags)
1855 {
1856 debugs(11, 5, "httpBuildRequestHeader: " << e->name << ": " << e->value );
1857
1858 switch (e->id) {
1859
1860 /** \par RFC 2616 sect 13.5.1 - Hop-by-Hop headers which Squid should not pass on. */
1861
1862 case HDR_PROXY_AUTHORIZATION:
1863 /** \par Proxy-Authorization:
1864 * Only pass on proxy authentication to peers for which
1865 * authentication forwarding is explicitly enabled
1866 */
1867 if (!flags.originpeer && flags.proxying && request->peer_login &&
1868 (strcmp(request->peer_login, "PASS") == 0 ||
1869 strcmp(request->peer_login, "PROXYPASS") == 0 ||
1870 strcmp(request->peer_login, "PASSTHRU") == 0)) {
1871 hdr_out->addEntry(e->clone());
1872 }
1873 break;
1874
1875 /** \par RFC 2616 sect 13.5.1 - Hop-by-Hop headers which Squid does not pass on. */
1876
1877 case HDR_CONNECTION: /** \par Connection: */
1878 case HDR_TE: /** \par TE: */
1879 case HDR_KEEP_ALIVE: /** \par Keep-Alive: */
1880 case HDR_PROXY_AUTHENTICATE: /** \par Proxy-Authenticate: */
1881 case HDR_TRAILER: /** \par Trailer: */
1882 case HDR_UPGRADE: /** \par Upgrade: */
1883 case HDR_TRANSFER_ENCODING: /** \par Transfer-Encoding: */
1884 break;
1885
1886 /** \par OTHER headers I haven't bothered to track down yet. */
1887
1888 case HDR_AUTHORIZATION:
1889 /** \par WWW-Authorization:
1890 * Pass on WWW authentication */
1891
1892 if (!flags.originpeer) {
1893 hdr_out->addEntry(e->clone());
1894 } else {
1895 /** \note In accelerators, only forward authentication if enabled
1896 * (see also httpFixupAuthentication for special cases)
1897 */
1898 if (request->peer_login &&
1899 (strcmp(request->peer_login, "PASS") == 0 ||
1900 strcmp(request->peer_login, "PASSTHRU") == 0 ||
1901 strcmp(request->peer_login, "PROXYPASS") == 0)) {
1902 hdr_out->addEntry(e->clone());
1903 }
1904 }
1905
1906 break;
1907
1908 case HDR_HOST:
1909 /** \par Host:
1910 * Normally Squid rewrites the Host: header.
1911 * However, there is one case when we don't: If the URL
1912 * went through our redirector and the admin configured
1913 * 'redir_rewrites_host' to be off.
1914 */
1915 if (request->peer_domain)
1916 hdr_out->putStr(HDR_HOST, request->peer_domain);
1917 else if (request->flags.redirected && !Config.onoff.redir_rewrites_host)
1918 hdr_out->addEntry(e->clone());
1919 else {
1920 /* use port# only if not default */
1921
1922 if (request->port == urlDefaultPort(request->protocol)) {
1923 hdr_out->putStr(HDR_HOST, request->GetHost());
1924 } else {
1925 httpHeaderPutStrf(hdr_out, HDR_HOST, "%s:%d",
1926 request->GetHost(),
1927 (int) request->port);
1928 }
1929 }
1930
1931 break;
1932
1933 case HDR_IF_MODIFIED_SINCE:
1934 /** \par If-Modified-Since:
1935 * append unless we added our own;
1936 * \note at most one client's ims header can pass through */
1937
1938 if (!hdr_out->has(HDR_IF_MODIFIED_SINCE))
1939 hdr_out->addEntry(e->clone());
1940
1941 break;
1942
1943 case HDR_MAX_FORWARDS:
1944 /** \par Max-Forwards:
1945 * pass only on TRACE or OPTIONS requests */
1946 if (request->method == Http::METHOD_TRACE || request->method == Http::METHOD_OPTIONS) {
1947 const int64_t hops = e->getInt64();
1948
1949 if (hops > 0)
1950 hdr_out->putInt64(HDR_MAX_FORWARDS, hops - 1);
1951 }
1952
1953 break;
1954
1955 case HDR_VIA:
1956 /** \par Via:
1957 * If Via is disabled then forward any received header as-is.
1958 * Otherwise leave for explicit updated addition later. */
1959
1960 if (!Config.onoff.via)
1961 hdr_out->addEntry(e->clone());
1962
1963 break;
1964
1965 case HDR_RANGE:
1966
1967 case HDR_IF_RANGE:
1968
1969 case HDR_REQUEST_RANGE:
1970 /** \par Range:, If-Range:, Request-Range:
1971 * Only pass if we accept ranges */
1972 if (!we_do_ranges)
1973 hdr_out->addEntry(e->clone());
1974
1975 break;
1976
1977 case HDR_PROXY_CONNECTION: // SHOULD ignore. But doing so breaks things.
1978 break;
1979
1980 case HDR_CONTENT_LENGTH:
1981 // pass through unless we chunk; also, keeping this away from default
1982 // prevents request smuggling via Connection: Content-Length tricks
1983 if (!flags.chunked_request)
1984 hdr_out->addEntry(e->clone());
1985 break;
1986
1987 case HDR_X_FORWARDED_FOR:
1988
1989 case HDR_CACHE_CONTROL:
1990 /** \par X-Forwarded-For:, Cache-Control:
1991 * handled specially by Squid, so leave off for now.
1992 * append these after the loop if needed */
1993 break;
1994
1995 case HDR_FRONT_END_HTTPS:
1996 /** \par Front-End-Https:
1997 * Pass thru only if peer is configured with front-end-https */
1998 if (!flags.front_end_https)
1999 hdr_out->addEntry(e->clone());
2000
2001 break;
2002
2003 default:
2004 /** \par default.
2005 * pass on all other header fields
2006 * which are NOT listed by the special Connection: header. */
2007
2008 if (strConnection.size()>0 && strListIsMember(&strConnection, e->name.termedBuf(), ',')) {
2009 debugs(11, 2, "'" << e->name << "' header cropped by Connection: definition");
2010 return;
2011 }
2012
2013 hdr_out->addEntry(e->clone());
2014 }
2015 }
2016
2017 bool
2018 HttpStateData::decideIfWeDoRanges (HttpRequest * request)
2019 {
2020 bool result = true;
2021 /* decide if we want to do Ranges ourselves
2022 * and fetch the whole object now)
2023 * We want to handle Ranges ourselves iff
2024 * - we can actually parse client Range specs
2025 * - the specs are expected to be simple enough (e.g. no out-of-order ranges)
2026 * - reply will be cachable
2027 * (If the reply will be uncachable we have to throw it away after
2028 * serving this request, so it is better to forward ranges to
2029 * the server and fetch only the requested content)
2030 */
2031
2032 int64_t roffLimit = request->getRangeOffsetLimit();
2033
2034 if (NULL == request->range || !request->flags.cachable
2035 || request->range->offsetLimitExceeded(roffLimit) || request->flags.connectionAuth)
2036 result = false;
2037
2038 debugs(11, 8, "decideIfWeDoRanges: range specs: " <<
2039 request->range << ", cachable: " <<
2040 request->flags.cachable << "; we_do_ranges: " << result);
2041
2042 return result;
2043 }
2044
2045 /* build request prefix and append it to a given MemBuf;
2046 * return the length of the prefix */
2047 mb_size_t
2048 HttpStateData::buildRequestPrefix(MemBuf * mb)
2049 {
2050 const int offset = mb->size;
2051 /* Uses a local httpver variable to print the HTTP/1.1 label
2052 * since the HttpRequest may have an older version label.
2053 * XXX: This could create protocol bugs as the headers sent and
2054 * flow control should all be based on the HttpRequest version
2055 * not the one we are sending. Needs checking.
2056 */
2057 Http::ProtocolVersion httpver(1,1);
2058 const char * url;
2059 if (_peer && !_peer->options.originserver)
2060 url = entry->url();
2061 else
2062 url = request->urlpath.termedBuf();
2063 mb->Printf("%s %s %s/%d.%d\r\n",
2064 RequestMethodStr(request->method),
2065 url && *url ? url : "/",
2066 AnyP::ProtocolType_str[httpver.protocol],
2067 httpver.major,httpver.minor);
2068 /* build and pack headers */
2069 {
2070 HttpHeader hdr(hoRequest);
2071 Packer p;
2072 httpBuildRequestHeader(request, entry, fwd->al, &hdr, flags);
2073
2074 if (request->flags.pinned && request->flags.connectionAuth)
2075 request->flags.authSent = true;
2076 else if (hdr.has(HDR_AUTHORIZATION))
2077 request->flags.authSent = true;
2078
2079 packerToMemInit(&p, mb);
2080 hdr.packInto(&p);
2081 hdr.clean();
2082 packerClean(&p);
2083 }
2084 /* append header terminator */
2085 mb->append(crlf, 2);
2086 return mb->size - offset;
2087 }
2088
2089 /* This will be called when connect completes. Write request. */
2090 bool
2091 HttpStateData::sendRequest()
2092 {
2093 MemBuf mb;
2094
2095 debugs(11, 5, HERE << serverConnection << ", request " << request << ", this " << this << ".");
2096
2097 if (!Comm::IsConnOpen(serverConnection)) {
2098 debugs(11,3, HERE << "cannot send request to closing " << serverConnection);
2099 assert(closeHandler != NULL);
2100 return false;
2101 }
2102
2103 typedef CommCbMemFunT<HttpStateData, CommTimeoutCbParams> TimeoutDialer;
2104 AsyncCall::Pointer timeoutCall = JobCallback(11, 5,
2105 TimeoutDialer, this, HttpStateData::httpTimeout);
2106 commSetConnTimeout(serverConnection, Config.Timeout.lifetime, timeoutCall);
2107 flags.do_next_read = true;
2108 maybeReadVirginBody();
2109
2110 if (request->body_pipe != NULL) {
2111 if (!startRequestBodyFlow()) // register to receive body data
2112 return false;
2113 typedef CommCbMemFunT<HttpStateData, CommIoCbParams> Dialer;
2114 requestSender = JobCallback(11,5,
2115 Dialer, this, HttpStateData::sentRequestBody);
2116
2117 Must(!flags.chunked_request);
2118 // use chunked encoding if we do not know the length
2119 if (request->content_length < 0)
2120 flags.chunked_request = true;
2121 } else {
2122 assert(!requestBodySource);
2123 typedef CommCbMemFunT<HttpStateData, CommIoCbParams> Dialer;
2124 requestSender = JobCallback(11,5,
2125 Dialer, this, HttpStateData::wroteLast);
2126 }
2127
2128 flags.originpeer = (_peer != NULL && _peer->options.originserver);
2129 flags.proxying = (_peer != NULL && !flags.originpeer);
2130
2131 /*
2132 * Is keep-alive okay for all request methods?
2133 */
2134 if (request->flags.mustKeepalive)
2135 flags.keepalive = true;
2136 else if (request->flags.pinned)
2137 flags.keepalive = request->persistent();
2138 else if (!Config.onoff.server_pconns)
2139 flags.keepalive = false;
2140 else if (_peer == NULL)
2141 flags.keepalive = true;
2142 else if (_peer->stats.n_keepalives_sent < 10)
2143 flags.keepalive = true;
2144 else if ((double) _peer->stats.n_keepalives_recv /
2145 (double) _peer->stats.n_keepalives_sent > 0.50)
2146 flags.keepalive = true;
2147
2148 if (_peer) {
2149 /*The old code here was
2150 if (neighborType(_peer, request) == PEER_SIBLING && ...
2151 which is equivalent to:
2152 if (neighborType(_peer, NULL) == PEER_SIBLING && ...
2153 or better:
2154 if (((_peer->type == PEER_MULTICAST && p->options.mcast_siblings) ||
2155 _peer->type == PEER_SIBLINGS ) && _peer->options.allow_miss)
2156 flags.only_if_cached = 1;
2157
2158 But I suppose it was a bug
2159 */
2160 if (neighborType(_peer, request) == PEER_SIBLING &&
2161 !_peer->options.allow_miss)
2162 flags.only_if_cached = true;
2163
2164 flags.front_end_https = _peer->front_end_https;
2165 }
2166
2167 mb.init();
2168 request->peer_host=_peer?_peer->host:NULL;
2169 buildRequestPrefix(&mb);
2170
2171 debugs(11, 2, "HTTP Server " << serverConnection);
2172 debugs(11, 2, "HTTP Server REQUEST:\n---------\n" << mb.buf << "\n----------");
2173
2174 Comm::Write(serverConnection, &mb, requestSender);
2175 return true;
2176 }
2177
2178 bool
2179 HttpStateData::getMoreRequestBody(MemBuf &buf)
2180 {
2181 // parent's implementation can handle the no-encoding case
2182 if (!flags.chunked_request)
2183 return ServerStateData::getMoreRequestBody(buf);
2184
2185 MemBuf raw;
2186
2187 Must(requestBodySource != NULL);
2188 if (!requestBodySource->getMoreData(raw))
2189 return false; // no request body bytes to chunk yet
2190
2191 // optimization: pre-allocate buffer size that should be enough
2192 const mb_size_t rawDataSize = raw.contentSize();
2193 // we may need to send: hex-chunk-size CRLF raw-data CRLF last-chunk
2194 buf.init(16 + 2 + rawDataSize + 2 + 5, raw.max_capacity);
2195
2196 buf.Printf("%x\r\n", static_cast<unsigned int>(rawDataSize));
2197 buf.append(raw.content(), rawDataSize);
2198 buf.Printf("\r\n");
2199
2200 Must(rawDataSize > 0); // we did not accidently created last-chunk above
2201
2202 // Do not send last-chunk unless we successfully received everything
2203 if (receivedWholeRequestBody) {
2204 Must(!flags.sentLastChunk);
2205 flags.sentLastChunk = true;
2206 buf.append("0\r\n\r\n", 5);
2207 }
2208
2209 return true;
2210 }
2211
2212 void
2213 httpStart(FwdState *fwd)
2214 {
2215 debugs(11, 3, "httpStart: \"" << RequestMethodStr(fwd->request->method) << " " << fwd->entry->url() << "\"" );
2216 AsyncJob::Start(new HttpStateData(fwd));
2217 }
2218
2219 void
2220 HttpStateData::start()
2221 {
2222 if (!sendRequest()) {
2223 debugs(11, 3, "httpStart: aborted");
2224 mustStop("HttpStateData::start failed");
2225 return;
2226 }
2227
2228 ++ statCounter.server.all.requests;
2229 ++ statCounter.server.http.requests;
2230
2231 /*
2232 * We used to set the read timeout here, but not any more.
2233 * Now its set in httpSendComplete() after the full request,
2234 * including request body, has been written to the server.
2235 */
2236 }
2237
2238 /// if broken posts are enabled for the request, try to fix and return true
2239 bool
2240 HttpStateData::finishingBrokenPost()
2241 {
2242 #if USE_HTTP_VIOLATIONS
2243 if (!Config.accessList.brokenPosts) {
2244 debugs(11, 5, HERE << "No brokenPosts list");
2245 return false;
2246 }
2247
2248 ACLFilledChecklist ch(Config.accessList.brokenPosts, originalRequest(), NULL);
2249 if (ch.fastCheck() != ACCESS_ALLOWED) {
2250 debugs(11, 5, HERE << "didn't match brokenPosts");
2251 return false;
2252 }
2253
2254 if (!Comm::IsConnOpen(serverConnection)) {
2255 debugs(11, 3, HERE << "ignoring broken POST for closed " << serverConnection);
2256 assert(closeHandler != NULL);
2257 return true; // prevent caller from proceeding as if nothing happened
2258 }
2259
2260 debugs(11, 3, "finishingBrokenPost: fixing broken POST");
2261 typedef CommCbMemFunT<HttpStateData, CommIoCbParams> Dialer;
2262 requestSender = JobCallback(11,5,
2263 Dialer, this, HttpStateData::wroteLast);
2264 Comm::Write(serverConnection, "\r\n", 2, requestSender, NULL);
2265 return true;
2266 #else
2267 return false;
2268 #endif /* USE_HTTP_VIOLATIONS */
2269 }
2270
2271 /// if needed, write last-chunk to end the request body and return true
2272 bool
2273 HttpStateData::finishingChunkedRequest()
2274 {
2275 if (flags.sentLastChunk) {
2276 debugs(11, 5, HERE << "already sent last-chunk");
2277 return false;
2278 }
2279
2280 Must(receivedWholeRequestBody); // or we should not be sending last-chunk
2281 flags.sentLastChunk = true;
2282
2283 typedef CommCbMemFunT<HttpStateData, CommIoCbParams> Dialer;
2284 requestSender = JobCallback(11,5, Dialer, this, HttpStateData::wroteLast);
2285 Comm::Write(serverConnection, "0\r\n\r\n", 5, requestSender, NULL);
2286 return true;
2287 }
2288
2289 void
2290 HttpStateData::doneSendingRequestBody()
2291 {
2292 ServerStateData::doneSendingRequestBody();
2293 debugs(11,5, HERE << serverConnection);
2294
2295 // do we need to write something after the last body byte?
2296 if (flags.chunked_request && finishingChunkedRequest())
2297 return;
2298 if (!flags.chunked_request && finishingBrokenPost())
2299 return;
2300
2301 sendComplete();
2302 }
2303
2304 // more origin request body data is available
2305 void
2306 HttpStateData::handleMoreRequestBodyAvailable()
2307 {
2308 if (eof || !Comm::IsConnOpen(serverConnection)) {
2309 // XXX: we should check this condition in other callbacks then!
2310 // TODO: Check whether this can actually happen: We should unsubscribe
2311 // as a body consumer when the above condition(s) are detected.
2312 debugs(11, DBG_IMPORTANT, HERE << "Transaction aborted while reading HTTP body");
2313 return;
2314 }
2315
2316 assert(requestBodySource != NULL);
2317
2318 if (requestBodySource->buf().hasContent()) {
2319 // XXX: why does not this trigger a debug message on every request?
2320
2321 if (flags.headers_parsed && !flags.abuse_detected) {
2322 flags.abuse_detected = true;
2323 debugs(11, DBG_IMPORTANT, "http handleMoreRequestBodyAvailable: Likely proxy abuse detected '" << request->client_addr << "' -> '" << entry->url() << "'" );
2324
2325 if (virginReply()->sline.status() == Http::scInvalidHeader) {
2326 serverConnection->close();
2327 return;
2328 }
2329 }
2330 }
2331
2332 HttpStateData::handleMoreRequestBodyAvailable();
2333 }
2334
2335 // premature end of the request body
2336 void
2337 HttpStateData::handleRequestBodyProducerAborted()
2338 {
2339 ServerStateData::handleRequestBodyProducerAborted();
2340 if (entry->isEmpty()) {
2341 debugs(11, 3, "request body aborted: " << serverConnection);
2342 // We usually get here when ICAP REQMOD aborts during body processing.
2343 // We might also get here if client-side aborts, but then our response
2344 // should not matter because either client-side will provide its own or
2345 // there will be no response at all (e.g., if the the client has left).
2346 ErrorState *err = new ErrorState(ERR_ICAP_FAILURE, Http::scInternalServerError, fwd->request);
2347 err->detailError(ERR_DETAIL_SRV_REQMOD_REQ_BODY);
2348 fwd->fail(err);
2349 }
2350
2351 abortTransaction("request body producer aborted");
2352 }
2353
2354 // called when we wrote request headers(!) or a part of the body
2355 void
2356 HttpStateData::sentRequestBody(const CommIoCbParams &io)
2357 {
2358 if (io.size > 0)
2359 kb_incr(&statCounter.server.http.kbytes_out, io.size);
2360
2361 ServerStateData::sentRequestBody(io);
2362 }
2363
2364 // Quickly abort the transaction
2365 // TODO: destruction should be sufficient as the destructor should cleanup,
2366 // including canceling close handlers
2367 void
2368 HttpStateData::abortTransaction(const char *reason)
2369 {
2370 debugs(11,5, HERE << "aborting transaction for " << reason <<
2371 "; " << serverConnection << ", this " << this);
2372
2373 if (Comm::IsConnOpen(serverConnection)) {
2374 serverConnection->close();
2375 return;
2376 }
2377
2378 fwd->handleUnregisteredServerEnd();
2379 mustStop("HttpStateData::abortTransaction");
2380 }
Mirror of https://github.com/squid-cache/squid.git