Amos Jeffries [Tue, 26 Mar 2013 10:33:10 +0000 (04:33 -0600)]
HTTP/1.1: partial support for no-cache and private= controls with parameters
Since we now support HTTP/1.1 storage and revalidation of
Cache-Control:no-cache it is important that we at least detect the cases
where no-cache= and private= contain parameters.
These are likely still rare occurances due to the historic lack of
support. So for now Squid just detects and exempts these responses from
the caching performed. The basic framework for adding handling of the
header lists is made available but not at this time used.
Amos Jeffries [Wed, 20 Mar 2013 04:48:17 +0000 (22:48 -0600)]
Fix bogus 'invalid response' message on URL rewriter interface
The empty-line response from rewriter and redirector should be converted
to ERR reply code in the new API. It was being left as Unknown.
While this reply used to only be valid on URL helper interface, and it
woudl be more appropriate to map other helpers to BH the ERR response
seems to be safe for use on any of the helper interfaces for an empty
line response. At worst it will prevent the lookup being re-tried on
other possibly better working helper instance.
Amos Jeffries [Mon, 18 Mar 2013 10:10:13 +0000 (04:10 -0600)]
Polish: clarify authenticate_ip_ttl code
This patch alters the directive implementation to only perform TTL
addition when setting the expiry value. This improves speed a little when
comparing timestamps, and allows the config file to display 1 second TTL
instead of displaying 0 seconds and actually being 0-1 seconds.
Which resolves some confusion about why max_user_ip ACL still works when
the TTL is set to 0 seconds.
Also, document the AuthUserIP class used to store the IP information.
Amos Jeffries [Mon, 18 Mar 2013 04:55:51 +0000 (22:55 -0600)]
SourceLayout: shuffle HttpStatusLine into http/libsquid-http.la
* moves HttpStatusLine.* to http/StatusLine.*
* renames HttpStatusLine to Http::StatusLine
* renames httpStatusLine*() functions as members of Http::StatusLine
* shuffles StatusCode string conversion function into http/StatusCode
* makes reason parameter of StatusLine::set() function optional.
There is no logic change involved but callers now no longer need to
set it to the status code string explicitly, nor need to set it to NULL
explicitly unless intending to replace an existing status string.
* adds const-correctness and documentation to StatusLine symbols.
Alex Rousskov [Thu, 14 Mar 2013 23:04:37 +0000 (17:04 -0600)]
Fix concurrency support in stateless helpers: Parse multiple replies correctly.
When multiple helper replies were read at the same time, the old code moved \0
(former EoM mark) in front of the buffer after handling the first reply, which
prevented remaining replies from being parsed.
The code also did not terminate the remaining replies correctly after moving
them to the beginning of the buffer. As far as I could test, such termination
is accidentally(?) not necessary, but I could not figure out why and added it
anyway.
Amos Jeffries [Mon, 11 Mar 2013 23:28:51 +0000 (17:28 -0600)]
Fix SSL Bump bypass for intercepted traffic
The SSL-bump bypass code on intercepted HTTPS traffic generates a fake
CONNECT request from the original destination IP:port in an attempt to
trigger a TCP tunnel being opened for the un-bumped data to be
transferred over.
The current implementation breaks in two situations:
1) when IPv6 traffic is intercepted
The URL field generated does not account for the additional []
requirements involved when IPv6+port are combined.
The resulting fake requests look like:
CONNECT ::1:443 HTTP/1.1
Host: ::1
... which are both invalid, and will fail to parse. Breaking IPv6 HTTPS
interception bypass.
Resolve this by using Ip::Address::ToURL() function which was created
for the purpose of generating URL hostnames from raw-IP + port with
the bracketing inserted when required.
2) when a non-443 port is being intercepted
The Host: header generated is missing the port and Squid Host: header
validity will reject the outbound
CONNECT 127.0.0.1:8443 HTTP/1.1
Host: 127.0.0.1
... this is an invalid request. Squid is currently ignoring the Host
header. However Squid tunnel.cc does make use of peering and may relay
the fake request Host: to upstream peers where we cannot be so sure what
will happen.
Resolve this issue by re-using the generated IP:port string for both URL
and Host: fields, which preserves teh port in Host: regardless of value.
This also means there is an unnecessary :443 tagged on for most HTTPS
traffic, however the omission of port from the Host: header is only a MAY
and this should not cause any issues.
Amos Jeffries [Thu, 7 Mar 2013 23:40:02 +0000 (12:40 +1300)]
Regression fix: Accept-Language header parse
When handling error page negotiation the header parse to detect language
code can enter into an infinite loop. Recover the 3.1 series behaviour
and fix an additional pre-existing off-by-1 error.
The errors were introduced in trunk rev.11496 in 3.2.0.9.
Amos Jeffries [Sun, 3 Mar 2013 12:44:30 +0000 (05:44 -0700)]
Fix authentication headers sent on peer digest requests
Cache digest fetches have been sending the cache_peer login= option
value without sanitizing it for special-case values used internally
by Squid. This causes authentication failure on peers which are checking
user credentials.
Tianyin Xu [Sun, 3 Mar 2013 07:10:22 +0000 (00:10 -0700)]
Make all the parameter names and options case sensitive
Changes "strcasecmp" to "strcmp".
This mainly deals with constant configuration options (e.g., enumerative
options and boolean options). For directive names, it's already
consistent (case sensitive), the parser functions are auto-generated.
The case sensitivity of the following parameter values is not changed:
- user and group names
- host names
- domain and realm names
- ACL names
- filesystem names
- options in request/response/digest messages
The cases which were earlier causing a lot of RAM 'leaks' have been
resolved already and the remaining causes appear to all be in components
with short packet handling pathways where the orphan is not wasting much
in the way of RAM bytes or FD time.
The trace is left at level-4 for future debugging if necessary.
Amos Jeffries [Tue, 26 Feb 2013 00:34:52 +0000 (13:34 +1300)]
MacOS: reduce the testRock unit test UDS path
On MacOS shm_open() requires the name entry to be less than 31 bytes
long. The garbage name used by testRock was 35 bytes and not really
describing what it was used for in the test anyway.
TODO: find out and fix why MacOS still responds EINVAL once the path
is set to a usable length.
Amos Jeffries [Sun, 24 Feb 2013 07:26:26 +0000 (00:26 -0700)]
MacOS: workaround compiler errors and case-insensitivity
MacOS GCC version implicitly searches the local directory for .h includes
despite the absence of -I. in the provided options.
Furthermore it searches with case-insensitive filenames due to the
underlying case-insensitive filesystem.
The combined result is that libacl .cc files include their local copy of
acl/Url.h instead of the base directories src/URL.h which was needed.
The long term fix will be to shuffle URL.h and its related code into
a convenience library. For now we can avoid issues by prefixing the full
src/ path to the includes.
Amos Jeffries [Fri, 22 Feb 2013 13:26:12 +0000 (02:26 +1300)]
SourceLayout: shuffle BasicAuthQueueNode to Auth:: namespace
... and document what it is used for by authentication.
There is only one logic change in this patch. The QueueNode destructor
is added to clear the queued CBDATA entries when the queue is deleted.
Previously the pointer was just erased in hopes that the queue was
notified prior to deletion.
Amos Jeffries [Mon, 18 Feb 2013 13:02:42 +0000 (02:02 +1300)]
Removes the domain from the cache_peer server pconn key
Under the squid-3.2 pconn model the IP:port specifying the destination
are part of the key and can be used to strictly filter selection when
locating pconn. This means the domain is no longer a necessary part
of the key.
Squid using cache_peer can see a large number of wasted idle connections
to their peers due to the key domain value if the peer hostname is not
substituted properly. There is also a similar affect when contacting
servers with virtual hosted domains.
Also a bug was located with peer host and name= values being used
inconsistently as the domain marker. Resulting in failed pop() operations
and extra FD usage.
This has been tested for several months now with only socket usage
benefits seen in several production networks.
NOTE: previous experience some years back with pconn has demonstrated
several broken web servers which assume all requests on a persistent
connection are for the same virtual host. For now this change avoids
altering the behaviour on DIRECT traffic for this reason.
Since debugs() is a macro, it should not change static Debugs::level
before putting the debug message to the internal stream. Otherwise we
encounter problems when debug message itself containg calls to debugs().
Amos Jeffries [Tue, 12 Feb 2013 11:34:35 +0000 (00:34 +1300)]
Polish: Drop redundant HttpMsgPointerT template
Despite the object and API changes being rather extensive
there are no logic changes in this patch.
The HttpMsgPointerT template was used to ref-count HttpMsg
objects and its children. It provided an API identical to
the RefCount API plus a few extensions for handling
polymorphism cast operations in the background.
This patch:
* update HttpMsg class hierarchy to use Lock API directly
removing the _lock() and _unlock() virtual functions.
* update HttpControlMsg to use a HttpReply::Pointer directly
since this type is available to that class a re-definition
using HttpMsg* casting was not needed.
* update HTTPMSGLOCK() macro not to return a HttpMsg*
The API polymorphism extensions provided by
HttpMsgPointerT<> were only necessary to handle the
HttpMsg* object casting this macro made a requirement.
Once that assignment casting is removed the entire
API extensions are no longer used.
Amos Jeffries [Mon, 11 Feb 2013 23:11:12 +0000 (16:11 -0700)]
SourceLayout: Shuffle and collate the log result codes symbols
This collates all the small definitions spread around Squid for defining
and handling the TCP_* and UDP_* result code tags logged by Squid.
* log_type enumeration shuffled from enums.h
* log_type increment operator shuffled from client_db
* log_type strings shuffled from Format:: and built automatically
* is-HIT lookup test shuffled from ICP
Due to LogTags.cc being automatically built from the enum list we define
the shuffled functions as inline. This is not a problem due to their small
size. When the LogTags type is converted to a class thay can be de-inlined.
Amos Jeffries [Sat, 9 Feb 2013 10:45:25 +0000 (03:45 -0700)]
Attempt alternative method of snapshot cleanup.
Something in the sed regex patterns is not matching the snapshots detected
by the ls pattern. We can skip the sed and use the full file path ls
found to remove the snapshot.
Amos Jeffries [Sat, 9 Feb 2013 05:16:04 +0000 (22:16 -0700)]
Polish: call maxObjectSze virtual in SwapDir.
Say "virtual" explicitly in this
case to remind us that maxObjectSize() is a part of the [semi-broken]
Store API and not some SwapDir "own" method. This will help us when we
polish the API to remove the common Store root.
Amos Jeffries [Sat, 9 Feb 2013 00:44:07 +0000 (17:44 -0700)]
Bug 3686: cache_dir max-size default fails
If some cache_dir are configured with max-size and some not the default
maximum_object_size limit fails.
This refactors the max-size management code such that each SwapDir always
has a value maxObjectSize(). This value is calculated from the SwapDir
local setting or global limit as appropriate.
The global maximum_object_size directive is migrated to simply be a default
for cache_dir max-size= option.
The global store_maxobjsize variable is altered to be the overall global
limit on how big an object may be cache by this proxy. It now takes into
account the max-size for all cache_dir and cache_mem limitation.
NP: The slow accumulation of these and earlier changes means Squid no
longer immediately caches unknown-length objects. The unit-tests are
therefore changed to test using explicit 0-length objects to ensure the
test is on a cached object not bypassing the apparently ested logic.
They are also provided with a large global store_maxobjsize limit in order
to do a weak test of the SwapDir types max-size in the presence of other
larger cache_dir or maximum_object_size settings.
Alex Rousskov [Fri, 8 Feb 2013 04:14:50 +0000 (21:14 -0700)]
Make squid -z for cache_dir rock work like UFS instead of like COSS.
Polish -z documentation and cache.log reporting.
When a startup script runs squid -z by mistake against a cache_dir that is
already initialized and full of cached entries, some admins prefer that
nothing happens. Rock store now skips reinitialization if both the cache_dir
directory and the db file in that directory exist. If one or both are missing,
the missing pieces are created.
UFS does something similar because it creates missing L1 and L2 directories
but does not erase any entries already present in the cache_dir path. COSS,
OTOH, re-initializes the existing db. Rock behavior will now be closer to UFS.
To clean a corrupted cache_dir, the admin must remove its top-level directory
before running squid -z.
Squid now logs "Creating missing swap directories" instead of "Creating Swap
Directories", and our documentation now reflects the "if missing" part of the
-z algorithm.
Also documented that recent Squid versions run -z in daemon mode (so that SMP
configuration macros continue to work).
Amos Jeffries [Tue, 5 Feb 2013 07:47:28 +0000 (20:47 +1300)]
Migrate HttpMsg to Lock refcounting
First stage of the conversion to RefCount<>. This replaces the custom
attempt at ref-count locking in HttpMsg with the locking mechanism
presented by class Lock.
Alex Rousskov [Mon, 4 Feb 2013 17:39:23 +0000 (10:39 -0700)]
Bug 3752: objects that cannot be cached in memory are not cached on disk
if cache_dir max-size is used.
This fix contains four related changes:
1) When fixing "trimMemory for unswappable objects" (trunk r11969), we
replaced swapoutPossible() with swappingOut()||mayStartSwapOut() but missed
the fact that swapoutPossible() had "possible now" semantics while
mayStartSwapOut() has "may start now or in the future" semantics. When all
cache_dirs had max-size set, mayStartSwapOut() returned false for objects of
unknown size and even for smaller-than-maximum but not-yet-received objects,
despite the fact that those objects could be swapped out later.
That false mayStartSwapOut() result allowed maybeTrimMemory() to trim those
objects memory and mark the objects for release, preventing their subsequent
disk caching.
2) To fix (1) above, mayStartSwapOut() had to return true for not-yet-received
objects of unknown size. However, returning true is correct only if no
subsequent check can return false. Thus, we had to move all lower/later checks
that could return false up, placing them before the maximum-of-all-max-sizes
check.
3) Once (2) was done, the end of mayStartSwapOut() had (a) a loop that could
return true while setting decision to MemObject::SwapOut::swPossible and (b)
an unconditional code that did ... the same thing. Thus, the loop could no
longer change the method outcome. The loop also had a lot of doubts and XXXs
attached to it. We removed it. If that loop is needed, it is needed and must
be resurrected elsewhere.
4) Since mayStartSwapOut() returns true if swapout is possible in the future
(but not necessarily now), we cannot rely on its return value to initiate
swapout code. We need to test whether swapout.decision is swPossible instead.