]> git.ipfire.org Git - thirdparty/squid.git/blame - src/FwdState.cc
projects / thirdparty / squid.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
SourceFormat Enforcement
[thirdparty/squid.git] / src / FwdState.cc
CommitLineData
41462d93 1/*
4ac4a490 2 * Copyright (C) 1996-2017 The Squid Software Foundation and contributors
e25c139f 3 *
bbc27441
AJ		 4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
41462d93 7 */
8
bbc27441
AJ		 9/* DEBUG: section 17 Request Forwarding */
10
582c2af2 11#include "squid.h"
4bf68cfa 12#include "AccessLogEntry.h"
289848ca 13#include "acl/Address.h"
c0941a6a
AR		 14#include "acl/FilledChecklist.h"
15#include "acl/Gadgets.h"
5ae65581 16#include "anyp/PortCfg.h"
25b481e6 17#include "CacheManager.h"
602d9612 18#include "CachePeer.h"
582c2af2 19#include "client_side.h"
92ae4c86 20#include "clients/forward.h"
f9b72e0c 21#include "comm/Connection.h"
aed188fd 22#include "comm/ConnOpener.h"
d841c88d 23#include "comm/Loops.h"
582c2af2 24#include "CommCalls.h"
aa839030 25#include "errorpage.h"
582c2af2 26#include "event.h"
fc54b8d2 27#include "fd.h"
aa839030 28#include "fde.h"
eb13c21e 29#include "FwdState.h"
582c2af2 30#include "globals.h"
fc54b8d2 31#include "gopher.h"
bbaf2685 32#include "hier_code.h"
fc54b8d2 33#include "http.h"
d3dddfb5 34#include "http/Stream.h"
924f73bc 35#include "HttpReply.h"
aa839030 36#include "HttpRequest.h"
582c2af2 37#include "icmp/net_db.h"
fc54b8d2 38#include "internal.h"
582c2af2 39#include "ip/Intercept.h"
425de4c8 40#include "ip/QosConfig.h"
582c2af2 41#include "ip/tools.h"
aa839030 42#include "MemObject.h"
582c2af2 43#include "mgr/Registration.h"
fc54b8d2 44#include "neighbors.h"
781ce8ff 45#include "pconn.h"
e8dca475 46#include "PeerPoolMgr.h"
cfd66529 47#include "PeerSelectState.h"
a72b6e88 48#include "security/BlindPeerConnector.h"
4d5904f7 49#include "SquidConfig.h"
aa839030 50#include "SquidTime.h"
32f1ca3f 51#include "ssl/PeekingPeerConnector.h"
aa839030 52#include "Store.h"
e87137f1 53#include "StoreClient.h"
5eb529cb 54#include "urn.h"
fc54b8d2 55#include "whois.h"
cb4f4424 56#if USE_OPENSSL
2cef0ca6
AR		 57#include "ssl/cert_validate_message.h"
58#include "ssl/Config.h"
4d16918e 59#include "ssl/ErrorDetail.h"
602d9612 60#include "ssl/helper.h"
fd4624d7 61#include "ssl/ServerBump.h"
602d9612 62#include "ssl/support.h"
fcfdf7f9
AJ		 63#else
64#include "security/EncryptorAnswer.h"
4db984be 65#endif
1a30fdf5
AJ		 66
67#include <cerrno>
cfd66529 68
6b679a01 69static PSC fwdPeerSelectionCompleteWrapper;
575d05c4 70static CLCB fwdServerClosedWrapper;
b6b6f466 71static CNCB fwdConnectDoneWrapper;
72
8ddcc35d 73static OBJH fwdStats;
74
75#define MAX_FWD_STATS_IDX 9
955394ce 76static int FwdReplyCodes[MAX_FWD_STATS_IDX + 1][Http::scInvalidHeader + 1];
db1cd23c 77
d5430dc8 78static PconnPool *fwdPconnPool = new PconnPool("server-peers", NULL);
b6b6f466 79CBDATA_CLASS_INIT(FwdState);
781ce8ff 80
a72b6e88 81class FwdStatePeerAnswerDialer: public CallDialer, public Security::PeerConnector::CbDialer
a23223bf
CT		 82{
83public:
fcfdf7f9 84 typedef void (FwdState::*Method)(Security::EncryptorAnswer &);
a23223bf
CT		 85
86 FwdStatePeerAnswerDialer(Method method, FwdState *fwd):
f53969cc 87 method_(method), fwd_(fwd), answer_() {}
a23223bf
CT		 88
89 /* CallDialer API */
90 virtual bool canDial(AsyncCall &call) { return fwd_.valid(); }
91 void dial(AsyncCall &call) { ((&(*fwd_))->*method_)(answer_); }
92 virtual void print(std::ostream &os) const {
e2849af8
A		 93 os << '(' << fwd_.get() << ", " << answer_ << ')';
94 }
a23223bf 95
a72b6e88 96 /* Security::PeerConnector::CbDialer API */
fcfdf7f9 97 virtual Security::EncryptorAnswer &answer() { return answer_; }
a23223bf
CT		 98
99private:
100 Method method_;
101 CbcPointer<FwdState> fwd_;
fcfdf7f9 102 Security::EncryptorAnswer answer_;
a23223bf 103};
a23223bf 104
429871db 105void
106FwdState::abort(void* d)
107{
108 FwdState* fwd = (FwdState*)d;
6ecaf21a 109 Pointer tmp = fwd; // Grab a temporary pointer to keep the object alive during our scope.
429871db 110
6b679a01 111 if (Comm::IsConnOpen(fwd->serverConnection())) {
e8dca475 112 fwd->closeServerConnection("store entry aborted");
6dd9a2e4
AJ		 113 } else {
114 debugs(17, 7, HERE << "store entry aborted; no connection to close");
cff02fa6 115 }
c33a88ca 116 fwd->serverDestinations.clear();
429871db 117 fwd->self = NULL;
118}
119
e8dca475
CT		 120void
121FwdState::closeServerConnection(const char *reason)
122{
123 debugs(17, 3, "because " << reason << "; " << serverConn);
398bc066
CT		 124 comm_remove_close_handler(serverConn->fd, closeHandler);
125 closeHandler = NULL;
e8dca475
CT		 126 fwdPconnPool->noteUses(fd_table[serverConn->fd].pconn.uses);
127 serverConn->close();
128}
129
b6b6f466 130/**** PUBLIC INTERFACE ********************************************************/
c7f9eb6d 131
4bf68cfa 132FwdState::FwdState(const Comm::ConnectionPointer &client, StoreEntry * e, HttpRequest * r, const AccessLogEntryPointer &alp):
cc8c4af2
AJ		 133 entry(e),
134 request(r),
135 al(alp),
136 err(NULL),
137 clientConn(client),
138 start_t(squid_curtime),
139 n_tries(0),
140 pconnRace(raceImpossible)
db1cd23c 141{
cc8c4af2 142 debugs(17, 2, "Forwarding client request " << client << ", url=" << e->url());
b248c2a3 143 HTTPMSGLOCK(request);
00ae51e4 144 serverDestinations.reserve(Config.forward_max_tries);
1bfe9ade 145 e->lock("FwdState");
b6b6f466 146 EBIT_SET(e->flags, ENTRY_FWD_HDR_WAIT);
cc8c4af2
AJ		 147 flags.connected_okay = false;
148 flags.dont_retry = false;
149 flags.forward_completed = false;
150 debugs(17, 3, "FwdState constructed, this=" << this);
7a0fb323 151}
152
153// Called once, right after object creation, when it is safe to set self
fc68f6b1 154void FwdState::start(Pointer aSelf)
155{
7a0fb323 156 // Protect ourselves from being destroyed when the only Server pointing
157 // to us is gone (while we expect to talk to more Servers later).
158 // Once we set self, we are responsible for clearing it when we do not
159 // expect to talk to any servers.
160 self = aSelf; // refcounted
161
162 // We hope that either the store entry aborts or peer is selected.
163 // Otherwise we are going to leak our object.
34266cde 164
92cfc72f
CT		 165 // Ftp::Relay needs to preserve control connection on data aborts
166 // so it registers its own abort handler that calls ours when needed.
167 if (!request->flags.ftpNative)
168 entry->registerAbort(FwdState::abort, this);
bfe4e2fe 169
32c32865 170#if STRICT_ORIGINAL_DST
bfe4e2fe
AJ		 171 // Bug 3243: CVE 2009-0801
172 // Bypass of browser same-origin access control in intercepted communication
173 // To resolve this we must force DIRECT and only to the original client destination.
0d901ef4 174 const bool isIntercepted = request && !request->flags.redirected && (request->flags.intercepted || request->flags.interceptTproxy);
2962f8b8
AJ		 175 const bool useOriginalDst = Config.onoff.client_dst_passthru || (request && !request->flags.hostVerified);
176 if (isIntercepted && useOriginalDst) {
d7ce0bcd 177 selectPeerForIntercepted();
7177edfb
AJ		 178 // 3.2 does not suppro re-wrapping inside CONNECT.
179 // our only alternative is to fake destination "found" and continue with the forwarding.
bfe4e2fe 180 startConnectionOrFail();
7177edfb 181 return;
bfe4e2fe 182 }
32c32865
AJ		 183#endif
184
7177edfb 185 // do full route options selection
d4806c91 186 peerSelect(&serverDestinations, request, al, entry, fwdPeerSelectionCompleteWrapper, this);
db1cd23c 187}
188
32c32865 189#if STRICT_ORIGINAL_DST
d7ce0bcd
AR		 190/// bypasses peerSelect() when dealing with intercepted requests
191void
192FwdState::selectPeerForIntercepted()
193{
194 // use pinned connection if available
195 Comm::ConnectionPointer p;
693cb033 196 if (ConnStateData *client = request->pinnedConnection()) {
d7ce0bcd 197 p = client->validatePinnedConnection(request, NULL);
693cb033
CT		 198 if (Comm::IsConnOpen(p)) {
199 /* duplicate peerSelectPinned() effects */
200 p->peerType = PINNED;
201 entry->ping_status = PING_DONE; /* Skip ICP */
d7ce0bcd 202
693cb033
CT		 203 debugs(17, 3, "reusing a pinned conn: " << *p);
204 serverDestinations.push_back(p);
205 } else {
206 debugs(17,2, "Pinned connection is not valid: " << p);
955394ce 207 ErrorState *anErr = new ErrorState(ERR_ZERO_SIZE_OBJECT, Http::scServiceUnavailable, request);
693cb033
CT		 208 fail(anErr);
209 }
210 // Either use the valid pinned connection or fail if it is invalid.
211 return;
d7ce0bcd
AR		 212 }
213
7177edfb
AJ		 214 // use client original destination as second preferred choice
215 p = new Comm::Connection();
216 p->peerType = ORIGINAL_DST;
217 p->remote = clientConn->local;
218 getOutgoingAddress(request, p);
219
220 debugs(17, 3, HERE << "using client original destination: " << *p);
d7ce0bcd
AR		 221 serverDestinations.push_back(p);
222}
32c32865 223#endif
d7ce0bcd 224
802a8c1d 225void
226FwdState::completed()
41462d93 227{
e857372a 228 if (flags.forward_completed) {
e0236918 229 debugs(17, DBG_IMPORTANT, HERE << "FwdState::completed called on a completed request! Bad!");
fc68f6b1 230 return;
231 }
232
e857372a 233 flags.forward_completed = true;
802a8c1d 234
16b70e2a
CT		 235 request->hier.stopPeerClock(false);
236
c4a88a3e
CT		 237 if (EBIT_TEST(entry->flags, ENTRY_ABORTED)) {
238 debugs(17, 3, HERE << "entry aborted");
239 return ;
240 }
241
bc87dc25 242#if URL_CHECKSUM_DEBUG
62e76326 243
b6b6f466 244 entry->mem_obj->checkUrlChecksum();
225644d7 245#endif
62e76326 246
b6b6f466 247 if (entry->store_status == STORE_PENDING) {
248 if (entry->isEmpty()) {
a04b7e6e 249 if (!err) // we quit (e.g., fd closed) before an error or content
955394ce 250 fail(new ErrorState(ERR_READ_ERROR, Http::scBadGateway, request));
b6b6f466 251 assert(err);
252 errorAppendEntry(entry, err);
253 err = NULL;
cb4f4424 254#if USE_OPENSSL
2cef0ca6
AR		 255 if (request->flags.sslPeek && request->clientConnectionManager.valid()) {
256 CallJobHere1(17, 4, request->clientConnectionManager, ConnStateData,
257 ConnStateData::httpsPeeked, Comm::ConnectionPointer(NULL));
258 }
259#endif
62e76326 260 } else {
b6b6f466 261 EBIT_CLR(entry->flags, ENTRY_FWD_HDR_WAIT);
262 entry->complete();
d88e3c49 263 entry->releaseRequest();
62e76326 264 }
f563eea9 265 }
62e76326 266
b6b6f466 267 if (storePendingNClients(entry) > 0)
268 assert(!EBIT_TEST(entry->flags, ENTRY_FWD_HDR_WAIT));
62e76326 269
802a8c1d 270}
271
272FwdState::~FwdState()
273{
cc8c4af2 274 debugs(17, 3, "FwdState destructor start");
fc68f6b1 275
802a8c1d 276 if (! flags.forward_completed)
fc68f6b1 277 completed();
802a8c1d 278
9d2760b6
AR		 279 doneWithRetries();
280
6dd9f4bd 281 HTTPMSGUNLOCK(request);
62e76326 282
913524f0 283 delete err;
62e76326 284
3900307b 285 entry->unregisterAbort();
429871db 286
1bfe9ade 287 entry->unlock("FwdState");
62e76326 288
b6b6f466 289 entry = NULL;
62e76326 290
e3a4aecc
AJ		 291 if (calls.connector != NULL) {
292 calls.connector->cancel("FwdState destructed");
293 calls.connector = NULL;
294 }
295
e8dca475
CT		 296 if (Comm::IsConnOpen(serverConn))
297 closeServerConnection("~FwdState");
fc68f6b1 298
c33a88ca 299 serverDestinations.clear();
cfd66529 300
cc8c4af2 301 debugs(17, 3, "FwdState destructed, this=" << this);
b6b6f466 302}
62e76326 303
38413773 304/**
b6b6f466 305 * This is the entry point for client-side to start forwarding
306 * a transaction. It is a static method that may or may not
307 * allocate a FwdState.
308 */
be0c6690 309void
4bf68cfa 310FwdState::Start(const Comm::ConnectionPointer &clientConn, StoreEntry *entry, HttpRequest *request, const AccessLogEntryPointer &al)
b6b6f466 311{
b50e327b 312 /** \note
b6b6f466 313 * client_addr == no_addr indicates this is an "internal" request
314 * from peer_digest.c, asn.c, netdb.c, etc and should always
315 * be allowed. yuck, I know.
316 */
62e76326 317
4dd643d5 318 if ( Config.accessList.miss && !request->client_addr.isNoAddr() &&
4e3f4dc7 319 !request->flags.internal && request->url.getScheme() != AnyP::PROTO_CACHE_OBJECT) {
b50e327b 320 /**
fbd3636b
NR		 321 * Check if this host is allowed to fetch MISSES from us (miss_access).
322 * Intentionally replace the src_addr automatically selected by the checklist code
323 * we do NOT want the indirect client address to be tested here.
b6b6f466 324 */
c0941a6a 325 ACLFilledChecklist ch(Config.accessList.miss, request, NULL);
b6b6f466 326 ch.src_addr = request->client_addr;
2efeb0b7 327 if (ch.fastCheck() == ACCESS_DENIED) {
b6b6f466 328 err_type page_id;
9ce7856a 329 page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, 1);
b6b6f466 330
331 if (page_id == ERR_NONE)
332 page_id = ERR_FORWARDING_DENIED;
333
955394ce 334 ErrorState *anErr = new ErrorState(page_id, Http::scForbidden, request);
f53969cc 335 errorAppendEntry(entry, anErr); // frees anErr
be0c6690 336 return;
b6b6f466 337 }
338 }
339
cfd66529 340 debugs(17, 3, HERE << "'" << entry->url() << "'");
f4ef658f 341 /*
342 * This seems like an odd place to bind mem_obj and request.
343 * Might want to assert that request is NULL at this point
344 */
b248c2a3
AJ		 345 entry->mem_obj->request = request;
346 HTTPMSGLOCK(entry->mem_obj->request);
b6b6f466 347#if URL_CHECKSUM_DEBUG
348
349 entry->mem_obj->checkUrlChecksum();
350#endif
351
352 if (shutting_down) {
353 /* more yuck */
955394ce 354 ErrorState *anErr = new ErrorState(ERR_SHUTTING_DOWN, Http::scServiceUnavailable, request);
f53969cc 355 errorAppendEntry(entry, anErr); // frees anErr
be0c6690 356 return;
6801f8a8 357 }
62e76326 358
4e3f4dc7
AJ		 359 if (request->flags.internal) {
360 debugs(17, 2, "calling internalStart() due to request flag");
e37bd29b 361 internalStart(clientConn, request, entry);
be0c6690 362 return;
4e3f4dc7
AJ		 363 }
364
365 switch (request->url.getScheme()) {
b6b6f466 366
39a19cb7 367 case AnyP::PROTO_CACHE_OBJECT:
4e3f4dc7 368 debugs(17, 2, "calling CacheManager due to request scheme " << request->url.getScheme());
5c336a3b 369 CacheManager::GetInstance()->Start(clientConn, request, entry);
be0c6690 370 return;
b6b6f466 371
0c3d3f65 372 case AnyP::PROTO_URN:
b6b6f466 373 urnStart(request, entry);
be0c6690 374 return;
b6b6f466 375
376 default:
4bf68cfa 377 FwdState::Pointer fwd = new FwdState(clientConn, entry, request, al);
7a0fb323 378 fwd->start(fwd);
be0c6690 379 return;
b6b6f466 380 }
381
382 /* NOTREACHED */
41462d93 383}
384
4bf68cfa
AR		 385void
386FwdState::fwdStart(const Comm::ConnectionPointer &clientConn, StoreEntry *entry, HttpRequest *request)
387{
388 // Hides AccessLogEntry.h from code that does not supply ALE anyway.
389 Start(clientConn, entry, request, NULL);
390}
391
cfd66529 392void
6b679a01 393FwdState::startConnectionOrFail()
cfd66529 394{
8652f8e7 395 debugs(17, 3, HERE << entry->url());
cfd66529 396
00ae51e4 397 if (serverDestinations.size() > 0) {
8652f8e7
AJ		 398 // Ditch error page if it was created before.
399 // A new one will be created if there's another problem
913524f0
AJ		 400 delete err;
401 err = NULL;
8652f8e7
AJ		 402
403 // Update the logging information about this new server connection.
404 // Done here before anything else so the errors get logged for
405 // this server link regardless of what happens when connecting to it.
406 // IF sucessfuly connected this top destination will become the serverConnection().
7d1dac79 407 syncHierNote(serverDestinations[0], request->url.host());
129fe2a1 408 request->clearError();
8652f8e7 409
cfd66529
AJ		 410 connectStart();
411 } else {
95b83010
CT		 412 debugs(17, 3, HERE << "Connection failed: " << entry->url());
413 if (!err) {
955394ce 414 ErrorState *anErr = new ErrorState(ERR_CANNOT_FORWARD, Http::scInternalServerError, request);
95b83010 415 fail(anErr);
8652f8e7 416 } // else use actual error from last connection attempt
cfd66529
AJ		 417 self = NULL; // refcounted
418 }
419}
420
b6b6f466 421void
422FwdState::fail(ErrorState * errorState)
423{
9b769c67 424 debugs(17, 3, err_type_str[errorState->type] << " \"" << Http::StatusCodeString(errorState->httpStatus) << "\"\n\t" << entry->url());
b6b6f466 425
913524f0 426 delete err;
b6b6f466 427 err = errorState;
428
b248c2a3
AJ		 429 if (!errorState->request) {
430 errorState->request = request;
431 HTTPMSGLOCK(errorState->request);
432 }
64b66b76 433
693cb033
CT		 434 if (err->type != ERR_ZERO_SIZE_OBJECT)
435 return;
436
437 if (pconnRace == racePossible) {
bc81ee68
AR		 438 debugs(17, 5, HERE << "pconn race happened");
439 pconnRace = raceHappened;
440 }
693cb033
CT		 441
442 if (ConnStateData *pinned_connection = request->pinnedConnection()) {
443 pinned_connection->pinning.zeroReply = true;
444 flags.dont_retry = true; // we want to propagate failure to the client
445 debugs(17, 4, "zero reply on pinned connection");
446 }
b6b6f466 447}
448
38413773 449/**
b6b6f466 450 * Frees fwdState without closing FD or generating an abort
451 */
452void
00ae51e4 453FwdState::unregister(Comm::ConnectionPointer &conn)
5229395c
AJ		 454{
455 debugs(17, 3, HERE << entry->url() );
456 assert(serverConnection() == conn);
6b679a01 457 assert(Comm::IsConnOpen(conn));
398bc066
CT		 458 comm_remove_close_handler(conn->fd, closeHandler);
459 closeHandler = NULL;
00ae51e4 460 serverConn = NULL;
5229395c
AJ		 461}
462
d5430dc8 463// \deprecated use unregister(Comm::ConnectionPointer &conn) instead
5229395c 464void
b6b6f466 465FwdState::unregister(int fd)
466{
5229395c
AJ		 467 debugs(17, 3, HERE << entry->url() );
468 assert(fd == serverConnection()->fd);
00ae51e4 469 unregister(serverConn);
b6b6f466 470}
471
38413773 472/**
d5430dc8 473 * FooClient modules call fwdComplete() when they are done
b6b6f466 474 * downloading an object. Then, we either 1) re-forward the
475 * request somewhere else if needed, or 2) call storeComplete()
476 * to finish it off
477 */
478void
479FwdState::complete()
480{
9b769c67 481 debugs(17, 3, HERE << entry->url() << "\n\tstatus " << entry->getReply()->sline.status());
b6b6f466 482#if URL_CHECKSUM_DEBUG
483
484 entry->mem_obj->checkUrlChecksum();
485#endif
486
9b769c67 487 logReplyStatus(n_tries, entry->getReply()->sline.status());
b6b6f466 488
489 if (reforward()) {
9b769c67 490 debugs(17, 3, HERE << "re-forwarding " << entry->getReply()->sline.status() << " " << entry->url());
b6b6f466 491
6b679a01 492 if (Comm::IsConnOpen(serverConn))
00ae51e4 493 unregister(serverConn);
b6b6f466 494
cfd66529
AJ		 495 entry->reset();
496
8652f8e7 497 // drop the last path off the selection list. try the next one.
523c3de3 498 serverDestinations.erase(serverDestinations.begin());
8652f8e7
AJ		 499 startConnectionOrFail();
500
b6b6f466 501 } else {
6b679a01 502 if (Comm::IsConnOpen(serverConn))
9b769c67 503 debugs(17, 3, HERE << "server FD " << serverConnection()->fd << " not re-forwarding status " << entry->getReply()->sline.status());
6b679a01 504 else
9b769c67 505 debugs(17, 3, HERE << "server (FD closed) not re-forwarding status " << entry->getReply()->sline.status());
9e5c22cf
AJ		 506 EBIT_CLR(entry->flags, ENTRY_FWD_HDR_WAIT);
507 entry->complete();
fc68f6b1 508
6b679a01 509 if (!Comm::IsConnOpen(serverConn))
fc68f6b1 510 completed();
511
7a0fb323 512 self = NULL; // refcounted
b6b6f466 513 }
514}
515
b6b6f466 516/**** CALLBACK WRAPPERS ************************************************************/
517
518static void
ced8def3 519fwdPeerSelectionCompleteWrapper(Comm::ConnectionList *, ErrorState *err, void *data)
b6b6f466 520{
521 FwdState *fwd = (FwdState *) data;
a37fdd8a
AJ		 522 if (err)
523 fwd->fail(err);
6b679a01 524 fwd->startConnectionOrFail();
b6b6f466 525}
526
527static void
575d05c4 528fwdServerClosedWrapper(const CommCloseCbParams &params)
b6b6f466 529{
575d05c4
AJ		 530 FwdState *fwd = (FwdState *)params.data;
531 fwd->serverClosed(params.fd);
b6b6f466 532}
533
cfd66529 534void
c8407295 535fwdConnectDoneWrapper(const Comm::ConnectionPointer &conn, Comm::Flag status, int xerrno, void *data)
b6b6f466 536{
537 FwdState *fwd = (FwdState *) data;
aed188fd 538 fwd->connectDone(conn, status, xerrno);
b6b6f466 539}
540
541/**** PRIVATE *****************************************************************/
542
545782b8 543/*
544 * FwdState::checkRetry
26ac0430 545 *
545782b8 546 * Return TRUE if the request SHOULD be retried. This method is
547 * called when the HTTP connection fails, or when the connection
d5430dc8 548 * is closed before reading the end of HTTP headers from the server.
545782b8 549 */
b6b6f466 550bool
551FwdState::checkRetry()
68bd6892 552{
d8fd0f18 553 if (shutting_down)
b6b6f466 554 return false;
62e76326 555
9d2760b6
AR		 556 if (!self) { // we have aborted before the server called us back
557 debugs(17, 5, HERE << "not retrying because of earlier abort");
558 // we will be destroyed when the server clears its Pointer to us
559 return false;
560 }
561
b6b6f466 562 if (entry->store_status != STORE_PENDING)
563 return false;
62e76326 564
b6b6f466 565 if (!entry->isEmpty())
566 return false;
62e76326 567
23a1e39c 568 if (n_tries > Config.forward_max_tries)
b6b6f466 569 return false;
4ed0e075 570
b6b6f466 571 if (squid_curtime - start_t > Config.Timeout.forward)
572 return false;
62e76326 573
b6b6f466 574 if (flags.dont_retry)
575 return false;
62e76326 576
3b9899f7
AR		 577 if (request->bodyNibbled())
578 return false;
579
0bbd5532
AJ		 580 // NP: not yet actually connected anywhere. retry is safe.
581 if (!flags.connected_okay)
582 return true;
583
5d4989a8 584 if (!checkRetriable())
585 return false;
586
b6b6f466 587 return true;
68bd6892 588}
589
afc753f3 590/// Whether we may try sending this request again after a failure.
b6b6f466 591bool
592FwdState::checkRetriable()
cb928909 593{
ccbcff0e
AR		 594 // Optimize: A compliant proxy may retry PUTs, but Squid lacks the [rather
595 // complicated] code required to protect the PUT request body from being
596 // nibbled during the first try. Thus, Squid cannot retry some PUTs today.
597 if (request->body_pipe != NULL)
598 return false;
599
c2a7cefd
AJ		 600 // RFC2616 9.1 Safe and Idempotent Methods
601 return (request->method.isHttpSafe() || request->method.isIdempotent());
cb928909 602}
603
b6b6f466 604void
605FwdState::serverClosed(int fd)
910169e5 606{
8ed21336 607 // XXX: fd is often -1 here
e8dca475 608 debugs(17, 2, "FD " << fd << " " << entry->url() << " after " <<
8ed21336
AR		 609 (fd >= 0 ? fd_table[fd].pconn.uses : -1) << " requests");
610 if (fd >= 0 && serverConnection()->fd == fd)
e8dca475 611 fwdPconnPool->noteUses(fd_table[fd].pconn.uses);
3e8c047e 612 retryOrBail();
613}
614
615void
26ac0430
AJ		 616FwdState::retryOrBail()
617{
b6b6f466 618 if (checkRetry()) {
cfd66529 619 debugs(17, 3, HERE << "re-forwarding (" << n_tries << " tries, " << (squid_curtime - start_t) << " secs)");
bc81ee68
AR		 620 // we should retry the same destination if it failed due to pconn race
621 if (pconnRace == raceHappened)
622 debugs(17, 4, HERE << "retrying the same destination");
623 else
b181c1df 624 serverDestinations.erase(serverDestinations.begin()); // last one failed. try another.
8652f8e7
AJ		 625 startConnectionOrFail();
626 return;
d8fd0f18 627 }
62e76326 628
9d2760b6
AR		 629 // TODO: should we call completed() here and move doneWithRetries there?
630 doneWithRetries();
631
16b70e2a
CT		 632 request->hier.stopPeerClock(false);
633
8f01bdfb 634 if (self != NULL && !err && shutting_down && entry->isEmpty()) {
955394ce 635 ErrorState *anErr = new ErrorState(ERR_SHUTTING_DOWN, Http::scServiceUnavailable, request);
f01d4b80 636 errorAppendEntry(entry, anErr);
f563eea9 637 }
62e76326 638
f53969cc 639 self = NULL; // refcounted
910169e5 640}
641
9d2760b6
AR		 642// If the Server quits before nibbling at the request body, the body sender
643// will not know (so that we can retry). Call this if we will not retry. We
644// will notify the sender so that it does not get stuck waiting for space.
645void
646FwdState::doneWithRetries()
647{
648 if (request && request->body_pipe != NULL)
649 request->body_pipe->expectNoConsumption();
650}
651
3e8c047e 652// called by the server that failed after calling unregister()
653void
654FwdState::handleUnregisteredServerEnd()
655{
cfd66529 656 debugs(17, 2, HERE << "self=" << self << " err=" << err << ' ' << entry->url());
6b679a01 657 assert(!Comm::IsConnOpen(serverConn));
3e8c047e 658 retryOrBail();
659}
660
b6b6f466 661void
c8407295 662FwdState::connectDone(const Comm::ConnectionPointer &conn, Comm::Flag status, int xerrno)
41462d93 663{
c8407295 664 if (status != Comm::OK) {
9c8a6c3b 665 ErrorState *const anErr = makeConnectingError(ERR_CONNECT_FAIL);
b6b6f466 666 anErr->xerrno = xerrno;
b6b6f466 667 fail(anErr);
62e76326 668
2f538b78 669 /* it might have been a timeout with a partially open link */
00ae51e4
AJ		 670 if (conn != NULL) {
671 if (conn->getPeer())
672 peerConnectFailed(conn->getPeer());
62e76326 673
80463bb4 674 conn->close();
2f538b78 675 }
aed188fd 676 retryOrBail();
2f538b78
AJ		 677 return;
678 }
62e76326 679
00ae51e4 680 serverConn = conn;
f01d4b80 681 debugs(17, 3, HERE << serverConnection() << ": '" << entry->url() << "'" );
62e76326 682
398bc066 683 closeHandler = comm_add_close_handler(serverConnection()->fd, fwdServerClosedWrapper, this);
2f538b78 684
693cb033 685 if (!request->flags.pinned) {
d9a7bc71
CT		 686 const CachePeer *p = serverConnection()->getPeer();
687 const bool peerWantsTls = p && p->secure.encryptTransport;
b53b9f8d 688 // userWillTlsToPeerForUs assumes CONNECT == HTTPS
d9a7bc71 689 const bool userWillTlsToPeerForUs = p && p->options.originserver &&
66c60bb0 690 request->method == Http::METHOD_CONNECT;
d9a7bc71
CT		 691 const bool needTlsToPeer = peerWantsTls && !userWillTlsToPeerForUs;
692 const bool needTlsToOrigin = !p && request->url.getScheme() == AnyP::PROTO_HTTPS;
693 if (needTlsToPeer || needTlsToOrigin || request->flags.sslPeek) {
a23223bf
CT		 694 HttpRequest::Pointer requestPointer = request;
695 AsyncCall::Pointer callback = asyncCall(17,4,
e2849af8
A		 696 "FwdState::ConnectedToPeer",
697 FwdStatePeerAnswerDialer(&FwdState::connectedToPeer, this));
8aec3e1b
CT		 698 // Use positive timeout when less than one second is left.
699 const time_t sslNegotiationTimeout = max(static_cast<time_t>(1), timeLeft());
a72b6e88
AJ		 700 Security::PeerConnector *connector = nullptr;
701#if USE_OPENSSL
2e249337 702 if (request->flags.sslPeek)
d4ddb3e6 703 connector = new Ssl::PeekingPeerConnector(requestPointer, serverConnection(), clientConn, callback, al, sslNegotiationTimeout);
2e249337 704 else
a72b6e88
AJ		 705#endif
706 connector = new Security::BlindPeerConnector(requestPointer, serverConnection(), callback, al, sslNegotiationTimeout);
a23223bf 707 AsyncJob::Start(connector); // will call our callback
39322eba
J		 708 return;
709 }
41462d93 710 }
2f538b78 711
fcfdf7f9
AJ		 712 // if not encrypting just run the post-connect actions
713 Security::EncryptorAnswer nil;
714 connectedToPeer(nil);
41462d93 715}
716
a23223bf 717void
fcfdf7f9 718FwdState::connectedToPeer(Security::EncryptorAnswer &answer)
a23223bf
CT		 719{
720 if (ErrorState *error = answer.error.get()) {
721 fail(error);
722 answer.error.clear(); // preserve error for errorSendComplete()
89d7efa5
CT		 723 if (CachePeer *p = serverConnection()->getPeer())
724 peerConnectFailed(p);
4e646287 725 serverConnection()->close();
a23223bf
CT		 726 return;
727 }
728
56753478
CT		 729 if (answer.tunneled) {
730 // TODO: When ConnStateData establishes tunnels, its state changes
731 // [in ways that may affect logging?]. Consider informing
732 // ConnStateData about our tunnel or otherwise unifying tunnel
733 // establishment [side effects].
734 unregister(serverConn); // async call owns it now
735 complete(); // destroys us
736 return;
737 }
738
fcfdf7f9
AJ		 739 // should reach ConnStateData before the dispatched Client job starts
740 CallJobHere1(17, 4, request->clientConnectionManager, ConnStateData,
741 ConnStateData::notePeerConnection, serverConnection());
742
89d7efa5
CT		 743 if (serverConnection()->getPeer())
744 peerConnectSucceded(serverConnection()->getPeer());
745
746 flags.connected_okay = true;
a23223bf
CT		 747 dispatch();
748}
a23223bf 749
b6b6f466 750void
751FwdState::connectTimeout(int fd)
41462d93 752{
bf8fe701 753 debugs(17, 2, "fwdConnectTimeout: FD " << fd << ": '" << entry->url() << "'" );
6b679a01
AJ		 754 assert(serverDestinations[0] != NULL);
755 assert(fd == serverDestinations[0]->fd);
62e76326 756
528b2c61 757 if (entry->isEmpty()) {
f11c8e2f 758 ErrorState *anErr = new ErrorState(ERR_CONNECT_FAIL, Http::scGatewayTimeout, request);
b6b6f466 759 anErr->xerrno = ETIMEDOUT;
760 fail(anErr);
62e76326 761
cfd66529 762 /* This marks the peer DOWN ... */
6b679a01
AJ		 763 if (serverDestinations[0]->getPeer())
764 peerConnectFailed(serverDestinations[0]->getPeer());
41462d93 765 }
62e76326 766
6b679a01
AJ		 767 if (Comm::IsConnOpen(serverDestinations[0])) {
768 serverDestinations[0]->close();
746beefe 769 }
41462d93 770}
771
8aec3e1b
CT		 772time_t
773FwdState::timeLeft() const
41462d93 774{
cfd66529
AJ		 775 /* connection timeout */
776 int ctimeout;
6b679a01
AJ		 777 if (serverDestinations[0]->getPeer()) {
778 ctimeout = serverDestinations[0]->getPeer()->connect_timeout > 0 ?
779 serverDestinations[0]->getPeer()->connect_timeout : Config.Timeout.peer_connect;
db1cd23c 780 } else {
62e76326 781 ctimeout = Config.Timeout.connect;
db1cd23c 782 }
62e76326 783
cfd66529
AJ		 784 /* calculate total forwarding timeout ??? */
785 int ftimeout = Config.Timeout.forward - (squid_curtime - start_t);
777831e0 786 if (ftimeout < 0)
787 ftimeout = 5;
788
789 if (ftimeout < ctimeout)
8aec3e1b
CT		 790 return (time_t)ftimeout;
791 else
792 return (time_t)ctimeout;
793}
794
4b77ea6b
AR		 795/// called when serverConn is set to an _open_ to-peer connection
796void
797FwdState::syncWithServerConn(const char *host)
798{
799 if (Ip::Qos::TheConfig.isAclTosActive())
800 Ip::Qos::setSockTos(serverConn, GetTosToServer(request));
801
802#if SO_MARK
803 if (Ip::Qos::TheConfig.isAclNfmarkActive())
804 Ip::Qos::setSockNfmark(serverConn, GetNfmarkToServer(request));
805#endif
806
7d1dac79
EB		 807 syncHierNote(serverConn, host);
808}
809
810void
811FwdState::syncHierNote(const Comm::ConnectionPointer &server, const char *host)
812{
1ce66e29
AJ		 813 if (request)
814 request->hier.note(server, host);
815 if (al)
816 al->hier.note(server, host);
4b77ea6b
AR		 817}
818
8aec3e1b
CT		 819/**
820 * Called after forwarding path selection (via peer select) has taken place
821 * and whenever forwarding needs to attempt a new connection (routing failover).
822 * We have a vector of possible localIP->remoteIP paths now ready to start being connected.
823 */
824void
825FwdState::connectStart()
826{
827 assert(serverDestinations.size() > 0);
828
829 debugs(17, 3, "fwdConnectStart: " << entry->url());
830
16b70e2a 831 request->hier.startPeerClock();
777831e0 832
d9a7bc71
CT		 833 // Do not fowrward bumped connections to parent proxy unless it is an
834 // origin server
835 if (serverDestinations[0]->getPeer() && !serverDestinations[0]->getPeer()->options.originserver && request->flags.sslBumped) {
2cf8425b 836 debugs(50, 4, "fwdConnectStart: Ssl bumped connections through parent proxy are not allowed");
955394ce 837 ErrorState *anErr = new ErrorState(ERR_CANNOT_FORWARD, Http::scServiceUnavailable, request);
b68415a1
CT		 838 fail(anErr);
839 self = NULL; // refcounted
840 return;
985bfe6b 841 }
d67acb4e 842
e857372a 843 request->flags.pinned = false; // XXX: what if the ConnStateData set this to flag existing credentials?
2efeb0b7
AJ		 844 // XXX: answer: the peer selection *should* catch it and give us only the pinned peer. so we reverse the =0 step below.
845 // XXX: also, logs will now lie if pinning is broken and leads to an error message.
6b679a01 846 if (serverDestinations[0]->peerType == PINNED) {
26ac0430 847 ConnStateData *pinned_connection = request->pinnedConnection();
693cb033 848 debugs(17,7, "pinned peer connection: " << pinned_connection);
bc81ee68 849 // pinned_connection may become nil after a pconn race
60199bd7
CT		 850 serverConn = pinned_connection ? pinned_connection->borrowPinnedConnection(request, serverDestinations[0]->getPeer()) : nullptr;
851 if (Comm::IsConnOpen(serverConn)) {
852 flags.connected_okay = true;
853 ++n_tries;
854 request->flags.pinned = true;
855
856 if (pinned_connection->pinnedAuth())
857 request->flags.auth = true;
858
859 closeHandler = comm_add_close_handler(serverConn->fd, fwdServerClosedWrapper, this);
860
861 syncWithServerConn(pinned_connection->pinning.host);
862
863 // the server may close the pinned connection before this request
864 pconnRace = racePossible;
865 dispatch();
866 return;
867 }
b410d563 868
693cb033 869 // Pinned connection failure.
85563fd9 870 debugs(17,2,HERE << "Pinned connection failed: " << pinned_connection);
955394ce 871 ErrorState *anErr = new ErrorState(ERR_ZERO_SIZE_OBJECT, Http::scServiceUnavailable, request);
693cb033
CT		 872 fail(anErr);
873 self = NULL; // refcounted
874 return;
26ac0430 875 }
d67acb4e 876
642a305c 877 // Use pconn to avoid opening a new connection.
7a150c71
AJ		 878 const char *host = NULL;
879 if (!serverDestinations[0]->getPeer())
5c51bffb 880 host = request->url.host();
bc81ee68
AR		 881
882 Comm::ConnectionPointer temp;
883 // Avoid pconns after races so that the same client does not suffer twice.
884 // This does not increase the total number of connections because we just
885 // closed the connection that failed the race. And re-pinning assumes this.
886 if (pconnRace != raceHappened)
e8dca475 887 temp = pconnPop(serverDestinations[0], host);
bbf706ff 888
bc81ee68
AR		 889 const bool openedPconn = Comm::IsConnOpen(temp);
890 pconnRace = openedPconn ? racePossible : raceImpossible;
cfd66529 891
6b679a01 892 // if we found an open persistent connection to use. use it.
bc81ee68 893 if (openedPconn) {
80463bb4 894 serverConn = temp;
3b9899f7 895 flags.connected_okay = true;
642a305c 896 debugs(17, 3, HERE << "reusing pconn " << serverConnection());
95dc7ff4 897 ++n_tries;
4ed0e075 898
398bc066 899 closeHandler = comm_add_close_handler(serverConnection()->fd, fwdServerClosedWrapper, this);
b5523edc 900
4b77ea6b 901 syncWithServerConn(request->url.host());
b5523edc 902
c8ceec27 903 dispatch();
c8ceec27 904 return;
41462d93 905 }
62e76326 906
bc81ee68
AR		 907 // We will try to open a new connection, possibly to the same destination.
908 // We reset serverDestinations[0] in case we are using it again because
909 // ConnOpener modifies its destination argument.
4dd643d5 910 serverDestinations[0]->local.port(0);
bc81ee68
AR		 911 serverConn = NULL;
912
bc87dc25 913#if URL_CHECKSUM_DEBUG
b6b6f466 914 entry->mem_obj->checkUrlChecksum();
bc87dc25 915#endif
62e76326 916
6ee88490 917 GetMarkingsToServer(request, *serverDestinations[0]);
b5523edc 918
e3a4aecc 919 calls.connector = commCbCall(17,3, "fwdConnectDoneWrapper", CommConnectCbPtrFun(fwdConnectDoneWrapper, this));
8aec3e1b 920 Comm::ConnOpener *cs = new Comm::ConnOpener(serverDestinations[0], calls.connector, timeLeft());
7a150c71
AJ		 921 if (host)
922 cs->setHost(host);
855150a4 923 AsyncJob::Start(cs);
41462d93 924}
925
b6b6f466 926void
927FwdState::dispatch()
41462d93 928{
7f06a3d8 929 debugs(17, 3, clientConn << ": Fetching " << request->method << ' ' << entry->url());
e0ebe27c 930 /*
931 * Assert that server_fd is set. This is to guarantee that fwdState
932 * is attached to something and will be deallocated when server_fd
933 * is closed.
934 */
6b679a01 935 assert(Comm::IsConnOpen(serverConn));
62e76326 936
5229395c 937 fd_note(serverConnection()->fd, entry->url());
62e76326 938
e8dca475 939 fd_table[serverConnection()->fd].noteUse();
62e76326 940
a7ad6e4e 941 /*assert(!EBIT_TEST(entry->flags, ENTRY_DISPATCHED)); */
942 assert(entry->ping_status != PING_WAITING);
62e76326 943
1bfe9ade 944 assert(entry->locked());
62e76326 945
a7ad6e4e 946 EBIT_SET(entry->flags, ENTRY_DISPATCHED);
62e76326 947
5c51bffb 948 netdbPingSite(request->url.host());
62e76326 949
425de4c8 950 /* Retrieves remote server TOS or MARK value, and stores it as part of the
7172612f 951 * original client request FD object. It is later used to forward
425de4c8 952 * remote server's TOS/MARK in the response to the client in case of a MISS.
7172612f 953 */
425de4c8 954 if (Ip::Qos::TheConfig.isHitNfmarkActive()) {
b5523edc
AJ		 955 if (Comm::IsConnOpen(clientConn) && Comm::IsConnOpen(serverConnection())) {
956 fde * clientFde = &fd_table[clientConn->fd]; // XXX: move the fd_table access into Ip::Qos
425de4c8 957 /* Get the netfilter mark for the connection */
b5523edc 958 Ip::Qos::getNfmarkFromServer(serverConnection(), clientFde);
425de4c8
AJ		 959 }
960 }
961
962#if _SQUID_LINUX_
963 /* Bug 2537: The TOS forward part of QOS only applies to patched Linux kernels. */
964 if (Ip::Qos::TheConfig.isHitTosActive()) {
b5523edc
AJ		 965 if (Comm::IsConnOpen(clientConn)) {
966 fde * clientFde = &fd_table[clientConn->fd]; // XXX: move the fd_table access into Ip::Qos
425de4c8 967 /* Get the TOS value for the packet */
b5523edc 968 Ip::Qos::getTosFromServer(serverConnection(), clientFde);
7172612f 969 }
26ac0430 970 }
7172612f
AJ		 971#endif
972
cb4f4424 973#if USE_OPENSSL
2c065fc8 974 if (request->flags.sslPeek) {
d7ce0bcd 975 CallJobHere1(17, 4, request->clientConnectionManager, ConnStateData,
061bbdec 976 ConnStateData::httpsPeeked, serverConnection());
d7ce0bcd
AR		 977 unregister(serverConn); // async call owns it now
978 complete(); // destroys us
979 return;
061bbdec 980 }
d7ce0bcd
AR		 981#endif
982
5229395c 983 if (serverConnection()->getPeer() != NULL) {
95dc7ff4 984 ++ serverConnection()->getPeer()->stats.fetches;
5229395c
AJ		 985 request->peer_login = serverConnection()->getPeer()->login;
986 request->peer_domain = serverConnection()->getPeer()->domain;
9825b398 987 request->flags.auth_no_keytab = serverConnection()->getPeer()->options.auth_no_keytab;
b6b6f466 988 httpStart(this);
41462d93 989 } else {
2c065fc8 990 assert(!request->flags.sslPeek);
b6b6f466 991 request->peer_login = NULL;
992 request->peer_domain = NULL;
9825b398 993 request->flags.auth_no_keytab = 0;
62e76326 994
4e3f4dc7 995 switch (request->url.getScheme()) {
62e76326 996
0c3d3f65 997 case AnyP::PROTO_HTTPS:
b6b6f466 998 httpStart(this);
62e76326 999 break;
62e76326 1000
0c3d3f65 1001 case AnyP::PROTO_HTTP:
b6b6f466 1002 httpStart(this);
62e76326 1003 break;
1004
0c3d3f65 1005 case AnyP::PROTO_GOPHER:
b6b6f466 1006 gopherStart(this);
62e76326 1007 break;
1008
0c3d3f65 1009 case AnyP::PROTO_FTP:
92ae4c86 1010 if (request->flags.ftpNative)
5517260a 1011 Ftp::StartRelay(this);
434a79b0 1012 else
5517260a 1013 Ftp::StartGateway(this);
62e76326 1014 break;
1015
39a19cb7 1016 case AnyP::PROTO_CACHE_OBJECT:
62e76326 1017
0c3d3f65 1018 case AnyP::PROTO_URN:
62e76326 1019 fatal_dump("Should never get here");
1020 break;
1021
0c3d3f65 1022 case AnyP::PROTO_WHOIS:
b6b6f466 1023 whoisStart(this);
62e76326 1024 break;
1025
f53969cc 1026 case AnyP::PROTO_WAIS: /* Not implemented */
fc68f6b1 1027
62e76326 1028 default:
7be06178 1029 debugs(17, DBG_IMPORTANT, "WARNING: Cannot retrieve '" << entry->url() << "'.");
955394ce 1030 ErrorState *anErr = new ErrorState(ERR_UNSUP_REQ, Http::scBadRequest, request);
b6b6f466 1031 fail(anErr);
7be06178 1032 // Set the dont_retry flag because this is not a transient (network) error.
e857372a 1033 flags.dont_retry = true;
6b679a01 1034 if (Comm::IsConnOpen(serverConn)) {
00ae51e4 1035 serverConn->close();
746beefe 1036 }
62e76326 1037 break;
1038 }
41462d93 1039 }
1040}
1041
545782b8 1042/*
1043 * FwdState::reforward
1044 *
1045 * returns TRUE if the transaction SHOULD be re-forwarded to the
8bbb16e3 1046 * next choice in the serverDestinations list. This method is called when
d5430dc8 1047 * peer communication completes normally, or experiences
545782b8 1048 * some error after receiving the end of HTTP headers.
1049 */
b6b6f466 1050int
1051FwdState::reforward()
db1cd23c 1052{
b6b6f466 1053 StoreEntry *e = entry;
c4a88a3e
CT		 1054
1055 if (EBIT_TEST(e->flags, ENTRY_ABORTED)) {
1056 debugs(17, 3, HERE << "entry aborted");
1057 return 0;
1058 }
1059
db1cd23c 1060 assert(e->store_status == STORE_PENDING);
1061 assert(e->mem_obj);
bc87dc25 1062#if URL_CHECKSUM_DEBUG
62e76326 1063
528b2c61 1064 e->mem_obj->checkUrlChecksum();
bc87dc25 1065#endif
62e76326 1066
cfd66529 1067 debugs(17, 3, HERE << e->url() << "?" );
62e76326 1068
d6eb18d6 1069 if (!EBIT_TEST(e->flags, ENTRY_FWD_HDR_WAIT)) {
cfd66529 1070 debugs(17, 3, HERE << "No, ENTRY_FWD_HDR_WAIT isn't set");
62e76326 1071 return 0;
d6eb18d6 1072 }
62e76326 1073
437823b4 1074 if (n_tries > Config.forward_max_tries)
62e76326 1075 return 0;
1076
58217e94 1077 if (request->bodyNibbled())
62e76326 1078 return 0;
1079
8652f8e7
AJ		 1080 if (serverDestinations.size() <= 1) {
1081 // NP: <= 1 since total count includes the recently failed one.
cfd66529 1082 debugs(17, 3, HERE << "No alternative forwarding paths left");
62e76326 1083 return 0;
db1cd23c 1084 }
62e76326 1085
9b769c67 1086 const Http::StatusCode s = e->getReply()->sline.status();
cfd66529 1087 debugs(17, 3, HERE << "status " << s);
b6b6f466 1088 return reforwardableStatus(s);
db1cd23c 1089}
1090
2ac4f6b5
AR		 1091/**
1092 * Create "503 Service Unavailable" or "504 Gateway Timeout" error depending
1093 * on whether this is a validation request. RFC 2616 says that we MUST reply
1094 * with "504 Gateway Timeout" if validation fails and cached reply has
1095 * proxy-revalidate, must-revalidate or s-maxage Cache-Control directive.
1096 */
1097ErrorState *
1098FwdState::makeConnectingError(const err_type type) const
1099{
450fe1cb 1100 return new ErrorState(type, request->flags.needValidation ?
f11c8e2f 1101 Http::scGatewayTimeout : Http::scServiceUnavailable, request);
2ac4f6b5
AR		 1102}
1103
b6b6f466 1104static void
1105fwdStats(StoreEntry * s)
64d8034e 1106{
b6b6f466 1107 int i;
1108 int j;
1109 storeAppendPrintf(s, "Status");
62e76326 1110
95dc7ff4
FC		 1111 for (j = 1; j < MAX_FWD_STATS_IDX; ++j) {
1112 storeAppendPrintf(s, "\ttry#%d", j);
64d8034e 1113 }
64d8034e 1114
b6b6f466 1115 storeAppendPrintf(s, "\n");
0185bd6f 1116
955394ce 1117 for (i = 0; i <= (int) Http::scInvalidHeader; ++i) {
b6b6f466 1118 if (FwdReplyCodes[0][i] == 0)
1119 continue;
0185bd6f 1120
b6b6f466 1121 storeAppendPrintf(s, "%3d", i);
0185bd6f 1122
95dc7ff4 1123 for (j = 0; j <= MAX_FWD_STATS_IDX; ++j) {
b6b6f466 1124 storeAppendPrintf(s, "\t%d", FwdReplyCodes[j][i]);
62e76326 1125 }
62e76326 1126
b6b6f466 1127 storeAppendPrintf(s, "\n");
e0ebe27c 1128 }
7197b20d 1129}
1130
b6b6f466 1131/**** STATIC MEMBER FUNCTIONS *************************************************/
db1cd23c 1132
b6b6f466 1133bool
955394ce 1134FwdState::reforwardableStatus(const Http::StatusCode s) const
db1cd23c 1135{
b6b6f466 1136 switch (s) {
62e76326 1137
955394ce 1138 case Http::scBadGateway:
62e76326 1139
f11c8e2f 1140 case Http::scGatewayTimeout:
b6b6f466 1141 return true;
62e76326 1142
955394ce 1143 case Http::scForbidden:
62e76326 1144
955394ce 1145 case Http::scInternalServerError:
62e76326 1146
955394ce 1147 case Http::scNotImplemented:
62e76326 1148
955394ce 1149 case Http::scServiceUnavailable:
b6b6f466 1150 return Config.retry.onerror;
62e76326 1151
b6b6f466 1152 default:
1153 return false;
db1cd23c 1154 }
b6b6f466 1155
1156 /* NOTREACHED */
db1cd23c 1157}
8ddcc35d 1158
06093389
AJ		 1159/**
1160 * Decide where details need to be gathered to correctly describe a persistent connection.
1161 * What is needed:
642a305c
AJ		 1162 * - the address/port details about this link
1163 * - domain name of server at other end of this link (either peer or requested host)
06093389 1164 */
781ce8ff 1165void
642a305c 1166FwdState::pconnPush(Comm::ConnectionPointer &conn, const char *domain)
781ce8ff 1167{
642a305c 1168 if (conn->getPeer()) {
7a150c71 1169 fwdPconnPool->push(conn, NULL);
06093389 1170 } else {
642a305c 1171 fwdPconnPool->push(conn, domain);
06093389 1172 }
781ce8ff 1173}
1174
e8dca475
CT		 1175Comm::ConnectionPointer
1176FwdState::pconnPop(const Comm::ConnectionPointer &dest, const char *domain)
1177{
afc753f3
EB		 1178 bool retriable = checkRetriable();
1179 if (!retriable && Config.accessList.serverPconnForNonretriable) {
1180 ACLFilledChecklist ch(Config.accessList.serverPconnForNonretriable, request, NULL);
1181 retriable = (ch.fastCheck() == ACCESS_ALLOWED);
1182 }
e8dca475
CT		 1183 // always call shared pool first because we need to close an idle
1184 // connection there if we have to use a standby connection.
afc753f3 1185 Comm::ConnectionPointer conn = fwdPconnPool->pop(dest, domain, retriable);
e8dca475
CT		 1186 if (!Comm::IsConnOpen(conn)) {
1187 // either there was no pconn to pop or this is not a retriable xaction
1188 if (CachePeer *peer = dest->getPeer()) {
1189 if (peer->standby.pool)
1190 conn = peer->standby.pool->pop(dest, domain, true);
1191 }
1192 }
1193 return conn; // open, closed, or nil
1194}
1195
8ddcc35d 1196void
b6b6f466 1197FwdState::initModule()
8ddcc35d 1198{
6852be71 1199 RegisterWithCacheManager();
8ddcc35d 1200}
1201
62ee09ca 1202void
84f50787 1203FwdState::RegisterWithCacheManager(void)
62ee09ca 1204{
8822ebee 1205 Mgr::RegisterAction("forward", "Request Forwarding Statistics", fwdStats, 0, 1);
62ee09ca 1206}
1207
b6b6f466 1208void
955394ce 1209FwdState::logReplyStatus(int tries, const Http::StatusCode status)
8ddcc35d 1210{
955394ce 1211 if (status > Http::scInvalidHeader)
62e76326 1212 return;
1213
75eb730e 1214 assert(tries >= 0);
62e76326 1215
8ddcc35d 1216 if (tries > MAX_FWD_STATS_IDX)
62e76326 1217 tries = MAX_FWD_STATS_IDX;
1218
95dc7ff4 1219 ++ FwdReplyCodes[tries][status];
8ddcc35d 1220}
1221
b6b6f466 1222/**** PRIVATE NON-MEMBER FUNCTIONS ********************************************/
62e76326 1223
057f5854 1224/*
1225 * DPW 2007-05-19
1226 * Formerly static, but now used by client_side_request.cc
1227 */
425de4c8
AJ		 1228/// Checks for a TOS value to apply depending on the ACL
1229tos_t
b6b6f466 1230aclMapTOS(acl_tos * head, ACLChecklist * ch)
b6a2f15e 1231{
60019fea 1232 for (acl_tos *l = head; l; l = l->next) {
2efeb0b7 1233 if (!l->aclList || ch->fastCheck(l->aclList) == ACCESS_ALLOWED)
b6b6f466 1234 return l->tos;
1235 }
5894ad28 1236
b6b6f466 1237 return 0;
1238}
5894ad28 1239
425de4c8
AJ		 1240/// Checks for a netfilter mark value to apply depending on the ACL
1241nfmark_t
1242aclMapNfmark(acl_nfmark * head, ACLChecklist * ch)
1243{
60019fea 1244 for (acl_nfmark *l = head; l; l = l->next) {
2efeb0b7 1245 if (!l->aclList || ch->fastCheck(l->aclList) == ACCESS_ALLOWED)
425de4c8
AJ		 1246 return l->nfmark;
1247 }
1248
1249 return 0;
1250}
1251
cfd66529 1252void
f9b72e0c 1253getOutgoingAddress(HttpRequest * request, Comm::ConnectionPointer conn)
b6b6f466 1254{
07f889c1 1255 // skip if an outgoing address is already set.
4dd643d5 1256 if (!conn->local.isAnyAddr()) return;
cfd66529 1257
07f889c1 1258 // ensure that at minimum the wildcard local matches remote protocol
4dd643d5
AJ		 1259 if (conn->remote.isIPv4())
1260 conn->local.setIPv4();
07f889c1 1261
cfd66529 1262 // maybe use TPROXY client address
450fe1cb 1263 if (request && request->flags.spoofClientIp) {
739b352a 1264 if (!conn->getPeer() || !conn->getPeer()->options.no_tproxy) {
96d64448
AJ		 1265#if FOLLOW_X_FORWARDED_FOR && LINUX_NETFILTER
1266 if (Config.onoff.tproxy_uses_indirect_client)
45906573 1267 conn->local = request->indirect_client_addr;
96d64448
AJ		 1268 else
1269#endif
45906573 1270 conn->local = request->client_addr;
cfd66529
AJ		 1271 // some flags need setting on the socket to use this address
1272 conn->flags |= COMM_DOBIND;
1273 conn->flags |= COMM_TRANSPARENT;
1274 return;
1275 }
b0758e04
AJ		 1276 // else no tproxy today ...
1277 }
c303f6e3 1278
b50e327b 1279 if (!Config.accessList.outgoing_address) {
cfd66529 1280 return; // anything will do.
b50e327b
AJ		 1281 }
1282
c0941a6a 1283 ACLFilledChecklist ch(NULL, request, NULL);
1b091aec 1284 ch.dst_peer_name = conn->getPeer() ? conn->getPeer()->name : NULL;
cfd66529
AJ		 1285 ch.dst_addr = conn->remote;
1286
1287 // TODO use the connection details in ACL.
1288 // needs a bit of rework in ACLFilledChecklist to use Comm::Connection instead of ConnStateData
6db78a1a 1289
289848ca 1290 for (Acl::Address *l = Config.accessList.outgoing_address; l; l = l->next) {
cfd66529
AJ		 1291
1292 /* check if the outgoing address is usable to the destination */
4dd643d5 1293 if (conn->remote.isIPv4() != l->addr.isIPv4()) continue;
cfd66529
AJ		 1294
1295 /* check ACLs for this outgoing address */
2efeb0b7 1296 if (!l->aclList || ch.fastCheck(l->aclList) == ACCESS_ALLOWED) {
cfd66529
AJ		 1297 conn->local = l->addr;
1298 return;
1299 }
1300 }
b6b6f466 1301}
62e76326 1302
425de4c8
AJ		 1303tos_t
1304GetTosToServer(HttpRequest * request)
1305{
1306 ACLFilledChecklist ch(NULL, request, NULL);
425de4c8
AJ		 1307 return aclMapTOS(Ip::Qos::TheConfig.tosToServer, &ch);
1308}
1309
1310nfmark_t
1311GetNfmarkToServer(HttpRequest * request)
b6b6f466 1312{
c0941a6a 1313 ACLFilledChecklist ch(NULL, request, NULL);
425de4c8 1314 return aclMapNfmark(Ip::Qos::TheConfig.nfmarkToServer, &ch);
b6a2f15e 1315}
6ee88490
CT		 1316
1317void
1318GetMarkingsToServer(HttpRequest * request, Comm::Connection &conn)
1319{
1320 // Get the server side TOS and Netfilter mark to be set on the connection.
1321 if (Ip::Qos::TheConfig.isAclTosActive()) {
1322 conn.tos = GetTosToServer(request);
1323 debugs(17, 3, "from " << conn.local << " tos " << int(conn.tos));
1324 }
1325
1326#if SO_MARK && USE_LIBCAP
1327 conn.nfmark = GetNfmarkToServer(request);
1328 debugs(17, 3, "from " << conn.local << " netfilter mark " << conn.nfmark);
1329#else
1330 conn.nfmark = 0;
1331#endif
1332}
f53969cc 1333
Mirror of https://github.com/squid-cache/squid.git