]> git.ipfire.org Git - thirdparty/squid.git/blame - src/client_side.cc
Simplify appending SBuf to String (#2108)
[thirdparty/squid.git] / src / client_side.cc
CommitLineData
dd11e0b7 1/*
1f7b830e 2 * Copyright (C) 1996-2025 The Squid Software Foundation and contributors
dd11e0b7 3 *
bbc27441
AJ
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
dd11e0b7 7 */
f88bb09c 8
bbc27441
AJ
9/* DEBUG: section 33 Client-side Routines */
10
63be0a78 11/**
12 \defgroup ClientSide Client-Side Logics
13 *
d85b8894 14 \section cserrors Errors and client side
edce4d98 15 *
63be0a78 16 \par Problem the first:
17 * the store entry is no longer authoritative on the
edce4d98 18 * reply status. EBITTEST (E_ABORT) is no longer a valid test outside
19 * of client_side_reply.c.
20 * Problem the second: resources are wasted if we delay in cleaning up.
21 * Problem the third we can't depend on a connection close to clean up.
9e008dda 22 *
63be0a78 23 \par Nice thing the first:
9e008dda 24 * Any step in the stream can callback with data
edce4d98 25 * representing an error.
26 * Nice thing the second: once you stop requesting reads from upstream,
27 * upstream can be stopped too.
28 *
63be0a78 29 \par Solution #1:
30 * Error has a callback mechanism to hand over a membuf
9e008dda 31 * with the error content. The failing node pushes that back as the
edce4d98 32 * reply. Can this be generalised to reduce duplicate efforts?
33 * A: Possibly. For now, only one location uses this.
34 * How to deal with pre-stream errors?
35 * Tell client_side_reply that we *want* an error page before any
36 * stream calls occur. Then we simply read as normal.
63be0a78 37 *
38 *
d85b8894 39 \section pconn_logic Persistent connection logic:
63be0a78 40 *
41 \par
42 * requests (httpClientRequest structs) get added to the connection
43 * list, with the current one being chr
9e008dda 44 *
63be0a78 45 \par
46 * The request is *immediately* kicked off, and data flows through
47 * to clientSocketRecipient.
9e008dda 48 *
63be0a78 49 \par
50 * If the data that arrives at clientSocketRecipient is not for the current
51 * request, clientSocketRecipient simply returns, without requesting more
52 * data, or sending it.
53 *
54 \par
4a4fbcef 55 * ConnStateData::kick() will then detect the presence of data in
9e008dda 56 * the next ClientHttpRequest, and will send it, restablishing the
63be0a78 57 * data flow.
edce4d98 58 */
59
582c2af2 60#include "squid.h"
04f55905 61#include "acl/FilledChecklist.h"
22b2a7a0 62#include "anyp/Host.h"
65d448bc 63#include "anyp/PortCfg.h"
e5ddd4ce 64#include "base/AsyncCallbacks.h"
00406b24 65#include "base/Subscription.h"
d841c88d 66#include "base/TextException.h"
a011edee 67#include "CachePeer.h"
95e6d864 68#include "client_db.h"
602d9612 69#include "client_side.h"
04f55905
AJ
70#include "client_side_reply.h"
71#include "client_side_request.h"
72#include "ClientRequestContext.h"
c8be6d7b 73#include "clientStream.h"
c4b7a5a9 74#include "comm.h"
cfd66529 75#include "comm/Connection.h"
d841c88d 76#include "comm/Loops.h"
7e66d5e2 77#include "comm/Read.h"
cbff89ba 78#include "comm/TcpAcceptor.h"
582c2af2
FC
79#include "comm/Write.h"
80#include "CommCalls.h"
675b8408 81#include "debug/Messages.h"
83b053a0 82#include "error/ExceptionErrorDetail.h"
8eb0a7ee 83#include "errorpage.h"
c4ad1349 84#include "fd.h"
04f55905 85#include "fde.h"
95e6d864 86#include "fqdncache.h"
eb13c21e 87#include "FwdState.h"
67679543 88#include "globals.h"
24438ec5
AJ
89#include "helper.h"
90#include "helper/Reply.h"
5c0c642e 91#include "http.h"
c99510dd 92#include "http/one/RequestParser.h"
db1720f8 93#include "http/one/TeChunkedParser.h"
d3dddfb5 94#include "http/Stream.h"
25b6a907 95#include "HttpHdrContRange.h"
a5bac1d2 96#include "HttpHeaderTools.h"
528b2c61 97#include "HttpReply.h"
98#include "HttpRequest.h"
308e60be 99#include "internal.h"
cbff89ba 100#include "ipc/FdNotes.h"
fe090a86 101#include "ipc/StartListening.h"
1c7ae5ff 102#include "log/access_log.h"
0eb49b6d 103#include "MemBuf.h"
04f55905 104#include "MemObject.h"
b6149797 105#include "mime_header.h"
b1cef121 106#include "parser/Tokenizer.h"
36c774f7
EB
107#include "proxyp/Header.h"
108#include "proxyp/Parser.h"
83b053a0 109#include "sbuf/Stream.h"
907831e6 110#include "security/Certificate.h"
e227da8d 111#include "security/CommunicationSecrets.h"
4106be3f 112#include "security/Io.h"
e227da8d 113#include "security/KeyLog.h"
4106be3f 114#include "security/NegotiationHistory.h"
92ae4c86 115#include "servers/forward.h"
4d5904f7 116#include "SquidConfig.h"
e1656dc4 117#include "StatCounters.h"
00a7574e 118#include "StatHist.h"
582c2af2
FC
119#include "Store.h"
120#include "TimeOrTag.h"
4e540555 121#include "tools.h"
582c2af2
FC
122
123#if USE_AUTH
124#include "auth/UserRequest.h"
125#endif
126#if USE_DELAY_POOLS
127#include "ClientInfo.h"
b27668ec 128#include "MessageDelayPools.h"
582c2af2 129#endif
cb4f4424 130#if USE_OPENSSL
d620ae0e 131#include "ssl/bio.h"
95d2589c 132#include "ssl/context_storage.h"
602d9612 133#include "ssl/gadgets.h"
95d2589c 134#include "ssl/helper.h"
602d9612 135#include "ssl/ProxyCerts.h"
fd4624d7 136#include "ssl/ServerBump.h"
4db984be 137#include "ssl/support.h"
95d2589c 138#endif
95d2589c 139
074d6a40
AJ
140#include <climits>
141#include <cmath>
95d2589c 142#include <limits>
95d2589c 143
6fa8c664
MM
144#if HAVE_SYSTEMD_SD_DAEMON_H
145#include <systemd/sd-daemon.h>
146#endif
147
e5ddd4ce
AR
148// TODO: Remove this custom dialer and simplify by creating the TcpAcceptor
149// subscription later, inside clientListenerConnectionOpened() callback, just
150// like htcpOpenPorts(), icpOpenPorts(), and snmpPortOpened() do it.
cbff89ba 151/// dials clientListenerConnectionOpened call
e5ddd4ce
AR
152class ListeningStartedDialer:
153 public CallDialer,
154 public WithAnswer<Ipc::StartListeningAnswer>
fe090a86
AR
155{
156public:
fa720bfb
AJ
157 typedef void (*Handler)(AnyP::PortCfgPointer &portCfg, const Ipc::FdNoteId note, const Subscription::Pointer &sub);
158 ListeningStartedDialer(Handler aHandler, AnyP::PortCfgPointer &aPortCfg, const Ipc::FdNoteId note, const Subscription::Pointer &aSub):
f53969cc 159 handler(aHandler), portCfg(aPortCfg), portTypeNote(note), sub(aSub) {}
fe090a86 160
e5ddd4ce 161 /* CallDialer API */
337b9aa4 162 void print(std::ostream &os) const override {
e5ddd4ce 163 os << '(' << answer_ << ", " << FdNote(portTypeNote) << " port=" << (void*)&portCfg << ')';
5667a628 164 }
fe090a86
AR
165
166 virtual bool canDial(AsyncCall &) const { return true; }
8bbb16e3 167 virtual void dial(AsyncCall &) { (handler)(portCfg, portTypeNote, sub); }
fe090a86 168
e5ddd4ce 169 /* WithAnswer API */
337b9aa4 170 Ipc::StartListeningAnswer &answer() override { return answer_; }
e5ddd4ce 171
fe090a86
AR
172public:
173 Handler handler;
174
175private:
e5ddd4ce
AR
176 // answer_.conn (set/updated by IPC code) is portCfg.listenConn (used by us)
177 Ipc::StartListeningAnswer answer_; ///< StartListening() results
fa720bfb 178 AnyP::PortCfgPointer portCfg; ///< from HttpPortList
cbff89ba 179 Ipc::FdNoteId portTypeNote; ///< Type of IPC socket being opened
2f8abb64 180 Subscription::Pointer sub; ///< The handler to be subscribed for this connection listener
fe090a86
AR
181};
182
fa720bfb 183static void clientListenerConnectionOpened(AnyP::PortCfgPointer &s, const Ipc::FdNoteId portTypeNote, const Subscription::Pointer &sub);
fe090a86 184
e0d28505 185static IOACB httpAccept;
47f6e231 186static int clientIsRequestBodyTooLargeForPolicy(int64_t bodyLength);
50c09fc4 187
91369933
AJ
188static void clientUpdateStatHistCounters(const LogTags &logType, int svc_time);
189static void clientUpdateStatCounters(const LogTags &logType);
c8be6d7b 190static void clientUpdateHierCounters(HierarchyLogEntry *);
528b2c61 191static bool clientPingHasFinished(ping_data const *aPing);
63ed9e8e 192void prepareLogWithRequestDetails(HttpRequest *, const AccessLogEntryPointer &);
d3dddfb5 193static void ClientSocketContextPushDeferredIfNeeded(Http::StreamPointer deferredRequest, ConnStateData * conn);
c8be6d7b 194
84cc2635 195char *skipLeadingSpace(char *aString);
62e76326 196
c8be6d7b 197void
91369933 198clientUpdateStatCounters(const LogTags &logType)
a7c05555 199{
e4f1fdae 200 ++statCounter.client_http.requests;
62e76326 201
91369933 202 if (logType.isTcpHit())
e4f1fdae 203 ++statCounter.client_http.hits;
62e76326 204
91369933 205 if (logType.oldType == LOG_TCP_HIT)
e4f1fdae 206 ++statCounter.client_http.disk_hits;
91369933 207 else if (logType.oldType == LOG_TCP_MEM_HIT)
e4f1fdae 208 ++statCounter.client_http.mem_hits;
c8be6d7b 209}
210
211void
91369933 212clientUpdateStatHistCounters(const LogTags &logType, int svc_time)
c8be6d7b 213{
e8baef82 214 statCounter.client_http.allSvcTime.count(svc_time);
63be0a78 215 /**
ee1679df 216 * The idea here is not to be complete, but to get service times
217 * for only well-defined types. For example, we don't include
1d7ab0f4 218 * LOG_TCP_REFRESH_FAIL because its not really a cache hit
ee1679df 219 * (we *tried* to validate it, but failed).
220 */
62e76326 221
91369933 222 switch (logType.oldType) {
62e76326 223
1d7ab0f4 224 case LOG_TCP_REFRESH_UNMODIFIED:
e8baef82 225 statCounter.client_http.nearHitSvcTime.count(svc_time);
62e76326 226 break;
227
787ea68c 228 case LOG_TCP_INM_HIT:
ee1679df 229 case LOG_TCP_IMS_HIT:
e8baef82 230 statCounter.client_http.nearMissSvcTime.count(svc_time);
62e76326 231 break;
232
ee1679df 233 case LOG_TCP_HIT:
62e76326 234
ee1679df 235 case LOG_TCP_MEM_HIT:
62e76326 236
b540e168 237 case LOG_TCP_OFFLINE_HIT:
e8baef82 238 statCounter.client_http.hitSvcTime.count(svc_time);
62e76326 239 break;
240
ee1679df 241 case LOG_TCP_MISS:
62e76326 242
ee1679df 243 case LOG_TCP_CLIENT_REFRESH_MISS:
e8baef82 244 statCounter.client_http.missSvcTime.count(svc_time);
62e76326 245 break;
246
ee1679df 247 default:
62e76326 248 /* make compiler warnings go away */
249 break;
ee1679df 250 }
c8be6d7b 251}
252
528b2c61 253bool
c8be6d7b 254clientPingHasFinished(ping_data const *aPing)
255{
256 if (0 != aPing->stop.tv_sec && 0 != aPing->start.tv_sec)
62e76326 257 return true;
258
528b2c61 259 return false;
c8be6d7b 260}
261
262void
263clientUpdateHierCounters(HierarchyLogEntry * someEntry)
264{
265 ping_data *i;
62e76326 266
c8547a11 267 switch (someEntry->code) {
268#if USE_CACHE_DIGESTS
62e76326 269
c8547a11 270 case CD_PARENT_HIT:
62e76326 271
a196e1e4 272 case CD_SIBLING_HIT:
95dc7ff4 273 ++ statCounter.cd.times_used;
62e76326 274 break;
c8547a11 275#endif
62e76326 276
c8547a11 277 case SIBLING_HIT:
62e76326 278
c8547a11 279 case PARENT_HIT:
62e76326 280
c8547a11 281 case FIRST_PARENT_MISS:
62e76326 282
c8547a11 283 case CLOSEST_PARENT_MISS:
95dc7ff4 284 ++ statCounter.icp.times_used;
62e76326 285 i = &someEntry->ping;
286
287 if (clientPingHasFinished(i))
e8baef82 288 statCounter.icp.querySvcTime.count(tvSubUsec(i->start, i->stop));
62e76326 289
290 if (i->timeout)
95dc7ff4 291 ++ statCounter.icp.query_timeouts;
62e76326 292
293 break;
294
c8547a11 295 case CLOSEST_PARENT:
62e76326 296
c8547a11 297 case CLOSEST_DIRECT:
95dc7ff4 298 ++ statCounter.netdb.times_used;
62e76326 299
300 break;
301
69c95dd3 302 default:
62e76326 303 break;
17b6e784 304 }
a7c05555 305}
306
528b2c61 307void
308ClientHttpRequest::updateCounters()
c8be6d7b 309{
12f5a662 310 clientUpdateStatCounters(loggingTags());
62e76326 311
83b053a0 312 if (request->error)
95dc7ff4 313 ++ statCounter.client_http.errors;
62e76326 314
12f5a662 315 clientUpdateStatHistCounters(loggingTags(),
af0ded40 316 tvSubMsec(al->cache.start_time, current_time));
62e76326 317
528b2c61 318 clientUpdateHierCounters(&request->hier);
c8be6d7b 319}
320
edce4d98 321void
63ed9e8e 322prepareLogWithRequestDetails(HttpRequest *request, const AccessLogEntryPointer &aLogEntry)
7a2f978b 323{
c8be6d7b 324 assert(request);
aee3523a 325 assert(aLogEntry != nullptr);
7684c4b1 326
327 if (Config.onoff.log_mime_hdrs) {
7684c4b1 328 MemBuf mb;
2fe7eff9 329 mb.init();
10201568 330 request->header.packInto(&mb);
105d1937
A
331 //This is the request after adaptation or redirection
332 aLogEntry->headers.adapted_request = xstrdup(mb.buf);
333
334 // the virgin request is saved to aLogEntry->request
335 if (aLogEntry->request) {
105d1937 336 mb.reset();
10201568 337 aLogEntry->request->header.packInto(&mb);
105d1937
A
338 aLogEntry->headers.request = xstrdup(mb.buf);
339 }
3ff65596 340
5038f9d8
AR
341#if USE_ADAPTATION
342 const Adaptation::History::Pointer ah = request->adaptLogHistory();
aee3523a 343 if (ah != nullptr) {
5038f9d8 344 mb.reset();
10201568 345 ah->lastMeta.packInto(&mb);
99690f32 346 aLogEntry->adapt.last_meta = xstrdup(mb.buf);
5038f9d8 347 }
3ff65596
AR
348#endif
349
2fe7eff9 350 mb.clean();
7684c4b1 351 }
352
3ff65596 353#if ICAP_CLIENT
5038f9d8 354 const Adaptation::Icap::History::Pointer ih = request->icapHistory();
aee3523a 355 if (ih != nullptr)
01bd87d8 356 ih->processingTime(aLogEntry->icap.processingTime);
3ff65596
AR
357#endif
358
c8be6d7b 359 aLogEntry->http.method = request->method;
360 aLogEntry->http.version = request->http_ver;
c8be6d7b 361 aLogEntry->hier = request->hier;
5b4117d8 362 aLogEntry->cache.extuser = request->extacl_user.termedBuf();
abb929f0 363
a119c6ad
AR
364 // Adapted request, if any, inherits and then collects all the stats, but
365 // the virgin request gets logged instead; copy the stats to log them.
366 // TODO: avoid losses by keeping these stats in a shared history object?
64b66b76 367 if (aLogEntry->request) {
a119c6ad 368 aLogEntry->request->dnsWait = request->dnsWait;
83b053a0 369 aLogEntry->request->error = request->error;
64b66b76 370 }
c8be6d7b 371}
372
373void
528b2c61 374ClientHttpRequest::logRequest()
375{
12f5a662 376 if (!out.size && loggingTags().oldType == LOG_TAG_NONE)
91369933 377 debugs(33, 5, "logging half-baked transaction: " << log_uri);
6fd1086a 378
41ebd397
CT
379 al->icp.opcode = ICP_INVALID;
380 al->url = log_uri;
381 debugs(33, 9, "clientLogRequest: al.url='" << al->url << "'");
62e76326 382
66d51f4f
AR
383 const auto findReply = [this]() -> const HttpReply * {
384 if (al->reply)
385 return al->reply.getRaw();
386 if (const auto le = loggingEntry())
387 return le->hasFreshestReply();
388 return nullptr;
389 };
390 if (const auto reply = findReply()) {
391 al->http.code = reply->sline.status();
392 al->http.content_type = reply->content_type.termedBuf();
6fd1086a 393 }
5f8252d2 394
41ebd397 395 debugs(33, 9, "clientLogRequest: http.code='" << al->http.code << "'");
90a8964c 396
3a646078 397 if (loggingEntry() && loggingEntry()->mem_obj && loggingEntry()->objectLen() >= 0)
d6df21d2 398 al->cache.objectSize = loggingEntry()->contentLen(); // payload duplicate ?? with or without TE ?
90a8964c 399
cc0ca3b9 400 al->http.clientRequestSz.header = req_sz;
bd59d61c
EB
401 // the virgin request is saved to al->request
402 if (al->request && al->request->body_pipe)
403 al->http.clientRequestSz.payloadData = al->request->body_pipe->producedSize();
cc0ca3b9 404 al->http.clientReplySz.header = out.headers_sz;
d6df21d2 405 // XXX: calculate without payload encoding or headers !!
cc0ca3b9 406 al->http.clientReplySz.payloadData = out.size - out.headers_sz; // pretend its all un-encoded data for now.
90a8964c 407
41ebd397 408 al->cache.highOffset = out.offset;
90a8964c 409
01bd87d8 410 tvSub(al->cache.trTime, al->cache.start_time, current_time);
62e76326 411
6fd1086a 412 if (request)
41ebd397 413 prepareLogWithRequestDetails(request, al);
62e76326 414
cb4f4424 415#if USE_OPENSSL && 0
62e76326 416
6fd1086a
AR
417 /* This is broken. Fails if the connection has been closed. Needs
418 * to snarf the ssl details some place earlier..
419 */
420 if (getConn() != NULL)
41ebd397 421 al->cache.ssluser = sslGetUserEmail(fd_table[getConn()->fd].ssl);
62e76326 422
a7ad6e4e 423#endif
62e76326 424
f8a2338f 425 if (request) {
75d47340
CT
426 SBuf matched;
427 for (auto h: Config.notes) {
49f57088 428 if (h->match(request, al->reply.getRaw(), al, matched)) {
75d47340
CT
429 request->notes()->add(h->key(), matched);
430 debugs(33, 3, h->key() << " " << matched);
f8a2338f 431 }
d7f4a0b7 432 }
75d47340
CT
433 // The al->notes and request->notes must point to the same object.
434 al->syncNotes(request);
d7f4a0b7 435
542e1a7a 436 HTTPMSGUNLOCK(al->adapted_request);
8ebad780
CT
437 al->adapted_request = request;
438 HTTPMSGLOCK(al->adapted_request);
439 }
b1c2ea7a 440
e94ff527 441 ACLFilledChecklist checklist(nullptr, request);
b1c2ea7a 442 checklist.updateAle(al);
cb365059 443 // no need checklist.syncAle(): already synced
8ebad780
CT
444 accessLogLog(al, &checklist);
445
446 bool updatePerformanceCounters = true;
447 if (Config.accessList.stats_collection) {
e94ff527 448 ACLFilledChecklist statsCheck(Config.accessList.stats_collection, request);
b1c2ea7a 449 statsCheck.updateAle(al);
06bf5384 450 updatePerformanceCounters = statsCheck.fastCheck().allowed();
8ebad780
CT
451 }
452
453 if (updatePerformanceCounters) {
2ae98e09
TH
454 if (request)
455 updateCounters();
7684c4b1 456
aee3523a 457 if (getConn() != nullptr && getConn()->clientConnection != nullptr)
12f5a662 458 clientdbUpdate(getConn()->clientConnection->remote, loggingTags(), AnyP::PROTO_HTTP, out.size);
7a2f978b 459 }
c8be6d7b 460}
461
462void
528b2c61 463ClientHttpRequest::freeResources()
c8be6d7b 464{
528b2c61 465 safe_free(uri);
528b2c61 466 safe_free(redirect.location);
30abd221 467 range_iter.boundary.clean();
bec110e4 468 clearRequest();
62e76326 469
528b2c61 470 if (client_stream.tail)
62e76326 471 clientStreamAbort((clientStreamNode *)client_stream.tail->data, this);
c8be6d7b 472}
473
474void
475httpRequestFree(void *data)
476{
59a1efb2 477 ClientHttpRequest *http = (ClientHttpRequest *)data;
aee3523a 478 assert(http != nullptr);
528b2c61 479 delete http;
7a2f978b 480}
481
482/* This is a handler normally called by comm_close() */
ced8def3 483void ConnStateData::connStateClosed(const CommCloseCbParams &)
7a2f978b 484{
2b6b1bcb
AR
485 if (clientConnection) {
486 clientConnection->noteClosure();
487 // keep closed clientConnection for logging, clientdb cleanup, etc.
488 }
6e1d409c 489 deleteThis("ConnStateData::connStateClosed");
a46d2c0e 490}
62e76326 491
cc1e110a
AJ
492#if USE_AUTH
493void
494ConnStateData::setAuth(const Auth::UserRequest::Pointer &aur, const char *by)
495{
aee3523a
AR
496 if (auth_ == nullptr) {
497 if (aur != nullptr) {
cc1e110a
AJ
498 debugs(33, 2, "Adding connection-auth to " << clientConnection << " from " << by);
499 auth_ = aur;
500 }
501 return;
502 }
503
504 // clobered with self-pointer
505 // NP: something nasty is going on in Squid, but harmless.
506 if (aur == auth_) {
507 debugs(33, 2, "WARNING: Ignoring duplicate connection-auth for " << clientConnection << " from " << by);
508 return;
509 }
510
511 /*
512 * Connection-auth relies on a single set of credentials being preserved
513 * for all requests on a connection once they have been setup.
514 * There are several things which need to happen to preserve security
515 * when connection-auth credentials change unexpectedly or are unset.
516 *
517 * 1) auth helper released from any active state
518 *
519 * They can only be reserved by a handshake process which this
520 * connection can now never complete.
521 * This prevents helpers hanging when their connections close.
522 *
523 * 2) pinning is expected to be removed and server conn closed
524 *
525 * The upstream link is authenticated with the same credentials.
526 * Expecting the same level of consistency we should have received.
527 * This prevents upstream being faced with multiple or missing
528 * credentials after authentication.
529 * NP: un-pin is left to the cleanup in ConnStateData::swanSong()
530 * we just trigger that cleanup here via comm_reset_close() or
531 * ConnStateData::stopReceiving()
532 *
533 * 3) the connection needs to close.
534 *
535 * This prevents attackers injecting requests into a connection,
536 * or gateways wrongly multiplexing users into a single connection.
537 *
538 * When credentials are missing closure needs to follow an auth
539 * challenge for best recovery by the client.
540 *
541 * When credentials change there is nothing we can do but abort as
542 * fast as possible. Sending TCP RST instead of an HTTP response
543 * is the best-case action.
544 */
545
546 // clobbered with nul-pointer
aee3523a 547 if (aur == nullptr) {
cc1e110a
AJ
548 debugs(33, 2, "WARNING: Graceful closure on " << clientConnection << " due to connection-auth erase from " << by);
549 auth_->releaseAuthServer();
aee3523a 550 auth_ = nullptr;
cc1e110a
AJ
551 // XXX: need to test whether the connection re-auth challenge is sent. If not, how to trigger it from here.
552 // NP: the current situation seems to fix challenge loops in Safari without visible issues in others.
553 // we stop receiving more traffic but can leave the Job running to terminate after the error or challenge is delivered.
554 stopReceiving("connection-auth removed");
555 return;
556 }
557
558 // clobbered with alternative credentials
559 if (aur != auth_) {
560 debugs(33, 2, "ERROR: Closing " << clientConnection << " due to change of connection-auth from " << by);
561 auth_->releaseAuthServer();
aee3523a 562 auth_ = nullptr;
cc1e110a
AJ
563 // this is a fatal type of problem.
564 // Close the connection immediately with TCP RST to abort all traffic flow
565 comm_reset_close(clientConnection);
566 return;
567 }
568
569 /* NOT REACHABLE */
570}
571#endif
572
83b053a0
CT
573void
574ConnStateData::resetReadTimeout(const time_t timeout)
575{
576 typedef CommCbMemFunT<ConnStateData, CommTimeoutCbParams> TimeoutDialer;
577 AsyncCall::Pointer callback = JobCallback(33, 5, TimeoutDialer, this, ConnStateData::requestTimeout);
578 commSetConnTimeout(clientConnection, timeout, callback);
579}
580
581void
582ConnStateData::extendLifetime()
583{
584 typedef CommCbMemFunT<ConnStateData, CommTimeoutCbParams> TimeoutDialer;
585 AsyncCall::Pointer callback = JobCallback(5, 4, TimeoutDialer, this, ConnStateData::lifetimeTimeout);
586 commSetConnTimeout(clientConnection, Config.Timeout.lifetime, callback);
587}
588
6e1d409c 589// cleans up before destructor is called
a2ac85d9 590void
6e1d409c 591ConnStateData::swanSong()
a46d2c0e 592{
bf95c10a 593 debugs(33, 2, clientConnection);
da6dbcd1 594
f35961af 595 flags.readMore = false;
f53969cc 596 clientdbEstablished(clientConnection->remote, -1); /* decrement */
83b053a0
CT
597
598 terminateAll(ERR_NONE, LogTagsErrors());
599 checkLogging();
6e1d409c 600
801cfc26 601 // XXX: Closing pinned conn is too harsh: The Client may want to continue!
89b1d7a2 602 unpinConnection(true);
e3a4aecc 603
83b053a0 604 Server::swanSong();
d67acb4e 605
cc1e110a
AJ
606#if USE_AUTH
607 // NP: do this bit after closing the connections to avoid side effects from unwanted TCP RST
aee3523a 608 setAuth(nullptr, "ConnStateData::SwanSong cleanup");
cc1e110a
AJ
609#endif
610
6e1d409c 611 flags.swanSang = true;
a2ac85d9 612}
613
83b053a0
CT
614void
615ConnStateData::callException(const std::exception &ex)
616{
617 Server::callException(ex); // logs ex and stops the job
618
619 ErrorDetail::Pointer errorDetail;
620 if (const auto tex = dynamic_cast<const TextException*>(&ex))
621 errorDetail = new ExceptionErrorDetail(tex->id());
622 else
623 errorDetail = new ExceptionErrorDetail(Here().id());
624 updateError(ERR_GATEWAY_FAILURE, errorDetail);
625}
626
627void
628ConnStateData::updateError(const Error &error)
629{
630 if (const auto context = pipeline.front()) {
631 const auto http = context->http;
632 assert(http);
633 http->updateError(error);
634 } else {
635 bareError.update(error);
636 }
637}
638
a2ac85d9 639bool
640ConnStateData::isOpen() const
641{
10b06767 642 return cbdataReferenceValid(this) && // XXX: checking "this" in a method
73c36fd9
AJ
643 Comm::IsConnOpen(clientConnection) &&
644 !fd_table[clientConnection->fd].closing();
a2ac85d9 645}
646
647ConnStateData::~ConnStateData()
648{
bf95c10a 649 debugs(33, 3, clientConnection);
a2ac85d9 650
651 if (isOpen())
d816f28d 652 debugs(33, DBG_IMPORTANT, "ERROR: Squid BUG: ConnStateData did not close " << clientConnection);
6e1d409c
AR
653
654 if (!flags.swanSang)
d816f28d 655 debugs(33, DBG_IMPORTANT, "ERROR: Squid BUG: ConnStateData was not destroyed properly; " << clientConnection);
62e76326 656
aee3523a 657 if (bodyPipe != nullptr)
279152e7 658 stopProducingFor(bodyPipe, false);
87f237a9 659
fcc444e3
AJ
660 delete bodyParser; // TODO: pool
661
cb4f4424 662#if USE_OPENSSL
fd4624d7 663 delete sslServerBump;
8a7fe008 664#endif
7a2f978b 665}
666
63be0a78 667/**
450fe1cb 668 * clientSetKeepaliveFlag() sets request->flags.proxyKeepalive.
c68e9c6b 669 * This is the client-side persistent connection flag. We need
670 * to set this relatively early in the request processing
671 * to handle hacks for broken servers and clients.
672 */
92ae4c86 673void
59a1efb2 674clientSetKeepaliveFlag(ClientHttpRequest * http)
c68e9c6b 675{
190154cf 676 HttpRequest *request = http->request;
f6329bc3 677
7f06a3d8
AJ
678 debugs(33, 3, "http_ver = " << request->http_ver);
679 debugs(33, 3, "method = " << request->method);
62e76326 680
4a1acc56 681 // TODO: move to HttpRequest::hdrCacheInit, just like HttpReply.
e857372a 682 request->flags.proxyKeepalive = request->persistent();
c68e9c6b 683}
684
c8be6d7b 685int
47f6e231 686clientIsRequestBodyTooLargeForPolicy(int64_t bodyLength)
efd900cb 687{
c8be6d7b 688 if (Config.maxRequestBodySize &&
62e76326 689 bodyLength > Config.maxRequestBodySize)
f53969cc 690 return 1; /* too large */
62e76326 691
efd900cb 692 return 0;
693}
694
528b2c61 695bool
696ClientHttpRequest::multipartRangeRequest() const
697{
698 return request->multipartRangeRequest();
699}
700
4ad60609 701void
d6fdeb41 702clientPackTermBound(String boundary, MemBuf *mb)
528b2c61 703{
4391cd15 704 mb->appendf("\r\n--" SQUIDSTRINGPH "--\r\n", SQUIDSTRINGPRINT(boundary));
d6fdeb41 705 debugs(33, 6, "buf offset: " << mb->size);
528b2c61 706}
707
d6fdeb41 708void
a0c227a9 709clientPackRangeHdr(const HttpReplyPointer &rep, const HttpHdrRangeSpec * spec, String boundary, MemBuf * mb)
528b2c61 710{
75faaa7a 711 HttpHeader hdr(hoReply);
528b2c61 712 assert(rep);
713 assert(spec);
714
715 /* put boundary */
d6fdeb41 716 debugs(33, 5, "appending boundary: " << boundary);
528b2c61 717 /* rfc2046 requires to _prepend_ boundary with <crlf>! */
4391cd15 718 mb->appendf("\r\n--" SQUIDSTRINGPH "\r\n", SQUIDSTRINGPRINT(boundary));
528b2c61 719
720 /* stuff the header with required entries and pack it */
62e76326 721
789217a2
FC
722 if (rep->header.has(Http::HdrType::CONTENT_TYPE))
723 hdr.putStr(Http::HdrType::CONTENT_TYPE, rep->header.getStr(Http::HdrType::CONTENT_TYPE));
62e76326 724
528b2c61 725 httpHeaderAddContRange(&hdr, *spec, rep->content_length);
62e76326 726
10201568 727 hdr.packInto(mb);
519e0948 728 hdr.clean();
528b2c61 729
730 /* append <crlf> (we packed a header, not a reply) */
10201568 731 mb->append("\r\n", 2);
528b2c61 732}
733
63be0a78 734/** returns expected content length for multi-range replies
528b2c61 735 * note: assumes that httpHdrRangeCanonize has already been called
736 * warning: assumes that HTTP headers for individual ranges at the
737 * time of the actuall assembly will be exactly the same as
738 * the headers when clientMRangeCLen() is called */
7024fb73
AR
739int64_t
740ClientHttpRequest::mRangeCLen() const
c8be6d7b 741{
47f6e231 742 int64_t clen = 0;
c8be6d7b 743 MemBuf mb;
528b2c61 744
86a2f789 745 assert(memObject());
528b2c61 746
2fe7eff9 747 mb.init();
528b2c61 748 HttpHdrRange::iterator pos = request->range->begin();
62e76326 749
528b2c61 750 while (pos != request->range->end()) {
62e76326 751 /* account for headers for this range */
2fe7eff9 752 mb.reset();
66d51f4f 753 clientPackRangeHdr(&storeEntry()->mem().freshestReply(),
62e76326 754 *pos, range_iter.boundary, &mb);
755 clen += mb.size;
528b2c61 756
62e76326 757 /* account for range content */
758 clen += (*pos)->length;
528b2c61 759
4a7a3d56 760 debugs(33, 6, "clientMRangeCLen: (clen += " << mb.size << " + " << (*pos)->length << ") == " << clen);
62e76326 761 ++pos;
528b2c61 762 }
62e76326 763
528b2c61 764 /* account for the terminating boundary */
2fe7eff9 765 mb.reset();
62e76326 766
528b2c61 767 clientPackTermBound(range_iter.boundary, &mb);
62e76326 768
528b2c61 769 clen += mb.size;
770
2fe7eff9 771 mb.clean();
62e76326 772
528b2c61 773 return clen;
774}
775
63be0a78 776/**
777 * generates a "unique" boundary string for multipart responses
528b2c61 778 * the caller is responsible for cleaning the string */
30abd221 779String
528b2c61 780ClientHttpRequest::rangeBoundaryStr() const
781{
528b2c61 782 const char *key;
c81de627 783 String b(visible_appname_string);
7dbca7a4 784 b.append(":",1);
86a2f789 785 key = storeEntry()->getMD5Text();
528b2c61 786 b.append(key, strlen(key));
787 return b;
788}
789
63be0a78 790/**
7dc5f514 791 * Write a chunk of data to a client socket. If the reply is present,
792 * send the reply headers down the wire too, and clean them up when
793 * finished.
9e008dda 794 * Pre-condition:
edce4d98 795 * The request is one backed by a connection, not an internal request.
796 * data context is not NULL
797 * There are no more entries in the stream chain.
2246b732 798 */
92ae4c86 799void
59a1efb2 800clientSocketRecipient(clientStreamNode * node, ClientHttpRequest * http,
2324cda2 801 HttpReply * rep, StoreIOBuffer receivedData)
edce4d98 802{
61beade2 803 // do not try to deliver if client already ABORTED
51571330
AJ
804 if (!http->getConn() || !cbdataReferenceValid(http->getConn()) || !Comm::IsConnOpen(http->getConn()->clientConnection))
805 return;
806
edce4d98 807 /* Test preconditions */
aee3523a 808 assert(node != nullptr);
62e76326 809 /* TODO: handle this rather than asserting
9e008dda
AJ
810 * - it should only ever happen if we cause an abort and
811 * the callback chain loops back to here, so we can simply return.
812 * However, that itself shouldn't happen, so it stays as an assert for now.
edce4d98 813 */
814 assert(cbdataReferenceValid(node));
aee3523a 815 assert(node->node.next == nullptr);
d3dddfb5 816 Http::StreamPointer context = dynamic_cast<Http::Stream *>(node->data.getRaw());
aee3523a 817 assert(context != nullptr);
5c336a3b 818
528b2c61 819 /* TODO: check offset is what we asked for */
62e76326 820
efd5e784
AJ
821 // TODO: enforces HTTP/1 MUST on pipeline order, but is irrelevant to HTTP/2
822 if (context != http->getConn()->pipeline.front())
2324cda2 823 context->deferRecipientForLater(node, rep, receivedData);
24e1fd72
CT
824 else if (http->getConn()->cbControlMsgSent) // 1xx to the user is pending
825 context->deferRecipientForLater(node, rep, receivedData);
92ae4c86
AR
826 else
827 http->getConn()->handleReply(rep, receivedData);
edce4d98 828}
829
63be0a78 830/**
831 * Called when a downstream node is no longer interested in
edce4d98 832 * our data. As we are a terminal node, this means on aborts
833 * only
834 */
835void
59a1efb2 836clientSocketDetach(clientStreamNode * node, ClientHttpRequest * http)
edce4d98 837{
edce4d98 838 /* Test preconditions */
aee3523a 839 assert(node != nullptr);
62e76326 840 /* TODO: handle this rather than asserting
9e008dda
AJ
841 * - it should only ever happen if we cause an abort and
842 * the callback chain loops back to here, so we can simply return.
edce4d98 843 * However, that itself shouldn't happen, so it stays as an assert for now.
844 */
845 assert(cbdataReferenceValid(node));
846 /* Set null by ContextFree */
aee3523a 847 assert(node->node.next == nullptr);
0655fa4d 848 /* this is the assert discussed above */
aee3523a 849 assert(nullptr == dynamic_cast<Http::Stream *>(node->data.getRaw()));
edce4d98 850 /* We are only called when the client socket shutsdown.
851 * Tell the prev pipeline member we're finished
852 */
853 clientStreamDetach(node, http);
7a2f978b 854}
855
c8be6d7b 856void
a46d2c0e 857ConnStateData::readNextRequest()
c8be6d7b 858{
bf95c10a 859 debugs(33, 5, clientConnection << " reading next req");
bf8fe701 860
97b32442 861 fd_note(clientConnection->fd, "Idle client: Waiting for next request");
63be0a78 862 /**
5ddf7edc 863 * Set the timeout BEFORE calling readSomeData().
c8be6d7b 864 */
83b053a0 865 resetReadTimeout(clientConnection->timeLeft(idleTimeout()));
1cf238db 866
a46d2c0e 867 readSomeData();
63be0a78 868 /** Please don't do anything with the FD past here! */
c8be6d7b 869}
870
09d3938c 871static void
d3dddfb5 872ClientSocketContextPushDeferredIfNeeded(Http::StreamPointer deferredRequest, ConnStateData * conn)
c8be6d7b 873{
bf95c10a 874 debugs(33, 2, conn->clientConnection << " Sending next");
bf8fe701 875
63be0a78 876 /** If the client stream is waiting on a socket write to occur, then */
62e76326 877
c8be6d7b 878 if (deferredRequest->flags.deferred) {
63be0a78 879 /** NO data is allowed to have been sent. */
62e76326 880 assert(deferredRequest->http->out.size == 0);
63be0a78 881 /** defer now. */
62e76326 882 clientSocketRecipient(deferredRequest->deferredparams.node,
883 deferredRequest->http,
884 deferredRequest->deferredparams.rep,
885 deferredRequest->deferredparams.queuedBuffer);
c8be6d7b 886 }
62e76326 887
63be0a78 888 /** otherwise, the request is still active in a callbacksomewhere,
c8be6d7b 889 * and we are done
f4f278b5 890 */
f4f278b5 891}
892
0655fa4d 893void
f4a53cf7 894ConnStateData::kick()
1a92a1e2 895{
4a4fbcef
AJ
896 if (!Comm::IsConnOpen(clientConnection)) {
897 debugs(33, 2, clientConnection << " Connection was closed");
898 return;
899 }
0655fa4d 900
f4a53cf7
AJ
901 if (pinning.pinned && !Comm::IsConnOpen(pinning.serverConnection)) {
902 debugs(33, 2, clientConnection << " Connection was pinned but server side gone. Terminating client connection");
903 clientConnection->close();
d67acb4e
AJ
904 return;
905 }
906
cf6eb29e
CT
907 /** \par
908 * We are done with the response, and we are either still receiving request
909 * body (early response!) or have already stopped receiving anything.
910 *
5da786ef 911 * If we are still receiving, then parseRequests() below will fail.
cf6eb29e
CT
912 * (XXX: but then we will call readNextRequest() which may succeed and
913 * execute a smuggled request as we are not done with the current request).
914 *
915 * If we stopped because we got everything, then try the next request.
916 *
917 * If we stopped receiving because of an error, then close now to avoid
918 * getting stuck and to prevent accidental request smuggling.
919 */
920
f4a53cf7
AJ
921 if (const char *reason = stoppedReceiving()) {
922 debugs(33, 3, "closing for earlier request error: " << reason);
923 clientConnection->close();
cf6eb29e
CT
924 return;
925 }
926
63be0a78 927 /** \par
f900210a 928 * Attempt to parse a request from the request buffer.
929 * If we've been fed a pipelined request it may already
930 * be in our read buffer.
f900210a 931 */
932
5da786ef 933 parseRequests();
f900210a 934
5da786ef 935 if (!isOpen())
f900210a 936 return;
f900210a 937
63be0a78 938 /** \par
f900210a 939 * At this point we either have a parsed request (which we've
940 * kicked off the processing for) or not. If we have a deferred
941 * request (parsed but deferred for pipeling processing reasons)
942 * then look at processing it. If not, simply kickstart
943 * another read.
944 */
d3dddfb5 945 Http::StreamPointer deferredRequest = pipeline.front();
efd5e784 946 if (deferredRequest != nullptr) {
f4a53cf7
AJ
947 debugs(33, 3, clientConnection << ": calling PushDeferredIfNeeded");
948 ClientSocketContextPushDeferredIfNeeded(deferredRequest, this);
949 } else if (flags.readMore) {
950 debugs(33, 3, clientConnection << ": calling readNextRequest()");
951 readNextRequest();
f35961af
AR
952 } else {
953 // XXX: Can this happen? CONNECT tunnels have deferredRequest set.
f4a53cf7 954 debugs(33, DBG_IMPORTANT, MYNAME << "abandoning " << clientConnection);
f900210a 955 }
1a92a1e2 956}
957
cf6eb29e
CT
958void
959ConnStateData::stopSending(const char *error)
960{
bf95c10a 961 debugs(33, 4, "sending error (" << clientConnection << "): " << error <<
cf6eb29e
CT
962 "; old receiving error: " <<
963 (stoppedReceiving() ? stoppedReceiving_ : "none"));
fc68f6b1 964
cf6eb29e 965 if (const char *oldError = stoppedSending()) {
bf95c10a 966 debugs(33, 3, "already stopped sending: " << oldError);
cf6eb29e
CT
967 return; // nothing has changed as far as this connection is concerned
968 }
969 stoppedSending_ = error;
fc68f6b1 970
cf6eb29e
CT
971 if (!stoppedReceiving()) {
972 if (const int64_t expecting = mayNeedToReadMoreBody()) {
bf95c10a 973 debugs(33, 5, "must still read " << expecting <<
fcc444e3 974 " request body bytes with " << inBuf.length() << " unused");
cf6eb29e 975 return; // wait for the request receiver to finish reading
3b299123 976 }
55e44db9 977 }
978
cf6eb29e 979 clientConnection->close();
55e44db9 980}
981
0655fa4d 982void
21cd3227
AJ
983ConnStateData::afterClientWrite(size_t size)
984{
985 if (pipeline.empty())
986 return;
987
d6fdeb41
AJ
988 auto ctx = pipeline.front();
989 if (size) {
990 statCounter.client_http.kbytes_out += size;
12f5a662 991 if (ctx->http->loggingTags().isTcpHit())
d6fdeb41 992 statCounter.client_http.hit_kbytes_out += size;
7a2f978b 993 }
d6fdeb41 994 ctx->writeComplete(size);
7a2f978b 995}
996
d3dddfb5 997Http::Stream *
eacfca83 998ConnStateData::abortRequestParsing(const char *const uri)
038eb4ed 999{
eacfca83 1000 ClientHttpRequest *http = new ClientHttpRequest(this);
fcc444e3 1001 http->req_sz = inBuf.length();
bec110e4 1002 http->setErrorUri(uri);
d3dddfb5 1003 auto *context = new Http::Stream(clientConnection, http);
942b1c39
AJ
1004 StoreIOBuffer tempBuffer;
1005 tempBuffer.data = context->reqbuf;
1006 tempBuffer.length = HTTP_REQBUF_SZ;
edce4d98 1007 clientStreamInit(&http->client_stream, clientGetMoreData, clientReplyDetach,
0655fa4d 1008 clientReplyStatus, new clientReplyContext(http), clientSocketRecipient,
942b1c39 1009 clientSocketDetach, context, tempBuffer);
edce4d98 1010 return context;
038eb4ed 1011}
1012
d442618d
AJ
1013void
1014ConnStateData::startShutdown()
1015{
1016 // RegisteredRunner API callback - Squid has been shut down
1017
1018 // if connection is idle terminate it now,
1019 // otherwise wait for grace period to end
e500cc89 1020 if (pipeline.empty())
d442618d
AJ
1021 endingShutdown();
1022}
1023
1024void
1025ConnStateData::endingShutdown()
1026{
1027 // RegisteredRunner API callback - Squid shutdown grace period is over
1028
1029 // force the client connection to close immediately
1030 // swanSong() in the close handler will cleanup.
1031 if (Comm::IsConnOpen(clientConnection))
1032 clientConnection->close();
d442618d
AJ
1033}
1034
c8be6d7b 1035char *
1036skipLeadingSpace(char *aString)
1037{
1038 char *result = aString;
62e76326 1039
c8be6d7b 1040 while (xisspace(*aString))
62e76326 1041 ++aString;
1042
c8be6d7b 1043 return result;
1044}
1045
63be0a78 1046/**
d4a04ed5 1047 * 'end' defaults to NULL for backwards compatibility
1048 * remove default value if we ever get rid of NULL-terminated
1049 * request buffers.
1050 */
1051const char *
1052findTrailingHTTPVersion(const char *uriAndHTTPVersion, const char *end)
c8be6d7b 1053{
aee3523a 1054 if (nullptr == end) {
d4a04ed5 1055 end = uriAndHTTPVersion + strcspn(uriAndHTTPVersion, "\r\n");
1056 assert(end);
1057 }
62e76326 1058
5e263176 1059 for (; end > uriAndHTTPVersion; --end) {
d4a04ed5 1060 if (*end == '\n' || *end == '\r')
62e76326 1061 continue;
1062
d4a04ed5 1063 if (xisspace(*end)) {
1064 if (strncasecmp(end + 1, "HTTP/", 5) == 0)
1065 return end + 1;
62e76326 1066 else
1067 break;
1068 }
c8be6d7b 1069 }
62e76326 1070
aee3523a 1071 return nullptr;
c8be6d7b 1072}
1073
0a57a661
CT
1074static char *
1075prepareAcceleratedURL(ConnStateData * conn, const Http1::RequestParserPointer &hp)
62e76326 1076{
3f38a55e 1077 int vhost = conn->port->vhost;
1078 int vport = conn->port->vport;
9ff1b8ca 1079 static char ipbuf[MAX_IPSTRLEN];
c8be6d7b 1080
3f38a55e 1081 /* BUG: Squid cannot deal with '*' URLs (RFC2616 5.1.2) */
c8be6d7b 1082
b1cef121 1083 // XXX: re-use proper URL parser for this
9bafa70d 1084 SBuf url = hp->requestUri(); // use full provided URI if we abort
b1cef121
AJ
1085 do { // use a loop so we can break out of it
1086 ::Parser::Tokenizer tok(url);
f9688132 1087 if (tok.skip('/')) // origin-form URL already.
b1cef121
AJ
1088 break;
1089
62e76326 1090 if (conn->port->vhost)
0a57a661 1091 return nullptr; /* already in good shape */
62e76326 1092
b1cef121 1093 // skip the URI scheme
9bafa70d 1094 static const CharacterSet uriScheme = CharacterSet("URI-scheme","+-.") + CharacterSet::ALPHA + CharacterSet::DIGIT;
b1cef121 1095 static const SBuf uriSchemeEnd("://");
9bafa70d 1096 if (!tok.skipAll(uriScheme) || !tok.skip(uriSchemeEnd))
b1cef121 1097 break;
62e76326 1098
b1cef121
AJ
1099 // skip the authority segment
1100 // RFC 3986 complex nested ABNF for "authority" boils down to this:
1101 static const CharacterSet authority = CharacterSet("authority","-._~%:@[]!$&'()*+,;=") +
f53969cc 1102 CharacterSet::HEXDIG + CharacterSet::ALPHA + CharacterSet::DIGIT;
9bafa70d 1103 if (!tok.skipAll(authority))
b1cef121 1104 break;
62e76326 1105
63ccea28 1106 static const SBuf slashUri("/");
83e3a594 1107 const SBuf t = tok.remaining();
b1cef121 1108 if (t.isEmpty())
63ccea28 1109 url = slashUri;
b1cef121
AJ
1110 else if (t[0]=='/') // looks like path
1111 url = t;
1112 else if (t[0]=='?' || t[0]=='#') { // looks like query or fragment. fix '/'
63ccea28 1113 url = slashUri;
b1cef121
AJ
1114 url.append(t);
1115 } // else do nothing. invalid path
62e76326 1116
b1cef121 1117 } while(false);
62e76326 1118
b1cef121
AJ
1119#if SHOULD_REJECT_UNKNOWN_URLS
1120 // reject URI which are not well-formed even after the processing above
f9688132 1121 if (url.isEmpty() || url[0] != '/') {
f1d5359e 1122 hp->parseStatusCode = Http::scBadRequest;
943cdf6d 1123 return conn->abortRequestParsing("error:invalid-request");
3f38a55e 1124 }
b1cef121 1125#endif
3f38a55e 1126
5463e4b9 1127 if (vport < 0)
0a57a661 1128 vport = conn->clientConnection->local.port();
5463e4b9 1129
8df30f0b
GV
1130 char *receivedHost = nullptr;
1131 if (vhost && (receivedHost = hp->getHostHeaderField())) {
1132 SBuf host(receivedHost);
5463e4b9 1133 debugs(33, 5, "ACCEL VHOST REWRITE: vhost=" << host << " + vport=" << vport);
5463e4b9 1134 if (vport > 0) {
8df30f0b
GV
1135 // remove existing :port (if any), cope with IPv6+ without port
1136 const auto lastColonPos = host.rfind(':');
1137 if (lastColonPos != SBuf::npos && *host.rbegin() != ']') {
1138 host.chop(0, lastColonPos); // truncate until the last colon
5463e4b9 1139 }
8df30f0b 1140 host.appendf(":%d", vport);
5463e4b9 1141 } // else nothing to alter port-wise.
d31d59d8 1142 const SBuf &scheme = AnyP::UriScheme(conn->transferProtocol.protocol).image();
8df30f0b 1143 const auto url_sz = scheme.length() + host.length() + url.length() + 32;
0a57a661 1144 char *uri = static_cast<char *>(xcalloc(url_sz, 1));
8df30f0b 1145 snprintf(uri, url_sz, SQUIDSBUFPH "://" SQUIDSBUFPH SQUIDSBUFPH, SQUIDSBUFPRINT(scheme), SQUIDSBUFPRINT(host), SQUIDSBUFPRINT(url));
0a57a661
CT
1146 debugs(33, 5, "ACCEL VHOST REWRITE: " << uri);
1147 return uri;
5463e4b9
AJ
1148 } else if (conn->port->defaultsite /* && !vhost */) {
1149 debugs(33, 5, "ACCEL DEFAULTSITE REWRITE: defaultsite=" << conn->port->defaultsite << " + vport=" << vport);
5463e4b9
AJ
1150 char vportStr[32];
1151 vportStr[0] = '\0';
1152 if (vport > 0) {
1153 snprintf(vportStr, sizeof(vportStr),":%d",vport);
1154 }
d31d59d8 1155 const SBuf &scheme = AnyP::UriScheme(conn->transferProtocol.protocol).image();
0a57a661
CT
1156 const int url_sz = scheme.length() + strlen(conn->port->defaultsite) + sizeof(vportStr) + url.length() + 32;
1157 char *uri = static_cast<char *>(xcalloc(url_sz, 1));
1158 snprintf(uri, url_sz, SQUIDSBUFPH "://%s%s" SQUIDSBUFPH,
d31d59d8 1159 SQUIDSBUFPRINT(scheme), conn->port->defaultsite, vportStr, SQUIDSBUFPRINT(url));
0a57a661
CT
1160 debugs(33, 5, "ACCEL DEFAULTSITE REWRITE: " << uri);
1161 return uri;
5463e4b9 1162 } else if (vport > 0 /* && (!vhost || no Host:) */) {
3cc0f4e7 1163 debugs(33, 5, "ACCEL VPORT REWRITE: *_port IP + vport=" << vport);
5463e4b9 1164 /* Put the local socket IP address as the hostname, with whatever vport we found */
0a57a661 1165 conn->clientConnection->local.toHostStr(ipbuf,MAX_IPSTRLEN);
d31d59d8 1166 const SBuf &scheme = AnyP::UriScheme(conn->transferProtocol.protocol).image();
0a57a661
CT
1167 const int url_sz = scheme.length() + sizeof(ipbuf) + url.length() + 32;
1168 char *uri = static_cast<char *>(xcalloc(url_sz, 1));
1169 snprintf(uri, url_sz, SQUIDSBUFPH "://%s:%d" SQUIDSBUFPH,
d31d59d8 1170 SQUIDSBUFPRINT(scheme), ipbuf, vport, SQUIDSBUFPRINT(url));
0a57a661
CT
1171 debugs(33, 5, "ACCEL VPORT REWRITE: " << uri);
1172 return uri;
3f38a55e 1173 }
0a57a661
CT
1174
1175 return nullptr;
3f38a55e 1176}
1177
0a57a661
CT
1178static char *
1179buildUrlFromHost(ConnStateData * conn, const Http1::RequestParserPointer &hp)
62e76326 1180{
0a57a661 1181 char *uri = nullptr;
3f38a55e 1182 /* BUG: Squid cannot deal with '*' URLs (RFC2616 5.1.2) */
2a51e34e 1183 if (const char *host = hp->getHostHeaderField()) {
d31d59d8 1184 const SBuf &scheme = AnyP::UriScheme(conn->transferProtocol.protocol).image();
0a57a661
CT
1185 const int url_sz = scheme.length() + strlen(host) + hp->requestUri().length() + 32;
1186 uri = static_cast<char *>(xcalloc(url_sz, 1));
1187 snprintf(uri, url_sz, SQUIDSBUFPH "://%s" SQUIDSBUFPH,
1188 SQUIDSBUFPRINT(scheme),
1189 host,
1190 SQUIDSBUFPRINT(hp->requestUri()));
1191 }
1192 return uri;
1193}
1194
1195char *
1196ConnStateData::prepareTlsSwitchingURL(const Http1::RequestParserPointer &hp)
1197{
1198 Must(switchedToHttps());
1199
1200 if (!hp->requestUri().isEmpty() && hp->requestUri()[0] != '/')
1201 return nullptr; /* already in good shape */
1202
1203 char *uri = buildUrlFromHost(this, hp);
1204#if USE_OPENSSL
1205 if (!uri) {
1206 Must(tlsConnectPort);
9ce4a1eb 1207 Must(!tlsConnectHostOrIp.isEmpty());
0a57a661
CT
1208 SBuf useHost;
1209 if (!tlsClientSni().isEmpty())
1210 useHost = tlsClientSni();
1211 else
9ce4a1eb 1212 useHost = tlsConnectHostOrIp;
0a57a661
CT
1213
1214 const SBuf &scheme = AnyP::UriScheme(transferProtocol.protocol).image();
1215 const int url_sz = scheme.length() + useHost.length() + hp->requestUri().length() + 32;
1216 uri = static_cast<char *>(xcalloc(url_sz, 1));
380b09ae 1217 snprintf(uri, url_sz, SQUIDSBUFPH "://" SQUIDSBUFPH ":%hu" SQUIDSBUFPH,
0a57a661
CT
1218 SQUIDSBUFPRINT(scheme),
1219 SQUIDSBUFPRINT(useHost),
380b09ae 1220 *tlsConnectPort,
0a57a661
CT
1221 SQUIDSBUFPRINT(hp->requestUri()));
1222 }
1223#endif
1224 if (uri)
1225 debugs(33, 5, "TLS switching host rewrite: " << uri);
1226 return uri;
1227}
1228
1229static char *
1230prepareTransparentURL(ConnStateData * conn, const Http1::RequestParserPointer &hp)
1231{
1232 // TODO Must() on URI !empty when the parser supports throw. For now avoid assert().
1233 if (!hp->requestUri().isEmpty() && hp->requestUri()[0] != '/')
1234 return nullptr; /* already in good shape */
1235
1236 char *uri = buildUrlFromHost(conn, hp);
1237 if (!uri) {
62e76326 1238 /* Put the local socket IP address as the hostname. */
f9688132 1239 static char ipbuf[MAX_IPSTRLEN];
0a57a661
CT
1240 conn->clientConnection->local.toHostStr(ipbuf,MAX_IPSTRLEN);
1241 const SBuf &scheme = AnyP::UriScheme(conn->transferProtocol.protocol).image();
1242 const int url_sz = sizeof(ipbuf) + hp->requestUri().length() + 32;
1243 uri = static_cast<char *>(xcalloc(url_sz, 1));
1244 snprintf(uri, url_sz, SQUIDSBUFPH "://%s:%d" SQUIDSBUFPH,
d31d59d8 1245 SQUIDSBUFPRINT(scheme),
0a57a661 1246 ipbuf, conn->clientConnection->local.port(), SQUIDSBUFPRINT(hp->requestUri()));
c8be6d7b 1247 }
0a57a661
CT
1248
1249 if (uri)
1250 debugs(33, 5, "TRANSPARENT REWRITE: " << uri);
1251 return uri;
c8be6d7b 1252}
1253
d3dddfb5 1254Http::Stream *
9ce4a1eb 1255ConnStateData::parseHttpRequest(const Http1::RequestParserPointer &hp)
7a2f978b 1256{
87abd755
AJ
1257 /* Attempt to parse the first line; this will define where the method, url, version and header begin */
1258 {
9ce4a1eb
CT
1259 Must(hp);
1260
1261 if (preservingClientData_)
1262 preservedClientData = inBuf;
1263
1264 const bool parsedOk = hp->parse(inBuf);
fc68f6b1 1265
36a9c964 1266 // sync the buffers after parsing.
9ce4a1eb 1267 inBuf = hp->remaining();
7a4fa6a0 1268
9bafa70d 1269 if (hp->needsMoreData()) {
87abd755 1270 debugs(33, 5, "Incomplete request, waiting for end of request line");
aee3523a 1271 return nullptr;
87abd755 1272 }
fc68f6b1 1273
016a316b 1274 if (!parsedOk) {
fc10bc7d
AR
1275 const bool tooBig =
1276 hp->parseStatusCode == Http::scRequestHeaderFieldsTooLarge ||
1277 hp->parseStatusCode == Http::scUriTooLong;
9ce4a1eb 1278 auto result = abortRequestParsing(
a70e75b7 1279 tooBig ? "error:request-too-large" : "error:invalid-request");
fc10bc7d 1280 // assume that remaining leftovers belong to this bad request
9ce4a1eb
CT
1281 if (!inBuf.isEmpty())
1282 consumeInput(inBuf.length());
fc10bc7d 1283 return result;
016a316b 1284 }
84cc2635 1285 }
fc68f6b1 1286
6d0613b2 1287 /* We know the whole request is in parser now */
9ce4a1eb 1288 debugs(11, 2, "HTTP Client " << clientConnection);
6d0613b2 1289 debugs(11, 2, "HTTP Client REQUEST:\n---------\n" <<
9bafa70d
AJ
1290 hp->method() << " " << hp->requestUri() << " " << hp->messageProtocol() << "\n" <<
1291 hp->mimeHeader() <<
6d0613b2 1292 "\n----------");
fc68f6b1 1293
adf29627 1294 /* deny CONNECT via accelerated ports */
aee3523a 1295 if (hp->method() == Http::METHOD_CONNECT && port != nullptr && port->flags.accelSurrogate) {
9ce4a1eb 1296 debugs(33, DBG_IMPORTANT, "WARNING: CONNECT method received on " << transferProtocol << " Accelerator port " << port->s.port());
9bafa70d 1297 debugs(33, DBG_IMPORTANT, "WARNING: for request: " << hp->method() << " " << hp->requestUri() << " " << hp->messageProtocol());
f1d5359e 1298 hp->parseStatusCode = Http::scMethodNotAllowed;
9ce4a1eb 1299 return abortRequestParsing("error:method-not-allowed");
adf29627
AJ
1300 }
1301
25237905 1302 /* HTTP/2 connection magic prefix starts with "PRI ".
5de5c2d0
AJ
1303 * Deny "PRI" method if used in HTTP/1.x or 0.9 versions.
1304 * If seen it signals a broken client or proxy has corrupted the traffic.
1305 */
1306 if (hp->method() == Http::METHOD_PRI && hp->messageProtocol() < Http::ProtocolVersion(2,0)) {
9ce4a1eb 1307 debugs(33, DBG_IMPORTANT, "WARNING: PRI method received on " << transferProtocol << " port " << port->s.port());
5de5c2d0 1308 debugs(33, DBG_IMPORTANT, "WARNING: for request: " << hp->method() << " " << hp->requestUri() << " " << hp->messageProtocol());
093c6381 1309 hp->parseStatusCode = Http::scMethodNotAllowed;
9ce4a1eb 1310 return abortRequestParsing("error:method-not-allowed");
5de5c2d0
AJ
1311 }
1312
9bafa70d
AJ
1313 if (hp->method() == Http::METHOD_NONE) {
1314 debugs(33, DBG_IMPORTANT, "WARNING: Unsupported method: " << hp->method() << " " << hp->requestUri() << " " << hp->messageProtocol());
f1d5359e 1315 hp->parseStatusCode = Http::scMethodNotAllowed;
9ce4a1eb 1316 return abortRequestParsing("error:unsupported-request-method");
3f38a55e 1317 }
7a2f978b 1318
6d0613b2
AJ
1319 // Process headers after request line
1320 debugs(33, 3, "complete request received. " <<
9bafa70d
AJ
1321 "prefix_sz = " << hp->messageHeaderSize() <<
1322 ", request-line-size=" << hp->firstLineSize() <<
1323 ", mime-header-size=" << hp->headerBlockSize() <<
1324 ", mime header block:\n" << hp->mimeHeader() << "\n----------");
62e76326 1325
7a2f978b 1326 /* Ok, all headers are received */
9ce4a1eb 1327 ClientHttpRequest *http = new ClientHttpRequest(this);
9ff1b8ca 1328
9bafa70d 1329 http->req_sz = hp->messageHeaderSize();
9ce4a1eb 1330 Http::Stream *result = new Http::Stream(clientConnection, http);
62e76326 1331
942b1c39
AJ
1332 StoreIOBuffer tempBuffer;
1333 tempBuffer.data = result->reqbuf;
1334 tempBuffer.length = HTTP_REQBUF_SZ;
1335
0655fa4d 1336 ClientStreamData newServer = new clientReplyContext(http);
0655fa4d 1337 ClientStreamData newClient = result;
edce4d98 1338 clientStreamInit(&http->client_stream, clientGetMoreData, clientReplyDetach,
0655fa4d 1339 clientReplyStatus, newServer, clientSocketRecipient,
942b1c39 1340 clientSocketDetach, newClient, tempBuffer);
62e76326 1341
3ff65596 1342 /* set url */
450e09f9 1343 debugs(33,5, "Prepare absolute URL from " <<
9ce4a1eb 1344 (transparent()?"intercept":(port->flags.accelSurrogate ? "accel":"")));
3f38a55e 1345 /* Rewrite the URL in transparent or accelerator mode */
89272111
AJ
1346 /* NP: there are several cases to traverse here:
1347 * - standard mode (forward proxy)
1348 * - transparent mode (TPROXY)
1349 * - transparent mode with failures
1350 * - intercept mode (NAT)
1351 * - intercept mode with failures
1352 * - accelerator mode (reverse proxy)
51b5dcf5 1353 * - internal relative-URL
89272111 1354 * - mixed combos of the above with internal URL
151ba0d4
AJ
1355 * - remote interception with PROXY protocol
1356 * - remote reverse-proxy with PROXY protocol
89272111 1357 */
9ce4a1eb
CT
1358 if (switchedToHttps()) {
1359 http->uri = prepareTlsSwitchingURL(hp);
1360 } else if (transparent()) {
89272111 1361 /* intercept or transparent mode, properly working with no failures */
9ce4a1eb 1362 http->uri = prepareTransparentURL(this, hp);
89272111 1363
51b5dcf5 1364 } else if (internalCheck(hp->requestUri())) { // NP: only matches relative-URI
89272111 1365 /* internal URL mode */
101694e4
AJ
1366 // XXX: By prepending our name and port, we create an absolute URL
1367 // that may mismatch the (yet unparsed) Host header in the request.
aee3523a 1368 http->uri = xstrdup(internalLocalUri(nullptr, hp->requestUri()));
59c59acf 1369
9ce4a1eb 1370 } else if (port->flags.accelSurrogate) {
59c59acf 1371 /* accelerator mode */
9ce4a1eb 1372 http->uri = prepareAcceleratedURL(this, hp);
0a57a661 1373 http->flags.accel = true;
3f38a55e 1374 }
1375
1376 if (!http->uri) {
62e76326 1377 /* No special rewrites have been applied above, use the
1378 * requested url. may be rewritten later, so make extra room */
9bafa70d 1379 int url_sz = hp->requestUri().length() + Config.appendDomainLen + 5;
62e76326 1380 http->uri = (char *)xcalloc(url_sz, 1);
3f0e38d6 1381 SBufToCstring(http->uri, hp->requestUri());
3f38a55e 1382 }
62e76326 1383
c4b7a5a9 1384 result->flags.parsed_ok = 1;
c8be6d7b 1385 return result;
7a2f978b 1386}
1387
fcc444e3 1388bool
83b053a0
CT
1389ConnStateData::shouldCloseOnEof() const
1390{
1391 if (pipeline.empty() && inBuf.isEmpty()) {
1392 debugs(33, 4, "yes, without active requests and unparsed input");
1393 return true;
1394 }
1395
1396 if (!Config.onoff.half_closed_clients) {
1397 debugs(33, 3, "yes, without half_closed_clients");
1398 return true;
c8be6d7b 1399 }
62e76326 1400
83b053a0
CT
1401 // Squid currently tries to parse (possibly again) a partially received
1402 // request after an EOF with half_closed_clients. To give that last parse in
1403 // afterClientRead() a chance, we ignore partially parsed requests here.
1404 debugs(33, 3, "no, honoring half_closed_clients");
fcc444e3 1405 return false;
c8be6d7b 1406}
1407
92ae4c86
AR
1408void
1409ConnStateData::consumeInput(const size_t byteCount)
1410{
fcc444e3
AJ
1411 assert(byteCount > 0 && byteCount <= inBuf.length());
1412 inBuf.consume(byteCount);
1413 debugs(33, 5, "inBuf has " << inBuf.length() << " unused bytes");
92ae4c86
AR
1414}
1415
1cf238db 1416void
f35961af 1417ConnStateData::clientAfterReadingRequests()
c4b7a5a9 1418{
39cb8c41 1419 // Were we expecting to read more request body from half-closed connection?
73c36fd9 1420 if (mayNeedToReadMoreBody() && commIsHalfClosed(clientConnection->fd)) {
bf95c10a 1421 debugs(33, 3, "truncated body: closing half-closed " << clientConnection);
73c36fd9 1422 clientConnection->close();
39cb8c41 1423 return;
c4b7a5a9 1424 }
1425
f35961af
AR
1426 if (flags.readMore)
1427 readSomeData();
c4b7a5a9 1428}
1429
84c77748
AR
1430void
1431ConnStateData::quitAfterError(HttpRequest *request)
1432{
1433 // From HTTP p.o.v., we do not have to close after every error detected
1434 // at the client-side, but many such errors do require closure and the
1435 // client-side code is bad at handling errors so we play it safe.
1436 if (request)
e857372a 1437 request->flags.proxyKeepalive = false;
84c77748 1438 flags.readMore = false;
bf95c10a 1439 debugs(33,4, "Will close after error: " << clientConnection);
84c77748
AR
1440}
1441
cb4f4424 1442#if USE_OPENSSL
d3dddfb5 1443bool ConnStateData::serveDelayedError(Http::Stream *context)
8eb0a7ee
CT
1444{
1445 ClientHttpRequest *http = context->http;
fd4624d7
CT
1446
1447 if (!sslServerBump)
8eb0a7ee
CT
1448 return false;
1449
fd4624d7 1450 assert(sslServerBump->entry);
7a957a93 1451 // Did we create an error entry while processing CONNECT?
fd4624d7 1452 if (!sslServerBump->entry->isEmpty()) {
84c77748
AR
1453 quitAfterError(http->request);
1454
7a957a93
AR
1455 // Get the saved error entry and send it to the client by replacing the
1456 // ClientHttpRequest store entry with it.
8eb0a7ee
CT
1457 clientStreamNode *node = context->getClientReplyContext();
1458 clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw());
7a957a93
AR
1459 assert(repContext);
1460 debugs(33, 5, "Responding with delated error for " << http->uri);
f0baf149 1461 repContext->setReplyToStoreEntry(sslServerBump->entry, "delayed SslBump error");
7a957a93 1462
7a957a93 1463 // Get error details from the fake certificate-peeking request.
83b053a0 1464 http->request->error.update(sslServerBump->request->error);
8eb0a7ee 1465 context->pullData();
8eb0a7ee
CT
1466 return true;
1467 }
1468
7a957a93
AR
1469 // In bump-server-first mode, we have not necessarily seen the intended
1470 // server name at certificate-peeking time. Check for domain mismatch now,
1471 // when we can extract the intended name from the bumped HTTP request.
92e3827b 1472 if (const Security::CertPointer &srvCert = sslServerBump->serverCert) {
8eb0a7ee 1473 HttpRequest *request = http->request;
22b2a7a0
TW
1474 const auto host = request->url.parsedHost();
1475 if (host && Ssl::HasSubjectName(*srvCert, *host)) {
1476 debugs(33, 5, "certificate matches requested host: " << *host);
1477 return false;
1478 } else {
7a957a93 1479 debugs(33, 2, "SQUID_X509_V_ERR_DOMAIN_MISMATCH: Certificate " <<
22b2a7a0 1480 "does not match request target " << RawPointer(host));
8eb0a7ee 1481
d4a56c34 1482 bool allowDomainMismatch = false;
638402dd 1483 if (Config.ssl_client.cert_error) {
e227da8d 1484 ACLFilledChecklist check(Config.ssl_client.cert_error, nullptr);
27a1c6de
AR
1485 const auto sslErrors = std::make_unique<Security::CertErrors>(Security::CertError(SQUID_X509_V_ERR_DOMAIN_MISMATCH, srvCert));
1486 check.sslErrors = sslErrors.get();
e227da8d 1487 clientAclChecklistFill(check, http);
06bf5384 1488 allowDomainMismatch = check.fastCheck().allowed();
638402dd 1489 }
8eb0a7ee 1490
7d82c5b8 1491 if (!allowDomainMismatch) {
84c77748
AR
1492 quitAfterError(request);
1493
8eb0a7ee
CT
1494 clientStreamNode *node = context->getClientReplyContext();
1495 clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw());
1496 assert (repContext);
1497
d8165775 1498 request->hier = sslServerBump->request->hier;
7a957a93 1499
8eb0a7ee 1500 // Create an error object and fill it
7e6eabbc 1501 const auto err = new ErrorState(ERR_SECURE_CONNECT_FAIL, Http::scServiceUnavailable, request, http->al);
8eb0a7ee 1502 err->src_addr = clientConnection->remote;
83b053a0 1503 const Security::ErrorDetail::Pointer errDetail = new Security::ErrorDetail(
7a957a93 1504 SQUID_X509_V_ERR_DOMAIN_MISMATCH,
83b053a0
CT
1505 srvCert, nullptr);
1506 updateError(ERR_SECURE_CONNECT_FAIL, errDetail);
8eb0a7ee
CT
1507 repContext->setReplyToError(request->method, err);
1508 assert(context->http->out.offset == 0);
1509 context->pullData();
8eb0a7ee
CT
1510 return true;
1511 }
1512 }
1513 }
1514
1515 return false;
1516}
cb4f4424 1517#endif // USE_OPENSSL
8eb0a7ee 1518
9ce4a1eb
CT
1519/// initiate tunneling if possible or return false otherwise
1520bool
eb026889 1521ConnStateData::tunnelOnError(const err_type requestError)
9ce4a1eb
CT
1522{
1523 if (!Config.accessList.on_unsupported_protocol) {
1524 debugs(33, 5, "disabled; send error: " << requestError);
1525 return false;
3248e962
CT
1526 }
1527
9ce4a1eb
CT
1528 if (!preservingClientData_) {
1529 debugs(33, 3, "may have forgotten client data; send error: " << requestError);
1530 return false;
1531 }
1532
e227da8d 1533 ACLFilledChecklist checklist(Config.accessList.on_unsupported_protocol, nullptr);
9ce4a1eb 1534 checklist.requestErrorType = requestError;
e227da8d 1535 fillChecklist(checklist);
17e41e03 1536 const auto &answer = checklist.fastCheck();
9ce4a1eb
CT
1537 if (answer.allowed() && answer.kind == 1) {
1538 debugs(33, 3, "Request will be tunneled to server");
e227da8d
AR
1539 const auto context = pipeline.front();
1540 const auto http = context ? context->http : nullptr;
1541 const auto request = http ? http->request : nullptr;
9ce4a1eb
CT
1542 if (context)
1543 context->finished(); // Will remove from pipeline queue
aee3523a 1544 Comm::SetSelect(clientConnection->fd, COMM_SELECT_READ, nullptr, nullptr, 0);
eb026889 1545 return initiateTunneledRequest(request, "unknown-protocol", preservedClientData);
9ce4a1eb
CT
1546 }
1547 debugs(33, 3, "denied; send error: " << requestError);
3248e962
CT
1548 return false;
1549}
1550
ec69bdb2 1551void
28fd6d0b
AJ
1552clientProcessRequestFinished(ConnStateData *conn, const HttpRequest::Pointer &request)
1553{
1554 /*
1555 * DPW 2007-05-18
1556 * Moved the TCP_RESET feature from clientReplyContext::sendMoreData
1557 * to here because calling comm_reset_close() causes http to
48a37aee 1558 * be freed before accessing.
28fd6d0b 1559 */
aee3523a 1560 if (request != nullptr && request->flags.resetTcp && Comm::IsConnOpen(conn->clientConnection)) {
bf95c10a 1561 debugs(33, 3, "Sending TCP RST on " << conn->clientConnection);
28fd6d0b
AJ
1562 conn->flags.readMore = false;
1563 comm_reset_close(conn->clientConnection);
1564 }
1565}
1566
9bafa70d 1567void
d3dddfb5 1568clientProcessRequest(ConnStateData *conn, const Http1::RequestParserPointer &hp, Http::Stream *context)
c4b7a5a9 1569{
59a1efb2 1570 ClientHttpRequest *http = context->http;
e18b8316 1571 bool mustReplyToOptions = false;
39cb8c41 1572 bool expectBody = false;
5f8252d2 1573
ec69bdb2
CT
1574 // We already have the request parsed and checked, so we
1575 // only need to go through the final body/conn setup to doCallouts().
1576 assert(http->request);
1577 HttpRequest::Pointer request = http->request;
1578
92ae4c86 1579 // temporary hack to avoid splitting this huge function with sensitive code
f9688132 1580 const bool isFtp = !hp;
9bafa70d 1581
92ae4c86
AR
1582 // Some blobs below are still HTTP-specific, but we would have to rewrite
1583 // this entire function to remove them from the FTP code path. Connection
1584 // setup and body_pipe preparation blobs are needed for FTP.
1585
cd4a5c60 1586 request->manager(conn, http->al);
40d34a62 1587
c4b7a5a9 1588 request->flags.accelerated = http->flags.accel;
450fe1cb 1589 request->flags.sslBumped=conn->switchedToHttps();
7fb65ee4 1590 // TODO: decouple http->flags.accel from request->flags.sslBumped
450fe1cb 1591 request->flags.noDirect = (request->flags.accelerated && !request->flags.sslBumped) ?
e4a14600 1592 !conn->port->allow_direct : 0;
63df1d28
AJ
1593 request->sources |= isFtp ? Http::Message::srcFtp :
1594 ((request->flags.sslBumped || conn->port->transport.protocol == AnyP::PROTO_HTTPS) ? Http::Message::srcHttps : Http::Message::srcHttp);
21512911
CT
1595#if USE_AUTH
1596 if (request->flags.sslBumped) {
aee3523a 1597 if (conn->getAuth() != nullptr)
cc1e110a 1598 request->auth_user_request = conn->getAuth();
21512911
CT
1599 }
1600#endif
2ad20b4f 1601
333c433b 1602 http->checkForInternalAccess();
e72a0ec0 1603
9bafa70d 1604 if (!isFtp) {
63df1d28 1605 // XXX: for non-HTTP messages instantiate a different Http::Message child type
9bafa70d
AJ
1606 // for now Squid only supports HTTP requests
1607 const AnyP::ProtocolVersion &http_ver = hp->messageProtocol();
1608 assert(request->http_ver.protocol == http_ver.protocol);
1609 request->http_ver.major = http_ver.major;
1610 request->http_ver.minor = http_ver.minor;
1611 }
62e76326 1612
f9688132 1613 mustReplyToOptions = (request->method == Http::METHOD_OPTIONS) &&
789217a2 1614 (request->header.getInt64(Http::HdrType::MAX_FORWARDS) == 0);
4bd88eb4 1615 if (!urlCheckRequest(request.getRaw()) || mustReplyToOptions) {
62e76326 1616 clientStreamNode *node = context->getClientReplyContext();
b248c2a3 1617 conn->quitAfterError(request.getRaw());
0655fa4d 1618 clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw());
1619 assert (repContext);
eb026889 1620 repContext->setReplyToError(ERR_UNSUP_REQ, Http::scNotImplemented, nullptr,
7976fed3 1621 conn, request.getRaw(), nullptr, nullptr);
62e76326 1622 assert(context->http->out.offset == 0);
1623 context->pullData();
28fd6d0b
AJ
1624 clientProcessRequestFinished(conn, request);
1625 return;
c4b7a5a9 1626 }
1627
4bd88eb4
AJ
1628 const auto frameStatus = request->checkEntityFraming();
1629 if (frameStatus != Http::scNone) {
62e76326 1630 clientStreamNode *node = context->getClientReplyContext();
0655fa4d 1631 clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw());
1632 assert (repContext);
b248c2a3 1633 conn->quitAfterError(request.getRaw());
eb026889 1634 repContext->setReplyToError(ERR_INVALID_REQ, frameStatus, nullptr, conn, request.getRaw(), nullptr, nullptr);
62e76326 1635 assert(context->http->out.offset == 0);
1636 context->pullData();
28fd6d0b
AJ
1637 clientProcessRequestFinished(conn, request);
1638 return;
c4b7a5a9 1639 }
1640
92ae4c86 1641 clientSetKeepaliveFlag(http);
f35961af 1642 // Let tunneling code be fully responsible for CONNECT requests
c2a7cefd 1643 if (http->request->method == Http::METHOD_CONNECT) {
b66e0e86 1644 context->mayUseConnection(true);
f35961af
AR
1645 conn->flags.readMore = false;
1646 }
fc68f6b1 1647
cb4f4424 1648#if USE_OPENSSL
28fd6d0b 1649 if (conn->switchedToHttps() && conn->serveDelayedError(context)) {
28fd6d0b
AJ
1650 clientProcessRequestFinished(conn, request);
1651 return;
1652 }
061bbdec
CT
1653#endif
1654
b66e0e86 1655 /* Do we expect a request-body? */
4bd88eb4 1656 const auto chunked = request->header.chunked();
39cb8c41
AR
1657 expectBody = chunked || request->content_length > 0;
1658 if (!context->mayUseConnection() && expectBody) {
1659 request->body_pipe = conn->expectRequestBody(
de48b288 1660 chunked ? -1 : request->content_length);
5f8252d2 1661
62e76326 1662 /* Is it too large? */
39cb8c41 1663 if (!chunked && // if chunked, we will check as we accumulate
de48b288 1664 clientIsRequestBodyTooLargeForPolicy(request->content_length)) {
62e76326 1665 clientStreamNode *node = context->getClientReplyContext();
0655fa4d 1666 clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw());
1667 assert (repContext);
b248c2a3 1668 conn->quitAfterError(request.getRaw());
0655fa4d 1669 repContext->setReplyToError(ERR_TOO_BIG,
5a3b42b1 1670 Http::scContentTooLarge, nullptr,
7976fed3 1671 conn, http->request, nullptr, nullptr);
62e76326 1672 assert(context->http->out.offset == 0);
1673 context->pullData();
28fd6d0b
AJ
1674 clientProcessRequestFinished(conn, request);
1675 return;
62e76326 1676 }
1677
92ae4c86 1678 if (!isFtp) {
a5d444a5
DK
1679 // We may stop producing, comm_close, and/or call setReplyToError()
1680 // below, so quit on errors to avoid http->doCallouts()
28fd6d0b
AJ
1681 if (!conn->handleRequestBodyData()) {
1682 clientProcessRequestFinished(conn, request);
1683 return;
1684 }
39cb8c41 1685
a5d444a5 1686 if (!request->body_pipe->productionEnded()) {
e7ce227f 1687 debugs(33, 5, "need more request body");
a5d444a5
DK
1688 context->mayUseConnection(true);
1689 assert(conn->flags.readMore);
1690 }
f35961af 1691 }
c4b7a5a9 1692 }
1693
de31d06f 1694 http->calloutContext = new ClientRequestContext(http);
1695
1696 http->doCallouts();
9e008dda 1697
28fd6d0b 1698 clientProcessRequestFinished(conn, request);
c4b7a5a9 1699}
1700
83b053a0
CT
1701void
1702ConnStateData::add(const Http::StreamPointer &context)
1703{
1704 debugs(33, 3, context << " to " << pipeline.count() << '/' << pipeline.nrequests);
1705 if (bareError) {
1706 debugs(33, 5, "assigning " << bareError);
1707 assert(context);
1708 assert(context->http);
1709 context->http->updateError(bareError);
1710 bareError.clear();
1711 }
1712 pipeline.add(context);
1713}
1714
92ae4c86
AR
1715int
1716ConnStateData::pipelinePrefetchMax() const
1717{
efbea402
CT
1718 // TODO: Support pipelined requests through pinned connections.
1719 if (pinning.pinned)
1720 return 0;
92ae4c86
AR
1721 return Config.pipeline_max_prefetch;
1722}
1723
079a8480
AJ
1724/**
1725 * Limit the number of concurrent requests.
1726 * \return true when there are available position(s) in the pipeline queue for another request.
1727 * \return false when the pipeline queue is full or disabled.
1728 */
1729bool
1730ConnStateData::concurrentRequestQueueFilled() const
c4b7a5a9 1731{
e500cc89 1732 const int existingRequestCount = pipeline.count();
079a8480
AJ
1733
1734 // default to the configured pipeline size.
1735 // add 1 because the head of pipeline is counted in concurrent requests and not prefetch queue
0de57497 1736#if USE_OPENSSL
43b43c46 1737 const int internalRequest = (transparent() && sslBumpMode == Ssl::bumpSplice) ? 1 : 0;
0de57497 1738#else
06211564 1739 const int internalRequest = 0;
0de57497 1740#endif
43b43c46 1741 const int concurrentRequestLimit = pipelinePrefetchMax() + 1 + internalRequest;
62e76326 1742
2f8abb64 1743 // when queue filled already we can't add more.
079a8480
AJ
1744 if (existingRequestCount >= concurrentRequestLimit) {
1745 debugs(33, 3, clientConnection << " max concurrent requests reached (" << concurrentRequestLimit << ")");
1746 debugs(33, 5, clientConnection << " deferring new request until one is done");
1747 return true;
c4b7a5a9 1748 }
62e76326 1749
079a8480 1750 return false;
c4b7a5a9 1751}
1752
00d0ce87 1753/**
d3d92daa 1754 * Perform proxy_protocol_access ACL tests on the client which
3bd97e7e
AJ
1755 * connected to PROXY protocol port to see if we trust the
1756 * sender enough to accept their PROXY header claim.
00d0ce87 1757 */
6658cc16 1758bool
00d0ce87
AJ
1759ConnStateData::proxyProtocolValidateClient()
1760{
d3d92daa
AJ
1761 if (!Config.accessList.proxyProtocol)
1762 return proxyProtocolError("PROXY client not permitted by default ACL");
1763
e227da8d
AR
1764 ACLFilledChecklist ch(Config.accessList.proxyProtocol, nullptr);
1765 fillChecklist(ch);
06bf5384 1766 if (!ch.fastCheck().allowed())
3bd97e7e
AJ
1767 return proxyProtocolError("PROXY client not permitted by ACLs");
1768
6658cc16 1769 return true;
00d0ce87
AJ
1770}
1771
1772/**
1773 * Perform cleanup on PROXY protocol errors.
1774 * If header parsing hits a fatal error terminate the connection,
1775 * otherwise wait for more data.
1776 */
1777bool
3bd97e7e 1778ConnStateData::proxyProtocolError(const char *msg)
00d0ce87 1779{
3c082dbe 1780 if (msg) {
70a16fea
AJ
1781 // This is important to know, but maybe not so much that flooding the log is okay.
1782#if QUIET_PROXY_PROTOCOL
2f8abb64 1783 // display the first of every 32 occurrences at level 1, the others at level 2.
70a16fea
AJ
1784 static uint8_t hide = 0;
1785 debugs(33, (hide++ % 32 == 0 ? DBG_IMPORTANT : 2), msg << " from " << clientConnection);
1786#else
1787 debugs(33, DBG_IMPORTANT, msg << " from " << clientConnection);
1788#endif
3bd97e7e 1789 mustStop(msg);
3c082dbe 1790 }
00d0ce87
AJ
1791 return false;
1792}
1793
36c774f7
EB
1794/// Attempts to extract a PROXY protocol header from the input buffer and,
1795/// upon success, stores the parsed header in proxyProtocolHeader_.
1796/// \returns true if the header was successfully parsed
1797/// \returns false if more data is needed to parse the header or on error
00d0ce87 1798bool
3d74cb1f 1799ConnStateData::parseProxyProtocolHeader()
00d0ce87 1800{
36c774f7
EB
1801 try {
1802 const auto parsed = ProxyProtocol::Parse(inBuf);
1803 proxyProtocolHeader_ = parsed.header;
1804 assert(bool(proxyProtocolHeader_));
1805 inBuf.consume(parsed.size);
1806 needProxyProtocolHeader_ = false;
1807 if (proxyProtocolHeader_->hasForwardedAddresses()) {
1808 clientConnection->local = proxyProtocolHeader_->destinationAddress;
1809 clientConnection->remote = proxyProtocolHeader_->sourceAddress;
1810 if ((clientConnection->flags & COMM_TRANSPARENT))
1811 clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.
1812 debugs(33, 5, "PROXY/" << proxyProtocolHeader_->version() << " upgrade: " << clientConnection);
1813 }
1814 } catch (const Parser::BinaryTokenizer::InsufficientInput &) {
1815 debugs(33, 3, "PROXY protocol: waiting for more than " << inBuf.length() << " bytes");
1816 return false;
1817 } catch (const std::exception &e) {
1818 return proxyProtocolError(e.what());
00d0ce87 1819 }
3bd97e7e 1820 return true;
00d0ce87
AJ
1821}
1822
3248e962
CT
1823void
1824ConnStateData::receivedFirstByte()
1825{
1826 if (receivedFirstByte_)
1827 return;
1828
1829 receivedFirstByte_ = true;
83b053a0 1830 resetReadTimeout(Config.Timeout.request);
3248e962
CT
1831}
1832
5da786ef
AR
1833/// Attempt to parse one or more requests from the input buffer.
1834/// May close the connection.
1835void
1836ConnStateData::parseRequests()
f900210a 1837{
bf95c10a 1838 debugs(33, 5, clientConnection << ": attempting to parse");
f900210a 1839
39cb8c41 1840 // Loop while we have read bytes that are not needed for producing the body
f35961af 1841 // On errors, bodyPipe may become nil, but readMore will be cleared
fcc444e3 1842 while (!inBuf.isEmpty() && !bodyPipe && flags.readMore) {
f900210a 1843
801cfc26
CT
1844 // Prohibit concurrent requests when using a pinned to-server connection
1845 // because our Client classes do not support request pipelining.
1846 if (pinning.pinned && !pinning.readHandler) {
1847 debugs(33, 3, clientConnection << " waits for busy " << pinning.serverConnection);
1848 break;
1849 }
1850
079a8480
AJ
1851 /* Limit the number of concurrent requests */
1852 if (concurrentRequestQueueFilled())
f900210a 1853 break;
f900210a 1854
00d0ce87 1855 // try to parse the PROXY protocol header magic bytes
42cbf844
AJ
1856 if (needProxyProtocolHeader_) {
1857 if (!parseProxyProtocolHeader())
1858 break;
1859
1860 // we have been waiting for PROXY to provide client-IP
e94ff527 1861 // for some lookups, ie rDNS
42cbf844 1862 whenClientIpKnown();
9ce4a1eb
CT
1863
1864 // Done with PROXY protocol which has cleared preservingClientData_.
1865 // If the next protocol supports on_unsupported_protocol, then its
1866 // parseOneRequest() must reset preservingClientData_.
1867 assert(!preservingClientData_);
42cbf844 1868 }
00d0ce87 1869
6b2b6cfe 1870 if (Http::StreamPointer context = parseOneRequest()) {
eacfca83 1871 debugs(33, 5, clientConnection << ": done parsing a request");
83b053a0 1872 extendLifetime();
eacfca83
AR
1873 context->registerWithConn();
1874
9ce4a1eb
CT
1875#if USE_OPENSSL
1876 if (switchedToHttps())
1877 parsedBumpedRequestCount++;
1878#endif
1879
9bafa70d 1880 processParsedRequest(context);
f900210a 1881
f900210a 1882 if (context->mayUseConnection()) {
bf95c10a 1883 debugs(33, 3, "Not parsing new requests, as this request may need the connection");
f900210a 1884 break;
1885 }
eacfca83
AR
1886 } else {
1887 debugs(33, 5, clientConnection << ": not enough request data: " <<
fcc444e3
AJ
1888 inBuf.length() << " < " << Config.maxRequestHeaderSize);
1889 Must(inBuf.length() < Config.maxRequestHeaderSize);
eacfca83 1890 break;
f900210a 1891 }
39cb8c41 1892 }
fc68f6b1 1893
5da786ef
AR
1894 debugs(33, 7, "buffered leftovers: " << inBuf.length());
1895
1896 if (isOpen() && commIsHalfClosed(clientConnection->fd)) {
1897 if (pipeline.empty()) {
1898 // we processed what we could parse, and no more data is coming
1899 debugs(33, 5, "closing half-closed without parsed requests: " << clientConnection);
1900 clientConnection->close();
1901 } else {
1902 // we parsed what we could, and no more data is coming
1903 debugs(33, 5, "monitoring half-closed while processing parsed requests: " << clientConnection);
1904 flags.readMore = false; // may already be false
1905 }
1906 }
f900210a 1907}
1908
1cf238db 1909void
fcc444e3 1910ConnStateData::afterClientRead()
c4b7a5a9 1911{
3cae14a6 1912#if USE_OPENSSL
d20cf186
AR
1913 if (parsingTlsHandshake) {
1914 parseTlsHandshake();
3cae14a6
CT
1915 return;
1916 }
1917#endif
d20cf186 1918
94439e4e 1919 /* Process next request */
e500cc89 1920 if (pipeline.empty())
fcc444e3 1921 fd_note(clientConnection->fd, "Reading next request");
c8be6d7b 1922
5da786ef 1923 parseRequests();
ee6f0213 1924
1cf238db 1925 if (!isOpen())
2e216b1d 1926 return;
1927
f35961af 1928 clientAfterReadingRequests();
94439e4e 1929}
1930
63be0a78 1931/**
1932 * called when new request data has been read from the socket
39cb8c41
AR
1933 *
1934 * \retval false called comm_close or setReplyToError (the caller should bail)
1935 * \retval true we did not call comm_close or setReplyToError
63be0a78 1936 */
39cb8c41 1937bool
7e66d5e2 1938ConnStateData::handleReadData()
94439e4e 1939{
5f8252d2 1940 // if we are reading a body, stuff data into the body pipe
aee3523a 1941 if (bodyPipe != nullptr)
39cb8c41
AR
1942 return handleRequestBodyData();
1943 return true;
94439e4e 1944}
1945
63be0a78 1946/**
fcc444e3 1947 * called when new request body data has been buffered in inBuf
63be0a78 1948 * may close the connection if we were closing and piped everything out
39cb8c41
AR
1949 *
1950 * \retval false called comm_close or setReplyToError (the caller should bail)
1951 * \retval true we did not call comm_close or setReplyToError
63be0a78 1952 */
39cb8c41 1953bool
5f8252d2 1954ConnStateData::handleRequestBodyData()
94439e4e 1955{
aee3523a 1956 assert(bodyPipe != nullptr);
5f8252d2 1957
fcc444e3 1958 if (bodyParser) { // chunked encoding
be29ee33 1959 if (const err_type error = handleChunkedRequestBody()) {
39cb8c41
AR
1960 abortChunkedRequestBody(error);
1961 return false;
3ff65596 1962 }
39cb8c41 1963 } else { // identity encoding
bf95c10a 1964 debugs(33,5, "handling plain request body for " << clientConnection);
46b10098 1965 const auto putSize = bodyPipe->putMoreData(inBuf.rawContent(), inBuf.length());
be29ee33
AJ
1966 if (putSize > 0)
1967 consumeInput(putSize);
1968
3ff65596
AR
1969 if (!bodyPipe->mayNeedMoreData()) {
1970 // BodyPipe will clear us automagically when we produced everything
aee3523a 1971 bodyPipe = nullptr;
3ff65596
AR
1972 }
1973 }
1974
3ff65596 1975 if (!bodyPipe) {
bf95c10a 1976 debugs(33,5, "produced entire request body for " << clientConnection);
62e76326 1977
cf6eb29e 1978 if (const char *reason = stoppedSending()) {
5f8252d2 1979 /* we've finished reading like good clients,
1980 * now do the close that initiateClose initiated.
5f8252d2 1981 */
bf95c10a 1982 debugs(33, 3, "closing for earlier sending error: " << reason);
73c36fd9 1983 clientConnection->close();
39cb8c41
AR
1984 return false;
1985 }
1986 }
1987
1988 return true;
1989}
1990
1991/// parses available chunked encoded body bytes, checks size, returns errors
1992err_type
be29ee33 1993ConnStateData::handleChunkedRequestBody()
39cb8c41 1994{
fcc444e3 1995 debugs(33, 7, "chunked from " << clientConnection << ": " << inBuf.length());
39cb8c41
AR
1996
1997 try { // the parser will throw on errors
1998
fcc444e3 1999 if (inBuf.isEmpty()) // nothing to do
39cb8c41
AR
2000 return ERR_NONE;
2001
39cb8c41 2002 BodyPipeCheckout bpc(*bodyPipe);
fcc444e3
AJ
2003 bodyParser->setPayloadBuffer(&bpc.buf);
2004 const bool parsed = bodyParser->parse(inBuf);
2005 inBuf = bodyParser->remaining(); // sync buffers
39cb8c41 2006 bpc.checkIn();
39cb8c41
AR
2007
2008 // dechunk then check: the size limit applies to _dechunked_ content
2009 if (clientIsRequestBodyTooLargeForPolicy(bodyPipe->producedSize()))
2010 return ERR_TOO_BIG;
2011
2012 if (parsed) {
2013 finishDechunkingRequest(true);
2014 Must(!bodyPipe);
2015 return ERR_NONE; // nil bodyPipe implies body end for the caller
5f8252d2 2016 }
39cb8c41
AR
2017
2018 // if chunk parser needs data, then the body pipe must need it too
fcc444e3 2019 Must(!bodyParser->needsMoreData() || bodyPipe->mayNeedMoreData());
39cb8c41
AR
2020
2021 // if parser needs more space and we can consume nothing, we will stall
fcc444e3 2022 Must(!bodyParser->needsMoreSpace() || bodyPipe->buf().hasContent());
39cb8c41 2023 } catch (...) { // TODO: be more specific
bf95c10a 2024 debugs(33, 3, "malformed chunks" << bodyPipe->status());
39cb8c41 2025 return ERR_INVALID_REQ;
94439e4e 2026 }
39cb8c41 2027
bf95c10a 2028 debugs(33, 7, "need more chunked data" << *bodyPipe->status());
39cb8c41
AR
2029 return ERR_NONE;
2030}
2031
2032/// quit on errors related to chunked request body handling
2033void
2034ConnStateData::abortChunkedRequestBody(const err_type error)
2035{
2036 finishDechunkingRequest(false);
2037
2038 // XXX: The code below works if we fail during initial request parsing,
d5430dc8 2039 // but if we fail when the server connection is used already, the server may send
39cb8c41
AR
2040 // us its response too, causing various assertions. How to prevent that?
2041#if WE_KNOW_HOW_TO_SEND_ERRORS
d3dddfb5 2042 Http::StreamPointer context = pipeline.front();
39cb8c41
AR
2043 if (context != NULL && !context->http->out.offset) { // output nothing yet
2044 clientStreamNode *node = context->getClientReplyContext();
2045 clientReplyContext *repContext = dynamic_cast<clientReplyContext*>(node->data.getRaw());
2046 assert(repContext);
955394ce 2047 const Http::StatusCode scode = (error == ERR_TOO_BIG) ?
5a3b42b1 2048 Http::scContentTooLarge : HTTP_BAD_REQUEST;
39cb8c41 2049 repContext->setReplyToError(error, scode,
39cb8c41 2050 repContext->http->uri,
a3c6762c 2051 CachePeer,
39cb8c41 2052 repContext->http->request,
a1b1756c 2053 inBuf, nullptr);
39cb8c41
AR
2054 context->pullData();
2055 } else {
2056 // close or otherwise we may get stuck as nobody will notice the error?
73c36fd9 2057 comm_reset_close(clientConnection);
39cb8c41
AR
2058 }
2059#else
bf95c10a 2060 debugs(33, 3, "aborting chunked request without error " << error);
73c36fd9 2061 comm_reset_close(clientConnection);
39cb8c41 2062#endif
f35961af 2063 flags.readMore = false;
5f8252d2 2064}
55e44db9 2065
5f8252d2 2066void
1cf238db 2067ConnStateData::noteBodyConsumerAborted(BodyPipe::Pointer )
5f8252d2 2068{
cf6eb29e 2069 // request reader may get stuck waiting for space if nobody consumes body
aee3523a 2070 if (bodyPipe != nullptr)
cf6eb29e
CT
2071 bodyPipe->enableAutoConsumption();
2072
92ae4c86 2073 // kids extend
94439e4e 2074}
2075
63be0a78 2076/** general lifetime handler for HTTP requests */
1cf238db 2077void
2078ConnStateData::requestTimeout(const CommTimeoutCbParams &io)
7a2f978b 2079{
d5b97346
AJ
2080 if (!Comm::IsConnOpen(io.conn))
2081 return;
2082
9ce4a1eb 2083 const err_type error = receivedFirstByte_ ? ERR_REQUEST_PARSE_TIMEOUT : ERR_REQUEST_START_TIMEOUT;
83b053a0 2084 updateError(error);
eb026889 2085 if (tunnelOnError(error))
9ce4a1eb
CT
2086 return;
2087
af57a2e3 2088 /*
62e76326 2089 * Just close the connection to not confuse browsers
6177a89f
HN
2090 * using persistent connections. Some browsers open
2091 * a connection and then do not use it until much
62e76326 2092 * later (presumeably because the request triggering
2093 * the open has already been completed on another
2094 * connection)
2095 */
1cf238db 2096 debugs(33, 3, "requestTimeout: FD " << io.fd << ": lifetime is expired.");
8d77a37c 2097 io.conn->close();
7a2f978b 2098}
2099
83b053a0
CT
2100void
2101ConnStateData::lifetimeTimeout(const CommTimeoutCbParams &io)
b5c39993 2102{
83b053a0
CT
2103 debugs(33, DBG_IMPORTANT, "WARNING: Closing client connection due to lifetime timeout" <<
2104 Debug::Extra << "connection: " << io.conn);
2105
2106 LogTagsErrors lte;
2107 lte.timedout = true;
2108 terminateAll(ERR_LIFETIME_EXP, lte);
b5c39993 2109}
2110
94bfd31f 2111ConnStateData::ConnStateData(const MasterXaction::Pointer &xact) :
f53969cc 2112 AsyncJob("ConnStateData"), // kids overwrite
ca0d7ed6 2113 Server(xact)
cb4f4424 2114#if USE_OPENSSL
ca0d7ed6 2115 , tlsParser(Security::HandshakeParser::fromClient)
4579a6d0 2116#endif
c8be6d7b 2117{
94bfd31f 2118 // store the details required for creating more MasterXaction objects as new requests come in
94bfd31f 2119 log_addr = xact->tcpClient->remote;
36c774f7 2120 log_addr.applyClientMask(Config.Addrs.client_netmask);
d442618d
AJ
2121
2122 // register to receive notice of Squid signal events
2123 // which may affect long persisting client connections
b856803f 2124 registerRunner();
92ae4c86
AR
2125}
2126
2127void
2128ConnStateData::start()
2129{
2130 BodyProducer::start();
2131 HttpControlMsgSink::start();
2132
5529ca8a 2133 if (port->disable_pmtu_discovery != DISABLE_PMTU_OFF &&
94bfd31f 2134 (transparent() || port->disable_pmtu_discovery == DISABLE_PMTU_ALWAYS)) {
5529ca8a 2135#if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
2136 int i = IP_PMTUDISC_DONT;
b69e9ffa
AJ
2137 if (setsockopt(clientConnection->fd, SOL_IP, IP_MTU_DISCOVER, &i, sizeof(i)) < 0) {
2138 int xerrno = errno;
2139 debugs(33, 2, "WARNING: Path MTU discovery disabling failed on " << clientConnection << " : " << xstrerr(xerrno));
2140 }
5529ca8a 2141#else
9bb67276 2142 static bool reported = false;
5529ca8a 2143
2144 if (!reported) {
d816f28d 2145 debugs(33, DBG_IMPORTANT, "WARNING: Path MTU discovery disabling is not supported on your platform.");
9bb67276 2146 reported = true;
5529ca8a 2147 }
89aec9b6
AJ
2148#endif
2149 }
5529ca8a 2150
89aec9b6 2151 typedef CommCbMemFunT<ConnStateData, CommCloseCbParams> Dialer;
94bfd31f
AJ
2152 AsyncCall::Pointer call = JobCallback(33, 5, Dialer, this, ConnStateData::connStateClosed);
2153 comm_add_close_handler(clientConnection->fd, call);
5529ca8a 2154
42cbf844
AJ
2155 needProxyProtocolHeader_ = port->flags.proxySurrogate;
2156 if (needProxyProtocolHeader_) {
2157 if (!proxyProtocolValidateClient()) // will close the connection on failure
2158 return;
2159 } else
2160 whenClientIpKnown();
2161
9ce4a1eb
CT
2162 // requires needProxyProtocolHeader_ which is initialized above
2163 preservingClientData_ = shouldPreserveClientData();
42cbf844
AJ
2164}
2165
2166void
2167ConnStateData::whenClientIpKnown()
2168{
a8c7a110
AR
2169 debugs(33, 7, clientConnection->remote);
2170 if (Dns::ResolveClientAddressesAsap)
94bfd31f 2171 fqdncache_gethostbyaddr(clientConnection->remote, FQDN_LOOKUP_IF_MISS);
89aec9b6 2172
94bfd31f 2173 clientdbEstablished(clientConnection->remote, 1);
5529ca8a 2174
9a0a18de 2175#if USE_DELAY_POOLS
aee3523a 2176 fd_table[clientConnection->fd].clientInfo = nullptr;
b4cd430a 2177
e37f1cd4
EB
2178 if (!Config.onoff.client_db)
2179 return; // client delay pools require client_db
b4cd430a 2180
e37f1cd4
EB
2181 const auto &pools = ClientDelayPools::Instance()->pools;
2182 if (pools.size()) {
e94ff527 2183 ACLFilledChecklist ch(nullptr, nullptr);
e227da8d 2184 fillChecklist(ch);
2f8abb64 2185 // TODO: we check early to limit error response bandwidth but we
2efeb0b7 2186 // should recheck when we can honor delay_pool_uses_indirect
95dc7ff4 2187 for (unsigned int pool = 0; pool < pools.size(); ++pool) {
b4cd430a 2188
2efeb0b7 2189 /* pools require explicit 'allow' to assign a client into them */
b27668ec
EB
2190 if (pools[pool]->access) {
2191 ch.changeAcl(pools[pool]->access);
17e41e03 2192 const auto &answer = ch.fastCheck();
06bf5384 2193 if (answer.allowed()) {
2efeb0b7
AJ
2194
2195 /* request client information from db after we did all checks
2196 this will save hash lookup if client failed checks */
92ae4c86 2197 ClientInfo * cli = clientdbGetInfo(clientConnection->remote);
2efeb0b7
AJ
2198 assert(cli);
2199
2200 /* put client info in FDE */
92ae4c86 2201 fd_table[clientConnection->fd].clientInfo = cli;
2efeb0b7
AJ
2202
2203 /* setup write limiter for this request */
2204 const double burst = floor(0.5 +
b27668ec
EB
2205 (pools[pool]->highwatermark * Config.ClientDelay.initial)/100.0);
2206 cli->setWriteLimiter(pools[pool]->rate, burst, pools[pool]->highwatermark);
2efeb0b7
AJ
2207 break;
2208 } else {
bf95c10a 2209 debugs(83, 4, "Delay pool " << pool << " skipped because ACL " << answer);
2efeb0b7 2210 }
b4cd430a
CT
2211 }
2212 }
2213 }
2214#endif
92ae4c86
AR
2215
2216 // kids must extend to actually start doing something (e.g., reading)
7a2f978b 2217}
2218
e227da8d
AR
2219Security::IoResult
2220ConnStateData::acceptTls()
2221{
2222 const auto handshakeResult = Security::Accept(*clientConnection);
2223
2224#if USE_OPENSSL
2225 // log ASAP, even if the handshake has not completed (or failed)
2226 const auto fd = clientConnection->fd;
2227 assert(fd >= 0);
2228 keyLogger.checkpoint(*fd_table[fd].ssl, *this);
2229#else
2230 // TODO: Support fd_table[fd].ssl dereference in other builds.
2231#endif
2232
2233 return handshakeResult;
2234}
2235
e7ce227f 2236/** Handle a new connection on an HTTP socket. */
92ae4c86
AR
2237void
2238httpAccept(const CommAcceptCbParams &params)
6afea0a4 2239{
ad05b958 2240 Assure(params.port);
6afea0a4
AR
2241
2242 // NP: it is possible the port was reconfigured when the call or accept() was queued.
2243
2244 if (params.flag != Comm::OK) {
2245 // Its possible the call was still queued when the client disconnected
ad05b958 2246 debugs(33, 2, params.port->listenConn << ": accept failure: " << xstrerr(params.xerrno));
6afea0a4
AR
2247 return;
2248 }
2249
e7ce227f 2250 debugs(33, 4, params.conn << ": accepted");
92ae4c86 2251 fd_note(params.conn->fd, "client http connect");
ad05b958
EB
2252 const auto xact = MasterXaction::MakePortful(params.port);
2253 xact->tcpClient = params.conn;
6afea0a4 2254
6afea0a4 2255 // Socket is ready, setup the connection manager to start using it
5e77f674 2256 auto *srv = Http::NewServer(xact);
ad05b958 2257 // XXX: do not abandon the MasterXaction object
5e77f674 2258 AsyncJob::Start(srv); // usually async-calls readSomeData()
7a2f978b 2259}
2260
86f77270 2261/// Create TLS connection structure and update fd_table
157c5ace 2262static bool
60fcfadf 2263httpsCreate(const ConnStateData *connState, const Security::ContextPointer &ctx)
ae7ff0b8 2264{
60fcfadf
AJ
2265 const auto conn = connState->clientConnection;
2266 if (Security::CreateServerSession(ctx, conn, connState->port->secure, "client https start")) {
ca2526bd 2267 debugs(33, 5, "will negotiate TLS on " << conn);
157c5ace 2268 return true;
ae7ff0b8 2269 }
2270
51e09c08 2271 debugs(33, DBG_IMPORTANT, "ERROR: could not create TLS server context for " << conn);
b3a8ae1b 2272 conn->close();
157c5ace 2273 return false;
ae7ff0b8 2274}
2275
d620ae0e
CT
2276/** negotiate an SSL connection */
2277static void
2278clientNegotiateSSL(int fd, void *data)
2279{
2280 ConnStateData *conn = (ConnStateData *)data;
51e09c08 2281
e227da8d 2282 const auto handshakeResult = conn->acceptTls();
83b053a0
CT
2283 switch (handshakeResult.category) {
2284 case Security::IoResult::ioSuccess:
2285 break;
2286
2287 case Security::IoResult::ioWantRead:
2288 Comm::SetSelect(conn->clientConnection->fd, COMM_SELECT_READ, clientNegotiateSSL, conn, 0);
2289 return;
2290
2291 case Security::IoResult::ioWantWrite:
2292 Comm::SetSelect(conn->clientConnection->fd, COMM_SELECT_WRITE, clientNegotiateSSL, conn, 0);
2293 return;
2294
2295 case Security::IoResult::ioError:
fff4502b
AR
2296 debugs(83, (handshakeResult.important ? Important(62) : 2), "ERROR: Cannot accept a TLS connection" <<
2297 Debug::Extra << "problem: " << WithExtras(handshakeResult));
83b053a0
CT
2298 // TODO: No ConnStateData::tunnelOnError() on this forward-proxy code
2299 // path because we cannot know the intended connection target?
2300 conn->updateError(ERR_SECURE_ACCEPT_FAIL, handshakeResult.errorDetail);
2301 conn->clientConnection->close();
d620ae0e 2302 return;
1700fab7 2303 }
62e76326 2304
ad23e748 2305 Security::SessionPointer session(fd_table[fd].ssl);
51e09c08
AJ
2306
2307#if USE_OPENSSL
ad23e748
AJ
2308 if (Security::SessionIsResumed(session)) {
2309 debugs(83, 2, "Session " << SSL_get_session(session.get()) <<
2310 " reused on FD " << fd << " (" << fd_table[fd].ipaddr <<
2311 ":" << (int)fd_table[fd].remote_port << ")");
6de9e64b 2312 } else {
014adac1 2313 if (Debug::Enabled(83, 4)) {
6de9e64b 2314 /* Write out the SSL session details.. actually the call below, but
2315 * OpenSSL headers do strange typecasts confusing GCC.. */
016c612a 2316 /* PEM_write_SSL_SESSION(DebugStream(), SSL_get_session(ssl)); */
afdd443f 2317#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x00908000L
ad23e748 2318 PEM_ASN1_write(reinterpret_cast<i2d_of_void *>(i2d_SSL_SESSION),
016c612a 2319 PEM_STRING_SSL_SESSION, DebugStream(),
bba00f17 2320 reinterpret_cast<char *>(SSL_get_session(session.get())),
ad23e748 2321 nullptr, nullptr, 0, nullptr, nullptr);
2930f303 2322
0fd2205b 2323#elif (ALLOW_ALWAYS_SSL_SESSION_DETAIL == 1)
2930f303 2324
0fd2205b 2325 /* When using gcc 3.3.x and OpenSSL 0.9.7x sometimes a compile error can occur here.
2326 * This is caused by an unpredicatble gcc behaviour on a cast of the first argument
2327 * of PEM_ASN1_write(). For this reason this code section is disabled. To enable it,
2328 * define ALLOW_ALWAYS_SSL_SESSION_DETAIL=1.
2329 * Because there are two possible usable cast, if you get an error here, try the other
2330 * commented line. */
2331
ad23e748 2332 PEM_ASN1_write((int(*)())i2d_SSL_SESSION, PEM_STRING_SSL_SESSION,
016c612a 2333 DebugStream(),
bba00f17 2334 reinterpret_cast<char *>(SSL_get_session(session.get())),
ad23e748
AJ
2335 nullptr, nullptr, 0, nullptr, nullptr);
2336 /* PEM_ASN1_write((int(*)(...))i2d_SSL_SESSION, PEM_STRING_SSL_SESSION,
016c612a 2337 DebugStream(),
bba00f17 2338 reinterpret_cast<char *>(SSL_get_session(session.get())),
ad23e748
AJ
2339 nullptr, nullptr, 0, nullptr, nullptr);
2340 */
0e33d58c 2341#else
ad23e748 2342 debugs(83, 4, "With " OPENSSL_VERSION_TEXT ", session details are available only defining ALLOW_ALWAYS_SSL_SESSION_DETAIL=1 in the source.");
0fd2205b 2343
0e33d58c 2344#endif
6de9e64b 2345 /* Note: This does not automatically fflush the log file.. */
2346 }
2347
ad23e748
AJ
2348 debugs(83, 2, "New session " << SSL_get_session(session.get()) <<
2349 " on FD " << fd << " (" << fd_table[fd].ipaddr << ":" <<
2350 fd_table[fd].remote_port << ")");
6de9e64b 2351 }
51e09c08
AJ
2352#else
2353 debugs(83, 2, "TLS session reuse not yet implemented.");
2354#endif
6de9e64b 2355
2bcab852 2356 // Connection established. Retrieve TLS connection parameters for logging.
ad23e748 2357 conn->clientConnection->tlsNegotiations()->retrieveNegotiatedInfo(session);
1f7c9178 2358
51e09c08 2359#if USE_OPENSSL
ad23e748 2360 X509 *client_cert = SSL_get_peer_certificate(session.get());
62e76326 2361
ad23e748
AJ
2362 if (client_cert) {
2363 debugs(83, 3, "FD " << fd << " client certificate: subject: " <<
907831e6 2364 Security::SubjectName(*client_cert));
bf8fe701 2365
ad23e748 2366 debugs(83, 3, "FD " << fd << " client certificate: issuer: " <<
907831e6 2367 Security::IssuerName(*client_cert));
1f7c9178 2368
62e76326 2369 X509_free(client_cert);
1f7c9178 2370 } else {
51e09c08 2371 debugs(83, 5, "FD " << fd << " has no client certificate.");
1f7c9178 2372 }
51e09c08
AJ
2373#else
2374 debugs(83, 2, "Client certificate requesting not yet implemented.");
2375#endif
1f7c9178 2376
83b053a0
CT
2377 // If we are called, then bumped CONNECT has succeeded. Finalize it.
2378 if (auto xact = conn->pipeline.front()) {
2379 if (xact->http && xact->http->request && xact->http->request->method == Http::METHOD_CONNECT)
2380 xact->finished();
2381 // cannot proceed with encryption if requests wait for plain responses
2382 Must(conn->pipeline.empty());
2383 }
2384 /* careful: finished() above frees request, host, etc. */
2385
a46d2c0e 2386 conn->readSomeData();
1f7c9178 2387}
2388
379e8c1c 2389/**
0476ec45
AJ
2390 * If Security::ContextPointer is given, starts reading the TLS handshake.
2391 * Otherwise, calls switchToHttps to generate a dynamic Security::ContextPointer.
379e8c1c
AR
2392 */
2393static void
0476ec45 2394httpsEstablish(ConnStateData *connState, const Security::ContextPointer &ctx)
379e8c1c 2395{
379e8c1c
AR
2396 assert(connState);
2397 const Comm::ConnectionPointer &details = connState->clientConnection;
2398
60fcfadf 2399 if (!ctx || !httpsCreate(connState, ctx))
379e8c1c
AR
2400 return;
2401
83b053a0 2402 connState->resetReadTimeout(Config.Timeout.request);
379e8c1c 2403
36048c42 2404 Comm::SetSelect(details->fd, COMM_SELECT_READ, clientNegotiateSSL, connState, 0);
379e8c1c
AR
2405}
2406
51e09c08 2407#if USE_OPENSSL
379e8c1c 2408/**
87f237a9 2409 * A callback function to use with the ACLFilledChecklist callback.
379e8c1c
AR
2410 */
2411static void
329c128c 2412httpsSslBumpAccessCheckDone(Acl::Answer answer, void *data)
379e8c1c
AR
2413{
2414 ConnStateData *connState = (ConnStateData *) data;
2415
7a957a93 2416 // if the connection is closed or closing, just return.
379e8c1c
AR
2417 if (!connState->isOpen())
2418 return;
2419
06bf5384 2420 if (answer.allowed()) {
bf352fb2 2421 debugs(33, 2, "sslBump action " << Ssl::bumpMode(answer.kind) << "needed for " << connState->clientConnection);
08097970 2422 connState->sslBumpMode = static_cast<Ssl::BumpMode>(answer.kind);
379e8c1c 2423 } else {
bf352fb2
CT
2424 debugs(33, 3, "sslBump not needed for " << connState->clientConnection);
2425 connState->sslBumpMode = Ssl::bumpSplice;
2426 }
2427
2428 if (connState->sslBumpMode == Ssl::bumpTerminate) {
2429 connState->clientConnection->close();
2430 return;
9e104535 2431 }
bf352fb2 2432
efda53c5
CT
2433 if (!connState->fakeAConnectRequest("ssl-bump", connState->inBuf))
2434 connState->clientConnection->close();
a30b692c 2435}
51e09c08 2436#endif
379e8c1c 2437
63be0a78 2438/** handle a new HTTPS connection */
1f7c9178 2439static void
449f0115 2440httpsAccept(const CommAcceptCbParams &params)
1f7c9178 2441{
ad05b958 2442 Assure(params.port);
94bfd31f 2443
c0ff709f 2444 // NP: it is possible the port was reconfigured when the call or accept() was queued.
c4b7a5a9 2445
c8407295 2446 if (params.flag != Comm::OK) {
cbff89ba 2447 // Its possible the call was still queued when the client disconnected
ad05b958 2448 debugs(33, 2, "httpsAccept: " << params.port->listenConn << ": accept failure: " << xstrerr(params.xerrno));
62e76326 2449 return;
c4b7a5a9 2450 }
62e76326 2451
ad05b958
EB
2452 const auto xact = MasterXaction::MakePortful(params.port);
2453 xact->tcpClient = params.conn;
2454
bf95c10a 2455 debugs(33, 4, params.conn << " accepted, starting SSL negotiation.");
449f0115 2456 fd_note(params.conn->fd, "client https connect");
62e76326 2457
89aec9b6 2458 // Socket is ready, setup the connection manager to start using it
5e77f674 2459 auto *srv = Https::NewServer(xact);
ad05b958 2460 // XXX: do not abandon the MasterXaction object
5e77f674 2461 AsyncJob::Start(srv); // usually async-calls postHttpsAccept()
92ae4c86 2462}
62e76326 2463
92ae4c86
AR
2464void
2465ConnStateData::postHttpsAccept()
2466{
b3cb9958 2467 if (port->flags.tunnelSslBumping) {
51e09c08 2468#if USE_OPENSSL
e7ce227f 2469 debugs(33, 5, "accept transparent connection: " << clientConnection);
62e76326 2470
379e8c1c 2471 if (!Config.accessList.ssl_bump) {
b3cb9958 2472 httpsSslBumpAccessCheckDone(ACCESS_DENIED, this);
379e8c1c
AR
2473 return;
2474 }
87f237a9 2475
ad05b958 2476 const auto mx = MasterXaction::MakePortful(port);
5ceaee75 2477 mx->tcpClient = clientConnection;
ccfbe8f4 2478 // Create a fake HTTP request and ALE for the ssl_bump ACL check,
38450a50 2479 // using tproxy/intercept provided destination IP and port.
ccfbe8f4
AR
2480 // XXX: Merge with subsequent fakeAConnectRequest(), buildFakeRequest().
2481 // XXX: Do this earlier (e.g., in Http[s]::One::Server constructor).
5ceaee75 2482 HttpRequest *request = new HttpRequest(mx);
379e8c1c 2483 static char ip[MAX_IPSTRLEN];
92ae4c86 2484 assert(clientConnection->flags & (COMM_TRANSPARENT | COMM_INTERCEPTION));
851feda6 2485 request->url.host(clientConnection->local.toStr(ip, sizeof(ip)));
5c51bffb 2486 request->url.port(clientConnection->local.port());
b3cb9958 2487 request->myportname = port->name;
ccfbe8f4
AR
2488 const AccessLogEntry::Pointer connectAle = new AccessLogEntry;
2489 CodeContext::Reset(connectAle);
2490 // TODO: Use these request/ALE when waiting for new bumped transactions.
87f237a9 2491
c56edb4a 2492 auto acl_checklist = ACLFilledChecklist::Make(Config.accessList.ssl_bump, request);
e227da8d 2493 fillChecklist(*acl_checklist);
d4ddb3e6 2494 // Build a local AccessLogEntry to allow requiresAle() acls work
ccfbe8f4 2495 acl_checklist->al = connectAle;
d4ddb3e6
CT
2496 acl_checklist->al->cache.start_time = current_time;
2497 acl_checklist->al->tcpClient = clientConnection;
2498 acl_checklist->al->cache.port = port;
2499 acl_checklist->al->cache.caddr = log_addr;
36c774f7 2500 acl_checklist->al->proxyProtocolHeader = proxyProtocolHeader_;
83b053a0 2501 acl_checklist->al->updateError(bareError);
542e1a7a 2502 HTTPMSGUNLOCK(acl_checklist->al->request);
d4ddb3e6
CT
2503 acl_checklist->al->request = request;
2504 HTTPMSGLOCK(acl_checklist->al->request);
cb365059
EB
2505 Http::StreamPointer context = pipeline.front();
2506 ClientHttpRequest *http = context ? context->http : nullptr;
2507 const char *log_uri = http ? http->log_uri : nullptr;
2508 acl_checklist->syncAle(request, log_uri);
c56edb4a 2509 ACLFilledChecklist::NonBlockingCheck(std::move(acl_checklist), httpsSslBumpAccessCheckDone, this);
51e09c08
AJ
2510#else
2511 fatal("FATAL: SSL-Bump requires --with-openssl");
2512#endif
379e8c1c
AR
2513 return;
2514 } else {
0476ec45 2515 httpsEstablish(this, port->secure.staticContext);
379e8c1c 2516 }
1f7c9178 2517}
2518
51e09c08 2519#if USE_OPENSSL
95d2589c 2520void
24438ec5 2521ConnStateData::sslCrtdHandleReplyWrapper(void *data, const Helper::Reply &reply)
ae7ff0b8 2522{
95d2589c
CT
2523 ConnStateData * state_data = (ConnStateData *)(data);
2524 state_data->sslCrtdHandleReply(reply);
2525}
ae7ff0b8 2526
95d2589c 2527void
24438ec5 2528ConnStateData::sslCrtdHandleReply(const Helper::Reply &reply)
95d2589c 2529{
b418d9c8
CT
2530 if (!isOpen()) {
2531 debugs(33, 3, "Connection gone while waiting for ssl_crtd helper reply; helper reply:" << reply);
2532 return;
2533 }
2534
2428ce02 2535 if (reply.result == Helper::BrokenHelper) {
9ce4a1eb 2536 debugs(33, 5, "Certificate for " << tlsConnectHostOrIp << " cannot be generated. ssl_crtd response: " << reply);
5955f162 2537 } else if (!reply.other().hasContent()) {
bf95c10a 2538 debugs(1, DBG_IMPORTANT, "\"ssl_crtd\" helper returned <NULL> reply.");
95d2589c 2539 } else {
ff2d7d92 2540 Ssl::CrtdMessage reply_message(Ssl::CrtdMessage::REPLY);
0272dd08 2541 if (reply_message.parse(reply.other().content(), reply.other().contentSize()) != Ssl::CrtdMessage::OK) {
9ce4a1eb 2542 debugs(33, 5, "Reply from ssl_crtd for " << tlsConnectHostOrIp << " is incorrect");
95d2589c 2543 } else {
2428ce02 2544 if (reply.result != Helper::Okay) {
9ce4a1eb 2545 debugs(33, 5, "Certificate for " << tlsConnectHostOrIp << " cannot be generated. ssl_crtd response: " << reply_message.getBody());
95d2589c 2546 } else {
2f8abb64 2547 debugs(33, 5, "Certificate for " << tlsConnectHostOrIp << " was successfully received from ssl_crtd");
a9c2dd2f 2548 if (sslServerBump && (sslServerBump->act.step1 == Ssl::bumpPeek || sslServerBump->act.step1 == Ssl::bumpStare)) {
d620ae0e 2549 doPeekAndSpliceStep();
33cc0629 2550 auto ssl = fd_table[clientConnection->fd].ssl.get();
d620ae0e
CT
2551 bool ret = Ssl::configureSSLUsingPkeyAndCertFromMemory(ssl, reply_message.getBody().c_str(), *port);
2552 if (!ret)
e4f14091 2553 debugs(33, 5, "Failed to set certificates to ssl object for PeekAndSplice mode");
d8f0ceab 2554
1c1fae0f 2555 Security::ContextPointer ctx(Security::GetFrom(fd_table[clientConnection->fd].ssl));
b23f5f9c 2556 Ssl::configureUnconfiguredSslContext(ctx, signAlgorithm, *port);
d620ae0e 2557 } else {
cf487124 2558 Security::ContextPointer ctx(Ssl::GenerateSslContextUsingPkeyAndCertFromMemory(reply_message.getBody().c_str(), port->secure, (signAlgorithm == Ssl::algSignTrusted)));
5107d2c4
CT
2559 if (ctx && !sslBumpCertKey.isEmpty())
2560 storeTlsContextToCache(sslBumpCertKey, ctx);
2561 getSslContextDone(ctx);
d620ae0e 2562 }
95d2589c
CT
2563 return;
2564 }
2565 }
2566 }
0476ec45
AJ
2567 Security::ContextPointer nil;
2568 getSslContextDone(nil);
95d2589c 2569}
ae7ff0b8 2570
06997a38 2571void ConnStateData::buildSslCertGenerationParams(Ssl::CertificateProperties &certProperties)
fb2178bb 2572{
9ce4a1eb 2573 certProperties.commonName = sslCommonName_.isEmpty() ? tlsConnectHostOrIp.c_str() : sslCommonName_.c_str();
fb2178bb 2574
5107d2c4
CT
2575 const bool connectedOk = sslServerBump && sslServerBump->connectedOk();
2576 if (connectedOk) {
fd4624d7 2577 if (X509 *mimicCert = sslServerBump->serverCert.get())
59a49556
CT
2578 certProperties.mimicCert.resetAndLock(mimicCert);
2579
e227da8d
AR
2580 ACLFilledChecklist checklist(nullptr, sslServerBump->request.getRaw());
2581 fillChecklist(checklist);
59a49556 2582
aee3523a 2583 for (sslproxy_cert_adapt *ca = Config.ssl_client.cert_adapt; ca != nullptr; ca = ca->next) {
7a957a93 2584 // If the algorithm already set, then ignore it.
a06042fa 2585 if ((ca->alg == Ssl::algSetCommonName && certProperties.setCommonName) ||
87f237a9
A
2586 (ca->alg == Ssl::algSetValidAfter && certProperties.setValidAfter) ||
2587 (ca->alg == Ssl::algSetValidBefore && certProperties.setValidBefore) )
a06042fa
CT
2588 continue;
2589
06bf5384 2590 if (ca->aclList && checklist.fastCheck(ca->aclList).allowed()) {
59a49556
CT
2591 const char *alg = Ssl::CertAdaptAlgorithmStr[ca->alg];
2592 const char *param = ca->param;
87f237a9 2593
7a957a93
AR
2594 // For parameterless CN adaptation, use hostname from the
2595 // CONNECT request.
a06042fa 2596 if (ca->alg == Ssl::algSetCommonName) {
59a49556 2597 if (!param)
9ce4a1eb 2598 param = tlsConnectHostOrIp.c_str();
59a49556
CT
2599 certProperties.commonName = param;
2600 certProperties.setCommonName = true;
87f237a9 2601 } else if (ca->alg == Ssl::algSetValidAfter)
59a49556 2602 certProperties.setValidAfter = true;
87f237a9 2603 else if (ca->alg == Ssl::algSetValidBefore)
59a49556
CT
2604 certProperties.setValidBefore = true;
2605
bf95c10a 2606 debugs(33, 5, "Matches certificate adaptation aglorithm: " <<
8f9720ce 2607 alg << " param: " << (param ? param : "-"));
aebe6888 2608 }
fb2178bb 2609 }
aebe6888 2610
59a49556 2611 certProperties.signAlgorithm = Ssl::algSignEnd;
aee3523a 2612 for (sslproxy_cert_sign *sg = Config.ssl_client.cert_sign; sg != nullptr; sg = sg->next) {
06bf5384 2613 if (sg->aclList && checklist.fastCheck(sg->aclList).allowed()) {
59a49556
CT
2614 certProperties.signAlgorithm = (Ssl::CertSignAlgorithm)sg->alg;
2615 break;
2616 }
aebe6888 2617 }
6b2b6cfe
CT
2618 } else {// did not try to connect (e.g. client-first) or failed to connect
2619 // In case of an error while connecting to the secure server, use a
2620 // trusted certificate, with no mimicked fields and no adaptation
2621 // algorithms. There is nothing we can mimic, so we want to minimize the
2622 // number of warnings the user will have to see to get to the error page.
2623 // We will close the connection, so that the trust is not extended to
2624 // non-Squid content.
59a49556 2625 certProperties.signAlgorithm = Ssl::algSignTrusted;
aebe6888
CT
2626 }
2627
10d914f6 2628 assert(certProperties.signAlgorithm != Ssl::algSignEnd);
aebe6888
CT
2629
2630 if (certProperties.signAlgorithm == Ssl::algSignUntrusted) {
51e09c08
AJ
2631 assert(port->secure.untrustedSigningCa.cert);
2632 certProperties.signWithX509.resetAndLock(port->secure.untrustedSigningCa.cert.get());
2633 certProperties.signWithPkey.resetAndLock(port->secure.untrustedSigningCa.pkey.get());
87f237a9 2634 } else {
51e09c08
AJ
2635 assert(port->secure.signingCa.cert.get());
2636 certProperties.signWithX509.resetAndLock(port->secure.signingCa.cert.get());
aebe6888 2637
51e09c08
AJ
2638 if (port->secure.signingCa.pkey)
2639 certProperties.signWithPkey.resetAndLock(port->secure.signingCa.pkey.get());
aebe6888
CT
2640 }
2641 signAlgorithm = certProperties.signAlgorithm;
3c26b00a
CT
2642
2643 certProperties.signHash = Ssl::DefaultSignHash;
fb2178bb
CT
2644}
2645
5107d2c4
CT
2646Security::ContextPointer
2647ConnStateData::getTlsContextFromCache(const SBuf &cacheKey, const Ssl::CertificateProperties &certProperties)
2648{
2649 debugs(33, 5, "Finding SSL certificate for " << cacheKey << " in cache");
9e779e40 2650 const auto ssl_ctx_cache = Ssl::TheGlobalContextStorage().getLocalStorage(port->s);
72247610 2651 if (const auto ctx = ssl_ctx_cache ? ssl_ctx_cache->get(cacheKey) : nullptr) {
5107d2c4
CT
2652 if (Ssl::verifySslCertificate(*ctx, certProperties)) {
2653 debugs(33, 5, "Cached SSL certificate for " << certProperties.commonName << " is valid");
2654 return *ctx;
2655 } else {
2656 debugs(33, 5, "Cached SSL certificate for " << certProperties.commonName << " is out of date. Delete this certificate from cache");
2657 if (ssl_ctx_cache)
2658 ssl_ctx_cache->del(cacheKey);
2659 }
2660 }
2661 return Security::ContextPointer(nullptr);
2662}
2663
2664void
2665ConnStateData::storeTlsContextToCache(const SBuf &cacheKey, Security::ContextPointer &ctx)
2666{
9e779e40 2667 const auto ssl_ctx_cache = Ssl::TheGlobalContextStorage().getLocalStorage(port->s);
72247610 2668 if (!ssl_ctx_cache || !ssl_ctx_cache->add(cacheKey, ctx)) {
5107d2c4
CT
2669 // If it is not in storage delete after using. Else storage deleted it.
2670 fd_table[clientConnection->fd].dynamicTlsContext = ctx;
2671 }
2672}
2673
1ce2822d 2674void
95d2589c
CT
2675ConnStateData::getSslContextStart()
2676{
cf487124 2677 if (port->secure.generateHostCertificates) {
aebe6888 2678 Ssl::CertificateProperties certProperties;
06997a38 2679 buildSslCertGenerationParams(certProperties);
fb2178bb 2680
d620ae0e 2681 // Disable caching for bumpPeekAndSplice mode
a9c2dd2f 2682 if (!(sslServerBump && (sslServerBump->act.step1 == Ssl::bumpPeek || sslServerBump->act.step1 == Ssl::bumpStare))) {
5107d2c4
CT
2683 sslBumpCertKey.clear();
2684 Ssl::InRamCertificateDbKey(certProperties, sslBumpCertKey);
2685 assert(!sslBumpCertKey.isEmpty());
2686
2687 Security::ContextPointer ctx(getTlsContextFromCache(sslBumpCertKey, certProperties));
2688 if (ctx) {
2689 getSslContextDone(ctx);
2690 return;
95d2589c 2691 }
95d2589c
CT
2692 }
2693
b5faa519 2694#if USE_SSL_CRTD
00fc192d 2695 try {
bf95c10a 2696 debugs(33, 5, "Generating SSL certificate for " << certProperties.commonName << " using ssl_crtd.");
ff2d7d92 2697 Ssl::CrtdMessage request_message(Ssl::CrtdMessage::REQUEST);
87f237a9
A
2698 request_message.setCode(Ssl::CrtdMessage::code_new_certificate);
2699 request_message.composeRequest(certProperties);
bf95c10a 2700 debugs(33, 5, "SSL crtd request: " << request_message.compose().c_str());
23da195f 2701 Ssl::Helper::Submit(request_message, sslCrtdHandleReplyWrapper, this);
87f237a9
A
2702 return;
2703 } catch (const std::exception &e) {
00fc192d
AR
2704 debugs(33, DBG_IMPORTANT, "ERROR: Failed to compose ssl_crtd " <<
2705 "request for " << certProperties.commonName <<
2706 " certificate: " << e.what() << "; will now block to " <<
2707 "generate that certificate.");
2708 // fall through to do blocking in-process generation.
2709 }
2710#endif // USE_SSL_CRTD
2711
bf95c10a 2712 debugs(33, 5, "Generating SSL certificate for " << certProperties.commonName);
a9c2dd2f 2713 if (sslServerBump && (sslServerBump->act.step1 == Ssl::bumpPeek || sslServerBump->act.step1 == Ssl::bumpStare)) {
d620ae0e 2714 doPeekAndSpliceStep();
33cc0629 2715 auto ssl = fd_table[clientConnection->fd].ssl.get();
d620ae0e 2716 if (!Ssl::configureSSL(ssl, certProperties, *port))
e4f14091 2717 debugs(33, 5, "Failed to set certificates to ssl object for PeekAndSplice mode");
d8f0ceab 2718
1c1fae0f 2719 Security::ContextPointer ctx(Security::GetFrom(fd_table[clientConnection->fd].ssl));
b23f5f9c 2720 Ssl::configureUnconfiguredSslContext(ctx, certProperties.signAlgorithm, *port);
d620ae0e 2721 } else {
cf487124 2722 Security::ContextPointer dynCtx(Ssl::GenerateSslContext(certProperties, port->secure, (signAlgorithm == Ssl::algSignTrusted)));
5107d2c4
CT
2723 if (dynCtx && !sslBumpCertKey.isEmpty())
2724 storeTlsContextToCache(sslBumpCertKey, dynCtx);
2725 getSslContextDone(dynCtx);
d620ae0e 2726 }
1ce2822d 2727 return;
95d2589c 2728 }
0476ec45
AJ
2729
2730 Security::ContextPointer nil;
2731 getSslContextDone(nil);
95d2589c
CT
2732}
2733
1ce2822d 2734void
5107d2c4 2735ConnStateData::getSslContextDone(Security::ContextPointer &ctx)
95d2589c 2736{
cf487124 2737 if (port->secure.generateHostCertificates && !ctx) {
9ce4a1eb 2738 debugs(33, 2, "Failed to generate TLS context for " << tlsConnectHostOrIp);
95d2589c
CT
2739 }
2740
a1b1756c 2741 // If generated ssl context = nullptr, try to use static ssl context.
0476ec45 2742 if (!ctx) {
80b5995a
AJ
2743 if (!port->secure.staticContext) {
2744 debugs(83, DBG_IMPORTANT, "Closing " << clientConnection->remote << " as lacking TLS context");
73c36fd9 2745 clientConnection->close();
1ce2822d 2746 return;
95d2589c 2747 } else {
80b5995a 2748 debugs(33, 5, "Using static TLS context.");
0476ec45 2749 ctx = port->secure.staticContext;
95d2589c
CT
2750 }
2751 }
ae7ff0b8 2752
60fcfadf 2753 if (!httpsCreate(this, ctx))
1ce2822d 2754 return;
ae7ff0b8 2755
4e67d484
CT
2756 // bumped intercepted conns should already have Config.Timeout.request set
2757 // but forwarded connections may only have Config.Timeout.lifetime. [Re]set
2758 // to make sure the connection does not get stuck on non-SSL clients.
83b053a0 2759 resetReadTimeout(Config.Timeout.request);
ae7ff0b8 2760
ae7ff0b8 2761 switchedToHttps_ = true;
36698640
CT
2762
2763 auto ssl = fd_table[clientConnection->fd].ssl.get();
2764 BIO *b = SSL_get_rbio(ssl);
2a268a06 2765 Ssl::ClientBio *bio = static_cast<Ssl::ClientBio *>(BIO_get_data(b));
36698640
CT
2766 bio->setReadBufData(inBuf);
2767 inBuf.clear();
2768 clientNegotiateSSL(clientConnection->fd, this);
ae7ff0b8 2769}
2770
1ce2822d 2771void
f5e17947 2772ConnStateData::switchToHttps(ClientHttpRequest *http, Ssl::BumpMode bumpServerMode)
95d2589c
CT
2773{
2774 assert(!switchedToHttps_);
f5e17947
CT
2775 Must(http->request);
2776 auto &request = http->request;
95d2589c 2777
9ce4a1eb
CT
2778 // Depending on receivedFirstByte_, we are at the start of either an
2779 // established CONNECT tunnel with the client or an intercepted TCP (and
2780 // presumably TLS) connection from the client. Expect TLS Client Hello.
2781 const auto insideConnectTunnel = receivedFirstByte_;
2782 debugs(33, 5, (insideConnectTunnel ? "post-CONNECT " : "raw TLS ") << clientConnection);
2783
2784 tlsConnectHostOrIp = request->url.hostOrIp();
0a57a661 2785 tlsConnectPort = request->url.port();
5c51bffb 2786 resetSslCommonName(request->url.host());
95d2589c 2787
83d4cd15
CT
2788 // We are going to read new request
2789 flags.readMore = true;
95d2589c 2790
4599cded
AJ
2791 // keep version major.minor details the same.
2792 // but we are now performing the HTTPS handshake traffic
2793 transferProtocol.protocol = AnyP::PROTO_HTTPS;
2794
2bd84e5f
CT
2795 // If sslServerBump is set, then we have decided to deny CONNECT
2796 // and now want to switch to SSL to send the error to the client
2797 // without even peeking at the origin server certificate.
caf3666d 2798 if (bumpServerMode == Ssl::bumpServerFirst && !sslServerBump) {
e857372a 2799 request->flags.sslPeek = true;
f5e17947 2800 sslServerBump = new Ssl::ServerBump(http);
e1f72a8b 2801 } else if (bumpServerMode == Ssl::bumpPeek || bumpServerMode == Ssl::bumpStare) {
d620ae0e 2802 request->flags.sslPeek = true;
f5e17947 2803 sslServerBump = new Ssl::ServerBump(http, nullptr, bumpServerMode);
36698640 2804 }
3cae14a6 2805
36698640
CT
2806 // commSetConnTimeout() was called for this request before we switched.
2807 // Fix timeout to request_start_timeout
83b053a0 2808 resetReadTimeout(Config.Timeout.request_start_timeout);
36698640
CT
2809 // Also reset receivedFirstByte_ flag to allow this timeout work in the case we have
2810 // a bumbed "connect" request on non transparent port.
2811 receivedFirstByte_ = false;
2812 // Get more data to peek at Tls
d20cf186 2813 parsingTlsHandshake = true;
9ce4a1eb
CT
2814
2815 // If the protocol has changed, then reset preservingClientData_.
2816 // Otherwise, its value initially set in start() is still valid/fresh.
2817 // shouldPreserveClientData() uses parsingTlsHandshake which is reset above.
2818 if (insideConnectTunnel)
2819 preservingClientData_ = shouldPreserveClientData();
2820
36698640
CT
2821 readSomeData();
2822}
2823
2824void
d20cf186 2825ConnStateData::parseTlsHandshake()
36698640 2826{
d20cf186
AR
2827 Must(parsingTlsHandshake);
2828
2829 assert(!inBuf.isEmpty());
36698640 2830 receivedFirstByte();
d20cf186
AR
2831 fd_note(clientConnection->fd, "Parsing TLS handshake");
2832
83b053a0
CT
2833 // stops being nil if we fail to parse the handshake
2834 ErrorDetail::Pointer parseErrorDetails;
2835
d20cf186
AR
2836 try {
2837 if (!tlsParser.parseHello(inBuf)) {
2838 // need more data to finish parsing
2839 readSomeData();
2840 return;
2841 }
2842 }
83b053a0
CT
2843 catch (const TextException &ex) {
2844 debugs(83, 2, "exception: " << ex);
2845 parseErrorDetails = new ExceptionErrorDetail(ex.id());
2846 }
2847 catch (...) {
2848 debugs(83, 2, "exception: " << CurrentException);
2849 static const auto d = MakeNamedErrorDetail("TLS_ACCEPT_PARSE");
2850 parseErrorDetails = d;
d20cf186 2851 }
36698640 2852
d20cf186 2853 parsingTlsHandshake = false;
36698640 2854
75f6c253
CT
2855 // client data may be needed for splicing and for
2856 // tunneling unsupportedProtocol after an error
2857 preservedClientData = inBuf;
6b2b6cfe 2858
d20cf186
AR
2859 // Even if the parser failed, each TLS detail should either be set
2860 // correctly or still be "unknown"; copying unknown detail is a no-op.
8d9e6d7f
CT
2861 Security::TlsDetails::Pointer const &details = tlsParser.details;
2862 clientConnection->tlsNegotiations()->retrieveParsedInfo(details);
2863 if (details && !details->serverName.isEmpty()) {
2864 resetSslCommonName(details->serverName.c_str());
4f6990ec 2865 tlsClientSni_ = details->serverName;
8d9e6d7f 2866 }
36698640
CT
2867
2868 // We should disable read/write handlers
508e3438 2869 Comm::ResetSelect(clientConnection->fd);
36698640 2870
83b053a0 2871 if (parseErrorDetails) {
6b2b6cfe
CT
2872 Http::StreamPointer context = pipeline.front();
2873 Must(context && context->http);
2874 HttpRequest::Pointer request = context->http->request;
2875 debugs(83, 5, "Got something other than TLS Client Hello. Cannot SslBump.");
83b053a0 2876 updateError(ERR_PROTOCOL_UNKNOWN, parseErrorDetails);
eb026889 2877 if (!tunnelOnError(ERR_PROTOCOL_UNKNOWN))
6b2b6cfe
CT
2878 clientConnection->close();
2879 return;
2880 }
2881
2882 if (!sslServerBump || sslServerBump->act.step1 == Ssl::bumpClientFirst) { // Either means client-first.
36698640 2883 getSslContextStart();
e1f72a8b 2884 return;
36698640 2885 } else if (sslServerBump->act.step1 == Ssl::bumpServerFirst) {
4647c8bd
CT
2886 debugs(83, 5, "server-first skips step2; start forwarding the request");
2887 sslServerBump->step = XactionStep::tlsBump3;
f5e17947
CT
2888 Http::StreamPointer context = pipeline.front();
2889 ClientHttpRequest *http = context ? context->http : nullptr;
36698640 2890 // will call httpsPeeked() with certificate and connection, eventually
f5e17947 2891 FwdState::Start(clientConnection, sslServerBump->entry, sslServerBump->request.getRaw(), http ? http->al : nullptr);
36698640
CT
2892 } else {
2893 Must(sslServerBump->act.step1 == Ssl::bumpPeek || sslServerBump->act.step1 == Ssl::bumpStare);
6b2b6cfe 2894 startPeekAndSplice();
3248e962 2895 }
d620ae0e
CT
2896}
2897
8b082ed9
FC
2898static void
2899httpsSslBumpStep2AccessCheckDone(Acl::Answer answer, void *data)
5d65362c
CT
2900{
2901 ConnStateData *connState = (ConnStateData *) data;
2902
2903 // if the connection is closed or closing, just return.
2904 if (!connState->isOpen())
2905 return;
2906
e4f14091 2907 debugs(33, 5, "Answer: " << answer << " kind:" << answer.kind);
a9c2dd2f
CT
2908 assert(connState->serverBump());
2909 Ssl::BumpMode bumpAction;
06bf5384 2910 if (answer.allowed()) {
640fe8fb 2911 bumpAction = (Ssl::BumpMode)answer.kind;
a9c2dd2f
CT
2912 } else
2913 bumpAction = Ssl::bumpSplice;
2914
2915 connState->serverBump()->act.step2 = bumpAction;
2916 connState->sslBumpMode = bumpAction;
bf352fb2
CT
2917 Http::StreamPointer context = connState->pipeline.front();
2918 if (ClientHttpRequest *http = (context ? context->http : nullptr))
2919 http->al->ssl.bumpMode = bumpAction;
a9c2dd2f
CT
2920
2921 if (bumpAction == Ssl::bumpTerminate) {
b54a7c5a 2922 connState->clientConnection->close();
a9c2dd2f 2923 } else if (bumpAction != Ssl::bumpSplice) {
6b2b6cfe 2924 connState->startPeekAndSplice();
efda53c5
CT
2925 } else if (!connState->splice())
2926 connState->clientConnection->close();
3248e962 2927}
5d65362c 2928
efda53c5 2929bool
3248e962
CT
2930ConnStateData::splice()
2931{
33cc0629 2932 // normally we can splice here, because we just got client hello message
2bcab852 2933
ed4c6863
EB
2934 // fde::ssl/tls_read_method() probably reads from our own inBuf. If so, then
2935 // we should not lose any raw bytes when switching to raw I/O here.
2936 if (fd_table[clientConnection->fd].ssl.get())
2937 fd_table[clientConnection->fd].useDefaultIo();
3248e962 2938
6b2b6cfe
CT
2939 // XXX: assuming that there was an HTTP/1.1 CONNECT to begin with...
2940 // reset the current protocol to HTTP/1.1 (was "HTTPS" for the bumping process)
2941 transferProtocol = Http::ProtocolVersion();
2942 assert(!pipeline.empty());
2943 Http::StreamPointer context = pipeline.front();
75f6c253
CT
2944 Must(context);
2945 Must(context->http);
6b2b6cfe 2946 ClientHttpRequest *http = context->http;
75f6c253
CT
2947 HttpRequest::Pointer request = http->request;
2948 context->finished();
2949 if (transparent()) {
2950 // For transparent connections, make a new fake CONNECT request, now
2951 // with SNI as target. doCallout() checks, adaptations may need that.
2952 return fakeAConnectRequest("splice", preservedClientData);
2953 } else {
2954 // For non transparent connections make a new tunneled CONNECT, which
2955 // also sets the HttpRequest::flags::forceTunnel flag to avoid
2956 // respond with "Connection Established" to the client.
2957 // This fake CONNECT request required to allow use of SNI in
2958 // doCallout() checks and adaptations.
eb026889 2959 return initiateTunneledRequest(request, "splice", preservedClientData);
75f6c253 2960 }
5d65362c
CT
2961}
2962
d620ae0e 2963void
6b2b6cfe 2964ConnStateData::startPeekAndSplice()
d620ae0e 2965{
5d65362c
CT
2966 // This is the Step2 of the SSL bumping
2967 assert(sslServerBump);
d4ddb3e6 2968 Http::StreamPointer context = pipeline.front();
2f0d171f 2969 ClientHttpRequest *http = context ? context->http : nullptr;
d4ddb3e6 2970
090f1d3c
CT
2971 if (sslServerBump->at(XactionStep::tlsBump1)) {
2972 sslServerBump->step = XactionStep::tlsBump2;
5d65362c
CT
2973 // Run a accessList check to check if want to splice or continue bumping
2974
c56edb4a 2975 auto acl_checklist = ACLFilledChecklist::Make(Config.accessList.ssl_bump, sslServerBump->request.getRaw());
329c128c 2976 acl_checklist->banAction(Acl::Answer(ACCESS_ALLOWED, Ssl::bumpNone));
2977 acl_checklist->banAction(Acl::Answer(ACCESS_ALLOWED, Ssl::bumpClientFirst));
2978 acl_checklist->banAction(Acl::Answer(ACCESS_ALLOWED, Ssl::bumpServerFirst));
e227da8d 2979 fillChecklist(*acl_checklist);
c56edb4a 2980 ACLFilledChecklist::NonBlockingCheck(std::move(acl_checklist), httpsSslBumpStep2AccessCheckDone, this);
5d65362c
CT
2981 return;
2982 }
2983
3cae14a6 2984 // will call httpsPeeked() with certificate and connection, eventually
51e09c08 2985 Security::ContextPointer unConfiguredCTX(Ssl::createSSLContext(port->secure.signingCa.cert, port->secure.signingCa.pkey, port->secure));
0476ec45 2986 fd_table[clientConnection->fd].dynamicTlsContext = unConfiguredCTX;
3cae14a6 2987
60fcfadf 2988 if (!httpsCreate(this, unConfiguredCTX))
3cae14a6
CT
2989 return;
2990
2991 switchedToHttps_ = true;
2992
2993 auto ssl = fd_table[clientConnection->fd].ssl.get();
2994 BIO *b = SSL_get_rbio(ssl);
2a268a06 2995 Ssl::ClientBio *bio = static_cast<Ssl::ClientBio *>(BIO_get_data(b));
3cae14a6 2996 bio->setReadBufData(inBuf);
3cae14a6
CT
2997 bio->hold(true);
2998
83b053a0
CT
2999 // We have successfully parsed client Hello, but our TLS handshake parser is
3000 // forgiving. Now we use a TLS library to parse the same bytes, so that we
3001 // can honor on_unsupported_protocol if needed. If there are no errors, we
3002 // expect Security::Accept() to ask us to write (our) TLS server Hello. We
3003 // also allow an ioWantRead result in case some fancy TLS extension that
3004 // Squid does not yet understand requires reading post-Hello client bytes.
e227da8d 3005 const auto handshakeResult = acceptTls();
83b053a0
CT
3006 if (!handshakeResult.wantsIo())
3007 return handleSslBumpHandshakeError(handshakeResult);
3cae14a6 3008
56dacaca
CT
3009 // We need to reset inBuf here, to be used by incoming requests in the case
3010 // of SSL bump
8abcff99 3011 inBuf.clear();
3cae14a6
CT
3012
3013 debugs(83, 5, "Peek and splice at step2 done. Start forwarding the request!!! ");
4647c8bd 3014 sslServerBump->step = XactionStep::tlsBump3;
aee3523a 3015 FwdState::Start(clientConnection, sslServerBump->entry, sslServerBump->request.getRaw(), http ? http->al : nullptr);
d620ae0e
CT
3016}
3017
83b053a0
CT
3018/// process a problematic Security::Accept() result on the SslBump code path
3019void
3020ConnStateData::handleSslBumpHandshakeError(const Security::IoResult &handshakeResult)
3021{
3022 auto errCategory = ERR_NONE;
3023
3024 switch (handshakeResult.category) {
3025 case Security::IoResult::ioSuccess: {
3026 static const auto d = MakeNamedErrorDetail("TLS_ACCEPT_UNEXPECTED_SUCCESS");
3027 updateError(errCategory = ERR_GATEWAY_FAILURE, d);
3028 break;
3029 }
3030
3031 case Security::IoResult::ioWantRead: {
3032 static const auto d = MakeNamedErrorDetail("TLS_ACCEPT_UNEXPECTED_READ");
3033 updateError(errCategory = ERR_GATEWAY_FAILURE, d);
3034 break;
3035 }
3036
3037 case Security::IoResult::ioWantWrite: {
3038 static const auto d = MakeNamedErrorDetail("TLS_ACCEPT_UNEXPECTED_WRITE");
3039 updateError(errCategory = ERR_GATEWAY_FAILURE, d);
3040 break;
3041 }
3042
3043 case Security::IoResult::ioError:
fff4502b
AR
3044 debugs(83, (handshakeResult.important ? DBG_IMPORTANT : 2), "ERROR: Cannot SslBump-accept a TLS connection" <<
3045 Debug::Extra << "problem: " << WithExtras(handshakeResult));
83b053a0
CT
3046 updateError(errCategory = ERR_SECURE_ACCEPT_FAIL, handshakeResult.errorDetail);
3047 break;
3048
3049 }
3050
eb026889 3051 if (!tunnelOnError(errCategory))
83b053a0
CT
3052 clientConnection->close();
3053}
3054
d620ae0e
CT
3055void
3056ConnStateData::doPeekAndSpliceStep()
3057{
33cc0629 3058 auto ssl = fd_table[clientConnection->fd].ssl.get();
d620ae0e
CT
3059 BIO *b = SSL_get_rbio(ssl);
3060 assert(b);
2a268a06 3061 Ssl::ClientBio *bio = static_cast<Ssl::ClientBio *>(BIO_get_data(b));
d620ae0e 3062
2f8abb64 3063 debugs(33, 5, "PeekAndSplice mode, proceed with client negotiation. Current state:" << SSL_state_string_long(ssl));
d620ae0e
CT
3064 bio->hold(false);
3065
3066 Comm::SetSelect(clientConnection->fd, COMM_SELECT_WRITE, clientNegotiateSSL, this, 0);
3067 switchedToHttps_ = true;
3068}
3069
d7ce0bcd 3070void
801cfc26 3071ConnStateData::httpsPeeked(PinnedIdleContext pic)
d7ce0bcd 3072{
aee3523a 3073 Must(sslServerBump != nullptr);
801cfc26
CT
3074 Must(sslServerBump->request == pic.request);
3075 Must(pipeline.empty() || pipeline.front()->http == nullptr || pipeline.front()->http->request == pic.request.getRaw());
819c207f 3076
801cfc26
CT
3077 if (Comm::IsConnOpen(pic.connection)) {
3078 notePinnedConnectionBecameIdle(pic);
9ce4a1eb 3079 debugs(33, 5, "bumped HTTPS server: " << tlsConnectHostOrIp);
801cfc26 3080 } else
9ce4a1eb 3081 debugs(33, 5, "Error while bumping: " << tlsConnectHostOrIp);
129fe2a1 3082
1ce2822d 3083 getSslContextStart();
95d2589c
CT
3084}
3085
cb4f4424 3086#endif /* USE_OPENSSL */
1f7c9178 3087
efda53c5 3088bool
eb026889 3089ConnStateData::initiateTunneledRequest(HttpRequest::Pointer const &cause, const char *reason, const SBuf &payload)
0bd3c2a3
AJ
3090{
3091 // fake a CONNECT request to force connState to tunnel
e88bdb0e 3092 SBuf connectHost;
380b09ae 3093 AnyP::Port connectPort;
6b2b6cfe
CT
3094
3095 if (pinning.serverConnection != nullptr) {
3096 static char ip[MAX_IPSTRLEN];
9ce4a1eb 3097 connectHost = pinning.serverConnection->remote.toStr(ip, sizeof(ip));
380b09ae
AR
3098 if (const auto remotePort = pinning.serverConnection->remote.port())
3099 connectPort = remotePort;
9ce4a1eb
CT
3100 } else if (cause) {
3101 connectHost = cause->url.hostOrIp();
6b2b6cfe 3102 connectPort = cause->url.port();
9ce4a1eb
CT
3103#if USE_OPENSSL
3104 } else if (!tlsConnectHostOrIp.isEmpty()) {
3105 connectHost = tlsConnectHostOrIp;
3106 connectPort = tlsConnectPort;
3107#endif
3108 } else if (transparent()) {
3109 static char ip[MAX_IPSTRLEN];
3110 connectHost = clientConnection->local.toStr(ip, sizeof(ip));
3111 connectPort = clientConnection->local.port();
380b09ae
AR
3112 }
3113
3114 if (!connectPort) {
83b053a0
CT
3115 // Typical cases are malformed HTTP requests on http_port and malformed
3116 // TLS handshakes on non-bumping https_port. TODO: Discover these
3117 // problems earlier so that they can be classified/detailed better.
6b2b6cfe 3118 debugs(33, 2, "Not able to compute URL, abort request tunneling for " << reason);
c56edb4a 3119 // TODO: throw when NonBlockingCheck() callbacks gain job protections
83b053a0
CT
3120 static const auto d = MakeNamedErrorDetail("TUNNEL_TARGET");
3121 updateError(ERR_INVALID_REQ, d);
6b2b6cfe
CT
3122 return false;
3123 }
3124
3125 debugs(33, 2, "Request tunneling for " << reason);
380b09ae 3126 const auto http = buildFakeRequest(connectHost, *connectPort, payload);
6b2b6cfe
CT
3127 HttpRequest::Pointer request = http->request;
3128 request->flags.forceTunnel = true;
3129 http->calloutContext = new ClientRequestContext(http);
3130 http->doCallouts();
3131 clientProcessRequestFinished(this, request);
3132 return true;
3133}
3134
3135bool
3136ConnStateData::fakeAConnectRequest(const char *reason, const SBuf &payload)
3137{
3138 debugs(33, 2, "fake a CONNECT request to force connState to tunnel for " << reason);
3139
3140 SBuf connectHost;
3141 assert(transparent());
3142 const unsigned short connectPort = clientConnection->local.port();
3143
65e0c910 3144#if USE_OPENSSL
4f6990ec
CT
3145 if (!tlsClientSni_.isEmpty())
3146 connectHost.assign(tlsClientSni_);
6b2b6cfe 3147 else
65e0c910
CT
3148#endif
3149 {
e88bdb0e 3150 static char ip[MAX_IPSTRLEN];
e9b219a0
TA
3151 clientConnection->local.toHostStr(ip, sizeof(ip));
3152 connectHost.assign(ip);
0bd3c2a3 3153 }
6b2b6cfe 3154
eb026889 3155 ClientHttpRequest *http = buildFakeRequest(connectHost, connectPort, payload);
6b2b6cfe
CT
3156
3157 http->calloutContext = new ClientRequestContext(http);
3158 HttpRequest::Pointer request = http->request;
3159 http->doCallouts();
3160 clientProcessRequestFinished(this, request);
efda53c5 3161 return true;
0bd3c2a3
AJ
3162}
3163
6b2b6cfe 3164ClientHttpRequest *
380b09ae 3165ConnStateData::buildFakeRequest(SBuf &useHost, const AnyP::KnownPort usePort, const SBuf &payload)
6b2b6cfe
CT
3166{
3167 ClientHttpRequest *http = new ClientHttpRequest(this);
3168 Http::Stream *stream = new Http::Stream(clientConnection, http);
3169
3170 StoreIOBuffer tempBuffer;
3171 tempBuffer.data = stream->reqbuf;
3172 tempBuffer.length = HTTP_REQBUF_SZ;
3173
3174 ClientStreamData newServer = new clientReplyContext(http);
3175 ClientStreamData newClient = stream;
3176 clientStreamInit(&http->client_stream, clientGetMoreData, clientReplyDetach,
3177 clientReplyStatus, newServer, clientSocketRecipient,
3178 clientSocketDetach, newClient, tempBuffer);
3179
6b2b6cfe
CT
3180 stream->flags.parsed_ok = 1; // Do we need it?
3181 stream->mayUseConnection(true);
83b053a0 3182 extendLifetime();
6b2b6cfe
CT
3183 stream->registerWithConn();
3184
ad05b958 3185 const auto mx = MasterXaction::MakePortful(port);
5ceaee75 3186 mx->tcpClient = clientConnection;
6b2b6cfe
CT
3187 // Setup Http::Request object. Maybe should be replaced by a call to (modified)
3188 // clientProcessRequest
5ceaee75 3189 HttpRequest::Pointer request = new HttpRequest(mx);
eb026889
CT
3190 request->url.setScheme(AnyP::PROTO_AUTHORITY_FORM, nullptr);
3191 request->method = Http::METHOD_CONNECT;
6b2b6cfe
CT
3192 request->url.host(useHost.c_str());
3193 request->url.port(usePort);
9ce4a1eb
CT
3194
3195 http->uri = SBufToCstring(request->effectiveRequestUri());
bec110e4 3196 http->initRequest(request.getRaw());
6b2b6cfe 3197
cd4a5c60 3198 request->manager(this, http->al);
6b2b6cfe 3199
eb026889 3200 request->header.putStr(Http::HOST, useHost.c_str());
cd4a5c60 3201
63df1d28 3202 request->sources |= ((switchedToHttps() || port->transport.protocol == AnyP::PROTO_HTTPS) ? Http::Message::srcHttps : Http::Message::srcHttp);
6b2b6cfe
CT
3203#if USE_AUTH
3204 if (getAuth())
3205 request->auth_user_request = getAuth();
3206#endif
6b2b6cfe
CT
3207
3208 inBuf = payload;
3209 flags.readMore = false;
3210
6b2b6cfe
CT
3211 return http;
3212}
3213
00516be1
AR
3214/// check FD after clientHttp[s]ConnectionOpened, adjust HttpSockets as needed
3215static bool
73c36fd9 3216OpenedHttpSocket(const Comm::ConnectionPointer &c, const Ipc::FdNoteId portType)
00516be1 3217{
73c36fd9 3218 if (!Comm::IsConnOpen(c)) {
00516be1
AR
3219 Must(NHttpSockets > 0); // we tried to open some
3220 --NHttpSockets; // there will be fewer sockets than planned
3221 Must(HttpSockets[NHttpSockets] < 0); // no extra fds received
3222
3223 if (!NHttpSockets) // we could not open any listen sockets at all
cbff89ba 3224 fatalf("Unable to open %s",FdNote(portType));
00516be1
AR
3225
3226 return false;
3227 }
3228 return true;
3229}
3230
3231/// find any unused HttpSockets[] slot and store fd there or return false
3232static bool
e0d28505 3233AddOpenedHttpSocket(const Comm::ConnectionPointer &conn)
00516be1
AR
3234{
3235 bool found = false;
95dc7ff4 3236 for (int i = 0; i < NHttpSockets && !found; ++i) {
00516be1 3237 if ((found = HttpSockets[i] < 0))
e0d28505 3238 HttpSockets[i] = conn->fd;
00516be1
AR
3239 }
3240 return found;
3241}
15df8349 3242
d193a436 3243static void
15df8349 3244clientHttpConnectionsOpen(void)
3245{
f38db639 3246 const auto savedContext = CodeContext::Current();
aee3523a 3247 for (AnyP::PortCfgPointer s = HttpPortList; s != nullptr; s = s->next) {
f38db639 3248 CodeContext::Reset(s);
d31d59d8 3249 const SBuf &scheme = AnyP::UriScheme(s->transport.protocol).image();
339e4d7a 3250
65d448bc 3251 if (MAXTCPLISTENPORTS == NHttpSockets) {
ccfbe8f4
AR
3252 debugs(1, DBG_IMPORTANT, "WARNING: You have too many '" << scheme << "_port' lines." <<
3253 Debug::Extra << "The limit is " << MAXTCPLISTENPORTS << " HTTP ports.");
62e76326 3254 continue;
3255 }
3256
cb4f4424 3257#if USE_OPENSSL
6a25a046 3258 if (s->flags.tunnelSslBumping) {
339e4d7a
AJ
3259 if (!Config.accessList.ssl_bump) {
3260 debugs(33, DBG_IMPORTANT, "WARNING: No ssl_bump configured. Disabling ssl-bump on " << scheme << "_port " << s->s);
3261 s->flags.tunnelSslBumping = false;
3262 }
cf487124 3263 if (!s->secure.staticContext && !s->secure.generateHostCertificates) {
339e4d7a
AJ
3264 debugs(1, DBG_IMPORTANT, "Will not bump SSL at " << scheme << "_port " << s->s << " due to TLS initialization failure.");
3265 s->flags.tunnelSslBumping = false;
3266 if (s->transport.protocol == AnyP::PROTO_HTTP)
3267 s->secure.encryptTransport = false;
3268 }
3269 if (s->flags.tunnelSslBumping) {
3270 // Create ssl_ctx cache for this port.
9e779e40 3271 Ssl::TheGlobalContextStorage().addLocalStorage(s->s, s->secure.dynamicCertMemCacheSize);
339e4d7a 3272 }
95d2589c 3273 }
51e09c08 3274#endif
ae7ff0b8 3275
80b5995a 3276 if (s->secure.encryptTransport && !s->secure.staticContext) {
339e4d7a
AJ
3277 debugs(1, DBG_CRITICAL, "ERROR: Ignoring " << scheme << "_port " << s->s << " due to TLS context initialization failure.");
3278 continue;
3279 }
3280
71ddbf2a
EB
3281 const auto protocol = s->transport.protocol;
3282 assert(protocol == AnyP::PROTO_HTTP || protocol == AnyP::PROTO_HTTPS);
3283 const auto isHttps = protocol == AnyP::PROTO_HTTPS;
3284 using AcceptCall = CommCbFunPtrCallT<CommAcceptCbPtrFun>;
3285 RefCount<AcceptCall> subCall = commCbCall(5, 5, isHttps ? "httpsAccept" : "httpAccept",
bb4cc8e6 3286 CommAcceptCbPtrFun(isHttps ? httpsAccept : httpAccept, CommAcceptCbParams(nullptr)));
71ddbf2a 3287 clientStartListeningOn(s, subCall, isHttps ? Ipc::fdnHttpsSocket : Ipc::fdnHttpSocket);
cbff89ba 3288 }
f38db639 3289 CodeContext::Reset(savedContext);
d193a436 3290}
d193a436 3291
92ae4c86 3292void
27c841f6
AR
3293clientStartListeningOn(AnyP::PortCfgPointer &port, const RefCount< CommCbFunPtrCallT<CommAcceptCbPtrFun> > &subCall, const Ipc::FdNoteId fdNote)
3294{
92ae4c86
AR
3295 // Fill out a Comm::Connection which IPC will open as a listener for us
3296 port->listenConn = new Comm::Connection;
3297 port->listenConn->local = port->s;
e7ce227f
AR
3298 port->listenConn->flags =
3299 COMM_NONBLOCKING |
3300 (port->flags.tproxyIntercept ? COMM_TRANSPARENT : 0) |
049eeeb4
EB
3301 (port->flags.natIntercept ? COMM_INTERCEPTION : 0) |
3302 (port->workerQueues ? COMM_REUSEPORT : 0);
92ae4c86
AR
3303
3304 // route new connections to subCall
3305 typedef CommCbFunPtrCallT<CommAcceptCbPtrFun> AcceptCall;
3306 Subscription::Pointer sub = new CallSubscription<AcceptCall>(subCall);
e5ddd4ce 3307 const auto listenCall =
e7ce227f
AR
3308 asyncCall(33, 2, "clientListenerConnectionOpened",
3309 ListeningStartedDialer(&clientListenerConnectionOpened,
3310 port, fdNote, sub));
e5ddd4ce
AR
3311 AsyncCallback<Ipc::StartListeningAnswer> callback(listenCall);
3312 Ipc::StartListening(SOCK_STREAM, IPPROTO_TCP, port->listenConn, fdNote, callback);
434a79b0 3313
92ae4c86
AR
3314 assert(NHttpSockets < MAXTCPLISTENPORTS);
3315 HttpSockets[NHttpSockets] = -1;
3316 ++NHttpSockets;
434a79b0
DK
3317}
3318
e0d28505 3319/// process clientHttpConnectionsOpen result
00516be1 3320static void
fa720bfb 3321clientListenerConnectionOpened(AnyP::PortCfgPointer &s, const Ipc::FdNoteId portTypeNote, const Subscription::Pointer &sub)
00516be1 3322{
aee3523a 3323 Must(s != nullptr);
fa720bfb 3324
8bbb16e3 3325 if (!OpenedHttpSocket(s->listenConn, portTypeNote))
00516be1 3326 return;
62e76326 3327
e0d28505 3328 Must(Comm::IsConnOpen(s->listenConn));
62e76326 3329
8bbb16e3 3330 // TCP: setup a job to handle accept() with subscribed handler
fa720bfb 3331 AsyncJob::Start(new Comm::TcpAcceptor(s, FdNote(portTypeNote), sub));
8bbb16e3 3332
c59baaa8 3333 debugs(1, Important(13), "Accepting " <<
6a25a046 3334 (s->flags.natIntercept ? "NAT intercepted " : "") <<
0d901ef4 3335 (s->flags.tproxyIntercept ? "TPROXY intercepted " : "") <<
6a25a046
FC
3336 (s->flags.tunnelSslBumping ? "SSL bumped " : "") <<
3337 (s->flags.accelSurrogate ? "reverse-proxy " : "")
8bbb16e3
AJ
3338 << FdNote(portTypeNote) << " connections at "
3339 << s->listenConn);
62e76326 3340
e0d28505 3341 Must(AddOpenedHttpSocket(s->listenConn)); // otherwise, we have received a fd we did not ask for
6fa8c664 3342
553b28e7 3343#if HAVE_LIBSYSTEMD
6fa8c664
MM
3344 // When the very first port opens, tell systemd we are able to serve connections.
3345 // Subsequent sd_notify() calls, including calls during reconfiguration,
3346 // do nothing because the first call parameter is 1.
3347 // XXX: Send the notification only after opening all configured ports.
3348 if (opt_foreground || opt_no_daemon) {
3349 const auto result = sd_notify(1, "READY=1");
3350 if (result < 0) {
3351 debugs(1, DBG_IMPORTANT, "WARNING: failed to send start-up notification to systemd" <<
3352 Debug::Extra << "sd_notify() error: " << xstrerr(-result));
3353 }
3354 }
3355#endif
d193a436 3356}
3357
d193a436 3358void
3359clientOpenListenSockets(void)
3360{
3361 clientHttpConnectionsOpen();
92ae4c86 3362 Ftp::StartListening();
62e76326 3363
15df8349 3364 if (NHttpSockets < 1)
e7ce227f 3365 fatal("No HTTP, HTTPS, or FTP ports configured");
15df8349 3366}
edce4d98 3367
c0fbae16 3368void
e7ce227f 3369clientConnectionsClose()
c0fbae16 3370{
f38db639 3371 const auto savedContext = CodeContext::Current();
aee3523a 3372 for (AnyP::PortCfgPointer s = HttpPortList; s != nullptr; s = s->next) {
f38db639 3373 CodeContext::Reset(s);
aee3523a 3374 if (s->listenConn != nullptr) {
c59baaa8 3375 debugs(1, Important(14), "Closing HTTP(S) port " << s->listenConn->local);
00406b24 3376 s->listenConn->close();
aee3523a 3377 s->listenConn = nullptr;
04f55905
AJ
3378 }
3379 }
f38db639 3380 CodeContext::Reset(savedContext);
62e76326 3381
92ae4c86 3382 Ftp::StopListening();
434a79b0 3383
04f55905 3384 // TODO see if we can drop HttpSockets array entirely */
95dc7ff4 3385 for (int i = 0; i < NHttpSockets; ++i) {
04f55905
AJ
3386 HttpSockets[i] = -1;
3387 }
62e76326 3388
c0fbae16 3389 NHttpSockets = 0;
3390}
f66a9ef4 3391
3392int
190154cf 3393varyEvaluateMatch(StoreEntry * entry, HttpRequest * request)
f66a9ef4 3394{
90ab8f20 3395 SBuf vary(request->vary_headers);
66d51f4f
AR
3396 const auto &reply = entry->mem().freshestReply();
3397 auto has_vary = reply.header.has(Http::HdrType::VARY);
f66a9ef4 3398#if X_ACCELERATOR_VARY
62e76326 3399
edce4d98 3400 has_vary |=
66d51f4f 3401 reply.header.has(Http::HdrType::HDR_X_ACCELERATOR_VARY);
f66a9ef4 3402#endif
62e76326 3403
90ab8f20
AJ
3404 if (!has_vary || entry->mem_obj->vary_headers.isEmpty()) {
3405 if (!vary.isEmpty()) {
62e76326 3406 /* Oops... something odd is going on here.. */
e0236918 3407 debugs(33, DBG_IMPORTANT, "varyEvaluateMatch: Oops. Not a Vary object on second attempt, '" <<
c877c0bc 3408 entry->mem_obj->urlXXX() << "' '" << vary << "'");
90ab8f20 3409 request->vary_headers.clear();
62e76326 3410 return VARY_CANCEL;
3411 }
3412
3413 if (!has_vary) {
3414 /* This is not a varying object */
3415 return VARY_NONE;
3416 }
3417
3418 /* virtual "vary" object found. Calculate the vary key and
3419 * continue the search
3420 */
66d51f4f 3421 vary = httpMakeVaryMark(request, &reply);
62e76326 3422
90ab8f20
AJ
3423 if (!vary.isEmpty()) {
3424 request->vary_headers = vary;
62e76326 3425 return VARY_OTHER;
3426 } else {
3427 /* Ouch.. we cannot handle this kind of variance */
3428 /* XXX This cannot really happen, but just to be complete */
3429 return VARY_CANCEL;
3430 }
f66a9ef4 3431 } else {
90ab8f20 3432 if (vary.isEmpty()) {
66d51f4f 3433 vary = httpMakeVaryMark(request, &reply);
62e76326 3434
90ab8f20
AJ
3435 if (!vary.isEmpty())
3436 request->vary_headers = vary;
62e76326 3437 }
3438
90ab8f20 3439 if (vary.isEmpty()) {
62e76326 3440 /* Ouch.. we cannot handle this kind of variance */
3441 /* XXX This cannot really happen, but just to be complete */
3442 return VARY_CANCEL;
90ab8f20 3443 } else if (vary.cmp(entry->mem_obj->vary_headers) == 0) {
62e76326 3444 return VARY_MATCH;
3445 } else {
3446 /* Oops.. we have already been here and still haven't
3447 * found the requested variant. Bail out
3448 */
e0236918 3449 debugs(33, DBG_IMPORTANT, "varyEvaluateMatch: Oops. Not a Vary match on second attempt, '" <<
c877c0bc 3450 entry->mem_obj->urlXXX() << "' '" << vary << "'");
62e76326 3451 return VARY_CANCEL;
3452 }
f66a9ef4 3453 }
3454}
28d4805a 3455
c56edb4a 3456ACLFilledChecklist::MakingPointer
59a1efb2 3457clientAclChecklistCreate(const acl_access * acl, ClientHttpRequest * http)
28d4805a 3458{
c56edb4a 3459 auto checklist = ACLFilledChecklist::Make(acl, nullptr);
819be284
EB
3460 clientAclChecklistFill(*checklist, http);
3461 return checklist;
3462}
3463
3464void
3465clientAclChecklistFill(ACLFilledChecklist &checklist, ClientHttpRequest *http)
3466{
e227da8d
AR
3467 assert(http);
3468
3469 if (!checklist.request && http->request)
3470 checklist.setRequest(http->request);
3471
3472 if (!checklist.al && http->al) {
b1c2ea7a 3473 checklist.updateAle(http->al);
e227da8d 3474 checklist.syncAle(http->request, http->log_uri);
e227da8d
AR
3475 }
3476
3477 if (const auto conn = http->getConn())
3478 checklist.setConn(conn); // may already be set
3479}
3480
3481void
3482ConnStateData::fillChecklist(ACLFilledChecklist &checklist) const
3483{
3484 const auto context = pipeline.front();
3485 if (const auto http = context ? context->http : nullptr)
3486 return clientAclChecklistFill(checklist, http); // calls checklist.setConn()
3487
3488 // no requests, but we always have connection-level details
3489 // TODO: ACL checks should not require a mutable ConnStateData. Adjust the
3490 // code that accidentally violates that principle to remove this const_cast!
3491 checklist.setConn(const_cast<ConnStateData*>(this));
3492
3493 // Set other checklist fields inside our fillConnectionLevelDetails() rather
3494 // than here because clientAclChecklistFill() code path calls that method
3495 // (via ACLFilledChecklist::setConn()) rather than calling us directly.
3496}
3497
3498void
3499ConnStateData::fillConnectionLevelDetails(ACLFilledChecklist &checklist) const
3500{
3501 assert(checklist.conn() == this);
3502 assert(clientConnection);
3503
3504 if (!checklist.request) { // preserve (better) addresses supplied by setRequest()
3505 checklist.src_addr = clientConnection->remote;
3506 checklist.my_addr = clientConnection->local; // TODO: or port->s?
3507 }
3508
3509#if USE_OPENSSL
3510 if (!checklist.sslErrors && sslServerBump)
27a1c6de 3511 checklist.sslErrors = sslServerBump->sslErrors();
e227da8d 3512#endif
28d4805a 3513}
a46d2c0e 3514
a46d2c0e 3515bool
3516ConnStateData::transparent() const
3517{
aee3523a 3518 return clientConnection != nullptr && (clientConnection->flags & (COMM_TRANSPARENT|COMM_INTERCEPTION));
a46d2c0e 3519}
3520
5f8252d2 3521BodyPipe::Pointer
3e62bd58 3522ConnStateData::expectRequestBody(int64_t size)
5f8252d2 3523{
3524 bodyPipe = new BodyPipe(this);
39cb8c41
AR
3525 if (size >= 0)
3526 bodyPipe->setBodySize(size);
3527 else
3528 startDechunkingRequest();
5f8252d2 3529 return bodyPipe;
3530}
3531
39cb8c41
AR
3532int64_t
3533ConnStateData::mayNeedToReadMoreBody() const
3534{
3535 if (!bodyPipe)
3536 return 0; // request without a body or read/produced all body bytes
3537
3538 if (!bodyPipe->bodySizeKnown())
3539 return -1; // probably need to read more, but we cannot be sure
3540
3541 const int64_t needToProduce = bodyPipe->unproducedSize();
fcc444e3 3542 const int64_t haveAvailable = static_cast<int64_t>(inBuf.length());
39cb8c41
AR
3543
3544 if (needToProduce <= haveAvailable)
3545 return 0; // we have read what we need (but are waiting for pipe space)
3546
3547 return needToProduce - haveAvailable;
3548}
3549
55e44db9 3550void
cf6eb29e 3551ConnStateData::stopReceiving(const char *error)
55e44db9 3552{
bf95c10a 3553 debugs(33, 4, "receiving error (" << clientConnection << "): " << error <<
cf6eb29e
CT
3554 "; old sending error: " <<
3555 (stoppedSending() ? stoppedSending_ : "none"));
5f8252d2 3556
cf6eb29e 3557 if (const char *oldError = stoppedReceiving()) {
bf95c10a 3558 debugs(33, 3, "already stopped receiving: " << oldError);
cf6eb29e
CT
3559 return; // nothing has changed as far as this connection is concerned
3560 }
5f8252d2 3561
cf6eb29e 3562 stoppedReceiving_ = error;
5f8252d2 3563
cf6eb29e 3564 if (const char *sendError = stoppedSending()) {
bf95c10a 3565 debugs(33, 3, "closing because also stopped sending: " << sendError);
cf6eb29e
CT
3566 clientConnection->close();
3567 }
55e44db9 3568}
3569
eb44b2d7 3570void
e29ccb57
A
3571ConnStateData::expectNoForwarding()
3572{
aee3523a 3573 if (bodyPipe != nullptr) {
bf95c10a 3574 debugs(33, 4, "no consumer for virgin body " << bodyPipe->status());
eb44b2d7
CT
3575 bodyPipe->expectNoConsumption();
3576 }
3577}
3578
39cb8c41 3579/// initialize dechunking state
3ff65596 3580void
39cb8c41 3581ConnStateData::startDechunkingRequest()
3ff65596 3582{
aee3523a 3583 Must(bodyPipe != nullptr);
bf95c10a 3584 debugs(33, 5, "start dechunking" << bodyPipe->status());
fcc444e3
AJ
3585 assert(!bodyParser);
3586 bodyParser = new Http1::TeChunkedParser;
3ff65596
AR
3587}
3588
39cb8c41 3589/// put parsed content into input buffer and clean up
3ff65596 3590void
39cb8c41 3591ConnStateData::finishDechunkingRequest(bool withSuccess)
3ff65596 3592{
bf95c10a 3593 debugs(33, 5, "finish dechunking: " << withSuccess);
3ff65596 3594
aee3523a 3595 if (bodyPipe != nullptr) {
bf95c10a 3596 debugs(33, 7, "dechunked tail: " << bodyPipe->status());
39cb8c41
AR
3597 BodyPipe::Pointer myPipe = bodyPipe;
3598 stopProducingFor(bodyPipe, withSuccess); // sets bodyPipe->bodySize()
3599 Must(!bodyPipe); // we rely on it being nil after we are done with body
3600 if (withSuccess) {
3601 Must(myPipe->bodySizeKnown());
d3dddfb5 3602 Http::StreamPointer context = pipeline.front();
aee3523a 3603 if (context != nullptr && context->http && context->http->request)
39cb8c41
AR
3604 context->http->request->setContentLength(myPipe->bodySize());
3605 }
3ff65596 3606 }
3ff65596 3607
fcc444e3 3608 delete bodyParser;
aee3523a 3609 bodyParser = nullptr;
a46d2c0e 3610}
d67acb4e 3611
139a1d68 3612// XXX: this is an HTTP/1-only operation
655daa06
AR
3613void
3614ConnStateData::sendControlMsg(HttpControlMsg msg)
3615{
49f57088
EB
3616 if (const auto context = pipeline.front()) {
3617 if (context->http)
3618 context->http->al->reply = msg.reply;
3619 }
3620
eedd4182 3621 if (!isOpen()) {
bf95c10a 3622 debugs(33, 3, "ignoring 1xx due to earlier closure");
655daa06
AR
3623 return;
3624 }
3625
84540b47 3626 // HTTP/1 1xx status messages are only valid when there is a transaction to trigger them
139a1d68 3627 if (!pipeline.empty()) {
84540b47
AJ
3628 HttpReply::Pointer rep(msg.reply);
3629 Must(rep);
3630 // remember the callback
3631 cbControlMsgSent = msg.cbSuccess;
3632
3633 typedef CommCbMemFunT<HttpControlMsgSink, CommIoCbParams> Dialer;
3634 AsyncCall::Pointer call = JobCallback(33, 5, Dialer, this, HttpControlMsgSink::wroteControlMsg);
3635
2f97ab10
CT
3636 if (!writeControlMsgAndCall(rep.getRaw(), call)) {
3637 // but still inform the caller (so it may resume its operation)
3638 doneWithControlMsg();
3639 }
655daa06
AR
3640 return;
3641 }
3642
bf95c10a 3643 debugs(33, 3, " closing due to missing context for 1xx");
73c36fd9 3644 clientConnection->close();
655daa06
AR
3645}
3646
24e1fd72 3647void
2f97ab10 3648ConnStateData::doneWithControlMsg()
24e1fd72 3649{
2f97ab10 3650 HttpControlMsgSink::doneWithControlMsg();
24e1fd72
CT
3651
3652 if (Http::StreamPointer deferredRequest = pipeline.front()) {
3653 debugs(33, 3, clientConnection << ": calling PushDeferredIfNeeded after control msg wrote");
3654 ClientSocketContextPushDeferredIfNeeded(deferredRequest, this);
3655 }
3656}
3657
d7ce0bcd 3658/// Our close handler called by Comm when the pinned connection is closed
d67acb4e
AJ
3659void
3660ConnStateData::clientPinnedConnectionClosed(const CommCloseCbParams &io)
3661{
7a957a93
AR
3662 // FwdState might repin a failed connection sooner than this close
3663 // callback is called for the failed connection.
693cb033 3664 assert(pinning.serverConnection == io.conn);
aee3523a 3665 pinning.closeHandler = nullptr; // Comm unregisters handlers before calling
693cb033 3666 const bool sawZeroReply = pinning.zeroReply; // reset when unpinning
b54a7c5a 3667 pinning.serverConnection->noteClosure();
89b1d7a2 3668 unpinConnection(false);
f8e4867b 3669
aee3523a 3670 if (sawZeroReply && clientConnection != nullptr) {
693cb033
CT
3671 debugs(33, 3, "Closing client connection on pinned zero reply.");
3672 clientConnection->close();
85563fd9 3673 }
f8e4867b 3674
d67acb4e
AJ
3675}
3676
b1cf2350 3677void
801cfc26 3678ConnStateData::pinBusyConnection(const Comm::ConnectionPointer &pinServer, const HttpRequest::Pointer &request)
9e008dda 3679{
801cfc26
CT
3680 pinConnection(pinServer, *request);
3681}
d67acb4e 3682
801cfc26
CT
3683void
3684ConnStateData::notePinnedConnectionBecameIdle(PinnedIdleContext pic)
3685{
3686 Must(pic.connection);
3687 Must(pic.request);
3688 pinConnection(pic.connection, *pic.request);
3689
3690 // monitor pinned server connection for remote-end closures.
3691 startPinnedConnectionMonitoring();
3692
3693 if (pipeline.empty())
5da786ef 3694 kick(); // in case parseRequests() was blocked by a busy pic.connection
89b1d7a2 3695}
9e008dda 3696
801cfc26 3697/// Forward future client requests using the given server connection.
89b1d7a2 3698void
801cfc26 3699ConnStateData::pinConnection(const Comm::ConnectionPointer &pinServer, const HttpRequest &request)
89b1d7a2 3700{
801cfc26
CT
3701 if (Comm::IsConnOpen(pinning.serverConnection) &&
3702 pinning.serverConnection->fd == pinServer->fd) {
3703 debugs(33, 3, "already pinned" << pinServer);
3704 return;
3705 }
3706
89b1d7a2 3707 unpinConnection(true); // closes pinned connection, if any, and resets fields
9e008dda 3708
73c36fd9 3709 pinning.serverConnection = pinServer;
d7ce0bcd 3710
bf95c10a 3711 debugs(33, 3, pinning.serverConnection);
85563fd9 3712
aee3523a 3713 Must(pinning.serverConnection != nullptr);
89b1d7a2 3714
d7ce0bcd 3715 const char *pinnedHost = "[unknown]";
801cfc26
CT
3716 pinning.host = xstrdup(request.url.host());
3717 pinning.port = request.url.port();
3718 pinnedHost = pinning.host;
d67acb4e 3719 pinning.pinned = true;
801cfc26 3720 pinning.auth = request.flags.connectionAuth;
e3a4aecc 3721 char stmp[MAX_IPSTRLEN];
89b1d7a2 3722 char desc[FD_DESC_SZ];
4d8e3b83 3723 const auto peer = pinning.peer();
e3a4aecc 3724 snprintf(desc, FD_DESC_SZ, "%s pinned connection for %s (%d)",
4d8e3b83 3725 (pinning.auth || !peer) ? pinnedHost : peer->name,
4dd643d5 3726 clientConnection->remote.toUrl(stmp,MAX_IPSTRLEN),
d7ce0bcd 3727 clientConnection->fd);
73c36fd9 3728 fd_note(pinning.serverConnection->fd, desc);
9e008dda 3729
d67acb4e 3730 typedef CommCbMemFunT<ConnStateData, CommCloseCbParams> Dialer;
4299f876 3731 pinning.closeHandler = JobCallback(33, 5,
4cb2536f 3732 Dialer, this, ConnStateData::clientPinnedConnectionClosed);
85563fd9
AR
3733 // remember the pinned connection so that cb does not unpin a fresher one
3734 typedef CommCloseCbParams Params;
3735 Params &params = GetCommParams<Params>(pinning.closeHandler);
3736 params.conn = pinning.serverConnection;
73c36fd9 3737 comm_add_close_handler(pinning.serverConnection->fd, pinning.closeHandler);
7ac40923
AR
3738}
3739
e7ce227f
AR
3740/// [re]start monitoring pinned connection for peer closures so that we can
3741/// propagate them to an _idle_ client pinned to that peer
7ac40923
AR
3742void
3743ConnStateData::startPinnedConnectionMonitoring()
3744{
aee3523a 3745 if (pinning.readHandler != nullptr)
7ac40923
AR
3746 return; // already monitoring
3747
3748 typedef CommCbMemFunT<ConnStateData, CommIoCbParams> Dialer;
3749 pinning.readHandler = JobCallback(33, 3,
3750 Dialer, this, ConnStateData::clientPinnedConnectionRead);
7e66d5e2 3751 Comm::Read(pinning.serverConnection, pinning.readHandler);
7ac40923
AR
3752}
3753
3754void
3755ConnStateData::stopPinnedConnectionMonitoring()
3756{
aee3523a 3757 if (pinning.readHandler != nullptr) {
7e66d5e2 3758 Comm::ReadCancel(pinning.serverConnection->fd, pinning.readHandler);
aee3523a 3759 pinning.readHandler = nullptr;
7ac40923
AR
3760 }
3761}
3762
96aedee5
CT
3763#if USE_OPENSSL
3764bool
3765ConnStateData::handleIdleClientPinnedTlsRead()
3766{
3767 // A ready-for-reading connection means that the TLS server either closed
3768 // the connection, sent us some unexpected HTTP data, or started TLS
3769 // renegotiations. We should close the connection except for the last case.
3770
3771 Must(pinning.serverConnection != nullptr);
33cc0629 3772 auto ssl = fd_table[pinning.serverConnection->fd].ssl.get();
96aedee5
CT
3773 if (!ssl)
3774 return false;
3775
3776 char buf[1];
3777 const int readResult = SSL_read(ssl, buf, sizeof(buf));
3778
3779 if (readResult > 0 || SSL_pending(ssl) > 0) {
3780 debugs(83, 2, pinning.serverConnection << " TLS application data read");
3781 return false;
3782 }
3783
3784 switch(const int error = SSL_get_error(ssl, readResult)) {
3785 case SSL_ERROR_WANT_WRITE:
3786 debugs(83, DBG_IMPORTANT, pinning.serverConnection << " TLS SSL_ERROR_WANT_WRITE request for idle pinned connection");
09835feb
AR
3787 [[fallthrough]]; // to restart monitoring, for now
3788
96aedee5
CT
3789 case SSL_ERROR_NONE:
3790 case SSL_ERROR_WANT_READ:
3791 startPinnedConnectionMonitoring();
3792 return true;
3793
3794 default:
3795 debugs(83, 2, pinning.serverConnection << " TLS error: " << error);
3796 return false;
3797 }
3798
3799 // not reached
3800 return true;
3801}
3802#endif
3803
7ac40923
AR
3804/// Our read handler called by Comm when the server either closes an idle pinned connection or
3805/// perhaps unexpectedly sends something on that idle (from Squid p.o.v.) connection.
3806void
3807ConnStateData::clientPinnedConnectionRead(const CommIoCbParams &io)
3808{
aee3523a 3809 pinning.readHandler = nullptr; // Comm unregisters handlers before calling
7ac40923 3810
c8407295 3811 if (io.flag == Comm::ERR_CLOSING)
7ac40923
AR
3812 return; // close handler will clean up
3813
96aedee5
CT
3814 Must(pinning.serverConnection == io.conn);
3815
3816#if USE_OPENSSL
3817 if (handleIdleClientPinnedTlsRead())
3818 return;
3819#endif
3820
e500cc89 3821 const bool clientIsIdle = pipeline.empty();
7ac40923
AR
3822
3823 debugs(33, 3, "idle pinned " << pinning.serverConnection << " read " <<
3824 io.size << (clientIsIdle ? " with idle client" : ""));
3825
7ac40923
AR
3826 pinning.serverConnection->close();
3827
3828 // If we are still sending data to the client, do not close now. When we are done sending,
4a4fbcef 3829 // ConnStateData::kick() checks pinning.serverConnection and will close.
7ac40923 3830 // However, if we are idle, then we must close to inform the idle client and minimize races.
aee3523a 3831 if (clientIsIdle && clientConnection != nullptr)
7ac40923 3832 clientConnection->close();
d67acb4e
AJ
3833}
3834
daf80700
CT
3835Comm::ConnectionPointer
3836ConnStateData::borrowPinnedConnection(HttpRequest *request, const AccessLogEntryPointer &ale)
d67acb4e 3837{
daf80700
CT
3838 debugs(33, 7, pinning.serverConnection);
3839 Must(request);
85563fd9 3840
daf80700 3841 const auto pinningError = [&](const err_type type) {
89b1d7a2 3842 unpinConnection(true);
daf80700
CT
3843 HttpRequestPointer requestPointer = request;
3844 return ErrorState::NewForwarding(type, requestPointer, ale);
3845 };
3846
3847 if (!Comm::IsConnOpen(pinning.serverConnection))
3848 throw pinningError(ERR_ZERO_SIZE_OBJECT);
d67acb4e 3849
daf80700
CT
3850 if (pinning.auth && pinning.host && strcasecmp(pinning.host, request->url.host()) != 0)
3851 throw pinningError(ERR_CANNOT_FORWARD); // or generalize ERR_CONFLICT_HOST
3852
3853 if (pinning.port != request->url.port())
3854 throw pinningError(ERR_CANNOT_FORWARD); // or generalize ERR_CONFLICT_HOST
3855
4d8e3b83 3856 if (pinning.serverConnection->toGoneCachePeer())
daf80700
CT
3857 throw pinningError(ERR_ZERO_SIZE_OBJECT);
3858
3859 if (pinning.peerAccessDenied)
3860 throw pinningError(ERR_CANNOT_FORWARD); // or generalize ERR_FORWARDING_DENIED
3861
3862 stopPinnedConnectionMonitoring();
73c36fd9 3863 return pinning.serverConnection;
d67acb4e
AJ
3864}
3865
89b1d7a2 3866Comm::ConnectionPointer
daf80700 3867ConnStateData::BorrowPinnedConnection(HttpRequest *request, const AccessLogEntryPointer &ale)
89b1d7a2 3868{
daf80700
CT
3869 if (const auto connManager = request ? request->pinnedConnection() : nullptr)
3870 return connManager->borrowPinnedConnection(request, ale);
89b1d7a2 3871
daf80700
CT
3872 // ERR_CANNOT_FORWARD is somewhat misleading here; we can still forward, but
3873 // there is no point since the client connection is now gone
3874 HttpRequestPointer requestPointer = request;
3875 throw ErrorState::NewForwarding(ERR_CANNOT_FORWARD, requestPointer, ale);
89b1d7a2
AR
3876}
3877
b1cf2350 3878void
89b1d7a2 3879ConnStateData::unpinConnection(const bool andClose)
d67acb4e 3880{
bf95c10a 3881 debugs(33, 3, pinning.serverConnection);
85563fd9 3882
d7ce0bcd 3883 if (Comm::IsConnOpen(pinning.serverConnection)) {
aee3523a 3884 if (pinning.closeHandler != nullptr) {
87f237a9 3885 comm_remove_close_handler(pinning.serverConnection->fd, pinning.closeHandler);
aee3523a 3886 pinning.closeHandler = nullptr;
87f237a9 3887 }
89b1d7a2 3888
f8e4867b 3889 stopPinnedConnectionMonitoring();
89b1d7a2
AR
3890
3891 // close the server side socket if requested
3892 if (andClose)
3893 pinning.serverConnection->close();
aee3523a 3894 pinning.serverConnection = nullptr;
d67acb4e 3895 }
d7ce0bcd 3896
d67acb4e 3897 safe_free(pinning.host);
e3a4aecc 3898
693cb033 3899 pinning.zeroReply = false;
daf80700 3900 pinning.peerAccessDenied = false;
693cb033 3901
e3a4aecc
AJ
3902 /* NOTE: pinning.pinned should be kept. This combined with fd == -1 at the end of a request indicates that the host
3903 * connection has gone away */
d67acb4e 3904}
44352c16 3905
da6dbcd1 3906void
ba3fe8d9 3907ConnStateData::terminateAll(const Error &rawError, const LogTagsErrors &lte)
da6dbcd1 3908{
ba3fe8d9
EB
3909 auto error = rawError; // (cheap) copy so that we can detail
3910 // We detail even ERR_NONE: There should be no transactions left, and
3911 // detailed ERR_NONE will be unused. Otherwise, this detail helps in triage.
ea3f56e2 3912 if (error.details.empty()) {
ba3fe8d9 3913 static const auto d = MakeNamedErrorDetail("WITH_CLIENT");
ea3f56e2 3914 error.details.push_back(d);
ba3fe8d9
EB
3915 }
3916
83b053a0 3917 debugs(33, 3, pipeline.count() << '/' << pipeline.nrequests << " after " << error);
da6dbcd1 3918
83b053a0
CT
3919 if (pipeline.empty()) {
3920 bareError.update(error); // XXX: bareLogTagsErrors
3921 } else {
3922 // We terminate the current CONNECT/PUT/etc. context below, logging any
3923 // error details, but that context may leave unparsed bytes behind.
3924 // Consume them to stop checkLogging() from logging them again later.
3925 const auto intputToConsume =
3926#if USE_OPENSSL
3927 parsingTlsHandshake ? "TLS handshake" : // more specific than CONNECT
3928#endif
3929 bodyPipe ? "HTTP request body" :
3930 pipeline.back()->mayUseConnection() ? "HTTP CONNECT" :
3931 nullptr;
3932
3933 while (const auto context = pipeline.front()) {
3934 context->noteIoError(error, lte);
3935 context->finished(); // cleanup and self-deregister
3936 assert(context != pipeline.front());
3937 }
da6dbcd1 3938
83b053a0
CT
3939 if (intputToConsume && !inBuf.isEmpty()) {
3940 debugs(83, 5, "forgetting client " << intputToConsume << " bytes: " << inBuf.length());
3941 inBuf.clear();
3942 }
3943 }
3944
3945 clientConnection->close();
3946}
3947
3948/// log the last (attempt at) transaction if nobody else did
3949void
3950ConnStateData::checkLogging()
3951{
3952 // to simplify our logic, we assume that terminateAll() has been called
3953 assert(pipeline.empty());
da6dbcd1
EB
3954
3955 // do not log connections that closed after a transaction (it is normal)
3956 // TODO: access_log needs ACLs to match received-no-bytes connections
6b2b6cfe 3957 if (pipeline.nrequests && inBuf.isEmpty())
da6dbcd1
EB
3958 return;
3959
3960 /* Create a temporary ClientHttpRequest object. Its destructor will log. */
3961 ClientHttpRequest http(this);
3962 http.req_sz = inBuf.length();
801cfc26 3963 // XXX: Or we died while waiting for the pinned connection to become idle.
bec110e4 3964 http.setErrorUri("error:transaction-end-before-headers");
83b053a0 3965 http.updateError(bareError);
da6dbcd1 3966}
a6678149 3967
6b2b6cfe 3968bool
9ce4a1eb 3969ConnStateData::shouldPreserveClientData() const
6b2b6cfe 3970{
9ce4a1eb
CT
3971 // PROXY protocol bytes are meant for us and, hence, cannot be tunneled
3972 if (needProxyProtocolHeader_)
3973 return false;
3974
3975 // If our decision here is negative, configuration changes are irrelevant.
3976 // Otherwise, clientTunnelOnError() rechecks configuration before tunneling.
3977 if (!Config.accessList.on_unsupported_protocol)
3978 return false;
3979
3980 // TODO: Figure out whether/how we can support FTP tunneling.
3981 if (port->transport.protocol == AnyP::PROTO_FTP)
3982 return false;
3983
6b2b6cfe 3984#if USE_OPENSSL
9ce4a1eb
CT
3985 if (parsingTlsHandshake)
3986 return true;
3987
3988 // the 1st HTTP request on a bumped connection
3989 if (!parsedBumpedRequestCount && switchedToHttps())
3990 return true;
6b2b6cfe 3991#endif
9ce4a1eb 3992
6ed68767
AR
3993 // the 1st HTTP(S) request on a connection to an intercepting port
3994 if (!pipeline.nrequests && transparent())
9ce4a1eb
CT
3995 return true;
3996
3997 return false;
6b2b6cfe 3998}
aff439e0 3999
75d47340
CT
4000NotePairs::Pointer
4001ConnStateData::notes()
4002{
4003 if (!theNotes)
4004 theNotes = new NotePairs;
4005 return theNotes;
4006}
4007
801cfc26
CT
4008std::ostream &
4009operator <<(std::ostream &os, const ConnStateData::PinnedIdleContext &pic)
4010{
4011 return os << pic.connection << ", request=" << pic.request;
4012}
9f107d9a 4013
1c2b4465
CT
4014std::ostream &
4015operator <<(std::ostream &os, const ConnStateData::ServerConnectionContext &scc)
4016{
4017 return os << scc.conn_ << ", srv_bytes=" << scc.preReadServerBytes.length();
4018}
4019