]>
Commit | Line | Data |
---|---|---|
edce4d98 | 1 | /* |
bde978a6 | 2 | * Copyright (C) 1996-2015 The Squid Software Foundation and contributors |
0a9297f6 | 3 | * |
bbc27441 AJ |
4 | * Squid software is distributed under GPLv2+ license and includes |
5 | * contributions from numerous individuals and organizations. | |
6 | * Please see the COPYING and CONTRIBUTORS files for details. | |
edce4d98 | 7 | */ |
8 | ||
bbc27441 AJ |
9 | /* DEBUG: section 85 Client-side Request Routines */ |
10 | ||
69660be0 | 11 | /* |
12 | * General logic of request processing: | |
26ac0430 | 13 | * |
69660be0 | 14 | * We run a series of tests to determine if access will be permitted, and to do |
15 | * any redirection. Then we call into the result clientStream to retrieve data. | |
16 | * From that point on it's up to reply management. | |
edce4d98 | 17 | */ |
18 | ||
582c2af2 | 19 | #include "squid.h" |
c0941a6a AR |
20 | #include "acl/FilledChecklist.h" |
21 | #include "acl/Gadgets.h" | |
65d448bc | 22 | #include "anyp/PortCfg.h" |
9e104535 | 23 | #include "base/AsyncJobCalls.h" |
27bc2077 AJ |
24 | #include "client_side.h" |
25 | #include "client_side_reply.h" | |
26 | #include "client_side_request.h" | |
602d9612 | 27 | #include "ClientRequestContext.h" |
582c2af2 | 28 | #include "clientStream.h" |
5c336a3b | 29 | #include "comm/Connection.h" |
ec41b64c | 30 | #include "comm/Write.h" |
582c2af2 | 31 | #include "err_detail_type.h" |
2bd84e5f | 32 | #include "errorpage.h" |
c4ad1349 | 33 | #include "fd.h" |
27bc2077 | 34 | #include "fde.h" |
31971e6a | 35 | #include "format/Token.h" |
d05c079c | 36 | #include "gopher.h" |
e166785a | 37 | #include "helper.h" |
24438ec5 | 38 | #include "helper/Reply.h" |
5c0c642e | 39 | #include "http.h" |
ce394734 | 40 | #include "HttpHdrCc.h" |
27bc2077 AJ |
41 | #include "HttpReply.h" |
42 | #include "HttpRequest.h" | |
425de4c8 | 43 | #include "ip/QosConfig.h" |
602d9612 | 44 | #include "ipcache.h" |
1c7ae5ff | 45 | #include "log/access_log.h" |
27bc2077 | 46 | #include "MemObject.h" |
8a01b99e | 47 | #include "Parsing.h" |
582c2af2 | 48 | #include "profiler/Profiler.h" |
e166785a | 49 | #include "redirect.h" |
4d5904f7 | 50 | #include "SquidConfig.h" |
27bc2077 | 51 | #include "SquidTime.h" |
582c2af2 | 52 | #include "Store.h" |
28204b3b | 53 | #include "StrList.h" |
685c6ff5 | 54 | #include "tools.h" |
b1bd952a | 55 | #include "URL.h" |
27bc2077 | 56 | #include "wordlist.h" |
582c2af2 FC |
57 | #if USE_AUTH |
58 | #include "auth/UserRequest.h" | |
59 | #endif | |
60 | #if USE_ADAPTATION | |
61 | #include "adaptation/AccessCheck.h" | |
62 | #include "adaptation/Answer.h" | |
63 | #include "adaptation/Iterator.h" | |
64 | #include "adaptation/Service.h" | |
65 | #if ICAP_CLIENT | |
66 | #include "adaptation/icap/History.h" | |
67 | #endif | |
68 | #endif | |
cb4f4424 | 69 | #if USE_OPENSSL |
2bd84e5f | 70 | #include "ssl/ServerBump.h" |
602d9612 | 71 | #include "ssl/support.h" |
4db984be | 72 | #endif |
3ff65596 | 73 | |
edce4d98 | 74 | #if LINGERING_CLOSE |
75 | #define comm_close comm_lingering_close | |
76 | #endif | |
77 | ||
78 | static const char *const crlf = "\r\n"; | |
79 | ||
609c620a | 80 | #if FOLLOW_X_FORWARDED_FOR |
2efeb0b7 | 81 | static void clientFollowXForwardedForCheck(allow_t answer, void *data); |
609c620a | 82 | #endif /* FOLLOW_X_FORWARDED_FOR */ |
3d674977 | 83 | |
955394ce | 84 | ErrorState *clientBuildError(err_type, Http::StatusCode, char const *url, Ip::Address &, HttpRequest *); |
2bd84e5f | 85 | |
8e2745f4 | 86 | CBDATA_CLASS_INIT(ClientRequestContext); |
87 | ||
edce4d98 | 88 | /* Local functions */ |
edce4d98 | 89 | /* other */ |
2efeb0b7 | 90 | static void clientAccessCheckDoneWrapper(allow_t, void *); |
cb4f4424 | 91 | #if USE_OPENSSL |
2efeb0b7 | 92 | static void sslBumpAccessCheckDoneWrapper(allow_t, void *); |
e0c0d54c | 93 | #endif |
59a1efb2 | 94 | static int clientHierarchical(ClientHttpRequest * http); |
95 | static void clientInterpretRequestHeaders(ClientHttpRequest * http); | |
e166785a | 96 | static HLPCB clientRedirectDoneWrapper; |
a8a0b1c2 | 97 | static HLPCB clientStoreIdDoneWrapper; |
2efeb0b7 | 98 | static void checkNoCacheDoneWrapper(allow_t, void *); |
82afb125 FC |
99 | SQUIDCEXTERN CSR clientGetMoreData; |
100 | SQUIDCEXTERN CSS clientReplyStatus; | |
101 | SQUIDCEXTERN CSD clientReplyDetach; | |
528b2c61 | 102 | static void checkFailureRatio(err_type, hier_code); |
edce4d98 | 103 | |
8e2745f4 | 104 | ClientRequestContext::~ClientRequestContext() |
105 | { | |
de31d06f | 106 | /* |
a546b04b | 107 | * Release our "lock" on our parent, ClientHttpRequest, if we |
108 | * still have one | |
de31d06f | 109 | */ |
a546b04b | 110 | |
111 | if (http) | |
112 | cbdataReferenceDone(http); | |
62e76326 | 113 | |
2bd84e5f | 114 | delete error; |
cc8c4af2 | 115 | debugs(85,3, "ClientRequestContext destructed, this=" << this); |
8e2745f4 | 116 | } |
117 | ||
cc8c4af2 AJ |
118 | ClientRequestContext::ClientRequestContext(ClientHttpRequest *anHttp) : |
119 | http(cbdataReference(anHttp)), | |
120 | acl_checklist(NULL), | |
121 | redirect_state(REDIRECT_NONE), | |
122 | store_id_state(REDIRECT_NONE), | |
123 | host_header_verify_done(false), | |
124 | http_access_done(false), | |
125 | adapted_http_access_done(false), | |
126 | #if USE_ADAPTATION | |
127 | adaptation_acl_check_done(false), | |
128 | #endif | |
129 | redirect_done(false), | |
130 | store_id_done(false), | |
131 | no_cache_done(false), | |
132 | interpreted_req_hdrs(false), | |
133 | tosToClientDone(false), | |
134 | nfmarkToClientDone(false), | |
cb4f4424 | 135 | #if USE_OPENSSL |
cc8c4af2 | 136 | sslBumpCheckDone(false), |
e0c0d54c | 137 | #endif |
cc8c4af2 AJ |
138 | error(NULL), |
139 | readNextRequest(false) | |
140 | { | |
141 | debugs(85, 3, "ClientRequestContext constructed, this=" << this); | |
edce4d98 | 142 | } |
143 | ||
528b2c61 | 144 | CBDATA_CLASS_INIT(ClientHttpRequest); |
8e2745f4 | 145 | |
26ac0430 | 146 | ClientHttpRequest::ClientHttpRequest(ConnStateData * aConn) : |
a83c6ed6 | 147 | #if USE_ADAPTATION |
f53969cc | 148 | AsyncJob("ClientHttpRequest"), |
1cf238db | 149 | #endif |
cc8c4af2 AJ |
150 | request(NULL), |
151 | uri(NULL), | |
152 | log_uri(NULL), | |
153 | req_sz(0), | |
154 | logType(LOG_TAG_NONE), | |
155 | calloutContext(NULL), | |
156 | maxReplyBodySize_(0), | |
157 | entry_(NULL), | |
158 | loggingEntry_(NULL), | |
159 | conn_(NULL) | |
160 | #if USE_OPENSSL | |
161 | , sslBumpNeed_(Ssl::bumpEnd) | |
162 | #endif | |
163 | #if USE_ADAPTATION | |
164 | , request_satisfaction_mode(false) | |
165 | , request_satisfaction_offset(0) | |
166 | #endif | |
528b2c61 | 167 | { |
a0355e95 | 168 | setConn(aConn); |
41ebd397 | 169 | al = new AccessLogEntry; |
af0ded40 | 170 | al->cache.start_time = current_time; |
41ebd397 | 171 | al->tcpClient = clientConnection = aConn->clientConnection; |
fa720bfb | 172 | al->cache.port = aConn->port; |
d4806c91 CT |
173 | al->cache.caddr = aConn->log_addr; |
174 | ||
cb4f4424 | 175 | #if USE_OPENSSL |
f4698e0b | 176 | if (aConn->clientConnection != NULL && aConn->clientConnection->isOpen()) { |
3aac8c26 | 177 | if (auto ssl = fd_table[aConn->clientConnection->fd].ssl) |
f4698e0b CT |
178 | al->cache.sslClientCert.reset(SSL_get_peer_certificate(ssl)); |
179 | } | |
180 | #endif | |
a0355e95 | 181 | dlinkAdd(this, &active, &ClientActiveRequests); |
528b2c61 | 182 | } |
183 | ||
0655fa4d | 184 | /* |
185 | * returns true if client specified that the object must come from the cache | |
186 | * without contacting origin server | |
187 | */ | |
188 | bool | |
189 | ClientHttpRequest::onlyIfCached()const | |
190 | { | |
191 | assert(request); | |
192 | return request->cache_control && | |
4ce6e3b5 | 193 | request->cache_control->onlyIfCached(); |
0655fa4d | 194 | } |
195 | ||
77aacca5 | 196 | /** |
528b2c61 | 197 | * This function is designed to serve a fairly specific purpose. |
198 | * Occasionally our vBNS-connected caches can talk to each other, but not | |
199 | * the rest of the world. Here we try to detect frequent failures which | |
200 | * make the cache unusable (e.g. DNS lookup and connect() failures). If | |
201 | * the failure:success ratio goes above 1.0 then we go into "hit only" | |
202 | * mode where we only return UDP_HIT or UDP_MISS_NOFETCH. Neighbors | |
203 | * will only fetch HITs from us if they are using the ICP protocol. We | |
204 | * stay in this mode for 5 minutes. | |
26ac0430 | 205 | * |
528b2c61 | 206 | * Duane W., Sept 16, 1996 |
207 | */ | |
528b2c61 | 208 | static void |
209 | checkFailureRatio(err_type etype, hier_code hcode) | |
210 | { | |
77aacca5 AJ |
211 | // Can be set at compile time with -D compiler flag |
212 | #ifndef FAILURE_MODE_TIME | |
213 | #define FAILURE_MODE_TIME 300 | |
214 | #endif | |
215 | ||
8d74a311 AJ |
216 | if (hcode == HIER_NONE) |
217 | return; | |
218 | ||
219 | // don't bother when ICP is disabled. | |
220 | if (Config.Port.icp <= 0) | |
221 | return; | |
222 | ||
528b2c61 | 223 | static double magic_factor = 100.0; |
224 | double n_good; | |
225 | double n_bad; | |
62e76326 | 226 | |
528b2c61 | 227 | n_good = magic_factor / (1.0 + request_failure_ratio); |
62e76326 | 228 | |
528b2c61 | 229 | n_bad = magic_factor - n_good; |
62e76326 | 230 | |
528b2c61 | 231 | switch (etype) { |
62e76326 | 232 | |
528b2c61 | 233 | case ERR_DNS_FAIL: |
62e76326 | 234 | |
528b2c61 | 235 | case ERR_CONNECT_FAIL: |
3712be3f | 236 | case ERR_SECURE_CONNECT_FAIL: |
62e76326 | 237 | |
528b2c61 | 238 | case ERR_READ_ERROR: |
5086523e | 239 | ++n_bad; |
62e76326 | 240 | break; |
241 | ||
528b2c61 | 242 | default: |
5086523e | 243 | ++n_good; |
528b2c61 | 244 | } |
62e76326 | 245 | |
528b2c61 | 246 | request_failure_ratio = n_bad / n_good; |
62e76326 | 247 | |
528b2c61 | 248 | if (hit_only_mode_until > squid_curtime) |
62e76326 | 249 | return; |
250 | ||
528b2c61 | 251 | if (request_failure_ratio < 1.0) |
62e76326 | 252 | return; |
253 | ||
77aacca5 | 254 | debugs(33, DBG_CRITICAL, "WARNING: Failure Ratio at "<< std::setw(4)<< |
bf8fe701 | 255 | std::setprecision(3) << request_failure_ratio); |
62e76326 | 256 | |
8d74a311 | 257 | debugs(33, DBG_CRITICAL, "WARNING: ICP going into HIT-only mode for " << |
bf8fe701 | 258 | FAILURE_MODE_TIME / 60 << " minutes..."); |
62e76326 | 259 | |
528b2c61 | 260 | hit_only_mode_until = squid_curtime + FAILURE_MODE_TIME; |
62e76326 | 261 | |
f53969cc | 262 | request_failure_ratio = 0.8; /* reset to something less than 1.0 */ |
528b2c61 | 263 | } |
264 | ||
265 | ClientHttpRequest::~ClientHttpRequest() | |
266 | { | |
bf8fe701 | 267 | debugs(33, 3, "httpRequestFree: " << uri); |
72bdee4c | 268 | PROF_start(httpRequestFree); |
62e76326 | 269 | |
5f8252d2 | 270 | // Even though freeResources() below may destroy the request, |
271 | // we no longer set request->body_pipe to NULL here | |
272 | // because we did not initiate that pipe (ConnStateData did) | |
62e76326 | 273 | |
528b2c61 | 274 | /* the ICP check here was erroneous |
26ac0430 | 275 | * - StoreEntry::releaseRequest was always called if entry was valid |
528b2c61 | 276 | */ |
9ce7856a | 277 | |
528b2c61 | 278 | logRequest(); |
9ce7856a | 279 | |
0976f8db | 280 | loggingEntry(NULL); |
281 | ||
528b2c61 | 282 | if (request) |
41ebd397 | 283 | checkFailureRatio(request->errType, al->hier.code); |
62e76326 | 284 | |
528b2c61 | 285 | freeResources(); |
62e76326 | 286 | |
a83c6ed6 AR |
287 | #if USE_ADAPTATION |
288 | announceInitiatorAbort(virginHeadSource); | |
9d4d7c5e | 289 | |
a83c6ed6 AR |
290 | if (adaptedBodySource != NULL) |
291 | stopConsumingFrom(adaptedBodySource); | |
de31d06f | 292 | #endif |
9ce7856a | 293 | |
de31d06f | 294 | if (calloutContext) |
295 | delete calloutContext; | |
296 | ||
be364179 AJ |
297 | clientConnection = NULL; |
298 | ||
26ac0430 AJ |
299 | if (conn_) |
300 | cbdataReferenceDone(conn_); | |
1cf238db | 301 | |
528b2c61 | 302 | /* moving to the next connection is handled by the context free */ |
303 | dlinkDelete(&active, &ClientActiveRequests); | |
9ce7856a | 304 | |
72bdee4c | 305 | PROF_stop(httpRequestFree); |
528b2c61 | 306 | } |
62e76326 | 307 | |
11992b6f AJ |
308 | /** |
309 | * Create a request and kick it off | |
310 | * | |
311 | * \retval 0 success | |
312 | * \retval -1 failure | |
313 | * | |
69660be0 | 314 | * TODO: Pass in the buffers to be used in the inital Read request, as they are |
315 | * determined by the user | |
edce4d98 | 316 | */ |
11992b6f | 317 | int |
60745f24 | 318 | clientBeginRequest(const HttpRequestMethod& method, char const *url, CSCB * streamcallback, |
0655fa4d | 319 | CSD * streamdetach, ClientStreamData streamdata, HttpHeader const *header, |
62e76326 | 320 | char *tailbuf, size_t taillen) |
edce4d98 | 321 | { |
322 | size_t url_sz; | |
a0355e95 | 323 | ClientHttpRequest *http = new ClientHttpRequest(NULL); |
190154cf | 324 | HttpRequest *request; |
528b2c61 | 325 | StoreIOBuffer tempBuffer; |
af0ded40 CT |
326 | if (http->al != NULL) |
327 | http->al->cache.start_time = current_time; | |
edce4d98 | 328 | /* this is only used to adjust the connection offset in client_side.c */ |
329 | http->req_sz = 0; | |
c8be6d7b | 330 | tempBuffer.length = taillen; |
331 | tempBuffer.data = tailbuf; | |
edce4d98 | 332 | /* client stream setup */ |
333 | clientStreamInit(&http->client_stream, clientGetMoreData, clientReplyDetach, | |
0655fa4d | 334 | clientReplyStatus, new clientReplyContext(http), streamcallback, |
62e76326 | 335 | streamdetach, streamdata, tempBuffer); |
edce4d98 | 336 | /* make it visible in the 'current acctive requests list' */ |
edce4d98 | 337 | /* Set flags */ |
a46d2c0e | 338 | /* internal requests only makes sense in an |
339 | * accelerator today. TODO: accept flags ? */ | |
be4d35dc | 340 | http->flags.accel = true; |
edce4d98 | 341 | /* allow size for url rewriting */ |
342 | url_sz = strlen(url) + Config.appendDomainLen + 5; | |
e6ccf245 | 343 | http->uri = (char *)xcalloc(url_sz, 1); |
edce4d98 | 344 | strcpy(http->uri, url); |
345 | ||
c21ad0f5 | 346 | if ((request = HttpRequest::CreateFromUrlAndMethod(http->uri, method)) == NULL) { |
bf8fe701 | 347 | debugs(85, 5, "Invalid URL: " << http->uri); |
62e76326 | 348 | return -1; |
edce4d98 | 349 | } |
62e76326 | 350 | |
69660be0 | 351 | /* |
11992b6f | 352 | * now update the headers in request with our supplied headers. urlParse |
69660be0 | 353 | * should return a blank header set, but we use Update to be sure of |
354 | * correctness. | |
edce4d98 | 355 | */ |
356 | if (header) | |
a9925b40 | 357 | request->header.update(header, NULL); |
62e76326 | 358 | |
edce4d98 | 359 | http->log_uri = xstrdup(urlCanonicalClean(request)); |
62e76326 | 360 | |
edce4d98 | 361 | /* http struct now ready */ |
362 | ||
69660be0 | 363 | /* |
364 | * build new header list *? TODO | |
edce4d98 | 365 | */ |
45e5102d | 366 | request->flags.accelerated = http->flags.accel; |
62e76326 | 367 | |
e857372a | 368 | request->flags.internalClient = true; |
a46d2c0e | 369 | |
370 | /* this is an internally created | |
371 | * request, not subject to acceleration | |
372 | * target overrides */ | |
69660be0 | 373 | /* |
374 | * FIXME? Do we want to detect and handle internal requests of internal | |
375 | * objects ? | |
376 | */ | |
edce4d98 | 377 | |
378 | /* Internally created requests cannot have bodies today */ | |
379 | request->content_length = 0; | |
62e76326 | 380 | |
4dd643d5 | 381 | request->client_addr.setNoAddr(); |
62e76326 | 382 | |
3d674977 | 383 | #if FOLLOW_X_FORWARDED_FOR |
4dd643d5 | 384 | request->indirect_client_addr.setNoAddr(); |
3d674977 | 385 | #endif /* FOLLOW_X_FORWARDED_FOR */ |
26ac0430 | 386 | |
f53969cc | 387 | request->my_addr.setNoAddr(); /* undefined for internal requests */ |
62e76326 | 388 | |
4dd643d5 | 389 | request->my_addr.port(0); |
62e76326 | 390 | |
2592bc70 | 391 | request->http_ver = Http::ProtocolVersion(); |
62e76326 | 392 | |
b248c2a3 AJ |
393 | http->request = request; |
394 | HTTPMSGLOCK(http->request); | |
edce4d98 | 395 | |
396 | /* optional - skip the access check ? */ | |
de31d06f | 397 | http->calloutContext = new ClientRequestContext(http); |
398 | ||
57abaac0 | 399 | http->calloutContext->http_access_done = false; |
de31d06f | 400 | |
57abaac0 | 401 | http->calloutContext->redirect_done = true; |
de31d06f | 402 | |
57abaac0 | 403 | http->calloutContext->no_cache_done = true; |
de31d06f | 404 | |
405 | http->doCallouts(); | |
62e76326 | 406 | |
edce4d98 | 407 | return 0; |
408 | } | |
409 | ||
de31d06f | 410 | bool |
411 | ClientRequestContext::httpStateIsValid() | |
412 | { | |
413 | ClientHttpRequest *http_ = http; | |
414 | ||
415 | if (cbdataReferenceValid(http_)) | |
416 | return true; | |
417 | ||
418 | http = NULL; | |
419 | ||
420 | cbdataReferenceDone(http_); | |
421 | ||
422 | return false; | |
423 | } | |
424 | ||
3d674977 AJ |
425 | #if FOLLOW_X_FORWARDED_FOR |
426 | /** | |
a9044668 | 427 | * clientFollowXForwardedForCheck() checks the content of X-Forwarded-For: |
3d674977 AJ |
428 | * against the followXFF ACL, or cleans up and passes control to |
429 | * clientAccessCheck(). | |
d096ace1 AJ |
430 | * |
431 | * The trust model here is a little ambiguous. So to clarify the logic: | |
432 | * - we may always use the direct client address as the client IP. | |
a9044668 | 433 | * - these trust tests merey tell whether we trust given IP enough to believe the |
d096ace1 AJ |
434 | * IP string which it appended to the X-Forwarded-For: header. |
435 | * - if at any point we don't trust what an IP adds we stop looking. | |
436 | * - at that point the current contents of indirect_client_addr are the value set | |
437 | * by the last previously trusted IP. | |
438 | * ++ indirect_client_addr contains the remote direct client from the trusted peers viewpoint. | |
3d674977 | 439 | */ |
3d674977 | 440 | static void |
2efeb0b7 | 441 | clientFollowXForwardedForCheck(allow_t answer, void *data) |
3d674977 AJ |
442 | { |
443 | ClientRequestContext *calloutContext = (ClientRequestContext *) data; | |
3d674977 AJ |
444 | |
445 | if (!calloutContext->httpStateIsValid()) | |
446 | return; | |
447 | ||
d096ace1 AJ |
448 | ClientHttpRequest *http = calloutContext->http; |
449 | HttpRequest *request = http->request; | |
450 | ||
3d674977 AJ |
451 | /* |
452 | * answer should be be ACCESS_ALLOWED or ACCESS_DENIED if we are | |
453 | * called as a result of ACL checks, or -1 if we are called when | |
454 | * there's nothing left to do. | |
455 | */ | |
456 | if (answer == ACCESS_ALLOWED && | |
26ac0430 | 457 | request->x_forwarded_for_iterator.size () != 0) { |
d096ace1 | 458 | |
3d674977 | 459 | /* |
d096ace1 AJ |
460 | * Remove the last comma-delimited element from the |
461 | * x_forwarded_for_iterator and use it to repeat the cycle. | |
462 | */ | |
3d674977 AJ |
463 | const char *p; |
464 | const char *asciiaddr; | |
465 | int l; | |
b7ac5457 | 466 | Ip::Address addr; |
bb790702 | 467 | p = request->x_forwarded_for_iterator.termedBuf(); |
3d674977 AJ |
468 | l = request->x_forwarded_for_iterator.size(); |
469 | ||
470 | /* | |
471 | * XXX x_forwarded_for_iterator should really be a list of | |
472 | * IP addresses, but it's a String instead. We have to | |
473 | * walk backwards through the String, biting off the last | |
474 | * comma-delimited part each time. As long as the data is in | |
475 | * a String, we should probably implement and use a variant of | |
476 | * strListGetItem() that walks backwards instead of forwards | |
477 | * through a comma-separated list. But we don't even do that; | |
478 | * we just do the work in-line here. | |
479 | */ | |
480 | /* skip trailing space and commas */ | |
481 | while (l > 0 && (p[l-1] == ',' || xisspace(p[l-1]))) | |
5e263176 | 482 | --l; |
3d674977 AJ |
483 | request->x_forwarded_for_iterator.cut(l); |
484 | /* look for start of last item in list */ | |
485 | while (l > 0 && ! (p[l-1] == ',' || xisspace(p[l-1]))) | |
5e263176 | 486 | --l; |
3d674977 | 487 | asciiaddr = p+l; |
fafd0efa | 488 | if ((addr = asciiaddr)) { |
3d674977 AJ |
489 | request->indirect_client_addr = addr; |
490 | request->x_forwarded_for_iterator.cut(l); | |
d096ace1 AJ |
491 | calloutContext->acl_checklist = clientAclChecklistCreate(Config.accessList.followXFF, http); |
492 | if (!Config.onoff.acl_uses_indirect_client) { | |
493 | /* override the default src_addr tested if we have to go deeper than one level into XFF */ | |
494 | Filled(calloutContext->acl_checklist)->src_addr = request->indirect_client_addr; | |
3d674977 | 495 | } |
d096ace1 | 496 | calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data); |
3d674977 AJ |
497 | return; |
498 | } | |
499 | } /*if (answer == ACCESS_ALLOWED && | |
500 | request->x_forwarded_for_iterator.size () != 0)*/ | |
501 | ||
502 | /* clean up, and pass control to clientAccessCheck */ | |
26ac0430 | 503 | if (Config.onoff.log_uses_indirect_client) { |
3d674977 AJ |
504 | /* |
505 | * Ensure that the access log shows the indirect client | |
506 | * instead of the direct client. | |
507 | */ | |
508 | ConnStateData *conn = http->getConn(); | |
509 | conn->log_addr = request->indirect_client_addr; | |
d4806c91 | 510 | http->al->cache.caddr = conn->log_addr; |
3d674977 AJ |
511 | } |
512 | request->x_forwarded_for_iterator.clean(); | |
e857372a | 513 | request->flags.done_follow_x_forwarded_for = true; |
3d674977 | 514 | |
d096ace1 AJ |
515 | if (answer != ACCESS_ALLOWED && answer != ACCESS_DENIED) { |
516 | debugs(28, DBG_CRITICAL, "ERROR: Processing X-Forwarded-For. Stopping at IP address: " << request->indirect_client_addr ); | |
493d3865 AJ |
517 | } |
518 | ||
519 | /* process actual access ACL as normal. */ | |
520 | calloutContext->clientAccessCheck(); | |
3d674977 AJ |
521 | } |
522 | #endif /* FOLLOW_X_FORWARDED_FOR */ | |
523 | ||
fe97983f | 524 | static void |
4a3b98d7 | 525 | hostHeaderIpVerifyWrapper(const ipcache_addrs* ia, const Dns::LookupDetails &dns, void *data) |
fe97983f AJ |
526 | { |
527 | ClientRequestContext *c = static_cast<ClientRequestContext*>(data); | |
528 | c->hostHeaderIpVerify(ia, dns); | |
529 | } | |
530 | ||
531 | void | |
4a3b98d7 | 532 | ClientRequestContext::hostHeaderIpVerify(const ipcache_addrs* ia, const Dns::LookupDetails &dns) |
fe97983f AJ |
533 | { |
534 | Comm::ConnectionPointer clientConn = http->getConn()->clientConnection; | |
535 | ||
536 | // note the DNS details for the transaction stats. | |
537 | http->request->recordLookup(dns); | |
538 | ||
539 | if (ia != NULL && ia->count > 0) { | |
540 | // Is the NAT destination IP in DNS? | |
5086523e | 541 | for (int i = 0; i < ia->count; ++i) { |
fe97983f AJ |
542 | if (clientConn->local.matchIPAddr(ia->in_addrs[i]) == 0) { |
543 | debugs(85, 3, HERE << "validate IP " << clientConn->local << " possible from Host:"); | |
e857372a | 544 | http->request->flags.hostVerified = true; |
fe97983f AJ |
545 | http->doCallouts(); |
546 | return; | |
547 | } | |
548 | debugs(85, 3, HERE << "validate IP " << clientConn->local << " non-match from Host: IP " << ia->in_addrs[i]); | |
549 | } | |
550 | } | |
551 | debugs(85, 3, HERE << "FAIL: validate IP " << clientConn->local << " possible from Host:"); | |
05b28f84 | 552 | hostHeaderVerifyFailed("local IP", "any domain IP"); |
fe97983f AJ |
553 | } |
554 | ||
555 | void | |
05b28f84 | 556 | ClientRequestContext::hostHeaderVerifyFailed(const char *A, const char *B) |
fe97983f | 557 | { |
2962f8b8 AJ |
558 | // IP address validation for Host: failed. Admin wants to ignore them. |
559 | // NP: we do not yet handle CONNECT tunnels well, so ignore for them | |
c2a7cefd | 560 | if (!Config.onoff.hostStrictVerify && http->request->method != Http::METHOD_CONNECT) { |
2962f8b8 | 561 | debugs(85, 3, "SECURITY ALERT: Host header forgery detected on " << http->getConn()->clientConnection << |
851feda6 | 562 | " (" << A << " does not match " << B << ") on URL: " << http->request->effectiveRequestUri()); |
2962f8b8 | 563 | |
450fe1cb | 564 | // NP: it is tempting to use 'flags.noCache' but that is all about READing cache data. |
2962f8b8 | 565 | // The problems here are about WRITE for new cache content, which means flags.cachable |
e857372a | 566 | http->request->flags.cachable = false; // MUST NOT cache (for now) |
2962f8b8 | 567 | // XXX: when we have updated the cache key to base on raw-IP + URI this cacheable limit can go. |
e857372a | 568 | http->request->flags.hierarchical = false; // MUST NOT pass to peers (for now) |
2962f8b8 | 569 | // XXX: when we have sorted out the best way to relay requests properly to peers this hierarchical limit can go. |
567fe088 | 570 | http->doCallouts(); |
2962f8b8 AJ |
571 | return; |
572 | } | |
573 | ||
8f489ad7 AJ |
574 | debugs(85, DBG_IMPORTANT, "SECURITY ALERT: Host header forgery detected on " << |
575 | http->getConn()->clientConnection << " (" << A << " does not match " << B << ")"); | |
576 | debugs(85, DBG_IMPORTANT, "SECURITY ALERT: By user agent: " << http->request->header.getStr(HDR_USER_AGENT)); | |
851feda6 | 577 | debugs(85, DBG_IMPORTANT, "SECURITY ALERT: on URL: " << http->request->effectiveRequestUri()); |
fe97983f AJ |
578 | |
579 | // IP address validation for Host: failed. reject the connection. | |
580 | clientStreamNode *node = (clientStreamNode *)http->client_stream.tail->prev->data; | |
581 | clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw()); | |
582 | assert (repContext); | |
955394ce | 583 | repContext->setReplyToError(ERR_CONFLICT_HOST, Http::scConflict, |
fe97983f AJ |
584 | http->request->method, NULL, |
585 | http->getConn()->clientConnection->remote, | |
586 | http->request, | |
587 | NULL, | |
588 | #if USE_AUTH | |
cc1e110a AJ |
589 | http->getConn() != NULL && http->getConn()->getAuth() != NULL ? |
590 | http->getConn()->getAuth() : http->request->auth_user_request); | |
fe97983f AJ |
591 | #else |
592 | NULL); | |
593 | #endif | |
594 | node = (clientStreamNode *)http->client_stream.tail->data; | |
595 | clientStreamRead(node, http, node->readBuffer); | |
596 | } | |
597 | ||
598 | void | |
599 | ClientRequestContext::hostHeaderVerify() | |
600 | { | |
601 | // Require a Host: header. | |
602 | const char *host = http->request->header.getStr(HDR_HOST); | |
fe97983f AJ |
603 | |
604 | if (!host) { | |
605 | // TODO: dump out the HTTP/1.1 error about missing host header. | |
606 | // otherwise this is fine, can't forge a header value when its not even set. | |
607 | debugs(85, 3, HERE << "validate skipped with no Host: header present."); | |
608 | http->doCallouts(); | |
609 | return; | |
610 | } | |
611 | ||
45e5102d | 612 | if (http->request->flags.internal) { |
8f489ad7 AJ |
613 | // TODO: kill this when URL handling allows partial URLs out of accel mode |
614 | // and we no longer screw with the URL just to add our internal host there | |
615 | debugs(85, 6, HERE << "validate skipped due to internal composite URL."); | |
616 | http->doCallouts(); | |
617 | return; | |
618 | } | |
619 | ||
fe97983f AJ |
620 | // Locate if there is a port attached, strip ready for IP lookup |
621 | char *portStr = NULL; | |
91663dce AJ |
622 | char *hostB = xstrdup(host); |
623 | host = hostB; | |
fe97983f AJ |
624 | if (host[0] == '[') { |
625 | // IPv6 literal. | |
fe97983f | 626 | portStr = strchr(hostB, ']'); |
91663dce AJ |
627 | if (portStr && *(++portStr) != ':') { |
628 | portStr = NULL; | |
fe97983f | 629 | } |
91663dce | 630 | } else { |
fe97983f | 631 | // Domain or IPv4 literal with port |
fe97983f | 632 | portStr = strrchr(hostB, ':'); |
91663dce AJ |
633 | } |
634 | ||
635 | uint16_t port = 0; | |
636 | if (portStr) { | |
637 | *portStr = '\0'; // strip the ':' | |
126e1dc0 AJ |
638 | if (*(++portStr) != '\0') { |
639 | char *end = NULL; | |
640 | int64_t ret = strtoll(portStr, &end, 10); | |
641 | if (end == portStr || *end != '\0' || ret < 1 || ret > 0xFFFF) { | |
642 | // invalid port details. Replace the ':' | |
643 | *(--portStr) = ':'; | |
644 | portStr = NULL; | |
645 | } else | |
646 | port = (ret & 0xFFFF); | |
647 | } | |
fe97983f AJ |
648 | } |
649 | ||
5c51bffb | 650 | debugs(85, 3, "validate host=" << host << ", port=" << port << ", portStr=" << (portStr?portStr:"NULL")); |
0d901ef4 | 651 | if (http->request->flags.intercepted || http->request->flags.interceptTproxy) { |
ba4d9da0 | 652 | // verify the Host: port (if any) matches the apparent destination |
4dd643d5 | 653 | if (portStr && port != http->getConn()->clientConnection->local.port()) { |
5c51bffb | 654 | debugs(85, 3, "FAIL on validate port " << http->getConn()->clientConnection->local.port() << |
05b28f84 AJ |
655 | " matches Host: port " << port << " (" << portStr << ")"); |
656 | hostHeaderVerifyFailed("intercepted port", portStr); | |
ba4d9da0 AJ |
657 | } else { |
658 | // XXX: match the scheme default port against the apparent destination | |
fe97983f | 659 | |
ba4d9da0 AJ |
660 | // verify the destination DNS is one of the Host: headers IPs |
661 | ipcache_nbgethostbyname(host, hostHeaderIpVerifyWrapper, this); | |
662 | } | |
06059513 | 663 | } else if (!Config.onoff.hostStrictVerify) { |
5c51bffb | 664 | debugs(85, 3, "validate skipped."); |
90529125 | 665 | http->doCallouts(); |
5c51bffb | 666 | } else if (strlen(host) != strlen(http->request->url.host())) { |
8f489ad7 | 667 | // Verify forward-proxy requested URL domain matches the Host: header |
5c51bffb AJ |
668 | debugs(85, 3, "FAIL on validate URL domain length " << http->request->url.host() << " matches Host: " << host); |
669 | hostHeaderVerifyFailed(host, http->request->url.host()); | |
670 | } else if (matchDomainName(host, http->request->url.host()) != 0) { | |
ba4d9da0 | 671 | // Verify forward-proxy requested URL domain matches the Host: header |
5c51bffb AJ |
672 | debugs(85, 3, "FAIL on validate URL domain " << http->request->url.host() << " matches Host: " << host); |
673 | hostHeaderVerifyFailed(host, http->request->url.host()); | |
674 | } else if (portStr && port != http->request->url.port()) { | |
ba4d9da0 | 675 | // Verify forward-proxy requested URL domain matches the Host: header |
5c51bffb | 676 | debugs(85, 3, "FAIL on validate URL port " << http->request->url.port() << " matches Host: port " << portStr); |
ba4d9da0 | 677 | hostHeaderVerifyFailed("URL port", portStr); |
5c51bffb | 678 | } else if (!portStr && http->request->method != Http::METHOD_CONNECT && http->request->url.port() != http->request->url.getScheme().defaultPort()) { |
ba4d9da0 | 679 | // Verify forward-proxy requested URL domain matches the Host: header |
65d2fdbf | 680 | // Special case: we don't have a default-port to check for CONNECT. Assume URL is correct. |
5c51bffb | 681 | debugs(85, 3, "FAIL on validate URL port " << http->request->url.port() << " matches Host: default port " << http->request->url.getScheme().defaultPort()); |
ba4d9da0 AJ |
682 | hostHeaderVerifyFailed("URL port", "default port"); |
683 | } else { | |
684 | // Okay no problem. | |
5c51bffb | 685 | debugs(85, 3, "validate passed."); |
e857372a | 686 | http->request->flags.hostVerified = true; |
ba4d9da0 | 687 | http->doCallouts(); |
fe97983f | 688 | } |
ba4d9da0 | 689 | safe_free(hostB); |
fe97983f AJ |
690 | } |
691 | ||
edce4d98 | 692 | /* This is the entry point for external users of the client_side routines */ |
693 | void | |
de31d06f | 694 | ClientRequestContext::clientAccessCheck() |
edce4d98 | 695 | { |
fbe9e379 | 696 | #if FOLLOW_X_FORWARDED_FOR |
f1a1f20a | 697 | if (!http->request->flags.doneFollowXff() && |
26ac0430 AJ |
698 | Config.accessList.followXFF && |
699 | http->request->header.has(HDR_X_FORWARDED_FOR)) { | |
d096ace1 AJ |
700 | |
701 | /* we always trust the direct client address for actual use */ | |
702 | http->request->indirect_client_addr = http->request->client_addr; | |
4dd643d5 | 703 | http->request->indirect_client_addr.port(0); |
d096ace1 AJ |
704 | |
705 | /* setup the XFF iterator for processing */ | |
706 | http->request->x_forwarded_for_iterator = http->request->header.getList(HDR_X_FORWARDED_FOR); | |
707 | ||
708 | /* begin by checking to see if we trust direct client enough to walk XFF */ | |
709 | acl_checklist = clientAclChecklistCreate(Config.accessList.followXFF, http); | |
710 | acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, this); | |
3d674977 AJ |
711 | return; |
712 | } | |
fbe9e379 | 713 | #endif |
493d3865 | 714 | |
b50e327b AJ |
715 | if (Config.accessList.http) { |
716 | acl_checklist = clientAclChecklistCreate(Config.accessList.http, http); | |
717 | acl_checklist->nonBlockingCheck(clientAccessCheckDoneWrapper, this); | |
718 | } else { | |
719 | debugs(0, DBG_CRITICAL, "No http_access configuration found. This will block ALL traffic"); | |
720 | clientAccessCheckDone(ACCESS_DENIED); | |
721 | } | |
edce4d98 | 722 | } |
723 | ||
533493da AJ |
724 | /** |
725 | * Identical in operation to clientAccessCheck() but performed later using different configured ACL list. | |
726 | * The default here is to allow all. Since the earlier http_access should do a default deny all. | |
727 | * This check is just for a last-minute denial based on adapted request headers. | |
728 | */ | |
729 | void | |
730 | ClientRequestContext::clientAccessCheck2() | |
731 | { | |
732 | if (Config.accessList.adapted_http) { | |
733 | acl_checklist = clientAclChecklistCreate(Config.accessList.adapted_http, http); | |
734 | acl_checklist->nonBlockingCheck(clientAccessCheckDoneWrapper, this); | |
735 | } else { | |
327e2131 | 736 | debugs(85, 2, HERE << "No adapted_http_access configuration. default: ALLOW"); |
533493da AJ |
737 | clientAccessCheckDone(ACCESS_ALLOWED); |
738 | } | |
739 | } | |
740 | ||
edce4d98 | 741 | void |
2efeb0b7 | 742 | clientAccessCheckDoneWrapper(allow_t answer, void *data) |
edce4d98 | 743 | { |
de31d06f | 744 | ClientRequestContext *calloutContext = (ClientRequestContext *) data; |
fbade053 | 745 | |
de31d06f | 746 | if (!calloutContext->httpStateIsValid()) |
62e76326 | 747 | return; |
62e76326 | 748 | |
de31d06f | 749 | calloutContext->clientAccessCheckDone(answer); |
750 | } | |
751 | ||
9d5e7196 AJ |
752 | void |
753 | ClientRequestContext::clientAccessCheckDone(const allow_t &answer) | |
de31d06f | 754 | { |
755 | acl_checklist = NULL; | |
edce4d98 | 756 | err_type page_id; |
955394ce | 757 | Http::StatusCode status; |
7f06a3d8 | 758 | debugs(85, 2, "The request " << http->request->method << ' ' << |
9d5e7196 | 759 | http->uri << " is " << answer << |
6f58d7d7 | 760 | "; last ACL checked: " << (AclMatchedName ? AclMatchedName : "[none]")); |
f5691f9c | 761 | |
2f1431ea AJ |
762 | #if USE_AUTH |
763 | char const *proxy_auth_msg = "<null>"; | |
cc1e110a AJ |
764 | if (http->getConn() != NULL && http->getConn()->getAuth() != NULL) |
765 | proxy_auth_msg = http->getConn()->getAuth()->denyMessage("<null>"); | |
f5691f9c | 766 | else if (http->request->auth_user_request != NULL) |
767 | proxy_auth_msg = http->request->auth_user_request->denyMessage("<null>"); | |
2f1431ea | 768 | #endif |
62e76326 | 769 | |
dd332b92 | 770 | if (answer != ACCESS_ALLOWED) { |
9d5e7196 | 771 | // auth has a grace period where credentials can be expired but okay not to challenge. |
309347ef | 772 | |
9d5e7196 AJ |
773 | /* Send an auth challenge or error */ |
774 | // XXX: do we still need aclIsProxyAuth() ? | |
dd332b92 | 775 | bool auth_challenge = (answer == ACCESS_AUTH_REQUIRED || aclIsProxyAuth(AclMatchedName)); |
9d5e7196 AJ |
776 | debugs(85, 5, "Access Denied: " << http->uri); |
777 | debugs(85, 5, "AclMatchedName = " << (AclMatchedName ? AclMatchedName : "<null>")); | |
2f1431ea | 778 | #if USE_AUTH |
9d5e7196 AJ |
779 | if (auth_challenge) |
780 | debugs(33, 5, "Proxy Auth Message = " << (proxy_auth_msg ? proxy_auth_msg : "<null>")); | |
2f1431ea | 781 | #endif |
9ce7856a | 782 | |
9d5e7196 AJ |
783 | /* |
784 | * NOTE: get page_id here, based on AclMatchedName because if | |
785 | * USE_DELAY_POOLS is enabled, then AclMatchedName gets clobbered in | |
786 | * the clientCreateStoreEntry() call just below. Pedro Ribeiro | |
787 | * <pribeiro@isel.pt> | |
788 | */ | |
789 | page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, answer != ACCESS_AUTH_REQUIRED); | |
9ce7856a | 790 | |
9d5e7196 | 791 | http->logType = LOG_TCP_DENIED; |
62e76326 | 792 | |
9d5e7196 | 793 | if (auth_challenge) { |
2f1431ea | 794 | #if USE_AUTH |
450fe1cb | 795 | if (http->request->flags.sslBumped) { |
9d5e7196 | 796 | /*SSL Bumped request, authentication is not possible*/ |
955394ce | 797 | status = Http::scForbidden; |
9d5e7196 AJ |
798 | } else if (!http->flags.accel) { |
799 | /* Proxy authorisation needed */ | |
955394ce | 800 | status = Http::scProxyAuthenticationRequired; |
9d5e7196 AJ |
801 | } else { |
802 | /* WWW authorisation needed */ | |
955394ce | 803 | status = Http::scUnauthorized; |
9d5e7196 | 804 | } |
ed6163ef | 805 | #else |
9d5e7196 | 806 | // need auth, but not possible to do. |
955394ce | 807 | status = Http::scForbidden; |
ed6163ef | 808 | #endif |
9d5e7196 AJ |
809 | if (page_id == ERR_NONE) |
810 | page_id = ERR_CACHE_ACCESS_DENIED; | |
811 | } else { | |
955394ce | 812 | status = Http::scForbidden; |
ed6163ef | 813 | |
9d5e7196 AJ |
814 | if (page_id == ERR_NONE) |
815 | page_id = ERR_ACCESS_DENIED; | |
816 | } | |
62e76326 | 817 | |
9d5e7196 | 818 | Ip::Address tmpnoaddr; |
4dd643d5 | 819 | tmpnoaddr.setNoAddr(); |
87f237a9 | 820 | error = clientBuildError(page_id, status, |
68715527 CT |
821 | NULL, |
822 | http->getConn() != NULL ? http->getConn()->clientConnection->remote : tmpnoaddr, | |
823 | http->request | |
87f237a9 | 824 | ); |
68715527 | 825 | |
2f1431ea | 826 | #if USE_AUTH |
87f237a9 | 827 | error->auth_user_request = |
cc1e110a AJ |
828 | http->getConn() != NULL && http->getConn()->getAuth() != NULL ? |
829 | http->getConn()->getAuth() : http->request->auth_user_request; | |
2f1431ea | 830 | #endif |
68715527 CT |
831 | |
832 | readNextRequest = true; | |
9d5e7196 | 833 | } |
de31d06f | 834 | |
dd332b92 | 835 | /* ACCESS_ALLOWED continues here ... */ |
de31d06f | 836 | safe_free(http->uri); |
851feda6 AJ |
837 | const SBuf tmp(http->request->effectiveRequestUri()); |
838 | http->uri = xstrndup(tmp.rawContent(), tmp.length()+1); | |
de31d06f | 839 | http->doCallouts(); |
840 | } | |
841 | ||
a83c6ed6 | 842 | #if USE_ADAPTATION |
de31d06f | 843 | void |
79628299 | 844 | ClientHttpRequest::noteAdaptationAclCheckDone(Adaptation::ServiceGroupPointer g) |
de31d06f | 845 | { |
a83c6ed6 | 846 | debugs(93,3,HERE << this << " adaptationAclCheckDone called"); |
6ec67de9 | 847 | |
e1381638 | 848 | #if ICAP_CLIENT |
79628299 | 849 | Adaptation::Icap::History::Pointer ih = request->icapHistory(); |
e1381638 | 850 | if (ih != NULL) { |
6bc2a98d | 851 | if (getConn() != NULL && getConn()->clientConnection != NULL) { |
79628299 | 852 | ih->rfc931 = getConn()->clientConnection->rfc931; |
cb4f4424 | 853 | #if USE_OPENSSL |
6bc2a98d NH |
854 | if (getConn()->clientConnection->isOpen()) { |
855 | ih->ssluser = sslGetUserEmail(fd_table[getConn()->clientConnection->fd].ssl); | |
856 | } | |
e1381638 | 857 | #endif |
3ff65596 | 858 | } |
79628299 CT |
859 | ih->log_uri = log_uri; |
860 | ih->req_sz = req_sz; | |
3ff65596 AR |
861 | } |
862 | #endif | |
863 | ||
a22e6cd3 AR |
864 | if (!g) { |
865 | debugs(85,3, HERE << "no adaptation needed"); | |
79628299 | 866 | doCallouts(); |
5f8252d2 | 867 | return; |
868 | } | |
de31d06f | 869 | |
79628299 | 870 | startAdaptation(g); |
edce4d98 | 871 | } |
872 | ||
de31d06f | 873 | #endif |
874 | ||
14cc8559 | 875 | static void |
2efeb0b7 | 876 | clientRedirectAccessCheckDone(allow_t answer, void *data) |
14cc8559 | 877 | { |
878 | ClientRequestContext *context = (ClientRequestContext *)data; | |
9d5e7196 AJ |
879 | ClientHttpRequest *http = context->http; |
880 | context->acl_checklist = NULL; | |
14cc8559 | 881 | |
882 | if (answer == ACCESS_ALLOWED) | |
9d5e7196 | 883 | redirectStart(http, clientRedirectDoneWrapper, context); |
bc98bc4b | 884 | else { |
24438ec5 | 885 | Helper::Reply nilReply; |
2428ce02 | 886 | nilReply.result = Helper::Error; |
bc98bc4b AJ |
887 | context->clientRedirectDone(nilReply); |
888 | } | |
14cc8559 | 889 | } |
890 | ||
de31d06f | 891 | void |
892 | ClientRequestContext::clientRedirectStart() | |
14cc8559 | 893 | { |
48e7baac | 894 | debugs(33, 5, HERE << "'" << http->uri << "'"); |
b11724bb | 895 | (void)SyncNotes(*http->al, *http->request); |
14cc8559 | 896 | if (Config.accessList.redirector) { |
de31d06f | 897 | acl_checklist = clientAclChecklistCreate(Config.accessList.redirector, http); |
898 | acl_checklist->nonBlockingCheck(clientRedirectAccessCheckDone, this); | |
14cc8559 | 899 | } else |
de31d06f | 900 | redirectStart(http, clientRedirectDoneWrapper, this); |
14cc8559 | 901 | } |
902 | ||
a8a0b1c2 EC |
903 | /** |
904 | * This methods handles Access checks result of StoreId access list. | |
905 | * Will handle as "ERR" (no change) in a case Access is not allowed. | |
906 | */ | |
907 | static void | |
908 | clientStoreIdAccessCheckDone(allow_t answer, void *data) | |
909 | { | |
910 | ClientRequestContext *context = static_cast<ClientRequestContext *>(data); | |
911 | ClientHttpRequest *http = context->http; | |
912 | context->acl_checklist = NULL; | |
913 | ||
914 | if (answer == ACCESS_ALLOWED) | |
915 | storeIdStart(http, clientStoreIdDoneWrapper, context); | |
916 | else { | |
917 | debugs(85, 3, "access denied expected ERR reply handling: " << answer); | |
24438ec5 | 918 | Helper::Reply nilReply; |
2428ce02 | 919 | nilReply.result = Helper::Error; |
a8a0b1c2 EC |
920 | context->clientStoreIdDone(nilReply); |
921 | } | |
922 | } | |
923 | ||
924 | /** | |
925 | * Start locating an alternative storeage ID string (if any) from admin | |
926 | * configured helper program. This is an asynchronous operation terminating in | |
927 | * ClientRequestContext::clientStoreIdDone() when completed. | |
928 | */ | |
929 | void | |
930 | ClientRequestContext::clientStoreIdStart() | |
931 | { | |
932 | debugs(33, 5,"'" << http->uri << "'"); | |
933 | ||
934 | if (Config.accessList.store_id) { | |
935 | acl_checklist = clientAclChecklistCreate(Config.accessList.store_id, http); | |
936 | acl_checklist->nonBlockingCheck(clientStoreIdAccessCheckDone, this); | |
937 | } else | |
938 | storeIdStart(http, clientStoreIdDoneWrapper, this); | |
939 | } | |
940 | ||
edce4d98 | 941 | static int |
59a1efb2 | 942 | clientHierarchical(ClientHttpRequest * http) |
edce4d98 | 943 | { |
190154cf | 944 | HttpRequest *request = http->request; |
60745f24 | 945 | HttpRequestMethod method = request->method; |
edce4d98 | 946 | |
2962f8b8 | 947 | // intercepted requests MUST NOT (yet) be sent to peers unless verified |
0d901ef4 | 948 | if (!request->flags.hostVerified && (request->flags.intercepted || request->flags.interceptTproxy)) |
2962f8b8 AJ |
949 | return 0; |
950 | ||
69660be0 | 951 | /* |
952 | * IMS needs a private key, so we can use the hierarchy for IMS only if our | |
953 | * neighbors support private keys | |
954 | */ | |
62e76326 | 955 | |
45e5102d | 956 | if (request->flags.ims && !neighbors_do_private_keys) |
62e76326 | 957 | return 0; |
958 | ||
69660be0 | 959 | /* |
960 | * This is incorrect: authenticating requests can be sent via a hierarchy | |
06b97e72 | 961 | * (they can even be cached if the correct headers are set on the reply) |
edce4d98 | 962 | */ |
45e5102d | 963 | if (request->flags.auth) |
62e76326 | 964 | return 0; |
965 | ||
c2a7cefd | 966 | if (method == Http::METHOD_TRACE) |
62e76326 | 967 | return 1; |
968 | ||
c2a7cefd | 969 | if (method != Http::METHOD_GET) |
62e76326 | 970 | return 0; |
971 | ||
450fe1cb | 972 | if (request->flags.loopDetected) |
62e76326 | 973 | return 0; |
974 | ||
4e3f4dc7 | 975 | if (request->url.getScheme() == AnyP::PROTO_HTTP) |
c2a7cefd | 976 | return method.respMaybeCacheable(); |
62e76326 | 977 | |
4e3f4dc7 | 978 | if (request->url.getScheme() == AnyP::PROTO_GOPHER) |
62e76326 | 979 | return gopherCachable(request); |
980 | ||
4e3f4dc7 | 981 | if (request->url.getScheme() == AnyP::PROTO_CACHE_OBJECT) |
62e76326 | 982 | return 0; |
983 | ||
edce4d98 | 984 | return 1; |
985 | } | |
986 | ||
46a1f562 HN |
987 | static void |
988 | clientCheckPinning(ClientHttpRequest * http) | |
989 | { | |
990 | HttpRequest *request = http->request; | |
991 | HttpHeader *req_hdr = &request->header; | |
992 | ConnStateData *http_conn = http->getConn(); | |
993 | ||
994 | /* Internal requests such as those from ESI includes may be without | |
995 | * a client connection | |
996 | */ | |
997 | if (!http_conn) | |
f54f527e | 998 | return; |
46a1f562 | 999 | |
450fe1cb FC |
1000 | request->flags.connectionAuthDisabled = http_conn->port->connection_auth_disabled; |
1001 | if (!request->flags.connectionAuthDisabled) { | |
73c36fd9 | 1002 | if (Comm::IsConnOpen(http_conn->pinning.serverConnection)) { |
46a1f562 | 1003 | if (http_conn->pinning.auth) { |
e857372a FC |
1004 | request->flags.connectionAuth = true; |
1005 | request->flags.auth = true; | |
46a1f562 | 1006 | } else { |
e857372a | 1007 | request->flags.connectionProxyAuth = true; |
46a1f562 | 1008 | } |
b1cf2350 AJ |
1009 | // These should already be linked correctly. |
1010 | assert(request->clientConnectionManager == http_conn); | |
46a1f562 HN |
1011 | } |
1012 | } | |
1013 | ||
1014 | /* check if connection auth is used, and flag as candidate for pinning | |
45e5102d | 1015 | * in such case. |
450fe1cb | 1016 | * Note: we may need to set flags.connectionAuth even if the connection |
46a1f562 HN |
1017 | * is already pinned if it was pinned earlier due to proxy auth |
1018 | */ | |
450fe1cb | 1019 | if (!request->flags.connectionAuth) { |
46a1f562 HN |
1020 | if (req_hdr->has(HDR_AUTHORIZATION) || req_hdr->has(HDR_PROXY_AUTHORIZATION)) { |
1021 | HttpHeaderPos pos = HttpHeaderInitPos; | |
1022 | HttpHeaderEntry *e; | |
1023 | int may_pin = 0; | |
1024 | while ((e = req_hdr->getEntry(&pos))) { | |
1025 | if (e->id == HDR_AUTHORIZATION || e->id == HDR_PROXY_AUTHORIZATION) { | |
1026 | const char *value = e->value.rawBuf(); | |
1027 | if (strncasecmp(value, "NTLM ", 5) == 0 | |
1028 | || | |
1029 | strncasecmp(value, "Negotiate ", 10) == 0 | |
1030 | || | |
1031 | strncasecmp(value, "Kerberos ", 9) == 0) { | |
1032 | if (e->id == HDR_AUTHORIZATION) { | |
e857372a | 1033 | request->flags.connectionAuth = true; |
46a1f562 HN |
1034 | may_pin = 1; |
1035 | } else { | |
e857372a | 1036 | request->flags.connectionProxyAuth = true; |
46a1f562 HN |
1037 | may_pin = 1; |
1038 | } | |
1039 | } | |
1040 | } | |
1041 | } | |
1042 | if (may_pin && !request->pinnedConnection()) { | |
b1cf2350 AJ |
1043 | // These should already be linked correctly. Just need the ServerConnection to pinn. |
1044 | assert(request->clientConnectionManager == http_conn); | |
46a1f562 HN |
1045 | } |
1046 | } | |
1047 | } | |
1048 | } | |
1049 | ||
edce4d98 | 1050 | static void |
59a1efb2 | 1051 | clientInterpretRequestHeaders(ClientHttpRequest * http) |
edce4d98 | 1052 | { |
190154cf | 1053 | HttpRequest *request = http->request; |
0ef77270 | 1054 | HttpHeader *req_hdr = &request->header; |
5086523e | 1055 | bool no_cache = false; |
edce4d98 | 1056 | const char *str; |
62e76326 | 1057 | |
edce4d98 | 1058 | request->imslen = -1; |
a9925b40 | 1059 | request->ims = req_hdr->getTime(HDR_IF_MODIFIED_SINCE); |
62e76326 | 1060 | |
edce4d98 | 1061 | if (request->ims > 0) |
e857372a | 1062 | request->flags.ims = true; |
62e76326 | 1063 | |
450fe1cb | 1064 | if (!request->flags.ignoreCc) { |
47fbd2a7 | 1065 | if (request->cache_control) { |
1259f9cf | 1066 | if (request->cache_control->hasNoCache()) |
5086523e | 1067 | no_cache=true; |
62e76326 | 1068 | |
adc2a453 | 1069 | // RFC 2616: treat Pragma:no-cache as if it was Cache-Control:no-cache when Cache-Control is missing |
47fbd2a7 | 1070 | } else if (req_hdr->has(HDR_PRAGMA)) |
cdf55306 AJ |
1071 | no_cache = req_hdr->hasListMember(HDR_PRAGMA,"no-cache",','); |
1072 | ||
432bc83c HN |
1073 | /* |
1074 | * Work around for supporting the Reload button in IE browsers when Squid | |
1075 | * is used as an accelerator or transparent proxy, by turning accelerated | |
1076 | * IMS request to no-cache requests. Now knows about IE 5.5 fix (is | |
1077 | * actually only fixed in SP1, but we can't tell whether we are talking to | |
1078 | * SP1 or not so all 5.5 versions are treated 'normally'). | |
1079 | */ | |
1080 | if (Config.onoff.ie_refresh) { | |
45e5102d | 1081 | if (http->flags.accel && request->flags.ims) { |
432bc83c HN |
1082 | if ((str = req_hdr->getStr(HDR_USER_AGENT))) { |
1083 | if (strstr(str, "MSIE 5.01") != NULL) | |
5086523e | 1084 | no_cache=true; |
432bc83c | 1085 | else if (strstr(str, "MSIE 5.0") != NULL) |
5086523e | 1086 | no_cache=true; |
432bc83c | 1087 | else if (strstr(str, "MSIE 4.") != NULL) |
5086523e | 1088 | no_cache=true; |
432bc83c | 1089 | else if (strstr(str, "MSIE 3.") != NULL) |
5086523e | 1090 | no_cache=true; |
432bc83c | 1091 | } |
62e76326 | 1092 | } |
1093 | } | |
edce4d98 | 1094 | } |
914b89a2 | 1095 | |
c2a7cefd | 1096 | if (request->method == Http::METHOD_OTHER) { |
5086523e | 1097 | no_cache=true; |
60745f24 | 1098 | } |
62e76326 | 1099 | |
edce4d98 | 1100 | if (no_cache) { |
626096be | 1101 | #if USE_HTTP_VIOLATIONS |
62e76326 | 1102 | |
1103 | if (Config.onoff.reload_into_ims) | |
e857372a | 1104 | request->flags.nocacheHack = true; |
62e76326 | 1105 | else if (refresh_nocache_hack) |
e857372a | 1106 | request->flags.nocacheHack = true; |
62e76326 | 1107 | else |
edce4d98 | 1108 | #endif |
62e76326 | 1109 | |
e857372a | 1110 | request->flags.noCache = true; |
edce4d98 | 1111 | } |
62e76326 | 1112 | |
0ef77270 | 1113 | /* ignore range header in non-GETs or non-HEADs */ |
c2a7cefd | 1114 | if (request->method == Http::METHOD_GET || request->method == Http::METHOD_HEAD) { |
56713d9a AR |
1115 | // XXX: initialize if we got here without HttpRequest::parseHeader() |
1116 | if (!request->range) | |
1117 | request->range = req_hdr->getRange(); | |
62e76326 | 1118 | |
1119 | if (request->range) { | |
e857372a | 1120 | request->flags.isRanged = true; |
62e76326 | 1121 | clientStreamNode *node = (clientStreamNode *)http->client_stream.tail->data; |
1122 | /* XXX: This is suboptimal. We should give the stream the range set, | |
1123 | * and thereby let the top of the stream set the offset when the | |
26ac0430 | 1124 | * size becomes known. As it is, we will end up requesting from 0 |
62e76326 | 1125 | * for evey -X range specification. |
1126 | * RBC - this may be somewhat wrong. We should probably set the range | |
1127 | * iter up at this point. | |
1128 | */ | |
1129 | node->readBuffer.offset = request->range->lowestOffset(0); | |
1130 | http->range_iter.pos = request->range->begin(); | |
24a8eaae | 1131 | http->range_iter.end = request->range->end(); |
62e76326 | 1132 | http->range_iter.valid = true; |
1133 | } | |
edce4d98 | 1134 | } |
62e76326 | 1135 | |
0ef77270 | 1136 | /* Only HEAD and GET requests permit a Range or Request-Range header. |
1137 | * If these headers appear on any other type of request, delete them now. | |
1138 | */ | |
1139 | else { | |
1140 | req_hdr->delById(HDR_RANGE); | |
1141 | req_hdr->delById(HDR_REQUEST_RANGE); | |
f0baf149 | 1142 | request->ignoreRange("neither HEAD nor GET"); |
0ef77270 | 1143 | } |
1144 | ||
a9925b40 | 1145 | if (req_hdr->has(HDR_AUTHORIZATION)) |
e857372a | 1146 | request->flags.auth = true; |
62e76326 | 1147 | |
46a1f562 | 1148 | clientCheckPinning(http); |
d67acb4e | 1149 | |
92d6986d | 1150 | if (!request->url.userInfo().isEmpty()) |
e857372a | 1151 | request->flags.auth = true; |
62e76326 | 1152 | |
a9925b40 | 1153 | if (req_hdr->has(HDR_VIA)) { |
30abd221 | 1154 | String s = req_hdr->getList(HDR_VIA); |
62e76326 | 1155 | /* |
3c4fcf0f | 1156 | * ThisCache cannot be a member of Via header, "1.1 ThisCache" can. |
62e76326 | 1157 | * Note ThisCache2 has a space prepended to the hostname so we don't |
1158 | * accidentally match super-domains. | |
1159 | */ | |
1160 | ||
1161 | if (strListIsSubstr(&s, ThisCache2, ',')) { | |
1162 | debugObj(33, 1, "WARNING: Forwarding loop detected for:\n", | |
1163 | request, (ObjPackMethod) & httpRequestPack); | |
e857372a | 1164 | request->flags.loopDetected = true; |
62e76326 | 1165 | } |
1166 | ||
21f6708d | 1167 | #if USE_FORW_VIA_DB |
bb790702 | 1168 | fvdbCountVia(s.termedBuf()); |
62e76326 | 1169 | |
edce4d98 | 1170 | #endif |
62e76326 | 1171 | |
30abd221 | 1172 | s.clean(); |
edce4d98 | 1173 | } |
62e76326 | 1174 | |
21f6708d | 1175 | #if USE_FORW_VIA_DB |
62e76326 | 1176 | |
a9925b40 | 1177 | if (req_hdr->has(HDR_X_FORWARDED_FOR)) { |
30abd221 | 1178 | String s = req_hdr->getList(HDR_X_FORWARDED_FOR); |
bb790702 | 1179 | fvdbCountForw(s.termedBuf()); |
30abd221 | 1180 | s.clean(); |
edce4d98 | 1181 | } |
62e76326 | 1182 | |
edce4d98 | 1183 | #endif |
62e76326 | 1184 | |
c2a7cefd | 1185 | request->flags.cachable = http->request->maybeCacheable(); |
62e76326 | 1186 | |
edce4d98 | 1187 | if (clientHierarchical(http)) |
e857372a | 1188 | request->flags.hierarchical = true; |
62e76326 | 1189 | |
bf8fe701 | 1190 | debugs(85, 5, "clientInterpretRequestHeaders: REQ_NOCACHE = " << |
450fe1cb | 1191 | (request->flags.noCache ? "SET" : "NOT SET")); |
bf8fe701 | 1192 | debugs(85, 5, "clientInterpretRequestHeaders: REQ_CACHABLE = " << |
45e5102d | 1193 | (request->flags.cachable ? "SET" : "NOT SET")); |
bf8fe701 | 1194 | debugs(85, 5, "clientInterpretRequestHeaders: REQ_HIERARCHICAL = " << |
45e5102d | 1195 | (request->flags.hierarchical ? "SET" : "NOT SET")); |
62e76326 | 1196 | |
edce4d98 | 1197 | } |
1198 | ||
1199 | void | |
24438ec5 | 1200 | clientRedirectDoneWrapper(void *data, const Helper::Reply &result) |
edce4d98 | 1201 | { |
de31d06f | 1202 | ClientRequestContext *calloutContext = (ClientRequestContext *)data; |
db02222f | 1203 | |
de31d06f | 1204 | if (!calloutContext->httpStateIsValid()) |
62e76326 | 1205 | return; |
62e76326 | 1206 | |
de31d06f | 1207 | calloutContext->clientRedirectDone(result); |
1208 | } | |
1209 | ||
a8a0b1c2 | 1210 | void |
24438ec5 | 1211 | clientStoreIdDoneWrapper(void *data, const Helper::Reply &result) |
a8a0b1c2 EC |
1212 | { |
1213 | ClientRequestContext *calloutContext = (ClientRequestContext *)data; | |
1214 | ||
1215 | if (!calloutContext->httpStateIsValid()) | |
1216 | return; | |
1217 | ||
1218 | calloutContext->clientStoreIdDone(result); | |
1219 | } | |
1220 | ||
de31d06f | 1221 | void |
24438ec5 | 1222 | ClientRequestContext::clientRedirectDone(const Helper::Reply &reply) |
de31d06f | 1223 | { |
190154cf | 1224 | HttpRequest *old_request = http->request; |
e166785a | 1225 | debugs(85, 5, HERE << "'" << http->uri << "' result=" << reply); |
de31d06f | 1226 | assert(redirect_state == REDIRECT_PENDING); |
1227 | redirect_state = REDIRECT_DONE; | |
62e76326 | 1228 | |
cf9f0261 | 1229 | // Put helper response Notes into the transaction state record (ALE) eventually |
d06e17ea | 1230 | // do it early to ensure that no matter what the outcome the notes are present. |
457857fe CT |
1231 | if (http->al != NULL) |
1232 | (void)SyncNotes(*http->al, *old_request); | |
1233 | ||
1234 | UpdateRequestNotes(http->getConn(), *old_request, reply.notes); | |
d06e17ea | 1235 | |
63fc9fb5 | 1236 | switch (reply.result) { |
32fd6d8a CT |
1237 | case Helper::TimedOut: |
1238 | if (Config.onUrlRewriteTimeout.action != toutActBypass) { | |
1239 | http->calloutsError(ERR_GATEWAY_FAILURE, ERR_DETAIL_REDIRECTOR_TIMEDOUT); | |
1240 | debugs(85, DBG_IMPORTANT, "ERROR: URL rewrite helper: Timedout"); | |
1241 | } | |
1242 | break; | |
1243 | ||
2428ce02 AJ |
1244 | case Helper::Unknown: |
1245 | case Helper::TT: | |
d06e17ea AJ |
1246 | // Handler in redirect.cc should have already mapped Unknown |
1247 | // IF it contained valid entry for the old URL-rewrite helper protocol | |
1248 | debugs(85, DBG_IMPORTANT, "ERROR: URL rewrite helper returned invalid result code. Wrong helper? " << reply); | |
1249 | break; | |
1250 | ||
2428ce02 | 1251 | case Helper::BrokenHelper: |
32fd6d8a | 1252 | debugs(85, DBG_IMPORTANT, "ERROR: URL rewrite helper: " << reply); |
d06e17ea AJ |
1253 | break; |
1254 | ||
2428ce02 | 1255 | case Helper::Error: |
d06e17ea AJ |
1256 | // no change to be done. |
1257 | break; | |
62e76326 | 1258 | |
2428ce02 | 1259 | case Helper::Okay: { |
d06e17ea AJ |
1260 | // #1: redirect with a specific status code OK status=NNN url="..." |
1261 | // #2: redirect with a default status code OK url="..." | |
1262 | // #3: re-write the URL OK rewrite-url="..." | |
1263 | ||
cf9f0261 CT |
1264 | const char *statusNote = reply.notes.findFirst("status"); |
1265 | const char *urlNote = reply.notes.findFirst("url"); | |
d06e17ea AJ |
1266 | |
1267 | if (urlNote != NULL) { | |
1268 | // HTTP protocol redirect to be done. | |
1269 | ||
1270 | // TODO: change default redirect status for appropriate requests | |
1271 | // Squid defaults to 302 status for now for better compatibility with old clients. | |
f11c8e2f | 1272 | // HTTP/1.0 client should get 302 (Http::scFound) |
955394ce AJ |
1273 | // HTTP/1.1 client contacting reverse-proxy should get 307 (Http::scTemporaryRedirect) |
1274 | // HTTP/1.1 client being diverted by forward-proxy should get 303 (Http::scSeeOther) | |
f11c8e2f | 1275 | Http::StatusCode status = Http::scFound; |
d06e17ea | 1276 | if (statusNote != NULL) { |
cf9f0261 | 1277 | const char * result = statusNote; |
955394ce | 1278 | status = static_cast<Http::StatusCode>(atoi(result)); |
d06e17ea | 1279 | } |
62e76326 | 1280 | |
955394ce | 1281 | if (status == Http::scMovedPermanently |
f11c8e2f | 1282 | || status == Http::scFound |
955394ce AJ |
1283 | || status == Http::scSeeOther |
1284 | || status == Http::scPermanentRedirect | |
1285 | || status == Http::scTemporaryRedirect) { | |
62e76326 | 1286 | http->redirect.status = status; |
cf9f0261 | 1287 | http->redirect.location = xstrdup(urlNote); |
e5b677f0 | 1288 | // TODO: validate the URL produced here is RFC 2616 compliant absolute URI |
62e76326 | 1289 | } else { |
cf9f0261 | 1290 | debugs(85, DBG_CRITICAL, "ERROR: URL-rewrite produces invalid " << status << " redirect Location: " << urlNote); |
62e76326 | 1291 | } |
d06e17ea AJ |
1292 | } else { |
1293 | // URL-rewrite wanted. Ew. | |
cf9f0261 | 1294 | urlNote = reply.notes.findFirst("rewrite-url"); |
d06e17ea AJ |
1295 | |
1296 | // prevent broken helpers causing too much damage. If old URL == new URL skip the re-write. | |
cf9f0261 | 1297 | if (urlNote != NULL && strcmp(urlNote, http->uri)) { |
d06e17ea AJ |
1298 | // XXX: validate the URL properly *without* generating a whole new request object right here. |
1299 | // XXX: the clone() should be done only AFTER we know the new URL is valid. | |
1300 | HttpRequest *new_request = old_request->clone(); | |
cf9f0261 | 1301 | if (urlParse(old_request->method, const_cast<char*>(urlNote), new_request)) { |
851feda6 | 1302 | debugs(61, 2, "URL-rewriter diverts URL from " << old_request->effectiveRequestUri() << " to " << new_request->effectiveRequestUri()); |
d06e17ea AJ |
1303 | |
1304 | // update the new request to flag the re-writing was done on it | |
e857372a | 1305 | new_request->flags.redirected = true; |
d06e17ea AJ |
1306 | |
1307 | // unlink bodypipe from the old request. Not needed there any longer. | |
1308 | if (old_request->body_pipe != NULL) { | |
1309 | old_request->body_pipe = NULL; | |
1310 | debugs(61,2, HERE << "URL-rewriter diverts body_pipe " << new_request->body_pipe << | |
1311 | " from request " << old_request << " to " << new_request); | |
1312 | } | |
9be14530 | 1313 | |
d06e17ea AJ |
1314 | // update the current working ClientHttpRequest fields |
1315 | safe_free(http->uri); | |
851feda6 AJ |
1316 | const SBuf tmp(new_request->effectiveRequestUri()); |
1317 | http->uri = xstrndup(tmp.rawContent(), tmp.length()+1); | |
d06e17ea | 1318 | HTTPMSGUNLOCK(old_request); |
b248c2a3 AJ |
1319 | http->request = new_request; |
1320 | HTTPMSGLOCK(http->request); | |
d06e17ea AJ |
1321 | } else { |
1322 | debugs(85, DBG_CRITICAL, "ERROR: URL-rewrite produces invalid request: " << | |
cf9f0261 | 1323 | old_request->method << " " << urlNote << " " << old_request->http_ver); |
d06e17ea AJ |
1324 | delete new_request; |
1325 | } | |
9be14530 | 1326 | } |
74b48915 | 1327 | } |
edce4d98 | 1328 | } |
d06e17ea AJ |
1329 | break; |
1330 | } | |
62e76326 | 1331 | |
edce4d98 | 1332 | /* FIXME PIPELINE: This is innacurate during pipelining */ |
62e76326 | 1333 | |
73c36fd9 AJ |
1334 | if (http->getConn() != NULL && Comm::IsConnOpen(http->getConn()->clientConnection)) |
1335 | fd_note(http->getConn()->clientConnection->fd, http->uri); | |
62e76326 | 1336 | |
c8be6d7b | 1337 | assert(http->uri); |
62e76326 | 1338 | |
de31d06f | 1339 | http->doCallouts(); |
edce4d98 | 1340 | } |
1341 | ||
a8a0b1c2 EC |
1342 | /** |
1343 | * This method handles the different replies from StoreID helper. | |
1344 | */ | |
1345 | void | |
24438ec5 | 1346 | ClientRequestContext::clientStoreIdDone(const Helper::Reply &reply) |
a8a0b1c2 EC |
1347 | { |
1348 | HttpRequest *old_request = http->request; | |
1349 | debugs(85, 5, "'" << http->uri << "' result=" << reply); | |
1350 | assert(store_id_state == REDIRECT_PENDING); | |
1351 | store_id_state = REDIRECT_DONE; | |
1352 | ||
cf9f0261 | 1353 | // Put helper response Notes into the transaction state record (ALE) eventually |
a8a0b1c2 | 1354 | // do it early to ensure that no matter what the outcome the notes are present. |
457857fe CT |
1355 | if (http->al != NULL) |
1356 | (void)SyncNotes(*http->al, *old_request); | |
1357 | ||
1358 | UpdateRequestNotes(http->getConn(), *old_request, reply.notes); | |
a8a0b1c2 EC |
1359 | |
1360 | switch (reply.result) { | |
2428ce02 AJ |
1361 | case Helper::Unknown: |
1362 | case Helper::TT: | |
a8a0b1c2 EC |
1363 | // Handler in redirect.cc should have already mapped Unknown |
1364 | // IF it contained valid entry for the old helper protocol | |
1365 | debugs(85, DBG_IMPORTANT, "ERROR: storeID helper returned invalid result code. Wrong helper? " << reply); | |
1366 | break; | |
1367 | ||
32fd6d8a | 1368 | case Helper::TimedOut: |
f53969cc | 1369 | // Timeouts for storeID are not implemented |
2428ce02 | 1370 | case Helper::BrokenHelper: |
32fd6d8a | 1371 | debugs(85, DBG_IMPORTANT, "ERROR: storeID helper: " << reply); |
a8a0b1c2 EC |
1372 | break; |
1373 | ||
2428ce02 | 1374 | case Helper::Error: |
a8a0b1c2 EC |
1375 | // no change to be done. |
1376 | break; | |
1377 | ||
2428ce02 | 1378 | case Helper::Okay: { |
cf9f0261 | 1379 | const char *urlNote = reply.notes.findFirst("store-id"); |
a8a0b1c2 EC |
1380 | |
1381 | // prevent broken helpers causing too much damage. If old URL == new URL skip the re-write. | |
cf9f0261 | 1382 | if (urlNote != NULL && strcmp(urlNote, http->uri) ) { |
a8a0b1c2 | 1383 | // Debug section required for some very specific cases. |
cf9f0261 CT |
1384 | debugs(85, 9, "Setting storeID with: " << urlNote ); |
1385 | http->request->store_id = urlNote; | |
1386 | http->store_id = urlNote; | |
a8a0b1c2 EC |
1387 | } |
1388 | } | |
1389 | break; | |
1390 | } | |
1391 | ||
1392 | http->doCallouts(); | |
1393 | } | |
1394 | ||
b50e327b AJ |
1395 | /** Test cache allow/deny configuration |
1396 | * Sets flags.cachable=1 if caching is not denied. | |
1397 | */ | |
edce4d98 | 1398 | void |
8e2745f4 | 1399 | ClientRequestContext::checkNoCache() |
edce4d98 | 1400 | { |
b50e327b AJ |
1401 | if (Config.accessList.noCache) { |
1402 | acl_checklist = clientAclChecklistCreate(Config.accessList.noCache, http); | |
1403 | acl_checklist->nonBlockingCheck(checkNoCacheDoneWrapper, this); | |
1404 | } else { | |
1405 | /* unless otherwise specified, we try to cache. */ | |
2efeb0b7 | 1406 | checkNoCacheDone(ACCESS_ALLOWED); |
b50e327b | 1407 | } |
edce4d98 | 1408 | } |
1409 | ||
de31d06f | 1410 | static void |
2efeb0b7 | 1411 | checkNoCacheDoneWrapper(allow_t answer, void *data) |
edce4d98 | 1412 | { |
de31d06f | 1413 | ClientRequestContext *calloutContext = (ClientRequestContext *) data; |
e4a67a80 | 1414 | |
de31d06f | 1415 | if (!calloutContext->httpStateIsValid()) |
1416 | return; | |
1417 | ||
1418 | calloutContext->checkNoCacheDone(answer); | |
8e2745f4 | 1419 | } |
4fb35c3c | 1420 | |
8e2745f4 | 1421 | void |
2efeb0b7 | 1422 | ClientRequestContext::checkNoCacheDone(const allow_t &answer) |
62e76326 | 1423 | { |
8e2745f4 | 1424 | acl_checklist = NULL; |
45e5102d | 1425 | http->request->flags.cachable = (answer == ACCESS_ALLOWED); |
de31d06f | 1426 | http->doCallouts(); |
edce4d98 | 1427 | } |
1428 | ||
cb4f4424 | 1429 | #if USE_OPENSSL |
e0c0d54c CT |
1430 | bool |
1431 | ClientRequestContext::sslBumpAccessCheck() | |
1432 | { | |
08097970 AR |
1433 | // If SSL connection tunneling or bumping decision has been made, obey it. |
1434 | const Ssl::BumpMode bumpMode = http->getConn()->sslBumpMode; | |
1435 | if (bumpMode != Ssl::bumpEnd) { | |
1436 | debugs(85, 5, HERE << "SslBump already decided (" << bumpMode << | |
1437 | "), " << "ignoring ssl_bump for " << http->getConn()); | |
b4049e38 CT |
1438 | if (!http->getConn()->serverBump()) |
1439 | http->sslBumpNeed(bumpMode); // for processRequest() to bump if needed and not already bumped | |
71cae389 | 1440 | http->al->ssl.bumpMode = bumpMode; // inherited from bumped connection |
08097970 AR |
1441 | return false; |
1442 | } | |
e0c0d54c | 1443 | |
08097970 AR |
1444 | // If we have not decided yet, decide whether to bump now. |
1445 | ||
1446 | // Bumping here can only start with a CONNECT request on a bumping port | |
1447 | // (bumping of intercepted SSL conns is decided before we get 1st request). | |
1448 | // We also do not bump redirected CONNECT requests. | |
c2a7cefd | 1449 | if (http->request->method != Http::METHOD_CONNECT || http->redirect.status || |
6a25a046 FC |
1450 | !Config.accessList.ssl_bump || |
1451 | !http->getConn()->port->flags.tunnelSslBumping) { | |
71cae389 | 1452 | http->al->ssl.bumpMode = Ssl::bumpEnd; // SslBump does not apply; log - |
08097970 | 1453 | debugs(85, 5, HERE << "cannot SslBump this request"); |
e0c0d54c CT |
1454 | return false; |
1455 | } | |
08097970 AR |
1456 | |
1457 | // Do not bump during authentication: clients would not proxy-authenticate | |
1458 | // if we delay a 407 response and respond with 200 OK to CONNECT. | |
955394ce | 1459 | if (error && error->httpStatus == Http::scProxyAuthenticationRequired) { |
71cae389 | 1460 | http->al->ssl.bumpMode = Ssl::bumpEnd; // SslBump does not apply; log - |
08097970 AR |
1461 | debugs(85, 5, HERE << "no SslBump during proxy authentication"); |
1462 | return false; | |
1463 | } | |
1464 | ||
1465 | debugs(85, 5, HERE << "SslBump possible, checking ACL"); | |
1466 | ||
eb898410 AJ |
1467 | ACLFilledChecklist *aclChecklist = clientAclChecklistCreate(Config.accessList.ssl_bump, http); |
1468 | aclChecklist->nonBlockingCheck(sslBumpAccessCheckDoneWrapper, this); | |
08097970 | 1469 | return true; |
e0c0d54c CT |
1470 | } |
1471 | ||
f8901ea9 | 1472 | /** |
e0c0d54c CT |
1473 | * A wrapper function to use the ClientRequestContext::sslBumpAccessCheckDone method |
1474 | * as ACLFilledChecklist callback | |
1475 | */ | |
1476 | static void | |
2efeb0b7 | 1477 | sslBumpAccessCheckDoneWrapper(allow_t answer, void *data) |
e0c0d54c CT |
1478 | { |
1479 | ClientRequestContext *calloutContext = static_cast<ClientRequestContext *>(data); | |
9d5e7196 AJ |
1480 | |
1481 | if (!calloutContext->httpStateIsValid()) | |
1482 | return; | |
ed6163ef | 1483 | calloutContext->sslBumpAccessCheckDone(answer); |
e0c0d54c CT |
1484 | } |
1485 | ||
1486 | void | |
ed6163ef | 1487 | ClientRequestContext::sslBumpAccessCheckDone(const allow_t &answer) |
e0c0d54c | 1488 | { |
ed6163ef AJ |
1489 | if (!httpStateIsValid()) |
1490 | return; | |
1491 | ||
08097970 | 1492 | const Ssl::BumpMode bumpMode = answer == ACCESS_ALLOWED ? |
87f237a9 | 1493 | static_cast<Ssl::BumpMode>(answer.kind) : Ssl::bumpNone; |
08097970 | 1494 | http->sslBumpNeed(bumpMode); // for processRequest() to bump if needed |
71cae389 | 1495 | http->al->ssl.bumpMode = bumpMode; // for logging |
caf3666d | 1496 | |
e0c0d54c CT |
1497 | http->doCallouts(); |
1498 | } | |
1499 | #endif | |
1500 | ||
69660be0 | 1501 | /* |
1502 | * Identify requests that do not go through the store and client side stream | |
1503 | * and forward them to the appropriate location. All other requests, request | |
1504 | * them. | |
edce4d98 | 1505 | */ |
1506 | void | |
8e2745f4 | 1507 | ClientHttpRequest::processRequest() |
edce4d98 | 1508 | { |
7f06a3d8 | 1509 | debugs(85, 4, request->method << ' ' << uri); |
62e76326 | 1510 | |
c2a7cefd | 1511 | if (request->method == Http::METHOD_CONNECT && !redirect.status) { |
cb4f4424 | 1512 | #if USE_OPENSSL |
31281814 AJ |
1513 | if (sslBumpNeeded()) { |
1514 | sslBumpStart(); | |
1515 | return; | |
1516 | } | |
3712be3f | 1517 | #endif |
f84dd7eb | 1518 | getConn()->stopReading(); // tunnels read for themselves |
06521a10 | 1519 | tunnelStart(this, &out.size, &al->http.code, al); |
62e76326 | 1520 | return; |
edce4d98 | 1521 | } |
62e76326 | 1522 | |
8e2745f4 | 1523 | httpStart(); |
1524 | } | |
1525 | ||
1526 | void | |
1527 | ClientHttpRequest::httpStart() | |
1528 | { | |
559da936 | 1529 | PROF_start(httpStart); |
8e2745f4 | 1530 | logType = LOG_TAG_NONE; |
91369933 | 1531 | debugs(85, 4, logType.c_str() << " for '" << uri << "'"); |
bf8fe701 | 1532 | |
edce4d98 | 1533 | /* no one should have touched this */ |
8e2745f4 | 1534 | assert(out.offset == 0); |
edce4d98 | 1535 | /* Use the Stream Luke */ |
8e2745f4 | 1536 | clientStreamNode *node = (clientStreamNode *)client_stream.tail->data; |
1537 | clientStreamRead(node, this, node->readBuffer); | |
559da936 | 1538 | PROF_stop(httpStart); |
edce4d98 | 1539 | } |
0655fa4d | 1540 | |
cb4f4424 | 1541 | #if USE_OPENSSL |
3712be3f | 1542 | |
e0c0d54c | 1543 | void |
08097970 | 1544 | ClientHttpRequest::sslBumpNeed(Ssl::BumpMode mode) |
e0c0d54c | 1545 | { |
caf3666d | 1546 | debugs(83, 3, HERE << "sslBump required: "<< Ssl::bumpMode(mode)); |
08097970 | 1547 | sslBumpNeed_ = mode; |
3712be3f | 1548 | } |
1549 | ||
1550 | // called when comm_write has completed | |
1551 | static void | |
c8407295 | 1552 | SslBumpEstablish(const Comm::ConnectionPointer &, char *, size_t, Comm::Flag errflag, int, void *data) |
3712be3f | 1553 | { |
1554 | ClientHttpRequest *r = static_cast<ClientHttpRequest*>(data); | |
1555 | debugs(85, 5, HERE << "responded to CONNECT: " << r << " ? " << errflag); | |
1556 | ||
1557 | assert(r && cbdataReferenceValid(r)); | |
1558 | r->sslBumpEstablish(errflag); | |
1559 | } | |
1560 | ||
1561 | void | |
c8407295 | 1562 | ClientHttpRequest::sslBumpEstablish(Comm::Flag errflag) |
3712be3f | 1563 | { |
c8407295 AJ |
1564 | // Bail out quickly on Comm::ERR_CLOSING - close handlers will tidy up |
1565 | if (errflag == Comm::ERR_CLOSING) | |
3712be3f | 1566 | return; |
1567 | ||
1568 | if (errflag) { | |
1fa35be8 | 1569 | debugs(85, 3, HERE << "CONNECT response failure in SslBump: " << errflag); |
bbc83914 | 1570 | getConn()->clientConnection->close(); |
3712be3f | 1571 | return; |
1572 | } | |
1573 | ||
40d8be97 AR |
1574 | // We lack HttpReply which logRequest() uses to log the status code. |
1575 | // TODO: Use HttpReply instead of the "200 Connection established" string. | |
71cae389 | 1576 | al->http.code = 200; |
40d8be97 | 1577 | |
21512911 CT |
1578 | #if USE_AUTH |
1579 | // Preserve authentication info for the ssl-bumped request | |
1580 | if (request->auth_user_request != NULL) | |
cc1e110a | 1581 | getConn()->setAuth(request->auth_user_request, "SSL-bumped CONNECT"); |
21512911 | 1582 | #endif |
03f00a11 | 1583 | |
08097970 AR |
1584 | assert(sslBumpNeeded()); |
1585 | getConn()->switchToHttps(request, sslBumpNeed_); | |
3712be3f | 1586 | } |
1587 | ||
1588 | void | |
1589 | ClientHttpRequest::sslBumpStart() | |
1590 | { | |
08097970 AR |
1591 | debugs(85, 5, HERE << "Confirming " << Ssl::bumpMode(sslBumpNeed_) << |
1592 | "-bumped CONNECT tunnel on FD " << getConn()->clientConnection); | |
1593 | getConn()->sslBumpMode = sslBumpNeed_; | |
3712be3f | 1594 | |
9e104535 | 1595 | AsyncCall::Pointer bumpCall = commCbCall(85, 5, "ClientSocketContext::sslBumpEstablish", |
f53969cc | 1596 | CommIoCbPtrFun(&SslBumpEstablish, this)); |
9e104535 CT |
1597 | |
1598 | if (request->flags.interceptTproxy || request->flags.intercepted) { | |
1599 | CommIoCbParams ¶ms = GetCommParams<CommIoCbParams>(bumpCall); | |
1600 | params.flag = Comm::OK; | |
1601 | params.conn = getConn()->clientConnection; | |
1602 | ScheduleCallHere(bumpCall); | |
1603 | return; | |
1604 | } | |
1605 | ||
08097970 | 1606 | // send an HTTP 200 response to kick client SSL negotiation |
3712be3f | 1607 | // TODO: Unify with tunnel.cc and add a Server(?) header |
b0388924 | 1608 | static const char *const conn_established = "HTTP/1.1 200 Connection established\r\n\r\n"; |
9e104535 | 1609 | Comm::Write(getConn()->clientConnection, conn_established, strlen(conn_established), bumpCall, NULL); |
3712be3f | 1610 | } |
1611 | ||
1612 | #endif | |
1613 | ||
0655fa4d | 1614 | bool |
1615 | ClientHttpRequest::gotEnough() const | |
1616 | { | |
86a2f789 | 1617 | /** TODO: should be querying the stream. */ |
7173d5b0 | 1618 | int64_t contentLength = |
06a5ae20 | 1619 | memObject()->getReply()->bodySize(request->method); |
0655fa4d | 1620 | assert(contentLength >= 0); |
1621 | ||
1622 | if (out.offset < contentLength) | |
1623 | return false; | |
1624 | ||
1625 | return true; | |
1626 | } | |
1627 | ||
86a2f789 | 1628 | void |
1629 | ClientHttpRequest::storeEntry(StoreEntry *newEntry) | |
1630 | { | |
1631 | entry_ = newEntry; | |
1632 | } | |
1633 | ||
0976f8db | 1634 | void |
1635 | ClientHttpRequest::loggingEntry(StoreEntry *newEntry) | |
1636 | { | |
1637 | if (loggingEntry_) | |
1bfe9ade | 1638 | loggingEntry_->unlock("ClientHttpRequest::loggingEntry"); |
0976f8db | 1639 | |
1640 | loggingEntry_ = newEntry; | |
1641 | ||
1642 | if (loggingEntry_) | |
1bfe9ade | 1643 | loggingEntry_->lock("ClientHttpRequest::loggingEntry"); |
0976f8db | 1644 | } |
86a2f789 | 1645 | |
de31d06f | 1646 | /* |
1647 | * doCallouts() - This function controls the order of "callout" | |
1648 | * executions, including non-blocking access control checks, the | |
1649 | * redirector, and ICAP. Previously, these callouts were chained | |
1650 | * together such that "clientAccessCheckDone()" would call | |
1651 | * "clientRedirectStart()" and so on. | |
1652 | * | |
1653 | * The ClientRequestContext (aka calloutContext) class holds certain | |
1654 | * state data for the callout/callback operations. Previously | |
1655 | * ClientHttpRequest would sort of hand off control to ClientRequestContext | |
1656 | * for a short time. ClientRequestContext would then delete itself | |
1657 | * and pass control back to ClientHttpRequest when all callouts | |
1658 | * were finished. | |
1659 | * | |
1660 | * This caused some problems for ICAP because we want to make the | |
1661 | * ICAP callout after checking ACLs, but before checking the no_cache | |
1662 | * list. We can't stuff the ICAP state into the ClientRequestContext | |
1663 | * class because we still need the ICAP state after ClientRequestContext | |
1664 | * goes away. | |
1665 | * | |
1666 | * Note that ClientRequestContext is created before the first call | |
1667 | * to doCallouts(). | |
1668 | * | |
1669 | * If one of the callouts notices that ClientHttpRequest is no | |
1670 | * longer valid, it should call cbdataReferenceDone() so that | |
1671 | * ClientHttpRequest's reference count goes to zero and it will get | |
1672 | * deleted. ClientHttpRequest will then delete ClientRequestContext. | |
1673 | * | |
1674 | * Note that we set the _done flags here before actually starting | |
1675 | * the callout. This is strictly for convenience. | |
1676 | */ | |
1677 | ||
82afb125 FC |
1678 | tos_t aclMapTOS (acl_tos * head, ACLChecklist * ch); |
1679 | nfmark_t aclMapNfmark (acl_nfmark * head, ACLChecklist * ch); | |
057f5854 | 1680 | |
de31d06f | 1681 | void |
1682 | ClientHttpRequest::doCallouts() | |
1683 | { | |
1684 | assert(calloutContext); | |
1685 | ||
6fca33e0 | 1686 | /*Save the original request for logging purposes*/ |
b248c2a3 AJ |
1687 | if (!calloutContext->http->al->request) { |
1688 | calloutContext->http->al->request = request; | |
1689 | HTTPMSGLOCK(calloutContext->http->al->request); | |
457857fe CT |
1690 | |
1691 | NotePairs ¬es = SyncNotes(*calloutContext->http->al, *calloutContext->http->request); | |
1692 | // Make the previously set client connection ID available as annotation. | |
1693 | if (ConnStateData *csd = calloutContext->http->getConn()) { | |
1694 | if (!csd->connectionTag().isEmpty()) | |
1695 | notes.add("clt_conn_tag", SBuf(csd->connectionTag()).c_str()); | |
1696 | } | |
b248c2a3 | 1697 | } |
6fca33e0 | 1698 | |
38450a50 | 1699 | if (!calloutContext->error) { |
87f237a9 | 1700 | // CVE-2009-0801: verify the Host: header is consistent with other known details. |
38450a50 CT |
1701 | if (!calloutContext->host_header_verify_done) { |
1702 | debugs(83, 3, HERE << "Doing calloutContext->hostHeaderVerify()"); | |
1703 | calloutContext->host_header_verify_done = true; | |
1704 | calloutContext->hostHeaderVerify(); | |
1705 | return; | |
1706 | } | |
fe97983f | 1707 | |
38450a50 CT |
1708 | if (!calloutContext->http_access_done) { |
1709 | debugs(83, 3, HERE << "Doing calloutContext->clientAccessCheck()"); | |
1710 | calloutContext->http_access_done = true; | |
1711 | calloutContext->clientAccessCheck(); | |
1712 | return; | |
1713 | } | |
de31d06f | 1714 | |
a83c6ed6 | 1715 | #if USE_ADAPTATION |
38450a50 CT |
1716 | if (!calloutContext->adaptation_acl_check_done) { |
1717 | calloutContext->adaptation_acl_check_done = true; | |
1718 | if (Adaptation::AccessCheck::Start( | |
87f237a9 | 1719 | Adaptation::methodReqmod, Adaptation::pointPreCache, |
af0ded40 | 1720 | request, NULL, calloutContext->http->al, this)) |
38450a50 CT |
1721 | return; // will call callback |
1722 | } | |
de31d06f | 1723 | #endif |
1724 | ||
38450a50 CT |
1725 | if (!calloutContext->redirect_done) { |
1726 | calloutContext->redirect_done = true; | |
1727 | assert(calloutContext->redirect_state == REDIRECT_NONE); | |
de31d06f | 1728 | |
38450a50 CT |
1729 | if (Config.Program.redirect) { |
1730 | debugs(83, 3, HERE << "Doing calloutContext->clientRedirectStart()"); | |
1731 | calloutContext->redirect_state = REDIRECT_PENDING; | |
1732 | calloutContext->clientRedirectStart(); | |
1733 | return; | |
1734 | } | |
de31d06f | 1735 | } |
de31d06f | 1736 | |
38450a50 CT |
1737 | if (!calloutContext->adapted_http_access_done) { |
1738 | debugs(83, 3, HERE << "Doing calloutContext->clientAccessCheck2()"); | |
1739 | calloutContext->adapted_http_access_done = true; | |
1740 | calloutContext->clientAccessCheck2(); | |
1741 | return; | |
1742 | } | |
533493da | 1743 | |
a8a0b1c2 EC |
1744 | if (!calloutContext->store_id_done) { |
1745 | calloutContext->store_id_done = true; | |
1746 | assert(calloutContext->store_id_state == REDIRECT_NONE); | |
1747 | ||
1748 | if (Config.Program.store_id) { | |
1749 | debugs(83, 3,"Doing calloutContext->clientStoreIdStart()"); | |
1750 | calloutContext->store_id_state = REDIRECT_PENDING; | |
1751 | calloutContext->clientStoreIdStart(); | |
1752 | return; | |
1753 | } | |
1754 | } | |
1755 | ||
38450a50 CT |
1756 | if (!calloutContext->interpreted_req_hdrs) { |
1757 | debugs(83, 3, HERE << "Doing clientInterpretRequestHeaders()"); | |
1758 | calloutContext->interpreted_req_hdrs = 1; | |
1759 | clientInterpretRequestHeaders(this); | |
1760 | } | |
57abaac0 | 1761 | |
38450a50 CT |
1762 | if (!calloutContext->no_cache_done) { |
1763 | calloutContext->no_cache_done = true; | |
de31d06f | 1764 | |
45e5102d | 1765 | if (Config.accessList.noCache && request->flags.cachable) { |
38450a50 CT |
1766 | debugs(83, 3, HERE << "Doing calloutContext->checkNoCache()"); |
1767 | calloutContext->checkNoCache(); | |
1768 | return; | |
1769 | } | |
de31d06f | 1770 | } |
38450a50 | 1771 | } // if !calloutContext->error |
de31d06f | 1772 | |
425de4c8 AJ |
1773 | if (!calloutContext->tosToClientDone) { |
1774 | calloutContext->tosToClientDone = true; | |
73c36fd9 | 1775 | if (getConn() != NULL && Comm::IsConnOpen(getConn()->clientConnection)) { |
c0941a6a | 1776 | ACLFilledChecklist ch(NULL, request, NULL); |
057f5854 | 1777 | ch.src_addr = request->client_addr; |
1778 | ch.my_addr = request->my_addr; | |
425de4c8 | 1779 | tos_t tos = aclMapTOS(Ip::Qos::TheConfig.tosToClient, &ch); |
3712be3f | 1780 | if (tos) |
73c36fd9 | 1781 | Ip::Qos::setSockTos(getConn()->clientConnection, tos); |
425de4c8 AJ |
1782 | } |
1783 | } | |
1784 | ||
1785 | if (!calloutContext->nfmarkToClientDone) { | |
1786 | calloutContext->nfmarkToClientDone = true; | |
73c36fd9 | 1787 | if (getConn() != NULL && Comm::IsConnOpen(getConn()->clientConnection)) { |
425de4c8 AJ |
1788 | ACLFilledChecklist ch(NULL, request, NULL); |
1789 | ch.src_addr = request->client_addr; | |
1790 | ch.my_addr = request->my_addr; | |
1791 | nfmark_t mark = aclMapNfmark(Ip::Qos::TheConfig.nfmarkToClient, &ch); | |
1792 | if (mark) | |
73c36fd9 | 1793 | Ip::Qos::setSockNfmark(getConn()->clientConnection, mark); |
3712be3f | 1794 | } |
057f5854 | 1795 | } |
1796 | ||
cb4f4424 | 1797 | #if USE_OPENSSL |
7a957a93 AR |
1798 | // We need to check for SslBump even if the calloutContext->error is set |
1799 | // because bumping may require delaying the error until after CONNECT. | |
e0c0d54c CT |
1800 | if (!calloutContext->sslBumpCheckDone) { |
1801 | calloutContext->sslBumpCheckDone = true; | |
1802 | if (calloutContext->sslBumpAccessCheck()) | |
1803 | return; | |
1804 | /* else no ssl bump required*/ | |
1805 | } | |
d2565320 | 1806 | #endif |
e0c0d54c | 1807 | |
2bd84e5f | 1808 | if (calloutContext->error) { |
851feda6 AJ |
1809 | // XXX: prformance regression. c_str() reallocates |
1810 | SBuf storeUri(request->storeId()); | |
1811 | StoreEntry *e = storeCreateEntry(storeUri.c_str(), storeUri.c_str(), request->flags, request->method); | |
cb4f4424 | 1812 | #if USE_OPENSSL |
08097970 | 1813 | if (sslBumpNeeded()) { |
9e104535 CT |
1814 | // We have to serve an error, so bump the client first. |
1815 | sslBumpNeed(Ssl::bumpClientFirst); | |
2bd84e5f CT |
1816 | // set final error but delay sending until we bump |
1817 | Ssl::ServerBump *srvBump = new Ssl::ServerBump(request, e); | |
1818 | errorAppendEntry(e, calloutContext->error); | |
1819 | calloutContext->error = NULL; | |
1820 | getConn()->setServerBump(srvBump); | |
1bfe9ade | 1821 | e->unlock("ClientHttpRequest::doCallouts+sslBumpNeeded"); |
87f237a9 | 1822 | } else |
2bd84e5f CT |
1823 | #endif |
1824 | { | |
7a957a93 | 1825 | // send the error to the client now |
2bd84e5f CT |
1826 | clientStreamNode *node = (clientStreamNode *)client_stream.tail->prev->data; |
1827 | clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw()); | |
1828 | assert (repContext); | |
f0baf149 | 1829 | repContext->setReplyToStoreEntry(e, "immediate SslBump error"); |
2bd84e5f CT |
1830 | errorAppendEntry(e, calloutContext->error); |
1831 | calloutContext->error = NULL; | |
1832 | if (calloutContext->readNextRequest) | |
1833 | getConn()->flags.readMore = true; // resume any pipeline reads. | |
1834 | node = (clientStreamNode *)client_stream.tail->data; | |
1835 | clientStreamRead(node, this, node->readBuffer); | |
1bfe9ade | 1836 | e->unlock("ClientHttpRequest::doCallouts-sslBumpNeeded"); |
2bd84e5f CT |
1837 | return; |
1838 | } | |
1839 | } | |
1840 | ||
de31d06f | 1841 | cbdataReferenceDone(calloutContext->http); |
1842 | delete calloutContext; | |
1843 | calloutContext = NULL; | |
de31d06f | 1844 | #if HEADERS_LOG |
1845 | ||
1846 | headersLog(0, 1, request->method, request); | |
1847 | #endif | |
1848 | ||
58d7150d | 1849 | debugs(83, 3, HERE << "calling processRequest()"); |
de31d06f | 1850 | processRequest(); |
3ff65596 AR |
1851 | |
1852 | #if ICAP_CLIENT | |
1853 | Adaptation::Icap::History::Pointer ih = request->icapHistory(); | |
1854 | if (ih != NULL) | |
1855 | ih->logType = logType; | |
1856 | #endif | |
de31d06f | 1857 | } |
1858 | ||
32d002cb | 1859 | #if !_USE_INLINE_ |
86a2f789 | 1860 | #include "client_side_request.cci" |
1861 | #endif | |
de31d06f | 1862 | |
a83c6ed6 | 1863 | #if USE_ADAPTATION |
a22e6cd3 AR |
1864 | /// Initiate an asynchronous adaptation transaction which will call us back. |
1865 | void | |
1866 | ClientHttpRequest::startAdaptation(const Adaptation::ServiceGroupPointer &g) | |
3b299123 | 1867 | { |
a22e6cd3 | 1868 | debugs(85, 3, HERE << "adaptation needed for " << this); |
a83c6ed6 AR |
1869 | assert(!virginHeadSource); |
1870 | assert(!adaptedBodySource); | |
a22e6cd3 | 1871 | virginHeadSource = initiateAdaptation( |
af0ded40 | 1872 | new Adaptation::Iterator(request, NULL, al, g)); |
a83c6ed6 | 1873 | |
e1381638 | 1874 | // we could try to guess whether we can bypass this adaptation |
a22e6cd3 | 1875 | // initiation failure, but it should not really happen |
4299f876 | 1876 | Must(initiated(virginHeadSource)); |
de31d06f | 1877 | } |
1878 | ||
1879 | void | |
3af10ac0 | 1880 | ClientHttpRequest::noteAdaptationAnswer(const Adaptation::Answer &answer) |
de31d06f | 1881 | { |
f53969cc | 1882 | assert(cbdataReferenceValid(this)); // indicates bug |
3af10ac0 AR |
1883 | clearAdaptation(virginHeadSource); |
1884 | assert(!adaptedBodySource); | |
1885 | ||
1886 | switch (answer.kind) { | |
1887 | case Adaptation::Answer::akForward: | |
b248c2a3 | 1888 | handleAdaptedHeader(const_cast<HttpMsg*>(answer.message.getRaw())); |
3af10ac0 AR |
1889 | break; |
1890 | ||
1891 | case Adaptation::Answer::akBlock: | |
1892 | handleAdaptationBlock(answer); | |
1893 | break; | |
1894 | ||
1895 | case Adaptation::Answer::akError: | |
1896 | handleAdaptationFailure(ERR_DETAIL_CLT_REQMOD_ABORT, !answer.final); | |
1897 | break; | |
1898 | } | |
1899 | } | |
1900 | ||
1901 | void | |
ec4d1a1d | 1902 | ClientHttpRequest::handleAdaptedHeader(HttpMsg *msg) |
3af10ac0 | 1903 | { |
5f8252d2 | 1904 | assert(msg); |
1905 | ||
b044675d | 1906 | if (HttpRequest *new_req = dynamic_cast<HttpRequest*>(msg)) { |
200ac359 | 1907 | /* |
5f8252d2 | 1908 | * Replace the old request with the new request. |
200ac359 | 1909 | */ |
6dd9f4bd | 1910 | HTTPMSGUNLOCK(request); |
b248c2a3 AJ |
1911 | request = new_req; |
1912 | HTTPMSGLOCK(request); | |
11f62bfb AJ |
1913 | |
1914 | // update the new message to flag whether URL re-writing was done on it | |
851feda6 | 1915 | if (request->effectiveRequestUri().cmp(uri) != 0) |
11f62bfb AJ |
1916 | request->flags.redirected = 1; |
1917 | ||
200ac359 | 1918 | /* |
1919 | * Store the new URI for logging | |
1920 | */ | |
1921 | xfree(uri); | |
851feda6 AJ |
1922 | const SBuf tmp(request->effectiveRequestUri()); |
1923 | uri = xstrndup(tmp.rawContent(), tmp.length()); | |
200ac359 | 1924 | setLogUri(this, urlCanonicalClean(request)); |
914b89a2 | 1925 | assert(request->method.id()); |
b044675d | 1926 | } else if (HttpReply *new_rep = dynamic_cast<HttpReply*>(msg)) { |
1927 | debugs(85,3,HERE << "REQMOD reply is HTTP reply"); | |
1928 | ||
5f8252d2 | 1929 | // subscribe to receive reply body |
1930 | if (new_rep->body_pipe != NULL) { | |
a83c6ed6 | 1931 | adaptedBodySource = new_rep->body_pipe; |
d222a56c HN |
1932 | int consumer_ok = adaptedBodySource->setConsumerIfNotLate(this); |
1933 | assert(consumer_ok); | |
5f8252d2 | 1934 | } |
1935 | ||
b044675d | 1936 | clientStreamNode *node = (clientStreamNode *)client_stream.tail->prev->data; |
1937 | clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw()); | |
ea25a575 | 1938 | assert(repContext); |
b044675d | 1939 | repContext->createStoreEntry(request->method, request->flags); |
1940 | ||
1941 | EBIT_CLR(storeEntry()->flags, ENTRY_FWD_HDR_WAIT); | |
1942 | request_satisfaction_mode = true; | |
1943 | request_satisfaction_offset = 0; | |
1944 | storeEntry()->replaceHttpReply(new_rep); | |
97ae5196 | 1945 | storeEntry()->timestampsSet(); |
cb4c4288 | 1946 | |
a83c6ed6 | 1947 | if (!adaptedBodySource) // no body |
cb4c4288 | 1948 | storeEntry()->complete(); |
b044675d | 1949 | clientGetMoreData(node, this); |
200ac359 | 1950 | } |
de31d06f | 1951 | |
5f8252d2 | 1952 | // we are done with getting headers (but may be receiving body) |
a83c6ed6 | 1953 | clearAdaptation(virginHeadSource); |
5f8252d2 | 1954 | |
b044675d | 1955 | if (!request_satisfaction_mode) |
1956 | doCallouts(); | |
de31d06f | 1957 | } |
1958 | ||
1959 | void | |
3af10ac0 | 1960 | ClientHttpRequest::handleAdaptationBlock(const Adaptation::Answer &answer) |
de31d06f | 1961 | { |
3af10ac0 AR |
1962 | request->detailError(ERR_ACCESS_DENIED, ERR_DETAIL_REQMOD_BLOCK); |
1963 | AclMatchedName = answer.ruleId.termedBuf(); | |
1964 | assert(calloutContext); | |
1965 | calloutContext->clientAccessCheckDone(ACCESS_DENIED); | |
1966 | AclMatchedName = NULL; | |
de31d06f | 1967 | } |
1968 | ||
0ad2b63b CT |
1969 | void |
1970 | ClientHttpRequest::resumeBodyStorage() | |
1971 | { | |
e83cdc25 | 1972 | if (!adaptedBodySource) |
0ad2b63b CT |
1973 | return; |
1974 | ||
1975 | noteMoreBodyDataAvailable(adaptedBodySource); | |
1976 | } | |
1977 | ||
de31d06f | 1978 | void |
1cf238db | 1979 | ClientHttpRequest::noteMoreBodyDataAvailable(BodyPipe::Pointer) |
de31d06f | 1980 | { |
5f8252d2 | 1981 | assert(request_satisfaction_mode); |
a83c6ed6 | 1982 | assert(adaptedBodySource != NULL); |
5f8252d2 | 1983 | |
0ad2b63b | 1984 | if (size_t contentSize = adaptedBodySource->buf().contentSize()) { |
4dc2b072 | 1985 | const size_t spaceAvailable = storeEntry()->bytesWanted(Range<size_t>(0,contentSize)); |
0ad2b63b CT |
1986 | |
1987 | if (spaceAvailable < contentSize ) { | |
1988 | // No or partial body data consuming | |
1989 | typedef NullaryMemFunT<ClientHttpRequest> Dialer; | |
1990 | AsyncCall::Pointer call = asyncCall(93, 5, "ClientHttpRequest::resumeBodyStorage", | |
1991 | Dialer(this, &ClientHttpRequest::resumeBodyStorage)); | |
1992 | storeEntry()->deferProducer(call); | |
1993 | } | |
1994 | ||
4dc2b072 | 1995 | if (!spaceAvailable) |
0ad2b63b CT |
1996 | return; |
1997 | ||
1998 | if (spaceAvailable < contentSize ) | |
1999 | contentSize = spaceAvailable; | |
2000 | ||
a83c6ed6 | 2001 | BodyPipeCheckout bpc(*adaptedBodySource); |
0ad2b63b | 2002 | const StoreIOBuffer ioBuf(&bpc.buf, request_satisfaction_offset, contentSize); |
5f8252d2 | 2003 | storeEntry()->write(ioBuf); |
0ad2b63b CT |
2004 | // assume StoreEntry::write() writes the entire ioBuf |
2005 | request_satisfaction_offset += ioBuf.length; | |
4ce0e99b | 2006 | bpc.buf.consume(contentSize); |
5f8252d2 | 2007 | bpc.checkIn(); |
2008 | } | |
2009 | ||
a83c6ed6 | 2010 | if (adaptedBodySource->exhausted()) |
5f8252d2 | 2011 | endRequestSatisfaction(); |
2012 | // else wait for more body data | |
de31d06f | 2013 | } |
2014 | ||
2015 | void | |
1cf238db | 2016 | ClientHttpRequest::noteBodyProductionEnded(BodyPipe::Pointer) |
de31d06f | 2017 | { |
a83c6ed6 | 2018 | assert(!virginHeadSource); |
0ad2b63b CT |
2019 | // should we end request satisfaction now? |
2020 | if (adaptedBodySource != NULL && adaptedBodySource->exhausted()) | |
5f8252d2 | 2021 | endRequestSatisfaction(); |
5f8252d2 | 2022 | } |
3b299123 | 2023 | |
5f8252d2 | 2024 | void |
26ac0430 AJ |
2025 | ClientHttpRequest::endRequestSatisfaction() |
2026 | { | |
5f8252d2 | 2027 | debugs(85,4, HERE << this << " ends request satisfaction"); |
2028 | assert(request_satisfaction_mode); | |
a83c6ed6 | 2029 | stopConsumingFrom(adaptedBodySource); |
3b299123 | 2030 | |
5f8252d2 | 2031 | // TODO: anything else needed to end store entry formation correctly? |
2032 | storeEntry()->complete(); | |
2033 | } | |
de31d06f | 2034 | |
5f8252d2 | 2035 | void |
1cf238db | 2036 | ClientHttpRequest::noteBodyProducerAborted(BodyPipe::Pointer) |
5f8252d2 | 2037 | { |
a83c6ed6 AR |
2038 | assert(!virginHeadSource); |
2039 | stopConsumingFrom(adaptedBodySource); | |
eae3a9a6 AR |
2040 | |
2041 | debugs(85,3, HERE << "REQMOD body production failed"); | |
2042 | if (request_satisfaction_mode) { // too late to recover or serve an error | |
2043 | request->detailError(ERR_ICAP_FAILURE, ERR_DETAIL_CLT_REQMOD_RESP_BODY); | |
73c36fd9 | 2044 | const Comm::ConnectionPointer c = getConn()->clientConnection; |
e7cea0ed AJ |
2045 | Must(Comm::IsConnOpen(c)); |
2046 | c->close(); // drastic, but we may be writing a response already | |
eae3a9a6 AR |
2047 | } else { |
2048 | handleAdaptationFailure(ERR_DETAIL_CLT_REQMOD_REQ_BODY); | |
2049 | } | |
5f8252d2 | 2050 | } |
3b299123 | 2051 | |
5f8252d2 | 2052 | void |
64b66b76 | 2053 | ClientHttpRequest::handleAdaptationFailure(int errDetail, bool bypassable) |
5f8252d2 | 2054 | { |
a83c6ed6 | 2055 | debugs(85,3, HERE << "handleAdaptationFailure(" << bypassable << ")"); |
3b299123 | 2056 | |
5f8252d2 | 2057 | const bool usedStore = storeEntry() && !storeEntry()->isEmpty(); |
2058 | const bool usedPipe = request->body_pipe != NULL && | |
26ac0430 | 2059 | request->body_pipe->consumedSize() > 0; |
3b299123 | 2060 | |
9d4d7c5e | 2061 | if (bypassable && !usedStore && !usedPipe) { |
2062 | debugs(85,3, HERE << "ICAP REQMOD callout failed, bypassing: " << calloutContext); | |
5f8252d2 | 2063 | if (calloutContext) |
2064 | doCallouts(); | |
2065 | return; | |
2066 | } | |
3b299123 | 2067 | |
5f8252d2 | 2068 | debugs(85,3, HERE << "ICAP REQMOD callout failed, responding with error"); |
3b299123 | 2069 | |
5f8252d2 | 2070 | clientStreamNode *node = (clientStreamNode *)client_stream.tail->prev->data; |
2071 | clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw()); | |
2072 | assert(repContext); | |
de31d06f | 2073 | |
32fd6d8a CT |
2074 | calloutsError(ERR_ICAP_FAILURE, errDetail); |
2075 | ||
2076 | if (calloutContext) | |
2077 | doCallouts(); | |
2078 | } | |
2079 | ||
5f1d7e48 CT |
2080 | #endif |
2081 | ||
32fd6d8a CT |
2082 | // XXX: modify and use with ClientRequestContext::clientAccessCheckDone too. |
2083 | void | |
2084 | ClientHttpRequest::calloutsError(const err_type error, const int errDetail) | |
2085 | { | |
26ac0430 | 2086 | // The original author of the code also wanted to pass an errno to |
5f8252d2 | 2087 | // setReplyToError, but it seems unlikely that the errno reflects the |
2088 | // true cause of the error at this point, so I did not pass it. | |
2bd84e5f CT |
2089 | if (calloutContext) { |
2090 | Ip::Address noAddr; | |
4dd643d5 | 2091 | noAddr.setNoAddr(); |
2bd84e5f | 2092 | ConnStateData * c = getConn(); |
32fd6d8a | 2093 | calloutContext->error = clientBuildError(error, Http::scInternalServerError, |
87f237a9 A |
2094 | NULL, |
2095 | c != NULL ? c->clientConnection->remote : noAddr, | |
2096 | request | |
2097 | ); | |
79fc6915 | 2098 | #if USE_AUTH |
87f237a9 | 2099 | calloutContext->error->auth_user_request = |
cc1e110a | 2100 | c != NULL && c->getAuth() != NULL ? c->getAuth() : request->auth_user_request; |
79fc6915 | 2101 | #endif |
129fe2a1 | 2102 | calloutContext->error->detailError(errDetail); |
2bd84e5f | 2103 | calloutContext->readNextRequest = true; |
7830d88a FC |
2104 | if (c != NULL) |
2105 | c->expectNoForwarding(); | |
2bd84e5f CT |
2106 | } |
2107 | //else if(calloutContext == NULL) is it possible? | |
de31d06f | 2108 | } |
2109 |