]>
Commit | Line | Data |
---|---|---|
edce4d98 | 1 | |
2 | /* | |
262a0e14 | 3 | * $Id$ |
26ac0430 | 4 | * |
ae45c4de | 5 | * DEBUG: section 85 Client-side Request Routines |
6 | * AUTHOR: Robert Collins (Originally Duane Wessels in client_side.c) | |
26ac0430 | 7 | * |
edce4d98 | 8 | * SQUID Web Proxy Cache http://www.squid-cache.org/ |
9 | * ---------------------------------------------------------- | |
0a9297f6 | 10 | * |
11 | * Squid is the result of efforts by numerous individuals from | |
12 | * the Internet community; see the CONTRIBUTORS file for full | |
13 | * details. Many organizations have provided support for Squid's | |
14 | * development; see the SPONSORS file for full details. Squid is | |
15 | * Copyrighted (C) 2001 by the Regents of the University of | |
16 | * California; see the COPYRIGHT file for full details. Squid | |
17 | * incorporates software developed and/or copyrighted by other | |
18 | * sources; see the CREDITS file for full details. | |
19 | * | |
20 | * This program is free software; you can redistribute it and/or modify | |
21 | * it under the terms of the GNU General Public License as published by | |
22 | * the Free Software Foundation; either version 2 of the License, or | |
23 | * (at your option) any later version. | |
24 | * | |
25 | * This program is distributed in the hope that it will be useful, | |
26 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
27 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
28 | * GNU General Public License for more details. | |
29 | * | |
30 | * You should have received a copy of the GNU General Public License | |
31 | * along with this program; if not, write to the Free Software | |
32 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. | |
33 | * | |
edce4d98 | 34 | */ |
35 | ||
36 | ||
69660be0 | 37 | /* |
38 | * General logic of request processing: | |
26ac0430 | 39 | * |
69660be0 | 40 | * We run a series of tests to determine if access will be permitted, and to do |
41 | * any redirection. Then we call into the result clientStream to retrieve data. | |
42 | * From that point on it's up to reply management. | |
edce4d98 | 43 | */ |
44 | ||
45 | #include "squid.h" | |
c0941a6a AR |
46 | #include "acl/FilledChecklist.h" |
47 | #include "acl/Gadgets.h" | |
a83c6ed6 | 48 | #if USE_ADAPTATION |
62c7f90e | 49 | #include "adaptation/AccessCheck.h" |
1adcebc3 | 50 | #include "adaptation/Answer.h" |
a22e6cd3 | 51 | #include "adaptation/Iterator.h" |
abd4b611 | 52 | #include "adaptation/Service.h" |
3ff65596 AR |
53 | #if ICAP_CLIENT |
54 | #include "adaptation/icap/History.h" | |
55 | #endif | |
de31d06f | 56 | #endif |
2f1431ea | 57 | #if USE_AUTH |
27bc2077 | 58 | #include "auth/UserRequest.h" |
2f1431ea | 59 | #endif |
27bc2077 AJ |
60 | #include "clientStream.h" |
61 | #include "client_side.h" | |
62 | #include "client_side_reply.h" | |
63 | #include "client_side_request.h" | |
64 | #include "ClientRequestContext.h" | |
5c336a3b | 65 | #include "comm/Connection.h" |
ec41b64c | 66 | #include "comm/Write.h" |
27bc2077 AJ |
67 | #include "compat/inet_pton.h" |
68 | #include "fde.h" | |
38e16f92 | 69 | #include "format/Tokens.h" |
27bc2077 AJ |
70 | #include "HttpReply.h" |
71 | #include "HttpRequest.h" | |
425de4c8 | 72 | #include "ip/QosConfig.h" |
27bc2077 AJ |
73 | #include "MemObject.h" |
74 | #include "ProtoPort.h" | |
75 | #include "Store.h" | |
76 | #include "SquidTime.h" | |
77 | #include "wordlist.h" | |
64b66b76 | 78 | #include "err_detail_type.h" |
4db984be CT |
79 | #if USE_SSL |
80 | #include "ssl/support.h" | |
81 | #endif | |
3ff65596 AR |
82 | |
83 | ||
edce4d98 | 84 | #if LINGERING_CLOSE |
85 | #define comm_close comm_lingering_close | |
86 | #endif | |
87 | ||
88 | static const char *const crlf = "\r\n"; | |
89 | ||
609c620a | 90 | #if FOLLOW_X_FORWARDED_FOR |
2efeb0b7 | 91 | static void clientFollowXForwardedForCheck(allow_t answer, void *data); |
609c620a | 92 | #endif /* FOLLOW_X_FORWARDED_FOR */ |
3d674977 | 93 | |
8e2745f4 | 94 | CBDATA_CLASS_INIT(ClientRequestContext); |
95 | ||
96 | void * | |
97 | ClientRequestContext::operator new (size_t size) | |
98 | { | |
99 | assert (size == sizeof(ClientRequestContext)); | |
100 | CBDATA_INIT_TYPE(ClientRequestContext); | |
101 | ClientRequestContext *result = cbdataAlloc(ClientRequestContext); | |
aa625860 | 102 | return result; |
8e2745f4 | 103 | } |
62e76326 | 104 | |
8e2745f4 | 105 | void |
106 | ClientRequestContext::operator delete (void *address) | |
107 | { | |
108 | ClientRequestContext *t = static_cast<ClientRequestContext *>(address); | |
aa625860 | 109 | cbdataFree(t); |
8e2745f4 | 110 | } |
111 | ||
edce4d98 | 112 | /* Local functions */ |
edce4d98 | 113 | /* other */ |
2efeb0b7 | 114 | static void clientAccessCheckDoneWrapper(allow_t, void *); |
e0c0d54c | 115 | #if USE_SSL |
2efeb0b7 | 116 | static void sslBumpAccessCheckDoneWrapper(allow_t, void *); |
e0c0d54c | 117 | #endif |
59a1efb2 | 118 | static int clientHierarchical(ClientHttpRequest * http); |
119 | static void clientInterpretRequestHeaders(ClientHttpRequest * http); | |
de31d06f | 120 | static RH clientRedirectDoneWrapper; |
2efeb0b7 | 121 | static void checkNoCacheDoneWrapper(allow_t, void *); |
e6ccf245 | 122 | extern "C" CSR clientGetMoreData; |
123 | extern "C" CSS clientReplyStatus; | |
124 | extern "C" CSD clientReplyDetach; | |
528b2c61 | 125 | static void checkFailureRatio(err_type, hier_code); |
edce4d98 | 126 | |
8e2745f4 | 127 | ClientRequestContext::~ClientRequestContext() |
128 | { | |
de31d06f | 129 | /* |
a546b04b | 130 | * Release our "lock" on our parent, ClientHttpRequest, if we |
131 | * still have one | |
de31d06f | 132 | */ |
a546b04b | 133 | |
134 | if (http) | |
135 | cbdataReferenceDone(http); | |
62e76326 | 136 | |
5f8252d2 | 137 | debugs(85,3, HERE << this << " ClientRequestContext destructed"); |
8e2745f4 | 138 | } |
139 | ||
4e2eb5c3 | 140 | ClientRequestContext::ClientRequestContext(ClientHttpRequest *anHttp) : http(cbdataReference(anHttp)), acl_checklist (NULL), redirect_state (REDIRECT_NONE) |
edce4d98 | 141 | { |
57abaac0 | 142 | http_access_done = false; |
143 | redirect_done = false; | |
144 | no_cache_done = false; | |
145 | interpreted_req_hdrs = false; | |
e0c0d54c CT |
146 | #if USE_SSL |
147 | sslBumpCheckDone = false; | |
148 | #endif | |
0b86805b | 149 | debugs(85,3, HERE << this << " ClientRequestContext constructed"); |
edce4d98 | 150 | } |
151 | ||
528b2c61 | 152 | CBDATA_CLASS_INIT(ClientHttpRequest); |
8e2745f4 | 153 | |
528b2c61 | 154 | void * |
155 | ClientHttpRequest::operator new (size_t size) | |
156 | { | |
157 | assert (size == sizeof (ClientHttpRequest)); | |
158 | CBDATA_INIT_TYPE(ClientHttpRequest); | |
159 | ClientHttpRequest *result = cbdataAlloc(ClientHttpRequest); | |
aa625860 | 160 | return result; |
528b2c61 | 161 | } |
162 | ||
62e76326 | 163 | void |
528b2c61 | 164 | ClientHttpRequest::operator delete (void *address) |
165 | { | |
aa625860 | 166 | ClientHttpRequest *t = static_cast<ClientHttpRequest *>(address); |
167 | cbdataFree(t); | |
528b2c61 | 168 | } |
169 | ||
26ac0430 | 170 | ClientHttpRequest::ClientHttpRequest(ConnStateData * aConn) : |
a83c6ed6 | 171 | #if USE_ADAPTATION |
26ac0430 | 172 | AsyncJob("ClientHttpRequest"), |
1cf238db | 173 | #endif |
26ac0430 | 174 | loggingEntry_(NULL) |
528b2c61 | 175 | { |
1cf238db | 176 | start_time = current_time; |
a0355e95 | 177 | setConn(aConn); |
a14f38d0 | 178 | al.tcpClient = clientConnection = aConn->clientConnection; |
a0355e95 | 179 | dlinkAdd(this, &active, &ClientActiveRequests); |
a83c6ed6 | 180 | #if USE_ADAPTATION |
b044675d | 181 | request_satisfaction_mode = false; |
182 | #endif | |
e0c0d54c CT |
183 | #if USE_SSL |
184 | sslBumpNeed = needUnknown; | |
185 | #endif | |
528b2c61 | 186 | } |
187 | ||
0655fa4d | 188 | /* |
189 | * returns true if client specified that the object must come from the cache | |
190 | * without contacting origin server | |
191 | */ | |
192 | bool | |
193 | ClientHttpRequest::onlyIfCached()const | |
194 | { | |
195 | assert(request); | |
196 | return request->cache_control && | |
197 | EBIT_TEST(request->cache_control->mask, CC_ONLY_IF_CACHED); | |
198 | } | |
199 | ||
528b2c61 | 200 | /* |
201 | * This function is designed to serve a fairly specific purpose. | |
202 | * Occasionally our vBNS-connected caches can talk to each other, but not | |
203 | * the rest of the world. Here we try to detect frequent failures which | |
204 | * make the cache unusable (e.g. DNS lookup and connect() failures). If | |
205 | * the failure:success ratio goes above 1.0 then we go into "hit only" | |
206 | * mode where we only return UDP_HIT or UDP_MISS_NOFETCH. Neighbors | |
207 | * will only fetch HITs from us if they are using the ICP protocol. We | |
208 | * stay in this mode for 5 minutes. | |
26ac0430 | 209 | * |
528b2c61 | 210 | * Duane W., Sept 16, 1996 |
211 | */ | |
212 | ||
213 | #define FAILURE_MODE_TIME 300 | |
214 | ||
215 | static void | |
216 | checkFailureRatio(err_type etype, hier_code hcode) | |
217 | { | |
218 | static double magic_factor = 100.0; | |
219 | double n_good; | |
220 | double n_bad; | |
62e76326 | 221 | |
528b2c61 | 222 | if (hcode == HIER_NONE) |
62e76326 | 223 | return; |
224 | ||
528b2c61 | 225 | n_good = magic_factor / (1.0 + request_failure_ratio); |
62e76326 | 226 | |
528b2c61 | 227 | n_bad = magic_factor - n_good; |
62e76326 | 228 | |
528b2c61 | 229 | switch (etype) { |
62e76326 | 230 | |
528b2c61 | 231 | case ERR_DNS_FAIL: |
62e76326 | 232 | |
528b2c61 | 233 | case ERR_CONNECT_FAIL: |
3712be3f | 234 | case ERR_SECURE_CONNECT_FAIL: |
62e76326 | 235 | |
528b2c61 | 236 | case ERR_READ_ERROR: |
62e76326 | 237 | n_bad++; |
238 | break; | |
239 | ||
528b2c61 | 240 | default: |
62e76326 | 241 | n_good++; |
528b2c61 | 242 | } |
62e76326 | 243 | |
528b2c61 | 244 | request_failure_ratio = n_bad / n_good; |
62e76326 | 245 | |
528b2c61 | 246 | if (hit_only_mode_until > squid_curtime) |
62e76326 | 247 | return; |
248 | ||
528b2c61 | 249 | if (request_failure_ratio < 1.0) |
62e76326 | 250 | return; |
251 | ||
bf8fe701 | 252 | debugs(33, 0, "Failure Ratio at "<< std::setw(4)<< |
253 | std::setprecision(3) << request_failure_ratio); | |
62e76326 | 254 | |
bf8fe701 | 255 | debugs(33, 0, "Going into hit-only-mode for " << |
256 | FAILURE_MODE_TIME / 60 << " minutes..."); | |
62e76326 | 257 | |
528b2c61 | 258 | hit_only_mode_until = squid_curtime + FAILURE_MODE_TIME; |
62e76326 | 259 | |
528b2c61 | 260 | request_failure_ratio = 0.8; /* reset to something less than 1.0 */ |
261 | } | |
262 | ||
263 | ClientHttpRequest::~ClientHttpRequest() | |
264 | { | |
bf8fe701 | 265 | debugs(33, 3, "httpRequestFree: " << uri); |
72bdee4c | 266 | PROF_start(httpRequestFree); |
62e76326 | 267 | |
5f8252d2 | 268 | // Even though freeResources() below may destroy the request, |
269 | // we no longer set request->body_pipe to NULL here | |
270 | // because we did not initiate that pipe (ConnStateData did) | |
62e76326 | 271 | |
528b2c61 | 272 | /* the ICP check here was erroneous |
26ac0430 | 273 | * - StoreEntry::releaseRequest was always called if entry was valid |
528b2c61 | 274 | */ |
275 | assert(logType < LOG_TYPE_MAX); | |
9ce7856a | 276 | |
528b2c61 | 277 | logRequest(); |
9ce7856a | 278 | |
0976f8db | 279 | loggingEntry(NULL); |
280 | ||
528b2c61 | 281 | if (request) |
62e76326 | 282 | checkFailureRatio(request->errType, al.hier.code); |
283 | ||
528b2c61 | 284 | freeResources(); |
62e76326 | 285 | |
a83c6ed6 AR |
286 | #if USE_ADAPTATION |
287 | announceInitiatorAbort(virginHeadSource); | |
9d4d7c5e | 288 | |
a83c6ed6 AR |
289 | if (adaptedBodySource != NULL) |
290 | stopConsumingFrom(adaptedBodySource); | |
de31d06f | 291 | #endif |
9ce7856a | 292 | |
de31d06f | 293 | if (calloutContext) |
294 | delete calloutContext; | |
295 | ||
be364179 AJ |
296 | clientConnection = NULL; |
297 | ||
26ac0430 AJ |
298 | if (conn_) |
299 | cbdataReferenceDone(conn_); | |
1cf238db | 300 | |
528b2c61 | 301 | /* moving to the next connection is handled by the context free */ |
302 | dlinkDelete(&active, &ClientActiveRequests); | |
9ce7856a | 303 | |
72bdee4c | 304 | PROF_stop(httpRequestFree); |
528b2c61 | 305 | } |
62e76326 | 306 | |
11992b6f AJ |
307 | /** |
308 | * Create a request and kick it off | |
309 | * | |
310 | * \retval 0 success | |
311 | * \retval -1 failure | |
312 | * | |
69660be0 | 313 | * TODO: Pass in the buffers to be used in the inital Read request, as they are |
314 | * determined by the user | |
edce4d98 | 315 | */ |
11992b6f | 316 | int |
60745f24 | 317 | clientBeginRequest(const HttpRequestMethod& method, char const *url, CSCB * streamcallback, |
0655fa4d | 318 | CSD * streamdetach, ClientStreamData streamdata, HttpHeader const *header, |
62e76326 | 319 | char *tailbuf, size_t taillen) |
edce4d98 | 320 | { |
321 | size_t url_sz; | |
a0355e95 | 322 | ClientHttpRequest *http = new ClientHttpRequest(NULL); |
190154cf | 323 | HttpRequest *request; |
528b2c61 | 324 | StoreIOBuffer tempBuffer; |
1cf238db | 325 | http->start_time = current_time; |
edce4d98 | 326 | /* this is only used to adjust the connection offset in client_side.c */ |
327 | http->req_sz = 0; | |
c8be6d7b | 328 | tempBuffer.length = taillen; |
329 | tempBuffer.data = tailbuf; | |
edce4d98 | 330 | /* client stream setup */ |
331 | clientStreamInit(&http->client_stream, clientGetMoreData, clientReplyDetach, | |
0655fa4d | 332 | clientReplyStatus, new clientReplyContext(http), streamcallback, |
62e76326 | 333 | streamdetach, streamdata, tempBuffer); |
edce4d98 | 334 | /* make it visible in the 'current acctive requests list' */ |
edce4d98 | 335 | /* Set flags */ |
a46d2c0e | 336 | /* internal requests only makes sense in an |
337 | * accelerator today. TODO: accept flags ? */ | |
338 | http->flags.accel = 1; | |
edce4d98 | 339 | /* allow size for url rewriting */ |
340 | url_sz = strlen(url) + Config.appendDomainLen + 5; | |
e6ccf245 | 341 | http->uri = (char *)xcalloc(url_sz, 1); |
edce4d98 | 342 | strcpy(http->uri, url); |
343 | ||
c21ad0f5 | 344 | if ((request = HttpRequest::CreateFromUrlAndMethod(http->uri, method)) == NULL) { |
bf8fe701 | 345 | debugs(85, 5, "Invalid URL: " << http->uri); |
62e76326 | 346 | return -1; |
edce4d98 | 347 | } |
62e76326 | 348 | |
69660be0 | 349 | /* |
11992b6f | 350 | * now update the headers in request with our supplied headers. urlParse |
69660be0 | 351 | * should return a blank header set, but we use Update to be sure of |
352 | * correctness. | |
edce4d98 | 353 | */ |
354 | if (header) | |
a9925b40 | 355 | request->header.update(header, NULL); |
62e76326 | 356 | |
edce4d98 | 357 | http->log_uri = xstrdup(urlCanonicalClean(request)); |
62e76326 | 358 | |
edce4d98 | 359 | /* http struct now ready */ |
360 | ||
69660be0 | 361 | /* |
362 | * build new header list *? TODO | |
edce4d98 | 363 | */ |
364 | request->flags.accelerated = http->flags.accel; | |
62e76326 | 365 | |
a46d2c0e | 366 | request->flags.internalclient = 1; |
367 | ||
368 | /* this is an internally created | |
369 | * request, not subject to acceleration | |
370 | * target overrides */ | |
69660be0 | 371 | /* |
372 | * FIXME? Do we want to detect and handle internal requests of internal | |
373 | * objects ? | |
374 | */ | |
edce4d98 | 375 | |
376 | /* Internally created requests cannot have bodies today */ | |
377 | request->content_length = 0; | |
62e76326 | 378 | |
cc192b50 | 379 | request->client_addr.SetNoAddr(); |
62e76326 | 380 | |
3d674977 AJ |
381 | #if FOLLOW_X_FORWARDED_FOR |
382 | request->indirect_client_addr.SetNoAddr(); | |
383 | #endif /* FOLLOW_X_FORWARDED_FOR */ | |
26ac0430 | 384 | |
cc192b50 | 385 | request->my_addr.SetNoAddr(); /* undefined for internal requests */ |
62e76326 | 386 | |
cc192b50 | 387 | request->my_addr.SetPort(0); |
62e76326 | 388 | |
3872be7c AJ |
389 | /* Our version is HTTP/1.1 */ |
390 | HttpVersion http_ver(1,1); | |
edce4d98 | 391 | request->http_ver = http_ver; |
62e76326 | 392 | |
6dd9f4bd | 393 | http->request = HTTPMSGLOCK(request); |
edce4d98 | 394 | |
395 | /* optional - skip the access check ? */ | |
de31d06f | 396 | http->calloutContext = new ClientRequestContext(http); |
397 | ||
57abaac0 | 398 | http->calloutContext->http_access_done = false; |
de31d06f | 399 | |
57abaac0 | 400 | http->calloutContext->redirect_done = true; |
de31d06f | 401 | |
57abaac0 | 402 | http->calloutContext->no_cache_done = true; |
de31d06f | 403 | |
404 | http->doCallouts(); | |
62e76326 | 405 | |
edce4d98 | 406 | return 0; |
407 | } | |
408 | ||
de31d06f | 409 | bool |
410 | ClientRequestContext::httpStateIsValid() | |
411 | { | |
412 | ClientHttpRequest *http_ = http; | |
413 | ||
414 | if (cbdataReferenceValid(http_)) | |
415 | return true; | |
416 | ||
417 | http = NULL; | |
418 | ||
419 | cbdataReferenceDone(http_); | |
420 | ||
421 | return false; | |
422 | } | |
423 | ||
3d674977 AJ |
424 | #if FOLLOW_X_FORWARDED_FOR |
425 | /** | |
a9044668 | 426 | * clientFollowXForwardedForCheck() checks the content of X-Forwarded-For: |
3d674977 AJ |
427 | * against the followXFF ACL, or cleans up and passes control to |
428 | * clientAccessCheck(). | |
d096ace1 AJ |
429 | * |
430 | * The trust model here is a little ambiguous. So to clarify the logic: | |
431 | * - we may always use the direct client address as the client IP. | |
a9044668 | 432 | * - these trust tests merey tell whether we trust given IP enough to believe the |
d096ace1 AJ |
433 | * IP string which it appended to the X-Forwarded-For: header. |
434 | * - if at any point we don't trust what an IP adds we stop looking. | |
435 | * - at that point the current contents of indirect_client_addr are the value set | |
436 | * by the last previously trusted IP. | |
437 | * ++ indirect_client_addr contains the remote direct client from the trusted peers viewpoint. | |
3d674977 | 438 | */ |
3d674977 | 439 | static void |
2efeb0b7 | 440 | clientFollowXForwardedForCheck(allow_t answer, void *data) |
3d674977 AJ |
441 | { |
442 | ClientRequestContext *calloutContext = (ClientRequestContext *) data; | |
3d674977 AJ |
443 | |
444 | if (!calloutContext->httpStateIsValid()) | |
445 | return; | |
446 | ||
d096ace1 AJ |
447 | ClientHttpRequest *http = calloutContext->http; |
448 | HttpRequest *request = http->request; | |
449 | ||
3d674977 AJ |
450 | /* |
451 | * answer should be be ACCESS_ALLOWED or ACCESS_DENIED if we are | |
452 | * called as a result of ACL checks, or -1 if we are called when | |
453 | * there's nothing left to do. | |
454 | */ | |
455 | if (answer == ACCESS_ALLOWED && | |
26ac0430 | 456 | request->x_forwarded_for_iterator.size () != 0) { |
d096ace1 | 457 | |
3d674977 | 458 | /* |
d096ace1 AJ |
459 | * Remove the last comma-delimited element from the |
460 | * x_forwarded_for_iterator and use it to repeat the cycle. | |
461 | */ | |
3d674977 AJ |
462 | const char *p; |
463 | const char *asciiaddr; | |
464 | int l; | |
b7ac5457 | 465 | Ip::Address addr; |
bb790702 | 466 | p = request->x_forwarded_for_iterator.termedBuf(); |
3d674977 AJ |
467 | l = request->x_forwarded_for_iterator.size(); |
468 | ||
469 | /* | |
470 | * XXX x_forwarded_for_iterator should really be a list of | |
471 | * IP addresses, but it's a String instead. We have to | |
472 | * walk backwards through the String, biting off the last | |
473 | * comma-delimited part each time. As long as the data is in | |
474 | * a String, we should probably implement and use a variant of | |
475 | * strListGetItem() that walks backwards instead of forwards | |
476 | * through a comma-separated list. But we don't even do that; | |
477 | * we just do the work in-line here. | |
478 | */ | |
479 | /* skip trailing space and commas */ | |
480 | while (l > 0 && (p[l-1] == ',' || xisspace(p[l-1]))) | |
481 | l--; | |
482 | request->x_forwarded_for_iterator.cut(l); | |
483 | /* look for start of last item in list */ | |
484 | while (l > 0 && ! (p[l-1] == ',' || xisspace(p[l-1]))) | |
485 | l--; | |
486 | asciiaddr = p+l; | |
fafd0efa | 487 | if ((addr = asciiaddr)) { |
3d674977 AJ |
488 | request->indirect_client_addr = addr; |
489 | request->x_forwarded_for_iterator.cut(l); | |
d096ace1 AJ |
490 | calloutContext->acl_checklist = clientAclChecklistCreate(Config.accessList.followXFF, http); |
491 | if (!Config.onoff.acl_uses_indirect_client) { | |
492 | /* override the default src_addr tested if we have to go deeper than one level into XFF */ | |
493 | Filled(calloutContext->acl_checklist)->src_addr = request->indirect_client_addr; | |
3d674977 | 494 | } |
d096ace1 | 495 | calloutContext->acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, data); |
3d674977 AJ |
496 | return; |
497 | } | |
498 | } /*if (answer == ACCESS_ALLOWED && | |
499 | request->x_forwarded_for_iterator.size () != 0)*/ | |
500 | ||
501 | /* clean up, and pass control to clientAccessCheck */ | |
26ac0430 | 502 | if (Config.onoff.log_uses_indirect_client) { |
3d674977 AJ |
503 | /* |
504 | * Ensure that the access log shows the indirect client | |
505 | * instead of the direct client. | |
506 | */ | |
507 | ConnStateData *conn = http->getConn(); | |
508 | conn->log_addr = request->indirect_client_addr; | |
509 | } | |
510 | request->x_forwarded_for_iterator.clean(); | |
511 | request->flags.done_follow_x_forwarded_for = 1; | |
512 | ||
d096ace1 AJ |
513 | if (answer != ACCESS_ALLOWED && answer != ACCESS_DENIED) { |
514 | debugs(28, DBG_CRITICAL, "ERROR: Processing X-Forwarded-For. Stopping at IP address: " << request->indirect_client_addr ); | |
493d3865 AJ |
515 | } |
516 | ||
517 | /* process actual access ACL as normal. */ | |
518 | calloutContext->clientAccessCheck(); | |
3d674977 AJ |
519 | } |
520 | #endif /* FOLLOW_X_FORWARDED_FOR */ | |
521 | ||
fe97983f AJ |
522 | static void |
523 | hostHeaderIpVerifyWrapper(const ipcache_addrs* ia, const DnsLookupDetails &dns, void *data) | |
524 | { | |
525 | ClientRequestContext *c = static_cast<ClientRequestContext*>(data); | |
526 | c->hostHeaderIpVerify(ia, dns); | |
527 | } | |
528 | ||
529 | void | |
530 | ClientRequestContext::hostHeaderIpVerify(const ipcache_addrs* ia, const DnsLookupDetails &dns) | |
531 | { | |
532 | Comm::ConnectionPointer clientConn = http->getConn()->clientConnection; | |
533 | ||
534 | // note the DNS details for the transaction stats. | |
535 | http->request->recordLookup(dns); | |
536 | ||
537 | if (ia != NULL && ia->count > 0) { | |
538 | // Is the NAT destination IP in DNS? | |
539 | for (int i = 0; i < ia->count; i++) { | |
540 | if (clientConn->local.matchIPAddr(ia->in_addrs[i]) == 0) { | |
541 | debugs(85, 3, HERE << "validate IP " << clientConn->local << " possible from Host:"); | |
542 | http->doCallouts(); | |
543 | return; | |
544 | } | |
545 | debugs(85, 3, HERE << "validate IP " << clientConn->local << " non-match from Host: IP " << ia->in_addrs[i]); | |
546 | } | |
547 | } | |
548 | debugs(85, 3, HERE << "FAIL: validate IP " << clientConn->local << " possible from Host:"); | |
05b28f84 | 549 | hostHeaderVerifyFailed("local IP", "any domain IP"); |
fe97983f AJ |
550 | } |
551 | ||
552 | void | |
05b28f84 | 553 | ClientRequestContext::hostHeaderVerifyFailed(const char *A, const char *B) |
fe97983f | 554 | { |
8f489ad7 AJ |
555 | debugs(85, DBG_IMPORTANT, "SECURITY ALERT: Host header forgery detected on " << |
556 | http->getConn()->clientConnection << " (" << A << " does not match " << B << ")"); | |
557 | debugs(85, DBG_IMPORTANT, "SECURITY ALERT: By user agent: " << http->request->header.getStr(HDR_USER_AGENT)); | |
558 | debugs(85, DBG_IMPORTANT, "SECURITY ALERT: on URL: " << urlCanonical(http->request)); | |
fe97983f AJ |
559 | |
560 | // IP address validation for Host: failed. reject the connection. | |
561 | clientStreamNode *node = (clientStreamNode *)http->client_stream.tail->prev->data; | |
562 | clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw()); | |
563 | assert (repContext); | |
564 | repContext->setReplyToError(ERR_INVALID_REQ, HTTP_CONFLICT, | |
565 | http->request->method, NULL, | |
566 | http->getConn()->clientConnection->remote, | |
567 | http->request, | |
568 | NULL, | |
569 | #if USE_AUTH | |
570 | http->getConn() != NULL && http->getConn()->auth_user_request != NULL ? | |
571 | http->getConn()->auth_user_request : http->request->auth_user_request); | |
572 | #else | |
573 | NULL); | |
574 | #endif | |
575 | node = (clientStreamNode *)http->client_stream.tail->data; | |
576 | clientStreamRead(node, http, node->readBuffer); | |
577 | } | |
578 | ||
579 | void | |
580 | ClientRequestContext::hostHeaderVerify() | |
581 | { | |
582 | // Require a Host: header. | |
583 | const char *host = http->request->header.getStr(HDR_HOST); | |
584 | char *hostB = NULL; | |
585 | ||
586 | if (!host) { | |
587 | // TODO: dump out the HTTP/1.1 error about missing host header. | |
588 | // otherwise this is fine, can't forge a header value when its not even set. | |
589 | debugs(85, 3, HERE << "validate skipped with no Host: header present."); | |
590 | http->doCallouts(); | |
591 | return; | |
592 | } | |
593 | ||
8f489ad7 AJ |
594 | if (http->request->flags.internal) { |
595 | // TODO: kill this when URL handling allows partial URLs out of accel mode | |
596 | // and we no longer screw with the URL just to add our internal host there | |
597 | debugs(85, 6, HERE << "validate skipped due to internal composite URL."); | |
598 | http->doCallouts(); | |
599 | return; | |
600 | } | |
601 | ||
fe97983f AJ |
602 | // Locate if there is a port attached, strip ready for IP lookup |
603 | char *portStr = NULL; | |
604 | uint16_t port = 0; | |
605 | if (host[0] == '[') { | |
606 | // IPv6 literal. | |
8f489ad7 | 607 | hostB = xstrdup(host); |
fe97983f | 608 | portStr = strchr(hostB, ']'); |
8f489ad7 AJ |
609 | if (portStr) { |
610 | if (*(++portStr) == ':') { | |
611 | *portStr = '\0'; | |
fe97983f | 612 | port = xatoi(++portStr); |
8f489ad7 | 613 | } else { |
fe97983f | 614 | portStr=NULL; // no port to check. |
8f489ad7 | 615 | } |
fe97983f | 616 | } |
8f489ad7 | 617 | host = hostB; // point host at the local version for lookup |
fe97983f AJ |
618 | } else if (strrchr(host, ':') != NULL) { |
619 | // Domain or IPv4 literal with port | |
620 | hostB = xstrdup(host); | |
621 | portStr = strrchr(hostB, ':'); | |
622 | *portStr = '\0'; | |
623 | port = xatoi(++portStr); | |
624 | host = hostB; // point host at the local version for lookup | |
625 | } | |
626 | ||
627 | debugs(85, 3, HERE << "validate host=" << host << ", port=" << port << ", portStr=" << (portStr?portStr:"NULL")); | |
628 | if (http->request->flags.intercepted || http->request->flags.spoof_client_ip) { | |
ba4d9da0 | 629 | // verify the Host: port (if any) matches the apparent destination |
fe97983f | 630 | if (portStr && port != http->getConn()->clientConnection->local.GetPort()) { |
05b28f84 AJ |
631 | debugs(85, 3, HERE << "FAIL on validate port " << http->getConn()->clientConnection->local.GetPort() << |
632 | " matches Host: port " << port << " (" << portStr << ")"); | |
633 | hostHeaderVerifyFailed("intercepted port", portStr); | |
ba4d9da0 AJ |
634 | } else { |
635 | // XXX: match the scheme default port against the apparent destination | |
fe97983f | 636 | |
ba4d9da0 AJ |
637 | // verify the destination DNS is one of the Host: headers IPs |
638 | ipcache_nbgethostbyname(host, hostHeaderIpVerifyWrapper, this); | |
639 | } | |
8f489ad7 AJ |
640 | } else if (strlen(host) != strlen(http->request->GetHost())) { |
641 | // Verify forward-proxy requested URL domain matches the Host: header | |
642 | debugs(85, 3, HERE << "FAIL on validate URL domain length " << http->request->GetHost() << " matches Host: " << host); | |
643 | hostHeaderVerifyFailed(host, http->request->GetHost()); | |
644 | } else if (matchDomainName(host, http->request->GetHost()) != 0) { | |
ba4d9da0 | 645 | // Verify forward-proxy requested URL domain matches the Host: header |
fe97983f | 646 | debugs(85, 3, HERE << "FAIL on validate URL domain " << http->request->GetHost() << " matches Host: " << host); |
05b28f84 | 647 | hostHeaderVerifyFailed(host, http->request->GetHost()); |
ba4d9da0 AJ |
648 | } else if (portStr && port != http->request->port) { |
649 | // Verify forward-proxy requested URL domain matches the Host: header | |
650 | debugs(85, 3, HERE << "FAIL on validate URL port " << http->request->port << " matches Host: port " << portStr); | |
651 | hostHeaderVerifyFailed("URL port", portStr); | |
65d2fdbf | 652 | } else if (!portStr && http->request->method != METHOD_CONNECT && http->request->port != urlDefaultPort(http->request->protocol)) { |
ba4d9da0 | 653 | // Verify forward-proxy requested URL domain matches the Host: header |
65d2fdbf | 654 | // Special case: we don't have a default-port to check for CONNECT. Assume URL is correct. |
ba4d9da0 AJ |
655 | debugs(85, 3, HERE << "FAIL on validate URL port " << http->request->port << " matches Host: default port " << urlDefaultPort(http->request->protocol)); |
656 | hostHeaderVerifyFailed("URL port", "default port"); | |
657 | } else { | |
658 | // Okay no problem. | |
659 | debugs(85, 3, HERE << "validate passed."); | |
660 | http->doCallouts(); | |
fe97983f | 661 | } |
ba4d9da0 | 662 | safe_free(hostB); |
fe97983f AJ |
663 | } |
664 | ||
edce4d98 | 665 | /* This is the entry point for external users of the client_side routines */ |
666 | void | |
de31d06f | 667 | ClientRequestContext::clientAccessCheck() |
edce4d98 | 668 | { |
3d674977 AJ |
669 | #if FOLLOW_X_FORWARDED_FOR |
670 | if (!http->request->flags.done_follow_x_forwarded_for && | |
26ac0430 AJ |
671 | Config.accessList.followXFF && |
672 | http->request->header.has(HDR_X_FORWARDED_FOR)) { | |
d096ace1 AJ |
673 | |
674 | /* we always trust the direct client address for actual use */ | |
675 | http->request->indirect_client_addr = http->request->client_addr; | |
fafd0efa | 676 | http->request->indirect_client_addr.SetPort(0); |
d096ace1 AJ |
677 | |
678 | /* setup the XFF iterator for processing */ | |
679 | http->request->x_forwarded_for_iterator = http->request->header.getList(HDR_X_FORWARDED_FOR); | |
680 | ||
681 | /* begin by checking to see if we trust direct client enough to walk XFF */ | |
682 | acl_checklist = clientAclChecklistCreate(Config.accessList.followXFF, http); | |
683 | acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, this); | |
3d674977 AJ |
684 | return; |
685 | } | |
686 | #endif /* FOLLOW_X_FORWARDED_FOR */ | |
493d3865 | 687 | |
b50e327b AJ |
688 | if (Config.accessList.http) { |
689 | acl_checklist = clientAclChecklistCreate(Config.accessList.http, http); | |
690 | acl_checklist->nonBlockingCheck(clientAccessCheckDoneWrapper, this); | |
691 | } else { | |
692 | debugs(0, DBG_CRITICAL, "No http_access configuration found. This will block ALL traffic"); | |
693 | clientAccessCheckDone(ACCESS_DENIED); | |
694 | } | |
edce4d98 | 695 | } |
696 | ||
533493da AJ |
697 | /** |
698 | * Identical in operation to clientAccessCheck() but performed later using different configured ACL list. | |
699 | * The default here is to allow all. Since the earlier http_access should do a default deny all. | |
700 | * This check is just for a last-minute denial based on adapted request headers. | |
701 | */ | |
702 | void | |
703 | ClientRequestContext::clientAccessCheck2() | |
704 | { | |
705 | if (Config.accessList.adapted_http) { | |
706 | acl_checklist = clientAclChecklistCreate(Config.accessList.adapted_http, http); | |
707 | acl_checklist->nonBlockingCheck(clientAccessCheckDoneWrapper, this); | |
708 | } else { | |
327e2131 | 709 | debugs(85, 2, HERE << "No adapted_http_access configuration. default: ALLOW"); |
533493da AJ |
710 | clientAccessCheckDone(ACCESS_ALLOWED); |
711 | } | |
712 | } | |
713 | ||
edce4d98 | 714 | void |
2efeb0b7 | 715 | clientAccessCheckDoneWrapper(allow_t answer, void *data) |
edce4d98 | 716 | { |
de31d06f | 717 | ClientRequestContext *calloutContext = (ClientRequestContext *) data; |
fbade053 | 718 | |
de31d06f | 719 | if (!calloutContext->httpStateIsValid()) |
62e76326 | 720 | return; |
62e76326 | 721 | |
de31d06f | 722 | calloutContext->clientAccessCheckDone(answer); |
723 | } | |
724 | ||
725 | void | |
2efeb0b7 | 726 | ClientRequestContext::clientAccessCheckDone(const allow_t &answer) |
de31d06f | 727 | { |
728 | acl_checklist = NULL; | |
edce4d98 | 729 | err_type page_id; |
730 | http_status status; | |
26ac0430 AJ |
731 | debugs(85, 2, "The request " << |
732 | RequestMethodStr(http->request->method) << " " << | |
2efeb0b7 | 733 | http->uri << " is " << answer << |
26ac0430 AJ |
734 | ", because it matched '" << |
735 | (AclMatchedName ? AclMatchedName : "NO ACL's") << "'" ); | |
f5691f9c | 736 | |
2f1431ea AJ |
737 | #if USE_AUTH |
738 | char const *proxy_auth_msg = "<null>"; | |
94a396a3 | 739 | if (http->getConn() != NULL && http->getConn()->auth_user_request != NULL) |
f5691f9c | 740 | proxy_auth_msg = http->getConn()->auth_user_request->denyMessage("<null>"); |
741 | else if (http->request->auth_user_request != NULL) | |
742 | proxy_auth_msg = http->request->auth_user_request->denyMessage("<null>"); | |
2f1431ea | 743 | #endif |
62e76326 | 744 | |
309347ef AJ |
745 | if (answer != ACCESS_ALLOWED && answer != ACCESS_AUTH_EXPIRED_OK) { |
746 | // auth has a grace period where credentials can be expired but okay not to challenge. | |
747 | ||
748 | /* Send an auth challenge or error */ | |
749 | // XXX: do we still need aclIsProxyAuth() ? | |
750 | bool auth_challenge = (answer == ACCESS_AUTH_REQUIRED || answer == ACCESS_AUTH_EXPIRED_BAD || aclIsProxyAuth(AclMatchedName)); | |
bf8fe701 | 751 | debugs(85, 5, "Access Denied: " << http->uri); |
752 | debugs(85, 5, "AclMatchedName = " << (AclMatchedName ? AclMatchedName : "<null>")); | |
2f1431ea | 753 | #if USE_AUTH |
309347ef | 754 | if (auth_challenge) |
bf8fe701 | 755 | debugs(33, 5, "Proxy Auth Message = " << (proxy_auth_msg ? proxy_auth_msg : "<null>")); |
2f1431ea | 756 | #endif |
9ce7856a | 757 | |
62e76326 | 758 | /* |
759 | * NOTE: get page_id here, based on AclMatchedName because if | |
760 | * USE_DELAY_POOLS is enabled, then AclMatchedName gets clobbered in | |
761 | * the clientCreateStoreEntry() call just below. Pedro Ribeiro | |
762 | * <pribeiro@isel.pt> | |
763 | */ | |
7dfddb79 | 764 | page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, answer != ACCESS_AUTH_REQUIRED); |
9ce7856a | 765 | |
62e76326 | 766 | http->logType = LOG_TCP_DENIED; |
767 | ||
309347ef | 768 | if (auth_challenge) { |
2f1431ea | 769 | #if USE_AUTH |
62e76326 | 770 | if (!http->flags.accel) { |
771 | /* Proxy authorisation needed */ | |
772 | status = HTTP_PROXY_AUTHENTICATION_REQUIRED; | |
773 | } else { | |
774 | /* WWW authorisation needed */ | |
775 | status = HTTP_UNAUTHORIZED; | |
776 | } | |
2f1431ea AJ |
777 | #else |
778 | // need auth, but not possible to do. | |
779 | status = HTTP_FORBIDDEN; | |
780 | #endif | |
62e76326 | 781 | if (page_id == ERR_NONE) |
782 | page_id = ERR_CACHE_ACCESS_DENIED; | |
783 | } else { | |
784 | status = HTTP_FORBIDDEN; | |
785 | ||
786 | if (page_id == ERR_NONE) | |
787 | page_id = ERR_ACCESS_DENIED; | |
788 | } | |
789 | ||
de31d06f | 790 | clientStreamNode *node = (clientStreamNode *)http->client_stream.tail->prev->data; |
0655fa4d | 791 | clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw()); |
792 | assert (repContext); | |
b7ac5457 | 793 | Ip::Address tmpnoaddr; |
26ac0430 | 794 | tmpnoaddr.SetNoAddr(); |
0655fa4d | 795 | repContext->setReplyToError(page_id, status, |
796 | http->request->method, NULL, | |
73c36fd9 | 797 | http->getConn() != NULL ? http->getConn()->clientConnection->remote : tmpnoaddr, |
cc192b50 | 798 | http->request, |
799 | NULL, | |
2f1431ea | 800 | #if USE_AUTH |
a33a428a | 801 | http->getConn() != NULL && http->getConn()->auth_user_request != NULL ? |
cc192b50 | 802 | http->getConn()->auth_user_request : http->request->auth_user_request); |
2f1431ea AJ |
803 | #else |
804 | NULL); | |
805 | #endif | |
6b355e5a | 806 | http->getConn()->flags.readMore = true; // resume any pipeline reads. |
62e76326 | 807 | node = (clientStreamNode *)http->client_stream.tail->data; |
808 | clientStreamRead(node, http, node->readBuffer); | |
a546b04b | 809 | return; |
edce4d98 | 810 | } |
de31d06f | 811 | |
309347ef | 812 | /* ACCESS_ALLOWED (or auth in grace period ACCESS_AUTH_EXPIRED_OK) continues here ... */ |
de31d06f | 813 | safe_free(http->uri); |
814 | ||
815 | http->uri = xstrdup(urlCanonical(http->request)); | |
816 | ||
817 | http->doCallouts(); | |
818 | } | |
819 | ||
a83c6ed6 | 820 | #if USE_ADAPTATION |
de31d06f | 821 | static void |
a22e6cd3 | 822 | adaptationAclCheckDoneWrapper(Adaptation::ServiceGroupPointer g, void *data) |
de31d06f | 823 | { |
824 | ClientRequestContext *calloutContext = (ClientRequestContext *)data; | |
825 | ||
826 | if (!calloutContext->httpStateIsValid()) | |
827 | return; | |
828 | ||
a22e6cd3 | 829 | calloutContext->adaptationAclCheckDone(g); |
de31d06f | 830 | } |
831 | ||
832 | void | |
a22e6cd3 | 833 | ClientRequestContext::adaptationAclCheckDone(Adaptation::ServiceGroupPointer g) |
de31d06f | 834 | { |
a83c6ed6 | 835 | debugs(93,3,HERE << this << " adaptationAclCheckDone called"); |
6ec67de9 | 836 | assert(http); |
837 | ||
e1381638 | 838 | #if ICAP_CLIENT |
3ff65596 | 839 | Adaptation::Icap::History::Pointer ih = http->request->icapHistory(); |
e1381638 AJ |
840 | if (ih != NULL) { |
841 | if (http->getConn() != NULL) { | |
73c36fd9 | 842 | ih->rfc931 = http->getConn()->clientConnection->rfc931; |
e1381638 | 843 | #if USE_SSL |
73c36fd9 AJ |
844 | assert(http->getConn()->clientConnection != NULL); |
845 | ih->ssluser = sslGetUserEmail(fd_table[http->getConn()->clientConnection->fd].ssl); | |
e1381638 | 846 | #endif |
3ff65596 AR |
847 | } |
848 | ih->log_uri = http->log_uri; | |
849 | ih->req_sz = http->req_sz; | |
850 | } | |
851 | #endif | |
852 | ||
a22e6cd3 AR |
853 | if (!g) { |
854 | debugs(85,3, HERE << "no adaptation needed"); | |
5f8252d2 | 855 | http->doCallouts(); |
856 | return; | |
857 | } | |
de31d06f | 858 | |
a22e6cd3 | 859 | http->startAdaptation(g); |
edce4d98 | 860 | } |
861 | ||
de31d06f | 862 | #endif |
863 | ||
14cc8559 | 864 | static void |
2efeb0b7 | 865 | clientRedirectAccessCheckDone(allow_t answer, void *data) |
14cc8559 | 866 | { |
867 | ClientRequestContext *context = (ClientRequestContext *)data; | |
59a1efb2 | 868 | ClientHttpRequest *http = context->http; |
14cc8559 | 869 | context->acl_checklist = NULL; |
870 | ||
871 | if (answer == ACCESS_ALLOWED) | |
de31d06f | 872 | redirectStart(http, clientRedirectDoneWrapper, context); |
14cc8559 | 873 | else |
de31d06f | 874 | context->clientRedirectDone(NULL); |
14cc8559 | 875 | } |
876 | ||
de31d06f | 877 | void |
878 | ClientRequestContext::clientRedirectStart() | |
14cc8559 | 879 | { |
bf8fe701 | 880 | debugs(33, 5, "clientRedirectStart: '" << http->uri << "'"); |
14cc8559 | 881 | |
14cc8559 | 882 | if (Config.accessList.redirector) { |
de31d06f | 883 | acl_checklist = clientAclChecklistCreate(Config.accessList.redirector, http); |
884 | acl_checklist->nonBlockingCheck(clientRedirectAccessCheckDone, this); | |
14cc8559 | 885 | } else |
de31d06f | 886 | redirectStart(http, clientRedirectDoneWrapper, this); |
14cc8559 | 887 | } |
888 | ||
edce4d98 | 889 | static int |
59a1efb2 | 890 | clientHierarchical(ClientHttpRequest * http) |
edce4d98 | 891 | { |
892 | const char *url = http->uri; | |
190154cf | 893 | HttpRequest *request = http->request; |
60745f24 | 894 | HttpRequestMethod method = request->method; |
edce4d98 | 895 | const wordlist *p = NULL; |
896 | ||
69660be0 | 897 | /* |
898 | * IMS needs a private key, so we can use the hierarchy for IMS only if our | |
899 | * neighbors support private keys | |
900 | */ | |
62e76326 | 901 | |
edce4d98 | 902 | if (request->flags.ims && !neighbors_do_private_keys) |
62e76326 | 903 | return 0; |
904 | ||
69660be0 | 905 | /* |
906 | * This is incorrect: authenticating requests can be sent via a hierarchy | |
06b97e72 | 907 | * (they can even be cached if the correct headers are set on the reply) |
edce4d98 | 908 | */ |
909 | if (request->flags.auth) | |
62e76326 | 910 | return 0; |
911 | ||
edce4d98 | 912 | if (method == METHOD_TRACE) |
62e76326 | 913 | return 1; |
914 | ||
edce4d98 | 915 | if (method != METHOD_GET) |
62e76326 | 916 | return 0; |
917 | ||
edce4d98 | 918 | /* scan hierarchy_stoplist */ |
919 | for (p = Config.hierarchy_stoplist; p; p = p->next) | |
62e76326 | 920 | if (strstr(url, p->key)) |
921 | return 0; | |
922 | ||
edce4d98 | 923 | if (request->flags.loopdetect) |
62e76326 | 924 | return 0; |
925 | ||
0c3d3f65 | 926 | if (request->protocol == AnyP::PROTO_HTTP) |
62e76326 | 927 | return httpCachable(method); |
928 | ||
0c3d3f65 | 929 | if (request->protocol == AnyP::PROTO_GOPHER) |
62e76326 | 930 | return gopherCachable(request); |
931 | ||
39a19cb7 | 932 | if (request->protocol == AnyP::PROTO_CACHE_OBJECT) |
62e76326 | 933 | return 0; |
934 | ||
edce4d98 | 935 | return 1; |
936 | } | |
937 | ||
46a1f562 HN |
938 | static void |
939 | clientCheckPinning(ClientHttpRequest * http) | |
940 | { | |
941 | HttpRequest *request = http->request; | |
942 | HttpHeader *req_hdr = &request->header; | |
943 | ConnStateData *http_conn = http->getConn(); | |
944 | ||
945 | /* Internal requests such as those from ESI includes may be without | |
946 | * a client connection | |
947 | */ | |
948 | if (!http_conn) | |
f54f527e | 949 | return; |
46a1f562 HN |
950 | |
951 | request->flags.connection_auth_disabled = http_conn->port->connection_auth_disabled; | |
952 | if (!request->flags.connection_auth_disabled) { | |
73c36fd9 | 953 | if (Comm::IsConnOpen(http_conn->pinning.serverConnection)) { |
46a1f562 HN |
954 | if (http_conn->pinning.auth) { |
955 | request->flags.connection_auth = 1; | |
956 | request->flags.auth = 1; | |
957 | } else { | |
958 | request->flags.connection_proxy_auth = 1; | |
959 | } | |
b1cf2350 AJ |
960 | // These should already be linked correctly. |
961 | assert(request->clientConnectionManager == http_conn); | |
46a1f562 HN |
962 | } |
963 | } | |
964 | ||
965 | /* check if connection auth is used, and flag as candidate for pinning | |
966 | * in such case. | |
967 | * Note: we may need to set flags.connection_auth even if the connection | |
968 | * is already pinned if it was pinned earlier due to proxy auth | |
969 | */ | |
970 | if (!request->flags.connection_auth) { | |
971 | if (req_hdr->has(HDR_AUTHORIZATION) || req_hdr->has(HDR_PROXY_AUTHORIZATION)) { | |
972 | HttpHeaderPos pos = HttpHeaderInitPos; | |
973 | HttpHeaderEntry *e; | |
974 | int may_pin = 0; | |
975 | while ((e = req_hdr->getEntry(&pos))) { | |
976 | if (e->id == HDR_AUTHORIZATION || e->id == HDR_PROXY_AUTHORIZATION) { | |
977 | const char *value = e->value.rawBuf(); | |
978 | if (strncasecmp(value, "NTLM ", 5) == 0 | |
979 | || | |
980 | strncasecmp(value, "Negotiate ", 10) == 0 | |
981 | || | |
982 | strncasecmp(value, "Kerberos ", 9) == 0) { | |
983 | if (e->id == HDR_AUTHORIZATION) { | |
984 | request->flags.connection_auth = 1; | |
985 | may_pin = 1; | |
986 | } else { | |
987 | request->flags.connection_proxy_auth = 1; | |
988 | may_pin = 1; | |
989 | } | |
990 | } | |
991 | } | |
992 | } | |
993 | if (may_pin && !request->pinnedConnection()) { | |
b1cf2350 AJ |
994 | // These should already be linked correctly. Just need the ServerConnection to pinn. |
995 | assert(request->clientConnectionManager == http_conn); | |
46a1f562 HN |
996 | } |
997 | } | |
998 | } | |
999 | } | |
1000 | ||
edce4d98 | 1001 | static void |
59a1efb2 | 1002 | clientInterpretRequestHeaders(ClientHttpRequest * http) |
edce4d98 | 1003 | { |
190154cf | 1004 | HttpRequest *request = http->request; |
0ef77270 | 1005 | HttpHeader *req_hdr = &request->header; |
edce4d98 | 1006 | int no_cache = 0; |
edce4d98 | 1007 | const char *str; |
62e76326 | 1008 | |
edce4d98 | 1009 | request->imslen = -1; |
a9925b40 | 1010 | request->ims = req_hdr->getTime(HDR_IF_MODIFIED_SINCE); |
62e76326 | 1011 | |
edce4d98 | 1012 | if (request->ims > 0) |
62e76326 | 1013 | request->flags.ims = 1; |
1014 | ||
432bc83c HN |
1015 | if (!request->flags.ignore_cc) { |
1016 | if (req_hdr->has(HDR_PRAGMA)) { | |
1017 | String s = req_hdr->getList(HDR_PRAGMA); | |
62e76326 | 1018 | |
432bc83c HN |
1019 | if (strListIsMember(&s, "no-cache", ',')) |
1020 | no_cache++; | |
30abd221 | 1021 | |
432bc83c HN |
1022 | s.clean(); |
1023 | } | |
62e76326 | 1024 | |
432bc83c HN |
1025 | if (request->cache_control) |
1026 | if (EBIT_TEST(request->cache_control->mask, CC_NO_CACHE)) | |
1027 | no_cache++; | |
62e76326 | 1028 | |
432bc83c HN |
1029 | /* |
1030 | * Work around for supporting the Reload button in IE browsers when Squid | |
1031 | * is used as an accelerator or transparent proxy, by turning accelerated | |
1032 | * IMS request to no-cache requests. Now knows about IE 5.5 fix (is | |
1033 | * actually only fixed in SP1, but we can't tell whether we are talking to | |
1034 | * SP1 or not so all 5.5 versions are treated 'normally'). | |
1035 | */ | |
1036 | if (Config.onoff.ie_refresh) { | |
1037 | if (http->flags.accel && request->flags.ims) { | |
1038 | if ((str = req_hdr->getStr(HDR_USER_AGENT))) { | |
1039 | if (strstr(str, "MSIE 5.01") != NULL) | |
1040 | no_cache++; | |
1041 | else if (strstr(str, "MSIE 5.0") != NULL) | |
1042 | no_cache++; | |
1043 | else if (strstr(str, "MSIE 4.") != NULL) | |
1044 | no_cache++; | |
1045 | else if (strstr(str, "MSIE 3.") != NULL) | |
1046 | no_cache++; | |
1047 | } | |
62e76326 | 1048 | } |
1049 | } | |
edce4d98 | 1050 | } |
914b89a2 | 1051 | |
1052 | if (request->method == METHOD_OTHER) { | |
26ac0430 | 1053 | no_cache++; |
60745f24 | 1054 | } |
62e76326 | 1055 | |
edce4d98 | 1056 | if (no_cache) { |
626096be | 1057 | #if USE_HTTP_VIOLATIONS |
62e76326 | 1058 | |
1059 | if (Config.onoff.reload_into_ims) | |
1060 | request->flags.nocache_hack = 1; | |
1061 | else if (refresh_nocache_hack) | |
1062 | request->flags.nocache_hack = 1; | |
1063 | else | |
edce4d98 | 1064 | #endif |
62e76326 | 1065 | |
1066 | request->flags.nocache = 1; | |
edce4d98 | 1067 | } |
62e76326 | 1068 | |
0ef77270 | 1069 | /* ignore range header in non-GETs or non-HEADs */ |
1070 | if (request->method == METHOD_GET || request->method == METHOD_HEAD) { | |
56713d9a AR |
1071 | // XXX: initialize if we got here without HttpRequest::parseHeader() |
1072 | if (!request->range) | |
1073 | request->range = req_hdr->getRange(); | |
62e76326 | 1074 | |
1075 | if (request->range) { | |
1076 | request->flags.range = 1; | |
1077 | clientStreamNode *node = (clientStreamNode *)http->client_stream.tail->data; | |
1078 | /* XXX: This is suboptimal. We should give the stream the range set, | |
1079 | * and thereby let the top of the stream set the offset when the | |
26ac0430 | 1080 | * size becomes known. As it is, we will end up requesting from 0 |
62e76326 | 1081 | * for evey -X range specification. |
1082 | * RBC - this may be somewhat wrong. We should probably set the range | |
1083 | * iter up at this point. | |
1084 | */ | |
1085 | node->readBuffer.offset = request->range->lowestOffset(0); | |
1086 | http->range_iter.pos = request->range->begin(); | |
1087 | http->range_iter.valid = true; | |
1088 | } | |
edce4d98 | 1089 | } |
62e76326 | 1090 | |
0ef77270 | 1091 | /* Only HEAD and GET requests permit a Range or Request-Range header. |
1092 | * If these headers appear on any other type of request, delete them now. | |
1093 | */ | |
1094 | else { | |
1095 | req_hdr->delById(HDR_RANGE); | |
1096 | req_hdr->delById(HDR_REQUEST_RANGE); | |
56713d9a | 1097 | delete request->range; |
0ef77270 | 1098 | request->range = NULL; |
1099 | } | |
1100 | ||
a9925b40 | 1101 | if (req_hdr->has(HDR_AUTHORIZATION)) |
62e76326 | 1102 | request->flags.auth = 1; |
1103 | ||
46a1f562 | 1104 | clientCheckPinning(http); |
d67acb4e | 1105 | |
edce4d98 | 1106 | if (request->login[0] != '\0') |
62e76326 | 1107 | request->flags.auth = 1; |
1108 | ||
a9925b40 | 1109 | if (req_hdr->has(HDR_VIA)) { |
30abd221 | 1110 | String s = req_hdr->getList(HDR_VIA); |
62e76326 | 1111 | /* |
3c4fcf0f | 1112 | * ThisCache cannot be a member of Via header, "1.1 ThisCache" can. |
62e76326 | 1113 | * Note ThisCache2 has a space prepended to the hostname so we don't |
1114 | * accidentally match super-domains. | |
1115 | */ | |
1116 | ||
1117 | if (strListIsSubstr(&s, ThisCache2, ',')) { | |
1118 | debugObj(33, 1, "WARNING: Forwarding loop detected for:\n", | |
1119 | request, (ObjPackMethod) & httpRequestPack); | |
1120 | request->flags.loopdetect = 1; | |
1121 | } | |
1122 | ||
21f6708d | 1123 | #if USE_FORW_VIA_DB |
bb790702 | 1124 | fvdbCountVia(s.termedBuf()); |
62e76326 | 1125 | |
edce4d98 | 1126 | #endif |
62e76326 | 1127 | |
30abd221 | 1128 | s.clean(); |
edce4d98 | 1129 | } |
62e76326 | 1130 | |
21f6708d | 1131 | #if USE_FORW_VIA_DB |
62e76326 | 1132 | |
a9925b40 | 1133 | if (req_hdr->has(HDR_X_FORWARDED_FOR)) { |
30abd221 | 1134 | String s = req_hdr->getList(HDR_X_FORWARDED_FOR); |
bb790702 | 1135 | fvdbCountForw(s.termedBuf()); |
30abd221 | 1136 | s.clean(); |
edce4d98 | 1137 | } |
62e76326 | 1138 | |
edce4d98 | 1139 | #endif |
62e76326 | 1140 | |
610ee341 | 1141 | request->flags.cachable = http->request->cacheable(); |
62e76326 | 1142 | |
edce4d98 | 1143 | if (clientHierarchical(http)) |
62e76326 | 1144 | request->flags.hierarchical = 1; |
1145 | ||
bf8fe701 | 1146 | debugs(85, 5, "clientInterpretRequestHeaders: REQ_NOCACHE = " << |
1147 | (request->flags.nocache ? "SET" : "NOT SET")); | |
1148 | debugs(85, 5, "clientInterpretRequestHeaders: REQ_CACHABLE = " << | |
1149 | (request->flags.cachable ? "SET" : "NOT SET")); | |
1150 | debugs(85, 5, "clientInterpretRequestHeaders: REQ_HIERARCHICAL = " << | |
1151 | (request->flags.hierarchical ? "SET" : "NOT SET")); | |
62e76326 | 1152 | |
edce4d98 | 1153 | } |
1154 | ||
1155 | void | |
de31d06f | 1156 | clientRedirectDoneWrapper(void *data, char *result) |
edce4d98 | 1157 | { |
de31d06f | 1158 | ClientRequestContext *calloutContext = (ClientRequestContext *)data; |
db02222f | 1159 | |
de31d06f | 1160 | if (!calloutContext->httpStateIsValid()) |
62e76326 | 1161 | return; |
62e76326 | 1162 | |
de31d06f | 1163 | calloutContext->clientRedirectDone(result); |
1164 | } | |
1165 | ||
1166 | void | |
1167 | ClientRequestContext::clientRedirectDone(char *result) | |
1168 | { | |
190154cf | 1169 | HttpRequest *old_request = http->request; |
bf8fe701 | 1170 | debugs(85, 5, "clientRedirectDone: '" << http->uri << "' result=" << (result ? result : "NULL")); |
de31d06f | 1171 | assert(redirect_state == REDIRECT_PENDING); |
1172 | redirect_state = REDIRECT_DONE; | |
62e76326 | 1173 | |
edce4d98 | 1174 | if (result) { |
62e76326 | 1175 | http_status status = (http_status) atoi(result); |
1176 | ||
1177 | if (status == HTTP_MOVED_PERMANENTLY | |
1178 | || status == HTTP_MOVED_TEMPORARILY | |
1179 | || status == HTTP_SEE_OTHER | |
1180 | || status == HTTP_TEMPORARY_REDIRECT) { | |
1181 | char *t = result; | |
1182 | ||
1183 | if ((t = strchr(result, ':')) != NULL) { | |
1184 | http->redirect.status = status; | |
1185 | http->redirect.location = xstrdup(t + 1); | |
e5b677f0 | 1186 | // TODO: validate the URL produced here is RFC 2616 compliant absolute URI |
62e76326 | 1187 | } else { |
e5b677f0 AJ |
1188 | if (old_request->http_ver < HttpVersion(1,1)) |
1189 | debugs(85, DBG_CRITICAL, "ERROR: URL-rewrite produces invalid 302 redirect Location: " << result); | |
1190 | else | |
1191 | debugs(85, DBG_CRITICAL, "ERROR: URL-rewrite produces invalid 303 redirect Location: " << result); | |
62e76326 | 1192 | } |
e5b677f0 | 1193 | } else if (strcmp(result, http->uri)) { |
9be14530 AJ |
1194 | // XXX: validate the URL properly *without* generating a whole new request object right here. |
1195 | // XXX: the clone() should be done only AFTER we know the new URL is valid. | |
1196 | HttpRequest *new_request = old_request->clone(); | |
1197 | if (urlParse(old_request->method, result, new_request)) { | |
1198 | debugs(61,2, HERE << "URL-rewriter diverts URL from " << urlCanonical(old_request) << " to " << urlCanonical(new_request)); | |
1199 | ||
1200 | // update the new request to flag the re-writing was done on it | |
1201 | new_request->flags.redirected = 1; | |
1202 | ||
1203 | // unlink bodypipe from the old request. Not needed there any longer. | |
1204 | if (old_request->body_pipe != NULL) { | |
1205 | old_request->body_pipe = NULL; | |
1206 | debugs(61,2, HERE << "URL-rewriter diverts body_pipe " << new_request->body_pipe << | |
1207 | " from request " << old_request << " to " << new_request); | |
1208 | } | |
1209 | ||
1210 | // update the current working ClientHttpRequest fields | |
1211 | safe_free(http->uri); | |
1212 | http->uri = xstrdup(urlCanonical(new_request)); | |
1213 | HTTPMSGUNLOCK(old_request); | |
1214 | http->request = HTTPMSGLOCK(new_request); | |
1215 | } else { | |
e5b677f0 | 1216 | debugs(85, DBG_CRITICAL, "ERROR: URL-rewrite produces invalid request: " << |
c9fd01b4 | 1217 | old_request->method << " " << result << " " << old_request->http_ver); |
9be14530 AJ |
1218 | delete new_request; |
1219 | } | |
74b48915 | 1220 | } |
edce4d98 | 1221 | } |
62e76326 | 1222 | |
edce4d98 | 1223 | /* FIXME PIPELINE: This is innacurate during pipelining */ |
62e76326 | 1224 | |
73c36fd9 AJ |
1225 | if (http->getConn() != NULL && Comm::IsConnOpen(http->getConn()->clientConnection)) |
1226 | fd_note(http->getConn()->clientConnection->fd, http->uri); | |
62e76326 | 1227 | |
c8be6d7b | 1228 | assert(http->uri); |
62e76326 | 1229 | |
de31d06f | 1230 | http->doCallouts(); |
edce4d98 | 1231 | } |
1232 | ||
b50e327b AJ |
1233 | /** Test cache allow/deny configuration |
1234 | * Sets flags.cachable=1 if caching is not denied. | |
1235 | */ | |
edce4d98 | 1236 | void |
8e2745f4 | 1237 | ClientRequestContext::checkNoCache() |
edce4d98 | 1238 | { |
b50e327b AJ |
1239 | if (Config.accessList.noCache) { |
1240 | acl_checklist = clientAclChecklistCreate(Config.accessList.noCache, http); | |
1241 | acl_checklist->nonBlockingCheck(checkNoCacheDoneWrapper, this); | |
1242 | } else { | |
1243 | /* unless otherwise specified, we try to cache. */ | |
2efeb0b7 | 1244 | checkNoCacheDone(ACCESS_ALLOWED); |
b50e327b | 1245 | } |
edce4d98 | 1246 | } |
1247 | ||
de31d06f | 1248 | static void |
2efeb0b7 | 1249 | checkNoCacheDoneWrapper(allow_t answer, void *data) |
edce4d98 | 1250 | { |
de31d06f | 1251 | ClientRequestContext *calloutContext = (ClientRequestContext *) data; |
e4a67a80 | 1252 | |
de31d06f | 1253 | if (!calloutContext->httpStateIsValid()) |
1254 | return; | |
1255 | ||
1256 | calloutContext->checkNoCacheDone(answer); | |
8e2745f4 | 1257 | } |
4fb35c3c | 1258 | |
8e2745f4 | 1259 | void |
2efeb0b7 | 1260 | ClientRequestContext::checkNoCacheDone(const allow_t &answer) |
62e76326 | 1261 | { |
8e2745f4 | 1262 | acl_checklist = NULL; |
2efeb0b7 | 1263 | http->request->flags.cachable = (answer == ACCESS_ALLOWED); |
de31d06f | 1264 | http->doCallouts(); |
edce4d98 | 1265 | } |
1266 | ||
e0c0d54c CT |
1267 | #if USE_SSL |
1268 | bool | |
1269 | ClientRequestContext::sslBumpAccessCheck() | |
1270 | { | |
1271 | if (http->request->method == METHOD_CONNECT && | |
f8901ea9 | 1272 | Config.accessList.ssl_bump && http->getConn()->port->sslBump) { |
e0c0d54c CT |
1273 | debugs(85, 5, HERE << "SslBump possible, checking ACL"); |
1274 | ||
1275 | ACLFilledChecklist *acl_checklist = clientAclChecklistCreate(Config.accessList.ssl_bump, http); | |
1276 | acl_checklist->nonBlockingCheck(sslBumpAccessCheckDoneWrapper, this); | |
1277 | return true; | |
f8901ea9 | 1278 | } else { |
e0c0d54c CT |
1279 | http->sslBumpNeeded(false); |
1280 | return false; | |
1281 | } | |
1282 | } | |
1283 | ||
f8901ea9 | 1284 | /** |
e0c0d54c CT |
1285 | * A wrapper function to use the ClientRequestContext::sslBumpAccessCheckDone method |
1286 | * as ACLFilledChecklist callback | |
1287 | */ | |
1288 | static void | |
2efeb0b7 | 1289 | sslBumpAccessCheckDoneWrapper(allow_t answer, void *data) |
e0c0d54c CT |
1290 | { |
1291 | ClientRequestContext *calloutContext = static_cast<ClientRequestContext *>(data); | |
1292 | ||
1293 | if (!calloutContext->httpStateIsValid()) | |
1294 | return; | |
1295 | calloutContext->sslBumpAccessCheckDone(answer == ACCESS_ALLOWED); | |
1296 | } | |
1297 | ||
1298 | void | |
1299 | ClientRequestContext::sslBumpAccessCheckDone(bool doSslBump) | |
1300 | { | |
1301 | http->sslBumpNeeded(doSslBump); | |
1302 | http->doCallouts(); | |
1303 | } | |
1304 | #endif | |
1305 | ||
69660be0 | 1306 | /* |
1307 | * Identify requests that do not go through the store and client side stream | |
1308 | * and forward them to the appropriate location. All other requests, request | |
1309 | * them. | |
edce4d98 | 1310 | */ |
1311 | void | |
8e2745f4 | 1312 | ClientHttpRequest::processRequest() |
edce4d98 | 1313 | { |
60745f24 | 1314 | debugs(85, 4, "clientProcessRequest: " << RequestMethodStr(request->method) << " '" << uri << "'"); |
62e76326 | 1315 | |
31281814 | 1316 | if (request->method == METHOD_CONNECT && !redirect.status) { |
3712be3f | 1317 | #if USE_SSL |
31281814 AJ |
1318 | if (sslBumpNeeded()) { |
1319 | sslBumpStart(); | |
1320 | return; | |
1321 | } | |
3712be3f | 1322 | #endif |
62e76326 | 1323 | logType = LOG_TCP_MISS; |
f84dd7eb | 1324 | getConn()->stopReading(); // tunnels read for themselves |
11007d4b | 1325 | tunnelStart(this, &out.size, &al.http.code); |
62e76326 | 1326 | return; |
edce4d98 | 1327 | } |
62e76326 | 1328 | |
8e2745f4 | 1329 | httpStart(); |
1330 | } | |
1331 | ||
1332 | void | |
1333 | ClientHttpRequest::httpStart() | |
1334 | { | |
559da936 | 1335 | PROF_start(httpStart); |
8e2745f4 | 1336 | logType = LOG_TAG_NONE; |
38e16f92 | 1337 | debugs(85, 4, "ClientHttpRequest::httpStart: " << Format::log_tags[logType] << " for '" << uri << "'"); |
bf8fe701 | 1338 | |
edce4d98 | 1339 | /* no one should have touched this */ |
8e2745f4 | 1340 | assert(out.offset == 0); |
edce4d98 | 1341 | /* Use the Stream Luke */ |
8e2745f4 | 1342 | clientStreamNode *node = (clientStreamNode *)client_stream.tail->data; |
1343 | clientStreamRead(node, this, node->readBuffer); | |
559da936 | 1344 | PROF_stop(httpStart); |
edce4d98 | 1345 | } |
0655fa4d | 1346 | |
3712be3f | 1347 | #if USE_SSL |
1348 | ||
3712be3f | 1349 | bool |
26ac0430 AJ |
1350 | ClientHttpRequest::sslBumpNeeded() const |
1351 | { | |
e0c0d54c CT |
1352 | assert(sslBumpNeed != needUnknown); |
1353 | return (sslBumpNeed == needConfirmed); | |
1354 | } | |
3712be3f | 1355 | |
e0c0d54c CT |
1356 | void |
1357 | ClientHttpRequest::sslBumpNeeded(bool isNeeded) | |
1358 | { | |
1359 | debugs(83, 3, HERE << "sslBump required: "<< (isNeeded ? "Yes" : "No")); | |
1360 | sslBumpNeed = (isNeeded ? needConfirmed : needNot); | |
3712be3f | 1361 | } |
1362 | ||
1363 | // called when comm_write has completed | |
1364 | static void | |
e0d28505 | 1365 | SslBumpEstablish(const Comm::ConnectionPointer &, char *, size_t, comm_err_t errflag, int, void *data) |
3712be3f | 1366 | { |
1367 | ClientHttpRequest *r = static_cast<ClientHttpRequest*>(data); | |
1368 | debugs(85, 5, HERE << "responded to CONNECT: " << r << " ? " << errflag); | |
1369 | ||
1370 | assert(r && cbdataReferenceValid(r)); | |
1371 | r->sslBumpEstablish(errflag); | |
1372 | } | |
1373 | ||
1374 | void | |
1375 | ClientHttpRequest::sslBumpEstablish(comm_err_t errflag) | |
1376 | { | |
1377 | // Bail out quickly on COMM_ERR_CLOSING - close handlers will tidy up | |
1378 | if (errflag == COMM_ERR_CLOSING) | |
1379 | return; | |
1380 | ||
1381 | if (errflag) { | |
1fa35be8 | 1382 | debugs(85, 3, HERE << "CONNECT response failure in SslBump: " << errflag); |
bbc83914 | 1383 | getConn()->clientConnection->close(); |
3712be3f | 1384 | return; |
1385 | } | |
1386 | ||
95d2589c | 1387 | getConn()->switchToHttps(request->GetHost()); |
3712be3f | 1388 | } |
1389 | ||
1390 | void | |
1391 | ClientHttpRequest::sslBumpStart() | |
1392 | { | |
73c36fd9 | 1393 | debugs(85, 5, HERE << "Confirming CONNECT tunnel on FD " << getConn()->clientConnection); |
3712be3f | 1394 | // send an HTTP 200 response to kick client SSL negotiation |
73c36fd9 | 1395 | debugs(33, 7, HERE << "Confirming CONNECT tunnel on FD " << getConn()->clientConnection); |
3712be3f | 1396 | |
1397 | // TODO: Unify with tunnel.cc and add a Server(?) header | |
b0388924 | 1398 | static const char *const conn_established = "HTTP/1.1 200 Connection established\r\n\r\n"; |
ec41b64c AJ |
1399 | AsyncCall::Pointer call = commCbCall(85, 5, "ClientSocketContext::sslBumpEstablish", |
1400 | CommIoCbPtrFun(&SslBumpEstablish, this)); | |
73c36fd9 | 1401 | Comm::Write(getConn()->clientConnection, conn_established, strlen(conn_established), call, NULL); |
3712be3f | 1402 | } |
1403 | ||
1404 | #endif | |
1405 | ||
0655fa4d | 1406 | bool |
1407 | ClientHttpRequest::gotEnough() const | |
1408 | { | |
86a2f789 | 1409 | /** TODO: should be querying the stream. */ |
7173d5b0 | 1410 | int64_t contentLength = |
06a5ae20 | 1411 | memObject()->getReply()->bodySize(request->method); |
0655fa4d | 1412 | assert(contentLength >= 0); |
1413 | ||
1414 | if (out.offset < contentLength) | |
1415 | return false; | |
1416 | ||
1417 | return true; | |
1418 | } | |
1419 | ||
86a2f789 | 1420 | void |
1421 | ClientHttpRequest::storeEntry(StoreEntry *newEntry) | |
1422 | { | |
1423 | entry_ = newEntry; | |
1424 | } | |
1425 | ||
0976f8db | 1426 | void |
1427 | ClientHttpRequest::loggingEntry(StoreEntry *newEntry) | |
1428 | { | |
1429 | if (loggingEntry_) | |
97b5e68f | 1430 | loggingEntry_->unlock(); |
0976f8db | 1431 | |
1432 | loggingEntry_ = newEntry; | |
1433 | ||
1434 | if (loggingEntry_) | |
3d0ac046 | 1435 | loggingEntry_->lock(); |
0976f8db | 1436 | } |
86a2f789 | 1437 | |
de31d06f | 1438 | /* |
1439 | * doCallouts() - This function controls the order of "callout" | |
1440 | * executions, including non-blocking access control checks, the | |
1441 | * redirector, and ICAP. Previously, these callouts were chained | |
1442 | * together such that "clientAccessCheckDone()" would call | |
1443 | * "clientRedirectStart()" and so on. | |
1444 | * | |
1445 | * The ClientRequestContext (aka calloutContext) class holds certain | |
1446 | * state data for the callout/callback operations. Previously | |
1447 | * ClientHttpRequest would sort of hand off control to ClientRequestContext | |
1448 | * for a short time. ClientRequestContext would then delete itself | |
1449 | * and pass control back to ClientHttpRequest when all callouts | |
1450 | * were finished. | |
1451 | * | |
1452 | * This caused some problems for ICAP because we want to make the | |
1453 | * ICAP callout after checking ACLs, but before checking the no_cache | |
1454 | * list. We can't stuff the ICAP state into the ClientRequestContext | |
1455 | * class because we still need the ICAP state after ClientRequestContext | |
1456 | * goes away. | |
1457 | * | |
1458 | * Note that ClientRequestContext is created before the first call | |
1459 | * to doCallouts(). | |
1460 | * | |
1461 | * If one of the callouts notices that ClientHttpRequest is no | |
1462 | * longer valid, it should call cbdataReferenceDone() so that | |
1463 | * ClientHttpRequest's reference count goes to zero and it will get | |
1464 | * deleted. ClientHttpRequest will then delete ClientRequestContext. | |
1465 | * | |
1466 | * Note that we set the _done flags here before actually starting | |
1467 | * the callout. This is strictly for convenience. | |
1468 | */ | |
1469 | ||
425de4c8 AJ |
1470 | extern tos_t aclMapTOS (acl_tos * head, ACLChecklist * ch); |
1471 | extern nfmark_t aclMapNfmark (acl_nfmark * head, ACLChecklist * ch); | |
057f5854 | 1472 | |
de31d06f | 1473 | void |
1474 | ClientHttpRequest::doCallouts() | |
1475 | { | |
1476 | assert(calloutContext); | |
1477 | ||
6fca33e0 CT |
1478 | /*Save the original request for logging purposes*/ |
1479 | if (!calloutContext->http->al.request) | |
105d1937 | 1480 | calloutContext->http->al.request = HTTPMSGLOCK(request); |
6fca33e0 | 1481 | |
fe97983f AJ |
1482 | // CVE-2009-0801: verify the Host: header is consistent with other known details. |
1483 | if (!calloutContext->host_header_verify_done) { | |
1484 | debugs(83, 3, HERE << "Doing calloutContext->hostHeaderVerify()"); | |
1485 | calloutContext->host_header_verify_done = true; | |
1486 | calloutContext->hostHeaderVerify(); | |
1487 | return; | |
1488 | } | |
1489 | ||
de31d06f | 1490 | if (!calloutContext->http_access_done) { |
3712be3f | 1491 | debugs(83, 3, HERE << "Doing calloutContext->clientAccessCheck()"); |
57abaac0 | 1492 | calloutContext->http_access_done = true; |
de31d06f | 1493 | calloutContext->clientAccessCheck(); |
1494 | return; | |
1495 | } | |
1496 | ||
a83c6ed6 | 1497 | #if USE_ADAPTATION |
abd4b611 | 1498 | if (!calloutContext->adaptation_acl_check_done) { |
a83c6ed6 | 1499 | calloutContext->adaptation_acl_check_done = true; |
abd4b611 | 1500 | if (Adaptation::AccessCheck::Start( |
26ac0430 AJ |
1501 | Adaptation::methodReqmod, Adaptation::pointPreCache, |
1502 | request, NULL, adaptationAclCheckDoneWrapper, calloutContext)) | |
abd4b611 | 1503 | return; // will call callback |
de31d06f | 1504 | } |
de31d06f | 1505 | #endif |
1506 | ||
1507 | if (!calloutContext->redirect_done) { | |
57abaac0 | 1508 | calloutContext->redirect_done = true; |
de31d06f | 1509 | assert(calloutContext->redirect_state == REDIRECT_NONE); |
1510 | ||
1511 | if (Config.Program.redirect) { | |
3712be3f | 1512 | debugs(83, 3, HERE << "Doing calloutContext->clientRedirectStart()"); |
de31d06f | 1513 | calloutContext->redirect_state = REDIRECT_PENDING; |
1514 | calloutContext->clientRedirectStart(); | |
1515 | return; | |
1516 | } | |
1517 | } | |
1518 | ||
533493da AJ |
1519 | if (!calloutContext->adapted_http_access_done) { |
1520 | debugs(83, 3, HERE << "Doing calloutContext->clientAccessCheck2()"); | |
1521 | calloutContext->adapted_http_access_done = true; | |
1522 | calloutContext->clientAccessCheck2(); | |
1523 | return; | |
1524 | } | |
1525 | ||
57abaac0 | 1526 | if (!calloutContext->interpreted_req_hdrs) { |
3712be3f | 1527 | debugs(83, 3, HERE << "Doing clientInterpretRequestHeaders()"); |
57abaac0 | 1528 | calloutContext->interpreted_req_hdrs = 1; |
1529 | clientInterpretRequestHeaders(this); | |
1530 | } | |
1531 | ||
de31d06f | 1532 | if (!calloutContext->no_cache_done) { |
57abaac0 | 1533 | calloutContext->no_cache_done = true; |
de31d06f | 1534 | |
1535 | if (Config.accessList.noCache && request->flags.cachable) { | |
3712be3f | 1536 | debugs(83, 3, HERE << "Doing calloutContext->checkNoCache()"); |
de31d06f | 1537 | calloutContext->checkNoCache(); |
1538 | return; | |
1539 | } | |
1540 | } | |
1541 | ||
425de4c8 AJ |
1542 | if (!calloutContext->tosToClientDone) { |
1543 | calloutContext->tosToClientDone = true; | |
73c36fd9 | 1544 | if (getConn() != NULL && Comm::IsConnOpen(getConn()->clientConnection)) { |
c0941a6a | 1545 | ACLFilledChecklist ch(NULL, request, NULL); |
057f5854 | 1546 | ch.src_addr = request->client_addr; |
1547 | ch.my_addr = request->my_addr; | |
425de4c8 | 1548 | tos_t tos = aclMapTOS(Ip::Qos::TheConfig.tosToClient, &ch); |
3712be3f | 1549 | if (tos) |
73c36fd9 | 1550 | Ip::Qos::setSockTos(getConn()->clientConnection, tos); |
425de4c8 AJ |
1551 | } |
1552 | } | |
1553 | ||
1554 | if (!calloutContext->nfmarkToClientDone) { | |
1555 | calloutContext->nfmarkToClientDone = true; | |
73c36fd9 | 1556 | if (getConn() != NULL && Comm::IsConnOpen(getConn()->clientConnection)) { |
425de4c8 AJ |
1557 | ACLFilledChecklist ch(NULL, request, NULL); |
1558 | ch.src_addr = request->client_addr; | |
1559 | ch.my_addr = request->my_addr; | |
1560 | nfmark_t mark = aclMapNfmark(Ip::Qos::TheConfig.nfmarkToClient, &ch); | |
1561 | if (mark) | |
73c36fd9 | 1562 | Ip::Qos::setSockNfmark(getConn()->clientConnection, mark); |
3712be3f | 1563 | } |
057f5854 | 1564 | } |
1565 | ||
d2565320 | 1566 | #if USE_SSL |
e0c0d54c CT |
1567 | if (!calloutContext->sslBumpCheckDone) { |
1568 | calloutContext->sslBumpCheckDone = true; | |
1569 | if (calloutContext->sslBumpAccessCheck()) | |
1570 | return; | |
1571 | /* else no ssl bump required*/ | |
1572 | } | |
d2565320 | 1573 | #endif |
e0c0d54c | 1574 | |
de31d06f | 1575 | cbdataReferenceDone(calloutContext->http); |
1576 | delete calloutContext; | |
1577 | calloutContext = NULL; | |
de31d06f | 1578 | #if HEADERS_LOG |
1579 | ||
1580 | headersLog(0, 1, request->method, request); | |
1581 | #endif | |
1582 | ||
58d7150d | 1583 | debugs(83, 3, HERE << "calling processRequest()"); |
de31d06f | 1584 | processRequest(); |
3ff65596 AR |
1585 | |
1586 | #if ICAP_CLIENT | |
1587 | Adaptation::Icap::History::Pointer ih = request->icapHistory(); | |
1588 | if (ih != NULL) | |
1589 | ih->logType = logType; | |
1590 | #endif | |
de31d06f | 1591 | } |
1592 | ||
32d002cb | 1593 | #if !_USE_INLINE_ |
86a2f789 | 1594 | #include "client_side_request.cci" |
1595 | #endif | |
de31d06f | 1596 | |
a83c6ed6 | 1597 | #if USE_ADAPTATION |
a22e6cd3 AR |
1598 | /// Initiate an asynchronous adaptation transaction which will call us back. |
1599 | void | |
1600 | ClientHttpRequest::startAdaptation(const Adaptation::ServiceGroupPointer &g) | |
3b299123 | 1601 | { |
a22e6cd3 | 1602 | debugs(85, 3, HERE << "adaptation needed for " << this); |
a83c6ed6 AR |
1603 | assert(!virginHeadSource); |
1604 | assert(!adaptedBodySource); | |
a22e6cd3 | 1605 | virginHeadSource = initiateAdaptation( |
4cb2536f | 1606 | new Adaptation::Iterator(request, NULL, g)); |
a83c6ed6 | 1607 | |
e1381638 | 1608 | // we could try to guess whether we can bypass this adaptation |
a22e6cd3 | 1609 | // initiation failure, but it should not really happen |
4299f876 | 1610 | Must(initiated(virginHeadSource)); |
de31d06f | 1611 | } |
1612 | ||
1613 | void | |
3af10ac0 | 1614 | ClientHttpRequest::noteAdaptationAnswer(const Adaptation::Answer &answer) |
de31d06f | 1615 | { |
de31d06f | 1616 | assert(cbdataReferenceValid(this)); // indicates bug |
3af10ac0 AR |
1617 | clearAdaptation(virginHeadSource); |
1618 | assert(!adaptedBodySource); | |
1619 | ||
1620 | switch (answer.kind) { | |
1621 | case Adaptation::Answer::akForward: | |
1622 | handleAdaptedHeader(answer.message); | |
1623 | break; | |
1624 | ||
1625 | case Adaptation::Answer::akBlock: | |
1626 | handleAdaptationBlock(answer); | |
1627 | break; | |
1628 | ||
1629 | case Adaptation::Answer::akError: | |
1630 | handleAdaptationFailure(ERR_DETAIL_CLT_REQMOD_ABORT, !answer.final); | |
1631 | break; | |
1632 | } | |
1633 | } | |
1634 | ||
1635 | void | |
ec4d1a1d | 1636 | ClientHttpRequest::handleAdaptedHeader(HttpMsg *msg) |
3af10ac0 | 1637 | { |
5f8252d2 | 1638 | assert(msg); |
1639 | ||
b044675d | 1640 | if (HttpRequest *new_req = dynamic_cast<HttpRequest*>(msg)) { |
200ac359 | 1641 | /* |
5f8252d2 | 1642 | * Replace the old request with the new request. |
200ac359 | 1643 | */ |
6dd9f4bd | 1644 | HTTPMSGUNLOCK(request); |
1645 | request = HTTPMSGLOCK(new_req); | |
200ac359 | 1646 | /* |
1647 | * Store the new URI for logging | |
1648 | */ | |
1649 | xfree(uri); | |
1650 | uri = xstrdup(urlCanonical(request)); | |
1651 | setLogUri(this, urlCanonicalClean(request)); | |
914b89a2 | 1652 | assert(request->method.id()); |
b044675d | 1653 | } else if (HttpReply *new_rep = dynamic_cast<HttpReply*>(msg)) { |
1654 | debugs(85,3,HERE << "REQMOD reply is HTTP reply"); | |
1655 | ||
5f8252d2 | 1656 | // subscribe to receive reply body |
1657 | if (new_rep->body_pipe != NULL) { | |
a83c6ed6 | 1658 | adaptedBodySource = new_rep->body_pipe; |
d222a56c HN |
1659 | int consumer_ok = adaptedBodySource->setConsumerIfNotLate(this); |
1660 | assert(consumer_ok); | |
5f8252d2 | 1661 | } |
1662 | ||
b044675d | 1663 | clientStreamNode *node = (clientStreamNode *)client_stream.tail->prev->data; |
1664 | clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw()); | |
1665 | repContext->createStoreEntry(request->method, request->flags); | |
1666 | ||
1667 | EBIT_CLR(storeEntry()->flags, ENTRY_FWD_HDR_WAIT); | |
1668 | request_satisfaction_mode = true; | |
1669 | request_satisfaction_offset = 0; | |
1670 | storeEntry()->replaceHttpReply(new_rep); | |
97ae5196 | 1671 | storeEntry()->timestampsSet(); |
cb4c4288 | 1672 | |
a83c6ed6 | 1673 | if (!adaptedBodySource) // no body |
cb4c4288 | 1674 | storeEntry()->complete(); |
b044675d | 1675 | clientGetMoreData(node, this); |
200ac359 | 1676 | } |
de31d06f | 1677 | |
5f8252d2 | 1678 | // we are done with getting headers (but may be receiving body) |
a83c6ed6 | 1679 | clearAdaptation(virginHeadSource); |
5f8252d2 | 1680 | |
b044675d | 1681 | if (!request_satisfaction_mode) |
1682 | doCallouts(); | |
de31d06f | 1683 | } |
1684 | ||
1685 | void | |
3af10ac0 | 1686 | ClientHttpRequest::handleAdaptationBlock(const Adaptation::Answer &answer) |
de31d06f | 1687 | { |
3af10ac0 AR |
1688 | request->detailError(ERR_ACCESS_DENIED, ERR_DETAIL_REQMOD_BLOCK); |
1689 | AclMatchedName = answer.ruleId.termedBuf(); | |
1690 | assert(calloutContext); | |
1691 | calloutContext->clientAccessCheckDone(ACCESS_DENIED); | |
1692 | AclMatchedName = NULL; | |
de31d06f | 1693 | } |
1694 | ||
1695 | void | |
1cf238db | 1696 | ClientHttpRequest::noteMoreBodyDataAvailable(BodyPipe::Pointer) |
de31d06f | 1697 | { |
5f8252d2 | 1698 | assert(request_satisfaction_mode); |
a83c6ed6 | 1699 | assert(adaptedBodySource != NULL); |
5f8252d2 | 1700 | |
4ce0e99b | 1701 | if (const size_t contentSize = adaptedBodySource->buf().contentSize()) { |
a83c6ed6 | 1702 | BodyPipeCheckout bpc(*adaptedBodySource); |
4ce0e99b | 1703 | const StoreIOBuffer ioBuf(&bpc.buf, request_satisfaction_offset); |
5f8252d2 | 1704 | storeEntry()->write(ioBuf); |
1705 | // assume can write everything | |
1706 | request_satisfaction_offset += contentSize; | |
4ce0e99b | 1707 | bpc.buf.consume(contentSize); |
5f8252d2 | 1708 | bpc.checkIn(); |
1709 | } | |
1710 | ||
a83c6ed6 | 1711 | if (adaptedBodySource->exhausted()) |
5f8252d2 | 1712 | endRequestSatisfaction(); |
1713 | // else wait for more body data | |
de31d06f | 1714 | } |
1715 | ||
1716 | void | |
1cf238db | 1717 | ClientHttpRequest::noteBodyProductionEnded(BodyPipe::Pointer) |
de31d06f | 1718 | { |
a83c6ed6 AR |
1719 | assert(!virginHeadSource); |
1720 | if (adaptedBodySource != NULL) { // did not end request satisfaction yet | |
26ac0430 | 1721 | // We do not expect more because noteMoreBodyDataAvailable always |
5f8252d2 | 1722 | // consumes everything. We do not even have a mechanism to consume |
1723 | // leftovers after noteMoreBodyDataAvailable notifications seize. | |
a83c6ed6 | 1724 | assert(adaptedBodySource->exhausted()); |
5f8252d2 | 1725 | endRequestSatisfaction(); |
1726 | } | |
1727 | } | |
3b299123 | 1728 | |
5f8252d2 | 1729 | void |
26ac0430 AJ |
1730 | ClientHttpRequest::endRequestSatisfaction() |
1731 | { | |
5f8252d2 | 1732 | debugs(85,4, HERE << this << " ends request satisfaction"); |
1733 | assert(request_satisfaction_mode); | |
a83c6ed6 | 1734 | stopConsumingFrom(adaptedBodySource); |
3b299123 | 1735 | |
5f8252d2 | 1736 | // TODO: anything else needed to end store entry formation correctly? |
1737 | storeEntry()->complete(); | |
1738 | } | |
de31d06f | 1739 | |
5f8252d2 | 1740 | void |
1cf238db | 1741 | ClientHttpRequest::noteBodyProducerAborted(BodyPipe::Pointer) |
5f8252d2 | 1742 | { |
a83c6ed6 AR |
1743 | assert(!virginHeadSource); |
1744 | stopConsumingFrom(adaptedBodySource); | |
eae3a9a6 AR |
1745 | |
1746 | debugs(85,3, HERE << "REQMOD body production failed"); | |
1747 | if (request_satisfaction_mode) { // too late to recover or serve an error | |
1748 | request->detailError(ERR_ICAP_FAILURE, ERR_DETAIL_CLT_REQMOD_RESP_BODY); | |
73c36fd9 | 1749 | const Comm::ConnectionPointer c = getConn()->clientConnection; |
e7cea0ed AJ |
1750 | Must(Comm::IsConnOpen(c)); |
1751 | c->close(); // drastic, but we may be writing a response already | |
eae3a9a6 AR |
1752 | } else { |
1753 | handleAdaptationFailure(ERR_DETAIL_CLT_REQMOD_REQ_BODY); | |
1754 | } | |
5f8252d2 | 1755 | } |
3b299123 | 1756 | |
5f8252d2 | 1757 | void |
64b66b76 | 1758 | ClientHttpRequest::handleAdaptationFailure(int errDetail, bool bypassable) |
5f8252d2 | 1759 | { |
a83c6ed6 | 1760 | debugs(85,3, HERE << "handleAdaptationFailure(" << bypassable << ")"); |
3b299123 | 1761 | |
5f8252d2 | 1762 | const bool usedStore = storeEntry() && !storeEntry()->isEmpty(); |
1763 | const bool usedPipe = request->body_pipe != NULL && | |
26ac0430 | 1764 | request->body_pipe->consumedSize() > 0; |
3b299123 | 1765 | |
9d4d7c5e | 1766 | if (bypassable && !usedStore && !usedPipe) { |
1767 | debugs(85,3, HERE << "ICAP REQMOD callout failed, bypassing: " << calloutContext); | |
5f8252d2 | 1768 | if (calloutContext) |
1769 | doCallouts(); | |
1770 | return; | |
1771 | } | |
3b299123 | 1772 | |
5f8252d2 | 1773 | debugs(85,3, HERE << "ICAP REQMOD callout failed, responding with error"); |
3b299123 | 1774 | |
5f8252d2 | 1775 | clientStreamNode *node = (clientStreamNode *)client_stream.tail->prev->data; |
1776 | clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw()); | |
1777 | assert(repContext); | |
de31d06f | 1778 | |
26ac0430 | 1779 | // The original author of the code also wanted to pass an errno to |
5f8252d2 | 1780 | // setReplyToError, but it seems unlikely that the errno reflects the |
1781 | // true cause of the error at this point, so I did not pass it. | |
b7ac5457 | 1782 | Ip::Address noAddr; |
b70ba605 | 1783 | noAddr.SetNoAddr(); |
1cf238db | 1784 | ConnStateData * c = getConn(); |
5f8252d2 | 1785 | repContext->setReplyToError(ERR_ICAP_FAILURE, HTTP_INTERNAL_SERVER_ERROR, |
26ac0430 | 1786 | request->method, NULL, |
73c36fd9 | 1787 | (c != NULL ? c->clientConnection->remote : noAddr), request, NULL, |
79fc6915 | 1788 | #if USE_AUTH |
a33a428a | 1789 | (c != NULL && c->auth_user_request != NULL ? |
26ac0430 | 1790 | c->auth_user_request : request->auth_user_request)); |
79fc6915 AJ |
1791 | #else |
1792 | NULL); | |
1793 | #endif | |
de31d06f | 1794 | |
64b66b76 | 1795 | request->detailError(ERR_ICAP_FAILURE, errDetail); |
378e20f3 | 1796 | c->flags.readMore = true; |
5f8252d2 | 1797 | node = (clientStreamNode *)client_stream.tail->data; |
1798 | clientStreamRead(node, this, node->readBuffer); | |
de31d06f | 1799 | } |
1800 | ||
1801 | #endif |