]>
Commit | Line | Data |
---|---|---|
41462d93 | 1 | /* |
41462d93 | 2 | * DEBUG: section 17 Request Forwarding |
3 | * AUTHOR: Duane Wessels | |
4 | * | |
2b6662ba | 5 | * SQUID Web Proxy Cache http://www.squid-cache.org/ |
e25c139f | 6 | * ---------------------------------------------------------- |
41462d93 | 7 | * |
2b6662ba | 8 | * Squid is the result of efforts by numerous individuals from |
9 | * the Internet community; see the CONTRIBUTORS file for full | |
10 | * details. Many organizations have provided support for Squid's | |
11 | * development; see the SPONSORS file for full details. Squid is | |
12 | * Copyrighted (C) 2001 by the Regents of the University of | |
13 | * California; see the COPYRIGHT file for full details. Squid | |
14 | * incorporates software developed and/or copyrighted by other | |
15 | * sources; see the CREDITS file for full details. | |
41462d93 | 16 | * |
17 | * This program is free software; you can redistribute it and/or modify | |
18 | * it under the terms of the GNU General Public License as published by | |
19 | * the Free Software Foundation; either version 2 of the License, or | |
20 | * (at your option) any later version. | |
26ac0430 | 21 | * |
41462d93 | 22 | * This program is distributed in the hope that it will be useful, |
23 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
24 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
25 | * GNU General Public License for more details. | |
26ac0430 | 26 | * |
41462d93 | 27 | * You should have received a copy of the GNU General Public License |
28 | * along with this program; if not, write to the Free Software | |
cbdec147 | 29 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. |
e25c139f | 30 | * |
41462d93 | 31 | */ |
32 | ||
33 | ||
34 | #include "squid.h" | |
b6b6f466 | 35 | #include "forward.h" |
c0941a6a AR |
36 | #include "acl/FilledChecklist.h" |
37 | #include "acl/Gadgets.h" | |
25b481e6 | 38 | #include "CacheManager.h" |
f9b72e0c | 39 | #include "comm/Connection.h" |
aed188fd | 40 | #include "comm/ConnOpener.h" |
cfd66529 | 41 | #include "CommCalls.h" |
d841c88d | 42 | #include "comm/Loops.h" |
aa839030 | 43 | #include "event.h" |
44 | #include "errorpage.h" | |
45 | #include "fde.h" | |
bbaf2685 | 46 | #include "hier_code.h" |
924f73bc | 47 | #include "HttpReply.h" |
aa839030 | 48 | #include "HttpRequest.h" |
425de4c8 | 49 | #include "ip/QosConfig.h" |
aa839030 | 50 | #include "MemObject.h" |
781ce8ff | 51 | #include "pconn.h" |
cfd66529 | 52 | #include "PeerSelectState.h" |
aa839030 | 53 | #include "SquidTime.h" |
54 | #include "Store.h" | |
9b5c4a9a | 55 | #include "icmp/net_db.h" |
96d89ea0 | 56 | #include "ip/Intercept.h" |
407b9bb1 | 57 | #include "ip/tools.h" |
8822ebee | 58 | #include "mgr/Registration.h" |
4db984be CT |
59 | #if USE_SSL |
60 | #include "ssl/support.h" | |
4d16918e | 61 | #include "ssl/ErrorDetail.h" |
4db984be | 62 | #endif |
cfd66529 | 63 | |
6b679a01 | 64 | static PSC fwdPeerSelectionCompleteWrapper; |
b6b6f466 | 65 | static PF fwdServerClosedWrapper; |
66 | #if USE_SSL | |
67 | static PF fwdNegotiateSSLWrapper; | |
68 | #endif | |
b6b6f466 | 69 | static CNCB fwdConnectDoneWrapper; |
70 | ||
8ddcc35d | 71 | static OBJH fwdStats; |
72 | ||
73 | #define MAX_FWD_STATS_IDX 9 | |
9977e14b | 74 | static int FwdReplyCodes[MAX_FWD_STATS_IDX + 1][HTTP_INVALID_HEADER + 1]; |
db1cd23c | 75 | |
781ce8ff | 76 | static PconnPool *fwdPconnPool = new PconnPool("server-side"); |
b6b6f466 | 77 | CBDATA_CLASS_INIT(FwdState); |
781ce8ff | 78 | |
429871db | 79 | void |
80 | FwdState::abort(void* d) | |
81 | { | |
82 | FwdState* fwd = (FwdState*)d; | |
6ecaf21a | 83 | Pointer tmp = fwd; // Grab a temporary pointer to keep the object alive during our scope. |
429871db | 84 | |
6b679a01 | 85 | if (Comm::IsConnOpen(fwd->serverConnection())) { |
5229395c | 86 | comm_remove_close_handler(fwd->serverConnection()->fd, fwdServerClosedWrapper, fwd); |
cff02fa6 | 87 | } |
00ae51e4 | 88 | fwd->serverDestinations.clean(); |
429871db | 89 | fwd->self = NULL; |
90 | } | |
91 | ||
b6b6f466 | 92 | /**** PUBLIC INTERFACE ********************************************************/ |
c7f9eb6d | 93 | |
be364179 | 94 | FwdState::FwdState(const Comm::ConnectionPointer &client, StoreEntry * e, HttpRequest * r) |
db1cd23c | 95 | { |
3157a816 | 96 | debugs(17, 2, HERE << "Forwarding client request " << client << ", url=" << e->url() ); |
b6b6f466 | 97 | entry = e; |
5c336a3b | 98 | clientConn = client; |
6dd9f4bd | 99 | request = HTTPMSGLOCK(r); |
b6b6f466 | 100 | start_t = squid_curtime; |
00ae51e4 | 101 | serverDestinations.reserve(Config.forward_max_tries); |
3d0ac046 | 102 | e->lock(); |
b6b6f466 | 103 | EBIT_SET(e->flags, ENTRY_FWD_HDR_WAIT); |
7a0fb323 | 104 | } |
105 | ||
106 | // Called once, right after object creation, when it is safe to set self | |
fc68f6b1 | 107 | void FwdState::start(Pointer aSelf) |
108 | { | |
7a0fb323 | 109 | // Protect ourselves from being destroyed when the only Server pointing |
110 | // to us is gone (while we expect to talk to more Servers later). | |
111 | // Once we set self, we are responsible for clearing it when we do not | |
112 | // expect to talk to any servers. | |
113 | self = aSelf; // refcounted | |
114 | ||
115 | // We hope that either the store entry aborts or peer is selected. | |
116 | // Otherwise we are going to leak our object. | |
34266cde | 117 | |
3900307b | 118 | entry->registerAbort(FwdState::abort, this); |
bfe4e2fe AJ |
119 | |
120 | // Bug 3243: CVE 2009-0801 | |
121 | // Bypass of browser same-origin access control in intercepted communication | |
122 | // To resolve this we must force DIRECT and only to the original client destination. | |
123 | if (Config.onoff.client_dst_passthru && request && | |
124 | (request->flags.intercepted || request->flags.spoof_client_ip)) { | |
125 | Comm::ConnectionPointer p = new Comm::Connection(); | |
126 | p->remote = clientConn->local; | |
127 | p->peerType = ORIGINAL_DST; | |
128 | getOutgoingAddress(request, p); | |
129 | serverDestinations.push_back(p); | |
130 | ||
131 | // destination "found". continue with the forwarding. | |
132 | startConnectionOrFail(); | |
133 | } else { | |
134 | // do full route options selection | |
135 | peerSelect(&serverDestinations, request, entry, fwdPeerSelectionCompleteWrapper, this); | |
136 | } | |
db1cd23c | 137 | } |
138 | ||
802a8c1d | 139 | void |
140 | FwdState::completed() | |
41462d93 | 141 | { |
fc68f6b1 | 142 | if (flags.forward_completed == 1) { |
143 | debugs(17, 1, HERE << "FwdState::completed called on a completed request! Bad!"); | |
144 | return; | |
145 | } | |
146 | ||
147 | flags.forward_completed = 1; | |
802a8c1d | 148 | |
bc87dc25 | 149 | #if URL_CHECKSUM_DEBUG |
62e76326 | 150 | |
b6b6f466 | 151 | entry->mem_obj->checkUrlChecksum(); |
225644d7 | 152 | #endif |
62e76326 | 153 | |
b6b6f466 | 154 | if (entry->store_status == STORE_PENDING) { |
155 | if (entry->isEmpty()) { | |
156 | assert(err); | |
157 | errorAppendEntry(entry, err); | |
158 | err = NULL; | |
62e76326 | 159 | } else { |
b6b6f466 | 160 | EBIT_CLR(entry->flags, ENTRY_FWD_HDR_WAIT); |
161 | entry->complete(); | |
d88e3c49 | 162 | entry->releaseRequest(); |
62e76326 | 163 | } |
f563eea9 | 164 | } |
62e76326 | 165 | |
b6b6f466 | 166 | if (storePendingNClients(entry) > 0) |
167 | assert(!EBIT_TEST(entry->flags, ENTRY_FWD_HDR_WAIT)); | |
62e76326 | 168 | |
802a8c1d | 169 | } |
170 | ||
171 | FwdState::~FwdState() | |
172 | { | |
173 | debugs(17, 3, HERE << "FwdState destructor starting"); | |
fc68f6b1 | 174 | |
802a8c1d | 175 | if (! flags.forward_completed) |
fc68f6b1 | 176 | completed(); |
802a8c1d | 177 | |
9d2760b6 AR |
178 | doneWithRetries(); |
179 | ||
6dd9f4bd | 180 | HTTPMSGUNLOCK(request); |
62e76326 | 181 | |
b6b6f466 | 182 | if (err) |
183 | errorStateFree(err); | |
62e76326 | 184 | |
3900307b | 185 | entry->unregisterAbort(); |
429871db | 186 | |
97b5e68f | 187 | entry->unlock(); |
62e76326 | 188 | |
b6b6f466 | 189 | entry = NULL; |
62e76326 | 190 | |
e3a4aecc AJ |
191 | if (calls.connector != NULL) { |
192 | calls.connector->cancel("FwdState destructed"); | |
193 | calls.connector = NULL; | |
194 | } | |
195 | ||
6b679a01 | 196 | if (Comm::IsConnOpen(serverConn)) { |
5229395c AJ |
197 | comm_remove_close_handler(serverConnection()->fd, fwdServerClosedWrapper, this); |
198 | debugs(17, 3, HERE << "closing FD " << serverConnection()->fd); | |
00ae51e4 | 199 | serverConn->close(); |
b6b6f466 | 200 | } |
fc68f6b1 | 201 | |
00ae51e4 | 202 | serverDestinations.clean(); |
cfd66529 | 203 | |
b6b6f466 | 204 | debugs(17, 3, HERE << "FwdState destructor done"); |
205 | } | |
62e76326 | 206 | |
38413773 | 207 | /** |
b6b6f466 | 208 | * This is the entry point for client-side to start forwarding |
209 | * a transaction. It is a static method that may or may not | |
210 | * allocate a FwdState. | |
211 | */ | |
be0c6690 | 212 | void |
be364179 | 213 | FwdState::fwdStart(const Comm::ConnectionPointer &clientConn, StoreEntry *entry, HttpRequest *request) |
b6b6f466 | 214 | { |
b50e327b | 215 | /** \note |
b6b6f466 | 216 | * client_addr == no_addr indicates this is an "internal" request |
217 | * from peer_digest.c, asn.c, netdb.c, etc and should always | |
218 | * be allowed. yuck, I know. | |
219 | */ | |
62e76326 | 220 | |
b50e327b | 221 | if ( Config.accessList.miss && !request->client_addr.IsNoAddr() && |
39a19cb7 | 222 | request->protocol != AnyP::PROTO_INTERNAL && request->protocol != AnyP::PROTO_CACHE_OBJECT) { |
b50e327b | 223 | /** |
b6b6f466 | 224 | * Check if this host is allowed to fetch MISSES from us (miss_access) |
225 | */ | |
c0941a6a | 226 | ACLFilledChecklist ch(Config.accessList.miss, request, NULL); |
b6b6f466 | 227 | ch.src_addr = request->client_addr; |
228 | ch.my_addr = request->my_addr; | |
2efeb0b7 | 229 | if (ch.fastCheck() == ACCESS_DENIED) { |
b6b6f466 | 230 | err_type page_id; |
9ce7856a | 231 | page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, 1); |
b6b6f466 | 232 | |
233 | if (page_id == ERR_NONE) | |
234 | page_id = ERR_FORWARDING_DENIED; | |
235 | ||
2cc81f1f | 236 | ErrorState *anErr = errorCon(page_id, HTTP_FORBIDDEN, request); |
b6b6f466 | 237 | |
238 | errorAppendEntry(entry, anErr); // frees anErr | |
239 | ||
be0c6690 | 240 | return; |
b6b6f466 | 241 | } |
242 | } | |
243 | ||
cfd66529 | 244 | debugs(17, 3, HERE << "'" << entry->url() << "'"); |
f4ef658f | 245 | /* |
246 | * This seems like an odd place to bind mem_obj and request. | |
247 | * Might want to assert that request is NULL at this point | |
248 | */ | |
6dd9f4bd | 249 | entry->mem_obj->request = HTTPMSGLOCK(request); |
b6b6f466 | 250 | #if URL_CHECKSUM_DEBUG |
251 | ||
252 | entry->mem_obj->checkUrlChecksum(); | |
253 | #endif | |
254 | ||
255 | if (shutting_down) { | |
256 | /* more yuck */ | |
2cc81f1f | 257 | ErrorState *anErr = errorCon(ERR_SHUTTING_DOWN, HTTP_SERVICE_UNAVAILABLE, request); |
b6b6f466 | 258 | errorAppendEntry(entry, anErr); // frees anErr |
be0c6690 | 259 | return; |
6801f8a8 | 260 | } |
62e76326 | 261 | |
b6b6f466 | 262 | switch (request->protocol) { |
263 | ||
0c3d3f65 | 264 | case AnyP::PROTO_INTERNAL: |
e37bd29b | 265 | internalStart(clientConn, request, entry); |
be0c6690 | 266 | return; |
b6b6f466 | 267 | |
39a19cb7 | 268 | case AnyP::PROTO_CACHE_OBJECT: |
5c336a3b | 269 | CacheManager::GetInstance()->Start(clientConn, request, entry); |
be0c6690 | 270 | return; |
b6b6f466 | 271 | |
0c3d3f65 | 272 | case AnyP::PROTO_URN: |
b6b6f466 | 273 | urnStart(request, entry); |
be0c6690 | 274 | return; |
b6b6f466 | 275 | |
276 | default: | |
5c336a3b | 277 | FwdState::Pointer fwd = new FwdState(clientConn, entry, request); |
7a0fb323 | 278 | fwd->start(fwd); |
be0c6690 | 279 | return; |
b6b6f466 | 280 | } |
281 | ||
282 | /* NOTREACHED */ | |
41462d93 | 283 | } |
284 | ||
cfd66529 | 285 | void |
6b679a01 | 286 | FwdState::startConnectionOrFail() |
cfd66529 | 287 | { |
8652f8e7 | 288 | debugs(17, 3, HERE << entry->url()); |
cfd66529 | 289 | |
00ae51e4 | 290 | if (serverDestinations.size() > 0) { |
8652f8e7 AJ |
291 | // Ditch error page if it was created before. |
292 | // A new one will be created if there's another problem | |
293 | if (err) { | |
294 | errorStateFree(err); | |
295 | err = NULL; | |
296 | } | |
297 | ||
298 | // Update the logging information about this new server connection. | |
299 | // Done here before anything else so the errors get logged for | |
300 | // this server link regardless of what happens when connecting to it. | |
301 | // IF sucessfuly connected this top destination will become the serverConnection(). | |
302 | request->hier.note(serverDestinations[0], request->GetHost()); | |
303 | ||
cfd66529 AJ |
304 | connectStart(); |
305 | } else { | |
95b83010 CT |
306 | debugs(17, 3, HERE << "Connection failed: " << entry->url()); |
307 | if (!err) { | |
308 | ErrorState *anErr = NULL; | |
8652f8e7 AJ |
309 | anErr = errorCon(ERR_CANNOT_FORWARD, HTTP_INTERNAL_SERVER_ERROR, request); |
310 | anErr->xerrno = errno; | |
95b83010 | 311 | fail(anErr); |
8652f8e7 | 312 | } // else use actual error from last connection attempt |
cfd66529 AJ |
313 | self = NULL; // refcounted |
314 | } | |
315 | } | |
316 | ||
b6b6f466 | 317 | void |
318 | FwdState::fail(ErrorState * errorState) | |
319 | { | |
38413773 | 320 | debugs(17, 3, HERE << err_type_str[errorState->type] << " \"" << httpStatusString(errorState->httpStatus) << "\"\n\t" << entry->url() ); |
b6b6f466 | 321 | |
322 | if (err) | |
323 | errorStateFree(err); | |
324 | ||
325 | err = errorState; | |
326 | ||
327 | if (!errorState->request) | |
6dd9f4bd | 328 | errorState->request = HTTPMSGLOCK(request); |
64b66b76 CT |
329 | |
330 | request->detailError(errorState->type, errorState->xerrno); | |
b6b6f466 | 331 | } |
332 | ||
38413773 | 333 | /** |
b6b6f466 | 334 | * Frees fwdState without closing FD or generating an abort |
335 | */ | |
336 | void | |
00ae51e4 | 337 | FwdState::unregister(Comm::ConnectionPointer &conn) |
5229395c AJ |
338 | { |
339 | debugs(17, 3, HERE << entry->url() ); | |
340 | assert(serverConnection() == conn); | |
6b679a01 | 341 | assert(Comm::IsConnOpen(conn)); |
5229395c | 342 | comm_remove_close_handler(conn->fd, fwdServerClosedWrapper, this); |
00ae51e4 | 343 | serverConn = NULL; |
5229395c AJ |
344 | } |
345 | ||
346 | // Legacy method to be removed in favor of the above as soon as possible | |
347 | void | |
b6b6f466 | 348 | FwdState::unregister(int fd) |
349 | { | |
5229395c AJ |
350 | debugs(17, 3, HERE << entry->url() ); |
351 | assert(fd == serverConnection()->fd); | |
00ae51e4 | 352 | unregister(serverConn); |
b6b6f466 | 353 | } |
354 | ||
38413773 | 355 | /** |
b6b6f466 | 356 | * server-side modules call fwdComplete() when they are done |
357 | * downloading an object. Then, we either 1) re-forward the | |
358 | * request somewhere else if needed, or 2) call storeComplete() | |
359 | * to finish it off | |
360 | */ | |
361 | void | |
362 | FwdState::complete() | |
363 | { | |
b6b6f466 | 364 | assert(entry->store_status == STORE_PENDING); |
cfd66529 | 365 | debugs(17, 3, HERE << entry->url() << "\n\tstatus " << entry->getReply()->sline.status ); |
b6b6f466 | 366 | #if URL_CHECKSUM_DEBUG |
367 | ||
368 | entry->mem_obj->checkUrlChecksum(); | |
369 | #endif | |
370 | ||
371 | logReplyStatus(n_tries, entry->getReply()->sline.status); | |
372 | ||
373 | if (reforward()) { | |
cfd66529 | 374 | debugs(17, 3, HERE << "re-forwarding " << entry->getReply()->sline.status << " " << entry->url()); |
b6b6f466 | 375 | |
6b679a01 | 376 | if (Comm::IsConnOpen(serverConn)) |
00ae51e4 | 377 | unregister(serverConn); |
b6b6f466 | 378 | |
cfd66529 AJ |
379 | entry->reset(); |
380 | ||
8652f8e7 AJ |
381 | // drop the last path off the selection list. try the next one. |
382 | serverDestinations.shift(); | |
383 | startConnectionOrFail(); | |
384 | ||
b6b6f466 | 385 | } else { |
6b679a01 AJ |
386 | if (Comm::IsConnOpen(serverConn)) |
387 | debugs(17, 3, HERE << "server FD " << serverConnection()->fd << " not re-forwarding status " << entry->getReply()->sline.status); | |
388 | else | |
389 | debugs(17, 3, HERE << "server (FD closed) not re-forwarding status " << entry->getReply()->sline.status); | |
9e5c22cf AJ |
390 | EBIT_CLR(entry->flags, ENTRY_FWD_HDR_WAIT); |
391 | entry->complete(); | |
fc68f6b1 | 392 | |
6b679a01 | 393 | if (!Comm::IsConnOpen(serverConn)) |
fc68f6b1 | 394 | completed(); |
395 | ||
7a0fb323 | 396 | self = NULL; // refcounted |
b6b6f466 | 397 | } |
398 | } | |
399 | ||
400 | ||
401 | /**** CALLBACK WRAPPERS ************************************************************/ | |
402 | ||
403 | static void | |
6b679a01 | 404 | fwdPeerSelectionCompleteWrapper(Comm::ConnectionList * unused, void *data) |
b6b6f466 | 405 | { |
406 | FwdState *fwd = (FwdState *) data; | |
6b679a01 | 407 | fwd->startConnectionOrFail(); |
b6b6f466 | 408 | } |
409 | ||
410 | static void | |
411 | fwdServerClosedWrapper(int fd, void *data) | |
412 | { | |
413 | FwdState *fwd = (FwdState *) data; | |
414 | fwd->serverClosed(fd); | |
415 | } | |
416 | ||
b6b6f466 | 417 | #if USE_SSL |
418 | static void | |
419 | fwdNegotiateSSLWrapper(int fd, void *data) | |
420 | { | |
421 | FwdState *fwd = (FwdState *) data; | |
422 | fwd->negotiateSSL(fd); | |
423 | } | |
424 | ||
425 | #endif | |
426 | ||
cfd66529 | 427 | void |
f01d4b80 | 428 | fwdConnectDoneWrapper(const Comm::ConnectionPointer &conn, comm_err_t status, int xerrno, void *data) |
b6b6f466 | 429 | { |
430 | FwdState *fwd = (FwdState *) data; | |
aed188fd | 431 | fwd->connectDone(conn, status, xerrno); |
b6b6f466 | 432 | } |
433 | ||
434 | /**** PRIVATE *****************************************************************/ | |
435 | ||
545782b8 | 436 | /* |
437 | * FwdState::checkRetry | |
26ac0430 | 438 | * |
545782b8 | 439 | * Return TRUE if the request SHOULD be retried. This method is |
440 | * called when the HTTP connection fails, or when the connection | |
441 | * is closed before server-side read the end of HTTP headers. | |
442 | */ | |
b6b6f466 | 443 | bool |
444 | FwdState::checkRetry() | |
68bd6892 | 445 | { |
d8fd0f18 | 446 | if (shutting_down) |
b6b6f466 | 447 | return false; |
62e76326 | 448 | |
9d2760b6 AR |
449 | if (!self) { // we have aborted before the server called us back |
450 | debugs(17, 5, HERE << "not retrying because of earlier abort"); | |
451 | // we will be destroyed when the server clears its Pointer to us | |
452 | return false; | |
453 | } | |
454 | ||
b6b6f466 | 455 | if (entry->store_status != STORE_PENDING) |
456 | return false; | |
62e76326 | 457 | |
b6b6f466 | 458 | if (!entry->isEmpty()) |
459 | return false; | |
62e76326 | 460 | |
b6b6f466 | 461 | if (n_tries > 10) |
462 | return false; | |
62e76326 | 463 | |
b6b6f466 | 464 | if (origin_tries > 2) |
465 | return false; | |
4ed0e075 | 466 | |
b6b6f466 | 467 | if (squid_curtime - start_t > Config.Timeout.forward) |
468 | return false; | |
62e76326 | 469 | |
b6b6f466 | 470 | if (flags.dont_retry) |
471 | return false; | |
62e76326 | 472 | |
0bbd5532 AJ |
473 | // NP: not yet actually connected anywhere. retry is safe. |
474 | if (!flags.connected_okay) | |
475 | return true; | |
476 | ||
5d4989a8 | 477 | if (!checkRetriable()) |
478 | return false; | |
479 | ||
58217e94 | 480 | if (request->bodyNibbled()) |
b6b6f466 | 481 | return false; |
62e76326 | 482 | |
b6b6f466 | 483 | return true; |
68bd6892 | 484 | } |
485 | ||
545782b8 | 486 | /* |
487 | * FwdState::checkRetriable | |
488 | * | |
489 | * Return TRUE if this is the kind of request that can be retried | |
490 | * after a failure. If the request is not retriable then we don't | |
491 | * want to risk sending it on a persistent connection. Instead we'll | |
492 | * force it to go on a new HTTP connection. | |
493 | */ | |
b6b6f466 | 494 | bool |
495 | FwdState::checkRetriable() | |
cb928909 | 496 | { |
497 | /* If there is a request body then Squid can only try once | |
498 | * even if the method is indempotent | |
499 | */ | |
500 | ||
5f8252d2 | 501 | if (request->body_pipe != NULL) |
b6b6f466 | 502 | return false; |
cb928909 | 503 | |
504 | /* RFC2616 9.1 Safe and Idempotent Methods */ | |
914b89a2 | 505 | switch (request->method.id()) { |
cb928909 | 506 | /* 9.1.1 Safe Methods */ |
507 | ||
508 | case METHOD_GET: | |
509 | ||
510 | case METHOD_HEAD: | |
914b89a2 | 511 | /* 9.1.2 Idempotent Methods */ |
cb928909 | 512 | |
513 | case METHOD_PUT: | |
514 | ||
515 | case METHOD_DELETE: | |
516 | ||
517 | case METHOD_OPTIONS: | |
518 | ||
519 | case METHOD_TRACE: | |
520 | break; | |
521 | ||
522 | default: | |
b6b6f466 | 523 | return false; |
cb928909 | 524 | } |
525 | ||
b6b6f466 | 526 | return true; |
cb928909 | 527 | } |
528 | ||
b6b6f466 | 529 | void |
530 | FwdState::serverClosed(int fd) | |
910169e5 | 531 | { |
cfd66529 | 532 | debugs(17, 2, HERE << "FD " << fd << " " << entry->url()); |
3e8c047e | 533 | retryOrBail(); |
534 | } | |
535 | ||
536 | void | |
26ac0430 AJ |
537 | FwdState::retryOrBail() |
538 | { | |
b6b6f466 | 539 | if (checkRetry()) { |
cfd66529 | 540 | debugs(17, 3, HERE << "re-forwarding (" << n_tries << " tries, " << (squid_curtime - start_t) << " secs)"); |
00ae51e4 | 541 | serverDestinations.shift(); // last one failed. try another. |
8652f8e7 AJ |
542 | startConnectionOrFail(); |
543 | return; | |
d8fd0f18 | 544 | } |
62e76326 | 545 | |
9d2760b6 AR |
546 | // TODO: should we call completed() here and move doneWithRetries there? |
547 | doneWithRetries(); | |
548 | ||
549 | if (self != NULL && !err && shutting_down) { | |
f01d4b80 AJ |
550 | ErrorState *anErr = errorCon(ERR_SHUTTING_DOWN, HTTP_SERVICE_UNAVAILABLE, request); |
551 | errorAppendEntry(entry, anErr); | |
f563eea9 | 552 | } |
62e76326 | 553 | |
b6b6f466 | 554 | self = NULL; // refcounted |
910169e5 | 555 | } |
556 | ||
9d2760b6 AR |
557 | // If the Server quits before nibbling at the request body, the body sender |
558 | // will not know (so that we can retry). Call this if we will not retry. We | |
559 | // will notify the sender so that it does not get stuck waiting for space. | |
560 | void | |
561 | FwdState::doneWithRetries() | |
562 | { | |
563 | if (request && request->body_pipe != NULL) | |
564 | request->body_pipe->expectNoConsumption(); | |
565 | } | |
566 | ||
3e8c047e | 567 | // called by the server that failed after calling unregister() |
568 | void | |
569 | FwdState::handleUnregisteredServerEnd() | |
570 | { | |
cfd66529 | 571 | debugs(17, 2, HERE << "self=" << self << " err=" << err << ' ' << entry->url()); |
6b679a01 | 572 | assert(!Comm::IsConnOpen(serverConn)); |
3e8c047e | 573 | retryOrBail(); |
574 | } | |
575 | ||
a7ad6e4e | 576 | #if USE_SSL |
b6b6f466 | 577 | void |
578 | FwdState::negotiateSSL(int fd) | |
a7ad6e4e | 579 | { |
a7ad6e4e | 580 | SSL *ssl = fd_table[fd].ssl; |
581 | int ret; | |
62e76326 | 582 | |
a7ad6e4e | 583 | if ((ret = SSL_connect(ssl)) <= 0) { |
62e76326 | 584 | int ssl_error = SSL_get_error(ssl, ret); |
585 | ||
586 | switch (ssl_error) { | |
587 | ||
588 | case SSL_ERROR_WANT_READ: | |
d841c88d | 589 | Comm::SetSelect(fd, COMM_SELECT_READ, fwdNegotiateSSLWrapper, this, 0); |
62e76326 | 590 | return; |
591 | ||
592 | case SSL_ERROR_WANT_WRITE: | |
d841c88d | 593 | Comm::SetSelect(fd, COMM_SELECT_WRITE, fwdNegotiateSSLWrapper, this, 0); |
62e76326 | 594 | return; |
595 | ||
596 | default: | |
26ac0430 AJ |
597 | debugs(81, 1, "fwdNegotiateSSL: Error negotiating SSL connection on FD " << fd << |
598 | ": " << ERR_error_string(ERR_get_error(), NULL) << " (" << ssl_error << | |
599 | "/" << ret << "/" << errno << ")"); | |
2ac4f6b5 | 600 | ErrorState *const anErr = makeConnectingError(ERR_SECURE_CONNECT_FAIL); |
a7ad6e4e | 601 | #ifdef EPROTO |
62e76326 | 602 | |
b6b6f466 | 603 | anErr->xerrno = EPROTO; |
a7ad6e4e | 604 | #else |
62e76326 | 605 | |
b6b6f466 | 606 | anErr->xerrno = EACCES; |
a7ad6e4e | 607 | #endif |
62e76326 | 608 | |
4d16918e | 609 | Ssl::ErrorDetail *errFromFailure = (Ssl::ErrorDetail *)SSL_get_ex_data(ssl, ssl_ex_index_ssl_error_detail); |
e34763f4 | 610 | if (errFromFailure != NULL) { |
4d16918e CT |
611 | // The errFromFailure is attached to the ssl object |
612 | // and will be released when ssl object destroyed. | |
613 | // Copy errFromFailure to a new Ssl::ErrorDetail object | |
614 | anErr->detail = new Ssl::ErrorDetail(*errFromFailure); | |
615 | } | |
616 | ||
b6b6f466 | 617 | fail(anErr); |
62e76326 | 618 | |
5229395c AJ |
619 | if (serverConnection()->getPeer()) { |
620 | peerConnectFailed(serverConnection()->getPeer()); | |
62e76326 | 621 | } |
622 | ||
00ae51e4 | 623 | serverConn->close(); |
62e76326 | 624 | return; |
625 | } | |
a7ad6e4e | 626 | } |
62e76326 | 627 | |
5229395c AJ |
628 | if (serverConnection()->getPeer() && !SSL_session_reused(ssl)) { |
629 | if (serverConnection()->getPeer()->sslSession) | |
630 | SSL_SESSION_free(serverConnection()->getPeer()->sslSession); | |
f38c5e43 | 631 | |
5229395c | 632 | serverConnection()->getPeer()->sslSession = SSL_get1_session(ssl); |
f38c5e43 | 633 | } |
634 | ||
b6b6f466 | 635 | dispatch(); |
a7ad6e4e | 636 | } |
637 | ||
b6b6f466 | 638 | void |
639 | FwdState::initiateSSL() | |
a7ad6e4e | 640 | { |
a7ad6e4e | 641 | SSL *ssl; |
642 | SSL_CTX *sslContext = NULL; | |
5229395c AJ |
643 | const peer *peer = serverConnection()->getPeer(); |
644 | int fd = serverConnection()->fd; | |
62e76326 | 645 | |
a7ad6e4e | 646 | if (peer) { |
62e76326 | 647 | assert(peer->use_ssl); |
648 | sslContext = peer->sslContext; | |
a7ad6e4e | 649 | } else { |
62e76326 | 650 | sslContext = Config.ssl_client.sslContext; |
a7ad6e4e | 651 | } |
62e76326 | 652 | |
a7ad6e4e | 653 | assert(sslContext); |
62e76326 | 654 | |
a7ad6e4e | 655 | if ((ssl = SSL_new(sslContext)) == NULL) { |
bf8fe701 | 656 | debugs(83, 1, "fwdInitiateSSL: Error allocating handle: " << ERR_error_string(ERR_get_error(), NULL) ); |
2cc81f1f | 657 | ErrorState *anErr = errorCon(ERR_SOCKET_FAILURE, HTTP_INTERNAL_SERVER_ERROR, request); |
b6b6f466 | 658 | anErr->xerrno = errno; |
b6b6f466 | 659 | fail(anErr); |
660 | self = NULL; // refcounted | |
62e76326 | 661 | return; |
a7ad6e4e | 662 | } |
62e76326 | 663 | |
a7ad6e4e | 664 | SSL_set_fd(ssl, fd); |
62e76326 | 665 | |
a7ad6e4e | 666 | if (peer) { |
62e76326 | 667 | if (peer->ssldomain) |
668 | SSL_set_ex_data(ssl, ssl_ex_index_server, peer->ssldomain); | |
669 | ||
a7ad6e4e | 670 | #if NOT_YET |
62e76326 | 671 | |
672 | else if (peer->name) | |
673 | SSL_set_ex_data(ssl, ssl_ex_index_server, peer->name); | |
674 | ||
a7ad6e4e | 675 | #endif |
62e76326 | 676 | |
677 | else | |
678 | SSL_set_ex_data(ssl, ssl_ex_index_server, peer->host); | |
f38c5e43 | 679 | |
680 | if (peer->sslSession) | |
681 | SSL_set_session(ssl, peer->sslSession); | |
682 | ||
a7ad6e4e | 683 | } else { |
cc192b50 | 684 | SSL_set_ex_data(ssl, ssl_ex_index_server, (void*)request->GetHost()); |
253749a8 CT |
685 | |
686 | // We need to set SNI TLS extension only in the case we are | |
687 | // connecting direct to origin server | |
688 | Ssl::setClientSNI(ssl, request->GetHost()); | |
a7ad6e4e | 689 | } |
62e76326 | 690 | |
4d5a6db8 | 691 | // Create the ACL check list now, while we have access to more info. |
692 | // The list is used in ssl_verify_cb() and is freed in ssl_free(). | |
693 | if (acl_access *acl = Config.ssl_client.cert_error) { | |
c0941a6a | 694 | ACLFilledChecklist *check = new ACLFilledChecklist(acl, request, dash_str); |
4d5a6db8 | 695 | check->fd(fd); |
696 | SSL_set_ex_data(ssl, ssl_ex_index_cert_error_check, check); | |
697 | } | |
698 | ||
a7ad6e4e | 699 | fd_table[fd].ssl = ssl; |
700 | fd_table[fd].read_method = &ssl_read_method; | |
701 | fd_table[fd].write_method = &ssl_write_method; | |
b6b6f466 | 702 | negotiateSSL(fd); |
a7ad6e4e | 703 | } |
62e76326 | 704 | |
a7ad6e4e | 705 | #endif |
706 | ||
b6b6f466 | 707 | void |
f01d4b80 | 708 | FwdState::connectDone(const Comm::ConnectionPointer &conn, comm_err_t status, int xerrno) |
41462d93 | 709 | { |
2f538b78 | 710 | if (status != COMM_OK) { |
9c8a6c3b | 711 | ErrorState *const anErr = makeConnectingError(ERR_CONNECT_FAIL); |
b6b6f466 | 712 | anErr->xerrno = xerrno; |
b6b6f466 | 713 | fail(anErr); |
62e76326 | 714 | |
2f538b78 | 715 | /* it might have been a timeout with a partially open link */ |
00ae51e4 AJ |
716 | if (conn != NULL) { |
717 | if (conn->getPeer()) | |
718 | peerConnectFailed(conn->getPeer()); | |
62e76326 | 719 | |
80463bb4 | 720 | conn->close(); |
2f538b78 | 721 | } |
aed188fd | 722 | retryOrBail(); |
2f538b78 AJ |
723 | return; |
724 | } | |
62e76326 | 725 | |
00ae51e4 AJ |
726 | serverConn = conn; |
727 | ||
f01d4b80 | 728 | debugs(17, 3, HERE << serverConnection() << ": '" << entry->url() << "'" ); |
62e76326 | 729 | |
5229395c | 730 | comm_add_close_handler(serverConnection()->fd, fwdServerClosedWrapper, this); |
2f538b78 | 731 | |
5229395c AJ |
732 | if (serverConnection()->getPeer()) |
733 | peerConnectSucceded(serverConnection()->getPeer()); | |
2f538b78 AJ |
734 | |
735 | #if USE_SSL | |
5229395c | 736 | if ((serverConnection()->getPeer() && serverConnection()->getPeer()->use_ssl) || |
1b76e6c1 | 737 | (!serverConnection()->getPeer() && request->protocol == AnyP::PROTO_HTTPS)) { |
2f538b78 AJ |
738 | initiateSSL(); |
739 | return; | |
41462d93 | 740 | } |
2f538b78 AJ |
741 | #endif |
742 | ||
0bbd5532 | 743 | flags.connected_okay = true; |
2f538b78 | 744 | dispatch(); |
41462d93 | 745 | } |
746 | ||
b6b6f466 | 747 | void |
748 | FwdState::connectTimeout(int fd) | |
41462d93 | 749 | { |
bf8fe701 | 750 | debugs(17, 2, "fwdConnectTimeout: FD " << fd << ": '" << entry->url() << "'" ); |
6b679a01 AJ |
751 | assert(serverDestinations[0] != NULL); |
752 | assert(fd == serverDestinations[0]->fd); | |
62e76326 | 753 | |
528b2c61 | 754 | if (entry->isEmpty()) { |
2cc81f1f | 755 | ErrorState *anErr = errorCon(ERR_CONNECT_FAIL, HTTP_GATEWAY_TIMEOUT, request); |
b6b6f466 | 756 | anErr->xerrno = ETIMEDOUT; |
757 | fail(anErr); | |
62e76326 | 758 | |
cfd66529 | 759 | /* This marks the peer DOWN ... */ |
6b679a01 AJ |
760 | if (serverDestinations[0]->getPeer()) |
761 | peerConnectFailed(serverDestinations[0]->getPeer()); | |
41462d93 | 762 | } |
62e76326 | 763 | |
6b679a01 AJ |
764 | if (Comm::IsConnOpen(serverDestinations[0])) { |
765 | serverDestinations[0]->close(); | |
746beefe | 766 | } |
41462d93 | 767 | } |
768 | ||
cfd66529 | 769 | /** |
ae18571d AJ |
770 | * Called after Forwarding path selection (via peer select) has taken place. |
771 | * And whenever forwarding needs to attempt a new connection (routing failover) | |
772 | * We have a vector of possible localIP->remoteIP paths now ready to start being connected. | |
cfd66529 | 773 | */ |
b6b6f466 | 774 | void |
775 | FwdState::connectStart() | |
41462d93 | 776 | { |
6b679a01 AJ |
777 | assert(serverDestinations.size() > 0); |
778 | ||
cfd66529 | 779 | debugs(17, 3, "fwdConnectStart: " << entry->url()); |
62e76326 | 780 | |
3ff65596 AR |
781 | if (n_tries == 0) // first attempt |
782 | request->hier.first_conn_start = current_time; | |
783 | ||
cfd66529 AJ |
784 | /* connection timeout */ |
785 | int ctimeout; | |
6b679a01 AJ |
786 | if (serverDestinations[0]->getPeer()) { |
787 | ctimeout = serverDestinations[0]->getPeer()->connect_timeout > 0 ? | |
788 | serverDestinations[0]->getPeer()->connect_timeout : Config.Timeout.peer_connect; | |
db1cd23c | 789 | } else { |
62e76326 | 790 | ctimeout = Config.Timeout.connect; |
db1cd23c | 791 | } |
62e76326 | 792 | |
cfd66529 AJ |
793 | /* calculate total forwarding timeout ??? */ |
794 | int ftimeout = Config.Timeout.forward - (squid_curtime - start_t); | |
777831e0 | 795 | if (ftimeout < 0) |
796 | ftimeout = 5; | |
797 | ||
798 | if (ftimeout < ctimeout) | |
799 | ctimeout = ftimeout; | |
800 | ||
1b76e6c1 | 801 | if (serverDestinations[0]->getPeer() && request->flags.sslBumped == true) { |
b68415a1 CT |
802 | debugs(50, 4, "fwdConnectStart: Ssl bumped connections through parrent proxy are not allowed"); |
803 | ErrorState *anErr = errorCon(ERR_CANNOT_FORWARD, HTTP_SERVICE_UNAVAILABLE, request); | |
804 | fail(anErr); | |
805 | self = NULL; // refcounted | |
806 | return; | |
985bfe6b | 807 | } |
d67acb4e | 808 | |
2efeb0b7 AJ |
809 | request->flags.pinned = 0; // XXX: what if the ConnStateData set this to flag existing credentials? |
810 | // XXX: answer: the peer selection *should* catch it and give us only the pinned peer. so we reverse the =0 step below. | |
811 | // XXX: also, logs will now lie if pinning is broken and leads to an error message. | |
6b679a01 | 812 | if (serverDestinations[0]->peerType == PINNED) { |
26ac0430 AJ |
813 | ConnStateData *pinned_connection = request->pinnedConnection(); |
814 | assert(pinned_connection); | |
e3a4aecc AJ |
815 | serverConn = pinned_connection->validatePinnedConnection(request, serverDestinations[0]->getPeer()); |
816 | if (Comm::IsConnOpen(serverConn)) { | |
d67acb4e | 817 | #if 0 |
e3a4aecc AJ |
818 | if (!serverConn->getPeer()) |
819 | serverConn->peerType = HIER_DIRECT; | |
d67acb4e | 820 | #endif |
d67acb4e AJ |
821 | n_tries++; |
822 | request->flags.pinned = 1; | |
823 | if (pinned_connection->pinnedAuth()) | |
824 | request->flags.auth = 1; | |
6b679a01 | 825 | dispatch(); |
d67acb4e AJ |
826 | return; |
827 | } | |
26ac0430 | 828 | /* Failure. Fall back on next path */ |
b1cf2350 | 829 | debugs(17,2,HERE << " Pinned connection " << pinned_connection << " not valid."); |
00ae51e4 | 830 | serverDestinations.shift(); |
6b679a01 | 831 | startConnectionOrFail(); |
d67acb4e | 832 | return; |
26ac0430 | 833 | } |
d67acb4e | 834 | |
642a305c | 835 | // Use pconn to avoid opening a new connection. |
cfd66529 | 836 | const char *host; |
6b679a01 AJ |
837 | if (serverDestinations[0]->getPeer()) { |
838 | host = serverDestinations[0]->getPeer()->host; | |
af6a12ee | 839 | } else { |
06093389 | 840 | host = request->GetHost(); |
06093389 | 841 | } |
80463bb4 | 842 | Comm::ConnectionPointer temp = fwdPconnPool->pop(serverDestinations[0], host, checkRetriable()); |
cfd66529 | 843 | |
6b679a01 | 844 | // if we found an open persistent connection to use. use it. |
80463bb4 AJ |
845 | if (temp != NULL && Comm::IsConnOpen(temp)) { |
846 | serverConn = temp; | |
642a305c | 847 | debugs(17, 3, HERE << "reusing pconn " << serverConnection()); |
c8ceec27 | 848 | n_tries++; |
4ed0e075 | 849 | |
5229395c | 850 | if (!serverConnection()->getPeer()) |
c8ceec27 | 851 | origin_tries++; |
74780d33 | 852 | |
5229395c | 853 | comm_add_close_handler(serverConnection()->fd, fwdServerClosedWrapper, this); |
b5523edc AJ |
854 | |
855 | /* Update server side TOS and Netfilter mark on the connection. */ | |
856 | if (Ip::Qos::TheConfig.isAclTosActive()) { | |
857 | temp->tos = GetTosToServer(request); | |
858 | Ip::Qos::setSockTos(temp, temp->tos); | |
859 | } | |
860 | #if SO_MARK | |
861 | if (Ip::Qos::TheConfig.isAclNfmarkActive()) { | |
862 | temp->nfmark = GetNfmarkToServer(request); | |
863 | Ip::Qos::setSockNfmark(temp, temp->nfmark); | |
864 | } | |
865 | #endif | |
866 | ||
c8ceec27 | 867 | dispatch(); |
c8ceec27 | 868 | return; |
41462d93 | 869 | } |
62e76326 | 870 | |
bc87dc25 | 871 | #if URL_CHECKSUM_DEBUG |
b6b6f466 | 872 | entry->mem_obj->checkUrlChecksum(); |
bc87dc25 | 873 | #endif |
62e76326 | 874 | |
b5523edc AJ |
875 | /* Get the server side TOS and Netfilter mark to be set on the connection. */ |
876 | if (Ip::Qos::TheConfig.isAclTosActive()) { | |
877 | serverDestinations[0]->tos = GetTosToServer(request); | |
878 | } | |
11e8cfe3 | 879 | #if SO_MARK && USE_LIBCAP |
a750e510 | 880 | serverDestinations[0]->nfmark = GetNfmarkToServer(request); |
25b481e6 | 881 | debugs(17, 3, "fwdConnectStart: got outgoing addr " << serverDestinations[0]->local << ", tos " << int(serverDestinations[0]->tos) |
a750e510 | 882 | << ", netfilter mark " << serverDestinations[0]->nfmark); |
425de4c8 | 883 | #else |
a750e510 | 884 | serverDestinations[0]->nfmark = 0; |
25b481e6 | 885 | debugs(17, 3, "fwdConnectStart: got outgoing addr " << serverDestinations[0]->local << ", tos " << int(serverDestinations[0]->tos)); |
b5523edc AJ |
886 | #endif |
887 | ||
e3a4aecc AJ |
888 | calls.connector = commCbCall(17,3, "fwdConnectDoneWrapper", CommConnectCbPtrFun(fwdConnectDoneWrapper, this)); |
889 | Comm::ConnOpener *cs = new Comm::ConnOpener(serverDestinations[0], calls.connector, ctimeout); | |
aed188fd | 890 | cs->setHost(host); |
855150a4 | 891 | AsyncJob::Start(cs); |
41462d93 | 892 | } |
893 | ||
b6b6f466 | 894 | void |
895 | FwdState::dispatch() | |
41462d93 | 896 | { |
5c336a3b | 897 | debugs(17, 3, HERE << clientConn << ": Fetching '" << RequestMethodStr(request->method) << " " << entry->url() << "'"); |
e0ebe27c | 898 | /* |
899 | * Assert that server_fd is set. This is to guarantee that fwdState | |
900 | * is attached to something and will be deallocated when server_fd | |
901 | * is closed. | |
902 | */ | |
6b679a01 | 903 | assert(Comm::IsConnOpen(serverConn)); |
62e76326 | 904 | |
5229395c | 905 | fd_note(serverConnection()->fd, entry->url()); |
62e76326 | 906 | |
5229395c | 907 | fd_table[serverConnection()->fd].noteUse(fwdPconnPool); |
62e76326 | 908 | |
a7ad6e4e | 909 | /*assert(!EBIT_TEST(entry->flags, ENTRY_DISPATCHED)); */ |
910 | assert(entry->ping_status != PING_WAITING); | |
62e76326 | 911 | |
a7ad6e4e | 912 | assert(entry->lock_count); |
62e76326 | 913 | |
a7ad6e4e | 914 | EBIT_SET(entry->flags, ENTRY_DISPATCHED); |
62e76326 | 915 | |
cc192b50 | 916 | netdbPingSite(request->GetHost()); |
62e76326 | 917 | |
425de4c8 | 918 | /* Retrieves remote server TOS or MARK value, and stores it as part of the |
7172612f | 919 | * original client request FD object. It is later used to forward |
425de4c8 | 920 | * remote server's TOS/MARK in the response to the client in case of a MISS. |
7172612f | 921 | */ |
425de4c8 | 922 | if (Ip::Qos::TheConfig.isHitNfmarkActive()) { |
b5523edc AJ |
923 | if (Comm::IsConnOpen(clientConn) && Comm::IsConnOpen(serverConnection())) { |
924 | fde * clientFde = &fd_table[clientConn->fd]; // XXX: move the fd_table access into Ip::Qos | |
425de4c8 | 925 | /* Get the netfilter mark for the connection */ |
b5523edc | 926 | Ip::Qos::getNfmarkFromServer(serverConnection(), clientFde); |
425de4c8 AJ |
927 | } |
928 | } | |
929 | ||
930 | #if _SQUID_LINUX_ | |
931 | /* Bug 2537: The TOS forward part of QOS only applies to patched Linux kernels. */ | |
932 | if (Ip::Qos::TheConfig.isHitTosActive()) { | |
b5523edc AJ |
933 | if (Comm::IsConnOpen(clientConn)) { |
934 | fde * clientFde = &fd_table[clientConn->fd]; // XXX: move the fd_table access into Ip::Qos | |
425de4c8 | 935 | /* Get the TOS value for the packet */ |
b5523edc | 936 | Ip::Qos::getTosFromServer(serverConnection(), clientFde); |
7172612f | 937 | } |
26ac0430 | 938 | } |
7172612f AJ |
939 | #endif |
940 | ||
5229395c AJ |
941 | if (serverConnection()->getPeer() != NULL) { |
942 | serverConnection()->getPeer()->stats.fetches++; | |
943 | request->peer_login = serverConnection()->getPeer()->login; | |
944 | request->peer_domain = serverConnection()->getPeer()->domain; | |
b6b6f466 | 945 | httpStart(this); |
41462d93 | 946 | } else { |
b6b6f466 | 947 | request->peer_login = NULL; |
948 | request->peer_domain = NULL; | |
62e76326 | 949 | |
950 | switch (request->protocol) { | |
a7ad6e4e | 951 | #if USE_SSL |
62e76326 | 952 | |
0c3d3f65 | 953 | case AnyP::PROTO_HTTPS: |
b6b6f466 | 954 | httpStart(this); |
62e76326 | 955 | break; |
a7ad6e4e | 956 | #endif |
62e76326 | 957 | |
0c3d3f65 | 958 | case AnyP::PROTO_HTTP: |
b6b6f466 | 959 | httpStart(this); |
62e76326 | 960 | break; |
961 | ||
0c3d3f65 | 962 | case AnyP::PROTO_GOPHER: |
b6b6f466 | 963 | gopherStart(this); |
62e76326 | 964 | break; |
965 | ||
0c3d3f65 | 966 | case AnyP::PROTO_FTP: |
b6b6f466 | 967 | ftpStart(this); |
62e76326 | 968 | break; |
969 | ||
39a19cb7 | 970 | case AnyP::PROTO_CACHE_OBJECT: |
62e76326 | 971 | |
0c3d3f65 | 972 | case AnyP::PROTO_INTERNAL: |
62e76326 | 973 | |
0c3d3f65 | 974 | case AnyP::PROTO_URN: |
62e76326 | 975 | fatal_dump("Should never get here"); |
976 | break; | |
977 | ||
0c3d3f65 | 978 | case AnyP::PROTO_WHOIS: |
b6b6f466 | 979 | whoisStart(this); |
62e76326 | 980 | break; |
981 | ||
0c3d3f65 | 982 | case AnyP::PROTO_WAIS: /* Not implemented */ |
fc68f6b1 | 983 | |
62e76326 | 984 | default: |
bf8fe701 | 985 | debugs(17, 1, "fwdDispatch: Cannot retrieve '" << entry->url() << "'" ); |
2cc81f1f | 986 | ErrorState *anErr = errorCon(ERR_UNSUP_REQ, HTTP_BAD_REQUEST, request); |
b6b6f466 | 987 | fail(anErr); |
62e76326 | 988 | /* |
989 | * Force a persistent connection to be closed because | |
990 | * some Netscape browsers have a bug that sends CONNECT | |
991 | * requests as GET's over persistent connections. | |
992 | */ | |
993 | request->flags.proxy_keepalive = 0; | |
994 | /* | |
746beefe | 995 | * Set the dont_retry flag because this is not a |
62e76326 | 996 | * transient (network) error; its a bug. |
997 | */ | |
b6b6f466 | 998 | flags.dont_retry = 1; |
6b679a01 | 999 | if (Comm::IsConnOpen(serverConn)) { |
00ae51e4 | 1000 | serverConn->close(); |
746beefe | 1001 | } |
62e76326 | 1002 | break; |
1003 | } | |
41462d93 | 1004 | } |
1005 | } | |
1006 | ||
545782b8 | 1007 | /* |
1008 | * FwdState::reforward | |
1009 | * | |
1010 | * returns TRUE if the transaction SHOULD be re-forwarded to the | |
8bbb16e3 | 1011 | * next choice in the serverDestinations list. This method is called when |
545782b8 | 1012 | * server-side communication completes normally, or experiences |
1013 | * some error after receiving the end of HTTP headers. | |
1014 | */ | |
b6b6f466 | 1015 | int |
1016 | FwdState::reforward() | |
db1cd23c | 1017 | { |
b6b6f466 | 1018 | StoreEntry *e = entry; |
db1cd23c | 1019 | http_status s; |
1020 | assert(e->store_status == STORE_PENDING); | |
1021 | assert(e->mem_obj); | |
bc87dc25 | 1022 | #if URL_CHECKSUM_DEBUG |
62e76326 | 1023 | |
528b2c61 | 1024 | e->mem_obj->checkUrlChecksum(); |
bc87dc25 | 1025 | #endif |
62e76326 | 1026 | |
cfd66529 | 1027 | debugs(17, 3, HERE << e->url() << "?" ); |
62e76326 | 1028 | |
d6eb18d6 | 1029 | if (!EBIT_TEST(e->flags, ENTRY_FWD_HDR_WAIT)) { |
cfd66529 | 1030 | debugs(17, 3, HERE << "No, ENTRY_FWD_HDR_WAIT isn't set"); |
62e76326 | 1031 | return 0; |
d6eb18d6 | 1032 | } |
62e76326 | 1033 | |
437823b4 | 1034 | if (n_tries > Config.forward_max_tries) |
62e76326 | 1035 | return 0; |
1036 | ||
b6b6f466 | 1037 | if (origin_tries > 1) |
4ed0e075 | 1038 | return 0; |
1039 | ||
58217e94 | 1040 | if (request->bodyNibbled()) |
62e76326 | 1041 | return 0; |
1042 | ||
8652f8e7 AJ |
1043 | if (serverDestinations.size() <= 1) { |
1044 | // NP: <= 1 since total count includes the recently failed one. | |
cfd66529 | 1045 | debugs(17, 3, HERE << "No alternative forwarding paths left"); |
62e76326 | 1046 | return 0; |
db1cd23c | 1047 | } |
62e76326 | 1048 | |
528b2c61 | 1049 | s = e->getReply()->sline.status; |
cfd66529 | 1050 | debugs(17, 3, HERE << "status " << s); |
b6b6f466 | 1051 | return reforwardableStatus(s); |
db1cd23c | 1052 | } |
1053 | ||
2ac4f6b5 AR |
1054 | /** |
1055 | * Create "503 Service Unavailable" or "504 Gateway Timeout" error depending | |
1056 | * on whether this is a validation request. RFC 2616 says that we MUST reply | |
1057 | * with "504 Gateway Timeout" if validation fails and cached reply has | |
1058 | * proxy-revalidate, must-revalidate or s-maxage Cache-Control directive. | |
1059 | */ | |
1060 | ErrorState * | |
1061 | FwdState::makeConnectingError(const err_type type) const | |
1062 | { | |
1063 | return errorCon(type, request->flags.need_validation ? | |
1064 | HTTP_GATEWAY_TIMEOUT : HTTP_SERVICE_UNAVAILABLE, request); | |
1065 | } | |
1066 | ||
b6b6f466 | 1067 | static void |
1068 | fwdStats(StoreEntry * s) | |
64d8034e | 1069 | { |
b6b6f466 | 1070 | int i; |
1071 | int j; | |
1072 | storeAppendPrintf(s, "Status"); | |
62e76326 | 1073 | |
b6b6f466 | 1074 | for (j = 0; j <= MAX_FWD_STATS_IDX; j++) { |
1075 | storeAppendPrintf(s, "\ttry#%d", j + 1); | |
64d8034e | 1076 | } |
64d8034e | 1077 | |
b6b6f466 | 1078 | storeAppendPrintf(s, "\n"); |
0185bd6f | 1079 | |
b6b6f466 | 1080 | for (i = 0; i <= (int) HTTP_INVALID_HEADER; i++) { |
1081 | if (FwdReplyCodes[0][i] == 0) | |
1082 | continue; | |
0185bd6f | 1083 | |
b6b6f466 | 1084 | storeAppendPrintf(s, "%3d", i); |
0185bd6f | 1085 | |
b6b6f466 | 1086 | for (j = 0; j <= MAX_FWD_STATS_IDX; j++) { |
1087 | storeAppendPrintf(s, "\t%d", FwdReplyCodes[j][i]); | |
62e76326 | 1088 | } |
62e76326 | 1089 | |
b6b6f466 | 1090 | storeAppendPrintf(s, "\n"); |
e0ebe27c | 1091 | } |
7197b20d | 1092 | } |
1093 | ||
a4bd7d1f | 1094 | |
b6b6f466 | 1095 | /**** STATIC MEMBER FUNCTIONS *************************************************/ |
db1cd23c | 1096 | |
b6b6f466 | 1097 | bool |
1098 | FwdState::reforwardableStatus(http_status s) | |
db1cd23c | 1099 | { |
b6b6f466 | 1100 | switch (s) { |
62e76326 | 1101 | |
b6b6f466 | 1102 | case HTTP_BAD_GATEWAY: |
62e76326 | 1103 | |
b6b6f466 | 1104 | case HTTP_GATEWAY_TIMEOUT: |
1105 | return true; | |
62e76326 | 1106 | |
b6b6f466 | 1107 | case HTTP_FORBIDDEN: |
62e76326 | 1108 | |
b6b6f466 | 1109 | case HTTP_INTERNAL_SERVER_ERROR: |
62e76326 | 1110 | |
b6b6f466 | 1111 | case HTTP_NOT_IMPLEMENTED: |
62e76326 | 1112 | |
b6b6f466 | 1113 | case HTTP_SERVICE_UNAVAILABLE: |
1114 | return Config.retry.onerror; | |
62e76326 | 1115 | |
b6b6f466 | 1116 | default: |
1117 | return false; | |
db1cd23c | 1118 | } |
b6b6f466 | 1119 | |
1120 | /* NOTREACHED */ | |
db1cd23c | 1121 | } |
8ddcc35d | 1122 | |
06093389 AJ |
1123 | /** |
1124 | * Decide where details need to be gathered to correctly describe a persistent connection. | |
1125 | * What is needed: | |
642a305c AJ |
1126 | * - the address/port details about this link |
1127 | * - domain name of server at other end of this link (either peer or requested host) | |
06093389 | 1128 | */ |
781ce8ff | 1129 | void |
642a305c | 1130 | FwdState::pconnPush(Comm::ConnectionPointer &conn, const char *domain) |
781ce8ff | 1131 | { |
642a305c AJ |
1132 | if (conn->getPeer()) { |
1133 | fwdPconnPool->push(conn, conn->getPeer()->name); | |
06093389 | 1134 | } else { |
642a305c | 1135 | fwdPconnPool->push(conn, domain); |
06093389 | 1136 | } |
781ce8ff | 1137 | } |
1138 | ||
8ddcc35d | 1139 | void |
b6b6f466 | 1140 | FwdState::initModule() |
8ddcc35d | 1141 | { |
6852be71 | 1142 | RegisterWithCacheManager(); |
8ddcc35d | 1143 | } |
1144 | ||
62ee09ca | 1145 | void |
84f50787 | 1146 | FwdState::RegisterWithCacheManager(void) |
62ee09ca | 1147 | { |
8822ebee | 1148 | Mgr::RegisterAction("forward", "Request Forwarding Statistics", fwdStats, 0, 1); |
62ee09ca | 1149 | } |
1150 | ||
b6b6f466 | 1151 | void |
1152 | FwdState::logReplyStatus(int tries, http_status status) | |
8ddcc35d | 1153 | { |
1154 | if (status > HTTP_INVALID_HEADER) | |
62e76326 | 1155 | return; |
1156 | ||
75eb730e | 1157 | assert(tries >= 0); |
62e76326 | 1158 | |
8ddcc35d | 1159 | if (tries > MAX_FWD_STATS_IDX) |
62e76326 | 1160 | tries = MAX_FWD_STATS_IDX; |
1161 | ||
8ddcc35d | 1162 | FwdReplyCodes[tries][status]++; |
1163 | } | |
1164 | ||
b6b6f466 | 1165 | /**** PRIVATE NON-MEMBER FUNCTIONS ********************************************/ |
62e76326 | 1166 | |
057f5854 | 1167 | /* |
1168 | * DPW 2007-05-19 | |
1169 | * Formerly static, but now used by client_side_request.cc | |
1170 | */ | |
425de4c8 AJ |
1171 | /// Checks for a TOS value to apply depending on the ACL |
1172 | tos_t | |
b6b6f466 | 1173 | aclMapTOS(acl_tos * head, ACLChecklist * ch) |
b6a2f15e | 1174 | { |
b6b6f466 | 1175 | acl_tos *l; |
62e76326 | 1176 | |
b6b6f466 | 1177 | for (l = head; l; l = l->next) { |
2efeb0b7 | 1178 | if (!l->aclList || ch->fastCheck(l->aclList) == ACCESS_ALLOWED) |
b6b6f466 | 1179 | return l->tos; |
1180 | } | |
5894ad28 | 1181 | |
b6b6f466 | 1182 | return 0; |
1183 | } | |
5894ad28 | 1184 | |
425de4c8 AJ |
1185 | /// Checks for a netfilter mark value to apply depending on the ACL |
1186 | nfmark_t | |
1187 | aclMapNfmark(acl_nfmark * head, ACLChecklist * ch) | |
1188 | { | |
1189 | acl_nfmark *l; | |
1190 | ||
1191 | for (l = head; l; l = l->next) { | |
2efeb0b7 | 1192 | if (!l->aclList || ch->fastCheck(l->aclList) == ACCESS_ALLOWED) |
425de4c8 AJ |
1193 | return l->nfmark; |
1194 | } | |
1195 | ||
1196 | return 0; | |
1197 | } | |
1198 | ||
cfd66529 | 1199 | void |
f9b72e0c | 1200 | getOutgoingAddress(HttpRequest * request, Comm::ConnectionPointer conn) |
b6b6f466 | 1201 | { |
cfd66529 AJ |
1202 | /* skip if an outgoing address is already set. */ |
1203 | if (!conn->local.IsAnyAddr()) return; | |
1204 | ||
1205 | // maybe use TPROXY client address | |
b0758e04 | 1206 | if (request && request->flags.spoof_client_ip) { |
739b352a | 1207 | if (!conn->getPeer() || !conn->getPeer()->options.no_tproxy) { |
96d64448 AJ |
1208 | #if FOLLOW_X_FORWARDED_FOR && LINUX_NETFILTER |
1209 | if (Config.onoff.tproxy_uses_indirect_client) | |
45906573 | 1210 | conn->local = request->indirect_client_addr; |
96d64448 AJ |
1211 | else |
1212 | #endif | |
45906573 | 1213 | conn->local = request->client_addr; |
cfd66529 AJ |
1214 | // some flags need setting on the socket to use this address |
1215 | conn->flags |= COMM_DOBIND; | |
1216 | conn->flags |= COMM_TRANSPARENT; | |
1217 | return; | |
1218 | } | |
b0758e04 AJ |
1219 | // else no tproxy today ... |
1220 | } | |
c303f6e3 | 1221 | |
b50e327b | 1222 | if (!Config.accessList.outgoing_address) { |
cfd66529 | 1223 | return; // anything will do. |
b50e327b AJ |
1224 | } |
1225 | ||
c0941a6a | 1226 | ACLFilledChecklist ch(NULL, request, NULL); |
739b352a | 1227 | ch.dst_peer = conn->getPeer(); |
cfd66529 AJ |
1228 | ch.dst_addr = conn->remote; |
1229 | ||
1230 | // TODO use the connection details in ACL. | |
1231 | // needs a bit of rework in ACLFilledChecklist to use Comm::Connection instead of ConnStateData | |
6db78a1a | 1232 | |
26ac0430 | 1233 | if (request) { |
9aaf363a AJ |
1234 | #if FOLLOW_X_FORWARDED_FOR |
1235 | if (Config.onoff.acl_uses_indirect_client) | |
1236 | ch.src_addr = request->indirect_client_addr; | |
1237 | else | |
1238 | #endif | |
f892cbd2 | 1239 | ch.src_addr = request->client_addr; |
b6b6f466 | 1240 | ch.my_addr = request->my_addr; |
b6b6f466 | 1241 | } |
62e76326 | 1242 | |
cfd66529 AJ |
1243 | acl_address *l; |
1244 | for (l = Config.accessList.outgoing_address; l; l = l->next) { | |
1245 | ||
1246 | /* check if the outgoing address is usable to the destination */ | |
1247 | if (conn->remote.IsIPv4() != l->addr.IsIPv4()) continue; | |
1248 | ||
1249 | /* check ACLs for this outgoing address */ | |
2efeb0b7 | 1250 | if (!l->aclList || ch.fastCheck(l->aclList) == ACCESS_ALLOWED) { |
cfd66529 AJ |
1251 | conn->local = l->addr; |
1252 | return; | |
1253 | } | |
1254 | } | |
b6b6f466 | 1255 | } |
62e76326 | 1256 | |
425de4c8 AJ |
1257 | tos_t |
1258 | GetTosToServer(HttpRequest * request) | |
1259 | { | |
1260 | ACLFilledChecklist ch(NULL, request, NULL); | |
1261 | ||
1262 | if (request) { | |
1263 | ch.src_addr = request->client_addr; | |
1264 | ch.my_addr = request->my_addr; | |
1265 | } | |
1266 | ||
1267 | return aclMapTOS(Ip::Qos::TheConfig.tosToServer, &ch); | |
1268 | } | |
1269 | ||
1270 | nfmark_t | |
1271 | GetNfmarkToServer(HttpRequest * request) | |
b6b6f466 | 1272 | { |
c0941a6a | 1273 | ACLFilledChecklist ch(NULL, request, NULL); |
62e76326 | 1274 | |
b6b6f466 | 1275 | if (request) { |
1276 | ch.src_addr = request->client_addr; | |
1277 | ch.my_addr = request->my_addr; | |
b6a2f15e | 1278 | } |
62e76326 | 1279 | |
425de4c8 | 1280 | return aclMapNfmark(Ip::Qos::TheConfig.nfmarkToServer, &ch); |
b6a2f15e | 1281 | } |