]>
Commit | Line | Data |
---|---|---|
41462d93 | 1 | /* |
41462d93 | 2 | * DEBUG: section 17 Request Forwarding |
3 | * AUTHOR: Duane Wessels | |
4 | * | |
2b6662ba | 5 | * SQUID Web Proxy Cache http://www.squid-cache.org/ |
e25c139f | 6 | * ---------------------------------------------------------- |
41462d93 | 7 | * |
2b6662ba | 8 | * Squid is the result of efforts by numerous individuals from |
9 | * the Internet community; see the CONTRIBUTORS file for full | |
10 | * details. Many organizations have provided support for Squid's | |
11 | * development; see the SPONSORS file for full details. Squid is | |
12 | * Copyrighted (C) 2001 by the Regents of the University of | |
13 | * California; see the COPYRIGHT file for full details. Squid | |
14 | * incorporates software developed and/or copyrighted by other | |
15 | * sources; see the CREDITS file for full details. | |
41462d93 | 16 | * |
17 | * This program is free software; you can redistribute it and/or modify | |
18 | * it under the terms of the GNU General Public License as published by | |
19 | * the Free Software Foundation; either version 2 of the License, or | |
20 | * (at your option) any later version. | |
26ac0430 | 21 | * |
41462d93 | 22 | * This program is distributed in the hope that it will be useful, |
23 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
24 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
25 | * GNU General Public License for more details. | |
26ac0430 | 26 | * |
41462d93 | 27 | * You should have received a copy of the GNU General Public License |
28 | * along with this program; if not, write to the Free Software | |
cbdec147 | 29 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. |
e25c139f | 30 | * |
41462d93 | 31 | */ |
32 | ||
582c2af2 | 33 | #include "squid.h" |
4bf68cfa | 34 | #include "AccessLogEntry.h" |
0dc8ffa5 | 35 | #include "acl/AclAddress.h" |
c0941a6a AR |
36 | #include "acl/FilledChecklist.h" |
37 | #include "acl/Gadgets.h" | |
5ae65581 | 38 | #include "anyp/PortCfg.h" |
a011edee | 39 | #include "CachePeer.h" |
25b481e6 | 40 | #include "CacheManager.h" |
582c2af2 | 41 | #include "client_side.h" |
f9b72e0c | 42 | #include "comm/Connection.h" |
aed188fd | 43 | #include "comm/ConnOpener.h" |
d841c88d | 44 | #include "comm/Loops.h" |
582c2af2 | 45 | #include "CommCalls.h" |
aa839030 | 46 | #include "errorpage.h" |
582c2af2 | 47 | #include "event.h" |
fc54b8d2 | 48 | #include "fd.h" |
aa839030 | 49 | #include "fde.h" |
582c2af2 | 50 | #include "forward.h" |
fc54b8d2 | 51 | #include "ftp.h" |
582c2af2 | 52 | #include "globals.h" |
fc54b8d2 | 53 | #include "gopher.h" |
bbaf2685 | 54 | #include "hier_code.h" |
fc54b8d2 | 55 | #include "http.h" |
924f73bc | 56 | #include "HttpReply.h" |
aa839030 | 57 | #include "HttpRequest.h" |
582c2af2 | 58 | #include "icmp/net_db.h" |
fc54b8d2 | 59 | #include "internal.h" |
582c2af2 | 60 | #include "ip/Intercept.h" |
425de4c8 | 61 | #include "ip/QosConfig.h" |
582c2af2 | 62 | #include "ip/tools.h" |
aa839030 | 63 | #include "MemObject.h" |
582c2af2 | 64 | #include "mgr/Registration.h" |
fc54b8d2 | 65 | #include "neighbors.h" |
781ce8ff | 66 | #include "pconn.h" |
cfd66529 | 67 | #include "PeerSelectState.h" |
4d5904f7 | 68 | #include "SquidConfig.h" |
aa839030 | 69 | #include "SquidTime.h" |
70 | #include "Store.h" | |
e87137f1 | 71 | #include "StoreClient.h" |
5eb529cb | 72 | #include "urn.h" |
fc54b8d2 | 73 | #include "whois.h" |
4db984be | 74 | #if USE_SSL |
2cef0ca6 AR |
75 | #include "ssl/cert_validate_message.h" |
76 | #include "ssl/Config.h" | |
77 | #include "ssl/helper.h" | |
4db984be | 78 | #include "ssl/support.h" |
4d16918e | 79 | #include "ssl/ErrorDetail.h" |
fd4624d7 | 80 | #include "ssl/ServerBump.h" |
4db984be | 81 | #endif |
21d845b1 FC |
82 | #if HAVE_ERRNO_H |
83 | #include <errno.h> | |
84 | #endif | |
cfd66529 | 85 | |
6b679a01 | 86 | static PSC fwdPeerSelectionCompleteWrapper; |
575d05c4 | 87 | static CLCB fwdServerClosedWrapper; |
b6b6f466 | 88 | #if USE_SSL |
89 | static PF fwdNegotiateSSLWrapper; | |
90 | #endif | |
b6b6f466 | 91 | static CNCB fwdConnectDoneWrapper; |
92 | ||
8ddcc35d | 93 | static OBJH fwdStats; |
94 | ||
95 | #define MAX_FWD_STATS_IDX 9 | |
955394ce | 96 | static int FwdReplyCodes[MAX_FWD_STATS_IDX + 1][Http::scInvalidHeader + 1]; |
db1cd23c | 97 | |
781ce8ff | 98 | static PconnPool *fwdPconnPool = new PconnPool("server-side"); |
b6b6f466 | 99 | CBDATA_CLASS_INIT(FwdState); |
781ce8ff | 100 | |
429871db | 101 | void |
102 | FwdState::abort(void* d) | |
103 | { | |
104 | FwdState* fwd = (FwdState*)d; | |
6ecaf21a | 105 | Pointer tmp = fwd; // Grab a temporary pointer to keep the object alive during our scope. |
429871db | 106 | |
6b679a01 | 107 | if (Comm::IsConnOpen(fwd->serverConnection())) { |
5229395c | 108 | comm_remove_close_handler(fwd->serverConnection()->fd, fwdServerClosedWrapper, fwd); |
6dd9a2e4 AJ |
109 | debugs(17, 3, HERE << "store entry aborted; closing " << |
110 | fwd->serverConnection()); | |
111 | fwd->serverConnection()->close(); | |
112 | } else { | |
113 | debugs(17, 7, HERE << "store entry aborted; no connection to close"); | |
cff02fa6 | 114 | } |
00ae51e4 | 115 | fwd->serverDestinations.clean(); |
429871db | 116 | fwd->self = NULL; |
117 | } | |
118 | ||
b6b6f466 | 119 | /**** PUBLIC INTERFACE ********************************************************/ |
c7f9eb6d | 120 | |
4bf68cfa | 121 | FwdState::FwdState(const Comm::ConnectionPointer &client, StoreEntry * e, HttpRequest * r, const AccessLogEntryPointer &alp): |
c901ed8c | 122 | al(alp) |
db1cd23c | 123 | { |
3157a816 | 124 | debugs(17, 2, HERE << "Forwarding client request " << client << ", url=" << e->url() ); |
b6b6f466 | 125 | entry = e; |
5c336a3b | 126 | clientConn = client; |
b248c2a3 AJ |
127 | request = r; |
128 | HTTPMSGLOCK(request); | |
bc81ee68 | 129 | pconnRace = raceImpossible; |
b6b6f466 | 130 | start_t = squid_curtime; |
00ae51e4 | 131 | serverDestinations.reserve(Config.forward_max_tries); |
3d0ac046 | 132 | e->lock(); |
b6b6f466 | 133 | EBIT_SET(e->flags, ENTRY_FWD_HDR_WAIT); |
7a0fb323 | 134 | } |
135 | ||
136 | // Called once, right after object creation, when it is safe to set self | |
fc68f6b1 | 137 | void FwdState::start(Pointer aSelf) |
138 | { | |
7a0fb323 | 139 | // Protect ourselves from being destroyed when the only Server pointing |
140 | // to us is gone (while we expect to talk to more Servers later). | |
141 | // Once we set self, we are responsible for clearing it when we do not | |
142 | // expect to talk to any servers. | |
143 | self = aSelf; // refcounted | |
144 | ||
145 | // We hope that either the store entry aborts or peer is selected. | |
146 | // Otherwise we are going to leak our object. | |
34266cde | 147 | |
3900307b | 148 | entry->registerAbort(FwdState::abort, this); |
bfe4e2fe | 149 | |
32c32865 | 150 | #if STRICT_ORIGINAL_DST |
bfe4e2fe AJ |
151 | // Bug 3243: CVE 2009-0801 |
152 | // Bypass of browser same-origin access control in intercepted communication | |
153 | // To resolve this we must force DIRECT and only to the original client destination. | |
0d901ef4 | 154 | const bool isIntercepted = request && !request->flags.redirected && (request->flags.intercepted || request->flags.interceptTproxy); |
2962f8b8 AJ |
155 | const bool useOriginalDst = Config.onoff.client_dst_passthru || (request && !request->flags.hostVerified); |
156 | if (isIntercepted && useOriginalDst) { | |
d7ce0bcd | 157 | selectPeerForIntercepted(); |
7177edfb AJ |
158 | // 3.2 does not suppro re-wrapping inside CONNECT. |
159 | // our only alternative is to fake destination "found" and continue with the forwarding. | |
bfe4e2fe | 160 | startConnectionOrFail(); |
7177edfb | 161 | return; |
bfe4e2fe | 162 | } |
32c32865 AJ |
163 | #endif |
164 | ||
7177edfb AJ |
165 | // do full route options selection |
166 | peerSelect(&serverDestinations, request, entry, fwdPeerSelectionCompleteWrapper, this); | |
db1cd23c | 167 | } |
168 | ||
32c32865 | 169 | #if STRICT_ORIGINAL_DST |
d7ce0bcd AR |
170 | /// bypasses peerSelect() when dealing with intercepted requests |
171 | void | |
172 | FwdState::selectPeerForIntercepted() | |
173 | { | |
174 | // use pinned connection if available | |
175 | Comm::ConnectionPointer p; | |
693cb033 | 176 | if (ConnStateData *client = request->pinnedConnection()) { |
d7ce0bcd | 177 | p = client->validatePinnedConnection(request, NULL); |
693cb033 CT |
178 | if (Comm::IsConnOpen(p)) { |
179 | /* duplicate peerSelectPinned() effects */ | |
180 | p->peerType = PINNED; | |
181 | entry->ping_status = PING_DONE; /* Skip ICP */ | |
d7ce0bcd | 182 | |
693cb033 CT |
183 | debugs(17, 3, "reusing a pinned conn: " << *p); |
184 | serverDestinations.push_back(p); | |
185 | } else { | |
186 | debugs(17,2, "Pinned connection is not valid: " << p); | |
955394ce | 187 | ErrorState *anErr = new ErrorState(ERR_ZERO_SIZE_OBJECT, Http::scServiceUnavailable, request); |
693cb033 CT |
188 | fail(anErr); |
189 | } | |
190 | // Either use the valid pinned connection or fail if it is invalid. | |
191 | return; | |
d7ce0bcd AR |
192 | } |
193 | ||
7177edfb AJ |
194 | // use client original destination as second preferred choice |
195 | p = new Comm::Connection(); | |
196 | p->peerType = ORIGINAL_DST; | |
197 | p->remote = clientConn->local; | |
198 | getOutgoingAddress(request, p); | |
199 | ||
200 | debugs(17, 3, HERE << "using client original destination: " << *p); | |
d7ce0bcd AR |
201 | serverDestinations.push_back(p); |
202 | } | |
32c32865 | 203 | #endif |
d7ce0bcd | 204 | |
802a8c1d | 205 | void |
206 | FwdState::completed() | |
41462d93 | 207 | { |
e857372a | 208 | if (flags.forward_completed) { |
e0236918 | 209 | debugs(17, DBG_IMPORTANT, HERE << "FwdState::completed called on a completed request! Bad!"); |
fc68f6b1 | 210 | return; |
211 | } | |
212 | ||
e857372a | 213 | flags.forward_completed = true; |
802a8c1d | 214 | |
c4a88a3e CT |
215 | if (EBIT_TEST(entry->flags, ENTRY_ABORTED)) { |
216 | debugs(17, 3, HERE << "entry aborted"); | |
217 | return ; | |
218 | } | |
219 | ||
bc87dc25 | 220 | #if URL_CHECKSUM_DEBUG |
62e76326 | 221 | |
b6b6f466 | 222 | entry->mem_obj->checkUrlChecksum(); |
225644d7 | 223 | #endif |
62e76326 | 224 | |
b6b6f466 | 225 | if (entry->store_status == STORE_PENDING) { |
226 | if (entry->isEmpty()) { | |
a04b7e6e | 227 | if (!err) // we quit (e.g., fd closed) before an error or content |
955394ce | 228 | fail(new ErrorState(ERR_READ_ERROR, Http::scBadGateway, request)); |
b6b6f466 | 229 | assert(err); |
230 | errorAppendEntry(entry, err); | |
231 | err = NULL; | |
2cef0ca6 AR |
232 | #if USE_SSL |
233 | if (request->flags.sslPeek && request->clientConnectionManager.valid()) { | |
234 | CallJobHere1(17, 4, request->clientConnectionManager, ConnStateData, | |
235 | ConnStateData::httpsPeeked, Comm::ConnectionPointer(NULL)); | |
236 | } | |
237 | #endif | |
62e76326 | 238 | } else { |
b6b6f466 | 239 | EBIT_CLR(entry->flags, ENTRY_FWD_HDR_WAIT); |
240 | entry->complete(); | |
d88e3c49 | 241 | entry->releaseRequest(); |
62e76326 | 242 | } |
f563eea9 | 243 | } |
62e76326 | 244 | |
b6b6f466 | 245 | if (storePendingNClients(entry) > 0) |
246 | assert(!EBIT_TEST(entry->flags, ENTRY_FWD_HDR_WAIT)); | |
62e76326 | 247 | |
802a8c1d | 248 | } |
249 | ||
250 | FwdState::~FwdState() | |
251 | { | |
252 | debugs(17, 3, HERE << "FwdState destructor starting"); | |
fc68f6b1 | 253 | |
802a8c1d | 254 | if (! flags.forward_completed) |
fc68f6b1 | 255 | completed(); |
802a8c1d | 256 | |
9d2760b6 AR |
257 | doneWithRetries(); |
258 | ||
6dd9f4bd | 259 | HTTPMSGUNLOCK(request); |
62e76326 | 260 | |
913524f0 | 261 | delete err; |
62e76326 | 262 | |
3900307b | 263 | entry->unregisterAbort(); |
429871db | 264 | |
97b5e68f | 265 | entry->unlock(); |
62e76326 | 266 | |
b6b6f466 | 267 | entry = NULL; |
62e76326 | 268 | |
e3a4aecc AJ |
269 | if (calls.connector != NULL) { |
270 | calls.connector->cancel("FwdState destructed"); | |
271 | calls.connector = NULL; | |
272 | } | |
273 | ||
6b679a01 | 274 | if (Comm::IsConnOpen(serverConn)) { |
5229395c AJ |
275 | comm_remove_close_handler(serverConnection()->fd, fwdServerClosedWrapper, this); |
276 | debugs(17, 3, HERE << "closing FD " << serverConnection()->fd); | |
00ae51e4 | 277 | serverConn->close(); |
b6b6f466 | 278 | } |
fc68f6b1 | 279 | |
00ae51e4 | 280 | serverDestinations.clean(); |
cfd66529 | 281 | |
b6b6f466 | 282 | debugs(17, 3, HERE << "FwdState destructor done"); |
283 | } | |
62e76326 | 284 | |
38413773 | 285 | /** |
b6b6f466 | 286 | * This is the entry point for client-side to start forwarding |
287 | * a transaction. It is a static method that may or may not | |
288 | * allocate a FwdState. | |
289 | */ | |
be0c6690 | 290 | void |
4bf68cfa | 291 | FwdState::Start(const Comm::ConnectionPointer &clientConn, StoreEntry *entry, HttpRequest *request, const AccessLogEntryPointer &al) |
b6b6f466 | 292 | { |
b50e327b | 293 | /** \note |
b6b6f466 | 294 | * client_addr == no_addr indicates this is an "internal" request |
295 | * from peer_digest.c, asn.c, netdb.c, etc and should always | |
296 | * be allowed. yuck, I know. | |
297 | */ | |
62e76326 | 298 | |
b50e327b | 299 | if ( Config.accessList.miss && !request->client_addr.IsNoAddr() && |
39a19cb7 | 300 | request->protocol != AnyP::PROTO_INTERNAL && request->protocol != AnyP::PROTO_CACHE_OBJECT) { |
b50e327b | 301 | /** |
fbd3636b NR |
302 | * Check if this host is allowed to fetch MISSES from us (miss_access). |
303 | * Intentionally replace the src_addr automatically selected by the checklist code | |
304 | * we do NOT want the indirect client address to be tested here. | |
b6b6f466 | 305 | */ |
c0941a6a | 306 | ACLFilledChecklist ch(Config.accessList.miss, request, NULL); |
b6b6f466 | 307 | ch.src_addr = request->client_addr; |
2efeb0b7 | 308 | if (ch.fastCheck() == ACCESS_DENIED) { |
b6b6f466 | 309 | err_type page_id; |
9ce7856a | 310 | page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, 1); |
b6b6f466 | 311 | |
312 | if (page_id == ERR_NONE) | |
313 | page_id = ERR_FORWARDING_DENIED; | |
314 | ||
955394ce | 315 | ErrorState *anErr = new ErrorState(page_id, Http::scForbidden, request); |
b6b6f466 | 316 | errorAppendEntry(entry, anErr); // frees anErr |
be0c6690 | 317 | return; |
b6b6f466 | 318 | } |
319 | } | |
320 | ||
cfd66529 | 321 | debugs(17, 3, HERE << "'" << entry->url() << "'"); |
f4ef658f | 322 | /* |
323 | * This seems like an odd place to bind mem_obj and request. | |
324 | * Might want to assert that request is NULL at this point | |
325 | */ | |
b248c2a3 AJ |
326 | entry->mem_obj->request = request; |
327 | HTTPMSGLOCK(entry->mem_obj->request); | |
b6b6f466 | 328 | #if URL_CHECKSUM_DEBUG |
329 | ||
330 | entry->mem_obj->checkUrlChecksum(); | |
331 | #endif | |
332 | ||
333 | if (shutting_down) { | |
334 | /* more yuck */ | |
955394ce | 335 | ErrorState *anErr = new ErrorState(ERR_SHUTTING_DOWN, Http::scServiceUnavailable, request); |
b6b6f466 | 336 | errorAppendEntry(entry, anErr); // frees anErr |
be0c6690 | 337 | return; |
6801f8a8 | 338 | } |
62e76326 | 339 | |
b6b6f466 | 340 | switch (request->protocol) { |
341 | ||
0c3d3f65 | 342 | case AnyP::PROTO_INTERNAL: |
e37bd29b | 343 | internalStart(clientConn, request, entry); |
be0c6690 | 344 | return; |
b6b6f466 | 345 | |
39a19cb7 | 346 | case AnyP::PROTO_CACHE_OBJECT: |
5c336a3b | 347 | CacheManager::GetInstance()->Start(clientConn, request, entry); |
be0c6690 | 348 | return; |
b6b6f466 | 349 | |
0c3d3f65 | 350 | case AnyP::PROTO_URN: |
b6b6f466 | 351 | urnStart(request, entry); |
be0c6690 | 352 | return; |
b6b6f466 | 353 | |
354 | default: | |
4bf68cfa | 355 | FwdState::Pointer fwd = new FwdState(clientConn, entry, request, al); |
7a0fb323 | 356 | fwd->start(fwd); |
be0c6690 | 357 | return; |
b6b6f466 | 358 | } |
359 | ||
360 | /* NOTREACHED */ | |
41462d93 | 361 | } |
362 | ||
4bf68cfa AR |
363 | void |
364 | FwdState::fwdStart(const Comm::ConnectionPointer &clientConn, StoreEntry *entry, HttpRequest *request) | |
365 | { | |
366 | // Hides AccessLogEntry.h from code that does not supply ALE anyway. | |
367 | Start(clientConn, entry, request, NULL); | |
368 | } | |
369 | ||
cfd66529 | 370 | void |
6b679a01 | 371 | FwdState::startConnectionOrFail() |
cfd66529 | 372 | { |
8652f8e7 | 373 | debugs(17, 3, HERE << entry->url()); |
cfd66529 | 374 | |
00ae51e4 | 375 | if (serverDestinations.size() > 0) { |
8652f8e7 AJ |
376 | // Ditch error page if it was created before. |
377 | // A new one will be created if there's another problem | |
913524f0 AJ |
378 | delete err; |
379 | err = NULL; | |
8652f8e7 AJ |
380 | |
381 | // Update the logging information about this new server connection. | |
382 | // Done here before anything else so the errors get logged for | |
383 | // this server link regardless of what happens when connecting to it. | |
384 | // IF sucessfuly connected this top destination will become the serverConnection(). | |
385 | request->hier.note(serverDestinations[0], request->GetHost()); | |
129fe2a1 | 386 | request->clearError(); |
8652f8e7 | 387 | |
cfd66529 AJ |
388 | connectStart(); |
389 | } else { | |
95b83010 CT |
390 | debugs(17, 3, HERE << "Connection failed: " << entry->url()); |
391 | if (!err) { | |
955394ce | 392 | ErrorState *anErr = new ErrorState(ERR_CANNOT_FORWARD, Http::scInternalServerError, request); |
95b83010 | 393 | fail(anErr); |
8652f8e7 | 394 | } // else use actual error from last connection attempt |
cfd66529 AJ |
395 | self = NULL; // refcounted |
396 | } | |
397 | } | |
398 | ||
b6b6f466 | 399 | void |
400 | FwdState::fail(ErrorState * errorState) | |
401 | { | |
9b769c67 | 402 | debugs(17, 3, err_type_str[errorState->type] << " \"" << Http::StatusCodeString(errorState->httpStatus) << "\"\n\t" << entry->url()); |
b6b6f466 | 403 | |
913524f0 | 404 | delete err; |
b6b6f466 | 405 | err = errorState; |
406 | ||
b248c2a3 AJ |
407 | if (!errorState->request) { |
408 | errorState->request = request; | |
409 | HTTPMSGLOCK(errorState->request); | |
410 | } | |
64b66b76 | 411 | |
693cb033 CT |
412 | if (err->type != ERR_ZERO_SIZE_OBJECT) |
413 | return; | |
414 | ||
415 | if (pconnRace == racePossible) { | |
bc81ee68 AR |
416 | debugs(17, 5, HERE << "pconn race happened"); |
417 | pconnRace = raceHappened; | |
418 | } | |
693cb033 CT |
419 | |
420 | if (ConnStateData *pinned_connection = request->pinnedConnection()) { | |
421 | pinned_connection->pinning.zeroReply = true; | |
422 | flags.dont_retry = true; // we want to propagate failure to the client | |
423 | debugs(17, 4, "zero reply on pinned connection"); | |
424 | } | |
b6b6f466 | 425 | } |
426 | ||
38413773 | 427 | /** |
b6b6f466 | 428 | * Frees fwdState without closing FD or generating an abort |
429 | */ | |
430 | void | |
00ae51e4 | 431 | FwdState::unregister(Comm::ConnectionPointer &conn) |
5229395c AJ |
432 | { |
433 | debugs(17, 3, HERE << entry->url() ); | |
434 | assert(serverConnection() == conn); | |
6b679a01 | 435 | assert(Comm::IsConnOpen(conn)); |
5229395c | 436 | comm_remove_close_handler(conn->fd, fwdServerClosedWrapper, this); |
00ae51e4 | 437 | serverConn = NULL; |
5229395c AJ |
438 | } |
439 | ||
440 | // Legacy method to be removed in favor of the above as soon as possible | |
441 | void | |
b6b6f466 | 442 | FwdState::unregister(int fd) |
443 | { | |
5229395c AJ |
444 | debugs(17, 3, HERE << entry->url() ); |
445 | assert(fd == serverConnection()->fd); | |
00ae51e4 | 446 | unregister(serverConn); |
b6b6f466 | 447 | } |
448 | ||
38413773 | 449 | /** |
b6b6f466 | 450 | * server-side modules call fwdComplete() when they are done |
451 | * downloading an object. Then, we either 1) re-forward the | |
452 | * request somewhere else if needed, or 2) call storeComplete() | |
453 | * to finish it off | |
454 | */ | |
455 | void | |
456 | FwdState::complete() | |
457 | { | |
9b769c67 | 458 | debugs(17, 3, HERE << entry->url() << "\n\tstatus " << entry->getReply()->sline.status()); |
b6b6f466 | 459 | #if URL_CHECKSUM_DEBUG |
460 | ||
461 | entry->mem_obj->checkUrlChecksum(); | |
462 | #endif | |
463 | ||
9b769c67 | 464 | logReplyStatus(n_tries, entry->getReply()->sline.status()); |
b6b6f466 | 465 | |
466 | if (reforward()) { | |
9b769c67 | 467 | debugs(17, 3, HERE << "re-forwarding " << entry->getReply()->sline.status() << " " << entry->url()); |
b6b6f466 | 468 | |
6b679a01 | 469 | if (Comm::IsConnOpen(serverConn)) |
00ae51e4 | 470 | unregister(serverConn); |
b6b6f466 | 471 | |
cfd66529 AJ |
472 | entry->reset(); |
473 | ||
8652f8e7 AJ |
474 | // drop the last path off the selection list. try the next one. |
475 | serverDestinations.shift(); | |
476 | startConnectionOrFail(); | |
477 | ||
b6b6f466 | 478 | } else { |
6b679a01 | 479 | if (Comm::IsConnOpen(serverConn)) |
9b769c67 | 480 | debugs(17, 3, HERE << "server FD " << serverConnection()->fd << " not re-forwarding status " << entry->getReply()->sline.status()); |
6b679a01 | 481 | else |
9b769c67 | 482 | debugs(17, 3, HERE << "server (FD closed) not re-forwarding status " << entry->getReply()->sline.status()); |
9e5c22cf AJ |
483 | EBIT_CLR(entry->flags, ENTRY_FWD_HDR_WAIT); |
484 | entry->complete(); | |
fc68f6b1 | 485 | |
6b679a01 | 486 | if (!Comm::IsConnOpen(serverConn)) |
fc68f6b1 | 487 | completed(); |
488 | ||
7a0fb323 | 489 | self = NULL; // refcounted |
b6b6f466 | 490 | } |
491 | } | |
492 | ||
b6b6f466 | 493 | /**** CALLBACK WRAPPERS ************************************************************/ |
494 | ||
495 | static void | |
a37fdd8a | 496 | fwdPeerSelectionCompleteWrapper(Comm::ConnectionList * unused, ErrorState *err, void *data) |
b6b6f466 | 497 | { |
498 | FwdState *fwd = (FwdState *) data; | |
a37fdd8a AJ |
499 | if (err) |
500 | fwd->fail(err); | |
6b679a01 | 501 | fwd->startConnectionOrFail(); |
b6b6f466 | 502 | } |
503 | ||
504 | static void | |
575d05c4 | 505 | fwdServerClosedWrapper(const CommCloseCbParams ¶ms) |
b6b6f466 | 506 | { |
575d05c4 AJ |
507 | FwdState *fwd = (FwdState *)params.data; |
508 | fwd->serverClosed(params.fd); | |
b6b6f466 | 509 | } |
510 | ||
b6b6f466 | 511 | #if USE_SSL |
512 | static void | |
513 | fwdNegotiateSSLWrapper(int fd, void *data) | |
514 | { | |
515 | FwdState *fwd = (FwdState *) data; | |
516 | fwd->negotiateSSL(fd); | |
517 | } | |
518 | ||
519 | #endif | |
520 | ||
cfd66529 | 521 | void |
f01d4b80 | 522 | fwdConnectDoneWrapper(const Comm::ConnectionPointer &conn, comm_err_t status, int xerrno, void *data) |
b6b6f466 | 523 | { |
524 | FwdState *fwd = (FwdState *) data; | |
aed188fd | 525 | fwd->connectDone(conn, status, xerrno); |
b6b6f466 | 526 | } |
527 | ||
528 | /**** PRIVATE *****************************************************************/ | |
529 | ||
545782b8 | 530 | /* |
531 | * FwdState::checkRetry | |
26ac0430 | 532 | * |
545782b8 | 533 | * Return TRUE if the request SHOULD be retried. This method is |
534 | * called when the HTTP connection fails, or when the connection | |
535 | * is closed before server-side read the end of HTTP headers. | |
536 | */ | |
b6b6f466 | 537 | bool |
538 | FwdState::checkRetry() | |
68bd6892 | 539 | { |
d8fd0f18 | 540 | if (shutting_down) |
b6b6f466 | 541 | return false; |
62e76326 | 542 | |
9d2760b6 AR |
543 | if (!self) { // we have aborted before the server called us back |
544 | debugs(17, 5, HERE << "not retrying because of earlier abort"); | |
545 | // we will be destroyed when the server clears its Pointer to us | |
546 | return false; | |
547 | } | |
548 | ||
b6b6f466 | 549 | if (entry->store_status != STORE_PENDING) |
550 | return false; | |
62e76326 | 551 | |
b6b6f466 | 552 | if (!entry->isEmpty()) |
553 | return false; | |
62e76326 | 554 | |
b6b6f466 | 555 | if (n_tries > 10) |
556 | return false; | |
62e76326 | 557 | |
b6b6f466 | 558 | if (origin_tries > 2) |
559 | return false; | |
4ed0e075 | 560 | |
b6b6f466 | 561 | if (squid_curtime - start_t > Config.Timeout.forward) |
562 | return false; | |
62e76326 | 563 | |
b6b6f466 | 564 | if (flags.dont_retry) |
565 | return false; | |
62e76326 | 566 | |
3b9899f7 AR |
567 | if (request->bodyNibbled()) |
568 | return false; | |
569 | ||
0bbd5532 AJ |
570 | // NP: not yet actually connected anywhere. retry is safe. |
571 | if (!flags.connected_okay) | |
572 | return true; | |
573 | ||
5d4989a8 | 574 | if (!checkRetriable()) |
575 | return false; | |
576 | ||
b6b6f466 | 577 | return true; |
68bd6892 | 578 | } |
579 | ||
545782b8 | 580 | /* |
581 | * FwdState::checkRetriable | |
582 | * | |
583 | * Return TRUE if this is the kind of request that can be retried | |
584 | * after a failure. If the request is not retriable then we don't | |
585 | * want to risk sending it on a persistent connection. Instead we'll | |
586 | * force it to go on a new HTTP connection. | |
587 | */ | |
b6b6f466 | 588 | bool |
589 | FwdState::checkRetriable() | |
cb928909 | 590 | { |
ccbcff0e AR |
591 | // Optimize: A compliant proxy may retry PUTs, but Squid lacks the [rather |
592 | // complicated] code required to protect the PUT request body from being | |
593 | // nibbled during the first try. Thus, Squid cannot retry some PUTs today. | |
594 | if (request->body_pipe != NULL) | |
595 | return false; | |
596 | ||
c2a7cefd AJ |
597 | // RFC2616 9.1 Safe and Idempotent Methods |
598 | return (request->method.isHttpSafe() || request->method.isIdempotent()); | |
cb928909 | 599 | } |
600 | ||
b6b6f466 | 601 | void |
602 | FwdState::serverClosed(int fd) | |
910169e5 | 603 | { |
cfd66529 | 604 | debugs(17, 2, HERE << "FD " << fd << " " << entry->url()); |
3e8c047e | 605 | retryOrBail(); |
606 | } | |
607 | ||
608 | void | |
26ac0430 AJ |
609 | FwdState::retryOrBail() |
610 | { | |
b6b6f466 | 611 | if (checkRetry()) { |
cfd66529 | 612 | debugs(17, 3, HERE << "re-forwarding (" << n_tries << " tries, " << (squid_curtime - start_t) << " secs)"); |
bc81ee68 AR |
613 | // we should retry the same destination if it failed due to pconn race |
614 | if (pconnRace == raceHappened) | |
615 | debugs(17, 4, HERE << "retrying the same destination"); | |
616 | else | |
617 | serverDestinations.shift(); // last one failed. try another. | |
8652f8e7 AJ |
618 | startConnectionOrFail(); |
619 | return; | |
d8fd0f18 | 620 | } |
62e76326 | 621 | |
9d2760b6 AR |
622 | // TODO: should we call completed() here and move doneWithRetries there? |
623 | doneWithRetries(); | |
624 | ||
625 | if (self != NULL && !err && shutting_down) { | |
955394ce | 626 | ErrorState *anErr = new ErrorState(ERR_SHUTTING_DOWN, Http::scServiceUnavailable, request); |
f01d4b80 | 627 | errorAppendEntry(entry, anErr); |
f563eea9 | 628 | } |
62e76326 | 629 | |
b6b6f466 | 630 | self = NULL; // refcounted |
910169e5 | 631 | } |
632 | ||
9d2760b6 AR |
633 | // If the Server quits before nibbling at the request body, the body sender |
634 | // will not know (so that we can retry). Call this if we will not retry. We | |
635 | // will notify the sender so that it does not get stuck waiting for space. | |
636 | void | |
637 | FwdState::doneWithRetries() | |
638 | { | |
639 | if (request && request->body_pipe != NULL) | |
640 | request->body_pipe->expectNoConsumption(); | |
641 | } | |
642 | ||
3e8c047e | 643 | // called by the server that failed after calling unregister() |
644 | void | |
645 | FwdState::handleUnregisteredServerEnd() | |
646 | { | |
cfd66529 | 647 | debugs(17, 2, HERE << "self=" << self << " err=" << err << ' ' << entry->url()); |
6b679a01 | 648 | assert(!Comm::IsConnOpen(serverConn)); |
3e8c047e | 649 | retryOrBail(); |
650 | } | |
651 | ||
a7ad6e4e | 652 | #if USE_SSL |
b6b6f466 | 653 | void |
654 | FwdState::negotiateSSL(int fd) | |
a7ad6e4e | 655 | { |
8e9bae99 | 656 | unsigned long ssl_lib_error = SSL_ERROR_NONE; |
a7ad6e4e | 657 | SSL *ssl = fd_table[fd].ssl; |
658 | int ret; | |
62e76326 | 659 | |
a7ad6e4e | 660 | if ((ret = SSL_connect(ssl)) <= 0) { |
62e76326 | 661 | int ssl_error = SSL_get_error(ssl, ret); |
8e9bae99 CT |
662 | #ifdef EPROTO |
663 | int sysErrNo = EPROTO; | |
664 | #else | |
665 | int sysErrNo = EACCES; | |
666 | #endif | |
62e76326 | 667 | |
668 | switch (ssl_error) { | |
669 | ||
670 | case SSL_ERROR_WANT_READ: | |
d841c88d | 671 | Comm::SetSelect(fd, COMM_SELECT_READ, fwdNegotiateSSLWrapper, this, 0); |
62e76326 | 672 | return; |
673 | ||
674 | case SSL_ERROR_WANT_WRITE: | |
d841c88d | 675 | Comm::SetSelect(fd, COMM_SELECT_WRITE, fwdNegotiateSSLWrapper, this, 0); |
62e76326 | 676 | return; |
677 | ||
8e9bae99 CT |
678 | case SSL_ERROR_SSL: |
679 | case SSL_ERROR_SYSCALL: | |
680 | ssl_lib_error = ERR_get_error(); | |
e0236918 | 681 | debugs(81, DBG_IMPORTANT, "fwdNegotiateSSL: Error negotiating SSL connection on FD " << fd << |
8e9bae99 | 682 | ": " << ERR_error_string(ssl_lib_error, NULL) << " (" << ssl_error << |
26ac0430 | 683 | "/" << ret << "/" << errno << ")"); |
62e76326 | 684 | |
8e9bae99 CT |
685 | // store/report errno when ssl_error is SSL_ERROR_SYSCALL, ssl_lib_error is 0, and ret is -1 |
686 | if (ssl_error == SSL_ERROR_SYSCALL && ret == -1 && ssl_lib_error == 0) | |
687 | sysErrNo = errno; | |
62e76326 | 688 | |
8e9bae99 CT |
689 | // falling through to complete error handling |
690 | ||
691 | default: | |
e7a7152c CT |
692 | // TODO: move into a method before merge |
693 | Ssl::ErrorDetail *errDetails; | |
4d16918e | 694 | Ssl::ErrorDetail *errFromFailure = (Ssl::ErrorDetail *)SSL_get_ex_data(ssl, ssl_ex_index_ssl_error_detail); |
e34763f4 | 695 | if (errFromFailure != NULL) { |
4d16918e CT |
696 | // The errFromFailure is attached to the ssl object |
697 | // and will be released when ssl object destroyed. | |
7a957a93 | 698 | // Copy errFromFailure to a new Ssl::ErrorDetail object. |
e7a7152c | 699 | errDetails = new Ssl::ErrorDetail(*errFromFailure); |
ef5fbcff | 700 | } else { |
7a957a93 | 701 | // server_cert can be NULL here |
061bbdec | 702 | X509 *server_cert = SSL_get_peer_certificate(ssl); |
de878a55 | 703 | errDetails = new Ssl::ErrorDetail(SQUID_ERR_SSL_HANDSHAKE, server_cert, NULL); |
061bbdec | 704 | X509_free(server_cert); |
8e9bae99 CT |
705 | } |
706 | ||
707 | if (ssl_lib_error != SSL_ERROR_NONE) | |
e7a7152c | 708 | errDetails->setLibError(ssl_lib_error); |
4d16918e | 709 | |
061bbdec | 710 | if (request->clientConnectionManager.valid()) { |
7a957a93 | 711 | // remember the server certificate from the ErrorDetail object |
fd4624d7 CT |
712 | if (Ssl::ServerBump *serverBump = request->clientConnectionManager->serverBump()) { |
713 | serverBump->serverCert.resetAndLock(errDetails->peerCert()); | |
fb2178bb | 714 | |
7a957a93 AR |
715 | // remember validation errors, if any |
716 | if (Ssl::Errors *errs = static_cast<Ssl::Errors*>(SSL_get_ex_data(ssl, ssl_ex_index_ssl_errors))) | |
717 | serverBump->sslErrors = cbdataReference(errs); | |
87f237a9 | 718 | } |
061bbdec CT |
719 | } |
720 | ||
7a957a93 AR |
721 | // For intercepted connections, set the host name to the server |
722 | // certificate CN. Otherwise, we just hope that CONNECT is using | |
723 | // a user-entered address (a host name or a user-entered IP). | |
c3d24490 | 724 | const bool isConnectRequest = !request->clientConnectionManager->port->flags.isIntercepted(); |
35cd4281 | 725 | if (request->flags.sslPeek && !isConnectRequest) { |
002db1fa | 726 | if (X509 *srvX509 = errDetails->peerCert()) { |
2c065fc8 AR |
727 | if (const char *name = Ssl::CommonHostName(srvX509)) { |
728 | request->SetHost(name); | |
729 | debugs(83, 3, HERE << "reset request host: " << name); | |
730 | } | |
731 | } | |
e7a7152c | 732 | } |
4d16918e | 733 | |
2c065fc8 | 734 | ErrorState *const anErr = makeConnectingError(ERR_SECURE_CONNECT_FAIL); |
e7a7152c CT |
735 | anErr->xerrno = sysErrNo; |
736 | anErr->detail = errDetails; | |
b6b6f466 | 737 | fail(anErr); |
62e76326 | 738 | |
5229395c AJ |
739 | if (serverConnection()->getPeer()) { |
740 | peerConnectFailed(serverConnection()->getPeer()); | |
62e76326 | 741 | } |
742 | ||
00ae51e4 | 743 | serverConn->close(); |
62e76326 | 744 | return; |
745 | } | |
a7ad6e4e | 746 | } |
62e76326 | 747 | |
fb2178bb | 748 | if (request->clientConnectionManager.valid()) { |
7a957a93 | 749 | // remember the server certificate from the ErrorDetail object |
fd4624d7 CT |
750 | if (Ssl::ServerBump *serverBump = request->clientConnectionManager->serverBump()) { |
751 | serverBump->serverCert.reset(SSL_get_peer_certificate(ssl)); | |
752 | ||
7a957a93 AR |
753 | // remember validation errors, if any |
754 | if (Ssl::Errors *errs = static_cast<Ssl::Errors *>(SSL_get_ex_data(ssl, ssl_ex_index_ssl_errors))) | |
755 | serverBump->sslErrors = cbdataReference(errs); | |
fd4624d7 | 756 | } |
fb2178bb | 757 | } |
62e76326 | 758 | |
5229395c AJ |
759 | if (serverConnection()->getPeer() && !SSL_session_reused(ssl)) { |
760 | if (serverConnection()->getPeer()->sslSession) | |
761 | SSL_SESSION_free(serverConnection()->getPeer()->sslSession); | |
f38c5e43 | 762 | |
5229395c | 763 | serverConnection()->getPeer()->sslSession = SSL_get1_session(ssl); |
f38c5e43 | 764 | } |
765 | ||
2cef0ca6 | 766 | if (Ssl::TheConfig.ssl_crt_validator) { |
b56756cb | 767 | Ssl::CertValidationRequest validationRequest; |
14798e73 CT |
768 | // WARNING: Currently we do not use any locking for any of the |
769 | // members of the Ssl::CertValidationRequest class. In this code the | |
b56756cb | 770 | // Ssl::CertValidationRequest object used only to pass data to |
2cef0ca6 | 771 | // Ssl::CertValidationHelper::submit method. |
14798e73 | 772 | validationRequest.ssl = ssl; |
b56756cb | 773 | validationRequest.domainName = request->GetHost(); |
2cef0ca6 | 774 | if (Ssl::Errors *errs = static_cast<Ssl::Errors *>(SSL_get_ex_data(ssl, ssl_ex_index_ssl_errors))) |
b56756cb CT |
775 | // validationRequest disappears on return so no need to cbdataReference |
776 | validationRequest.errors = errs; | |
2cef0ca6 | 777 | else |
b56756cb | 778 | validationRequest.errors = NULL; |
2cef0ca6 | 779 | try { |
4a77bb4e | 780 | debugs(83, 5, "Sending SSL certificate for validation to ssl_crtvd."); |
14798e73 | 781 | Ssl::CertValidationHelper::GetInstance()->sslSubmit(validationRequest, sslCrtvdHandleReplyWrapper, this); |
2cef0ca6 AR |
782 | return; |
783 | } catch (const std::exception &e) { | |
4a77bb4e | 784 | debugs(33, DBG_IMPORTANT, "ERROR: Failed to compose ssl_crtvd " << |
b56756cb | 785 | "request for " << validationRequest.domainName << |
2cef0ca6 AR |
786 | " certificate: " << e.what() << "; will now block to " << |
787 | "validate that certificate."); | |
788 | // fall through to do blocking in-process generation. | |
955394ce | 789 | ErrorState *anErr = new ErrorState(ERR_GATEWAY_FAILURE, Http::scInternalServerError, request); |
77dce8a5 CT |
790 | fail(anErr); |
791 | if (serverConnection()->getPeer()) { | |
792 | peerConnectFailed(serverConnection()->getPeer()); | |
793 | } | |
794 | serverConn->close(); | |
795 | self = NULL; | |
796 | return; | |
2cef0ca6 AR |
797 | } |
798 | } | |
2cef0ca6 | 799 | |
b6b6f466 | 800 | dispatch(); |
a7ad6e4e | 801 | } |
802 | ||
2cef0ca6 | 803 | void |
14798e73 | 804 | FwdState::sslCrtvdHandleReplyWrapper(void *data, Ssl::CertValidationResponse const &validationResponse) |
2cef0ca6 AR |
805 | { |
806 | FwdState * fwd = (FwdState *)(data); | |
14798e73 | 807 | fwd->sslCrtvdHandleReply(validationResponse); |
2cef0ca6 AR |
808 | } |
809 | ||
810 | void | |
14798e73 | 811 | FwdState::sslCrtvdHandleReply(Ssl::CertValidationResponse const &validationResponse) |
2cef0ca6 AR |
812 | { |
813 | Ssl::Errors *errs = NULL; | |
814 | Ssl::ErrorDetail *errDetails = NULL; | |
77dce8a5 | 815 | bool validatorFailed = false; |
2cef0ca6 AR |
816 | if (!Comm::IsConnOpen(serverConnection())) { |
817 | return; | |
818 | } | |
2cef0ca6 | 819 | |
14798e73 CT |
820 | debugs(83,5, request->GetHost() << " cert validation result: " << validationResponse.resultCode); |
821 | ||
822 | if (validationResponse.resultCode == HelperReply::Error) | |
823 | errs = sslCrtvdCheckForErrors(validationResponse, errDetails); | |
824 | else if (validationResponse.resultCode != HelperReply::Okay) | |
4a77bb4e | 825 | validatorFailed = true; |
dd7167ea | 826 | |
14798e73 CT |
827 | if (!errDetails && !validatorFailed) { |
828 | dispatch(); | |
829 | return; | |
2cef0ca6 | 830 | } |
77dce8a5 CT |
831 | |
832 | ErrorState *anErr = NULL; | |
833 | if (validatorFailed) { | |
955394ce | 834 | anErr = new ErrorState(ERR_GATEWAY_FAILURE, Http::scInternalServerError, request); |
77dce8a5 CT |
835 | } else { |
836 | ||
837 | // Check the list error with | |
838 | if (errDetails && request->clientConnectionManager.valid()) { | |
839 | // remember the server certificate from the ErrorDetail object | |
840 | if (Ssl::ServerBump *serverBump = request->clientConnectionManager->serverBump()) { | |
841 | // remember validation errors, if any | |
842 | if (errs) { | |
843 | if (serverBump->sslErrors) | |
268a2e8f | 844 | cbdataReferenceDone(serverBump->sslErrors); |
77dce8a5 CT |
845 | serverBump->sslErrors = cbdataReference(errs); |
846 | } | |
2cef0ca6 AR |
847 | } |
848 | } | |
77dce8a5 CT |
849 | |
850 | anErr = makeConnectingError(ERR_SECURE_CONNECT_FAIL); | |
851 | anErr->detail = errDetails; | |
852 | /*anErr->xerrno= Should preserved*/ | |
2cef0ca6 AR |
853 | } |
854 | ||
2cef0ca6 AR |
855 | fail(anErr); |
856 | if (serverConnection()->getPeer()) { | |
857 | peerConnectFailed(serverConnection()->getPeer()); | |
858 | } | |
859 | serverConn->close(); | |
860 | self = NULL; | |
861 | return; | |
862 | } | |
268a2e8f | 863 | |
97538c72 AR |
864 | /// Checks errors in the cert. validator response against sslproxy_cert_error. |
865 | /// The first honored error, if any, is returned via errDetails parameter. | |
866 | /// The method returns all seen errors except SSL_ERROR_NONE as Ssl::Errors. | |
268a2e8f | 867 | Ssl::Errors * |
14798e73 | 868 | FwdState::sslCrtvdCheckForErrors(Ssl::CertValidationResponse const &resp, Ssl::ErrorDetail *& errDetails) |
268a2e8f CT |
869 | { |
870 | Ssl::Errors *errs = NULL; | |
268a2e8f | 871 | |
97538c72 | 872 | ACLFilledChecklist *check = NULL; |
268a2e8f CT |
873 | if (acl_access *acl = Config.ssl_client.cert_error) |
874 | check = new ACLFilledChecklist(acl, request, dash_str); | |
875 | ||
97538c72 | 876 | SSL *ssl = fd_table[serverConnection()->fd].ssl; |
b56756cb | 877 | typedef Ssl::CertValidationResponse::RecvdErrors::const_iterator SVCRECI; |
97538c72 | 878 | for (SVCRECI i = resp.errors.begin(); i != resp.errors.end(); ++i) { |
268a2e8f CT |
879 | debugs(83, 7, "Error item: " << i->error_no << " " << i->error_reason); |
880 | ||
4a77bb4e | 881 | assert(i->error_no != SSL_ERROR_NONE); |
268a2e8f | 882 | |
97538c72 | 883 | if (!errDetails) { |
268a2e8f CT |
884 | bool allowed = false; |
885 | if (check) { | |
886 | check->sslErrors = new Ssl::Errors(i->error_no); | |
887 | if (check->fastCheck() == ACCESS_ALLOWED) | |
888 | allowed = true; | |
889 | } | |
890 | // else the Config.ssl_client.cert_error access list is not defined | |
891 | // and the first error will cause the error page | |
892 | ||
893 | if (allowed) { | |
894 | debugs(83, 3, "bypassing SSL error " << i->error_no << " in " << "buffer"); | |
895 | } else { | |
896 | debugs(83, 5, "confirming SSL error " << i->error_no); | |
4a77bb4e CT |
897 | X509 *brokenCert = i->cert.get(); |
898 | Ssl::X509_Pointer peerCert(SSL_get_peer_certificate(ssl)); | |
268a2e8f | 899 | const char *aReason = i->error_reason.empty() ? NULL : i->error_reason.c_str(); |
4a77bb4e | 900 | errDetails = new Ssl::ErrorDetail(i->error_no, peerCert.get(), brokenCert, aReason); |
268a2e8f | 901 | } |
7830d88a FC |
902 | if (check) { |
903 | delete check->sslErrors; | |
904 | check->sslErrors = NULL; | |
905 | } | |
268a2e8f CT |
906 | } |
907 | ||
97538c72 | 908 | if (!errs) |
268a2e8f | 909 | errs = new Ssl::Errors(i->error_no); |
22636a68 | 910 | else |
268a2e8f CT |
911 | errs->push_back_unique(i->error_no); |
912 | } | |
c732c598 CT |
913 | if (check) |
914 | delete check; | |
268a2e8f CT |
915 | |
916 | return errs; | |
917 | } | |
918 | ||
b6b6f466 | 919 | void |
920 | FwdState::initiateSSL() | |
a7ad6e4e | 921 | { |
a7ad6e4e | 922 | SSL *ssl; |
923 | SSL_CTX *sslContext = NULL; | |
a3c6762c | 924 | const CachePeer *peer = serverConnection()->getPeer(); |
5229395c | 925 | int fd = serverConnection()->fd; |
62e76326 | 926 | |
a7ad6e4e | 927 | if (peer) { |
62e76326 | 928 | assert(peer->use_ssl); |
929 | sslContext = peer->sslContext; | |
a7ad6e4e | 930 | } else { |
62e76326 | 931 | sslContext = Config.ssl_client.sslContext; |
a7ad6e4e | 932 | } |
62e76326 | 933 | |
a7ad6e4e | 934 | assert(sslContext); |
62e76326 | 935 | |
a7ad6e4e | 936 | if ((ssl = SSL_new(sslContext)) == NULL) { |
e0236918 | 937 | debugs(83, DBG_IMPORTANT, "fwdInitiateSSL: Error allocating handle: " << ERR_error_string(ERR_get_error(), NULL) ); |
955394ce | 938 | ErrorState *anErr = new ErrorState(ERR_SOCKET_FAILURE, Http::scInternalServerError, request); |
129fe2a1 | 939 | // TODO: create Ssl::ErrorDetail with OpenSSL-supplied error code |
b6b6f466 | 940 | fail(anErr); |
941 | self = NULL; // refcounted | |
62e76326 | 942 | return; |
a7ad6e4e | 943 | } |
62e76326 | 944 | |
a7ad6e4e | 945 | SSL_set_fd(ssl, fd); |
62e76326 | 946 | |
a7ad6e4e | 947 | if (peer) { |
62e76326 | 948 | if (peer->ssldomain) |
949 | SSL_set_ex_data(ssl, ssl_ex_index_server, peer->ssldomain); | |
950 | ||
a7ad6e4e | 951 | #if NOT_YET |
62e76326 | 952 | |
953 | else if (peer->name) | |
954 | SSL_set_ex_data(ssl, ssl_ex_index_server, peer->name); | |
955 | ||
a7ad6e4e | 956 | #endif |
62e76326 | 957 | |
958 | else | |
959 | SSL_set_ex_data(ssl, ssl_ex_index_server, peer->host); | |
f38c5e43 | 960 | |
961 | if (peer->sslSession) | |
962 | SSL_set_session(ssl, peer->sslSession); | |
963 | ||
a7ad6e4e | 964 | } else { |
53650ffa CT |
965 | // While we are peeking at the certificate, we may not know the server |
966 | // name that the client will request (after interception or CONNECT) | |
35cd4281 | 967 | // unless it was the CONNECT request with a user-typed address. |
53650ffa CT |
968 | const char *hostname = request->GetHost(); |
969 | const bool hostnameIsIp = request->GetHostIsNumeric(); | |
c3d24490 | 970 | const bool isConnectRequest = !request->clientConnectionManager->port->flags.isIntercepted(); |
35cd4281 | 971 | if (!request->flags.sslPeek || isConnectRequest) |
2c065fc8 AR |
972 | SSL_set_ex_data(ssl, ssl_ex_index_server, (void*)hostname); |
973 | ||
53650ffa | 974 | // Use SNI TLS extension only when we connect directly |
7a957a93 | 975 | // to the origin server and we know the server host name. |
53650ffa CT |
976 | if (!hostnameIsIp) |
977 | Ssl::setClientSNI(ssl, hostname); | |
a7ad6e4e | 978 | } |
62e76326 | 979 | |
2cef0ca6 AR |
980 | // If CertValidation Helper used do not lookup checklist for errors, |
981 | // but keep a list of errors to send it to CertValidator | |
982 | if (!Ssl::TheConfig.ssl_crt_validator) { | |
2cef0ca6 AR |
983 | // Create the ACL check list now, while we have access to more info. |
984 | // The list is used in ssl_verify_cb() and is freed in ssl_free(). | |
985 | if (acl_access *acl = Config.ssl_client.cert_error) { | |
986 | ACLFilledChecklist *check = new ACLFilledChecklist(acl, request, dash_str); | |
2cef0ca6 AR |
987 | SSL_set_ex_data(ssl, ssl_ex_index_cert_error_check, check); |
988 | } | |
4d5a6db8 | 989 | } |
990 | ||
e7bcc25f CT |
991 | // store peeked cert to check SQUID_X509_V_ERR_CERT_CHANGE |
992 | X509 *peeked_cert; | |
fd4624d7 | 993 | if (request->clientConnectionManager.valid() && |
87f237a9 A |
994 | request->clientConnectionManager->serverBump() && |
995 | (peeked_cert = request->clientConnectionManager->serverBump()->serverCert.get())) { | |
e7bcc25f CT |
996 | CRYPTO_add(&(peeked_cert->references),1,CRYPTO_LOCK_X509); |
997 | SSL_set_ex_data(ssl, ssl_ex_index_ssl_peeked_cert, peeked_cert); | |
998 | } | |
999 | ||
a7ad6e4e | 1000 | fd_table[fd].ssl = ssl; |
1001 | fd_table[fd].read_method = &ssl_read_method; | |
1002 | fd_table[fd].write_method = &ssl_write_method; | |
b6b6f466 | 1003 | negotiateSSL(fd); |
a7ad6e4e | 1004 | } |
62e76326 | 1005 | |
a7ad6e4e | 1006 | #endif |
1007 | ||
b6b6f466 | 1008 | void |
f01d4b80 | 1009 | FwdState::connectDone(const Comm::ConnectionPointer &conn, comm_err_t status, int xerrno) |
41462d93 | 1010 | { |
2f538b78 | 1011 | if (status != COMM_OK) { |
9c8a6c3b | 1012 | ErrorState *const anErr = makeConnectingError(ERR_CONNECT_FAIL); |
b6b6f466 | 1013 | anErr->xerrno = xerrno; |
b6b6f466 | 1014 | fail(anErr); |
62e76326 | 1015 | |
2f538b78 | 1016 | /* it might have been a timeout with a partially open link */ |
00ae51e4 AJ |
1017 | if (conn != NULL) { |
1018 | if (conn->getPeer()) | |
1019 | peerConnectFailed(conn->getPeer()); | |
62e76326 | 1020 | |
80463bb4 | 1021 | conn->close(); |
2f538b78 | 1022 | } |
aed188fd | 1023 | retryOrBail(); |
2f538b78 AJ |
1024 | return; |
1025 | } | |
62e76326 | 1026 | |
00ae51e4 | 1027 | serverConn = conn; |
3b9899f7 | 1028 | flags.connected_okay = true; |
00ae51e4 | 1029 | |
f01d4b80 | 1030 | debugs(17, 3, HERE << serverConnection() << ": '" << entry->url() << "'" ); |
62e76326 | 1031 | |
5229395c | 1032 | comm_add_close_handler(serverConnection()->fd, fwdServerClosedWrapper, this); |
2f538b78 | 1033 | |
5229395c AJ |
1034 | if (serverConnection()->getPeer()) |
1035 | peerConnectSucceded(serverConnection()->getPeer()); | |
2f538b78 AJ |
1036 | |
1037 | #if USE_SSL | |
693cb033 | 1038 | if (!request->flags.pinned) { |
39322eba | 1039 | if ((serverConnection()->getPeer() && serverConnection()->getPeer()->use_ssl) || |
37276dbb AR |
1040 | (!serverConnection()->getPeer() && request->protocol == AnyP::PROTO_HTTPS) || |
1041 | request->flags.sslPeek) { | |
39322eba J |
1042 | initiateSSL(); |
1043 | return; | |
1044 | } | |
41462d93 | 1045 | } |
2f538b78 AJ |
1046 | #endif |
1047 | ||
1048 | dispatch(); | |
41462d93 | 1049 | } |
1050 | ||
b6b6f466 | 1051 | void |
1052 | FwdState::connectTimeout(int fd) | |
41462d93 | 1053 | { |
bf8fe701 | 1054 | debugs(17, 2, "fwdConnectTimeout: FD " << fd << ": '" << entry->url() << "'" ); |
6b679a01 AJ |
1055 | assert(serverDestinations[0] != NULL); |
1056 | assert(fd == serverDestinations[0]->fd); | |
62e76326 | 1057 | |
528b2c61 | 1058 | if (entry->isEmpty()) { |
955394ce | 1059 | ErrorState *anErr = new ErrorState(ERR_CONNECT_FAIL, Http::scGateway_Timeout, request); |
b6b6f466 | 1060 | anErr->xerrno = ETIMEDOUT; |
1061 | fail(anErr); | |
62e76326 | 1062 | |
cfd66529 | 1063 | /* This marks the peer DOWN ... */ |
6b679a01 AJ |
1064 | if (serverDestinations[0]->getPeer()) |
1065 | peerConnectFailed(serverDestinations[0]->getPeer()); | |
41462d93 | 1066 | } |
62e76326 | 1067 | |
6b679a01 AJ |
1068 | if (Comm::IsConnOpen(serverDestinations[0])) { |
1069 | serverDestinations[0]->close(); | |
746beefe | 1070 | } |
41462d93 | 1071 | } |
1072 | ||
cfd66529 | 1073 | /** |
ae18571d AJ |
1074 | * Called after Forwarding path selection (via peer select) has taken place. |
1075 | * And whenever forwarding needs to attempt a new connection (routing failover) | |
1076 | * We have a vector of possible localIP->remoteIP paths now ready to start being connected. | |
cfd66529 | 1077 | */ |
b6b6f466 | 1078 | void |
1079 | FwdState::connectStart() | |
41462d93 | 1080 | { |
6b679a01 AJ |
1081 | assert(serverDestinations.size() > 0); |
1082 | ||
cfd66529 | 1083 | debugs(17, 3, "fwdConnectStart: " << entry->url()); |
62e76326 | 1084 | |
3ff65596 AR |
1085 | if (n_tries == 0) // first attempt |
1086 | request->hier.first_conn_start = current_time; | |
1087 | ||
cfd66529 AJ |
1088 | /* connection timeout */ |
1089 | int ctimeout; | |
6b679a01 AJ |
1090 | if (serverDestinations[0]->getPeer()) { |
1091 | ctimeout = serverDestinations[0]->getPeer()->connect_timeout > 0 ? | |
1092 | serverDestinations[0]->getPeer()->connect_timeout : Config.Timeout.peer_connect; | |
db1cd23c | 1093 | } else { |
62e76326 | 1094 | ctimeout = Config.Timeout.connect; |
db1cd23c | 1095 | } |
62e76326 | 1096 | |
cfd66529 AJ |
1097 | /* calculate total forwarding timeout ??? */ |
1098 | int ftimeout = Config.Timeout.forward - (squid_curtime - start_t); | |
777831e0 | 1099 | if (ftimeout < 0) |
1100 | ftimeout = 5; | |
1101 | ||
1102 | if (ftimeout < ctimeout) | |
1103 | ctimeout = ftimeout; | |
1104 | ||
450fe1cb | 1105 | if (serverDestinations[0]->getPeer() && request->flags.sslBumped) { |
b68415a1 | 1106 | debugs(50, 4, "fwdConnectStart: Ssl bumped connections through parrent proxy are not allowed"); |
955394ce | 1107 | ErrorState *anErr = new ErrorState(ERR_CANNOT_FORWARD, Http::scServiceUnavailable, request); |
b68415a1 CT |
1108 | fail(anErr); |
1109 | self = NULL; // refcounted | |
1110 | return; | |
985bfe6b | 1111 | } |
d67acb4e | 1112 | |
e857372a | 1113 | request->flags.pinned = false; // XXX: what if the ConnStateData set this to flag existing credentials? |
2efeb0b7 AJ |
1114 | // XXX: answer: the peer selection *should* catch it and give us only the pinned peer. so we reverse the =0 step below. |
1115 | // XXX: also, logs will now lie if pinning is broken and leads to an error message. | |
6b679a01 | 1116 | if (serverDestinations[0]->peerType == PINNED) { |
26ac0430 | 1117 | ConnStateData *pinned_connection = request->pinnedConnection(); |
693cb033 | 1118 | debugs(17,7, "pinned peer connection: " << pinned_connection); |
bc81ee68 AR |
1119 | // pinned_connection may become nil after a pconn race |
1120 | if (pinned_connection) | |
1121 | serverConn = pinned_connection->validatePinnedConnection(request, serverDestinations[0]->getPeer()); | |
1122 | else | |
1123 | serverConn = NULL; | |
e3a4aecc | 1124 | if (Comm::IsConnOpen(serverConn)) { |
3b9899f7 | 1125 | flags.connected_okay = true; |
95dc7ff4 | 1126 | ++n_tries; |
e857372a | 1127 | request->flags.pinned = true; |
d67acb4e | 1128 | if (pinned_connection->pinnedAuth()) |
e857372a | 1129 | request->flags.auth = true; |
23211a9f | 1130 | comm_add_close_handler(serverConn->fd, fwdServerClosedWrapper, this); |
bc81ee68 AR |
1131 | // the server may close the pinned connection before this request |
1132 | pconnRace = racePossible; | |
6b679a01 | 1133 | dispatch(); |
d67acb4e AJ |
1134 | return; |
1135 | } | |
693cb033 | 1136 | // Pinned connection failure. |
85563fd9 | 1137 | debugs(17,2,HERE << "Pinned connection failed: " << pinned_connection); |
955394ce | 1138 | ErrorState *anErr = new ErrorState(ERR_ZERO_SIZE_OBJECT, Http::scServiceUnavailable, request); |
693cb033 CT |
1139 | fail(anErr); |
1140 | self = NULL; // refcounted | |
1141 | return; | |
26ac0430 | 1142 | } |
d67acb4e | 1143 | |
642a305c | 1144 | // Use pconn to avoid opening a new connection. |
7a150c71 AJ |
1145 | const char *host = NULL; |
1146 | if (!serverDestinations[0]->getPeer()) | |
06093389 | 1147 | host = request->GetHost(); |
bc81ee68 AR |
1148 | |
1149 | Comm::ConnectionPointer temp; | |
1150 | // Avoid pconns after races so that the same client does not suffer twice. | |
1151 | // This does not increase the total number of connections because we just | |
1152 | // closed the connection that failed the race. And re-pinning assumes this. | |
1153 | if (pconnRace != raceHappened) | |
1154 | temp = fwdPconnPool->pop(serverDestinations[0], host, checkRetriable()); | |
bbf706ff | 1155 | |
bc81ee68 AR |
1156 | const bool openedPconn = Comm::IsConnOpen(temp); |
1157 | pconnRace = openedPconn ? racePossible : raceImpossible; | |
cfd66529 | 1158 | |
6b679a01 | 1159 | // if we found an open persistent connection to use. use it. |
bc81ee68 | 1160 | if (openedPconn) { |
80463bb4 | 1161 | serverConn = temp; |
3b9899f7 | 1162 | flags.connected_okay = true; |
642a305c | 1163 | debugs(17, 3, HERE << "reusing pconn " << serverConnection()); |
95dc7ff4 | 1164 | ++n_tries; |
4ed0e075 | 1165 | |
5229395c | 1166 | if (!serverConnection()->getPeer()) |
95dc7ff4 | 1167 | ++origin_tries; |
74780d33 | 1168 | |
5229395c | 1169 | comm_add_close_handler(serverConnection()->fd, fwdServerClosedWrapper, this); |
b5523edc AJ |
1170 | |
1171 | /* Update server side TOS and Netfilter mark on the connection. */ | |
1172 | if (Ip::Qos::TheConfig.isAclTosActive()) { | |
1173 | temp->tos = GetTosToServer(request); | |
1174 | Ip::Qos::setSockTos(temp, temp->tos); | |
1175 | } | |
1176 | #if SO_MARK | |
1177 | if (Ip::Qos::TheConfig.isAclNfmarkActive()) { | |
1178 | temp->nfmark = GetNfmarkToServer(request); | |
1179 | Ip::Qos::setSockNfmark(temp, temp->nfmark); | |
1180 | } | |
1181 | #endif | |
1182 | ||
c8ceec27 | 1183 | dispatch(); |
c8ceec27 | 1184 | return; |
41462d93 | 1185 | } |
62e76326 | 1186 | |
bc81ee68 AR |
1187 | // We will try to open a new connection, possibly to the same destination. |
1188 | // We reset serverDestinations[0] in case we are using it again because | |
1189 | // ConnOpener modifies its destination argument. | |
1190 | serverDestinations[0]->local.SetPort(0); | |
1191 | serverConn = NULL; | |
1192 | ||
bc87dc25 | 1193 | #if URL_CHECKSUM_DEBUG |
b6b6f466 | 1194 | entry->mem_obj->checkUrlChecksum(); |
bc87dc25 | 1195 | #endif |
62e76326 | 1196 | |
b5523edc AJ |
1197 | /* Get the server side TOS and Netfilter mark to be set on the connection. */ |
1198 | if (Ip::Qos::TheConfig.isAclTosActive()) { | |
1199 | serverDestinations[0]->tos = GetTosToServer(request); | |
1200 | } | |
11e8cfe3 | 1201 | #if SO_MARK && USE_LIBCAP |
a750e510 | 1202 | serverDestinations[0]->nfmark = GetNfmarkToServer(request); |
25b481e6 | 1203 | debugs(17, 3, "fwdConnectStart: got outgoing addr " << serverDestinations[0]->local << ", tos " << int(serverDestinations[0]->tos) |
a750e510 | 1204 | << ", netfilter mark " << serverDestinations[0]->nfmark); |
425de4c8 | 1205 | #else |
a750e510 | 1206 | serverDestinations[0]->nfmark = 0; |
25b481e6 | 1207 | debugs(17, 3, "fwdConnectStart: got outgoing addr " << serverDestinations[0]->local << ", tos " << int(serverDestinations[0]->tos)); |
b5523edc AJ |
1208 | #endif |
1209 | ||
e3a4aecc AJ |
1210 | calls.connector = commCbCall(17,3, "fwdConnectDoneWrapper", CommConnectCbPtrFun(fwdConnectDoneWrapper, this)); |
1211 | Comm::ConnOpener *cs = new Comm::ConnOpener(serverDestinations[0], calls.connector, ctimeout); | |
7a150c71 AJ |
1212 | if (host) |
1213 | cs->setHost(host); | |
855150a4 | 1214 | AsyncJob::Start(cs); |
41462d93 | 1215 | } |
1216 | ||
b6b6f466 | 1217 | void |
1218 | FwdState::dispatch() | |
41462d93 | 1219 | { |
5c336a3b | 1220 | debugs(17, 3, HERE << clientConn << ": Fetching '" << RequestMethodStr(request->method) << " " << entry->url() << "'"); |
e0ebe27c | 1221 | /* |
1222 | * Assert that server_fd is set. This is to guarantee that fwdState | |
1223 | * is attached to something and will be deallocated when server_fd | |
1224 | * is closed. | |
1225 | */ | |
6b679a01 | 1226 | assert(Comm::IsConnOpen(serverConn)); |
62e76326 | 1227 | |
5229395c | 1228 | fd_note(serverConnection()->fd, entry->url()); |
62e76326 | 1229 | |
5229395c | 1230 | fd_table[serverConnection()->fd].noteUse(fwdPconnPool); |
62e76326 | 1231 | |
a7ad6e4e | 1232 | /*assert(!EBIT_TEST(entry->flags, ENTRY_DISPATCHED)); */ |
1233 | assert(entry->ping_status != PING_WAITING); | |
62e76326 | 1234 | |
a7ad6e4e | 1235 | assert(entry->lock_count); |
62e76326 | 1236 | |
a7ad6e4e | 1237 | EBIT_SET(entry->flags, ENTRY_DISPATCHED); |
62e76326 | 1238 | |
cc192b50 | 1239 | netdbPingSite(request->GetHost()); |
62e76326 | 1240 | |
425de4c8 | 1241 | /* Retrieves remote server TOS or MARK value, and stores it as part of the |
7172612f | 1242 | * original client request FD object. It is later used to forward |
425de4c8 | 1243 | * remote server's TOS/MARK in the response to the client in case of a MISS. |
7172612f | 1244 | */ |
425de4c8 | 1245 | if (Ip::Qos::TheConfig.isHitNfmarkActive()) { |
b5523edc AJ |
1246 | if (Comm::IsConnOpen(clientConn) && Comm::IsConnOpen(serverConnection())) { |
1247 | fde * clientFde = &fd_table[clientConn->fd]; // XXX: move the fd_table access into Ip::Qos | |
425de4c8 | 1248 | /* Get the netfilter mark for the connection */ |
b5523edc | 1249 | Ip::Qos::getNfmarkFromServer(serverConnection(), clientFde); |
425de4c8 AJ |
1250 | } |
1251 | } | |
1252 | ||
1253 | #if _SQUID_LINUX_ | |
1254 | /* Bug 2537: The TOS forward part of QOS only applies to patched Linux kernels. */ | |
1255 | if (Ip::Qos::TheConfig.isHitTosActive()) { | |
b5523edc AJ |
1256 | if (Comm::IsConnOpen(clientConn)) { |
1257 | fde * clientFde = &fd_table[clientConn->fd]; // XXX: move the fd_table access into Ip::Qos | |
425de4c8 | 1258 | /* Get the TOS value for the packet */ |
b5523edc | 1259 | Ip::Qos::getTosFromServer(serverConnection(), clientFde); |
7172612f | 1260 | } |
26ac0430 | 1261 | } |
7172612f AJ |
1262 | #endif |
1263 | ||
d7ce0bcd | 1264 | #if USE_SSL |
2c065fc8 | 1265 | if (request->flags.sslPeek) { |
d7ce0bcd | 1266 | CallJobHere1(17, 4, request->clientConnectionManager, ConnStateData, |
061bbdec | 1267 | ConnStateData::httpsPeeked, serverConnection()); |
d7ce0bcd AR |
1268 | unregister(serverConn); // async call owns it now |
1269 | complete(); // destroys us | |
1270 | return; | |
061bbdec | 1271 | } |
d7ce0bcd AR |
1272 | #endif |
1273 | ||
5229395c | 1274 | if (serverConnection()->getPeer() != NULL) { |
95dc7ff4 | 1275 | ++ serverConnection()->getPeer()->stats.fetches; |
5229395c AJ |
1276 | request->peer_login = serverConnection()->getPeer()->login; |
1277 | request->peer_domain = serverConnection()->getPeer()->domain; | |
b6b6f466 | 1278 | httpStart(this); |
41462d93 | 1279 | } else { |
2c065fc8 | 1280 | assert(!request->flags.sslPeek); |
b6b6f466 | 1281 | request->peer_login = NULL; |
1282 | request->peer_domain = NULL; | |
62e76326 | 1283 | |
1284 | switch (request->protocol) { | |
a7ad6e4e | 1285 | #if USE_SSL |
62e76326 | 1286 | |
0c3d3f65 | 1287 | case AnyP::PROTO_HTTPS: |
b6b6f466 | 1288 | httpStart(this); |
62e76326 | 1289 | break; |
a7ad6e4e | 1290 | #endif |
62e76326 | 1291 | |
0c3d3f65 | 1292 | case AnyP::PROTO_HTTP: |
b6b6f466 | 1293 | httpStart(this); |
62e76326 | 1294 | break; |
1295 | ||
0c3d3f65 | 1296 | case AnyP::PROTO_GOPHER: |
b6b6f466 | 1297 | gopherStart(this); |
62e76326 | 1298 | break; |
1299 | ||
0c3d3f65 | 1300 | case AnyP::PROTO_FTP: |
b6b6f466 | 1301 | ftpStart(this); |
62e76326 | 1302 | break; |
1303 | ||
39a19cb7 | 1304 | case AnyP::PROTO_CACHE_OBJECT: |
62e76326 | 1305 | |
0c3d3f65 | 1306 | case AnyP::PROTO_INTERNAL: |
62e76326 | 1307 | |
0c3d3f65 | 1308 | case AnyP::PROTO_URN: |
62e76326 | 1309 | fatal_dump("Should never get here"); |
1310 | break; | |
1311 | ||
0c3d3f65 | 1312 | case AnyP::PROTO_WHOIS: |
b6b6f466 | 1313 | whoisStart(this); |
62e76326 | 1314 | break; |
1315 | ||
0c3d3f65 | 1316 | case AnyP::PROTO_WAIS: /* Not implemented */ |
fc68f6b1 | 1317 | |
62e76326 | 1318 | default: |
7be06178 | 1319 | debugs(17, DBG_IMPORTANT, "WARNING: Cannot retrieve '" << entry->url() << "'."); |
955394ce | 1320 | ErrorState *anErr = new ErrorState(ERR_UNSUP_REQ, Http::scBadRequest, request); |
b6b6f466 | 1321 | fail(anErr); |
7be06178 | 1322 | // Set the dont_retry flag because this is not a transient (network) error. |
e857372a | 1323 | flags.dont_retry = true; |
6b679a01 | 1324 | if (Comm::IsConnOpen(serverConn)) { |
00ae51e4 | 1325 | serverConn->close(); |
746beefe | 1326 | } |
62e76326 | 1327 | break; |
1328 | } | |
41462d93 | 1329 | } |
1330 | } | |
1331 | ||
545782b8 | 1332 | /* |
1333 | * FwdState::reforward | |
1334 | * | |
1335 | * returns TRUE if the transaction SHOULD be re-forwarded to the | |
8bbb16e3 | 1336 | * next choice in the serverDestinations list. This method is called when |
545782b8 | 1337 | * server-side communication completes normally, or experiences |
1338 | * some error after receiving the end of HTTP headers. | |
1339 | */ | |
b6b6f466 | 1340 | int |
1341 | FwdState::reforward() | |
db1cd23c | 1342 | { |
b6b6f466 | 1343 | StoreEntry *e = entry; |
c4a88a3e CT |
1344 | |
1345 | if (EBIT_TEST(e->flags, ENTRY_ABORTED)) { | |
1346 | debugs(17, 3, HERE << "entry aborted"); | |
1347 | return 0; | |
1348 | } | |
1349 | ||
db1cd23c | 1350 | assert(e->store_status == STORE_PENDING); |
1351 | assert(e->mem_obj); | |
bc87dc25 | 1352 | #if URL_CHECKSUM_DEBUG |
62e76326 | 1353 | |
528b2c61 | 1354 | e->mem_obj->checkUrlChecksum(); |
bc87dc25 | 1355 | #endif |
62e76326 | 1356 | |
cfd66529 | 1357 | debugs(17, 3, HERE << e->url() << "?" ); |
62e76326 | 1358 | |
d6eb18d6 | 1359 | if (!EBIT_TEST(e->flags, ENTRY_FWD_HDR_WAIT)) { |
cfd66529 | 1360 | debugs(17, 3, HERE << "No, ENTRY_FWD_HDR_WAIT isn't set"); |
62e76326 | 1361 | return 0; |
d6eb18d6 | 1362 | } |
62e76326 | 1363 | |
437823b4 | 1364 | if (n_tries > Config.forward_max_tries) |
62e76326 | 1365 | return 0; |
1366 | ||
b6b6f466 | 1367 | if (origin_tries > 1) |
4ed0e075 | 1368 | return 0; |
1369 | ||
58217e94 | 1370 | if (request->bodyNibbled()) |
62e76326 | 1371 | return 0; |
1372 | ||
8652f8e7 AJ |
1373 | if (serverDestinations.size() <= 1) { |
1374 | // NP: <= 1 since total count includes the recently failed one. | |
cfd66529 | 1375 | debugs(17, 3, HERE << "No alternative forwarding paths left"); |
62e76326 | 1376 | return 0; |
db1cd23c | 1377 | } |
62e76326 | 1378 | |
9b769c67 | 1379 | const Http::StatusCode s = e->getReply()->sline.status(); |
cfd66529 | 1380 | debugs(17, 3, HERE << "status " << s); |
b6b6f466 | 1381 | return reforwardableStatus(s); |
db1cd23c | 1382 | } |
1383 | ||
2ac4f6b5 AR |
1384 | /** |
1385 | * Create "503 Service Unavailable" or "504 Gateway Timeout" error depending | |
1386 | * on whether this is a validation request. RFC 2616 says that we MUST reply | |
1387 | * with "504 Gateway Timeout" if validation fails and cached reply has | |
1388 | * proxy-revalidate, must-revalidate or s-maxage Cache-Control directive. | |
1389 | */ | |
1390 | ErrorState * | |
1391 | FwdState::makeConnectingError(const err_type type) const | |
1392 | { | |
450fe1cb | 1393 | return new ErrorState(type, request->flags.needValidation ? |
955394ce | 1394 | Http::scGateway_Timeout : Http::scServiceUnavailable, request); |
2ac4f6b5 AR |
1395 | } |
1396 | ||
b6b6f466 | 1397 | static void |
1398 | fwdStats(StoreEntry * s) | |
64d8034e | 1399 | { |
b6b6f466 | 1400 | int i; |
1401 | int j; | |
1402 | storeAppendPrintf(s, "Status"); | |
62e76326 | 1403 | |
95dc7ff4 FC |
1404 | for (j = 1; j < MAX_FWD_STATS_IDX; ++j) { |
1405 | storeAppendPrintf(s, "\ttry#%d", j); | |
64d8034e | 1406 | } |
64d8034e | 1407 | |
b6b6f466 | 1408 | storeAppendPrintf(s, "\n"); |
0185bd6f | 1409 | |
955394ce | 1410 | for (i = 0; i <= (int) Http::scInvalidHeader; ++i) { |
b6b6f466 | 1411 | if (FwdReplyCodes[0][i] == 0) |
1412 | continue; | |
0185bd6f | 1413 | |
b6b6f466 | 1414 | storeAppendPrintf(s, "%3d", i); |
0185bd6f | 1415 | |
95dc7ff4 | 1416 | for (j = 0; j <= MAX_FWD_STATS_IDX; ++j) { |
b6b6f466 | 1417 | storeAppendPrintf(s, "\t%d", FwdReplyCodes[j][i]); |
62e76326 | 1418 | } |
62e76326 | 1419 | |
b6b6f466 | 1420 | storeAppendPrintf(s, "\n"); |
e0ebe27c | 1421 | } |
7197b20d | 1422 | } |
1423 | ||
b6b6f466 | 1424 | /**** STATIC MEMBER FUNCTIONS *************************************************/ |
db1cd23c | 1425 | |
b6b6f466 | 1426 | bool |
955394ce | 1427 | FwdState::reforwardableStatus(const Http::StatusCode s) const |
db1cd23c | 1428 | { |
b6b6f466 | 1429 | switch (s) { |
62e76326 | 1430 | |
955394ce | 1431 | case Http::scBadGateway: |
62e76326 | 1432 | |
955394ce | 1433 | case Http::scGateway_Timeout: |
b6b6f466 | 1434 | return true; |
62e76326 | 1435 | |
955394ce | 1436 | case Http::scForbidden: |
62e76326 | 1437 | |
955394ce | 1438 | case Http::scInternalServerError: |
62e76326 | 1439 | |
955394ce | 1440 | case Http::scNotImplemented: |
62e76326 | 1441 | |
955394ce | 1442 | case Http::scServiceUnavailable: |
b6b6f466 | 1443 | return Config.retry.onerror; |
62e76326 | 1444 | |
b6b6f466 | 1445 | default: |
1446 | return false; | |
db1cd23c | 1447 | } |
b6b6f466 | 1448 | |
1449 | /* NOTREACHED */ | |
db1cd23c | 1450 | } |
8ddcc35d | 1451 | |
06093389 AJ |
1452 | /** |
1453 | * Decide where details need to be gathered to correctly describe a persistent connection. | |
1454 | * What is needed: | |
642a305c AJ |
1455 | * - the address/port details about this link |
1456 | * - domain name of server at other end of this link (either peer or requested host) | |
06093389 | 1457 | */ |
781ce8ff | 1458 | void |
642a305c | 1459 | FwdState::pconnPush(Comm::ConnectionPointer &conn, const char *domain) |
781ce8ff | 1460 | { |
642a305c | 1461 | if (conn->getPeer()) { |
7a150c71 | 1462 | fwdPconnPool->push(conn, NULL); |
06093389 | 1463 | } else { |
642a305c | 1464 | fwdPconnPool->push(conn, domain); |
06093389 | 1465 | } |
781ce8ff | 1466 | } |
1467 | ||
8ddcc35d | 1468 | void |
b6b6f466 | 1469 | FwdState::initModule() |
8ddcc35d | 1470 | { |
6852be71 | 1471 | RegisterWithCacheManager(); |
8ddcc35d | 1472 | } |
1473 | ||
62ee09ca | 1474 | void |
84f50787 | 1475 | FwdState::RegisterWithCacheManager(void) |
62ee09ca | 1476 | { |
8822ebee | 1477 | Mgr::RegisterAction("forward", "Request Forwarding Statistics", fwdStats, 0, 1); |
62ee09ca | 1478 | } |
1479 | ||
b6b6f466 | 1480 | void |
955394ce | 1481 | FwdState::logReplyStatus(int tries, const Http::StatusCode status) |
8ddcc35d | 1482 | { |
955394ce | 1483 | if (status > Http::scInvalidHeader) |
62e76326 | 1484 | return; |
1485 | ||
75eb730e | 1486 | assert(tries >= 0); |
62e76326 | 1487 | |
8ddcc35d | 1488 | if (tries > MAX_FWD_STATS_IDX) |
62e76326 | 1489 | tries = MAX_FWD_STATS_IDX; |
1490 | ||
95dc7ff4 | 1491 | ++ FwdReplyCodes[tries][status]; |
8ddcc35d | 1492 | } |
1493 | ||
b6b6f466 | 1494 | /**** PRIVATE NON-MEMBER FUNCTIONS ********************************************/ |
62e76326 | 1495 | |
057f5854 | 1496 | /* |
1497 | * DPW 2007-05-19 | |
1498 | * Formerly static, but now used by client_side_request.cc | |
1499 | */ | |
425de4c8 AJ |
1500 | /// Checks for a TOS value to apply depending on the ACL |
1501 | tos_t | |
b6b6f466 | 1502 | aclMapTOS(acl_tos * head, ACLChecklist * ch) |
b6a2f15e | 1503 | { |
b6b6f466 | 1504 | acl_tos *l; |
62e76326 | 1505 | |
b6b6f466 | 1506 | for (l = head; l; l = l->next) { |
2efeb0b7 | 1507 | if (!l->aclList || ch->fastCheck(l->aclList) == ACCESS_ALLOWED) |
b6b6f466 | 1508 | return l->tos; |
1509 | } | |
5894ad28 | 1510 | |
b6b6f466 | 1511 | return 0; |
1512 | } | |
5894ad28 | 1513 | |
425de4c8 AJ |
1514 | /// Checks for a netfilter mark value to apply depending on the ACL |
1515 | nfmark_t | |
1516 | aclMapNfmark(acl_nfmark * head, ACLChecklist * ch) | |
1517 | { | |
1518 | acl_nfmark *l; | |
1519 | ||
1520 | for (l = head; l; l = l->next) { | |
2efeb0b7 | 1521 | if (!l->aclList || ch->fastCheck(l->aclList) == ACCESS_ALLOWED) |
425de4c8 AJ |
1522 | return l->nfmark; |
1523 | } | |
1524 | ||
1525 | return 0; | |
1526 | } | |
1527 | ||
cfd66529 | 1528 | void |
f9b72e0c | 1529 | getOutgoingAddress(HttpRequest * request, Comm::ConnectionPointer conn) |
b6b6f466 | 1530 | { |
07f889c1 | 1531 | // skip if an outgoing address is already set. |
cfd66529 AJ |
1532 | if (!conn->local.IsAnyAddr()) return; |
1533 | ||
07f889c1 AJ |
1534 | // ensure that at minimum the wildcard local matches remote protocol |
1535 | if (conn->remote.IsIPv4()) | |
1536 | conn->local.SetIPv4(); | |
1537 | ||
cfd66529 | 1538 | // maybe use TPROXY client address |
450fe1cb | 1539 | if (request && request->flags.spoofClientIp) { |
739b352a | 1540 | if (!conn->getPeer() || !conn->getPeer()->options.no_tproxy) { |
96d64448 AJ |
1541 | #if FOLLOW_X_FORWARDED_FOR && LINUX_NETFILTER |
1542 | if (Config.onoff.tproxy_uses_indirect_client) | |
45906573 | 1543 | conn->local = request->indirect_client_addr; |
96d64448 AJ |
1544 | else |
1545 | #endif | |
45906573 | 1546 | conn->local = request->client_addr; |
cfd66529 AJ |
1547 | // some flags need setting on the socket to use this address |
1548 | conn->flags |= COMM_DOBIND; | |
1549 | conn->flags |= COMM_TRANSPARENT; | |
1550 | return; | |
1551 | } | |
b0758e04 AJ |
1552 | // else no tproxy today ... |
1553 | } | |
c303f6e3 | 1554 | |
b50e327b | 1555 | if (!Config.accessList.outgoing_address) { |
cfd66529 | 1556 | return; // anything will do. |
b50e327b AJ |
1557 | } |
1558 | ||
c0941a6a | 1559 | ACLFilledChecklist ch(NULL, request, NULL); |
739b352a | 1560 | ch.dst_peer = conn->getPeer(); |
cfd66529 AJ |
1561 | ch.dst_addr = conn->remote; |
1562 | ||
1563 | // TODO use the connection details in ACL. | |
1564 | // needs a bit of rework in ACLFilledChecklist to use Comm::Connection instead of ConnStateData | |
6db78a1a | 1565 | |
0dc8ffa5 | 1566 | AclAddress *l; |
cfd66529 AJ |
1567 | for (l = Config.accessList.outgoing_address; l; l = l->next) { |
1568 | ||
1569 | /* check if the outgoing address is usable to the destination */ | |
1570 | if (conn->remote.IsIPv4() != l->addr.IsIPv4()) continue; | |
1571 | ||
1572 | /* check ACLs for this outgoing address */ | |
2efeb0b7 | 1573 | if (!l->aclList || ch.fastCheck(l->aclList) == ACCESS_ALLOWED) { |
cfd66529 AJ |
1574 | conn->local = l->addr; |
1575 | return; | |
1576 | } | |
1577 | } | |
b6b6f466 | 1578 | } |
62e76326 | 1579 | |
425de4c8 AJ |
1580 | tos_t |
1581 | GetTosToServer(HttpRequest * request) | |
1582 | { | |
1583 | ACLFilledChecklist ch(NULL, request, NULL); | |
425de4c8 AJ |
1584 | return aclMapTOS(Ip::Qos::TheConfig.tosToServer, &ch); |
1585 | } | |
1586 | ||
1587 | nfmark_t | |
1588 | GetNfmarkToServer(HttpRequest * request) | |
b6b6f466 | 1589 | { |
c0941a6a | 1590 | ACLFilledChecklist ch(NULL, request, NULL); |
425de4c8 | 1591 | return aclMapNfmark(Ip::Qos::TheConfig.nfmarkToServer, &ch); |
b6a2f15e | 1592 | } |