]>
Commit | Line | Data |
---|---|---|
1 | /* | |
2 | * DEBUG: section 17 Request Forwarding | |
3 | * AUTHOR: Duane Wessels | |
4 | * | |
5 | * SQUID Web Proxy Cache http://www.squid-cache.org/ | |
6 | * ---------------------------------------------------------- | |
7 | * | |
8 | * Squid is the result of efforts by numerous individuals from | |
9 | * the Internet community; see the CONTRIBUTORS file for full | |
10 | * details. Many organizations have provided support for Squid's | |
11 | * development; see the SPONSORS file for full details. Squid is | |
12 | * Copyrighted (C) 2001 by the Regents of the University of | |
13 | * California; see the COPYRIGHT file for full details. Squid | |
14 | * incorporates software developed and/or copyrighted by other | |
15 | * sources; see the CREDITS file for full details. | |
16 | * | |
17 | * This program is free software; you can redistribute it and/or modify | |
18 | * it under the terms of the GNU General Public License as published by | |
19 | * the Free Software Foundation; either version 2 of the License, or | |
20 | * (at your option) any later version. | |
21 | * | |
22 | * This program is distributed in the hope that it will be useful, | |
23 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
24 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
25 | * GNU General Public License for more details. | |
26 | * | |
27 | * You should have received a copy of the GNU General Public License | |
28 | * along with this program; if not, write to the Free Software | |
29 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. | |
30 | * | |
31 | */ | |
32 | ||
33 | #include "squid.h" | |
34 | #include "AccessLogEntry.h" | |
35 | #include "acl/AclAddress.h" | |
36 | #include "acl/FilledChecklist.h" | |
37 | #include "acl/Gadgets.h" | |
38 | #include "anyp/PortCfg.h" | |
39 | #include "CacheManager.h" | |
40 | #include "CachePeer.h" | |
41 | #include "client_side.h" | |
42 | #include "comm/Connection.h" | |
43 | #include "comm/ConnOpener.h" | |
44 | #include "comm/Loops.h" | |
45 | #include "CommCalls.h" | |
46 | #include "errorpage.h" | |
47 | #include "event.h" | |
48 | #include "fd.h" | |
49 | #include "fde.h" | |
50 | #include "ftp.h" | |
51 | #include "FwdState.h" | |
52 | #include "globals.h" | |
53 | #include "gopher.h" | |
54 | #include "hier_code.h" | |
55 | #include "http.h" | |
56 | #include "HttpReply.h" | |
57 | #include "HttpRequest.h" | |
58 | #include "icmp/net_db.h" | |
59 | #include "internal.h" | |
60 | #include "ip/Intercept.h" | |
61 | #include "ip/QosConfig.h" | |
62 | #include "ip/tools.h" | |
63 | #include "MemObject.h" | |
64 | #include "mgr/Registration.h" | |
65 | #include "neighbors.h" | |
66 | #include "pconn.h" | |
67 | #include "PeerSelectState.h" | |
68 | #include "SquidConfig.h" | |
69 | #include "SquidTime.h" | |
70 | #include "Store.h" | |
71 | #include "StoreClient.h" | |
72 | #include "urn.h" | |
73 | #include "whois.h" | |
74 | #if USE_SSL | |
75 | #include "ssl/cert_validate_message.h" | |
76 | #include "ssl/Config.h" | |
77 | #include "ssl/ErrorDetail.h" | |
78 | #include "ssl/helper.h" | |
79 | #include "ssl/ServerBump.h" | |
80 | #include "ssl/support.h" | |
81 | #endif | |
82 | #if HAVE_ERRNO_H | |
83 | #include <errno.h> | |
84 | #endif | |
85 | ||
86 | static PSC fwdPeerSelectionCompleteWrapper; | |
87 | static CLCB fwdServerClosedWrapper; | |
88 | #if USE_SSL | |
89 | static PF fwdNegotiateSSLWrapper; | |
90 | #endif | |
91 | static CNCB fwdConnectDoneWrapper; | |
92 | ||
93 | static OBJH fwdStats; | |
94 | ||
95 | #define MAX_FWD_STATS_IDX 9 | |
96 | static int FwdReplyCodes[MAX_FWD_STATS_IDX + 1][Http::scInvalidHeader + 1]; | |
97 | ||
98 | static PconnPool *fwdPconnPool = new PconnPool("server-side"); | |
99 | CBDATA_CLASS_INIT(FwdState); | |
100 | ||
101 | void | |
102 | FwdState::abort(void* d) | |
103 | { | |
104 | FwdState* fwd = (FwdState*)d; | |
105 | Pointer tmp = fwd; // Grab a temporary pointer to keep the object alive during our scope. | |
106 | ||
107 | if (Comm::IsConnOpen(fwd->serverConnection())) { | |
108 | comm_remove_close_handler(fwd->serverConnection()->fd, fwdServerClosedWrapper, fwd); | |
109 | debugs(17, 3, HERE << "store entry aborted; closing " << | |
110 | fwd->serverConnection()); | |
111 | fwd->serverConnection()->close(); | |
112 | } else { | |
113 | debugs(17, 7, HERE << "store entry aborted; no connection to close"); | |
114 | } | |
115 | fwd->serverDestinations.clean(); | |
116 | fwd->self = NULL; | |
117 | } | |
118 | ||
119 | /**** PUBLIC INTERFACE ********************************************************/ | |
120 | ||
121 | FwdState::FwdState(const Comm::ConnectionPointer &client, StoreEntry * e, HttpRequest * r, const AccessLogEntryPointer &alp): | |
122 | al(alp) | |
123 | { | |
124 | debugs(17, 2, HERE << "Forwarding client request " << client << ", url=" << e->url() ); | |
125 | entry = e; | |
126 | clientConn = client; | |
127 | request = r; | |
128 | HTTPMSGLOCK(request); | |
129 | pconnRace = raceImpossible; | |
130 | start_t = squid_curtime; | |
131 | serverDestinations.reserve(Config.forward_max_tries); | |
132 | e->lock(); | |
133 | EBIT_SET(e->flags, ENTRY_FWD_HDR_WAIT); | |
134 | } | |
135 | ||
136 | // Called once, right after object creation, when it is safe to set self | |
137 | void FwdState::start(Pointer aSelf) | |
138 | { | |
139 | // Protect ourselves from being destroyed when the only Server pointing | |
140 | // to us is gone (while we expect to talk to more Servers later). | |
141 | // Once we set self, we are responsible for clearing it when we do not | |
142 | // expect to talk to any servers. | |
143 | self = aSelf; // refcounted | |
144 | ||
145 | // We hope that either the store entry aborts or peer is selected. | |
146 | // Otherwise we are going to leak our object. | |
147 | ||
148 | entry->registerAbort(FwdState::abort, this); | |
149 | ||
150 | #if STRICT_ORIGINAL_DST | |
151 | // Bug 3243: CVE 2009-0801 | |
152 | // Bypass of browser same-origin access control in intercepted communication | |
153 | // To resolve this we must force DIRECT and only to the original client destination. | |
154 | const bool isIntercepted = request && !request->flags.redirected && (request->flags.intercepted || request->flags.interceptTproxy); | |
155 | const bool useOriginalDst = Config.onoff.client_dst_passthru || (request && !request->flags.hostVerified); | |
156 | if (isIntercepted && useOriginalDst) { | |
157 | selectPeerForIntercepted(); | |
158 | // 3.2 does not suppro re-wrapping inside CONNECT. | |
159 | // our only alternative is to fake destination "found" and continue with the forwarding. | |
160 | startConnectionOrFail(); | |
161 | return; | |
162 | } | |
163 | #endif | |
164 | ||
165 | // do full route options selection | |
166 | peerSelect(&serverDestinations, request, entry, fwdPeerSelectionCompleteWrapper, this); | |
167 | } | |
168 | ||
169 | #if STRICT_ORIGINAL_DST | |
170 | /// bypasses peerSelect() when dealing with intercepted requests | |
171 | void | |
172 | FwdState::selectPeerForIntercepted() | |
173 | { | |
174 | // use pinned connection if available | |
175 | Comm::ConnectionPointer p; | |
176 | if (ConnStateData *client = request->pinnedConnection()) { | |
177 | p = client->validatePinnedConnection(request, NULL); | |
178 | if (Comm::IsConnOpen(p)) { | |
179 | /* duplicate peerSelectPinned() effects */ | |
180 | p->peerType = PINNED; | |
181 | entry->ping_status = PING_DONE; /* Skip ICP */ | |
182 | ||
183 | debugs(17, 3, "reusing a pinned conn: " << *p); | |
184 | serverDestinations.push_back(p); | |
185 | } else { | |
186 | debugs(17,2, "Pinned connection is not valid: " << p); | |
187 | ErrorState *anErr = new ErrorState(ERR_ZERO_SIZE_OBJECT, Http::scServiceUnavailable, request); | |
188 | fail(anErr); | |
189 | } | |
190 | // Either use the valid pinned connection or fail if it is invalid. | |
191 | return; | |
192 | } | |
193 | ||
194 | // use client original destination as second preferred choice | |
195 | p = new Comm::Connection(); | |
196 | p->peerType = ORIGINAL_DST; | |
197 | p->remote = clientConn->local; | |
198 | getOutgoingAddress(request, p); | |
199 | ||
200 | debugs(17, 3, HERE << "using client original destination: " << *p); | |
201 | serverDestinations.push_back(p); | |
202 | } | |
203 | #endif | |
204 | ||
205 | void | |
206 | FwdState::completed() | |
207 | { | |
208 | if (flags.forward_completed) { | |
209 | debugs(17, DBG_IMPORTANT, HERE << "FwdState::completed called on a completed request! Bad!"); | |
210 | return; | |
211 | } | |
212 | ||
213 | flags.forward_completed = true; | |
214 | ||
215 | if (EBIT_TEST(entry->flags, ENTRY_ABORTED)) { | |
216 | debugs(17, 3, HERE << "entry aborted"); | |
217 | return ; | |
218 | } | |
219 | ||
220 | #if URL_CHECKSUM_DEBUG | |
221 | ||
222 | entry->mem_obj->checkUrlChecksum(); | |
223 | #endif | |
224 | ||
225 | if (entry->store_status == STORE_PENDING) { | |
226 | if (entry->isEmpty()) { | |
227 | if (!err) // we quit (e.g., fd closed) before an error or content | |
228 | fail(new ErrorState(ERR_READ_ERROR, Http::scBadGateway, request)); | |
229 | assert(err); | |
230 | errorAppendEntry(entry, err); | |
231 | err = NULL; | |
232 | #if USE_SSL | |
233 | if (request->flags.sslPeek && request->clientConnectionManager.valid()) { | |
234 | CallJobHere1(17, 4, request->clientConnectionManager, ConnStateData, | |
235 | ConnStateData::httpsPeeked, Comm::ConnectionPointer(NULL)); | |
236 | } | |
237 | #endif | |
238 | } else { | |
239 | EBIT_CLR(entry->flags, ENTRY_FWD_HDR_WAIT); | |
240 | entry->complete(); | |
241 | entry->releaseRequest(); | |
242 | } | |
243 | } | |
244 | ||
245 | if (storePendingNClients(entry) > 0) | |
246 | assert(!EBIT_TEST(entry->flags, ENTRY_FWD_HDR_WAIT)); | |
247 | ||
248 | } | |
249 | ||
250 | FwdState::~FwdState() | |
251 | { | |
252 | debugs(17, 3, HERE << "FwdState destructor starting"); | |
253 | ||
254 | if (! flags.forward_completed) | |
255 | completed(); | |
256 | ||
257 | doneWithRetries(); | |
258 | ||
259 | HTTPMSGUNLOCK(request); | |
260 | ||
261 | delete err; | |
262 | ||
263 | entry->unregisterAbort(); | |
264 | ||
265 | entry->unlock(); | |
266 | ||
267 | entry = NULL; | |
268 | ||
269 | if (calls.connector != NULL) { | |
270 | calls.connector->cancel("FwdState destructed"); | |
271 | calls.connector = NULL; | |
272 | } | |
273 | ||
274 | if (Comm::IsConnOpen(serverConn)) { | |
275 | comm_remove_close_handler(serverConnection()->fd, fwdServerClosedWrapper, this); | |
276 | debugs(17, 3, HERE << "closing FD " << serverConnection()->fd); | |
277 | serverConn->close(); | |
278 | } | |
279 | ||
280 | serverDestinations.clean(); | |
281 | ||
282 | debugs(17, 3, HERE << "FwdState destructor done"); | |
283 | } | |
284 | ||
285 | /** | |
286 | * This is the entry point for client-side to start forwarding | |
287 | * a transaction. It is a static method that may or may not | |
288 | * allocate a FwdState. | |
289 | */ | |
290 | void | |
291 | FwdState::Start(const Comm::ConnectionPointer &clientConn, StoreEntry *entry, HttpRequest *request, const AccessLogEntryPointer &al) | |
292 | { | |
293 | /** \note | |
294 | * client_addr == no_addr indicates this is an "internal" request | |
295 | * from peer_digest.c, asn.c, netdb.c, etc and should always | |
296 | * be allowed. yuck, I know. | |
297 | */ | |
298 | ||
299 | if ( Config.accessList.miss && !request->client_addr.isNoAddr() && | |
300 | request->protocol != AnyP::PROTO_INTERNAL && request->protocol != AnyP::PROTO_CACHE_OBJECT) { | |
301 | /** | |
302 | * Check if this host is allowed to fetch MISSES from us (miss_access). | |
303 | * Intentionally replace the src_addr automatically selected by the checklist code | |
304 | * we do NOT want the indirect client address to be tested here. | |
305 | */ | |
306 | ACLFilledChecklist ch(Config.accessList.miss, request, NULL); | |
307 | ch.src_addr = request->client_addr; | |
308 | if (ch.fastCheck() == ACCESS_DENIED) { | |
309 | err_type page_id; | |
310 | page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, 1); | |
311 | ||
312 | if (page_id == ERR_NONE) | |
313 | page_id = ERR_FORWARDING_DENIED; | |
314 | ||
315 | ErrorState *anErr = new ErrorState(page_id, Http::scForbidden, request); | |
316 | errorAppendEntry(entry, anErr); // frees anErr | |
317 | return; | |
318 | } | |
319 | } | |
320 | ||
321 | debugs(17, 3, HERE << "'" << entry->url() << "'"); | |
322 | /* | |
323 | * This seems like an odd place to bind mem_obj and request. | |
324 | * Might want to assert that request is NULL at this point | |
325 | */ | |
326 | entry->mem_obj->request = request; | |
327 | HTTPMSGLOCK(entry->mem_obj->request); | |
328 | #if URL_CHECKSUM_DEBUG | |
329 | ||
330 | entry->mem_obj->checkUrlChecksum(); | |
331 | #endif | |
332 | ||
333 | if (shutting_down) { | |
334 | /* more yuck */ | |
335 | ErrorState *anErr = new ErrorState(ERR_SHUTTING_DOWN, Http::scServiceUnavailable, request); | |
336 | errorAppendEntry(entry, anErr); // frees anErr | |
337 | return; | |
338 | } | |
339 | ||
340 | switch (request->protocol) { | |
341 | ||
342 | case AnyP::PROTO_INTERNAL: | |
343 | internalStart(clientConn, request, entry); | |
344 | return; | |
345 | ||
346 | case AnyP::PROTO_CACHE_OBJECT: | |
347 | CacheManager::GetInstance()->Start(clientConn, request, entry); | |
348 | return; | |
349 | ||
350 | case AnyP::PROTO_URN: | |
351 | urnStart(request, entry); | |
352 | return; | |
353 | ||
354 | default: | |
355 | FwdState::Pointer fwd = new FwdState(clientConn, entry, request, al); | |
356 | fwd->start(fwd); | |
357 | return; | |
358 | } | |
359 | ||
360 | /* NOTREACHED */ | |
361 | } | |
362 | ||
363 | void | |
364 | FwdState::fwdStart(const Comm::ConnectionPointer &clientConn, StoreEntry *entry, HttpRequest *request) | |
365 | { | |
366 | // Hides AccessLogEntry.h from code that does not supply ALE anyway. | |
367 | Start(clientConn, entry, request, NULL); | |
368 | } | |
369 | ||
370 | void | |
371 | FwdState::startConnectionOrFail() | |
372 | { | |
373 | debugs(17, 3, HERE << entry->url()); | |
374 | ||
375 | if (serverDestinations.size() > 0) { | |
376 | // Ditch error page if it was created before. | |
377 | // A new one will be created if there's another problem | |
378 | delete err; | |
379 | err = NULL; | |
380 | ||
381 | // Update the logging information about this new server connection. | |
382 | // Done here before anything else so the errors get logged for | |
383 | // this server link regardless of what happens when connecting to it. | |
384 | // IF sucessfuly connected this top destination will become the serverConnection(). | |
385 | request->hier.note(serverDestinations[0], request->GetHost()); | |
386 | request->clearError(); | |
387 | ||
388 | connectStart(); | |
389 | } else { | |
390 | debugs(17, 3, HERE << "Connection failed: " << entry->url()); | |
391 | if (!err) { | |
392 | ErrorState *anErr = new ErrorState(ERR_CANNOT_FORWARD, Http::scInternalServerError, request); | |
393 | fail(anErr); | |
394 | } // else use actual error from last connection attempt | |
395 | self = NULL; // refcounted | |
396 | } | |
397 | } | |
398 | ||
399 | void | |
400 | FwdState::fail(ErrorState * errorState) | |
401 | { | |
402 | debugs(17, 3, err_type_str[errorState->type] << " \"" << Http::StatusCodeString(errorState->httpStatus) << "\"\n\t" << entry->url()); | |
403 | ||
404 | delete err; | |
405 | err = errorState; | |
406 | ||
407 | if (!errorState->request) { | |
408 | errorState->request = request; | |
409 | HTTPMSGLOCK(errorState->request); | |
410 | } | |
411 | ||
412 | if (err->type != ERR_ZERO_SIZE_OBJECT) | |
413 | return; | |
414 | ||
415 | if (pconnRace == racePossible) { | |
416 | debugs(17, 5, HERE << "pconn race happened"); | |
417 | pconnRace = raceHappened; | |
418 | } | |
419 | ||
420 | if (ConnStateData *pinned_connection = request->pinnedConnection()) { | |
421 | pinned_connection->pinning.zeroReply = true; | |
422 | flags.dont_retry = true; // we want to propagate failure to the client | |
423 | debugs(17, 4, "zero reply on pinned connection"); | |
424 | } | |
425 | } | |
426 | ||
427 | /** | |
428 | * Frees fwdState without closing FD or generating an abort | |
429 | */ | |
430 | void | |
431 | FwdState::unregister(Comm::ConnectionPointer &conn) | |
432 | { | |
433 | debugs(17, 3, HERE << entry->url() ); | |
434 | assert(serverConnection() == conn); | |
435 | assert(Comm::IsConnOpen(conn)); | |
436 | comm_remove_close_handler(conn->fd, fwdServerClosedWrapper, this); | |
437 | serverConn = NULL; | |
438 | } | |
439 | ||
440 | // Legacy method to be removed in favor of the above as soon as possible | |
441 | void | |
442 | FwdState::unregister(int fd) | |
443 | { | |
444 | debugs(17, 3, HERE << entry->url() ); | |
445 | assert(fd == serverConnection()->fd); | |
446 | unregister(serverConn); | |
447 | } | |
448 | ||
449 | /** | |
450 | * server-side modules call fwdComplete() when they are done | |
451 | * downloading an object. Then, we either 1) re-forward the | |
452 | * request somewhere else if needed, or 2) call storeComplete() | |
453 | * to finish it off | |
454 | */ | |
455 | void | |
456 | FwdState::complete() | |
457 | { | |
458 | debugs(17, 3, HERE << entry->url() << "\n\tstatus " << entry->getReply()->sline.status()); | |
459 | #if URL_CHECKSUM_DEBUG | |
460 | ||
461 | entry->mem_obj->checkUrlChecksum(); | |
462 | #endif | |
463 | ||
464 | logReplyStatus(n_tries, entry->getReply()->sline.status()); | |
465 | ||
466 | if (reforward()) { | |
467 | debugs(17, 3, HERE << "re-forwarding " << entry->getReply()->sline.status() << " " << entry->url()); | |
468 | ||
469 | if (Comm::IsConnOpen(serverConn)) | |
470 | unregister(serverConn); | |
471 | ||
472 | entry->reset(); | |
473 | ||
474 | // drop the last path off the selection list. try the next one. | |
475 | serverDestinations.shift(); | |
476 | startConnectionOrFail(); | |
477 | ||
478 | } else { | |
479 | if (Comm::IsConnOpen(serverConn)) | |
480 | debugs(17, 3, HERE << "server FD " << serverConnection()->fd << " not re-forwarding status " << entry->getReply()->sline.status()); | |
481 | else | |
482 | debugs(17, 3, HERE << "server (FD closed) not re-forwarding status " << entry->getReply()->sline.status()); | |
483 | EBIT_CLR(entry->flags, ENTRY_FWD_HDR_WAIT); | |
484 | entry->complete(); | |
485 | ||
486 | if (!Comm::IsConnOpen(serverConn)) | |
487 | completed(); | |
488 | ||
489 | self = NULL; // refcounted | |
490 | } | |
491 | } | |
492 | ||
493 | /**** CALLBACK WRAPPERS ************************************************************/ | |
494 | ||
495 | static void | |
496 | fwdPeerSelectionCompleteWrapper(Comm::ConnectionList * unused, ErrorState *err, void *data) | |
497 | { | |
498 | FwdState *fwd = (FwdState *) data; | |
499 | if (err) | |
500 | fwd->fail(err); | |
501 | fwd->startConnectionOrFail(); | |
502 | } | |
503 | ||
504 | static void | |
505 | fwdServerClosedWrapper(const CommCloseCbParams ¶ms) | |
506 | { | |
507 | FwdState *fwd = (FwdState *)params.data; | |
508 | fwd->serverClosed(params.fd); | |
509 | } | |
510 | ||
511 | #if USE_SSL | |
512 | static void | |
513 | fwdNegotiateSSLWrapper(int fd, void *data) | |
514 | { | |
515 | FwdState *fwd = (FwdState *) data; | |
516 | fwd->negotiateSSL(fd); | |
517 | } | |
518 | ||
519 | #endif | |
520 | ||
521 | void | |
522 | fwdConnectDoneWrapper(const Comm::ConnectionPointer &conn, comm_err_t status, int xerrno, void *data) | |
523 | { | |
524 | FwdState *fwd = (FwdState *) data; | |
525 | fwd->connectDone(conn, status, xerrno); | |
526 | } | |
527 | ||
528 | /**** PRIVATE *****************************************************************/ | |
529 | ||
530 | /* | |
531 | * FwdState::checkRetry | |
532 | * | |
533 | * Return TRUE if the request SHOULD be retried. This method is | |
534 | * called when the HTTP connection fails, or when the connection | |
535 | * is closed before server-side read the end of HTTP headers. | |
536 | */ | |
537 | bool | |
538 | FwdState::checkRetry() | |
539 | { | |
540 | if (shutting_down) | |
541 | return false; | |
542 | ||
543 | if (!self) { // we have aborted before the server called us back | |
544 | debugs(17, 5, HERE << "not retrying because of earlier abort"); | |
545 | // we will be destroyed when the server clears its Pointer to us | |
546 | return false; | |
547 | } | |
548 | ||
549 | if (entry->store_status != STORE_PENDING) | |
550 | return false; | |
551 | ||
552 | if (!entry->isEmpty()) | |
553 | return false; | |
554 | ||
555 | if (n_tries > Config.forward_max_tries) | |
556 | return false; | |
557 | ||
558 | if (squid_curtime - start_t > Config.Timeout.forward) | |
559 | return false; | |
560 | ||
561 | if (flags.dont_retry) | |
562 | return false; | |
563 | ||
564 | if (request->bodyNibbled()) | |
565 | return false; | |
566 | ||
567 | // NP: not yet actually connected anywhere. retry is safe. | |
568 | if (!flags.connected_okay) | |
569 | return true; | |
570 | ||
571 | if (!checkRetriable()) | |
572 | return false; | |
573 | ||
574 | return true; | |
575 | } | |
576 | ||
577 | /* | |
578 | * FwdState::checkRetriable | |
579 | * | |
580 | * Return TRUE if this is the kind of request that can be retried | |
581 | * after a failure. If the request is not retriable then we don't | |
582 | * want to risk sending it on a persistent connection. Instead we'll | |
583 | * force it to go on a new HTTP connection. | |
584 | */ | |
585 | bool | |
586 | FwdState::checkRetriable() | |
587 | { | |
588 | // Optimize: A compliant proxy may retry PUTs, but Squid lacks the [rather | |
589 | // complicated] code required to protect the PUT request body from being | |
590 | // nibbled during the first try. Thus, Squid cannot retry some PUTs today. | |
591 | if (request->body_pipe != NULL) | |
592 | return false; | |
593 | ||
594 | // RFC2616 9.1 Safe and Idempotent Methods | |
595 | return (request->method.isHttpSafe() || request->method.isIdempotent()); | |
596 | } | |
597 | ||
598 | void | |
599 | FwdState::serverClosed(int fd) | |
600 | { | |
601 | debugs(17, 2, HERE << "FD " << fd << " " << entry->url()); | |
602 | retryOrBail(); | |
603 | } | |
604 | ||
605 | void | |
606 | FwdState::retryOrBail() | |
607 | { | |
608 | if (checkRetry()) { | |
609 | debugs(17, 3, HERE << "re-forwarding (" << n_tries << " tries, " << (squid_curtime - start_t) << " secs)"); | |
610 | // we should retry the same destination if it failed due to pconn race | |
611 | if (pconnRace == raceHappened) | |
612 | debugs(17, 4, HERE << "retrying the same destination"); | |
613 | else | |
614 | serverDestinations.shift(); // last one failed. try another. | |
615 | startConnectionOrFail(); | |
616 | return; | |
617 | } | |
618 | ||
619 | // TODO: should we call completed() here and move doneWithRetries there? | |
620 | doneWithRetries(); | |
621 | ||
622 | if (self != NULL && !err && shutting_down) { | |
623 | ErrorState *anErr = new ErrorState(ERR_SHUTTING_DOWN, Http::scServiceUnavailable, request); | |
624 | errorAppendEntry(entry, anErr); | |
625 | } | |
626 | ||
627 | self = NULL; // refcounted | |
628 | } | |
629 | ||
630 | // If the Server quits before nibbling at the request body, the body sender | |
631 | // will not know (so that we can retry). Call this if we will not retry. We | |
632 | // will notify the sender so that it does not get stuck waiting for space. | |
633 | void | |
634 | FwdState::doneWithRetries() | |
635 | { | |
636 | if (request && request->body_pipe != NULL) | |
637 | request->body_pipe->expectNoConsumption(); | |
638 | } | |
639 | ||
640 | // called by the server that failed after calling unregister() | |
641 | void | |
642 | FwdState::handleUnregisteredServerEnd() | |
643 | { | |
644 | debugs(17, 2, HERE << "self=" << self << " err=" << err << ' ' << entry->url()); | |
645 | assert(!Comm::IsConnOpen(serverConn)); | |
646 | retryOrBail(); | |
647 | } | |
648 | ||
649 | #if USE_SSL | |
650 | void | |
651 | FwdState::negotiateSSL(int fd) | |
652 | { | |
653 | unsigned long ssl_lib_error = SSL_ERROR_NONE; | |
654 | SSL *ssl = fd_table[fd].ssl; | |
655 | int ret; | |
656 | ||
657 | if ((ret = SSL_connect(ssl)) <= 0) { | |
658 | int ssl_error = SSL_get_error(ssl, ret); | |
659 | #ifdef EPROTO | |
660 | int sysErrNo = EPROTO; | |
661 | #else | |
662 | int sysErrNo = EACCES; | |
663 | #endif | |
664 | ||
665 | switch (ssl_error) { | |
666 | ||
667 | case SSL_ERROR_WANT_READ: | |
668 | Comm::SetSelect(fd, COMM_SELECT_READ, fwdNegotiateSSLWrapper, this, 0); | |
669 | return; | |
670 | ||
671 | case SSL_ERROR_WANT_WRITE: | |
672 | Comm::SetSelect(fd, COMM_SELECT_WRITE, fwdNegotiateSSLWrapper, this, 0); | |
673 | return; | |
674 | ||
675 | case SSL_ERROR_SSL: | |
676 | case SSL_ERROR_SYSCALL: | |
677 | ssl_lib_error = ERR_get_error(); | |
678 | debugs(81, DBG_IMPORTANT, "fwdNegotiateSSL: Error negotiating SSL connection on FD " << fd << | |
679 | ": " << ERR_error_string(ssl_lib_error, NULL) << " (" << ssl_error << | |
680 | "/" << ret << "/" << errno << ")"); | |
681 | ||
682 | // store/report errno when ssl_error is SSL_ERROR_SYSCALL, ssl_lib_error is 0, and ret is -1 | |
683 | if (ssl_error == SSL_ERROR_SYSCALL && ret == -1 && ssl_lib_error == 0) | |
684 | sysErrNo = errno; | |
685 | ||
686 | // falling through to complete error handling | |
687 | ||
688 | default: | |
689 | // TODO: move into a method before merge | |
690 | Ssl::ErrorDetail *errDetails; | |
691 | Ssl::ErrorDetail *errFromFailure = (Ssl::ErrorDetail *)SSL_get_ex_data(ssl, ssl_ex_index_ssl_error_detail); | |
692 | if (errFromFailure != NULL) { | |
693 | // The errFromFailure is attached to the ssl object | |
694 | // and will be released when ssl object destroyed. | |
695 | // Copy errFromFailure to a new Ssl::ErrorDetail object. | |
696 | errDetails = new Ssl::ErrorDetail(*errFromFailure); | |
697 | } else { | |
698 | // server_cert can be NULL here | |
699 | X509 *server_cert = SSL_get_peer_certificate(ssl); | |
700 | errDetails = new Ssl::ErrorDetail(SQUID_ERR_SSL_HANDSHAKE, server_cert, NULL); | |
701 | X509_free(server_cert); | |
702 | } | |
703 | ||
704 | if (ssl_lib_error != SSL_ERROR_NONE) | |
705 | errDetails->setLibError(ssl_lib_error); | |
706 | ||
707 | if (request->clientConnectionManager.valid()) { | |
708 | // remember the server certificate from the ErrorDetail object | |
709 | if (Ssl::ServerBump *serverBump = request->clientConnectionManager->serverBump()) { | |
710 | serverBump->serverCert.resetAndLock(errDetails->peerCert()); | |
711 | ||
712 | // remember validation errors, if any | |
713 | if (Ssl::CertErrors *errs = static_cast<Ssl::CertErrors*>(SSL_get_ex_data(ssl, ssl_ex_index_ssl_errors))) | |
714 | serverBump->sslErrors = cbdataReference(errs); | |
715 | } | |
716 | } | |
717 | ||
718 | // For intercepted connections, set the host name to the server | |
719 | // certificate CN. Otherwise, we just hope that CONNECT is using | |
720 | // a user-entered address (a host name or a user-entered IP). | |
721 | const bool isConnectRequest = !request->clientConnectionManager->port->flags.isIntercepted(); | |
722 | if (request->flags.sslPeek && !isConnectRequest) { | |
723 | if (X509 *srvX509 = errDetails->peerCert()) { | |
724 | if (const char *name = Ssl::CommonHostName(srvX509)) { | |
725 | request->SetHost(name); | |
726 | debugs(83, 3, HERE << "reset request host: " << name); | |
727 | } | |
728 | } | |
729 | } | |
730 | ||
731 | ErrorState *const anErr = makeConnectingError(ERR_SECURE_CONNECT_FAIL); | |
732 | anErr->xerrno = sysErrNo; | |
733 | anErr->detail = errDetails; | |
734 | fail(anErr); | |
735 | ||
736 | if (serverConnection()->getPeer()) { | |
737 | peerConnectFailed(serverConnection()->getPeer()); | |
738 | } | |
739 | ||
740 | serverConn->close(); | |
741 | return; | |
742 | } | |
743 | } | |
744 | ||
745 | if (request->clientConnectionManager.valid()) { | |
746 | // remember the server certificate from the ErrorDetail object | |
747 | if (Ssl::ServerBump *serverBump = request->clientConnectionManager->serverBump()) { | |
748 | serverBump->serverCert.reset(SSL_get_peer_certificate(ssl)); | |
749 | ||
750 | // remember validation errors, if any | |
751 | if (Ssl::CertErrors *errs = static_cast<Ssl::CertErrors *>(SSL_get_ex_data(ssl, ssl_ex_index_ssl_errors))) | |
752 | serverBump->sslErrors = cbdataReference(errs); | |
753 | } | |
754 | } | |
755 | ||
756 | if (serverConnection()->getPeer() && !SSL_session_reused(ssl)) { | |
757 | if (serverConnection()->getPeer()->sslSession) | |
758 | SSL_SESSION_free(serverConnection()->getPeer()->sslSession); | |
759 | ||
760 | serverConnection()->getPeer()->sslSession = SSL_get1_session(ssl); | |
761 | } | |
762 | ||
763 | if (Ssl::TheConfig.ssl_crt_validator) { | |
764 | Ssl::CertValidationRequest validationRequest; | |
765 | // WARNING: Currently we do not use any locking for any of the | |
766 | // members of the Ssl::CertValidationRequest class. In this code the | |
767 | // Ssl::CertValidationRequest object used only to pass data to | |
768 | // Ssl::CertValidationHelper::submit method. | |
769 | validationRequest.ssl = ssl; | |
770 | validationRequest.domainName = request->GetHost(); | |
771 | if (Ssl::CertErrors *errs = static_cast<Ssl::CertErrors *>(SSL_get_ex_data(ssl, ssl_ex_index_ssl_errors))) | |
772 | // validationRequest disappears on return so no need to cbdataReference | |
773 | validationRequest.errors = errs; | |
774 | else | |
775 | validationRequest.errors = NULL; | |
776 | try { | |
777 | debugs(83, 5, "Sending SSL certificate for validation to ssl_crtvd."); | |
778 | Ssl::CertValidationHelper::GetInstance()->sslSubmit(validationRequest, sslCrtvdHandleReplyWrapper, this); | |
779 | return; | |
780 | } catch (const std::exception &e) { | |
781 | debugs(33, DBG_IMPORTANT, "ERROR: Failed to compose ssl_crtvd " << | |
782 | "request for " << validationRequest.domainName << | |
783 | " certificate: " << e.what() << "; will now block to " << | |
784 | "validate that certificate."); | |
785 | // fall through to do blocking in-process generation. | |
786 | ErrorState *anErr = new ErrorState(ERR_GATEWAY_FAILURE, Http::scInternalServerError, request); | |
787 | fail(anErr); | |
788 | if (serverConnection()->getPeer()) { | |
789 | peerConnectFailed(serverConnection()->getPeer()); | |
790 | } | |
791 | serverConn->close(); | |
792 | self = NULL; | |
793 | return; | |
794 | } | |
795 | } | |
796 | ||
797 | dispatch(); | |
798 | } | |
799 | ||
800 | void | |
801 | FwdState::sslCrtvdHandleReplyWrapper(void *data, Ssl::CertValidationResponse const &validationResponse) | |
802 | { | |
803 | FwdState * fwd = (FwdState *)(data); | |
804 | fwd->sslCrtvdHandleReply(validationResponse); | |
805 | } | |
806 | ||
807 | void | |
808 | FwdState::sslCrtvdHandleReply(Ssl::CertValidationResponse const &validationResponse) | |
809 | { | |
810 | Ssl::CertErrors *errs = NULL; | |
811 | Ssl::ErrorDetail *errDetails = NULL; | |
812 | bool validatorFailed = false; | |
813 | if (!Comm::IsConnOpen(serverConnection())) { | |
814 | return; | |
815 | } | |
816 | ||
817 | debugs(83,5, request->GetHost() << " cert validation result: " << validationResponse.resultCode); | |
818 | ||
819 | if (validationResponse.resultCode == HelperReply::Error) | |
820 | errs = sslCrtvdCheckForErrors(validationResponse, errDetails); | |
821 | else if (validationResponse.resultCode != HelperReply::Okay) | |
822 | validatorFailed = true; | |
823 | ||
824 | if (!errDetails && !validatorFailed) { | |
825 | dispatch(); | |
826 | return; | |
827 | } | |
828 | ||
829 | ErrorState *anErr = NULL; | |
830 | if (validatorFailed) { | |
831 | anErr = new ErrorState(ERR_GATEWAY_FAILURE, Http::scInternalServerError, request); | |
832 | } else { | |
833 | ||
834 | // Check the list error with | |
835 | if (errDetails && request->clientConnectionManager.valid()) { | |
836 | // remember the server certificate from the ErrorDetail object | |
837 | if (Ssl::ServerBump *serverBump = request->clientConnectionManager->serverBump()) { | |
838 | // remember validation errors, if any | |
839 | if (errs) { | |
840 | if (serverBump->sslErrors) | |
841 | cbdataReferenceDone(serverBump->sslErrors); | |
842 | serverBump->sslErrors = cbdataReference(errs); | |
843 | } | |
844 | } | |
845 | } | |
846 | ||
847 | anErr = makeConnectingError(ERR_SECURE_CONNECT_FAIL); | |
848 | anErr->detail = errDetails; | |
849 | /*anErr->xerrno= Should preserved*/ | |
850 | } | |
851 | ||
852 | fail(anErr); | |
853 | if (serverConnection()->getPeer()) { | |
854 | peerConnectFailed(serverConnection()->getPeer()); | |
855 | } | |
856 | serverConn->close(); | |
857 | self = NULL; | |
858 | return; | |
859 | } | |
860 | ||
861 | /// Checks errors in the cert. validator response against sslproxy_cert_error. | |
862 | /// The first honored error, if any, is returned via errDetails parameter. | |
863 | /// The method returns all seen errors except SSL_ERROR_NONE as Ssl::CertErrors. | |
864 | Ssl::CertErrors * | |
865 | FwdState::sslCrtvdCheckForErrors(Ssl::CertValidationResponse const &resp, Ssl::ErrorDetail *& errDetails) | |
866 | { | |
867 | Ssl::CertErrors *errs = NULL; | |
868 | ||
869 | ACLFilledChecklist *check = NULL; | |
870 | if (acl_access *acl = Config.ssl_client.cert_error) | |
871 | check = new ACLFilledChecklist(acl, request, dash_str); | |
872 | ||
873 | SSL *ssl = fd_table[serverConnection()->fd].ssl; | |
874 | typedef Ssl::CertValidationResponse::RecvdErrors::const_iterator SVCRECI; | |
875 | for (SVCRECI i = resp.errors.begin(); i != resp.errors.end(); ++i) { | |
876 | debugs(83, 7, "Error item: " << i->error_no << " " << i->error_reason); | |
877 | ||
878 | assert(i->error_no != SSL_ERROR_NONE); | |
879 | ||
880 | if (!errDetails) { | |
881 | bool allowed = false; | |
882 | if (check) { | |
883 | check->sslErrors = new Ssl::CertErrors(Ssl::CertError(i->error_no, i->cert.get())); | |
884 | if (check->fastCheck() == ACCESS_ALLOWED) | |
885 | allowed = true; | |
886 | } | |
887 | // else the Config.ssl_client.cert_error access list is not defined | |
888 | // and the first error will cause the error page | |
889 | ||
890 | if (allowed) { | |
891 | debugs(83, 3, "bypassing SSL error " << i->error_no << " in " << "buffer"); | |
892 | } else { | |
893 | debugs(83, 5, "confirming SSL error " << i->error_no); | |
894 | X509 *brokenCert = i->cert.get(); | |
895 | Ssl::X509_Pointer peerCert(SSL_get_peer_certificate(ssl)); | |
896 | const char *aReason = i->error_reason.empty() ? NULL : i->error_reason.c_str(); | |
897 | errDetails = new Ssl::ErrorDetail(i->error_no, peerCert.get(), brokenCert, aReason); | |
898 | } | |
899 | if (check) { | |
900 | delete check->sslErrors; | |
901 | check->sslErrors = NULL; | |
902 | } | |
903 | } | |
904 | ||
905 | if (!errs) | |
906 | errs = new Ssl::CertErrors(Ssl::CertError(i->error_no, i->cert.get())); | |
907 | else | |
908 | errs->push_back_unique(Ssl::CertError(i->error_no, i->cert.get())); | |
909 | } | |
910 | if (check) | |
911 | delete check; | |
912 | ||
913 | return errs; | |
914 | } | |
915 | ||
916 | void | |
917 | FwdState::initiateSSL() | |
918 | { | |
919 | SSL *ssl; | |
920 | SSL_CTX *sslContext = NULL; | |
921 | const CachePeer *peer = serverConnection()->getPeer(); | |
922 | int fd = serverConnection()->fd; | |
923 | ||
924 | if (peer) { | |
925 | assert(peer->use_ssl); | |
926 | sslContext = peer->sslContext; | |
927 | } else { | |
928 | sslContext = Config.ssl_client.sslContext; | |
929 | } | |
930 | ||
931 | assert(sslContext); | |
932 | ||
933 | if ((ssl = SSL_new(sslContext)) == NULL) { | |
934 | debugs(83, DBG_IMPORTANT, "fwdInitiateSSL: Error allocating handle: " << ERR_error_string(ERR_get_error(), NULL) ); | |
935 | ErrorState *anErr = new ErrorState(ERR_SOCKET_FAILURE, Http::scInternalServerError, request); | |
936 | // TODO: create Ssl::ErrorDetail with OpenSSL-supplied error code | |
937 | fail(anErr); | |
938 | self = NULL; // refcounted | |
939 | return; | |
940 | } | |
941 | ||
942 | SSL_set_fd(ssl, fd); | |
943 | ||
944 | if (peer) { | |
945 | if (peer->ssldomain) | |
946 | SSL_set_ex_data(ssl, ssl_ex_index_server, peer->ssldomain); | |
947 | ||
948 | #if NOT_YET | |
949 | ||
950 | else if (peer->name) | |
951 | SSL_set_ex_data(ssl, ssl_ex_index_server, peer->name); | |
952 | ||
953 | #endif | |
954 | ||
955 | else | |
956 | SSL_set_ex_data(ssl, ssl_ex_index_server, peer->host); | |
957 | ||
958 | if (peer->sslSession) | |
959 | SSL_set_session(ssl, peer->sslSession); | |
960 | ||
961 | } else { | |
962 | // While we are peeking at the certificate, we may not know the server | |
963 | // name that the client will request (after interception or CONNECT) | |
964 | // unless it was the CONNECT request with a user-typed address. | |
965 | const char *hostname = request->GetHost(); | |
966 | const bool hostnameIsIp = request->GetHostIsNumeric(); | |
967 | const bool isConnectRequest = !request->clientConnectionManager->port->flags.isIntercepted(); | |
968 | if (!request->flags.sslPeek || isConnectRequest) | |
969 | SSL_set_ex_data(ssl, ssl_ex_index_server, (void*)hostname); | |
970 | ||
971 | // Use SNI TLS extension only when we connect directly | |
972 | // to the origin server and we know the server host name. | |
973 | if (!hostnameIsIp) | |
974 | Ssl::setClientSNI(ssl, hostname); | |
975 | } | |
976 | ||
977 | // If CertValidation Helper used do not lookup checklist for errors, | |
978 | // but keep a list of errors to send it to CertValidator | |
979 | if (!Ssl::TheConfig.ssl_crt_validator) { | |
980 | // Create the ACL check list now, while we have access to more info. | |
981 | // The list is used in ssl_verify_cb() and is freed in ssl_free(). | |
982 | if (acl_access *acl = Config.ssl_client.cert_error) { | |
983 | ACLFilledChecklist *check = new ACLFilledChecklist(acl, request, dash_str); | |
984 | SSL_set_ex_data(ssl, ssl_ex_index_cert_error_check, check); | |
985 | } | |
986 | } | |
987 | ||
988 | // store peeked cert to check SQUID_X509_V_ERR_CERT_CHANGE | |
989 | X509 *peeked_cert; | |
990 | if (request->clientConnectionManager.valid() && | |
991 | request->clientConnectionManager->serverBump() && | |
992 | (peeked_cert = request->clientConnectionManager->serverBump()->serverCert.get())) { | |
993 | CRYPTO_add(&(peeked_cert->references),1,CRYPTO_LOCK_X509); | |
994 | SSL_set_ex_data(ssl, ssl_ex_index_ssl_peeked_cert, peeked_cert); | |
995 | } | |
996 | ||
997 | fd_table[fd].ssl = ssl; | |
998 | fd_table[fd].read_method = &ssl_read_method; | |
999 | fd_table[fd].write_method = &ssl_write_method; | |
1000 | negotiateSSL(fd); | |
1001 | } | |
1002 | ||
1003 | #endif | |
1004 | ||
1005 | void | |
1006 | FwdState::connectDone(const Comm::ConnectionPointer &conn, comm_err_t status, int xerrno) | |
1007 | { | |
1008 | if (status != COMM_OK) { | |
1009 | ErrorState *const anErr = makeConnectingError(ERR_CONNECT_FAIL); | |
1010 | anErr->xerrno = xerrno; | |
1011 | fail(anErr); | |
1012 | ||
1013 | /* it might have been a timeout with a partially open link */ | |
1014 | if (conn != NULL) { | |
1015 | if (conn->getPeer()) | |
1016 | peerConnectFailed(conn->getPeer()); | |
1017 | ||
1018 | conn->close(); | |
1019 | } | |
1020 | retryOrBail(); | |
1021 | return; | |
1022 | } | |
1023 | ||
1024 | serverConn = conn; | |
1025 | flags.connected_okay = true; | |
1026 | ||
1027 | debugs(17, 3, HERE << serverConnection() << ": '" << entry->url() << "'" ); | |
1028 | ||
1029 | comm_add_close_handler(serverConnection()->fd, fwdServerClosedWrapper, this); | |
1030 | ||
1031 | if (serverConnection()->getPeer()) | |
1032 | peerConnectSucceded(serverConnection()->getPeer()); | |
1033 | ||
1034 | #if USE_SSL | |
1035 | if (!request->flags.pinned) { | |
1036 | if ((serverConnection()->getPeer() && serverConnection()->getPeer()->use_ssl) || | |
1037 | (!serverConnection()->getPeer() && request->protocol == AnyP::PROTO_HTTPS) || | |
1038 | request->flags.sslPeek) { | |
1039 | initiateSSL(); | |
1040 | return; | |
1041 | } | |
1042 | } | |
1043 | #endif | |
1044 | ||
1045 | dispatch(); | |
1046 | } | |
1047 | ||
1048 | void | |
1049 | FwdState::connectTimeout(int fd) | |
1050 | { | |
1051 | debugs(17, 2, "fwdConnectTimeout: FD " << fd << ": '" << entry->url() << "'" ); | |
1052 | assert(serverDestinations[0] != NULL); | |
1053 | assert(fd == serverDestinations[0]->fd); | |
1054 | ||
1055 | if (entry->isEmpty()) { | |
1056 | ErrorState *anErr = new ErrorState(ERR_CONNECT_FAIL, Http::scGateway_Timeout, request); | |
1057 | anErr->xerrno = ETIMEDOUT; | |
1058 | fail(anErr); | |
1059 | ||
1060 | /* This marks the peer DOWN ... */ | |
1061 | if (serverDestinations[0]->getPeer()) | |
1062 | peerConnectFailed(serverDestinations[0]->getPeer()); | |
1063 | } | |
1064 | ||
1065 | if (Comm::IsConnOpen(serverDestinations[0])) { | |
1066 | serverDestinations[0]->close(); | |
1067 | } | |
1068 | } | |
1069 | ||
1070 | /** | |
1071 | * Called after Forwarding path selection (via peer select) has taken place. | |
1072 | * And whenever forwarding needs to attempt a new connection (routing failover) | |
1073 | * We have a vector of possible localIP->remoteIP paths now ready to start being connected. | |
1074 | */ | |
1075 | void | |
1076 | FwdState::connectStart() | |
1077 | { | |
1078 | assert(serverDestinations.size() > 0); | |
1079 | ||
1080 | debugs(17, 3, "fwdConnectStart: " << entry->url()); | |
1081 | ||
1082 | if (!request->hier.first_conn_start.tv_sec) // first attempt | |
1083 | request->hier.first_conn_start = current_time; | |
1084 | ||
1085 | /* connection timeout */ | |
1086 | int ctimeout; | |
1087 | if (serverDestinations[0]->getPeer()) { | |
1088 | ctimeout = serverDestinations[0]->getPeer()->connect_timeout > 0 ? | |
1089 | serverDestinations[0]->getPeer()->connect_timeout : Config.Timeout.peer_connect; | |
1090 | } else { | |
1091 | ctimeout = Config.Timeout.connect; | |
1092 | } | |
1093 | ||
1094 | /* calculate total forwarding timeout ??? */ | |
1095 | int ftimeout = Config.Timeout.forward - (squid_curtime - start_t); | |
1096 | if (ftimeout < 0) | |
1097 | ftimeout = 5; | |
1098 | ||
1099 | if (ftimeout < ctimeout) | |
1100 | ctimeout = ftimeout; | |
1101 | ||
1102 | if (serverDestinations[0]->getPeer() && request->flags.sslBumped) { | |
1103 | debugs(50, 4, "fwdConnectStart: Ssl bumped connections through parent proxy are not allowed"); | |
1104 | ErrorState *anErr = new ErrorState(ERR_CANNOT_FORWARD, Http::scServiceUnavailable, request); | |
1105 | fail(anErr); | |
1106 | self = NULL; // refcounted | |
1107 | return; | |
1108 | } | |
1109 | ||
1110 | request->flags.pinned = false; // XXX: what if the ConnStateData set this to flag existing credentials? | |
1111 | // XXX: answer: the peer selection *should* catch it and give us only the pinned peer. so we reverse the =0 step below. | |
1112 | // XXX: also, logs will now lie if pinning is broken and leads to an error message. | |
1113 | if (serverDestinations[0]->peerType == PINNED) { | |
1114 | ConnStateData *pinned_connection = request->pinnedConnection(); | |
1115 | debugs(17,7, "pinned peer connection: " << pinned_connection); | |
1116 | // pinned_connection may become nil after a pconn race | |
1117 | if (pinned_connection) | |
1118 | serverConn = pinned_connection->validatePinnedConnection(request, serverDestinations[0]->getPeer()); | |
1119 | else | |
1120 | serverConn = NULL; | |
1121 | if (Comm::IsConnOpen(serverConn)) { | |
1122 | pinned_connection->stopPinnedConnectionMonitoring(); | |
1123 | flags.connected_okay = true; | |
1124 | ++n_tries; | |
1125 | request->flags.pinned = true; | |
1126 | request->hier.note(serverConn, pinned_connection->pinning.host); | |
1127 | if (pinned_connection->pinnedAuth()) | |
1128 | request->flags.auth = true; | |
1129 | comm_add_close_handler(serverConn->fd, fwdServerClosedWrapper, this); | |
1130 | // the server may close the pinned connection before this request | |
1131 | pconnRace = racePossible; | |
1132 | dispatch(); | |
1133 | return; | |
1134 | } | |
1135 | // Pinned connection failure. | |
1136 | debugs(17,2,HERE << "Pinned connection failed: " << pinned_connection); | |
1137 | ErrorState *anErr = new ErrorState(ERR_ZERO_SIZE_OBJECT, Http::scServiceUnavailable, request); | |
1138 | fail(anErr); | |
1139 | self = NULL; // refcounted | |
1140 | return; | |
1141 | } | |
1142 | ||
1143 | // Use pconn to avoid opening a new connection. | |
1144 | const char *host = NULL; | |
1145 | if (!serverDestinations[0]->getPeer()) | |
1146 | host = request->GetHost(); | |
1147 | ||
1148 | Comm::ConnectionPointer temp; | |
1149 | // Avoid pconns after races so that the same client does not suffer twice. | |
1150 | // This does not increase the total number of connections because we just | |
1151 | // closed the connection that failed the race. And re-pinning assumes this. | |
1152 | if (pconnRace != raceHappened) | |
1153 | temp = fwdPconnPool->pop(serverDestinations[0], host, checkRetriable()); | |
1154 | ||
1155 | const bool openedPconn = Comm::IsConnOpen(temp); | |
1156 | pconnRace = openedPconn ? racePossible : raceImpossible; | |
1157 | ||
1158 | // if we found an open persistent connection to use. use it. | |
1159 | if (openedPconn) { | |
1160 | serverConn = temp; | |
1161 | flags.connected_okay = true; | |
1162 | debugs(17, 3, HERE << "reusing pconn " << serverConnection()); | |
1163 | ++n_tries; | |
1164 | ||
1165 | comm_add_close_handler(serverConnection()->fd, fwdServerClosedWrapper, this); | |
1166 | ||
1167 | /* Update server side TOS and Netfilter mark on the connection. */ | |
1168 | if (Ip::Qos::TheConfig.isAclTosActive()) { | |
1169 | const tos_t tos = GetTosToServer(request); | |
1170 | Ip::Qos::setSockTos(temp, tos); | |
1171 | } | |
1172 | #if SO_MARK | |
1173 | if (Ip::Qos::TheConfig.isAclNfmarkActive()) { | |
1174 | const nfmark_t nfmark = GetNfmarkToServer(request); | |
1175 | Ip::Qos::setSockNfmark(temp, nfmark); | |
1176 | } | |
1177 | #endif | |
1178 | ||
1179 | dispatch(); | |
1180 | return; | |
1181 | } | |
1182 | ||
1183 | // We will try to open a new connection, possibly to the same destination. | |
1184 | // We reset serverDestinations[0] in case we are using it again because | |
1185 | // ConnOpener modifies its destination argument. | |
1186 | serverDestinations[0]->local.port(0); | |
1187 | serverConn = NULL; | |
1188 | ||
1189 | #if URL_CHECKSUM_DEBUG | |
1190 | entry->mem_obj->checkUrlChecksum(); | |
1191 | #endif | |
1192 | ||
1193 | /* Get the server side TOS and Netfilter mark to be set on the connection. */ | |
1194 | if (Ip::Qos::TheConfig.isAclTosActive()) { | |
1195 | serverDestinations[0]->tos = GetTosToServer(request); | |
1196 | } | |
1197 | #if SO_MARK && USE_LIBCAP | |
1198 | serverDestinations[0]->nfmark = GetNfmarkToServer(request); | |
1199 | debugs(17, 3, "fwdConnectStart: got outgoing addr " << serverDestinations[0]->local << ", tos " << int(serverDestinations[0]->tos) | |
1200 | << ", netfilter mark " << serverDestinations[0]->nfmark); | |
1201 | #else | |
1202 | serverDestinations[0]->nfmark = 0; | |
1203 | debugs(17, 3, "fwdConnectStart: got outgoing addr " << serverDestinations[0]->local << ", tos " << int(serverDestinations[0]->tos)); | |
1204 | #endif | |
1205 | ||
1206 | calls.connector = commCbCall(17,3, "fwdConnectDoneWrapper", CommConnectCbPtrFun(fwdConnectDoneWrapper, this)); | |
1207 | Comm::ConnOpener *cs = new Comm::ConnOpener(serverDestinations[0], calls.connector, ctimeout); | |
1208 | if (host) | |
1209 | cs->setHost(host); | |
1210 | AsyncJob::Start(cs); | |
1211 | } | |
1212 | ||
1213 | void | |
1214 | FwdState::dispatch() | |
1215 | { | |
1216 | debugs(17, 3, HERE << clientConn << ": Fetching '" << RequestMethodStr(request->method) << " " << entry->url() << "'"); | |
1217 | /* | |
1218 | * Assert that server_fd is set. This is to guarantee that fwdState | |
1219 | * is attached to something and will be deallocated when server_fd | |
1220 | * is closed. | |
1221 | */ | |
1222 | assert(Comm::IsConnOpen(serverConn)); | |
1223 | ||
1224 | fd_note(serverConnection()->fd, entry->url()); | |
1225 | ||
1226 | fd_table[serverConnection()->fd].noteUse(fwdPconnPool); | |
1227 | ||
1228 | /*assert(!EBIT_TEST(entry->flags, ENTRY_DISPATCHED)); */ | |
1229 | assert(entry->ping_status != PING_WAITING); | |
1230 | ||
1231 | assert(entry->lock_count); | |
1232 | ||
1233 | EBIT_SET(entry->flags, ENTRY_DISPATCHED); | |
1234 | ||
1235 | netdbPingSite(request->GetHost()); | |
1236 | ||
1237 | /* Retrieves remote server TOS or MARK value, and stores it as part of the | |
1238 | * original client request FD object. It is later used to forward | |
1239 | * remote server's TOS/MARK in the response to the client in case of a MISS. | |
1240 | */ | |
1241 | if (Ip::Qos::TheConfig.isHitNfmarkActive()) { | |
1242 | if (Comm::IsConnOpen(clientConn) && Comm::IsConnOpen(serverConnection())) { | |
1243 | fde * clientFde = &fd_table[clientConn->fd]; // XXX: move the fd_table access into Ip::Qos | |
1244 | /* Get the netfilter mark for the connection */ | |
1245 | Ip::Qos::getNfmarkFromServer(serverConnection(), clientFde); | |
1246 | } | |
1247 | } | |
1248 | ||
1249 | #if _SQUID_LINUX_ | |
1250 | /* Bug 2537: The TOS forward part of QOS only applies to patched Linux kernels. */ | |
1251 | if (Ip::Qos::TheConfig.isHitTosActive()) { | |
1252 | if (Comm::IsConnOpen(clientConn)) { | |
1253 | fde * clientFde = &fd_table[clientConn->fd]; // XXX: move the fd_table access into Ip::Qos | |
1254 | /* Get the TOS value for the packet */ | |
1255 | Ip::Qos::getTosFromServer(serverConnection(), clientFde); | |
1256 | } | |
1257 | } | |
1258 | #endif | |
1259 | ||
1260 | #if USE_SSL | |
1261 | if (request->flags.sslPeek) { | |
1262 | CallJobHere1(17, 4, request->clientConnectionManager, ConnStateData, | |
1263 | ConnStateData::httpsPeeked, serverConnection()); | |
1264 | unregister(serverConn); // async call owns it now | |
1265 | complete(); // destroys us | |
1266 | return; | |
1267 | } | |
1268 | #endif | |
1269 | ||
1270 | if (serverConnection()->getPeer() != NULL) { | |
1271 | ++ serverConnection()->getPeer()->stats.fetches; | |
1272 | request->peer_login = serverConnection()->getPeer()->login; | |
1273 | request->peer_domain = serverConnection()->getPeer()->domain; | |
1274 | httpStart(this); | |
1275 | } else { | |
1276 | assert(!request->flags.sslPeek); | |
1277 | request->peer_login = NULL; | |
1278 | request->peer_domain = NULL; | |
1279 | ||
1280 | switch (request->protocol) { | |
1281 | #if USE_SSL | |
1282 | ||
1283 | case AnyP::PROTO_HTTPS: | |
1284 | httpStart(this); | |
1285 | break; | |
1286 | #endif | |
1287 | ||
1288 | case AnyP::PROTO_HTTP: | |
1289 | httpStart(this); | |
1290 | break; | |
1291 | ||
1292 | case AnyP::PROTO_GOPHER: | |
1293 | gopherStart(this); | |
1294 | break; | |
1295 | ||
1296 | case AnyP::PROTO_FTP: | |
1297 | ftpStart(this); | |
1298 | break; | |
1299 | ||
1300 | case AnyP::PROTO_CACHE_OBJECT: | |
1301 | ||
1302 | case AnyP::PROTO_INTERNAL: | |
1303 | ||
1304 | case AnyP::PROTO_URN: | |
1305 | fatal_dump("Should never get here"); | |
1306 | break; | |
1307 | ||
1308 | case AnyP::PROTO_WHOIS: | |
1309 | whoisStart(this); | |
1310 | break; | |
1311 | ||
1312 | case AnyP::PROTO_WAIS: /* Not implemented */ | |
1313 | ||
1314 | default: | |
1315 | debugs(17, DBG_IMPORTANT, "WARNING: Cannot retrieve '" << entry->url() << "'."); | |
1316 | ErrorState *anErr = new ErrorState(ERR_UNSUP_REQ, Http::scBadRequest, request); | |
1317 | fail(anErr); | |
1318 | // Set the dont_retry flag because this is not a transient (network) error. | |
1319 | flags.dont_retry = true; | |
1320 | if (Comm::IsConnOpen(serverConn)) { | |
1321 | serverConn->close(); | |
1322 | } | |
1323 | break; | |
1324 | } | |
1325 | } | |
1326 | } | |
1327 | ||
1328 | /* | |
1329 | * FwdState::reforward | |
1330 | * | |
1331 | * returns TRUE if the transaction SHOULD be re-forwarded to the | |
1332 | * next choice in the serverDestinations list. This method is called when | |
1333 | * server-side communication completes normally, or experiences | |
1334 | * some error after receiving the end of HTTP headers. | |
1335 | */ | |
1336 | int | |
1337 | FwdState::reforward() | |
1338 | { | |
1339 | StoreEntry *e = entry; | |
1340 | ||
1341 | if (EBIT_TEST(e->flags, ENTRY_ABORTED)) { | |
1342 | debugs(17, 3, HERE << "entry aborted"); | |
1343 | return 0; | |
1344 | } | |
1345 | ||
1346 | assert(e->store_status == STORE_PENDING); | |
1347 | assert(e->mem_obj); | |
1348 | #if URL_CHECKSUM_DEBUG | |
1349 | ||
1350 | e->mem_obj->checkUrlChecksum(); | |
1351 | #endif | |
1352 | ||
1353 | debugs(17, 3, HERE << e->url() << "?" ); | |
1354 | ||
1355 | if (!EBIT_TEST(e->flags, ENTRY_FWD_HDR_WAIT)) { | |
1356 | debugs(17, 3, HERE << "No, ENTRY_FWD_HDR_WAIT isn't set"); | |
1357 | return 0; | |
1358 | } | |
1359 | ||
1360 | if (n_tries > Config.forward_max_tries) | |
1361 | return 0; | |
1362 | ||
1363 | if (request->bodyNibbled()) | |
1364 | return 0; | |
1365 | ||
1366 | if (serverDestinations.size() <= 1) { | |
1367 | // NP: <= 1 since total count includes the recently failed one. | |
1368 | debugs(17, 3, HERE << "No alternative forwarding paths left"); | |
1369 | return 0; | |
1370 | } | |
1371 | ||
1372 | const Http::StatusCode s = e->getReply()->sline.status(); | |
1373 | debugs(17, 3, HERE << "status " << s); | |
1374 | return reforwardableStatus(s); | |
1375 | } | |
1376 | ||
1377 | /** | |
1378 | * Create "503 Service Unavailable" or "504 Gateway Timeout" error depending | |
1379 | * on whether this is a validation request. RFC 2616 says that we MUST reply | |
1380 | * with "504 Gateway Timeout" if validation fails and cached reply has | |
1381 | * proxy-revalidate, must-revalidate or s-maxage Cache-Control directive. | |
1382 | */ | |
1383 | ErrorState * | |
1384 | FwdState::makeConnectingError(const err_type type) const | |
1385 | { | |
1386 | return new ErrorState(type, request->flags.needValidation ? | |
1387 | Http::scGateway_Timeout : Http::scServiceUnavailable, request); | |
1388 | } | |
1389 | ||
1390 | static void | |
1391 | fwdStats(StoreEntry * s) | |
1392 | { | |
1393 | int i; | |
1394 | int j; | |
1395 | storeAppendPrintf(s, "Status"); | |
1396 | ||
1397 | for (j = 1; j < MAX_FWD_STATS_IDX; ++j) { | |
1398 | storeAppendPrintf(s, "\ttry#%d", j); | |
1399 | } | |
1400 | ||
1401 | storeAppendPrintf(s, "\n"); | |
1402 | ||
1403 | for (i = 0; i <= (int) Http::scInvalidHeader; ++i) { | |
1404 | if (FwdReplyCodes[0][i] == 0) | |
1405 | continue; | |
1406 | ||
1407 | storeAppendPrintf(s, "%3d", i); | |
1408 | ||
1409 | for (j = 0; j <= MAX_FWD_STATS_IDX; ++j) { | |
1410 | storeAppendPrintf(s, "\t%d", FwdReplyCodes[j][i]); | |
1411 | } | |
1412 | ||
1413 | storeAppendPrintf(s, "\n"); | |
1414 | } | |
1415 | } | |
1416 | ||
1417 | /**** STATIC MEMBER FUNCTIONS *************************************************/ | |
1418 | ||
1419 | bool | |
1420 | FwdState::reforwardableStatus(const Http::StatusCode s) const | |
1421 | { | |
1422 | switch (s) { | |
1423 | ||
1424 | case Http::scBadGateway: | |
1425 | ||
1426 | case Http::scGateway_Timeout: | |
1427 | return true; | |
1428 | ||
1429 | case Http::scForbidden: | |
1430 | ||
1431 | case Http::scInternalServerError: | |
1432 | ||
1433 | case Http::scNotImplemented: | |
1434 | ||
1435 | case Http::scServiceUnavailable: | |
1436 | return Config.retry.onerror; | |
1437 | ||
1438 | default: | |
1439 | return false; | |
1440 | } | |
1441 | ||
1442 | /* NOTREACHED */ | |
1443 | } | |
1444 | ||
1445 | /** | |
1446 | * Decide where details need to be gathered to correctly describe a persistent connection. | |
1447 | * What is needed: | |
1448 | * - the address/port details about this link | |
1449 | * - domain name of server at other end of this link (either peer or requested host) | |
1450 | */ | |
1451 | void | |
1452 | FwdState::pconnPush(Comm::ConnectionPointer &conn, const char *domain) | |
1453 | { | |
1454 | if (conn->getPeer()) { | |
1455 | fwdPconnPool->push(conn, NULL); | |
1456 | } else { | |
1457 | fwdPconnPool->push(conn, domain); | |
1458 | } | |
1459 | } | |
1460 | ||
1461 | void | |
1462 | FwdState::initModule() | |
1463 | { | |
1464 | RegisterWithCacheManager(); | |
1465 | } | |
1466 | ||
1467 | void | |
1468 | FwdState::RegisterWithCacheManager(void) | |
1469 | { | |
1470 | Mgr::RegisterAction("forward", "Request Forwarding Statistics", fwdStats, 0, 1); | |
1471 | } | |
1472 | ||
1473 | void | |
1474 | FwdState::logReplyStatus(int tries, const Http::StatusCode status) | |
1475 | { | |
1476 | if (status > Http::scInvalidHeader) | |
1477 | return; | |
1478 | ||
1479 | assert(tries >= 0); | |
1480 | ||
1481 | if (tries > MAX_FWD_STATS_IDX) | |
1482 | tries = MAX_FWD_STATS_IDX; | |
1483 | ||
1484 | ++ FwdReplyCodes[tries][status]; | |
1485 | } | |
1486 | ||
1487 | /**** PRIVATE NON-MEMBER FUNCTIONS ********************************************/ | |
1488 | ||
1489 | /* | |
1490 | * DPW 2007-05-19 | |
1491 | * Formerly static, but now used by client_side_request.cc | |
1492 | */ | |
1493 | /// Checks for a TOS value to apply depending on the ACL | |
1494 | tos_t | |
1495 | aclMapTOS(acl_tos * head, ACLChecklist * ch) | |
1496 | { | |
1497 | acl_tos *l; | |
1498 | ||
1499 | for (l = head; l; l = l->next) { | |
1500 | if (!l->aclList || ch->fastCheck(l->aclList) == ACCESS_ALLOWED) | |
1501 | return l->tos; | |
1502 | } | |
1503 | ||
1504 | return 0; | |
1505 | } | |
1506 | ||
1507 | /// Checks for a netfilter mark value to apply depending on the ACL | |
1508 | nfmark_t | |
1509 | aclMapNfmark(acl_nfmark * head, ACLChecklist * ch) | |
1510 | { | |
1511 | acl_nfmark *l; | |
1512 | ||
1513 | for (l = head; l; l = l->next) { | |
1514 | if (!l->aclList || ch->fastCheck(l->aclList) == ACCESS_ALLOWED) | |
1515 | return l->nfmark; | |
1516 | } | |
1517 | ||
1518 | return 0; | |
1519 | } | |
1520 | ||
1521 | void | |
1522 | getOutgoingAddress(HttpRequest * request, Comm::ConnectionPointer conn) | |
1523 | { | |
1524 | // skip if an outgoing address is already set. | |
1525 | if (!conn->local.isAnyAddr()) return; | |
1526 | ||
1527 | // ensure that at minimum the wildcard local matches remote protocol | |
1528 | if (conn->remote.isIPv4()) | |
1529 | conn->local.setIPv4(); | |
1530 | ||
1531 | // maybe use TPROXY client address | |
1532 | if (request && request->flags.spoofClientIp) { | |
1533 | if (!conn->getPeer() || !conn->getPeer()->options.no_tproxy) { | |
1534 | #if FOLLOW_X_FORWARDED_FOR && LINUX_NETFILTER | |
1535 | if (Config.onoff.tproxy_uses_indirect_client) | |
1536 | conn->local = request->indirect_client_addr; | |
1537 | else | |
1538 | #endif | |
1539 | conn->local = request->client_addr; | |
1540 | // some flags need setting on the socket to use this address | |
1541 | conn->flags |= COMM_DOBIND; | |
1542 | conn->flags |= COMM_TRANSPARENT; | |
1543 | return; | |
1544 | } | |
1545 | // else no tproxy today ... | |
1546 | } | |
1547 | ||
1548 | if (!Config.accessList.outgoing_address) { | |
1549 | return; // anything will do. | |
1550 | } | |
1551 | ||
1552 | ACLFilledChecklist ch(NULL, request, NULL); | |
1553 | ch.dst_peer = conn->getPeer(); | |
1554 | ch.dst_addr = conn->remote; | |
1555 | ||
1556 | // TODO use the connection details in ACL. | |
1557 | // needs a bit of rework in ACLFilledChecklist to use Comm::Connection instead of ConnStateData | |
1558 | ||
1559 | AclAddress *l; | |
1560 | for (l = Config.accessList.outgoing_address; l; l = l->next) { | |
1561 | ||
1562 | /* check if the outgoing address is usable to the destination */ | |
1563 | if (conn->remote.isIPv4() != l->addr.isIPv4()) continue; | |
1564 | ||
1565 | /* check ACLs for this outgoing address */ | |
1566 | if (!l->aclList || ch.fastCheck(l->aclList) == ACCESS_ALLOWED) { | |
1567 | conn->local = l->addr; | |
1568 | return; | |
1569 | } | |
1570 | } | |
1571 | } | |
1572 | ||
1573 | tos_t | |
1574 | GetTosToServer(HttpRequest * request) | |
1575 | { | |
1576 | ACLFilledChecklist ch(NULL, request, NULL); | |
1577 | return aclMapTOS(Ip::Qos::TheConfig.tosToServer, &ch); | |
1578 | } | |
1579 | ||
1580 | nfmark_t | |
1581 | GetNfmarkToServer(HttpRequest * request) | |
1582 | { | |
1583 | ACLFilledChecklist ch(NULL, request, NULL); | |
1584 | return aclMapNfmark(Ip::Qos::TheConfig.nfmarkToServer, &ch); | |
1585 | } |