Ss Squid request status (TCP_MISS etc)
Sh Squid hierarchy status (DEFAULT_PARENT etc)
+ SSL-related format codes:
+
+ ssl::bump_mode SslBump decision for the transaction:
+
+ For CONNECT requests that initiated bumping of
+ a connection and for any request received on
+ an already bumped connection, Squid logs the
+ corresponding SslBump mode ("server-first" or
+ "client-first"). See the ssl_bump option for
+ more information about these modes.
+
+ A "none" token is logged for requests that
+ triggered "ssl_bump" ACL evaluation matching
+ either a "none" rule or no rules at all.
+
+ In all other cases, a single dash ("-") is
+ logged.
+
If ICAP is enabled, the following code becomes available (as
well as ICAP log codes documented with the icap_log option):
// Require both a match and a positive bump mode to work around exceptional
// cases where ACL code may return ACCESS_ALLOWED with zero answer.kind.
if (answer == ACCESS_ALLOWED && answer.kind != Ssl::bumpNone) {
- debugs(33, 2, HERE << "sslBump done data: " << connState->clientConnection);
+ debugs(33, 2, HERE << "sslBump needed for " << connState->clientConnection);
+ connState->sslBumpMode = static_cast<Ssl::BumpMode>(answer.kind);
httpsEstablish(connState, NULL, (Ssl::BumpMode)answer.kind);
} else {
- // fake a CONNECT request to force connState to tunnel
+ debugs(33, 2, HERE << "sslBump not needed for " << connState->clientConnection);
+ connState->sslBumpMode = Ssl::bumpNone;
- debugs(33, 2, HERE << " SslBump denied: " << connState->clientConnection << " revert to tunnel mode");
+ // fake a CONNECT request to force connState to tunnel
static char ip[MAX_IPSTRLEN];
static char reqStr[MAX_IPSTRLEN + 80];
connState->clientConnection->local.NtoA(ip, sizeof(ip));
ConnStateData::ConnStateData() :
AsyncJob("ConnStateData"),
#if USE_SSL
+ sslBumpMode(Ssl::bumpEnd),
switchedToHttps_(false),
sslServerBump(NULL),
#endif
request_satisfaction_mode = false;
#endif
#if USE_SSL
- sslBumpNeed = Ssl::bumpEnd;
+ sslBumpNeed_ = Ssl::bumpEnd;
#endif
}
bool
ClientRequestContext::sslBumpAccessCheck()
{
- if (http->request->method == METHOD_CONNECT &&
- !http->request->flags.spoof_client_ip && // not a fake bumped request from an https port
- Config.accessList.ssl_bump && http->getConn()->port->sslBump) {
- debugs(85, 5, HERE << "SslBump possible, checking ACL");
+ // If SSL connection tunneling or bumping decision has been made, obey it.
+ const Ssl::BumpMode bumpMode = http->getConn()->sslBumpMode;
+ if (bumpMode != Ssl::bumpEnd) {
+ debugs(85, 5, HERE << "SslBump already decided (" << bumpMode <<
+ "), " << "ignoring ssl_bump for " << http->getConn());
+ http->al.ssl.bumpMode = bumpMode; // inherited from bumped connection
+ return false;
+ }
- ACLFilledChecklist *acl_checklist = clientAclChecklistCreate(Config.accessList.ssl_bump, http);
- acl_checklist->nonBlockingCheck(sslBumpAccessCheckDoneWrapper, this);
- return true;
- } else {
- http->sslBumpNeeded(Ssl::bumpNone);
+ // If we have not decided yet, decide whether to bump now.
+
+ // Bumping here can only start with a CONNECT request on a bumping port
+ // (bumping of intercepted SSL conns is decided before we get 1st request).
+ // We also do not bump redirected CONNECT requests.
+ if (http->request->method != METHOD_CONNECT || http->redirect.status ||
+ !Config.accessList.ssl_bump || !http->getConn()->port->sslBump) {
+ http->al.ssl.bumpMode = Ssl::bumpEnd; // SslBump does not apply; log -
+ debugs(85, 5, HERE << "cannot SslBump this request");
return false;
}
+
+ // Do not bump during authentication: clients would not proxy-authenticate
+ // if we delay a 407 response and respond with 200 OK to CONNECT.
+ if (error && error->httpStatus == HTTP_PROXY_AUTHENTICATION_REQUIRED) {
+ http->al.ssl.bumpMode = Ssl::bumpEnd; // SslBump does not apply; log -
+ debugs(85, 5, HERE << "no SslBump during proxy authentication");
+ return false;
+ }
+
+ debugs(85, 5, HERE << "SslBump possible, checking ACL");
+
+ ACLFilledChecklist *acl_checklist = clientAclChecklistCreate(Config.accessList.ssl_bump, http);
+ acl_checklist->nonBlockingCheck(sslBumpAccessCheckDoneWrapper, this);
+ return true;
}
/**
if (!httpStateIsValid())
return;
- if (answer == ACCESS_ALLOWED)
- http->sslBumpNeeded(static_cast<Ssl::BumpMode>(answer.kind));
- else
- http->sslBumpNeeded(Ssl::bumpNone);
+ const Ssl::BumpMode bumpMode = answer == ACCESS_ALLOWED ?
+ static_cast<Ssl::BumpMode>(answer.kind) : Ssl::bumpNone;
+ http->sslBumpNeed(bumpMode); // for processRequest() to bump if needed
+ http->al.ssl.bumpMode = bumpMode; // for logging
http->doCallouts();
}
#if USE_SSL
-Ssl::BumpMode
-ClientHttpRequest::sslBumpNeeded() const
-{
- assert(sslBumpNeed != Ssl::bumpEnd);
- return sslBumpNeed;
-}
-
void
-ClientHttpRequest::sslBumpNeeded(Ssl::BumpMode mode)
+ClientHttpRequest::sslBumpNeed(Ssl::BumpMode mode)
{
debugs(83, 3, HERE << "sslBump required: "<< Ssl::bumpMode(mode));
- sslBumpNeed = mode;
+ sslBumpNeed_ = mode;
}
// called when comm_write has completed
getConn()->auth_user_request = request->auth_user_request;
#endif
- getConn()->switchToHttps(request, sslBumpNeeded());
+ assert(sslBumpNeeded());
+ getConn()->switchToHttps(request, sslBumpNeed_);
}
void
ClientHttpRequest::sslBumpStart()
{
- debugs(85, 5, HERE << "Confirming CONNECT tunnel on FD " << getConn()->clientConnection);
- // send an HTTP 200 response to kick client SSL negotiation
- debugs(33, 7, HERE << "Confirming CONNECT tunnel on FD " << getConn()->clientConnection);
+ debugs(85, 5, HERE << "Confirming " << Ssl::bumpMode(sslBumpNeed_) <<
+ "-bumped CONNECT tunnel on FD " << getConn()->clientConnection);
+ getConn()->sslBumpMode = sslBumpNeed_;
+ // send an HTTP 200 response to kick client SSL negotiation
// TODO: Unify with tunnel.cc and add a Server(?) header
static const char *const conn_established = "HTTP/1.1 200 Connection established\r\n\r\n";
AsyncCall::Pointer call = commCbCall(85, 5, "ClientSocketContext::sslBumpEstablish",
const char *uri = urlCanonical(request);
StoreEntry *e= storeCreateEntry(uri, uri, request->flags, request->method);
#if USE_SSL
- if (sslBumpNeeded() &&
- calloutContext->error->httpStatus != HTTP_PROXY_AUTHENTICATION_REQUIRED) {
+ if (sslBumpNeeded()) {
// set final error but delay sending until we bump
Ssl::ServerBump *srvBump = new Ssl::ServerBump(request, e);
errorAppendEntry(e, calloutContext->error);
projects / thirdparty / squid.git / commitdiff
