if (auth_user_request != NULL) {
/* the filled_checklist lock */
auth_user_request = NULL;
- /* it might have been connection based */
- if (conn()) {
+ // It might have been connection based
+ // In the case of sslBump we need to preserve authentication info
+ if (conn() && !conn()->switchedToHttps()) {
conn()->auth_user_request = NULL;
}
}
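Review bot: The new guard `conn() && !conn()->switchedToHttps()` leaves the connection's `auth_user_request` set for the whole bumped connection, but neither comment says where that reference is finally released or whether the credentials are ever re-checked. I would extend the comment along the lines of `// sslBump: requests decrypted from the tunnel cannot be challenged again, so the credentials kept on the connection must outlive this checklist`, and name the code that drops them. The added lines also use `//` while the comment just above keeps `/* */`; one form within the block would read better.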
if (NULL == request) {
fatal ("requiresRequest SHOULD have been true for this ACL!!");
return ACCESS_DENIED;
+ } else if (request->flags.sslBumped) {
+ debugs(28, 5, "SslBumped request: It is an encapsulated request do not authenticate");
+ checklist->auth_user_request = checklist->conn() != NULL ? checklist->conn()->auth_user_request : request->auth_user_request;
+ if (checklist->auth_user_request != NULL)
+ return ACCESS_ALLOWED;
+ else
+ return ACCESS_DENIED;
} else if (request->flags.accelerated) {
/* WWW authorization on accelerated requests */
headertype = HDR_AUTHORIZATION;
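Review bot: The sslBumped branch returns ACCESS_ALLOWED for any non-NULL `auth_user_request`, so a pointer inherited from the connection is treated as proof of authentication without looking at its state. Nothing in the hunk confirms that the inherited request actually completed authentication or that its credentials are still valid since the CONNECT. If the auth request type exposes such a state check, it should gate the ALLOWED result, otherwise a long-lived bumped connection keeps access after the credentials would have been rejected. The debug text says "do not authenticate" although the branch does make an access decision; something like `"SslBumped request: reusing credentials from CONNECT"` would describe it better. The else-if chain continues outside the hunk.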
request->flags.sslBumped = conn->switchedToHttps();
request->flags.ignore_cc = conn->port->ignore_cc;
request->flags.no_direct = request->flags.accelerated ? !conn->port->allow_direct : 0;
+#if USE_AUTH
+ if (request->flags.sslBumped) {
+ if (conn->auth_user_request != NULL)
+ request->auth_user_request = conn->auth_user_request;
+ }
+#endif
/** \par
* If transparent or interception mode is working clone the transparent and interception flags
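Review bot: The added `#if USE_AUTH` block has no comment explaining why a bumped request takes its credentials from the connection, and the two nested `if`s test one combined condition. I would write it as `if (request->flags.sslBumped && conn->auth_user_request != NULL)` with a comment such as `// sslBump: bumped requests inherit the credentials stored on the connection at CONNECT time`. Because the copied pointer is what the ACL code later trusts, it is worth stating here that no validation happens at this point.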
if (auth_challenge) {
#if USE_AUTH
- if (!http->flags.accel) {
+ if (http->request->flags.sslBumped) {
+ /*SSL Bumped request, authentication is not possible*/
+ status = HTTP_FORBIDDEN;
+ } else if (!http->flags.accel) {
/* Proxy authorisation needed */
status = HTTP_PROXY_AUTHENTICATION_REQUIRED;
} else {
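Review bot: The new first branch dereferences `http->request` where the old code read only `http->flags`, and the hunk shows no check that the request pointer is set when a challenge is being generated; worth confirming that it always is on this path. The comment `/*SSL Bumped request, authentication is not possible*/` would help more if it gave the reason, e.g. `/* sslBump: a 407 challenge cannot be sent inside the bumped tunnel, so deny instead */` (wording assumes that is the reason). A client whose inherited credentials are missing gets a 403 with no way to re-authenticate on that connection, so this denial deserves a log line that distinguishes it from an ordinary ACL 403. The if/else chain continues outside the hunk.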
return;
}
+#if USE_AUTH
+ // Preserve authentication info for the ssl-bumped request
+ if (request->auth_user_request != NULL)
+ getConn()->auth_user_request = request->auth_user_request;
+#endif
getConn()->switchToHttps(request->GetHost());
}
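Review bot: The copy before `switchToHttps()` runs only when the CONNECT request carries credentials, so when it does not, whatever `auth_user_request` the connection already holds stays in place and is what later bumped requests inherit. If bumped requests are meant to carry exactly the CONNECT's identity, assign unconditionally, `getConn()->auth_user_request = request->auth_user_request;`, so a CONNECT without credentials clears the connection-level value. If keeping an earlier connection-based credential is intended, the comment should say so. The function body starts outside the hunk.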