Bug 3478: workaround: better default handling without -DSTRICT_ORIGINAL_DST
authorAmos Jeffries <squid3@treenet.co.nz>
Fri, 10 Aug 2012 02:41:14 +0000 (14:41 +1200)
committerAmos Jeffries <squid3@treenet.co.nz>
Fri, 10 Aug 2012 02:41:14 +0000 (14:41 +1200)
This extends the -DSTRICT_ORIGINAL_DST compile-time flag to include the
logics listing ORIGINAL_DST as first preferred destination.

This makes ORIGINAL_DST a swap-in replacement for DIRECT and allows the
never_direct, always_direct and prefer_direct configuration directives to apply to it.

src/cf.data.pre
src/forward.cc
src/forward.h

index 6347c4b0e0ebe691e8f8bf29ddc3cce90b83b431..b268f5c61a1e0041fe8dced21912440543af4216 100644 (file)
@@ -1920,7 +1920,7 @@ DOC_START
                 * Reverse-proxy traffic is not checked at all.
        
                 * Intercepted traffic which passes verification is handled
-                  normally.
+                  according to client_dst_passthru.
        
                 * Intercepted requests which fail verification are sent
                   to the client original destination instead of DIRECT.
index d244da344bc8bde58fe8e297efcb420c677e7e4d..c4b69950b8ba5cd811d4c1361a87735dd0c68367 100644 (file)
@@ -127,6 +127,7 @@ void FwdState::start(Pointer aSelf)
 
     entry->registerAbort(FwdState::abort, this);
 
+#if STRICT_ORIGINAL_DST
     // Bug 3243: CVE 2009-0801
     // Bypass of browser same-origin access control in intercepted communication
     // To resolve this we must force DIRECT and only to the original client destination.
@@ -134,17 +135,18 @@ void FwdState::start(Pointer aSelf)
     const bool useOriginalDst = Config.onoff.client_dst_passthru || (request && !request->flags.hostVerified);
     if (isIntercepted && useOriginalDst) {
         selectPeerForIntercepted();
-#if STRICT_ORIGINAL_DST
         // 3.2 does not suppro re-wrapping inside CONNECT.
         // our only alternative is to fake destination "found" and continue with the forwarding.
         startConnectionOrFail();
         return;
-#endif
     }
+#endif
+
     // do full route options selection
     peerSelect(&serverDestinations, request, entry, fwdPeerSelectionCompleteWrapper, this);
 }
 
+#if STRICT_ORIGINAL_DST
 /// bypasses peerSelect() when dealing with intercepted requests
 void
 FwdState::selectPeerForIntercepted()
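Review bot: With the new `#endif` placed before the peerSelect() call, default builds (no -DSTRICT_ORIGINAL_DST) no longer evaluate `useOriginalDst` at all, so an intercepted request whose Host header failed verification (`!request->flags.hostVerified`) now goes straight into full peer selection, and the CVE-2009-0801 / Bug 3243 protection described in the preceding hunk's comment rests entirely on peer selection preferring ORIGINAL_DST for such requests, which this diff does not show. That dependency should be stated next to the call so a later change to peer selection cannot silently reopen the same-origin bypass: `// Without STRICT_ORIGINAL_DST, unverified intercepted requests (and client_dst_passthru) rely on peerSelect() trying ORIGINAL_DST first; see Bug 3243 / CVE-2009-0801.` The `#if STRICT_ORIGINAL_DST` closed by this `#endif` is opened in the preceding hunk, and the opening lines of FwdState::start() are outside this hunk.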
@@ -172,6 +174,7 @@ FwdState::selectPeerForIntercepted()
     debugs(17, 3, HERE << "using client original destination: " << *p);
     serverDestinations.push_back(p);
 }
+#endif
 
 void
 FwdState::completed()
index fde9b75bfc6dba7afb7936efc148ad7d88e4b2b5..f2d0fbf2fc8f557577aa90e2bc46636a079a81c6 100644 (file)
@@ -74,7 +74,9 @@ private:
     FwdState(const Comm::ConnectionPointer &client, StoreEntry *, HttpRequest *, const AccessLogEntryPointer &alp);
     void start(Pointer aSelf);
 
+#if STRICT_ORIGINAL_DST
     void selectPeerForIntercepted();
+#endif
     static void logReplyStatus(int tries, http_status status);
     void doneWithRetries();
     void completed();