parse_port_option(s, token);
}
+#if USE_SSL
+ if (strcasecmp(protocol, "https") == 0) {
+ /* ssl-bump on https_port configuration requires either tproxy or intercepted, and vice versa */
+ const bool hijacked = s->spoof_client_ip || s->intercepted;
+ if (s->sslBump && !hijacked) {
+ debugs(3, DBG_CRITICAL, "FATAL: ssl-bump on https_port requires tproxy/intercepted which is missing.");
+ self_destruct();
+ }
+ if (hijacked && !s->sslBump) {
+ debugs(3, DBG_CRITICAL, "FATAL: tproxy/intercepted on https_port requires ssl-bump which is missing.");
+ self_destruct();
+ }
+ }
+#endif
+
if (Ip::EnableIpv6&IPV6_SPECIAL_SPLITSTACK && s->s.IsAnyAddr()) {
// clone the port options from *s to *(s->next)
- s->next = s->clone();
+ s->next = cbdataReference(s->clone());
s->next->s.SetIPv4();
debugs(3, 3, protocol << "_port: clone wildcard address for split-stack: " << s->s << " and " << s->next->s);
}
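Review bot: The `cbdataReference(s->clone())` on the split-stack path takes a cbdata lock on the cloned port, and no matching release is visible in these lines. The code that frees the port list is outside the hunk, so confirm it calls `cbdataReferenceDone()` on each `next` link; otherwise the cloned entry may stay locked after the list is torn down. A one-line comment at the assignment naming the function that releases this reference would make the pairing auditable. The enclosing function starts before and ends after the lines shown here.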
if (serverConnection()->getPeer())
peerConnectSucceded(serverConnection()->getPeer());
+ if (request->flags.canRePin && request->clientConnectionManager.valid()) {
+ debugs(17, 3, HERE << "repinning " << serverConn);
+ request->clientConnectionManager->pinConnection(serverConn,
+ request, serverConn->getPeer(), request->flags.auth);
+ request->flags.pinned = 1;
+ }
+
#if USE_SSL
- if ((serverConnection()->getPeer() && serverConnection()->getPeer()->use_ssl) ||
- (!serverConnection()->getPeer() && request->protocol == AnyP::PROTO_HTTPS) ||
- (request->flags.sslPeek)) {
- initiateSSL();
- return;
+ if (!request->flags.pinned) {
+ if ((serverConnection()->getPeer() && serverConnection()->getPeer()->use_ssl) ||
- (!serverConnection()->getPeer() && request->protocol == AnyP::PROTO_HTTPS)) {
++ (!serverConnection()->getPeer() && request->protocol == AnyP::PROTO_HTTPS) ||
++ request->flags.sslPeek) {
+ initiateSSL();
+ return;
+ }
}
#endif
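Review bot: A re-pinned connection never reaches `initiateSSL()`, because the added block sets `request->flags.pinned = 1` immediately before the new `if (!request->flags.pinned)` guard. The `serverConn` being re-pinned appears to be the connection that has just been established, with no TLS handshake visible on it before this point. For an SSL peer, an HTTPS origin or an sslPeek request the code therefore falls through past `#endif` without a handshake; what follows is outside the hunk, but if it dispatches the request, traffic meant for TLS would be sent in clear text or fail. Keep the re-pin decision in a local, `const bool rePin = request->flags.canRePin && request->clientConnectionManager.valid();`, and test `if (!request->flags.pinned || rePin)` so that only connections pinned earlier skip the handshake. The enclosing function starts and ends outside the hunk.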