// Because it failed verification, or someone bypassed the security tests
// we cannot cache the reponse for sharing between clients.
// TODO: update cache to store for particular clients only (going to same Host: and destination IP)
- if (!flags.hostVerified && (flags.intercepted || flags.spoof_client_ip))
+ if (!flags.hostVerified && (flags.intercepted || flags.spoofClientIp))
return false;
if (protocol == AnyP::PROTO_HTTP)
#include "RequestFlags.h"
+// When adding new flags, please update cloneAdaptationImmune() as needed.
+// returns a partial copy of the flags that includes only those flags
+// that are safe for a related (e.g., ICAP-adapted) request to inherit
RequestFlags
RequestFlags::cloneAdaptationImmune() const
{
*
*/
+/** request-related flags
+ *
+ * The bit-field contains both flags marking a request's current state,
+ * and flags requesting some processing to be done at a later stage.
+ * TODO: better distinguish the two cases.
+ */
class RequestFlags
{
public:
memset(this,0,sizeof(RequestFlags));
}
- bool nocache :1; ///< whether the response to this request may be READ from cache
+ /** true if the response to this request may not be READ from cache */
+ bool noCache :1;
+ /** request is if-modified-since */
bool ims :1;
+ /** request is authenticated */
bool auth :1;
- bool cachable :1; ///< whether the response to thie request may be stored in the cache
+ /** he response to the request may be stored in the cache */
+ bool cachable :1;
+ /** the request can be forwarded through the hierarchy */
bool hierarchical :1;
- bool loopdetect :1;
- bool proxy_keepalive :1;
- bool proxying :1; /* this should be killed, also in httpstateflags */
+ /** a loop was detected on this request */
+ bool loopDetected :1;
+ /** the connection can be kept alive */
+ bool proxyKeepalive :1;
+ /* this should be killed, also in httpstateflags */
+ bool proxying :1;
+ /** content has expired, need to refresh it */
bool refresh :1;
+ /** request was redirected by redirectors */
bool redirected :1;
- bool need_validation :1;
- bool fail_on_validation_err :1; ///< whether we should fail if validation fails
- bool stale_if_hit :1; ///< reply is stale if it is a hit
-#if USE_HTTP_VIOLATIONS
- /* for changing/ignoring no-cache requests */
- /* TODO: remove the conditional definition, move ifdef to setter */
- bool nocache_hack :1;
-#endif
+ /** the requested object needs to be validated. See client_side_reply.cc
+ * for further information.
+ */
+ bool needValidation :1;
+ /** whether we should fail if validation fails */
+ bool failOnValidationError :1;
+ /** reply is stale if it is a hit */
+ bool staleIfHit :1;
+ /** request to override no-cache directives
+ *
+ * always use noCacheHack() for reading.
+ * \note only meaningful if USE_HTTP_VIOLATIONS is defined at build time
+ */
+ bool nocacheHack :1;
+ /** this request is accelerated (reverse-proxy) */
bool accelerated :1;
- bool ignore_cc :1;
- bool intercepted :1; ///< intercepted request
- bool hostVerified :1; ///< whether the Host: header passed verification
- bool spoof_client_ip :1; /**< spoof client ip if possible */
+ /** if set, ignore Cache-Control headers */
+ bool ignoreCc :1;
+ /** set for intercepted requests */
+ bool intercepted :1;
+ /** set if the Host: header passed verification */
+ bool hostVerified :1;
+ /** request to spoof the client ip */
+ bool spoofClientIp :1;
+ /** set if the request is internal (\see ClientHttpRequest::flags.internal)*/
bool internal :1;
- bool internalclient :1;
- bool must_keepalive :1;
- bool connection_auth :1; /** Request wants connection oriented auth */
- bool connection_auth_disabled :1; /** Connection oriented auth can not be supported */
- bool connection_proxy_auth :1; /** Request wants connection oriented auth */
- bool pinned :1; /* Request sent on a pinned connection */
- bool canRePin :1; ///< OK to reopen a failed pinned connection
- bool auth_sent :1; /* Authentication forwarded */
- bool no_direct :1; /* Deny direct forwarding unless overriden by always_direct. Used in accelerator mode */
- bool chunked_reply :1; /**< Reply with chunked transfer encoding */
- bool stream_error :1; /**< Whether stream error has occured */
- bool sslPeek :1; ///< internal ssl-bump request to get server cert
- /* done_follow_x_forwarded_for set by default to the opposite of
- * compilation option FOLLOW_X_FORWARDED_FOR (so that it returns
- * always "done" if the build option is disabled.
+ /** set for internally-generated requests */
+ //XXX this is set in in clientBeginRequest, but never tested.
+ bool internalClient :1;
+ /** if set, request to try very hard to keep the connection alive */
+ bool mustKeepalive :1;
+ /** set if the rquest wants connection oriented auth */
+ bool connectionAuth :1;
+ /** set if connection oriented auth can not be supported */
+ bool connectionAuthDisabled :1;
+ /** Request wants connection oriented auth */
+ // XXX This is set in clientCheckPinning but never tested
+ bool connectionProxyAuth :1;
+ /** set if the request was sent on a pinned connection */
+ bool pinned :1;
+ /** OK to reopen a failed pinned connection */
+ bool canRePin :1;
+ /** Authentication was already sent upstream (e.g. due tcp-level auth) */
+ bool authSent :1;
+ /** Deny direct forwarding unless overriden by always_direct
+ * Used in accelerator mode */
+ bool noDirect :1;
+ /** Reply with chunked transfer encoding */
+ bool chunkedReply :1;
+ /** set if stream error has occured */
+ bool streamError :1;
+ /** internal ssl-bump request to get server cert */
+ bool sslPeek :1;
+ /** set if X-Forwarded-For checking is complete
+ *
+ * do not read directly; use doneFollowXff for reading
*/
bool done_follow_x_forwarded_for :1;
- bool sslBumped_ :1; /**< ssl-bumped request*/
- bool destinationIPLookedUp_:1;
- bool resetTCP_:1; ///< request to reset the TCP stream
- bool isRanged_ :1;
+ /** set for ssl-bumped requests */
+ bool sslBumped :1;
+ bool destinationIpLookedUp:1;
+ /** request to reset the TCP stream */
+ bool resetTcp:1;
+ /** set if the request is ranged */
+ bool isRanged :1;
- // When adding new flags, please update cloneAdaptationImmune() as needed.
- // returns a partial copy of the flags that includes only those flags
- // that are safe for a related (e.g., ICAP-adapted) request to inherit
+ /** clone the flags, resetting to default those which are not safe in
+ * a related (e.g. ICAP-adapted) request.
+ */
RequestFlags cloneAdaptationImmune() const;
// if FOLLOW_X_FORWARDED_FOR is not set, we always return "done".
bool doneFollowXff() const {
return done_follow_x_forwarded_for || !FOLLOW_X_FORWARDED_FOR;
}
+
+ // if USE_HTTP_VIOLATIONS is not set, never allow this
+ bool noCacheHack() const {
+ return USE_HTTP_VIOLATIONS && nocacheHack;
+ }
};
#endif /* SQUID_REQUESTFLAGS_H_ */
return 0;
- } else if (!checklist->request->flags.destinationIPLookedUp_) {
+ } else if (!checklist->request->flags.destinationIpLookedUp) {
/* No entry in cache, lookup not attempted */
/* XXX FIXME: allow accessing the acl name here */
debugs(28, 3, "asnMatchAcl: Can't yet compare '" << "unknown" /*name*/ << "' ACL for '" << checklist->request->GetHost() << "'");
// To resolve this we will force DIRECT and only to the original client destination.
// In which case, we also need this ACL to accurately match the destination
if (Config.onoff.client_dst_passthru && checklist->request &&
- (checklist->request->flags.intercepted || checklist->request->flags.spoof_client_ip)) {
+ (checklist->request->flags.intercepted || checklist->request->flags.spoofClientIp)) {
assert(checklist->conn() && checklist->conn()->clientConnection != NULL);
return ACLIP::match(checklist->conn()->clientConnection->local);
}
}
return 0;
- } else if (!checklist->request->flags.destinationIPLookedUp_) {
+ } else if (!checklist->request->flags.destinationIpLookedUp) {
/* No entry in cache, lookup not attempted */
debugs(28, 3, "aclMatchAcl: Can't yet compare '" << name << "' ACL for '" << checklist->request->GetHost() << "'");
checklist->changeState (DestinationIPLookup::Instance());
{
ACLFilledChecklist *checklist = Filled((ACLChecklist*)data);
assert (checklist->asyncState() == DestinationIPLookup::Instance());
- checklist->request->flags.destinationIPLookedUp_=true;
+ checklist->request->flags.destinationIpLookedUp=true;
checklist->request->recordLookup(details);
checklist->asyncInProgress(false);
checklist->changeState (ACLChecklist::NullState::Instance());
if (NULL == request) {
fatal ("requiresRequest SHOULD have been true for this ACL!!");
return ACCESS_DENIED;
- } else if (request->flags.sslBumped_) {
+ } else if (request->flags.sslBumped) {
debugs(28, 5, "SslBumped request: It is an encapsulated request do not authenticate");
checklist->auth_user_request = checklist->conn() != NULL ? checklist->conn()->auth_user_request : request->auth_user_request;
if (checklist->auth_user_request != NULL)
} else if (request->flags.accelerated) {
/* WWW authorization on accelerated requests */
headertype = HDR_AUTHORIZATION;
- } else if (request->flags.intercepted || request->flags.spoof_client_ip) {
+ } else if (request->flags.intercepted || request->flags.spoofClientIp) {
debugs(28, DBG_IMPORTANT, "NOTICE: Authentication not applicable on intercepted requests.");
return ACCESS_DENIED;
} else {
++arg;
}
safe_free(lm_request->server_blob);
- lm_request->request->flags.must_keepalive = 1;
- if (lm_request->request->flags.proxy_keepalive) {
+ lm_request->request->flags.mustKeepalive = 1;
+ if (lm_request->request->flags.proxyKeepalive) {
lm_request->server_blob = xstrdup(blob);
auth_user_request->user()->credentials(Auth::Handshake);
auth_user_request->denyMessage("Authentication in progress");
return;
/* Need keep-alive */
- if (!request->flags.proxy_keepalive && request->flags.must_keepalive)
+ if (!request->flags.proxyKeepalive && request->flags.mustKeepalive)
return;
/* New request, no user details */
if (!keep_alive) {
/* drop the connection */
rep->header.delByName("keep-alive");
- request->flags.proxy_keepalive = 0;
+ request->flags.proxyKeepalive = 0;
}
} else {
Auth::Negotiate::UserRequest *negotiate_request = dynamic_cast<Auth::Negotiate::UserRequest *>(auth_user_request.getRaw());
/* here it makes sense to drop the connection, as auth is
* tied to it, even if MAYBE the client could handle it - Kinkie */
rep->header.delByName("keep-alive");
- request->flags.proxy_keepalive = 0;
+ request->flags.proxyKeepalive = 0;
/* fall through */
case Auth::Ok:
if (strncasecmp(reply, "TT ", 3) == 0) {
/* we have been given a blob to send to the client */
safe_free(lm_request->server_blob);
- lm_request->request->flags.must_keepalive = 1;
- if (lm_request->request->flags.proxy_keepalive) {
+ lm_request->request->flags.mustKeepalive = 1;
+ if (lm_request->request->flags.proxyKeepalive) {
lm_request->server_blob = xstrdup(blob);
auth_user_request->user()->credentials(Auth::Handshake);
auth_user_request->denyMessage("Authentication in progress");
return;
/* Need keep-alive */
- if (!request->flags.proxy_keepalive && request->flags.must_keepalive)
+ if (!request->flags.proxyKeepalive && request->flags.mustKeepalive)
return;
/* New request, no user details */
if (!keep_alive) {
/* drop the connection */
- request->flags.proxy_keepalive = 0;
+ request->flags.proxyKeepalive = 0;
}
} else {
Auth::Ntlm::UserRequest *ntlm_request = dynamic_cast<Auth::Ntlm::UserRequest *>(auth_user_request.getRaw());
case Auth::Failed:
/* here it makes sense to drop the connection, as auth is
* tied to it, even if MAYBE the client could handle it - Kinkie */
- request->flags.proxy_keepalive = 0;
+ request->flags.proxyKeepalive = 0;
/* fall through */
case Auth::Ok:
}
/**
- * clientSetKeepaliveFlag() sets request->flags.proxy_keepalive.
+ * clientSetKeepaliveFlag() sets request->flags.proxyKeepalive.
* This is the client-side persistent connection flag. We need
* to set this relatively early in the request processing
* to handle hacks for broken servers and clients.
RequestMethodStr(request->method));
// TODO: move to HttpRequest::hdrCacheInit, just like HttpReply.
- request->flags.proxy_keepalive = request->persistent() ? 1 : 0;
+ request->flags.proxyKeepalive = request->persistent() ? 1 : 0;
}
static int
{
assert(rep == NULL);
- if (!multipartRangeRequest() && !http->request->flags.chunked_reply) {
+ if (!multipartRangeRequest() && !http->request->flags.chunkedReply) {
size_t length = lengthToSend(bodyData.range());
noteSentBodyBytes (length);
AsyncCall::Pointer call = commCbCall(33, 5, "clientWriteBodyComplete",
if (bodyData.data && bodyData.length) {
if (multipartRangeRequest())
packRange(bodyData, mb);
- else if (http->request->flags.chunked_reply) {
+ else if (http->request->flags.chunkedReply) {
packChunk(bodyData, *mb);
} else {
size_t length = lengthToSend(bodyData.range());
// After sending Transfer-Encoding: chunked (at least), always send
// the last-chunk if there was no error, ignoring responseFinishedOrFailed.
- const bool mustSendLastChunk = http->request->flags.chunked_reply &&
- !http->request->flags.stream_error && !context->startOfOutput();
+ const bool mustSendLastChunk = http->request->flags.chunkedReply &&
+ !http->request->flags.streamError && !context->startOfOutput();
if (responseFinishedOrFailed(rep, receivedData) && !mustSendLastChunk) {
context->writeComplete(context->clientConnection, NULL, 0, COMM_OK);
PROF_stop(clientSocketRecipient);
debugs(33, 5, HERE << "Range request at end of returnable " <<
"range sequence on " << clientConnection);
- if (http->request->flags.proxy_keepalive)
+ if (http->request->flags.proxyKeepalive)
return STREAM_COMPLETE;
else
return STREAM_UNPLANNED_COMPLETE;
// did we get at least what we expected, based on range specs?
if (bytesSent == bytesExpected) { // got everything
- if (http->request->flags.proxy_keepalive)
+ if (http->request->flags.proxyKeepalive)
return STREAM_COMPLETE;
else
return STREAM_UNPLANNED_COMPLETE;
// expected why would persistency matter? Should not this
// always be an error?
if (bytesSent > bytesExpected) { // got extra
- if (http->request->flags.proxy_keepalive)
+ if (http->request->flags.proxyKeepalive)
return STREAM_COMPLETE;
else
return STREAM_UNPLANNED_COMPLETE;
// at the client-side, but many such errors do require closure and the
// client-side code is bad at handling errors so we play it safe.
if (request)
- request->flags.proxy_keepalive = 0;
+ request->flags.proxyKeepalive = 0;
flags.readMore = false;
debugs(33,4, HERE << "Will close after error: " << clientConnection);
}
request->clientConnectionManager = conn;
request->flags.accelerated = http->flags.accel;
- request->flags.sslBumped_=conn->switchedToHttps();
- request->flags.canRePin = request->flags.sslBumped_ && conn->pinning.pinned;
- request->flags.ignore_cc = conn->port->ignore_cc;
+ request->flags.sslBumped=conn->switchedToHttps();
+ request->flags.canRePin = request->flags.sslBumped && conn->pinning.pinned;
+ request->flags.ignoreCc = conn->port->ignore_cc;
// TODO: decouple http->flags.accel from request->flags.sslBumped
- request->flags.no_direct = (request->flags.accelerated && !request->flags.sslBumped_) ?
+ request->flags.noDirect = (request->flags.accelerated && !request->flags.sslBumped) ?
!conn->port->allow_direct : 0;
#if USE_AUTH
- if (request->flags.sslBumped_) {
+ if (request->flags.sslBumped) {
if (conn->auth_user_request != NULL)
request->auth_user_request = conn->auth_user_request;
}
*/
if (http->clientConnection != NULL) {
request->flags.intercepted = ((http->clientConnection->flags & COMM_INTERCEPTION) != 0);
- request->flags.spoof_client_ip = ((http->clientConnection->flags & COMM_TRANSPARENT) != 0 ) ;
+ request->flags.spoofClientIp = ((http->clientConnection->flags & COMM_TRANSPARENT) != 0 ) ;
}
if (internalCheck(request->urlpath.termedBuf())) {
* be freed and the above connNoteUseOfBuffer() would hit an
* assertion, not to mention that we were accessing freed memory.
*/
- if (request && request->flags.resetTCP_ && Comm::IsConnOpen(conn->clientConnection)) {
+ if (request && request->flags.resetTcp && Comm::IsConnOpen(conn->clientConnection)) {
debugs(33, 3, HERE << "Sending TCP RST on " << conn->clientConnection);
conn->flags.readMore = false;
comm_reset_close(conn->clientConnection);
fakeRequest->indirect_client_addr = connState->clientConnection->remote;
#endif
fakeRequest->my_addr = connState->clientConnection->local;
- fakeRequest->flags.spoof_client_ip = ((connState->clientConnection->flags & COMM_TRANSPARENT) != 0 ) ;
+ fakeRequest->flags.spoofClientIp = ((connState->clientConnection->flags & COMM_TRANSPARENT) != 0 ) ;
fakeRequest->flags.intercepted = ((connState->clientConnection->flags & COMM_INTERCEPTION) != 0);
debugs(33, 4, HERE << details << " try to generate a Dynamic SSL CTX");
connState->switchToHttps(fakeRequest, bumpMode);
{
if (errstate->httpStatus == HTTP_NOT_IMPLEMENTED && http->request)
/* prevent confusion over whether we default to persistent or not */
- http->request->flags.proxy_keepalive = 0;
+ http->request->flags.proxyKeepalive = 0;
http->al->http.code = errstate->httpStatus;
// origin replied 304
if (status == HTTP_NOT_MODIFIED) {
http->logType = LOG_TCP_REFRESH_UNMODIFIED;
- http->request->flags.stale_if_hit = 0; // old_entry is no longer stale
+ http->request->flags.staleIfHit = 0; // old_entry is no longer stale
// update headers on existing entry
old_rep->updateOnNotModified(http->storeEntry()->getReply());
}
// origin replied with an error
- else if (http->request->flags.fail_on_validation_err) {
+ else if (http->request->flags.failOnValidationError) {
http->logType = LOG_TCP_REFRESH_FAIL_ERR;
debugs(88, 3, "handleIMSReply: origin replied with error " << status <<
", forwarding to client due to fail_on_validation_err");
}
if (e->checkNegativeHit()
-#if USE_HTTP_VIOLATIONS
- && !r->flags.nocache_hack
-#endif
+ && !r->flags.noCacheHack()
) {
http->logType = LOG_TCP_NEGATIVE_HIT;
sendMoreData(result);
* We hold a stale copy; it needs to be validated
*/
/*
- * The 'need_validation' flag is used to prevent forwarding
+ * The 'needValidation' flag is used to prevent forwarding
* loops between siblings. If our copy of the object is stale,
* then we should probably only use parents for the validation
* request. Otherwise two siblings could generate a loop if
* both have a stale version of the object.
*/
- r->flags.need_validation = 1;
+ r->flags.needValidation = 1;
if (e->lastmod < 0) {
/*
*/
http->logType = LOG_TCP_MISS;
processMiss();
- } else if (r->flags.nocache) {
+ } else if (r->flags.noCache) {
/*
* This did not match a refresh pattern that overrides no-cache
* we should honour the client no-cache header.
}
/// Deny loops
- if (r->flags.loopdetect) {
+ if (r->flags.loopDetected) {
http->al->http.code = HTTP_FORBIDDEN;
err = clientBuildError(ERR_ACCESS_DENIED, HTTP_FORBIDDEN, NULL, http->getConn()->clientConnection->remote, http->request);
createStoreEntry(r->method, RequestFlags());
if (http->flags.done_copying)
return 1;
- if (http->request->flags.chunked_reply && !flags.complete) {
+ if (http->request->flags.chunkedReply && !flags.complete) {
// last-chunk was not sent
return 0;
}
const int64_t expectedBodySize =
http->storeEntry()->getReply()->bodySize(http->request->method);
- if (!http->request->flags.proxy_keepalive && expectedBodySize < 0) {
+ if (!http->request->flags.proxyKeepalive && expectedBodySize < 0) {
debugs(88, 5, "clientReplyStatus: closing, content_length < 0");
return STREAM_FAILED;
}
return STREAM_UNPLANNED_COMPLETE;
}
- if (http->request->flags.proxy_keepalive) {
+ if (http->request->flags.proxyKeepalive) {
debugs(88, 5, "clientReplyStatus: stream complete and can keepalive");
return STREAM_COMPLETE;
}
}
// add Warnings required by RFC 2616 if serving a stale hit
- if (http->request->flags.stale_if_hit && logTypeIsATcpHit(http->logType)) {
+ if (http->request->flags.staleIfHit && logTypeIsATcpHit(http->logType)) {
hdr->putWarning(110, "Response is stale");
- if (http->request->flags.need_validation)
+ if (http->request->flags.needValidation)
hdr->putWarning(111, "Revalidation failed");
}
||
(strncasecmp(value, "Kerberos", 8) == 0 &&
(value[8] == '\0' || value[8] == ' '))) {
- if (request->flags.connection_auth_disabled) {
+ if (request->flags.connectionAuthDisabled) {
hdr->delAt(pos, connection_auth_blocked);
continue;
}
- request->flags.must_keepalive = 1;
+ request->flags.mustKeepalive = 1;
if (!request->flags.accelerated && !request->flags.intercepted) {
httpHeaderPutStrf(hdr, HDR_PROXY_SUPPORT, "Session-Based-Authentication");
/*
(request->http_ver >= HttpVersion(1, 1));
/* Check whether we should send keep-alive */
- if (!Config.onoff.error_pconns && reply->sline.status >= 400 && !request->flags.must_keepalive) {
+ if (!Config.onoff.error_pconns && reply->sline.status >= 400 && !request->flags.mustKeepalive) {
debugs(33, 3, "clientBuildReplyHeader: Error, don't keep-alive");
- request->flags.proxy_keepalive = 0;
- } else if (!Config.onoff.client_pconns && !request->flags.must_keepalive) {
+ request->flags.proxyKeepalive = 0;
+ } else if (!Config.onoff.client_pconns && !request->flags.mustKeepalive) {
debugs(33, 2, "clientBuildReplyHeader: Connection Keep-Alive not requested by admin or client");
- request->flags.proxy_keepalive = 0;
- } else if (request->flags.proxy_keepalive && shutting_down) {
+ request->flags.proxyKeepalive = 0;
+ } else if (request->flags.proxyKeepalive && shutting_down) {
debugs(88, 3, "clientBuildReplyHeader: Shutting down, don't keep-alive.");
- request->flags.proxy_keepalive = 0;
- } else if (request->flags.connection_auth && !reply->keep_alive) {
+ request->flags.proxyKeepalive = 0;
+ } else if (request->flags.connectionAuth && !reply->keep_alive) {
debugs(33, 2, "clientBuildReplyHeader: Connection oriented auth but server side non-persistent");
- request->flags.proxy_keepalive = 0;
+ request->flags.proxyKeepalive = 0;
} else if (reply->bodySize(request->method) < 0 && !maySendChunkedReply) {
debugs(88, 3, "clientBuildReplyHeader: can't keep-alive, unknown body size" );
- request->flags.proxy_keepalive = 0;
- } else if (fdUsageHigh()&& !request->flags.must_keepalive) {
+ request->flags.proxyKeepalive = 0;
+ } else if (fdUsageHigh()&& !request->flags.mustKeepalive) {
debugs(88, 3, "clientBuildReplyHeader: Not many unused FDs, can't keep-alive");
- request->flags.proxy_keepalive = 0;
- } else if (request->flags.sslBumped_ && !reply->persistent()) {
+ request->flags.proxyKeepalive = 0;
+ } else if (request->flags.sslBumped && !reply->persistent()) {
// We do not really have to close, but we pretend we are a tunnel.
debugs(88, 3, "clientBuildReplyHeader: bumped reply forces close");
- request->flags.proxy_keepalive = 0;
+ request->flags.proxyKeepalive = 0;
}
// Decide if we send chunked reply
if (maySendChunkedReply &&
- request->flags.proxy_keepalive &&
+ request->flags.proxyKeepalive &&
reply->bodySize(request->method) < 0) {
debugs(88, 3, "clientBuildReplyHeader: chunked reply");
- request->flags.chunked_reply = 1;
+ request->flags.chunkedReply = 1;
hdr->putStr(HDR_TRANSFER_ENCODING, "chunked");
}
hdr->putStr(HDR_VIA, strVia.termedBuf());
}
/* Signal keep-alive or close explicitly */
- hdr->putStr(HDR_CONNECTION, request->flags.proxy_keepalive ? "keep-alive" : "close");
+ hdr->putStr(HDR_CONNECTION, request->flags.proxyKeepalive ? "keep-alive" : "close");
#if ADD_X_REQUEST_URI
/*
/** \li If the request has no-cache flag set or some no_cache HACK in operation we
* 'invalidate' the cached IP entries for this request ???
*/
- if (r->flags.nocache) {
+ if (r->flags.noCache) {
#if USE_DNSHELPER
ipcacheInvalidate(r->GetHost());
ipcacheInvalidateNegative(r->GetHost());
#endif /* USE_DNSHELPER */
- }
-
-#if USE_HTTP_VIOLATIONS
-
- else if (r->flags.nocache_hack) {
+ } else if (r->flags.noCacheHack()) {
#if USE_DNSHELPER
ipcacheInvalidate(r->GetHost());
}
-#endif /* USE_HTTP_VIOLATIONS */
#if USE_CACHE_DIGESTS
-
lookup_type = http->storeEntry() ? "HIT" : "MISS";
-
#endif
if (NULL == http->storeEntry()) {
return;
}
- if (r->flags.nocache) {
+ if (r->flags.noCache) {
debugs(85, 3, "clientProcessRequest2: no-cache REFRESH MISS");
http->storeEntry(NULL);
http->logType = LOG_TCP_CLIENT_REFRESH_MISS;
debugs(88, 5, "clientReplyContext::sendStreamError: A stream error has occured, marking as complete and sending no data.");
StoreIOBuffer localTempBuffer;
flags.complete = 1;
- http->request->flags.stream_error = 1;
+ http->request->flags.streamError = 1;
localTempBuffer.flags.error = result.flags.error;
clientStreamCallback((clientStreamNode*)http->client_stream.head->data, http, NULL,
localTempBuffer);
*/
request->flags.accelerated = http->flags.accel;
- request->flags.internalclient = 1;
+ request->flags.internalClient = 1;
/* this is an internally created
* request, not subject to acceleration
debugs(85, 3, "SECURITY ALERT: Host header forgery detected on " << http->getConn()->clientConnection <<
" (" << A << " does not match " << B << ") on URL: " << urlCanonical(http->request));
- // NP: it is tempting to use 'flags.nocache' but that is all about READing cache data.
+ // NP: it is tempting to use 'flags.noCache' but that is all about READing cache data.
// The problems here are about WRITE for new cache content, which means flags.cachable
http->request->flags.cachable = 0; // MUST NOT cache (for now)
// XXX: when we have updated the cache key to base on raw-IP + URI this cacheable limit can go.
}
debugs(85, 3, HERE << "validate host=" << host << ", port=" << port << ", portStr=" << (portStr?portStr:"NULL"));
- if (http->request->flags.intercepted || http->request->flags.spoof_client_ip) {
+ if (http->request->flags.intercepted || http->request->flags.spoofClientIp) {
// verify the Host: port (if any) matches the apparent destination
if (portStr && port != http->getConn()->clientConnection->local.GetPort()) {
debugs(85, 3, HERE << "FAIL on validate port " << http->getConn()->clientConnection->local.GetPort() <<
if (auth_challenge) {
#if USE_AUTH
- if (http->request->flags.sslBumped_) {
+ if (http->request->flags.sslBumped) {
/*SSL Bumped request, authentication is not possible*/
status = HTTP_FORBIDDEN;
} else if (!http->flags.accel) {
const wordlist *p = NULL;
// intercepted requests MUST NOT (yet) be sent to peers unless verified
- if (!request->flags.hostVerified && (request->flags.intercepted || request->flags.spoof_client_ip))
+ if (!request->flags.hostVerified && (request->flags.intercepted || request->flags.spoofClientIp))
return 0;
/*
if (strstr(url, p->key))
return 0;
- if (request->flags.loopdetect)
+ if (request->flags.loopDetected)
return 0;
if (request->protocol == AnyP::PROTO_HTTP)
if (!http_conn)
return;
- request->flags.connection_auth_disabled = http_conn->port->connection_auth_disabled;
- if (!request->flags.connection_auth_disabled) {
+ request->flags.connectionAuthDisabled = http_conn->port->connection_auth_disabled;
+ if (!request->flags.connectionAuthDisabled) {
if (Comm::IsConnOpen(http_conn->pinning.serverConnection)) {
if (http_conn->pinning.auth) {
- request->flags.connection_auth = 1;
+ request->flags.connectionAuth = 1;
request->flags.auth = 1;
} else {
- request->flags.connection_proxy_auth = 1;
+ request->flags.connectionProxyAuth = 1;
}
// These should already be linked correctly.
assert(request->clientConnectionManager == http_conn);
/* check if connection auth is used, and flag as candidate for pinning
* in such case.
- * Note: we may need to set flags.connection_auth even if the connection
+ * Note: we may need to set flags.connectionAuth even if the connection
* is already pinned if it was pinned earlier due to proxy auth
*/
- if (!request->flags.connection_auth) {
+ if (!request->flags.connectionAuth) {
if (req_hdr->has(HDR_AUTHORIZATION) || req_hdr->has(HDR_PROXY_AUTHORIZATION)) {
HttpHeaderPos pos = HttpHeaderInitPos;
HttpHeaderEntry *e;
||
strncasecmp(value, "Kerberos ", 9) == 0) {
if (e->id == HDR_AUTHORIZATION) {
- request->flags.connection_auth = 1;
+ request->flags.connectionAuth = 1;
may_pin = 1;
} else {
- request->flags.connection_proxy_auth = 1;
+ request->flags.connectionProxyAuth = 1;
may_pin = 1;
}
}
if (request->ims > 0)
request->flags.ims = 1;
- if (!request->flags.ignore_cc) {
+ if (!request->flags.ignoreCc) {
if (req_hdr->has(HDR_PRAGMA)) {
String s = req_hdr->getList(HDR_PRAGMA);
#if USE_HTTP_VIOLATIONS
if (Config.onoff.reload_into_ims)
- request->flags.nocache_hack = 1;
+ request->flags.nocacheHack = 1;
else if (refresh_nocache_hack)
- request->flags.nocache_hack = 1;
+ request->flags.nocacheHack = 1;
else
#endif
- request->flags.nocache = 1;
+ request->flags.noCache = 1;
}
/* ignore range header in non-GETs or non-HEADs */
request->range = req_hdr->getRange();
if (request->range) {
- request->flags.isRanged_=true;
+ request->flags.isRanged=true;
clientStreamNode *node = (clientStreamNode *)http->client_stream.tail->data;
/* XXX: This is suboptimal. We should give the stream the range set,
* and thereby let the top of the stream set the offset when the
if (strListIsSubstr(&s, ThisCache2, ',')) {
debugObj(33, 1, "WARNING: Forwarding loop detected for:\n",
request, (ObjPackMethod) & httpRequestPack);
- request->flags.loopdetect = 1;
+ request->flags.loopDetected = 1;
}
#if USE_FORW_VIA_DB
request->flags.hierarchical = 1;
debugs(85, 5, "clientInterpretRequestHeaders: REQ_NOCACHE = " <<
- (request->flags.nocache ? "SET" : "NOT SET"));
+ (request->flags.noCache ? "SET" : "NOT SET"));
debugs(85, 5, "clientInterpretRequestHeaders: REQ_CACHABLE = " <<
(request->flags.cachable ? "SET" : "NOT SET"));
debugs(85, 5, "clientInterpretRequestHeaders: REQ_HIERARCHICAL = " <<
if (err->page_id == TCP_RESET) {
if (err->request) {
debugs(4, 2, "RSTing this reply");
- err->request->flags.resetTCP_=true;
+ err->request->flags.resetTcp=true;
}
}
case LFT_LOCAL_LISTENING_IP: {
// avoid logging a dash if we have reliable info
const bool interceptedAtKnownPort = al->request ?
- (al->request->flags.spoof_client_ip ||
+ (al->request->flags.spoofClientIp ||
al->request->flags.intercepted) && al->cache.port :
false;
if (interceptedAtKnownPort) {
// Bug 3243: CVE 2009-0801
// Bypass of browser same-origin access control in intercepted communication
// To resolve this we must force DIRECT and only to the original client destination.
- const bool isIntercepted = request && !request->flags.redirected && (request->flags.intercepted || request->flags.spoof_client_ip);
+ const bool isIntercepted = request && !request->flags.redirected && (request->flags.intercepted || request->flags.spoofClientIp);
const bool useOriginalDst = Config.onoff.client_dst_passthru || (request && !request->flags.hostVerified);
if (isIntercepted && useOriginalDst) {
selectPeerForIntercepted();
if (ftimeout < ctimeout)
ctimeout = ftimeout;
- if (serverDestinations[0]->getPeer() && request->flags.sslBumped_) {
+ if (serverDestinations[0]->getPeer() && request->flags.sslBumped) {
debugs(50, 4, "fwdConnectStart: Ssl bumped connections through parrent proxy are not allowed");
ErrorState *anErr = new ErrorState(ERR_CANNOT_FORWARD, HTTP_SERVICE_UNAVAILABLE, request);
fail(anErr);
ErrorState *
FwdState::makeConnectingError(const err_type type) const
{
- return new ErrorState(type, request->flags.need_validation ?
+ return new ErrorState(type, request->flags.needValidation ?
HTTP_GATEWAY_TIMEOUT : HTTP_SERVICE_UNAVAILABLE, request);
}
conn->local.SetIPv4();
// maybe use TPROXY client address
- if (request && request->flags.spoof_client_ip) {
+ if (request && request->flags.spoofClientIp) {
if (!conn->getPeer() || !conn->getPeer()->options.no_tproxy) {
#if FOLLOW_X_FORWARDED_FOR && LINUX_NETFILTER
if (Config.onoff.tproxy_uses_indirect_client)
}
}
- if (request->flags.auth || request->flags.auth_sent) {
+ if (request->flags.auth || request->flags.authSent) {
/*
* Responses to requests with authorization may be cached
* only if a Cache-Control: public reply header is present.
}
if (!peerSupportsConnectionPinning())
- request->flags.connection_auth_disabled = 1;
+ request->flags.connectionAuthDisabled = 1;
HttpReply *vrep = setVirginReply(newrep);
flags.headers_parsed = 1;
closeHandler = NULL;
fwd->unregister(serverConnection);
- if (request->flags.spoof_client_ip)
+ if (request->flags.spoofClientIp)
client_addr = request->client_addr;
if (request->flags.pinned) {
ispinned = true;
- } else if (request->flags.connection_auth && request->flags.auth_sent) {
+ } else if (request->flags.connectionAuth && request->flags.authSent) {
ispinned = true;
}
if (request->pinnedConnection() && ispinned) {
request->pinnedConnection()->pinConnection(serverConnection, request, _peer,
- (request->flags.connection_auth != 0));
+ (request->flags.connectionAuth != 0));
} else {
fwd->pconnPush(serverConnection, request->peer_host ? request->peer_host : request->GetHost());
}
/* pretend it's not a range request */
delete request->range;
request->range = NULL;
- request->flags.isRanged_=false;
+ request->flags.isRanged=false;
}
/* append Via */
int64_t roffLimit = request->getRangeOffsetLimit();
if (NULL == request->range || !request->flags.cachable
- || request->range->offsetLimitExceeded(roffLimit) || request->flags.connection_auth)
+ || request->range->offsetLimitExceeded(roffLimit) || request->flags.connectionAuth)
result = false;
debugs(11, 8, "decideIfWeDoRanges: range specs: " <<
Packer p;
httpBuildRequestHeader(request, entry, fwd->al, &hdr, flags);
- if (request->flags.pinned && request->flags.connection_auth)
- request->flags.auth_sent = 1;
+ if (request->flags.pinned && request->flags.connectionAuth)
+ request->flags.authSent = 1;
else if (hdr.has(HDR_AUTHORIZATION))
- request->flags.auth_sent = 1;
+ request->flags.authSent = 1;
packerToMemInit(&p, mb);
hdr.packInto(&p);
/*
* Is keep-alive okay for all request methods?
*/
- if (request->flags.must_keepalive)
+ if (request->flags.mustKeepalive)
flags.keepalive = 1;
else if (!Config.onoff.server_pconns)
flags.keepalive = 0;
tempBuffer.data = ex->buf;
storeClientCopy(ex->sc, ex->e, tempBuffer,
netdbExchangeHandleReply, ex);
- ex->r->flags.loopdetect = 1; /* cheat! -- force direct */
+ ex->r->flags.loopDetected = 1; /* cheat! -- force direct */
if (p->login)
xstrncpy(ex->r->login, p->login, MAX_LOGIN_SZ);
if (neighborType(p, request) == PEER_SIBLING) {
#if PEER_MULTICAST_SIBLINGS
if (p->type == PEER_MULTICAST && p->options.mcast_siblings &&
- (request->flags.nocache || request->flags.refresh || request->flags.loopdetect || request->flags.need_validation))
+ (request->flags.noCache || request->flags.refresh || request->flags.loopDetected || request->flags.needValidation))
debugs(15, 2, "peerAllowedToUse(" << p->name << ", " << request->GetHost() << ") : multicast-siblings optimization match");
#endif
- if (request->flags.nocache)
+ if (request->flags.noCache)
return false;
if (request->flags.refresh)
return false;
- if (request->flags.loopdetect)
+ if (request->flags.loopDetected)
return false;
- if (request->flags.need_validation)
+ if (request->flags.needValidation)
return false;
}
// on intercepted traffic which failed Host verification
const HttpRequest *req = psstate->request;
const bool isIntercepted = !req->flags.redirected &&
- (req->flags.intercepted || req->flags.spoof_client_ip);
+ (req->flags.intercepted || req->flags.spoofClientIp);
const bool useOriginalDst = Config.onoff.client_dst_passthru || !req->flags.hostVerified;
const bool choseDirect = fs && fs->code == HIER_DIRECT;
if (isIntercepted && useOriginalDst && choseDirect) {
break;
// for TPROXY we must skip unusable addresses.
- if (psstate->request->flags.spoof_client_ip && !(fs->_peer && fs->_peer->options.no_tproxy) ) {
+ if (psstate->request->flags.spoofClientIp && !(fs->_peer && fs->_peer->options.no_tproxy) ) {
if (ia->in_addrs[n].IsIPv4() != psstate->request->client_addr.IsIPv4()) {
// we CAN'T spoof the address on this link. find another.
continue;
ps->acl_checklist = new ACLFilledChecklist(Config.accessList.NeverDirect, request, NULL);
ps->acl_checklist->nonBlockingCheck(peerCheckNeverDirectDone, ps);
return;
- } else if (request->flags.no_direct) {
+ } else if (request->flags.noDirect) {
/** if we are accelerating, direct is not an option. */
ps->direct = DIRECT_NO;
debugs(44, 3, "peerSelectFoo: direct = " << DirectStr[ps->direct] << " (forced non-direct)");
- } else if (request->flags.loopdetect) {
+ } else if (request->flags.loopDetected) {
/** if we are in a forwarding-loop, direct is not an option. */
ps->direct = DIRECT_YES;
debugs(44, 3, "peerSelectFoo: direct = " << DirectStr[ps->direct] << " (forwarding loop detected)");
debugs(22, 3, "\tentry->timestamp:\t" << mkrfc1123(entry->timestamp));
- if (request && !request->flags.ignore_cc) {
+ if (request && !request->flags.ignoreCc) {
const HttpHdrCc *const cc = request->cache_control;
if (cc && cc->hasMinFresh()) {
const int32_t minFresh=cc->minFresh();
entry->mem_obj->getReply()->cache_control->staleIfError() < staleness) {
debugs(22, 3, "refreshCheck: stale-if-error period expired.");
- request->flags.fail_on_validation_err = 1;
+ request->flags.failOnValidationError = 1;
}
if (EBIT_TEST(entry->flags, ENTRY_REVALIDATE) && staleness > -1
) {
debugs(22, 3, "refreshCheck: YES: Must revalidate stale response");
if (request)
- request->flags.fail_on_validation_err = 1;
+ request->flags.failOnValidationError = 1;
return STALE_MUST_REVALIDATE;
}
/* request-specific checks */
- if (request && !request->flags.ignore_cc) {
+ if (request && !request->flags.ignoreCc) {
HttpHdrCc *cc = request->cache_control;
if (request->flags.ims && (R->flags.refresh_ims || Config.onoff.refresh_all_ims)) {
#if USE_HTTP_VIOLATIONS
- if (!request->flags.nocache_hack) {
+ if (!request->flags.noCacheHack()) {
(void) 0;
} else if (R->flags.ignore_reload) {
/* The clients no-cache header is ignored */
} else {
/* The clients no-cache header is not overridden on this request */
debugs(22, 3, "refreshCheck: YES: client reload");
- request->flags.nocache = 1;
+ request->flags.noCache = 1;
return STALE_FORCED_RELOAD;
}
if ( max_stale >= 0 && staleness > max_stale) {
debugs(22, 3, "refreshCheck: YES: max-stale limit");
if (request)
- request->flags.fail_on_validation_err = 1;
+ request->flags.failOnValidationError = 1;
return STALE_MAX_STALE;
}
int reason = refreshCheck(entry, request, 0);
++ refreshCounts[rcHTTP].total;
++ refreshCounts[rcHTTP].status[reason];
- request->flags.stale_if_hit = refreshIsStaleIfHit(reason);
+ request->flags.staleIfHit = refreshIsStaleIfHit(reason);
return (Config.onoff.offline || reason < 200) ? 0 : 1;
}
{
const String reqETags = request.header.getList(HDR_IF_NONE_MATCH);
// weak comparison is allowed only for HEAD or full-body GET requests
- const bool allowWeakMatch = !request.flags.isRanged_ &&
+ const bool allowWeakMatch = !request.flags.isRanged &&
(request.method == METHOD_GET || request.method == METHOD_HEAD);
return hasOneOfEtags(reqETags, allowWeakMatch);
}
TunnelStateData *tunnelState = (TunnelStateData *)data;
debugs(26, 3, HERE << server << ", tunnelState=" << tunnelState);
- if (tunnelState->request && (tunnelState->request->flags.spoof_client_ip || tunnelState->request->flags.intercepted))
+ if (tunnelState->request && (tunnelState->request->flags.spoofClientIp || tunnelState->request->flags.intercepted))
tunnelStartShoveling(tunnelState); // ssl-bumped connection, be quiet
else {
AsyncCall::Pointer call = commCbCall(5,5, "tunnelConnectedWriteDone",
projects / thirdparty / squid.git / commitdiff
