Bug fix: src ACL broken with sslproxy_cert_error, part2
authorChristos Tsantilas <chtsanti@users.sourceforge.net>
Fri, 27 Apr 2012 12:58:34 +0000 (15:58 +0300)
committerChristos Tsantilas <chtsanti@users.sourceforge.net>
Fri, 27 Apr 2012 12:58:34 +0000 (15:58 +0300)
Use the original CONNECT request instead of creating the fake request.
Set flags.sslPeek to mark the CONNECT request as the one used for peeking at
the origin server certificate. Forward.cc now use that flag when special
handling is needed.

This will allow us to use the original request, which includes the CONNECT request
headers (eg X-Forwarded-For header) and other settings, with the sslproxy_*
acl checks.

src/client_side.cc
src/client_side.h
src/client_side_request.cc
src/forward.cc

index 434095ff4aa330dc7fc1c82d1f10c8f530bc9023..1a6c6c50c7d581d3912f37bf0ce84e56814016cc 100644 (file)
@@ -3552,8 +3552,18 @@ httpsEstablish(ConnStateData *connState,  SSL_CTX *sslContext)
         Comm::SetSelect(details->fd, COMM_SELECT_READ, clientNegotiateSSL, connState, 0);
     else {
         char buf[MAX_IPSTRLEN];
+        HttpRequest *fakeRequest = new HttpRequest;
+        fakeRequest->SetHost(details->local.NtoA(buf, sizeof(buf)));
+        fakeRequest->port = details->local.GetPort();
+        fakeRequest->clientConnectionManager = connState;
+        fakeRequest->client_addr = connState->clientConnection->remote;
+#if FOLLOW_X_FORWARDED_FOR
+        fakeRequest->indirect_client_addr = connState->clientConnection->remote;
+#endif
+        fakeRequest->my_addr = connState->clientConnection->local;
+
         debugs(33, 4, HERE << details << " try to generate a Dynamic SSL CTX");
-        connState->switchToHttps(details->local.NtoA(buf, sizeof(buf)), details->local.GetPort());
+        connState->switchToHttps(fakeRequest);
     }
 }
 
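Review bot: The object created at `HttpRequest *fakeRequest = new HttpRequest;` is handed to switchToHttps without any reference being taken, and the only store of that pointer visible in this commit is the `sslServerBump = new Ssl::ServerBump(request)` branch that runs when alwaysBumpServerFirst is set and no bump exists yet; on every other path the allocation appears to be leaked. The fake-request code this commit removes from switchToHttps also set `fakeRequest->protocol = AnyP::PROTO_HTTPS`, and that assignment has no counterpart here, so anything that inspects the fake request's protocol (a proto ACL in sslproxy_* rules, or the PROTO_HTTPS test in FwdState::connectDone when sslPeek is not set) sees the default value. I would add `fakeRequest->protocol = AnyP::PROTO_HTTPS;` after the `port` assignment and, if HttpRequest is reference counted as elsewhere in Squid (HTTPMSGLOCK/HTTPMSGUNLOCK), hold a reference across the call and release it afterwards. httpsEstablish begins before this hunk.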
@@ -3690,16 +3700,9 @@ void ConnStateData::buildSslCertGenerationParams(Ssl::CertificateProperties &cer
         if (X509 *mimicCert = sslServerBump->serverCert.get())
             certProperties.mimicCert.resetAndLock(mimicCert);
 
-        HttpRequest *fakeRequest =  new HttpRequest();
-        fakeRequest->SetHost(sslConnectHostOrIp.termedBuf());
-        fakeRequest->port = clientConnection->local.GetPort();
-        fakeRequest->protocol = AnyP::PROTO_HTTPS;
-        ACLFilledChecklist checklist(NULL, fakeRequest, 
+        ACLFilledChecklist checklist(NULL, sslServerBump->request, 
                                      clientConnection != NULL ? clientConnection->rfc931 : dash_str);
         checklist.conn(this);
-        checklist.src_addr = clientConnection->remote;
-        checklist.my_addr = clientConnection->local;
         checklist.sslErrorList = cbdataReference(sslServerBump->bumpSslErrorNoList);
 
         for (sslproxy_cert_adapt *ca = Config.ssl_client.cert_adapt; ca != NULL; ca = ca->next) {
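Review bot: The removed `checklist.src_addr = clientConnection->remote;` and `checklist.my_addr = clientConnection->local;` lines mean the src/myip match this commit is fixing now depends on ACLFilledChecklist presumably filling those fields from `sslServerBump->request`, so every request reaching ServerBump must carry client_addr and my_addr; the fake request built in httpsEstablish sets both, and the CONNECT request from sslBumpEstablish is assumed to. Nothing in the hunk checks that `sslServerBump->request` is non-NULL before the checklist is constructed, whereas `clientConnection != NULL` is guarded on the very next line; an `assert(sslServerBump->request);` (or a guard that skips certificate adaptation) above the constructor would make the precondition explicit. Note also that the old fake request forced `protocol = AnyP::PROTO_HTTPS`, so if the real CONNECT request carries a different protocol value, proto-based sslproxy_cert_adapt/sslproxy_cert_sign rules change meaning with this commit and that should be called out in the release notes. buildSslCertGenerationParams starts before this hunk and continues after it.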
@@ -3867,12 +3870,12 @@ ConnStateData::getSslContextDone(SSL_CTX * sslContext, bool isNew)
 }
 
 void
-ConnStateData::switchToHttps(const char *host, const int port)
+ConnStateData::switchToHttps(HttpRequest *request)
 {
     assert(!switchedToHttps_);
 
-    sslConnectHostOrIp = host;
-    sslCommonName = host;
+    sslConnectHostOrIp = request->GetHost();
+    sslCommonName = request->GetHost();
 
     // We are going to read new request
     flags.readMore = true;
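Review bot: `request` is dereferenced at `sslConnectHostOrIp = request->GetHost();` and the following line with no null check, and since the function's precondition changed from two plain values to a pointer, an `assert(request);` beside the existing `assert(!switchedToHttps_);` would make the new contract explicit and turn a bad call site into a clear failure. The two GetHost() results are copied into String members, so for these lines the request only needs to outlive the call; where lifetime actually matters is the later `sslServerBump = new Ssl::ServerBump(request)` store in this same function, which lies outside this hunk. switchToHttps continues past the end of the hunk.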
@@ -3883,18 +3886,8 @@ ConnStateData::switchToHttps(const char *host, const int port)
     // and now want to switch to SSL to send the error to the client
     // without even peeking at the origin server certificate.
     if (alwaysBumpServerFirst && !sslServerBump) {
-        HttpRequest *fakeRequest = new HttpRequest;
-        fakeRequest->flags.sslPeek = 1;
-        fakeRequest->SetHost(sslConnectHostOrIp.termedBuf());
-        fakeRequest->port = port;
-        fakeRequest->protocol = AnyP::PROTO_HTTPS;
-        fakeRequest->clientConnectionManager = this;
-        fakeRequest->client_addr = clientConnection->remote;
-#if FOLLOW_X_FORWARDED_FOR
-        fakeRequest->indirect_client_addr = clientConnection->remote;
-#endif
-        fakeRequest->my_addr = clientConnection->local;
-        sslServerBump = new Ssl::ServerBump(fakeRequest);
+        request->flags.sslPeek = 1;
+        sslServerBump = new Ssl::ServerBump(request);
 
         // will call httpsPeeked() with certificate and connection, eventually
         FwdState::fwdStart(clientConnection, sslServerBump->entry, sslServerBump->request);
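Review bot: `request->flags.sslPeek = 1;` now mutates the caller's request instead of a private fake one, and when the pointer is the real CONNECT request passed from sslBumpEstablish the flag persists on that object for as long as it lives; FwdState::connectDone in this commit initiates SSL whenever the flag is set, so any later forwarding of the same request object would be forced onto the SSL path as well. If that is intended, a comment such as `// mark the client's CONNECT request as the one used to peek at the origin certificate; FwdState::connectDone honours this flag` would document it, otherwise the flag should be cleared once httpsPeeked() has run. Ownership changes here too: Ssl::ServerBump now receives a pointer the caller still owns, so unless ServerBump takes its own reference the bump can outlive the ClientHttpRequest that owns the CONNECT request. The same lifetime concern applies to the call site changed in client_side_request.cc.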
index d3a14e54af335709588f2d26bb5ea59e73998abb..3efb5aa593489cb7db4fb268e66c6c3e6d10f479 100644 (file)
@@ -340,7 +340,7 @@ public:
     /// Proccess response from ssl_crtd.
     void sslCrtdHandleReply(const char * reply);
 
-    void switchToHttps(const char *host, const int port);
+    void switchToHttps(HttpRequest *request);
     bool switchedToHttps() const { return switchedToHttps_; }
     Ssl::ServerBump *serverBump() {return sslServerBump;}
     void setServerBump(Ssl::ServerBump *srvBump) {if (!sslServerBump) sslServerBump = srvBump;}
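Review bot: The new `switchToHttps(HttpRequest *request)` declaration has no Doxygen line while its neighbour `sslCrtdHandleReply` does, and the parameter's contract changed from two copied values to a pointer that the implementation reads for the host and may retain as the Ssl::ServerBump request. I would add `/// Switch this client connection to SSL; request supplies the host to bump and, for server-first bumping, is stored as the ServerBump request.` above the declaration so callers know the pointer must stay valid after the call returns.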
index 30a91aa9856f29d1b8fb8029f8fd14d135b61c5b..75975a4f94683bd2963762695ecb4d3bb2d29899 100644 (file)
@@ -1423,7 +1423,7 @@ ClientHttpRequest::sslBumpEstablish(comm_err_t errflag)
         getConn()->auth_user_request = request->auth_user_request;
 #endif
 
-    getConn()->switchToHttps(request->GetHost(), request->port);
+    getConn()->switchToHttps(request);
 }
 
 void
index 0a93966a1f801c16daf233400379da9a0b82448c..35528305e3dcd45b86386c1cbf0d80e5ff77ff3e 100644 (file)
@@ -843,7 +843,8 @@ FwdState::connectDone(const Comm::ConnectionPointer &conn, comm_err_t status, in
 
 #if USE_SSL
     if ((serverConnection()->getPeer() && serverConnection()->getPeer()->use_ssl) ||
-            (!serverConnection()->getPeer() && request->protocol == AnyP::PROTO_HTTPS)) {
+            (!serverConnection()->getPeer() && request->protocol == AnyP::PROTO_HTTPS) ||
+            (request->flags.sslPeek)) {
         initiateSSL();
         return;
     }
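Review bot: The added `(request->flags.sslPeek)` term is not qualified by `!serverConnection()->getPeer()` the way the PROTO_HTTPS term is, so a peek request that peer selection routes to a cache_peer without use_ssl would have initiateSSL() run against a plain-HTTP peer. If certificate peeking must always go to the origin server, a comment stating that invariant and a check that no non-SSL peer was selected would make it visible; otherwise the condition should probably read `(!serverConnection()->getPeer() && (request->protocol == AnyP::PROTO_HTTPS || request->flags.sslPeek))`. The extra parentheses around the flag test are unnecessary. connectDone begins before this hunk.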