Author: Henrik Nordstrom <henrik@henriknordstrom.net>

http_port allow-direct option to allow direct forwarding in accelerator mode

normally direct forwarding is disabled in accelerator mode unless overridden
by always_direct, to avoid unintentional security loops. But there is setups
where it makes sense to not have this restriction as this has effects on
peer selection as well.

diff --git a/doc/release-notes/release-3.1.sgml b/doc/release-notes/release-3.1.sgml
index f1112a61bbefc0e52c7536b0f019032e91956552..2e7573526096b798803fcc31e3030d2beadb2980 100644 (file)
--- a/doc/release-notes/release-3.1.sgml
+++ b/doc/release-notes/release-3.1.sgml
@@ -946,6 +946,10 @@ NOCOMMENT_START
         <verb>
            intercept    Rename of old 'transparent' option to indicate proper functionality.
 
+          allow-direct Allow direct forwarding in accelerator mode. Normally
+                       accelerated requests are denied direct forwarding as if
+                       never_direct was used.
+
           connection-auth[=on|off]
                        use connection-auth=off to tell Squid to prevent
                        forwarding Microsoft connection oriented authentication
@@ -1352,7 +1356,6 @@ This section gives an account of those changes in three categories:
 
        <tag>http_port</tag>
        <p><em>act-as-origin</em> not yet ported from 2.7
-       <p><em>allow-direct</em> not yet ported from 2.7
        <p><em>http11</em> not yet ported from 2.7
        <p><em>urlgroup=</em> not yet ported from 2.6
 

diff --git a/src/ProtoPort.h b/src/ProtoPort.h
index 8f5384d4634275d85350f991f05a3292db5dd0ce..b421dd1267a705da99d549c59964bbc0d3c2f6c9 100644 (file)
--- a/src/ProtoPort.h
+++ b/src/ProtoPort.h
@@ -21,6 +21,7 @@ struct http_port_list {
     unsigned int intercepted:1;        /**< intercepting proxy port */
     unsigned int spoof_client_ip:1;    /**< spoof client ip if possible */
     unsigned int accel:1;              /**< HTTP accelerator */
+    unsigned int allow_direct:1;       /**< Allow direct forwarding in accelerator mode */
     unsigned int vhost:1;              /**< uses host header */
     unsigned int sslBump:1;            /**< intercepts CONNECT requests */
 

diff --git a/src/cache_cf.cc b/src/cache_cf.cc
index 3f379b7315f6e1e0435c1710aa430e580654077b..536234ad91f4d2de6f4efa9d90afcce0100be2b9 100644 (file)
--- a/src/cache_cf.cc
+++ b/src/cache_cf.cc
@@ -2992,6 +2992,8 @@ parse_http_port_option(http_port_list * s, char *token)
         s->accel = 1;
     } else if (strcmp(token, "accel") == 0) {
         s->accel = 1;
+    } else if (strcmp(token, "allow-direct") == 0) {
+        s->allow_direct = 1;
     } else if (strcmp(token, "no-connection-auth") == 0) {
         s->connection_auth_disabled = true;
     } else if (strcmp(token, "connection-auth=off") == 0) {

diff --git a/src/cf.data.pre b/src/cf.data.pre
index ee7e1044040bf03cd3ee11ba5ddf0b5c8f632424..c918e394e83a7d1e326158d6c0248e31a813dc54 100644 (file)
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -1039,6 +1039,10 @@ DOC_START
           accel        Accelerator mode. Also needs at least one of
                        vhost / vport / defaultsite.
 
+          allow-direct Allow direct forwarding in accelerator mode. Normally
+                       accelerated requests are denied direct forwarding as if
+                       never_direct was used.
+
           defaultsite=domainname
                        What to use for the Host: header if it is not present
                        in a request. Determines what site (not origin server)

diff --git a/src/client_side.cc b/src/client_side.cc
index 6e507fcd6ac78d0f5a311d57bfda2530ad8a770f..a6c3054322d037a0e2f400f31e5b5930ea721816 100644 (file)
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -2275,6 +2275,7 @@ clientProcessRequest(ConnStateData *conn, HttpParser *hp, ClientSocketContext *c
     }
 
     request->flags.accelerated = http->flags.accel;
+    request->flags.no_direct = request->flags.accelerated ? !conn->port->allow_direct : 0;
 
     /** \par
      * If transparent or interception mode is working clone the transparent and interception flags

diff --git a/src/peer_select.cc b/src/peer_select.cc
index 7f2d137d0828706b9e06a20553bad451e2a4070f..7caf9c5ec5801bc4911b90b9de72d9265c58aca2 100644 (file)
--- a/src/peer_select.cc
+++ b/src/peer_select.cc
@@ -315,7 +315,7 @@ peerSelectFoo(ps_state * ps)
         } else if (ps->never_direct > 0) {
             /** if always_direct says NO, do that. */
             ps->direct = DIRECT_NO;
-        } else if (request->flags.accelerated) {
+        } else if (request->flags.no_direct) {
             /** if we are accelerating, direct is not an option. */
             ps->direct = DIRECT_NO;
         } else if (request->flags.loopdetect) {

diff --git a/src/structs.h b/src/structs.h
index dd201c54dd95e2224ace58089d38470f8c2b6af8..ab2d3057061493d026ea155eae741d3646c479cd 100644 (file)
--- a/src/structs.h
+++ b/src/structs.h
@@ -1027,6 +1027,7 @@ unsigned int proxying:
     unsigned int connection_proxy_auth:1; /** Request wants connection oriented auth */
     unsigned int pinned:1;      /* Request sent on a pinned connection */
     unsigned int auth_sent:1;   /* Authentication forwarded */
+    unsigned int no_direct:1;  /* Deny direct forwarding unless overriden by always_direct. Used in accelerator mode */
 
     // When adding new flags, please update cloneAdaptationImmune() as needed.