Implemented some more getters/setters for RequestFlags.

Moved from a preprocessor-backed conditional code to a compiler-backed conditional code for follow-x-forwarded-for

diff --git a/src/RequestFlags.h b/src/RequestFlags.h
index 738a7284ca9545011782ba3dee1f5adb8d10c409..b9675ba2a760cd28639908ec607b254db817e3af 100644 (file)
--- a/src/RequestFlags.h
+++ b/src/RequestFlags.h
@@ -42,14 +42,12 @@ public:
         ignore_cc(0), intercepted(0), hostVerified(0), spoof_client_ip(0),
         internal(0), internalclient(0), must_keepalive(0), pinned(0),
         canRePin(0), chunked_reply(0), stream_error(0), sslPeek(0),
-        sslBumped(0), destinationIPLookedUp_(false), resetTCP_(false),
+        done_follow_x_forwarded_for(!FOLLOW_X_FORWARDED_FOR),
+        sslBumped_(false), destinationIPLookedUp_(false), resetTCP_(false),
         isRanged_(false) {
 #if USE_HTTP_VIOLATIONS
         nocache_hack = 0;
 #endif
-#if FOLLOW_X_FORWARDED_FOR
-        done_follow_x_forwarded_for = 0;
-#endif /* FOLLOW_X_FORWARDED_FOR */
     }
 
     unsigned int nocache :1; ///< whether the response to this request may be READ from cache
@@ -88,11 +86,9 @@ public:
     unsigned int chunked_reply :1; /**< Reply with chunked transfer encoding */
     unsigned int stream_error :1; /**< Whether stream error has occured */
     unsigned int sslPeek :1; ///< internal ssl-bump request to get server cert
-    unsigned int sslBumped :1; /**< ssl-bumped request*/
 
 #if FOLLOW_X_FORWARDED_FOR
     /* TODO: move from conditional definition to conditional setting */
-    unsigned int done_follow_x_forwarded_for :1;
 #endif /* FOLLOW_X_FORWARDED_FOR */
 
     // When adding new flags, please update cloneAdaptationImmune() as needed.
@@ -108,8 +104,27 @@ public:
     bool isRanged() const;
     void setRanged();
     void clearRanged();
+
+    bool sslBumped() const { return sslBumped_; }
+    void setSslBumped(bool newValue=true) { sslBumped_=newValue; }
+    void clearSslBumpeD() { sslBumped_=false; }
+
+    bool doneFollowXFF() const { return done_follow_x_forwarded_for; }
+    void setDoneFollowXFF() {
+        done_follow_x_forwarded_for = true;
+    }
+    void clearDoneFollowXFF() {
+        /* do not allow clearing if FOLLOW_X_FORWARDED_FOR is unset */
+        done_follow_x_forwarded_for = false || !FOLLOW_X_FORWARDED_FOR;
+    }
 private:
 
+    /* done_follow_x_forwarded_for set by default to the opposite of
+     * compilation option FOLLOW_X_FORWARDED_FOR (so that it returns
+     * always "done" if the build option is disabled.
+     */
+    bool done_follow_x_forwarded_for :1;
+    bool sslBumped_ :1; /**< ssl-bumped request*/
     bool destinationIPLookedUp_:1;
     bool resetTCP_:1;                ///< request to reset the TCP stream
     bool isRanged_ :1;

diff --git a/src/auth/Acl.cc b/src/auth/Acl.cc
index fd70ba3f6699e64bb7bac3758cce400058d98fa0..cc5de7b2c0f7c1fc9cf349615458bd8ac0bfe437 100644 (file)
--- a/src/auth/Acl.cc
+++ b/src/auth/Acl.cc
@@ -24,7 +24,7 @@ AuthenticateAcl(ACLChecklist *ch)
     if (NULL == request) {
         fatal ("requiresRequest SHOULD have been true for this ACL!!");
         return ACCESS_DENIED;
-    } else if (request->flags.sslBumped) {
+    } else if (request->flags.sslBumped()) {
         debugs(28, 5, "SslBumped request: It is an encapsulated request do not authenticate");
         checklist->auth_user_request = checklist->conn() != NULL ? checklist->conn()->auth_user_request : request->auth_user_request;
         if (checklist->auth_user_request != NULL)

diff --git a/src/client_side.cc b/src/client_side.cc
index 21aecf61a5b091200bfc14049b640257250e16d6..f6514f14674ea96230c5774bbdd628515193741a 100644 (file)
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -2652,14 +2652,14 @@ clientProcessRequest(ConnStateData *conn, HttpParser *hp, ClientSocketContext *c
     request->clientConnectionManager = conn;
 
     request->flags.accelerated = http->flags.accel;
-    request->flags.sslBumped = conn->switchedToHttps();
-    request->flags.canRePin = request->flags.sslBumped && conn->pinning.pinned;
+    request->flags.setSslBumped(conn->switchedToHttps());
+    request->flags.canRePin = request->flags.sslBumped() && conn->pinning.pinned;
     request->flags.ignore_cc = conn->port->ignore_cc;
     // TODO: decouple http->flags.accel from request->flags.sslBumped
-    request->flags.no_direct = (request->flags.accelerated && !request->flags.sslBumped) ?
+    request->flags.no_direct = (request->flags.accelerated && !request->flags.sslBumped()) ?
                                !conn->port->allow_direct : 0;
 #if USE_AUTH
-    if (request->flags.sslBumped) {
+    if (request->flags.sslBumped()) {
         if (conn->auth_user_request != NULL)
             request->auth_user_request = conn->auth_user_request;
     }

diff --git a/src/client_side_reply.cc b/src/client_side_reply.cc
index 4cafe42717c2ed4cbff3056fe470e83dac3f2c3a..64fd47d9f8d3c2d8bd428681180a0fd5018cc3f9 100644 (file)
--- a/src/client_side_reply.cc
+++ b/src/client_side_reply.cc
@@ -1477,7 +1477,7 @@ clientReplyContext::buildReplyHeader()
     } else if (fdUsageHigh()&& !request->flags.must_keepalive) {
         debugs(88, 3, "clientBuildReplyHeader: Not many unused FDs, can't keep-alive");
         request->flags.proxy_keepalive = 0;
-    } else if (request->flags.sslBumped && !reply->persistent()) {
+    } else if (request->flags.sslBumped() && !reply->persistent()) {
         // We do not really have to close, but we pretend we are a tunnel.
         debugs(88, 3, "clientBuildReplyHeader: bumped reply forces close");
         request->flags.proxy_keepalive = 0;

diff --git a/src/client_side_request.cc b/src/client_side_request.cc
index 7731e9d3136ab84306b8fc75e85451c66f0e6adf..a3ebc67cc1fd337df9e8cb621d24c01061909ce8 100644 (file)
--- a/src/client_side_request.cc
+++ b/src/client_side_request.cc
@@ -534,7 +534,7 @@ clientFollowXForwardedForCheck(allow_t answer, void *data)
         conn->log_addr = request->indirect_client_addr;
     }
     request->x_forwarded_for_iterator.clean();
-    request->flags.done_follow_x_forwarded_for = 1;
+    request->flags.setDoneFollowXFF();
 
     if (answer != ACCESS_ALLOWED && answer != ACCESS_DENIED) {
         debugs(28, DBG_CRITICAL, "ERROR: Processing X-Forwarded-For. Stopping at IP address: " << request->indirect_client_addr );
@@ -709,8 +709,9 @@ ClientRequestContext::hostHeaderVerify()
 void
 ClientRequestContext::clientAccessCheck()
 {
-#if FOLLOW_X_FORWARDED_FOR
-    if (!http->request->flags.done_follow_x_forwarded_for &&
+    /* NOP if !FOLLOW_X_FORWARDED_FOR */
+    if (FOLLOW_X_FORWARDED_FOR &&
+            !http->request->flags.doneFollowXFF() &&
             Config.accessList.followXFF &&
             http->request->header.has(HDR_X_FORWARDED_FOR)) {
 
@@ -726,7 +727,6 @@ ClientRequestContext::clientAccessCheck()
         acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, this);
         return;
     }
-#endif /* FOLLOW_X_FORWARDED_FOR */
 
     if (Config.accessList.http) {
         acl_checklist = clientAclChecklistCreate(Config.accessList.http, http);
@@ -810,7 +810,7 @@ ClientRequestContext::clientAccessCheckDone(const allow_t &answer)
 
         if (auth_challenge) {
 #if USE_AUTH
-            if (http->request->flags.sslBumped) {
+            if (http->request->flags.sslBumped()) {
                 /*SSL Bumped request, authentication is not possible*/
                 status = HTTP_FORBIDDEN;
             } else if (!http->flags.accel) {

diff --git a/src/forward.cc b/src/forward.cc
index f8b1a42b30bc44074e3d71052f44c98b5dfe8501..10f11b81e155b52af20d6af2f64120dc8b20735b 100644 (file)
--- a/src/forward.cc
+++ b/src/forward.cc
@@ -953,7 +953,7 @@ FwdState::connectStart()
     if (ftimeout < ctimeout)
         ctimeout = ftimeout;
 
-    if (serverDestinations[0]->getPeer() && request->flags.sslBumped == true) {
+    if (serverDestinations[0]->getPeer() && request->flags.sslBumped() == true) {
         debugs(50, 4, "fwdConnectStart: Ssl bumped connections through parrent proxy are not allowed");
         ErrorState *anErr = new ErrorState(ERR_CANNOT_FORWARD, HTTP_SERVICE_UNAVAILABLE, request);
         fail(anErr);