-/*
- * $Id$
- */
-
-#include "squid.h"
+#include "config.h"
#include "comm.h"
#include "ProtoPort.h"
#if HAVE_LIMITS
http_port_list::http_port_list(const char *aProtocol)
#if USE_SSL
- :
- http(*this),
- dynamicCertMemCacheSize(std::numeric_limits<size_t>::max())
+ : dynamicCertMemCacheSize(std::numeric_limits<size_t>::max())
#endif
{
protocol = xstrdup(aProtocol);
safe_free(sslContextSessionId);
#endif
}
-
-
-#if USE_SSL
-
-https_port_list::https_port_list(): http_port_list("https")
-{
-}
-
-#endif
Comm::ConnectionPointer listenConn;
#if USE_SSL
- // XXX: temporary hack to ease move of SSL options to http_port
- http_port_list &http;
-
char *cert;
char *key;
int version;
CBDATA_CLASS2(http_port_list);
};
-
-#if USE_SSL
-
-struct https_port_list: public http_port_list {
- https_port_list();
-};
-
-#endif
-
#endif /* SQUID_PROTO_PORT_H */
#endif /* CURRENTLY_UNUSED */
#endif /* USE_WCCPv2 */
-static void parse_http_port_list(http_port_list **);
+static void parsePortList(http_port_list **, const char *protocol);
+#define parse_http_port_list(l) parsePortList((l),"http")
static void dump_http_port_list(StoreEntry *, const char *, const http_port_list *);
static void free_http_port_list(http_port_list **);
#if USE_SSL
-static void parse_https_port_list(https_port_list **);
-static void dump_https_port_list(StoreEntry *, const char *, const https_port_list *);
-static void free_https_port_list(https_port_list **);
-#if 0
-static int check_null_https_port_list(const https_port_list *);
-#endif
+#define parse_https_port_list(l) parsePortList((l),"https")
+#define dump_https_port_list(e,n,l) dump_http_port_list((e),(n),(l))
+#define free_https_port_list(l) free_http_port_list((l))
+#define check_null_https_port_list(l) check_null_http_port_list((l))
#endif /* USE_SSL */
static void parse_b_size_t(size_t * var);
if (!s->cert && !s->key)
continue;
- debugs(3, 1, "Initializing http_port " << s->http.s << " SSL context");
+ debugs(3, 1, "Initializing http_port " << s->s << " SSL context");
s->staticSslContext.reset(
sslCreateServerContext(s->cert, s->key,
{
- https_port_list *s;
+ http_port_list *s;
- for (s = Config.Sockaddr.https; s != NULL; s = (https_port_list *) s->http.next) {
- debugs(3, 1, "Initializing https_port " << s->http.s << " SSL context");
+ for (s = Config.Sockaddr.https; s != NULL; s = s->next) {
+ debugs(3, 1, "Initializing https_port " << s->s << " SSL context");
s->staticSslContext.reset(
sslCreateServerContext(s->cert, s->key,
CBDATA_CLASS_INIT(http_port_list);
static void
-parse_http_port_specification(http_port_list * s, char *token)
+parsePortSpecification(http_port_list * s, char *token)
{
char *host = NULL;
unsigned short port = 0;
host = token + 1;
t = strchr(host, ']');
if (!t) {
- debugs(3, 0, "http(s)_port: missing ']' on IPv6 address: " << token);
+ debugs(3, DBG_CRITICAL, s->protocol << "_port: missing ']' on IPv6 address: " << token);
self_destruct();
}
*t++ = '\0';
if (*t != ':') {
- debugs(3, 0, "http(s)_port: missing Port in: " << token);
+ debugs(3, DBG_CRITICAL, s->protocol << "_port: missing Port in: " << token);
self_destruct();
}
if (!Ip::EnableIpv6) {
- debugs(3, DBG_CRITICAL, "FATAL: http(s)_port: IPv6 is not available.");
+ debugs(3, DBG_CRITICAL, "FATAL: " << s->protocol << "_port: IPv6 is not available.");
self_destruct();
}
port = xatos(t + 1);
} else if ((port = strtol(token, &junk, 10)), !*junk) {
/* port */
- debugs(3, 3, "http(s)_port: found Listen on Port: " << port);
+ debugs(3, 3, s->protocol << "_port: found Listen on Port: " << port);
} else {
- debugs(3, 0, "http(s)_port: missing Port: " << token);
+ debugs(3, DBG_CRITICAL, s->protocol << "_port: missing Port: " << token);
self_destruct();
}
- if (port == 0) {
- debugs(3, 0, "http(s)_port: Port cannot be 0: " << token);
+ if (port == 0 && host != NULL) {
+ debugs(3, DBG_CRITICAL, s->protocol << "_port: Port cannot be 0: " << token);
self_destruct();
}
s->s.SetPort(port);
if (!Ip::EnableIpv6)
s->s.SetIPv4();
- debugs(3, 3, "http(s)_port: found Listen on wildcard address: *:" << s->s.GetPort() );
+ debugs(3, 3, s->protocol << "_port: found Listen on wildcard address: *:" << s->s.GetPort() );
} else if ( (s->s = host) ) { /* check/parse numeric IPA */
s->s.SetPort(port);
if (!Ip::EnableIpv6)
s->s.SetIPv4();
- debugs(3, 3, "http(s)_port: Listen on Host/IP: " << host << " --> " << s->s);
+ debugs(3, 3, s->protocol << "_port: Listen on Host/IP: " << host << " --> " << s->s);
} else if ( s->s.GetHostByName(host) ) { /* check/parse for FQDN */
/* dont use ipcache */
s->defaultsite = xstrdup(host);
s->s.SetPort(port);
if (!Ip::EnableIpv6)
s->s.SetIPv4();
- debugs(3, 3, "http(s)_port: found Listen as Host " << s->defaultsite << " on IP: " << s->s);
+ debugs(3, 3, s->protocol << "_port: found Listen as Host " << s->defaultsite << " on IP: " << s->s);
} else {
- debugs(3, 0, "http(s)_port: failed to resolve Host/IP: " << host);
+ debugs(3, DBG_CRITICAL, s->protocol << "_port: failed to resolve Host/IP: " << host);
self_destruct();
}
}
}
}
-static http_port_list *
-create_http_port(char *portspec)
-{
- http_port_list *s = new http_port_list("http");
- parse_http_port_specification(s, portspec);
- return s;
-}
-
void
add_http_port(char *portspec)
{
- http_port_list *s = create_http_port(portspec);
+ http_port_list *s = new http_port_list("http");
+ parsePortSpecification(s, portspec);
// we may need to merge better of the above returns a list with clones
assert(s->next == NULL);
s->next = Config.Sockaddr.http;
}
static void
-parse_http_port_list(http_port_list ** head)
+parsePortList(http_port_list ** head, const char *protocol)
{
char *token = strtok(NULL, w_space);
return;
}
- http_port_list *s = create_http_port(token);
+ http_port_list *s = new http_port_list(protocol);
+ parsePortSpecification(s, token);
/* parse options ... */
while ((token = strtok(NULL, w_space))) {
// clone the port options from *s to *(s->next)
s->next = clone_http_port_list(s);
s->next->s.SetIPv4();
- debugs(3, 3, "http(s)_port: clone wildcard address for split-stack: " << s->s << " and " << s->next->s);
+ debugs(3, 3, protocol << "_port: clone wildcard address for split-stack: " << s->s << " and " << s->next->s);
}
while (*head)
}
}
-#if USE_SSL
-
-// TODO: merge better with parse_http_port_list
-static void
-parse_https_port_list(https_port_list ** head)
-{
- char *token;
- https_port_list *s;
-
- token = strtok(NULL, w_space);
-
- if (!token)
- self_destruct();
-
- s = new https_port_list;
- parse_http_port_specification(&s->http, token);
-
- /* parse options ... */
- while ((token = strtok(NULL, w_space))) {
- parse_http_port_option(s, token);
- }
-
- while (*head) {
- http_port_list ** headTmp = &(*head)->http.next;
- head = (https_port_list **)headTmp;
- }
-
- *head = s;
-}
-
-static void
-dump_https_port_list(StoreEntry * e, const char *n, const https_port_list * s)
-{
- dump_http_port_list(e, n, s);
-}
-
-static void
-free_https_port_list(https_port_list ** head)
-{
- free_http_port_list((http_port_list**)head);
-}
-
-#if 0
-static int
-check_null_https_port_list(const https_port_list * s)
-{
- return NULL == s;
-}
-
-#endif
-
-#endif /* USE_SSL */
-
void
configFreeMemory(void)
{
SSL Bump Mode Options:
+ In addition to these options ssl-bump requires TLS/SSL options.
+
+ generate-host-certificates[=<on|off>]
+ Dynamically create SSL server certificates for the
+ destination hosts of bumped CONNECT requests.When
+ enabled, the cert and key options are used to sign
+ generated certificates. Otherwise generated
+ certificate will be selfsigned.
+ If there is a CA certificate lifetime of the generated
+ certificate equals lifetime of the CA certificate. If
+ generated certificate is selfsigned lifetime is three
+ years.
+ This option is enabled by default when ssl-bump is used.
+ See the ssl-bump option above for more information.
+
+ dynamic_cert_mem_cache_size=SIZE
+ Approximate total RAM size spent on cached generated
+ certificates. If set to zero, caching is disabled. The
+ default value is 4MB. An average XXX-bit certificate
+ consumes about XXX bytes of RAM.
+
+ TLS / SSL Options:
cert= Path to SSL certificate (PEM format).
sslcontext= SSL session ID context identifier.
- generate-host-certificates[=<on|off>]
- Dynamically create SSL server certificates for the
- destination hosts of bumped CONNECT requests.When
- enabled, the cert and key options are used to sign
- generated certificates. Otherwise generated
- certificate will be selfsigned.
- If there is CA certificate life time of generated
- certificate equals lifetime of CA certificate. If
- generated certificate is selfsigned lifetime is three
- years.
- This option is enabled by default when SslBump is used.
- See the sslBump option above for more information.
-
- dynamic_cert_mem_cache_size=SIZE
- Approximate total RAM size spent on cached generated
- certificates. If set to zero, caching is disabled. The
- default value is 4MB. An average XXX-bit certificate
- consumes about XXX bytes of RAM.
-
Other Options:
connection-auth[=on|off]
DOC_START
Usage: [ip:]port cert=certificate.pem [key=key.pem] [mode] [options...]
- The socket address where Squid will listen for HTTPS client
- requests.
+ The socket address where Squid will listen for client requests made
+ over TLS or SSL connections. Commonly referred to as HTTPS.
- This is really only useful for situations where you are running
- squid in accelerator mode and you want to do the SSL work at the
- accelerator level.
+ This is most useful for situations where you are running squid in
+ accelerator mode and you want to do the SSL work at the accelerator level.
You may specify multiple socket addresses on multiple lines,
each with their own SSL certificate and/or options.
- Modes:
-
- accel Accelerator / reverse proxy mode
-
- Omitting the mode flag causes default forward proxy mode to be used.
-
-
- See http_port for a list of generic options
-
-
- SSL Options:
-
- cert= Path to SSL certificate (PEM format).
-
- key= Path to SSL private key file (PEM format)
- if not specified, the certificate file is
- assumed to be a combined certificate and
- key file.
-
- version= The version of SSL/TLS supported
- 1 automatic (default)
- 2 SSLv2 only
- 3 SSLv3 only
- 4 TLSv1 only
-
- cipher= Colon separated list of supported ciphers.
-
- options= Various SSL engine options. The most important
- being:
- NO_SSLv2 Disallow the use of SSLv2
- NO_SSLv3 Disallow the use of SSLv3
- NO_TLSv1 Disallow the use of TLSv1
- SINGLE_DH_USE Always create a new key when using
- temporary/ephemeral DH key exchanges
- See src/ssl_support.c or OpenSSL SSL_CTX_set_options
- documentation for a complete list of options.
-
- clientca= File containing the list of CAs to use when
- requesting a client certificate.
-
- cafile= File containing additional CA certificates to
- use when verifying client certificates. If unset
- clientca will be used.
-
- capath= Directory containing additional CA certificates
- and CRL lists to use when verifying client certificates.
-
- crlfile= File of additional CRL lists to use when verifying
- the client certificate, in addition to CRLs stored in
- the capath. Implies VERIFY_CRL flag below.
-
- dhparams= File containing DH parameters for temporary/ephemeral
- DH key exchanges.
-
- sslflags= Various flags modifying the use of SSL:
- DELAYED_AUTH
- Don't request client certificates
- immediately, but wait until acl processing
- requires a certificate (not yet implemented).
- NO_DEFAULT_CA
- Don't use the default CA lists built in
- to OpenSSL.
- NO_SESSION_REUSE
- Don't allow for session reuse. Each connection
- will result in a new SSL session.
- VERIFY_CRL
- Verify CRL lists when accepting client
- certificates.
- VERIFY_CRL_ALL
- Verify CRL lists for all certificates in the
- client certificate chain.
-
- sslcontext= SSL session ID context identifier.
-
+ See http_port for a list of available options.
DOC_END
NAME: tcp_outgoing_tos tcp_outgoing_ds tcp_outgoing_dscp
static void
httpsAccept(const CommAcceptCbParams ¶ms)
{
- https_port_list *s = (https_port_list *)params.data;
+ http_port_list *s = (http_port_list *)params.data;
if (params.flag != COMM_OK) {
// Its possible the call was still queued when the client disconnected
debugs(33, 4, HERE << params.conn << " accepted, starting SSL negotiation.");
fd_note(params.conn->fd, "client https connect");
- if (s->http.tcp_keepalive.enabled) {
- commSetTcpKeepalive(params.conn->fd, s->http.tcp_keepalive.idle, s->http.tcp_keepalive.interval, s->http.tcp_keepalive.timeout);
+ if (s->tcp_keepalive.enabled) {
+ commSetTcpKeepalive(params.conn->fd, s->tcp_keepalive.idle, s->tcp_keepalive.interval, s->tcp_keepalive.timeout);
}
incoming_sockets_accepted++;
// Socket is ready, setup the connection manager to start using it
- ConnStateData *connState = connStateCreate(params.conn, &s->http);
+ ConnStateData *connState = connStateCreate(params.conn, s);
typedef CommCbMemFunT<ConnStateData, CommTimeoutCbParams> TimeoutDialer;
AsyncCall::Pointer timeoutCall = JobCallback(33, 5,
#if USE_SSL
if (s->sslBump && !Config.accessList.ssl_bump) {
- debugs(33, DBG_IMPORTANT, "WARNING: No ssl_bump configured. Disabling ssl-bump on " << s->protocol << "_port " << s->http.s);
+ debugs(33, DBG_IMPORTANT, "WARNING: No ssl_bump configured. Disabling ssl-bump on " << s->protocol << "_port " << s->s);
s->sslBump = 0;
}
if (s->sslBump && !s->staticSslContext && !s->generateHostCertificates) {
- debugs(1, DBG_IMPORTANT, "Will not bump SSL at http_port " << s->http.s << " due to SSL initialization failure.");
+ debugs(1, DBG_IMPORTANT, "Will not bump SSL at http_port " << s->s << " due to SSL initialization failure.");
s->sslBump = 0;
}
if (s->sslBump) {
static void
clientHttpsConnectionsOpen(void)
{
- https_port_list *s;
+ http_port_list *s;
- for (s = Config.Sockaddr.https; s; s = (https_port_list *)s->http.next) {
+ for (s = Config.Sockaddr.https; s; s = s->next) {
if (MAXHTTPPORTS == NHttpSockets) {
debugs(1, 1, "Ignoring 'https_port' lines exceeding the limit.");
debugs(1, 1, "The limit is " << MAXHTTPPORTS << " HTTPS ports.");
}
if (!s->staticSslContext) {
- debugs(1, 1, "Ignoring https_port " << s->http.s <<
+ debugs(1, 1, "Ignoring https_port " << s->s <<
" due to SSL initialization failure.");
continue;
}
// Fill out a Comm::Connection which IPC will open as a listener for us
- s->http.listenConn = new Comm::Connection;
- s->http.listenConn->local = s->http.s;
- s->http.listenConn->flags = COMM_NONBLOCKING | (s->http.spoof_client_ip ? COMM_TRANSPARENT : 0) |
- (s->http.intercepted ? COMM_INTERCEPTION : 0);
+ s->listenConn = new Comm::Connection;
+ s->listenConn->local = s->s;
+ s->listenConn->flags = COMM_NONBLOCKING | (s->spoof_client_ip ? COMM_TRANSPARENT : 0) |
+ (s->intercepted ? COMM_INTERCEPTION : 0);
// setup the subscriptions such that new connections accepted by listenConn are handled by HTTPS
typedef CommCbFunPtrCallT<CommAcceptCbPtrFun> AcceptCall;
AsyncCall::Pointer listenCall = asyncCall(33, 2, "clientListenerConnectionOpened",
ListeningStartedDialer(&clientListenerConnectionOpened,
- &s->http, Ipc::fdnHttpsSocket, sub));
+ s, Ipc::fdnHttpsSocket, sub));
Ipc::StartListening(SOCK_STREAM, IPPROTO_TCP, s->listenConn, Ipc::fdnHttpsSocket, listenCall);
HttpSockets[NHttpSockets++] = -1;
}
class CpuAffinityMap;
class RemovalPolicySettings;
class external_acl;
+class Store;
+struct http_port_list;
class SwapDir;
/// Used for boolean enabled/disabled options with complex default logic.
struct {
http_port_list *http;
#if USE_SSL
-
- https_port_list *https;
+ http_port_list *https;
#endif
} Sockaddr;
#if USE_SSL
if (Config.Sockaddr.https && sa.IsAnyAddr())
- sa = Config.Sockaddr.https->http.s;
+ sa = Config.Sockaddr.https->s;
#endif
#if USE_SSL
if (Config.Sockaddr.https)
- return Config.Sockaddr.https->http.s.GetPort();
+ return Config.Sockaddr.https->s.GetPort();
#endif
debugs(21, DBG_CRITICAL, "ERROR: No forward-proxy ports configured.");
size_t kb;
} kb_t;
-struct http_port_list;
-struct https_port_list;
-
typedef struct _close_handler close_handler;
typedef struct _dread_ctrl dread_ctrl;
projects / thirdparty / squid.git / commitdiff
