Use forward-proxy port for internal URLs.

Alter the getMyPort() function to skip ports flagged for special mode
handling (intercept, tproxy, accel) when generating internal URLs.

This allows us to lock down security on these special mode ports and
still have an optional position for the forward-proxy port. Prior to
this only the first port was used, forcing an unnecessary configuration
order.

Since it is now possible to have no port available for these URLs the
fatal()/crash has been reduced to an annoying cache.log message. Port 0
will be inserted into the URLs making them invalid.

For now this is only done on http_port entries. https_port has an
incomplete merge of https_port_list/http_port_list which needs to be
completed before it is easily done there.

diff --git a/src/tools.cc b/src/tools.cc
index deb684c29ef24b88e830a06a0f77c256571b4ef6..02b4c579840d5c37f33cf79b772e0f260e14162f 100644 (file)
--- a/src/tools.cc
+++ b/src/tools.cc
@@ -1245,19 +1245,22 @@ parseEtcHosts(void)
 int
 getMyPort(void)
 {
-    if (Config.Sockaddr.http)
-        return Config.Sockaddr.http->s.GetPort();
+    if (Config.Sockaddr.http) {
+        // skip any special mode ports
+        http_port_list *p = Config.Sockaddr.http;
+        while(p->intercepted || p->accel || p->spoof_client_ip)
+            p = p->next;
+        if (p)
+            return p->s.GetPort();
+    }
 
 #if USE_SSL
-
     if (Config.Sockaddr.https)
         return Config.Sockaddr.https->http.s.GetPort();
-
 #endif
 
-    fatal("No port defined");
-
-    return 0;                  /* NOT REACHED */
+    debugs(21, DBG_CRITICAL, "ERROR: No forward-proxy ports configured.");
+    return 0; // Invalid port. This will result in invalid URLs on bad configurations.
 }
 
 /*