// Because it failed verification, or someone bypassed the security tests
// we cannot cache the reponse for sharing between clients.
// TODO: update cache to store for particular clients only (going to same Host: and destination IP)
- if (!flags.hostVerified && (flags.intercepted || flags.spoof_client_ip))
+ if (!flags.hostVerified() && (flags.intercepted() || flags.spoofClientIp()))
return false;
if (protocol == AnyP::PROTO_HTTP)
hierarchical(0), loopdetect(0), proxy_keepalive(0), proxying(0),
refresh(0), redirected(0), need_validation(0),
fail_on_validation_err(0), stale_if_hit(0), nocache_hack(0), accelerated(0),
- ignore_cc(0), intercepted(0), hostVerified(0), spoof_client_ip(0),
- internal(0), internalclient(false), must_keepalive(false), connection_auth_wanted(false), connection_auth_disabled(false), connection_proxy_auth(false), pinned_(false),
+ ignore_cc(false), intercepted_(false), hostVerified_(false), spoof_client_ip(false),
+ internal(false), internalclient(false), must_keepalive(false), connection_auth_wanted(false), connection_auth_disabled(false), connection_proxy_auth(false), pinned_(false),
canRePin_(false), authSent_(false), noDirect_(false), chunkedReply_(false),
streamError_(false), sslPeek_(false),
doneFollowXForwardedFor(!FOLLOW_X_FORWARDED_FOR),
/* for changing/ignoring no-cache requests. Unused unless USE_HTTP_VIOLATIONS */
unsigned int nocache_hack :1;
unsigned int accelerated :1;
- unsigned int ignore_cc :1;
- unsigned int intercepted :1; ///< intercepted request
- unsigned int hostVerified :1; ///< whether the Host: header passed verification
- unsigned int spoof_client_ip :1; /**< spoof client ip if possible */
- unsigned int internal :1;
// When adding new flags, please update cloneAdaptationImmune() as needed.
bool resetTCP() const;
bool pinned() const { return pinned_; }
//XXX: oddly this is set in client_side_request.cc, but never checked.
- bool wantConnectionProxyAuth() { return connection_proxy_auth; }
+ bool wantConnectionProxyAuth() const { return connection_proxy_auth; }
void requestConnectionProxyAuth() { connection_proxy_auth=true; }
void disableConnectionAuth() { connection_auth_disabled=true; }
- bool connectionAuthDisabled() { return connection_auth_disabled; }
+ bool connectionAuthDisabled() const { return connection_auth_disabled; }
void wantConnectionAuth() { connection_auth_wanted=true; }
- bool connectionAuthWanted() { return connection_auth_wanted; }
+ bool connectionAuthWanted() const { return connection_auth_wanted; }
void setMustKeepalive() { must_keepalive = true; }
- bool mustKeepalive() { return must_keepalive; }
+ bool mustKeepalive() const { return must_keepalive; }
//XXX: oddly this is set in client_side_request.cc but never checked.
void setInternalClient() { internalclient=true;}
+
+ void markInternal() { internal=true; }
+ bool isInternal() const { return internal; }
+
+ bool spoofClientIp() const { return spoof_client_ip; }
+ void setSpoofClientIp() { spoof_client_ip = true; }
+
+ bool hostVerified() const { return hostVerified_; }
+ void markHostVerified() { hostVerified_=true; }
+
+ bool intercepted() const { return intercepted_; }
+ void markIntercepted() { intercepted_=true; }
+
+ bool ignoringCacheControl() const { return ignore_cc; }
+ void ignoreCacheControl() { ignore_cc=true; }
private:
+ bool ignore_cc :1;
+ bool intercepted_ :1; ///< intercepted request
+ bool hostVerified_ :1; ///< whether the Host: header passed verification
+ bool spoof_client_ip :1; /**< spoof client ip if possible */
+ bool internal :1;
bool internalclient :1;
bool must_keepalive :1;
bool connection_auth_wanted :1; /** Request wants connection oriented auth */
// To resolve this we will force DIRECT and only to the original client destination.
// In which case, we also need this ACL to accurately match the destination
if (Config.onoff.client_dst_passthru && checklist->request &&
- (checklist->request->flags.intercepted || checklist->request->flags.spoof_client_ip)) {
+ (checklist->request->flags.intercepted() || checklist->request->flags.spoofClientIp())) {
assert(checklist->conn() && checklist->conn()->clientConnection != NULL);
return ACLIP::match(checklist->conn()->clientConnection->local);
}
} else if (request->flags.accelerated) {
/* WWW authorization on accelerated requests */
headertype = HDR_AUTHORIZATION;
- } else if (request->flags.intercepted || request->flags.spoof_client_ip) {
+ } else if (request->flags.intercepted() || request->flags.spoofClientIp()) {
debugs(28, DBG_IMPORTANT, "NOTICE: Authentication not applicable on intercepted requests.");
return ACCESS_DENIED;
} else {
request->flags.setSslBumped(conn->switchedToHttps());
if (request->flags.sslBumped() && conn->pinning.pinned)
request->flags.allowRepinning();
- request->flags.ignore_cc = conn->port->ignore_cc;
+ if (conn->port->ignore_cc)
+ request->flags.ignoreCacheControl();
// TODO: decouple http->flags.accel from request->flags.sslBumped
if (request->flags.accelerated && !request->flags.sslBumped())
if (!conn->port->allow_direct)
* from the port settings to the request.
*/
if (http->clientConnection != NULL) {
- request->flags.intercepted = ((http->clientConnection->flags & COMM_INTERCEPTION) != 0);
- request->flags.spoof_client_ip = ((http->clientConnection->flags & COMM_TRANSPARENT) != 0 ) ;
+ if ((http->clientConnection->flags & COMM_INTERCEPTION) != 0)
+ request->flags.markIntercepted();
+ if ((http->clientConnection->flags & COMM_TRANSPARENT) != 0 )
+ request->flags.setSpoofClientIp();
}
if (internalCheck(request->urlpath.termedBuf())) {
request->login[0] = '\0';
}
- request->flags.internal = http->flags.internal;
+ if (http->flags.internal)
+ request->flags.markInternal();
setLogUri (http, urlCanonicalClean(request));
request->client_addr = conn->clientConnection->remote; // XXX: remove reuest->client_addr member.
#if FOLLOW_X_FORWARDED_FOR
fakeRequest->indirect_client_addr = connState->clientConnection->remote;
#endif
fakeRequest->my_addr = connState->clientConnection->local;
- fakeRequest->flags.spoof_client_ip = ((connState->clientConnection->flags & COMM_TRANSPARENT) != 0 ) ;
- fakeRequest->flags.intercepted = ((connState->clientConnection->flags & COMM_INTERCEPTION) != 0);
+ if ((connState->clientConnection->flags & COMM_TRANSPARENT) != 0)
+ fakeRequest->flags.setSpoofClientIp();
+ if ((connState->clientConnection->flags & COMM_INTERCEPTION) != 0)
+ fakeRequest->flags.markIntercepted();
debugs(33, 4, HERE << details << " try to generate a Dynamic SSL CTX");
connState->switchToHttps(fakeRequest, bumpMode);
}
continue;
}
request->flags.setMustKeepalive();
- if (!request->flags.accelerated && !request->flags.intercepted) {
+ if (!request->flags.accelerated && !request->flags.intercepted()) {
httpHeaderPutStrf(hdr, HDR_PROXY_SUPPORT, "Session-Based-Authentication");
/*
We send "[Proxy-]Connection: Proxy-Support" header to mark
{
HttpRequest *r = http->request;
- if (r->flags.cachable || r->flags.internal) {
+ if (r->flags.cachable || r->flags.isInternal()) {
lookingforstore = 5;
StoreEntry::getPublicByRequest (this, r);
} else {
for (int i = 0; i < ia->count; ++i) {
if (clientConn->local.matchIPAddr(ia->in_addrs[i]) == 0) {
debugs(85, 3, HERE << "validate IP " << clientConn->local << " possible from Host:");
- http->request->flags.hostVerified = 1;
+ http->request->flags.markHostVerified();
http->doCallouts();
return;
}
return;
}
- if (http->request->flags.internal) {
+ if (http->request->flags.isInternal()) {
// TODO: kill this when URL handling allows partial URLs out of accel mode
// and we no longer screw with the URL just to add our internal host there
debugs(85, 6, HERE << "validate skipped due to internal composite URL.");
}
debugs(85, 3, HERE << "validate host=" << host << ", port=" << port << ", portStr=" << (portStr?portStr:"NULL"));
- if (http->request->flags.intercepted || http->request->flags.spoof_client_ip) {
+ if (http->request->flags.intercepted() || http->request->flags.spoofClientIp()) {
// verify the Host: port (if any) matches the apparent destination
if (portStr && port != http->getConn()->clientConnection->local.GetPort()) {
debugs(85, 3, HERE << "FAIL on validate port " << http->getConn()->clientConnection->local.GetPort() <<
} else {
// Okay no problem.
debugs(85, 3, HERE << "validate passed.");
- http->request->flags.hostVerified = 1;
+ http->request->flags.markHostVerified();
http->doCallouts();
}
safe_free(hostB);
const wordlist *p = NULL;
// intercepted requests MUST NOT (yet) be sent to peers unless verified
- if (!request->flags.hostVerified && (request->flags.intercepted || request->flags.spoof_client_ip))
+ if (!request->flags.hostVerified() && (request->flags.intercepted() || request->flags.spoofClientIp()))
return 0;
/*
if (request->ims > 0)
request->flags.ims = 1;
- if (!request->flags.ignore_cc) {
+ if (!request->flags.ignoringCacheControl()) {
if (req_hdr->has(HDR_PRAGMA)) {
String s = req_hdr->getList(HDR_PRAGMA);
case LFT_LOCAL_LISTENING_IP: {
// avoid logging a dash if we have reliable info
const bool interceptedAtKnownPort = al->request ?
- (al->request->flags.spoof_client_ip ||
- al->request->flags.intercepted) && al->cache.port :
+ (al->request->flags.spoofClientIp() ||
+ al->request->flags.intercepted()) && al->cache.port :
false;
if (interceptedAtKnownPort) {
const bool portAddressConfigured = !al->cache.port->s.IsAnyAddr();
conn->local.SetIPv4();
// maybe use TPROXY client address
- if (request && request->flags.spoof_client_ip) {
+ if (request && request->flags.spoofClientIp()) {
if (!conn->getPeer() || !conn->getPeer()->options.no_tproxy) {
#if FOLLOW_X_FORWARDED_FOR && LINUX_NETFILTER
if (Config.onoff.tproxy_uses_indirect_client)
closeHandler = NULL;
fwd->unregister(serverConnection);
- if (request->flags.spoof_client_ip)
+ if (request->flags.spoofClientIp())
client_addr = request->client_addr;
if (request->flags.pinned()) {
// on intercepted traffic which failed Host verification
const HttpRequest *req = psstate->request;
const bool isIntercepted = !req->flags.redirected &&
- (req->flags.intercepted || req->flags.spoof_client_ip);
- const bool useOriginalDst = Config.onoff.client_dst_passthru || !req->flags.hostVerified;
+ (req->flags.intercepted() || req->flags.spoofClientIp());
+ const bool useOriginalDst = Config.onoff.client_dst_passthru || !req->flags.hostVerified();
const bool choseDirect = fs && fs->code == HIER_DIRECT;
if (isIntercepted && useOriginalDst && choseDirect) {
// construct a "result" adding the ORIGINAL_DST to the set instead of DIRECT
break;
// for TPROXY we must skip unusable addresses.
- if (psstate->request->flags.spoof_client_ip && !(fs->_peer && fs->_peer->options.no_tproxy) ) {
+ if (psstate->request->flags.spoofClientIp() && !(fs->_peer && fs->_peer->options.no_tproxy) ) {
if (ia->in_addrs[n].IsIPv4() != psstate->request->client_addr.IsIPv4()) {
// we CAN'T spoof the address on this link. find another.
continue;
debugs(22, 3, "\tentry->timestamp:\t" << mkrfc1123(entry->timestamp));
- if (request && !request->flags.ignore_cc) {
+ if (request && !request->flags.ignoringCacheControl()) {
const HttpHdrCc *const cc = request->cache_control;
if (cc && cc->hasMinFresh()) {
const int32_t minFresh=cc->minFresh();
}
/* request-specific checks */
- if (request && !request->flags.ignore_cc) {
+ if (request && !request->flags.ignoringCacheControl()) {
HttpHdrCc *cc = request->cache_control;
if (request->flags.ims && (R->flags.refresh_ims || Config.onoff.refresh_all_ims)) {
TunnelStateData *tunnelState = (TunnelStateData *)data;
debugs(26, 3, HERE << server << ", tunnelState=" << tunnelState);
- if (tunnelState->request && (tunnelState->request->flags.spoof_client_ip || tunnelState->request->flags.intercepted))
+ if (tunnelState->request && (tunnelState->request->flags.spoofClientIp() || tunnelState->request->flags.intercepted()))
tunnelStartShoveling(tunnelState); // ssl-bumped connection, be quiet
else {
AsyncCall::Pointer call = commCbCall(5,5, "tunnelConnectedWriteDone",
projects / thirdparty / squid.git / commitdiff
