Bug 3209: ssl-bumped requests forwarded unencrypted to the parent proxies/caches
authorChristos Tsantilas <chtsanti@users.sourceforge.net>
Fri, 6 May 2011 09:10:34 +0000 (12:10 +0300)
committerChristos Tsantilas <chtsanti@users.sourceforge.net>
Fri, 6 May 2011 09:10:34 +0000 (12:10 +0300)
This patch blocks all ssl-bumped requests that are not forwarded directly to
origin servers.

A new flag is added to request_flags to mark HTTP requests that are
ssl-bumped.

src/client_side.cc
src/forward.cc
src/structs.h

index 755ac2970977bb76ba949dfe0c83bc8f08ee64c1..6b79f81e9f46b3af09287d8ef9d87001cbd38f67 100644 (file)
@@ -2501,6 +2501,7 @@ clientProcessRequest(ConnStateData *conn, HttpParser *hp, ClientSocketContext *c
     }
 
     request->flags.accelerated = http->flags.accel;
+    request->flags.sslBumped = conn->switchedToHttps();
     request->flags.ignore_cc = conn->port->ignore_cc;
     request->flags.no_direct = request->flags.accelerated ? !conn->port->allow_direct : 0;
 
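Review bot: The added assignment gives no hint why a property of the client connection is copied onto every request, nor where the flag is enforced; a short comment would save the next reader a search: `// Bumped (decrypted) requests must not be relayed in cleartext; FwdState::connectStart() refuses to send them to cache_peers.` The flag only mirrors conn->switchedToHttps() at parse time, so it presumably covers every request parsed on the connection after the switch — worth confirming that no other path constructs an HttpRequest for a bumped connection without passing through here, since such a request would forward to peers unchecked. clientProcessRequest() starts outside the hunk.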
index 0c1d27c1a290600026f28229097316b4f399ac2a..2ae2843c1bf23c0e1dac02b6505720f02cd219b8 100644 (file)
@@ -828,6 +828,13 @@ FwdState::connectStart()
     if (ftimeout < ctimeout)
         ctimeout = ftimeout;
 
+    if (fs->_peer && request->flags.sslBumped == true) {
+        debugs(50, 4, "fwdConnectStart: Ssl bumped connections through parrent proxy are not allowed");
+        ErrorState *anErr = errorCon(ERR_CANNOT_FORWARD, HTTP_SERVICE_UNAVAILABLE, request);
+        fail(anErr);
+        self = NULL; // refcounted
+        return;
+    } 
 
     request->flags.pinned = 0;
     if (fs->code == PINNED) {
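Review bot: Calling fail() as soon as the selected server is a cache_peer discards any DIRECT entry that peer selection may have queued behind it, so a site that could still be reached directly is answered with ERR_CANNOT_FORWARD / 503 instead; if FwdState already advances to the next FwdServer on a failed peer connect, skipping the peer here would be preferable, and rejecting peers for bumped requests at peer-selection time would avoid the question entirely — both depend on list handling outside this hunk, so treat this as a suggestion to verify. Two smaller points on the same lines: the debug message misspells `parrent`, and comparing a one-bit field with `== true` reads more naturally as `if (fs->_peer && request->flags.sslBumped) {`. The enclosing connectStart() starts and ends outside the hunk.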
index c99508fa863519fe4d219d3fd3dd7204a34c115d..49cf40bf4336e9c3a75e73c836ee8435c5f50588 100644 (file)
@@ -1011,7 +1011,7 @@ struct _iostats {
 
 
 struct request_flags {
-    request_flags(): range(0),nocache(0),ims(0),auth(0),cachable(0),hierarchical(0),loopdetect(0),proxy_keepalive(0),proxying(0),refresh(0),redirected(0),need_validation(0),fail_on_validation_err(0),stale_if_hit(0),accelerated(0),ignore_cc(0),intercepted(0),spoof_client_ip(0),internal(0),internalclient(0),must_keepalive(0),chunked_reply(0),stream_error(0),destinationIPLookedUp_(0) {
+request_flags(): range(0),nocache(0),ims(0),auth(0),cachable(0),hierarchical(0),loopdetect(0),proxy_keepalive(0),proxying(0),refresh(0),redirected(0),need_validation(0),fail_on_validation_err(0),stale_if_hit(0),accelerated(0),ignore_cc(0),intercepted(0),spoof_client_ip(0),internal(0),internalclient(0),must_keepalive(0),chunked_reply(0),stream_error(0),sslBumped(0),destinationIPLookedUp_(0) {
 #if USE_HTTP_VIOLATIONS
         nocache_hack = 0;
 #endif
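Review bot: sslBumped is added to the initializer list here, yet the diffstat lists only client_side.cc, forward.cc and structs.h and neither structs.h hunk touches cloneAdaptationImmune(), which the comment beside the flag declarations asks to be updated for every new flag. If that function assembles the flags of an ICAP/eCAP-adapted request from a copied subset, an adapted request would lose sslBumped and sail past the peer check in FwdState::connectStart(), reopening the bug for adapted traffic; unless the copy happens elsewhere, `sslBumped` should be carried over there. A more explicit field comment would also help readers understand the security intent: `/**< request arrived on an ssl-bumped client connection; must not be relayed unencrypted to a cache_peer */`.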
@@ -1053,6 +1053,7 @@ unsigned int proxying:
     unsigned int no_direct:1;  /* Deny direct forwarding unless overriden by always_direct. Used in accelerator mode */
     unsigned int chunked_reply:1; /**< Reply with chunked transfer encoding */
     unsigned int stream_error:1; /**< Whether stream error has occured */
+    unsigned int sslBumped:1; /**< ssl-bumped request*/
 
     // When adding new flags, please update cloneAdaptationImmune() as needed.