new_ipdata = static_cast<AuthUserIP *>(from->ip_list.head->data);
/* If this IP has expired - ignore the expensive merge actions. */
- if (new_ipdata->ip_expiretime + ::Config.authenticateIpTTL < squid_curtime) {
+ if (new_ipdata->ip_expiretime <= squid_curtime) {
/* This IP has expired - remove from the source list */
dlinkDelete(&new_ipdata->node, &(from->ip_list));
cbdataFree(new_ipdata);
/* update IP ttl and stop searching. */
ipdata->ip_expiretime = max(ipdata->ip_expiretime, new_ipdata->ip_expiretime);
break;
- } else if (ipdata->ip_expiretime + ::Config.authenticateIpTTL < squid_curtime) {
+ } else if (ipdata->ip_expiretime <= squid_curtime) {
/* This IP has expired - cleanup the destination list */
dlinkDelete(&ipdata->node, &ip_list);
cbdataFree(ipdata);
found = 1;
/* update IP ttl */
ipdata->ip_expiretime = squid_curtime;
- } else if (ipdata->ip_expiretime + ::Config.authenticateIpTTL < squid_curtime) {
+ } else if (ipdata->ip_expiretime <= squid_curtime) {
/* This IP has expired - remove from the seen list */
dlinkDelete(&ipdata->node, &ip_list);
cbdataFree(ipdata);
/* This ip is not in the seen list */
ipdata = cbdataAlloc(AuthUserIP);
- ipdata->ip_expiretime = squid_curtime;
+ ipdata->ip_expiretime = squid_curtime + ::Config.authenticateIpTTL;
ipdata->ipaddr = ipaddr;
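Review bot: The refresh of an already-seen address, `ipdata->ip_expiretime = squid_curtime;` in the context lines just above the changed `else if`, still stores the current time. The new checks treat `ip_expiretime` as an absolute deadline (`<= squid_curtime`), and new entries are written as `squid_curtime + ::Config.authenticateIpTTL`. If that assignment sits in the same list walk, as it appears to, a known (user, IP) pair is treated as expired on the next pass and dropped, so the max_user_ip limit could undercount the addresses a user is active from. It should probably read `ipdata->ip_expiretime = squid_curtime + ::Config.authenticateIpTTL;`. The enclosing function starts and ends outside the hunk, so confirm this against the full loop.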
// AYJ: must match re-definition in helpers/negotiate_auth/kerberos/negotiate_kerb_auth.cc
#define MAX_AUTHTOKEN_LEN 32768
-/// \ingroup AuthAPI
+/**
+ * Node used to link an IP address to some user credentials
+ * for the max_user_ip ACL feature.
+ *
+ * \ingroup AuthAPI
+ */
class AuthUserIP
{
public:
dlink_node node;
- /* IP addr this user authenticated from */
+ /// IP address this user authenticated from
Ip::Address ipaddr;
+
+ /** When this IP should be forgotten.
+ * Set to the time of last request made from this
+ * (user,IP) pair plus authenticate_ip_ttl seconds
+ */
time_t ip_expiretime;
};
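Review bot: The new comment on `ip_expiretime` does not say that the field is now an absolute deadline, compared with `<= squid_curtime`, with the TTL folded in when the entry is written. As far as these hunks show, that has two consequences worth recording for maintainers. Stored entries keep the TTL that was configured when they were written, so a later reconfigure would not change their lifetime. An explicitly configured `authenticate_ip_ttl` of 0 also makes an entry stale in the second it is created, which would leave max_user_ip with nothing to count. I would extend the comment along the lines of `/// Absolute expiry time: the entry is stale once ip_expiretime <= squid_curtime; the TTL is applied when the entry is stored.`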
NAME: authenticate_ip_ttl
TYPE: time_t
LOC: Config.authenticateIpTTL
-DEFAULT: 0 seconds
+DEFAULT: 1 second
DOC_START
If you use proxy authentication and the 'max_user_ip' ACL,
this directive controls how long Squid remembers the IP