* - peer relay prohibited. TODO: re-encrypt and re-wrap with CONNECT
*/
bool tunnelSslBumping;
+
+ /** true if the traffic is in any way intercepted
+ *
+ */
+ bool isIntercepted() { return natIntercept||tproxyIntercept ;}
};
} // namespace AnyP
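Review bot: The new `isIntercepted()` accessor is not declared `const`, so it cannot be called through a `const PortCfg` or `const flags` reference even though it only reads two bools; every call site added in this commit happens to go through a non-const pointer, but the first const-correct caller will fail to compile and someone will be tempted to drop the const there instead. I would also close the empty Doxygen line and normalise the spacing: `/// true if the port's traffic is intercepted (NAT or TPROXY)` and `bool isIntercepted() const { return natIntercept || tproxyIntercept; }`. The enclosing struct starts before this hunk, so I cannot tell whether a sibling helper for the accelerator/surrogate flags already exists that this should sit next to.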
/* modes first */
if (strcmp(token, "accel") == 0) {
- if (s->flags.natIntercept || s->flags.tproxyIntercept) {
+ if (s->flags.isIntercepted()) {
debugs(3, DBG_CRITICAL, "FATAL: http(s)_port: Accelerator mode requires its own port. It cannot be shared with other modes.");
self_destruct();
}
} else if (strcmp(token, "ignore-cc") == 0) {
#if !USE_HTTP_VIOLATIONS
if (!s->flags.accelSurrogate) {
- debugs(3, DBG_CRITICAL, "FATAL: http(s)_port: ignore-cc option requires Scceleration mode flag.");
+ debugs(3, DBG_CRITICAL, "FATAL: http(s)_port: ignore-cc option requires Acceleration mode flag.");
self_destruct();
}
#endif
} else if (strcasecmp(token, "sslBump") == 0) {
debugs(3, DBG_CRITICAL, "WARNING: '" << token << "' is deprecated " <<
"in http_port. Use 'ssl-bump' instead.");
- s->flags.tunnelSslBumping = true; // accelerated when bumped, otherwise not
+ s->flags.tunnelSslBumping = true;
} else if (strcmp(token, "ssl-bump") == 0) {
- s->flags.tunnelSslBumping = true; // accelerated when bumped, otherwise not
+ s->flags.tunnelSslBumping = true;
} else if (strncmp(token, "cert=", 5) == 0) {
safe_free(s->cert);
s->cert = xstrdup(token + 5);
#if USE_SSL
if (strcasecmp(protocol, "https") == 0) {
/* ssl-bump on https_port configuration requires either tproxy or intercept, and vice versa */
- const bool hijacked = s->flags.tproxyIntercept || s->flags.natIntercept;
+ const bool hijacked = s->flags.isIntercepted();
if (s->flags.tunnelSslBumping && !hijacked) {
debugs(3, DBG_CRITICAL, "FATAL: ssl-bump on https_port requires tproxy/intercept which is missing.");
self_destruct();
debugs(33, 5, HERE << "Error while bumping: " << sslConnectHostOrIp);
Ip::Address intendedDest;
intendedDest = sslConnectHostOrIp.termedBuf();
- const bool isConnectRequest = !port->flags.tproxyIntercept && !port->flags.natIntercept;
+ const bool isConnectRequest = !port->flags.isIntercepted();
// Squid serves its own error page and closes, so we want
// a CN that causes no additional browser errors. Possible
// For intercepted connections, set the host name to the server
// certificate CN. Otherwise, we just hope that CONNECT is using
// a user-entered address (a host name or a user-entered IP).
- const bool isConnectRequest = !request->clientConnectionManager->port->flags.tproxyIntercept &&
- !request->clientConnectionManager->port->flags.natIntercept;
+ const bool isConnectRequest = !request->clientConnectionManager->port->flags.isIntercepted();
if (request->flags.sslPeek && !isConnectRequest) {
if (X509 *srvX509 = errDetails->peerCert()) {
if (const char *name = Ssl::CommonHostName(srvX509)) {
// unless it was the CONNECT request with a user-typed address.
const char *hostname = request->GetHost();
const bool hostnameIsIp = request->GetHostIsNumeric();
- const bool isConnectRequest = !request->clientConnectionManager->port->flags.tproxyIntercept &&
- !request->clientConnectionManager->port->flags.natIntercept;
+ const bool isConnectRequest = !request->clientConnectionManager->port->flags.isIntercepted();
if (!request->flags.sslPeek || isConnectRequest)
SSL_set_ex_data(ssl, ssl_ex_index_server, (void*)hostname);
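Review bot: `isConnectRequest` is still derived by hand at three separate sites in this commit (here, the error-detail path above, and the `intendedDest` path) as `!request->clientConnectionManager->port->flags.isIntercepted()`, so the refactor only moved the duplication up one level and the three sites can still drift apart. Since every occurrence dereferences `request->clientConnectionManager->port`, a single helper such as `bool isConnectRequest(const HttpRequest &request) { return !request->clientConnectionManager->port->flags.isIntercepted(); }` next to the other SSL helpers would make the flag's meaning (CONNECT with a user-typed address versus a hijacked connection) live in one place; where that helper belongs depends on code outside this diff. The functions touched by these hunks begin and end outside the visible lines, so whether `clientConnectionManager` is guaranteed valid at each site is not something this diff shows.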
AnyP::PortCfg *p = NULL;
if ((p = Config.Sockaddr.http)) {
// skip any special interception ports
- while (p && (p->flags.natIntercept || p->flags.tproxyIntercept))
+ while (p && p->flags.isIntercepted())
p = p->next;
if (p)
return p->s.GetPort();
#if USE_SSL
if ((p = Config.Sockaddr.https)) {
// skip any special interception ports
- while (p && (p->flags.natIntercept || p->flags.tproxyIntercept))
+ while (p && p->flags.isIntercepted())
p = p->next;
if (p)
return p->s.GetPort();