Bug 2862: add http(s):// support to cache manager

via http://$visible_hostname/ requests intercepted by the internal
server feature. Also https:// if SSL/TLS is available on the receiving
port.

In order to safely identify the manager reports the path prefix
/squid-internal-mgr/ is added. The old cache_oject:// scheme format
paths follow that identifier prefix.

To retrieve pages the proxy visible_hostname, management port (first
forward-proxy port), and the path prefix must all be present in the URL.

The "manager" ACL is altered to url_regex in order to match the new
protocol+path URL syntax.

Unlike the cache_object:// scheme, http[s]:// do not accept password
as part of the URL. If one is needed it must be sent via the HTTP
Authorization: Basic authentication header.

NP: use of this per-action cachemgr_passwd is not secure and should be
avoided. Stronger security can be gained via http_access with regular
proxy_auth and other ACLs.

diff --git a/src/cache_manager.cc b/src/cache_manager.cc
index fed773e6c5ed20b13cb180b2e508c0687e85f2ab..efe8caf85e258f466f395f0d9173611ba3ee3f05 100644 (file)
--- a/src/cache_manager.cc
+++ b/src/cache_manager.cc
@@ -193,6 +193,14 @@ CacheManager::ParseUrl(const char *url)
     int len = strlen(url);
     Must(len > 0);
     t = sscanf(url, "cache_object://%[^/]/%[^@?]%n@%[^?]?%s", host, request, &pos, password, params);
+    if (t < 1) {
+        t = sscanf(url, "http://%[^/]/squid-internal-mgr/%[^?]%n?%s", host, request, &pos, params);
+    }
+    if (t < 1) {
+        t = sscanf(url, "https://%[^/]/squid-internal-mgr/%[^?]%n?%s", host, request, &pos, params);
+    }
+    debugs(16, 3, HERE << "HTTPS: t=" << t << ", host='" << host << "', request='" << request << "', pos=" << pos <<
+           ", password='" << password << "', params='" << params << "'");
 
     if (pos >0 && url[pos] == '?') {
         ++pos;

diff --git a/src/cf.data.pre b/src/cf.data.pre
index 764c5ca52fae7439b0a05192080732e5a3eaaedf..de46490bc41240aba6a5e9b29374c0137e8fe07b 100644 (file)
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -862,7 +862,7 @@ NOCOMMENT_START
 #
 # Recommended minimum configuration:
 #
-acl manager proto cache_object
+acl manager url_regex -i ^cache_object:// +i ^https?://[^/]+/squid-internal-mgr/
 acl localhost src 127.0.0.1/32 ::1
 acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
 

diff --git a/src/forward.cc b/src/forward.cc
index d043092813f539fef8e6485e0648eb4b18eeb53e..8e71279c029bc125effcff105ebf6fb816fb20ed 100644 (file)
--- a/src/forward.cc
+++ b/src/forward.cc
@@ -247,7 +247,7 @@ FwdState::fwdStart(const Comm::ConnectionPointer &clientConn, StoreEntry *entry,
     switch (request->protocol) {
 
     case AnyP::PROTO_INTERNAL:
-        internalStart(request, entry);
+        internalStart(clientConn, request, entry);
         return;
 
     case AnyP::PROTO_CACHE_OBJECT:

diff --git a/src/internal.cc b/src/internal.cc
index 765d67f3ce4bdaae89810840830004d5fd08b509..4e5be31c044edcd576ea12e875557782eee76d8f 100644 (file)
--- a/src/internal.cc
+++ b/src/internal.cc
@@ -34,6 +34,8 @@
  */
 
 #include "squid.h"
+#include "CacheManager.h"
+#include "comm/Connection.h"
 #include "errorpage.h"
 #include "Store.h"
 #include "HttpRequest.h"
@@ -48,11 +50,11 @@
  * return HTTP_NOT_FOUND for others
  */
 void
-internalStart(HttpRequest * request, StoreEntry * entry)
+internalStart(const Comm::ConnectionPointer &clientConn, HttpRequest * request, StoreEntry * entry)
 {
     ErrorState *err;
     const char *upath = request->urlpath.termedBuf();
-    debugs(76, 3, "internalStart: " << request->client_addr << " requesting '" << upath << "'");
+    debugs(76, 3, HERE << clientConn << " requesting '" << upath << "'");
 
     if (0 == strcmp(upath, "/squid-internal-dynamic/netdb")) {
         netdbBinaryExchange(entry);
@@ -69,6 +71,8 @@ internalStart(HttpRequest * request, StoreEntry * entry)
         entry->replaceHttpReply(reply);
         entry->append(msgbuf, strlen(msgbuf));
         entry->complete();
+    } else if (0 == strncmp(upath, "/squid-internal-mgr/", 20)) {
+        CacheManager::GetInstance()->Start(clientConn, request, entry);
     } else {
         debugObj(76, 1, "internalStart: unknown request:\n",
                  request, (ObjPackMethod) & httpRequestPack);

diff --git a/src/protos.h b/src/protos.h
index 446018f7330b4a0a8919e4e3392c3ff1311b358c..854d7d765c7a0b67181533e3c91dd23f53192f11 100644 (file)
--- a/src/protos.h
+++ b/src/protos.h
@@ -662,7 +662,7 @@ SQUIDCEXTERN void cacheDigestGuessStatsUpdate(cd_guess_stats * stats, int real_h
 SQUIDCEXTERN void cacheDigestGuessStatsReport(const cd_guess_stats * stats, StoreEntry * sentry, const char *label);
 SQUIDCEXTERN void cacheDigestReport(CacheDigest * cd, const char *label, StoreEntry * e);
 
-SQUIDCEXTERN void internalStart(HttpRequest *, StoreEntry *);
+SQUIDCEXTERN void internalStart(const Comm::ConnectionPointer &clientConn, HttpRequest *, StoreEntry *);
 SQUIDCEXTERN int internalCheck(const char *urlpath);
 SQUIDCEXTERN int internalStaticCheck(const char *urlpath);
 SQUIDCEXTERN char *internalLocalUri(const char *dir, const char *name);