SQUID_DEFINE_BOOL(FOLLOW_X_FORWARDED_FOR,$enable_follow_x_forwarded_for,
[Enable following X-Forwarded-For headers])
-AC_ARG_ENABLE(ident-lookups,
- AS_HELP_STRING([--disable-ident-lookups],
- [Remove code that supports performing Ident (RFC 931) lookups.]), [
- SQUID_YESNO([$enableval],[--enable-ident-lookups])
-])
-AC_MSG_NOTICE([Support for Ident lookups enabled: ${enable_ident_lookups:=yes}])
-SQUID_DEFINE_BOOL(USE_IDENT,$enable_ident_lookups,[Support for Ident (RFC 931) lookups])
-
dnl Select Default hosts file location
AC_ARG_ENABLE(default-hostsfile,
AS_HELP_STRING([--enable-default-hostsfile=path],
src/http/url_rewriters/fake/Makefile
src/http/url_rewriters/LFS/Makefile
src/icmp/Makefile
- src/ident/Makefile
src/ip/Makefile
src/ipc/Makefile
src/log/Makefile
format.
TODO: get RFCs linked from ietf
-\section IdentLookups Ident Lookups
-\par
- These routines support RFC 931 (http://www.ietf.org/rfc/rfc931.txt)
- "Ident" lookups. An ident
- server running on a host will report the user name associated
- with a connected TCP socket. Some sites use this facility for
- access control and logging purposes.
-
\section MemoryManagement Memory Management
\par
These routines allocate and manage pools of memory for
section 29 Authenticator
section 29 NTLM Authenticator
section 29 Negotiate Authenticator
-section 30 Ident (RFC 931)
section 31 Hypertext Caching Protocol
section 32 Asynchronous Disk I/O
section 33 Client Request Pipeline
msgid ""
"User is just a unique key value. The above example uses %LOGIN and the "
"username but any of the B<external_acl_type> format tags can be substituted "
-"in its place. B<%EXT_TAG> , B<%LOGIN> , B<%IDENT> , B<%EXT_USER> , B<"
+"in its place. B<%EXT_TAG> , B<%LOGIN> , B<%EXT_USER> , B<"
"%SRC> , B<%SRCEUI48> , and B<%SRCEUI64> are all likely candidates for client "
"identification. The Squid wiki has more examples at https://wiki.squid-cache."
"org/ConfigExamples."
msgid ""
"User is just a unique key value. The above example uses %LOGIN and the "
"username but any of the B<external_acl_type> format tags can be substituted "
-"in its place. B<%EXT_TAG> , B<%LOGIN> , B<%IDENT> , B<%EXT_USER> , B<"
+"in its place. B<%EXT_TAG> , B<%LOGIN> , B<%EXT_USER> , B<"
"%SRC> , B<%SRCEUI48> , and B<%SRCEUI64> are all likely candidates for client "
"identification. The Squid wiki has more examples at https://wiki.squid-cache."
"org/ConfigExamples."
msgid ""
"User is just a unique key value. The above example uses %LOGIN and the "
"username but any of the B<external_acl_type> format tags can be substituted "
-"in its place. B<%EXT_TAG> , B<%LOGIN> , B<%IDENT> , B<%EXT_USER> , B<"
+"in its place. B<%EXT_TAG> , B<%LOGIN> , B<%EXT_USER> , B<"
"%SRC> , B<%SRCEUI48> , and B<%SRCEUI64> are all likely candidates for client "
"identification. The Squid wiki has more examples at https://wiki.squid-cache."
"org/ConfigExamples."
msgid ""
"User is just a unique key value. The above example uses %LOGIN and the "
"username but any of the B<external_acl_type> format tags can be substituted "
-"in its place. B<%EXT_TAG> , B<%LOGIN> , B<%IDENT> , B<%EXT_USER> , B<"
+"in its place. B<%EXT_TAG> , B<%LOGIN> , B<%EXT_USER> , B<"
"%SRC> , B<%SRCEUI48> , and B<%SRCEUI64> are all likely candidates for client "
"identification. The Squid wiki has more examples at https://wiki.squid-cache."
"org/ConfigExamples."
msgid ""
"User is just a unique key value. The above example uses %LOGIN and the "
"username but any of the B<external_acl_type> format tags can be substituted "
-"in its place. B<%EXT_TAG> , B<%LOGIN> , B<%IDENT> , B<%EXT_USER> , B<"
+"in its place. B<%EXT_TAG> , B<%LOGIN> , B<%EXT_USER> , B<"
"%SRC> , B<%SRCEUI48> , and B<%SRCEUI64> are all likely candidates for client "
"identification. The Squid wiki has more examples at https://wiki.squid-cache."
"org/ConfigExamples."
msgid ""
"User is just a unique key value. The above example uses %LOGIN and the "
"username but any of the B<external_acl_type> format tags can be substituted "
-"in its place. B<%EXT_TAG> , B<%LOGIN> , B<%IDENT> , B<%EXT_USER> , B<%SRC> "
+"in its place. B<%EXT_TAG> , B<%LOGIN> , B<%EXT_USER> , B<%SRC> "
", B<%SRCEUI48> , and B<%SRCEUI64> are all likely candidates for client "
"identification. The Squid wiki has more examples at "
"https://wiki.squid-cache.org/ConfigExamples."
msgid ""
"User is just a unique key value. The above example uses %LOGIN and the "
"username but any of the B<external_acl_type> format tags can be substituted "
-"in its place. B<%EXT_TAG> , B<%LOGIN> , B<%IDENT> , B<%EXT_USER> , B<"
+"in its place. B<%EXT_TAG> , B<%LOGIN> , B<%EXT_USER> , B<"
"%SRC> , B<%SRCEUI48> , and B<%SRCEUI64> are all likely candidates for client "
"identification. The Squid wiki has more examples at https://wiki.squid-cache."
"org/ConfigExamples."
<item>Cache Manager changes
<item>Removed purge tool
<item>Remove deprecated languages
+ <item>Remove Ident protocol support
</itemize>
<p>Most user-facing changes are reflected in squid.conf (see further below).
<p>See <url url="https://en.wikipedia.org/wiki/List_of_ISO_639_language_codes"> for
the full ISO-639 list. HTTP uses the 2-letter (set 1) codes.
+<sect1>Removed Ident protocol support
+
+<p>Ident protocol (RFC 931 obsoleted by RFC 1413) has been considered
+seriously insecure and broken since at least 2009 when SANS issued an update
+recommending its removal from all networks. Squid Ident implementation had its
+own set of problems (that could not be addressed without significant code
+refactoring).
+
+<p>Configurations using ident/ident_regex ACLs, %ui logformat codes, %IDENT
+external_acl_type format code, or ident_lookup_access/ident_timeout directives
+are now rejected, leading to fatal startup failures.
+
+<p>To avoid inconveniencing admins that do <em>not</em> use Ident features,
+access logs with "common" and "combined" logformats now always receive a dash
+in the position of what used to be a %ui record field.
+
+<p>If necessary, an external ACL helper can be written to perform Ident transactions
+and deliver the user identity to Squid through the **user=** annotation.
<sect>Changes to squid.conf since Squid-@SQUID_RELEASE_OLD@
<p>
necessary.
<p>Changed <em>http_status</em> to detect and handle overlapping
status and status-range values. Merging where necessary.
+ <p>Removed <em>ident</em> with Ident protocol support.
+ <p>Removed <em>ident_regex</em> with Ident protocol support.
<tag>buffered_logs</tag>
<p>Honor the <em>off</em> setting in 'udp' access_log module.
<p>Removed the <em>non_peers</em> action. See the Cache Manager
<ref id="mgr" name="section"> for details.
+ <tag>access_log</tag>
+ <p>Built-in <em>common</em> and <em>combined</em> logformats now always
+ receive a dash character ("-") in the position of what used to be a
+ <em>%ui</em> record field.
+
+ <tag>logformat</tag>
+ <p>Removed <em>%ui</em> format code with Ident protocol support.
+
+ <tag>external_acl_type</tag>
+ <p>Removed <em>%IDENT</em> format code with Ident protocol support.
+
</descrip>
<sect1>Removed directives<label id="removeddirectives">
<p>The corresponding code has not built for many years, indicating that the
feature is unused.
+ <tag>ident_lookup_access</tag>
+ <p>Ident protocol is no longer supported natively.
+
+ <tag>ident_timeout</tag>
+ <p>Ident protocol is no longer supported natively.
+
</descrip>
<p>The code enabled by this preprocessor macro has not built for many
years, indicating that the feature is unused.
+ <tag>--disable-ident-lookups</tag>
+ <p>The option was dropped during Ident protocol support removal.
+
</descrip>
<sect>Copyright
USE_HTCP \
USE_HTTP_VIOLATIONS \
USE_ICMP \
- USE_IDENT \
USE_IPV6 \
USE_KQUEUE \
USE_LOADABLE_MODULES \
assert(notes == req->notes());
}
-const char *
-AccessLogEntry::getClientIdent() const
-{
- if (tcpClient)
- return tcpClient->rfc931;
-
- if (cache.rfc931 && *cache.rfc931)
- return cache.rfc931;
-
- return nullptr;
-}
-
const char *
AccessLogEntry::getExtUser() const
{
/// Side effect: Enables reverse DNS lookups of future client addresses.
const char *getLogClientFqdn(char *buf, size_t bufSize) const;
- /// Fetch the client IDENT string, or nil if none is available.
- const char *getClientIdent() const;
-
/// Fetch the external ACL provided 'user=' string, or nil if none is available.
const char *getExtUser() const;
LogTags code;
struct timeval start_time; ///< The time the master transaction started
struct timeval trTime; ///< The response time
- const char *rfc931 = nullptr;
const char *extuser = nullptr;
#if USE_OPENSSL
const char *ssluser = nullptr;
#endif
#include "base/RegexPattern.h"
#include "ExternalACL.h"
-#if USE_IDENT
-#include "ident/AclIdent.h"
-#endif
#if SQUID_SNMP
#include "snmp_core.h"
#endif
RegisterMaker("eui64", [](TypeName name)->Node* { return new ACLEui64(name); });
#endif
-#if USE_IDENT
- RegisterMaker("ident", [](TypeName name)->Node* { return new ACLIdent(new ACLUserData, name); });
- RegisterMaker("ident_regex", [](TypeName name)->Node* { return new ACLIdent(new ACLRegexData, name); });
-#endif
-
#if USE_AUTH
RegisterMaker("ext_user", [](TypeName name)->Node* { return new ACLExtUser(new ACLUserData, name); });
RegisterMaker("ext_user_regex", [](TypeName name)->Node* { return new ACLExtUser(new ACLRegexData, name); });
continue;
}
- ACLFilledChecklist ch(DelayPools::delay_data[pool].access, r, nullptr);
+ ACLFilledChecklist ch(DelayPools::delay_data[pool].access, r);
clientAclChecklistFill(ch, http);
ch.updateReply(reply);
// overwrite ACLFilledChecklist acl_uses_indirect_client-based decision
* Intentionally replace the src_addr automatically selected by the checklist code
* we do NOT want the indirect client address to be tested here.
*/
- ACLFilledChecklist ch(Config.accessList.miss, request, nullptr);
+ ACLFilledChecklist ch(Config.accessList.miss, request);
ch.al = al;
ch.src_addr = request->client_addr;
ch.syncAle(request, nullptr);
cs->setHost(request->url.host());
bool retriable = checkRetriable();
if (!retriable && Config.accessList.serverPconnForNonretriable) {
- ACLFilledChecklist ch(Config.accessList.serverPconnForNonretriable, request, nullptr);
+ ACLFilledChecklist ch(Config.accessList.serverPconnForNonretriable, request);
ch.al = al;
ch.syncAle(request, nullptr);
retriable = ch.fastCheck().allowed();
return; // anything will do.
}
- ACLFilledChecklist ch(nullptr, request, nullptr);
+ ACLFilledChecklist ch(nullptr, request);
ch.dst_peer_name = conn->getPeer() ? conn->getPeer()->name : nullptr;
ch.dst_addr = conn->remote;
if (!Ip::Qos::TheConfig.tosToServer)
return 0;
- ACLFilledChecklist ch(nullptr, request, nullptr);
+ ACLFilledChecklist ch(nullptr, request);
ch.dst_peer_name = conn.getPeer() ? conn.getPeer()->name : nullptr;
ch.dst_addr = conn.remote;
return aclMapTOS(Ip::Qos::TheConfig.tosToServer, &ch);
if (!Ip::Qos::TheConfig.nfmarkToServer)
return 0;
- ACLFilledChecklist ch(nullptr, request, nullptr);
+ ACLFilledChecklist ch(nullptr, request);
ch.dst_peer_name = conn.getPeer() ? conn.getPeer()->name : nullptr;
ch.dst_addr = conn.remote;
const auto mc = aclFindNfMarkConfig(Ip::Qos::TheConfig.nfmarkToServer, &ch);
return 1;
}
- ACLFilledChecklist checklist(hm->access_list, request, nullptr);
+ ACLFilledChecklist checklist(hm->access_list, request);
checklist.updateAle(al);
// XXX: The two "It was denied" clauses below mishandle cases with no
void
httpHdrAdd(HttpHeader *heads, HttpRequest *request, const AccessLogEntryPointer &al, HeaderWithAclList &headersAdd)
{
- ACLFilledChecklist checklist(nullptr, request, nullptr);
+ ACLFilledChecklist checklist(nullptr, request);
checklist.updateAle(al);
for (HeaderWithAclList::const_iterator hwa = headersAdd.begin(); hwa != headersAdd.end(); ++hwa) {
if (!Config.ReplyBodySize)
return;
- ACLFilledChecklist ch(nullptr, &request, nullptr);
+ ACLFilledChecklist ch(nullptr, &request);
ch.updateReply(this);
for (AclSizeLimit *l = Config.ReplyBodySize; l; l = l -> next) {
/* if there is no ACL list or if the ACLs listed match use this size value */
rangeOffsetLimit = 0; // default value for rangeOffsetLimit
- ACLFilledChecklist ch(nullptr, this, nullptr);
+ ACLFilledChecklist ch(nullptr, this);
ch.src_addr = client_addr;
ch.my_addr = my_addr;
const bool proxyProtocolPort = port ? port->flags.proxySurrogate : false;
if (flags.interceptTproxy && !proxyProtocolPort) {
if (Config.accessList.spoof_client_ip) {
- ACLFilledChecklist *checklist = new ACLFilledChecklist(Config.accessList.spoof_client_ip, this, clientConnection->rfc931);
+ const auto checklist = new ACLFilledChecklist(Config.accessList.spoof_client_ip, this);
checklist->al = al;
checklist->syncAle(this, nullptr);
flags.spoofClientIp = checklist->fastCheck().allowed();
AUTH_ACL_LIBS= auth/libacls.la
endif
-SUBDIRS += http ip icmp ident log ipc mgr
+SUBDIRS += http ip icmp log ipc mgr
SSL_LIBS=
if ENABLE_SSL
squid_LDADD = \
$(AUTH_ACL_LIBS) \
- ident/libident.la \
acl/libacls.la \
acl/libstate.la \
$(AUTH_LIBS) \
LDADD = \
$(AUTH_ACL_LIBS) \
- ident/libident.la \
acl/libacls.la \
eui/libeui.la \
acl/libstate.la \
http/libhttp.la \
parser/libparser.la \
CommCalls.o \
- ident/libident.la \
acl/libacls.la \
acl/libstate.la \
acl/libapi.la \
libsquid.la \
http/libhttp.la \
parser/libparser.la \
- ident/libident.la \
acl/libacls.la \
acl/libstate.la \
acl/libapi.la \
parser/libparser.la \
SquidConfig.o \
CommCalls.o \
- ident/libident.la \
acl/libacls.la \
acl/libstate.la \
comm/libcomm.la \
helper/libhelper.la \
http/libhttp.la \
parser/libparser.la \
- ident/libident.la \
acl/libacls.la \
acl/libstate.la \
acl/libapi.la \
helper/libhelper.la \
ftp/libftp.la \
http/libhttp.la \
- ident/libident.la \
acl/libacls.la \
acl/libstate.la \
acl/libapi.la \
http/libhttp.la \
proxyp/libproxyp.la \
parser/libparser.la \
- ident/libident.la \
acl/libacls.la \
acl/libstate.la \
acl/libapi.la \
bool
Note::match(HttpRequest *request, HttpReply *reply, const AccessLogEntry::Pointer &al, SBuf &matched)
{
- ACLFilledChecklist ch(nullptr, request, nullptr);
+ ACLFilledChecklist ch(nullptr, request);
ch.updateAle(al);
ch.updateReply(reply);
ch.syncAle(request, nullptr);
my_addr.setEmpty();
src_addr.setEmpty();
dst_addr.setEmpty();
- rfc931[0] = '\0';
}
ACLFilledChecklist::~ACLFilledChecklist()
showDebugWarning("HttpReply object");
al->reply = reply_;
}
-
-#if USE_IDENT
- if (*rfc931 && !al->cache.rfc931) {
- showDebugWarning("IDENT");
- al->cache.rfc931 = xstrdup(rfc931);
- }
-#endif
}
void
* *not* delete the list. After the callback function returns,
* checkCallback() will delete the list (i.e., self).
*/
-ACLFilledChecklist::ACLFilledChecklist(const acl_access *A, HttpRequest *http_request, const char *ident):
+ACLFilledChecklist::ACLFilledChecklist(const acl_access *A, HttpRequest *http_request):
dst_rdns(nullptr),
#if USE_AUTH
auth_user_request(nullptr),
my_addr.setEmpty();
src_addr.setEmpty();
dst_addr.setEmpty();
- rfc931[0] = '\0';
changeAcl(A);
setRequest(http_request);
- setIdent(ident);
}
void ACLFilledChecklist::setRequest(HttpRequest *httpRequest)
}
}
-void
-ACLFilledChecklist::setIdent(const char *ident)
-{
-#if USE_IDENT
- assert(!rfc931[0]);
- if (ident)
- xstrncpy(rfc931, ident, USER_IDENT_SZ);
-#else
- (void)ident;
-#endif
-}
-
void
ACLFilledChecklist::updateAle(const AccessLogEntry::Pointer &a)
{
public:
ACLFilledChecklist();
- ACLFilledChecklist(const acl_access *, HttpRequest *, const char *ident = nullptr);
+ ACLFilledChecklist(const acl_access *, HttpRequest *);
~ACLFilledChecklist() override;
/// configure client request-related fields for the first time
void setRequest(HttpRequest *);
- /// configure rfc931 user identity for the first time
- void setIdent(const char *userIdentity);
/// Remembers the given ALE (if it is not nil) or does nothing (otherwise).
/// When (and only when) remembering ALE, populates other still-unset fields
HttpRequest::Pointer request;
- char rfc931[USER_IDENT_SZ];
#if USE_AUTH
Auth::UserRequest::Pointer auth_user_request;
#endif
err_type requestErrorType;
private:
- ConnStateData * conn_; /**< hack for ident and NTLM */
+ ConnStateData *conn_; ///< hack: client-to-Squid connection manager (if any)
int fd_; /**< may be available when conn_ is not */
HttpReply::Pointer reply_; ///< response added by updateReply() or nil
,
.B %LOGIN
,
-.B %IDENT
-,
.B %EXT_USER
,
.B %SRC
while (!candidates.empty()) {
if (AccessRule *r = FindRule(topCandidate())) {
/* BUG 2526: what to do when r->acl is empty?? */
- // XXX: we do not have access to conn->rfc931 here.
- acl_checklist = new ACLFilledChecklist(r->acl, filter.request, dash_str);
+ acl_checklist = new ACLFilledChecklist(r->acl, filter.request);
acl_checklist->updateAle(filter.al);
acl_checklist->updateReply(filter.reply);
acl_checklist->syncAle(filter.request, nullptr);
/// \param[out] total time taken for all ICAP processing
void processingTime(struct timeval &total) const;
- String rfc931; ///< the username from ident
#if USE_OPENSSL
String ssluser; ///< the username from SSL
#endif
if (info.icapReply->sline.status() == Http::scNone) // failed to parse the reply; I/O err
return true;
- ACLFilledChecklist *cl =
- new ACLFilledChecklist(TheConfig.repeat, info.icapRequest, dash_str);
+ const auto cl = new ACLFilledChecklist(TheConfig.repeat, info.icapRequest);
cl->updateReply(info.icapReply);
bool result = cl->fastCheck().allowed();
// XXX: This reply (and other ALE members!) may have been needed earlier.
al.reply = adapted_reply_;
- if (h->rfc931.size())
- al.cache.rfc931 = h->rfc931.termedBuf();
-
#if USE_OPENSSL
if (h->ssluser.size())
al.cache.ssluser = h->ssluser.termedBuf();
void icapLogLog(AccessLogEntry::Pointer &al)
{
if (IcapLogfileStatus == LOG_ENABLE) {
- ACLFilledChecklist checklist(nullptr, al->adapted_request, nullptr);
+ ACLFilledChecklist checklist(nullptr, al->adapted_request);
checklist.updateAle(al);
accessLogLogTo(Config.Log.icaplogs, al, &checklist);
}
schemesConfig(HttpRequest *request, HttpReply *rep)
{
if (!Auth::TheConfig.schemeLists.empty() && Auth::TheConfig.schemeAccess) {
- ACLFilledChecklist ch(nullptr, request, nullptr);
+ ACLFilledChecklist ch(nullptr, request);
ch.updateReply(rep);
const auto answer = ch.fastCheck(Auth::TheConfig.schemeAccess);
if (answer.allowed())
#include "HttpHeaderTools.h"
#include "HttpUpgradeProtocolAccess.h"
#include "icmp/IcmpConfig.h"
-#include "ident/Config.h"
#include "ip/Intercept.h"
#include "ip/NfMarkConfig.h"
#include "ip/QosConfig.h"
A client with credentials is requested to re-authenticate if http_access
or adapted_http_access denies its request _and_ the last evaluated ACL was
- either proxy_auth, proxy_auth_regex, ident, ident_regex, or an external
+ either proxy_auth, proxy_auth_regex, or an external
ACL with %ul or %LOGIN parameter (regardless of whether that last
evaluated ACL matched the denied request). Note that a max_user_ip ACL
does not have this effect: Requests denied after evaluating max_user_ip
# pattern match on Referer header [fast]
# Referer is highly unreliable, so use with care
- acl aclname ident [-i] username ...
- # string match on ident output [slow]
- # use REQUIRED to accept any non-null ident.
- #
- # See also: ident_regex. The two ACLs differ only in their parameter
- # syntax and ident output matching algorithm.
-
- acl aclname ident_regex [-i] username_pattern ...
- # regex match on ident output [slow]
-
acl aclname proxy_auth [-i] username ...
# perform http authentication challenge to the client and match against
# supplied credentials [slow]
See https://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
DOC_END
-NAME: ident_lookup_access
-TYPE: acl_access
-IFDEF: USE_IDENT
-DEFAULT: none
-DEFAULT_DOC: Unless rules exist in squid.conf, IDENT is not fetched.
-LOC: Ident::TheConfig.identLookup
-DOC_START
- A list of ACL elements which, if matched, cause an ident
- (RFC 931) lookup to be performed for this request. For
- example, you might choose to always perform ident lookups
- for your main multi-user Unix boxes, but not for your Macs
- and PCs. By default, ident lookups are not performed for
- any requests.
-
- To enable ident lookups for specific client addresses, you
- can follow this example:
-
- acl ident_aware_hosts src 198.168.1.0/24
- ident_lookup_access allow ident_aware_hosts
- ident_lookup_access deny all
-
- Only src type ACL checks are fully supported. A srcdomain
- ACL might work at times, but it will not always provide
- the correct result.
-
- This clause only supports fast acl types.
- See https://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
-DOC_END
-
NAME: reply_body_max_size
COMMENT: size [acl acl...]
TYPE: acl_b_size_t
The requests will be distributed among the parents based on the
CARP load balancing hash function based on their weight.
- userhash Load-balance parents based on the client proxy_auth or ident username.
+ userhash Load-balance parents based on the client proxy_auth username.
sourcehash Load-balance parents based on the client source IP.
un User name (any available)
ul User name from authentication
ue User name from external acl helper
- ui User name from ident
un A user name. Expands to the first available name
from the following list of information sources:
- authenticated user name, like %ul
- user name supplied by an external ACL, like %ue
- SSL client name, like %us
- - ident user name, like %ui
credentials Client credentials. The exact meaning depends on
the authentication scheme: For Basic authentication,
it is the password; for Digest, the realm sent by the
The default formats available (which do not need re-defining) are:
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
-logformat common %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
-logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
+logformat common %>a - %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
+logformat combined %>a - %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
logformat referrer %ts.%03tu %>a %{Referer}>h %ru
logformat useragent %>a [%tl] "%{User-Agent}>h"
proxies.
DOC_END
-NAME: ident_timeout
-TYPE: time_t
-IFDEF: USE_IDENT
-LOC: Ident::TheConfig.timeout
-DEFAULT: 10 seconds
-DOC_START
- Maximum time to wait for IDENT lookups to complete.
-
- If this is too high, and you enabled IDENT lookups from untrusted
- users, you might be susceptible to denial-of-service by having
- many ident requests going at once.
-DOC_END
-
NAME: shutdown_lifetime
COMMENT: time-units
TYPE: time_t
are governed by forward_max_tries instead.
See also: connect_timeout, forward_timeout, icap_connect_timeout,
- ident_timeout, and forward_max_tries.
+ and forward_max_tries.
DOC_END
NAME: retry_on_error
define["USE_HTCP"]="--enable-htcp"
define["USE_HTTP_VIOLATIONS"]="--enable-http-violations"
define["USE_ICMP"]="--enable-icmp"
- define["USE_IDENT"]="--enable-ident-lookups"
define["USE_LOADABLE_MODULES"]="--enable-shared"
define["USE_OPENSSL"]="--with-openssl"
define["USE_QOS_TOS"]="--enable-zph-qos"
#include "HttpHeaderTools.h"
#include "HttpReply.h"
#include "HttpRequest.h"
-#include "ident/Config.h"
-#include "ident/Ident.h"
#include "internal.h"
#include "ipc/FdNotes.h"
#include "ipc/StartListening.h"
static void clientListenerConnectionOpened(AnyP::PortCfgPointer &s, const Ipc::FdNoteId portTypeNote, const Subscription::Pointer &sub);
static IOACB httpAccept;
-#if USE_IDENT
-static IDCB clientIdentDone;
-#endif
static int clientIsRequestBodyTooLargeForPolicy(int64_t bodyLength);
static void clientUpdateStatHistCounters(const LogTags &logType, int svc_time);
char *skipLeadingSpace(char *aString);
-#if USE_IDENT
-static void
-clientIdentDone(const char *ident, void *data)
-{
- ConnStateData *conn = (ConnStateData *)data;
- xstrncpy(conn->clientConnection->rfc931, ident ? ident : dash_str, USER_IDENT_SZ);
-}
-#endif
-
void
clientUpdateStatCounters(const LogTags &logType)
{
HTTPMSGLOCK(al->adapted_request);
}
- ACLFilledChecklist checklist(nullptr, request, nullptr);
+ ACLFilledChecklist checklist(nullptr, request);
checklist.updateAle(al);
// no need checklist.syncAle(): already synced
accessLogLog(al, &checklist);
bool updatePerformanceCounters = true;
if (Config.accessList.stats_collection) {
- ACLFilledChecklist statsCheck(Config.accessList.stats_collection, request, nullptr);
+ ACLFilledChecklist statsCheck(Config.accessList.stats_collection, request);
statsCheck.updateAle(al);
updatePerformanceCounters = statsCheck.fastCheck().allowed();
}
break;
// we have been waiting for PROXY to provide client-IP
- // for some lookups, ie rDNS and IDENT.
+ // for some lookups, ie rDNS
whenClientIpKnown();
// Done with PROXY protocol which has cleared preservingClientData_.
if (Dns::ResolveClientAddressesAsap)
fqdncache_gethostbyaddr(clientConnection->remote, FQDN_LOOKUP_IF_MISS);
-#if USE_IDENT
- if (Ident::TheConfig.identLookup) {
- ACLFilledChecklist identChecklist(Ident::TheConfig.identLookup, nullptr, nullptr);
- fillChecklist(identChecklist);
- if (identChecklist.fastCheck().allowed())
- Ident::Start(clientConnection, clientIdentDone, this);
- }
-#endif
-
clientdbEstablished(clientConnection->remote, 1);
#if USE_DELAY_POOLS
const auto &pools = ClientDelayPools::Instance()->pools;
if (pools.size()) {
- ACLFilledChecklist ch(nullptr, nullptr, nullptr);
+ ACLFilledChecklist ch(nullptr, nullptr);
fillChecklist(ch);
// TODO: we check early to limit error response bandwidth but we
// should recheck when we can honor delay_pool_uses_indirect
CodeContext::Reset(connectAle);
// TODO: Use these request/ALE when waiting for new bumped transactions.
- ACLFilledChecklist *acl_checklist = new ACLFilledChecklist(Config.accessList.ssl_bump, request, nullptr);
+ const auto acl_checklist = new ACLFilledChecklist(Config.accessList.ssl_bump, request);
fillChecklist(*acl_checklist);
// Build a local AccessLogEntry to allow requiresAle() acls work
acl_checklist->al = connectAle;
sslServerBump->step = XactionStep::tlsBump2;
// Run a accessList check to check if want to splice or continue bumping
- ACLFilledChecklist *acl_checklist = new ACLFilledChecklist(Config.accessList.ssl_bump, sslServerBump->request.getRaw(), nullptr);
+ const auto acl_checklist = new ACLFilledChecklist(Config.accessList.ssl_bump, sslServerBump->request.getRaw());
acl_checklist->banAction(Acl::Answer(ACCESS_ALLOWED, Ssl::bumpNone));
acl_checklist->banAction(Acl::Answer(ACCESS_ALLOWED, Ssl::bumpClientFirst));
acl_checklist->banAction(Acl::Answer(ACCESS_ALLOWED, Ssl::bumpServerFirst));
ACLFilledChecklist *
clientAclChecklistCreate(const acl_access * acl, ClientHttpRequest * http)
{
- const auto checklist = new ACLFilledChecklist(acl, nullptr, nullptr);
+ const auto checklist = new ACLFilledChecklist(acl, nullptr);
clientAclChecklistFill(*checklist, http);
return checklist;
}
if (!checklist.sslErrors && sslServerBump)
checklist.sslErrors = sslServerBump->sslErrors();
#endif
-
- if (!checklist.rfc931[0]) // checklist creator may have supplied it already
- checklist.setIdent(clientConnection->rfc931);
-
}
bool
Adaptation::Icap::History::Pointer ih = request->icapHistory();
if (ih != nullptr) {
if (getConn() != nullptr && getConn()->clientConnection != nullptr) {
- ih->rfc931 = getConn()->clientConnection->rfc931;
#if USE_OPENSSL
if (getConn()->clientConnection->isOpen()) {
ih->ssluser = sslGetUserEmail(fd_table[getConn()->clientConnection->fd].ssl.get());
// Set appropriate MARKs and CONNMARKs if needed.
if (getConn() && Comm::IsConnOpen(getConn()->clientConnection)) {
- ACLFilledChecklist ch(nullptr, request, nullptr);
+ ACLFilledChecklist ch(nullptr, request);
ch.al = calloutContext->http->al;
ch.src_addr = request->client_addr;
ch.my_addr = request->my_addr;
default: {
bool doEpsv = true;
if (Config.accessList.ftp_epsv) {
- ACLFilledChecklist checklist(Config.accessList.ftp_epsv, fwd->request, nullptr);
+ ACLFilledChecklist checklist(Config.accessList.ftp_epsv, fwd->request);
doEpsv = checklist.fastCheck().allowed();
}
if (!doEpsv) {
* Special Case: A username-only may be provided in the URL and password in the HTTP headers.
*
* TODO: we might be able to do something about locating username from other sources:
- * ie, external ACL user=* tag or ident lookup
+ * ie, external ACL user=* tag
*
\retval 1 if we have everything needed to complete this request.
\retval 0 if something is missing.
peer_(nullptr),
startTime_(squid_curtime),
tlsHistory(nullptr)
-{
- *rfc931 = 0; // quick init the head. the rest does not matter.
-}
+{}
Comm::Connection::~Connection()
{
c.nfConnmark = nfConnmark;
// COMM_ORPHANED is not a part of connection opening instructions
c.flags = flags & ~COMM_ORPHANED;
- // rfc931 is excused
#if USE_SQUID_EUI
// These are currently only set when accepting connections and never used
os << " FD " << conn.fd;
if (conn.flags != COMM_UNSET)
os << " flags=" << conn.flags;
-#if USE_IDENT
- if (*conn.rfc931)
- os << " IDENT::" << conn.rfc931;
-#endif
return os;
}
/** COMM flags set on this connection */
int flags;
- char rfc931[USER_IDENT_SZ];
-
#if USE_SQUID_EUI
Eui::Eui48 remoteEui48;
Eui::Eui64 remoteEui64;
al->tcpClient = tcpClient;
al->url = "error:accept-client-connection";
al->setVirginUrlForMissingRequest(al->url);
- ACLFilledChecklist ch(nullptr, nullptr, nullptr);
+ ACLFilledChecklist ch(nullptr, nullptr);
ch.src_addr = tcpClient->remote;
ch.my_addr = tcpClient->local;
ch.al = al;
#define FQDN_LOOKUP_IF_MISS 0x01
#define FQDN_MAX_NAMES 5
-#define USER_IDENT_SZ 64
-
#define IP_LOOKUP_IF_MISS 0x01
#define ICP_FLAG_SRC_RTT 0x40000000ul
#include "auth/Gadgets.h"
#include "auth/UserRequest.h"
#endif
-#if USE_IDENT
-#include "ident/AclIdent.h"
-#endif
#ifndef DEFAULT_EXTERNAL_ACL_TTL
#define DEFAULT_EXTERNAL_ACL_TTL 1 * 60 * 60
ch->al->lastAclData = sb;
}
-
-#if USE_IDENT
- if (t->type == Format::LFT_USER_IDENT) {
- if (!*ch->rfc931) {
- // if we fail to go async, we still return NULL and the caller
- // will detect the failure in ACLExternal::match().
- (void)ch->goAsync(ACLIdent::StartLookup, *this);
- return nullptr;
- }
- }
-#endif
}
// assemble the full helper lookup string
external_acl *def = acl->def;
const char *key = makeExternalAclKey(ch, acl);
- assert(key); // XXX: will fail if EXT_ACL_IDENT case needs an async lookup
+ assert(key);
debugs(82, 2, (inBackground ? "bg" : "fg") << " lookup in '" <<
def->name << "' for '" << key << "'");
/* client credentials */
LFT_USER_NAME, /* any source will do */
LFT_USER_LOGIN,
- LFT_USER_IDENT,
/*LFT_USER_REALM, */
/*LFT_USER_SCHEME, */
LFT_USER_EXTERNAL,
if (!out)
out = strOrNull(al->cache.ssluser);
#endif
- if (!out)
- out = strOrNull(al->getClientIdent());
break;
case LFT_USER_LOGIN:
#endif
break;
- case LFT_USER_IDENT:
- out = strOrNull(al->getClientIdent());
- break;
-
case LFT_USER_EXTERNAL:
out = strOrNull(al->getExtUser());
break;
TokenTableEntry("ul", LFT_USER_LOGIN),
/*TokenTableEntry( "ur", LFT_USER_REALM ), */
/*TokenTableEntry( "us", LFT_USER_SCHEME ), */
- TokenTableEntry("ui", LFT_USER_IDENT),
TokenTableEntry("ue", LFT_USER_EXTERNAL),
TokenTableEntry("Hs", LFT_HTTP_SENT_STATUS_CODE_OLD_30),
TokenTableEntry("EXT_LOG", LFT_EXT_LOG),
TokenTableEntry("EXT_TAG", LFT_TAG),
TokenTableEntry("EXT_USER", LFT_USER_EXTERNAL),
- TokenTableEntry("IDENT", LFT_USER_IDENT),
TokenTableEntry("LOGIN", LFT_USER_LOGIN),
TokenTableEntry("METHOD", LFT_CLIENT_REQ_METHOD),
TokenTableEntry("MYADDR", LFT_LOCAL_LISTENING_IP),
if (!acl)
return false;
- ACLFilledChecklist checklist(acl, s->request.getRaw(), nullptr);
+ ACLFilledChecklist checklist(acl, s->request.getRaw());
checklist.src_addr = from;
checklist.my_addr.setNoAddr();
return checklist.fastCheck().allowed();
return false;
}
- ACLFilledChecklist checklist(Config.accessList.icp, icp_request, nullptr);
+ ACLFilledChecklist checklist(Config.accessList.icp, icp_request);
checklist.src_addr = from;
checklist.my_addr.setNoAddr();
const auto &answer = checklist.fastCheck();
+++ /dev/null
-/*
- * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
- *
- * Squid software is distributed under GPLv2+ license and includes
- * contributions from numerous individuals and organizations.
- * Please see the COPYING and CONTRIBUTORS files for details.
- */
-
-/* DEBUG: section 28 Access Control */
-
-#include "squid.h"
-
-#if USE_IDENT
-
-#include "acl/FilledChecklist.h"
-#include "acl/RegexData.h"
-#include "acl/UserData.h"
-#include "client_side.h"
-#include "comm/Connection.h"
-#include "globals.h"
-#include "http/Stream.h"
-#include "ident/AclIdent.h"
-#include "ident/Ident.h"
-
-ACLIdent::~ACLIdent()
-{
- delete data;
-}
-
-ACLIdent::ACLIdent(ACLData<char const *> *newData, char const *newType) : data (newData), type_ (newType) {}
-
-char const *
-ACLIdent::typeString() const
-{
- return type_;
-}
-
-const Acl::Options &
-ACLIdent::lineOptions()
-{
- return data->lineOptions();
-}
-
-void
-ACLIdent::parse()
-{
- if (!data) {
- debugs(28, 3, "current is null. Creating");
- data = new ACLUserData;
- }
-
- data->parse();
-}
-
-int
-ACLIdent::match(ACLChecklist *cl)
-{
- const auto checklist = Filled(cl);
- if (checklist->rfc931[0]) {
- return data->match(checklist->rfc931);
- } else if (checklist->conn() != nullptr && checklist->conn()->clientConnection != nullptr && checklist->conn()->clientConnection->rfc931[0]) {
- return data->match(checklist->conn()->clientConnection->rfc931);
- } else if (checklist->conn() != nullptr && Comm::IsConnOpen(checklist->conn()->clientConnection)) {
- if (checklist->goAsync(StartLookup, *this)) {
- debugs(28, 3, "switching to ident lookup state");
- return -1;
- }
- // else fall through to ACCESS_DUNNO failure below
- } else {
- debugs(28, DBG_IMPORTANT, "ERROR: Cannot start ident lookup. No client connection" );
- // fall through to ACCESS_DUNNO failure below
- }
-
- checklist->markFinished(ACCESS_DUNNO, "cannot start ident lookup");
- return -1;
-}
-
-SBufList
-ACLIdent::dump() const
-{
- return data->dump();
-}
-
-bool
-ACLIdent::empty () const
-{
- return data->empty();
-}
-
-void
-ACLIdent::StartLookup(ACLFilledChecklist &cl, const Acl::Node &)
-{
- const ConnStateData *conn = cl.conn();
- // check that ACLIdent::match() tested this lookup precondition
- assert(conn && Comm::IsConnOpen(conn->clientConnection));
- debugs(28, 3, "Doing ident lookup" );
- Ident::Start(cl.conn()->clientConnection, LookupDone, &cl);
-}
-
-void
-ACLIdent::LookupDone(const char *ident, void *data)
-{
- ACLFilledChecklist *checklist = Filled(static_cast<ACLChecklist*>(data));
-
- if (ident) {
- xstrncpy(checklist->rfc931, ident, USER_IDENT_SZ);
- } else {
- xstrncpy(checklist->rfc931, dash_str, USER_IDENT_SZ);
- }
-
- /*
- * Cache the ident result in the connection, to avoid redoing ident lookup
- * over and over on persistent connections
- */
- if (checklist->conn() != nullptr && checklist->conn()->clientConnection != nullptr && !checklist->conn()->clientConnection->rfc931[0])
- xstrncpy(checklist->conn()->clientConnection->rfc931, checklist->rfc931, USER_IDENT_SZ);
-
- checklist->resumeNonBlockingCheck();
-}
-
-#endif /* USE_IDENT */
-
+++ /dev/null
-/*
- * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
- *
- * Squid software is distributed under GPLv2+ license and includes
- * contributions from numerous individuals and organizations.
- * Please see the COPYING and CONTRIBUTORS files for details.
- */
-
-#ifndef SQUID_SRC_IDENT_ACLIDENT_H
-#define SQUID_SRC_IDENT_ACLIDENT_H
-
-#if USE_IDENT
-
-#include "acl/Acl.h"
-#include "acl/Checklist.h"
-#include "acl/Data.h"
-
-/// \ingroup ACLAPI
-class ACLIdent : public Acl::Node
-{
- MEMPROXY_CLASS(ACLIdent);
-
-public:
- static void StartLookup(ACLFilledChecklist &, const Acl::Node &);
-
- ACLIdent(ACLData<char const *> *newData, char const *);
- ~ACLIdent() override;
-
- /* Acl::Node API */
- char const *typeString() const override;
- void parse() override;
- bool isProxyAuth() const override {return true;}
- int match(ACLChecklist *checklist) override;
- SBufList dump() const override;
- bool empty () const override;
-
-private:
- static void LookupDone(const char *ident, void *data);
-
- /* Acl::Node API */
- const Acl::Options &lineOptions() override;
-
- ACLData<char const *> *data;
- char const *type_;
-};
-
-#endif /* USE_IDENT */
-#endif /* SQUID_SRC_IDENT_ACLIDENT_H */
-
+++ /dev/null
-/*
- * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
- *
- * Squid software is distributed under GPLv2+ license and includes
- * contributions from numerous individuals and organizations.
- * Please see the COPYING and CONTRIBUTORS files for details.
- */
-
-#ifndef SQUID_SRC_IDENT_CONFIG_H
-#define SQUID_SRC_IDENT_CONFIG_H
-
-#if USE_IDENT
-
-#include "acl/Acl.h"
-
-namespace Ident
-{
-
-class IdentConfig
-{
-public:
- acl_access *identLookup;
- time_t timeout;
-};
-
-extern IdentConfig TheConfig;
-
-} // namespace Ident
-
-#endif /* USE_IDENT */
-#endif /* SQUID_SRC_IDENT_CONFIG_H */
-
+++ /dev/null
-/*
- * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
- *
- * Squid software is distributed under GPLv2+ license and includes
- * contributions from numerous individuals and organizations.
- * Please see the COPYING and CONTRIBUTORS files for details.
- */
-
-/* DEBUG: section 30 Ident (RFC 931) */
-
-#include "squid.h"
-
-#if USE_IDENT
-#include "base/JobWait.h"
-#include "comm.h"
-#include "comm/Connection.h"
-#include "comm/ConnOpener.h"
-#include "comm/Read.h"
-#include "comm/Write.h"
-#include "CommCalls.h"
-#include "globals.h"
-#include "ident/Config.h"
-#include "ident/Ident.h"
-#include "MemBuf.h"
-
-namespace Ident
-{
-
-#define IDENT_PORT 113
-#define IDENT_KEY_SZ 50
-#define IDENT_BUFSIZE 4096
-
-typedef struct _IdentClient {
- IDCB *callback;
- void *callback_data;
-
- struct _IdentClient *next;
-} IdentClient;
-
-class IdentStateData
-{
-public:
- hash_link hash; /* must be first */
-private:
- CBDATA_CLASS(IdentStateData);
-
-public:
- /* AsyncJob API emulated */
- void deleteThis(const char *aReason);
- void swanSong();
-
- /// notify all waiting IdentClient callbacks
- void notify(const char *result);
-
- Comm::ConnectionPointer conn;
- MemBuf queryMsg; ///< the lookup message sent to IDENT server
- IdentClient *clients = nullptr;
- char buf[IDENT_BUFSIZE];
-
- /// waits for a connection to the IDENT server to be established/opened
- JobWait<Comm::ConnOpener> connWait;
-
-private:
- // use deleteThis() to destroy
- ~IdentStateData();
-};
-
-CBDATA_CLASS_INIT(IdentStateData);
-
-// TODO: make these all a series of Async job calls. They are self-contained callbacks now.
-static IOCB ReadReply;
-static IOCB WriteFeedback;
-static CLCB Close;
-static CTCB Timeout;
-static CNCB ConnectDone;
-static hash_table *ident_hash = nullptr;
-static void ClientAdd(IdentStateData * state, IDCB * callback, void *callback_data);
-
-} // namespace Ident
-
-Ident::IdentConfig Ident::TheConfig;
-
-void
-Ident::IdentStateData::deleteThis(const char *reason)
-{
- debugs(30, 3, reason);
- swanSong();
- delete this;
-}
-
-void
-Ident::IdentStateData::swanSong()
-{
- if (clients != nullptr)
- notify(nullptr);
-}
-
-Ident::IdentStateData::~IdentStateData() {
- assert(!clients);
-
- if (Comm::IsConnOpen(conn)) {
- comm_remove_close_handler(conn->fd, Ident::Close, this);
- conn->close();
- }
-
- hash_remove_link(ident_hash, (hash_link *) this);
- xfree(hash.key);
-}
-
-void
-Ident::IdentStateData::notify(const char *result)
-{
- while (IdentClient *client = clients) {
- void *cbdata;
- clients = client->next;
-
- if (cbdataReferenceValidDone(client->callback_data, &cbdata))
- client->callback(result, cbdata);
-
- xfree(client);
- }
-}
-
-void
-Ident::Close(const CommCloseCbParams ¶ms)
-{
- IdentStateData *state = (IdentStateData *)params.data;
- if (state->conn) {
- state->conn->noteClosure();
- state->conn = nullptr;
- }
- state->deleteThis("connection closed");
-}
-
-void
-Ident::Timeout(const CommTimeoutCbParams &io)
-{
- debugs(30, 3, io.conn);
- IdentStateData *state = (IdentStateData *)io.data;
- state->deleteThis("timeout");
-}
-
-void
-Ident::ConnectDone(const Comm::ConnectionPointer &conn, Comm::Flag status, int, void *data)
-{
- IdentStateData *state = (IdentStateData *)data;
- state->connWait.finish();
-
- // Start owning the supplied connection (so that it is not orphaned if this
- // function bails early). As a (tiny) optimization or perhaps just diff
- // minimization, the close handler is added later, when we know we are not
- // bailing. This delay is safe because comm_remove_close_handler() forgives
- // missing handlers.
- assert(conn); // but may be closed
- assert(!state->conn);
- state->conn = conn;
-
- if (status != Comm::OK) {
- if (status == Comm::TIMEOUT)
- debugs(30, 3, "IDENT connection timeout to " << state->conn->remote);
- state->deleteThis(status == Comm::TIMEOUT ? "connect timeout" : "connect error");
- return;
- }
-
- /*
- * see if any of our clients still care
- */
- IdentClient *c;
- for (c = state->clients; c; c = c->next) {
- if (cbdataReferenceValid(c->callback_data))
- break;
- }
-
- if (c == nullptr) {
- state->deleteThis("client(s) aborted");
- return;
- }
-
- assert(state->conn->isOpen());
- comm_add_close_handler(state->conn->fd, Ident::Close, state);
-
- AsyncCall::Pointer writeCall = commCbCall(5,4, "Ident::WriteFeedback",
- CommIoCbPtrFun(Ident::WriteFeedback, state));
- Comm::Write(conn, &state->queryMsg, writeCall);
- AsyncCall::Pointer readCall = commCbCall(5,4, "Ident::ReadReply",
- CommIoCbPtrFun(Ident::ReadReply, state));
- comm_read(conn, state->buf, IDENT_BUFSIZE, readCall);
- AsyncCall::Pointer timeoutCall = commCbCall(5,4, "Ident::Timeout",
- CommTimeoutCbPtrFun(Ident::Timeout, state));
- commSetConnTimeout(conn, Ident::TheConfig.timeout, timeoutCall);
-}
-
-void
-Ident::WriteFeedback(const Comm::ConnectionPointer &conn, char *, size_t len, Comm::Flag flag, int xerrno, void *data)
-{
- debugs(30, 5, conn << ": Wrote IDENT request " << len << " bytes.");
-
- // TODO handle write errors better. retry or abort?
- if (flag != Comm::OK) {
- debugs(30, 2, conn << " err-flags=" << flag << " IDENT write error: " << xstrerr(xerrno));
- IdentStateData *state = (IdentStateData *)data;
- state->deleteThis("write error");
- }
-}
-
-void
-Ident::ReadReply(const Comm::ConnectionPointer &conn, char *buf, size_t len, Comm::Flag flag, int, void *data)
-{
- IdentStateData *state = (IdentStateData *)data;
- char *ident = nullptr;
- char *t = nullptr;
-
- assert(buf == state->buf);
- assert(conn->fd == state->conn->fd);
-
- if (flag != Comm::OK || len <= 0) {
- state->deleteThis("read error");
- return;
- }
-
- /*
- * XXX This isn't really very tolerant. It should read until EOL
- * or EOF and then decode the answer... If the reply is fragmented
- * then this will fail
- */
- buf[len] = '\0';
-
- if ((t = strchr(buf, '\r')))
- *t = '\0';
-
- if ((t = strchr(buf, '\n')))
- *t = '\0';
-
- debugs(30, 5, conn << ": Read '" << buf << "'");
-
- if (strstr(buf, "USERID")) {
- if ((ident = strrchr(buf, ':'))) {
- while (xisspace(*++ident));
- if (ident && *ident == '\0')
- ident = nullptr;
- state->notify(ident);
- }
- }
-
- state->deleteThis("completed");
-}
-
-void
-Ident::ClientAdd(IdentStateData * state, IDCB * callback, void *callback_data)
-{
- IdentClient *c = (IdentClient *)xcalloc(1, sizeof(*c));
- IdentClient **C;
- c->callback = callback;
- c->callback_data = cbdataReference(callback_data);
-
- for (C = &state->clients; *C; C = &(*C)->next);
- *C = c;
-}
-
-/*
- * start a TCP connection to the peer host on port 113
- */
-void
-Ident::Start(const Comm::ConnectionPointer &conn, IDCB * callback, void *data)
-{
- IdentStateData *state;
- char key1[IDENT_KEY_SZ];
- char key2[IDENT_KEY_SZ];
- char key[IDENT_KEY_SZ*2+2]; // key1 + ',' + key2 + terminator
-
- conn->local.toUrl(key1, IDENT_KEY_SZ);
- conn->remote.toUrl(key2, IDENT_KEY_SZ);
- int res = snprintf(key, sizeof(key), "%s,%s", key1, key2);
- assert(res > 0);
- assert(static_cast<unsigned int>(res) < sizeof(key));
-
- if (!ident_hash) {
- ident_hash = hash_create((HASHCMP *) strcmp,
- hashPrime(Squid_MaxFD / 8),
- hash4);
- }
- if ((state = (IdentStateData *)hash_lookup(ident_hash, key)) != nullptr) {
- ClientAdd(state, callback, data);
- return;
- }
-
- state = new IdentStateData;
- state->hash.key = xstrdup(key);
-
- // copy the conn details. We do not want the original FD to be re-used by IDENT.
- const auto identConn = conn->cloneProfile();
- // NP: use random port for secure outbound to IDENT_PORT
- identConn->local.port(0);
- identConn->remote.port(IDENT_PORT);
-
- // build our query from the original connection details
- state->queryMsg.init();
- state->queryMsg.appendf("%d, %d\r\n", conn->remote.port(), conn->local.port());
-
- ClientAdd(state, callback, data);
- hash_join(ident_hash, &state->hash);
-
- AsyncCall::Pointer call = commCbCall(30,3, "Ident::ConnectDone", CommConnectCbPtrFun(Ident::ConnectDone, state));
- const auto connOpener = new Comm::ConnOpener(identConn, call, Ident::TheConfig.timeout);
- state->connWait.start(connOpener, call);
-}
-
-#endif /* USE_IDENT */
-
+++ /dev/null
-/*
- * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
- *
- * Squid software is distributed under GPLv2+ license and includes
- * contributions from numerous individuals and organizations.
- * Please see the COPYING and CONTRIBUTORS files for details.
- */
-
-#ifndef SQUID_SRC_IDENT_IDENT_H
-#define SQUID_SRC_IDENT_IDENT_H
-
-#if USE_IDENT
-
-#include "cbdata.h"
-#include "comm/forward.h"
-
-typedef void IDCB(const char *ident, void *data);
-
-/// Ident Lookup API
-namespace Ident
-{
-
-/**
- * Open a connection and request IDENT information from a peer machine.
- * Callback will be called when the lookup is completed.
- */
-void Start(const Comm::ConnectionPointer &conn, IDCB * callback, void *cbdata);
-
-} // namespace Ident
-
-#endif /* USE_IDENT */
-#endif /* SQUID_SRC_IDENT_IDENT_H */
-
+++ /dev/null
-## Copyright (C) 1996-2023 The Squid Software Foundation and contributors
-##
-## Squid software is distributed under GPLv2+ license and includes
-## contributions from numerous individuals and organizations.
-## Please see the COPYING and CONTRIBUTORS files for details.
-##
-
-include $(top_srcdir)/src/Common.am
-
-noinst_LTLIBRARIES = libident.la
-
-libident_la_SOURCES = \
- AclIdent.cc \
- AclIdent.h \
- Config.h \
- Ident.cc \
- Ident.h
void
Log::Format::HttpdCombined(const AccessLogEntry::Pointer &al, Logfile * logfile)
{
- const char *user_ident = ::Format::QuoteUrlEncodeUsername(al->getClientIdent());
const char *user_auth = nullptr;
const char *referer = nullptr;
const char *agent = nullptr;
logfilePrintf(logfile, "%s %s %s [%s] \"" SQUIDSBUFPH " " SQUIDSBUFPH " %s/%d.%d\" %d %" PRId64 " \"%s\" \"%s\" %s:%s%s",
clientip,
- user_ident ? user_ident : dash_str,
+ dash_str,
user_auth ? user_auth : dash_str,
Time::FormatHttpd(squid_curtime),
SQUIDSBUFPRINT(method),
hier_code_str[al->hier.code],
(Config.onoff.log_mime_hdrs?"":"\n"));
- safe_free(user_ident);
safe_free(user_auth);
if (Config.onoff.log_mime_hdrs) {
if (al->request && al->request->auth_user_request != nullptr)
user_auth = ::Format::QuoteUrlEncodeUsername(al->request->auth_user_request->username());
#endif
- const char *user_ident = ::Format::QuoteUrlEncodeUsername(al->getClientIdent());
char clientip[MAX_IPSTRLEN];
al->getLogClientIp(clientip, MAX_IPSTRLEN);
logfilePrintf(logfile, "%s %s %s [%s] \"" SQUIDSBUFPH " " SQUIDSBUFPH " %s/%d.%d\" %d %" PRId64 " %s:%s%s",
clientip,
- user_ident ? user_ident : dash_str,
+ dash_str,
user_auth ? user_auth : dash_str,
Time::FormatHttpd(squid_curtime),
SQUIDSBUFPRINT(method),
(Config.onoff.log_mime_hdrs?"":"\n"));
safe_free(user_auth);
- safe_free(user_ident);
if (Config.onoff.log_mime_hdrs) {
char *ereq = ::Format::QuoteMimeBlob(al->headers.request);
user = ::Format::QuoteUrlEncodeUsername(al->cache.ssluser);
#endif
- if (!user)
- user = ::Format::QuoteUrlEncodeUsername(al->getClientIdent());
-
if (user && !*user)
safe_free(user);
user = ::Format::QuoteUrlEncodeUsername(al->cache.ssluser);
#endif
- if (!user)
- user = ::Format::QuoteUrlEncodeUsername(al->getClientIdent());
-
if (user && !*user)
safe_free(user);
if (p->access == nullptr)
return true;
- ACLFilledChecklist checklist(p->access, request, nullptr);
+ ACLFilledChecklist checklist(p->access, request);
checklist.updateAle(ps->al);
checklist.syncAle(request, nullptr);
return checklist.fastCheck().allowed();
if (always_direct == ACCESS_DUNNO) {
debugs(44, 3, "direct = " << DirectStr[direct] << " (always_direct to be checked)");
/** check always_direct; */
- ACLFilledChecklist *ch = new ACLFilledChecklist(Config.accessList.AlwaysDirect, request, nullptr);
+ const auto ch = new ACLFilledChecklist(Config.accessList.AlwaysDirect, request);
ch->al = al;
acl_checklist = ch;
acl_checklist->syncAle(request, nullptr);
} else if (never_direct == ACCESS_DUNNO) {
debugs(44, 3, "direct = " << DirectStr[direct] << " (never_direct to be checked)");
/** check never_direct; */
- ACLFilledChecklist *ch = new ACLFilledChecklist(Config.accessList.NeverDirect, request, nullptr);
+ const auto ch = new ACLFilledChecklist(Config.accessList.NeverDirect, request);
ch->al = al;
acl_checklist = ch;
acl_checklist->syncAle(request, nullptr);
// TODO: Remove ACLFilledChecklist::sslErrors and other pre-computed
// state in favor of the ACLs accessing current/fresh info directly.
if (acl_access *acl = ::Config.ssl_client.cert_error) {
- ACLFilledChecklist *check = new ACLFilledChecklist(acl, request.getRaw(), dash_str);
+ const auto check = new ACLFilledChecklist(acl, request.getRaw());
fillChecklist(*check);
SSL_set_ex_data(serverSession.get(), ssl_ex_index_cert_error_check, check);
}
Security::SessionPointer session(fd_table[serverConnection()->fd].ssl);
if (acl_access *acl = ::Config.ssl_client.cert_error) {
- check = new ACLFilledChecklist(acl, request.getRaw(), dash_str);
+ check = new ACLFilledChecklist(acl, request.getRaw());
fillChecklist(*check);
}
if (Config.accessList.forceRequestBodyContinuation) {
ClientHttpRequest *http = pipeline.front()->http;
HttpRequest *request = http->request;
- ACLFilledChecklist bodyContinuationCheck(Config.accessList.forceRequestBodyContinuation, request, nullptr);
+ ACLFilledChecklist bodyContinuationCheck(Config.accessList.forceRequestBodyContinuation, request);
bodyContinuationCheck.al = http->al;
bodyContinuationCheck.syncAle(request, http->log_uri);
if (bodyContinuationCheck.fastCheck().allowed()) {
}
if (Config.accessList.forceRequestBodyContinuation) {
- ACLFilledChecklist bodyContinuationCheck(Config.accessList.forceRequestBodyContinuation, request.getRaw(), nullptr);
+ ACLFilledChecklist bodyContinuationCheck(Config.accessList.forceRequestBodyContinuation, request.getRaw());
bodyContinuationCheck.al = http->al;
bodyContinuationCheck.syncAle(request.getRaw(), http->log_uri);
if (bodyContinuationCheck.fastCheck().allowed()) {
/* Check if we have explicit permission to access SNMP data.
* default (set above) is to deny all */
if (Community) {
- ACLFilledChecklist checklist(Config.accessList.snmp, nullptr, nullptr);
+ ACLFilledChecklist checklist(Config.accessList.snmp, nullptr);
checklist.src_addr = rq->from;
checklist.snmp_community = (char *) Community;
{
handleServerCertificate();
- ACLFilledChecklist *acl_checklist = new ACLFilledChecklist(
- ::Config.accessList.ssl_bump,
- request.getRaw(), nullptr);
+ const auto acl_checklist = new ACLFilledChecklist(::Config.accessList.ssl_bump, request.getRaw());
acl_checklist->al = al;
acl_checklist->banAction(Acl::Answer(ACCESS_ALLOWED, Ssl::bumpNone));
acl_checklist->banAction(Acl::Answer(ACCESS_ALLOWED, Ssl::bumpPeek));
p = http->request->extacl_user.termedBuf();
}
- if (!p && conn != nullptr && conn->clientConnection->rfc931[0])
- p = conn->clientConnection->rfc931;
-
#if USE_OPENSSL
if (!p && conn != nullptr && Comm::IsConnOpen(conn->clientConnection))
p = sslGetUserEmail(fd_table[conn->clientConnection->fd].ssl.get());
if (!Config.accessList.collapsedForwardingAccess)
return true;
- ACLFilledChecklist checklist(Config.accessList.collapsedForwardingAccess, nullptr, nullptr);
+ ACLFilledChecklist checklist(Config.accessList.collapsedForwardingAccess, nullptr);
fillChecklist(checklist);
return checklist.fastCheck().allowed();
}
* Check if this host is allowed to fetch MISSES from us (miss_access)
* default is to allow.
*/
- ACLFilledChecklist ch(Config.accessList.miss, request, nullptr);
+ ACLFilledChecklist ch(Config.accessList.miss, request);
ch.al = http->al;
ch.src_addr = request->client_addr;
ch.my_addr = request->my_addr;
--disable-linux-netfilter \
--disable-linux-tproxy \
--disable-follow-x-forwarded-for \
- --disable-ident-lookups \
--disable-default-hostsfile \
--disable-auth \
--disable-basic-auth-helpers \
--enable-http-violations \
--enable-ipfw-transparent \
--enable-follow-x-forwarded-for \
- --enable-ident-lookups \
--enable-default-hostsfile=/etc/hosts \
--enable-auth \
--enable-basic-auth-helpers \
--enable-http-violations \
--enable-ipfw-transparent \
--enable-follow-x-forwarded-for \
- --enable-ident-lookups \
--enable-internal-dns \
--enable-default-hostsfile \
--disable-auth \
%EXT_USER \
%EXT_LOG \
%EXT_TAG \
- %IDENT \
%SRC \
%SRCPORT \
%URI \
projects / thirdparty / squid.git / commitdiff
