From: Amos Jeffries
Date: Thu, 22 May 2008 03:05:40 +0000 (+1200)
Subject: Update interception documentation and debugging.
X-Git-Tag: SQUID_3_1_0_1~49^2~230
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=13b5cd0ca5992342694a205aad38aa51dcdd9d32;p=thirdparty%2Fsquid.git
Update interception documentation and debugging.
Adds better documentation on effects of intercept and tproxy flags. Alters debugging to clearly log components enabled/disabled on startup and reconfigure of http(s)_port's using interception flags.
---
diff --git a/src/cache_cf.cc b/src/cache_cf.cc
index f41466343a..3ce9a2c059 100644
--- a/src/cache_cf.cc
+++ b/src/cache_cf.cc
@@ -2935,20 +2935,30 @@ parse_http_port_option(http_port_list * s, char *token)
 } else if (strcmp(token, "transparent") == 0 || strcmp(token, "intercept") == 0) {
 s->intercepted = 1;
 IPInterceptor.StartInterception();
+ /* Log information regarding the port modes under interception. */
+ debugs(3, DBG_IMPORTANT, "Starting Authentication on port " << s->s);
+ debugs(3, DBG_IMPORTANT, "Disabling Authentication on port " << s->s << " (interception enabled)");
+
 #if USE_IPV6
 /* INET6: until transparent REDIRECT works on IPv6 SOCKET, force wildcard to IPv4 */
+ debugs(3, DBG_IMPORTANT, "Disabling IPv6 on port " << s->s << " (interception enabled)");
 if( !s->s.SetIPv4() ) {
- debugs(3, 0, "http(s)_port: IPv6 addresses cannot be 'transparent' (protocol does not provide NAT)" << s->s );
+ debugs(3, DBG_CRITICAL, "http(s)_port: IPv6 addresses cannot be transparent (protocol does not provide NAT)" << s->s );
 self_destruct();
 }
 #endif
 } else if (strcmp(token, "tproxy") == 0) {
 s->spoof_client_ip = 1;
 IPInterceptor.StartTransparency();
+ /* Log information regarding the port modes under transparency. */
+ debugs(3, DBG_IMPORTANT, "Starting IP Spoofing on port " << s->s);
+ debugs(3, DBG_IMPORTANT, "Disabling Authentication on port " << s->s << " (Ip spoofing enabled)");
+
 #if USE_IPV6
 /* INET6: until target TPROXY is known to work on IPv6 SOCKET, force wildcard to IPv4 */
+ debugs(3, DBG_IMPORTANT, "Disabling IPv6 on port " << s->s << " (interception enabled)");
 if( s->s.IsIPv6() && !s->s.SetIPv4() ) {
- debugs(3, 0, "http(s)_port: IPv6 addresses cannot be transparent (protocol does not provide NAT)" << s->s );
+ debugs(3, DBG_CRITICAL, "http(s)_port: IPv6 addresses cannot be transparent (protocol does not provide NAT)" << s->s );
 self_destruct();
 }
 #endif
diff --git a/src/cf.data.pre b/src/cf.data.pre
index 172ebe42fc..da98a127f3 100644
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
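Review bot: In the `intercept` branch of parse_http_port_option (src/cache_cf.cc) the first new message reads `"Starting Authentication on port "` and is immediately followed by "Disabling Authentication on port", so cache.log states two opposite things about the same listener; judging by the parallel `"Starting IP Spoofing on port "` in the tproxy branch it was probably meant to be `debugs(3, DBG_IMPORTANT, "Starting IP Interception on port " << s->s);`. These lines are what an operator reads to confirm which ports enforce proxy authentication, so the wording needs to be unambiguous. In the tproxy branch the new IPv6 message says `(interception enabled)` where the line above it says `(Ip spoofing enabled)`, and it is emitted before the `s->s.IsIPv6()` test, so it is logged even for a port that was never IPv6. The hunk adds log lines only; the code that actually turns authentication off for these ports is not visible here, and the function continues outside the hunk.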
@@ -106,6 +106,8 @@ DOC_START proxy as the client then thinks it is talking to an origin server and not the proxy. This is a limitation of bending the TCP/IP protocol to transparently intercepting port 80, not a limitation in Squid. + Ports flagged 'transparent', 'intercept', or 'tproxy' have authentication + disabled. === Parameters for the basic scheme follow. === @@ -900,9 +902,11 @@ DOC_START intercept Support for IP-Layer interception of outgoing requests without browser settings. + NP: disables authentication and IPv6 on the port. tproxy Support Linux TPROXY for spoofing outgoing connections using the client IP address. + NP: disables authentication and IPv6 on the port. accel Accelerator mode. Also needs at least one of vhost / vport / defaultsite.