From: Amos Jeffries Date: Wed, 18 Nov 2015 03:23:59 +0000 (-0800) Subject: Combine the https_port list internal state with http_port state. X-Git-Tag: SQUID_4_0_3~21 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=339e4d7aa75eb99eded7ae32ac7430db52464732;p=thirdparty%2Fsquid.git Combine the https_port list internal state with http_port state. These two lists have been near identical for some time now and we can easily reduce code by simply merging the two and using either the secure.encryptTransport flag or the transport.protocol type to select the remaining non-identical code paths. --- diff --git a/src/anyp/PortCfg.cc b/src/anyp/PortCfg.cc index 1377d489d9..5209244b7d 100644 --- a/src/anyp/PortCfg.cc +++ b/src/anyp/PortCfg.cc @@ -19,9 +19,6 @@ #include AnyP::PortCfgPointer HttpPortList; -#if USE_OPENSSL -AnyP::PortCfgPointer HttpsPortList; -#endif AnyP::PortCfgPointer FtpPortList; int NHttpSockets = 0; diff --git a/src/anyp/PortCfg.h b/src/anyp/PortCfg.h index 7c77e506eb..38483b9cf1 100644 --- a/src/anyp/PortCfg.h +++ b/src/anyp/PortCfg.h @@ -91,14 +91,9 @@ public: } // namespace AnyP -/// list of Squid http_port configured +/// list of Squid http(s)_port configured extern AnyP::PortCfgPointer HttpPortList; -#if USE_OPENSSL -/// list of Squid https_port configured -extern AnyP::PortCfgPointer HttpsPortList; -#endif - /// list of Squid ftp_port configured extern AnyP::PortCfgPointer FtpPortList; diff --git a/src/cache_cf.cc b/src/cache_cf.cc index fdcbdac59d..1bce018cb5 100644 --- a/src/cache_cf.cc +++ b/src/cache_cf.cc 
@@ -895,18 +895,11 @@ configDoConfigure(void) #if USE_OPENSSL for (AnyP::PortCfgPointer s = HttpPortList; s != NULL; s = s->next) { - if (!s->flags.tunnelSslBumping) + if (!s->secure.encryptTransport) continue; - - debugs(3, DBG_IMPORTANT, "Initializing http_port " << s->s << " SSL context"); + debugs(3, DBG_IMPORTANT, "Initializing " << AnyP::UriScheme(s->transport.protocol) << "_port " << s->s << " TLS context"); s->configureSslServerContext(); } - - for (AnyP::PortCfgPointer s = HttpsPortList; s != NULL; s = s->next) { - debugs(3, DBG_IMPORTANT, "Initializing https_port " << s->s << " SSL context"); - s->configureSslServerContext(); - } - #endif // prevent infinite fetch loops in the request parser diff --git a/src/cf.data.pre b/src/cf.data.pre index e78da378a1..09a1f03b27 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre @@ -2027,10 +2027,10 @@ NOCOMMENT_END DOC_END NAME: https_port -IFDEF: USE_OPENSSL +IFDEF: USE_GNUTLS||USE_OPENSSL TYPE: PortCfg DEFAULT: none -LOC: HttpsPortList +LOC: HttpPortList DOC_START Usage: [ip:]port [mode] cert=certificate.pem [options] diff --git a/src/client_side.cc b/src/client_side.cc index 29908e2f2f..6972eac4bc 100644 --- a/src/client_side.cc +++ b/src/client_side.cc 
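Review bot: This context-initialization loop stays inside `#if USE_OPENSSL` while the cf.data.pre hunk of the same commit now accepts https_port under `USE_GNUTLS||USE_OPENSSL`, so on a GnuTLS-only build an https_port entry reaches HttpPortList with encryptTransport set but configureSslServerContext() is never called for it. Judging by the later `if (s->secure.encryptTransport && !s->staticSslContext) ... continue;` in client_side.cc, such a port would then be dropped with a message blaming a "TLS context initialization failure" that never ran, though I cannot see from here whether staticSslContext exists or is populated in a GnuTLS build. Either put this block under the same condition as the parser, or reject https_port at parse time on non-OpenSSL builds, and record the gap here with `// TODO: GnuTLS builds accept https_port but cannot yet build a server context; the port is dropped later in clientHttpConnectionsOpen()`. configDoConfigure() begins and continues outside this hunk.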
@@ -4264,103 +4264,74 @@ static void clientHttpConnectionsOpen(void) { for (AnyP::PortCfgPointer s = HttpPortList; s != NULL; s = s->next) { + const char *scheme = AnyP::UriScheme(s->transport.protocol).c_str(); + if (MAXTCPLISTENPORTS == NHttpSockets) { - debugs(1, DBG_IMPORTANT, "WARNING: You have too many 'http_port' lines."); + debugs(1, DBG_IMPORTANT, "WARNING: You have too many '" << scheme << "_port' lines."); debugs(1, DBG_IMPORTANT, " The limit is " << MAXTCPLISTENPORTS << " HTTP ports."); continue; } #if USE_OPENSSL - if (s->flags.tunnelSslBumping && !Config.accessList.ssl_bump) { - debugs(33, DBG_IMPORTANT, "WARNING: No ssl_bump configured. Disabling ssl-bump on " << AnyP::UriScheme(s->transport.protocol) << "_port " << s->s); - s->flags.tunnelSslBumping = false; - } - - if (s->flags.tunnelSslBumping && - !s->staticSslContext && - !s->generateHostCertificates) { - debugs(1, DBG_IMPORTANT, "Will not bump SSL at http_port " << s->s << " due to SSL initialization failure."); - s->flags.tunnelSslBumping = false; - } if (s->flags.tunnelSslBumping) { - // Create ssl_ctx cache for this port. - Ssl::TheGlobalContextStorage.addLocalStorage(s->s, s->dynamicCertMemCacheSize == std::numeric_limits::max() ? 4194304 : s->dynamicCertMemCacheSize); + if (!Config.accessList.ssl_bump) { + debugs(33, DBG_IMPORTANT, "WARNING: No ssl_bump configured. Disabling ssl-bump on " << scheme << "_port " << s->s); + s->flags.tunnelSslBumping = false; + } + if (!s->staticSslContext && !s->generateHostCertificates) { + debugs(1, DBG_IMPORTANT, "Will not bump SSL at " << scheme << "_port " << s->s << " due to TLS initialization failure."); + s->flags.tunnelSslBumping = false; + if (s->transport.protocol == AnyP::PROTO_HTTP) + s->secure.encryptTransport = false; + } + if (s->flags.tunnelSslBumping) { + // Create ssl_ctx cache for this port. + auto sz = s->dynamicCertMemCacheSize == std::numeric_limits::max() ? 
4194304 : s->dynamicCertMemCacheSize; + Ssl::TheGlobalContextStorage.addLocalStorage(s->s, sz); + } } #endif + if (s->secure.encryptTransport && !s->staticSslContext) { + debugs(1, DBG_CRITICAL, "ERROR: Ignoring " << scheme << "_port " << s->s << " due to TLS context initialization failure."); + continue; + } + // Fill out a Comm::Connection which IPC will open as a listener for us // then pass back when active so we can start a TcpAcceptor subscription. s->listenConn = new Comm::Connection; s->listenConn->local = s->s; - s->listenConn->flags = COMM_NONBLOCKING | (s->flags.tproxyIntercept ? COMM_TRANSPARENT : 0) | (s->flags.natIntercept ? COMM_INTERCEPTION : 0); - // setup the subscriptions such that new connections accepted by listenConn are handled by HTTP - typedef CommCbFunPtrCallT AcceptCall; - RefCount subCall = commCbCall(5, 5, "httpAccept", CommAcceptCbPtrFun(httpAccept, CommAcceptCbParams(NULL))); - Subscription::Pointer sub = new CallSubscription(subCall); + s->listenConn->flags = COMM_NONBLOCKING | (s->flags.tproxyIntercept ? COMM_TRANSPARENT : 0) | + (s->flags.natIntercept ? 
COMM_INTERCEPTION : 0); - AsyncCall::Pointer listenCall = asyncCall(33,2, "clientListenerConnectionOpened", - ListeningStartedDialer(&clientListenerConnectionOpened, s, Ipc::fdnHttpSocket, sub)); - Ipc::StartListening(SOCK_STREAM, IPPROTO_TCP, s->listenConn, Ipc::fdnHttpSocket, listenCall); + typedef CommCbFunPtrCallT AcceptCall; + if (s->transport.protocol == AnyP::PROTO_HTTP) { + // setup the subscriptions such that new connections accepted by listenConn are handled by HTTP + RefCount subCall = commCbCall(5, 5, "httpAccept", CommAcceptCbPtrFun(httpAccept, CommAcceptCbParams(NULL))); + Subscription::Pointer sub = new CallSubscription(subCall); - HttpSockets[NHttpSockets] = -1; // set in clientListenerConnectionOpened - ++NHttpSockets; - } -} + AsyncCall::Pointer listenCall = asyncCall(33,2, "clientListenerConnectionOpened", + ListeningStartedDialer(&clientListenerConnectionOpened, s, Ipc::fdnHttpSocket, sub)); + Ipc::StartListening(SOCK_STREAM, IPPROTO_TCP, s->listenConn, Ipc::fdnHttpSocket, listenCall); #if USE_OPENSSL -static void -clientHttpsConnectionsOpen(void) -{ - for (AnyP::PortCfgPointer s = HttpsPortList; s != NULL; s = s->next) { - if (MAXTCPLISTENPORTS == NHttpSockets) { - debugs(1, DBG_IMPORTANT, "Ignoring 'https_port' lines exceeding the limit."); - debugs(1, DBG_IMPORTANT, "The limit is " << MAXTCPLISTENPORTS << " HTTPS ports."); - continue; - } - - if (!s->staticSslContext) { - debugs(1, DBG_IMPORTANT, "Ignoring https_port " << s->s << - " due to SSL initialization failure."); - continue; - } - - // TODO: merge with similar code in clientHttpConnectionsOpen() - if (s->flags.tunnelSslBumping && !Config.accessList.ssl_bump) { - debugs(33, DBG_IMPORTANT, "WARNING: No ssl_bump configured. 
Disabling ssl-bump on " << AnyP::UriScheme(s->transport.protocol) << "_port " << s->s); - s->flags.tunnelSslBumping = false; - } - - if (s->flags.tunnelSslBumping && !s->staticSslContext && !s->generateHostCertificates) { - debugs(1, DBG_IMPORTANT, "Will not bump SSL at https_port " << s->s << " due to SSL initialization failure."); - s->flags.tunnelSslBumping = false; - } - - if (s->flags.tunnelSslBumping) { - // Create ssl_ctx cache for this port. - Ssl::TheGlobalContextStorage.addLocalStorage(s->s, s->dynamicCertMemCacheSize == std::numeric_limits::max() ? 4194304 : s->dynamicCertMemCacheSize); + } else if (s->transport.protocol == AnyP::PROTO_HTTPS) { + // setup the subscriptions such that new connections accepted by listenConn are handled by HTTPS + RefCount subCall = commCbCall(5, 5, "httpsAccept", CommAcceptCbPtrFun(httpsAccept, CommAcceptCbParams(NULL))); + Subscription::Pointer sub = new CallSubscription(subCall); + + AsyncCall::Pointer listenCall = asyncCall(33, 2, "clientListenerConnectionOpened", + ListeningStartedDialer(&clientListenerConnectionOpened, + s, Ipc::fdnHttpsSocket, sub)); + Ipc::StartListening(SOCK_STREAM, IPPROTO_TCP, s->listenConn, Ipc::fdnHttpsSocket, listenCall); +#endif } - // Fill out a Comm::Connection which IPC will open as a listener for us - s->listenConn = new Comm::Connection; - s->listenConn->local = s->s; - s->listenConn->flags = COMM_NONBLOCKING | (s->flags.tproxyIntercept ? COMM_TRANSPARENT : 0) | - (s->flags.natIntercept ? 
COMM_INTERCEPTION : 0); - - // setup the subscriptions such that new connections accepted by listenConn are handled by HTTPS - typedef CommCbFunPtrCallT AcceptCall; - RefCount subCall = commCbCall(5, 5, "httpsAccept", CommAcceptCbPtrFun(httpsAccept, CommAcceptCbParams(NULL))); - Subscription::Pointer sub = new CallSubscription(subCall); - - AsyncCall::Pointer listenCall = asyncCall(33, 2, "clientListenerConnectionOpened", - ListeningStartedDialer(&clientListenerConnectionOpened, - s, Ipc::fdnHttpsSocket, sub)); - Ipc::StartListening(SOCK_STREAM, IPPROTO_TCP, s->listenConn, Ipc::fdnHttpsSocket, listenCall); - HttpSockets[NHttpSockets] = -1; + HttpSockets[NHttpSockets] = -1; // set in clientListenerConnectionOpened ++NHttpSockets; } } -#endif void clientStartListeningOn(AnyP::PortCfgPointer &port, const RefCount< CommCbFunPtrCallT > &subCall, const Ipc::FdNoteId fdNote) @@ -4416,9 +4387,6 @@ void clientOpenListenSockets(void) { clientHttpConnectionsOpen(); -#if USE_OPENSSL - clientHttpsConnectionsOpen(); -#endif Ftp::StartListening(); if (NHttpSockets < 1) @@ -4430,22 +4398,12 @@ clientConnectionsClose() { for (AnyP::PortCfgPointer s = HttpPortList; s != NULL; s = s->next) { if (s->listenConn != NULL) { - debugs(1, DBG_IMPORTANT, "Closing HTTP port " << s->listenConn->local); + debugs(1, DBG_IMPORTANT, "Closing HTTP(S) port " << s->listenConn->local); s->listenConn->close(); s->listenConn = NULL; } } -#if USE_OPENSSL - for (AnyP::PortCfgPointer s = HttpsPortList; s != NULL; s = s->next) { - if (s->listenConn != NULL) { - debugs(1, DBG_IMPORTANT, "Closing HTTPS port " << s->listenConn->local); - s->listenConn->close(); - s->listenConn = NULL; - } - } -#endif - Ftp::StopListening(); // TODO see if we can drop HttpSockets array entirely */ diff --git a/src/ssl/helper.cc b/src/ssl/helper.cc index 1331f70b56..a88a855b17 100644 --- a/src/ssl/helper.cc +++ b/src/ssl/helper.cc 
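Review bot: Inside the new `if (s->flags.tunnelSslBumping)` block the second test, `if (!s->staticSslContext && !s->generateHostCertificates)`, no longer re-checks the flag, so a port that just lost bumping under "No ssl_bump configured" is logged a second time as "Will not bump SSL ... due to TLS initialization failure", and an http_port that lost bumping for the first reason alone keeps `secure.encryptTransport` set (the old code tested the flag in both conditions). If, as the clearing on the new side implies, encryptTransport is what marks a bumping http_port, clear it whenever bumping ends up disabled rather than only on the second path, as in the rewrite below. Separately, the protocol dispatch has no final `else`: a port whose transport.protocol is neither PROTO_HTTP nor PROTO_HTTPS (or is PROTO_HTTPS in a build without USE_OPENSSL, unless the staticSslContext guard above already catches it) never calls Ipc::StartListening but still reaches `HttpSockets[NHttpSockets] = -1; ++NHttpSockets;`, so an arm like `else { debugs(1, DBG_CRITICAL, "ERROR: Ignoring " << scheme << "_port " << s->s << ": unsupported transport"); continue; }` would keep the socket count honest. clientHttpConnectionsOpen() is shown in full here, but the hunk also removes clientHttpsConnectionsOpen() in the same region.
```cpp
        if (s->flags.tunnelSslBumping) {
            // … unchanged: "No ssl_bump configured" check, which may clear tunnelSslBumping …
            // re-test the flag: the check above may have just cleared it
            if (s->flags.tunnelSslBumping && !s->staticSslContext && !s->generateHostCertificates) {
                debugs(1, DBG_IMPORTANT, "Will not bump SSL at " << scheme << "_port " << s->s << " due to TLS initialization failure.");
                s->flags.tunnelSslBumping = false;
            }
            // an http_port that is no longer bumping serves plain HTTP and needs no TLS context
            if (!s->flags.tunnelSslBumping && s->transport.protocol == AnyP::PROTO_HTTP)
                s->secure.encryptTransport = false;
            // … unchanged: per-port ssl_ctx cache setup …
        }
```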
@@ -46,8 +46,6 @@ void Ssl::Helper::Init() bool found = false; for (AnyP::PortCfgPointer s = HttpPortList; !found && s != NULL; s = s->next) found = s->flags.tunnelSslBumping && s->generateHostCertificates; - for (AnyP::PortCfgPointer s = HttpsPortList; !found && s != NULL; s = s->next) - found = s->flags.tunnelSslBumping && s->generateHostCertificates; if (!found) return; @@ -138,8 +136,6 @@ void Ssl::CertValidationHelper::Init() bool found = false; for (AnyP::PortCfgPointer s = HttpPortList; !found && s != NULL; s = s->next) found = s->flags.tunnelSslBumping; - for (AnyP::PortCfgPointer s = HttpsPortList; !found && s != NULL; s = s->next) - found = s->flags.tunnelSslBumping; if (!found) return; diff --git a/src/ssl/support.cc b/src/ssl/support.cc index 2ee7e21c80..e82d02c86f 100644 --- a/src/ssl/support.cc +++ b/src/ssl/support.cc @@ -1377,10 +1377,9 @@ setSessionCallbacks(SSL_CTX *ctx) static bool isSslServer() { - if (HttpsPortList != NULL) - return true; - for (AnyP::PortCfgPointer s = HttpPortList; s != NULL; s = s->next) { + if (s->secure.encryptTransport) + return true; if (s->flags.tunnelSslBumping) return true; } @@ -1411,11 +1410,6 @@ Ssl::initialize_session_cache() return; } - for (AnyP::PortCfgPointer s = HttpsPortList; s != NULL; s = s->next) { - if (s->staticSslContext.get() != NULL) - setSessionCallbacks(s->staticSslContext.get()); - } - for (AnyP::PortCfgPointer s = HttpPortList; s != NULL; s = s->next) { if (s->staticSslContext.get() != NULL) setSessionCallbacks(s->staticSslContext.get()); diff --git a/src/tools.cc b/src/tools.cc index 3176bab2a9..f8dc5412e0 100644 --- a/src/tools.cc +++ b/src/tools.cc @@ -421,13 +421,6 @@ getMyHostname(void) if (HttpPortList != NULL && sa.isAnyAddr()) sa = HttpPortList->s; -#if USE_OPENSSL - - if (HttpsPortList != NULL && sa.isAnyAddr()) - sa = HttpsPortList->s; - -#endif - /* * If the first http_port address has a specific address, try a * reverse DNS lookup on it. 
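Review bot: In isSslServer() the two early returns inside the loop test independent flags back to back; `if (s->secure.encryptTransport || s->flags.tunnelSslBumping) return true;` reads as one condition and makes it obvious that both kinds of port are meant to count. Whether the tunnelSslBumping test is still reachable once encryptTransport covers bumping ports is decided by the parser, not this hunk, so a one-line comment above the loop, `// any https_port, or any http_port that bumps, needs the TLS server-side setup`, would record why both flags are checked now that HttpsPortList is gone. The rest of isSslServer() lies outside this hunk.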
@@ -1078,16 +1071,6 @@ getMyPort(void) return p->s.port(); } -#if USE_OPENSSL - if ((p = HttpsPortList) != NULL) { - // skip any special interception ports - while (p != NULL && p->flags.isIntercepted()) - p = p->next; - if (p != NULL) - return p->s.port(); - } -#endif - if ((p = FtpPortList) != NULL) { // skip any special interception ports while (p != NULL && p->flags.isIntercepted())