From: Amos Jeffries
Date: Thu, 2 Mar 2017 01:26:30 +0000 (+1300)
Subject: Bug 4657: delay IDENT until after PROXY protocol handling
X-Git-Tag: M-staged-PR71~234
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=42cbf844c7e5134cfa8cd7ae429e5546c58a3b75;p=thirdparty%2Fsquid.git

Bug 4657: delay IDENT until after PROXY protocol handling
---

diff --git a/src/client_side.cc b/src/client_side.cc
index 976b96b75a..882b8a5e89 100644
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -1999,11 +1999,6 @@ ConnStateData::parseProxy1p0()
 if ((clientConnection->flags & COMM_TRANSPARENT))
 clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.
 debugs(33, 5, "PROXY/1.0 upgrade: " << clientConnection);
-
- // repeat fetch ensuring the new client FQDN can be logged
- if (Config.onoff.log_fqdn)
- fqdncache_gethostbyaddr(clientConnection->remote, FQDN_LOOKUP_IF_MISS);
-
 return true;
 } else if (tok.skip(unknown)) {
@@ -2102,11 +2097,6 @@ ConnStateData::parseProxy2p0()
 break;
 }
 debugs(33, 5, "PROXY/2.0 upgrade: " << clientConnection);
-
- // repeat fetch ensuring the new client FQDN can be logged
- if (Config.onoff.log_fqdn)
- fqdncache_gethostbyaddr(clientConnection->remote, FQDN_LOOKUP_IF_MISS);
-
 return true;
 }
@@ -2145,8 +2135,14 @@ ConnStateData::clientParseRequests()
 break;
 // try to parse the PROXY protocol header magic bytes
- if (needProxyProtocolHeader_ && !parseProxyProtocolHeader())
- break;
+ if (needProxyProtocolHeader_) {
+ if (!parseProxyProtocolHeader())
+ break;
+
+ // we have been waiting for PROXY to provide client-IP
+ // for some lookups, ie rDNS and IDENT.
+ whenClientIpKnown();
+ }
 if (Http::StreamPointer context = parseOneRequest()) {
 debugs(33, 5, clientConnection << ": done parsing a request");
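Review bot: In the clientParseRequests() hunk, whenClientIpKnown() is now a side-effecting step (the rDNS lookup, and per the new comment the IDENT work) gated only on needProxyProtocolHeader_, so unless parseProxyProtocolHeader() clears that flag on success — which is not visible in this hunk — the request-parsing loop would repeat those lookups for every request parsed on the connection. Since a true return falls straight through to parseOneRequest(), it must mean the header was fully consumed, so the once-per-connection intent can be made explicit at the call site regardless of what the parser does: `needProxyProtocolHeader_ = false;` immediately before `whenClientIpKnown();`. The comment could state that contract too, e.g. `// PROXY header parsed: clientConnection->remote is now final, run the src-IP dependent lookups once`. clientParseRequests() begins and ends outside this hunk.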
@@ -2462,6 +2458,18 @@ ConnStateData::start()
 AsyncCall::Pointer call = JobCallback(33, 5, Dialer, this, ConnStateData::connStateClosed);
 comm_add_close_handler(clientConnection->fd, call);
+ needProxyProtocolHeader_ = port->flags.proxySurrogate;
+ if (needProxyProtocolHeader_) {
+ if (!proxyProtocolValidateClient()) // will close the connection on failure
+ return;
+ } else
+ whenClientIpKnown();
+
+}
+
+void
+ConnStateData::whenClientIpKnown()
+{
 if (Config.onoff.log_fqdn)
 fqdncache_gethostbyaddr(clientConnection->remote, FQDN_LOOKUP_IF_MISS);
@@ -2477,12 +2485,6 @@ ConnStateData::start()
 clientdbEstablished(clientConnection->remote, 1);
- needProxyProtocolHeader_ = port->flags.proxySurrogate;
- if (needProxyProtocolHeader_) {
- if (!proxyProtocolValidateClient()) // will close the connection on failure
- return;
- }
-
 #if USE_DELAY_POOLS
 fd_table[clientConnection->fd].clientInfo = NULL;
diff --git a/src/client_side.h b/src/client_side.h
index dfb9b0d6d3..b53c0f5eb2 100644
--- a/src/client_side.h
+++ b/src/client_side.h
@@ -332,6 +332,10 @@ protected:
 /// timeout to use when waiting for the next request
 virtual time_t idleTimeout() const = 0;
+ /// Perform client data lookups that depend on client src-IP.
+ /// The PROXY protocol may require some data intput first.
+ void whenClientIpKnown();
+
 BodyPipe::Pointer bodyPipe; ///< set when we are reading request body
 private:
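Review bot: The new tail of start() pairs a braced `if` arm with an unbraced `} else` around the whenClientIpKnown() call; bracing both arms keeps the two paths visually parallel and avoids the dangling-statement trap when the else grows: `} else {` / `whenClientIpKnown();` / `}`. The PROXY branch also deserves a pointer to where the deferred work now happens, because a reader of start() no longer sees it, e.g. `// PROXY ports: whenClientIpKnown() runs from clientParseRequests() once the header is parsed`. Note that the rest of the old start() body — at least the clientdbEstablished() call and the USE_DELAY_POOLS setup shown as context in the following hunk — is now inside whenClientIpKnown(), so on PROXY ports that per-connection state stays uninitialised until the header arrives; that looks intended, but it is worth a sentence in the method's header comment. start() begins before this hunk and whenClientIpKnown() continues past it.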
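Review bot: The doc comment on the new whenClientIpKnown() declaration in client_side.h has a typo (`intput`) and, more importantly, does not say when the method is expected to run; the .cc side calls it either from start() or, on PROXY-protocol ports, from clientParseRequests() after the header has been parsed, and that once-per-connection contract is what a future caller needs to know. Suggested replacement: `/// Perform client data lookups that depend on the client src-IP (rDNS etc.).` / `/// Called once per connection: from start(), or on PROXY protocol ports only after` / `/// the PROXY header has been parsed and clientConnection->remote is final.`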