From: Amos Jeffries Date: Sun, 7 Feb 2010 03:38:46 +0000 (+1300) Subject: Add adapted_http_access option. Port of http_access2 from Squid-2 X-Git-Tag: SQUID_3_2_0_1~428 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=533493dab351f0542a7f8a286f2d639bc4f47750;p=thirdparty%2Fsquid.git Add adapted_http_access option. Port of http_access2 from Squid-2 --- diff --git a/doc/release-notes/release-3.1.sgml b/doc/release-notes/release-3.1.sgml index 7e81337def..bafa824ef9 100644 --- a/doc/release-notes/release-3.1.sgml +++ b/doc/release-notes/release-3.1.sgml @@ -475,6 +475,10 @@ This section gives a thorough account of those changes in three categories: matters. + adapted_http_access +

New name for http_access2. This form includes access control + of ICAP and eCAP adaptations as well as the URL-rewriter alterations. + chunked_request_body_max_size

New option to enable handing of broken HTTP/1.1 clients sending chunk requests. @@ -1425,6 +1429,9 @@ This section gives an account of those changes in three categories: header_access

Replaced by request_header_access and reply_header_access + http_access2 +

Replaced by adapted_http_access + http_port

no-connection-auth replaced by connection-auth=[on|off]. Default is ON.

transparent option replaced by intercept @@ -1577,9 +1584,6 @@ This section gives an account of those changes in three categories: external_refresh_check

Not yet ported from 2.7 - http_access2 -

Not yet ported from 2.6 - http_port

act-as-origin not yet ported from 2.7

http11 not yet ported from 2.7 diff --git a/doc/release-notes/release-3.2.sgml b/doc/release-notes/release-3.2.sgml index 666fcee0e7..508639a0ea 100644 --- a/doc/release-notes/release-3.2.sgml +++ b/doc/release-notes/release-3.2.sgml @@ -307,6 +307,9 @@ This section gives an account of those changes in three categories:

no-connection-auth replaced by connection-auth=[on|off]. Default is ON.

transparent option replaced by intercept + http_access2 +

Repalced by adapted_http_access + httpd_accel_no_pmtu_disc

Replaced by http_port disable-pmtu-discovery= option @@ -452,9 +455,6 @@ This section gives an account of those changes in three categories: external_refresh_check

Not yet ported from 2.7 - http_access2 -

Not yet ported from 2.6 - http_port

act-as-origin not yet ported from 2.7

http11 not yet ported from 2.7 diff --git a/src/ClientRequestContext.h b/src/ClientRequestContext.h index 430ac8319d..0b4dad40a1 100644 --- a/src/ClientRequestContext.h +++ b/src/ClientRequestContext.h @@ -26,6 +26,7 @@ public: bool httpStateIsValid(); void clientAccessCheck(); + void clientAccessCheck2(); void clientAccessCheckDone(int answer); void clientRedirectStart(); void clientRedirectDone(char *result); @@ -42,11 +43,10 @@ public: int redirect_state; bool http_access_done; + bool adapted_http_access_done; #if USE_ADAPTATION - bool adaptation_acl_check_done; #endif - bool redirect_done; bool no_cache_done; bool interpreted_req_hdrs; diff --git a/src/cf.data.depend b/src/cf.data.depend index 8215ce3951..75fe5ec502 100644 --- a/src/cf.data.depend +++ b/src/cf.data.depend @@ -22,7 +22,7 @@ externalAclHelper auth_param HelperChildConfig hostdomain cache_peer hostdomaintype cache_peer -http_header_access +http_header_access acl http_header_replace http_port_list https_port_list diff --git a/src/cf.data.pre b/src/cf.data.pre index 0b44064635..91f1f41f80 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre @@ -922,6 +922,20 @@ http_access deny all NOCOMMENT_END DOC_END +NAME: adapted_http_access http_access2 +TYPE: acl_access +LOC: Config.accessList.adapted_http +DEFAULT: none +DOC_START + Allowing or Denying access based on defined access lists + + Essentially identical to http_access, but runs after redirectors + and ICAP/eCAP adaptation. Allowing access control based on their + output. + + If not set then only http_access is used. +DOC_END + NAME: http_reply_access TYPE: acl_access LOC: Config.accessList.reply diff --git a/src/client_side_request.cc b/src/client_side_request.cc index 82c52557bd..980b66d062 100644 --- a/src/client_side_request.cc +++ b/src/client_side_request.cc 
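Review bot: The second ClientRequestContext.h hunk deletes `adaptation_acl_check_done` but leaves an empty `#if USE_ADAPTATION` / `#endif` pair behind, and no hunk in this commit touches the places in client_side_request.cc that presumably read and set that flag, so an adaptation-enabled build may fail to compile or, if the references were removed separately, the adaptation ACL gate silently disappears — either way the commit message should say what happened to it. If the removal is intended, drop the empty conditional as well; if not, keep the member. The new `bool adapted_http_access_done;` is added with no initializer alongside `http_access_done`, whose initialisation lives in the constructor outside this diff; a comment on the declaration such as `bool adapted_http_access_done; ///< adapted_http_access check started; must be reset to false in the ctor` would make the contract visible to whoever maintains the constructor.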
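Review bot: The DOC_START text for adapted_http_access does not tell the administrator what happens when a list is configured but nothing matches, which is the case that matters for a last-line-of-defence ACL; since the directive uses the same `acl_access` type as http_access, it presumably inherits the "no match means the opposite of the last line" rule, so a list ending in `deny` allows on no match. It also says the check "runs after redirectors and ICAP/eCAP adaptation" without spelling out the consequence that ACLs here are evaluated against the rewritten/adapted request rather than what the client sent. Suggest rewording the middle paragraph along the lines of: `Essentially identical to http_access, but evaluated after URL-rewrite helpers and ICAP/eCAP adaptation, so ACLs see the adapted request (URL and headers). If no line matches, the result is the opposite of the last line, as with http_access.` The sentence fragment "Allowing access control based on their output." should be folded into that rewording.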
@@ -532,6 +532,23 @@ ClientRequestContext::clientAccessCheck() } } +/** + * Identical in operation to clientAccessCheck() but performed later using different configured ACL list. + * The default here is to allow all. Since the earlier http_access should do a default deny all. + * This check is just for a last-minute denial based on adapted request headers. + */ +void +ClientRequestContext::clientAccessCheck2() +{ + if (Config.accessList.adapted_http) { + acl_checklist = clientAclChecklistCreate(Config.accessList.adapted_http, http); + acl_checklist->nonBlockingCheck(clientAccessCheckDoneWrapper, this); + } else { + debugs(85, 2, HERE << "No adapted_http_access configuration."); + clientAccessCheckDone(ACCESS_ALLOWED); + } +} + void clientAccessCheckDoneWrapper(int answer, void *data) { @@ -1294,6 +1311,13 @@ ClientHttpRequest::doCallouts() } } + if (!calloutContext->adapted_http_access_done) { + debugs(83, 3, HERE << "Doing calloutContext->clientAccessCheck2()"); + calloutContext->adapted_http_access_done = true; + calloutContext->clientAccessCheck2(); + return; + } + if (!calloutContext->interpreted_req_hdrs) { debugs(83, 3, HERE << "Doing clientInterpretRequestHeaders()"); calloutContext->interpreted_req_hdrs = 1; diff --git a/src/structs.h b/src/structs.h index 416799b45d..10005ccbad 100644 --- a/src/structs.h +++ b/src/structs.h @@ -461,6 +461,7 @@ struct SquidConfig { struct { acl_access *http; + acl_access *adapted_http; acl_access *icp; acl_access *miss; acl_access *NeverDirect;
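Review bot: The header comment on clientAccessCheck2() overstates the fallback: "allow all" only holds on the `else` branch where no adapted_http_access list exists, while once `Config.accessList.adapted_http` is set the outcome is whatever `clientAclChecklistCreate`/`nonBlockingCheck` decide, presumably with the usual opposite-of-last-line default on no match, so a list that ends in `deny` allows unmatched requests. The middle two comment lines could read ` * With no adapted_http_access configured the request is allowed (http_access is expected to have applied the default deny already); with a list configured, the usual ACL no-match rule applies.` which also fixes the sentence fragment starting "Since the earlier". Note that the `else` branch calls `clientAccessCheckDone(ACCESS_ALLOWED)` synchronously, so doCallouts() is re-entered from within its own call chain rather than from an async callback as on the configured path; that appears harmless here but is worth a one-line comment since the two branches resume differently.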
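Review bot: `calloutContext->adapted_http_access_done` is read in the new doCallouts() block before anything in this commit assigns it, and the header hunk adds the member without an initializer; the ClientRequestContext constructor is outside the diff, so confirm it sets `adapted_http_access_done = false;` next to `http_access_done = false;`, otherwise a stale true value skips the adapted_http_access check entirely, which is a silent ACL bypass rather than a crash. The hunk's context shows only the closing braces of the preceding step, so it cannot be verified from here that the new block sits after both the redirect step and the USE_ADAPTATION start; if it does not, ACLs evaluate the pre-adaptation request and the documented "runs after redirectors and ICAP/eCAP adaptation" guarantee does not hold. A short comment above the block, `// adapted_http_access: re-check after URL rewriting and adaptation have altered the request`, would tie the ordering requirement to the code. The enclosing doCallouts() body starts and ends outside this hunk.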