From: Amos Jeffries Date: Sun, 12 Jul 2009 08:58:47 +0000 (+1200) Subject: Author: Henrik Nordstrom X-Git-Tag: SQUID_3_2_0_1~890 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7f7bdd96ae91b6f9c22d674e09214a430abcfb8b;p=thirdparty%2Fsquid.git Author: Henrik Nordstrom http_port allow-direct option to allow direct forwarding in accelerator mode normally direct forwarding is disabled in accelerator mode unless overridden by always_direct, to avoid unintentional security loops. But there is setups where it makes sense to not have this restriction as this has effects on peer selection as well.
---
diff --git a/doc/release-notes/release-3.1.sgml b/doc/release-notes/release-3.1.sgml
index f1112a61bb..2e75735260 100644
--- a/doc/release-notes/release-3.1.sgml
+++ b/doc/release-notes/release-3.1.sgml
@@ -946,6 +946,10 @@ NOCOMMENT_START
 intercept Rename of old 'transparent' option to indicate proper functionality.
+ allow-direct Allow direct forwarding in accelerator mode. Normally
+ accelerated requests are denied direct forwarding as if
+ never_direct was used.
+
 connection-auth[=on|off] use connection-auth=off to tell Squid to prevent forwarding Microsoft connection oriented authentication
@@ -1352,7 +1356,6 @@ This section gives an account of those changes in three categories:
 http_port

act-as-origin not yet ported from 2.7 -

allow-direct not yet ported from 2.7

http11 not yet ported from 2.7

 urlgroup= not yet ported from 2.6
diff --git a/src/ProtoPort.h b/src/ProtoPort.h
index 8f5384d463..b421dd1267 100644
--- a/src/ProtoPort.h
+++ b/src/ProtoPort.h
@@ -21,6 +21,7 @@ struct http_port_list {
 unsigned int intercepted:1; /**< intercepting proxy port */
 unsigned int spoof_client_ip:1; /**< spoof client ip if possible */
 unsigned int accel:1; /**< HTTP accelerator */
+ unsigned int allow_direct:1; /**< Allow direct forwarding in accelerator mode */
 unsigned int vhost:1; /**< uses host header */
 unsigned int sslBump:1; /**< intercepts CONNECT requests */
diff --git a/src/cache_cf.cc b/src/cache_cf.cc
index 3f379b7315..536234ad91 100644
--- a/src/cache_cf.cc
+++ b/src/cache_cf.cc
@@ -2992,6 +2992,8 @@ parse_http_port_option(http_port_list * s, char *token)
 s->accel = 1;
 } else if (strcmp(token, "accel") == 0) {
 s->accel = 1;
+ } else if (strcmp(token, "allow-direct") == 0) {
+ s->allow_direct = 1;
 } else if (strcmp(token, "no-connection-auth") == 0) {
 s->connection_auth_disabled = true;
 } else if (strcmp(token, "connection-auth=off") == 0) {
diff --git a/src/cf.data.pre b/src/cf.data.pre
index ee7e104404..c918e394e8 100644
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -1039,6 +1039,10 @@ DOC_START
 accel Accelerator mode. Also needs at least one of vhost / vport / defaultsite.
+ allow-direct Allow direct forwarding in accelerator mode. Normally
+ accelerated requests are denied direct forwarding as if
+ never_direct was used.
+
 defaultsite=domainname What to use for the Host: header if it is not present in a request. Determines what site (not origin server)
diff --git a/src/client_side.cc b/src/client_side.cc
index 6e507fcd6a..a6c3054322 100644
--- a/src/client_side.cc
+++ b/src/client_side.cc
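Review bot: The new `allow-direct` branch sets `s->allow_direct` on any http_port, so the option is accepted without complaint on a port that has no `accel`, even though the client_side.cc hunk in this same commit only consults it when `request->flags.accelerated` is set; a misplaced option therefore has no effect and no diagnostic. I would add a warning wherever the finished http_port entry is validated (not visible from here, so the exact spot is for the author to confirm), e.g. `if (s->allow_direct && !s->accel) debugs(3, 1, "WARNING: http_port allow-direct has no effect without accel");`. parse_http_port_option's body continues outside the hunk.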
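Review bot: The new allow-direct text in cf.data.pre says what the option does but not what it gives up: the commit description says the default denial exists "to avoid unintentional security loops", and with allow-direct an accelerated request whose destination leads back to this Squid can be forwarded direct, leaving only the Via-based loop detection (the `loopdetect` flag tested in the peer_select.cc hunk) to stop it. I would append after `never_direct was used.` a sentence such as `Enabling this removes the loop protection the default provides; use it only where the origin/peer configuration is trusted and do not disable Via loop detection.` This is documentation only, so no code change is proposed.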
@@ -2275,6 +2275,7 @@ clientProcessRequest(ConnStateData *conn, HttpParser *hp, ClientSocketContext *c
 }
 request->flags.accelerated = http->flags.accel;
+ request->flags.no_direct = request->flags.accelerated ? !conn->port->allow_direct : 0;
 /** \par
 * If transparent or interception mode is working clone the transparent and interception flags
diff --git a/src/peer_select.cc b/src/peer_select.cc
index 7f2d137d08..7caf9c5ec5 100644
--- a/src/peer_select.cc
+++ b/src/peer_select.cc
@@ -315,7 +315,7 @@ peerSelectFoo(ps_state * ps)
 } else if (ps->never_direct > 0) {
 /** if always_direct says NO, do that. */
 ps->direct = DIRECT_NO;
- } else if (request->flags.accelerated) {
+ } else if (request->flags.no_direct) {
 /** if we are accelerating, direct is not an option. */
 ps->direct = DIRECT_NO;
 } else if (request->flags.loopdetect) {
diff --git a/src/structs.h b/src/structs.h
index dd201c54dd..ab2d305706 100644
--- a/src/structs.h
+++ b/src/structs.h
@@ -1027,6 +1027,7 @@ unsigned int proxying:
 unsigned int connection_proxy_auth:1; /** Request wants connection oriented auth */
 unsigned int pinned:1; /* Request sent on a pinned connection */
 unsigned int auth_sent:1; /* Authentication forwarded */
+ unsigned int no_direct:1; /* Deny direct forwarding unless overriden by always_direct. Used in accelerator mode */
 // When adding new flags, please update cloneAdaptationImmune() as needed.
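Review bot: The new `no_direct` assignment is a ternary with an int `!conn->port->allow_direct` in one arm and a literal `0` in the other, and nothing on the line says why accelerated requests are forced non-direct; the plain boolean form with a why-comment reads better: `/* Accelerated requests never go direct unless the port says allow-direct; the commit description says the default exists to avoid unintentional forwarding loops. */` followed by `request->flags.no_direct = request->flags.accelerated && !conn->port->allow_direct;`. That is a style and documentation change only; the stored bit is the same. `conn->port` is dereferenced here without a check, presumably safe because the surrounding code already relies on it, but worth confirming for every path that reaches this line. clientProcessRequest starts and ends outside the hunk.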
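Review bot: The comment on the line after the changed condition is now stale: the branch tests `request->flags.no_direct`, which per the client_side.cc hunk of this commit is set only for accelerated requests on a port without allow-direct, yet the comment still reads `/** if we are accelerating, direct is not an option. */`. I would change it to `/** accelerator port without allow-direct: behave as if never_direct matched. */`. The context comment just above it, `/** if always_direct says NO, do that. */` on the never_direct branch, was already wrong before this change and could be corrected in the same pass. peerSelectFoo continues outside the hunk.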
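Review bot: The new `no_direct` bit is added directly above the reminder `// When adding new flags, please update cloneAdaptationImmune() as needed.`, but nothing in this commit touches cloneAdaptationImmune(); if a request cloned there does not carry `no_direct`, the peer_select.cc change in this commit would let the clone be forwarded direct and so bypass the restriction the flag exists to enforce. I cannot verify from here whether that clone path copies the flag, so please confirm it or note why the flag is exempt. The new comment also misspells "overridden": `/* Deny direct forwarding unless overridden by always_direct. Used in accelerator mode */`.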