From: hno <> Date: Wed, 8 Dec 2004 07:24:41 +0000 (+0000) Subject: Feature Request #601: add request_header_access and reply_header_access X-Git-Tag: SQUID_3_0_PRE4~989 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8c01ada0ee4806a4ff0c258aa92b388ee9b052f6;p=thirdparty%2Fsquid.git Feature Request #601: add request_header_access and reply_header_access This splits header_access into request_header_access and reply_header_access --- diff --git a/CONTRIBUTORS b/CONTRIBUTORS index 04b81f048f..c367455f02 100644 --- a/CONTRIBUTORS +++ b/CONTRIBUTORS @@ -90,5 +90,6 @@ and ideas to make this software available. Jerry Murdock Leeann Bent Bruce Murphy + Francis Daly Duane Wessels diff --git a/doc/release-notes/release-3.0.sgml b/doc/release-notes/release-3.0.sgml index abf52e52ba..3c218a3521 100644 --- a/doc/release-notes/release-3.0.sgml +++ b/doc/release-notes/release-3.0.sgml @@ -2,7 +2,7 @@
Squid 3.0 release notes Squid Developers -$Id: release-3.0.sgml,v 1.16 2004/08/14 22:57:48 hno Exp $ +$Id: release-3.0.sgml,v 1.17 2004/12/08 00:24:41 hno Exp $ This document contains the release notes for version 3.0 of Squid. @@ -129,6 +129,7 @@ This fixes two issues: access_logThe access_log directive now optionally includes specifications on what log format to use and acls matching which requests to log. Can be specified multiple times to log different requests to different files. logformatnew directive to define custom log formats httpd_accel_*These directives have been replaced by http(s)_port options and cache_peer based request forwarding. Note that you can no longer run proxy and acceleration mode on the same port. If you previously did this you now need to define two ports, one for acceleration, one for proxying. + header_accessThis directive have been split into request_header_access and reply_header_access directives to allow for better control of what is allowed in reqests vs replies. Known limitations diff --git a/src/HttpHeaderTools.cc b/src/HttpHeaderTools.cc index 920bc47f38..a4daefa14e 100644 --- a/src/HttpHeaderTools.cc +++ b/src/HttpHeaderTools.cc @@ -1,6 +1,6 @@ /* - * $Id: HttpHeaderTools.cc,v 1.45 2003/09/21 00:30:46 robertc Exp $ + * $Id: HttpHeaderTools.cc,v 1.46 2004/12/08 00:24:42 hno Exp $ * * DEBUG: section 66 HTTP Header Tools * AUTHOR: Alex Rousskov @@ -504,7 +504,7 @@ httpHeaderStrCmp(const char *h1, const char *h2, int len) * Returns 1 if the header is allowed. */ static int -httpHdrMangle(HttpHeaderEntry * e, HttpRequest * request) +httpHdrMangle(HttpHeaderEntry * e, HttpRequest * request, int req_or_rep) { int retval; 
@@ -512,7 +512,16 @@ httpHdrMangle(HttpHeaderEntry * e, HttpRequest * request) header_mangler *hm; ACLChecklist *checklist; assert(e); - hm = &Config.header_access[e->id]; + + if (ROR_REQUEST == req_or_rep) { + hm = &Config.request_header_access[e->id]; + } else if (ROR_REPLY == req_or_rep) { + hm = &Config.reply_header_access[e->id]; + } else { + /* error. But let's call it "request". */ + hm = &Config.request_header_access[e->id]; + } + checklist = aclChecklistCreate(hm->access_list, request, NULL); if (1 == checklist->fastCheck()) { @@ -536,12 +545,12 @@ httpHdrMangle(HttpHeaderEntry * e, HttpRequest * request) /* Mangles headers for a list of headers. */ void -httpHdrMangleList(HttpHeader * l, HttpRequest * request) +httpHdrMangleList(HttpHeader * l, HttpRequest * request, int req_or_rep) { HttpHeaderEntry *e; HttpHeaderPos p = HttpHeaderInitPos; while ((e = httpHeaderGetEntry(l, &p))) - if (0 == httpHdrMangle(e, request)) + if (0 == httpHdrMangle(e, request, req_or_rep)) httpHeaderDelAt(l, p); } diff --git a/src/cf.data.pre b/src/cf.data.pre index 766811d516..467f12cd85 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre @@ -1,6 +1,6 @@ # -# $Id: cf.data.pre,v 1.362 2004/11/06 22:20:47 hno Exp $ +# $Id: cf.data.pre,v 1.363 2004/12/08 00:24:42 hno Exp $ # # # SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -3501,13 +3501,13 @@ DOC_START and firewall_ip. DOC_END -NAME: header_access +NAME: request_header_access IFDEF: HTTP_VIOLATIONS TYPE: http_header_access[] -LOC: Config.header_access +LOC: Config.request_header_access DEFAULT: none DOC_START - Usage: header_access header_name allow|deny [!]aclname ... + Usage: request_header_access header_name allow|deny [!]aclname ... WARNING: Doing this VIOLATES the HTTP standard. Enabling this feature could make you liable for problems which it 
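Review bot: The final `else` branch in httpHdrMangle silently treats any unexpected `req_or_rep` value as a request (`/* error. But let's call it "request". */`), so a caller that passes the wrong selector would have the request ACL policy applied to reply headers (or vice versa) with no diagnostic, which is exactly the kind of policy mix-up header mangling exists to prevent. Since the function already uses `assert(e)`, the selector should be validated the same way rather than defaulted: `assert(ROR_REQUEST == req_or_rep || ROR_REPLY == req_or_rep);` followed by `hm = (ROR_REPLY == req_or_rep) ? &Config.reply_header_access[e->id] : &Config.request_header_access[e->id];`. The root cause is that the selector is a bare `int` (signature hunk at -504 above, the httpHdrMangleList hunk at -536, and the protos.h prototype); giving the new `enum { ROR_REQUEST, ROR_REPLY }` in enums.h a tag and using that type for the parameter would let the compiler catch a stray integer at the call sites. The body of httpHdrMangle continues past the end of this hunk.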
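Review bot: Renaming the directive `header_access` to `request_header_access` in the NAME/LOC/Usage lines leaves no alias for the old name, so an existing squid.conf that still uses `header_access` no longer loads those rules; whether the parser rejects the unknown directive or only warns is not visible in this diff, but in either case an operator's anonymization policy is dropped until the configuration is edited. Consider keeping `header_access` as a deprecated alias that maps onto request_header_access (with a warning pointing at the new names), so an upgrade cannot silently remove header filtering. The release-notes entry this commit adds documents the split, but the configuration parser is where the operator actually hits it.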
@@ -3519,6 +3519,9 @@ DOC_START for each header, allowing you very fine-tuned header mangling. + This option only applies to request headers, i.e., from the + client to the server. + You can only specify known headers for the header name. Other headers are reclassified as 'Other'. You can also refer to all the headers with 'All'. 
@@ -3526,41 +3529,118 @@ DOC_START For example, to achieve the same behaviour as the old 'http_anonymizer standard' option, you should use: - header_access From deny all - header_access Referer deny all - header_access Server deny all - header_access User-Agent deny all - header_access WWW-Authenticate deny all - header_access Link deny all + request_header_access From deny all + request_header_access Referer deny all + request_header_access Server deny all + request_header_access User-Agent deny all + request_header_access WWW-Authenticate deny all + request_header_access Link deny all Or, to reproduce the old 'http_anonymizer paranoid' feature you should use: - header_access Allow allow all - header_access Authorization allow all - header_access WWW-Authenticate allow all - header_access Cache-Control allow all - header_access Content-Encoding allow all - header_access Content-Length allow all - header_access Content-Type allow all - header_access Date allow all - header_access Expires allow all - header_access Host allow all - header_access If-Modified-Since allow all - header_access Last-Modified allow all - header_access Location allow all - header_access Pragma allow all - header_access Accept allow all - header_access Accept-Charset allow all - header_access Accept-Encoding allow all - header_access Accept-Language allow all - header_access Content-Language allow all - header_access Mime-Version allow all - header_access Retry-After allow all - header_access Title allow all - header_access Connection allow all - header_access Proxy-Connection allow all - header_access All deny all + request_header_access Allow allow all + request_header_access Authorization allow all + request_header_access WWW-Authenticate allow all + request_header_access Cache-Control allow all + request_header_access Content-Encoding allow all + request_header_access Content-Length allow all + request_header_access Content-Type allow all + request_header_access Date allow all + 
request_header_access Expires allow all + request_header_access Host allow all + request_header_access If-Modified-Since allow all + request_header_access Last-Modified allow all + request_header_access Location allow all + request_header_access Pragma allow all + request_header_access Accept allow all + request_header_access Accept-Charset allow all + request_header_access Accept-Encoding allow all + request_header_access Accept-Language allow all + request_header_access Content-Language allow all + request_header_access Mime-Version allow all + request_header_access Retry-After allow all + request_header_access Title allow all + request_header_access Connection allow all + request_header_access Proxy-Connection allow all + request_header_access All deny all + + although many of those are HTTP reply headers, and so should be + controlled with the reply_header_access directive. + + By default, all headers are allowed (no anonymizing is + performed). +DOC_END + +NAME: reply_header_access +IFDEF: HTTP_VIOLATIONS +TYPE: http_header_access[] +LOC: Config.reply_header_access +DEFAULT: none +DOC_START + Usage: reply_header_access header_name allow|deny [!]aclname ... + + WARNING: Doing this VIOLATES the HTTP standard. Enabling + this feature could make you liable for problems which it + causes. + + This option only applies to reply headers, i.e., from the + server to the client. + + This is the same as request_header_access, but in the other + direction. + + This option replaces the old 'anonymize_headers' and the + older 'http_anonymizer' option with something that is much + more configurable. This new method creates a list of ACLs + for each header, allowing you very fine-tuned header + mangling. + + You can only specify known headers for the header name. + Other headers are reclassified as 'Other'. You can also + refer to all the headers with 'All'. 
+ + For example, to achieve the same behaviour as the old + 'http_anonymizer standard' option, you should use: + + reply_header_access From deny all + reply_header_access Referer deny all + reply_header_access Server deny all + reply_header_access User-Agent deny all + reply_header_access WWW-Authenticate deny all + reply_header_access Link deny all + + Or, to reproduce the old 'http_anonymizer paranoid' feature + you should use: + + reply_header_access Allow allow all + reply_header_access Authorization allow all + reply_header_access WWW-Authenticate allow all + reply_header_access Cache-Control allow all + reply_header_access Content-Encoding allow all + reply_header_access Content-Length allow all + reply_header_access Content-Type allow all + reply_header_access Date allow all + reply_header_access Expires allow all + reply_header_access Host allow all + reply_header_access If-Modified-Since allow all + reply_header_access Last-Modified allow all + reply_header_access Location allow all + reply_header_access Pragma allow all + reply_header_access Accept allow all + reply_header_access Accept-Charset allow all + reply_header_access Accept-Encoding allow all + reply_header_access Accept-Language allow all + reply_header_access Content-Language allow all + reply_header_access Mime-Version allow all + reply_header_access Retry-After allow all + reply_header_access Title allow all + reply_header_access Connection allow all + reply_header_access Proxy-Connection allow all + reply_header_access All deny all + + although the HTTP request headers won't be usefully controlled + by this directive -- see request_header_access for details. By default, all headers are allowed (no anonymizing is performed). @@ -3569,7 +3649,7 @@ DOC_END NAME: header_replace IFDEF: HTTP_VIOLATIONS TYPE: http_header_replace[] -LOC: Config.header_access +LOC: Config.request_header_access DEFAULT: none DOC_START Usage: header_replace header_name message 
@@ -3580,6 +3660,8 @@ DOC_START some fixed string. This replaces the old fake_user_agent option. + This only applies to request headers, not reply headers. + By default, headers are removed if denied. DOC_END diff --git a/src/client_side_reply.cc b/src/client_side_reply.cc index 2ce6e16ef7..bbb30517d3 100644 --- a/src/client_side_reply.cc +++ b/src/client_side_reply.cc @@ -1,6 +1,6 @@ /* - * $Id: client_side_reply.cc,v 1.74 2004/10/18 12:20:09 hno Exp $ + * $Id: client_side_reply.cc,v 1.75 2004/12/08 00:24:42 hno Exp $ * * DEBUG: section 88 Client-side Reply Routines * AUTHOR: Robert Collins (Originally Duane Wessels in client_side.c) @@ -1434,7 +1434,7 @@ clientReplyContext::buildReplyHeader() #endif - httpHdrMangleList(hdr, request); + httpHdrMangleList(hdr, request, ROR_REPLY); } diff --git a/src/enums.h b/src/enums.h index dca54067c2..ed2132d7d7 100644 --- a/src/enums.h +++ b/src/enums.h @@ -1,6 +1,6 @@ /* - * $Id: enums.h,v 1.235 2004/08/30 03:28:59 robertc Exp $ + * $Id: enums.h,v 1.236 2004/12/08 00:24:42 hno Exp $ * * * SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -702,6 +702,12 @@ typedef enum { COMM_ERR_CLOSING = -9 } comm_err_t; +/* Distinguish between Request and Reply (for header mangling) */ +enum { + ROR_REQUEST, + ROR_REPLY +}; + /* CygWin & Windows NT Port */ #ifdef _SQUID_WIN32_ diff --git a/src/http.cc b/src/http.cc index a0f773325e..8b6b9a7f84 100644 --- a/src/http.cc +++ b/src/http.cc @@ -1,6 +1,6 @@ /* - * $Id: http.cc,v 1.435 2004/11/16 23:11:46 wessels Exp $ + * $Id: http.cc,v 1.436 2004/12/08 00:24:42 hno Exp $ * * DEBUG: section 11 Hypertext Transfer Protocol (HTTP) * AUTHOR: Harvest Derived @@ -1401,7 +1401,7 @@ httpBuildRequestHeader(HttpRequest * request, } /* Now mangle the headers. */ - httpHdrMangleList(hdr_out, request); + httpHdrMangleList(hdr_out, request, ROR_REQUEST); strConnection.clean(); } diff --git a/src/protos.h b/src/protos.h index ddc964f18c..5a645f47dd 100644 --- a/src/protos.h +++ b/src/protos.h 
@@ -1,6 +1,6 @@ /* - * $Id: protos.h,v 1.498 2004/11/07 13:58:30 hno Exp $ + * $Id: protos.h,v 1.499 2004/12/08 00:24:42 hno Exp $ * * * SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -432,7 +432,7 @@ SQUIDCEXTERN HttpHeaderEntry *httpHeaderEntryClone(const HttpHeaderEntry * e); SQUIDCEXTERN void httpHeaderEntryPackInto(const HttpHeaderEntry * e, Packer * p); /* store report about current header usage and other stats */ SQUIDCEXTERN void httpHeaderStoreReport(StoreEntry * e); -SQUIDCEXTERN void httpHdrMangleList(HttpHeader *, HttpRequest *); +SQUIDCEXTERN void httpHdrMangleList(HttpHeader *, HttpRequest *, int req_or_rep); /* Http Msg (currently in HttpReply.c @?@ ) */ SQUIDCEXTERN int httpMsgIsolateHeaders(const char **parse_start, const char **blk_start, const char **blk_end); diff --git a/src/structs.h b/src/structs.h index 4b8ab0882c..18ec6a27b5 100644 --- a/src/structs.h +++ b/src/structs.h @@ -1,6 +1,6 @@ /* - * $Id: structs.h,v 1.495 2004/11/07 23:29:50 hno Exp $ + * $Id: structs.h,v 1.496 2004/12/08 00:24:42 hno Exp $ * * * SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -674,7 +674,8 @@ struct _SquidConfig mcast_miss; #endif - header_mangler header_access[HDR_ENUM_END]; + header_mangler request_header_access[HDR_ENUM_END]; + header_mangler reply_header_access[HDR_ENUM_END]; char *coredump_dir; char *chroot_dir; #if USE_CACHE_DIGESTS
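Review bot: The new `reply_header_access[HDR_ENUM_END]` array in `_SquidConfig` carries its own `access_list` pointers per entry, yet this diff only shows the generated-parser side (the LOC lines in cf.data.pre); it does not show whether any hand-written code that resets or releases the old `header_access` array on reconfigure exists and was extended to the reply array. If the free/dump functions are driven purely by the cf.data.pre LOC entries this is already covered, but it is worth confirming that nothing else in the tree references `Config.header_access` by name, since a surviving reference fails to compile and a hand-written cleanup loop that was not duplicated would leak the reply ACL lists across reconfigures. A short comment on the two fields, such as `/* per-header ACL policy for client->server and server->client headers respectively; see request_header_access / reply_header_access */`, would also tell the next reader that the arrays are indexed by the same header id and selected by the ROR_* value passed to httpHdrMangleList.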