From: Christos Tsantilas
Date: Fri, 6 May 2011 09:10:34 +0000 (+0300)
Subject: Bug 3209: ssl-bumped requests forwarded unencrypted to the parent proxies/caches
X-Git-Tag: take07~16^2~35
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b68415a1d7d08d3845db1bfe206d18704c00e663;p=thirdparty%2Fsquid.git

Bug 3209: ssl-bumped requests forwarded unencrypted to the parent proxies/caches

This patch block all ssl-bumped requests which does not forwarded directly to origin servers. A new flag added to the requests_flags to mark http requests which are ssl-bumped
---

diff --git a/src/client_side.cc b/src/client_side.cc
index 755ac29709..6b79f81e9f 100644
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -2501,6 +2501,7 @@ clientProcessRequest(ConnStateData *conn, HttpParser *hp, ClientSocketContext *c
 }
 request->flags.accelerated = http->flags.accel;
+ request->flags.sslBumped = conn->switchedToHttps();
 request->flags.ignore_cc = conn->port->ignore_cc;
 request->flags.no_direct = request->flags.accelerated ? !conn->port->allow_direct : 0;
diff --git a/src/forward.cc b/src/forward.cc
index 0c1d27c1a2..2ae2843c1b 100644
--- a/src/forward.cc
+++ b/src/forward.cc
@@ -828,6 +828,13 @@ FwdState::connectStart()
 if (ftimeout < ctimeout) ctimeout = ftimeout;
+ if (fs->_peer && request->flags.sslBumped == true) {
+ debugs(50, 4, "fwdConnectStart: Ssl bumped connections through parrent proxy are not allowed");
+ ErrorState *anErr = errorCon(ERR_CANNOT_FORWARD, HTTP_SERVICE_UNAVAILABLE, request);
+ fail(anErr);
+ self = NULL; // refcounted
+ return;
+ }
 request->flags.pinned = 0;
 if (fs->code == PINNED) {
diff --git a/src/structs.h b/src/structs.h
index c99508fa86..49cf40bf43 100644
--- a/src/structs.h
+++ b/src/structs.h
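Review bot: The guard added to FwdState::connectStart() fails the whole request with ERR_CANNOT_FORWARD once a cache peer has already been selected, rather than steering the bumped request away from peers; if the request is also barred from going direct (the `no_direct` flag set in clientProcessRequest, or a `never_direct` rule), it has no usable path and always ends in a 503. Filtering peers out during peer selection would let DIRECT be chosen instead; until then the trade-off deserves a comment on the new `if`, e.g. `// bumped traffic must never leave in the clear via a peer; failing here is deliberate, there is no peer fallback`. `request->flags.sslBumped == true` compares a one-bit field with `true`; the idiom is `if (fs->_peer && request->flags.sslBumped) {`, and the debugs text misspells parent (`"... through parent proxy are not allowed"`). The rest of connectStart() lies outside the hunk.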
@@ -1011,7 +1011,7 @@ struct _iostats {
 struct request_flags {
- request_flags(): range(0),nocache(0),ims(0),auth(0),cachable(0),hierarchical(0),loopdetect(0),proxy_keepalive(0),proxying(0),refresh(0),redirected(0),need_validation(0),fail_on_validation_err(0),stale_if_hit(0),accelerated(0),ignore_cc(0),intercepted(0),spoof_client_ip(0),internal(0),internalclient(0),must_keepalive(0),chunked_reply(0),stream_error(0),destinationIPLookedUp_(0) {
+request_flags(): range(0),nocache(0),ims(0),auth(0),cachable(0),hierarchical(0),loopdetect(0),proxy_keepalive(0),proxying(0),refresh(0),redirected(0),need_validation(0),fail_on_validation_err(0),stale_if_hit(0),accelerated(0),ignore_cc(0),intercepted(0),spoof_client_ip(0),internal(0),internalclient(0),must_keepalive(0),chunked_reply(0),stream_error(0),sslBumped(0),destinationIPLookedUp_(0) {
 #if USE_HTTP_VIOLATIONS
 nocache_hack = 0;
 #endif
@@ -1053,6 +1053,7 @@ unsigned int proxying:
 unsigned int no_direct:1; /* Deny direct forwarding unless overriden by always_direct. Used in accelerator mode */
 unsigned int chunked_reply:1; /**< Reply with chunked transfer encoding */
 unsigned int stream_error:1; /**< Whether stream error has occured */
+ unsigned int sslBumped:1; /**< ssl-bumped request*/
 // When adding new flags, please update cloneAdaptationImmune() as needed.
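Review bot: The new `sslBumped` bit is not visibly carried into cloneAdaptationImmune(), although the comment closing the second hunk asks for exactly that review whenever a flag is added; if an adapted or rewritten request is cloned without the bit, the check in FwdState::connectStart() no longer applies to it and it could be sent to a peer, so either propagate the bit there or state in the comment why it is intentionally not cloned. The field's doc comment should also say what the bit is for and who consumes it: `unsigned int sslBumped:1; /**< request came over an SSL-bumped client connection; must not be forwarded via a cache peer (see FwdState::connectStart) */`. The struct definition continues outside both hunks.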