From: Francesco Chemolli
Date: Mon, 4 Feb 2013 09:47:50 +0000 (+0100)
Subject: Implemented TrafficMode::isIntercepted()
X-Git-Tag: SQUID_3_4_0_1~312^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c3d244900c9cfe30cc75675279d126bb4569e26f;p=thirdparty%2Fsquid.git
Implemented TrafficMode::isIntercepted()
---
diff --git a/src/anyp/TrafficMode.h b/src/anyp/TrafficMode.h
index a57855d386..e843541fe6 100644
--- a/src/anyp/TrafficMode.h
+++ b/src/anyp/TrafficMode.h
@@ -58,6 +58,11 @@ public:
* - peer relay prohibited. TODO: re-encrypt and re-wrap with CONNECT
*/
bool tunnelSslBumping;
+
+ /** true if the traffic is in any way intercepted
+ *
+ */
+ bool isIntercepted() { return natIntercept||tproxyIntercept ;}
};
} // namespace AnyP
diff --git a/src/cache_cf.cc b/src/cache_cf.cc
index 242bf1061f..931145f42b 100644
--- a/src/cache_cf.cc
+++ b/src/cache_cf.cc
@@ -3556,7 +3556,7 @@ parse_port_option(AnyP::PortCfg * s, char *token)
/* modes first */
if (strcmp(token, "accel") == 0) {
- if (s->flags.natIntercept || s->flags.tproxyIntercept) {
+ if (s->flags.isIntercepted()) {
debugs(3, DBG_CRITICAL, "FATAL: http(s)_port: Accelerator mode requires its own port. It cannot be shared with other modes.");
self_destruct();
}
@@ -3646,7 +3646,7 @@ parse_port_option(AnyP::PortCfg * s, char *token)
} else if (strcmp(token, "ignore-cc") == 0) {
#if !USE_HTTP_VIOLATIONS
if (!s->flags.accelSurrogate) {
- debugs(3, DBG_CRITICAL, "FATAL: http(s)_port: ignore-cc option requires Scceleration mode flag.");
+ debugs(3, DBG_CRITICAL, "FATAL: http(s)_port: ignore-cc option requires Acceleration mode flag.");
self_destruct();
}
#endif
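Review bot: `isIntercepted()` in the TrafficMode.h hunk is a pure predicate but is not declared `const`, so it cannot be called through a `const AnyP::PortCfg *` or a `const TrafficMode &`; every call site this commit adds (cache_cf.cc, client_side.cc, forward.cc, tools.cc) reaches `flags` through a non-const pointer, so it compiles today, but the first const-correct caller will not. Since this helper is now the single place deciding whether a port is intercepting — it gates accel-mode exclusivity, the ssl-bump-on-https_port requirement, CN selection for bumped connections and the port skipping in getMyPort — it should read `bool isIntercepted() const { return natIntercept || tproxyIntercept; }`. The Doxygen block above it carries an empty `*` line; `/// true when traffic reaches this port via NAT or TPROXY interception (natIntercept || tproxyIntercept)` says the same in one line and makes explicit which flags count as "intercepted", so any future interception mode is added here rather than at a call site. The enclosing class starts before the hunk.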
@@ -3697,9 +3697,9 @@ parse_port_option(AnyP::PortCfg * s, char *token)
} else if (strcasecmp(token, "sslBump") == 0) {
debugs(3, DBG_CRITICAL, "WARNING: '" << token << "' is deprecated " << "in http_port. Use 'ssl-bump' instead.");
- s->flags.tunnelSslBumping = true; // accelerated when bumped, otherwise not
+ s->flags.tunnelSslBumping = true;
} else if (strcmp(token, "ssl-bump") == 0) {
- s->flags.tunnelSslBumping = true; // accelerated when bumped, otherwise not
+ s->flags.tunnelSslBumping = true;
} else if (strncmp(token, "cert=", 5) == 0) {
safe_free(s->cert);
s->cert = xstrdup(token + 5);
@@ -3796,7 +3796,7 @@ parsePortCfg(AnyP::PortCfg ** head, const char *optionName)
#if USE_SSL
if (strcasecmp(protocol, "https") == 0) {
/* ssl-bump on https_port configuration requires either tproxy or intercept, and vice versa */
- const bool hijacked = s->flags.tproxyIntercept || s->flags.natIntercept;
+ const bool hijacked = s->flags.isIntercepted();
if (s->flags.tunnelSslBumping && !hijacked) {
debugs(3, DBG_CRITICAL, "FATAL: ssl-bump on https_port requires tproxy/intercept which is missing.");
self_destruct();
diff --git a/src/client_side.cc b/src/client_side.cc
index 5872944689..93d0143253 100644
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -3965,7 +3965,7 @@ ConnStateData::httpsPeeked(Comm::ConnectionPointer serverConnection)
debugs(33, 5, HERE << "Error while bumping: " << sslConnectHostOrIp);
Ip::Address intendedDest;
intendedDest = sslConnectHostOrIp.termedBuf();
- const bool isConnectRequest = !port->flags.tproxyIntercept && !port->flags.natIntercept;
+ const bool isConnectRequest = !port->flags.isIntercepted();
// Squid serves its own error page and closes, so we want
// a CN that causes no additional browser errors. Possible
diff --git a/src/forward.cc b/src/forward.cc
index e7ddba8b45..caf14dbbac 100644
--- a/src/forward.cc
+++ b/src/forward.cc
@@ -716,8 +716,7 @@ FwdState::negotiateSSL(int fd)
// For intercepted connections, set the host name to the server
// certificate CN. Otherwise, we just hope that CONNECT is using
// a user-entered address (a host name or a user-entered IP).
- const bool isConnectRequest = !request->clientConnectionManager->port->flags.tproxyIntercept &&
- !request->clientConnectionManager->port->flags.natIntercept;
+ const bool isConnectRequest = !request->clientConnectionManager->port->flags.isIntercepted();
if (request->flags.sslPeek && !isConnectRequest) {
if (X509 *srvX509 = errDetails->peerCert()) {
if (const char *name = Ssl::CommonHostName(srvX509)) {
@@ -963,8 +962,7 @@ FwdState::initiateSSL()
// unless it was the CONNECT request with a user-typed address.
const char *hostname = request->GetHost();
const bool hostnameIsIp = request->GetHostIsNumeric();
- const bool isConnectRequest = !request->clientConnectionManager->port->flags.tproxyIntercept &&
- !request->clientConnectionManager->port->flags.natIntercept;
+ const bool isConnectRequest = !request->clientConnectionManager->port->flags.isIntercepted();
if (!request->flags.sslPeek || isConnectRequest)
SSL_set_ex_data(ssl, ssl_ex_index_server, (void*)hostname);
diff --git a/src/tools.cc b/src/tools.cc
index 7311975b73..069caef741 100644
--- a/src/tools.cc
+++ b/src/tools.cc
@@ -1209,7 +1209,7 @@ getMyPort(void)
AnyP::PortCfg *p = NULL;
if ((p = Config.Sockaddr.http)) {
// skip any special interception ports
- while (p && (p->flags.natIntercept || p->flags.tproxyIntercept))
+ while (p && p->flags.isIntercepted())
p = p->next;
if (p)
return p->s.GetPort();
@@ -1218,7 +1218,7 @@ getMyPort(void)
#if USE_SSL
if ((p = Config.Sockaddr.https)) {
// skip any special interception ports
- while (p && (p->flags.natIntercept || p->flags.tproxyIntercept))
+ while (p && p->flags.isIntercepted())
p = p->next;
if (p)
return p->s.GetPort();