From: Amos Jeffries Date: Thu, 22 Apr 2010 09:15:02 +0000 (+1200) Subject: Clarify http_port mode options and enhance config validation. X-Git-Tag: SQUID_3_2_0_1~279 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c7b1dd5d377a3cd748cf48dde9cfa12e1fb5f3df;p=thirdparty%2Fsquid.git Clarify http_port mode options and enhance config validation. This makes some changes to the config validation of http_port lines and documentation of http_port. It alters documentation to call accel, tproxy, intercept, and sslbump options "mode flags" since they determine the overall code paths which traffic received is handled by. The http_port syntax docs are updated to show that mode flags must go first before any options. This is not strictly true, since the mode flag only must go before mode-specific options. But its clearer to explain the syntax docs like this. Both mode and options remain completely optional (except that some options require certain modes as before). The parser is updated to validate that only one of the mode flags is used. Attempts to mix them will result in a fatal error. Attempts to use any of the mode-specific options without the correct mode being enabled first will result in a fatal message. As a side-effect of this the implicit enabling of accel on several of its options has been dropped. Explicit use as mode flag is preferred (and required) instead for clear reading of the config. Implications for older configs are that the http_port may fail a parse check until some basic re-ordering of options or splitting of http_port into multiple entries is done. Hopefully the messages emitted on failure are clear enough for people to follow easily. --- diff --git a/src/cache_cf.cc b/src/cache_cf.cc index 5adeae4db3..9ae9b94544 100644 --- a/src/cache_cf.cc +++ b/src/cache_cf.cc @@ -3001,37 +3001,97 @@ parse_http_port_specification(http_port_list * s, char *token) static void parse_http_port_option(http_port_list * s, char *token) { - if (strncmp(token, "defaultsite=", 12) == 0) { + /* modes first */ + + if (strcmp(token, "accel") == 0) { + if (s->intercepted || s->spoof_client_ip) { + debugs(3, DBG_CRITICAL, "FATAL: http(s)_port: Accelerator mode requires its own port. It cannot be shared with other modes."); + self_destruct(); + } + s->accel = 1; + } else if (strcmp(token, "transparent") == 0 || strcmp(token, "intercept") == 0) { + if (s->accel || s->spoof_client_ip) { + debugs(3, DBG_CRITICAL, "FATAL: http(s)_port: Intercept mode requires its own interception port. It cannot be shared with other modes."); + self_destruct(); + } + s->intercepted = 1; + Ip::Interceptor.StartInterception(); + /* Log information regarding the port modes under interception. */ + debugs(3, DBG_IMPORTANT, "Starting Authentication on port " << s->s); + debugs(3, DBG_IMPORTANT, "Disabling Authentication on port " << s->s << " (interception enabled)"); + +#if USE_IPV6 + /* INET6: until transparent REDIRECT works on IPv6 SOCKET, force wildcard to IPv4 */ + debugs(3, DBG_IMPORTANT, "Disabling IPv6 on port " << s->s << " (interception enabled)"); + if ( !s->s.SetIPv4() ) { + debugs(3, DBG_CRITICAL, "FATAL: http(s)_port: IPv6 addresses cannot be transparent (protocol does not provide NAT)" << s->s ); + self_destruct(); + } +#endif + } else if (strcmp(token, "tproxy") == 0) { + if (s->intercepted || s->accel) { + debugs(3,DBG_CRITICAL, "FATAL: http(s)_port: TPROXY option requires its own interception port. It cannot be shared with other modes."); + self_destruct(); + } + s->spoof_client_ip = 1; + Ip::Interceptor.StartTransparency(); + /* Log information regarding the port modes under transparency. */ + debugs(3, DBG_IMPORTANT, "Starting IP Spoofing on port " << s->s); + debugs(3, DBG_IMPORTANT, "Disabling Authentication on port " << s->s << " (IP spoofing enabled)"); + + if (!Ip::Interceptor.ProbeForTproxy(s->s)) { + debugs(3, DBG_CRITICAL, "FATAL: http(s)_port: TPROXY support in the system does not work."); + self_destruct(); + } + + } else if (strncmp(token, "defaultsite=", 12) == 0) { + if (!s->accel) { + debugs(3, DBG_CRITICAL, "FATAL: http(s)_port: defaultsite option requires Acceleration mode flag."); + self_destruct(); + } safe_free(s->defaultsite); s->defaultsite = xstrdup(token + 12); - s->accel = 1; - } else if (strncmp(token, "name=", 5) == 0) { - safe_free(s->name); - s->name = xstrdup(token + 5); } else if (strcmp(token, "vhost") == 0) { + if (!s->accel) { + debugs(3, DBG_CRITICAL, "FATAL: http(s)_port: vhost option requires Acceleration mode flag."); + self_destruct(); + } s->vhost = 1; - s->accel = 1; } else if (strcmp(token, "vport") == 0) { + if (!s->accel) { + debugs(3, DBG_CRITICAL, "FATAL: http(s)_port: vport option requires Acceleration mode flag."); + self_destruct(); + } s->vport = -1; - s->accel = 1; } else if (strncmp(token, "vport=", 6) == 0) { + if (!s->accel) { + debugs(3, DBG_CRITICAL, "FATAL: http(s)_port: vport option requires Acceleration mode flag."); + self_destruct(); + } s->vport = xatos(token + 6); - s->accel = 1; } else if (strncmp(token, "protocol=", 9) == 0) { + if (!s->accel) { + debugs(3, DBG_CRITICAL, "FATAL: http(s)_port: protocol option requires Acceleration mode flag."); + self_destruct(); + } s->protocol = xstrdup(token + 9); - s->accel = 1; - } else if (strcmp(token, "accel") == 0) { - s->accel = 1; } else if (strcmp(token, "allow-direct") == 0) { + if (!s->accel) { + debugs(3, DBG_CRITICAL, "FATAL: http(s)_port: vport option requires Acceleration mode flag."); + self_destruct(); + } s->allow_direct = 1; } else if (strcmp(token, "ignore-cc") == 0) { - s->ignore_cc = 1; #if !HTTP_VIOLATIONS if (!s->accel) { - debugs(3, DBG_CRITICAL, "FATAL: ignore-cc is only valid in accelerator mode"); + debugs(3, DBG_CRITICAL, "FATAL: http(s)_port: ignore-cc option requires Scceleration mode flag."); self_destruct(); } #endif + s->ignore_cc = 1; + } else if (strncmp(token, "name=", 5) == 0) { + safe_free(s->name); + s->name = xstrdup(token + 5); } else if (strcmp(token, "no-connection-auth") == 0) { s->connection_auth_disabled = true; } else if (strcmp(token, "connection-auth=off") == 0) { @@ -3049,42 +3109,10 @@ parse_http_port_option(http_port_list * s, char *token) s->disable_pmtu_discovery = DISABLE_PMTU_ALWAYS; else self_destruct(); - - } else if (strcmp(token, "transparent") == 0 || strcmp(token, "intercept") == 0) { - s->intercepted = 1; - Ip::Interceptor.StartInterception(); - /* Log information regarding the port modes under interception. */ - debugs(3, DBG_IMPORTANT, "Starting Authentication on port " << s->s); - debugs(3, DBG_IMPORTANT, "Disabling Authentication on port " << s->s << " (interception enabled)"); - -#if USE_IPV6 - /* INET6: until transparent REDIRECT works on IPv6 SOCKET, force wildcard to IPv4 */ - debugs(3, DBG_IMPORTANT, "Disabling IPv6 on port " << s->s << " (interception enabled)"); - if ( !s->s.SetIPv4() ) { - debugs(3, DBG_CRITICAL, "http(s)_port: IPv6 addresses cannot be transparent (protocol does not provide NAT)" << s->s ); - self_destruct(); - } -#endif - } else if (strcmp(token, "tproxy") == 0) { - if (s->intercepted || s->accel) { - debugs(3,DBG_CRITICAL, "http(s)_port: TPROXY option requires its own interception port. It cannot be shared."); - self_destruct(); - } - s->spoof_client_ip = 1; - Ip::Interceptor.StartTransparency(); - /* Log information regarding the port modes under transparency. */ - debugs(3, DBG_IMPORTANT, "Starting IP Spoofing on port " << s->s); - debugs(3, DBG_IMPORTANT, "Disabling Authentication on port " << s->s << " (IP spoofing enabled)"); - - if (!Ip::Interceptor.ProbeForTproxy(s->s)) { - debugs(3, DBG_CRITICAL, "FATAL: http(s)_port: TPROXY support in the system does not work."); - self_destruct(); - } - } else if (strcmp(token, "ipv4") == 0) { #if USE_IPV6 if ( !s->s.SetIPv4() ) { - debugs(3, 0, "http(s)_port: IPv6 addresses cannot be used a IPv4-Only." << s->s ); + debugs(3, DBG_CRITICAL, "FATAL: http(s)_port: IPv6 addresses cannot be used a IPv4-Only." << s->s ); self_destruct(); } #endif @@ -3106,6 +3134,10 @@ parse_http_port_option(http_port_list * s, char *token) t = strchr(t, ','); } #if USE_SSL + } else if (strcmp(token, "sslBump") == 0) { + s->sslBump = 1; // accelerated when bumped, otherwise not + } else if (strcmp(token, "ssl") == 0) { + s->ssl = 1; } else if (strncmp(token, "cert=", 5) == 0) { safe_free(s->cert); s->cert = xstrdup(token + 5); @@ -3114,7 +3146,6 @@ parse_http_port_option(http_port_list * s, char *token) s->key = xstrdup(token + 4); } else if (strncmp(token, "version=", 8) == 0) { s->version = xatoi(token + 8); - if (s->version < 1 || s->version > 4) self_destruct(); } else if (strncmp(token, "options=", 8) == 0) { @@ -3144,17 +3175,10 @@ parse_http_port_option(http_port_list * s, char *token) } else if (strncmp(token, "sslcontext=", 11) == 0) { safe_free(s->sslcontext); s->sslcontext = xstrdup(token + 11); - } else if (strcmp(token, "sslBump") == 0) { - s->sslBump = 1; // accelerated when bumped, otherwise not #endif } else { self_destruct(); } - - if ( s->spoof_client_ip && (s->intercepted || s->accel) ) { - debugs(3,DBG_CRITICAL, "http(s)_port: TPROXY option requires its own interception port. It cannot be shared."); - self_destruct(); - } } static http_port_list * @@ -3268,18 +3292,24 @@ dump_generic_http_port(StoreEntry * e, const char *n, const http_port_list * s) n, s->s.ToURL(buf,MAX_IPSTRLEN)); - if (s->defaultsite) - storeAppendPrintf(e, " defaultsite=%s", s->defaultsite); - if (s->intercepted) storeAppendPrintf(e, " intercept"); + if (s->spoof_client_ip) + storeAppendPrintf(e, " tproxy"); + + if (s->accel) + storeAppendPrintf(e, " accel"); + if (s->vhost) storeAppendPrintf(e, " vhost"); if (s->vport) storeAppendPrintf(e, " vport"); + if (s->defaultsite) + storeAppendPrintf(e, " defaultsite=%s", s->defaultsite); + if (s->connection_auth_disabled) storeAppendPrintf(e, " connection-auth=off"); else @@ -3305,6 +3335,9 @@ dump_generic_http_port(StoreEntry * e, const char *n, const http_port_list * s) } #if USE_SSL + if (s->sslBump) + storeAppendPrintf(e, " sslBump"); + if (s->cert) storeAppendPrintf(e, " cert=%s", s->cert); @@ -3337,9 +3370,6 @@ dump_generic_http_port(StoreEntry * e, const char *n, const http_port_list * s) if (s->sslcontext) storeAppendPrintf(e, " sslcontext=%s", s->sslcontext); - - if (s->sslBump) - storeAppendPrintf(e, " sslBump"); #endif } diff --git a/src/cf.data.pre b/src/cf.data.pre index 61b6a856fd..59934e034d 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre @@ -1133,17 +1133,16 @@ TYPE: http_port_list DEFAULT: none LOC: Config.Sockaddr.http DOC_START - Usage: port [options] - hostname:port [options] - 1.2.3.4:port [options] + Usage: port [mode] [options] + hostname:port [mode] [options] + 1.2.3.4:port [mode] [options] The socket addresses where Squid will listen for HTTP client requests. You may specify multiple socket addresses. There are three forms: port alone, hostname with port, and IP address with port. If you specify a hostname or IP address, Squid binds the socket to that specific - address. This replaces the old 'tcp_incoming_address' - option. Most likely, you do not need to bind to a specific + address. Most likely, you do not need to bind to a specific address, so you can use the port number alone. If you are running Squid in accelerator mode, you @@ -1155,7 +1154,7 @@ DOC_START You may specify multiple socket addresses on multiple lines. - Options: + Modes: intercept Support for IP-Layer interception of outgoing requests without browser settings. @@ -1168,6 +1167,20 @@ DOC_START accel Accelerator mode. Also needs at least one of vhost / vport / defaultsite. + sslbump Intercept each CONNECT request matching ssl_bump ACL, + establish secure connection with the client and with + the server, decrypt HTTP messages as they pass through + Squid, and treat them as unencrypted HTTP messages, + becoming the man-in-the-middle. + + The ssl_bump option is required to fully enable + the SslBump feature. + + Omitting the mode flag causes default forward proxy mode to be used. + + + Accelerator Mode Options: + allow-direct Allow direct forwarding in accelerator mode. Normally accelerated requests are denied direct forwarding as if never_direct was used. @@ -1178,23 +1191,91 @@ DOC_START accelerators should consider the default. Implies accel. - vhost Accelerator mode using Host header for virtual - domain support. Implies accel. + vhost Using the Host header for virtual domain support. + Also uses the port as specified in Host: header. - vport Accelerator with IP based virtual host support. - Implies accel. + vport IP based virtual host support. Using the http_port number + in passed on Host: headers. - vport=NN As above, but uses specified port number rather - than the http_port number. Implies accel. + vport=NN Uses the specified port number rather than the + http_port number. protocol= Protocol to reconstruct accelerated requests with. - Defaults to http. + Defaults to http://. ignore-cc Ignore request Cache-Control headers. Warning: This option violates HTTP specifications if used in non-accelerator setups. + + SSL Bump Mode Options: + + cert= Path to SSL certificate (PEM format). + + key= Path to SSL private key file (PEM format) + if not specified, the certificate file is + assumed to be a combined certificate and + key file. + + version= The version of SSL/TLS supported + 1 automatic (default) + 2 SSLv2 only + 3 SSLv3 only + 4 TLSv1 only + + cipher= Colon separated list of supported ciphers. + + options= Various SSL engine options. The most important + being: + NO_SSLv2 Disallow the use of SSLv2 + NO_SSLv3 Disallow the use of SSLv3 + NO_TLSv1 Disallow the use of TLSv1 + SINGLE_DH_USE Always create a new key when using + temporary/ephemeral DH key exchanges + See src/ssl_support.c or OpenSSL SSL_CTX_set_options + documentation for a complete list of options. + + clientca= File containing the list of CAs to use when + requesting a client certificate. + + cafile= File containing additional CA certificates to + use when verifying client certificates. If unset + clientca will be used. + + capath= Directory containing additional CA certificates + and CRL lists to use when verifying client certificates. + + crlfile= File of additional CRL lists to use when verifying + the client certificate, in addition to CRLs stored in + the capath. Implies VERIFY_CRL flag below. + + dhparams= File containing DH parameters for temporary/ephemeral + DH key exchanges. + + sslflags= Various flags modifying the use of SSL: + DELAYED_AUTH + Don't request client certificates + immediately, but wait until acl processing + requires a certificate (not yet implemented). + NO_DEFAULT_CA + Don't use the default CA lists built in + to OpenSSL. + NO_SESSION_REUSE + Don't allow for session reuse. Each connection + will result in a new SSL session. + VERIFY_CRL + Verify CRL lists when accepting client + certificates. + VERIFY_CRL_ALL + Verify CRL lists for all certificates in the + client certificate chain. + + sslcontext= SSL session ID context identifier. + + + Other Options: + connection-auth[=on|off] use connection-auth=off to tell Squid to prevent forwarding Microsoft connection oriented authentication @@ -1216,22 +1297,6 @@ DOC_START sporadically hang or never complete requests set disable-pmtu-discovery option to 'transparent'. - sslBump Intercept each CONNECT request matching ssl_bump ACL, - establish secure connection with the client and with - the server, decrypt HTTP messages as they pass through - Squid, and treat them as unencrypted HTTP messages, - becoming the man-in-the-middle. - - When this option is enabled, additional options become - available to specify SSL-related properties of the - client-side connection: cert, key, version, cipher, - options, clientca, cafile, capath, crlfile, dhparams, - sslflags, and sslcontext. See the https_port directive - for more information on these options. - - The ssl_bump option is required to fully enable - the SslBump feature. - name= Specifies a internal name for the port. Defaults to the port specification (port or addr:port)