From: Alex Rousskov Date: Thu, 2 Jul 2009 15:24:24 +0000 (-0600) Subject: Break forwarding loops for "transparent" or "intercept" http_ports. X-Git-Tag: SQUID_3_2_0_1~914 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ce5a16c28220fd02bda75be1652c157bf2c93bc8;p=thirdparty%2Fsquid.git Break forwarding loops for "transparent" or "intercept" http_ports. Squid detected forwarding loops in most configurations, but broke them (using a customizable HTTP_FORBIDDEN response) only when working as an accelerator. Squid now breaks loops when working as a transparent proxy as well. A persistent loop is going to be broken anyway, when the Via and X-Forwarded-For headers exceed header size limit, but that wastes a lot of resources and may also crash misconfigured Squids. TODO: Consider breaking all loops, regardless of the http_port options. TODO: Consider adding a specific and/or configurable error page for this case instead of using hard-coded ACCESS_DENIED. --- diff --git a/src/client_side_reply.cc b/src/client_side_reply.cc index e75c349aab..ae0ec8eeef 100644 --- a/src/client_side_reply.cc +++ b/src/client_side_reply.cc @@ -650,10 +650,9 @@ clientReplyContext::processMiss() return; } - /** - * Deny loops when running in accelerator/transproxy mode. - */ - if (http->flags.accel && r->flags.loopdetect) { + /// Deny loops for accelerator and interceptor. TODO: deny in all modes? + if (r->flags.loopdetect && + (http->flags.accel || http->flags.intercepted)) { http->al.http.code = HTTP_FORBIDDEN; err = clientBuildError(ERR_ACCESS_DENIED, HTTP_FORBIDDEN, NULL, http->getConn()->peer, http->request); createStoreEntry(r->method, request_flags());
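
Review bot: The new condition in `clientReplyContext::processMiss()` tests only `http->flags.intercepted`, while the commit message names both "transparent" and "intercept" http_ports. Please confirm that both port options set this one flag, and state that in the `///` comment so the next reader does not have to trace it. The denial also still reuses `ERR_ACCESS_DENIED` with `HTTP_FORBIDDEN`, so to the client and in the access log a broken loop looks the same as an ordinary ACL denial. The commit message carries a TODO for a dedicated error page, but the code comment keeps only the "deny in all modes?" TODO. Consider putting the second TODO next to the `clientBuildError(...)` call, or emitting a debug log line at this point that names the loop, so operators can tell the two cases apart. Requests arriving on ports that are neither `accel` nor `intercepted` still pass this check when `r->flags.loopdetect` is set, and are stopped only by the header size limit the commit message describes as wasteful, so the first TODO deserves a tracking entry rather than only a comment.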