From: Amos Jeffries
Date: Tue, 26 Jul 2011 23:09:58 +0000 (+1200)
Subject: Default to vhost for accelerator mode (reverse proxy)
X-Git-Tag: take08~55^2~33
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cf673853019d0fb5f0eb423bb6c94526dd7700ef;p=thirdparty%2Fsquid.git

Default to vhost for accelerator mode (reverse proxy)

Defaults to match HTTP requirements, and Host awareness is a rather strong HTTP/1.1 requirement. The default in HTTP/1.1 is to read the Host header (unless URL is absolute) but a server MAY optionally ignore the Host header if desired. The option no-vhost is provided to disable this behaviour if necessary.
---
diff --git a/doc/release-notes/release-3.2.sgml b/doc/release-notes/release-3.2.sgml index a7a99d411a..c995e1709a 100644 --- a/doc/release-notes/release-3.2.sgml +++ b/doc/release-notes/release-3.2.sgml @@ -522,10 +522,12 @@ This section gives a thorough account of those changes in three categories:

children-idle=N determines how many helper to retain as buffer against sudden traffic loads.

Deprecated children=N in favor of children-max=N. - http_port act-as-origin + http_port act-as-origin vhost no-vhost

act-as-origin ported from 2.7. This option corrects several HTTP header issues when operating as a reverse proxy and cache. Notably the externally visible aging of objects stored in the server-side cache. +

vhost is deprecated. accel mode, reverse proxy, now defaults to always enable HTTP/1.1 virtual domain support. +

no-vhost option is added to disable the new reverse proxy behaviour. icap_send_client_ip

Deprecated in favor of adaptation_send_client_ip diff --git a/src/cache_cf.cc b/src/cache_cf.cc index d2989db00a..130c2f188d 100644 --- a/src/cache_cf.cc +++ b/src/cache_cf.cc @@ -3546,7 +3546,7 @@ parse_http_port_option(http_port_list * s, char *token) debugs(3, DBG_CRITICAL, "FATAL: http(s)_port: Accelerator mode requires its own port. It cannot be shared with other modes."); self_destruct(); } - s->accel = 1; + s->accel = s->vhost = 1; } else if (strcmp(token, "transparent") == 0 || strcmp(token, "intercept") == 0) { if (s->accel || s->spoof_client_ip) { debugs(3, DBG_CRITICAL, "FATAL: http(s)_port: Intercept mode requires its own interception port. It cannot be shared with other modes."); @@ -3590,10 +3590,14 @@ parse_http_port_option(http_port_list * s, char *token) s->defaultsite = xstrdup(token + 12); } else if (strcmp(token, "vhost") == 0) { if (!s->accel) { - debugs(3, DBG_CRITICAL, "FATAL: http(s)_port: vhost option requires Acceleration mode flag."); - self_destruct(); + debugs(3, DBG_CRITICAL, "WARNING: http(s)_port: vhost option is deprecated. Use 'accel' mode flag instead."); + } + s->accel = s->vhost = 1; + } else if (strcmp(token, "no-vhost") == 0) { + if (!s->accel) { + debugs(3, DBG_IMPORTANT, "ERROR: http(s)_port: no-vhost option requires Acceleration mode flag."); } - s->vhost = 1; + s->vhost = 0; } else if (strcmp(token, "vport") == 0) { if (!s->accel) { debugs(3, DBG_CRITICAL, "FATAL: http(s)_port: vport option requires Acceleration mode flag."); diff --git a/src/cf.data.pre b/src/cf.data.pre index 2448409763..32e34c6796 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre 
@@ -1292,8 +1292,9 @@ DOC_START connections using the client IP address. NP: disables authentication and maybe IPv6 on the port. - accel Accelerator mode. Also needs at least one of - vhost / vport / defaultsite. + accel Accelerator mode. Using the HTTP/1.1 Host header for + virtual domain support. Also uses the port as specified + in Host: header unless overridden by the vport option. ssl-bump Intercept each CONNECT request matching ssl_bump ACL, establish secure connection with the client and with 
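Review bot: The new `accel` description in this cf.data.pre hunk (@@ -1292) reads as sentence fragments ("Accelerator mode. Using the HTTP/1.1 Host header for virtual domain support.") and, having dropped the old "Also needs at least one of vhost / vport / defaultsite" sentence, gives no pointer to how Host-based routing is switched off. Suggest: "Accelerator mode. Uses the HTTP/1.1 Host header for virtual domain support (disable with no-vhost) and the port given in the Host: header unless overridden by the vport option." so the no-vhost option documented further down is reachable from the accel entry.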
@@ -1309,38 +1310,38 @@ DOC_START Accelerator Mode Options: + act-as-origin + Act as if this Squid is the origin server. + This currently means generate new Date: and Expires: + headers on HIT instead of adding Age:. + allow-direct Allow direct forwarding in accelerator mode. Normally accelerated requests are denied direct forwarding as if never_direct was used. + WARNING: this option opens accelerator mode to security + vulnerabilities usually only affecting in interception mode. + defaultsite=domainname What to use for the Host: header if it is not present in a request. Determines what site (not origin server) accelerators should consider the default. - Implies accel. - vhost Using the Host header for virtual domain support. - Also uses the port as specified in Host: header unless - overridden by the vport option. + ignore-cc Ignore request Cache-Control headers. - vport Virtual host port support. Using the http_port number - instead of the port passed on Host: headers. + WARNING: This option violates HTTP specifications if + used in non-accelerator setups. - vport=NN Virtual host port support. Using the specified port - number instead of the port passed on Host: headers. + no-vhost Disable using HTTP/1.1 Host header for virtual domain support. protocol= Protocol to reconstruct accelerated requests with. Defaults to http://. - act-as-origin - Act as if this Squid is the origin server. - This currently means generate new Date: and Expires: - headers on HIT instead of adding Age:. - - ignore-cc Ignore request Cache-Control headers. + vport Virtual host port support. Using the http_port number + instead of the port passed on Host: headers. - Warning: This option violates HTTP specifications if - used in non-accelerator setups. + vport=NN Virtual host port support. Using the specified port + number instead of the port passed on Host: headers. SSL Bump Mode Options:
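Review bot: The release note for vhost (doc/release-notes/release-3.2.sgml, @@ -522) understates the behaviour change made in the cache_cf.cc hunk at @@ -3590: a bare `vhost` without `accel` used to be FATAL and now implies accel mode with only a log message, so an http_port line that was rejected before the upgrade becomes a working reverse proxy after it. Add a sentence to the vhost entry stating that `vhost` now implies `accel` and only logs a deprecation notice, and capitalise the entry ("vhost is deprecated. Accel mode (reverse proxy) now defaults to ...").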
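Review bot: In the cache_cf.cc hunk at @@ -3546, option order now matters for `no-vhost` and the wrong order is never reported: `s->accel = s->vhost = 1;` runs when the `accel` token is parsed, so `http_port 80 no-vhost accel` first logs the no-vhost ERROR (no self_destruct) and then the `accel` token silently re-enables vhost, leaving Host-based routing on for an admin who explicitly turned it off. Either resolve the vhost default after all tokens are parsed (set vhost only when accel is set and no-vhost was not seen), or make no-vhost without accel self_destruct the way the vport branch does.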
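Review bot: In the cache_cf.cc hunk at @@ -3590 the `vhost` deprecation message only fires when `!s->accel`, so the common existing form `accel vhost` gets no notice that the option is deprecated, and the severity/prefix pairs of the two new branches disagree (DBG_CRITICAL with a "WARNING:" text for vhost, DBG_IMPORTANT with an "ERROR:" text for no-vhost). Suggest logging the deprecation unconditionally at DBG_IMPORTANT, e.g. `debugs(3, DBG_IMPORTANT, "WARNING: http(s)_port: vhost option is deprecated. Use 'accel' mode flag instead.");` before `s->accel = s->vhost = 1;`, and keeping the ERROR text for the no-vhost misuse.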
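Review bot: Two documentation issues in the Accelerator Mode Options hunk (cf.data.pre, @@ -1309). The new allow-direct warning has a grammar slip: "vulnerabilities usually only affecting in interception mode" should read "usually only affecting interception mode". More importantly, "Implies accel." is removed from the defaultsite= entry, but no change to the defaultsite= branch appears in the cache_cf.cc hunks of this patch, so either the code still implies accel and the sentence should stay, or the behaviour change needs its own code change and a release-note entry.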