From: Christos Tsantilas Date: Mon, 9 May 2011 07:48:55 +0000 (+0300) Subject: Support for slow ssl_bump ACLs X-Git-Tag: take07~16^2~23 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e0c0d54c4deb4de2610fdfa3c1e8aea937c64f8f;p=thirdparty%2Fsquid.git Support for slow ssl_bump ACLs Allow slow ACLs with ssl_bump option in squid.conf to enable destination domain (and possibly other) slow ACL checks. This is a Measurement Factory project. --- diff --git a/src/ClientRequestContext.h b/src/ClientRequestContext.h index f6b94a2d69..006b028a22 100644 --- a/src/ClientRequestContext.h +++ b/src/ClientRequestContext.h @@ -36,6 +36,16 @@ public: void adaptationAccessCheck(); void adaptationAclCheckDone(Adaptation::ServiceGroupPointer g); #endif +#if USE_SSL + /** + * Initiates and start the acl checklist to check if the a CONNECT + * request must be bumped. + \retval true if the acl check scheduled, false if no ssl-bump required + */ + bool sslBumpAccessCheck(); + /// The callback function for ssl-bump access check list + void sslBumpAccessCheckDone(bool doSslBump); +#endif ClientHttpRequest *http; ACLChecklist *acl_checklist; /* need ptr back so we can unreg if needed */ @@ -51,6 +61,9 @@ public: bool interpreted_req_hdrs; bool tosToClientDone; bool nfmarkToClientDone; +#if USE_SSL + bool sslBumpCheckDone; +#endif private: CBDATA_CLASS(ClientRequestContext); diff --git a/src/cf.data.pre b/src/cf.data.pre index 0eedb73944..919379ad83 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre @@ -1919,9 +1919,9 @@ DOC_START By default, no requests are bumped. - See also: http_port sslBump + See also: http_port ssl-bump - This clause only supports fast acl types. + This clause supports both fast and slow acl types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -1949,7 +1949,6 @@ DOC_START to OpenSSL. DOC_END - NAME: sslproxy_cert_error IFDEF: USE_SSL DEFAULT: none @@ -1980,8 +1979,6 @@ DOC_START Default setting: sslproxy_cert_error deny all DOC_END - - NAME: sslpassword_program IFDEF: USE_SSL DEFAULT: none diff --git a/src/client_side_request.cc b/src/client_side_request.cc index 86b1c22bf4..c5a4c24429 100644 --- a/src/client_side_request.cc +++ b/src/client_side_request.cc @@ -112,6 +112,9 @@ ClientRequestContext::operator delete (void *address) /* Local functions */ /* other */ static void clientAccessCheckDoneWrapper(int, void *); +#if USE_SSL +static void sslBumpAccessCheckDoneWrapper(int, void *); +#endif static int clientHierarchical(ClientHttpRequest * http); static void clientInterpretRequestHeaders(ClientHttpRequest * http); static RH clientRedirectDoneWrapper; @@ -140,6 +143,9 @@ ClientRequestContext::ClientRequestContext(ClientHttpRequest *anHttp) : http(cbd redirect_done = false; no_cache_done = false; interpreted_req_hdrs = false; +#if USE_SSL + sslBumpCheckDone = false; +#endif debugs(85,3, HERE << this << " ClientRequestContext constructed"); } @@ -173,6 +179,9 @@ ClientHttpRequest::ClientHttpRequest(ConnStateData * aConn) : #if USE_ADAPTATION request_satisfaction_mode = false; #endif +#if USE_SSL + sslBumpNeed = needUnknown; +#endif } /* @@ -1113,6 +1122,46 @@ ClientRequestContext::checkNoCacheDone(int answer) http->doCallouts(); } +#if USE_SSL +bool +ClientRequestContext::sslBumpAccessCheck() +{ + if (http->request->method == METHOD_CONNECT && + Config.accessList.ssl_bump && http->getConn()->port->sslBump) { + debugs(85, 5, HERE << "SslBump possible, checking ACL"); + + ACLFilledChecklist *acl_checklist = clientAclChecklistCreate(Config.accessList.ssl_bump, http); + acl_checklist->nonBlockingCheck(sslBumpAccessCheckDoneWrapper, this); + return true; + } + else { + http->sslBumpNeeded(false); + return false; + } +} + +/** + * A wrapper function to use the ClientRequestContext::sslBumpAccessCheckDone method + * as ACLFilledChecklist callback + */ +static void +sslBumpAccessCheckDoneWrapper(int answer, void *data) +{ + ClientRequestContext *calloutContext = static_cast(data); + + if (!calloutContext->httpStateIsValid()) + return; + calloutContext->sslBumpAccessCheckDone(answer == ACCESS_ALLOWED); +} + +void +ClientRequestContext::sslBumpAccessCheckDone(bool doSslBump) +{ + http->sslBumpNeeded(doSslBump); + http->doCallouts(); +} +#endif + /* * Identify requests that do not go through the store and client side stream * and forward them to the appropriate location. All other requests, request @@ -1156,19 +1205,18 @@ ClientHttpRequest::httpStart() #if USE_SSL -// determines whether we should bump the CONNECT request bool ClientHttpRequest::sslBumpNeeded() const { - if (!getConn()->port->sslBump || !Config.accessList.ssl_bump) - return false; - - debugs(85, 5, HERE << "SslBump possible, checking ACL"); + assert(sslBumpNeed != needUnknown); + return (sslBumpNeed == needConfirmed); +} - ACLFilledChecklist check(Config.accessList.ssl_bump, request, NULL); - check.src_addr = request->client_addr; - check.my_addr = request->my_addr; - return check.fastCheck() == 1; +void +ClientHttpRequest::sslBumpNeeded(bool isNeeded) +{ + debugs(83, 3, HERE << "sslBump required: "<< (isNeeded ? "Yes" : "No")); + sslBumpNeed = (isNeeded ? needConfirmed : needNot); } // called when comm_write has completed @@ -1369,6 +1417,13 @@ ClientHttpRequest::doCallouts() } } + if (!calloutContext->sslBumpCheckDone) { + calloutContext->sslBumpCheckDone = true; + if (calloutContext->sslBumpAccessCheck()) + return; + /* else no ssl bump required*/ + } + cbdataReferenceDone(calloutContext->http); delete calloutContext; calloutContext = NULL; diff --git a/src/client_side_request.h b/src/client_side_request.h index d00a617a43..df9252fb40 100644 --- a/src/client_side_request.h +++ b/src/client_side_request.h @@ -149,8 +149,14 @@ private: ConnStateData * conn_; #if USE_SSL + /// whether the request needs to be bumped + enum { needUnknown, needConfirmed, needNot } sslBumpNeed; + public: + /// return true if the request needs to be bumped bool sslBumpNeeded() const; + /// set the sslBumpNeeded state + void sslBumpNeeded(bool isNeeded); void sslBumpStart(); void sslBumpEstablish(comm_err_t errflag); #endif