Latest squid never shows DNS errors for the user. When the user tries to retrieve
a web page from a non-existent domain, an ERR_CANNOT_FORWARD error appears,
which misleads both user and administrator.
Alex Rousskov [Fri, 26 Aug 2011 20:48:08 +0000 (14:48 -0600)]
Polished unused code.
The unused dlopen() call is actually useful to enable when lt_dlopen() reports
"file not found" errors for loadable modules that do exist but that Libtool
cannot load successfully due to undefined symbols or other errors.
This inability to correctly report a library loading error is a long-standing
Libtool bug, stemming from Libtool's desire to try and load several
differently named library files until one succeeds, losing true error
information in the process.
Bertrand Jacquin [Mon, 22 Aug 2011 14:45:52 +0000 (08:45 -0600)]
Bug 2662: cf_gen failure when cross compiling
Adds support for "./configure HOSTCXX=foo" to specify a host compiler
to build cf_gen with. If none is specified the normal build compiler will
be used.
Amos Jeffries [Sat, 20 Aug 2011 15:57:06 +0000 (03:57 +1200)]
Bug 2279: Log Format options to log server source IP and port
* Add %<a and %<p log format tokens
* Remove log_ip_on_direct configuration directive
* Rename %la to %>la and %lp to %>lp
* polish log format tokens and documentation
* de-duplicate tunnel.cc and forward.cc updateHierarchyInfo() code.
This last is the only logic change. It involved creating hier.note()
and shuffling bits of code around inside forward.cc to ensure
connection setup had a single function, startConnectionOrFail(), which
began the server connect process for all destination changes.
Amos Jeffries [Fri, 19 Aug 2011 03:35:19 +0000 (21:35 -0600)]
Converts the bulk of cf_gen to C++ OOP code.
* char* tree members to std::string, which eliminates xstrdup() and
xis*() calls.
* structs to classes and replaces calloc/free with new/delete.
* link cf_gen_depends.cci directly to autoconf.h defines.
The result of these is that we can erase the dependencies on util.h,
time.cc, config.h, libcompat.la, libmisc.la and other libraries.
This directly fixes several build and cross-compile issues that keep appearing
on various OSes.
TODO:
There is a bit of further cleanup we can do: replacing several classes with
std::list<std::string>.
Pawel Worach [Sun, 14 Aug 2011 12:42:59 +0000 (00:42 +1200)]
Fix NIS helper build on FreeBSD
Fails on clang++ and other strict compilers due to missing __cplusplus
checks in FreeBSD system headers, and because yp_prot.h typedefs bool unless
BOOL_DEFINED is defined.
Amos Jeffries [Sat, 13 Aug 2011 15:53:38 +0000 (09:53 -0600)]
Support extended authentication states to ACL results
Support sub-states of authentication to be sent as results from ACLs.
This allows future work to resolve issues around cases such as expired
but known credentials being used in fast category access controls.
The new authentication states are:
ACCESS_AUTH_OK
- equivalent to ACCESS_ALLOWED
ACCESS_AUTH_REQUIRED
- Missing Credentials. Used to be ACCESS_REQ_PROXY_AUTH
ACCESS_AUTH_EXPIRED_OK
- Expired now. Were Okay.
ACCESS_AUTH_EXPIRED_BAD
- Expired now. Were Failed.
Also converts cases of ACCESS_REQ_PROXY_AUTH to the new name.
As yet no attempt is made to alter auth or access control logics to use
the new states.
Alex Rousskov [Sat, 13 Aug 2011 04:15:06 +0000 (22:15 -0600)]
Bug 3217: "!fd_table[fd].closing()" from ServerStateData::noteMoreBodySpaceAvailable
It is possible that the next hop connection is going through the closing steps
when we receive a "noteMoreBodySpaceAvailable" notification from the response
body consumer. Do not try to read in this case.
Marcus Kool [Tue, 9 Aug 2011 07:09:03 +0000 (01:09 -0600)]
Optimize regular expression ACLs
This patch is inspired by the work that I did for ufdbGuard and a few emails with Amos.
The new code optimises lists of regular expressions.
The optimisations are:
* initial .* is stripped
* RE-1 RE-2 ... RE-n are joined into one large RE: (RE-1)|(RE-2)|...|(RE-n)
* -i ... -i options are optimised: the second one is ignored, same for +i
If the compounding optimisation fails, it falls back to using the unoptimised
expressions.
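The three optimisations listed above, worked through in Python as an added example (this is not the Squid patch itself; the entry list format, helper names and sample patterns are this example's own constructions). It strips a leading ".*", collapses repeated -i/+i switches, joins consecutive patterns with the same case flag into one alternation, and falls back to compiling the patterns individually when the compound expression fails to compile.

```python
import re

# Constructed sample ACL list in the style of a squid regex list:
# "-i" switches to case-insensitive matching, "+i" back to case-sensitive.
SAMPLE_ENTRIES = ["-i", r".*\.example\.com", "-i", r"^http://ads\.", "+i", r"tracker[0-9]+"]


def strip_leading_dotstar(pattern):
    """An initial '.*' matches anything; for an unanchored search it adds nothing."""
    while pattern.startswith(".*"):
        pattern = pattern[2:]
    return pattern


def parse_entries(entries):
    """Turn the token list into (pattern, case_insensitive) pairs.
    A second consecutive -i (or +i) is simply ignored, as the commit describes."""
    parsed = []
    case_insensitive = False
    for token in entries:
        if token == "-i":
            case_insensitive = True
            continue
        if token == "+i":
            case_insensitive = False
            continue
        parsed.append((strip_leading_dotstar(token), case_insensitive))
    return parsed


def compound(parsed):
    """Join runs of patterns sharing a case flag into (RE-1)|(RE-2)|...|(RE-n).
    If the compound fails to compile, fall back to the individual expressions."""
    groups = []
    for pattern, ci in parsed:
        if groups and groups[-1][1] == ci:
            groups[-1][0].append(pattern)
        else:
            groups.append(([pattern], ci))

    compiled = []
    for patterns, ci in groups:
        flags = re.IGNORECASE if ci else 0
        joined = "|".join("(" + p + ")" for p in patterns)
        try:
            compiled.append(re.compile(joined, flags))
        except re.error:
            # Compounding failed (e.g. two patterns define the same named group):
            # keep the semantics by compiling each expression on its own.
            compiled.extend(re.compile(p, flags) for p in patterns)
    return compiled


def matches(compiled, text):
    """True if any compiled expression matches the text (unanchored search)."""
    return any(rx.search(text) for rx in compiled)


if __name__ == "__main__":
    rules = compound(parse_entries(SAMPLE_ENTRIES))
    print(len(rules), "compiled expression(s)")
    for sample in ("www.EXAMPLE.com/index", "tracker12", "TRACKER12"):
        print(sample, "->", matches(rules, sample))
```

The fallback path is what keeps the optimisation safe: a regex engine can reject a compound expression that it would accept as separate expressions, and the list must then behave exactly as the unoptimised one would.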
Amos Jeffries [Mon, 8 Aug 2011 00:21:01 +0000 (12:21 +1200)]
Remove hierarchy_stoplist default value
This should have been done long ago with the other dynamic website
handling changes. It has caused a certain amount of confusion when things
which apparently should go to peers fail to reach them.
author: Christos Tsantilas <chtsanti@users.sourceforge.net>, Amos Jeffries <squid3@treenet.co.nz>
Bug fix: The Ip::Address::IsAnyAddr method returns false for IPv4 anyaddr.
- The Ip::Address::IsAnyAddr() returns true only for the IPv6 anyaddr
(0000:0000:0000:0000:0000:0000:0000:0000) and returns false when we have an
IPv4 anyaddr (0000:0000:0000:0000:0000:FFFF:0000:0000)
- The Ip::Address::IsIPv4 method returns false in the case of IPv4 anyaddr.
The above can cause bugs, eg:
- inside Ip::Address::SetIPv4(). When it is called for an IPv6 anyaddr the IP
address will not be considered as anyaddr any more (IsAnyAddr will return
false).
- inside the dump_generic_http_port function in cache_cf.cc:
    if (s->s.IsAnyAddr() && !s->s.IsIPv6())
        storeAppendPrintf(e, " ipv4");
The if condition in the above statement can never be true. But s->s can
be an IPv4 anyaddr.
- other places where the code will not work as expected when we are
listening on an IPv4 anyaddr IP address.
This patch:
- moves IsIPv4/6 to be based purely on whether the address is v4-mapped or not
- makes both protocols' ANYADDR match the same test
- makes both protocols' NOADDR match the same test
- fixes the IsIPv4/6 documentation to match the implementation
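The predicates described in this entry, modelled in Python as an added example (not Squid's Ip::Address code). Addresses are kept as 128-bit IPv6 values with IPv4 held in v4-mapped form, which is the representation the message describes; the function names, the pre-patch stand-in legacy_is_any_addr(), and dump_port_flags() (which reproduces the quoted dump_generic_http_port condition) are this example's own.

```python
import ipaddress

# Squid-style internal representation as described in the message: every address
# is a 128-bit value, IPv4 addresses being stored v4-mapped (::ffff:a.b.c.d).
V4_ANY = ipaddress.IPv4Address("0.0.0.0")
V4_NONE = ipaddress.IPv4Address("255.255.255.255")
V6_ANY = ipaddress.IPv6Address("::")
V6_NONE = ipaddress.IPv6Address("ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff")


def as_internal(text):
    """Parse an address string; IPv4 text becomes its v4-mapped IPv6 form."""
    try:
        v4 = ipaddress.IPv4Address(text)
    except ValueError:
        return ipaddress.IPv6Address(text)
    return ipaddress.IPv6Address("::ffff:" + str(v4))


def is_ipv4(addr):
    """Post-patch rule: decided purely by whether the value is v4-mapped."""
    return addr.ipv4_mapped is not None


def is_ipv6(addr):
    return addr.ipv4_mapped is None


def legacy_is_any_addr(addr):
    """Pre-patch behaviour from the message: only the IPv6 :: counted, so the
    v4-mapped 0.0.0.0 was never recognised as anyaddr (hypothetical stand-in)."""
    return addr == V6_ANY


def is_any_addr(addr):
    """Fixed: both protocols' ANYADDR pass the same test."""
    if is_ipv4(addr):
        return addr.ipv4_mapped == V4_ANY
    return addr == V6_ANY


def is_no_addr(addr):
    """Fixed: both protocols' NOADDR pass the same test."""
    if is_ipv4(addr):
        return addr.ipv4_mapped == V4_NONE
    return addr == V6_NONE


def dump_port_flags(addr):
    """The dump_generic_http_port condition quoted in the message: emit ' ipv4'
    for an IPv4 wildcard listener. With legacy_is_any_addr() this could never
    fire for a v4-mapped 0.0.0.0; with the fixed predicates it does."""
    return " ipv4" if is_any_addr(addr) and not is_ipv6(addr) else ""


if __name__ == "__main__":
    for text in ("0.0.0.0", "::", "192.0.2.1", "255.255.255.255"):
        a = as_internal(text)
        print(text, "ipv4" if is_ipv4(a) else "ipv6",
              "any" if is_any_addr(a) else "-", "none" if is_no_addr(a) else "-",
              repr(dump_port_flags(a)))
```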
Amos Jeffries [Thu, 4 Aug 2011 03:21:06 +0000 (21:21 -0600)]
SourceLayout: format namespace for custom tag-based formats
Part 1 of enabling non-logging components to support custom formats in strings
Shuffle the log custom format code into its own library separate from the
logging functionality.
One minor logic change removing redundant LogFileEnabled flag.
TODO:
- use MemBuf instead or as well as StoreEntry as the output buffer
- separate from AccessLogEntry confusion
- upgrade deny_info URL generation format
- upgrade external_acl_type format
- add custom helper formats
Amos Jeffries [Wed, 3 Aug 2011 12:35:41 +0000 (06:35 -0600)]
Bug 3243: CVE-2009-0801 Bypass of browser same-origin access control in intercepted communication
Add a verify step between header parsing and http_access to validate that the
Host: header matches the URL for forward-proxied traffic or the destination
IP:port for intercepted traffic.
This is part 1 of the CVE protections: the validation step required to detect
forgery and protect against cache poisoning.
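The verify step described above, written out in Python as an added example (not Squid's implementation): for forward-proxied traffic the Host header must agree with the host and port of the absolute URL in the request line; for intercepted traffic it must name the original destination IP:port. Host header parsing, the constructed SAMPLE_DNS table and the injectable resolver used to accept a hostname in the intercepted case are this example's own assumptions, added so it runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed DNS table standing in for a resolver (not real data).
SAMPLE_DNS = {"www.example.com": {"192.0.2.10", "192.0.2.11"}}


def split_host_port(value, default_port):
    """Split a Host header into (lowercased host, port); ValueError if malformed."""
    value = value.strip()
    if value.startswith("["):                      # bracketed IPv6 literal
        end = value.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal")
        host, rest = value[1:end], value[end + 1:]
    else:
        host, sep, rest = value.partition(":")
        rest = sep + rest
    if not host:
        raise ValueError("empty host")
    if rest == "":
        return host.lower(), default_port
    if rest.startswith(":") and rest[1:].isdigit():
        return host.lower(), int(rest[1:])
    raise ValueError("bad port")


def host_matches_forward(request_target, host_header):
    """Forward-proxied request: the absolute URL in the request line must
    agree with the Host header on both host and (explicit or default) port."""
    url = urlsplit(request_target)
    if url.scheme not in DEFAULT_PORTS or not url.hostname:
        return False
    try:
        url_port = url.port or DEFAULT_PORTS[url.scheme]
        host, port = split_host_port(host_header, DEFAULT_PORTS[url.scheme])
    except ValueError:
        return False
    return (host, port) == (url.hostname.lower(), url_port)


def host_matches_intercepted(dst_ip, dst_port, host_header, resolve=None):
    """Intercepted request: Host must name the original destination IP:port.
    A literal IP in Host is compared directly; a hostname is accepted only when
    the supplied resolver maps it to the destination IP. Without a resolver,
    only literal IPs can match. A Host without a port is taken as port 80."""
    try:
        host, port = split_host_port(host_header, 80)
    except ValueError:
        return False
    if port != dst_port:
        return False
    try:
        return ipaddress.ip_address(host) == ipaddress.ip_address(dst_ip)
    except ValueError:
        pass                                       # Host is a name, not an IP
    if resolve is None:
        return False
    return dst_ip in (resolve(host) or set())


if __name__ == "__main__":
    print(host_matches_forward("http://www.example.com/", "www.example.com"))
    print(host_matches_forward("http://www.example.com/", "victim.example.net"))
    print(host_matches_intercepted("192.0.2.10", 80, "www.example.com",
                                   resolve=SAMPLE_DNS.get))
```

A request that fails either check is the forgery case the entry describes: a client talking to one destination while asking the proxy to cache the response under another name. Rejecting it before http_access is what keeps the poisoned entry out of the cache.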
author: Measurement Factory
Bug 3118: ecap_enable on forces icap_enable on
We were updating [Icap|Ecap]::TheConfig even when [icap|ecap]_enable was false,
which may lead to service activation for Icap or Ecap services that should be
disabled. The patch removes such services from service groups before they are
activated.
The patch also warns the user when an adaptation group loses some but not all
of its services due to the new group cleanup code.
- The "Sender Host Address" field of the ICP message header is a 32-bit
integer, so it can only be an IPv4 address. Moreover, according to the ICP RFC:
"Sender Host Address
The IPv4 address of the host sending the ICP message. This field
should probably not be trusted over what is provided by getpeername(),
accept(), and recvfrom(). There is some ambiguity over
the original purpose of this field. In practice it is not used."
This patch sets the "Sender Host Address" field always to 0.
- Remove the echo_hdr static variable from neighbors.cc file and the
theIcpPublicHostID variables from the icp_v2.cc file. They are part of the
old "source_ping" squid feature code which does not exist any more.
- Remove the theIcpPrivateHostID variable from the icp_v2.cc file. It was used
only to set the "Sender Host Address" icp message header field.
Display HTTP protocol syntax at section 11 level 2
This enables easy debugging of what HTTP requests and replies are flowing
between Squid and external clients/servers, avoiding the need
for level-9 debug traces or packet-level deciphering.