Complete the task of splitting protos.h into more specific files
Remove inclusion of protos.h from most files
Clean CVS and arch file-tags up
Rework some module initialization code so that it is the callee's task and not the callers' to do feature-enabling
Added ssl-crtd option to the maximus build test
Changed many functions' linkage type from C to C++
Alex Rousskov [Mon, 10 Sep 2012 23:07:01 +0000 (17:07 -0600)]
Do not reuse persistent connections for PUTs to avoid ERR_ZERO_SIZE_OBJECT.
A compliant proxy may retry PUTs, but Squid lacks the [rather complicated]
code required to protect the PUT request body from being nibbled during the
first try or [also tricky] code to send 100-continue expectation requiredto
delay body sending. Thus, Squid cannot safely retry some PUTs today, and
FwdState::checkRetriable() must return false for all PUTs, to avoid
bogus ERR_ZERO_SIZE_OBJECT errors (especially for clients that did not
reuse a pconn and, hence, may not be ready to handle/retry an error response).
In theory, requests with safe or idempotent methods other than PUT might have
bodies so we apply the same logic to them as well.
This reopens Squid bug #3398, undoing trunk r11859 commit which attempted
to close that bug.
Alex Rousskov [Mon, 10 Sep 2012 22:38:09 +0000 (16:38 -0600)]
Do not chunk responses carrying a Content-Range header.
When Squid forwards a response with a Content-Range header,
ClientSocketContext::socketState() detects the end of the response range(s)
and returns STREAM_*COMPLETE to ClientSocketContext::writeComplete().
The latter thinks that the writing of the response to the client must be
over and calls keepaliveNextRequest() instead of writing the last-chunk
(if any). If the to-client response was chunked, the client gets stuck
waiting for that missing last-chunk.
The multipart Range request case was already excluded from chunking (or it
would probably suffer from the same problem). With this change, no
Content-Range responses will be chunked.
N.B. Some servers send Content-Range responses to basic GET requests
without a Range header, so the problem affects more than just Range requests.
TODO: A proper fix would be to rewrite ClientSocketContext::writeComplete()
and other code so that it does not mix internal ClientStream completion with
[possibly chunk-encoded] writing completion. This should probably be done
along with fixing ClientSocketContext::socketState() and other state-checking
code to ignore to-client persistence (flags.proxy_keepalive), which is not
related to the internal ClientStream state.
Implemented some more getters/setters for RequestFlags.
Moved from a preprocessor-backed conditional code to a compiler-backed conditional code for follow-x-forwarded-for
Bug fix: TLS/SSL Options does not apply to the dynamically generated certificates
The TLS/SSL options configured with http_port configuration parameter does not
used to generate SSL_CTX context objects used to establish SSL connections.
This is means that certificate based authentication, or SSL version selection
and other SSL/TLS http_port options does not work for ssl-bumped connection.
This patch fixes this problem.
Amos Jeffries [Thu, 30 Aug 2012 14:32:41 +0000 (08:32 -0600)]
Bug 3626: Forwarding loops on intercepted traffic
Changes to interception handling in 3.2 series (namely the preference
for using ORIGINAL_DST) have increased the chances that misconfigured
network systems involving Squid will hit forwarding loops.
Two instances are currently known:
* passing forward-proxy traffic to a interception port.
* NAT performed on a separate box.
This enacts an old TODO by removing the loop detection bypass for
intercepted traffic and accelerated traffic. Now we always check for
loops regardless of how the request was received.
NOTE: accel mode was only included due to the TODO.
If problems are found there it can be re-instated.
Dmitry Kurochkin [Thu, 30 Aug 2012 12:46:47 +0000 (06:46 -0600)]
Make CpuAffinitySet::applied() method non-const.
According to CPU_SET(3) and, apparently, on some systems (e.g.,
OpenSuSE 10.3) CPU_COUNT macro expects a non-const argument. The
patch fixes build error on these systems.
Retrieve client connection information for ACL checks from the related HttpRequest object
This patch enable SSL client certificate ACL checks (user_cert and ca_cert)
in all cases the client connection information can retrieved from the related
HttpRequest object, eg when making peering decisions (peer_cache_access ACL).
Discussed under the "Supply client connection and IDENT information to
peer_cache_access ACL check" thread on squid-dev.