Allow upgrading from HTTP/1.1 to other protocols (#481)
Support admin-authorized HTTP Upgrade-driven (RFC 7230 Section 6.7)
protocol switching. The new http_upgrade_request_protocols configuration
directive allows admin to control what client Upgrade offer(s) are
forwarded to the server. Squid does not automatically check whether the
server selection matches one of the client offers, but the admin can
deny unacceptable server responses using http_reply_access.
By default, Squid still does not forward any Upgrade headers,
effectively blocking an upgrade attempt.
Squid itself does not understand the protocols being upgraded to and
participates in the upgraded communication only as a dumb TCP proxy.
Detail TLS and CONNECT cache_peer negotiation failures (#518)
Before PeerConnector and Tunneler were introduced, FwdState and
TunnelStateData naturally owned their to-server connection. When CONNECT
and TLS negotiation were outsourced, we kept that ownership to minimize
changes and simplify negotiation code. That was wrong because FwdState
and TunnelStateData, as connection owners, had to monitor for connection
closures but could not distinguish basic TCP peer closures from complex
CONNECT/TLS negotiation failures that required further detailing. The
user got generic error messages instead of details known to negotiators.
Now, Ssl::PeerConnector and Http::Tunneler jobs own the connection they
work with and, hence, are responsible for monitoring it and, upon
successful negotiation, returning it to the initiators. In case of
problems, these jobs send detailed errors to the initiators instead.
Passing connection ownership to and from a helper job is difficult
because the connection may be either closed or begin to close (e.g. by
shutdown) while the callback is pending without working close handlers.
Many changes focus on keeping Connection::fd in sync with Comm.
Also improved tunnel.cc mimicking of (better) FwdState code: Partially
open connections after Comm::ConnOpener failures are now closed, and
Http::Tunneler failures are now retried.
Amos Jeffries [Thu, 21 May 2020 14:42:02 +0000 (14:42 +0000)]
Add flexible RFC 3986 URI encoder (#617)
Use AnyP::Uri namespace to self-document encoder scope and
coding type.
Use SBuf and CharacterSet for more flexible input and actions
than previous RFC 1738 encoder. Allowing callers to trivially
determine which characters are encoded.
Reduced startup time with large rock cache_dirs (#634)
... addressing an old TODO.
Before scanning the disks to find the actual entries, the old rock
cache_dir initialization code had to populate its index as if all disk
slots were available and then remove all the added entries. Those two
wasteful operations took ~1.5 seconds for a 200GB disk before the
PageStack ABA bug was fixed in a586085. With the tree-based fix, that
time increased to ~15 seconds. The delay is completely gone now,
reducing the total index initialization time (for a 200GB disk) down to
a second.
test-builds.sh: in case of error dump full log (#622)
Change behaviour of the test-builds script to
dump the full output of the current layer's log in
case of error. This will help better diagnose errors
as the root cause of an error may have exited the 20-lines
buffer we currently use
Alex Rousskov [Mon, 18 May 2020 21:42:05 +0000 (21:42 +0000)]
Fix PoolingAllocator build errors with older GCCs (#632)
error: no class template named rebind in class PoolingAllocator
GCC v4.8.4 (at least) does not fully implement C++11 Allocator-related
APIs, forcing the developer to manually provide Allocator traits that
are supposed to come automatically via std::allocator_traits.
The problem may only manifest itself when using a custom allocator with
types such as std::map<T> and std::list<T> that allocate wrapper
objects instead of Ts. For example, std::vector is unaffected.
Alex Rousskov [Wed, 13 May 2020 14:05:00 +0000 (14:05 +0000)]
Validate Content-Length value prefix (#629)
The new code detects all invalid Content-Length prefixes but the old
code was already rejecting most invalid prefixes using strtoll(). The
newly covered (and now rejected) invalid characters are
* explicit "+" sign;
* explicit "-" sign in "-0" values;
* isspace(3) characters that are not (relaxed) OWS characters.
In most deployment environments, the last set is probably empty because
the relaxed OWS set has all the POSIX/C isspace(3) characters but the
new line, and the new line is unlikely to sneak in past other checks.
Thank you, Amit Klein <amit.klein@safebreach.com>, for elevating the
importance of this 2016 TODO (added in commit a1b9ec2).
Replaced a list-based PageStack implementation with a tree-based one.
The new code uses a deterministic binary tree. Inner nodes count the
number of available IDs in their child subtrees. Leaf nodes store IDs
using bitmasks. The root node tells the pop() method whether it is going
to find a free page. The method then adjusts counters in 1-23 nodes
(depending on the tree hight) on the path to the leaf containing a page.
The push() method adds a bit to the leaf node and adjusts the counters
of all the inner nodes (1-23) on the way up to the root one. All the
adjustments are lockless. Push may also be wait-free. No ABA problems.
An alternative fix that preserved list-based implementation was
implemented but ultimately rejected: Avoiding ABA problems required
complex code, and that complexity prevented meaningful validation using
Rust's Loom. Also, dirty performance tests of outside-of-Squid code
showed unexplained significant response time growth of the list-based
implementation when concurrency levels were being increased beyond a few
threads. While these validation and performance concerns could be red
herrings, their existence decreased our confidence in the list-based
algorithm that already had a history of fooling developers.
The tree-based PageStack implementation needs 8-16x less RAM. Roughly:
* list-based: sizeof(uint32_t) * capacity or 4*capacity
* tree-based: sizeof(uint64_t) * 2 * rcapacity/64 or rcapacity/4
where rounded capacity is somewhere between capacity and 2*capacity
The absolute RAM savings are minor for most environments, but the
footprint reduction might be enough to fit a significant part of some
hot index in a modern L1 CPU cache: (e.g., a 32GB rock cache_dir may
have 16GB/16KB = 1M slot IDs = 512KB tree size).
The tree-based structure may make future support for caches with more
than 2^25 entries easier because it does not heavily rely on combining a
cache entry ID and an ABA version/nonce in a single 64-bit atomic.
TODO: While absolute tree- and list-based operation costs are all small
(under 1 microsecond), tree-based implementation cost are higher. Since
rock code pops all disk slots at startup (a known performance bug), rock
startup costs increased significantly. For example, a 200 GB disk cache
test shows ~18 seconds startup time for the tree-based implementation
versus ~4 seconds for list-based. This will be addressed by fixing that
known performance bug. The fix will not alter the tree algorithm.
TODO: The PageStack class should be renamed. Ideally, that renaming
should coincide with refactoring the PagePool/PageStack split, which is
an old XXX also currently exposes a lot of internal PageStack code.
See also: https://en.wikipedia.org/wiki/ABA_problem
gcc-8+ build error: undefined reference to __atomic_is_lock_free (#625)
Compilers warned about AC_SEARCH_LIBS(__atomic_load_8)-generated code.
Newer, stricter compilers (e.g., gcc-8), exit with an error, resulting
in AC_SEARCH_LIBS failure when determining whether libatomic is needed.
More at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907277#30
It is unclear whether autoconf will ever handle this case better. Let's
use a custom-made test for now. The current test refuses to build Squid
on platforms where a program using std::atomic<T>::is_lock_free() cannot
be successfully linked (either with or without libatomic) for a the
largest atomic T used by Squid (i.e. a 64 bit integer).
Linking with libatomic may be required for many reasons that we do not
fully understand, but we know that std::atomic<T>::is_lock_free() does
require linking with libatomic in some environments, even where T is an
inlineable atomic. That is why we use that as a test case.
Amos Jeffries [Sun, 10 May 2020 10:29:24 +0000 (10:29 +0000)]
Fix whitespace shell bugs in configure library detection (#628)
Whitespace around shell variable assign and append operators
results in those operations not being performed.
This caused the with_*, *_PATH and *_LIBS variables to not
be set to the correct path when a custom path is used.
Also, lack of condition on the *_CFLAGS assign can pollute
the compiler parameters with non-existent directories.
It should also have been an append like PATH and LIBS to
add the auto-detected value after any user-provided value
instead of overwriting.
Alex Rousskov [Wed, 6 May 2020 01:54:07 +0000 (01:54 +0000)]
Fixed TLS selected_version parsing and debugging (#621)
The description of the expected input was given to the wrong parsing
function. This typo may have affected parsing because it told the TLS
version tokenizer that more data may be expected for the already fully
extracted extension. I believe that the lie could affect error
diagnostic when parsing malformed input, but had no effect on handling
well-formed TLS handshakes (other than less-specific debugging).
Detected by Coverity. CID 1462621: Incorrect expression (NO_EFFECT)
Amos Jeffries [Tue, 5 May 2020 13:57:24 +0000 (13:57 +0000)]
Bug 5046: FreeBSD lacks open(2) O_DSYNC flag (#623)
ext_session_acl built with TrivialDB uses O_DSYNC to ensure
thread-safe manipulation of data within the TDB files in Squid
multi-process environment.
FreeBSD lacks this flag entirely. Use the O_SYNC flag as a
backup, which apparently provides file-level synchronization.
It is not clear whether this flag will prevent duplicate keys or
record overwrites in the case of process write race collisions.
NP: this appears to be FreeBSD specific. Other BSD either define
O_DSYNC or lack support for these POSIX flags entirely.
Add an option to test-builds.sh to emit dots
to enable tracking progress in the test without
being fully verbose
In the context of the build farm, this will save storage
and bandwidth on the build nodes, while still showing
issues if anything were to occur, and showing whether
progress is being made or a build is stuck.
Preserve caller context in commHandleWriteHelper() (#607)
This event handler resumes write operations for descriptors,
queued due to delay pool restraints. Before this fix, the enqueuing
code did not save and the dequeuing code did not restore transaction
contexts.
SslBump: Disable OpenSSL TLSv1.3 support for older TLS traffic (#588)
This change fixes stalled peeked-at during step2 connections from IE11
and FireFox v56 running on Windows 10 (at least), producing "Handshake
with SSL server failed" cache.log errors with this OpenSSL detail:
Disabling TLS v1.3 support for older TLS connections is required
because, in the affected environments, OpenSSL detects and, for some
unknown reason, blocks a "downgrade" when a server claims support for
TLS v1.3 but then accepts a TLS v1.2 connection from an older client.
Streamline ./configure handling of optional libraries (#606)
Squid macros to simplify most AC_ARG_WITH behaviour.
These macros perform the necessary checks for on/off and
custom library path validation for Squid coding policy.
Usage:
* When the parameter is for a build value rather than a
library to link. Use AC_ARG_WITH.
* When a library is experimental and should default disable.
Use SQUID_OPTIONAL_LIB to detect the --with parameter.
* When a library is expected to be available and default enable.
Use SQUID_AUTO_LIB to detect --without parameter.
Sets pkg-config variables to enable more consistent configure.ac
logic for libraries even if pkg-config is not used or supported
for any specific library.
Fixes several trivial bugs where unnecessary or duplicate
library entries were injected into CXXFLAGS, LDFLAGS and similar.
Followup logic for some libraries is adjusted to inject the
pkg-config variables to retain build behaviour for now.
Happy Eyeballs: Do not discard viable reforwarding destinations (#567)
When HappyConnOpener starts opening two connections, both destinations
are removed from the shared destinations list. As soon as one connection
(X) succeeded, the other destination (Y) was essentially forgotten. If
FwdState, after using X, decided to reforward the request, then the
request was never reforwarded to Y. We now return Y to the list.
Also abort the still-active ConnOpener job upon the termination of its
"parent" HappyConnOpener job. Without an explicit termination, those
abandoned child jobs wasted OS and Squid resources while the OS was
trying to open the requested connection. They would terminate on a
timeout or when the connection was finally opened (and discarded).
Waiting for the child ConnOpener job to end is a useful optimization,
but it remains a TODO. It requires complex accumulation avoidance logic.
Also fixed retrying via FwdState::fail() which could reorder addresses.
It incorrectly assumed that only the prime connections were retried.
Maintenance: Move sort-includes.pl to scripts/maintenance/ (#599)
We will no longer get `changed #include order` notices but will get
`changed: by maintenance/sort-includes.pl` notices, including for
whitespace-only changes.
Support plugin-style scripts for source format enforcement (#531)
Allow the source-maintenance script to run arbitrary code or sub-scripts
to perform enforcement of Squid code style and content.
Code placed in the scripts/maintenance/ sub-folder MUST meet the
following criteria:
* be self-executable,
* receive filename of the code file to be touched as one and only
command-line parameter,
* always dump the file contents to stdout (with or without edits),
* not depend on any other code in this sub-folder being run first.
Restore PURGE miss replies to be "404 Not Found", not "0 Init" (#586)
Since commit 6956579, PURGE requests resulted in invalid HTTP responses
with zero status code when Store lacked both GET and HEAD entries with
the requested URI.
Also adjusted Http::StatusLine packing code to avoid generating similar
invalid responses in the future (and to attract developer attention to
their presence in the code logic with a BUG message).
Converting std::chrono::nanoseconds::rep to double may lead to rounding
errors [-Wimplicit-int-float-conversion]. Use explicit cast to signal
that we want to ignore those errors in the max-value checking context.
Create and preserve code context in peerCountMcastPeers* events (#575)
These event handlers initiate multicast cache peer pinging and collect
multicast statistics for the peer in CachePeer::mcast. Before the fix,
both handlers ran without any context, ignoring the existing
ICP transaction context.
DrDaveD [Wed, 18 Mar 2020 17:34:45 +0000 (17:34 +0000)]
Bug 5030: Negative responses are never cached (#566)
Negative caching was blocked by checkCachable().
Since 3e98df2, Squid cached ENTRY_NEGCACHED entries in memory cache
only. Back then, storeCheckSwapable() prevented what later became
ENTRY_NEGCACHED entries from going to disk. The design was obscured by 8350fe9 that renamed storeCheckSwapable() to storeCheckCachable().
Commit 97754f5 violated that (obscured) design by adding a
checkCachable() call to StoreEntry::memoryCachable(), effectively
blocking ENTRY_NEGCACHED entries from the memory cache as well. That
call should have been added, but checkCachable() should not have denied
caching rights to ENTRY_NEGCACHED -- the corresponding check should have
been moved into StoreEntry::mayStartSwapOut().
By removing ENTRY_NEGCACHED from checkCachable(), we now allow
ENTRY_NEGCACHED entries into both memory and disk caches, subject to all
the other checks. We allow ENTRY_NEGCACHED to be cached on disk because
negative responses are fundamentally no different than positive ones:
HTTP allows caching of 4xx and 5xx responses expiring in the future.
Hopefully, the increased disk cache traffic will not be a problem.
Amos Jeffries [Mon, 16 Mar 2020 05:25:42 +0000 (05:25 +0000)]
ESI: convert parse exceptions into 500 status response (#411)
Produce a valid HTTP 500 status reply and continue operations when
ESI parser throws an exception. This will prevent incomplete ESI
responses reaching clients on server errors. Such responses might
have been cacheable and thus corrupted, albeit corrupted consistently
and at source by the reverse-proxy delivering them.
This directive controls whether Squid should perform paranoid validation
of cache entry metadata integrity every time a cache entry is hit. The
client transaction experiences a cache miss instead.
This feature does not protect from the corruption that happens while the
hit is being delivered because the validation runs once per client
request when that client request discovers a cache hit. Future versions
may add more checkpoints.
The paranoid hit validation statistics are available by means of several
new cache manager counters, available by mgr:counters, mgr:5min and
mgr:60min requests. The statistics are reported only when
paranoid_hit_validation is enabled.
Preserve caller context across tunnelDelayed*Read (#560)
tunnel.cc code approximates delay pools functionality using event.h API
that is not meant for transaction-specific events. We (temporary) add a
transaction context data member to TunnelStateData until the class
switches to using transaction-specific deferred reads API.
Amos Jeffries [Fri, 6 Mar 2020 18:40:43 +0000 (18:40 +0000)]
Cleanup: cf_gen code updates (#558)
* cf_gen: fix obsolete yoda stye comparison
* cf.data.pre: replace NOCOMMENT_START/END with
clearer CONFIG_START/END tags
* cf_gen: fix special class constructor/destructors
* Comply with the 'Big Three / Big Five' rule.
* Use C++11 initialization for class Entry member
* Remove unnecessary entries in constructor lists
Supply ALE to request_header_add/reply_header_add (#564)
Supply ALE to request_header_add and reply_header_add ACLs that need it
(e.g., external, annotate_client, and annotate_transaction ACLs). Fixes
"ACL is used in context without an ALE state" errors when external ACLs
are used in the same context (other ACLs do not yet properly disclose
that they need ALE).
Also provides HTTP reply to reply_header_add ACLs.
Ban reserved annotations in "note", "adaptation_meta" directives (#561)
Squid defines a list of names used internally for exchanging name=value
pairs with various helpers. When Squid receives a name=value pair with a
reserved name, Squid stores it as if it was any other annotation; the
information can be checked with a "note" ACL and logged with %note. An
admin who configures a custom annotation with the same reserved name may
see strange/unexpected results such as seemingly corrupted access.log
record fields and mismatching ACLs.
Squid already prohibits reserved annotation names in
annotate_transaction and annotate_client ACLs. This change adds the
missing protection to the "note" and adaptation_meta directives.
Bug 4796: comm.cc !isOpen(conn->fd) assertion when rotating logs (#474)
This long-term solution overrides the short-term fix at 2cd72a2. Now,
debug.cc correctly maintains meta information associated with its file
descriptors.
IMO, the correct place for calling _db_init() is just after locking the
PID file because we want to log ASAP, but cache.log is a common resource
that requires protection. Thus, the two old _db_init() calls were both
excessive and misplaced:
* The first call happens too early, allowing another Squid instance to
pollute cache.log with messages unrelated to the cache.log-owning
instance (e.g., a "FATAL: Squid is already running" message when
attempting to start another instance).
* The second call happens too late, missing earlier debugs() that ought
to be written into cache.log (e.g., debugs() in comm_init()).
Fixing _db_init() calls led to adjustments like moving mainSetCwd() to
be called prior to the relocated _db_init(). However, these changes
should not affect chroot-sensitive code such as UseConfigRunners().
Some early debugs() messages are no longer written into cache.log:
* Exception messages like "Squid is already running" emitted by another
Squid instance. This is an improvement: Messages about other instances
do not belong to the cache.log locked by the running instance.
* Messages (mostly errors and warning) from "finalizeConfig" callers
(e.g., "WARNING: mem-cache size is too small..."). This loss is
regrettable. Long-term, these messages should be reported after
configuration is finalized (TODO). Delayed reporting will also help
when Squid starts rejecting invalid reconfigurations.
* Messages from a few early enter_suid()/leave_suid() calls, such as
"enter_suid: PID" and "leave_suid: PID". This is an improvement: These
debugging messages pollute cache.log.
* A few early SquidMain() messages emitted between parseConfigFile() and
StartUsingConfig() (e.g., "Doing post-config initialization"). This is
an improvement: These debugging messages pollute cache.log.
Also removed outdated 'TEST_ACCESS' hack for simplicity sake.
Also marked an old XXX: Chrooted SMP master process does not db_init().
DrDaveD [Fri, 21 Feb 2020 05:12:04 +0000 (05:12 +0000)]
Bug 5022: Reconfigure kills Coordinator in SMP+ufs configurations (#556)
In these unsupported SMP+ufs configurations, depending on the deployment
specifics, the Coordinator process could exit due to swap state file
opening errors:
kid11| FATAL: UFSSwapDir::openLog: Failed to open swap log.
This patch introduces new time units of microsecond and
nanosecond precision forming a new 'time-units-small' category.
Also found and fixed several problems, related to time parameters
parsing:
* Obscure "integer overflow" fatal messages. For example, passing
"0.0001 second" caused this message. After fixing, Squid reports
that the value "is too small to be used in this context".
* Ignoring possible zero-rounded values after parsing. For example, if
a second-precision parameter was configured with 0.1 second, it
became zero after rounding, which is unexpected. It is treated
as a fatal error now.
* Inconsistent parameter overflow type. For example, parameters
with millisecond and second precision reported that 'time_msec_t'
overflowed. Now we introduce an absolute time maximum allowed,
equal to the maximum of chrono::nanoseconds type which is about
293 years. This absolute maximum allows to keep the time parsing
code simple and at the same time should satisfy any reasonable
configuration need. Note that this solution treats existing
configurations with unreasonably huge time values > 293 years
as fatal errors, such configurations should be fixed accordingly.
* Time overflows for icap_service_failure_limit parameter were not
checked at all. This is probably a result of code duplication.
By fixing the latter problem, the former one was resolved
automatically.
* Unclear fatal message if a time parameter lacked time unit. Now
Squid reports about "missing time unit".
* Improved error reporting when an inapplicable time unit was used, for
example a 'millisecond' instead of a 'second'. For the majority of
time parameters, it reported only a common "FATAL: Bungled..."
message. For url_rewrite_timeout parameter, it reported an irrelevant
"unsupported option ..." message (since it began to treat the faulty
time unit as the next option). Now in both cases it reports about the
underlying time unit problem.
While fixing these bugs I had to refactor and improve time parsing
functions, using safer std::chrono types instead of raw integer types.
Support worker-dedicated listening queues (SO_REUSEPORT) (#369)
This performance optimization has a few cons, including security
concerns, but it improves CPU core utilization/balance in many SMP
environments and is supported by many high-performance servers. Enabled
by the new `*_port worker-queues` configuration option.
Worker-dedicated listening queues reduce client-worker affinity for
requests submitted over different TCP connections. The effect of that
reduction on Squid performance depends on the environment, but many busy
SMP proxies handling modern traffic should benefit.
TODO: Linux tests show load balancing effects of SO_REUSEPORT, but
untested FreeBSD probably needs SO_REUSEPORT_LB to get those effects.
Daris A Nevil [Tue, 18 Feb 2020 14:26:06 +0000 (14:26 +0000)]
Remove 8K limit for single access.log line (#332)
The function logfilePrintf() currently limits a single line
to no more than 8K characters. It allocates an 8K buffer
on the stack, which is not safe. This PR eliminates
the 8K limit, and moves the buffer to the heap.
squidcontrib [Wed, 29 Jan 2020 06:10:04 +0000 (06:10 +0000)]
Remove pointer from the input of Digest nonce hashes (#549)
This is a follow-up to #491 (b20ce97), which hashed what was previously
revealed as plaintext. Removing the pointer from the input to the hash
removes the possibility that someone could recover a pointer by
reversing a hash. Having the pointer as input was not adding anything:
Squid remembers all outstanding nonces, so it really only requires
uniqueness, which is already guaranteed by the
authenticateDigestNonceFindNonce loop.
Knowing client transport connection ID can be very helpful in triage,
especially when dealing with multiple requests associated with a
problematic connection (e.g., two access log records associated with a
single TLS connection bumping failure).
The "transport" namespace was added in hope to reduce confusion when/if
other connection_id %codes are added. The shorter and more familiar
"tcp::" namespace was rejected because we want configurations using the
new %code to continue to work well after Squid gains HTTP/3 support, and
HTTP/3 uses UDP for transport connections. Other UDP-based protocols may
have similar "connection" concepts.
huaraz [Sat, 25 Jan 2020 03:36:49 +0000 (03:36 +0000)]
kerberos_ldap_group: fix encryption type for cross realm check (#542)
Newer setups require AESxxx encryption but old Crossrealm
tickets are still using RC4. Remove the use of the cached client
ticket encryption type and use the configured default list
(which must include AESxxx and RC4).
Alex Rousskov [Fri, 24 Jan 2020 03:41:38 +0000 (03:41 +0000)]
Preserve caller context across Store data delivery (#543)
StoreEntry::invokeHandlers() sends a recently loaded response data to
the waiting store_clients. During concurrent cache hits (including, but
not limited to collapsed ones), the response can be loaded into Store by
one transaction and delivered to several different transactions (i.e.
store_clients). This Store "hit sharing service" must restore the
context of the transactions it serves.
Marcos Mello [Thu, 23 Jan 2020 12:07:40 +0000 (12:07 +0000)]
Bug 5016: systemd thinks Squid is ready before Squid listens (#539)
Use systemd API to send start-up completion notification if built
with libsystemd support. New configure option --with-systemd
can be used to force enable or disable the feature (default:
auto-detect on Linux platforms).
Do not stall if xactions overwrite a recently active cache entry (#516)
After the last transaction that cached or read the reply R1 ended, its
Transients entry T1 was not freed. Subsequent requests (with different
public keys) could occupy the same shared memory and rock slots (purging
unlocked R1), preventing Squid from attaching a T1-derived StoreEntry to
the cache. Another request for R1 would receive T1 and stall because its
worker W1 kept waiting for a notification from another worker W2,
incorrectly assuming that W2 exists and is going to fetch R1 for W1.
That request was aborted after a timeout.
A Transients entry represents active transaction(s). Broadcasts stop
when there are no transactions to inform. We must remove idle (i.e.
unlocked) Transients entries to avoid feeding new transactions with
stale info. We now do that when unlocking a Transients entry and also
double check that a found unattached Transients entry has a writer.
DrDaveD [Mon, 30 Dec 2019 20:43:33 +0000 (20:43 +0000)]
Bug 4735: Truncated chunked responses cached as whole (#528)
Mark responses received without the last chunk as responses that have
bad (and, hence, unknown) message body length (i.e. ENTRY_BAD_LENGTH).
If they were being cached, such responses will be released and will stop
being shareable.
Fix server_cert_fingerprint on cert validator-reported errors (#522)
The server_cert_fingerprint ACL mismatched when sslproxy_cert_error
directive was applied to validation errors reported by the certificate
validator because the ACL could not find the server certificate.
Centralized PagePool/PageStack ID generation (#525)
Easy-to-find-in-cache.log and predictable/stable stack IDs for shared
memory pages and/or index slot numbers are very useful when debugging
cache metadata corruption issues because they allow to track related
(e.g. same-stack) operations across huge SMP logs.
Fixed prohibitively slow search for new SMP shm pages (#523)
The original Ipc::Mem::PageStack algorithm used an optimistic linear
search to locate the next free page. Measurements showed that, in
certain cases, that search could take seconds on busy caches, iterating
over millions of page index items and effectively stalling all workers
while showing 100% CPU utilization.
The new code uses a deterministic stack. It is still lock-free. The spin
loops around stack head pointer updates are expected to quit after at
most few iterations, even with a large number of workers. These loops do
not have ABA update problems. They are not spin locks.
Sergey Kirpa [Mon, 23 Dec 2019 08:01:21 +0000 (08:01 +0000)]
Smarter auth_param utf8 handling, including CP1251 support (#480)
When forwarding authentication credentials to authentication helpers:
* With auth_param utf8 parameter: Squid assumed that the received
credentials are encoded with Latin-1 (and re-encoded them with UTF-8).
This assumption is wrong for Internet Explorer running with CP1251
regional settings. Now Squid uses HTTP Accept-Language request header
to guess the received credentials encoding (Latin-1, CP1251, or UTF-8)
and converts the first two encodings into UTF-8.
* Without auth_param utf8 parameter: No changes. Squid sends credentials
in their original encoding, only applying RFC 1738 escaping on top.
Chrome and Firefox should not be affected because they always use UTF-8
encoding when sending authentication credentials.
Amos Jeffries [Sat, 21 Dec 2019 21:14:11 +0000 (21:14 +0000)]
Fix some compile errors from Windows MinGW (#71)
MinGW compiler is a bit more limited than most GCC or Clang available.
The types used on Windows for some API declarations differ from those
commonly used on Linux/BSD systems.
TODO: There are additional compile issues to resolve.
Fix the parsing of the received listing from FTP services.
Also relaxed size/filename grammar used for DOS listings: Tolerate
multiple spaces between the size and the filename.
Fix shared memory size calculation on 64-bit systems (#520)
Since commit 2253ee0, the wrong type (uint32 instead of size_t) was used
to calculate the PagePool::theLevels size. theLevels memory (positioned
by different and correct code) did not overlap with the raw pages
buffer, but the raw pages buffer could, in some cases, be 32 bits short,
placing the last 4 bytes of the last page outside of allocated memory.
In practice, shared memory allocations are page-aligned, and the
difference in 4 bytes was probably compensated by the extra allocated
bytes in most (or perhaps even all) cases.
Send HTTP/500 (Internal Server Error) when lacking peers (#490)
... instead of sending HTTP/503 (Service Unavailable) in
tunneling cases.
Tunneling code reported 503 while regular forwarding code reported 500
errors under identical "no peers to try" circumstances.
For consistency sake, we need to use one of these codes in both places.
We considered and rejected 503 because RFC7231 limits its usage to
several specific cases, not including 'lacking peers' case.
jijiwawa [Sat, 23 Nov 2019 10:24:41 +0000 (10:24 +0000)]
Bug 5008: SIGBUS in PagePool::level() with custom rock slot size (#515)
SMP Squids were crashing on arm64 due to incorrect memory alignment of
Ipc::Mem::PagePool::theLevels array. The relative position of the array
depends on the number of workers and the number of pages (influenced by
the cache capacity and slot size), so some configurations worked OK.
We have to manually align manually positioned fields inside shared
memory segments. Thankfully, C++11 provides alignment-computing APIs.
Alex Rousskov [Sat, 23 Nov 2019 09:18:24 +0000 (09:18 +0000)]
Bug 5009: Build failure with older clang libc++ (#514)
Older clang libc++ implementations correctly reject implicit usage of an
explicit (in C++11) std::map copy constructor with "chosen constructor
is explicit in copy-initialization" errors. The same code becomes legal
in C++14[1], so newer libc++ implementation allow implicit usage (even
in C++11), but there is no need for copy-initialization here at all.
Evidently, libstdc++ has never declared constructors explicit.
The bug was seen with Apple clang in Xcode 5.1.1 (roughly upstream clang
3.4) and Xcode 6.2 (roughly upstream clang 3.5), both using libc++.
Happy Eyeballs: Do not wait for already exhausted spares (#509)
ResolvedPeers::findSpareOrNextPeer() never returned the next peer. That
bug made doneWithSpares() return false when the next peer was present,
even though no spares were expected. The exact effects of this bug are
not known, but wrong false doneWithSpares() outcome may force Squid to
wait for more spare addresses that would never come, possibly slowing
down transactions.
Amos Jeffries [Mon, 18 Nov 2019 12:06:56 +0000 (01:06 +1300)]
Fix detection of sys/sysctl.h detection (#511)
Make sure we test the EUI specific headers using same flags
chosen for final build operations. This should make the
test detect the header as unavailable if the user options
would make the compiler #warning be a fatal error later.
Preserve caller context across Happy Eyeballs connection attempts (#499)
To efficiently enforce various global and local limits, Happy Eyeballs
jobs uses two stand-alone HappyOrderEnforcer services that create job
calls. Thus, they need manual adjustments to preserve job context.
If similar changes are required in many places, we may want to add a
CodeContext member to the AsyncJob itself so that callbacks can
magically restore their context without service modifications (assuming
the job was created in or somehow provided the right context before
those callbacks).
squidcontrib [Sun, 20 Oct 2019 18:59:08 +0000 (18:59 +0000)]
Hash Digest noncedata (#491)
These commits together
1. Hash the noncedata for Digest nonces before encoding,
to match the documentation.
2. Encode Digest nonces using hex, rather than base64.
Alex Rousskov [Sun, 20 Oct 2019 07:35:40 +0000 (07:35 +0000)]
Preserve caller context across DNS lookups (#496)
For now, the context is restored when communicating with _individual_
callers waiting for their DNS lookup results. Eventually, we might also
support establishing a multi-caller context during DNS answer parsing,
before individual callers are notified. That feature would most likely
require making idns_query refcount-based (a serious change). Or we could
realize that maintaining a very basic query ID-based context is enough.
Alex Rousskov [Sat, 19 Oct 2019 16:19:10 +0000 (16:19 +0000)]
Fix build after ccfbe8f (Report context of cache.log messages) (#495)
In some environments (e.g., Ubuntu 14 without libcppunit-dev), GCC
correctly complained that it does not know how to print "[unknown]",
probably because none of the other headers imported `<ostream>` before
importing base/InstanceId.h.
Alex Rousskov [Sat, 12 Oct 2019 00:40:35 +0000 (00:40 +0000)]
Re-enabled updates of stored headers on HTTP 304 responses (#485)
Commit 60ba25f disabled header updates (introduced in commit abf396e)
after we discovered critical inconsistencies in related metadata
updates. Finding a way to keep metadata consistent proved to be very
difficult. The primary challenge is the multitude of often concurrent
and semi-dependent activities associated with a single StoreEntry object
(e.g., writing an incoming miss response into RAM, caching the response,
loading a cache hit into RAM, and sending a response to the client).
Concurrent activities (re)set or use overlapping sets of 304-dependent
members, including StoreEntry "basics" (e.g. StoreEntry::swap_file_sz
and timestamp), "reply" (MemObject::reply_ including its hdr_sz member),
and "data" (MemObject::data_hdr). A data member update by one activity
affects other activities.
Splitting one StoreEntry object into two internally consistent and
"constant" StoreEntry objects (one old and one updated) does not work
well because there is no mechanism to share StoreEntry "data" storage
and invokeHandlers() call streams after the split.
To avoid crashes and response corruption due to inconsistent sizes and
offsets, all size-related data members must be based on the same entry
"version". If we update one such member, we must update all others.
Furthermore, due to copying of information into activity-local
variables/state, we cannot update anything while an activity is still
running. For example, two HTTP clients may use the same StoreEntry to
receive data, and one of them may already be in the middle of response
sending, using old response offsets/sizes, when a 304 update arrives for
the other.
With any updates of size-related StoreEntry data members ruled out, the
only remaining solution for preserving consistency is to keep all those
members constant/stale despite the 304 update! The updated size-related
info has to go somewhere else (inside the same StoreEntry object).
The updated headers are now stored in a new MemObject::updatedReply
field. The updated headers are swapped out, but the old StoreEntry is
not (and was not before these changes) associated with the new store
entry anchor. After the old StoreEntry is abandoned, new local hits will
use the updated anchors. Other worker hits will use the updated anchors
immediately, but they will create fresh StoreEntry objects.
We update freshness-related data members because the associated instant
decisions should not lead to inconsistencies, and using the latest info
is preferable. If any counter-examples are found, we may have to split
StoreEntry::timestamp/etc. fields into stale and fresh groups.
We do not update Vary-related data members. See rationale below[1].
Also removed HttpHeader::update() code that disabled needUpdate() checks
for non-CF configurations. The check is expensive but storing the
updated response is a lot more expensive so even if a small fraction of
checks prevents updates, we may improve performance. Also moved the
corresponding code into HttpReply so that most Header::update() callers
(that have nothing to do with 304 updates) do not spend time on it.
Also adjusted CheckQuickAbortIsReasonable(): The old expectlen setting
code did not check for unknown content length, relying on "-1 + hdr_sz"
to be negative only when no data has been received. We now use a more
direct (but possibly still broken for HTTP/0) test (hdr_sz <= 0) and
avoid using unknown content_length in arithmetic expressions. HTTP/0
aside, responses without Content-Length should still be aborted but now
with a correct "unknown content length" debug message.
MemObject is always constructed with an (empty) base reply. We now also
assert that MemObject always has a (possibly empty) base reply after
checking that all [indirect] replaceBaseReply() callers either
* supply a non-nil reply or
* call replaceHttpReply() with a true andStartWriting parameter, going
through an existing assert(rep) in StoreEntry::startWriting().
[1] Why exclude Vary response headers from 304 updates?
RFC 7234 Section 4.3.4 requires that Squid updates cached Vary. However,
reacting to changed variance requires either forgetting all cached
entries attached to the old Vary mark entry (bad for caching) or
re-keying all those entries using a new variance and a new Vary mark.
Re-keying requires both maintaining a list of cached Vary-controlled
entries and caching _request_ headers for every such entry!
Whether HTTP compliance is worth this complexity is debatable. Perhaps
origins should not return 304s to change variance? FWIW, Fastly folks
decided that it is _not_ worth it for them; look for the "Side note" in
https://www.smashingmagazine.com/2017/11/understanding-vary-header/
Alex Rousskov [Fri, 4 Oct 2019 14:14:09 +0000 (14:14 +0000)]
Report context of level-0/1 cache.log messages (#483)
Most runtime level-0/1 cache.log messages do not carry information
sufficient to identify the transaction that caused the problem. Admins
are forced to guess the transaction based on message timestamp and, if
they are lucky to get one, request URL. The associated triage and
mitigation delay costs are often significant and can be huge, especially
when administering busy proxies in complex deployment environments.
The focus of this change is associating level-0/1 cache.log messages
with access.log records, but the same API is also used for associating
master transactions with (sections of) debugging cache.log messages.
Since level-0/1 messages are rare, association code usually wastes
resources. This performance overhead is reduced by saving pointers to
the existing transaction information (e.g., ALE). ALE gives access to
HttpRequest and MasterXaction (where available), is available in
contexts where HttpRequest and MasterXaction do not exist, and (unlike
HttpRequest) represents the whole master transaction rather than its
(often repeated) component.
CodeContext::Current() represents the current master transaction (or a
similar "primary processing task" context). A new context is created
when the master transaction (or a similar "primary processing task")
starts. Context changes usually happen in low-level transaction-unaware
callback-calling "context switching" code such as DoSelect().
The vast majority of AsyncCalls, including AsyncCall-based callbacks,
should run in their creator's context. This association is easily
automated. The primary difficulty is in handling C-style typeless calls
that prohibit context storage and restoration automation:
* In our design, the "context switching" code is ultimately responsible
for associating the being-saved callback with the current code context
and for restoring CodeContext::Current() when calling that callback.
* An alternative design would task the higher-level callback creator and
callback recipient with saving/restoring CodeContext::Current(). That
design is inferior because there are a lot more callback creators and
recipients than "context switchers". That alternative would require a
lot more manual changes.
The code context remains unknown if the context creator is not
instrumented to set CodeContext::Current(). TODO: Instrument ICP query
listener. Check for others.
The code context gets forgotten if the context switcher dealing with
C-style callbacks does not remember and restore CodeContext::Current().
TODO: Instrument remaining DoSelect()s, event.cc, as well as DNS, ICP,
HTCP, and IPC listeners/handlers. Check for others.
This change covers epoll DoSelect(), TcpAcceptor, ConnStateData, and SMP
disk I/O (IpcIoFile). It already annotates several level-0/1 messages
and significantly improves complex debugging. The remaining
instrumentation TODOs are likely to use similar techniques.
Squid might report wrong context until all context switchers are
instrumented, but the vast majority of uninstrumented cases result in
benign loss of context knowledge rather than mis-attribution. No design
guarantees correct attribution until all C-style callbacks are gone.
TODO: Remove legacy ctx_enter()/exit() debugging that covers very little
while suffering from worse mis-attribution problems.
Also log "-" instead of the made-up method "NONE".
projects / thirdparty / squid.git / log
