hno [Sun, 15 Aug 2004 03:15:15 +0000 (03:15 +0000)]
The external_acl helper protocol breaks down if there for whatever reason
are newlines embedded in the data.
This patch changes the external acl helper protocol to use URL encoding
with an optional configuration parameter to switch back to the "shell style"
quoting used in Squid-2.5.
In addition the "shell style" quoting format is extended to support newlines
by the traditional \n and \r codes.
The URL syntax used by Squid for FTP/Gopher icons is needlessly complex and
often causes problems. This patch adds a "short_icon_urls" directive which
can be used to enable a less complex URL syntax for icons.
Bug #877: Squid doesn't follow telnet protocol on FTP control connections
Squid forgot to escape IAC characters (ascii code 255) in FTP requests,
causing problems to access files/directories using this character in their
name or to log in with this character in the login or password.
Bug #877: cache_swap_log still refers to "swap.log" filename
swap.log was renamed to swap.state very many versions ago, but squid.conf
documentation still referred to the old "swap.log" name.
This patch also officially renames cache_swap_log to cache_swap_state with
the old name still accepted. (squid-2.5.STABLE6 will also accept the new
name)
Due to an accounting mismatch in the number of open connections to peers
the cache_peer max-conn=.. option does not work. This issue is also seen as
very high numbers in the OPEN CONN peer statistics via cachemgr.
Bug #865: Persistent connection usage too high after sudden burst of traffic
Persistent server connections are reused in a round-robin fashion which may
cause the number of connections to stay artificially high after a sudden
burst of requests.
This patch changes persistent connection management to use a LIFO order
reusing the most recently used connection first, thereby allowing unneeded
connections to close down by idle timeout.
Bug #862: Repeated POST requests causes number of persistent connections to grow
If responses to POST or other non-idempotent requests allow the connection
to be kept persistently open then this can lead to an increased connection
usage by Squid. This patch changes the behaviour to keep the number of
connections stable by closing a persistent connection before opening the
new connection.
Bug #935: squid_ldap_auth can be confused by the use of reserved characters
squid_ldap_auth may be confused by the use of reserved characters allowing
the login name to be masqueraded in different manners possibly allowing the
user to partially bypass certain per-user restrictions or confuse third
party accounting packages.
Note that the user can not bypass the login procedure as such. All he can
do is to make the login name look different than normal. There are still
full audit trails on who the user is etc.
The patch also adds and documents a -d flag to both squid_ldap_auth and
squid_ldap_group to allow for easier tracing of the operation of these
programs if the results are not what is expected.
If the proxy or web server authentication options of squidclient are used then
the HTTP headers sent in the request are slightly malformed and may confuse
other non-Squid software which is not as tolerant on HTTP format.
Bug #799: positive_dns_ttl ignored when using internal DNS client
The positive_dns_ttl directive is not used by the internal dns client (the
default). This patch changes it to at least be used as an upper limit on how
long DNS data may be cached.
Bug #594: mime type missing for .bz2 and many other filetypes
Mime types missing for .bz2 and several other file types, causing slightly
undesirable results when browsing ftp:// directories (viewed in browser
rather than downloaded). The patch also makes sure the download icon is
always shown to make downloading more obvious.
Bug #14: connection setup may look like syn flood attack if server is
refusing connection
If the contacted server refuses connection then the repeated attempts to
connect to the server may look like a syn flood attack. This patch makes
Squid behave a little friendlier in such case and:
* Delays a little between the repeated attempts. Longer if the attempt
was to an origin server.
* Limits origin server attempts to 3 connection setup attempts or 2 request
forwarding attempts (was 10 on both which only makes sense in peering
relations)
* Changes the default for maximum_single_addr_tries to 1 as there is plenty
of reforwarding attempts done by Squid and at least 3 attempts to initiate
the request which makes this directive redundant.
* removes a redundant lock from commConnect*() (cbdata managed)
* Adds a small delay to commConnect() reconnection attempts when the
contacted destination has more than one IP address or
maximum_single_addr_tries is used.
* Small cleanup in how/when digest considers a peer usable to not disturb
the peer probing.
* Cleanup of peer TCP probing to correct timeout management etc and to
more promptly recover after a failure.
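The external_acl change above replaces a line-oriented helper protocol in which an embedded newline could end a record early. The following is an added illustration written for this log, not Squid's own code: a percent encoder/decoder for helper fields (the character set kept unencoded is an assumption, not necessarily what Squid's rfc1738 code uses) beside a Squid-2.5 style double-quoted encoder extended with the \n and \r escapes the message describes. The decoder rejects a malformed %XX escape instead of guessing.

```c
/* Added illustration (not Squid's own code): the two field encodings an
 * external_acl-style line protocol can use so that a newline inside a
 * field value cannot terminate the record early. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Characters that may travel unencoded in a URL-encoded field (assumed set).
 * Everything else, including space, CR, LF, '%' and '"', becomes %XX. */
static int url_safe(unsigned char c)
{
    return isalnum(c) || c == '-' || c == '_' || c == '.' || c == '~';
}

/* Percent-encode src into a newly allocated string (caller frees). */
char *url_encode(const char *src)
{
    size_t n = strlen(src);
    char *out = malloc(3 * n + 1);   /* worst case: every byte becomes %XX */
    char *p = out;
    if (!out) return NULL;
    for (const unsigned char *s = (const unsigned char *)src; *s; s++) {
        if (url_safe(*s))
            *p++ = (char)*s;
        else
            p += sprintf(p, "%%%02X", *s);
    }
    *p = '\0';
    return out;
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode a percent-encoded field; returns NULL on a malformed %XX escape so
 * that a bad helper line is rejected rather than partially parsed. */
char *url_decode(const char *src)
{
    char *out = malloc(strlen(src) + 1);
    char *p = out;
    if (!out) return NULL;
    for (const char *s = src; *s; s++) {
        if (*s == '%') {
            int hi = hexval((unsigned char)s[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)s[2]);
            if (lo < 0) { free(out); return NULL; }
            *p++ = (char)(hi * 16 + lo);
            s += 2;
        } else {
            *p++ = *s;
        }
    }
    *p = '\0';
    return out;
}

/* Squid-2.5 style quoting: wrap in double quotes, backslash-escape '"' and
 * '\\', and (the extension described in the log) write LF/CR as \n and \r. */
char *shell_quote(const char *src)
{
    size_t n = strlen(src);
    char *out = malloc(2 * n + 3);   /* worst case: every byte escaped, plus quotes */
    char *p = out;
    if (!out) return NULL;
    *p++ = '"';
    for (const char *s = src; *s; s++) {
        switch (*s) {
        case '"':  *p++ = '\\'; *p++ = '"';  break;
        case '\\': *p++ = '\\'; *p++ = '\\'; break;
        case '\n': *p++ = '\\'; *p++ = 'n';  break;
        case '\r': *p++ = '\\'; *p++ = 'r';  break;
        default:   *p++ = *s;
        }
    }
    *p++ = '"';
    *p = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample: a login name carrying a newline, which in the old
     * protocol would end the request line and start a second one. */
    const char *login = "alice\nbob allow";
    char *u = url_encode(login), *q = shell_quote(login), *d = url_decode(u);
    printf("url-encoded: %s\n", u);
    printf("quoted:      %s\n", q);
    printf("round trip:  %s\n", (d && strcmp(d, login) == 0) ? "ok" : "MISMATCH");
    free(u); free(q); free(d);
    return 0;
}
```

Either encoding keeps every record on one physical line; the percent form has the advantage that the decoder never has to interpret backslashes, which is why it makes a better default when the helper is written in a language whose string handling differs from C.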
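For the telnet IAC issue (Bug #877 above), the following added example, not Squid's own code, shows what "escaping IAC" means on the FTP control connection: every 0xFF byte in a command argument is doubled, because a single IAC introduces a telnet command, and a received IAC IAC pair is collapsed back to one byte. The RETR command and the sample filename are constructed for the illustration.

```c
/* Added illustration (not Squid's own code): building an FTP control-channel
 * command with the telnet IAC byte (255) escaped, so a filename or password
 * containing 0xFF is sent literally instead of starting a telnet command. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TELNET_IAC 0xFF

/* Number of IAC bytes in a buffer (each one needs doubling on the wire). */
size_t count_iac(const unsigned char *buf, size_t len)
{
    size_t i, n = 0;
    for (i = 0; i < len; i++)
        if (buf[i] == TELNET_IAC) n++;
    return n;
}

/* Append src to dst, doubling every IAC byte. Returns bytes written. */
static size_t append_escaped(unsigned char *dst, const unsigned char *src, size_t len)
{
    size_t i, n = 0;
    for (i = 0; i < len; i++) {
        dst[n++] = src[i];
        if (src[i] == TELNET_IAC)
            dst[n++] = TELNET_IAC;   /* IAC IAC is a literal 0xFF in telnet */
    }
    return n;
}

/* Build "<verb> <arg>\r\n" with arg IAC-escaped. arg is a byte string of
 * arglen bytes (it may contain 0xFF). Returns a malloc'd buffer and its
 * length via *out_len; caller frees. */
unsigned char *ftp_build_command(const char *verb, const unsigned char *arg,
                                 size_t arglen, size_t *out_len)
{
    size_t vlen = strlen(verb);
    size_t need = vlen + 1 + arglen + count_iac(arg, arglen) + 2;
    unsigned char *out = malloc(need);
    size_t n;
    if (!out) return NULL;
    memcpy(out, verb, vlen);
    n = vlen;
    out[n++] = ' ';
    n += append_escaped(out + n, arg, arglen);
    out[n++] = '\r';
    out[n++] = '\n';
    *out_len = n;
    return out;
}

/* Receive side: collapse IAC IAC back to one 0xFF in a buffer read from the
 * control channel (e.g. a directory listing). A lone IAC is left untouched
 * for the telnet option handling to deal with. Returns the new length. */
size_t ftp_unescape_iac(unsigned char *buf, size_t len)
{
    size_t r = 0, w = 0;
    while (r < len) {
        buf[w++] = buf[r];
        if (buf[r] == TELNET_IAC && r + 1 < len && buf[r + 1] == TELNET_IAC)
            r += 2;
        else
            r += 1;
    }
    return w;
}

int main(void)
{
    /* Constructed sample: a filename whose second byte is 0xFF. */
    const unsigned char name[] = { 'f', 0xFF, 'g' };
    size_t len = 0, i;
    unsigned char *cmd = ftp_build_command("RETR", name, sizeof name, &len);
    if (!cmd) return 1;
    for (i = 0; i < len; i++)
        printf("%02X ", cmd[i]);
    printf("(%zu bytes)\n", len);
    free(cmd);
    return 0;
}
```

Without the doubling, the server's telnet layer consumes the 0xFF and the following byte as a command, so the name it sees differs from the one the client meant; that is the failure the log describes for both file names and credentials.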
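Bug #865 above is easiest to see with a small simulation. The following is an added example, not Squid's code: an idle-connection pool with both a round-robin (oldest first) and a LIFO (most recently used first) acquire, plus an idle-timeout reaper. The 30 second timeout, the burst size and the one-request-per-second load are constructed for the scenario.

```c
/* Added illustration (not Squid's own code): an idle server-connection pool
 * reused in LIFO order. After a burst the surplus connections sit at the
 * bottom of the stack, are never handed out again, and so hit the idle
 * timeout; with round-robin reuse every connection is touched in turn and
 * none is ever idle long enough to be closed. */
#include <stdio.h>

#define POOL_MAX 64
#define IDLE_TIMEOUT 30   /* seconds an idle connection may linger (assumed) */

struct idle_conn {
    int fd;
    long idle_since;      /* time the connection was last returned to the pool */
};

struct pool {
    struct idle_conn conns[POOL_MAX];
    int n;                /* conns[n-1] is the most recently released */
};

/* Return a finished connection to the pool (push on top). -1 if full. */
int pool_release(struct pool *p, int fd, long now)
{
    if (p->n >= POOL_MAX) return -1;
    p->conns[p->n].fd = fd;
    p->conns[p->n].idle_since = now;
    p->n++;
    return 0;
}

/* LIFO reuse: hand out the most recently released connection. -1 if empty. */
int pool_acquire_lifo(struct pool *p)
{
    if (p->n == 0) return -1;
    return p->conns[--p->n].fd;
}

/* Round-robin reuse (the behaviour being replaced): hand out the oldest. */
int pool_acquire_oldest(struct pool *p)
{
    int i, fd;
    if (p->n == 0) return -1;
    fd = p->conns[0].fd;
    for (i = 1; i < p->n; i++)
        p->conns[i - 1] = p->conns[i];
    p->n--;
    return fd;
}

/* Drop every connection idle longer than IDLE_TIMEOUT (a real proxy would
 * close the fd here). Keeps relative order. Returns the number dropped. */
int pool_reap(struct pool *p, long now)
{
    int i, keep = 0, dropped = 0;
    for (i = 0; i < p->n; i++) {
        if (now - p->conns[i].idle_since > IDLE_TIMEOUT)
            dropped++;
        else
            p->conns[keep++] = p->conns[i];
    }
    p->n = keep;
    return dropped;
}

/* Constructed scenario: a burst leaves `burst` idle connections at t=0, then
 * one request per second arrives for `seconds`. Returns the pool size at the
 * end, under LIFO (lifo != 0) or round-robin reuse. */
int pool_size_after_burst(int burst, long seconds, int lifo)
{
    struct pool p = { .n = 0 };
    int next_fd = 3 + burst;   /* fd to use if the pool is ever empty */
    int fd;
    long t;
    for (fd = 3; fd < 3 + burst; fd++)
        pool_release(&p, fd, 0);
    for (t = 1; t <= seconds; t++) {
        fd = lifo ? pool_acquire_lifo(&p) : pool_acquire_oldest(&p);
        if (fd < 0) fd = next_fd++;   /* no idle connection: open a new one */
        pool_release(&p, fd, t);      /* request finished, connection goes back */
        pool_reap(&p, t);             /* idle-timeout housekeeping */
    }
    return p.n;
}

int main(void)
{
    printf("round-robin: %d idle connections left after 60 s\n",
           pool_size_after_burst(8, 60, 0));
    printf("LIFO:        %d idle connections left after 60 s\n",
           pool_size_after_burst(8, 60, 1));
    return 0;
}
```

With eight idle connections and one request per second, round-robin touches each connection every eight seconds, so none reaches the timeout and all eight stay open; LIFO keeps reusing the single top connection and the other seven are reaped at t=31.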
adrian [Mon, 1 Mar 2004 08:37:34 +0000 (08:37 +0000)]
All of this is to fix a simple FTP crash if an HTTP keepalive+pipelined
request closes too early.
* fix the half-closed detection logic to be called once a second
out of an event
* modify clientReadRequest() - break out the parsing logic into a separate
routine which can be called elsewhere to attempt to parse request(s) from
the read buffer (ie clientParseRequest())
* call our clientParseRequest() routine in keepaliveNextRequest() to
try parsing a request out of the read buffer before running off and
scheduling another read (or dequeueing a parsed but deferred request)
* improve the half-closed detection: close the filedescriptor if it's
marked as half-closed and we reach a point where there are no pending
requests and we're left to try reading from the FD. Since it's half-closed,
this signifies its end of life.
(this occurs in keepaliveNextRequest() _and_ clientReadRequest() as
they are the beginning and end points of any request.)
adrian [Fri, 20 Feb 2004 10:27:46 +0000 (10:27 +0000)]
change the order of the comm loop logic to use kqueue/epoll first
if they've been enabled.
The configure code detects poll/select automatically and so they were selected
above epoll/kqueue unless explicitly disabled (--disable-poll --disable-select).
adrian [Wed, 18 Feb 2004 08:58:59 +0000 (08:58 +0000)]
* create a new method in CallBack which does the cbdataReferenceValid()
for us
* remove the extra cbdataReference/cbdataReferenceDone() in the comm
connect codepath: this was exposing a bug with how cbdataReferenceDone()
operates. In a nutshell, it's a macro which sets the value to NULL after
decrementing its refcount because, after that function call, the memory
may have been freed. The problem was that we were doing it on the data
pointer in a CallBack instance and so the instance never had a chance to
remove _its_ reference count on the data because, at the time the
destructor is called, the data pointer has been made NULL.
Not nice.
* Fix the comm connect finish routine to properly get rid of any CallBack
which may be allocated. cbdataReferenceDone() would NOT have been
sufficient if the connection had timed out - we'd still have been left
with an extra refcount without the above modifications.
adrian [Thu, 12 Feb 2004 09:31:55 +0000 (09:31 +0000)]
Free the generic cbdata mempool allocation if we fail the storeOpen() -
if we fail on open any subsequent calls to storeSwapOut() will simply
return immediately and so this memory is never freed.
hno [Mon, 10 Nov 2003 00:11:10 +0000 (00:11 +0000)]
Bug #796: epoll fixes for 100% CPU usage
by Gonzalo Arana
This fixes the (100% CPU usage) problem with this platform:
kernel 2.4.21 patched with
http://www.xmailserver.org/linux-patches/epoll-lt-2.4.21-0.18.diff,
epoll-lib-0.10, pcl-1.2.
hno [Sun, 9 Nov 2003 18:05:24 +0000 (18:05 +0000)]
Bug #822: cache_peer originserver connects to wrong port
The patch to work around origin servers not liking persistent connections
crossing hostnames accidentally broke how Squid selects the port number to
connect to on an origin server class peer.