Amos Jeffries [Mon, 7 Feb 2011 10:27:53 +0000 (03:27 -0700)]
Bug 2870: --disable-auth does not work
This patch attempts to make it work by removing libauth.la and all component
functionality which depends on it. So far this reduces the minimal squid
binary by a further 900 KB on disk.
It also means anything which requires an authentication process wont work.
They get wrapped in USE_AUTH or if its a specific type with the relevant
HAVE_AUTH_MODULE_* wrappers.
So far this does:
* FTP and CacheMgr dependency on --disable-auth-basic is already committed
* cache_peer login= functionality is greatly reduced under various
combinations of --disable-auth, --disable-auth-basic and
--disable-auth-negotiate
* peering userhash algorithm is removed
* delay pools class 4 is removed
* ACLs testing username are dropped.
Additionally since external ACL user= field is used interchangeably in
several places with a full login and with the right helper can be
considered a full side-band authentication I have disabled the
ExtUser/ext_user components as well.
NP: pinning is not strictly dependent on NTLM, we may use it for other
things without involving auth so left most of it in. Just the logics
which use auth to set the pinning flag are now removable.
IDENT not being an authentication mechanism is also left in.
Amos Jeffries [Mon, 7 Feb 2011 04:16:22 +0000 (21:16 -0700)]
Author: Jonathan Wolfe <jonathan.wolfe@gmail.com>
Bug 3149: not caching ecap adapted body
eCAP adapters may remove or edit the Content-Length header, and to allow
caching of the adapted body squid must reflect that new (or unspecified)
content length when deciding whether or not the adapted body can be cached.
In the case the SQUID_SNMP is disabled the MessageType enum list ends with a ","
The gcc compiler does not have any problem with this but SunStudio return a
parse error.
Amos Jeffries [Sun, 6 Feb 2011 09:20:16 +0000 (02:20 -0700)]
Enable non-caching of external ACL results
Admin configure ttl=0 and/or negative_ttl=0 to prevent Squid storing the
ACL lookup results. The problem is that results still get cached and
re-used for the grace= period or one second, whichever is larger.
Also, in the event where two or more requests with identical details
needing to be looked up at the same time there is an optimization
which will merge and share one lookup result for all these requests.
In most situations this result sharing is beneficial, however when a
unique result is wanted it can cause problems.
This patch makes ttl=0 and negative_ttl=0 prevent their respective OK and
ERR results from being stored into the helper result cache. Sharing is
still performed for overlapping duplicate requests.
When cache=0 is configured, no caching or sharing of results is performed
at all.
The attached patch implements aggregation of SNMP responses, similar to how
we aggregate some cache manager stats.
The code contains changes that allow us to share some of the classes between
Cache Manager and SNMP code:
* implement the following base classes under the ipc directory/module:
- Ipc::Forwarder (ipc/Forwarder{.cc,.h} files)
- Ipc::Inquirer (ipc/Inquirer{.cc,.h} files)
- Ipc::Request (ipc/Request{.cc,.h} files)
- Ipc::Response (ipc/Response{.cc,.h} files)
* fix the Mgr::Forwarder, Mgr::Inquirer, Mgr::Request and Mgr::Response
classes to be implemented as kid classes of the equivalent Icp::* classes.
Also implements for the SNMP the same mechanism used for cache manager:
The SNMP requests forwarder to coordinator which collects the statistics from
kids and aggregate them.
This patch allow the user of the Range template class to define the type of
the returned value of Range::size() method, adding a second template argument.
The default type of the return value of Range::size() method is size_t, which
in most cases is enough (but not always, eg HttpRange).
This patch will allow Range template to be used with non numeric types.
Amos Jeffries [Sat, 29 Jan 2011 02:23:48 +0000 (15:23 +1300)]
Profiler: fix report sorting algorithm
The sorting was performed in a way to exclude the UNACCOUNTED and leave it
first in the display list. However with the new auto-genenerated enum all
other entries are at indeterminate locations. Using hash_lookup resulted
in only half teh list being sorted.
Fix that by referencing from UNACCOUNTED which is guaranteed to be first.
Amos Jeffries [Fri, 28 Jan 2011 07:58:53 +0000 (20:58 +1300)]
Windows: fix code wrappers for Cygwin and generic Win32 code
_SQUID_WIN32_ was being used to wrap all code built specific for Windows
but with any compiler on that platform.
- rename to _SQUID_WINDOWS_ to match OS wrpper naming convention.
- compact several macros using verbose test: (cygwin or Ming or any)
Cleans up all affected tests to match current precompiler code style.
Also cleans up all tests involving _SQUID_CYGWN_ to match code styles.
Author: Alex Rousskov <rousskov@measurement-factory.com>
Fix IP/FQDN cache accounting to avoid idle caches on busy servers.
When maintaining the IP/FQDN cache size, use the number of entries in the cache
rather than the number of allocated and not freed MEM_IPCACHE_ENTRY and
MEM_FQDNCACHE_ENTRY objects. These objects are used outside the cache
for DNS queries. If queries leak (or perhaps when there are just a lot of them),
the memory-pool-based count overestimates the cache size, sometimes to
such a degree that the cache remains nearly empty despite lots of misses.
Use memory-pool-based counter to estimate cache size also violates IP/FQDN cache
encapsulation boundaries because it effectively prevents others from using
the same memory pool.
Bug 3081:
During conversion of listening socket handlers to AsyncCalls a violation
of the AsyncCall API was introduced. Resulting in occasional crashes from
invalid re-use of call objects.
This implements a TcpAcceptor async job which receives a listening socket
and a CallSubscription. For every connection attempt on the listener socket
a new AsyncCall is spawned from the subscription template.
Initial users are the HTTP and HTTPS listening sockets and FTP data channel.
In order to implement this job in FTP the logics surrounding data channel
handling had to be extended and reworked. Fixing bug 2948 and 2581 in the
process.
Amos Jeffries [Tue, 25 Jan 2011 08:55:40 +0000 (21:55 +1300)]
Author: Fabian Hugelshofer <fh@open.ch>
Allow persistent connections for Mozilla/3.0 User-Agents
This fixes NTLM and Negotiate authentication for these agents.
History:
In 1998 a hack was added to HttpMsg::persistent() that disables
persistent connections for HTTP/1.0 User-Agents starting with
"Mozilla/3." and "Netscape/3.".
According to the thread on squid-dev
(http://www.eu.squid-cache.org/mail-archive/squid-dev/199805/0087.html),
this was necessary to make some versions of Netscape browsers work that
had a broken implementation of persistent connections. It was said that
"NS 3.01 is ok. NS 3.02 is bad. NS 3.04 is good." Netscape 4 was ok, too.
Amos Jeffries [Tue, 25 Jan 2011 05:31:59 +0000 (18:31 +1300)]
Fix external_acl_type grace= option
Due to race conditions between concurrent requests this is still not a
complete fix. But reduces the unwanted re-use of helper responses from
all connections arriving in a whole second which match the ACL key down
to just those that arrive within the reply lag time of the helper.
Henrik Nordstrom [Mon, 24 Jan 2011 20:23:27 +0000 (21:23 +0100)]
Simplify request parsing to not check request method when determining if a
request contains a request-entity or not. For requests this is signalled
entirely by Content-Length/Transfer-Encoding regardless of method.
also drops the requirement that PUT/POST requests must have a request-entity.
The RFC do not explicitly state this requirement even if the wording for those
methods do assume there is a enclosed request-entity.
The administrative "request_entities" config flag is kept for security
reasons, even if not really RFC compliant. (RFC meaning of request-entity
in GET/HEAD is just undefined or "ignored", not forbidden)
Amos Jeffries [Fri, 14 Jan 2011 14:10:21 +0000 (07:10 -0700)]
Make FTP and CacheMgr obey --disable-auth-basic
When teh proxy has been built with this auth module explicitly disabled
do not add headers indicating that it is available.
The side effect of not having Basic authentication support in the proxy
is that FTP is reduced to depending on URL logins and CacheMgr protected
actions cannot be used.
Amos Jeffries [Fri, 14 Jan 2011 06:15:23 +0000 (23:15 -0700)]
Support configurable status codes for deny_info
This changes the default behaviour of deny_info redirects. Making Squid
automaticaly select 307 or 303 status code where appropriate for HTTP/1.1
clients and 302 for HTTP/1.0 clients or other appropriate cases.
For example;
deny_info 303:http://example.com/ POST
On top of the behaviour change this patch adds capability for admin to
configure deny_info with explicit status codes ranging from 200 to 599.
There are limits placed on the use of each range of status codes:
* 2xx, 4xx and 5xx may only be set when there is a local file or template
being used as body content on the response.
* 3xx status may only be set when there is a URI being used as a redirect
destination.
These limitations are enforced with a configuration hard abort due to:
3xx with a named template and 4xx/5xx with a redirect break with a range
of horrible results to our file loading and output Location: URLs. My
tests ended up with Squid scanning the FS for local files called
http://blah, redirecting the browser to 404:ERR_ACCESS_DENIED, or getting
past those with zero-sized replies and crashes when err is required to
have length.
They are going to take something much more major logic re-plumbing and
maybe deeper cleanup to get the crossover down to safe enough for just a
warning. Given the RFC defined use of each status range I did not think
it worth doing to enable something on the fine edge of non-standard.
Amos Jeffries [Wed, 12 Jan 2011 05:23:00 +0000 (22:23 -0700)]
ftp_eprt directive to disable EPRT extensions in FTP
This allows admin to resolve compatibility problems with old devices which
encounter a range of problems when FTP extensions are used by selectively
disabling any of the extensions individually.
The other EPSV extensions already have enable/disable directives.
Amos Jeffries [Tue, 11 Jan 2011 07:33:27 +0000 (00:33 -0700)]
Bug 2959: remove SAMBAPREFIX dependency
This removes the tricky SAMBAPREFIX variable which passes full-path
information from the squid build machine down to the run-time host
helper.
Such information is not always correct when crossing machines, and the
binaries being run can easily be added to PATH in the run-time host
environment instead.
The net result of doing this is removal of Samba from the build
dependencies and increased availability of the basic_smb_auth and
ext_wbinfo_group_acl helpers.
Amos Jeffries [Sat, 8 Jan 2011 06:23:27 +0000 (19:23 +1300)]
Author: Henrik Nordstrom <hno@squid-cache.org>
Port from 2.7: maximum staleness limits
The default behaviour of Squid is to provide a stale copy (with Warnigng:
header) until an actove response from the origin server causes the object
to be updated or garbage collection causes its removal.
The max_stale direcive and refresh_pattern max-stale=N option allow admin
to set an upper limit on the objects age when serving stale responses.
Amos Jeffries [Mon, 27 Dec 2010 20:25:30 +0000 (13:25 -0700)]
Author: Henrik Nordstrom <hno@squid-cache.org>
Support RFC 5861 Cache-Control: stale-if-error option
The default behaviour for Squid is to present the stale object when
revalidation fails with a 5xx error.
stale-if-error places a maximum limit on how long this stale object may
be sent. After the limit has passed Squid is required to present the 5xx
message to the client.
Original code for Squid-2 was sponsored by Yahoo!.
Original code by Marcello Romani, this version has some additions to
initialize any missing database tables depended on during its startup
phase and some additional polish to fit within the current Squid release.
COPYRIGHT AND LICENSE
Copyright (C) 2008 by Marcello Romani
This library is free software; you can redistribute it and/or modify
it under the same terms as Perl itself, either Perl version 5.8.8 or,
at your option, any later version of Perl 5 you may have available.
projects / thirdparty / squid.git / log
