Author: Robert Collins <robertc@robertcollins.net>
This is most of a changeover of scripts for squid 3 trunk to use bzr;
the missing bit appears to need a bzr 1.1 (to do 'rdiff' basically) or
thereabouts, I'll look into that in a bit. I'm not sure that the
unconverted cvs calls will actually trigger with our current setup or
not.
amosjeffries [Wed, 27 Feb 2008 04:49:32 +0000 (04:49 +0000)]
Merge auto-docs branch. pt 2
- Updates build config (dyn,html) for portable dynamic and static docs
- Merges all code-comment changes
- Updates some function parameter types to reduce silent conversions
- Fixes some typos.
- Migrates some TODO items to the automatic TODO list.
rousskov [Wed, 27 Feb 2008 01:43:30 +0000 (01:43 +0000)]
Bug #2224 fix: reentrant debugging crashes Squid
Reentrant debugging occurs when something being written into the debugging
stream produces its own debugging. For example, a field accessor method may
make cbdata-validation calls, which would produce debugging. Logging such
field would crash Squid if sufficiently high debugging level is enabled.
With this change, the Debug methods detect reentrant calls and mostly ignore
them, allowing the caller to append debugging information to the existing
debug stream. A short debugging label is added before and after the reentrant
debugging message to reduce confusion that overlapping debugging statements
may cause during log analysis.
rousskov [Tue, 26 Feb 2008 07:24:00 +0000 (07:24 +0000)]
Added a CPPUNIT assertion to test whether a failed CPPUNIT test case properly
destructs local objects on exit.
If a previous test case fails for any reason, the new assertion will fail
instead of store_dir.cc aborting. This may save us from tracking non-existent
StoreController initialization bugs.
rousskov [Tue, 26 Feb 2008 07:22:07 +0000 (07:22 +0000)]
Bug #2240 fix: AsyncCall-related unit tests fail
Removed EventDispatcher references, disabling the following test cases:
testRunOnce, testRegisterDispatcher, testRegisterEngine,
testEngineTimeout, testStopOnIdle.
Eventually, we will add AsyncCallQueue test cases, but EventLoop testing
does not have to wait for that.
rousskov [Tue, 26 Feb 2008 07:21:13 +0000 (07:21 +0000)]
Bug #2240 fix: AsyncCall-related unit tests fail
Removed EventDispatcher references, deleting testDispatch test case.
The test cases now use the AsyncCall queue to force call firing
without a real main loop.
Eventually, we will add AsyncCallQueue test cases, but event testing
does not have to wait for that.
rousskov [Tue, 26 Feb 2008 07:19:29 +0000 (07:19 +0000)]
Bug #2240 fix: AsyncCall-related unit tests fail
Removed libsquid.la from SWAP_TEST_LDADD: Store-related test cases use comm
stubs. They must not include libsquid which provides the true comm code.
Added AsyncCall* sources to selected test cases: Every test case that needs
event.cc also needs AsyncCallQueue and AsyncCall. Placed all three in
$TEST_CALL_SOURCES variable and used as needed. This prevents test case
compilation failures due to undefined call-related symbols.
I suspect that there are more files in the same "calls" group, but it would be
a lot easier to identify them once we clean src/ up and group files into
subdirs and libraries.
rousskov [Tue, 26 Feb 2008 07:15:48 +0000 (07:15 +0000)]
Protos.h said to remove HttpRequestMethod.h #include when no method_t is used
by prototypes. Removed the header and adjusted other source files that relied
on that header being in protos.h.
serassio [Wed, 20 Feb 2008 03:15:09 +0000 (03:15 +0000)]
Author: Klaubert Herr <klaubert@gmail.com>
Patch to strip kerberos realm from username
This patch add a new option to squid_ldap_group to strip kerberos realm from
username received from squid.
This is useful when you make kerberos authentication on squid, and try to
authorize the user using ldap in MS Active Directory, quering for
sAMAccountName.
rousskov [Tue, 19 Feb 2008 04:54:07 +0000 (04:54 +0000)]
Bug 2224 fix: reentrant debugging crashes Squid
This patch does not fix the true/core problem, but it changes some pieces of
code that expose that problem. There are probably other pieces not masked
by this patch.
rousskov [Sun, 17 Feb 2008 00:41:55 +0000 (00:41 +0000)]
When METHOD_ENUM_END and METHOD_OTHER were reordered, the rest of the
code was not reviewed and an infinite loop in
clientReplyContext::purgeAllCached was created.
Polished the ++ operator and added a TODO to replace it eventually.
rousskov [Sat, 16 Feb 2008 00:26:00 +0000 (00:26 +0000)]
Bug 2225 fix: method CONNECT acl wrongly applied to method GET
The method comparison operator was broken for all methods other than "other".
I did not check whether we need to do case-insensitive compare of method
strings when the method is "other". We have to if Squid does not convert all
unknown methods to uppercase.
rousskov [Wed, 13 Feb 2008 07:01:47 +0000 (07:01 +0000)]
Merging async-call branch changes to HEAD:
Removed class fdc_t. After CommCallbackData removal, fdc_t was
only used to check that a FD is "active" and to check that a FD
is half_closed. fd_table flags.open seems to be identical to
the "active" state flag so we use that now, via newly added
isOpen() static function. AbortChecker already maintains
half_closed status.
Synced ipc code to call fd_open instead of fdc_open.
rousskov [Wed, 13 Feb 2008 07:00:57 +0000 (07:00 +0000)]
Merging async-call branch changes to HEAD:
Async-call work replaces event-based asynchronous calls with
stand-alone implementation. The common async call API allows Squid
core do call, debug, and troubleshoot all callback handlers in a
uniform way.
An async "job" API is introduced to manage independent logical threads
or work such as protocol transaction handlers on client, server, and
ICAP sides. These jobs should communicate with each other using async
calls to minimize dependencies and avoid reentrant callback loops.
These changes will eventually improve overall code quality, debugging
quality, and Squid robustness.
Below you will find log messages from the async-call branch that are
relevant to the file(s) being committed.
Made comm_read and comm_write calls to use the new CommCalls.
Converted the ConnStateData related code in client_side.cc to
use CommCalls.
BodyPipe now uses the new job calls interface. Many changes in
BodyPipe's related code.
rousskov [Wed, 13 Feb 2008 06:57:47 +0000 (06:57 +0000)]
Merging async-call branch changes to HEAD:
Async-call work replaces event-based asynchronous calls with
stand-alone implementation. The common async call API allows Squid
core do call, debug, and troubleshoot all callback handlers in a
uniform way.
An async "job" API is introduced to manage independent logical threads
or work such as protocol transaction handlers on client, server, and
ICAP sides. These jobs should communicate with each other using async
calls to minimize dependencies and avoid reentrant callback loops.
These changes will eventually improve overall code quality, debugging
quality, and Squid robustness.
Below you will find log messages from the async-call branch that are
relevant to the file(s) being committed.
Removed CommDispatcher as unused.
Use async calls for firing ready events. Deleted
EventDispatcher as unused.
Converted CompletionDispatcher-based SignalDispatcher into
AsyncEngine-based SignalEngine to get rid of CompletionDispatchers.
rousskov [Wed, 13 Feb 2008 06:55:26 +0000 (06:55 +0000)]
Merging async-call branch changes to HEAD:
Async-call work replaces event-based asynchronous calls with
stand-alone implementation. The common async call API allows Squid
core do call, debug, and troubleshoot all callback handlers in a
uniform way.
An async "job" API is introduced to manage independent logical threads
or work such as protocol transaction handlers on client, server, and
ICAP sides. These jobs should communicate with each other using async
calls to minimize dependencies and avoid reentrant callback loops.
These changes will eventually improve overall code quality, debugging
quality, and Squid robustness.
Below you will find log messages from the async-call branch that are
relevant to the file(s) being committed.
Convert the comm_* calls to use CommCalls.
Use the AsyncJob::deleteThis method as "delete this"
replacement instead of the previously commited block "if
(inCall) musStop(...) else delete this"
ICAPInitiate::sendAnswer dialers take care of message locking
now.
rousskov [Wed, 13 Feb 2008 06:51:37 +0000 (06:51 +0000)]
Merging async-call branch changes to HEAD:
Async-call work replaces event-based asynchronous calls with
stand-alone implementation. The common async call API allows Squid
core do call, debug, and troubleshoot all callback handlers in a
uniform way.
An async "job" API is introduced to manage independent logical threads
or work such as protocol transaction handlers on client, server, and
ICAP sides. These jobs should communicate with each other using async
calls to minimize dependencies and avoid reentrant callback loops.
These changes will eventually improve overall code quality, debugging
quality, and Squid robustness.
Below you will find log messages from the async-call branch that are
relevant to the file(s) being committed.
Added initial implelentation of AsyncCall-based wrappers for
comm callbacks. The comm layer no longer calls callbacks from
the select loop. Instead, the select loop schedules async
calls. Scheduled calls are then called from the main loop (like
all other async calls), after the select loop completes.
Removed accept loop. We cannot loop because async calls do not
get fired during the loop and, hence, cannot register new
callbacks for new ready FDs.
The loop is implicit now. When the next callback is registered,
we check whether the last accept(2) call was successful or
OPTIMISTIC_IO is defined and call acceptNext() again if yes.
AcceptNext() may schedule another async call (using the
being-submitted callback) if the socket was still ready. Since
callbacks are fired until there are no callabacks left, we
still have an accept loop.
Removed CommDispatcher as unused.
Removed unused IOFCB, IOWCB, and CWCB.
Removed class fdc_t. After CommCallbackData removal, fdc_t was
only used to check that a FD is "active" and to check that a FD
is half_closed. fd_table flags.open seems to be identical to
the "active" state flag so we use that now, via newly added
isOpen() static function. AbortChecker already maintains
half_closed status.
The accept-specific functionality is still implemented by
AcceptFD class. Removed fdc_t used to marshall accept-ralted
calls to AcceptFD anyway. fdc_table now stores AcceptFDs
directly. I did not rename the table to ease merging with other
code, but added a TODO for that.
Removed calls to comm_iocallbackpending(). They were added to
"Speed up processing of queued events significantly, to not
cause large delays when under low load" but I do not see how
having pending callbacks can be relevant because all pending
callbacks are (should be) executed before FDs are probed.
Removed unused nullCallback() methods.
Removed CommCallbackData and related code. It looks like it
remained after one of the big comm rewrites, just to handle
accept errors. We can now schedule an async call to notify of
those errors and do not seem to need CommCallbackData at all.
Removed commfd_completed_events: a list of completed (but not
yet fired) callbacks. We simply schedule the async call now
instead of maintaining our own list of callbacks to call. This
change allows us to eliminate the CommDispatcher class (which
was the motivation behind these changes), but I have not done
that yet.
For comm_io_callback_t, being active seems to be the same as
having a callback. Replaced active data member with a method
that checks for the callback presence.
Relaxed comm_read_cancel() preconditions so that the callers do
not have to check all the assertions inside before calling that
function.
rousskov [Wed, 13 Feb 2008 06:49:44 +0000 (06:49 +0000)]
Merging async-call branch changes to HEAD:
Async-call work replaces event-based asynchronous calls with
stand-alone implementation. The common async call API allows Squid
core do call, debug, and troubleshoot all callback handlers in a
uniform way.
An async "job" API is introduced to manage independent logical threads
or work such as protocol transaction handlers on client, server, and
ICAP sides. These jobs should communicate with each other using async
calls to minimize dependencies and avoid reentrant callback loops.
These changes will eventually improve overall code quality, debugging
quality, and Squid robustness.
Below you will find log messages from the async-call branch that are
relevant to the file(s) being committed.
Do not use CompletionDispatcher.
Async calls are not longer using time-based events with zero
delay. They have a dedicated AsyncCallQueue.
Moved duplicated code into dispatchCalls().
EventLoop will need further internal polishing to polish, simplify and
possibly speed up the code.
rousskov [Wed, 13 Feb 2008 06:44:35 +0000 (06:44 +0000)]
Merging async-call branch changes to HEAD:
BodyPipe now uses the new job calls interface:
- Instead of scheduling BodyPipe calls we are scheduling BodyProducer
and BodyCosnumer calls
- BodyProducer/BodyConsumer::noteXXXXXX(BodyPipe &bp) methods converted
to Body*::noteXXXXXX(BodyPipe::Pointer) to allow them used with new
async calls interface.
- BodyPipe::tell* methods and related AsyncCallWrappers removed.
- Implement the CallNoteBodyProducer and CallNoteBodyConsumer JobCall based
classes. These classes used too schedule calls for BodyConsumer and
BodyProducer respectivelly. They are like the normal JobCalls but
aditionally checks if the BodyConsumer and BodyProducer is still part
of the pipe.
- Implement the NullBodyConsumer class as a BodyConsumer child which just
reads the data from pipe and discard them. This class used to replace
old AutoConsume mechanism.
- Removing the ICAPXaction_{Enter,Exit} calls from ICAPModXact::note* methods
Their logic implemented inside the new async calls code.
Remove the old "late call avoidance" code from BodyPipe as no longer needed.
rousskov [Wed, 13 Feb 2008 06:40:02 +0000 (06:40 +0000)]
Merging async-call branch changes to HEAD:
Async-call work replaces event-based asynchronous calls with
stand-alone implementation. The common async call API allows Squid
core do call, debug, and troubleshoot all callback handlers in a
uniform way.
An async "job" API is introduced to manage independent logical threads
or work such as protocol transaction handlers on client, server, and
ICAP sides. These jobs should communicate with each other using async
calls to minimize dependencies and avoid reentrant callback loops.
These changes will eventually improve overall code quality, debugging
quality, and Squid robustness.
The code is still more complex than I want it to be. However, these are
low-level interfaces that most developers will not have to deal with and
the complexity will be significantly reduced if we get rid of old style
function-pointer based callbacks, which is probably desirable for several
reasons. Other simplifications will be found in time as well.
TODO: src/ICAP/AsyncJob needs to be moved to src/. It is not moved yet to
preserve commit logs.
rousskov [Wed, 13 Feb 2008 06:33:48 +0000 (06:33 +0000)]
Merging async-call branch changes to HEAD:
Synced after changing delayed read callback storage model from
(function pointer, opaque parameter) pair to AsyncCall.
Internally, comm module uses AsyncCalls to store callback
information now.
rousskov [Wed, 13 Feb 2008 06:29:25 +0000 (06:29 +0000)]
Merging async-call branch changes to HEAD:
ConnStateData used a RefCount pointer (the openReference) to keep itself alive
which is not compatible with the cbdata used by CommCalls. This change makes
the ConnStateData class non RefCountable and uses cbdata instead.
rousskov [Wed, 13 Feb 2008 06:26:36 +0000 (06:26 +0000)]
Merging async-call branch changes to HEAD:
Added toCbdata() method to deal with multiple inheritence in cbdata-protected
objects. The pointers to the object used by others may not point to the part
of the object with the cbdata magic.
rousskov [Wed, 13 Feb 2008 06:17:50 +0000 (06:17 +0000)]
Merging async-call branch changes to HEAD:
ConnStateData used a RefCount pointer (the openReference) to keep itself alive
which is not compatible with the cbdata used by CommCalls. This change makes
the ConnStateData class non RefCountable and uses cbdata instead.
rousskov [Wed, 13 Feb 2008 06:12:45 +0000 (06:12 +0000)]
Merging async-call branch changes to HEAD:
Async-call work replaces event-based asynchronous calls with
stand-alone implementation. The common async call API allows Squid
core do call, debug, and troubleshoot all callback handlers in a
uniform way.
An async "job" API is introduced to manage independent logical threads
or work such as protocol transaction handlers on client, server, and
ICAP sides. These jobs should communicate with each other using async
calls to minimize dependencies and avoid reentrant callback loops.
These changes will eventually improve overall code quality, debugging
quality, and Squid robustness.
Most of the changes in the ICAP/ICAP* files are related to removing handler
wrappers and using CommCalls. AsyncJob is now a [virtual] base class for
ICAPInitiator. All ICAP initiators and ICAP transactions are now "jobs".
rousskov [Wed, 13 Feb 2008 06:07:52 +0000 (06:07 +0000)]
Merging async-call branch changes to HEAD:
Async-call work replaces event-based asynchronous calls with
stand-alone implementation. The common async call API allows Squid
core do call, debug, and troubleshoot all callback handlers in a
uniform way.
An async "job" API is introduced to manage independent logical threads
or work such as protocol transaction handlers on client, server, and
ICAP sides. These jobs should communicate with each other using async
calls to minimize dependencies and avoid reentrant callback loops.
These changes will eventually improve overall code quality, debugging
quality, and Squid robustness.
Below you will find log messages from the async-call branch that are
relevant to the file(s) being committed.
Made comm_read and comm_write calls to use the new CommCalls.
Converted the ConnStateData related code in client_side.cc to
use CommCalls.
BodyPipe now uses the new job calls interface. Many changes in
BodyPipe's related code.
rousskov [Wed, 13 Feb 2008 06:02:13 +0000 (06:02 +0000)]
Merging async-call branch changes to HEAD:
Removed calls to comm_iocallbackpending(). They were added to
"Speed up processing of queued events significantly, to not
cause large delays when under low load" but I do not see how
having pending callbacks can be relevant because all pending
callbacks are (should be) executed before FDs are probed.
rousskov [Wed, 13 Feb 2008 05:58:29 +0000 (05:58 +0000)]
Merging async-call branch changes to HEAD:
Async-call work replaces event-based asynchronous calls with
stand-alone implementation. The common async call API allows Squid
core do call, debug, and troubleshoot all callback handlers in a
uniform way.
An async "job" API is introduced to manage independent logical threads
or work such as protocol transaction handlers on client, server, and
ICAP sides. These jobs should communicate with each other using async
calls to minimize dependencies and avoid reentrant callback loops.
These changes will eventually improve overall code quality, debugging
quality, and Squid robustness.
Below you will find log messages from the async-call branch that are
relevant to the file(s) being committed.
Added initial implelentation of AsyncCall-based wrappers for
comm callbacks. The comm layer no longer calls callbacks from
the select loop. Instead, the select loop schedules async
calls. Scheduled calls are then called from the main loop (like
all other async calls), after the select loop completes.
Removed accept loop. We cannot loop because async calls do not
get fired during the loop and, hence, cannot register new
callbacks for new ready FDs.
The loop is implicit now. When the next callback is registered,
we check whether the last accept(2) call was successful or
OPTIMISTIC_IO is defined and call acceptNext() again if yes.
AcceptNext() may schedule another async call (using the
being-submitted callback) if the socket was still ready. Since
callbacks are fired until there are no callabacks left, we
still have an accept loop.
Removed CommDispatcher as unused.
Removed unused IOFCB, IOWCB, and CWCB.
Removed class fdc_t. After CommCallbackData removal, fdc_t was
only used to check that a FD is "active" and to check that a FD
is half_closed. fd_table flags.open seems to be identical to
the "active" state flag so we use that now, via newly added
isOpen() static function. AbortChecker already maintains
half_closed status.
The accept-specific functionality is still implemented by
AcceptFD class. Removed fdc_t used to marshall accept-ralted
calls to AcceptFD anyway. fdc_table now stores AcceptFDs
directly. I did not rename the table to ease merging with other
code, but added a TODO for that.
Removed calls to comm_iocallbackpending(). They were added to
"Speed up processing of queued events significantly, to not
cause large delays when under low load" but I do not see how
having pending callbacks can be relevant because all pending
callbacks are (should be) executed before FDs are probed.
Removed unused nullCallback() methods.
Removed CommCallbackData and related code. It looks like it
remained after one of the big comm rewrites, just to handle
accept errors. We can now schedule an async call to notify of
those errors and do not seem to need CommCallbackData at all.
Removed commfd_completed_events: a list of completed (but not
yet fired) callbacks. We simply schedule the async call now
instead of maintaining our own list of callbacks to call. This
change allows us to eliminate the CommDispatcher class (which
was the motivation behind these changes), but I have not done
that yet.
For comm_io_callback_t, being active seems to be the same as
having a callback. Replaced active data member with a method
that checks for the callback presence.
Relaxed comm_read_cancel() preconditions so that the callers do
not have to check all the assertions inside before calling that
function.
The CommCall code is still more complex than I want it to be.
However, these are low-level interfaces that most developers
will not have to deal with and the complexity will be
significantly reduced if we get rid of old style
function-pointer based callbacks, which is probably desirable
for several reasons.
amosjeffries [Tue, 12 Feb 2008 07:05:11 +0000 (07:05 +0000)]
extension_methods directive is now obsolete.
METHOD_OTHER type now cleanly handles unknown methods in squid.
Part 1:
- removes the directive from squid default config.
- removes the placeholder EXT methods enumerations
- deprecates the code which previously handled config parsing.
part 2: (TODO)
- needs to cleanup the remaining enumerated methods to reduce
memory footprint
amosjeffries [Tue, 12 Feb 2008 06:01:23 +0000 (06:01 +0000)]
Several String fixes.
- Add two missing includes when configured --disable-inline
- SegFault when newly allocated string set to 0-length.
buf_ may be NULL and buffer overruns on truncate attempt
rousskov [Tue, 12 Feb 2008 05:41:52 +0000 (05:41 +0000)]
Importing SslBump feature from Squid3 ssl-bump branch:
Added sslproxy_cert_error ACL to be able to bypass some
certificate validation errors. The default is to bypass
nothing.
Only a few SSL certificate validation errors are currently
recognized by name, including the newly defined
SQUID_X509_V_ERR_DOMAIN_MISMATCH error which is raised when
Squid certificate domain validation fails.
rousskov [Tue, 12 Feb 2008 05:33:48 +0000 (05:33 +0000)]
Importing SslBump feature from Squid3 ssl-bump branch:
When SslBump is activated, Squid responds to CONNECT request
with HTTP 200 "Connection established" and switches to SSL
encryption on the connection.
Added ssl_bump ACL. The ACL controls which CONNECT requests to
an http_port marked with an sslBump flag are actually "bumped".
This was needed to bypass the bump and tunnel requests to sites
that Squid cannot handle well (with or without the bump), with
other use cases likely to surface.
By default, no requests are bumped. Squid warns if http_port(s)
have SslBump but no ssl_bump ACL was configured.
The ACL applies to all http_ports, but I suspect that, if
needed, specific ACL rules can distinguish ports using
"myport".
Added ERR_SECURE_CONNECT_FAIL that is returned when we cannot
secure the established connection with the server. Formerly,
ERR_CONNECT_FAIL was returned.
rousskov [Tue, 12 Feb 2008 05:30:10 +0000 (05:30 +0000)]
The connect(2) system call might return "connection ready"
status even for a non-blocking file descriptor. The connection
itself can never be immediately ready in reality because of the
TCP handshake, but I am guessing that in some environments, the
TCP stack fakes/optimizes local connection readiness. We have
seen that for loopback sockets on FreeBSD 6.2, for example, but
the behavior is probably OS- or OS-configuration specific.
If connect(2) is immediately successful, comm module
immediately calls the callback. This means that the callback is
called while the same callback is being registered with comm.
ICAP does not allow this "re-entrance" and other code might not
deal well with it.
The change overwrites connect(2) result so that Squid does not
think that connect(2) was immediately successful. Instead of
calling the callback, Squid then schedules the connection
write-ability check.
The NativeAsyncCall development will fix this and remove the
need to overwrite connect(2) result because comm will always
call callbacks asynchronously.
rousskov [Tue, 12 Feb 2008 05:28:47 +0000 (05:28 +0000)]
Importing SslBump feature from Squid3 ssl-bump branch:
SslBump needs access to SSL-related options when responding to
CONNECT requests. We could add a new squid.conf option to
accept those options, but I decided to add SSL-related options
to http_port, where CONNECT requests will arrive. This design
avoids the necessity to map SSL options to an HTTP port or to a
CONNECT request when a global default would not do.
Adding SSL options to http_port makes http_port_list and
https_port_list almost identical. I moved stuff around to
reduce duplication between the two classes, moving related
code to ProtoPort.{cc,h} in the process. More work is needed
to remove the distinction completely or, at least, remove the
https_port::http hack.
Added sslproxy_cert_error ACL to be able to bypass some
certificate validation errors. The default is to bypass
nothing.
Only a few SSL certificate validation errors are currently
recognized by name, including the newly defined
SQUID_X509_V_ERR_DOMAIN_MISMATCH error which is raised when
Squid certificate domain validation fails.
rousskov [Tue, 12 Feb 2008 05:26:59 +0000 (05:26 +0000)]
Importing SslBump feature from Squid3 ssl-bump branch:
Parse/dump the newly added sslBump http_port option. The option
does not imply an accelerated port because it only accelerates
after intercepting a CONNECT request.
Configure SSL Context if SSL certificate or key are specified
for an HTTP port.
rousskov [Tue, 12 Feb 2008 05:26:39 +0000 (05:26 +0000)]
Importing SslBump feature from Squid3 ssl-bump branch:
Added ERR_SECURE_CONNECT_FAIL that is returned when we cannot
secure the established connection with the server. Formerly,
ERR_CONNECT_FAIL was returned.
Supply the SSL error check ACL when forwarding SSL connections.
The check list is stored as SSL ex_data and is destroyed by
OpenSSL when the SSL struct is destroyed.
rousskov [Tue, 12 Feb 2008 05:26:16 +0000 (05:26 +0000)]
Importing SslBump feature from Squid3 ssl-bump branch:
When SslBump is activated, Squid responds to CONNECT request
with HTTP 200 "Connection established" and switches to SSL
encryption on the connection.
Added ssl_bump ACL. The ACL controls which CONNECT requests to
an http_port marked with an sslBump flag are actually "bumped".
This was needed to bypass the bump and tunnel requests to sites
that Squid cannot handle well (with or without the bump), with
other use cases likely to surface.
By default, no requests are bumped. Squid warns if http_port(s)
have SslBump but no ssl_bump ACL was configured.
The ACL applies to all http_ports, but I suspect that, if
needed, specific ACL rules can distinguish ports using
"myport".
Added ERR_SECURE_CONNECT_FAIL that is returned when we cannot
secure the established connection with the server. Formerly,
ERR_CONNECT_FAIL was returned.
rousskov [Tue, 12 Feb 2008 05:25:22 +0000 (05:25 +0000)]
Importing SslBump feature from Squid3 ssl-bump branch:
Added ConnStateData::switchToHttps() method that attempts to
switch regular connection into SSL encryption mode. It is meant
to be called after Squid responds to the CONNECT request,
pretending to be an origin server (SslBump feature).
Moved SSL structure creation to httpsCreate() so that the code
can be used for httpsAccept() and the new switchToHttps() code.
Mark connection that switched to SSL so that others can treat
associated requests specially (e.g., accelerate them).
Use configured SSL context of http_port. This means that we
can no longer rely on connection port protocol when
accelerating request. The port is HTTP but we need to prepend
https:// after switching to SSL mode.
Warn if sslBump is enabled but there is no usable SSL context.
This may need to be a fatal error.
Ignore https_port where we failed to create an SSL context. We
used to warn but did not ignore. Polished the warning message.
Disable SslBump for http_port where we failed to create an SSL
context. We used to warn but did not disable. Polished the
warning message.
Polished the "You have too many 'https_port' lines" warning.
rousskov [Tue, 12 Feb 2008 05:24:38 +0000 (05:24 +0000)]
Importing SslBump feature from Squid3 ssl-bump branch:
SslBump needs access to SSL-related options when responding to
CONNECT requests. We could add a new squid.conf option to
accept those options, but I decided to add SSL-related options
to http_port, where CONNECT requests will arrive. This design
avoids the necessity to map SSL options to an HTTP port or to a
CONNECT request when a global default would not do.
Adding SSL options to http_port makes http_port_list and
https_port_list almost identical. I moved stuff around to
reduce duplication between the two classes, moving related
code to ProtoPort.{cc,h} in the process. More work is needed
to remove the distinction completely or, at least, remove the
https_port::http hack.
rousskov [Tue, 12 Feb 2008 05:17:41 +0000 (05:17 +0000)]
Importing SslBump feature from Squid3 ssl-bump branch:
Added ERR_SECURE_CONNECT_FAIL that is returned when we cannot
secure the established connection with the server. Formerly,
ERR_CONNECT_FAIL was returned.
I copied new English/ERR_SECURE_CONNECT_FAIL to other
languages. Perhaps it would be better to use translated (but
less specific) ERR_CONNECT_FAIL text instead.
swilton [Sat, 9 Feb 2008 10:48:05 +0000 (10:48 +0000)]
Author: Steven Wilton <swilton@q-net.net.au>
Sort cache list in wccpv2 to ensure a consistent hash allocation across all serv
ices
Under some circumstances different caches were being allocated differnet hash
assignments for different wccpv2 services. This caused problems when using
TPROXY as the reply traffic was being sent to a different cache than the request
causing problems in browsing web pages.
This patch applied a selection sort algorithm to the cache list to ensure that
as long as the same group of caches are registered for any number of wccpv2
services, they will be allocated the same hash assignments in the router.
rousskov [Sat, 9 Feb 2008 01:31:02 +0000 (01:31 +0000)]
Bug 2038: check reply_body_max_size before ICAP
Use newly added HttpReply::*BodyTooLarge() checks to support the
reply_body_max_size ACL when the expected body size may be known and when more
body data is coming. The checks are now shared between server and client
sides.
The server side needs to do the checks before feeding the data to ICAP.
Otherwise, ICAP service may suck a large response in and spit a small response
out. It was decided that the reply_body_max_size ACL should apply to the
virgin response as well.
The server side does not perform receivedBodyTooLarge check yet.
rousskov [Sat, 9 Feb 2008 01:30:18 +0000 (01:30 +0000)]
Bug 2038: check reply_body_max_size before ICAP
Use newly added HttpReply::expectedBodyTooLarge() check to support the
reply_body_max_size ACL when the expected body size may be known. The check
is now shared between server and client sides.
The server side needs to do the checks before feeding the data to ICAP.
Otherwise, ICAP service may suck a large response in and spit a small response
out. It was decided that the reply_body_max_size ACL should apply to the
virgin response as well.
The server side does not perform HttpReply::receivedBodyTooLarge() check yet.
rousskov [Sat, 9 Feb 2008 01:27:59 +0000 (01:27 +0000)]
Bug 2038: check reply_body_max_size before ICAP
Moved maxReplyBodySize-related code from ClientHttpRequest to HttpReply
because server-side needs it too to check limits before ICAP sucks all the
data in.
Calculating limit requires knowing HttpRequest because it affects expected
content length. Since I did not find a single place where any HttpReply would
be guaranteed to be given the request to calculate the limit, we now supply
the request whenever a limit check is performed. The limit calculation result
is cached and the calculation should not be repeated.
projects / thirdparty / squid.git / log
