Amos Jeffries [Tue, 16 Mar 2010 23:53:33 +0000 (12:53 +1300)]
Templates for captive portal proxy configration instructions
Captive portals often have to bounce users to configuration instructions.
Those instructions consist of of how to setup WPAD or manual settings.
These templates allow for a standard and localized instruction set for
better support of mixed language users across any portal.
They are used by adding deny_info ERR_AGENT_... to the configuration.
The ERR_AGENT_CONFIGURE template utilizes visible_hostname and port info
from the responding proxy to display correct configuration details for
the gateway without requiring administrative re-write of the page.
Derived from work by the Mandrivia Project.
TODO:
* some form of CSS agent detection to specialize the instructions.
* add texts for other common agents
Henrik Nordstrom [Mon, 15 Mar 2010 23:21:14 +0000 (00:21 +0100)]
As reported some weeks ago ufsdump fails to link on the upcoming Fedora
13 release due to linking issues, and as reported by Amos the same
linking issues is now also seen on Debian since somewhere between March
2 - 5.
While investigating this I found the following conclusions
- We are not actually installing ufsdump
- The dependencies between the Squid libraries are very non-obvious,
with libraries depending on plain object files and other strange things.
- The ufsdump linkage issues is somehow triggered by the libraries
including objects needing symbols from objects not included in that link
- Those failing library objects are not actually needed by ufsdump.
Linking succeeds if repeatedly removing each reported failing object
from the squid libraries.
- If the libraries were shared libraries then linking would fail on all
systems
The issue have been identified, or actually two separate issues. What is
yet unclear is what is the proper solution..
- Inline operator overloading causing indeterministic linkage,
resulting in seemingly unneeded sub modules being pulled in "at random".
Most notably this is seen with our custom new operation (which btw is
duplicated in two places: src/SquidNew.cc and include/SquidNew.h)
- The current Squid libraries have very unclear dependencies with no
clean boundaries, resulting in linking failure when the above happens..
Fix stale=true on digest requests with unknown nonce
The nonce staleness check only worked if the stale nonce had not yet
been garbage collected, often resulting in incorrect stale=false
responses and resulting auth popups when using digest auth.
Note: this fix is different from how it's done in squid-2 where fixHeader
is called on all schemes in such conditions but only the active one with
and auth_user_request. Not entirely sure why that is done, but commit
message says something about Negotiate authentication.
Amos Jeffries [Fri, 5 Mar 2010 02:07:24 +0000 (15:07 +1300)]
Rationalize the default httpd_accel_surrogate_id
Prevents more posibilities for data leakage by making the default
surrogate ID based on visible_hostname (public FQDN for the proxy).
Now that Surrogate_Capability: header is sent by default in accelerator
environments it makes more sense to default it to a value fairly unique
or at least restricted to that local administrative domain.
When visible_hostname is setup correctly (either automatic or manual)
each stand-alone squid install should have a unique ID. Groups of proxies
sharing work for a domain should also be by default sharing an ID and
thus sharing the override behavior.
When visible_hostname is unavailable it will retain the old default of
'unset-id'.
Amos Jeffries [Sun, 14 Feb 2010 05:36:46 +0000 (18:36 +1300)]
Author: Serassio Guido <serassio@squid-cache.org>
Windows port: Update mswin_check_ad_group to version 2.0
The global groups support was rewritten, now is based on ADSI.
New Features:
- support for Domain Local, Domain Global ad Universal groups
- full group nesting support
This helper, like the previous version, can be compiled only using
Microsoft Visual Studio because some needed library are not available
on MSYS+MinGW or Cygwin.
Amos Jeffries [Sat, 6 Feb 2010 06:32:11 +0000 (19:32 +1300)]
Author: Henrik Nordstrom <hno@squid-cache.org>
Clean up use of httpReplySetHeaders to be consistent across the code, and
remove the unneeded http_version argument.
Amos Jeffries [Fri, 5 Feb 2010 23:27:27 +0000 (12:27 +1300)]
Author: Jean-Gabriel Dick <jean-gabriel.dick@curie.fr>
Bug 1843: multicast-siblings cache_peer option for optimising multicast ICP relations
'multicast-siblings' : this option is meant to be used only for cache peers of
type "multicast". It instructs Squid that ALL members of this multicast group
have "sibling" relationship with it, not "parent". This is an optimization
that avoids useless multicast queries to a multicast group when the requested
object would be fetched only from a "parent" cache, anyway. It's useful, e.g.,
when configuring a pool of redundant Squid proxies, being members of the same
multicast group.