This patch allow the user of the Range template class to define the type of
the returned value of Range::size() method, adding a second template argument.
The default type of the return value of Range::size() method is size_t, which
in most cases is enough (but not always, eg HttpRange).
This patch will allow Range template to be used with non numeric types.
Amos Jeffries [Sat, 29 Jan 2011 02:23:48 +0000 (15:23 +1300)]
Profiler: fix report sorting algorithm
The sorting was performed in a way to exclude the UNACCOUNTED and leave it
first in the display list. However with the new auto-genenerated enum all
other entries are at indeterminate locations. Using hash_lookup resulted
in only half teh list being sorted.
Fix that by referencing from UNACCOUNTED which is guaranteed to be first.
Amos Jeffries [Fri, 28 Jan 2011 07:58:53 +0000 (20:58 +1300)]
Windows: fix code wrappers for Cygwin and generic Win32 code
_SQUID_WIN32_ was being used to wrap all code built specific for Windows
but with any compiler on that platform.
- rename to _SQUID_WINDOWS_ to match OS wrpper naming convention.
- compact several macros using verbose test: (cygwin or Ming or any)
Cleans up all affected tests to match current precompiler code style.
Also cleans up all tests involving _SQUID_CYGWN_ to match code styles.
Author: Alex Rousskov <rousskov@measurement-factory.com>
Fix IP/FQDN cache accounting to avoid idle caches on busy servers.
When maintaining the IP/FQDN cache size, use the number of entries in the cache
rather than the number of allocated and not freed MEM_IPCACHE_ENTRY and
MEM_FQDNCACHE_ENTRY objects. These objects are used outside the cache
for DNS queries. If queries leak (or perhaps when there are just a lot of them),
the memory-pool-based count overestimates the cache size, sometimes to
such a degree that the cache remains nearly empty despite lots of misses.
Use memory-pool-based counter to estimate cache size also violates IP/FQDN cache
encapsulation boundaries because it effectively prevents others from using
the same memory pool.
Bug 3081:
During conversion of listening socket handlers to AsyncCalls a violation
of the AsyncCall API was introduced. Resulting in occasional crashes from
invalid re-use of call objects.
This implements a TcpAcceptor async job which receives a listening socket
and a CallSubscription. For every connection attempt on the listener socket
a new AsyncCall is spawned from the subscription template.
Initial users are the HTTP and HTTPS listening sockets and FTP data channel.
In order to implement this job in FTP the logics surrounding data channel
handling had to be extended and reworked. Fixing bug 2948 and 2581 in the
process.
Amos Jeffries [Tue, 25 Jan 2011 08:55:40 +0000 (21:55 +1300)]
Author: Fabian Hugelshofer <fh@open.ch>
Allow persistent connections for Mozilla/3.0 User-Agents
This fixes NTLM and Negotiate authentication for these agents.
History:
In 1998 a hack was added to HttpMsg::persistent() that disables
persistent connections for HTTP/1.0 User-Agents starting with
"Mozilla/3." and "Netscape/3.".
According to the thread on squid-dev
(http://www.eu.squid-cache.org/mail-archive/squid-dev/199805/0087.html),
this was necessary to make some versions of Netscape browsers work that
had a broken implementation of persistent connections. It was said that
"NS 3.01 is ok. NS 3.02 is bad. NS 3.04 is good." Netscape 4 was ok, too.
Amos Jeffries [Tue, 25 Jan 2011 05:31:59 +0000 (18:31 +1300)]
Fix external_acl_type grace= option
Due to race conditions between concurrent requests this is still not a
complete fix. But reduces the unwanted re-use of helper responses from
all connections arriving in a whole second which match the ACL key down
to just those that arrive within the reply lag time of the helper.
Henrik Nordstrom [Mon, 24 Jan 2011 20:23:27 +0000 (21:23 +0100)]
Simplify request parsing to not check request method when determining if a
request contains a request-entity or not. For requests this is signalled
entirely by Content-Length/Transfer-Encoding regardless of method.
also drops the requirement that PUT/POST requests must have a request-entity.
The RFC do not explicitly state this requirement even if the wording for those
methods do assume there is a enclosed request-entity.
The administrative "request_entities" config flag is kept for security
reasons, even if not really RFC compliant. (RFC meaning of request-entity
in GET/HEAD is just undefined or "ignored", not forbidden)
Amos Jeffries [Fri, 14 Jan 2011 14:10:21 +0000 (07:10 -0700)]
Make FTP and CacheMgr obey --disable-auth-basic
When teh proxy has been built with this auth module explicitly disabled
do not add headers indicating that it is available.
The side effect of not having Basic authentication support in the proxy
is that FTP is reduced to depending on URL logins and CacheMgr protected
actions cannot be used.
Amos Jeffries [Fri, 14 Jan 2011 06:15:23 +0000 (23:15 -0700)]
Support configurable status codes for deny_info
This changes the default behaviour of deny_info redirects. Making Squid
automaticaly select 307 or 303 status code where appropriate for HTTP/1.1
clients and 302 for HTTP/1.0 clients or other appropriate cases.
For example;
deny_info 303:http://example.com/ POST
On top of the behaviour change this patch adds capability for admin to
configure deny_info with explicit status codes ranging from 200 to 599.
There are limits placed on the use of each range of status codes:
* 2xx, 4xx and 5xx may only be set when there is a local file or template
being used as body content on the response.
* 3xx status may only be set when there is a URI being used as a redirect
destination.
These limitations are enforced with a configuration hard abort due to:
3xx with a named template and 4xx/5xx with a redirect break with a range
of horrible results to our file loading and output Location: URLs. My
tests ended up with Squid scanning the FS for local files called
http://blah, redirecting the browser to 404:ERR_ACCESS_DENIED, or getting
past those with zero-sized replies and crashes when err is required to
have length.
They are going to take something much more major logic re-plumbing and
maybe deeper cleanup to get the crossover down to safe enough for just a
warning. Given the RFC defined use of each status range I did not think
it worth doing to enable something on the fine edge of non-standard.
Amos Jeffries [Wed, 12 Jan 2011 05:23:00 +0000 (22:23 -0700)]
ftp_eprt directive to disable EPRT extensions in FTP
This allows admin to resolve compatibility problems with old devices which
encounter a range of problems when FTP extensions are used by selectively
disabling any of the extensions individually.
The other EPSV extensions already have enable/disable directives.
Amos Jeffries [Tue, 11 Jan 2011 07:33:27 +0000 (00:33 -0700)]
Bug 2959: remove SAMBAPREFIX dependency
This removes the tricky SAMBAPREFIX variable which passes full-path
information from the squid build machine down to the run-time host
helper.
Such information is not always correct when crossing machines, and the
binaries being run can easily be added to PATH in the run-time host
environment instead.
The net result of doing this is removal of Samba from the build
dependencies and increased availability of the basic_smb_auth and
ext_wbinfo_group_acl helpers.
Amos Jeffries [Sat, 8 Jan 2011 06:23:27 +0000 (19:23 +1300)]
Author: Henrik Nordstrom <hno@squid-cache.org>
Port from 2.7: maximum staleness limits
The default behaviour of Squid is to provide a stale copy (with Warnigng:
header) until an actove response from the origin server causes the object
to be updated or garbage collection causes its removal.
The max_stale direcive and refresh_pattern max-stale=N option allow admin
to set an upper limit on the objects age when serving stale responses.
Amos Jeffries [Mon, 27 Dec 2010 20:25:30 +0000 (13:25 -0700)]
Author: Henrik Nordstrom <hno@squid-cache.org>
Support RFC 5861 Cache-Control: stale-if-error option
The default behaviour for Squid is to present the stale object when
revalidation fails with a 5xx error.
stale-if-error places a maximum limit on how long this stale object may
be sent. After the limit has passed Squid is required to present the 5xx
message to the client.
Original code for Squid-2 was sponsored by Yahoo!.
Original code by Marcello Romani, this version has some additions to
initialize any missing database tables depended on during its startup
phase and some additional polish to fit within the current Squid release.
COPYRIGHT AND LICENSE
Copyright (C) 2008 by Marcello Romani
This library is free software; you can redistribute it and/or modify
it under the same terms as Perl itself, either Perl version 5.8.8 or,
at your option, any later version of Perl 5 you may have available.
Amos Jeffries [Wed, 15 Dec 2010 12:13:01 +0000 (05:13 -0700)]
ext_edirectory_userip_acl: alternative split algorithms
Some compilers do not support dynamically allocated stack space.
Instead perform a scan and hunk copy/wipe of the passed buffers directly.
As a side effect the split is no longer triple-copying data and
double-memset'ing.
Author: Graham Keeling <graham@equiinet.com>
Bug 3113: Squid can eat far too much memory when uploading files
Problem description:
Uploading a large file to a web site on the internet, squid's client
input buffer will increase far faster than it can be emptied to
the target website, and the machine will swiftly run out of memory.
This patch adds the client_request_buffer_max_size configuration
parameter which specifies the maximum buffer size of a client request.
Report ERR_SECURE_CONNECT_FAIL details to the user via a new error detail API.
Currently, the ERR_SECURE_CONNECT_FAIL response contains no usable error
information. Moreover, there is no interface to pass SSL error information
to the response generation code.
This patch adds an interface to allow Squid error responses to contain detailed
information about SSL certificate verification failure. For example, the error
message may contain the following text:
"Server Certificate Verification Failed: Certificate Common Name
(www.lufthansa.com) does not match the host name you are connecting to
(www.lufthansa.de)."
This is a Measurement Factory project.
Change details:
--------------------
- errorpage.cc/.h: The error page now supports the '%D' formating code to
display the detail string passed by modules. The detail strings passed by
modules can contain error page formating codes. Currently only SSL detail
errors messages are supported.
- A new class Ssl::ErrorDetail defined in ssl/ErrorDetail.[cc,h]
The Ssl::ErrorDetail objects passed to the SSL verification callback functions
(sl_verify_cb callback function defined in support.cc) and filled with error
detail data (error_no and a pointer to the X509 Certificate) in the case of
an error and passed back to the forward.cc code.
- The Ssl::ErrorDetail class internally uses (hard coded) templates and
formating codes to allow supporting multiple languages and adding easily
new features
Other changes:
-------------------
- errorpage.cc/.h: The BuildContent method split to BuildContent and ConvertText
method. The second method does the real conversion from a given text template
to output. It is used now to allow formating the detail strings passed with
%D.
- sslparseErrorString moved to ssl/ErrorDetail.cc file and renamed to
Ssl::parseErrorString
- sslFindErrorString moved to ssl/ErrorDetail.cc file and renamed to
Ssl::getErrorName
- The ssl_error_t typedef definition moved from ssl/support.h to
ssl/ErrorDetail.h and renamed to Ssl::error_t
Amos Jeffries [Mon, 13 Dec 2010 11:31:14 +0000 (00:31 +1300)]
Compat: cleanup several config.h hacks
* removes the xmemcpy and xmemmove hacks. Squid has been building for some
long time without them being consistently used all-over. No complaints.
bcopy() alternative is still use if needed. However main code can now
use memcpy( )and memmove() without special X knowledge.
* shuffle strnstr replacement into libcompat from libmisc
* shuffles xis*() function wrappers for is*() with type-casting into compat
projects / thirdparty / squid.git / log
