Amos Jeffries [Fri, 30 Dec 2016 06:27:19 +0000 (19:27 +1300)]
Detect HTTP header ACL issues
rep_header and req_header ACL types cannot match multiple different
headers in one test (unlike Squid-2 appears to have done). Produce
an ERROR and ignore the extra line(s) instead of silently changing
all the previous regex to match the second header name.
Also detect and ERROR when header name is missing entirely. Ignore
these lines instead of asserting.
Amos Jeffries [Thu, 22 Dec 2016 04:08:55 +0000 (17:08 +1300)]
Bug 3940 pt2: Make 'cache deny' do what is documented
Instead of overriding whatever cacheability was previously set to
(including changing non-cacheables to be cacheable) actually
prevent both cache read and write.
Amos Jeffries [Wed, 21 Dec 2016 17:11:34 +0000 (06:11 +1300)]
Cleanup: Refactor libauth Config object(s)
Refactoring the Auth::Config objects to get v5 building again.
The object storing auth_param settings is renamed to SchemeConfig.
A new Auth::Config object is added. The objects holding auth_param,
auth_schemes and other authenticate_* directives settings are stored
there instead of just auth_params.
Lots of outdated doxygen docs that have more up to date copies elsewhere
are removed. The "\ingroup AuthAPI" are left for now since some auth
things are not yet in the Auth:: namespace, but other auth related
groups are dropped completely.
Code parsing and dumping auth_param lines has been de-duplicated. Along
with the keep_alive and utf8 settings, which are shared by multiple
schemes. This allows dropping several virtual methods from NTLM and
Negotiate scheme objects.
An auth/forward.h file is added for predefines. Some initial Auth::
symbols are listed there. It is not complete, but others can be added as
needed later.
Some unnecessary includes have been removed. There are probably more. I
just did the obvious ones related to the new auth/forward.h and
auth/Config.h files at this time.
Amos Jeffries [Mon, 19 Dec 2016 10:47:37 +0000 (23:47 +1300)]
Drop old Basic Authenticatio docs
The wiki these days contains a more detailed and correct description of
how Basic auth helpers work in Squid. This old document does not even
describe how the code works, so is no longer useful.
Amos Jeffries [Mon, 19 Dec 2016 10:27:54 +0000 (23:27 +1300)]
Shuffle auth_schemes config objects into Auth::Config
Also, move the directive definition down into "Access Controls" section
of squid.conf to avoid dependency issues with acl directive definitions
being done too late.
Do not share private responses with collapsed client(s).
This excessive sharing problem with collapsed forwarding code has
several layers. In most cases, the core CF code does not share
uncachable or private response with collapsed clients because of the
refreshCheckHTTP() check. However, some responses might not be subject
to that (or equivalent) check. More importantly, collapsed revalidation
code does not check its responses at all and, hence, easily shares
private responses.
This short-term fix incorrectly assumes that an entry may become private
(KEY_PRIVATE) only when it cannot be shared among multiple clients
(e.g., because of a Cache-Control:private response header). However,
there are a few other cases when an entry becomes private. One of them
is a DISK_NO_SPACE_LEFT error inside storeSwapOutFileClosed() where
StoreEntry::releaseRequest() sets KEY_PRIVATE for a sharable entry [that
may still be perfectly preserved in the memory cache]. Consequently, the
short-term fix reduces CF effectiveness. The extent of this reduction is
probably environment-dependent.
Also: do not re-use SET_COOKIE headers for collapsed revalidation slaves,
i.e., adhere to the same requirement as for regular response HITs.
Added auth_schemes to control schemes presence and order in 401s/407s.
The new squid.conf directive may be used to customize authentication
schemes presence and order in Squid's HTTP 401 (Unauthorized) and 407
(Proxy Authentication Required) responses. The defaults remain the same.
Garri Djavadyan [Wed, 7 Dec 2016 00:05:07 +0000 (13:05 +1300)]
Bug 3940 (partial): hostHeaderVerify failures MISS when they should be HIT
This fixes the critical condition leading to the HIT. However not all
code is correctly setting flags.noCache and flags.cacheable (see bugzilla).
So there may be other fixes needed after this.
Amos Jeffries [Sun, 20 Nov 2016 09:12:00 +0000 (22:12 +1300)]
C++11: Remove GnuRegex and all -lregex related code
Squid is now exclusively using the STL std::regex API provided on all
operating systems in a portable manner.
We no longer have any need of detecting if the system is providing a
libregex, or user has configured one, or if it actually works, or how
to call it, or use the GnuRegex code as a backup when one of those
complex details goes wrong.
Amos Jeffries [Fri, 18 Nov 2016 18:08:30 +0000 (07:08 +1300)]
Fix Null pointer dereferences after rev.14913
on_unsupported_protocol with non-HTTP requests occurs without
an HTTP request object. Some ACLs will not be possible to check
but that is not a reason to crash.
The r14945 patch has a major bug:
When the Http::One::Server::writeControlMsgAndCall fails to write the control
message, schedules a Comm::Write callback using just a ScheduleCallHere command.
The callback called withtout the CommIoCbParams details and squid is crashes.
This patch fixes the ConnStateData::writeControlMsgAndCall to return false if it
fails to write the control message and allow the caller to handle the failure.
The following sequence of events triggers this assertion:
- The server sends an 1xx control message.
- http.cc schedules ConnStateData::sendControlMsg call.
- Before sendControlMsg is fired, http.cc detects an error (e.g., I/O
error or timeout) and starts writing the reply to the user.
- The ConnStateData::sendControlMsg is fired, starts writing 1xx, and
hits the "no concurrent writes" assertion.
We could only reproduce this sequence in the lab after changing Squid
code to trigger a timeout at the right moment, but the sequence looks
plausible. Other event sequences might result in the same outcome.
To avoid concurrent writes, Squid now drops the control message if
Http::One::Server detects that a reply is already being written. Also,
ConnStateData delays reply writing until a pending control message write
has been completed.
ICAP trailers are currently specified by
https://datatracker.ietf.org/doc/draft-rousskov-icap-trailers/
This implementation complies with version -01 of that draft:
- Squid unconditionally announces ICAP Trailer support via the ICAP
Allow request header field.
- Squid parses the ICAP response trailer if and only if the ICAP server
signals its presence by sending both Trailer header and Allow/trailers
in the ICAP response.
Squid logs and ignores all parsed ICAP header fields (for now).
Also refactored HttpHeader parsing methods in order to reuse them for
ICAP trailer parsing.
Also simplified and fixed headers isolating code while dealing with
empty (i.e. zero header fields) headers. Old httpMsgIsolateHeaders()
tried to re-implement header end detection/processing logic that is
actually covered by headersEnd(). Old httpMsgIsolateHeaders() could
return success for some garbage input (e.g., a buffer of several CRs)
even if no end of headers was found.
Added nil dereference checks for Ftp::Client::ctrl.conn, including:
- Ftp::Client::handlePasvReply() and handleEpsvReply() that dereference
ctrl.conn in DBG_IMPORTANT messages.
- Many functions inside FtpClient.cc and FtpGateway.cc files.
TODO: We need to find a better way to handle nil ctrl.conn. It is only
a matter of time when we forget to add another dereference check or
discover a place we missed during this change.
Also disabled forwarding of EPRT and PORT commands to origin servers.
Squid support for those commands is broken and their forwarding may
cause segfaults (bug #4004). Active FTP is still supported, of course.
Amos Jeffries [Mon, 7 Nov 2016 10:49:37 +0000 (23:49 +1300)]
Bug 4599 pt1: initial support for OpenSSL v1.1
Converts some CRYPTO_add(..., CRYPTO_LOCK_X509) calls with portability
wrapper for X509_up_ref(). Just the calls which are in code not yet using
Security::CertPointer.
Alex Rousskov [Fri, 4 Nov 2016 22:04:34 +0000 (16:04 -0600)]
Improved testAppendSBuf to actually test SBuf::append() optimization.
... rather than to test SBuf::id preservation across assignments
[currently used by that optimization].
Trunk r14911 talks about bitwise object copy but making sure that SBuf
has a working assignment operator is an issue unrelated to append() and
its optimization. Besides, it is not really the prohibited by C++
bitwise copy that we might worry about but the default member-wise
assignment that we may forget to customize.
Alex Rousskov [Fri, 4 Nov 2016 21:14:54 +0000 (15:14 -0600)]
Honor SBufReservationRequirements::minSize regardless of idealSize.
In a fully specified SBufReservationRequirements, idealSize would
naturally match or exceed minSize. However, the idealSize default value
(zero) may not. We should honor minSize regardless of idealSize, just as
the API documentation promises to do.
No runtime changes expected right now because the only existing user of
SBufReservationRequirements sets .idealSize to CLIENT_REQ_BUF_SZ (4096)
and .minSize to 1024.
The pinned_connection->stopPinnedConnectionMonitoring() call does not needed,
it is already called from inside pinned_connection->borrowPinnedConnection
called two lines before.
Support tunneling of bumped non-HTTP traffic. Other SslBump fixes.
Use case: Skype groups appear to use TLS-encrypted MSNP protocol instead
of HTTPS. This change allows Squid admins using SslBump to tunnel Skype
groups and similar non-HTTP traffic bytes via "on_unsupported_protocol
tunnel all". Previously, the combination resulted in encrypted HTTP 400
(Bad Request) messages sent to the client (that does not speak HTTP).
Also this patch:
* fixes bug 4529: !EBIT_TEST(entry->flags, ENTRY_FWD_HDR_WAIT)
assertion in FwdState.cc.
* when splicing transparent connections during SslBump step1, avoid
access-logging an extra record and log %ssl::bump_mode as the expected
"splice" not "none".
* handles an XXX comment inside clientTunnelOnError for possible memory
leak of client streams related objects
* fixes TunnelStateData logging in the case of splicing after peek.
Alex Rousskov [Thu, 3 Nov 2016 13:57:02 +0000 (02:57 +1300)]
Optimize appending to empty SBufs, a common use case.
Most appends start with an empty buffer. Some append only once. There
is no reason to allocate new memory for that first append or force the
appender to write code to optimize that first append.
Why also check that SBuf has never been configured or altered then? To
preserve pre-allocated SBufs, such as those [ab]used as I/O buffers.
projects / thirdparty / squid.git / log
