Update the http(s)_port directives protocol= parameter
... to use AnyP::ProtocolVersion for internal storage instead of opaque
string text.
This both limits the possible parameter values to one of HTTP, HTTP/1.1,
HTTPS or HTTPS/1.1 and ensures that URLs generated from that protocol
parameter value are http:// and https:// URLs.
Other values will cause Squid to abort.
Invalid casting seems to confuse the ABI generator and results in
illegal instruction faults when the unit tests are run.
The class API is already const-correct so there is no need for the cast
to occur, and it should not be done on a non-pointer type anyway.
Also, fixes a missing "struct" type identifier found along the way.
This patch:
- adds support for quoted values in the entire squid.conf
- warns about or prohibits values that can no longer be interpreted as
either quoted strings or simple tokens
- supports parameters("/path/to/file.name") syntax to load external
configuration files
- checks if macros are allowed in "double quoted" values.
- replaces the strtok() calls with calls to the new ConfigParser::NextToken()
- modifies strtokFile to use the new ConfigParser::NextToken()
- adds the new configuration_includes_quoted_values configuration option, to
control the squid parser behaviour. If set to on, Squid will recognize each
"quoted string" after a configuration directive as a single parameter
This patch adds new logformat codes to log TOS/DSCP values and netfilter marks
for client and server connections. If multiple outgoing connections were used,
the last used connection's value is logged.
The values are printed in hexadecimal form.
The logformat codes are:
%>tos Client connection tos mark set by Squid
%<tos Server connection tos mark set by Squid
%>nfmark Client connection netfilter mark set by Squid
%<nfmark Server connection netfilter mark set by Squid
This patch also modifies the QoS-related code to set Comm::Connection::nfmark and
Comm::Connection::tos members in the Ip::Qos::setSockNfmark and Ip::Qos::setSockTos
methods. The Comm::Connection members are now set only if the tos and nfmark
are set successfully.
This patch sends an If-None-Match request when we need to re-validate
whether a cached object which has a strong ETag is still valid.
This is also done in the cases where an HTTP client request contains HTTP
headers prohibiting a from-cache response (i.e., a "reload" request).
The use of an If-None-Match request in this context violates RFC 2616 and
requires using the reload-into-ims option within the refresh_pattern squid.conf
directive.
The exact definition of a "reload request" and the adjustment/removal of
"reload" headers is the same as currently used for reload-into-ims
option support. This patch is not modifying that code/logic, just adding
an If-None-Match header in addition to the IMS header that Squid already
adds.
Fix external ACL user:pass detail logging after adaptation
When a request is successfully adapted, the external ACL username and
password are now inherited with this patch. This means the
LFT_USER_NAME log token can display the username from an external ACL
if available, for adapted requests.
The HttpRequest will inherit the password for good measure as well -
while none too useful, it seems strange to inherit the username but
not the password.
We can do better than just producing errors about invalid port details
and treating it as port-0.
We can instead undo the port separation and pass it through as part of
the host name to be verified with the default port number properly
assumed.
Protect against buffer overrun in DNS query generation
see SQUID-2013:2.
This bug has been present as long as the internal DNS component however
most code reaching this point is passing through URL validation first.
With Squid-3.2 Host header verification using DNS directly we may have
problems.
Alan Mizrahi [Tue, 9 Jul 2013 11:15:51 +0000 (05:15 -0600)]
Add storeid_file_rewrite helper
Based on work by Eliezer Croitoru <eliezer@ngtech.co.il>
This program acts as a Store-ID helper program, rewriting URLs passed
by Squid into storage-ids that can be used to achieve better caching
for websites that use different URLs for the same content.
It takes a text file with two tab separated columns.
Column 1: Regular expression to match against the URL
Column 2: Rewrite rule to generate a Store-ID
Rewrite rules are matched in the same order as they appear in the file.
So for best performance, sort it in order of frequency of occurrence.
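The rules-file format and first-match ordering described above can be shown with a self-contained rewriter. This is an added example, not the storeid_file_rewrite helper itself: it uses std::regex (ECMAScript syntax, so captures are referenced as $1 in the rewrite column), the "OK store-id=<id>" / "ERR" reply shape is assumed here rather than taken from this page, the '#' comment convention is this example's own, and the sample rules and URLs are constructed.

```cpp
#include <regex>
#include <sstream>
#include <string>
#include <vector>

struct RewriteRule {
    std::regex pattern;       // column 1: regular expression matched against the URL
    std::string replacement;  // column 2: rewrite rule producing the Store-ID
};

// Parse the two-column, tab-separated rules text. Order is preserved because
// the first matching rule wins. Blank lines and lines starting with '#' are
// skipped, and a line without a tab is ignored (conventions assumed here).
std::vector<RewriteRule> parseRules(const std::string &text)
{
    std::vector<RewriteRule> rules;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        if (line.empty() || line[0] == '#')
            continue;
        const size_t tab = line.find('\t');
        if (tab == std::string::npos)
            continue;
        rules.push_back({std::regex(line.substr(0, tab)), line.substr(tab + 1)});
    }
    return rules;
}

// Return the Store-ID for url, or "" when no rule matches. Only the first
// matching rule is applied, and only its first match within the URL is rewritten.
std::string storeIdFor(const std::vector<RewriteRule> &rules, const std::string &url)
{
    for (const RewriteRule &r : rules) {
        if (std::regex_search(url, r.pattern))
            return std::regex_replace(url, r.pattern, r.replacement,
                                      std::regex_constants::format_first_only);
    }
    return "";
}

// One helper reply line, assuming the "OK store-id=<id>" / "ERR" response form.
std::string helperResponse(const std::vector<RewriteRule> &rules, const std::string &url)
{
    const std::string id = storeIdFor(rules, url);
    return id.empty() ? std::string("ERR") : "OK store-id=" + id;
}

// Constructed sample rules: CDN shards collapse to one ID, video files key on the name.
const std::string kSampleRules =
    "# regex<TAB>rewrite\n"
    "^http://cdn[0-9]+\\.example\\.com/(.*)$\thttp://cdn.example.com.squidinternal/$1\n"
    "^http://[^/]+/video/([a-z0-9]+)\\.mp4$\thttp://video.squidinternal/$1.mp4\n";
```

Because rules are tried in file order, a broad pattern placed early shadows every more specific one after it; the ordering advice in the commit message (most frequent first) only holds when the patterns are mutually exclusive, so a rules file deserves review for overlaps as well as frequency.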
Alexis Robert [Tue, 9 Jul 2013 10:04:39 +0000 (22:04 +1200)]
Support IPv6 NAT interception on Linux
NAT support has been included for IPv6 in Linux 3.7 (along with
REDIRECT/DNAT rules), as well as IP6T_SO_ORIGINAL_DST in Linux 3.8.
Add support for transparent proxies over IPv6.
There is a bug in linux/netfilter_ipv6/ip6_tables.h on C++ compilers,
the bug report and patch to fix it can be found at
https://lkml.org/lkml/2012/9/30/146.
It is only used for the constant IP6T_SO_ORIGINAL_DST. We attempt to use
the official header whenever possible but if it is detected missing or
broken we define our own version of the option.
IPv6 is now permitted on any http_port or https_port in squid.conf
however on older Linux systems and Unix systems without the required NAT
support Squid will fail when accepting the traffic.
Also, this removes the blocker checks preventing BSD systems using NAT
interception on IPv6 ports. Several versions of PF have long since
supported IPv6 NAT operations although it was discouraged; such support
is not easily detected though, so results WILL vary by operating system.
Bug 3876: mDNS support segfault when using --disable-ipv6
When IPv6 is disabled the mDNS IPv6 multicast group gets rejected by
idnsAddnameserver() resulting in invalid pointers for the remaining
mDNS NS setup operations.
Convert the hard-coded mDNS nameserver count to dynamic global count and
elide the relevant NS when IPv6 support disabled.
- The SSL_CTX_new in newer OpenSSL releases requires a const
'SSL_METHOD *' argument and in older releases requires a non-const
'SSL_METHOD *' argument. Currently we are trying to identify the OpenSSL
version using the OPENSSL_VERSION_NUMBER macro define but we are failing
to correctly identify all cases.
- sk_OPENSSL_PSTRING_value is buggy in early OpenSSL-1.0.0? releases,
causing compile errors in squid.
Amos Jeffries [Sat, 29 Jun 2013 14:43:23 +0000 (08:43 -0600)]
Bug 3762: remove bogus WARNING in cache.log
The warning is bogus for several reasons:
* it appears with memory-only cache configurations
* it only checks the size of first SwapDir (as seen in bug 3762)
* very large memory spaces are now possible which may make disk appear
small by comparison.
Its usefulness in detecting memory and disk misconfigurations has long
been almost nil. Removing this entirely to resolve the bogus noise in
the above mentioned legitimate configurations.
Alexis Robert [Mon, 24 Jun 2013 07:42:35 +0000 (01:42 -0600)]
Fix Ip::Address::operator =(sockaddr_storage)
The memcpy() for AF_INET6 is using a length of sizeof(sockaddr_in) instead
of sizeof(sockaddr_in6), so squid was trying to connect to truncated IPv6
addresses with strange ports.
- The redirectStateData handlers require the HelperReply::Okay helper reply
result code, else they will drop the helper reply, but we always pass to them
the HelperReply::Unknown reply result code
- NotePairs does not support the "=" operator. This patch replaces such a command
using the NotePairs::append member, and also adds an unimplemented private
= operator and copy constructor to prevent developers from using it.
Amos Jeffries [Tue, 18 Jun 2013 23:26:17 +0000 (17:26 -0600)]
Add Master Transaction class
... to store and propagate the shared state used end-to-end through Squid
for logging or server-side component input. This excludes Job and Call
pointers, but does include any 'factual' data regarding the transaction.
Alex Rousskov [Tue, 18 Jun 2013 22:30:39 +0000 (16:30 -0600)]
Make sure %<tt includes all [failed] connection attempts.
The old code was using zero n_tries to detect the first connection attempt,
but n_tries is not incremented when we are opening a new connection rather
than reusing an old one. Perhaps n_tries should be updated differently as
well, but this change simply makes %<tt (hier.total_response_time) management
independent from that [complex] counter.
This patch modifies the squid cert validation subsystem to send to the cert validator
helper the complete certificate chain, not only the certificates sent by the
web server. This may not be possible in all cases, for example in cases
where the root certificate is not stored locally.
Also this patch includes a small optimization: it checks for domain mismatch
error only when the checked (current) certificate is the server certificate.
Deprecate log_icap and log_access configuration directives
The log_icap and log_access are not really needed to control request logging.
Someone can use ACLs with the access_log and icap_log configuration directives
for this purpose.
Also currently the requests denied for logging using the log_access access list
will not be accounted for in performance counters.
This patch:
- removes log_icap and log_access options from configuration file.
- adds the "stats_collection" access list to control performance counters
accounting.
Alex Rousskov [Mon, 10 Jun 2013 20:46:08 +0000 (14:46 -0600)]
Support forwarding intercepted but not bumped connections to cache_peers.
When talking to a cache_peer (i.e., sending a CONNECT request before tunneling
the transaction), tunnel code is using a clever hack: Squid does not parse
the CONNECT response from peer but blindly forwards it to the client. This
works great and simplifies code a lot, except when the client connection
was intercepted and, hence, the client did not send a CONNECT request and
is not expecting a CONNECT response.
In those situations, we now accumulate, parse, and strip the peer CONNECT
response (or close connection on errors).
The existing tunnel I/O code is too simple to accommodate that task -- it
cannot accumulate read data (its I/O buffers work in lockstep fashion, writing
everything it reads before reading again). Instead of rewriting the entire
tunnel code to use more complex buffers, I added a temporary accumulation
buffer for the CONNECT response. That buffer is not allocated unless it is
needed and does not grow beyond SQUID_TCP_SO_RCVBUF size, just like the
simple buffers.
Alex Rousskov [Sat, 8 Jun 2013 23:21:23 +0000 (17:21 -0600)]
Fix detection of concurrent ACLChecklist checks, avoiding !accessList asserts.
Concurrent checks are not supported, but it is possible for the same
ACLChecklist to be used for a sequence of checks, alternating fastCheck(void)
and fastCheck(list) calls. We needed a different/dedicated mechanism to detect
check concurrency (added ACLChecklist::occupied_), and we needed to preserve
(and then restore) pre-set accessList during fastCheck(list) checks.
Amos Jeffries [Fri, 7 Jun 2013 04:35:25 +0000 (22:35 -0600)]
SourceLayout: shuffle forward.h/cc to FwdState.h/cc
Our convenience libraries are using the filename forward.h for forward
declarations of symbols. This clashes with the old deprecated naming
of src/forward.h at times.
Rename the src/forward.* files to FwdState.* inline with current coding
guidelines and add a source maintenance check to avoid this problem in
future.
Alex Rousskov [Thu, 6 Jun 2013 16:43:29 +0000 (10:43 -0600)]
Do not log bogus ERRORs when url_rewrite_access bypasses url_rewriter.
The code uses HelperReply() object as a fake reply when url_rewrite_access
ACLs did not match. That fake reply had Unknown result code, which made Squid
log ERRORs to cache.log. We now use Error result code, just like
store_id_access does.
TODO: Bypass the overheads of creating and processing a fake reply by moving
all post-processing actions and checks into a new dedicated method and calling
that method when url_rewrite_access does not match. Do the same to the StoreID
code.
Amos Jeffries [Thu, 6 Jun 2013 15:39:53 +0000 (03:39 +1200)]
basic_sasl_auth: Fix helper auto-detection
The helpers update in rev.12782 revealed SASL detection errors in the
use of ./configure script variables. This fixes the SASL library checks
and updates them to use the configure variable naming scheme.
When Squid sends errors to the certificate validation daemon, the daemon cannot
tell which certificate caused which error. This is especially bad because the
validator has to return that same information in the response (the response
format requires the validator to match the error to the certificate).
This patch adjusts the validation request format to provide that information
using a set of the following key=value pairs:
error_name_N=the name of the certificate error number N
error_cert_N=the ID of the certificate which caused error_name_N
where N is a non-negative integer. N values start from zero and increase
sequentially.
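A validator consuming this format has to pair each error_name_N with its error_cert_N and insist on the sequential numbering, otherwise an error can silently be attached to the wrong certificate. The parser below is an added example, not Squid's or any validator's code: the sample request body, the cert_N identifiers, the host= line and the choice to ignore unrelated keys are all this example's assumptions, though the two X509_V_ERR_ names are real OpenSSL error names.

```cpp
#include <map>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

struct CertError {
    std::string name;    // error_name_N: the certificate error name
    std::string certId;  // error_cert_N: ID of the certificate that caused it
};

// Parse the key=value lines of a validation request and pair error_name_N with
// error_cert_N. N must start at 0 and be contiguous; a non-numeric index,
// a duplicate key, an index gap or an unpaired entry is rejected.
// Lines that are not error_name_/error_cert_ pairs are ignored by this example.
std::vector<CertError> parseCertErrors(const std::string &request)
{
    static const std::string namePrefix = "error_name_";
    static const std::string certPrefix = "error_cert_";
    std::map<unsigned long, std::string> names, certs;

    std::istringstream in(request);
    std::string line;
    while (std::getline(in, line)) {
        const size_t eq = line.find('=');
        if (eq == std::string::npos)
            continue;
        const std::string key = line.substr(0, eq);
        const std::string value = line.substr(eq + 1);

        std::map<unsigned long, std::string> *table = nullptr;
        std::string index;
        if (key.compare(0, namePrefix.size(), namePrefix) == 0) {
            table = &names;
            index = key.substr(namePrefix.size());
        } else if (key.compare(0, certPrefix.size(), certPrefix) == 0) {
            table = &certs;
            index = key.substr(certPrefix.size());
        } else {
            continue;
        }
        if (index.empty() || index.find_first_not_of("0123456789") != std::string::npos)
            throw std::invalid_argument("non-numeric index in " + key);
        if (!table->emplace(std::stoul(index), value).second)
            throw std::invalid_argument("duplicate key " + key);
    }

    if (names.size() != certs.size())
        throw std::invalid_argument("error_name_N/error_cert_N counts differ");

    std::vector<CertError> out;
    unsigned long expected = 0;
    for (const auto &entry : names) {
        if (entry.first != expected)
            throw std::invalid_argument("index gap: expected " + std::to_string(expected));
        const auto cert = certs.find(entry.first);
        if (cert == certs.end())
            throw std::invalid_argument("missing error_cert_" + std::to_string(entry.first));
        out.push_back({entry.second, cert->second});
        ++expected;
    }
    return out;
}

// True when the request body violates the pairing/numbering rules.
bool rejectsCertErrors(const std::string &request)
{
    try { parseCertErrors(request); return false; }
    catch (const std::invalid_argument &) { return true; }
}

// Constructed sample request body (the host= line and cert IDs are illustrative).
const std::string kSampleRequest =
    "host=www.example.com\n"
    "error_name_0=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT\n"
    "error_cert_0=cert_0\n"
    "error_name_1=X509_V_ERR_CERT_HAS_EXPIRED\n"
    "error_cert_1=cert_1\n";
```

A body with no error lines at all parses to an empty list, which is the normal case for a chain that validated cleanly; anything that names an error without its certificate, or skips an index, is refused rather than guessed at.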
Alex Rousskov [Wed, 5 Jun 2013 15:38:09 +0000 (09:38 -0600)]
Redo r12887 (bug 2066 fix) which introduced several related bugs:
- fatal() if chroot is given
- no chdir to / after chroot if coredump_dir is given
- wrong detection of "none" coredump_dir
- chdir to uninitialized pathbuf if no chroot is given
This emergency fix helps Squid start better but may need more testing/work.
Amos Jeffries [Tue, 4 Jun 2013 05:12:39 +0000 (23:12 -0600)]
Drop Ip::Address(Ip::Address *) constructor entirely
Has been deprecated for a while and appears to no longer be required by
any of the current code. The reference& copy-constructor can easily be
used in its place.
Amos Jeffries [Tue, 4 Jun 2013 04:21:48 +0000 (22:21 -0600)]
Fix NULL-dereference added in rev.12779
With the change of helper responses from Notes to NotePairs the errNote
in NTLM ERR/NA responses was altered to a potentially NULL char*, and
allowed to be printed in debugs() level 4.
This updates the NTLM and Negotiate helpers to print the helper response as
"Result: ..." in identical fashion.
Amos Jeffries [Tue, 4 Jun 2013 04:09:31 +0000 (22:09 -0600)]
Bug 2066: squid does not do chdir() after chroot()
The earlier workaround applied only fixed 1 of the 3 places performing
chroot().
This makes chroot and chdir integral parts of setting up Squid's running
directory and alters the chroot() calls to be mainSetCwnd() calls. Which
fixes several potential problems with core dumps from squid -z or -k
executions ending up in unexpected locations, regardless of whether
chroot() and coredump_dir are configured.
Amos Jeffries [Mon, 3 Jun 2013 14:38:26 +0000 (08:38 -0600)]
Fix basic_pam_auth helper detection
The m4_include() for this helpers test script was omitted from rev.12782.
Add that in, and shuffle the PAM-specific configure tests into the helper
required.m4 script.
Amos Jeffries [Mon, 3 Jun 2013 14:05:16 +0000 (08:05 -0600)]
Polish: update Ip::Address to follow Squid coding guidelines
* lower-case initial word for camelCase method names
* _ suffix for private variables.
* upper-case for static methods
* InitAddrInfo() and FreeAddrInfo() are static, do not use as methods
Not all methods are camelCased due to meaning irregularities and there
are other guidelines not being followed which also need to be fixed.
Amos Jeffries [Sun, 2 Jun 2013 14:32:18 +0000 (02:32 +1200)]
Fix incorrect external_acl_type codes
Documentation describes %USER_CA_CERT_* codes for outputting the CA cert
attributes. However the directive parser and internals were all
referencing it as %CA_CERT_*.
This updates the internals to match documentation, and adds an upgrade
notice for any installations using the old token name.
Amos Jeffries [Sun, 2 Jun 2013 11:47:05 +0000 (05:47 -0600)]
Support multicast DNS
Resolve .local domain names using mDNS one-shot queries ahead of regular
recursive DNS queries.
* adds the mDNS multicast group IPs as always-present entries in the
nameservers list.
* filters each request. ".local" lookups are permitted to both the mDNS
resolvers and the recursive resolvers, other requests are only
permitted to the regular recursive resolvers.
Amos Jeffries [Sat, 1 Jun 2013 10:01:13 +0000 (04:01 -0600)]
Fix typo in rev.12859
cbdataReference() is a macro with a design which means it requires usage
in the form of an assignment, i.e. a = cbdataReference(B);, or as a
parameter equivalent to a variable.
Not using it in either of those manners results in syntax errors about a
',' from any strict compiler, and many older versions of GCC.