Amos Jeffries [Fri, 21 Nov 2014 04:33:21 +0000 (20:33 -0800)]
Fix build errors on CentOS 7 in rev.13712
It turns out the RHEL and CentOS 7 STL definition does not quite match
up to official documentation of what their GCC version supports. In
particular the use of const_iterator on std::list containers.
Use auto instead of an explicit iterator. Allowing the compiler to select
whichever iterator is available and will work.
In many cases HITs are logged with zero response times. The logging entries are
correct; those transactions took less than a millisecond. However, to better
monitor Squid performance and to optimize things further, a user may want to
see more precise response time measurements logged.
Squid already computes response times with microsecond resolution
(timeval::tv_usec), which would be enough for any modern measurement, but
Squid loses that precision due to tvSubMs conversion.
This patch adds configurable "precision" for time-related fields such as %tr,
using a .n syntax similar to the syntax used by the well-known printf(3) API
to mean "maximum field width".
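As an added illustration (not Squid's own code) of why sub-millisecond HITs logged as 0 and what a precision-aware %tr would show: legacyMsDiff models the whole-millisecond tvSubMs conversion, and formatResponseTime is an assumed formatter in which .n selects the number of fractional millisecond digits.

```cpp
#include <cstdio>
#include <string>
#include <sys/time.h>

// Legacy behaviour, modelled on the tvSubMs conversion described above: the
// difference is collapsed to whole milliseconds, so a 0.75 ms HIT logs as 0.
long legacyMsDiff(const struct timeval &start, const struct timeval &end)
{
    return (end.tv_sec - start.tv_sec) * 1000L + (end.tv_usec - start.tv_usec) / 1000L;
}

// Assumed precision-aware formatter for a %tr-style field: elapsed time in
// milliseconds with `precision` fractional digits (0..3), keeping the
// microsecond resolution that timeval::tv_usec already carries.
std::string formatResponseTime(const struct timeval &start, const struct timeval &end,
                               int precision)
{
    long usec = (end.tv_sec - start.tv_sec) * 1000000L + (end.tv_usec - start.tv_usec);
    if (precision < 0) precision = 0;
    if (precision > 3) precision = 3;   // microseconds allow at most 3 fractional digits

    // Drop the digits beyond the requested precision (truncating, as the
    // integer conversion does), then split into whole and fractional parts.
    long scale = 1;
    for (int i = precision; i < 3; ++i) scale *= 10;
    long scaled = usec / scale;
    long divisor = 1;
    for (int i = 0; i < precision; ++i) divisor *= 10;

    char buf[32];
    if (precision == 0)
        std::snprintf(buf, sizeof(buf), "%ld", scaled);
    else
        std::snprintf(buf, sizeof(buf), "%ld.%0*ld", scaled / divisor, precision,
                      scaled % divisor);
    return buf;
}
```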
Amos Jeffries [Wed, 19 Nov 2014 22:29:50 +0000 (14:29 -0800)]
ParserNG: fix typo in rev.13688
Squid xstrncpy() assumes \0-termination and enforces it by overwriting
the last byte of the output. Un-terminated strings must have +1 length
delivered or they will be truncated.
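Added illustration of the +1 rule above (xstrncpyModel follows the contract described in the message; it is not Squid's xstrncpy): copying an unterminated 6-byte buffer with n = 6 loses the last byte, while n = 7 preserves it.

```cpp
#include <cstddef>
#include <string>

// Model of the xstrncpy() contract described above: at most n-1 bytes are
// copied and the last byte of the output (dst[n-1] at most) is always '\0'.
char *xstrncpyModel(char *dst, const char *src, std::size_t n)
{
    if (n == 0) return dst;
    std::size_t i = 0;
    // Stops at n-1 before ever reading src[n-1], so an unterminated source of
    // length n-1 is safe to copy in full.
    for (; i < n - 1 && src[i] != '\0'; ++i)
        dst[i] = src[i];
    dst[i] = '\0';
    return dst;
}

// Copies an unterminated buffer of `len` bytes. extra = 0 reproduces the
// truncation; extra = 1 is the +1 the commit says must be delivered.
std::string copyUnterminated(const char *buf, std::size_t len, std::size_t extra)
{
    char out[64];
    xstrncpyModel(out, buf, len + extra);
    return std::string(out);
}
```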
Amos Jeffries [Tue, 18 Nov 2014 10:13:39 +0000 (02:13 -0800)]
Alternate-Protocol is a hop-by-hop header
Google are pushing Alternate-Protocol header to arbitrarily move clients
from HTTP to their experimental and proprietary protocols.
When relayed through a proxy this can cause traffic bifurcation with
side effects ranging from client visible failures, to traffic increase
on the network as proxy caching is bypassed, to security vulnerabilities
or privacy information leaks over the experimental protocol.
Treating the Alternate-Protocol header as a hop-by-hop header only
relevant on client->origin connections we can both prevent the above
issues occurring on networks utilizing a proxy, and also participate in
the protocol experimentation process ourselves.
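An added example, not the commit's code, of the relay-side rule it describes: stripHopByHop drops the Connection-listed and standard hop-by-hop headers plus Alternate-Protocol before a header block is forwarded. Transfer-Encoding is deliberately left in place here because a proxy handles it together with body re-framing rather than by deletion.

```cpp
#include <algorithm>
#include <cctype>
#include <set>
#include <sstream>
#include <string>
#include <vector>

static std::string lower(std::string s)
{
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

static std::string trim(const std::string &s)
{
    std::size_t b = s.find_first_not_of(" \t");
    if (b == std::string::npos) return "";
    std::size_t e = s.find_last_not_of(" \t\r");
    return s.substr(b, e - b + 1);
}

// Takes the raw "Name: value" lines of one message and returns those a proxy
// may relay. Removes the fixed hop-by-hop set, every name listed in
// Connection, and Alternate-Protocol, which the commit treats as hop-by-hop so
// a client behind the proxy is not steered onto a protocol the proxy cannot see.
std::vector<std::string> stripHopByHop(const std::vector<std::string> &lines)
{
    std::set<std::string> drop = {"connection", "keep-alive", "proxy-authenticate",
                                  "proxy-authorization", "te", "trailer", "upgrade",
                                  "alternate-protocol"};
    // First pass: Connection names additional connection-specific headers.
    for (const auto &line : lines) {
        std::size_t colon = line.find(':');
        if (colon == std::string::npos) continue;
        if (lower(trim(line.substr(0, colon))) != "connection") continue;
        std::stringstream ss(line.substr(colon + 1));
        std::string tok;
        while (std::getline(ss, tok, ','))
            drop.insert(lower(trim(tok)));
    }
    // Second pass: keep only end-to-end headers (malformed lines are kept as-is).
    std::vector<std::string> out;
    for (const auto &line : lines) {
        std::size_t colon = line.find(':');
        std::string name = colon == std::string::npos ? "" : lower(trim(line.substr(0, colon)));
        if (!drop.count(name))
            out.push_back(line);
    }
    return out;
}
```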
Amos Jeffries [Tue, 18 Nov 2014 06:38:51 +0000 (22:38 -0800)]
Move the AnyP::ProtocolVersion stream operator into AnyP:: namespace
Clang compiler detects an issue determining which of multiple overloaded
operator<<() at global scope apply to the display of
AnyP::ProtocolVersion.
Moving the operator into the class itself is not possible due to similar
scoping issues with GCC failing to detect it as an inline member from
inside expanded templates.
To resolve both issues we can move the operator only to the AnyP::
namespace but no deeper.
Amos Jeffries [Mon, 17 Nov 2014 10:04:18 +0000 (02:04 -0800)]
Fix output from squid.conf parser
DBG_CRITICAL level messages before self_destruct() require a FATAL: tag
to highlight the reason for the crash and obscure "BUNGLED" text which
is about to follow.
Currently Squid fails to correctly handle "100 Continue" requests/responses
when ICAP is used. The problems are discussed in the Squid bugzilla:
http://bugs.squid-cache.org/show_bug.cgi?id=4067
A short discussion of the problem:
When a data upload request enters squid (eg a PUT request with
"Expect: 100-continue" header), squid sends ICAP headers and HTTP headers to
the ICAP server and gets stuck waiting forever for the request body data.
This patch implements the "force_request_body_continuation" access list
directive which controls how Squid handles data upload requests from HTTP and
send the request body to Squid.
An allow match tells Squid to respond with the HTTP 100 or FTP 150
(Please Continue) control message on its own, before forwarding the
request to an adaptation service or peer. Such a response usually forces
the request sender to proceed with sending the body. A deny match tells
Squid to delay that control response until the origin server confirms
that the request body is needed. Delaying is the default behavior.
Amos Jeffries [Mon, 10 Nov 2014 08:42:54 +0000 (00:42 -0800)]
C++11: cleanup compiler flag detection logics
Annotate what GCC version is required to pass the -std=c++11 and
-std=c++0x feature detection tests.
Disable the tests for features we do not use that require GCC 4.5+.
This should allow Squid to continue building on older OS and compilers
at least until we start using those features.
Amos Jeffries [Mon, 10 Nov 2014 07:47:13 +0000 (23:47 -0800)]
RFC 6176 compliance
... prohibits use of SSLv2.
https://tools.ietf.org/html/rfc6176
Remove the documentation and support for configuring Squid with
SSLv2-only.
Explicitly enable the SSL_NO_SSLv2 option when provided by the library
to prevent implicit fallback.
Remove support for ssloptions= values which are for SSLv2-specific bugs.
Due to the way they are implemented with atoi(), sslversion=N
configuration will still accept the values for SSLv2-only. But the
context creation will now unconditionally produce "SSLv2 not
supported" errors if the now undocumented values are attempted.
Make helper queue size configurable, with consistent defaults and better overflow handling.
This patch adds a queue-size=N option to helpers configuration. This
option allows users to configure the maximum number of queued requests
to busy helpers. We also adjusted the default queue size limits to be
more consistent across all helpers and made Squid more robust on some
queue overflows:
- external_acl helpers
Make the maximum queue size configurable via queue-size.
Default to 2*maximum-number-of-children.
If the queue overflows, then the ACL returns ACCESS_DUNNO.
Unpatched code uses the number of running children as the maximum
queue size. If the queue is overloaded, then the ACL returns ACCESS_DUNNO.
- redirector/storeID helpers
Make the maximum queue size configurable via queue-size.
Default to 2*maximum-number-of-children.
If the queue overflows and redirector_bypass configuration option
is set, then redirector is bypassed. Otherwise, if overloading
persists for more than 3 minutes squid quits with a FATAL message.
If the redirector_bypass/storeID_bypass is set then the default queue_size
is set to 0 for backward compatibility.
Unpatched code uses 2*number-of-running-children as the maximum queue size.
If the redirector_bypass/storeID_bypass is set then the helper is bypassed if all
of the children are busy.
If the queue is overloaded and redirector_bypass/storeID_bypass is not set
then squid quits with a FATAL message.
- ssl_crtd/ssl_crtd_validator helpers.
Make the maximum queue size configurable via queue-size.
Default to 2*maximum-number-of-children.
If the queue overflows, then helpers are bypassed. If overloading persists
for more than 3 minutes squid quits with a FATAL message.
The default size limit and overflow behavior has not changed.
- Authentication helpers
Make the maximum queue size configurable via queue-size.
Default to 2*maximum-number-of-children.
If the queue overflows and overloading persists for more than 3 minutes,
then squid quits with a FATAL message.
The default size limit and overflow behavior has not changed.
Amos Jeffries [Fri, 7 Nov 2014 08:41:47 +0000 (00:41 -0800)]
Parser-NG: HTTP Parser structural redesign
This update is to lay the groundwork for several planned future projects
implementing protocol specific parsers, separating the currently
intertwined client connection management and HTTP protocol parsing
logics, and for zero-copy processing of transactions using SBuf.
This patch renames the HttpParser class as RequestParser and moves it
into the Http::One:: namespace as child of an Http::Parser class with
generic API accessors for shared use by other HTTP message parsers.
The class API
- is updated to process both the request-line and HTTP mime headers,
returning an incomplete parse result until the entire headers parts of
the message have been received.
- now contains accessor methods for retrieving the method, URI,
protocol, mime headers block (as an SBuf) and some metrics about those.
- the old request_offsets structure and similar offset details are no
longer exposed.
- now emits 414 and 431 HTTP status codes as appropriate.
The parser is made partially incremental and some use of Tokenizer is
added for faster parsing. There is more that can be done to further
speed up parsing of slow or very large requests.
Much of the code from client_side.cc parseHttpRequest() and also the
header-field code from mime_headers.cc has been moved into the parser
class. The client_side.cc code now simply runs the main
Http1::RequestParser::parse() method then uses accessors to retrieve
and process the parse results.
A unit test for incremental parsing has been added to testHttpParser.
Also, the HttpRequestMethod class is moved into the Http:: namespace and
library to reduce dependencies on the parser class outside the library.
The gains made so far from incremental parse, reducing parser passes and
zero-copy SBuf are offset by several temporary performance regressions
added converting SBuf for legacy code use. These are marked for later
removal.
Amos Jeffries [Tue, 4 Nov 2014 08:47:03 +0000 (00:47 -0800)]
Bug 1961 part 2: redesign of URL handling.
Move the HttpRequest::login detail into class URL. Renaming to userInfo
as per the RFC 3986 defined name for this URI piece.
Convert the details to SBuf gaining several minor str*() removals in
the process and a simpler FTP login parser based on SBuf capabilities.
Also, updated the base64 encoder API used for converting between URI
userInfo and Basic authentication header token. Gaining better control
over the length of maximum token size and a small speedup from pre-known
input length.
Amos Jeffries [Sun, 2 Nov 2014 00:10:01 +0000 (17:10 -0700)]
Cleanup: Simplify CBDATA API and rename CBDATA_CLASS
There are no logic changes here.
* Rename CBDATA_CLASS2() to CBDATA_CLASS()
* Remove cbdata*Dbg() duplicate interface for CBDATA.
Inline it with the CBDATA_CLASS() API
* update public:/private: class section handling in CBDATA_CLASS() and
place all uses at the top of class definition as with MEMPROXY_CLASS()
and typedef coding style.
- this highlights TunnelStateData API as previously broken in regards
to private members. Leave it public: for now with TODO on fixing.
Amos Jeffries [Sat, 1 Nov 2014 05:04:05 +0000 (22:04 -0700)]
Docs: Add man(8) page for helper-mux tool
Convert the helper-mux.pl.README to inlineperl docs and generate a man(8)
page using pod2man when possible.
Also, shuffle the tool into a sub-directory of its own for easier build
management.
Also, add an automake conditional ENABLE_POD2MAN_DOC to allow optional
build of perl tools or helpers without depending on pod2man which is
only necessary for the documentation.
Amos Jeffries [Tue, 21 Oct 2014 11:10:13 +0000 (04:10 -0700)]
Enable flexible transport protocol in Server hierarchy
We are quickly approaching a time when a client connection can freely
migrate between protocols or versions of protocols. Already we have
ssl-bump which can switch a connection from HTTP to HTTPS. We are also
expecting switching HTTP<->HTTPS via Upgrade, and HTTP/1<->HTTP/2 via
"magic", Upgrade, or ALPN.
Based on ssl-bump experience with switchedToHttps() and the pain that
can be predicted when there are several permutations of such accessors
to test against make the Server class aware of what transfer protocol
is in use at whatever the 'top' layer of the protocol stack is.
* Add a transportVersion member to ConnStateData which holds the current
protocol to be used over the clientConnection socket. This variable can
be altered whenever necessary to cause an on-wire protocol change. New
connections default to the protocol signalled in the http(s)_port directive.
* ssl-bump transforms the transportVersion from whatever it was
previously (usually HTTP or HTTPS) to HTTPS, and back to HTTP if a splice
action is performed.
* transparent and reverse-proxy URL reconstruction is updated to use the
new member instead of the http(s)_port protocol= setting. This removes
edge conditions where the URL reconstructor needs to figure out ssl-bump
existence.
Amos Jeffries [Mon, 20 Oct 2014 06:58:59 +0000 (23:58 -0700)]
Cleanup: Simplify MEMPROXY_CLASS_* macros
There are no logical changes in this patch.
* Make MEMPROXY_CLASS() macro inline its definitions.
* Remove MEMPROXY_CLASS_INLINE
* Remove last remaining mention of obsolete MEMPROXY_CLASS_INIT
* Adjust MEMPROXY_CLASS() to control its private/public definitions
appropriate to their needs.
* Shuffle all MEMPROXY_CLASS() macro uses to the top of the relevant
classes (in some cases renaming struct to class with public members
if necessary) such that the new terminal private: does not affect
existing class definitions.
Bug 4102: sslbump cert contains only a dot character in key usage extension
The patch for bug 3966 was slightly incorrect. As a result the Key Usage
field for SSL-bump mimic'ed certificates could end up containing only a
dot (.) character.
Amos Jeffries [Sun, 19 Oct 2014 22:06:38 +0000 (15:06 -0700)]
Enable long (--foo) command line parameters on squid binary
The squid binary is running out of single-character options that make
any sense phonetically or as abbreviations. This lays the groundwork for
future options to use words or even just more than a single character.
Since we cannot define an empty array for long options, add --help and
--version as initial expansions of -h and -v.
Amos Jeffries [Thu, 16 Oct 2014 18:01:46 +0000 (11:01 -0700)]
Bug 3803: ident leaks memory on failure
Begin the process of conversion for IdentStateData to an AsyncJob.
* convert the object from CBDATA struct to a class with
CBDATA_CLASS2() API.
* Bug 3803 is caused by a lack of proper cleanup and consistent exit
actions terminating the job. Take the core logic changes from the
tested bug patch and;
1) define a swanSong() method to cleanup the memory allocated
2) define a deleteThis() method to emulate AsyncJob::deleteThis()
* Locate all code paths leveraging conn->close() to trigger cleanup
via the connection close handler and convert to explicit deleteThis()
with excuse. Including a few which were not but need to in order to
terminate the job correctly as fixed in bug 3803 patch.
The actions performed are nearly identical to the original code. The
differences are that many code paths now omit an AsyncCall step going
via the Comm close handler, and that all paths terminating the IDENT
lookup now go through swanSong() cleanup.
Further cleanup converting to a full AsyncJob is not included, since
there is an explicit hash of running IdentStateData object pointers
being used in the old code.
Amos Jeffries [Wed, 15 Oct 2014 14:09:32 +0000 (07:09 -0700)]
Audit updates
* rename HttpRequestMethod(char*) to HttpRequestMethodXXX() in order to
assist removal since it is deprecated now
- plus code polishing and unit-test updates to work with this as a
method instead of constructor
* fix several potential out-of-bounds SBuf and MemBlob accesses
Amos Jeffries [Fri, 10 Oct 2014 16:06:38 +0000 (09:06 -0700)]
CBDATA: log memory leak situations when --enable-debug-cbdata
CBDATA objects are supposed to be explicitly locked and unlocked by all
users. The nominal 'owner' of the data is also supposed to mark it as
invalid when unlocking its reference.
If a CBDATA object reaches 0 locks and is still valid, it therefore
follows that either the locking or invalidate has not been properly
implemented.
Now that we are migrating to CbcPointer usage instead of explicit
lock/unlock macro calls we have started encountering these situations.
Any object reporting a 'leak' must be investigated;
a) perhaps RefCount is better?
b) using CbcPointer consistently and invalidating correctly.
Amos Jeffries [Wed, 8 Oct 2014 15:51:28 +0000 (08:51 -0700)]
Bug 4088: memory leak in external_acl_type helper with cache=0 or ttl=0
ExternalACLEntry / external_acl_entry objects have been abusing the
CBDATA API for reference counting and since 3.4 this has resulted in
hidden memory leaks as object accounting shows all locks released but
the memory is not freed by any 'owner'.
* convert to using RefCount<> API.
* move ExternalACLEntry pre-define to acl/forward.h
* add ExternalACLEntryPointer in acl/forward.h
* convert LookupDone() method to using explicit typed pointer
* convert from CBDATA_CLASS to MEMPROXY_CLASS memory management.
* convert almost all raw ExternalACLEntry* to Pointer
- remaining usage is in the cache hash pointers. Use an explicit 'cachd'
lock/unlock until this hash is updated to std:: structure types.
Browser vendors will get rid of SSL certificates that use SHA-1 to generate
the hash that is then signed by the CA. For example, Google Chrome will start
to show an "insecure" sign for certificates that are valid after 1.1.2016 and
will generate a warning page for certificates that are valid after 1.1.2017 [1],
[2], [4]. Microsoft will block certificates with SHA-1 after 1.1.2017 [3].
This patch:
1) Add a new configuration option to select the signing hash for
generated certificates: sslproxy_cert_sign_hash.
2) If sslproxy_cert_sign_hash is not set, then use the sha256 hash.
This patch adds support for the "Validate server certificates without bumping"
use case described on the Peek and Splice wiki page:
http://wiki.squid-cache.org/Features/SslPeekAndSplice
This patch sends the certificates and errors found in the SslBump3 step to the
certificate validation helper, even if the splicing mode is selected.
If the validation helper finds errors in the certificates, an error
page is returned to the HTTP client.
The SSL error forwarding is controlled by ACLs along these lines:
sslproxy_cert_error allow sslBoringErrors
sslproxy_cert_error allow serversWithInvalidCerts
sslproxy_cert_error deny all