Amos Jeffries [Wed, 4 Feb 2015 21:37:28 +0000 (13:37 -0800)]
Drop unused cbdata.h definitions and re-document
Remove the now unused cbdataFree, cbdataAlloc, CBDATA_TYPE,
CBDATA_INIT_TYPE, CBDATA_INIT_TYPE_FREECB symbols.
Re-write CBDATA documentation to reflect the current available
API symbols, their usage, and mechanisms that should be used
instead of CBDATA such as AsyncJob/Call and RefCount.
Along with some doxygen polishing to meet currently agreed
style for how to document major code features.
Make generic_cbdata::data a private member. The constructor
and unwrap() operator provide all necessary public API.
Replace store_client.cc use of cbdataInternalLock/Unlock with
a CbcPointer<> smart pointer equivalent. The use remains an
abuse of CBDATA, just no longer directly referencing the
internal API functions.
Amos Jeffries [Wed, 4 Feb 2015 17:38:27 +0000 (09:38 -0800)]
Fix some cbdataFree related memory leaks
The delete operator should have been called for these objects after
previous code changes converted them to CBDATA_CLASS. As a result any
member objects relying on their destructor to cleanup were being leaked.
Also, make generic_cbdata::data a private member. The unwrap() method is
easily used now.
Amos Jeffries [Sun, 1 Feb 2015 21:25:46 +0000 (13:25 -0800)]
Cleanup: migrate CachePeer to CBDATA_CLASS API
Replace the alloc/free for CachePeer with new/delete from
the CBDATA_CLASS API.
Shuffle class member default values to constructor.
Shuffle class cleanup code from the (3!) different mechanisms
where it was being done to the class destructor. Also
releasing some memory which was previously leaked on
reconfigure.
Drop the now unused CBDUNL type definition and peerDestroy()
cleanup handler for CachePeer.
Amos Jeffries [Sat, 31 Jan 2015 19:09:22 +0000 (08:09 +1300)]
Per-rule refresh_pattern matching statistics
.. to make it blindingly obvious from the cachemgr report which rules
are completely useless. Such as when the global dot pattern (.) is
placed ahead of custom rules, or one rules pattern is always a subset
of an earlier pattern.
This also allows sysadmin to tune refresh_pattern ordering so most
commonly matching rules are first.
Amos Jeffries [Sat, 31 Jan 2015 14:10:25 +0000 (06:10 -0800)]
Stop emitting (Proxy-)Authentication-Info for Negotiate
This header is not defined for use by RFC 4559, and there seem to
be no clients actually using it.
The syntax Squid was using to emit the details was also clashing
with the syntax defined for use in Digest which is becoming the
standardized ABNF syntax for the header in general.
Amos Jeffries [Sun, 25 Jan 2015 04:48:21 +0000 (20:48 -0800)]
Remove dst ACL dependency on HTTP request message existence
The ACL checklist dst_addr member can be used in cases where the HTTP
message is not provided. Such as ssl_bump, ICAP outgoing IP, or peer
selection probes.
When he prefix() method is passed a set limit for characters to scan and
the matched characters do reach that limit the entire Tokenizer buffer
content is consumed and returned.
Correct operation is to only consume and return the matched characters.
Add missing root CAs when validating chains that passed internal checks.
When internal checks found no certificate errors, Squid does not include root
CA certificate in certificates chain sent to the certificate validator. Squid
just sent the certificates chain sent by the SSL server.
This patch stores the full certificates list built by OpenSSL while validating
the SSL server certificates chain, even if no certificate error found and sends
this list to certificate validator.
Amos Jeffries [Thu, 22 Jan 2015 12:54:08 +0000 (04:54 -0800)]
RFC 7230 compliant request-line parser based on Tokenizer API
Refactor the request-line parser using a Tokenizer.
RFC 7230 requirements provide field terminator/delimiter limitations and
character sets for token validation. Also provides definitions of
boundaries for relaxed/tollerant parsing without needing Squid-specific
RFC violations.
This implementation is slightly stricter regarding whitespace in URLs
than previous implementation. It obeys a SHOULD requirement in RFC 7230
regarding responding with 400 status to those broken request messages.
Set cap_net_admin capability when Squid sets TOS/Diffserv packet values.
In capabilities-capable environments (e.g., Linux with libcap), CAP_NET_ADMIN
capability is required to honor clientside_tos and tcp_outgoing_tos
directives. The code was setting that capability when Netfilter marks or
tproxy was enabled, but missed the clientside_tos and tcp_outgoing_tos cases.
Moved PID file management from Coordinator to Master.
This move is the first step necessary to avoid the following race condition
among PID file deletion and shared segment creation/destruction in SMP Squid:
O1) The old Squid Coordinator removes its PID file and quits.
N1) The system script notices Coordinator death and starts the new Squid.
N2) Shared segments are created by the new Master process.
O2) Shared segments are removed by the old Master process.
N3) New worker/disker processes fail due to missing segments.
TODO: The second step (not a part of this change) is to delete shared memory
segments before PID file is deleted (all in the Master process after this
change).
Now the Master process receives signals and is responsible for forwarding them
to the kids.
The kids does not install default signal handler for shudown signals (SIGINT,
SIGTERM) after a signal received. If a second shutdown signal is received then
squid imediatelly terminates the event loop and exits.
When the "kill-parent-hack" is enabled the kids are sending the kill signal
to master process and master process forward it to other kids too.
Also a small regression added: The PID file can no longer be renamed using
hot reconfiguration. A full Squid restart is now required for that.
When the force_request_body_continuation access list is configured squid is
sends 100-Continue responses to all HTTP GET messages unless the admin
is very careful with the ACLs. This can be reproduced trivially with
force_request_body_continuation allow all
We should not evaluate force_request_body_continuation if the request
does not include "Expect: 100-continue" header.
Amos Jeffries [Sun, 18 Jan 2015 16:34:13 +0000 (08:34 -0800)]
Support rotate=N option on access_log
Add a rotate=N option to access_log directive to set per-log what the
retained log count will be. At present it is only used by the stdio:
logging module, which is also the only one to use logfile_rotate
directive.
If this option is absent (as will be the common case) the log rotation
defaults to using the value of logfile_rotate directive.
Also, add missing dump output of other access_log options if they differ
from the defaults.
The use-cases for this are:
1) Unix fifo logging requires all the stdio: module operations except
that the normal rotate/rename operation is NOT performed on the fifo
socket. It makes more sense to add this option which can also meet case
#2 than to create a whole new module just for fifo.
2) managing only some access_log files with a third-party log manager.
Those specific logs need rotate=0, but the Squid managed logs may
require non-0 values.
Amos Jeffries [Sat, 17 Jan 2015 09:15:53 +0000 (01:15 -0800)]
Bug 3997: Excessive NTLM or Negotiate auth helper annotations
With the transaction annotations feature added in Squid-3.4 auth
helper response values get recorded as annotatiions. In the case
of NTLM and Negotiate authentication the helper response contains
a large credentials token which changes frequently.
Also, user credentials state is cached. In the case of NTLM and
Negotiate the active credentials are cached in the TCP connection
state data, but also for the cache mgr helper reports make use of
caching in a global username cache.
When these two features are combined, the global username cache
for mgr reporting accumulates all TCP connection specific
token= values presented by the client on all its connections, and
any changes to the token over its lifetime.
The result is that for users performing either many transactions,
or staying connected for long periods the memory consumption from
unnecesarily stored tokens is excessive. When clients do both the
machine memory can be consumed, and the CPU can reach 100%
consumption just walking the annotations lists during regular
operations.
To fix this we drop the security credentials tokens from cached
annotations list in NTLM and Negotiate. Digest is also included
though its HA1 token value is static it has similar privacy issues
related to storage.
Also, use the new 3.5 APi for username cache key creation to build
the global username cache key for NTLM/Negotiate using the TCP
connection specific token so that credentials and associated
tokens do not get accidentally shared between connections and the
manager can accurately report users.
Intercepting proxies often receive non-HTTP connections. Squid cannot currently
deal with such connections well because it assumes that a given port receives
HTTP, FTP, or HTTPS traffic exclusively. This patch allows Squid to tunnel
unexpected connections instead of terminating them with an error.
In this project, we define an unexpected connection as a connection that
resulted in a Squid error during first request parsing. Which errors trigger
tunneling behavior is configurable by the admin using ACLs.
# tunnel everything that does not look like HTTP:
on_first_request_error tunnel foreignProtocol
# tunnel if we think the client waits for the server to talk first:
on_first_request_error tunnel serverTalksFirstProtocol
# in all other error cases, just send an HTTP "error page" response:
on_first_request_error respond all
# Configure how long to wait for the first byte on the incoming
# connection before raising an ERR_REQUEST_START_TIMEOUT error.
request_start_timeout 5 seconds
The overall intent of this TCP tunnel is to get Squid out of the communication
loop to the extent possible. Once the decision to tunnel is made, no Squid
errors are going to be sent to the client and tunneled traffic is not going to
be sent to Squid adaptation services or logged to access.log (except for a
single summary line at the end of the transaction). Connection closure at the
server (or client) end of the tunnel is propagated to the other end by closing
the corresponding connection.
This patch also:
Add "on_first_request_error", a new ACL-driven squid.conf directive that can
be used to establish a blind TCP tunnel which relays all bytes from/to the
intercepted connection to/from the intended destination address. See the sketch
above.
The on_first_request_error directive supports fast ACLs only.
Add "squid_error", a new ACL type to match transactions that triggered a given
Squid error. Squid error IDs are used to configure one or more errors to match.
This is similar to the existing ssl_error ACL type but works with
Squid-generated errors rather than SSL library errors.
Add "ERR_PROTOCOL_UNKNOWN", a Squid error triggered for http_port connections
that start with something that lacks even basic HTTP request structure. This
error is triggered by the HTTP request parser, and probably only when/after the
current parsing code detects an error. That is, we do not want to introduce
new error conditions, but we want to treat some of the currently triggered
parsing errors as a "wrong protocol" error, possibly after checking the parsing
state or the input buffer for some clues. There is no known way to reliably
distinguish malformed HTTP requests from non-HTTP traffic so the parser has
to use some imprecise heuristics to make a decision in some cases.
In the future, it would be possible to add code to reliably detect some popular
non-HTTP protocols, but adding such code is outside this project scope.
Add "request_start_timeout", a new squid.conf directive to trigger a new
Squid ERR_REQUEST_START_TIMEOUT error if no bytes are received from the
client on a newly established http_port connection during the configured
time period. Applies to all http_ports (for now).
No support for tunneling through cache_peers is included. Configurations
that direct outgoing traffic through a peer may break Squid.
Amos Jeffries [Mon, 12 Jan 2015 08:11:06 +0000 (00:11 -0800)]
squidclient: Fix -A and -P options
With --https addition the A and P values are re-used for --cert and
--params within HTTPS options. This works for long options, but they
cannot be listed as short options by the Transport:: module because
they are required at the top level by old-style HTTP parameters.
Amos Jeffries [Thu, 8 Jan 2015 23:41:52 +0000 (15:41 -0800)]
Update IPC sockets verification check
Coverity Scan gets confused by the code trick of using memset() on a
buffer then filling arbitrary string data into all but the final byte of
that buffer - thus implicitly null terminating.
Try an explicit null termination instead of memset(), this should make
Coverity a bit happier and is also faster than zero'ing the entire buf.
projects / thirdparty / squid.git / log
