%<tt (total server time) is not computed in some cases
The total server time is not computed for CONNECT requests.
An other example case is when server-first bumping mode is used and squid
connects to SSL peer, but connection terminated before the SSL handshake
completes.
PROXY protocol has been developed by Willy Tarreau of HAProxy for
communicating original src and dst IP:port details between proxies and
load balancers in a protocol-agnostic way.
stunnel, HAProxy and some other HTTP proxying software are already
enabled and by adding support to Squid we can effectively chain these
proxies without having to rely on X-Forwarded-For headers.
This patch adds http_port mode flag (require-proxy-header) to signal the
protocol is in use, parsing and processing logics for the PROXY protocol
headers on new connections, and the proxy_protocol_access control to
manage inbound connections.
The indirect client security/trust model remains unchanged. As do all
HTTP related logics on the connection once PROXY protocol header has
been received.
Furture Work:
* support sending PROXY protocol to cache_peers
* support receiving PROXY protocol on https_port
* rework the PROXY parse logics as a Parser-NG child parser.
Close active pconns after their *_port goes away on reconfigure.
This change reduces what may be perceived as reconfigure memory leaks
related to *_port options. Before this change, a single persistent
connection could continue to receive new requests (and tie no longer
globally accessible PortCfg-related structures) for hours.
The goal of this patch is to make SSL bumping decision after the origin server
name is known.
Peek and Splice peeks at the SSL client Hello message and SNI info if any
(bumping step 1), sends identical or a similar Hello message to the SSL server
and peeks at the SSL server Hello message (bumping step 2), and finally
decides to proceed with splicing or bumping the connection (bumping step 3).
After the step 1 bumping step completes the SNI information is available and
after the step 2 bumping step completes the server certificate is available.
The ssl_bump access list evaluated on every bumping step to select the bumping
mode to use. The new acl "at_step" can be used to match the current bumping
step.
In most cases:
- if the user select "peek" bumping mode at step2 then at step3 can select
one of the "splice" or "terminate" modes.
- If the user select "stare" bumping mode at step2 then at step 3 can select
one of the "bump" or "terminate" modes.
If the squid built with the SQUID_USE_OPENSSL_HELLO_OVERWRITE_HACK and the
client uses openSSL library similar to the library used by squid then bumping
is possible after "peek" bumping mode selection and "splice" after "stare"
bumping mode selection.
The bump, terminate and splice are final decisions.
Fixes and polishing in response to Amos' squid-dev review dated 2014/08/19
- Polishing changes
- Move src/acl/AtBumpStep*.[cc,h] files to src/acl/AtStep*.[cc,h]
- Convert Ssl::Bio::sslFeatures::serverName,
Ssl::Bio::sslFeatures::HelloMesssage and Ssl::ServerBio::helloMsg members
to SBuf
Amos Jeffries [Tue, 26 Aug 2014 02:39:30 +0000 (19:39 -0700)]
Boilerplate: update acinclude/ and configure.ac copyrights
* update CONTRIBUTORS with missing contributors
* update CREDITS with missing copyright licenses
- remove outdated Treehouse Networks license on rfc3596.h rfc3596.cc
- shuffle some entries for easier reading. Alphabetical by first source
file path.
* split AX_WITH_PROG() macro into its own source file to clarify the
license scope. It is provided as a standalone file by the author(s).
Amos Jeffries [Mon, 25 Aug 2014 15:47:04 +0000 (08:47 -0700)]
Boilerplate: update copyright licenses on include/ sources
* add Squid Software Foundation blurb
* update CONTRIBUTORS with missing authors
* update CREDITS with missing license and copyright statements
It looks a bit messy, but Carnegie Mellon Univeristy license requires
that several very similar but unique copyright and license blurbs be
documented unabreviated.
Squid-3 is now being administered by the Squid Software Foundation,
a non-profit organisation created for the purpose of providing
governance and representation for the Squid Project and community
of contributors.
http://www.squid-cache.org/Foundation/
As such the Squid source code collection is being prefixed with a
new copyright blurb:
* Copyright (C) 1996-2014 The Squid Software Foundation and contributors
*
* Squid software is distributed under GPLv2+ license and includes
* contributions from numerous individuals and organizations.
* Please see the COPYING and CONTRIBUTORS files for details.
Existing copyright claims on specific source code files are being
preserved in-situ following this collection blurb.
With some exceptions where existing copyright owners have explicitly
given permission for their specific claim statements to be moved to
the CONTRIBUTORS file and assist removal of the inconsistent and
now often incorrect Harvest and Squid Project blurb(s).
This patch publishes the script and boilerplate text used to perform
this change of copyright marking for public review.
Also, adds some administrative polishing in preparation for the
blurb adjustments.
Amos Jeffries [Mon, 25 Aug 2014 04:53:57 +0000 (21:53 -0700)]
Cleanup: remove SQUID_NO_STRING_BUFFER_PROTECT and SQUID_UNIT_TEST macros
These macros were used solely to prevent cppunit and operating system
includes from generating build errors and warnings via Squid protection
from unsafe use of sprintf, strdup and other allocator and string
functions.
The protection against these functions has long ago been move to
source-maintenance script instead of runtime checking. Making these
macros obsolete.
Amos Jeffries [Fri, 22 Aug 2014 12:48:40 +0000 (05:48 -0700)]
Portability: disable krb5-config use when cross-compiling
krb5-config detection does not support cross-compiling or multiple krb5
library installations properly.
pkg-config is supported by recent releases of the popular krb5 libraries
and supports cross-compile properly and complicated build environments
much better. Trust its results when cross-compiling.
Amos Jeffries [Thu, 21 Aug 2014 18:11:23 +0000 (11:11 -0700)]
Docs: update release notes and configure --help after Kerberos update
Add release notes for the ./configure option changes in rev.13538.
Also, adjust ./configure --help display text to match the option
behaviour:
* --with is default action, so --without gets documented.
* --without does not accept path, and --with-foo=PATH is available on
all library options. So remove repeated text.
Alex Rousskov [Thu, 21 Aug 2014 00:29:33 +0000 (18:29 -0600)]
Do not leak fake SSL certificate context cache when reconfigure
changes port addresses.
We believe that deleting a cached LocalContextStorage object does not actually
affect connections that use the corresponding SSL_CTX and certificate because
any SSL object using those things increments their sharing counter and
deleting LocalContextStorage only decrements that counter. The [cached]
SSL_CTX object is not destroyed by SSL_CTX_free until that sharing counter
reaches zero.
Alex Rousskov [Tue, 19 Aug 2014 18:09:50 +0000 (12:09 -0600)]
Do not assert on native FTP ERR_TOO_BIG. Do not check for ERR_TOO_BIG twice.
The assertion occurred because both the FTP request parser and the generic
ConnStateData::checkHeaderLimits() code would try to write their own error
message to the user. Reworked all error reporting code in the FTP parser to
avoid writing early responses (that were bypassing the overall transaction
flow with various negative side effects such as lack of logging).
Removed ConnStateData::checkHeaderLimits(): We already have protocol-specific
checks for huge HTTP and FTP requests. There is no point in duplicating them.
Centralizing them sounds like a good idea, but a general checkHeaderLimits()
cannot produce protocol-specific errors messages that we need, so it hurts
more than it helps. Moreover, checkHeaderLimits() was handling errors
differently than protocol parsing code, making the code more complex overall.
All that remains from the checkHeaderLimits() code now is a single Must(),
checking that the protocol parsers did what they were supposed to do: Return
NULL to request more data after checking any applicable limits. If parsers do
not (a Squid bug!), the ConnStateData job gets killed (and connection gets
closed) as the last resort.
Added clientReplyContext::setReplyToReply() and
StoreEntry::storeErrorResponse() to handle storing of a response to an FTP
command parsing error. The old code was using ErrorState to store parsing
errors, but ErrorState is still HTTP-specific and cannot relay the right FTP
codes/reasons to the user. The setReplyToReply() sounds silly but it matches
the existing setReplyTo*() naming scheme well.
Make sure parsed native FTP command tokens are not even close to the String
buffer limit. These checks are not a firm guarantee, but are better than
nothing until we replace String.
Handle ClientSocketContext registration centrally because all parsers need it.
Call quitAfterError() on fatal native FTP errors. Probably not necessary due
to fssError handling code that closes the FTP control connection, but adds
helpful debugging and brings us closer to the HTTP error handling code.
author: Alex Rousskov <rousskov@measurement-factory.com>
Use v3 for fake certificate if we add _any_ certificate extension.
We used to force v3 version only when adding the subjectAltName extension.
That broke sites that did not have subjectAltName but used other mimicked x509
extensions, when accessed through Firefox 31 (at least):
https://bugzilla.mozilla.org/show_bug.cgi?id=1045973
- Remove any references to "bumpErr" bumping mode. It is not implemented
- Changes to allow make without openssl, "make dist" and "make distcheck"
- Fix peek-and-splice documentation: The bumping modes are SslBump1, SslBump2 a
nd SslBump3
- Other minor changes
Alex Rousskov [Mon, 11 Aug 2014 16:09:06 +0000 (10:09 -0600)]
Initial native FTP Relay support.
* Added ftp_port directive telling Squid to relay native FTP commands.
* Active and passive FTP support on the user-facing side;
require passive connections to come from the control connection src IP.
* IPv6 support (EPSV and, on the user-facing side, EPRT).
* Intelligent adaptation of relayed FTP FEAT responses.
* Relaying of multi-line FTP control responses using various formats.
* Support relaying of FTP MLSD and MLST commands (RFC 3659).
* Several Microsoft FTP server compatibility features.
* ICAP/eCAP support (at individual FTP command/response level).
* Optional "current FTP directory" tracking (cannot be 100% reliable due to
symbolic links and such, but is helpful in some common use cases).
* FTP origin control connection is pinned to the FTP user connection.
* No caching support -- no reliable Request URIs for that (see above).
* Significant FTP code restructuring on the server-facing side.
* Initial steps towards HTTP code restructuring on the client-facing side.
Alex Rousskov [Sat, 9 Aug 2014 00:35:28 +0000 (18:35 -0600)]
Centralized and documented FTP protocol "version" (1.1) definition.
Moved AnyP::PortCfg::setTransport() to the cache_cf.cc parsing code where it
currently belongs. AnyP code should not have protocol-specific pieces as it is
code shared among (or used by) many (ideally, all transfer) protocols.
TODO: Convert Http::ProtocolVersion from class into a function.
This patch:
- Add test in configure script to check if OpenSSL hacks can be supported.
These tests enable the SQUID_USE_OPENSSL_HELLO_OVERWRITE_HACK in autoconf.h
- Fixes peek-and splice related documentation , the step1, step2, step3 names
now used instead of the SslBump[1,2,3] as bumping steps
- Many fixes in bio subsystem:
* investigate the Ssl::Bio::sslFeatures::applyToSSL method to configure
and SSL object the features included in sslFeatures object
* rename Ssl::ClientBio::headerState to Ssl::ClientBio::helloState
* rename Ssl::ClientBio::headerSize to Ssl::ClientBio::helloSize
* investigate the Ssl::ClientBio::HelloReadState enum to describe
the ssl hello message read state
* Ssl::ServerBio::write should return the size of the data the openSSL
ask from us to write to server, else it abort SSL connection with error
* Do not overwrite openSSL SSL object with client hello on Peek mode if
we can not support web client SSL features. This is causes problems
and openSSL may abort the connection with error.
The adjustSSL function does not need the "force" parameter any more.
* If SQUID_USE_OPENSSL_HELLO_OVERWRITE_HACK is not defined adjustSSL
return always false.
* document bio related classes
- TunnelStateData::logTag_ptr:
* try to set TunnelStateData::logTag_ptr when peek and splice mode is used
* the TunnelStateData::logTag_ptr is not initialized in constructure
* Do not use TunnelStateData::logTag_ptr if it is not defined for a reason
- Try to set delay pools settings inside switchToTunnel when peek-and-splice
mode is used
- Remove unsused code inside switchToTunnel method (tunnel.cc file)
- Other minor changes
Alex Rousskov [Thu, 7 Aug 2014 22:33:48 +0000 (16:33 -0600)]
Fixed HttpHdr::Private/NoCache(v) implementations and optimized their API.
These calls now avoid assertions and extra trailing commas when called with
empty names. The API now allows calling with a String() object, but still
needs more polishing work.
Moved common code from Ftp::Server::setReply and Ftp::Relay::createHttpReply()
into Ftp::HttpReplyWrapper().
Also removed the last non-job callbak from Ftp::Client, polished and synced
new FTP comments with the modern client/server/gateway/relay terminology, as
well as minimized changes compared to trunk.
Alex Rousskov [Thu, 7 Aug 2014 17:26:03 +0000 (11:26 -0600)]
Tokenizer fixes and API improvements.
Taught Tokenizer to keep track of the number of parsed bytes. Many callers
need to know that because they need to adjust/consume I/O offsets/buffers.
Adjusted unused Parser::Tokenizer::token() to not treat NUL delimiter
specially. Besides the fact that not all grammars can treat NUL that way, the
special NUL treatment resulted in some token() calls returning true for empty
tokens, which was confusing parsers. Callers that do not require trailing
delimiters, should use prefix() instead. This change is based on experience
writing Tokenizer-based FTP parser, although the final parser code uses
prefix() instead of token(), for unrelated reasons.
Split Parser::Tokenizer::skip(set) into skipOne() and skipAll(). All other
skip() methods skip exactly one thing (either a given character or a given
token) but the old skip(set) method was skipping multiple things. That
confused callers. We now force the caller to make a choice.
Fixed Parser::Tokenizer::skip(char) to avoid out of bound access.
Alex Rousskov [Thu, 7 Aug 2014 17:20:27 +0000 (11:20 -0600)]
Added CharacterSet::complement() to create "all except those in that set" sets
handy for parsing (e.g., "get all characters until the end of line").
Added CharacterSet::rename() to label sets. Handy in const declarations that
use expressions. For example: const CharacterSet AB = (A+B).renamed("AB").
Alex Rousskov [Thu, 7 Aug 2014 17:13:26 +0000 (11:13 -0600)]
Do not allow SBuf::toLower/toUpper() return a value.
Some callers think toLower() method changes the string and some think it
returns a changed value without changing the string. Without unportable hacks
like __attribute__((warn_unused_result)), some of the callers will guess wrong
and not know about it. It is easier/safer to change the object itself and
return nothing.
Provided ToUpper/ToLower() functions (not methods!) that preserve their
paramter and return a new object for callers that need the old functionality.
These functions are a good candidate for __attribute__ hacks.
Alex Rousskov [Tue, 5 Aug 2014 22:44:23 +0000 (16:44 -0600)]
Polished for the official review, addressing several TODOs.
Use 1.1 version for FTP ports because FTP commands are sent on a
"persistent by default" connection, just like HTTP/1.1.
Cleaned up Ftp::CtrlChannel, Ftp::DataChannel, and Ftp::Client object
construction and destruction.
Do not insist on USER command when intercepting FTP. Interception support
may still not work for other reasons, but USER does not seem to be required
since Squid gets request destination from the intercepted connection info.
Peek and Splice: %ssl::<cert_subject and %ssl::<cert_issuer formating codes to e
xternal_acl
This patch investigates the %ssl::<cert_subject and %ssl::<cert_issuer
formating codes to external_acl helpers.
* The %ssl::<cert_subject formating code prints the server certificate DN
* The %ssl::<cert_issuer formating code prints the server certificate issuer DN
Both formating codes are available after the ssl bumped connection is
established.
When Peek and Splice mode is selected these formating codes are available on
peek or stare mode, after the step2 is comleted and server certificate is
received.
- For peek mode we need to always forward client hello message
- For stare mode we must forward client hello message only if we can mimic
all of the client SSL features, else we should sent a new SSL hello message.
Alex Rousskov [Tue, 5 Aug 2014 00:17:16 +0000 (18:17 -0600)]
Done moving FTP code around. Polished moved code to match new locations.
src/clients/FtpNative is now src/clients/FtpRelay. It was awkward to use a
non-noun "Native" as a class name, and the class was already described as
"relaying FTP".
Alex Rousskov [Mon, 4 Aug 2014 21:44:31 +0000 (15:44 -0600)]
Major source layout change: Moved FTP code into servers/, clients/, and ftp/.
src/servers/FtpServer.* # new FTP server, relaying FTP
src/servers/HttpServer.* # old ConnStateData parts conflicting w/ FtpServer
src/clients/FtpClient.* # code shared by old and new FTP clients
src/clients/FtpGateway.* # old FTP client, translating back to HTTP
src/clients/FtpNative.* # new FTP client, relaying FTP
src/ftp/* # FTP stuff shared by clients and servers
This change attempts to preserve code in moved files to the extent possible:
Only copied or added code was polished. Future changes will polish moved code.
Unfortunately, bzr does not track code changes across file splits, so the code
moved from ConnStateData (client_side.cc) into HttpServer and FtpServer
classes appears as removed and added in bzr diff. If you want to see the
branch log for the FtpServer or HttpServer code added in this revision, look
in the previous branch revision of client_side.cc.
Amos Jeffries [Sat, 2 Aug 2014 13:01:28 +0000 (06:01 -0700)]
Remove hierarchy_stoplist in favour of always_direct
This directive was deprecated 2 years (and versions) ago. It can be
replaced with:
acl stoplist url_regex cgi-bin|\?
always_direct allow stoplist
The major difference between the two configurations is that the old
hierarchy_stoplist was applied after never_direct and always_direct is
applied before it. Both override the never_direct result, so this is not
a problem.