Bug 3081:
During conversion of listening socket handlers to AsyncCalls a violation
of the AsyncCall API was introduced. Resulting in occasional crashes from
invalid re-use of call objects.
This implements a TcpAcceptor async job which receives a listening socket
and a CallSubscription. For every connection attempt on the listener socket
a new AsyncCall is spawned from the subscription template.
Initial users are the HTTP and HTTPS listening sockets and FTP data channel.
In order to implement this job in FTP the logics surrounding data channel
handling had to be extended and reworked. Fixing bug 2948 and 2581 in the
process.
Amos Jeffries [Tue, 25 Jan 2011 08:55:40 +0000 (21:55 +1300)]
Author: Fabian Hugelshofer <fh@open.ch>
Allow persistent connections for Mozilla/3.0 User-Agents
This fixes NTLM and Negotiate authentication for these agents.
History:
In 1998 a hack was added to HttpMsg::persistent() that disables
persistent connections for HTTP/1.0 User-Agents starting with
"Mozilla/3." and "Netscape/3.".
According to the thread on squid-dev
(http://www.eu.squid-cache.org/mail-archive/squid-dev/199805/0087.html),
this was necessary to make some versions of Netscape browsers work that
had a broken implementation of persistent connections. It was said that
"NS 3.01 is ok. NS 3.02 is bad. NS 3.04 is good." Netscape 4 was ok, too.
Amos Jeffries [Tue, 25 Jan 2011 05:31:59 +0000 (18:31 +1300)]
Fix external_acl_type grace= option
Due to race conditions between concurrent requests this is still not a
complete fix. But reduces the unwanted re-use of helper responses from
all connections arriving in a whole second which match the ACL key down
to just those that arrive within the reply lag time of the helper.
Henrik Nordstrom [Mon, 24 Jan 2011 20:23:27 +0000 (21:23 +0100)]
Simplify request parsing to not check request method when determining if a
request contains a request-entity or not. For requests this is signalled
entirely by Content-Length/Transfer-Encoding regardless of method.
also drops the requirement that PUT/POST requests must have a request-entity.
The RFC do not explicitly state this requirement even if the wording for those
methods do assume there is a enclosed request-entity.
The administrative "request_entities" config flag is kept for security
reasons, even if not really RFC compliant. (RFC meaning of request-entity
in GET/HEAD is just undefined or "ignored", not forbidden)
Amos Jeffries [Fri, 14 Jan 2011 14:10:21 +0000 (07:10 -0700)]
Make FTP and CacheMgr obey --disable-auth-basic
When teh proxy has been built with this auth module explicitly disabled
do not add headers indicating that it is available.
The side effect of not having Basic authentication support in the proxy
is that FTP is reduced to depending on URL logins and CacheMgr protected
actions cannot be used.
Amos Jeffries [Fri, 14 Jan 2011 06:15:23 +0000 (23:15 -0700)]
Support configurable status codes for deny_info
This changes the default behaviour of deny_info redirects. Making Squid
automaticaly select 307 or 303 status code where appropriate for HTTP/1.1
clients and 302 for HTTP/1.0 clients or other appropriate cases.
For example;
deny_info 303:http://example.com/ POST
On top of the behaviour change this patch adds capability for admin to
configure deny_info with explicit status codes ranging from 200 to 599.
There are limits placed on the use of each range of status codes:
* 2xx, 4xx and 5xx may only be set when there is a local file or template
being used as body content on the response.
* 3xx status may only be set when there is a URI being used as a redirect
destination.
These limitations are enforced with a configuration hard abort due to:
3xx with a named template and 4xx/5xx with a redirect break with a range
of horrible results to our file loading and output Location: URLs. My
tests ended up with Squid scanning the FS for local files called
http://blah, redirecting the browser to 404:ERR_ACCESS_DENIED, or getting
past those with zero-sized replies and crashes when err is required to
have length.
They are going to take something much more major logic re-plumbing and
maybe deeper cleanup to get the crossover down to safe enough for just a
warning. Given the RFC defined use of each status range I did not think
it worth doing to enable something on the fine edge of non-standard.
Amos Jeffries [Wed, 12 Jan 2011 05:23:00 +0000 (22:23 -0700)]
ftp_eprt directive to disable EPRT extensions in FTP
This allows admin to resolve compatibility problems with old devices which
encounter a range of problems when FTP extensions are used by selectively
disabling any of the extensions individually.
The other EPSV extensions already have enable/disable directives.
Amos Jeffries [Tue, 11 Jan 2011 07:33:27 +0000 (00:33 -0700)]
Bug 2959: remove SAMBAPREFIX dependency
This removes the tricky SAMBAPREFIX variable which passes full-path
information from the squid build machine down to the run-time host
helper.
Such information is not always correct when crossing machines, and the
binaries being run can easily be added to PATH in the run-time host
environment instead.
The net result of doing this is removal of Samba from the build
dependencies and increased availability of the basic_smb_auth and
ext_wbinfo_group_acl helpers.
Amos Jeffries [Sat, 8 Jan 2011 06:23:27 +0000 (19:23 +1300)]
Author: Henrik Nordstrom <hno@squid-cache.org>
Port from 2.7: maximum staleness limits
The default behaviour of Squid is to provide a stale copy (with Warnigng:
header) until an actove response from the origin server causes the object
to be updated or garbage collection causes its removal.
The max_stale direcive and refresh_pattern max-stale=N option allow admin
to set an upper limit on the objects age when serving stale responses.
Amos Jeffries [Mon, 27 Dec 2010 20:25:30 +0000 (13:25 -0700)]
Author: Henrik Nordstrom <hno@squid-cache.org>
Support RFC 5861 Cache-Control: stale-if-error option
The default behaviour for Squid is to present the stale object when
revalidation fails with a 5xx error.
stale-if-error places a maximum limit on how long this stale object may
be sent. After the limit has passed Squid is required to present the 5xx
message to the client.
Original code for Squid-2 was sponsored by Yahoo!.
Original code by Marcello Romani, this version has some additions to
initialize any missing database tables depended on during its startup
phase and some additional polish to fit within the current Squid release.
COPYRIGHT AND LICENSE
Copyright (C) 2008 by Marcello Romani
This library is free software; you can redistribute it and/or modify
it under the same terms as Perl itself, either Perl version 5.8.8 or,
at your option, any later version of Perl 5 you may have available.
Amos Jeffries [Wed, 15 Dec 2010 12:13:01 +0000 (05:13 -0700)]
ext_edirectory_userip_acl: alternative split algorithms
Some compilers do not support dynamically allocated stack space.
Instead perform a scan and hunk copy/wipe of the passed buffers directly.
As a side effect the split is no longer triple-copying data and
double-memset'ing.
Author: Graham Keeling <graham@equiinet.com>
Bug 3113: Squid can eat far too much memory when uploading files
Problem description:
Uploading a large file to a web site on the internet, squid's client
input buffer will increase far faster than it can be emptied to
the target website, and the machine will swiftly run out of memory.
This patch adds the client_request_buffer_max_size configuration
parameter which specifies the maximum buffer size of a client request.
Report ERR_SECURE_CONNECT_FAIL details to the user via a new error detail API.
Currently, the ERR_SECURE_CONNECT_FAIL response contains no usable error
information. Moreover, there is no interface to pass SSL error information
to the response generation code.
This patch adds an interface to allow Squid error responses to contain detailed
information about SSL certificate verification failure. For example, the error
message may contain the following text:
"Server Certificate Verification Failed: Certificate Common Name
(www.lufthansa.com) does not match the host name you are connecting to
(www.lufthansa.de)."
This is a Measurement Factory project.
Change details:
--------------------
- errorpage.cc/.h: The error page now supports the '%D' formating code to
display the detail string passed by modules. The detail strings passed by
modules can contain error page formating codes. Currently only SSL detail
errors messages are supported.
- A new class Ssl::ErrorDetail defined in ssl/ErrorDetail.[cc,h]
The Ssl::ErrorDetail objects passed to the SSL verification callback functions
(sl_verify_cb callback function defined in support.cc) and filled with error
detail data (error_no and a pointer to the X509 Certificate) in the case of
an error and passed back to the forward.cc code.
- The Ssl::ErrorDetail class internally uses (hard coded) templates and
formating codes to allow supporting multiple languages and adding easily
new features
Other changes:
-------------------
- errorpage.cc/.h: The BuildContent method split to BuildContent and ConvertText
method. The second method does the real conversion from a given text template
to output. It is used now to allow formating the detail strings passed with
%D.
- sslparseErrorString moved to ssl/ErrorDetail.cc file and renamed to
Ssl::parseErrorString
- sslFindErrorString moved to ssl/ErrorDetail.cc file and renamed to
Ssl::getErrorName
- The ssl_error_t typedef definition moved from ssl/support.h to
ssl/ErrorDetail.h and renamed to Ssl::error_t
Amos Jeffries [Mon, 13 Dec 2010 11:31:14 +0000 (00:31 +1300)]
Compat: cleanup several config.h hacks
* removes the xmemcpy and xmemmove hacks. Squid has been building for some
long time without them being consistently used all-over. No complaints.
bcopy() alternative is still use if needed. However main code can now
use memcpy( )and memmove() without special X knowledge.
* shuffle strnstr replacement into libcompat from libmisc
* shuffles xis*() function wrappers for is*() with type-casting into compat
Alex Rousskov [Sun, 12 Dec 2010 23:29:26 +0000 (16:29 -0700)]
Handle early eCAP transaction failures better.
Do not throw an exception if eCAP transaction had to deal with a virgin body
but was not consuming it at swangSong() time. This may happen if the eCAP
adapter throws an exception before the adapter requests the virgin body
transmission or after it stops the transmission. In other words, the
transaction wrapper consumes only if proxyingVb is on.
Amos Jeffries [Sun, 12 Dec 2010 05:30:58 +0000 (22:30 -0700)]
SourceLayout: cleanup the various log line formatting code
Adds:
* namespace Log::Format for log display functionality. Each line formater
is a global function inside here. The log format enum is also in here
along with the display encoding 'gadget' functions.
* namespace Time in SquidTime.h for the related time string display
functions. Unified the various log pretty-print httpd-style time
functions into Time::FormatHttpd(time_t).
** care has been taken to preserve the local-static optimization found
in accessLogTime() to prevent wasted cycles re-printing the same
time value more than once per second.
NP: the similar but timezone-missing format is now Time::FormatStrf()
with the same optimization applied to speed up its callers.
* namespace Math:: to avoid symbol clash with global function Log() and
namespace Log.
* support for the Apache "combined" log format. Was documented earlier as
being available but not actually present.
Obsoletes:
* forward_log directive and associated experimental code. If needed
we can easily add another special format to dump the details.
FWIW they are all available in the squid format anyway (timestamp,
squid status, source peer). The documented action of dumping every
forwarding attempt was not working.
* referer_log and useragent_log directives and matching ./configure options.
** shuffled into access_log formats "referrer" and "useragent" for more
flexibility with less directives.
* emulate_httpd_log replaced with Apache "common" format.
* the "auto" pseudo-format becomes obsolete with emulat_httpd_log.
default is now "squid" format in all situations.
Code Shuffles:
* moved the logformat directive parsing into LogConfig object methods.
* shuffled the logformat parsing and token code into src/log/Tokens.h|cc
** this is purely to break it out of access_log.cc. namespace and scoping
needs some work.
Alex Rousskov [Tue, 7 Dec 2010 19:32:43 +0000 (12:32 -0700)]
Tolerate adapted body delivery failures in REQMOD request satisfaction mode.
Without these changes, Squid may assert if an ICAP or eCAP service fails
while delivering response body in REQMOD:
assertion failed: client_side.cc:1438: "rep"
Other assertions may be possible as well, because we were trying to
serve a freshly built, HttpReply-free error response while already
writing the REQMOD "request satisfaction" response. The assertion
probably depends on that writing stage (wrote nothing yet, wrote
headers, wrote some body, etc).
Polished ERR_DETAIL constants to distinguish the special "request
satisfaction" case and to remove ICAP-specific labels from general
adaptation code.
Alex Rousskov [Tue, 7 Dec 2010 19:10:11 +0000 (12:10 -0700)]
Support upcoming "fresh message creation" eCAP API.
Adapters need "fresh" (i.e., empty and not cloned) messages to support
"request satisfaction" mode and other cases where cloning a virgin message is
not possible or is awkward because the adapted message is not an adjusted
version of the virgin one.
fix compile error on OpenSolaris using SunStudio CC
The way the TidyPointer used inside ssl/gadgets.h which included
through ssl/support.h in squid.h file requires the ssl libraries
linked with every binary, even if not realy needed.
To solve this probelm remove the 'include "ssl/support.h"' line
from the squid.h and add it only where required.
The *_free SSL API functions can not be used with TidyPointer in some OSes/compilers
The *_free SSL functions are declared as extern "C" and can not be used as
DeAllocator argument of the TidyPointer class with some compilers and OSes.
To solve this problem:
- Define the CtoCpp1 macro to allow easy implementation of the C++ equivalent
function of an extern C function.
Currently defined in gadgets.h file, if required in the future can be
moved to TidyPointer.h file
- Use the CtoCpp macro to define the X509_free_cpp
- Remove the Ssl::BIO_free_wrapper function does not needed any more
Amos Jeffries [Mon, 6 Dec 2010 14:06:06 +0000 (03:06 +1300)]
Fix 'can't create ./src/***: No such file' errors on linking
Side effect of the AIX port fixes using .o instead of duplicating and
re-building the .cc individually. "It seemed a good idea at the time"(tm).
It is a bit strange that it should only show up now, those changes were
made long ago.
Anyways, I've come to the conclusion from other places that the rebuild is
slower to compile but a lot safer to deal with linkage and dependencies.
Amos Jeffries [Mon, 6 Dec 2010 08:24:12 +0000 (01:24 -0700)]
Fix host OS detection in configure.ac
squid_host_os was being left with the version appended. Which screwed all
the switch and if cases which depended on exact matching the name only.
This corrects the squid_host_os to not contain numeric versions and also
corrects several of the test cases using host_os instead of squid_host_os
or using squid_host_os with version digits.
Amos Jeffries [Sun, 5 Dec 2010 14:29:27 +0000 (03:29 +1300)]
Build libprofiler only when it will be operational
The internal CPU profiler requires specific CPU support. It is not useful
to build and link the library unless it is going to work.
Uses AC_PREPROC_IFELSE to allow building on cross-compilers.
projects / thirdparty / squid.git / log
