This patch allows Squid to provide details for the %D macro on the secure
connect failed error page when an SSL handshake with the origin server fails.
The default %D text is "Handshake with SSL server failed: XYZ" where XYZ is the
corresponding error string/description returned by OpenSSL if there is any.
Amos Jeffries [Tue, 8 Nov 2011 10:54:37 +0000 (03:54 -0700)]
Document and alter the pconn idle timeout directives.
Alters the directive names to clarify what they do and adds some more
description to the config file documentation.
Alters the internal config variables to match the new directive names.
Also alters the well known messages in mgr:filedescriptors report a little
to indicate client/server type and adds a standard "Idle " prefix for
easy automated scanning.
Amos Jeffries [Tue, 8 Nov 2011 09:24:08 +0000 (22:24 +1300)]
Document and alter the pconn idle timeout directives.
Alters the directive names to clarify what they do and adds some more
description to the config file documentation.
Alters the internal config variables to match the new directive names.
Also alters the well known messages in mgr:filedescriptors report a little
to indicate client/server type and adds a standard "Idle " prefix for
easy automated scanning.
Andrew Beverley [Sat, 5 Nov 2011 05:21:11 +0000 (18:21 +1300)]
Add a mask on the qos_flows miss configuration value.
The reason for this is to allow the preserved mark/TOS value from the
server to be altered slightly rather than overwritten completely.
Example usage. The following will preserve the netfilter mark, but will
ensure that the (9th) bit specified in the miss value will be set to 1
in the preserved mark:
Alex Rousskov [Wed, 2 Nov 2011 21:18:50 +0000 (15:18 -0600)]
Fixed two more cases of outdated shared memory cache detection
which led to "STORE_DISK_CLIENT == getType()" assertions
when running SMP Squid with non-shared memory caching.
UsingSmp() is not the right condition to detect whether we are using a shared
memory cache because shared memory caching may be disabled and because
Coordinator does not use a shared memory cache even if shared caching is
enabled.
This option allows Squid administrator to add custom ICAP request
headers or eCAP options to Squid ICAP requests or eCAP transactions.
Use it to pass custom authentication tokens and other
transaction-state related meta information to an ICAP/eCAP service.
The addition of a meta header is ACL-driven:
adaptation_meta name value [!]aclname ...
Processing for a given header name stops after the first ACL list match.
Thus, it is impossible to add two headers with the same name. If no ACL
lists match for a given header name, no such header is added. For example:
# do not debug transactions except for those that need debugging
adaptation_meta X-Debug 1 needs_debugging
# log all transactions except for those that must remain secret
adaptation_meta X-Log 1 !keep_secret
# mark transactions from users in the "G 1" group
adaptation_meta X-Authenticated-Groups "G 1" authed_as_G1
The "value" parameter may be a regular squid.conf token or a "double
quoted string". Within the quoted string, use backslash (\) to escape
any character, which is currently only useful for escaping backslashes
and double quotes. For example,
"this string has one backslash (\\) and two \"quotes\""
Dmitry Kurochkin [Fri, 28 Oct 2011 01:11:23 +0000 (19:11 -0600)]
Portability fixes for Atomic::WordT API.
Change parameter types for swap_if() and operator==() from int to
Value. This fixes some GCC warnings in "fake" implementation when
the AtomicWordT template parameter is unsigned.
Polished (waitingToBeFreed == true) test. waitingToBeFreed is
Atomic::WordT<uint8_t> and GCC does not know whether to cast AtomicWord or
boolean when comparing the two.
Dmitry Kurochkin [Fri, 28 Oct 2011 01:01:41 +0000 (19:01 -0600)]
Provide "fake" AtomicWordT implementation for non-SMP configurations.
While we can not provide real AtomicWordT implementation on the systems where
atomic operations are not available, we can use a "fake" one if Squid is
running in non-SMP mode. Before the change, the "fake" implementation was
always asserting, which is too restrictive and leads to test failures on
systems without atomic operations.
The new implementation works under conditions similar to "fake" shared memory
segments and allows SMP-using code (e.g. Rock store) to work in non-SMP mode.
In particular, it allows tests to pass on such systems.
AtomicWordT was renamed to WordT and moved to Ipc::Atomic namespace to allow
Ipc::Atomic::Enabled() to be declared outside of the AtomicWordT template
class. This lets us define the Enabled() method in AtomicWord.cc which avoids
dragging protos.h #include into the AtomicWord.h header.
Dmitry Kurochkin [Thu, 27 Oct 2011 23:14:28 +0000 (17:14 -0600)]
Bug 3150: do not start useless unlinkd.
Unlinkd may be used only by UFS storage but, before the change, Squid
always started unlinkd if it was built, even if it was not needed.
Whether a SwapDir may use unlinkd depends on the SwapDir
implementation and DiskIO strategy it uses. The patch adds
unlinkdUseful() method to SwapDir and DiskIOStrategy to decide if
unlinkd should be started.
After the change, unlinkd may be started during reconfiguration and
unlinkdInit() may be called multiple times.
After the change, unlinkdClose() may be called when unlinkd was never
started. The patch removes a warning which was printed in this case
on Windows.
Dmitry Kurochkin [Thu, 27 Oct 2011 22:51:19 +0000 (16:51 -0600)]
Optimization: Make read requests in [Rock] IpcIo bypass max-swap-rate limit.
Before the change, IpcIoFile::WaitBeforePop() delayed both swap ins
(hits) and swap outs (misses). This is suboptimal because reads do
not usually accumulate unfinished I/O requests in OS buffers and,
hence, do not eventually require the OS to block all I/O.
Ideally, a disker should probably dequeue all pending disker requests,
satisfy reads ASAP, and then handle writes, but that is difficult for
several reasons. The patch implements a simpler approach: peek the
next request to be popped, and if it is a swap in (i.e., read or hit),
then pop it without any delay.
When a read is popped, we still adjust the balance member and LastIo,
because we do want to maintain the configured average I/O rate. When a
write request comes in, it will be delayed [longer] if needed.
In the extreme case of a very long stream of read requests (no writes
at all), there will be essentially no I/O rate limit and that is what
we want.
Dmitry Kurochkin [Thu, 27 Oct 2011 22:44:20 +0000 (16:44 -0600)]
Do not allow max-swap-rate and swap-timeout reconfiguration for Rock Store.
These options are used to configure DiskIO module during Rock SwapDir
initialization. During reconfiguration, the values are updated in Rock
SwapDir, but they do not reach the DiskIO module. Thus, while Squid says that
option has a new value, the new value is never really used. This patch fixes
this inconsistency.
In the future, we may support reconfiguration for max-swap-rate and
swap-timeout, but that would require adding reconfiguration support
to DiskIO modules.
Dmitry Kurochkin [Thu, 27 Oct 2011 21:57:26 +0000 (15:57 -0600)]
Independent shared I/O page limit.
Shared memory pages are used for shared memory cache and IPC I/O module.
Before this change, the number of shared memory pages needed for IPC I/O
was calculated from the size of shared memory cache. Moreover, shared
memory cache was required for IPC I/O.
The patch makes the limit for shared I/O pages independent from the
shared memory cache size and presence. IPC I/O pages limit is calculated
from the number of workers and diskers; it does not depend on cache_dir
configuration. This may change in the future if we learn how to compute
it (e.g., by multiplying max-swap-rate and swap-timeout if both are
available).
UsingSmp() is not the right condition to detect whether we are using a shared
cache because shared memory caching may be disabled and because Coordinator
does not use a shared memory cache even if shared caching is enabled.
The assertion was triggered by icons being added to Coordinator local memory
cache. TODO: Coordinator does not need to cache [icons] at all.
SslBump code assumed that it is signing generated certificates with a root CA
certificate. Root certificates are usually not sent along with the server
certificates because clients must have them independently installed or
built-in. Squid was not sending the signing certificate.
In many environments, Squid signing certificate is intermediate (i.e., it
belongs to a non-root CA). If Squid does not send that intermediate signing
certificate with the generated one, the client will not be able to establish a
complete chain of trust from the generated fake to the root CA certificate,
leading to errors.
With this change, Squid may send the signing certificate (along with the
generated one) using the following rules:
* If the configured signing certificate is self-signed,
then just send the generated certificate alone.
Note that root CA certificates are self-signed (by root CA).
* Otherwise (i.e., if the configured signing certificate is an intermediate
CA certificate), send both the intermediate CA and the generated fake
certificate.
* If Squid sends the intermediate CA certificate, Squid also sends
all other certificates from the "cert=" file, Sending a chain with
multiple intermediate CA certificates may be required when the Squid
signing certificate was signed by another intermediate CA.
Bug fix: The multi-language support is broken for Ssl error details
Current Ssl::ErrorDetail::useRequest never sets the ErrorDetail::request
member.The ErrorDetail::request member used to select the correct language
for the web client from Accept-Language header.
Alex Rousskov [Thu, 27 Oct 2011 01:00:39 +0000 (19:00 -0600)]
Bug 3383: unhandled exception: theGroupBSize > 0
Do not create shared queue for IpcIoFile if there are no diskers. The queue
code requires at least one queue reader and writer, and SMP does not imply the
existence of diskers.
Alex Rousskov [Wed, 26 Oct 2011 16:33:46 +0000 (10:33 -0600)]
Name shared memory segments in a more portable way
to make shm_open() work on FreeBSD and some other OSes.
Linux and friends use "/slashless-name" template for shared memory segment IDs.
HPUX and friends use "/full/path/to/some/file".
FreeBSD uses the former or the latter, depending on version and jail context.
We now distinguish the above cases and prefix the internal segment ID
accordingly. The above analysis and its implementation are based on the
boost::interprocess code.
To make matters worse, the right prefix for path-based OSes depends on whether
we are running an [installed] Squid binary or just a "make check" test case.
For test cases, we cannot use PREFIX-based paths because they may not exist.
Instead, we use the current directory. This is consistent with TESTDIR (i.e.,
cache_dir location) which each fs test case defines to be in the current
directory.
Finally, the segment name may clash with cache_dir name on path-based OSes. We
now append ".shm" to the segment name to reduce the likelihood of a collision.
TODO: Should StoreMap/etc (or their creators) append "map"/etc to their IDs?
Amos Jeffries [Mon, 24 Oct 2011 00:18:26 +0000 (13:18 +1300)]
Produce full list of peer options on maybe-direct forwarding case
Now that we are generating the set of possible peers before attempting to
connect. The retry_on_error directive is no longer repeatedly cycling
through the peer selecting process failing on one peer until that peer
works.
The maybe-direct case seems to have been depending on this behaviour to
locate alternative peers before going DIRECT. The attached patch seeks
to make the maybe-direct case produce a list of all available parents
with the specific algorithm choice first.
Andrew Beverley [Sun, 23 Oct 2011 01:07:46 +0000 (19:07 -0600)]
ext_session_acl: version 1.2
This patch makes the following changes to the session helper:
- Removes support for Berkeley DB 1.85
- Adds support for the current Berkeley DB (db.h)
- Adds support for a DB environment (if a directory is specified as
the path then an environment is created). This gives better
synchronisation within multiple processes
- Fixes a bug with active mode where LOGIN/LOGOUT did not write to the DB
This patch finishes the conversion of ServerStateData into AsyncJob by properly
implementing the doneAll() method and by removing calls to deleteThis() or
replacing with mustStop() calls as appropriate.
The Adaptation::AccessCheck modified to schedule an AsyncJobCall when
access check finishes.
The ServerStateData and ClientHttpRequest classes modified to work with the new
Adaptation::AccessCheck.
Alex Rousskov [Fri, 14 Oct 2011 22:43:20 +0000 (16:43 -0600)]
Avoid "double to int" compiler warnings.
Could also use integer arithmetic instead of 1e3 double, but it is often safer
to use doubles when it comes to formulas because significant integer rounding
errors are difficult to spot.
Alex Rousskov [Fri, 14 Oct 2011 16:21:48 +0000 (10:21 -0600)]
SMP shared memory cache stats were not collected.
"Hot Object" stats were not reported for shared memory cache.
Mean disk object size stats were aggregated inaccurately for SMP.
Moved Store-related stats into a dedicated StoreStats class,
encapsulating memory cache-related (mem), disk cache-related (swap), and
global store (number of objects) stats. Used consistent naming scheme
and a common parent class to make memory and disk stats more alike.
Moved Store stats collection into corresponding Store classes rather
than forcing GetInfo() in stat.cc to know how to deal with all Store stats.
Alex Rousskov [Fri, 14 Oct 2011 16:00:08 +0000 (10:00 -0600)]
Account for max-swap-rate in swap-timeout handling for Rock.
Current swap-timeout code does not know about max-swap-rate. It
simply finds the longest-waiting I/O in disker queues (incoming and
outgoing) and then assumes that the new I/O will wait at least that
long. The assumption is likely to be wrong when the queue contains
lots of freshly queued requests to disker: Those requests have not
waited long yet, but a max-swap-rate limit will slow them down
shortly.
The patch changes the swap-timeout code to account for max-swap-rate
when dealing with the workers-to-disker queue: If there are N requests
pending, the new one will wait at least N/max-swap-rate seconds. Also
expected wait time is adjusted based on the queue "balance" member, in
case we have been borrowing time against future I/O already.
This patch:
- converts type of the Token::[width|precision] members from "unsigned int" to "int"
- renames the Token::[width|precision] members to Token::[widthMin/widthMax]
- removes unneeded typecastings
Alex Rousskov [Wed, 12 Oct 2011 20:56:41 +0000 (14:56 -0600)]
Allow non-shared memory caching when there are no cache_dirs.
Before this change, we destroyed unused/idle StoreEntries if nobody was voting
to keep them in store_table. That blocked non-shared memory cache from getting
new entries if there were no cache_dirs to vote for them, which is wrong. The
new code keeps unused/idle StoreEntries in store_table if nobody objects.
Alex Rousskov [Mon, 10 Oct 2011 14:39:00 +0000 (08:39 -0600)]
Fixed typos in the host_verify_strict description.
Frankly, the description is likely to still make little sense to
uninitiated because we do not explain what is "Host vs IP validation"
and what the "additional strict validation comparisons" are. There was
an attempt to explain the latter, but I think it failed. Perhaps there
are more typos that hide the intended meaning?
Amos Jeffries [Sun, 9 Oct 2011 05:44:22 +0000 (23:44 -0600)]
Add directive dns_v4_first to make IPv4 connections before IPv6 is tried.
Default off, to prefer the faster protocol.
The use-case for this is networks which are IPv6-enabled but stuck
behind slow tunnels and whose upstream is not supporting full transit
services over IP.
Properly parse HTTP list headers with embedded 8-bit characters
MSIE and maybe other browsers sometimes sends 8-bit high characters
in HTTP headers (and URLs). This was mistakenly read as CTL characters
on platforms with signed char type (i.e. x86 etc).
One visible effect of this was that HTTP Digest authentication failed
in MSIE when following a link with embedded 8-bit or UTF-8 characters.
Currently we are locking every file going to be accessed by CertificateDB code
even if it is not realy needed, because of a more general lock.
This patch:
- Replace the old FileLocker class with the pair Lock/Locker classes
- Remove most of the locks in CertificateDB with only two locks one
for main database locking and one lock for the file contain the
current serial number.
Bug 3349: Bad support for adaptation service URIs with '='
Currently using URIs which include "=" is not supported by
ecap_service/icap_service configuration parameters. Also the squid.conf
documentation about ecap_service is outdated.
This patch
- Fixes the [e|i]cap_service line parser to allow URIs with "="
- Changes the [e|i]cap_service configuration parameter to use the following syntax:
ecap_service id vectoring_point uri [name=value ...]
- Check for duplicated options
- Fixes the related documentation
- Also the older [e|i]cap_service syntax forms are supported:
ecap_service id vectoring_point [1|0] uri
ecap_service id vectoring_point [name=value ...] uri
- The "uri" options is not documented but supported.
Alex Rousskov [Thu, 6 Oct 2011 16:41:46 +0000 (10:41 -0600)]
Polished SMP caching code, primarily to stay out of the way in non-SMP mode.
Do not start useless diskers. Do not assume Rock cache_dirs are present.
Do not require IpcIo DiskIO module to build Rock store.
Check IPC I/O pages limits in Rock store only when using a disker.
Warn about Rock cache_dir disk space waste.
Warn if shared memory cache is enabled in non-SMP mode.
Fake shared memory segments if needed (e.g., we are using Rock cache_dirs with
no POSIX shared memory support) and possible (e.g., no SMP).
Alex Rousskov [Thu, 6 Oct 2011 16:38:03 +0000 (10:38 -0600)]
Added max-swap-rate=swaps/sec option to Rock cache_dir.
The option limits the rate of Rock disk access to smooth out OS disk commit
activity and to avoid blocking Rock diskers (or even other processes) on I/O.
Should be used when swap demand exceeds disk performance limits but the
underlying file system does not slow down incoming I/Os until the situation
gets out of control.
Bug 3190: Large HTTP POST stuck after early ICAP 400 error response
When an ICAP REQMOD service responds with an error to
(or the REQMOD transaction aborts while processing) a large HTTP
request, the HTTP request may get stuck because the request body
buffer gets full and nobody consumes the no-longer-needed content.
The ICAP code quits but leaves the body buffer intact in case the
client-side code wants to bypass the error. After that, nobody consumes
the request body because the buggy client side does not inform the body
pipe that there will be no other consumers, which would have triggered
a noteBodyConsumerAborted() callback and enable auto-consumption or closed
the client connection.
Remove entryLimitAllowed() TODO from RockSwapDirRr::run().
RockSwapDirRr::run() calls sd->entryLimitAllowed() when sd does not
have a map yet, which causes entryLimitAllowed() to use zero for the
lower limit. But that OK so we can remove the TODO.
In some configurations Rock cache_dir may hit the maximum entry limit.
In that case a significant disk space may be wasted. Before recent
SMP-related changes, there was code to warn the user about such
situations. The patch resurrects that code, adjusting it as needed to
match the current realities.
projects / thirdparty / squid.git / log
