Windows: Fix error displaying helper name on pipe close errors
The helper name string is not directly available to the HelperServerBase
methods for closing pipes. Pass it from the method callers as needed and
drop logging of the command line details.
idnsParseResolvConf() had been disabled for all Windows builds. Cygwin
does provide this system config file.
Also, instead of seeding #if/#endif wrappers around the call, always call the
function and just wrap its internals away from Windows builds that do
not supply the necessary config file.
Portability: rename BodyPipe member to avoid clash with pipe() macro
Our Windows compatibility layer defines pipe() as a macro. On MinGW at
least the precompiler makes no distinction between parameterless macro
pipe() and pipe variables.
Use thePipe for member naming and aPipe for function local variables.
Windows: fix mapping between POSIX and Windows socket types
MinGW at least still defines several socket structure fields with size_t
instead of socklen_t. In order to maintain the POSIX API definition in
appearance we need to cast these types to their POSIX variant regardless
of whether size_t or socklen_t is used.
* Windows defines CMSG_DATA macro name for uses unrelated to the BSD
socket CMSG mechanism. Define SQUID_CMSG_DATA as a generic replacement.
* MinGW provides a wrapper layer emulating the BSD socket CMSG mechanism
in the form of WSA_CMG_* macros for the BSD struct types.
Detect and use those wrapper macros when available.
Cleanup: wrap some C-includes with protective macros
Squid-3 guidelines require that C-header includes should be wrapped
and the absence of wrapping causes build errors on Windows at least for
these ones.
Source Maintenance: fix various maintenance script issues
* ensure auto-generated .list are sorted, instead of ad-hoc system
dependent ordering which can cause needless updates.
* grep only paths with *.* (usually files) instead of all items in each
directory. This avoids scanning sub-directory indexes with grep, which
produces fatal errors on some systems.
* add check for Squid Software Foundation copyright blurb and highlight
files needing attention.
%<tt (total server time) is not computed in some cases
The total server time is not computed for CONNECT requests.
Another example case is when server-first bumping mode is used and Squid
connects to the SSL peer, but the connection terminates before the SSL handshake
completes.
PROXY protocol has been developed by Willy Tarreau of HAProxy for
communicating original src and dst IP:port details between proxies and
load balancers in a protocol-agnostic way.
stunnel, HAProxy and some other HTTP proxying software are already
enabled and by adding support to Squid we can effectively chain these
proxies without having to rely on X-Forwarded-For headers.
This patch adds http_port mode flag (require-proxy-header) to signal the
protocol is in use, parsing and processing logics for the PROXY protocol
headers on new connections, and the proxy_protocol_access control to
manage inbound connections.
The indirect client security/trust model remains unchanged. As do all
HTTP related logics on the connection once PROXY protocol header has
been received.
Future Work:
* support sending PROXY protocol to cache_peers
* support receiving PROXY protocol on https_port
* rework the PROXY parse logics as a Parser-NG child parser.
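The PROXY protocol header handling described above, as an added example that is not Squid's own parser: a strict validator for the v1 text form ("PROXY TCP4 src dst sport dport\r\n") that rejects malformed headers instead of trusting whatever a peer sends. The type and function names are assumptions for illustration; the sample headers are constructed.

```cpp
#include <arpa/inet.h>
#include <cstdlib>
#include <string>
#include <sys/socket.h>
#include <vector>
struct ProxyHeader {              // example type, not Squid's own
    std::string family;           // "TCP4", "TCP6" or "UNKNOWN"
    std::string srcAddr, dstAddr; // textual addresses exactly as sent
    int srcPort = 0, dstPort = 0;
};
// Split on single spaces; empty fields are kept so "PROXY  TCP4" is rejected.
static std::vector<std::string> splitSpaces(const std::string &s) {
    std::vector<std::string> out(1);
    for (char c : s) {
        if (c == ' ') out.emplace_back();
        else out.back() += c;
    }
    return out;
}
// Strict port: 1-5 ASCII digits only, value at most 65535.
static bool parsePort(const std::string &tok, int &port) {
    if (tok.empty() || tok.size() > 5) return false;
    for (char c : tok) if (c < '0' || c > '9') return false;
    const long v = std::strtol(tok.c_str(), nullptr, 10);
    if (v > 65535) return false;
    port = static_cast<int>(v);
    return true;
}
// The address must parse under the declared family (no IPv4 text in TCP6).
static bool validAddr(int af, const std::string &tok) {
    unsigned char raw[16];
    return inet_pton(af, tok.c_str(), raw) == 1;
}
// Parse a complete v1 header at the start of buf. On success fills hdr and
// sets consumed to the header length (CRLF included) so the caller can pass
// the remaining bytes to the HTTP parser untouched. Malformed input fails.
bool parseProxyV1(const std::string &buf, ProxyHeader &hdr, size_t &consumed) {
    const size_t eol = buf.find("\r\n");
    if (eol == std::string::npos || eol + 2 > 107) return false;  // v1 max is 107 bytes
    const std::vector<std::string> f = splitSpaces(buf.substr(0, eol));
    if (f.size() < 2 || f[0] != "PROXY") return false;
    hdr = ProxyHeader();
    hdr.family = f[1];
    consumed = eol + 2;
    if (f[1] == "UNKNOWN") return true;  // relay had no client identity; access policy decides
    const int af = f[1] == "TCP4" ? AF_INET : f[1] == "TCP6" ? AF_INET6 : -1;
    if (af < 0 || f.size() != 6) return false;
    if (!validAddr(af, f[2]) || !validAddr(af, f[3])) return false;
    if (!parsePort(f[4], hdr.srcPort) || !parsePort(f[5], hdr.dstPort)) return false;
    hdr.srcAddr = f[2];
    hdr.dstAddr = f[3];
    return true;
}
```

Because the header is plain text from whoever connected, a port flagged require-proxy-header should only accept it from hosts permitted by proxy_protocol_access; otherwise any client could claim an arbitrary source address.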
Close active pconns after their *_port goes away on reconfigure.
This change reduces what may be perceived as reconfigure memory leaks
related to *_port options. Before this change, a single persistent
connection could continue to receive new requests (and tie no longer
globally accessible PortCfg-related structures) for hours.
The goal of this patch is to make SSL bumping decision after the origin server
name is known.
Peek and Splice peeks at the SSL client Hello message and SNI info if any
(bumping step 1), sends identical or a similar Hello message to the SSL server
and peeks at the SSL server Hello message (bumping step 2), and finally
decides to proceed with splicing or bumping the connection (bumping step 3).
After the step 1 bumping step completes the SNI information is available and
after the step 2 bumping step completes the server certificate is available.
The ssl_bump access list is evaluated on every bumping step to select the bumping
mode to use. The new acl "at_step" can be used to match the current bumping
step.
In most cases:
- if the user selects "peek" bumping mode at step 2 then at step 3 they can select
one of the "splice" or "terminate" modes.
- If the user selects "stare" bumping mode at step 2 then at step 3 they can select
one of the "bump" or "terminate" modes.
If Squid is built with SQUID_USE_OPENSSL_HELLO_OVERWRITE_HACK and the
client uses an OpenSSL library similar to the library used by Squid then "bump"
is possible after "peek" bumping mode selection and "splice" after "stare"
bumping mode selection.
The bump, terminate and splice are final decisions.
Fixes and polishing in response to Amos' squid-dev review dated 2014/08/19
- Polishing changes
- Move src/acl/AtBumpStep*.[cc,h] files to src/acl/AtStep*.[cc,h]
- Convert Ssl::Bio::sslFeatures::serverName,
Ssl::Bio::sslFeatures::HelloMesssage and Ssl::ServerBio::helloMsg members
to SBuf
Amos Jeffries [Tue, 26 Aug 2014 02:39:30 +0000 (19:39 -0700)]
Boilerplate: update acinclude/ and configure.ac copyrights
* update CONTRIBUTORS with missing contributors
* update CREDITS with missing copyright licenses
- remove outdated Treehouse Networks license on rfc3596.h rfc3596.cc
- shuffle some entries for easier reading. Alphabetical by first source
file path.
* split AX_WITH_PROG() macro into its own source file to clarify the
license scope. It is provided as a standalone file by the author(s).
Amos Jeffries [Mon, 25 Aug 2014 15:47:04 +0000 (08:47 -0700)]
Boilerplate: update copyright licenses on include/ sources
* add Squid Software Foundation blurb
* update CONTRIBUTORS with missing authors
* update CREDITS with missing license and copyright statements
It looks a bit messy, but the Carnegie Mellon University license requires
that several very similar but unique copyright and license blurbs be
documented unabbreviated.
Squid-3 is now being administered by the Squid Software Foundation,
a non-profit organisation created for the purpose of providing
governance and representation for the Squid Project and community
of contributors.
http://www.squid-cache.org/Foundation/
As such the Squid source code collection is being prefixed with a
new copyright blurb:
* Copyright (C) 1996-2014 The Squid Software Foundation and contributors
*
* Squid software is distributed under GPLv2+ license and includes
* contributions from numerous individuals and organizations.
* Please see the COPYING and CONTRIBUTORS files for details.
Existing copyright claims on specific source code files are being
preserved in-situ following this collection blurb.
With some exceptions where existing copyright owners have explicitly
given permission for their specific claim statements to be moved to
the CONTRIBUTORS file and assist removal of the inconsistent and
now often incorrect Harvest and Squid Project blurb(s).
This patch publishes the script and boilerplate text used to perform
this change of copyright marking for public review.
Also, adds some administrative polishing in preparation for the
blurb adjustments.
Amos Jeffries [Mon, 25 Aug 2014 04:53:57 +0000 (21:53 -0700)]
Cleanup: remove SQUID_NO_STRING_BUFFER_PROTECT and SQUID_UNIT_TEST macros
These macros were used solely to prevent cppunit and operating system
includes from generating build errors and warnings via Squid protection
from unsafe use of sprintf, strdup and other allocator and string
functions.
The protection against these functions has long ago been moved to the
source-maintenance script instead of runtime checking, making these
macros obsolete.
Amos Jeffries [Fri, 22 Aug 2014 12:48:40 +0000 (05:48 -0700)]
Portability: disable krb5-config use when cross-compiling
krb5-config detection does not support cross-compiling or multiple krb5
library installations properly.
pkg-config is supported by recent releases of the popular krb5 libraries
and supports cross-compile properly and complicated build environments
much better. Trust its results when cross-compiling.
Amos Jeffries [Thu, 21 Aug 2014 18:11:23 +0000 (11:11 -0700)]
Docs: update release notes and configure --help after Kerberos update
Add release notes for the ./configure option changes in rev.13538.
Also, adjust ./configure --help display text to match the option
behaviour:
* --with is default action, so --without gets documented.
* --without does not accept path, and --with-foo=PATH is available on
all library options. So remove repeated text.
Alex Rousskov [Thu, 21 Aug 2014 00:29:33 +0000 (18:29 -0600)]
Do not leak fake SSL certificate context cache when reconfigure
changes port addresses.
We believe that deleting a cached LocalContextStorage object does not actually
affect connections that use the corresponding SSL_CTX and certificate because
any SSL object using those things increments their sharing counter and
deleting LocalContextStorage only decrements that counter. The [cached]
SSL_CTX object is not destroyed by SSL_CTX_free until that sharing counter
reaches zero.
Alex Rousskov [Tue, 19 Aug 2014 18:09:50 +0000 (12:09 -0600)]
Do not assert on native FTP ERR_TOO_BIG. Do not check for ERR_TOO_BIG twice.
The assertion occurred because both the FTP request parser and the generic
ConnStateData::checkHeaderLimits() code would try to write their own error
message to the user. Reworked all error reporting code in the FTP parser to
avoid writing early responses (that were bypassing the overall transaction
flow with various negative side effects such as lack of logging).
Removed ConnStateData::checkHeaderLimits(): We already have protocol-specific
checks for huge HTTP and FTP requests. There is no point in duplicating them.
Centralizing them sounds like a good idea, but a general checkHeaderLimits()
cannot produce protocol-specific errors messages that we need, so it hurts
more than it helps. Moreover, checkHeaderLimits() was handling errors
differently than protocol parsing code, making the code more complex overall.
All that remains from the checkHeaderLimits() code now is a single Must(),
checking that the protocol parsers did what they were supposed to do: Return
NULL to request more data after checking any applicable limits. If parsers do
not (a Squid bug!), the ConnStateData job gets killed (and connection gets
closed) as the last resort.
Added clientReplyContext::setReplyToReply() and
StoreEntry::storeErrorResponse() to handle storing of a response to an FTP
command parsing error. The old code was using ErrorState to store parsing
errors, but ErrorState is still HTTP-specific and cannot relay the right FTP
codes/reasons to the user. The setReplyToReply() sounds silly but it matches
the existing setReplyTo*() naming scheme well.
Make sure parsed native FTP command tokens are not even close to the String
buffer limit. These checks are not a firm guarantee, but are better than
nothing until we replace String.
Handle ClientSocketContext registration centrally because all parsers need it.
Call quitAfterError() on fatal native FTP errors. Probably not necessary due
to fssError handling code that closes the FTP control connection, but adds
helpful debugging and brings us closer to the HTTP error handling code.
author: Alex Rousskov <rousskov@measurement-factory.com>
Use v3 for fake certificate if we add _any_ certificate extension.
We used to force v3 version only when adding the subjectAltName extension.
That broke sites that did not have subjectAltName but used other mimicked x509
extensions, when accessed through Firefox 31 (at least):
https://bugzilla.mozilla.org/show_bug.cgi?id=1045973
- Remove any references to "bumpErr" bumping mode. It is not implemented
- Changes to allow make without openssl, "make dist" and "make distcheck"
- Fix peek-and-splice documentation: The bumping modes are SslBump1, SslBump2 and SslBump3
- Other minor changes
Alex Rousskov [Mon, 11 Aug 2014 16:09:06 +0000 (10:09 -0600)]
Initial native FTP Relay support.
* Added ftp_port directive telling Squid to relay native FTP commands.
* Active and passive FTP support on the user-facing side;
require passive connections to come from the control connection src IP.
* IPv6 support (EPSV and, on the user-facing side, EPRT).
* Intelligent adaptation of relayed FTP FEAT responses.
* Relaying of multi-line FTP control responses using various formats.
* Support relaying of FTP MLSD and MLST commands (RFC 3659).
* Several Microsoft FTP server compatibility features.
* ICAP/eCAP support (at individual FTP command/response level).
* Optional "current FTP directory" tracking (cannot be 100% reliable due to
symbolic links and such, but is helpful in some common use cases).
* FTP origin control connection is pinned to the FTP user connection.
* No caching support -- no reliable Request URIs for that (see above).
* Significant FTP code restructuring on the server-facing side.
* Initial steps towards HTTP code restructuring on the client-facing side.
Alex Rousskov [Sat, 9 Aug 2014 00:35:28 +0000 (18:35 -0600)]
Centralized and documented FTP protocol "version" (1.1) definition.
Moved AnyP::PortCfg::setTransport() to the cache_cf.cc parsing code where it
currently belongs. AnyP code should not have protocol-specific pieces as it is
code shared among (or used by) many (ideally, all transfer) protocols.
TODO: Convert Http::ProtocolVersion from class into a function.
This patch:
- Add test in configure script to check if OpenSSL hacks can be supported.
These tests enable the SQUID_USE_OPENSSL_HELLO_OVERWRITE_HACK in autoconf.h
- Fixes peek-and-splice related documentation: the step1, step2, step3 names
are now used instead of SslBump[1,2,3] as bumping steps
- Many fixes in bio subsystem:
* investigate the Ssl::Bio::sslFeatures::applyToSSL method to configure
an SSL object with the features included in the sslFeatures object
* rename Ssl::ClientBio::headerState to Ssl::ClientBio::helloState
* rename Ssl::ClientBio::headerSize to Ssl::ClientBio::helloSize
* investigate the Ssl::ClientBio::HelloReadState enum to describe
the ssl hello message read state
* Ssl::ServerBio::write should return the size of the data OpenSSL
asks us to write to the server, else it aborts the SSL connection with an error
* Do not overwrite the OpenSSL SSL object with the client hello in Peek mode if
we can not support the web client SSL features. This causes problems
and OpenSSL may abort the connection with an error.
The adjustSSL function does not need the "force" parameter any more.
* If SQUID_USE_OPENSSL_HELLO_OVERWRITE_HACK is not defined, adjustSSL
always returns false.
* document bio related classes
- TunnelStateData::logTag_ptr:
* try to set TunnelStateData::logTag_ptr when peek and splice mode is used
* the TunnelStateData::logTag_ptr is not initialized in the constructor
* Do not use TunnelStateData::logTag_ptr if it is not defined for a reason
- Try to set delay pools settings inside switchToTunnel when peek-and-splice
mode is used
- Remove unused code inside switchToTunnel method (tunnel.cc file)
- Other minor changes
Alex Rousskov [Thu, 7 Aug 2014 22:33:48 +0000 (16:33 -0600)]
Fixed HttpHdr::Private/NoCache(v) implementations and optimized their API.
These calls now avoid assertions and extra trailing commas when called with
empty names. The API now allows calling with a String() object, but still
needs more polishing work.
Moved common code from Ftp::Server::setReply and Ftp::Relay::createHttpReply()
into Ftp::HttpReplyWrapper().
Also removed the last non-job callback from Ftp::Client, polished and synced
new FTP comments with the modern client/server/gateway/relay terminology, as
well as minimized changes compared to trunk.
Alex Rousskov [Thu, 7 Aug 2014 17:26:03 +0000 (11:26 -0600)]
Tokenizer fixes and API improvements.
Taught Tokenizer to keep track of the number of parsed bytes. Many callers
need to know that because they need to adjust/consume I/O offsets/buffers.
Adjusted unused Parser::Tokenizer::token() to not treat NUL delimiter
specially. Besides the fact that not all grammars can treat NUL that way, the
special NUL treatment resulted in some token() calls returning true for empty
tokens, which was confusing parsers. Callers that do not require trailing
delimiters, should use prefix() instead. This change is based on experience
writing Tokenizer-based FTP parser, although the final parser code uses
prefix() instead of token(), for unrelated reasons.
Split Parser::Tokenizer::skip(set) into skipOne() and skipAll(). All other
skip() methods skip exactly one thing (either a given character or a given
token) but the old skip(set) method was skipping multiple things. That
confused callers. We now force the caller to make a choice.
Fixed Parser::Tokenizer::skip(char) to avoid out of bound access.
Alex Rousskov [Thu, 7 Aug 2014 17:20:27 +0000 (11:20 -0600)]
Added CharacterSet::complement() to create "all except those in that set" sets
handy for parsing (e.g., "get all characters until the end of line").
Added CharacterSet::rename() to label sets. Handy in const declarations that
use expressions. For example: const CharacterSet AB = (A+B).renamed("AB").