Adapter transaction options are now extracted and can be logged in HTTP
transaction log (access.log): Moved ICAP-specific logging-related adaptation
history features to the general adaptation history class and used them in eCAP
code.
Support adaptation_masterx_shared_names option for eCAP transactions. eCAP
transactions can now forward meta information to subsequent ICAP or eCAP
transactions (within the same master transaction scope).
Allow a routing eCAP service to determine the list of adaptation services to
be applied next to the same master transaction (same as the X-Next-Services
ICAP extension).
Identified a couple of %adapt::<last_h logging bugs and history maintenance
inconsistencies but left them alone for now.
Alex Rousskov [Thu, 17 Feb 2011 19:27:54 +0000 (12:27 -0700)]
libecap v0.2.0 options support: supply client IP and user name to eCAP.
Squid now uses libecap::Options API to send client IP and user name
meta-information to the eCAP adapter transaction, just like ICAP code
does when talking to an ICAP service transaction.
Renamed related icap_* options to their more general adaptation_*
equivalents because they now control both eCAP and ICAP behavior.
Old icap_* names are deprecated but still available.
Converted eCAP service configuration code to support the new Options
API, polished.
Alex Rousskov [Thu, 17 Feb 2011 19:11:06 +0000 (12:11 -0700)]
Fixed linking with libecap after PKG_CHECK_MODULES changes.
Previous commit (r11126) made sense and seemed to work fine until I
discovered that touching a source file in src/adaptation/ecap and
running "make" there leads to libtool's "file not found" errors for some
libtool-generated internal file. However, "make clean all" would still
work.
To better diagnose the issue, I renamed PKG_CHECK_MODULES prefix to
EXTLIBECAP and our ecap/libecap to ecap/libxecap. The difference in
names allowed to distinguish external libecap-related names/failures
from internal ones, but it did not solve the problem.
Moving EXTLIBECAP_LIBS from adaptation/ecap/ to adaptation/ Makefile.am
helped. Older code included external libecap in adaptation/Makefile.am
as well, perhaps to avoid similar problems. It does not make sense to
put external libecap there instead of the ecap-specific directory, but
it works.
Amos Jeffries [Thu, 17 Feb 2011 14:57:33 +0000 (03:57 +1300)]
squidclient: send cachemgr password via -w option
Preparation for internal cachemgr updates to use real proxy-auth.
The cachemgr password may now be sent in three ways:
Deprecated: mgr:info@password
Current Option: -w password mgr:info
Preferred: -u username -w password mgr:info
The old explicit @ syntax is now deprecated for visible use. The background
systems will still send it that way for cache_object: URLs. Use of this
overrides any -w option set. So it is still possible to login to a proxy
with one set of credentials and pass a separate password to the cachemgr.
The long-term plan is to drop @ completely in future.
The current option of just -w will convert the password to @ syntax in the
background but not add Proxy-Authentication headers. This may die in future.
The preferred alternative is to use -u and -w which triggers addition of real
Proxy-Authenticate headers. The username is not yet used by cachemgr but
may be required by the proxy ACL configuration.
Alex Rousskov [Wed, 16 Feb 2011 17:57:09 +0000 (10:57 -0700)]
Use pkg-config's PKG_CHECK_MODULES to check for and link with libecap.
Side-effect: We can and do check whether Squid supports the installed libecap
package version. This check avoids accidentally building Squid with the wrong
libecap release. TODO: Check whether the loaded eCAP adapter was built with a
supported libecap version as well.
This simplifies the header parser for basic auth. Working towards a more
generalized model of AuthUser children. Removing two memory allocations, two
leaks and several unnecessary functions.
Amos Jeffries [Mon, 7 Feb 2011 10:27:53 +0000 (03:27 -0700)]
Bug 2870: --disable-auth does not work
This patch attempts to make it work by removing libauth.la and all component
functionality which depends on it. So far this reduces the minimal squid
binary by a further 900 KB on disk.
It also means anything which requires an authentication process won't work.
They get wrapped in USE_AUTH or if it's a specific type with the relevant
HAVE_AUTH_MODULE_* wrappers.
So far this does:
* FTP and CacheMgr dependency on --disable-auth-basic is already committed
* cache_peer login= functionality is greatly reduced under various
combinations of --disable-auth, --disable-auth-basic and
--disable-auth-negotiate
* peering userhash algorithm is removed
* delay pools class 4 is removed
* ACLs testing username are dropped.
Additionally since external ACL user= field is used interchangeably in
several places with a full login and with the right helper can be
considered a full side-band authentication I have disabled the
ExtUser/ext_user components as well.
NP: pinning is not strictly dependent on NTLM, we may use it for other
things without involving auth so left most of it in. Just the logics
which use auth to set the pinning flag are now removable.
IDENT not being an authentication mechanism is also left in.
Amos Jeffries [Mon, 7 Feb 2011 04:16:22 +0000 (21:16 -0700)]
Author: Jonathan Wolfe <jonathan.wolfe@gmail.com>
Bug 3149: not caching ecap adapted body
eCAP adapters may remove or edit the Content-Length header, and to allow
caching of the adapted body squid must reflect that new (or unspecified)
content length when deciding whether or not the adapted body can be cached.
In the case that SQUID_SNMP is disabled, the MessageType enum list ends with a ",".
The gcc compiler does not have any problem with this but SunStudio returns a
parse error.
Amos Jeffries [Sun, 6 Feb 2011 09:20:16 +0000 (02:20 -0700)]
Enable non-caching of external ACL results
Admin configure ttl=0 and/or negative_ttl=0 to prevent Squid storing the
ACL lookup results. The problem is that results still get cached and
re-used for the grace= period or one second, whichever is larger.
Also, in the event where two or more requests with identical details
needing to be looked up at the same time there is an optimization
which will merge and share one lookup result for all these requests.
In most situations this result sharing is beneficial, however when a
unique result is wanted it can cause problems.
This patch makes ttl=0 and negative_ttl=0 prevent their respective OK and
ERR results from being stored into the helper result cache. Sharing is
still performed for overlapping duplicate requests.
When cache=0 is configured, no caching or sharing of results is performed
at all.
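A small model of the store/share rules this commit message describes, as an added example (not Squid code and not part of the original log). The class, method and event names are hypothetical, the timeline is constructed, and the grace= period is deliberately left out.

```python
class ExternalAclModel:
    """Toy model of the helper result cache; names are illustrative only."""

    def __init__(self, ttl, negative_ttl, cache=True):
        self.ttl, self.negative_ttl, self.cache = ttl, negative_ttl, cache
        self.stored = {}         # key -> (result, expires_at)
        self.pending = {}        # key -> requests waiting on one helper query
        self.helper_queries = 0  # how often the helper was actually asked

    def request(self, key, now):
        """Return 'hit', 'shared' or 'helper' for a request arriving at `now`."""
        if self.cache:
            entry = self.stored.get(key)
            if entry and now < entry[1]:
                return "hit"              # stored result still valid
            if key in self.pending:
                self.pending[key] += 1    # overlapping duplicate joins the lookup
                return "shared"
            self.pending[key] = 1
        self.helper_queries += 1          # cache=0: every request asks the helper
        return "helper"

    def helper_reply(self, key, result, now):
        """Helper answered 'OK' or 'ERR'; store only if the matching TTL is > 0."""
        self.pending.pop(key, None)
        lifetime = self.ttl if result == "OK" else self.negative_ttl
        if self.cache and lifetime > 0:
            self.stored[key] = (result, now + lifetime)


def replay(model, events):
    """Feed a constructed timeline to the model and collect request outcomes."""
    outcomes = []
    for ev in events:
        if ev[0] == "req":
            outcomes.append(model.request(ev[1], ev[2]))
        else:
            model.helper_reply(ev[1], ev[2], ev[3])
    return outcomes


# Constructed timeline: two overlapping requests, the reply, one later request.
EVENTS = [("req", "alice", 0.0), ("req", "alice", 0.1),
          ("reply", "alice", "OK", 0.3), ("req", "alice", 0.5)]

if __name__ == "__main__":
    for label, m in [("ttl=0", ExternalAclModel(0, 0)),
                     ("ttl=60", ExternalAclModel(60, 60)),
                     ("cache=0", ExternalAclModel(60, 60, cache=False))]:
        print(label, replay(m, EVENTS), "helper queries:", m.helper_queries)
```

With ttl=0 the third request goes back to the helper even though an OK answer arrived 0.2 seconds earlier, while the two overlapping requests still share one query; only cache=0 gives every request its own lookup.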
The attached patch implements aggregation of SNMP responses, similar to how
we aggregate some cache manager stats.
The code contains changes that allow us to share some of the classes between
Cache Manager and SNMP code:
* implement the following base classes under the ipc directory/module:
- Ipc::Forwarder (ipc/Forwarder{.cc,.h} files)
- Ipc::Inquirer (ipc/Inquirer{.cc,.h} files)
- Ipc::Request (ipc/Request{.cc,.h} files)
- Ipc::Response (ipc/Response{.cc,.h} files)
* fix the Mgr::Forwarder, Mgr::Inquirer, Mgr::Request and Mgr::Response
classes to be implemented as kid classes of the equivalent Icp::* classes.
Also implements for the SNMP the same mechanism used for cache manager:
The SNMP requests are forwarded to the coordinator, which collects the statistics from
kids and aggregates them.
This patch allows the user of the Range template class to define the type of
the returned value of Range::size() method, adding a second template argument.
The default type of the return value of Range::size() method is size_t, which
in most cases is enough (but not always, eg HttpRange).
This patch will allow Range template to be used with non numeric types.
Amos Jeffries [Sat, 29 Jan 2011 02:23:48 +0000 (15:23 +1300)]
Profiler: fix report sorting algorithm
The sorting was performed in a way to exclude the UNACCOUNTED and leave it
first in the display list. However with the new auto-generated enum all
other entries are at indeterminate locations. Using hash_lookup resulted
in only half the list being sorted.
Fix that by referencing from UNACCOUNTED which is guaranteed to be first.
Amos Jeffries [Fri, 28 Jan 2011 07:58:53 +0000 (20:58 +1300)]
Windows: fix code wrappers for Cygwin and generic Win32 code
_SQUID_WIN32_ was being used to wrap all code built specific for Windows
but with any compiler on that platform.
- rename to _SQUID_WINDOWS_ to match OS wrapper naming convention.
- compact several macros using verbose test: (cygwin or Ming or any)
Cleans up all affected tests to match current precompiler code style.
Also cleans up all tests involving _SQUID_CYGWIN_ to match code styles.
Author: Alex Rousskov <rousskov@measurement-factory.com>
Fix IP/FQDN cache accounting to avoid idle caches on busy servers.
When maintaining the IP/FQDN cache size, use the number of entries in the cache
rather than the number of allocated and not freed MEM_IPCACHE_ENTRY and
MEM_FQDNCACHE_ENTRY objects. These objects are used outside the cache
for DNS queries. If queries leak (or perhaps when there are just a lot of them),
the memory-pool-based count overestimates the cache size, sometimes to
such a degree that the cache remains nearly empty despite lots of misses.
Using a memory-pool-based counter to estimate cache size also violates IP/FQDN cache
encapsulation boundaries because it effectively prevents others from using
the same memory pool.
Bug 3081:
During conversion of listening socket handlers to AsyncCalls a violation
of the AsyncCall API was introduced, resulting in occasional crashes from
invalid re-use of call objects.
This implements a TcpAcceptor async job which receives a listening socket
and a CallSubscription. For every connection attempt on the listener socket
a new AsyncCall is spawned from the subscription template.
Initial users are the HTTP and HTTPS listening sockets and FTP data channel.
In order to implement this job in FTP the logics surrounding data channel
handling had to be extended and reworked. Fixing bug 2948 and 2581 in the
process.
Amos Jeffries [Tue, 25 Jan 2011 08:55:40 +0000 (21:55 +1300)]
Author: Fabian Hugelshofer <fh@open.ch>
Allow persistent connections for Mozilla/3.0 User-Agents
This fixes NTLM and Negotiate authentication for these agents.
History:
In 1998 a hack was added to HttpMsg::persistent() that disables
persistent connections for HTTP/1.0 User-Agents starting with
"Mozilla/3." and "Netscape/3.".
According to the thread on squid-dev
(http://www.eu.squid-cache.org/mail-archive/squid-dev/199805/0087.html),
this was necessary to make some versions of Netscape browsers work that
had a broken implementation of persistent connections. It was said that
"NS 3.01 is ok. NS 3.02 is bad. NS 3.04 is good." Netscape 4 was ok, too.
Amos Jeffries [Tue, 25 Jan 2011 05:31:59 +0000 (18:31 +1300)]
Fix external_acl_type grace= option
Due to race conditions between concurrent requests this is still not a
complete fix. But reduces the unwanted re-use of helper responses from
all connections arriving in a whole second which match the ACL key down
to just those that arrive within the reply lag time of the helper.
Henrik Nordstrom [Mon, 24 Jan 2011 20:23:27 +0000 (21:23 +0100)]
Simplify request parsing to not check request method when determining if a
request contains a request-entity or not. For requests this is signalled
entirely by Content-Length/Transfer-Encoding regardless of method.
Also drops the requirement that PUT/POST requests must have a request-entity.
The RFC does not explicitly state this requirement even if the wording for those
methods does assume there is an enclosed request-entity.
The administrative "request_entities" config flag is kept for security
reasons, even if not really RFC compliant. (RFC meaning of request-entity
in GET/HEAD is just undefined or "ignored", not forbidden)
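The rule in this commit message, sketched as an added example (not Squid's parser and not part of the original log): body presence is read from Content-Length/Transfer-Encoding only, and the request_entities flag decides whether GET/HEAD may carry one. Function names are hypothetical, the sample requests are constructed, and treating "Content-Length: 0" as "no entity" is an assumption of this sketch.

```python
def has_request_entity(headers):
    """Decide from framing headers alone whether a request carries a body."""
    h = {name.lower(): value.strip() for name, value in headers.items()}
    codings = [c.strip().lower() for c in h.get("transfer-encoding", "").split(",")]
    if "chunked" in codings:
        return True
    length = h.get("content-length")
    if length is None:
        return False                      # no framing header: no entity
    if not (length.isascii() and length.isdigit()):
        raise ValueError("malformed Content-Length: %r" % length)
    return int(length) > 0                # assumption: zero length means no body


def admit(method, headers, request_entities=False):
    """Return (accepted, has_body) for one request.

    PUT/POST without a body are accepted. GET/HEAD with a body are refused
    unless the administrator set request_entities on.
    """
    body = has_request_entity(headers)
    if body and method.upper() in ("GET", "HEAD") and not request_entities:
        return (False, body)
    return (True, body)


# Constructed sample requests: (method, headers)
SAMPLES = [
    ("POST", {}),                                  # no entity, now allowed
    ("DELETE", {"Transfer-Encoding": "chunked"}),  # entity on an unusual method
    ("GET", {"Content-Length": "5"}),              # entity on GET
    ("HEAD", {"content-length": "0"}),             # explicit zero length
]

if __name__ == "__main__":
    for method, headers in SAMPLES:
        print(method, headers, admit(method, headers))
```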