From 6a25a04601da29b69842de917ecc3bff9cab1f4d Mon Sep 17 00:00:00 2001 From: Francesco Chemolli Date: Mon, 28 Jan 2013 14:24:51 +0100 Subject: [PATCH] Test-playground --- src/acl/Acl.cc | 4 +-- src/anyp/Makefile.am | 3 +- src/anyp/PortCfg.cc | 5 +-- src/anyp/PortCfg.h | 7 ++-- src/anyp/TrafficMode.h | 65 ++++++++++++++++++++++++++++++++++++++ src/cache_cf.cc | 56 ++++++++++++++++---------------- src/client_side.cc | 47 ++++++++++++++------------- src/client_side_request.cc | 3 +- src/forward.cc | 8 ++--- src/ssl/helper.cc | 8 ++--- src/tools.cc | 4 +-- 11 files changed, 139 insertions(+), 71 deletions(-) create mode 100644 src/anyp/TrafficMode.h diff --git a/src/acl/Acl.cc b/src/acl/Acl.cc index 37d8ee571f..2eeef57fab 100644 --- a/src/acl/Acl.cc +++ b/src/acl/Acl.cc @@ -186,7 +186,7 @@ ACL::ParseAclLine(ConfigParser &parser, ACL ** head) AnyP::PortCfg *p = Config.Sockaddr.http; while (p) { // Bug 3239: not reliable when there is interception traffic coming - if (p->intercepted) + if (p->flags.natIntercept) debugs(28, DBG_CRITICAL, "WARNING: 'myip' ACL is not reliable for interception proxies. Please use 'myportname' instead."); p = p->next; } @@ -197,7 +197,7 @@ ACL::ParseAclLine(ConfigParser &parser, ACL ** head) while (p) { // Bug 3239: not reliable when there is interception traffic coming // Bug 3239: myport - not reliable (yet) when there is interception traffic coming - if (p->intercepted) + if (p->flags.natIntercept) debugs(28, DBG_CRITICAL, "WARNING: 'myport' ACL is not reliable for interception proxies. Please use 'myportname' instead."); p = p->next; } diff --git a/src/anyp/Makefile.am b/src/anyp/Makefile.am index 7d79e3ecb4..680f09affb 100644 --- a/src/anyp/Makefile.am +++ b/src/anyp/Makefile.am @@ -8,7 +8,8 @@ libanyp_la_SOURCES = \ PortCfg.h \ ProtocolType.cc \ ProtocolType.h \ - ProtocolVersion.h + ProtocolVersion.h \ + TrafficMode.h ProtocolType.cc: ProtocolType.h $(top_srcdir)/src/mk-string-arrays.awk ($(AWK) -f $(top_srcdir)/src/mk-string-arrays.awk <$(srcdir)/ProtocolType.h | sed -e 's%PROTO_%%' >$@) || ($(RM) -f $@ && exit 1) diff --git a/src/anyp/PortCfg.cc b/src/anyp/PortCfg.cc index 3025c2284a..32e3ef003a 100644 --- a/src/anyp/PortCfg.cc +++ b/src/anyp/PortCfg.cc @@ -58,12 +58,9 @@ AnyP::PortCfg::clone() const if (defaultsite) b->defaultsite = xstrdup(defaultsite); - b->intercepted = intercepted; - b->spoof_client_ip = spoof_client_ip; - b->accel = accel; + b->flags = flags; b->allow_direct = allow_direct; b->vhost = vhost; - b->sslBump = sslBump; b->vport = vport; b->connection_auth_disabled = connection_auth_disabled; b->disable_pmtu_discovery = disable_pmtu_discovery; diff --git a/src/anyp/PortCfg.h b/src/anyp/PortCfg.h index c8ae95cb2a..43da576aa5 100644 --- a/src/anyp/PortCfg.h +++ b/src/anyp/PortCfg.h @@ -1,6 +1,7 @@ #ifndef SQUID_ANYP_PORTCFG_H #define SQUID_ANYP_PORTCFG_H +#include "anyp/TrafficMode.h" #include "cbdata.h" #include "comm/Connection.h" @@ -29,12 +30,10 @@ public: char *name; /* visible name */ char *defaultsite; /* default web site */ - unsigned int intercepted:1; /**< intercepting proxy port */ - unsigned int spoof_client_ip:1; /**< spoof client ip if possible */ - unsigned int accel:1; /**< HTTP accelerator */ + TrafficMode flags; ///< flags indicating what type of traffic to expect via this port. + unsigned int allow_direct:1; /**< Allow direct forwarding in accelerator mode */ unsigned int vhost:1; /**< uses host header */ - unsigned int sslBump:1; /**< intercepts CONNECT requests */ unsigned int actAsOrigin:1; ///< update replies to conform with RFC 2616 unsigned int ignore_cc:1; /**< Ignore request Cache-Control directives */ diff --git a/src/anyp/TrafficMode.h b/src/anyp/TrafficMode.h new file mode 100644 index 0000000000..a57855d386 --- /dev/null +++ b/src/anyp/TrafficMode.h @@ -0,0 +1,65 @@ +#ifndef SQUID_ANYP_TRAFFIC_MODE_H +#define SQUID_ANYP_TRAFFIC_MODE_H + +namespace AnyP +{ + +/** + * Set of 'mode' flags defining types of trafic which can be received. + * + * Use to determine the processing steps which need to be applied + * to this traffic under any special circumstances which may apply. + */ +class TrafficMode +{ +public: + TrafficMode() : accelSurrogate(false), natIntercept(false), tproxyIntercept(false), tunnelSslBumping(false) {} + TrafficMode(const TrafficMode &rhs) { operator =(rhs); } + TrafficMode &operator =(const TrafficMode &rhs) { memcpy(this, &rhs, sizeof(TrafficMode)); return *this; } + + /** marks HTTP accelerator (reverse/surrogate proxy) traffic + * + * Indicating the following are required: + * - URL translation from relative to absolute form + * - restriction to origin peer relay recommended + */ + bool accelSurrogate; + + /** marks NAT intercepted traffic + * + * Indicating the following are required: + * - NAT lookups + * - URL translation from relative to absolute form + * - Same-Origin verification is mandatory + * - destination pinning is recommended + * - authentication prohibited + */ + bool natIntercept; + + /** marks TPROXY intercepted traffic + * + * Indicating the following are required: + * - src/dst IP inversion must be performed + * - client IP should be spoofed if possible + * - URL translation from relative to absolute form + * - Same-Origin verification is mandatory + * - destination pinning is recommended + * - authentication prohibited + */ + bool tproxyIntercept; + + /** marks intercept and decryption of CONNECT (tunnel) SSL traffic + * + * Indicating the following are required: + * - decryption of CONNECT request + * - URL translation from relative to absolute form + * - authentication prohibited on unwrapped requests (only on the CONNECT tunnel) + * - encrypted outbound server connections + * - peer relay prohibited. TODO: re-encrypt and re-wrap with CONNECT + */ + bool tunnelSslBumping; +}; + +} // namespace AnyP + +#endif diff --git a/src/cache_cf.cc b/src/cache_cf.cc index cc45babfbd..a1671c11a3 100644 --- a/src/cache_cf.cc +++ b/src/cache_cf.cc @@ -928,7 +928,7 @@ configDoConfigure(void) } for (AnyP::PortCfg *s = Config.Sockaddr.http; s != NULL; s = s->next) { - if (!s->sslBump) + if (!s->flags.tunnelSslBumping) continue; debugs(3, DBG_IMPORTANT, "Initializing http_port " << s->s << " SSL context"); @@ -3556,17 +3556,18 @@ parse_port_option(AnyP::PortCfg * s, char *token) /* modes first */ if (strcmp(token, "accel") == 0) { - if (s->intercepted || s->spoof_client_ip) { + if (s->flags.natIntercept || s->flags.tproxyIntercept) { debugs(3, DBG_CRITICAL, "FATAL: http(s)_port: Accelerator mode requires its own port. It cannot be shared with other modes."); self_destruct(); } - s->accel = s->vhost = 1; + s->flags.accelSurrogate = true; + s->vhost = 1; } else if (strcmp(token, "transparent") == 0 || strcmp(token, "intercept") == 0) { - if (s->accel || s->spoof_client_ip) { + if (s->flags.accelSurrogate || s->flags.tproxyIntercept) { debugs(3, DBG_CRITICAL, "FATAL: http(s)_port: Intercept mode requires its own interception port. It cannot be shared with other modes."); self_destruct(); } - s->intercepted = 1; + s->flags.natIntercept = true; Ip::Interceptor.StartInterception(); /* Log information regarding the port modes under interception. */ debugs(3, DBG_IMPORTANT, "Starting Authentication on port " << s->s); @@ -3580,11 +3581,11 @@ parse_port_option(AnyP::PortCfg * s, char *token) self_destruct(); } } else if (strcmp(token, "tproxy") == 0) { - if (s->intercepted || s->accel) { + if (s->flags.natIntercept || s->flags.accelSurrogate) { debugs(3,DBG_CRITICAL, "FATAL: http(s)_port: TPROXY option requires its own interception port. It cannot be shared with other modes."); self_destruct(); } - s->spoof_client_ip = 1; + s->flags.tproxyIntercept = true; Ip::Interceptor.StartTransparency(); /* Log information regarding the port modes under transparency. */ debugs(3, DBG_IMPORTANT, "Starting IP Spoofing on port " << s->s); @@ -3596,54 +3597,55 @@ parse_port_option(AnyP::PortCfg * s, char *token) } } else if (strncmp(token, "defaultsite=", 12) == 0) { - if (!s->accel) { + if (!s->flags.accelSurrogate) { debugs(3, DBG_CRITICAL, "FATAL: http(s)_port: defaultsite option requires Acceleration mode flag."); self_destruct(); } safe_free(s->defaultsite); s->defaultsite = xstrdup(token + 12); } else if (strcmp(token, "vhost") == 0) { - if (!s->accel) { + if (!s->flags.accelSurrogate) { debugs(3, DBG_CRITICAL, "WARNING: http(s)_port: vhost option is deprecated. Use 'accel' mode flag instead."); } - s->accel = s->vhost = 1; + s->flags.accelSurrogate = true; + s->vhost = 1; } else if (strcmp(token, "no-vhost") == 0) { - if (!s->accel) { + if (!s->flags.accelSurrogate) { debugs(3, DBG_IMPORTANT, "ERROR: http(s)_port: no-vhost option requires Acceleration mode flag."); } s->vhost = 0; } else if (strcmp(token, "vport") == 0) { - if (!s->accel) { + if (!s->flags.accelSurrogate) { debugs(3, DBG_CRITICAL, "FATAL: http(s)_port: vport option requires Acceleration mode flag."); self_destruct(); } s->vport = -1; } else if (strncmp(token, "vport=", 6) == 0) { - if (!s->accel) { + if (!s->flags.accelSurrogate) { debugs(3, DBG_CRITICAL, "FATAL: http(s)_port: vport option requires Acceleration mode flag."); self_destruct(); } s->vport = xatos(token + 6); } else if (strncmp(token, "protocol=", 9) == 0) { - if (!s->accel) { + if (!s->flags.accelSurrogate) { debugs(3, DBG_CRITICAL, "FATAL: http(s)_port: protocol option requires Acceleration mode flag."); self_destruct(); } s->protocol = xstrdup(token + 9); } else if (strcmp(token, "allow-direct") == 0) { - if (!s->accel) { + if (!s->flags.accelSurrogate) { debugs(3, DBG_CRITICAL, "FATAL: http(s)_port: allow-direct option requires Acceleration mode flag."); self_destruct(); } s->allow_direct = 1; } else if (strcmp(token, "act-as-origin") == 0) { - if (!s->accel) { + if (!s->flags.accelSurrogate) { debugs(3, DBG_IMPORTANT, "ERROR: http(s)_port: act-as-origin option requires Acceleration mode flag."); } else s->actAsOrigin = 1; } else if (strcmp(token, "ignore-cc") == 0) { #if !USE_HTTP_VIOLATIONS - if (!s->accel) { + if (!s->flags.accelSurrogate) { debugs(3, DBG_CRITICAL, "FATAL: http(s)_port: ignore-cc option requires Scceleration mode flag."); self_destruct(); } @@ -3695,9 +3697,9 @@ parse_port_option(AnyP::PortCfg * s, char *token) } else if (strcasecmp(token, "sslBump") == 0) { debugs(3, DBG_CRITICAL, "WARNING: '" << token << "' is deprecated " << "in http_port. Use 'ssl-bump' instead."); - s->sslBump = 1; // accelerated when bumped, otherwise not + s->flags.tunnelSslBumping = true; // accelerated when bumped, otherwise not } else if (strcmp(token, "ssl-bump") == 0) { - s->sslBump = 1; // accelerated when bumped, otherwise not + s->flags.tunnelSslBumping = true; // accelerated when bumped, otherwise not } else if (strncmp(token, "cert=", 5) == 0) { safe_free(s->cert); s->cert = xstrdup(token + 5); @@ -3794,12 +3796,12 @@ parsePortCfg(AnyP::PortCfg ** head, const char *optionName) #if USE_SSL if (strcasecmp(protocol, "https") == 0) { /* ssl-bump on https_port configuration requires either tproxy or intercept, and vice versa */ - const bool hijacked = s->spoof_client_ip || s->intercepted; - if (s->sslBump && !hijacked) { + const bool hijacked = s->flags.tproxyIntercept || s->flags.natIntercept; + if (s->flags.tunnelSslBumping && !hijacked) { debugs(3, DBG_CRITICAL, "FATAL: ssl-bump on https_port requires tproxy/intercept which is missing."); self_destruct(); } - if (hijacked && !s->sslBump) { + if (hijacked && !s->flags.tunnelSslBumping) { debugs(3, DBG_CRITICAL, "FATAL: tproxy/intercept on https_port requires ssl-bump which is missing."); self_destruct(); } @@ -3829,13 +3831,13 @@ dump_generic_port(StoreEntry * e, const char *n, const AnyP::PortCfg * s) s->s.ToURL(buf,MAX_IPSTRLEN)); // MODES and specific sub-options. - if (s->intercepted) + if (s->flags.natIntercept) storeAppendPrintf(e, " intercept"); - else if (s->spoof_client_ip) + else if (s->flags.tproxyIntercept) storeAppendPrintf(e, " tproxy"); - else if (s->accel) { + else if (s->flags.accelSurrogate) { storeAppendPrintf(e, " accel"); if (s->vhost) @@ -3866,7 +3868,7 @@ dump_generic_port(StoreEntry * e, const char *n, const AnyP::PortCfg * s) storeAppendPrintf(e, " name=%s", s->name); #if USE_HTTP_VIOLATIONS - if (!s->accel && s->ignore_cc) + if (!s->flags.accelSurrogate && s->ignore_cc) storeAppendPrintf(e, " ignore-cc"); #endif @@ -3898,7 +3900,7 @@ dump_generic_port(StoreEntry * e, const char *n, const AnyP::PortCfg * s) } #if USE_SSL - if (s->sslBump) + if (s->flags.tunnelSslBumping) storeAppendPrintf(e, " ssl-bump"); if (s->cert) diff --git a/src/client_side.cc b/src/client_side.cc index 919d243ede..b4c427fef7 100644 --- a/src/client_side.cc +++ b/src/client_side.cc @@ -2228,7 +2228,7 @@ parseHttpRequest(ConnStateData *csd, HttpParser *hp, HttpRequestMethod * method_ *method_p = HttpRequestMethod(&hp->buf[hp->req.m_start], &hp->buf[hp->req.m_end]+1); /* deny CONNECT via accelerated ports */ - if (*method_p == Http::METHOD_CONNECT && csd->port && csd->port->accel) { + if (*method_p == Http::METHOD_CONNECT && csd->port && csd->port->flags.accelSurrogate) { debugs(33, DBG_IMPORTANT, "WARNING: CONNECT method received on " << csd->port->protocol << " Accelerator port " << csd->port->s.GetPort() ); /* XXX need a way to say "this many character length string" */ debugs(33, DBG_IMPORTANT, "WARNING: for request: " << hp->buf); @@ -2294,7 +2294,8 @@ parseHttpRequest(ConnStateData *csd, HttpParser *hp, HttpRequestMethod * method_ #endif - debugs(33,5, HERE << "repare absolute URL from " << (csd->transparent()?"intercept":(csd->port->accel ? "accel":""))); + debugs(33,5, HERE << "repare absolute URL from " << + (csd->transparent()?"intercept":(csd->port->flags.accelSurrogate ? "accel":""))); /* Rewrite the URL in transparent or accelerator mode */ /* NP: there are several cases to traverse here: * - standard mode (forward proxy) @@ -2318,7 +2319,7 @@ parseHttpRequest(ConnStateData *csd, HttpParser *hp, HttpRequestMethod * method_ // But have not parsed there yet!! flag for local-only handling. http->flags.internal = 1; - } else if (csd->port->accel || csd->switchedToHttps()) { + } else if (csd->port->flags.accelSurrogate || csd->switchedToHttps()) { /* accelerator mode */ prepareAcceleratedURL(csd, http, url, req_hdr); } @@ -3667,7 +3668,7 @@ httpsAccept(const CommAcceptCbParams ¶ms) // Socket is ready, setup the connection manager to start using it ConnStateData *connState = connStateCreate(params.conn, s); - if (s->sslBump) { + if (s->flags.tunnelSslBumping) { debugs(33, 5, "httpsAccept: accept transparent connection: " << params.conn); if (!Config.accessList.ssl_bump) { @@ -3964,7 +3965,7 @@ ConnStateData::httpsPeeked(Comm::ConnectionPointer serverConnection) debugs(33, 5, HERE << "Error while bumping: " << sslConnectHostOrIp); Ip::Address intendedDest; intendedDest = sslConnectHostOrIp.termedBuf(); - const bool isConnectRequest = !port->spoof_client_ip && !port->intercepted; + const bool isConnectRequest = !port->flags.tproxyIntercept && !port->flags.natIntercept; // Squid serves its own error page and closes, so we want // a CN that causes no additional browser errors. Possible @@ -4026,16 +4027,18 @@ clientHttpConnectionsOpen(void) } #if USE_SSL - if (s->sslBump && !Config.accessList.ssl_bump) { + if (s->flags.tunnelSslBumping && !Config.accessList.ssl_bump) { debugs(33, DBG_IMPORTANT, "WARNING: No ssl_bump configured. Disabling ssl-bump on " << s->protocol << "_port " << s->s); - s->sslBump = 0; + s->flags.tunnelSslBumping = false; } - if (s->sslBump && !s->staticSslContext && !s->generateHostCertificates) { + if (s->flags.tunnelSslBumping && + !s->staticSslContext && + !s->generateHostCertificates) { debugs(1, DBG_IMPORTANT, "Will not bump SSL at http_port " << s->s << " due to SSL initialization failure."); - s->sslBump = 0; + s->flags.tunnelSslBumping = false; } - if (s->sslBump) { + if (s->flags.tunnelSslBumping) { // Create ssl_ctx cache for this port. Ssl::TheGlobalContextStorage.addLocalStorage(s->s, s->dynamicCertMemCacheSize == std::numeric_limits::max() ? 4194304 : s->dynamicCertMemCacheSize); } @@ -4045,7 +4048,7 @@ clientHttpConnectionsOpen(void) // then pass back when active so we can start a TcpAcceptor subscription. s->listenConn = new Comm::Connection; s->listenConn->local = s->s; - s->listenConn->flags = COMM_NONBLOCKING | (s->spoof_client_ip ? COMM_TRANSPARENT : 0) | (s->intercepted ? COMM_INTERCEPTION : 0); + s->listenConn->flags = COMM_NONBLOCKING | (s->flags.tproxyIntercept ? COMM_TRANSPARENT : 0) | (s->flags.natIntercept ? COMM_INTERCEPTION : 0); // setup the subscriptions such that new connections accepted by listenConn are handled by HTTP typedef CommCbFunPtrCallT AcceptCall; @@ -4081,17 +4084,17 @@ clientHttpsConnectionsOpen(void) } // TODO: merge with similar code in clientHttpConnectionsOpen() - if (s->sslBump && !Config.accessList.ssl_bump) { + if (s->flags.tunnelSslBumping && !Config.accessList.ssl_bump) { debugs(33, DBG_IMPORTANT, "WARNING: No ssl_bump configured. Disabling ssl-bump on " << s->protocol << "_port " << s->s); - s->sslBump = 0; + s->flags.tunnelSslBumping = false; } - if (s->sslBump && !s->staticSslContext && !s->generateHostCertificates) { + if (s->flags.tunnelSslBumping && !s->staticSslContext && !s->generateHostCertificates) { debugs(1, DBG_IMPORTANT, "Will not bump SSL at http_port " << s->s << " due to SSL initialization failure."); - s->sslBump = 0; + s->flags.tunnelSslBumping = false; } - if (s->sslBump) { + if (s->flags.tunnelSslBumping) { // Create ssl_ctx cache for this port. Ssl::TheGlobalContextStorage.addLocalStorage(s->s, s->dynamicCertMemCacheSize == std::numeric_limits::max() ? 4194304 : s->dynamicCertMemCacheSize); } @@ -4099,8 +4102,8 @@ clientHttpsConnectionsOpen(void) // Fill out a Comm::Connection which IPC will open as a listener for us s->listenConn = new Comm::Connection; s->listenConn->local = s->s; - s->listenConn->flags = COMM_NONBLOCKING | (s->spoof_client_ip ? COMM_TRANSPARENT : 0) | - (s->intercepted ? COMM_INTERCEPTION : 0); + s->listenConn->flags = COMM_NONBLOCKING | (s->flags.tproxyIntercept ? COMM_TRANSPARENT : 0) | + (s->flags.natIntercept ? COMM_INTERCEPTION : 0); // setup the subscriptions such that new connections accepted by listenConn are handled by HTTPS typedef CommCbFunPtrCallT AcceptCall; @@ -4131,10 +4134,10 @@ clientListenerConnectionOpened(AnyP::PortCfg *s, const Ipc::FdNoteId portTypeNot AsyncJob::Start(new Comm::TcpAcceptor(s->listenConn, FdNote(portTypeNote), sub)); debugs(1, DBG_IMPORTANT, "Accepting " << - (s->intercepted ? "NAT intercepted " : "") << - (s->spoof_client_ip ? "TPROXY spoofing " : "") << - (s->sslBump ? "SSL bumped " : "") << - (s->accel ? "reverse-proxy " : "") + (s->flags.natIntercept ? "NAT intercepted " : "") << + (s->flags.tproxyIntercept ? "TPROXY spoofing " : "") << + (s->flags.tunnelSslBumping ? "SSL bumped " : "") << + (s->flags.accelSurrogate ? "reverse-proxy " : "") << FdNote(portTypeNote) << " connections at " << s->listenConn); diff --git a/src/client_side_request.cc b/src/client_side_request.cc index fb793f910e..30a395c6ae 100644 --- a/src/client_side_request.cc +++ b/src/client_side_request.cc @@ -1366,7 +1366,8 @@ ClientRequestContext::sslBumpAccessCheck() // (bumping of intercepted SSL conns is decided before we get 1st request). // We also do not bump redirected CONNECT requests. if (http->request->method != Http::METHOD_CONNECT || http->redirect.status || - !Config.accessList.ssl_bump || !http->getConn()->port->sslBump) { + !Config.accessList.ssl_bump || + !http->getConn()->port->flags.tunnelSslBumping) { http->al->ssl.bumpMode = Ssl::bumpEnd; // SslBump does not apply; log - debugs(85, 5, HERE << "cannot SslBump this request"); return false; diff --git a/src/forward.cc b/src/forward.cc index 084855b568..53b6617c2f 100644 --- a/src/forward.cc +++ b/src/forward.cc @@ -716,8 +716,8 @@ FwdState::negotiateSSL(int fd) // For intercepted connections, set the host name to the server // certificate CN. Otherwise, we just hope that CONNECT is using // a user-entered address (a host name or a user-entered IP). - const bool isConnectRequest = !request->clientConnectionManager->port->spoof_client_ip && - !request->clientConnectionManager->port->intercepted; + const bool isConnectRequest = !request->clientConnectionManager->port->flags.tproxyIntercept && + !request->clientConnectionManager->port->flags.natIntercept; if (request->flags.sslPeek && !isConnectRequest) { if (X509 *srvX509 = errDetails->peerCert()) { if (const char *name = Ssl::CommonHostName(srvX509)) { @@ -963,8 +963,8 @@ FwdState::initiateSSL() // unless it was the CONNECT request with a user-typed address. const char *hostname = request->GetHost(); const bool hostnameIsIp = request->GetHostIsNumeric(); - const bool isConnectRequest = !request->clientConnectionManager->port->spoof_client_ip && - !request->clientConnectionManager->port->intercepted; + const bool isConnectRequest = !request->clientConnectionManager->port->flags.tproxyIntercept && + !request->clientConnectionManager->port->flags.natIntercept; if (!request->flags.sslPeek || isConnectRequest) SSL_set_ex_data(ssl, ssl_ex_index_server, (void*)hostname); diff --git a/src/ssl/helper.cc b/src/ssl/helper.cc index 8f0e35ad64..789a4e31d9 100644 --- a/src/ssl/helper.cc +++ b/src/ssl/helper.cc @@ -34,9 +34,9 @@ void Ssl::Helper::Init() // we need to start ssl_crtd only if some port(s) need to bump SSL bool found = false; for (AnyP::PortCfg *s = ::Config.Sockaddr.http; !found && s; s = s->next) - found = s->sslBump; + found = s->flags.tunnelSslBumping; for (AnyP::PortCfg *s = ::Config.Sockaddr.https; !found && s; s = s->next) - found = s->sslBump; + found = s->flags.tunnelSslBumping; if (!found) return; @@ -135,9 +135,9 @@ void Ssl::CertValidationHelper::Init() // we need to start ssl_crtd only if some port(s) need to bump SSL bool found = false; for (AnyP::PortCfg *s = ::Config.Sockaddr.http; !found && s; s = s->next) - found = s->sslBump; + found = s->flags.tunnelSslBumping; for (AnyP::PortCfg *s = ::Config.Sockaddr.https; !found && s; s = s->next) - found = s->sslBump; + found = s->flags.tunnelSslBumping; if (!found) return; diff --git a/src/tools.cc b/src/tools.cc index e5ee4ff189..7311975b73 100644 --- a/src/tools.cc +++ b/src/tools.cc @@ -1209,7 +1209,7 @@ getMyPort(void) AnyP::PortCfg *p = NULL; if ((p = Config.Sockaddr.http)) { // skip any special interception ports - while (p && (p->intercepted || p->spoof_client_ip)) + while (p && (p->flags.natIntercept || p->flags.tproxyIntercept)) p = p->next; if (p) return p->s.GetPort(); @@ -1218,7 +1218,7 @@ getMyPort(void) #if USE_SSL if ((p = Config.Sockaddr.https)) { // skip any special interception ports - while (p && (p->intercepted || p->spoof_client_ip)) + while (p && (p->flags.natIntercept || p->flags.tproxyIntercept)) p = p->next; if (p) return p->s.GetPort(); -- 2.47.3