Commit | Line | Data |
---|---|---|
a2bcb413 MF |
1 | commit bc54d7a6f7ec510a25966f2f800d3ea874657546 |
2 | Author: chi-mf <43963496+chi-mf@users.noreply.github.com> | |
3 | Date: 2018-10-30 04:48:40 +0000 | |
4 | ||
5 | Fix netdb exchange with a TLS cache_peer (#307) | |
6 | ||
7 | Squid uses http-scheme URLs when sending netdb exchange (and possibly | |
8 | other) requests to a cache_peer. If a DIRECT path is selected for that | |
9 | cache_peer URL, then Squid sends a clear text HTTP request to that | |
10 | cache_peer. If that cache_peer expects a TLS connection, it will reject | |
11 | that request (with, e.g., error:transaction-end-before-headers), | |
12 | resulting in an HTTP 503 or 504 netdb fetch error. | |
13 | ||
14 | Work around this by adding an internalRemoteUri() parameter to indicate | |
15 | whether https or http URL scheme should be used. Netdb fetches from | |
16 | CachePeer::secure peers now get an https scheme and, hence, a TLS | |
17 | connection. | |
18 | ||
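--- a/src/icmp/net_db.cc
+++ b/src/icmp/net_db.cc
@@ -1282,7 +1282,7 @@ netdbExchangeStart(void *data)
 #if USE_ICMP
 CachePeer *p = (CachePeer *)data;
 static const SBuf netDB("netdb");
- char *uri = internalRemoteUri(p->host, p->http_port, "/squid-internal-dynamic/", netDB);
+ char *uri = internalRemoteUri(p->secure.encryptTransport, p->host, p->http_port, "/squid-internal-dynamic/", netDB);
 debugs(38, 3, "Requesting '" << uri << "'");
 const MasterXaction::Pointer mx = new MasterXaction(XactionInitiator::initIcmp);
 HttpRequest *req = HttpRequest::FromUrl(uri, mx);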
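Review bot: Passing only `p->secure.encryptTransport` in netdbExchangeStart() changes the URL scheme, but nothing visible in this hunk ties the resulting TLS connection to the rest of the peer's TLS settings. If the request still takes the DIRECT path described in the commit message, certificate validation presumably follows the general outgoing TLS configuration rather than this cache_peer's, so a peer with its own CA or relaxed verification flags may behave differently from a normal peer connection; this should be confirmed. I would record that next to the call, e.g. `// only the scheme comes from the peer; a DIRECT fetch may not apply the cache_peer TLS options`. The same applies to the internalRemoteUri() call in src/peer_digest.cc, and netdbExchangeStart() continues outside the hunk.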
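--- a/src/internal.cc
+++ b/src/internal.cc
@@ -82,7 +82,7 @@ internalStaticCheck(const SBuf &urlPath)
 * makes internal url with a given host and port (remote internal url)
 */
 char *
-internalRemoteUri(const char *host, unsigned short port, const char *dir, const SBuf &name)
+internalRemoteUri(bool encrypt, const char *host, unsigned short port, const char *dir, const SBuf &name)
 {
 static char lc_host[SQUIDHOSTNAMELEN];
 assert(host && !name.isEmpty());
@@ -115,7 +115,7 @@ internalRemoteUri(const char *host, unsigned short port, const char *dir, const
 static MemBuf mb;
 
 mb.reset();
- mb.appendf("http://" SQUIDSBUFPH, SQUIDSBUFPRINT(tmp.authority()));
+ mb.appendf("%s://" SQUIDSBUFPH, encrypt ? "https" : "http", SQUIDSBUFPRINT(tmp.authority()));
 
 if (dir)
 mb.append(dir, strlen(dir));
@@ -132,7 +132,10 @@ internalRemoteUri(const char *host, unsigned short port, const char *dir, const
 char *
 internalLocalUri(const char *dir, const SBuf &name)
 {
- return internalRemoteUri(getMyHostname(),
+ // XXX: getMy*() may return https_port info, but we force http URIs
+ // because we have not checked whether the callers can handle https.
+ const bool secure = false;
+ return internalRemoteUri(secure, getMyHostname(),
 getMyPort(), dir, name);
 }
 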
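Review bot: The comment block above internalRemoteUri() still reads only "makes internal url with a given host and port" and does not say what the new leading `encrypt` argument selects, although the scheme choice is now the security-relevant part of this function. I would add a line such as `* \param encrypt build an https:// URL (true) or an http:// URL (false)` to that comment. In internalLocalUri() the flag is pinned to false while the XXX comment says getMy*() may return https_port details, so the result could pair an http scheme with a TLS port; that limitation is worth stating in the function's own header comment, where callers will see it. The body of internalRemoteUri() continues outside the first two hunks.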
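--- a/src/internal.h
+++ b/src/internal.h
@@ -24,7 +24,7 @@ void internalStart(const Comm::ConnectionPointer &clientConn, HttpRequest *, Sto
 bool internalCheck(const SBuf &urlPath);
 bool internalStaticCheck(const SBuf &urlPath);
 char *internalLocalUri(const char *dir, const SBuf &name);
-char *internalRemoteUri(const char *, unsigned short, const char *, const SBuf &);
+char *internalRemoteUri(bool, const char *, unsigned short, const char *, const SBuf &);
 const char *internalHostname(void);
 int internalHostnameIs(const char *);
 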
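Review bot: The updated prototype leaves all five parameters unnamed, so the header gives no hint what the leading `bool` means and a call such as `internalRemoteUri(true, ...)` cannot be read without opening internal.cc. Since that flag decides between a cleartext and a TLS URL, I would name the parameters to match the definition: `char *internalRemoteUri(bool encrypt, const char *host, unsigned short port, const char *dir, const SBuf &name);`.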
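--- a/src/peer_digest.cc
+++ b/src/peer_digest.cc
@@ -323,7 +323,7 @@ peerDigestRequest(PeerDigest * pd)
 if (p->digest_url)
 url = xstrdup(p->digest_url);
 else
- url = xstrdup(internalRemoteUri(p->host, p->http_port, "/squid-internal-periodic/", SBuf(StoreDigestFileName)));
+ url = xstrdup(internalRemoteUri(p->secure.encryptTransport, p->host, p->http_port, "/squid-internal-periodic/", SBuf(StoreDigestFileName)));
 debugs(72, 2, url);
 
 const MasterXaction::Pointer mx = new MasterXaction(XactionInitiator::initCacheDigest);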
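Review bot: Only the `else` branch in peerDigestRequest() picks up the peer's TLS setting; when `p->digest_url` is configured it is copied as is, so an http:// digest URL for a peer with `encryptTransport` set would still be requested in clear text. Whether digest_url is checked against the peer's TLS setting elsewhere is not visible here. A short comment on the first branch, e.g. `// digest_url scheme is used as configured; p->secure.encryptTransport is not applied`, would make that explicit, or a debugs() warning on a mismatch could be added. peerDigestRequest() starts and ends outside the hunk.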