squid: Update to 4.4 (stable)
1 commit bc54d7a6f7ec510a25966f2f800d3ea874657546
2 Author: chi-mf <43963496+chi-mf@users.noreply.github.com>
3 Date: 2018-10-30 04:48:40 +0000
4
5 Fix netdb exchange with a TLS cache_peer (#307)
6
7 Squid uses http-scheme URLs when sending netdb exchange (and possibly
8 other) requests to a cache_peer. If a DIRECT path is selected for that
9 cache_peer URL, then Squid sends a clear text HTTP request to that
10 cache_peer. If that cache_peer expects a TLS connection, it will reject
11 that request (with, e.g., error:transaction-end-before-headers),
12 resulting in an HTTP 503 or 504 netdb fetch error.
13
14 Work around this by adding an internalRemoteUri() parameter to indicate
15 whether https or http URL scheme should be used. Netdb fetches from
16 CachePeer::secure peers now get an https scheme and, hence, a TLS
17 connection.
18
19 diff --git a/src/icmp/net_db.cc b/src/icmp/net_db.cc
20 index 0f488de..526093f 100644
21 --- a/src/icmp/net_db.cc
22 +++ b/src/icmp/net_db.cc
23 @@ -1282,7 +1282,7 @@ netdbExchangeStart(void *data)
24 #if USE_ICMP
25 CachePeer *p = (CachePeer *)data;
26 static const SBuf netDB("netdb");
27 - char *uri = internalRemoteUri(p->host, p->http_port, "/squid-internal-dynamic/", netDB);
28 + char *uri = internalRemoteUri(p->secure.encryptTransport, p->host, p->http_port, "/squid-internal-dynamic/", netDB);
29 debugs(38, 3, "Requesting '" << uri << "'");
30 const MasterXaction::Pointer mx = new MasterXaction(XactionInitiator::initIcmp);
31 HttpRequest *req = HttpRequest::FromUrl(uri, mx);
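Review bot: Only the boolean `p->secure.encryptTransport` reaches the request on the changed line, so the fetch gets an https scheme but nothing in this hunk ties the resulting connection to the rest of the peer's `secure` settings. The commit message says the request can go out on a DIRECT path; if so, certificate validation presumably follows Squid's general outgoing TLS configuration rather than this cache_peer's own options, which should be confirmed. A comment on the call would record the limitation, e.g. `// https scheme only; peer-specific TLS options may not apply on a DIRECT path (TODO confirm)`. netdbExchangeStart's body starts and continues outside the hunk.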
32 diff --git a/src/internal.cc b/src/internal.cc
33 index 6ebc7a6..ff7b4d6 100644
34 --- a/src/internal.cc
35 +++ b/src/internal.cc
36 @@ -82,7 +82,7 @@ internalStaticCheck(const SBuf &urlPath)
37 * makes internal url with a given host and port (remote internal url)
38 */
39 char *
40 -internalRemoteUri(const char *host, unsigned short port, const char *dir, const SBuf &name)
41 +internalRemoteUri(bool encrypt, const char *host, unsigned short port, const char *dir, const SBuf &name)
42 {
43 static char lc_host[SQUIDHOSTNAMELEN];
44 assert(host && !name.isEmpty());
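Review bot: The comment above internalRemoteUri() still says only "makes internal url with a given host and port" and does not describe the new leading `encrypt` flag. Add a line such as `* encrypt selects the "https" URL scheme instead of "http"`. The prototype in src/internal.h (last hunk of this patch) leaves all five parameters unnamed, so a bare `bool` first argument is easy to misread at a call site; naming them there, `char *internalRemoteUri(bool encrypt, const char *host, unsigned short port, const char *dir, const SBuf &name);`, would help. The function body continues outside this hunk.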
45 @@ -115,7 +115,7 @@ internalRemoteUri(const char *host, unsigned short port, const char *dir, const
46 static MemBuf mb;
47
48 mb.reset();
49 - mb.appendf("http://" SQUIDSBUFPH, SQUIDSBUFPRINT(tmp.authority()));
50 + mb.appendf("%s://" SQUIDSBUFPH, encrypt ? "https" : "http", SQUIDSBUFPRINT(tmp.authority()));
51
52 if (dir)
53 mb.append(dir, strlen(dir));
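Review bot: The scheme text on the `mb.appendf` line is now chosen from `encrypt`, while the authority still comes from `tmp`, whose construction is outside the hunk. If `tmp.authority()` omits the port when it equals the default port of `tmp`'s own scheme, a TLS peer listening on that default port would yield an `https://host/` URI with no port. The request would then presumably be sent to the https default port instead of the configured one. Confirm that `tmp` is built with the scheme matching `encrypt`, or that the port is always printed on this path.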
54 @@ -132,7 +132,10 @@ internalRemoteUri(const char *host, unsigned short port, const char *dir, const
55 char *
56 internalLocalUri(const char *dir, const SBuf &name)
57 {
58 - return internalRemoteUri(getMyHostname(),
59 + // XXX: getMy*() may return https_port info, but we force http URIs
60 + // because we have not checked whether the callers can handle https.
61 + const bool secure = false;
62 + return internalRemoteUri(secure, getMyHostname(),
63 getMyPort(), dir, name);
64 }
65
66 diff --git a/src/internal.h b/src/internal.h
67 index c91f9ac..13a43a6 100644
68 --- a/src/internal.h
69 +++ b/src/internal.h
70 @@ -24,7 +24,7 @@ void internalStart(const Comm::ConnectionPointer &clientConn, HttpRequest *, Sto
71 bool internalCheck(const SBuf &urlPath);
72 bool internalStaticCheck(const SBuf &urlPath);
73 char *internalLocalUri(const char *dir, const SBuf &name);
74 -char *internalRemoteUri(const char *, unsigned short, const char *, const SBuf &);
75 +char *internalRemoteUri(bool, const char *, unsigned short, const char *, const SBuf &);
76 const char *internalHostname(void);
77 int internalHostnameIs(const char *);
78
79 diff --git a/src/peer_digest.cc b/src/peer_digest.cc
80 index 36a8705..f515aaa 100644
81 --- a/src/peer_digest.cc
82 +++ b/src/peer_digest.cc
83 @@ -323,7 +323,7 @@ peerDigestRequest(PeerDigest * pd)
84 if (p->digest_url)
85 url = xstrdup(p->digest_url);
86 else
87 - url = xstrdup(internalRemoteUri(p->host, p->http_port, "/squid-internal-periodic/", SBuf(StoreDigestFileName)));
88 + url = xstrdup(internalRemoteUri(p->secure.encryptTransport, p->host, p->http_port, "/squid-internal-periodic/", SBuf(StoreDigestFileName)));
89 debugs(72, 2, url);
90
91 const MasterXaction::Pointer mx = new MasterXaction(XactionInitiator::initCacheDigest);
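Review bot: The `p->digest_url` branch just above the changed line is left as is, so an explicitly configured digest URL is used verbatim whatever `p->secure.encryptTransport` says. A TLS peer with an http:// digest URL would presumably still be fetched in clear text and hit the same rejection the commit message describes. Consider logging a warning when the configured scheme and `encryptTransport` disagree, or at least a comment such as `// digest_url is used as configured; its scheme is not adjusted for TLS peers`. peerDigestRequest starts and ends outside the hunk.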