Fix require-proxy-header preventing HTTPS proxying and ssl-bump
authorYuhua Wu <ywu@bitglass.com>
Mon, 20 Apr 2015 02:38:20 +0000 (19:38 -0700)
committerAmos Jeffries <squid3@treenet.co.nz>
Mon, 20 Apr 2015 02:38:20 +0000 (19:38 -0700)
When require-proxy-header was used, the request->flags.interceptTproxy is
wrongly set to 1.

Since request->flags.interceptTproxy is 1, the 200 status code for the CONNECT
call is not sent, which breaks both HTTPS proxying and SSL-bump.

src/client_side.cc

index 8dc8e4789f70cdfa12cb4a7b65ab1b619d1eac96..6a30b60662ffa9f92a63c88ffe37e5f2d59532aa 100644 (file)
@@ -3046,7 +3046,8 @@ ConnStateData::parseProxy1p0()
         debugs(33, 5, "PROXY/1.0 protocol on connection " << clientConnection);
         clientConnection->local = originalDest;
         clientConnection->remote = originalClient;
-        clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.
+        if ((clientConnection->flags & COMM_TRANSPARENT))
+            clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.
         debugs(33, 5, "PROXY/1.0 upgrade: " << clientConnection);
 
         // repeat fetch ensuring the new client FQDN can be logged
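Review bot: The added guard plus XOR in parseProxy1p0() is a clear-bit operation spelled as a conditional toggle; `clientConnection->flags &= ~COMM_TRANSPARENT;` does the same in one statement and cannot set the flag whatever its prior state, which is the property the "prevent TPROXY spoofing" comment depends on. The same two-line pattern is repeated in the IPv4 and IPv6 branches of parseProxy2p0() in the next hunk, so a later edit that drops one guard would silently bring back the toggle there. The addresses assigned just above appear to come from the parsed PROXY header rather than from the kernel, and the comment could say so, e.g. `// addresses now come from the PROXY header; never spoof them via TPROXY`. Both functions begin and end outside the hunks, so whether the flag is consulted again later on these paths cannot be judged from here.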
@@ -3136,14 +3137,16 @@ ConnStateData::parseProxy2p0()
         clientConnection->local.port(ntohs(ipu.ipv4_addr.dst_port));
         clientConnection->remote = ipu.ipv4_addr.src_addr;
         clientConnection->remote.port(ntohs(ipu.ipv4_addr.src_port));
-        clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.
+        if ((clientConnection->flags & COMM_TRANSPARENT))
+            clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.
         break;
     case 0x2: // IPv6
         clientConnection->local = ipu.ipv6_addr.dst_addr;
         clientConnection->local.port(ntohs(ipu.ipv6_addr.dst_port));
         clientConnection->remote = ipu.ipv6_addr.src_addr;
         clientConnection->remote.port(ntohs(ipu.ipv6_addr.src_port));
-        clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.
+        if ((clientConnection->flags & COMM_TRANSPARENT))
+            clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.
         break;
     default: // do nothing
         break;