Fix require-proxy-header preventing HTTPS proxying and ssl-bump
authorYuhua Wu <ywu@bitglass.com>
Wed, 15 Apr 2015 10:26:30 +0000 (03:26 -0700)
committerAmos Jeffries <squid3@treenet.co.nz>
Wed, 15 Apr 2015 10:26:30 +0000 (03:26 -0700)
When require-proxy-header was used, request->flags.interceptTproxy was
wrongly set to 1.

Since request->flags.interceptTproxy is 1, the 200 status code for CONNECT
call is not sent which breaks both HTTPS proxying and SSL-bump.

src/client_side.cc

index 85c6a22e763819f5dbe177b50aa29d75496cd4e1..714594258268186604ffa7c2780aafc98167eb4c 100644 (file)
@@ -2913,7 +2913,8 @@ ConnStateData::parseProxy1p0()
         debugs(33, 5, "PROXY/1.0 protocol on connection " << clientConnection);
         clientConnection->local = originalDest;
         clientConnection->remote = originalClient;
-        clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.
+        if ((clientConnection->flags & COMM_TRANSPARENT))
+            clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.
         debugs(33, 5, "PROXY/1.0 upgrade: " << clientConnection);
 
         // repeat fetch ensuring the new client FQDN can be logged
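Review bot: The guarded XOR on the two added lines is an indirect way to clear a bit. A plain mask, `clientConnection->flags &= ~COMM_TRANSPARENT; // addresses now come from the PROXY header: never TPROXY-spoof them`, is unconditional and idempotent, and it cannot turn the flag back on if the condition is edited later. The same two-line pattern is added in the IPv4 and IPv6 cases of parseProxy2p0(), so the same change applies there. According to the commit description, the old toggle is what caused interceptTproxy to be set wrongly, so the comment should say that the flag is cleared rather than toggled. parseProxy1p0()'s body continues outside the hunk.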
@@ -3003,14 +3004,16 @@ ConnStateData::parseProxy2p0()
         clientConnection->local.port(ntohs(ipu.ipv4_addr.dst_port));
         clientConnection->remote = ipu.ipv4_addr.src_addr;
         clientConnection->remote.port(ntohs(ipu.ipv4_addr.src_port));
-        clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.
+        if ((clientConnection->flags & COMM_TRANSPARENT))
+            clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.
         break;
     case 0x2: // IPv6
         clientConnection->local = ipu.ipv6_addr.dst_addr;
         clientConnection->local.port(ntohs(ipu.ipv6_addr.dst_port));
         clientConnection->remote = ipu.ipv6_addr.src_addr;
         clientConnection->remote.port(ntohs(ipu.ipv6_addr.src_port));
-        clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.
+        if ((clientConnection->flags & COMM_TRANSPARENT))
+            clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.
         break;
     default: // do nothing
         break;