This patch enable SSL client certificate ACL checks (user_cert and ca_cert)
in all cases the client connection information can retrieved from the related
HttpRequest object, eg when making peering decisions (peer_cache_access ACL).
Also fixes assertion failure caused by acl dst on transparent proxy.
Discussed under the "Supply client connection and IDENT information to
peer_cache_access ACL check" thread on squid-dev.
This is a Measurement Factory project
void
ACLFilledChecklist::conn(ConnStateData *aConn)
{
+ if (conn() == aConn)
+ return;
assert (conn() == NULL);
conn_ = cbdataReference(aConn);
}
#endif /* FOLLOW_X_FORWARDED_FOR */
src_addr = request->client_addr;
my_addr = request->my_addr;
+
+ if (request->clientConnectionManager.valid())
+ conn(request->clientConnectionManager.get());
}
#if USE_IDENT
* the ident result on persistent connections...
*/
/* connection oriented auth also needs these two lines for it's operation. */
- /*
- * Internal requests do not have a connection reference, because: A) their
- * byte count may be transformed before being applied to an outbound
- * connection B) they are internal - any limiting on them should be done on
- * the server end.
- */
-
- if (conn != NULL)
- ch->conn(conn); /* unreferenced in FilledCheckList.cc */
-
return ch;
}
checklist.src_addr = request->client_addr;
checklist.my_addr = request->my_addr;
-#if 0 && USE_IDENT
- /*
- * this is currently broken because 'request->user_ident' has been
- * moved to conn->rfc931 and we don't have access to the parent
- * ConnStateData here.
- */
- if (request->user_ident[0])
- xstrncpy(checklist.rfc931, request->user_ident, USER_IDENT_SZ);
-
-#endif
-
return (checklist.fastCheck() == ACCESS_ALLOWED);
}
projects / thirdparty / squid.git / commitdiff
