From: Christos Tsantilas
Date: Mon, 23 Apr 2012 16:34:04 +0000 (+0300)
Subject: Bug fix: src ACL broken with sslproxy_cert_error
X-Git-Tag: BumpSslServerFirst.take08~12
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=23670c61085542346f30bde8fb2b3729cb021b12;p=thirdparty%2Fsquid.git

Bug fix: src ACL broken with sslproxy_cert_error

The following Squid configuration uses src ACL with sslproxy_cert_error:

    acl me src 172.16.101.51
    sslproxy_cert_error allow me

Cache log shows that the source IP address is missing when the 'me' ACL is checked for sslproxy_cert_error:

    | ACL::checklistMatches: checking 'me'
    | aclIpAddrNetworkCompare: compare: *[::]/[ff...ff] ([::])* vs ...
    | aclIpMatchIp: '[::]' NOT found

The problem is that the HttpRequest::client_addr is not set, for the fake HTTPS request created to initiate the bump-server-first procedure.
---
diff --git a/src/client_side.cc b/src/client_side.cc index be95b534c9..434095ff4a 100644 --- a/src/client_side.cc +++ b/src/client_side.cc @@ -3889,6 +3889,11 @@ ConnStateData::switchToHttps(const char *host, const int port) fakeRequest->port = port; fakeRequest->protocol = AnyP::PROTO_HTTPS; fakeRequest->clientConnectionManager = this; + fakeRequest->client_addr = clientConnection->remote; +#if FOLLOW_X_FORWARDED_FOR + fakeRequest->indirect_client_addr = clientConnection->remote; +#endif + fakeRequest->my_addr = clientConnection->local; sslServerBump = new Ssl::ServerBump(fakeRequest); // will call httpsPeeked() with certificate and connection, eventually
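Review bot: the commit message explains only client_addr, but the added lines in ConnStateData::switchToHttps() also populate indirect_client_addr (under FOLLOW_X_FORWARDED_FOR) and my_addr, and nothing in the code says why. A short comment above the block would help the next reader, for example "copy the connection endpoints so address-based ACLs such as src can be evaluated against the fake request", and it should state that setting indirect_client_addr to clientConnection->remote (the direct TCP peer) is deliberate for this synthetic request. The new lines also dereference clientConnection with no check visible in this hunk; if the connection can already be gone when switchToHttps() runs, a guard or assertion belongs before these assignments. Since an unset address makes a src ACL silently fail to match in sslproxy_cert_error, as the cache log in the message shows, a regression check using the quoted "acl me src ..." configuration would be a useful companion to this change.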