From: Christos Tsantilas Date: Sat, 7 May 2011 05:48:50 +0000 (-0600) Subject: Bug 3209: ssl-bumped requests forwarded unencrypted to the parent proxies/caches X-Git-Tag: SQUID_3_1_12_2~20 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=33ed7766f4274cf1c7867118b5b30ef8da19c9b0;p=thirdparty%2Fsquid.git Bug 3209: ssl-bumped requests forwarded unencrypted to the parent proxies/caches This patch block all ssl-bumped requests which are not forwarded directly to origin servers. A new flag added to the requests_flags to mark http requests which are ssl-bumped --- diff --git a/src/client_side.cc b/src/client_side.cc index 7c842f28c1..ca2b2fc57d 100644 --- a/src/client_side.cc +++ b/src/client_side.cc @@ -2432,6 +2432,7 @@ clientProcessRequest(ConnStateData *conn, HttpParser *hp, ClientSocketContext *c } request->flags.accelerated = http->flags.accel; + request->flags.sslBumped = conn->switchedToHttps(); request->flags.ignore_cc = conn->port->ignore_cc; request->flags.no_direct = request->flags.accelerated ? !conn->port->allow_direct : 0; diff --git a/src/forward.cc b/src/forward.cc index 4eeb57bd53..f85db3bcb1 100644 --- a/src/forward.cc +++ b/src/forward.cc @@ -832,6 +832,13 @@ FwdState::connectStart() if (ftimeout < ctimeout) ctimeout = ftimeout; + if (fs->_peer && request->flags.sslBumped == true) { + debugs(50, 4, "fwdConnectStart: Ssl bumped connections through parrent proxy are not allowed"); + ErrorState *anErr = errorCon(ERR_CANNOT_FORWARD, HTTP_SERVICE_UNAVAILABLE, request); + fail(anErr); + self = NULL; // refcounted + return; + } request->flags.pinned = 0; if (fs->code == PINNED) { diff --git a/src/structs.h b/src/structs.h index b979712932..49c950b9a2 100644 --- a/src/structs.h +++ b/src/structs.h @@ -1014,7 +1014,8 @@ struct _iostats { struct request_flags { - request_flags(): range(0),nocache(0),ims(0),auth(0),cachable(0),hierarchical(0),loopdetect(0),proxy_keepalive(0),proxying(0),refresh(0),redirected(0),need_validation(0),fail_on_validation_err(0),stale_if_hit(0),accelerated(0),ignore_cc(0),intercepted(0),spoof_client_ip(0),internal(0),internalclient(0),must_keepalive(0),destinationIPLookedUp_(0) { + request_flags(): range(0),nocache(0),ims(0),auth(0),cachable(0),hierarchical(0),loopdetect(0),proxy_keepalive(0),proxying(0),refresh(0),redirected(0),need_validation(0),fail_on_validation_err(0),stale_if_hit(0),accelerated(0),ignore_cc(0),intercepted(0),spoof_client_ip(0),internal(0),internalclient(0),must_keepalive(0),sslBumped(0),destinationIPLookedUp_(0) +{ #if HTTP_VIOLATIONS nocache_hack = 0; #endif @@ -1054,6 +1055,7 @@ unsigned int proxying: unsigned int pinned:1; /* Request sent on a pinned connection */ unsigned int auth_sent:1; /* Authentication forwarded */ unsigned int no_direct:1; /* Deny direct forwarding unless overriden by always_direct. Used in accelerator mode */ + unsigned int sslBumped:1; /**< ssl-bumped request*/ // When adding new flags, please update cloneAdaptationImmune() as needed.