From: Yuhua Wu
Date: Mon, 20 Apr 2015 02:38:20 +0000 (-0700)
Subject: Fix require-proxy-header preventing HTTPS proxying and ssl-bump
X-Git-Tag: SQUID_3_5_4~19
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=37ab7dec7ce1d5e20b900b69904436da6881e9c3;p=thirdparty%2Fsquid.git
Fix require-proxy-header preventing HTTPS proxying and ssl-bump
When require-proxy-header was used, the request->flags.interceptTproxy is wrongly set to 1. Since request->flags.interceptTproxy is 1, the 200 status code for CONNECT call is not sent which breaks both HTTPS proxying and SSL-bump.
---
diff --git a/src/client_side.cc b/src/client_side.cc
index 8dc8e4789f..6a30b60662 100644
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -3046,7 +3046,8 @@ ConnStateData::parseProxy1p0()
 debugs(33, 5, "PROXY/1.0 protocol on connection " << clientConnection);
 clientConnection->local = originalDest;
 clientConnection->remote = originalClient;
- clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.
+ if ((clientConnection->flags & COMM_TRANSPARENT))
+ clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.
 debugs(33, 5, "PROXY/1.0 upgrade: " << clientConnection);
 // repeat fetch ensuring the new client FQDN can be logged
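Review bot: The guarded toggle in parseProxy1p0(), `if ((clientConnection->flags & COMM_TRANSPARENT)) clientConnection->flags ^= COMM_TRANSPARENT;`, is a clear-bit operation spelled as test-then-XOR, and it keeps the operator that caused the bug this commit fixes. Assuming `flags` is a plain integer bitmask, `clientConnection->flags &= ~COMM_TRANSPARENT; // addresses now come from the PROXY header; never treat them as TPROXY-spoofable` does the same in one idempotent statement and cannot set the bit if the guard is later edited or dropped. The same pattern is repeated in the IPv4 and IPv6 cases of parseProxy2p0(), so all three sites should change together. Both functions start and end outside the hunks shown, so I cannot tell whether anything later sets the flag again.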
@@ -3136,14 +3137,16 @@ ConnStateData::parseProxy2p0()
 clientConnection->local.port(ntohs(ipu.ipv4_addr.dst_port));
 clientConnection->remote = ipu.ipv4_addr.src_addr;
 clientConnection->remote.port(ntohs(ipu.ipv4_addr.src_port));
- clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.
+ if ((clientConnection->flags & COMM_TRANSPARENT))
+ clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.
 break;
 case 0x2: // IPv6
 clientConnection->local = ipu.ipv6_addr.dst_addr;
 clientConnection->local.port(ntohs(ipu.ipv6_addr.dst_port));
 clientConnection->remote = ipu.ipv6_addr.src_addr;
 clientConnection->remote.port(ntohs(ipu.ipv6_addr.src_port));
- clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.
+ if ((clientConnection->flags & COMM_TRANSPARENT))
+ clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.
 break;
 default: // do nothing
 break;