From: Yuhua Wu
Date: Wed, 15 Apr 2015 10:26:30 +0000 (-0700)
Subject: Fix require-proxy-header preventing HTTPS proxying and ssl-bump
X-Git-Tag: merge-candidate-3-v1~177
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=65984b09a23ca2204224c5f73feac5c3b3c57587;p=thirdparty%2Fsquid.git

Fix require-proxy-header preventing HTTPS proxying and ssl-bump

When requir-proxy-header was used, the request->flags.interceptTproxy is wrongly set to 1. Since request->flags.interceptTproxy is 1, the 200 status code for CONNECT call is not sent which breaks both HTTPS proxying and SSL-bump.
---
diff --git a/src/client_side.cc b/src/client_side.cc
index 85c6a22e76..7145942582 100644
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -2913,7 +2913,8 @@ ConnStateData::parseProxy1p0()
 debugs(33, 5, "PROXY/1.0 protocol on connection " << clientConnection);
 clientConnection->local = originalDest;
 clientConnection->remote = originalClient;
- clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.
+ if ((clientConnection->flags & COMM_TRANSPARENT))
+ clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.
 debugs(33, 5, "PROXY/1.0 upgrade: " << clientConnection);
 // repeat fetch ensuring the new client FQDN can be logged
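Review bot: The guarded XOR added in parseProxy1p0() is a roundabout way to clear one bit; `clientConnection->flags &= ~COMM_TRANSPARENT;` states the intent in a single idempotent statement and cannot bring back the toggle-on behaviour this commit fixes if the guard is later edited or dropped. The same two-line pattern is repeated in the IPv4 and IPv6 branches of parseProxy2p0(), so the replacement applies at all three sites. Going by the existing comment, this bit governs whether the address taken from the PROXY header may be TPROXY-spoofed, so the clear should read as unconditional and the comment could say so, e.g. `// always clear: an address learned from a PROXY header must not be TPROXY-spoofed`. Both function bodies continue outside the hunks, so whether other flag bits need the same treatment cannot be judged from here.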
@@ -3003,14 +3004,16 @@ ConnStateData::parseProxy2p0()
 clientConnection->local.port(ntohs(ipu.ipv4_addr.dst_port));
 clientConnection->remote = ipu.ipv4_addr.src_addr;
 clientConnection->remote.port(ntohs(ipu.ipv4_addr.src_port));
- clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.
+ if ((clientConnection->flags & COMM_TRANSPARENT))
+ clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.
 break;
 case 0x2: // IPv6
 clientConnection->local = ipu.ipv6_addr.dst_addr;
 clientConnection->local.port(ntohs(ipu.ipv6_addr.dst_port));
 clientConnection->remote = ipu.ipv6_addr.src_addr;
 clientConnection->remote.port(ntohs(ipu.ipv6_addr.src_port));
- clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.
+ if ((clientConnection->flags & COMM_TRANSPARENT))
+ clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.
 break;
 default: // do nothing
 break;