From: Amos Jeffries
Date: Fri, 5 Mar 2010 02:07:24 +0000 (+1300)
Subject: Rationalize the default httpd_accel_surrogate_id
X-Git-Tag: SQUID_3_2_0_1~391
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b2b40d8c69cf988f8e4fb5a545464f9ddcee7c67;p=thirdparty%2Fsquid.git

Rationalize the default httpd_accel_surrogate_id

Prevents more possibilities for data leakage by making the default surrogate ID based on visible_hostname (public FQDN for the proxy).

Now that Surrogate_Capability: header is sent by default in accelerator environments it makes more sense to default it to a value fairly unique or at least restricted to that local administrative domain.

When visible_hostname is set up correctly (either automatic or manual) each stand-alone squid install should have a unique ID. Groups of proxies sharing work for a domain should also be by default sharing an ID and thus sharing the override behavior.

When visible_hostname is unavailable it will retain the old default of 'unset-id'.

--- diff --git a/src/cache_cf.cc b/src/cache_cf.cc index 996873df04..76fa702e23 100644 --- a/src/cache_cf.cc +++ b/src/cache_cf.cc @@ -505,6 +505,12 @@ configDoConfigure(void) uniqueHostname(), visible_appname_string); + /* Use visible_hostname as default surrogate_id */ + if (!Config.Accel.surrogate_id) { + const char *t = getMyHostname(); + Config.Accel.surrogate_id = xstrdup( (t?t:"unset-id") ); + } + if (!Config.udpMaxHitObjsz || Config.udpMaxHitObjsz > SQUID_UDP_SO_SNDBUF) Config.udpMaxHitObjsz = SQUID_UDP_SO_SNDBUF; diff --git a/src/cf.data.pre b/src/cf.data.pre index 837f147d02..b399474cd2 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre 
@@ -4327,13 +4327,15 @@ COMMENT_END NAME: httpd_accel_surrogate_id TYPE: string +DEFAULT: none LOC: Config.Accel.surrogate_id -DEFAULT: unset-id DOC_START Surrogates (http://www.esi.org/architecture_spec_1.0.html) need an identification token to allow control targeting. Because a farm of surrogates may all perform the same tasks, they may share an identification token. + + The default ID is the visible_hostname DOC_END NAME: http_accel_surrogate_remote
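Review bot: In the src/cache_cf.cc hunk, the `(t?t:"unset-id")` fallback is silent, so an install whose hostname cannot be determined ends up with the same shared 'unset-id' token as every other such install, which is the overlap the commit message sets out to reduce. A warning logged at that branch, telling the admin to set visible_hostname or httpd_accel_surrogate_id explicitly, would make the degraded case visible. Two smaller points on the same lines: the comment says visible_hostname while the call is getMyHostname(), so a word in the comment on how the two relate would help the next reader, and the spacing in `xstrdup( (t?t:"unset-id") )` could be tidied to `xstrdup(t ? t : "unset-id")`.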
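Review bot: In the src/cf.data.pre hunk, the added doc line "The default ID is the visible_hostname" leaves out the fallback the code hunk implements, so the directive now reads `DEFAULT: none` while the effective value is either the hostname or 'unset-id'. Suggest wording along the lines of "The default ID is the visible_hostname, or 'unset-id' when no hostname is available", with a closing period. Since this token is what allows control targeting, it is also worth a sentence noting that proxies sharing a visible_hostname will share override behavior unless httpd_accel_surrogate_id is set per proxy.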