Amos Jeffries [Thu, 24 Oct 2013 15:35:08 +0000 (09:35 -0600)]
Add cache_miss_revalidate
Port of 2.7 ignore_ims_on_miss directive by Henrik Nordstrom.
This on/off switch enables Squid to convert conditional requests from
clients to non-conditional fetches that can fill the cache faster under
cold-start conditions.
Alex Rousskov [Thu, 24 Oct 2013 15:27:49 +0000 (09:27 -0600)]
Bug 3480: StoreEntry::kickProducer() segfaults in store_client::copy()
context
Short-term fix: Lock StoreEntry object so that it is not freed by
storeClientCopy2() callbacks. Also lock StoreEntry in storeUnregister()
context because an aborting entry may be deleted there unless it is
double-locked.
See bug 3480 comment #27 for detailed call stack analysis. Additional
cases
include rejected copied HIT due to Var mismatch and hits blocked by
reply_from_cache directive (under development; see bug 3937).
Long-term, we need to make store copying asynchronous and revise
StoreEntry
locking approach.
Amos Jeffries [Thu, 24 Oct 2013 15:26:21 +0000 (09:26 -0600)]
Fix CBDATA_CLASS2 macro definition
CBDATA_UNKNOWN was being used in place of a void no-op statement.
This was incorrect and useless. Now that the value definition is fixed
it is being picked up by the stricter compilers.
Replace the trinary conditional with an if-statement.
Amos Jeffries [Thu, 3 Oct 2013 11:17:30 +0000 (05:17 -0600)]
Use IPv6 localhost nameserver on DNS configuration errors
When DNS configuration fails to locate a set of nameservers "localhost"
is used as the default but has previously only been setting 127.0.0.1
IPv4 address for localhost. This enables the failover to work as
designed on IPv6-only networks.
Alex Rousskov [Sun, 29 Sep 2013 17:28:00 +0000 (11:28 -0600)]
Close idle client connections associated with closed idle pinned connections.
Squid was not monitoring idle persistent connections pinned to servers. Squid
would discover that the pinned server connection is closed only after
receiving a new request on the idle client connection and trying to write that
request to the server. In such cases, Squid propagates the pinned connection
closure to the client (as it should).
Chrome and, to a lesser extent, Firefox handle such races by opening a new
connection and resending the failed [idempotent] request transparently to the
user. However, IE usually displays an error page to the user.
While some pconn races cannot be avoided, without monitoring idle pconns,
Squid virtually guaranteed such a race in environments where origin server
idle connection timeout is smaller than client/Squid timeouts and users
are revisiting pages in the window between those two timeouts.
Squid now monitors idle pinned connections similar to idle connections in the
pconn pool and closes the corresponding idle client connection to keep the two
sides in sync (to the extent possible).
It is theoretically possible that this change will break servers that send
whitespace on an idle persistent connection or perhaps send some SSL keepalive
traffic. No such cases are known to exist though.
Revert r12609 due to compile errors on stable branch
src/ssl/support.cc:302: error: expected type-specifier
src/ssl/support.cc:302: error: cannot convert 'int*' to 'Ssl::Errors*' in assignment
src/ssl/support.cc:302: error: expected `;'
src/ssl/support.cc:303: error: 'class ACLFilledChecklist' has no member named 'serverCert'
src/ssl/support.cc:312: error: 'class ACLFilledChecklist' has no member named 'serverCert'
src/ssl/support.cc:316: error: 'TheConfig' is not a member of 'Ssl'
src/ssl/support.cc:319: error: 'ssl_ex_index_ssl_cert_chain' was not declared in this scope
src/ssl/support.cc:495: error: a function-definition is not allowed here before '{' token
src/ssl/support.cc:1595: error: expected `}' at end of input
Windows: locate CMSG definitions in WinSock2.h when present
Windows defines the CMSG macros in WinSock2.h sometimes. This allows the
definitions there to be used when present and avoids compiler errors
about double definitions.
Bug 3849: Duplicate certificate sent when using https_port
The certificate file given with the "cert=" option it may contain a list
of
certificates to be chained to the SSL client, for example intermediate
certificates.
The bug caused because in the certificates chain we are storing also
the
certificate of the port. This is works well for SSL-bump because squid
generates a certificate which uses the port certificate as CA
certificate.
But in the case of https_port without bumping the port certificate is
sent
twice, one as SSL server certificate and one as chained certificate.
This patch try to chain port certificate only when the sslbump is used.
The port name from http_port/https_port was not being propigated to
adapted reqeusts after ICAP/eCAP. Which makes the myportname ACL and
logging of portname not work on adapted requests.
Windows: fix collision between POSIX wrappers and DiskIO class methods
The POSIX function shutdown() is #define'd on Windows. This causes
compiler issues with the DiskIO method of same name. Rename the method
to gracefulShutdown() instead.
Also, Bug 3189 was incomplete and missed a change to DiskThreads
Windows initialization method.
Jan Sievers [Tue, 10 Sep 2013 11:28:13 +0000 (05:28 -0600)]
Regression Bug 3077: off-by-one error in Digest header decoding
This is a regression in the 3.2 and later version of the original bug
fix patch.
The effect is that all attributes are treated as quoted-string values
with unescaping performed. This ends with credentials wrongly being
rejected as invalid.
Squid would semi-silently accept invalid IP address or hostname in some
directives which required them (eg wccp_router) and use the magic
IP_ANYADDR value. This change makes configure halt with a FATAL error
instead.
Handle infinite certificate validation loops caused by OpenSSL bug #3090.
If OpenSSL is stuck in a validation loop, Squid breaks the loop and
triggers a
new custom SQUID_X509_V_ERR_INFINITE_VALIDATION SSL validation error.
That
error cannot be bypassed using sslproxy_cert_error because to break the
loop
Squid has to tell OpenSSL that the certificate is invalid, which
terminates
the SSL connection.
Validation loops exceeding SQUID_CERT_VALIDATION_ITERATION_MAX
iterations
are deemed infinite. That macro is defined to be 16384, but that default
can
be overwritten using CPPFLAGS.
* _SQUID_WINDOWS_ for any Windows build specific code
* _SQUID_CYGWIN_ for CygWin Windows build specific code
* _SQUID_MINGW_ for MinGW Windows build specific code
Invalid casting seems to confuse the ABI generator and results in
illegal instruction faults when the unit tests is run.
The class API is already const-correct so there is no need for the cast
to occur, and it should not be done on a non-pointer type anyway.
Also, fixes a missing "struct" type identifier found along the way.
This patch sends an If-None-Match request, when we need to re-validate
if a cached object which has a strong ETag is still valid.
This is also done in the cases an HTTP client request contains HTTP
headers prohibiting a from-cache response (i.e., a "reload" request).
The use of If-None-Match request in this context violates RFC 2616 and
requires using reload-into-ims option within refresh_pattern squid.conf
directive.
The exact definition of a "reload request" and the adjustment/removal of
"reload" headers is the same as currently used for reload-into-ims
option support. This patch is not modifying that code/logic, just adding
an If-None-Match header in addition to the IMS header that Squid already
adds.
Fix external ACL user:pass detail logging after adaptation
When a request is successfully adapted, the external ACL username and
password are now inherited with this patch. This means the
LFT_USER_NAME log token can display the username from an external ACL
if available, for adapted requests.
The HttpRequest will inherit the password for good measure as well -
while none too useful, it seems strange to inherit the username but
not the password.
We can do better than just producing errors about invalid port details
and treating it as port-0.
We can instead undo the port separation and pass it through as part of
the host name to be verified with the default port number properly
assumed.
Protect against buffer overrun in DNS query generation
see SQUID-2013:2.
This bug has been present as long as the internal DNS component however
most code reaching this point is passing through URL validation first.
With Squid-3.2 Host header verification using DNS directly we may have
problems.
- The SSL_CTX_new in newer openSSL releases requires a const
'SSL_METHOD *' argument and in older releases requires non const
'SSL_METHD *' argument. Currently we are trying to identify openSSL
version using the OPENSSL_VERSION_NUMBER macro define but we are failing
to correctly identify all cases.
- sk_OPENSSL_PSTRING_value is buggy in early openSSL-1.0.0? releases
causing compile errors to squid.
Amos Jeffries [Sun, 30 Jun 2013 08:45:09 +0000 (02:45 -0600)]
Bug 3762: remove bogus WARNING in cache.log
The warning is bogus for several reasons:
* it appears with memory-only cache configurations
* it only checks the size of first SwapDir (as seen in bug 3762)
* very large memory spaces are now possible which may make disk appear
small by comparison.
Its usefulness in detecting memory and disk misconfigurations has long
been almosy nil. Removing this entirey to resolve the bogus noise in
the above mentioned legitimate configurations.
Alexis Robert [Sat, 29 Jun 2013 08:23:49 +0000 (02:23 -0600)]
Fix Ip::Address::operator =(sockaddr_storage)
The memcpy() for AF_INET6 is using a length of sizeof(sockaddr_in) instead
of sizeof(sockaddr_in6), so squid was trying to connect to truncatured IPv6
addresses with strange ports.
Alex Rousskov [Sat, 29 Jun 2013 08:20:01 +0000 (02:20 -0600)]
Make sure %<tt includes all [failed] connection attempts.
The old code was using zero n_tries to detect the first connection
attempt,
but n_tries is not incremented when we are opening a new connection
rather
than reusing an old one. Perhaps n_tries should be updated differently
as
well, but this change simply makes %<tt (hier.total_response_time)
management
independent from that [complex] counter.
Alex Rousskov [Wed, 5 Jun 2013 13:00:09 +0000 (07:00 -0600)]
Bug 3717: assertion failed with dstdom_regex with IP based URL
A combination of ACL negation and async lookup leads to
Checklist.cc:287:"!needsAsync && !matchFinished" assertions.
The lower-level ACL code says "not a match because I need an async lookup" but
the negation-handling code in ACL::matches() ignores the "need an async
lookup" part and converts "not a match" into a "match". This patch prevents
that conversion, while allowing Checklist code to decide what to do with
an async lookup (depending on whether the directive being checked supports
slow ACLs).
Note that this change prevents admins from negating async lookups in
directives that do not support them: both "!foo" and "foo" will probably not
match in those directives if ACL foo needs an async lookup.
Amos Jeffries [Tue, 4 Jun 2013 06:58:07 +0000 (00:58 -0600)]
Fix incorrect external_acl_type codes
Documentation describes %USER_CA_CERT_* codes for outputing the CA cert
attributes. However the directive parser and internals were all
referencing it as %CA_CERT_*.
This updates the internals to match documentation, and adds an upgrade
notice for any installations using the old token name.
Also, Prepare external_acl_type format codes for libformat upgrade.
Add upgrade warnings for the %> and %< header codes which will change
radically in a future version when libformat is integrated.
Also, while we are at it support the other logformat codes which map 1:1
but silently for now and only on parse.
Alex Rousskov [Sun, 2 Jun 2013 16:01:18 +0000 (10:01 -0600)]
Ask for SSL key password when started with -N but without sslpassword_program.
Do not give SSL a password-asking callback if sslpassword_program is not
configured. Without a callback, OpenSSL itself asks for the password (which
works if Squid runs in foreground because of -N).
The fix applies to Ssl::readCertChainAndPrivateKeyFromFiles() context only.
This is not the only place where we read private keys. Some other places are
working correctly, but others may need more work. Also,
Ssl::readCertChainAndPrivateKeyFromFiles() may not really work if
sslpassword_program _is_ configured because "user data" pointer will be nil.
Ming Fu [Thu, 23 May 2013 02:26:18 +0000 (20:26 -0600)]
Bug 1991: kqueue causes SSL to hang
Compare the code in normal select and epoll v.s. kqueue. The select use a 0
wait time to get out of select wait in order to handle a list of read_pendings.
However, epoll add the read_pending to read and write event monitor. At a first
look, this seems strange as why read pending has anything to do with write. It
became obvious when the write ready event is triggered. During a write ready
event, if read_pending is on, the read callback is called before the write
callback. As the write buffer is unlikely to be full for an extended period, a
write callback is guaranteed in the immediate future for the read_pending
socket by waiting on write.
The patch follows that same logic as epoll and applies it on kqueue.
Bug 3744: squid terminated: FATAL: Bungled (null) line 3: sslproxy_cert_sign signTrusted all
This bug is a Makefile dependencies problem.
- The cf_gen includes the cf_gen_defines.cci so this file should included in
cf_gen dependencies.
- Currently the cf_gen_defines.cci exist in cf_gen.$(OBJEXT) dependencies but
does not have any effect because the obj file never build and used.
- Also the cf_gen_defines.cci file depends on autoconf.h so this file should
added to to cf_gen_defines.cc dependencies.
All of the sources has the autoconf.h file in their dependencies.
But the cf_gen_defines.cci is auto-generated and does not exist when the
dependencies computed.
Bug 3759: OpenSSL compilation error on stock Fedora17, RHEL, CentOS 6 systems
OpenSSL-1.0.x has changes in TXT_DB interface over the earlier openSSL releases.
Also looks that the IMPLEMENT_LHASH_* macros are not correctly implemented and
causes compile failures.
Some of the linux distributions to overcome the above problems trying to patch
openSSL SDK. For squid this is means that the current checks based on openSSL
version can not work.
This patch try to detect at configure time:
- if the TXT_DB uses the new implementation investigated in openSSL-1.0.x
releases
- If the IMPLEMENT_LHASH_* openSSL macros are correctly implemented.
Then uses the autoconf defines to implement the correct workarounds for used
openSSL SDK.
This patch try to avoid using the SSL_get_certificate function. While configures
squid run tests:
- to examine if the workaround code can be used
- to detect buggy SSL_get_certificate
Inside Ssl::verifySslCertificate try to use workarround code and if this is not
possible uses the SSL_get_certificate if it is not buggy, else hit an assertion
Amos Jeffries [Sun, 19 May 2013 02:43:38 +0000 (20:43 -0600)]
Log an ERROR instead of halting on unknown cache_dir types
Squid-3 can run fine without any configured cache_dir. This assists with
upgrade from older Squid-2 where COSS or NULL cache types may be present.
It also assists with backward compatibility for any future cache types
which may be added in future.
Silamael [Sun, 19 May 2013 02:38:40 +0000 (20:38 -0600)]
Bug 2648: Add missing piece omitted from rev.9677
rev.9677 created forward_max_tries directive but omitted one of the
checks. This adds that check and allows forward_max_tries to be set
to values greater than 10.
Amos Jeffries [Sun, 19 May 2013 02:35:36 +0000 (20:35 -0600)]
Remove origin_tries limiter on forwarding
This limit seems to have been set to prevent large amount of looping when
DIRECT attempts fail under the old model of constant DNS lookups and
retries.
However it is hard-coded and has no configuration knob visible. Under
the curent model of all destinations being enumerated once and tried
sequentially this protection would seem to be no longer necessary and
somewhat harmful as it will be preventing retries reaching destinations
with more than 2 unreachable IPs (think 3 IPv6 and an IPv4 on IPv4-only
network).
Alex Rousskov [Sun, 19 May 2013 02:34:11 +0000 (20:34 -0600)]
Fixed leaking configurable SSL error details.
Trunk r11496 "Configurable SSL error details messages" correctly disabled
collection of HTTP statistics for non-HTTP header fields, such as configurable
SSL error details. However, it also incorrectly disabled deletion of those
non-HTTP header fields.
Configurable SSL error details are only created during [re]configuration time,
so the leak went unnoticed since 2011-06-17, but the same bug caused a major
runtime annotation leak later (r12413) until the new annotation code was
redesigned to avoid using HttpHeader (r12779).
Alex Rousskov [Sun, 19 May 2013 02:32:10 +0000 (20:32 -0600)]
Avoid !closing assertions when helpers call comm_read [during reconfigure].
While helper reading code does check for COMM_ERR_CLOSING, it is not sufficient
because helperReturnBuffer() called by the reading code may notice the helper
shutdown flag (set earlier by reconfigure) and start closing the connection
underneath the reading code feet.
projects / thirdparty / squid.git / log
