Jakob Bohm [Wed, 25 Dec 2013 21:36:07 +0000 (14:36 -0700)]
Bug 3985: 60s limit introduced by balance_on_multiple_ip breaks bad IP recovery
Alternative fix if necessary would be to calculate a dynamic timeout
value based on number and timeouts for connections and forwarding.
However, as noted in the bug report the address markings are reset every
TTL when the stored RR are replaced. This meets the criteria for
periodic
retries of marked-BAD IPs. Also if all IPs are marked BAD they all get
un-marked and retried. So for now just remove the TTL hack.
Amos Jeffries [Wed, 25 Dec 2013 21:35:15 +0000 (14:35 -0700)]
Fix \-unescaping in quoted strings from helpers
strwordtok() was unescaping '\' values in unquoted tokens. This causes
problems with NTLM helper response user\DOMAIN values which are sent as
a un-quoted un-escaped value.
Restrict un-escaping of '\' to only occur when inside "quoted" words.
Amos Jeffries [Wed, 25 Dec 2013 21:34:33 +0000 (14:34 -0700)]
WCCPv2: fix assertion 'Cannot convert non-IPv4 to IPv4' on FreeBSD
FreeBSD does not set the from-address on recv() if there was an error
reading the packet. This can result in Ip::Address assertion if the
error is not checked for before the IP address is mapped into Squid
internal format.
Bug 3980: FATAL ERROR due to max_user_ip -s option
NP: unit test for -s option temporarily removed and replaced with manual
testing due to 3.4 series parser flags handlign being done at the ACL
module level instead of ACl test.
Amos Jeffries [Thu, 19 Dec 2013 07:55:03 +0000 (00:55 -0700)]
Fix linker errors "relocation R_X86_64_32 against .rodata"
... "can not be used when making a shared object; recompile with -fPIC"
Caused by some libraries built without libtool in certain environments.
NP: there are other libraries in Squid built without libtool but they
appear not to be having these linker issues at this time.
Also, fixes "undefined symbol eui64_aton" uncovered by these changes.
Amos Jeffries [Sun, 15 Dec 2013 05:33:33 +0000 (22:33 -0700)]
Regression in URL helper API
The backward compatibility logics in redirect.cc are not working as
intended on redirection URLs due to the presence of '=' in the URL and
how the key=value name parsing is performed.
A typical redirection URL looks like:
http://example.com/?url=http://www.example.net/
and 3.4 has a parser that splits tokens at '=' unconditionally and then
passes the bits as a key and value to the redirector logics which
complains that it does not understand the answer of the URL redirector.
Or treats is an an unknown key=value with no redirection URL.
Either case is handled as a no-redirection result from the helper.
This limits the key names to alphanumeric, hyphen and underscore
characters. Valid URL responses contain characters outside this set and
should no longer be interpreted as keys regardless of the '=' character.
Alex Rousskov [Fri, 6 Dec 2013 12:18:19 +0000 (05:18 -0700)]
Destroy ACLs in the reverse order of creation to avoid destruction segfaults
during reconfiguration.
Group ACLs created later may use other ACLs created earlier. A group ACL must
be deleted first so that its AclDeleter can safely access registration status
(and avoid double deletion) of the ACLs it uses. Since ACLs are remembered (in
Config.aclList) using a singly-linked list, it is difficult to change their
deletion order. Instead, we change their listing order from FIFO to LIFO.
Amos Jeffries [Fri, 6 Dec 2013 12:15:11 +0000 (05:15 -0700)]
Portability: std::string:npos is not always appropriate for String::npos
On some systems such as Windows MinGW the signed/unsigned property of
std::string::npos does not match up with the Squdi String class size_type
signed/unsigned property. Resulting in compiler signed vs unsigned
mismatch errors when compiling.
Nathan Hoad [Sat, 30 Nov 2013 09:16:25 +0000 (02:16 -0700)]
Bug 3972: Segfault when getting the deny info page ID after a reconfigure
Older ACL code was using a stale AclMatchedName value. More recent code resets
the AclMatchedName global to NULL to avoid leaking the stale value, but that
may crash strcmp() in aclGetDenyInfoPage(). Long-term, the global should be
removed, of course.
Amos Jeffries [Fri, 29 Nov 2013 10:55:53 +0000 (03:55 -0700)]
Receive annotations from authentication and external ACL helpers
This saves the kv-pair from authentication and ACL helper responses as
annotations on the HttpRequest and pass on from there to logging.
Added a method appendNewOnly() to ensure duplicate-free addition
to a NotePairs list.
Also, fixes a bug in hasPair() accessor which was returning true
if either the key OR the value matched.
ie. hasPair("a","1") would match true for notes "a=2 b=1"
Alex Rousskov [Tue, 19 Nov 2013 22:51:46 +0000 (15:51 -0700)]
Re-compute Range response content offset after an FTP response was adapted.
Moved HTTP-only offset calculation code to the general ServerStateData code so
that [converted-to-HTTP] FTP responses can use it. FTP code computes the range
offset on its own earlier, but we must REcalculate in case the response is
adapted into a response with a different (or no) content range.
aclocal on Windows cannot handle line-wrapping \ characters and leaves
them present in the output m4 code. in side AC_CONFIG_FILES macro this
results in a mystery file '\\r' being 'registered'.
The list of Makefiles does not even need ths line-wrap indicator as
demonstrated by the tools/Makefile missing its one for some time without
problems.
Amos Jeffries [Tue, 19 Nov 2013 22:45:02 +0000 (15:45 -0700)]
Make HTTP header parser obey relaxed_header_parser
Some unimportant warnings were not obeying the directives silent/loud
setting values.
This abstracts the condition to simplify code and make all the
non-critical warnings depend on the directive for their display level.
Alex Rousskov [Sun, 10 Nov 2013 23:01:35 +0000 (16:01 -0700)]
Replace blocking sleep(3) and close UDS socket on failures.
The two addressed XXX were not causing any known serious bugs on their own,
but the blocking sleep was ugly and possibly in the way of further
kid registration fixes/improvements.
Squid fails parsing error-details.txt template when one or more listed
OpenSSL errors are not supported on running platform.
This patch add a hardcoded list of OpenSSL errors wich can be optional.
Coordinator should not send SNMP client FD to strands when broadcasting SNMP
requests. Strands do not need the descriptor and were forgetting to close it,
causing one FD leak on every SNMP query in SMP mode.
Enhance Ipc::TypedMsgHdr to be able to tell whether the message has a FD.
Alex Rousskov [Fri, 1 Nov 2013 01:25:17 +0000 (19:25 -0600)]
Avoid "hot idle": A series of rapid select() calls with zero timeout.
Squid uses "infinite" precision when it comes to deciding whether the next
timed event is ready but uses millisecond (1e-3) precision when deciding how
long to wait before the next event will be ready. This inconsistency results
in the EventScheduler engine telling the main loop that it has 0 milliseconds
to poll pending I/O, but when asked again (after the I/O is quickly polled),
the EventScheduler engine often does not schedule the promised event and tells
the main loop to poll for another 0 milliseconds again. This cycling may
happen many times in a row (until enough time is wasted for the next event to
become ready using higher precision).
The fixed code adds a minimum 1ms delay for not-yet-ready events. It also
places both decisions into one method (EventScheduler::timeRemaining), and
tries to polish/document decision logic (which is more complex than it may
seem) because the code has to avoid both inconsistent decisions and hot idle
loops while maintaining the traditional "no event is fired before it is due"
guarantee.
TODO: Idle Squid still runs hotter than it should because the maximum waiting
time is artificially capped outside the event queue to EVENT_LOOP_TIMEOUT=1s.
This causes at most one extra loop iteration per second.
Amos Jeffries [Wed, 23 Oct 2013 05:11:22 +0000 (23:11 -0600)]
Add cache_miss_revalidate
Port of 2.7 ignore_ims_on_miss directive by Henrik Nordstrom.
This on/off switch enables Squid to convert conditional requests from
clients to non-conditional fetches that can fill the cache faster under
cold-start conditions.
Alex Rousskov [Wed, 23 Oct 2013 05:10:17 +0000 (23:10 -0600)]
Bug 3480: StoreEntry::kickProducer() segfaults in store_client::copy()
context
Short-term fix: Lock StoreEntry object so that it is not freed by
storeClientCopy2() callbacks. Also lock StoreEntry in storeUnregister()
context because an aborting entry may be deleted there unless it is
double-locked.
See bug 3480 comment #27 for detailed call stack analysis. Additional
cases
include rejected copied HIT due to Var mismatch and hits blocked by
reply_from_cache directive (under development; see bug 3937).
Long-term, we need to make store copying asynchronous and revise
StoreEntry
locking approach.
Amos Jeffries [Sun, 13 Oct 2013 13:41:55 +0000 (07:41 -0600)]
Fix CBDATA_CLASS2 macro definition
CBDATA_UNKNOWN was being used in place of a void no-op statement.
This was incorrect and useless. Now that the value definition is fixed
it is being picked up by the stricter compilers.
Replace the trinary conditional with an if-statement.
Amos Jeffries [Thu, 3 Oct 2013 11:12:31 +0000 (05:12 -0600)]
Add --disable-arch-native build option
The -march-native option is required by Clang 3.2 on some CPU
and produces better optimization in binaries by GCC.
But building inside a virtual machine environment has been found to
cause random Illegal Instruction errors due to mis-detection of CPU.
This option is added to permit selective disabling of teh preferred
default (which is to use the compiler flag when available).
Amos Jeffries [Thu, 3 Oct 2013 11:10:43 +0000 (05:10 -0600)]
Fix various header build issues in librfcnb
Highlighted when the #include sorting was applied to lib/rfcnb/ files
several of the headers were using order-dependent definitions and were
not wrapped with sfety macros.
Amos Jeffries [Thu, 3 Oct 2013 11:02:34 +0000 (05:02 -0600)]
Portability: cleanup includes for sys/time.h and sys/resource.h
These two include files are order-dependent on several operating systems
and as such are provided by Squid libcompat headers. There is no need for
code to include them specially and several HAVE_SYS_TIME_H macros were
missing which breaks the build on systems where the file is missing.
Markus Moeller [Thu, 3 Oct 2013 10:47:40 +0000 (04:47 -0600)]
negotiate_kerberos_auth: upgrade to present group= keys
Use the new kv-pair protocol extensions for emitting group details
directly at the time of authentication. group=X key-value pair is
used to emit the Kerberos SIDS values presented by MS Active
Directory environments.
Also, update the Hiemdal library support for recent library versions.
Also, polish the Kerberos and LDAP Group related code to avoid memory
leaks and improve C++ coding style.
Amos Jeffries [Thu, 3 Oct 2013 10:38:31 +0000 (04:38 -0600)]
Use IPv6 localhost nameserver on DNS configuration errors
When DNS configuration fails to locate a set of nameservers "localhost"
is used as the default but has previously only been setting 127.0.0.1
IPv4 address for localhost. This enables the failover to work as
designed
on IPv6-only networks.
Alex Rousskov [Sat, 28 Sep 2013 15:38:33 +0000 (09:38 -0600)]
Regression Bug 3891: squid.conf parser errors in 3.4.0.1
Alternative implementation for configuration_includes_quoted_values and
quoted string support in squid.conf that avoids the extensions attempted
in 3.4.0.1 leading to parse errors from overly strict parsing of all
directives parameters.
Documentation updated by Amos Jeffries, Treehouse Networks Ltd.
This feature has turned out to be more buggy than previously thought.
After a very log series of discussions the upgrade has been re-thought
and will not include this code in 3.4 series.
Windows: locate CMSG definitions in Winsock2.h when present
Windows defines the CMSG macros in Winsock2.h sometimes. This allows the
definitions there to be used when present and avoids compiler errors
about double definitions.
Bug 3849: Duplicate certificate sent when using https_port
The certificate file given with the "cert=" option it may contain a list of
certificates to be chained to the SSL client, for example intermediate
certificates.
The bug caused because in the certificates chain we are storing also the
certificate of the port. This is works well for SSL-bump because squid
generates a certificate which uses the port certificate as CA certificate.
But in the case of https_port without bumping the port certificate is sent
twice, one as SSL server certificate and one as chained certificate.
This patch try to chain port certificate only when the sslbump is used.
The port name from http_port/https_port was not being propigated to
adapted reqeusts after ICAP/eCAP. Which makes the myportname ACL and
logging of portname not work on adapted requests.
Windows: fix collision between POSIX wrappers and DiskIO class methods
The POSIX function shutdown() is #define'd on Windows. This causes
compiler issues with the DiskIO method of same name. Rename the method
to gracefulShutdown() instead.
Also, Bug 3189 was incomplete and missed a change to DiskThreads
Windows initialization method.
Alex Rousskov [Mon, 9 Sep 2013 01:31:30 +0000 (19:31 -0600)]
Close idle client connections associated with closed idle pinned connections.
Squid was not monitoring idle persistent connections pinned to servers. Squid
would discover that the pinned server connection is closed only after
receiving a new request on the idle client connection and trying to write that
request to the server. In such cases, Squid propagates the pinned connection
closure to the client (as it should).
Chrome and, to a lesser extent, Firefox handle such races by opening a new
connection and resending the failed [idempotent] request transparently to the
user. However, IE usually displays an error page to the user.
While some pconn races cannot be avoided, without monitoring idle pconns,
Squid virtually guaranteed such a race in environments where origin server
idle connection timeout is smaller than client/Squid timeouts and users
are revisiting pages in the window between those two timeouts.
Squid now monitors idle pinned connections similar to idle connections in the
pconn pool and closes the corresponding idle client connection to keep the two
sides in sync (to the extent possible).
It is theoretically possible that this change will break servers that send
whitespace on an idle persistent connection or perhaps send some SSL keepalive
traffic. No such cases are known to exist though.
Jan Sievers [Mon, 9 Sep 2013 01:25:12 +0000 (19:25 -0600)]
Regression Bug 3077: off-by-one error in Digest header decoding
This is a regression in the 3.2 and later version of the original bug
fix patch.
The effect is that all attributes are treated as quoted-string values
with unescaping performed. This ends with credentials wrongly being
rejected as invalid.
Amos Jeffries [Thu, 8 Aug 2013 06:08:02 +0000 (00:08 -0600)]
Fix configure parsing IP/domain directives
Squid would semi-silently accept invalid IP address or hostname in some
directives which required them (eg wccp_router) and use the magic
IP_ANYADDR value. This change makes configure halt with a FATAL error
instead.
Amos Jeffries [Thu, 8 Aug 2013 06:04:47 +0000 (00:04 -0600)]
Add dns_multicast_local to control mDNS operation
Enable admin control over whether mDNS operates or not. Set the default
to OFF due to .arpa reverse-DNS requests causing a rise in traffic from
this feature even on networks without mDNS responders setup.
Also, polish cachemgr idns report to show for queued queries which
resolver type and query the entry is involving. mDNS can cause a queue
to exist as some lookups timeout on the mDNS resolvers.
projects / thirdparty / squid.git / log
