Amos Jeffries [Wed, 3 Oct 2012 00:44:13 +0000 (12:44 +1200)]
Fix website config display of default settings
The website page cfgman builder script was omitted when adding the
DEFAULT_DOC parameter and making DEFAULT / DEFAULT_IF_NONE support
multi-line values.
Amos Jeffries [Tue, 2 Oct 2012 02:18:50 +0000 (14:18 +1200)]
Bug 3130: helpers are crashing too rapidly
As discussed quite many months ago. This reduces the FATAL when helpers
crash/exit to a critical level ERROR have responded with useful reply to
at least one lookup.
The result is that Squid can now cope with helpers written in languages
which cannot loop infinitely. For example; PHP helpers often exit after
a timeout, broken scripts written to respond and exit immediately,
and helpers which encounter some permissions error and respond only with
"ERR" or "BH" results before aborting.
Amos Jeffries [Tue, 2 Oct 2012 01:55:36 +0000 (13:55 +1200)]
Polish: de-duplicate helper statistics objects
* Combine the stats structure on per-helper server classes. For more
consistent statistic gathering.
* Add initStats() method to initialize statistics variables correctly.
Previously only done for some counters on stateless helper objects.
* Add missing accounting of pending lookups in stateful helper code.
* Add counter for replies received from the helper.
* Add reporting of replies received back from each helper.
There are no logic or decision making logics affected by these changes.
The new increment/decrement and stats are purely affecting statistical
report outputs.
FUTURE TODO:
* replace the 'busy' flag on stateful helpers with pending>0 check
as used by stateless helpers to indicate queue count.
Amos Jeffries [Mon, 1 Oct 2012 22:47:10 +0000 (10:47 +1200)]
Cleanup: remove a wrong TODO
Squid may need to use the hop-by-hop response headers. This is too early
to be removing them. the right place is in client-side before delivering
to the client. Squid already contains code to do it there.
Fixes one minor memory leak when IPv6 is disabled and parsing an IPv6
address. For example the default localhost ACL ::1 value.
Caught by Valgrind:
==26647== 384 bytes in 4 blocks are definitely lost in loss record 1,132 of 1,726
==26647== at 0x4C25A28: calloc (vg_replace_malloc.c:467)
==26647== by 0x65B441: xcalloc (xalloc.cc:75)
==26647== by 0x657B99: MemPoolMalloc::allocate() (MemPoolMalloc.cc:62)
==26647== by 0x5A95B1: acl_ip_data::FactoryParse(char const*) (Ip.h:66)
==26647== by 0x5AA8BD: ACLIP::parse() (Ip.cc:523)
==26647== by 0x5E0A80: ACL::ParseAclLine(ConfigParser&, ACL**) (Acl.cc:174)
==26647== by 0x4B0C0F: parse_line(char*) (cache_cf.cc:1252)
==26647== by 0x4B2076: parseOneConfigFile(char const*, unsigned int) (cache_cf.cc:518)
==26647== by 0x4B29D0: parseConfigFile(char const*) (cache_cf.cc:558)
==26647== by 0x546B81: SquidMain(int, char**) (main.cc:1372)
==26647== by 0x547445: main (main.cc:1215)
Regression fix: Handle dstdomain duplicates and overlapping names better
Since 3.2 changes to dstdomain overlap detection teh case of duplicate
wildcards has become a fatal error needlessly.
This silently ignores all exact duplicates, even if they are wildcards.
Also, adjust the message display to always display the longer of the
domains first. Since we are dealing with sub-domains it is the most
reliable indicator of which should be removed to safely fix the detected
issue.
Complete the task of splitting protos.h into more specific files
Remove inclusion of protos.h from most files
Clean CVS and arch file-tags up
Rework some module initialization code so that it is the callee's task and not the callers' to do feature-enabling
Added ssl-crtd option to the maximus build test
Changed many functions' linkage type from C to C++
Alex Rousskov [Mon, 10 Sep 2012 23:07:01 +0000 (17:07 -0600)]
Do not reuse persistent connections for PUTs to avoid ERR_ZERO_SIZE_OBJECT.
A compliant proxy may retry PUTs, but Squid lacks the [rather complicated]
code required to protect the PUT request body from being nibbled during the
first try or [also tricky] code to send 100-continue expectation requiredto
delay body sending. Thus, Squid cannot safely retry some PUTs today, and
FwdState::checkRetriable() must return false for all PUTs, to avoid
bogus ERR_ZERO_SIZE_OBJECT errors (especially for clients that did not
reuse a pconn and, hence, may not be ready to handle/retry an error response).
In theory, requests with safe or idempotent methods other than PUT might have
bodies so we apply the same logic to them as well.
This reopens Squid bug #3398, undoing trunk r11859 commit which attempted
to close that bug.
Alex Rousskov [Mon, 10 Sep 2012 22:38:09 +0000 (16:38 -0600)]
Do not chunk responses carrying a Content-Range header.
When Squid forwards a response with a Content-Range header,
ClientSocketContext::socketState() detects the end of the response range(s)
and returns STREAM_*COMPLETE to ClientSocketContext::writeComplete().
The latter thinks that the writing of the response to the client must be
over and calls keepaliveNextRequest() instead of writing the last-chunk
(if any). If the to-client response was chunked, the client gets stuck
waiting for that missing last-chunk.
The multipart Range request case was already excluded from chunking (or it
would probably suffer from the same problem). With this change, no
Content-Range responses will be chunked.
N.B. Some servers send Content-Range responses to basic GET requests
without a Range header, so the problem affects more than just Range requests.
TODO: A proper fix would be to rewrite ClientSocketContext::writeComplete()
and other code so that it does not mix internal ClientStream completion with
[possibly chunk-encoded] writing completion. This should probably be done
along with fixing ClientSocketContext::socketState() and other state-checking
code to ignore to-client persistence (flags.proxy_keepalive), which is not
related to the internal ClientStream state.
Bug fix: TLS/SSL Options does not apply to the dynamically generated certificates
The TLS/SSL options configured with http_port configuration parameter does not
used to generate SSL_CTX context objects used to establish SSL connections.
This is means that certificate based authentication, or SSL version selection
and other SSL/TLS http_port options does not work for ssl-bumped connection.
This patch fixes this problem.
Amos Jeffries [Thu, 30 Aug 2012 14:32:41 +0000 (08:32 -0600)]
Bug 3626: Forwarding loops on intercepted traffic
Changes to interception handling in 3.2 series (namely the preference
for using ORIGINAL_DST) have increased the chances that misconfigured
network systems involving Squid will hit forwarding loops.
Two instances are currently known:
* passing forward-proxy traffic to a interception port.
* NAT performed on a separate box.
This enacts an old TODO by removing the loop detection bypass for
intercepted traffic and accelerated traffic. Now we always check for
loops regardless of how the request was received.
NOTE: accel mode was only included due to the TODO.
If problems are found there it can be re-instated.
Dmitry Kurochkin [Thu, 30 Aug 2012 12:46:47 +0000 (06:46 -0600)]
Make CpuAffinitySet::applied() method non-const.
According to CPU_SET(3) and, apparently, on some systems (e.g.,
OpenSuSE 10.3) CPU_COUNT macro expects a non-const argument. The
patch fixes build error on these systems.
Retrieve client connection information for ACL checks from the related HttpRequest object
This patch enable SSL client certificate ACL checks (user_cert and ca_cert)
in all cases the client connection information can retrieved from the related
HttpRequest object, eg when making peering decisions (peer_cache_access ACL).
Discussed under the "Supply client connection and IDENT information to
peer_cache_access ACL check" thread on squid-dev.
Amos Jeffries [Wed, 29 Aug 2012 05:23:15 +0000 (23:23 -0600)]
Regression: login=PASS send no credentials when none available.
login=PASS should act like PASSTHRU, sending no credentials header, when
no client supplied OR external ACL credentials are available.
3.2 has been found wrongly adding the username "PASS" in this case.
Bug 3613: relax standard-compliance strctness on clang to enable build
When clang is invoked with the -std=c++0x option, it won't make available some system functions
defined in c99. For some reason configure fails to detect this, and so the built-in implementation is
not invoked. This change prevents enabling the -std=c++0x option for clang.
Prep work for automatic sorting of include directives.
Automatic sorting of include files reveals some indirect inclusions, which would break the build.
scripts/sort-includes.pl is the tool to do the automatic header include order sorting.
The other changes in this set fix the issues which that be introduced by running the sorting.
projects / thirdparty / squid.git / log
