Add adapted_http_access option. Port of http_access2 from Squid-2
authorAmos Jeffries <squid3@treenet.co.nz>
Fri, 12 Feb 2010 12:29:17 +0000 (01:29 +1300)
committerAmos Jeffries <squid3@treenet.co.nz>
Fri, 12 Feb 2010 12:29:17 +0000 (01:29 +1300)
doc/release-notes/release-3.1.sgml
src/ClientRequestContext.h
src/cf.data.depend
src/cf.data.pre
src/client_side_request.cc
src/structs.h

index 1e0dab420bb48d487234a7c3bfc94853da3a816f..11d9b82e84b822c5f75a509758ef53ecc8cb3548 100644 (file)
@@ -475,6 +475,10 @@ This section gives a thorough account of those changes in three categories:
        matters.
        </verb>
 
+       <tag>adapted_http_access</tag>
+       <p>New name for <em>http_access2</em>. This form includes access control
+       of ICAP and eCAP adaptations as well as the URL-rewriter alterations.
+
        <tag>chunked_request_body_max_size</tag>
        <p>New option to enable handing of broken HTTP/1.1 clients sending chunk requests.
        <verb>
@@ -1437,6 +1441,9 @@ This section gives an account of those changes in three categories:
        <tag>header_access</tag>
        <p>Replaced by <em>request_header_access</em> and <em>reply_header_access</em>
 
+       <tag>http_access2</tag>
+       <p>Replaced by <em>adapted_http_access</em>
+
        <tag>http_port</tag>
        <p><em>no-connection-auth</em> replaced by <em>connection-auth=[on|off]</em>. Default is ON.
        <p><em>transparent</em> option replaced by <em>intercept</em>
@@ -1589,9 +1596,6 @@ This section gives an account of those changes in three categories:
        <tag>external_refresh_check</tag>
        <p>Not yet ported from 2.7
 
-       <tag>http_access2</tag>
-       <p>Not yet ported from 2.6
-
        <tag>http_port</tag>
        <p><em>act-as-origin</em> not yet ported from 2.7
        <p><em>http11</em> not yet ported from 2.7
index 430ac8319df25d83be9f1b56356b786828944185..0b4dad40a19d26e888474ffec88e4a128e5f3799 100644 (file)
@@ -26,6 +26,7 @@ public:
 
     bool httpStateIsValid();
     void clientAccessCheck();
+    void clientAccessCheck2();
     void clientAccessCheckDone(int answer);
     void clientRedirectStart();
     void clientRedirectDone(char *result);
@@ -42,11 +43,10 @@ public:
     int redirect_state;
 
     bool http_access_done;
+    bool adapted_http_access_done;
 #if USE_ADAPTATION
-
     bool adaptation_acl_check_done;
 #endif
-
     bool redirect_done;
     bool no_cache_done;
     bool interpreted_req_hdrs;
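Review bot: Nothing visible in this commit initialises the new `adapted_http_access_done` flag, yet doCallouts() in client_side_request.cc reads it with `if (!calloutContext->adapted_http_access_done)` to decide whether the adapted_http_access check runs at all. The ClientRequestContext constructor is outside every hunk shown, so this may already be covered there or by zeroed allocation. If the flag ever starts out non-zero, the second access check is skipped and the adapted request proceeds unchecked. Setting it explicitly in the constructor, `adapted_http_access_done = false;`, makes the starting state independent of the allocator.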
index 54b54ae8d53daa293c4b2c8aead5afc0c2c5234f..29dfb3b716ec30e1a9e4a70862ed34cd8dfbd86b 100644 (file)
@@ -21,7 +21,7 @@ eol
 externalAclHelper      auth_param
 hostdomain             cache_peer
 hostdomaintype         cache_peer
-http_header_access
+http_header_access     acl
 http_header_replace
 http_port_list
 https_port_list
index 2b28fb76c703b32990a77ef0ff80dc0f7c1df94a..5895af2f5433ea4163daa1b6dd22013839ea860c 100644 (file)
@@ -872,6 +872,20 @@ http_access deny all
 NOCOMMENT_END
 DOC_END
 
+NAME: adapted_http_access http_access2
+TYPE: acl_access
+LOC: Config.accessList.adapted_http
+DEFAULT: none
+DOC_START
+       Allowing or Denying access based on defined access lists
+
+       Essentially identical to http_access, but runs after redirectors
+       and ICAP/eCAP adaptation. Allowing access control based on their
+       output.
+
+       If not set then only http_access is used.
+DOC_END
+
 NAME: http_reply_access
 TYPE: acl_access
 LOC: Config.accessList.reply
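Review bot: The DOC text for adapted_http_access does not say how this list combines with http_access, and an administrator reading "Essentially identical to http_access" could take it as a replacement for it. Going by the code comment this commit adds in client_side_request.cc, the check is meant only as a later denial on the adapted request, so I would add a line such as `This check can only deny requests that http_access has already allowed; keep the baseline policy in http_access.` and turn the fragment "Allowing access control based on their output." into a full sentence. The NAME line also lists http_access2, which appears to be an alias kept for Squid-2 configurations; the DOC text should say so.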
index afe80fe0d722e4ea6873bf54ed7d4c6f9dd5a171..c65627a2790110f9f4005abc74926df4179814b5 100644 (file)
@@ -527,6 +527,23 @@ ClientRequestContext::clientAccessCheck()
     }
 }
 
+/**
+ * Identical in operation to clientAccessCheck() but performed later using different configured ACL list.
+ * The default here is to allow all. Since the earlier http_access should do a default deny all.
+ * This check is just for a last-minute denial based on adapted request headers.
+ */
+void
+ClientRequestContext::clientAccessCheck2()
+{
+    if (Config.accessList.adapted_http) {
+        acl_checklist = clientAclChecklistCreate(Config.accessList.adapted_http, http);
+        acl_checklist->nonBlockingCheck(clientAccessCheckDoneWrapper, this);
+    } else {
+        debugs(85, 2, HERE << "No adapted_http_access configuration.");
+        clientAccessCheckDone(ACCESS_ALLOWED);
+    }
+}
+
 void
 clientAccessCheckDoneWrapper(int answer, void *data)
 {
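Review bot: The doc comment on clientAccessCheck2() says the default is to allow all, but the code only does that in the `else` branch, when `Config.accessList.adapted_http` is not configured. When the list is configured, the outcome for a request that matches no rule is decided by the ACL engine rather than by this function, and the comment should say so to avoid being read as allow-on-no-match. Suggested wording: `If adapted_http_access is not configured the request is allowed without a check; otherwise the configured list decides, as for http_access.` The result is delivered to the same clientAccessCheckDoneWrapper as the first pass, whose body is outside this hunk, so it is worth confirming that its denial handling and logging still make sense for a second call on the same request.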
@@ -1276,6 +1293,13 @@ ClientHttpRequest::doCallouts()
         }
     }
 
+    if (!calloutContext->adapted_http_access_done) {
+        debugs(83, 3, HERE << "Doing calloutContext->clientAccessCheck2()");
+        calloutContext->adapted_http_access_done = true;
+        calloutContext->clientAccessCheck2();
+        return;
+    }
+
     if (!calloutContext->interpreted_req_hdrs) {
         debugs(83, 3, HERE << "Doing clientInterpretRequestHeaders()");
         calloutContext->interpreted_req_hdrs = 1;
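Review bot: The new step in doCallouts() has no comment tying it to its position, and the option only does its job if it runs after the redirector and ICAP/eCAP steps, as cf.data.pre documents. Those steps are outside this hunk, so the order cannot be confirmed from here. A comment such as `// must stay after adaptation and redirection: this check evaluates the rewritten request` would stop a later reordering from quietly turning it into a second check of the original request. The flag is also set to true before the asynchronous check starts, which relies on the completion callback re-entering doCallouts(); that path is likewise outside the hunk.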
index 45476904ead7ddf65d94a0918c15a31df9998161..56cf55659edd53d3339739df27b10c78695c57cf 100644 (file)
@@ -454,6 +454,7 @@ struct SquidConfig {
 
     struct {
         acl_access *http;
+        acl_access *adapted_http;
         acl_access *icp;
         acl_access *miss;
         acl_access *NeverDirect;