Author: Francesco Chemolli <kinkie@squid-cache.org>
Improved helper configlets for wider compatibility.
* Add configlet tests for building the DB basic auth helper
* Improved detection of samba prefix for wbinfo_group and SMB
* Also check for SASL shared libraries in SASL helper
* Distribute the config.test files to enable auto-build properly
Bug 2899: Restore lost rfc1738_unescape() data type
Data type was converted to char from int during recent upgrades.
On unix systems char is unsigned making the safety checks fail on build.
This reverts the type back to a usable signed int, no logic changes.
Amos Jeffries [Tue, 23 Mar 2010 11:31:32 +0000 (00:31 +1300)]
Default pinger OFF
The pinger install is still done without the special permissions needed.
So the pinger will fail to run in most setups. Will turn this on again
in a later release when the pinger is actually installed properly by
default.
Amos Jeffries [Fri, 19 Mar 2010 10:22:14 +0000 (23:22 +1300)]
Author: Henrik Nordstrom <henrik@henriknordstrom.net>
Drop ufsdump from default builds.
As reported some weeks ago ufsdump fails to link on the upcoming Fedora
13 release due to linking issues, and as reported by Amos the same
linking issues is now also seen on Debian since somewhere between March
2 - 5.
While investigating this I found the following conclusions
- We are not actually installing ufsdump
- The dependencies between the Squid libraries are very non-obvious,
with libraries depending on plain object files and other strange things.
- The ufsdump linkage issues is somehow triggered by the libraries
including objects needing symbols from objects not included in that link
- Those failing library objects are not actually needed by ufsdump.
Linking succeeds if repeatedly removing each reported failing object
from the squid libraries.
- If the libraries were shared libraries then linking would fail on all
systems
The issue have been identified, or actually two separate issues. What is
yet unclear is what is the proper solution..
- Inline operator overloading causing indeterministic linkage,
resulting in seemingly unneeded sub modules being pulled in "at random".
Most notably this is seen with our custom new operation (which btw is
duplicated in two places: src/SquidNew.cc and include/SquidNew.h)
- The current Squid libraries have very unclear dependencies with no
clean boundaries, resulting in linking failure when the above happens..
Amos Jeffries [Wed, 10 Mar 2010 09:45:55 +0000 (22:45 +1300)]
Author: Henrik Nordstrom <henrik@henriknordstrom.net>
Various other Digest parser fixes
* Correct debug message when failing to parse digest attributes
* Correct digest stale=false in POST workaround code
* Fix new digest parser shutdown code when digest auth not configured
* Sanity check of the username.
" cannot be allowed in usernames until the digest helper protocol
has been redone
Amos Jeffries [Sat, 6 Mar 2010 03:42:04 +0000 (16:42 +1300)]
Author: Henrik Nordstrom <henrik@henriknordstrom.net>
Bug 2367: Fix stale=true on digest requests with unknown nonce
The nonce staleness check only worked if the stale nonce had not yet
been garbage collected, often resulting in incorrect stale=false
responses and resulting auth popups when using digest auth.
Note: this fix is different from how it's done in squid-2 where fixHeader
is called on all schemes in such conditions but only the active one with
and auth_user_request. Not entirely sure why that is done, but commit
message says something about Negotiate authentication.
Amos Jeffries [Fri, 12 Feb 2010 12:26:49 +0000 (01:26 +1300)]
Author: Jean-Gabriel Dick <jean-gabriel.dick@curie.fr>
Bug 1843: multicast-siblings cache_peer option for optimising multicast ICP relations
'multicast-siblings' : this option is meant to be used only for cache peers of
type "multicast". It instructs Squid that ALL members of this multicast group
have "sibling" relationship with it, not "parent". This is an optimization
that avoids useless multicast queries to a multicast group when the requested
object would be fetched only from a "parent" cache, anyway. It's useful, e.g.,
when configuring a pool of redundant Squid proxies, being members of the same
multicast group.
Amos Jeffries [Sun, 31 Jan 2010 09:42:17 +0000 (22:42 +1300)]
Author: Graham Keeling <graham@equiinet.com>
WCCPv1 not connecting to router correctly
I am coming across a problem with WCCPv1...
squid-2.5 connects to UDP port 2048, I get replies, and everything else then works.
squid-3.1 looks like it is trying to connect to UDP port 0 on the cisco.
[and fails to work]
I have looked at the src/wccp.c for squid-2.5, and it is clear that the port is
being set to 2048 for the connection to the router.
I have also looked at the source for 2.6, 2.7 and 3.0 (src/wccp.cc for this
version).
In all those, it appears to be setting the port on the outgoing connection.
Amos Jeffries [Sat, 30 Jan 2010 01:08:33 +0000 (14:08 +1300)]
Author: Christos Tsantilas <chtsanti@users.sourceforge.net>
Add the http::>ha format code and make http::>h log original request headers
This patch:
- Modify the existin "http::>h format code to log HTTP request headers
before any adaptation and redirection
- Add the new format code "http::>ha" which allow the user to log HTTP
request header or header fields after adaptation and redirection.
Amos Jeffries [Fri, 29 Jan 2010 11:32:46 +0000 (00:32 +1300)]
Author: Wolfgang Nothdurft <wolfgang@linogate.de>
Bug 2730: Regressions in follow_x_forwarded_for since Squid-2
Two Major Regressions:
* Omitted testing for trust of the directly connecting client.
this is critical is trusting the header content itself.
The absence permitted remote clients to forge X-Forwarded-For
and gain access to resources through Squid.
(mitigated by the following)
* Bad logic in implementing the trust model resulted in any XFF
headers containing untrusted IPs to be dropped in their entirety.
This resulted in clients transiting more than one proxy heirarchy to
be incorrectly logged and reported in the second.
Some polish alterations to the existing logics:
* Testing the direct client address for trust means the testing must be
fully async 'slow'. Thus avoiding the memory leaks found on occasion.
* acl_uses_indirect_client is not strictly needed to test multiple levels
of X-Forwarded-For properly. The entire list of IPs are now always
tested until an untrusted is found or an ACL failure occurs.
- Remove 'odd' netmask support from ACL.
- Fully deprecate netmask support for ACL.
Earlier fix caused inconsistent handling between IPv4 and IPv6 builds of
Squid. Which has turned out to be a bad idea.
This fixes that by 'breaking' both build alternatives.
Amos Jeffries [Wed, 13 Jan 2010 12:11:48 +0000 (01:11 +1300)]
Add client_ip_max_connections
Given some incentive after deep consideration of the slowloris claims.
While I still do not believe Squid is vulnerable per-se and some people
have tested and found no such failures as claimed for the DoS attack.
We found we could provide better administrative controls. This is one such
that has been asked about many times and still did not exist. It operates
essentially the same as maxconn ACL, but does not require HTTP headers and
other request data to fully exist like ACLs do.
It is tested immediately after accept() and is request type agnostic, right
down to DNS TCP requests. So care is warranted in hierarchy situations or where
clients may be behind NAT.
Utilizes the client DB to monitor accepted TCP links. Operates prior to
everything so as to eliminate resource usage on the blocking case and
close the windows of opportunity for dribble-attacks etc.
Default (-1) is to keep the status-quo of no limits.
Amos Jeffries [Wed, 13 Jan 2010 04:17:42 +0000 (17:17 +1300)]
Regression Fix: Make Squid abort on parse failures.
The addition of multi-file parsing and catching of thrown errors between
them caused any errors in sub-files to be non-fatal and allow Squid to
run as if everything was normal, even if parts of the config were not
being loaded.
Squid will now propigate the error exception out and exit with a count of
the errors found.
Amos Jeffries [Wed, 13 Jan 2010 03:59:53 +0000 (16:59 +1300)]
Bug 2811: pt 1: Correct Peer table OID numbering
The IPv6 alterations to the cache_peer table display should not have
altered existing OID numbers. This fixes that by bumping the new table
format to a new OID number .1.3.6.1.4.1.3495.1.5.1.3 for version 3 of the
table.
NP: version 1 of the table was in 2.0->2.5, and 3.0
version 2 of the table was in 2.6+
projects / thirdparty / squid.git / log
