Alex Rousskov [Tue, 7 Dec 2010 19:32:43 +0000 (12:32 -0700)]
Tolerate adapted body delivery failures in REQMOD request satisfaction mode.
Without these changes, Squid may assert if an ICAP or eCAP service fails
while delivering response body in REQMOD:
assertion failed: client_side.cc:1438: "rep"
Other assertions may be possible as well, because we were trying to
serve a freshly built, HttpReply-free error response while already
writing the REQMOD "request satisfaction" response. The assertion
probably depends on that writing stage (wrote nothing yet, wrote
headers, wrote some body, etc).
Polished ERR_DETAIL constants to distinguish the special "request
satisfaction" case and to remove ICAP-specific labels from general
adaptation code.
Alex Rousskov [Tue, 7 Dec 2010 19:10:11 +0000 (12:10 -0700)]
Support upcoming "fresh message creation" eCAP API.
Adapters need "fresh" (i.e., empty and not cloned) messages to support
"request satisfaction" mode and other cases where cloning a virgin message is
not possible or is awkward because the adapted message is not an adjusted
version of the virgin one.
fix compile error on OpenSolaris using SunStudio CC
The way the TidyPointer used inside ssl/gadgets.h which included
through ssl/support.h in squid.h file requires the ssl libraries
linked with every binary, even if not realy needed.
To solve this probelm remove the 'include "ssl/support.h"' line
from the squid.h and add it only where required.
The *_free SSL API functions can not be used with TidyPointer in some OSes/compilers
The *_free SSL functions are declared as extern "C" and can not be used as
DeAllocator argument of the TidyPointer class with some compilers and OSes.
To solve this problem:
- Define the CtoCpp1 macro to allow easy implementation of the C++ equivalent
function of an extern C function.
Currently defined in gadgets.h file, if required in the future can be
moved to TidyPointer.h file
- Use the CtoCpp macro to define the X509_free_cpp
- Remove the Ssl::BIO_free_wrapper function does not needed any more
Amos Jeffries [Mon, 6 Dec 2010 14:06:06 +0000 (03:06 +1300)]
Fix 'can't create ./src/***: No such file' errors on linking
Side effect of the AIX port fixes using .o instead of duplicating and
re-building the .cc individually. "It seemed a good idea at the time"(tm).
It is a bit strange that it should only show up now, those changes were
made long ago.
Anyways, I've come to the conclusion from other places that the rebuild is
slower to compile but a lot safer to deal with linkage and dependencies.
Amos Jeffries [Mon, 6 Dec 2010 08:24:12 +0000 (01:24 -0700)]
Fix host OS detection in configure.ac
squid_host_os was being left with the version appended. Which screwed all
the switch and if cases which depended on exact matching the name only.
This corrects the squid_host_os to not contain numeric versions and also
corrects several of the test cases using host_os instead of squid_host_os
or using squid_host_os with version digits.
Amos Jeffries [Sun, 5 Dec 2010 14:29:27 +0000 (03:29 +1300)]
Build libprofiler only when it will be operational
The internal CPU profiler requires specific CPU support. It is not useful
to build and link the library unless it is going to work.
Uses AC_PREPROC_IFELSE to allow building on cross-compilers.
Alex Rousskov [Fri, 3 Dec 2010 23:04:01 +0000 (16:04 -0700)]
Avoid comm_read "!fd_table[fd].closing()" assertion after adaptation ACL check
The assertion was hit if Server fd was closed while we were checking
adaptation ACLs, and we have not been notified of the closure yet (because the
Adaptation::AccessCheck callback is not async while closure notification is).
Alex Rousskov [Fri, 3 Dec 2010 22:59:37 +0000 (15:59 -0700)]
Polished HttpStateData::persistentConnStatus() code. No functionality changes.
Moved virginReply() call closer to the first virgin reply use. This will help
re-adding "did we parse the header yet" check if we ever need it again. It
also saves a couple of CPU cycles for some transactions.
Alex Rousskov [Fri, 3 Dec 2010 22:56:17 +0000 (15:56 -0700)]
Polished HttpStateData::persistentConnStatus() code. No functionality changes.
Do not check for flags.headers_parsed. The removed check was:
- misplaced: connection-related conditions such as eof must be checked first;
- wasteful: we never call persistentConnStatus() unless we parsed headers.
Moreover, calling persistentConnStatus() before we parse headers would trigger
and assertion because the method uses virginReply() which does not exist until
the headers are parsed.
Alex Rousskov [Thu, 2 Dec 2010 23:33:27 +0000 (16:33 -0700)]
Author: Stefan Fritsch <sf@sfritsch.de>
Bug 3096: Squid destroys CbDataList<DeferredRead> objects too late
When server download speed exceeds client download speed, Squid creates a
CbDataList<DeferredRead> object and associates a comm_close handler with it.
When the server kicks the deferred read, the comm_close handler is canceled.
This create/cancel sequence happens every time the server-side code wants to
read but has to wait for the client, which may happen hundreds of times per
second.
Before this change, those canceled comm_close handlers were not removed from
Comm until the end of the entire server transaction, possibly accumulating
thousands of CbDataList<DeferredRead> objects tied to the socket descriptor
via the canceled but still stored close handler.
comm_remove_close_handler now immediately removes canceled close handlers to
avoid their accumulation.
Alex Rousskov [Sun, 28 Nov 2010 15:29:51 +0000 (08:29 -0700)]
Prevent memory leaks when Adaptation::AccessCheck callback ends the job.
The AccessCheckCallbackWrapper is used in nonBlockingCheck() and is called
from the ACL code, using legacy function-based API. If the job ends during
the callback processing, there are no AsyncCall wrappers to destroy the job
object. We now convert legacy to async call to enable proper wrapping and job
destruction.
These kind of job leaks are invisible to valgrind, but that is another bug.
Amos Jeffries [Sat, 27 Nov 2010 01:46:22 +0000 (18:46 -0700)]
SourceLayout: Comm Write cleanups
* creates namespace Comm.
* The comm_write() functions are moved into that scope as Comm::Write()
and only accept AsyncCall now. Old wrapper functions are removed.
* commio_* functions are all moved to methods of a new Comm::IoCallback
object. Which represents either a read or a write callback event
waiting to happen. Old wrapper functions have been removed.
* The fdc_table of pending read and write callbacks has been moved into
the Comm scope with (the name iocb_table) and should be considered private.
For now the COMMIO_*_CB() macros are retained to produce a pointer to
a callback object in this table.
* libcomm-listener.la has been renamed to libcomm.la
Alex Rousskov [Fri, 19 Nov 2010 02:10:21 +0000 (19:10 -0700)]
HTTP Compliance: do not forward TRACE with Max-Forwards: 0 after REQMOD
Before the change, Max-Forwards request value was cached in
HttpRequest::max_forwards member. It was set once in
clientProcessRequest() function. This works fine as long as no request
adaptation is performed. Otherwise original HTTP request may be
replaced with adopted one in ClientHttpRequest::noteAdaptationAnswer()
method and max_forwards value is lost.
This change removes HttpRequest::max_forwards member and gets the value
directly from HttpHeader when needed. This adds another string-to-int
conversion for TRACE and OPTIONS requests, but those are rare, and we
save a little in the other, far more common cases by removing the
HttpRequest::max_forwards member.
Removed assertion from clientReplyContext::traceReply() since it is
called from a single place and the condition is checked right before
the call.
Co-Advisors test cases:
test_case/rfc2616/maxForwardsZero-TRACE-asterisk
test_case/rfc2616/maxForwardsZero-TRACE-absolute
Author: Alex Rousskov, Andrew Balabohin, Christos Tsantilas
Dynamic SSL certificate generartion
This patch implements dynamic SSL certificate generartion in Squid.When
used with SSL Bump, the feature allows Squid to dynamically
generate (using a configurable CA certificate) and cache SSL
certificates for the proxied hosts.
A description for this feature can be found at:
http://wiki.squid-cache.org/Features/DynamicSslCert
A first version of the patch posted by Alex, some months before:
http://www.squid-cache.org/mail-archive/squid-dev/201003/0201.html
Some words about the patch:
* ssl related source files moved under the src/ssl directory
* Introduce the TidyPointer class similar to std::auto_ptr, which implements
a pointer that deletes the object it points to when the pointer's owner
or context is gone. It is designed to avoid memory leaks in the presence
of exceptions and processing short cuts.
* Implements ssl context cache to use with generated ssl contexts. The
Ssl::LocalContextStorage class stores the hostname/ssl context pairs for
a local listening address/port. The Ssl::GlobalContextStorage class used
to store Ssl::LocalContextStorages per local listening address and handles
squid shutdown/configure/reconfigure
* Ssl::Helper class implements the squid part of the ssl_crtd helpers.
* The ssl_crtd helper implemented in ssl_crtd.cc and certificate_db.* files
* The Ssl::CertificateDb class (certificate_db.* files) implements a
database of certificates on disk files. It is used by ssl_crtd helper to
manipulate generated certificates.
* The ssl related files included in the libraries libsslutil.a which
contains common classes and functions and the libsquidssl.a which has
squid related ssl objects and functions
Amos Jeffries [Tue, 16 Nov 2010 05:43:47 +0000 (18:43 +1300)]
Reduce debug level on bodypipe re-write change
- the original reason for adding is unknown
- it is an annoyance for some
- there have been no big problems tracked down to this bodypipe change
over the last few years. It appears relatively harmless.
Amos Jeffries [Wed, 10 Nov 2010 09:50:38 +0000 (22:50 +1300)]
Policy: detect config.h and squid.h include problems
We currently have a policy that config.h MUST be included first so as to
pull in the portability definitions early. It MAY be included via the
legacy squid.h at present.
This alteration to the source maintenance script validates that each .c
and .cc file in the sources includes config.h or squid.h first in its
include order. Also that each .h and .cci do not include config.h which
is a double include with enforced .c/.cc requirement.
* an ERROR: line is produces for each violating file
* as yet the maintenance run is not blocked so as to catch as many
errors as possible in one run
* detection only, as yet no code alterations are performed by this script
* FORMAT: informative lines are silenced to make ERROR: more visible
Alex Rousskov [Sun, 7 Nov 2010 03:07:29 +0000 (21:07 -0600)]
Bug 3091 fix: Bypassed ICAP errors are not counted as service failures.
Notify ICAP service about the failure even if we can bypass it. Otherwise,
a failing service may continue to stay "up", preventing Squid from using a
healthy backup alternative in a service_set (or bypassing ICAP completeley).
Fixed DNS query leaks and increased defense against DNS cache poisoning.
We were leaking (i.e. forgetting about) DNS queries under several conditions.
The most realistic leak case would go like this:
- We send UDP query1.
No response.
- We send UDP query2.
The response for query1 comes, with TC bit.
- We try to connect over TCP, sending TCP query3.
The response for query2 comes, with TC bit, matching TCP query3 ID.
Since we are waiting a response over TCP, we drop the UDP response,
and delete the query from the queue. We leak.
This change avoids forgetting the query under the above scenario.
Moreover, the above steps are hiding another problem: we are accepting responses
to timed out queries, making DNS cache poisoning easier. This change avoids
that by using unique query ID for each sent query. We have also added an
instance ID so that we still can track/identify a single "transaction" from
Squid point of view, even when that transaction involves many DNS query
messages.
When we forget about a DNS query, the caller may get stuck, holding a cbdata
lock. This is typical for ACLs that require domain name resolution, for example.
On a busy server with a long ACL list, the lock counter keeps growing due to
forgotten requests and may overflow, causing a "c->locks < 65535" assertion.
This change fixes the assertion unless there are more DNS leaks or different
lock leaks present.
and response_is_fresh is always false if freshness_lifetime is zero.
The check code was introduced in r5998 with a "Import of fix-ranges
branch" message. The code was commented out at the time of that
commit, for reasons unknown.
Test case:
test_case/rfc2616/noSrv-hit-stale-max-age-req
projects / thirdparty / squid.git / log
