Amos Jeffries [Fri, 28 Jan 2011 07:58:53 +0000 (20:58 +1300)]
Windows: fix code wrappers for Cygwin and generic Win32 code
_SQUID_WIN32_ was being used to wrap all code built specific for Windows
but with any compiler on that platform.
- rename to _SQUID_WINDOWS_ to match OS wrpper naming convention.
- compact several macros using verbose test: (cygwin or Ming or any)
Cleans up all affected tests to match current precompiler code style.
Also cleans up all tests involving _SQUID_CYGWN_ to match code styles.
Author: Alex Rousskov <rousskov@measurement-factory.com>
Fix IP/FQDN cache accounting to avoid idle caches on busy servers.
When maintaining the IP/FQDN cache size, use the number of entries in the cache
rather than the number of allocated and not freed MEM_IPCACHE_ENTRY and
MEM_FQDNCACHE_ENTRY objects. These objects are used outside the cache
for DNS queries. If queries leak (or perhaps when there are just a lot of them),
the memory-pool-based count overestimates the cache size, sometimes to
such a degree that the cache remains nearly empty despite lots of misses.
Use memory-pool-based counter to estimate cache size also violates IP/FQDN cache
encapsulation boundaries because it effectively prevents others from using
the same memory pool.
Bug 3081:
During conversion of listening socket handlers to AsyncCalls a violation
of the AsyncCall API was introduced. Resulting in occasional crashes from
invalid re-use of call objects.
This implements a TcpAcceptor async job which receives a listening socket
and a CallSubscription. For every connection attempt on the listener socket
a new AsyncCall is spawned from the subscription template.
Initial users are the HTTP and HTTPS listening sockets and FTP data channel.
In order to implement this job in FTP the logics surrounding data channel
handling had to be extended and reworked. Fixing bug 2948 and 2581 in the
process.
Amos Jeffries [Tue, 25 Jan 2011 08:55:40 +0000 (21:55 +1300)]
Author: Fabian Hugelshofer <fh@open.ch>
Allow persistent connections for Mozilla/3.0 User-Agents
This fixes NTLM and Negotiate authentication for these agents.
History:
In 1998 a hack was added to HttpMsg::persistent() that disables
persistent connections for HTTP/1.0 User-Agents starting with
"Mozilla/3." and "Netscape/3.".
According to the thread on squid-dev
(http://www.eu.squid-cache.org/mail-archive/squid-dev/199805/0087.html),
this was necessary to make some versions of Netscape browsers work that
had a broken implementation of persistent connections. It was said that
"NS 3.01 is ok. NS 3.02 is bad. NS 3.04 is good." Netscape 4 was ok, too.
Amos Jeffries [Tue, 25 Jan 2011 05:31:59 +0000 (18:31 +1300)]
Fix external_acl_type grace= option
Due to race conditions between concurrent requests this is still not a
complete fix. But reduces the unwanted re-use of helper responses from
all connections arriving in a whole second which match the ACL key down
to just those that arrive within the reply lag time of the helper.
Henrik Nordstrom [Mon, 24 Jan 2011 20:23:27 +0000 (21:23 +0100)]
Simplify request parsing to not check request method when determining if a
request contains a request-entity or not. For requests this is signalled
entirely by Content-Length/Transfer-Encoding regardless of method.
also drops the requirement that PUT/POST requests must have a request-entity.
The RFC do not explicitly state this requirement even if the wording for those
methods do assume there is a enclosed request-entity.
The administrative "request_entities" config flag is kept for security
reasons, even if not really RFC compliant. (RFC meaning of request-entity
in GET/HEAD is just undefined or "ignored", not forbidden)
Amos Jeffries [Fri, 14 Jan 2011 14:10:21 +0000 (07:10 -0700)]
Make FTP and CacheMgr obey --disable-auth-basic
When teh proxy has been built with this auth module explicitly disabled
do not add headers indicating that it is available.
The side effect of not having Basic authentication support in the proxy
is that FTP is reduced to depending on URL logins and CacheMgr protected
actions cannot be used.
Amos Jeffries [Fri, 14 Jan 2011 06:15:23 +0000 (23:15 -0700)]
Support configurable status codes for deny_info
This changes the default behaviour of deny_info redirects. Making Squid
automaticaly select 307 or 303 status code where appropriate for HTTP/1.1
clients and 302 for HTTP/1.0 clients or other appropriate cases.
For example;
deny_info 303:http://example.com/ POST
On top of the behaviour change this patch adds capability for admin to
configure deny_info with explicit status codes ranging from 200 to 599.
There are limits placed on the use of each range of status codes:
* 2xx, 4xx and 5xx may only be set when there is a local file or template
being used as body content on the response.
* 3xx status may only be set when there is a URI being used as a redirect
destination.
These limitations are enforced with a configuration hard abort due to:
3xx with a named template and 4xx/5xx with a redirect break with a range
of horrible results to our file loading and output Location: URLs. My
tests ended up with Squid scanning the FS for local files called
http://blah, redirecting the browser to 404:ERR_ACCESS_DENIED, or getting
past those with zero-sized replies and crashes when err is required to
have length.
They are going to take something much more major logic re-plumbing and
maybe deeper cleanup to get the crossover down to safe enough for just a
warning. Given the RFC defined use of each status range I did not think
it worth doing to enable something on the fine edge of non-standard.
Amos Jeffries [Wed, 12 Jan 2011 05:23:00 +0000 (22:23 -0700)]
ftp_eprt directive to disable EPRT extensions in FTP
This allows admin to resolve compatibility problems with old devices which
encounter a range of problems when FTP extensions are used by selectively
disabling any of the extensions individually.
The other EPSV extensions already have enable/disable directives.
Amos Jeffries [Tue, 11 Jan 2011 07:33:27 +0000 (00:33 -0700)]
Bug 2959: remove SAMBAPREFIX dependency
This removes the tricky SAMBAPREFIX variable which passes full-path
information from the squid build machine down to the run-time host
helper.
Such information is not always correct when crossing machines, and the
binaries being run can easily be added to PATH in the run-time host
environment instead.
The net result of doing this is removal of Samba from the build
dependencies and increased availability of the basic_smb_auth and
ext_wbinfo_group_acl helpers.
Amos Jeffries [Sat, 8 Jan 2011 06:23:27 +0000 (19:23 +1300)]
Author: Henrik Nordstrom <hno@squid-cache.org>
Port from 2.7: maximum staleness limits
The default behaviour of Squid is to provide a stale copy (with Warnigng:
header) until an actove response from the origin server causes the object
to be updated or garbage collection causes its removal.
The max_stale direcive and refresh_pattern max-stale=N option allow admin
to set an upper limit on the objects age when serving stale responses.
Amos Jeffries [Mon, 27 Dec 2010 20:25:30 +0000 (13:25 -0700)]
Author: Henrik Nordstrom <hno@squid-cache.org>
Support RFC 5861 Cache-Control: stale-if-error option
The default behaviour for Squid is to present the stale object when
revalidation fails with a 5xx error.
stale-if-error places a maximum limit on how long this stale object may
be sent. After the limit has passed Squid is required to present the 5xx
message to the client.
Original code for Squid-2 was sponsored by Yahoo!.
Original code by Marcello Romani, this version has some additions to
initialize any missing database tables depended on during its startup
phase and some additional polish to fit within the current Squid release.
COPYRIGHT AND LICENSE
Copyright (C) 2008 by Marcello Romani
This library is free software; you can redistribute it and/or modify
it under the same terms as Perl itself, either Perl version 5.8.8 or,
at your option, any later version of Perl 5 you may have available.
Alex Rousskov [Sun, 19 Dec 2010 03:51:48 +0000 (20:51 -0700)]
Fixed BodyPipe.cc:144 "!theConsumer" assertion.
BodySink must hold a pointer to the body pipe it is consuming. Otherwise, the
pipe may be deleted before BodySink received the final notification and had a
chance to stop consumption, causing the assertion in the pipe destructor.
These extra parameters are passed as (name, opaque value) pairs to the
adapter, using the newly added libecap::Config API. Adapters should throw if
they cannot understand the parameters to protect users from typos in optional
Squid-recognized parameters.
Squid-recognized service parameters can also be passed to adapters. Adapters
can distinguish them from custom ones or typos because their names have host
IDs set. We currently only pass one Squid recognized service parameter called
"bypassable", with a boolean values of "1" or "0". This tells Adapter whether
Squid can try to bypass the adapter in case of problems. In our experience,
many real adapters benefit from such knowledge because they can be less strict
and more forgiving if Squid might ignore their decisions anyway.
To support optional adapter parameters for eCAP without bothering ICAP,
we now allow ICAP and eCAP to create protocol-specific configuration objects.
ICAP code uses old defaults. eCAP implements parsing of optional adapter
parameters and sharing them with adapters
As a side effect, service configuration objects are now refcounted and each
service (once created) is responsible for its config. The global collection of
configs is emptied once the services are created.
(B) eCAP transaction wrapper code (Ecap::XactionRep) failed to pass a few test
cases when dealing with virgin bodies. The code used complex state and
mishandled several proxyingVb, nil body_pipe, and stillConsuming value
combinations. proxyingVb was especially troubling because it was not clear
whether it refers to us receiving vb from Squid core or sending vb to the
adapter. The two states are related but different because we could be
receiving vb from core but not sending it to the adapter and vice versa.
I have removed proxyingVb completely as the body pipe state alone is
sufficient to understand our dealings with Squid core. I added makingVb to
track adapter vb needs.
Alex Rousskov [Thu, 16 Dec 2010 06:12:06 +0000 (23:12 -0700)]
Allow uri=value parameter when specifying adaptation service URIs.
When adaptation service URI contains a "=" character, Squid thinks you are
specifying a name=value option rather than a service URI. This leads to a
fatal configuration error.
This change lets you specify the service URI using the uri=value
syntax where the value may contain "=" character(s). For example, the
following works after and only after this change:
TODO: Should the adaptation service parser be changed to treat the last word
on the icap_service line as a service URI, regardless of whether it contains
the "=" character?
Alex Rousskov [Wed, 15 Dec 2010 17:52:35 +0000 (10:52 -0700)]
Support libecap::host::xaction::blockVirgin() API, serving ERR_ACCESS_DENIED.
deny_info logic is supported for these blocked responses, with the ACL name
replaced by the adaptation service name. This allows eCAP adapters to focus on
adaptation and blocking logic while letting Squid to serve a configurable
block message, with language negotiation and such.
Merged noteAdaptationAnswer(msg) and noteAdaptationQueryAbort(bool) into
noteAdaptationAnswer(answer). The Adaptation::Answer class manages all
currently supported adaptation decisions: forward the adapted message, block
user access to the virgin response, and bypassable or fatal error.
This "single answer hook" design allows us to add more information to adaption
answers without rewriting all the code that forwards those answers to the
adaptation initiator. We still often use multiple methods to handle multiple
answer categories, but that "forking" is optional and the decision to fork is
made locally, inside each answer recepient, reducing the overall code
complexity.
Also fixed a few virgin body handling corner cases that led to unnecessary
exceptions in Adaptation::Ecap::XactionRep despite correct adapter behavior.
Amos Jeffries [Wed, 15 Dec 2010 12:13:01 +0000 (05:13 -0700)]
ext_edirectory_userip_acl: alternative split algorithms
Some compilers do not support dynamically allocated stack space.
Instead perform a scan and hunk copy/wipe of the passed buffers directly.
As a side effect the split is no longer triple-copying data and
double-memset'ing.
Author: Graham Keeling <graham@equiinet.com>
Bug 3113: Squid can eat far too much memory when uploading files
Problem description:
Uploading a large file to a web site on the internet, squid's client
input buffer will increase far faster than it can be emptied to
the target website, and the machine will swiftly run out of memory.
This patch adds the client_request_buffer_max_size configuration
parameter which specifies the maximum buffer size of a client request.
Report ERR_SECURE_CONNECT_FAIL details to the user via a new error detail API.
Currently, the ERR_SECURE_CONNECT_FAIL response contains no usable error
information. Moreover, there is no interface to pass SSL error information
to the response generation code.
This patch adds an interface to allow Squid error responses to contain detailed
information about SSL certificate verification failure. For example, the error
message may contain the following text:
"Server Certificate Verification Failed: Certificate Common Name
(www.lufthansa.com) does not match the host name you are connecting to
(www.lufthansa.de)."
This is a Measurement Factory project.
Change details:
--------------------
- errorpage.cc/.h: The error page now supports the '%D' formating code to
display the detail string passed by modules. The detail strings passed by
modules can contain error page formating codes. Currently only SSL detail
errors messages are supported.
- A new class Ssl::ErrorDetail defined in ssl/ErrorDetail.[cc,h]
The Ssl::ErrorDetail objects passed to the SSL verification callback functions
(sl_verify_cb callback function defined in support.cc) and filled with error
detail data (error_no and a pointer to the X509 Certificate) in the case of
an error and passed back to the forward.cc code.
- The Ssl::ErrorDetail class internally uses (hard coded) templates and
formating codes to allow supporting multiple languages and adding easily
new features
Other changes:
-------------------
- errorpage.cc/.h: The BuildContent method split to BuildContent and ConvertText
method. The second method does the real conversion from a given text template
to output. It is used now to allow formating the detail strings passed with
%D.
- sslparseErrorString moved to ssl/ErrorDetail.cc file and renamed to
Ssl::parseErrorString
- sslFindErrorString moved to ssl/ErrorDetail.cc file and renamed to
Ssl::getErrorName
- The ssl_error_t typedef definition moved from ssl/support.h to
ssl/ErrorDetail.h and renamed to Ssl::error_t
Amos Jeffries [Mon, 13 Dec 2010 11:31:14 +0000 (00:31 +1300)]
Compat: cleanup several config.h hacks
* removes the xmemcpy and xmemmove hacks. Squid has been building for some
long time without them being consistently used all-over. No complaints.
bcopy() alternative is still use if needed. However main code can now
use memcpy( )and memmove() without special X knowledge.
* shuffle strnstr replacement into libcompat from libmisc
* shuffles xis*() function wrappers for is*() with type-casting into compat
Alex Rousskov [Mon, 13 Dec 2010 00:16:00 +0000 (17:16 -0700)]
Handle early eCAP transaction failures better.
Do not throw an exception if eCAP transaction had to deal with a virgin body
but was not consuming it at swangSong() time. This may happen if the eCAP
adapter throws an exception before the adapter requests the virgin body
transmission or after it stops the transmission. In other words, the
transaction wrapper consumes only if proxyingVb is on.
projects / thirdparty / squid.git / log
