{"Proxy-Authentication-Info", HDR_PROXY_AUTHENTICATION_INFO, ftStr},
{"Proxy-Authorization", HDR_PROXY_AUTHORIZATION, ftStr},
{"Proxy-Connection", HDR_PROXY_CONNECTION, ftStr},
+ {"Proxy-support", HDR_PROXY_SUPPORT, ftStr},
{"Public", HDR_PUBLIC, ftStr},
{"Range", HDR_RANGE, ftPRange},
{"Referer", HDR_REFERER, ftStr},
HDR_IF_MATCH, HDR_IF_NONE_MATCH,
HDR_LINK, HDR_PRAGMA,
HDR_PROXY_CONNECTION,
+ HDR_PROXY_SUPPORT,
HDR_TRANSFER_ENCODING,
HDR_UPGRADE,
HDR_VARY,
HDR_PROXY_AUTHENTICATION_INFO,
HDR_PROXY_AUTHORIZATION,
HDR_PROXY_CONNECTION,
+ HDR_PROXY_SUPPORT,
HDR_PUBLIC,
HDR_RANGE,
HDR_REQUEST_RANGE, /**< some clients use this, sigh */
virtual bool expectingBody(const HttpRequestMethod&, int64_t&) const = 0;
void firstLineBuf(MemBuf&);
+
+ virtual bool inheritProperties(const HttpMsg *aMsg) = 0;
protected:
virtual bool sanityCheckStartLine(MemBuf *buf, http_status *error) = 0;
rep->protocol = protocol;
rep->sline = sline;
+ rep->keep_alive = keep_alive;
return rep;
}
+
+
+bool HttpReply::inheritProperties(const HttpMsg *aMsg)
+{
+ const HttpReply *aRep = dynamic_cast<const HttpReply*>(aMsg);
+ if(!aRep)
+ return false;
+ keep_alive = aRep->keep_alive;
+ return true;
+}
virtual bool expectingBody(const HttpRequestMethod&, int64_t&) const;
+ virtual bool inheritProperties(const HttpMsg *aMsg);
+
void updateOnNotModified(HttpReply const *other);
/** set commonly used info with one call */
login[0] = '\0';
host[0] = '\0';
auth_user_request = NULL;
+ pinned_connection = NULL;
port = 0;
canonical = NULL;
memset(&flags, '\0', sizeof(flags));
range = NULL;
}
+ if(pinned_connection)
+ cbdataReferenceDone(pinned_connection);
+
tag.clean();
extacl_user.clean();
return true;
}
+
+bool HttpRequest::inheritProperties(const HttpMsg *aMsg)
+{
+ const HttpRequest* aReq = dynamic_cast<const HttpRequest*>(aMsg);
+ if(!aReq)
+ return false;
+
+ client_addr = aReq->client_addr;
+ my_addr = aReq->my_addr;
+
+ // This may be too conservative for the 204 No Content case
+ // may eventually need cloneNullAdaptationImmune() for that.
+ flags = aReq->flags.cloneAdaptationImmune();
+
+ if (aReq->auth_user_request) {
+ auth_user_request = aReq->auth_user_request;
+ AUTHUSERREQUESTLOCK(auth_user_request, "inheritProperties");
+ }
+
+ if(aReq->pinned_connection) {
+ pinned_connection = cbdataReference(aReq->pinned_connection);
+ }
+ return true;
+}
private:
char host[SQUIDHOSTNAMELEN];
+
+ /***
+ * The client side connection data of pinned connections for the client side
+ * request related objects
+ */
+ ConnStateData *pinned_connection;
public:
IPAddress host_addr;
static HttpRequest * CreateFromUrlAndMethod(char * url, const HttpRequestMethod& method);
static HttpRequest * CreateFromUrl(char * url);
+
+ void setPinnedConnection(ConnStateData *conn) {
+ pinned_connection = cbdataReference(conn);
+ }
+
+ ConnStateData *pinnedConnection() {
+ return pinned_connection;
+ }
+
+ void releasePinnedConnection() {
+ cbdataReferenceDone(pinned_connection);
+ }
private:
const char *packableURI(bool full_uri) const;
virtual bool sanityCheckStartLine(MemBuf *buf, http_status *error);
virtual void hdrCacheInit();
-
+
+ virtual bool inheritProperties(const HttpMsg *aMsg);
};
MEMPROXY_CLASS_INLINE(HttpRequest) /**DOCS_NOSEMI*/
// allocate the adapted message and copy metainfo
Must(!adapted.header);
HttpMsg *newHead = NULL;
- if (const HttpRequest *oldR = dynamic_cast<const HttpRequest*>(oldHead)) {
+ if (dynamic_cast<const HttpRequest*>(oldHead)) {
HttpRequest *newR = new HttpRequest;
- inheritVirginProperties(*newR, *oldR);
newHead = newR;
- } else
- if (dynamic_cast<const HttpReply*>(oldHead))
- newHead = new HttpReply;
+ }
+ else if (dynamic_cast<const HttpReply*>(oldHead)) {
+ HttpReply *newRep = new HttpReply;
+ newHead = newRep;
+ }
Must(newHead);
+ newHead->inheritProperties(oldHead);
adapted.setHeader(newHead);
if (!parseHead(adapted.header))
return; // need more header data
- if (HttpRequest *newHead = dynamic_cast<HttpRequest*>(adapted.header)) {
+ if (dynamic_cast<HttpRequest*>(adapted.header)) {
const HttpRequest *oldR = dynamic_cast<const HttpRequest*>(virgin.header);
Must(oldR);
// TODO: the adapted request did not really originate from the
// client; give proxy admin an option to prevent copying of
// sensitive client information here. See the following thread:
// http://www.squid-cache.org/mail-archive/squid-dev/200703/0040.html
- inheritVirginProperties(*newHead, *oldR);
}
+
+ // Maybe adapted.header==NULL if HttpReply and have Http 0.9 ....
+ if(adapted.header)
+ adapted.header->inheritProperties(virgin.header);
}
decideOnParsingBody();
return true;
}
-// TODO: Move this method to HttpRequest?
-void ICAPModXact::inheritVirginProperties(HttpRequest &newR, const HttpRequest &oldR) {
-
- newR.client_addr = oldR.client_addr;
- newR.my_addr = oldR.my_addr;
-
- // This may be too conservative for the 204 No Content case
- // may eventually need cloneNullAdaptationImmune() for that.
- newR.flags = oldR.flags.cloneAdaptationImmune();
-
- if (oldR.auth_user_request) {
- newR.auth_user_request = oldR.auth_user_request;
- AUTHUSERREQUESTLOCK(newR.auth_user_request, "newR in ICAPModXact");
- }
-}
-
void ICAPModXact::decideOnParsingBody() {
if (gotEncapsulated("res-body") || gotEncapsulated("req-body")) {
debugs(93, 5, HERE << "expecting a body");
HttpRequest* new_request = new HttpRequest;
urlParse(old_request->method, old_request->canonical,new_request);
new_request->http_ver = old_request->http_ver;
- inheritVirginProperties(*new_request, *old_request);
headClone = new_request;
}
else if (const HttpReply *old_reply = dynamic_cast<const HttpReply*>(head)) {
}
Must(headClone);
+ headClone->inheritProperties(head);
HttpHeaderPos pos = HttpHeaderInitPos;
HttpHeaderEntry* p_head_entry = NULL;
void parseIcapHead();
void parseHttpHead();
bool parseHead(HttpMsg *head);
- void inheritVirginProperties(HttpRequest &newR, const HttpRequest &oldR);
void decideOnParsingBody();
void parseBody();
unsigned int sslBump:1; /**< intercepts CONNECT requests */
int vport; /* virtual port support, -1 for dynamic, >0 static*/
+ bool connection_auth_disabled; /* Don't support connection oriented auth */
int disable_pmtu_discovery;
struct {
self_destruct();
p->icp.port = GetUdpService();
+ p->connection_auth = 2; /* auto */
while ((token = strtok(NULL, w_space))) {
if (!strcasecmp(token, "proxy-only")) {
p->front_end_https = 1;
} else if (strcmp(token, "front-end-https=auto") == 0) {
p->front_end_https = 2;
+ }else if (strcmp(token, "connection-auth=off") == 0) {
+ p->connection_auth = 0;
+ } else if (strcmp(token, "connection-auth") == 0) {
+ p->connection_auth = 1;
+ } else if (strcmp(token, "connection-auth=on") == 0) {
+ p->connection_auth = 1;
+ } else if (strcmp(token, "connection-auth=auto") == 0) {
+ p->connection_auth = 2;
} else {
debugs(3, 0, "parse_peer: token='" << token << "'");
self_destruct();
s->disable_pmtu_discovery = DISABLE_PMTU_OFF;
s->name = xstrdup(token);
+ s->connection_auth_disabled = false;
#if USE_IPV6
if (*token == '[') {
s->accel = 1;
} else if (strcmp(token, "accel") == 0) {
s->accel = 1;
+ } else if (strcmp(token, "no-connection-auth") == 0) {
+ s->connection_auth_disabled = true;
+ } else if (strcmp(token, "connection-auth=off") == 0) {
+ s->connection_auth_disabled = true;
+ } else if (strcmp(token, "connection-auth") == 0) {
+ s->connection_auth_disabled = false;
+ } else if (strcmp(token, "connection-auth=on") == 0) {
+ s->connection_auth_disabled = false;
} else if (strncmp(token, "disable-pmtu-discovery=", 23) == 0) {
if (!strcasecmp(token + 23, "off"))
s->disable_pmtu_discovery = DISABLE_PMTU_OFF;
if (s->vport)
storeAppendPrintf(e, " vport");
+ if (s->connection_auth_disabled)
+ storeAppendPrintf(e, " connection-auth=off");
+ else
+ storeAppendPrintf(e, " connection-auth=on");
+
if (s->disable_pmtu_discovery != DISABLE_PMTU_OFF) {
const char *pmtu;
protocol= Protocol to reconstruct accelerated requests with.
Defaults to http.
+ connection-auth[=on|off]
+ use connection-auth=off to tell Squid to prevent
+ forwarding Microsoft connection oriented authentication
+ (NTLM, Negotiate and Kerberos)
+
disable-pmtu-discovery=
Control Path-MTU discovery usage:
off lets OS decide on what to do (default).
sslcipher=...
ssloptions=...
front-end-https[=on|auto]
+ connection-auth[=on|off|auto]
use 'proxy-only' to specify objects fetched
from this cache should not be saved locally.
on this header. If set to auto the header will
only be added if the request is forwarded as a https://
URL.
+
+ use connection-auth=off to tell Squid that this peer does
+ not support Microsoft connection oriented authentication,
+ and any such challenges received from there should be
+ ignored. Default is auto to automatically determine the
+ status of the peer.
DOC_END
NAME: cache_peer_domain cache_host_domain
auth_user_request->onConnectionClose(this);
}
+ if (pinning.fd >= 0)
+ comm_close(pinning.fd);
+
BodyProducer::swanSong();
flags.swanSang = true;
}
debugs(33, 3, "ClientSocketContext::keepaliveNextRequest: FD " << conn->fd);
connIsFinished();
+ if (conn->pinning.pinned && conn->pinning.fd == -1) {
+ debugs(33, 2, "clientKeepaliveNextRequest: FD " << conn->fd << " Connection was pinned but server side gone. Terminating client connection");
+ comm_close(conn->fd);
+ return;
+ }
+
/** \par
* Attempt to parse a request from the request buffer.
* If we've been fed a pipelined request it may already
ConnStateData::ConnStateData() :AsyncJob("ConnStateData"), transparent_ (false), reading_ (false), closing_ (false)
{
+ pinning.fd = -1;
+ pinning.pinned = false;
+ pinning.auth = false;
}
bool
if (allocatedSize)
memFreeBuf(allocatedSize, buf);
}
+
+/* This is a comm call normally scheduled by comm_close() */
+void
+ConnStateData::clientPinnedConnectionClosed(const CommCloseCbParams &io)
+{
+ pinning.fd = -1;
+ if (pinning.peer) {
+ cbdataReferenceDone(pinning.peer);
+ }
+ safe_free(pinning.host);
+ /* NOTE: pinning.pinned should be kept. This combined with fd == -1 at the end of a request indicates that the host
+ * connection has gone away */
+}
+
+void ConnStateData::pinConnection(int pinning_fd, HttpRequest *request, struct peer *peer, bool auth){
+ fde *f;
+ char desc[FD_DESC_SZ];
+
+ if (pinning.fd == pinning_fd)
+ return;
+ else if (pinning.fd != -1)
+ comm_close(pinning.fd);
+
+ if(pinning.host)
+ safe_free(pinning.host);
+
+ pinning.fd = pinning_fd;
+ pinning.host = xstrdup(request->GetHost());
+ pinning.port = request->port;
+ pinning.pinned = true;
+ if (pinning.peer)
+ cbdataReferenceDone(pinning.peer);
+ if (peer)
+ pinning.peer = cbdataReference(peer);
+ pinning.auth = auth;
+ f = &fd_table[fd];
+ snprintf(desc, FD_DESC_SZ, "%s pinned connection for %s:%d (%d)",
+ (auth || !peer) ? request->GetHost() : peer->name, f->ipaddr, (int) f->remote_port, fd);
+ fd_note(pinning_fd, desc);
+
+ typedef CommCbMemFunT<ConnStateData, CommCloseCbParams> Dialer;
+ pinning.closeHandler = asyncCall(33, 5, "ConnStateData::clientPinnedConnectionClosed",
+ Dialer(this, &ConnStateData::clientPinnedConnectionClosed));
+ comm_add_close_handler(pinning_fd, pinning.closeHandler);
+
+}
+
+int ConnStateData::validatePinnedConnection(HttpRequest *request, const struct peer *peer)
+{
+ bool valid = true;
+ if (pinning.fd < 0)
+ return -1;
+
+ if (pinning.auth && request && strcasecmp(pinning.host, request->GetHost()) != 0) {
+ valid = false;
+ }
+ if (request && pinning.port != request->port){
+ valid = false;
+ }
+ if (pinning.peer && !cbdataReferenceValid(pinning.peer)){
+ valid = false;
+ }
+ if (peer != pinning.peer){
+ valid = false;
+ }
+
+ if(!valid) {
+ int pinning_fd=pinning.fd;
+ /* The pinning info is not safe, remove any pinning info*/
+ unpinConnection();
+
+ /* also close the server side socket, we should not use it for invalid/unauthenticated
+ requests...
+ */
+ comm_close(pinning_fd);
+ return -1;
+ }
+
+ return pinning.fd;
+}
+
+void ConnStateData::unpinConnection()
+{
+ if(pinning.peer)
+ cbdataReferenceDone(pinning.peer);
+
+ if(pinning.closeHandler != NULL) {
+ comm_remove_close_handler(pinning.fd, pinning.closeHandler);
+ pinning.closeHandler = NULL;
+ }
+ pinning.fd = -1;
+ safe_free(pinning.host);
+}
bool readMoreRequests;
bool swanSang; // XXX: temporary flag to check proper cleanup
} flags;
+ struct {
+ int fd; /* pinned server side connection */
+ char *host; /* host name of pinned connection */
+ int port; /* port of pinned connection */
+ bool pinned; /* this connection was pinned */
+ bool auth; /* pinned for www authentication */
+ struct peer *peer; /* peer the connection goes via */
+ AsyncCall::Pointer closeHandler; /*The close handler for pinned server side connection*/
+ } pinning;
+
http_port_list *port;
bool transparent() const;
void handleReadData(char *buf, size_t size);
void handleRequestBodyData();
+ /**
+ * Correlate the current ConnStateData object with the pinning_fd socket descriptor.
+ */
+ void pinConnection(int fd, HttpRequest *request, struct peer *peer, bool auth);
+ /**
+ * Decorrelate the ConnStateData object from its pinned peer
+ */
+ void unpinConnection();
+ /**
+ * Checks if there is pinning info if it is valid. It can close the server side connection
+ * if pinned info is not valid.
+ \param request if it is not NULL also checks if the pinning info refers to the request client side HttpRequest
+ \param peer if it is not NULL also check if the peer is the pinning peer
+ \return The fd of the server side connection or -1 if fails.
+ */
+ int validatePinnedConnection(HttpRequest *request, const struct peer *peer=NULL);
+ /**
+ * returts the pinned peer if exists, NULL otherwise
+ */
+ struct peer *pinnedPeer() const {return pinning.peer;}
+ bool pinnedAuth() const {return pinning.auth;}
+
+ // pining related comm callbacks
+ void clientPinnedConnectionClosed(const CommCloseCbParams &io);
+
// comm callbacks
void clientReadRequest(const CommIoCbParams &io);
void connStateClosed(const CommCloseCbParams &io);
/* Filter unproxyable authentication types */
if (http->logType != LOG_TCP_DENIED &&
- (hdr->has(HDR_WWW_AUTHENTICATE) || hdr->has(HDR_PROXY_AUTHENTICATE))) {
+ hdr->has(HDR_WWW_AUTHENTICATE)) {
HttpHeaderPos pos = HttpHeaderInitPos;
HttpHeaderEntry *e;
- int headers_deleted = 0;
+ int connection_auth_blocked = 0;
while ((e = hdr->getEntry(&pos))) {
- if (e->id == HDR_WWW_AUTHENTICATE || e->id == HDR_PROXY_AUTHENTICATE) {
+ if (e->id == HDR_WWW_AUTHENTICATE) {
const char *value = e->value.buf();
if ((strncasecmp(value, "NTLM", 4) == 0 &&
(value[4] == '\0' || value[4] == ' '))
||
(strncasecmp(value, "Negotiate", 9) == 0 &&
- (value[9] == '\0' || value[9] == ' ')))
- hdr->delAt(pos, headers_deleted);
+ (value[9] == '\0' || value[9] == ' '))
+ ||
+ (strncasecmp(value, "Kerberos", 8) == 0 &&
+ (value[8] == '\0' || value[8] == ' ')))
+ {
+ if (request->flags.connection_auth_disabled) {
+ hdr->delAt(pos, connection_auth_blocked);
+ continue;
+ }
+ request->flags.must_keepalive = 1;
+ if (!request->flags.accelerated && !request->flags.intercepted) {
+ httpHeaderPutStrf(hdr, HDR_PROXY_SUPPORT, "Session-Based-Authentication");
+ /*
+ We send "[Proxy-]Connection: Proxy-Support" header to mark
+ Proxy-Support as a hop-by-hop header for intermediaries that do not
+ understand the semantics of this header. The RFC should have included
+ this recommendation.
+ */
+ httpHeaderPutStrf(hdr, HDR_CONNECTION, "Proxy-support");
+ }
+ break;
+ }
}
}
- if (headers_deleted)
+
+ if (connection_auth_blocked)
hdr->refreshMask();
}
debugs(88, 3, "clientBuildReplyHeader: Shutting down, don't keep-alive.");
request->flags.proxy_keepalive = 0;
}
+
+ if (request->flags.connection_auth && !reply->keep_alive) {
+ debugs(33, 2, "clientBuildReplyHeader: Connection oriented auth but server side non-persistent");
+ request->flags.proxy_keepalive = 0;
+ }
+
/* Append VIA */
if (Config.onoff.via) {
if (req_hdr->has(HDR_AUTHORIZATION))
request->flags.auth = 1;
+ ConnStateData *http_conn = http->getConn();
+ assert(http_conn);
+ request->flags.connection_auth_disabled = http_conn->port->connection_auth_disabled;
+ if (!request->flags.connection_auth_disabled) {
+ if (http_conn->pinning.fd != -1) {
+ if (http_conn->pinning.auth) {
+ request->flags.connection_auth = 1;
+ request->flags.auth = 1;
+ } else {
+ request->flags.connection_proxy_auth = 1;
+ }
+ request->setPinnedConnection(http_conn);
+ }
+ }
+
+ /* check if connection auth is used, and flag as candidate for pinning
+ * in such case.
+ * Note: we may need to set flags.connection_auth even if the connection
+ * is already pinned if it was pinned earlier due to proxy auth
+ */
+ if (!request->flags.connection_auth) {
+ if (req_hdr->has(HDR_AUTHORIZATION) || req_hdr->has(HDR_PROXY_AUTHORIZATION)) {
+ HttpHeaderPos pos = HttpHeaderInitPos;
+ HttpHeaderEntry *e;
+ int may_pin = 0;
+ while ((e = req_hdr->getEntry(&pos))) {
+ if (e->id == HDR_AUTHORIZATION || e->id == HDR_PROXY_AUTHORIZATION) {
+ const char *value = e->value.buf();
+ if (strncasecmp(value, "NTLM ", 5) == 0
+ ||
+ strncasecmp(value, "Negotiate ", 10) == 0
+ ||
+ strncasecmp(value, "Kerberos ", 9) == 0) {
+ if (e->id == HDR_AUTHORIZATION) {
+ request->flags.connection_auth = 1;
+ may_pin = 1;
+ } else {
+ request->flags.connection_proxy_auth = 1;
+ may_pin = 1;
+ }
+ }
+ }
+ }
+ if (may_pin && !request->pinnedConnection()) {
+ request->setPinnedConnection(http->getConn());
+ }
+ }
+ }
+
+
if (request->login[0] != '\0')
request->flags.auth = 1;
ANY_OLD_PARENT,
USERHASH_PARENT,
SOURCEHASH_PARENT,
- HIER_MAX
+ HIER_MAX,
+ PINNED
} hier_code;
/// \ingroup ServerProtocolICPAPI
if (ftimeout < ctimeout)
ctimeout = ftimeout;
+
+ request->flags.pinned = 0;
+ if (fs->code == PINNED) {
+ ConnStateData *pinned_connection = request->pinnedConnection();
+ assert(pinned_connection);
+ fd = pinned_connection->validatePinnedConnection(request, fs->_peer);
+ if (fd >= 0) {
+ pinned_connection->unpinConnection();
+#if 0
+ if (!fs->_peer)
+ fs->code = HIER_DIRECT;
+#endif
+ server_fd = fd;
+ n_tries++;
+ request->flags.pinned = 1;
+ if (pinned_connection->pinnedAuth())
+ request->flags.auth = 1;
+ comm_add_close_handler(fd, fwdServerClosedWrapper, this);
+ connectDone(fd, COMM_OK, 0);
+ return;
+ }
+ /* Failure. Fall back on next path */
+ request->releasePinnedConnection();
+ servers = fs->next;
+ fwdServerFree(fs);
+ connectStart();
+ return;
+ }
+
fd = fwdPconnPool->pop(host, port, domain, client_addr, checkRetriable());
if (fd >= 0) {
debugs(17, 3, "fwdConnectStart: reusing pconn FD " << fd);
}
}
- if (request->flags.auth) {
+ if (request->flags.auth || request->flags.auth_sent) {
/*
* Responses to requests with authorization may be cached
* only if a Cache-Control: public reply header is present.
httpChunkDecoder = new ChunkedCodingParser;
}
+ if(!peerSupportsConnectionPinning())
+ orig_request->flags.connection_auth_disabled = 1;
+
HttpReply *vrep = setVirginReply(newrep);
flags.headers_parsed = 1;
}
+/**
+ * returns true if the peer can support connection pinning
+*/
+bool HttpStateData::peerSupportsConnectionPinning() const
+{
+ const HttpReply *rep = entry->mem_obj->getReply();
+ const HttpHeader *hdr = &rep->header;
+ bool rc;
+ String header;
+
+ if (!_peer)
+ return true;
+
+ /*If this peer does not support connection pinning (authenticated
+ connections) return false
+ */
+ if (!_peer->connection_auth)
+ return false;
+
+ /*The peer supports connection pinning and the http reply status
+ is not unauthorized, so the related connection can be pinned
+ */
+ if (rep->sline.status != HTTP_UNAUTHORIZED)
+ return true;
+
+ /*The server respond with HTTP_UNAUTHORIZED and the peer configured
+ with "connection-auth=on" we know that the peer supports pinned
+ connections
+ */
+ if (_peer->connection_auth == 1)
+ return true;
+
+ /*At this point peer has configured with "connection-auth=auto"
+ parameter so we need some extra checks to decide if we are going
+ to allow pinned connections or not
+ */
+
+ /*if the peer configured with originserver just allow connection
+ pinning (squid 2.6 behaviour)
+ */
+ if (_peer->options.originserver)
+ return true;
+
+ /*if the connections it is already pinned it is OK*/
+ if (request->flags.pinned)
+ return true;
+
+ /*Allow pinned connections only if the Proxy-support header exists in
+ reply and has in its list the "Session-Based-Authentication"
+ which means that the peer supports connection pinning.
+ */
+ if (!hdr->has(HDR_PROXY_SUPPORT))
+ return false;
+
+ header = hdr->getStrOrList(HDR_PROXY_SUPPORT);
+ /* XXX This ought to be done in a case-insensitive manner */
+ rc = (strstr(header.buf(), "Session-Based-Authentication") != NULL);
+
+ return rc;
+}
+
// Called when we parsed (and possibly adapted) the headers but
// had not starting storing (a.k.a., sending) the body yet.
void
{
AsyncCall::Pointer call;
IPAddress client_addr;
+ bool ispinned = false;
if (!flags.headers_parsed) {
flags.do_next_read = 1;
if (orig_request->flags.spoof_client_ip)
client_addr = orig_request->client_addr;
- if (_peer) {
+
+ if (request->flags.pinned) {
+ ispinned = true;
+ } else if (request->flags.connection_auth && request->flags.auth_sent) {
+ ispinned = true;
+ }
+
+ if (orig_request->pinnedConnection() && ispinned) {
+ orig_request->pinnedConnection()->pinConnection(fd, orig_request, _peer,
+ (request->flags.connection_auth != 0));
+ } else if (_peer) {
if (_peer->options.originserver)
fwd->pconnPush(fd, _peer->name, orig_request->port, orig_request->GetHost(), client_addr);
else
*/
if (NULL == orig_request->range || !orig_request->flags.cachable
- || orig_request->range->offsetLimitExceeded())
+ || orig_request->range->offsetLimitExceeded() || orig_request->flags.connection_auth)
result = false;
debugs(11, 8, "decideIfWeDoRanges: range specs: " <<
HttpHeader hdr(hoRequest);
Packer p;
httpBuildRequestHeader(request, orig_request, entry, &hdr, flags);
+
+ if (request->flags.pinned && request->flags.connection_auth)
+ request->flags.auth_sent = 1;
+ else if (hdr.has(HDR_AUTHORIZATION))
+ request->flags.auth_sent = 1;
+
packerToMemInit(&p, mb);
hdr.packInto(&p);
hdr.clean();
/*
* Is keep-alive okay for all request methods?
*/
- if (!Config.onoff.server_pconns)
+ if (orig_request->flags.must_keepalive)
+ flags.keepalive = 1;
+ else if (!Config.onoff.server_pconns)
flags.keepalive = 0;
else if (_peer == NULL)
flags.keepalive = 1;
MemBuf * mb,
http_state_flags flags);
static bool decideIfWeDoRanges (HttpRequest * orig_request);
+ bool peerSupportsConnectionPinning() const;
ChunkedCodingParser *httpChunkDecoder;
private:
/* count mcast group peers every 15 minutes */
#define MCAST_COUNT_RATE 900
-static int peerAllowedToUse(const peer *, HttpRequest *);
+int peerAllowedToUse(const peer *, HttpRequest *);
static int peerWouldBePinged(const peer *, HttpRequest *);
static void neighborRemove(peer *);
static void neighborAlive(peer *, const MemObject *, const icp_common_t *);
* this function figures out if it is appropriate to fetch REQUEST
* from PEER.
*/
-static int
+int
peerAllowedToUse(const peer * p, HttpRequest * request)
{
if (p->domain)
storeAppendPrintf(sentry, " forceddomain=%s", p->domain);
+ if(p->connection_auth == 0)
+ storeAppendPrintf(sentry, " connection-auth=off");
+ else if(p->connection_auth == 1)
+ storeAppendPrintf(sentry, " connection-auth=on");
+ else if(p->connection_auth == 2)
+ storeAppendPrintf(sentry, " connection-auth=auto");
+
storeAppendPrintf(sentry, "\n");
}
static void peerGetSomeParent(ps_state *);
static void peerGetAllParents(ps_state *);
static void peerAddFwdServer(FwdServer **, peer *, hier_code);
+static void peerSelectPinned(ps_state * ps);
CBDATA_CLASS_INIT(ps_state);
debugs(44, 3, "peerSelectFoo: direct = " << DirectStr[ps->direct]);
}
+ if (!entry || entry->ping_status == PING_NONE)
+ peerSelectPinned(ps);
if (entry == NULL) {
(void) 0;
} else if (entry->ping_status == PING_NONE) {
peerSelectCallback(ps);
}
+/*
+ * peerSelectPinned
+ *
+ * Selects a pinned connection
+ */
+int peerAllowedToUse(const peer * p, HttpRequest * request);
+static void
+peerSelectPinned(ps_state * ps)
+{
+ HttpRequest *request = ps->request;
+ peer *peer;
+ if (!request->pinnedConnection())
+ return;
+ if (request->pinnedConnection()->validatePinnedConnection(request) != -1) {
+ peer = request->pinnedConnection()->pinnedPeer();
+ if (peer && peerAllowedToUse(peer, request)) {
+ peerAddFwdServer(&ps->servers, peer, PINNED);
+ if (ps->entry)
+ ps->entry->ping_status = PING_DONE; /* Skip ICP */
+ } else if (!peer && ps->direct != DIRECT_NO) {
+ peerAddFwdServer(&ps->servers, NULL, PINNED);
+ if (ps->entry)
+ ps->entry->ping_status = PING_DONE; /* Skip ICP */
+ }
+ }
+}
+
/*
* peerGetSomeNeighbor
*
#endif
int front_end_https;
+ int connection_auth;
};
struct _net_db_name
unsigned int internal:1;
unsigned int internalclient:1;
unsigned int must_keepalive:1;
+ unsigned int connection_auth:1; /** Request wants connection oriented auth */
+ unsigned int connection_auth_disabled:1; /** Connection oriented auth can not be supported */
+ unsigned int connection_proxy_auth:1; /** Request wants connection oriented auth */
+ unsigned int pinned:1; /* Request sent on a pinned connection */
+ unsigned int auth_sent:1; /* Authentication forwarded */
// When adding new flags, please update cloneAdaptationImmune() as needed.
fatal("Not implemented");
return NULL;
}
+
+bool
+HttpReply::inheritProperties(const HttpMsg *aMsg)
+{
+ fatal("Not implemented");
+ return false;
+}
return NULL;
}
+bool
+HttpRequest::inheritProperties(const HttpMsg *aMsg)
+{
+ fatal("Not implemented");
+ return false;
+}
+
/*
* DO NOT MODIFY:
* arch-tag: dd894aa8-63cc-4543-92d9-1079a18bee11
projects / thirdparty / squid.git / commitdiff
