Fix netdb exchange with a TLS cache_peer (#307)

Squid uses http-scheme URLs when sending netdb exchange (and possibly
other) requests to a cache_peer. If a DIRECT path is selected for that
cache_peer URL, then Squid sends a clear text HTTP request to that
cache_peer. If that cache_peer expects a TLS connection, it will reject
that request (with, e.g., error:transaction-end-before-headers),
resulting in an HTTP 503 or 504 netdb fetch error.

Workaround this by adding an internalRemoteUri() parameter to indicate
whether https or http URL scheme should be used. Netdb fetches from
CachePeer::secure peers now get an https scheme and, hence, a TLS
connection.

diff --git a/src/icmp/net_db.cc b/src/icmp/net_db.cc
index afffab45f33cd54da2f532f61d1466064c808b74..db0a987915f47497709e3d7274bcb0d56a8a3164 100644 (file)
--- a/src/icmp/net_db.cc
+++ b/src/icmp/net_db.cc
@@ -1272,7 +1272,7 @@ netdbExchangeStart(void *data)
 #if USE_ICMP
     CachePeer *p = (CachePeer *)data;
     static const SBuf netDB("netdb");
-    char *uri = internalRemoteUri(p->host, p->http_port, "/squid-internal-dynamic/", netDB);
+    char *uri = internalRemoteUri(p->secure.encryptTransport, p->host, p->http_port, "/squid-internal-dynamic/", netDB);
     debugs(38, 3, "Requesting '" << uri << "'");
     const MasterXaction::Pointer mx = new MasterXaction(XactionInitiator::initIcmp);
     HttpRequestPointer req(HttpRequest::FromUrl(uri, mx));

diff --git a/src/internal.cc b/src/internal.cc
index 6ebc7a67937980cad3e68279db6de8915efcb6ac..ff7b4d635fc4ebc4af28857a19319899cce3828c 100644 (file)
--- a/src/internal.cc
+++ b/src/internal.cc
@@ -82,7 +82,7 @@ internalStaticCheck(const SBuf &urlPath)
  * makes internal url with a given host and port (remote internal url)
  */
 char *
-internalRemoteUri(const char *host, unsigned short port, const char *dir, const SBuf &name)
+internalRemoteUri(bool encrypt, const char *host, unsigned short port, const char *dir, const SBuf &name)
 {
     static char lc_host[SQUIDHOSTNAMELEN];
     assert(host && !name.isEmpty());
@@ -115,7 +115,7 @@ internalRemoteUri(const char *host, unsigned short port, const char *dir, const
     static MemBuf mb;
 
     mb.reset();
-    mb.appendf("http://" SQUIDSBUFPH, SQUIDSBUFPRINT(tmp.authority()));
+    mb.appendf("%s://" SQUIDSBUFPH, encrypt ? "https" : "http", SQUIDSBUFPRINT(tmp.authority()));
 
     if (dir)
         mb.append(dir, strlen(dir));
@@ -132,7 +132,10 @@ internalRemoteUri(const char *host, unsigned short port, const char *dir, const
 char *
 internalLocalUri(const char *dir, const SBuf &name)
 {
-    return internalRemoteUri(getMyHostname(),
+    // XXX: getMy*() may return https_port info, but we force http URIs
+    // because we have not checked whether the callers can handle https.
+    const bool secure = false;
+    return internalRemoteUri(secure, getMyHostname(),
                              getMyPort(), dir, name);
 }
 

diff --git a/src/internal.h b/src/internal.h
index c91f9acabce0747aa0d3d4e1fd7be8caa89770c7..13a43a63f563e9b8ab430285df60c776bb745c1c 100644 (file)
--- a/src/internal.h
+++ b/src/internal.h
@@ -24,7 +24,7 @@ void internalStart(const Comm::ConnectionPointer &clientConn, HttpRequest *, Sto
 bool internalCheck(const SBuf &urlPath);
 bool internalStaticCheck(const SBuf &urlPath);
 char *internalLocalUri(const char *dir, const SBuf &name);
-char *internalRemoteUri(const char *, unsigned short, const char *, const SBuf &);
+char *internalRemoteUri(bool, const char *, unsigned short, const char *, const SBuf &);
 const char *internalHostname(void);
 int internalHostnameIs(const char *);
 

diff --git a/src/peer_digest.cc b/src/peer_digest.cc
index cc5ab7e94bfd1d4513733a87738063321a512b7f..cd693deafac52737abb07b9b5cd81354b37f3612 100644 (file)
--- a/src/peer_digest.cc
+++ b/src/peer_digest.cc
@@ -323,7 +323,7 @@ peerDigestRequest(PeerDigest * pd)
     if (p->digest_url)
         url = xstrdup(p->digest_url);
     else
-        url = xstrdup(internalRemoteUri(p->host, p->http_port, "/squid-internal-periodic/", SBuf(StoreDigestFileName)));
+        url = xstrdup(internalRemoteUri(p->secure.encryptTransport, p->host, p->http_port, "/squid-internal-periodic/", SBuf(StoreDigestFileName)));
     debugs(72, 2, url);
 
     const MasterXaction::Pointer mx = new MasterXaction(XactionInitiator::initCacheDigest);