client_side_request.cc
Go to the documentation of this file.
1 /*
2  * Copyright (C) 1996-2019 The Squid Software Foundation and contributors
3  *
4  * Squid software is distributed under GPLv2+ license and includes
5  * contributions from numerous individuals and organizations.
6  * Please see the COPYING and CONTRIBUTORS files for details.
7  */
8 
9 /* DEBUG: section 85 Client-side Request Routines */
10 
11 /*
12  * General logic of request processing:
13  *
14  * We run a series of tests to determine if access will be permitted, and to do
15  * any redirection. Then we call into the result clientStream to retrieve data.
16  * From that point on it's up to reply management.
17  */
18 
19 #include "squid.h"
20 #include "acl/FilledChecklist.h"
21 #include "acl/Gadgets.h"
22 #include "anyp/PortCfg.h"
23 #include "base/AsyncJobCalls.h"
24 #include "client_side.h"
25 #include "client_side_reply.h"
26 #include "client_side_request.h"
27 #include "ClientRequestContext.h"
28 #include "clientStream.h"
29 #include "comm/Connection.h"
30 #include "comm/Write.h"
31 #include "err_detail_type.h"
32 #include "errorpage.h"
33 #include "fd.h"
34 #include "fde.h"
35 #include "format/Token.h"
36 #include "gopher.h"
37 #include "helper.h"
38 #include "helper/Reply.h"
39 #include "http.h"
40 #include "http/Stream.h"
41 #include "HttpHdrCc.h"
42 #include "HttpReply.h"
43 #include "HttpRequest.h"
44 #include "ip/NfMarkConfig.h"
45 #include "ip/QosConfig.h"
46 #include "ipcache.h"
47 #include "log/access_log.h"
48 #include "MemObject.h"
49 #include "Parsing.h"
50 #include "profiler/Profiler.h"
51 #include "proxyp/Header.h"
52 #include "redirect.h"
53 #include "rfc1738.h"
54 #include "SquidConfig.h"
55 #include "SquidTime.h"
56 #include "Store.h"
57 #include "StrList.h"
58 #include "tools.h"
59 #include "wordlist.h"
60 #if USE_AUTH
61 #include "auth/UserRequest.h"
62 #endif
63 #if USE_ADAPTATION
64 #include "adaptation/AccessCheck.h"
65 #include "adaptation/Answer.h"
66 #include "adaptation/Iterator.h"
67 #include "adaptation/Service.h"
68 #if ICAP_CLIENT
70 #endif
71 #endif
72 #if USE_OPENSSL
73 #include "ssl/ServerBump.h"
74 #include "ssl/support.h"
75 #endif
76 
77 #if LINGERING_CLOSE
78 #define comm_close comm_lingering_close
79 #endif
80 
81 static const char *const crlf = "\r\n";
82 
83 #if FOLLOW_X_FORWARDED_FOR
84 static void clientFollowXForwardedForCheck(Acl::Answer answer, void *data);
85 #endif /* FOLLOW_X_FORWARDED_FOR */
86 
88 
90 
91 /* Local functions */
92 /* other */
93 static void clientAccessCheckDoneWrapper(Acl::Answer, void *);
94 #if USE_OPENSSL
95 static void sslBumpAccessCheckDoneWrapper(Acl::Answer, void *);
96 #endif
97 static int clientHierarchical(ClientHttpRequest * http);
101 static void checkNoCacheDoneWrapper(Acl::Answer, void *);
105 static void checkFailureRatio(err_type, hier_code);
106 
108 {
109  /*
110  * Release our "lock" on our parent, ClientHttpRequest, if we
111  * still have one
112  */
113 
114  if (http)
116 
117  delete error;
118  debugs(85,3, "ClientRequestContext destructed, this=" << this);
119 }
120 
122  http(cbdataReference(anHttp)),
129 #if USE_ADAPTATION
131 #endif
137 #if USE_OPENSSL
139 #endif
140  error(NULL),
142 {
143  debugs(85, 3, "ClientRequestContext constructed, this=" << this);
144 }
145 
147 
149 #if USE_ADAPTATION
150  AsyncJob("ClientHttpRequest"),
151 #endif
152  request(NULL),
153  uri(NULL),
154  log_uri(NULL),
155  req_sz(0),
156  calloutContext(NULL),
157  maxReplyBodySize_(0),
158  entry_(NULL),
159  loggingEntry_(NULL),
160  conn_(NULL)
161 #if USE_OPENSSL
162  , sslBumpNeed_(Ssl::bumpEnd)
163 #endif
164 #if USE_ADAPTATION
165  , request_satisfaction_mode(false)
166  , request_satisfaction_offset(0)
167 #endif
168 {
169  setConn(aConn);
170  al = new AccessLogEntry;
172  if (aConn) {
174  al->cache.port = aConn->port;
175  al->cache.caddr = aConn->log_addr;
177 
178 #if USE_OPENSSL
179  if (aConn->clientConnection != NULL && aConn->clientConnection->isOpen()) {
180  if (auto ssl = fd_table[aConn->clientConnection->fd].ssl.get())
181  al->cache.sslClientCert.resetWithoutLocking(SSL_get_peer_certificate(ssl));
182  }
183 #endif
184  }
186 }
187 
188 /*
189  * returns true if client specified that the object must come from the cache
190  * without contacting origin server
191  */
192 bool
194 {
195  assert(request);
196  return request->cache_control &&
198 }
199 
212 static void
214 {
215  // Can be set at compile time with -D compiler flag
216 #ifndef FAILURE_MODE_TIME
217 #define FAILURE_MODE_TIME 300
218 #endif
219 
220  if (hcode == HIER_NONE)
221  return;
222 
223  // don't bother when ICP is disabled.
224  if (Config.Port.icp <= 0)
225  return;
226 
227  static double magic_factor = 100.0;
228  double n_good;
229  double n_bad;
230 
231  n_good = magic_factor / (1.0 + request_failure_ratio);
232 
233  n_bad = magic_factor - n_good;
234 
235  switch (etype) {
236 
237  case ERR_DNS_FAIL:
238 
239  case ERR_CONNECT_FAIL:
241 
242  case ERR_READ_ERROR:
243  ++n_bad;
244  break;
245 
246  default:
247  ++n_good;
248  }
249 
250  request_failure_ratio = n_bad / n_good;
251 
253  return;
254 
255  if (request_failure_ratio < 1.0)
256  return;
257 
258  debugs(33, DBG_CRITICAL, "WARNING: Failure Ratio at "<< std::setw(4)<<
259  std::setprecision(3) << request_failure_ratio);
260 
261  debugs(33, DBG_CRITICAL, "WARNING: ICP going into HIT-only mode for " <<
262  FAILURE_MODE_TIME / 60 << " minutes...");
263 
265 
266  request_failure_ratio = 0.8; /* reset to something less than 1.0 */
267 }
268 
270 {
271  debugs(33, 3, "httpRequestFree: " << uri);
273 
274  // Even though freeResources() below may destroy the request,
275  // we no longer set request->body_pipe to NULL here
276  // because we did not initiate that pipe (ConnStateData did)
277 
278  /* the ICP check here was erroneous
279  * - StoreEntry::releaseRequest was always called if entry was valid
280  */
281 
282  logRequest();
283 
285 
286  if (request)
288 
289  freeResources();
290 
291 #if USE_ADAPTATION
293 
294  if (adaptedBodySource != NULL)
296 #endif
297 
298  if (calloutContext)
299  delete calloutContext;
300 
302 
303  if (conn_)
305 
306  /* moving to the next connection is handled by the context free */
308 
310 }
311 
321 int
322 clientBeginRequest(const HttpRequestMethod& method, char const *url, CSCB * streamcallback,
323  CSD * streamdetach, ClientStreamData streamdata, HttpHeader const *header,
324  char *tailbuf, size_t taillen, const MasterXaction::Pointer &mx)
325 {
326  size_t url_sz;
329  StoreIOBuffer tempBuffer;
330  if (http->al != NULL)
331  http->al->cache.start_time = current_time;
332  /* this is only used to adjust the connection offset in client_side.c */
333  http->req_sz = 0;
334  tempBuffer.length = taillen;
335  tempBuffer.data = tailbuf;
336  /* client stream setup */
338  clientReplyStatus, new clientReplyContext(http), streamcallback,
339  streamdetach, streamdata, tempBuffer);
340  /* make it visible in the 'current acctive requests list' */
341  /* Set flags */
342  /* internal requests only makes sense in an
343  * accelerator today. TODO: accept flags ? */
344  http->flags.accel = true;
345  /* allow size for url rewriting */
346  url_sz = strlen(url) + Config.appendDomainLen + 5;
347  http->uri = (char *)xcalloc(url_sz, 1);
348  strcpy(http->uri, url); // XXX: polluting http->uri before parser validation
349 
350  if ((request = HttpRequest::FromUrl(http->uri, mx, method)) == NULL) {
351  debugs(85, 5, "Invalid URL: " << http->uri);
352  return -1;
353  }
354 
355  /*
356  * now update the headers in request with our supplied headers.
357  * HttpRequest::FromUrl() should return a blank header set, but
358  * we use Update to be sure of correctness.
359  */
360  if (header)
361  request->header.update(header);
362 
363  /* http struct now ready */
364 
365  /*
366  * build new header list *? TODO
367  */
368  request->flags.accelerated = http->flags.accel;
369 
370  /* this is an internally created
371  * request, not subject to acceleration
372  * target overrides */
373  /*
374  * FIXME? Do we want to detect and handle internal requests of internal
375  * objects ?
376  */
377 
378  /* Internally created requests cannot have bodies today */
379  request->content_length = 0;
380 
381  request->client_addr.setNoAddr();
382 
383 #if FOLLOW_X_FORWARDED_FOR
384  request->indirect_client_addr.setNoAddr();
385 #endif /* FOLLOW_X_FORWARDED_FOR */
386 
387  request->my_addr.setNoAddr(); /* undefined for internal requests */
388 
389  request->my_addr.port(0);
390 
391  request->http_ver = Http::ProtocolVersion();
392 
393  http->initRequest(request);
394 
395  /* optional - skip the access check ? */
396  http->calloutContext = new ClientRequestContext(http);
397 
398  http->calloutContext->http_access_done = false;
399 
400  http->calloutContext->redirect_done = true;
401 
402  http->calloutContext->no_cache_done = true;
403 
404  http->doCallouts();
405 
406  return 0;
407 }
408 
409 bool
411 {
412  ClientHttpRequest *http_ = http;
413 
414  if (cbdataReferenceValid(http_))
415  return true;
416 
417  http = NULL;
418 
419  cbdataReferenceDone(http_);
420 
421  return false;
422 }
423 
424 #if FOLLOW_X_FORWARDED_FOR
425 
439 static void
441 {
443 
444  if (!calloutContext->httpStateIsValid())
445  return;
446 
447  ClientHttpRequest *http = calloutContext->http;
448  HttpRequest *request = http->request;
449 
450  if (answer.allowed() && request->x_forwarded_for_iterator.size() != 0) {
451 
452  /*
453  * Remove the last comma-delimited element from the
454  * x_forwarded_for_iterator and use it to repeat the cycle.
455  */
456  const char *p;
457  const char *asciiaddr;
458  int l;
460  p = request->x_forwarded_for_iterator.termedBuf();
461  l = request->x_forwarded_for_iterator.size();
462 
463  /*
464  * XXX x_forwarded_for_iterator should really be a list of
465  * IP addresses, but it's a String instead. We have to
466  * walk backwards through the String, biting off the last
467  * comma-delimited part each time. As long as the data is in
468  * a String, we should probably implement and use a variant of
469  * strListGetItem() that walks backwards instead of forwards
470  * through a comma-separated list. But we don't even do that;
471  * we just do the work in-line here.
472  */
473  /* skip trailing space and commas */
474  while (l > 0 && (p[l-1] == ',' || xisspace(p[l-1])))
475  --l;
476  request->x_forwarded_for_iterator.cut(l);
477  /* look for start of last item in list */
478  while (l > 0 && ! (p[l-1] == ',' || xisspace(p[l-1])))
479  --l;
480  asciiaddr = p+l;
481  if ((addr = asciiaddr)) {
482  request->indirect_client_addr = addr;
483  request->x_forwarded_for_iterator.cut(l);
486  /* override the default src_addr tested if we have to go deeper than one level into XFF */
487  Filled(calloutContext->acl_checklist)->src_addr = request->indirect_client_addr;
488  }
490  return;
491  }
492  }
493 
494  /* clean up, and pass control to clientAccessCheck */
496  /*
497  * Ensure that the access log shows the indirect client
498  * instead of the direct client.
499  */
500  http->al->cache.caddr = request->indirect_client_addr;
501  if (ConnStateData *conn = http->getConn())
502  conn->log_addr = request->indirect_client_addr;
503  }
504  request->x_forwarded_for_iterator.clean();
505  request->flags.done_follow_x_forwarded_for = true;
506 
507  if (answer.conflicted()) {
508  debugs(28, DBG_CRITICAL, "ERROR: Processing X-Forwarded-For. Stopping at IP address: " << request->indirect_client_addr );
509  }
510 
511  /* process actual access ACL as normal. */
512  calloutContext->clientAccessCheck();
513 }
514 #endif /* FOLLOW_X_FORWARDED_FOR */
515 
516 static void
518 {
519  ClientRequestContext *c = static_cast<ClientRequestContext*>(data);
520  c->hostHeaderIpVerify(ia, dns);
521 }
522 
523 void
525 {
526  Comm::ConnectionPointer clientConn = http->getConn()->clientConnection;
527 
528  // note the DNS details for the transaction stats.
529  http->request->recordLookup(dns);
530 
531  // Is the NAT destination IP in DNS?
532  if (ia && ia->have(clientConn->local)) {
533  debugs(85, 3, "validate IP " << clientConn->local << " possible from Host:");
534  http->request->flags.hostVerified = true;
535  http->doCallouts();
536  return;
537  }
538  debugs(85, 3, HERE << "FAIL: validate IP " << clientConn->local << " possible from Host:");
539  hostHeaderVerifyFailed("local IP", "any domain IP");
540 }
541 
542 void
544 {
545  // IP address validation for Host: failed. Admin wants to ignore them.
546  // NP: we do not yet handle CONNECT tunnels well, so ignore for them
547  if (!Config.onoff.hostStrictVerify && http->request->method != Http::METHOD_CONNECT) {
548  debugs(85, 3, "SECURITY ALERT: Host header forgery detected on " << http->getConn()->clientConnection <<
549  " (" << A << " does not match " << B << ") on URL: " << http->request->effectiveRequestUri());
550 
551  // NP: it is tempting to use 'flags.noCache' but that is all about READing cache data.
552  // The problems here are about WRITE for new cache content, which means flags.cachable
553  http->request->flags.cachable = false; // MUST NOT cache (for now)
554  // XXX: when we have updated the cache key to base on raw-IP + URI this cacheable limit can go.
555  http->request->flags.hierarchical = false; // MUST NOT pass to peers (for now)
556  // XXX: when we have sorted out the best way to relay requests properly to peers this hierarchical limit can go.
557  http->doCallouts();
558  return;
559  }
560 
561  debugs(85, DBG_IMPORTANT, "SECURITY ALERT: Host header forgery detected on " <<
562  http->getConn()->clientConnection << " (" << A << " does not match " << B << ")");
563  if (const char *ua = http->request->header.getStr(Http::HdrType::USER_AGENT))
564  debugs(85, DBG_IMPORTANT, "SECURITY ALERT: By user agent: " << ua);
565  debugs(85, DBG_IMPORTANT, "SECURITY ALERT: on URL: " << http->request->effectiveRequestUri());
566 
567  // IP address validation for Host: failed. reject the connection.
568  clientStreamNode *node = (clientStreamNode *)http->client_stream.tail->prev->data;
569  clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw());
570  assert (repContext);
571  repContext->setReplyToError(ERR_CONFLICT_HOST, Http::scConflict,
572  http->request->method, NULL,
573  http->getConn()->clientConnection->remote,
574  http->request,
575  NULL,
576 #if USE_AUTH
577  http->getConn() != NULL && http->getConn()->getAuth() != NULL ?
578  http->getConn()->getAuth() : http->request->auth_user_request);
579 #else
580  NULL);
581 #endif
582  node = (clientStreamNode *)http->client_stream.tail->data;
583  clientStreamRead(node, http, node->readBuffer);
584 }
585 
586 void
588 {
589  // Require a Host: header.
590  const char *host = http->request->header.getStr(Http::HdrType::HOST);
591 
592  if (!host) {
593  // TODO: dump out the HTTP/1.1 error about missing host header.
594  // otherwise this is fine, can't forge a header value when its not even set.
595  debugs(85, 3, HERE << "validate skipped with no Host: header present.");
596  http->doCallouts();
597  return;
598  }
599 
600  if (http->request->flags.internal) {
601  // TODO: kill this when URL handling allows partial URLs out of accel mode
602  // and we no longer screw with the URL just to add our internal host there
603  debugs(85, 6, HERE << "validate skipped due to internal composite URL.");
604  http->doCallouts();
605  return;
606  }
607 
608  // Locate if there is a port attached, strip ready for IP lookup
609  char *portStr = NULL;
610  char *hostB = xstrdup(host);
611  host = hostB;
612  if (host[0] == '[') {
613  // IPv6 literal.
614  portStr = strchr(hostB, ']');
615  if (portStr && *(++portStr) != ':') {
616  portStr = NULL;
617  }
618  } else {
619  // Domain or IPv4 literal with port
620  portStr = strrchr(hostB, ':');
621  }
622 
623  uint16_t port = 0;
624  if (portStr) {
625  *portStr = '\0'; // strip the ':'
626  if (*(++portStr) != '\0') {
627  char *end = NULL;
628  int64_t ret = strtoll(portStr, &end, 10);
629  if (end == portStr || *end != '\0' || ret < 1 || ret > 0xFFFF) {
630  // invalid port details. Replace the ':'
631  *(--portStr) = ':';
632  portStr = NULL;
633  } else
634  port = (ret & 0xFFFF);
635  }
636  }
637 
638  debugs(85, 3, "validate host=" << host << ", port=" << port << ", portStr=" << (portStr?portStr:"NULL"));
639  if (http->request->flags.intercepted || http->request->flags.interceptTproxy) {
640  // verify the Host: port (if any) matches the apparent destination
641  if (portStr && port != http->getConn()->clientConnection->local.port()) {
642  debugs(85, 3, "FAIL on validate port " << http->getConn()->clientConnection->local.port() <<
643  " matches Host: port " << port << " (" << portStr << ")");
644  hostHeaderVerifyFailed("intercepted port", portStr);
645  } else {
646  // XXX: match the scheme default port against the apparent destination
647 
648  // verify the destination DNS is one of the Host: headers IPs
650  }
651  } else if (!Config.onoff.hostStrictVerify) {
652  debugs(85, 3, "validate skipped.");
653  http->doCallouts();
654  } else if (strlen(host) != strlen(http->request->url.host())) {
655  // Verify forward-proxy requested URL domain matches the Host: header
656  debugs(85, 3, "FAIL on validate URL domain length " << http->request->url.host() << " matches Host: " << host);
657  hostHeaderVerifyFailed(host, http->request->url.host());
658  } else if (matchDomainName(host, http->request->url.host()) != 0) {
659  // Verify forward-proxy requested URL domain matches the Host: header
660  debugs(85, 3, "FAIL on validate URL domain " << http->request->url.host() << " matches Host: " << host);
661  hostHeaderVerifyFailed(host, http->request->url.host());
662  } else if (portStr && port != http->request->url.port()) {
663  // Verify forward-proxy requested URL domain matches the Host: header
664  debugs(85, 3, "FAIL on validate URL port " << http->request->url.port() << " matches Host: port " << portStr);
665  hostHeaderVerifyFailed("URL port", portStr);
666  } else if (!portStr && http->request->method != Http::METHOD_CONNECT && http->request->url.port() != http->request->url.getScheme().defaultPort()) {
667  // Verify forward-proxy requested URL domain matches the Host: header
668  // Special case: we don't have a default-port to check for CONNECT. Assume URL is correct.
669  debugs(85, 3, "FAIL on validate URL port " << http->request->url.port() << " matches Host: default port " << http->request->url.getScheme().defaultPort());
670  hostHeaderVerifyFailed("URL port", "default port");
671  } else {
672  // Okay no problem.
673  debugs(85, 3, "validate passed.");
674  http->request->flags.hostVerified = true;
675  http->doCallouts();
676  }
677  safe_free(hostB);
678 }
679 
680 /* This is the entry point for external users of the client_side routines */
681 void
683 {
684 #if FOLLOW_X_FORWARDED_FOR
685  if (!http->request->flags.doneFollowXff() &&
687  http->request->header.has(Http::HdrType::X_FORWARDED_FOR)) {
688 
689  /* we always trust the direct client address for actual use */
690  http->request->indirect_client_addr = http->request->client_addr;
691  http->request->indirect_client_addr.port(0);
692 
693  /* setup the XFF iterator for processing */
694  http->request->x_forwarded_for_iterator = http->request->header.getList(Http::HdrType::X_FORWARDED_FOR);
695 
696  /* begin by checking to see if we trust direct client enough to walk XFF */
697  acl_checklist = clientAclChecklistCreate(Config.accessList.followXFF, http);
698  acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, this);
699  return;
700  }
701 #endif
702 
703  if (Config.accessList.http) {
704  acl_checklist = clientAclChecklistCreate(Config.accessList.http, http);
705  acl_checklist->nonBlockingCheck(clientAccessCheckDoneWrapper, this);
706  } else {
707  debugs(0, DBG_CRITICAL, "No http_access configuration found. This will block ALL traffic");
708  clientAccessCheckDone(ACCESS_DENIED);
709  }
710 }
711 
717 void
719 {
722  acl_checklist->nonBlockingCheck(clientAccessCheckDoneWrapper, this);
723  } else {
724  debugs(85, 2, HERE << "No adapted_http_access configuration. default: ALLOW");
725  clientAccessCheckDone(ACCESS_ALLOWED);
726  }
727 }
728 
729 void
731 {
733 
734  if (!calloutContext->httpStateIsValid())
735  return;
736 
737  calloutContext->clientAccessCheckDone(answer);
738 }
739 
740 void
742 {
743  acl_checklist = NULL;
744  err_type page_id;
746  debugs(85, 2, "The request " << http->request->method << ' ' <<
747  http->uri << " is " << answer <<
748  "; last ACL checked: " << (AclMatchedName ? AclMatchedName : "[none]"));
749 
750 #if USE_AUTH
751  char const *proxy_auth_msg = "<null>";
752  if (http->getConn() != NULL && http->getConn()->getAuth() != NULL)
753  proxy_auth_msg = http->getConn()->getAuth()->denyMessage("<null>");
754  else if (http->request->auth_user_request != NULL)
755  proxy_auth_msg = http->request->auth_user_request->denyMessage("<null>");
756 #endif
757 
758  if (!answer.allowed()) {
759  // auth has a grace period where credentials can be expired but okay not to challenge.
760 
761  /* Send an auth challenge or error */
762  // XXX: do we still need aclIsProxyAuth() ?
763  bool auth_challenge = (answer == ACCESS_AUTH_REQUIRED || aclIsProxyAuth(AclMatchedName));
764  debugs(85, 5, "Access Denied: " << http->uri);
765  debugs(85, 5, "AclMatchedName = " << (AclMatchedName ? AclMatchedName : "<null>"));
766 #if USE_AUTH
767  if (auth_challenge)
768  debugs(33, 5, "Proxy Auth Message = " << (proxy_auth_msg ? proxy_auth_msg : "<null>"));
769 #endif
770 
771  /*
772  * NOTE: get page_id here, based on AclMatchedName because if
773  * USE_DELAY_POOLS is enabled, then AclMatchedName gets clobbered in
774  * the clientCreateStoreEntry() call just below. Pedro Ribeiro
775  * <pribeiro@isel.pt>
776  */
777  page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, answer != ACCESS_AUTH_REQUIRED);
778 
779  http->logType.update(LOG_TCP_DENIED);
780 
781  if (auth_challenge) {
782 #if USE_AUTH
783  if (http->request->flags.sslBumped) {
784  /*SSL Bumped request, authentication is not possible*/
785  status = Http::scForbidden;
786  } else if (!http->flags.accel) {
787  /* Proxy authorisation needed */
789  } else {
790  /* WWW authorisation needed */
791  status = Http::scUnauthorized;
792  }
793 #else
794  // need auth, but not possible to do.
795  status = Http::scForbidden;
796 #endif
797  if (page_id == ERR_NONE)
798  page_id = ERR_CACHE_ACCESS_DENIED;
799  } else {
800  status = Http::scForbidden;
801 
802  if (page_id == ERR_NONE)
803  page_id = ERR_ACCESS_DENIED;
804  }
805 
806  Ip::Address tmpnoaddr;
807  tmpnoaddr.setNoAddr();
808  error = clientBuildError(page_id, status,
809  NULL,
810  http->getConn() != NULL ? http->getConn()->clientConnection->remote : tmpnoaddr,
811  http->request, http->al
812  );
813 
814 #if USE_AUTH
815  error->auth_user_request =
816  http->getConn() != NULL && http->getConn()->getAuth() != NULL ?
817  http->getConn()->getAuth() : http->request->auth_user_request;
818 #endif
819 
820  readNextRequest = true;
821  }
822 
823  /* ACCESS_ALLOWED continues here ... */
824  xfree(http->uri);
825  http->uri = SBufToCstring(http->request->effectiveRequestUri());
826  http->doCallouts();
827 }
828 
829 #if USE_ADAPTATION
830 void
832 {
833  debugs(93,3,HERE << this << " adaptationAclCheckDone called");
834 
835 #if ICAP_CLIENT
837  if (ih != NULL) {
838  if (getConn() != NULL && getConn()->clientConnection != NULL) {
839  ih->rfc931 = getConn()->clientConnection->rfc931;
840 #if USE_OPENSSL
841  if (getConn()->clientConnection->isOpen()) {
842  ih->ssluser = sslGetUserEmail(fd_table[getConn()->clientConnection->fd].ssl.get());
843  }
844 #endif
845  }
846  ih->log_uri = log_uri;
847  ih->req_sz = req_sz;
848  }
849 #endif
850 
851  if (!g) {
852  debugs(85,3, HERE << "no adaptation needed");
853  doCallouts();
854  return;
855  }
856 
857  startAdaptation(g);
858 }
859 
860 #endif
861 
862 static void
864 {
865  ClientRequestContext *context = (ClientRequestContext *)data;
866  ClientHttpRequest *http = context->http;
867  context->acl_checklist = NULL;
868 
869  if (answer.allowed())
871  else {
872  Helper::Reply const nilReply(Helper::Error);
873  context->clientRedirectDone(nilReply);
874  }
875 }
876 
877 void
879 {
880  debugs(33, 5, HERE << "'" << http->uri << "'");
881  http->al->syncNotes(http->request);
883  acl_checklist = clientAclChecklistCreate(Config.accessList.redirector, http);
884  acl_checklist->nonBlockingCheck(clientRedirectAccessCheckDone, this);
885  } else
887 }
888 
893 static void
895 {
896  ClientRequestContext *context = static_cast<ClientRequestContext *>(data);
897  ClientHttpRequest *http = context->http;
898  context->acl_checklist = NULL;
899 
900  if (answer.allowed())
901  storeIdStart(http, clientStoreIdDoneWrapper, context);
902  else {
903  debugs(85, 3, "access denied expected ERR reply handling: " << answer);
904  Helper::Reply const nilReply(Helper::Error);
905  context->clientStoreIdDone(nilReply);
906  }
907 }
908 
914 void
916 {
917  debugs(33, 5,"'" << http->uri << "'");
918 
919  if (Config.accessList.store_id) {
920  acl_checklist = clientAclChecklistCreate(Config.accessList.store_id, http);
921  acl_checklist->nonBlockingCheck(clientStoreIdAccessCheckDone, this);
922  } else
924 }
925 
926 static int
928 {
929  HttpRequest *request = http->request;
930  HttpRequestMethod method = request->method;
931 
932  // intercepted requests MUST NOT (yet) be sent to peers unless verified
933  if (!request->flags.hostVerified && (request->flags.intercepted || request->flags.interceptTproxy))
934  return 0;
935 
936  /*
937  * IMS needs a private key, so we can use the hierarchy for IMS only if our
938  * neighbors support private keys
939  */
940 
941  if (request->flags.ims && !neighbors_do_private_keys)
942  return 0;
943 
944  /*
945  * This is incorrect: authenticating requests can be sent via a hierarchy
946  * (they can even be cached if the correct headers are set on the reply)
947  */
948  if (request->flags.auth)
949  return 0;
950 
951  if (method == Http::METHOD_TRACE)
952  return 1;
953 
954  if (method != Http::METHOD_GET)
955  return 0;
956 
957  if (request->flags.loopDetected)
958  return 0;
959 
960  if (request->url.getScheme() == AnyP::PROTO_HTTP)
961  return method.respMaybeCacheable();
962 
963  if (request->url.getScheme() == AnyP::PROTO_GOPHER)
964  return gopherCachable(request);
965 
966  if (request->url.getScheme() == AnyP::PROTO_CACHE_OBJECT)
967  return 0;
968 
969  return 1;
970 }
971 
972 static void
974 {
975  HttpRequest *request = http->request;
976  HttpHeader *req_hdr = &request->header;
977  ConnStateData *http_conn = http->getConn();
978 
979  /* Internal requests such as those from ESI includes may be without
980  * a client connection
981  */
982  if (!http_conn)
983  return;
984 
985  request->flags.connectionAuthDisabled = http_conn->port->connection_auth_disabled;
986  if (!request->flags.connectionAuthDisabled) {
987  if (Comm::IsConnOpen(http_conn->pinning.serverConnection)) {
988  if (http_conn->pinning.auth) {
989  request->flags.connectionAuth = true;
990  request->flags.auth = true;
991  } else {
992  request->flags.connectionProxyAuth = true;
993  }
994  // These should already be linked correctly.
995  assert(request->clientConnectionManager == http_conn);
996  }
997  }
998 
999  /* check if connection auth is used, and flag as candidate for pinning
1000  * in such case.
1001  * Note: we may need to set flags.connectionAuth even if the connection
1002  * is already pinned if it was pinned earlier due to proxy auth
1003  */
1004  if (!request->flags.connectionAuth) {
1007  HttpHeaderEntry *e;
1008  int may_pin = 0;
1009  while ((e = req_hdr->getEntry(&pos))) {
1011  const char *value = e->value.rawBuf();
1012  if (strncasecmp(value, "NTLM ", 5) == 0
1013  ||
1014  strncasecmp(value, "Negotiate ", 10) == 0
1015  ||
1016  strncasecmp(value, "Kerberos ", 9) == 0) {
1017  if (e->id == Http::HdrType::AUTHORIZATION) {
1018  request->flags.connectionAuth = true;
1019  may_pin = 1;
1020  } else {
1021  request->flags.connectionProxyAuth = true;
1022  may_pin = 1;
1023  }
1024  }
1025  }
1026  }
1027  if (may_pin && !request->pinnedConnection()) {
1028  // These should already be linked correctly. Just need the ServerConnection to pinn.
1029  assert(request->clientConnectionManager == http_conn);
1030  }
1031  }
1032  }
1033 }
1034 
1035 static void
1037 {
1038  HttpRequest *request = http->request;
1039  HttpHeader *req_hdr = &request->header;
1040  bool no_cache = false;
1041 
1042  request->imslen = -1;
1043  request->ims = req_hdr->getTime(Http::HdrType::IF_MODIFIED_SINCE);
1044 
1045  if (request->ims > 0)
1046  request->flags.ims = true;
1047 
1048  if (!request->flags.ignoreCc) {
1049  if (request->cache_control) {
1050  if (request->cache_control->hasNoCache())
1051  no_cache=true;
1052 
1053  // RFC 2616: treat Pragma:no-cache as if it was Cache-Control:no-cache when Cache-Control is missing
1054  } else if (req_hdr->has(Http::HdrType::PRAGMA))
1055  no_cache = req_hdr->hasListMember(Http::HdrType::PRAGMA,"no-cache",',');
1056  }
1057 
1058  if (request->method == Http::METHOD_OTHER) {
1059  no_cache=true;
1060  }
1061 
1062  if (no_cache) {
1063 #if USE_HTTP_VIOLATIONS
1064 
1066  request->flags.nocacheHack = true;
1067  else if (refresh_nocache_hack)
1068  request->flags.nocacheHack = true;
1069  else
1070 #endif
1071 
1072  request->flags.noCache = true;
1073  }
1074 
1075  /* ignore range header in non-GETs or non-HEADs */
1076  if (request->method == Http::METHOD_GET || request->method == Http::METHOD_HEAD) {
1077  // XXX: initialize if we got here without HttpRequest::parseHeader()
1078  if (!request->range)
1079  request->range = req_hdr->getRange();
1080 
1081  if (request->range) {
1082  request->flags.isRanged = true;
1084  /* XXX: This is suboptimal. We should give the stream the range set,
1085  * and thereby let the top of the stream set the offset when the
1086  * size becomes known. As it is, we will end up requesting from 0
1087  * for evey -X range specification.
1088  * RBC - this may be somewhat wrong. We should probably set the range
1089  * iter up at this point.
1090  */
1091  node->readBuffer.offset = request->range->lowestOffset(0);
1092  http->range_iter.pos = request->range->begin();
1093  http->range_iter.end = request->range->end();
1094  http->range_iter.valid = true;
1095  }
1096  }
1097 
1098  /* Only HEAD and GET requests permit a Range or Request-Range header.
1099  * If these headers appear on any other type of request, delete them now.
1100  */
1101  else {
1102  req_hdr->delById(Http::HdrType::RANGE);
1104  request->ignoreRange("neither HEAD nor GET");
1105  }
1106 
1107  if (req_hdr->has(Http::HdrType::AUTHORIZATION))
1108  request->flags.auth = true;
1109 
1110  clientCheckPinning(http);
1111 
1112  if (!request->url.userInfo().isEmpty())
1113  request->flags.auth = true;
1114 
1115  if (req_hdr->has(Http::HdrType::VIA)) {
1116  String s = req_hdr->getList(Http::HdrType::VIA);
1117  /*
1118  * ThisCache cannot be a member of Via header, "1.1 ThisCache" can.
1119  * Note ThisCache2 has a space prepended to the hostname so we don't
1120  * accidentally match super-domains.
1121  */
1122 
1123  if (strListIsSubstr(&s, ThisCache2, ',')) {
1124  request->flags.loopDetected = true;
1125  }
1126 
1127 #if USE_FORW_VIA_DB
1128  fvdbCountVia(s.termedBuf());
1129 
1130 #endif
1131 
1132  s.clean();
1133  }
1134 
1135  // headers only relevant to reverse-proxy
1136  if (request->flags.accelerated) {
1137  // check for a cdn-info member with a cdn-id matching surrogate_id
1138  // XXX: HttpHeader::hasListMember() does not handle OWS around ";" yet
1140  request->flags.loopDetected = true;
1141  }
1142 
1143  if (request->flags.loopDetected) {
1144  debugObj(33, DBG_IMPORTANT, "WARNING: Forwarding loop detected for:\n",
1145  request, (ObjPackMethod) & httpRequestPack);
1146  }
1147 
1148 #if USE_FORW_VIA_DB
1149 
1150  if (req_hdr->has(Http::HdrType::X_FORWARDED_FOR)) {
1152  fvdbCountForw(s.termedBuf());
1153  s.clean();
1154  }
1155 
1156 #endif
1157 
1158  request->flags.cachable = http->request->maybeCacheable();
1159 
1160  if (clientHierarchical(http))
1161  request->flags.hierarchical = true;
1162 
1163  debugs(85, 5, "clientInterpretRequestHeaders: REQ_NOCACHE = " <<
1164  (request->flags.noCache ? "SET" : "NOT SET"));
1165  debugs(85, 5, "clientInterpretRequestHeaders: REQ_CACHABLE = " <<
1166  (request->flags.cachable ? "SET" : "NOT SET"));
1167  debugs(85, 5, "clientInterpretRequestHeaders: REQ_HIERARCHICAL = " <<
1168  (request->flags.hierarchical ? "SET" : "NOT SET"));
1169 
1170 }
1171 
1172 void
1174 {
1176 
1177  if (!calloutContext->httpStateIsValid())
1178  return;
1179 
1180  calloutContext->clientRedirectDone(result);
1181 }
1182 
1183 void
1185 {
1187 
1188  if (!calloutContext->httpStateIsValid())
1189  return;
1190 
1191  calloutContext->clientStoreIdDone(result);
1192 }
1193 
1194 void
1196 {
1197  HttpRequest *old_request = http->request;
1198  debugs(85, 5, HERE << "'" << http->uri << "' result=" << reply);
1199  assert(redirect_state == REDIRECT_PENDING);
1200  redirect_state = REDIRECT_DONE;
1201 
1202  // Put helper response Notes into the transaction state record (ALE) eventually
1203  // do it early to ensure that no matter what the outcome the notes are present.
1204  if (http->al)
1205  http->al->syncNotes(old_request);
1206 
1207  UpdateRequestNotes(http->getConn(), *old_request, reply.notes);
1208 
1209  switch (reply.result) {
1210  case Helper::TimedOut:
1213  debugs(85, DBG_IMPORTANT, "ERROR: URL rewrite helper: Timedout");
1214  }
1215  break;
1216 
1217  case Helper::Unknown:
1218  case Helper::TT:
1219  // Handler in redirect.cc should have already mapped Unknown
1220  // IF it contained valid entry for the old URL-rewrite helper protocol
1221  debugs(85, DBG_IMPORTANT, "ERROR: URL rewrite helper returned invalid result code. Wrong helper? " << reply);
1222  break;
1223 
1224  case Helper::BrokenHelper:
1225  debugs(85, DBG_IMPORTANT, "ERROR: URL rewrite helper: " << reply);
1226  break;
1227 
1228  case Helper::Error:
1229  // no change to be done.
1230  break;
1231 
1232  case Helper::Okay: {
1233  // #1: redirect with a specific status code OK status=NNN url="..."
1234  // #2: redirect with a default status code OK url="..."
1235  // #3: re-write the URL OK rewrite-url="..."
1236 
1237  const char *statusNote = reply.notes.findFirst("status");
1238  const char *urlNote = reply.notes.findFirst("url");
1239 
1240  if (urlNote != NULL) {
1241  // HTTP protocol redirect to be done.
1242 
1243  // TODO: change default redirect status for appropriate requests
1244  // Squid defaults to 302 status for now for better compatibility with old clients.
1245  // HTTP/1.0 client should get 302 (Http::scFound)
1246  // HTTP/1.1 client contacting reverse-proxy should get 307 (Http::scTemporaryRedirect)
1247  // HTTP/1.1 client being diverted by forward-proxy should get 303 (Http::scSeeOther)
1249  if (statusNote != NULL) {
1250  const char * result = statusNote;
1251  status = static_cast<Http::StatusCode>(atoi(result));
1252  }
1253 
1254  if (status == Http::scMovedPermanently
1255  || status == Http::scFound
1256  || status == Http::scSeeOther
1257  || status == Http::scPermanentRedirect
1258  || status == Http::scTemporaryRedirect) {
1259  http->redirect.status = status;
1260  http->redirect.location = xstrdup(urlNote);
1261  // TODO: validate the URL produced here is RFC 2616 compliant absolute URI
1262  } else {
1263  debugs(85, DBG_CRITICAL, "ERROR: URL-rewrite produces invalid " << status << " redirect Location: " << urlNote);
1264  }
1265  } else {
1266  // URL-rewrite wanted. Ew.
1267  urlNote = reply.notes.findFirst("rewrite-url");
1268 
1269  // prevent broken helpers causing too much damage. If old URL == new URL skip the re-write.
1270  if (urlNote != NULL && strcmp(urlNote, http->uri)) {
1271  AnyP::Uri tmpUrl;
1272  if (tmpUrl.parse(old_request->method, urlNote)) {
1273  HttpRequest *new_request = old_request->clone();
1274  new_request->url = tmpUrl;
1275  debugs(61, 2, "URL-rewriter diverts URL from " << old_request->effectiveRequestUri() << " to " << new_request->effectiveRequestUri());
1276 
1277  // update the new request to flag the re-writing was done on it
1278  new_request->flags.redirected = true;
1279 
1280  // unlink bodypipe from the old request. Not needed there any longer.
1281  if (old_request->body_pipe != NULL) {
1282  old_request->body_pipe = NULL;
1283  debugs(61,2, HERE << "URL-rewriter diverts body_pipe " << new_request->body_pipe <<
1284  " from request " << old_request << " to " << new_request);
1285  }
1286 
1287  http->resetRequest(new_request);
1288  old_request = nullptr;
1289  } else {
1290  debugs(85, DBG_CRITICAL, "ERROR: URL-rewrite produces invalid request: " <<
1291  old_request->method << " " << urlNote << " " << old_request->http_ver);
1292  }
1293  }
1294  }
1295  }
1296  break;
1297  }
1298 
1299  /* FIXME PIPELINE: This is innacurate during pipelining */
1300 
1301  if (http->getConn() != NULL && Comm::IsConnOpen(http->getConn()->clientConnection))
1302  fd_note(http->getConn()->clientConnection->fd, http->uri);
1303 
1304  assert(http->uri);
1305 
1306  http->doCallouts();
1307 }
1308 
1312 void
1314 {
1315  HttpRequest *old_request = http->request;
1316  debugs(85, 5, "'" << http->uri << "' result=" << reply);
1317  assert(store_id_state == REDIRECT_PENDING);
1318  store_id_state = REDIRECT_DONE;
1319 
1320  // Put helper response Notes into the transaction state record (ALE) eventually
1321  // do it early to ensure that no matter what the outcome the notes are present.
1322  if (http->al)
1323  http->al->syncNotes(old_request);
1324 
1325  UpdateRequestNotes(http->getConn(), *old_request, reply.notes);
1326 
1327  switch (reply.result) {
1328  case Helper::Unknown:
1329  case Helper::TT:
1330  // Handler in redirect.cc should have already mapped Unknown
1331  // IF it contained valid entry for the old helper protocol
1332  debugs(85, DBG_IMPORTANT, "ERROR: storeID helper returned invalid result code. Wrong helper? " << reply);
1333  break;
1334 
1335  case Helper::TimedOut:
1336  // Timeouts for storeID are not implemented
1337  case Helper::BrokenHelper:
1338  debugs(85, DBG_IMPORTANT, "ERROR: storeID helper: " << reply);
1339  break;
1340 
1341  case Helper::Error:
1342  // no change to be done.
1343  break;
1344 
1345  case Helper::Okay: {
1346  const char *urlNote = reply.notes.findFirst("store-id");
1347 
1348  // prevent broken helpers causing too much damage. If old URL == new URL skip the re-write.
1349  if (urlNote != NULL && strcmp(urlNote, http->uri) ) {
1350  // Debug section required for some very specific cases.
1351  debugs(85, 9, "Setting storeID with: " << urlNote );
1352  http->request->store_id = urlNote;
1353  http->store_id = urlNote;
1354  }
1355  }
1356  break;
1357  }
1358 
1359  http->doCallouts();
1360 }
1361 
1365 void
1367 {
1368  if (Config.accessList.noCache) {
1369  acl_checklist = clientAclChecklistCreate(Config.accessList.noCache, http);
1370  acl_checklist->nonBlockingCheck(checkNoCacheDoneWrapper, this);
1371  } else {
1372  /* unless otherwise specified, we try to cache. */
1373  checkNoCacheDone(ACCESS_ALLOWED);
1374  }
1375 }
1376 
1377 static void
1379 {
1381 
1382  if (!calloutContext->httpStateIsValid())
1383  return;
1384 
1385  calloutContext->checkNoCacheDone(answer);
1386 }
1387 
1388 void
1390 {
1391  acl_checklist = NULL;
1392  if (answer.denied()) {
1393  http->request->flags.noCache = true; // do not read reply from cache
1394  http->request->flags.cachable = false; // do not store reply into cache
1395  }
1396  http->doCallouts();
1397 }
1398 
1399 #if USE_OPENSSL
1400 bool
1402 {
1403  if (!http->getConn()) {
1404  http->al->ssl.bumpMode = Ssl::bumpEnd; // SslBump does not apply; log -
1405  return false;
1406  }
1407 
1408  const Ssl::BumpMode bumpMode = http->getConn()->sslBumpMode;
1409  if (http->request->flags.forceTunnel) {
1410  debugs(85, 5, "not needed; already decided to tunnel " << http->getConn());
1411  if (bumpMode != Ssl::bumpEnd)
1412  http->al->ssl.bumpMode = bumpMode; // inherited from bumped connection
1413  return false;
1414  }
1415 
1416  // If SSL connection tunneling or bumping decision has been made, obey it.
1417  if (bumpMode != Ssl::bumpEnd) {
1418  debugs(85, 5, HERE << "SslBump already decided (" << bumpMode <<
1419  "), " << "ignoring ssl_bump for " << http->getConn());
1420 
1421  // We need the following "if" for transparently bumped TLS connection,
1422  // because in this case we are running ssl_bump access list before
1423  // the doCallouts runs. It can be removed after the bug #4340 fixed.
1424  // We do not want to proceed to bumping steps:
1425  // - if the TLS connection with the client is already established
1426  // because we are accepting normal HTTP requests on TLS port,
1427  // or because of the client-first bumping mode
1428  // - When the bumping is already started
1429  if (!http->getConn()->switchedToHttps() &&
1430  !http->getConn()->serverBump())
1431  http->sslBumpNeed(bumpMode); // for processRequest() to bump if needed and not already bumped
1432  http->al->ssl.bumpMode = bumpMode; // inherited from bumped connection
1433  return false;
1434  }
1435 
1436  // If we have not decided yet, decide whether to bump now.
1437 
1438  // Bumping here can only start with a CONNECT request on a bumping port
1439  // (bumping of intercepted SSL conns is decided before we get 1st request).
1440  // We also do not bump redirected CONNECT requests.
1441  if (http->request->method != Http::METHOD_CONNECT || http->redirect.status ||
1443  !http->getConn()->port->flags.tunnelSslBumping) {
1444  http->al->ssl.bumpMode = Ssl::bumpEnd; // SslBump does not apply; log -
1445  debugs(85, 5, HERE << "cannot SslBump this request");
1446  return false;
1447  }
1448 
1449  // Do not bump during authentication: clients would not proxy-authenticate
1450  // if we delay a 407 response and respond with 200 OK to CONNECT.
1451  if (error && error->httpStatus == Http::scProxyAuthenticationRequired) {
1452  http->al->ssl.bumpMode = Ssl::bumpEnd; // SslBump does not apply; log -
1453  debugs(85, 5, HERE << "no SslBump during proxy authentication");
1454  return false;
1455  }
1456 
1457  if (error) {
1458  debugs(85, 5, "SslBump applies. Force bump action on error " << errorTypeName(error->type));
1459  http->sslBumpNeed(Ssl::bumpBump);
1460  http->al->ssl.bumpMode = Ssl::bumpBump;
1461  return false;
1462  }
1463 
1464  debugs(85, 5, HERE << "SslBump possible, checking ACL");
1465 
1467  aclChecklist->nonBlockingCheck(sslBumpAccessCheckDoneWrapper, this);
1468  return true;
1469 }
1470 
1475 static void
1477 {
1479 
1480  if (!calloutContext->httpStateIsValid())
1481  return;
1482  calloutContext->sslBumpAccessCheckDone(answer);
1483 }
1484 
1485 void
1487 {
1488  if (!httpStateIsValid())
1489  return;
1490 
1491  const Ssl::BumpMode bumpMode = answer.allowed() ?
1492  static_cast<Ssl::BumpMode>(answer.kind) : Ssl::bumpSplice;
1493  http->sslBumpNeed(bumpMode); // for processRequest() to bump if needed
1494  http->al->ssl.bumpMode = bumpMode; // for logging
1495 
1496  if (bumpMode == Ssl::bumpTerminate) {
1497  const Comm::ConnectionPointer clientConn = http->getConn() ? http->getConn()->clientConnection : nullptr;
1498  if (Comm::IsConnOpen(clientConn)) {
1499  debugs(85, 3, "closing after Ssl::bumpTerminate ");
1500  clientConn->close();
1501  }
1502  return;
1503  }
1504 
1505  http->doCallouts();
1506 }
1507 #endif
1508 
1509 /*
1510  * Identify requests that do not go through the store and client side stream
1511  * and forward them to the appropriate location. All other requests, request
1512  * them.
1513  */
1514 void
1516 {
1517  debugs(85, 4, request->method << ' ' << uri);
1518 
1519  const bool untouchedConnect = request->method == Http::METHOD_CONNECT && !redirect.status;
1520 
1521 #if USE_OPENSSL
1522  if (untouchedConnect && sslBumpNeeded()) {
1524  sslBumpStart();
1525  return;
1526  }
1527 #endif
1528 
1529  if (untouchedConnect || request->flags.forceTunnel) {
1530  getConn()->stopReading(); // tunnels read for themselves
1531  tunnelStart(this);
1532  return;
1533  }
1534 
1535  httpStart();
1536 }
1537 
1538 void
1540 {
1542  // XXX: Re-initializes rather than updates. Should not be needed at all.
1544  debugs(85, 4, logType.c_str() << " for '" << uri << "'");
1545 
1546  /* no one should have touched this */
1547  assert(out.offset == 0);
1548  /* Use the Stream Luke */
1550  clientStreamRead(node, this, node->readBuffer);
1552 }
1553 
1554 #if USE_OPENSSL
1555 
1556 void
1558 {
1559  debugs(83, 3, HERE << "sslBump required: "<< Ssl::bumpMode(mode));
1560  sslBumpNeed_ = mode;
1561 }
1562 
1563 // called when comm_write has completed
1564 static void
1565 SslBumpEstablish(const Comm::ConnectionPointer &, char *, size_t, Comm::Flag errflag, int, void *data)
1566 {
1567  ClientHttpRequest *r = static_cast<ClientHttpRequest*>(data);
1568  debugs(85, 5, HERE << "responded to CONNECT: " << r << " ? " << errflag);
1569 
1570  assert(r && cbdataReferenceValid(r));
1571  r->sslBumpEstablish(errflag);
1572 }
1573 
1574 void
1576 {
1577  // Bail out quickly on Comm::ERR_CLOSING - close handlers will tidy up
1578  if (errflag == Comm::ERR_CLOSING)
1579  return;
1580 
1581  if (errflag) {
1582  debugs(85, 3, HERE << "CONNECT response failure in SslBump: " << errflag);
1584  return;
1585  }
1586 
1587  // We lack HttpReply which logRequest() uses to log the status code.
1588  // TODO: Use HttpReply instead of the "200 Connection established" string.
1589  al->http.code = 200;
1590 
1591 #if USE_AUTH
1592  // Preserve authentication info for the ssl-bumped request
1593  if (request->auth_user_request != NULL)
1594  getConn()->setAuth(request->auth_user_request, "SSL-bumped CONNECT");
1595 #endif
1596 
1597  assert(sslBumpNeeded());
1599 }
1600 
1601 void
1603 {
1604  debugs(85, 5, HERE << "Confirming " << Ssl::bumpMode(sslBumpNeed_) <<
1605  "-bumped CONNECT tunnel on FD " << getConn()->clientConnection);
1607 
1608  AsyncCall::Pointer bumpCall = commCbCall(85, 5, "ClientSocketContext::sslBumpEstablish",
1610 
1612  CommIoCbParams &params = GetCommParams<CommIoCbParams>(bumpCall);
1613  params.flag = Comm::OK;
1614  params.conn = getConn()->clientConnection;
1615  ScheduleCallHere(bumpCall);
1616  return;
1617  }
1618 
1619  // send an HTTP 200 response to kick client SSL negotiation
1620  // TODO: Unify with tunnel.cc and add a Server(?) header
1621  static const char *const conn_established = "HTTP/1.1 200 Connection established\r\n\r\n";
1622  Comm::Write(getConn()->clientConnection, conn_established, strlen(conn_established), bumpCall, NULL);
1623 }
1624 
1625 #endif
1626 
1627 bool
1629 {
1631  int64_t contentLength =
1633  assert(contentLength >= 0);
1634 
1635  if (out.offset < contentLength)
1636  return false;
1637 
1638  return true;
1639 }
1640 
1641 void
1643 {
1644  entry_ = newEntry;
1645 }
1646 
1647 void
1649 {
1650  if (loggingEntry_)
1651  loggingEntry_->unlock("ClientHttpRequest::loggingEntry");
1652 
1653  loggingEntry_ = newEntry;
1654 
1655  if (loggingEntry_)
1656  loggingEntry_->lock("ClientHttpRequest::loggingEntry");
1657 }
1658 
1659 void
1661 {
1662  assignRequest(aRequest);
1663  if (const auto csd = getConn()) {
1664  if (!csd->notes()->empty())
1665  request->notes()->appendNewOnly(csd->notes().getRaw());
1666  }
1667  // al is created in the constructor
1668  assert(al);
1669  if (!al->request) {
1670  al->request = request;
1672  al->syncNotes(request);
1673  }
1674 }
1675 
1676 void
1678 {
1679  assert(request != newRequest);
1680  clearRequest();
1681  assignRequest(newRequest);
1682  xfree(uri);
1684 }
1685 
1686 void
1688 {
1689  assert(newRequest);
1690  assert(!request);
1691  const_cast<HttpRequest *&>(request) = newRequest;
1694 }
1695 
1696 void
1698 {
1699  HttpRequest *oldRequest = request;
1700  HTTPMSGUNLOCK(oldRequest);
1701  const_cast<HttpRequest *&>(request) = nullptr;
1702  absorbLogUri(nullptr);
1703 }
1704 
1705 /*
1706  * doCallouts() - This function controls the order of "callout"
1707  * executions, including non-blocking access control checks, the
1708  * redirector, and ICAP. Previously, these callouts were chained
1709  * together such that "clientAccessCheckDone()" would call
1710  * "clientRedirectStart()" and so on.
1711  *
1712  * The ClientRequestContext (aka calloutContext) class holds certain
1713  * state data for the callout/callback operations. Previously
1714  * ClientHttpRequest would sort of hand off control to ClientRequestContext
1715  * for a short time. ClientRequestContext would then delete itself
1716  * and pass control back to ClientHttpRequest when all callouts
1717  * were finished.
1718  *
1719  * This caused some problems for ICAP because we want to make the
1720  * ICAP callout after checking ACLs, but before checking the no_cache
1721  * list. We can't stuff the ICAP state into the ClientRequestContext
1722  * class because we still need the ICAP state after ClientRequestContext
1723  * goes away.
1724  *
1725  * Note that ClientRequestContext is created before the first call
1726  * to doCallouts().
1727  *
1728  * If one of the callouts notices that ClientHttpRequest is no
1729  * longer valid, it should call cbdataReferenceDone() so that
1730  * ClientHttpRequest's reference count goes to zero and it will get
1731  * deleted. ClientHttpRequest will then delete ClientRequestContext.
1732  *
1733  * Note that we set the _done flags here before actually starting
1734  * the callout. This is strictly for convenience.
1735  */
1736 
1737 tos_t aclMapTOS (acl_tos * head, ACLChecklist * ch);
1739 
1740 void
1742 {
1744 
1745  if (!calloutContext->error) {
1746  // CVE-2009-0801: verify the Host: header is consistent with other known details.
1748  debugs(83, 3, HERE << "Doing calloutContext->hostHeaderVerify()");
1751  return;
1752  }
1753 
1755  debugs(83, 3, HERE << "Doing calloutContext->clientAccessCheck()");
1758  return;
1759  }
1760 
1761 #if USE_ADAPTATION
1766  request, NULL, calloutContext->http->al, this))
1767  return; // will call callback
1768  }
1769 #endif
1770 
1771  if (!calloutContext->redirect_done) {
1772  calloutContext->redirect_done = true;
1773 
1774  if (Config.Program.redirect) {
1775  debugs(83, 3, HERE << "Doing calloutContext->clientRedirectStart()");
1778  return;
1779  }
1780  }
1781 
1783  debugs(83, 3, HERE << "Doing calloutContext->clientAccessCheck2()");
1786  return;
1787  }
1788 
1789  if (!calloutContext->store_id_done) {
1790  calloutContext->store_id_done = true;
1791 
1792  if (Config.Program.store_id) {
1793  debugs(83, 3,"Doing calloutContext->clientStoreIdStart()");
1796  return;
1797  }
1798  }
1799 
1801  debugs(83, 3, HERE << "Doing clientInterpretRequestHeaders()");
1804  }
1805 
1806  if (!calloutContext->no_cache_done) {
1807  calloutContext->no_cache_done = true;
1808 
1810  debugs(83, 3, HERE << "Doing calloutContext->checkNoCache()");
1812  return;
1813  }
1814  }
1815  } // if !calloutContext->error
1816 
1817  // Set appropriate MARKs and CONNMARKs if needed.
1819  ACLFilledChecklist ch(nullptr, request, nullptr);
1820  ch.al = calloutContext->http->al;
1822  ch.my_addr = request->my_addr;
1823  ch.syncAle(request, log_uri);
1824 
1827  tos_t tos = aclMapTOS(Ip::Qos::TheConfig.tosToClient, &ch);
1828  if (tos)
1830 
1831  const auto packetMark = aclFindNfMarkConfig(Ip::Qos::TheConfig.nfmarkToClient, &ch);
1832  if (!packetMark.isEmpty())
1833  Ip::Qos::setSockNfmark(getConn()->clientConnection, packetMark.mark);
1834 
1835  const auto connmark = aclFindNfMarkConfig(Ip::Qos::TheConfig.nfConnmarkToClient, &ch);
1836  if (!connmark.isEmpty())
1838  }
1839  }
1840 
1841 #if USE_OPENSSL
1842  // Even with calloutContext->error, we call sslBumpAccessCheck() to decide
1843  // whether SslBump applies to this transaction. If it applies, we will
1844  // attempt to bump the client to serve the error.
1848  return;
1849  /* else no ssl bump required*/
1850  }
1851 #endif
1852 
1853  if (calloutContext->error) {
1854  // XXX: prformance regression. c_str() reallocates
1855  SBuf storeUriBuf(request->storeId());
1856  const char *storeUri = storeUriBuf.c_str();
1857  StoreEntry *e = storeCreateEntry(storeUri, storeUri, request->flags, request->method);
1858 #if USE_OPENSSL
1859  if (sslBumpNeeded()) {
1860  // We have to serve an error, so bump the client first.
1862  // set final error but delay sending until we bump
1863  Ssl::ServerBump *srvBump = new Ssl::ServerBump(this, e, Ssl::bumpClientFirst);
1866  getConn()->setServerBump(srvBump);
1867  e->unlock("ClientHttpRequest::doCallouts+sslBumpNeeded");
1868  } else
1869 #endif
1870  {
1871  // send the error to the client now
1873  clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw());
1874  assert (repContext);
1875  repContext->setReplyToStoreEntry(e, "immediate SslBump error");
1879  getConn()->flags.readMore = true; // resume any pipeline reads.
1881  clientStreamRead(node, this, node->readBuffer);
1882  e->unlock("ClientHttpRequest::doCallouts-sslBumpNeeded");
1883  return;
1884  }
1885  }
1886 
1888  delete calloutContext;
1889  calloutContext = NULL;
1890 #if HEADERS_LOG
1891 
1892  headersLog(0, 1, request->method, request);
1893 #endif
1894 
1895  debugs(83, 3, HERE << "calling processRequest()");
1896  processRequest();
1897 
1898 #if ICAP_CLIENT
1900  if (ih != NULL)
1901  ih->logType = logType;
1902 #endif
1903 }
1904 
1905 void
1907 {
1908  assert(request);
1909  const auto canonicalUri = request->canonicalCleanUrl();
1910  absorbLogUri(xstrndup(canonicalUri, MAX_URL));
1911 }
1912 
1913 void
1915 {
1916  assert(rawUri);
1917  // Should(!request);
1918 
1919  // TODO: SBuf() performance regression, fix by converting rawUri to SBuf
1920  char *canonicalUri = urlCanonicalCleanWithoutRequest(SBuf(rawUri), method, AnyP::UriScheme());
1921 
1922  absorbLogUri(AnyP::Uri::cleanup(canonicalUri));
1923 
1924  char *cleanedRawUri = AnyP::Uri::cleanup(rawUri);
1925  al->setVirginUrlForMissingRequest(SBuf(cleanedRawUri));
1926  xfree(cleanedRawUri);
1927 }
1928 
1929 void
1931 {
1932  xfree(log_uri);
1933  const_cast<char *&>(log_uri) = aUri;
1934 }
1935 
1936 void
1938 {
1939  assert(!uri);
1940  assert(aUri);
1941  // Should(!request);
1942 
1943  uri = xstrdup(aUri);
1944  // TODO: SBuf() performance regression, fix by converting setErrorUri() parameter to SBuf
1945  const SBuf errorUri(aUri);
1946  const auto canonicalUri = urlCanonicalCleanWithoutRequest(errorUri, HttpRequestMethod(), AnyP::UriScheme());
1947  absorbLogUri(xstrndup(canonicalUri, MAX_URL));
1948 
1949  al->setVirginUrlForMissingRequest(errorUri);
1950 }
1951 
1952 #if USE_ADAPTATION
1953 void
1956 {
1957  debugs(85, 3, HERE << "adaptation needed for " << this);
1961  new Adaptation::Iterator(request, NULL, al, g));
1962 
1963  // we could try to guess whether we can bypass this adaptation
1964  // initiation failure, but it should not really happen
1966 }
1967 
1968 void
1970 {
1971  assert(cbdataReferenceValid(this)); // indicates bug
1974 
1975  switch (answer.kind) {
1977  handleAdaptedHeader(const_cast<Http::Message*>(answer.message.getRaw()));
1978  break;
1979 
1981  handleAdaptationBlock(answer);
1982  break;
1983 
1986  break;
1987  }
1988 }
1989 
1990 void
1992 {
1993  assert(msg);
1994 
1995  if (HttpRequest *new_req = dynamic_cast<HttpRequest*>(msg)) {
1996  // update the new message to flag whether URL re-writing was done on it
1997  if (request->effectiveRequestUri() != new_req->effectiveRequestUri())
1998  new_req->flags.redirected = true;
1999  resetRequest(new_req);
2000  assert(request->method.id());
2001  } else if (HttpReply *new_rep = dynamic_cast<HttpReply*>(msg)) {
2002  debugs(85,3,HERE << "REQMOD reply is HTTP reply");
2003 
2004  // subscribe to receive reply body
2005  if (new_rep->body_pipe != NULL) {
2006  adaptedBodySource = new_rep->body_pipe;
2007  int consumer_ok = adaptedBodySource->setConsumerIfNotLate(this);
2008  assert(consumer_ok);
2009  }
2010 
2012  clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw());
2013  assert(repContext);
2014  repContext->createStoreEntry(request->method, request->flags);
2015 
2018  storeEntry()->replaceHttpReply(new_rep);
2020 
2021  if (!adaptedBodySource) // no body
2022  storeEntry()->complete();
2023  clientGetMoreData(node, this);
2024  }
2025 
2026  // we are done with getting headers (but may be receiving body)
2028 
2030  doCallouts();
2031 }
2032 
2033 void
2035 {
2037  AclMatchedName = answer.ruleId.termedBuf();
2040  AclMatchedName = NULL;
2041 }
2042 
2043 void
2045 {
2046  if (!adaptedBodySource)
2047  return;
2048 
2050 }
2051 
2052 void
2054 {
2057 
2058  if (size_t contentSize = adaptedBodySource->buf().contentSize()) {
2059  const size_t spaceAvailable = storeEntry()->bytesWanted(Range<size_t>(0,contentSize));
2060 
2061  if (spaceAvailable < contentSize ) {
2062  // No or partial body data consuming
2063  typedef NullaryMemFunT<ClientHttpRequest> Dialer;
2064  AsyncCall::Pointer call = asyncCall(93, 5, "ClientHttpRequest::resumeBodyStorage",
2065  Dialer(this, &ClientHttpRequest::resumeBodyStorage));
2066  storeEntry()->deferProducer(call);
2067  }
2068 
2069  if (!spaceAvailable)
2070  return;
2071 
2072  if (spaceAvailable < contentSize )
2073  contentSize = spaceAvailable;
2074 
2076  const StoreIOBuffer ioBuf(&bpc.buf, request_satisfaction_offset, contentSize);
2077  storeEntry()->write(ioBuf);
2078  // assume StoreEntry::write() writes the entire ioBuf
2080  bpc.buf.consume(contentSize);
2081  bpc.checkIn();
2082  }
2083 
2086  // else wait for more body data
2087 }
2088 
2089 void
2091 {
2093  // should we end request satisfaction now?
2096 }
2097 
2098 void
2100 {
2101  debugs(85,4, HERE << this << " ends request satisfaction");
2104 
2105  // TODO: anything else needed to end store entry formation correctly?
2106  storeEntry()->complete();
2107 }
2108 
2109 void
2111 {
2114 
2115  debugs(85,3, HERE << "REQMOD body production failed");
2116  if (request_satisfaction_mode) { // too late to recover or serve an error
2119  Must(Comm::IsConnOpen(c));
2120  c->close(); // drastic, but we may be writing a response already
2121  } else {
2123  }
2124 }
2125 
2126 void
2127 ClientHttpRequest::handleAdaptationFailure(int errDetail, bool bypassable)
2128 {
2129  debugs(85,3, HERE << "handleAdaptationFailure(" << bypassable << ")");
2130 
2131  const bool usedStore = storeEntry() && !storeEntry()->isEmpty();
2132  const bool usedPipe = request->body_pipe != NULL &&
2133  request->body_pipe->consumedSize() > 0;
2134 
2135  if (bypassable && !usedStore && !usedPipe) {
2136  debugs(85,3, HERE << "ICAP REQMOD callout failed, bypassing: " << calloutContext);
2137  if (calloutContext)
2138  doCallouts();
2139  return;
2140  }
2141 
2142  debugs(85,3, HERE << "ICAP REQMOD callout failed, responding with error");
2143 
2145  clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw());
2146  assert(repContext);
2147 
2148  calloutsError(ERR_ICAP_FAILURE, errDetail);
2149 
2150  if (calloutContext)
2151  doCallouts();
2152 }
2153 
2154 void
2155 ClientHttpRequest::callException(const std::exception &ex)
2156 {
2157  if (const auto clientConn = getConn() ? getConn()->clientConnection : nullptr) {
2159  debugs(85, 3, "closing after exception: " << ex.what());
2160  clientConn->close(); // initiate orderly top-to-bottom cleanup
2161  return;
2162  }
2163  }
2164  debugs(85, DBG_IMPORTANT, "ClientHttpRequest exception without connection. Ignoring " << ex.what());
2165  // XXX: Normally, we mustStop() but we cannot do that here because it is
2166  // likely to leave Http::Stream and ConnStateData with a dangling http
2167  // pointer. See r13480 or XXX in Http::Stream class description.
2168 }
2169 #endif
2170 
2171 // XXX: modify and use with ClientRequestContext::clientAccessCheckDone too.
2172 void
2174 {
2175  // The original author of the code also wanted to pass an errno to
2176  // setReplyToError, but it seems unlikely that the errno reflects the
2177  // true cause of the error at this point, so I did not pass it.
2178  if (calloutContext) {
2179  Ip::Address noAddr;
2180  noAddr.setNoAddr();
2181  ConnStateData * c = getConn();
2183  NULL,
2184  c != NULL ? c->clientConnection->remote : noAddr,
2185  request,
2186  al
2187  );
2188 #if USE_AUTH
2190  c != NULL && c->getAuth() != NULL ? c->getAuth() : request->auth_user_request;
2191 #endif
2192  calloutContext->error->detailError(errDetail);
2194  if (c != NULL)
2195  c->expectNoForwarding();
2196  }
2197  //else if(calloutContext == NULL) is it possible?
2198 }
2199 
int hasListMember(Http::HdrType id, const char *member, const char separator) const
Definition: HttpHeader.cc:1643
iterates services in ServiceGroup, starting adaptation launchers
Definition: Iterator.h:31
int delById(Http::HdrType id)
Definition: HttpHeader.cc:681
void nonBlockingCheck(ACLCB *callback, void *callback_data)
Definition: Checklist.cc:238
char const * rawBuf() const
Definition: SquidString.h:85
summarizes adaptation service answer for the noteAdaptationAnswer() API
Definition: Answer.h:22
AnyP::ProtocolVersion ProtocolVersion(unsigned int aMajor, unsigned int aMinor)
HTTP version label information.
static void clientInterpretRequestHeaders(ClientHttpRequest *http)
bool interceptTproxy
Set for requests handled by a "tproxy" port.
Definition: RequestFlags.h:66
Ssl::BumpMode sslBumpNeed() const
returns raw sslBump mode value
void redirectStart(ClientHttpRequest *http, HLPCB *handler, void *data)
Definition: redirect.cc:288
StoreEntry * loggingEntry() const
const MemBuf & buf() const
Definition: BodyPipe.h:137
err_type errType
Definition: HttpRequest.h:161
void setAuth(const Auth::UserRequest::Pointer &aur, const char *cause)
Definition: client_side.cc:502
#define fd_table
Definition: fde.h:174
ConnStateData * pinnedConnection()
Definition: HttpRequest.cc:688
CbcPointer< Initiate > initiateAdaptation(Initiate *x)
< starts freshly created initiate and returns a safe pointer to it
Definition: Initiator.cc:23
SQUIDCEXTERN CSD clientReplyDetach
ClientHttpRequest * http
struct SquidConfig::@105 Accel
HttpHdrRange * range
Definition: HttpRequest.h:143
unsigned short port() const
Definition: Address.cc:778
#define assert(EX)
Definition: assert.h:17
Ip::Address my_addr
Definition: HttpRequest.h:155
void clientStreamInit(dlink_list *list, CSR *func, CSD *rdetach, CSS *readstatus, ClientStreamData readdata, CSCB *callback, CSD *cdetach, ClientStreamData callbackdata, StoreIOBuffer tailBuffer)
String ruleId
ACL (or similar rule) name that blocked forwarding.
Definition: Answer.h:40
static void checkFailureRatio(err_type, hier_code)
bool hierarchical
Definition: RequestFlags.h:34
int neighbors_do_private_keys
#define HttpHeaderInitPos
Definition: HttpHeader.h:48
#define cbdataReferenceDone(var)
Definition: cbdata.h:350
static HLPCB clientRedirectDoneWrapper
wordlist * store_id
Definition: SquidConfig.h:195
void UpdateRequestNotes(ConnStateData *csd, HttpRequest &request, NotePairs const &helperNotes)
Definition: HttpRequest.cc:723
HttpHdrCc * cache_control
Definition: Message.h:77
int unlock(const char *context)
Definition: store.cc:463
void fd_note(int fd, const char *s)
Definition: fd.cc:246
struct ClientHttpRequest::Redirect redirect
bool loopDetected
Definition: RequestFlags.h:36
virtual void noteBodyProducerAborted(BodyPipe::Pointer)
bool timestampsSet()
Definition: store.cc:1460
Definition: SBuf.h:86
static uint32 B
Definition: md4.c:43
virtual void noteBodyProductionEnded(BodyPipe::Pointer)
#define xcalloc
Definition: membanger.c:57
#define REDIRECT_NONE
Definition: defines.h:87
Ip::Address src_addr
Comm::ConnectionPointer clientConnection
int log_uses_indirect_client
Definition: SquidConfig.h:331
acl_access * redirector
Definition: SquidConfig.h:376
void consume(mb_size_t sz)
removes sz bytes and "packs" by moving content left
Definition: MemBuf.cc:171
String getList(Http::HdrType id) const
Definition: HttpHeader.cc:828
int64_t bodySize(const HttpRequestMethod &) const
Definition: HttpReply.cc:371
ACLFilledChecklist * Filled(ACLChecklist *checklist)
convenience and safety wrapper for dynamic_cast<ACLFilledChecklist*>
HttpRequestMethod method
Definition: HttpRequest.h:114
void resetWithoutLocking(T *t)
Reset raw pointer - unlock any previous one and save new one without locking.
void setErrorUri(const char *errorUri)
void assignRequest(HttpRequest *aRequest)
#define SQUIDCEXTERN
Definition: squid.h:26
struct _request * request(char *urlin)
Definition: tcp-banger2.c:291
void error(char *format,...)
Http::MessagePointer message
HTTP request or response to forward.
Definition: Answer.h:39
#define xstrdup
ClientHttpRequest(ConnStateData *csd)
ConnStateData * getConn() const
char * xstrndup(const char *s, size_t n)
Definition: xstring.cc:56
struct timeval start_time
The time the master transaction started.
void announceInitiatorAbort(CbcPointer< Initiate > &x)
inform the transaction about abnormal termination and clear the pointer
Definition: Initiator.cc:38
#define safe_free(x)
Definition: xalloc.h:73
bool initiated(const CbcPointer< AsyncJob > &job) const
Must(initiated(initiate)) instead of Must(initiate.set()), for clarity.
Definition: Initiator.h:52
const char * bumpMode(int bm)
Definition: support.h:149
Definition: Flag.h:16
int clientBeginRequest(const HttpRequestMethod &method, char const *url, CSCB *streamcallback, CSD *streamdetach, ClientStreamData streamdata, HttpHeader const *header, char *tailbuf, size_t taillen, const MasterXaction::Pointer &mx)
AccessLogEntry::Pointer al
info for the future access.log, and external ACL
Definition: Range.h:18
static void checkNoCacheDoneWrapper(Acl::Answer, void *)
static void hostHeaderIpVerifyWrapper(const ipcache_addrs *ia, const Dns::LookupDetails &dns, void *data)
encapsulates DNS lookup results
Definition: LookupDetails.h:20
void HTTPMSGLOCK(Http::Message *a)
Definition: Message.h:160
void calloutsError(const err_type error, const int errDetail)
Build an error reply. For use with the callouts.
void handleAdaptedHeader(Http::Message *msg)
void appendNewOnly(const NotePairs *src)
Definition: Notes.cc:349
void(* ObjPackMethod)(void *obj, Packable *p)
Definition: tools.h:33
#define Must(condition)
Like assert() but throws an exception instead of aborting the process.
Definition: TextException.h:69
virtual void noteAdaptationAclCheckDone(Adaptation::ServiceGroupPointer group)
StoreEntry * storeEntry() const
Comm::ConnectionPointer tcpClient
TCP/IP level details about the client connection.
AnyP::ProtocolVersion http_ver
Definition: Message.h:73
#define xisspace(x)
Definition: xis.h:17
HttpHeaderEntry * getEntry(HttpHeaderPos *pos) const
Definition: HttpHeader.cc:598
#define DBG_CRITICAL
Definition: Debug.h:45
Auth::UserRequest::Pointer auth_user_request
Definition: errorpage.h:176
char * p
Definition: membanger.c:43
wordlist * redirect
Definition: SquidConfig.h:194
int conn
the current server connection FD
Definition: Transport.cc:26
time_t ims
Definition: HttpRequest.h:145
bool done_follow_x_forwarded_for
Definition: RequestFlags.h:99
void clientStreamRead(clientStreamNode *thisObject, ClientHttpRequest *http, StoreIOBuffer readBuffer)
bool hostVerified
Definition: RequestFlags.h:64
void SBufToCstring(char *d, const SBuf &s)
Definition: SBuf.h:741
uint64_t consumedSize() const
Definition: BodyPipe.h:111
Ip::Address log_addr
Definition: client_side.h:128
struct timeval current_time
Definition: stub_time.cc:15
static void clientFollowXForwardedForCheck(Acl::Answer answer, void *data)
void startAdaptation(const Adaptation::ServiceGroupPointer &g)
Initiate an asynchronous adaptation transaction which will call us back.
int aclIsProxyAuth(const char *name)
Definition: Gadgets.cc:72
iterator end()
const SBuf storeId()
Definition: HttpRequest.cc:696
time_t squid_curtime
Definition: stub_time.cc:17
Comm::ConnectionPointer serverConnection
Definition: client_side.h:135
void replaceHttpReply(HttpReply *, bool andStartWriting=true)
Definition: store.cc:1788
no adapted message will come; see bypassable
Definition: Answer.h:29
bool readMore
needs comm_read (for this request or new requests)
Definition: client_side.h:131
a netfilter mark/mask pair
Definition: NfMarkConfig.h:20
HttpHdrRangeIter range_iter
bool connectionAuth
Definition: RequestFlags.h:76
char * urlCanonicalCleanWithoutRequest(const SBuf &url, const HttpRequestMethod &method, const AnyP::UriScheme &scheme)
Definition: Uri.cc:551
AsyncCall * asyncCall(int aDebugSection, int aDebugLevel, const char *aName, const Dialer &aDialer)
Definition: AsyncCall.h:156
Helper::ResultCode result
The helper response &#39;result&#39; field.
Definition: Reply.h:59
virtual const char * status() const
internal cleanup; do not call directly
Definition: AsyncJob.cc:159
void complete()
Definition: store.cc:1064
unsigned char tos_t
Definition: forward.h:26
Http::HdrType id
Definition: HttpHeader.h:63
static const char *const conn_established
Definition: tunnel.cc:255
size_t appendDomainLen
Definition: SquidConfig.h:216
bool readNextRequest
whether Squid should read after error handling
const ProxyProtocol::HeaderPointer & proxyProtocolHeader() const
Definition: client_side.h:328
void fvdbCountVia(const char *key)
int gopherCachable(const HttpRequest *req)
Definition: gopher.cc:294
NotePairs::Pointer notes()
Definition: HttpRequest.cc:715
ACLFilledChecklist * clientAclChecklistCreate(const acl_access *acl, ClientHttpRequest *http)
static const char *const crlf
const SBuf & effectiveRequestUri() const
RFC 7230 section 5.5 - Effective Request URI.
Definition: HttpRequest.cc:707
bool setNfConnmark(Comm::ConnectionPointer &conn, const ConnectionDirection connDir, const NfMarkConfig &cm)
void setNoAddr()
Definition: Address.cc:292
void setVirginUrlForMissingRequest(const SBuf &vu)
Remember Client URI (or equivalent) when there is no HttpRequest.
void HLPCB(void *, const Helper::Reply &)
Definition: forward.h:27
static void clientRedirectAccessCheckDone(Acl::Answer answer, void *data)
Comm::ConnectionPointer conn
Definition: CommCalls.h:85
bool IsConnOpen(const Comm::ConnectionPointer &conn)
Definition: Connection.cc:24
bool sslBumpNeeded() const
returns true if and only if the request needs to be bumped
acl_access * followXFF
Definition: SquidConfig.h:390
void const char HLPCB void * data
Definition: stub_helper.cc:16
NotePairs notes
Definition: Reply.h:62
int64_t offset
Definition: StoreIOBuffer.h:55
LogTags logType
the processing tags associated with this request transaction.
Definition: parse.c:104
iterator begin()
StatusCode
Definition: StatusCode.h:20
int64_t content_length
Definition: Message.h:84
const char * c_str() const
compute the status access.log field
Definition: LogTags.cc:56
void setConn(ConnStateData *aConn)
int reload_into_ims
Definition: SquidConfig.h:295
struct SquidConfig::UrlHelperTimeout onUrlRewriteTimeout
#define debugs(SECTION, LEVEL, CONTENT)
Definition: Debug.h:124
#define cbdataReference(var)
Definition: cbdata.h:341
bool hasNoCache(const String **val=nullptr) const
Definition: HttpHdrCc.h:89
StoreEntry * storeCreateEntry(const char *url, const char *logUrl, const RequestFlags &flags, const HttpRequestMethod &method)
Definition: store.cc:782
void stopReading()
cancels Comm::Read() if it is scheduled
Definition: Server.cc:56
#define DBG_IMPORTANT
Definition: Debug.h:46
struct SquidConfig::@99 Port
bool allowed() const
Definition: Acl.h:143
void setLogUriToRawUri(const char *rawUri, const HttpRequestMethod &)
static void SslBumpEstablish(const Comm::ConnectionPointer &, char *, size_t, Comm::Flag errflag, int, void *data)
mb_size_t contentSize() const
available data size
Definition: MemBuf.h:47
bool parse(const HttpRequestMethod &, const char *url)
Definition: Uri.cc:225
void update(const LogTags_ot t)
Definition: LogTags.cc:44
bool connectionAuthDisabled
Definition: RequestFlags.h:78
void expectNoForwarding()
cleans up virgin request [body] forwarding state
Ip::Address client_addr
Definition: HttpRequest.h:149
void CSCB(clientStreamNode *, ClientHttpRequest *, HttpReply *, StoreIOBuffer)
client stream read callback
char * surrogate_id
Definition: SquidConfig.h:213
static void clientAccessCheckDoneWrapper(Acl::Answer, void *)
bool connectionProxyAuth
Definition: RequestFlags.h:81
void absorbLogUri(char *aUri)
assigns log_uri with aUri without copying the entire C-string
bool isEmpty() const
Definition: Store.h:60
unsigned short icp
Definition: SquidConfig.h:135
common parts of HttpRequest and HttpReply
Definition: Message.h:25
Config TheConfig
Globally available instance of Qos::Config.
Definition: QosConfig.cc:271
AnyP::Uri url
the request URI
Definition: HttpRequest.h:115
int strListIsSubstr(const String *list, const char *s, char del)
Definition: StrList.cc:54
void * addr
Definition: membanger.c:46
void handleAdaptationBlock(const Adaptation::Answer &answer)
void userInfo(const SBuf &s)
Definition: Uri.h:75
CbcPointer< ConnStateData > clientConnectionManager
Definition: HttpRequest.h:230
struct SquidConfig::@113 accessList
HttpRequest * request
char * canonicalCleanUrl() const
Definition: HttpRequest.cc:777
BodyPipe::Pointer adaptedBodySource
bool setConsumerIfNotLate(const Consumer::Pointer &aConsumer)
Definition: BodyPipe.cc:228
Ip::NfMarkConfig aclFindNfMarkConfig(acl_nfmark *head, ACLChecklist *ch)
Checks for a netfilter mark value to apply depending on the ACL.
Definition: FwdState.cc:1369
const char * c_str()
Definition: SBuf.cc:526
ClientStreamData data
Definition: clientStream.h:94
AccessLogEntry::Pointer al
access.log entry
void ipcache_nbgethostbyname(const char *name, IPH *handler, void *handlerData)
Definition: ipcache.cc:600
void resumeBodyStorage()
called by StoreEntry when it has more buffer space available
const char * AclMatchedName
Definition: Acl.cc:30
class AccessLogEntry::HttpDetails http
bool hasOnlyIfCached() const
Definition: HttpHdrCc.h:145
Http::MethodType id() const
Definition: RequestMethod.h:73
bool update(HttpHeader const *fresh)
Definition: HttpHeader.cc:283
ClientRequestContext * calloutContext
static int port
Definition: ldap_backend.cc:69
void tunnelStart(ClientHttpRequest *)
Definition: tunnel.cc:951
void sslBumpAccessCheckDone(const Acl::Answer &answer)
The callback function for ssl-bump access check list.
void setLogUriToRequestUri()
sets log_uri when we know the current request
void cut(size_type newLength)
Definition: String.cc:236
String x_forwarded_for_iterator
Definition: HttpRequest.h:188
char const * termedBuf() const
Definition: SquidString.h:91
Security::CertPointer sslClientCert
cert received from the client
struct ClientHttpRequest::Out out
static HttpRequest * FromUrl(const char *url, const MasterXaction::Pointer &, const HttpRequestMethod &method=Http::METHOD_GET)
Definition: HttpRequest.cc:543
void ignoreRange(const char *reason)
forgets about the cached Range header (for a reason)
Definition: HttpRequest.cc:648
time_t getTime(Http::HdrType id) const
Definition: HttpHeader.cc:1161
acl_access * adapted_http
Definition: SquidConfig.h:359
int kind
which custom access list verb matched
Definition: Acl.h:155
std::ostream & HERE(std::ostream &s)
Definition: Debug.h:153
class AccessLogEntry::CacheDetails cache
ssize_t HttpHeaderPos
Definition: HttpHeader.h:45
struct SquidConfig::@112 onoff
static uint32 A
Definition: md4.c:43
void handleAdaptationFailure(int errDetail, bool bypassable=false)
#define FAILURE_MODE_TIME
acl_access * noCache
Definition: SquidConfig.h:365
Flag
Definition: Flag.h:15
void clientAccessCheckDone(const Acl::Answer &answer)
virtual void syncAle(HttpRequest *adaptedRequest, const char *logUri) const
assigns uninitialized adapted_request and url ALE components
Ip::Address local
Definition: Connection.h:135
static char * cleanup(const char *uri)
Definition: Uri.cc:974
HttpHeader header
Definition: Message.h:75
bool accelerated
Definition: RequestFlags.h:58
bool final
whether the error, if any, cannot be bypassed
Definition: Answer.h:41
Ssl::BumpMode sslBumpNeed_
whether (and how) the request needs to be bumped
static void sslBumpAccessCheckDoneWrapper(Acl::Answer, void *)
AclDenyInfoList * denyInfoList
Definition: SquidConfig.h:407
struct SquidConfig::@104 Program
MemObject * memObject() const
char rfc931[USER_IDENT_SZ]
Definition: Connection.h:165
RequestFlags flags
Definition: HttpRequest.h:141
#define REDIRECT_DONE
Definition: defines.h:89
ClientRequestContext(ClientHttpRequest *)
void clearRequest()
resets the current request and log_uri to nil
bool maybeCacheable()
Definition: HttpRequest.cc:558
void setServerBump(Ssl::ServerBump *srvBump)
Definition: client_side.h:254
virtual void noteMoreBodyDataAvailable(BodyPipe::Pointer)
int has(Http::HdrType id) const
Definition: HttpHeader.cc:977
Ip::Address remote
Definition: Connection.h:138
void Comm::ConnectionPointer & clientConn
Definition: stub_tunnel.cc:19
hier_code
Definition: hier_code.h:12
Definition: Xaction.cc:47
#define ScheduleCallHere(call)
Definition: AsyncCall.h:166
void httpRequestPack(void *obj, Packable *p)
Definition: HttpRequest.cc:372
Definition: Uri.h:30
StoreEntry * loggingEntry_
int acl_uses_indirect_client
Definition: SquidConfig.h:329
void write(StoreIOBuffer)
Definition: store.cc:803
bool intercepted
Definition: RequestFlags.h:62
#define PROF_start(probename)
Definition: Profiler.h:62
StoreIOBuffer readBuffer
Definition: clientStream.h:95
bool isOpen() const
Definition: Connection.h:87
void HTTPMSGUNLOCK(M *&a)
Definition: Message.h:149
AnyP::PortCfgPointer port
Kind kind
the type of the answer
Definition: Answer.h:42
#define CBDATA_CLASS_INIT(type)
Definition: cbdata.h:318
void detailError(err_type aType, int aDetail)
sets error detail if no earlier detail was available
Definition: HttpRequest.cc:476
forward the supplied adapted HTTP message
Definition: Answer.h:27
int64_t lowestOffset(int64_t) const
struct ClientHttpRequest::Flags flags
Comm::Flag flag
comm layer result status.
Definition: CommCalls.h:87
CbcPointer< Adaptation::Initiate > virginHeadSource
double request_failure_ratio
static int clientHierarchical(ClientHttpRequest *http)
block or deny the master xaction; see authority
Definition: Answer.h:28
C * getRaw() const
Definition: RefCount.h:74
struct ConnStateData::@39 flags
size_t HttpReply *STUB StoreEntry const KeyScope scope const HttpRequestMethod & method
Definition: stub_store.cc:112
static bool Start(Method method, VectPoint vp, HttpRequest *req, HttpReply *rep, AccessLogEntry::Pointer &al, Adaptation::Initiator *initiator)
Definition: AccessCheck.cc:30
void syncNotes(HttpRequest *request)
accepted (from a client by Squid)
Definition: QosConfig.h:67
ConnStateData * conn_
void stopConsumingFrom(RefCount< BodyPipe > &)
Definition: BodyPipe.cc:118
void storeIdStart(ClientHttpRequest *http, HLPCB *handler, void *data)
Definition: redirect.cc:314
Comm::ConnectionPointer clientConnection
Definition: Server.h:97
void hostHeaderIpVerify(const ipcache_addrs *ia, const Dns::LookupDetails &dns)
Auth::UserRequest::Pointer auth_user_request
Definition: HttpRequest.h:127
const char * errorTypeName(err_type err)
Definition: err_type.h:102
int setSockNfmark(const Comm::ConnectionPointer &conn, nfmark_t mark)
Definition: QosConfig.cc:586
void errorAppendEntry(StoreEntry *entry, ErrorState *err)
Definition: errorpage.cc:711
clientStream_status_t CSS(clientStreamNode *, ClientHttpRequest *)
int hostStrictVerify
Definition: SquidConfig.h:340
BodyPipe::Pointer body_pipe
optional pipeline to receive message body
Definition: Message.h:98
CommCbFunPtrCallT< Dialer > * commCbCall(int debugSection, int debugLevel, const char *callName, const Dialer &dialer)
Definition: CommCalls.h:342
#define REDIRECT_PENDING
Definition: defines.h:88
int cbdataReferenceValid(const void *p)
Definition: cbdata.cc:412
HttpHdrRange::iterator end
void sslBumpEstablish(Comm::Flag errflag)
Ssl::BumpMode sslBumpMode
ssl_bump decision (Ssl::bumpEnd if n/a).
Definition: client_side.h:272
void clientRedirectDone(const Helper::Reply &reply)
void detailError(int dCode)
set error type-specific detail code
Definition: errorpage.h:112
virtual HttpRequest * clone() const
Definition: HttpRequest.cc:177
time_t hit_only_mode_until
virtual void noteAdaptationAnswer(const Adaptation::Answer &answer)
void deferProducer(const AsyncCall::Pointer &producer)
call back producer when more buffer space is available
Definition: store.cc:358
HttpRequest *const request
static void clientCheckPinning(ClientHttpRequest *http)
void clean()
Definition: String.cc:125
#define MAX_URL
Definition: defines.h:118
BumpMode
Definition: support.h:135
#define PROF_stop(probename)
Definition: Profiler.h:63
void initRequest(HttpRequest *)
bool exhausted() const
Definition: BodyPipe.cc:174
ACLChecklist * acl_checklist
bool denied() const
Definition: Acl.h:149
struct ConnStateData::@40 pinning
int64_t strtoll(const char *nptr, char **endptr, int base)
Definition: strtoll.c:81
bool have(const Ip::Address &ip, size_t *position=nullptr) const
Definition: ipcache.cc:974
AnyP::UriScheme const & getScheme() const
Definition: Uri.h:67
HttpHdrRange::iterator pos
void CSD(clientStreamNode *, ClientHttpRequest *)
client stream detach
void switchToHttps(ClientHttpRequest *, Ssl::BumpMode bumpServerMode)
void CSR(clientStreamNode *, ClientHttpRequest *)
client stream read
int matchDomainName(const char *h, const char *d, uint8_t flags)
Definition: Uri.cc:693
#define xfree
static void clientStoreIdAccessCheckDone(Acl::Answer answer, void *data)
SQUIDCEXTERN CSR clientGetMoreData
const Auth::UserRequest::Pointer & getAuth() const
Definition: client_side.h:115
const char * sslGetUserEmail(SSL *ssl)
Definition: support.cc:712
int setSockTos(const Comm::ConnectionPointer &conn, tos_t tos)
Definition: QosConfig.cc:558
acl_access * http
Definition: SquidConfig.h:358
HierarchyLogEntry hier
size_type size() const
Definition: SquidString.h:72
void httpRequestFree(void *data)
Definition: client_side.cc:487
bool respMaybeCacheable() const
static HLPCB clientStoreIdDoneWrapper
Ip::Address indirect_client_addr
Definition: HttpRequest.h:152
ErrorState * clientBuildError(err_type, Http::StatusCode, char const *url, Ip::Address &, HttpRequest *, const AccessLogEntry::Pointer &)
void checkNoCacheDone(const Acl::Answer &answer)
class SquidConfig Config
Definition: SquidConfig.cc:12
const char * findFirst(const char *noteKey) const
Definition: Notes.cc:265
tos_t aclMapTOS(acl_tos *head, ACLChecklist *ch)
Checks for a TOS value to apply depending on the ACL.
Definition: FwdState.cc:1357
acl_access * ssl_bump
Definition: SquidConfig.h:387
#define NULL
Definition: types.h:166
void hostHeaderVerifyFailed(const char *A, const char *B)
SQUIDCEXTERN CSS clientReplyStatus
ErrorState * error
saved error page for centralized/delayed processing
size_t bytesWanted(Range< size_t > const aRange, bool ignoreDelayPool=false) const
Definition: store.cc:229
void debugObj(int section, int level, const char *label, void *obj, ObjPackMethod pm)
Definition: tools.cc:900
ProxyProtocol::HeaderPointer proxyProtocolHeader
see ConnStateData::proxyProtocolHeader_
int refresh_nocache_hack
#define false
Definition: GnuRegex.c:233
void Write(const Comm::ConnectionPointer &conn, const char *buf, int size, AsyncCall::Pointer &callback, FREE *free_func)
Definition: Write.cc:35
void clientStoreIdDone(const Helper::Reply &reply)
err_type
Definition: err_type.h:12
Adaptation::Icap::History::Pointer icapHistory() const
Returns possibly nil history, creating it if icap logging is enabled.
Definition: HttpRequest.cc:400
err_type aclGetDenyInfoPage(AclDenyInfoList **head, const char *name, int redirect_allowed)
Definition: Gadgets.cc:41
const HttpReplyPointer & getReply() const
Definition: MemObject.h:57
HttpHdrRange * getRange() const
Definition: HttpHeader.cc:1238
bool conflicted() const
whether Squid is uncertain about the allowed() or denied() answer
Definition: Acl.h:152
MemBuf & buf
Definition: BodyPipe.h:74
bool forceTunnel
whether to forward via TunnelStateData (instead of FwdState)
Definition: RequestFlags.h:111
bool nocacheHack
Definition: RequestFlags.h:56
void resetRequest(HttpRequest *)
void fvdbCountForw(const char *key)
void clearAdaptation(CbcPointer< Initiate > &x)
clears the pointer (does not call announceInitiatorAbort)
Definition: Initiator.cc:32
char ThisCache2[RFC2181_MAXHOSTNAMELEN<< 1]
void lock(const char *context)
Definition: store.cc:439
virtual void callException(const std::exception &ex)
called when the job throws during an async call

 

Introduction

Documentation

Support

Miscellaneous

Web Site Translations

Mirrors