client_side_request.cc
Go to the documentation of this file.
1 /*
2  * Copyright (C) 1996-2019 The Squid Software Foundation and contributors
3  *
4  * Squid software is distributed under GPLv2+ license and includes
5  * contributions from numerous individuals and organizations.
6  * Please see the COPYING and CONTRIBUTORS files for details.
7  */
8 
9 /* DEBUG: section 85 Client-side Request Routines */
10 
11 /*
12  * General logic of request processing:
13  *
14  * We run a series of tests to determine if access will be permitted, and to do
15  * any redirection. Then we call into the result clientStream to retrieve data.
16  * From that point on it's up to reply management.
17  */
18 
19 #include "squid.h"
20 #include "acl/FilledChecklist.h"
21 #include "acl/Gadgets.h"
22 #include "anyp/PortCfg.h"
23 #include "base/AsyncJobCalls.h"
24 #include "client_side.h"
25 #include "client_side_reply.h"
26 #include "client_side_request.h"
27 #include "ClientRequestContext.h"
28 #include "clientStream.h"
29 #include "comm/Connection.h"
30 #include "comm/Write.h"
31 #include "err_detail_type.h"
32 #include "errorpage.h"
33 #include "fd.h"
34 #include "fde.h"
35 #include "format/Token.h"
36 #include "gopher.h"
37 #include "helper.h"
38 #include "helper/Reply.h"
39 #include "http.h"
40 #include "http/Stream.h"
41 #include "HttpHdrCc.h"
42 #include "HttpReply.h"
43 #include "HttpRequest.h"
44 #include "ip/NfMarkConfig.h"
45 #include "ip/QosConfig.h"
46 #include "ipcache.h"
47 #include "log/access_log.h"
48 #include "MemObject.h"
49 #include "Parsing.h"
50 #include "profiler/Profiler.h"
51 #include "proxyp/Header.h"
52 #include "redirect.h"
53 #include "rfc1738.h"
54 #include "SquidConfig.h"
55 #include "SquidTime.h"
56 #include "Store.h"
57 #include "StrList.h"
58 #include "tools.h"
59 #include "wordlist.h"
60 #if USE_AUTH
61 #include "auth/UserRequest.h"
62 #endif
63 #if USE_ADAPTATION
64 #include "adaptation/AccessCheck.h"
65 #include "adaptation/Answer.h"
66 #include "adaptation/Iterator.h"
67 #include "adaptation/Service.h"
68 #if ICAP_CLIENT
70 #endif
71 #endif
72 #if USE_OPENSSL
73 #include "ssl/ServerBump.h"
74 #include "ssl/support.h"
75 #endif
76 
77 #if LINGERING_CLOSE
78 #define comm_close comm_lingering_close
79 #endif
80 
81 static const char *const crlf = "\r\n";
82 
83 #if FOLLOW_X_FORWARDED_FOR
84 static void clientFollowXForwardedForCheck(allow_t answer, void *data);
85 #endif /* FOLLOW_X_FORWARDED_FOR */
86 
88 
90 
91 /* Local functions */
92 /* other */
93 static void clientAccessCheckDoneWrapper(allow_t, void *);
94 #if USE_OPENSSL
95 static void sslBumpAccessCheckDoneWrapper(allow_t, void *);
96 #endif
97 static int clientHierarchical(ClientHttpRequest * http);
101 static void checkNoCacheDoneWrapper(allow_t, void *);
105 static void checkFailureRatio(err_type, hier_code);
106 
108 {
109  /*
110  * Release our "lock" on our parent, ClientHttpRequest, if we
111  * still have one
112  */
113 
114  if (http)
116 
117  delete error;
118  debugs(85,3, "ClientRequestContext destructed, this=" << this);
119 }
120 
122  http(cbdataReference(anHttp)),
129 #if USE_ADAPTATION
131 #endif
137 #if USE_OPENSSL
139 #endif
140  error(NULL),
142 {
143  debugs(85, 3, "ClientRequestContext constructed, this=" << this);
144 }
145 
147 
149 #if USE_ADAPTATION
150  AsyncJob("ClientHttpRequest"),
151 #endif
152  request(NULL),
153  uri(NULL),
154  log_uri(NULL),
155  req_sz(0),
156  calloutContext(NULL),
157  maxReplyBodySize_(0),
158  entry_(NULL),
159  loggingEntry_(NULL),
160  conn_(NULL)
161 #if USE_OPENSSL
162  , sslBumpNeed_(Ssl::bumpEnd)
163 #endif
164 #if USE_ADAPTATION
165  , request_satisfaction_mode(false)
166  , request_satisfaction_offset(0)
167 #endif
168 {
169  setConn(aConn);
170  al = new AccessLogEntry;
172  if (aConn) {
174  al->cache.port = aConn->port;
175  al->cache.caddr = aConn->log_addr;
177 
178 #if USE_OPENSSL
179  if (aConn->clientConnection != NULL && aConn->clientConnection->isOpen()) {
180  if (auto ssl = fd_table[aConn->clientConnection->fd].ssl.get())
181  al->cache.sslClientCert.resetWithoutLocking(SSL_get_peer_certificate(ssl));
182  }
183 #endif
184  }
186 }
187 
188 /*
189  * returns true if client specified that the object must come from the cache
190  * without contacting origin server
191  */
192 bool
194 {
195  assert(request);
196  return request->cache_control &&
198 }
199 
212 static void
214 {
215  // Can be set at compile time with -D compiler flag
216 #ifndef FAILURE_MODE_TIME
217 #define FAILURE_MODE_TIME 300
218 #endif
219 
220  if (hcode == HIER_NONE)
221  return;
222 
223  // don't bother when ICP is disabled.
224  if (Config.Port.icp <= 0)
225  return;
226 
227  static double magic_factor = 100.0;
228  double n_good;
229  double n_bad;
230 
231  n_good = magic_factor / (1.0 + request_failure_ratio);
232 
233  n_bad = magic_factor - n_good;
234 
235  switch (etype) {
236 
237  case ERR_DNS_FAIL:
238 
239  case ERR_CONNECT_FAIL:
241 
242  case ERR_READ_ERROR:
243  ++n_bad;
244  break;
245 
246  default:
247  ++n_good;
248  }
249 
250  request_failure_ratio = n_bad / n_good;
251 
253  return;
254 
255  if (request_failure_ratio < 1.0)
256  return;
257 
258  debugs(33, DBG_CRITICAL, "WARNING: Failure Ratio at "<< std::setw(4)<<
259  std::setprecision(3) << request_failure_ratio);
260 
261  debugs(33, DBG_CRITICAL, "WARNING: ICP going into HIT-only mode for " <<
262  FAILURE_MODE_TIME / 60 << " minutes...");
263 
265 
266  request_failure_ratio = 0.8; /* reset to something less than 1.0 */
267 }
268 
270 {
271  debugs(33, 3, "httpRequestFree: " << uri);
273 
274  // Even though freeResources() below may destroy the request,
275  // we no longer set request->body_pipe to NULL here
276  // because we did not initiate that pipe (ConnStateData did)
277 
278  /* the ICP check here was erroneous
279  * - StoreEntry::releaseRequest was always called if entry was valid
280  */
281 
282  logRequest();
283 
285 
286  if (request)
288 
289  freeResources();
290 
291 #if USE_ADAPTATION
293 
294  if (adaptedBodySource != NULL)
296 #endif
297 
298  if (calloutContext)
299  delete calloutContext;
300 
302 
303  if (conn_)
305 
306  /* moving to the next connection is handled by the context free */
308 
310 }
311 
321 int
322 clientBeginRequest(const HttpRequestMethod& method, char const *url, CSCB * streamcallback,
323  CSD * streamdetach, ClientStreamData streamdata, HttpHeader const *header,
324  char *tailbuf, size_t taillen, const MasterXaction::Pointer &mx)
325 {
326  size_t url_sz;
329  StoreIOBuffer tempBuffer;
330  if (http->al != NULL)
331  http->al->cache.start_time = current_time;
332  /* this is only used to adjust the connection offset in client_side.c */
333  http->req_sz = 0;
334  tempBuffer.length = taillen;
335  tempBuffer.data = tailbuf;
336  /* client stream setup */
338  clientReplyStatus, new clientReplyContext(http), streamcallback,
339  streamdetach, streamdata, tempBuffer);
340  /* make it visible in the 'current acctive requests list' */
341  /* Set flags */
342  /* internal requests only makes sense in an
343  * accelerator today. TODO: accept flags ? */
344  http->flags.accel = true;
345  /* allow size for url rewriting */
346  url_sz = strlen(url) + Config.appendDomainLen + 5;
347  http->uri = (char *)xcalloc(url_sz, 1);
348  strcpy(http->uri, url); // XXX: polluting http->uri before parser validation
349 
350  if ((request = HttpRequest::FromUrl(http->uri, mx, method)) == NULL) {
351  debugs(85, 5, "Invalid URL: " << http->uri);
352  return -1;
353  }
354 
355  /*
356  * now update the headers in request with our supplied headers.
357  * HttpRequest::FromUrl() should return a blank header set, but
358  * we use Update to be sure of correctness.
359  */
360  if (header)
361  request->header.update(header);
362 
363  /* http struct now ready */
364 
365  /*
366  * build new header list *? TODO
367  */
368  request->flags.accelerated = http->flags.accel;
369 
370  /* this is an internally created
371  * request, not subject to acceleration
372  * target overrides */
373  /*
374  * FIXME? Do we want to detect and handle internal requests of internal
375  * objects ?
376  */
377 
378  /* Internally created requests cannot have bodies today */
379  request->content_length = 0;
380 
381  request->client_addr.setNoAddr();
382 
383 #if FOLLOW_X_FORWARDED_FOR
384  request->indirect_client_addr.setNoAddr();
385 #endif /* FOLLOW_X_FORWARDED_FOR */
386 
387  request->my_addr.setNoAddr(); /* undefined for internal requests */
388 
389  request->my_addr.port(0);
390 
391  request->http_ver = Http::ProtocolVersion();
392 
393  http->initRequest(request);
394 
395  /* optional - skip the access check ? */
396  http->calloutContext = new ClientRequestContext(http);
397 
398  http->calloutContext->http_access_done = false;
399 
400  http->calloutContext->redirect_done = true;
401 
402  http->calloutContext->no_cache_done = true;
403 
404  http->doCallouts();
405 
406  return 0;
407 }
408 
409 bool
411 {
412  ClientHttpRequest *http_ = http;
413 
414  if (cbdataReferenceValid(http_))
415  return true;
416 
417  http = NULL;
418 
419  cbdataReferenceDone(http_);
420 
421  return false;
422 }
423 
424 #if FOLLOW_X_FORWARDED_FOR
425 
439 static void
441 {
443 
444  if (!calloutContext->httpStateIsValid())
445  return;
446 
447  ClientHttpRequest *http = calloutContext->http;
448  HttpRequest *request = http->request;
449 
450  if (answer.allowed() && request->x_forwarded_for_iterator.size() != 0) {
451 
452  /*
453  * Remove the last comma-delimited element from the
454  * x_forwarded_for_iterator and use it to repeat the cycle.
455  */
456  const char *p;
457  const char *asciiaddr;
458  int l;
460  p = request->x_forwarded_for_iterator.termedBuf();
461  l = request->x_forwarded_for_iterator.size();
462 
463  /*
464  * XXX x_forwarded_for_iterator should really be a list of
465  * IP addresses, but it's a String instead. We have to
466  * walk backwards through the String, biting off the last
467  * comma-delimited part each time. As long as the data is in
468  * a String, we should probably implement and use a variant of
469  * strListGetItem() that walks backwards instead of forwards
470  * through a comma-separated list. But we don't even do that;
471  * we just do the work in-line here.
472  */
473  /* skip trailing space and commas */
474  while (l > 0 && (p[l-1] == ',' || xisspace(p[l-1])))
475  --l;
476  request->x_forwarded_for_iterator.cut(l);
477  /* look for start of last item in list */
478  while (l > 0 && ! (p[l-1] == ',' || xisspace(p[l-1])))
479  --l;
480  asciiaddr = p+l;
481  if ((addr = asciiaddr)) {
482  request->indirect_client_addr = addr;
483  request->x_forwarded_for_iterator.cut(l);
486  /* override the default src_addr tested if we have to go deeper than one level into XFF */
487  Filled(calloutContext->acl_checklist)->src_addr = request->indirect_client_addr;
488  }
490  return;
491  }
492  }
493 
494  /* clean up, and pass control to clientAccessCheck */
496  /*
497  * Ensure that the access log shows the indirect client
498  * instead of the direct client.
499  */
500  http->al->cache.caddr = request->indirect_client_addr;
501  if (ConnStateData *conn = http->getConn())
502  conn->log_addr = request->indirect_client_addr;
503  }
504  request->x_forwarded_for_iterator.clean();
505  request->flags.done_follow_x_forwarded_for = true;
506 
507  if (answer.conflicted()) {
508  debugs(28, DBG_CRITICAL, "ERROR: Processing X-Forwarded-For. Stopping at IP address: " << request->indirect_client_addr );
509  }
510 
511  /* process actual access ACL as normal. */
512  calloutContext->clientAccessCheck();
513 }
514 #endif /* FOLLOW_X_FORWARDED_FOR */
515 
516 static void
518 {
519  ClientRequestContext *c = static_cast<ClientRequestContext*>(data);
520  c->hostHeaderIpVerify(ia, dns);
521 }
522 
523 void
525 {
526  Comm::ConnectionPointer clientConn = http->getConn()->clientConnection;
527 
528  // note the DNS details for the transaction stats.
529  http->request->recordLookup(dns);
530 
531  // Is the NAT destination IP in DNS?
532  if (ia && ia->have(clientConn->local)) {
533  debugs(85, 3, "validate IP " << clientConn->local << " possible from Host:");
534  http->request->flags.hostVerified = true;
535  http->doCallouts();
536  return;
537  }
538  debugs(85, 3, HERE << "FAIL: validate IP " << clientConn->local << " possible from Host:");
539  hostHeaderVerifyFailed("local IP", "any domain IP");
540 }
541 
542 void
544 {
545  // IP address validation for Host: failed. Admin wants to ignore them.
546  // NP: we do not yet handle CONNECT tunnels well, so ignore for them
547  if (!Config.onoff.hostStrictVerify && http->request->method != Http::METHOD_CONNECT) {
548  debugs(85, 3, "SECURITY ALERT: Host header forgery detected on " << http->getConn()->clientConnection <<
549  " (" << A << " does not match " << B << ") on URL: " << http->request->effectiveRequestUri());
550 
551  // NP: it is tempting to use 'flags.noCache' but that is all about READing cache data.
552  // The problems here are about WRITE for new cache content, which means flags.cachable
553  http->request->flags.cachable = false; // MUST NOT cache (for now)
554  // XXX: when we have updated the cache key to base on raw-IP + URI this cacheable limit can go.
555  http->request->flags.hierarchical = false; // MUST NOT pass to peers (for now)
556  // XXX: when we have sorted out the best way to relay requests properly to peers this hierarchical limit can go.
557  http->doCallouts();
558  return;
559  }
560 
561  debugs(85, DBG_IMPORTANT, "SECURITY ALERT: Host header forgery detected on " <<
562  http->getConn()->clientConnection << " (" << A << " does not match " << B << ")");
563  if (const char *ua = http->request->header.getStr(Http::HdrType::USER_AGENT))
564  debugs(85, DBG_IMPORTANT, "SECURITY ALERT: By user agent: " << ua);
565  debugs(85, DBG_IMPORTANT, "SECURITY ALERT: on URL: " << http->request->effectiveRequestUri());
566 
567  // IP address validation for Host: failed. reject the connection.
568  clientStreamNode *node = (clientStreamNode *)http->client_stream.tail->prev->data;
569  clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw());
570  assert (repContext);
571  repContext->setReplyToError(ERR_CONFLICT_HOST, Http::scConflict,
572  http->request->method, NULL,
573  http->getConn()->clientConnection->remote,
574  http->request,
575  NULL,
576 #if USE_AUTH
577  http->getConn() != NULL && http->getConn()->getAuth() != NULL ?
578  http->getConn()->getAuth() : http->request->auth_user_request);
579 #else
580  NULL);
581 #endif
582  node = (clientStreamNode *)http->client_stream.tail->data;
583  clientStreamRead(node, http, node->readBuffer);
584 }
585 
586 void
588 {
589  // Require a Host: header.
590  const char *host = http->request->header.getStr(Http::HdrType::HOST);
591 
592  if (!host) {
593  // TODO: dump out the HTTP/1.1 error about missing host header.
594  // otherwise this is fine, can't forge a header value when its not even set.
595  debugs(85, 3, HERE << "validate skipped with no Host: header present.");
596  http->doCallouts();
597  return;
598  }
599 
600  if (http->request->flags.internal) {
601  // TODO: kill this when URL handling allows partial URLs out of accel mode
602  // and we no longer screw with the URL just to add our internal host there
603  debugs(85, 6, HERE << "validate skipped due to internal composite URL.");
604  http->doCallouts();
605  return;
606  }
607 
608  // Locate if there is a port attached, strip ready for IP lookup
609  char *portStr = NULL;
610  char *hostB = xstrdup(host);
611  host = hostB;
612  if (host[0] == '[') {
613  // IPv6 literal.
614  portStr = strchr(hostB, ']');
615  if (portStr && *(++portStr) != ':') {
616  portStr = NULL;
617  }
618  } else {
619  // Domain or IPv4 literal with port
620  portStr = strrchr(hostB, ':');
621  }
622 
623  uint16_t port = 0;
624  if (portStr) {
625  *portStr = '\0'; // strip the ':'
626  if (*(++portStr) != '\0') {
627  char *end = NULL;
628  int64_t ret = strtoll(portStr, &end, 10);
629  if (end == portStr || *end != '\0' || ret < 1 || ret > 0xFFFF) {
630  // invalid port details. Replace the ':'
631  *(--portStr) = ':';
632  portStr = NULL;
633  } else
634  port = (ret & 0xFFFF);
635  }
636  }
637 
638  debugs(85, 3, "validate host=" << host << ", port=" << port << ", portStr=" << (portStr?portStr:"NULL"));
639  if (http->request->flags.intercepted || http->request->flags.interceptTproxy) {
640  // verify the Host: port (if any) matches the apparent destination
641  if (portStr && port != http->getConn()->clientConnection->local.port()) {
642  debugs(85, 3, "FAIL on validate port " << http->getConn()->clientConnection->local.port() <<
643  " matches Host: port " << port << " (" << portStr << ")");
644  hostHeaderVerifyFailed("intercepted port", portStr);
645  } else {
646  // XXX: match the scheme default port against the apparent destination
647 
648  // verify the destination DNS is one of the Host: headers IPs
650  }
651  } else if (!Config.onoff.hostStrictVerify) {
652  debugs(85, 3, "validate skipped.");
653  http->doCallouts();
654  } else if (strlen(host) != strlen(http->request->url.host())) {
655  // Verify forward-proxy requested URL domain matches the Host: header
656  debugs(85, 3, "FAIL on validate URL domain length " << http->request->url.host() << " matches Host: " << host);
657  hostHeaderVerifyFailed(host, http->request->url.host());
658  } else if (matchDomainName(host, http->request->url.host()) != 0) {
659  // Verify forward-proxy requested URL domain matches the Host: header
660  debugs(85, 3, "FAIL on validate URL domain " << http->request->url.host() << " matches Host: " << host);
661  hostHeaderVerifyFailed(host, http->request->url.host());
662  } else if (portStr && port != http->request->url.port()) {
663  // Verify forward-proxy requested URL domain matches the Host: header
664  debugs(85, 3, "FAIL on validate URL port " << http->request->url.port() << " matches Host: port " << portStr);
665  hostHeaderVerifyFailed("URL port", portStr);
666  } else if (!portStr && http->request->method != Http::METHOD_CONNECT && http->request->url.port() != http->request->url.getScheme().defaultPort()) {
667  // Verify forward-proxy requested URL domain matches the Host: header
668  // Special case: we don't have a default-port to check for CONNECT. Assume URL is correct.
669  debugs(85, 3, "FAIL on validate URL port " << http->request->url.port() << " matches Host: default port " << http->request->url.getScheme().defaultPort());
670  hostHeaderVerifyFailed("URL port", "default port");
671  } else {
672  // Okay no problem.
673  debugs(85, 3, "validate passed.");
674  http->request->flags.hostVerified = true;
675  http->doCallouts();
676  }
677  safe_free(hostB);
678 }
679 
680 /* This is the entry point for external users of the client_side routines */
681 void
683 {
684 #if FOLLOW_X_FORWARDED_FOR
685  if (!http->request->flags.doneFollowXff() &&
687  http->request->header.has(Http::HdrType::X_FORWARDED_FOR)) {
688 
689  /* we always trust the direct client address for actual use */
690  http->request->indirect_client_addr = http->request->client_addr;
691  http->request->indirect_client_addr.port(0);
692 
693  /* setup the XFF iterator for processing */
694  http->request->x_forwarded_for_iterator = http->request->header.getList(Http::HdrType::X_FORWARDED_FOR);
695 
696  /* begin by checking to see if we trust direct client enough to walk XFF */
697  acl_checklist = clientAclChecklistCreate(Config.accessList.followXFF, http);
698  acl_checklist->nonBlockingCheck(clientFollowXForwardedForCheck, this);
699  return;
700  }
701 #endif
702 
703  if (Config.accessList.http) {
704  acl_checklist = clientAclChecklistCreate(Config.accessList.http, http);
705  acl_checklist->nonBlockingCheck(clientAccessCheckDoneWrapper, this);
706  } else {
707  debugs(0, DBG_CRITICAL, "No http_access configuration found. This will block ALL traffic");
708  clientAccessCheckDone(ACCESS_DENIED);
709  }
710 }
711 
717 void
719 {
722  acl_checklist->nonBlockingCheck(clientAccessCheckDoneWrapper, this);
723  } else {
724  debugs(85, 2, HERE << "No adapted_http_access configuration. default: ALLOW");
725  clientAccessCheckDone(ACCESS_ALLOWED);
726  }
727 }
728 
729 void
731 {
733 
734  if (!calloutContext->httpStateIsValid())
735  return;
736 
737  calloutContext->clientAccessCheckDone(answer);
738 }
739 
740 void
742 {
743  acl_checklist = NULL;
744  err_type page_id;
746  debugs(85, 2, "The request " << http->request->method << ' ' <<
747  http->uri << " is " << answer <<
748  "; last ACL checked: " << (AclMatchedName ? AclMatchedName : "[none]"));
749 
750 #if USE_AUTH
751  char const *proxy_auth_msg = "<null>";
752  if (http->getConn() != NULL && http->getConn()->getAuth() != NULL)
753  proxy_auth_msg = http->getConn()->getAuth()->denyMessage("<null>");
754  else if (http->request->auth_user_request != NULL)
755  proxy_auth_msg = http->request->auth_user_request->denyMessage("<null>");
756 #endif
757 
758  if (!answer.allowed()) {
759  // auth has a grace period where credentials can be expired but okay not to challenge.
760 
761  /* Send an auth challenge or error */
762  // XXX: do we still need aclIsProxyAuth() ?
763  bool auth_challenge = (answer == ACCESS_AUTH_REQUIRED || aclIsProxyAuth(AclMatchedName));
764  debugs(85, 5, "Access Denied: " << http->uri);
765  debugs(85, 5, "AclMatchedName = " << (AclMatchedName ? AclMatchedName : "<null>"));
766 #if USE_AUTH
767  if (auth_challenge)
768  debugs(33, 5, "Proxy Auth Message = " << (proxy_auth_msg ? proxy_auth_msg : "<null>"));
769 #endif
770 
771  /*
772  * NOTE: get page_id here, based on AclMatchedName because if
773  * USE_DELAY_POOLS is enabled, then AclMatchedName gets clobbered in
774  * the clientCreateStoreEntry() call just below. Pedro Ribeiro
775  * <pribeiro@isel.pt>
776  */
777  page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, answer != ACCESS_AUTH_REQUIRED);
778 
779  http->logType.update(LOG_TCP_DENIED);
780 
781  if (auth_challenge) {
782 #if USE_AUTH
783  if (http->request->flags.sslBumped) {
784  /*SSL Bumped request, authentication is not possible*/
785  status = Http::scForbidden;
786  } else if (!http->flags.accel) {
787  /* Proxy authorisation needed */
789  } else {
790  /* WWW authorisation needed */
791  status = Http::scUnauthorized;
792  }
793 #else
794  // need auth, but not possible to do.
795  status = Http::scForbidden;
796 #endif
797  if (page_id == ERR_NONE)
798  page_id = ERR_CACHE_ACCESS_DENIED;
799  } else {
800  status = Http::scForbidden;
801 
802  if (page_id == ERR_NONE)
803  page_id = ERR_ACCESS_DENIED;
804  }
805 
806  Ip::Address tmpnoaddr;
807  tmpnoaddr.setNoAddr();
808  error = clientBuildError(page_id, status,
809  NULL,
810  http->getConn() != NULL ? http->getConn()->clientConnection->remote : tmpnoaddr,
811  http->request
812  );
813 
814 #if USE_AUTH
815  error->auth_user_request =
816  http->getConn() != NULL && http->getConn()->getAuth() != NULL ?
817  http->getConn()->getAuth() : http->request->auth_user_request;
818 #endif
819 
820  readNextRequest = true;
821  }
822 
823  /* ACCESS_ALLOWED continues here ... */
824  xfree(http->uri);
825  http->uri = SBufToCstring(http->request->effectiveRequestUri());
826  http->doCallouts();
827 }
828 
829 #if USE_ADAPTATION
830 void
832 {
833  debugs(93,3,HERE << this << " adaptationAclCheckDone called");
834 
835 #if ICAP_CLIENT
837  if (ih != NULL) {
838  if (getConn() != NULL && getConn()->clientConnection != NULL) {
839  ih->rfc931 = getConn()->clientConnection->rfc931;
840 #if USE_OPENSSL
841  if (getConn()->clientConnection->isOpen()) {
842  ih->ssluser = sslGetUserEmail(fd_table[getConn()->clientConnection->fd].ssl.get());
843  }
844 #endif
845  }
846  ih->log_uri = log_uri;
847  ih->req_sz = req_sz;
848  }
849 #endif
850 
851  if (!g) {
852  debugs(85,3, HERE << "no adaptation needed");
853  doCallouts();
854  return;
855  }
856 
857  startAdaptation(g);
858 }
859 
860 #endif
861 
862 static void
864 {
865  ClientRequestContext *context = (ClientRequestContext *)data;
866  ClientHttpRequest *http = context->http;
867  context->acl_checklist = NULL;
868 
869  if (answer.allowed())
871  else {
872  Helper::Reply const nilReply(Helper::Error);
873  context->clientRedirectDone(nilReply);
874  }
875 }
876 
877 void
879 {
880  debugs(33, 5, HERE << "'" << http->uri << "'");
881  http->al->syncNotes(http->request);
883  acl_checklist = clientAclChecklistCreate(Config.accessList.redirector, http);
884  acl_checklist->nonBlockingCheck(clientRedirectAccessCheckDone, this);
885  } else
887 }
888 
893 static void
895 {
896  ClientRequestContext *context = static_cast<ClientRequestContext *>(data);
897  ClientHttpRequest *http = context->http;
898  context->acl_checklist = NULL;
899 
900  if (answer.allowed())
901  storeIdStart(http, clientStoreIdDoneWrapper, context);
902  else {
903  debugs(85, 3, "access denied expected ERR reply handling: " << answer);
904  Helper::Reply const nilReply(Helper::Error);
905  context->clientStoreIdDone(nilReply);
906  }
907 }
908 
914 void
916 {
917  debugs(33, 5,"'" << http->uri << "'");
918 
919  if (Config.accessList.store_id) {
920  acl_checklist = clientAclChecklistCreate(Config.accessList.store_id, http);
921  acl_checklist->nonBlockingCheck(clientStoreIdAccessCheckDone, this);
922  } else
924 }
925 
926 static int
928 {
929  HttpRequest *request = http->request;
930  HttpRequestMethod method = request->method;
931 
932  // intercepted requests MUST NOT (yet) be sent to peers unless verified
933  if (!request->flags.hostVerified && (request->flags.intercepted || request->flags.interceptTproxy))
934  return 0;
935 
936  /*
937  * IMS needs a private key, so we can use the hierarchy for IMS only if our
938  * neighbors support private keys
939  */
940 
941  if (request->flags.ims && !neighbors_do_private_keys)
942  return 0;
943 
944  /*
945  * This is incorrect: authenticating requests can be sent via a hierarchy
946  * (they can even be cached if the correct headers are set on the reply)
947  */
948  if (request->flags.auth)
949  return 0;
950 
951  if (method == Http::METHOD_TRACE)
952  return 1;
953 
954  if (method != Http::METHOD_GET)
955  return 0;
956 
957  if (request->flags.loopDetected)
958  return 0;
959 
960  if (request->url.getScheme() == AnyP::PROTO_HTTP)
961  return method.respMaybeCacheable();
962 
963  if (request->url.getScheme() == AnyP::PROTO_GOPHER)
964  return gopherCachable(request);
965 
966  if (request->url.getScheme() == AnyP::PROTO_CACHE_OBJECT)
967  return 0;
968 
969  return 1;
970 }
971 
972 static void
974 {
975  HttpRequest *request = http->request;
976  HttpHeader *req_hdr = &request->header;
977  ConnStateData *http_conn = http->getConn();
978 
979  /* Internal requests such as those from ESI includes may be without
980  * a client connection
981  */
982  if (!http_conn)
983  return;
984 
985  request->flags.connectionAuthDisabled = http_conn->port->connection_auth_disabled;
986  if (!request->flags.connectionAuthDisabled) {
987  if (Comm::IsConnOpen(http_conn->pinning.serverConnection)) {
988  if (http_conn->pinning.auth) {
989  request->flags.connectionAuth = true;
990  request->flags.auth = true;
991  } else {
992  request->flags.connectionProxyAuth = true;
993  }
994  // These should already be linked correctly.
995  assert(request->clientConnectionManager == http_conn);
996  }
997  }
998 
999  /* check if connection auth is used, and flag as candidate for pinning
1000  * in such case.
1001  * Note: we may need to set flags.connectionAuth even if the connection
1002  * is already pinned if it was pinned earlier due to proxy auth
1003  */
1004  if (!request->flags.connectionAuth) {
1007  HttpHeaderEntry *e;
1008  int may_pin = 0;
1009  while ((e = req_hdr->getEntry(&pos))) {
1011  const char *value = e->value.rawBuf();
1012  if (strncasecmp(value, "NTLM ", 5) == 0
1013  ||
1014  strncasecmp(value, "Negotiate ", 10) == 0
1015  ||
1016  strncasecmp(value, "Kerberos ", 9) == 0) {
1017  if (e->id == Http::HdrType::AUTHORIZATION) {
1018  request->flags.connectionAuth = true;
1019  may_pin = 1;
1020  } else {
1021  request->flags.connectionProxyAuth = true;
1022  may_pin = 1;
1023  }
1024  }
1025  }
1026  }
1027  if (may_pin && !request->pinnedConnection()) {
1028  // These should already be linked correctly. Just need the ServerConnection to pinn.
1029  assert(request->clientConnectionManager == http_conn);
1030  }
1031  }
1032  }
1033 }
1034 
1035 static void
1037 {
1038  HttpRequest *request = http->request;
1039  HttpHeader *req_hdr = &request->header;
1040  bool no_cache = false;
1041 
1042  request->imslen = -1;
1043  request->ims = req_hdr->getTime(Http::HdrType::IF_MODIFIED_SINCE);
1044 
1045  if (request->ims > 0)
1046  request->flags.ims = true;
1047 
1048  if (!request->flags.ignoreCc) {
1049  if (request->cache_control) {
1050  if (request->cache_control->hasNoCache())
1051  no_cache=true;
1052 
1053  // RFC 2616: treat Pragma:no-cache as if it was Cache-Control:no-cache when Cache-Control is missing
1054  } else if (req_hdr->has(Http::HdrType::PRAGMA))
1055  no_cache = req_hdr->hasListMember(Http::HdrType::PRAGMA,"no-cache",',');
1056  }
1057 
1058  if (request->method == Http::METHOD_OTHER) {
1059  no_cache=true;
1060  }
1061 
1062  if (no_cache) {
1063 #if USE_HTTP_VIOLATIONS
1064 
1066  request->flags.nocacheHack = true;
1067  else if (refresh_nocache_hack)
1068  request->flags.nocacheHack = true;
1069  else
1070 #endif
1071 
1072  request->flags.noCache = true;
1073  }
1074 
1075  /* ignore range header in non-GETs or non-HEADs */
1076  if (request->method == Http::METHOD_GET || request->method == Http::METHOD_HEAD) {
1077  // XXX: initialize if we got here without HttpRequest::parseHeader()
1078  if (!request->range)
1079  request->range = req_hdr->getRange();
1080 
1081  if (request->range) {
1082  request->flags.isRanged = true;
1084  /* XXX: This is suboptimal. We should give the stream the range set,
1085  * and thereby let the top of the stream set the offset when the
1086  * size becomes known. As it is, we will end up requesting from 0
1087  * for evey -X range specification.
1088  * RBC - this may be somewhat wrong. We should probably set the range
1089  * iter up at this point.
1090  */
1091  node->readBuffer.offset = request->range->lowestOffset(0);
1092  http->range_iter.pos = request->range->begin();
1093  http->range_iter.end = request->range->end();
1094  http->range_iter.valid = true;
1095  }
1096  }
1097 
1098  /* Only HEAD and GET requests permit a Range or Request-Range header.
1099  * If these headers appear on any other type of request, delete them now.
1100  */
1101  else {
1102  req_hdr->delById(Http::HdrType::RANGE);
1104  request->ignoreRange("neither HEAD nor GET");
1105  }
1106 
1107  if (req_hdr->has(Http::HdrType::AUTHORIZATION))
1108  request->flags.auth = true;
1109 
1110  clientCheckPinning(http);
1111 
1112  if (!request->url.userInfo().isEmpty())
1113  request->flags.auth = true;
1114 
1115  if (req_hdr->has(Http::HdrType::VIA)) {
1116  String s = req_hdr->getList(Http::HdrType::VIA);
1117  /*
1118  * ThisCache cannot be a member of Via header, "1.1 ThisCache" can.
1119  * Note ThisCache2 has a space prepended to the hostname so we don't
1120  * accidentally match super-domains.
1121  */
1122 
1123  if (strListIsSubstr(&s, ThisCache2, ',')) {
1124  debugObj(33, 1, "WARNING: Forwarding loop detected for:\n",
1125  request, (ObjPackMethod) & httpRequestPack);
1126  request->flags.loopDetected = true;
1127  }
1128 
1129 #if USE_FORW_VIA_DB
1130  fvdbCountVia(s.termedBuf());
1131 
1132 #endif
1133 
1134  s.clean();
1135  }
1136 
1137 #if USE_FORW_VIA_DB
1138 
1139  if (req_hdr->has(Http::HdrType::X_FORWARDED_FOR)) {
1141  fvdbCountForw(s.termedBuf());
1142  s.clean();
1143  }
1144 
1145 #endif
1146 
1147  request->flags.cachable = http->request->maybeCacheable();
1148 
1149  if (clientHierarchical(http))
1150  request->flags.hierarchical = true;
1151 
1152  debugs(85, 5, "clientInterpretRequestHeaders: REQ_NOCACHE = " <<
1153  (request->flags.noCache ? "SET" : "NOT SET"));
1154  debugs(85, 5, "clientInterpretRequestHeaders: REQ_CACHABLE = " <<
1155  (request->flags.cachable ? "SET" : "NOT SET"));
1156  debugs(85, 5, "clientInterpretRequestHeaders: REQ_HIERARCHICAL = " <<
1157  (request->flags.hierarchical ? "SET" : "NOT SET"));
1158 
1159 }
1160 
1161 void
1163 {
1165 
1166  if (!calloutContext->httpStateIsValid())
1167  return;
1168 
1169  calloutContext->clientRedirectDone(result);
1170 }
1171 
1172 void
1174 {
1176 
1177  if (!calloutContext->httpStateIsValid())
1178  return;
1179 
1180  calloutContext->clientStoreIdDone(result);
1181 }
1182 
1183 void
1185 {
1186  HttpRequest *old_request = http->request;
1187  debugs(85, 5, HERE << "'" << http->uri << "' result=" << reply);
1188  assert(redirect_state == REDIRECT_PENDING);
1189  redirect_state = REDIRECT_DONE;
1190 
1191  // Put helper response Notes into the transaction state record (ALE) eventually
1192  // do it early to ensure that no matter what the outcome the notes are present.
1193  if (http->al)
1194  http->al->syncNotes(old_request);
1195 
1196  UpdateRequestNotes(http->getConn(), *old_request, reply.notes);
1197 
1198  switch (reply.result) {
1199  case Helper::TimedOut:
1202  debugs(85, DBG_IMPORTANT, "ERROR: URL rewrite helper: Timedout");
1203  }
1204  break;
1205 
1206  case Helper::Unknown:
1207  case Helper::TT:
1208  // Handler in redirect.cc should have already mapped Unknown
1209  // IF it contained valid entry for the old URL-rewrite helper protocol
1210  debugs(85, DBG_IMPORTANT, "ERROR: URL rewrite helper returned invalid result code. Wrong helper? " << reply);
1211  break;
1212 
1213  case Helper::BrokenHelper:
1214  debugs(85, DBG_IMPORTANT, "ERROR: URL rewrite helper: " << reply);
1215  break;
1216 
1217  case Helper::Error:
1218  // no change to be done.
1219  break;
1220 
1221  case Helper::Okay: {
1222  // #1: redirect with a specific status code OK status=NNN url="..."
1223  // #2: redirect with a default status code OK url="..."
1224  // #3: re-write the URL OK rewrite-url="..."
1225 
1226  const char *statusNote = reply.notes.findFirst("status");
1227  const char *urlNote = reply.notes.findFirst("url");
1228 
1229  if (urlNote != NULL) {
1230  // HTTP protocol redirect to be done.
1231 
1232  // TODO: change default redirect status for appropriate requests
1233  // Squid defaults to 302 status for now for better compatibility with old clients.
1234  // HTTP/1.0 client should get 302 (Http::scFound)
1235  // HTTP/1.1 client contacting reverse-proxy should get 307 (Http::scTemporaryRedirect)
1236  // HTTP/1.1 client being diverted by forward-proxy should get 303 (Http::scSeeOther)
1238  if (statusNote != NULL) {
1239  const char * result = statusNote;
1240  status = static_cast<Http::StatusCode>(atoi(result));
1241  }
1242 
1243  if (status == Http::scMovedPermanently
1244  || status == Http::scFound
1245  || status == Http::scSeeOther
1246  || status == Http::scPermanentRedirect
1247  || status == Http::scTemporaryRedirect) {
1248  http->redirect.status = status;
1249  http->redirect.location = xstrdup(urlNote);
1250  // TODO: validate the URL produced here is RFC 2616 compliant absolute URI
1251  } else {
1252  debugs(85, DBG_CRITICAL, "ERROR: URL-rewrite produces invalid " << status << " redirect Location: " << urlNote);
1253  }
1254  } else {
1255  // URL-rewrite wanted. Ew.
1256  urlNote = reply.notes.findFirst("rewrite-url");
1257 
1258  // prevent broken helpers causing too much damage. If old URL == new URL skip the re-write.
1259  if (urlNote != NULL && strcmp(urlNote, http->uri)) {
1260  AnyP::Uri tmpUrl;
1261  if (tmpUrl.parse(old_request->method, urlNote)) {
1262  HttpRequest *new_request = old_request->clone();
1263  new_request->url = tmpUrl;
1264  debugs(61, 2, "URL-rewriter diverts URL from " << old_request->effectiveRequestUri() << " to " << new_request->effectiveRequestUri());
1265 
1266  // update the new request to flag the re-writing was done on it
1267  new_request->flags.redirected = true;
1268 
1269  // unlink bodypipe from the old request. Not needed there any longer.
1270  if (old_request->body_pipe != NULL) {
1271  old_request->body_pipe = NULL;
1272  debugs(61,2, HERE << "URL-rewriter diverts body_pipe " << new_request->body_pipe <<
1273  " from request " << old_request << " to " << new_request);
1274  }
1275 
1276  http->resetRequest(new_request);
1277  old_request = nullptr;
1278  } else {
1279  debugs(85, DBG_CRITICAL, "ERROR: URL-rewrite produces invalid request: " <<
1280  old_request->method << " " << urlNote << " " << old_request->http_ver);
1281  }
1282  }
1283  }
1284  }
1285  break;
1286  }
1287 
1288  /* FIXME PIPELINE: This is innacurate during pipelining */
1289 
1290  if (http->getConn() != NULL && Comm::IsConnOpen(http->getConn()->clientConnection))
1291  fd_note(http->getConn()->clientConnection->fd, http->uri);
1292 
1293  assert(http->uri);
1294 
1295  http->doCallouts();
1296 }
1297 
1301 void
1303 {
1304  HttpRequest *old_request = http->request;
1305  debugs(85, 5, "'" << http->uri << "' result=" << reply);
1306  assert(store_id_state == REDIRECT_PENDING);
1307  store_id_state = REDIRECT_DONE;
1308 
1309  // Put helper response Notes into the transaction state record (ALE) eventually
1310  // do it early to ensure that no matter what the outcome the notes are present.
1311  if (http->al)
1312  http->al->syncNotes(old_request);
1313 
1314  UpdateRequestNotes(http->getConn(), *old_request, reply.notes);
1315 
1316  switch (reply.result) {
1317  case Helper::Unknown:
1318  case Helper::TT:
1319  // Handler in redirect.cc should have already mapped Unknown
1320  // IF it contained valid entry for the old helper protocol
1321  debugs(85, DBG_IMPORTANT, "ERROR: storeID helper returned invalid result code. Wrong helper? " << reply);
1322  break;
1323 
1324  case Helper::TimedOut:
1325  // Timeouts for storeID are not implemented
1326  case Helper::BrokenHelper:
1327  debugs(85, DBG_IMPORTANT, "ERROR: storeID helper: " << reply);
1328  break;
1329 
1330  case Helper::Error:
1331  // no change to be done.
1332  break;
1333 
1334  case Helper::Okay: {
1335  const char *urlNote = reply.notes.findFirst("store-id");
1336 
1337  // prevent broken helpers causing too much damage. If old URL == new URL skip the re-write.
1338  if (urlNote != NULL && strcmp(urlNote, http->uri) ) {
1339  // Debug section required for some very specific cases.
1340  debugs(85, 9, "Setting storeID with: " << urlNote );
1341  http->request->store_id = urlNote;
1342  http->store_id = urlNote;
1343  }
1344  }
1345  break;
1346  }
1347 
1348  http->doCallouts();
1349 }
1350 
1354 void
1356 {
1357  if (Config.accessList.noCache) {
1358  acl_checklist = clientAclChecklistCreate(Config.accessList.noCache, http);
1359  acl_checklist->nonBlockingCheck(checkNoCacheDoneWrapper, this);
1360  } else {
1361  /* unless otherwise specified, we try to cache. */
1362  checkNoCacheDone(ACCESS_ALLOWED);
1363  }
1364 }
1365 
1366 static void
1368 {
1370 
1371  if (!calloutContext->httpStateIsValid())
1372  return;
1373 
1374  calloutContext->checkNoCacheDone(answer);
1375 }
1376 
1377 void
1379 {
1380  acl_checklist = NULL;
1381  if (answer.denied()) {
1382  http->request->flags.noCache = true; // do not read reply from cache
1383  http->request->flags.cachable = false; // do not store reply into cache
1384  }
1385  http->doCallouts();
1386 }
1387 
1388 #if USE_OPENSSL
1389 bool
1391 {
1392  if (!http->getConn()) {
1393  http->al->ssl.bumpMode = Ssl::bumpEnd; // SslBump does not apply; log -
1394  return false;
1395  }
1396 
1397  const Ssl::BumpMode bumpMode = http->getConn()->sslBumpMode;
1398  if (http->request->flags.forceTunnel) {
1399  debugs(85, 5, "not needed; already decided to tunnel " << http->getConn());
1400  if (bumpMode != Ssl::bumpEnd)
1401  http->al->ssl.bumpMode = bumpMode; // inherited from bumped connection
1402  return false;
1403  }
1404 
1405  // If SSL connection tunneling or bumping decision has been made, obey it.
1406  if (bumpMode != Ssl::bumpEnd) {
1407  debugs(85, 5, HERE << "SslBump already decided (" << bumpMode <<
1408  "), " << "ignoring ssl_bump for " << http->getConn());
1409 
1410  // We need the following "if" for transparently bumped TLS connection,
1411  // because in this case we are running ssl_bump access list before
1412  // the doCallouts runs. It can be removed after the bug #4340 fixed.
1413  // We do not want to proceed to bumping steps:
1414  // - if the TLS connection with the client is already established
1415  // because we are accepting normal HTTP requests on TLS port,
1416  // or because of the client-first bumping mode
1417  // - When the bumping is already started
1418  if (!http->getConn()->switchedToHttps() &&
1419  !http->getConn()->serverBump())
1420  http->sslBumpNeed(bumpMode); // for processRequest() to bump if needed and not already bumped
1421  http->al->ssl.bumpMode = bumpMode; // inherited from bumped connection
1422  return false;
1423  }
1424 
1425  // If we have not decided yet, decide whether to bump now.
1426 
1427  // Bumping here can only start with a CONNECT request on a bumping port
1428  // (bumping of intercepted SSL conns is decided before we get 1st request).
1429  // We also do not bump redirected CONNECT requests.
1430  if (http->request->method != Http::METHOD_CONNECT || http->redirect.status ||
1432  !http->getConn()->port->flags.tunnelSslBumping) {
1433  http->al->ssl.bumpMode = Ssl::bumpEnd; // SslBump does not apply; log -
1434  debugs(85, 5, HERE << "cannot SslBump this request");
1435  return false;
1436  }
1437 
1438  // Do not bump during authentication: clients would not proxy-authenticate
1439  // if we delay a 407 response and respond with 200 OK to CONNECT.
1440  if (error && error->httpStatus == Http::scProxyAuthenticationRequired) {
1441  http->al->ssl.bumpMode = Ssl::bumpEnd; // SslBump does not apply; log -
1442  debugs(85, 5, HERE << "no SslBump during proxy authentication");
1443  return false;
1444  }
1445 
1446  if (error) {
1447  debugs(85, 5, "SslBump applies. Force bump action on error " << errorTypeName(error->type));
1448  http->sslBumpNeed(Ssl::bumpBump);
1449  http->al->ssl.bumpMode = Ssl::bumpBump;
1450  return false;
1451  }
1452 
1453  debugs(85, 5, HERE << "SslBump possible, checking ACL");
1454 
1456  aclChecklist->nonBlockingCheck(sslBumpAccessCheckDoneWrapper, this);
1457  return true;
1458 }
1459 
1464 static void
1466 {
1468 
1469  if (!calloutContext->httpStateIsValid())
1470  return;
1471  calloutContext->sslBumpAccessCheckDone(answer);
1472 }
1473 
1474 void
1476 {
1477  if (!httpStateIsValid())
1478  return;
1479 
1480  const Ssl::BumpMode bumpMode = answer.allowed() ?
1481  static_cast<Ssl::BumpMode>(answer.kind) : Ssl::bumpSplice;
1482  http->sslBumpNeed(bumpMode); // for processRequest() to bump if needed
1483  http->al->ssl.bumpMode = bumpMode; // for logging
1484 
1485  if (bumpMode == Ssl::bumpTerminate) {
1486  const Comm::ConnectionPointer clientConn = http->getConn() ? http->getConn()->clientConnection : nullptr;
1487  if (Comm::IsConnOpen(clientConn)) {
1488  debugs(85, 3, "closing after Ssl::bumpTerminate ");
1489  clientConn->close();
1490  }
1491  return;
1492  }
1493 
1494  http->doCallouts();
1495 }
1496 #endif
1497 
1498 /*
1499  * Identify requests that do not go through the store and client side stream
1500  * and forward them to the appropriate location. All other requests, request
1501  * them.
1502  */
1503 void
1505 {
1506  debugs(85, 4, request->method << ' ' << uri);
1507 
1508  const bool untouchedConnect = request->method == Http::METHOD_CONNECT && !redirect.status;
1509 
1510 #if USE_OPENSSL
1511  if (untouchedConnect && sslBumpNeeded()) {
1513  sslBumpStart();
1514  return;
1515  }
1516 #endif
1517 
1518  if (untouchedConnect || request->flags.forceTunnel) {
1519  getConn()->stopReading(); // tunnels read for themselves
1520  tunnelStart(this);
1521  return;
1522  }
1523 
1524  httpStart();
1525 }
1526 
1527 void
1529 {
1531  // XXX: Re-initializes rather than updates. Should not be needed at all.
1533  debugs(85, 4, logType.c_str() << " for '" << uri << "'");
1534 
1535  /* no one should have touched this */
1536  assert(out.offset == 0);
1537  /* Use the Stream Luke */
1539  clientStreamRead(node, this, node->readBuffer);
1541 }
1542 
1543 #if USE_OPENSSL
1544 
1545 void
1547 {
1548  debugs(83, 3, HERE << "sslBump required: "<< Ssl::bumpMode(mode));
1549  sslBumpNeed_ = mode;
1550 }
1551 
1552 // called when comm_write has completed
1553 static void
1554 SslBumpEstablish(const Comm::ConnectionPointer &, char *, size_t, Comm::Flag errflag, int, void *data)
1555 {
1556  ClientHttpRequest *r = static_cast<ClientHttpRequest*>(data);
1557  debugs(85, 5, HERE << "responded to CONNECT: " << r << " ? " << errflag);
1558 
1559  assert(r && cbdataReferenceValid(r));
1560  r->sslBumpEstablish(errflag);
1561 }
1562 
1563 void
1565 {
1566  // Bail out quickly on Comm::ERR_CLOSING - close handlers will tidy up
1567  if (errflag == Comm::ERR_CLOSING)
1568  return;
1569 
1570  if (errflag) {
1571  debugs(85, 3, HERE << "CONNECT response failure in SslBump: " << errflag);
1573  return;
1574  }
1575 
1576  // We lack HttpReply which logRequest() uses to log the status code.
1577  // TODO: Use HttpReply instead of the "200 Connection established" string.
1578  al->http.code = 200;
1579 
1580 #if USE_AUTH
1581  // Preserve authentication info for the ssl-bumped request
1582  if (request->auth_user_request != NULL)
1583  getConn()->setAuth(request->auth_user_request, "SSL-bumped CONNECT");
1584 #endif
1585 
1586  assert(sslBumpNeeded());
1588 }
1589 
1590 void
1592 {
1593  debugs(85, 5, HERE << "Confirming " << Ssl::bumpMode(sslBumpNeed_) <<
1594  "-bumped CONNECT tunnel on FD " << getConn()->clientConnection);
1596 
1597  AsyncCall::Pointer bumpCall = commCbCall(85, 5, "ClientSocketContext::sslBumpEstablish",
1599 
1601  CommIoCbParams &params = GetCommParams<CommIoCbParams>(bumpCall);
1602  params.flag = Comm::OK;
1603  params.conn = getConn()->clientConnection;
1604  ScheduleCallHere(bumpCall);
1605  return;
1606  }
1607 
1608  // send an HTTP 200 response to kick client SSL negotiation
1609  // TODO: Unify with tunnel.cc and add a Server(?) header
1610  static const char *const conn_established = "HTTP/1.1 200 Connection established\r\n\r\n";
1611  Comm::Write(getConn()->clientConnection, conn_established, strlen(conn_established), bumpCall, NULL);
1612 }
1613 
1614 #endif
1615 
1616 bool
1618 {
1620  int64_t contentLength =
1622  assert(contentLength >= 0);
1623 
1624  if (out.offset < contentLength)
1625  return false;
1626 
1627  return true;
1628 }
1629 
1630 void
1632 {
1633  entry_ = newEntry;
1634 }
1635 
1636 void
1638 {
1639  if (loggingEntry_)
1640  loggingEntry_->unlock("ClientHttpRequest::loggingEntry");
1641 
1642  loggingEntry_ = newEntry;
1643 
1644  if (loggingEntry_)
1645  loggingEntry_->lock("ClientHttpRequest::loggingEntry");
1646 }
1647 
1648 void
1650 {
1651  assignRequest(aRequest);
1652  if (const auto csd = getConn()) {
1653  if (!csd->notes()->empty())
1654  request->notes()->appendNewOnly(csd->notes().getRaw());
1655  }
1656  // al is created in the constructor
1657  assert(al);
1658  if (!al->request) {
1659  al->request = request;
1661  al->syncNotes(request);
1662  }
1663 }
1664 
1665 void
1667 {
1668  assert(request != newRequest);
1669  clearRequest();
1670  assignRequest(newRequest);
1671  xfree(uri);
1673 }
1674 
1675 void
1677 {
1678  assert(newRequest);
1679  assert(!request);
1680  const_cast<HttpRequest *&>(request) = newRequest;
1683 }
1684 
1685 void
1687 {
1688  HttpRequest *oldRequest = request;
1689  HTTPMSGUNLOCK(oldRequest);
1690  const_cast<HttpRequest *&>(request) = nullptr;
1691  absorbLogUri(nullptr);
1692 }
1693 
1694 /*
1695  * doCallouts() - This function controls the order of "callout"
1696  * executions, including non-blocking access control checks, the
1697  * redirector, and ICAP. Previously, these callouts were chained
1698  * together such that "clientAccessCheckDone()" would call
1699  * "clientRedirectStart()" and so on.
1700  *
1701  * The ClientRequestContext (aka calloutContext) class holds certain
1702  * state data for the callout/callback operations. Previously
1703  * ClientHttpRequest would sort of hand off control to ClientRequestContext
1704  * for a short time. ClientRequestContext would then delete itself
1705  * and pass control back to ClientHttpRequest when all callouts
1706  * were finished.
1707  *
1708  * This caused some problems for ICAP because we want to make the
1709  * ICAP callout after checking ACLs, but before checking the no_cache
1710  * list. We can't stuff the ICAP state into the ClientRequestContext
1711  * class because we still need the ICAP state after ClientRequestContext
1712  * goes away.
1713  *
1714  * Note that ClientRequestContext is created before the first call
1715  * to doCallouts().
1716  *
1717  * If one of the callouts notices that ClientHttpRequest is no
1718  * longer valid, it should call cbdataReferenceDone() so that
1719  * ClientHttpRequest's reference count goes to zero and it will get
1720  * deleted. ClientHttpRequest will then delete ClientRequestContext.
1721  *
1722  * Note that we set the _done flags here before actually starting
1723  * the callout. This is strictly for convenience.
1724  */
1725 
1726 tos_t aclMapTOS (acl_tos * head, ACLChecklist * ch);
1728 
1729 void
1731 {
1733 
1734  if (!calloutContext->error) {
1735  // CVE-2009-0801: verify the Host: header is consistent with other known details.
1737  debugs(83, 3, HERE << "Doing calloutContext->hostHeaderVerify()");
1740  return;
1741  }
1742 
1744  debugs(83, 3, HERE << "Doing calloutContext->clientAccessCheck()");
1747  return;
1748  }
1749 
1750 #if USE_ADAPTATION
1755  request, NULL, calloutContext->http->al, this))
1756  return; // will call callback
1757  }
1758 #endif
1759 
1760  if (!calloutContext->redirect_done) {
1761  calloutContext->redirect_done = true;
1762 
1763  if (Config.Program.redirect) {
1764  debugs(83, 3, HERE << "Doing calloutContext->clientRedirectStart()");
1767  return;
1768  }
1769  }
1770 
1772  debugs(83, 3, HERE << "Doing calloutContext->clientAccessCheck2()");
1775  return;
1776  }
1777 
1778  if (!calloutContext->store_id_done) {
1779  calloutContext->store_id_done = true;
1780 
1781  if (Config.Program.store_id) {
1782  debugs(83, 3,"Doing calloutContext->clientStoreIdStart()");
1785  return;
1786  }
1787  }
1788 
1790  debugs(83, 3, HERE << "Doing clientInterpretRequestHeaders()");
1793  }
1794 
1795  if (!calloutContext->no_cache_done) {
1796  calloutContext->no_cache_done = true;
1797 
1799  debugs(83, 3, HERE << "Doing calloutContext->checkNoCache()");
1801  return;
1802  }
1803  }
1804  } // if !calloutContext->error
1805 
1806  // Set appropriate MARKs and CONNMARKs if needed.
1808  ACLFilledChecklist ch(nullptr, request, nullptr);
1809  ch.al = calloutContext->http->al;
1811  ch.my_addr = request->my_addr;
1812  ch.syncAle(request, log_uri);
1813 
1816  tos_t tos = aclMapTOS(Ip::Qos::TheConfig.tosToClient, &ch);
1817  if (tos)
1819 
1820  const auto packetMark = aclFindNfMarkConfig(Ip::Qos::TheConfig.nfmarkToClient, &ch);
1821  if (!packetMark.isEmpty())
1822  Ip::Qos::setSockNfmark(getConn()->clientConnection, packetMark.mark);
1823 
1824  const auto connmark = aclFindNfMarkConfig(Ip::Qos::TheConfig.nfConnmarkToClient, &ch);
1825  if (!connmark.isEmpty())
1827  }
1828  }
1829 
1830 #if USE_OPENSSL
1831  // Even with calloutContext->error, we call sslBumpAccessCheck() to decide
1832  // whether SslBump applies to this transaction. If it applies, we will
1833  // attempt to bump the client to serve the error.
1837  return;
1838  /* else no ssl bump required*/
1839  }
1840 #endif
1841 
1842  if (calloutContext->error) {
1843  // XXX: prformance regression. c_str() reallocates
1844  SBuf storeUriBuf(request->storeId());
1845  const char *storeUri = storeUriBuf.c_str();
1846  StoreEntry *e = storeCreateEntry(storeUri, storeUri, request->flags, request->method);
1847 #if USE_OPENSSL
1848  if (sslBumpNeeded()) {
1849  // We have to serve an error, so bump the client first.
1851  // set final error but delay sending until we bump
1855  getConn()->setServerBump(srvBump);
1856  e->unlock("ClientHttpRequest::doCallouts+sslBumpNeeded");
1857  } else
1858 #endif
1859  {
1860  // send the error to the client now
1862  clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw());
1863  assert (repContext);
1864  repContext->setReplyToStoreEntry(e, "immediate SslBump error");
1868  getConn()->flags.readMore = true; // resume any pipeline reads.
1870  clientStreamRead(node, this, node->readBuffer);
1871  e->unlock("ClientHttpRequest::doCallouts-sslBumpNeeded");
1872  return;
1873  }
1874  }
1875 
1877  delete calloutContext;
1878  calloutContext = NULL;
1879 #if HEADERS_LOG
1880 
1881  headersLog(0, 1, request->method, request);
1882 #endif
1883 
1884  debugs(83, 3, HERE << "calling processRequest()");
1885  processRequest();
1886 
1887 #if ICAP_CLIENT
1889  if (ih != NULL)
1890  ih->logType = logType;
1891 #endif
1892 }
1893 
1894 void
1896 {
1897  assert(request);
1898  const auto canonicalUri = request->canonicalCleanUrl();
1899  absorbLogUri(xstrndup(canonicalUri, MAX_URL));
1900 }
1901 
1902 void
1904 {
1905  assert(rawUri);
1906  // Should(!request);
1907 
1908  // TODO: SBuf() performance regression, fix by converting rawUri to SBuf
1909  char *canonicalUri = urlCanonicalCleanWithoutRequest(SBuf(rawUri), method, AnyP::UriScheme());
1910 
1911  absorbLogUri(AnyP::Uri::cleanup(canonicalUri));
1912 
1913  char *cleanedRawUri = AnyP::Uri::cleanup(rawUri);
1914  al->setVirginUrlForMissingRequest(SBuf(cleanedRawUri));
1915  xfree(cleanedRawUri);
1916 }
1917 
1918 void
1920 {
1921  xfree(log_uri);
1922  const_cast<char *&>(log_uri) = aUri;
1923 }
1924 
1925 void
1927 {
1928  assert(!uri);
1929  assert(aUri);
1930  // Should(!request);
1931 
1932  uri = xstrdup(aUri);
1933  // TODO: SBuf() performance regression, fix by converting setErrorUri() parameter to SBuf
1934  const SBuf errorUri(aUri);
1935  const auto canonicalUri = urlCanonicalCleanWithoutRequest(errorUri, HttpRequestMethod(), AnyP::UriScheme());
1936  absorbLogUri(xstrndup(canonicalUri, MAX_URL));
1937 
1938  al->setVirginUrlForMissingRequest(errorUri);
1939 }
1940 
1941 #if USE_ADAPTATION
1942 void
1945 {
1946  debugs(85, 3, HERE << "adaptation needed for " << this);
1950  new Adaptation::Iterator(request, NULL, al, g));
1951 
1952  // we could try to guess whether we can bypass this adaptation
1953  // initiation failure, but it should not really happen
1955 }
1956 
1957 void
1959 {
1960  assert(cbdataReferenceValid(this)); // indicates bug
1963 
1964  switch (answer.kind) {
1966  handleAdaptedHeader(const_cast<Http::Message*>(answer.message.getRaw()));
1967  break;
1968 
1970  handleAdaptationBlock(answer);
1971  break;
1972 
1975  break;
1976  }
1977 }
1978 
1979 void
1981 {
1982  assert(msg);
1983 
1984  if (HttpRequest *new_req = dynamic_cast<HttpRequest*>(msg)) {
1985  // update the new message to flag whether URL re-writing was done on it
1986  if (request->effectiveRequestUri() != new_req->effectiveRequestUri())
1987  new_req->flags.redirected = true;
1988  resetRequest(new_req);
1989  assert(request->method.id());
1990  } else if (HttpReply *new_rep = dynamic_cast<HttpReply*>(msg)) {
1991  debugs(85,3,HERE << "REQMOD reply is HTTP reply");
1992 
1993  // subscribe to receive reply body
1994  if (new_rep->body_pipe != NULL) {
1995  adaptedBodySource = new_rep->body_pipe;
1996  int consumer_ok = adaptedBodySource->setConsumerIfNotLate(this);
1997  assert(consumer_ok);
1998  }
1999 
2001  clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw());
2002  assert(repContext);
2003  repContext->createStoreEntry(request->method, request->flags);
2004 
2007  storeEntry()->replaceHttpReply(new_rep);
2009 
2010  if (!adaptedBodySource) // no body
2011  storeEntry()->complete();
2012  clientGetMoreData(node, this);
2013  }
2014 
2015  // we are done with getting headers (but may be receiving body)
2017 
2019  doCallouts();
2020 }
2021 
2022 void
2024 {
2026  AclMatchedName = answer.ruleId.termedBuf();
2029  AclMatchedName = NULL;
2030 }
2031 
2032 void
2034 {
2035  if (!adaptedBodySource)
2036  return;
2037 
2039 }
2040 
2041 void
2043 {
2046 
2047  if (size_t contentSize = adaptedBodySource->buf().contentSize()) {
2048  const size_t spaceAvailable = storeEntry()->bytesWanted(Range<size_t>(0,contentSize));
2049 
2050  if (spaceAvailable < contentSize ) {
2051  // No or partial body data consuming
2052  typedef NullaryMemFunT<ClientHttpRequest> Dialer;
2053  AsyncCall::Pointer call = asyncCall(93, 5, "ClientHttpRequest::resumeBodyStorage",
2054  Dialer(this, &ClientHttpRequest::resumeBodyStorage));
2055  storeEntry()->deferProducer(call);
2056  }
2057 
2058  if (!spaceAvailable)
2059  return;
2060 
2061  if (spaceAvailable < contentSize )
2062  contentSize = spaceAvailable;
2063 
2065  const StoreIOBuffer ioBuf(&bpc.buf, request_satisfaction_offset, contentSize);
2066  storeEntry()->write(ioBuf);
2067  // assume StoreEntry::write() writes the entire ioBuf
2069  bpc.buf.consume(contentSize);
2070  bpc.checkIn();
2071  }
2072 
2075  // else wait for more body data
2076 }
2077 
2078 void
2080 {
2082  // should we end request satisfaction now?
2085 }
2086 
2087 void
2089 {
2090  debugs(85,4, HERE << this << " ends request satisfaction");
2093 
2094  // TODO: anything else needed to end store entry formation correctly?
2095  storeEntry()->complete();
2096 }
2097 
2098 void
2100 {
2103 
2104  debugs(85,3, HERE << "REQMOD body production failed");
2105  if (request_satisfaction_mode) { // too late to recover or serve an error
2108  Must(Comm::IsConnOpen(c));
2109  c->close(); // drastic, but we may be writing a response already
2110  } else {
2112  }
2113 }
2114 
2115 void
2116 ClientHttpRequest::handleAdaptationFailure(int errDetail, bool bypassable)
2117 {
2118  debugs(85,3, HERE << "handleAdaptationFailure(" << bypassable << ")");
2119 
2120  const bool usedStore = storeEntry() && !storeEntry()->isEmpty();
2121  const bool usedPipe = request->body_pipe != NULL &&
2122  request->body_pipe->consumedSize() > 0;
2123 
2124  if (bypassable && !usedStore && !usedPipe) {
2125  debugs(85,3, HERE << "ICAP REQMOD callout failed, bypassing: " << calloutContext);
2126  if (calloutContext)
2127  doCallouts();
2128  return;
2129  }
2130 
2131  debugs(85,3, HERE << "ICAP REQMOD callout failed, responding with error");
2132 
2134  clientReplyContext *repContext = dynamic_cast<clientReplyContext *>(node->data.getRaw());
2135  assert(repContext);
2136 
2137  calloutsError(ERR_ICAP_FAILURE, errDetail);
2138 
2139  if (calloutContext)
2140  doCallouts();
2141 }
2142 
2143 void
2144 ClientHttpRequest::callException(const std::exception &ex)
2145 {
2146  if (const auto clientConn = getConn() ? getConn()->clientConnection : nullptr) {
2148  debugs(85, 3, "closing after exception: " << ex.what());
2149  clientConn->close(); // initiate orderly top-to-bottom cleanup
2150  return;
2151  }
2152  }
2153  debugs(85, DBG_IMPORTANT, "ClientHttpRequest exception without connection. Ignoring " << ex.what());
2154  // XXX: Normally, we mustStop() but we cannot do that here because it is
2155  // likely to leave Http::Stream and ConnStateData with a dangling http
2156  // pointer. See r13480 or XXX in Http::Stream class description.
2157 }
2158 #endif
2159 
2160 // XXX: modify and use with ClientRequestContext::clientAccessCheckDone too.
2161 void
2163 {
2164  // The original author of the code also wanted to pass an errno to
2165  // setReplyToError, but it seems unlikely that the errno reflects the
2166  // true cause of the error at this point, so I did not pass it.
2167  if (calloutContext) {
2168  Ip::Address noAddr;
2169  noAddr.setNoAddr();
2170  ConnStateData * c = getConn();
2172  NULL,
2173  c != NULL ? c->clientConnection->remote : noAddr,
2174  request
2175  );
2176 #if USE_AUTH
2178  c != NULL && c->getAuth() != NULL ? c->getAuth() : request->auth_user_request;
2179 #endif
2180  calloutContext->error->detailError(errDetail);
2182  if (c != NULL)
2183  c->expectNoForwarding();
2184  }
2185  //else if(calloutContext == NULL) is it possible?
2186 }
2187 
int hasListMember(Http::HdrType id, const char *member, const char separator) const
Definition: HttpHeader.cc:1640
iterates services in ServiceGroup, starting adaptation launchers
Definition: Iterator.h:31
int delById(Http::HdrType id)
Definition: HttpHeader.cc:681
void nonBlockingCheck(ACLCB *callback, void *callback_data)
Definition: Checklist.cc:238
char const * rawBuf() const
Definition: SquidString.h:85
summarizes adaptation service answer for the noteAdaptationAnswer() API
Definition: Answer.h:22
AnyP::ProtocolVersion ProtocolVersion(unsigned int aMajor, unsigned int aMinor)
HTTP version label information.
static void sslBumpAccessCheckDoneWrapper(allow_t, void *)
static void clientInterpretRequestHeaders(ClientHttpRequest *http)
bool interceptTproxy
Set for requests handled by a "tproxy" port.
Definition: RequestFlags.h:68
Ssl::BumpMode sslBumpNeed() const
returns raw sslBump mode value
void redirectStart(ClientHttpRequest *http, HLPCB *handler, void *data)
Definition: redirect.cc:288
StoreEntry * loggingEntry() const
const MemBuf & buf() const
Definition: BodyPipe.h:137
err_type errType
Definition: HttpRequest.h:153
void setAuth(const Auth::UserRequest::Pointer &aur, const char *cause)
Definition: client_side.cc:502
#define fd_table
Definition: fde.h:157
ConnStateData * pinnedConnection()
Definition: HttpRequest.cc:668
CbcPointer< Initiate > initiateAdaptation(Initiate *x)
< starts freshly created initiate and returns a safe pointer to it
Definition: Initiator.cc:23
SQUIDCEXTERN CSD clientReplyDetach
ClientHttpRequest * http
HttpHdrRange * range
Definition: HttpRequest.h:135
unsigned short port() const
Definition: Address.cc:778
#define assert(EX)
Definition: assert.h:17
Ip::Address my_addr
Definition: HttpRequest.h:147
void clientStreamInit(dlink_list *list, CSR *func, CSD *rdetach, CSS *readstatus, ClientStreamData readdata, CSCB *callback, CSD *cdetach, ClientStreamData callbackdata, StoreIOBuffer tailBuffer)
String ruleId
ACL (or similar rule) name that blocked forwarding.
Definition: Answer.h:40
static void checkFailureRatio(err_type, hier_code)
bool hierarchical
Definition: RequestFlags.h:34
int neighbors_do_private_keys
#define HttpHeaderInitPos
Definition: HttpHeader.h:48
#define cbdataReferenceDone(var)
Definition: cbdata.h:350
static HLPCB clientRedirectDoneWrapper
wordlist * store_id
Definition: SquidConfig.h:195
void UpdateRequestNotes(ConnStateData *csd, HttpRequest &request, NotePairs const &helperNotes)
Definition: HttpRequest.cc:703
HttpHdrCc * cache_control
Definition: Message.h:77
int unlock(const char *context)
Definition: store.cc:457
void fd_note(int fd, const char *s)
Definition: fd.cc:250
struct ClientHttpRequest::Redirect redirect
bool loopDetected
Definition: RequestFlags.h:36
virtual void noteBodyProducerAborted(BodyPipe::Pointer)
Definition: Acl.h:113
bool timestampsSet()
Definition: store.cc:1454
Definition: SBuf.h:86
static uint32 B
Definition: md4.c:43
virtual void noteBodyProductionEnded(BodyPipe::Pointer)
#define xcalloc
Definition: membanger.c:57
#define REDIRECT_NONE
Definition: defines.h:87
Ip::Address src_addr
void checkNoCacheDone(const allow_t &answer)
Comm::ConnectionPointer clientConnection
int log_uses_indirect_client
Definition: SquidConfig.h:331
acl_access * redirector
Definition: SquidConfig.h:376
void consume(mb_size_t sz)
removes sz bytes and "packs" by moving content left
Definition: MemBuf.cc:171
String getList(Http::HdrType id) const
Definition: HttpHeader.cc:828
int64_t bodySize(const HttpRequestMethod &) const
Definition: HttpReply.cc:371
ACLFilledChecklist * Filled(ACLChecklist *checklist)
convenience and safety wrapper for dynamic_cast<ACLFilledChecklist*>
HttpRequestMethod method
Definition: HttpRequest.h:106
void resetWithoutLocking(T *t)
Reset raw pointer - unlock any previous one and save new one without locking.
void setErrorUri(const char *errorUri)
void assignRequest(HttpRequest *aRequest)
#define SQUIDCEXTERN
Definition: squid.h:26
struct _request * request(char *urlin)
Definition: tcp-banger2.c:291
void error(char *format,...)
Http::MessagePointer message
HTTP request or response to forward.
Definition: Answer.h:39
#define xstrdup
ClientHttpRequest(ConnStateData *csd)
ConnStateData * getConn() const
bool denied() const
Definition: Acl.h:147
char * xstrndup(const char *s, size_t n)
Definition: xstring.cc:56
struct timeval start_time
The time the master transaction started.
void announceInitiatorAbort(CbcPointer< Initiate > &x)
inform the transaction about abnormal termination and clear the pointer
Definition: Initiator.cc:38
#define safe_free(x)
Definition: xalloc.h:73
bool initiated(const CbcPointer< AsyncJob > &job) const
Must(initiated(initiate)) instead of Must(initiate.set()), for clarity.
Definition: Initiator.h:52
const char * bumpMode(int bm)
Definition: support.h:149
Definition: Flag.h:16
int clientBeginRequest(const HttpRequestMethod &method, char const *url, CSCB *streamcallback, CSD *streamdetach, ClientStreamData streamdata, HttpHeader const *header, char *tailbuf, size_t taillen, const MasterXaction::Pointer &mx)
AccessLogEntry::Pointer al
info for the future access.log, and external ACL
Definition: Range.h:18
static void hostHeaderIpVerifyWrapper(const ipcache_addrs *ia, const Dns::LookupDetails &dns, void *data)
encapsulates DNS lookup results
Definition: LookupDetails.h:20
void HTTPMSGLOCK(Http::Message *a)
Definition: Message.h:160
void calloutsError(const err_type error, const int errDetail)
Build an error reply. For use with the callouts.
void handleAdaptedHeader(Http::Message *msg)
void appendNewOnly(const NotePairs *src)
Definition: Notes.cc:349
void(* ObjPackMethod)(void *obj, Packable *p)
Definition: tools.h:33
#define Must(condition)
Like assert() but throws an exception instead of aborting the process.
Definition: TextException.h:69
virtual void noteAdaptationAclCheckDone(Adaptation::ServiceGroupPointer group)
StoreEntry * storeEntry() const
Comm::ConnectionPointer tcpClient
TCP/IP level details about the client connection.
AnyP::ProtocolVersion http_ver
Definition: Message.h:73
#define xisspace(x)
Definition: xis.h:17
HttpHeaderEntry * getEntry(HttpHeaderPos *pos) const
Definition: HttpHeader.cc:598
bool conflicted() const
whether Squid is uncertain about the allowed() or denied() answer
Definition: Acl.h:150
#define DBG_CRITICAL
Definition: Debug.h:45
Auth::UserRequest::Pointer auth_user_request
Definition: errorpage.h:145
char * p
Definition: membanger.c:43
wordlist * redirect
Definition: SquidConfig.h:194
int conn
the current server connection FD
Definition: Transport.cc:26
time_t ims
Definition: HttpRequest.h:137
bool done_follow_x_forwarded_for
Definition: RequestFlags.h:101
void clientStreamRead(clientStreamNode *thisObject, ClientHttpRequest *http, StoreIOBuffer readBuffer)
bool hostVerified
Definition: RequestFlags.h:66
void SBufToCstring(char *d, const SBuf &s)
Definition: SBuf.h:741
uint64_t consumedSize() const
Definition: BodyPipe.h:111
Ip::Address log_addr
Definition: client_side.h:128
struct timeval current_time
Definition: stub_time.cc:15
void startAdaptation(const Adaptation::ServiceGroupPointer &g)
Initiate an asynchronous adaptation transaction which will call us back.
int aclIsProxyAuth(const char *name)
Definition: Gadgets.cc:71
iterator end()
const SBuf storeId()
Definition: HttpRequest.cc:676
time_t squid_curtime
Definition: stub_time.cc:17
Comm::ConnectionPointer serverConnection
Definition: client_side.h:135
void replaceHttpReply(HttpReply *, bool andStartWriting=true)
Definition: store.cc:1782
no adapted message will come; see bypassable
Definition: Answer.h:29
bool readMore
needs comm_read (for this request or new requests)
Definition: client_side.h:131
a netfilter mark/mask pair
Definition: NfMarkConfig.h:20
HttpHdrRangeIter range_iter
bool connectionAuth
Definition: RequestFlags.h:78
char * urlCanonicalCleanWithoutRequest(const SBuf &url, const HttpRequestMethod &method, const AnyP::UriScheme &scheme)
Definition: Uri.cc:518
AsyncCall * asyncCall(int aDebugSection, int aDebugLevel, const char *aName, const Dialer &aDialer)
Definition: AsyncCall.h:156
Helper::ResultCode result
The helper response &#39;result&#39; field.
Definition: Reply.h:59
virtual const char * status() const
internal cleanup; do not call directly
Definition: AsyncJob.cc:159
void complete()
Definition: store.cc:1058
unsigned char tos_t
Definition: forward.h:26
Http::HdrType id
Definition: HttpHeader.h:63
static const char *const conn_established
Definition: tunnel.cc:241
size_t appendDomainLen
Definition: SquidConfig.h:216
bool readNextRequest
whether Squid should read after error handling
const ProxyProtocol::HeaderPointer & proxyProtocolHeader() const
Definition: client_side.h:324
void fvdbCountVia(const char *key)
int gopherCachable(const HttpRequest *req)
Definition: gopher.cc:294
NotePairs::Pointer notes()
Definition: HttpRequest.cc:695
ACLFilledChecklist * clientAclChecklistCreate(const acl_access *acl, ClientHttpRequest *http)
static const char *const crlf
const SBuf & effectiveRequestUri() const
RFC 7230 section 5.5 - Effective Request URI.
Definition: HttpRequest.cc:687
bool setNfConnmark(Comm::ConnectionPointer &conn, const ConnectionDirection connDir, const NfMarkConfig &cm)
void setNoAddr()
Definition: Address.cc:292
void setVirginUrlForMissingRequest(const SBuf &vu)
Remember Client URI (or equivalent) when there is no HttpRequest.
void HLPCB(void *, const Helper::Reply &)
Definition: forward.h:27
Comm::ConnectionPointer conn
Definition: CommCalls.h:85
bool IsConnOpen(const Comm::ConnectionPointer &conn)
Definition: Connection.cc:24
bool sslBumpNeeded() const
returns true if and only if the request needs to be bumped
acl_access * followXFF
Definition: SquidConfig.h:390
void const char HLPCB void * data
Definition: stub_helper.cc:16
NotePairs notes
Definition: Reply.h:62
int64_t offset
Definition: StoreIOBuffer.h:55
LogTags logType
the processing tags associated with this request transaction.
Definition: parse.c:104
iterator begin()
StatusCode
Definition: StatusCode.h:20
int64_t content_length
Definition: Message.h:84
const char * c_str() const
compute the status access.log field
Definition: LogTags.cc:56
void setConn(ConnStateData *aConn)
int reload_into_ims
Definition: SquidConfig.h:295
struct SquidConfig::UrlHelperTimeout onUrlRewriteTimeout
#define debugs(SECTION, LEVEL, CONTENT)
Definition: Debug.h:124
#define cbdataReference(var)
Definition: cbdata.h:341
bool hasNoCache(const String **val=nullptr) const
Definition: HttpHdrCc.h:89
StoreEntry * storeCreateEntry(const char *url, const char *logUrl, const RequestFlags &flags, const HttpRequestMethod &method)
Definition: store.cc:776
void stopReading()
cancels Comm::Read() if it is scheduled
Definition: Server.cc:56
#define DBG_IMPORTANT
Definition: Debug.h:46
struct SquidConfig::@99 Port
void setLogUriToRawUri(const char *rawUri, const HttpRequestMethod &)
static void SslBumpEstablish(const Comm::ConnectionPointer &, char *, size_t, Comm::Flag errflag, int, void *data)
mb_size_t contentSize() const
available data size
Definition: MemBuf.h:47
bool parse(const HttpRequestMethod &, const char *url)
Definition: Uri.cc:191
void update(const LogTags_ot t)
Definition: LogTags.cc:44
bool connectionAuthDisabled
Definition: RequestFlags.h:80
void expectNoForwarding()
cleans up virgin request [body] forwarding state
Ip::Address client_addr
Definition: HttpRequest.h:141
void CSCB(clientStreamNode *, ClientHttpRequest *, HttpReply *, StoreIOBuffer)
client stream read callback
static void clientAccessCheckDoneWrapper(allow_t, void *)
bool connectionProxyAuth
Definition: RequestFlags.h:83
int kind
which custom access list verb matched
Definition: Acl.h:153
void absorbLogUri(char *aUri)
assigns log_uri with aUri without copying the entire C-string
bool isEmpty() const
Definition: Store.h:60
unsigned short icp
Definition: SquidConfig.h:135
common parts of HttpRequest and HttpReply
Definition: Message.h:25
Config TheConfig
Globally available instance of Qos::Config.
Definition: QosConfig.cc:271
AnyP::Uri url
the request URI
Definition: HttpRequest.h:107
int strListIsSubstr(const String *list, const char *s, char del)
Definition: StrList.cc:54
void * addr
Definition: membanger.c:46
void handleAdaptationBlock(const Adaptation::Answer &answer)
void userInfo(const SBuf &s)
Definition: Uri.h:75
CbcPointer< ConnStateData > clientConnectionManager
Definition: HttpRequest.h:222
struct SquidConfig::@113 accessList
HttpRequest * request
char * canonicalCleanUrl() const
Definition: HttpRequest.cc:757
BodyPipe::Pointer adaptedBodySource
bool setConsumerIfNotLate(const Consumer::Pointer &aConsumer)
Definition: BodyPipe.cc:228
Ip::NfMarkConfig aclFindNfMarkConfig(acl_nfmark *head, ACLChecklist *ch)
Checks for a netfilter mark value to apply depending on the ACL.
Definition: FwdState.cc:1291
const char * c_str()
Definition: SBuf.cc:526
ClientStreamData data
Definition: clientStream.h:94
AccessLogEntry::Pointer al
access.log entry
void ipcache_nbgethostbyname(const char *name, IPH *handler, void *handlerData)
Definition: ipcache.cc:600
void resumeBodyStorage()
called by StoreEntry when it has more buffer space available
const char * AclMatchedName
Definition: Acl.cc:30
class AccessLogEntry::HttpDetails http
bool hasOnlyIfCached() const
Definition: HttpHdrCc.h:145
Http::MethodType id() const
Definition: RequestMethod.h:73
bool update(HttpHeader const *fresh)
Definition: HttpHeader.cc:283
ClientRequestContext * calloutContext
static int port
Definition: ldap_backend.cc:69
void tunnelStart(ClientHttpRequest *)
Definition: tunnel.cc:1087
ErrorState * clientBuildError(err_type, Http::StatusCode, char const *url, Ip::Address &, HttpRequest *)
void setLogUriToRequestUri()
sets log_uri when we know the current request
void cut(size_type newLength)
Definition: String.cc:236
String x_forwarded_for_iterator
Definition: HttpRequest.h:180
char const * termedBuf() const
Definition: SquidString.h:91
Security::CertPointer sslClientCert
cert received from the client
struct ClientHttpRequest::Out out
static HttpRequest * FromUrl(const char *url, const MasterXaction::Pointer &, const HttpRequestMethod &method=Http::METHOD_GET)
Definition: HttpRequest.cc:523
void ignoreRange(const char *reason)
forgets about the cached Range header (for a reason)
Definition: HttpRequest.cc:628
time_t getTime(Http::HdrType id) const
Definition: HttpHeader.cc:1161
acl_access * adapted_http
Definition: SquidConfig.h:359
std::ostream & HERE(std::ostream &s)
Definition: Debug.h:153
class AccessLogEntry::CacheDetails cache
ssize_t HttpHeaderPos
Definition: HttpHeader.h:45
struct SquidConfig::@112 onoff
static uint32 A
Definition: md4.c:43
void handleAdaptationFailure(int errDetail, bool bypassable=false)
#define FAILURE_MODE_TIME
acl_access * noCache
Definition: SquidConfig.h:365
Flag
Definition: Flag.h:15
virtual void syncAle(HttpRequest *adaptedRequest, const char *logUri) const
assigns uninitialized adapted_request and url ALE components
Ip::Address local
Definition: Connection.h:135
static char * cleanup(const char *uri)
Definition: Uri.cc:941
HttpHeader header
Definition: Message.h:75
bool accelerated
Definition: RequestFlags.h:60
bool final
whether the error, if any, cannot be bypassed
Definition: Answer.h:41
Ssl::BumpMode sslBumpNeed_
whether (and how) the request needs to be bumped
AclDenyInfoList * denyInfoList
Definition: SquidConfig.h:407
struct SquidConfig::@104 Program
MemObject * memObject() const
char rfc931[USER_IDENT_SZ]
Definition: Connection.h:165
RequestFlags flags
Definition: HttpRequest.h:133
#define REDIRECT_DONE
Definition: defines.h:89
ClientRequestContext(ClientHttpRequest *)
void clearRequest()
resets the current request and log_uri to nil
bool maybeCacheable()
Definition: HttpRequest.cc:538
void setServerBump(Ssl::ServerBump *srvBump)
Definition: client_side.h:255
virtual void noteMoreBodyDataAvailable(BodyPipe::Pointer)
int has(Http::HdrType id) const
Definition: HttpHeader.cc:977
Ip::Address remote
Definition: Connection.h:138
void Comm::ConnectionPointer & clientConn
Definition: stub_tunnel.cc:19
hier_code
Definition: hier_code.h:12
Definition: Xaction.cc:47
#define ScheduleCallHere(call)
Definition: AsyncCall.h:166
void httpRequestPack(void *obj, Packable *p)
Definition: HttpRequest.cc:371
Definition: Uri.h:30
StoreEntry * loggingEntry_
int acl_uses_indirect_client
Definition: SquidConfig.h:329
void write(StoreIOBuffer)
Definition: store.cc:797
bool intercepted
Definition: RequestFlags.h:64
#define PROF_start(probename)
Definition: Profiler.h:62
StoreIOBuffer readBuffer
Definition: clientStream.h:95
bool isOpen() const
Definition: Connection.h:87
void HTTPMSGUNLOCK(M *&a)
Definition: Message.h:149
AnyP::PortCfgPointer port
Kind kind
the type of the answer
Definition: Answer.h:42
#define CBDATA_CLASS_INIT(type)
Definition: cbdata.h:318
void detailError(err_type aType, int aDetail)
sets error detail if no earlier detail was available
Definition: HttpRequest.cc:456
forward the supplied adapted HTTP message
Definition: Answer.h:27
int64_t lowestOffset(int64_t) const
struct ClientHttpRequest::Flags flags
Comm::Flag flag
comm layer result status.
Definition: CommCalls.h:87
CbcPointer< Adaptation::Initiate > virginHeadSource
double request_failure_ratio
static void clientStoreIdAccessCheckDone(allow_t answer, void *data)
static int clientHierarchical(ClientHttpRequest *http)
block or deny the master xaction; see authority
Definition: Answer.h:28
C * getRaw() const
Definition: RefCount.h:74
struct ConnStateData::@39 flags
size_t HttpReply *STUB StoreEntry const KeyScope scope const HttpRequestMethod & method
Definition: stub_store.cc:112
bool allowed() const
Definition: Acl.h:141
static bool Start(Method method, VectPoint vp, HttpRequest *req, HttpReply *rep, AccessLogEntry::Pointer &al, Adaptation::Initiator *initiator)
Definition: AccessCheck.cc:30
void syncNotes(HttpRequest *request)
accepted (from a client by Squid)
Definition: QosConfig.h:67
ConnStateData * conn_
void stopConsumingFrom(RefCount< BodyPipe > &)
Definition: BodyPipe.cc:118
void storeIdStart(ClientHttpRequest *http, HLPCB *handler, void *data)
Definition: redirect.cc:314
Comm::ConnectionPointer clientConnection
Definition: Server.h:97
void hostHeaderIpVerify(const ipcache_addrs *ia, const Dns::LookupDetails &dns)
Auth::UserRequest::Pointer auth_user_request
Definition: HttpRequest.h:119
const char * errorTypeName(err_type err)
Definition: err_type.h:100
int setSockNfmark(const Comm::ConnectionPointer &conn, nfmark_t mark)
Definition: QosConfig.cc:586
void errorAppendEntry(StoreEntry *entry, ErrorState *err)
Definition: errorpage.cc:575
clientStream_status_t CSS(clientStreamNode *, ClientHttpRequest *)
int hostStrictVerify
Definition: SquidConfig.h:340
BodyPipe::Pointer body_pipe
optional pipeline to receive message body
Definition: Message.h:98
CommCbFunPtrCallT< Dialer > * commCbCall(int debugSection, int debugLevel, const char *callName, const Dialer &dialer)
Definition: CommCalls.h:342
#define REDIRECT_PENDING
Definition: defines.h:88
int cbdataReferenceValid(const void *p)
Definition: cbdata.cc:412
HttpHdrRange::iterator end
void sslBumpEstablish(Comm::Flag errflag)
Ssl::BumpMode sslBumpMode
ssl_bump decision (Ssl::bumpEnd if n/a).
Definition: client_side.h:273
static void checkNoCacheDoneWrapper(allow_t, void *)
static void clientRedirectAccessCheckDone(allow_t answer, void *data)
void clientRedirectDone(const Helper::Reply &reply)
void detailError(int dCode)
set error type-specific detail code
Definition: errorpage.h:97
virtual HttpRequest * clone() const
Definition: HttpRequest.cc:176
time_t hit_only_mode_until
virtual void noteAdaptationAnswer(const Adaptation::Answer &answer)
void deferProducer(const AsyncCall::Pointer &producer)
call back producer when more buffer space is available
Definition: store.cc:352
HttpRequest *const request
static void clientCheckPinning(ClientHttpRequest *http)
void clean()
Definition: String.cc:125
void switchToHttps(HttpRequest *request, Ssl::BumpMode bumpServerMode)
#define MAX_URL
Definition: defines.h:118
BumpMode
Definition: support.h:135
#define PROF_stop(probename)
Definition: Profiler.h:63
void initRequest(HttpRequest *)
bool exhausted() const
Definition: BodyPipe.cc:174
ACLChecklist * acl_checklist
struct ConnStateData::@40 pinning
void sslBumpAccessCheckDone(const allow_t &answer)
The callback function for ssl-bump access check list.
int64_t strtoll(const char *nptr, char **endptr, int base)
Definition: strtoll.c:81
bool have(const Ip::Address &ip, size_t *position=nullptr) const
Definition: ipcache.cc:974
AnyP::UriScheme const & getScheme() const
Definition: Uri.h:67
HttpHdrRange::iterator pos
void CSD(clientStreamNode *, ClientHttpRequest *)
client stream detach
void CSR(clientStreamNode *, ClientHttpRequest *)
client stream read
void clientAccessCheckDone(const allow_t &answer)
int matchDomainName(const char *h, const char *d, uint8_t flags)
Definition: Uri.cc:660
#define xfree
SQUIDCEXTERN CSR clientGetMoreData
const Auth::UserRequest::Pointer & getAuth() const
Definition: client_side.h:115
const char * sslGetUserEmail(SSL *ssl)
Definition: support.cc:712
int setSockTos(const Comm::ConnectionPointer &conn, tos_t tos)
Definition: QosConfig.cc:558
acl_access * http
Definition: SquidConfig.h:358
HierarchyLogEntry hier
static void clientFollowXForwardedForCheck(allow_t answer, void *data)
size_type size() const
Definition: SquidString.h:72
void httpRequestFree(void *data)
Definition: client_side.cc:487
bool respMaybeCacheable() const
static HLPCB clientStoreIdDoneWrapper
Ip::Address indirect_client_addr
Definition: HttpRequest.h:144
class SquidConfig Config
Definition: SquidConfig.cc:12
const char * findFirst(const char *noteKey) const
Definition: Notes.cc:265
tos_t aclMapTOS(acl_tos *head, ACLChecklist *ch)
Checks for a TOS value to apply depending on the ACL.
Definition: FwdState.cc:1279
acl_access * ssl_bump
Definition: SquidConfig.h:387
#define NULL
Definition: types.h:166
void hostHeaderVerifyFailed(const char *A, const char *B)
SQUIDCEXTERN CSS clientReplyStatus
ErrorState * error
saved error page for centralized/delayed processing
size_t bytesWanted(Range< size_t > const aRange, bool ignoreDelayPool=false) const
Definition: store.cc:228
void debugObj(int section, int level, const char *label, void *obj, ObjPackMethod pm)
Definition: tools.cc:900
ProxyProtocol::HeaderPointer proxyProtocolHeader
see ConnStateData::proxyProtocolHeader_
int refresh_nocache_hack
#define false
Definition: GnuRegex.c:233
void Write(const Comm::ConnectionPointer &conn, const char *buf, int size, AsyncCall::Pointer &callback, FREE *free_func)
Definition: Write.cc:35
void clientStoreIdDone(const Helper::Reply &reply)
err_type
Definition: err_type.h:12
Adaptation::Icap::History::Pointer icapHistory() const
Returns possibly nil history, creating it if icap logging is enabled.
Definition: HttpRequest.cc:399
err_type aclGetDenyInfoPage(AclDenyInfoList **head, const char *name, int redirect_allowed)
Definition: Gadgets.cc:40
const HttpReplyPointer & getReply() const
Definition: MemObject.h:57
HttpHdrRange * getRange() const
Definition: HttpHeader.cc:1238
MemBuf & buf
Definition: BodyPipe.h:74
bool forceTunnel
whether to forward via TunnelStateData (instead of FwdState)
Definition: RequestFlags.h:113
bool nocacheHack
Definition: RequestFlags.h:58
void resetRequest(HttpRequest *)
void fvdbCountForw(const char *key)
void clearAdaptation(CbcPointer< Initiate > &x)
clears the pointer (does not call announceInitiatorAbort)
Definition: Initiator.cc:32
char ThisCache2[RFC2181_MAXHOSTNAMELEN<< 1]
void lock(const char *context)
Definition: store.cc:433
virtual void callException(const std::exception &ex)
called when the job throws during an async call

 

Introduction

Documentation

Support

Miscellaneous

Web Site Translations

Mirrors