icp_hit_stale can cause denied error for FTP: a fix

From: Marc van Selm <marc.van.selm@dont-contact.us>
Date: Mon, 28 Jul 1997 12:55:13 +0100

I'm running V1.1.11 with icp_hit_stale on.

When the siblings don't have miss-access "FTP-requests" can result in an
Access-Denied error. (Very annoying for the users because another proxy
outside their domain denies them access)

Tests showed that only FTP produces this behavior (Gopher not tested). When
"FTP-files" are stale a TCP_MISS is produced (apparently) and this is denied
for the siblings.

A work-around can be allowing MISS-ACCESS to siblings but this might not be
desirable (as in our case where I have a sibling without any relation to our
agency except for my personal one but also a few under my control)

I decided to patch the source to produce only a UDP_HIT on a stale file if
PROTO_HTTP. This seems to work. Denied errors are gone and HTTP still gets
UDP_HITS on stale files without any errors.

static int
icpCheckUdpHit(StoreEntry * e, request_t * request)
{
    if (e == NULL)
        return 0;
    if (!storeEntryValidToSend(e))
        return 0;
    /* if (Config.Options.icp_hit_stale)
     * only icp_hit_stale for http
     * Marc van Selm <selm@nc3a.nato.int>
     */
    if (Config.Options.icp_hit_stale && request->protocol == PROTO_HTTP)
        return 1;
    if (refreshCheck(e, request, 30))
        return 0;
    return 1;
}

It might be useful to be able to enable icp_hit_stale per sibling_host. This
way I can only grant this service to proxies in the domain under my control
and grant other siblings only access to fresh files.

Marc van Selm
NATO C3 Agency
Communication Systems Division, A-Branch
E-Mail: marc.van.selm@nc3a.nato.int
Private: selm@cistron.nl, selm@het.net, http://www.cistron.nl/~selm
Received on Mon Jul 28 1997 - 03:58:30 MDT
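
A simplified model of the mismatch described in this post, added here as an illustration; it is not part of the original message and not Squid source. All type and function names are hypothetical, and the TCP-side behaviour (stale FTP treated as a miss, stale HTTP served) is an assumption taken from the post's observations. It counts the cases where a sibling is told UDP_HIT and is then denied on the follow-up fetch.

```c
#include <stdio.h>

/* Simplified model, not Squid source; all names here are hypothetical. */
enum proto { P_HTTP, P_FTP };
enum icp { UDP_MISS, UDP_HIT };
enum tcp { TCP_SERVED, TCP_DENIED };
struct entry { int valid; int stale; };

/* ICP answer. patched=0: any stale entry is advertised when hit_stale is on.
 * patched=1: stale entries are advertised for HTTP only (the post's change). */
static enum icp icp_answer(struct entry e, enum proto p, int hit_stale, int patched)
{
    if (!e.valid)
        return UDP_MISS;
    if (hit_stale && (!patched || p == P_HTTP))
        return UDP_HIT;
    return e.stale ? UDP_MISS : UDP_HIT;
}

/* Follow-up TCP fetch by the sibling. Assumption from the post: a stale FTP
 * object is handled as a miss, and a miss is refused unless the sibling has
 * miss access; a stale HTTP object is served without error. */
static enum tcp tcp_fetch(struct entry e, enum proto p, int miss_access)
{
    int is_miss = !e.valid || (e.stale && p == P_FTP);
    return (is_miss && !miss_access) ? TCP_DENIED : TCP_SERVED;
}

/* Count cases where a sibling is told UDP_HIT and is then denied. */
static int broken_promises(int hit_stale, int patched, int miss_access)
{
    int n = 0;
    for (int p = P_HTTP; p <= P_FTP; p++)
        for (int stale = 0; stale <= 1; stale++) {
            struct entry e = { 1, stale };
            if (icp_answer(e, (enum proto)p, hit_stale, patched) == UDP_HIT &&
                tcp_fetch(e, (enum proto)p, miss_access) == TCP_DENIED)
                n++;
        }
    return n;
}

int main(void)
{
    printf("original, no miss access: %d\n", broken_promises(1, 0, 0));
    printf("patched,  no miss access: %d\n", broken_promises(1, 1, 0));
    printf("original, miss access:    %d\n", broken_promises(1, 0, 1));
    return 0;
}
```

In this model the only advertised hit that ends in a denial is the stale FTP object offered to a sibling without miss access; restricting the stale hit to HTTP removes it without granting miss access.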
