diff -u -r -N squid-3.2.0.9/ChangeLog squid-3.2.0.10/ChangeLog --- squid-3.2.0.9/ChangeLog 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/ChangeLog 2011-07-24 17:46:11.000000000 +1200 @@ -1,3 +1,28 @@ +Changes to squid-3.2.0.10 (24 Jul 2011): + + - Port from 2.7: act-as-origin for reverse proxy ports + - Regression fix: broken --disable-ipv6 + - Regression fix: negative cacheing on unknown or -1 expiry timestamp + - Regression fix: vhost and defaultsite causing vport to be ignored + - Regression fix: several errors in persistent connection handling + - Regression Bug 3280: allow max-size unset and min-size=N for large objects + - Regression Bug 3245: reconfigure assertion in MemPools[type] + - Regression Bug 3274: assertion failed: CommCalls.h:144: "dp" + - Regression Bug 3273: assertion comm.cc:775: Comm::IsConnOpen(conn) + - Regression Bug 3269: cache.log applyQueryParams messages + - Regression Bug 3264: Segmentation Fault in src/ipc/Strand.cc(54) receive: 3 + - Regression Bug 3246: assertion client_side.cc:1407 connIsUsable(http->getConn()) + - Bug 3267: workers IPC mount points disobey --localstatedir + - Bug 3248: login=NEGOTIATE sends wrong auth header to origin peers + - Bug 3247: Domain from URL Stripped when going through peers + - Bug 3244: wrong port for peer relayed requests + - Bug 3195: kerberos_ldap_group will not build without kerberos + - Bug 2862: add http(s):// support to cache manager + - kerberos_ldap_group: several fixes to -S option + - ssl_crtd: Add man(8) file + - ... and several pieces of code cleanup and polishing. + - ... and most bug fixes and updates from 3.1.14 and 3.1.15 + Changes to squid-3.2.0.9 (18 Jun 2011): - Bug 3159: delay pools --disable-auth compile problems 
@@ -196,6 +221,16 @@ - ... and a great many testing improvements - ... and many documentation updates +Changes to squid-3.1.14 (04 Jul 2011): + + - Regression Bug 3261: Could not create a DNS socket and exit + +Changes to squid-3.1.13 (01 Jul 2011): + + - Regression Bug 3239: problems with myip/myport upgrade + - Bug 3153: hung ICAP RESPMOD transactions + - Update ssl_crtd to use 'OK' status inline with other helpers + Changes to squid-3.1.12.3 (18 Jun 2011): - Bug 3236: Port of %oa, % #endif -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ #undef IN_ADDR #include #endif diff -u -r -N squid-3.2.0.9/compat/GnuRegex.c squid-3.2.0.10/compat/GnuRegex.c --- squid-3.2.0.9/compat/GnuRegex.c 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/compat/GnuRegex.c 2011-07-24 17:46:11.000000000 +1200 @@ -3730,6 +3730,9 @@ POP_FAILURE_POINT(sdummy, pdummy, dummy_low_reg, dummy_high_reg, reg_dummy, reg_dummy, reg_info_dummy); + /* avoid GCC 4.6 set but unused variables warning. Does not matter here. */ + if (pdummy || sdummy) + (void)0; } /* Note fall through. */ diff -u -r -N squid-3.2.0.9/compat/os/aix.h squid-3.2.0.10/compat/os/aix.h --- squid-3.2.0.9/compat/os/aix.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/compat/os/aix.h 2011-07-24 17:46:11.000000000 +1200 @@ -1,7 +1,7 @@ #ifndef SQUID_OS_AIX_H #define SQUID_OS_AIX_H -#ifdef _SQUID_AIX_ +#if _SQUID_AIX_ /**************************************************************************** *--------------------------------------------------------------------------* diff -u -r -N squid-3.2.0.9/compat/os/dragonfly.h squid-3.2.0.10/compat/os/dragonfly.h --- squid-3.2.0.9/compat/os/dragonfly.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/compat/os/dragonfly.h 2011-07-24 17:46:11.000000000 +1200 
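Review bot: The added `if (pdummy || sdummy) (void)0;` in compat/GnuRegex.c silences the GCC 4.6 warning by reading both variables in a branch that does nothing, which is harder to read than it needs to be and can itself draw an empty-body warning. The conventional form is one cast per variable, `(void)pdummy; (void)sdummy;`, with the existing comment kept above it. The enclosing case block starts and ends outside this hunk, so whether the other dummy arguments passed to POP_FAILURE_POINT need the same treatment cannot be judged from here.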
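Review bot: `#if _SQUID_AIX_` in compat/os/aix.h evaluates the macro, where the old `#ifdef` only tested that it exists. A definition with no value (`#define _SQUID_AIX_`) therefore becomes a preprocessor error, and a definition to `0` now disables the block. The place where the `_SQUID_*_` macros are defined is not part of this diff, so confirm that each one is defined to `1` and never left empty. A short comment at the definition site would help, such as `/* _SQUID_*_ macros are tested with #if; always define them to 1 */`. The same applies to the other compat/os/*.h hunks and to the three `_SQUID_MSWIN_` hunks in compat/types.h.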
@@ -1,7 +1,7 @@ #ifndef SQUID_OS_DRAGONFLY_H #define SQUID_OS_DRAGONFLY_H -#ifdef _SQUID_DRAGONFLY_ +#if _SQUID_DRAGONFLY_ /**************************************************************************** *--------------------------------------------------------------------------* diff -u -r -N squid-3.2.0.9/compat/os/freebsd.h squid-3.2.0.10/compat/os/freebsd.h --- squid-3.2.0.9/compat/os/freebsd.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/compat/os/freebsd.h 2011-07-24 17:46:11.000000000 +1200 @@ -1,7 +1,7 @@ #ifndef SQUID_OS_FREEBSD_H #define SQUID_OS_FREEBSD_H -#ifdef _SQUID_FREEBSD_ +#if _SQUID_FREEBSD_ /**************************************************************************** *--------------------------------------------------------------------------* diff -u -r -N squid-3.2.0.9/compat/os/hpux.h squid-3.2.0.10/compat/os/hpux.h --- squid-3.2.0.9/compat/os/hpux.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/compat/os/hpux.h 2011-07-24 17:46:11.000000000 +1200 @@ -1,7 +1,7 @@ #ifndef SQUID_OS_HPUX_H #define SQUID_OS_PHUX_H -#ifdef _SQUID_HPUX_ +#if _SQUID_HPUX_ /**************************************************************************** *--------------------------------------------------------------------------* diff -u -r -N squid-3.2.0.9/compat/os/linux.h squid-3.2.0.10/compat/os/linux.h --- squid-3.2.0.9/compat/os/linux.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/compat/os/linux.h 2011-07-24 17:46:11.000000000 +1200 @@ -1,7 +1,7 @@ #ifndef SQUID_OS_LINUX_H #define SQUID_OS_LINUX_H -#ifdef _SQUID_LINUX_ +#if _SQUID_LINUX_ /**************************************************************************** *--------------------------------------------------------------------------* diff -u -r -N squid-3.2.0.9/compat/os/macosx.h squid-3.2.0.10/compat/os/macosx.h --- squid-3.2.0.9/compat/os/macosx.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/compat/os/macosx.h 2011-07-24 17:46:11.000000000 +1200 
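Review bot: The include guard in compat/os/hpux.h does not match itself. The context lines of this hunk show `#ifndef SQUID_OS_HPUX_H` followed by `#define SQUID_OS_PHUX_H`, so the macro that is tested is never defined and the header is not protected against repeated inclusion. Since the commit already edits the line directly below, correct the spelling in the same change: `#define SQUID_OS_HPUX_H`. The rest of the header lies outside the hunk.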
@@ -1,7 +1,7 @@ #ifndef SQUID_OS_MACOSX_H #define SQUID_OS_MACOSX_H -#ifdef _SQUID_APPLE_ +#if _SQUID_APPLE_ /**************************************************************************** *--------------------------------------------------------------------------* diff -u -r -N squid-3.2.0.9/compat/os/netbsd.h squid-3.2.0.10/compat/os/netbsd.h --- squid-3.2.0.9/compat/os/netbsd.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/compat/os/netbsd.h 2011-07-24 17:46:11.000000000 +1200 @@ -1,7 +1,7 @@ #ifndef SQUID_OS_NETBSD_H #define SQUID_OS_NETBSD_H -#ifdef _SQUID_NETBSD_ +#if _SQUID_NETBSD_ /**************************************************************************** *--------------------------------------------------------------------------* diff -u -r -N squid-3.2.0.9/compat/os/next.h squid-3.2.0.10/compat/os/next.h --- squid-3.2.0.9/compat/os/next.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/compat/os/next.h 2011-07-24 17:46:11.000000000 +1200 @@ -1,7 +1,7 @@ #ifndef SQUID_OS_NEXT_H #define SQUID_OS_NEXT_H -#ifdef _SQUID_NEXT_ +#if _SQUID_NEXT_ /**************************************************************************** *--------------------------------------------------------------------------* diff -u -r -N squid-3.2.0.9/compat/os/openbsd.h squid-3.2.0.10/compat/os/openbsd.h --- squid-3.2.0.9/compat/os/openbsd.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/compat/os/openbsd.h 2011-07-24 17:46:11.000000000 +1200 @@ -1,7 +1,7 @@ #ifndef SQUID_OS_OPENBSD_H #define SQUID_OS_OPENBSD_H -#ifdef _SQUID_OPENBSD_ +#if _SQUID_OPENBSD_ /**************************************************************************** *--------------------------------------------------------------------------* diff -u -r -N squid-3.2.0.9/compat/os/os2.h squid-3.2.0.10/compat/os/os2.h --- squid-3.2.0.9/compat/os/os2.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/compat/os/os2.h 2011-07-24 17:46:11.000000000 +1200 
@@ -1,7 +1,7 @@ #ifndef SQUID_OS_OS2_H #define SQUID_OS_OS2_H -#ifdef _SQUID_OS2_ +#if _SQUID_OS2_ /**************************************************************************** *--------------------------------------------------------------------------* diff -u -r -N squid-3.2.0.9/compat/os/qnx.h squid-3.2.0.10/compat/os/qnx.h --- squid-3.2.0.9/compat/os/qnx.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/compat/os/qnx.h 2011-07-24 17:46:11.000000000 +1200 @@ -1,7 +1,7 @@ #ifndef SQUID_OS_QNX_H #define SQUID_OS_QNX_H -#ifdef _SQUID_QNX_ +#if _SQUID_QNX_ /**************************************************************************** *--------------------------------------------------------------------------* diff -u -r -N squid-3.2.0.9/compat/os/sunos.h squid-3.2.0.10/compat/os/sunos.h --- squid-3.2.0.9/compat/os/sunos.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/compat/os/sunos.h 2011-07-24 17:46:11.000000000 +1200 @@ -1,7 +1,7 @@ #ifndef SQUID_OS_SUNOS_H #define SQUID_OS_SUNOS_H -#ifdef _SQUID_SUNOS_ +#if _SQUID_SUNOS_ /**************************************************************************** *--------------------------------------------------------------------------* diff -u -r -N squid-3.2.0.9/compat/types.h squid-3.2.0.10/compat/types.h --- squid-3.2.0.9/compat/types.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/compat/types.h 2011-07-24 17:46:11.000000000 +1200 @@ -93,7 +93,7 @@ * "%lx" instead of "%llx" */ #ifndef PRId64 -#ifdef _SQUID_MSWIN_ /* Windows native port using MSVCRT */ +#if _SQUID_MSWIN_ /* Windows native port using MSVCRT */ #define PRId64 "I64d" #elif SIZEOF_INT64_T > SIZEOF_LONG #define PRId64 "lld" @@ -103,7 +103,7 @@ #endif #ifndef PRIu64 -#ifdef _SQUID_MSWIN_ /* Windows native port using MSVCRT */ +#if _SQUID_MSWIN_ /* Windows native port using MSVCRT */ #define PRIu64 "I64u" #elif SIZEOF_INT64_T > SIZEOF_LONG #define PRIu64 "llu" 
@@ -113,7 +113,7 @@ #endif #ifndef PRIX64 -#ifdef _SQUID_MSWIN_ /* Windows native port using MSVCRT */ +#if _SQUID_MSWIN_ /* Windows native port using MSVCRT */ #define PRIX64 "I64X" #elif SIZEOF_INT64_T > SIZEOF_LONG #define PRIX64 "llX" diff -u -r -N squid-3.2.0.9/configure squid-3.2.0.10/configure --- squid-3.2.0.9/configure 2011-06-18 20:17:06.000000000 +1200 +++ squid-3.2.0.10/configure 2011-07-24 17:47:28.000000000 +1200 @@ -1,7 +1,7 @@ #! /bin/sh # From configure.ac Revision. # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.68 for Squid Web Proxy 3.2.0.9. +# Generated by GNU Autoconf 2.68 for Squid Web Proxy 3.2.0.10. # # Report bugs to . # @@ -575,8 +575,8 @@ # Identity of this package. PACKAGE_NAME='Squid Web Proxy' PACKAGE_TARNAME='squid' -PACKAGE_VERSION='3.2.0.9' -PACKAGE_STRING='Squid Web Proxy 3.2.0.9' +PACKAGE_VERSION='3.2.0.10' +PACKAGE_STRING='Squid Web Proxy 3.2.0.10' PACKAGE_BUGREPORT='http://www.squid-cache.org/bugs/' PACKAGE_URL='' @@ -1569,7 +1569,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures Squid Web Proxy 3.2.0.9 to adapt to many kinds of systems. +\`configure' configures Squid Web Proxy 3.2.0.10 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1639,7 +1639,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of Squid Web Proxy 3.2.0.9:";; + short | recursive ) echo "Configuration of Squid Web Proxy 3.2.0.10:";; esac cat <<\_ACEOF @@ -2017,7 +2017,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -Squid Web Proxy configure 3.2.0.9 +Squid Web Proxy configure 3.2.0.10 generated by GNU Autoconf 2.68 Copyright (C) 2010 Free Software Foundation, Inc. 
@@ -3113,7 +3113,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by Squid Web Proxy $as_me 3.2.0.9, which was +It was created by Squid Web Proxy $as_me 3.2.0.10, which was generated by GNU Autoconf 2.68. Invocation command line was $ $0 $@ @@ -3932,7 +3932,7 @@ # Define the identity of the package. PACKAGE='squid' - VERSION='3.2.0.9' + VERSION='3.2.0.10' cat >>confdefs.h <<_ACEOF @@ -26667,14 +26667,14 @@ fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: ${use_ipng:=yes}" >&5 -$as_echo "${use_ipng:=yes}" >&6; } +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: ${enable_ipv6:=yes}" >&5 +$as_echo "${enable_ipv6:=yes}" >&6; } squid_tmp_define="" -case "$use_ipng" in +case "$enable_ipv6" in yes|true|1) squid_tmp_define="1" ;; no|false|0|"") squid_tmp_define="0" ;; - *) as_fn_error $? "SQUID_DEFINE_BOOL: unrecognized value for USE_IPV6: '$use_ipng'" "$LINENO" 5 ;; + *) as_fn_error $? "SQUID_DEFINE_BOOL: unrecognized value for USE_IPV6: '$enable_ipv6'" "$LINENO" 5 ;; esac cat >>confdefs.h <<_ACEOF @@ -26684,7 +26684,7 @@ unset squid_tmp_define -if test "x$use_ipng" = "xyes" ; then +if test "x$enable_ipv6" = "xyes" ; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for sin6_len field in struct sockaddr_in6" >&5 $as_echo_n "checking for sin6_len field in struct sockaddr_in6... " >&6; } @@ -26733,6 +26733,7 @@ unset squid_tmp_define +fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ss_len field in struct sockaddr_storage" >&5 $as_echo_n "checking for ss_len field in struct sockaddr_storage... " >&6; } @@ -26829,7 +26830,6 @@ unset squid_tmp_define -fi CRYPTLIB= 
@@ -30526,7 +30526,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by Squid Web Proxy $as_me 3.2.0.9, which was +This file was extended by Squid Web Proxy $as_me 3.2.0.10, which was generated by GNU Autoconf 2.68. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -30592,7 +30592,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -Squid Web Proxy config.status 3.2.0.9 +Squid Web Proxy config.status 3.2.0.10 configured by $0, generated by GNU Autoconf 2.68, with options \\"\$ac_cs_config\\" diff -u -r -N squid-3.2.0.9/configure.ac squid-3.2.0.10/configure.ac --- squid-3.2.0.9/configure.ac 2011-06-18 20:17:05.000000000 +1200 +++ squid-3.2.0.10/configure.ac 2011-07-24 17:47:28.000000000 +1200 @@ -3,7 +3,7 @@ dnl dnl dnl -AC_INIT([Squid Web Proxy],[3.2.0.9],[http://www.squid-cache.org/bugs/],[squid]) +AC_INIT([Squid Web Proxy],[3.2.0.10],[http://www.squid-cache.org/bugs/],[squid]) AC_PREREQ(2.61) AC_CONFIG_HEADERS([include/autoconf.h]) AC_CONFIG_AUX_DIR(cfgaux) 
@@ -2603,14 +2603,14 @@ AS_HELP_STRING([--disable-ipv6],[Disable IPv6 support. The default is to probe system capabilities on startup.]), [ SQUID_YESNO([$enableval],[unrecognized argument to --disable-ipv6: $enableval]) ]) -AC_MSG_RESULT(${use_ipng:=yes}) -SQUID_DEFINE_BOOL(USE_IPV6,$use_ipng,[Enable support for IPv6 ]) +AC_MSG_RESULT(${enable_ipv6:=yes}) +SQUID_DEFINE_BOOL(USE_IPV6,$enable_ipv6,[Enable support for IPv6 ]) -if test "x$use_ipng" = "xyes" ; then +if test "x$enable_ipv6" = "xyes" ; then SQUID_CHECK_SIN6_LEN_IN_SAI - SQUID_CHECK_SS_LEN_IN_SOCKADDR_STORAGE - SQUID_CHECK_SIN_LEN_IN_SOCKADDR_IN fi +SQUID_CHECK_SS_LEN_IN_SOCKADDR_STORAGE +SQUID_CHECK_SIN_LEN_IN_SOCKADDR_IN dnl Check for libcrypt diff -u -r -N squid-3.2.0.9/errors/af/error-details.txt squid-3.2.0.10/errors/af/error-details.txt --- squid-3.2.0.9/errors/af/error-details.txt 2011-06-18 20:20:58.000000000 +1200 +++ squid-3.2.0.10/errors/af/error-details.txt 2011-07-24 17:49:51.000000000 +1200 @@ -1,3 +1,7 @@ +name: SQUID_X509_V_ERR_DOMAIN_MISMATCH +detail: "%ssl_error_descr: %ssl_subject" +descr: "Certificate does not match domainname" + name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name" descr: "Unable to get issuer certificate" diff -u -r -N squid-3.2.0.9/errors/ar/error-details.txt squid-3.2.0.10/errors/ar/error-details.txt --- squid-3.2.0.9/errors/ar/error-details.txt 2011-06-18 20:21:37.000000000 +1200 +++ squid-3.2.0.10/errors/ar/error-details.txt 2011-07-24 17:50:22.000000000 +1200 
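Review bot: The guard `if test "x$enable_ipv6" = "xyes"` in configure.ac matches only the literal `yes`, while the generated configure in this same diff shows SQUID_DEFINE_BOOL also treating `true` and `1` as enabled. SQUID_YESNO is not visible here. If it lets either of those values through, USE_IPV6 would be defined to 1 while SQUID_CHECK_SIN6_LEN_IN_SAI is skipped; if it admits only yes/no, the two already agree and a one-line comment saying so would be enough. The ss_len and sin_len probes were also moved out of the conditional without explanation, so add a note such as `dnl these probes are needed even with --disable-ipv6`. The AC_ARG_ENABLE call begins above the hunk.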
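Review bot: The new `SQUID_X509_V_ERR_DOMAIN_MISMATCH` entry in errors/af/error-details.txt expands `%ssl_subject` inside `detail`, and that value presumably comes from the certificate presented by the remote server, so the peer chooses the text. The code that expands these macros is not part of this diff; confirm that it escapes the subject before the detail string is written into an HTML error page or a log line. The `descr` text would also read better as `"Certificate does not match domain name"`. The same entry is added unchanged to every other errors/*/error-details.txt in this diff.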
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate does not match domainname"
+
 name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
 detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
 descr: "Unable to get issuer certificate"
diff -u -r -N squid-3.2.0.9/errors/az/error-details.txt squid-3.2.0.10/errors/az/error-details.txt
--- squid-3.2.0.9/errors/az/error-details.txt 2011-06-18 20:22:21.000000000 +1200
+++ squid-3.2.0.10/errors/az/error-details.txt 2011-07-24 17:50:49.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate does not match domainname"
+
 name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
 detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
 descr: "Unable to get issuer certificate"
diff -u -r -N squid-3.2.0.9/errors/bg/error-details.txt squid-3.2.0.10/errors/bg/error-details.txt
--- squid-3.2.0.9/errors/bg/error-details.txt 2011-06-18 20:23:06.000000000 +1200
+++ squid-3.2.0.10/errors/bg/error-details.txt 2011-07-24 17:51:21.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate does not match domainname"
+
 name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
 detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
 descr: "Unable to get issuer certificate"
diff -u -r -N squid-3.2.0.9/errors/ca/error-details.txt squid-3.2.0.10/errors/ca/error-details.txt
--- squid-3.2.0.9/errors/ca/error-details.txt 2011-06-18 20:23:42.000000000 +1200
+++ squid-3.2.0.10/errors/ca/error-details.txt 2011-07-24 17:51:53.000000000 +1200
@@ -1,3 +1,7 @@ +name: SQUID_X509_V_ERR_DOMAIN_MISMATCH +detail: "%ssl_error_descr: %ssl_subject" +descr: "Certificate does not match domainname" + name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name" descr: "Unable to get issuer certificate" diff -u -r -N squid-3.2.0.9/errors/cs/error-details.txt squid-3.2.0.10/errors/cs/error-details.txt --- squid-3.2.0.9/errors/cs/error-details.txt 2011-06-18 20:24:22.000000000 +1200 +++ squid-3.2.0.10/errors/cs/error-details.txt 2011-07-24 17:52:19.000000000 +1200 @@ -1,3 +1,7 @@ +name: SQUID_X509_V_ERR_DOMAIN_MISMATCH +detail: "%ssl_error_descr: %ssl_subject" +descr: "Certificate does not match domainname" + name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name" descr: "Unable to get issuer certificate" diff -u -r -N squid-3.2.0.9/errors/da/error-details.txt squid-3.2.0.10/errors/da/error-details.txt --- squid-3.2.0.9/errors/da/error-details.txt 2011-06-18 20:24:57.000000000 +1200 +++ squid-3.2.0.10/errors/da/error-details.txt 2011-07-24 17:52:48.000000000 +1200 @@ -1,3 +1,7 @@ +name: SQUID_X509_V_ERR_DOMAIN_MISMATCH +detail: "%ssl_error_descr: %ssl_subject" +descr: "Certificate does not match domainname" + name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name" descr: "Unable to get issuer certificate" diff -u -r -N squid-3.2.0.9/errors/de/ERR_AGENT_CONFIGURE squid-3.2.0.10/errors/de/ERR_AGENT_CONFIGURE --- squid-3.2.0.9/errors/de/ERR_AGENT_CONFIGURE 2011-06-18 20:24:58.000000000 +1200 +++ squid-3.2.0.10/errors/de/ERR_AGENT_CONFIGURE 2011-07-24 17:52:49.000000000 +1200 @@ -1 +1 @@ - Webbrowserkonfiguration

FEHLER

Web Browser Configuration


Ihre Webbrowserkonfiguration muss korrigiert werden um dieses Netzwerk zu nutzen.

Wie sie diese Einstellung in ihrem Browser finden:

Für Firefox Browser gehen sie zu:
  • Extras -> Optionen -> Erweitert -> Netzwerk -> Verbindungseinstellungen
  • In the HTTP proxy box type the proxy name %h and port %b.
Für Internet Explorer Browser gehen sie zu:
  • Extras -> Internetoptionen -> Verbindung -> LAN Einstellungen ->Proxy
  • In the HTTP proxy box type the proxy name %h and port %b.
Für Opera Browser gehen sie zu:
  • Extras -> Einstellungen -> Erweitert -> Netzwerk -> Proxyserver
  • In the HTTP proxy box type the proxy name %h and port %b.

Ihr Cache Administrator ist %w.



\ No newline at end of file + Webbrowserkonfiguration

FEHLER

Web Browser Configuration


Ihre Webbrowserkonfiguration muss korrigiert werden um dieses Netzwerk zu nutzen.

Wie sie diese Einstellung in ihrem Browser finden:

Für Firefox Browser gehen sie zu:
  • Extras -> Optionen -> Erweitert -> Netzwerk -> Verbindungseinstellungen
  • Im HTTP Proxy Feld geben sie den Proxy Namen %h und Port %b ein.
Für Internet Explorer Browser gehen sie zu:
  • Extras -> Internetoptionen -> Verbindung -> LAN Einstellungen ->Proxy
  • In the HTTP proxy box type the proxy name %h and port %b.
Für Opera Browser gehen sie zu:
  • Extras -> Einstellungen -> Erweitert -> Netzwerk -> Proxyserver
  • In the HTTP proxy box type the proxy name %h and port %b.

Ihr Cache Administrator ist %w.



\ No newline at end of file diff -u -r -N squid-3.2.0.9/errors/de/ERR_AGENT_WPAD squid-3.2.0.10/errors/de/ERR_AGENT_WPAD --- squid-3.2.0.9/errors/de/ERR_AGENT_WPAD 2011-06-18 20:24:59.000000000 +1200 +++ squid-3.2.0.10/errors/de/ERR_AGENT_WPAD 2011-07-24 17:52:50.000000000 +1200 @@ -1 +1 @@ - Webbrowserkonfiguration

FEHLER

Web Browser Configuration


Ihre Webbrowserkonfiguration muss korrigiert werden um dieses Netzwerk zu nutzen.

Wie sie diese Einstellung in ihrem Browser finden:

Für Firefox Browser gehen sie zu:
  • Extras -> Optionen -> Erweitert -> Netzwerk -> Verbindungseinstellungen
  • Select Auto-detect proxy settings for this network
Für Internet Explorer Browser gehen sie zu:
  • Extras -> Internetoptionen -> Verbindung -> LAN Einstellungen ->Proxy
  • Automatische Suche von Einstellungen
Für Opera Browser gehen sie zu:
  • Extras -> Einstellungen -> Erweitert -> Netzwerk -> Proxyserver
  • Automatisches Konfigurationsskript verwenden

Ihr Cache Administrator ist %w.



\ No newline at end of file + Webbrowserkonfiguration

FEHLER

Web Browser Configuration


Ihre Webbrowserkonfiguration muss korrigiert werden um dieses Netzwerk zu nutzen.

Wie sie diese Einstellung in ihrem Browser finden:

Für Firefox Browser gehen sie zu:
  • Extras -> Optionen -> Erweitert -> Netzwerk -> Verbindungseinstellungen
  • Wählen sie Automatische Suche von Einstellungen für dieses Netzwerk
Für Internet Explorer Browser gehen sie zu:
  • Extras -> Internetoptionen -> Verbindung -> LAN Einstellungen ->Proxy
  • Automatische Suche von Einstellungen
Für Opera Browser gehen sie zu:
  • Extras -> Einstellungen -> Erweitert -> Netzwerk -> Proxyserver
  • Automatisches Konfigurationsskript verwenden

Ihr Cache Administrator ist %w.



\ No newline at end of file diff -u -r -N squid-3.2.0.9/errors/de/ERR_FTP_PUT_CREATED squid-3.2.0.10/errors/de/ERR_FTP_PUT_CREATED --- squid-3.2.0.9/errors/de/ERR_FTP_PUT_CREATED 2011-06-18 20:25:11.000000000 +1200 +++ squid-3.2.0.10/errors/de/ERR_FTP_PUT_CREATED 2011-07-24 17:53:00.000000000 +1200 @@ -1 +1 @@ - FTP PUT Successful.

Operation Erfolgreich

Datei erstellt




\ No newline at end of file + FTP PUT Erfolgreich.

Operation Erfolgreich

Datei erstellt




\ No newline at end of file diff -u -r -N squid-3.2.0.9/errors/de/ERR_FTP_PUT_ERROR squid-3.2.0.10/errors/de/ERR_FTP_PUT_ERROR --- squid-3.2.0.9/errors/de/ERR_FTP_PUT_ERROR 2011-06-18 20:25:11.000000000 +1200 +++ squid-3.2.0.10/errors/de/ERR_FTP_PUT_ERROR 2011-07-24 17:53:01.000000000 +1200 @@ -1 +1 @@ - FEHLER: FTP upload failed

ERROR

FTP PUT upload failed


Ein FTP Protokollfehler ist bei der URL %U aufgetreten.

Squid sendete das folgende FTP Kommando:

%f

Der Server antwortete:

%F

Das heißt, dass der FTP Server keine Berechtigung oder nicht genug Plattenplatz zum Speichern der Datei zur Verfügung hat. Überprüfen sie Pfad, Berechtigungen und Plattenplatz und wiederholen sie die Anfrage.

Ihr Cache Administrator ist %w.



\ No newline at end of file + FEHLER: FTP upload failed

ERROR

FTP PUT Upload fehlgeschlagen


Ein FTP Protokollfehler ist bei der URL %U aufgetreten.

Squid sendete das folgende FTP Kommando:

%f

Der Server antwortete:

%F

Das heißt, dass der FTP Server keine Berechtigung oder nicht genug Plattenplatz zum Speichern der Datei zur Verfügung hat. Überprüfen sie Pfad, Berechtigungen und Plattenplatz und wiederholen sie die Anfrage.

Ihr Cache Administrator ist %w.



\ No newline at end of file diff -u -r -N squid-3.2.0.9/errors/de/ERR_FTP_PUT_MODIFIED squid-3.2.0.10/errors/de/ERR_FTP_PUT_MODIFIED --- squid-3.2.0.9/errors/de/ERR_FTP_PUT_MODIFIED 2011-06-18 20:25:12.000000000 +1200 +++ squid-3.2.0.10/errors/de/ERR_FTP_PUT_MODIFIED 2011-07-24 17:53:02.000000000 +1200 @@ -1 +1 @@ - FTP PUT Successful.

Operation Erfolgreich

Datei aktualisiert




\ No newline at end of file + FTP PUT Erfolgreich.

Operation Erfolgreich

Datei aktualisiert




\ No newline at end of file diff -u -r -N squid-3.2.0.9/errors/de/ERR_GATEWAY_FAILURE squid-3.2.0.10/errors/de/ERR_GATEWAY_FAILURE --- squid-3.2.0.9/errors/de/ERR_GATEWAY_FAILURE 2011-06-18 20:25:14.000000000 +1200 +++ squid-3.2.0.10/errors/de/ERR_GATEWAY_FAILURE 2011-07-24 17:53:04.000000000 +1200 @@ -1 +1 @@ - FEHLER: Die angeforderte URL konnte nicht gefunden werden

ERROR

The requested URL could not be retrieved


Der folgende Fehler wurde beim Versuch die URL %U zu holen festgestellt:

Gateway Proxy Failure

A non-recoverable internal failure or configuration problem prevents this request from being completed.

This may be due to limits established by the Internet Service Provider who operates this cache. Please contact them directly for more information.

Ihr Cache Administrator ist %w.



\ No newline at end of file + FEHLER: Die angeforderte URL konnte nicht gefunden werden

ERROR

The requested URL could not be retrieved


Der folgende Fehler wurde beim Versuch die URL %U zu holen festgestellt:

Gateway Proxy Failure

Ein nicht-behebbarer interner Fehler oder ein Konfigurationsproblem verhindert die Ausführung der Anfrage.

This may be due to limits established by the Internet Service Provider who operates this cache. Please contact them directly for more information.

Ihr Cache Administrator ist %w.



\ No newline at end of file diff -u -r -N squid-3.2.0.9/errors/de/error-details.txt squid-3.2.0.10/errors/de/error-details.txt --- squid-3.2.0.9/errors/de/error-details.txt 2011-06-18 20:25:33.000000000 +1200 +++ squid-3.2.0.10/errors/de/error-details.txt 2011-07-24 17:53:24.000000000 +1200 @@ -1,3 +1,7 @@ +name: SQUID_X509_V_ERR_DOMAIN_MISMATCH +detail: "%ssl_error_descr: %ssl_subject" +descr: "Certificate does not match domainname" + name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name" descr: "Unable to get issuer certificate" diff -u -r -N squid-3.2.0.9/errors/de/ERR_PRECONDITION_FAILED squid-3.2.0.10/errors/de/ERR_PRECONDITION_FAILED --- squid-3.2.0.9/errors/de/ERR_PRECONDITION_FAILED 2011-06-18 20:25:22.000000000 +1200 +++ squid-3.2.0.10/errors/de/ERR_PRECONDITION_FAILED 2011-07-24 17:53:13.000000000 +1200 @@ -1 +1 @@ - FEHLER: Die angeforderte URL konnte nicht gefunden werden

ERROR

The requested URL could not be retrieved


Der folgende Fehler wurde beim Versuch die URL %U zu holen festgestellt:

Precondition Failed.

This means:

At least one precondition specified by the HTTP client in the request header has failed.



\ No newline at end of file + FEHLER: Die angeforderte URL konnte nicht gefunden werden

ERROR

The requested URL could not be retrieved


Der folgende Fehler wurde beim Versuch die URL %U zu holen festgestellt:

Bedingung nicht Erfüllt.

Dies Bedeutet:

Mindestens eine Bedingung, die vom HTTP Client vorrausgesetzt wird, wurde nicht erfüllt.



\ No newline at end of file diff -u -r -N squid-3.2.0.9/errors/el/error-details.txt squid-3.2.0.10/errors/el/error-details.txt --- squid-3.2.0.9/errors/el/error-details.txt 2011-06-18 20:26:19.000000000 +1200 +++ squid-3.2.0.10/errors/el/error-details.txt 2011-07-24 17:54:09.000000000 +1200 @@ -1,3 +1,7 @@ +name: SQUID_X509_V_ERR_DOMAIN_MISMATCH +detail: "%ssl_error_descr: %ssl_subject" +descr: "Certificate does not match domainname" + name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name" descr: "Unable to get issuer certificate" diff -u -r -N squid-3.2.0.9/errors/en/error-details.txt squid-3.2.0.10/errors/en/error-details.txt --- squid-3.2.0.9/errors/en/error-details.txt 2011-06-18 20:27:28.000000000 +1200 +++ squid-3.2.0.10/errors/en/error-details.txt 2011-07-24 17:54:49.000000000 +1200 @@ -1,3 +1,7 @@ +name: SQUID_X509_V_ERR_DOMAIN_MISMATCH +detail: "%ssl_error_descr: %ssl_subject" +descr: "Certificate does not match domainname" + name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name" descr: "Unable to get issuer certificate" diff -u -r -N squid-3.2.0.9/errors/es/error-details.txt squid-3.2.0.10/errors/es/error-details.txt --- squid-3.2.0.9/errors/es/error-details.txt 2011-06-18 20:28:35.000000000 +1200 +++ squid-3.2.0.10/errors/es/error-details.txt 2011-07-24 17:55:30.000000000 +1200 
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate does not match domainname"
+
 name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
 detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
 descr: "Unable to get issuer certificate"
diff -u -r -N squid-3.2.0.9/errors/et/error-details.txt squid-3.2.0.10/errors/et/error-details.txt
--- squid-3.2.0.9/errors/et/error-details.txt 2011-06-18 20:29:42.000000000 +1200
+++ squid-3.2.0.10/errors/et/error-details.txt 2011-07-24 17:56:06.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate does not match domainname"
+
 name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
 detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
 descr: "Unable to get issuer certificate"
diff -u -r -N squid-3.2.0.9/errors/fa/error-details.txt squid-3.2.0.10/errors/fa/error-details.txt
--- squid-3.2.0.9/errors/fa/error-details.txt 2011-06-18 20:30:46.000000000 +1200
+++ squid-3.2.0.10/errors/fa/error-details.txt 2011-07-24 17:56:52.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate does not match domainname"
+
 name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
 detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
 descr: "Unable to get issuer certificate"
diff -u -r -N squid-3.2.0.9/errors/fi/error-details.txt squid-3.2.0.10/errors/fi/error-details.txt
--- squid-3.2.0.9/errors/fi/error-details.txt 2011-06-18 20:31:48.000000000 +1200
+++ squid-3.2.0.10/errors/fi/error-details.txt 2011-07-24 17:57:34.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate does not match domainname"
+
 name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
 detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
 descr: "Unable to get issuer certificate"
diff -u -r -N squid-3.2.0.9/errors/fr/error-details.txt squid-3.2.0.10/errors/fr/error-details.txt
--- squid-3.2.0.9/errors/fr/error-details.txt 2011-06-18 20:32:54.000000000 +1200
+++ squid-3.2.0.10/errors/fr/error-details.txt 2011-07-24 17:58:17.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate does not match domainname"
+
 name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
 detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
 descr: "Unable to get issuer certificate"
diff -u -r -N squid-3.2.0.9/errors/he/error-details.txt squid-3.2.0.10/errors/he/error-details.txt
--- squid-3.2.0.9/errors/he/error-details.txt 2011-06-18 20:33:57.000000000 +1200
+++ squid-3.2.0.10/errors/he/error-details.txt 2011-07-24 17:58:54.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate does not match domainname"
+
 name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
 detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
 descr: "Unable to get issuer certificate"
diff -u -r -N squid-3.2.0.9/errors/hu/error-details.txt squid-3.2.0.10/errors/hu/error-details.txt
--- squid-3.2.0.9/errors/hu/error-details.txt 2011-06-18 20:34:57.000000000 +1200
+++ squid-3.2.0.10/errors/hu/error-details.txt 2011-07-24 17:59:31.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate does not match domainname"
+
 name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
 detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
 descr: "Unable to get issuer certificate"
diff -u -r -N squid-3.2.0.9/errors/hy/error-details.txt squid-3.2.0.10/errors/hy/error-details.txt
--- squid-3.2.0.9/errors/hy/error-details.txt 2011-06-18 20:36:06.000000000 +1200
+++ squid-3.2.0.10/errors/hy/error-details.txt 2011-07-24 18:00:42.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate does not match domainname"
+
 name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
 detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
 descr: "Unable to get issuer certificate"
diff -u -r -N squid-3.2.0.9/errors/id/error-details.txt squid-3.2.0.10/errors/id/error-details.txt
--- squid-3.2.0.9/errors/id/error-details.txt 2011-06-18 20:37:06.000000000 +1200
+++ squid-3.2.0.10/errors/id/error-details.txt 2011-07-24 18:01:36.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate does not match domainname"
+
 name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
 detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
 descr: "Unable to get issuer certificate"
diff -u -r -N squid-3.2.0.9/errors/it/error-details.txt squid-3.2.0.10/errors/it/error-details.txt
--- squid-3.2.0.9/errors/it/error-details.txt 2011-06-18 20:38:10.000000000 +1200
+++ squid-3.2.0.10/errors/it/error-details.txt 2011-07-24 18:02:08.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate does not match domainname"
+
 name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
 detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
 descr: "Unable to get issuer certificate"
diff -u -r -N squid-3.2.0.9/errors/ja/error-details.txt squid-3.2.0.10/errors/ja/error-details.txt
--- squid-3.2.0.9/errors/ja/error-details.txt 2011-06-18 20:39:15.000000000 +1200
+++ squid-3.2.0.10/errors/ja/error-details.txt 2011-07-24 18:02:38.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate does not match domainname"
+
 name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
 detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
 descr: "Unable to get issuer certificate"
diff -u -r -N squid-3.2.0.9/errors/ko/error-details.txt squid-3.2.0.10/errors/ko/error-details.txt
--- squid-3.2.0.9/errors/ko/error-details.txt 2011-06-18 20:40:20.000000000 +1200
+++ squid-3.2.0.10/errors/ko/error-details.txt 2011-07-24 18:03:05.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate does not match domainname"
+
 name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
 detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
 descr: "Unable to get issuer certificate"
diff -u -r -N squid-3.2.0.9/errors/lt/error-details.txt squid-3.2.0.10/errors/lt/error-details.txt
--- squid-3.2.0.9/errors/lt/error-details.txt 2011-06-18 20:41:22.000000000 +1200
+++ squid-3.2.0.10/errors/lt/error-details.txt 2011-07-24 18:03:33.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate does not match domainname"
+
 name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
 detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
 descr: "Unable to get issuer certificate"
diff -u -r -N squid-3.2.0.9/errors/lv/error-details.txt squid-3.2.0.10/errors/lv/error-details.txt
--- squid-3.2.0.9/errors/lv/error-details.txt 2011-06-18 20:42:19.000000000 +1200
+++ squid-3.2.0.10/errors/lv/error-details.txt 2011-07-24 18:03:59.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate does not match domainname"
+
 name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
 detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
 descr: "Unable to get issuer certificate"
diff -u -r -N squid-3.2.0.9/errors/ms/error-details.txt squid-3.2.0.10/errors/ms/error-details.txt
--- squid-3.2.0.9/errors/ms/error-details.txt 2011-06-18 20:43:13.000000000 +1200
+++ squid-3.2.0.10/errors/ms/error-details.txt 2011-07-24 18:04:24.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate does not match domainname"
+
 name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
 detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
 descr: "Unable to get issuer certificate"
diff -u -r -N squid-3.2.0.9/errors/nl/error-details.txt squid-3.2.0.10/errors/nl/error-details.txt
--- squid-3.2.0.9/errors/nl/error-details.txt 2011-06-18 20:44:10.000000000 +1200
+++ squid-3.2.0.10/errors/nl/error-details.txt 2011-07-24 18:04:51.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate does not match domainname"
+
 name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
 detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
 descr: "Unable to get issuer certificate"
diff -u -r -N squid-3.2.0.9/errors/oc/error-details.txt squid-3.2.0.10/errors/oc/error-details.txt
--- squid-3.2.0.9/errors/oc/error-details.txt 2011-06-18 20:45:14.000000000 +1200
+++ squid-3.2.0.10/errors/oc/error-details.txt 2011-07-24 18:05:42.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate does not match domainname"
+
 name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
 detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
 descr: "Unable to get issuer certificate"
diff -u -r -N squid-3.2.0.9/errors/pl/error-details.txt squid-3.2.0.10/errors/pl/error-details.txt
--- squid-3.2.0.9/errors/pl/error-details.txt 2011-06-18 20:46:14.000000000 +1200
+++ squid-3.2.0.10/errors/pl/error-details.txt 2011-07-24 18:06:30.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate does not match domainname"
+
 name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
 detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
 descr: "Unable to get issuer certificate"
diff -u -r -N squid-3.2.0.9/errors/pt/error-details.txt squid-3.2.0.10/errors/pt/error-details.txt
--- squid-3.2.0.9/errors/pt/error-details.txt 2011-06-18 20:48:22.000000000 +1200
+++ squid-3.2.0.10/errors/pt/error-details.txt 2011-07-24 18:08:09.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate does not match domainname"
+
 name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
 detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
 descr: "Unable to get issuer certificate"
diff -u -r -N squid-3.2.0.9/errors/pt-br/error-details.txt squid-3.2.0.10/errors/pt-br/error-details.txt
--- squid-3.2.0.9/errors/pt-br/error-details.txt 2011-06-18 20:47:15.000000000 +1200
+++ squid-3.2.0.10/errors/pt-br/error-details.txt 2011-07-24 18:07:20.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate does not match domainname"
+
 name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
 detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
 descr: "Unable to get issuer certificate"
diff -u -r -N squid-3.2.0.9/errors/ro/error-details.txt squid-3.2.0.10/errors/ro/error-details.txt
--- squid-3.2.0.9/errors/ro/error-details.txt 2011-06-18 20:49:40.000000000 +1200
+++ squid-3.2.0.10/errors/ro/error-details.txt 2011-07-24 18:08:59.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate does not match domainname"
+
 name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
 detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
 descr: "Unable to get issuer certificate"
diff -u -r -N squid-3.2.0.9/errors/ru/error-details.txt squid-3.2.0.10/errors/ru/error-details.txt
--- squid-3.2.0.9/errors/ru/error-details.txt 2011-06-18 20:50:54.000000000 +1200
+++ squid-3.2.0.10/errors/ru/error-details.txt 2011-07-24 18:09:52.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate does not match domainname"
+
 name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
 detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
 descr: "Unable to get issuer certificate"
diff -u -r -N squid-3.2.0.9/errors/sk/error-details.txt squid-3.2.0.10/errors/sk/error-details.txt
--- squid-3.2.0.9/errors/sk/error-details.txt 2011-06-18 20:51:30.000000000 +1200
+++ squid-3.2.0.10/errors/sk/error-details.txt 2011-07-24 18:10:45.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate does not match domainname"
+
 name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
 detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
 descr: "Unable to get issuer certificate"
diff -u -r -N squid-3.2.0.9/errors/sl/error-details.txt squid-3.2.0.10/errors/sl/error-details.txt
--- squid-3.2.0.9/errors/sl/error-details.txt 2011-06-18 20:52:03.000000000 +1200
+++ squid-3.2.0.10/errors/sl/error-details.txt 2011-07-24 18:11:36.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate does not match domainname"
+
 name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
 detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
 descr: "Unable to get issuer certificate"
diff -u -r -N squid-3.2.0.9/errors/sr-cyrl/error-details.txt squid-3.2.0.10/errors/sr-cyrl/error-details.txt
--- squid-3.2.0.9/errors/sr-cyrl/error-details.txt 2011-06-18 20:52:36.000000000 +1200
+++ squid-3.2.0.10/errors/sr-cyrl/error-details.txt 2011-07-24 18:12:27.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate does not match domainname"
+
 name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
 detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
 descr: "Unable to get issuer certificate"
diff -u -r -N squid-3.2.0.9/errors/sr-latn/error-details.txt squid-3.2.0.10/errors/sr-latn/error-details.txt
--- squid-3.2.0.9/errors/sr-latn/error-details.txt 2011-06-18 20:53:15.000000000 +1200
+++ squid-3.2.0.10/errors/sr-latn/error-details.txt 2011-07-24 18:13:17.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate does not match domainname"
+
 name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
 detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
 descr: "Unable to get issuer certificate"
diff -u -r -N squid-3.2.0.9/errors/sv/error-details.txt squid-3.2.0.10/errors/sv/error-details.txt
--- squid-3.2.0.9/errors/sv/error-details.txt 2011-06-18 20:53:55.000000000 +1200
+++ squid-3.2.0.10/errors/sv/error-details.txt 2011-07-24 18:14:07.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate does not match domainname"
+
 name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
 detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
 descr: "Unable to get issuer certificate"
diff -u -r -N squid-3.2.0.9/errors/templates/error-details.txt squid-3.2.0.10/errors/templates/error-details.txt
--- squid-3.2.0.9/errors/templates/error-details.txt 2011-06-18 20:13:34.000000000 +1200
+++ squid-3.2.0.10/errors/templates/error-details.txt 2011-07-24 17:46:11.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate does not match domainname"
+
 name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
 detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
 descr: "Unable to get issuer certificate"
diff -u -r -N squid-3.2.0.9/errors/th/error-details.txt squid-3.2.0.10/errors/th/error-details.txt
--- squid-3.2.0.9/errors/th/error-details.txt 2011-06-18 20:54:32.000000000 +1200
+++ squid-3.2.0.10/errors/th/error-details.txt 2011-07-24 18:14:58.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate does not match domainname"
+
 name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
 detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
 descr: "Unable to get issuer certificate"
diff -u -r -N squid-3.2.0.9/errors/tr/error-details.txt squid-3.2.0.10/errors/tr/error-details.txt
--- squid-3.2.0.9/errors/tr/error-details.txt 2011-06-18 20:55:12.000000000 +1200
+++ squid-3.2.0.10/errors/tr/error-details.txt 2011-07-24 18:15:56.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate does not match domainname"
+
 name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
 detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
 descr: "Unable to get issuer certificate"
diff -u -r -N squid-3.2.0.9/errors/uk/error-details.txt squid-3.2.0.10/errors/uk/error-details.txt
--- squid-3.2.0.9/errors/uk/error-details.txt 2011-06-18 20:55:38.000000000 +1200
+++ squid-3.2.0.10/errors/uk/error-details.txt 2011-07-24 18:16:50.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate does not match domainname"
+
 name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
 detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
 descr: "Unable to get issuer certificate"
diff -u -r -N squid-3.2.0.9/errors/uz/error-details.txt squid-3.2.0.10/errors/uz/error-details.txt
--- squid-3.2.0.9/errors/uz/error-details.txt 2011-06-18 20:56:06.000000000 +1200
+++ squid-3.2.0.10/errors/uz/error-details.txt 2011-07-24 18:17:41.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate does not match domainname"
+
 name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
 detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
 descr: "Unable to get issuer certificate"
diff -u -r -N squid-3.2.0.9/errors/vi/error-details.txt squid-3.2.0.10/errors/vi/error-details.txt
--- squid-3.2.0.9/errors/vi/error-details.txt 2011-06-18 20:56:39.000000000 +1200
+++ squid-3.2.0.10/errors/vi/error-details.txt 2011-07-24 18:18:32.000000000 +1200
@@ -1,3 +1,7 @@
+name: SQUID_X509_V_ERR_DOMAIN_MISMATCH
+detail: "%ssl_error_descr: %ssl_subject"
+descr: "Certificate does not match domainname"
+
 name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
 detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name"
 descr: "Unable to get issuer certificate"
diff -u -r -N squid-3.2.0.9/errors/zh-cn/error-details.txt squid-3.2.0.10/errors/zh-cn/error-details.txt
--- squid-3.2.0.9/errors/zh-cn/error-details.txt 2011-06-18 20:57:27.000000000 +1200
+++ squid-3.2.0.10/errors/zh-cn/error-details.txt 2011-07-24 18:19:21.000000000 +1200
@@ -1,3 +1,7 @@ +name: SQUID_X509_V_ERR_DOMAIN_MISMATCH +detail: "%ssl_error_descr: %ssl_subject" +descr: "Certificate does not match domainname" + name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name" descr: "Unable to get issuer certificate" diff -u -r -N squid-3.2.0.9/errors/zh-tw/error-details.txt squid-3.2.0.10/errors/zh-tw/error-details.txt --- squid-3.2.0.9/errors/zh-tw/error-details.txt 2011-06-18 20:58:14.000000000 +1200 +++ squid-3.2.0.10/errors/zh-tw/error-details.txt 2011-07-24 18:20:13.000000000 +1200 @@ -1,3 +1,7 @@ +name: SQUID_X509_V_ERR_DOMAIN_MISMATCH +detail: "%ssl_error_descr: %ssl_subject" +descr: "Certificate does not match domainname" + name: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT detail: "SSL Certficate error: certificate issuer (CA) not known: %ssl_ca_name" descr: "Unable to get issuer certificate" diff -u -r -N squid-3.2.0.9/helpers/basic_auth/DB/basic_db_auth.8 squid-3.2.0.10/helpers/basic_auth/DB/basic_db_auth.8 --- squid-3.2.0.9/helpers/basic_auth/DB/basic_db_auth.8 2011-06-18 20:58:21.000000000 +1200 +++ squid-3.2.0.10/helpers/basic_auth/DB/basic_db_auth.8 2011-07-24 18:20:18.000000000 +1200 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BASIC_DB_AUTH 1" -.TH BASIC_DB_AUTH 1 "2011-06-18" "perl v5.10.1" "User Contributed Perl Documentation" +.TH BASIC_DB_AUTH 1 "2011-07-24" "perl v5.10.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.2.0.9/helpers/basic_auth/LDAP/basic_ldap_auth.cc squid-3.2.0.10/helpers/basic_auth/LDAP/basic_ldap_auth.cc --- squid-3.2.0.9/helpers/basic_auth/LDAP/basic_ldap_auth.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/helpers/basic_auth/LDAP/basic_ldap_auth.cc 2011-07-24 17:46:11.000000000 +1200 
@@ -93,7 +93,7 @@ #include #include -#ifdef _SQUID_MSWIN_ /* Native Windows port and MinGW */ +#if _SQUID_MSWIN_ /* Native Windows port and MinGW */ #define snprintf _snprintf #include @@ -554,7 +554,7 @@ /* On Windows ldap_start_tls_s is available starting from Windows XP, * so we need to bind at run-time with the function entry point */ -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ if (use_tls) { HMODULE WLDAP32Handle; diff -u -r -N squid-3.2.0.9/helpers/basic_auth/RADIUS/basic_radius_auth.cc squid-3.2.0.10/helpers/basic_auth/RADIUS/basic_radius_auth.cc --- squid-3.2.0.9/helpers/basic_auth/RADIUS/basic_radius_auth.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/helpers/basic_auth/RADIUS/basic_radius_auth.cc 2011-07-24 17:46:11.000000000 +1200 @@ -120,14 +120,14 @@ char progname[] = "basic_radius_auth"; -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ void Win32SockCleanup(void) { WSACleanup(); return; } -#endif /* ifdef _SQUID_MSWIN_ */ +#endif /* * Diff two timeval, b - a @@ -498,7 +498,7 @@ fprintf(stderr, "FATAL: %s: Shared secret not specified\n", argv[0]); exit(1); } -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ { WSADATA wsaData; WSAStartup(2, &wsaData); diff -u -r -N squid-3.2.0.9/helpers/basic_auth/SSPI/valid.h squid-3.2.0.10/helpers/basic_auth/SSPI/valid.h --- squid-3.2.0.9/helpers/basic_auth/SSPI/valid.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/helpers/basic_auth/SSPI/valid.h 2011-07-24 17:46:11.000000000 +1200 @@ -88,7 +88,7 @@ debug(char *format,...) { #ifdef DEBUG -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ if (debug_enabled) { va_list args; diff -u -r -N squid-3.2.0.9/helpers/digest_auth/eDirectory/edir_ldapext.cc squid-3.2.0.10/helpers/digest_auth/eDirectory/edir_ldapext.cc --- squid-3.2.0.9/helpers/digest_auth/eDirectory/edir_ldapext.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/helpers/digest_auth/eDirectory/edir_ldapext.cc 2011-07-24 17:46:11.000000000 +1200 
@@ -26,7 +26,7 @@ #include "digest_common.h" -#ifdef _SQUID_MSWIN_ /* Native Windows port and MinGW */ +#if _SQUID_MSWIN_ /* Native Windows port and MinGW */ #define snprintf _snprintf #include diff -u -r -N squid-3.2.0.9/helpers/digest_auth/eDirectory/ldap_backend.cc squid-3.2.0.10/helpers/digest_auth/eDirectory/ldap_backend.cc --- squid-3.2.0.9/helpers/digest_auth/eDirectory/ldap_backend.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/helpers/digest_auth/eDirectory/ldap_backend.cc 2011-07-24 17:46:11.000000000 +1200 @@ -11,7 +11,7 @@ #include "ldap_backend.h" -#ifdef _SQUID_MSWIN_ /* Native Windows port and MinGW */ +#if _SQUID_MSWIN_ /* Native Windows port and MinGW */ #define snprintf _snprintf #include @@ -329,7 +329,7 @@ /* On Windows ldap_start_tls_s is available starting from Windows XP, * so we need to bind at run-time with the function entry point */ -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ if (use_tls) { HMODULE WLDAP32Handle; diff -u -r -N squid-3.2.0.9/helpers/digest_auth/LDAP/ldap_backend.cc squid-3.2.0.10/helpers/digest_auth/LDAP/ldap_backend.cc --- squid-3.2.0.9/helpers/digest_auth/LDAP/ldap_backend.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/helpers/digest_auth/LDAP/ldap_backend.cc 2011-07-24 17:46:11.000000000 +1200 @@ -12,7 +12,7 @@ #include "ldap_backend.h" -#ifdef _SQUID_MSWIN_ /* Native Windows port and MinGW */ +#if _SQUID_MSWIN_ /* Native Windows port and MinGW */ #define snprintf _snprintf #include 
@@ -301,7 +301,7 @@ /* On Windows ldap_start_tls_s is available starting from Windows XP, * so we need to bind at run-time with the function entry point */ -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ if (use_tls) { HMODULE WLDAP32Handle; diff -u -r -N squid-3.2.0.9/helpers/external_acl/kerberos_ldap_group/config.test squid-3.2.0.10/helpers/external_acl/kerberos_ldap_group/config.test --- squid-3.2.0.9/helpers/external_acl/kerberos_ldap_group/config.test 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/helpers/external_acl/kerberos_ldap_group/config.test 2011-07-24 17:46:11.000000000 +1200 @@ -12,6 +12,9 @@ if [ -f /usr/lib/libsasl.so -o -f /usr/lib/libsasl2.so ]; then exit 0 fi + if [ -f /usr/lib64/libsasl.so -o -f /usr/lib64/libsasl2.so ]; then + exit 0 + fi if [ -f /usr/local/lib/libsasl.so -o -f /usr/local/lib/libsasl2.so ]; then exit 0 fi diff -u -r -N squid-3.2.0.9/helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc squid-3.2.0.10/helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc --- squid-3.2.0.9/helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/helpers/external_acl/kerberos_ldap_group/kerberos_ldap_group.cc 2011-07-24 17:46:11.000000000 +1200 @@ -237,7 +237,7 @@ init_args(&margs); - while (-1 != (opt = getopt(argc, argv, "diasg:D:N:u:U:t:T:p:l:b:m:h"))) { + while (-1 != (opt = getopt(argc, argv, "diasg:D:N:S:u:U:t:T:p:l:b:m:h"))) { switch (opt) { case 'd': debug_enabled = 1; diff -u -r -N squid-3.2.0.9/helpers/external_acl/kerberos_ldap_group/support.h squid-3.2.0.10/helpers/external_acl/kerberos_ldap_group/support.h --- squid-3.2.0.9/helpers/external_acl/kerberos_ldap_group/support.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/helpers/external_acl/kerberos_ldap_group/support.h 2011-07-24 17:46:11.000000000 +1200 
@@ -28,24 +28,6 @@ #include #endif -#if HAVE_GSSAPI_GSSAPI_H -#include -#elif HAVE_GSSAPI_H -#include -#endif /* HAVE_GSSAPI_GSSAPI_H/HAVE_GSSAPI_H */ - -#if !HAVE_HEIMDAL_KERBEROS -#if HAVE_GSSAPI_GSSAPI_KRB5_H -#include -#endif -#if HAVE_GSSAPI_GSSAPI_GENERIC_H -#include -#endif -#if HAVE_GSSAPI_GSSAPI_EXT_H -#include -#endif -#endif - #if HAVE_KRB5_H #if HAVE_BROKEN_SOLARIS_KRB5_H #warn "Warning! You have a broken Solaris system header" @@ -71,10 +53,6 @@ #define error_message(code) krb5_get_err_text(kparam.context,code) #endif /* HAVE_COM_ERR_H */ -#ifndef gss_nt_service_name -#define gss_nt_service_name GSS_C_NT_HOSTBASED_SERVICE -#endif - #define LDAP_DEPRECATED 1 #ifdef HAVE_LDAP_REBIND_FUNCTION #define LDAP_REFERRALS @@ -180,8 +158,10 @@ int create_nd(struct main_args *margs); int create_ls(struct main_args *margs); +#ifdef HAVE_KRB5 int krb5_create_cache(struct main_args *margs, char *domain); void krb5_cleanup(void); +#endif int get_ldap_hostname_list(struct main_args *margs, struct hstruct **hlist, int nhosts, char *domain); int get_hostname_list(struct main_args *margs, struct hstruct **hlist, int nhosts, char *name); diff -u -r -N squid-3.2.0.9/helpers/external_acl/kerberos_ldap_group/support_krb5.cc squid-3.2.0.10/helpers/external_acl/kerberos_ldap_group/support_krb5.cc --- squid-3.2.0.9/helpers/external_acl/kerberos_ldap_group/support_krb5.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/helpers/external_acl/kerberos_ldap_group/support_krb5.cc 2011-07-24 17:46:11.000000000 +1200 
@@ -25,7 +25,7 @@ #include "config.h" #include "util.h" -#ifdef HAVE_LDAP +#if defined(HAVE_LDAP) && defined(HAVE_KRB5) #include "support.h" diff -u -r -N squid-3.2.0.9/helpers/external_acl/kerberos_ldap_group/support_ldap.cc squid-3.2.0.10/helpers/external_acl/kerberos_ldap_group/support_ldap.cc --- squid-3.2.0.9/helpers/external_acl/kerberos_ldap_group/support_ldap.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/helpers/external_acl/kerberos_ldap_group/support_ldap.cc 2011-07-24 17:46:11.000000000 +1200 @@ -833,11 +833,17 @@ if (domain) { debug((char *) "%s| %s: DEBUG: Setup Kerberos credential cache\n", LogTime(), PROGRAM); +#ifdef HAVE_KRB5 kc = krb5_create_cache(margs, domain); if (kc) { error((char *) "%s| %s: ERROR: Error during setup of Kerberos credential cache\n", LogTime(), PROGRAM); } +#else + kc = 1; + debug((char *) "%s| %s: DEBUG: Kerberos is not supported. Use username/passwaord with ldap url instead\n", LogTime(), PROGRAM); +#endif } + if (kc && (!margs->lurl || !margs->luser | !margs->lpass)) { /* * If Kerberos fails and no url given exit here @@ -1200,8 +1206,10 @@ } debug((char *) "%s| %s: DEBUG: Unbind ldap server\n", LogTime(), PROGRAM); cleanup: +#ifdef HAVE_KRB5 if (domain) krb5_cleanup(); +#endif if (lcreds) { if (lcreds->dn) xfree(lcreds->dn); diff -u -r -N squid-3.2.0.9/helpers/external_acl/kerberos_ldap_group/support_lserver.cc squid-3.2.0.10/helpers/external_acl/kerberos_ldap_group/support_lserver.cc --- squid-3.2.0.9/helpers/external_acl/kerberos_ldap_group/support_lserver.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/helpers/external_acl/kerberos_ldap_group/support_lserver.cc 2011-07-24 17:46:11.000000000 +1200 
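Review bot: The new `#else` branch in the support_ldap.cc hunk at -833 reports a build without Kerberos only through `debug()`, while the Kerberos setup failure just above it goes through `error()`. A helper that is given a domain therefore sets `kc = 1` and, presumably, continues with the configured LDAP user and password without any trace in normal logs. I would log it at the same level and fix the "passwaord" typo in the same line: `error((char *) "%s| %s: ERROR: Kerberos is not supported. Use username/password with ldap url instead\n", LogTime(), PROGRAM);`. The enclosing function starts and ends outside the hunk, so how the later bind is protected in transit cannot be confirmed from here.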
@@ -100,11 +100,7 @@ } lsspn = lssp; np = p; /* after : starts new group name */ - if (!lssp->domain || !strcmp(lssp->domain, "")) { - debug((char *) "%s| %s: DEBUG: No domain defined for ldap server %s\n", LogTime(), PROGRAM, lssp->lserver); - return (1); - } - debug((char *) "%s| %s: DEBUG: ldap server %s Domain %s\n", LogTime(), PROGRAM, lssp->lserver, lssp->domain); + debug((char *) "%s| %s: DEBUG: ldap server %s Domain %s\n", LogTime(), PROGRAM, lssp->lserver, lssp->domain?lssp->domain:"NULL"); } else p++; } @@ -120,11 +116,7 @@ if (lsspn) /* Have already an existing structure */ lssp->next = lsspn; } - if (!lssp->domain || !strcmp(lssp->domain, "")) { - debug((char *) "%s| %s: DEBUG: No domain defined for ldap server %s\n", LogTime(), PROGRAM, lssp->lserver); - return (1); - } - debug((char *) "%s| %s: DEBUG: ldap server %s Domain %s\n", LogTime(), PROGRAM, lssp->lserver, lssp->domain); + debug((char *) "%s| %s: DEBUG: ldap server %s Domain %s\n", LogTime(), PROGRAM, lssp->lserver, lssp->domain?lssp->domain:"NULL"); margs->lservs = lssp; return (0); diff -u -r -N squid-3.2.0.9/helpers/external_acl/kerberos_ldap_group/support_resolv.cc squid-3.2.0.10/helpers/external_acl/kerberos_ldap_group/support_resolv.cc --- squid-3.2.0.9/helpers/external_acl/kerberos_ldap_group/support_resolv.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/helpers/external_acl/kerberos_ldap_group/support_resolv.cc 2011-07-24 17:46:11.000000000 +1200 
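Review bot: An LDAP server entry with a missing or empty domain is now accepted without any comment saying what it means, because both hunks in support_lserver.cc drop the check that used to reject it with `return (1)`. Judging by the support_resolv.cc change later in this patch, such an entry is then used for every domain, so a mistyped entry becomes a catch-all where it used to be an error. I would record that above each debug call, for example `/* an entry without a domain is valid: it is used for all domains */`. The ternary prints "NULL" only for a null pointer, so an empty domain string still shows up as nothing in the debug line. The function body continues outside both hunks.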
@@ -243,7 +243,7 @@ ls = margs->lservs; while (ls) { - debug((char *) "%s| %s: DEBUG: Ldap server loop: lserver@domain %s@%s\n", LogTime(), PROGRAM, ls->lserver, ls->domain); + debug((char *) "%s| %s: DEBUG: Ldap server loop: lserver@domain %s@%s\n", LogTime(), PROGRAM, ls->lserver, ls->domain?ls->domain:"NULL"); if (ls->domain && !strcasecmp(ls->domain, domain)) { debug((char *) "%s| %s: DEBUG: Found lserver@domain %s@%s\n", LogTime(), PROGRAM, ls->lserver, ls->domain); hp = (struct hstruct *) xrealloc(hp, sizeof(struct hstruct) * (nhosts + 1)); @@ -252,6 +252,15 @@ hp[nhosts].priority = -2; hp[nhosts].weight = -2; nhosts++; + } else if ( !ls->domain || !strcasecmp(ls->domain, "") ) { + debug((char *) "%s| %s: DEBUG: Found lserver@domain %s@%s\n", LogTime(), PROGRAM, ls->lserver, ls->domain?ls->domain:"NULL"); + hp = (struct hstruct *) xrealloc(hp, sizeof(struct hstruct) * (nhosts + 1)); + hp[nhosts].host = strdup(ls->lserver); + hp[nhosts].port = -1; + hp[nhosts].priority = -2; + hp[nhosts].weight = -2; + nhosts++; + } ls = ls->next; } @@ -390,6 +399,8 @@ #endif goto cleanup; } + +cleanup: nhosts = get_hostname_list(margs, &hp, nh, domain); debug("%s| %s: DEBUG: Adding %s to list\n", LogTime(), PROGRAM, domain); @@ -435,14 +446,6 @@ if (buffer) xfree(buffer); if (service) - xfree(service); - *hlist = hp; - return (nhosts); - -cleanup: - if (buffer) - xfree(buffer); - if (service) xfree(service); *hlist = hp; return (nhosts); diff -u -r -N squid-3.2.0.9/helpers/external_acl/kerberos_ldap_group/support_sasl.cc squid-3.2.0.10/helpers/external_acl/kerberos_ldap_group/support_sasl.cc --- squid-3.2.0.9/helpers/external_acl/kerberos_ldap_group/support_sasl.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/helpers/external_acl/kerberos_ldap_group/support_sasl.cc 2011-07-24 17:46:11.000000000 +1200 @@ -136,9 +136,6 @@ { const char *dflt = interact->defresult; - int noecho = 0; - int challenge = 0; - flags = flags; switch (interact->id) { case SASL_CB_GETREALM: 
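Review bot: The `else if` branch added by the -252 hunk of support_resolv.cc logs the same "Found lserver@domain" text as the exact-match branch and appears to repeat its host-append block, so the debug output cannot tell a domain match from a domain-less server that is applied to every domain. One condition would cover both cases, `if (!ls->domain || !*ls->domain || !strcasecmp(ls->domain, domain)) {`, with the debug call keeping the `ls->domain?ls->domain:"NULL"` form. The result of `strdup(ls->lserver)` is stored without a check; if the project's `xstrdup` is available to this helper it would match the `xrealloc` on the line before. The loop and its function start outside the hunk.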
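Review bot: The `cleanup:` label added by the -390 hunk now sits in front of `get_hostname_list()` and the code after it, so every `goto cleanup` in this function runs that path instead of only freeing `buffer` and `service`. The label name no longer describes what it marks, and the jumps that precede the hunk cannot be checked from here for whether `nh` and `hp` are set on each of them. A comment at the label would record the intent, for example `/* also reached on resolver errors: continue with the domain name itself */`. The -435 hunk removes the old label together with its duplicate tail.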
@@ -152,18 +149,14 @@ case SASL_CB_PASS: if (defaults) dflt = defaults->passwd; - noecho = 1; break; case SASL_CB_USER: if (defaults) dflt = defaults->authzid; break; case SASL_CB_NOECHOPROMPT: - noecho = 1; - challenge = 1; break; case SASL_CB_ECHOPROMPT: - challenge = 1; break; } diff -u -r -N squid-3.2.0.9/helpers/external_acl/LDAP_group/ext_ldap_group_acl.cc squid-3.2.0.10/helpers/external_acl/LDAP_group/ext_ldap_group_acl.cc --- squid-3.2.0.9/helpers/external_acl/LDAP_group/ext_ldap_group_acl.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/helpers/external_acl/LDAP_group/ext_ldap_group_acl.cc 2011-07-24 17:46:11.000000000 +1200 @@ -51,7 +51,7 @@ #include #endif -#ifdef _SQUID_MSWIN_ /* Native Windows port and MinGW */ +#if _SQUID_MSWIN_ /* Native Windows port and MinGW */ #define snprintf _snprintf #include @@ -451,7 +451,7 @@ /* On Windows ldap_start_tls_s is available starting from Windows XP, * so we need to bind at run-time with the function entry point */ -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ if (use_tls) { HMODULE WLDAP32Handle; diff -u -r -N squid-3.2.0.9/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 squid-3.2.0.10/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 --- squid-3.2.0.9/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 2011-06-18 20:58:28.000000000 +1200 +++ squid-3.2.0.10/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 2011-07-24 18:20:26.000000000 +1200 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "EXT_WBINFO_GROUP_ACL.PL.IN 1" -.TH EXT_WBINFO_GROUP_ACL.PL.IN 1 "2011-06-18" "perl v5.10.1" "User Contributed Perl Documentation" +.TH EXT_WBINFO_GROUP_ACL.PL.IN 1 "2011-07-23" "perl v5.10.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.2.0.9/include/util.h squid-3.2.0.10/include/util.h --- squid-3.2.0.9/include/util.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/include/util.h 2011-07-24 17:46:11.000000000 +1200 @@ -115,7 +115,7 @@ /* Windows Port */ /* win32lib.c */ -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ SQUIDCEXTERN int chroot (const char *); SQUIDCEXTERN int ftruncate(int, off_t); #if !HAVE_GETTIMEOFDAY diff -u -r -N squid-3.2.0.9/include/version.h squid-3.2.0.10/include/version.h --- squid-3.2.0.9/include/version.h 2011-06-18 20:17:06.000000000 +1200 +++ squid-3.2.0.10/include/version.h 2011-07-24 17:47:28.000000000 +1200 @@ -9,7 +9,7 @@ */ #ifndef SQUID_RELEASE_TIME -#define SQUID_RELEASE_TIME 1308384811 +#define SQUID_RELEASE_TIME 1311486369 #endif #ifndef APP_SHORTNAME diff -u -r -N squid-3.2.0.9/RELEASENOTES.html squid-3.2.0.10/RELEASENOTES.html --- squid-3.2.0.9/RELEASENOTES.html 2011-06-18 20:58:49.000000000 +1200 +++ squid-3.2.0.10/RELEASENOTES.html 2011-07-24 18:20:45.000000000 +1200 @@ -2,10 +2,10 @@ - Squid 3.2.0.9 release notes + Squid 3.2.0.10 release notes -

Squid 3.2.0.9 release notes

+

Squid 3.2.0.10 release notes

Squid Developers


@@ -33,6 +33,8 @@
  • 2.7 Surrogate/1.0 protocol extensions to HTTP
  • 2.8 Logging Infrastructure Updated
  • 2.9 Client Bandwidth Limits +
  • 2.10 Better eCAP Suport +
  • 2.11 Cache Manager access changes

    3. Changes to squid.conf since Squid-3.1

    @@ -69,7 +71,7 @@

    1. Notice

    -

    The Squid Team are pleased to announce the release of Squid-3.2.0.9 for testing.

    +

    The Squid Team are pleased to announce the release of Squid-3.2.0.10 for testing.

    This new release is available for download from http://www.squid-cache.org/Versions/v3/3.2/ or the mirrors.

    @@ -104,6 +106,7 @@
  • Logging Infrastructure Updated
  • Client Bandwidth Limits
  • Better eCAP support
  • +
  • Cache Manager access changes
  • Most user-facing changes are reflected in squid.conf (see below).

    @@ -397,6 +400,7 @@

    The referer_log and useragent_log directives have been converted to built-in log formats. These logs are now created using an access_log line with the format "referrer" or "useragent".

    +

    2.9 Client Bandwidth Limits

    @@ -428,6 +432,35 @@ response data from Squid. This delay may need to be lowered in high-bandwidth environments.

    + +

    2.10 Better eCAP Suport +

    + +

    Support for libecap version 0.2.0 has been added with this series of Squid. Bringing +better support for body handling, and logging.

    + + +

    2.11 Cache Manager access changes +

    + +

    The Squid Cache Manager has previously only been accessible under the cache_object:// +URL scheme. Which has restricted its reporting to tools which can send arbitrary +URI to the proxy.

    + +

    This version of Squid now provides access through the http:// and https:// URL schemes +allowing web browsers access without having to use the cachemgr.cgi gateway and enabling +the use of HTTPS security were desired.

    + +

    The cache manager is available under the path prefix /squid-internal-mgr/. For example +the URL http://example/com/squid-internal-mgr/menu will bring up the manager menu. This +means there are some configuration changes required to lock down manager access. +The manager ACL needs changing to: +

    +        acl manager url_regex -i ^cache_object:// ^https?://[^/]+/squid-internal-mgr/
    +
    +

    + +

    3. Changes to squid.conf since Squid-3.1

    There have been changes to Squid's configuration file since Squid-3.1.

    @@ -569,6 +602,12 @@
    acl random

    New type random. Pseudo-randomly match requests based on a configured probability.

    +

    The manager ACL requires adjustment to cover new cache manager access: +

    +                acl manager url_regex -i ^cache_object:// ^https?://[^/]+/squid-internal-mgr/
    +        
    +
    +

    auth_param

    New options for Basic, Digest, NTLM, Negotiate children settings. @@ -606,6 +645,11 @@

    children-idle=N determines how many helper to retain as buffer against sudden traffic loads.

    Deprecated children=N in favor of children-max=N.

    +
    http_port act-as-origin
    +

    act-as-origin ported from 2.7. +This option corrects several HTTP header issues when operating as a reverse proxy and cache. +Notably the externally visible aging of objects stored in the server-side cache.

    +
    icap_send_client_ip

    Deprecated in favor of adaptation_send_client_ip which applies to both ICAP and eCAP.

    @@ -652,7 +696,8 @@ serve objects more stale than this even if it failed to validate the object.

    tcp_outgoing_address
    -

    This parameter is now compatible with persistent server connections.

    +

    This parameter is now compatible with persistent server connections. +The IPv6 magic 'to_ipv6' hacks needed in 3.1 are now no longer necessary.

    tcp_outgoing_mark

    New configuration parameter tcp_outgoing_mark

    @@ -1014,7 +1059,6 @@

    Not yet ported from 2.7

    http_port
    -

    act-as-origin not yet ported from 2.7

    urlgroup= not yet ported from 2.6

    ignore_ims_on_miss
    diff -u -r -N squid-3.2.0.9/src/acl/Acl.cc squid-3.2.0.10/src/acl/Acl.cc --- squid-3.2.0.9/src/acl/Acl.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/acl/Acl.cc 2011-07-24 17:46:11.000000000 +1200 @@ -128,7 +128,7 @@ } // Is this ACL going to work? - if (strcmp(theType, "myip") != 0) { + if (strcmp(theType, "myip") == 0) { http_port_list *p = Config.Sockaddr.http; while (p) { // Bug 3239: not reliable when there is interception traffic coming @@ -136,7 +136,7 @@ debugs(28, DBG_CRITICAL, "WARNING: 'myip' ACL is not reliable for interception proxies. Please use 'myportname' instead."); p = p->next; } - } else if (strcmp(theType, "myport") != 0) { + } else if (strcmp(theType, "myport") == 0) { http_port_list *p = Config.Sockaddr.http; while (p) { // Bug 3239: not reliable when there is interception traffic coming diff -u -r -N squid-3.2.0.9/src/acl/Acl.h squid-3.2.0.10/src/acl/Acl.h --- squid-3.2.0.9/src/acl/Acl.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/acl/Acl.h 2011-07-24 17:46:11.000000000 +1200 @@ -107,6 +107,7 @@ typedef enum { ACCESS_DENIED, ACCESS_ALLOWED, + ACCESS_DUNNO, ACCESS_REQ_PROXY_AUTH } allow_t; diff -u -r -N squid-3.2.0.9/src/acl/Checklist.cc squid-3.2.0.10/src/acl/Checklist.cc --- squid-3.2.0.9/src/acl/Checklist.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/acl/Checklist.cc 2011-07-24 17:46:11.000000000 +1200 @@ -49,7 +49,7 @@ } void -ACLChecklist::check() +ACLChecklist::matchNonBlocking() { if (checking()) return; @@ -169,7 +169,7 @@ { preCheck(); /* does the current AND clause match */ - matchAclListSlow(accessList->aclList); + matchAclList(accessList->aclList, false); } void @@ -183,7 +183,7 @@ void ACLChecklist::checkCallback(allow_t answer) { - PF *callback_; + ACLCB *callback_; void *cbdata_; debugs(28, 3, "ACLChecklist::checkCallback: " << this << " answer=" << answer); 
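Review bot: In the Acl.h hunk, `ACCESS_DUNNO` is inserted after `ACCESS_ALLOWED` and therefore gets a non-zero value, so any caller that still tests an `allow_t` as a boolean treats "no decision" as allowed. This matters because the same release changes `fastCheck()` from returning `int` to returning `allow_t`. The call sites shown in this diff were converted to `== ACCESS_ALLOWED`, but the compiler will not flag any that were missed. I would document the rule on the enumerator, e.g. `ACCESS_DUNNO, ///< no rule decided; compare with ACCESS_ALLOWED, never test allow_t as a boolean`, and search for remaining `if (...fastCheck())` uses. The insertion also renumbers `ACCESS_REQ_PROXY_AUTH`, which is worth checking if the value is ever stored or passed as a plain integer.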
@@ -197,12 +197,6 @@ } void -ACLChecklist::matchAclListSlow(const ACLList * list) -{ - matchAclList(list, false); -} - -void ACLChecklist::matchAclList(const ACLList * head, bool const fast) { PROF_start(aclMatchAclList); @@ -324,29 +318,44 @@ * NP: this should probably be made Async now. */ void -ACLChecklist::nonBlockingCheck(PF * callback_, void *callback_data_) +ACLChecklist::nonBlockingCheck(ACLCB * callback_, void *callback_data_) { callback = callback_; callback_data = cbdataReference(callback_data_); - check(); + matchNonBlocking(); +} + +allow_t const & +ACLChecklist::fastCheck(const ACLList * list) +{ + PROF_start(aclCheckFast); + currentAnswer(ACCESS_DUNNO); + matchAclList(list, true); + // assume ALLOWED on matches due to not having an acl_access object + if (finished()) + currentAnswer(ACCESS_ALLOWED); + PROF_stop(aclCheckFast); + return currentAnswer(); } /* Warning: do not cbdata lock this here - it * may be static or on the stack */ -int +allow_t const & ACLChecklist::fastCheck() { PROF_start(aclCheckFast); - currentAnswer(ACCESS_DENIED); + currentAnswer(ACCESS_DUNNO); + debugs(28, 5, "aclCheckFast: list: " << accessList); const acl_access *acl = cbdataReference(accessList); while (acl != NULL && cbdataReferenceValid(acl)) { currentAnswer(acl->allow); - if (matchAclListFast(acl->aclList)) { + matchAclList(acl->aclList, true); + if (finished()) { PROF_stop(aclCheckFast); cbdataReferenceDone(acl); - return currentAnswer() == ACCESS_ALLOWED; + return currentAnswer(); } /* @@ -357,10 +366,10 @@ cbdataReferenceDone(A); } - debugs(28, 5, "aclCheckFast: no matches, returning: " << (currentAnswer() == ACCESS_DENIED)); - + debugs(28, 5, "aclCheckFast: no matches, returning: " << currentAnswer()); PROF_stop(aclCheckFast); - return currentAnswer() == ACCESS_DENIED; + + return currentAnswer(); } 
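Review bot: In the no-argument `fastCheck()`, `currentAnswer(acl->allow)` is still assigned before `matchAclList()` runs, so when no line matches the function returns the action of the last line tested rather than `ACCESS_DUNNO`. The old code returned the inverse of that action via `currentAnswer() == ACCESS_DENIED`. Unless `matchAclList()` resets the answer on a mismatch, which is outside this hunk, a list whose final line is a non-matching `allow` yields `ACCESS_ALLOWED`. Moving the assignment into the match branch keeps the result the header documents: `if (finished()) { currentAnswer(acl->allow); ...`.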
@@ -381,12 +390,3 @@ { return !cbdataReferenceValid(callback_data); } - -bool -ACLChecklist::matchAclListFast(const ACLList * list) -{ - matchAclList(list, true); - return finished(); -} - - diff -u -r -N squid-3.2.0.9/src/acl/Checklist.h squid-3.2.0.10/src/acl/Checklist.h --- squid-3.2.0.9/src/acl/Checklist.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/acl/Checklist.h 2011-07-24 17:46:11.000000000 +1200 @@ -35,6 +35,9 @@ #include "acl/Acl.h" +/// ACL checklist callback +typedef void ACLCB(allow_t, void *); + /** \ingroup ACLAPI Base class for maintaining Squid and transaction state for access checks. Provides basic ACL checking methods. Its only child, ACLFilledChecklist, @@ -93,7 +96,7 @@ * The callback specified will be called with true/false * when the results of the ACL tests are known. */ - void nonBlockingCheck(PF * callback, void *callback_data); + void nonBlockingCheck(ACLCB * callback, void *callback_data); /** * Trigger a blocking access check for a set of *_access options. 
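Review bot: The comment above `nonBlockingCheck()` in Checklist.h still says the callback "will be called with true/false", but the new `ACLCB` type receives an `allow_t`. With `ACCESS_DUNNO` added to the enum, a callback written against the old wording would read a non-zero "no decision" as true. Suggested text: `The callback specified will be called with the allow_t answer when the results of the ACL tests are known; compare it with ACCESS_ALLOWED.` The `ACLCB` typedef could carry the same sentence.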
@@ -107,34 +110,20 @@ * knowledge of the ACL usage rather than depend on this default. * That will also save on work setting up ACLChecklist fields for a no-op. * - * \retval 1/true Access Allowed - * \retval 0/false Access Denied + * \retval ACCESS_DUNNO Unable to determine any result + * \retval ACCESS_ALLOWED Access Allowed + * \retval ACCESS_DENIED Access Denied */ - int fastCheck(); + allow_t const & fastCheck(); /** - * Trigger a blocking access check for a single ACL line (a AND b AND c). + * A version of fastCheck() for use when there is a one-line set of ACLs + * to be tested and a match determins the result action to be done. * - * ACLs which cannot be satisfied directly from available data are ignored. - * This means any proxy_auth, external_acl, DNS lookups, Ident lookups etc - * which have not already been performed and cached will not be checked. - * - * \retval 1/true Access Allowed - * \retval 0/false Access Denied + * \retval ACCESS_DUNNO Unable to determine any result + * \retval ACCESS_ALLOWED ACLs all matched */ - bool matchAclListFast(const ACLList * list); - - /** - * Attempt to check the current checklist against current data. - * This is the core routine behind all ACL test routines. - * As much as possible of current tests are performed immediately - * and the result is maybe delayed to wait for async lookups. - * - * When all tests are done callback is presented with one of: - * - ACCESS_ALLOWED Access explicitly Allowed - * - ACCESS_DENIED Access explicitly Denied - */ - void check(); + allow_t const & fastCheck(const ACLList * list); bool asyncInProgress() const; void asyncInProgress(bool const); 
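Review bot: The rewritten comment for `fastCheck(const ACLList *)` drops the caveat that the old `matchAclListFast()` text carried. That caveat said ACLs which cannot be satisfied from already available data (proxy_auth, external_acl, DNS and Ident lookups) are ignored. The implementation still calls `matchAclList(list, true)`, so the limitation presumably still applies, and callers basing an access decision on this result need to know it. I would keep those sentences in the new comment and fix the "determins" typo at the same time.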
@@ -163,13 +152,24 @@ public: const acl_access *accessList; - PF *callback; + ACLCB *callback; void *callback_data; + /** + * Attempt to check the current checklist against current data. + * This is the core routine behind all ACL test routines. + * As much as possible of current tests are performed immediately + * and the result is maybe delayed to wait for async lookups. + * + * When all tests are done callback is presented with one of: + * - ACCESS_ALLOWED Access explicitly Allowed + * - ACCESS_DENIED Access explicitly Denied + */ + void matchNonBlocking(); + private: /* internal methods */ void preCheck(); void matchAclList(const ACLList * list, bool const fast); - void matchAclListSlow(const ACLList * list); bool async_; bool finished_; diff -u -r -N squid-3.2.0.9/src/acl/DestinationDomain.cc squid-3.2.0.10/src/acl/DestinationDomain.cc --- squid-3.2.0.9/src/acl/DestinationDomain.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/acl/DestinationDomain.cc 2011-07-24 17:46:11.000000000 +1200 @@ -68,7 +68,7 @@ checklist->changeState (ACLChecklist::NullState::Instance()); checklist->markDestinationDomainChecked(); checklist->request->recordLookup(details); - checklist->check(); + checklist->matchNonBlocking(); } diff -u -r -N squid-3.2.0.9/src/acl/DestinationIp.cc squid-3.2.0.10/src/acl/DestinationIp.cc --- squid-3.2.0.9/src/acl/DestinationIp.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/acl/DestinationIp.cc 2011-07-24 17:46:11.000000000 +1200 @@ -94,7 +94,7 @@ checklist->request->recordLookup(details); checklist->asyncInProgress(false); checklist->changeState (ACLChecklist::NullState::Instance()); - checklist->check(); + checklist->matchNonBlocking(); } diff -u -r -N squid-3.2.0.9/src/acl/Gadgets.cc squid-3.2.0.10/src/acl/Gadgets.cc --- squid-3.2.0.9/src/acl/Gadgets.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/acl/Gadgets.cc 2011-07-24 17:46:11.000000000 +1200 
@@ -196,7 +196,7 @@ for (B = *head, T = head; B; T = &B->next, B = B->next); *T = A; - /* We lock _acl_access structures in ACLChecklist::check() */ + /* We lock _acl_access structures in ACLChecklist::matchNonBlocking() */ } void diff -u -r -N squid-3.2.0.9/src/acl/SourceDomain.cc squid-3.2.0.10/src/acl/SourceDomain.cc --- squid-3.2.0.9/src/acl/SourceDomain.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/acl/SourceDomain.cc 2011-07-24 17:46:11.000000000 +1200 @@ -66,7 +66,7 @@ checklist->changeState (ACLChecklist::NullState::Instance()); checklist->markSourceDomainChecked(); checklist->request->recordLookup(details); - checklist->check(); + checklist->matchNonBlocking(); } diff -u -r -N squid-3.2.0.9/src/adaptation/AccessCheck.cc squid-3.2.0.10/src/adaptation/AccessCheck.cc --- squid-3.2.0.9/src/adaptation/AccessCheck.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/adaptation/AccessCheck.cc 2011-07-24 17:46:11.000000000 +1200 @@ -139,7 +139,7 @@ } void -Adaptation::AccessCheck::AccessCheckCallbackWrapper(int answer, void *data) +Adaptation::AccessCheck::AccessCheckCallbackWrapper(allow_t answer, void *data) { debugs(93, 8, HERE << "callback answer=" << answer); AccessCheck *ac = (AccessCheck*)data; 
@@ -150,23 +150,22 @@ */ // convert to async call to get async call protections and features - typedef UnaryMemFunT MyDialer; + typedef UnaryMemFunT MyDialer; AsyncCall::Pointer call = asyncCall(93,7, "Adaptation::AccessCheck::noteAnswer", - MyDialer(ac, &Adaptation::AccessCheck::noteAnswer, - answer==ACCESS_ALLOWED)); + MyDialer(ac, &Adaptation::AccessCheck::noteAnswer, answer)); ScheduleCallHere(call); } /// process the results of the ACL check void -Adaptation::AccessCheck::noteAnswer(int answer) +Adaptation::AccessCheck::noteAnswer(allow_t answer) { Must(!candidates.empty()); // the candidate we were checking must be there debugs(93,5, HERE << topCandidate() << " answer=" << answer); - if (answer) { // the rule matched + if (answer == ACCESS_ALLOWED) { // the rule matched ServiceGroupPointer g = topGroup(); if (g != NULL) { // the corresponding group found callBack(g); diff -u -r -N squid-3.2.0.9/src/adaptation/AccessCheck.h squid-3.2.0.10/src/adaptation/AccessCheck.h --- squid-3.2.0.9/src/adaptation/AccessCheck.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/adaptation/AccessCheck.h 2011-07-24 17:46:11.000000000 +1200 @@ -1,6 +1,7 @@ #ifndef SQUID_ADAPTATION__ACCESS_CHECK_H #define SQUID_ADAPTATION__ACCESS_CHECK_H +#include "acl/Acl.h" #include "base/AsyncJob.h" #include "adaptation/Elements.h" #include "adaptation/forward.h" @@ -47,8 +48,8 @@ public: void checkCandidates(); - static void AccessCheckCallbackWrapper(int, void*); - void noteAnswer(int answer); + static void AccessCheckCallbackWrapper(allow_t, void*); + void noteAnswer(allow_t answer); protected: // AsyncJob API diff -u -r -N squid-3.2.0.9/src/adaptation/icap/Launcher.cc squid-3.2.0.10/src/adaptation/icap/Launcher.cc --- squid-3.2.0.9/src/adaptation/icap/Launcher.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/adaptation/icap/Launcher.cc 2011-07-24 17:46:11.000000000 +1200 
@@ -136,7 +136,7 @@ new ACLFilledChecklist(TheConfig.repeat, info.icapRequest, dash_str); cl->reply = HTTPMSGLOCK(info.icapReply); - const bool result = cl->fastCheck(); + bool result = cl->fastCheck() == ACCESS_ALLOWED; delete cl; return result; } diff -u -r -N squid-3.2.0.9/src/adaptation/icap/ServiceRep.cc squid-3.2.0.10/src/adaptation/icap/ServiceRep.cc --- squid-3.2.0.9/src/adaptation/icap/ServiceRep.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/adaptation/icap/ServiceRep.cc 2011-07-24 17:46:11.000000000 +1200 @@ -25,17 +25,19 @@ theBusyConns(0), theAllWaiters(0), connOverloadReported(false), - theIdleConns("ICAP Service",NULL), + theIdleConns(NULL), isSuspended(0), notifying(false), updateScheduled(false), wasAnnouncedUp(true), // do not announce an "up" service at startup isDetached(false) { setMaxConnections(); + theIdleConns = new IdleConnList("ICAP Service", NULL); } Adaptation::Icap::ServiceRep::~ServiceRep() { + delete theIdleConns; Must(!theOptionsFetcher); delete theOptions; } @@ -102,17 +104,13 @@ * In other words, (2) tells us to close one FD for each new one we open due to retriable. */ if (retriableXact) - connection = theIdleConns.pop(); + connection = theIdleConns->pop(); else - theIdleConns.closeN(1); - - if (!(reused = Comm::IsConnOpen(connection))) - connection = new Comm::Connection; - else { - debugs(93,3, HERE << "reused pconn " << connection); - ++theBusyConns; - } + theIdleConns->closeN(1); + reused = Comm::IsConnOpen(connection); + ++theBusyConns; + debugs(93,3, HERE << "got connection: " << connection); return connection; } @@ -124,7 +122,7 @@ if (isReusable && excessConnections() == 0) { debugs(93, 3, HERE << "pushing pconn" << comment); commUnsetConnTimeout(conn); - theIdleConns.push(conn); + theIdleConns->push(conn); } else { debugs(93, 3, HERE << "closing pconn" << comment); // comm_close will clear timeout 
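Review bot: In `getConnection()`, `++theBusyConns` now runs on every call, including when `theIdleConns->pop()` yields no open connection, so the count stays correct only if every failed connect ends in `noteConnectionFailed()`. A missed path would leave `theBusyConns` permanently high and, through `excessConnections()`, push the service towards its Max-Connections limit. The new `noteConnectionFailed()` also decrements without a lower bound. I would document the pairing at the increment, e.g. `++theBusyConns; // released on failure by noteConnectionFailed()`, and consider `Must(theBusyConns > 0);` before the decrement. The function body begins before the hunk.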
@@ -144,6 +142,12 @@ fd_table[conn->fd].noteUse(NULL); // pconn re-use but not via PconnPool API } +void Adaptation::Icap::ServiceRep::noteConnectionFailed(const char *comment) +{ + debugs(93, 3, HERE << "Connection failed: " << comment); + --theBusyConns; +} + void Adaptation::Icap::ServiceRep::setMaxConnections() { if (cfg().maxConn >= 0) @@ -171,8 +175,8 @@ if (!available && !connOverloadReported) { debugs(93, DBG_IMPORTANT, "WARNING: ICAP Max-Connections limit " << "exceeded for service " << cfg().uri << ". Open connections now: " << - theBusyConns + theIdleConns.count() << ", including " << - theIdleConns.count() << " idle persistent connections."); + theBusyConns + theIdleConns->count() << ", including " << + theIdleConns->count() << " idle persistent connections."); connOverloadReported = true; } @@ -191,7 +195,7 @@ // Waiters affect the number of needed connections but a needed // connection may still be excessive from Max-Connections p.o.v. // so we should not account for waiting transaction needs here. - const int debt = theBusyConns + theIdleConns.count() - theMaxConnections; + const int debt = theBusyConns + theIdleConns->count() - theMaxConnections; if (debt > 0) return debt; else @@ -378,7 +382,7 @@ debugs(93,8, "ICAPServiceRep::callWhenAvailable"); Must(cb!=NULL); Must(up()); - Must(!theIdleConns.count()); // or we should not be waiting + Must(!theIdleConns->count()); // or we should not be waiting Client i; i.service = Pointer(this); 
@@ -560,11 +564,10 @@ setMaxConnections(); const int excess = excessConnections(); // if we owe connections and have idle pconns, close the latter - // XXX: but ... idle pconn to *where*? - if (excess && theIdleConns.count() > 0) { - const int n = min(excess, theIdleConns.count()); + if (excess && theIdleConns->count() > 0) { + const int n = min(excess, theIdleConns->count()); debugs(93,5, HERE << "closing " << n << " pconns to relief debt"); - theIdleConns.closeN(n); + theIdleConns->closeN(n); } scheduleNotification(); diff -u -r -N squid-3.2.0.9/src/adaptation/icap/ServiceRep.h squid-3.2.0.10/src/adaptation/icap/ServiceRep.h --- squid-3.2.0.9/src/adaptation/icap/ServiceRep.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/adaptation/icap/ServiceRep.h 2011-07-24 17:46:11.000000000 +1200 @@ -113,6 +113,7 @@ Comm::ConnectionPointer getConnection(bool isRetriable, bool &isReused); void putConnection(const Comm::ConnectionPointer &conn, bool isReusable, const char *comment); void noteConnectionUse(const Comm::ConnectionPointer &conn); + void noteConnectionFailed(const char *comment); void noteFailure(); // called by transactions to report service failure @@ -160,7 +161,7 @@ int theMaxConnections; ///< the maximum allowed connections to the service // TODO: use a better type like the FadingCounter for connOverloadReported mutable bool connOverloadReported; ///< whether we reported exceeding theMaxConnections - IdleConnList theIdleConns; ///< idle persistent connection pool + IdleConnList *theIdleConns; ///< idle persistent connection pool FadingCounter theSessionFailures; const char *isSuspended; // also stores suspension reason for debugging diff -u -r -N squid-3.2.0.9/src/adaptation/icap/Xaction.cc squid-3.2.0.10/src/adaptation/icap/Xaction.cc --- squid-3.2.0.9/src/adaptation/icap/Xaction.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/adaptation/icap/Xaction.cc 2011-07-24 17:46:11.000000000 +1200 
@@ -16,6 +16,7 @@ #include "pconn.h" #include "HttpRequest.h" #include "HttpReply.h" +#include "ipcache.h" #include "acl/FilledChecklist.h" #include "icap_log.h" #include "fde.h" @@ -85,6 +86,13 @@ Must(static_cast(readBuf.potentialSpaceSize()) <= commBufSize); } +static void +icapLookupDnsResults(const ipcache_addrs *ia, const DnsLookupDetails &, void *data) +{ + Adaptation::Icap::Xaction *xa = static_cast(data); + xa->dnsLookupDone(ia); +} + // TODO: obey service-specific, OPTIONS-reported connection limit void Adaptation::Icap::Xaction::openConnection() @@ -101,11 +109,6 @@ if (wasReused && Comm::IsConnOpen(connection)) { // Set comm Close handler - typedef CommCbMemFunT CloseDialer; - closer = asyncCall(93, 5, "Adaptation::Icap::Xaction::noteCommClosed", - CloseDialer(this,&Adaptation::Icap::Xaction::noteCommClosed)); - comm_add_close_handler(connection->fd, closer); - // fake the connect callback // TODO: can we sync call Adaptation::Icap::Xaction::noteCommConnected here instead? typedef CommCbMemFunT Dialer; 
@@ -124,23 +127,42 @@ // Attempt to open a new connection... debugs(93,3, typeName << " opens connection to " << s.cfg().host.termedBuf() << ":" << s.cfg().port); - // TODO: find the IPs and attempt each one if this is a named service. - connection->remote = s.cfg().host.termedBuf(); - connection->remote.SetPort(s.cfg().port); + // Locate the Service IP(s) to open + ipcache_nbgethostbyname(s.cfg().host.termedBuf(), icapLookupDnsResults, this); +} - // TODO: service bypass status may differ from that of a transaction - typedef CommCbMemFunT TimeoutDialer; - AsyncCall::Pointer timeoutCall = asyncCall(93, 5, "Adaptation::Icap::Xaction::noteCommTimedout", - TimeoutDialer(this,&Adaptation::Icap::Xaction::noteCommTimedout)); +void +Adaptation::Icap::Xaction::dnsLookupDone(const ipcache_addrs *ia) +{ + Adaptation::Icap::ServiceRep &s = service(); - commSetTimeout(connection->fd, TheConfig.connect_timeout( - service().cfg().bypass), timeoutCall); + if (ia == NULL) { + debugs(44, DBG_IMPORTANT, "ICAP: Unknown service host: " << s.cfg().host); - typedef CommCbMemFunT CloseDialer; - closer = asyncCall(93, 5, "Adaptation::Icap::Xaction::noteCommClosed", - CloseDialer(this,&Adaptation::Icap::Xaction::noteCommClosed)); - comm_add_close_handler(connection->fd, closer); +#if WHEN_IPCACHE_NBGETHOSTBYNAME_USES_ASYNC_CALLS + dieOnConnectionFailure(); // throws +#else // take a step back into protected Async call dialing. 
+ // fake the connect callback + typedef CommCbMemFunT Dialer; + CbcPointer self(this); + Dialer dialer(self, &Adaptation::Icap::Xaction::noteCommConnected); + dialer.params.conn = connection; + dialer.params.flag = COMM_ERROR; + // fake other parameters by copying from the existing connection + connector = asyncCall(93,3, "Adaptation::Icap::Xaction::noteCommConnected", dialer); + ScheduleCallHere(connector); +#endif + return; + } + assert(ia->cur < ia->count); + + connection = new Comm::Connection; + connection->remote = ia->in_addrs[ia->cur]; + connection->remote.SetPort(s.cfg().port); + getOutgoingAddress(NULL, connection); + + // TODO: service bypass status may differ from that of a transaction typedef CommCbMemFunT ConnectDialer; connector = JobCallback(93,3, ConnectDialer, this, Adaptation::Icap::Xaction::noteCommConnected); Comm::ConnOpener *cs = new Comm::ConnOpener(connection, connector, TheConfig.connect_timeout(service().cfg().bypass)); @@ -206,6 +228,12 @@ if (io.flag != COMM_OK) dieOnConnectionFailure(); // throws + typedef CommCbMemFunT TimeoutDialer; + AsyncCall::Pointer timeoutCall = asyncCall(93, 5, "Adaptation::Icap::Xaction::noteCommTimedout", + TimeoutDialer(this,&Adaptation::Icap::Xaction::noteCommTimedout)); + commSetTimeout(io.conn->fd, TheConfig.connect_timeout( + service().cfg().bypass), timeoutCall); + typedef CommCbMemFunT CloseDialer; closer = asyncCall(93, 5, "Adaptation::Icap::Xaction::noteCommClosed", CloseDialer(this,&Adaptation::Icap::Xaction::noteCommClosed)); @@ -221,6 +249,7 @@ { debugs(93, 2, HERE << typeName << " failed to connect to " << service().cfg().uri); + service().noteConnectionFailed("failure"); detailError(ERR_DETAIL_ICAP_XACT_START); throw TexcHere("cannot connect to the ICAP service"); } 
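Review bot: `openConnection()` now passes a raw `this` to `ipcache_nbgethostbyname()`, and `icapLookupDnsResults()` casts it back and calls `dnsLookupDone()` directly, so the callback is safe only if the transaction still exists when the lookup completes. Nothing in these hunks cancels the lookup or validates the pointer. Whether ipcache does so for its data argument is outside the diff, and the `#else` comment already notes that the call arrives outside async-call protection. Please state the lifetime assumption next to the call, e.g. `// the lookup callback must not outlive this job; see icapLookupDnsResults()`. `dnsLookupDone()` also uses only `ia->in_addrs[ia->cur]`, so the removed TODO about trying each address still applies.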
@@ -268,7 +297,11 @@ theService->cfg().uri << status()); reuseConnection = false; const bool whileConnecting = connector != NULL; - closeConnection(); // so that late Comm callbacks do not disturb bypass + if (whileConnecting) { + assert(!haveConnection()); + theService->noteConnectionFailed("timedout"); + } else + closeConnection(); // so that late Comm callbacks do not disturb bypass throw TexcHere(whileConnecting ? "timed out while connecting to the ICAP service" : "timed out while talking to the ICAP service"); @@ -501,7 +534,7 @@ { if (IcapLogfileStatus == LOG_ENABLE) { ACLChecklist *checklist = new ACLFilledChecklist(::Config.accessList.icap, al.request, dash_str); - if (!::Config.accessList.icap || checklist->fastCheck()) { + if (!::Config.accessList.icap || checklist->fastCheck() == ACCESS_ALLOWED) { finalizeLogInfo(); icapLogLog(&al, checklist); } diff -u -r -N squid-3.2.0.9/src/adaptation/icap/Xaction.h squid-3.2.0.10/src/adaptation/icap/Xaction.h --- squid-3.2.0.9/src/adaptation/icap/Xaction.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/adaptation/icap/Xaction.h 2011-07-24 17:46:11.000000000 +1200 @@ -41,6 +41,7 @@ #include "adaptation/Initiate.h" #include "AccessLogEntry.h" #include "HttpReply.h" +#include "ipcache.h" class CommConnectCbParams; @@ -133,6 +134,7 @@ // custom exception handling and end-of-call checks virtual void callException(const std::exception &e); virtual void callEnd(); + void dnsLookupDone(const ipcache_addrs *ia); protected: // logging diff -u -r -N squid-3.2.0.9/src/auth/AclProxyAuth.cc squid-3.2.0.10/src/auth/AclProxyAuth.cc --- squid-3.2.0.9/src/auth/AclProxyAuth.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/auth/AclProxyAuth.cc 2011-07-24 17:46:11.000000000 +1200 
@@ -170,7 +170,7 @@ checklist->asyncInProgress(false); checklist->changeState (ACLChecklist::NullState::Instance()); - checklist->check(); + checklist->matchNonBlocking(); } void diff -u -r -N squid-3.2.0.9/src/cache_cf.cc squid-3.2.0.10/src/cache_cf.cc --- squid-3.2.0.9/src/cache_cf.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/cache_cf.cc 2011-07-24 17:46:11.000000000 +1200 @@ -442,6 +442,11 @@ if ((token = strchr(config_input_line, '\r'))) *token = '\0'; + // strip any prefix whitespace off the line. + const char *p = skip_ws(config_input_line); + if (config_input_line != p) + memmove(config_input_line, p, strlen(p)+1); + if (strncmp(config_input_line, "#line ", 6) == 0) { static char new_file_name[1024]; static char *file; @@ -3609,10 +3614,15 @@ s->protocol = xstrdup(token + 9); } else if (strcmp(token, "allow-direct") == 0) { if (!s->accel) { - debugs(3, DBG_CRITICAL, "FATAL: http(s)_port: vport option requires Acceleration mode flag."); + debugs(3, DBG_CRITICAL, "FATAL: http(s)_port: allow-direct option requires Acceleration mode flag."); self_destruct(); } s->allow_direct = 1; + } else if (strcmp(token, "act-as-origin") == 0) { + if (!s->accel) { + debugs(3, DBG_IMPORTANT, "ERROR: http(s)_port: act-as-origin option requires Acceleration mode flag."); + } else + s->actAsOrigin = 1; } else if (strcmp(token, "ignore-cc") == 0) { #if !USE_HTTP_VIOLATIONS if (!s->accel) { diff -u -r -N squid-3.2.0.9/src/cache_manager.cc squid-3.2.0.10/src/cache_manager.cc --- squid-3.2.0.9/src/cache_manager.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/cache_manager.cc 2011-07-24 17:46:11.000000000 +1200 
@@ -193,6 +193,14 @@ int len = strlen(url); Must(len > 0); t = sscanf(url, "cache_object://%[^/]/%[^@?]%n@%[^?]?%s", host, request, &pos, password, params); + if (t < 1) { + t = sscanf(url, "http://%[^/]/squid-internal-mgr/%[^?]%n?%s", host, request, &pos, params); + } + if (t < 1) { + t = sscanf(url, "https://%[^/]/squid-internal-mgr/%[^?]%n?%s", host, request, &pos, params); + } + debugs(16, 3, HERE << "HTTPS: t=" << t << ", host='" << host << "', request='" << request << "', pos=" << pos << + ", password='" << password << "', params='" << params << "'"); if (pos >0 && url[pos] == '?') { ++pos; @@ -203,7 +211,7 @@ if (t < 2) xstrncpy(request, "menu", MAX_URL); -#ifdef _SQUID_OS2_ +#if _SQUID_OS2_ if (t == 2 && request[0] == '\0') { /* * emx's sscanf insists of returning 2 because it sets request diff -u -r -N squid-3.2.0.9/src/cf.data.pre squid-3.2.0.10/src/cf.data.pre --- squid-3.2.0.9/src/cf.data.pre 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/cf.data.pre 2011-07-24 17:46:11.000000000 +1200 @@ -860,7 +860,7 @@ # # Recommended minimum configuration: # -acl manager proto cache_object +acl manager url_regex -i ^cache_object:// +i ^https?://[^/]+/squid-internal-mgr/ acl localhost src 127.0.0.1/32 ::1 acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 @@ -1029,7 +1029,7 @@ # Recommended minimum Access Permission configuration: # # Only allow cachemgr access from localhost -http_access allow manager localhost +http_access allow localhost manager http_access deny manager # Deny requests to certain unsafe ports 
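Review bot: The added `debugs(16, 3, ...)` line writes the cache manager `password` parsed from the URL into the debug log whenever section 16 is logged at level 3 or higher; credentials should not be written to logs. I would drop the field so the message ends `<< ", pos=" << pos << ", params='" << params << "'");`. The two new `http://` and `https://` `sscanf()` forms never fill `password`, so unless the buffer is cleared before the hunk (its declaration is outside it) the message can also print stale or uninitialised bytes. The `HTTPS:` prefix is printed for every scheme and should be made neutral. The `%[^/]`, `%[^?]` and `%s` conversions carry no field widths, so it is worth confirming that the destination buffers are at least as large as the longest URL accepted.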
@@ -1318,17 +1318,23 @@ Implies accel. vhost Using the Host header for virtual domain support. - Also uses the port as specified in Host: header. + Also uses the port as specified in Host: header unless + overridden by the vport option. - vport IP based virtual host support. Using the http_port number - in passed on Host: headers. + vport Virtual host port support. Using the http_port number + instead of the port passed on Host: headers. - vport=NN Uses the specified port number rather than the - http_port number. + vport=NN Virtual host port support. Using the specified port + number instead of the port passed on Host: headers. protocol= Protocol to reconstruct accelerated requests with. Defaults to http://. + act-as-origin + Act as if this Squid is the origin server. + This currently means generate new Date: and Expires: + headers on HIT instead of adding Age:. + ignore-cc Ignore request Cache-Control headers. Warning: This option violates HTTP specifications if 
@@ -1738,66 +1744,38 @@ tcp_outgoing_address ipaddr [[!]aclname] ... - Example where requests from 10.0.0.0/24 will be forwarded - with source address 10.1.0.1, 10.0.2.0/24 forwarded with - source address 10.1.0.2 and the rest will be forwarded with - source address 10.1.0.3. + For example; + Forwarding clients with dedicated IPs for certain subnets. - acl normal_service_net src 10.0.0.0/24 - acl good_service_net src 10.0.2.0/24 - tcp_outgoing_address 10.1.0.1 normal_service_net - tcp_outgoing_address 10.1.0.2 good_service_net - tcp_outgoing_address 10.1.0.3 + acl normal_service_net src 10.0.0.0/24 + acl good_service_net src 10.0.2.0/24 + + tcp_outgoing_address 2001:db8::c001 good_service_net + tcp_outgoing_address 10.1.0.2 good_service_net + + tcp_outgoing_address 2001:db8::beef normal_service_net + tcp_outgoing_address 10.1.0.1 normal_service_net + + tcp_outgoing_address 2001:db8::1 + tcp_outgoing_address 10.1.0.3 Processing proceeds in the order specified, and stops at first fully matching line. - Note: The use of this directive using client dependent ACLs is + Squid will add an implicit IP version test to each line. + Requests going to IPv4 websites will use the outgoing 10.1.0.* addresses. + Requests going to IPv6 websites will use the outgoing 2001:db8:* addresses. + + + NOTE: The use of this directive using client dependent ACLs is incompatible with the use of server side persistent connections. To ensure correct results it is best to set server_persistent_connections to off when using this directive in such configurations. - Note: The use of this directive to set a local IP on outgoing TCP links + NOTE: The use of this directive to set a local IP on outgoing TCP links is incompatible with using TPROXY to set client IP out outbound TCP links. - When needing to contact peers use the no-tproxy cache_peer option to - re-enable normal forwarding such as this. - - IPv6 Magic: - - Squid is built with a capability of bridging the IPv4 and IPv6 - internets. 
- tcp_outgoing_address as exampled above breaks this bridging by forcing - all outbound traffic through a certain IPv4 which may be on the wrong - side of the IPv4/IPv6 boundary. - - To operate with tcp_outgoing_address and keep the bridging benefits - an additional ACL needs to be used which ensures the IPv6-bound traffic - is never forced or permitted out the IPv4 interface. - - # IPv6 destination test along with a dummy access control to perofrm the required DNS - # This MUST be place before any ALLOW rules. - acl to_ipv6 dst ipv6 - http_access deny ipv6 !all - - tcp_outgoing_address 2001:db8::c001 good_service_net to_ipv6 - tcp_outgoing_address 10.1.0.2 good_service_net !to_ipv6 - - tcp_outgoing_address 2001:db8::beef normal_service_net to_ipv6 - tcp_outgoing_address 10.1.0.1 normal_service_net !to_ipv6 - - tcp_outgoing_address 2001:db8::1 to_ipv6 - tcp_outgoing_address 10.1.0.3 !to_ipv6 - - WARNING: - 'dst ipv6' bases its selection assuming DIRECT access. - If peers are used the peername ACL are needed to select outgoing - address which can link to the peer. - - 'dst ipv6' is a slow ACL. It will only work here if 'dst' is used - previously in the http_access rules to locate the destination IP. - Some more magic may be needed for that: - http_access allow to_ipv6 !all - (meaning, allow if to IPv6 but not from anywhere ;) + When needing to contact peers use the no-tproxy cache_peer option and the + client_dst_passthru directive re-enable normal forwarding such as this. DOC_END @@ -2265,6 +2243,10 @@ The first principal from the default keytab or defined by the environment variable KRB5_KTNAME will be used. + WARNING: The connection may transmit requests from multiple + clients. Negotiate often assumes end-to-end authentication + and a single-client. Which is not strictly true here. + login=NEGOTIATE:principal_name If this is a personal/workgroup proxy and your parent requires a secure proxy authentication. 
@@ -2272,6 +2254,10 @@ defined by the environment variable KRB5_KTNAME will be used. + WARNING: The connection may transmit requests from multiple + clients. Negotiate often assumes end-to-end authentication + and a single-client. Which is not strictly true here. + connection-auth=on|off Tell Squid that this peer does or not support Microsoft connection oriented authentication, and any such diff -u -r -N squid-3.2.0.9/src/cf_gen.cc squid-3.2.0.10/src/cf_gen.cc --- squid-3.2.0.9/src/cf_gen.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/cf_gen.cc 2011-07-24 17:46:11.000000000 +1200 @@ -187,7 +187,7 @@ enum State state; int rc = 0; char *ptr = NULL; -#ifdef _SQUID_OS2_ +#if _SQUID_OS2_ const char *rmode = "rt"; #else diff -u -r -N squid-3.2.0.9/src/ClientRequestContext.h squid-3.2.0.10/src/ClientRequestContext.h --- squid-3.2.0.9/src/ClientRequestContext.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/ClientRequestContext.h 2011-07-24 17:46:11.000000000 +1200 @@ -26,11 +26,11 @@ bool httpStateIsValid(); void clientAccessCheck(); void clientAccessCheck2(); - void clientAccessCheckDone(int answer); + void clientAccessCheckDone(const allow_t &answer); void clientRedirectStart(); void clientRedirectDone(char *result); void checkNoCache(); - void checkNoCacheDone(int answer); + void checkNoCacheDone(const allow_t &answer); #if USE_ADAPTATION void adaptationAccessCheck(); diff -u -r -N squid-3.2.0.9/src/client_side.cc squid-3.2.0.10/src/client_side.cc --- squid-3.2.0.9/src/client_side.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/client_side.cc 2011-07-24 17:46:11.000000000 +1200 @@ -129,6 +129,7 @@ #include "ssl/certificate_db.h" #endif #include "Store.h" +#include "TimeOrTag.h" #if HAVE_LIMITS #include 
@@ -671,7 +672,7 @@ if (al.reply) checklist->reply = HTTPMSGLOCK(al.reply); - if (!Config.accessList.log || checklist->fastCheck()) { + if (!Config.accessList.log || checklist->fastCheck() == ACCESS_ALLOWED) { if (request) al.adapted_request = HTTPMSGLOCK(request); accessLogLog(&al, checklist); @@ -2005,9 +2006,26 @@ return; } + if (vport < 0) + vport = http->getConn()->clientConnection->local.GetPort(); + const bool switchedToHttps = conn->switchedToHttps(); const bool tryHostHeader = vhost || switchedToHttps; if (tryHostHeader && (host = mime_get_header(req_hdr, "Host")) != NULL) { + debugs(33, 5, "ACCEL VHOST REWRITE: vhost=" << host << " + vport=" << vport); + char thost[256]; + if (vport > 0) { + thost[0] = '\0'; + char *t = NULL; + if (host[strlen(host)] != ']' && (t = strrchr(host,':')) != NULL) { + strncpy(thost, host, (t-host)); + snprintf(thost+(t-host), sizeof(thost)-(t-host), ":%d", vport); + host = thost; + } else if (!t) { + snprintf(thost, sizeof(thost), "%s:%d",host, vport); + host = thost; + } + } // else nothing to alter port-wise. int url_sz = strlen(url) + 32 + Config.appendDomainLen + strlen(host); http->uri = (char *)xcalloc(url_sz, 1); 
@@ -2015,24 +2033,22 @@ "https" : conn->port->protocol; snprintf(http->uri, url_sz, "%s://%s%s", protocol, host, url); debugs(33, 5, "ACCEL VHOST REWRITE: '" << http->uri << "'"); - } else if (conn->port->defaultsite) { + } else if (conn->port->defaultsite /* && !vhost */) { + debugs(33, 5, "ACCEL DEFAULTSITE REWRITE: defaultsite=" << conn->port->defaultsite << " + vport=" << vport); int url_sz = strlen(url) + 32 + Config.appendDomainLen + strlen(conn->port->defaultsite); http->uri = (char *)xcalloc(url_sz, 1); - snprintf(http->uri, url_sz, "%s://%s%s", - conn->port->protocol, conn->port->defaultsite, url); + char vportStr[32]; + vportStr[0] = '\0'; + if (vport > 0) { + snprintf(vportStr, sizeof(vportStr),":%d",vport); + } + snprintf(http->uri, url_sz, "%s://%s%s%s", + conn->port->protocol, conn->port->defaultsite, vportStr, url); debugs(33, 5, "ACCEL DEFAULTSITE REWRITE: '" << http->uri <<"'"); - } else if (vport == -1) { - /* Put the local socket IP address as the hostname. */ - int url_sz = strlen(url) + 32 + Config.appendDomainLen; - http->uri = (char *)xcalloc(url_sz, 1); - http->getConn()->clientConnection->local.ToHostname(ipbuf,MAX_IPSTRLEN); - snprintf(http->uri, url_sz, "%s://%s:%d%s", - http->getConn()->port->protocol, - ipbuf, http->getConn()->clientConnection->local.GetPort(), url); - debugs(33, 5, "ACCEL VPORT REWRITE: '" << http->uri << "'"); - } else if (vport > 0) { - /* Put the local socket IP address as the hostname, but static port */ + } else if (vport > 0 /* && (!vhost || no Host:) */) { + debugs(33, 5, "ACCEL VPORT REWRITE: http_port IP + vport=" << vport); + /* Put the local socket IP address as the hostname, with whatever vport we found */ int url_sz = strlen(url) + 32 + Config.appendDomainLen; http->uri = (char *)xcalloc(url_sz, 1); http->getConn()->clientConnection->local.ToHostname(ipbuf,MAX_IPSTRLEN); 
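Review bot: The inline fragments `/* && !vhost */` and `/* && (!vhost || no Host:) */` in the `@@ -2015,24 +2033,22 @@` hunk read like disabled code, so it is unclear whether they are conditions someone intends to restore or a description of the branch order. Because this chain decides whether a client-supplied Host header, `defaultsite` or the local socket address ends up in `http->uri`, the precedence deserves a plain comment above the chain, e.g. `/* precedence: Host header (vhost or switched to HTTPS), then defaultsite, then local IP with vport */`. The chain begins before this hunk and continues after it.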
@@ -2222,6 +2238,7 @@ #endif + debugs(33,5, HERE << "repare absolute URL from " << (csd->transparent()?"intercept":(csd->port->accel ? "accel":""))); /* Rewrite the URL in transparent or accelerator mode */ /* NP: there are several cases to traverse here: * - standard mode (forward proxy) @@ -3127,7 +3144,7 @@ ACLFilledChecklist identChecklist(Ident::TheConfig.identLookup, NULL, NULL); identChecklist.src_addr = client->remote; identChecklist.my_addr = client->local; - if (identChecklist.fastCheck()) + if (identChecklist.fastCheck() == ACCESS_ALLOWED) Ident::Start(client, clientIdentDone, result); } #endif 
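Review bot: The new debug message in the `@@ -2222,6 +2238,7 @@` hunk reads "repare absolute URL from", which looks like a typo for "prepare" and will be missed by anyone searching the log for the intended word. In plain forward-proxy mode the ternary yields an empty string, so the line ends in "from " with nothing after it; `(csd->transparent() ? "intercept" : (csd->port->accel ? "accel" : "forward"))` would name all three cases.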
@@ -3186,35 +3203,38 @@ /* it was said several times that client write limiter does not work if client_db is disabled */ ClientDelayPools& pools(Config.ClientDelay.pools); - for (unsigned int pool = 0; pool < pools.size(); pool++) { - - /* pools require explicit 'allow' to assign a client into them */ - if (!pools[pool].access) - continue; // warned in ClientDelayConfig::Finalize() - - ACLFilledChecklist ch(pools[pool].access, NULL, NULL); - - // TODO: we check early to limit error response bandwith but we - // should recheck when we can honor delay_pool_uses_indirect - - ch.src_addr = details->remote; - ch.my_addr = details->local; + ACLFilledChecklist ch(NULL, NULL, NULL); - if (ch.fastCheck()) { + // TODO: we check early to limit error response bandwith but we + // should recheck when we can honor delay_pool_uses_indirect + // TODO: we should also pass the port details for myportname here. + ch.src_addr = details->remote; + ch.my_addr = details->local; - /* request client information from db after we did all checks - this will save hash lookup if client failed checks */ - ClientInfo * cli = clientdbGetInfo(details->remote); - assert(cli); - - /* put client info in FDE */ - fd_table[details->fd].clientInfo = cli; + for (unsigned int pool = 0; pool < pools.size(); pool++) { - /* setup write limiter for this request */ - const double burst = floor(0.5 + - (pools[pool].highwatermark * Config.ClientDelay.initial)/100.0); - cli->setWriteLimiter(pools[pool].rate, burst, pools[pool].highwatermark); - break; + /* pools require explicit 'allow' to assign a client into them */ + if (pools[pool].access) { + ch.accessList = pools[pool].access; + allow_t answer = ch.fastCheck(); + if (answer == ACCESS_ALLOWED) { + + /* request client information from db after we did all checks + this will save hash lookup if client failed checks */ + ClientInfo * cli = clientdbGetInfo(details->remote); + assert(cli); + + /* put client info in FDE */ + fd_table[details->fd].clientInfo = cli; + 
+ /* setup write limiter for this request */ + const double burst = floor(0.5 + + (pools[pool].highwatermark * Config.ClientDelay.initial)/100.0); + cli->setWriteLimiter(pools[pool].rate, burst, pools[pool].highwatermark); + break; + } else { + debugs(83, 4, HERE << "Delay pool " << pool << " skipped because ACL " << answer); + } } } } @@ -3420,7 +3440,7 @@ if (reply_message.parse(reply, strlen(reply)) != Ssl::CrtdMessage::OK) { debugs(33, 5, HERE << "Reply from ssl_crtd for " << sslHostName << " is incorrect"); } else { - if (reply_message.getCode() != "ok") { + if (reply_message.getCode() != "OK") { debugs(33, 5, HERE << "Certificate for " << sslHostName << " cannot be generated. ssl_crtd response: " << reply_message.getBody()); } else { debugs(33, 5, HERE << "Certificate for " << sslHostName << " was successfully recieved from ssl_crtd"); diff -u -r -N squid-3.2.0.9/src/client_side_reply.cc squid-3.2.0.10/src/client_side_reply.cc --- squid-3.2.0.9/src/client_side_reply.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/client_side_reply.cc 2011-07-24 17:46:11.000000000 +1200 @@ -61,6 +61,7 @@ #include "ipcache.h" #include "log/Tokens.h" #include "MemObject.h" +#include "ProtoPort.h" #include "SquidTime.h" #include "StoreClient.h" #include "Store.h" 
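Review bot: The `@@ -3186,35 +3203,38 @@` hunk now builds one `ACLFilledChecklist ch(NULL, NULL, NULL)` outside the loop and overwrites `ch.accessList` for each pool, which bypasses whatever the constructor does with the list pointer (reference counting or locking, if any; the class is not shown here). It also relies on `fastCheck()` leaving no state behind from the previous pool's list. If the constructor takes a reference, the assignment should do the same, and a comment such as `// ch is reused for every pool; fastCheck() must not carry match state between lists` would record the assumption.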
@@ -1294,6 +1295,25 @@ if (EBIT_TEST(http->storeEntry()->flags, ENTRY_SPECIAL)) { hdr->delById(HDR_DATE); hdr->insertTime(HDR_DATE, squid_curtime); + } else if (http->getConn() && http->getConn()->port->actAsOrigin) { + // Swap the Date: header to current time if we are simulating an origin + HttpHeaderEntry *h = hdr->findEntry(HDR_DATE); + if (h) + hdr->putExt("X-Origin-Date", h->value.termedBuf()); + hdr->delById(HDR_DATE); + hdr->insertTime(HDR_DATE, squid_curtime); + h = hdr->findEntry(HDR_EXPIRES); + if (h && http->storeEntry()->expires >= 0) { + hdr->putExt("X-Origin-Expires", h->value.termedBuf()); + hdr->delById(HDR_EXPIRES); + hdr->insertTime(HDR_EXPIRES, squid_curtime + http->storeEntry()->expires - http->storeEntry()->timestamp); + } + if (http->storeEntry()->timestamp <= squid_curtime) { + // put X-Cache-Age: instead of Age: + char age[64]; + snprintf(age, sizeof(age), "%ld", (long int) squid_curtime - http->storeEntry()->timestamp); + hdr->putExt("X-Cache-Age", age); + } } else if (http->storeEntry()->timestamp <= squid_curtime) { hdr->putInt(HDR_AGE, squid_curtime - http->storeEntry()->timestamp); @@ -1865,6 +1885,7 @@ e = http->storeEntry(); // Copy timestamp from the original entry so the 304 // reply has a meaningful Age: header. + e->timestampsSet(); e->timestamp = timestamp; e->replaceHttpReply(temprep); e->complete(); @@ -1899,7 +1920,7 @@ http->logType == LOG_TCP_DENIED_REPLY || alwaysAllowResponse(reply->sline.status)) { headers_sz = reply->hdr_sz; - processReplyAccessResult(1); + processReplyAccessResult(ACCESS_ALLOWED); return; } @@ -1913,7 +1934,7 @@ /** check for absent access controls (permit by default) */ if (!Config.accessList.reply) { - processReplyAccessResult(1); + processReplyAccessResult(ACCESS_ALLOWED); return; } 
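Review bot: In the act-as-origin branch of the `@@ -1294,6 +1295,25 @@` hunk, the cast in `(long int) squid_curtime - http->storeEntry()->timestamp` binds to `squid_curtime` only, so the value passed for `%ld` has the type of the subtraction result. If `timestamp` is a `time_t`, that is wider than `long` on platforms with a 64-bit `time_t` and a 32-bit `long`. Parenthesise the difference: `snprintf(age, sizeof(age), "%ld", (long int)(squid_curtime - http->storeEntry()->timestamp));`. The branch also emits `X-Origin-Date`, `X-Origin-Expires` and `X-Cache-Age`, which pass the origin's timestamps and the cache age on to clients, while the act-as-origin text added to cf.data.pre mentions only the regenerated Date: and Expires: headers; the option's documentation should list the extra headers.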
@@ -1925,22 +1946,20 @@ } void -clientReplyContext::ProcessReplyAccessResult (int rv, void *voidMe) +clientReplyContext::ProcessReplyAccessResult(allow_t rv, void *voidMe) { clientReplyContext *me = static_cast(voidMe); me->processReplyAccessResult(rv); } void -clientReplyContext::processReplyAccessResult(bool accessAllowed) +clientReplyContext::processReplyAccessResult(const allow_t &accessAllowed) { debugs(88, 2, "The reply for " << RequestMethodStr(http->request->method) - << " " << http->uri << " is " - << ( accessAllowed ? "ALLOWED" : "DENIED") - << ", because it matched '" + << " " << http->uri << " is " << accessAllowed << ", because it matched '" << (AclMatchedName ? AclMatchedName : "NO ACL's") << "'" ); - if (!accessAllowed) { + if (accessAllowed != ACCESS_ALLOWED) { ErrorState *err; err_type page_id; page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, 1); @@ -2043,8 +2062,7 @@ ConnStateData * conn = http->getConn(); - // AYJ: this seems a bit weird to ignore CLOSED but drop on closing. - if (conn != NULL && Comm::IsConnOpen(conn->clientConnection) && fd_table[conn->clientConnection->fd].closing()) { + if (conn == NULL || !conn->isOpen()) { // too late, our conn is closing // TODO: should we also quit? debugs(33,3, HERE << "not sending more data to a closing " << conn->clientConnection); diff -u -r -N squid-3.2.0.9/src/client_side_reply.h squid-3.2.0.10/src/client_side_reply.h --- squid-3.2.0.9/src/client_side_reply.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/client_side_reply.h 2011-07-24 17:46:11.000000000 +1200 
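Review bot: After the condition in the `@@ -2043,8 +2062,7 @@` hunk changed to `conn == NULL || !conn->isOpen()`, the `debugs(33,3, ...)` line inside the block still streams `conn->clientConnection`, which dereferences a null pointer whenever `conn` is NULL and the message is evaluated. Handle the two cases separately, e.g. `if (conn == NULL) debugs(33,3, HERE << "not sending more data: no client connection");` followed by `else debugs(33,3, HERE << "not sending more data to a closing " << conn->clientConnection);`. The block continues past the end of the hunk, so whether it returns afterwards is not visible.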
@@ -125,8 +125,8 @@ StoreIOBuffer holdingBuffer; HttpReply *reply; void processReplyAccess(); - static PF ProcessReplyAccessResult; - void processReplyAccessResult(bool accessAllowed); + static ACLCB ProcessReplyAccessResult; + void processReplyAccessResult(const allow_t &accessAllowed); void cloneReply(); void buildReplyHeader (); bool alwaysAllowResponse(http_status sline) const; diff -u -r -N squid-3.2.0.9/src/client_side_request.cc squid-3.2.0.10/src/client_side_request.cc --- squid-3.2.0.9/src/client_side_request.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/client_side_request.cc 2011-07-24 17:46:11.000000000 +1200 @@ -88,8 +88,7 @@ static const char *const crlf = "\r\n"; #if FOLLOW_X_FORWARDED_FOR -static void -clientFollowXForwardedForCheck(int answer, void *data); +static void clientFollowXForwardedForCheck(allow_t answer, void *data); #endif /* FOLLOW_X_FORWARDED_FOR */ CBDATA_CLASS_INIT(ClientRequestContext); @@ -112,14 +111,14 @@ /* Local functions */ /* other */ -static void clientAccessCheckDoneWrapper(int, void *); +static void clientAccessCheckDoneWrapper(allow_t, void *); #if USE_SSL -static void sslBumpAccessCheckDoneWrapper(int, void *); +static void sslBumpAccessCheckDoneWrapper(allow_t, void *); #endif static int clientHierarchical(ClientHttpRequest * http); static void clientInterpretRequestHeaders(ClientHttpRequest * http); static RH clientRedirectDoneWrapper; -static PF checkNoCacheDoneWrapper; +static void checkNoCacheDoneWrapper(allow_t, void *); extern "C" CSR clientGetMoreData; extern "C" CSS clientReplyStatus; extern "C" CSD clientReplyDetach; @@ -438,7 +437,7 @@ * ++ indirect_client_addr contains the remote direct client from the trusted peers viewpoint. */ static void -clientFollowXForwardedForCheck(int answer, void *data) +clientFollowXForwardedForCheck(allow_t answer, void *data) { ClientRequestContext *calloutContext = (ClientRequestContext *) data; 
@@ -570,7 +569,7 @@ } void -clientAccessCheckDoneWrapper(int answer, void *data) +clientAccessCheckDoneWrapper(allow_t answer, void *data) { ClientRequestContext *calloutContext = (ClientRequestContext *) data; @@ -581,15 +580,14 @@ } void -ClientRequestContext::clientAccessCheckDone(int answer) +ClientRequestContext::clientAccessCheckDone(const allow_t &answer) { acl_checklist = NULL; err_type page_id; http_status status; debugs(85, 2, "The request " << RequestMethodStr(http->request->method) << " " << - http->uri << " is " << - (answer == ACCESS_ALLOWED ? "ALLOWED" : "DENIED") << + http->uri << " is " << answer << ", because it matched '" << (AclMatchedName ? AclMatchedName : "NO ACL's") << "'" ); @@ -717,7 +715,7 @@ #endif static void -clientRedirectAccessCheckDone(int answer, void *data) +clientRedirectAccessCheckDone(allow_t answer, void *data) { ClientRequestContext *context = (ClientRequestContext *)data; ClientHttpRequest *http = context->http; @@ -1096,12 +1094,12 @@ acl_checklist->nonBlockingCheck(checkNoCacheDoneWrapper, this); } else { /* unless otherwise specified, we try to cache. */ - checkNoCacheDone(1); + checkNoCacheDone(ACCESS_ALLOWED); } } static void -checkNoCacheDoneWrapper(int answer, void *data) +checkNoCacheDoneWrapper(allow_t answer, void *data) { ClientRequestContext *calloutContext = (ClientRequestContext *) data; @@ -1112,10 +1110,10 @@ } void -ClientRequestContext::checkNoCacheDone(int answer) +ClientRequestContext::checkNoCacheDone(const allow_t &answer) { acl_checklist = NULL; - http->request->flags.cachable = answer; + http->request->flags.cachable = (answer == ACCESS_ALLOWED); http->doCallouts(); } 
@@ -1141,7 +1139,7 @@ * as ACLFilledChecklist callback */ static void -sslBumpAccessCheckDoneWrapper(int answer, void *data) +sslBumpAccessCheckDoneWrapper(allow_t answer, void *data) { ClientRequestContext *calloutContext = static_cast(data); diff -u -r -N squid-3.2.0.9/src/comm/Connection.h squid-3.2.0.10/src/comm/Connection.h --- squid-3.2.0.9/src/comm/Connection.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/comm/Connection.h 2011-07-24 17:46:11.000000000 +1200 @@ -37,7 +37,6 @@ #ifndef _SQUIDCONNECTIONDETAIL_H_ #define _SQUIDCONNECTIONDETAIL_H_ -#include "config.h" #include "comm/forward.h" #include "hier_code.h" #include "ip/Address.h" diff -u -r -N squid-3.2.0.9/src/comm/ConnOpener.cc squid-3.2.0.10/src/comm/ConnOpener.cc --- squid-3.2.0.9/src/comm/ConnOpener.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/comm/ConnOpener.cc 2011-07-24 17:46:11.000000000 +1200 @@ -156,7 +156,7 @@ } } - typedef CommCbMemFunT abortDialer; + typedef CommCbMemFunT abortDialer; calls_.earlyAbort_ = JobCallback(5, 4, abortDialer, this, Comm::ConnOpener::earlyAbort); comm_add_close_handler(conn_->fd, calls_.earlyAbort_); @@ -279,7 +279,7 @@ * Handles the case(s) when a partially setup connection gets closed early. */ void -Comm::ConnOpener::earlyAbort(const CommConnectCbParams &io) +Comm::ConnOpener::earlyAbort(const CommCloseCbParams &io) { debugs(5, 3, HERE << io.conn); doneConnecting(COMM_ERR_CLOSING, io.xerrno); // NP: is closing or shutdown better? diff -u -r -N squid-3.2.0.9/src/comm/ConnOpener.h squid-3.2.0.10/src/comm/ConnOpener.h --- squid-3.2.0.9/src/comm/ConnOpener.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/comm/ConnOpener.h 2011-07-24 17:46:11.000000000 +1200 
@@ -34,7 +34,7 @@ ConnOpener(const ConnOpener &); ConnOpener & operator =(const ConnOpener &c); - void earlyAbort(const CommConnectCbParams &); + void earlyAbort(const CommCloseCbParams &); void timeout(const CommTimeoutCbParams &); void doneConnecting(comm_err_t status, int xerrno); static void InProgressConnectRetry(int fd, void *data); diff -u -r -N squid-3.2.0.9/src/CommCalls.cc squid-3.2.0.10/src/CommCalls.cc --- squid-3.2.0.9/src/CommCalls.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/CommCalls.cc 2011-07-24 17:46:11.000000000 +1200 @@ -76,10 +76,9 @@ { // change parameters if the call was scheduled before comm_close but // is being fired after comm_close - if (conn->fd >= 0 && fd_table[conn->fd].closing() && flag != COMM_ERR_CLOSING) { + if ((conn->fd < 0 || fd_table[conn->fd].closing()) && flag != COMM_ERR_CLOSING) { debugs(5, 3, HERE << "converting late call to COMM_ERR_CLOSING: " << conn); flag = COMM_ERR_CLOSING; - size = 0; } return true; // now we are in sync and can handle the call } diff -u -r -N squid-3.2.0.9/src/comm.cc squid-3.2.0.10/src/comm.cc --- squid-3.2.0.9/src/comm.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/comm.cc 2011-07-24 17:46:11.000000000 +1200 @@ -189,7 +189,7 @@ static void comm_empty_os_read_buffers(int fd) { -#ifdef _SQUID_LINUX_ +#if _SQUID_LINUX_ /* prevent those nasty RST packets */ char buf[SQUID_TCP_SO_RCVBUF]; @@ -645,7 +645,7 @@ commSetReuseAddr(new_socket); if (addr.GetPort() > (u_short) 0) { -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ if (sock_type != SOCK_DGRAM) #endif commSetNoLinger(new_socket); @@ -704,7 +704,7 @@ fd_table[conn->fd].flags.close_on_exec = 1; if (conn->local.GetPort() > (u_short) 0) { -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ if (AI->ai_socktype != SOCK_DGRAM) #endif fd_table[conn->fd].flags.nolinger = 1; 
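Review bot: The `@@ -76,10 +76,9 @@` hunk in CommCalls.cc stops resetting `size` when a late call is converted to `COMM_ERR_CLOSING`, so a handler that reads the byte count before the flag would now see a non-zero size on a closed descriptor. If that is intended, say so next to the conversion, e.g. `// size is left as reported; handlers must test flag for COMM_ERR_CLOSING before using it`. The function's start is outside the hunk, so whether `conn` can be null before `conn->fd` is read cannot be checked here.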
@@ -910,7 +910,7 @@ * we leak memory on many connect requests because of EINPROGRESS. * If you find that this code is needed, please file a bug report. */ #if 0 -#ifdef _SQUID_LINUX_ +#if _SQUID_LINUX_ /* 2007-11-27: * Linux Debian replaces our allocated AI pointer with garbage when * connect() fails. This leads to segmentation faults deallocating @@ -1156,7 +1156,7 @@ commCallCloseHandlers(fd); - if (F->pconn.uses) + if (F->pconn.uses && F->pconn.pool) F->pconn.pool->noteUses(F->pconn.uses); comm_empty_os_read_buffers(fd); @@ -1204,7 +1204,7 @@ if (x >= 0) return x; -#ifdef _SQUID_LINUX_ +#if _SQUID_LINUX_ if (ECONNREFUSED != errno) #endif @@ -1324,7 +1324,7 @@ int commSetNonBlocking(int fd) { -#ifndef _SQUID_MSWIN_ +#if !_SQUID_MSWIN_ int flags; int dummy = 0; #endif @@ -1344,7 +1344,7 @@ } else { #endif #endif -#ifndef _SQUID_MSWIN_ +#if !_SQUID_MSWIN_ if ((flags = fcntl(fd, F_GETFL, dummy)) < 0) { debugs(50, 0, "FD " << fd << ": fcntl F_GETFL: " << xstrerror()); @@ -1368,7 +1368,7 @@ int commUnsetNonBlocking(int fd) { -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ int nonblocking = FALSE; if (ioctlsocket(fd, FIONBIO, (unsigned long *) &nonblocking) < 0) { diff -u -r -N squid-3.2.0.9/src/debug.cc squid-3.2.0.10/src/debug.cc --- squid-3.2.0.9/src/debug.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/debug.cc 2011-07-24 17:46:11.000000000 +1200 @@ -64,7 +64,7 @@ static void _db_print_stderr(const char *format, va_list args); static void _db_print_file(const char *format, va_list args); -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ SQUIDCEXTERN LPCRITICAL_SECTION dbg_mutex; typedef BOOL (WINAPI * PFInitializeCriticalSectionAndSpinCount) (LPCRITICAL_SECTION, DWORD); #endif @@ -78,7 +78,7 @@ va_list args2; va_list args3; -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ /* Multiple WIN32 threads may call this simultaneously */ if (!dbg_mutex) { 
@@ -131,7 +131,7 @@ _db_print_syslog(format, args3); #endif -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ LeaveCriticalSection(dbg_mutex); #endif @@ -487,7 +487,7 @@ i--; snprintf(from, MAXPATHLEN, "%s.%d", debug_log_file, i - 1); snprintf(to, MAXPATHLEN, "%s.%d", debug_log_file, i); -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ remove (to); #endif @@ -498,14 +498,14 @@ * You can't rename open files on Microsoft "operating systems" * so we close before renaming. */ -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ if (debug_log != stderr) fclose(debug_log); #endif /* Rotate the current log to .0 */ if (Debug::rotateNumber > 0) { snprintf(to, MAXPATHLEN, "%s.%d", debug_log_file, 0); -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ remove (to); #endif diff -u -r -N squid-3.2.0.9/src/defines.h squid-3.2.0.10/src/defines.h --- squid-3.2.0.9/src/defines.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/defines.h 2011-07-24 17:46:11.000000000 +1200 @@ -211,7 +211,7 @@ /* * Max number of ICP messages to receive per call to icpHandleUdp */ -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ #define INCOMING_ICP_MAX 1 #else #define INCOMING_ICP_MAX 15 @@ -219,7 +219,7 @@ /* * Max number of DNS messages to receive per call to DNS read handler */ -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ #define INCOMING_DNS_MAX 1 #else #define INCOMING_DNS_MAX 15 @@ -228,7 +228,7 @@ * Max number of HTTP connections to accept per call to httpAccept * and PER HTTP PORT */ -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ #define INCOMING_HTTP_MAX 1 #else #define INCOMING_HTTP_MAX 10 diff -u -r -N squid-3.2.0.9/src/DelayId.cc squid-3.2.0.10/src/DelayId.cc --- squid-3.2.0.9/src/DelayId.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/DelayId.cc 2011-07-24 17:46:11.000000000 +1200 
@@ -126,7 +126,7 @@ if (http->getConn() != NULL) ch.conn(http->getConn()); - if (DelayPools::delay_data[pool].theComposite().getRaw() && ch.fastCheck()) { + if (DelayPools::delay_data[pool].theComposite().getRaw() && ch.fastCheck() == ACCESS_ALLOWED) { DelayId result (pool + 1); CompositePoolNode::CompositeSelectionDetails details; diff -u -r -N squid-3.2.0.9/src/DiskIO/AIO/aio_win32.h squid-3.2.0.10/src/DiskIO/AIO/aio_win32.h --- squid-3.2.0.9/src/DiskIO/AIO/aio_win32.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/DiskIO/AIO/aio_win32.h 2011-07-24 17:46:11.000000000 +1200 @@ -44,7 +44,7 @@ typedef int64_t off64_t; #endif -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ union sigval { int sival_int; /* integer value */ diff -u -r -N squid-3.2.0.9/src/dns_internal.cc squid-3.2.0.10/src/dns_internal.cc --- squid-3.2.0.9/src/dns_internal.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/dns_internal.cc 2011-07-24 17:46:11.000000000 +1200 @@ -225,7 +225,7 @@ static void idnsFreeNameservers(void); static void idnsFreeSearchpath(void); static void idnsParseNameservers(void); -#ifndef _SQUID_MSWIN_ +#if !_SQUID_MSWIN_ static void idnsParseResolvConf(void); #endif #if _SQUID_WINDOWS_ @@ -356,7 +356,7 @@ } } -#ifndef _SQUID_MSWIN_ +#if !_SQUID_MSWIN_ static void idnsParseResolvConf(void) { @@ -1278,7 +1278,7 @@ if (ignoreErrno(errno)) break; -#ifdef _SQUID_LINUX_ +#if _SQUID_LINUX_ /* Some Linux systems seem to set the FD for reading and then * return ECONNREFUSED when sendto() fails and generates an ICMP * port unreachable message. */ @@ -1492,7 +1492,7 @@ Ip::Address addrB = addrA; addrA.SetIPv4(); - if (Ip::EnableIpv6 && (addrB.IsAnyAddr() || addrB.IsIPv6())) { + if (Ip::EnableIpv6 && addrB.IsIPv6()) { debugs(78, 2, "idnsInit: attempt open DNS socket to: " << addrB); DnsSocketB = comm_open_listener(SOCK_DGRAM, IPPROTO_UDP, 
@@ -1501,7 +1501,7 @@ "DNS Socket IPv6"); } - if (addrA.IsAnyAddr() || addrA.IsIPv4()) { + if (addrA.IsIPv4()) { debugs(78, 2, "idnsInit: attempt open DNS socket to: " << addrA); DnsSocketA = comm_open_listener(SOCK_DGRAM, IPPROTO_UDP, @@ -1530,7 +1530,7 @@ assert(0 == nns); idnsParseNameservers(); -#ifndef _SQUID_MSWIN_ +#if !_SQUID_MSWIN_ if (0 == nns) idnsParseResolvConf(); diff -u -r -N squid-3.2.0.9/src/dnsserver.cc squid-3.2.0.10/src/dnsserver.cc --- squid-3.2.0.9/src/dnsserver.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/dnsserver.cc 2011-07-24 17:46:11.000000000 +1200 @@ -491,7 +491,7 @@ } } -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ { WSADATA wsaData; @@ -505,7 +505,7 @@ memset(request, '\0', REQ_SZ); if (fgets(request, REQ_SZ, stdin) == NULL) { -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ WSACleanup(); #endif exit(1); diff -u -r -N squid-3.2.0.9/src/enums.h squid-3.2.0.10/src/enums.h --- squid-3.2.0.9/src/enums.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/enums.h 2011-07-24 17:46:11.000000000 +1200 @@ -216,21 +216,23 @@ MEM_CLIENT_INFO, MEM_LINK_LIST, MEM_DLINK_NODE, - MEM_DONTFREE, MEM_DREAD_CTRL, MEM_DWRITE_Q, - MEM_FQDNCACHE_ENTRY, - MEM_FWD_SERVER, MEM_HTTP_HDR_CC, MEM_HTTP_HDR_CONTENT_RANGE, - MEM_IPCACHE_ENTRY, MEM_MD5_DIGEST, MEM_NETDBENTRY, MEM_NET_DB_NAME, MEM_RELIST, + // IMPORTANT: leave this here. pools above are initialized early with memInit() + MEM_DONTFREE, + // following pools are initialized late by their component if needed (or never) + MEM_FQDNCACHE_ENTRY, + MEM_FWD_SERVER, #if !USE_DNSSERVERS MEM_IDNS_QUERY, #endif + MEM_IPCACHE_ENTRY, MEM_MAX } mem_type; diff -u -r -N squid-3.2.0.9/src/errorpage.cc squid-3.2.0.10/src/errorpage.cc --- squid-3.2.0.9/src/errorpage.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/errorpage.cc 2011-07-24 17:46:11.000000000 +1200 
@@ -39,6 +39,7 @@ #include "auth/UserRequest.h" #endif #include "SquidTime.h" +#include "ssl/ErrorDetailManager.h" #include "Store.h" #include "html_quote.h" #include "HttpReply.h" diff -u -r -N squid-3.2.0.9/src/ETag.cc squid-3.2.0.10/src/ETag.cc --- squid-3.2.0.9/src/ETag.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/ETag.cc 2011-07-24 17:46:11.000000000 +1200 @@ -33,7 +33,12 @@ * */ -#include "squid.h" +#include "config.h" +#include "ETag.h" + +#if HAVE_CSTRING +#include +#endif /* * Note: ETag is not an http "field" like, for example HttpHdrRange. ETag is a diff -u -r -N squid-3.2.0.9/src/ETag.h squid-3.2.0.10/src/ETag.h --- squid-3.2.0.9/src/ETag.h 1970-01-01 12:00:00.000000000 +1200 +++ squid-3.2.0.10/src/ETag.h 2011-07-24 17:46:11.000000000 +1200 @@ -0,0 +1,23 @@ +#ifndef _SQUID_ETAG_H +#define _SQUID_ETAG_H + +/** + * ETag support is rudimantal; this struct is likely to change + * Note: "str" points to memory in HttpHeaderEntry (for now) + * so ETags should be used as tmp variables only (for now) + */ +class ETag +{ +public: + const char *str; ///< quoted-string + int weak; ///< true if it is a weak validator +}; + +/* ETag */ +SQUIDCEXTERN int etagParseInit(ETag * etag, const char *str); +/// whether etags are strong-equal +SQUIDCEXTERN bool etagIsStrongEqual(const ETag &tag1, const ETag &tag2); +/// whether etags are weak-equal +SQUIDCEXTERN bool etagIsWeakEqual(const ETag &tag1, const ETag &tag2); + +#endif /* _SQUIDETAG_H */ diff -u -r -N squid-3.2.0.9/src/external_acl.cc squid-3.2.0.10/src/external_acl.cc --- squid-3.2.0.9/src/external_acl.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/external_acl.cc 2011-07-24 17:46:11.000000000 +1200 
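Review bot: The class comment in the new ETag.h says `str` points into HttpHeaderEntry memory, but the member itself carries no warning that the pointer is borrowed; its `///<` comment could read `///< quoted-string; borrowed from the HttpHeaderEntry, not owned, invalid once that entry is freed`. `weak` is documented as true/false yet declared `int`, while the comparison functions return `bool`. "rudimantal" should be "rudimentary", and the closing guard comment names `_SQUIDETAG_H` while the guard is `_SQUID_ETAG_H`.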
@@ -1562,7 +1562,7 @@ checklist->extacl_entry = cbdataReference((external_acl_entry *)result); checklist->asyncInProgress(false); checklist->changeState (ACLChecklist::NullState::Instance()); - checklist->check(); + checklist->matchNonBlocking(); } /* This registers "external" in the registry. To do dynamic definitions diff -u -r -N squid-3.2.0.9/src/fd.cc squid-3.2.0.10/src/fd.cc --- squid-3.2.0.9/src/fd.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/fd.cc 2011-07-24 17:46:11.000000000 +1200 @@ -49,7 +49,7 @@ int default_read_method(int, char *, int); int default_write_method(int, const char *, int); -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ int socket_read_method(int, char *, int); int socket_write_method(int, const char *, int); int file_read_method(int, char *, int); @@ -122,7 +122,7 @@ *F = fde(); } -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ int socket_read_method(int fd, char *buf, int len) @@ -222,7 +222,7 @@ F->type = type; F->flags.open = 1; F->epoll_state = 0; -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ F->win32.handle = _get_osfhandle(fd); diff -u -r -N squid-3.2.0.9/src/fde.cc squid-3.2.0.10/src/fde.cc --- squid-3.2.0.9/src/fde.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/fde.cc 2011-07-24 17:46:11.000000000 +1200 @@ -54,7 +54,7 @@ if (!flags.open) return; -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ storeAppendPrintf(&dumpEntry, "%4d 0x%-8lX %-6.6s %4d %7"PRId64"%c %7"PRId64"%c %-21s %s\n", fdNumber, @@ -78,7 +78,7 @@ { int i; storeAppendPrintf(dumpEntry, "Active file descriptors:\n"); -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ storeAppendPrintf(dumpEntry, "%-4s %-10s %-6s %-4s %-7s* %-7s* %-21s %s\n", "File", 
@@ -93,7 +93,7 @@ "Nwrite", "Remote Address", "Description"); -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ storeAppendPrintf(dumpEntry, "---- ---------- ------ ---- -------- -------- --------------------- ------------------------------\n"); #else storeAppendPrintf(dumpEntry, "---- ------ ---- -------- -------- --------------------- ------------------------------\n"); diff -u -r -N squid-3.2.0.9/src/fde.h squid-3.2.0.10/src/fde.h --- squid-3.2.0.9/src/fde.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/fde.h 2011-07-24 17:46:11.000000000 +1200 @@ -115,7 +115,7 @@ SSL *ssl; SSL_CTX *dynamicSslContext; ///< cached and then freed when fd is closed #endif -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ struct { long handle; } win32; @@ -169,7 +169,7 @@ ssl = NULL; dynamicSslContext = NULL; #endif -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ win32.handle = NULL; #endif tosFromServer = '\0'; diff -u -r -N squid-3.2.0.9/src/forward.cc squid-3.2.0.10/src/forward.cc --- squid-3.2.0.9/src/forward.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/forward.cc 2011-07-24 17:46:11.000000000 +1200 @@ -93,7 +93,7 @@ FwdState::FwdState(const Comm::ConnectionPointer &client, StoreEntry * e, HttpRequest * r) { - debugs(17, 1, HERE << "Forwarding client request " << client << ", url=" << e->url() ); + debugs(17, 2, HERE << "Forwarding client request " << client << ", url=" << e->url() ); entry = e; clientConn = client; request = HTTPMSGLOCK(r); @@ -209,9 +209,7 @@ ACLFilledChecklist ch(Config.accessList.miss, request, NULL); ch.src_addr = request->client_addr; ch.my_addr = request->my_addr; - int answer = ch.fastCheck(); - - if (answer == 0) { + if (ch.fastCheck() == ACCESS_DENIED) { err_type page_id; page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, 1); @@ -247,7 +245,7 @@ switch (request->protocol) { case AnyP::PROTO_INTERNAL: - internalStart(request, entry); + internalStart(clientConn, request, entry); return; case AnyP::PROTO_CACHE_OBJECT: 
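Review bot: The miss_access test in the forward.cc hunk at -209 now denies only when `ch.fastCheck() == ACCESS_DENIED`, so every other result is forwarded. The full set of values fastCheck() can return is not visible in this diff; if it can return anything besides ACCESS_ALLOWED and ACCESS_DENIED, this check fails open. The htcp.cc and tos/nfmark/outgoing-address hunks in the same patch compare against ACCESS_ALLOWED and fail closed. Consider `if (ch.fastCheck() != ACCESS_ALLOWED) {` here, or add a comment stating that allowing on an undecided result is intended. The enclosing function starts and ends outside the hunk.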
@@ -804,7 +802,9 @@ return; } - request->flags.pinned = 0; + request->flags.pinned = 0; // XXX: what if the ConnStateData set this to flag existing credentials? + // XXX: answer: the peer selection *should* catch it and give us only the pinned peer. so we reverse the =0 step below. + // XXX: also, logs will now lie if pinning is broken and leads to an error message. if (serverDestinations[0]->peerType == PINNED) { ConnStateData *pinned_connection = request->pinnedConnection(); assert(pinned_connection); @@ -831,15 +831,11 @@ // Use pconn to avoid opening a new connection. const char *host; - int port; if (serverDestinations[0]->getPeer()) { host = serverDestinations[0]->getPeer()->host; - port = serverDestinations[0]->getPeer()->http_port; } else { host = request->GetHost(); - port = request->port; } - serverDestinations[0]->remote.SetPort(port); Comm::ConnectionPointer temp = fwdPconnPool->pop(serverDestinations[0], host, checkRetriable()); // if we found an open persistent connection to use. use it. @@ -1216,7 +1212,7 @@ acl_tos *l; for (l = head; l; l = l->next) { - if (!l->aclList || ch->matchAclListFast(l->aclList)) + if (!l->aclList || ch->fastCheck(l->aclList) == ACCESS_ALLOWED) return l->tos; } @@ -1230,7 +1226,7 @@ acl_nfmark *l; for (l = head; l; l = l->next) { - if (!l->aclList || ch->matchAclListFast(l->aclList)) + if (!l->aclList || ch->fastCheck(l->aclList) == ACCESS_ALLOWED) return l->nfmark; } @@ -1288,7 +1284,7 @@ if (conn->remote.IsIPv4() != l->addr.IsIPv4()) continue; /* check ACLs for this outgoing address */ - if (!l->aclList || ch.matchAclListFast(l->aclList)) { + if (!l->aclList || ch.fastCheck(l->aclList) == ACCESS_ALLOWED) { conn->local = l->addr; return; } diff -u -r -N squid-3.2.0.9/src/fs/coss/store_dir_coss.cc squid-3.2.0.10/src/fs/coss/store_dir_coss.cc --- squid-3.2.0.9/src/fs/coss/store_dir_coss.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/fs/coss/store_dir_coss.cc 2011-07-24 17:46:11.000000000 +1200 
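Review bot: The three `XXX` comments added beside `request->flags.pinned = 0;` (forward.cc hunk at -804) record an unchecked assumption, namely that peer selection always returns the pinned peer when the client connection had set the flag. Nothing in the hunk checks for the flag having been set while `serverDestinations[0]->peerType` is not PINNED, so a request tied to connection-bound credentials could leave on a different connection with nothing logged. Saving the old value with `const bool wasPinned = request->flags.pinned;` and emitting a `debugs(17, DBG_IMPORTANT, ...)` warning when `wasPinned` is true but the destination is not PINNED would make that case visible. The function body continues outside the hunk, so the later re-set that the comment mentions cannot be checked here.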
@@ -909,7 +909,7 @@ if (::stat(path, &swap_sb) < 0) { debugs (47, 2, "COSS swap space space being allocated."); -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ mkdir(path); #else diff -u -r -N squid-3.2.0.9/src/fs/ufs/store_dir_ufs.cc squid-3.2.0.10/src/fs/ufs/store_dir_ufs.cc --- squid-3.2.0.9/src/fs/ufs/store_dir_ufs.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/fs/ufs/store_dir_ufs.cc 2011-07-24 17:46:11.000000000 +1200 @@ -502,7 +502,7 @@ fatalf("Swap directory %s is not a directory.", aPath); } -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ } else if (0 == mkdir(aPath)) { #else @@ -1090,7 +1090,7 @@ if (dir_pointer == NULL) { if (errno == ENOENT) { debugs(36, 0, "storeDirClean: WARNING: Creating " << p1); -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ if (mkdir(p1) == 0) #else diff -u -r -N squid-3.2.0.9/src/ftp.cc squid-3.2.0.10/src/ftp.cc --- squid-3.2.0.9/src/ftp.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/ftp.cc 2011-07-24 17:46:11.000000000 +1200 @@ -2945,14 +2945,6 @@ return; } - if (io.flag != COMM_OK) { - data.close(); - debugs(9, DBG_IMPORTANT, "FTP AcceptDataConnection: FD " << io.fd << ": " << xstrerr(io.xerrno)); - /** \todo Need to send error message on control channel*/ - ftpFail(this); - return; - } - /* data listening conn is no longer even open. abort. */ if (!Comm::IsConnOpen(data.conn)) { data.clear(); // ensure that it's cleared and not just closed. diff -u -r -N squid-3.2.0.9/src/globals.h squid-3.2.0.10/src/globals.h --- squid-3.2.0.9/src/globals.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/globals.h 2011-07-24 17:46:11.000000000 +1200 
@@ -135,7 +135,7 @@ extern int64_t store_maxobjsize; /* -1 */ extern hash_table *proxy_auth_username_cache; /* NULL */ extern int incoming_sockets_accepted; -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ extern unsigned int WIN32_Socks_initialized; /* 0 */ #endif diff -u -r -N squid-3.2.0.9/src/helper.cc squid-3.2.0.10/src/helper.cc --- squid-3.2.0.9/src/helper.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/helper.cc 2011-07-24 17:46:11.000000000 +1200 @@ -79,7 +79,7 @@ void HelperServerBase::closePipesSafely() { -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ int no = index + 1; shutdown(writePipe->fd, SD_BOTH); @@ -92,7 +92,7 @@ readPipe->close(); writePipe->close(); -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ if (hIpc) { if (WaitForSingleObject(hIpc, 5000) != WAIT_OBJECT_0) { getCurrentTime(); @@ -108,7 +108,7 @@ void HelperServerBase::closeWritePipeSafely() { -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ int no = index + 1; shutdown(writePipe->fd, (readPipe->fd == writePipe->fd ? SD_BOTH : SD_SEND)); @@ -119,7 +119,7 @@ readPipe->fd = -1; writePipe->close(); -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ if (hIpc) { if (WaitForSingleObject(hIpc, 5000) != WAIT_OBJECT_0) { getCurrentTime(); diff -u -r -N squid-3.2.0.9/src/htcp.cc squid-3.2.0.10/src/htcp.cc --- squid-3.2.0.9/src/htcp.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/htcp.cc 2011-07-24 17:46:11.000000000 +1200 @@ -848,18 +848,17 @@ return d; } -static int -htcpAccessCheck(acl_access * acl, htcpSpecifier * s, Ip::Address &from) +static bool +htcpAccessAllowed(acl_access * acl, htcpSpecifier * s, Ip::Address &from) { /* default deny if no access list present */ if (!acl) - return 0; + return false; ACLFilledChecklist checklist(acl, s->request, NULL); checklist.src_addr = from; checklist.my_addr.SetNoAddr(); - int result = checklist.fastCheck(); - return result; + return (checklist.fastCheck() == ACCESS_ALLOWED); } static void 
@@ -1206,7 +1205,7 @@ return; } - if (!htcpAccessCheck(Config.accessList.htcp, s, from)) { + if (!htcpAccessAllowed(Config.accessList.htcp, s, from)) { debugs(31, 2, "htcpHandleTstRequest: Access denied"); htcpLogHtcp(from, dhdr->opcode, LOG_UDP_DENIED, s->uri); htcpFreeSpecifier(s); @@ -1279,7 +1278,7 @@ return; } - if (!htcpAccessCheck(Config.accessList.htcp_clr, s, from)) { + if (!htcpAccessAllowed(Config.accessList.htcp_clr, s, from)) { debugs(31, 2, "htcpHandleClr: Access denied"); htcpLogHtcp(from, hdr->opcode, LOG_UDP_DENIED, s->uri); htcpFreeSpecifier(s); @@ -1589,7 +1588,7 @@ stuff.S.method = (char *) RequestMethodStr(req->method); stuff.S.uri = (char *) e->url(); stuff.S.version = vbuf; - HttpStateData::httpBuildRequestHeader(req, req, e, &hdr, flags); + HttpStateData::httpBuildRequestHeader(req, e, &hdr, flags); mb.init(); packerToMemInit(&pa, &mb); hdr.packInto(&pa); @@ -1660,7 +1659,7 @@ } stuff.S.version = vbuf; if (reason != HTCP_CLR_INVALIDATION) { - HttpStateData::httpBuildRequestHeader(req, req, e, &hdr, flags); + HttpStateData::httpBuildRequestHeader(req, e, &hdr, flags); mb.init(); packerToMemInit(&pa, &mb); hdr.packInto(&pa); diff -u -r -N squid-3.2.0.9/src/http.cc squid-3.2.0.10/src/http.cc --- squid-3.2.0.9/src/http.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/http.cc 2011-07-24 17:46:11.000000000 +1200 @@ -83,7 +83,7 @@ static const char *const crlf = "\r\n"; static void httpMaybeRemovePublic(StoreEntry *, http_status); -static void copyOneHeaderFromClientsideRequestToUpstreamRequest(const HttpHeaderEntry *e, const String strConnection, HttpRequest * request, const HttpRequest * orig_request, +static void copyOneHeaderFromClientsideRequestToUpstreamRequest(const HttpHeaderEntry *e, const String strConnection, const HttpRequest * request, HttpHeader * hdr_out, const int we_do_ranges, const http_state_flags); HttpStateData::HttpStateData(FwdState *theFwdState) : AsyncJob("HttpStateData"), ServerStateData(theFwdState), 
@@ -96,39 +96,16 @@ serverConnection = fwd->serverConnection(); readBuf = new MemBuf; readBuf->init(16*1024, 256*1024); - orig_request = HTTPMSGLOCK(fwd->request); // reset peer response time stats for %hier.peer_http_request_sent.tv_sec = 0; - orig_request->hier.peer_http_request_sent.tv_usec = 0; + request->hier.peer_http_request_sent.tv_sec = 0; + request->hier.peer_http_request_sent.tv_usec = 0; if (fwd->serverConnection() != NULL) _peer = cbdataReference(fwd->serverConnection()->getPeer()); /* might be NULL */ if (_peer) { - const char *url; - - if (_peer->options.originserver) - url = orig_request->urlpath.termedBuf(); - else - url = entry->url(); - - HttpRequest * proxy_req = new HttpRequest(orig_request->method, orig_request->protocol, url); - - proxy_req->SetHost(_peer->host); - - proxy_req->port = _peer->http_port; - - proxy_req->flags = orig_request->flags; - - proxy_req->lastmod = orig_request->lastmod; - - proxy_req->flags.proxying = 1; - - HTTPMSGUNLOCK(request); - - request = HTTPMSGLOCK(proxy_req); - + request->flags.proxying = 1; /* * This NEIGHBOR_PROXY_ONLY check probably shouldn't be here. * We might end up getting the object from somewhere else if, @@ -164,8 +141,6 @@ if (httpChunkDecoder) delete httpChunkDecoder; - HTTPMSGUNLOCK(orig_request); - cbdataReferenceDone(_peer); debugs(11,5, HERE << "HttpStateData " << this << " destroyed; " << serverConnection); @@ -733,7 +708,7 @@ } if (!peerSupportsConnectionPinning()) - orig_request->flags.connection_auth_disabled = 1; + request->flags.connection_auth_disabled = 1; HttpReply *vrep = setVirginReply(newrep); flags.headers_parsed = 1; @@ -748,7 +723,7 @@ * Parse the header and remove all referenced headers */ - orig_request->hier.peer_reply_status = newrep->sline.status; + request->hier.peer_reply_status = newrep->sline.status; ctx_exit(ctx); } 
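Review bot: In the HttpStateData constructor hunk (http.cc at -96), `request->flags.proxying = 1;` is now written to the request taken from FwdState instead of a private `proxy_req` copy, and no visible line clears it when `_peer` is NULL. If the same HttpRequest is reused for a later attempt that goes direct (the retry path is outside this diff), the stale flag would remain set. That matters because `httpBuildRequestHeader` tests `!request->flags.proxying` before adding Authorization from the URL login. Assigning it unconditionally before the `if (_peer)` block, `request->flags.proxying = _peer ? 1 : 0;`, would keep the flag in step with the current destination. The constructor starts before and continues past the hunk.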
@@ -763,7 +738,7 @@ Must(!flags.handling1xx); flags.handling1xx = true; - if (!orig_request->canHandle1xx()) { + if (!request->canHandle1xx()) { debugs(11, 2, HERE << "ignoring client-unsupported 1xx"); proceedAfter1xx(); return; @@ -788,7 +763,7 @@ typedef NullaryMemFunT CbDialer; const AsyncCall::Pointer cb = JobCallback(11, 3, CbDialer, this, HttpStateData::proceedAfter1xx); - CallJobHere1(11, 4, orig_request->clientConnectionManager, ConnStateData, + CallJobHere1(11, 4, request->clientConnectionManager, ConnStateData, ConnStateData::sendControlMsg, HttpControlMsg(msg, cb)); // If the call is not fired, then the Sink is gone, and HttpStateData // will terminate due to an aborted store entry or another similar error. @@ -899,7 +874,7 @@ || rep->header.has(HDR_X_ACCELERATOR_VARY) #endif ) { - const char *vary = httpMakeVaryMark(orig_request, rep); + const char *vary = httpMakeVaryMark(request, rep); if (!vary) { entry->makePrivate(); @@ -984,7 +959,7 @@ * connection. */ if (!flags.request_sent) { - debugs(11, 2, "statusIfComplete: Request not yet fully sent \"" << RequestMethodStr(orig_request->method) << " " << entry->url() << "\"" ); + debugs(11, 2, "statusIfComplete: Request not yet fully sent \"" << RequestMethodStr(request->method) << " " << entry->url() << "\"" ); return COMPLETE_NONPERSISTENT_MSG; } @@ -1095,7 +1070,7 @@ } if (EBIT_TEST(entry->flags, ENTRY_ABORTED)) { - maybeReadVirginBody(); + // TODO: should we call abortTransaction() here? return; } @@ -1136,8 +1111,8 @@ IOStats.Http.read_hist[bin]++; // update peer response time stats (%hier.peer_http_request_sent; - orig_request->hier.peer_response_time = + const timeval &sent = request->hier.peer_http_request_sent; + request->hier.peer_response_time = sent.tv_sec ? tvSubMsec(sent, current_time) : -1; } 
@@ -1249,7 +1224,7 @@ const http_status s = vrep->sline.status; const HttpVersion &v = vrep->sline.version; if (s == HTTP_INVALID_HEADER && v != HttpVersion(0,9)) { - debugs(11, DBG_IMPORTANT, "WARNING: HTTP: Invalid Response: Bad header encountered from " << entry->url() << " AKA " << orig_request->GetHost() << orig_request->urlpath.termedBuf() ); + debugs(11, DBG_IMPORTANT, "WARNING: HTTP: Invalid Response: Bad header encountered from " << entry->url() << " AKA " << request->GetHost() << request->urlpath.termedBuf() ); error = ERR_INVALID_RESP; } else if (s == HTTP_HEADER_TOO_LARGE) { fwd->dontRetry(true); @@ -1259,18 +1234,18 @@ } } else { // parsed headers but got no reply - debugs(11, DBG_IMPORTANT, "WARNING: HTTP: Invalid Response: No reply at all for " << entry->url() << " AKA " << orig_request->GetHost() << orig_request->urlpath.termedBuf() ); + debugs(11, DBG_IMPORTANT, "WARNING: HTTP: Invalid Response: No reply at all for " << entry->url() << " AKA " << request->GetHost() << request->urlpath.termedBuf() ); error = ERR_INVALID_RESP; } } else { assert(eof); if (readBuf->hasContent()) { error = ERR_INVALID_RESP; - debugs(11, DBG_IMPORTANT, "WARNING: HTTP: Invalid Response: Headers did not parse at all for " << entry->url() << " AKA " << orig_request->GetHost() << orig_request->urlpath.termedBuf() ); + debugs(11, DBG_IMPORTANT, "WARNING: HTTP: Invalid Response: Headers did not parse at all for " << entry->url() << " AKA " << request->GetHost() << request->urlpath.termedBuf() ); } else { error = ERR_ZERO_SIZE_OBJECT; - debugs(11, (orig_request->flags.accelerated?DBG_IMPORTANT:2), "WARNING: HTTP: Invalid Response: No object data received for " << - entry->url() << " AKA " << orig_request->GetHost() << orig_request->urlpath.termedBuf() ); + debugs(11, (request->flags.accelerated?DBG_IMPORTANT:2), "WARNING: HTTP: Invalid Response: No object data received for " << + entry->url() << " AKA " << request->GetHost() << request->urlpath.termedBuf() ); } } 
@@ -1419,8 +1394,8 @@ closeHandler = NULL; fwd->unregister(serverConnection); - if (orig_request->flags.spoof_client_ip) - client_addr = orig_request->client_addr; + if (request->flags.spoof_client_ip) + client_addr = request->client_addr; if (request->flags.pinned) { @@ -1429,11 +1404,11 @@ ispinned = true; } - if (orig_request->pinnedConnection() && ispinned) { - orig_request->pinnedConnection()->pinConnection(serverConnection, orig_request, _peer, + if (request->pinnedConnection() && ispinned) { + request->pinnedConnection()->pinConnection(serverConnection, request, _peer, (request->flags.connection_auth != 0)); } else { - fwd->pconnPush(serverConnection, request->GetHost()); + fwd->pconnPush(serverConnection, request->peer_host ? request->peer_host : request->GetHost()); } serverConnection = NULL; @@ -1529,7 +1504,7 @@ flags.request_sent = 1; - orig_request->hier.peer_http_request_sent = current_time; + request->hier.peer_http_request_sent = current_time; } // Close the HTTP server connection. Used by serverComplete(). @@ -1556,7 +1531,7 @@ * Fixup authentication request headers for special cases */ static void -httpFixupAuthentication(HttpRequest * request, HttpRequest * orig_request, const HttpHeader * hdr_in, HttpHeader * hdr_out, http_state_flags flags) +httpFixupAuthentication(HttpRequest * request, const HttpHeader * hdr_in, HttpHeader * hdr_out, http_state_flags flags) { http_hdr_type header = flags.originpeer ? HDR_AUTHORIZATION : HDR_PROXY_AUTHORIZATION; @@ -1565,7 +1540,7 @@ return; /* Needs to be explicitly enabled */ - if (!orig_request->peer_login) + if (!request->peer_login) return; /* Maybe already dealt with? */ 
@@ -1573,11 +1548,11 @@ return; /* Nothing to do here for PASSTHRU */ - if (strcmp(orig_request->peer_login, "PASSTHRU") == 0) + if (strcmp(request->peer_login, "PASSTHRU") == 0) return; /* PROXYPASS is a special case, single-signon to servers with the proxy password (basic only) */ - if (flags.originpeer && strcmp(orig_request->peer_login, "PROXYPASS") == 0 && hdr_in->has(HDR_PROXY_AUTHORIZATION)) { + if (flags.originpeer && strcmp(request->peer_login, "PROXYPASS") == 0 && hdr_in->has(HDR_PROXY_AUTHORIZATION)) { const char *auth = hdr_in->getStr(HDR_PROXY_AUTHORIZATION); if (auth && strncasecmp(auth, "basic ", 6) == 0) { @@ -1587,18 +1562,18 @@ } /* Special mode to pass the username to the upstream cache */ - if (*orig_request->peer_login == '*') { + if (*request->peer_login == '*') { char loginbuf[256]; const char *username = "-"; - if (orig_request->extacl_user.size()) - username = orig_request->extacl_user.termedBuf(); + if (request->extacl_user.size()) + username = request->extacl_user.termedBuf(); #if USE_AUTH - else if (orig_request->auth_user_request != NULL) - username = orig_request->auth_user_request->username(); + else if (request->auth_user_request != NULL) + username = request->auth_user_request->username(); #endif - snprintf(loginbuf, sizeof(loginbuf), "%s%s", username, orig_request->peer_login + 1); + snprintf(loginbuf, sizeof(loginbuf), "%s%s", username, request->peer_login + 1); httpHeaderPutStrf(hdr_out, header, "Basic %s", old_base64_encode(loginbuf)); 
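Review bot: In httpFixupAuthentication (hunk at -1587) the result of `snprintf(loginbuf, sizeof(loginbuf), "%s%s", username, request->peer_login + 1)` is not checked, so a username that does not fit the 256-byte buffer is silently truncated and sent upstream as the Basic credential. The same applies to the `extacl_user`/`extacl_passwd` buffer in the following hunk at -1606. A truncated identity can match a different account at the peer, so it is safer to log and skip the header on overflow: `const int n = snprintf(...); if (n < 0 || n >= (int)sizeof(loginbuf)) return;`. These lines only rename `orig_request` to `request`, so the behaviour predates this commit. The function body extends beyond both hunks.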
@@ -1606,13 +1581,13 @@ } /* external_acl provided credentials */ - if (orig_request->extacl_user.size() && orig_request->extacl_passwd.size() && - (strcmp(orig_request->peer_login, "PASS") == 0 || - strcmp(orig_request->peer_login, "PROXYPASS") == 0)) { + if (request->extacl_user.size() && request->extacl_passwd.size() && + (strcmp(request->peer_login, "PASS") == 0 || + strcmp(request->peer_login, "PROXYPASS") == 0)) { char loginbuf[256]; snprintf(loginbuf, sizeof(loginbuf), SQUIDSTRINGPH ":" SQUIDSTRINGPH, - SQUIDSTRINGPRINT(orig_request->extacl_user), - SQUIDSTRINGPRINT(orig_request->extacl_passwd)); + SQUIDSTRINGPRINT(request->extacl_user), + SQUIDSTRINGPRINT(request->extacl_passwd)); httpHeaderPutStrf(hdr_out, header, "Basic %s", old_base64_encode(loginbuf)); return; @@ -1620,22 +1595,22 @@ /* Kerberos login to peer */ #if HAVE_AUTH_MODULE_NEGOTIATE && HAVE_KRB5 && HAVE_GSSAPI - if (strncmp(orig_request->peer_login, "NEGOTIATE",strlen("NEGOTIATE")) == 0) { + if (strncmp(request->peer_login, "NEGOTIATE",strlen("NEGOTIATE")) == 0) { char *Token=NULL; char *PrincipalName=NULL,*p; - if ((p=strchr(orig_request->peer_login,':')) != NULL ) { + if ((p=strchr(request->peer_login,':')) != NULL ) { PrincipalName=++p; } - Token = peer_proxy_negotiate_auth(PrincipalName,request->peer_host); + Token = peer_proxy_negotiate_auth(PrincipalName, request->peer_host); if (Token) { - httpHeaderPutStrf(hdr_out, HDR_PROXY_AUTHORIZATION, "Negotiate %s",Token); + httpHeaderPutStrf(hdr_out, header, "Negotiate %s",Token); } return; } #endif /* HAVE_KRB5 && HAVE_GSSAPI */ httpHeaderPutStrf(hdr_out, header, "Basic %s", - old_base64_encode(orig_request->peer_login)); + old_base64_encode(request->peer_login)); return; } @@ -1646,7 +1621,6 @@ */ void HttpStateData::httpBuildRequestHeader(HttpRequest * request, - HttpRequest * orig_request, StoreEntry * entry, HttpHeader * hdr_out, const http_state_flags flags) 
@@ -1655,7 +1629,7 @@ #define BBUF_SZ (MAX_URL+32) LOCAL_ARRAY(char, bbuf, BBUF_SZ); LOCAL_ARRAY(char, ntoabuf, MAX_IPSTRLEN); - const HttpHeader *hdr_in = &orig_request->header; + const HttpHeader *hdr_in = &request->header; const HttpHeaderEntry *e = NULL; HttpHeaderPos pos = HttpHeaderInitPos; assert (hdr_out->owner == hoRequest); @@ -1664,23 +1638,23 @@ if (request->lastmod > -1) hdr_out->putTime(HDR_IF_MODIFIED_SINCE, request->lastmod); - bool we_do_ranges = decideIfWeDoRanges (orig_request); + bool we_do_ranges = decideIfWeDoRanges (request); String strConnection (hdr_in->getList(HDR_CONNECTION)); while ((e = hdr_in->getEntry(&pos))) - copyOneHeaderFromClientsideRequestToUpstreamRequest(e, strConnection, request, orig_request, hdr_out, we_do_ranges, flags); + copyOneHeaderFromClientsideRequestToUpstreamRequest(e, strConnection, request, hdr_out, we_do_ranges, flags); /* Abstraction break: We should interpret multipart/byterange responses * into offset-length data, and this works around our inability to do so. */ - if (!we_do_ranges && orig_request->multipartRangeRequest()) { + if (!we_do_ranges && request->multipartRangeRequest()) { /* don't cache the result */ - orig_request->flags.cachable = 0; + request->flags.cachable = 0; /* pretend it's not a range request */ - delete orig_request->range; - orig_request->range = NULL; - orig_request->flags.range = 0; + delete request->range; + request->range = NULL; + request->flags.range = 0; } /* append Via */ 
@@ -1688,14 +1662,14 @@ String strVia; strVia = hdr_in->getList(HDR_VIA); snprintf(bbuf, BBUF_SZ, "%d.%d %s", - orig_request->http_ver.major, - orig_request->http_ver.minor, ThisCache); + request->http_ver.major, + request->http_ver.minor, ThisCache); strListAdd(&strVia, bbuf, ','); hdr_out->putStr(HDR_VIA, strVia.termedBuf()); strVia.clean(); } - if (orig_request->flags.accelerated) { + if (request->flags.accelerated) { /* Append Surrogate-Capabilities */ String strSurrogate(hdr_in->getList(HDR_SURROGATE_CAPABILITY)); #if USE_SQUID_ESI @@ -1720,17 +1694,17 @@ static int warnedCount = 0; if (warnedCount++ < 100) { - const char *url = entry ? entry->url() : urlCanonical(orig_request); + const char *url = entry ? entry->url() : urlCanonical(request); debugs(11, 1, "Warning: likely forwarding loop with " << url); } } if (strcmp(opt_forwarded_for, "on") == 0) { /** If set to ON - append client IP or 'unknown'. */ - if ( orig_request->client_addr.IsNoAddr() ) + if ( request->client_addr.IsNoAddr() ) strListAdd(&strFwd, "unknown", ','); else - strListAdd(&strFwd, orig_request->client_addr.NtoA(ntoabuf, MAX_IPSTRLEN), ','); + strListAdd(&strFwd, request->client_addr.NtoA(ntoabuf, MAX_IPSTRLEN), ','); } else if (strcmp(opt_forwarded_for, "off") == 0) { /** If set to OFF - append 'unknown'. */ strListAdd(&strFwd, "unknown", ','); @@ -1738,10 +1712,10 @@ /** If set to TRANSPARENT - pass through unchanged. */ } else if (strcmp(opt_forwarded_for, "truncate") == 0) { /** If set to TRUNCATE - drop existing list and replace with client IP or 'unknown'. */ - if ( orig_request->client_addr.IsNoAddr() ) + if ( request->client_addr.IsNoAddr() ) strFwd = "unknown"; else - strFwd = orig_request->client_addr.NtoA(ntoabuf, MAX_IPSTRLEN); + strFwd = request->client_addr.NtoA(ntoabuf, MAX_IPSTRLEN); } if (strFwd.size() > 0) hdr_out->putStr(HDR_X_FORWARDED_FOR, strFwd.termedBuf()); 
@@ -1750,28 +1724,28 @@ /* append Host if not there already */ if (!hdr_out->has(HDR_HOST)) { - if (orig_request->peer_domain) { - hdr_out->putStr(HDR_HOST, orig_request->peer_domain); - } else if (orig_request->port == urlDefaultPort(orig_request->protocol)) { + if (request->peer_domain) { + hdr_out->putStr(HDR_HOST, request->peer_domain); + } else if (request->port == urlDefaultPort(request->protocol)) { /* use port# only if not default */ - hdr_out->putStr(HDR_HOST, orig_request->GetHost()); + hdr_out->putStr(HDR_HOST, request->GetHost()); } else { httpHeaderPutStrf(hdr_out, HDR_HOST, "%s:%d", - orig_request->GetHost(), - (int) orig_request->port); + request->GetHost(), + (int) request->port); } } /* append Authorization if known in URL, not in header and going direct */ if (!hdr_out->has(HDR_AUTHORIZATION)) { - if (!request->flags.proxying && *request->login) { + if (!request->flags.proxying && request->login && *request->login) { httpHeaderPutStrf(hdr_out, HDR_AUTHORIZATION, "Basic %s", old_base64_encode(request->login)); } } /* Fixup (Proxy-)Authorization special cases. Plain relaying dealt with above */ - httpFixupAuthentication(request, orig_request, hdr_in, hdr_out, flags); + httpFixupAuthentication(request, hdr_in, hdr_out, flags); /* append Cache-Control, add max-age if not there already */ { @@ -1782,18 +1756,16 @@ #if 0 /* see bug 2330 */ /* Set no-cache if determined needed but not found */ - if (orig_request->flags.nocache) + if (request->flags.nocache) EBIT_SET(cc->mask, CC_NO_CACHE); #endif /* Add max-age only without no-cache */ if (!EBIT_TEST(cc->mask, CC_MAX_AGE) && !EBIT_TEST(cc->mask, CC_NO_CACHE)) { const char *url = - entry ? entry->url() : urlCanonical(orig_request); + entry ? entry->url() : urlCanonical(request); httpHdrCcSetMaxAge(cc, getMaxAge(url)); - if (request->urlpath.size()) - assert(strstr(url, request->urlpath.termedBuf())); } /* Enforce sibling relations */ 
@@ -1834,7 +1806,7 @@ * to our outgoing fetch request. */ void -copyOneHeaderFromClientsideRequestToUpstreamRequest(const HttpHeaderEntry *e, const String strConnection, HttpRequest * request, const HttpRequest * orig_request, HttpHeader * hdr_out, const int we_do_ranges, const http_state_flags flags) +copyOneHeaderFromClientsideRequestToUpstreamRequest(const HttpHeaderEntry *e, const String strConnection, const HttpRequest * request, HttpHeader * hdr_out, const int we_do_ranges, const http_state_flags flags) { debugs(11, 5, "httpBuildRequestHeader: " << e->name << ": " << e->value ); @@ -1847,10 +1819,10 @@ * Only pass on proxy authentication to peers for which * authentication forwarding is explicitly enabled */ - if (!flags.originpeer && flags.proxying && orig_request->peer_login && - (strcmp(orig_request->peer_login, "PASS") == 0 || - strcmp(orig_request->peer_login, "PROXYPASS") == 0 || - strcmp(orig_request->peer_login, "PASSTHRU") == 0)) { + if (!flags.originpeer && flags.proxying && request->peer_login && + (strcmp(request->peer_login, "PASS") == 0 || + strcmp(request->peer_login, "PROXYPASS") == 0 || + strcmp(request->peer_login, "PASSTHRU") == 0)) { hdr_out->addEntry(e->clone()); } break; @@ -1879,10 +1851,10 @@ /** \note In accelerators, only forward authentication if enabled * (see also httpFixupAuthentication for special cases) */ - if (orig_request->peer_login && - (strcmp(orig_request->peer_login, "PASS") == 0 || - strcmp(orig_request->peer_login, "PASSTHRU") == 0 || - strcmp(orig_request->peer_login, "PROXYPASS") == 0)) { + if (request->peer_login && + (strcmp(request->peer_login, "PASS") == 0 || + strcmp(request->peer_login, "PASSTHRU") == 0 || + strcmp(request->peer_login, "PROXYPASS") == 0)) { hdr_out->addEntry(e->clone()); } } 
@@ -1896,19 +1868,19 @@ * went through our redirector and the admin configured * 'redir_rewrites_host' to be off. */ - if (orig_request->peer_domain) - hdr_out->putStr(HDR_HOST, orig_request->peer_domain); + if (request->peer_domain) + hdr_out->putStr(HDR_HOST, request->peer_domain); else if (request->flags.redirected && !Config.onoff.redir_rewrites_host) hdr_out->addEntry(e->clone()); else { /* use port# only if not default */ - if (orig_request->port == urlDefaultPort(orig_request->protocol)) { - hdr_out->putStr(HDR_HOST, orig_request->GetHost()); + if (request->port == urlDefaultPort(request->protocol)) { + hdr_out->putStr(HDR_HOST, request->GetHost()); } else { httpHeaderPutStrf(hdr_out, HDR_HOST, "%s:%d", - orig_request->GetHost(), - (int) orig_request->port); + request->GetHost(), + (int) request->port); } } @@ -1927,7 +1899,7 @@ case HDR_MAX_FORWARDS: /** \par Max-Forwards: * pass only on TRACE or OPTIONS requests */ - if (orig_request->method == METHOD_TRACE || orig_request->method == METHOD_OPTIONS) { + if (request->method == METHOD_TRACE || request->method == METHOD_OPTIONS) { const int64_t hops = e->getInt64(); if (hops > 0) @@ -1999,7 +1971,7 @@ } bool -HttpStateData::decideIfWeDoRanges (HttpRequest * orig_request) +HttpStateData::decideIfWeDoRanges (HttpRequest * request) { bool result = true; /* decide if we want to do Ranges ourselves 
@@ -2013,15 +1985,15 @@ * the server and fetch only the requested content) */ - int64_t roffLimit = orig_request->getRangeOffsetLimit(); + int64_t roffLimit = request->getRangeOffsetLimit(); - if (NULL == orig_request->range || !orig_request->flags.cachable - || orig_request->range->offsetLimitExceeded(roffLimit) || orig_request->flags.connection_auth) + if (NULL == request->range || !request->flags.cachable + || request->range->offsetLimitExceeded(roffLimit) || request->flags.connection_auth) result = false; debugs(11, 8, "decideIfWeDoRanges: range specs: " << - orig_request->range << ", cachable: " << - orig_request->flags.cachable << "; we_do_ranges: " << result); + request->range << ", cachable: " << + request->flags.cachable << "; we_do_ranges: " << result); return result; } 
@@ -2029,27 +2001,29 @@ /* build request prefix and append it to a given MemBuf; * return the length of the prefix */ mb_size_t -HttpStateData::buildRequestPrefix(HttpRequest * aRequest, - HttpRequest * original_request, - StoreEntry * sentry, - MemBuf * mb) +HttpStateData::buildRequestPrefix(MemBuf * mb) { const int offset = mb->size; HttpVersion httpver(1,1); + const char * url; + if (_peer && !_peer->options.originserver) + url = entry->url(); + else + url = request->urlpath.termedBuf(); mb->Printf("%s %s HTTP/%d.%d\r\n", - RequestMethodStr(aRequest->method), - aRequest->urlpath.size() ? aRequest->urlpath.termedBuf() : "/", + RequestMethodStr(request->method), + url && *url ? url : "/", httpver.major,httpver.minor); /* build and pack headers */ { HttpHeader hdr(hoRequest); Packer p; - httpBuildRequestHeader(aRequest, original_request, sentry, &hdr, flags); + httpBuildRequestHeader(request, entry, &hdr, flags); - if (aRequest->flags.pinned && aRequest->flags.connection_auth) - aRequest->flags.auth_sent = 1; + if (request->flags.pinned && request->flags.connection_auth) + request->flags.auth_sent = 1; else if (hdr.has(HDR_AUTHORIZATION)) - aRequest->flags.auth_sent = 1; + request->flags.auth_sent = 1; packerToMemInit(&p, mb); hdr.packInto(&p); @@ -2082,7 +2056,7 @@ flags.do_next_read = 1; maybeReadVirginBody(); - if (orig_request->body_pipe != NULL) { + if (request->body_pipe != NULL) { if (!startRequestBodyFlow()) // register to receive body data return false; typedef CommCbMemFunT Dialer; @@ -2091,7 +2065,7 @@ Must(!flags.chunked_request); // use chunked encoding if we do not know the length - if (orig_request->content_length < 0) + if (request->content_length < 0) flags.chunked_request = 1; } else { assert(!requestBodySource); @@ -2116,7 +2090,7 @@ /* * Is keep-alive okay for all request methods? */ - if (orig_request->flags.must_keepalive) + if (request->flags.must_keepalive) flags.keepalive = 1; else if (!Config.onoff.server_pconns) flags.keepalive = 0; 
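Review bot: buildRequestPrefix (hunk at -2029) now chooses the request-target itself, but nothing documents the rule or where the two URLs come from. A comment above the `if` would make the choice clear, for example `// absolute URL from the store entry when talking to a proxy peer; path only for origin servers and originserver peers`. Both strings are copied into the request line with `%s`. Whether `entry->url()` and `request->urlpath` are guaranteed free of whitespace and CR/LF at this point is not visible in the diff, so it is worth confirming that they are validated before this call.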
@@ -2129,6 +2103,17 @@ flags.keepalive = 1; if (_peer) { + /*The old code here was + if (neighborType(_peer, request) == PEER_SIBLING && ... + which is equivalent to: + if (neighborType(_peer, NULL) == PEER_SIBLING && ... + or better: + if (((_peer->type == PEER_MULTICAST && p->options.mcast_siblings) || + _peer->type == PEER_SIBLINGS ) && _peer->options.allow_miss) + flags.only_if_cached = 1; + + But I suppose it was a bug + */ if (neighborType(_peer, request) == PEER_SIBLING && !_peer->options.allow_miss) flags.only_if_cached = 1; @@ -2138,7 +2123,7 @@ mb.init(); request->peer_host=_peer?_peer->host:NULL; - buildRequestPrefix(request, orig_request, entry, &mb); + buildRequestPrefix(&mb); debugs(11, 6, HERE << serverConnection << ":\n" << mb.buf); Comm::Write(serverConnection, &mb, requestSender); @@ -2286,7 +2271,7 @@ if (flags.headers_parsed && !flags.abuse_detected) { flags.abuse_detected = 1; - debugs(11, 1, "http handleMoreRequestBodyAvailable: Likely proxy abuse detected '" << orig_request->client_addr << "' -> '" << entry->url() << "'" ); + debugs(11, 1, "http handleMoreRequestBodyAvailable: Likely proxy abuse detected '" << request->client_addr << "' -> '" << entry->url() << "'" ); if (virginReply()->sline.status == HTTP_INVALID_HEADER) { serverConnection->close(); @@ -2345,9 +2330,3 @@ fwd->handleUnregisteredServerEnd(); deleteThis("HttpStateData::abortTransaction"); } - -HttpRequest * -HttpStateData::originalRequest() -{ - return orig_request; -} diff -u -r -N squid-3.2.0.9/src/http.h squid-3.2.0.10/src/http.h --- squid-3.2.0.9/src/http.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/http.h 2011-07-24 17:46:11.000000000 +1200 @@ -49,7 +49,6 @@ ~HttpStateData(); static void httpBuildRequestHeader(HttpRequest * request, - HttpRequest * orig_request, StoreEntry * entry, HttpHeader * hdr_out, const http_state_flags flags); 
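Review bot: The comment added above the `neighborType(_peer, request) == PEER_SIBLING` test ends with "But I suppose it was a bug" without saying which form is the bug, and the condition beneath it is unchanged. Its pseudo-code refers to `p` (the variable here is `_peer`), to `PEER_SIBLINGS`, and to `_peer->options.allow_miss` without the negation the real condition uses, so it cannot be read as an equivalent of the code. Because this test decides whether `flags.only_if_cached` is set for a sibling, I would replace the block with a short marker such as `/* XXX: confirm whether the sibling decision should depend on request; see bug NNNN */`, with the real tracker id in place of NNNN. The enclosing function starts and ends outside the hunk.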
@@ -66,7 +65,6 @@ peer *_peer; /* peer request made to */ int eof; /* reached end-of-object? */ int lastChunk; /* reached last chunk of a chunk-encoded reply */ - HttpRequest *orig_request; http_state_flags flags; size_t read_sz; int header_bytes_read; // to find end of response, @@ -79,8 +77,6 @@ void processSurrogateControl(HttpReply *); protected: - virtual HttpRequest *originalRequest(); - void processReply(); void proceedAfter1xx(); void handle1xx(HttpReply *msg); @@ -128,10 +124,7 @@ void httpStateConnClosed(const CommCloseCbParams ¶ms); void httpTimeout(const CommTimeoutCbParams ¶ms); - mb_size_t buildRequestPrefix(HttpRequest * request, - HttpRequest * orig_request, - StoreEntry * entry, - MemBuf * mb); + mb_size_t buildRequestPrefix(MemBuf * mb); static bool decideIfWeDoRanges (HttpRequest * orig_request); bool peerSupportsConnectionPinning() const; diff -u -r -N squid-3.2.0.9/src/HttpHeader.cc squid-3.2.0.10/src/HttpHeader.cc --- squid-3.2.0.9/src/HttpHeader.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/HttpHeader.cc 2011-07-24 17:46:11.000000000 +1200 @@ -42,6 +42,7 @@ #include "mgr/Registration.h" #include "rfc1123.h" #include "Store.h" +#include "TimeOrTag.h" /* * On naming conventions: diff -u -r -N squid-3.2.0.9/src/HttpHeader.h squid-3.2.0.10/src/HttpHeader.h --- squid-3.2.0.9/src/HttpHeader.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/HttpHeader.h 2011-07-24 17:46:11.000000000 +1200 @@ -177,14 +177,6 @@ /* use this and only this to initialize HttpHeaderPos */ #define HttpHeaderInitPos (-1) -/* these two are defined in structs.h */ - -/// \todo CLEANUP: Kill this. -typedef struct _TimeOrTag TimeOrTag; - -/// \todo CLEANUP: Kill this. -typedef struct _ETag ETag; - class HttpHeaderEntry { 
@@ -204,6 +196,9 @@ MEMPROXY_CLASS_INLINE(HttpHeaderEntry); +class ETag; +class TimeOrTag; + class HttpHeader { diff -u -r -N squid-3.2.0.9/src/HttpHeaderTools.cc squid-3.2.0.10/src/HttpHeaderTools.cc --- squid-3.2.0.9/src/HttpHeaderTools.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/HttpHeaderTools.cc 2011-07-24 17:46:11.000000000 +1200 @@ -433,7 +433,7 @@ ACLFilledChecklist checklist(hm->access_list, request, NULL); - if (checklist.fastCheck()) { + if (checklist.fastCheck() == ACCESS_ALLOWED) { /* aclCheckFast returns true for allow. */ retval = 1; } else if (NULL == hm->replacement) { diff -u -r -N squid-3.2.0.9/src/HttpReply.cc squid-3.2.0.10/src/HttpReply.cc --- squid-3.2.0.9/src/HttpReply.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/HttpReply.cc 2011-07-24 17:46:11.000000000 +1200 @@ -604,7 +604,7 @@ ch.reply = HTTPMSGLOCK(this); // XXX: this lock makes method non-const for (acl_size_t *l = Config.ReplyBodySize; l; l = l -> next) { /* if there is no ACL list or if the ACLs listed match use this size value */ - if (!l->aclList || ch.matchAclListFast(l->aclList)) { + if (!l->aclList || ch.fastCheck(l->aclList) == ACCESS_ALLOWED) { debugs(58, 4, HERE << "bodySizeMax=" << bodySizeMax); bodySizeMax = l->size; // may be -1 break; diff -u -r -N squid-3.2.0.9/src/HttpRequest.cc squid-3.2.0.10/src/HttpRequest.cc --- squid-3.2.0.9/src/HttpRequest.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/HttpRequest.cc 2011-07-24 17:46:11.000000000 +1200 
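Review bot: The comment kept beside the changed test in HttpHeaderTools.cc, `/* aclCheckFast returns true for allow. */`, no longer describes the code, which now compares `checklist.fastCheck()` with `ACCESS_ALLOWED`. It should say what happens for every other result, for example `/* any result other than ACCESS_ALLOWED takes the replacement/deny path */`. The same comparison is introduced in HttpReply.cc here and in HttpRequest.cc in the next file, where any non-allowed result now skips the size or offset limit rule; a comment there stating that this is intended would help. The enclosing functions extend beyond these hunks.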
@@ -666,7 +666,7 @@ for (acl_size_t *l = Config.rangeOffsetLimit; l; l = l -> next) { /* if there is no ACL list or if the ACLs listed match use this limit value */ - if (!l->aclList || ch.matchAclListFast(l->aclList)) { + if (!l->aclList || ch.fastCheck(l->aclList) == ACCESS_ALLOWED) { debugs(58, 4, HERE << "rangeOffsetLimit=" << rangeOffsetLimit); rangeOffsetLimit = l->size; // may be -1 break; diff -u -r -N squid-3.2.0.9/src/HttpVersion.h squid-3.2.0.10/src/HttpVersion.h --- squid-3.2.0.9/src/HttpVersion.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/HttpVersion.h 2011-07-24 17:46:11.000000000 +1200 @@ -35,6 +35,10 @@ #ifndef SQUID_HTTPVERSION_H #define SQUID_HTTPVERSION_H +#if HAVE_OSTREAM +#include +#endif + class HttpVersion { @@ -85,4 +89,10 @@ } }; +inline std::ostream & +operator << (std::ostream &os, const HttpVersion &v) +{ + return (os << v.major << '.' << v.minor); +} + #endif /* SQUID_HTTPVERSION_H */ diff -u -r -N squid-3.2.0.9/src/icmp/Icmp4.h squid-3.2.0.10/src/icmp/Icmp4.h --- squid-3.2.0.9/src/icmp/Icmp4.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/icmp/Icmp4.h 2011-07-24 17:46:11.000000000 +1200 @@ -52,7 +52,7 @@ #endif /* Linux uses its own field names. */ -#if defined (_SQUID_LINUX_) +#if _SQUID_LINUX_ #ifdef icmp_id #undef icmp_id #endif @@ -86,7 +86,7 @@ #if _SQUID_WINDOWS_ #include "fde.h" -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ #if HAVE_WINSOCK2_H #include diff -u -r -N squid-3.2.0.9/src/icmp/IcmpPinger.cc squid-3.2.0.10/src/icmp/IcmpPinger.cc --- squid-3.2.0.9/src/icmp/IcmpPinger.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/icmp/IcmpPinger.cc 2011-07-24 17:46:11.000000000 +1200 @@ -56,7 +56,7 @@ Close(); } -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ void Win32SockCleanup(void) { @@ -68,7 +68,7 @@ int IcmpPinger::Open(void) { -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ WSADATA wsaData; WSAPROTOCOL_INFO wpi; 
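Review bot: The new `operator <<` for `HttpVersion` is defined unconditionally, but the header that declares `std::ostream` is included only under `#if HAVE_OSTREAM`. On a build where that macro is 0 or undefined, HttpVersion.h compiles only if some other include happens to bring the stream declarations in first. Either place the operator inside the same `#if HAVE_OSTREAM` guard or include the stream header unconditionally, and add a one-line `///` comment saying the output format is `major.minor`.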
@@ -162,7 +162,7 @@ void IcmpPinger::Close(void) { -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ shutdown(icmp_sock, SD_BOTH); close(icmp_sock); diff -u -r -N squid-3.2.0.9/src/icmp/IcmpSquid.cc squid-3.2.0.10/src/icmp/IcmpSquid.cc --- squid-3.2.0.9/src/icmp/IcmpSquid.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/icmp/IcmpSquid.cc 2011-07-24 17:46:11.000000000 +1200 @@ -260,7 +260,7 @@ if (localhost.SetIPv4()) SendEcho(localhost, S_ICMP_ECHO, "localhost"); -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ debugs(37, 4, HERE << "Pinger handle: 0x" << std::hex << hIpc << std::dec << ", PID: " << pid); @@ -281,7 +281,7 @@ debugs(37, 1, HERE << "Closing Pinger socket on FD " << icmp_sock); -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ send(icmp_sock, (const void *) "$shutdown\n", 10, 0); @@ -289,7 +289,7 @@ comm_close(icmp_sock); -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ if (hIpc) { if (WaitForSingleObject(hIpc, 12000) != WAIT_OBJECT_0) { diff -u -r -N squid-3.2.0.9/src/icmp/pinger.cc squid-3.2.0.10/src/icmp/pinger.cc --- squid-3.2.0.9/src/icmp/pinger.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/icmp/pinger.cc 2011-07-24 17:46:11.000000000 +1200 @@ -72,7 +72,7 @@ #include "Icmp6.h" #include "IcmpPinger.h" -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ #if HAVE_WINSOCK2_H #include diff -u -r -N squid-3.2.0.9/src/ICP.h squid-3.2.0.10/src/ICP.h --- squid-3.2.0.9/src/ICP.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/ICP.h 2011-07-24 17:46:11.000000000 +1200 
@@ -131,7 +131,7 @@ HttpRequest* icpGetRequest(char *url, int reqnum, int fd, Ip::Address &from); /// \ingroup ServerProtocolICPAPI -int icpAccessAllowed(Ip::Address &from, HttpRequest * icp_request); +bool icpAccessAllowed(Ip::Address &from, HttpRequest * icp_request); /// \ingroup ServerProtocolICPAPI SQUIDCEXTERN void icpCreateAndSend(icp_opcode, int flags, char const *url, int reqnum, int pad, int fd, const Ip::Address &from); diff -u -r -N squid-3.2.0.9/src/icp_v2.cc squid-3.2.0.10/src/icp_v2.cc --- squid-3.2.0.9/src/icp_v2.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/icp_v2.cc 2011-07-24 17:46:11.000000000 +1200 @@ -445,18 +445,17 @@ } } -int +bool icpAccessAllowed(Ip::Address &from, HttpRequest * icp_request) { /* absent an explicit allow, we deny all */ if (!Config.accessList.icp) - return 0; + return true; ACLFilledChecklist checklist(Config.accessList.icp, icp_request, NULL); checklist.src_addr = from; checklist.my_addr.SetNoAddr(); - int result = checklist.fastCheck(); - return result; + return (checklist.fastCheck() == ACCESS_ALLOWED); } char const * @@ -647,7 +646,7 @@ if (ignoreErrno(errno)) break; -#ifdef _SQUID_LINUX_ +#if _SQUID_LINUX_ /* Some Linux systems seem to set the FD for reading and then * return ECONNREFUSED when sendto() fails and generates an ICMP * port unreachable message. */ diff -u -r -N squid-3.2.0.9/src/ident/AclIdent.cc squid-3.2.0.10/src/ident/AclIdent.cc --- squid-3.2.0.9/src/ident/AclIdent.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/ident/AclIdent.cc 2011-07-24 17:46:11.000000000 +1200 @@ -159,7 +159,7 @@ checklist->asyncInProgress(false); checklist->changeState(ACLChecklist::NullState::Instance()); - checklist->check(); + checklist->matchNonBlocking(); } #endif /* USE_IDENT */ diff -u -r -N squid-3.2.0.9/src/internal.cc squid-3.2.0.10/src/internal.cc --- squid-3.2.0.9/src/internal.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/internal.cc 2011-07-24 17:46:11.000000000 +1200 
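Review bot: `icpAccessAllowed` now returns `true` when `Config.accessList.icp` is unset, while the comment directly above still says "absent an explicit allow, we deny all" and the removed line returned 0. With no icp_access rules configured, ICP queries from any source are therefore accepted, which reverses the previous default-deny behaviour; the `int` to `bool` conversion should have produced `return false;`. The final return, `checklist.fastCheck() == ACCESS_ALLOWED`, keeps the deny-by-default meaning, so only the early return needs changing.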
@@ -34,6 +34,8 @@ */ #include "squid.h" +#include "CacheManager.h" +#include "comm/Connection.h" #include "errorpage.h" #include "Store.h" #include "HttpRequest.h" @@ -48,11 +50,11 @@ * return HTTP_NOT_FOUND for others */ void -internalStart(HttpRequest * request, StoreEntry * entry) +internalStart(const Comm::ConnectionPointer &clientConn, HttpRequest * request, StoreEntry * entry) { ErrorState *err; const char *upath = request->urlpath.termedBuf(); - debugs(76, 3, "internalStart: " << request->client_addr << " requesting '" << upath << "'"); + debugs(76, 3, HERE << clientConn << " requesting '" << upath << "'"); if (0 == strcmp(upath, "/squid-internal-dynamic/netdb")) { netdbBinaryExchange(entry); @@ -69,6 +71,8 @@ entry->replaceHttpReply(reply); entry->append(msgbuf, strlen(msgbuf)); entry->complete(); + } else if (0 == strncmp(upath, "/squid-internal-mgr/", 20)) { + CacheManager::GetInstance()->Start(clientConn, request, entry); } else { debugObj(76, 1, "internalStart: unknown request:\n", request, (ObjPackMethod) & httpRequestPack); diff -u -r -N squid-3.2.0.9/src/ip/Address.h squid-3.2.0.10/src/ip/Address.h --- squid-3.2.0.9/src/ip/Address.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/ip/Address.h 2011-07-24 17:46:11.000000000 +1200 @@ -45,7 +45,7 @@ #if HAVE_NETINET_IP_H #include #endif -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ #include #endif #if HAVE_NETDB_H diff -u -r -N squid-3.2.0.9/src/ip/testAddress.cc squid-3.2.0.10/src/ip/testAddress.cc --- squid-3.2.0.9/src/ip/testAddress.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/ip/testAddress.cc 2011-07-24 17:46:11.000000000 +1200 
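Review bot: The new `/squid-internal-mgr/` branch in `internalStart` hands the request to `CacheManager::GetInstance()->Start(clientConn, request, entry)` with no access check visible in this hunk, so it deserves a comment stating where the manager ACLs and the cache manager password are enforced for requests arriving over http(s)://. The prefix length is also a hand-counted `20`; it matches the literal today, but `sizeof("/squid-internal-mgr/") - 1` or a named constant would keep the two from drifting apart. The function body continues beyond the hunk, so a check may exist out of view.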
@@ -659,14 +659,17 @@ CPPUNIT_ASSERT_EQUAL( expect->ai_addrlen, ipval->ai_addrlen ); #if 0 + printf("sizeof IN(%d), IN6(%d), STORAGE(%d), \n", + sizeof(struct sockaddr_in), sizeof(struct sockaddr_in6), sizeof(struct sockaddr_storage)); + p = (unsigned int*)(expect->ai_addr); - printf("\nSYS-ADDR: (%d) %x %x %x %x %x %x %x %x ...", - expect->ai_addrlen, + printf("\nSYS-ADDR: (%d) {%d} %x %x %x %x %x %x %x %x ...", + expect->ai_addrlen, sizeof(*p), p[0],p[1],p[2],p[3],p[4],p[5],p[6],p[7] ); p = (unsigned int*)(ipval->ai_addr); - printf("\nSQD-ADDR: (%d) %x %x %x %x %x %x %x %x ...", - ipval->ai_addrlen, + printf("\nSQD-ADDR: (%d) {%d} %x %x %x %x %x %x %x %x ...", + ipval->ai_addrlen, sizeof(*p), p[0],p[1],p[2],p[3],p[4],p[5],p[6],p[7] ); printf("\n"); #if HAVE_SS_LEN_IN_SS 
@@ -690,10 +693,23 @@ ((struct sockaddr_in*)ipval->ai_addr)->sin_len ); CPPUNIT_ASSERT_EQUAL( (socklen_t)((struct sockaddr_in*)ipval->ai_addr)->sin_len, ipval->ai_addrlen ); #endif - CPPUNIT_ASSERT_EQUAL( ((struct sockaddr_in6*)expect->ai_addr)->sin6_family, - ((struct sockaddr_in6*)ipval->ai_addr)->sin6_family ); - CPPUNIT_ASSERT_EQUAL( ((struct sockaddr_in6*)expect->ai_addr)->sin6_port, - ((struct sockaddr_in6*)ipval->ai_addr)->sin6_port ); + + if (expect->ai_addrlen == sizeof(struct sockaddr_in)) { +//printf("FAMILY %d %d\n", ((struct sockaddr_in*)expect->ai_addr)->sin_family, ((struct sockaddr_in*)ipval->ai_addr)->sin_family); + CPPUNIT_ASSERT_EQUAL( ((struct sockaddr_in*)expect->ai_addr)->sin_family, + ((struct sockaddr_in*)ipval->ai_addr)->sin_family ); +//printf("PORT %d %d\n", ((struct sockaddr_in*)expect->ai_addr)->sin_port, ((struct sockaddr_in*)ipval->ai_addr)->sin_port); + CPPUNIT_ASSERT_EQUAL( ((struct sockaddr_in*)expect->ai_addr)->sin_port, + ((struct sockaddr_in*)ipval->ai_addr)->sin_port ); + } + if (expect->ai_addrlen == sizeof(struct sockaddr_in6)) { +//printf("FAMILY %d %d\n", ((struct sockaddr_in6*)expect->ai_addr)->sin6_family, ((struct sockaddr_in6*)ipval->ai_addr)->sin6_family); + CPPUNIT_ASSERT_EQUAL( ((struct sockaddr_in6*)expect->ai_addr)->sin6_family, + ((struct sockaddr_in6*)ipval->ai_addr)->sin6_family ); +//printf("PORT %d %d\n", ((struct sockaddr_in6*)expect->ai_addr)->sin6_port, ((struct sockaddr_in6*)ipval->ai_addr)->sin6_port); + CPPUNIT_ASSERT_EQUAL( ((struct sockaddr_in6*)expect->ai_addr)->sin6_port, + ((struct sockaddr_in6*)ipval->ai_addr)->sin6_port ); + } CPPUNIT_ASSERT( memcmp( expect->ai_addr, ipval->ai_addr, expect->ai_addrlen ) == 0 ); diff -u -r -N squid-3.2.0.9/src/ipc/Coordinator.cc squid-3.2.0.10/src/ipc/Coordinator.cc --- squid-3.2.0.9/src/ipc/Coordinator.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/ipc/Coordinator.cc 2011-07-24 17:46:11.000000000 +1200 
@@ -128,7 +128,7 @@ request.params.addr << " to kid" << request.requestorId << " mapId=" << request.mapId); - SharedListenResponse response(c, errNo, request.mapId); + SharedListenResponse response(c->fd, errNo, request.mapId); TypedMsgHdr message; response.pack(message); SendMessage(MakeAddr(strandAddrPfx, request.requestorId), message); diff -u -r -N squid-3.2.0.9/src/ipc/Kid.h squid-3.2.0.10/src/ipc/Kid.h --- squid-3.2.0.9/src/ipc/Kid.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/ipc/Kid.h 2011-07-24 17:46:11.000000000 +1200 @@ -14,7 +14,7 @@ class Kid { public: -#ifdef _SQUID_NEXT_ +#if _SQUID_NEXT_ typedef union wait status_type; #else typedef int status_type; diff -u -r -N squid-3.2.0.9/src/ipc/Makefile.am squid-3.2.0.10/src/ipc/Makefile.am --- squid-3.2.0.9/src/ipc/Makefile.am 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/ipc/Makefile.am 2011-07-24 17:46:11.000000000 +1200 @@ -36,4 +36,7 @@ Request.h \ Response.h -DEFS += -DDEFAULT_PREFIX=\"$(prefix)\" +DEFS += -DDEFAULT_STATEDIR=\"$(localstatedir)/run/squid\" + +install-data-local: + $(mkinstalldirs) $(DESTDIR)$(localstatedir)/run/squid; diff -u -r -N squid-3.2.0.9/src/ipc/Makefile.in squid-3.2.0.10/src/ipc/Makefile.in --- squid-3.2.0.9/src/ipc/Makefile.in 2011-06-18 20:16:22.000000000 +1200 +++ squid-3.2.0.10/src/ipc/Makefile.in 2011-07-24 17:47:10.000000000 +1200 @@ -123,7 +123,7 @@ DEFAULT_LOG_DIR = @DEFAULT_LOG_DIR@ DEFAULT_PID_FILE = @DEFAULT_PID_FILE@ DEFAULT_SWAP_DIR = @DEFAULT_SWAP_DIR@ -DEFS = @DEFS@ -DDEFAULT_PREFIX=\"$(prefix)\" +DEFS = @DEFS@ -DDEFAULT_STATEDIR=\"$(localstatedir)/run/squid\" DEPDIR = @DEPDIR@ DIGEST_AUTH_HELPERS = @DIGEST_AUTH_HELPERS@ DISK_LIBS = @DISK_LIBS@ @@ -673,7 +673,7 @@ info-am: -install-data-am: +install-data-am: install-data-local install-dvi: install-dvi-am 
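Review bot: `install-data-local` in src/ipc/Makefile.am creates `$(localstatedir)/run/squid` with `$(mkinstalldirs)` and nothing else, so the directory that holds `coordinator.ipc` and the `kid` sockets gets whatever owner and mode the installing user's umask produces. Listening descriptors are passed between coordinator and workers through those sockets, so the directory should be writable by the Squid runtime user only; an install run as root probably leaves it root-owned and unusable by unprivileged workers, and a permissive umask leaves it open to other local users. I would add a comment, `# must be owned by cache_effective_user and not writable by anyone else`, and pass an explicit mode, e.g. `$(mkinstalldirs) -m 750 $(DESTDIR)$(localstatedir)/run/squid`. The same rule is copied into the generated Makefile.in.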
@@ -728,14 +728,14 @@ clean-noinstLTLIBRARIES ctags distclean distclean-compile \ distclean-generic distclean-libtool distclean-tags distdir dvi \ dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-pdf \ - install-pdf-am install-ps install-ps-am install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags uninstall uninstall-am + install-data install-data-am install-data-local install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am install-man \ + install-pdf install-pdf-am install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am $(OBJS): $(top_srcdir)/include/version.h $(top_builddir)/include/autoconf.h @@ -745,6 +745,9 @@ .PHONY: testHeaders +install-data-local: + $(mkinstalldirs) $(DESTDIR)$(localstatedir)/run/squid; + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff -u -r -N squid-3.2.0.9/src/ipc/Port.cc squid-3.2.0.10/src/ipc/Port.cc --- squid-3.2.0.9/src/ipc/Port.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/ipc/Port.cc 2011-07-24 17:46:11.000000000 +1200 
@@ -12,8 +12,8 @@ #include "comm/Connection.h" #include "ipc/Port.h" -const char Ipc::coordinatorAddr[] = DEFAULT_PREFIX "/var/run/coordinator.ipc"; -const char Ipc::strandAddrPfx[] = DEFAULT_PREFIX "/var/run/squid"; +const char Ipc::coordinatorAddr[] = DEFAULT_STATEDIR "/coordinator.ipc"; +const char Ipc::strandAddrPfx[] = DEFAULT_STATEDIR "/kid"; Ipc::Port::Port(const String& aListenAddr): diff -u -r -N squid-3.2.0.9/src/ipc/SharedListen.cc squid-3.2.0.10/src/ipc/SharedListen.cc --- squid-3.2.0.9/src/ipc/SharedListen.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/ipc/SharedListen.cc 2011-07-24 17:46:11.000000000 +1200 @@ -82,18 +82,17 @@ } -Ipc::SharedListenResponse::SharedListenResponse(const Comm::ConnectionPointer &c, int anErrNo, int aMapId): - conn(c), errNo(anErrNo), mapId(aMapId) +Ipc::SharedListenResponse::SharedListenResponse(int aFd, int anErrNo, int aMapId): + fd(aFd), errNo(anErrNo), mapId(aMapId) { } Ipc::SharedListenResponse::SharedListenResponse(const TypedMsgHdr &hdrMsg): - conn(NULL), errNo(0), mapId(-1) + fd(-1), errNo(0), mapId(-1) { hdrMsg.checkType(mtSharedListenResponse); hdrMsg.getPod(*this); - conn = new Comm::Connection; - conn->fd = hdrMsg.getFd(); + fd = hdrMsg.getFd(); // other conn details are passed in OpenListenerParams and filled out by SharedListenJoin() } @@ -101,7 +100,7 @@ { hdrMsg.setType(mtSharedListenResponse); hdrMsg.putPod(*this); - hdrMsg.putFd(conn->fd); + hdrMsg.putFd(fd); } @@ -127,10 +126,8 @@ void Ipc::SharedListenJoined(const SharedListenResponse &response) { - Comm::ConnectionPointer c = response.conn; - // Dont debugs c fully since only FD is filled right now. - debugs(54, 3, HERE << "got listening FD " << c->fd << " errNo=" << + debugs(54, 3, HERE << "got listening FD " << response.fd << " errNo=" << response.errNo << " mapId=" << response.mapId); Must(TheSharedListenRequestMap.find(response.mapId) != TheSharedListenRequestMap.end()); 
@@ -138,22 +135,24 @@ Must(por.callback != NULL); TheSharedListenRequestMap.erase(response.mapId); - if (Comm::IsConnOpen(c)) { + StartListeningCb *cbd = dynamic_cast(por.callback->getDialer()); + assert(cbd && cbd->conn != NULL); + Must(cbd && cbd->conn != NULL); + cbd->conn->fd = response.fd; + + if (Comm::IsConnOpen(cbd->conn)) { OpenListenerParams &p = por.params; - c->local = p.addr; - c->flags = p.flags; + cbd->conn->local = p.addr; + cbd->conn->flags = p.flags; // XXX: leave the comm AI stuff to comm_import_opened()? struct addrinfo *AI = NULL; p.addr.GetAddrInfo(AI); AI->ai_socktype = p.sock_type; AI->ai_protocol = p.proto; - comm_import_opened(c, FdNote(p.fdNote), AI); + comm_import_opened(cbd->conn, FdNote(p.fdNote), AI); p.addr.FreeAddrInfo(AI); } - StartListeningCb *cbd = dynamic_cast(por.callback->getDialer()); - Must(cbd); - cbd->conn = c; cbd->errNo = response.errNo; cbd->handlerSubscription = por.params.handlerSubscription; ScheduleCallHere(por.callback); diff -u -r -N squid-3.2.0.9/src/ipc/SharedListen.h squid-3.2.0.10/src/ipc/SharedListen.h --- squid-3.2.0.9/src/ipc/SharedListen.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/ipc/SharedListen.h 2011-07-24 17:46:11.000000000 +1200 
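Review bot: In `SharedListenJoined` the dialer is checked twice, `assert(cbd && cbd->conn != NULL);` immediately followed by `Must(cbd && cbd->conn != NULL);`, so the second check can never fire. The neighbouring checks in this function use `Must`, so I would drop the `assert` and keep `Must(cbd && cbd->conn != NULL);` so a bad callback is reported the same way as the others. Separately, `cbd->conn->fd = response.fd;` stores a descriptor number taken from an IPC message before `Comm::IsConnOpen` is consulted; a one-line comment that `-1` is the expected failure value would help readers. The function begins in the previous hunk.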
@@ -60,12 +60,12 @@ class SharedListenResponse { public: - SharedListenResponse(const Comm::ConnectionPointer &c, int errNo, int mapId); + SharedListenResponse(int fd, int errNo, int mapId); explicit SharedListenResponse(const TypedMsgHdr &hdrMsg); ///< from recvmsg() void pack(TypedMsgHdr &hdrMsg) const; ///< prepare for sendmsg() public: - Comm::ConnectionPointer conn; ///< opened listening socket or -1 + int fd; ///< opened listening socket or -1 int errNo; ///< errno value from comm_open_sharedListen() call int mapId; ///< to map future response to the requestor's callback }; diff -u -r -N squid-3.2.0.9/src/ipc/StartListening.cc squid-3.2.0.10/src/ipc/StartListening.cc --- squid-3.2.0.9/src/ipc/StartListening.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/ipc/StartListening.cc 2011-07-24 17:46:11.000000000 +1200 @@ -30,6 +30,10 @@ Ipc::StartListening(int sock_type, int proto, const Comm::ConnectionPointer &listenConn, FdNoteId fdNote, AsyncCall::Pointer &callback) { + StartListeningCb *cbd = dynamic_cast(callback->getDialer()); + Must(cbd); + cbd->conn = listenConn; + if (UsingSmp()) { // if SMP is on, share OpenListenerParams p; p.sock_type = sock_type; @@ -41,10 +45,6 @@ return; // wait for the call back } - StartListeningCb *cbd = dynamic_cast(callback->getDialer()); - Must(cbd); - cbd->conn = listenConn; - enter_suid(); comm_open_listener(sock_type, proto, cbd->conn, FdNote(fdNote)); cbd->errNo = Comm::IsConnOpen(cbd->conn) ? 0 : errno; diff -u -r -N squid-3.2.0.9/src/ipcache.cc squid-3.2.0.10/src/ipcache.cc --- squid-3.2.0.9/src/ipcache.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/ipcache.cc 2011-07-24 17:46:11.000000000 +1200 @@ -592,7 +592,6 @@ ipcacheHandleReply(void *data, rfc1035_rr * answers, int na, const char *error_message) #endif { - int done; ipcache_entry *i; static_cast(data)->unwrap(&i); IpcacheStats.replies++; 
@@ -600,11 +599,10 @@ statHistCount(&statCounter.dns.svc_time, age); #if USE_DNSSERVERS - - done = ipcacheParse(i, reply); + ipcacheParse(i, reply); #else - done = ipcacheParse(i, answers, na, error_message); + int done = ipcacheParse(i, answers, na, error_message); /* If we have not produced either IPs or Error immediately, wait for recursion to finish. */ if (done != 0 || error_message != NULL) diff -u -r -N squid-3.2.0.9/src/log/access_log.cc squid-3.2.0.10/src/log/access_log.cc --- squid-3.2.0.9/src/log/access_log.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/log/access_log.cc 2011-07-24 17:46:11.000000000 +1200 @@ -111,7 +111,7 @@ xstrncpy(al->hier.host, dash_str, SQUIDHOSTNAMELEN); for (; log; log = log->next) { - if (checklist && log->aclList && !checklist->matchAclListFast(log->aclList)) + if (log->aclList && checklist && checklist->fastCheck(log->aclList) != ACCESS_ALLOWED) continue; if (log->logfile) { diff -u -r -N squid-3.2.0.9/src/main.cc squid-3.2.0.10/src/main.cc --- squid-3.2.0.9/src/main.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/main.cc 2011-07-24 17:46:11.000000000 +1200 @@ -130,7 +130,7 @@ #endif -#ifndef SQUID_BUILD_INFO +#if !defined(SQUID_BUILD_INFO) #define SQUID_BUILD_INFO "" #endif @@ -168,7 +168,7 @@ static void mainSetCwd(void); static int checkRunningPid(void); -#ifndef _SQUID_MSWIN_ +#if !_SQUID_MSWIN_ static const char *squid_start_script = "squid_start"; #endif @@ -591,7 +591,7 @@ { do_rotate = 1; RotateSignal = sig; -#ifndef _SQUID_MSWIN_ +#if !_SQUID_MSWIN_ #if !HAVE_SIGACTION signal(sig, rotate_logs); @@ -605,7 +605,7 @@ { do_reconfigure = 1; ReconfigureSignal = sig; -#ifndef _SQUID_MSWIN_ +#if !_SQUID_MSWIN_ #if !HAVE_SIGACTION signal(sig, reconfigure); @@ -634,7 +634,7 @@ " pid " << ppid << ": " << xstrerror()); } -#ifndef _SQUID_MSWIN_ +#if !_SQUID_MSWIN_ #if KILL_PARENT_OPT if (!IamMasterProcess() && ppid > 1) { 
@@ -926,7 +926,7 @@ { keepCapabilities(); leave_suid(); /* Run as non privilegied user */ -#ifdef _SQUID_OS2_ +#if _SQUID_OS2_ return; #endif @@ -1010,7 +1010,7 @@ setSystemLimits(); debugs(1, 1, "With " << Squid_MaxFD << " file descriptors available"); -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ debugs(1, 1, "With " << _getmaxstdio() << " CRT stdio descriptors available"); @@ -1534,7 +1534,7 @@ WIN32_sendSignal(opt_send_signal); exit(0); } else -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ { fprintf(stderr, "%s: ERROR: Could not send ", APP_SHORTNAME); fprintf(stderr, "signal to Squid Service:\n"); @@ -1569,7 +1569,7 @@ exit(0); } -#ifndef _SQUID_MSWIN_ +#if !_SQUID_MSWIN_ /* * This function is run when Squid is in daemon mode, just * before the parent forks and starts up the child process. @@ -1599,7 +1599,7 @@ _exit(-1); } else { do { -#ifdef _SQUID_NEXT_ +#if _SQUID_NEXT_ union wait status; rpid = wait4(cpid, &status, 0, NULL); #else @@ -1642,9 +1642,9 @@ static void watch_child(char *argv[]) { -#ifndef _SQUID_MSWIN_ +#if !_SQUID_MSWIN_ char *prog; -#ifdef _SQUID_NEXT_ +#if _SQUID_NEXT_ union wait status; #else @@ -1740,7 +1740,7 @@ squid_signal(SIGINT, SIG_IGN, SA_RESTART); -#ifdef _SQUID_NEXT_ +#if _SQUID_NEXT_ pid = wait3(&status, 0, NULL); @@ -1773,7 +1773,7 @@ } else { syslog(LOG_NOTICE, "Squid Parent: unknown child process %d exited", pid); } -#ifdef _SQUID_NEXT_ +#if _SQUID_NEXT_ } while ((pid = wait3(&status, WNOHANG, NULL)) > 0); #else } diff -u -r -N squid-3.2.0.9/src/Makefile.am squid-3.2.0.10/src/Makefile.am --- squid-3.2.0.9/src/Makefile.am 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/Makefile.am 2011-07-24 17:46:11.000000000 +1200 @@ -310,6 +310,7 @@ errorpage.cc \ errorpage.h \ ETag.cc \ + ETag.h \ event.cc \ event.h \ EventLoop.h \ 
@@ -469,6 +470,7 @@ SwapDir.cc \ SwapDir.h \ time.cc \ + TimeOrTag.h \ tools.cc \ tunnel.cc \ typedefs.h \ diff -u -r -N squid-3.2.0.9/src/Makefile.in squid-3.2.0.10/src/Makefile.in --- squid-3.2.0.9/src/Makefile.in 2011-06-18 20:16:08.000000000 +1200 +++ squid-3.2.0.10/src/Makefile.in 2011-07-24 17:47:06.000000000 +1200 
@@ -215,49 +215,51 @@ DiskIO/DiskIOModule.h dlink.h dlink.cc dns_internal.cc \ DnsLookupDetails.h DnsLookupDetails.cc dns.cc enums.h \ err_type.h err_detail_type.h errorpage.cc errorpage.h ETag.cc \ - event.cc event.h EventLoop.h EventLoop.cc external_acl.cc \ - ExternalACL.h ExternalACLEntry.cc ExternalACLEntry.h \ - FadingCounter.h FadingCounter.cc fd.cc fde.cc fde.h filemap.cc \ - forward.cc forward.h fqdncache.cc ftp.cc Generic.h globals.h \ - gopher.cc helper.cc helper.h HelperChildConfig.h \ - HelperChildConfig.cc hier_code.h HierarchyLogEntry.h htcp.cc \ - htcp.h http.cc http.h HttpStatusCode.h HttpStatusLine.cc \ - HttpStatusLine.h HttpHdrCc.cc HttpHdrRange.cc HttpHdrSc.cc \ - HttpHdrSc.h HttpHdrScTarget.cc HttpHdrScTarget.h \ - HttpHdrContRange.cc HttpHdrContRange.h HttpHeader.cc \ - HttpHeader.h HttpHeaderMask.h HttpHeaderRange.h \ - HttpHeaderTools.cc HttpBody.cc HttpControlMsg.h HttpMsg.cc \ - HttpMsg.h HttpParser.cc HttpParser.h HttpReply.cc HttpReply.h \ - HttpRequest.cc HttpRequest.h HttpRequestMethod.cc \ - HttpRequestMethod.h HttpVersion.h ICP.h icp_opcode.h icp_v2.cc \ - icp_v3.cc int.cc internal.cc ipc.cc ipc_win32.cc ipcache.cc \ - ipcache.h LeakFinder.cc list.cc lookup_t.h main.cc mem.cc \ - mem_node.cc mem_node.h Mem.h MemBuf.cc MemObject.cc \ - MemObject.h mime.cc mime_header.cc multicast.cc neighbors.cc \ - Packer.cc Packer.h Parsing.cc Parsing.h ProfStats.cc pconn.cc \ - pconn.h PeerDigest.h peer_digest.cc \ - peer_proxy_negotiate_auth.cc peer_select.cc peer_sourcehash.cc \ - peer_userhash.cc PeerSelectState.h PingData.h protos.h \ - redirect.cc refresh.cc RemovalPolicy.cc RemovalPolicy.h \ - send-announce.cc base/InstanceId.h MemBlob.h MemBlob.cc \ - snmp_core.h snmp_core.cc snmp_agent.cc squid.h SquidMath.h \ - SquidMath.cc SquidNew.cc stat.cc StatHist.cc String.cc \ - stmem.cc stmem.h store.cc Store.h StoreFileSystem.cc \ - StoreFileSystem.h StoreHashIndex.h store_io.cc StoreIOBuffer.h \ - StoreIOState.cc StoreIOState.h store_client.cc 
StoreClient.h \ - store_digest.cc store_dir.cc store_key_md5.cc store_log.cc \ - store_rebuild.cc store_swapin.cc store_swapmeta.cc \ - store_swapout.cc StoreMeta.cc StoreMeta.h StoreMetaMD5.cc \ - StoreMetaMD5.h StoreMetaSTD.cc StoreMetaSTD.h \ - StoreMetaSTDLFS.cc StoreMetaSTDLFS.h StoreMetaObjSize.h \ - StoreMetaUnpacker.cc StoreMetaUnpacker.h StoreMetaURL.cc \ - StoreMetaURL.h StoreMetaVary.cc StoreMetaVary.h StoreSearch.h \ + ETag.h event.cc event.h EventLoop.h EventLoop.cc \ + external_acl.cc ExternalACL.h ExternalACLEntry.cc \ + ExternalACLEntry.h FadingCounter.h FadingCounter.cc fd.cc \ + fde.cc fde.h filemap.cc forward.cc forward.h fqdncache.cc \ + ftp.cc Generic.h globals.h gopher.cc helper.cc helper.h \ + HelperChildConfig.h HelperChildConfig.cc hier_code.h \ + HierarchyLogEntry.h htcp.cc htcp.h http.cc http.h \ + HttpStatusCode.h HttpStatusLine.cc HttpStatusLine.h \ + HttpHdrCc.cc HttpHdrRange.cc HttpHdrSc.cc HttpHdrSc.h \ + HttpHdrScTarget.cc HttpHdrScTarget.h HttpHdrContRange.cc \ + HttpHdrContRange.h HttpHeader.cc HttpHeader.h HttpHeaderMask.h \ + HttpHeaderRange.h HttpHeaderTools.cc HttpBody.cc \ + HttpControlMsg.h HttpMsg.cc HttpMsg.h HttpParser.cc \ + HttpParser.h HttpReply.cc HttpReply.h HttpRequest.cc \ + HttpRequest.h HttpRequestMethod.cc HttpRequestMethod.h \ + HttpVersion.h ICP.h icp_opcode.h icp_v2.cc icp_v3.cc int.cc \ + internal.cc ipc.cc ipc_win32.cc ipcache.cc ipcache.h \ + LeakFinder.cc list.cc lookup_t.h main.cc mem.cc mem_node.cc \ + mem_node.h Mem.h MemBuf.cc MemObject.cc MemObject.h mime.cc \ + mime_header.cc multicast.cc neighbors.cc Packer.cc Packer.h \ + Parsing.cc Parsing.h ProfStats.cc pconn.cc pconn.h \ + PeerDigest.h peer_digest.cc peer_proxy_negotiate_auth.cc \ + peer_select.cc peer_sourcehash.cc peer_userhash.cc \ + PeerSelectState.h PingData.h protos.h redirect.cc refresh.cc \ + RemovalPolicy.cc RemovalPolicy.h send-announce.cc \ + base/InstanceId.h MemBlob.h MemBlob.cc snmp_core.h \ + snmp_core.cc snmp_agent.cc squid.h 
SquidMath.h SquidMath.cc \ + SquidNew.cc stat.cc StatHist.cc String.cc stmem.cc stmem.h \ + store.cc Store.h StoreFileSystem.cc StoreFileSystem.h \ + StoreHashIndex.h store_io.cc StoreIOBuffer.h StoreIOState.cc \ + StoreIOState.h store_client.cc StoreClient.h store_digest.cc \ + store_dir.cc store_key_md5.cc store_log.cc store_rebuild.cc \ + store_swapin.cc store_swapmeta.cc store_swapout.cc \ + StoreMeta.cc StoreMeta.h StoreMetaMD5.cc StoreMetaMD5.h \ + StoreMetaSTD.cc StoreMetaSTD.h StoreMetaSTDLFS.cc \ + StoreMetaSTDLFS.h StoreMetaObjSize.h StoreMetaUnpacker.cc \ + StoreMetaUnpacker.h StoreMetaURL.cc StoreMetaURL.h \ + StoreMetaVary.cc StoreMetaVary.h StoreSearch.h \ StoreSwapLogData.cc StoreSwapLogData.h Server.cc Server.h \ - structs.h swap_log_op.h SwapDir.cc SwapDir.h time.cc tools.cc \ - tunnel.cc typedefs.h unlinkd.cc url.cc URL.h URLScheme.cc \ - URLScheme.h urn.cc wccp.cc wccp2.cc whois.cc wordlist.cc \ - wordlist.h win32.cc WinSvc.cc LoadableModule.h \ - LoadableModule.cc LoadableModules.h LoadableModules.cc + structs.h swap_log_op.h SwapDir.cc SwapDir.h time.cc \ + TimeOrTag.h tools.cc tunnel.cc typedefs.h unlinkd.cc url.cc \ + URL.h URLScheme.cc URLScheme.h urn.cc wccp.cc wccp2.cc \ + whois.cc wordlist.cc wordlist.h win32.cc WinSvc.cc \ + LoadableModule.h LoadableModule.cc LoadableModules.h \ + LoadableModules.cc am__objects_4 = AclRegs.$(OBJEXT) AuthReg.$(OBJEXT) am__objects_5 = delay_pools.$(OBJEXT) DelayId.$(OBJEXT) \ DelayBucket.$(OBJEXT) DelayConfig.$(OBJEXT) \ 
@@ -2012,8 +2014,8 @@ CpuAffinitySet.cc CpuAffinitySet.h debug.cc Debug.h defines.h \ $(DELAY_POOL_SOURCE) disk.cc $(DISKIO_SOURCE) dlink.h dlink.cc \ $(DNSSOURCE) enums.h err_type.h err_detail_type.h errorpage.cc \ - errorpage.h ETag.cc event.cc event.h EventLoop.h EventLoop.cc \ - external_acl.cc ExternalACL.h ExternalACLEntry.cc \ + errorpage.h ETag.cc ETag.h event.cc event.h EventLoop.h \ + EventLoop.cc external_acl.cc ExternalACL.h ExternalACLEntry.cc \ ExternalACLEntry.h FadingCounter.h FadingCounter.cc fd.cc \ fde.cc fde.h filemap.cc forward.cc forward.h fqdncache.cc \ ftp.cc Generic.h globals.h gopher.cc helper.cc helper.h \ @@ -2050,11 +2052,11 @@ StoreMetaUnpacker.cc StoreMetaUnpacker.h StoreMetaURL.cc \ StoreMetaURL.h StoreMetaVary.cc StoreMetaVary.h StoreSearch.h \ StoreSwapLogData.cc StoreSwapLogData.h Server.cc Server.h \ - structs.h swap_log_op.h SwapDir.cc SwapDir.h time.cc tools.cc \ - tunnel.cc typedefs.h $(UNLINKDSOURCE) url.cc URL.h \ - URLScheme.cc URLScheme.h urn.cc wccp.cc wccp2.cc whois.cc \ - wordlist.cc wordlist.h $(WIN32_SOURCE) $(WINSVC_SOURCE) \ - $(am__append_8) + structs.h swap_log_op.h SwapDir.cc SwapDir.h time.cc \ + TimeOrTag.h tools.cc tunnel.cc typedefs.h $(UNLINKDSOURCE) \ + url.cc URL.h URLScheme.cc URLScheme.h urn.cc wccp.cc wccp2.cc \ + whois.cc wordlist.cc wordlist.h $(WIN32_SOURCE) \ + $(WINSVC_SOURCE) $(am__append_8) EXTRA_squid_SOURCES = \ $(AIO_WIN32_ALL_SOURCES) \ $(all_AUTHMODULES) \ diff -u -r -N squid-3.2.0.9/src/mem.cc squid-3.2.0.10/src/mem.cc --- squid-3.2.0.9/src/mem.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/mem.cc 2011-07-24 17:46:11.000000000 +1200 
@@ -180,14 +180,19 @@ */ /* - * we have a limit on _total_ amount of idle memory so we ignore - * max_pages for now + * we have a limit on _total_ amount of idle memory so we ignore max_pages for now. + * Will ignore repeated calls for the same pool type. + * + * Relies on Mem::Init() having been called beforehand. */ void memDataInit(mem_type type, const char *name, size_t size, int max_pages_notused, bool zeroOnPush) { assert(name && size); - assert(MemPools[type] == NULL); + + if (MemPools[type] != NULL) + return; + MemPools[type] = memPoolCreate(name, size); MemPools[type]->zeroOnPush(zeroOnPush); } @@ -197,6 +202,7 @@ void * memAllocate(mem_type type) { + assert(MemPools[type]); return MemPools[type]->alloc(); } @@ -204,6 +210,7 @@ void memFree(void *p, int type) { + assert(MemPools[type]); MemPools[type]->freeOne(p); } @@ -498,15 +505,13 @@ void memCheckInit(void) { - mem_type t; - - for (t = MEM_NONE, ++t; t < MEM_MAX; ++t) { - if (MEM_DONTFREE == t) - continue; + mem_type t = MEM_NONE; + while (++t < MEM_DONTFREE) { /* * If you hit this assertion, then you forgot to add a * memDataInit() line for type 't'. + * Or placed the pool type in the wrong section of the enum list. */ assert(MemPools[t]); } diff -u -r -N squid-3.2.0.9/src/mgr/Inquirer.cc squid-3.2.0.10/src/mgr/Inquirer.cc --- squid-3.2.0.9/src/mgr/Inquirer.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/mgr/Inquirer.cc 2011-07-24 17:46:11.000000000 +1200 @@ -171,9 +171,9 @@ } } - debugs(0, 0, HERE << "strands kid IDs = "); + debugs(16, 4, HERE << "strands kid IDs = "); for (Ipc::StrandCoords::const_iterator iter = sc.begin(); iter != sc.end(); ++iter) { - debugs(0, 0, HERE << iter->kidId); + debugs(16, 4, HERE << iter->kidId); } return sc; diff -u -r -N squid-3.2.0.9/src/neighbors.cc squid-3.2.0.10/src/neighbors.cc --- squid-3.2.0.9/src/neighbors.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/neighbors.cc 2011-07-24 17:46:11.000000000 +1200 
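Review bot: The new early return in memDataInit(), `if (MemPools[type] != NULL) return;`, accepts a repeated call without checking that `name`, `size` and `zeroOnPush` match the pool that already exists. A later caller that asks for a larger `size` would be served objects from the smaller existing pool, a silent under-allocation where the old code failed an assertion. I would keep the tolerance for reconfigure but assert, before returning, that the existing pool's object size equals `size`; the accessor for that is not visible in this hunk.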
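Review bot: The added `assert(MemPools[type]);` in memAllocate(), and again in memFree() in the next hunk, reads the array slot before anything has checked that `type` is a valid index, and memFree() takes a plain `int`. An out-of-range value is therefore read past the array before the assertion can fire. I would put `assert(type > MEM_NONE && type < MEM_MAX);` ahead of it in both functions, assuming MemPools is sized by `MEM_MAX` as the old loop bound in memCheckInit() suggests.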
@@ -55,7 +55,7 @@ /* count mcast group peers every 15 minutes */ #define MCAST_COUNT_RATE 900 -int peerAllowedToUse(const peer *, HttpRequest *); +bool peerAllowedToUse(const peer *, HttpRequest *); static int peerWouldBePinged(const peer *, HttpRequest *); static void neighborRemove(peer *); static void neighborAlive(peer *, const MemObject *, const icp_common_t *); @@ -138,18 +138,14 @@ return p->type; } -/* - * peerAllowedToUse - * - * this function figures out if it is appropriate to fetch REQUEST - * from PEER. +/** + * \return Whether it is appropriate to fetch REQUEST from PEER. */ -int +bool peerAllowedToUse(const peer * p, HttpRequest * request) { const struct _domain_ping *d = NULL; - int do_ping = 1; assert(request != NULL); if (neighborType(p, request) == PEER_SIBLING) { @@ -159,28 +155,27 @@ debugs(15, 2, "peerAllowedToUse(" << p->name << ", " << request->GetHost() << ") : multicast-siblings optimization match"); #endif if (request->flags.nocache) - return 0; + return false; if (request->flags.refresh) - return 0; + return false; if (request->flags.loopdetect) - return 0; + return false; if (request->flags.need_validation) - return 0; + return false; } // CONNECT requests are proxy requests. Not to be forwarded to origin servers. // Unless the destination port matches, in which case we MAY perform a 'DIRECT' to this peer. if (p->options.originserver && request->method == METHOD_CONNECT && request->port != p->in_addr.GetPort()) - return 0; + return false; if (p->peer_domain == NULL && p->access == NULL) - return do_ping; - - do_ping = 0; + return true; + bool do_ping = false; for (d = p->peer_domain; d; d = d->next) { if (0 == matchDomainName(request->GetHost(), d->domain)) { do_ping = d->do_ping; @@ -190,8 +185,8 @@ do_ping = !d->do_ping; } - if (p->peer_domain && 0 == do_ping) - return do_ping; + if (p->peer_domain && !do_ping) + return false; if (p->access == NULL) return do_ping; 
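Review bot: The forward declaration `bool peerAllowedToUse(const peer *, HttpRequest *);` at the top of neighbors.cc is repeated by hand in peer_select.cc, and this commit has to change the return type in both copies. On common C++ ABIs the return type is not part of the linked symbol, so a later change that updates only one copy would still build and link while misreading the result of an access decision. I would declare it once in a shared header (protos.h already carries the other peer selection functions touched by this diff) and drop both local declarations.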
@@ -211,29 +206,26 @@ #endif - return checklist.fastCheck(); + return (checklist.fastCheck() == ACCESS_ALLOWED); } /* Return TRUE if it is okay to send an ICP request to this peer. */ static int peerWouldBePinged(const peer * p, HttpRequest * request) { - if (!peerAllowedToUse(p, request)) + if (p->icp.port == 0) return 0; if (p->options.no_query) return 0; - if (p->options.background_ping && (squid_curtime - p->stats.last_query < Config.backgroundPingRate)) - return 0; - if (p->options.mcast_responder) return 0; if (p->n_addresses == 0) return 0; - if (p->icp.port == 0) + if (p->options.background_ping && (squid_curtime - p->stats.last_query < Config.backgroundPingRate)) return 0; /* the case below seems strange, but can happen if the @@ -242,6 +234,9 @@ if (!request->flags.hierarchical) return 0; + if (!peerAllowedToUse(p, request)) + return 0; + /* Ping dead peers every timeout interval */ if (squid_curtime - p->stats.last_query > Config.Timeout.deadPeer) return 1; @@ -256,16 +251,16 @@ int peerHTTPOkay(const peer * p, HttpRequest * request) { + if (p->max_conn) + if (p->stats.conn_open >= p->max_conn) + return 0; + if (!peerAllowedToUse(p, request)) return 0; if (!neighborUp(p)) return 0; - if (p->max_conn) - if (p->stats.conn_open >= p->max_conn) - return 0; - return 1; } 
@@ -481,33 +476,6 @@ return NULL; } -/* - * XXX DW thinks this function is equivalent to/redundant with - * getFirstUpParent(). peerHTTPOkay() only returns true if the - * peer is UP anyway, so this function would not return a - * DOWN parent. - */ -peer * -getAnyParent(HttpRequest * request) -{ - peer *p = NULL; - - for (p = Config.peers; p; p = p->next) { - if (neighborType(p, request) != PEER_PARENT) - continue; - - if (!peerHTTPOkay(p, request)) - continue; - - debugs(15, 3, "getAnyParent: returning " << p->host); - - return p; - } - - debugs(15, 3, "getAnyParent: returning NULL"); - return NULL; -} - peer * getNextPeer(peer * p) { diff -u -r -N squid-3.2.0.9/src/pconn.cc squid-3.2.0.10/src/pconn.cc --- squid-3.2.0.9/src/pconn.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/pconn.cc 2011-07-24 17:46:11.000000000 +1200 @@ -100,16 +100,16 @@ // shuffle the remaining entries to fill the new gap. for (; index < size_ - 1; index++) theList_[index] = theList_[index + 1]; - theList_[size_-1] = NULL; + theList_[--size_] = NULL; if (parent_) { parent_->noteConnectionRemoved(); - - if (--size_ == 0) { + if (size_ == 0) { debugs(48, 3, HERE << "deleting " << hashKeyStr(&hash)); delete this; } } + return true; } 
@@ -120,37 +120,38 @@ if (n < 1) { debugs(48, 2, HERE << "Nothing to do."); return; - } else if (n < (size_t)count()) { + } else if (n >= (size_t)size_) { debugs(48, 2, HERE << "Closing all entries."); - while (size_ >= 0) { - const Comm::ConnectionPointer &conn = theList_[--size_]; + while (size_ > 0) { + const Comm::ConnectionPointer conn = theList_[--size_]; theList_[size_] = NULL; clearHandlers(conn); conn->close(); if (parent_) parent_->noteConnectionRemoved(); } - } else { + } else { //if (n < size_) debugs(48, 2, HERE << "Closing " << n << " of " << size_ << " entries."); - size_t index = 0; + size_t index; // ensure the first N entries are closed - while (index < n) { - const Comm::ConnectionPointer &conn = theList_[--size_]; - theList_[size_] = NULL; + for (index = 0; index < n; index++) { + const Comm::ConnectionPointer conn = theList_[index]; + theList_[index] = NULL; clearHandlers(conn); conn->close(); if (parent_) parent_->noteConnectionRemoved(); } // shuffle the list N down. - for (; index < (size_t)size_; index++) { - theList_[index - n] = theList_[index]; + for (index = 0; index < (size_t)size_ - n; index++) { + theList_[index] = theList_[index + n]; } // ensure the last N entries are unset - while (index < ((size_t)size_) + n) { - theList_[index] = NULL; + while (index < ((size_t)size_)) { + theList_[index++] = NULL; } + size_ -= n; } if (parent_ && size_ == 0) { @@ -188,7 +189,7 @@ AsyncCall::Pointer readCall = commCbCall(5,4, "IdleConnList::Read", CommIoCbPtrFun(IdleConnList::Read, this)); comm_read(conn, fakeReadBuf_, sizeof(fakeReadBuf_), readCall); - AsyncCall::Pointer timeoutCall = commCbCall(5,4, "IdleConnList::Read", + AsyncCall::Pointer timeoutCall = commCbCall(5,4, "IdleConnList::Timeout", CommTimeoutCbPtrFun(IdleConnList::Timeout, this)); commSetConnTimeout(conn, Config.Timeout.pconn, timeoutCall); } 
@@ -202,8 +203,10 @@ // this flag is set while our early-read/close handler is // waiting for a remote response. It gets unset when the // handler is scheduled. - if (!fd_table[theList_[i]->fd].flags.read_pending) - continue; + //The following check is disabled for now until we have a + // correct implementation of the read_pending flag + //if (!fd_table[theList_[i]->fd].flags.read_pending) + // continue; // connection already closed. useless. if (!Comm::IsConnOpen(theList_[i])) @@ -213,6 +216,7 @@ Comm::ConnectionPointer result = theList_[i]; /* may delete this */ removeAt(i); + clearHandlers(result); return result; } @@ -242,8 +246,10 @@ // this flag is set while our early-read/close handler is // waiting for a remote response. It gets unset when the // handler is scheduled. - if (!fd_table[theList_[i]->fd].flags.read_pending) - continue; + //The following check is disabled for now until we have a + // correct implementation of the read_pending flag + //if (!fd_table[theList_[i]->fd].flags.read_pending) + // continue; // connection already closed. useless. if (!Comm::IsConnOpen(theList_[i])) @@ -261,6 +267,7 @@ Comm::ConnectionPointer result = theList_[i]; /* may delete this */ removeAt(i); + clearHandlers(result); return result; } @@ -296,6 +303,7 @@ debugs(48, 3, HERE << io.conn); IdleConnList *list = static_cast(io.data); int index = list->findIndexOf(io.conn); + assert(index>=0); if (index >= 0) { /* might delete list */ list->removeAt(index); diff -u -r -N squid-3.2.0.9/src/peer_select.cc squid-3.2.0.10/src/peer_select.cc --- squid-3.2.0.9/src/peer_select.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/peer_select.cc 2011-07-24 17:46:11.000000000 +1200 
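Review bot: `clearHandlers(result);` is added after `removeAt(i);`, although the comment directly above that call says it may delete this; the `@@ -261,6 +267,7 @@` hunk adds the same ordering in the second lookup function. The removeAt() hunk earlier in this file shows `delete this` being reached when `parent_` is set and `size_` drops to 0, so the added line can call a non-static member on an object that has already been destroyed. Swapping the two statements, `clearHandlers(result);` and then `removeAt(i);`, keeps the behaviour and removes the hazard. Both functions start outside their hunks.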
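Review bot: In the read callback the added `assert(index>=0);` makes the `if (index >= 0)` on the next line always true, so the two lines now disagree about whether a connection missing from the list is survivable. If a read event can still be delivered for a connection that has already left the list (I cannot confirm that from this hunk), the assertion turns a harmless event into a process abort; in that case keep the `if` and replace the assertion with a `debugs(48, 2, ...)` line. Otherwise drop the `if` and keep the assertion. The callback body starts and ends outside the hunk.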
@@ -171,22 +171,22 @@ } static void -peerCheckNeverDirectDone(int answer, void *data) +peerCheckNeverDirectDone(allow_t answer, void *data) { ps_state *psstate = (ps_state *) data; psstate->acl_checklist = NULL; debugs(44, 3, "peerCheckNeverDirectDone: " << answer); - psstate->never_direct = answer ? 1 : -1; + psstate->never_direct = answer; peerSelectFoo(psstate); } static void -peerCheckAlwaysDirectDone(int answer, void *data) +peerCheckAlwaysDirectDone(allow_t answer, void *data) { ps_state *psstate = (ps_state *)data; psstate->acl_checklist = NULL; debugs(44, 3, "peerCheckAlwaysDirectDone: " << answer); - psstate->always_direct = answer ? 1 : -1; + psstate->always_direct = answer; peerSelectFoo(psstate); } 
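Review bot: Storing `answer` unchanged in `psstate->never_direct` and `psstate->always_direct` lets these callbacks write back `ACCESS_DUNNO`, which is also the not-checked-yet value that the constructor now sets and that peerSelectFoo() tests before starting a check (both later in this diff). The old `answer ? 1 : -1` could never store that sentinel. If the ACL engine can deliver `ACCESS_DUNNO` to a callback (not visible here), peerSelectFoo() would start the same check again on each re-entry. Mapping the result explicitly, `psstate->never_direct = (answer == ACCESS_ALLOWED) ? ACCESS_ALLOWED : ACCESS_DENIED;` and likewise for `always_direct`, keeps the state machine terminating.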
@@ -209,12 +209,21 @@ psstate->callback = NULL; if (psstate->paths->size() < 1) { - debugs(44, DBG_IMPORTANT, "Failed to select source for '" << psstate->entry->url() << "'" ); - debugs(44, DBG_IMPORTANT, " always_direct = " << psstate->always_direct ); - debugs(44, DBG_IMPORTANT, " never_direct = " << psstate->never_direct ); - debugs(44, DBG_IMPORTANT, " timedout = " << psstate->ping.timedout ); + debugs(44, DBG_IMPORTANT, "Failed to select source for '" << psstate->entry->url() << "'"); + debugs(44, DBG_IMPORTANT, " always_direct = " << psstate->always_direct); + debugs(44, DBG_IMPORTANT, " never_direct = " << psstate->never_direct); + debugs(44, DBG_IMPORTANT, " timedout = " << psstate->ping.timedout); } else { - debugs(44, 2, "Found IP destination for: " << psstate->entry->url() << "'"); + debugs(44, 2, "Found sources for '" << psstate->entry->url() << "'"); + debugs(44, 2, " always_direct = " << psstate->always_direct); + debugs(44, 2, " never_direct = " << psstate->never_direct); + for (size_t i = 0; i < psstate->paths->size(); i++) { + if ((*psstate->paths)[i]->peerType == HIER_DIRECT) + debugs(44, 2, " DIRECT = " << (*psstate->paths)[i]); + else + debugs(44, 2, " cache_peer = " << (*psstate->paths)[i]); + } + debugs(44, 2, " timedout = " << psstate->ping.timedout); } psstate->ping.stop = current_time; @@ -266,6 +275,7 @@ else p->remote.SetPort(psstate->request->port); p->peerType = fs->code; + p->setPeer(fs->_peer); // check for a configured outgoing address for this destination... getOutgoingAddress(psstate->request, p); @@ -336,7 +346,7 @@ /** If we don't known whether DIRECT is permitted ... */ if (ps->direct == DIRECT_UNKNOWN) { - if (ps->always_direct == 0 && Config.accessList.AlwaysDirect) { + if (ps->always_direct == ACCESS_DUNNO && Config.accessList.AlwaysDirect) { /** check always_direct; */ ps->acl_checklist = new ACLFilledChecklist( Config.accessList.AlwaysDirect, 
@@ -344,10 +354,10 @@ NULL); /* ident */ ps->acl_checklist->nonBlockingCheck(peerCheckAlwaysDirectDone, ps); return; - } else if (ps->always_direct > 0) { + } else if (ps->always_direct == ACCESS_ALLOWED) { /** if always_direct says YES, do that. */ ps->direct = DIRECT_YES; - } else if (ps->never_direct == 0 && Config.accessList.NeverDirect) { + } else if (ps->never_direct == ACCESS_DUNNO && Config.accessList.NeverDirect) { /** check never_direct; */ ps->acl_checklist = new ACLFilledChecklist( Config.accessList.NeverDirect, @@ -356,7 +366,7 @@ ps->acl_checklist->nonBlockingCheck(peerCheckNeverDirectDone, ps); return; - } else if (ps->never_direct > 0) { + } else if (ps->never_direct == ACCESS_ALLOWED) { /** if always_direct says NO, do that. */ ps->direct = DIRECT_NO; } else if (request->flags.no_direct) { @@ -417,7 +427,7 @@ peerSelectDnsPaths(ps); } -int peerAllowedToUse(const peer * p, HttpRequest * request); +bool peerAllowedToUse(const peer * p, HttpRequest * request); /** * peerSelectPinned @@ -584,14 +594,12 @@ if (ps->direct == DIRECT_YES) return; - if ((p = getDefaultParent(request))) { - code = DEFAULT_PARENT; + if ((p = peerSourceHashSelectParent(request))) { + code = SOURCEHASH_PARENT; #if USE_AUTH } else if ((p = peerUserHashSelectParent(request))) { code = USERHASH_PARENT; #endif - } else if ((p = peerSourceHashSelectParent(request))) { - code = SOURCEHASH_PARENT; } else if ((p = carpSelectParent(request))) { code = CARP; } else if ((p = getRoundRobinParent(request))) { @@ -600,8 +608,8 @@ code = ROUNDROBIN_PARENT; } else if ((p = getFirstUpParent(request))) { code = FIRSTUP_PARENT; - } else if ((p = getAnyParent(request))) { - code = ANY_OLD_PARENT; + } else if ((p = getDefaultParent(request))) { + code = DEFAULT_PARENT; } if (code != HIER_NONE) { 
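Review bot: In the `@@ -356,7 +366,7 @@` hunk the comment `/** if always_direct says NO, do that. */` sits on the branch that now tests `ps->never_direct == ACCESS_ALLOWED`, so it names the wrong directive and the wrong answer. Since the condition above it is being rewritten anyway, I would correct the comment to `/** if never_direct says YES, do that. */`. With the three-state `allow_t` in use it also helps to say in that comment that only an explicit allow forces `DIRECT_NO`.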
@@ -857,8 +865,8 @@ ps_state::ps_state() : request (NULL), entry (NULL), - always_direct (0), - never_direct (0), + always_direct(ACCESS_DUNNO), + never_direct(ACCESS_DUNNO), direct (0), callback (NULL), callback_data (NULL), diff -u -r -N squid-3.2.0.9/src/PeerSelectState.h squid-3.2.0.10/src/PeerSelectState.h --- squid-3.2.0.9/src/PeerSelectState.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/PeerSelectState.h 2011-07-24 17:46:11.000000000 +1200 @@ -33,6 +33,7 @@ #ifndef SQUID_PEERSELECTSTATE_H #define SQUID_PEERSELECTSTATE_H +#include "acl/Checklist.h" #include "Array.h" #include "cbdata.h" #include "comm/forward.h" @@ -73,9 +74,9 @@ ps_state(); HttpRequest *request; StoreEntry *entry; - int always_direct; - int never_direct; - int direct; + allow_t always_direct; + allow_t never_direct; + int direct; // TODO: fold always_direct/never_direct/prefer_direct into this now that ACL can do a multi-state result. PSC *callback; void *callback_data; diff -u -r -N squid-3.2.0.9/src/ProtoPort.h squid-3.2.0.10/src/ProtoPort.h --- squid-3.2.0.9/src/ProtoPort.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/ProtoPort.h 2011-07-24 17:46:11.000000000 +1200 @@ -29,6 +29,7 @@ unsigned int allow_direct:1; /**< Allow direct forwarding in accelerator mode */ unsigned int vhost:1; /**< uses host header */ unsigned int sslBump:1; /**< intercepts CONNECT requests */ + unsigned int actAsOrigin:1; ///< update replies to conform with RFC 2616 unsigned int ignore_cc:1; /**< Ignore request Cache-Control directives */ int vport; /* virtual port support, -1 for dynamic, >0 static*/ diff -u -r -N squid-3.2.0.9/src/protos.h squid-3.2.0.10/src/protos.h --- squid-3.2.0.9/src/protos.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/protos.h 2011-07-24 17:46:11.000000000 +1200 
@@ -219,13 +219,6 @@ SQUIDCEXTERN int httpAnonHdrDenied(http_hdr_type hdr_id); SQUIDCEXTERN const char *httpMakeVaryMark(HttpRequest * request, HttpReply const * reply); -/* ETag */ -SQUIDCEXTERN int etagParseInit(ETag * etag, const char *str); -/// whether etags are strong-equal -SQUIDCEXTERN bool etagIsStrongEqual(const ETag &tag1, const ETag &tag2); -/// whether etags are weak-equal -SQUIDCEXTERN bool etagIsWeakEqual(const ETag &tag1, const ETag &tag2); - #include "HttpStatusCode.h" SQUIDCEXTERN const char *httpStatusString(http_status status); @@ -367,7 +360,6 @@ SQUIDCEXTERN peer *getWeightedRoundRobinParent(HttpRequest * request); SQUIDCEXTERN void peerClearRRStart(void); SQUIDCEXTERN void peerClearRR(void); -SQUIDCEXTERN peer *getAnyParent(HttpRequest * request); SQUIDCEXTERN lookup_t peerDigestLookup(peer * p, HttpRequest * request); SQUIDCEXTERN peer *neighborsDigestSelect(HttpRequest * request); SQUIDCEXTERN void peerNoteDigestLookup(HttpRequest * request, peer * p, lookup_t lookup); @@ -669,7 +661,7 @@ SQUIDCEXTERN void cacheDigestGuessStatsReport(const cd_guess_stats * stats, StoreEntry * sentry, const char *label); SQUIDCEXTERN void cacheDigestReport(CacheDigest * cd, const char *label, StoreEntry * e); -SQUIDCEXTERN void internalStart(HttpRequest *, StoreEntry *); +SQUIDCEXTERN void internalStart(const Comm::ConnectionPointer &clientConn, HttpRequest *, StoreEntry *); SQUIDCEXTERN int internalCheck(const char *urlpath); SQUIDCEXTERN int internalStaticCheck(const char *urlpath); SQUIDCEXTERN char *internalLocalUri(const char *dir, const char *name); @@ -697,7 +689,7 @@ * prototypes for system functions missing from system includes */ -#ifdef _SQUID_SOLARIS_ +#if _SQUID_SOLARIS_ SQUIDCEXTERN int getrusage(int, struct rusage *); SQUIDCEXTERN int getpagesize(void); 
@@ -727,7 +719,7 @@ SQUIDCEXTERN void WIN32_RemoveService(void); SQUIDCEXTERN int SquidMain(int, char **); #endif /* _SQUID_WINDOWS_ */ -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ SQUIDCEXTERN int WIN32_pipe(int[2]); diff -u -r -N squid-3.2.0.9/src/snmp_core.cc squid-3.2.0.10/src/snmp_core.cc --- squid-3.2.0.9/src/snmp_core.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/snmp_core.cc 2011-07-24 17:46:11.000000000 +1200 @@ -444,7 +444,12 @@ u_char *Community; u_char *buf = rq->buf; int len = rq->len; - int allow = 0; + allow_t allow = ACCESS_DENIED; + + if (!Config.accessList.snmp) { + debugs(49, DBG_IMPORTANT, "WARNING: snmp_access not configured. agent query DENIED from : " << rq->from); + return; + } debugs(49, 5, HERE << "Called."); PDU = snmp_pdu_create(0); 
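Review bot: The new `snmp_access not configured` warning in snmp_core.cc is written at `DBG_IMPORTANT` for every datagram that reaches this function, and the next hunk raises both rejection messages to the same level. These requests are not yet authorised at this point, so any sender that can reach the agent can add one cache.log line per packet. I would warn once for the unconfigured case, since that state cannot change without a reconfigure, and keep the per-request line at a higher debug level such as `debugs(49, 2, ...)`. The function body continues past this hunk.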
@@ -454,25 +459,26 @@ /* Check if we have explicit permission to access SNMP data. * default (set above) is to deny all */ - if (Community && Config.accessList.snmp) { + if (Community) { ACLFilledChecklist checklist(Config.accessList.snmp, NULL, NULL); checklist.src_addr = rq->from; checklist.snmp_community = (char *) Community; allow = checklist.fastCheck(); - } - if ((snmp_coexist_V2toV1(PDU)) && (Community) && (allow)) { - rq->community = Community; - rq->PDU = PDU; - debugs(49, 5, "snmpAgentParse: reqid=[" << PDU->reqid << "]"); - snmpConstructReponse(rq); + if (allow == ACCESS_ALLOWED && (snmp_coexist_V2toV1(PDU))) { + rq->community = Community; + rq->PDU = PDU; + debugs(49, 5, "snmpAgentParse: reqid=[" << PDU->reqid << "]"); + snmpConstructReponse(rq); + } else { + debugs(49, DBG_IMPORTANT, "WARNING: SNMP agent query DENIED from : " << rq->from); + } + xfree(Community); + } else { - debugs(49, 1, HERE << "Failed SNMP agent query from : " << rq->from); + debugs(49, DBG_IMPORTANT, "WARNING: Failed SNMP agent query from : " << rq->from); snmp_free_pdu(PDU); } - - if (Community) - xfree(Community); } /* diff -u -r -N squid-3.2.0.9/src/squid.h squid-3.2.0.10/src/squid.h --- squid-3.2.0.9/src/squid.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/squid.h 2011-07-24 17:46:11.000000000 +1200 @@ -34,7 +34,7 @@ #include "config.h" -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ /** \cond AUTODOCS-IGNORE */ using namespace Squid; /** \endcond */ diff -u -r -N squid-3.2.0.9/src/ssl/certificate_db.cc squid-3.2.0.10/src/ssl/certificate_db.cc --- squid-3.2.0.9/src/ssl/certificate_db.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/ssl/certificate_db.cc 2011-07-24 17:46:11.000000000 +1200 @@ -36,7 +36,7 @@ Ssl::FileLocker::~FileLocker() { -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ if (hFile != INVALID_HANDLE_VALUE) { UnlockFile(hFile, 0, 0, 1, 0); CloseHandle(hFile); 
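Review bot: In the new `if (Community)` branch the rejection path only logs, and `snmp_free_pdu(PDU)` is now reached only when `Community` is NULL. The old code freed the PDU on every rejection, so each query that is denied by `snmp_access` or fails `snmp_coexist_V2toV1()` now leaves its PDU allocated, on a path any sender with a parseable request can repeat. Add `snmp_free_pdu(PDU);` after the DENIED `debugs()` line in the inner `else`. This assumes the allowed path hands the PDU to snmpConstructReponse() for release, which is outside the hunk.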
@@ -258,14 +258,14 @@ std::string cert_full(db_path + "/" + cert_dir); std::string size_full(db_path + "/" + size_file); -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ if (mkdir(db_path.c_str())) #else if (mkdir(db_path.c_str(), 0777)) #endif throw std::runtime_error("Cannot create " + db_path); -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ if (mkdir(cert_full.c_str())) #else if (mkdir(cert_full.c_str(), 0777)) diff -u -r -N squid-3.2.0.9/src/ssl/certificate_db.h squid-3.2.0.10/src/ssl/certificate_db.h --- squid-3.2.0.9/src/ssl/certificate_db.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/ssl/certificate_db.h 2011-07-24 17:46:11.000000000 +1200 @@ -22,7 +22,7 @@ /// Unlock file ~FileLocker(); private: -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ HANDLE hFile; ///< Windows file handle. #else int fd; ///< Linux file descriptor. diff -u -r -N squid-3.2.0.9/src/ssl/ErrorDetail.cc squid-3.2.0.10/src/ssl/ErrorDetail.cc --- squid-3.2.0.9/src/ssl/ErrorDetail.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/ssl/ErrorDetail.cc 2011-07-24 17:46:11.000000000 +1200 @@ -16,8 +16,10 @@ SslErrors TheSslErrors; static SslErrorEntry TheSslErrorArray[] = { + {SQUID_X509_V_ERR_DOMAIN_MISMATCH, + "SQUID_X509_V_ERR_DOMAIN_MISMATCH"}, {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, - "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT"}, + "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT"}, {X509_V_ERR_UNABLE_TO_GET_CRL, "X509_V_ERR_UNABLE_TO_GET_CRL"}, {X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, diff -u -r -N squid-3.2.0.9/src/ssl/Makefile.am squid-3.2.0.10/src/ssl/Makefile.am --- squid-3.2.0.9/src/ssl/Makefile.am 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/ssl/Makefile.am 2011-07-24 17:46:11.000000000 +1200 
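Review bot: Both `mkdir(db_path.c_str(), 0777)` and `mkdir(cert_full.c_str(), 0777)` on the non-Windows side of this hunk create the certificate database directories with a mode restricted only by the process umask. This store presumably holds the generated certificates and their keys, so I would not depend on the caller's umask and would create it owner-only: `if (mkdir(db_path.c_str(), 0700))` and `if (mkdir(cert_full.c_str(), 0700))`. The commit itself only switches `#ifdef` to `#if` here, and the function starts and ends outside the hunk.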
@@ -6,7 +6,10 @@ EXTRA_PROGRAMS = \ ssl_crtd -EXTRA_DIST = stub_libsslsquid.cc stub_libsslutil.cc +EXTRA_DIST = \ + stub_libsslsquid.cc \ + stub_libsslutil.cc \ + ssl_crtd.8 if USE_SSL_CRTD SSL_CRTD = ssl_crtd diff -u -r -N squid-3.2.0.9/src/ssl/Makefile.in squid-3.2.0.10/src/ssl/Makefile.in --- squid-3.2.0.9/src/ssl/Makefile.in 2011-06-18 20:16:24.000000000 +1200 +++ squid-3.2.0.10/src/ssl/Makefile.in 2011-07-24 17:47:11.000000000 +1200 @@ -332,7 +332,11 @@ COMPAT_LIB = -L$(top_builddir)/compat -lcompat-squid $(LIBPROFILER) subst_perlshell = sed -e 's,[@]PERL[@],$(PERL),g' <$(srcdir)/$@.pl.in >$@ || ($(RM) -f $@ ; exit 1) noinst_LTLIBRARIES = libsslsquid.la libsslutil.la -EXTRA_DIST = stub_libsslsquid.cc stub_libsslutil.cc +EXTRA_DIST = \ + stub_libsslsquid.cc \ + stub_libsslutil.cc \ + ssl_crtd.8 + @USE_SSL_CRTD_FALSE@SSL_CRTD = @USE_SSL_CRTD_TRUE@SSL_CRTD = ssl_crtd @USE_SSL_CRTD_FALSE@SSL_CRTD_SOURCE = diff -u -r -N squid-3.2.0.9/src/ssl/ssl_crtd.8 squid-3.2.0.10/src/ssl/ssl_crtd.8 --- squid-3.2.0.9/src/ssl/ssl_crtd.8 1970-01-01 12:00:00.000000000 +1200 +++ squid-3.2.0.10/src/ssl/ssl_crtd.8 2011-07-24 17:46:11.000000000 +1200 
@@ -0,0 +1,169 @@ +.if !'po4a'hide' .TH ssl_crtd 8 +. +.SH NAME +.if !'po4a'hide' .B ssl_crtd +.if !'po4a'hide' \- +SSL certificate generator. +.PP +Version 1.0 +. +.SH SYNOPSIS +.if !'po4a'hide' .B ssl_crtd +.if !'po4a'hide' .B [\-dhv] +. +.if !'po4a'hide' .B ssl_crtd +.if !'po4a'hide' .B "[\-d] -s " +directory +.if !'po4a'hide' .B [\-M +size +.if !'po4a'hide' .B ] +. +.if !'po4a'hide' .B ssl_crtd +.if !'po4a'hide' .B "[\-d] \-c \-s " +directory +.if !'po4a'hide' .B [\-n] +serial number +. +.if !'po4a'hide' .B ssl_crtd +.if !'po4a'hide' .B "[\-d] \-g \-s " +directory +. +.SH DESCRIPTION +.B ssl_crtd +is an installed binary. +.PP +Because the generation and signing of SSL certificates takes time +Squid must use external process to handle the work. +. +This process generates new SSL certificates and uses a disk cache of certificatess +to improve response times on repeated requests. +Communication occurs via TCP sockets bound to the loopback interface. +. +.SH OPTIONS +.if !'po4a'hide' .TP 12 +.if !'po4a'hide' .B \-b fs_block_size +File system block size in bytes. Needed for processing natural size of certificate on disk. +Default value is 2048 bytes. +. +.if !'po4a'hide' .TP +.if !'po4a'hide' .B \-c +Initialize the SSL storage database and exit. +Requires the +.B -s +option to determine the storage location being created. +. +.if !'po4a'hide' .TP +.if !'po4a'hide' .B \-d +Write debug info to stderr. +. +.if !'po4a'hide' .TP +.if !'po4a'hide' .B \-g +Display the current serial number using stderr and exit. +Requires +.B \-s +option to determine which storage directory the serial is located in. +. +.if !'po4a'hide' .TP +.if !'po4a'hide' .B \-h +Display the binary help and command line syntax info using stderr. +. +.if !'po4a'hide' .TP +.if !'po4a'hide' .B \-s directory +Directory path of disk storage for new SSL certificates. +. +.if !'po4a'hide' .TP +.if !'po4a'hide' .B \-M size +Maximum size of SSL certificate disk storage. +. 
+.if !'po4a'hide' .TP +.if !'po4a'hide' .B \-n serial number +HEX +.B "serial number " +to use when initializing an SSL storage database. +The default value of serial number is the number of seconds since Epoch minus 1200000000. +. +.if !'po4a'hide' .TP +.if !'po4a'hide' .B \-v +Display the binary version details using stderr. +. +.SH KNOWN ISSUES +.PP +The version 1.0 of this helper will not add chained intermediate CA certificates. +The client must have a full chain of trust from the root CA all the way +down to the end certificate generated by this program. +. +Signing with an intermediate CA needs to install both the +root and the intermediate public CA on the clients. +. +.SH CONFIGURATION +.PP +Before this helper can be used the storage area for new certificates must be initialized manually. +This is done from the command line using the +.B \-c +parameters. +. +.PP +For example: +.if !'po4a'hide' .RS +.if !'po4a'hide' .B ssl_crtd -c -s /var/lib/ssl_db +.if !'po4a'hide' .RE +. +.PP +For simple configuration the helper defaults can be used. +Only HTTP listening port options are required to enable generation and set the signign CA certificate. +For Example: +.if !'po4a'hide' .RS +.if !'po4a'hide' .B http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/www.sample.com.pem +.if !'po4a'hide' .RE +. +.PP +For more customized configuration the helper certificate storage directory location and size can be altered with the +.B sslcrtd_program +configuration directive. +For example: +.if !'po4a'hide' .RS +.if !'po4a'hide' .B sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB +.if !'po4a'hide' . +.if !'po4a'hide' .B sslcrtd_children 5 +.if !'po4a'hide' .RE +. +.SH AUTHOR +This program was written by +.if !'po4a'hide' .I Christos Tsantilas +.PP +This manual was written by +.if !'po4a'hide' .I Christos Tsantilas +.if !'po4a'hide' .I Amos Jeffries +. 
+.SH COPYRIGHT +This program and documentation is copyright to the authors named above. +.PP +Distributed under the GNU General Public License (GNU GPL) version 2 or later (GPLv2+). +. +.SH QUESTIONS +Questions on the usage of this program can be sent to the +.I Squid Users mailing list +.if !'po4a'hide' +. +.SH REPORTING BUGS +Bug reports need to be made in English. +See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report. +.PP +Report bugs or bug fixes using http://bugs.squid-cache.org/ +.PP +Report serious security bugs to +.I Squid Bugs +.PP +Report ideas for new improvements to the +.I Squid Developers mailing list +.if !'po4a'hide' +. +.SH SEE ALSO +.if !'po4a'hide' .BR squid "(8), " +.if !'po4a'hide' .BR GPL "(7), " +.br +The Squid FAQ wiki +.if !'po4a'hide' http://wiki.squid-cache.org/SquidFaq +.br +The Squid Configuration Manual +.if !'po4a'hide' http://www.squid-cache.org/Doc/config/ diff -u -r -N squid-3.2.0.9/src/ssl/ssl_crtd.cc squid-3.2.0.10/src/ssl/ssl_crtd.cc --- squid-3.2.0.9/src/ssl/ssl_crtd.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/ssl/ssl_crtd.cc 2011-07-24 17:46:11.000000000 +1200 @@ -242,7 +242,7 @@ throw std::runtime_error("Cannot write ssl certificate or/and private key to memory."); Ssl::CrtdMessage response_message; - response_message.setCode("ok"); + response_message.setCode("OK"); response_message.setBody(bufferToWrite); // Use the '\1' char as end-of-message character diff -u -r -N squid-3.2.0.9/src/ssl/support.cc squid-3.2.0.10/src/ssl/support.cc --- squid-3.2.0.9/src/ssl/support.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/ssl/support.cc 2011-07-24 17:46:11.000000000 +1200 
@@ -204,14 +204,16 @@ static int ssl_verify_cb(int ok, X509_STORE_CTX * ctx) { - char buffer[256]; + // preserve original ctx->error before SSL_ calls can overwrite it + Ssl::ssl_error_t error_no = ok ? SSL_ERROR_NONE : ctx->error; + + char buffer[256] = ""; SSL *ssl = (SSL *)X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); SSL_CTX *sslctx = SSL_get_SSL_CTX(ssl); const char *server = (const char *)SSL_get_ex_data(ssl, ssl_ex_index_server); void *dont_verify_domain = SSL_CTX_get_ex_data(sslctx, ssl_ctx_ex_index_dont_verify_domain); ACLChecklist *check = (ACLChecklist*)SSL_get_ex_data(ssl, ssl_ex_index_cert_error_check); X509 *peer_cert = ctx->cert; - Ssl::ssl_error_t error_no = SSL_ERROR_NONE; X509_NAME_oneline(X509_get_subject_name(peer_cert), buffer, sizeof(buffer)); 
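Review bot: The added initialiser in ssl_verify_cb() reads the structure field `ctx->error` directly, where OpenSSL offers an accessor for it. Using `Ssl::ssl_error_t error_no = ok ? SSL_ERROR_NONE : X509_STORE_CTX_get_error(ctx);` keeps the callback independent of the X509_STORE_CTX layout. The comment above it could also say that the value is captured first because `ok` and `error_no` may both be rewritten later in the function by the domain check and the ACL bypass. The function continues in the next hunk.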
@@ -226,34 +228,30 @@ debugs(83, 2, "SQUID_X509_V_ERR_DOMAIN_MISMATCH: Certificate " << buffer << " does not match domainname " << server); ok = 0; error_no = SQUID_X509_V_ERR_DOMAIN_MISMATCH; - - if (check) - Filled(check)->ssl_error = SQUID_X509_V_ERR_DOMAIN_MISMATCH; } } - } else { - error_no = ctx->error; - if (const char *err_descr = Ssl::GetErrorDescr(ctx->error)) + } + + if (!ok) { + if (const char *err_descr = Ssl::GetErrorDescr(error_no)) debugs(83, 5, err_descr << ": " << buffer); else - debugs(83, 1, "SSL unknown certificate error " << ctx->error << " in " << buffer); + debugs(83, DBG_IMPORTANT, "SSL unknown certificate error " << error_no << " in " << buffer); - if (check) - Filled(check)->ssl_error = ctx->error; - } - - if (!ok && check) { - if (check->fastCheck()) { - debugs(83, 3, "bypassing SSL error " << ctx->error << " in " << buffer); - ok = 1; - } else { - debugs(83, 5, "confirming SSL error " << ctx->error); + if (check) { + Filled(check)->ssl_error = error_no; + if (check->fastCheck() == ACCESS_ALLOWED) { + debugs(83, 3, "bypassing SSL error " << error_no << " in " << buffer); + ok = 1; + } else { + debugs(83, 5, "confirming SSL error " << error_no); + } } } if (!dont_verify_domain && server) {} - if (error_no != SSL_ERROR_NONE && !SSL_get_ex_data(ssl, ssl_ex_index_ssl_error_detail) ) { + if (!ok && !SSL_get_ex_data(ssl, ssl_ex_index_ssl_error_detail) ) { Ssl::ErrorDetail *errDetail = new Ssl::ErrorDetail(error_no, peer_cert); if (!SSL_set_ex_data(ssl, ssl_ex_index_ssl_error_detail, errDetail)) { debugs(83, 2, "Failed to set Ssl::ErrorDetail in ssl_verify_cb: Certificate " << buffer); diff -u -r -N squid-3.2.0.9/src/ssl/support.h squid-3.2.0.10/src/ssl/support.h --- squid-3.2.0.9/src/ssl/support.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/ssl/support.h 2011-07-24 17:46:11.000000000 +1200 
@@ -153,9 +153,9 @@ bool setClientSNI(SSL *ssl, const char *fqdn); } //namespace Ssl -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ -#ifdef __cplusplus +#if defined(__cplusplus) /** \cond AUTODOCS-IGNORE */ namespace Squid diff -u -r -N squid-3.2.0.9/src/store.cc squid-3.2.0.10/src/store.cc --- squid-3.2.0.9/src/store.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/store.cc 2011-07-24 17:46:11.000000000 +1200 @@ -36,6 +36,7 @@ #include "squid.h" #include "CacheManager.h" #include "comm/Connection.h" +#include "ETag.h" #include "event.h" #include "fde.h" #include "Store.h" @@ -1447,7 +1448,9 @@ void StoreEntry::negativeCache() { - if (expires == 0) + // XXX: should make the default for expires 0 instead of -1 + // so we can distinguish "Expires: -1" from nothing. + if (expires <= 0) #if USE_HTTP_VIOLATIONS expires = squid_curtime + Config.negativeTtl; #else diff -u -r -N squid-3.2.0.9/src/store_dir.cc squid-3.2.0.10/src/store_dir.cc --- squid-3.2.0.9/src/store_dir.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/store_dir.cc 2011-07-24 17:46:11.000000000 +1200 @@ -106,7 +106,7 @@ * The following is a workaround for create store directories sequentially * when running on native Windows port. */ -#ifndef _SQUID_MSWIN_ +#if !_SQUID_MSWIN_ if (fork()) return; @@ -115,7 +115,7 @@ aStore.create(); -#ifndef _SQUID_MSWIN_ +#if !_SQUID_MSWIN_ exit(0); @@ -127,13 +127,13 @@ { swapDir->create(); -#ifndef _SQUID_MSWIN_ +#if !_SQUID_MSWIN_ pid_t pid; do { int status; -#ifdef _SQUID_NEXT_ +#if _SQUID_NEXT_ pid = wait3(&status, WNOHANG, NULL); #else 
@@ -169,7 +169,10 @@ return false; // Else, make sure that the object size will fit. - return min_objsize <= objsize && max_objsize > objsize; + if (max_objsize == -1 && min_objsize <= objsize) + return true; + else + return min_objsize <= objsize && max_objsize > objsize; } diff -u -r -N squid-3.2.0.9/src/structs.h squid-3.2.0.10/src/structs.h --- squid-3.2.0.9/src/structs.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/structs.h 2011-07-24 17:46:11.000000000 +1200 @@ -659,17 +659,6 @@ FREE *free_func; }; - -/* ETag support is rudimantal; - * this struct is likely to change - * Note: "str" points to memory in HttpHeaderEntry (for now) - * so ETags should be used as tmp variables only (for now) */ - -struct _ETag { - const char *str; /* quoted-string */ - int weak; /* true if it is a weak validator */ -}; - struct _fde_disk { DWCB *wrt_handle; void *wrt_handle_data; @@ -722,14 +711,6 @@ String other; }; -/* some fields can hold either time or etag specs (e.g. If-Range) */ - -struct _TimeOrTag { - ETag tag; /* entity tag */ - time_t time; - int valid; /* true if struct is usable */ -}; - /* per field statistics */ class HttpHeaderFieldStat diff -u -r -N squid-3.2.0.9/src/tests/stub_icp.cc squid-3.2.0.10/src/tests/stub_icp.cc --- squid-3.2.0.9/src/tests/stub_icp.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/tests/stub_icp.cc 2011-07-24 17:46:11.000000000 +1200 
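Review bot: The two-branch return added in src/store_dir.cc repeats the `min_objsize <= objsize` test in both arms and leaves the meaning of `-1` implicit. A single expression says the same thing: `return min_objsize <= objsize && (max_objsize == -1 || max_objsize > objsize);`. Going by the ChangeLog entry for Bug 3280, `-1` appears to mean that max-size is unset, so a comment such as `// max_objsize == -1: no upper limit configured` would record that. The enclosing function starts outside the hunk.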
@@ -22,7 +22,7 @@ Ip::Address theIcpPublicHostID; HttpRequest* icpGetRequest(char *url, int reqnum, int fd, Ip::Address &from) STUB_RETVAL(NULL) -int icpAccessAllowed(Ip::Address &from, HttpRequest * icp_request) STUB_RETVAL(0) +bool icpAccessAllowed(Ip::Address &from, HttpRequest * icp_request) STUB_RETVAL(false) void icpCreateAndSend(icp_opcode, int flags, char const *url, int reqnum, int pad, int fd, const Ip::Address &from) STUB icp_opcode icpGetCommonOpcode() STUB_RETVAL(ICP_INVALID) int icpUdpSend(int, const Ip::Address &, icp_common_t *, log_type, int) STUB_RETVAL(0) diff -u -r -N squid-3.2.0.9/src/TimeOrTag.h squid-3.2.0.10/src/TimeOrTag.h --- squid-3.2.0.9/src/TimeOrTag.h 1970-01-01 12:00:00.000000000 +1200 +++ squid-3.2.0.10/src/TimeOrTag.h 2011-07-24 17:46:11.000000000 +1200 @@ -0,0 +1,17 @@ +#ifndef _SQUID_TIMEORTAG_H +#define _SQUID_TIMEORTAG_H + +#include "ETag.h" + +/** + * Some fields can hold either time or etag specs (e.g. If-Range) + */ +class TimeOrTag +{ +public: + ETag tag; /* entity tag */ + time_t time; + int valid; /* true if struct is usable */ +}; + +#endif /* _SQUID_TIMEORTAG_H */ diff -u -r -N squid-3.2.0.9/src/tools.cc squid-3.2.0.10/src/tools.cc --- squid-3.2.0.9/src/tools.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/tools.cc 2011-07-24 17:46:11.000000000 +1200 @@ -72,7 +72,7 @@ static void restoreCapabilities(int keep); int DebugSignal = -1; -#ifdef _SQUID_LINUX_ +#if _SQUID_LINUX_ /* Workaround for crappy glic header files */ SQUIDCEXTERN int backtrace(void *, int); SQUIDCEXTERN void backtrace_symbols_fd(void *, int, int); @@ -338,7 +338,7 @@ fprintf(debug_log, "FATAL: Received signal %d...dying.\n", sig); #if PRINT_STACK_TRACE -#ifdef _SQUID_HPUX_ +#if _SQUID_HPUX_ { extern void U_STACK_TRACE(void); /* link with -lcl */ fflush(debug_log); @@ -558,8 +558,8 @@ void sig_child(int sig) { -#ifndef _SQUID_MSWIN_ -#ifdef _SQUID_NEXT_ +#if !_SQUID_MSWIN_ +#if _SQUID_NEXT_ union wait status; #else 
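Review bot: The new `class TimeOrTag` in src/TimeOrTag.h has no constructor, so a default-constructed object has indeterminate `time` and `valid`, and `valid` is the very flag callers are told to test before using the other members. If nothing relies on the type staying a plain aggregate, add `TimeOrTag() : time(0), valid(0) {}`; otherwise document the obligation on the member, `int valid; /* true if struct is usable; must be set by the caller, there is no constructor */`. The header also names `time_t` while including only "ETag.h", so it depends on that header or the including file to declare it, which is worth confirming.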
@@ -569,7 +569,7 @@ pid_t pid; do { -#ifdef _SQUID_NEXT_ +#if _SQUID_NEXT_ pid = wait3(&status, WNOHANG, NULL); #else @@ -1076,7 +1076,7 @@ debugs(50, 0, "sigaction: sig=" << sig << " func=" << func << ": " << xstrerror()); #else -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ /* On Windows, only SIGINT, SIGILL, SIGFPE, SIGTERM, SIGBREAK, SIGABRT and SIGSEGV signals are supported, so we must care of don't call signal() for other value. @@ -1245,19 +1245,22 @@ int getMyPort(void) { - if (Config.Sockaddr.http) - return Config.Sockaddr.http->s.GetPort(); + if (Config.Sockaddr.http) { + // skip any special mode ports + http_port_list *p = Config.Sockaddr.http; + while (p->intercepted || p->accel || p->spoof_client_ip) + p = p->next; + if (p) + return p->s.GetPort(); + } #if USE_SSL - if (Config.Sockaddr.https) return Config.Sockaddr.https->http.s.GetPort(); - #endif - fatal("No port defined"); - - return 0; /* NOT REACHED */ + debugs(21, DBG_CRITICAL, "ERROR: No forward-proxy ports configured."); + return 0; // Invalid port. This will result in invalid URLs on bad configurations. } /* diff -u -r -N squid-3.2.0.9/src/tunnel.cc squid-3.2.0.10/src/tunnel.cc --- squid-3.2.0.9/src/tunnel.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/tunnel.cc 2011-07-24 17:46:11.000000000 +1200 @@ -136,7 +136,7 @@ tunnelServerClosed(int fd, void *data) { TunnelStateData *tunnelState = (TunnelStateData *)data; - debugs(26, 3, "tunnelServerClosed: FD " << fd); + debugs(26, 3, HERE << "FD " << fd); tunnelState->server.conn = NULL; if (tunnelState->noConnections()) { @@ -154,7 +154,7 @@ tunnelClientClosed(int fd, void *data) { TunnelStateData *tunnelState = (TunnelStateData *)data; - debugs(26, 3, "tunnelClientClosed: FD " << fd); + debugs(26, 3, HERE << "FD " << fd); tunnelState->client.conn = NULL; if (tunnelState->noConnections()) { 
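Review bot: The new loop in `getMyPort()` (src/tools.cc), `while (p->intercepted || p->accel || p->spoof_client_ip) p = p->next;`, dereferences `p` after it has walked off the end of the list. Assuming the list is NULL-terminated, as the following `if (p)` test implies, a configuration whose http ports are all intercept, accel or spoofing ports reaches a NULL dereference before that test can catch it. Test the pointer in the loop condition instead: `while (p && (p->intercepted || p->accel || p->spoof_client_ip))`. The `https` fallback below returns the first port without the same filtering. The function now also returns 0 instead of calling `fatal()`, so callers that build URLs from the result should be checked for how they treat port 0.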
@@ -171,7 +171,7 @@ static void tunnelStateFree(TunnelStateData * tunnelState) { - debugs(26, 3, "tunnelStateFree: tunnelState=" << tunnelState); + debugs(26, 3, HERE << "tunnelState=" << tunnelState); assert(tunnelState != NULL); assert(tunnelState->noConnections()); safe_free(tunnelState->url); @@ -182,7 +182,7 @@ TunnelStateData::Connection::~Connection() { - safe_free (buf); + safe_free(buf); } int @@ -199,6 +199,7 @@ void TunnelStateData::Connection::bytesIn(int const &count) { + debugs(26, 3, HERE << "len=" << len << " + count=" << count); #if USE_DELAY_POOLS delayId.bytesIn(count); #endif @@ -224,10 +225,11 @@ /* Read from server side and queue it for writing to the client */ void -TunnelStateData::ReadServer(const Comm::ConnectionPointer &, char *buf, size_t len, comm_err_t errcode, int xerrno, void *data) +TunnelStateData::ReadServer(const Comm::ConnectionPointer &c, char *buf, size_t len, comm_err_t errcode, int xerrno, void *data) { TunnelStateData *tunnelState = (TunnelStateData *)data; assert(cbdataReferenceValid(tunnelState)); + debugs(26, 3, HERE << c); tunnelState->readServer(buf, len, errcode, xerrno); } @@ -235,7 +237,7 @@ void TunnelStateData::readServer(char *buf, size_t len, comm_err_t errcode, int xerrno) { - debugs(26, 3, HERE << server.conn << ", read " << len << " bytes"); + debugs(26, 3, HERE << server.conn << ", read " << len << " bytes, err=" << errcode); /* * Bail out early on COMM_ERR_CLOSING @@ -279,7 +281,7 @@ void TunnelStateData::readClient(char *buf, size_t len, comm_err_t errcode, int xerrno) { - debugs(26, 3, HERE << client.conn << ", read " << len << " bytes"); + debugs(26, 3, HERE << client.conn << ", read " << len << " bytes, err=" << errcode); /* * Bail out early on COMM_ERR_CLOSING 
@@ -300,6 +302,8 @@ void TunnelStateData::copy (size_t len, comm_err_t errcode, int xerrno, Connection &from, Connection &to, IOCB *completion) { + debugs(26, 3, HERE << "from={" << from.conn << "}, to={" << to.conn << "}"); + /* I think this is to prevent free-while-in-a-callback behaviour * - RBC 20030229 * from.conn->close() / to.conn->close() done here trigger close callbacks which may free TunnelStateData @@ -316,6 +320,7 @@ if (errcode) from.error (xerrno); else if (len == 0 || !Comm::IsConnOpen(to.conn)) { + debugs(26, 3, HERE << "Nothing to write or client gone. Terminate the tunnel."); from.conn->close(); /* Only close the remote end if we've finished queueing data to it */ @@ -323,7 +328,8 @@ to.conn->close(); } } else if (cbdataReferenceValid(this)) { - AsyncCall::Pointer call = commCbCall(5,5, "SomeTunnelWriteHandler", + debugs(26, 3, HERE << "Schedule Write"); + AsyncCall::Pointer call = commCbCall(5,5, "TunnelBlindCopyWriteHandler", CommIoCbPtrFun(completion, this)); Comm::Write(to.conn, from.buf, len, call, NULL); } @@ -344,17 +350,20 @@ void TunnelStateData::writeServerDone(char *buf, size_t len, comm_err_t flag, int xerrno) { - debugs(26, 3, HERE << server.conn << ", " << len << " bytes written"); + debugs(26, 3, HERE << server.conn << ", " << len << " bytes written, flag=" << flag); /* Error? */ if (flag != COMM_OK) { - if (flag != COMM_ERR_CLOSING) + if (flag != COMM_ERR_CLOSING) { + debugs(26, 4, HERE << "calling TunnelStateData::server.error(" << xerrno <<")"); server.error(xerrno); // may call comm_close + } return; } /* EOF? */ if (len == 0) { + debugs(26, 4, HERE << "No read input. Closing server connection."); server.conn->close(); return; } @@ -366,6 +375,7 @@ /* If the other end has closed, so should we */ if (!Comm::IsConnOpen(client.conn)) { + debugs(26, 4, HERE << "Client gone away. Shutting down server connection."); server.conn->close(); return; } 
@@ -391,6 +401,7 @@ void TunnelStateData::Connection::dataSent(size_t amount) { + debugs(26, 3, HERE << "len=" << len << " - amount=" << amount); assert(amount == (size_t)len); len =0; /* increment total object size */ @@ -402,17 +413,20 @@ void TunnelStateData::writeClientDone(char *buf, size_t len, comm_err_t flag, int xerrno) { - debugs(26, 3, HERE << client.conn << ", " << len << " bytes written"); + debugs(26, 3, HERE << client.conn << ", " << len << " bytes written, flag=" << flag); /* Error? */ if (flag != COMM_OK) { - if (flag != COMM_ERR_CLOSING) + if (flag != COMM_ERR_CLOSING) { + debugs(26, 4, HERE << "Closing client connection due to comm flags."); client.error(xerrno); // may call comm_close + } return; } /* EOF? */ if (len == 0) { + debugs(26, 4, HERE << "Closing client connection due to 0 byte read."); client.conn->close(); return; } @@ -423,6 +437,7 @@ /* If the other end has closed, so should we */ if (!Comm::IsConnOpen(server.conn)) { + debugs(26, 4, HERE << "Server has gone away. Terminating client connection."); client.conn->close(); return; } @@ -459,7 +474,7 @@ TunnelStateData::copyRead(Connection &from, IOCB *completion) { assert(from.len == 0); - AsyncCall::Pointer call = commCbCall(5,4, "SomeTunnelReadHandler", + AsyncCall::Pointer call = commCbCall(5,4, "TunnelBlindCopyReadHandler", CommIoCbPtrFun(completion, this)); comm_read(from.conn, from.buf, from.bytesWanted(1, SQUID_TCP_SO_RCVBUF), call); } @@ -474,6 +489,7 @@ tunnelConnectedWriteDone(const Comm::ConnectionPointer &conn, char *buf, size_t size, comm_err_t flag, int xerrno, void *data) { TunnelStateData *tunnelState = (TunnelStateData *)data; + debugs(26, 3, HERE << conn << ", flag=" << flag); if (flag != COMM_OK) { *tunnelState->status_ptr = HTTP_INTERNAL_SERVER_ERROR; 
@@ -502,9 +518,10 @@ } static void -tunnelErrorComplete(int /*const Comm::ConnectionPointer &*/, void *data, size_t) +tunnelErrorComplete(int fd/*const Comm::ConnectionPointer &*/, void *data, size_t) { TunnelStateData *tunnelState = (TunnelStateData *)data; + debugs(26, 3, HERE << "FD " << fd); assert(tunnelState != NULL); /* temporary lock to save our own feets (comm_close -> tunnelClientClosed -> Free) */ cbdataInternalLock(tunnelState); 
@@ -523,35 +540,23 @@ tunnelConnectDone(const Comm::ConnectionPointer &conn, comm_err_t status, int xerrno, void *data) { TunnelStateData *tunnelState = (TunnelStateData *)data; - HttpRequest *request = tunnelState->request; - ErrorState *err = NULL; - -#if USE_DELAY_POOLS - /* no point using the delayIsNoDelay stuff since tunnel is nice and simple */ - if (conn->getPeer() && conn->getPeer()->options.no_delay) - tunnelState->server.setDelayId(DelayId()); -#endif - - if (conn != NULL && conn->getPeer()) - hierarchyNote(&tunnelState->request->hier, conn->peerType, conn->getPeer()->host); - else if (Config.onoff.log_ip_on_direct) - hierarchyNote(&tunnelState->request->hier, conn->peerType, fd_table[conn->fd].ipaddr); - else - hierarchyNote(&tunnelState->request->hier, conn->peerType, tunnelState->getHost()); if (status != COMM_OK) { + debugs(26, 4, HERE << conn << ", comm failure recovery."); /* At this point only the TCP handshake has failed. no data has been passed. * we are allowed to re-try the TCP-level connection to alternate IPs for CONNECT. */ tunnelState->serverDestinations.shift(); if (status != COMM_TIMEOUT && tunnelState->serverDestinations.size() > 0) { /* Try another IP of this destination host */ + debugs(26, 4, HERE << "retry with : " << tunnelState->serverDestinations[0]); AsyncCall::Pointer call = commCbCall(26,3, "tunnelConnectDone", CommConnectCbPtrFun(tunnelConnectDone, tunnelState)); Comm::ConnOpener *cs = new Comm::ConnOpener(tunnelState->serverDestinations[0], call, Config.Timeout.connect); cs->setHost(tunnelState->url); AsyncJob::Start(cs); } else { - err = errorCon(ERR_CONNECT_FAIL, HTTP_SERVICE_UNAVAILABLE, request); + debugs(26, 4, HERE << "terminate with error."); + ErrorState *err = errorCon(ERR_CONNECT_FAIL, HTTP_SERVICE_UNAVAILABLE, tunnelState->request); *tunnelState->status_ptr = HTTP_SERVICE_UNAVAILABLE; err->xerrno = xerrno; // on timeout is this still: err->xerrno = ETIMEDOUT; 
@@ -563,10 +568,26 @@ return; } +#if USE_DELAY_POOLS + /* no point using the delayIsNoDelay stuff since tunnel is nice and simple */ + if (conn->getPeer() && conn->getPeer()->options.no_delay) + tunnelState->server.setDelayId(DelayId()); +#endif + + if (conn != NULL && conn->getPeer()) + hierarchyNote(&tunnelState->request->hier, conn->peerType, conn->getPeer()->name); + else if (Config.onoff.log_ip_on_direct) { + conn->remote.NtoA(fd_table[conn->fd].ipaddr,sizeof(fd_table[conn->fd].ipaddr)); + hierarchyNote(&tunnelState->request->hier, conn->peerType, fd_table[conn->fd].ipaddr); + } else + hierarchyNote(&tunnelState->request->hier, conn->peerType, tunnelState->getHost()); + + tunnelState->server.conn = conn; - request->peer_host = conn->getPeer() ? conn->getPeer()->host : NULL; + tunnelState->request->peer_host = conn->getPeer() ? conn->getPeer()->host : NULL; comm_add_close_handler(conn->fd, tunnelServerClosed, tunnelState); + debugs(26, 4, HERE << "determine post-connect handling pathway."); if (conn->getPeer()) { tunnelState->request->peer_login = conn->getPeer()->login; tunnelState->request->flags.proxying = (conn->getPeer()->options.originserver?0:1); @@ -592,10 +613,10 @@ void tunnelStart(ClientHttpRequest * http, int64_t * size_ptr, int *status_ptr) { + debugs(26, 3, HERE); /* Create state structure. */ TunnelStateData *tunnelState = NULL; ErrorState *err = NULL; - int answer; HttpRequest *request = http->request; char *url = http->uri; @@ -613,9 +634,8 @@ ACLFilledChecklist ch(Config.accessList.miss, request, NULL); ch.src_addr = request->client_addr; ch.my_addr = request->my_addr; - answer = ch.fastCheck(); - - if (answer == 0) { + if (ch.fastCheck() == ACCESS_DENIED) { + debugs(26, 4, HERE << "MISS access forbidden."); err = errorCon(ERR_FORWARDING_DENIED, HTTP_FORBIDDEN, request); *status_ptr = HTTP_FORBIDDEN; errorSend(http->getConn()->clientConnection, err); 
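Review bot: In the block moved below the status check in `tunnelConnectDone` (src/tunnel.cc), `conn` is dereferenced by `conn->getPeer()` under `USE_DELAY_POOLS` before the next statement tests `conn != NULL`. So either that test is redundant or the earlier dereference is unsafe. If a `COMM_OK` status guarantees a usable connection, drop the test and write `if (conn->getPeer())`, with a comment saying where the guarantee comes from. If it does not, the check must come first, because `conn->fd` is also used to index `fd_table` in the `log_ip_on_direct` branch and in `comm_add_close_handler`. The function begins in the previous hunk and continues past this one.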
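Review bot: The miss_access test in `tunnelStart` now reads `if (ch.fastCheck() == ACCESS_DENIED)`, which lets the CONNECT proceed for every result other than an explicit deny. If `fastCheck()` can return any value besides `ACCESS_ALLOWED` and `ACCESS_DENIED` (the visible lines do not show the full set), this check fails open, whereas the old `answer == 0` form and the certificate callback in src/ssl/support.cc in this same patch both require an explicit allow. Prefer `if (ch.fastCheck() != ACCESS_ALLOWED) {` so an undecided check is treated as forbidden. The function body continues outside the hunk.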
@@ -623,7 +643,7 @@ } } - debugs(26, 3, "tunnelStart: '" << RequestMethodStr(request->method) << " " << url << "'"); + debugs(26, 3, HERE << "'" << RequestMethodStr(request->method) << " " << url << " HTTP/" << request->http_ver << "'"); statCounter.server.all.requests++; statCounter.server.other.requests++; @@ -665,7 +685,6 @@ mb.init(); mb.Printf("CONNECT %s HTTP/1.1\r\n", tunnelState->url); HttpStateData::httpBuildRequestHeader(tunnelState->request, - tunnelState->request, NULL, /* StoreEntry */ &hdr_out, flags); /* flags */ @@ -690,6 +709,7 @@ TunnelStateData *tunnelState = (TunnelStateData *)data; if (peer_paths == NULL || peer_paths->size() < 1) { + debugs(26, 3, HERE << "No paths found. Aborting CONNECT"); ErrorState *err; err = errorCon(ERR_CANNOT_FORWARD, HTTP_SERVICE_UNAVAILABLE, tunnelState->request); *tunnelState->status_ptr = HTTP_SERVICE_UNAVAILABLE; @@ -698,6 +718,8 @@ errorSend(tunnelState->client.conn, err); return; } + debugs(26, 3, HERE << "paths=" << peer_paths->size() << ", p[0]={" << (*peer_paths)[0] << "}, serverDest[0]={" << + tunnelState->serverDestinations[0] << "}"); AsyncCall::Pointer call = commCbCall(26,3, "tunnelConnectDone", CommConnectCbPtrFun(tunnelConnectDone, tunnelState)); Comm::ConnOpener *cs = new Comm::ConnOpener(tunnelState->serverDestinations[0], call, Config.Timeout.connect); diff -u -r -N squid-3.2.0.9/src/typedefs.h squid-3.2.0.10/src/typedefs.h --- squid-3.2.0.9/src/typedefs.h 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/typedefs.h 2011-07-24 17:46:11.000000000 +1200 
@@ -60,14 +60,10 @@ typedef struct _dwrite_q dwrite_q; -typedef struct _ETag ETag; - typedef struct _fileMap fileMap; typedef struct _HttpHeaderFieldAttrs HttpHeaderFieldAttrs; -typedef struct _TimeOrTag TimeOrTag; - typedef struct _HttpHeaderStat HttpHeaderStat; typedef struct _HttpBody HttpBody; diff -u -r -N squid-3.2.0.9/src/unlinkd.cc squid-3.2.0.10/src/unlinkd.cc --- squid-3.2.0.9/src/unlinkd.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/unlinkd.cc 2011-07-24 17:46:11.000000000 +1200 @@ -142,7 +142,7 @@ void unlinkdClose(void) -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ { if (unlinkd_wfd > -1) { @@ -244,7 +244,7 @@ debugs(2, 1, "Unlinkd pipe opened on FD " << unlinkd_wfd); -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ debugs(2, 4, "Unlinkd handle: 0x" << std::hex << hIpc << std::dec << ", PID: " << pid); diff -u -r -N squid-3.2.0.9/src/win32.cc squid-3.2.0.10/src/win32.cc --- squid-3.2.0.9/src/win32.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/win32.cc 2011-07-24 17:46:11.000000000 +1200 @@ -36,7 +36,7 @@ #include "squid.h" #include "squid_windows.h" -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ #if HAVE_WIN32_PSAPI #include #endif diff -u -r -N squid-3.2.0.9/src/WinSvc.cc squid-3.2.0.10/src/WinSvc.cc --- squid-3.2.0.9/src/WinSvc.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/src/WinSvc.cc 2011-07-24 17:46:11.000000000 +1200 @@ -37,7 +37,7 @@ #include "squid.h" #include "squid_windows.h" -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ #ifndef _MSWSOCK_ #include #endif @@ -401,7 +401,7 @@ WIN32_Exit(); } -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ void WIN32_IpAddrChangeMonitorExit() { @@ -417,7 +417,7 @@ void WIN32_Exit() { -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ Win32SockCleanup(); #endif #if USE_WIN32_SERVICE @@ -430,7 +430,7 @@ } #endif -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ if (dbg_mutex) DeleteCriticalSection(dbg_mutex); 
@@ -442,7 +442,7 @@ _exit(0); } -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ static DWORD WINAPI WIN32_IpAddrChangeMonitor(LPVOID lpParam) { @@ -580,7 +580,7 @@ svcStatus.dwCheckPoint = 0; svcStatus.dwWaitHint = 10000; SetServiceStatus(svcHandle, &svcStatus); -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ _setmaxstdio(Squid_MaxFD); #endif @@ -588,7 +588,7 @@ } #endif /* USE_WIN32_SERVICE */ -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ if (Win32SockInit() < 0) return 1; @@ -964,7 +964,7 @@ } } else { WIN32_run_mode = _WIN_SQUID_RUN_MODE_INTERACTIVE; -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ opt_no_daemon = 1; diff -u -r -N squid-3.2.0.9/test-suite/refcount.cc squid-3.2.0.10/test-suite/refcount.cc --- squid-3.2.0.9/test-suite/refcount.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/test-suite/refcount.cc 2011-07-24 17:46:11.000000000 +1200 @@ -139,6 +139,8 @@ { ToRefCount anObject (new _ToRefCount); _ToRefCount *aPointer = anObject.getRaw(); + if (aPointer == NULL) + exit(3); aPointer = NULL; } /* Create a doubley inheriting refcount instance, diff -u -r -N squid-3.2.0.9/tools/cachemgr.cc squid-3.2.0.10/tools/cachemgr.cc --- squid-3.2.0.9/tools/cachemgr.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/tools/cachemgr.cc 2011-07-24 17:46:11.000000000 +1200 @@ -165,7 +165,7 @@ static int check_target_acl(const char *hostname, int port); -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ static int s_iInitCount = 0; int Win32SockInit(void) @@ -209,7 +209,7 @@ return; } -#endif /* ifdef _SQUID_MSWIN_ */ +#endif static const char * safe_str(const char *str) @@ -577,7 +577,7 @@ read_reply(int s, cachemgr_request * req) { char buf[4 * 1024]; -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ int reply; char *tmpfile = tempnam(NULL, "tmp0000"); @@ -601,7 +601,7 @@ parse_menu = 1; if (fp == NULL) { -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ perror(tmpfile); xfree(tmpfile); #else 
@@ -613,7 +613,7 @@ return 1; } -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ while ((reply=recv(s, buf , sizeof(buf), 0)) > 0) fwrite(buf, 1, reply, fp); @@ -752,7 +752,7 @@ } fclose(fp); -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ remove(tmpfile); xfree(tmpfile); @@ -867,7 +867,7 @@ cachemgr_request *req; now = time(NULL); -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ Win32SockInit(); atexit(Win32SockCleanup); @@ -975,7 +975,7 @@ else return NULL; -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ if (strlen(buf) == 0 || strlen(buf) == 4000) #else diff -u -r -N squid-3.2.0.9/tools/squidclient.cc squid-3.2.0.10/tools/squidclient.cc --- squid-3.2.0.9/tools/squidclient.cc 2011-06-18 20:13:34.000000000 +1200 +++ squid-3.2.0.10/tools/squidclient.cc 2011-07-24 17:46:11.000000000 +1200 @@ -38,7 +38,7 @@ #include "rfc1123.h" #include "SquidTime.h" -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ /** \cond AUTODOCS-IGNORE */ using namespace Squid; /** \endcond */ @@ -147,14 +147,14 @@ int total_bytes = 0; int io_timeout = 120; -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ void Win32SockCleanup(void) { WSACleanup(); return; } -#endif /* ifdef _SQUID_MSWIN_ */ +#endif static void usage(const char *progname) @@ -385,7 +385,7 @@ break; } } -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ { WSADATA wsaData; WSAStartup(2, &wsaData); @@ -644,7 +644,7 @@ if (put_file) { int x; lseek(put_fd, 0, SEEK_SET); -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ while ((x = read(put_fd, buf, sizeof(buf))) > 0) { #else @@ -664,7 +664,7 @@ } /* Read the data */ -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ setmode(1, O_BINARY); #endif @@ -676,7 +676,7 @@ perror("client: ERROR writing to stdout"); } -#ifdef _SQUID_MSWIN_ +#if _SQUID_MSWIN_ setmode(1, O_TEXT); #endif @@ -822,7 +822,7 @@ static ssize_t myread(int fd, void *buf, size_t len) { -#ifndef _SQUID_MSWIN_ +#if !_SQUID_MSWIN_ alarm(io_timeout); return read(fd, buf, len); #else 
@@ -834,7 +834,7 @@ static ssize_t mywrite(int fd, void *buf, size_t len) { -#ifndef _SQUID_MSWIN_ +#if !_SQUID_MSWIN_ alarm(io_timeout); return write(fd, buf, len); #else