------------------------------------------------------------ revno: 13860 revision-id: squid3@treenet.co.nz-20150714175121-xg8942a4cm9udpd7 parent: squid3@treenet.co.nz-20150707084254-5o2dmaumckmtqzab author: Christos Tsantilas committer: Amos Jeffries branch nick: 3.5 timestamp: Tue 2015-07-14 10:51:21 -0700 message: Splice to origin cache_peer. Currently, Squid cannot redirect intercepted connections that are subject to SslBump rules to _originserver_ cache_peer. For example, consider Squid that enforces "safe search" by redirecting clients to forcesafesearch.example.com. Consider a TLS client that tries to connect to www.example.com. Squid needs to send that client to forcesafesearch.example.com (without changing the host header and SNI information; those would still point to www.example.com for safe search to work as intended!). The admin may configure Squid to send intercepted clients to an originserver cache_peer with the forcesafesearch.example.com address. Such a configuration does not currently work together with ssl_bump peek/splice rules. This patch: * Fixes src/neighbors.cc bug which prevented CONNECT requests from going to originserver cache peers. This bug affects both true CONNECT requests and intercepted SSL/TLS connections (with fake CONNECT requests). Squid uses the CachePeer::in_addr.port which is not meant to be used for the HTTP port, apparently. HTTP checks should use CachePeer::http_port instead. * Changes Squid to not initiate SSL/TLS connection to cache_peer for true CONNECT requests. * Allows forwarding being-peeked (or stared) at connections to originserver cache_peers. The bug fix described in the first bullet makes the last two changes necessary. This is a Measurement Factory project. 
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20150714175121-xg8942a4cm9udpd7
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# testament_sha1: 02e53b356d7a21f4ffd0327afbf1f59e5f35113d
# timestamp: 2015-07-14 18:14:49 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5
# base_revision_id: squid3@treenet.co.nz-20150707084254-\
# 5o2dmaumckmtqzab
#
# Begin patch
=== modified file 'src/FwdState.cc'
--- src/FwdState.cc 2015-05-09 11:40:55 +0000
+++ src/FwdState.cc 2015-07-14 17:51:21 +0000
@@ -683,10 +683,14 @@
 #if USE_OPENSSL
 if (!request->flags.pinned) {
- if ((serverConnection()->getPeer() && serverConnection()->getPeer()->use_ssl) ||
- (!serverConnection()->getPeer() && request->url.getScheme() == AnyP::PROTO_HTTPS) ||
- request->flags.sslPeek) {
-
+ const CachePeer *p = serverConnection()->getPeer();
+ const bool peerWantsTls = p && p->use_ssl;
+ // userWillSslToPeerForUs assumes CONNECT == HTTPS
+ const bool userWillTlsToPeerForUs = p && p->options.originserver &&
+ request->method == Http::METHOD_CONNECT;
+ const bool needTlsToPeer = peerWantsTls && !userWillTlsToPeerForUs;
+ const bool needTlsToOrigin = !p && request->url.getScheme() == AnyP::PROTO_HTTPS;
+ if (needTlsToPeer || needTlsToOrigin || request->flags.sslPeek) {
 HttpRequest::Pointer requestPointer = request;
 AsyncCall::Pointer callback = asyncCall(17,4, "FwdState::ConnectedToPeer",
@@ -782,7 +786,9 @@
 request->hier.startPeerClock();
- if (serverDestinations[0]->getPeer() && request->flags.sslBumped) {
+ // Do not fowrward bumped connections to parent proxy unless it is an
+ // origin server
+ if (serverDestinations[0]->getPeer() && !serverDestinations[0]->getPeer()->options.originserver && request->flags.sslBumped) {
 debugs(50, 4, "fwdConnectStart: Ssl bumped connections through parent proxy are not allowed");
 ErrorState *anErr = new ErrorState(ERR_CANNOT_FORWARD, Http::scServiceUnavailable, request);
 fail(anErr);
=== modified file 'src/neighbors.cc'
--- src/neighbors.cc 2015-02-06 15:59:58 +0000
+++ src/neighbors.cc 2015-07-14 17:51:21 +0000
@@ -161,7 +161,7 @@
 // CONNECT requests are proxy requests. Not to be forwarded to origin servers.
 // Unless the destination port matches, in which case we MAY perform a 'DIRECT' to this CachePeer.
- if (p->options.originserver && request->method == Http::METHOD_CONNECT && request->port != p->in_addr.port())
+ if (p->options.originserver && request->method == Http::METHOD_CONNECT && request->port != p->http_port)
 return false;
 if (p->peer_domain == NULL && p->access == NULL)
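Review bot: The comment added above the `if` misspells "forward" as `fowrward`, and the new condition calls `serverDestinations[0]->getPeer()` twice on one very long line; naming the peer once reads better and avoids the repeated lookup: `const CachePeer *p = serverDestinations[0]->getPeer();` then `// Do not forward bumped connections to a parent proxy unless it is an origin server` and `if (p && !p->options.originserver && request->flags.sslBumped) {`. The `debugs()` text on the next context line still says bumped connections through a parent proxy are not allowed, which after this change is only true for non-originserver peers, so it is worth rewording to match the new rule. The enclosing function continues beyond the hunk.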
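Review bot: The switch from `p->in_addr.port()` to `p->http_port` makes this port-equality test the only CONNECT-specific gate before an originserver peer is considered, and nothing on the line says why `in_addr` was the wrong field; a later reader could treat the two as interchangeable and revert it. Suggest a comment above the `if`: `// compare against http_port: in_addr.port() is apparently not the peer's HTTP port (revno 13860)`. Since intercepted TLS sessions reach this code as fake CONNECT requests (per the commit message), after this fix any CONNECT whose target port equals the peer's `http_port` becomes eligible for an originserver peer, and the `peer_domain`/`access` test that follows is presumably the remaining restriction on which hosts that applies to; stating that here would tell admins that cache_peer_access is the place to constrain it. The enclosing function continues outside the hunk.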