I think this is right. Anyone able to double-check me though?

Amos
=== modified file 'src/ClientRequestContext.h'
--- src/ClientRequestContext.h  2009-07-13 01:20:26 +0000
+++ src/ClientRequestContext.h  2010-01-20 02:07:17 +0000
@@ -26,6 +26,7 @@
 
     bool httpStateIsValid();
     void clientAccessCheck();
+    void clientAccessCheck2();
     void clientAccessCheckDone(int answer);
     void clientRedirectStart();
     void clientRedirectDone(char *result);
@@ -42,11 +43,10 @@
     int redirect_state;
 
     bool http_access_done;
+    bool http_access2_done;
 #if USE_ADAPTATION
-
     bool adaptation_acl_check_done;
 #endif
-
     bool redirect_done;
     bool no_cache_done;
     bool interpreted_req_hdrs;
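Review bot: The new `http_access2_done` flag is not initialised anywhere in this patch, and no hunk touching the ClientRequestContext constructor is included. If the constructor (outside the visible hunks) sets the other `*_done` flags explicitly, it needs `http_access2_done = false;` alongside them. Otherwise the test `if (!calloutContext->http_access2_done)` added in client_side_request.cc reads an indeterminate value, and the second access check can be skipped silently, which fails open. A short comment on the member would also help, e.g. `// set once the post-adaptation http_access2 check has been started`.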

=== modified file 'src/cf.data.depend'
--- src/cf.data.depend  2009-12-16 03:46:59 +0000
+++ src/cf.data.depend  2010-01-20 02:03:45 +0000
@@ -22,7 +22,7 @@
 HelperChildConfig
 hostdomain             cache_peer
 hostdomaintype         cache_peer
-http_header_access
+http_header_access     acl
 http_header_replace
 http_port_list
 https_port_list

=== modified file 'src/cf.data.pre'
--- src/cf.data.pre     2010-01-02 04:32:46 +0000
+++ src/cf.data.pre     2010-01-20 02:03:13 +0000
@@ -922,6 +922,18 @@
 NOCOMMENT_END
 DOC_END
 
+NAME: http_access2
+TYPE: acl_access
+LOC: Config.accessList.http2
+DEFAULT: none
+DOC_START
+       Allowing or Denying access based on defined access lists
+
+       Essentially identical to http_access, but runs after redirectors
+       and ICAP/eCAP adatpation.
+       If not set then only http_access is used.
+DOC_END
+
 NAME: http_reply_access
 TYPE: acl_access
 LOC: Config.accessList.reply
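Review bot: The DOC text covers only the unset case and does not say what happens when http_access2 is set but no rule in it matches. Operators will rely on this directive to deny requests whose URL or headers changed during redirection or adaptation, so a wrong assumption about the implicit default leaves a gap. If the list follows the same convention as http_access, say so and add a line such as `If set, finish the list with an explicit "allow all" or "deny all" rule.` Also, `adatpation` should read `adaptation`.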

=== modified file 'src/client_side_request.cc'
--- src/client_side_request.cc  2009-12-11 23:37:30 +0000
+++ src/client_side_request.cc  2010-01-20 02:01:22 +0000
@@ -525,6 +525,23 @@
     }
 }
 
+/**
+ * Identical in operation to clientAccessCheck() but performed later using different configured ACL list.
+ * The default here is to allow all. Since the earlier http_access should do a default deny all.
+ * This check is just for a last-minute denial based on adapted request headers.
+ */
+void
+ClientRequestContext::clientAccessCheck2()
+{
+    if (Config.accessList.http2) {
+        acl_checklist = clientAclChecklistCreate(Config.accessList.http2, http);
+        acl_checklist->nonBlockingCheck(clientAccessCheckDoneWrapper, this);
+    } else {
+        debugs(85, 2, HERE << "No http_access2 configuration.");
+        clientAccessCheckDone(ACCESS_ALLOWED);
+    }
+}
+
 void
 clientAccessCheckDoneWrapper(int answer, void *data)
 {
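Review bot: Both passes complete through `clientAccessCheckDoneWrapper` and `clientAccessCheckDone()`, whose body is outside this hunk, so that handler must be safe to run a second time for the same request. Its error-page and authentication-challenge handling was presumably written for a single pass, and it should log enough for an operator to tell whether http_access or http_access2 denied the request. In the else branch no ACL is evaluated, so any matched-ACL name the handler reports would be left over from the first pass. The doc comment could state the sharing explicitly, e.g. `Completion is shared with clientAccessCheck() via clientAccessCheckDone().`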
@@ -1283,6 +1300,13 @@
         }
     }
 
+    if (!calloutContext->http_access2_done) {
+        debugs(83, 3, HERE << "Doing calloutContext->clientAccessCheck2()");
+        calloutContext->http_access2_done = true;
+        calloutContext->clientAccessCheck2();
+        return;
+    }
+
     if (!calloutContext->interpreted_req_hdrs) {
         debugs(83, 3, HERE << "Doing clientInterpretRequestHeaders()");
         calloutContext->interpreted_req_hdrs = 1;

=== modified file 'src/structs.h'
--- src/structs.h       2010-01-02 04:32:46 +0000
+++ src/structs.h       2010-01-20 02:04:46 +0000
@@ -459,6 +459,7 @@
 
     struct {
         acl_access *http;
+        acl_access *http2;
         acl_access *icp;
         acl_access *miss;
         acl_access *NeverDirect;
