[squid-dev] [PATCH] received_encrypted ACL

2015-07-17 Thread Tsantilas Christos

This patch adds received_encrypted ACL

The new received_encrypted ACL matches transactions where all HTTP 
messages were received over TLS or SSL transport connections, including 
messages received from ICAP servers.


Some eCAP services receive data from unencrypted sources. Some eCAP 
services are secure, but we assume that all are not secure until we 
add a configuration option to mark secure eCAP services.


Use case: Sending everything to Secure ICAP services increases 
adaptation performance overhead. Folks want to send received_encrypted 
transactions and only those transactions to Secure ICAP services.


NOTE: Currently there is no mechanism to indicate whether a cached 
object came from a secure source or not, so we assume that all hits for 
secure requests are secure too.


This is a Measurement Factory project.
Add received_encrypted ACL

The new received_encrypted ACL matches transactions where all HTTP
messages were received over TLS or SSL transport connections, including
messages received from ICAP servers.

Some eCAP services receive data from unencrypted sources. Some eCAP
services are secure, but we assume that all are not secure until we
add a configuration option to mark secure eCAP services.

This is a Measurement Factory project.
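To make the matching rule in the description concrete, here is an added example (not Squid's code and not part of this patch) that models a per-message source bitmask and a received_encrypted-style check over every message of a transaction. The flag names, the Transaction container and the cache-hit handling are this example's assumptions; the check fails closed on a message whose source was never recorded.

```cpp
#include <cstdint>
#include <initializer_list>
#include <vector>
// Hypothetical per-message source flags (this example's names, not Squid's).
// A message starts with sources == 0, like the HttpMsg constructor change above.
enum Source : uint32_t {
    srcUnknown  = 0,        // never recorded
    srcHttp     = 1u << 0,  // plain HTTP from a client or origin server
    srcHttps    = 1u << 1,  // HTTP over TLS/SSL
    srcIcap     = 1u << 2,  // plain ICAP server
    srcIcaps    = 1u << 3,  // Secure ICAP server
    srcEcap     = 1u << 4,  // eCAP service: assumed insecure until a config option says otherwise
    srcCacheHit = 1u << 5,  // reply served from the cache; its original source is not recorded
};
const uint32_t srcSecureMask = srcHttps | srcIcaps;

struct HttpMsg { uint32_t sources = srcUnknown; };

// All HTTP messages of one transaction in order: the client request first,
// then any ICAP/eCAP messages, then the reply delivered to the client.
struct Transaction { std::vector<HttpMsg> msgs; };

Transaction makeTransaction(std::initializer_list<uint32_t> sources) {
    Transaction t;
    for (uint32_t s : sources) { HttpMsg m; m.sources = s; t.msgs.push_back(m); }
    return t;
}

// A message counts as encrypted only if every recorded source is in the secure set.
// An unrecorded source (0) fails closed. A cache hit inherits the request's status
// (the NOTE in the description) as long as nothing insecure was recorded alongside it.
bool msgEncrypted(const HttpMsg &m, bool requestSecure) {
    if (m.sources == srcUnknown)
        return false;
    if (m.sources & srcCacheHit)
        return requestSecure && (m.sources & ~(srcSecureMask | srcCacheHit)) == 0;
    return (m.sources & ~srcSecureMask) == 0;
}

// received_encrypted-style match: 1 when every message arrived over TLS/SSL, else 0.
int receivedEncryptedMatch(const Transaction &t) {
    if (t.msgs.empty())
        return 0;
    const bool requestSecure = msgEncrypted(t.msgs.front(), false);
    for (const HttpMsg &m : t.msgs)
        if (!msgEncrypted(m, requestSecure))
            return 0;
    return 1;
}
```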

=== modified file 'src/AclRegs.cc'
--- src/AclRegs.cc	2015-04-10 08:54:13 +
+++ src/AclRegs.cc	2015-06-15 15:45:43 +
@@ -43,40 +43,41 @@
 #include acl/HierCode.h
 #include acl/HierCodeData.h
 #include acl/HttpHeaderData.h
 #include acl/HttpRepHeader.h
 #include acl/HttpReqHeader.h
 #include acl/HttpStatus.h
 #include acl/IntRange.h
 #include acl/Ip.h
 #include acl/LocalIp.h
 #include acl/LocalPort.h
 #include acl/MaxConnection.h
 #include acl/Method.h
 #include acl/MethodData.h
 #include acl/MyPortName.h
 #include acl/Note.h
 #include acl/NoteData.h
 #include acl/PeerName.h
 #include acl/Protocol.h
 #include acl/ProtocolData.h
 #include acl/Random.h
+#include acl/ReceivedEncrypted.h
 #include acl/Referer.h
 #include acl/RegexData.h
 #include acl/ReplyHeaderStrategy.h
 #include acl/ReplyMimeType.h
 #include acl/RequestHeaderStrategy.h
 #include acl/RequestMimeType.h
 #include acl/SourceAsn.h
 #include acl/SourceDomain.h
 #include acl/SourceIp.h
 #include acl/SquidError.h
 #include acl/SquidErrorData.h
 #if USE_OPENSSL
 #include acl/Certificate.h
 #include acl/CertificateData.h
 #include acl/ServerName.h
 #include acl/SslError.h
 #include acl/SslErrorData.h
 #endif
 #include acl/Strategised.h
 #include acl/Strategy.h
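Review bot: the new `#include acl/ReceivedEncrypted.h` sits outside the `#if USE_OPENSSL` block that guards the other TLS-related ACL headers (`acl/Certificate.h`, `acl/ServerName.h`, `acl/SslError.h`). If that is intentional, so that `received_encrypted` still parses in non-TLS builds and simply never matches, a one-line comment next to the include would save the next reader the question; otherwise move it inside the guard together with the registration.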
@@ -213,20 +214,22 @@
 ACL::Prototype ACLTag::RegistryProtoype(ACLTag::RegistryEntry_, tag);
 ACLStrategisedconst char * ACLTag::RegistryEntry_(new ACLStringData, ACLTagStrategy::Instance(), tag);
 
 ACL::Prototype Acl::AnyOf::RegistryProtoype(Acl::AnyOf::RegistryEntry_, any-of);
 Acl::AnyOf Acl::AnyOf::RegistryEntry_;
 
 ACL::Prototype Acl::AllOf::RegistryProtoype(Acl::AllOf::RegistryEntry_, all-of);
 Acl::AllOf Acl::AllOf::RegistryEntry_;
 
 ACL::Prototype ACLNote::RegistryProtoype(ACLNote::RegistryEntry_, note);
 ACLStrategisedHttpRequest * ACLNote::RegistryEntry_(new ACLNoteData, ACLNoteStrategy::Instance(), note);
 
 #if USE_ADAPTATION
 ACL::Prototype ACLAdaptationService::RegistryProtoype(ACLAdaptationService::RegistryEntry_, adaptation_service);
 ACLStrategisedconst char * ACLAdaptationService::RegistryEntry_(new ACLAdaptationServiceData, ACLAdaptationServiceStrategy::Instance(), adaptation_service);
 #endif
 
 ACL::Prototype ACLSquidError::RegistryProtoype(ACLSquidError::RegistryEntry_, squid_error);
 ACLStrategisederr_type ACLSquidError::RegistryEntry_(new ACLSquidErrorData, ACLSquidErrorStrategy::Instance(), squid_error);
 
+ACL::Prototype ACLReceivedEncrypted::RegistryProtoype(ACLReceivedEncrypted::RegistryEntry_, received_encrypted);
+ACLReceivedEncrypted ACLReceivedEncrypted::RegistryEntry_(received_encrypted);
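Review bot: unlike the `ACLSquidError` and `ACLAdaptationService` entries above it, the new `ACLReceivedEncrypted::RegistryEntry_` is constructed directly from the ACL name with no data or strategy object, so `received_encrypted` is a parameterless ACL; please make sure its parse rejects stray arguments, and that the cf.data.pre documentation (not part of this excerpt) spells out the two assumptions from the description: eCAP services count as insecure, and cache hits for secure requests count as secure.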

=== modified file 'src/HttpMsg.cc'
--- src/HttpMsg.cc	2015-04-27 05:31:56 +
+++ src/HttpMsg.cc	2015-06-26 15:49:21 +
@@ -6,41 +6,42 @@
  * Please see the COPYING and CONTRIBUTORS files for details.
  */
 
 /* DEBUG: section 74HTTP Message */
 
 #include squid.h
 #include Debug.h
 #include HttpHeaderTools.h
 #include HttpMsg.h
 #include MemBuf.h
 #include mime_header.h
 #include profiler/Profiler.h
 #include SquidConfig.h
 
 HttpMsg::HttpMsg(http_hdr_owner_type owner):
 http_ver(Http::ProtocolVersion()),
 header(owner),
 cache_control(NULL),
 hdr_sz(0),
 content_length(0),
-pstate(psReadyToParseStartLine)
+pstate(psReadyToParseStartLine),
+sources(0)
 {}
 
 HttpMsg::~HttpMsg()
 {
 assert(!body_pipe);
 }
 
 HttpMsgParseState operator++ (HttpMsgParseState aState)
 {
 int tmp = (int)aState;
 aState = (HttpMsgParseState)(++tmp);
 return aState;
 }
 
 /* find end of headers */
 static int
 httpMsgIsolateHeaders(const char **parse_start, int l, const char **blk_start, const char **blk_end)
 {
 /*
  * parse_start points to the first line of HTTP message 
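Review bot: the new `sources(0)` initializer must appear in the same position as the member declaration in HttpMsg.h (not shown here), or `-Wreorder` fails `-Werror` builds; please also add a comment at the declaration stating that 0 means the source is still unknown, and confirm that the ACL treats an unrecorded 0 as not encrypted, so that a code path which forgets to set the field fails closed rather than open.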

[squid-dev] Build failed in Jenkins: trunk-matrix » clang,d-centos-7 #252

2015-07-17 Thread noc
See 
http://build.squid-cache.org/job/trunk-matrix/compiler=clang,label=d-centos-7/252/


[squid-dev] checklist->conn assertion in DestinationIp.cc

2015-07-17 Thread Alex Rousskov
Hello,

Intercepting Squids sometimes fail with the following assertion in
ACLDestinationIP::match():

    // Bug 3243: CVE 2009-0801
    // Bypass of browser same-origin access control in intercepted communication
    // To resolve this we will force DIRECT and only to the original client destination.
    // In which case, we also need this ACL to accurately match the destination
    if (Config.onoff.client_dst_passthru && ... intercepted ...) {
        assert(checklist->conn() && checklist->conn()->clientConnection != NULL);
        return ACLIP::match(checklist->conn()->clientConnection->local);
    }

There are several reports about these failures on squid-users, including
http://lists.squid-cache.org/pipermail/squid-users/2015-May/003562.html

The assertion makes no sense to me -- why would an ACL assert that a
connection is valid? A lot of things can happen between the time the ACL
checklist was formed and the time the ACL got evaluated. This is true
for all ACLs, but should be especially obvious for slow/asynchronous
ACLs such as dst.

I suggest replacing the assert with an if-statement to return -1
(matching failure) when the connection is gone. Rationale: With the
connection gone, the matching result probably does not matter anymore so
there is little incentive for us to use alternative (and insecure!)
sources of destination information.

Any better ideas?


Thank you,

Alex.
___
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev
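Alex's proposal, as an added example that is neither Squid's code nor part of the thread: a model of ACLDestinationIP::match() in which a missing client connection yields -1 instead of tripping an assertion, and intercepted transactions are matched only against the original TCP destination. The struct names and the `evaluate` helper are this example's assumptions.

```cpp
#include <string>

// Minimal stand-ins for the objects the thread discusses; names and layout are
// this example's own, not Squid's real classes.
struct Connection { std::string local; };  // address the client actually connected to
struct ConnStateData { Connection *clientConnection = nullptr; };
struct FilledChecklist {
    ConnStateData *conn = nullptr;  // client state; may be gone by the time a slow ACL runs
    std::string requestDst;         // destination derived from the request; client-controlled
    bool intercepted = false;
};

// Stand-in for ACLIP::match(): 1 = matches, 0 = does not match.
int aclIpMatch(const std::string &dst, const std::string &wanted) {
    return dst == wanted ? 1 : 0;
}

// Proposed shape of ACLDestinationIP::match() with the assert replaced by a check.
// For intercepted traffic (the CVE-2009-0801 handling) the only trusted destination
// is the original client connection's local address. If that state is already gone,
// report a matching failure (-1) instead of aborting the process or falling back to
// request-derived data, which the client controls.
int destinationIpMatch(const FilledChecklist &cl, const std::string &wanted, bool passthru) {
    if (passthru && cl.intercepted) {
        if (!cl.conn || !cl.conn->clientConnection)
            return -1;  // connection gone: fail, do not guess
        return aclIpMatch(cl.conn->clientConnection->local, wanted);
    }
    return aclIpMatch(cl.requestDst, wanted);  // forwarded (non-intercepted) traffic
}

// Builds one scenario and evaluates it with client_dst_passthru on.
int evaluate(bool connAlive, bool intercepted, const std::string &tcpDst,
             const std::string &requestDst, const std::string &wanted) {
    Connection c{tcpDst};
    ConnStateData state;
    state.clientConnection = &c;
    FilledChecklist cl;
    cl.conn = connAlive ? &state : nullptr;
    cl.requestDst = requestDst;
    cl.intercepted = intercepted;
    return destinationIpMatch(cl, wanted, true);
}
```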


Re: [squid-dev] checklist->conn assertion in DestinationIp.cc

2015-07-17 Thread Amos Jeffries
On 18/07/2015 6:09 a.m., Alex Rousskov wrote:
> Hello,
>
> Intercepting Squids sometimes fail with the following assertion in
> ACLDestinationIP::match():
>
>     // Bug 3243: CVE 2009-0801
>     // Bypass of browser same-origin access control in intercepted communication
>     // To resolve this we will force DIRECT and only to the original client destination.
>     // In which case, we also need this ACL to accurately match the destination
>     if (Config.onoff.client_dst_passthru && ... intercepted ...) {
>         assert(checklist->conn() && checklist->conn()->clientConnection != NULL);
>         return ACLIP::match(checklist->conn()->clientConnection->local);
>     }
>
> There are several reports about these failures on squid-users, including
> http://lists.squid-cache.org/pipermail/squid-users/2015-May/003562.html
>
> The assertion makes no sense to me -- why would an ACL assert that a
> connection is valid? A lot of things can happen between the time the ACL
> checklist was formed and the time the ACL got evaluated. This is true
> for all ACLs, but should be especially obvious for slow/asynchronous
> ACLs such as dst.

What is a transaction without any existing state objects?

The connection may be closed (definition of 'invalid'?) and still pass
this test, so long as the state actually exists.


If the ConnStateData and ConnStateData::clientConnection are previously
deleted and things are still starting ACL tests something very bad has
happened. Probably broken refcount/cbdata locking on the Job-like object
holding the Checklist.


>
> I suggest replacing the assert with an if-statement to return -1
> (matching failure) when the connection is gone. Rationale: With the
> connection gone, the matching result probably does not matter anymore so
> there is little incentive for us to use alternative (and insecure!)
> sources of destination information.
>
> Any better ideas?

That would seem to work for this problem. But be careful about other
hidden side effects of trying to complete delivery of a client response
without any existing client state object(s).

CbcPointer use for FilledChecklist::conn_ should also get a look-in to
see if it's possible. The hitch there, IIRC, was that CbcPointer get()
still produces NULL if the object has been 'deleted' but locks are still
existing for the Checklist to be destructed.

Amos