On Mon, 2006-12-04 at 12:57 +0100, Axel Westerhold wrote:
> Hi everyone,
>
> Second try this time hopefully complete.
>
> This is again patched against Squid 3 HEAD and includes 4 changes I would
> like to have when working with webwasher/squid systems.
>
>
> A.) ICAPServiceRep::TheSessionFailureLimit set through squid.conf
> B.) ICAPServiceRep delay for a down service set through squid.conf
> C.) Instead of hardcoding the Header used to transfer the username being
> able to set the used one through squid.conf
> D.) When using X-Authenticated-User in C I need the username to be base64
> encoded so I added another option to turn on encoding if needed.

The above changes, with minor modifications, are now committed to
the squid3-icap branch. The corresponding patch is attached.

I took the liberty to rename some of your new squid.conf options as well
as polish squid.conf comments and code. A negative value for the
icap_service_failure_limit disables the limit feature.

Please test and let me know whether any further changes are needed.

Thank you,

Alex.

- Added icap_service_failure_limit squid.conf option. The limit
specifies the number of failures that Squid tolerates when
establishing a new TCP connection with an ICAP service. If the
number of failures exceeds the limit, the ICAP service is not used
for new ICAP requests until it is time to refresh its OPTIONS. The
per-service failure counter is reset to zero each time Squid
fetches new service OPTIONS.
A negative value disables the limit.
The limit used to be hardcoded to 10.
- Added icap_service_revival_delay squid.conf option. The delay
specifies the number of seconds to wait after an ICAP OPTIONS
request failure before requesting the options again. The failed
ICAP service is considered "down" until fresh OPTIONS are fetched.
The actual delay cannot be smaller than the [still] hardcoded
minimum delay of 60 seconds.
- Added icap_client_username_header and icap_client_username_encode
squid.conf options to control how the authenticated client username
should be sent to the ICAP service.
- All of the above changes are based on the patch by Axel Westerhold.
Index: CONTRIBUTORS
===================================================================
RCS file: /cvsroot/squid/squid3/CONTRIBUTORS,v
retrieving revision 1.7.8.3
diff -u -r1.7.8.3 CONTRIBUTORS
--- CONTRIBUTORS 3 Oct 2006 05:24:00 -0000 1.7.8.3
+++ CONTRIBUTORS 14 Dec 2006 05:15:56 -0000
@@ -105,5 +105,6 @@
Mark Bergsma <[EMAIL PROTECTED]>
Tim Starling <[EMAIL PROTECTED]>
Tsantilas Christos <[EMAIL PROTECTED]>
+ Axel Westerhold <[EMAIL PROTECTED]>
Duane Wessels <[EMAIL PROTECTED]>
Index: src/cf.data.pre
===================================================================
RCS file: /cvsroot/squid/squid3/src/cf.data.pre,v
retrieving revision 1.79.2.12
diff -u -r1.79.2.12 cf.data.pre
--- src/cf.data.pre 18 Oct 2006 21:26:10 -0000 1.79.2.12
+++ src/cf.data.pre 14 Dec 2006 05:16:03 -0000
@@ -4966,6 +4966,39 @@
If you want to enable the ICAP module support, set this to on.
DOC_END
+NAME: icap_service_failure_limit
+TYPE: int
+IFDEF: ICAP_CLIENT
+LOC: TheICAPConfig.service_failure_limit
+DEFAULT: 10
+DOC_START
+ The limit specifies the number of failures that Squid tolerates
+ when establishing a new TCP connection with an ICAP service. If
+ the number of failures exceeds the limit, the ICAP service is
+ not used for new ICAP requests until it is time to refresh its
+ OPTIONS. The per-service failure counter is reset to zero each
+ time Squid fetches new service OPTIONS.
+
+ A negative value disables the limit. Without the limit, an ICAP
+ service will not be considered down due to connectivity failures
+ between ICAP OPTIONS requests.
+DOC_END
+
+NAME: icap_service_revival_delay
+TYPE: int
+IFDEF: ICAP_CLIENT
+LOC: TheICAPConfig.service_revival_delay
+DEFAULT: 180
+DOC_START
+ The delay specifies the number of seconds to wait after an ICAP
+ OPTIONS request failure before requesting the options again. The
+ failed ICAP service is considered "down" until fresh OPTIONS are
+ fetched.
+
+ The actual delay cannot be smaller than the hardcoded minimum
+ delay of 60 seconds.
+DOC_END
+
NAME: icap_preview_enable
TYPE: onoff
IFDEF: ICAP_CLIENT
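Review bot: The icap_service_failure_limit text documents negative values but not zero. With the "theSessionFailures > TheICAPConfig.service_failure_limit" test in ICAPServiceRep.cc, a limit of 0 suspends the service on its first connection failure, which is worth one sentence in the DOC block. icap_service_revival_delay is likewise TYPE: int with no statement of what a zero or negative value does; either say that such values are raised to the 60 second minimum or reject them at parse time.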
@@ -5026,8 +5059,29 @@
LOC: TheICAPConfig.send_client_username
DEFAULT: off
DOC_START
- This adds the header "X-Client-Username" to ICAP requests
- if proxy access is authentified.
+ This sends authenticated HTTP client username (if available) to
+ the ICAP service. The username value is encoded based on the
+ icap_client_username_encode option and is sent using the header
+ specified by the icap_client_username_header option.
+DOC_END
+
+NAME: icap_client_username_header
+TYPE: string
+IFDEF: ICAP_CLIENT
+LOC: TheICAPConfig.client_username_header
+DEFAULT: X-Client-Username
+DOC_START
+ ICAP request header name to use for send_client_username.
+DOC_END
+
+NAME: icap_client_username_encode
+TYPE: onoff
+IFDEF: ICAP_CLIENT
+COMMENT: on|off
+LOC: TheICAPConfig.client_username_encode
+DEFAULT: off
+DOC_START
+ Whether to base64 encode the authenticated client username.
DOC_END
NAME: icap_service
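Review bot: icap_client_username_header is a free-form TYPE: string that makeUsernameHeader() prints directly in front of ": ", so nothing here stops a value containing a colon, whitespace or a line break, or a name that duplicates a header Squid already sends in the ICAP request. The DOC block should state that the value must be a bare header field name, and the parser should ideally reject anything else. It would also help to note in icap_client_username_encode that base64 is only an encoding for the service's benefit, so the username is still readable by anything on the path to the ICAP server.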
Index: src/ICAP/ICAPConfig.h
===================================================================
RCS file: /cvsroot/squid/squid3/src/ICAP/ICAPConfig.h,v
retrieving revision 1.1.2.4
diff -u -r1.1.2.4 ICAPConfig.h
--- src/ICAP/ICAPConfig.h 26 Oct 2006 06:07:18 -0000 1.1.2.4
+++ src/ICAP/ICAPConfig.h 14 Dec 2006 05:16:04 -0000
@@ -43,8 +43,6 @@
class ConfigParser;
-class ICAPConfig;
-
class ICAPClass
{
@@ -102,6 +100,10 @@
int send_client_ip;
int send_client_username;
int reuse_connections;
+ int service_failure_limit;
+ int service_revival_delay;
+ char* client_username_header;
+ int client_username_encode;
Vector<ICAPServiceRep::Pointer> services;
Vector<ICAPClass*> classes;
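Review bot: client_username_header is added as a raw "char*" next to three plain ints, and the patch shows no constructor or destructor change for ICAPConfig, so it is not visible here who initializes the pointer before squid.conf is parsed or who frees the old value on reconfigure. If the generated TYPE: string parser and free routines own it, a short comment on the member saying so would help; otherwise initialize it to NULL in the constructor and release it in the destructor.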
@@ -126,4 +128,6 @@
};
+extern ICAPConfig TheICAPConfig;
+
#endif /* SQUID_ICAPCONFIG_H */
Index: src/ICAP/ICAPModXact.cc
===================================================================
RCS file: /cvsroot/squid/squid3/src/ICAP/ICAPModXact.cc,v
retrieving revision 1.1.2.18
diff -u -r1.1.2.18 ICAPModXact.cc
--- src/ICAP/ICAPModXact.cc 14 Dec 2006 00:21:54 -0000 1.1.2.18
+++ src/ICAP/ICAPModXact.cc 14 Dec 2006 05:16:05 -0000
@@ -1016,9 +1016,7 @@
buf.Printf("X-Client-IP: %s\r\n", inet_ntoa(request->client_addr));
if (TheICAPConfig.send_client_username && request)
- if (request->auth_user_request)
- if (request->auth_user_request->username())
- buf.Printf("X-Client-Username: %s\r\n", request->auth_user_request->username());
+ makeUsernameHeader(request, buf);
// fprintf(stderr, "%s\n", buf.content());
@@ -1030,6 +1028,17 @@
httpBuf.clean();
}
+void ICAPModXact::makeUsernameHeader(const HttpRequest *request, MemBuf &buf) {
+ if (const auth_user_request_t *auth = request->auth_user_request) {
+ if (char const *name = auth->username()) {
+ const char *value = TheICAPConfig.client_username_encode ?
+ base64_encode(name) : name;
+ buf.Printf("%s: %s\r\n", TheICAPConfig.client_username_header,
+ value);
+ }
+ }
+}
+
void ICAPModXact::encapsulateHead(MemBuf &icapBuf, const char *section, MemBuf &httpBuf, const HttpMsg *head)
{
// update ICAP header
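Review bot: In makeUsernameHeader(), when client_username_encode is off the username goes into "%s: %s\r\n" verbatim, so a username containing CR or LF would break out of the header line and add lines to the ICAP request. The removed code had the same behaviour, but since this function now owns the formatting it is the right place to reject or escape control characters in name before printing it. Separately, the pointer returned by base64_encode(name) is neither checked nor released here; a comment on that buffer's lifetime and maximum length would make the code easier to audit.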
Index: src/ICAP/ICAPModXact.h
===================================================================
RCS file: /cvsroot/squid/squid3/src/ICAP/ICAPModXact.h,v
retrieving revision 1.1.2.7
diff -u -r1.1.2.7 ICAPModXact.h
--- src/ICAP/ICAPModXact.h 25 Oct 2006 04:57:03 -0000 1.1.2.7
+++ src/ICAP/ICAPModXact.h 14 Dec 2006 05:16:05 -0000
@@ -172,6 +172,7 @@
size_t claimSize(const MemBufClaim &claim) const;
const char *claimContent(const MemBufClaim &claim) const;
void makeRequestHeaders(MemBuf &buf);
+ void makeUsernameHeader(const HttpRequest *request, MemBuf &buf);
void moveRequestChunk(MemBuf &buf, size_t chunkSize);
void addLastRequestChunk(MemBuf &buf);
void openChunk(MemBuf &buf, size_t chunkSize, bool ieof);
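Review bot: makeUsernameHeader() as defined in ICAPModXact.cc reads only its two arguments and TheICAPConfig, not any member of ICAPModXact, so the declaration could be made static or at least const to show that it does not modify transaction state. A one-line comment stating that the caller must pass a non-NULL request would also match the way the function dereferences it without a check.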
Index: src/ICAP/ICAPServiceRep.cc
===================================================================
RCS file: /cvsroot/squid/squid3/src/ICAP/ICAPServiceRep.cc,v
retrieving revision 1.1.2.11
diff -u -r1.1.2.11 ICAPServiceRep.cc
--- src/ICAP/ICAPServiceRep.cc 3 Nov 2006 15:54:55 -0000 1.1.2.11
+++ src/ICAP/ICAPServiceRep.cc 14 Dec 2006 05:16:05 -0000
@@ -8,13 +8,11 @@
#include "ICAPOptions.h"
#include "ICAPOptXact.h"
#include "ConfigParser.h"
+#include "ICAPConfig.h"
#include "SquidTime.h"
CBDATA_CLASS_INIT(ICAPServiceRep);
-// XXX: move to squid.conf
-const int ICAPServiceRep::TheSessionFailureLimit = 10;
-
ICAPServiceRep::ICAPServiceRep(): method(ICAP::methodNone),
point(ICAP::pointNone), port(-1), bypass(false),
theOptions(NULL), theLastUpdate(0),
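Review bot: Removing the definition "const int ICAPServiceRep::TheSessionFailureLimit = 10;" leaves the matching static member declaration in the class, and this patch contains no ICAPServiceRep.h hunk that removes it. Please drop the declaration from the header in the same commit so that no declared-but-undefined member is left for later code to reference.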
@@ -177,9 +175,10 @@
void ICAPServiceRep::noteFailure() {
++theSessionFailures;
debugs(93,4, "ICAPService failure " << theSessionFailures <<
- ", out of " << TheSessionFailureLimit << " allowed");
+ ", out of " << TheICAPConfig.service_failure_limit << " allowed");
- if (theSessionFailures > TheSessionFailureLimit)
+ if (TheICAPConfig.service_failure_limit >= 0 &&
+ theSessionFailures > TheICAPConfig.service_failure_limit)
suspend("too many failures");
// TODO: Should bypass setting affect how much Squid tries to talk to
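Review bot: With the limit disabled, the debugs() line in noteFailure() prints "out of -1 allowed", which reads like an error rather than "no limit". Consider logging a distinct message when service_failure_limit is negative. The comparison itself is consistent with the documentation ("exceeds the limit"), but note that it means limit + 1 failures are needed before suspend() is called.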
@@ -467,7 +466,8 @@
else
when = expire - expectedWait; // before the current options expire
} else {
- when = squid_curtime + 3*60; // delay for a down service
+ // delay for a down service
+ when = squid_curtime + TheICAPConfig.service_revival_delay;
}
debugs(93,7, "ICAPService options raw update on " << when << " or " << (when - squid_curtime));
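Review bot: The new "when = squid_curtime + TheICAPConfig.service_revival_delay;" uses the configured value as is, while the squid.conf documentation added in this patch promises a 60 second minimum. No clamp is visible in this hunk, so a zero or negative setting would schedule the OPTIONS refresh at or before squid_curtime unless a later line raises it. Either clamp the value here or add a comment pointing at the code that enforces the minimum.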