Hi all,

This patch allows slow ACLs (e.g. destination-domain ACLs, which need an asynchronous DNS lookup) to be used with the ssl_bump feature.

Regards,
   Christos
Support for slow ssl_bump ACLs

Allow slow ACLs with ssl_bump option in squid.conf to enable destination
domain (and possibly other) slow ACL checks.

=== modified file 'src/ClientRequestContext.h'
--- src/ClientRequestContext.h	2010-11-21 09:24:35 +0000
+++ src/ClientRequestContext.h	2011-05-06 14:03:01 +0000
@@ -36,6 +36,16 @@
     void adaptationAccessCheck();
     void adaptationAclCheckDone(Adaptation::ServiceGroupPointer g);
 #endif
+#if USE_SSL
+    /**
+     * Initiates and start the acl checklist to check if the a CONNECT
+     * request must be bumped.
+     \retval true if the acl check scheduled, false if no ssl-bump required
+     */
+    bool sslBumpAccessCheck();
+    /// The callback function for ssl-bump access check list
+    void sslBumpAccessCheckDone(bool doSslBump);
+#endif
 
     ClientHttpRequest *http;
     ACLChecklist *acl_checklist;        /* need ptr back so we can unreg if needed */
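Review bot: The new doc comment on sslBumpAccessCheck() has wording slips ("Initiates and start", "check if the a CONNECT") and does not say what the caller must do when it returns true, which is the one thing doCallouts needs to know. Suggest `/** Schedules the ssl_bump ACL check for a CONNECT request; the caller must return and wait for sslBumpAccessCheckDone(), which resumes doCallouts(). \retval true if a check was scheduled, false if no bump is possible (state already recorded as "not needed") */`. The class header itself starts outside the hunk.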
@@ -51,6 +61,9 @@
     bool interpreted_req_hdrs;
     bool tosToClientDone;
     bool nfmarkToClientDone;
+#if USE_SSL
+    bool sslBumpCheckDone;
+#endif
 
 private:
     CBDATA_CLASS(ClientRequestContext);

=== modified file 'src/client_side_request.cc'
--- src/client_side_request.cc	2011-03-30 09:02:51 +0000
+++ src/client_side_request.cc	2011-05-06 17:46:28 +0000
@@ -112,6 +112,9 @@
 /* Local functions */
 /* other */
 static void clientAccessCheckDoneWrapper(int, void *);
+#if USE_SSL
+static void sslBumpAccessCheckDoneWrapper(int, void *);
+#endif
 static int clientHierarchical(ClientHttpRequest * http);
 static void clientInterpretRequestHeaders(ClientHttpRequest * http);
 static RH clientRedirectDoneWrapper;
@@ -140,6 +143,9 @@
     redirect_done = false;
     no_cache_done = false;
     interpreted_req_hdrs = false;
+#if USE_SSL
+    sslBumpCheckDone = false;
+#endif
     debugs(85,3, HERE << this << " ClientRequestContext constructed");
 }
 
@@ -173,6 +179,9 @@
 #if USE_ADAPTATION
     request_satisfaction_mode = false;
 #endif
+#if USE_SSL
+    sslBumpNeed = needUnknown;
+#endif
 }
 
 /*
@@ -1111,6 +1120,46 @@
     http->doCallouts();
 }
 
+#if USE_SSL
+bool
+ClientRequestContext::sslBumpAccessCheck()
+{
+    if (http->request->method == METHOD_CONNECT &&
+        Config.accessList.ssl_bump && http->getConn()->port->sslBump) {
+        debugs(85, 5, HERE << "SslBump possible, checking ACL");
+
+        ACLFilledChecklist *acl_checklist = clientAclChecklistCreate(Config.accessList.ssl_bump, http);
+        acl_checklist->nonBlockingCheck(sslBumpAccessCheckDoneWrapper, this);
+        return true;
+    }
+    else {
+        http->sslBumpNeeded(false);
+        return false;
+    }
+}
+
+/** 
+ * A wrapper function to use the ClientRequestContext::sslBumpAccessCheckDone method
+ * as ACLFilledChecklist callback
+ */
+static void
+sslBumpAccessCheckDoneWrapper(int answer, void *data)
+{
+    ClientRequestContext *calloutContext = static_cast<ClientRequestContext *>(data);
+
+    if (!calloutContext->httpStateIsValid())
+        return;
+    calloutContext->sslBumpAccessCheckDone(answer == ACCESS_ALLOWED);
+}
+
+void
+ClientRequestContext::sslBumpAccessCheckDone(bool doSslBump)
+{
+    http->sslBumpNeeded(doSslBump);
+    http->doCallouts();
+}
+#endif
+
 /*
  * Identify requests that do not go through the store and client side stream
  * and forward them to the appropriate location. All other requests, request
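Review bot: The local `ACLFilledChecklist *acl_checklist` in sslBumpAccessCheck() shadows the `acl_checklist` member that the class keeps precisely so a pending check can be unregistered ("need ptr back so we can unreg if needed"), so this check is never recorded on the context and cannot be cancelled if the request goes away while the slow lookup is outstanding; the change is to drop the local type and assign the member, `acl_checklist = clientAclChecklistCreate(Config.accessList.ssl_bump, http);`, and clear it in sslBumpAccessCheckDone() with `acl_checklist = NULL;`. Two further points: `http->getConn()->port` is dereferenced without a NULL check (the removed fastCheck code did the same, so this is not new, but a comment or guard would help), and the wrapper maps every answer other than ACCESS_ALLOWED, including a DUNNO from a failed lookup, to "do not bump", which is the safe direction (the connection is tunneled rather than intercepted) but deserves a one-line comment such as `// any non-ALLOWED answer (deny, or lookup failure) leaves the CONNECT un-bumped`.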
@@ -1155,19 +1204,18 @@
 
 #if USE_SSL
 
-// determines whether we should bump the CONNECT request
 bool
 ClientHttpRequest::sslBumpNeeded() const
 {
-    if (!getConn()->port->sslBump || !Config.accessList.ssl_bump)
-        return false;
-
-    debugs(85, 5, HERE << "SslBump possible, checking ACL");
-
-    ACLFilledChecklist check(Config.accessList.ssl_bump, request, NULL);
-    check.src_addr = request->client_addr;
-    check.my_addr = request->my_addr;
-    return check.fastCheck() == 1;
+    assert(sslBumpNeed != needUnknown);
+    return (sslBumpNeed == needConfirmed);
+}
+
+void
+ClientHttpRequest::sslBumpNeeded(bool isNeeded)
+{
+    debugs(83, 3, HERE << "sslBump required: "<< (isNeeded ? "Yes" : "No"));
+    sslBumpNeed = (isNeeded ? needConfirmed : needNot);
 }
 
 // called when comm_write has completed
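Review bot: `assert(sslBumpNeed != needUnknown)` in the new sslBumpNeeded() turns an ordering mistake into a worker abort (Squid's assert terminates the process, dropping every client it serves), whereas the removed fastCheck() version could be called at any time; please confirm that every existing caller of sslBumpNeeded() runs only after doCallouts() has finished, since that ordering is now a hard requirement rather than a preference. The setter also logs under section 83 while the check in sslBumpAccessCheck() uses section 85; use one section for the whole bump decision so `debug_options` can follow it, e.g. `debugs(85, 3, HERE << "sslBump required: " << (isNeeded ? "Yes" : "No"));`.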
@@ -1368,6 +1416,13 @@
         }
     }
 
+    if (!calloutContext->sslBumpCheckDone) {
+        calloutContext->sslBumpCheckDone = true;
+        if (calloutContext->sslBumpAccessCheck())
+            return;
+        /* else no ssl bump required*/
+    }
+
     cbdataReferenceDone(calloutContext->http);
     delete calloutContext;
     calloutContext = NULL;
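Review bot: Setting `calloutContext->sslBumpCheckDone = true` before calling sslBumpAccessCheck() is correct only because the ACL callback re-enters doCallouts() and must skip this step; that dependency is not visible here and deserves a comment, e.g. `// set before the check: sslBumpAccessCheckDone() re-enters doCallouts() and must not re-schedule it`. Also note that the bump ACL now runs after all other callouts (redirect, adaptation), i.e. against the possibly rewritten request rather than the original CONNECT — presumably intended, but worth stating in the commit description. doCallouts() begins outside the hunk.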

=== modified file 'src/client_side_request.h'
--- src/client_side_request.h	2011-03-30 08:46:08 +0000
+++ src/client_side_request.h	2011-05-06 17:25:21 +0000
@@ -149,8 +149,14 @@
     ConnStateData * conn_;
 
 #if USE_SSL
+    /// whether the request needs to be bumped
+    enum { needUnknown,  needConfirmed,  needNot } sslBumpNeed;
+
 public:
+    /// return true if the request needs to be bumped
     bool sslBumpNeeded() const;
+    /// set the sslBumpNeeded state
+    void sslBumpNeeded(bool isNeeded);
     void sslBumpStart();
     void sslBumpEstablish(comm_err_t errflag);
 #endif
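Review bot: The declaration comment on `bool sslBumpNeeded() const` should state its precondition, because the accessor is no longer a pure query: on the .cc side it asserts when the state is still `needUnknown`, so a caller that runs before the ssl_bump ACL check has completed aborts the process. Suggest `/// whether the CONNECT request must be bumped; valid only after the ssl_bump ACL check has set the state (asserts otherwise)` and, on the enum, `/// bump decision: unknown until the ssl_bump ACL check has run`. Overloading the getter and setter under the same name is legal but easy to misread; a `setSslBumpNeeded(bool)` name would make the state transition stand out in callers.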
