[squid-dev] [PATCH] Secure ICAP

Amos Jeffries squid3 at treenet.co.nz
Fri Apr 10 01:51:43 UTC 2015 

On 10/04/2015 2:43 a.m., Tsantilas Christos wrote:
> 
> This patch adds support for ICAP services that require SSL/TLS transport
> connections.
> 
> To mark an ICAP service as "secure", use an "icaps://" service URI
> scheme when listing your service via an icap_service directive.

The squid.conf parsing code contradicts that - it expects "... ssl
icap://...".


> 
> Squid uses port 11344 for Secure ICAP by default, following another
> popular proxy convention. The old 1344 default for plain ICAP ports has
> not changed.
> 
> This patch should applied after the "server_name" and "splicing resumed
> sessions" patches applied to trunk, and after re-merged with the trunk.
> However we can start the discussion if you agree.
> 
> 
> Technical Details
> ==================
> 
> This patch:
>   - Splits Ssl::PeerConnector class into Ssl::PeerConnector parent and
> two kids: Ssl::BlindPeerConnector, a basic SSL connector for
> cache_peers, and Ssl::PeekingPeerConnector, a peek-and-splice SSL
> connector for HTTP servers.
> 
>   - Adds a third Ssl::IcapPeerConnector kid to connect to Secure ICAP
> servers.
> 
>   - Fixes ErrorState class to avoid crashes on nil ErrorState::request
> member. (Ssl::IcapPeerConnector may generate an ErrorState with a nil
> request).
> 
>   - Modifies the ACL peername to use the Secure ICAP server name as
> value while connecting to an ICAP server. This is useful to make SSL
> certificate  policies based on ICAP server name. However, this change is
> undocumented until we decide whether a dedicated ACL would be better.
> 
> 
> This is a Measurement Factory project.
> 

Initial audit:

* Watch for HERE macros in the new, changed or moved code. I see at
least one being added in PeerConnector.cc


in src/acl/FilledChecklist.h:

* please use an SBuf for dst_peer_name
 - that will also prevent memory leaks in
Ssl::IcapPeerConnector::initializeSsl().



in src/adaptation/ServiceConfig.cc:

* the new "ssl" option needs some polishing.
 - for the dependency WARNING it should have:
debugs(3, DBG_PARSE_NOTE(DBG_IMPORTANT), "WARNING: ... ICAP service
option ignored.");
 - since this is all new code please use "tls-" as the TLS/SSL options
prefix.


in src/cf.data.pre:
* the new securtiy options section title should have s/HTTPS/ICAPS/


in src/adaptation/icap/ServiceRep.cc:

* please create/use #define DEFAULT_ICAP_PORT and DEFAULT_ICAPS_PORT
instead of magic port numbers.


in src/adaptation/icap/ServiceRep.h:

* please use Security::ContextPointer instead of SSL_CTX* for sslContext.
 - and it can go outside the USE_OPENSSL wrapper


in src/adaptation/icap/Xaction.cc:

* Adaptation::Icap::Xaction::noteCommClosed() does not need to wrap
securer use with USE_OPENSSL.


in src/err_detail_type.h:
* whats with the change to ERR_DETAIL_REDIRECTOR_TIMEDOUT ?
  - if thats a bug-fix you found along the way it should go in separate
for backporting.


NOTE: I've not done much audit on the PeerConnector changes, my brain is
too fuzzy right now. Though I am liking the class split.


Amos

More information about the squid-dev mailing list