[squid-dev] [PATCH] Do not blindly forward cache peer CONNECT responses
Alex Rousskov
rousskov at measurement-factory.com
Fri Jun 19 16:54:39 UTC 2015
Hello,
The attached trunk patch fixes a rare but nasty problem by removing
a very old hack which shielded Squid from parsing most CONNECT responses.
Currently, Squid blindly forwards cache peer CONNECT responses to
clients when possible. This may break things if the peer responds with
something like HTTP 403 (Forbidden) and keeps the connection with Squid
open:
- The client application issues a CONNECT request.
- Squid forwards this request to a cache peer.
- Cache peer correctly responds back with a "403 Forbidden".
- Squid does not parse cache peer response and
just forwards it as if it was a Squid response to the client.
- The TCP connections are not closed.
At this stage, Squid is unaware that the CONNECT request has failed. All
subsequent requests on the user agent TCP connection are treated as
tunnelled traffic. Squid is forwarding these requests to the peer on the
TCP connection previously used for the 403-ed CONNECT request, without
proper processing. The additional headers which should have been applied
by Squid to these requests are not applied, and the requests are being
forwarded to the cache peer even though the Squid configuration may
state that these requests must go directly to the origin server.
This patch fixes Squid to parse cache peer responses, and if an error
response found, respond with "502 Bad Gateway" to the client and close
the connections.
HTH,
Alex.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SQUID-53-blind-connect-response-t8.patch
Type: text/x-diff
Size: 29781 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20150619/27f08c05/attachment-0001.patch>
More information about the squid-dev
mailing list