[squid-dev] [PATCH] remove HttpsPortList
Amos Jeffries
squid3 at treenet.co.nz
Sun Oct 11 05:17:25 UTC 2015
Combine the https_port list internal state with http_port state.
These two lists have been near identical for some time now and we can
easily reduce code by simply merging the two and using either the
secure.encryptTransport flag or the transport.protocol type to select
the remaining non-identical code paths.
There are only minor documentation changes resulting from this change.
Amos
-------------- next part --------------
=== modified file 'src/anyp/PortCfg.cc'
--- src/anyp/PortCfg.cc 2015-09-24 21:08:23 +0000
+++ src/anyp/PortCfg.cc 2015-10-10 06:35:15 +0000
@@ -2,43 +2,40 @@
* Copyright (C) 1996-2015 The Squid Software Foundation and contributors
*
* Squid software is distributed under GPLv2+ license and includes
* contributions from numerous individuals and organizations.
* Please see the COPYING and CONTRIBUTORS files for details.
*/
#include "squid.h"
#include "anyp/PortCfg.h"
#include "comm.h"
#include "fatal.h"
#include "security/PeerOptions.h"
#if USE_OPENSSL
#include "ssl/support.h"
#endif
#include <cstring>
#include <limits>
AnyP::PortCfgPointer HttpPortList;
-#if USE_OPENSSL
-AnyP::PortCfgPointer HttpsPortList;
-#endif
AnyP::PortCfgPointer FtpPortList;
int NHttpSockets = 0;
int HttpSockets[MAXTCPLISTENPORTS];
AnyP::PortCfg::PortCfg() :
next(),
s(),
transport(AnyP::PROTO_HTTP,1,1), // "Squid is an HTTP proxy", etc.
name(NULL),
defaultsite(NULL),
flags(),
allow_direct(false),
vhost(false),
actAsOrigin(false),
ignore_cc(false),
connection_auth_disabled(false),
ftp_track_dirs(false),
vport(0),
disable_pmtu_discovery(0),
=== modified file 'src/anyp/PortCfg.h'
--- src/anyp/PortCfg.h 2015-09-24 21:08:23 +0000
+++ src/anyp/PortCfg.h 2015-10-10 06:37:36 +0000
@@ -78,42 +78,37 @@
char *tls_dh;
char *sslContextSessionId; ///< "session id context" for staticSslContext
bool generateHostCertificates; ///< dynamically make host cert for sslBump
size_t dynamicCertMemCacheSize; ///< max size of generated certificates memory cache
Ssl::SSL_CTX_Pointer staticSslContext; ///< for HTTPS accelerator or static sslBump
Security::CertPointer signingCert; ///< x509 certificate for signing generated certificates
Ssl::EVP_PKEY_Pointer signPkey; ///< private key for sighing generated certificates
Ssl::X509_STACK_Pointer certsToChain; ///< x509 certificates to send with the generated cert
Security::CertPointer untrustedSigningCert; ///< x509 certificate for signing untrusted generated certificates
Ssl::EVP_PKEY_Pointer untrustedSignPkey; ///< private key for signing untrusted generated certificates
Ssl::X509_NAME_STACK_Pointer clientCA; ///< CA certificates to use when verifying client certificates
Ssl::DH_Pointer dhParams; ///< DH parameters for temporary/ephemeral DH key exchanges
char *eecdhCurve; ///< Elliptic curve for ephemeral EC-based DH key exchanges
#endif
};
} // namespace AnyP
-/// list of Squid http_port configured
+/// list of Squid http(s)_port configured
extern AnyP::PortCfgPointer HttpPortList;
-#if USE_OPENSSL
-/// list of Squid https_port configured
-extern AnyP::PortCfgPointer HttpsPortList;
-#endif
-
/// list of Squid ftp_port configured
extern AnyP::PortCfgPointer FtpPortList;
#if !defined(MAXTCPLISTENPORTS)
// Max number of TCP listening ports
#define MAXTCPLISTENPORTS 128
#endif
// TODO: kill this global array. Need to check performance of array vs list though.
extern int NHttpSockets;
extern int HttpSockets[MAXTCPLISTENPORTS];
#endif /* SQUID_ANYP_PORTCFG_H */
=== modified file 'src/cache_cf.cc'
--- src/cache_cf.cc 2015-10-09 06:02:01 +0000
+++ src/cache_cf.cc 2015-10-10 06:16:17 +0000
@@ -878,52 +878,45 @@
}
for (CachePeer *p = Config.peers; p != NULL; p = p->next) {
// default value for ssldomain= is the peer host/IP
if (p->secure.sslDomain.isEmpty())
p->secure.sslDomain = p->host;
if (p->secure.encryptTransport) {
debugs(3, DBG_IMPORTANT, "Initializing cache_peer " << p->name << " TLS context");
p->sslContext = p->secure.createClientContext(true);
if (!p->sslContext) {
debugs(3, DBG_CRITICAL, "ERROR: Could not initialize cache_peer " << p->name << " TLS context");
self_destruct();
}
}
}
#if USE_OPENSSL
for (AnyP::PortCfgPointer s = HttpPortList; s != NULL; s = s->next) {
- if (!s->flags.tunnelSslBumping)
+ if (!s->secure.encryptTransport)
continue;
-
- debugs(3, DBG_IMPORTANT, "Initializing http_port " << s->s << " SSL context");
+ debugs(3, DBG_IMPORTANT, "Initializing " << AnyP::UriScheme(s->transport.protocol) << "_port " << s->s << " TLS context");
s->configureSslServerContext();
}
-
- for (AnyP::PortCfgPointer s = HttpsPortList; s != NULL; s = s->next) {
- debugs(3, DBG_IMPORTANT, "Initializing https_port " << s->s << " SSL context");
- s->configureSslServerContext();
- }
-
#endif
// prevent infinite fetch loops in the request parser
// due to buffer full but not enough data recived to finish parse
if (Config.maxRequestBufferSize <= Config.maxRequestHeaderSize) {
fatalf("Client request buffer of %u bytes cannot hold a request with %u bytes of headers." \
" Change client_request_buffer_max or request_header_max_size limits.",
(uint32_t)Config.maxRequestBufferSize, (uint32_t)Config.maxRequestHeaderSize);
}
/*
* Disable client side request pipelining if client_persistent_connections OFF.
* Waste of resources queueing any pipelined requests when the first will close the connection.
*/
if (Config.pipeline_max_prefetch > 0 && !Config.onoff.client_pconns) {
debugs(3, DBG_PARSE_NOTE(DBG_IMPORTANT), "WARNING: pipeline_prefetch " << Config.pipeline_max_prefetch <<
" requires client_persistent_connections ON. Forced pipeline_prefetch 0.");
Config.pipeline_max_prefetch = 0;
}
=== modified file 'src/cf.data.pre'
--- src/cf.data.pre 2015-10-10 07:11:39 +0000
+++ src/cf.data.pre 2015-10-10 07:11:59 +0000
@@ -2040,44 +2040,44 @@
timeout the time before giving up.
require-proxy-header
Require PROXY protocol version 1 or 2 connections.
The proxy_protocol_access is required to whitelist
downstream proxies which can be trusted.
If you run Squid on a dual-homed machine with an internal
and an external interface we recommend you to specify the
internal address:port in http_port. This way Squid will only be
visible on the internal address.
NOCOMMENT_START
# Squid normally listens to port 3128
http_port @DEFAULT_HTTP_PORT@
NOCOMMENT_END
DOC_END
NAME: https_port
-IFDEF: USE_OPENSSL
+IFDEF: USE_GNUTLS||USE_OPENSSL
TYPE: PortCfg
DEFAULT: none
-LOC: HttpsPortList
+LOC: HttpPortList
DOC_START
Usage: [ip:]port [mode] cert=certificate.pem [options]
The socket address where Squid will listen for client requests made
over TLS or SSL connections. Commonly referred to as HTTPS.
This is most useful for situations where you are running squid in
accelerator mode and you want to do the TLS work at the accelerator level.
You may specify multiple socket addresses on multiple lines,
each with their own certificate and/or options.
The TLS cert= option is mandatory on HTTPS ports.
See http_port for a list of modes and options.
DOC_END
NAME: ftp_port
TYPE: PortCfg
DEFAULT: none
=== modified file 'src/client_side.cc'
--- src/client_side.cc 2015-09-27 10:30:23 +0000
+++ src/client_side.cc 2015-10-11 04:24:59 +0000
@@ -4359,137 +4359,108 @@
}
return true;
}
/// find any unused HttpSockets[] slot and store fd there or return false
static bool
AddOpenedHttpSocket(const Comm::ConnectionPointer &conn)
{
bool found = false;
for (int i = 0; i < NHttpSockets && !found; ++i) {
if ((found = HttpSockets[i] < 0))
HttpSockets[i] = conn->fd;
}
return found;
}
static void
clientHttpConnectionsOpen(void)
{
for (AnyP::PortCfgPointer s = HttpPortList; s != NULL; s = s->next) {
+ const char *scheme = AnyP::UriScheme(s->transport.protocol).c_str();
+
if (MAXTCPLISTENPORTS == NHttpSockets) {
- debugs(1, DBG_IMPORTANT, "WARNING: You have too many 'http_port' lines.");
+ debugs(1, DBG_IMPORTANT, "WARNING: You have too many '" << scheme << "_port' lines.");
debugs(1, DBG_IMPORTANT, " The limit is " << MAXTCPLISTENPORTS << " HTTP ports.");
continue;
}
#if USE_OPENSSL
- if (s->flags.tunnelSslBumping && !Config.accessList.ssl_bump) {
- debugs(33, DBG_IMPORTANT, "WARNING: No ssl_bump configured. Disabling ssl-bump on " << AnyP::UriScheme(s->transport.protocol) << "_port " << s->s);
- s->flags.tunnelSslBumping = false;
- }
-
- if (s->flags.tunnelSslBumping &&
- !s->staticSslContext &&
- !s->generateHostCertificates) {
- debugs(1, DBG_IMPORTANT, "Will not bump SSL at http_port " << s->s << " due to SSL initialization failure.");
- s->flags.tunnelSslBumping = false;
- }
if (s->flags.tunnelSslBumping) {
- // Create ssl_ctx cache for this port.
- Ssl::TheGlobalContextStorage.addLocalStorage(s->s, s->dynamicCertMemCacheSize == std::numeric_limits<size_t>::max() ? 4194304 : s->dynamicCertMemCacheSize);
+ if (!Config.accessList.ssl_bump) {
+ debugs(33, DBG_IMPORTANT, "WARNING: No ssl_bump configured. Disabling ssl-bump on " << scheme << "_port " << s->s);
+ s->flags.tunnelSslBumping = false;
+ }
+ if (!s->staticSslContext && !s->generateHostCertificates) {
+ debugs(1, DBG_IMPORTANT, "Will not bump SSL at " << scheme << "_port " << s->s << " due to TLS initialization failure.");
+ s->flags.tunnelSslBumping = false;
+ if (s->transport.protocol == AnyP::PROTO_HTTP)
+ s->secure.encryptTransport = false;
+ }
+ if (s->flags.tunnelSslBumping) {
+ // Create ssl_ctx cache for this port.
+ auto sz = s->dynamicCertMemCacheSize == std::numeric_limits<size_t>::max() ? 4194304 : s->dynamicCertMemCacheSize;
+ Ssl::TheGlobalContextStorage.addLocalStorage(s->s, sz);
+ }
}
#endif
- // Fill out a Comm::Connection which IPC will open as a listener for us
- // then pass back when active so we can start a TcpAcceptor subscription.
- s->listenConn = new Comm::Connection;
- s->listenConn->local = s->s;
- s->listenConn->flags = COMM_NONBLOCKING | (s->flags.tproxyIntercept ? COMM_TRANSPARENT : 0) | (s->flags.natIntercept ? COMM_INTERCEPTION : 0);
-
- // setup the subscriptions such that new connections accepted by listenConn are handled by HTTP
- typedef CommCbFunPtrCallT<CommAcceptCbPtrFun> AcceptCall;
- RefCount<AcceptCall> subCall = commCbCall(5, 5, "httpAccept", CommAcceptCbPtrFun(httpAccept, CommAcceptCbParams(NULL)));
- Subscription::Pointer sub = new CallSubscription<AcceptCall>(subCall);
-
- AsyncCall::Pointer listenCall = asyncCall(33,2, "clientListenerConnectionOpened",
- ListeningStartedDialer(&clientListenerConnectionOpened, s, Ipc::fdnHttpSocket, sub));
- Ipc::StartListening(SOCK_STREAM, IPPROTO_TCP, s->listenConn, Ipc::fdnHttpSocket, listenCall);
-
- HttpSockets[NHttpSockets] = -1; // set in clientListenerConnectionOpened
- ++NHttpSockets;
- }
-}
-
-#if USE_OPENSSL
-static void
-clientHttpsConnectionsOpen(void)
-{
- for (AnyP::PortCfgPointer s = HttpsPortList; s != NULL; s = s->next) {
- if (MAXTCPLISTENPORTS == NHttpSockets) {
- debugs(1, DBG_IMPORTANT, "Ignoring 'https_port' lines exceeding the limit.");
- debugs(1, DBG_IMPORTANT, "The limit is " << MAXTCPLISTENPORTS << " HTTPS ports.");
- continue;
- }
-
- if (!s->staticSslContext) {
- debugs(1, DBG_IMPORTANT, "Ignoring https_port " << s->s <<
- " due to SSL initialization failure.");
+ if (s->secure.encryptTransport && !s->staticSslContext) {
+ debugs(1, DBG_CRITICAL, "ERROR: Ignoring " << scheme << "_port " << s->s << " due to TLS context initialization failure.");
continue;
}
- // TODO: merge with similar code in clientHttpConnectionsOpen()
- if (s->flags.tunnelSslBumping && !Config.accessList.ssl_bump) {
- debugs(33, DBG_IMPORTANT, "WARNING: No ssl_bump configured. Disabling ssl-bump on " << AnyP::UriScheme(s->transport.protocol) << "_port " << s->s);
- s->flags.tunnelSslBumping = false;
- }
-
- if (s->flags.tunnelSslBumping && !s->staticSslContext && !s->generateHostCertificates) {
- debugs(1, DBG_IMPORTANT, "Will not bump SSL at https_port " << s->s << " due to SSL initialization failure.");
- s->flags.tunnelSslBumping = false;
- }
-
- if (s->flags.tunnelSslBumping) {
- // Create ssl_ctx cache for this port.
- Ssl::TheGlobalContextStorage.addLocalStorage(s->s, s->dynamicCertMemCacheSize == std::numeric_limits<size_t>::max() ? 4194304 : s->dynamicCertMemCacheSize);
- }
-
// Fill out a Comm::Connection which IPC will open as a listener for us
+ // then pass back when active so we can start a TcpAcceptor subscription.
s->listenConn = new Comm::Connection;
s->listenConn->local = s->s;
+
s->listenConn->flags = COMM_NONBLOCKING | (s->flags.tproxyIntercept ? COMM_TRANSPARENT : 0) |
(s->flags.natIntercept ? COMM_INTERCEPTION : 0);
- // setup the subscriptions such that new connections accepted by listenConn are handled by HTTPS
typedef CommCbFunPtrCallT<CommAcceptCbPtrFun> AcceptCall;
- RefCount<AcceptCall> subCall = commCbCall(5, 5, "httpsAccept", CommAcceptCbPtrFun(httpsAccept, CommAcceptCbParams(NULL)));
- Subscription::Pointer sub = new CallSubscription<AcceptCall>(subCall);
+ if (s->transport.protocol == AnyP::PROTO_HTTP) {
+ // setup the subscriptions such that new connections accepted by listenConn are handled by HTTP
+ RefCount<AcceptCall> subCall = commCbCall(5, 5, "httpAccept", CommAcceptCbPtrFun(httpAccept, CommAcceptCbParams(NULL)));
+ Subscription::Pointer sub = new CallSubscription<AcceptCall>(subCall);
+
+ AsyncCall::Pointer listenCall = asyncCall(33,2, "clientListenerConnectionOpened",
+ ListeningStartedDialer(&clientListenerConnectionOpened, s, Ipc::fdnHttpSocket, sub));
+ Ipc::StartListening(SOCK_STREAM, IPPROTO_TCP, s->listenConn, Ipc::fdnHttpSocket, listenCall);
+
+#if USE_OPENSSL
+ } else if (s->transport.protocol == AnyP::PROTO_HTTPS) {
+ // setup the subscriptions such that new connections accepted by listenConn are handled by HTTPS
+ RefCount<AcceptCall> subCall = commCbCall(5, 5, "httpsAccept", CommAcceptCbPtrFun(httpsAccept, CommAcceptCbParams(NULL)));
+ Subscription::Pointer sub = new CallSubscription<AcceptCall>(subCall);
+
+ AsyncCall::Pointer listenCall = asyncCall(33, 2, "clientListenerConnectionOpened",
+ ListeningStartedDialer(&clientListenerConnectionOpened,
+ s, Ipc::fdnHttpsSocket, sub));
+ Ipc::StartListening(SOCK_STREAM, IPPROTO_TCP, s->listenConn, Ipc::fdnHttpsSocket, listenCall);
+#endif
+ }
- AsyncCall::Pointer listenCall = asyncCall(33, 2, "clientListenerConnectionOpened",
- ListeningStartedDialer(&clientListenerConnectionOpened,
- s, Ipc::fdnHttpsSocket, sub));
- Ipc::StartListening(SOCK_STREAM, IPPROTO_TCP, s->listenConn, Ipc::fdnHttpsSocket, listenCall);
- HttpSockets[NHttpSockets] = -1;
+ HttpSockets[NHttpSockets] = -1; // set in clientListenerConnectionOpened
++NHttpSockets;
}
}
-#endif
void
clientStartListeningOn(AnyP::PortCfgPointer &port, const RefCount< CommCbFunPtrCallT<CommAcceptCbPtrFun> > &subCall, const Ipc::FdNoteId fdNote)
{
// Fill out a Comm::Connection which IPC will open as a listener for us
port->listenConn = new Comm::Connection;
port->listenConn->local = port->s;
port->listenConn->flags =
COMM_NONBLOCKING |
(port->flags.tproxyIntercept ? COMM_TRANSPARENT : 0) |
(port->flags.natIntercept ? COMM_INTERCEPTION : 0);
// route new connections to subCall
typedef CommCbFunPtrCallT<CommAcceptCbPtrFun> AcceptCall;
Subscription::Pointer sub = new CallSubscription<AcceptCall>(subCall);
AsyncCall::Pointer listenCall =
asyncCall(33, 2, "clientListenerConnectionOpened",
ListeningStartedDialer(&clientListenerConnectionOpened,
port, fdNote, sub));
Ipc::StartListening(SOCK_STREAM, IPPROTO_TCP, port->listenConn, fdNote, listenCall);
@@ -4511,69 +4482,56 @@
Must(Comm::IsConnOpen(s->listenConn));
// TCP: setup a job to handle accept() with subscribed handler
AsyncJob::Start(new Comm::TcpAcceptor(s, FdNote(portTypeNote), sub));
debugs(1, DBG_IMPORTANT, "Accepting " <<
(s->flags.natIntercept ? "NAT intercepted " : "") <<
(s->flags.tproxyIntercept ? "TPROXY intercepted " : "") <<
(s->flags.tunnelSslBumping ? "SSL bumped " : "") <<
(s->flags.accelSurrogate ? "reverse-proxy " : "")
<< FdNote(portTypeNote) << " connections at "
<< s->listenConn);
Must(AddOpenedHttpSocket(s->listenConn)); // otherwise, we have received a fd we did not ask for
}
void
clientOpenListenSockets(void)
{
clientHttpConnectionsOpen();
-#if USE_OPENSSL
- clientHttpsConnectionsOpen();
-#endif
Ftp::StartListening();
if (NHttpSockets < 1)
fatal("No HTTP, HTTPS, or FTP ports configured");
}
void
clientConnectionsClose()
{
for (AnyP::PortCfgPointer s = HttpPortList; s != NULL; s = s->next) {
if (s->listenConn != NULL) {
- debugs(1, DBG_IMPORTANT, "Closing HTTP port " << s->listenConn->local);
- s->listenConn->close();
- s->listenConn = NULL;
- }
- }
-
-#if USE_OPENSSL
- for (AnyP::PortCfgPointer s = HttpsPortList; s != NULL; s = s->next) {
- if (s->listenConn != NULL) {
- debugs(1, DBG_IMPORTANT, "Closing HTTPS port " << s->listenConn->local);
+ debugs(1, DBG_IMPORTANT, "Closing HTTP(S) port " << s->listenConn->local);
s->listenConn->close();
s->listenConn = NULL;
}
}
-#endif
Ftp::StopListening();
// TODO see if we can drop HttpSockets array entirely */
for (int i = 0; i < NHttpSockets; ++i) {
HttpSockets[i] = -1;
}
NHttpSockets = 0;
}
int
varyEvaluateMatch(StoreEntry * entry, HttpRequest * request)
{
const char *vary = request->vary_headers;
int has_vary = entry->getReply()->header.has(Http::HdrType::VARY);
#if X_ACCELERATOR_VARY
has_vary |=
entry->getReply()->header.has(Http::HdrType::HDR_X_ACCELERATOR_VARY);
=== modified file 'src/ssl/helper.cc'
--- src/ssl/helper.cc 2015-05-18 12:50:03 +0000
+++ src/ssl/helper.cc 2015-10-10 06:35:44 +0000
@@ -29,42 +29,40 @@
}
Ssl::Helper::Helper() : ssl_crtd(NULL)
{
}
Ssl::Helper::~Helper()
{
Shutdown();
}
void Ssl::Helper::Init()
{
assert(ssl_crtd == NULL);
// we need to start ssl_crtd only if some port(s) need to bump SSL *and* generate certificates
// TODO: generate host certificates for SNI enabled accel ports
bool found = false;
for (AnyP::PortCfgPointer s = HttpPortList; !found && s != NULL; s = s->next)
found = s->flags.tunnelSslBumping && s->generateHostCertificates;
- for (AnyP::PortCfgPointer s = HttpsPortList; !found && s != NULL; s = s->next)
- found = s->flags.tunnelSslBumping && s->generateHostCertificates;
if (!found)
return;
ssl_crtd = new helper("ssl_crtd");
ssl_crtd->childs.updateLimits(Ssl::TheConfig.ssl_crtdChildren);
ssl_crtd->ipc_type = IPC_STREAM;
// The crtd messages may contain the eol ('\n') character. We are
// going to use the '\1' char as the end-of-message mark.
ssl_crtd->eom = '\1';
assert(ssl_crtd->cmdline == NULL);
{
char *tmp = xstrdup(Ssl::TheConfig.ssl_crtd);
char *tmp_begin = tmp;
char * token = NULL;
bool db_path_was_found = false;
bool block_size_was_found = false;
char buffer[20] = "2048";
while ((token = strwordtok(NULL, &tmp))) {
wordlistAdd(&ssl_crtd->cmdline, token);
if (!strcmp(token, "-b"))
@@ -121,42 +119,40 @@
return &sslHelper;
}
Ssl::CertValidationHelper::CertValidationHelper() : ssl_crt_validator(NULL)
{
}
Ssl::CertValidationHelper::~CertValidationHelper()
{
Shutdown();
}
void Ssl::CertValidationHelper::Init()
{
assert(ssl_crt_validator == NULL);
// we need to start ssl_crtd only if some port(s) need to bump SSL
bool found = false;
for (AnyP::PortCfgPointer s = HttpPortList; !found && s != NULL; s = s->next)
found = s->flags.tunnelSslBumping;
- for (AnyP::PortCfgPointer s = HttpsPortList; !found && s != NULL; s = s->next)
- found = s->flags.tunnelSslBumping;
if (!found)
return;
ssl_crt_validator = new helper("ssl_crt_validator");
ssl_crt_validator->childs.updateLimits(Ssl::TheConfig.ssl_crt_validator_Children);
ssl_crt_validator->ipc_type = IPC_STREAM;
// The crtd messages may contain the eol ('\n') character. We are
// going to use the '\1' char as the end-of-message mark.
ssl_crt_validator->eom = '\1';
assert(ssl_crt_validator->cmdline == NULL);
int ttl = 60;
size_t cache = 2048;
{
char *tmp = xstrdup(Ssl::TheConfig.ssl_crt_validator);
char *tmp_begin = tmp;
char * token = NULL;
bool parseParams = true;
while ((token = strwordtok(NULL, &tmp))) {
if (parseParams) {
=== modified file 'src/ssl/support.cc'
--- src/ssl/support.cc 2015-10-03 05:26:00 +0000
+++ src/ssl/support.cc 2015-10-10 06:37:11 +0000
@@ -1420,79 +1420,73 @@
// the reference count is not incremented and therefore the session must
// not be explicitly freed with SSL_SESSION_free(3).
*copy = 0;
return session;
}
static void
setSessionCallbacks(SSL_CTX *ctx)
{
if (SslSessionCache) {
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER|SSL_SESS_CACHE_NO_INTERNAL);
SSL_CTX_sess_set_new_cb(ctx, store_session_cb);
SSL_CTX_sess_set_remove_cb(ctx, remove_session_cb);
SSL_CTX_sess_set_get_cb(ctx, get_session_cb);
}
}
static bool
isSslServer()
{
- if (HttpsPortList != NULL)
- return true;
-
for (AnyP::PortCfgPointer s = HttpPortList; s != NULL; s = s->next) {
+ if (s->secure.encryptTransport)
+ return true;
if (s->flags.tunnelSslBumping)
return true;
}
return false;
}
#define SSL_SESSION_ID_SIZE 32
#define SSL_SESSION_MAX_SIZE 10*1024
void
Ssl::initialize_session_cache()
{
if (!isSslServer()) //no need to configure ssl session cache.
return;
// Check if the MemMap keys and data are enough big to hold
// session ids and session data
assert(SSL_SESSION_ID_SIZE >= MEMMAP_SLOT_KEY_SIZE);
assert(SSL_SESSION_MAX_SIZE >= MEMMAP_SLOT_DATA_SIZE);
int configuredItems = ::Config.SSL.sessionCacheSize / sizeof(Ipc::MemMap::Slot);
if (IamWorkerProcess() && configuredItems)
SslSessionCache = new Ipc::MemMap(SslSessionCacheName);
else {
SslSessionCache = NULL;
return;
}
- for (AnyP::PortCfgPointer s = HttpsPortList; s != NULL; s = s->next) {
- if (s->staticSslContext.get() != NULL)
- setSessionCallbacks(s->staticSslContext.get());
- }
-
for (AnyP::PortCfgPointer s = HttpPortList; s != NULL; s = s->next) {
if (s->staticSslContext.get() != NULL)
setSessionCallbacks(s->staticSslContext.get());
}
}
void
destruct_session_cache()
{
delete SslSessionCache;
}
/// initializes shared memory segments used by MemStore
class SharedSessionCacheRr: public Ipc::Mem::RegisteredRunner
{
public:
/* RegisteredRunner API */
SharedSessionCacheRr(): owner(NULL) {}
virtual void useConfig();
virtual ~SharedSessionCacheRr();
=== modified file 'src/tools.cc'
--- src/tools.cc 2015-08-30 00:26:47 +0000
+++ src/tools.cc 2015-10-10 06:21:06 +0000
@@ -404,47 +404,40 @@
const char *
getMyHostname(void)
{
LOCAL_ARRAY(char, host, SQUIDHOSTNAMELEN + 1);
static int present = 0;
struct addrinfo *AI = NULL;
Ip::Address sa;
if (Config.visibleHostname != NULL)
return Config.visibleHostname;
if (present)
return host;
host[0] = '\0';
if (HttpPortList != NULL && sa.isAnyAddr())
sa = HttpPortList->s;
-#if USE_OPENSSL
-
- if (HttpsPortList != NULL && sa.isAnyAddr())
- sa = HttpsPortList->s;
-
-#endif
-
/*
* If the first http_port address has a specific address, try a
* reverse DNS lookup on it.
*/
if ( !sa.isAnyAddr() ) {
sa.getAddrInfo(AI);
/* we are looking for a name. */
if (getnameinfo(AI->ai_addr, AI->ai_addrlen, host, SQUIDHOSTNAMELEN, NULL, 0, NI_NAMEREQD ) == 0) {
/* DNS lookup successful */
/* use the official name from DNS lookup */
debugs(50, 4, "getMyHostname: resolved " << sa << " to '" << host << "'");
present = 1;
Ip::Address::FreeAddr(AI);
if (strchr(host, '.'))
return host;
}
@@ -1061,50 +1054,40 @@
fqdncacheAddEntryFromHosts(addr, hosts);
wordlistDestroy(&hosts);
}
}
fclose (fp);
}
int
getMyPort(void)
{
AnyP::PortCfgPointer p;
if ((p = HttpPortList) != NULL) {
// skip any special interception ports
while (p != NULL && p->flags.isIntercepted())
p = p->next;
if (p != NULL)
return p->s.port();
}
-#if USE_OPENSSL
- if ((p = HttpsPortList) != NULL) {
- // skip any special interception ports
- while (p != NULL && p->flags.isIntercepted())
- p = p->next;
- if (p != NULL)
- return p->s.port();
- }
-#endif
-
if ((p = FtpPortList) != NULL) {
// skip any special interception ports
while (p != NULL && p->flags.isIntercepted())
p = p->next;
if (p != NULL)
return p->s.port();
}
debugs(21, DBG_CRITICAL, "ERROR: No forward-proxy ports configured.");
return 0; // Invalid port. This will result in invalid URLs on bad configurations.
}
/*
* Set the umask to at least the given mask. This is in addition
* to the umask set at startup
*/
void
setUmask(mode_t mask)
{
// No way to get the current umask value without setting it.
More information about the squid-dev
mailing list