[squid-dev] [PATCH] Invalid FTP connection handling on blocked content

Kinkie gkinkie at gmail.com
Sun Jan 24 09:37:27 UTC 2016 

Please go ahead. If you have a feature-branch it'd be maybe useful to
give a build-test prior to merging via the anybranch-wholefarm
parametric job http://build.squid-cache.org/job/anybranch-wholefarm-matrix/

On Thu, Jan 21, 2016 at 6:39 PM, Christos Tsantilas
<christos at chtsanti.net> wrote:
> Hi all,
>  this patch waits for long time in queue.
> If no objection I will apply this patch to trunk.
>
>
>
> On 12/29/2015 06:31 PM, Christos Tsantilas wrote:
>>
>>
>> Problem description
>> --------------------
>>
>> FTP client gets stuck after the following chain of events:
>>
>>   * Client requests a file that will be blocked by ICAP.
>>
>>   * Squid starts downloading the file from the FTP server and sends "150
>> Opening..." to the FTP client.
>>
>>   * Squid aborts the data connection with the FTP server as soon as the
>> ICAP service blocks it.
>>
>>   * Squid sends "451 Forbidden" to the FTP client.
>>
>>   * The FTP server sends "500 OOPS: setsockopt: linger" to Squid.
>>
>>   * Squid terminates the control connection to the FTP server.
>>
>>   * Squid establishes a new control connection to the FTP server but
>> does not authenticate itself.
>>
>>   * Further commands from the FTP client do not work any more.
>>
>> The above and many similar problems exist because Squid handles FTP
>> client-to-squid and squid-to-FTP server data connections independently
>> from each other. In many cases, one connection does not get notified
>> about the problems with the other connection.
>>
>> Tech details
>> ------------
>>
>> This patch:
>>    - Add Ftp::MasterState::userDataDone to record received the FTP
>> client final response status code to sent (or to be send) to the client.
>>
>>    - The Ftp::MasterState::waitForOriginData flag to hold status of the
>> squid-to-server side. If the squid-to-server side is not finishes yet
>> this is true.
>>
>>    - Send a control reply to the FTP client only after the data
>> transferred on both server and client sides.
>>
>>    - Split Client::abortTransaction to Client::abortOnData and to
>> Client::abortAll()
>>
>>    - Implement the Ftp::Relay::abortOnData() and Ftp::Relay::Abort()
>> (i.e., StoreEntry abort handler) to avoid closing the control connection
>> when the data connection is closed unexpectedly.
>>
>> This is a Measurement Factory project.
>
>
>
> _______________________________________________
> squid-dev mailing list
> squid-dev at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-dev



-- 
    Francesco

More information about the squid-dev mailing list