apt-cacher-ng_rewriter.py #6
krichter722 wants to merge 6686 commits into squid-cache:master from krichter722:apt-cacher-ng_helper
Conversation
Previously, unsigned -1 size was returned for those bodies. Old adapters relying on that buggy behavior will now throw: !"attempt to use unknown libecap::BodySize size" Such adapters should check libecap::BodySize::known() before using the libecap::Body::bodySize() value.
Portability fixes for non-GNU make.
When no ssl_bump rules match, Squid may throw a "a rule with the final
action must have matched" exception:
Must(finalAction == Ssl::bumpSplice || finalAction == Ssl::bumpBump ||
finalAction == Ssl::bumpTerminate);
After the exception is thrown, Squid attempts to wind down the affected
transaction (as it should), but the code either quits with an unhandled
exception error or hits the !callback assertion, depending on whether
the async job processing was in place when the exception was hit (which
depends on whether non-blocking/slow ssl_bump ACLs were active).
The attached patch does three things:
1. Teaches Squid to guess the final ssl_bump action when no ssl_bump
rules match. The final guessed action is "bump" if the last non-final
action was "stare" and "splice" otherwise. I suspect that the older
Squid code attempted to do something like that, but that code may have
been lost when we taught Squid to ignore impossible ssl_bump actions.
2. Protects ssl_bump-checking code from quitting with an unhandled
exception error.
3. Converts the fatal !callback assertion into [hopefully less damaging]
transaction error, with a BUG message logged to cache.log.
More work may be needed to investigate other exceptions, especially
Must(!csd->serverBump() || csd->serverBump()->step <= Ssl::bumpStep2);
This is a Measurement Factory project
Certificate Revocation Lists have gone through several iterations of logic redesign leading to duplicated code and non-optimal I/O. Client contexts were loading CRL directly from disk into the context on every new context creation. Whereas the server contexts were loading into an OpenSSL STACK_OF structure and adding from memory instead of disk. This latter design is more performant.
* Move the pre-loaded CRL set to Security::PeerOptions and store in a std::list structure as LockingPointer which will deallocate as needed on shutdown and reconfigure. This depends on trunk rev.14304
* Replace the client context disk I/O with the pre-loaded CRL list
* Add GnuTLS CRL list types. Though at this point GnuTLS does not pre-load the CRL files.
…als-fetching rules
When operating with many listening ports workers can flood the UDS queue buffers and run into a timeout waiting for the coordinator to respond. To prevent that we form a queue and wait for each port to get a response before registering the next.
The patch for CVE-2015-5400 converts all non-200 peer responses into 502 Bad Gateway responses when relaying a CONNECT to a peer. This happens to break login=PASS and login=PASSTHRU behaviour which relies on the 401 and 407 status being relayed transparently. We need to relay the auth server responses as-is when login= is set to PASS or PASSTHRU but then unconditionally close the connections to prevent CVE-2015-5400 from occurring.
From: Guido Serassio <guido.serassio@acmeconsulting.it>
To: Amos Jeffries <squid3@treenet.co.nz>, Squid Foundation Board <squid-board@lists.squid-cache.org>
Subject: R: Squid copyrights
Thread-Topic: Squid copyrights
Thread-Index: AQHQ9+T6PCUWJkiqykyPO1tKufh0Lp5Odnyw
Date: Sat, 26 Sep 2015 08:15:43 +0000
Message-ID: <0B31416C912584429DC230430752D91C0C028E4B@SBS.acmeconsulting.loc>
Hi Amos, For me the changes are OK. Please apply the changes on behalf of me. Regards Guido Serassio
... to latest file copy from http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt This resolves some terminology and FSF address changes since the GPLv2 document was earlier applied to Squid.
Update the response mime header parse to using the parseHeader() method previously in HttpRequest.
…atoi to make g++-4.9 on FreeBsd-9.3 happy
…or failure When the Ssl::PeerConnector fails to establish an SSL connection FwdState does not retry to connect to the next destination server ip address, but instead returns an error. This is a Measurement Factory project
Also, adds new config option tls-no-npn to fully disable NPN on selected cache_peer or http(s)_port directives. ICAPS services set TLS NPN to off by default to prevent NPN wrongly advertising them as HTTPS connections. The semantic meaning of NPN is to name the protocol which is being wrapped by TLS, in the case of ICAPS that is ICAP/1.0 but Squid NPN callback is currently hard-coded to send 'http/1.1'
upon startup. Controller condition for allocating MemStore is slightly different from MemStore condition for allocating MemStore::map, resulting in MemStore without a map. Until that discrepancy is fixed, be careful when dereferencing MemStore::map.
CBDATA and RefCountable are not very compatible. With the recent I/O callback shuffling there appears to no longer be any reason for this class to be CBDATA.
…ad of keytab ... when using login=NEGOTIATE to authenticate via kerberos to a peer. When specified, this option prevents Squid from crafting a kerberos credentials cache from a keytab, but instead lets GSSAPI use an existing credentials cache.
This patch adds the following formatting codes:
%ssl::>negotiated_version The TLS version of the client-to-Squid connection.
%ssl::<negotiated_version The TLS version of the Squid-to-server connection.
%ssl::>received_hello_version The TLS version of the Hello message received from the TLS client.
%ssl::<received_hello_version The TLS version of the Hello message received from the TLS server.
%ssl::>received_supported_version The maximum TLS version supported by the TLS client.
%ssl::<received_supported_version The maximum TLS version supported by the TLS server.
%ssl::>cipher The negotiated cipher of the client-to-Squid connection.
%ssl::<cipher The negotiated cipher of the Squid-to-server connection.
These are useful for statistics collection, security reviews, and reviews
prior to adjusting the list of the allowed TLS protocols and ciphers.
This is a Measurement Factory project
There are several use cases where an annotation may contain a list of values for a single key. Today it is only possible to match the full annotation value. This patch investigates the -m flag which can be used to enable delimiter separated substrings matching on annotations:
acl aclname note [-m[=delimiters]] name value ...
The '-m' flag by default matches comma separated substrings. The optional "delimiters" parameter is a list of non-alphanumeric characters, which can be used as alternate delimiters. E.g. if an external ACL sets an annotation like:
"applications=http,facebook,facebook-chat"
the following ACLs can be used to block access to certain applications:
acl fb_chat note -m applications facebook-chat
acl db_upload note -m applications dropbox-upload
http_access deny fb_chat
http_access deny db_upload
This is a Measurement Factory project
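The matching rule described in that commit message, as a Python model added here for illustration. It is not Squid's own code (Squid's ACL engine is C++): the `NoteAcl` class, `parse_note_acl`, `evaluate_http_access` and the sample annotation dictionary are all constructed to show why the exact-match form fails on a comma-separated value while the `-m` form, with the default or a custom delimiter set, succeeds.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: annotations as an external ACL helper might set them
# (key=value pairs). Not captured from a real Squid instance.
SAMPLE_NOTES: Dict[str, str] = {
    "applications": "http,facebook,facebook-chat",
    "user-groups": "staff;admins",
}


@dataclass
class NoteAcl:
    """Model of one 'acl <name> note [-m[=delimiters]] <key> <value> ...' line."""
    name: str
    key: str
    values: List[str]
    substring_match: bool = False  # True when -m was given
    delimiters: str = ","          # -m=<chars> replaces the default comma

    def matches(self, notes: Dict[str, str]) -> bool:
        value = notes.get(self.key)
        if value is None:
            return False
        if not self.substring_match:
            # Without -m the whole annotation value must equal an ACL value.
            return value in self.values
        # With -m the value is split on any of the delimiter characters and
        # each piece is compared against the ACL values.
        parts = re.split("[" + re.escape(self.delimiters) + "]", value)
        return any(part in self.values for part in parts)


def parse_note_acl(line: str) -> NoteAcl:
    """Parse a note ACL line into a NoteAcl (hypothetical helper)."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "acl" or tokens[2] != "note":
        raise ValueError("not a note ACL line: " + line)
    name, rest = tokens[1], tokens[3:]
    substring, delims = False, ","
    if rest[0].startswith("-m"):
        substring = True
        if rest[0].startswith("-m="):
            delims = rest[0][3:]
            # The commit message requires non-alphanumeric delimiter characters.
            if not delims or any(c.isalnum() for c in delims):
                raise ValueError("delimiters must be non-empty and non-alphanumeric")
        rest = rest[1:]
    if len(rest) < 2:
        raise ValueError("note ACL needs a key and at least one value: " + line)
    return NoteAcl(name, rest[0], rest[1:], substring, delims)


def evaluate_http_access(rules: List[Tuple[str, str]], acls: Dict[str, NoteAcl],
                         notes: Dict[str, str]) -> Optional[str]:
    """Return the action of the first rule whose ACL matches, else None.

    Simplification for illustration: one ACL per http_access rule.
    """
    for action, acl_name in rules:
        if acls[acl_name].matches(notes):
            return action
    return None


if __name__ == "__main__":
    acls = {a.name: a for a in (
        parse_note_acl("acl fb_chat note -m applications facebook-chat"),
        parse_note_acl("acl db_upload note -m applications dropbox-upload"),
    )}
    rules = [("deny", "fb_chat"), ("deny", "db_upload")]
    print(evaluate_http_access(rules, acls, SAMPLE_NOTES))
```

Note that without `-m` the ACL `acl fb note applications facebook` would not match the sample annotation at all, because `facebook` is compared against the full string `http,facebook,facebook-chat`; that is the gap the flag closes.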
Unfortunately, the Squid Project is not using git (yet). Github activity is likely to be ignored or forgotten, and this repo is way out of date. The best way to get your changes accepted would be to follow the standard procedure outlined at http://wiki.squid-cache.org/MergeProcedure Here are some high level issues you will need to be aware of and happy with before the merge audit is worth initiating:
Closing without prejudice because the old stale repository was replaced with the official one and Github cannot track this PR across such a huge repository change. Please resubmit if needed, after addressing @yadij comments.
added apt-cacher-ng_rewriter.py, a configurable URL rewriter for apt-cacher-ng