---------------------
PatchSet 6088
Date: 2007/11/06 00:21:31
Author: rousskov
Branch: ssl-bump
Tag: (none)
Log:
Mark connection that switched to SSL so that others can treat associated requests specially (e.g., accelerate them). Use now-configured SSL context of http_port instead of abusing htts_port context. This means that we can no longer rely on connection port protocol when accelerating request. The port is HTTP but we need to prepend https:// after switching to SSL mode. Warn if sslBump is enabled but there is no usable SSL context. This may need to be a fatal error.
Members:
src/client_side.cc:1.139.6.3->1.139.6.4
src/client_side.h:1.22.6.2->1.22.6.3
Index: squid3/src/client_side.cc
===================================================================
RCS file: /cvsroot/squid-sf//squid3/src/client_side.cc,v
retrieving revision 1.139.6.3
retrieving revision 1.139.6.4
diff -u -r1.139.6.3 -r1.139.6.4
--- squid3/src/client_side.cc 5 Nov 2007 22:13:39 -0000 1.139.6.3
+++ squid3/src/client_side.cc 6 Nov 2007 00:21:31 -0000 1.139.6.4
@@ -1,6 +1,6 @@
 /*
- * $Id: client_side.cc,v 1.139.6.3 2007/11/05 22:13:39 rousskov Exp $
+ * $Id: client_side.cc,v 1.139.6.4 2007/11/06 00:21:31 rousskov Exp $
 *
 * DEBUG: section 33 Client-side Routines
 * AUTHOR: Duane Wessels
@@ -1755,12 +1755,18 @@
 if (internalCheck(url)) {
 /* prepend our name & port */
 http->uri = xstrdup(internalLocalUri(NULL, url));
- } else if (vhost && (host = mime_get_header(req_hdr, "Host")) != NULL) {
+ return;
+ }
+
+ const bool switchedToHttps = conn->switchedToHttps();
+ const bool tryHostHeader = vhost || switchedToHttps;
+ if (tryHostHeader && (host = mime_get_header(req_hdr, "Host")) != NULL) {
 int url_sz = strlen(url) + 32 + Config.appendDomainLen +
 strlen(host);
 http->uri = (char *)xcalloc(url_sz, 1);
- snprintf(http->uri, url_sz, "%s://%s%s",
- conn->port->protocol, host, url);
+ const char *protocol = switchedToHttps ?
+ "https" : conn->port->protocol;
+ snprintf(http->uri, url_sz, "%s://%s%s", protocol, host, url);
 debugs(33, 5, "ACCEL VHOST REWRITE: '" << http->uri << "'");
 } else if (conn->port->defaultsite) {
 int url_sz = strlen(url) + 32 + Config.appendDomainLen +
@@ -1960,7 +1966,7 @@
 /* Rewrite the URL in transparent or accelerator mode */
 if (conn->transparent()) {
 prepareTransparentURL(conn, http, url, req_hdr);
- } else if (conn->port->accel) {
+ } else if (conn->port->accel || conn->switchedToHttps()) {
 prepareAcceleratedURL(conn, http, url, req_hdr);
 } else if (internalCheck(url)) {
 /* prepend our name & port */
@@ -2987,6 +2993,8 @@
 bool
 ConnStateData::switchToHttps()
 {
+ assert(!switchedToHttps_);
+
 //HTTPMSGLOCK(currentobject->http->request);
 assert(areAllContextsForThisConnection());
 freeAllContexts();
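Review bot: The https scheme is chosen only inside the Host-header branch, so a bumped request that carries no Host header falls through to the `conn->port->defaultsite` branch, whose body continues outside the hunk and presumably still formats with `conn->port->protocol`, labelling decrypted traffic as `http://`. Hoist the selection above the branch chain, `const char *protocol = switchedToHttps ? "https" : conn->port->protocol;` next to the `switchedToHttps` local, and use `protocol` in every snprintf of this function. Separately, `tryHostHeader` makes the client-supplied Host header the basis of the rebuilt URL on bumped connections even when `vhost` is off, so the administrator's opt-in no longer gates that trust there; a comment at the `tryHostHeader` line stating that this is intended would help, since the header value is copied into `http->uri` without validation.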
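Review bot: `conn->transparent()` is still tested before the new `conn->switchedToHttps()` clause, so a bumped connection on a port marked transparent would take prepareTransparentURL, which lies outside this hunk and, as far as can be seen here, has no https-aware rewrite. If bumping on a transparent port is a supported combination, test `conn->switchedToHttps()` first; if it is not, a one-line comment above the chain saying so would save the next reader the question. The enclosing function starts and ends outside the hunk.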
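Review bot: `assert(!switchedToHttps_)` reads a member that this patch adds in client_side.h (the `@@ -208,13 +208,19 @@` hunk) without an initializer, and no hunk in the patch touches the ConnStateData constructor; unless cbdata allocation zero-fills the object, the first call reads an indeterminate value and `switchedToHttps()` can report true on a plain connection. Initialise it where `transparent_`, `reading_` and `closing_` are set, e.g. `switchedToHttps_ = false;` in the constructor, in the same commit that introduces the flag. The body of switchToHttps continues in the next hunk.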
@@ -2999,20 +3007,19 @@
 detail.me = me;
 detail.peer = peer;
- SSL_CTX *sslContext = Config.Sockaddr.https->sslContext; // XXX: for now
+ SSL_CTX *sslContext = port->sslContext;
 SSL *ssl = NULL;
 if (!(ssl = httpsCreate(fd, &detail, sslContext)))
 return false;
- cbdataReferenceDone(port);
- port = cbdataReference(&Config.Sockaddr.https->http); // XXX: for now
-
 // commSetTimeout() was called for this request before we switched.
 // Disable the client read handler until peer selection is complete
 commSetSelect(fd, COMM_SELECT_READ, NULL, NULL, 0);
 commSetSelect(fd, COMM_SELECT_READ, clientNegotiateSSL, this, 0);
+
+ switchedToHttps_ = true;
 return true;
 }
@@ -3055,6 +3062,13 @@
 continue;
 }
+ if (s->sslBump && s->sslContext == NULL) {
+ debugs(1, 1, "Can not switch to HTTPS at " <<
+ inet_ntoa(s->http.s.sin_addr) << ", port " <<
+ (int) ntohs(s->http.s.sin_port));
+ // XXX: Should we abort then, perhaps when creating context?
+ }
+
 enter_suid();
 fd = comm_open(SOCK_STREAM, IPPROTO_TCP,
@@ -3071,7 +3085,8 @@
 debugs(1, 1, "Accepting " <<
 (s->transparent ? "transparently proxied" :
- s->accel ? "accelerated" : "" )
+ s->sslBump ? "bumpy" :
+ s->accel ? "accelerated" : "")
 << " HTTP connections at " << inet_ntoa(s->s.sin_addr) << ", port " << (int) ntohs(s->s.sin_port) << ", FD " << fd << "." );
Index: squid3/src/client_side.h
===================================================================
RCS file: /cvsroot/squid-sf//squid3/src/client_side.h,v
retrieving revision 1.22.6.2
retrieving revision 1.22.6.3
diff -u -r1.22.6.2 -r1.22.6.3
--- squid3/src/client_side.h 5 Nov 2007 17:52:09 -0000 1.22.6.2
+++ squid3/src/client_side.h 6 Nov 2007 00:21:31 -0000 1.22.6.3
@@ -1,5 +1,5 @@
 /*
- * $Id: client_side.h,v 1.22.6.2 2007/11/05 17:52:09 rousskov Exp $
+ * $Id: client_side.h,v 1.22.6.3 2007/11/06 00:21:31 rousskov Exp $
 *
 *
 * SQUID Web Proxy Cache http://www.squid-cache.org/
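Review bot: `port->sslContext` is handed to httpsCreate without a NULL check, while the startup check added in the `@@ -3055,6 +3062,13 @@` hunk only logs that a bumping port has no context and keeps the port open, so every switch attempt on such a port reaches httpsCreate with a NULL context; whether httpsCreate rejects that is outside this hunk. Guard it explicitly before the create, `if (!sslContext) { debugs(33, 1, "no SSL context to switch FD " << fd << " to HTTPS"); return false; }`, so the failure is logged per connection and `switchedToHttps_` is never set. Note also that a `false` return here follows the freeAllContexts() call in the previous hunk, so the caller must already treat the connection as unusable; that handling is not visible here.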
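Review bot: The new check fails open: a port with `sslBump` set and `sslContext == NULL` is logged at level 1 and then opened anyway, so clients are accepted on a port that cannot complete the switch (the context is used unchecked in the `@@ -2999,20 +3007,19 @@` hunk), which answers the XXX in the less safe direction. Either treat it as a configuration error with `fatal()` at this point, or clear `s->sslBump` so the port behaves as a plain http_port and say so in the log line. The message also addresses the port as `s->http.s` while the existing Accepting message later in this function uses `s->s`; if those are different fields the warning names the wrong socket, so verify against the port list type. The enclosing loop starts and ends outside the hunk.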
@@ -208,13 +208,19 @@
 void handleReadData(char *buf, size_t size);
 void handleRequestBodyData();
+#if USE_SSL
 bool switchToHttps();
+ bool switchedToHttps() const { return switchedToHttps_; }
+#else
+ bool switchedToHttps() const { return false; }
+#endif
 private:
 CBDATA_CLASS2(ConnStateData);
 bool transparent_;
 bool reading_;
 bool closing_;
+ bool switchedToHttps_;
 Pointer openReference;
 BodyPipe::Pointer bodyPipe; // set when we are reading request body
 };