--------------------- PatchSet 6758 Date: 2008/02/10 19:41:52 Author: rousskov Branch: ssl-bump Tag: (none) Log: Added ssl_bump ACL. The ACL controls which CONNECT requests to an http_port marked with an sslBump flag are actually "bumped". This was needed to bypass the bump and tunnel requests to sites that Squid cannot handle well (with or without the bump), with other use cases likely to surface. By default, no requests are bumped. Squid warns if http_port(s) have SslBump but no ssl_bump ACL was configured. The ACL applies to all http_ports, but I suspect that, if needed, specific ACL rules can distinguish ports using "myport". Members: src/cf.data.pre:1.157.2.9->1.157.2.10 src/client_side.cc:1.139.6.12->1.139.6.13 src/client_side_request.cc:1.80.2.9->1.80.2.10 src/client_side_request.h:1.30.6.5->1.30.6.6 src/structs.h:1.116.6.6->1.116.6.7 Index: squid3/src/cf.data.pre =================================================================== RCS file: /cvsroot/squid-sf//squid3/src/cf.data.pre,v retrieving revision 1.157.2.9 retrieving revision 1.157.2.10 diff -u -r1.157.2.9 -r1.157.2.10 --- squid3/src/cf.data.pre 27 Jan 2008 20:47:20 -0000 1.157.2.9 +++ squid3/src/cf.data.pre 10 Feb 2008 19:41:52 -0000 1.157.2.10 @@ -1,6 +1,6 @@ # -# $Id: cf.data.pre,v 1.157.2.9 2008/01/27 20:47:20 rousskov Exp $ +# $Id: cf.data.pre,v 1.157.2.10 2008/02/10 19:41:52 rousskov Exp $ # # SQUID Web Proxy Cache http://www.squid-cache.org/ # ---------------------------------------------------------- 
@@ -926,11 +926,11 @@ sporadically hang or never complete requests set disable-pmtu-discovery option to 'transparent'. - sslBump Intercept each CONNECT request, establish secure - connection with the client and with the server, - decrypt HTTP messages as they pass through Squid, and - treat them as unencrypted HTTP messages, becoming the - man-in-the-middle. + sslBump Intercept each CONNECT request matching ssl_bump ACL, + establish secure connection with the client and with + the server, decrypt HTTP messages as they pass through + Squid, and treat them as unencrypted HTTP messages, + becoming the man-in-the-middle. When this option is enabled, additional options become available to specify SSL-related properties of the @@ -939,6 +939,9 @@ sslflags, and sslcontext. See the https_port directive for more information on these options. + The ssl_bump option is required to fully enable + the SslBump feature. + name= Specifies a internal name for the port. Defaults to the port specification (port or addr:port) 
@@ -1249,6 +1252,34 @@ server certificates while proxying https:// URLs DOC_END +NAME: ssl_bump +IFDEF: USE_SSL +TYPE: acl_access +LOC: Config.accessList.ssl_bump +DEFAULT: none +DOC_START + This ACL controls which CONNECT requests to an http_port + marked with an sslBump flag are actually "bumped". Please + see the sslBump flag of an http_port option for more details + about decoding proxied SSL connections. + + By default, no requests are bumped. + + See also: http_port sslBump + +NOCOMMENT_START +# Example: Bump all requests except those originating from localhost and +# those going to webax.com or example.com sites. +# +# acl localhost src 127.0.0.1/32 +# acl broken_sites dstdomain .webax.com +# acl broken_sites dstdomain .example.com +# ssl_bump deny localhost +# ssl_bump deny broken_sites +# ssl_bump allow all +NOCOMMENT_END +DOC_END + NAME: sslproxy_flags IFDEF: USE_SSL DEFAULT: none Index: squid3/src/client_side.cc =================================================================== RCS file: /cvsroot/squid-sf//squid3/src/client_side.cc,v retrieving revision 1.139.6.12 retrieving revision 1.139.6.13 diff -u -r1.139.6.12 -r1.139.6.13 --- squid3/src/client_side.cc 9 Feb 2008 00:35:11 -0000 1.139.6.12 +++ squid3/src/client_side.cc 10 Feb 2008 19:41:52 -0000 1.139.6.13 @@ -1,6 +1,6 @@ /* - * $Id: client_side.cc,v 1.139.6.12 2008/02/09 00:35:11 rousskov Exp $ + * $Id: client_side.cc,v 1.139.6.13 2008/02/10 19:41:52 rousskov Exp $ * * DEBUG: section 33 Client-side Routines * AUTHOR: Duane Wessels @@ -3044,6 +3044,9 @@ { http_port_list *s = NULL; int fd = -1; +#if USE_SSL + int bumpCount = 0; // counts http_ports with sslBump option +#endif for (s = Config.Sockaddr.http; s; s = s->next) { if (MAXHTTPPORTS == NHttpSockets) { @@ -3058,6 +3061,8 @@ s->http.s << " due to SSL initialization failure."); s->sslBump = 0; } + if (s->sslBump) + ++bumpCount; #endif enter_suid(); 
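Review bot: The DOC_START text for ssl_bump does not say what the ACL is matched against, and that matters for the example: a `dstdomain` deny rule is evaluated on the host the client put in its CONNECT line, before any server connection exists, so with `ssl_bump deny broken_sites` followed by `ssl_bump allow all` any client can exempt itself from decryption by naming a listed domain in CONNECT. That is fine for a compatibility bypass, but operators who treat bumping as an inspection control need to know the exemption is client-selectable. I would add after "By default, no requests are bumped." a paragraph such as `The ACL is checked against the CONNECT request as sent by the client (dstdomain sees the requested host, not a verified server certificate), so ssl_bump deny rules can be triggered by the client and should not be treated as a security boundary.` Whether ACL types that need asynchronous lookups can be used here depends on the matching code and is worth stating once confirmed.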
@@ -3083,6 +3088,13 @@ HttpSockets[NHttpSockets++] = fd; } + +#if USE_SSL + if (bumpCount && !Config.accessList.ssl_bump) + debugs(33, 1, "WARNING: http_port(s) with SslBump found, but no " << + std::endl << "\tssl_bump ACL configured. No requests will be " << + "bumped."); +#endif } #if USE_SSL Index: squid3/src/client_side_request.cc =================================================================== RCS file: /cvsroot/squid-sf//squid3/src/client_side_request.cc,v retrieving revision 1.80.2.9 retrieving revision 1.80.2.10 diff -u -r1.80.2.9 -r1.80.2.10 --- squid3/src/client_side_request.cc 27 Jan 2008 20:47:20 -0000 1.80.2.9 +++ squid3/src/client_side_request.cc 10 Feb 2008 19:41:52 -0000 1.80.2.10 @@ -1,6 +1,6 @@ /* - * $Id: client_side_request.cc,v 1.80.2.9 2008/01/27 20:47:20 rousskov Exp $ + * $Id: client_side_request.cc,v 1.80.2.10 2008/02/10 19:41:52 rousskov Exp $ * * DEBUG: section 85 Client-side Request Routines * AUTHOR: Robert Collins (Originally Duane Wessels in client_side.c) @@ -891,7 +891,7 @@ debugs(85, 4, "clientProcessRequest: " << RequestMethodStr(request->method) << " '" << uri << "'"); #if USE_SSL - if (request->method == METHOD_CONNECT && getConn()->port->sslBump) { + if (request->method == METHOD_CONNECT && sslBumpNeeded()) { sslBumpStart(); return; } 
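Review bot: The new warning in the added `#if USE_SSL` block is split into two cache.log lines by `std::endl` plus a tab, which breaks line-oriented log collection and alerting keyed on the `WARNING:` prefix, and the continuation line carries no timestamp or section prefix. Since this is exactly the misconfiguration a deployment wants to alert on (ports marked sslBump but nothing bumped), keep it on one line: `debugs(33, 1, "WARNING: http_port(s) with SslBump found, but no ssl_bump ACL configured. No requests will be bumped.");`. The outcome it describes (tunnel, do not decrypt) is the safe default and matches the `!Config.accessList.ssl_bump` guard on the decision side. The enclosing function starts before this hunk.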
@@ -922,7 +922,25 @@ } #if USE_SSL -// call when comm_write has completed + +// determines whether we should bump the CONNECT request +bool +ClientHttpRequest::sslBumpNeeded() const { + if (!getConn()->port->sslBump || !Config.accessList.ssl_bump) + return false; + + debugs(85, 5, HERE << "SslBump possible, checking ACL"); + + ACLChecklist check; + check.src_addr = request->client_addr; + check.my_addr = request->my_addr; + check.request = HTTPMSGLOCK(request); + check.accessList = cbdataReference(Config.accessList.ssl_bump); + /* cbdataReferenceDone() happens in either fastCheck() or ~ACLCheckList */ + return check.fastCheck() == 1; +} + +// called when comm_write has completed static void SslBumpEstablish(int, char *, size_t, comm_err_t errflag, int, void *data) { Index: squid3/src/client_side_request.h =================================================================== RCS file: /cvsroot/squid-sf//squid3/src/client_side_request.h,v retrieving revision 1.30.6.5 retrieving revision 1.30.6.6 diff -u -r1.30.6.5 -r1.30.6.6 --- squid3/src/client_side_request.h 27 Jan 2008 20:47:20 -0000 1.30.6.5 +++ squid3/src/client_side_request.h 10 Feb 2008 19:41:52 -0000 1.30.6.6 @@ -1,6 +1,6 @@ /* - * $Id: client_side_request.h,v 1.30.6.5 2008/01/27 20:47:20 rousskov Exp $ + * $Id: client_side_request.h,v 1.30.6.6 2008/02/10 19:41:52 rousskov Exp $ * * * SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -160,6 +160,7 @@ #if USE_SSL public: + bool sslBumpNeeded() const; void sslBumpStart(); void sslBumpEstablish(comm_err_t errflag); #endif Index: squid3/src/structs.h =================================================================== RCS file: /cvsroot/squid-sf//squid3/src/structs.h,v retrieving revision 1.116.6.6 retrieving revision 1.116.6.7 diff -u -r1.116.6.6 -r1.116.6.7 --- squid3/src/structs.h 27 Jan 2008 20:47:28 -0000 1.116.6.6 +++ squid3/src/structs.h 10 Feb 2008 19:41:52 -0000 1.116.6.7 
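Review bot: sslBumpNeeded() populates `src_addr`, `my_addr` and `request` on the ACLChecklist but no port, so the commit message's expectation that `myport` rules can distinguish sslBump ports is not supported by this hunk unless `myport` derives the port from `my_addr` in this tree; if ACLChecklist still carries a separate `my_port` field, as other checklist setups in Squid do, add `check.my_port = request->my_port;` next to `check.my_addr`. The decision is `fastCheck() == 1`, so any rule that cannot be answered synchronously (external ACLs, DNS-dependent `dst`, authentication) falls through to "do not bump", which errs on the side of not intercepting but silently disables the policy; the header comment should say so, e.g. `// Synchronous (fast) ACL check: rules needing async lookups cannot match here and the CONNECT is tunneled instead.` The inline comment only covers the cbdata reference; `HTTPMSGLOCK(request)` is balanced only if ~ACLChecklist unlocks `request`, which is worth confirming since this runs once per CONNECT and a missing unlock would leak a request per tunnel. The function is complete within the hunk; the SslBumpEstablish it precedes continues past it.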
@@ -1,6 +1,6 @@ /* - * $Id: structs.h,v 1.116.6.6 2008/01/27 20:47:28 rousskov Exp $ + * $Id: structs.h,v 1.116.6.7 2008/02/10 19:41:52 rousskov Exp $ * * * SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -537,6 +537,10 @@ acl_access *htcp; acl_access *htcp_clr; #endif + +#if USE_SSL + acl_access *ssl_bump; +#endif }