This alters the getMyPort() function to skip ports flagged for special
mode handling (intercept, tproxy, accel) when generating internal URLs.
This allows us to lock down security on these special mode ports and
still have an arbitrary position for the forward-proxy port. Prior to
this only the first port was used, forcing an unnecessary configuration
order.

Since it is now possible to have no port available for these URLs the
fatal()/crash has been reduced to an annoying cache.log message. Port 0
will be inserted into the URLs making them invalid.

For now this is only done on http_port entries. https_port has an
incomplete merge of https_port_list/http_port_list which needs to be
completed before it is easily done there.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.12
Beta testers wanted for 3.2.0.6
=== modified file 'src/tools.cc'
--- src/tools.cc 2011-04-08 00:12:34 +0000
+++ src/tools.cc 2011-04-10 07:11:42 +0000
@@ -1245,19 +1245,22 @@
int
getMyPort(void)
{
- if (Config.Sockaddr.http)
- return Config.Sockaddr.http->s.GetPort();
+ if (Config.Sockaddr.http) {
+ // skip any special mode ports
+ http_port_list *p = Config.Sockaddr.http;
+ while(p->intercepted || p->accel || p->spoof_client_ip)
+ p = p->next;
+ if (p)
+ return p->s.GetPort();
+ }
#if USE_SSL
-
if (Config.Sockaddr.https)
return Config.Sockaddr.https->http.s.GetPort();
-
#endif
- fatal("No port defined");
-
- return 0; /* NOT REACHED */
+ debugs(21, DBG_CRITICAL, "ERROR: No forward-proxy ports configured.");
+ return 0; // invalid port. This will result in invalid URLs on bad configurations.
}
/*
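Review bot: the new while loop in getMyPort() dereferences p before testing it, so when every http_port entry is intercepted, accel or spoof_client_ip, `p = p->next` reaches the end of the list and the next evaluation of `p->intercepted` reads through a NULL pointer. The `if (p)` check after the loop comes too late to help. That all-special-mode configuration is the case the description says should now only log an error to cache.log, so as written it would still crash, just without the fatal() message. Move the NULL test into the loop condition, for example `while (p && (p->intercepted || p->accel || p->spoof_client_ip))`. Separately, the USE_SSL branch still returns the first https_port with no mode filtering; the description says that is deferred, and a short comment at that branch saying so would keep the gap visible to the next reader.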