So, in theory ssl-bump is a form of intercept, not a form of accelerator. Its use of prepareAcceleratorURL() to convert the partial to absolute URL unconditionally sets the accel flag with a mix of side effects. Some bad ones have been identified already.

This patch changes the flag setting, to allow ssl-bump to use the URL preparation function without the side effects. I'm in half a mind to make an ssl-bump specific URL preparation function, but only after this is proven workable.

Christos: as the person who appears to have the best testing ability for ssl-bump can you run your tests over the resulting Squid and check that the expected behaviours have not changed for the worse? I am fully expecting there to be several as yet unknown places needing to add a test of the sslBumped flag alongside testing accel flag.

I'm expecting this to fix the need for ssl-bump to configure "always_direct allow" and for this to be the proper long-term fix for the bug 2519 status mixup in comment 52 (comment 53 has an adequate workaround for the bug patch while this gets tested).

Amos
=== modified file 'src/client_side.cc'
--- src/client_side.cc  2011-12-06 14:06:38 +0000
+++ src/client_side.cc  2011-12-07 10:59:48 +0000
@@ -1994,8 +1994,6 @@
     char *host;
     char ipbuf[MAX_IPSTRLEN];
 
-    http->flags.accel = 1;
-
     /* BUG: Squid cannot deal with '*' URLs (RFC2616 5.1.2) */
 
     if (strncasecmp(url, "cache_object://", 15) == 0)
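Review bot: With "http->flags.accel = 1;" dropped from the top of this function, setting the flag becomes each caller's job, and nothing in the function says so. Please add a comment at the function head stating that it no longer touches flags.accel, and check every call site, not only the two in this patch, so that no accelerator path silently loses the flag.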
@@ -2271,6 +2269,7 @@
      *  - transparent mode (TPROXY)
      *  - transparent mode with failures
      *  - intercept mode (NAT)
+     *  - intercept mode (SSL)
      *  - intercept mode with failures
      *  - accelerator mode (reverse proxy)
      *  - internal URL
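Review bot: The new "intercept mode (SSL)" entry does not tell the reader that this case is handled by the accelerated URL preparation path with the accel flag left unset, which is the whole point of the change. A few words on that in the entry, for example "intercept mode (SSL), URL built as for accel but flags.accel not set", would stop someone from "fixing" it back later.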
@@ -2280,9 +2279,14 @@
         /* intercept or transparent mode, properly working with no failures */
         prepareTransparentURL(csd, http, url, req_hdr);
 
-    } else if (csd->port->accel || csd->switchedToHttps()) {
+    } else if (csd->port->accel) {
         /* accelerator mode */
         prepareAcceleratedURL(csd, http, url, req_hdr);
+        http->flags.accel = 1;
+
+    } else if (csd->switchedToHttps()) {
+        /* SSL interception mode */
+        prepareAcceleratedURL(csd, http, url, req_hdr);
 
     } else if (internalCheck(url)) {
         /* internal URL mode */
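Review bot: In the accelerator branch "http->flags.accel = 1;" now runs after prepareAcceleratedURL() returns, whereas the removed line set it at the top of that function before any of its body ran. If anything in the function body, or anything it calls, reads flags.accel, it will now see it unset; setting the flag before the call keeps the old ordering. Two smaller points: a connection with both csd->port->accel set and switchedToHttps() true takes the first branch and still gets the accel flag, which is worth confirming as intended, and the "SSL interception mode" comment should say why the flag is deliberately not set there.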
