On 17/01/2013 6:47 a.m., Alex Rousskov wrote:
Hello,clientProcessRequest() assumes that a CONNECT request is always tunneled and sets flags.readMore to false. However, if url_rewriter redirects the CONNECTing user, Squid responds with a redirect message and does not tunnel. In that case, we do want to read more. Otherwise, keepaliveNextRequest() will declare the connection abandoned and the connection descriptor will "leak" until the connection lifetime expires, even if the client disconnects immediately after receiving the redirect response. The fix delays setting flags.readMore to false until we are about to call tunnelStart(). The effect on CONNECT authentication (another case where CONNECT is not tunneled) is untested, but I hope that code continues to work because it should be OK with reading more requests on the [being] authenticated connection. These changes may also fix other similar not-tunneled CONNECT cases. They are not related to SslBump. One of the attached patches is for trunk. The other one is for v3.2. I did not check whether the problem exists in v3.1. HTH, Alex.
+1. It looks okay, although I would like confirmation from somebody using NTLM authentication that things still work afterwards.
Amos
