diff -u -r -N squid-3.1.6/bootstrap.sh squid-3.1.7/bootstrap.sh --- squid-3.1.6/bootstrap.sh 2010-08-02 02:01:37.000000000 +1200 +++ squid-3.1.7/bootstrap.sh 2010-08-24 17:41:26.000000000 +1200 @@ -115,12 +115,17 @@ chmod u-w $makefile # Libtool 2.2.6b we bundle is slightly broken with non-portable dependencies - sed 's//\"libltdl\/lt_system.h\"/g' $src/ltdl.h | - sed 's//\"libltdl\/lt_error.h\"/g' | - sed 's//\"libltdl\/lt_dlloader.h\"/g' > $src/ltdl.h.new; - chmod u+w $src/ltdl.h - mv $src/ltdl.h.new $src/ltdl.h - chmod u-w $src/ltdl.h + # HACK: Make it backward-compatible by linking the bundled headers. + for f in ltdl.h libltdl/lt_error.h libltdl/lt_system.h libltdl/lt_dlloader.h libltdl/slist.h; do + echo "Fixing $f ..." + sed 's//\"libltdl\/lt_system.h\"/g' $src/$f | + sed 's//\"libltdl\/lt__glibc.h\"/g' | + sed 's//\"libltdl\/lt_error.h\"/g' | + sed 's//\"libltdl\/lt_dlloader.h\"/g' > $src/$f.new; + chmod u+w $src/$f + mv $src/$f.new $src/$f + chmod u-w $src/$f + done fi } diff -u -r -N squid-3.1.6/ChangeLog squid-3.1.7/ChangeLog --- squid-3.1.6/ChangeLog 2010-08-02 02:01:37.000000000 +1200 +++ squid-3.1.7/ChangeLog 2010-08-24 17:41:25.000000000 +1200 
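Review bot: The new loop rewrites every listed file without checking that `$src/$f` exists, and the list now includes `libltdl/slist.h` and the three `libltdl/lt_*.h` headers that the old code never touched; if one of them is absent from the bundled tree, the sed pipeline still creates an empty `$src/$f.new` and the following `mv` installs that empty file as the header. A guard at the top of the loop body, `[ -f "$src/$f" ] || { echo "bootstrap: $f not found, skipping" >&2; continue; }`, keeps the tree intact, and nothing else in the hunk examines the pipeline's exit status. The sed patterns as printed here appear to have lost their angle-bracket include targets in extraction, so I have not reviewed their content.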
@@ -1,3 +1,20 @@ +Changes to squid-3.1.7 (23 Aug 2010): + + - Regression Bug 3021: Large DNS reply causes crash + - Regression Bug 3011: ICAP, HTTPS, cache_peer probe IPv4-only port fixes + - Regression Bug 2997: visible_hostname directive no longer matches docs + - Bug 3012: deprecate sslBump and support ssl-bump spelling in http_port + - Bug 3006: handle IPV6_V6ONLY definition missing + - Bug 3004: Solaris 9 SunStudio 12 build failure + - Bug 3003: inconsistent concepts in documentation of cache_dir + - Bug 3001: dnsserver link issues + - HTTP/1.1: default keep-alive for 1.1 clients (bug 3016) + - HTTP/1.1: Improved Range header field validation + - HTTP/1.1: Forward multiple unknown Cache-Control directives + - HTTP/1.1: Stop sending Proxy-Connection header + - Fix 32-bit wrap in refresh_pattern min/max values + - ... and several documentation corrections. + Changes to squid-3.1.6 (02 Aug 2010): - Bug 2994, 2995: IPv4-only regressions diff -u -r -N squid-3.1.6/configure squid-3.1.7/configure --- squid-3.1.6/configure 2010-08-02 02:03:14.000000000 +1200 +++ squid-3.1.7/configure 2010-08-24 17:43:37.000000000 +1200 @@ -1,7 +1,7 @@ #! /bin/sh # From configure.in Revision. # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.62 for Squid Web Proxy 3.1.6. +# Generated by GNU Autoconf 2.62 for Squid Web Proxy 3.1.7. # # Report bugs to . # @@ -750,8 +750,8 @@ # Identity of this package. PACKAGE_NAME='Squid Web Proxy' PACKAGE_TARNAME='squid' -PACKAGE_VERSION='3.1.6' -PACKAGE_STRING='Squid Web Proxy 3.1.6' +PACKAGE_VERSION='3.1.7' +PACKAGE_STRING='Squid Web Proxy 3.1.7' PACKAGE_BUGREPORT='http://www.squid-cache.org/bugs/' ac_unique_file="src/main.cc" 
@@ -1712,7 +1712,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures Squid Web Proxy 3.1.6 to adapt to many kinds of systems. +\`configure' configures Squid Web Proxy 3.1.7 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1782,7 +1782,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of Squid Web Proxy 3.1.6:";; + short | recursive ) echo "Configuration of Squid Web Proxy 3.1.7:";; esac cat <<\_ACEOF @@ -2109,7 +2109,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -Squid Web Proxy configure 3.1.6 +Squid Web Proxy configure 3.1.7 generated by GNU Autoconf 2.62 Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, @@ -2123,7 +2123,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by Squid Web Proxy $as_me 3.1.6, which was +It was created by Squid Web Proxy $as_me 3.1.7, which was generated by GNU Autoconf 2.62. Invocation command line was $ $0 $@ @@ -2841,7 +2841,7 @@ # Define the identity of the package. PACKAGE='squid' - VERSION='3.1.6' + VERSION='3.1.7' cat >>confdefs.h <<_ACEOF @@ -48878,7 +48878,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by Squid Web Proxy $as_me 3.1.6, which was +This file was extended by Squid Web Proxy $as_me 3.1.7, which was generated by GNU Autoconf 2.62. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -48931,7 +48931,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_version="\\ -Squid Web Proxy config.status 3.1.6 +Squid Web Proxy config.status 3.1.7 configured by $0, generated by GNU Autoconf 2.62, with options \\"`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\" diff -u -r -N squid-3.1.6/configure.in squid-3.1.7/configure.in --- squid-3.1.6/configure.in 2010-08-02 02:03:14.000000000 +1200 +++ squid-3.1.7/configure.in 2010-08-24 17:43:36.000000000 +1200 @@ -2,7 +2,7 @@ dnl dnl $Id$ dnl -AC_INIT([Squid Web Proxy],[3.1.6],[http://www.squid-cache.org/bugs/],[squid]) +AC_INIT([Squid Web Proxy],[3.1.7],[http://www.squid-cache.org/bugs/],[squid]) AC_PREREQ(2.61) AC_CONFIG_HEADERS([include/autoconf.h]) AC_CONFIG_AUX_DIR(cfgaux) diff -u -r -N squid-3.1.6/include/version.h squid-3.1.7/include/version.h --- squid-3.1.6/include/version.h 2010-08-02 02:03:14.000000000 +1200 +++ squid-3.1.7/include/version.h 2010-08-24 17:43:37.000000000 +1200 @@ -9,7 +9,7 @@ */ #ifndef SQUID_RELEASE_TIME -#define SQUID_RELEASE_TIME 1280671275 +#define SQUID_RELEASE_TIME 1282628458 #endif #ifndef APP_SHORTNAME diff -u -r -N squid-3.1.6/libltdl/libltdl/lt_dlloader.h squid-3.1.7/libltdl/libltdl/lt_dlloader.h --- squid-3.1.6/libltdl/libltdl/lt_dlloader.h 2010-08-02 02:02:22.000000000 +1200 +++ squid-3.1.7/libltdl/libltdl/lt_dlloader.h 2010-08-24 17:42:13.000000000 +1200 @@ -31,7 +31,7 @@ #if !defined(LT_DLLOADER_H) #define LT_DLLOADER_H 1 -#include +#include "libltdl/lt_system.h" LT_BEGIN_C_DECLS diff -u -r -N squid-3.1.6/libltdl/libltdl/lt_error.h squid-3.1.7/libltdl/libltdl/lt_error.h --- squid-3.1.6/libltdl/libltdl/lt_error.h 2010-08-02 02:02:22.000000000 +1200 +++ squid-3.1.7/libltdl/libltdl/lt_error.h 2010-08-24 17:42:13.000000000 +1200 
@@ -32,7 +32,7 @@ #if !defined(LT_ERROR_H) #define LT_ERROR_H 1 -#include +#include "libltdl/lt_system.h" LT_BEGIN_C_DECLS diff -u -r -N squid-3.1.6/libltdl/libltdl/slist.h squid-3.1.7/libltdl/libltdl/slist.h --- squid-3.1.6/libltdl/libltdl/slist.h 2010-08-02 02:02:22.000000000 +1200 +++ squid-3.1.7/libltdl/libltdl/slist.h 2010-08-24 17:42:13.000000000 +1200 @@ -42,8 +42,8 @@ #define SLIST_H 1 #if defined(LTDL) -# include -# include +# include "libltdl/lt__glibc.h" +# include "libltdl/lt_system.h" #else # define LT_SCOPE #endif diff -u -r -N squid-3.1.6/RELEASENOTES.html squid-3.1.7/RELEASENOTES.html --- squid-3.1.6/RELEASENOTES.html 2010-08-02 02:28:51.000000000 +1200 +++ squid-3.1.7/RELEASENOTES.html 2010-08-24 18:21:00.000000000 +1200 @@ -1,11 +1,11 @@ - - Squid 3.1.6 release notes + + Squid 3.1.7 release notes -

Squid 3.1.6 release notes

+

Squid 3.1.7 release notes

Squid Developers


@@ -70,7 +70,7 @@

1. Notice

-

The Squid Team are pleased to announce the release of Squid-3.1.6

+

The Squid Team are pleased to announce the release of Squid-3.1.7

This new release is available for download from http://www.squid-cache.org/Versions/v3/3.1/ or the mirrors.

@@ -241,7 +241,7 @@
  • permit IPv6 server connection provided tcp_outgoing_address has been configured (see below).
  • -

    NOTE: SNMP, ICP and HTCP are not yet opening double ports so they will only run as IPv4-only or IPv6-only.

    +

    NOTE: ICAP, SNMP, ICP and HTCP are not yet opening double ports so they will only run as IPv4-only or IPv6-only.

    Specify a specific tcp_outgoing_address and the clients who match its ACL are limited to the IPv4 or IPv6 network that address belongs to. They are not permitted over the @@ -1033,8 +1033,8 @@

    ssl_bump

    New Access control for which CONNECT requests to an http_port -marked with an sslBump flag are actually "bumped". Please -see the sslBump flag of an http_port option for more details +marked with an ssl-bump flag are actually "bumped". Please +see the ssl-bump flag of an http_port option for more details about decoding proxied SSL connections. DEFAULT: No requests are bumped.

    @@ -1288,7 +1288,7 @@
     

    -
    http_port transparent intercept sslbump connection-auth[=on|off] ignore-cc
    +
    http_port transparent intercept ssl-bump connection-auth[=on|off] ignore-cc

    Option 'transparent' is being deprecated in favour of 'intercept' which more clearly identifies what the option does. For now option 'tproxy' remains with old behaviour meaning fully-invisible proxy using TPROXY support.

    New port options @@ -1315,7 +1315,7 @@ Warning: This option violates HTTP specifications if used in non-accelerator setups. - sslBump Intercept each CONNECT request matching ssl_bump ACL, + ssl-bump Intercept each CONNECT request matching ssl_bump ACL, establish secure connection with the client and with the server, decrypt HTTP messages as they pass through Squid, and treat them as unencrypted HTTP messages, @@ -1329,12 +1329,12 @@ for more information on these options. The ssl_bump option is required to fully enable - the SslBump feature. + the SSL Bump feature.

    -
    https_port intercept sslbump connection-auth[=on|off]
    +
    https_port intercept ssl-bump connection-auth[=on|off]

    New port options. see http_port.

    icap_service bypass=on|off|1|0 routing=on|off|1|0
    @@ -1361,7 +1361,7 @@ should have the same method and vectoring point as the current ICAP transaction. Services violating these rules are ignored. An empty X-Next-Services value results in an empty plan which - ends the current adaptation. + ends the current adaptation. Routing is not allowed by default: the ICAP X-Next-Services response header is ignored. diff -u -r -N squid-3.1.6/src/adaptation/icap/Xaction.cc squid-3.1.7/src/adaptation/icap/Xaction.cc --- squid-3.1.6/src/adaptation/icap/Xaction.cc 2010-08-02 02:01:37.000000000 +1200 +++ squid-3.1.7/src/adaptation/icap/Xaction.cc 2010-08-24 17:41:27.000000000 +1200 @@ -13,6 +13,7 @@ #include "pconn.h" #include "HttpRequest.h" #include "HttpReply.h" +#include "ip/tools.h" #include "acl/FilledChecklist.h" #include "icap_log.h" #include "fde.h" @@ -116,6 +117,15 @@ disableRetries(); // we only retry pconn failures IpAddress outgoing; + if (!Ip::EnableIpv6 && !outgoing.SetIPv4()) { + debugs(31, DBG_CRITICAL, "ERROR: IPv6 is disabled. " << outgoing << " is not an IPv4 address."); + dieOnConnectionFailure(); // throws + } + /* split-stack for now requires default IPv4-only socket */ + if (Ip::EnableIpv6&IPV6_SPECIAL_SPLITSTACK && outgoing.IsAnyAddr() && !s.cfg().ipv6) { + outgoing.SetIPv4(); + } + connection = comm_open(SOCK_STREAM, 0, outgoing, COMM_NONBLOCKING, s.cfg().uri.termedBuf()); diff -u -r -N squid-3.1.6/src/adaptation/Makefile.am squid-3.1.7/src/adaptation/Makefile.am --- squid-3.1.6/src/adaptation/Makefile.am 2010-08-02 02:01:38.000000000 +1200 +++ squid-3.1.7/src/adaptation/Makefile.am 2010-08-24 17:41:27.000000000 +1200 
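Review bot: The IPv6-disabled branch relies on `dieOnConnectionFailure()` never returning, as its `// throws` comment says; should that helper ever return normally, execution continues into `comm_open` with the very address the check just rejected, so a `return;` after the call (or an assertion that it cannot be reached) would make the intent explicit. The same "IPv6 disabled → force IPv4, split-stack → prefer IPv4" selection is added again in the `neighbors.cc` hunk of this patch and already exists in `forward.cc`, so a single helper in `ip/tools` would keep the three sites in step. Minor: `Ip::EnableIpv6&IPV6_SPECIAL_SPLITSTACK` reads better as `Ip::EnableIpv6 & IPV6_SPECIAL_SPLITSTACK`. The enclosing method starts and ends outside the hunk.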
@@ -12,6 +12,11 @@ SUBDIRS += ecap endif +if USE_LOADABLE_MODULES +## LTDL headers require their local include path... +INCLUDES += $(INCLTDL) +endif + noinst_LTLIBRARIES = libadaptation.la ## start with the code shared among all adaptation schemes diff -u -r -N squid-3.1.6/src/adaptation/Makefile.in squid-3.1.7/src/adaptation/Makefile.in --- squid-3.1.6/src/adaptation/Makefile.in 2010-08-02 02:02:37.000000000 +1200 +++ squid-3.1.7/src/adaptation/Makefile.in 2010-08-24 17:42:38.000000000 +1200 @@ -37,6 +37,7 @@ check_PROGRAMS = @USE_ICAP_CLIENT_TRUE@am__append_1 = icap @USE_ECAP_TRUE@am__append_2 = ecap +@USE_LOADABLE_MODULES_TRUE@am__append_3 = $(INCLTDL) subdir = src/adaptation ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/acinclude.m4 \ @@ -289,13 +290,8 @@ AM_CXXFLAGS = $(SQUID_CXXFLAGS) CLEANFILES = testHeaders TESTS = testHeaders -INCLUDES = \ - -I$(top_srcdir) \ - -I$(top_srcdir)/include \ - -I$(top_srcdir)/src \ - -I$(top_builddir)/include \ - $(SQUID_CPPUNIT_INC) - +INCLUDES = -I$(top_srcdir) -I$(top_srcdir)/include -I$(top_srcdir)/src \ + -I$(top_builddir)/include $(SQUID_CPPUNIT_INC) $(am__append_3) SUBDIRS = $(am__append_1) $(am__append_2) noinst_LTLIBRARIES = libadaptation.la libadaptation_la_SOURCES = \ diff -u -r -N squid-3.1.6/src/adaptation/ServiceConfig.cc squid-3.1.7/src/adaptation/ServiceConfig.cc --- squid-3.1.6/src/adaptation/ServiceConfig.cc 2010-08-02 02:01:38.000000000 +1200 +++ squid-3.1.7/src/adaptation/ServiceConfig.cc 2010-08-24 17:41:27.000000000 +1200 @@ -5,10 +5,11 @@ #include "squid.h" #include "ConfigParser.h" #include "adaptation/ServiceConfig.h" +#include "ip/tools.h" Adaptation::ServiceConfig::ServiceConfig(): port(-1), method(methodNone), point(pointNone), - bypass(false), routing(false) + bypass(false), routing(false), ipv6(false) {} const char * 
@@ -93,7 +94,11 @@ grokked = grokBool(bypass, name, value); else if (strcmp(name, "routing") == 0) grokked = grokBool(routing, name, value); - else { + else if (strcmp(name, "ipv6") == 0) { + grokked = grokBool(ipv6, name, value); + if (grokked && ipv6 && !Ip::EnableIpv6) + debugs(3, DBG_IMPORTANT, "WARNING: IPv6 is disabled. ICAP service option ignored."); + } else { debugs(3, 0, cfg_filename << ':' << config_lineno << ": " << "unknown adaptation service option: " << name << '=' << value); } diff -u -r -N squid-3.1.6/src/adaptation/ServiceConfig.h squid-3.1.7/src/adaptation/ServiceConfig.h --- squid-3.1.6/src/adaptation/ServiceConfig.h 2010-08-02 02:01:37.000000000 +1200 +++ squid-3.1.7/src/adaptation/ServiceConfig.h 2010-08-24 17:41:25.000000000 +1200 @@ -33,6 +33,7 @@ VectPoint point; // where the adaptation happens (pre- or post-cache) bool bypass; bool routing; ///< whether this service may determine the next service(s) + bool ipv6; ///< whether this service uses IPv6 transport (default IPv4) protected: Method parseMethod(const char *buf) const; diff -u -r -N squid-3.1.6/src/auth/negotiate/auth_negotiate.cc squid-3.1.7/src/auth/negotiate/auth_negotiate.cc --- squid-3.1.6/src/auth/negotiate/auth_negotiate.cc 2010-08-02 02:01:39.000000000 +1200 +++ squid-3.1.7/src/auth/negotiate/auth_negotiate.cc 2010-08-24 17:41:25.000000000 +1200 @@ -144,7 +144,7 @@ } -AuthNegotiateConfig::AuthNegotiateConfig() : authenticateChildren(5), keep_alive(1) +AuthNegotiateConfig::AuthNegotiateConfig() : authenticateChildren(5), keep_alive(0) { } void diff -u -r -N squid-3.1.6/src/auth/ntlm/auth_ntlm.cc squid-3.1.7/src/auth/ntlm/auth_ntlm.cc --- squid-3.1.6/src/auth/ntlm/auth_ntlm.cc 2010-08-02 02:01:38.000000000 +1200 +++ squid-3.1.7/src/auth/ntlm/auth_ntlm.cc 2010-08-24 17:41:25.000000000 +1200 
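Review bot: The `ipv6` branch warns that the option is ignored when `!Ip::EnableIpv6` but leaves `ipv6` set to true, so the stored configuration no longer matches what the log says. Resetting it after the message, `ipv6 = false;`, lets every reader of `cfg().ipv6` see the effective value instead of re-checking `Ip::EnableIpv6` itself. The `Xaction.cc` change in this same patch only consults `cfg().ipv6` inside the split-stack branch, so this is harmless today but a trap for the next consumer. The enclosing parse method continues outside the hunk.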
@@ -126,7 +126,7 @@ } -AuthNTLMConfig::AuthNTLMConfig() : authenticateChildren(5), keep_alive(1) +AuthNTLMConfig::AuthNTLMConfig() : authenticateChildren(5), keep_alive(0) { } void diff -u -r -N squid-3.1.6/src/cache_cf.cc squid-3.1.7/src/cache_cf.cc --- squid-3.1.6/src/cache_cf.cc 2010-08-02 02:01:37.000000000 +1200 +++ squid-3.1.7/src/cache_cf.cc 2010-08-24 17:41:25.000000000 +1200 @@ -2327,6 +2327,16 @@ i = GetInteger(); /* token: min */ + /* catch negative and insanely huge values close to 32-bit wrap */ + if (i < 0) { + debugs(3, DBG_IMPORTANT, "WARNING: refresh_pattern minimum age negative. Cropped back to zero."); + i = 0; + } + if (i > 60*24*365) { + debugs(3, DBG_IMPORTANT, "WARNING: refresh_pattern minimum age too high. Cropped back to 1 year."); + i = 60*24*365; + } + min = (time_t) (i * 60); /* convert minutes to seconds */ i = GetInteger(); /* token: pct */ @@ -2335,6 +2345,16 @@ i = GetInteger(); /* token: max */ + /* catch negative and insanely huge values close to 32-bit wrap */ + if (i < 0) { + debugs(3, DBG_IMPORTANT, "WARNING: refresh_pattern maximum age negative. Cropped back to zero."); + i = 0; + } + if (i > 60*24*365) { + debugs(3, DBG_IMPORTANT, "WARNING: refresh_pattern maximum age too high. Cropped back to 1 year."); + i = 60*24*365; + } + max = (time_t) (i * 60); /* convert minutes to seconds */ /* Options */ 
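Review bot: In the `cache_cf.cc` hunks the clamp added before the `min` conversion is repeated verbatim for `max` with only the word in the warning changed, and the one-year bound `60*24*365` appears four times as a bare expression. A small static helper that returns the cropped value and emits the two warnings, with the limit as a named constant, keeps both sites identical and documents that the cap is what actually prevents the 32-bit wrap mentioned in the ChangeLog (`i * 60` with `i <= 525600` stays far below INT_MAX). The enclosing parser function starts and ends outside the hunk.
```cpp
/// Crop a refresh_pattern age given in minutes into [0, one year], warning on each correction.
static int
clampRefreshMinutes(int minutes, const char *which)
{
    static const int oneYearMinutes = 60*24*365; // keeps minutes*60 well inside a 32-bit int
    if (minutes < 0) {
        debugs(3, DBG_IMPORTANT, "WARNING: refresh_pattern " << which << " age negative. Cropped back to zero.");
        return 0;
    }
    if (minutes > oneYearMinutes) {
        debugs(3, DBG_IMPORTANT, "WARNING: refresh_pattern " << which << " age too high. Cropped back to 1 year.");
        return oneYearMinutes;
    }
    return minutes;
}

// … unchanged: refresh_pattern parsing up to the min token …
    i = clampRefreshMinutes(GetInteger(), "minimum");   /* token: min */
    min = (time_t) (i * 60);    /* convert minutes to seconds */
// … unchanged: pct token …
    i = clampRefreshMinutes(GetInteger(), "maximum");   /* token: max */
    max = (time_t) (i * 60);    /* convert minutes to seconds */
```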
@@ -3136,7 +3156,11 @@ } else if (strncmp(token, "sslcontext=", 11) == 0) { safe_free(s->sslcontext); s->sslcontext = xstrdup(token + 11); - } else if (strcmp(token, "sslBump") == 0) { + } else if (strcasecmp(token, "sslBump") == 0) { + debugs(3, DBG_CRITICAL, "WARNING: '" << token << "' is deprecated " << + "in http_port. Use 'ssl-bump' instead."); + s->sslBump = 1; // accelerated when bumped, otherwise not + } else if (strcmp(token, "ssl-bump") == 0) { s->sslBump = 1; // accelerated when bumped, otherwise not #endif } else { diff -u -r -N squid-3.1.6/src/cf.data.pre squid-3.1.7/src/cf.data.pre --- squid-3.1.6/src/cf.data.pre 2010-08-02 02:01:38.000000000 +1200 +++ squid-3.1.7/src/cf.data.pre 2010-08-24 17:41:26.000000000 +1200 @@ -265,12 +265,12 @@ auth_param ntlm children 5 "keep_alive" on|off - If you experience problems with PUT/POST requests when using the - Negotiate authentication scheme then you can try setting this to - off. This will cause Squid to forcibly close the connection on - the initial requests where the browser asks which schemes are - supported by the proxy. - + Whether to keep the connection open after the initial response where + Squid tells the browser which schemes are supported by the proxy. + Some browsers are known to present many login popups or to corrupt + POST/PUT requests transfer if the connection is not closed. + The default is currently OFF to avoid this, but may change. + auth_param ntlm keep_alive on === Options for configuring the NEGOTIATE auth-scheme follow === 
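Review bot: The deprecated spelling is matched with `strcasecmp(token, "sslBump")` while the replacement is matched with `strcmp(token, "ssl-bump")`, so `sslbump` (the form the release notes on this page print for the old syntax) is accepted but `SSL-Bump` is rejected as unknown; if case-insensitivity is wanted for one spelling it should apply to both, `} else if (strcasecmp(token, "ssl-bump") == 0) {`. The deprecation notice is also logged at `DBG_CRITICAL` for what is a still-working alias, whereas the other new configuration warnings in this patch use `DBG_IMPORTANT`. The enclosing option loop continues outside the hunk.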
@@ -299,15 +299,15 @@ auth_param negotiate children 5 "keep_alive" on|off - If you experience problems with PUT/POST requests when using the - Negotiate authentication scheme then you can try setting this to - off. This will cause Squid to forcibly close the connection on - the initial requests where the browser asks which schemes are - supported by the proxy. - + Whether to keep the connection open after the initial response where + Squid tells the browser which schemes are supported by the proxy. + Some browsers are known to present many login popups or to corrupt + POST/PUT requests transfer if the connection is not closed. + The default is currently OFF to avoid this, but may change. + auth_param negotiate keep_alive on - + Examples: #Recommended minimum configuration per scheme: @@ -1157,7 +1157,7 @@ sporadically hang or never complete requests set disable-pmtu-discovery option to 'transparent'. - sslBump Intercept each CONNECT request matching ssl_bump ACL, + ssl-bump Intercept each CONNECT request matching ssl_bump ACL, establish secure connection with the client and with the server, decrypt HTTP messages as they pass through Squid, and treat them as unencrypted HTTP messages, @@ -1650,6 +1650,10 @@ when using encrypted SSL certificate keys. If not specified keys must either be unencrypted, or Squid started with the -N option to allow it to query interactively for the passphrase. + + The key file name is given as argument to the program allowing + selection of the right password if you have multiple encrypted + keys. DOC_END COMMENT_START 
@@ -2233,10 +2237,10 @@ Instead, if you want Squid to use the entire disk drive, subtract 20% and use that value. - 'Level-1' is the number of first-level subdirectories which + 'L1' is the number of first-level subdirectories which will be created under the 'Directory'. The default is 16. - 'Level-2' is the number of second-level subdirectories which + 'L2' is the number of second-level subdirectories which will be created under each first-level directory. The default is 256. @@ -3743,7 +3747,6 @@ request_header_access Retry-After allow all request_header_access Title allow all request_header_access Connection allow all - request_header_access Proxy-Connection allow all request_header_access All deny all although many of those are HTTP reply headers, and so should be @@ -3819,7 +3822,6 @@ reply_header_access Retry-After allow all reply_header_access Title allow all reply_header_access Connection allow all - reply_header_access Proxy-Connection allow all reply_header_access All deny all although the HTTP request headers won't be usefully controlled @@ -5794,6 +5796,11 @@ Routing is not allowed by default: the ICAP X-Next-Services response header is ignored. + ipv6=on|off + Only has effect on split-stack systems. The default on those systems + is to use IPv4-only connections. When set to 'on' this option will + make Squid use IPv6-only connections to contact this ICAP service. + Older icap_service format without optional named parameters is deprecated but supported for backward compatibility. diff -u -r -N squid-3.1.6/src/client_side.cc squid-3.1.7/src/client_side.cc --- squid-3.1.6/src/client_side.cc 2010-08-02 02:01:37.000000000 +1200 +++ squid-3.1.7/src/client_side.cc 2010-08-24 17:41:27.000000000 +1200 
@@ -704,10 +704,7 @@ debugs(33, 3, "clientSetKeepaliveFlag: method = " << RequestMethodStr(request->method)); - /* We are HTTP/1.0 facing clients still */ - HttpVersion http_ver(1,0); - - if (httpMsgIsPersistent(http_ver, req_hdr)) + if (httpMsgIsPersistent(request->http_ver, req_hdr)) request->flags.proxy_keepalive = 1; } diff -u -r -N squid-3.1.6/src/client_side_reply.cc squid-3.1.7/src/client_side_reply.cc --- squid-3.1.6/src/client_side_reply.cc 2010-08-02 02:01:37.000000000 +1200 +++ squid-3.1.7/src/client_side_reply.cc 2010-08-24 17:41:27.000000000 +1200 @@ -1405,9 +1405,8 @@ hdr->delById(HDR_VIA); hdr->putStr(HDR_VIA, strVia.termedBuf()); } - /* Signal keep-alive if needed */ - hdr->putStr( (http->flags.accel || http->flags.intercepted)? HDR_CONNECTION : HDR_PROXY_CONNECTION, - request->flags.proxy_keepalive ? "keep-alive" : "close"); + /* Signal keep-alive or close explicitly */ + hdr->putStr(HDR_CONNECTION, request->flags.proxy_keepalive ? "keep-alive" : "close"); #if ADD_X_REQUEST_URI /* diff -u -r -N squid-3.1.6/src/dns_internal.cc squid-3.1.7/src/dns_internal.cc --- squid-3.1.6/src/dns_internal.cc 2010-08-02 02:01:37.000000000 +1200 +++ squid-3.1.7/src/dns_internal.cc 2010-08-24 17:41:25.000000000 +1200 @@ -201,10 +201,15 @@ if (A.IsAnyAddr()) { debugs(78, 0, "WARNING: Squid does not accept " << A << " in DNS server specifications."); - A = "127.0.0.1"; + A.SetLocalhost(); debugs(78, 0, "Will be using " << A << " instead, assuming you meant that DNS is running on the same machine"); } + if (!Ip::EnableIpv6 && !A.SetIPv4()) { + debugs(78, DBG_IMPORTANT, "WARNING: IPv6 is disabled. Discarding " << A << " in DNS server specifications."); + return; + } + if (nns == nns_alloc) { int oldalloc = nns_alloc; ns *oldptr = nameservers; 
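Review bot: In the `client_side_reply.cc` hunk, `hdr->putStr(HDR_CONNECTION, ...)` adds a Connection header without first removing one that may already be present, whereas the Via handling two lines above does `hdr->delById(HDR_VIA)` before its `putStr`. If a hop-by-hop `Connection` from the origin or peer can survive to this point (the header cleanup is not on this page, so I cannot tell), the client would receive two Connection headers with possibly conflicting tokens; `hdr->delById(HDR_CONNECTION);` before the `putStr` removes the doubt. Dropping `Proxy-Connection` here for non-accelerated clients is consistent with the `http.cc` and `HttpHeaderTools.cc` hunks of this patch. The enclosing function starts and ends outside the hunk.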
@@ -742,6 +747,12 @@ else addr = Config.Addrs.udp_incoming; + if (nameservers[ns].S.IsIPv4() && !addr.SetIPv4()) { + debugs(31, DBG_CRITICAL, "ERROR: Cannot contact DNS nameserver " << nameservers[ns].S << " from " << addr); + addr.SetAnyAddr(); + addr.SetIPv4(); + } + vc->queue = new MemBuf; vc->msg = new MemBuf; @@ -832,14 +843,16 @@ } while ( (x<0 && y<0) && q->nsends % nns != 0); - if (y >= 0) { - fd_bytes(DnsSocketB, y, FD_WRITE); - commSetSelect(DnsSocketB, COMM_SELECT_READ, idnsRead, NULL, 0); - } + if (!q->need_vc) { + if (y >= 0) { + fd_bytes(DnsSocketB, y, FD_WRITE); + commSetSelect(DnsSocketB, COMM_SELECT_READ, idnsRead, NULL, 0); + } - if (x >= 0) { - fd_bytes(DnsSocketA, x, FD_WRITE); - commSetSelect(DnsSocketA, COMM_SELECT_READ, idnsRead, NULL, 0); + if (x >= 0) { + fd_bytes(DnsSocketA, x, FD_WRITE); + commSetSelect(DnsSocketA, COMM_SELECT_READ, idnsRead, NULL, 0); + } } nameservers[ns].nqueries++; diff -u -r -N squid-3.1.6/src/forward.cc squid-3.1.7/src/forward.cc --- squid-3.1.6/src/forward.cc 2010-08-02 02:01:37.000000000 +1200 +++ squid-3.1.7/src/forward.cc 2010-08-24 17:41:27.000000000 +1200 @@ -870,9 +870,9 @@ // if IPv6 is disabled try to force IPv4-only outgoing. if (!Ip::EnableIpv6 && !outgoing.SetIPv4()) { - debugs(50, 4, "fwdConnectStart: " << xstrerror()); + debugs(50, 4, "fwdConnectStart: IPv6 is Disabled. Cannot connect from " << outgoing); ErrorState *anErr = errorCon(ERR_CONNECT_FAIL, HTTP_SERVICE_UNAVAILABLE, request); - anErr->xerrno = errno; + anErr->xerrno = EAFNOSUPPORT; fail(anErr); self = NULL; // refcounted return; diff -u -r -N squid-3.1.6/src/gopher.cc squid-3.1.7/src/gopher.cc --- squid-3.1.6/src/gopher.cc 2010-08-02 02:01:39.000000000 +1200 +++ squid-3.1.7/src/gopher.cc 2010-08-24 17:41:27.000000000 +1200 
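Review bot: When `addr.SetIPv4()` fails for an IPv4 nameserver, the new log line says `ERROR: Cannot contact DNS nameserver ...`, yet the code then forces `addr` to the IPv4 wildcard and proceeds to contact it, so the message describes a failure that does not occur. Reword it to state the fallback, e.g. `"WARNING: " << addr << " cannot reach IPv4 nameserver " << nameservers[ns].S << ". Using the IPv4 wildcard address instead."`, at `DBG_IMPORTANT` rather than `DBG_CRITICAL` since the query still goes out. Replacing a configured `udp_outgoing`/`udp_incoming` source with the wildcard also silently changes which local address the query leaves from, which deserves a comment for operators who pinned that address deliberately. The enclosing function starts and ends outside the hunk.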
@@ -892,7 +892,7 @@ ErrorState *err; err = errorCon(ERR_WRITE_ERROR, HTTP_SERVICE_UNAVAILABLE, gopherState->fwd->request); err->xerrno = errno; - err->port = gopherState->req->port; + err->port = gopherState->fwd->request->port; err->url = xstrdup(entry->url()); gopherState->fwd->fail(err); comm_close(fd); diff -u -r -N squid-3.1.6/src/http.cc squid-3.1.7/src/http.cc --- squid-3.1.6/src/http.cc 2010-08-02 02:01:39.000000000 +1200 +++ squid-3.1.7/src/http.cc 2010-08-24 17:41:26.000000000 +1200 @@ -1720,11 +1720,7 @@ /* maybe append Connection: keep-alive */ if (flags.keepalive) { - if (flags.proxying) { - hdr_out->putStr(HDR_PROXY_CONNECTION, "keep-alive"); - } else { - hdr_out->putStr(HDR_CONNECTION, "keep-alive"); - } + hdr_out->putStr(HDR_CONNECTION, "keep-alive"); } /* append Front-End-Https */ @@ -1870,12 +1866,13 @@ break; - case HDR_PROXY_CONNECTION: + case HDR_PROXY_CONNECTION: // SHOULD ignore. But doing so breaks things. + break; case HDR_X_FORWARDED_FOR: case HDR_CACHE_CONTROL: - /** \par Proxy-Connaction:, X-Forwarded-For:, Cache-Control: + /** \par X-Forwarded-For:, Cache-Control: * handled specially by Squid, so leave off for now. * append these after the loop if needed */ break; diff -u -r -N squid-3.1.6/src/HttpHdrCc.cc squid-3.1.7/src/HttpHdrCc.cc --- squid-3.1.6/src/HttpHdrCc.cc 2010-08-02 02:01:37.000000000 +1200 +++ squid-3.1.7/src/HttpHdrCc.cc 2010-08-24 17:41:27.000000000 +1200 
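Review bot: The new comment on the `HDR_PROXY_CONNECTION` case in `http.cc`, `// SHOULD ignore. But doing so breaks things.`, does not say what breaks, and a reader cannot tell whether the `break` means the header is forwarded untouched or left out; the neighbouring comment ("leave off for now") indicates it is left out, while the `HttpHeaderTools.cc` hunk of this patch still honours it on input under `HTTP_VIOLATIONS`. Suggest naming the failure mode, e.g. `// Not copied to the outgoing request: Squid emits its own Connection header above. RFC 2616 has no Proxy-Connection; it is still honoured on input under HTTP_VIOLATIONS (httpHeaderHasConnDir) because <describe the client/peer that breaks>.` The enclosing switch and function extend outside the hunk.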
@@ -138,18 +138,17 @@ type = CC_OTHER; } + // ignore known duplicate directives if (EBIT_TEST(cc->mask, type)) { - if (type != CC_OTHER) + if (type != CC_OTHER) { debugs(65, 2, "hdr cc: ignoring duplicate cache-directive: near '" << item << "' in '" << str << "'"); - - CcFieldsInfo[type].stat.repCount++; - - continue; + CcFieldsInfo[type].stat.repCount++; + continue; + } + } else { + EBIT_SET(cc->mask, type); } - /* update mask */ - EBIT_SET(cc->mask, type); - /* post-processing special cases */ switch (type) { diff -u -r -N squid-3.1.6/src/HttpHdrRange.cc squid-3.1.7/src/HttpHdrRange.cc --- squid-3.1.6/src/HttpHdrRange.cc 2010-08-02 02:01:37.000000000 +1200 +++ squid-3.1.7/src/HttpHdrRange.cc 2010-08-24 17:41:27.000000000 +1200 @@ -98,7 +98,7 @@ } else /* must have a '-' somewhere in _this_ field */ if (!((p = strchr(field, '-')) || (p - field >= flen))) { - debugs(64, 2, "ignoring invalid (missing '-') range-spec near: '" << field << "'"); + debugs(64, 2, "invalid (missing '-') range-spec near: '" << field << "'"); return false; } else { if (!httpHeaderParseOffset(field, &offset)) @@ -113,18 +113,18 @@ if (!httpHeaderParseOffset(p, &last_pos)) return false; + // RFC 2616 s14.35.1 MUST: last-byte-pos >= first-byte-pos + if (last_pos < offset) { + debugs(64, 2, "invalid (last-byte-pos < first-byte-pos) range-spec near: " << field); + return false; + } + HttpHdrRangeSpec::HttpRange aSpec (offset, last_pos + 1); length = aSpec.size(); } } - /* we managed to parse, check if the result makes sence */ - if (length == 0) { - debugs(64, 2, "ignoring invalid (zero length) range-spec near: '" << field << "'"); - return false; - } - return true; } @@ -248,7 +248,6 @@ const char *item; const char *pos = NULL; int ilen; - int count = 0; assert(this && range_spec); ++ParsedCount; debugs(64, 8, "parsing range field: '" << range_spec << "'"); 
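Review bot: The restructured duplicate handling now lets a repeated `CC_OTHER` directive fall through to the post-processing switch instead of being counted in `repCount` and skipped as before, but the only comment, `// ignore known duplicate directives`, does not say that unknown ones are deliberately kept (the ChangeLog's "Forward multiple unknown Cache-Control directives"). Suggest `// ignore duplicates of known directives; CC_OTHER is shared by every unknown directive, so those are kept and not counted as repeats` on that line so the next reader can connect the two. The enclosing loop and function extend outside the hunk.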
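Review bot: The condition on the context line above the changed message, `if (!((p = strchr(field, '-')) || (p - field >= flen)))`, evaluates `p - field` only when `strchr` returned NULL, so the length test never runs on a real pointer and the arithmetic on a null pointer is undefined; the intent is presumably `if (!(p = strchr(field, '-')) || (p - field >= flen)) {`. Since this hunk already touches the line below and `field` is request-header data, it is a good moment to correct the test rather than only the log text. The enclosing parse function starts and ends outside the hunk.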
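Review bot: The removed `length == 0` check also covered the suffix form handled in the branch above this hunk, so a spec whose suffix-length is zero is no longer rejected here unless that branch does it, while the new `last_pos < offset` test only guards the `first-last` form; please confirm the suffix branch still yields a non-zero length, or keep a narrower `if (length == 0) return false;` after it. The new `debugs` prints `field` unquoted whereas the message in the same function quotes it (`'" << field << "'`); matching the quoting keeps the log greppable. The enclosing parse function starts and ends outside the hunk.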
@@ -264,19 +263,21 @@ while (strListGetItem(range_spec, ',', &item, &ilen, &pos)) { HttpHdrRangeSpec *spec = HttpHdrRangeSpec::Create(item, ilen); /* - * HTTP/1.1 draft says we must ignore the whole header field if one spec - * is invalid. However, RFC 2068 just says that we must ignore that spec. + * RFC 2616 section 14.35.1: MUST ignore Range with + * at least one syntactically invalid byte-range-specs. */ + if (!spec) { + while (!specs.empty()) + delete specs.pop_back(); + debugs(64, 2, "ignoring invalid range field: '" << range_spec << "'"); + break; + } - if (spec) - specs.push_back(spec); - - ++count; + specs.push_back(spec); } - debugs(64, 8, "parsed range range count: " << count << ", kept " << - specs.size()); - return specs.count != 0; + debugs(64, 8, "got range specs: " << specs.size()); + return !specs.empty(); } HttpHdrRange::~HttpHdrRange() diff -u -r -N squid-3.1.6/src/HttpHeaderTools.cc squid-3.1.7/src/HttpHeaderTools.cc --- squid-3.1.6/src/HttpHeaderTools.cc 2010-08-02 02:01:39.000000000 +1200 +++ squid-3.1.7/src/HttpHeaderTools.cc 2010-08-24 17:41:25.000000000 +1200 @@ -145,18 +145,18 @@ httpHeaderHasConnDir(const HttpHeader * hdr, const char *directive) { String list; - http_hdr_type ht; int res; /* what type of header do we have? */ +#if HTTP_VIOLATIONS if (hdr->has(HDR_PROXY_CONNECTION)) - ht = HDR_PROXY_CONNECTION; - else if (hdr->has(HDR_CONNECTION)) - ht = HDR_CONNECTION; + list = hdr->getList(HDR_PROXY_CONNECTION); else - return 0; - - list = hdr->getList(ht); +#endif + if (hdr->has(HDR_CONNECTION)) + list = hdr->getList(HDR_CONNECTION); + else + return 0; res = strListIsMember(&list, directive, ','); diff -u -r -N squid-3.1.6/src/ip/IpAddress.h squid-3.1.7/src/ip/IpAddress.h --- squid-3.1.6/src/ip/IpAddress.h 2010-08-02 02:01:37.000000000 +1200 +++ squid-3.1.7/src/ip/IpAddress.h 2010-08-24 17:41:27.000000000 +1200 
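Review bot: In the `HttpHeaderTools.cc` hunk the `else` that closes the `#if HTTP_VIOLATIONS` block binds across `#endif` to the `if (hdr->has(HDR_CONNECTION))` that follows, so the function parses differently depending on the preprocessor symbol and the indentation no longer shows the real control flow. Both configurations happen to be correct, but an unbraced `else` whose body is chosen by `#endif` is easy to break on the next edit; selecting the list with a flag makes each branch self-contained. The function continues past `res = strListIsMember(...)` outside the hunk.
```cpp
    String list;
    bool haveList = false;

    /* Proxy-Connection is non-standard; honour it only when violations are permitted */
#if HTTP_VIOLATIONS
    if (hdr->has(HDR_PROXY_CONNECTION)) {
        list = hdr->getList(HDR_PROXY_CONNECTION);
        haveList = true;
    }
#endif
    if (!haveList) {
        if (!hdr->has(HDR_CONNECTION))
            return 0;
        list = hdr->getList(HDR_CONNECTION);
    }

    // … unchanged: strListIsMember() and the rest of the function …
```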
@@ -238,7 +238,7 @@ \param force (optional) require the IPA in a specific format. \return pointer to buffer received. */ - char* NtoA(char *buf, unsigned int len, int force = AF_UNSPEC) const; + char* NtoA(char *buf, const unsigned int blen, int force = AF_UNSPEC) const; /** Return the ASCII equivalent of the address:port combination * Provides a URL formatted version of the content. diff -u -r -N squid-3.1.6/src/ip/tools.cc squid-3.1.7/src/ip/tools.cc --- squid-3.1.6/src/ip/tools.cc 2010-08-02 02:01:37.000000000 +1200 +++ squid-3.1.7/src/ip/tools.cc 2010-08-24 17:41:27.000000000 +1200 @@ -34,6 +34,9 @@ #include "Debug.h" #include "ip/tools.h" +#if HAVE_UNISTD_H +#include +#endif #if HAVE_SYS_SOCKET_H #include #endif @@ -59,6 +62,8 @@ } // Test for v4-mapping capability + // (AKA. the operating system supports RFC 3493 section 5.3) +#if defined(IPV6_V6ONLY) int tos = 0; if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, (char *) &tos, sizeof(int)) == 0) { debugs(3, 2, "Detected IPv6 hybrid or v4-mapping stack..."); @@ -67,6 +72,12 @@ debugs(3, 2, "Detected split IPv4 and IPv6 stacks ..."); EnableIpv6 |= IPV6_SPECIAL_SPLITSTACK; } +#else + // compliance here means they at least supply the option for compilers building code + // even if possibly to return hard-coded -1 on use. + debugs(3, 2, "Missing RFC 3493 compliance - attempting split IPv4 and IPv6 stacks ..."); + EnableIpv6 |= IPV6_SPECIAL_SPLITSTACK; +#endif close(s); debugs(3, 2, "IPv6 transport " << (EnableIpv6?"Enabled":"Disabled")); diff -u -r -N squid-3.1.6/src/Makefile.am squid-3.1.7/src/Makefile.am --- squid-3.1.6/src/Makefile.am 2010-08-02 02:01:39.000000000 +1200 +++ squid-3.1.7/src/Makefile.am 2010-08-24 17:41:26.000000000 +1200 
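Review bot: The renamed parameter in the `NtoA` declaration gains `const` on a by-value `unsigned int`, which is a definition-only detail that has no meaning in a prototype and only makes the header differ from callers' view of the signature; `char* NtoA(char *buf, unsigned int blen, int force = AF_UNSPEC) const;` is enough. The rename from `len` to `blen` is fine, but the Doxygen block above (only partly visible here) should be checked for a `\param len` entry that now names a parameter that no longer exists.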
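Review bot: In the `ip/tools.cc` hunk the `#else` comment, `compliance here means they at least supply the option for compilers building code even if possibly to return hard-coded -1 on use`, is hard to parse; what it appears to mean is that RFC 3493 support is judged at compile time by whether `IPV6_V6ONLY` is defined, while a defined option that fails at runtime is already handled by the `setsockopt` else-branch above. Suggest `// IPV6_V6ONLY undefined: RFC 3493 s5.3 is not even exposed at compile time, so assume the conservative split-stack mode. An option that is defined but fails at runtime is caught by the setsockopt() branch above.` The probing function may continue outside the hunk.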
@@ -558,7 +558,7 @@ unlinkd_SOURCES = unlinkd_daemon.cc SquidNew.cc -dnsserver_SOURCES = dnsserver.cc SquidNew.cc +dnsserver_SOURCES = dnsserver.cc SquidNew.cc stub_debug.cc recv_announce_SOURCES = recv-announce.cc SquidNew.cc ## What requires what.. diff -u -r -N squid-3.1.6/src/Makefile.in squid-3.1.7/src/Makefile.in --- squid-3.1.6/src/Makefile.in 2010-08-02 02:02:37.000000000 +1200 +++ squid-3.1.7/src/Makefile.in 2010-08-24 17:42:37.000000000 +1200 @@ -151,7 +151,8 @@ cf_gen_OBJECTS = $(am_cf_gen_OBJECTS) cf_gen_DEPENDENCIES = ../compat/libcompat.la $(am__DEPENDENCIES_1) \ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) -am_dnsserver_OBJECTS = dnsserver.$(OBJEXT) SquidNew.$(OBJEXT) +am_dnsserver_OBJECTS = dnsserver.$(OBJEXT) SquidNew.$(OBJEXT) \ + stub_debug.$(OBJEXT) dnsserver_OBJECTS = $(am_dnsserver_OBJECTS) dnsserver_LDADD = $(LDADD) dnsserver_DEPENDENCIES = $(COMMON_LIBS) $(am__DEPENDENCIES_1) \ @@ -1833,7 +1834,7 @@ # -all-static -dlopen self # unlinkd_SOURCES = unlinkd_daemon.cc SquidNew.cc -dnsserver_SOURCES = dnsserver.cc SquidNew.cc +dnsserver_SOURCES = dnsserver.cc SquidNew.cc stub_debug.cc recv_announce_SOURCES = recv-announce.cc SquidNew.cc ufsdump_SOURCES = \ ClientInfo.h \ @@ -3971,6 +3972,7 @@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/store_swapmeta.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/store_swapout.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/string_arrays.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stub_debug.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_tools.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/time.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tools.Po@am__quote@ diff -u -r -N squid-3.1.6/src/neighbors.cc squid-3.1.7/src/neighbors.cc --- squid-3.1.6/src/neighbors.cc 2010-08-02 02:01:38.000000000 +1200 +++ squid-3.1.7/src/neighbors.cc 2010-08-24 17:41:27.000000000 +1200 
@@ -46,6 +46,7 @@
 #include "Store.h"
 #include "icmp/net_db.h"
 #include "ip/IpAddress.h"
+#include "ip/tools.h"
 /* count mcast group peers every 15 minutes */
 #define MCAST_COUNT_RATE 900
@@ -1387,6 +1388,20 @@
 IpAddress temp(getOutgoingAddr(NULL,p));
+ // if IPv6 is disabled try to force IPv4-only outgoing.
+ if (!Ip::EnableIpv6 && !temp.SetIPv4()) {
+ debugs(50, DBG_IMPORTANT, "WARNING: IPv6 is disabled. Failed to use " << temp << " to probe " << p->host);
+ return ret;
+ }
+
+ // if IPv6 is split-stack, prefer IPv4
+ if (Ip::EnableIpv6&IPV6_SPECIAL_SPLITSTACK) {
+ // NP: This is not a great choice of default,
+ // but with the current Internet being IPv4-majority has a higher success rate.
+ // if setting to IPv4 fails we dont care, that just means to use IPv6 outgoing.
+ temp.SetIPv4();
+ }
+
 fd = comm_open(SOCK_STREAM, IPPROTO_TCP, temp, COMM_NONBLOCKING, p->host);
 if (fd < 0)
diff -u -r -N squid-3.1.6/src/tools.cc squid-3.1.7/src/tools.cc
--- squid-3.1.6/src/tools.cc 2010-08-02 02:01:37.000000000 +1200
+++ squid-3.1.7/src/tools.cc 2010-08-24 17:41:27.000000000 +1200
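Review bot: The IPv4-fallback block added here (from the `!Ip::EnableIpv6` check through `temp.SetIPv4()`) is repeated verbatim in the tunnel.cc hunk of this same patch, so the address-family policy and its "not a great choice of default" caveat now live in two places and their log levels already differ (DBG_IMPORTANT here, level 4 in tunnel.cc); moving it into one helper beside `Ip::EnableIpv6` in ip/tools and calling it from both sites would keep them from drifting further. Minor style: `Ip::EnableIpv6&IPV6_SPECIAL_SPLITSTACK` reads better as `Ip::EnableIpv6 & IPV6_SPECIAL_SPLITSTACK`, and "dont" in the comment should be "don't". The enclosing function and the `ret` returned on the failure path begin outside the hunk, so what the caller receives on that path is not visible here.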
@@ -627,43 +627,42 @@
 }
 sa.FreeAddrInfo(AI);
- debugs(50, 1, "WARNING: failed to resolve " << sa << " to a fully qualified hostname");
- } else {
- if (gethostname(host, SQUIDHOSTNAMELEN) < 0) {
- debugs(50, 1, "WARNING: gethostname failed: " << xstrerror());
- } else {
- /* Verify that the hostname given resolves properly */
- struct addrinfo hints;
- memset(&hints, 0, sizeof(addrinfo));
- hints.ai_flags = AI_CANONNAME;
-
- if (xgetaddrinfo(host, NULL, NULL, &AI) == 0) {
- /* DNS lookup successful */
- /* use the official name from DNS lookup */
- debugs(50, 6, "getMyHostname: '" << host << "' has rDNS.");
- present = 1;
-
- /* AYJ: do we want to flag AI_ALL and cache the result anywhere. ie as our local host IPs? */
- if (AI) {
- xfreeaddrinfo(AI);
- AI = NULL;
- }
+ debugs(50, 2, "WARNING: failed to resolve " << sa << " to a fully qualified hostname");
+ }
- return host;
+ // still no host. fallback to gethostname()
+ if (gethostname(host, SQUIDHOSTNAMELEN) < 0) {
+ debugs(50, DBG_IMPORTANT, "WARNING: gethostname failed: " << xstrerror());
+ } else {
+ /* Verify that the hostname given resolves properly */
+ struct addrinfo hints;
+ memset(&hints, 0, sizeof(addrinfo));
+ hints.ai_flags = AI_CANONNAME;
+
+ if (xgetaddrinfo(host, NULL, NULL, &AI) == 0) {
+ /* DNS lookup successful */
+ /* use the official name from DNS lookup */
+ debugs(50, 6, "getMyHostname: '" << host << "' has DNS resolution.");
+ present = 1;
+
+ /* AYJ: do we want to flag AI_ALL and cache the result anywhere. ie as our local host IPs? */
+ if (AI) {
+ xfreeaddrinfo(AI);
+ AI = NULL;
 }
- if (AI) xfreeaddrinfo(AI);
- debugs(50, 1, "WARNING: '" << host << "' rDNS test failed: " << xstrerror());
+ return host;
 }
+
+ if (AI) freeaddrinfo(AI);
+ debugs(50, DBG_IMPORTANT, "WARNING: '" << host << "' rDNS test failed: " << xstrerror());
 }
- /* throw a fatal configuration error when the Host/IP given has bad DNS/rDNS.
*/
- if (opt_send_signal == -1)
- fatal("Could not determine fully qualified hostname. Please set 'visible_hostname'\n");
- else
- return ("localhost");
+ /* throw a configuration error when the Host/IP given has bad DNS/rDNS. */
+ debugs(50, DBG_CRITICAL, "WARNING: Could not determine this machines public hostname. " <<
+ "Please configure one or set 'visible_hostname'.");
- return NULL; /* keep compiler happy */
+ return ("localhost");
 }
 const char *
diff -u -r -N squid-3.1.6/src/tunnel.cc squid-3.1.7/src/tunnel.cc
--- squid-3.1.6/src/tunnel.cc 2010-08-02 02:01:38.000000000 +1200
+++ squid-3.1.7/src/tunnel.cc 2010-08-24 17:41:26.000000000 +1200
@@ -46,6 +46,7 @@
 #include "client_side.h"
 #include "MemBuf.h"
 #include "http.h"
+#include "ip/tools.h"
 class TunnelStateData
 {
@@ -641,6 +642,24 @@
 statCounter.server.other.requests++;
 /* Create socket. */
 IpAddress temp = getOutgoingAddr(request,NULL);
+
+ // if IPv6 is disabled try to force IPv4-only outgoing.
+ if (!Ip::EnableIpv6 && !temp.SetIPv4()) {
+ debugs(50, 4, "tunnelStart: IPv6 is Disabled. Tunnel failed from " << temp);
+ ErrorState *anErr = errorCon(ERR_CONNECT_FAIL, HTTP_SERVICE_UNAVAILABLE, request);
+ anErr->xerrno = EAFNOSUPPORT;
+ errorSend(fd, anErr);
+ return;
+ }
+
+ // if IPv6 is split-stack, prefer IPv4
+ if (Ip::EnableIpv6&IPV6_SPECIAL_SPLITSTACK) {
+ // NP: This is not a great choice of default,
+ // but with the current Internet being IPv4-majority has a higher success rate.
+ // if setting to IPv4 fails we dont care, that just means to use IPv6 outgoing.
+ temp.SetIPv4();
+ }
+
 int flags = COMM_NONBLOCKING;
 if (request->flags.spoof_client_ip) {
 flags |= COMM_TRANSPARENT;
diff -u -r -N squid-3.1.6/tools/squidclient.cc squid-3.1.7/tools/squidclient.cc
--- squid-3.1.6/tools/squidclient.cc 2010-08-02 02:01:37.000000000 +1200
+++ squid-3.1.7/tools/squidclient.cc 2010-08-24 17:41:27.000000000 +1200
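Review bot: `if (AI) freeaddrinfo(AI);` in the new fallback releases the list with the raw libc call, while it was obtained from `xgetaddrinfo()` and the success path a few lines above frees it with `xfreeaddrinfo()`; use the matching wrapper, `if (AI) xfreeaddrinfo(AI);`. More importantly, the gethostname() fallback now runs after `sa.FreeAddrInfo(AI);` instead of in the `else` branch the old code had, so if FreeAddrInfo() does not null the pointer and `xgetaddrinfo()` fails without touching its result argument, that `if (AI)` frees an already-released list; reset it first with `AI = NULL; // released by sa.FreeAddrInfo() above` placed before the `// still no host` comment. The DBG_CRITICAL text also has a typo: "this machines public hostname" should be "this machine's public hostname". getMyHostname() begins outside the hunk, so where `AI` is declared and initialised is not visible here.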
@@ -434,17 +434,11 @@
 strcat(msg, buf);
 }
- /* HTTP/1.0 may need keep-alive */
- if (strcmp(version, "1.0") == 0) {
- if (keep_alive) {
- if (strchr(url, ':')) {
- snprintf(buf, BUFSIZ, "Proxy-Connection: keep-alive\r\n");
- strcat(msg, buf);
- } else
- strcat(msg, "Connection: keep-alive\r\n");
- }
- }
- /* HTTP/1.1 may need close */
+ /* HTTP/1.0 may need keep-alive explicitly */
+ if (strcmp(version, "1.0") == 0 && keep_alive)
+ strcat(msg, "Connection: keep-alive\r\n");
+
+ /* HTTP/1.1 may need close explicitly */
 if (!keep_alive)
 strcat(msg, "Connection: close\r\n");