- Added icap_service_failure_limit squid.conf option. The limit specifies the number of failures that Squid tolerates when establishing a new TCP connection with an ICAP service. If the number of failures exceeds the limit, the ICAP service is not used for new ICAP requests until it is time to refresh its OPTIONS. The per-service failure counter is reset to zero each time Squid fetches new service OPTIONS. A negative value disables the limit. The limit used to be hardcoded to 10. - Added icap_service_revival_delay squid.conf option. The delay specifies the number of seconds to wait after an ICAP OPTIONS request failure before requesting the options again. The failed ICAP service is considered "down" until fresh OPTIONS are fetched. The actual delay cannot be smaller than the [still] hardcoded minimum delay of 60 seconds. - Added icap_client_username_header and icap_client_username_encode squid.conf options to control how the authenticated client username should be sent to the ICAP service. - All of the above changes are based on the patch by Axel Westerhold. Index: CONTRIBUTORS =================================================================== RCS file: /cvsroot/squid/squid3/CONTRIBUTORS,v retrieving revision 1.7.8.3 diff -u -r1.7.8.3 CONTRIBUTORS --- CONTRIBUTORS 3 Oct 2006 05:24:00 -0000 1.7.8.3 +++ CONTRIBUTORS 14 Dec 2006 05:15:56 -0000 @@ -105,5 +105,6 @@ Mark Bergsma Tim Starling Tsantilas Christos + Axel Westerhold Duane Wessels Index: src/cf.data.pre =================================================================== RCS file: /cvsroot/squid/squid3/src/cf.data.pre,v retrieving revision 1.79.2.12 diff -u -r1.79.2.12 cf.data.pre --- src/cf.data.pre 18 Oct 2006 21:26:10 -0000 1.79.2.12 +++ src/cf.data.pre 14 Dec 2006 05:16:03 -0000 
@@ -4966,6 +4966,39 @@ If you want to enable the ICAP module support, set this to on. DOC_END +NAME: icap_service_failure_limit +TYPE: int +IFDEF: ICAP_CLIENT +LOC: TheICAPConfig.service_failure_limit +DEFAULT: 10 +DOC_START + The limit specifies the number of failures that Squid tolerates + when establishing a new TCP connection with an ICAP service. If + the number of failures exceeds the limit, the ICAP service is + not used for new ICAP requests until it is time to refresh its + OPTIONS. The per-service failure counter is reset to zero each + time Squid fetches new service OPTIONS. + + A negative value disables the limit. Without the limit, an ICAP + service will not be considered down due to connectivity failures + between ICAP OPTIONS requests. +DOC_END + +NAME: icap_service_revival_delay +TYPE: int +IFDEF: ICAP_CLIENT +LOC: TheICAPConfig.service_revival_delay +DEFAULT: 180 +DOC_START + The delay specifies the number of seconds to wait after an ICAP + OPTIONS request failure before requesting the options again. The + failed ICAP service is considered "down" until fresh OPTIONS are + fetched. + + The actual delay cannot be smaller than the hardcoded minimum + delay of 60 seconds. +DOC_END + NAME: icap_preview_enable TYPE: onoff IFDEF: ICAP_CLIENT 
@@ -5026,8 +5059,29 @@ LOC: TheICAPConfig.send_client_username DEFAULT: off DOC_START - This adds the header "X-Client-Username" to ICAP requests - if proxy access is authentified. + This sends authenticated HTTP client username (if available) to + the ICAP service. The username value is encoded based on the + icap_client_username_encode option and is sent using the header + specified by the icap_client_username_header option. +DOC_END + +NAME: icap_client_username_header +TYPE: string +IFDEF: ICAP_CLIENT +LOC: TheICAPConfig.client_username_header +DEFAULT: X-Client-Username +DOC_START + ICAP request header name to use for send_client_username. +DOC_END + +NAME: icap_client_username_encode +TYPE: onoff +IFDEF: ICAP_CLIENT +COMMENT: on|off +LOC: TheICAPConfig.client_username_encode +DEFAULT: off +DOC_START + Whether to base64 encode the authenticated client username. DOC_END NAME: icap_service Index: src/ICAP/ICAPConfig.h =================================================================== RCS file: /cvsroot/squid/squid3/src/ICAP/ICAPConfig.h,v retrieving revision 1.1.2.4 diff -u -r1.1.2.4 ICAPConfig.h --- src/ICAP/ICAPConfig.h 26 Oct 2006 06:07:18 -0000 1.1.2.4 +++ src/ICAP/ICAPConfig.h 14 Dec 2006 05:16:04 -0000 @@ -43,8 +43,6 @@ class ConfigParser; -class ICAPConfig; - class ICAPClass { @@ -102,6 +100,10 @@ int send_client_ip; int send_client_username; int reuse_connections; + int service_failure_limit; + int service_revival_delay; + char* client_username_header; + int client_username_encode; Vector services; Vector classes; @@ -126,4 +128,6 @@ }; +extern ICAPConfig TheICAPConfig; + #endif /* SQUID_ICAPCONFIG_H */ Index: src/ICAP/ICAPModXact.cc =================================================================== RCS file: /cvsroot/squid/squid3/src/ICAP/ICAPModXact.cc,v retrieving revision 1.1.2.18 diff -u -r1.1.2.18 ICAPModXact.cc --- src/ICAP/ICAPModXact.cc 14 Dec 2006 00:21:54 -0000 1.1.2.18 +++ src/ICAP/ICAPModXact.cc 14 Dec 2006 05:16:05 -0000 
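Review bot: The new DOC text for icap_client_username_encode in the cf.data.pre hunk (`Whether to base64 encode the authenticated client username.`) does not say when to enable the option or what it does not provide. Base64 is only a transport encoding that keeps the value a single ASCII header token; it gives no confidentiality, and with the default `off` the username is written into the ICAP header unchanged. I would extend the text along the lines of `Base64 is an encoding, not protection: enable it when usernames may contain non-ASCII or control characters, and protect the link to the ICAP service separately if usernames are sensitive.` The icap_client_username_header text also refers to `send_client_username`; that option's NAME line is outside the hunk, so confirm this is the directive name administrators actually type.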
@@ -1016,9 +1016,7 @@ buf.Printf("X-Client-IP: %s\r\n", inet_ntoa(request->client_addr)); if (TheICAPConfig.send_client_username && request) - if (request->auth_user_request) - if (request->auth_user_request->username()) - buf.Printf("X-Client-Username: %s\r\n", request->auth_user_request->username()); + makeUsernameHeader(request, buf); // fprintf(stderr, "%s\n", buf.content()); @@ -1030,6 +1028,17 @@ httpBuf.clean(); } +void ICAPModXact::makeUsernameHeader(const HttpRequest *request, MemBuf &buf) { + if (const auth_user_request_t *auth = request->auth_user_request) { + if (char const *name = auth->username()) { + const char *value = TheICAPConfig.client_username_encode ? + base64_encode(name) : name; + buf.Printf("%s: %s\r\n", TheICAPConfig.client_username_header, + value); + } + } +} + void ICAPModXact::encapsulateHead(MemBuf &icapBuf, const char *section, MemBuf &httpBuf, const HttpMsg *head) { // update ICAP header Index: src/ICAP/ICAPModXact.h =================================================================== RCS file: /cvsroot/squid/squid3/src/ICAP/ICAPModXact.h,v retrieving revision 1.1.2.7 diff -u -r1.1.2.7 ICAPModXact.h --- src/ICAP/ICAPModXact.h 25 Oct 2006 04:57:03 -0000 1.1.2.7 +++ src/ICAP/ICAPModXact.h 14 Dec 2006 05:16:05 -0000 
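Review bot: The new makeUsernameHeader() writes the username into the ICAP header with `%s` and no character check, so with icap_client_username_encode off (the default) a name containing CR or LF would end the header line early and add lines of its own to the ICAP request. Whether such a name can get this far depends on the authentication scheme and helper, which the hunk does not show, but the header writer is the cheapest place to refuse it, e.g. `if (strpbrk(name, "\r\n")) return;` before the Printf. Separately, the pointer returned by `base64_encode(name)` is never freed here. If it points into a fixed-size static buffer (confirm in its implementation), long usernames could be cut short and the value is only valid until the next call, which deserves a comment. TheICAPConfig.client_username_header is also passed to `%s` unchecked, so a NULL or empty configured header name should be ruled out when the option is parsed.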
@@ -172,6 +172,7 @@ size_t claimSize(const MemBufClaim &claim) const; const char *claimContent(const MemBufClaim &claim) const; void makeRequestHeaders(MemBuf &buf); + void makeUsernameHeader(const HttpRequest *request, MemBuf &buf); void moveRequestChunk(MemBuf &buf, size_t chunkSize); void addLastRequestChunk(MemBuf &buf); void openChunk(MemBuf &buf, size_t chunkSize, bool ieof); Index: src/ICAP/ICAPServiceRep.cc =================================================================== RCS file: /cvsroot/squid/squid3/src/ICAP/ICAPServiceRep.cc,v retrieving revision 1.1.2.11 diff -u -r1.1.2.11 ICAPServiceRep.cc --- src/ICAP/ICAPServiceRep.cc 3 Nov 2006 15:54:55 -0000 1.1.2.11 +++ src/ICAP/ICAPServiceRep.cc 14 Dec 2006 05:16:05 -0000 @@ -8,13 +8,11 @@ #include "ICAPOptions.h" #include "ICAPOptXact.h" #include "ConfigParser.h" +#include "ICAPConfig.h" #include "SquidTime.h" CBDATA_CLASS_INIT(ICAPServiceRep); -// XXX: move to squid.conf -const int ICAPServiceRep::TheSessionFailureLimit = 10; - ICAPServiceRep::ICAPServiceRep(): method(ICAP::methodNone), point(ICAP::pointNone), port(-1), bypass(false), theOptions(NULL), theLastUpdate(0), @@ -177,9 +175,10 @@ void ICAPServiceRep::noteFailure() { ++theSessionFailures; debugs(93,4, "ICAPService failure " << theSessionFailures << - ", out of " << TheSessionFailureLimit << " allowed"); + ", out of " << TheICAPConfig.service_failure_limit << " allowed"); - if (theSessionFailures > TheSessionFailureLimit) + if (TheICAPConfig.service_failure_limit >= 0 && + theSessionFailures > TheICAPConfig.service_failure_limit) suspend("too many failures"); // TODO: Should bypass setting affect how much Squid tries to talk to 
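Review bot: In the noteFailure() hunk of ICAPServiceRep.cc the debugs() line prints the configured limit unconditionally, so with the limit disabled it logs `out of -1 allowed`, which reads like a misconfiguration rather than "no limit". Consider printing the limit only when `TheICAPConfig.service_failure_limit >= 0`, and add a comment at the new condition such as `// negative limit: never suspend on connection failures`. With the limit disabled theSessionFailures keeps counting until it is reset elsewhere; the reset is not in this hunk. The function body continues past the end of the hunk.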
@@ -467,7 +466,8 @@ else when = expire - expectedWait; // before the current options expire } else { - when = squid_curtime + 3*60; // delay for a down service + // delay for a down service + when = squid_curtime + TheICAPConfig.service_revival_delay; } debugs(93,7, "ICAPService options raw update on " << when << " or " << (when - squid_curtime));
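Review bot: The else branch adds TheICAPConfig.service_revival_delay to squid_curtime with no visible range check. A zero or negative setting therefore relies entirely on a later clamp to stop Squid from re-requesting OPTIONS from a down service back to back. The 60-second floor promised in cf.data.pre is not in this hunk; if it is applied after this branch, say so in the comment, e.g. `// delay for a down service; raised to the minimum update gap below`. The enclosing function starts and ends outside the hunk.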