Posted to commits@trafficserver.apache.org by zw...@apache.org on 2011/05/09 04:01:15 UTC
svn commit: r1100859 - in /trafficserver/traffic/trunk: cop/TrafficCop.cc
iocore/cluster/ClusterConfig.cc iocore/net/I_NetProcessor.h
iocore/net/UnixNetProcessor.cc proxy/SocksProxy.cc proxy/http/HttpAccept.cc
proxy/http/HttpProxyServerMain.cc
Author: zwoop
Date: Mon May 9 02:01:15 2011
New Revision: 1100859
URL: http://svn.apache.org/viewvc?rev=1100859&view=rev
Log:
TS-765 Make the backdoor port (8084 by default) only listen on 127.0.0.1
Modified:
trafficserver/traffic/trunk/cop/TrafficCop.cc
trafficserver/traffic/trunk/iocore/cluster/ClusterConfig.cc
trafficserver/traffic/trunk/iocore/net/I_NetProcessor.h
trafficserver/traffic/trunk/iocore/net/UnixNetProcessor.cc
trafficserver/traffic/trunk/proxy/SocksProxy.cc
trafficserver/traffic/trunk/proxy/http/HttpAccept.cc
trafficserver/traffic/trunk/proxy/http/HttpProxyServerMain.cc
Modified: trafficserver/traffic/trunk/cop/TrafficCop.cc
URL: http://svn.apache.org/viewvc/trafficserver/traffic/trunk/cop/TrafficCop.cc?rev=1100859&r1=1100858&r2=1100859&view=diff
==============================================================================
--- trafficserver/traffic/trunk/cop/TrafficCop.cc (original)
+++ trafficserver/traffic/trunk/cop/TrafficCop.cc Mon May 9 02:01:15 2011
@@ -91,7 +91,6 @@ static int autoconf_port = 8083;
static int rs_port = 8088;
static MgmtClusterType cluster_type = NO_CLUSTER;
static int http_backdoor_port = 8084;
-static char http_backdoor_ip[PATH_MAX];
static int manager_failures = 0;
static int server_failures = 0;
@@ -528,13 +527,6 @@ build_config_table(FILE * fp)
#endif
}
-static int
-config_exists(const char *str)
-{
- InkHashTableValue hval;
- return ink_hash_table_lookup(configTable, str, &hval);
-}
-
static void
read_config_string(const char *str, char *val, size_t val_len)
{
@@ -677,19 +669,6 @@ read_config()
read_config_int("proxy.local.cluster.type", &tmp_int);
cluster_type = static_cast<MgmtClusterType>(tmp_int);
- // If TS is going to bind to incoming_ip_to_bind, we need to make
- // sure we connect to it when heartbeating TS on the http_backdoor
- // port. Also, we need to make sure we bind our outgoing TS
- // heartbeat connection to the same ip. This binding is necessary
- // so that when HTTP checks the client_ip of the backdoor
- // connection, it knows that it's from someone on the local
- // machine.
- if (config_exists("proxy.local.incoming_ip_to_bind")) {
- read_config_string("proxy.local.incoming_ip_to_bind", http_backdoor_ip, sizeof(http_backdoor_ip));
- } else {
- ink_strncpy(http_backdoor_ip, "NULL", sizeof(http_backdoor_ip));
- }
-
read_config_string("proxy.config.syslog_facility", syslog_fac_str, sizeof(syslog_fac_str));
process_syslog_config();
read_config_int("proxy.config.cop.core_signal", &coresig);
@@ -1262,15 +1241,13 @@ static int
test_server_http_port()
{
char request[1024] = {'\0'};
- char *ip = NULL;
- char localhost[] = "127.0.0.1";
+ static char localhost[] = "127.0.0.1";
// Generate a request for a the 'synthetic.txt' document the manager
// servers up on the autoconf port.
snprintf(request, sizeof(request), "GET http://127.0.0.1:%d/synthetic.txt HTTP/1.0\r\n\r\n", autoconf_port);
- ip = (strcmp(http_backdoor_ip, "NULL") == 0) ? localhost : http_backdoor_ip;
- return test_http_port(http_backdoor_port, request, server_timeout * 1000, ip, ip);
+ return test_http_port(http_backdoor_port, request, server_timeout * 1000, localhost, localhost);
}
static int
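Review bot: The heartbeat target in test_server_http_port is now a private `static char localhost[] = "127.0.0.1";`, and the same literal is defined again in NetProcessor::main_accept in UnixNetProcessor.cc. The cop's probe address and the server's bind address have to stay identical for the health check to work, so one shared named constant would stop them drifting apart. If test_http_port accepts `const char *` (its signature is not visible in this hunk), the array should also be `static const char localhost[]` so that it cannot be written through.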
Modified: trafficserver/traffic/trunk/iocore/cluster/ClusterConfig.cc
URL: http://svn.apache.org/viewvc/trafficserver/traffic/trunk/iocore/cluster/ClusterConfig.cc?rev=1100859&r1=1100858&r2=1100859&view=diff
==============================================================================
--- trafficserver/traffic/trunk/iocore/cluster/ClusterConfig.cc (original)
+++ trafficserver/traffic/trunk/iocore/cluster/ClusterConfig.cc Mon May 9 02:01:15 2011
@@ -110,7 +110,7 @@ ClusterAccept::ClusterAcceptEvent(int ev
opt.domain = AF_INET;
accept_action = netProcessor.main_accept(this, NO_FD,
NULL, NULL,
- false, opt);
+ false, false, opt);
if (!accept_action) {
Warning("Unable to accept cluster connections on port: %d", cluster_port);
} else {
Modified: trafficserver/traffic/trunk/iocore/net/I_NetProcessor.h
URL: http://svn.apache.org/viewvc/trafficserver/traffic/trunk/iocore/net/I_NetProcessor.h?rev=1100859&r1=1100858&r2=1100859&view=diff
==============================================================================
--- trafficserver/traffic/trunk/iocore/net/I_NetProcessor.h (original)
+++ trafficserver/traffic/trunk/iocore/net/I_NetProcessor.h Mon May 9 02:01:15 2011
@@ -183,7 +183,7 @@ public:
*/
virtual Action *main_accept(Continuation * cont, SOCKET listen_socket_in, sockaddr * bound_sockaddr = NULL,
- int *bound_sockaddr_size = NULL, bool accept_only = false,
+ int *bound_sockaddr_size = NULL, bool accept_only = false, bool localhost_only = false,
AcceptOptions const& opt = DEFAULT_ACCEPT_OPTIONS);
/**
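Review bot: The new `localhost_only` parameter of main_accept is not documented. The doc comment that closes just above the declaration starts outside this hunk and should gain a line such as `@param localhost_only if true, listen on 127.0.0.1 instead of the configured incoming_ip_to_bind address.` Placing a second defaulted `bool` directly after `accept_only` also means that a call which swaps the two values still compiles, so naming the arguments at each call site is worth considering.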
Modified: trafficserver/traffic/trunk/iocore/net/UnixNetProcessor.cc
URL: http://svn.apache.org/viewvc/trafficserver/traffic/trunk/iocore/net/UnixNetProcessor.cc?rev=1100859&r1=1100858&r2=1100859&view=diff
==============================================================================
--- trafficserver/traffic/trunk/iocore/net/UnixNetProcessor.cc (original)
+++ trafficserver/traffic/trunk/iocore/net/UnixNetProcessor.cc Mon May 9 02:01:15 2011
@@ -106,23 +106,33 @@ NetProcessor::accept(Continuation * cont
}
Action *
-NetProcessor::main_accept(Continuation * cont, SOCKET fd,
- sockaddr * bound_sockaddr, int *bound_sockaddr_size,
- bool accept_only,
- AcceptOptions const& opt
- )
+NetProcessor::main_accept(Continuation * cont, SOCKET fd, sockaddr * bound_sockaddr, int *bound_sockaddr_size,
+ bool accept_only, bool localhost_only, AcceptOptions const& opt)
{
(void) accept_only; // NT only
Debug("iocore_net_processor", "NetProcessor::main_accept - port %d,recv_bufsize %d, send_bufsize %d, sockopt 0x%0lX",
opt.port, opt.recv_bufsize, opt.send_bufsize, opt.sockopt_flags);
- return ((UnixNetProcessor *) this)->accept_internal(cont, fd,
- bound_sockaddr,
- bound_sockaddr_size,
- true,
- net_accept,
- ((UnixNetProcessor *) this)->incoming_ip_to_bind_saddr,
- ((UnixNetProcessor *) this)->incoming_ip_to_bind,
- opt);
+ if (localhost_only) {
+ static char localhost[] = "127.0.0.1";
+
+ return ((UnixNetProcessor *) this)->accept_internal(cont, fd,
+ bound_sockaddr,
+ bound_sockaddr_size,
+ true,
+ net_accept,
+ inet_addr(localhost),
+ localhost,
+ opt);
+ } else {
+ return ((UnixNetProcessor *) this)->accept_internal(cont, fd,
+ bound_sockaddr,
+ bound_sockaddr_size,
+ true,
+ net_accept,
+ ((UnixNetProcessor *) this)->incoming_ip_to_bind_saddr,
+ ((UnixNetProcessor *) this)->incoming_ip_to_bind,
+ opt);
+ }
}
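Review bot: Nothing in main_accept rejects `localhost_only` combined with a caller-supplied listening `fd`. If accept_internal does not re-bind an inherited socket (its body is not visible here), the flag would be silently ignored and the port would stay reachable on whatever address that socket was bound to. A guard at the top of the function, for example `ink_assert(!localhost_only || fd == NO_FD);`, would make that assumption explicit. The loopback branch is also IPv4-only (`inet_addr(localhost)`), while `opt.domain` is caller-controlled, so a non-AF_INET domain should be rejected or handled there. The two accept_internal calls differ only in the two address arguments and could be a single call with those two values selected beforehand.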
Modified: trafficserver/traffic/trunk/proxy/SocksProxy.cc
URL: http://svn.apache.org/viewvc/trafficserver/traffic/trunk/proxy/SocksProxy.cc?rev=1100859&r1=1100858&r2=1100859&view=diff
==============================================================================
--- trafficserver/traffic/trunk/proxy/SocksProxy.cc (original)
+++ trafficserver/traffic/trunk/proxy/SocksProxy.cc Mon May 9 02:01:15 2011
@@ -523,7 +523,7 @@ start_SocksProxy(int port)
Debug("SocksProxy", "Accepting SocksProxy connections on port %d\n", port);
NetProcessor::AcceptOptions opt;
opt.port = port;
- netProcessor.main_accept(NEW(new SocksAccepter), NO_FD, 0, 0, false, opt);
+ netProcessor.main_accept(NEW(new SocksAccepter), NO_FD, 0, 0, false, false, opt);
socksproxy_stat_block = RecAllocateRawStatBlock(socksproxy_stat_count);
Modified: trafficserver/traffic/trunk/proxy/http/HttpAccept.cc
URL: http://svn.apache.org/viewvc/trafficserver/traffic/trunk/proxy/http/HttpAccept.cc?rev=1100859&r1=1100858&r2=1100859&view=diff
==============================================================================
--- trafficserver/traffic/trunk/proxy/http/HttpAccept.cc (original)
+++ trafficserver/traffic/trunk/proxy/http/HttpAccept.cc Mon May 9 02:01:15 2011
@@ -40,33 +40,17 @@ HttpAccept::mainEvent(int event, void *d
NetVConnection *netvc = (NetVConnection *) data;
unsigned int client_ip = netvc->get_remote_ip();
- if (backdoor) {
- unsigned int lip = 0;
- unsigned char *plip = (unsigned char *) &lip;
- plip[0] = 127;
- plip[1] = 0;
- plip[2] = 0;
- plip[3] = 1;
- if (client_ip != this_machine()->ip && client_ip != lip
- && client_ip != HttpConfig::m_master.incoming_ip_to_bind_saddr) {
- char ip_string[32];
- unsigned char *p = (unsigned char *) &(client_ip);
-
- snprintf(ip_string, sizeof(ip_string), "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
- Warning("connect by disallowed client %s on backdoor, closing", ip_string);
- netvc->do_io_close();
- return (VC_EVENT_CONT);
- }
- } else {
- if (ip_allow_table && (!ip_allow_table->match(client_ip))) {
- char ip_string[32];
- unsigned char *p = (unsigned char *) &(client_ip);
-
- snprintf(ip_string, sizeof(ip_string), "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
- Warning("connect by disallowed client %s, closing", ip_string);
- netvc->do_io_close();
- return (VC_EVENT_CONT);
- }
+ // The backdoor port is now only bound to "localhost", so reason to
+ // check for if it's incoming from "localhost" or not.
+ if (!backdoor && ip_allow_table && (!ip_allow_table->match(client_ip))) {
+ char ip_string[32];
+ unsigned char *p = (unsigned char *) &(client_ip);
+
+ snprintf(ip_string, sizeof(ip_string), "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
+ Warning("connect by disallowed client %s, closing", ip_string);
+ netvc->do_io_close();
+
+ return VC_EVENT_CONT;
}
netvc->attributes = attr;
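Review bot: After this change HttpAccept::mainEvent performs no source-address check at all for backdoor connections, so the bind address becomes the only control on that port. If the loopback bind is ever bypassed (an inherited fd, a later refactor of main_accept, or a bind fallback), the backdoor would accept remote clients without any warning being logged. Keeping a cheap defence-in-depth guard such as `if (backdoor && client_ip != htonl(INADDR_LOOPBACK))`, followed by the same Warning/do_io_close/return path, would preserve the old fail-closed behaviour. The new comment is also missing a word: "so reason to check" should read "so no reason to check". The function body starts before this hunk.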
@@ -75,26 +59,27 @@ HttpAccept::mainEvent(int event, void *d
HttpClientSession *new_session = THREAD_ALLOC_INIT(httpClientSessionAllocator, netvc->thread);
new_session->new_connection(netvc, backdoor);
- return (EVENT_CONT);
- } else {
- /////////////////
- // EVENT_ERROR //
- /////////////////
- if (((long) data) == -ECONNABORTED) {
- /////////////////////////////////////////////////
- // Under Solaris, when accept() fails and sets //
- // errno to EPROTO, it means the client has //
- // sent a TCP reset before the connection has //
- // been accepted by the server... Note that //
- // in 2.5.1 with the Internet Server Supplement//
- // and also in 2.6 the errno for this case has //
- // changed from EPROTO to ECONNABORTED. //
- /////////////////////////////////////////////////
+ return EVENT_CONT;
+ }
- // FIX: add time to user_agent_hangup
- HTTP_SUM_DYN_STAT(http_ua_msecs_counts_errors_pre_accept_hangups_stat, 0);
- }
- MachineFatal("HTTP accept received fatal error: errno = %d", -((int)(intptr_t)data));
- return (EVENT_CONT);
+ /////////////////
+ // EVENT_ERROR //
+ /////////////////
+ if (((long) data) == -ECONNABORTED) {
+ /////////////////////////////////////////////////
+ // Under Solaris, when accept() fails and sets //
+ // errno to EPROTO, it means the client has //
+ // sent a TCP reset before the connection has //
+ // been accepted by the server... Note that //
+ // in 2.5.1 with the Internet Server Supplement//
+ // and also in 2.6 the errno for this case has //
+ // changed from EPROTO to ECONNABORTED. //
+ /////////////////////////////////////////////////
+
+ // FIX: add time to user_agent_hangup
+ HTTP_SUM_DYN_STAT(http_ua_msecs_counts_errors_pre_accept_hangups_stat, 0);
}
+
+ MachineFatal("HTTP accept received fatal error: errno = %d", -((int)(intptr_t)data));
+ return EVENT_CONT;
}
Modified: trafficserver/traffic/trunk/proxy/http/HttpProxyServerMain.cc
URL: http://svn.apache.org/viewvc/trafficserver/traffic/trunk/proxy/http/HttpProxyServerMain.cc?rev=1100859&r1=1100858&r2=1100859&view=diff
==============================================================================
--- trafficserver/traffic/trunk/proxy/http/HttpProxyServerMain.cc (original)
+++ trafficserver/traffic/trunk/proxy/http/HttpProxyServerMain.cc Mon May 9 02:01:15 2011
@@ -305,7 +305,7 @@ start_HttpProxyServer(int fd, int port,
for (int i = 0; http_port_attr_array[i].fd != NO_FD; i++) {
HttpPortEntry & e = http_port_attr_array[i];
if (e.fd)
- netProcessor.main_accept(NEW(new HttpAccept(e.type)), e.fd, NULL, NULL, false, opt);
+ netProcessor.main_accept(NEW(new HttpAccept(e.type)), e.fd, NULL, NULL, false, false, opt);
}
} else {
// If traffic_server wasn't started with -A, get the list
@@ -314,7 +314,7 @@ start_HttpProxyServer(int fd, int port,
}
}
if (!http_port_attr_array) {
- netProcessor.main_accept(NEW(new HttpAccept(type)), fd, NULL, NULL, false, opt);
+ netProcessor.main_accept(NEW(new HttpAccept(type)), fd, NULL, NULL, false, false, opt);
if (http_other_port_array) {
for (int i = 0; http_other_port_array[i].port != -1; i++) {
@@ -325,7 +325,7 @@ start_HttpProxyServer(int fd, int port,
opt.port = e.port;
opt.domain = e.domain;
opt.f_outbound_transparent = e.f_outbound_transparent;
- netProcessor.main_accept(NEW(new HttpAccept(e.type)), fd, NULL, NULL, false, opt);
+ netProcessor.main_accept(NEW(new HttpAccept(e.type)), fd, NULL, NULL, false, false, opt);
}
}
}
@@ -333,7 +333,7 @@ start_HttpProxyServer(int fd, int port,
for (int i = 0; http_port_attr_array[i].fd != NO_FD; i++) {
HttpPortEntry & e = http_port_attr_array[i];
if (!e.fd) {
- netProcessor.main_accept(NEW(new HttpAccept(type)), fd, NULL, NULL, false, opt);
+ netProcessor.main_accept(NEW(new HttpAccept(type)), fd, NULL, NULL, false, false, opt);
}
}
}
@@ -344,7 +344,7 @@ start_HttpProxyServer(int fd, int port,
opt.reset();
opt.port = sslParam->getAcceptPort();
opt.accept_threads = accept_threads;
- sslNetProcessor.main_accept(NEW(new HttpAccept(SERVER_PORT_SSL)), ssl_fd, 0, 0, false, opt);
+ sslNetProcessor.main_accept(NEW(new HttpAccept(SERVER_PORT_SSL)), ssl_fd, 0, 0, false, false, opt);
}
sslTerminationConfig.release(sslParam);
@@ -368,5 +368,6 @@ start_HttpProxyServerBackDoor(int port,
opt.port = port;
opt.accept_threads = accept_threads;
- netProcessor.main_accept(NEW(new HttpAccept(SERVER_PORT_DEFAULT, true)), NO_FD, 0, 0, false, opt);
+ // The backdoor only binds the loopback interface
+ netProcessor.main_accept(NEW(new HttpAccept(SERVER_PORT_DEFAULT, true)), NO_FD, 0, 0, false, true, opt);
}
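Review bot: In start_HttpProxyServerBackDoor the security-relevant argument is a bare `true` sitting next to a bare `false`, and transposing them would still compile while leaving the backdoor bound to the general incoming address. Labelling the literals at the call, e.g. `NO_FD, 0, 0, false /* accept_only */, true /* localhost_only */, opt`, makes the intent reviewable. The same applies to the other main_accept call sites updated in this file. The function starts outside the hunk.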