closes#15 for real.
the previous patch that was merged[0] was halfbaked and only removed
the warning part of the original patch from openwrt[1], but didn't
actually activate bind support. further it invoked UB by removing
the return value from the function, if transparent proxy support was
compiled in.
[0]: d97d486d53
[1]: 7c01da4a72
just like the rest of the socks code, this was stolen from
proxychains-ng, of which i'm happen to be the maintainer of,
so it's not an issue (the licenses are identical, too).
tinyproxy uses a curious mechanism to log those early messages
that result from parsing the config file before the logging mechanism
has been properly set up yet by finishing parsing of the config file:
those early messages are written into a memory buffer and then
are printed later on. this slipped my attention when making it possible
to log to stdout in ccbbb81a.
using the "BasicAuth" keyword in tinyproxy.conf.
base64 code was written by myself and taken from my own library "libulz".
for this purpose it is relicensed under the usual terms of the tinyproxy
license.
original patch submitted in 2006 to debian mailing list:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=392848%29#12
this version was rebased to git and updated by Russ Dill <russ.dill@gmail.com>
in 2015 (the original patch used a different config file format).
as discussed in #40.
commit message by @rofl0r.
if using one of unsigned or signed char for the function prototype, one
gets nasty warnings when using it with the other type. the only proper
solution is to put void* into the prototype, and then specialize the pointer
inside the function using an automatic variable.
for exactly this reason, libc functions like read(), write(), etc use void*
too.
some users want to run tinyproxy on an as-needed basis in a terminal,
without setting it up permanently to run as a daemon/service.
in such use case, it is very annoying that tinyproxy didn't have
an option to log to stdout, so the user has to keep a second terminal
open to `tail -f` the log.
additionally, this precluded usage with runit service supervisor,
which runs all services in foreground and creates logfiles from the
service's stdout/stderr.
since logging to stdout doesn't make sense when daemonized, now if
no logfile is specified and daemon mode activated, a warning is
printed to stderr once, and nothing is logged.
the original idea was to fail with an error message, though some users
might actually want to run tinyproxy as daemon and no logging at all.
some people want to run tinyproxy with minimal configuration from
the command line (and as non-root), but tinyproxy insists on writing
a pid file, which only makes sense for usage as a service, hereby
forcing the user to either run it as root so it can write to the
default location, or start editing the default config file to work
around it.
and if no pidfile is specified in the config, it frankly doesn't
make sense to force creation of one anyway.
this causes a build failure on several platforms using older versions
of autotools or GNU make.
make[2]: Entering directory `src'
Makefile:670: *** missing separator (did you mean TAB instead of 8 spaces?). Stop.
make[2]: Leaving directory `src'
fixes#72
This should make hash processing generally faster.
There is a treadeoff between memory footprint and
speed of processing. 10 KB instead of 1.2 KB of
hash table per process should not be a huge problem
even on very limited current systems.
Who really needs to stick to 32 buckets could
recompile. We could also think about making
this configurable at some point.
Signed-off-by: Michael Adam <obnox@samba.org>
This hash function distributes much better than the
original one. The effect is not as visible with
hashes taken modulo 32 than with a bigger modulus,
but it is there. And larger number of buckets migh
become possible in the future...
Reviewed-by: Michael Adam <obnox@samba.org>
I seem to have forgotten to compile with transparent support enabled...
This belongs to the fix for bug BB#63.
Signed-off-by: Michael Adam <obnox@samba.org>
This was accidentially used instead of the function parameter listen_addrs
This still belongs to the fix for bug BB#63.
Signed-off-by: Michael Adam <obnox@samba.org>
check the return code of fcntl via socket_nonblocking
on the listen sockets in child_main()
Found by coverity.
Signed-off-by: Michael Adam <obnox@samba.org>
Effectively, the return code of fcntl was not checked
by not checking the return code of socket_nonblocking()
for the server fd.
Found by coverity.
Signed-off-by: Michael Adam <obnox@samba.org>
Effectively, the return code of fcntl was not checked
by not checking the return code of socket_nonblocking()
for the client fd.
Found by coverity.
Signed-off-by: Michael Adam <obnox@samba.org>
Use extract_url instead of the old extract_ssl_url:
extract_url is generic and handles ipv6 literal addresses correctly.
Signed-off-by: Michael Adam <obnox@samba.org>
There is in fact nothing http-specific any more about this function, hence
the rename. The input has been stripped of the <proto>:// header anyways.
This in preparation of fixing bug BB#106: ssl fails with literal ipv6 addrs.
Signed-off-by: Michael Adam <obnox@samba.org>
When removing the '[' and ']' characers from the ipv6 literal address, make sure
the pointer that is later free'd stays a malloced pointer by memmoving the
string one place left.
Signed-off-by: Michael Adam <obnox@samba.org>
log entering opensock and successful return of getaddrinfo.
This allows to detect dns timeouts from looking at the logs.
Signed-off-by: Michael Adam <obnox@samba.org>
This is achieved by not stopping at the first result of getaddrinfo
that we managed to listen on: Without "Listen" in the config, we
call getraddrinfo with NULL address. With AI_PASSIVE, this gives results
for both IPv4 and IPv6 wildcard addresses (if both are supported).
This lets tinyproxy listen on both IPv4 and IPv6 wildcard if the system
supports them.
Signed-off-by: Michael Adam <obnox@samba.org>
This prepares listenting on multiple sockets, which will be ussed to
fix listening on the wildcard (listen on both ipv6 and ipv4) and
help add the support for multiple Listen statements in the config
Signed-off-by: Michael Adam <obnox@samba.org>
instead of using config.ipAddr internally.
This is in preparation to make it possible
to call it for multiple addresses.
Signed-off-by: Michael Adam <obnox@samba.org>
This changes listen_sock() to not return the
addrlen of the used address from getaddrinfo call
to the caller, stored in global addrlen in child.c.
This was only used to be able to allocate enough space for the
arguments to the later accept call depending on whether
IPv4 or IPv6 is used.
This removes the need to pass this info by always allocating
sizeof(struct sockaddr_storage) instead, which is enough
to carry both sockaddr_in and sockaddr_in6.
Signed-off-by: Michael Adam <obnox@samba.org>
Supplementary groups are inherited from the calling process. Drop all
supplementary groups if the "Group" configuration directive is set to
change to a different user. Otherwise the process may have more rights
than expected.
Reviewed-by: Michael Adam <obnox@samba.org>
Pass a pointer to a char pointer to do_transparent_proxy so the reassembled URL
will actually end up back in the caller where it is needed for filtering
decisions. This fixes the problem that a tinyproxy configured with the
transparent proxy functionality and "FilterURLs Yes" would filter on everything
but the domain.
Signed-off-by: daniel.egger@sphairon.com
Signed-off-by: Michael Adam <obnox@samba.org>
There are frequent questions "what does 'No proxy for ...' mean?"
on the mailing list and IRC. Be more specific. (No upstream proxy ...)
Correspondingly, log "Found upstream proxy ... for ..."
I.e., add a tinyproxy subdirectory.
This is meant to ease running tinyproxy as non-root user.
The subdirectory can be used to give the tinyproxy user
write permission.
Michael
i.e. add a tinyproxy subdirectory.
This is meant to ease running tinyproxy as non-root user
the subdirectory can be used to give the tinyproxy user
write permission.
Michael
This is the second part of fixing bug #74.
I lets tinyproxy create its log and pid files as the
user as which it is running, so that later on at SIGHUP,
the log file can successfully be reopened.
Michael
Now that there is always a log file set, we just check for
syslog being set to TRUE and in that case use syslog logging,
file logging otherwiese.
Michael
Now that we exit early when !logging_initialized, this
can actually not happen anymore anyways: When logging is
initialized, it was also properly configured.
Michael
https://www.banu.com/bugzilla/show_bug.cgi?id=55
This is achieved by streamlining handle_connection, adding
a common cleanup-and-exit poing ("done") and a common
failure exit point ("fail") that reads any pending data
from the client fd first before trying to send back
data (error page or stats page).
The new function get_request_entity that is used here,
does not honour any content-length header. It just calls
select on the client-fd and gets any data that is there
to read.
Michael
This way the logging from the various child processes does not
get clobbered up. Formerly, the different write portions
(time stamp, message, newline) would get mixed from the
various child processes' log messages.
Michael
Logging is re-initialized by reload_config() now.
And truncation is wrong anyways: A syslog mechanism will
move the current log file and the reopen-action will just
create a new empty log file upon SIGHUP.
Michael
This includes reopening the log file (in append mode).
Also switching from syslog to logfile and visa versa are included
when called from the SIGHUP handler.
Michael
When this code is hit, availability of syslog has already
been checked (when reading the config file). So config.syslog == TRUE
only when HAVE_SYSLOG_H is defined.
So I remove the preprocessor checks which only clobber the logic
and make the code harder to read (IMHO).
Michael
This seemed out of place. Now the information is
stored in the correct places (as log.c:logging_initialized).
This way, we will be able to cleanly re-initialize
logging during config reload (SIGHUP) in subsequent
commits.
Michael
This controls whether log_messages should write to the
log file / syslog or rather to the log_message_storage.
This will make the global processed_config_file variable
from main unneccessary in the next step.
Michael
This allows for later reloading the config at SIGHUP (e.g.).
First the old config data is freed, then the defaults that
are given as a parameter are copied over in a rather clumsy
manual fashion (maybe something more clever can be done here)
and finally, the actual config file is loaded.
Michael
