- Log rejected CONNECT requests with LOG_LEVEL_INFO

  and explain why they were rejected in the first place.
- Fix the LOG_LEVEL_CLF message for crunches of unallowed
  CONNECT requests. The request line was missing.
- Add two more XXX reminders as we don't have enough already.

diff --git a/ChangeLog b/ChangeLog
index 3298527..2e1176e 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -115,6 +115,8 @@ ChangeLog for Privoxy
   specify a Content-Type. Bug reported by Amuro Namie.
 - Allow to rewrite the request destination behind the client's back.
 - Fix socks requests on big-endian platforms. Patch provided by Song Weijia.
+- Rejected CONNECT requests are logged with log level info
+  (enabled by default) and the reason for the block.
 - Minor code clean-ups, filter and action file updates.
   (Some of them reported by Davide Alberani, Markus Elfring
   and Adam Piggott)

diff --git a/jcc.c b/jcc.c
index 408612b..e82e95c 100644 (file)
--- a/jcc.c
+++ b/jcc.c
@@ -1,4 +1,4 @@
-const char jcc_rcs[] = "$Id: jcc.c,v 1.139 2007/07/14 07:46:41 fabiankeil Exp $";
+const char jcc_rcs[] = "$Id: jcc.c,v 1.140 2007/07/21 11:51:36 fabiankeil Exp $";
 /*********************************************************************
  *
  * File        :  $Source: /cvsroot/ijbswa/current/jcc.c,v $
@@ -33,6 +33,12 @@ const char jcc_rcs[] = "$Id: jcc.c,v 1.139 2007/07/14 07:46:41 fabiankeil Exp $"
  *
  * Revisions   :
  *    $Log: jcc.c,v $
+ *    Revision 1.140  2007/07/21 11:51:36  fabiankeil
+ *    As Hal noticed, checking dispatch_cgi() as the last cruncher
+ *    looks like a bug if CGI requests are blocked unintentionally,
+ *    so don't do it unless the user enabled the new config option
+ *    "allow-cgi-request-crunching".
+ *
  *    Revision 1.139  2007/07/14 07:46:41  fabiankeil
  *    - Allow to rewrite the request destination behind the client's back.
  *    - Turn the weird-looking unconditional for loop that
@@ -2161,20 +2167,31 @@ static void chat(struct client_state *csp)
             /*
              * The response may confuse some clients,
              * but makes unblocking easier.
+             *
+             * XXX: It seems to work with all major browsers,
+             * so we should consider returning a body by default someday ... 
              */
-            log_error(LOG_LEVEL_ERROR, "Marking suspicious CONNECT request from %s for blocking.",
-               csp->ip_addr_str);
+            log_error(LOG_LEVEL_INFO, "Request from %s marked for blocking. "
+               "limit-connect{%s} doesn't allow CONNECT requests to port %d.",
+               csp->ip_addr_str, csp->action->string[ACTION_STRING_LIMIT_CONNECT],
+               csp->http->port);
             csp->action->flags |= ACTION_BLOCK;
             http->ssl = 0;
          }
          else
          {
             write_socket(csp->cfd, CFORBIDDEN, strlen(CFORBIDDEN));
-            log_error(LOG_LEVEL_CONNECT, "Denying suspicious CONNECT request from %s", csp->ip_addr_str);
-            log_error(LOG_LEVEL_CLF, "%s - - [%T] \" \" 403 0", csp->ip_addr_str);
+            log_error(LOG_LEVEL_INFO, "Request from %s denied. "
+               "limit-connect{%s} doesn't allow CONNECT requests to port %d.",
+               csp->ip_addr_str, csp->action->string[ACTION_STRING_LIMIT_CONNECT],
+               csp->http->port);
+            assert(NULL != csp->http->ocmd);
+            log_error(LOG_LEVEL_CLF, "%s - - [%T] \"%s\" 403 0", csp->ip_addr_str, csp->http->ocmd);
 
             list_remove_all(csp->headers);
-
+            /*
+             * XXX: For consistency we might want to log a crunch message here.
+             */
             return;
          }
       }