From 69403394b4c87cbb6d622ad7a310d9c1330025b98e17236550edc0ab8e298737 Mon Sep 17 00:00:00 2001
From: Christian Wittmer
Date: Wed, 18 Feb 2015 23:15:24 +0000
Subject: [PATCH] Accepting request 286695 from server:proxy:Test
recover old spec, fix permissions for SLE11
OBS-URL: https://build.opensuse.org/request/show/286695
OBS-URL: https://build.opensuse.org/package/show/server:proxy/squid?expand=0&rev=65
---
squid-3.4.10-RELEASENOTES.html | 597 +++++++++++++++++++++++++++++++++
squid.changes | 13 +
squid.init | 201 +++++++++++
squid.init.rh | 187 +++++++++++
squid.permissions | 4 +
squid.spec | 203 +++++++++--
6 files changed, 1177 insertions(+), 28 deletions(-)
create mode 100644 squid-3.4.10-RELEASENOTES.html
create mode 100644 squid.init
create mode 100644 squid.init.rh
create mode 100644 squid.permissions
diff --git a/squid-3.4.10-RELEASENOTES.html b/squid-3.4.10-RELEASENOTES.html
new file mode 100644
index 0000000..c1814af
--- /dev/null
+++ b/squid-3.4.10-RELEASENOTES.html
@@ -0,0 +1,597 @@
+
+
+
+
+ Squid 3.4.10 release notes
+
+
+Squid 3.4.10 release notes
+
+Squid Developers
+
+This document contains the release notes for version 3.4 of Squid.
+Squid is a WWW Cache application developed by the National Laboratory
+for Applied Network Research and members of the Web Caching community.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+The Squid Team are pleased to announce the release of Squid-3.4.10 for testing.
+This new release is available for download from
+http://www.squid-cache.org/Versions/v3/3.4/ or the
+mirrors.
+
+Some interesting new features adding system flexibility have been added along with general improvements all around.
+While this release is not fully bug-free we believe it is ready for use in production on many systems.
+
+We welcome feedback and bug reports. If you find a bug, please see
+http://wiki.squid-cache.org/SquidFaq/BugReporting
+for how to submit a report with a stack trace.
+
+
+
+Although this release is deemed good enough for use in many setups, please note the existence of
+open bugs against Squid-3.4.
+
+
+
+The 3.4 change history can be
+viewed here.
+
+
+
+
+Squid 3.4 represents a new feature release above 3.3.
+
+The most important of these new features are:
+
+- Helper protocol extensions
+- SSL Server Certificate Validator
+- Store-ID
+- TPROXY Support for OpenBSD 5.1+ and FreeBSD 9+
+- Transaction Annotations
+- Multicast DNS
+
+
+Most user-facing changes are reflected in squid.conf (see below).
+
+
+
+
+Details at
+http://wiki.squid-cache.org/Features/AddonHelpers.
+
+The Squid helper protocol used to communicate with authenticators,
+URL-rewriters, Redirectors, and External ACL helpers has been updated
+and extended.
+
+BH status code is now accepted from all helpers to report
+internal error events separate from ERR rejection code.
+Permitting Squid to perform recovery operations specific to
+helper failure instead of a blanket client rejection.
+
+Arbitrary key-value pairs can be returned from any helper.
+Allowing future helpers to be forward- and backward- compatible
+with this and future versions of Squid.
+
+
+
+
+Details at
+http://wiki.squid-cache.org/Features/SslServerCertValidator.
+
+The helper consulted after the internal OpenSSL validation, regardless of the
+validation results. The helper will receive:
+
+
+- the origin server certificate (chain),
+- the intended domain name, and
+- a list of OpenSSL validation errors (if any).
+
+
+
+If the helper decides to honor an OpenSSL error or report another validation
+error(s), the helper will return:
+
+
+- A list of certificates.
+- A list of items consists the the validation error name (see %err_name
+error page macro and %err_details code for logformat), error reason
+(%ssl_lib_error macro), and the offending certificate.
+
+
+
+The returned information mimics what the internal OpenSSL-based validation code
+collects now. Returned errors, if any, are fed to sslproxy_cert_error,
+triggering the existing SSL error processing code.
+
+The helper invocation controlled by the sslcrtvalidator_program and
+sslcrtvalidator_children configurations options which are similar to the
+ssl_crtd related options.
+
+
+
+
+Details at
+http://wiki.squid-cache.org/Features/StoreID.
+
+This feature is a redesigned equivalent to the Squid-2.7 feature known as StoreURL-rewrite.
+
+Notice that this is not a direct portage of the Squid-2.7 feature so behaviour
+differences do exist. Although the new feature works in similar enough ways that the old
+helper scripts used for Squid-2.7 are expected to work in this and later versions of Squid.
+
+Squid traditionally uses the requested URL as an index key ID to locate objects in cache.
+It is not the only key possible and the Store-ID feature exposes an API for external
+helpers to provide Squid with an alternative key name for any URL.
+
+When any client request is received which requires a cache lookup the URL is passed to
+a helper specified with the store_id_program directive to check for an alternative
+Store ID. This allows the helper to identify URLs which refer to duplicate resources and
+de-duplicate the cache content. store_id_access is provided to allow ACL-based
+tuning of which traffic gets sent to the helper and reduce overheads.
+
+One subtle and noteworthy difference between Squid-2 and Squid-3 which is highlighted by
+this feature is that refresh_pattern applies its regex argument against the Store
+ID key and not the transaction URL. So using the Store-ID feature to alter the value
+affects which refresh_pattern directive will be matched.
+
+Store-ID helpers bundled with Squid can be built with the --enable-storeid-rewrite-helpers
+option which is added in this version. Currently there is a file helper
+provided.
+
+
+
+
+Details at
+http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf.
+
+The Packet Filter (PF) firewall in OpenBSD 4.4 and later offers traffic interception
+using several very simple methods. One of which is the divert-to rule type
+which acts as a simple routing diversion instead of performing NAT packet alterations.
+
+The IP Firewall (IPFW) on FreeBSD 9+ contains a port of the Linux Netfilter TPROXY feature.
+
+This version of Squid adds support for these features through the ./configure
+options --enable-pf-transparent and --enable-ipfw-transparent when Squid is built on
+systems with the required support. No special extras are required to enable
+http_port ... tproxy configuration to work.
+
+NOTE: To resolve NAT lookup issues on recent PF firewall versions the code behind
+./configure --enable-pf-transparent has been altered and is expected to
+break on the version of PF firewall shipped with BSD systems such as NetBSD and FreeBSD
+which do not yet support the getsockname() API.
+These systems require --with-nat-devpf to enable /dev/pf support when using PF firewall.
+
+
+
+
+Previously the only annotation methods available were ICAP/eCAP HTTP header insertions
+or external ACL tag= result code. Each of which had only limited possibilities
+for use and little or no correlation.
+
+It is now possible to add annotations to a client transaction from several sources:
+
+- Directly from squid.conf using the note directive with
+ACL-based selection of which annotation is linked to any
+particular transaction.
+
+- By configured helper processes returning a key=value pair.
+The key name becomes the annotation name.
+
+
+
+Annotations on the transaction can be passed to ICAP services or eCAP modules using the
+adaptation_meta directive to send them as headers.
+They can also be logged using the %note log format code in custom logs. With
+the new helper response syntax changes this means all helper response key=value details
+such as URL-rewrite or store-id changes, external ACL tag etc. are now able to be logged.
+
+Annotations which are already assigned to a transaction can be checked using an ACL test
+of the new note ACL type. This can match a particular note by name and value,
+of for any notes with a given name.
+
+NOTE: not all helper interfaces are yet enabled to convert key=value into annotations
+and the external ACL interface does not yet send annotations to the helper.
+
+
+
+
+The internal DNS component of Squid now supports multicast DNS (mDNS) resolution in
+accordance with RFC 6762.
+
+The dns_multicast_local directive must be set to on to enable this
+feature.
+
+The multicast DNS group IP addresses for IPv4 and IPv6 resolving are added to the set
+of available DNS resolvers and used automatically for domain names ending in .local
+and reverse-DNS lookups before attempting a secondary resolution on the configured
+resolvers. Domains without .local are resolved using only the configured resolvers.
+
+Statistics for multicast DNS resolution can be found on the idns cache manager
+report.
+
+NOTE that the external DNS helper interface is now deprecated and has been
+removed from future Squid versions. Any installations still using it for local hostname
+resolution need to upgrade to mDNS resolution with this Squid version.
+
+
+
+
+There have been changes to Squid's configuration file since Squid-3.3.
+
+Squid supports reading configuration option parameters from external
+files using the syntax parameters("/path/filename"). For example:
+
+ acl whitelist dstdomain parameters("/etc/squid/whitelist.txt")
+
+
+
+There have also been changes to individual directives in the config file.
+This section gives a thorough account of those changes in three categories:
+
+
+
+
+
+
+
+
+
+- configuration_includes_quoted_values
-
+
Whether Squid supports directive parameters with spaces, quotes, and other
+special characters. Surround such parameters with "double quotes" and
+also set this directive on/off around the relevant squid.conf line(s)
+making use of such quoting.
+
+ - dns_multicast_local
-
+
Use multicast DNS for .local domains and reverse-DNS resolution.
+
+ - note
-
+
Use ACLs to annotate a transaction with customized annotations
+which can be logged in access.log
+
+ - spoof_client_ip
-
+
Access control to determine whether to disable the TPROXY spoofing on upstream traffic.
+
+ - sslcrtvalidator_children
-
+
Specifies the settings for how many SSL server certificate
+validator helpers are run and when they are started.
+
+ - sslcrtvalidator_program
-
+
Specifies the location of a SSL server certificate validator helper.
+
+ - store_id_access
-
+
Whether the URL for a given request is passed to the Store-ID helper process.
+Used to improve StoreID performance by quickly eliminating helper delays using ACL tests.
+Ported equivalent to storeurl_access from 2.7
+
+ - store_id_bypass
-
+
Whether the StoreID helper may be bypassed when overloaded.
+
+ - store_id_children
-
+
Controls the number of StoreID helper processes.
+Options startup=N, idle=N, concurrency=N
+
+- startup=N allow finer tuning of how many helpers are started initially.
+- idle=N allow fine tuning of how many helper to retain as buffer against sudden traffic loads.
+- concurrency=N was previously called url_rewrite_concurrency as a distinct directive.
+
+
+
+ - store_id_rewrite_program
-
+
A helper program to provide cache storage internal key ID value for a request.
+Ported equivalent to storeurl_rewrite_program from 2.7
+
+
+
+
+
+
+
+
+- access_log
-
+
Configuration syntax extended to support name=value options.
+New Syntax: access_log module:place [option ...] [acl ...]
+New option logformat= to specify the logging format name.
+New option buffer-size= to specify how large the log buffer
+for this log is to be when buffered_logs is enabled.
+New option on-error= to specify what handling is to be done
+if the logging module encounters a non-recoverable error writing logs.
+With the value die (the default) Squid halts operation.
+With the value drop Squid drops log lines and continue running.
+
+ - acl
-
+
New test type server_cert_fingerprint to match against
+server SSL certificate fingerprint.
+New test type note to match against transaction annotations
+by name and value, or just by name.
+New test type any-of to match if any one of a set of named ACLs.
+New test type all-of to match against all of a set of named ACLs.
+
+ - auth_param
-
+
New result code BH to signal helper internal errors
+available in all authentication schemes.
+New key message= for error message details in all authentication schemes.
+New result code OK and key ha1= in Digest authentication.
+New result codes OK, ERR replace result codes AF,
+and NA in NTLM and Negotiate authentication.
+New key token= for NTLM and Negotiate authentication OK responses.
+Details at
+http://wiki.squid-cache.org/Features/AddonHelpers.
+
+ - external_acl_type
-
+
Deprecated protocol=3.0 option. No longer necessary.
+New result code BH to signal helper internal errors
+Details at
+http://wiki.squid-cache.org/Features/AddonHelpers.
+
+ - http_port
-
+
Support IPv6 for intercept mode. Requires ip6tables support on Linux,
+PF support on OpenBSD and IPFW support on FreeBSD. Squid will no longer complain
+about misconfiguration if IPv6 support is missing, we now rely on the firewall
+tools reporting misconfiguration when the NAT rules are created.
+Support tproxy mode traffic on BSD systems with BINDANY support
+(OpenBSD 5+, FreeBSD 9+ so far).
+Changed build options behind intercept traffic mode handling on BSD.
+see --enable-pf-transparent for more details.
+
+ - logformat
-
+
New format code %note to log a transaction annotation linked to the
+transaction by ICAP, eCAP, a helper, or the note squid.conf directive.
+New format code %>qos to log client connection TOS/DSCP value set by Squid.
+New format code %<qos to log server connection TOS/DSCP value set by Squid.
+New format code %>nfmark to log client connection netfilter mark set by Squid.
+New format code %<nfmark to log server connection netfilter mark set by Squid.
+
+ - pipeline_prefetch
-
+
Updated to take a numeric count of prefetched pipeline requests instead of ON/OFF.
+
+ - refresh_pattern
-
+
NOTE: the regular expression pattern operates on the cache Store-ID value.
+Which by default is identical to the requested URL, but may differ for some
+objects if the Store-ID feature is in use.
+
+ - unlinkd_program
-
+
New helper response format utilizing result codes OK and BH,
+to signal helper lookup results. Also, key-value response values to return
+multiple values to Squid.
+Details at
+http://wiki.squid-cache.org/Features/AddonHelpers.
+
+ - url_rewrite_program
-
+
New helper response format utilizing result codes OK, ERR,
+and BH to signal helper lookup results. Also, key-value response
+values to return multiple values to Squid.
+Details at
+http://wiki.squid-cache.org/Features/AddonHelpers.
+
+
+
+
+
+
+
+
+- storeurl_access
-
+
Replaced by store_id_access.
+
+ - storeurl_rewrite_children
-
+
Replaced by store_id_children.
+
+ - storeurl_rewrite_concurrency
-
+
Replaced by store_id_children with concurrency=N option.
+
+ - storeurl_rewrite_program
-
+
Replaced by store_id_program.
+
+
+
+
+
+
+
+There have been some changes to Squid's build configuration since Squid-3.3.
+This section gives an account of those changes in three categories:
+
+
+
+
+
+
+
+
+
+- --enable-storeid-rewrite-helpers
-
+
New option to control which Store-ID helpers are built. As with other
+helper options use --disable-* to prevent any helpers building and
+omit to get all helper auto-detected.
+Currenly only a helper using file for backend is provided.
+
+ - --disable-arch-native
-
+
New option to disable use of -march=native compiler flag.
+The new flag auto-enables CPU-specific optimizations in GCC and is
+required by Clang++ v3.2 for correct 64-bit environment detection.
+It does not always work well however, so this build option is provided
+to remove it when necessary.
+
+ - --with-nat-devpf
-
+
New option to alter the behaviour of http_port ... intercept option
+in squid.conf.
+When this option is used Squid performs the /dev/pf lookups required to
+support PF rdr-to rules. Otherwise Squid will perform perform the
+getsockname() API calls to support PF divert-to rules.
+NOTE: systems such as NetBSD and FreeBSD which do not yet support
+the getsockname() API in recent PF versions require this option.
+
+
+
+
+
+
+
+
+- --enable-pf-transparent
-
+
NAT table support updated to use the getsockname() API provided by the
+latest PF versions divert-to. This allows http_port
+in squid.conf to support both intercept and tproxy traffic
+and to silence NAT lookup failure messages on recent BSD.
+NOTE: systems such as NetBSD and FreeBSD which do not yet support
+the getsockname() API in recent PF versions require --with-nat-devpf
+to re-enable /dev/pf support when using PF firewall.
+
+ - --disable-translation
-
+
Default changed to prevent translating error page templates during build.
+Use --enable-translation to explicitly build and install the templates.
+The latest pre-translated templates can be downloaded from
+http://www.squid-cache.org/Versions/langpack/
+
+
+
+
+
+
+
+There are no removed ./configure options in Squid-3.4.
+
+
+
+
+
+
+
+Some squid.conf options which were available in Squid-2.7 are not yet available in Squid-3.4
+
+If you need something to do then porting one of these from Squid-2 to Squid-3 is most welcome.
+
+
+
+
+
+- broken_vary_encoding
-
+
Not yet ported from 2.6
+
+ - cache_dir
-
+
COSS storage type is lacking stability fixes from 2.6
+COSS overwrite-percent= option not yet ported from 2.6
+COSS max-stripe-waste= option not yet ported from 2.6
+COSS membufs= option not yet ported from 2.6
+COSS maxfullbufs= option not yet ported from 2.6
+
+ - cache_peer
-
+
idle= not yet ported from 2.7
+monitorinterval= not yet ported from 2.6
+monitorsize= not yet ported from 2.6
+monitortimeout= not yet ported from 2.6
+monitorurl= not yet ported from 2.6
+
+ - cache_vary
-
+
Not yet ported from 2.6
+
+ - collapsed_forwarding
-
+
Not yet ported from 2.6
+
+ - error_map
-
+
Not yet ported from 2.6
+
+ - external_refresh_check
-
+
Not yet ported from 2.7
+
+ - location_rewrite_access
-
+
Not yet ported from 2.6
+
+ - location_rewrite_children
-
+
Not yet ported from 2.6
+
+ - location_rewrite_concurrency
-
+
Not yet ported from 2.6
+
+ - location_rewrite_program
-
+
Not yet ported from 2.6
+
+ - refresh_pattern
-
+
stale-while-revalidate= not yet ported from 2.7
+ignore-stale-while-revalidate= not yet ported from 2.7
+negative-ttl= not yet ported from 2.7
+
+ - refresh_stale_hit
-
+
Not yet ported from 2.7
+
+ - update_headers
-
+
Not yet ported from 2.7
+
+
+
+
+
+
diff --git a/squid.changes b/squid.changes
index 5d99c67..d2048d4 100644
--- a/squid.changes
+++ b/squid.changes
@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Sat Jan 10 01:08:40 UTC 2015 - chris@computersalat.de
+
+- recover old spec
+ * merge in suggested changes from tchvatal
+- fix permissions for SLE11
+ * revert suid bit for pinger and basic_pam_auth
+ add them to permissions file (commented)
+- readd deleted files
+ * RELEASENOTES
+ * permissions (needed for SLE11)
+ * init.rh
+
-------------------------------------------------------------------
Fri Jan 9 10:19:10 UTC 2015 - tchvatal@suse.com
diff --git a/squid.init b/squid.init
new file mode 100644
index 0000000..cb400db
--- /dev/null
+++ b/squid.init
@@ -0,0 +1,201 @@
+#!/bin/sh
+# Copyright (c) 1996, 1997, 1998 S.u.S.E. GmbH
+# Copyright (c) 1998, 1999, 2000, 2001 SuSE GmbH
+# Copyright (c) 2002 SuSE Linux AG
+#
+# Author: Frank Bodammer, Peter Poeml, Klaus Singvogel
+#
+# /etc/init.d/squid
+# and its symbolic link
+# /(usr/)sbin/rcsquid
+#
+### BEGIN INIT INFO
+# Provides: squid
+# Required-Start: $local_fs $remote_fs $network $time
+# Should-Start: apache $named winbind
+# Required-Stop: $local_fs $remote_fs $network $time
+# Should-Stop: apache $named winbind
+# Default-Start: 3 5
+# Default-Stop: 0 1 2 6
+# Short-Description: Squid web cache
+# Description: Start the Squid web cache, providing
+# HTTP, FTP and other proxy services
+### END INIT INFO
+#
+# Note on runlevels:
+# 0 - halt/poweroff 6 - reboot
+# 1 - single user 2 - multiuser without network exported
+# 3 - multiuser w/ network (text mode) 5 - multiuser w/ network and X11 (xdm)
+
+
+# Check for missing binaries (stale symlinks should not happen)
+# Note: Special treatment of stop for LSB conformance
+SQUID_BIN=/usr/sbin/squid
+test -x $SQUID_BIN || { echo "$SQUID_BIN not installed";
+ if [ "$1" = "stop" ]; then exit 0;
+ else exit 5; fi; }
+
+# Check for existence of needed config file and read it
+SQUID_SYSCONFIG=/etc/sysconfig/squid
+test -r $SQUID_SYSCONFIG || { echo "$SQUID_SYSCONFIG not existing";
+ if [ "$1" = "stop" ]; then exit 0;
+ else exit 6; fi; }
+
+# Read config
+. $SQUID_SYSCONFIG
+
+SQUID_PID=/var/run/squid.pid
+SQUID_CONF=/etc/squid/squid.conf
+SQUID_S_T=${SQUID_SHUTDOWN_TIMEOUT:="60"}
+SQUID_OPTS=${SQUID_START_OPTIONS:="-sY"}
+SQUID_ULIMIT=${SQUID_DEFAULT_ULIMT:="4096"}
+
+# determine which one is the cache_swap directory
+SQUID_CACHE_DIR=$(perl -n -e \
+ '/^cache_dir\s+\S+\s+(.*)\s+\d+\s+\d+\s+\d+/ && print "$1"' $SQUID_CONF)
+
+ulimit -n "$SQUID_ULIMIT"
+
+#IN: $SQUID_CACHE_DIR
+setup_squid_cache_dir(){
+ for adir in "$1" ; do
+ if [ ! -d $adir/00 ]; then # create missing cache directories
+ umask 027 # prevent users reading any cache data
+ echo -n " ($adir)"
+ $SQUID_BIN -z -F > /dev/null 2>&1
+ fi
+ if [ ! -d $adir/00 ]; then
+ echo " - failed while creating cache_dir ! "
+ rc_failed
+ rc_status -v
+ rc_exit
+ fi
+ done
+ sleep 2
+}
+
+# Shell functions sourced from /etc/rc.status:
+# rc_check check and set local and overall rc status
+# rc_status check and set local and overall rc status
+# rc_status -v be verbose in local rc status and clear it afterwards
+# rc_status -v -r ditto and clear both the local and overall rc status
+# rc_status -s display "skipped" and exit with status 3
+# rc_status -u display "unused" and exit with status 3
+# rc_failed set local and overall rc status to failed
+# rc_failed set local and overall rc status to
+# rc_reset clear both the local and overall rc status
+# rc_exit exit appropriate to overall rc status
+# rc_active checks whether a service is activated by symlinks
+. /etc/rc.status
+
+# Reset status of this service
+rc_reset
+
+
+case "$1" in
+ start)
+ echo -n "Starting WWW-proxy squid "
+ if /sbin/checkproc $SQUID_BIN ; then
+ echo -n "- Warning: squid already running ! "
+ rc_failed
+ else
+ [ -e $SQUID_PID ] && echo -n "- Warning: $SQUID_PID exists ! "
+ if [ -n "$SQUID_CACHE_DIR" -a -d "$SQUID_CACHE_DIR" ]; then
+ setup_squid_cache_dir "$SQUID_CACHE_DIR"
+ fi
+ fi
+ startproc -l /var/log/squid/rcsquid.log $SQUID_BIN "$SQUID_OPTS"
+
+ # Remember status and be verbose
+ rc_status -v
+ ;;
+ stop)
+ echo -n "Shutting down WWW-proxy squid "
+ if /sbin/checkproc $SQUID_BIN ; then
+ $SQUID_BIN -k shutdown
+ sleep 2
+ if [ -e $SQUID_PID ] ; then
+ echo -n "- wait a minute or two... "
+ i="$SQUID_S_T"
+ while [ -e $SQUID_PID ] && [ $i -gt 0 ] ; do
+ sleep 2
+ i=$[$i-1]
+ echo -n "."
+ [ $i -eq 41 ] && echo
+ done
+ fi
+ if /sbin/checkproc $SQUID_BIN ; then
+ killproc -TERM $SQUID_BIN
+ echo -n " Warning: squid killed !"
+ fi
+ else
+ echo -n "- Warning: squid not running ! "
+ rc_failed 7
+ fi
+
+ # Remember status and be verbose
+ rc_status -v
+ ;;
+ try-restart)
+ $0 status >/dev/null && $0 restart
+
+ # Remember status and be quiet
+ rc_status
+ ;;
+ restart)
+ $0 stop
+ $0 start
+
+ # Remember status and be quiet
+ rc_status
+ ;;
+ force-reload)
+ $0 reload
+
+ # Remember status and be quiet
+ rc_status
+ ;;
+ reload)
+ echo -n "Reloading WWW-proxy squid "
+ if /sbin/checkproc $SQUID_BIN ; then
+ $SQUID_BIN -k rotate
+ sleep 2
+ $SQUID_BIN -k reconfigure
+ rc_status
+ else
+ echo -n "- Warning: squid not running ! "
+ rc_failed 7
+ fi
+
+ # Remember status and be verbose
+ rc_status -v
+ ;;
+ status)
+ echo -n "Checking for WWW-proxy squid "
+ ## Check status with checkproc(8), if process is running
+ ## checkproc will return with exit status 0.
+
+ # Return value is slightly different for the status command:
+ # 0 - service up and running
+ # 1 - service dead, but /var/run/ pid file exists
+ # 2 - service dead, but /var/lock/ lock file exists
+ # 3 - service not running (unused)
+ # 4 - service status unknown :-(
+ # 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)
+
+ # NOTE: checkproc returns LSB compliant status values.
+ /sbin/checkproc $SQUID_BIN
+
+ # Remember status and be verbose
+ rc_status -v
+ ;;
+ probe)
+ test $SQUID_CONF -nt $SQUID_PID && echo reload
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
+ exit 1
+ ;;
+esac
+rc_exit
+
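Review bot: In the `start)` branch the `startproc -l /var/log/squid/rcsquid.log $SQUID_BIN "$SQUID_OPTS"` line sits after the closing `fi`, so it still runs when `checkproc` has just reported squid as running and `rc_failed` was set. Moving that line into the `else` arm, after the cache-directory setup, would keep the already-running case from launching anything. The same line passes `"$SQUID_OPTS"` quoted, so a `SQUID_START_OPTIONS` value holding more than one option would reach squid as a single argument; either document that only one bundled option such as `-sY` is supported or split the value deliberately. In `stop)`, `i=$[$i-1]` is a bash-only form under `#!/bin/sh`, and each iteration sleeps 2 seconds, so the wait is about twice `SQUID_SHUTDOWN_TIMEOUT`; `i=$((i-1))` with a comment on the unit would make that explicit.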
diff --git a/squid.init.rh b/squid.init.rh
new file mode 100644
index 0000000..15cb5b9
--- /dev/null
+++ b/squid.init.rh
@@ -0,0 +1,187 @@
+#!/bin/bash
+# chkconfig: - 90 25
+# pidfile: /var/run/squid.pid
+# config: /etc/squid/squid.conf
+#
+### BEGIN INIT INFO
+# Provides: squid
+# Short-Description: starting and stopping Squid Internet Object Cache
+# Description: Squid - Internet Object Cache. Internet object caching is \
+# a way to store requested Internet objects (i.e., data available \
+# via the HTTP, FTP, and gopher protocols) on a system closer to the \
+# requesting site than to the source. Web browsers can then use the \
+# local Squid cache as a proxy HTTP server, reducing access time as \
+# well as bandwidth consumption.
+### END INIT INFO
+
+
+PATH=/usr/bin:/sbin:/bin:/usr/sbin
+export PATH
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+# Source networking configuration.
+. /etc/sysconfig/network
+
+if [ -f /etc/sysconfig/squid ]; then
+ . /etc/sysconfig/squid
+fi
+
+# don't raise an error if the config file is incomplete
+# set defaults instead:
+SQUID_OPTS=${SQUID_OPTS:-""}
+SQUID_PIDFILE_TIMEOUT=${SQUID_PIDFILE_TIMEOUT:-20}
+SQUID_SHUTDOWN_TIMEOUT=${SQUID_SHUTDOWN_TIMEOUT:-100}
+SQUID_CONF=${SQUID_CONF:-"/etc/squid/squid.conf"}
+SQUID_PIDFILE_DIR="/var/run/squid"
+SQUID_USER="squid"
+SQUID_DIR="squid"
+
+# determine the name of the squid binary
+[ -f /usr/sbin/squid ] && SQUID=squid
+
+prog="$SQUID"
+
+# determine which one is the cache_swap directory
+CACHE_SWAP=`sed -e 's/#.*//g' $SQUID_CONF | \
+ grep cache_dir | awk '{ print $3 }'`
+
+RETVAL=0
+
+probe() {
+ # Check that networking is up.
+ [ ${NETWORKING} = "no" ] && exit 1
+
+ [ `id -u` -ne 0 ] && exit 4
+
+ # check if the squid conf file is present
+ [ -f $SQUID_CONF ] || exit 6
+}
+
+start() {
+ # Check if $SQUID_PIDFILE_DIR exists and if not, lets create it and give squid permissions.
+ if [ ! -d $SQUID_PIDFILE_DIR ] ; then mkdir $SQUID_PIDFILE_DIR ; chown -R $SQUID_USER.$SQUID_DIR $SQUID_PIDFILE_DIR; fi
+ probe
+
+ parse=`$SQUID -k parse -f $SQUID_CONF 2>&1`
+ RETVAL=$?
+ if [ $RETVAL -ne 0 ]; then
+ echo -n $"Starting $prog: "
+ echo_failure
+ echo
+ echo "$parse"
+ return 1
+ fi
+ for adir in $CACHE_SWAP; do
+ if [ ! -d $adir/00 ]; then
+ echo -n "init_cache_dir $adir... "
+ $SQUID -z -F -f $SQUID_CONF >> /var/log/squid/squid.out 2>&1
+ fi
+ done
+ echo -n $"Starting $prog: "
+ $SQUID $SQUID_OPTS -f $SQUID_CONF >> /var/log/squid/squid.out 2>&1
+ RETVAL=$?
+ if [ $RETVAL -eq 0 ]; then
+ timeout=0;
+ while : ; do
+ [ ! -f /var/run/squid.pid ] || break
+ if [ $timeout -ge $SQUID_PIDFILE_TIMEOUT ]; then
+ RETVAL=1
+ break
+ fi
+ sleep 1 && echo -n "."
+ timeout=$((timeout+1))
+ done
+ fi
+ [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$SQUID
+ [ $RETVAL -eq 0 ] && echo_success
+ [ $RETVAL -ne 0 ] && echo_failure
+ echo
+ return $RETVAL
+}
+
+stop() {
+ echo -n $"Stopping $prog: "
+ $SQUID -k check -f $SQUID_CONF >> /var/log/squid/squid.out 2>&1
+ RETVAL=$?
+ if [ $RETVAL -eq 0 ] ; then
+ $SQUID -k shutdown -f $SQUID_CONF &
+ rm -f /var/lock/subsys/$SQUID
+ timeout=0
+ while : ; do
+ [ -f /var/run/squid.pid ] || break
+ if [ $timeout -ge $SQUID_SHUTDOWN_TIMEOUT ]; then
+ echo
+ return 1
+ fi
+ sleep 2 && echo -n "."
+ timeout=$((timeout+2))
+ done
+ echo_success
+ echo
+ else
+ echo_failure
+ if [ ! -e /var/lock/subsys/$SQUID ]; then
+ RETVAL=0
+ fi
+ echo
+ fi
+ rm -rf $SQUID_PIDFILE_DIR/*
+ return $RETVAL
+}
+
+reload() {
+ $SQUID $SQUID_OPTS -k reconfigure -f $SQUID_CONF
+}
+
+restart() {
+ stop
+ rm -rf $SQUID_PIDFILE_DIR/*
+ start
+}
+
+condrestart() {
+ [ -e /var/lock/subsys/squid ] && restart || :
+}
+
+rhstatus() {
+ status $SQUID && $SQUID -k check -f $SQUID_CONF
+}
+
+
+case "$1" in
+start)
+ start
+ ;;
+
+stop)
+ stop
+ ;;
+
+reload|force-reload)
+ reload
+ ;;
+
+restart)
+ restart
+ ;;
+
+condrestart|try-restart)
+ condrestart
+ ;;
+
+status)
+ rhstatus
+ ;;
+
+probe)
+ probe
+ ;;
+
+*)
+ echo $"Usage: $0 {start|stop|status|reload|force-reload|restart|try-restart|probe}"
+ exit 2
+esac
+
+exit $?
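Review bot: `start()` and `stop()` append to `/var/log/squid/squid.out` with `>>` from the root shell, while the squid.permissions file added in this same patch assigns `/var/log/squid/` to `squid:root 750`, so root opens a path inside a directory the service account can write to. If that ownership also holds on the systems this script targets (not visible here), the file root appends to is under the service account's control, links included. Sending this output to a root-owned location, or through `logger`, removes that dependency. `startproc -l /var/log/squid/rcsquid.log` in squid.init appears to have the same shape. Separately, the `mkdir`/`chown -R` of `$SQUID_PIDFILE_DIR` at the top of `start()` runs before `probe` has checked `id -u`; calling `probe` first would make the non-root case exit cleanly before any filesystem change is attempted.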
diff --git a/squid.permissions b/squid.permissions
new file mode 100644
index 0000000..0be2caa
--- /dev/null
+++ b/squid.permissions
@@ -0,0 +1,4 @@
+/var/cache/squid/ squid:root 750
+/var/log/squid/ squid:root 750
+#/usr/sbin/pinger root:squid 4750
+#/usr/sbin/basic_pam_auth root:shadow 2750
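Review bot: The two commented-out entries for `/usr/sbin/pinger` (`4750`) and `/usr/sbin/basic_pam_auth` (`2750`) carry no explanation, so a later maintainer cannot tell whether the setuid/setgid bits are disabled on purpose or left over. A comment line above them, for example `# setuid/setgid bits for these helpers are not set by default; uncomment to grant them`, would record the intent stated in the changelog entry ("revert suid bit for pinger and basic_pam_auth"). It would also help to note that enabling the first line makes `pinger` setuid root for members of group `squid`, since that is the privilege decision an administrator is being asked to make.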
diff --git a/squid.spec b/squid.spec
index 3238f34..2f6ec66 100644
--- a/squid.spec
+++ b/squid.spec
@@ -18,6 +18,7 @@
%define squidlibdir %{_libdir}/squid
%define squidconfdir %{_sysconfdir}/squid
+
Name: squid
Version: 3.4.10
Release: 0
@@ -27,13 +28,18 @@ Group: Productivity/Networking/Web/Proxy
Url: http://www.squid-cache.org/Versions/v3/3.4
Source0: http://www.squid-cache.org/Versions/v3/3.4/%{name}-%{version}.tar.bz2
Source1: http://www.squid-cache.org/Versions/v3/3.4/%{name}-%{version}.tar.bz2.asc
+Source2: %{name}-%{version}-RELEASENOTES.html
+Source3: squid.init
Source4: squid.sysconfig
Source5: pam.squid
Source6: unsquid.pl
Source7: %{name}.logrotate
+Source9: %{name}.permissions
Source10: README.kerberos
Source11: %{name}.service
Source13: %{name}.keyring
+Source14: squid.init.rh
+
# do not show some rpmlint warnings
Source99: squid-rpmlintrc
# some useful defaults for squid
@@ -45,47 +51,89 @@ Patch101: %{name}-nobuilddates.patch
Patch102: %{name}-compiled_without_RPM_OPT_FLAGS.patch
# patch fixes kerberos principalname handling (http://bugs.squid-cache.org/show_bug.cgi?id=4042)
Patch103: squid-brokenad.patch
-BuildRequires: cyrus-sasl-devel
+
+BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: db-devel
+# needed by bootstrap.sh
+BuildRequires: cyrus-sasl-devel
BuildRequires: ed
BuildRequires: expat
+#
BuildRequires: fdupes
BuildRequires: gcc-c++
BuildRequires: krb5-devel
BuildRequires: libcap-devel
BuildRequires: libexpat-devel
+%if 0%{?suse_version} <= 1140
+BuildRequires: libtool
+%else
BuildRequires: libtool >= 2.4
+%endif
+%if 0%{?suse_version} < 1220
+BuildRequires: libxml2-devel
+%else
+BuildRequires: pkgconfig(libxml-2.0)
+%endif
BuildRequires: openldap2-devel
BuildRequires: opensp-devel
BuildRequires: openssl-devel
BuildRequires: pam-devel
BuildRequires: pkgconfig
BuildRequires: sharutils
-BuildRequires: systemd
-BuildRequires: pkgconfig(libxml-2.0)
-Requires: logrotate
-Requires: sed
+
+%if 0%{?suse_version}
Requires(post): %fillup_prereq
-Requires(pre): %insserv_prereq
Requires(pre): %{_bindir}/getent
+%if 0%{?suse_version} < 1140
Requires(pre): permissions
+%else
+Requires(pre): permissions >= 2014.11
+%endif
Requires(pre): pwdutils
-Provides: %{name}3 = %{version}
-Provides: http_proxy
-Obsoletes: %{name}3 < %{version}
-BuildRoot: %{_tmppath}/%{name}-%{version}-build
+%else
+Requires(pre): shadow-utils
+Requires(post): /sbin/chkconfig
+Requires(preun): /sbin/service /sbin/chkconfig
+Requires(postun): /sbin/service
+%endif
+
+%if 0%{?suse_version} > 1210
+BuildRequires: systemd
%{?systemd_requires}
+%define has_systemd 1
+%else
+Requires(pre): %insserv_prereq
+%endif
+
+Requires: logrotate
+Provides: http_proxy
+
+# due to package rename
+# Wed Aug 15 17:40:30 UTC 2012
+Provides: %{name}3 = %{version}
+Obsoletes: %{name}3 < %{version}
%description
-Squid is a fully-featured HTTP/1.0 proxy which is almost a fully-featured
-HTTP/1.1 proxy. Squid offers a rich access control, authorization and logging
-environment to develop web proxy and content serving applications.
-Squid offers a rich set of traffic optimization options, most of which are
-enabled by default for simpler installation and high performance.
+Squid is a fully-featured HTTP/1.0 proxy which is almost (but not quite - we're getting there!) a fully-featured HTTP/1.1 proxy. Squid offers a rich access control, authorization and logging environment to develop web proxy and content serving applications. Squid offers a rich set of traffic optimization options, most of which are enabled by default for simpler installation and high performance.
+
+Squid 3.4 represents a new feature release above 3.3.
+
+The most important of these new features are:
+
+ * Helper protocol extensions
+ * SSL Server Certificate Validator
+ * Store-ID
+ * TPROXY Support for OpenBSD 5.1+ and FreeBSD 9+
+ * Transaction Annotations
+ * Multicast DNS
%prep
+#setup -q -n %{name}-%{version}%{snap}
%setup -q
cp %{SOURCE10} .
+# upstream patches after RELEASE
+#
+##### other patches
%patch100
perl -p -i -e 's|%{_prefix}/local/bin/perl|%{_bindir}/perl|' `find -name "*.pl"`
chmod a-x CREDITS
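Review bot: The new `%if 0%{?suse_version} <= 1140` and `%if 0%{?suse_version} < 1220` tests are also true when `suse_version` is undefined, because the expression then evaluates as `0 <= 1140`. The spec evidently expects non-SUSE builds (the `%else` arm with `shadow-utils` and `/sbin/chkconfig`), so those builds fall into the old-SUSE arms. In this hunk that only selects `libtool` and `libxml2-devel`, but the same pattern in the later hunks adds `--with-included-ltdl` and installs `%{SOURCE9}` into `%{_sysconfdir}/permissions.d/` on non-SUSE targets. Guarding with `%if 0%{?suse_version} && 0%{?suse_version} < 1140` would limit these arms to SUSE. The preamble and `%prep` continue outside this hunk.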
@@ -104,8 +152,15 @@ export LDFLAGS='-Wl,-z,relro,-z,now -pie'
--datadir=%{_datadir}/squid \
--sharedstatedir=%{_localstatedir}/squid \
--with-logdir=%{_localstatedir}/log/squid \
+%if 0%{?has_systemd}
--with-pidfile=/run/squid.pid \
+%else
+ --with-pidfile=%{_localstatedir}/run/squid.pid \
+%endif
--with-dl \
+%if 0%{?suse_version} <= 1140
+ --with-included-ltdl \
+%endif
--enable-disk-io \
--enable-storeio \
--enable-removal-policies=heap,lru \
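Review bot: The guard `%if 0%{?suse_version} <= 1140` around `--with-included-ltdl` is also true when `suse_version` is undefined, because the expression then reads `0 <= 1140`. This commit adds Fedora/Red Hat branches elsewhere in the spec, so those builds would presumably use the bundled libltdl copy instead of the system library and miss distribution fixes to it. The same pattern, `0%{?suse_version} < 1140`, guards the permissions.d install in %install and the matching `%config %{_sysconfdir}/permissions.d/%{name}` entry in %files, so non-SUSE packages would ship that file as well. Writing the guard as `%if 0%{?suse_version} && 0%{?suse_version} <= 1140` keeps each of these SUSE-only.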
@@ -136,7 +191,7 @@ export LDFLAGS='-Wl,-z,relro,-z,now -pie'
--with-default-user=%{name} \
--disable-ident-lookups \
--enable-follow-x-forwarded-for \
- --disable-arch-native
+ --disable-arch-native
# overwrite the number of open filedescriptors of configure to 4096
# to be backward compatible, but numbers above should not be overwritten
@@ -162,6 +217,11 @@ make install DESTDIR=%{buildroot} SAMBAPREFIX=/usr
mv %{buildroot}{%{_sysconfdir}/%{name}/,%{_datadir}/%{name}/}mime.conf.default
ln -s %{_sysconfdir}/%{name}/mime.conf %{buildroot}%{_datadir}/%{name} # backward compatible
+%if 0%{?suse_version} < 1140
+# permissions file
+install -D -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/permissions.d/%{name}
+%endif
+
# install logrotate file
install -D -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
@@ -187,40 +247,73 @@ for i in errors/*; do
done
ln -sf %{_datadir}/%{name}/errors/de %{buildroot}%{squidconfdir}/errors
-# systemd service
-install -D -m 644 %{SOURCE11} %{buildroot}%{_unitdir}/%{name}.service
-ln -sf service %{buildroot}%{_sbindir}/rc%{name}
-install -D -m644 %{SOURCE4} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}
-
# fix file duplicates
+%if 0%{?suse_version} > 1030
%fdupes -s %{buildroot}%{_prefix}
+%endif
+%if 0%{?fedora_version} > 8
+fdupes -q -n -r %{buildroot}%{_prefix}
+%endif
+
+# systemd vs SysVinit
+%if 0%{?has_systemd}
+ install -D -m 644 %{SOURCE11} %{buildroot}%{_unitdir}/%{name}.service
+ ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
+%else # SysVinit
+ # fix postrotate script for SysVinit
+ sed -i -re 's@/usr/bin/systemctl.*@/etc/init.d/squid reload@g' %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
+ %if 0%{?suse_version}
+ install -D %{SOURCE3} %{buildroot}%{_sysconfdir}/init.d/%{name}
+ ln -sf %{_sysconfdir}/init.d/%{name} %{buildroot}%{_sbindir}/rc%{name}
+ %else # lets just assume other are rh based ones...
+ install -D %{SOURCE14} %{buildroot}%{_sysconfdir}/init.d/%{name}
+ %endif
+%endif
+%if 0%{?suse_version}
+ install -D -m644 %{SOURCE4} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}
+%else
+ install -D -m644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/%{name}
+%endif
%pre
# we need this group for /usr/sbin/pinger
-if [ -z "`%{_bindir}/getent group %{name} 2>/dev/null`" ]; then
+if [[ -z $(%{_bindir}/getent group %{name} 2>/dev/null) ]]; then
%{_sbindir}/groupadd -g 31 -r %{name} 2>/dev/null
fi
# we need this group for squid (ntlmauth)
# read access to /var/lib/samba/winbindd_privileged
-if [ -z "`%{_bindir}/getent group winbind 2>/dev/null`" ]; then
+if [[ -z $(%{_bindir}/getent group winbind 2>/dev/null) ]]; then
%{_sbindir}/groupadd -r winbind 2>/dev/null
fi
-if [ -z "`%{_bindir}/getent passwd squid 2>/dev/null`" ]; then
+if [[ -z $(%{_bindir}/getent passwd squid 2>/dev/null) ]]; then
%{_sbindir}/useradd -c "WWW-proxy squid" -d %{_localstatedir}/cache/%{name} \
-G winbind -g %{name} -o -u 31 -r -s /bin/false \
%{name} 2>/dev/null
fi
+# if default group is not squid, change it
+if [[ "$(%{_bindir}/id -ng %{name} 2>/dev/null)" != "%{name}" ]]; then
+ %{_sbindir}/usermod -g %{name} %{name} 2>/dev/null
+fi
# if squid is not member of winbind, add him
-if [ `%{_bindir}/id -nG %{name} 2>/dev/null | grep -q winbind >/dev/null; echo $?` -ne 0 ]; then
+if [[ $(%{_bindir}/id -nG %{name} 2>/dev/null | grep -q winbind >/dev/null; echo $?) -ne 0 ]]; then
%{_sbindir}/usermod -G winbind %{name} 2>/dev/null
fi
+
+%if 0%{?has_systemd}
%service_add_pre %{name}.service
+%endif
%post
-%set_permissions %{_sbindir}/pinger
+%if 0%{?suse_version} >= 1140
+ %if 0%{?set_permissions:1}
%set_permissions %{_sbindir}/basic_pam_auth
+%set_permissions %{_sbindir}/pinger
%set_permissions %{_localstatedir}/cache/squid/
%set_permissions %{_localstatedir}/log/squid/
+ %else
+%run_permissions
+ %endif
+%endif
# update mode?
if [ "$1" -gt "1" ]; then
if [ -e etc/%{name}.conf -a ! -L etc/%{name}.conf -a ! -e etc/%{name}/%{name}.conf ]; then
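Review bot: The new outer guard `%if 0%{?suse_version} >= 1140` in %post means that on older SUSE targets (the SLE11 case the commit message names) neither `%set_permissions` nor `%run_permissions` is run. Those builds install a permissions.d file and package `basic_pam_auth` and `pinger` without special mode bits, so whether the helpers get their intended ownership and mode depends on something outside the package applying the permissions file. If that is intended, a comment in %post should say so; otherwise use `%if 0%{?suse_version}` as the outer guard so older releases take the `%run_permissions` branch. The %post body continues past the end of this hunk.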
@@ -230,20 +323,53 @@ if [ "$1" -gt "1" ]; then
# default group changed from nogroup to squid
%{_sbindir}/usermod -g %{name} %{name}
fi
-%fillup_only
+
+%if 0%{?has_systemd}
%service_add_post squid.service
+%else
+ %if 0%{?suse_version}
+%{fillup_and_insserv -n "squid"}
+ %else
+ /sbin/chkconfig --add squid
+ %endif
+%endif
%preun
+%if 0%{?has_systemd}
%service_del_preun squid.service
+%else
+ %if 0%{?suse_version}
+%stop_on_removal squid
+ %else
+ if [ $1 = 0 ] ; then
+ service squid stop >/dev/null 2>&1
+ rm -f /var/log/squid/*
+ /sbin/chkconfig --del squid
+ fi
+ %endif
+%endif
+%if 0%{?suse_version}
%verifyscript
%verify_permissions -e %{_sbindir}/basic_pam_auth
%verify_permissions -e %{_sbindir}/pinger
%verify_permissions -e %{_localstatedir}/cache/squid/
%verify_permissions -e %{_localstatedir}/log/squid/
+%endif
%postun
+%if 0%{?has_systemd}
%service_del_postun squid.service
+%else
+ %if 0%{?suse_version}
+%restart_on_update squid
+%insserv_cleanup
+ %else
+ if [ "$1" -ge "1" ] ; then
+ service squid condrestart >/dev/null 2>&1
+ fi
+ %endif
+%endif
%files
%defattr(-,root,root)
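Review bot: The non-SUSE `%preun` branch runs `rm -f /var/log/squid/*` on erase, which deletes everything in the proxy's log directory along with the package. Those logs are often the only record of what clients requested through the proxy, and removing a package should not destroy them; I would drop that line and leave retention to logrotate and the administrator. In the same branch `service squid stop` relies on PATH, while the `Requires(preun)` added earlier names `/sbin/service`, so `/sbin/service squid stop >/dev/null 2>&1` would be consistent. `[ $1 = 0 ]` should also quote `$1`, as the %postun branch does. The %post block at the top of this hunk starts before it.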
@@ -253,7 +379,11 @@ fi
%doc doc/contrib doc/scripts
%doc doc/debug-sections.txt src/%{name}.conf.default
%doc %{_mandir}/man?/*
+%if 0%{?has_systemd}
%{_unitdir}/%{name}.service
+%else
+%{_sysconfdir}/init.d/%{name}
+%endif
%verify(not user group mode) %attr(750,%{name},root) %dir %{_localstatedir}/cache/%{name}/
%verify(not user group mode) %attr(750,%{name},root) %dir %{_localstatedir}/log/%{name}/
%dir %{squidconfdir}
@@ -270,6 +400,9 @@ fi
%config %{squidconfdir}/%{name}.conf.default
%config %{squidconfdir}/%{name}.conf.documented
%config %{_sysconfdir}/pam.d/%{name}
+%if 0%{?suse_version} < 1140
+%config %{_sysconfdir}/permissions.d/%{name}
+%endif
%dir %{_datadir}/%{name}
%{_datadir}/%{name}/errors
%{_datadir}/%{name}/icons
@@ -286,7 +419,11 @@ fi
%{_sbindir}/basic_msnt_multi_domain_auth
%{_sbindir}/basic_ncsa_auth
%{_sbindir}/basic_nis_auth
+%if 0%{?suse_version} < 1140
+%{_sbindir}/basic_pam_auth
+%else
%verify(not mode) %attr(2750,root,shadow) %{_sbindir}/basic_pam_auth
+%endif
%{_sbindir}/basic_pop3_auth
%{_sbindir}/basic_radius_auth
%{_sbindir}/basic_sasl_auth
@@ -294,6 +431,7 @@ fi
%{_sbindir}/basic_smb_auth.sh
%{_sbindir}/cert_tool
%{_sbindir}/cert_valid.pl
+#{_sbindir}/digest_edirectory_auth
%{_sbindir}/digest_file_auth
%{_sbindir}/digest_ldap_auth
%{_sbindir}/diskd
@@ -312,15 +450,24 @@ fi
%{_sbindir}/negotiate_wrapper_auth
%{_sbindir}/ntlm_fake_auth
%{_sbindir}/ntlm_smb_lm_auth
-%verify(not user group mode caps) %attr(750,root,squid) %{_sbindir}/pinger
+# not working %%caps(cap_net_raw=ep)
+%if 0%{?suse_version} < 1140
+%attr(0750,root,squid) %{_sbindir}/pinger
+%else
+%verify(not user group mode caps) %attr(0750,root,squid) %{_sbindir}/pinger
+%endif
%{_sbindir}/%{name}
%{_sbindir}/ssl_crtd
%{_sbindir}/storeid_file_rewrite
%{_sbindir}/unlinkd
%{_sbindir}/url_fake_rewrite
%{_sbindir}/url_fake_rewrite.sh
+%if 0%{?suse_version}
%{_sbindir}/rc%{name}
%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}
+%else
+%{_sysconfdir}/sysconfig/%{name}
+%endif
%dir %{_libdir}/%{name}
%{_libdir}/%{name}/cachemgr.cgi
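Review bot: The comment `# not working %%caps(cap_net_raw=ep)` above the pinger entries records what failed, but not how pinger is now expected to get its raw-socket privilege. Both branches package it as `0750 root:squid`, with no setuid bit and no file capability in the payload. I would replace the comment with something like `# pinger needs CAP_NET_RAW; it is granted via the permissions file, not the payload (%%caps did not work here)`, adjusted to whatever is actually the case, since the permissions file is not visible in this hunk. The `< 1140` branch also matches builds where `suse_version` is undefined, and nothing visible here grants the privilege on those. The %files list continues outside this hunk.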