pool/squid
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 280566 from server:proxy

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/280566
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/squid?expand=0&rev=20
This commit is contained in:
Dominique Leuenberger 2015-01-09 19:50:52 +00:00 committed by Git OBS Bridge
commit 8510e6c251
15 changed files with 315 additions and 1008 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

594
RELEASENOTES.html
View File

@ -1,594 +0,0 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.69">
<TITLE>Squid 3.4.4 release notes</TITLE>
</HEAD>
<BODY>
<H1>Squid 3.4.4 release notes</H1>
<H2>Squid Developers</H2>
<HR>
<EM>This document contains the release notes for version 3.4 of Squid.
Squid is a WWW Cache application developed by the National Laboratory
for Applied Network Research and members of the Web Caching community.</EM>
<HR>
<P>
<H2><A NAME="toc1">1.</A> <A HREF="#s1">Notice</A></H2>
<UL>
<LI><A NAME="toc1.1">1.1</A> <A HREF="#ss1.1">Known issues</A>
<LI><A NAME="toc1.2">1.2</A> <A HREF="#ss1.2">Changes since earlier releases of Squid-3.4</A>
</UL>
<P>
<H2><A NAME="toc2">2.</A> <A HREF="#s2">Major new features since Squid-3.3</A></H2>
<UL>
<LI><A NAME="toc2.1">2.1</A> <A HREF="#ss2.1">Helper protocol extensions</A>
<LI><A NAME="toc2.2">2.2</A> <A HREF="#ss2.2">SSL Server Certificate Validator</A>
<LI><A NAME="toc2.3">2.3</A> <A HREF="#ss2.3">Store-ID</A>
<LI><A NAME="toc2.4">2.4</A> <A HREF="#ss2.4">TPROXY Support for OpenBSD 5.1+ and FreeBSD 9+</A>
<LI><A NAME="toc2.5">2.5</A> <A HREF="#ss2.5">Transaction Annotations</A>
<LI><A NAME="toc2.6">2.6</A> <A HREF="#ss2.6">Multicast DNS</A>
</UL>
<P>
<H2><A NAME="toc3">3.</A> <A HREF="#s3">Changes to squid.conf since Squid-3.3</A></H2>
<UL>
<LI><A NAME="toc3.1">3.1</A> <A HREF="#ss3.1">New tags</A>
<LI><A NAME="toc3.2">3.2</A> <A HREF="#ss3.2">Changes to existing tags</A>
<LI><A NAME="toc3.3">3.3</A> <A HREF="#ss3.3">Removed tags</A>
</UL>
<P>
<H2><A NAME="toc4">4.</A> <A HREF="#s4">Changes to ./configure options since Squid-3.3</A></H2>
<UL>
<LI><A NAME="toc4.1">4.1</A> <A HREF="#ss4.1">New options</A>
<LI><A NAME="toc4.2">4.2</A> <A HREF="#ss4.2">Changes to existing options</A>
<LI><A NAME="toc4.3">4.3</A> <A HREF="#ss4.3">Removed options</A>
</UL>
<P>
<H2><A NAME="toc5">5.</A> <A HREF="#s5">Regressions since Squid-2.7</A></H2>
<UL>
<LI><A NAME="toc5.1">5.1</A> <A HREF="#ss5.1">Missing squid.conf options available in Squid-2.7</A>
</UL>
<HR>
<H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2>
<P>The Squid Team are pleased to announce the release of Squid-3.4.4 for testing.</P>
<P>This new release is available for download from
<A HREF="http://www.squid-cache.org/Versions/v3/3.4/">http://www.squid-cache.org/Versions/v3/3.4/</A> or the
<A HREF="http://www.squid-cache.org/Mirrors/http-mirrors.html">mirrors</A>.</P>
<P>While this release is not deemed ready for production use, we believe it is ready for wider testing by the community.</P>
<P>We welcome feedback and bug reports. If you find a bug, please see
<A HREF="http://wiki.squid-cache.org/SquidFaq/BugReporting">http://wiki.squid-cache.org/SquidFaq/BugReporting</A>
for how to submit a report with a stack trace.</P>
<H2><A NAME="ss1.1">1.1</A> <A HREF="#toc1.1">Known issues</A>
</H2>
<P>Although this release is deemed good enough for use in many setups, please note the existence of
<A HREF="http://bugs.squid-cache.org/buglist.cgi?query_format=advanced&amp;product=Squid&amp;bug_status=UNCONFIRMED&amp;bug_status=NEW&amp;bug_status=ASSIGNED&amp;bug_status=REOPENED&amp;version=3.4">open bugs against Squid-3.4</A>.</P>
<H2><A NAME="ss1.2">1.2</A> <A HREF="#toc1.2">Changes since earlier releases of Squid-3.4</A>
</H2>
<P>The 3.4 change history can be
<A HREF="http://www.squid-cache.org/Versions/v3/3.4/changesets/">viewed here</A>.</P>
<H2><A NAME="s2">2.</A> <A HREF="#toc2">Major new features since Squid-3.3</A></H2>
<P>Squid 3.4 represents a new feature release above 3.3.</P>
<P>The most important of these new features are:
<UL>
<LI>Helper protocol extensions</LI>
<LI>SSL Server Certificate Validator</LI>
<LI>Store-ID</LI>
<LI>TPROXY Support for OpenBSD 5.1+ and FreeBSD 9+</LI>
<LI>Transaction Annotations</LI>
<LI>Multicast DNS</LI>
</UL>
</P>
<P>Most user-facing changes are reflected in squid.conf (see below).</P>
<H2><A NAME="ss2.1">2.1</A> <A HREF="#toc2.1">Helper protocol extensions</A>
</H2>
<P>Details at
<A HREF="http://wiki.squid-cache.org/Features/AddonHelpers">http://wiki.squid-cache.org/Features/AddonHelpers</A>.</P>
<P>The Squid helper protocol used to communicate with authenticators,
URL-rewriters, Redirectors, and External ACL helpers has been updated
and extended.</P>
<P><EM>BH</EM> status code is now accepted from all helpers to report
internal error events separate from <EM>ERR</EM> rejection code.
Permitting Squid to perform recovery operations specific to
helper failure instead of a blanket client rejection.</P>
<P>Arbitrary key-value pairs can be returned from any helper.
Allowing future helpers to be forward- and backward- compatible
with this and future versions of Squid.</P>
<H2><A NAME="ss2.2">2.2</A> <A HREF="#toc2.2">SSL Server Certificate Validator</A>
</H2>
<P>Details at
<A HREF="http://wiki.squid-cache.org/Features/SslServerCertValidator">http://wiki.squid-cache.org/Features/SslServerCertValidator</A>.</P>
<P>The helper consulted after the internal OpenSSL validation, regardless of the
validation results. The helper will receive:</P>
<P>
<UL>
<LI>the origin server certificate (chain),</LI>
<LI>the intended domain name, and</LI>
<LI>a list of OpenSSL validation errors (if any).</LI>
</UL>
</P>
<P>If the helper decides to honor an OpenSSL error or report another validation
error(s), the helper will return:</P>
<P>
<UL>
<LI>A list of certificates.</LI>
<LI>A list of items consists the the validation error name (see <EM>%err_name</EM>
error page macro and <EM>%err_details</EM> code for <EM>logformat</EM>), error reason
(<EM>%ssl_lib_error macro</EM>), and the offending certificate.</LI>
</UL>
</P>
<P>The returned information mimics what the internal OpenSSL-based validation code
collects now. Returned errors, if any, are fed to <EM>sslproxy_cert_error</EM>,
triggering the existing SSL error processing code.</P>
<P>The helper invocation controlled by the <EM>sslcrtvalidator_program</EM> and
<EM>sslcrtvalidator_children</EM> configurations options which are similar to the
<EM>ssl_crtd</EM> related options. </P>
<H2><A NAME="ss2.3">2.3</A> <A HREF="#toc2.3">Store-ID</A>
</H2>
<P>Details at
<A HREF="http://wiki.squid-cache.org/Features/StoreID">http://wiki.squid-cache.org/Features/StoreID</A>.</P>
<P>This feature is a redesigned equivalent to the Squid-2.7 feature known as StoreURL-rewrite.</P>
<P><EM>Notice</EM> that this is not a direct portage of the Squid-2.7 feature so behaviour
differences do exist. Although the new feature works in similar enough ways that the old
helper scripts used for Squid-2.7 are expected to work in this and later versions of Squid.</P>
<P>Squid traditionally uses the requested URL as an index key ID to locate objects in cache.
It is not the only key possible and the Store-ID feature exposes an API for external
helpers to provide Squid with an alternative key name for any URL.</P>
<P>When any client request is received which requires a cache lookup the URL is passed to
a helper specified with the <EM>store_id_program</EM> directive to check for an alternative
Store ID. This allows the helper to identify URLs which refer to duplicate resources and
de-duplicate the cache content. <EM>store_id_access</EM> is provided to allow ACL-based
tuning of which traffic gets sent to the helper and reduce overheads.</P>
<P>One subtle and noteworthy difference between Squid-2 and Squid-3 which is highlighted by
this feature is that <EM>refresh_pattern</EM> applies its regex argument against the Store
ID key and not the transaction URL. So using the Store-ID feature to alter the value
affects which <EM>refresh_pattern</EM> directive will be matched.</P>
<P>Store-ID helpers bundled with Squid can be built with the --enable-storeid-rewrite-helpers
option which is added in this version. Currently there is a <EM>file</EM> helper
provided.</P>
<H2><A NAME="ss2.4">2.4</A> <A HREF="#toc2.4">TPROXY Support for OpenBSD 5.1+ and FreeBSD 9+</A>
</H2>
<P>Details at
<A HREF="http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf">http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf</A>.</P>
<P>The Packet Filter (PF) firewall in OpenBSD 4.4 and later offers traffic interception
using several very simple methods. One of which is the <EM>divert-to</EM> rule type
which acts as a simple routing diversion instead of performing NAT packet alterations.</P>
<P>The IP Firewall (IPFW) on FreeBSD 9+ contains a port of the Linux Netfilter TPROXY feature.</P>
<P>This version of Squid adds support for these features through the ./configure
options --enable-pf-transparent and --enable-ipfw-transparent when Squid is built on
systems with the required support. No special extras are required to enable
<EM>http_port ... tproxy</EM> configuration to work.</P>
<P>NOTE: To resolve NAT lookup issues on recent PF firewall versions the code behind
<EM>./configure --enable-pf-transparent</EM> has been altered and is expected to
break on the version of PF firewall shipped with BSD systems such as NetBSD and FreeBSD
which do not yet support the getsockname() API.
These systems require <EM>--with-nat-devpf</EM> to enable /dev/pf support when using PF firewall.</P>
<H2><A NAME="ss2.5">2.5</A> <A HREF="#toc2.5">Transaction Annotations</A>
</H2>
<P>Previously the only annotation methods available were ICAP/eCAP HTTP header insertions
or external ACL <EM>tag=</EM> result code. Each of which had only limited possibilities
for use and little or no correlation.</P>
<P>It is now possible to add annotations to a client transaction from several sources:
<UL>
<LI> Directly from squid.conf using the <EM>note</EM> directive with
ACL-based selection of which annotation is linked to any
particular transaction.
</LI>
<LI> By configured helper processes returning a key=value pair.
The key name becomes the annotation name.</LI>
</UL>
</P>
<P>Annotations on the transaction can be passed to ICAP services or eCAP modules using the
<EM>adaptation_meta</EM> directive to send them as headers.
They can also be logged using the <EM>%note</EM> log format code in custom logs. With
the new helper response syntax changes this means all helper response key=value details
such as URL-rewrite or store-id changes, external ACL tag etc. are now able to be logged.</P>
<P>Annotations which are already assigned to a transaction can be checked using an ACL test
of the new <EM>note</EM> ACL type. This can match a particular note by name and value,
of for any notes with a given name.</P>
<P>NOTE: not all helper interfaces are yet enabled to convert key=value into annotations
and the external ACL interface does not yet send annotations to the helper.</P>
<H2><A NAME="ss2.6">2.6</A> <A HREF="#toc2.6">Multicast DNS</A>
</H2>
<P>The internal DNS component of Squid now supports multicast DNS (mDNS) resolution in
accordance with RFC 6762.</P>
<P>The <EM>dns_multicast_local</EM> directive must be set to <EM>on</EM> to enable this
feature.</P>
<P>The multicast DNS group IP addresses for IPv4 and IPv6 resolving are added to the set
of available DNS resolvers and used automatically for domain names ending in <EM>.local</EM>
and reverse-DNS lookups before attempting a secondary resolution on the configured
resolvers. Domains without <EM>.local</EM> are resolved using only the configured resolvers.</P>
<P>Statistics for multicast DNS resolution can be found on the <EM>idns</EM> cache manager
report.</P>
<P><EM>NOTE</EM> that the external DNS helper interface is now deprecated and has been
removed from future Squid versions. Any installations still using it for local hostname
resolution need to upgrade to mDNS resolution with this Squid version.</P>
<H2><A NAME="s3">3.</A> <A HREF="#toc3">Changes to squid.conf since Squid-3.3</A></H2>
<P>There have been changes to Squid's configuration file since Squid-3.3.</P>
<P>Squid supports reading configuration option parameters from external
files using the syntax <EM>parameters("/path/filename")</EM>. For example:
<PRE>
acl whitelist dstdomain parameters("/etc/squid/whitelist.txt")
</PRE>
</P>
<P>There have also been changes to individual directives in the config file.</P>
<P>This section gives a thorough account of those changes in three categories:</P>
<P>
<UL>
<LI>
<A HREF="#newtags">New tags</A></LI>
<LI>
<A HREF="#modifiedtags">Changes to existing tags</A></LI>
<LI>
<A HREF="#removedtags">Removed tags</A></LI>
</UL>
</P>
<H2><A NAME="newtags"></A> <A NAME="ss3.1">3.1</A> <A HREF="#toc3.1">New tags</A>
</H2>
<P>
<DL>
<DT><B>configuration_includes_quoted_values</B><DD>
<P>Whether Squid supports directive parameters with spaces, quotes, and other
special characters. Surround such parameters with "double quotes" and
also set this directive on/off around the relevant squid.conf line(s)
making use of such quoting.</P>
<DT><B>dns_multicast_local</B><DD>
<P>Use multicast DNS for <EM>.local</EM> domains and reverse-DNS resolution.</P>
<DT><B>note</B><DD>
<P>Use ACLs to annotate a transaction with customized annotations
which can be logged in access.log</P>
<DT><B>spoof_client_ip</B><DD>
<P>Access control to determine whether to disable the TPROXY spoofing on upstream traffic.</P>
<DT><B>sslcrtvalidator_children</B><DD>
<P>Specifies the settings for how many SSL server certificate
validator helpers are run and when they are started.</P>
<DT><B>sslcrtvalidator_program</B><DD>
<P>Specifies the location of a SSL server certificate validator helper.</P>
<DT><B>store_id_access</B><DD>
<P>Whether the URL for a given request is passed to the Store-ID helper process.
Used to improve StoreID performance by quickly eliminating helper delays using ACL tests.</P>
<P>Ported equivalent to <EM>storeurl_access</EM> from 2.7</P>
<DT><B>store_id_bypass</B><DD>
<P>Whether the StoreID helper may be bypassed when overloaded.</P>
<DT><B>store_id_children</B><DD>
<P>Controls the number of StoreID helper processes.</P>
<P>Options <EM>startup=N</EM>, <EM>idle=N</EM>, <EM>concurrency=N</EM>
<UL>
<LI>startup=N allow finer tuning of how many helpers are started initially.</LI>
<LI>idle=N allow fine tuning of how many helper to retain as buffer against sudden traffic loads.</LI>
<LI>concurrency=N was previously called url_rewrite_concurrency as a distinct directive.</LI>
</UL>
</P>
<DT><B>store_id_rewrite_program</B><DD>
<P>A helper program to provide cache storage internal key ID value for a request.</P>
<P>Ported equivalent to <EM>storeurl_rewrite_program</EM> from 2.7</P>
</DL>
</P>
<H2><A NAME="modifiedtags"></A> <A NAME="ss3.2">3.2</A> <A HREF="#toc3.2">Changes to existing tags</A>
</H2>
<P>
<DL>
<DT><B>access_log</B><DD>
<P>Configuration syntax extended to support name=value options.
<EM>New Syntax:</EM> access_log module:place [option ...] [acl ...]</P>
<P>New option <EM>logformat=</EM> to specify the logging format name.</P>
<P>New option <EM>buffer-size=</EM> to specify how large the log buffer
for this log is to be when <EM>buffered_logs</EM> is enabled.</P>
<P>New option <EM>on-error=</EM> to specify what handling is to be done
if the logging module encounters a non-recoverable error writing logs.
With the value <EM>die</EM> (the default) Squid halts operation.
With the value <EM>drop</EM> Squid drops log lines and continue running.</P>
<DT><B>acl</B><DD>
<P>New test type <EM>server_cert_fingerprint</EM> to match against
server SSL certificate fingerprint.</P>
<P>New test type <EM>note</EM> to match against transaction annotations
by name and value, or just by name.</P>
<P>New test type <EM>any-of</EM> to match if any one of a set of named ACLs.</P>
<P>New test type <EM>all-of</EM> to match against all of a set of named ACLs.</P>
<DT><B>auth_param</B><DD>
<P>New result code <EM>BH</EM> to signal helper internal errors
available in all authentication schemes.</P>
<P>New key <EM>message=</EM> for error message details in all authentication schemes.</P>
<P>New result code <EM>OK</EM> and key <EM>ha1=</EM> in Digest authentication.</P>
<P>New result codes <EM>OK</EM>, <EM>ERR</EM> replace result codes <EM>AF</EM>,
and <EM>NA</EM> in NTLM and Negotiate authentication.</P>
<P>New key <EM>token=</EM> for NTLM and Negotiate authentication <EM>OK</EM> responses.</P>
<P>Details at
<A HREF="http://wiki.squid-cache.org/Features/AddonHelpers">http://wiki.squid-cache.org/Features/AddonHelpers</A>.</P>
<DT><B>external_acl_type</B><DD>
<P>Deprecated <EM>protocol=3.0</EM> option. No longer necessary.</P>
<P>New result code <EM>BH</EM> to signal helper internal errors</P>
<P>Details at
<A HREF="http://wiki.squid-cache.org/Features/AddonHelpers">http://wiki.squid-cache.org/Features/AddonHelpers</A>.</P>
<DT><B>http_port</B><DD>
<P>Support IPv6 for <EM>intercept</EM> mode. Requires ip6tables support on Linux,
PF support on OpenBSD and IPFW support on FreeBSD. Squid will no longer complain
about misconfiguration if IPv6 support is missing, we now rely on the firewall
tools reporting misconfiguration when the NAT rules are created.</P>
<P>Support <EM>tproxy</EM> mode traffic on BSD systems with BINDANY support
(OpenBSD 5+, FreeBSD 9+ so far).</P>
<P>Changed build options behind <EM>intercept</EM> traffic mode handling on BSD.
see <EM>--enable-pf-transparent</EM> for more details.</P>
<DT><B>logformat</B><DD>
<P>New format code <EM>%note</EM> to log a transaction annotation linked to the
transaction by ICAP, eCAP, a helper, or the <EM>note</EM> squid.conf directive.</P>
<P>New format code <EM>%&gt;qos</EM> to log client connection TOS/DSCP value set by Squid.</P>
<P>New format code <EM>%&lt;qos</EM> to log server connection TOS/DSCP value set by Squid.</P>
<P>New format code <EM>%&gt;nfmark</EM> to log client connection netfilter mark set by Squid.</P>
<P>New format code <EM>%&lt;nfmark</EM> to log server connection netfilter mark set by Squid.</P>
<DT><B>pipeline_prefetch</B><DD>
<P>Updated to take a numeric count of prefetched pipeline requests instead of ON/OFF.</P>
<DT><B>refresh_pattern</B><DD>
<P><EM>NOTE:</EM> the regular expression pattern operates on the cache Store-ID value.
Which by default is identical to the requested URL, but may differ for some
objects if the Store-ID feature is in use.</P>
<DT><B>unlinkd_program</B><DD>
<P>New helper response format utilizing result codes <EM>OK</EM> and <EM>BH</EM>,
to signal helper lookup results. Also, key-value response values to return
multiple values to Squid.</P>
<P>Details at
<A HREF="http://wiki.squid-cache.org/Features/AddonHelpers">http://wiki.squid-cache.org/Features/AddonHelpers</A>.</P>
<DT><B>url_rewrite_program</B><DD>
<P>New helper response format utilizing result codes <EM>OK</EM>, <EM>ERR</EM>,
and <EM>BH</EM> to signal helper lookup results. Also, key-value response
values to return multiple values to Squid.</P>
<P>Details at
<A HREF="http://wiki.squid-cache.org/Features/AddonHelpers">http://wiki.squid-cache.org/Features/AddonHelpers</A>.</P>
</DL>
</P>
<H2><A NAME="removedtags"></A> <A NAME="ss3.3">3.3</A> <A HREF="#toc3.3">Removed tags</A>
</H2>
<P>
<DL>
<DT><B>storeurl_access</B><DD>
<P>Replaced by <EM>store_id_access</EM>.</P>
<DT><B>storeurl_rewrite_children</B><DD>
<P>Replaced by <EM>store_id_children</EM>.</P>
<DT><B>storeurl_rewrite_concurrency</B><DD>
<P>Replaced by <EM>store_id_children</EM> with <EM>concurrency=N</EM> option.</P>
<DT><B>storeurl_rewrite_program</B><DD>
<P>Replaced by <EM>store_id_program</EM>.</P>
</DL>
</P>
<H2><A NAME="s4">4.</A> <A HREF="#toc4">Changes to ./configure options since Squid-3.3</A></H2>
<P>There have been some changes to Squid's build configuration since Squid-3.3.</P>
<P>This section gives an account of those changes in three categories:</P>
<P>
<UL>
<LI>
<A HREF="#newoptions">New options</A></LI>
<LI>
<A HREF="#modifiedoptions">Changes to existing options</A></LI>
<LI>
<A HREF="#removedoptions">Removed options</A></LI>
</UL>
</P>
<H2><A NAME="newoptions"></A> <A NAME="ss4.1">4.1</A> <A HREF="#toc4.1">New options</A>
</H2>
<P>
<DL>
<DT><B>--enable-storeid-rewrite-helpers</B><DD>
<P>New option to control which Store-ID helpers are built. As with other
helper options use --disable-* to prevent any helpers building and
omit to get all helper auto-detected.</P>
<P>Currenly only a helper using <EM>file</EM> for backend is provided.</P>
<DT><B>--disable-arch-native</B><DD>
<P>New option to disable use of -march=native compiler flag.</P>
<P>The new flag auto-enables CPU-specific optimizations in GCC and is
required by Clang++ v3.2 for correct 64-bit environment detection.
It does not always work well however, so this build option is provided
to remove it when necessary.</P>
<DT><B>--with-nat-devpf</B><DD>
<P>New option to alter the behaviour of <EM>http_port ... intercept</EM> option
in squid.conf.</P>
<P>When this option is used Squid performs the /dev/pf lookups required to
support PF <EM>rdr-to</EM> rules. Otherwise Squid will perform perform the
getsockname() API calls to support PF <EM>divert-to</EM> rules.</P>
<P>NOTE: systems such as NetBSD and FreeBSD which do not yet support
the getsockname() API in recent PF versions require this option.</P>
</DL>
</P>
<H2><A NAME="modifiedoptions"></A> <A NAME="ss4.2">4.2</A> <A HREF="#toc4.2">Changes to existing options</A>
</H2>
<P>
<DL>
<DT><B>--enable-pf-transparent</B><DD>
<P>NAT table support updated to use the getsockname() API provided by the
latest PF versions <EM>divert-to</EM>. This allows <EM>http_port</EM>
in squid.conf to support both <EM>intercept</EM> and <EM>tproxy</EM> traffic
and to silence NAT lookup failure messages on recent BSD.</P>
<P>NOTE: systems such as NetBSD and FreeBSD which do not yet support
the getsockname() API in recent PF versions require <EM>--with-nat-devpf</EM>
to re-enable /dev/pf support when using PF firewall.</P>
<DT><B>--disable-translation</B><DD>
<P>Default changed to prevent translating error page templates during build.
Use --enable-translation to explicitly build and install the templates.</P>
<P>The latest pre-translated templates can be downloaded from
<A HREF="http://www.squid-cache.org/Versions/langpack/">http://www.squid-cache.org/Versions/langpack/</A></P>
</DL>
</P>
<H2><A NAME="removedoptions"></A> <A NAME="ss4.3">4.3</A> <A HREF="#toc4.3">Removed options</A>
</H2>
<P>
<DL>
<P><EM>There are no removed ./configure options in Squid-3.4.</EM></P>
</DL>
</P>
<H2><A NAME="s5">5.</A> <A HREF="#toc5">Regressions since Squid-2.7</A></H2>
<P>Some squid.conf options which were available in Squid-2.7 are not yet available in Squid-3.4</P>
<P>If you need something to do then porting one of these from Squid-2 to Squid-3 is most welcome.</P>
<H2><A NAME="ss5.1">5.1</A> <A HREF="#toc5.1">Missing squid.conf options available in Squid-2.7</A>
</H2>
<P>
<DL>
<DT><B>broken_vary_encoding</B><DD>
<P>Not yet ported from 2.6</P>
<DT><B>cache_dir</B><DD>
<P><EM>COSS</EM> storage type is lacking stability fixes from 2.6</P>
<P>COSS <EM>overwrite-percent=</EM> option not yet ported from 2.6</P>
<P>COSS <EM>max-stripe-waste=</EM> option not yet ported from 2.6</P>
<P>COSS <EM>membufs=</EM> option not yet ported from 2.6</P>
<P>COSS <EM>maxfullbufs=</EM> option not yet ported from 2.6</P>
<DT><B>cache_peer</B><DD>
<P><EM>idle=</EM> not yet ported from 2.7</P>
<P><EM>monitorinterval=</EM> not yet ported from 2.6</P>
<P><EM>monitorsize=</EM> not yet ported from 2.6</P>
<P><EM>monitortimeout=</EM> not yet ported from 2.6</P>
<P><EM>monitorurl=</EM> not yet ported from 2.6</P>
<DT><B>cache_vary</B><DD>
<P>Not yet ported from 2.6</P>
<DT><B>collapsed_forwarding</B><DD>
<P>Not yet ported from 2.6</P>
<DT><B>error_map</B><DD>
<P>Not yet ported from 2.6</P>
<DT><B>external_refresh_check</B><DD>
<P>Not yet ported from 2.7</P>
<DT><B>location_rewrite_access</B><DD>
<P>Not yet ported from 2.6</P>
<DT><B>location_rewrite_children</B><DD>
<P>Not yet ported from 2.6</P>
<DT><B>location_rewrite_concurrency</B><DD>
<P>Not yet ported from 2.6</P>
<DT><B>location_rewrite_program</B><DD>
<P>Not yet ported from 2.6</P>
<DT><B>refresh_pattern</B><DD>
<P><EM>stale-while-revalidate=</EM> not yet ported from 2.7</P>
<P><EM>ignore-stale-while-revalidate=</EM> not yet ported from 2.7</P>
<P><EM>negative-ttl=</EM> not yet ported from 2.7</P>
<DT><B>refresh_stale_hit</B><DD>
<P>Not yet ported from 2.7</P>
<DT><B>update_headers</B><DD>
<P>Not yet ported from 2.7</P>
</DL>
</P>
</BODY>
</HTML>

3
rpmlintrc
View File

@ -1,3 +0,0 @@
addFilter("macro-in-comment")
addFilter("no-manual-page-for-binary")
addFilter("zero-length")

3
squid-3.4.10.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:5a971c4f5404113bd0264d13137cd5f326b58ef20c17beae836036668aeabc97
size 3043193

20
squid-3.4.10.tar.bz2.asc Normal file
View File

@ -0,0 +1,20 @@
File: squid-3.4.10.tar.bz2
Date: Tue Dec 9 17:23:33 UTC 2014
Size: 3043193
MD5 : 326283b0c37e7dc9b2f90dc0ecd9a8a4
SHA1: a04ab50971e1a446fe82514fff830898661c6fad
Key : 0xFF5CF463 <squid3@treenet.co.nz>
fingerprint = EA31 CC5E 9488 E516 8D2D CC5E B268 E706 FF5C F463
keyring = http://www.squid-cache.org/pgp.asc
keyserver = subkeys.pgp.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAABAgAGBQJUhzBbAAoJELJo5wb/XPRjUCIH/3hfJgMi/iKRZpedeFjQhstf
twbTxrtW1x+Er6J3pswPUIbLcYARHhsTpfYHAatleE1Ccl9b16FXSMSXobHpmrab
YR1q/N/W3QwgqH3D2a2m8eUNJTWxTeZ1xYeGzHJK7sgKfaBbt/JlYfs8nh7ekdkV
GjHzHa3IDuq5VX4Pra6riCW9NjAvUo8oaesU3ZRjV9fECbZ2XMqvrxHq7V7bGOgx
sU1gsRjlgsAZeFDiEXz+Dww2RBh46/gUwJZwO/uTYmJjPzr4hFb1PLwEVL4+auv2
uS8lta6K9ZpIXPXaKj0zntG1Z+5X77SoLoTQMq06PpLlGpDjYMDzcs25mCyU1R0=
=Ooir
-----END PGP SIGNATURE-----

3
squid-3.4.4.tar.bz2
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:d15e7cc8b1cb25b1b552d938e622819a9cbf5c5bbb517875709a6088bbd3d1e5
size 2812380

20
squid-3.4.4.tar.bz2.asc
View File

@ -1,20 +0,0 @@
File: squid-3.4.4.tar.bz2
Date: Sun Mar 9 10:06:07 UTC 2014
Size: 2812380
MD5 : f9c7dd495e45042cc162d89cfbb97cc0
SHA1: 1d5db3970d4a8bd460315d90253c5c20d96abdad
Key : 0xFF5CF463 <squid3@treenet.co.nz>
fingerprint = EA31 CC5E 9488 E516 8D2D CC5E B268 E706 FF5C F463
keyring = http://www.squid-cache.org/pgp.asc
keyserver = subkeys.pgp.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAABAgAGBQJTHD43AAoJELJo5wb/XPRjD/QH/3GMK+VPmnP5QiMgr995Zp+o
ZHfQoVXO679Mq55Yv53ZSCE8xUGtqwaabm/3pP+U1URrs2kTJV+392fN43RmZ7R+
11zvIXJD3/dGAHAKQlxELMskWNNAdQWCpXGhKaJFU0ghvqlGpq1hLx2M5DqOgJBU
DoFLFUQdKLPU8n1PwnY3SKdT3q3VxpSVbaUx+doQnsNW2Fj2NBj/kb2TQy/1UmyF
FWVpn6Gr3BMCrl4uiw1yiCdHty61Tt6BH6swjA7sQjcenMLWQjNzRzGgM4TfhlvR
czHrrJDbpNZ7Z8NBGvyAYBQmsFRxNm51yIFmpRst+PJBZuNJFW4RB9lek1hWsuk=
=zJQN
-----END PGP SIGNATURE-----

4
squid-compiled_without_RPM_OPT_FLAGS.patch
View File

@ -2,7 +2,7 @@ Index: src/Makefile.am
===================================================================
--- src/Makefile.am.orig
+++ src/Makefile.am
@@ -981,7 +981,7 @@ cache_cf.o: cf_parser.cci
@@ -983,7 +983,7 @@ cache_cf.o: cf_parser.cci
# cf_gen builds the configuration files.
cf_gen$(EXEEXT): $(cf_gen_SOURCES) $(cf_gen_DEPENDENCIES) cf_gen_defines.cci
@ -15,7 +15,7 @@ Index: src/Makefile.in
===================================================================
--- src/Makefile.in.orig
+++ src/Makefile.in
@@ -7295,7 +7295,7 @@ cache_cf.o: cf_parser.cci
@@ -7742,7 +7742,7 @@ cache_cf.o: cf_parser.cci
# cf_gen builds the configuration files.
cf_gen$(EXEEXT): $(cf_gen_SOURCES) $(cf_gen_DEPENDENCIES) cf_gen_defines.cci

8
squid-config.patch
View File

@ -2,7 +2,7 @@ Index: src/cf.data.pre
===================================================================
--- src/cf.data.pre.orig
+++ src/cf.data.pre
@@ -1350,6 +1350,8 @@ http_access deny manager
@@ -1361,6 +1361,8 @@ http_access deny manager
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
@ -11,7 +11,7 @@ Index: src/cf.data.pre
http_access allow localhost
# And finally deny all other access to this proxy
@@ -3361,6 +3363,10 @@ DOC_START
@@ -3414,6 +3416,10 @@ DOC_START
Instead, if you want Squid to use the entire disk drive,
subtract 20% and use that value.
@ -22,7 +22,7 @@ Index: src/cf.data.pre
'L1' is the number of first-level subdirectories which
will be created under the 'Directory'. The default is 16.
@@ -3494,7 +3500,7 @@ DOC_START
@@ -3547,7 +3553,7 @@ DOC_START
NOCOMMENT_START
# Uncomment and adjust the following to add a disk cache directory.
@ -31,7 +31,7 @@ Index: src/cf.data.pre
NOCOMMENT_END
DOC_END
@@ -4147,7 +4153,7 @@ DOC_END
@@ -4178,7 +4184,7 @@ DOC_END
NAME: logfile_rotate
TYPE: int

8
squid-nobuilddates.patch
View File

@ -44,14 +44,14 @@ Index: helpers/external_acl/LM_group/ext_lm_group_acl.cc
- debug("External ACL win32 group helper build " __DATE__ ", " __TIME__
- " starting up...\n");
+ debug("External ACL win32 group helper build starting up...\n");
if (use_global)
if (use_global) {
debug("Domain Global group mode enabled using '%s' as default domain.\n", DefaultDomain);
if (use_case_insensitive_compare)
}
Index: helpers/negotiate_auth/SSPI/negotiate_sspi_auth.cc
===================================================================
--- helpers/negotiate_auth/SSPI/negotiate_sspi_auth.cc.orig
+++ helpers/negotiate_auth/SSPI/negotiate_sspi_auth.cc
@@ -272,7 +272,7 @@ main(int argc, char *argv[])
@@ -274,7 +274,7 @@ main(int argc, char *argv[])
process_options(argc, argv);
@ -64,7 +64,7 @@ Index: helpers/ntlm_auth/SSPI/ntlm_sspi_auth.cc
===================================================================
--- helpers/ntlm_auth/SSPI/ntlm_sspi_auth.cc.orig
+++ helpers/ntlm_auth/SSPI/ntlm_sspi_auth.cc
@@ -609,7 +609,7 @@ main(int argc, char *argv[])
@@ -611,7 +611,7 @@ main(int argc, char *argv[])
process_options(argc, argv);

5
squid-rpmlintrc Normal file
View File

@ -0,0 +1,5 @@
addFilter("no-manual-page-for-binary")
addFilter("zero-length")
addFilter("incorrect-fsf-address")
# Temporary solution untill it is moved into factory
#setBadness('permissions-unauthorized-file', 333)

197
squid.changes
View File

@ -1,3 +1,200 @@
-------------------------------------------------------------------
Fri Jan 9 10:19:10 UTC 2015 - tchvatal@suse.com
- Cleanup with spec-cleaner
- Version bump to 3.4.10:
* Fix bootstrap.sh dependency on SPONSORS.list
* HTTP/2: Support 421 (Misdirected Request) status code
* Alternate-Protocol is a hop-by-hop header
* Bug #4148: external_acl_type header format does not accept the new libformat syntax
* Bug #4033: Rebuild corrupted ssl_db/size file
* Bug #3902: Docs: external_acl_type cache hash key
* Bug #4145: squid_endian.h compile errors with OpenBSD 5.6
* Fix segmentation fault in ACLUrlPathStrategy::match
- Remove support for other distros as we build for opensuse anyway
-------------------------------------------------------------------
Fri Jan 2 16:07:38 UTC 2015 - boris@steki.net
- remove permissions.easy and permissions.paranoid files from package
as they are not used any more
-------------------------------------------------------------------
Tue Dec 9 12:42:48 UTC 2014 - boris@steki.net
- remove setBadness in rpmlintrc as it should be already in Factory
permissions package handled
-------------------------------------------------------------------
Mon Dec 8 15:28:42 UTC 2014 - meissner@suse.com
- %verifyscript is its own section, move out of the %postun section
-------------------------------------------------------------------
Tue Dec 2 10:27:49 UTC 2014 - dimstar@opensuse.org
- Use URLs to paths that the source validator actually understands
and make this acceptable for Tumbleweed.
-------------------------------------------------------------------
Thu Nov 27 21:18:35 UTC 2014 - chris@computersalat.de
- fix for boo#894636 (squid's logrotate snippet runs init script)
* modify squid.logrotate to work on both systemd and SysVinit
-------------------------------------------------------------------
Thu Nov 27 13:16:58 UTC 2014 - lmuelle@suse.com
- Changes to 3.4.9 (31 Oct 2014):
+ Regression fix: ext_kerberos_ldap_group_acl typo in 3.4.7 update
+ Bug 4102: sslbump cert contains only a dot character in key usage extension
+ Bug 4093: source-maintenance.sh errors and warnings due to wrong
tools/options
+ Bug 4088: memory leak in external_acl_type helper with cache=0 or ttl=0
+ Bug 4024: Bad host/IP ::1 when using IPv4-only environment
+ Bug 3803: ident leaks memory on failure
+ kerberos_ldap_group/cert_tool: Remove ksh dependency;
obsoletes squid-cert_tool_use_bash_not_ksh.patch
+ ... and some automated code style updates
+ ... and some documentation updates
- Changes to 3.4.8 (15 Sep 2014):
+ Fix off by one in SNMP subsystem
+ pinger: Fix various ICMP handling issues; CVE-2014-7141; CVE-2014-7142;
http://www.squid-cache.org/Advisories/SQUID-2014_4.txt; bnc#891268
obsoletes squid-icmp-DoS.patch
-------------------------------------------------------------------
Wed Nov 26 21:45:48 UTC 2014 - lmuelle@suse.com
- Remove dependency on gpg-offline as signature checking is implemented in the
source validator.
-------------------------------------------------------------------
Wed Sep 24 11:49:04 UTC 2014 - chris@computersalat.de
- fix spec and changes file
-------------------------------------------------------------------
Tue Sep 16 09:31:35 UTC 2014 - boris@steki.net
- update logrotate file
* postrotate now defaults to 'systemd'
-------------------------------------------------------------------
Tue Sep 16 08:35:11 UTC 2014 - boris@steki.net
- fix for icmp pinger DOS bnc#891268
-------------------------------------------------------------------
Mon Sep 15 11:36:51 UTC 2014 - chris@computersalat.de
- some spec cleanup
- some systemd/SysVinit fixes
- fix sysconfig file for ! suse_version
-------------------------------------------------------------------
Thu Sep 11 15:25:01 UTC 2014 - boris@steki.net
- replaced permissions handling using setuid bit with use of
linux capabilities (on supported systems)
- general cleanup of .spec file and systemd handling
-------------------------------------------------------------------
Fri Sep 5 15:04:47 UTC 2014 - chris@computersalat.de
- Changes to 3.4.7 (28 Aug 2014):
* Regression Fix: Kerberos LDAP authorizing groups with principle subdomain
* Bug 4080: worker hangs when client identd is not responding
* Bug 3966: Add KeyEncipherment when ssl-bump substitues RSA for EC
* HTTP/1.1: Ignore Range headers with unidentifiable byte-range values
* SSL-bump: Use v3 for fake certificate if we add _any_ certificate extension
* Enable compile-time override for MAXTCPLISTENPORTS
* ntlm_sspi_auth: Fix various build errors
* negotiate_wrapper: Fix build issues with non-portable vfork()
* negotiate_sspi_auth: Portability fixes for MinGW
* ext_lm_group_acl: Portability fixes for MinGW
* ... and several minor memory leaks
- fix for bnc#894636
* fix postrotate for systemd
- rebase patches
* squid-cert_tool_use_bash_not_ksh.patch
* squid-compiled_without_RPM_OPT_FLAGS.patch
* squid-nobuilddates.patch
* squid-config.patch
-------------------------------------------------------------------
Thu Sep 4 16:02:45 UTC 2014 - chris@computersalat.de
- fix for bnc#894840
* fix logrotate file (sharedscripts)
-------------------------------------------------------------------
Sun Aug 31 09:32:01 UTC 2014 - boris@steki.net
- add --disable-arch-native configure param as vmware does not
emulate all instruction set and squid fails with
"Illegal instruction" more info at
http://wiki.squid-cache.org/KnowledgeBase/IllegalInstructionError
-------------------------------------------------------------------
Thu Aug 14 16:42:17 CEST 2014 - draht@suse.de
- squid-cert_tool_use_bash_not_ksh.patch:
/usr/sbin/cert_tool should use bash, not ksh. [bnc#891313]
-------------------------------------------------------------------
Sun Aug 10 21:16:29 UTC 2014 - chris@computersalat.de
- Changes to squid-3.4.6 (25 Jun 2014):
* Regression: segmentation fault logging with %tg format specifier
* Bug 4065: round-robin neighbor selection with unequal weights
* Bug 4056: assertion MemPools[type] from netdbExchangeStart()
* Bug 4050: segmentation fault in CommSelectEngine::checkEvents on helper response
* Fix segmentation fault setting up server SSL connnection
* Fix hanging Non-HTTPS connections on SSL-bump enabled port
* Fix Cache Manager actions listed more than once
* ... and many minor memory leaks
* ... and several portability build issues
* ... and some documentation updates
- Changes to squid-3.4.5 (02 May 2014):
* Regression Bug 4051: inverted test on CONNECT payload existence
* Regression Fix: order dependency between cache_dir and maximum_object_size
* Fix logformat %note display
* Resolve 'dying from an unhandled exception: c'
* Copyright: Update CONTRIBUTORS list of copyright holders
- fix deps
* libtool >= 2.4
* older libtool needs --with-included-ltd
-------------------------------------------------------------------
Thu Jul 31 14:01:54 UTC 2014 - dimstar@opensuse.org
- Rename rpmlintrc to %{name}-rpmlintrc.
Follow the packaging guidelines.
-------------------------------------------------------------------
Thu Apr 24 20:47:05 UTC 2014 - boris@steki.net
- fix rhel/centos usermod parameter invocation order
-------------------------------------------------------------------
Wed Apr 9 15:42:06 UTC 2014 - boris@steki.net
- setuid handling for opensuse using permissions updated
-------------------------------------------------------------------
Mon Apr 7 12:06:41 UTC 2014 - boris@steki.net
- enable build for centos/rhel
- add centos/rhel init script
-------------------------------------------------------------------
Sat Mar 29 16:47:44 UTC 2014 - chris@computersalat.de
- add 'squid' as default group and added suid bit for /usr/sbin/pinger
# pinger needs 'root' privileges to be able to ping (cache peer)
* attr(4750,root,squid) /usr/sbin/pinger
-------------------------------------------------------------------
Fri Mar 28 18:46:44 UTC 2014 - chris@computersalat.de

201
squid.init
View File

@ -1,201 +0,0 @@
#!/bin/sh
# Copyright (c) 1996, 1997, 1998 S.u.S.E. GmbH
# Copyright (c) 1998, 1999, 2000, 2001 SuSE GmbH
# Copyright (c) 2002 SuSE Linux AG
#
# Author: Frank Bodammer, Peter Poeml, Klaus Singvogel <feedback@suse.de>
#
# /etc/init.d/squid
# and its symbolic link
# /(usr/)sbin/rcsquid
#
### BEGIN INIT INFO
# Provides: squid
# Required-Start: $local_fs $remote_fs $network $time
# Should-Start: apache $named winbind
# Required-Stop: $local_fs $remote_fs $network $time
# Should-Stop: apache $named winbind
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Short-Description: Squid web cache
# Description: Start the Squid web cache, providing
# HTTP, FTP and other proxy services
### END INIT INFO
#
# Note on runlevels:
# 0 - halt/poweroff 6 - reboot
# 1 - single user 2 - multiuser without network exported
# 3 - multiuser w/ network (text mode) 5 - multiuser w/ network and X11 (xdm)
# Check for missing binaries (stale symlinks should not happen)
# Note: Special treatment of stop for LSB conformance
SQUID_BIN=/usr/sbin/squid
test -x $SQUID_BIN || { echo "$SQUID_BIN not installed";
if [ "$1" = "stop" ]; then exit 0;
else exit 5; fi; }
# Check for existence of needed config file and read it
SQUID_SYSCONFIG=/etc/sysconfig/squid
test -r $SQUID_SYSCONFIG || { echo "$SQUID_SYSCONFIG not existing";
if [ "$1" = "stop" ]; then exit 0;
else exit 6; fi; }
# Read config
. $SQUID_SYSCONFIG
SQUID_PID=/var/run/squid.pid
SQUID_CONF=/etc/squid/squid.conf
SQUID_S_T=${SQUID_SHUTDOWN_TIMEOUT:="60"}
SQUID_OPTS=${SQUID_START_OPTIONS:="-sY"}
SQUID_ULIMIT=${SQUID_DEFAULT_ULIMT:="4096"}
# determine which one is the cache_swap directory
SQUID_CACHE_DIR=$(perl -n -e \
'/^cache_dir\s+\S+\s+(.*)\s+\d+\s+\d+\s+\d+/ && print "$1"' $SQUID_CONF)
ulimit -n "$SQUID_ULIMIT"
#IN: $SQUID_CACHE_DIR
setup_squid_cache_dir(){
for adir in "$1" ; do
if [ ! -d $adir/00 ]; then # create missing cache directories
umask 027 # prevent users reading any cache data
echo -n " ($adir)"
$SQUID_BIN -z -F > /dev/null 2>&1
fi
if [ ! -d $adir/00 ]; then
echo " - failed while creating cache_dir ! "
rc_failed
rc_status -v
rc_exit
fi
done
sleep 2
}
# Shell functions sourced from /etc/rc.status:
# rc_check check and set local and overall rc status
# rc_status check and set local and overall rc status
# rc_status -v be verbose in local rc status and clear it afterwards
# rc_status -v -r ditto and clear both the local and overall rc status
# rc_status -s display "skipped" and exit with status 3
# rc_status -u display "unused" and exit with status 3
# rc_failed set local and overall rc status to failed
# rc_failed <num> set local and overall rc status to <num>
# rc_reset clear both the local and overall rc status
# rc_exit exit appropriate to overall rc status
# rc_active checks whether a service is activated by symlinks
. /etc/rc.status
# Reset status of this service
rc_reset
case "$1" in
start)
echo -n "Starting WWW-proxy squid "
if /sbin/checkproc $SQUID_BIN ; then
echo -n "- Warning: squid already running ! "
rc_failed
else
[ -e $SQUID_PID ] && echo -n "- Warning: $SQUID_PID exists ! "
if [ -n "$SQUID_CACHE_DIR" -a -d "$SQUID_CACHE_DIR" ]; then
setup_squid_cache_dir "$SQUID_CACHE_DIR"
fi
fi
startproc -l /var/log/squid/rcsquid.log $SQUID_BIN "$SQUID_OPTS"
# Remember status and be verbose
rc_status -v
;;
stop)
echo -n "Shutting down WWW-proxy squid "
if /sbin/checkproc $SQUID_BIN ; then
$SQUID_BIN -k shutdown
sleep 2
if [ -e $SQUID_PID ] ; then
echo -n "- wait a minute or two... "
i="$SQUID_S_T"
while [ -e $SQUID_PID ] && [ $i -gt 0 ] ; do
sleep 2
i=$[$i-1]
echo -n "."
[ $i -eq 41 ] && echo
done
fi
if /sbin/checkproc $SQUID_BIN ; then
killproc -TERM $SQUID_BIN
echo -n " Warning: squid killed !"
fi
else
echo -n "- Warning: squid not running ! "
rc_failed 7
fi
# Remember status and be verbose
rc_status -v
;;
try-restart)
$0 status >/dev/null && $0 restart
# Remember status and be quiet
rc_status
;;
restart)
$0 stop
$0 start
# Remember status and be quiet
rc_status
;;
force-reload)
$0 reload
# Remember status and be quiet
rc_status
;;
reload)
echo -n "Reloading WWW-proxy squid "
if /sbin/checkproc $SQUID_BIN ; then
$SQUID_BIN -k rotate
sleep 2
$SQUID_BIN -k reconfigure
rc_status
else
echo -n "- Warning: squid not running ! "
rc_failed 7
fi
# Remember status and be verbose
rc_status -v
;;
status)
echo -n "Checking for WWW-proxy squid "
## Check status with checkproc(8), if process is running
## checkproc will return with exit status 0.
# Return value is slightly different for the status command:
# 0 - service up and running
# 1 - service dead, but /var/run/ pid file exists
# 2 - service dead, but /var/lock/ lock file exists
# 3 - service not running (unused)
# 4 - service status unknown :-(
# 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)
# NOTE: checkproc returns LSB compliant status values.
/sbin/checkproc $SQUID_BIN
# Remember status and be verbose
rc_status -v
;;
probe)
test $SQUID_CONF -nt $SQUID_PID && echo reload
;;
*)
echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
exit 1
;;
esac
rc_exit

35
squid.logrotate
View File

@ -1,19 +1,5 @@
/var/log/squid/cache.log {
compress
dateext
maxage 365
rotate 99
size=+1024k
notifempty
missingok
create 640 squid root
sharedscripts
postrotate
/etc/init.d/squid reload
endscript
}
/var/log/squid/access.log {
/var/log/squid/access.log /var/log/squid/store.log /var/log/squid/cache.log {
su squid squid
compress
dateext
maxage 365
@ -24,21 +10,6 @@
create 640 squid root
sharedscripts
postrotate
/etc/init.d/squid reload
endscript
}
/var/log/squid/store.log {
compress
dateext
maxage 365
rotate 99
size=+4096k
notifempty
missingok
create 640 squid root
sharedscripts
postrotate
/etc/init.d/squid reload
/usr/bin/systemctl -q is-active squid.service && /usr/sbin/squid -k rotate
endscript
}

2
squid.permissions
View File

@ -1,2 +0,0 @@
/var/cache/squid/ squid:root 750
/var/log/squid/ squid:root 750

220
squid.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package squid
#
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -17,42 +17,25 @@
%define squidlibdir %{_libdir}/squid
%define squidconfdir /etc/squid
#define snap -20131225-r13064
%define squidconfdir %{_sysconfdir}/squid
Name: squid
Summary: Squid Version 3.3 WWW Proxy Server
Version: 3.4.10
Release: 0
Summary: A fully featured HTTP/1.0 proxy
License: GPL-2.0+
Group: Productivity/Networking/Web/Proxy
Version: 3.4.4
Release: 0
Url: http://www.squid-cache.org/Versions/v3/3.4
#Source0: http://www.squid-cache.org/Versions/v3/3.3/%{name}-%{version}%{snap}.tar.bz2
Source0: http://www.squid-cache.org/Versions/v3/3.4/%{name}-%{version}.tar.bz2
Source1: %{name}-%{version}.tar.bz2.asc
Source2: RELEASENOTES.html
Source3: squid.init
Source1: http://www.squid-cache.org/Versions/v3/3.4/%{name}-%{version}.tar.bz2.asc
Source4: squid.sysconfig
Source5: pam.squid
Source6: unsquid.pl
Source7: %{name}.logrotate
Source9: %{name}.permissions
Source10: README.kerberos
Source11: %{name}.service
Source13: %{name}.keyring
#
# the following patches are downloaded directly from the webserver
# don't change the names for easier identification
#
# please read every file if there is interest about what the patch changes
# or just visit: http://www.squid-cache.org/Versions/v3/3.2/changesets/
#
#
# Upstream patch
# Patch0:
# do not show some rpmlint warnings
Source99: rpmlintrc
Source99: squid-rpmlintrc
# some useful defaults for squid
Patch100: %{name}-config.patch
# make build compare happy - remove build dates
@ -62,79 +45,49 @@ Patch101: %{name}-nobuilddates.patch
Patch102: %{name}-compiled_without_RPM_OPT_FLAGS.patch
# patch fixes kerberos principalname handling (http://bugs.squid-cache.org/show_bug.cgi?id=4042)
Patch103: squid-brokenad.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: %fillup_prereq
PreReq: %insserv_prereq
PreReq: /usr/bin/getent
PreReq: permissions
PreReq: pwdutils
BuildRequires: db-devel
# needed by bootstrap.sh
BuildRequires: cyrus-sasl-devel
BuildRequires: db-devel
BuildRequires: ed
BuildRequires: expat
BuildRequires: fdupes
BuildRequires: gcc-c++
BuildRequires: gpg-offline
BuildRequires: krb5-devel
BuildRequires: libcap-devel
BuildRequires: libexpat-devel
BuildRequires: libtool
BuildRequires: libtool >= 2.4
BuildRequires: openldap2-devel
BuildRequires: opensp-devel
BuildRequires: openssl-devel
BuildRequires: pam-devel
BuildRequires: pkgconfig
BuildRequires: sharutils
%if 0%{?suse_version} < 1220
BuildRequires: libxml2-devel
%else
BuildRequires: pkgconfig(libxml-2.0)
%endif
%if 0%{?suse_version} >= 1210
BuildRequires: systemd
%{?systemd_requires}
%define has_systemd 1
%endif
BuildRequires: pkgconfig(libxml-2.0)
Requires: logrotate
Requires: sed
Provides: http_proxy
# due to package rename
# Wed Aug 15 17:40:30 UTC 2012
Requires(post): %fillup_prereq
Requires(pre): %insserv_prereq
Requires(pre): %{_bindir}/getent
Requires(pre): permissions
Requires(pre): pwdutils
Provides: %{name}3 = %{version}
Provides: http_proxy
Obsoletes: %{name}3 < %{version}
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%{?systemd_requires}
%description
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator.
Squid 3.4 represents a new feature release above 3.3.
The most important of these new features are:
* Helper protocol extensions
* SSL Server Certificate Validator
* Store-ID
* TPROXY Support for OpenBSD 5.1+ and FreeBSD 9+
* Transaction Annotations
* Multicast DNS
Most user-facing changes are reflected in squid.conf (see below).
First STABLE release Date: 08 Dec 2013
Squid is a fully-featured HTTP/1.0 proxy which is almost a fully-featured
HTTP/1.1 proxy. Squid offers a rich access control, authorization and logging
environment to develop web proxy and content serving applications.
Squid offers a rich set of traffic optimization options, most of which are
enabled by default for simpler installation and high performance.
%prep
#setup -q -n %{name}-%{version}%{snap}
%gpg_verify %{S:1}
%setup -q -n %{name}-%{version}
cp %{S:10} .
# upstream patches after RELEASE
#
##### other patches
%setup -q
cp %{SOURCE10} .
%patch100
perl -p -i -e 's|/usr/local/bin/perl|/usr/bin/perl|' `find -name "*.pl"`
perl -p -i -e 's|%{_prefix}/local/bin/perl|%{_bindir}/perl|' `find -name "*.pl"`
chmod a-x CREDITS
%patch101
%patch102
@ -147,15 +100,11 @@ export LDFLAGS='-Wl,-z,relro,-z,now -pie'
%configure \
--disable-strict-error-checking \
--sysconfdir=%{squidconfdir} \
--libexecdir=/usr/sbin \
--datadir=/usr/share/squid \
--sharedstatedir=/var/squid \
--with-logdir=/var/log/squid \
%if 0%{?has_systemd}
--libexecdir=%{_sbindir} \
--datadir=%{_datadir}/squid \
--sharedstatedir=%{_localstatedir}/squid \
--with-logdir=%{_localstatedir}/log/squid \
--with-pidfile=/run/squid.pid \
%else
--with-pidfile=/var/run/squid.pid \
%endif
--with-dl \
--enable-disk-io \
--enable-storeio \
@ -186,7 +135,8 @@ export LDFLAGS='-Wl,-z,relro,-z,now -pie'
--enable-x-accelerator-vary \
--with-default-user=%{name} \
--disable-ident-lookups \
--enable-follow-x-forwarded-for
--enable-follow-x-forwarded-for \
--disable-arch-native
# overwrite the number of open filedescriptors of configure to 4096
# to be backward compatible, but numbers above should not be overwritten
@ -199,21 +149,21 @@ fi
make SAMBAPREFIX=/usr %{?_smp_mflags}
%install
/usr/sbin/useradd -r -o -g nogroup -u 31 -s /bin/false -c "WWW-proxy squid" \
-d /var/cache/%{name} %{name} 2> /dev/null || :
install -d %{buildroot}%{_localstatedir}/{cache,log}/%{name}
chmod 750 %{buildroot}%{_localstatedir}/{cache,log}/%{name}
%{_sbindir}/groupadd -g 31 -r %{name} 2>/dev/null || :
%{_sbindir}/useradd -c "WWW-proxy squid" -d %{_localstatedir}/cache/%{name} \
-g %{name} -o -u 31 -r -s /bin/false 2> /dev/null || :
install -d -m 750 %{buildroot}%{_localstatedir}/{cache,log}/%{name}
install -d %{buildroot}%{_prefix}/sbin
# make_install
make install DESTDIR=%{buildroot} SAMBAPREFIX=/usr
mv %{buildroot}{/etc/%{name}/,/usr/share/%{name}/}mime.conf.default
ln -s /etc/%{name}/mime.conf %{buildroot}%{_datadir}/%{name} # backward compatible
install -d -m 755 %{buildroot}%{_sysconfdir}/permissions.d
install -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/permissions.d/%{name}
install -d -m 755 %{buildroot}%{_sysconfdir}/logrotate.d
install -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
install -D %{SOURCE3} %{buildroot}%{_sysconfdir}/init.d/%{name}
ln -sf %{_sysconfdir}/init.d/%{name} %{buildroot}%{_sbindir}/rcsquid
install -D -m644 %{SOURCE4} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}
mv %{buildroot}{%{_sysconfdir}/%{name}/,%{_datadir}/%{name}/}mime.conf.default
ln -s %{_sysconfdir}/%{name}/mime.conf %{buildroot}%{_datadir}/%{name} # backward compatible
# install logrotate file
install -D -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
install -d -m 755 doc/scripts
install scripts/*.pl doc/scripts
@ -235,75 +185,65 @@ for i in errors/*; do
install -m 644 $i/* %{buildroot}%{_datadir}/%{name}/$i
fi
done
ln -sf /usr/share/%{name}/errors/de %{buildroot}%{squidconfdir}/errors
ln -sf %{_datadir}/%{name}/errors/de %{buildroot}%{squidconfdir}/errors
# systemd service
install -D -m 644 %{SOURCE11} %{buildroot}%{_unitdir}/%{name}.service
ln -sf service %{buildroot}%{_sbindir}/rc%{name}
install -D -m644 %{SOURCE4} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}
# fix file duplicates
%if 0%{?suse_version} > 1030
%fdupes -s %{buildroot}%{_prefix}
%endif
%if 0%{?fedora_version} > 8
fdupes -q -n -r %{buildroot}%{_prefix}
%endif
%if 0%{?has_systemd}
install -D -m 644 %{SOURCE11} %{buildroot}%{_unitdir}/%{name}.service
%endif
%pre
# we need this group for /usr/sbin/pinger
if [ -z "`%{_bindir}/getent group %{name} 2>/dev/null`" ]; then
%{_sbindir}/groupadd -g 31 -r %{name} 2>/dev/null
fi
# we need this group for squid (ntlmauth)
# read access to /var/lib/samba/winbindd_privileged
if [ -z "`%{_bindir}/getent group winbind 2>/dev/null`" ]; then
%{_sbindir}/groupadd -r winbind 2>/dev/null
fi
if [ -z "`%{_bindir}/getent passwd squid 2>/dev/null`" ]; then
%{_sbindir}/useradd -c "WWW-proxy squid" -d /var/cache/%{name} \
-G winbind -g nogroup -o -u 31 -r -s /bin/false \
%{_sbindir}/useradd -c "WWW-proxy squid" -d %{_localstatedir}/cache/%{name} \
-G winbind -g %{name} -o -u 31 -r -s /bin/false \
%{name} 2>/dev/null
fi
# if squid is not member of winbind, add him
if [ `%{_bindir}/id -nG %{name} 2>/dev/null | grep -q winbind >/dev/null; echo $?` -ne 0 ]; then
%{_sbindir}/groupmod -A %{name} winbind 2>/dev/null
%{_sbindir}/usermod -G winbind %{name} 2>/dev/null
fi
%if 0%{?has_systemd}
%service_add_pre %{name}.service
%endif
%post
%if 0%{?suse_version} >= 1140
%set_permissions %{_localstatedir}/cache/%{name}
%set_permissions %{_localstatedir}/log/%{name}
%endif
%set_permissions %{_sbindir}/pinger
%set_permissions %{_sbindir}/basic_pam_auth
%set_permissions %{_localstatedir}/cache/squid/
%set_permissions %{_localstatedir}/log/squid/
# update mode?
if [ "$1" -gt "1" ]; then
if [ -e etc/%{name}.conf -a ! -L etc/%{name}.conf -a ! -e etc/%{name}/%{name}.conf ]; then
echo "moving /etc/%{name}.conf to /etc/%{name}/%{name}.conf"
echo "moving %{_sysconfdir}/%{name}.conf to %{_sysconfdir}/%{name}/%{name}.conf"
mv etc/%{name}.conf etc/%{name}/%{name}.conf
fi
# default group changed from nogroup to squid
%{_sbindir}/usermod -g %{name} %{name}
fi
%{fillup_and_insserv -n "squid"}
%if 0%{?has_systemd}
%fillup_only
%service_add_post squid.service
%endif
%preun
%stop_on_removal squid
%if 0%{?has_systemd}
%service_del_preun squid.service
%endif
%verifyscript
%verify_permissions -e %{_sbindir}/basic_pam_auth
%verify_permissions -e %{_sbindir}/pinger
%verify_permissions -e %{_localstatedir}/cache/squid/
%verify_permissions -e %{_localstatedir}/log/squid/
%postun
%if 0%{?has_systemd}
%service_del_postun squid.service
%endif
%restart_on_update squid
%insserv_cleanup
%verifyscript
%verify_permissions -e /usr/sbin/pam_auth
%files
%defattr(-,root,root)
@ -313,11 +253,9 @@ fi
%doc doc/contrib doc/scripts
%doc doc/debug-sections.txt src/%{name}.conf.default
%doc %{_mandir}/man?/*
%if 0%{?has_systemd}
%{_unitdir}/%{name}.service
%endif
%attr(750,%{name},root) %dir %{_localstatedir}/cache/%{name}/
%attr(750,%{name},root) %dir %{_localstatedir}/log/%{name}/
%verify(not user group mode) %attr(750,%{name},root) %dir %{_localstatedir}/cache/%{name}/
%verify(not user group mode) %attr(750,%{name},root) %dir %{_localstatedir}/log/%{name}/
%dir %{squidconfdir}
%config(noreplace) %{squidconfdir}/cachemgr.conf
%config(noreplace) %{squidconfdir}/errorpage.css
@ -332,8 +270,6 @@ fi
%config %{squidconfdir}/%{name}.conf.default
%config %{squidconfdir}/%{name}.conf.documented
%config %{_sysconfdir}/pam.d/%{name}
%config %{_sysconfdir}/init.d/%{name}
%config %{_sysconfdir}/permissions.d/%{name}
%dir %{_datadir}/%{name}
%{_datadir}/%{name}/errors
%{_datadir}/%{name}/icons
@ -350,8 +286,7 @@ fi
%{_sbindir}/basic_msnt_multi_domain_auth
%{_sbindir}/basic_ncsa_auth
%{_sbindir}/basic_nis_auth
#verify(not mode) %attr(4755,root,shadow) %{_sbindir}/basic_pam_auth
%{_sbindir}/basic_pam_auth
%verify(not mode) %attr(2750,root,shadow) %{_sbindir}/basic_pam_auth
%{_sbindir}/basic_pop3_auth
%{_sbindir}/basic_radius_auth
%{_sbindir}/basic_sasl_auth
@ -359,7 +294,6 @@ fi
%{_sbindir}/basic_smb_auth.sh
%{_sbindir}/cert_tool
%{_sbindir}/cert_valid.pl
#{_sbindir}/digest_edirectory_auth
%{_sbindir}/digest_file_auth
%{_sbindir}/digest_ldap_auth
%{_sbindir}/diskd
@ -378,14 +312,14 @@ fi
%{_sbindir}/negotiate_wrapper_auth
%{_sbindir}/ntlm_fake_auth
%{_sbindir}/ntlm_smb_lm_auth
%{_sbindir}/pinger
%{_sbindir}/rc%{name}
%verify(not user group mode caps) %attr(750,root,squid) %{_sbindir}/pinger
%{_sbindir}/%{name}
%{_sbindir}/ssl_crtd
%{_sbindir}/storeid_file_rewrite
%{_sbindir}/unlinkd
%{_sbindir}/url_fake_rewrite
%{_sbindir}/url_fake_rewrite.sh
%{_sbindir}/rc%{name}
%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}
%dir %{_libdir}/%{name}
%{_libdir}/%{name}/cachemgr.cgi