diff --git a/squid-3.4.10-RELEASENOTES.html b/squid-3.4.10-RELEASENOTES.html new file mode 100644 index 0000000..c1814af --- /dev/null +++ b/squid-3.4.10-RELEASENOTES.html @@ -0,0 +1,597 @@ + + + + + Squid 3.4.10 release notes + + +

Squid 3.4.10 release notes

+ +

Squid Developers

+
+This document contains the release notes for version 3.4 of Squid. +Squid is a WWW Cache application developed by the National Laboratory +for Applied Network Research and members of the Web Caching community. +
+

+

1. Notice

+ + +

+

2. Major new features since Squid-3.3

+ + +

+

3. Changes to squid.conf since Squid-3.3

+ + +

+

4. Changes to ./configure options since Squid-3.3

+ + +

+

5. Regressions since Squid-2.7

+ + + +
+

1. Notice

+ +

The Squid Team are pleased to announce the release of Squid-3.4.10 for testing.

+

This new release is available for download from +http://www.squid-cache.org/Versions/v3/3.4/ or the +mirrors.

+ +

Some interesting new features adding system flexibility have been added along with general improvements all around. +While this release is not fully bug-free we believe it is ready for use in production on many systems.

+ +

We welcome feedback and bug reports. If you find a bug, please see +http://wiki.squid-cache.org/SquidFaq/BugReporting +for how to submit a report with a stack trace.

+ +

1.1 Known issues +

+ +

Although this release is deemed good enough for use in many setups, please note the existence of +open bugs against Squid-3.4.

+ +

1.2 Changes since earlier releases of Squid-3.4 +

+ +

The 3.4 change history can be +viewed here.

+ + +

2. Major new features since Squid-3.3

+ +

Squid 3.4 represents a new feature release above 3.3.

+ +

The most important of these new features are: +

+

+

Most user-facing changes are reflected in squid.conf (see below).

+ + +

2.1 Helper protocol extensions +

+ +

Details at +http://wiki.squid-cache.org/Features/AddonHelpers.

+ +

The Squid helper protocol used to communicate with authenticators, +URL-rewriters, Redirectors, and External ACL helpers has been updated +and extended.

+ +

BH status code is now accepted from all helpers to report +internal error events separate from ERR rejection code. +Permitting Squid to perform recovery operations specific to +helper failure instead of a blanket client rejection.

+ +

Arbitrary key-value pairs can be returned from any helper. +Allowing future helpers to be forward- and backward- compatible +with this and future versions of Squid.

+ + +

2.2 SSL Server Certificate Validator +

+ +

Details at +http://wiki.squid-cache.org/Features/SslServerCertValidator.

+ +

The helper consulted after the internal OpenSSL validation, regardless of the +validation results. The helper will receive:

+

+

+

+ +

If the helper decides to honor an OpenSSL error or report another validation +error(s), the helper will return:

+

+

+

+ +

The returned information mimics what the internal OpenSSL-based validation code +collects now. Returned errors, if any, are fed to sslproxy_cert_error, +triggering the existing SSL error processing code.

+ +

The helper invocation controlled by the sslcrtvalidator_program and +sslcrtvalidator_children configurations options which are similar to the +ssl_crtd related options.

+ + +

2.3 Store-ID +

+ +

Details at +http://wiki.squid-cache.org/Features/StoreID.

+ +

This feature is a redesigned equivalent to the Squid-2.7 feature known as StoreURL-rewrite.

+ +

Notice that this is not a direct portage of the Squid-2.7 feature so behaviour +differences do exist. Although the new feature works in similar enough ways that the old +helper scripts used for Squid-2.7 are expected to work in this and later versions of Squid.

+ +

Squid traditionally uses the requested URL as an index key ID to locate objects in cache. +It is not the only key possible and the Store-ID feature exposes an API for external +helpers to provide Squid with an alternative key name for any URL.

+ +

When any client request is received which requires a cache lookup the URL is passed to +a helper specified with the store_id_program directive to check for an alternative +Store ID. This allows the helper to identify URLs which refer to duplicate resources and +de-duplicate the cache content. store_id_access is provided to allow ACL-based +tuning of which traffic gets sent to the helper and reduce overheads.

+ +

One subtle and noteworthy difference between Squid-2 and Squid-3 which is highlighted by +this feature is that refresh_pattern applies its regex argument against the Store +ID key and not the transaction URL. So using the Store-ID feature to alter the value +affects which refresh_pattern directive will be matched.

+ +

Store-ID helpers bundled with Squid can be built with the --enable-storeid-rewrite-helpers +option which is added in this version. Currently there is a file helper +provided.

+ + +

2.4 TPROXY Support for OpenBSD 5.1+ and FreeBSD 9+ +

+ +

Details at +http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf.

+ +

The Packet Filter (PF) firewall in OpenBSD 4.4 and later offers traffic interception +using several very simple methods. One of which is the divert-to rule type +which acts as a simple routing diversion instead of performing NAT packet alterations.

+ +

The IP Firewall (IPFW) on FreeBSD 9+ contains a port of the Linux Netfilter TPROXY feature.

+ +

This version of Squid adds support for these features through the ./configure +options --enable-pf-transparent and --enable-ipfw-transparent when Squid is built on +systems with the required support. No special extras are required to enable +http_port ... tproxy configuration to work.

+ +

NOTE: To resolve NAT lookup issues on recent PF firewall versions the code behind +./configure --enable-pf-transparent has been altered and is expected to +break on the version of PF firewall shipped with BSD systems such as NetBSD and FreeBSD +which do not yet support the getsockname() API. +These systems require --with-nat-devpf to enable /dev/pf support when using PF firewall.

+ + +

2.5 Transaction Annotations +

+ +

Previously the only annotation methods available were ICAP/eCAP HTTP header insertions +or external ACL tag= result code. Each of which had only limited possibilities +for use and little or no correlation.

+ +

It is now possible to add annotations to a client transaction from several sources: +

+

+ +

Annotations on the transaction can be passed to ICAP services or eCAP modules using the +adaptation_meta directive to send them as headers. +They can also be logged using the %note log format code in custom logs. With +the new helper response syntax changes this means all helper response key=value details +such as URL-rewrite or store-id changes, external ACL tag etc. are now able to be logged.

+ +

Annotations which are already assigned to a transaction can be checked using an ACL test +of the new note ACL type. This can match a particular note by name and value, +of for any notes with a given name.

+ +

NOTE: not all helper interfaces are yet enabled to convert key=value into annotations +and the external ACL interface does not yet send annotations to the helper.

+ + +

2.6 Multicast DNS +

+ +

The internal DNS component of Squid now supports multicast DNS (mDNS) resolution in +accordance with RFC 6762.

+ +

The dns_multicast_local directive must be set to on to enable this +feature.

+ +

The multicast DNS group IP addresses for IPv4 and IPv6 resolving are added to the set +of available DNS resolvers and used automatically for domain names ending in .local +and reverse-DNS lookups before attempting a secondary resolution on the configured +resolvers. Domains without .local are resolved using only the configured resolvers.

+ +

Statistics for multicast DNS resolution can be found on the idns cache manager +report.

+ +

NOTE that the external DNS helper interface is now deprecated and has been +removed from future Squid versions. Any installations still using it for local hostname +resolution need to upgrade to mDNS resolution with this Squid version.

+ + +

3. Changes to squid.conf since Squid-3.3

+ +

There have been changes to Squid's configuration file since Squid-3.3.

+ +

Squid supports reading configuration option parameters from external +files using the syntax parameters("/path/filename"). For example: +

+    acl whitelist dstdomain parameters("/etc/squid/whitelist.txt")
+
+

+ +

There have also been changes to individual directives in the config file.

+

This section gives a thorough account of those changes in three categories:

+

+

+

+ + +

3.1 New tags +

+ +

+

+
configuration_includes_quoted_values
+

Whether Squid supports directive parameters with spaces, quotes, and other +special characters. Surround such parameters with "double quotes" and +also set this directive on/off around the relevant squid.conf line(s) +making use of such quoting.

+ +
dns_multicast_local
+

Use multicast DNS for .local domains and reverse-DNS resolution.

+ +
note
+

Use ACLs to annotate a transaction with customized annotations +which can be logged in access.log

+ +
spoof_client_ip
+

Access control to determine whether to disable the TPROXY spoofing on upstream traffic.

+ +
sslcrtvalidator_children
+

Specifies the settings for how many SSL server certificate +validator helpers are run and when they are started.

+ +
sslcrtvalidator_program
+

Specifies the location of a SSL server certificate validator helper.

+ +
store_id_access
+

Whether the URL for a given request is passed to the Store-ID helper process. +Used to improve StoreID performance by quickly eliminating helper delays using ACL tests.

+

Ported equivalent to storeurl_access from 2.7

+ +
store_id_bypass
+

Whether the StoreID helper may be bypassed when overloaded.

+ +
store_id_children
+

Controls the number of StoreID helper processes.

+

Options startup=N, idle=N, concurrency=N +

+

+ +
store_id_rewrite_program
+

A helper program to provide cache storage internal key ID value for a request.

+

Ported equivalent to storeurl_rewrite_program from 2.7

+ +
+

+ +

3.2 Changes to existing tags +

+ +

+

+
access_log
+

Configuration syntax extended to support name=value options. +New Syntax: access_log module:place [option ...] [acl ...]

+

New option logformat= to specify the logging format name.

+

New option buffer-size= to specify how large the log buffer +for this log is to be when buffered_logs is enabled.

+

New option on-error= to specify what handling is to be done +if the logging module encounters a non-recoverable error writing logs. +With the value die (the default) Squid halts operation. +With the value drop Squid drops log lines and continue running.

+ +
acl
+

New test type server_cert_fingerprint to match against +server SSL certificate fingerprint.

+

New test type note to match against transaction annotations +by name and value, or just by name.

+

New test type any-of to match if any one of a set of named ACLs.

+

New test type all-of to match against all of a set of named ACLs.

+ +
auth_param
+

New result code BH to signal helper internal errors +available in all authentication schemes.

+

New key message= for error message details in all authentication schemes.

+

New result code OK and key ha1= in Digest authentication.

+

New result codes OK, ERR replace result codes AF, +and NA in NTLM and Negotiate authentication.

+

New key token= for NTLM and Negotiate authentication OK responses.

+

Details at +http://wiki.squid-cache.org/Features/AddonHelpers.

+ +
external_acl_type
+

Deprecated protocol=3.0 option. No longer necessary.

+

New result code BH to signal helper internal errors

+

Details at +http://wiki.squid-cache.org/Features/AddonHelpers.

+ +
http_port
+

Support IPv6 for intercept mode. Requires ip6tables support on Linux, +PF support on OpenBSD and IPFW support on FreeBSD. Squid will no longer complain +about misconfiguration if IPv6 support is missing, we now rely on the firewall +tools reporting misconfiguration when the NAT rules are created.

+

Support tproxy mode traffic on BSD systems with BINDANY support +(OpenBSD 5+, FreeBSD 9+ so far).

+

Changed build options behind intercept traffic mode handling on BSD. +see --enable-pf-transparent for more details.

+ +
logformat
+

New format code %note to log a transaction annotation linked to the +transaction by ICAP, eCAP, a helper, or the note squid.conf directive.

+

New format code %>qos to log client connection TOS/DSCP value set by Squid.

+

New format code %<qos to log server connection TOS/DSCP value set by Squid.

+

New format code %>nfmark to log client connection netfilter mark set by Squid.

+

New format code %<nfmark to log server connection netfilter mark set by Squid.

+ +
pipeline_prefetch
+

Updated to take a numeric count of prefetched pipeline requests instead of ON/OFF.

+ +
refresh_pattern
+

NOTE: the regular expression pattern operates on the cache Store-ID value. +Which by default is identical to the requested URL, but may differ for some +objects if the Store-ID feature is in use.

+ +
unlinkd_program
+

New helper response format utilizing result codes OK and BH, +to signal helper lookup results. Also, key-value response values to return +multiple values to Squid.

+

Details at +http://wiki.squid-cache.org/Features/AddonHelpers.

+ +
url_rewrite_program
+

New helper response format utilizing result codes OK, ERR, +and BH to signal helper lookup results. Also, key-value response +values to return multiple values to Squid.

+

Details at +http://wiki.squid-cache.org/Features/AddonHelpers.

+ +
+

+ +

3.3 Removed tags +

+ +

+

+
storeurl_access
+

Replaced by store_id_access.

+ +
storeurl_rewrite_children
+

Replaced by store_id_children.

+ +
storeurl_rewrite_concurrency
+

Replaced by store_id_children with concurrency=N option.

+ +
storeurl_rewrite_program
+

Replaced by store_id_program.

+ +
+

+ + +

4. Changes to ./configure options since Squid-3.3

+ +

There have been some changes to Squid's build configuration since Squid-3.3.

+

This section gives an account of those changes in three categories:

+

+

+

+ + +

4.1 New options +

+ +

+

+
--enable-storeid-rewrite-helpers
+

New option to control which Store-ID helpers are built. As with other +helper options use --disable-* to prevent any helpers building and +omit to get all helper auto-detected.

+

Currenly only a helper using file for backend is provided.

+ +
--disable-arch-native
+

New option to disable use of -march=native compiler flag.

+

The new flag auto-enables CPU-specific optimizations in GCC and is +required by Clang++ v3.2 for correct 64-bit environment detection. +It does not always work well however, so this build option is provided +to remove it when necessary.

+ +
--with-nat-devpf
+

New option to alter the behaviour of http_port ... intercept option +in squid.conf.

+

When this option is used Squid performs the /dev/pf lookups required to +support PF rdr-to rules. Otherwise Squid will perform perform the +getsockname() API calls to support PF divert-to rules.

+

NOTE: systems such as NetBSD and FreeBSD which do not yet support +the getsockname() API in recent PF versions require this option.

+ +
+

+ +

4.2 Changes to existing options +

+ +

+

+
--enable-pf-transparent
+

NAT table support updated to use the getsockname() API provided by the +latest PF versions divert-to. This allows http_port +in squid.conf to support both intercept and tproxy traffic +and to silence NAT lookup failure messages on recent BSD.

+

NOTE: systems such as NetBSD and FreeBSD which do not yet support +the getsockname() API in recent PF versions require --with-nat-devpf +to re-enable /dev/pf support when using PF firewall.

+ +
--disable-translation
+

Default changed to prevent translating error page templates during build. +Use --enable-translation to explicitly build and install the templates.

+

The latest pre-translated templates can be downloaded from +http://www.squid-cache.org/Versions/langpack/

+ +
+

+

4.3 Removed options +

+ +

+

+

There are no removed ./configure options in Squid-3.4.

+ +
+

+ + +

5. Regressions since Squid-2.7

+ +

Some squid.conf options which were available in Squid-2.7 are not yet available in Squid-3.4

+ +

If you need something to do then porting one of these from Squid-2 to Squid-3 is most welcome.

+ +

5.1 Missing squid.conf options available in Squid-2.7 +

+ +

+

+
broken_vary_encoding
+

Not yet ported from 2.6

+ +
cache_dir
+

COSS storage type is lacking stability fixes from 2.6

+

COSS overwrite-percent= option not yet ported from 2.6

+

COSS max-stripe-waste= option not yet ported from 2.6

+

COSS membufs= option not yet ported from 2.6

+

COSS maxfullbufs= option not yet ported from 2.6

+ +
cache_peer
+

idle= not yet ported from 2.7

+

monitorinterval= not yet ported from 2.6

+

monitorsize= not yet ported from 2.6

+

monitortimeout= not yet ported from 2.6

+

monitorurl= not yet ported from 2.6

+ +
cache_vary
+

Not yet ported from 2.6

+ +
collapsed_forwarding
+

Not yet ported from 2.6

+ +
error_map
+

Not yet ported from 2.6

+ +
external_refresh_check
+

Not yet ported from 2.7

+ +
location_rewrite_access
+

Not yet ported from 2.6

+ +
location_rewrite_children
+

Not yet ported from 2.6

+ +
location_rewrite_concurrency
+

Not yet ported from 2.6

+ +
location_rewrite_program
+

Not yet ported from 2.6

+ +
refresh_pattern
+

stale-while-revalidate= not yet ported from 2.7

+

ignore-stale-while-revalidate= not yet ported from 2.7

+

negative-ttl= not yet ported from 2.7

+ +
refresh_stale_hit
+

Not yet ported from 2.7

+ +
update_headers
+

Not yet ported from 2.7

+ +
+

+ + + diff --git a/squid.changes b/squid.changes index 5d99c67..d2048d4 100644 --- a/squid.changes +++ b/squid.changes @@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Sat Jan 10 01:08:40 UTC 2015 - chris@computersalat.de + +- recover old spec + * merge in suggested changes from tchvatal +- fix permissions for SLE11 + * revert suid bit for pinger and basic_pam_auth + add them to permissions file (commented) +- readd deleted files + * RELEASENOTES + * permissions (needed for SLE11) + * init.rh + ------------------------------------------------------------------- Fri Jan 9 10:19:10 UTC 2015 - tchvatal@suse.com diff --git a/squid.init b/squid.init new file mode 100644 index 0000000..cb400db --- /dev/null +++ b/squid.init 
@@ -0,0 +1,201 @@ +#!/bin/sh +# Copyright (c) 1996, 1997, 1998 S.u.S.E. GmbH +# Copyright (c) 1998, 1999, 2000, 2001 SuSE GmbH +# Copyright (c) 2002 SuSE Linux AG +# +# Author: Frank Bodammer, Peter Poeml, Klaus Singvogel +# +# /etc/init.d/squid +# and its symbolic link +# /(usr/)sbin/rcsquid +# +### BEGIN INIT INFO +# Provides: squid +# Required-Start: $local_fs $remote_fs $network $time +# Should-Start: apache $named winbind +# Required-Stop: $local_fs $remote_fs $network $time +# Should-Stop: apache $named winbind +# Default-Start: 3 5 +# Default-Stop: 0 1 2 6 +# Short-Description: Squid web cache +# Description: Start the Squid web cache, providing +# HTTP, FTP and other proxy services +### END INIT INFO +# +# Note on runlevels: +# 0 - halt/poweroff 6 - reboot +# 1 - single user 2 - multiuser without network exported +# 3 - multiuser w/ network (text mode) 5 - multiuser w/ network and X11 (xdm) + + +# Check for missing binaries (stale symlinks should not happen) +# Note: Special treatment of stop for LSB conformance +SQUID_BIN=/usr/sbin/squid +test -x $SQUID_BIN || { echo "$SQUID_BIN not installed"; + if [ "$1" = "stop" ]; then exit 0; + else exit 5; fi; } + +# Check for existence of needed config file and read it +SQUID_SYSCONFIG=/etc/sysconfig/squid +test -r $SQUID_SYSCONFIG || { echo "$SQUID_SYSCONFIG not existing"; + if [ "$1" = "stop" ]; then exit 0; + else exit 6; fi; } + +# Read config +. $SQUID_SYSCONFIG + +SQUID_PID=/var/run/squid.pid +SQUID_CONF=/etc/squid/squid.conf +SQUID_S_T=${SQUID_SHUTDOWN_TIMEOUT:="60"} +SQUID_OPTS=${SQUID_START_OPTIONS:="-sY"} +SQUID_ULIMIT=${SQUID_DEFAULT_ULIMT:="4096"} + +# determine which one is the cache_swap directory +SQUID_CACHE_DIR=$(perl -n -e \ + '/^cache_dir\s+\S+\s+(.*)\s+\d+\s+\d+\s+\d+/ && print "$1"' $SQUID_CONF) + +ulimit -n "$SQUID_ULIMIT" + +#IN: $SQUID_CACHE_DIR +setup_squid_cache_dir(){ + for adir in "$1" ; do + if [ ! 
-d $adir/00 ]; then # create missing cache directories + umask 027 # prevent users reading any cache data + echo -n " ($adir)" + $SQUID_BIN -z -F > /dev/null 2>&1 + fi + if [ ! -d $adir/00 ]; then + echo " - failed while creating cache_dir ! " + rc_failed + rc_status -v + rc_exit + fi + done + sleep 2 +} + +# Shell functions sourced from /etc/rc.status: +# rc_check check and set local and overall rc status +# rc_status check and set local and overall rc status +# rc_status -v be verbose in local rc status and clear it afterwards +# rc_status -v -r ditto and clear both the local and overall rc status +# rc_status -s display "skipped" and exit with status 3 +# rc_status -u display "unused" and exit with status 3 +# rc_failed set local and overall rc status to failed +# rc_failed set local and overall rc status to +# rc_reset clear both the local and overall rc status +# rc_exit exit appropriate to overall rc status +# rc_active checks whether a service is activated by symlinks +. /etc/rc.status + +# Reset status of this service +rc_reset + + +case "$1" in + start) + echo -n "Starting WWW-proxy squid " + if /sbin/checkproc $SQUID_BIN ; then + echo -n "- Warning: squid already running ! " + rc_failed + else + [ -e $SQUID_PID ] && echo -n "- Warning: $SQUID_PID exists ! " + if [ -n "$SQUID_CACHE_DIR" -a -d "$SQUID_CACHE_DIR" ]; then + setup_squid_cache_dir "$SQUID_CACHE_DIR" + fi + fi + startproc -l /var/log/squid/rcsquid.log $SQUID_BIN "$SQUID_OPTS" + + # Remember status and be verbose + rc_status -v + ;; + stop) + echo -n "Shutting down WWW-proxy squid " + if /sbin/checkproc $SQUID_BIN ; then + $SQUID_BIN -k shutdown + sleep 2 + if [ -e $SQUID_PID ] ; then + echo -n "- wait a minute or two... " + i="$SQUID_S_T" + while [ -e $SQUID_PID ] && [ $i -gt 0 ] ; do + sleep 2 + i=$[$i-1] + echo -n "." + [ $i -eq 41 ] && echo + done + fi + if /sbin/checkproc $SQUID_BIN ; then + killproc -TERM $SQUID_BIN + echo -n " Warning: squid killed !" 
+ fi + else + echo -n "- Warning: squid not running ! " + rc_failed 7 + fi + + # Remember status and be verbose + rc_status -v + ;; + try-restart) + $0 status >/dev/null && $0 restart + + # Remember status and be quiet + rc_status + ;; + restart) + $0 stop + $0 start + + # Remember status and be quiet + rc_status + ;; + force-reload) + $0 reload + + # Remember status and be quiet + rc_status + ;; + reload) + echo -n "Reloading WWW-proxy squid " + if /sbin/checkproc $SQUID_BIN ; then + $SQUID_BIN -k rotate + sleep 2 + $SQUID_BIN -k reconfigure + rc_status + else + echo -n "- Warning: squid not running ! " + rc_failed 7 + fi + + # Remember status and be verbose + rc_status -v + ;; + status) + echo -n "Checking for WWW-proxy squid " + ## Check status with checkproc(8), if process is running + ## checkproc will return with exit status 0. + + # Return value is slightly different for the status command: + # 0 - service up and running + # 1 - service dead, but /var/run/ pid file exists + # 2 - service dead, but /var/lock/ lock file exists + # 3 - service not running (unused) + # 4 - service status unknown :-( + # 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.) + + # NOTE: checkproc returns LSB compliant status values. + /sbin/checkproc $SQUID_BIN + + # Remember status and be verbose + rc_status -v + ;; + probe) + test $SQUID_CONF -nt $SQUID_PID && echo reload + ;; + *) + echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}" + exit 1 + ;; +esac +rc_exit + diff --git a/squid.init.rh b/squid.init.rh new file mode 100644 index 0000000..15cb5b9 --- /dev/null +++ b/squid.init.rh 
@@ -0,0 +1,187 @@ +#!/bin/bash +# chkconfig: - 90 25 +# pidfile: /var/run/squid.pid +# config: /etc/squid/squid.conf +# +### BEGIN INIT INFO +# Provides: squid +# Short-Description: starting and stopping Squid Internet Object Cache +# Description: Squid - Internet Object Cache. Internet object caching is \ +# a way to store requested Internet objects (i.e., data available \ +# via the HTTP, FTP, and gopher protocols) on a system closer to the \ +# requesting site than to the source. Web browsers can then use the \ +# local Squid cache as a proxy HTTP server, reducing access time as \ +# well as bandwidth consumption. +### END INIT INFO + + +PATH=/usr/bin:/sbin:/bin:/usr/sbin +export PATH + +# Source function library. +. /etc/rc.d/init.d/functions + +# Source networking configuration. +. /etc/sysconfig/network + +if [ -f /etc/sysconfig/squid ]; then + . /etc/sysconfig/squid +fi + +# don't raise an error if the config file is incomplete +# set defaults instead: +SQUID_OPTS=${SQUID_OPTS:-""} +SQUID_PIDFILE_TIMEOUT=${SQUID_PIDFILE_TIMEOUT:-20} +SQUID_SHUTDOWN_TIMEOUT=${SQUID_SHUTDOWN_TIMEOUT:-100} +SQUID_CONF=${SQUID_CONF:-"/etc/squid/squid.conf"} +SQUID_PIDFILE_DIR="/var/run/squid" +SQUID_USER="squid" +SQUID_DIR="squid" + +# determine the name of the squid binary +[ -f /usr/sbin/squid ] && SQUID=squid + +prog="$SQUID" + +# determine which one is the cache_swap directory +CACHE_SWAP=`sed -e 's/#.*//g' $SQUID_CONF | \ + grep cache_dir | awk '{ print $3 }'` + +RETVAL=0 + +probe() { + # Check that networking is up. + [ ${NETWORKING} = "no" ] && exit 1 + + [ `id -u` -ne 0 ] && exit 4 + + # check if the squid conf file is present + [ -f $SQUID_CONF ] || exit 6 +} + +start() { + # Check if $SQUID_PIDFILE_DIR exists and if not, lets create it and give squid permissions. + if [ ! -d $SQUID_PIDFILE_DIR ] ; then mkdir $SQUID_PIDFILE_DIR ; chown -R $SQUID_USER.$SQUID_DIR $SQUID_PIDFILE_DIR; fi + probe + + parse=`$SQUID -k parse -f $SQUID_CONF 2>&1` + RETVAL=$? 
+ if [ $RETVAL -ne 0 ]; then + echo -n $"Starting $prog: " + echo_failure + echo + echo "$parse" + return 1 + fi + for adir in $CACHE_SWAP; do + if [ ! -d $adir/00 ]; then + echo -n "init_cache_dir $adir... " + $SQUID -z -F -f $SQUID_CONF >> /var/log/squid/squid.out 2>&1 + fi + done + echo -n $"Starting $prog: " + $SQUID $SQUID_OPTS -f $SQUID_CONF >> /var/log/squid/squid.out 2>&1 + RETVAL=$? + if [ $RETVAL -eq 0 ]; then + timeout=0; + while : ; do + [ ! -f /var/run/squid.pid ] || break + if [ $timeout -ge $SQUID_PIDFILE_TIMEOUT ]; then + RETVAL=1 + break + fi + sleep 1 && echo -n "." + timeout=$((timeout+1)) + done + fi + [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$SQUID + [ $RETVAL -eq 0 ] && echo_success + [ $RETVAL -ne 0 ] && echo_failure + echo + return $RETVAL +} + +stop() { + echo -n $"Stopping $prog: " + $SQUID -k check -f $SQUID_CONF >> /var/log/squid/squid.out 2>&1 + RETVAL=$? + if [ $RETVAL -eq 0 ] ; then + $SQUID -k shutdown -f $SQUID_CONF & + rm -f /var/lock/subsys/$SQUID + timeout=0 + while : ; do + [ -f /var/run/squid.pid ] || break + if [ $timeout -ge $SQUID_SHUTDOWN_TIMEOUT ]; then + echo + return 1 + fi + sleep 2 && echo -n "." + timeout=$((timeout+2)) + done + echo_success + echo + else + echo_failure + if [ ! -e /var/lock/subsys/$SQUID ]; then + RETVAL=0 + fi + echo + fi + rm -rf $SQUID_PIDFILE_DIR/* + return $RETVAL +} + +reload() { + $SQUID $SQUID_OPTS -k reconfigure -f $SQUID_CONF +} + +restart() { + stop + rm -rf $SQUID_PIDFILE_DIR/* + start +} + +condrestart() { + [ -e /var/lock/subsys/squid ] && restart || : +} + +rhstatus() { + status $SQUID && $SQUID -k check -f $SQUID_CONF +} + + +case "$1" in +start) + start + ;; + +stop) + stop + ;; + +reload|force-reload) + reload + ;; + +restart) + restart + ;; + +condrestart|try-restart) + condrestart + ;; + +status) + rhstatus + ;; + +probe) + probe + ;; + +*) + echo $"Usage: $0 {start|stop|status|reload|force-reload|restart|try-restart|probe}" + exit 2 +esac + +exit $? 
diff --git a/squid.permissions b/squid.permissions new file mode 100644 index 0000000..0be2caa --- /dev/null +++ b/squid.permissions @@ -0,0 +1,4 @@ +/var/cache/squid/ squid:root 750 +/var/log/squid/ squid:root 750 +#/usr/sbin/pinger root:squid 4750 +#/usr/sbin/basic_pam_auth root:shadow 2750 diff --git a/squid.spec b/squid.spec index 3238f34..2f6ec66 100644 --- a/squid.spec +++ b/squid.spec @@ -18,6 +18,7 @@ %define squidlibdir %{_libdir}/squid %define squidconfdir %{_sysconfdir}/squid + Name: squid Version: 3.4.10 Release: 0 @@ -27,13 +28,18 @@ Group: Productivity/Networking/Web/Proxy Url: http://www.squid-cache.org/Versions/v3/3.4 Source0: http://www.squid-cache.org/Versions/v3/3.4/%{name}-%{version}.tar.bz2 Source1: http://www.squid-cache.org/Versions/v3/3.4/%{name}-%{version}.tar.bz2.asc +Source2: %{name}-%{version}-RELEASENOTES.html +Source3: squid.init Source4: squid.sysconfig Source5: pam.squid Source6: unsquid.pl Source7: %{name}.logrotate +Source9: %{name}.permissions Source10: README.kerberos Source11: %{name}.service Source13: %{name}.keyring +Source14: squid.init.rh + # do not show some rpmlint warnings Source99: squid-rpmlintrc # some useful defaults for squid 
@@ -45,47 +51,89 @@ Patch101: %{name}-nobuilddates.patch Patch102: %{name}-compiled_without_RPM_OPT_FLAGS.patch # patch fixes kerberos principalname handling (http://bugs.squid-cache.org/show_bug.cgi?id=4042) Patch103: squid-brokenad.patch -BuildRequires: cyrus-sasl-devel + +BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: db-devel +# needed by bootstrap.sh +BuildRequires: cyrus-sasl-devel BuildRequires: ed BuildRequires: expat +# BuildRequires: fdupes BuildRequires: gcc-c++ BuildRequires: krb5-devel BuildRequires: libcap-devel BuildRequires: libexpat-devel +%if 0%{?suse_version} <= 1140 +BuildRequires: libtool +%else BuildRequires: libtool >= 2.4 +%endif +%if 0%{?suse_version} < 1220 +BuildRequires: libxml2-devel +%else +BuildRequires: pkgconfig(libxml-2.0) +%endif BuildRequires: openldap2-devel BuildRequires: opensp-devel BuildRequires: openssl-devel BuildRequires: pam-devel BuildRequires: pkgconfig BuildRequires: sharutils -BuildRequires: systemd -BuildRequires: pkgconfig(libxml-2.0) -Requires: logrotate -Requires: sed + +%if 0%{?suse_version} Requires(post): %fillup_prereq -Requires(pre): %insserv_prereq Requires(pre): %{_bindir}/getent +%if 0%{?suse_version} < 1140 Requires(pre): permissions +%else +Requires(pre): permissions >= 2014.11 +%endif Requires(pre): pwdutils -Provides: %{name}3 = %{version} -Provides: http_proxy -Obsoletes: %{name}3 < %{version} -BuildRoot: %{_tmppath}/%{name}-%{version}-build +%else +Requires(pre): shadow-utils +Requires(post): /sbin/chkconfig +Requires(preun): /sbin/service /sbin/chkconfig +Requires(postun): /sbin/service +%endif + +%if 0%{?suse_version} > 1210 +BuildRequires: systemd %{?systemd_requires} +%define has_systemd 1 +%else +Requires(pre): %insserv_prereq +%endif + +Requires: logrotate +Provides: http_proxy + +# due to package rename +# Wed Aug 15 17:40:30 UTC 2012 +Provides: %{name}3 = %{version} +Obsoletes: %{name}3 < %{version} %description -Squid is a fully-featured HTTP/1.0 proxy which is almost a 
fully-featured -HTTP/1.1 proxy. Squid offers a rich access control, authorization and logging -environment to develop web proxy and content serving applications. -Squid offers a rich set of traffic optimization options, most of which are -enabled by default for simpler installation and high performance. +Squid is a fully-featured HTTP/1.0 proxy which is almost (but not quite - we're getting there!) a fully-featured HTTP/1.1 proxy. Squid offers a rich access control, authorization and logging environment to develop web proxy and content serving applications. Squid offers a rich set of traffic optimization options, most of which are enabled by default for simpler installation and high performance. + +Squid 3.4 represents a new feature release above 3.3. + +The most important of these new features are: + + * Helper protocol extensions + * SSL Server Certificate Validator + * Store-ID + * TPROXY Support for OpenBSD 5.1+ and FreeBSD 9+ + * Transaction Annotations + * Multicast DNS %prep +#setup -q -n %{name}-%{version}%{snap} %setup -q cp %{SOURCE10} . +# upstream patches after RELEASE +# +##### other patches %patch100 perl -p -i -e 's|%{_prefix}/local/bin/perl|%{_bindir}/perl|' `find -name "*.pl"` chmod a-x CREDITS @@ -104,8 +152,15 @@ export LDFLAGS='-Wl,-z,relro,-z,now -pie' --datadir=%{_datadir}/squid \ --sharedstatedir=%{_localstatedir}/squid \ --with-logdir=%{_localstatedir}/log/squid \ +%if 0%{?has_systemd} --with-pidfile=/run/squid.pid \ +%else + --with-pidfile=%{_localstatedir}/run/squid.pid \ +%endif --with-dl \ +%if 0%{?suse_version} <= 1140 + --with-included-ltdl \ +%endif --enable-disk-io \ --enable-storeio \ --enable-removal-policies=heap,lru \ 
@@ -136,7 +191,7 @@ export LDFLAGS='-Wl,-z,relro,-z,now -pie' --with-default-user=%{name} \ --disable-ident-lookups \ --enable-follow-x-forwarded-for \ - --disable-arch-native + --disable-arch-native # overwrite the number of open filedescriptors of configure to 4096 # to be backward compatible, but numbers above should not be overwritten @@ -162,6 +217,11 @@ make install DESTDIR=%{buildroot} SAMBAPREFIX=/usr mv %{buildroot}{%{_sysconfdir}/%{name}/,%{_datadir}/%{name}/}mime.conf.default ln -s %{_sysconfdir}/%{name}/mime.conf %{buildroot}%{_datadir}/%{name} # backward compatible +%if 0%{?suse_version} < 1140 +# permissions file +install -D -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/permissions.d/%{name} +%endif + # install logrotate file install -D -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/logrotate.d/%{name} 
@@ -187,40 +247,73 @@ for i in errors/*; do done ln -sf %{_datadir}/%{name}/errors/de %{buildroot}%{squidconfdir}/errors -# systemd service -install -D -m 644 %{SOURCE11} %{buildroot}%{_unitdir}/%{name}.service -ln -sf service %{buildroot}%{_sbindir}/rc%{name} -install -D -m644 %{SOURCE4} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name} - # fix file duplicates +%if 0%{?suse_version} > 1030 %fdupes -s %{buildroot}%{_prefix} +%endif +%if 0%{?fedora_version} > 8 +fdupes -q -n -r %{buildroot}%{_prefix} +%endif + +# systemd vs SysVinit +%if 0%{?has_systemd} + install -D -m 644 %{SOURCE11} %{buildroot}%{_unitdir}/%{name}.service + ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name} +%else # SysVinit + # fix postrotate script for SysVinit + sed -i -re 's@/usr/bin/systemctl.*@/etc/init.d/squid reload@g' %{buildroot}%{_sysconfdir}/logrotate.d/%{name} + %if 0%{?suse_version} + install -D %{SOURCE3} %{buildroot}%{_sysconfdir}/init.d/%{name} + ln -sf %{_sysconfdir}/init.d/%{name} %{buildroot}%{_sbindir}/rc%{name} + %else # lets just assume other are rh based ones... 
+ install -D %{SOURCE14} %{buildroot}%{_sysconfdir}/init.d/%{name} + %endif +%endif +%if 0%{?suse_version} + install -D -m644 %{SOURCE4} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name} +%else + install -D -m644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/%{name} +%endif %pre # we need this group for /usr/sbin/pinger -if [ -z "`%{_bindir}/getent group %{name} 2>/dev/null`" ]; then +if [[ -z $(%{_bindir}/getent group %{name} 2>/dev/null) ]]; then %{_sbindir}/groupadd -g 31 -r %{name} 2>/dev/null fi # we need this group for squid (ntlmauth) # read access to /var/lib/samba/winbindd_privileged -if [ -z "`%{_bindir}/getent group winbind 2>/dev/null`" ]; then +if [[ -z $(%{_bindir}/getent group winbind 2>/dev/null) ]]; then %{_sbindir}/groupadd -r winbind 2>/dev/null fi -if [ -z "`%{_bindir}/getent passwd squid 2>/dev/null`" ]; then +if [[ -z $(%{_bindir}/getent passwd squid 2>/dev/null) ]]; then %{_sbindir}/useradd -c "WWW-proxy squid" -d %{_localstatedir}/cache/%{name} \ -G winbind -g %{name} -o -u 31 -r -s /bin/false \ %{name} 2>/dev/null fi +# if default group is not squid, change it +if [[ "$(%{_bindir}/id -ng %{name} 2>/dev/null)" != "%{name}" ]]; then + %{_sbindir}/usermod -g %{name} %{name} 2>/dev/null +fi # if squid is not member of winbind, add him -if [ `%{_bindir}/id -nG %{name} 2>/dev/null | grep -q winbind >/dev/null; echo $?` -ne 0 ]; then +if [[ $(%{_bindir}/id -nG %{name} 2>/dev/null | grep -q winbind >/dev/null; echo $?) -ne 0 ]]; then %{_sbindir}/usermod -G winbind %{name} 2>/dev/null fi + +%if 0%{?has_systemd} %service_add_pre %{name}.service +%endif %post -%set_permissions %{_sbindir}/pinger +%if 0%{?suse_version} >= 1140 + %if 0%{?set_permissions:1} %set_permissions %{_sbindir}/basic_pam_auth +%set_permissions %{_sbindir}/pinger %set_permissions %{_localstatedir}/cache/squid/ %set_permissions %{_localstatedir}/log/squid/ + %else +%run_permissions + %endif +%endif # update mode? 
if [ "$1" -gt "1" ]; then if [ -e etc/%{name}.conf -a ! -L etc/%{name}.conf -a ! -e etc/%{name}/%{name}.conf ]; then @@ -230,20 +323,53 @@ if [ "$1" -gt "1" ]; then # default group changed from nogroup to squid %{_sbindir}/usermod -g %{name} %{name} fi -%fillup_only + +%if 0%{?has_systemd} %service_add_post squid.service +%else + %if 0%{?suse_version} +%{fillup_and_insserv -n "squid"} + %else + /sbin/chkconfig --add squid + %endif +%endif %preun +%if 0%{?has_systemd} %service_del_preun squid.service +%else + %if 0%{?suse_version} +%stop_on_removal squid + %else + if [ $1 = 0 ] ; then + service squid stop >/dev/null 2>&1 + rm -f /var/log/squid/* + /sbin/chkconfig --del squid + fi + %endif +%endif +%if 0%{?suse_version} %verifyscript %verify_permissions -e %{_sbindir}/basic_pam_auth %verify_permissions -e %{_sbindir}/pinger %verify_permissions -e %{_localstatedir}/cache/squid/ %verify_permissions -e %{_localstatedir}/log/squid/ +%endif %postun +%if 0%{?has_systemd} %service_del_postun squid.service +%else + %if 0%{?suse_version} +%restart_on_update squid +%insserv_cleanup + %else + if [ "$1" -ge "1" ] ; then + service squid condrestart >/dev/null 2>&1 + fi + %endif +%endif %files %defattr(-,root,root) @@ -253,7 +379,11 @@ fi %doc doc/contrib doc/scripts %doc doc/debug-sections.txt src/%{name}.conf.default %doc %{_mandir}/man?/* +%if 0%{?has_systemd} %{_unitdir}/%{name}.service +%else +%{_sysconfdir}/init.d/%{name} +%endif %verify(not user group mode) %attr(750,%{name},root) %dir %{_localstatedir}/cache/%{name}/ %verify(not user group mode) %attr(750,%{name},root) %dir %{_localstatedir}/log/%{name}/ %dir %{squidconfdir} @@ -270,6 +400,9 @@ fi %config %{squidconfdir}/%{name}.conf.default %config %{squidconfdir}/%{name}.conf.documented %config %{_sysconfdir}/pam.d/%{name} +%if 0%{?suse_version} < 1140 +%config %{_sysconfdir}/permissions.d/%{name} +%endif %dir %{_datadir}/%{name} %{_datadir}/%{name}/errors %{_datadir}/%{name}/icons 
@@ -286,7 +419,11 @@ fi %{_sbindir}/basic_msnt_multi_domain_auth %{_sbindir}/basic_ncsa_auth %{_sbindir}/basic_nis_auth +%if 0%{?suse_version} < 1140 +%{_sbindir}/basic_pam_auth +%else %verify(not mode) %attr(2750,root,shadow) %{_sbindir}/basic_pam_auth +%endif %{_sbindir}/basic_pop3_auth %{_sbindir}/basic_radius_auth %{_sbindir}/basic_sasl_auth @@ -294,6 +431,7 @@ fi %{_sbindir}/basic_smb_auth.sh %{_sbindir}/cert_tool %{_sbindir}/cert_valid.pl +#{_sbindir}/digest_edirectory_auth %{_sbindir}/digest_file_auth %{_sbindir}/digest_ldap_auth %{_sbindir}/diskd @@ -312,15 +450,24 @@ fi %{_sbindir}/negotiate_wrapper_auth %{_sbindir}/ntlm_fake_auth %{_sbindir}/ntlm_smb_lm_auth -%verify(not user group mode caps) %attr(750,root,squid) %{_sbindir}/pinger +# not working %%caps(cap_net_raw=ep) +%if 0%{?suse_version} < 1140 +%attr(0750,root,squid) %{_sbindir}/pinger +%else +%verify(not user group mode caps) %attr(0750,root,squid) %{_sbindir}/pinger +%endif %{_sbindir}/%{name} %{_sbindir}/ssl_crtd %{_sbindir}/storeid_file_rewrite %{_sbindir}/unlinkd %{_sbindir}/url_fake_rewrite %{_sbindir}/url_fake_rewrite.sh +%if 0%{?suse_version} %{_sbindir}/rc%{name} %{_localstatedir}/adm/fillup-templates/sysconfig.%{name} +%else +%{_sysconfdir}/sysconfig/%{name} +%endif %dir %{_libdir}/%{name} %{_libdir}/%{name}/cachemgr.cgi
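Review bot: in the `@@ -45,47 +51,89 @@` hunk `BuildRequires: fdupes` is commented out while the install section still runs `%fdupes -s` (suse_version > 1030) and `fdupes -q -n -r` (fedora_version > 8), so a clean build root will fail at %install; restore it under the same conditions, e.g. `%if 0%{?suse_version} > 1030 || 0%{?fedora_version} > 8` / `BuildRequires: fdupes` / `%endif`. The `# needed by bootstrap.sh` comment sits above `BuildRequires: cyrus-sasl-devel`, which bootstrap.sh does not use; move it to the libtool lines it describes or drop it. Dropping `Requires: sed` is only safe because the install-time scriptlets shown here call getent, id, groupadd, useradd and usermod but never sed; the sed invocation that remains runs at build time in %install.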
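Review bot: in the `@@ -104,8 +152,15 @@` hunk the pid file path now differs by init system (`/run/squid.pid` under has_systemd, `%{_localstatedir}/run/squid.pid` otherwise), but nothing in the spec ties that choice to the SysVinit scripts (SOURCE3, SOURCE14) or to the sysconfig template; please confirm those files reference `%{_localstatedir}/run/squid.pid`, otherwise `rcsquid stop` will not find the daemon.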
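Review bot: the `@@ -136,7 +191,7 @@` hunk is a whitespace-only change to `--disable-arch-native`; drop it or keep it in a separate cleanup commit so the functional diff stays reviewable.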
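Review bot: in the `@@ -187,40 +247,73 @@` hunk `%else # SysVinit` and `%else # lets just assume other are rh based ones...` put trailing text on an `%else` directive; rpmbuild does not take arguments there (recent releases reject the extra tokens), so move the comments onto their own lines above the directive. The rewritten `%pre` tests also change from POSIX `[ -z "..." ]` to bash-only `[[ -z $(...) ]]`; scriptlets run under /bin/sh, so keep the portable form unless the spec declares `%pre -p /bin/bash`. The winbind membership test `[[ $(... | grep -q winbind >/dev/null; echo $?) -ne 0 ]]` reads more simply as `if ! %{_bindir}/id -nG %{name} 2>/dev/null | grep -qw winbind; then`.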
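Review bot: in the `@@ -230,20 +323,53 @@` hunk the non-SUSE `%preun` branch runs `rm -f /var/log/squid/*` when `$1 = 0`; deleting the administrator's access and cache logs on `rpm -e` is destructive and unexpected (log lifecycle belongs to logrotate), so drop that line, or at minimum spell the path as `%{_localstatedir}/log/%{name}`. Separately, `%fillup_only` is removed from `%post` and only the SysVinit SUSE branch gains `%{fillup_and_insserv -n "squid"}`; on SUSE with `has_systemd` the template installed to `%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}` is therefore never merged into /etc/sysconfig/squid. Add `%fillup_only -n squid` to the `%if 0%{?has_systemd}` branch of `%post`.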
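Review bot: in the `@@ -286,7 +419,11 @@` hunk the suse_version < 1140 entry lists `%{_sbindir}/basic_pam_auth` without `%attr(2750,root,shadow)` or `%verify(not mode)`, so the helper is packaged 0755 root:root and can only read /etc/shadow if the permissions.d file (SOURCE9, installed in the same condition) sets the setgid bit via `%run_permissions` in %post; state that dependency in a comment next to the entry and add `%verify(not mode)` to the `< 1140` line as well, otherwise `rpm -V` reports the mode that permissions legitimately changed.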
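Review bot: in the `@@ -294,6 +431,7 @@` hunk `#{_sbindir}/digest_edirectory_auth` correctly replaces `%` with `#` so the macro is not expanded inside the comment, but the line gives no reason the helper is left out of %files; add a short comment (build failure, missing dependency, or not shipped by upstream) so the next maintainer knows whether it can be re-enabled.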
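Review bot: in the `@@ -312,15 +450,24 @@` hunk the suse_version < 1140 branch packages `%{_sbindir}/pinger` as `%attr(0750,root,squid)` with neither a setuid bit nor `%verify(not user group mode caps)`; pinger needs raw sockets, so it only works once permissions.d raises the mode in %post, and that change then trips `rpm -V`. Add the same `%verify(not user group mode)` qualifier to the `< 1140` line, and expand `# not working %%caps(cap_net_raw=ep)` to say what fails (rpm version, file system, or kernel) so the disabled directive is not re-tried blindly.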