rpm/squid
SHA256
1
0
Fork 0
forked from pool/squid
Code Pull Requests Activity

Accepting request 286695 from server:proxy:Test

Browse Source 
recover old spec, fix permissions for SLE11

OBS-URL: https://build.opensuse.org/request/show/286695
OBS-URL: https://build.opensuse.org/package/show/server:proxy/squid?expand=0&rev=65
This commit is contained in:
Christian Wittmer 2015-02-18 23:15:24 +00:00 committed by Git OBS Bridge
parent 3ca11bdc56
commit 69403394b4
6 changed files with 1177 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

597
squid-3.4.10-RELEASENOTES.html Normal file
View File

@ -0,0 +1,597 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.69">
<TITLE>Squid 3.4.10 release notes</TITLE>
</HEAD>
<BODY>
<H1>Squid 3.4.10 release notes</H1>
<H2>Squid Developers</H2>
<HR>
<EM>This document contains the release notes for version 3.4 of Squid.
Squid is a WWW Cache application developed by the National Laboratory
for Applied Network Research and members of the Web Caching community.</EM>
<HR>
<P>
<H2><A NAME="toc1">1.</A> <A HREF="#s1">Notice</A></H2>
<UL>
<LI><A NAME="toc1.1">1.1</A> <A HREF="#ss1.1">Known issues</A>
<LI><A NAME="toc1.2">1.2</A> <A HREF="#ss1.2">Changes since earlier releases of Squid-3.4</A>
</UL>
<P>
<H2><A NAME="toc2">2.</A> <A HREF="#s2">Major new features since Squid-3.3</A></H2>
<UL>
<LI><A NAME="toc2.1">2.1</A> <A HREF="#ss2.1">Helper protocol extensions</A>
<LI><A NAME="toc2.2">2.2</A> <A HREF="#ss2.2">SSL Server Certificate Validator</A>
<LI><A NAME="toc2.3">2.3</A> <A HREF="#ss2.3">Store-ID</A>
<LI><A NAME="toc2.4">2.4</A> <A HREF="#ss2.4">TPROXY Support for OpenBSD 5.1+ and FreeBSD 9+</A>
<LI><A NAME="toc2.5">2.5</A> <A HREF="#ss2.5">Transaction Annotations</A>
<LI><A NAME="toc2.6">2.6</A> <A HREF="#ss2.6">Multicast DNS</A>
</UL>
<P>
<H2><A NAME="toc3">3.</A> <A HREF="#s3">Changes to squid.conf since Squid-3.3</A></H2>
<UL>
<LI><A NAME="toc3.1">3.1</A> <A HREF="#ss3.1">New tags</A>
<LI><A NAME="toc3.2">3.2</A> <A HREF="#ss3.2">Changes to existing tags</A>
<LI><A NAME="toc3.3">3.3</A> <A HREF="#ss3.3">Removed tags</A>
</UL>
<P>
<H2><A NAME="toc4">4.</A> <A HREF="#s4">Changes to ./configure options since Squid-3.3</A></H2>
<UL>
<LI><A NAME="toc4.1">4.1</A> <A HREF="#ss4.1">New options</A>
<LI><A NAME="toc4.2">4.2</A> <A HREF="#ss4.2">Changes to existing options</A>
<LI><A NAME="toc4.3">4.3</A> <A HREF="#ss4.3">Removed options</A>
</UL>
<P>
<H2><A NAME="toc5">5.</A> <A HREF="#s5">Regressions since Squid-2.7</A></H2>
<UL>
<LI><A NAME="toc5.1">5.1</A> <A HREF="#ss5.1">Missing squid.conf options available in Squid-2.7</A>
</UL>
<HR>
<H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2>
<P>The Squid Team are pleased to announce the release of Squid-3.4.10 for testing.</P>
<P>This new release is available for download from
<A HREF="http://www.squid-cache.org/Versions/v3/3.4/">http://www.squid-cache.org/Versions/v3/3.4/</A> or the
<A HREF="http://www.squid-cache.org/Mirrors/http-mirrors.html">mirrors</A>.</P>
<P>Some interesting new features adding system flexibility have been added along with general improvements all around.
While this release is not fully bug-free we believe it is ready for use in production on many systems.</P>
<P>We welcome feedback and bug reports. If you find a bug, please see
<A HREF="http://wiki.squid-cache.org/SquidFaq/BugReporting">http://wiki.squid-cache.org/SquidFaq/BugReporting</A>
for how to submit a report with a stack trace.</P>
<H2><A NAME="ss1.1">1.1</A> <A HREF="#toc1.1">Known issues</A>
</H2>
<P>Although this release is deemed good enough for use in many setups, please note the existence of
<A HREF="http://bugs.squid-cache.org/buglist.cgi?query_format=advanced&amp;product=Squid&amp;bug_status=UNCONFIRMED&amp;bug_status=NEW&amp;bug_status=ASSIGNED&amp;bug_status=REOPENED&amp;version=3.4">open bugs against Squid-3.4</A>.</P>
<H2><A NAME="ss1.2">1.2</A> <A HREF="#toc1.2">Changes since earlier releases of Squid-3.4</A>
</H2>
<P>The 3.4 change history can be
<A HREF="http://www.squid-cache.org/Versions/v3/3.4/changesets/">viewed here</A>.</P>
<H2><A NAME="s2">2.</A> <A HREF="#toc2">Major new features since Squid-3.3</A></H2>
<P>Squid 3.4 represents a new feature release above 3.3.</P>
<P>The most important of these new features are:
<UL>
<LI>Helper protocol extensions</LI>
<LI>SSL Server Certificate Validator</LI>
<LI>Store-ID</LI>
<LI>TPROXY Support for OpenBSD 5.1+ and FreeBSD 9+</LI>
<LI>Transaction Annotations</LI>
<LI>Multicast DNS</LI>
</UL>
</P>
<P>Most user-facing changes are reflected in squid.conf (see below).</P>
<H2><A NAME="ss2.1">2.1</A> <A HREF="#toc2.1">Helper protocol extensions</A>
</H2>
<P>Details at
<A HREF="http://wiki.squid-cache.org/Features/AddonHelpers">http://wiki.squid-cache.org/Features/AddonHelpers</A>.</P>
<P>The Squid helper protocol used to communicate with authenticators,
URL-rewriters, Redirectors, and External ACL helpers has been updated
and extended.</P>
<P><EM>BH</EM> status code is now accepted from all helpers to report
internal error events separate from <EM>ERR</EM> rejection code.
Permitting Squid to perform recovery operations specific to
helper failure instead of a blanket client rejection.</P>
<P>Arbitrary key-value pairs can be returned from any helper.
Allowing future helpers to be forward- and backward- compatible
with this and future versions of Squid.</P>
<H2><A NAME="ss2.2">2.2</A> <A HREF="#toc2.2">SSL Server Certificate Validator</A>
</H2>
<P>Details at
<A HREF="http://wiki.squid-cache.org/Features/SslServerCertValidator">http://wiki.squid-cache.org/Features/SslServerCertValidator</A>.</P>
<P>The helper consulted after the internal OpenSSL validation, regardless of the
validation results. The helper will receive:</P>
<P>
<UL>
<LI>the origin server certificate (chain),</LI>
<LI>the intended domain name, and</LI>
<LI>a list of OpenSSL validation errors (if any).</LI>
</UL>
</P>
<P>If the helper decides to honor an OpenSSL error or report another validation
error(s), the helper will return:</P>
<P>
<UL>
<LI>A list of certificates.</LI>
<LI>A list of items consists the the validation error name (see <EM>%err_name</EM>
error page macro and <EM>%err_details</EM> code for <EM>logformat</EM>), error reason
(<EM>%ssl_lib_error macro</EM>), and the offending certificate.</LI>
</UL>
</P>
<P>The returned information mimics what the internal OpenSSL-based validation code
collects now. Returned errors, if any, are fed to <EM>sslproxy_cert_error</EM>,
triggering the existing SSL error processing code.</P>
<P>The helper invocation controlled by the <EM>sslcrtvalidator_program</EM> and
<EM>sslcrtvalidator_children</EM> configurations options which are similar to the
<EM>ssl_crtd</EM> related options. </P>
<H2><A NAME="ss2.3">2.3</A> <A HREF="#toc2.3">Store-ID</A>
</H2>
<P>Details at
<A HREF="http://wiki.squid-cache.org/Features/StoreID">http://wiki.squid-cache.org/Features/StoreID</A>.</P>
<P>This feature is a redesigned equivalent to the Squid-2.7 feature known as StoreURL-rewrite.</P>
<P><EM>Notice</EM> that this is not a direct portage of the Squid-2.7 feature so behaviour
differences do exist. Although the new feature works in similar enough ways that the old
helper scripts used for Squid-2.7 are expected to work in this and later versions of Squid.</P>
<P>Squid traditionally uses the requested URL as an index key ID to locate objects in cache.
It is not the only key possible and the Store-ID feature exposes an API for external
helpers to provide Squid with an alternative key name for any URL.</P>
<P>When any client request is received which requires a cache lookup the URL is passed to
a helper specified with the <EM>store_id_program</EM> directive to check for an alternative
Store ID. This allows the helper to identify URLs which refer to duplicate resources and
de-duplicate the cache content. <EM>store_id_access</EM> is provided to allow ACL-based
tuning of which traffic gets sent to the helper and reduce overheads.</P>
<P>One subtle and noteworthy difference between Squid-2 and Squid-3 which is highlighted by
this feature is that <EM>refresh_pattern</EM> applies its regex argument against the Store
ID key and not the transaction URL. So using the Store-ID feature to alter the value
affects which <EM>refresh_pattern</EM> directive will be matched.</P>
<P>Store-ID helpers bundled with Squid can be built with the --enable-storeid-rewrite-helpers
option which is added in this version. Currently there is a <EM>file</EM> helper
provided.</P>
<H2><A NAME="ss2.4">2.4</A> <A HREF="#toc2.4">TPROXY Support for OpenBSD 5.1+ and FreeBSD 9+</A>
</H2>
<P>Details at
<A HREF="http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf">http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf</A>.</P>
<P>The Packet Filter (PF) firewall in OpenBSD 4.4 and later offers traffic interception
using several very simple methods. One of which is the <EM>divert-to</EM> rule type
which acts as a simple routing diversion instead of performing NAT packet alterations.</P>
<P>The IP Firewall (IPFW) on FreeBSD 9+ contains a port of the Linux Netfilter TPROXY feature.</P>
<P>This version of Squid adds support for these features through the ./configure
options --enable-pf-transparent and --enable-ipfw-transparent when Squid is built on
systems with the required support. No special extras are required to enable
<EM>http_port ... tproxy</EM> configuration to work.</P>
<P>NOTE: To resolve NAT lookup issues on recent PF firewall versions the code behind
<EM>./configure --enable-pf-transparent</EM> has been altered and is expected to
break on the version of PF firewall shipped with BSD systems such as NetBSD and FreeBSD
which do not yet support the getsockname() API.
These systems require <EM>--with-nat-devpf</EM> to enable /dev/pf support when using PF firewall.</P>
<H2><A NAME="ss2.5">2.5</A> <A HREF="#toc2.5">Transaction Annotations</A>
</H2>
<P>Previously the only annotation methods available were ICAP/eCAP HTTP header insertions
or external ACL <EM>tag=</EM> result code. Each of which had only limited possibilities
for use and little or no correlation.</P>
<P>It is now possible to add annotations to a client transaction from several sources:
<UL>
<LI> Directly from squid.conf using the <EM>note</EM> directive with
ACL-based selection of which annotation is linked to any
particular transaction.
</LI>
<LI> By configured helper processes returning a key=value pair.
The key name becomes the annotation name.</LI>
</UL>
</P>
<P>Annotations on the transaction can be passed to ICAP services or eCAP modules using the
<EM>adaptation_meta</EM> directive to send them as headers.
They can also be logged using the <EM>%note</EM> log format code in custom logs. With
the new helper response syntax changes this means all helper response key=value details
such as URL-rewrite or store-id changes, external ACL tag etc. are now able to be logged.</P>
<P>Annotations which are already assigned to a transaction can be checked using an ACL test
of the new <EM>note</EM> ACL type. This can match a particular note by name and value,
of for any notes with a given name.</P>
<P>NOTE: not all helper interfaces are yet enabled to convert key=value into annotations
and the external ACL interface does not yet send annotations to the helper.</P>
<H2><A NAME="ss2.6">2.6</A> <A HREF="#toc2.6">Multicast DNS</A>
</H2>
<P>The internal DNS component of Squid now supports multicast DNS (mDNS) resolution in
accordance with RFC 6762.</P>
<P>The <EM>dns_multicast_local</EM> directive must be set to <EM>on</EM> to enable this
feature.</P>
<P>The multicast DNS group IP addresses for IPv4 and IPv6 resolving are added to the set
of available DNS resolvers and used automatically for domain names ending in <EM>.local</EM>
and reverse-DNS lookups before attempting a secondary resolution on the configured
resolvers. Domains without <EM>.local</EM> are resolved using only the configured resolvers.</P>
<P>Statistics for multicast DNS resolution can be found on the <EM>idns</EM> cache manager
report.</P>
<P><EM>NOTE</EM> that the external DNS helper interface is now deprecated and has been
removed from future Squid versions. Any installations still using it for local hostname
resolution need to upgrade to mDNS resolution with this Squid version.</P>
<H2><A NAME="s3">3.</A> <A HREF="#toc3">Changes to squid.conf since Squid-3.3</A></H2>
<P>There have been changes to Squid's configuration file since Squid-3.3.</P>
<P>Squid supports reading configuration option parameters from external
files using the syntax <EM>parameters("/path/filename")</EM>. For example:
<PRE>
acl whitelist dstdomain parameters("/etc/squid/whitelist.txt")
</PRE>
</P>
<P>There have also been changes to individual directives in the config file.</P>
<P>This section gives a thorough account of those changes in three categories:</P>
<P>
<UL>
<LI>
<A HREF="#newtags">New tags</A></LI>
<LI>
<A HREF="#modifiedtags">Changes to existing tags</A></LI>
<LI>
<A HREF="#removedtags">Removed tags</A></LI>
</UL>
</P>
<H2><A NAME="newtags"></A> <A NAME="ss3.1">3.1</A> <A HREF="#toc3.1">New tags</A>
</H2>
<P>
<DL>
<DT><B>configuration_includes_quoted_values</B><DD>
<P>Whether Squid supports directive parameters with spaces, quotes, and other
special characters. Surround such parameters with "double quotes" and
also set this directive on/off around the relevant squid.conf line(s)
making use of such quoting.</P>
<DT><B>dns_multicast_local</B><DD>
<P>Use multicast DNS for <EM>.local</EM> domains and reverse-DNS resolution.</P>
<DT><B>note</B><DD>
<P>Use ACLs to annotate a transaction with customized annotations
which can be logged in access.log</P>
<DT><B>spoof_client_ip</B><DD>
<P>Access control to determine whether to disable the TPROXY spoofing on upstream traffic.</P>
<DT><B>sslcrtvalidator_children</B><DD>
<P>Specifies the settings for how many SSL server certificate
validator helpers are run and when they are started.</P>
<DT><B>sslcrtvalidator_program</B><DD>
<P>Specifies the location of a SSL server certificate validator helper.</P>
<DT><B>store_id_access</B><DD>
<P>Whether the URL for a given request is passed to the Store-ID helper process.
Used to improve StoreID performance by quickly eliminating helper delays using ACL tests.</P>
<P>Ported equivalent to <EM>storeurl_access</EM> from 2.7</P>
<DT><B>store_id_bypass</B><DD>
<P>Whether the StoreID helper may be bypassed when overloaded.</P>
<DT><B>store_id_children</B><DD>
<P>Controls the number of StoreID helper processes.</P>
<P>Options <EM>startup=N</EM>, <EM>idle=N</EM>, <EM>concurrency=N</EM>
<UL>
<LI>startup=N allow finer tuning of how many helpers are started initially.</LI>
<LI>idle=N allow fine tuning of how many helper to retain as buffer against sudden traffic loads.</LI>
<LI>concurrency=N was previously called url_rewrite_concurrency as a distinct directive.</LI>
</UL>
</P>
<DT><B>store_id_rewrite_program</B><DD>
<P>A helper program to provide cache storage internal key ID value for a request.</P>
<P>Ported equivalent to <EM>storeurl_rewrite_program</EM> from 2.7</P>
</DL>
</P>
<H2><A NAME="modifiedtags"></A> <A NAME="ss3.2">3.2</A> <A HREF="#toc3.2">Changes to existing tags</A>
</H2>
<P>
<DL>
<DT><B>access_log</B><DD>
<P>Configuration syntax extended to support name=value options.
<EM>New Syntax:</EM> access_log module:place [option ...] [acl ...]</P>
<P>New option <EM>logformat=</EM> to specify the logging format name.</P>
<P>New option <EM>buffer-size=</EM> to specify how large the log buffer
for this log is to be when <EM>buffered_logs</EM> is enabled.</P>
<P>New option <EM>on-error=</EM> to specify what handling is to be done
if the logging module encounters a non-recoverable error writing logs.
With the value <EM>die</EM> (the default) Squid halts operation.
With the value <EM>drop</EM> Squid drops log lines and continue running.</P>
<DT><B>acl</B><DD>
<P>New test type <EM>server_cert_fingerprint</EM> to match against
server SSL certificate fingerprint.</P>
<P>New test type <EM>note</EM> to match against transaction annotations
by name and value, or just by name.</P>
<P>New test type <EM>any-of</EM> to match if any one of a set of named ACLs.</P>
<P>New test type <EM>all-of</EM> to match against all of a set of named ACLs.</P>
<DT><B>auth_param</B><DD>
<P>New result code <EM>BH</EM> to signal helper internal errors
available in all authentication schemes.</P>
<P>New key <EM>message=</EM> for error message details in all authentication schemes.</P>
<P>New result code <EM>OK</EM> and key <EM>ha1=</EM> in Digest authentication.</P>
<P>New result codes <EM>OK</EM>, <EM>ERR</EM> replace result codes <EM>AF</EM>,
and <EM>NA</EM> in NTLM and Negotiate authentication.</P>
<P>New key <EM>token=</EM> for NTLM and Negotiate authentication <EM>OK</EM> responses.</P>
<P>Details at
<A HREF="http://wiki.squid-cache.org/Features/AddonHelpers">http://wiki.squid-cache.org/Features/AddonHelpers</A>.</P>
<DT><B>external_acl_type</B><DD>
<P>Deprecated <EM>protocol=3.0</EM> option. No longer necessary.</P>
<P>New result code <EM>BH</EM> to signal helper internal errors</P>
<P>Details at
<A HREF="http://wiki.squid-cache.org/Features/AddonHelpers">http://wiki.squid-cache.org/Features/AddonHelpers</A>.</P>
<DT><B>http_port</B><DD>
<P>Support IPv6 for <EM>intercept</EM> mode. Requires ip6tables support on Linux,
PF support on OpenBSD and IPFW support on FreeBSD. Squid will no longer complain
about misconfiguration if IPv6 support is missing, we now rely on the firewall
tools reporting misconfiguration when the NAT rules are created.</P>
<P>Support <EM>tproxy</EM> mode traffic on BSD systems with BINDANY support
(OpenBSD 5+, FreeBSD 9+ so far).</P>
<P>Changed build options behind <EM>intercept</EM> traffic mode handling on BSD.
see <EM>--enable-pf-transparent</EM> for more details.</P>
<DT><B>logformat</B><DD>
<P>New format code <EM>%note</EM> to log a transaction annotation linked to the
transaction by ICAP, eCAP, a helper, or the <EM>note</EM> squid.conf directive.</P>
<P>New format code <EM>%&gt;qos</EM> to log client connection TOS/DSCP value set by Squid.</P>
<P>New format code <EM>%&lt;qos</EM> to log server connection TOS/DSCP value set by Squid.</P>
<P>New format code <EM>%&gt;nfmark</EM> to log client connection netfilter mark set by Squid.</P>
<P>New format code <EM>%&lt;nfmark</EM> to log server connection netfilter mark set by Squid.</P>
<DT><B>pipeline_prefetch</B><DD>
<P>Updated to take a numeric count of prefetched pipeline requests instead of ON/OFF.</P>
<DT><B>refresh_pattern</B><DD>
<P><EM>NOTE:</EM> the regular expression pattern operates on the cache Store-ID value.
Which by default is identical to the requested URL, but may differ for some
objects if the Store-ID feature is in use.</P>
<DT><B>unlinkd_program</B><DD>
<P>New helper response format utilizing result codes <EM>OK</EM> and <EM>BH</EM>,
to signal helper lookup results. Also, key-value response values to return
multiple values to Squid.</P>
<P>Details at
<A HREF="http://wiki.squid-cache.org/Features/AddonHelpers">http://wiki.squid-cache.org/Features/AddonHelpers</A>.</P>
<DT><B>url_rewrite_program</B><DD>
<P>New helper response format utilizing result codes <EM>OK</EM>, <EM>ERR</EM>,
and <EM>BH</EM> to signal helper lookup results. Also, key-value response
values to return multiple values to Squid.</P>
<P>Details at
<A HREF="http://wiki.squid-cache.org/Features/AddonHelpers">http://wiki.squid-cache.org/Features/AddonHelpers</A>.</P>
</DL>
</P>
<H2><A NAME="removedtags"></A> <A NAME="ss3.3">3.3</A> <A HREF="#toc3.3">Removed tags</A>
</H2>
<P>
<DL>
<DT><B>storeurl_access</B><DD>
<P>Replaced by <EM>store_id_access</EM>.</P>
<DT><B>storeurl_rewrite_children</B><DD>
<P>Replaced by <EM>store_id_children</EM>.</P>
<DT><B>storeurl_rewrite_concurrency</B><DD>
<P>Replaced by <EM>store_id_children</EM> with <EM>concurrency=N</EM> option.</P>
<DT><B>storeurl_rewrite_program</B><DD>
<P>Replaced by <EM>store_id_program</EM>.</P>
</DL>
</P>
<H2><A NAME="s4">4.</A> <A HREF="#toc4">Changes to ./configure options since Squid-3.3</A></H2>
<P>There have been some changes to Squid's build configuration since Squid-3.3.</P>
<P>This section gives an account of those changes in three categories:</P>
<P>
<UL>
<LI>
<A HREF="#newoptions">New options</A></LI>
<LI>
<A HREF="#modifiedoptions">Changes to existing options</A></LI>
<LI>
<A HREF="#removedoptions">Removed options</A></LI>
</UL>
</P>
<H2><A NAME="newoptions"></A> <A NAME="ss4.1">4.1</A> <A HREF="#toc4.1">New options</A>
</H2>
<P>
<DL>
<DT><B>--enable-storeid-rewrite-helpers</B><DD>
<P>New option to control which Store-ID helpers are built. As with other
helper options use --disable-* to prevent any helpers building and
omit to get all helper auto-detected.</P>
<P>Currenly only a helper using <EM>file</EM> for backend is provided.</P>
<DT><B>--disable-arch-native</B><DD>
<P>New option to disable use of -march=native compiler flag.</P>
<P>The new flag auto-enables CPU-specific optimizations in GCC and is
required by Clang++ v3.2 for correct 64-bit environment detection.
It does not always work well however, so this build option is provided
to remove it when necessary.</P>
<DT><B>--with-nat-devpf</B><DD>
<P>New option to alter the behaviour of <EM>http_port ... intercept</EM> option
in squid.conf.</P>
<P>When this option is used Squid performs the /dev/pf lookups required to
support PF <EM>rdr-to</EM> rules. Otherwise Squid will perform perform the
getsockname() API calls to support PF <EM>divert-to</EM> rules.</P>
<P>NOTE: systems such as NetBSD and FreeBSD which do not yet support
the getsockname() API in recent PF versions require this option.</P>
</DL>
</P>
<H2><A NAME="modifiedoptions"></A> <A NAME="ss4.2">4.2</A> <A HREF="#toc4.2">Changes to existing options</A>
</H2>
<P>
<DL>
<DT><B>--enable-pf-transparent</B><DD>
<P>NAT table support updated to use the getsockname() API provided by the
latest PF versions <EM>divert-to</EM>. This allows <EM>http_port</EM>
in squid.conf to support both <EM>intercept</EM> and <EM>tproxy</EM> traffic
and to silence NAT lookup failure messages on recent BSD.</P>
<P>NOTE: systems such as NetBSD and FreeBSD which do not yet support
the getsockname() API in recent PF versions require <EM>--with-nat-devpf</EM>
to re-enable /dev/pf support when using PF firewall.</P>
<DT><B>--disable-translation</B><DD>
<P>Default changed to prevent translating error page templates during build.
Use --enable-translation to explicitly build and install the templates.</P>
<P>The latest pre-translated templates can be downloaded from
<A HREF="http://www.squid-cache.org/Versions/langpack/">http://www.squid-cache.org/Versions/langpack/</A></P>
</DL>
</P>
<H2><A NAME="removedoptions"></A> <A NAME="ss4.3">4.3</A> <A HREF="#toc4.3">Removed options</A>
</H2>
<P>
<DL>
<P><EM>There are no removed ./configure options in Squid-3.4.</EM></P>
</DL>
</P>
<H2><A NAME="s5">5.</A> <A HREF="#toc5">Regressions since Squid-2.7</A></H2>
<P>Some squid.conf options which were available in Squid-2.7 are not yet available in Squid-3.4</P>
<P>If you need something to do then porting one of these from Squid-2 to Squid-3 is most welcome.</P>
<H2><A NAME="ss5.1">5.1</A> <A HREF="#toc5.1">Missing squid.conf options available in Squid-2.7</A>
</H2>
<P>
<DL>
<DT><B>broken_vary_encoding</B><DD>
<P>Not yet ported from 2.6</P>
<DT><B>cache_dir</B><DD>
<P><EM>COSS</EM> storage type is lacking stability fixes from 2.6</P>
<P>COSS <EM>overwrite-percent=</EM> option not yet ported from 2.6</P>
<P>COSS <EM>max-stripe-waste=</EM> option not yet ported from 2.6</P>
<P>COSS <EM>membufs=</EM> option not yet ported from 2.6</P>
<P>COSS <EM>maxfullbufs=</EM> option not yet ported from 2.6</P>
<DT><B>cache_peer</B><DD>
<P><EM>idle=</EM> not yet ported from 2.7</P>
<P><EM>monitorinterval=</EM> not yet ported from 2.6</P>
<P><EM>monitorsize=</EM> not yet ported from 2.6</P>
<P><EM>monitortimeout=</EM> not yet ported from 2.6</P>
<P><EM>monitorurl=</EM> not yet ported from 2.6</P>
<DT><B>cache_vary</B><DD>
<P>Not yet ported from 2.6</P>
<DT><B>collapsed_forwarding</B><DD>
<P>Not yet ported from 2.6</P>
<DT><B>error_map</B><DD>
<P>Not yet ported from 2.6</P>
<DT><B>external_refresh_check</B><DD>
<P>Not yet ported from 2.7</P>
<DT><B>location_rewrite_access</B><DD>
<P>Not yet ported from 2.6</P>
<DT><B>location_rewrite_children</B><DD>
<P>Not yet ported from 2.6</P>
<DT><B>location_rewrite_concurrency</B><DD>
<P>Not yet ported from 2.6</P>
<DT><B>location_rewrite_program</B><DD>
<P>Not yet ported from 2.6</P>
<DT><B>refresh_pattern</B><DD>
<P><EM>stale-while-revalidate=</EM> not yet ported from 2.7</P>
<P><EM>ignore-stale-while-revalidate=</EM> not yet ported from 2.7</P>
<P><EM>negative-ttl=</EM> not yet ported from 2.7</P>
<DT><B>refresh_stale_hit</B><DD>
<P>Not yet ported from 2.7</P>
<DT><B>update_headers</B><DD>
<P>Not yet ported from 2.7</P>
</DL>
</P>
</BODY>
</HTML>

13
squid.changes
View File

@ -1,3 +1,16 @@
-------------------------------------------------------------------
Sat Jan 10 01:08:40 UTC 2015 - chris@computersalat.de
- recover old spec
* merge in suggested changes from tchvatal
- fix permissions for SLE11
* revert suid bit for pinger and basic_pam_auth
add them to permissions file (commented)
- readd deleted files
* RELEASENOTES
* permissions (needed for SLE11)
* init.rh
-------------------------------------------------------------------
Fri Jan 9 10:19:10 UTC 2015 - tchvatal@suse.com

201
squid.init Normal file
View File

@ -0,0 +1,201 @@
#!/bin/sh
# Copyright (c) 1996, 1997, 1998 S.u.S.E. GmbH
# Copyright (c) 1998, 1999, 2000, 2001 SuSE GmbH
# Copyright (c) 2002 SuSE Linux AG
#
# Author: Frank Bodammer, Peter Poeml, Klaus Singvogel <feedback@suse.de>
#
# /etc/init.d/squid
# and its symbolic link
# /(usr/)sbin/rcsquid
#
### BEGIN INIT INFO
# Provides: squid
# Required-Start: $local_fs $remote_fs $network $time
# Should-Start: apache $named winbind
# Required-Stop: $local_fs $remote_fs $network $time
# Should-Stop: apache $named winbind
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Short-Description: Squid web cache
# Description: Start the Squid web cache, providing
# HTTP, FTP and other proxy services
### END INIT INFO
#
# Note on runlevels:
# 0 - halt/poweroff 6 - reboot
# 1 - single user 2 - multiuser without network exported
# 3 - multiuser w/ network (text mode) 5 - multiuser w/ network and X11 (xdm)
# Check for missing binaries (stale symlinks should not happen)
# Note: Special treatment of stop for LSB conformance
SQUID_BIN=/usr/sbin/squid
test -x $SQUID_BIN || { echo "$SQUID_BIN not installed";
if [ "$1" = "stop" ]; then exit 0;
else exit 5; fi; }
# Check for existence of needed config file and read it
SQUID_SYSCONFIG=/etc/sysconfig/squid
test -r $SQUID_SYSCONFIG || { echo "$SQUID_SYSCONFIG not existing";
if [ "$1" = "stop" ]; then exit 0;
else exit 6; fi; }
# Read config
. $SQUID_SYSCONFIG
SQUID_PID=/var/run/squid.pid
SQUID_CONF=/etc/squid/squid.conf
SQUID_S_T=${SQUID_SHUTDOWN_TIMEOUT:="60"}
SQUID_OPTS=${SQUID_START_OPTIONS:="-sY"}
SQUID_ULIMIT=${SQUID_DEFAULT_ULIMT:="4096"}
# determine which one is the cache_swap directory
SQUID_CACHE_DIR=$(perl -n -e \
'/^cache_dir\s+\S+\s+(.*)\s+\d+\s+\d+\s+\d+/ && print "$1"' $SQUID_CONF)
ulimit -n "$SQUID_ULIMIT"
#IN: $SQUID_CACHE_DIR
setup_squid_cache_dir(){
for adir in "$1" ; do
if [ ! -d $adir/00 ]; then # create missing cache directories
umask 027 # prevent users reading any cache data
echo -n " ($adir)"
$SQUID_BIN -z -F > /dev/null 2>&1
fi
if [ ! -d $adir/00 ]; then
echo " - failed while creating cache_dir ! "
rc_failed
rc_status -v
rc_exit
fi
done
sleep 2
}
# Shell functions sourced from /etc/rc.status:
# rc_check check and set local and overall rc status
# rc_status check and set local and overall rc status
# rc_status -v be verbose in local rc status and clear it afterwards
# rc_status -v -r ditto and clear both the local and overall rc status
# rc_status -s display "skipped" and exit with status 3
# rc_status -u display "unused" and exit with status 3
# rc_failed set local and overall rc status to failed
# rc_failed <num> set local and overall rc status to <num>
# rc_reset clear both the local and overall rc status
# rc_exit exit appropriate to overall rc status
# rc_active checks whether a service is activated by symlinks
. /etc/rc.status
# Reset status of this service
rc_reset
case "$1" in
start)
echo -n "Starting WWW-proxy squid "
if /sbin/checkproc $SQUID_BIN ; then
echo -n "- Warning: squid already running ! "
rc_failed
else
[ -e $SQUID_PID ] && echo -n "- Warning: $SQUID_PID exists ! "
if [ -n "$SQUID_CACHE_DIR" -a -d "$SQUID_CACHE_DIR" ]; then
setup_squid_cache_dir "$SQUID_CACHE_DIR"
fi
fi
startproc -l /var/log/squid/rcsquid.log $SQUID_BIN "$SQUID_OPTS"
# Remember status and be verbose
rc_status -v
;;
stop)
echo -n "Shutting down WWW-proxy squid "
if /sbin/checkproc $SQUID_BIN ; then
$SQUID_BIN -k shutdown
sleep 2
if [ -e $SQUID_PID ] ; then
echo -n "- wait a minute or two... "
i="$SQUID_S_T"
while [ -e $SQUID_PID ] && [ $i -gt 0 ] ; do
sleep 2
i=$[$i-1]
echo -n "."
[ $i -eq 41 ] && echo
done
fi
if /sbin/checkproc $SQUID_BIN ; then
killproc -TERM $SQUID_BIN
echo -n " Warning: squid killed !"
fi
else
echo -n "- Warning: squid not running ! "
rc_failed 7
fi
# Remember status and be verbose
rc_status -v
;;
try-restart)
$0 status >/dev/null && $0 restart
# Remember status and be quiet
rc_status
;;
restart)
$0 stop
$0 start
# Remember status and be quiet
rc_status
;;
force-reload)
$0 reload
# Remember status and be quiet
rc_status
;;
reload)
echo -n "Reloading WWW-proxy squid "
if /sbin/checkproc $SQUID_BIN ; then
$SQUID_BIN -k rotate
sleep 2
$SQUID_BIN -k reconfigure
rc_status
else
echo -n "- Warning: squid not running ! "
rc_failed 7
fi
# Remember status and be verbose
rc_status -v
;;
status)
echo -n "Checking for WWW-proxy squid "
## Check status with checkproc(8), if process is running
## checkproc will return with exit status 0.
# Return value is slightly different for the status command:
# 0 - service up and running
# 1 - service dead, but /var/run/ pid file exists
# 2 - service dead, but /var/lock/ lock file exists
# 3 - service not running (unused)
# 4 - service status unknown :-(
# 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)
# NOTE: checkproc returns LSB compliant status values.
/sbin/checkproc $SQUID_BIN
# Remember status and be verbose
rc_status -v
;;
probe)
test $SQUID_CONF -nt $SQUID_PID && echo reload
;;
*)
echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
exit 1
;;
esac
rc_exit

187
squid.init.rh Normal file
View File

@ -0,0 +1,187 @@
#!/bin/bash
# chkconfig: - 90 25
# pidfile: /var/run/squid.pid
# config: /etc/squid/squid.conf
#
### BEGIN INIT INFO
# Provides: squid
# Short-Description: starting and stopping Squid Internet Object Cache
# Description: Squid - Internet Object Cache. Internet object caching is \
# a way to store requested Internet objects (i.e., data available \
# via the HTTP, FTP, and gopher protocols) on a system closer to the \
# requesting site than to the source. Web browsers can then use the \
# local Squid cache as a proxy HTTP server, reducing access time as \
# well as bandwidth consumption.
### END INIT INFO
PATH=/usr/bin:/sbin:/bin:/usr/sbin
export PATH
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
if [ -f /etc/sysconfig/squid ]; then
. /etc/sysconfig/squid
fi
# don't raise an error if the config file is incomplete
# set defaults instead:
SQUID_OPTS=${SQUID_OPTS:-""}
SQUID_PIDFILE_TIMEOUT=${SQUID_PIDFILE_TIMEOUT:-20}
SQUID_SHUTDOWN_TIMEOUT=${SQUID_SHUTDOWN_TIMEOUT:-100}
SQUID_CONF=${SQUID_CONF:-"/etc/squid/squid.conf"}
SQUID_PIDFILE_DIR="/var/run/squid"
SQUID_USER="squid"
SQUID_DIR="squid"
# determine the name of the squid binary
[ -f /usr/sbin/squid ] && SQUID=squid
prog="$SQUID"
# determine which one is the cache_swap directory
CACHE_SWAP=`sed -e 's/#.*//g' $SQUID_CONF | \
grep cache_dir | awk '{ print $3 }'`
RETVAL=0
probe() {
# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 1
[ `id -u` -ne 0 ] && exit 4
# check if the squid conf file is present
[ -f $SQUID_CONF ] || exit 6
}
start() {
# Check if $SQUID_PIDFILE_DIR exists and if not, lets create it and give squid permissions.
if [ ! -d $SQUID_PIDFILE_DIR ] ; then mkdir $SQUID_PIDFILE_DIR ; chown -R $SQUID_USER.$SQUID_DIR $SQUID_PIDFILE_DIR; fi
probe
parse=`$SQUID -k parse -f $SQUID_CONF 2>&1`
RETVAL=$?
if [ $RETVAL -ne 0 ]; then
echo -n $"Starting $prog: "
echo_failure
echo
echo "$parse"
return 1
fi
for adir in $CACHE_SWAP; do
if [ ! -d $adir/00 ]; then
echo -n "init_cache_dir $adir... "
$SQUID -z -F -f $SQUID_CONF >> /var/log/squid/squid.out 2>&1
fi
done
echo -n $"Starting $prog: "
$SQUID $SQUID_OPTS -f $SQUID_CONF >> /var/log/squid/squid.out 2>&1
RETVAL=$?
if [ $RETVAL -eq 0 ]; then
timeout=0;
while : ; do
[ ! -f /var/run/squid.pid ] || break
if [ $timeout -ge $SQUID_PIDFILE_TIMEOUT ]; then
RETVAL=1
break
fi
sleep 1 && echo -n "."
timeout=$((timeout+1))
done
fi
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/$SQUID
[ $RETVAL -eq 0 ] && echo_success
[ $RETVAL -ne 0 ] && echo_failure
echo
return $RETVAL
}
stop() {
echo -n $"Stopping $prog: "
$SQUID -k check -f $SQUID_CONF >> /var/log/squid/squid.out 2>&1
RETVAL=$?
if [ $RETVAL -eq 0 ] ; then
$SQUID -k shutdown -f $SQUID_CONF &
rm -f /var/lock/subsys/$SQUID
timeout=0
while : ; do
[ -f /var/run/squid.pid ] || break
if [ $timeout -ge $SQUID_SHUTDOWN_TIMEOUT ]; then
echo
return 1
fi
sleep 2 && echo -n "."
timeout=$((timeout+2))
done
echo_success
echo
else
echo_failure
if [ ! -e /var/lock/subsys/$SQUID ]; then
RETVAL=0
fi
echo
fi
rm -rf $SQUID_PIDFILE_DIR/*
return $RETVAL
}
reload() {
$SQUID $SQUID_OPTS -k reconfigure -f $SQUID_CONF
}
restart() {
stop
rm -rf $SQUID_PIDFILE_DIR/*
start
}
condrestart() {
[ -e /var/lock/subsys/squid ] && restart || :
}
rhstatus() {
status $SQUID && $SQUID -k check -f $SQUID_CONF
}
case "$1" in
start)
start
;;
stop)
stop
;;
reload|force-reload)
reload
;;
restart)
restart
;;
condrestart|try-restart)
condrestart
;;
status)
rhstatus
;;
probe)
probe
;;
*)
echo $"Usage: $0 {start|stop|status|reload|force-reload|restart|try-restart|probe}"
exit 2
esac
exit $?

4
squid.permissions Normal file
View File

@ -0,0 +1,4 @@
/var/cache/squid/ squid:root 750
/var/log/squid/ squid:root 750
#/usr/sbin/pinger root:squid 4750
#/usr/sbin/basic_pam_auth root:shadow 2750

203
squid.spec
View File

@ -18,6 +18,7 @@
%define squidlibdir %{_libdir}/squid
%define squidconfdir %{_sysconfdir}/squid
Name: squid
Version: 3.4.10
Release: 0
@ -27,13 +28,18 @@ Group: Productivity/Networking/Web/Proxy
Url: http://www.squid-cache.org/Versions/v3/3.4
Source0: http://www.squid-cache.org/Versions/v3/3.4/%{name}-%{version}.tar.bz2
Source1: http://www.squid-cache.org/Versions/v3/3.4/%{name}-%{version}.tar.bz2.asc
Source2: %{name}-%{version}-RELEASENOTES.html
Source3: squid.init
Source4: squid.sysconfig
Source5: pam.squid
Source6: unsquid.pl
Source7: %{name}.logrotate
Source9: %{name}.permissions
Source10: README.kerberos
Source11: %{name}.service
Source13: %{name}.keyring
Source14: squid.init.rh
# do not show some rpmlint warnings
Source99: squid-rpmlintrc
# some useful defaults for squid
@ -45,47 +51,89 @@ Patch101: %{name}-nobuilddates.patch
Patch102: %{name}-compiled_without_RPM_OPT_FLAGS.patch
# patch fixes kerberos principalname handling (http://bugs.squid-cache.org/show_bug.cgi?id=4042)
Patch103: squid-brokenad.patch
BuildRequires: cyrus-sasl-devel
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: db-devel
# needed by bootstrap.sh
BuildRequires: cyrus-sasl-devel
BuildRequires: ed
BuildRequires: expat
#
BuildRequires: fdupes
BuildRequires: gcc-c++
BuildRequires: krb5-devel
BuildRequires: libcap-devel
BuildRequires: libexpat-devel
%if 0%{?suse_version} <= 1140
BuildRequires: libtool
%else
BuildRequires: libtool >= 2.4
%endif
%if 0%{?suse_version} < 1220
BuildRequires: libxml2-devel
%else
BuildRequires: pkgconfig(libxml-2.0)
%endif
BuildRequires: openldap2-devel
BuildRequires: opensp-devel
BuildRequires: openssl-devel
BuildRequires: pam-devel
BuildRequires: pkgconfig
BuildRequires: sharutils
BuildRequires: systemd
BuildRequires: pkgconfig(libxml-2.0)
Requires: logrotate
Requires: sed
%if 0%{?suse_version}
Requires(post): %fillup_prereq
Requires(pre): %insserv_prereq
Requires(pre): %{_bindir}/getent
%if 0%{?suse_version} < 1140
Requires(pre): permissions
%else
Requires(pre): permissions >= 2014.11
%endif
Requires(pre): pwdutils
Provides: %{name}3 = %{version}
Provides: http_proxy
Obsoletes: %{name}3 < %{version}
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%else
Requires(pre): shadow-utils
Requires(post): /sbin/chkconfig
Requires(preun): /sbin/service /sbin/chkconfig
Requires(postun): /sbin/service
%endif
%if 0%{?suse_version} > 1210
BuildRequires: systemd
%{?systemd_requires}
%define has_systemd 1
%else
Requires(pre): %insserv_prereq
%endif
Requires: logrotate
Provides: http_proxy
# due to package rename
# Wed Aug 15 17:40:30 UTC 2012
Provides: %{name}3 = %{version}
Obsoletes: %{name}3 < %{version}
%description
Squid is a fully-featured HTTP/1.0 proxy which is almost a fully-featured
HTTP/1.1 proxy. Squid offers a rich access control, authorization and logging
environment to develop web proxy and content serving applications.
Squid offers a rich set of traffic optimization options, most of which are
enabled by default for simpler installation and high performance.
Squid is a fully-featured HTTP/1.0 proxy which is almost (but not quite - we're getting there!) a fully-featured HTTP/1.1 proxy. Squid offers a rich access control, authorization and logging environment to develop web proxy and content serving applications. Squid offers a rich set of traffic optimization options, most of which are enabled by default for simpler installation and high performance.
Squid 3.4 represents a new feature release above 3.3.
The most important of these new features are:
* Helper protocol extensions
* SSL Server Certificate Validator
* Store-ID
* TPROXY Support for OpenBSD 5.1+ and FreeBSD 9+
* Transaction Annotations
* Multicast DNS
%prep
#setup -q -n %{name}-%{version}%{snap}
%setup -q
cp %{SOURCE10} .
# upstream patches after RELEASE
#
##### other patches
%patch100
perl -p -i -e 's|%{_prefix}/local/bin/perl|%{_bindir}/perl|' `find -name "*.pl"`
chmod a-x CREDITS
@ -104,8 +152,15 @@ export LDFLAGS='-Wl,-z,relro,-z,now -pie'
--datadir=%{_datadir}/squid \
--sharedstatedir=%{_localstatedir}/squid \
--with-logdir=%{_localstatedir}/log/squid \
%if 0%{?has_systemd}
--with-pidfile=/run/squid.pid \
%else
--with-pidfile=%{_localstatedir}/run/squid.pid \
%endif
--with-dl \
%if 0%{?suse_version} <= 1140
--with-included-ltdl \
%endif
--enable-disk-io \
--enable-storeio \
--enable-removal-policies=heap,lru \
@ -136,7 +191,7 @@ export LDFLAGS='-Wl,-z,relro,-z,now -pie'
--with-default-user=%{name} \
--disable-ident-lookups \
--enable-follow-x-forwarded-for \
--disable-arch-native
--disable-arch-native
# overwrite the number of open filedescriptors of configure to 4096
# to be backward compatible, but numbers above should not be overwritten
@ -162,6 +217,11 @@ make install DESTDIR=%{buildroot} SAMBAPREFIX=/usr
mv %{buildroot}{%{_sysconfdir}/%{name}/,%{_datadir}/%{name}/}mime.conf.default
ln -s %{_sysconfdir}/%{name}/mime.conf %{buildroot}%{_datadir}/%{name} # backward compatible
%if 0%{?suse_version} < 1140
# permissions file
install -D -m 644 %{SOURCE9} %{buildroot}%{_sysconfdir}/permissions.d/%{name}
%endif
# install logrotate file
install -D -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
@ -187,40 +247,73 @@ for i in errors/*; do
done
ln -sf %{_datadir}/%{name}/errors/de %{buildroot}%{squidconfdir}/errors
# systemd service
install -D -m 644 %{SOURCE11} %{buildroot}%{_unitdir}/%{name}.service
ln -sf service %{buildroot}%{_sbindir}/rc%{name}
install -D -m644 %{SOURCE4} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}
# fix file duplicates
%if 0%{?suse_version} > 1030
%fdupes -s %{buildroot}%{_prefix}
%endif
%if 0%{?fedora_version} > 8
fdupes -q -n -r %{buildroot}%{_prefix}
%endif
# systemd vs SysVinit
%if 0%{?has_systemd}
install -D -m 644 %{SOURCE11} %{buildroot}%{_unitdir}/%{name}.service
ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
%else # SysVinit
# fix postrotate script for SysVinit
sed -i -re 's@/usr/bin/systemctl.*@/etc/init.d/squid reload@g' %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
%if 0%{?suse_version}
install -D %{SOURCE3} %{buildroot}%{_sysconfdir}/init.d/%{name}
ln -sf %{_sysconfdir}/init.d/%{name} %{buildroot}%{_sbindir}/rc%{name}
%else # lets just assume other are rh based ones...
install -D %{SOURCE14} %{buildroot}%{_sysconfdir}/init.d/%{name}
%endif
%endif
%if 0%{?suse_version}
install -D -m644 %{SOURCE4} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}
%else
install -D -m644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/%{name}
%endif
%pre
# we need this group for /usr/sbin/pinger
if [ -z "`%{_bindir}/getent group %{name} 2>/dev/null`" ]; then
if [[ -z $(%{_bindir}/getent group %{name} 2>/dev/null) ]]; then
%{_sbindir}/groupadd -g 31 -r %{name} 2>/dev/null
fi
# we need this group for squid (ntlmauth)
# read access to /var/lib/samba/winbindd_privileged
if [ -z "`%{_bindir}/getent group winbind 2>/dev/null`" ]; then
if [[ -z $(%{_bindir}/getent group winbind 2>/dev/null) ]]; then
%{_sbindir}/groupadd -r winbind 2>/dev/null
fi
if [ -z "`%{_bindir}/getent passwd squid 2>/dev/null`" ]; then
if [[ -z $(%{_bindir}/getent passwd squid 2>/dev/null) ]]; then
%{_sbindir}/useradd -c "WWW-proxy squid" -d %{_localstatedir}/cache/%{name} \
-G winbind -g %{name} -o -u 31 -r -s /bin/false \
%{name} 2>/dev/null
fi
# if default group is not squid, change it
if [[ "$(%{_bindir}/id -ng %{name} 2>/dev/null)" != "%{name}" ]]; then
%{_sbindir}/usermod -g %{name} %{name} 2>/dev/null
fi
# if squid is not member of winbind, add him
if [ `%{_bindir}/id -nG %{name} 2>/dev/null | grep -q winbind >/dev/null; echo $?` -ne 0 ]; then
if [[ $(%{_bindir}/id -nG %{name} 2>/dev/null | grep -q winbind >/dev/null; echo $?) -ne 0 ]]; then
%{_sbindir}/usermod -G winbind %{name} 2>/dev/null
fi
%if 0%{?has_systemd}
%service_add_pre %{name}.service
%endif
%post
%set_permissions %{_sbindir}/pinger
%if 0%{?suse_version} >= 1140
%if 0%{?set_permissions:1}
%set_permissions %{_sbindir}/basic_pam_auth
%set_permissions %{_sbindir}/pinger
%set_permissions %{_localstatedir}/cache/squid/
%set_permissions %{_localstatedir}/log/squid/
%else
%run_permissions
%endif
%endif
# update mode?
if [ "$1" -gt "1" ]; then
if [ -e etc/%{name}.conf -a ! -L etc/%{name}.conf -a ! -e etc/%{name}/%{name}.conf ]; then
@ -230,20 +323,53 @@ if [ "$1" -gt "1" ]; then
# default group changed from nogroup to squid
%{_sbindir}/usermod -g %{name} %{name}
fi
%fillup_only
%if 0%{?has_systemd}
%service_add_post squid.service
%else
%if 0%{?suse_version}
%{fillup_and_insserv -n "squid"}
%else
/sbin/chkconfig --add squid
%endif
%endif
%preun
%if 0%{?has_systemd}
%service_del_preun squid.service
%else
%if 0%{?suse_version}
%stop_on_removal squid
%else
if [ $1 = 0 ] ; then
service squid stop >/dev/null 2>&1
rm -f /var/log/squid/*
/sbin/chkconfig --del squid
fi
%endif
%endif
%if 0%{?suse_version}
%verifyscript
%verify_permissions -e %{_sbindir}/basic_pam_auth
%verify_permissions -e %{_sbindir}/pinger
%verify_permissions -e %{_localstatedir}/cache/squid/
%verify_permissions -e %{_localstatedir}/log/squid/
%endif
%postun
%if 0%{?has_systemd}
%service_del_postun squid.service
%else
%if 0%{?suse_version}
%restart_on_update squid
%insserv_cleanup
%else
if [ "$1" -ge "1" ] ; then
service squid condrestart >/dev/null 2>&1
fi
%endif
%endif
%files
%defattr(-,root,root)
@ -253,7 +379,11 @@ fi
%doc doc/contrib doc/scripts
%doc doc/debug-sections.txt src/%{name}.conf.default
%doc %{_mandir}/man?/*
%if 0%{?has_systemd}
%{_unitdir}/%{name}.service
%else
%{_sysconfdir}/init.d/%{name}
%endif
%verify(not user group mode) %attr(750,%{name},root) %dir %{_localstatedir}/cache/%{name}/
%verify(not user group mode) %attr(750,%{name},root) %dir %{_localstatedir}/log/%{name}/
%dir %{squidconfdir}
@ -270,6 +400,9 @@ fi
%config %{squidconfdir}/%{name}.conf.default
%config %{squidconfdir}/%{name}.conf.documented
%config %{_sysconfdir}/pam.d/%{name}
%if 0%{?suse_version} < 1140
%config %{_sysconfdir}/permissions.d/%{name}
%endif
%dir %{_datadir}/%{name}
%{_datadir}/%{name}/errors
%{_datadir}/%{name}/icons
@ -286,7 +419,11 @@ fi
%{_sbindir}/basic_msnt_multi_domain_auth
%{_sbindir}/basic_ncsa_auth
%{_sbindir}/basic_nis_auth
%if 0%{?suse_version} < 1140
%{_sbindir}/basic_pam_auth
%else
%verify(not mode) %attr(2750,root,shadow) %{_sbindir}/basic_pam_auth
%endif
%{_sbindir}/basic_pop3_auth
%{_sbindir}/basic_radius_auth
%{_sbindir}/basic_sasl_auth
@ -294,6 +431,7 @@ fi
%{_sbindir}/basic_smb_auth.sh
%{_sbindir}/cert_tool
%{_sbindir}/cert_valid.pl
#{_sbindir}/digest_edirectory_auth
%{_sbindir}/digest_file_auth
%{_sbindir}/digest_ldap_auth
%{_sbindir}/diskd
@ -312,15 +450,24 @@ fi
%{_sbindir}/negotiate_wrapper_auth
%{_sbindir}/ntlm_fake_auth
%{_sbindir}/ntlm_smb_lm_auth
%verify(not user group mode caps) %attr(750,root,squid) %{_sbindir}/pinger
# not working %%caps(cap_net_raw=ep)
%if 0%{?suse_version} < 1140
%attr(0750,root,squid) %{_sbindir}/pinger
%else
%verify(not user group mode caps) %attr(0750,root,squid) %{_sbindir}/pinger
%endif
%{_sbindir}/%{name}
%{_sbindir}/ssl_crtd
%{_sbindir}/storeid_file_rewrite
%{_sbindir}/unlinkd
%{_sbindir}/url_fake_rewrite
%{_sbindir}/url_fake_rewrite.sh
%if 0%{?suse_version}
%{_sbindir}/rc%{name}
%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}
%else
%{_sysconfdir}/sysconfig/%{name}
%endif
%dir %{_libdir}/%{name}
%{_libdir}/%{name}/cachemgr.cgi