# # spec file for package squid # # Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # %define squidlibdir %{_libdir}/squid %define squidconfdir /etc/squid #define snap -20131225-r13064 Name: squid Summary: A fully featured HTTP/1.0 proxy License: GPL-2.0+ Group: Productivity/Networking/Web/Proxy Version: 3.4.9 Release: 0 Url: http://www.squid-cache.org/Versions/v3/3.4 Source0: http://www.squid-cache.org/Versions/v3/3.4/%{name}-%{version}.tar.bz2 Source1: http://www.squid-cache.org/Versions/v3/3.4/%{name}-%{version}.tar.bz2.asc Source2: RELEASENOTES.html Source3: squid.init Source4: squid.sysconfig Source5: pam.squid Source6: unsquid.pl Source7: %{name}.logrotate ###Source9: %%{name}.permissions.easy Source10: README.kerberos Source11: %{name}.service Source13: %{name}.keyring Source14: squid.init.rh ###Source15: %%{name}.permissions.paranoid # # the following patches are downloaded directly from the webserver # don't change the names for easier identification # # please read every file if there is interest about what the patch changes # or just visit: http://www.squid-cache.org/Versions/v3/3.2/changesets/ # # # Upstream patch # Patch0: # do not show some rpmlint warnings Source99: squid-rpmlintrc # some useful defaults for squid Patch100: %{name}-config.patch # make build compare happy - remove build dates Patch101: %{name}-nobuilddates.patch ## File is compiled without RPM_OPT_FLAGS # squid3 no-rpm-opt-flags :./cf_gen.cc Patch102: %{name}-compiled_without_RPM_OPT_FLAGS.patch # patch fixes kerberos principalname handling (http://bugs.squid-cache.org/show_bug.cgi?id=4042) Patch103: squid-brokenad.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %if 0%{?suse_version} PreReq: %fillup_prereq PreReq: %insserv_prereq PreReq: /usr/bin/getent PreReq: permissions PreReq: pwdutils %else Requires(pre): shadow-utils Requires(post): /sbin/chkconfig Requires(preun): /sbin/service /sbin/chkconfig Requires(postun): /sbin/service %endif BuildRequires: db-devel # needed by bootstrap.sh BuildRequires: cyrus-sasl-devel BuildRequires: ed BuildRequires: expat %if 0%{?suse_version} || 0%{?fedora_version} > 8 BuildRequires: fdupes %endif BuildRequires: gcc-c++ BuildRequires: krb5-devel BuildRequires: libcap-devel BuildRequires: libexpat-devel %if 0%{?suse_version} <= 1140 BuildRequires: libtool %else BuildRequires: libtool >= 2.4 %endif BuildRequires: openldap2-devel BuildRequires: opensp-devel BuildRequires: openssl-devel BuildRequires: pam-devel BuildRequires: pkgconfig BuildRequires: sharutils %if 0%{?suse_version} < 1220 BuildRequires: libxml2-devel %else BuildRequires: pkgconfig(libxml-2.0) %endif %if 0%{?suse_version} >= 1210 BuildRequires: systemd %{?systemd_requires} %define has_systemd 1 %endif Requires: logrotate Requires: sed Provides: http_proxy # due to package rename # Wed Aug 15 17:40:30 UTC 2012 Provides: %{name}3 = %{version} Obsoletes: %{name}3 < %{version} %description Squid is a fully-featured HTTP/1.0 proxy which is almost (but not quite - we're getting there!) a fully-featured HTTP/1.1 proxy. Squid offers a rich access control, authorization and logging environment to develop web proxy and content serving applications. Squid offers a rich set of traffic optimization options, most of which are enabled by default for simpler installation and high performance. Squid 3.4 represents a new feature release above 3.3. The most important of these new features are: * Helper protocol extensions * SSL Server Certificate Validator * Store-ID * TPROXY Support for OpenBSD 5.1+ and FreeBSD 9+ * Transaction Annotations * Multicast DNS %prep #setup -q -n %{name}-%{version}%{snap} %setup -q -n %{name}-%{version} cp %{S:10} . # upstream patches after RELEASE # ##### other patches %patch100 perl -p -i -e 's|/usr/local/bin/perl|/usr/bin/perl|' `find -name "*.pl"` chmod a-x CREDITS %patch101 %patch102 %patch103 %build export CFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF" export CXXFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF" export LDFLAGS='-Wl,-z,relro,-z,now -pie' %configure \ --disable-strict-error-checking \ --sysconfdir=%{squidconfdir} \ --libexecdir=/usr/sbin \ --datadir=/usr/share/squid \ --sharedstatedir=/var/squid \ --with-logdir=/var/log/squid \ %if 0%{?has_systemd} --with-pidfile=/run/squid.pid \ %else --with-pidfile=/var/run/squid.pid \ %endif --with-dl \ %if 0%{?suse_version} <= 1140 --with-included-ltdl \ %endif --enable-disk-io \ --enable-storeio \ --enable-removal-policies=heap,lru \ --enable-icmp \ --enable-delay-pools \ --enable-esi \ --enable-icap-client \ --enable-useragent-log \ --enable-referer-log \ --enable-kill-parent-hack \ --enable-arp-acl \ --enable-ssl \ --enable-ssl-crtd \ --enable-forw-via-db \ --enable-cache-digests \ --enable-linux-netfilter \ --with-large-files \ --enable-underscores \ --enable-auth \ --enable-auth-basic \ --enable-auth-ntlm \ --enable-auth-negotiate \ --enable-auth-digest \ --enable-external-acl-helpers=LDAP_group,eDirectory_userip,file_userip,kerberos_ldap_group,session,unix_group,wbinfo_group \ --enable-ntlm-fail-open \ --enable-stacktraces \ --enable-x-accelerator-vary \ --with-default-user=%{name} \ --disable-ident-lookups \ --enable-follow-x-forwarded-for \ --disable-arch-native # overwrite the number of open filedescriptors of configure to 4096 # to be backward compatible, but numbers above should not be overwritten if [ `awk '/SQUID_MAXFD/{print $3}' include/autoconf.h` -lt 4096 ]; then set +x echo "adapting SQUID_MAXFD to 4096" set -x perl -pi -e 's;(\#define SQUID_MAXFD) [0-9]+;$1 4096;' include/autoconf.h fi make SAMBAPREFIX=/usr %{?_smp_mflags} %install %{_sbindir}/groupadd -g 31 -r %{name} 2>/dev/null || : %{_sbindir}/useradd -c "WWW-proxy squid" -d /var/cache/%{name} \ -g %{name} -o -u 31 -r -s /bin/false 2> /dev/null || : install -d -m 750 %{buildroot}%{_localstatedir}/{cache,log}/%{name} install -d %{buildroot}%{_prefix}/sbin # make_install make install DESTDIR=%{buildroot} SAMBAPREFIX=/usr mv %{buildroot}{/etc/%{name}/,/usr/share/%{name}/}mime.conf.default ln -s /etc/%{name}/mime.conf %{buildroot}%{_datadir}/%{name} # backward compatible #### install permissions files ###%%if 0%%{?suse_version} <= 1320 ###cp -a %%{SOURCE9} %%{name}.easy ###cp -a %%{SOURCE9} %%{name}.secure ###cp -a %%{SOURCE15} %%{name}.paranoid ###%if !0%%{?has_systemd} ###sed -i -re '/capabilities/d;s@^(/usr/sbin/pinger.*)750@\12750@g' %%{name}.easy ###sed -i -re '/capabilities/d;s@^(/usr/sbin/pinger.*)750@\12750@g' %%{name}.secure ###sed -i -re '/capabilities/d;s@^(/usr/sbin/pinger.*)750@\1750@g' %%{name}.paranoid ###%%endif ###install -D -m 644 %%{name}.easy %%{buildroot}%%{_sysconfdir}/permissions.d/%%{name}.easy #### pinger should be secure "enough" anyway paranoid will strip everything :) ###install -m 644 %%{name}.secure %%{buildroot}%%{_sysconfdir}/permissions.d/%%{name}.secure ###install -m 644 %%{name}.paranoid %%{buildroot}%%{_sysconfdir}/permissions.d/%%{name}.paranoid ###%%endif # install logrotate file install -D -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/logrotate.d/%{name} install -d -m 755 doc/scripts install scripts/*.pl doc/scripts cat > doc/scripts/cachemgr.readme <<-EOT cachemgr.cgi will now be found in %{_libdir}/%{name} EOT install -d -m 755 %{buildroot}/%{_libdir}/%{name} mv %{buildroot}%{_sbindir}/cachemgr.cgi %{buildroot}/%{_libdir}/%{name} install -d -m 755 doc/contrib install %{SOURCE6} doc/contrib install -D -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/pam.d/%{name} install -D -m 644 ./helpers/external_acl/kerberos_ldap_group/ext_kerberos_ldap_group_acl.8 %{buildroot}%{_mandir}/man8/ext_kerberos_ldap_group_acl.8 rm -rf %{buildroot}%{squidconfdir}/errors for i in errors/*; do if [ -d $i ]; then mkdir -p %{buildroot}%{_datadir}/%{name}/$i install -m 644 $i/* %{buildroot}%{_datadir}/%{name}/$i fi done ln -sf /usr/share/%{name}/errors/de %{buildroot}%{squidconfdir}/errors # fix file duplicates %if 0%{?suse_version} > 1030 %fdupes -s %{buildroot}%{_prefix} %endif %if 0%{?fedora_version} > 8 fdupes -q -n -r %{buildroot}%{_prefix} %endif %if 0%{?has_systemd} install -D -m 644 %{SOURCE11} %{buildroot}%{_unitdir}/%{name}.service ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name} %else # SysVinit # fix postrotate script for SysVinit sed -i -re 's@/usr/bin/systemctl.*@/etc/init.d/squid reload@g' %{buildroot}%{_sysconfdir}/logrotate.d/%{name} %if 0%{?suse_version} install -D %{SOURCE3} %{buildroot}%{_sysconfdir}/init.d/%{name} ln -sf %{_sysconfdir}/init.d/%{name} %{buildroot}%{_sbindir}/rc%{name} %else # lets just assume other are rh based ones... install -D %{SOURCE14} %{buildroot}%{_sysconfdir}/init.d/%{name} %endif %endif %if 0%{?suse_version} install -D -m644 %{SOURCE4} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name} %else install -D -m644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/%{name} %endif %pre # we need this group for /usr/sbin/pinger if [ -z "`%{_bindir}/getent group %{name} 2>/dev/null`" ]; then %{_sbindir}/groupadd -g 31 -r %{name} 2>/dev/null fi # we need this group for squid (ntlmauth) # read access to /var/lib/samba/winbindd_privileged if [ -z "`%{_bindir}/getent group winbind 2>/dev/null`" ]; then %{_sbindir}/groupadd -r winbind 2>/dev/null fi if [ -z "`%{_bindir}/getent passwd squid 2>/dev/null`" ]; then %{_sbindir}/useradd -c "WWW-proxy squid" -d /var/cache/%{name} \ -G winbind -g %{name} -o -u 31 -r -s /bin/false \ %{name} 2>/dev/null fi # if squid is not member of winbind, add him if [ `%{_bindir}/id -nG %{name} 2>/dev/null | grep -q winbind >/dev/null; echo $?` -ne 0 ]; then %{_sbindir}/usermod -G winbind %{name} 2>/dev/null fi %if 0%{?has_systemd} %service_add_pre %{name}.service %endif %post %if 0%{?suse_version} >= 1140 %if 0%{?set_permissions:1} %set_permissions %{_sbindir}/pinger %set_permissions %{_sbindir}/basic_pam_auth %set_permissions %{_localstatedir}/cache/squid/ %set_permissions %{_localstatedir}/log/squid/ %else %run_permissions %endif %endif # update mode? if [ "$1" -gt "1" ]; then if [ -e etc/%{name}.conf -a ! -L etc/%{name}.conf -a ! -e etc/%{name}/%{name}.conf ]; then echo "moving /etc/%{name}.conf to /etc/%{name}/%{name}.conf" mv etc/%{name}.conf etc/%{name}/%{name}.conf fi # default group changed from nogroup to squid %{_sbindir}/usermod -g %{name} %{name} fi %if 0%{?has_systemd} %service_add_post squid.service %else %if 0%{?suse_version} %{fillup_and_insserv -n "squid"} %else /sbin/chkconfig --add squid %endif %endif %preun %if 0%{?has_systemd} %service_del_preun squid.service %else %if 0%{?suse_version} %stop_on_removal squid %else if [ $1 = 0 ] ; then service squid stop >/dev/null 2>&1 rm -f /var/log/squid/* /sbin/chkconfig --del squid fi %endif %endif %if 0%{?suse_version} %verifyscript %verify_permissions -e /usr/sbin/basic_pam_auth %verify_permissions -e /usr/sbin/pinger %verify_permissions -e /var/cache/squid/ %verify_permissions -e /var/log/squid/ %endif %postun %if 0%{?has_systemd} %service_del_postun squid.service %else %if 0%{?suse_version} %restart_on_update squid %insserv_cleanup %else if [ "$1" -ge "1" ] ; then service squid condrestart >/dev/null 2>&1 fi %endif %endif %files %defattr(-,root,root) %doc CONTRIBUTORS COPYING COPYRIGHT CREDITS ChangeLog %doc QUICKSTART README RELEASENOTES.html SPONSORS* %doc README.kerberos %doc doc/contrib doc/scripts %doc doc/debug-sections.txt src/%{name}.conf.default %doc %{_mandir}/man?/* %if 0%{?has_systemd} %{_unitdir}/%{name}.service %else %{_sysconfdir}/init.d/%{name} %endif %verify(not user group mode) %attr(750,%{name},root) %dir %{_localstatedir}/cache/%{name}/ %verify(not user group mode) %attr(750,%{name},root) %dir %{_localstatedir}/log/%{name}/ %dir %{squidconfdir} %config(noreplace) %{squidconfdir}/cachemgr.conf %config(noreplace) %{squidconfdir}/errorpage.css %config(noreplace) %{squidconfdir}/errors %config(noreplace) %{_sysconfdir}/logrotate.d/%{name} %config(noreplace) %{squidconfdir}/mime.conf %config(noreplace) %{squidconfdir}/msntauth.conf %config(noreplace) %{squidconfdir}/%{name}.conf %config %{squidconfdir}/cachemgr.conf.default %config %{squidconfdir}/errorpage.css.default %config %{squidconfdir}/msntauth.conf.default %config %{squidconfdir}/%{name}.conf.default %config %{squidconfdir}/%{name}.conf.documented %config %{_sysconfdir}/pam.d/%{name} ###%%if 0%%{?suse_version} <= 1320 ###%%config %%{_sysconfdir}/permissions.d/%%{name}.easy ###%%config %%{_sysconfdir}/permissions.d/%%{name}.secure ###%%config %%{_sysconfdir}/permissions.d/%%{name}.paranoid ###%%endif %dir %{_datadir}/%{name} %{_datadir}/%{name}/errors %{_datadir}/%{name}/icons %config %{_datadir}/%{name}/mib.txt %{_datadir}/%{name}/mime.conf %{_datadir}/%{name}/mime.conf.default %{_bindir}/purge %{_bindir}/squidclient %{_sbindir}/basic_db_auth %{_sbindir}/basic_fake_auth %{_sbindir}/basic_getpwnam_auth %{_sbindir}/basic_ldap_auth %{_sbindir}/basic_msnt_auth %{_sbindir}/basic_msnt_multi_domain_auth %{_sbindir}/basic_ncsa_auth %{_sbindir}/basic_nis_auth %verify(not mode) %attr(2750,root,shadow) %{_sbindir}/basic_pam_auth #{_sbindir}/basic_pam_auth %{_sbindir}/basic_pop3_auth %{_sbindir}/basic_radius_auth %{_sbindir}/basic_sasl_auth %{_sbindir}/basic_smb_auth %{_sbindir}/basic_smb_auth.sh %{_sbindir}/cert_tool %{_sbindir}/cert_valid.pl #{_sbindir}/digest_edirectory_auth %{_sbindir}/digest_file_auth %{_sbindir}/digest_ldap_auth %{_sbindir}/diskd %{_sbindir}/ext_edirectory_userip_acl %{_sbindir}/ext_file_userip_acl %{_sbindir}/ext_kerberos_ldap_group_acl %{_sbindir}/ext_ldap_group_acl %{_sbindir}/ext_session_acl %{_sbindir}/ext_unix_group_acl %{_sbindir}/ext_wbinfo_group_acl %{_sbindir}/helper-mux.pl %{_sbindir}/log_db_daemon %{_sbindir}/log_file_daemon %{_sbindir}/negotiate_kerberos_auth %{_sbindir}/negotiate_kerberos_auth_test %{_sbindir}/negotiate_wrapper_auth %{_sbindir}/ntlm_fake_auth %{_sbindir}/ntlm_smb_lm_auth # not working %%caps(cap_net_raw=ep) %if 0%{?has_systemd} %verify(not user group mode caps) %attr(750,root,squid) %{_sbindir}/pinger %else %verify(not user group mode) %attr(2750,root,squid) %{_sbindir}/pinger %endif %{_sbindir}/%{name} %{_sbindir}/ssl_crtd %{_sbindir}/storeid_file_rewrite %{_sbindir}/unlinkd %{_sbindir}/url_fake_rewrite %{_sbindir}/url_fake_rewrite.sh %if 0%{?suse_version} %{_sbindir}/rc%{name} %{_localstatedir}/adm/fillup-templates/sysconfig.%{name} %else %{_sysconfdir}/sysconfig/%{name} %endif %dir %{_libdir}/%{name} %{_libdir}/%{name}/cachemgr.cgi %changelog