ports/63503: [Maintainer] www/squid: integrate vendor patches, fix squid user creation, new OPTION
Thomas-Martin Seck
tmseck at netcologne.de
Sat Feb 28 17:00:34 UTC 2004
>Number: 63503
>Category: ports
>Synopsis: [Maintainer] www/squid: integrate vendor patches, fix squid user creation, new OPTION
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Sat Feb 28 09:00:34 PST 2004
>Closed-Date:
>Last-Modified:
>Originator: Thomas-Martin Seck
>Release: FreeBSD 4.9-STABLE i386
>Organization:
private site in Germany
>Environment:
FreeBSD ports repository as of Feb 28, 2004.
>Description:
- integrate the latest vendor patches
(see http://www.squid-cache.org/Versions/v2/2.5/bugs/ for details)
- integrate the "Follow XFF-Headers" patch from devel.squid-cache.org
as a non-default OPTION (submitted by Michael Ranner); this should
make the dansguardian users out there happy
- create the squid user with an id of 100:100 instead of choosing the
first free one greater than or equal to 3128; notify the user to change
the squid user's id if a "suspicious looking" configuration was found
during installation and provide a 'make changeuser' target to automate
the necessary tasks (requested by Kris Kennaway).
While there, try to explain the purpose of $required_files better.
- in order to avoid a possible POLA violation, depend solely on the presence
of /etc/rc.subr to decide whether squid.sh should use rcNG's features
- bump PORTREVISION
Information for committers:
- please 'cvs add'
files/follow_xff-2.5.patch
files/patch-helpers-basic_auth-SMB-smb_auth.sh
- please note that squid now claims uid 100 in the Porter's Handbook
>How-To-Repeat:
>Fix:
Apply this patch:
Index: projekte/FreeBSD/ports/www/squid/Makefile
diff -u projekte/FreeBSD/ports/www/squid/Makefile:1.10 projekte/FreeBSD/ports/www/squid/Makefile:1.5.2.21
--- projekte/FreeBSD/ports/www/squid/Makefile:1.10 Sat Feb 28 17:16:26 2004
+++ projekte/FreeBSD/ports/www/squid/Makefile Sat Feb 28 17:30:46 2004
@@ -7,11 +7,17 @@
# Tunables not (yet) configurable via 'make config':
# SQUID_{U,G}ID
# Which user/group squid should run as (default: squid/squid).
-# The user and group will be created if they do not already exist.
+# The user and group will be created if they do not already exist with
+# a uid:gid of 100:100.
# NOTE: before version 2.5.4_6, these settings defaulted to
# nobody/nogroup.
# If you wish to keep these settings, please define SQUID_UID=nobody and
# SQUID_GID=nogroup in your make environment before you start the update.
+# NOTE2:
+# Before version 2.5.4_11 the numerical id chosen for SQUID_UID (and
+# SQUID_GID respectively) was the first free id greater than or equal 3128.
+# If you wish to move your squid user to id 100:100, run "make changeuser",
+# please see the changeuser target's definition for further information.
# SQUID_LANGUAGES
# A list of languages for which error page files should be installed
# (default: all)
@@ -23,7 +29,7 @@
PORTNAME= squid
PORTVERSION= 2.5.4
-PORTREVISION= 10
+PORTREVISION= 11
CATEGORIES= www
MASTER_SITES= \
ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \
@@ -87,7 +93,11 @@
squid-2.5.STABLE4-authfixes2.patch \
squid-2.5.STABLE4-reply_body_max_size.patch \
squid-2.5.STABLE4-digest-abort.patch \
- squid-2.5.STABLE4-ntlm_auth_user_hash_pointer-leak.patch
+ squid-2.5.STABLE4-ntlm_auth_user_hash_pointer-leak.patch \
+ squid-2.5.STABLE4-authfixes3.patch \
+ squid-2.5.STABLE4-anonymous_ftp.patch \
+ squid-2.5.STABLE4-mime.patch \
+ squid-2.5.STABLE4-authenticateAuthUserRequestUnlock-assert.patch
PATCH_DIST_STRIP= -p1
MAINTAINER= tmseck at netcologne.de
@@ -123,7 +133,8 @@
SQUID_STRICT_HTTP "Be strictly HTTP compliant" off \
SQUID_IDENT "Enable ident (RFC 931) lookups" on \
SQUID_USERAGENT_LOG "Enable User-Agent-header logging" off \
- SQUID_ARP_ACL "Enable ACLs based on ethernet address" off
+ SQUID_ARP_ACL "Enable ACLs based on ethernet address" off \
+ SQUID_FOLLOW_XFF "Follow X-Forwarded-For headers" off
PLIST_FILES= etc/rc.d/squid.sh etc/squid/mib.txt etc/squid/mime.conf.default \
etc/squid/msntauth.conf.default etc/squid/squid.conf.default \
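Review bot: SQUID_FOLLOW_XFF defaulting to off is the right choice, but the option text "Follow X-Forwarded-For headers" overstates what enabling it does: it only compiles the support in, and the header is not believed for any source until follow_x_forwarded_for ACLs are configured (the patch's own default is deny all). A description such as "Build support for following X-Forwarded-For (needs follow_x_forwarded_for ACLs)" would save users from assuming the proxy chain is trusted the moment the option is turned on.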
@@ -204,6 +215,12 @@
.if defined(WITH_SQUID_ARP_ACL)
CONFIGURE_ARGS+= --enable-arp-acl
.endif
+.if defined(WITH_SQUID_FOLLOW_XFF)
+USE_AUTOHEADER= yes
+USE_AUTOCONF= yes
+EXTRA_PATCHES+= ${PATCHDIR}/follow_xff-2.5.patch
+CONFIGURE_ARGS+= --enable-follow-x-forwarded-for
+.endif
# Languages:
#
@@ -309,4 +326,45 @@
.endfor
@${ECHO_CMD} "@dirrm etc/squid/errors" >>${TMPPLIST}
+changeuser:
+# Recover from the problem that earlier versions of this port created the
+# squid pseudo-user with an id greater than 999 which is not allowed in
+# FreeBSD's ports system. The port now uses id 100:100.
+# NOTE:
+# This target assumes that SQUID_GID is the primary group of SQUID_UID. If you
+# have a different setup, do not run this target!
+ @if [ `id -u` -ne 0 ]; \
+ then echo "Sorry, you must be root to use this target."; exit 1; fi; \
+ current_uid=`id -u ${SQUID_UID}`; \
+ current_gid=`pw groupshow ${SQUID_GID}|cut -f 3 -d :`; \
+ echo "I will remove this user:"; \
+ id -P $${current_uid}; \
+ echo "and this group:"; \
+ pw groupshow ${SQUID_GID}; \
+ echo "I will then re-create them with a user and group id of 100."; \
+ echo "Then all files and directories under ${PREFIX} and /var that"; \
+ echo "are owned by uid $${current_uid} will be chown(1)'ed."; \
+ echo "After that, all files and directories that were accessible"; \
+ echo "by group $${current_gid} will chgrp(1)'ed respectively."; \
+ echo "Note that this assumes group '${SQUID_GID}' to be the primary"; \
+ echo "group of user '${SQUID_UID}'. If you have a different setup"; \
+ echo "please abort this target now."; \
+ read -p "Press RETURN to continue or CTRL-C to abort:" dummy ; \
+ echo "OK, here we go:"; \
+ echo "deleting user $${current_uid} and his primary group..."; \
+ pw userdel -u $${current_uid}; \
+ echo "adding user ${SQUID_UID} with id 100..."; \
+ pw groupadd -n ${SQUID_GID} -g 100; \
+ pw useradd -n ${SQUID_UID} -u 100 -c "squid caching-proxy pseudo user" \
+ -d ${PREFIX}/squid -s /sbin/nologin -h - ; \
+ echo "chown(1)'ing everything under ${PREFIX} from $${current_uid} to 100..."; \
+ ${FIND} -H ${PREFIX} -user $${current_uid} -exec chown 100 {} \; ; \
+ echo "chgrp(1)'ing everything under ${PREFIX} from $${current_gid} to 100..."; \
+ ${FIND} -H ${PREFIX} -group $${current_gid} -exec chgrp 100 {} \; ; \
+ echo "chown(1)'ing everything under /var from $${current_uid} to 100..."; \
+ ${FIND} -H /var -user $${current_uid} -exec chown 100 {} \; ; \
+ echo "chgrp(1)'ing everything under /var from $${current_gid} to 100..."; \
+ ${FIND} -H /var -group $${current_gid} -exec chgrp 100 {} \; ; \
+ echo "Finished."
+
.include <bsd.port.post.mk>
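Review bot: the re-creation sequence in the changeuser target can fail or end up with the wrong group: the `pw useradd -n ${SQUID_UID} -u 100 ...` line has no `-g ${SQUID_GID}` (pkg-install's useradd does pass it), so whenever SQUID_UID and SQUID_GID differ the new user is put into pw's default group instead of the group just created, and since `pw userdel` only removes a primary group that has the same name as the user, the preceding `pw groupadd -n ${SQUID_GID} -g 100` fails on the still-existing old group. Add `-g ${SQUID_GID}` to the useradd, delete the old group explicitly with `pw groupdel` after the userdel, and check before the destructive steps that uid 100 and gid 100 are actually free (`pw usershow -u 100`, `pw groupshow -g 100`); otherwise the target deletes the existing squid account and then cannot recreate it, leaving the proxy without a user. `current_uid` and `current_gid` are also never checked for emptiness, so a missing ${SQUID_UID} turns the later steps into `pw userdel -u` and `find -user` with empty arguments.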
Index: projekte/FreeBSD/ports/www/squid/distinfo
diff -u projekte/FreeBSD/ports/www/squid/distinfo:1.8 projekte/FreeBSD/ports/www/squid/distinfo:1.4.2.13
--- projekte/FreeBSD/ports/www/squid/distinfo:1.8 Sat Feb 28 17:16:27 2004
+++ projekte/FreeBSD/ports/www/squid/distinfo Sat Feb 28 17:30:46 2004
@@ -104,3 +104,11 @@
SIZE (squid2.5/squid-2.5.STABLE4-digest-abort.patch) = 946
MD5 (squid2.5/squid-2.5.STABLE4-ntlm_auth_user_hash_pointer-leak.patch) = 8422d34ab797ae07727a5f2fdfe1a832
SIZE (squid2.5/squid-2.5.STABLE4-ntlm_auth_user_hash_pointer-leak.patch) = 3277
+MD5 (squid2.5/squid-2.5.STABLE4-authfixes3.patch) = 4f8fcad80737a7185b3dbfb2b84884e0
+SIZE (squid2.5/squid-2.5.STABLE4-authfixes3.patch) = 5464
+MD5 (squid2.5/squid-2.5.STABLE4-anonymous_ftp.patch) = bcc43127de11fa90e625045f16118977
+SIZE (squid2.5/squid-2.5.STABLE4-anonymous_ftp.patch) = 815
+MD5 (squid2.5/squid-2.5.STABLE4-mime.patch) = ea0ac66312199fe9f44521ac0274c3b5
+SIZE (squid2.5/squid-2.5.STABLE4-mime.patch) = 18691
+MD5 (squid2.5/squid-2.5.STABLE4-authenticateAuthUserRequestUnlock-assert.patch) = 07e095eb31b136136a02fc8a197edc03
+SIZE (squid2.5/squid-2.5.STABLE4-authenticateAuthUserRequestUnlock-assert.patch) = 657
Index: projekte/FreeBSD/ports/www/squid/pkg-install
diff -u projekte/FreeBSD/ports/www/squid/pkg-install:1.4 projekte/FreeBSD/ports/www/squid/pkg-install:1.2.2.4
--- projekte/FreeBSD/ports/www/squid/pkg-install:1.4 Wed Feb 18 16:20:28 2004
+++ projekte/FreeBSD/ports/www/squid/pkg-install Sat Feb 28 16:41:27 2004
@@ -9,16 +9,15 @@
squid_confdir=${PKG_PREFIX:-/usr/local}/etc/squid
squid_user=${SQUID_USER:=squid}
squid_group=${SQUID_GROUP:=squid}
-squid_gid=3128
-squid_uid=3128
-
+squid_gid=100
+squid_uid=100
+squid_oldgid=3128
+squid_olduid=3128
+unset wrong_id
case $2 in
PRE-INSTALL)
echo "===> Pre-installation configuration for ${pkgname}"
if ! pw groupshow ${squid_group} -q >/dev/null ; then
- while pw groupshow -g ${squid_gid} -q >/dev/null; do
- squid_gid=`expr ${squid_gid} + 1`
- done
echo "There is no group '${squid_group}' on this system, so I will try to create it:"
if ! pw groupadd ${squid_group} -g ${squid_gid} -q ; then
echo "Failed to create group \"${squid_group}\"!" >&2
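Review bot: with the free-id loop gone, `pw groupadd ${squid_group} -g ${squid_gid}` now fails outright when gid 100 already belongs to another group, and the error message only names the group. Print the numeric id that was attempted and mention that 100 is the id registered for squid in the Porter's Handbook, so an administrator hitting the collision understands why 100 was chosen and can resolve it deliberately rather than guessing.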
@@ -29,12 +28,14 @@
fi
else
echo "I will use the existing group '${squid_group}':"
+ current_gid=`pw groupshow ${squid_group}|cut -f 3 -d :`
+ if [ ${current_gid} -ge ${squid_oldgid} ]; then
+ wrong_id=1
+ fi
fi
pw groupshow ${squid_group}
+
if ! pw usershow ${squid_user} -q >/dev/null ; then
- while pw usershow -u ${squid_uid} -q >/dev/null; do
- squid_uid=`expr ${squid_uid} + 1`
- done
echo "There is no account '${squid_user}' on this system, so I will try to create it:"
if ! pw useradd ${squid_user} -u ${squid_uid} -q \
-c "squid caching-proxy pseudo user" -g ${squid_group} \
@@ -47,8 +48,53 @@
fi
else
echo "I will use the existing user '${squid_user}':"
+ current_uid=`id -u ${squid_user}`
+ if [ ${current_uid} -ge ${squid_olduid} ];
+ then
+ wrong_id=1
+ fi
fi
pw usershow ${squid_user}
+ # Catch wrong_id=non-null here
+ if [ "${wrong_id}" ]; then
+ echo ""
+ echo " * NOTICE *"
+ echo ""
+ echo "The squid pseudo-user's uid and/or gid have been found"
+ echo "to be greater than or equal 3128."
+ echo ""
+ echo "This is not a problem as such, but violates the FreeBSD"
+ echo "ports' principle that a ports must not claim a uid greater"
+ echo "than 999."
+ echo ""
+ echo "Since version 2.5.4_11, the squid user is thus created"
+ echo "with an id of ${squid_uid}:${squid_gid} while earlier versions of this"
+ echo "port used the first unused uid/gid greater than or"
+ echo "equal 3128."
+ echo ""
+ echo "If you want to change the existing squid user's id, run"
+ echo "'make changeuser' after the installation has completed."
+ echo "If you installed this port via a package, issue the"
+ echo "following commands as root:"
+ echo ""
+ echo "pw userdel -u ${current_uid}"
+ echo "pw groupadd -n ${squid_group} -g ${squid_gid}"
+ echo "pw useradd -n ${squid_user} -u ${squid_uid} \\"
+ echo " -c \"squid caching-proxy pseudo user\" \\"
+ echo " -g ${squid_group} -d ${squid_base} -s /sbin/nologin \\"
+ echo " -h -"
+ echo "find -H ${PKG_PREFIX} -user ${current_uid} -exec chown ${squid_user} {} \\;"
+ echo "find -H ${PKG_PREFIX} -group ${current_gid} -exec chgrp ${squid_group} {} \\;"
+ echo ""
+ echo "In case you have installed third party software for squid"
+ echo "like squidGuard, you should additionally run:"
+ echo "find -H /var -user ${current_uid} -exec chown ${squid_user} {} \\;"
+ echo "find -H /var -group ${current_gid} -exec chgrp ${squid_group} {} \\;"
+ echo ""
+ if [ -z "${PACKAGE_BUILDING}" -a -z "${BATCH}" ]; then
+ read -p "Press RETURN to continue..." dummy
+ fi
+ fi
for dir in cache logs; do
if [ ! -d ${squid_base}/${dir} ]; then
echo "Creating ${squid_base}/${dir}..."
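Review bot: the NOTICE block expands ${current_uid} and ${current_gid}, but each is only assigned in its "existing user" or "existing group" branch; when only one of the two pre-existed (an old group with gid >= 3128 while the user was just created with uid 100, or the reverse) the printed commands degrade to `pw userdel -u ` and `find -H ${PKG_PREFIX} -user  -exec chown ...`, which an admin pasting them will trip over. Assign both values unconditionally after the user and group exist, or print only the user or group part that was actually flagged. The printed sequence also has the ordering problem seen in the Makefile target: `pw userdel -u` only removes a primary group named like the user, so `pw groupadd -n ${squid_group}` can fail on the surviving old group; add a `pw groupdel ${squid_group}` step. Minor: "a ports must not claim" should read "a port must not claim".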
Index: projekte/FreeBSD/ports/www/squid/files/follow_xff-2.5.patch
diff -u /dev/null projekte/FreeBSD/ports/www/squid/files/follow_xff-2.5.patch:1.1.2.1
--- /dev/null Sat Feb 28 17:31:15 2004
+++ projekte/FreeBSD/ports/www/squid/files/follow_xff-2.5.patch Sat Feb 28 17:13:01 2004
@@ -0,0 +1,467 @@
+Index: acconfig.h
+--- acconfig.h 1 Jul 2002 17:24:48 -0000 1.13.2.3
++++ acconfig.h 23 Nov 2003 14:20:06 -0000
+@@ -267,6 +267,12 @@
+ #define USE_IDENT 1
+
+ /*
++ * Compile in support for following X-Forwarded-For headers?
++ * Enabled by default.
++ */
++#define FOLLOW_X_FORWARDED_FOR 1
++
++/*
+ * If your system has statvfs(), and if it actually works!
+ */
+ #undef HAVE_STATVFS
+Index: bootstrap.sh
+--- bootstrap.sh 1 Nov 2002 09:17:13 -0000 1.5.14.4
++++ bootstrap.sh 23 Nov 2003 14:20:06 -0000
+@@ -59,6 +59,9 @@
+ amver=`find_version automake ${amversions}`
+ acver=`find_version autoconf ${acversions}`
+
++# Set environment variable to tell automake which autoconf to use.
++AUTOCONF="autoconf${acver}" ; export AUTOCONF
++
+ # Bootstrap the autotool subsystems
+ bootstrap aclocal$amver
+ bootstrap autoheader$acver
+Index: configure.in
+--- configure.in 15 Sep 2003 02:14:10 -0000 1.42.2.40
++++ configure.in 23 Nov 2003 14:20:09 -0000
+@@ -1100,6 +1100,24 @@
+ fi
+ ])
+
++follow_xff=1
++AC_ARG_ENABLE(follow-x-forwarded-for,
++[ --enable-follow-x-forwarded-for
++ Enable support for following the X-Forwarded-For
++ HTTP header to try to find the IP address of the
++ original or indirect client when a request has
++ been forwarded through other proxies.],
++[ if test "$enableval" = "yes" ; then
++ echo "follow X-Forwarded-For enabled"
++ follow_xff=1
++ fi
++])
++if test $follow_xff = 1; then
++ AC_DEFINE(FOLLOW_X_FORWARDED_FOR, 1, [Enable following X-Forwarded-For headers])
++else
++ AC_DEFINE(FOLLOW_X_FORWARDED_FOR, 0)
++fi
++
+ # Force some compilers to use ANSI features
+ #
+ case "$host" in
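Review bot: follow_xff is initialised to 1 and the AC_ARG_ENABLE action only ever sets it to 1 again, so `--disable-follow-x-forwarded-for` has no effect and the `else` branch that defines FOLLOW_X_FORWARDED_FOR to 0 is unreachable; initialise follow_xff=0 (the port's Makefile already passes --enable-follow-x-forwarded-for explicitly) or act on `$enableval = no`. The acconfig.h hunk has the same bias, hard-wiring the define to 1 under the comment "Enabled by default". Runtime trust is still gated by follow_x_forwarded_for, whose DEFAULT_IF_NONE is `deny all`, so compiling the code in does not by itself cause the header to be believed.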
+Index: src/acl.c
+--- src/acl.c 13 May 2003 02:14:12 -0000 1.43.2.16
++++ src/acl.c 23 Nov 2003 14:20:12 -0000
+@@ -2001,6 +2001,11 @@
+ cbdataLock(A);
+ if (request != NULL) {
+ checklist->request = requestLink(request);
++#if FOLLOW_X_FORWARDED_FOR
++ if (Config.onoff.acl_uses_indirect_client) {
++ checklist->src_addr = request->indirect_client_addr;
++ } else
++#endif /* FOLLOW_X_FORWARDED_FOR */
+ checklist->src_addr = request->client_addr;
+ checklist->my_addr = request->my_addr;
+ checklist->my_port = request->my_port;
+Index: src/cf.data.pre
+--- src/cf.data.pre 7 Nov 2003 03:14:30 -0000 1.49.2.46
++++ src/cf.data.pre 23 Nov 2003 14:20:17 -0000
+@@ -2065,6 +2065,92 @@
+ NOCOMMENT_END
+ DOC_END
+
++NAME: follow_x_forwarded_for
++TYPE: acl_access
++IFDEF: FOLLOW_X_FORWARDED_FOR
++LOC: Config.accessList.followXFF
++DEFAULT: none
++DEFAULT_IF_NONE: deny all
++DOC_START
++ Allowing or Denying the X-Forwarded-For header to be followed to
++ find the original source of a request.
++
++ Requests may pass through a chain of several other proxies
++ before reaching us. The X-Forwarded-For header will contain a
++ comma-separated list of the IP addresses in the chain, with the
++ rightmost address being the most recent.
++
++ If a request reaches us from a source that is allowed by this
++ configuration item, then we consult the X-Forwarded-For header
++ to see where that host received the request from. If the
++ X-Forwarded-For header contains multiple addresses, and if
++ acl_uses_indirect_client is on, then we continue backtracking
++ until we reach an address for which we are not allowed to
++ follow the X-Forwarded-For header, or until we reach the first
++ address in the list. (If acl_uses_indirect_client is off, then
++ it's impossible to backtrack through more than one level of
++ X-Forwarded-For addresses.)
++
++ The end result of this process is an IP address that we will
++ refer to as the indirect client address. This address may
++ be treated as the client address for access control, delay
++ pools and logging, depending on the acl_uses_indirect_client,
++ delay_pool_uses_indirect_client and log_uses_indirect_client
++ options.
++
++ SECURITY CONSIDERATIONS:
++
++ Any host for which we follow the X-Forwarded-For header
++ can place incorrect information in the header, and Squid
++ will use the incorrect information as if it were the
++ source address of the request. This may enable remote
++ hosts to bypass any access control restrictions that are
++ based on the client's source addresses.
++
++ For example:
++
++ acl localhost src 127.0.0.1
++ acl my_other_proxy srcdomain .proxy.example.com
++ follow_x_forwarded_for allow localhost
++ follow_x_forwarded_for allow my_other_proxy
++DOC_END
++
++NAME: acl_uses_indirect_client
++COMMENT: on|off
++TYPE: onoff
++IFDEF: FOLLOW_X_FORWARDED_FOR
++DEFAULT: on
++LOC: Config.onoff.acl_uses_indirect_client
++DOC_START
++ Controls whether the indirect client address
++ (see follow_x_forwarded_for) is used instead of the
++ direct client address in acl matching.
++DOC_END
++
++NAME: delay_pool_uses_indirect_client
++COMMENT: on|off
++TYPE: onoff
++IFDEF: FOLLOW_X_FORWARDED_FOR && DELAY_POOLS
++DEFAULT: on
++LOC: Config.onoff.delay_pool_uses_indirect_client
++DOC_START
++ Controls whether the indirect client address
++ (see follow_x_forwarded_for) is used instead of the
++ direct client address in delay pools.
++DOC_END
++
++NAME: log_uses_indirect_client
++COMMENT: on|off
++TYPE: onoff
++IFDEF: FOLLOW_X_FORWARDED_FOR
++DEFAULT: on
++LOC: Config.onoff.log_uses_indirect_client
++DOC_START
++ Controls whether the indirect client address
++ (see follow_x_forwarded_for) is used instead of the
++ direct client address in the access log.
++DOC_END
++
+ NAME: http_access
+ TYPE: acl_access
+ LOC: Config.accessList.http
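Review bot: the example under SECURITY CONSIDERATIONS trusts a hop via `srcdomain .proxy.example.com`, which matches on the reverse DNS of the connecting address; PTR records are controlled by whoever holds that address space, so for a directive whose sole purpose is deciding whom to believe about client identity, an explicit `src` ACL with the upstream proxy's address is the safer illustration. The DOC text should also spell out two consequences that are only implicit: with acl_uses_indirect_client on (the default here), http_access and every other ACL decision switches to the header-derived address as soon as one hop is trusted, and when the header is absent or an element is malformed the indirect address stays at the last address already accepted (the direct peer if nothing was followed).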
+Index: src/client_side.c
+--- src/client_side.c 2 Sep 2003 02:13:45 -0000 1.47.2.39
++++ src/client_side.c 23 Nov 2003 14:20:22 -0000
+@@ -109,6 +109,11 @@
+ #if USE_IDENT
+ static IDCB clientIdentDone;
+ #endif
++#if FOLLOW_X_FORWARDED_FOR
++static void clientFollowXForwardedForStart(void *data);
++static void clientFollowXForwardedForNext(void *data);
++static void clientFollowXForwardedForDone(int answer, void *data);
++#endif /* FOLLOW_X_FORWARDED_FOR */
+ static int clientOnlyIfCached(clientHttpRequest * http);
+ static STCB clientSendMoreData;
+ static STCB clientCacheHit;
+@@ -177,10 +182,179 @@
+ return ch;
+ }
+
++#if FOLLOW_X_FORWARDED_FOR
++/*
++ * clientFollowXForwardedForStart() copies the X-Forwarded-For
++ * header into x_forwarded_for_iterator and passes control to
++ * clientFollowXForwardedForNext().
++ *
++ * clientFollowXForwardedForNext() checks the indirect_client_addr
++ * against the followXFF ACL and passes the result to
++ * clientFollowXForwardedForDone().
++ *
++ * clientFollowXForwardedForDone() either grabs the next address
++ * from the tail of x_forwarded_for_iterator and loops back to
++ * clientFollowXForwardedForNext(), or cleans up and passes control to
++ * clientAccessCheck().
++ */
++
++static void
++clientFollowXForwardedForStart(void *data)
++{
++ clientHttpRequest *http = data;
++ request_t *request = http->request;
++ if (Config.accessList.followXFF
++ && httpHeaderHas(&request->header, HDR_X_FORWARDED_FOR))
++ {
++ request->x_forwarded_for_iterator = httpHeaderGetList(
++ &request->header, HDR_X_FORWARDED_FOR);
++ debug(33, 5) ("clientFollowXForwardedForStart: indirect_client_addr=%s XFF='%s'\n",
++ inet_ntoa(request->indirect_client_addr),
++ strBuf(request->x_forwarded_for_iterator));
++ clientFollowXForwardedForNext(http);
++ } else {
++ /* not configured to follow X-Forwarded-For, or nothing to follow */
++ debug(33, 5) ("clientFollowXForwardedForStart: nothing to do\n");
++ clientFollowXForwardedForDone(-1, http);
++ }
++}
++
++static void
++clientFollowXForwardedForNext(void *data)
++{
++ clientHttpRequest *http = data;
++ request_t *request = http->request;
++ debug(33, 5) ("clientFollowXForwardedForNext: indirect_client_addr=%s XFF='%s'\n",
++ inet_ntoa(request->indirect_client_addr),
++ strBuf(request->x_forwarded_for_iterator));
++ if (strLen(request->x_forwarded_for_iterator) != 0) {
++ /* check the acl to see whether to believe the X-Forwarded-For header */
++ http->acl_checklist = clientAclChecklistCreate(
++ Config.accessList.followXFF, http);
++ aclNBCheck(http->acl_checklist, clientFollowXForwardedForDone, http);
++ } else {
++ /* nothing left to follow */
++ debug(33, 5) ("clientFollowXForwardedForNext: nothing more to do\n");
++ clientFollowXForwardedForDone(-1, http);
++ }
++}
++
++static void
++clientFollowXForwardedForDone(int answer, void *data)
++{
++ clientHttpRequest *http = data;
++ request_t *request = http->request;
++ /*
++ * answer should be be ACCESS_ALLOWED or ACCESS_DENIED if we are
++ * called as a result of ACL checks, or -1 if we are called when
++ * there's nothing left to do.
++ */
++ if (answer == ACCESS_ALLOWED) {
++ /*
++ * The IP address currently in request->indirect_client_addr
++ * is trusted to use X-Forwarded-For. Remove the last
++ * comma-delimited element from x_forwarded_for_iterator and use
++ * it to to replace indirect_client_addr, then repeat the cycle.
++ */
++ const char *p;
++ const char *asciiaddr;
++ int l;
++ struct in_addr addr;
++ debug(33, 5) ("clientFollowXForwardedForDone: indirect_client_addr=%s is trusted\n",
++ inet_ntoa(request->indirect_client_addr));
++ p = strBuf(request->x_forwarded_for_iterator);
++ l = strLen(request->x_forwarded_for_iterator);
++
++ /*
++ * XXX x_forwarded_for_iterator should really be a list of
++ * IP addresses, but it's a String instead. We have to
++ * walk backwards through the String, biting off the last
++ * comma-delimited part each time. As long as the data is in
++ * a String, we should probably implement and use a variant of
++ * strListGetItem() that walks backwards instead of forwards
++ * through a comma-separated list. But we don't even do that;
++ * we just do the work in-line here.
++ */
++ /* skip trailing space and commas */
++ while (l > 0 && (p[l-1] == ',' || xisspace(p[l-1])))
++ l--;
++ strCut(request->x_forwarded_for_iterator, l);
++ /* look for start of last item in list */
++ while (l > 0 && ! (p[l-1] == ',' || xisspace(p[l-1])))
++ l--;
++ asciiaddr = p+l;
++ if (inet_aton(asciiaddr, &addr) == 0) {
++ /* the address is not well formed; do not use it */
++ debug(33, 3) ("clientFollowXForwardedForDone: malformed address '%s'\n",
++ asciiaddr);
++ goto done;
++ }
++ debug(33, 3) ("clientFollowXForwardedForDone: changing indirect_client_addr from %s to '%s'\n",
++ inet_ntoa(request->indirect_client_addr),
++ asciiaddr);
++ request->indirect_client_addr = addr;
++ strCut(request->x_forwarded_for_iterator, l);
++ if (! Config.onoff.acl_uses_indirect_client) {
++ /*
++ * If acl_uses_indirect_client is off, then it's impossible
++ * to follow more than one level of X-Forwarded-For.
++ */
++ goto done;
++ }
++ clientFollowXForwardedForNext(http);
++ return;
++ } else if (answer == ACCESS_DENIED) {
++ debug(33, 5) ("clientFollowXForwardedForDone: indirect_client_addr=%s not trusted\n",
++ inet_ntoa(request->indirect_client_addr));
++ } else {
++ debug(33, 5) ("clientFollowXForwardedForDone: indirect_client_addr=%s nothing more to do\n",
++ inet_ntoa(request->indirect_client_addr));
++ }
++done:
++ /* clean up, and pass control to clientAccessCheck */
++ debug(33, 6) ("clientFollowXForwardedForDone: cleanup\n");
++ if (Config.onoff.log_uses_indirect_client) {
++ /*
++ * Ensure that the access log shows the indirect client
++ * instead of the direct client.
++ */
++ ConnStateData *conn = http->conn;
++ conn->log_addr = request->indirect_client_addr;
++ conn->log_addr.s_addr &= Config.Addrs.client_netmask.s_addr;
++ debug(33, 3) ("clientFollowXForwardedForDone: setting log_addr=%s\n",
++ inet_ntoa(conn->log_addr));
++ }
++ stringClean(&request->x_forwarded_for_iterator);
++ request->flags.done_follow_x_forwarded_for = 1;
++ http->acl_checklist = NULL; /* XXX do we need to aclChecklistFree() ? */
++ clientAccessCheck(http);
++}
++#endif /* FOLLOW_X_FORWARDED_FOR */
++
+ void
+ clientAccessCheck(void *data)
+ {
+ clientHttpRequest *http = data;
++#if FOLLOW_X_FORWARDED_FOR
++ if (! http->request->flags.done_follow_x_forwarded_for
++ && httpHeaderHas(&http->request->header, HDR_X_FORWARDED_FOR))
++ {
++ /*
++ * There's an X-ForwardedFor header and we haven't yet tried
++ * to follow it to find the indirect_client_addr. Follow it now.
++ * clientFollowXForwardedForDone() will eventually pass control
++ * back to us.
++ *
++ * XXX perhaps our caller should have called
++ * clientFollowXForwardedForStart instead. Then we wouldn't
++ * need to do this little dance transferring control over
++ * there and then back here, and we wouldn't need the
++ * done_follow_x_forwarded_for flag.
++ */
++ clientFollowXForwardedForStart(data);
++ return;
++ }
++#endif /* FOLLOW_X_FORWARDED_FOR */
+ if (checkAccelOnly(http)) {
+ /* deny proxy requests in accel_only mode */
+ debug(33, 1) ("clientAccessCheck: proxy request denied in accel_only mode\n");
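Review bot: `inet_aton()` in clientFollowXForwardedForDone accepts shorthand forms such as "10.1", "0x0a000001" and octal octets, so a header element that is not a dotted quad can still convert and then be used for access control and logging; if only dotted-quad elements are meant to be followed, validate the element's form before conversion (the malformed-address branch already fails safe by keeping the last trusted address). Two further points: when log_uses_indirect_client is on, `conn->log_addr` is overwritten, so access.log no longer records the direct peer at all, which matters for incident reconstruction when a trusted proxy misbehaves; at minimum the documentation should say the peer address is lost, or the old value should be emitted in a debug line. And the `XXX do we need to aclChecklistFree() ?` question should be settled before commit by checking whether aclCheckCallback frees the checklist after invoking the callback; if it does, replace the XXX with a comment saying so rather than leaving a possible per-request leak open.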
+@@ -325,6 +499,9 @@
+ new_request->http_ver = old_request->http_ver;
+ httpHeaderAppend(&new_request->header, &old_request->header);
+ new_request->client_addr = old_request->client_addr;
++#if FOLLOW_X_FORWARDED_FOR
++ new_request->indirect_client_addr = old_request->indirect_client_addr;
++#endif /* FOLLOW_X_FORWARDED_FOR */
+ new_request->my_addr = old_request->my_addr;
+ new_request->my_port = old_request->my_port;
+ new_request->flags.redirected = 1;
+@@ -3051,6 +3228,9 @@
+ safe_free(http->log_uri);
+ http->log_uri = xstrdup(urlCanonicalClean(request));
+ request->client_addr = conn->peer.sin_addr;
++#if FOLLOW_X_FORWARDED_FOR
++ request->indirect_client_addr = request->client_addr;
++#endif /* FOLLOW_X_FORWARDED_FOR */
+ request->my_addr = conn->me.sin_addr;
+ request->my_port = ntohs(conn->me.sin_port);
+ request->http_ver = http->http_ver;
+Index: src/delay_pools.c
+--- src/delay_pools.c 19 Jun 2003 02:13:57 -0000 1.5.54.6
++++ src/delay_pools.c 23 Nov 2003 14:20:23 -0000
+@@ -318,6 +318,11 @@
+ r = http->request;
+
+ memset(&ch, '\0', sizeof(ch));
++#if FOLLOW_X_FORWARDED_FOR
++ if (Config.onoff.delay_pool_uses_indirect_client) {
++ ch.src_addr = r->indirect_client_addr;
++ } else
++#endif /* FOLLOW_X_FORWARDED_FOR */
+ ch.src_addr = r->client_addr;
+ ch.my_addr = r->my_addr;
+ ch.my_port = r->my_port;
+Index: src/structs.h
+*** src/structs.h.orig Thu Feb 26 20:32:47 2004
+--- src/structs.h Thu Feb 26 20:34:51 2004
+***************
+*** 594,599 ****
+--- 594,604 ----
+ int pipeline_prefetch;
+ int request_entities;
+ int detect_broken_server_pconns;
++ #if FOLLOW_X_FORWARDED_FOR
++ int acl_uses_indirect_client;
++ int delay_pool_uses_indirect_client;
++ int log_uses_indirect_client;
++ #endif /* FOLLOW_X_FORWARDED_FOR */
+ } onoff;
+ acl *aclList;
+ struct {
+***************
+*** 615,620 ****
+--- 620,628 ----
+ acl_access *reply;
+ acl_address *outgoing_address;
+ acl_tos *outgoing_tos;
++ #if FOLLOW_X_FORWARDED_FOR
++ acl_access *followXFF;
++ #endif /* FOLLOW_X_FORWARDED_FOR */
+ } accessList;
+ acl_deny_info_list *denyInfoList;
+ struct _authConfig {
+***************
+*** 1611,1616 ****
+--- 1619,1629 ----
+ unsigned int internal:1;
+ unsigned int body_sent:1;
+ unsigned int reset_tcp:1;
++ #if FOLLOW_X_FORWARDED_FOR
++ /* XXX this flag could be eliminated;
++ * see comments in clientAccessCheck */
++ unsigned int done_follow_x_forwarded_for;
++ #endif /* FOLLOW_X_FORWARDED_FOR */
+ };
+
+ struct _link_list {
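Review bot: `unsigned int done_follow_x_forwarded_for;` is declared without a `:1` width in the middle of a run of `:1` bit-fields, so it grows the flags struct by a full word; declare it `unsigned int done_follow_x_forwarded_for:1;` like its neighbours (the adjacent XXX comment already notes the flag could disappear entirely if callers invoked clientFollowXForwardedForStart directly).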
+***************
+*** 1657,1662 ****
+--- 1670,1678 ----
+ int max_forwards;
+ /* these in_addr's could probably be sockaddr_in's */
+ struct in_addr client_addr;
++ #if FOLLOW_X_FORWARDED_FOR
++ struct in_addr indirect_client_addr; /* after following X-Forwarded-For */
++ #endif /* FOLLOW_X_FORWARDED_FOR */
+ struct in_addr my_addr;
+ unsigned short my_port;
+ HttpHeader header;
+***************
+*** 1667,1672 ****
+--- 1683,1693 ----
+ char *peer_login; /* Configured peer login:password */
+ time_t lastmod; /* Used on refreshes */
+ const char *vary_headers; /* Used when varying entities are detected. Changes how the store key is calculated */
++ #if FOLLOW_X_FORWARDED_FOR
++ /* XXX a list of IP addresses would be a better data structure
++ * than this String */
++ String x_forwarded_for_iterator;
++ #endif /* FOLLOW_X_FORWARDED_FOR */
+ };
+
+ struct _cachemgr_passwd {
Index: projekte/FreeBSD/ports/www/squid/files/patch-helpers-basic_auth-SMB-smb_auth.sh
diff -u /dev/null projekte/FreeBSD/ports/www/squid/files/patch-helpers-basic_auth-SMB-smb_auth.sh:1.1.2.1
--- /dev/null Sat Feb 28 17:31:15 2004
+++ projekte/FreeBSD/ports/www/squid/files/patch-helpers-basic_auth-SMB-smb_auth.sh Sat Feb 28 17:13:02 2004
@@ -0,0 +1,13 @@
+*** helpers/basic_auth/SMB/smb_auth.sh.orig Thu Feb 26 20:58:22 2004
+--- helpers/basic_auth/SMB/smb_auth.sh Thu Feb 26 20:59:45 2004
+***************
+*** 17,22 ****
+--- 17,24 ----
+ # along with this program; if not, write to the Free Software
+ # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
++ SAMBAPREFIX=${SAMBAPREFIX:-/usr/local/bin}
++
+ read DOMAINNAME
+ read PASSTHROUGH
+ read NMBADDR
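Review bot: `SAMBAPREFIX=${SAMBAPREFIX:-/usr/local/bin}` hard-codes /usr/local, whereas the port's other installed script (squid.sh) goes through %%PREFIX%% substitution; on a system with a non-default LOCALBASE the helper cannot find the Samba binaries. Substitute ${LOCALBASE} at build time (a post-patch sed over the helper would do), and note that the variable name is misleading since it holds a bin directory rather than a prefix.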
Index: projekte/FreeBSD/ports/www/squid/files/squid.sh
diff -u projekte/FreeBSD/ports/www/squid/files/squid.sh:1.4 projekte/FreeBSD/ports/www/squid/files/squid.sh:1.3.2.2
--- projekte/FreeBSD/ports/www/squid/files/squid.sh:1.4 Sat Jan 17 15:37:48 2004
+++ projekte/FreeBSD/ports/www/squid/files/squid.sh Sat Feb 28 16:42:06 2004
@@ -8,15 +8,13 @@
# KEYWORD: FreeBSD
#
# Note:
-# If you are running an rcNG-System (i.e. FreeBSD 5 and later or after
-# having installed the rc_subr-port on an earlier system) you must set
+# If you are running an rcNG-System (i.e. FreeBSD 5 and later) you need to set
# "squid_enable=YES" in either /etc/rc.conf, /etc/rc.conf.local or
# /etc/rc.conf.d/squid to make this script actually do something. There
# you can also set squid_chdir, squid_user, and squid_flags.
#
# Please see squid(8), rc.conf(5) and rc(8) for further details.
-unset rcNG
name="squid"
command=%%PREFIX%%/sbin/squid
extra_commands=reload
@@ -28,26 +26,22 @@
default_config=%%PREFIX%%/etc/squid/squid.conf
if [ -f /etc/rc.subr ]; then
- . /etc/rc.subr && rcNG=yes
-else
- if [ -f %%PREFIX%%/etc/rc.subr ]; then
- . %%PREFIX%%/etc/rc.subr && rcNG=yes
- fi
-fi
-
-if [ "${rcNG}" ]; then
+ # make use of rcNG features:
+ . /etc/rc.subr
rcvar=`set_rcvar`
load_rc_config ${name}
- # check that squid's default configuration is present when
- # squid_flags is not set. We assume that you specify at
- # least the path to your non-default configuration with
- # '-f /path/to/config.file' in squid_flags if you delete this file.
+ # squid(8) will not start if ${default_config} is not present so try
+ # to catch that beforehand via ${required_files} rather than make
+ # squid(8) crash.
+ # If you remove the default configuration file make sure to add
+ # '-f /path/to/your/squid.conf' to squid_flags
if [ -z "${squid_flags}" ]; then
required_files=${default_config}
fi
required_dirs=${squid_chdir}
run_rc_command "$1"
else
+ # implement the startup using the "old style" for non-rcNG-systems:
case $1 in
start)
if [ -x "${command}" -a \
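Review bot: `required_files` is set only when squid_flags is empty, so any flags at all (for example squid_flags="-D") skip the check even though no alternate configuration was given with -f, and squid(8) then fails at startup in exactly the way the new comment says this is meant to prevent. Test for the -f option rather than for emptiness, e.g. `case "${squid_flags}" in *-f*) ;; *) required_files=${default_config} ;; esac`.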
>Release-Note:
>Audit-Trail:
>Unformatted: