ports/63651: [Maintainer] www/squid: Update to 2.5.STABLE5

Thomas-Martin Seck tmseck at netcologne.de
Tue Mar 2 18:40:11 UTC 2004


>Number:         63651
>Category:       ports
>Synopsis:       [Maintainer] www/squid: Update to 2.5.STABLE5
>Confidential:   no
>Severity:       non-critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Tue Mar 02 10:40:10 PST 2004
>Closed-Date:
>Last-Modified:
>Originator:     Thomas-Martin Seck
>Release:        FreeBSD 4.9-STABLE i386
>Organization:
private site in Germany
>Environment:
FreeBSD ports repository as of Mar 02, 2004.

	
>Description:
- update to version 2.5.STABLE5 + vendor patches as of Mar 02, 2004
- supply more OPTIONS, e.g.
  + integrate the follow-XFF-headers patch from devel.squid-cache.org
    (submitted by Michael Ranner, slightly modified to remove the need
    to run the auto*-tools before configuring), this should be good
    news for the dansguardian users out there
  + enable transparent PF filtering; due to my lack of autoconf skills
    this will only work on systems where PF is part of the base system.
    Patches that allow one to pull in the port instead are welcome.
- create the squid pseudo-user with an id of 100:100 instead of choosing
  the first free one greater than or equal to 3128, test for the
  presence of an already created user with such a "high" id and provide
  a 'changeuser' target for migration (requested by Kris Kennaway).
  Be careful not to fiddle with 'nobody', though.
- do not overdo CONFLICTS (criticized by Oliver Eikemeier)
- remove rcNG support for systems which lack /etc/rc.subr to avoid a
  possible POLA violation and try to explain $required_files better

Information for committers:
- please 'cvs add' the following files:
  files/follow_xff-2.5.patch
  files/follow_xff-configure.patch
  files/patch-configure
  files/patch-helpers-basic_auth-SMB-smb_auth.sh
- please document in the Porter's Handbook that squid claims uid 100
>How-To-Repeat:
>Fix:

Apply this patch:

Index: projekte/FreeBSD/ports/www/squid/Makefile
diff -u projekte/FreeBSD/ports/www/squid/Makefile:1.10 projekte/FreeBSD/ports/www/squid/Makefile:1.5.2.28
--- projekte/FreeBSD/ports/www/squid/Makefile:1.10	Sat Feb 28 17:16:26 2004
+++ projekte/FreeBSD/ports/www/squid/Makefile	Tue Mar  2 19:02:16 2004
@@ -7,11 +7,17 @@
 # Tunables not (yet) configurable via 'make config':
 # SQUID_{U,G}ID
 #   Which user/group squid should run as (default: squid/squid).
-#   The user and group will be created if they do not already exist.
+#   The user and group will be created if they do not already exist using
+#   a uid:gid of 100:100.
 #   NOTE: before version 2.5.4_6, these settings defaulted to
 #   nobody/nogroup.
 #   If you wish to keep these settings, please define SQUID_UID=nobody and
 #   SQUID_GID=nogroup in your make environment before you start the update.
+#   NOTE2:
+#   Before version 2.5.4_11 the numerical id chosen for SQUID_UID (and
+#   SQUID_GID respectively) was the first free id greater than or equal 3128.
+#   If you wish to move your squid user to id 100:100, run "make changeuser",
+#   please see the changeuser target's definition for further information.
 # SQUID_LANGUAGES
 #   A list of languages for which error page files should be installed
 #   (default: all)
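Review bot: NOTE2 names 2.5.4_11 as the first version that uses uid:gid 100:100, but the next hunk goes from PORTVERSION 2.5.4 with PORTREVISION 10 straight to PORTVERSION 2.5.5, so no 2.5.4_11 is ever built from this Makefile. Suggest writing "Before version 2.5.5" here and in the matching pkg-install notice, so users comparing against their installed package version get the right cutoff.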
@@ -22,8 +28,7 @@
 #   Additional configuration options, see below for a list
 
 PORTNAME=	squid
-PORTVERSION=	2.5.4
-PORTREVISION=	10
+PORTVERSION=	2.5.5
 CATEGORIES=	www
 MASTER_SITES=	\
 		ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \
@@ -32,68 +37,18 @@
 		ftp://ftp.leo.org/pub/comp/general/infosys/www/servers/squid/%SUBDIR%/ \
 		${MASTER_SITE_RINGSERVER:S,%SUBDIR%,net/www/squid/&,}
 MASTER_SITE_SUBDIR=	squid-2/STABLE
-DISTNAME=	squid-2.5.STABLE4
+DISTNAME=	squid-2.5.STABLE5
 DIST_SUBDIR=	squid2.5
 
 PATCH_SITES=	http://www.squid-cache.org/Versions/v2/2.5/bugs/
-PATCHFILES=	squid-2.5.STABLE4-reconfigure_message.patch \
-		squid-2.5.STABLE4-digest_auth_pwchange.patch \
-		squid-2.5.STABLE4-redirect_login_space.patch \
-		squid-2.5.STABLE4-fqdnnegcache.patch \
-		pam_auth-2.2.patch \
-		squid-2.5.STABLE4_auth_param_doc.patch \
-		squid-2.5.STABLE4-errorpages.patch \
-		squid-2.5.STABLE4-error_load_text.patch \
-		squid-2.5.STABLE4-xpi_mime.patch \
-		squid-2.5.STABLE4-size_overflow.patch \
-		squid-2.5.STABLE4-extacl_auth_loop.patch \
-		squid-2.5.STABLE4-squid_ldap_group.patch \
-		squid-2.5.STABLE4-positive_dns_ttl.patch \
-		squid-2.5.STABLE4-gopherhtml.patch \
-		squid-2.5.STABLE4-netroute.patch \
-		squid-2.5.STABLE4-synflood.patch \
-		squid-2.5.STABLE4-fqdn.patch \
-		squid-2.5.STABLE4-connect_cleanup.patch \
-		squid-2.5.STABLE4-pconn_post.patch \
-		squid-2.5.STABLE4-ftp_put.patch \
-		squid-2.5.STABLE4-pconn-load.patch \
-		squid-2.5.STABLE4-icon_urls.patch \
-		squid-2.5.STABLE4-redirector_access.patch \
-		squid-2.5.STABLE4-pconn-lifo.patch \
-		squid-2.5.STABLE4-cache_peer_maxconn.patch \
-		squid-2.5.STABLE4-pid_filename_none.patch \
-		squid-2.5.STABLE4-dns_namelength.patch \
-		squid-2.5.STABLE4-urllogin_acl.patch \
-		squid-2.5.STABLE4-russian.patch \
-		squid-2.5.STABLE4-redirlog.patch \
-		squid-2.5.STABLE4-pinger.patch \
-		squid-2.5.STABLE4-partial_reload.patch \
-		squid-2.5.STABLE4-ldap_tls.patch \
-		squid-2.5.STABLE4-ldap_group_bufsize.patch \
-		squid-2.5.STABLE4-http_workarounds.patch \
-		squid-2.5.STABLE4-empty_proxy_auth.patch \
-		squid-2.5.STABLE4-ftp_telnet.patch \
-		squid-2.5.STABLE4-ntlm_auth_popups.patch \
-		squid-2.5.STABLE4-ldap_group-S.patch \
-		squid-2.5.STABLE4-ipcache_purge.patch \
-		squid-2.5.STABLE4-cache_peer_access_ntlm.patch \
-		squid-2.5.STABLE4-wbinfo_group.patch \
-		squid-2.5.STABLE4-SMB_ntlm_auth.patch \
-		squid-2.5.STABLE4-miss_access_internal.patch \
-		squid-2.5.STABLE4-squidclient_auth.patch \
-		squid-2.5.STABLE4-authfixes.patch \
-		squid-2.5.STABLE4-arp-FreeBSD.patch \
-		squid-2.5.STABLE4-deny_info_reply.patch \
-		squid-2.5.STABLE4-authfixes2.patch \
-		squid-2.5.STABLE4-reply_body_max_size.patch \
-		squid-2.5.STABLE4-digest-abort.patch \
-		squid-2.5.STABLE4-ntlm_auth_user_hash_pointer-leak.patch
+PATCHFILES=	squid-2.5.STABLE5-ntlm_assert.patch \
+		squid-2.5.STABLE5-ldap.patch
 PATCH_DIST_STRIP=	-p1
 
 MAINTAINER=	tmseck at netcologne.de
 COMMENT=	The successful WWW proxy cache and accelerator
 
-CONFLICTS=	squid-*
+CONFLICTS=	squid-2.[^5]
 GNU_CONFIGURE=	yes
 USE_BZIP2=	yes
 USE_PERL5=	yes
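Review bot: the new CONFLICTS value "squid-2.[^5]" has no trailing wildcard, so if it is matched as a glob against the full package name it only matches a name that ends right after the minor digit, and an installed package such as squid-2.4.7 would not be caught. If the intent is "any squid 2.x other than 2.5", "squid-2.[^5]*" expresses that.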
@@ -120,10 +75,16 @@
 		SQUID_CACHE_DIGESTS "Enable cache digests" off \
 		SQUID_WCCP "Enable Web Cache Coordination Protocol" on \
 		SQUID_UNDERSCORES "Allow underscores in hostnames" on \
+		SQUID_CHECK_HOSTNAME "Do hostname checking" on \
 		SQUID_STRICT_HTTP "Be strictly HTTP compliant" off \
 		SQUID_IDENT "Enable ident (RFC 931) lookups" on \
 		SQUID_USERAGENT_LOG "Enable User-Agent-header logging" off \
-		SQUID_ARP_ACL "Enable ACLs based on ethernet address" off
+		SQUID_ARP_ACL "Enable ACLs based on ethernet address" off \
+		SQUID_PF "Enable transp. proxy support using PF" off \
+		SQUID_FOLLOW_XFF "Follow X-Forwarded-For headers" off \
+		SQUID_AUFS "Enable the aufs store type" off \
+		SQUID_COSS "Enable the COSS store type" off \
+		SQUID_STACKTRACES "Create backtraces on fatal errors" off
 
 PLIST_FILES=	etc/rc.d/squid.sh etc/squid/mib.txt etc/squid/mime.conf.default \
 		etc/squid/msntauth.conf.default etc/squid/squid.conf.default \
@@ -133,8 +94,7 @@
 		--datadir=${PREFIX}/etc/squid \
 		--libexecdir=${PREFIX}/libexec/squid \
 		--localstatedir=${PREFIX}/squid \
-		--enable-storeio="ufs diskd null" \
-		--enable-removal-policies="lru heap" \
+		--enable-removal-policies="lru heap"
 
 .include <bsd.port.pre.mk>
 
@@ -157,6 +117,20 @@
 			--enable-external-acl-helpers="${external_acl}" \
 			--enable-ntlm-auth-helpers="SMB winbind"
 
+# Selection of store types:
+
+store_types=	ufs diskd null
+.if defined(WITH_SQUID_AUFS)
+store_types+=	aufs
+# Nil aufs threads is default, set any other value via SQUID_CONFIGURE_ARGS
+CONFIGURE_ARGS+=	--enable-async-io --with-pthreads
+.endif
+.if defined(WITH_SQUID_COSS)
+store_types+=	coss
+CONFIGURE_ARGS+=	--with-aio
+.endif
+CONFIGURE_ARGS+=	--enable-storeio="${store_types}"
+
 # Other options set via 'make config':
 
 .if defined(WITH_SQUID_DELAY_POOLS)
@@ -192,6 +166,9 @@
 .if defined(WITH_SQUID_UNDERSCORES)
 CONFIGURE_ARGS+=	--enable-underscores
 .endif
+.if defined(WITHOUT_SQUID_CHECK_HOSTNAME)
+CONFIGURE_ARGS+=	--disable-hostname-checks
+.endif
 .if defined(WITH_SQUID_STRICT_HTTP)
 CONFIGURE_ARGS+=	--disable-http-violations
 .endif
@@ -204,6 +181,20 @@
 .if defined(WITH_SQUID_ARP_ACL)
 CONFIGURE_ARGS+=	--enable-arp-acl
 .endif
+.if defined(WITH_SQUID_PF)
+# This will work only systems where PF is part of the base system for now.
+# If someone is eager to teach autoconf to pick up the pf port
+# on 5.[0-2] systems instead, go on, I will integrate your patch.
+CONFIGURE_ARGS+=	--enable-pf-transparent
+.endif
+.if defined(WITH_SQUID_FOLLOW_XFF)
+EXTRA_PATCHES+=		${PATCHDIR}/follow_xff-2.5.patch \
+			${PATCHDIR}/follow_xff-configure.patch
+CONFIGURE_ARGS+=	--enable-follow-x-forwarded-for
+.endif
+.if defined(WITH_SQUID_STACKTRACES)
+CONFIGURE_ARGS+=	--enable-stacktraces
+.endif
 
 # Languages:
 #
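Review bot: WITH_SQUID_FOLLOW_XFF is described only as "Follow X-Forwarded-For headers" in the OPTIONS dialog, while the bundled cf.data.pre text sets acl_uses_indirect_client, delay_pool_uses_indirect_client and log_uses_indirect_client to on by default, so once an admin allows any peer in follow_x_forwarded_for, ACL matching and access logging switch to the header-supplied address. follow_x_forwarded_for itself defaults to "deny all", which is the safe side; suggest pointing to the SECURITY CONSIDERATIONS paragraph from the option comment or the install message so the trust implication is seen before the directive is used. Also, the PF comment reads "This will work only systems"; it is missing "on".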
@@ -235,16 +226,12 @@
 #  Set an explicit hostname in cachemgr.cgi
 # --enable-truncate
 #  Use truncate() rather than unlink()
-# --disable-hostname-checks
-#  Squid by default rejects any host names with odd characters in their name
-#  to conform with internet standards. If you disagree with this you may use
-#  this switch to turn off any such checks, provided that the resolver used by
-#  Squid does not reject such host names. This may be required to participate
-#  in testbeds for international domain names.
 # --disable-unlinkd
 #  Do not use "unlinkd"
-# --enable-stacktraces
-#  Enable automatic call backtrace on fatal errors
+# --with-aufs-threads=N_THREADS
+#  Tune the number of worker threads for the aufs object
+# --with-coss-membuf-size
+#  COSS membuf size (default: 1048576 bytes)
 #
 # This option does not yet work on FreeBSD:
 #
@@ -260,15 +247,15 @@
 post-patch:
 	@${REINPLACE_CMD} -e 's|-lpthread|${PTHREAD_LIBS}|g' ${WRKSRC}/configure
 	@${REINPLACE_CMD} -e 's|/etc|${PREFIX}/etc|g' ${WRKSRC}/doc/squid.8
-# Prevent installation of .orig files by deleting them.
-	@${FIND} ${WRKSRC} -name '*.bak' -delete
-	@${FIND} ${WRKSRC} -name '*.orig' -delete
 
 pre-configure:
 	@${REINPLACE_CMD} -e 's|%%SQUID_UID%%|${SQUID_UID}|g' \
 	    -e 's|%%SQUID_GID%%|${SQUID_GID}|g' ${WRKSRC}/src/cf.data.pre
 
 pre-install:
+# Prevent installation of .orig files by deleting them.
+	@${FIND} ${WRKSRC} -name '*.bak' -delete
+	@${FIND} ${WRKSRC} -name '*.orig' -delete
 	@${SED} -e 's|%%PREFIX%%|${PREFIX}|g' \
 	    -e 's|%%SQUID_UID%%|${SQUID_UID}|g' ${FILESDIR}/squid.sh \
 	    >${WRKDIR}/squid.sh
@@ -287,14 +274,8 @@
 	@${MKDIR} ${DOCSDIR}
 	cd ${WRKSRC} && ${INSTALL_DATA} ${docs} ${DOCSDIR}
 .endif
-
-# Work around the fact that the errorpages.patch creates files in
-# an "Attic" subdir:
-.if exists(${PREFIX}/etc/squid/errors/Lithuanian)
-	@${FIND} ${WRKSRC}/errors/Lithuanian/Attic -type f \
-   	    -exec ${INSTALL_DATA} {} ${PREFIX}/etc/squid/errors/Lithuanian/ \;
-.endif
-	@${SETENV} PKG_PREFIX=${PREFIX} ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL
+	@${SETENV} PKG_PREFIX=${PREFIX} \
+	    ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL
 # Create package list:
 	@cd ${PREFIX} && ${FIND} libexec/squid -type f -o -type l | ${SORT} \
 	    >>${TMPPLIST}
@@ -308,5 +289,51 @@
 	@${ECHO_CMD} "@dirrm etc/squid/errors/${d}" >>${TMPPLIST}
 .endfor
 	@${ECHO_CMD} "@dirrm etc/squid/errors" >>${TMPPLIST}
+
+changeuser:
+# Recover from the problem that earlier versions of this port created the
+# squid pseudo-user with an id greater than 999 which is not allowed in
+# FreeBSD's ports system. The port now uses id 100:100.
+# NOTE:
+# This target assumes that SQUID_GID is the primary group of SQUID_UID. If you
+# have a different setup, do not run this target!
+.if ${SQUID_UID:L} == nobody
+	@${ECHO_CMD} "'nobody' is a system user, you do not need to execute"; \
+	${ECHO_CMD} "this target!"
+	exit 1
+.endif
+	@if [ `id -u` -ne 0 ]; \
+	then ${ECHO_CMD} "Sorry, you must be root to use this target."; exit 1; fi; \
+	current_uid=`id -u ${SQUID_UID}`; \
+	current_gid=`pw groupshow ${SQUID_GID}|cut -f 3 -d :`; \
+	${ECHO_CMD} "I will remove this user:"; \
+	id -P $${current_uid}; \
+	${ECHO_CMD} "and this group:"; \
+	pw groupshow ${SQUID_GID}; \
+	${ECHO_CMD} "I will then re-create them with a user and group id of 100."; \
+	${ECHO_CMD} "Then all files and directories under ${PREFIX} and /var that"; \
+	${ECHO_CMD} "are owned by uid $${current_uid} will be chown(1)'ed."; \
+	${ECHO_CMD} "After that, all files and directories that were accessible"; \
+	${ECHO_CMD} "by group $${current_gid} will chgrp(1)'ed respectively."; \
+	${ECHO_CMD} "Note that this assumes group '${SQUID_GID}' to be the primary"; \
+	${ECHO_CMD} "group of user '${SQUID_UID}'. If you have a different setup"; \
+	${ECHO_CMD} "please abort this target now."; \
+	read -p "Press RETURN to continue or CTRL-C to abort:" dummy ; \
+	${ECHO_CMD} "OK, here we go:"; \
+	${ECHO_CMD} "deleting user $${current_uid} and his primary group..."; \
+	pw userdel -u $${current_uid}; \
+	${ECHO_CMD} "adding user ${SQUID_UID} with id 100..."; \
+	pw groupadd -n ${SQUID_GID} -g 100; \
+	pw useradd -n ${SQUID_UID} -u 100 -c "squid caching-proxy pseudo user" \
+	    -d ${PREFIX}/squid -s /sbin/nologin -h - ; \
+	${ECHO_CMD} "chown(1)'ing everything under ${PREFIX} from $${current_uid} to 100..."; \
+	${FIND} -H ${PREFIX} -user $${current_uid} -exec ${CHOWN} 100 {} \; ; \
+	${ECHO_CMD} "chgrp(1)'ing everything under ${PREFIX} from $${current_gid} to 100..."; \
+	${FIND} -H ${PREFIX} -group $${current_gid} -exec ${CHOWN} :100 {} \; ; \
+	${ECHO_CMD} "chown(1)'ing everything under /var from $${current_uid} to 100..."; \
+	${FIND} -H /var -user $${current_uid} -exec ${CHOWN} 100 {} \; ; \
+	${ECHO_CMD} "chgrp(1)'ing everything under /var from $${current_gid} to 100..."; \
+	${FIND} -H /var -group $${current_gid} -exec ${CHOWN} :100 {} \; ; \
+	${ECHO_CMD} "Finished."
 
 .include <bsd.port.post.mk>
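Review bot: in the changeuser recipe the commands after the prompt are joined with ";", so when "pw groupadd -n ${SQUID_GID} -g 100" or "pw useradd -n ${SQUID_UID} -u 100" fails (for example because id 100 is already in use) the old account is already deleted and the find/chown passes still run, handing the files to whatever holds id 100. Chain the steps with "&&", and check up front that "id -u ${SQUID_UID}" succeeded and that uid and gid 100 are free. The useradd call also omits "-g ${SQUID_GID}", which the pkg-install version passes, so the assumption stated in the NOTE (SQUID_GID is the primary group) is not enforced on the re-created user. Finally, the four find passes run chown as root without -h on everything the old uid or gid owns; adding "-h" (or excluding symlinks) keeps the ownership change on the entries found rather than on the targets of links under ${PREFIX} or /var.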
Index: projekte/FreeBSD/ports/www/squid/distinfo
diff -u projekte/FreeBSD/ports/www/squid/distinfo:1.8 projekte/FreeBSD/ports/www/squid/distinfo:1.4.2.15
--- projekte/FreeBSD/ports/www/squid/distinfo:1.8	Sat Feb 28 17:16:27 2004
+++ projekte/FreeBSD/ports/www/squid/distinfo	Tue Mar  2 18:25:09 2004
@@ -1,106 +1,6 @@
-MD5 (squid2.5/squid-2.5.STABLE4.tar.bz2) = 9894a1fe855b0cccdc14fbf014060990
-SIZE (squid2.5/squid-2.5.STABLE4.tar.bz2) = 1036704
-MD5 (squid2.5/squid-2.5.STABLE4-reconfigure_message.patch) = a746143deab8b609730660916a297618
-SIZE (squid2.5/squid-2.5.STABLE4-reconfigure_message.patch) = 760
-MD5 (squid2.5/squid-2.5.STABLE4-digest_auth_pwchange.patch) = e5020f5b87a92c4d9621ce25403d691b
-SIZE (squid2.5/squid-2.5.STABLE4-digest_auth_pwchange.patch) = 2694
-MD5 (squid2.5/squid-2.5.STABLE4-redirect_login_space.patch) = 2374ed6dae7ef57c009e2428284d6b65
-SIZE (squid2.5/squid-2.5.STABLE4-redirect_login_space.patch) = 619
-MD5 (squid2.5/squid-2.5.STABLE4-fqdnnegcache.patch) = ae1b7cce41ca403ebd7115d4506b0c25
-SIZE (squid2.5/squid-2.5.STABLE4-fqdnnegcache.patch) = 701
-MD5 (squid2.5/pam_auth-2.2.patch) = 3037a67d8f4b85cd7d51cb2dd5b4e8b8
-SIZE (squid2.5/pam_auth-2.2.patch) = 4878
-MD5 (squid2.5/squid-2.5.STABLE4_auth_param_doc.patch) = 3b35c424db58c71c541563cd5ae39d15
-SIZE (squid2.5/squid-2.5.STABLE4_auth_param_doc.patch) = 9068
-MD5 (squid2.5/squid-2.5.STABLE4-errorpages.patch) = df16c73a786ce0c59b1585ab6b745210
-SIZE (squid2.5/squid-2.5.STABLE4-errorpages.patch) = 49937
-MD5 (squid2.5/squid-2.5.STABLE4-error_load_text.patch) = 3935a3005d125f55cd78b228eba20647
-SIZE (squid2.5/squid-2.5.STABLE4-error_load_text.patch) = 571
-MD5 (squid2.5/squid-2.5.STABLE4-xpi_mime.patch) = 1143fb9244690a24450c3c9ce6105da4
-SIZE (squid2.5/squid-2.5.STABLE4-xpi_mime.patch) = 601
-MD5 (squid2.5/squid-2.5.STABLE4-size_overflow.patch) = 7cd2d6b1ebbd86aa143fa5a57156d6ce
-SIZE (squid2.5/squid-2.5.STABLE4-size_overflow.patch) = 438
-MD5 (squid2.5/squid-2.5.STABLE4-extacl_auth_loop.patch) = de06bbc89f5408b7ab83733d894d4fe7
-SIZE (squid2.5/squid-2.5.STABLE4-extacl_auth_loop.patch) = 756
-MD5 (squid2.5/squid-2.5.STABLE4-squid_ldap_group.patch) = a5d0a8730aacf129401aabdfa61d60f7
-SIZE (squid2.5/squid-2.5.STABLE4-squid_ldap_group.patch) = 30490
-MD5 (squid2.5/squid-2.5.STABLE4-positive_dns_ttl.patch) = 7fca4475d86acc7db242c261b08751d7
-SIZE (squid2.5/squid-2.5.STABLE4-positive_dns_ttl.patch) = 3409
-MD5 (squid2.5/squid-2.5.STABLE4-gopherhtml.patch) = 2c6c50a4a8f4d0d0017ab7c15bacfe26
-SIZE (squid2.5/squid-2.5.STABLE4-gopherhtml.patch) = 3382
-MD5 (squid2.5/squid-2.5.STABLE4-netroute.patch) = f83e66712f37f34a04571b31be6c2db8
-SIZE (squid2.5/squid-2.5.STABLE4-netroute.patch) = 592
-MD5 (squid2.5/squid-2.5.STABLE4-synflood.patch) = b92e7a56e87374ebf2eb50e044f07f6d
-SIZE (squid2.5/squid-2.5.STABLE4-synflood.patch) = 12861
-MD5 (squid2.5/squid-2.5.STABLE4-fqdn.patch) = dbf2c020e3c3c52ae540d96a724fac87
-SIZE (squid2.5/squid-2.5.STABLE4-fqdn.patch) = 713
-MD5 (squid2.5/squid-2.5.STABLE4-connect_cleanup.patch) = ee0398f51a22ab2c82048c8935d6d11c
-SIZE (squid2.5/squid-2.5.STABLE4-connect_cleanup.patch) = 32516
-MD5 (squid2.5/squid-2.5.STABLE4-pconn_post.patch) = 4a5b7ab04fe8b73906db441448534bbb
-SIZE (squid2.5/squid-2.5.STABLE4-pconn_post.patch) = 1231
-MD5 (squid2.5/squid-2.5.STABLE4-ftp_put.patch) = d3b69c8e79c96c13005d6dbeb72e5c76
-SIZE (squid2.5/squid-2.5.STABLE4-ftp_put.patch) = 584
-MD5 (squid2.5/squid-2.5.STABLE4-pconn-load.patch) = a432f9eff9e0963b7338e41a91230d95
-SIZE (squid2.5/squid-2.5.STABLE4-pconn-load.patch) = 2397
-MD5 (squid2.5/squid-2.5.STABLE4-icon_urls.patch) = cf28143216b1364e56e820dddbb66dfc
-SIZE (squid2.5/squid-2.5.STABLE4-icon_urls.patch) = 2399
-MD5 (squid2.5/squid-2.5.STABLE4-redirector_access.patch) = 9c534a3d58fe0e3545cd4ed9af92a0e8
-SIZE (squid2.5/squid-2.5.STABLE4-redirector_access.patch) = 3498
-MD5 (squid2.5/squid-2.5.STABLE4-pconn-lifo.patch) = f41051c248764749d9d9ca5704925da7
-SIZE (squid2.5/squid-2.5.STABLE4-pconn-lifo.patch) = 1350
-MD5 (squid2.5/squid-2.5.STABLE4-cache_peer_maxconn.patch) = efd99c5e2f526c08cb52d9af948c7b25
-SIZE (squid2.5/squid-2.5.STABLE4-cache_peer_maxconn.patch) = 3603
-MD5 (squid2.5/squid-2.5.STABLE4-pid_filename_none.patch) = 808bafa144b22c3cf6900759b30f39e6
-SIZE (squid2.5/squid-2.5.STABLE4-pid_filename_none.patch) = 508
-MD5 (squid2.5/squid-2.5.STABLE4-dns_namelength.patch) = 290da300d02124be3971282d5b0a799d
-SIZE (squid2.5/squid-2.5.STABLE4-dns_namelength.patch) = 603
-MD5 (squid2.5/squid-2.5.STABLE4-urllogin_acl.patch) = 5ad09d7d4bf105e699cfeb647a4836a3
-SIZE (squid2.5/squid-2.5.STABLE4-urllogin_acl.patch) = 3064
-MD5 (squid2.5/squid-2.5.STABLE4-russian.patch) = 5a4357bd56134fc6578c435314c1a835
-SIZE (squid2.5/squid-2.5.STABLE4-russian.patch) = 20731
-MD5 (squid2.5/squid-2.5.STABLE4-redirlog.patch) = 8a2cc15f2bde6fa263a9e40aae807f82
-SIZE (squid2.5/squid-2.5.STABLE4-redirlog.patch) = 762
-MD5 (squid2.5/squid-2.5.STABLE4-pinger.patch) = 0902849d051873aaf5f54584d0536bb5
-SIZE (squid2.5/squid-2.5.STABLE4-pinger.patch) = 738
-MD5 (squid2.5/squid-2.5.STABLE4-partial_reload.patch) = 6d8fa663f46ffc2272b7d18a0b6eea34
-SIZE (squid2.5/squid-2.5.STABLE4-partial_reload.patch) = 751
-MD5 (squid2.5/squid-2.5.STABLE4-ldap_tls.patch) = dcd6b4ec46e252833a54c4bfd155c284
-SIZE (squid2.5/squid-2.5.STABLE4-ldap_tls.patch) = 1853
-MD5 (squid2.5/squid-2.5.STABLE4-ldap_group_bufsize.patch) = e42207a45232ca739a64f2ac3901263c
-SIZE (squid2.5/squid-2.5.STABLE4-ldap_group_bufsize.patch) = 762
-MD5 (squid2.5/squid-2.5.STABLE4-http_workarounds.patch) = 77d1a43dffa7aa97eb39b9178689e8df
-SIZE (squid2.5/squid-2.5.STABLE4-http_workarounds.patch) = 12322
-MD5 (squid2.5/squid-2.5.STABLE4-empty_proxy_auth.patch) = ff55a2c7a718868ad245fd6de07018c9
-SIZE (squid2.5/squid-2.5.STABLE4-empty_proxy_auth.patch) = 2719
-MD5 (squid2.5/squid-2.5.STABLE4-ftp_telnet.patch) = 570ed0193201946fc10b42c0d96f7f48
-SIZE (squid2.5/squid-2.5.STABLE4-ftp_telnet.patch) = 3844
-MD5 (squid2.5/squid-2.5.STABLE4-ntlm_auth_popups.patch) = 922ef0774b855866b6daeb5df19bb4b3
-SIZE (squid2.5/squid-2.5.STABLE4-ntlm_auth_popups.patch) = 63653
-MD5 (squid2.5/squid-2.5.STABLE4-ldap_group-S.patch) = 35eb045971a1fe12b847e05862614aa6
-SIZE (squid2.5/squid-2.5.STABLE4-ldap_group-S.patch) = 993
-MD5 (squid2.5/squid-2.5.STABLE4-ipcache_purge.patch) = d76b6163f0806494defe9cba37a2d708
-SIZE (squid2.5/squid-2.5.STABLE4-ipcache_purge.patch) = 1022
-MD5 (squid2.5/squid-2.5.STABLE4-cache_peer_access_ntlm.patch) = 94841c505d86a1ab310b817119079e3b
-SIZE (squid2.5/squid-2.5.STABLE4-cache_peer_access_ntlm.patch) = 3378
-MD5 (squid2.5/squid-2.5.STABLE4-wbinfo_group.patch) = 4fff0be253f87fa538691497600daf70
-SIZE (squid2.5/squid-2.5.STABLE4-wbinfo_group.patch) = 1105
-MD5 (squid2.5/squid-2.5.STABLE4-SMB_ntlm_auth.patch) = 6ee610502b49c00914e2fe986f21db78
-SIZE (squid2.5/squid-2.5.STABLE4-SMB_ntlm_auth.patch) = 1924
-MD5 (squid2.5/squid-2.5.STABLE4-miss_access_internal.patch) = 8f4259401052ecae31fa3de4535a624f
-SIZE (squid2.5/squid-2.5.STABLE4-miss_access_internal.patch) = 837
-MD5 (squid2.5/squid-2.5.STABLE4-squidclient_auth.patch) = eff31cbd54adad086d50e0ae7dbe2c6e
-SIZE (squid2.5/squid-2.5.STABLE4-squidclient_auth.patch) = 1107
-MD5 (squid2.5/squid-2.5.STABLE4-authfixes.patch) = 139ab240c01acf6eeed7ead27f0ce387
-SIZE (squid2.5/squid-2.5.STABLE4-authfixes.patch) = 9401
-MD5 (squid2.5/squid-2.5.STABLE4-arp-FreeBSD.patch) = bad7a9a59071faf569734f022b35b28f
-SIZE (squid2.5/squid-2.5.STABLE4-arp-FreeBSD.patch) = 3999
-MD5 (squid2.5/squid-2.5.STABLE4-deny_info_reply.patch) = 97a9af2a33ded35bcef989181318ac71
-SIZE (squid2.5/squid-2.5.STABLE4-deny_info_reply.patch) = 1951
-MD5 (squid2.5/squid-2.5.STABLE4-authfixes2.patch) = b1de702ac773133affa1393c48d04807
-SIZE (squid2.5/squid-2.5.STABLE4-authfixes2.patch) = 2222
-MD5 (squid2.5/squid-2.5.STABLE4-reply_body_max_size.patch) = 79beba0e5466279ffbdd4322a3579aeb
-SIZE (squid2.5/squid-2.5.STABLE4-reply_body_max_size.patch) = 524
-MD5 (squid2.5/squid-2.5.STABLE4-digest-abort.patch) = a0cf9a5451b89bb6d8a8982a14791c15
-SIZE (squid2.5/squid-2.5.STABLE4-digest-abort.patch) = 946
-MD5 (squid2.5/squid-2.5.STABLE4-ntlm_auth_user_hash_pointer-leak.patch) = 8422d34ab797ae07727a5f2fdfe1a832
-SIZE (squid2.5/squid-2.5.STABLE4-ntlm_auth_user_hash_pointer-leak.patch) = 3277
+MD5 (squid2.5/squid-2.5.STABLE5.tar.bz2) = 45ed1b1cd492e3f529085d09c3ffc1b8
+SIZE (squid2.5/squid-2.5.STABLE5.tar.bz2) = 1044932
+MD5 (squid2.5/squid-2.5.STABLE5-ntlm_assert.patch) = 1bb2a8455a1e988c52b2ca3cf3fe0867
+SIZE (squid2.5/squid-2.5.STABLE5-ntlm_assert.patch) = 545
+MD5 (squid2.5/squid-2.5.STABLE5-ldap.patch) = 5e02b8ec2a9f9e88bfe2bb286362fe16
+SIZE (squid2.5/squid-2.5.STABLE5-ldap.patch) = 7099
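Review bot: the three new distinfo entries carry only MD5 and SIZE, and the two vendor patches are fetched from the http:// PATCH_SITES URL in the Makefile, so MD5 is the only integrity check on the code that gets applied with -p1. If the ports framework accepts an additional digest line per file, add a stronger one for the tarball and both patches.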
Index: projekte/FreeBSD/ports/www/squid/pkg-install
diff -u projekte/FreeBSD/ports/www/squid/pkg-install:1.4 projekte/FreeBSD/ports/www/squid/pkg-install:1.2.2.6
--- projekte/FreeBSD/ports/www/squid/pkg-install:1.4	Wed Feb 18 16:20:28 2004
+++ projekte/FreeBSD/ports/www/squid/pkg-install	Mon Mar  1 19:17:38 2004
@@ -9,16 +9,19 @@
 squid_confdir=${PKG_PREFIX:-/usr/local}/etc/squid
 squid_user=${SQUID_USER:=squid}
 squid_group=${SQUID_GROUP:=squid}
-squid_gid=3128
-squid_uid=3128
-
+squid_gid=100
+squid_uid=100
+# Try to catch the case where the $squid_user might have been created with an
+# id greater than or equal 3128. The valid exception is "nobody".
+nobody_uid=65534
+nobody_gid=65534
+squid_oldgid=3128
+squid_olduid=3128
+unset wrong_id
 case $2 in
 PRE-INSTALL)
 	echo "===> Pre-installation configuration for ${pkgname}"
 	if ! pw groupshow ${squid_group} -q >/dev/null ; then
-		while pw groupshow -g ${squid_gid} -q >/dev/null; do
-			squid_gid=`expr ${squid_gid} + 1`
-		done
 		echo "There is no group '${squid_group}' on this system, so I will try to create it:"
 		if ! pw groupadd ${squid_group} -g ${squid_gid} -q ; then
 			echo "Failed to create group \"${squid_group}\"!" >&2
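Review bot: with the free-id search loop removed, "pw groupadd ${squid_group} -g ${squid_gid}" now fails outright when gid 100 already belongs to an unrelated group, and the only feedback is the generic "Failed to create group" message. Suggest testing "pw groupshow -g ${squid_gid}" first and naming the conflicting group in the error, so the admin knows the id is taken rather than guessing at the cause.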
@@ -29,12 +32,15 @@
 		fi
 	else
 		echo "I will use the existing group '${squid_group}':"
+		current_gid=`pw groupshow ${squid_group}|cut -f 3 -d :`
+		if [ ${current_gid} -ge ${squid_oldgid} \
+		    -a ${current_gid} -ne ${nobody_gid} ]; then
+			wrong_id=1
+		fi	
 	fi
 	pw groupshow ${squid_group}
+
 	if ! pw usershow ${squid_user} -q >/dev/null ; then
-		while pw usershow -u ${squid_uid} -q >/dev/null; do
-			squid_uid=`expr ${squid_uid} + 1`
-		done
 		echo "There is no account '${squid_user}' on this system, so I will try to create it:"
 		if ! pw useradd ${squid_user} -u ${squid_uid} -q \
 	  	    -c "squid caching-proxy pseudo user" -g ${squid_group} \
@@ -47,8 +53,53 @@
 		fi
 	else
 		echo "I will use the existing user '${squid_user}':"
+		current_uid=`id -u ${squid_user}`
+		if [ ${current_uid} -ge ${squid_olduid} \
+		    -a ${current_uid} -ne ${nobody_uid} ];
+		then
+			wrong_id=1
+		fi
 	fi
 	pw usershow ${squid_user}
+	if [ "${wrong_id}" ]; then
+		echo ""
+		echo " * NOTICE *"
+		echo ""
+		echo "The squid pseudo-user's uid and/or gid have been found"
+		echo "to be greater than or equal 3128."
+		echo ""
+		echo "This is not a problem as such, but violates the FreeBSD"
+		echo "ports' principle that a ports must not claim a uid greater"
+		echo "than 999."
+		echo ""
+		echo "Since version 2.5.4_11, the squid user is thus created"
+		echo "with an id of ${squid_uid}:${squid_gid} while earlier versions of this"
+		echo "port used the first unused uid/gid greater than or"
+		echo "equal 3128."
+		echo ""
+		echo "If you want to change the existing squid user's id, run"
+		echo "'make changeuser' after the installation has completed."
+		echo "If you installed this port via a package, issue the"
+		echo "following commands as root:"
+		echo ""
+		echo "pw userdel -u ${current_uid}"
+		echo "pw groupadd -n ${squid_group} -g ${squid_gid}"
+		echo "pw useradd -n ${squid_user} -u ${squid_uid} \\"
+		echo "    -c \"squid caching-proxy pseudo user\" \\"
+		echo "    -g ${squid_group} -d ${squid_base} -s /sbin/nologin \\"
+		echo "    -h -"
+		echo "find -H ${PKG_PREFIX} -user ${current_uid} -exec chown ${squid_user} {} \\;"
+		echo "find -H ${PKG_PREFIX} -group ${current_gid} -exec chgrp ${squid_group} {} \\;"
+		echo ""
+		echo "In case you have installed third party software for squid"
+		echo "like squidGuard, you should additionally run:"
+		echo "find -H /var -user ${current_uid} -exec chown ${squid_user} {} \\;"
+		echo "find -H /var -group ${current_gid} -exec chgrp ${squid_group} {} \\;"
+		echo ""
+		if [ -z "${PACKAGE_BUILDING}" -a -z "${BATCH}" ]; then
+			read -p "Press RETURN to continue..." dummy
+		fi
+	fi
 	for dir in cache logs; do
 	if [ ! -d ${squid_base}/${dir} ]; then
 		echo "Creating ${squid_base}/${dir}..."
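Review bot: the NOTICE block prints ${current_uid} and ${current_gid}, but each is only assigned in its own "I will use the existing ..." branch, so when only one of user or group pre-exists with a high id the other variable is empty and the printed commands come out as "pw userdel -u" or "find ... -group" with a missing argument. Assign both before the block (after the create-or-reuse logic has run), or print only the commands that apply to the id that was found to be wrong. Small wording fix in the same block: "a ports must not claim" should read "a port must not claim".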
Index: projekte/FreeBSD/ports/www/squid/files/follow_xff-2.5.patch
diff -u /dev/null projekte/FreeBSD/ports/www/squid/files/follow_xff-2.5.patch:1.1.2.2
--- /dev/null	Tue Mar  2 19:03:29 2004
+++ projekte/FreeBSD/ports/www/squid/files/follow_xff-2.5.patch	Tue Mar  2 17:56:19 2004
@@ -0,0 +1,412 @@
+! This is a reduced part of the original follow-XFF patchset from
+! devel.squid-cache.org for use with the FreeBSD squid-2.5 port.
+Index: src/acl.c
+--- src/acl.c	13 May 2003 02:14:12 -0000	1.43.2.16
++++ src/acl.c	23 Nov 2003 14:20:12 -0000
+@@ -2001,6 +2001,11 @@
+     cbdataLock(A);
+     if (request != NULL) {
+ 	checklist->request = requestLink(request);
++#if FOLLOW_X_FORWARDED_FOR
++	if (Config.onoff.acl_uses_indirect_client) {
++	    checklist->src_addr = request->indirect_client_addr;
++	} else
++#endif /* FOLLOW_X_FORWARDED_FOR */
+ 	checklist->src_addr = request->client_addr;
+ 	checklist->my_addr = request->my_addr;
+ 	checklist->my_port = request->my_port;
+Index: src/cf.data.pre
+--- src/cf.data.pre	7 Nov 2003 03:14:30 -0000	1.49.2.46
++++ src/cf.data.pre	23 Nov 2003 14:20:17 -0000
+@@ -2065,6 +2065,92 @@
+ NOCOMMENT_END
+ DOC_END
+ 
++NAME: follow_x_forwarded_for
++TYPE: acl_access
++IFDEF: FOLLOW_X_FORWARDED_FOR
++LOC: Config.accessList.followXFF
++DEFAULT: none
++DEFAULT_IF_NONE: deny all
++DOC_START
++	Allowing or Denying the X-Forwarded-For header to be followed to
++	find the original source of a request.
++
++	Requests may pass through a chain of several other proxies
++	before reaching us.  The X-Forwarded-For header will contain a
++	comma-separated list of the IP addresses in the chain, with the
++	rightmost address being the most recent.
++
++	If a request reaches us from a source that is allowed by this
++	configuration item, then we consult the X-Forwarded-For header
++	to see where that host received the request from.  If the
++	X-Forwarded-For header contains multiple addresses, and if
++	acl_uses_indirect_client is on, then we continue backtracking
++	until we reach an address for which we are not allowed to
++	follow the X-Forwarded-For header, or until we reach the first
++	address in the list.  (If acl_uses_indirect_client is off, then
++	it's impossible to backtrack through more than one level of
++	X-Forwarded-For addresses.)
++
++	The end result of this process is an IP address that we will
++	refer to as the indirect client address.  This address may
++	be treated as the client address for access control, delay
++	pools and logging, depending on the acl_uses_indirect_client,
++	delay_pool_uses_indirect_client and log_uses_indirect_client
++	options.
++
++	SECURITY CONSIDERATIONS:
++
++		Any host for which we follow the X-Forwarded-For header
++		can place incorrect information in the header, and Squid
++		will use the incorrect information as if it were the
++		source address of the request.  This may enable remote
++		hosts to bypass any access control restrictions that are
++		based on the client's source addresses.
++
++	For example:
++
++		acl localhost src 127.0.0.1
++		acl my_other_proxy srcdomain .proxy.example.com
++		follow_x_forwarded_for allow localhost
++		follow_x_forwarded_for allow my_other_proxy
++DOC_END
++
++NAME: acl_uses_indirect_client
++COMMENT: on|off
++TYPE: onoff
++IFDEF: FOLLOW_X_FORWARDED_FOR
++DEFAULT: on
++LOC: Config.onoff.acl_uses_indirect_client
++DOC_START
++	Controls whether the indirect client address
++	(see follow_x_forwarded_for) is used instead of the
++	direct client address in acl matching.
++DOC_END
++
++NAME: delay_pool_uses_indirect_client
++COMMENT: on|off
++TYPE: onoff
++IFDEF: FOLLOW_X_FORWARDED_FOR && DELAY_POOLS
++DEFAULT: on
++LOC: Config.onoff.delay_pool_uses_indirect_client
++DOC_START
++	Controls whether the indirect client address
++	(see follow_x_forwarded_for) is used instead of the
++	direct client address in delay pools.
++DOC_END
++
++NAME: log_uses_indirect_client
++COMMENT: on|off
++TYPE: onoff
++IFDEF: FOLLOW_X_FORWARDED_FOR
++DEFAULT: on
++LOC: Config.onoff.log_uses_indirect_client
++DOC_START
++	Controls whether the indirect client address
++	(see follow_x_forwarded_for) is used instead of the
++	direct client address in the access log.
++DOC_END
++
+ NAME: http_access
+ TYPE: acl_access
+ LOC: Config.accessList.http
+Index: src/client_side.c
+--- src/client_side.c	2 Sep 2003 02:13:45 -0000	1.47.2.39
++++ src/client_side.c	23 Nov 2003 14:20:22 -0000
+@@ -109,6 +109,11 @@
+ #if USE_IDENT
+ static IDCB clientIdentDone;
+ #endif
++#if FOLLOW_X_FORWARDED_FOR
++static void clientFollowXForwardedForStart(void *data);
++static void clientFollowXForwardedForNext(void *data);
++static void clientFollowXForwardedForDone(int answer, void *data);
++#endif /* FOLLOW_X_FORWARDED_FOR */
+ static int clientOnlyIfCached(clientHttpRequest * http);
+ static STCB clientSendMoreData;
+ static STCB clientCacheHit;
+@@ -177,10 +182,179 @@
+     return ch;
+ }
+ 
++#if FOLLOW_X_FORWARDED_FOR
++/*
++ * clientFollowXForwardedForStart() copies the X-Forwarded-For
++ * header into x_forwarded_for_iterator and passes control to
++ * clientFollowXForwardedForNext().
++ *
++ * clientFollowXForwardedForNext() checks the indirect_client_addr
++ * against the followXFF ACL and passes the result to
++ * clientFollowXForwardedForDone().
++ *
++ * clientFollowXForwardedForDone() either grabs the next address
++ * from the tail of x_forwarded_for_iterator and loops back to
++ * clientFollowXForwardedForNext(), or cleans up and passes control to
++ * clientAccessCheck().
++ */
++
++static void
++clientFollowXForwardedForStart(void *data)
++{
++    clientHttpRequest *http = data;
++    request_t *request = http->request;
++    if (Config.accessList.followXFF
++	&& httpHeaderHas(&request->header, HDR_X_FORWARDED_FOR))
++    {
++	request->x_forwarded_for_iterator = httpHeaderGetList(
++			&request->header, HDR_X_FORWARDED_FOR);
++	debug(33, 5) ("clientFollowXForwardedForStart: indirect_client_addr=%s XFF='%s'\n",
++			inet_ntoa(request->indirect_client_addr),
++			strBuf(request->x_forwarded_for_iterator));
++	clientFollowXForwardedForNext(http);
++    } else {
++	/* not configured to follow X-Forwarded-For, or nothing to follow */
++	debug(33, 5) ("clientFollowXForwardedForStart: nothing to do\n");
++	clientFollowXForwardedForDone(-1, http);
++    }
++}
++
++static void
++clientFollowXForwardedForNext(void *data)
++{
++    clientHttpRequest *http = data;
++    request_t *request = http->request;
++    debug(33, 5) ("clientFollowXForwardedForNext: indirect_client_addr=%s XFF='%s'\n",
++		    inet_ntoa(request->indirect_client_addr),
++		    strBuf(request->x_forwarded_for_iterator));
++    if (strLen(request->x_forwarded_for_iterator) != 0) {
++	/* check the acl to see whether to believe the X-Forwarded-For header */
++	http->acl_checklist = clientAclChecklistCreate(
++			Config.accessList.followXFF, http);
++	aclNBCheck(http->acl_checklist, clientFollowXForwardedForDone, http);
++    } else {
++	/* nothing left to follow */
++	debug(33, 5) ("clientFollowXForwardedForNext: nothing more to do\n");
++	clientFollowXForwardedForDone(-1, http);
++    }
++}
++
++static void
++clientFollowXForwardedForDone(int answer, void *data)
++{
++    clientHttpRequest *http = data;
++    request_t *request = http->request;
++    /*
++     * answer should be be ACCESS_ALLOWED or ACCESS_DENIED if we are
++     * called as a result of ACL checks, or -1 if we are called when
++     * there's nothing left to do.
++     */
++    if (answer == ACCESS_ALLOWED) {
++	/*
++	 * The IP address currently in request->indirect_client_addr
++	 * is trusted to use X-Forwarded-For.  Remove the last
++	 * comma-delimited element from x_forwarded_for_iterator and use
++	 * it to to replace indirect_client_addr, then repeat the cycle.
++	 */
++	const char *p;
++	const char *asciiaddr;
++	int l;
++	struct in_addr addr;
++	debug(33, 5) ("clientFollowXForwardedForDone: indirect_client_addr=%s is trusted\n",
++			inet_ntoa(request->indirect_client_addr));
++	p = strBuf(request->x_forwarded_for_iterator);
++	l = strLen(request->x_forwarded_for_iterator);
++
++	/*
++	 * XXX x_forwarded_for_iterator should really be a list of
++	 * IP addresses, but it's a String instead.  We have to
++	 * walk backwards through the String, biting off the last
++	 * comma-delimited part each time.  As long as the data is in
++	 * a String, we should probably implement and use a variant of
++	 * strListGetItem() that walks backwards instead of forwards
++	 * through a comma-separated list.  But we don't even do that;
++	 * we just do the work in-line here.
++	 */
++	/* skip trailing space and commas */
++	while (l > 0 && (p[l-1] == ',' || xisspace(p[l-1])))
++	    l--;
++	strCut(request->x_forwarded_for_iterator, l);
++	/* look for start of last item in list */
++	while (l > 0 && ! (p[l-1] == ',' || xisspace(p[l-1])))
++	    l--;
++	asciiaddr = p+l;
++	if (inet_aton(asciiaddr, &addr) == 0) {
++	    /* the address is not well formed; do not use it */
++	    debug(33, 3) ("clientFollowXForwardedForDone: malformed address '%s'\n",
++			    asciiaddr);
++	    goto done;
++	}
++	debug(33, 3) ("clientFollowXForwardedForDone: changing indirect_client_addr from %s to '%s'\n",
++		    inet_ntoa(request->indirect_client_addr),
++		    asciiaddr);
++	request->indirect_client_addr = addr;
++	strCut(request->x_forwarded_for_iterator, l);
++	if (! Config.onoff.acl_uses_indirect_client) {
++	    /*
++	     * If acl_uses_indirect_client is off, then it's impossible
++	     * to follow more than one level of X-Forwarded-For.
++	     */
++	    goto done;
++	}
++	clientFollowXForwardedForNext(http);
++	return;
++    } else if (answer == ACCESS_DENIED) {
++	debug(33, 5) ("clientFollowXForwardedForDone: indirect_client_addr=%s not trusted\n",
++			inet_ntoa(request->indirect_client_addr));
++    } else {
++	debug(33, 5) ("clientFollowXForwardedForDone: indirect_client_addr=%s nothing more to do\n",
++			inet_ntoa(request->indirect_client_addr));
++    }
++done:
++    /* clean up, and pass control to clientAccessCheck */
++    debug(33, 6) ("clientFollowXForwardedForDone: cleanup\n");
++    if (Config.onoff.log_uses_indirect_client) {
++	/*
++	 * Ensure that the access log shows the indirect client
++	 * instead of the direct client.
++	 */
++	ConnStateData *conn = http->conn;
++	conn->log_addr = request->indirect_client_addr;
++	conn->log_addr.s_addr &= Config.Addrs.client_netmask.s_addr;
++	debug(33, 3) ("clientFollowXForwardedForDone: setting log_addr=%s\n",
++			inet_ntoa(conn->log_addr));
++    }
++    stringClean(&request->x_forwarded_for_iterator);
++    request->flags.done_follow_x_forwarded_for = 1;
++    http->acl_checklist = NULL; /* XXX do we need to aclChecklistFree() ? */
++    clientAccessCheck(http);
++}
++#endif /* FOLLOW_X_FORWARDED_FOR */
++
+ void
+ clientAccessCheck(void *data)
+ {
+     clientHttpRequest *http = data;
++#if FOLLOW_X_FORWARDED_FOR
++    if (! http->request->flags.done_follow_x_forwarded_for
++        && httpHeaderHas(&http->request->header, HDR_X_FORWARDED_FOR))
++    {
++	/*
++	 * There's an X-ForwardedFor header and we haven't yet tried
++	 * to follow it to find the indirect_client_addr.  Follow it now.
++	 * clientFollowXForwardedForDone() will eventually pass control
++	 * back to us.
++	 *
++	 * XXX perhaps our caller should have called
++	 *     clientFollowXForwardedForStart instead.  Then we wouldn't
++	 *     need to do this little dance transferring control over
++	 *     there and then back here, and we wouldn't need the
++	 *     done_follow_x_forwarded_for flag.
++	 */
++	clientFollowXForwardedForStart(data);
++	return;
++    }
++#endif /* FOLLOW_X_FORWARDED_FOR */
+     if (checkAccelOnly(http)) {
+ 	/* deny proxy requests in accel_only mode */
+ 	debug(33, 1) ("clientAccessCheck: proxy request denied in accel_only mode\n");
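Review bot: In clientFollowXForwardedForDone() the element bitten off the header is validated only with inet_aton(asciiaddr, &addr), which accepts shorthand, hexadecimal and octal spellings as well as dotted quads, so a value that does not look like an address in the header can still become indirect_client_addr and then be used for ACL matching and logging. A strict dotted-quad check before the assignment would be safer. The Next/Done cycle also has no upper bound: it keeps running aclNBCheck() for as long as each element matches followXFF, so a cap on the number of hops followed would be a cheap safeguard. Finally, the XXX on http->acl_checklist = NULL ("do we need to aclChecklistFree() ?") should be answered before this goes in rather than left as a question in the code.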
+@@ -325,6 +499,9 @@
+ 	new_request->http_ver = old_request->http_ver;
+ 	httpHeaderAppend(&new_request->header, &old_request->header);
+ 	new_request->client_addr = old_request->client_addr;
++#if FOLLOW_X_FORWARDED_FOR
++	new_request->indirect_client_addr = old_request->indirect_client_addr;
++#endif /* FOLLOW_X_FORWARDED_FOR */
+ 	new_request->my_addr = old_request->my_addr;
+ 	new_request->my_port = old_request->my_port;
+ 	new_request->flags.redirected = 1;
+@@ -3051,6 +3228,9 @@
+ 	    safe_free(http->log_uri);
+ 	    http->log_uri = xstrdup(urlCanonicalClean(request));
+ 	    request->client_addr = conn->peer.sin_addr;
++#if FOLLOW_X_FORWARDED_FOR
++	    request->indirect_client_addr = request->client_addr;
++#endif /* FOLLOW_X_FORWARDED_FOR */
+ 	    request->my_addr = conn->me.sin_addr;
+ 	    request->my_port = ntohs(conn->me.sin_port);
+ 	    request->http_ver = http->http_ver;
+Index: src/delay_pools.c
+--- src/delay_pools.c	19 Jun 2003 02:13:57 -0000	1.5.54.6
++++ src/delay_pools.c	23 Nov 2003 14:20:23 -0000
+@@ -318,6 +318,11 @@
+     r = http->request;
+ 
+     memset(&ch, '\0', sizeof(ch));
++#if FOLLOW_X_FORWARDED_FOR
++    if (Config.onoff.delay_pool_uses_indirect_client) {
++	ch.src_addr = r->indirect_client_addr;
++    } else
++#endif /* FOLLOW_X_FORWARDED_FOR */
+     ch.src_addr = r->client_addr;
+     ch.my_addr = r->my_addr;
+     ch.my_port = r->my_port;
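Review bot: The if/else here straddles the #endif, so the existing line ch.src_addr = r->client_addr; is the else branch when FOLLOW_X_FORWARDED_FOR is set and a plain statement otherwise. That works, but it is fragile: any statement later inserted between the #endif and that assignment silently becomes the else body. Assigning ch.src_addr = r->client_addr unconditionally first and then overriding it inside the #if block when delay_pool_uses_indirect_client is set gives the same result without the dangling else.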
+Index: src/structs.h
+*** src/structs.h.orig	Thu Feb 26 20:32:47 2004
+--- src/structs.h	Thu Feb 26 20:34:51 2004
+***************
+*** 594,599 ****
+--- 594,604 ----
+  	int pipeline_prefetch;
+  	int request_entities;
+  	int detect_broken_server_pconns;
++ #if FOLLOW_X_FORWARDED_FOR
++ 	int acl_uses_indirect_client;
++ 	int delay_pool_uses_indirect_client;
++ 	int log_uses_indirect_client;
++ #endif /* FOLLOW_X_FORWARDED_FOR */
+      } onoff;
+      acl *aclList;
+      struct {
+***************
+*** 615,620 ****
+--- 620,628 ----
+  	acl_access *reply;
+  	acl_address *outgoing_address;
+  	acl_tos *outgoing_tos;
++ #if FOLLOW_X_FORWARDED_FOR
++ 	acl_access *followXFF;
++ #endif /* FOLLOW_X_FORWARDED_FOR */
+      } accessList;
+      acl_deny_info_list *denyInfoList;
+      struct _authConfig {
+***************
+*** 1611,1616 ****
+--- 1619,1629 ----
+      unsigned int internal:1;
+      unsigned int body_sent:1;
+      unsigned int reset_tcp:1;
++ #if FOLLOW_X_FORWARDED_FOR
++     /* XXX this flag could be eliminated;
++      * see comments in clientAccessCheck */
++     unsigned int done_follow_x_forwarded_for;
++ #endif /* FOLLOW_X_FORWARDED_FOR */
+  };
+  
+  struct _link_list {
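Review bot: done_follow_x_forwarded_for is declared as a full unsigned int while the neighbouring flags in the same struct (internal, body_sent, reset_tcp) are all one-bit fields. It is only ever set to 1 and tested for non-zero, so it should be declared unsigned int done_follow_x_forwarded_for:1; to match the rest of the flags struct and not grow it by a whole word.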
+***************
+*** 1657,1662 ****
+--- 1670,1678 ----
+      int max_forwards;
+      /* these in_addr's could probably be sockaddr_in's */
+      struct in_addr client_addr;
++ #if FOLLOW_X_FORWARDED_FOR
++     struct in_addr indirect_client_addr; /* after following X-Forwarded-For */
++ #endif /* FOLLOW_X_FORWARDED_FOR */
+      struct in_addr my_addr;
+      unsigned short my_port;
+      HttpHeader header;
+***************
+*** 1667,1672 ****
+--- 1683,1693 ----
+      char *peer_login;		/* Configured peer login:password */
+      time_t lastmod;		/* Used on refreshes */
+      const char *vary_headers;	/* Used when varying entities are detected. Changes how the store key is calculated */
++ #if FOLLOW_X_FORWARDED_FOR
++     /* XXX a list of IP addresses would be a better data structure
++      * than this String */
++     String x_forwarded_for_iterator;
++ #endif /* FOLLOW_X_FORWARDED_FOR */
+  };
+  
+  struct _cachemgr_passwd {
Index: projekte/FreeBSD/ports/www/squid/files/follow_xff-configure.patch
diff -u /dev/null projekte/FreeBSD/ports/www/squid/files/follow_xff-configure.patch:1.1.2.1
--- /dev/null	Tue Mar  2 19:03:29 2004
+++ projekte/FreeBSD/ports/www/squid/files/follow_xff-configure.patch	Tue Mar  2 17:56:19 2004
@@ -0,0 +1,52 @@
+!Patch configure directly to enable testing for the
+!--enable-follow-x-forwarding-for configuration option
+!instead of running configure.in through autoconf as in the
+!original follow-XFF patchset from devel.squid-cache.org.
+!Beware that all line number informations in configure.log greater
+!than 2972 are offset by -29 (correcting all line numbers would have
+!bloated the patch by 92kB!)
+--- configure.orig	Tue Mar  2 10:18:14 2004
++++ configure	Tue Mar  2 10:18:56 2004
+@@ -222,6 +222,12 @@
+                           variance within an accelerator setup.
+                           Typically used together with other code
+                           that adds custom HTTP headers to the requests."
++ac_help="$ac_help
++  --enable-follow-x-forwarded-for
++                          Enable support for following the X-Forwarded-For
++                          HTTP header to try to find the IP address of the
++                          original or indirect client when a request has
++                          been forwarded through other proxies."
+ 
+ # Initialize some variables set by options.
+ # The variables have the same names as the options, with
+@@ -2966,6 +2972,29 @@
+ fi
+ 
+ 
++follow_xff=1
++# Check whether --enable-follow-x-forwarded-for or --disable-follow-x-forwarded-for was given.
++if test "${enable_follow_x_forwarded_for+set}" = set; then
++  enableval="$enable_follow_x_forwarded_for"
++   if test "$enableval" = "yes" ; then
++    echo "follow X-Forwarded-For enabled"
++    follow_xff=1
++  fi
++
++fi
++
++if test $follow_xff = 1; then
++    cat >> confdefs.h <<\EOF
++#define FOLLOW_X_FORWARDED_FOR 1
++EOF
++
++else
++    cat >> confdefs.h <<\EOF
++#define FOLLOW_X_FORWARDED_FOR 0
++EOF
++
++fi
++
+ # Force some compilers to use ANSI features
+ #
+ case "$host" in
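Review bot: follow_xff is initialised to 1 and the option test only ever sets it to 1 again when enableval is "yes", so --disable-follow-x-forwarded-for has no effect and the else branch that defines FOLLOW_X_FORWARDED_FOR as 0 is unreachable. Either start from follow_xff=0, or add a branch that sets follow_xff=0 when enableval is "no"; as written the feature is compiled in unconditionally once this patch is applied. The preamble also names the option --enable-follow-x-forwarding-for, while the help text and the test use --enable-follow-x-forwarded-for; the comment should match.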
Index: projekte/FreeBSD/ports/www/squid/files/patch-configure
diff -u /dev/null projekte/FreeBSD/ports/www/squid/files/patch-configure:1.1.2.1
--- /dev/null	Tue Mar  2 19:03:29 2004
+++ projekte/FreeBSD/ports/www/squid/files/patch-configure	Tue Mar  2 17:56:20 2004
@@ -0,0 +1,11 @@
+--- configure.orig	Tue Mar  2 11:29:57 2004
++++ configure	Tue Mar  2 11:30:34 2004
+@@ -2236,6 +2236,8 @@
+ 	    ;;
+ 	*-solaris-*)
+ 	    ;;
++	*-freebsd*)
++	    ;;
+ 	*)
+ 	    echo "WARNING: ARP ACL support probably won't work on $host."
+ 	    sleep 10
Index: projekte/FreeBSD/ports/www/squid/files/patch-helpers-basic_auth-SMB-smb_auth.sh
diff -u /dev/null projekte/FreeBSD/ports/www/squid/files/patch-helpers-basic_auth-SMB-smb_auth.sh:1.1.2.1
--- /dev/null	Tue Mar  2 19:03:29 2004
+++ projekte/FreeBSD/ports/www/squid/files/patch-helpers-basic_auth-SMB-smb_auth.sh	Sat Feb 28 17:13:02 2004
@@ -0,0 +1,13 @@
+*** helpers/basic_auth/SMB/smb_auth.sh.orig	Thu Feb 26 20:58:22 2004
+--- helpers/basic_auth/SMB/smb_auth.sh	Thu Feb 26 20:59:45 2004
+***************
+*** 17,22 ****
+--- 17,24 ----
+  # along with this program; if not, write to the Free Software
+  # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+  
++ SAMBAPREFIX=${SAMBAPREFIX:-/usr/local/bin}
++ 
+  read DOMAINNAME
+  read PASSTHROUGH
+  read NMBADDR
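Review bot: The default in SAMBAPREFIX=${SAMBAPREFIX:-/usr/local/bin} is a bin directory although the variable is named as a prefix, and /usr/local is hard-coded, so the helper looks in the wrong place on a system with a non-default LOCALBASE. Please check how the rest of smb_auth.sh builds its command paths from SAMBAPREFIX, substitute the port's LOCALBASE at build time instead of the literal path, and note in a comment that the value is taken from the environment of the authentication helper when set.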
Index: projekte/FreeBSD/ports/www/squid/files/squid.sh
diff -u projekte/FreeBSD/ports/www/squid/files/squid.sh:1.4 projekte/FreeBSD/ports/www/squid/files/squid.sh:1.3.2.2
--- projekte/FreeBSD/ports/www/squid/files/squid.sh:1.4	Sat Jan 17 15:37:48 2004
+++ projekte/FreeBSD/ports/www/squid/files/squid.sh	Sat Feb 28 16:42:06 2004
@@ -8,15 +8,13 @@
 # KEYWORD: FreeBSD
 # 
 # Note:
-# If you are running an rcNG-System (i.e. FreeBSD 5 and later or after
-# having installed the rc_subr-port on an earlier system) you must set
+# If you are running an rcNG-System (i.e. FreeBSD 5 and later) you need to set
 # "squid_enable=YES" in either /etc/rc.conf, /etc/rc.conf.local or
 # /etc/rc.conf.d/squid to make this script actually do something. There
 # you can also set squid_chdir, squid_user, and squid_flags.
 #
 # Please see squid(8), rc.conf(5) and rc(8) for further details.
 
-unset rcNG
 name="squid"
 command=%%PREFIX%%/sbin/squid
 extra_commands=reload
@@ -28,26 +26,22 @@
 default_config=%%PREFIX%%/etc/squid/squid.conf
 
 if [ -f /etc/rc.subr ]; then
-	. /etc/rc.subr && rcNG=yes
-else
-	if [ -f %%PREFIX%%/etc/rc.subr ]; then
-		. %%PREFIX%%/etc/rc.subr && rcNG=yes
-	fi
-fi
-
-if [ "${rcNG}" ]; then
+	# make use of rcNG features:
+	. /etc/rc.subr
 	rcvar=`set_rcvar`
 	load_rc_config ${name}
-	# check that squid's default configuration is present when
-	# squid_flags is not set. We assume that you specify at
-	# least the path to your non-default configuration with
-	# '-f /path/to/config.file' in squid_flags if you delete this file.
+	# squid(8) will not start if ${default_config} is not present so try
+	# to catch that beforehand via ${required_files} rather than make
+	# squid(8) crash.
+	# If you remove the default configuration file make sure to add
+	# '-f /path/to/your/squid.conf' to squid_flags
 	if [ -z "${squid_flags}" ]; then
 		required_files=${default_config}
 	fi
 	required_dirs=${squid_chdir}
 	run_rc_command "$1"
 else
+	# implement the startup using the "old style" for non-rcNG-systems:
 	case $1 in
 	start)
 		if [ -x "${command}" -a \

>Release-Note:
>Audit-Trail:
>Unformatted:


