From owner-freebsd-ports-bugs@FreeBSD.ORG Wed Mar 10 10:50:20 2004
Return-Path:
Delivered-To: freebsd-ports-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F376F16A4D7 for ; Wed, 10 Mar 2004 10:50:19 -0800 (PST)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id F3AC543D60 for ; Wed, 10 Mar 2004 10:50:18 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) i2AIoIbv020913 for ; Wed, 10 Mar 2004 10:50:18 -0800 (PST) (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.12.10/8.12.10/Submit) id i2AIoIKu020912; Wed, 10 Mar 2004 10:50:18 -0800 (PST) (envelope-from gnats)
Resent-Date: Wed, 10 Mar 2004 10:50:18 -0800 (PST)
Resent-Message-Id: <200403101850.i2AIoIKu020912@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Thomas-Martin Seck
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 311C716A4CE for ; Wed, 10 Mar 2004 10:49:34 -0800 (PST)
Received: from smtp2.netcologne.de (smtp2.netcologne.de [194.8.194.218]) by mx1.FreeBSD.org (Postfix) with ESMTP id 312FF43D1F for ; Wed, 10 Mar 2004 10:49:33 -0800 (PST) (envelope-from thomas@laurel.tmseck.homedns.org)
Received: from laurel.tmseck.homedns.org (xdsl-213-168-109-223.netcologne.de [213.168.109.223]) by smtp2.netcologne.de (Postfix) with SMTP id AF00539E2A for ; Wed, 10 Mar 2004 19:49:27 +0100 (MET)
Received: (qmail 1619 invoked by uid 1001); 10 Mar 2004 18:49:07 -0000
Message-Id: <20040310184907.1618.qmail@laurel.tmseck.homedns.org>
Date: 10 Mar 2004 18:49:07 -0000
From: Thomas-Martin Seck
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: ports/64061: [Maintainer] www/squid: update to 2.5.STABLE5+patches
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Thomas-Martin Seck
List-Id: Ports bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 10 Mar 2004 18:50:20 -0000

>Number:         64061
>Category:       ports
>Synopsis:       [Maintainer] www/squid: update to 2.5.STABLE5+patches
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 10 10:50:18 PST 2004
>Closed-Date:
>Last-Modified:
>Originator:     Thomas-Martin Seck
>Release:        FreeBSD 4.9-STABLE i386
>Organization:
private site in Germany
>Environment:
FreeBSD ports collection as of March 10, 2004.
>Description:
This PR supersedes PR 63651, which can be closed.

- update to squid-2.5.STABLE5, including the two vendor patches issued so far
- provide more OPTIONS, including (untested) support for pf(4)
- integrate the follow-XFF patch from devel.squid-cache.org (submitted by Michael Ranner); this should improve interaction with dansguardian
- use id 100 for the squid pseudo user instead of choosing the first free id greater than 3127, a behaviour introduced with PORTVERSION 2.5.4_6.
Provide a 'changeuser' target to make migration from a high id to id 100 possible (requested by Kris Kennaway)
- don't let the port CONFLICT with itself (criticized by Oliver Eikemeier)
- provide rcNG support in squid.sh only on systems with /etc/rc.subr

Information for committers:

Please 'cvs add' these files:
files/follow_xff-2.5.patch
files/follow_xff-configure.patch
files/patch-configure
files/patch-helpers-basic_auth-SMB-smb_auth.sh

Please document in the Porter's Handbook that squid claims id 100:100
>How-To-Repeat:
>Fix:
Apply this patch:

Index: projekte/FreeBSD/ports/www/squid/Makefile diff -u projekte/FreeBSD/ports/www/squid/Makefile:1.10 projekte/FreeBSD/ports/www/squid/Makefile:1.5.2.32 --- projekte/FreeBSD/ports/www/squid/Makefile:1.10 Sat Feb 28 17:16:26 2004 +++ projekte/FreeBSD/ports/www/squid/Makefile Wed Mar 10 19:20:39 2004 @@ -7,11 +7,17 @@ # Tunables not (yet) configurable via 'make config': # SQUID_{U,G}ID # Which user/group squid should run as (default: squid/squid). -# The user and group will be created if they do not already exist. +# The user and group will be created if they do not already exist using +# a uid:gid of 100:100. # NOTE: before version 2.5.4_6, these settings defaulted to # nobody/nogroup. # If you wish to keep these settings, please define SQUID_UID=nobody and # SQUID_GID=nogroup in your make environment before you start the update. +# NOTE2: +# Before version 2.5.4_11 the numerical id chosen for SQUID_UID (and +# SQUID_GID respectively) was the first free id greater than or equal 3128. +# If you wish to move your squid user to id 100:100, run "make changeuser", +# please see the changeuser target's definition for further information. # SQUID_LANGUAGES # A list of languages for which error page files should be installed # (default: all)
@@ -22,8 +28,7 @@ # Additional configuration options, see below for a list PORTNAME= squid -PORTVERSION= 2.5.4 -PORTREVISION= 10 +PORTVERSION= 2.5.5 CATEGORIES= www MASTER_SITES= \ ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \ 
@@ -32,68 +37,18 @@ ftp://ftp.leo.org/pub/comp/general/infosys/www/servers/squid/%SUBDIR%/ \ ${MASTER_SITE_RINGSERVER:S,%SUBDIR%,net/www/squid/&,} MASTER_SITE_SUBDIR= squid-2/STABLE -DISTNAME= squid-2.5.STABLE4 +DISTNAME= squid-2.5.STABLE5 DIST_SUBDIR= squid2.5 PATCH_SITES= http://www.squid-cache.org/Versions/v2/2.5/bugs/ -PATCHFILES= squid-2.5.STABLE4-reconfigure_message.patch \ - squid-2.5.STABLE4-digest_auth_pwchange.patch \ - squid-2.5.STABLE4-redirect_login_space.patch \ - squid-2.5.STABLE4-fqdnnegcache.patch \ - pam_auth-2.2.patch \ - squid-2.5.STABLE4_auth_param_doc.patch \ - squid-2.5.STABLE4-errorpages.patch \ - squid-2.5.STABLE4-error_load_text.patch \ - squid-2.5.STABLE4-xpi_mime.patch \ - squid-2.5.STABLE4-size_overflow.patch \ - squid-2.5.STABLE4-extacl_auth_loop.patch \ - squid-2.5.STABLE4-squid_ldap_group.patch \ - squid-2.5.STABLE4-positive_dns_ttl.patch \ - squid-2.5.STABLE4-gopherhtml.patch \ - squid-2.5.STABLE4-netroute.patch \ - squid-2.5.STABLE4-synflood.patch \ - squid-2.5.STABLE4-fqdn.patch \ - squid-2.5.STABLE4-connect_cleanup.patch \ - squid-2.5.STABLE4-pconn_post.patch \ - squid-2.5.STABLE4-ftp_put.patch \ - squid-2.5.STABLE4-pconn-load.patch \ - squid-2.5.STABLE4-icon_urls.patch \ - squid-2.5.STABLE4-redirector_access.patch \ - squid-2.5.STABLE4-pconn-lifo.patch \ - squid-2.5.STABLE4-cache_peer_maxconn.patch \ - squid-2.5.STABLE4-pid_filename_none.patch \ - squid-2.5.STABLE4-dns_namelength.patch \ - squid-2.5.STABLE4-urllogin_acl.patch \ - squid-2.5.STABLE4-russian.patch \ - squid-2.5.STABLE4-redirlog.patch \ - squid-2.5.STABLE4-pinger.patch \ - squid-2.5.STABLE4-partial_reload.patch \ - squid-2.5.STABLE4-ldap_tls.patch \ - squid-2.5.STABLE4-ldap_group_bufsize.patch \ - squid-2.5.STABLE4-http_workarounds.patch \ - squid-2.5.STABLE4-empty_proxy_auth.patch \ - squid-2.5.STABLE4-ftp_telnet.patch \ - squid-2.5.STABLE4-ntlm_auth_popups.patch \ - squid-2.5.STABLE4-ldap_group-S.patch \ - squid-2.5.STABLE4-ipcache_purge.patch \ - 
squid-2.5.STABLE4-cache_peer_access_ntlm.patch \ - squid-2.5.STABLE4-wbinfo_group.patch \ - squid-2.5.STABLE4-SMB_ntlm_auth.patch \ - squid-2.5.STABLE4-miss_access_internal.patch \ - squid-2.5.STABLE4-squidclient_auth.patch \ - squid-2.5.STABLE4-authfixes.patch \ - squid-2.5.STABLE4-arp-FreeBSD.patch \ - squid-2.5.STABLE4-deny_info_reply.patch \ - squid-2.5.STABLE4-authfixes2.patch \ - squid-2.5.STABLE4-reply_body_max_size.patch \ - squid-2.5.STABLE4-digest-abort.patch \ - squid-2.5.STABLE4-ntlm_auth_user_hash_pointer-leak.patch +PATCHFILES= squid-2.5.STABLE5-ntlm_assert.patch \ + squid-2.5.STABLE5-ldap.patch PATCH_DIST_STRIP= -p1 MAINTAINER= tmseck@netcologne.de COMMENT= The successful WWW proxy cache and accelerator -CONFLICTS= squid-* +CONFLICTS= squid-2.[^5] GNU_CONFIGURE= yes USE_BZIP2= yes USE_PERL5= yes @@ -120,10 +75,16 @@ SQUID_CACHE_DIGESTS "Enable cache digests" off \ SQUID_WCCP "Enable Web Cache Coordination Protocol" on \ SQUID_UNDERSCORES "Allow underscores in hostnames" on \ + SQUID_CHECK_HOSTNAME "Do hostname checking" on \ SQUID_STRICT_HTTP "Be strictly HTTP compliant" off \ SQUID_IDENT "Enable ident (RFC 931) lookups" on \ SQUID_USERAGENT_LOG "Enable User-Agent-header logging" off \ - SQUID_ARP_ACL "Enable ACLs based on ethernet address" off + SQUID_ARP_ACL "Enable ACLs based on ethernet address" off \ + SQUID_PF "Enable transp. proxy support using PF" off \ + SQUID_FOLLOW_XFF "Follow X-Forwarded-For headers" off \ + SQUID_AUFS "Enable the aufs store type" off \ + SQUID_COSS "Enable the COSS store type" off \ + SQUID_STACKTRACES "Create backtraces on fatal errors" off PLIST_FILES= etc/rc.d/squid.sh etc/squid/mib.txt etc/squid/mime.conf.default \ etc/squid/msntauth.conf.default etc/squid/squid.conf.default \ 
@@ -133,8 +94,7 @@ --datadir=${PREFIX}/etc/squid \ --libexecdir=${PREFIX}/libexec/squid \ --localstatedir=${PREFIX}/squid \ - --enable-storeio="ufs diskd null" \ - --enable-removal-policies="lru heap" \ + --enable-removal-policies="lru heap" .include @@ -157,6 +117,20 @@ --enable-external-acl-helpers="${external_acl}" \ --enable-ntlm-auth-helpers="SMB winbind" +# Selection of store types: + +store_types= ufs diskd null +.if defined(WITH_SQUID_AUFS) +store_types+= aufs +# Nil aufs threads is default, set any other value via SQUID_CONFIGURE_ARGS +CONFIGURE_ARGS+= --enable-async-io --with-pthreads +.endif +.if defined(WITH_SQUID_COSS) +store_types+= coss +CONFIGURE_ARGS+= --with-aio +.endif +CONFIGURE_ARGS+= --enable-storeio="${store_types}" + # Other options set via 'make config': .if defined(WITH_SQUID_DELAY_POOLS) @@ -192,6 +166,9 @@ .if defined(WITH_SQUID_UNDERSCORES) CONFIGURE_ARGS+= --enable-underscores .endif +.if defined(WITHOUT_SQUID_CHECK_HOSTNAME) +CONFIGURE_ARGS+= --disable-hostname-checks +.endif .if defined(WITH_SQUID_STRICT_HTTP) CONFIGURE_ARGS+= --disable-http-violations .endif @@ -204,6 +181,24 @@ .if defined(WITH_SQUID_ARP_ACL) CONFIGURE_ARGS+= --enable-arp-acl .endif +.if defined(WITH_SQUID_PF) +.if ${OSVERSION} >= 502106 +# This will work only systems where PF is part of the base system for now. +# If someone is eager to teach autoconf to pick up the pf port +# on 5.[0-2] systems instead, go on, I will integrate your patch. +CONFIGURE_ARGS+= --enable-pf-transparent +.else +.error WITH_SQUID_PF only works on systems where pf is part of the base system. +.endif +.endif +.if defined(WITH_SQUID_FOLLOW_XFF) +EXTRA_PATCHES+= ${PATCHDIR}/follow_xff-2.5.patch \ + ${PATCHDIR}/follow_xff-configure.patch +CONFIGURE_ARGS+= --enable-follow-x-forwarded-for +.endif +.if defined(WITH_SQUID_STACKTRACES) +CONFIGURE_ARGS+= --enable-stacktraces +.endif # Languages: # 
@@ -235,16 +230,12 @@ # Set an explicit hostname in cachemgr.cgi # --enable-truncate # Use truncate() rather than unlink() -# --disable-hostname-checks -# Squid by default rejects any host names with odd characters in their name -# to conform with internet standards. If you disagree with this you may use -# this switch to turn off any such checks, provided that the resolver used by -# Squid does not reject such host names. This may be required to participate -# in testbeds for international domain names. # --disable-unlinkd # Do not use "unlinkd" -# --enable-stacktraces -# Enable automatic call backtrace on fatal errors +# --with-aufs-threads=N_THREADS +# Tune the number of worker threads for the aufs object +# --with-coss-membuf-size +# COSS membuf size (default: 1048576 bytes) # # This option does not yet work on FreeBSD: # @@ -260,15 +251,15 @@ post-patch: @${REINPLACE_CMD} -e 's|-lpthread|${PTHREAD_LIBS}|g' ${WRKSRC}/configure @${REINPLACE_CMD} -e 's|/etc|${PREFIX}/etc|g' ${WRKSRC}/doc/squid.8 -# Prevent installation of .orig files by deleting them. - @${FIND} ${WRKSRC} -name '*.bak' -delete - @${FIND} ${WRKSRC} -name '*.orig' -delete pre-configure: @${REINPLACE_CMD} -e 's|%%SQUID_UID%%|${SQUID_UID}|g' \ -e 's|%%SQUID_GID%%|${SQUID_GID}|g' ${WRKSRC}/src/cf.data.pre pre-install: +# Prevent installation of .orig files by deleting them. + @${FIND} ${WRKSRC} -name '*.bak' -delete + @${FIND} ${WRKSRC} -name '*.orig' -delete @${SED} -e 's|%%PREFIX%%|${PREFIX}|g' \ -e 's|%%SQUID_UID%%|${SQUID_UID}|g' ${FILESDIR}/squid.sh \ >${WRKDIR}/squid.sh 
@@ -287,14 +278,8 @@ @${MKDIR} ${DOCSDIR} cd ${WRKSRC} && ${INSTALL_DATA} ${docs} ${DOCSDIR} .endif - -# Work around the fact that the errorpages.patch creates files in -# an "Attic" subdir: -.if exists(${PREFIX}/etc/squid/errors/Lithuanian) - @${FIND} ${WRKSRC}/errors/Lithuanian/Attic -type f \ - -exec ${INSTALL_DATA} {} ${PREFIX}/etc/squid/errors/Lithuanian/ \; -.endif - @${SETENV} PKG_PREFIX=${PREFIX} ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL + @${SETENV} PKG_PREFIX=${PREFIX} \ + ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL # Create package list: @cd ${PREFIX} && ${FIND} libexec/squid -type f -o -type l | ${SORT} \ >>${TMPPLIST} 
@@ -308,5 +293,51 @@ @${ECHO_CMD} "@dirrm etc/squid/errors/${d}" >>${TMPPLIST} .endfor @${ECHO_CMD} "@dirrm etc/squid/errors" >>${TMPPLIST} + +changeuser: +# Recover from the problem that earlier versions of this port created the +# squid pseudo-user with an id greater than 999 which is not allowed in +# FreeBSD's ports system. The port now uses id 100:100. +# NOTE: +# This target assumes that SQUID_GID is the primary group of SQUID_UID. If you +# have a different setup, do not run this target! +.if ${SQUID_UID:L} == nobody + @${ECHO_CMD} "'nobody' is a system user, you do not need to execute"; \ + ${ECHO_CMD} "this target!" + exit 1 +.endif + @if [ `id -u` -ne 0 ]; \ + then ${ECHO_CMD} "Sorry, you must be root to use this target."; exit 1; fi; \ + current_uid=`id -u ${SQUID_UID}`; \ + current_gid=`pw groupshow ${SQUID_GID}|cut -f 3 -d :`; \ + ${ECHO_CMD} "I will remove this user:"; \ + id -P $${current_uid}; \ + ${ECHO_CMD} "and this group:"; \ + pw groupshow ${SQUID_GID}; \ + ${ECHO_CMD} "I will then re-create them with a user and group id of 100."; \ + ${ECHO_CMD} "Then all files and directories under ${PREFIX} and /var that"; \ + ${ECHO_CMD} "are owned by uid $${current_uid} will be chown(1)'ed."; \ + ${ECHO_CMD} "After that, all files and directories that were accessible"; \ + ${ECHO_CMD} "by group $${current_gid} will chgrp(1)'ed respectively."; \ + ${ECHO_CMD} "Note that this assumes group '${SQUID_GID}' to be the primary"; \ + ${ECHO_CMD} "group of user '${SQUID_UID}'. 
If you have a different setup"; \ + ${ECHO_CMD} "please abort this target now."; \ + read -p "Press RETURN to continue or CTRL-C to abort:" dummy ; \ + ${ECHO_CMD} "OK, here we go:"; \ + ${ECHO_CMD} "deleting user $${current_uid} and his primary group..."; \ + pw userdel -u $${current_uid}; \ + ${ECHO_CMD} "adding user ${SQUID_UID} with id 100..."; \ + pw groupadd -n ${SQUID_GID} -g 100; \ + pw useradd -n ${SQUID_UID} -u 100 -c "squid caching-proxy pseudo user" \ + -d ${PREFIX}/squid -s /sbin/nologin -h - ; \ + ${ECHO_CMD} "chown(1)'ing everything under ${PREFIX} from $${current_uid} to 100..."; \ + ${FIND} -H ${PREFIX} -user $${current_uid} -exec ${CHOWN} 100 {} \; ; \ + ${ECHO_CMD} "chgrp(1)'ing everything under ${PREFIX} from $${current_gid} to 100..."; \ + ${FIND} -H ${PREFIX} -group $${current_gid} -exec ${CHOWN} :100 {} \; ; \ + ${ECHO_CMD} "chown(1)'ing everything under /var from $${current_uid} to 100..."; \ + ${FIND} -H /var -user $${current_uid} -exec ${CHOWN} 100 {} \; ; \ + ${ECHO_CMD} "chgrp(1)'ing everything under /var from $${current_gid} to 100..."; \ + ${FIND} -H /var -group $${current_gid} -exec ${CHOWN} :100 {} \; ; \ + ${ECHO_CMD} "Finished." .include Index: projekte/FreeBSD/ports/www/squid/distinfo diff -u projekte/FreeBSD/ports/www/squid/distinfo:1.8 projekte/FreeBSD/ports/www/squid/distinfo:1.4.2.16 --- projekte/FreeBSD/ports/www/squid/distinfo:1.8 Sat Feb 28 17:16:27 2004 +++ projekte/FreeBSD/ports/www/squid/distinfo Fri Mar 5 18:32:24 2004 
@@ -1,106 +1,6 @@ -MD5 (squid2.5/squid-2.5.STABLE4.tar.bz2) = 9894a1fe855b0cccdc14fbf014060990 -SIZE (squid2.5/squid-2.5.STABLE4.tar.bz2) = 1036704 -MD5 (squid2.5/squid-2.5.STABLE4-reconfigure_message.patch) = a746143deab8b609730660916a297618 -SIZE (squid2.5/squid-2.5.STABLE4-reconfigure_message.patch) = 760 -MD5 (squid2.5/squid-2.5.STABLE4-digest_auth_pwchange.patch) = e5020f5b87a92c4d9621ce25403d691b -SIZE (squid2.5/squid-2.5.STABLE4-digest_auth_pwchange.patch) = 2694 -MD5 (squid2.5/squid-2.5.STABLE4-redirect_login_space.patch) = 2374ed6dae7ef57c009e2428284d6b65 -SIZE (squid2.5/squid-2.5.STABLE4-redirect_login_space.patch) = 619 -MD5 (squid2.5/squid-2.5.STABLE4-fqdnnegcache.patch) = ae1b7cce41ca403ebd7115d4506b0c25 -SIZE (squid2.5/squid-2.5.STABLE4-fqdnnegcache.patch) = 701 -MD5 (squid2.5/pam_auth-2.2.patch) = 3037a67d8f4b85cd7d51cb2dd5b4e8b8 -SIZE (squid2.5/pam_auth-2.2.patch) = 4878 -MD5 (squid2.5/squid-2.5.STABLE4_auth_param_doc.patch) = 3b35c424db58c71c541563cd5ae39d15 -SIZE (squid2.5/squid-2.5.STABLE4_auth_param_doc.patch) = 9068 -MD5 (squid2.5/squid-2.5.STABLE4-errorpages.patch) = df16c73a786ce0c59b1585ab6b745210 -SIZE (squid2.5/squid-2.5.STABLE4-errorpages.patch) = 49937 -MD5 (squid2.5/squid-2.5.STABLE4-error_load_text.patch) = 3935a3005d125f55cd78b228eba20647 -SIZE (squid2.5/squid-2.5.STABLE4-error_load_text.patch) = 571 -MD5 (squid2.5/squid-2.5.STABLE4-xpi_mime.patch) = 1143fb9244690a24450c3c9ce6105da4 -SIZE (squid2.5/squid-2.5.STABLE4-xpi_mime.patch) = 601 -MD5 (squid2.5/squid-2.5.STABLE4-size_overflow.patch) = 7cd2d6b1ebbd86aa143fa5a57156d6ce -SIZE (squid2.5/squid-2.5.STABLE4-size_overflow.patch) = 438 -MD5 (squid2.5/squid-2.5.STABLE4-extacl_auth_loop.patch) = de06bbc89f5408b7ab83733d894d4fe7 -SIZE (squid2.5/squid-2.5.STABLE4-extacl_auth_loop.patch) = 756 -MD5 (squid2.5/squid-2.5.STABLE4-squid_ldap_group.patch) = a5d0a8730aacf129401aabdfa61d60f7 -SIZE (squid2.5/squid-2.5.STABLE4-squid_ldap_group.patch) = 30490 -MD5 
(squid2.5/squid-2.5.STABLE4-positive_dns_ttl.patch) = 7fca4475d86acc7db242c261b08751d7 -SIZE (squid2.5/squid-2.5.STABLE4-positive_dns_ttl.patch) = 3409 -MD5 (squid2.5/squid-2.5.STABLE4-gopherhtml.patch) = 2c6c50a4a8f4d0d0017ab7c15bacfe26 -SIZE (squid2.5/squid-2.5.STABLE4-gopherhtml.patch) = 3382 -MD5 (squid2.5/squid-2.5.STABLE4-netroute.patch) = f83e66712f37f34a04571b31be6c2db8 -SIZE (squid2.5/squid-2.5.STABLE4-netroute.patch) = 592 -MD5 (squid2.5/squid-2.5.STABLE4-synflood.patch) = b92e7a56e87374ebf2eb50e044f07f6d -SIZE (squid2.5/squid-2.5.STABLE4-synflood.patch) = 12861 -MD5 (squid2.5/squid-2.5.STABLE4-fqdn.patch) = dbf2c020e3c3c52ae540d96a724fac87 -SIZE (squid2.5/squid-2.5.STABLE4-fqdn.patch) = 713 -MD5 (squid2.5/squid-2.5.STABLE4-connect_cleanup.patch) = ee0398f51a22ab2c82048c8935d6d11c -SIZE (squid2.5/squid-2.5.STABLE4-connect_cleanup.patch) = 32516 -MD5 (squid2.5/squid-2.5.STABLE4-pconn_post.patch) = 4a5b7ab04fe8b73906db441448534bbb -SIZE (squid2.5/squid-2.5.STABLE4-pconn_post.patch) = 1231 -MD5 (squid2.5/squid-2.5.STABLE4-ftp_put.patch) = d3b69c8e79c96c13005d6dbeb72e5c76 -SIZE (squid2.5/squid-2.5.STABLE4-ftp_put.patch) = 584 -MD5 (squid2.5/squid-2.5.STABLE4-pconn-load.patch) = a432f9eff9e0963b7338e41a91230d95 -SIZE (squid2.5/squid-2.5.STABLE4-pconn-load.patch) = 2397 -MD5 (squid2.5/squid-2.5.STABLE4-icon_urls.patch) = cf28143216b1364e56e820dddbb66dfc -SIZE (squid2.5/squid-2.5.STABLE4-icon_urls.patch) = 2399 -MD5 (squid2.5/squid-2.5.STABLE4-redirector_access.patch) = 9c534a3d58fe0e3545cd4ed9af92a0e8 -SIZE (squid2.5/squid-2.5.STABLE4-redirector_access.patch) = 3498 -MD5 (squid2.5/squid-2.5.STABLE4-pconn-lifo.patch) = f41051c248764749d9d9ca5704925da7 -SIZE (squid2.5/squid-2.5.STABLE4-pconn-lifo.patch) = 1350 -MD5 (squid2.5/squid-2.5.STABLE4-cache_peer_maxconn.patch) = efd99c5e2f526c08cb52d9af948c7b25 -SIZE (squid2.5/squid-2.5.STABLE4-cache_peer_maxconn.patch) = 3603 -MD5 (squid2.5/squid-2.5.STABLE4-pid_filename_none.patch) = 808bafa144b22c3cf6900759b30f39e6 
-SIZE (squid2.5/squid-2.5.STABLE4-pid_filename_none.patch) = 508 -MD5 (squid2.5/squid-2.5.STABLE4-dns_namelength.patch) = 290da300d02124be3971282d5b0a799d -SIZE (squid2.5/squid-2.5.STABLE4-dns_namelength.patch) = 603 -MD5 (squid2.5/squid-2.5.STABLE4-urllogin_acl.patch) = 5ad09d7d4bf105e699cfeb647a4836a3 -SIZE (squid2.5/squid-2.5.STABLE4-urllogin_acl.patch) = 3064 -MD5 (squid2.5/squid-2.5.STABLE4-russian.patch) = 5a4357bd56134fc6578c435314c1a835 -SIZE (squid2.5/squid-2.5.STABLE4-russian.patch) = 20731 -MD5 (squid2.5/squid-2.5.STABLE4-redirlog.patch) = 8a2cc15f2bde6fa263a9e40aae807f82 -SIZE (squid2.5/squid-2.5.STABLE4-redirlog.patch) = 762 -MD5 (squid2.5/squid-2.5.STABLE4-pinger.patch) = 0902849d051873aaf5f54584d0536bb5 -SIZE (squid2.5/squid-2.5.STABLE4-pinger.patch) = 738 -MD5 (squid2.5/squid-2.5.STABLE4-partial_reload.patch) = 6d8fa663f46ffc2272b7d18a0b6eea34 -SIZE (squid2.5/squid-2.5.STABLE4-partial_reload.patch) = 751 -MD5 (squid2.5/squid-2.5.STABLE4-ldap_tls.patch) = dcd6b4ec46e252833a54c4bfd155c284 -SIZE (squid2.5/squid-2.5.STABLE4-ldap_tls.patch) = 1853 -MD5 (squid2.5/squid-2.5.STABLE4-ldap_group_bufsize.patch) = e42207a45232ca739a64f2ac3901263c -SIZE (squid2.5/squid-2.5.STABLE4-ldap_group_bufsize.patch) = 762 -MD5 (squid2.5/squid-2.5.STABLE4-http_workarounds.patch) = 77d1a43dffa7aa97eb39b9178689e8df -SIZE (squid2.5/squid-2.5.STABLE4-http_workarounds.patch) = 12322 -MD5 (squid2.5/squid-2.5.STABLE4-empty_proxy_auth.patch) = ff55a2c7a718868ad245fd6de07018c9 -SIZE (squid2.5/squid-2.5.STABLE4-empty_proxy_auth.patch) = 2719 -MD5 (squid2.5/squid-2.5.STABLE4-ftp_telnet.patch) = 570ed0193201946fc10b42c0d96f7f48 -SIZE (squid2.5/squid-2.5.STABLE4-ftp_telnet.patch) = 3844 -MD5 (squid2.5/squid-2.5.STABLE4-ntlm_auth_popups.patch) = 922ef0774b855866b6daeb5df19bb4b3 -SIZE (squid2.5/squid-2.5.STABLE4-ntlm_auth_popups.patch) = 63653 -MD5 (squid2.5/squid-2.5.STABLE4-ldap_group-S.patch) = 35eb045971a1fe12b847e05862614aa6 -SIZE (squid2.5/squid-2.5.STABLE4-ldap_group-S.patch) = 
993 -MD5 (squid2.5/squid-2.5.STABLE4-ipcache_purge.patch) = d76b6163f0806494defe9cba37a2d708 -SIZE (squid2.5/squid-2.5.STABLE4-ipcache_purge.patch) = 1022 -MD5 (squid2.5/squid-2.5.STABLE4-cache_peer_access_ntlm.patch) = 94841c505d86a1ab310b817119079e3b -SIZE (squid2.5/squid-2.5.STABLE4-cache_peer_access_ntlm.patch) = 3378 -MD5 (squid2.5/squid-2.5.STABLE4-wbinfo_group.patch) = 4fff0be253f87fa538691497600daf70 -SIZE (squid2.5/squid-2.5.STABLE4-wbinfo_group.patch) = 1105 -MD5 (squid2.5/squid-2.5.STABLE4-SMB_ntlm_auth.patch) = 6ee610502b49c00914e2fe986f21db78 -SIZE (squid2.5/squid-2.5.STABLE4-SMB_ntlm_auth.patch) = 1924 -MD5 (squid2.5/squid-2.5.STABLE4-miss_access_internal.patch) = 8f4259401052ecae31fa3de4535a624f -SIZE (squid2.5/squid-2.5.STABLE4-miss_access_internal.patch) = 837 -MD5 (squid2.5/squid-2.5.STABLE4-squidclient_auth.patch) = eff31cbd54adad086d50e0ae7dbe2c6e -SIZE (squid2.5/squid-2.5.STABLE4-squidclient_auth.patch) = 1107 -MD5 (squid2.5/squid-2.5.STABLE4-authfixes.patch) = 139ab240c01acf6eeed7ead27f0ce387 -SIZE (squid2.5/squid-2.5.STABLE4-authfixes.patch) = 9401 -MD5 (squid2.5/squid-2.5.STABLE4-arp-FreeBSD.patch) = bad7a9a59071faf569734f022b35b28f -SIZE (squid2.5/squid-2.5.STABLE4-arp-FreeBSD.patch) = 3999 -MD5 (squid2.5/squid-2.5.STABLE4-deny_info_reply.patch) = 97a9af2a33ded35bcef989181318ac71 -SIZE (squid2.5/squid-2.5.STABLE4-deny_info_reply.patch) = 1951 -MD5 (squid2.5/squid-2.5.STABLE4-authfixes2.patch) = b1de702ac773133affa1393c48d04807 -SIZE (squid2.5/squid-2.5.STABLE4-authfixes2.patch) = 2222 -MD5 (squid2.5/squid-2.5.STABLE4-reply_body_max_size.patch) = 79beba0e5466279ffbdd4322a3579aeb -SIZE (squid2.5/squid-2.5.STABLE4-reply_body_max_size.patch) = 524 -MD5 (squid2.5/squid-2.5.STABLE4-digest-abort.patch) = a0cf9a5451b89bb6d8a8982a14791c15 -SIZE (squid2.5/squid-2.5.STABLE4-digest-abort.patch) = 946 -MD5 (squid2.5/squid-2.5.STABLE4-ntlm_auth_user_hash_pointer-leak.patch) = 8422d34ab797ae07727a5f2fdfe1a832 -SIZE 
(squid2.5/squid-2.5.STABLE4-ntlm_auth_user_hash_pointer-leak.patch) = 3277 +MD5 (squid2.5/squid-2.5.STABLE5.tar.bz2) = 45ed1b1cd492e3f529085d09c3ffc1b8 +SIZE (squid2.5/squid-2.5.STABLE5.tar.bz2) = 1044932 +MD5 (squid2.5/squid-2.5.STABLE5-ntlm_assert.patch) = 1bb2a8455a1e988c52b2ca3cf3fe0867 +SIZE (squid2.5/squid-2.5.STABLE5-ntlm_assert.patch) = 545 +MD5 (squid2.5/squid-2.5.STABLE5-ldap.patch) = 81bdcaf96390eab1655fd8d65cf607ed +SIZE (squid2.5/squid-2.5.STABLE5-ldap.patch) = 6245 Index: projekte/FreeBSD/ports/www/squid/pkg-install diff -u projekte/FreeBSD/ports/www/squid/pkg-install:1.4 projekte/FreeBSD/ports/www/squid/pkg-install:1.2.2.7 --- projekte/FreeBSD/ports/www/squid/pkg-install:1.4 Wed Feb 18 16:20:28 2004 +++ projekte/FreeBSD/ports/www/squid/pkg-install Fri Mar 5 18:32:24 2004 @@ -9,16 +9,19 @@ squid_confdir=${PKG_PREFIX:-/usr/local}/etc/squid squid_user=${SQUID_USER:=squid} squid_group=${SQUID_GROUP:=squid} -squid_gid=3128 -squid_uid=3128 - +squid_gid=100 +squid_uid=100 +# Try to catch the case where the $squid_user might have been created with an +# id greater than or equal 3128. The valid exception is "nobody". +nobody_uid=65534 +nobody_gid=65534 +squid_oldgid=3128 +squid_olduid=3128 +unset wrong_id case $2 in PRE-INSTALL) echo "===> Pre-installation configuration for ${pkgname}" if ! pw groupshow ${squid_group} -q >/dev/null ; then - while pw groupshow -g ${squid_gid} -q >/dev/null; do - squid_gid=`expr ${squid_gid} + 1` - done echo "There is no group '${squid_group}' on this system, so I will try to create it:" if ! pw groupadd ${squid_group} -g ${squid_gid} -q ; then echo "Failed to create group \"${squid_group}\"!" >&2 
@@ -29,12 +32,15 @@ fi else echo "I will use the existing group '${squid_group}':" + current_gid=`pw groupshow ${squid_group}|cut -f 3 -d :` + if [ ${current_gid} -ge ${squid_oldgid} \ + -a ${current_gid} -ne ${nobody_gid} ]; then + wrong_id=1 + fi fi pw groupshow ${squid_group} + if ! pw usershow ${squid_user} -q >/dev/null ; then - while pw usershow -u ${squid_uid} -q >/dev/null; do - squid_uid=`expr ${squid_uid} + 1` - done echo "There is no account '${squid_user}' on this system, so I will try to create it:" if ! pw useradd ${squid_user} -u ${squid_uid} -q \ -c "squid caching-proxy pseudo user" -g ${squid_group} \ 
@@ -47,8 +53,53 @@ fi else echo "I will use the existing user '${squid_user}':" + current_uid=`id -u ${squid_user}` + if [ ${current_uid} -ge ${squid_olduid} \ + -a ${current_uid} -ne ${nobody_uid} ]; + then + wrong_id=1 + fi fi pw usershow ${squid_user} + if [ "${wrong_id}" ]; then + echo "" + echo " * NOTICE *" + echo "" + echo "The squid pseudo-user's uid and/or gid have been found" + echo "to be greater than or equal 3128." + echo "" + echo "This is not a problem as such, but violates the FreeBSD" + echo "ports' principle that a ports must not claim a uid greater" + echo "than 999." + echo "" + echo "Since version 2.5.4_11, the squid user is thus created" + echo "with an id of ${squid_uid}:${squid_gid} while earlier versions of this" + echo "port used the first unused uid/gid greater than or" + echo "equal 3128." + echo "" + echo "If you want to change the existing squid user's id, run" + echo "'make changeuser' after the installation has completed." + echo "If you installed this port via a package, issue the" + echo "following commands as root:" + echo "" + echo "pw userdel -u ${current_uid}" + echo "pw groupadd -n ${squid_group} -g ${squid_gid}" + echo "pw useradd -n ${squid_user} -u ${squid_uid} \\" + echo " -c \"squid caching-proxy pseudo user\" \\" + echo " -g ${squid_group} -d ${squid_base} -s /sbin/nologin \\" + echo " -h -" + echo "find -H ${PKG_PREFIX} -user ${current_uid} -exec chown ${squid_user} {} \\;" + echo "find -H ${PKG_PREFIX} -group ${current_gid} -exec chgrp ${squid_group} {} \\;" + echo "" + echo "In case you have installed third party software for squid" + echo "like squidGuard, you should additionally run:" + echo "find -H /var -user ${current_uid} -exec chown ${squid_user} {} \\;" + echo "find -H /var -group ${current_gid} -exec chgrp ${squid_group} {} \\;" + echo "" + if [ -z "${PACKAGE_BUILDING}" -a -z "${BATCH}" ]; then + sleep 30 + fi + fi for dir in cache logs; do if [ ! 
-d ${squid_base}/${dir} ]; then echo "Creating ${squid_base}/${dir}..." Index: projekte/FreeBSD/ports/www/squid/files/follow_xff-2.5.patch diff -u /dev/null projekte/FreeBSD/ports/www/squid/files/follow_xff-2.5.patch:1.1.2.2 --- /dev/null Wed Mar 10 19:22:01 2004 +++ projekte/FreeBSD/ports/www/squid/files/follow_xff-2.5.patch Tue Mar 2 17:56:19 2004 
@@ -0,0 +1,412 @@ +! This is a reduced part of the original follow-XFF patchset from +! devel.squid-cache.org for use with the FreeBSD squid-2.5 port. +Index: src/acl.c +--- src/acl.c 13 May 2003 02:14:12 -0000 1.43.2.16 ++++ src/acl.c 23 Nov 2003 14:20:12 -0000 +@@ -2001,6 +2001,11 @@ + cbdataLock(A); + if (request != NULL) { + checklist->request = requestLink(request); ++#if FOLLOW_X_FORWARDED_FOR ++ if (Config.onoff.acl_uses_indirect_client) { ++ checklist->src_addr = request->indirect_client_addr; ++ } else ++#endif /* FOLLOW_X_FORWARDED_FOR */ + checklist->src_addr = request->client_addr; + checklist->my_addr = request->my_addr; + checklist->my_port = request->my_port; +Index: src/cf.data.pre +--- src/cf.data.pre 7 Nov 2003 03:14:30 -0000 1.49.2.46 ++++ src/cf.data.pre 23 Nov 2003 14:20:17 -0000 +@@ -2065,6 +2065,92 @@ + NOCOMMENT_END + DOC_END + ++NAME: follow_x_forwarded_for ++TYPE: acl_access ++IFDEF: FOLLOW_X_FORWARDED_FOR ++LOC: Config.accessList.followXFF ++DEFAULT: none ++DEFAULT_IF_NONE: deny all ++DOC_START ++ Allowing or Denying the X-Forwarded-For header to be followed to ++ find the original source of a request. ++ ++ Requests may pass through a chain of several other proxies ++ before reaching us. The X-Forwarded-For header will contain a ++ comma-separated list of the IP addresses in the chain, with the ++ rightmost address being the most recent. ++ ++ If a request reaches us from a source that is allowed by this ++ configuration item, then we consult the X-Forwarded-For header ++ to see where that host received the request from. If the ++ X-Forwarded-For header contains multiple addresses, and if ++ acl_uses_indirect_client is on, then we continue backtracking ++ until we reach an address for which we are not allowed to ++ follow the X-Forwarded-For header, or until we reach the first ++ address in the list. (If acl_uses_indirect_client is off, then ++ it's impossible to backtrack through more than one level of ++ X-Forwarded-For addresses.) 
++ ++ The end result of this process is an IP address that we will ++ refer to as the indirect client address. This address may ++ be treated as the client address for access control, delay ++ pools and logging, depending on the acl_uses_indirect_client, ++ delay_pool_uses_indirect_client and log_uses_indirect_client ++ options. ++ ++ SECURITY CONSIDERATIONS: ++ ++ Any host for which we follow the X-Forwarded-For header ++ can place incorrect information in the header, and Squid ++ will use the incorrect information as if it were the ++ source address of the request. This may enable remote ++ hosts to bypass any access control restrictions that are ++ based on the client's source addresses. ++ ++ For example: ++ ++ acl localhost src 127.0.0.1 ++ acl my_other_proxy srcdomain .proxy.example.com ++ follow_x_forwarded_for allow localhost ++ follow_x_forwarded_for allow my_other_proxy ++DOC_END ++ ++NAME: acl_uses_indirect_client ++COMMENT: on|off ++TYPE: onoff ++IFDEF: FOLLOW_X_FORWARDED_FOR ++DEFAULT: on ++LOC: Config.onoff.acl_uses_indirect_client ++DOC_START ++ Controls whether the indirect client address ++ (see follow_x_forwarded_for) is used instead of the ++ direct client address in acl matching. ++DOC_END ++ ++NAME: delay_pool_uses_indirect_client ++COMMENT: on|off ++TYPE: onoff ++IFDEF: FOLLOW_X_FORWARDED_FOR && DELAY_POOLS ++DEFAULT: on ++LOC: Config.onoff.delay_pool_uses_indirect_client ++DOC_START ++ Controls whether the indirect client address ++ (see follow_x_forwarded_for) is used instead of the ++ direct client address in delay pools. ++DOC_END ++ ++NAME: log_uses_indirect_client ++COMMENT: on|off ++TYPE: onoff ++IFDEF: FOLLOW_X_FORWARDED_FOR ++DEFAULT: on ++LOC: Config.onoff.log_uses_indirect_client ++DOC_START ++ Controls whether the indirect client address ++ (see follow_x_forwarded_for) is used instead of the ++ direct client address in the access log. 
++DOC_END ++ + NAME: http_access + TYPE: acl_access + LOC: Config.accessList.http +Index: src/client_side.c +--- src/client_side.c 2 Sep 2003 02:13:45 -0000 1.47.2.39 ++++ src/client_side.c 23 Nov 2003 14:20:22 -0000 +@@ -109,6 +109,11 @@ + #if USE_IDENT + static IDCB clientIdentDone; + #endif ++#if FOLLOW_X_FORWARDED_FOR ++static void clientFollowXForwardedForStart(void *data); ++static void clientFollowXForwardedForNext(void *data); ++static void clientFollowXForwardedForDone(int answer, void *data); ++#endif /* FOLLOW_X_FORWARDED_FOR */ + static int clientOnlyIfCached(clientHttpRequest * http); + static STCB clientSendMoreData; + static STCB clientCacheHit; +@@ -177,10 +182,179 @@ + return ch; + } + ++#if FOLLOW_X_FORWARDED_FOR ++/* ++ * clientFollowXForwardedForStart() copies the X-Forwarded-For ++ * header into x_forwarded_for_iterator and passes control to ++ * clientFollowXForwardedForNext(). ++ * ++ * clientFollowXForwardedForNext() checks the indirect_client_addr ++ * against the followXFF ACL and passes the result to ++ * clientFollowXForwardedForDone(). ++ * ++ * clientFollowXForwardedForDone() either grabs the next address ++ * from the tail of x_forwarded_for_iterator and loops back to ++ * clientFollowXForwardedForNext(), or cleans up and passes control to ++ * clientAccessCheck(). 
++ */ ++ ++static void ++clientFollowXForwardedForStart(void *data) ++{ ++ clientHttpRequest *http = data; ++ request_t *request = http->request; ++ if (Config.accessList.followXFF ++ && httpHeaderHas(&request->header, HDR_X_FORWARDED_FOR)) ++ { ++ request->x_forwarded_for_iterator = httpHeaderGetList( ++ &request->header, HDR_X_FORWARDED_FOR); ++ debug(33, 5) ("clientFollowXForwardedForStart: indirect_client_addr=%s XFF='%s'\n", ++ inet_ntoa(request->indirect_client_addr), ++ strBuf(request->x_forwarded_for_iterator)); ++ clientFollowXForwardedForNext(http); ++ } else { ++ /* not configured to follow X-Forwarded-For, or nothing to follow */ ++ debug(33, 5) ("clientFollowXForwardedForStart: nothing to do\n"); ++ clientFollowXForwardedForDone(-1, http); ++ } ++} ++ ++static void ++clientFollowXForwardedForNext(void *data) ++{ ++ clientHttpRequest *http = data; ++ request_t *request = http->request; ++ debug(33, 5) ("clientFollowXForwardedForNext: indirect_client_addr=%s XFF='%s'\n", ++ inet_ntoa(request->indirect_client_addr), ++ strBuf(request->x_forwarded_for_iterator)); ++ if (strLen(request->x_forwarded_for_iterator) != 0) { ++ /* check the acl to see whether to believe the X-Forwarded-For header */ ++ http->acl_checklist = clientAclChecklistCreate( ++ Config.accessList.followXFF, http); ++ aclNBCheck(http->acl_checklist, clientFollowXForwardedForDone, http); ++ } else { ++ /* nothing left to follow */ ++ debug(33, 5) ("clientFollowXForwardedForNext: nothing more to do\n"); ++ clientFollowXForwardedForDone(-1, http); ++ } ++} ++ ++static void ++clientFollowXForwardedForDone(int answer, void *data) ++{ ++ clientHttpRequest *http = data; ++ request_t *request = http->request; ++ /* ++ * answer should be be ACCESS_ALLOWED or ACCESS_DENIED if we are ++ * called as a result of ACL checks, or -1 if we are called when ++ * there's nothing left to do. 
++ */ ++ if (answer == ACCESS_ALLOWED) { ++ /* ++ * The IP address currently in request->indirect_client_addr ++ * is trusted to use X-Forwarded-For. Remove the last ++ * comma-delimited element from x_forwarded_for_iterator and use ++ * it to to replace indirect_client_addr, then repeat the cycle. ++ */ ++ const char *p; ++ const char *asciiaddr; ++ int l; ++ struct in_addr addr; ++ debug(33, 5) ("clientFollowXForwardedForDone: indirect_client_addr=%s is trusted\n", ++ inet_ntoa(request->indirect_client_addr)); ++ p = strBuf(request->x_forwarded_for_iterator); ++ l = strLen(request->x_forwarded_for_iterator); ++ ++ /* ++ * XXX x_forwarded_for_iterator should really be a list of ++ * IP addresses, but it's a String instead. We have to ++ * walk backwards through the String, biting off the last ++ * comma-delimited part each time. As long as the data is in ++ * a String, we should probably implement and use a variant of ++ * strListGetItem() that walks backwards instead of forwards ++ * through a comma-separated list. But we don't even do that; ++ * we just do the work in-line here. ++ */ ++ /* skip trailing space and commas */ ++ while (l > 0 && (p[l-1] == ',' || xisspace(p[l-1]))) ++ l--; ++ strCut(request->x_forwarded_for_iterator, l); ++ /* look for start of last item in list */ ++ while (l > 0 && ! (p[l-1] == ',' || xisspace(p[l-1]))) ++ l--; ++ asciiaddr = p+l; ++ if (inet_aton(asciiaddr, &addr) == 0) { ++ /* the address is not well formed; do not use it */ ++ debug(33, 3) ("clientFollowXForwardedForDone: malformed address '%s'\n", ++ asciiaddr); ++ goto done; ++ } ++ debug(33, 3) ("clientFollowXForwardedForDone: changing indirect_client_addr from %s to '%s'\n", ++ inet_ntoa(request->indirect_client_addr), ++ asciiaddr); ++ request->indirect_client_addr = addr; ++ strCut(request->x_forwarded_for_iterator, l); ++ if (! 
Config.onoff.acl_uses_indirect_client) { ++ /* ++ * If acl_uses_indirect_client is off, then it's impossible ++ * to follow more than one level of X-Forwarded-For. ++ */ ++ goto done; ++ } ++ clientFollowXForwardedForNext(http); ++ return; ++ } else if (answer == ACCESS_DENIED) { ++ debug(33, 5) ("clientFollowXForwardedForDone: indirect_client_addr=%s not trusted\n", ++ inet_ntoa(request->indirect_client_addr)); ++ } else { ++ debug(33, 5) ("clientFollowXForwardedForDone: indirect_client_addr=%s nothing more to do\n", ++ inet_ntoa(request->indirect_client_addr)); ++ } ++done: ++ /* clean up, and pass control to clientAccessCheck */ ++ debug(33, 6) ("clientFollowXForwardedForDone: cleanup\n"); ++ if (Config.onoff.log_uses_indirect_client) { ++ /* ++ * Ensure that the access log shows the indirect client ++ * instead of the direct client. ++ */ ++ ConnStateData *conn = http->conn; ++ conn->log_addr = request->indirect_client_addr; ++ conn->log_addr.s_addr &= Config.Addrs.client_netmask.s_addr; ++ debug(33, 3) ("clientFollowXForwardedForDone: setting log_addr=%s\n", ++ inet_ntoa(conn->log_addr)); ++ } ++ stringClean(&request->x_forwarded_for_iterator); ++ request->flags.done_follow_x_forwarded_for = 1; ++ http->acl_checklist = NULL; /* XXX do we need to aclChecklistFree() ? */ ++ clientAccessCheck(http); ++} ++#endif /* FOLLOW_X_FORWARDED_FOR */ ++ + void + clientAccessCheck(void *data) + { + clientHttpRequest *http = data; ++#if FOLLOW_X_FORWARDED_FOR ++ if (! http->request->flags.done_follow_x_forwarded_for ++ && httpHeaderHas(&http->request->header, HDR_X_FORWARDED_FOR)) ++ { ++ /* ++ * There's an X-ForwardedFor header and we haven't yet tried ++ * to follow it to find the indirect_client_addr. Follow it now. ++ * clientFollowXForwardedForDone() will eventually pass control ++ * back to us. ++ * ++ * XXX perhaps our caller should have called ++ * clientFollowXForwardedForStart instead. 
Then we wouldn't ++ * need to do this little dance transferring control over ++ * there and then back here, and we wouldn't need the ++ * done_follow_x_forwarded_for flag. ++ */ ++ clientFollowXForwardedForStart(data); ++ return; ++ } ++#endif /* FOLLOW_X_FORWARDED_FOR */ + if (checkAccelOnly(http)) { + /* deny proxy requests in accel_only mode */ + debug(33, 1) ("clientAccessCheck: proxy request denied in accel_only mode\n"); +@@ -325,6 +499,9 @@ + new_request->http_ver = old_request->http_ver; + httpHeaderAppend(&new_request->header, &old_request->header); + new_request->client_addr = old_request->client_addr; ++#if FOLLOW_X_FORWARDED_FOR ++ new_request->indirect_client_addr = old_request->indirect_client_addr; ++#endif /* FOLLOW_X_FORWARDED_FOR */ + new_request->my_addr = old_request->my_addr; + new_request->my_port = old_request->my_port; + new_request->flags.redirected = 1; +@@ -3051,6 +3228,9 @@ + safe_free(http->log_uri); + http->log_uri = xstrdup(urlCanonicalClean(request)); + request->client_addr = conn->peer.sin_addr; ++#if FOLLOW_X_FORWARDED_FOR ++ request->indirect_client_addr = request->client_addr; ++#endif /* FOLLOW_X_FORWARDED_FOR */ + request->my_addr = conn->me.sin_addr; + request->my_port = ntohs(conn->me.sin_port); + request->http_ver = http->http_ver; +Index: src/delay_pools.c +--- src/delay_pools.c 19 Jun 2003 02:13:57 -0000 1.5.54.6 ++++ src/delay_pools.c 23 Nov 2003 14:20:23 -0000 +@@ -318,6 +318,11 @@ + r = http->request; + + memset(&ch, '\0', sizeof(ch)); ++#if FOLLOW_X_FORWARDED_FOR ++ if (Config.onoff.delay_pool_uses_indirect_client) { ++ ch.src_addr = r->indirect_client_addr; ++ } else ++#endif /* FOLLOW_X_FORWARDED_FOR */ + ch.src_addr = r->client_addr; + ch.my_addr = r->my_addr; + ch.my_port = r->my_port; +Index: src/structs.h +*** src/structs.h.orig Thu Feb 26 20:32:47 2004 +--- src/structs.h Thu Feb 26 20:34:51 2004 +*************** +*** 594,599 **** +--- 594,604 ---- + int pipeline_prefetch; + int request_entities; + int 
detect_broken_server_pconns; ++ #if FOLLOW_X_FORWARDED_FOR ++ int acl_uses_indirect_client; ++ int delay_pool_uses_indirect_client; ++ int log_uses_indirect_client; ++ #endif /* FOLLOW_X_FORWARDED_FOR */ + } onoff; + acl *aclList; + struct { +*************** +*** 615,620 **** +--- 620,628 ---- + acl_access *reply; + acl_address *outgoing_address; + acl_tos *outgoing_tos; ++ #if FOLLOW_X_FORWARDED_FOR ++ acl_access *followXFF; ++ #endif /* FOLLOW_X_FORWARDED_FOR */ + } accessList; + acl_deny_info_list *denyInfoList; + struct _authConfig { +*************** +*** 1611,1616 **** +--- 1619,1629 ---- + unsigned int internal:1; + unsigned int body_sent:1; + unsigned int reset_tcp:1; ++ #if FOLLOW_X_FORWARDED_FOR ++ /* XXX this flag could be eliminated; ++ * see comments in clientAccessCheck */ ++ unsigned int done_follow_x_forwarded_for; ++ #endif /* FOLLOW_X_FORWARDED_FOR */ + }; + + struct _link_list { +*************** +*** 1657,1662 **** +--- 1670,1678 ---- + int max_forwards; + /* these in_addr's could probably be sockaddr_in's */ + struct in_addr client_addr; ++ #if FOLLOW_X_FORWARDED_FOR ++ struct in_addr indirect_client_addr; /* after following X-Forwarded-For */ ++ #endif /* FOLLOW_X_FORWARDED_FOR */ + struct in_addr my_addr; + unsigned short my_port; + HttpHeader header; +*************** +*** 1667,1672 **** +--- 1683,1693 ---- + char *peer_login; /* Configured peer login:password */ + time_t lastmod; /* Used on refreshes */ + const char *vary_headers; /* Used when varying entities are detected. Changes how the store key is calculated */ ++ #if FOLLOW_X_FORWARDED_FOR ++ /* XXX a list of IP addresses would be a better data structure ++ * than this String */ ++ String x_forwarded_for_iterator; ++ #endif /* FOLLOW_X_FORWARDED_FOR */ + }; + + struct _cachemgr_passwd { Index: projekte/FreeBSD/ports/www/squid/files/follow_xff-configure.patch diff -u /dev/null projekte/FreeBSD/ports/www/squid/files/follow_xff-configure.patch:1.1.2.1 
--- /dev/null Wed Mar 10 19:22:01 2004 +++ projekte/FreeBSD/ports/www/squid/files/follow_xff-configure.patch Tue Mar 2 17:56:19 2004 @@ -0,0 +1,52 @@ +!Patch configure directly to enable testing for the +!--enable-follow-x-forwarding-for configuration option +!instead of running configure.in through autoconf as in the +!original follow-XFF patchset from devel.squid-cache.org. +!Beware that all line number informations in configure.log greater +!than 2972 are offset by -29 (correcting all line numbers would have +!bloated the patch by 92kB!) +--- configure.orig Tue Mar 2 10:18:14 2004 ++++ configure Tue Mar 2 10:18:56 2004 +@@ -222,6 +222,12 @@ + variance within an accelerator setup. + Typically used together with other code + that adds custom HTTP headers to the requests." ++ac_help="$ac_help ++ --enable-follow-x-forwarded-for ++ Enable support for following the X-Forwarded-For ++ HTTP header to try to find the IP address of the ++ original or indirect client when a request has ++ been forwarded through other proxies." + + # Initialize some variables set by options. + # The variables have the same names as the options, with +@@ -2966,6 +2972,29 @@ + fi + + ++follow_xff=1 ++# Check whether --enable-follow-x-forwarded-for or --disable-follow-x-forwarded-for was given. ++if test "${enable_follow_x_forwarded_for+set}" = set; then ++ enableval="$enable_follow_x_forwarded_for" ++ if test "$enableval" = "yes" ; then ++ echo "follow X-Forwarded-For enabled" ++ follow_xff=1 ++ fi ++ ++fi ++ ++if test $follow_xff = 1; then ++ cat >> confdefs.h <<\EOF ++#define FOLLOW_X_FORWARDED_FOR 1 ++EOF ++ ++else ++ cat >> confdefs.h <<\EOF ++#define FOLLOW_X_FORWARDED_FOR 0 ++EOF ++ ++fi ++ + # Force some compilers to use ANSI features + # + case "$host" in Index: projekte/FreeBSD/ports/www/squid/files/patch-configure diff -u /dev/null projekte/FreeBSD/ports/www/squid/files/patch-configure:1.1.2.1 
--- /dev/null Wed Mar 10 19:22:01 2004 +++ projekte/FreeBSD/ports/www/squid/files/patch-configure Tue Mar 2 17:56:20 2004 @@ -0,0 +1,11 @@ +--- configure.orig Tue Mar 2 11:29:57 2004 ++++ configure Tue Mar 2 11:30:34 2004 +@@ -2236,6 +2236,8 @@ + ;; + *-solaris-*) + ;; ++ *-freebsd*) ++ ;; + *) + echo "WARNING: ARP ACL support probably won't work on $host." + sleep 10 Index: projekte/FreeBSD/ports/www/squid/files/patch-helpers-basic_auth-SMB-smb_auth.sh diff -u /dev/null projekte/FreeBSD/ports/www/squid/files/patch-helpers-basic_auth-SMB-smb_auth.sh:1.1.2.1 --- /dev/null Wed Mar 10 19:22:01 2004 +++ projekte/FreeBSD/ports/www/squid/files/patch-helpers-basic_auth-SMB-smb_auth.sh Sat Feb 28 17:13:02 2004 @@ -0,0 +1,13 @@ +*** helpers/basic_auth/SMB/smb_auth.sh.orig Thu Feb 26 20:58:22 2004 +--- helpers/basic_auth/SMB/smb_auth.sh Thu Feb 26 20:59:45 2004 +*************** +*** 17,22 **** +--- 17,24 ---- + # along with this program; if not, write to the Free Software + # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + ++ SAMBAPREFIX=${SAMBAPREFIX:-/usr/local/bin} ++ + read DOMAINNAME + read PASSTHROUGH + read NMBADDR Index: projekte/FreeBSD/ports/www/squid/files/squid.sh diff -u projekte/FreeBSD/ports/www/squid/files/squid.sh:1.4 projekte/FreeBSD/ports/www/squid/files/squid.sh:1.3.2.2 --- projekte/FreeBSD/ports/www/squid/files/squid.sh:1.4 Sat Jan 17 15:37:48 2004 +++ projekte/FreeBSD/ports/www/squid/files/squid.sh Sat Feb 28 16:42:06 2004 
@@ -8,15 +8,13 @@ # KEYWORD: FreeBSD # # Note: -# If you are running an rcNG-System (i.e. FreeBSD 5 and later or after -# having installed the rc_subr-port on an earlier system) you must set +# If you are running an rcNG-System (i.e. FreeBSD 5 and later) you need to set # "squid_enable=YES" in either /etc/rc.conf, /etc/rc.conf.local or # /etc/rc.conf.d/squid to make this script actually do something. There # you can also set squid_chdir, squid_user, and squid_flags. # # Please see squid(8), rc.conf(5) and rc(8) for further details. -unset rcNG name="squid" command=%%PREFIX%%/sbin/squid extra_commands=reload @@ -28,26 +26,22 @@ default_config=%%PREFIX%%/etc/squid/squid.conf if [ -f /etc/rc.subr ]; then - . /etc/rc.subr && rcNG=yes -else - if [ -f %%PREFIX%%/etc/rc.subr ]; then - . %%PREFIX%%/etc/rc.subr && rcNG=yes - fi -fi - -if [ "${rcNG}" ]; then + # make use of rcNG features: + . /etc/rc.subr rcvar=`set_rcvar` load_rc_config ${name} - # check that squid's default configuration is present when - # squid_flags is not set. We assume that you specify at - # least the path to your non-default configuration with - # '-f /path/to/config.file' in squid_flags if you delete this file. + # squid(8) will not start if ${default_config} is not present so try + # to catch that beforehand via ${required_files} rather than make + # squid(8) crash. + # If you remove the default configuration file make sure to add + # '-f /path/to/your/squid.conf' to squid_flags if [ -z "${squid_flags}" ]; then required_files=${default_config} fi required_dirs=${squid_chdir} run_rc_command "$1" else + # implement the startup using the "old style" for non-rcNG-systems: case $1 in start) if [ -x "${command}" -a \ >Release-Note: >Audit-Trail: >Unformatted:
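Review bot: in the src/acl.c hunk the `} else` immediately before `#endif /* FOLLOW_X_FORWARDED_FOR */` makes the unconditional `checklist->src_addr = request->client_addr;` the else-body only when the macro is on; it compiles both ways, but an if/else split by a preprocessor directive is fragile under the next edit. Suggest assigning `checklist->src_addr = request->client_addr;` unconditionally first and then, inside the `#if` block, overriding it with `request->indirect_client_addr` when `Config.onoff.acl_uses_indirect_client` is set; the same pattern and the same fix apply to the src/delay_pools.c hunk.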
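Review bot: in the src/cf.data.pre hunk the worked example trusts `my_other_proxy` through `acl my_other_proxy srcdomain .proxy.example.com`, i.e. by the reverse DNS name of the connecting address, which whoever controls the PTR records for that address range can choose; since the SECURITY CONSIDERATIONS paragraph right above says a trusted host can supply any source address, the example should use a `src` ACL listing the upstream proxies' fixed addresses. Also the first DOC sentence is not a sentence; suggest "Allow or deny following the X-Forwarded-For header to find the original source of a request."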
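Review bot: in the src/client_side.c hunk at @@ -177 the line `http->acl_checklist = NULL; /* XXX do we need to aclChecklistFree() ? */` has to be resolved before this goes in: if the non-blocking ACL callback path does not free the checklist, this leaks one checklist per followed hop per request; if it does, say so in the comment instead of leaving the question. Two smaller points in the same hunk: a list element that is not an address (proxies that do not disclose the client commonly insert the token "unknown") fails `inet_aton()` and stops the walk at `goto done` with the last trusted proxy as indirect client, which is the safe outcome and deserves a sentence in the cf.data.pre documentation; and the comment in clientAccessCheck says "X-ForwardedFor" where the header is X-Forwarded-For.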
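Review bot: in the src/structs.h hunk at lines 1611,1616 the new member `unsigned int done_follow_x_forwarded_for;` lacks the `:1` width that the neighbouring flags (`internal:1`, `body_sent:1`, `reset_tcp:1`) carry, so it widens the flags struct by a whole word for one bit; make it `unsigned int done_follow_x_forwarded_for:1;` (or drop the flag as the XXX comment already proposes).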
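Review bot: in follow_xff-configure.patch at @@ -2966 `follow_xff=1` is set before the option is examined and the `--enable-follow-x-forwarded-for` branch only sets it to 1 again, so `--disable-follow-x-forwarded-for` has no effect and the `#define FOLLOW_X_FORWARDED_FOR 0` branch is unreachable. Either initialise `follow_xff=0` so the option is opt-in, as the `echo "follow X-Forwarded-For enabled"` message implies, or test `$enableval` for "no" and set `follow_xff=0` there; as written the configure help text advertises a switch that does nothing.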
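Review bot: in the squid.sh hunk at @@ -28 dropping the `%%PREFIX%%/etc/rc.subr` fallback means a FreeBSD 4.x system with the rc_subr port installed now takes the old-style `case $1 in` branch, where `load_rc_config` is not run and `squid_enable` is therefore no longer consulted. If that is intended (the header comment now reads "FreeBSD 5 and later" only), call the behaviour change out in the port's install message so 4.x users who relied on squid_enable are not surprised at the next reboot.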