author | Andrew Pantyukhin <sat@FreeBSD.org> | 2006-07-10 19:57:12 +0000 |
---|---|---|
committer | Andrew Pantyukhin <sat@FreeBSD.org> | 2006-07-10 19:57:12 +0000 |
commit | f6d8d65eeff5b374fd45e7814e65bfa6f85c92c3 (patch) | |
tree | e08793f8904fa463e107906cf3c482ef969278e3 /www/squid26 | |
parent | b691fb39c1d2064374130f6bf7fe888d8fd60a2e (diff) | |
- Add an OPTION to enable transparent proxying with IPFW
- Include official patchset #10799
- Minor fixes
Submitted by: Thomas-Martin Seck <tmseck@netcologne.de> (maintainer)
Notes
Notes:
svn path=/head/; revision=167383
Diffstat (limited to 'www/squid26')
-rw-r--r-- | www/squid26/Makefile | 13 | ||||
-rw-r--r-- | www/squid26/distinfo | 3 | ||||
-rw-r--r-- | www/squid26/files/patch-changeset.10801 | 284 | ||||
-rw-r--r-- | www/squid26/files/patch-src-client_side.c | 16 | ||||
-rw-r--r-- | www/squid26/files/squid.in | 1 |
5 files changed, 312 insertions, 5 deletions
diff --git a/www/squid26/Makefile b/www/squid26/Makefile index 9fac6b748b93..54f8810d1153 100644 --- a/www/squid26/Makefile +++ b/www/squid26/Makefile @@ -69,8 +69,6 @@ # to indicate variance within an accelerator setup. Typically used # together with other code that adds custom HTTP headers to the # requests. -# --enable-auth-on-acceleration -# Enable authentication in accelerators. # --enable-forward-log # Enable experimental forward_log directive. # --enable-multicast-miss @@ -78,6 +76,7 @@ PORTNAME= squid PORTVERSION= 2.6.1 +PORTREVISION= 1 CATEGORIES= www MASTER_SITES= ftp://ftp.squid-cache.org/pub/%SUBDIR%/ \ ftp://archive.progeny.com/squid/%SUBDIR%/ \ @@ -101,8 +100,8 @@ PATCH_SITES= http://www.squid-cache.org/%SUBDIR%/ \ http://www1.uk.squid-cache.org/%SUBDIR%/ \ http://www1.jp.squid-cache.org/%SUBDIR%/ \ http://www1.tw.squid-cache.org/%SUBDIR%/ -PATCH_SITE_SUBDIR= Versions/v2/2.6/bugs -PATCHFILES= +PATCH_SITE_SUBDIR= Versions/v2/2.6/changesets/ +PATCHFILES= 10799.patch PATCH_DIST_STRIP= -p1 MAINTAINER= tmseck@netcologne.de @@ -145,6 +144,7 @@ OPTIONS= SQUID_LDAP_AUTH "Install LDAP authentication helpers" off \ SQUID_ARP_ACL "Enable ACLs based on ethernet address" off \ SQUID_PF "Enable transparent proxying with PF" off \ SQUID_IPFILTER "Enable transp. proxying with IPFilter" off \ + SQUID_IPFW "Enable transparent proxying with IPFW" off \ SQUID_FOLLOW_XFF "Follow X-Forwarded-For headers" off \ SQUID_ICAP "Enable ICAP client functionality" off \ SQUID_AUFS "Enable the aufs storage scheme" off \ 
@@ -331,12 +331,15 @@ IGNORE= IPFilter headers are not part of the base system CONFIGURE_ARGS+= --enable-ipf-transparent .endif .endif +.if defined(WITH_SQUID_IPFW) +CFLAGS+= -DIPFW_TRANSPARENT +.endif .if defined(WITH_SQUID_FOLLOW_XFF) CONFIGURE_ARGS+= --enable-follow-x-forwarded-for .endif .if defined(WITH_SQUID_ICAP) IGNORE= patches for ICAP support are not yet updated -EXTRA_PATCHES+= +EXTRA_PATCHES+= #CONFIGURE_ARGS+= --enable-icap-support #error_files+= ERR_ICAP_FAILURE .endif diff --git a/www/squid26/distinfo b/www/squid26/distinfo index 311c668b1599..1d11150734c3 100644 --- a/www/squid26/distinfo +++ b/www/squid26/distinfo @@ -1,3 +1,6 @@ MD5 (squid2.6/squid-2.6.STABLE1.tar.bz2) = d6bb23a67b0475cca11d4af8d574d054 SHA256 (squid2.6/squid-2.6.STABLE1.tar.bz2) = a9efea26f1c3966dff69f80c271a73562afed5c65929d69dab713308dd402ba9 SIZE (squid2.6/squid-2.6.STABLE1.tar.bz2) = 1212556 +MD5 (squid2.6/10799.patch) = 3a3d941b0d256a1da9ad8f2430da4e2b +SHA256 (squid2.6/10799.patch) = 0f010962faae226a21761996df7c487ed6ca2d51458e6941a9f2a5b69aa3e6c3 +SIZE (squid2.6/10799.patch) = 1288 diff --git a/www/squid26/files/patch-changeset.10801 b/www/squid26/files/patch-changeset.10801 new file mode 100644 index 000000000000..f73e5dbf7b4d --- /dev/null +++ b/www/squid26/files/patch-changeset.10801 
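Review bot: The new `.if defined(WITH_SQUID_IPFW)` block has no conflict check against `WITH_SQUID_PF` or `WITH_SQUID_IPFILTER`, and it passes a raw `CFLAGS+= -DIPFW_TRANSPARENT` instead of a configure switch. The C stub this commit adds in files/patch-src-client_side.c sits under `#elif IPFW_TRANSPARENT`, so if an earlier branch of that preprocessor chain is also enabled, the IPFW selection would presumably be ignored without any message. A guard such as `.if defined(WITH_SQUID_IPFW) && (defined(WITH_SQUID_PF) || defined(WITH_SQUID_IPFILTER))` followed by `IGNORE= select only one transparent proxying method` would make the conflict explicit. A short comment that this option only compiles in a no-op NAT lookup would also help whoever enables it.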
@@ -0,0 +1,284 @@ +--------------------- +PatchSet 10801 +Date: 2006/07/04 21:51:15 +Author: hno +Branch: HEAD +Tag: (none) +Log: +Bug #1650: transparent interception "Unable to forward this request at this time" + +this patch clears up some confusion between accelerated and transparently +intercepted requests, clearly separating the two cases. + +With this patch the --enable-auth-on-acceleration is removed again as it +no longer serves any purpose as there no longer is any conflict between +the processing accelerated and transparently intercepted requests. + +Members: + configure:1.388->1.389 + configure.in:1.384->1.385 + include/autoconf.h.in:1.153->1.154 + src/acl.c:1.303->1.304 + src/client_side.c:1.657->1.658 + src/structs.h:1.489->1.490 + +Index: squid/configure +=================================================================== +RCS file: /cvsroot/squid/squid/configure,v +retrieving revision 1.388 +retrieving revision 1.389 +diff -u -r1.388 -r1.389 +--- configure 1 Jul 2006 18:42:04 -0000 1.388 ++++ configure 4 Jul 2006 21:51:15 -0000 1.389 +@@ -907,8 +907,6 @@ + --enable-forw-via-db Enable Forw/Via database + --enable-cache-digests Use Cache Digests + see http://www.squid-cache.org/FAQ/FAQ-16.html +- --enable-auth-on-acceleration +- Enable authentication in accelerators + --enable-default-err-language=lang + Select default language for Error pages (see + errors directory) +@@ -4220,20 +4218,6 @@ + + fi; + +-# Check whether --enable-auth-on-acceleration or --disable-auth-on-acceleration was given. +-if test "${enable_auth_on_acceleration+set}" = set; then +- enableval="$enable_auth_on_acceleration" +- if test "$enableval" = "yes" ; then +- echo "AUTH_ON_ACCELERATION enabled" +- +-cat >>confdefs.h <<\_ACEOF +-#define AUTH_ON_ACCELERATION 1 +-_ACEOF +- +- fi +- +-fi; +- + # Check whether --enable-default-err-language or --disable-default-err-language was given. 
+ if test "${enable_default_err_language+set}" = set; then + enableval="$enable_default_err_language" +Index: squid/configure.in +=================================================================== +RCS file: /cvsroot/squid/squid/configure.in,v +retrieving revision 1.384 +retrieving revision 1.385 +diff -u -r1.384 -r1.385 +--- configure.in 1 Jul 2006 18:41:21 -0000 1.384 ++++ configure.in 4 Jul 2006 21:51:15 -0000 1.385 +@@ -736,15 +736,6 @@ + fi + ]) + +-AC_ARG_ENABLE(auth-on-acceleration, +-[ --enable-auth-on-acceleration +- Enable authentication in accelerators], +-[ if test "$enableval" = "yes" ; then +- echo "AUTH_ON_ACCELERATION enabled" +- AC_DEFINE(AUTH_ON_ACCELERATION, 1, [Enable authentication support in accelerators]) +- fi +-]) +- + dnl Select Default Error language + AC_ARG_ENABLE(default-err-language, + [ --enable-default-err-language=lang +Index: squid/include/autoconf.h.in +=================================================================== +RCS file: /cvsroot/squid/squid/include/autoconf.h.in,v +retrieving revision 1.153 +retrieving revision 1.154 +diff -u -r1.153 -r1.154 +--- include/autoconf.h.in 21 Jun 2006 20:33:46 -0000 1.153 ++++ include/autoconf.h.in 4 Jul 2006 21:51:16 -0000 1.154 +@@ -3,9 +3,6 @@ + /* Defines how many threads aufs uses for I/O */ + #undef AUFS_IO_THREADS + +-/* Enable authentication support in accelerators */ +-#undef AUTH_ON_ACCELERATION +- + /* If you are upset that the cachemgr.cgi form comes up with the hostname + field blank, then define this to getfullhostname() */ + #undef CACHEMGR_HOSTNAME +Index: squid/src/acl.c +=================================================================== +RCS file: /cvsroot/squid/squid/src/acl.c,v +retrieving revision 1.303 +retrieving revision 1.304 +diff -u -r1.303 -r1.304 +--- src/acl.c 17 Jun 2006 23:31:03 -0000 1.303 ++++ src/acl.c 4 Jul 2006 21:51:16 -0000 1.304 +@@ -400,6 +400,10 @@ + type->accelerated = 1; + continue; + } ++ if (strcmp(t, "transparent") == 0) { ++ 
type->transparent = 1; ++ continue; ++ } + if (strcmp(t, "internal") == 0) { + type->internal = 1; + continue; +@@ -1679,6 +1683,8 @@ + { + if (type->accelerated && request->flags.accelerated) + return 1; ++ if (type->transparent && request->flags.transparent) ++ return 1; + if (type->internal && request->flags.internal) + return 1; + return 0; +@@ -1691,20 +1697,15 @@ + http_hdr_type headertype; + if (NULL == r) { + return -1; +- } else if (!r->flags.accelerated) { +- /* Proxy authorization on proxy requests */ +- headertype = HDR_PROXY_AUTHORIZATION; +- } else if (r->flags.internal) { +- /* WWW authorization on accelerated internal requests */ +- headertype = HDR_AUTHORIZATION; +- } else { +-#if AUTH_ON_ACCELERATION ++ } else if (r->flags.accelerated) { + /* WWW authorization on accelerated requests */ + headertype = HDR_AUTHORIZATION; +-#else +- debug(28, 1) ("aclAuthenticated: authentication not applicable on accelerated requests.\n"); ++ } else if (r->flags.transparent) { ++ debug(28, 1) ("aclAuthenticated: authentication not applicable on transparently intercepted requests.\n"); + return -1; +-#endif ++ } else { ++ /* Proxy authorization on proxy requests */ ++ headertype = HDR_PROXY_AUTHORIZATION; + } + /* get authed here */ + /* Note: this fills in checklist->auth_user_request when applicable (auth incomplete) */ +@@ -2911,6 +2912,8 @@ + wordlistAdd(&W, "accelerated"); + if (type->internal) + wordlistAdd(&W, "internal"); ++ if (type->transparent) ++ wordlistAdd(&W, "transparent"); + return W; + } + +Index: squid/src/client_side.c +=================================================================== +RCS file: /cvsroot/squid/squid/src/client_side.c,v +retrieving revision 1.657 +retrieving revision 1.658 +diff -u -r1.657 -r1.658 +--- src/client_side.c 4 Jul 2006 00:06:11 -0000 1.657 ++++ src/client_side.c 4 Jul 2006 21:51:17 -0000 1.658 +@@ -3482,7 +3482,7 @@ + /* + * Deny loops when running in accelerator/transproxy mode. 
+ */ +- if (http->flags.accel && r->flags.loopdetect) { ++ if (r->flags.loopdetect && (http->flags.accel || http->flags.transparent)) { + http->al.http.code = HTTP_FORBIDDEN; + err = errorCon(ERR_ACCESS_DENIED, HTTP_FORBIDDEN); + err->request = requestLink(http->orig_request); +@@ -3684,15 +3684,19 @@ + if (method == METHOD_CONNECT) { + if (http_ver.major < 1) + goto invalid_request; ++ if (conn->port->accel) ++ goto invalid_request; + } else if (*url == '/') + accel:{ + int vhost = conn->port->vhost || conn->port->transparent; +- int vport = conn->port->vport || conn->transparent; ++ int vport = conn->port->vport; ++ int accel = conn->port->accel; ++ if (!vport && conn->transparent) ++ vport = ntohs(conn->me.sin_port); + if (Config.onoff.global_internal_static && conn->port->accel && internalCheck(url)) { + /* prepend our name & port */ + http->uri = xstrdup(internalStoreUri("", url)); + http->flags.internal = 1; +- http->flags.accel = 1; + debug(33, 5) ("INTERNAL REWRITE: '%s'\n", http->uri); + } else if (vhost && (t = mime_get_header(req_hdr, "Host"))) { + url_sz = strlen(url) + 32 + Config.appendDomainLen + +@@ -3724,14 +3728,14 @@ + /* prepend our name & port */ + http->uri = xstrdup(internalStoreUri("", url)); + http->flags.internal = 1; +- http->flags.accel = 1; + debug(33, 5) ("INTERNAL REWRITE: '%s'\n", http->uri); + } else { + goto invalid_request; + } +- http->flags.accel = 1; +- } else if (conn->transparent) { +- http->flags.accel = 1; ++ if (accel) ++ http->flags.accel = 1; ++ else if (conn->port->transparent) ++ http->flags.transparent = 1; + } else if (conn->port->accel) { + http->flags.accel = 1; + if (!conn->port->vhost) { +@@ -3743,9 +3747,6 @@ + url = (char *) "/"; + goto accel; + } +- } else { +- /* Proxy request */ +- http->flags.accel = 0; + } + if (!http->uri) { + /* No special rewrites have been applied above, use the +@@ -3753,7 +3754,6 @@ + url_sz = strlen(url) + Config.appendDomainLen + 5; + http->uri = xcalloc(url_sz, 1); + 
strcpy(http->uri, url); +- http->flags.accel = 0; + } + if (!stringHasCntl(http->uri)) + http->log_uri = xstrndup(http->uri, MAX_URL); +@@ -3989,6 +3989,7 @@ + request->flags.tproxy = conn->port->tproxy; + #endif + request->flags.accelerated = http->flags.accel; ++ request->flags.transparent = http->flags.transparent; + /* + * cache the Content-length value in request_t. + */ +Index: squid/src/structs.h +=================================================================== +RCS file: /cvsroot/squid/squid/src/structs.h,v +retrieving revision 1.489 +retrieving revision 1.490 +diff -u -r1.489 -r1.490 +--- src/structs.h 30 Jun 2006 21:23:05 -0000 1.489 ++++ src/structs.h 4 Jul 2006 21:51:18 -0000 1.490 +@@ -346,6 +346,7 @@ + + struct _acl_request_type { + unsigned int accelerated:1; ++ unsigned int transparent:1; + unsigned int internal:1; + }; + +@@ -1190,6 +1191,7 @@ + AccessLogEntry al; + struct { + unsigned int accel:1; ++ unsigned int transparent:1; + unsigned int internal:1; + unsigned int done_copying:1; + unsigned int purging:1; +@@ -1785,6 +1787,7 @@ + unsigned int nocache_hack:1; /* for changing/ignoring no-cache requests */ + #endif + unsigned int accelerated:1; ++ unsigned int transparent:1; + unsigned int internal:1; + unsigned int body_sent:1; + unsigned int reset_tcp:1; diff --git a/www/squid26/files/patch-src-client_side.c b/www/squid26/files/patch-src-client_side.c new file mode 100644 index 000000000000..3c9eed63c572 --- /dev/null +++ b/www/squid26/files/patch-src-client_side.c @@ -0,0 +1,16 @@ +--- ./src/client_side.c.orig Thu Jul 6 11:44:18 2006 ++++ ./src/client_side.c Thu Jul 6 11:52:07 2006 +@@ -4490,6 +4490,13 @@ + return -1; + } + } ++#elif IPFW_TRANSPARENT ++static int inline ++clientNatLookup(ConnStateData * conn) ++{ ++ static time_t last_reported = 0; ++ return 0; ++} + #else + static int inline + clientNatLookup(ConnStateData * conn) diff --git a/www/squid26/files/squid.in b/www/squid26/files/squid.in index d7ae60bba649..284b0112010d 100644 
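Review bot: In the client_side.c part of this changeset (inner hunk `@@ -3724,14 +3728,14 @@`), `http->flags.transparent` is set only at the end of the `*url == '/'` branch, and the old `else if (conn->transparent)` branch is removed without a replacement. A request carrying an absolute URL on an intercepted connection therefore appears to get neither flag. The new `r->flags.transparent` test in `aclAuthenticated` and the widened loop check `(http->flags.accel || http->flags.transparent)` would then not apply, and it would be handled as an ordinary proxy request. If that is intended, a comment at the branch should say so; otherwise keep the branch as `} else if (conn->transparent) {` with `http->flags.transparent = 1;`. The block also uses `conn->transparent` for `vport` but `conn->port->transparent` for `vhost` and the flag, which deserves a one-line explanation; the enclosing function starts and ends outside the hunks shown.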
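Review bot: The IPFW branch of `clientNatLookup` declares `static time_t last_reported = 0;` and never uses it, so the line can be dropped to avoid an unused-variable warning. The stub returns 0 without reading or changing `conn`, so the caller presumably treats the lookup as successful and keeps whatever local address the socket already has. A comment should state that assumption, for example `/* IPFW: no NAT table to query; conn->me is used as-is, assuming the forwarding rule leaves the destination address untouched */`. The `#if` chain this branch belongs to starts outside the hunk.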
--- a/www/squid26/files/squid.in +++ b/www/squid26/files/squid.in @@ -15,6 +15,7 @@ # squid_stop() { + echo "Stopping ${name}." ${command} -k shutdown run_rc_command poll } |