squid: Update to 4.4 (stable)

For details see:
http://www.squid-cache.org/Versions/v4/changesets/

In July 2018, 'squid 4' was "released for production use", see:
https://wiki.squid-cache.org/Squid-4

"The features have been set and large code changes are reserved for later versions."

I've tested almost all 4.x-versions and patch series before with good results.
Right now, 4.4 is running here with no observed problems together with
'squidclamav', 'squidguard' and 'privoxy'.

I too would declare this version stable.

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This commit is contained in:
Matthias Fischer
2018-12-13 18:40:24 +01:00
committed by Michael Tremer
parent 27801da089
commit a2bcb4135b
8 changed files with 314 additions and 108 deletions


@@ -20,7 +20,6 @@ usr/lib/squid/basic_db_auth
usr/lib/squid/basic_fake_auth
usr/lib/squid/basic_getpwnam_auth
usr/lib/squid/basic_ldap_auth
usr/lib/squid/basic_msnt_multi_domain_auth
usr/lib/squid/basic_ncsa_auth
usr/lib/squid/basic_nis_auth
usr/lib/squid/basic_pam_auth
@@ -29,7 +28,6 @@ usr/lib/squid/basic_radius_auth
usr/lib/squid/basic_sasl_auth
usr/lib/squid/basic_smb_auth
usr/lib/squid/basic_smb_auth.sh
usr/lib/squid/basic_smb_lm_auth
#usr/lib/squid/cachemgr.cgi
usr/lib/squid/digest_edirectory_auth
usr/lib/squid/digest_file_auth
@@ -69,6 +67,7 @@ usr/lib/squid/diskd
#usr/lib/squid/errors/af/ERR_NO_RELAY
#usr/lib/squid/errors/af/ERR_ONLY_IF_CACHED_MISS
#usr/lib/squid/errors/af/ERR_PRECONDITION_FAILED
#usr/lib/squid/errors/af/ERR_PROTOCOL_UNKNOWN
#usr/lib/squid/errors/af/ERR_READ_ERROR
#usr/lib/squid/errors/af/ERR_READ_TIMEOUT
#usr/lib/squid/errors/af/ERR_SECURE_CONNECT_FAIL
@@ -128,6 +127,7 @@ usr/lib/squid/diskd
#usr/lib/squid/errors/ar/ERR_NO_RELAY
#usr/lib/squid/errors/ar/ERR_ONLY_IF_CACHED_MISS
#usr/lib/squid/errors/ar/ERR_PRECONDITION_FAILED
#usr/lib/squid/errors/ar/ERR_PROTOCOL_UNKNOWN
#usr/lib/squid/errors/ar/ERR_READ_ERROR
#usr/lib/squid/errors/ar/ERR_READ_TIMEOUT
#usr/lib/squid/errors/ar/ERR_SECURE_CONNECT_FAIL
@@ -172,6 +172,7 @@ usr/lib/squid/diskd
#usr/lib/squid/errors/az/ERR_NO_RELAY
#usr/lib/squid/errors/az/ERR_ONLY_IF_CACHED_MISS
#usr/lib/squid/errors/az/ERR_PRECONDITION_FAILED
#usr/lib/squid/errors/az/ERR_PROTOCOL_UNKNOWN
#usr/lib/squid/errors/az/ERR_READ_ERROR
#usr/lib/squid/errors/az/ERR_READ_TIMEOUT
#usr/lib/squid/errors/az/ERR_SECURE_CONNECT_FAIL
@@ -216,6 +217,7 @@ usr/lib/squid/diskd
#usr/lib/squid/errors/bg/ERR_NO_RELAY
#usr/lib/squid/errors/bg/ERR_ONLY_IF_CACHED_MISS
#usr/lib/squid/errors/bg/ERR_PRECONDITION_FAILED
#usr/lib/squid/errors/bg/ERR_PROTOCOL_UNKNOWN
#usr/lib/squid/errors/bg/ERR_READ_ERROR
#usr/lib/squid/errors/bg/ERR_READ_TIMEOUT
#usr/lib/squid/errors/bg/ERR_SECURE_CONNECT_FAIL
@@ -229,6 +231,7 @@ usr/lib/squid/diskd
#usr/lib/squid/errors/bg/ERR_ZERO_SIZE_OBJECT
#usr/lib/squid/errors/bg/error-details.txt
#usr/lib/squid/errors/ca
#usr/lib/squid/errors/ca-es
#usr/lib/squid/errors/ca/ERR_ACCESS_DENIED
#usr/lib/squid/errors/ca/ERR_ACL_TIME_QUOTA_EXCEEDED
#usr/lib/squid/errors/ca/ERR_AGENT_CONFIGURE
@@ -259,6 +262,7 @@ usr/lib/squid/diskd
#usr/lib/squid/errors/ca/ERR_NO_RELAY
#usr/lib/squid/errors/ca/ERR_ONLY_IF_CACHED_MISS
#usr/lib/squid/errors/ca/ERR_PRECONDITION_FAILED
#usr/lib/squid/errors/ca/ERR_PROTOCOL_UNKNOWN
#usr/lib/squid/errors/ca/ERR_READ_ERROR
#usr/lib/squid/errors/ca/ERR_READ_TIMEOUT
#usr/lib/squid/errors/ca/ERR_SECURE_CONNECT_FAIL
@@ -303,6 +307,7 @@ usr/lib/squid/diskd
#usr/lib/squid/errors/cs/ERR_NO_RELAY
#usr/lib/squid/errors/cs/ERR_ONLY_IF_CACHED_MISS
#usr/lib/squid/errors/cs/ERR_PRECONDITION_FAILED
#usr/lib/squid/errors/cs/ERR_PROTOCOL_UNKNOWN
#usr/lib/squid/errors/cs/ERR_READ_ERROR
#usr/lib/squid/errors/cs/ERR_READ_TIMEOUT
#usr/lib/squid/errors/cs/ERR_SECURE_CONNECT_FAIL
@@ -347,6 +352,7 @@ usr/lib/squid/diskd
#usr/lib/squid/errors/da/ERR_NO_RELAY
#usr/lib/squid/errors/da/ERR_ONLY_IF_CACHED_MISS
#usr/lib/squid/errors/da/ERR_PRECONDITION_FAILED
#usr/lib/squid/errors/da/ERR_PROTOCOL_UNKNOWN
#usr/lib/squid/errors/da/ERR_READ_ERROR
#usr/lib/squid/errors/da/ERR_READ_TIMEOUT
#usr/lib/squid/errors/da/ERR_SECURE_CONNECT_FAIL
@@ -395,6 +401,7 @@ usr/lib/squid/errors/de/ERR_LIFETIME_EXP
usr/lib/squid/errors/de/ERR_NO_RELAY
usr/lib/squid/errors/de/ERR_ONLY_IF_CACHED_MISS
usr/lib/squid/errors/de/ERR_PRECONDITION_FAILED
usr/lib/squid/errors/de/ERR_PROTOCOL_UNKNOWN
usr/lib/squid/errors/de/ERR_READ_ERROR
usr/lib/squid/errors/de/ERR_READ_TIMEOUT
usr/lib/squid/errors/de/ERR_SECURE_CONNECT_FAIL
@@ -439,6 +446,7 @@ usr/lib/squid/errors/de/error-details.txt
#usr/lib/squid/errors/el/ERR_NO_RELAY
#usr/lib/squid/errors/el/ERR_ONLY_IF_CACHED_MISS
#usr/lib/squid/errors/el/ERR_PRECONDITION_FAILED
#usr/lib/squid/errors/el/ERR_PROTOCOL_UNKNOWN
#usr/lib/squid/errors/el/ERR_READ_ERROR
#usr/lib/squid/errors/el/ERR_READ_TIMEOUT
#usr/lib/squid/errors/el/ERR_SECURE_CONNECT_FAIL
@@ -455,6 +463,7 @@ usr/lib/squid/errors/de/error-details.txt
#usr/lib/squid/errors/en-au
#usr/lib/squid/errors/en-bz
#usr/lib/squid/errors/en-ca
#usr/lib/squid/errors/en-cn
#usr/lib/squid/errors/en-gb
#usr/lib/squid/errors/en-ie
#usr/lib/squid/errors/en-in
@@ -497,6 +506,7 @@ usr/lib/squid/errors/en/ERR_LIFETIME_EXP
usr/lib/squid/errors/en/ERR_NO_RELAY
usr/lib/squid/errors/en/ERR_ONLY_IF_CACHED_MISS
usr/lib/squid/errors/en/ERR_PRECONDITION_FAILED
usr/lib/squid/errors/en/ERR_PROTOCOL_UNKNOWN
usr/lib/squid/errors/en/ERR_READ_ERROR
usr/lib/squid/errors/en/ERR_READ_TIMEOUT
usr/lib/squid/errors/en/ERR_SECURE_CONNECT_FAIL
@@ -530,6 +540,7 @@ usr/lib/squid/errors/en/error-details.txt
#usr/lib/squid/errors/es-us
#usr/lib/squid/errors/es-uy
#usr/lib/squid/errors/es-ve
#usr/lib/squid/errors/es-xl
usr/lib/squid/errors/es/ERR_ACCESS_DENIED
usr/lib/squid/errors/es/ERR_ACL_TIME_QUOTA_EXCEEDED
usr/lib/squid/errors/es/ERR_AGENT_CONFIGURE
@@ -560,6 +571,7 @@ usr/lib/squid/errors/es/ERR_LIFETIME_EXP
usr/lib/squid/errors/es/ERR_NO_RELAY
usr/lib/squid/errors/es/ERR_ONLY_IF_CACHED_MISS
usr/lib/squid/errors/es/ERR_PRECONDITION_FAILED
usr/lib/squid/errors/es/ERR_PROTOCOL_UNKNOWN
usr/lib/squid/errors/es/ERR_READ_ERROR
usr/lib/squid/errors/es/ERR_READ_TIMEOUT
usr/lib/squid/errors/es/ERR_SECURE_CONNECT_FAIL
@@ -604,6 +616,7 @@ usr/lib/squid/errors/es/error-details.txt
#usr/lib/squid/errors/et/ERR_NO_RELAY
#usr/lib/squid/errors/et/ERR_ONLY_IF_CACHED_MISS
#usr/lib/squid/errors/et/ERR_PRECONDITION_FAILED
#usr/lib/squid/errors/et/ERR_PROTOCOL_UNKNOWN
#usr/lib/squid/errors/et/ERR_READ_ERROR
#usr/lib/squid/errors/et/ERR_READ_TIMEOUT
#usr/lib/squid/errors/et/ERR_SECURE_CONNECT_FAIL
@@ -649,6 +662,7 @@ usr/lib/squid/errors/es/error-details.txt
#usr/lib/squid/errors/fa/ERR_NO_RELAY
#usr/lib/squid/errors/fa/ERR_ONLY_IF_CACHED_MISS
#usr/lib/squid/errors/fa/ERR_PRECONDITION_FAILED
#usr/lib/squid/errors/fa/ERR_PROTOCOL_UNKNOWN
#usr/lib/squid/errors/fa/ERR_READ_ERROR
#usr/lib/squid/errors/fa/ERR_READ_TIMEOUT
#usr/lib/squid/errors/fa/ERR_SECURE_CONNECT_FAIL
@@ -693,6 +707,7 @@ usr/lib/squid/errors/es/error-details.txt
#usr/lib/squid/errors/fi/ERR_NO_RELAY
#usr/lib/squid/errors/fi/ERR_ONLY_IF_CACHED_MISS
#usr/lib/squid/errors/fi/ERR_PRECONDITION_FAILED
#usr/lib/squid/errors/fi/ERR_PROTOCOL_UNKNOWN
#usr/lib/squid/errors/fi/ERR_READ_ERROR
#usr/lib/squid/errors/fi/ERR_READ_TIMEOUT
#usr/lib/squid/errors/fi/ERR_SECURE_CONNECT_FAIL
@@ -742,6 +757,7 @@ usr/lib/squid/errors/fr/ERR_LIFETIME_EXP
usr/lib/squid/errors/fr/ERR_NO_RELAY
usr/lib/squid/errors/fr/ERR_ONLY_IF_CACHED_MISS
usr/lib/squid/errors/fr/ERR_PRECONDITION_FAILED
usr/lib/squid/errors/fr/ERR_PROTOCOL_UNKNOWN
usr/lib/squid/errors/fr/ERR_READ_ERROR
usr/lib/squid/errors/fr/ERR_READ_TIMEOUT
usr/lib/squid/errors/fr/ERR_SECURE_CONNECT_FAIL
@@ -786,6 +802,7 @@ usr/lib/squid/errors/fr/error-details.txt
#usr/lib/squid/errors/he/ERR_NO_RELAY
#usr/lib/squid/errors/he/ERR_ONLY_IF_CACHED_MISS
#usr/lib/squid/errors/he/ERR_PRECONDITION_FAILED
#usr/lib/squid/errors/he/ERR_PROTOCOL_UNKNOWN
#usr/lib/squid/errors/he/ERR_READ_ERROR
#usr/lib/squid/errors/he/ERR_READ_TIMEOUT
#usr/lib/squid/errors/he/ERR_SECURE_CONNECT_FAIL
@@ -830,6 +847,7 @@ usr/lib/squid/errors/fr/error-details.txt
#usr/lib/squid/errors/hu/ERR_NO_RELAY
#usr/lib/squid/errors/hu/ERR_ONLY_IF_CACHED_MISS
#usr/lib/squid/errors/hu/ERR_PRECONDITION_FAILED
#usr/lib/squid/errors/hu/ERR_PROTOCOL_UNKNOWN
#usr/lib/squid/errors/hu/ERR_READ_ERROR
#usr/lib/squid/errors/hu/ERR_READ_TIMEOUT
#usr/lib/squid/errors/hu/ERR_SECURE_CONNECT_FAIL
@@ -875,6 +893,7 @@ usr/lib/squid/errors/fr/error-details.txt
#usr/lib/squid/errors/hy/ERR_NO_RELAY
#usr/lib/squid/errors/hy/ERR_ONLY_IF_CACHED_MISS
#usr/lib/squid/errors/hy/ERR_PRECONDITION_FAILED
#usr/lib/squid/errors/hy/ERR_PROTOCOL_UNKNOWN
#usr/lib/squid/errors/hy/ERR_READ_ERROR
#usr/lib/squid/errors/hy/ERR_READ_TIMEOUT
#usr/lib/squid/errors/hy/ERR_SECURE_CONNECT_FAIL
@@ -919,6 +938,7 @@ usr/lib/squid/errors/fr/error-details.txt
#usr/lib/squid/errors/id/ERR_NO_RELAY
#usr/lib/squid/errors/id/ERR_ONLY_IF_CACHED_MISS
#usr/lib/squid/errors/id/ERR_PRECONDITION_FAILED
#usr/lib/squid/errors/id/ERR_PROTOCOL_UNKNOWN
#usr/lib/squid/errors/id/ERR_READ_ERROR
#usr/lib/squid/errors/id/ERR_READ_TIMEOUT
#usr/lib/squid/errors/id/ERR_SECURE_CONNECT_FAIL
@@ -964,6 +984,7 @@ usr/lib/squid/errors/fr/error-details.txt
#usr/lib/squid/errors/it/ERR_NO_RELAY
#usr/lib/squid/errors/it/ERR_ONLY_IF_CACHED_MISS
#usr/lib/squid/errors/it/ERR_PRECONDITION_FAILED
#usr/lib/squid/errors/it/ERR_PROTOCOL_UNKNOWN
#usr/lib/squid/errors/it/ERR_READ_ERROR
#usr/lib/squid/errors/it/ERR_READ_TIMEOUT
#usr/lib/squid/errors/it/ERR_SECURE_CONNECT_FAIL
@@ -1008,6 +1029,7 @@ usr/lib/squid/errors/fr/error-details.txt
#usr/lib/squid/errors/ja/ERR_NO_RELAY
#usr/lib/squid/errors/ja/ERR_ONLY_IF_CACHED_MISS
#usr/lib/squid/errors/ja/ERR_PRECONDITION_FAILED
#usr/lib/squid/errors/ja/ERR_PROTOCOL_UNKNOWN
#usr/lib/squid/errors/ja/ERR_READ_ERROR
#usr/lib/squid/errors/ja/ERR_READ_TIMEOUT
#usr/lib/squid/errors/ja/ERR_SECURE_CONNECT_FAIL
@@ -1021,6 +1043,7 @@ usr/lib/squid/errors/fr/error-details.txt
#usr/lib/squid/errors/ja/ERR_ZERO_SIZE_OBJECT
#usr/lib/squid/errors/ja/error-details.txt
#usr/lib/squid/errors/ka
#usr/lib/squid/errors/ka-ge
#usr/lib/squid/errors/ka/ERR_ACCESS_DENIED
#usr/lib/squid/errors/ka/ERR_ACL_TIME_QUOTA_EXCEEDED
#usr/lib/squid/errors/ka/ERR_AGENT_CONFIGURE
@@ -1051,6 +1074,7 @@ usr/lib/squid/errors/fr/error-details.txt
#usr/lib/squid/errors/ka/ERR_NO_RELAY
#usr/lib/squid/errors/ka/ERR_ONLY_IF_CACHED_MISS
#usr/lib/squid/errors/ka/ERR_PRECONDITION_FAILED
#usr/lib/squid/errors/ka/ERR_PROTOCOL_UNKNOWN
#usr/lib/squid/errors/ka/ERR_READ_ERROR
#usr/lib/squid/errors/ka/ERR_READ_TIMEOUT
#usr/lib/squid/errors/ka/ERR_SECURE_CONNECT_FAIL
@@ -1063,7 +1087,6 @@ usr/lib/squid/errors/fr/error-details.txt
#usr/lib/squid/errors/ka/ERR_WRITE_ERROR
#usr/lib/squid/errors/ka/ERR_ZERO_SIZE_OBJECT
#usr/lib/squid/errors/ka/error-details.txt
#usr/lib/squid/errors/ka-ge
#usr/lib/squid/errors/ko
#usr/lib/squid/errors/ko-kp
#usr/lib/squid/errors/ko-kr
@@ -1097,6 +1120,7 @@ usr/lib/squid/errors/fr/error-details.txt
#usr/lib/squid/errors/ko/ERR_NO_RELAY
#usr/lib/squid/errors/ko/ERR_ONLY_IF_CACHED_MISS
#usr/lib/squid/errors/ko/ERR_PRECONDITION_FAILED
#usr/lib/squid/errors/ko/ERR_PROTOCOL_UNKNOWN
#usr/lib/squid/errors/ko/ERR_READ_ERROR
#usr/lib/squid/errors/ko/ERR_READ_TIMEOUT
#usr/lib/squid/errors/ko/ERR_SECURE_CONNECT_FAIL
@@ -1141,6 +1165,7 @@ usr/lib/squid/errors/fr/error-details.txt
#usr/lib/squid/errors/lt/ERR_NO_RELAY
#usr/lib/squid/errors/lt/ERR_ONLY_IF_CACHED_MISS
#usr/lib/squid/errors/lt/ERR_PRECONDITION_FAILED
#usr/lib/squid/errors/lt/ERR_PROTOCOL_UNKNOWN
#usr/lib/squid/errors/lt/ERR_READ_ERROR
#usr/lib/squid/errors/lt/ERR_READ_TIMEOUT
#usr/lib/squid/errors/lt/ERR_SECURE_CONNECT_FAIL
@@ -1185,6 +1210,7 @@ usr/lib/squid/errors/fr/error-details.txt
#usr/lib/squid/errors/lv/ERR_NO_RELAY
#usr/lib/squid/errors/lv/ERR_ONLY_IF_CACHED_MISS
#usr/lib/squid/errors/lv/ERR_PRECONDITION_FAILED
#usr/lib/squid/errors/lv/ERR_PROTOCOL_UNKNOWN
#usr/lib/squid/errors/lv/ERR_READ_ERROR
#usr/lib/squid/errors/lv/ERR_READ_TIMEOUT
#usr/lib/squid/errors/lv/ERR_SECURE_CONNECT_FAIL
@@ -1229,6 +1255,7 @@ usr/lib/squid/errors/fr/error-details.txt
#usr/lib/squid/errors/ms/ERR_NO_RELAY
#usr/lib/squid/errors/ms/ERR_ONLY_IF_CACHED_MISS
#usr/lib/squid/errors/ms/ERR_PRECONDITION_FAILED
#usr/lib/squid/errors/ms/ERR_PROTOCOL_UNKNOWN
#usr/lib/squid/errors/ms/ERR_READ_ERROR
#usr/lib/squid/errors/ms/ERR_READ_TIMEOUT
#usr/lib/squid/errors/ms/ERR_SECURE_CONNECT_FAIL
@@ -1273,6 +1300,7 @@ usr/lib/squid/errors/nl/ERR_LIFETIME_EXP
usr/lib/squid/errors/nl/ERR_NO_RELAY
usr/lib/squid/errors/nl/ERR_ONLY_IF_CACHED_MISS
usr/lib/squid/errors/nl/ERR_PRECONDITION_FAILED
usr/lib/squid/errors/nl/ERR_PROTOCOL_UNKNOWN
usr/lib/squid/errors/nl/ERR_READ_ERROR
usr/lib/squid/errors/nl/ERR_READ_TIMEOUT
usr/lib/squid/errors/nl/ERR_SECURE_CONNECT_FAIL
@@ -1316,6 +1344,7 @@ usr/lib/squid/errors/nl/error-details.txt
#usr/lib/squid/errors/oc/ERR_NO_RELAY
#usr/lib/squid/errors/oc/ERR_ONLY_IF_CACHED_MISS
#usr/lib/squid/errors/oc/ERR_PRECONDITION_FAILED
#usr/lib/squid/errors/oc/ERR_PROTOCOL_UNKNOWN
#usr/lib/squid/errors/oc/ERR_READ_ERROR
#usr/lib/squid/errors/oc/ERR_READ_TIMEOUT
#usr/lib/squid/errors/oc/ERR_SECURE_CONNECT_FAIL
@@ -1360,6 +1389,7 @@ usr/lib/squid/errors/pl/ERR_LIFETIME_EXP
usr/lib/squid/errors/pl/ERR_NO_RELAY
usr/lib/squid/errors/pl/ERR_ONLY_IF_CACHED_MISS
usr/lib/squid/errors/pl/ERR_PRECONDITION_FAILED
usr/lib/squid/errors/pl/ERR_PROTOCOL_UNKNOWN
usr/lib/squid/errors/pl/ERR_READ_ERROR
usr/lib/squid/errors/pl/ERR_READ_TIMEOUT
usr/lib/squid/errors/pl/ERR_SECURE_CONNECT_FAIL
@@ -1404,6 +1434,7 @@ usr/lib/squid/errors/pl/error-details.txt
#usr/lib/squid/errors/pt-br/ERR_NO_RELAY
#usr/lib/squid/errors/pt-br/ERR_ONLY_IF_CACHED_MISS
#usr/lib/squid/errors/pt-br/ERR_PRECONDITION_FAILED
#usr/lib/squid/errors/pt-br/ERR_PROTOCOL_UNKNOWN
#usr/lib/squid/errors/pt-br/ERR_READ_ERROR
#usr/lib/squid/errors/pt-br/ERR_READ_TIMEOUT
#usr/lib/squid/errors/pt-br/ERR_SECURE_CONNECT_FAIL
@@ -1418,6 +1449,7 @@ usr/lib/squid/errors/pl/error-details.txt
#usr/lib/squid/errors/pt-br/error-details.txt
#usr/lib/squid/errors/pt-bz
#usr/lib/squid/errors/pt-pt
#usr/lib/squid/errors/pt-xl
#usr/lib/squid/errors/pt/ERR_ACCESS_DENIED
#usr/lib/squid/errors/pt/ERR_ACL_TIME_QUOTA_EXCEEDED
#usr/lib/squid/errors/pt/ERR_AGENT_CONFIGURE
@@ -1448,6 +1480,7 @@ usr/lib/squid/errors/pl/error-details.txt
#usr/lib/squid/errors/pt/ERR_NO_RELAY
#usr/lib/squid/errors/pt/ERR_ONLY_IF_CACHED_MISS
#usr/lib/squid/errors/pt/ERR_PRECONDITION_FAILED
#usr/lib/squid/errors/pt/ERR_PROTOCOL_UNKNOWN
#usr/lib/squid/errors/pt/ERR_READ_ERROR
#usr/lib/squid/errors/pt/ERR_READ_TIMEOUT
#usr/lib/squid/errors/pt/ERR_SECURE_CONNECT_FAIL
@@ -1493,6 +1526,7 @@ usr/lib/squid/errors/pl/error-details.txt
#usr/lib/squid/errors/ro/ERR_NO_RELAY
#usr/lib/squid/errors/ro/ERR_ONLY_IF_CACHED_MISS
#usr/lib/squid/errors/ro/ERR_PRECONDITION_FAILED
#usr/lib/squid/errors/ro/ERR_PROTOCOL_UNKNOWN
#usr/lib/squid/errors/ro/ERR_READ_ERROR
#usr/lib/squid/errors/ro/ERR_READ_TIMEOUT
#usr/lib/squid/errors/ro/ERR_SECURE_CONNECT_FAIL
@@ -1537,6 +1571,7 @@ usr/lib/squid/errors/ru/ERR_LIFETIME_EXP
usr/lib/squid/errors/ru/ERR_NO_RELAY
usr/lib/squid/errors/ru/ERR_ONLY_IF_CACHED_MISS
usr/lib/squid/errors/ru/ERR_PRECONDITION_FAILED
usr/lib/squid/errors/ru/ERR_PROTOCOL_UNKNOWN
usr/lib/squid/errors/ru/ERR_READ_ERROR
usr/lib/squid/errors/ru/ERR_READ_TIMEOUT
usr/lib/squid/errors/ru/ERR_SECURE_CONNECT_FAIL
@@ -1581,6 +1616,7 @@ usr/lib/squid/errors/ru/error-details.txt
#usr/lib/squid/errors/sk/ERR_NO_RELAY
#usr/lib/squid/errors/sk/ERR_ONLY_IF_CACHED_MISS
#usr/lib/squid/errors/sk/ERR_PRECONDITION_FAILED
#usr/lib/squid/errors/sk/ERR_PROTOCOL_UNKNOWN
#usr/lib/squid/errors/sk/ERR_READ_ERROR
#usr/lib/squid/errors/sk/ERR_READ_TIMEOUT
#usr/lib/squid/errors/sk/ERR_SECURE_CONNECT_FAIL
@@ -1625,6 +1661,7 @@ usr/lib/squid/errors/ru/error-details.txt
#usr/lib/squid/errors/sl/ERR_NO_RELAY
#usr/lib/squid/errors/sl/ERR_ONLY_IF_CACHED_MISS
#usr/lib/squid/errors/sl/ERR_PRECONDITION_FAILED
#usr/lib/squid/errors/sl/ERR_PROTOCOL_UNKNOWN
#usr/lib/squid/errors/sl/ERR_READ_ERROR
#usr/lib/squid/errors/sl/ERR_READ_TIMEOUT
#usr/lib/squid/errors/sl/ERR_SECURE_CONNECT_FAIL
@@ -1672,6 +1709,7 @@ usr/lib/squid/errors/ru/error-details.txt
#usr/lib/squid/errors/sr-cyrl/ERR_NO_RELAY
#usr/lib/squid/errors/sr-cyrl/ERR_ONLY_IF_CACHED_MISS
#usr/lib/squid/errors/sr-cyrl/ERR_PRECONDITION_FAILED
#usr/lib/squid/errors/sr-cyrl/ERR_PROTOCOL_UNKNOWN
#usr/lib/squid/errors/sr-cyrl/ERR_READ_ERROR
#usr/lib/squid/errors/sr-cyrl/ERR_READ_TIMEOUT
#usr/lib/squid/errors/sr-cyrl/ERR_SECURE_CONNECT_FAIL
@@ -1718,6 +1756,7 @@ usr/lib/squid/errors/ru/error-details.txt
#usr/lib/squid/errors/sr-latn/ERR_NO_RELAY
#usr/lib/squid/errors/sr-latn/ERR_ONLY_IF_CACHED_MISS
#usr/lib/squid/errors/sr-latn/ERR_PRECONDITION_FAILED
#usr/lib/squid/errors/sr-latn/ERR_PROTOCOL_UNKNOWN
#usr/lib/squid/errors/sr-latn/ERR_READ_ERROR
#usr/lib/squid/errors/sr-latn/ERR_READ_TIMEOUT
#usr/lib/squid/errors/sr-latn/ERR_SECURE_CONNECT_FAIL
@@ -1765,6 +1804,7 @@ usr/lib/squid/errors/ru/error-details.txt
#usr/lib/squid/errors/sv/ERR_NO_RELAY
#usr/lib/squid/errors/sv/ERR_ONLY_IF_CACHED_MISS
#usr/lib/squid/errors/sv/ERR_PRECONDITION_FAILED
#usr/lib/squid/errors/sv/ERR_PROTOCOL_UNKNOWN
#usr/lib/squid/errors/sv/ERR_READ_ERROR
#usr/lib/squid/errors/sv/ERR_READ_TIMEOUT
#usr/lib/squid/errors/sv/ERR_SECURE_CONNECT_FAIL
@@ -1808,6 +1848,7 @@ usr/lib/squid/errors/ru/error-details.txt
#usr/lib/squid/errors/templates/ERR_NO_RELAY
#usr/lib/squid/errors/templates/ERR_ONLY_IF_CACHED_MISS
#usr/lib/squid/errors/templates/ERR_PRECONDITION_FAILED
#usr/lib/squid/errors/templates/ERR_PROTOCOL_UNKNOWN
#usr/lib/squid/errors/templates/ERR_READ_ERROR
#usr/lib/squid/errors/templates/ERR_READ_TIMEOUT
#usr/lib/squid/errors/templates/ERR_SECURE_CONNECT_FAIL
@@ -1852,6 +1893,7 @@ usr/lib/squid/errors/ru/error-details.txt
#usr/lib/squid/errors/th/ERR_NO_RELAY
#usr/lib/squid/errors/th/ERR_ONLY_IF_CACHED_MISS
#usr/lib/squid/errors/th/ERR_PRECONDITION_FAILED
#usr/lib/squid/errors/th/ERR_PROTOCOL_UNKNOWN
#usr/lib/squid/errors/th/ERR_READ_ERROR
#usr/lib/squid/errors/th/ERR_READ_TIMEOUT
#usr/lib/squid/errors/th/ERR_SECURE_CONNECT_FAIL
@@ -1896,6 +1938,7 @@ usr/lib/squid/errors/tr/ERR_LIFETIME_EXP
usr/lib/squid/errors/tr/ERR_NO_RELAY
usr/lib/squid/errors/tr/ERR_ONLY_IF_CACHED_MISS
usr/lib/squid/errors/tr/ERR_PRECONDITION_FAILED
usr/lib/squid/errors/tr/ERR_PROTOCOL_UNKNOWN
usr/lib/squid/errors/tr/ERR_READ_ERROR
usr/lib/squid/errors/tr/ERR_READ_TIMEOUT
usr/lib/squid/errors/tr/ERR_SECURE_CONNECT_FAIL
@@ -1940,6 +1983,7 @@ usr/lib/squid/errors/tr/error-details.txt
#usr/lib/squid/errors/uk/ERR_NO_RELAY
#usr/lib/squid/errors/uk/ERR_ONLY_IF_CACHED_MISS
#usr/lib/squid/errors/uk/ERR_PRECONDITION_FAILED
#usr/lib/squid/errors/uk/ERR_PROTOCOL_UNKNOWN
#usr/lib/squid/errors/uk/ERR_READ_ERROR
#usr/lib/squid/errors/uk/ERR_READ_TIMEOUT
#usr/lib/squid/errors/uk/ERR_SECURE_CONNECT_FAIL
@@ -1983,6 +2027,7 @@ usr/lib/squid/errors/tr/error-details.txt
#usr/lib/squid/errors/uz/ERR_NO_RELAY
#usr/lib/squid/errors/uz/ERR_ONLY_IF_CACHED_MISS
#usr/lib/squid/errors/uz/ERR_PRECONDITION_FAILED
#usr/lib/squid/errors/uz/ERR_PROTOCOL_UNKNOWN
#usr/lib/squid/errors/uz/ERR_READ_ERROR
#usr/lib/squid/errors/uz/ERR_READ_TIMEOUT
#usr/lib/squid/errors/uz/ERR_SECURE_CONNECT_FAIL
@@ -2027,6 +2072,7 @@ usr/lib/squid/errors/tr/error-details.txt
#usr/lib/squid/errors/vi/ERR_NO_RELAY
#usr/lib/squid/errors/vi/ERR_ONLY_IF_CACHED_MISS
#usr/lib/squid/errors/vi/ERR_PRECONDITION_FAILED
#usr/lib/squid/errors/vi/ERR_PROTOCOL_UNKNOWN
#usr/lib/squid/errors/vi/ERR_READ_ERROR
#usr/lib/squid/errors/vi/ERR_READ_TIMEOUT
#usr/lib/squid/errors/vi/ERR_SECURE_CONNECT_FAIL
@@ -2073,6 +2119,7 @@ usr/lib/squid/errors/tr/error-details.txt
#usr/lib/squid/errors/zh-hans/ERR_NO_RELAY
#usr/lib/squid/errors/zh-hans/ERR_ONLY_IF_CACHED_MISS
#usr/lib/squid/errors/zh-hans/ERR_PRECONDITION_FAILED
#usr/lib/squid/errors/zh-hans/ERR_PROTOCOL_UNKNOWN
#usr/lib/squid/errors/zh-hans/ERR_READ_ERROR
#usr/lib/squid/errors/zh-hans/ERR_READ_TIMEOUT
#usr/lib/squid/errors/zh-hans/ERR_SECURE_CONNECT_FAIL
@@ -2119,6 +2166,7 @@ usr/lib/squid/errors/tr/error-details.txt
#usr/lib/squid/errors/zh-hant/ERR_NO_RELAY
#usr/lib/squid/errors/zh-hant/ERR_ONLY_IF_CACHED_MISS
#usr/lib/squid/errors/zh-hant/ERR_PRECONDITION_FAILED
#usr/lib/squid/errors/zh-hant/ERR_PROTOCOL_UNKNOWN
#usr/lib/squid/errors/zh-hant/ERR_READ_ERROR
#usr/lib/squid/errors/zh-hant/ERR_READ_TIMEOUT
#usr/lib/squid/errors/zh-hant/ERR_SECURE_CONNECT_FAIL
@@ -2144,7 +2192,7 @@ usr/lib/squid/ext_sql_session_acl
usr/lib/squid/ext_time_quota_acl
usr/lib/squid/ext_unix_group_acl
usr/lib/squid/ext_wbinfo_group_acl
usr/lib/squid/helper-mux.pl
usr/lib/squid/helper-mux
usr/lib/squid/icons
usr/lib/squid/icons/SN.png
usr/lib/squid/icons/silk
@@ -2203,18 +2251,19 @@ usr/lib/squid/log_file_daemon
usr/lib/squid/mib.txt
usr/lib/squid/negotiate_wrapper_auth
usr/lib/squid/ntlm_fake_auth
usr/lib/squid/ntlm_smb_lm_auth
usr/lib/squid/security_fake_certverify
usr/lib/squid/storeid_file_rewrite
usr/lib/squid/unlinkd
usr/lib/squid/url_fake_rewrite
usr/lib/squid/url_fake_rewrite.sh
usr/lib/squid/url_lfs_rewrite
usr/sbin/squid
usr/sbin/updxlrator
#usr/share/man/man1/purge.1
#usr/share/man/man1/squidclient.1
#usr/share/man/man8/basic_db_auth.8
#usr/share/man/man8/basic_getpwnam_auth.8
#usr/share/man/man8/basic_ldap_auth.8
#usr/share/man/man8/basic_msnt_multi_domain_auth.8
#usr/share/man/man8/basic_ncsa_auth.8
#usr/share/man/man8/basic_pam_auth.8
#usr/share/man/man8/basic_pop3_auth.8
@@ -2231,9 +2280,12 @@ usr/sbin/updxlrator
#usr/share/man/man8/ext_time_quota_acl.8
#usr/share/man/man8/ext_unix_group_acl.8
#usr/share/man/man8/ext_wbinfo_group_acl.8
#usr/share/man/man8/helper-mux.8
#usr/share/man/man8/log_db_daemon.8
#usr/share/man/man8/security_fake_certverify.8
#usr/share/man/man8/squid.8
#usr/share/man/man8/storeid_file_rewrite.8
#usr/share/man/man8/url_lfs_rewrite.8
#var/cache/squid
var/ipfire/proxy/errorpage-ipfire.css
var/ipfire/proxy/errorpage-squid.css


@@ -24,7 +24,7 @@
include Config
VER = 3.5.28
VER = 4.4
THISAPP = squid-$(VER)
DL_FILE = $(THISAPP).tar.xz
@@ -42,7 +42,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
$(DL_FILE)_MD5 = 9367e0375ea53ba0e99f77054d4402c5
$(DL_FILE)_MD5 = 892504ca9700e1f139a53f84098613bd
install : $(TARGET)
@@ -72,9 +72,10 @@ $(subst %,%_MD5,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5.28-fix-max-file-descriptors.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/01_Fix_netdb_exchange_with_a_TLS_cache_peer_307.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/02_Maintenance_add_xz_tarball_format_formally_to_make_dist_325.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/03_The_handshake_logformat_code_331.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-4.4-fix-max-file-descriptors.patch
cd $(DIR_APP) && autoreconf -vfi
cd $(DIR_APP)/libltdl && autoreconf -vfi
@@ -125,7 +126,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
--enable-zph-qos \
--with-dl \
--with-filedescriptors=$$(( 16384 * 64 )) \
--with-large-files
--with-large-files \
--without-gnutls \
--without-netfilter-conntrack
cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
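Review bot: The two patches dropped from the patch block, `01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch` (an HTML injection fix for certificate fields) and `02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch`, are removed without the hunk or the commit message stating that the 4.4 tarball already contains them; the October 2018 dates on those patches and the December 2018 commit date make that plausible, but a reviewer has to take it on trust. A one-line comment above the remaining `patch -Np1` lines, `# upstream fixes #306 and #313 are part of the 4.4 release; only post-4.4 backports are applied here`, would record why the lines went away. Of the added patches, `02_Maintenance_add_xz_tarball_format_formally_to_make_dist_325.patch` only adds the `dist-xz` automake option, which affects `make dist` output rather than a build from the downloaded tarball, so it appears to be unnecessary in this LFS. The download remains pinned only by `$(DL_FILE)_MD5`; that is the build system's convention, but the new value should be checked against upstream's published signature or checksum for the 4.4 tarball before merging.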


@@ -1,72 +0,0 @@
commit f1657a9decc820f748fa3aff68168d3145258031
Author: Christos Tsantilas <christos@chtsanti.net>
Date: 2018-10-17 15:14:07 +0000
Certificate fields injection via %D in ERR_SECURE_CONNECT_FAIL (#306)
%ssl_subject, %ssl_ca_name, and %ssl_cn values were not properly escaped when %D code was expanded in HTML context of the ERR_SECURE_CONNECT_FAIL template. This bug affects all
ERR_SECURE_CONNECT_FAIL page templates containing %D, including the default template.
Other error pages are not vulnerable because Squid does not populate %D with certificate details in other contexts (yet).
Thanks to Nikolas Lohmann [eBlocker] for identifying the problem.
TODO: If those certificate details become needed for ACL checks or other non-HTML purposes, make their HTML-escaping conditional.
This is a Measurement Factory project.
diff --git a/src/ssl/ErrorDetail.cc b/src/ssl/ErrorDetail.cc
index b5030e3..314e998 100644
--- a/src/ssl/ErrorDetail.cc
+++ b/src/ssl/ErrorDetail.cc
@@ -8,6 +8,8 @@
#include "squid.h"
#include "errorpage.h"
+#include "fatal.h"
+#include "html_quote.h"
#include "ssl/ErrorDetail.h"
#include <climits>
@@ -432,8 +434,11 @@ const char *Ssl::ErrorDetail::subject() const
{
if (broken_cert.get()) {
static char tmpBuffer[256]; // A temporary buffer
- if (X509_NAME_oneline(X509_get_subject_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer)))
- return tmpBuffer;
+ if (X509_NAME_oneline(X509_get_subject_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) {
+ // quote to avoid possible html code injection through
+ // certificate subject
+ return html_quote(tmpBuffer);
+ }
}
return "[Not available]";
}
@@ -461,8 +466,11 @@ const char *Ssl::ErrorDetail::cn() const
static String tmpStr; ///< A temporary string buffer
tmpStr.clean();
Ssl::matchX509CommonNames(broken_cert.get(), &tmpStr, copy_cn);
- if (tmpStr.size())
- return tmpStr.termedBuf();
+ if (tmpStr.size()) {
+ // quote to avoid possible html code injection through
+ // certificate subject
+ return html_quote(tmpStr.termedBuf());
+ }
}
return "[Not available]";
}
@@ -474,8 +482,11 @@ const char *Ssl::ErrorDetail::ca_name() const
{
if (broken_cert.get()) {
static char tmpBuffer[256]; // A temporary buffer
- if (X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer)))
- return tmpBuffer;
+ if (X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) {
+ // quote to avoid possible html code injection through
+ // certificate issuer subject
+ return html_quote(tmpBuffer);
+ }
}
return "[Not available]";
}


@@ -0,0 +1,91 @@
commit bc54d7a6f7ec510a25966f2f800d3ea874657546
Author: chi-mf <43963496+chi-mf@users.noreply.github.com>
Date: 2018-10-30 04:48:40 +0000
Fix netdb exchange with a TLS cache_peer (#307)
Squid uses http-scheme URLs when sending netdb exchange (and possibly
other) requests to a cache_peer. If a DIRECT path is selected for that
cache_peer URL, then Squid sends a clear text HTTP request to that
cache_peer. If that cache_peer expects a TLS connection, it will reject
that request (with, e.g., error:transaction-end-before-headers),
resulting in an HTTP 503 or 504 netdb fetch error.
Workaround this by adding an internalRemoteUri() parameter to indicate
whether https or http URL scheme should be used. Netdb fetches from
CachePeer::secure peers now get an https scheme and, hence, a TLS
connection.
diff --git a/src/icmp/net_db.cc b/src/icmp/net_db.cc
index 0f488de..526093f 100644
--- a/src/icmp/net_db.cc
+++ b/src/icmp/net_db.cc
@@ -1282,7 +1282,7 @@ netdbExchangeStart(void *data)
#if USE_ICMP
CachePeer *p = (CachePeer *)data;
static const SBuf netDB("netdb");
- char *uri = internalRemoteUri(p->host, p->http_port, "/squid-internal-dynamic/", netDB);
+ char *uri = internalRemoteUri(p->secure.encryptTransport, p->host, p->http_port, "/squid-internal-dynamic/", netDB);
debugs(38, 3, "Requesting '" << uri << "'");
const MasterXaction::Pointer mx = new MasterXaction(XactionInitiator::initIcmp);
HttpRequest *req = HttpRequest::FromUrl(uri, mx);
diff --git a/src/internal.cc b/src/internal.cc
index 6ebc7a6..ff7b4d6 100644
--- a/src/internal.cc
+++ b/src/internal.cc
@@ -82,7 +82,7 @@ internalStaticCheck(const SBuf &urlPath)
* makes internal url with a given host and port (remote internal url)
*/
char *
-internalRemoteUri(const char *host, unsigned short port, const char *dir, const SBuf &name)
+internalRemoteUri(bool encrypt, const char *host, unsigned short port, const char *dir, const SBuf &name)
{
static char lc_host[SQUIDHOSTNAMELEN];
assert(host && !name.isEmpty());
@@ -115,7 +115,7 @@ internalRemoteUri(const char *host, unsigned short port, const char *dir, const
static MemBuf mb;
mb.reset();
- mb.appendf("http://" SQUIDSBUFPH, SQUIDSBUFPRINT(tmp.authority()));
+ mb.appendf("%s://" SQUIDSBUFPH, encrypt ? "https" : "http", SQUIDSBUFPRINT(tmp.authority()));
if (dir)
mb.append(dir, strlen(dir));
@@ -132,7 +132,10 @@ internalRemoteUri(const char *host, unsigned short port, const char *dir, const
char *
internalLocalUri(const char *dir, const SBuf &name)
{
- return internalRemoteUri(getMyHostname(),
+ // XXX: getMy*() may return https_port info, but we force http URIs
+ // because we have not checked whether the callers can handle https.
+ const bool secure = false;
+ return internalRemoteUri(secure, getMyHostname(),
getMyPort(), dir, name);
}
diff --git a/src/internal.h b/src/internal.h
index c91f9ac..13a43a6 100644
--- a/src/internal.h
+++ b/src/internal.h
@@ -24,7 +24,7 @@ void internalStart(const Comm::ConnectionPointer &clientConn, HttpRequest *, Sto
bool internalCheck(const SBuf &urlPath);
bool internalStaticCheck(const SBuf &urlPath);
char *internalLocalUri(const char *dir, const SBuf &name);
-char *internalRemoteUri(const char *, unsigned short, const char *, const SBuf &);
+char *internalRemoteUri(bool, const char *, unsigned short, const char *, const SBuf &);
const char *internalHostname(void);
int internalHostnameIs(const char *);
diff --git a/src/peer_digest.cc b/src/peer_digest.cc
index 36a8705..f515aaa 100644
--- a/src/peer_digest.cc
+++ b/src/peer_digest.cc
@@ -323,7 +323,7 @@ peerDigestRequest(PeerDigest * pd)
if (p->digest_url)
url = xstrdup(p->digest_url);
else
- url = xstrdup(internalRemoteUri(p->host, p->http_port, "/squid-internal-periodic/", SBuf(StoreDigestFileName)));
+ url = xstrdup(internalRemoteUri(p->secure.encryptTransport, p->host, p->http_port, "/squid-internal-periodic/", SBuf(StoreDigestFileName)));
debugs(72, 2, url);
const MasterXaction::Pointer mx = new MasterXaction(XactionInitiator::initCacheDigest);


@@ -1,22 +0,0 @@
commit bc9786119f058a76ddf0625424bc33d36460b9a2 (refs/remotes/origin/v3.5)
Author: flozilla <fishyflow@gmail.com>
Date: 2018-10-24 14:12:01 +0200
Fix memory leak when parsing SNMP packet (#313)
SNMP queries denied by snmp_access rules and queries with certain
unsupported SNMPv2 commands were leaking a few hundred bytes each. Such
queries trigger "SNMP agent query DENIED from..." WARNINGs in cache.log.
diff --git a/src/snmp_core.cc b/src/snmp_core.cc
index c4d21c1..16c2993 100644
--- a/src/snmp_core.cc
+++ b/src/snmp_core.cc
@@ -409,6 +409,7 @@ snmpDecodePacket(SnmpRequest * rq)
snmpConstructReponse(rq);
} else {
debugs(49, DBG_IMPORTANT, "WARNING: SNMP agent query DENIED from : " << rq->from);
+ snmp_free_pdu(PDU);
}
xfree(Community);


@@ -0,0 +1,22 @@
commit 3c23ae8c7431344f8fc50bb5ee8f4b56d08c10a4
Author: Amos Jeffries <yadij@users.noreply.github.com>
Date: 2018-11-11 04:29:58 +0000
Maintenance: add .xz tarball format formally to make dist (#325)
Automake can now handle generating this format itself and the
experiments of providing it for downstream have gone well.
diff --git a/configure.ac b/configure.ac
index 3f8af6d..f668567 100644
--- a/configure.ac
+++ b/configure.ac
@@ -10,7 +10,7 @@ AC_PREREQ(2.61)
AC_CONFIG_HEADERS([include/autoconf.h])
AC_CONFIG_AUX_DIR(cfgaux)
AC_CONFIG_SRCDIR([src/main.cc])
-AM_INIT_AUTOMAKE([tar-ustar nostdinc subdir-objects])
+AM_INIT_AUTOMAKE([tar-ustar nostdinc subdir-objects dist-xz])
AC_REVISION($Revision$)dnl
AC_PREFIX_DEFAULT(/usr/local/squid)
AM_MAINTAINER_MODE


@@ -0,0 +1,132 @@
commit 0022167d80725513d95b38aaebc90086fc0b6938 (tag: refs/tags/M-staged-PR331, refs/remotes/origin/v4)
Author: Christos Tsantilas <christos@chtsanti.net>
Date: 2018-11-14 15:17:06 +0000
The %>handshake logformat code (#331)
Logging client "handshake" bytes is useful in at least two contexts:
* Runtime traffic bypass and bumping/splicing decisions. Identifying
popular clients like Skype for Business (that uses a TLS handshake but
then may not speak TLS) is critical for handling their traffic
correctly. Squid does not have enough ACLs to interrogate most TLS
handshake aspects. Adding more ACLs may still be a good idea, but
initial sketches for SfB handshakes showed rather complex
ACLs/configurations, _and_ no reasonable ACLs would be able to handle
non-TLS handshakes. An external ACL receiving the handshake is in a
much better position to analyze/fingerprint it according to custom
admin needs.
* A logged handshake can be used to analyze new/unusual traffic or even
trigger security-related alarms.
The current support is limited to cases where Squid was saving handshake
for other reasons. With enough demand, this initial support can be
extended to all protocols and port configurations.
This is a Measurement Factory project.
diff --git a/src/cf.data.pre b/src/cf.data.pre
index fa8af56..a8ca587 100644
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -4394,6 +4394,37 @@ DOC_START
<qos Server connection TOS/DSCP value set by Squid
<nfmark Server connection netfilter mark set by Squid
+ >handshake Raw client handshake
+ Initial client bytes received by Squid on a newly
+ accepted TCP connection or inside a just established
+ CONNECT tunnel. Squid stops accumulating handshake
+ bytes as soon as the handshake parser succeeds or
+ fails (determining whether the client is using the
+ expected protocol).
+
+ For HTTP clients, the handshake is the request line.
+ For TLS clients, the handshake consists of all TLS
+ records up to and including the TLS record that
+ contains the last byte of the first ClientHello
+ message. For clients using an unsupported protocol,
+ this field contains the bytes received by Squid at the
+ time of the handshake parsing failure.
+
+ See the on_unsupported_protocol directive for more
+ information on Squid handshake traffic expectations.
+
+ Current support is limited to these contexts:
+ - http_port connections, but only when the
+ on_unsupported_protocol directive is in use.
+ - https_port connections (and CONNECT tunnels) that
+ are subject to the ssl_bump peek or stare action.
+
+ To protect binary handshake data, this field is always
+ base64-encoded (RFC 4648 Section 4). If logformat
+ field encoding is configured, that encoding is applied
+ on top of base64. Otherwise, the computed base64 value
+ is recorded as is.
+
Time related format codes:
ts Seconds since epoch
diff --git a/src/format/ByteCode.h b/src/format/ByteCode.h
index ad230bb..a6f8fd9 100644
--- a/src/format/ByteCode.h
+++ b/src/format/ByteCode.h
@@ -46,6 +46,8 @@ typedef enum {
LFT_CLIENT_LOCAL_TOS,
LFT_CLIENT_LOCAL_NFMARK,
+ LFT_CLIENT_HANDSHAKE,
+
/* client connection local squid.conf details */
LFT_LOCAL_LISTENING_IP,
LFT_LOCAL_LISTENING_PORT,
diff --git a/src/format/Format.cc b/src/format/Format.cc
index c1e19b4..8fd6720 100644
--- a/src/format/Format.cc
+++ b/src/format/Format.cc
@@ -8,6 +8,7 @@
#include "squid.h"
#include "AccessLogEntry.h"
+#include "base64.h"
#include "client_side.h"
#include "comm/Connection.h"
#include "err_detail_type.h"
@@ -547,6 +548,24 @@ Format::Format::assemble(MemBuf &mb, const AccessLogEntry::Pointer &al, int logS
}
break;
+ case LFT_CLIENT_HANDSHAKE:
+ if (al->request && al->request->clientConnectionManager.valid()) {
+ const auto &handshake = al->request->clientConnectionManager->preservedClientData;
+ if (const auto rawLength = handshake.length()) {
+ // add 1 byte to optimize the c_str() conversion below
+ char *buf = sb.rawAppendStart(base64_encode_len(rawLength) + 1);
+
+ struct base64_encode_ctx ctx;
+ base64_encode_init(&ctx);
+ auto encLength = base64_encode_update(&ctx, buf, rawLength, reinterpret_cast<const uint8_t*>(handshake.rawContent()));
+ encLength += base64_encode_final(&ctx, buf + encLength);
+
+ sb.rawAppendFinish(buf, encLength);
+ out = sb.c_str();
+ }
+ }
+ break;
+
case LFT_TIME_SECONDS_SINCE_EPOCH:
// some platforms store time in 32-bit, some 64-bit...
outoff = static_cast<int64_t>(current_time.tv_sec);
diff --git a/src/format/Token.cc b/src/format/Token.cc
index 186ade5..06c60cf 100644
--- a/src/format/Token.cc
+++ b/src/format/Token.cc
@@ -141,6 +141,7 @@ static TokenTableEntry TokenTableMisc[] = {
TokenTableEntry("<qos", LFT_SERVER_LOCAL_TOS),
TokenTableEntry(">nfmark", LFT_CLIENT_LOCAL_NFMARK),
TokenTableEntry("<nfmark", LFT_SERVER_LOCAL_NFMARK),
+ TokenTableEntry(">handshake", LFT_CLIENT_HANDSHAKE),
TokenTableEntry("err_code", LFT_SQUID_ERROR ),
TokenTableEntry("err_detail", LFT_SQUID_ERROR_DETAIL ),
TokenTableEntry("note", LFT_NOTE ),
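Review bot: The new LFT_CLIENT_HANDSHAKE case in the Format.cc hunk base64-encodes preservedClientData without a comment stating why the encoding is not optional, which matters for anyone later tempted to add a "raw" variant: the bytes are client-supplied and may contain newlines or other record delimiters, so the encoding is what keeps each access.log line well-formed. Suggest `// always base64: handshake bytes are client-supplied binary and must not reach the log unescaped` above the rawAppendStart call. The hunk also places no cap on rawLength; if preservedClientData is not bounded elsewhere, a single log line grows with whatever the client sent before the handshake parser gave up, which the cf.data.pre text could mention for operators sizing log storage. Since the documented content is the HTTP request line or the full ClientHello, the cf.data.pre entry could also note that this field is as sensitive as the logged URL for retention purposes. Format::Format::assemble begins and ends outside the hunk.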


@@ -1,6 +1,6 @@
--- configure.ac.~ Wed Apr 20 14:26:07 2016
+++ configure.ac Fri Apr 22 17:20:46 2016
@@ -3135,6 +3135,9 @@
@@ -3156,6 +3156,9 @@
;;
esac
@@ -10,7 +10,7 @@
dnl --with-maxfd present for compatibility with Squid-2.
dnl undocumented in ./configure --help to encourage using the Squid-3 directive
AC_ARG_WITH(maxfd,,
@@ -3165,8 +3168,6 @@
@@ -3186,8 +3189,6 @@
esac
])