From patchwork Sun Jan 18 10:57:01 2015
X-Patchwork-Submitter: hanno
X-Patchwork-Id: 430165
Date: Sun, 18 Jan 2015 23:57:01 +1300
From: hanno
To: openwrt-devel@lists.openwrt.org
Message-ID: <20150118105701.GB22118@hanno-All-Series>
Subject: [OpenWrt-Devel] [PATCH] [packages] new package squid3

This patch provides support for squid 3.4.10. Rather than replacing squid2, a new package squid3 has been created to avoid any compatibility issues. The squid.conf file has a number of options included that allow squid3 to run on the OpenWrt directory structure. In addition, a squid3 init programme is provided that takes care of iptables rules for intercept proxy mode.

Signed-off-by: Hanno Schupp

diff -uprN ../trunk/feeds/packages/net/squid3/files/squid3.init ./feeds/packages/net/squid3/files/squid3.init --- ../trunk/feeds/packages/net/squid3/files/squid3.init 1970-01-01 12:00:00.000000000 +1200 +++ ./feeds/packages/net/squid3/files/squid3.init 2015-01-18 23:20:53.795030540 +1300 
@@ -0,0 +1,116 @@ +#!/bin/sh /etc/rc.common +# Copyright (C) 2008-2013 OpenWrt.org +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. + +# This script will start or stop the squid 3 service and at the same time +# create the appropriate iptable rules for intercepting (aka.transparent) +# proxy mode. 'acl Safe_ports' directives will be intercepted using +# iptables to the intercepting http_port and 'acl SSL_ports will be +# redirected to the intercepting https_port. all iptable rules are removed +# when the service is stopped. + +START=90 +STOP=10 + +USE_PROCD=1 +PROG=squid +SSLCRTD_PROG=/usr/lib/squid3/ssl_crtd +CONFIG_FILE=/etc/squid3/squid.conf + +service_triggers() +{ + procd_add_reload_trigger "$CONFIG_FILE" +} + +ipt() { + opt=$1; shift + echo "iptables -D $*" >> /var/run/squid3.sh + iptables $opt $* +} + +intercept_ports() { + intercepting=$1 + acl_word=$2 + while read o; do + case "$o" in + "$acl_word"*) + intercepted=$(echo "$o" | awk '{print $4;}'| sed 's/-/:/g') + lanip=$(uci get network.lan.ipaddr) + ipt -I prerouting_rule -t nat -p tcp -i br-lan --dport $intercepted -j DNAT --to $lanip:$intercepting + ;; + esac + done < $CONFIG_FILE +} + +add_firewall_rules() { + while read p; do + case "$p" in + *intercept*) + case "$p" in + *https_port*) + intercept_ports $(echo "$p" | awk '{print $2;}') 'acl SSL_ports' + ;; + *http_port*) + intercept_ports $(echo "$p" | awk '{print $2;}') 'acl Safe_ports' + ;; + esac + ;; + esac + done < $CONFIG_FILE + [ -e /var/run/squid3.sh ] && chmod 755 /var/run/squid3.sh +} + +remove_firewall_rules() { + if [ -e /var/run/squid3.sh ]; then + sh /var/run/squid3.sh 2>/dev/null + rm -f /var/run/squid3.sh 2>/dev/null + fi +} + +start_service() { + + if [ ! 
-z "$CONFIG_FILE" ]; then + + remove_firewall_rules + + cache_dir=$(cat "$CONFIG_FILE" | awk '/cache_dir/ {print $3;}') + [ -z "cache_dir" ] && cache_dir=$(cat "$CONFIG_FILE" | awk '/coredump_dir/ {print $2;}') + [ -z "cache_dir" ] && cache_dir=/var/cache + + if [ ! -d "$cache_dir" ]; then + mkdir -p "$cache_dir" + chown nobody:nogroup "$cache_dir" + chmod -R 777 "$cache_dir" + "$PROG" -z + fi + [ ! -d "$cache_dir/ssl_db" ] && "$SSLCRTD_PROG" -c -s "$cache_dir"/ssl_db + chown nobody:nogroup "$cache_dir"/ssl_db + chmod -R 777 "$cache_dir"/ssl_db +# uncomment if you want the config file parsed before startup +# "$PROG" -k parse + + procd_open_instance + procd_set_param command "$PROG" -N -f "$CONFIG_FILE" + procd_set_param file "$CONFIG_FILE" + procd_close_instance + + add_firewall_rules + + return + fi +} + +stop_service() { + "$PROG" -k shutdown + remove_firewall_rules +} + +reload() +{ + "$PROG" -k reconfigure + remove_firewall_rules + add_firewall_rules +} + diff -uprN ../trunk/feeds/packages/net/squid3/files/squid.conf ./feeds/packages/net/squid3/files/squid.conf --- ../trunk/feeds/packages/net/squid3/files/squid.conf 1970-01-01 12:00:00.000000000 +1200 +++ ./feeds/packages/net/squid3/files/squid.conf 2015-01-18 23:14:10.867143467 +1300 
@@ -0,0 +1,92 @@ +# +# Recommended minimum configuration for OpenWrt +# + +# Example rule allowing access from your local networks. +# Adapt to list your (internal) IP networks from where browsing +# should be allowed +acl localnet src 10.0.0.0/8 # RFC1918 possible internal network +acl localnet src 172.16.0.0/12 # RFC1918 possible internal network +acl localnet src 192.168.0.0/16 # RFC1918 possible internal network +acl localnet src fc00::/7 # RFC 4193 local private network range +acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines + +acl SSL_ports port 443 +acl Safe_ports port 80 # http +acl Safe_ports port 21 # ftp +acl Safe_ports port 443 # https +acl Safe_ports port 70 # gopher +acl Safe_ports port 210 # wais +acl Safe_ports port 1025-65535 # unregistered ports +acl Safe_ports port 280 # http-mgmt +acl Safe_ports port 488 # gss-http +acl Safe_ports port 591 # filemaker +acl Safe_ports port 777 # multiling http +acl CONNECT method CONNECT + +# +# Recommended minimum Access Permission configuration: +# +# Deny requests to certain unsafe ports +http_access deny !Safe_ports + +# Deny CONNECT to other than secure SSL ports +http_access deny CONNECT !SSL_ports + +# Only allow cachemgr access from localhost +http_access allow localhost manager +http_access deny manager + +# We strongly recommend the following be uncommented to protect innocent +# web applications running on the proxy server who think the only +# one who can access services on "localhost" is a local user +#http_access deny to_localhost + +# +# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS +# + +# Example rule allowing access from your local networks. 
+# Adapt localnet in the ACL section to list your (internal) IP networks +# from where browsing should be allowed +http_access allow localnet +http_access allow localhost + +# And finally deny all other access to this proxy +http_access deny all + +# Squid normally listens to port 3128 +http_port 3128 + +# Uncomment and adjust the following to add a disk cache directory. +#cache_dir ufs /var/cache/squid 100 16 256 + +# Leave coredumps in the first cache dir +coredump_dir /var/cache/squid + +# +# Add any of your own refresh_pattern entries above these. +# +refresh_pattern ^ftp: 1440 20% 10080 +refresh_pattern ^gopher: 1440 0% 1440 +refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 +refresh_pattern . 0 20% 4320 + +# Above this line is Squid 3.4.10 default configuration. The section below is +# added to make squid work within OpenWrt's file structure. +# Please note: +# If you want to provide a caching service you will need more than the few +# MB a normal consume rgrade router can provide. You will need an external +# harddrive, which needs to be configured and mounted outside of squid. +# You can redirect your caching directory to your needs by chanching the +# coredump_dir variable below. The supplied squid init programme will +# use this setting as well to establish the necessary file structure + +# Openwrt specific configuration +access_log /var/cache/squid/access.log squid +cache_log /var/cache/squid/cache.log +cache_store_log /var/cache/squid/store.log +pid_filename /var/run/squid.pid +cache_effective_user nobody +cache_effective_group nogroup + diff -uprN ../trunk/feeds/packages/net/squid3/Makefile ./feeds/packages/net/squid3/Makefile --- ../trunk/feeds/packages/net/squid3/Makefile 1970-01-01 12:00:00.000000000 +1200 +++ ./feeds/packages/net/squid3/Makefile 2015-01-18 20:44:51.460082346 +1300 
@@ -0,0 +1,135 @@ +# +# Copyright (C) 2006-2012 OpenWrt.org +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk + +PKG_NAME:=squid +PKG_VERSION:=3.4.10 +PKG_RELEASE:=1 + +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 +PKG_SOURCE_URL:=http://www.squid-cache.org/Versions/v3/3.4/ +PKG_MD5SUM:=326283b0c37e7dc9b2f90dc0ecd9a8a4 + +include $(INCLUDE_DIR)/package.mk + +define Package/squid3/Default + SECTION:=net + CATEGORY:=Network + SUBMENU:=Web Servers/Proxies + URL:=http://www.squid-cache.org/ +endef + +define Package/squid3 + $(call Package/squid3/Default) + MENU:=1 + DEPENDS:=+libpthread +libopenssl +librt +libltdl +libstdcpp +libnetfilter-conntrack +libnettle + TITLE:=full-featured Web proxy cache +endef + +define Package/squid3/description + Squid is a high-performance proxy caching server for web clients, + supporting FTP, gopher, and HTTP data objects. Unlike traditional + caching software, Squid handles all requests in a single, + non-blocking, I/O-driven process. + This implementation is geared specifically toward transparent + proxying and caching of HTTP and HTTPS traffic, including sslbump + and dynamic certificate generation. 
+endef + +define Package/squid3/conffiles +/etc/squid3/cachemgr.conf +/etc/squid3/errorpage.css +/etc/squid3/mime.conf +/etc/squid3/squid.conf +endef + +# --disable-arch-native required for X86 X86_64 platforms +CONFIGURE_ARGS += \ + --datadir=/usr/share/squid3 \ + --libexecdir=/usr/lib/squid3 \ + --sysconfdir=/etc/squid3 \ + --config-cache \ + --enable-shared \ + --enable-static \ + --enable-x-accelerator-vary \ + --with-pthreads \ + --with-dl \ + --enable-icmp \ + --enable-kill-parent-hack \ + --enable-arp-acl \ + --enable-err-languages=English \ + --enable-default-err-language=English \ + --enable-linux-netfilter \ + --enable-icmp \ + --disable-arch-native \ + --disable-external-acl-helpers \ + --disable-auth-negotiate \ + --disable-auth-ntlm \ + --disable-auth-digest \ + --disable-auth-basic \ + --disable-wccp \ + --disable-wccpv2 \ + --disable-snmp \ + --disable-htcp \ + --enable-underscores \ + --enable-cache-digests \ + --enable-referer-log \ + --enable-delay-pools \ + --enable-useragent-log \ + --enable-storeio \ + --enable-epoll \ + --with-maxfd=4096 \ + --without-libcap \ + --with-krb5-config=no \ + --enable-ssl \ + --enable-ssl-crtd \ + --enable-icap-client + +# --with-openssl=$(STAGING_DIR)/usr \ +CONFIGURE_VARS += \ + ac_cv_header_linux_netfilter_ipv4_h=yes \ + ac_cv_epoll_works=yes \ + +define Build/Compile + # pass INCLUDES to compile host sources against our OpenSSL, not the host one + $(MAKE) -C $(PKG_BUILD_DIR)/lib \ + all + $(MAKE) -C $(PKG_BUILD_DIR) \ + DESTDIR="$(PKG_INSTALL_DIR)" \ + install +endef + +define BuildPlugin + define Package/$(1)/install + $(INSTALL_DIR) $$(1)/usr/lib/squid3 + $(CP) $(PKG_INSTALL_DIR)/usr/lib/squid3/$(2) $$(1)/usr/lib/squid3/ + endef + + $$(eval $$(call BuildPackage,$(1))) +endef + +define Package/squid3/install + $(INSTALL_DIR) $(1)/etc/squid3 + $(CP) $(PKG_INSTALL_DIR)/etc/squid3/* $(1)/etc/squid3/ + $(INSTALL_DIR) $(1)/usr/bin + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/purge $(1)/usr/bin/ + $(INSTALL_BIN) 
$(PKG_INSTALL_DIR)/usr/bin/squidclient $(1)/usr/bin/ + $(INSTALL_DIR) $(1)/usr/share/squid3 + $(CP) $(PKG_INSTALL_DIR)/usr/share/squid3/* $(1)/usr/share/squid3/ + $(INSTALL_DIR) $(1)/usr/sbin + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/squid $(1)/usr/sbin/ + $(INSTALL_DIR) $(1)/usr/lib/squid3 + $(CP) $(PKG_INSTALL_DIR)/usr/lib/squid3/* $(1)/usr/lib/squid3/ + /bin/chmod 4755 $(1)/usr/lib/squid3/pinger + $(INSTALL_DIR) $(1)/etc/init.d + $(CP) ./files/squid3.init $(1)/etc/init.d/squid3 + /bin/chmod 4755 $(1)/etc/init.d/squid3 + $(CP) ./files/squid.conf $(1)/etc/squid3/squid.conf +endef + +$(eval $(call BuildPackage,squid3)) diff -uprN ../trunk/feeds/packages/net/squid3/patches/001-cross_compile.patch ./feeds/packages/net/squid3/patches/001-cross_compile.patch --- ../trunk/feeds/packages/net/squid3/patches/001-cross_compile.patch 1970-01-01 12:00:00.000000000 +1200 +++ ./feeds/packages/net/squid3/patches/001-cross_compile.patch 2014-05-16 04:51:06.000000000 +1200 @@ -0,0 +1,11 @@ +--- a/src/Makefile.in ++++ b/src/Makefile.in +@@ -7295,7 +7295,7 @@ + + # cf_gen builds the configuration files. + cf_gen$(EXEEXT): $(cf_gen_SOURCES) $(cf_gen_DEPENDENCIES) cf_gen_defines.cci +- $(HOSTCXX) -o $@ $(srcdir)/cf_gen.cc -I$(srcdir) -I$(top_builddir)/include/ -I$(top_builddir)/src ++ g++ -o $@ $(srcdir)/cf_gen.cc -I$(srcdir) -I$(top_builddir)/include/ -I$(top_builddir)/src + + # squid.conf.default is built by cf_gen when making cf_parser.cci + squid.conf.default squid.conf.documented: cf_parser.cci diff -uprN ../trunk/feeds/packages/net/squid3/patches/002-cross_compile_notest.patch ./feeds/packages/net/squid3/patches/002-cross_compile_notest.patch --- ../trunk/feeds/packages/net/squid3/patches/002-cross_compile_notest.patch 1970-01-01 12:00:00.000000000 +1200 +++ ./feeds/packages/net/squid3/patches/002-cross_compile_notest.patch 2015-01-18 19:55:29.683839992 +1300 
@@ -0,0 +1,56 @@ +--- squid-3.4.10/configure ++++ squid-3.4.10/configure +@@ -22223,7 +22223,7 @@ + if test "$cross_compiling" = yes; then : + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 + $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +-as_fn_error $? "cannot run test program while cross compiling ++as_fn_error1 $? "cannot run test program while cross compiling + See \`config.log' for more details" "$LINENO" 5; } + else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +@@ -22271,7 +22271,7 @@ + if test "$cross_compiling" = yes; then : + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 + $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +-as_fn_error $? "cannot run test program while cross compiling ++as_fn_error1 $? "cannot run test program while cross compiling + See \`config.log' for more details" "$LINENO" 5; } + else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +@@ -24876,7 +24876,7 @@ + if test "$cross_compiling" = yes; then : + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 + $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +-as_fn_error $? "cannot run test program while cross compiling ++as_fn_error1 $? "cannot run test program while cross compiling + See \`config.log' for more details" "$LINENO" 5; } + else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +@@ -24901,7 +24901,7 @@ + if test "$cross_compiling" = yes; then : + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 + $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +-as_fn_error $? "cannot run test program while cross compiling ++as_fn_error1 $? 
"cannot run test program while cross compiling + See \`config.log' for more details" "$LINENO" 5; } + else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +@@ -33985,6 +33985,17 @@ + $as_echo "$as_me: error: $2" >&2 + as_fn_exit $as_status + } # as_fn_error ++as_fn_error1 () ++{ ++ as_status=$1; test $as_status -eq 0 && as_status=1 ++ if test "$4"; then ++ as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack ++ $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 ++ fi ++ $as_echo "$as_me: error: $2" >&2 ++ #as_fn_exit $as_status ++} # as_fn_error ++ + + + # as_fn_set_status STATUS
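Review bot: In the squid3.init hunk, the two fallback tests in start_service, `[ -z "cache_dir" ]`, compare a literal string rather than `$cache_dir`, so they are always false and the coredump_dir and /var/cache fallbacks never run; write `[ -z "$cache_dir" ]`. The awk pattern `/cache_dir/` on the line above also matches the commented-out `#cache_dir ufs /var/cache/squid 100 16 256` line of the shipped squid.conf, so anchor it to a directive at line start (`/^cache_dir/`). Separately, `chmod -R 777` on the cache directory and on ssl_db makes the object cache and the ssl_crtd certificate database writable by every local user; the daemon runs as cache_effective_user nobody/nogroup, so `chown -R nobody:nogroup` with mode 700 (or 750) is enough. The `[ ! -z "$CONFIG_FILE" ]` guard tests a constant and is always true; `[ -f "$CONFIG_FILE" ]` is presumably what was intended.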
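Review bot: In the squid.conf hunk, the init script turns every `acl Safe_ports` entry into a DNAT rule, so the line `acl Safe_ports port 1025-65535` means that as soon as an `http_port ... intercept` is configured, all LAN TCP traffic to ports 1025-65535 (plus 21, 70, 210 and the other Safe_ports) is redirected to the HTTP proxy, not only web traffic; keep the intercept port list in a dedicated acl that the script reads, or limit it to 80. Also, `#http_access deny to_localhost` stays commented although the upstream comment directly above it strongly recommends it, and on a router the proxy host is exactly the machine with local services to protect. Minor: the OpenWrt-specific comment block has typos ("consume rgrade", "chanching").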
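Review bot: In the Makefile hunk, `/bin/chmod 4755 $(1)/etc/init.d/squid3` sets the setuid bit on a shell script; Linux ignores setuid on scripts, and the file should simply be installed with `$(INSTALL_BIN)` instead of `$(CP)` plus chmod. For pinger, setuid root is needed because `--without-libcap` rules out capabilities, but 4755 lets every user invoke it; 4750 owned by root and a dedicated group narrows that. Style: `--enable-icmp` appears twice in CONFIGURE_ARGS, the BuildPlugin template is defined but never called, and the Build/Compile comment claims INCLUDES are passed so that host sources build against the target OpenSSL, while no such variable is actually passed.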
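Review bot: In the 001-cross_compile.patch hunk, replacing `$(HOSTCXX)` with a hard-coded `g++` in the cf_gen rule drops the build system's choice of host compiler; the same effect is obtained without patching Makefile.in by passing `HOSTCXX=$(HOSTCXX)` (the host compiler variable OpenWrt's rules.mk provides, assuming it is exported here) through the make or configure variables, which keeps the source tree unmodified. If the patch stays, a header comment explaining why the hard-coding is needed would help the next maintainer.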
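Review bot: In the 002-cross_compile_notest.patch hunk, `as_fn_error1` prints the cross-compiling error and returns instead of exiting (`#as_fn_exit $as_status` is commented out), so the four configure checks it replaces no longer abort but also never produce a result: configure continues silently with whatever default the surrounding test falls back to. The conventional fix is to pre-seed the corresponding `ac_cv_*` cache variables in CONFIGURE_VARS, as the Makefile already does for `ac_cv_epoll_works`, and to name the four checks in a patch header so a future version bump can drop the patch. Minor: the closing comment `} # as_fn_error` on the new function should read `# as_fn_error1`.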