auto-import squid-2.5.STABLE1-2 from squid-2.5.STABLE1-2.src.rpm

cvsdist 2004-09-09 12:41:26 +00:00
parent 4b5c7a3665
commit 3a68c214ed
5 changed files with 582 additions and 129 deletions

View File

@ -1 +1 @@
squid-2.4.STABLE7-src.tar.gz
squid-2.5.STABLE1.tar.gz

523
FAQ.sgml
View File

@ -114,6 +114,7 @@ is known to work on at least the following platforms:
<item> FreeBSD
<item> NetBSD
<item> BSDI
<item> Mac OS/X
<item> OSF and Digital Unix
<item> IRIX
<item> SunOS/Solaris
@ -128,9 +129,9 @@ is known to work on at least the following platforms:
For more specific information, please see
<url url="http://www.squid-cache.org/platforms.html" name="platforms.html">.
If you encounter any platform-specific problems, please
let us know by sending email to
<url url="mailto:squid-bugs@squid-cache.org"
name="squid-bugs">.
let us know by registering a entry in our
<url url="http://www.squid-cache.org/bugs/"
name="bug database">.
<sect1>Does Squid run on Windows NT?
<label id="squid-NT">
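Review bot: in the replacement line `let us know by registering a entry in our`, "a entry" should be "an entry".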
@ -140,6 +141,10 @@ with the
<url url="http://www.cygnus.com/misc/gnu-win32/"
name="GNU-Win32 package">.
<p>
<url url="http://serassio.interfree.it/SquidNT.htm" name="Guido Serassio">
have Squid NT pages and is actively working on having the needed changes integrated into the standard Squid distribution. Partially based on earlier NT port by <url url="http://www.phys-iasi.ro/users/romeo/squidnt.htm" name="Romeo Anghelache">.
<p>
<url url="http://www.logisense.com/" name="LogiSense">
has ported Squid to Windows NT and sells a supported
@ -147,19 +152,6 @@ version. You can also download the source from
<url url="ftp://ftp.logisense.com/pub/cachexpress/" name="their FTP site">.
Thanks to LogiSense for making the code available as required by the GPL terms.
<p>
<url url="mailto: robert dot collins at itdomain dot com dot au" name="Robert Collins">
is working on a Windows NT port as well. You can find more information from him
at <url url="http://www.ideal.net.au/~collinsdial/Squid2.4.htm" name="his page">.
<p>
<url url="http://serassio.interfree.it/SquidNT.htm" name="Guido Serassio">
and <url url="http://www.phys-iasi.ro/users/romeo/squidnt.htm" name="Romeo Anghelache"> have Squid NT pages, including
binaries and patches.
<p>
<sect1>What Squid mailing lists are available?
<P>
<itemize>
@ -260,13 +252,21 @@ Yeah, its extremely incomplete. I assure you this is the most recent version.
</itemize>
<sect1>Does Squid support SSL/HTTPS/TLS?
<P>
Squid supports these encrypted protocols by ``tunelling'' traffic between
clients and servers.
Squid can relay the encrypted bits between a client and a server.
<p>
As of version 2.5, Squid can terminate SSL connections. This is perhaps
only useful in a surrogate (http accelerator) configuration. You must
run configure with <em/--enable-ssl/. See <em/https_port/ in
squid.conf for more information.
<P>
Squid also supports these encrypted protocols by ``tunelling''
traffic between clients and servers. In this case, Squid can relay
the encrypted bits between a client and a server.
<p>
Normally, when your browser comes across an <em/https/ URL, it
does one of two things:
<enum>
<item>The browser opens an SSL connection directly to the origin
server.
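Review bot: the misspelling "tunelling" in the removed sentence is carried straight into the new paragraph (`Squid also supports these encrypted protocols by ``tunelling''`); make it "tunnelling" while the paragraph is being rewritten. The new paragraph on terminating SSL via `https_port` also introduces a deployment in which Squid itself holds the server certificate's private key, so one sentence next to the `--enable-ssl` pointer saying that the key file must be readable only by the user Squid runs as would be a useful addition to the section.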
@ -283,9 +283,6 @@ method, please see
<url url="ftp://ftp.isi.edu/in-notes/rfc2817.txt" name="RFC 2817">
and <url url="http://www.web-cache.com/Writings/Internet-Drafts/draft-luotonen-web-proxy-tunneling-01.txt"
name="Tunneling TCP based protocols through Web proxy servers"> (expired).
<p>
Squid can not (yet) encrypt or decrypt such connections, however.
Some folks are working on a patch, using OpenSSL, that allows Squid to do this.
<sect1>What's the legal status of Squid?
@ -447,13 +444,15 @@ The following people have made contributions to this document:
<item>
<url url="mailto:Support@dnet.co.uk" name="Martin Lyons">
<item>
<url url="mailto:luyer@ucs.uwa.edu.au" name="David Luyer">
<url url="mailto:david@luyer.net" name="David Luyer">
<item>
<url url="mailto:chris@senet.com.au" name="Chris Foote">
<item>
<url url="mailto:elkner@wotan.cs.Uni-Magdeburg.DE" name="Jens Elkner">
<item>
<url url="mailto:simon@mtds.com" name="Simon White">
<item>
<url url="mailto: jmurdoc at itraktech dot com" name="Jerry Murdock">
</itemize>
<P>
Please send corrections, updates, and comments to:
@ -1442,8 +1441,8 @@ must use the parent for all others, you would write:
<p>
You could also specify internal servers by IP address
<verb>
acl INSIDE_IP dst 1.2.3.4/24
always_direct allow INSIDE
acl INSIDE_IP dst 1.2.3.0/24
always_direct allow INSIDE_IP
never_direct allow all
</verb>
Note, however that when you use IP addresses, Squid must
@ -1871,7 +1870,17 @@ You can use the <em/no_cache/ access list to make Squid never cache any response
<p>
With Squid-2.4 and later you can use the ``null'' storage module:
<verb>
cache_dir null /null
cache_dir null /tmp
</verb>
<p>
Note: the directory (e.g., <em>/tmp</em>) must exist so that squid
can chdir to it, unless you also use the <em/coredump_dir/ option.
<p>
To configure Squid for the ``null'' storage module, specify it
on the <em/configure/ command line:
<verb>
./configure --enable-storeio=ufs,null ...
</verb>
<sect1>Can I prevent users from downloading large files?
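Review bot: `/tmp` is a poor example directory for `cache_dir null /tmp`, given the note that follows it: the directory Squid chdirs to is where its core dumps land unless `coredump_dir` is set, and a core file from a proxy contains whatever was in memory at the crash, which would then be written into a world-writable directory. Suggest a dedicated directory owned by the Squid user in the example, or at least a clause saying that `coredump_dir` should point somewhere private when `/tmp` is used.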
@ -3799,6 +3808,22 @@ any of the ports, then Squid stops.
With version 2.3 and later you can specify IP addresses
and port numbers together (see the squid.conf comments).
<sect1>Can I make origin servers see the client's IP address when going through Squid?
<p>
Normally you cannot. Most TCP/IP stacks do not allow applications to
create sockets with the local endpoint assigned to a foreign IP address.
However, some folks have some <url
url="http://www.balabit.hu/en/downloads/tproxy/" name="patches to
Linux"> that allow exactly that.
<p>
In this situation, you must ensure that all HTTP packets destined for
the client IP addresses are routed to the Squid box. If the packets
take another path, the real clients will send TCP resets to the
origin servers, thereby breaking the connections.
<!-- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -->
<sect>Memory
@ -4409,7 +4434,7 @@ This marks the script as executable to those in <tt/MGR-PROT/.
<sect1>Cache manager configuration for Apache
<P>
First, make sure the cgi-bin directory you're using is listed with a
<tt/ScriptAlias/ in your Apache <em/srm.conf/ file like this:
<tt/ScriptAlias/ in your Apache <em/httpd.conf/ file like this:
<verb>
ScriptAlias /Squid/cgi-bin/ /usr/local/squid/cgi-bin/
</verb>
@ -4418,31 +4443,30 @@ the entire <em//usr/local/squid/bin/ directory where all the
Squid executables live.
<P>
Next, you should ensure that only specified workstations can access
the cache manager. That is done in your Apache <em/access.conf/,
not in <em/squid.conf/. At the bottom of <em/access.conf/
the cache manager. That is done in your Apache <em/httpd.conf/,
not in <em/squid.conf/. At the bottom of <em/httpd.conf/
file, insert:
<verb>
<Location /Squid/cgi-bin/cachemgr.cgi>
order deny,allow
deny from all
&lt;Location /Squid/cgi-bin/cachemgr.cgi&gt;
order allow,deny
allow from workstation.example.com
&etago;Location>
&etago;Location&gt;
</verb>
You can have more than one allow line, and you can allow
domains or networks.
<P>
Alternately, <em/cachemgr.cgi/ can be password-protected. You'd
add the following to <em/access.conf/:
add the following to <em/httpd.conf/:
<verb>
<Location /Squid/cgi-bin/cachemgr.cgi>
&lt;Location /Squid/cgi-bin/cachemgr.cgi&gt;
AuthUserFile /path/to/password/file
AuthGroupFile /dev/null
AuthName User/Password Required
AuthType Basic
require user cachemanager
&etago;Location>
&etago;Location&gt;
</verb>
Consult the Apache documentation for information on using <em/htpasswd/
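Review bot: the `allow from workstation.example.com` example makes cache manager access depend on a reverse DNS lookup of the client address, so access hinges on the correctness of DNS rather than on the address itself; an IP address or network in the `allow from` line is cheaper to evaluate and not subject to that dependency, so suggest showing the IP form first and mentioning hostnames as the alternative. The two `<Location>` blocks are presented as alternatives ("Alternately"), but the address restriction and the password protection can go in one block so that cachemgr.cgi requires both; a sentence saying so would help, since the manager interface exposes the state of the running cache.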
@ -5083,6 +5107,16 @@ for the rule to be a match. This means that it is possible to
write a rule that can never be matched. For example, a port number
can never be equal to both 80 AND 8000 at the same time.
<p>
To summarise the acl logics can be described as:
<verb>
http_access allow|deny acl AND acl AND ...
OR
http_access allow|deny acl AND acl AND ...
OR
...
</verb>
<p>
If none of the rules are matched, then the default action is the
<em/opposite/ of the last rule in the list. Its a good idea to
@ -5440,6 +5474,8 @@ the neighbor ACL's first in the list of <em/http_access/ lines. For example:
Information on this on the <url
url="http://www.snerpa.is/notendur/infilter/infilter-en.phtml"
name="INfilter"> webpage.
<item>The <url url="http://www.squidguard.org/blacklist/" name="SquidGuard">
redirector folks provide a blacklist.
</itemize>
<sect1>Squid doesn't match my subdomains
@ -5692,6 +5728,17 @@ http_access deny porn
(additional http_access lines ...)
</verb>
<sect1>I want to use local time zone in error messages
<P>Squid by defaults uses GMT as timestamp in all geenrated error messages.
This to allow the cache to participate in a hierarchy of caches in different
timezones without risking confusion about what the time is.
<P>To change the timestamp in Squid generated error messages you must change
the Squid signature. See <ref id="custom-err-msgs" name="Customizable Error
Messages">. The signature by defaults uses %T as timestamp, but if you like
then you can use %t instead for a timestamp using local time zone.
<!-- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -->
<sect>Troubleshooting
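Review bot: in the new time zone paragraph, "geenrated" should be "generated", "by defaults" (twice) should be "by default", and "This to allow the cache" reads better as "This is to allow the cache".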
@ -5818,10 +5865,12 @@ edit <em>src/Makefile</em> and enable
<p>
<url url="mailto:voeckler at rvs dot uni-hannover dot de" name="Jens-S. Voeckler">
advises that you should NOT change the soft limit (<em/rlim_fd_cur/) to anything
advises that you should NOT change the default soft limit (<em/rlim_fd_cur/) to anything
larger than 256. It will break other programs, such as the license
manager needed for the SUN workshop compiler. Jens-S. also says that it
should be safe to raise the limit as high as 16,384.
should be safe to raise the limit for the Squid process as high as 16,384
except that there may be problems duruing reconfigure or logrotate if all of
the lower 256 filedescriptors are in use at the time or rotate/reconfigure.
<sect2>IRIX
<p>
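Review bot: in the added line `except that there may be problems duruing reconfigure or logrotate if all of`, "duruing" should be "during", and on the following line "at the time or rotate/reconfigure" should read "at the time of rotate/reconfigure".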
@ -6351,11 +6400,13 @@ Should produce something like:
<sect1>Sending in Squid bug reports
<P>
Bug reports for Squid should be sent to the <url url="mailto:squid-bugs@squid-cache.org"
name="squid-bugs alias">. Any bug report must include
Bug reports for Squid should be registered in our
<url url="http://www.squid-cache.org/bugs/"
name="bug database">. Any bug report must include
<itemize>
<item>The Squid version
<item>Your Operating System type and version
<item>A clear description of the bug symptoms
</itemize>
<sect2>crashes and core dumps
@ -6387,7 +6438,7 @@ due to one of the following reasons:
a meaningful coredump.
<item>
Threads and Linux. On Linux, threaded applications do not generate
core dumps. When you use --enable-async-io, it uses threads and
core dumps. When you use the aufs cache_dir type, it uses threads and
you can't get a coredump.
<item>
It did leave a coredump file, you just can't find it.
@ -6458,11 +6509,11 @@ starting, so look there first:
</verb>
If you cannot find a core file, then either Squid does not have
permission to write in its current directory, or perhaps your shell
limits (csh and clones) are preventing the core file from being written.
limits are preventing the core file from being written.
<p>
Often you can get a coredump if you run Squid from the
command line like this:
command line like this (csh shells and clones):
<verb>
% limit core un
% /usr/local/squid/bin/squid -NCd1
@ -6500,7 +6551,12 @@ Program terminated with signal 6, Aborted.
<P>
If possible, you might keep the coredump file around for a day or
two. It is often helpful if we can ask you to send additional
debugger output, such as the contents of some variables.
debugger output, such as the contents of some variables. But please
note that a core file is only useful if paired with the exact same binary
as generated the corefile. If you recompile Squid then any coredumps from
previous versions will be useless unless you have saved the corresponding
Squid binaries, and any attempts to analyze such coredumps will most certainly
give misleading information about the cause to the crash.
<P>If you CANNOT get Squid to leave a core file for you then one of
the following approaches can be used<label ID="nocore">
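Review bot: the advice to keep the coredump file around for a day or two and to send debugger output should come with a note that the core file holds the complete memory of the proxy at the moment of the crash, including any client credentials and request contents in flight, so it belongs in a directory with restrictive permissions and only the debugger excerpts that are asked for, not the core itself, should be sent to others. The added sentences about matching the core to the exact binary are correct; one wording fix: "the cause to the crash" should be "the cause of the crash".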
@ -6538,7 +6594,7 @@ Squid. Here is a short automated script that should work:
<P>Other options if the above cannot be done is to:
<P>a) Build Squid with the --enable-stacktraces option, if support exists for your OS (exists for Linux glibc on Intel, and Solaris with some extra libraries..)
<P>a) Build Squid with the --enable-stacktraces option, if support exists for your OS (exists for Linux glibc on Intel, and Solaris with some extra libraries which seems rather impossible to find these days..)
<P>b) Run Squid using the "catchsegv" tool. (Linux glibc Intel)
@ -6563,7 +6619,7 @@ command line option:
</verb>
This causes every <em/debug()/ statement in the source code to write a line
in the <em/cache.log/ file.
You also use the same command to restore Squid to normal debugging.
You also use the same command to restore Squid to normal debugging level.
<P>
To enable selective debugging (e.g. for one source file only), you
@ -7179,7 +7235,7 @@ encryption in Webmin.
<sect1>Segment Violation at startup or upon first request
<p>
Some versions of GCC (notably 2.95.1 through 2.95.3) have bugs
Some versions of GCC (notably 2.95.1 through 2.95.4 at least) have bugs
with compiler optimization. These GCC bugs may cause NULL pointer
accesses in Squid, resulting in a ``FATAL: Received Segment
Violation...dying'' message and a core dump.
@ -7964,7 +8020,7 @@ The <em/keep-alive ratio/ shows up in the <em/server_list/
cache manager page for Squid 2.
<P>
This is a mechanism to try detecting neighbor caches which might
not be able to deal with HTTP/1.1 persistent connections. Every
not be able to deal with persistent connections. Every
time we send a <em/proxy-connection: keep-alive/ request header
to a neighbor, we count how many times the neighbor sent us
a <em/proxy-connection: keep-alive/ reply header. Thus, the
@ -8661,6 +8717,20 @@ describes this.
<sect1>Solaris
<sect2>TCP incompatibility?
<p>
J.D. Bronson (jb at ktxg dot com) reported that his Solaris box
could not talk to certain origin servers, such as
<url url="http://moneycentral.msn.com/" name="moneycentral.msn.com">
and <url url="http://www.mbnanetaccess.com" name="www.mbnanetaccess.com">.
J.D. fixed his problem by setting:
<verb>
tcp_xmit_hiwat 49152
tcp_xmit_lowat 4096
tcp_recv_hiwat 49152
</verb>
<sect2>select()
<P>
<em/select(3c)/ won't handle more than 1024 file descriptors. The
@ -8972,8 +9042,8 @@ diff -p -u -r1.40 -r1.41
* SUCH DAMAGE.
*
* @(#)uipc_socket.c 8.3 (Berkeley) 4/15/94
- * $Id: FAQ.sgml,v 1.5 2004/09/09 12:40:04 cvsdist Exp $
+ * $Id: FAQ.sgml,v 1.5 2004/09/09 12:40:04 cvsdist Exp $
- * $Id: FAQ.sgml,v 1.6 2004/09/09 12:41:26 cvsdist Exp $
+ * $Id: FAQ.sgml,v 1.6 2004/09/09 12:41:26 cvsdist Exp $
*/
#include <sys/param.h>
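Review bot: the `$Id: FAQ.sgml,v 1.6 ... $` lines show that CVS keyword expansion has rewritten the `$Id$` line inside the uipc_socket.c patch that the FAQ quotes, so the embedded diff now carries FAQ.sgml's own revision string instead of the Berkeley file's identification line, and it will change again on every revision of FAQ.sgml. Suggest storing FAQ.sgml with keyword expansion disabled (`cvs admin -ko FAQ.sgml`) or escaping the keyword inside the quoted patch so the quoted text stays verbatim.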
@ -10582,13 +10652,16 @@ forwarding is enabled with the following command:
<sect1>Interception caching with Linux 2.4 and netfilter
<label id="trans-linux-3">
<P>
<p>
NOTE: this information comes from Daniel Kiracofe's
<url url="http://www.linuxdoc.org/HOWTO/mini/TransparentProxy.html"
name="Transparent Proxy with Squid mini-HOWTO">.
<p>
You may need to build a new kernel. Be sure to enable
all of these options (none of them as modules):
<P>
To support netfilter transparent interception on Linux 2.4 Squid
must be compiled with the --enable-linux-netfilter option.
<P>
To enable netwfilter support you may need to build a new kernel.
Be sure to enable all of these options:
<itemize>
<item>Networking support
<item>Sysctl support
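Review bot: the rewritten sentence `Be sure to enable all of these options:` drops the qualifier "(none of them as modules)" that the replaced text had; if that restriction still applies to a kernel doing netfilter interception it needs to stay, and if it no longer applies the removal deserves a word in the commit. Also, "netwfilter" in `To enable netwfilter support you may need to build a new kernel.` should be "netfilter".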
@ -11015,8 +11088,8 @@ This appears to cause the correct behaviour.
<sect1>WCCP - Web Cache Coordination Protocol
<p>
Contributors: <url url="mailto:glenn@ircache.net" name="Glenn Chisholm"> and
<url url="mailto:ltd@cisco.com" name="Lincoln Dale">.
Contributors: <url url="mailto:glenn@ircache.net" name="Glenn Chisholm">,
<url url="mailto:ltd@cisco.com" name="Lincoln Dale"> and <url url="mailto:reuben-squid@reub.net" name="Reuben Farrelly">.
<sect2>Does Squid support WCCP?
@ -11046,7 +11119,7 @@ debug output from your router to <em/squid-bugs/.
wccp enable
!
interface [Interface Carrying Outgoing Traffic]x/x
interface [Interface carrying Outgoing Traffic]x/x
!
ip wccp web-cache redirect
!
@ -11070,32 +11143,40 @@ and <em/12.0(4)T/ do not have WCCPv1, but <em/12.0(5)T/ does.
conf t
ip wccp version 1
ip wccp web-cache
ip wccp web-cache redirect-list 150
!
interface [Interface Carrying Outgoing/Incomming Traffic]x/x
interface [Interface carrying Outgoing/Incoming Traffic]x/x
ip wccp web-cache redirect out|in
!
CTRL Z
write mem
</verb>
<sect2>IOS 12.3 problems
<p>
Some people report problems with WCCP and IOS 12.3. They see
Replace 150 with an access list number (either standard or extended)
which lists IP addresses which you do not wish to be transparently
redirected to your cache. Otherwise simply user the word 'redirect'
on it's own to redirect traffic from all sources to all destinations.
<sect2>IOS 12.x problems
<p>
Some people report problems with WCCP and IOS 12.x. They see
truncated or fragmented GRE packets arriving at the cache. Apparently
it works if you disable Cisco Express Forwarding for the interface:
<verb>
conf t
ip cep # some systems may need 'ip cep global'
int Ethernet0/0
ip cef # some systems may already have 'ip cef global'
int Ethernet 0/0 (or int FastEthernet 0/0 or other internal interface)
no ip route-cache cef
CTRL Z
</verb>
<p>
This may well be fixed in later releases of IOS.
<sect2>Configuring FreeBSD
<P>
FreeBSD first needs to be configured to recieve and strip the GRE
FreeBSD first needs to be configured to receive and strip the GRE
encapsulation from the packets from the router. To do this you will
need to patch and recompile your kernel.
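Review bot: the explanation of `ip wccp web-cache redirect-list 150` says the access list names addresses "which you do not wish to be transparently redirected", but in IOS a redirect-list ACL selects the traffic that is redirected (permit entries are redirected, deny entries bypass the cache), so either the sentence is inverted or it assumes a list built from deny lines followed by a permit any; please confirm and add a short example list, because for a transparent proxy getting this backwards means traffic silently bypassing or unexpectedly passing through the cache. Wording nits in the same paragraph: "simply user the word" should be "simply use the word" and "on it's own" should be "on its own". The `ip cep` to `ip cef` correction in the IOS 12.x block is right.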
@ -11512,7 +11593,7 @@ name="cache-snmp-request@ircache.net">.
<P>
<itemize>
<item>HTTP/1.1 persistent connections.
<item>persistent connections.
<item>Lower VM usage; in-transit objects are not held fully in memory.
<item>Totally independent swap directories.
<item>Customizable error texts.
@ -11655,7 +11736,7 @@ option:
<sect1>Delay Pools
<P>
by <url url="mailto:luyer@ucs.uwa.edu.au" name="David Luyer">.
by <url url="mailto:david@luyer.net" name="David Luyer">.
<P>
<bf>
@ -12101,7 +12182,7 @@ This list describes the tags which Squid will insert into the messages:
<descrip>
<tag/%B/ URL with FTP %2f hack
<tag/%c/ Squid error code
<tag/%d/ seconds elapsed since request received
<tag/%d/ seconds elapsed since request received (not yet implemented)
<tag/%e/ errno
<tag/%E/ strerror()
<tag/%f/ FTP request line
@ -12113,19 +12194,34 @@ This list describes the tags which Squid will insert into the messages:
<tag/%I/ server IP address
<tag/%L/ contents of <em/err_html_text/ config option
<tag/%M/ Request Method
<tag/%m/ Error message returned by external auth helper
<tag/%p/ URL port \#
<tag/%P/ Protocol
<tag/%R/ Full HTTP Request
<tag/%S/ squid signature from ERR_SIGNATURE
<tag/%S/ squid default signature
<tag/%s/ caching proxy software with version
<tag/%t/ local time
<tag/%T/ UTC
<tag/%U/ URL without password
<tag/%u/ URL without password, %2f added to path
<tag/%u/ URL with password (Squid-2.5 and later only)
<tag/%w/ cachemgr email address
<tag/%z/ dns server error message
</descrip>
The Squid default signature is added automatically unless %s or %S
is used in the error page. To change the signature you must manually append
the signature to each error page.
<P>The default signature reads like:
<verb>
&lt;BR clear="all"&gt;
&lt;HR noshade size="1px"&gt;
&lt;ADDRESS&gt;
Generated %T by %h (%s)
&lt;/ADDRESS&gt;
&lt;/BODY&gt;&lt;/HTML&gt;
</verb>
<sect1>My squid.conf from version 1.1 doesn't work!
<P>
Yes, a number of configuration directives have been renamed.
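Review bot: the new tag `%u` (`URL with password (Squid-2.5 and later only)`) will, if used in an error template, echo the user's URL-embedded credentials back into the generated page; since error pages carry `%w` (an address the user is invited to write to) and are routinely pasted into bug reports and support mail, the tag list should note that `%U` is the right choice for error pages and that `%u` is only for templates that genuinely need the password. Also check the sentence `The Squid default signature is added automatically unless %s or %S is used`: `%S` is the signature tag, but `%s` is the software version tag in the list above, so confirm that both are really meant to suppress the signature.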
@ -12908,6 +13004,291 @@ storage of passwords and usernames.
<!-- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -->
<sect1>How do I use the Winbind authenticators?
<p>by
<url url="mailto: jmurdock at itraktech dot com" name="Jerry Murdock">
<p>
Winbind is a recent addition to Samba providing some impressive
capabilities for NT based user accounts. From Squid's perspective winbind provides a
robust and efficient engine for both basic and NTLM challenge/response authentication
against an NT domain controller.
<p>
The winbind authenticators have been used successfully under Linux, FreeBSD and Solaris.
<p>
<sect2>Supported Samba Releases
<p>
Samba 2.2.x releases 2.2.4 and later are officially supported.
Squid 2.5 uses an internal Samba interface to communicate with the winbindd daemon.
It is therefore sensitive to any changes the Samba team may make to the interface.
If using Samba 2.2.4 or 2.2.5 then the Squid winbind helpers will work as is.
With Samba 2.2.6, the winbindd interface changed and Squid 2.5 will not work as
distributed. Replacing the <tt>winbindd_nss.h</tt> file in Squid's
<tt>helpers/basic_auth/winbind</tt>, <tt>helpers/ntlm_auth/winbind</tt> and <tt>helpers/external_acl/wb_group/</tt>
directories with the version in Samba's <tt>source/nsswitch</tt> directory
is needed for the helpers to work properly.
Samba 3.0a17 and 3.0a18 implement the same winbindd interface as 2.2.4+ and are known to work.
With Samba 3.0a19, the winbindd interface changed and Squid 2.5 will not work as
distributed. Replacing the <tt>winbindd_nss.h</tt> file in Squid's
<tt>helpers/basic_auth/winbind</tt>, <tt>helpers/ntlm_auth/winbind</tt> and <tt>helpers/external_acl/wb_group/</tt>
directories with the version in Samba's <tt>source/nsswitch</tt> directory has
been reported to work.
The approach may be applicable for later Samba 3.0 versions as long as the
interface does not change significantly, but there is no guarantees.
The Samba and Squid teams are actively working together to insure future Samba
stable releases will be supported.
<sect2>Configure Samba
<p>
<bf>Build/Install Samba</bf>
<p>
Samba must be built with configure options:
<verb>
--with-winbind
--with-winbind-auth-challenge (needed for ntlm)
</verb>
<p>
Optionally, if building Samba 2.2.5, apply the
<url url="http://www.squid-cache.org/mail-archive/squid-dev/200207/att-0117/01-smbpasswd.diff" name="smbpasswd.diff">
patch. See <ref id="WinbindTrustAccounts" name="SMBD and Machine Trust Accounts"> below to
determine if the patch is worthwhile.
<bf>Test Samba's winbindd</bf>
<enum>
<item>
Edit smb.conf for winbindd functionality. The following entries in
the &lsqb;global&rsqb; section of smbd.conf may be used as a template.
<verb>
workgroup = mydomain
password server = myPDC
security = domain
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes
</verb>
</item>
<item>
Join the NT domain as outlined in the winbindd man page for your
version of samba.
</item>
<item>
Test winbindd functionality.
<itemize>
<item>
Start nmbd (required to insure proper operation).
</item>
<item>
Start winbindd.
</item>
<item>
Test basic winbindd functionality "wbinfo -t":
<verb>
# wbinfo -t
Secret is good
</verb>
</item>
<item>
Test winbindd user authentication:
<verb>
# wbinfo -a mydomain\\myuser%mypasswd
plaintext password authentication succeeded
error code was NT_STATUS_OK (0x0)
challenge/response password authentication succeeded
error code was NT_STATUS_OK (0x0)
</verb>
</item>
</itemize>
<em/NOTE/: both plaintext and challenge/response should return
"succeeded." If there is no "challenge/response" status returned then Samba
was not built with "--with-winbind-auth-challenge" and cannot support ntlm
authentication.
<p>
</enum>
<bf>SMBD and Machine Trust Accounts</bf><label id="WinbindTrustAccounts">
<p>
<bf>Samba 2.2.x</bf>
<p>
Samba's smbd daemon, while not strictly required by winbindd may be needed
to manage the machine's trust account.
<p>
Well behaved domain members change the account password on a regular
basis. Windows and Samba servers default to changing this password
every seven days.
<p>
The Samba component responsible for managing the trust account password
is smbd. Smbd needs to receive requests to trigger the password change.
If the machine will be used for file and print services, then just
running smbd to serve routine requests should keep everything happy.
<p>
However, in cases where Squid's winbind helpers are the only reason
Samba components are running, smbd may sit idle. Indeed, there may be
no other reason to run smbd at all.
<p>
There are two sample options to change the trust account. Either may be scheduled daily via a cron job to
change the trust password.
<p>
<url url="http://www.squid-cache.org/mail-archive/squid-dev/200207/att-0076/02-UglySolution.pl" name="UglySolution.pl">
is a sample perl script to load smbd, connect to
a Samba share using smbclient, and generate enough dummy activity to
trigger smbd's machine trust account password change code.
<p>
<url url="http://www.squid-cache.org/mail-archive/squid-dev/200207/att-0117/01-smbpasswd.diff" name="smbpasswd.diff">
is a patch to Samba 2.2.5's smbpasswd utility to allow
changing the machine account password at will. It is a minimal patch
simply exposing a command line interface to an existing Samba function.
<p><bf>Note: This patch has been included in Samba as of 2.2.6pre2.</bf>
<p>
Once patched, the smbpasswd syntax to change the password is:
<verb>
smbpasswd -t DOMAIN -r PDC
</verb>
<bf>Samba 3.x</bf>
<p>
The Samba team has incorporated functionality to change the machine
trust account password in the new "net" command. A simple daily cron
job scheduling "<tt>net rpc changetrustpw</tt>" is all that is needed.
<p>
<sect2>Configure Squid
<p>
<bf>Build/Install Squid</bf>
<p>
Squid must be built with the configure options:
<verb>
--enable-auth="ntlm,basic"
--enable-basic-auth-helpers="winbind"
--enable-ntlm-auth-helpers="winbind"
</verb>
<bf>Test Squid without auth</bf>
<p>
Before going further, test basic Squid functionality. Make sure squid
is functioning without requiring authorization.
<p>
<bf>Test the helpers</bf>
<p>
Testing the winbind ntlm helper is not really possible from the command
line, but the winbind basic authenticator can be tested like any other
basic helper:
<verb>
# /usr/local/squid/libexec/wb_auth -d
/wb_auth[65180](wb_basic_auth.c:136): basic winbindd auth helper ...
mydomain\myuser mypasswd
/wb_auth[65180](wb_basic_auth.c:107): Got 'mydomain\myuser mypasswd' from squid (length: 24).
/wb_auth[65180](wb_basic_auth.c:54): winbindd result: 0
/wb_auth[65180](wb_basic_auth.c:57): sending 'OK' to squid
OK
</verb>
The helper should return "OK" if given a valid username/password.
<p>
<bf>Edit squid.conf</bf>
<p>
<enum>
<item>
Setup the authenticators.
<p>
Add the following to enable both the winbind basic and ntlm
authenticators. IE will use ntlm and everything else basic:
<verb>
auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/local/squid/libexec/wb_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
</verb>
</item>
<item>
Add acl entries to require authentication:
<verb>
acl AuthorizedUsers proxy_auth REQUIRED
..
http_access allow all AuthorizedUsers
</verb>
</item>
</enum>
<p>
<bf>Test Squid with auth</bf>
<p>
<enum>
<item>
Internet Explorer:
<p>
Test browsing through squid with IE. If logged into the domain,
a password prompt should NOT pop up.
<p>
Confirm the traffic really is being authorized by tailing access.log.
The domain\username should be present.
<p>
</item>
<item>
Netscape, mozilla, opera...:
<p>
Test with a non-IE browser. A standard password dialog should appear.
<p>
Entering the domain should not be required if the user is in the
default domain and "winbind use default domain = yes" is set in
smb.conf. Otherwise, the username must be entered in "domain\username" format.
</item>
</enum>
<p>
<p>
If no usernames appear in access.log and/or no password dialogs appear
in either browser, then the acl/http_access portions of squid.conf are
not correct.
<p>
<p>
<bf>References</bf>
<p>
<url url="http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection.html#WINBIND" name="Samba Winbind Overview">
<p>
<url url="http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection.html#AEN1134" name="Joining a Domain in Samba 2.2.x">
<p>
<url url="http://www.samba.org/samba/docs/man/winbindd.8.html" name="winbindd man page">
<p>
<url url="http://www.samba.org/samba/docs/man/wbinfo.1.html" name="wbinfo man page">
<p>
<url url="http://www.samba.org/samba/docs/man/nmbd.8.html" name="nmbd man page">
<p>
<url url="http://www.samba.org/samba/docs/man/smbd.8.html" name="smbd man page">
<p>
<url url="http://www.samba.org/samba/docs/man/smb.conf.5.html" name="smb.conf man page">
<p>
<url url="http://www.samba.org/samba/docs/man/smbclient.1.html" name="smbclient man page">
<!-- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -->
<sect>Terms and Definitions
<sect1>Neighbor
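Review bot: two places in this section put the domain password where it is likely to be captured: the test command `# wbinfo -a mydomain\\myuser%mypasswd` passes it on the command line (shell history, process list), and the helper test run with `wb_auth -d` logs it in clear (`Got 'mydomain\myuser mypasswd' from squid`), so the section should advise a throwaway test account for these steps and say not to leave `-d` enabled on a production helper. Because the configuration deliberately serves non-IE browsers with basic authentication (`IE will use ntlm and everything else basic`), it should also state that basic auth sends the user's NT domain password to the proxy in the clear on every request, a trade-off worth one sentence; `auth_param ntlm max_challenge_reuses 0` is the right setting and could be called out as such. Wording: "insure" (twice) should be "ensure", "there is no guarantees" should be "there are no guarantees", and in `http_access allow all AuthorizedUsers` the `all` is redundant since the ACLs on one line are ANDed, as the acl logic summary earlier in this FAQ describes.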
@ -12975,7 +13356,7 @@ want to make a cron job that regularly verifies that your proxy blocks
access to port 25.
<verb>
$Id: FAQ.sgml,v 1.5 2004/09/09 12:40:04 cvsdist Exp $
$Id: FAQ.sgml,v 1.6 2004/09/09 12:41:26 cvsdist Exp $
</verb>
</article>
<!-- LocalWords: SSL MSIE Netmanage Chameleon WebSurfer unchecking remotehost

View File

@ -1 +1 @@
3b91136b8ddcc37196716fa6e85a14b2 squid-2.4.STABLE7-src.tar.gz
cd26774cd917842a689fee5f76c8d752 squid-2.5.STABLE1.tar.gz
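Review bot: the checksum line `cd26774cd917842a689fee5f76c8d752 squid-2.5.STABLE1.tar.gz` is the only record of what was downloaded; an MD5 sum written by the packager establishes that later builds use the same bytes, not that the bytes match what upstream released, so the commit message (or a comment next to the `Source:` line in the spec) should state that the tarball was checked against the upstream signature or published checksum before this sum was recorded.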

View File

@ -54,7 +54,7 @@ start() {
for adir in $CACHE_SWAP; do
if [ ! -d $adir/00 ]; then
echo -n "init_cache_dir $adir... "
$SQUID -z -F 2>/dev/null
$SQUID -z -F -D 2>/dev/null
fi
done
echo -n $"Starting $prog: "
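Review bot: `$SQUID -z -F -D 2>/dev/null` discards whatever the cache directory initialisation writes to stderr, so a failed `-z` (for example a cache_dir that the squid user cannot write to) is silent and the script proceeds to the `Starting $prog` line regardless; suggest directing stderr to a log file instead of `/dev/null` and checking the exit status before starting the daemon. Adding `-D` (skip the startup DNS test) is appropriate for this initialisation-only run, since creating directories needs no lookups. Minor: `$adir` is unquoted in `[ ! -d $adir/00 ]`, which breaks on paths containing spaces.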

View File

@ -1,20 +1,55 @@
Summary: The Squid proxy caching server.
Name: squid
Version: 2.4.STABLE7
Release: 4
Version: 2.5.STABLE1
Release: 2
Serial: 7
License: GPL
Group: System Environment/Daemons
Source: http://www.squid-cache.org/Squid/v2/squid-%{version}-src.tar.gz
Source: http://www.squid-cache.org/Squid/v2/squid-%{version}.tar.gz
Source1: http://www.squid-cache.org/Squid/FAQ/FAQ.sgml
Source2: squid.init
Source3: squid.logrotate
Source4: squid.sysconfig
Patch0: squid-2.1-make.patch
Patch1: squid-2.4-config.patch
Patch1: squid-2.5-config.patch
Patch2: squid-perlpath.patch
Patch3: squid-location.patch
Patch10: squid-2.4.STABLE7-msntauth.patch
Patch4: squid-2.5-build.patch
# Official upstream patches
Patch100: squid-2.5.STABLE1-ldap_group.patch
Patch101: squid-2.5.STABLE1-relnote11.patch
Patch102: squid-2.5.STABLE1-aufs_reentrant.patch
Patch103: squid-2.5.STABLE1-chroot.patch
Patch104: squid-2.5.STABLE1-S.patch
Patch105: squid-2.5.STABLE1-offline_mode.patch
Patch106: squid-2.5.STABLE1-rebuild_assert.patch
Patch107: squid-2.5.STABLE1-RunCache.patch
Patch108: squid-2.5.STABLE1-aufs_performance.patch
Patch109: squid-2.5.STABLE1-ldap_group-compile.patch
Patch110: squid-2.5.STABLE1-flags_open.patch
Patch111: squid-2.5.STABLE1-spaces.patch
Patch112: squid-2.5.STABLE1-dnsserver.patch
Patch113: squid-2.5.STABLE1-auth-proxy.patch
Patch114: squid-2.5.STABLE1-cachemgr.patch
Patch115: squid-2.5.STABLE1-uninstall.patch
Patch116: squid-2.5.STABLE1-ext_acl_exit.patch
Patch117: squid-2.5.STABLE1-request_entity.patch
Patch118: squid-2.5.STABLE1-ext_acl_comma.patch
Patch119: squid-2.5.STABLE1-acl_leak.patch
Patch120: squid-2.5.STABLE1-aufs.patch
Patch121: squid-2.5.STABLE1-memstat.patch
Patch122: squid-2.5.STABLE1-wccp.patch
Patch123: squid-2.5.STABLE1-strwordtok.patch
Patch124: squid-2.5.STABLE1-pthreads.patch
Patch126: squid-2.5.STABLE1-ldap_auth.patch
Patch127: squid-2.5.STABLE1-referer_log.patch
Patch128: squid-2.5.STABLE1-load_icons.patch
Patch129: squid-2.5.STABLE1-cache_dir_docs.patch
Patch130: squid-2.5.STABLE1-max_user_ip.patch
Patch131: squid-2.5.STABLE1-proxy_auth.patch
Patch132: squid-2.5.STABLE1-disable-http-violations.patch
Patch133: squid-2.5.STABLE1-disable-ident-lookups.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-root
Prereq: /sbin/chkconfig logrotate shadow-utils
Requires: bash >= 2.0
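Review bot: the new `Patch100`..`Patch133` block skips `Patch125` (`Patch124: squid-2.5.STABLE1-pthreads.patch` is followed directly by `Patch126: squid-2.5.STABLE1-ldap_auth.patch`), and the `%prep` side mirrors the gap; if that patch was deliberately dropped, a one-line comment saying so would save the next maintainer a search. Several of the patches under `# Official upstream patches` are security-relevant (`chroot`, `auth-proxy`, `proxy_auth`, `request_entity`, `acl_leak`), so each line should carry the upstream bug id or URL it came from, otherwise the backport status cannot be audited later. `Serial: 7` is the deprecated spelling of the epoch tag; rpm still accepts it, but `Epoch: 7` is the current form.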
@ -35,35 +70,61 @@ lookup program (dnsserver), a program for retrieving FTP data
%prep
%setup -q
%patch0 -p1 -b .make
%patch1 -p1 -b .config
%patch2 -p1 -b .perlpath
%patch3 -p1
%patch10 -p1
#%patch2 -p1 -b .perlpath
%patch3 -p1 -b .location
%patch4 -p1 -b .build
%patch100 -p1
%patch101 -p1
%patch102 -p1
%patch103 -p1
%patch104 -p1
%patch105 -p1
%patch106 -p1
%patch107 -p1
%patch108 -p1
%patch109 -p1
%patch110 -p1
%patch111 -p1
%patch112 -p1
%patch113 -p1
%patch114 -p1
%patch115 -p1
%patch116 -p1
%patch117 -p1
%patch118 -p1
%patch119 -p1
%patch120 -p1
%patch121 -p1
%patch122 -p1
%patch123 -p1
%patch124 -p1
%patch126 -p1
%patch127 -p1
%patch128 -p1
%patch129 -p1
%patch130 -p1
%patch131 -p1
%patch132 -p1
%patch133 -p1
%build
%configure \
--exec_prefix=/usr --bindir=/usr/sbin --libexecdir=/usr/lib/squid \
--localstatedir=/var --sysconfdir=/etc/squid \
--enable-poll --enable-snmp --enable-removal-policies="heap,lru" \
--enable-storeio="aufs,coss,diskd,ufs" \
--enable-storeio="aufs,coss,diskd,ufs" --enable-ssl \
--with-openssl=/usr/kerberos \
--enable-delay-pools --enable-linux-netfilter \
--with-pthreads \
--enable-auth-modules="LDAP,NCSA,PAM,SMB,MSNT" # --enable-icmp
--enable-basic-auth-helpers="LDAP,NCSA,PAM,SMB,SASL,MSNT" \
--enable-ntlm-auth-helpers="SMB,winbind" \
--enable-external-acl-helpers="ip_user,ldap_group,unix_group,wbinfo_group,winbind_group" \
# --enable-icmp
# Some versions of autoconf fail to detect sys/resource.h correctly;
# apparently because it generates a compiler warning.
if [ -e /usr/include/sys/resource.h ]; then
cat >>include/autoconf.h <<EOF
#ifndef HAVE_SYS_RESOURCE_H
#define HAVE_SYS_RESOURCE_H 1
#define HAVE_STRUCT_RUSAGE 1
#endif
EOF
fi
make -f makefile
make
mkdir faq
cp $RPM_SOURCE_DIR/FAQ.sgml faq
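Review bot: `#%patch2 -p1 -b .perlpath` stops applying `Patch2`, but `Patch2: squid-perlpath.patch` is still declared in the preamble, so the SRPM ships a patch it never uses; either remove both lines or leave a comment explaining why it is parked. rpm also expands macros inside comments, so a commented-out macro should be written `#%%patch2` to keep the expansion inert. In `%build`, `--enable-ssl` with `--with-openssl=/usr/kerberos` and the new LDAP/PAM/SASL/winbind helpers need development headers at build time, yet none of the visible hunks adds a matching `BuildRequires:` (for example `openssl-devel`, `openldap-devel`, `pam-devel`); without them the build quietly depends on what happens to be installed on the build host, and the `/usr/kerberos` prefix deserves a comment explaining why OpenSSL is looked up there. Finally, the trailing `\` on the `--enable-external-acl-helpers` line continues the command onto `# --enable-icmp`, which only works because that text becomes a trailing shell comment; dropping the backslash makes the intent explicit.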
@ -71,18 +132,6 @@ cd faq
sgml2html FAQ.sgml
#cd ..
#cd auth_modules
#cd LDAP
#make
#cd ../NCSA
#make
#cd ../PAM
#make
#cd ../SMB
#make SAMBAPREFIX=%{prefix}
#cd ../getpwnam
#make
#cd ../..
%install
rm -rf $RPM_BUILD_ROOT
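Review bot: with the commented-out `auth_modules` block removed, the `#cd ..` left behind is an orphaned comment (the `cd faq` it once undid is now the last directory change in `%build`, and `%install` starts in a fresh shell anyway); drop it with the rest.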
@ -91,20 +140,8 @@ rm -rf $RPM_BUILD_ROOT
localstatedir=$RPM_BUILD_ROOT/var \
bindir=$RPM_BUILD_ROOT/usr/sbin \
libexecdir=$RPM_BUILD_ROOT/usr/lib/squid
#install -m 4750 src/pinger $RPM_BUILD_ROOT/usr/lib/squid
mv $RPM_BUILD_ROOT/usr/sbin/*auth $RPM_BUILD_ROOT/usr/lib/squid
cd errors
rm -rf $RPM_BUILD_ROOT/etc/squid/errors
mkdir -p $RPM_BUILD_ROOT/usr/lib/squid/errors
for i in *; do
if [ -d $i ]; then
mkdir -p $RPM_BUILD_ROOT/usr/lib/squid/errors/$i
install -m 644 $i/* $RPM_BUILD_ROOT/usr/lib/squid/errors/$i
fi
done
ln -s /usr/lib/squid/errors/English $RPM_BUILD_ROOT/etc/squid/errors
ln -s %{_datadir}/squid/errors/English $RPM_BUILD_ROOT/etc/squid/errors
mkdir -p $RPM_BUILD_ROOT/etc/rc.d/init.d
mkdir -p $RPM_BUILD_ROOT/etc/logrotate.d
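Review bot: the replacement `ln -s %{_datadir}/squid/errors/English $RPM_BUILD_ROOT/etc/squid/errors` drops the `rm -rf $RPM_BUILD_ROOT/etc/squid/errors` that preceded the old link. If `make install` still creates `/etc/squid/errors` as a directory under the build root, `ln -s` will create the link inside it (as `errors/English`) and `%files` will package a directory where the `%post` scriptlet expects a symlink; either keep the `rm -rf` before the `ln -s`, or make the step fail loudly when the path already exists.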
@ -116,6 +153,9 @@ install -m 644 $RPM_SOURCE_DIR/squid.sysconfig $RPM_BUILD_ROOT/etc/sysconfig/squ
mkdir -p $RPM_BUILD_ROOT/var/log/squid
mkdir -p $RPM_BUILD_ROOT/var/spool/squid
# remove unpackaged files from the buildroot
rm -f $RPM_BUILD_ROOT%{_sbindir}/{RunAccel,RunCache}
%clean
rm -rf $RPM_BUILD_ROOT
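Review bot: `rm -f $RPM_BUILD_ROOT%{_sbindir}/{RunAccel,RunCache}` relies on brace expansion, which is a bash feature; `%install` runs under the build shell (bash on Red Hat, so it works today), but spelling out both paths avoids a silent no-op under a strict POSIX `sh`. The `# remove unpackaged files from the buildroot` comment could also state that these wrappers are dropped in favour of the init script, since `Patch107` (`squid-2.5.STABLE1-RunCache.patch`) is still applied in `%prep` and a reader may otherwise expect RunCache to be shipped.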
@ -125,22 +165,27 @@ rm -rf $RPM_BUILD_ROOT
%config(noreplace) /etc/squid/squid.conf
%config(noreplace) /etc/squid/mime.conf
%config(noreplace) /etc/sysconfig/squid
%config(noreplace) /etc/squid/msntauth.conf
%config /etc/squid/mib.txt
/etc/squid/msntauth.conf.default
/etc/squid/squid.conf.default
/etc/squid/mime.conf.default
%config(noreplace) /etc/squid/errors
/usr/lib/squid
%{_datadir}/squid
/usr/sbin/squid
/usr/sbin/client
/usr/sbin/squidclient
%config /etc/rc.d/init.d/squid
%config /etc/logrotate.d/squid
%doc faq/* README ChangeLog QUICKSTART doc/*
%doc contrib/url-normalizer.pl contrib/rredir.* contrib/user-agents.pl
#%doc contrib/url-normalizer.pl contrib/rredir.* contrib/user-agents.pl
%attr(750,squid,squid) %dir /var/log/squid
%attr(750,squid,squid) %dir /var/spool/squid
%{_mandir}/man8/*
%pre
/usr/sbin/useradd -u 23 -d /var/spool/squid -r -s /dev/null squid >/dev/null 2>&1
/usr/sbin/useradd -u 23 -d /var/spool/squid -r -s /sbin/nologin squid >/dev/null 2>&1
for i in /var/log/squid /var/spool/squid ; do
if [ -d $i ] ; then
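Review bot: `#%doc contrib/url-normalizer.pl contrib/rredir.* contrib/user-agents.pl` is a commented-out macro; rpm expands macros in comments, so write `#%%doc` or remove the line outright. The `msntauth.conf` and `msntauth.conf.default` entries leave `%files` while `MSNT` remains in `--enable-basic-auth-helpers`; confirm where the 2.5 helper installs its configuration, because if it still lands in `/etc/squid` the unpackaged-files check will fail the build. In `%pre`, switching the service account to `-s /sbin/nologin` is the right change, but `/sbin/nologin` is not covered by the `Prereq:` line above (`/sbin/chkconfig logrotate shadow-utils`); add the package that provides it so the account is never created with a shell path that does not exist.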
@ -159,6 +204,9 @@ if [ $1 = 0 ]; then
bg*)
DIR=Bulgarian
;;
ca*)
DIR=Catalan
;;
cs*)
DIR=Czech
;;
@ -183,6 +231,9 @@ if [ $1 = 0 ]; then
de*)
DIR=German
;;
he*)
DIR=Hebrew
;;
hu*)
DIR=Hungarian
;;
@ -207,6 +258,9 @@ if [ $1 = 0 ]; then
ru*)
DIR=Russian-koi8-r
;;
sr*)
DIR=Serbian
;;
sk*)
DIR=Slovak
;;
@ -216,9 +270,12 @@ if [ $1 = 0 ]; then
sv*)
DIR=Swedish
;;
zh*)
zh_TW*)
DIR=Traditional_Chinese
;;
zh_CN*)
DIR=Simplify_Chinese
;;
tr*)
DIR=Turkish
;;
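Review bot: replacing `zh*)` with `zh_TW*)` and `zh_CN*)` removes the catch-all, so other Chinese locales (`zh_HK`, `zh_SG`, a bare `zh`) now fall through to the `English` default at the end of the `case`; keep a `zh*)` arm after the two specific ones so they still get a Chinese error set. `Simplify_Chinese` is presumably the directory name squid ships under `errors/`, but a short comment saying so would prevent a well-meaning later edit to `Simplified_Chinese` that breaks the symlink.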
@ -226,9 +283,15 @@ if [ $1 = 0 ]; then
DIR=English
;;
esac
ln -snf /usr/lib/squid/errors/$DIR /etc/squid/errors
ln -snf %{_datadir}/squid/errors/$DIR /etc/squid/errors
fi
%triggerpostun -- squid < 2.5.STABLE1-1
errordir=`ls -ld /etc/squid/errors | awk '{ print $NF }'`
errordir=${errordir##*/}
ln -snf %{_datadir}/squid/errors/$DIR /etc/squid/errors
%preun
if [ $1 = 0 ] ; then
service squid stop >/dev/null 2>&1
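Review bot: the `%triggerpostun` computes `errordir` from the old symlink but then runs `ln -snf %{_datadir}/squid/errors/$DIR /etc/squid/errors`; `DIR` is only set in `%post`, so in this scriptlet it expands to nothing and `/etc/squid/errors` ends up pointing at `%{_datadir}/squid/errors/` itself, after which every error page lookup fails. The last line should use `$errordir`. Parsing `ls -ld` output for the link target is also fragile; `readlink` is preferable where the build's coreutils provide it.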
@ -242,6 +305,15 @@ if [ "$1" -ge "1" ] ; then
fi
%changelog
* Wed Jan 22 2003 Tim Powers <timp@redhat.com>
- rebuilt
* Wed Jan 15 2003 Bill Nottingham <notting@redhat.com> 7:2.5.STABLE1-1
- update to 2.5.STABLE1
* Wed Nov 27 2002 Tim Powers <timp@redhat.com> 7:2.4.STABLE7-5
- remove unpackaged files from the buildroot
* Tue Aug 27 2002 Nalin Dahyabhai <nalin@redhat.com> 2.4.STABLE7-4
- rebuild
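Review bot: the newest changelog entry (`Wed Jan 22 2003 Tim Powers`) carries no version-release, unlike the entries below it (`7:2.5.STABLE1-1`, `7:2.4.STABLE7-5`); it should read `7:2.5.STABLE1-2` to match `Release: 2`. If the `--enable-ssl`, auth-helper and `%triggerpostun` changes landed in -2 rather than -1, "rebuilt" undersells the release and those items belong in the entry.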