squid: bump to 4.0

net/squid/Config.in

@@ -0,0 +1,95 @@
+if PACKAGE_squid
+
+	comment "Optional features"
+
+	config SQUID_enable-ipv6
+		bool "Enable support for IP version 6"
+		default y
+
+	config SQUID_enable-snmp
+		bool "Enable SNMP monitoring support"
+		default n
+
+	config SQUID_enable-icmp
+		bool "Enable ICMP pinging and Network Measurement"
+		default n
+
+	config SQUID_enable-icap-client
+		bool "Enable ICAP client support"
+		default n
+
+	config SQUID_enable-dlmalloc
+		bool "Compile & use the malloc package by Doug Lea"
+		default y
+
+	config SQUID_enable-ssl-crtd
+		bool "Enable dynamic SSL certificate generation "
+		depends on !SQUID_use-gnutls
+		default n
+
+	config SQUID_auth-basic
+		bool "Enable the Basic authentication scheme"
+		default n
+
+	config SQUID_auth-digest
+		bool "Enable the Digest authentication scheme"
+		default n
+
+	config SQUID_auth-negotiate
+		bool "Enable the Negotiate authentication scheme"
+		default n
+
+	config SQUID_auth-ntlm
+		bool "Enable the NTLM authentication scheme"
+		default n
+
+	comment "Optional packages"
+
+	choice
+		prompt "Choose SSL Library"
+		default SQUID_use-openssl
+
+		config SQUID_use-openssl
+		bool "Use OpenSSL (default)"
+
+		config SQUID_use-gnutls
+		bool "Use GnuTLS (experimental, see help)"
+		help
+			Use GnuTLS in place of OpenSSL for the core features of receiving
+			TLS connections from clients and making TLS connections to servers.
+			The GnuTLS support is still very much experimental and should be
+			tested before use.
+
+			SSL-Bump and certificate generation features are not yet supported
+			by GnuTLS builds. Nor are many other less commonly used Squid
+			TLS/SSL features.
+
+			squid.conf directives and configuration options which have undergone
+			name changes from 'ssl' to 'tls' prefix in Squid-4 have GnuTLS
+			support, unless explicitly stated otherwise.
+
+			Advanced configuration with specific selection of ciphers and
+			similar settings should still work, but needs the GnuTLS Priority
+			Strings instead of the OpenSSL options when using GnuTLS.
+	endchoice
+
+	config SQUID_with-libcap
+		bool "Use libcap - Linux capabilities library"
+		default n
+
+	config SQUID_with-nettle
+		bool "Use nettle - GNU crypto library"
+		default n
+
+	config SQUID_with-expat
+		bool "Use expat - XML parsing library"
+		default n
+
+	config SQUID_with-libxml2
+		bool "Use libxml2 - Gnome XML library"
+		default n
+
+	comment "Additional tools"
+
+endif
+

net/squid/Makefile

@@ -8,20 +8,22 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=squid
-PKG_VERSION:=3.5.27
-PKG_RELEASE:=1
-
-PKG_LICENSE:=GPL-2.0
-PKG_MAINTAINER:=Marko Ratkaj <marko.ratkaj@sartura.hr>
+PKG_VERSION:=4.6
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_SOURCE_URL:=http://www3.us.squid-cache.org/Versions/v3/3.5/ \
-	http://www2.pl.squid-cache.org/Versions/v3/3.5/ \
-	http://www.squid-cache.org/Versions/v3/3.5/
-PKG_HASH:=5ddb4367f2dc635921f9ca7a59d8b87edb0412fa203d1543393ac3c7f9fef0ec
+PKG_SOURCE_URL:=http://www3.us.squid-cache.org/Versions/v4/ \
+	http://www2.pl.squid-cache.org/Versions/v4/ \
+	http://www.squid-cache.org/Versions/v4/
+PKG_HASH:=015bade5d3a4905142c4c605df5c4216471e3d8338079955e0e44b0ae0303d41
+
+PKG_MAINTAINER:=Marko Ratkaj <marko.ratkaj@sartura.hr>
+PKG_LICENSE:=GPL-2.0-or-later
+PKG_CPE_ID:=cpe:/a:squid-cache:squid
 
 PKG_BUILD_PARALLEL:=1
 PKG_INSTALL:=1
+PKG_FIXUP:=autoreconf
 
 include $(INCLUDE_DIR)/package.mk
 
@@ -30,12 +32,18 @@ define Package/squid/Default
   CATEGORY:=Network
   SUBMENU:=Web Servers/Proxies
   URL:=http://www.squid-cache.org/
-  MENU:=1
 endef
 
 define Package/squid
   $(call Package/squid/Default)
-  DEPENDS:=+libopenssl +libpthread +librt +libltdl +libstdcpp
+  MENU:=1
+  DEPENDS:=+libpthread +librt +libltdl +libstdcpp +libatomic +USE_GLIBC:libbsd
+  DEPENDS+= +SQUID_use-gnutls:libgnutls +SQUID_use-openssl:libopenssl
+  DEPENDS+= +SQUID_with-libcap:libcap
+  DEPENDS+= +SQUID_with-nettle:libnettle
+  DEPENDS+= +SQUID_with-expat:libexpat
+  DEPENDS+= +SQUID_with-libxml2:libxml2
+  USERID:=squid=137:squid=137
   TITLE:=full-featured Web proxy cache
 endef
 
@@ -45,6 +53,14 @@ define Package/squid/description
   frequently-requested web pages.
 endef
 
+define Package/squid/config
+  source "$(SOURCE)/Config.in"
+endef
+
+define Package/squid/conffiles
+  /etc/squid/squid.conf
+endef
+
 define Package/squid-mod-cachemgr
   $(call Package/squid/Default)
   DEPENDS:=squid
@@ -52,19 +68,17 @@ define Package/squid-mod-cachemgr
 endef
 
 CONFIGURE_ARGS += \
+	BUILDCXX=$(HOSTCXX) \
+	BUILDCXXFLAGS=$(if $(HOST_CXXFLAGS),$(HOST_CXXFLAGS),-O2) \
 	--config-cache \
 	--datadir=/usr/share/squid \
 	--libexecdir=/usr/lib/squid \
 	--sysconfdir=/etc/squid \
 	--enable-shared \
 	--disable-static \
-	--enable-icmp \
 	--enable-delay-pools \
-	--enable-icap-client \
 	--enable-kill-parent-hack \
-	--disable-snmp \
 	--enable-ssl \
-	--enable-ssl-crtd \
 	--enable-cache-digests \
 	--enable-linux-netfilter \
 	--disable-unlinkd \
@@ -73,28 +87,39 @@ CONFIGURE_ARGS += \
 	--disable-auto-locale \
 	--with-dl \
 	--with-pthreads \
-	--without-expat \
-	--without-libxml2 \
-	--without-gnutls \
-	--without-nettle \
-	--with-openssl=$(STAGING_DIR)/usr \
 	--enable-epoll \
-	--with-maxfd=4096 \
+	--with-maxfd=2048 \
+	--disable-ecap \
 	--disable-external-acl-helpers \
-	--disable-auth-negotiate \
-	--disable-auth-ntlm \
-	--disable-auth-digest \
-	--disable-auth-basic \
 	--disable-arch-native \
 	--with-krb5-config=no \
 	--without-mit-krb5 \
-	--without-libcap \
-	--without-netfilter-conntrack
+	--without-netfilter-conntrack \
+	--disable-ident-lookups \
+	$(if $(CONFIG_SQUID_auth-basic),--enable,--disable)-auth-basic \
+	$(if $(CONFIG_SQUID_auth-digest),--enable,--disable)-auth-digest \
+	$(if $(CONFIG_SQUID_auth-ntlm),--enable,--disable)-auth-ntlm \
+	$(if $(CONFIG_SQUID_auth-negotiate),--enable,--disable)-auth-negotiate \
+	$(if $(CONFIG_SQUID_enable-ipv6),--enable,--disable)-dlmalloc \
+	$(if $(CONFIG_SQUID_enable-ipv6),--enable,--disable)-ipv6 \
+	$(if $(CONFIG_SQUID_enable-ssl-crtd),--enable-ssl-crtd) \
+	$(if $(CONFIG_SQUID_use-gnutls),--with,--without)-gnutls \
+	$(if $(CONFIG_SQUID_use-gnutls),--without-openssl) \
+	$(if $(CONFIG_SQUID_use-gnutls),,--with-openssl="$(STAGING_DIR)/usr") \
+	$(if $(CONFIG_SQUID_enable-icmp),--enable,--disable)-icmp \
+	$(if $(CONFIG_SQUID_enable-icap-client),--enable,--disable)-icap-client \
+	$(if $(CONFIG_SQUID_enable-snmp),--enable,--disable)-snmp \
+	$(if $(CONFIG_SQUID_with-libcap),--with,--without)-libcap \
+	$(if $(CONFIG_SQUID_with-nettle),--with,--without)-nettle \
+	$(if $(CONFIG_SQUID_with-expat),--with,--without)-expat \
+	$(if $(CONFIG_SQUID_with-libxml2),--with,--without)-libxml2
 
 CONFIGURE_VARS += \
 	ac_cv_header_linux_netfilter_ipv4_h=yes \
-	ac_cv_epoll_works=yes \
-	squid_cv_gnu_atomics=no
+	ac_cv_epoll_works=yes
+
+TARGET_CFLAGS += -Wno-error
+TARGET_LDFLAGS += -latomic
 
 define Build/Compile
 	+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR)/lib all
@@ -108,13 +133,13 @@ define Package/squid/install
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/squid $(1)/usr/sbin/
 
 	$(INSTALL_DIR) $(1)/usr/lib/squid
-	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/squid/ssl_crtd $(1)/usr/lib/squid
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/squid/* $(1)/usr/lib/squid/
 
 	$(INSTALL_DIR) $(1)/etc/config
 	$(INSTALL_CONF) ./files/squid.config $(1)/etc/config/squid
 
 	$(INSTALL_DIR) $(1)/etc/squid
-	$(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/squid/mime.conf $(1)/etc/squid/
+	$(CP) $(PKG_INSTALL_DIR)/etc/squid/* $(1)/etc/squid/
 	$(INSTALL_CONF) ./files/squid.conf $(1)/etc/squid/
 
 	$(INSTALL_DIR) $(1)/etc/init.d/
@@ -122,6 +147,7 @@ define Package/squid/install
 
 	$(INSTALL_DIR) $(1)/usr/share/squid/icons/
 	$(CP) $(PKG_INSTALL_DIR)/usr/share/squid/icons/* $(1)/usr/share/squid/icons/
+	$(CP) $(PKG_INSTALL_DIR)/usr/share/squid/mib.txt $(1)/usr/share/squid/
 
 	$(INSTALL_DIR) $(1)/usr/share/squid/errors/templates/
 	$(CP) $(PKG_INSTALL_DIR)/usr/share/squid/errors/templates/* $(1)/usr/share/squid/errors/templates/

net/squid/files/squid.conf

@@ -1,44 +1,80 @@
-acl localnet src 10.0.0.0/8
-acl localnet src 172.16.0.0/12
-acl localnet src 192.168.0.0/16
-acl localnet src fc00::/7
-acl localnet src fe80::/10
+#
+# Recommended minimum configuration:
+#
 
-acl ssl_ports port 443
+# Example rule allowing access from your local networks.
+# Adapt to list your (internal) IP networks from where browsing
+# should be allowed
+acl localnet src 0.0.0.1-0.255.255.255	# RFC 1122 "this" network (LAN)
+acl localnet src 10.0.0.0/8		# RFC 1918 local private network (LAN)
+acl localnet src 100.64.0.0/10		# RFC 6598 shared address space (CGN)
+acl localhet src 169.254.0.0/16 	# RFC 3927 link-local (directly plugged) machines
+acl localnet src 172.16.0.0/12		# RFC 1918 local private network (LAN)
+acl localnet src 192.168.0.0/16		# RFC 1918 local private network (LAN)
+acl localnet src fc00::/7       	# RFC 4193 local private network range
+acl localnet src fe80::/10      	# RFC 4291 link-local (directly plugged) machines
 
-acl safe_ports port 80
-acl safe_ports port 21
-acl safe_ports port 443
-acl safe_ports port 70
-acl safe_ports port 210
-acl safe_ports port 1025-65535
-acl safe_ports port 280
-acl safe_ports port 488
-acl safe_ports port 591
-acl safe_ports port 777
-acl connect method connect
+acl SSL_ports port 443
+acl Safe_ports port 80		# http
+acl Safe_ports port 21		# ftp
+acl Safe_ports port 443		# https
+acl Safe_ports port 70		# gopher
+acl Safe_ports port 210		# wais
+acl Safe_ports port 1025-65535	# unregistered ports
+acl Safe_ports port 280		# http-mgmt
+acl Safe_ports port 488		# gss-http
+acl Safe_ports port 591		# filemaker
+acl Safe_ports port 777		# multiling http
+acl CONNECT method CONNECT
 
-http_access deny !safe_ports
-http_access deny connect !ssl_ports
+#
+# Recommended minimum Access Permission configuration:
+#
+# Deny requests to certain unsafe ports
+http_access deny !Safe_ports
 
+# Deny CONNECT to other than secure SSL ports
+http_access deny CONNECT !SSL_ports
+
+# Only allow cachemgr access from localhost
 http_access allow localhost manager
 http_access deny manager
 
-http_access deny to_localhost
+# We strongly recommend the following be uncommented to protect innocent
+# web applications running on the proxy server who think the only
+# one who can access services on "localhost" is a local user
+#http_access deny to_localhost
 
+#
+# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
+#
+
+# Example rule allowing access from your local networks.
+# Adapt localnet in the ACL section to list your (internal) IP networks
+# from where browsing should be allowed
 http_access allow localnet
 http_access allow localhost
 
+# And finally deny all other access to this proxy
 http_access deny all
 
-refresh_pattern ^ftp: 1440 20% 10080
-refresh_pattern ^gopher: 1440 0% 1440
-refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
-refresh_pattern . 0 20% 4320
+# Uncomment and adjust the following to add a disk cache directory.
+#cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256
 
-access_log none
-cache_log /dev/null
-cache_store_log stdio:/dev/null
-logfile_rotate 0
+#
+# Add any of your own refresh_pattern entries above these.
+#
+refresh_pattern ^ftp:		1440	20%	10080
+refresh_pattern ^gopher:	1440	0%	1440
+refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
+refresh_pattern .		0	20%	4320
 
-logfile_daemon /dev/null
+# Squid user
+cache_effective_user squid
+
+#
+# Logs, best to use only for debugging as they can become very large
+#
+
+access_log none  # daemon:/tmp/squid_access.log
+cache_log /dev/null  # /tmp/squid_cache.log

net/squid/files/squid.init

@@ -10,7 +10,7 @@ CONFIGFILE="/tmp/squid/squid.conf"
 MIMETABLE="/tmp/squid/mime.conf"
 
 validate_squid_section() {
-	uci_validate_section squid squid "${1}" \
+	uci_load_validate squid squid "$1" "$2" \
 		'config_file:string' \
 		'http_port:port:3128' \
 		'http_port_options:string' \
@@ -22,10 +22,15 @@ validate_squid_section() {
 		'mime_table:string:/etc/squid/mime.conf'
 }
 
-start_service() {
-	local config_file http_port http_port_options ssldb ssldb_options coredump_dir visible_hostname pinger_enable
+create_squid_user() {
+	user_exists squid || user_add squid $USERID
+	group_exists squid || group_add squid $USERID && group_add_user squid squid
+}
 
-	validate_squid_section squid || {
+start_squid_instance() {
+	local config_dir
+
+	[ "$2" = 0 ] || {
 		echo "validation failed"
 		return 1
 	}
@@ -33,7 +38,7 @@ start_service() {
 	config_dir=$(dirname $CONFIGFILE)
 	[ -d $config_dir ] || mkdir -p $config_dir && chown nobody:nogroup $config_dir
 	[ -d $coredump_dir ] || mkdir -p $coredump_dir && chown nobody:nogroup $coredump_dir
-	[ "$ssldb" ] && ( [ -f "$ssldb"/size ] || /usr/lib/squid/ssl_crtd -c -s $ssldb && chown -R nobody:nogroup $ssldb )
+	[ "$ssldb" ] && ( [ -f "$ssldb"/size ] || /usr/lib/squid/security_file_certgen -c -s $ssldb $ssldb_options && chown -R nobody:nogroup $ssldb )
 
 	cat $config_file > $CONFIGFILE
 	echo http_port $http_port $http_port_options >> $CONFIGFILE
@@ -42,7 +47,7 @@ start_service() {
 	echo pinger_enable $pinger_enable >> $CONFIGFILE
 	cat $mime_table > $MIMETABLE
 	echo mime_table $MIMETABLE >> $CONFIGFILE
-	[ "$ssldb" ] && echo sslcrtd_program /usr/lib/squid/ssl_crtd -s $ssldb $ssldb_options >> $CONFIGFILE
+	[ "$ssldb" ] && echo sslcrtd_program /usr/lib/squid/security_file_certgen -s $ssldb $ssldb_options >> $CONFIGFILE
 	$PROG -s -f $CONFIGFILE -N -z 2>/dev/null
 
 	procd_open_instance
@@ -52,9 +57,14 @@ start_service() {
 	procd_close_instance
 }
 
+start_service()
+{
+	validate_squid_section squid start_squid_instance
+}
+
 stop_service()
 {
-        ${PROG} -f $CONFIGFILE -N -k shutdown 2>/dev/null
+	$PROG -f $CONFIGFILE -N -k shutdown 2>/dev/null
 }
 
 service_triggers()

net/squid/patches/001-cross_compile.patch

@@ -1,40 +1,22 @@
+From fac6f63a52a2f4cbb3748cd5687eca5409093904 Mon Sep 17 00:00:00 2001
+From: Marko Ratkaj <marko.ratkaj@sartura.hr>
+Date: Thu, 20 Apr 2017 15:15:50 +0200
+Subject: [PATCH] foo
+
+Signed-off-by: Marko Ratkaj <marko.ratkaj@sartura.hr>
+---
+ src/Makefile.in | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
 --- a/src/Makefile.in
 +++ b/src/Makefile.in
-@@ -7984,7 +7984,7 @@ cache_cf.o: cf_parser.cci
+@@ -8385,7 +8385,8 @@
  
  # cf_gen builds the configuration files.
  cf_gen$(EXEEXT): $(cf_gen_SOURCES) $(cf_gen_DEPENDENCIES) cf_gen_defines.cci
 -	$(BUILDCXX) $(BUILDCXXFLAGS) -o $@ $(srcdir)/cf_gen.cc -I$(srcdir) -I$(top_builddir)/include/ -I$(top_builddir)/src
 +	g++ -o $@ $(srcdir)/cf_gen.cc -I$(srcdir) -I$(top_builddir)/include/ -I$(top_builddir)/src
++
  
  # squid.conf.default is built by cf_gen when making cf_parser.cci
  squid.conf.default squid.conf.documented: cf_parser.cci
---- a/configure
-+++ b/configure
-@@ -20842,7 +20842,7 @@ else
- if test "$cross_compiling" = yes; then :
-   { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
- $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
--as_fn_error $? "cannot run test program while cross compiling
-+_as_fn_error $? "cannot run test program while cross compiling
- See \`config.log' for more details" "$LINENO" 5; }
- else
-   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-@@ -29142,7 +29142,7 @@ else
-     if test "$cross_compiling" = yes; then :
-   { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
- $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
--as_fn_error $? "cannot run test program while cross compiling
-+_as_fn_error $? "cannot run test program while cross compiling
- See \`config.log' for more details" "$LINENO" 5; }
- else
-   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-@@ -29167,7 +29167,7 @@ else
-     if test "$cross_compiling" = yes; then :
-   { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
- $as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
--as_fn_error $? "cannot run test program while cross compiling
-+_as_fn_error $? "cannot run test program while cross compiling
- See \`config.log' for more details" "$LINENO" 5; }
- else
-   cat confdefs.h - <<_ACEOF >conftest.$ac_ext

net/squid/patches/002-glibc-compile.patch

@@ -0,0 +1,12 @@
+--- a/src/tools.cc
++++ b/src/tools.cc
+@@ -582,7 +582,8 @@
+     }
+ #else
+ 
+-    setuid(0);
++    if (setuid(0) < 0)
++	debugs(50, 1, "no_suid: setuid (0)");
+ #endif
+ #if HAVE_PRCTL && defined(PR_SET_DUMPABLE)
+     /* Set Linux DUMPABLE flag */