summaryrefslogtreecommitdiff
blob: 266c40c8dce10c9499bf922f59b279b93d5b7d1d (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2

EAPI=8

VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/squid.gpg
inherit autotools flag-o-matic linux-info pam systemd toolchain-funcs verify-sig

DESCRIPTION="Full-featured web proxy cache"
HOMEPAGE="https://www.squid-cache.org/"

MY_PV_MAJOR=$(ver_cut 1)
# Upstream patch ID for the most recent bug-fixed update to the formal release.
#r=-20181117-r0022167
r=
if [[ -z ${r} ]]; then
	SRC_URI="
		http://static.squid-cache.org/Versions/v${MY_PV_MAJOR}/${P}.tar.xz
		https://dev.gentoo.org/~juippis/distfiles/squid-6.9-memleak_fix.patch
		verify-sig? ( http://static.squid-cache.org/Versions/v${MY_PV_MAJOR}/${P}.tar.xz.asc )
	"
else
	SRC_URI="http://static.squid-cache.org/Versions/v${MY_PV_MAJOR}/${P}${r}.tar.bz2
		https://dev.gentoo.org/~juippis/distfiles/squid-6.9-memleak_fix.patch"
	S="${S}${r}"
fi

LICENSE="GPL-2+"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
IUSE="caps gnutls pam ldap samba sasl kerberos nis radius ssl snmp selinux logrotate test ecap"
IUSE+=" esi ssl-crtd mysql postgres sqlite systemd perl qos tproxy +htcp valgrind +wccp +wccpv2"
RESTRICT="!test? ( test )"
REQUIRED_USE="tproxy? ( caps ) qos? ( caps ) ssl-crtd? ( ssl )"

DEPEND="
	acct-group/squid
	acct-user/squid
	dev-libs/libltdl
	sys-libs/tdb
	virtual/libcrypt:=
	caps? ( >=sys-libs/libcap-2.16 )
	ecap? ( net-libs/libecap:1 )
	esi? (
		dev-libs/expat
		dev-libs/libxml2
	)
	ldap? ( net-nds/openldap:= )
	gnutls? ( >=net-libs/gnutls-3.1.5:= )
	logrotate? ( app-admin/logrotate )
	nis? (
		net-libs/libtirpc:=
		net-libs/libnsl:=
	)
	kerberos? ( virtual/krb5 )
	pam? ( sys-libs/pam )
	qos? ( net-libs/libnetfilter_conntrack )
	ssl? (
		dev-libs/nettle:=
		!gnutls? (
			dev-libs/openssl:=
		)
	)
	sasl? ( dev-libs/cyrus-sasl )
	systemd? ( sys-apps/systemd:= )
"
RDEPEND="
	${DEPEND}
	mysql? ( dev-perl/DBD-mysql )
	postgres? ( dev-perl/DBD-Pg )
	perl? ( dev-lang/perl )
	samba? ( net-fs/samba )
	selinux? ( sec-policy/selinux-squid )
	sqlite? ( dev-perl/DBD-SQLite )
"
DEPEND+=" valgrind? ( dev-debug/valgrind )"
BDEPEND="
	dev-lang/perl
	ecap? ( virtual/pkgconfig )
	test? ( dev-util/cppunit )
	verify-sig? ( sec-keys/openpgp-keys-squid )
"

PATCHES=(
	"${FILESDIR}"/${PN}-6.2-gentoo.patch
	"${FILESDIR}"/${PN}-4.17-use-system-libltdl.patch
	"${DISTDIR}"/${PN}-6.9-memleak_fix.patch
)

pkg_pretend() {
	if use tproxy; then
		local CONFIG_CHECK="~NF_CONNTRACK ~NETFILTER_XT_MATCH_SOCKET ~NETFILTER_XT_TARGET_TPROXY"
		linux-info_pkg_setup
	fi
}

src_unpack() {
	if use verify-sig ; then
		# Needed for downloaded patch (which is unsigned, which is fine)
		verify-sig_verify_detached "${DISTDIR}"/${P}.tar.xz{,.asc}
	fi

	default
}

src_prepare() {
	default

	# Fixup various paths
	sed -i -e 's:/usr/local/squid/etc:/etc/squid:' \
		INSTALL QUICKSTART \
		scripts/fileno-to-pathname.pl \
		scripts/check_cache.pl \
		tools/cachemgr.cgi.8 \
		tools/purge/conffile.hh \
		tools/purge/purge.1 || die
	sed -i -e 's:/usr/local/squid/sbin:/usr/sbin:' \
		INSTALL QUICKSTART || die
	sed -i -e 's:/usr/local/squid/var/cache:/var/cache/squid:' \
		QUICKSTART || die
	sed -i -e 's:/usr/local/squid/var/logs:/var/log/squid:' \
		QUICKSTART \
		src/log/access_log.cc || die
	sed -i -e 's:/usr/local/squid/logs:/var/log/squid:' \
		src/log/access_log.cc || die
	sed -i -e 's:/usr/local/squid/libexec:/usr/libexec/squid:' \
		src/acl/external/unix_group/ext_unix_group_acl.8 \
		src/acl/external/session/ext_session_acl.8 || die
	sed -i -e 's:/usr/local/squid/cache:/var/cache/squid:' \
		scripts/check_cache.pl || die
	# /var/run/squid to /run/squid
	sed -i -e 's:$(localstatedir)::' \
		src/ipc/Makefile.am || die
	sed -i 's:/var/run/:/run/:g' tools/systemd/squid.service || die

	sed -i -e 's:_LTDL_SETUP:LTDL_INIT([installable]):' \
		libltdl/configure.ac || die

	eautoreconf
}

src_configure() {
	local myeconfargs=(
		--cache-file="${S}"/config.cache

		--datadir=/usr/share/squid
		--libexecdir=/usr/libexec/squid
		--localstatedir=/var
		--sysconfdir=/etc/squid
		--with-default-user=squid
		--with-logdir=/var/log/squid
		--with-pidfile=/run/squid.pid

		--enable-build-info="Gentoo ${PF} (r: ${r:-NONE})"
		--enable-log-daemon-helpers
		--enable-url-rewrite-helpers
		--enable-cache-digests
		--enable-delay-pools
		--enable-disk-io
		--enable-eui
		--enable-icmp
		--enable-ipv6
		--enable-follow-x-forwarded-for
		--enable-removal-policies="lru,heap"
		--disable-strict-error-checking
		--disable-arch-native

		--with-large-files
		--with-build-environment=default

		--with-tdb

		--without-included-ltdl
		--with-ltdl-include="${ESYSROOT}"/usr/include
		--with-ltdl-lib="${ESYSROOT}"/usr/$(get_libdir)

		$(use_with caps cap)
		$(use_enable snmp)
		$(use_with ssl openssl)
		$(use_with ssl nettle)
		$(use_with gnutls)
		$(use_with ldap)
		$(use_enable ssl-crtd)
		$(use_with systemd)
		$(use_with test cppunit)
		$(use_enable ecap)
		$(use_enable esi)
		$(use_enable esi expat)
		$(use_enable esi xml2)
		$(use_enable htcp)
		$(use_with valgrind valgrind-debug)
		$(use_enable wccp)
		$(use_enable wccpv2)
	)

	# Basic modules
	local basic_modules=(
		NCSA
		POP3
		getpwnam

		$(usev samba 'SMB')
		$(usev ldap 'SMB_LM LDAP')
		$(usev pam 'PAM')
		$(usev sasl 'SASL')
		$(usev nis 'NIS')
		$(usev radius 'RADIUS')
	)

	use nis && append-cppflags "-I${ESYSROOT}/usr/include/tirpc"

	if use mysql || use postgres || use sqlite; then
		basic_modules+=( DB )
	fi

	# Digests
	local digest_modules=(
		file

		$(usev ldap 'LDAP eDirectory')
	)

	# Kerberos
	local negotiate_modules=( none )

	myeconfargs+=( --without-mit-krb5 --without-heimdal-krb5 )

	if use kerberos; then
		# We intentionally overwrite negotiate_modules here to lose
		# the 'none'.
		negotiate_modules=( kerberos wrapper )

		if has_version app-crypt/heimdal; then
			myeconfargs+=(
				--without-mit-krb5
				--with-heimdal-krb5
			)
		else
			myeconfargs+=(
				--with-mit-krb5
				--without-heimdal-krb5
			)
		fi
	fi

	# NTLM modules
	local ntlm_modules=( none )

	if use samba ; then
		# We intentionally overwrite ntlm_modules here to lose
		# the 'none'.
		ntlm_modules=( SMB_LM )
	fi

	# External helpers
	local ext_helpers=(
		file_userip
		session
		unix_group
		delayer
		time_quota

		$(usev samba 'wbinfo_group')
		$(usev ldap 'LDAP_group eDirectory_userip')
	)

	use ldap && use kerberos && ext_helpers+=( kerberos_ldap_group )
	if use mysql || use postgres || use sqlite; then
		ext_helpers+=( SQL_session )
	fi

	# Storage modules
	local storeio_modules=(
		aufs
		diskd
		rock
		ufs
	)

	#
	local transparent
	if use kernel_linux; then
		myeconfargs+=(
			--enable-linux-netfilter
			$(usev qos '--enable-zph-qos --with-netfilter-conntrack')
		)
	fi

	tc-export_build_env BUILD_CXX
	export BUILDCXX="${BUILD_CXX}"
	export BUILDCXXFLAGS="${BUILD_CXXFLAGS}"
	tc-export CC AR

	# Should be able to drop this workaround with newer versions.
	# https://bugs.squid-cache.org/show_bug.cgi?id=4224
	tc-is-cross-compiler && export squid_cv_gnu_atomics=no

	# Bug #719662
	append-atomic-flags

	print_options_without_comma() {
		# IFS as ',' will cut off any trailing commas
		(
			IFS=','
			options=( $(printf "%s," "${@}") )
			echo "${options[*]}"
		)
	}

	myeconfargs+=(
		--enable-storeio=$(print_options_without_comma "${storeio_modules[@]}")
		--enable-auth-basic=$(print_options_without_comma "${basic_modules[@]}")
		--enable-auth-digest=$(print_options_without_comma "${digest_modules[@]}")
		--enable-auth-ntlm=$(print_options_without_comma "${ntlm_modules[@]}")
		--enable-auth-negotiate=$(print_options_without_comma "${negotiate_modules[@]}")
		--enable-external-acl-helpers=$(print_options_without_comma "${ext_helpers[@]}")
	)

	econf "${myeconfargs[@]}"
}

src_install() {
	default

	systemd_dounit tools/systemd/squid.service

	# Need suid root for looking into /etc/shadow
	fowners root:squid /usr/libexec/squid/basic_ncsa_auth
	fperms 4750 /usr/libexec/squid/basic_ncsa_auth

	if use pam; then
		fowners root:squid /usr/libexec/squid/basic_pam_auth
		fperms 4750 /usr/libexec/squid/basic_pam_auth
	fi

	# Pinger needs suid as well
	fowners root:squid /usr/libexec/squid/pinger
	fperms 4750 /usr/libexec/squid/pinger

	# These scripts depend on perl
	if ! use perl; then
		local perl_scripts=(
			basic_pop3_auth ext_delayer_acl helper-mux
			log_db_daemon security_fake_certverify
			storeid_file_rewrite url_lfs_rewrite
		)

		local script
		for script in "${perl_scripts[@]}"; do
			rm "${ED}"/usr/libexec/squid/${script} || die
		done
	fi

	# Cleanup
	rm -r "${D}"/run "${D}"/var/cache || die

	dodoc CONTRIBUTORS CREDITS ChangeLog INSTALL QUICKSTART README SPONSORS doc/*.txt
	newdoc src/auth/negotiate/kerberos/README README.kerberos
	newdoc src/auth/basic/RADIUS/README README.RADIUS
	newdoc src/acl/external/kerberos_ldap_group/README README.kerberos_ldap_group
	dodoc RELEASENOTES.html

	if use pam; then
		newpamd "${FILESDIR}"/squid.pam squid
	fi

	newconfd "${FILESDIR}"/squid.confd-r2 squid
	newinitd "${FILESDIR}"/squid.initd-r7 squid

	if use logrotate ; then
		insinto /etc/logrotate.d
		newins "${FILESDIR}"/squid.logrotate-r1 squid
	else
		exeinto /etc/cron.weekly
		newexe "${FILESDIR}"/squid.cron-r1 squid.cron
	fi

	diropts -m0750 -o squid -g squid
	keepdir /var/log/squid /etc/ssl/squid /var/lib/squid

	# Hack for bug #834503 (see also bug #664940)
	# Please keep this for a few years until it's no longer plausible
	# someone is upgrading from < squid 5.7.
	mv "${ED}"/usr/share/squid/errors{,.new} || die
}

pkg_preinst() {
	# Remove file in EROOT that the directory collides with.
	rm -rf "${EROOT}"/usr/share/squid/errors || die

	# Following the collision protection check, reverse
	# src_install's rename in ED.
	mv "${ED}"/usr/share/squid/errors{.new,} || die
}

pkg_postinst() {
	elog "A good starting point to debug Squid issues is to use 'squidclient mgr:' commands such as 'squidclient mgr:info'."

	if [[ ${#r} -gt 0 ]]; then
		elog "You are using a release with the official ${r} patch! Make sure you mention that, or send the output of 'squidclient mgr:info' when asking for support."
	fi
}