squid transparent proxy is broken

I'll second this one. I replaced a gentoo server in my DMZ providing the squid transparent proxy and couldn't figure out why it wasn't working with my brand new "Edgy" install. It took me a while to track down that it was bug in squid and not a configuration error on my part. Refer to bug #1650 in the squid bug system.

We've just run into this at the allhands conference. There's a trivial workaround in the upstream bug (adding 'always_direct allow all' to the config). But this is a serious regression from dapper and really should be fixed in edgy updates if at all possible.

Using always_direct allow all, in most cases defeats the purpose of using a proxy. I have pinned to dapper for squid until this is fixed.

I have the same trouble here, anybody know a .deb that i can install without the bug ?

As I've just had this issue on my local server, I quickly made a backport of Feisty packages.
They are available here : http://www.stgraber.org/download/ubuntu/packages/
And their use is of course at your own risks.

I have found a working patch attached to Squid Bug 1650.
I updated it a little bit to apply on the Ubuntu Edgy package and then made the attached debdiff, if someone can have a look at it.
(As it's for Edgy I didn't what distrib and what version to put, actually I took the previous record from the changelog which is edgy-security and -3ubuntu1.3, let me know if you want something else)

Remember this is an upstream bug that was broken and has also been fixed upstream. Ideally, the upstream version of squid this package uses should be updated to a more recent version where the fix has been applied.

Usually Ubuntu doesn't do a backport only for one bugfix if it's possible to isolate the patch and apply it to the current version of the package in Ubuntu (what I in fact did).

Fixed upstream in 2.6.5, thus fixed in Feisty.

Stephane, please rework this patch a bit. First, I am not convinced that the autoconf changes are necessary. If debian/rules actually specifies this flag, then it should just be removed there (it has to be removed anyway if configure does not offer it any more).

Also, the dpatch seems broken, since it duplicates the patches:

$ lsdiff bug-68818.debdiff
squid_2.6.1/configure
squid_2.6.1/configure.in
squid_2.6.1/include/autoconf.h.in
squid_2.6.1/src/acl.c
squid_2.6.1/src/client_side.c
squid_2.6.1/src/structs.h
configure
configure.in
include/autoconf.h.in
src/acl.c
src/client_side.c
src/structs.h

The code parts of the upstream parts look reasonable.

Stephane, please set this back to 'in progress' when you have an updated patch. Thank you!

New updated patch, removing the autoconf part (this flag wasn't used) and I fixed the duplicate thing (a copy of the patch was in the debian/patches/ directory).

Stephane,

+squid (2.6.1-3ubuntu1.3) edgy-proposed; urgency=low

You have to bump this to 1.4 and base your patch on the already existing

     squid | 2.6.1-3ubuntu1.3 | http://security.ubuntu.com edgy-security/main Sources

Patch is ok otherwise, so please upload with above correction.

Ok, I've just done the changes

Stephane, looks good. Please upload.

Upload sponsored and accepted into edgy-proposed, please go ahead with QA testing.

Thanks for your update.

Please include instructions how to reproduce the bug. The policy says:
"Detailled instructions how to reproduce the bug.- These should allow someone who is not familiar with the affected package to reproduce the bug and verify that the updated package fixes the problem."

I will be happy to do the verification once I have this instructions.

Thanks,
 Michael

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Setting the following in squid.conf before starting squid will reproduce
 this bug.

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGUxcdFEB3Y4u99PkRAtV9AKCG9jonrBiXv/lOg7duWE/KIDqEcgCfbye0
29K0EyBDTPV3Gvjd5d5sp+w=
=CfEi
-----END PGP SIGNATURE-----

Martin OConnor: which version of Squid are you using? Do you still have the problem?

Marking the bug as fixed released, please reopen the bug, if you can follow up with more information.

The package is still sitting in edgy-proposed, it is not in -updates yet. We need proper testing verification first.

This has been superseded by a security upload. Please remerge.

Security debdiff attached...

Can someone please test this? Martin OConnor?

This SRU is very old, and if it does not get verified I'll just remove it from -proposed due to obsolescence.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I can confirm that this now works. I have installed the version in
edgy-proposed and the transparent option now works.
Martin Pitt wrote:
| Can someone please test this? Martin OConnor?
|
| This SRU is very old, and if it does not get verified I'll just remove
| it from -proposed due to obsolescence.
|

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkeGLlUACgkQFEB3Y4u99Pns8gCfagTvJOSpqA2BMKqRC4tgARrH
lxoAmwblTccIM4a3lT9m5wWE7UjjDjU6
=McFw
-----END PGP SIGNATURE-----

Reuploaded this patch on top of Kees' security update:

 squid (2.6.1-3ubuntu1.6) edgy-proposed; urgency=low
 .
   * Fix transparent proxies (LP: #68818).

Can you please test this version and give feedback here? Thanks!

squid 2.6.1-3ubuntu1.6 from edgy-proposed works as required as a transparent proxy

Copied to edgy-updates. Thank you!

" In package 2.6.1-3ubuntu1 , the transparent option in squid.conf is broken in Squid upstream version 2.6.RELEASE1. This has been fixed in 2.6.RELEASE2.

Recommend 2.6.RELEASE2 be added to edgy-backports."

Please how do I carry out the backporting?

sadeeb [2009-01-20 12:08 -0000]:
> " In package 2.6.1-3ubuntu1 , the transparent option in squid.conf is
> broken in Squid upstream version 2.6.RELEASE1. This has been fixed in
> 2.6.RELEASE2.
>
> Recommend 2.6.RELEASE2 be added to edgy-backports."

edgy has not been supported since April 2008, so we will not do any
official backports for it any more. So if you are still running edgy,
you need to install your own package from upstream sources. However, I
urgently recommend you to upgrade to a supported Ubuntu release like
8.04 LTS.

As a further note, Squid 2.6 is not supported anymore by the Squid developers; the currently supported versions are 2.7.STABLE5 and 3.0.STABLE11.
If recompilation from source, we recommend to choose one of the two - which one depends on the needed features.
See http://wiki.squid-cache.org/FeatureComparison