lp:~gary-wzl77/squid/snap_package

Created by Gary.Wang and last modified
Get this branch:
bzr branch lp:~gary-wzl77/squid/snap_package

Branch information

Owner:
Gary.Wang
Project:
Squid
Status:
Development

Recent revisions

14144. By Gary.Wang

Enable packaging and compiling squid in the snap world.

1. Added a conditional for snap packaging by testing "--enable-snap".
As all services run as root thanks to confinement in the snap world,
we need to get rid of the configured uid and gid;
otherwise there will be a bunch of apparmor DENIED issues when running
this snap in confined mode.
2. Fixed a bunch of critical conf file reading paths.
3. Made sure there is a writeable path for some file reading, e.g. pidfile.
4. Made sure sem_open is available inside the snap. See
    https://bugs.launchpad.net/snappy/+bug/1653955

14143. By Christos Tsantilas

Fix regression in CONNECT authentication after rev.14142

14142. By Christos Tsantilas

Bump SSL client on [more] errors encountered before ssl_bump evaluation

... such as ERR_ACCESS_DENIED with HTTP/403 Forbidden triggered by an
http_access deny rule match.

The old code allowed ssl_bump step1 rules to be evaluated in the
presence of an error. An ssl_bump splicing decision would then trigger
the useless "send the error to the client now" processing logic instead
of going down the "to serve an error, bump the client first" path.

Furthermore, the ssl_bump evaluation result itself could be surprising
to the admin because ssl_bump (and most other) rules are not meant to be
evaluated for a transaction in an error state. This complicated triage.

Also polished an important comment to clarify that we want to bump on
error if (and only if) the SslBump feature is applicable to the failed
transaction (i.e., if the ssl_bump rules would have been evaluated if
there were no prior errors). The old comment could have been
misinterpreted that ssl_bump rules must be evaluated to allow an
"ssl_bump splice" match to hide the error.

This is a Measurement Factory project.

14141. By Amos Jeffries

3.5.24

14140. By Source Maintenance

SourceFormat Enforcement

14139. By Christos Tsantilas

SSLv2 records force SslBump bumping despite a matching step2 peek rule.

If Squid receives a valid TLS Hello encapsulated into ancient SSLv2
records (observed on Solaris 10), the old code ignored the step2 peek
decision and bumped the transaction instead.
Now Squid peeks (or stares) at the origin server as configured, even
after detecting (and parsing) SSLv2 records.

This is a Measurement Factory project.

14138. By Christos Tsantilas

Mitigate DoS attacks that use client-initiated SSL/TLS renegotiation.

There is a well-known DoS attack using client-initiated SSL/TLS
renegotiation. The severity or uniqueness of this attack method
is disputed, but many believe it is serious/real.
There is even a (disputed) CVE-2011-1473:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1473

The old Squid code tried to disable client-initiated renegotiation, but
it did not work reliably (or at all), depending on Squid version, due
to OpenSSL API changes and conflicting SslBump callbacks. That
code is now removed and client-initiated renegotiations are allowed.

With this change, Squid aborts the TLS connection, with a level-1 ERROR
message if the rate of client-initiated renegotiate requests exceeds
5 requests in 10 seconds (approximately). This protection and the rate
limit are currently hard-coded but the rate is not expected to be
exceeded under normal circumstances.

This is a Measurement Factory project.
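The rate limit described in r14138 (abort the TLS connection once client-initiated renegotiations exceed 5 in roughly 10 seconds), as an added C++ example that is not Squid's own code. The commit says the limit is hard-coded and approximate; the sliding-window bookkeeping below, the names RenegotiationLimiter and wouldAbort, and the traces fed to it are this example's own assumptions. Timestamps are supplied by the caller so the logic runs offline and deterministically.

```cpp
#include <cstddef>
#include <deque>
#include <iostream>
#include <vector>

// Assumed limits, taken from the r14138 description: abort once more than
// kMaxRenegotiations client-initiated renegotiations arrive within a trailing
// window of kWindowSeconds. The exact sliding-window bookkeeping is this
// example's choice, not Squid's implementation.
constexpr std::size_t kMaxRenegotiations = 5;
constexpr double kWindowSeconds = 10.0;

class RenegotiationLimiter {
public:
    // Record one client-initiated renegotiation at time `now` (seconds since
    // an arbitrary epoch; the caller supplies it so tests are deterministic).
    // Returns true if the connection must be aborted.
    bool onRenegotiation(double now) {
        if (aborted_)
            return true;
        // Forget events that have fallen out of the trailing window.
        while (!events_.empty() && now - events_.front() >= kWindowSeconds)
            events_.pop_front();
        events_.push_back(now);
        if (events_.size() > kMaxRenegotiations) {
            aborted_ = true;
            std::cerr << "ERROR: " << events_.size()
                      << " client-initiated TLS renegotiations within "
                      << kWindowSeconds << "s; aborting connection\n";
        }
        return aborted_;
    }
    bool aborted() const { return aborted_; }
    std::size_t inWindow() const { return events_.size(); }

private:
    std::deque<double> events_; // timestamps still inside the window
    bool aborted_ = false;
};

// Replay a trace of renegotiation timestamps through a fresh limiter and
// report whether it would have aborted the connection.
bool wouldAbort(const std::vector<double>& times) {
    RenegotiationLimiter limiter;
    for (double t : times)
        if (limiter.onRenegotiation(t))
            return true;
    return false;
}

int main() {
    // Constructed traces, not captured traffic.
    const std::vector<double> slow  = {0, 12, 24, 36, 48, 60};      // spread out: fine
    const std::vector<double> exact = {0, 1, 2, 3, 4};               // at the limit: fine
    const std::vector<double> burst = {0, 0.1, 0.2, 0.3, 0.4, 0.5};  // one too many
    std::cout << std::boolalpha
              << "slow client aborted:  " << wouldAbort(slow) << "\n"
              << "exact client aborted: " << wouldAbort(exact) << "\n"
              << "burst client aborted: " << wouldAbort(burst) << "\n";
    return 0;
}
```

The boundary cases matter in practice: five renegotiations in a window are tolerated, the sixth trips the limit, and an event exactly kWindowSeconds old is already outside the window, so a client that renegotiates once every ten seconds is never cut off.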

14137. By Amos Jeffries

Detect HTTP header ACL issues

rep_header and req_header ACL types cannot match multiple different
headers in one test (unlike Squid-2 appears to have done). Produce
an ERROR and ignore the extra line(s) instead of silently changing
all the previous regex to match the second header name.

Also detect and ERROR when header name is missing entirely. Ignore
these lines instead of asserting.
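The two checks described in r14137, as an added C++ example that is not Squid's configuration parser: a req_header/rep_header ACL whose later line names a different header is reported as an ERROR and that line ignored (instead of silently retargeting the earlier regexes), and a line with no header name is likewise reported and ignored. The function name checkHeaderAcls, the result structs, and the squid.conf fragment in kSampleConfig are constructed for this example; only the `acl NAME req_header|rep_header HEADER [-i] REGEX` line shape is taken from Squid's documented syntax.

```cpp
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <vector>

struct HeaderAcl {
    std::string header;                // the one header name this ACL may match
    std::vector<std::string> patterns; // regex (with any flags) per accepted line
};

struct CheckResult {
    std::map<std::string, HeaderAcl> acls; // ACL name -> definition
    std::vector<std::string> errors;       // one message per ignored line
};

// Scan a squid.conf fragment for rep_header/req_header ACL lines and apply
// the two rules from r14137: every line of one ACL must name the same header,
// and a line with no header name at all is an error. Offending lines are
// reported and ignored rather than merged. Other ACL types and non-acl lines
// are skipped; this is an illustration, not Squid's real parser.
CheckResult checkHeaderAcls(const std::string& config) {
    CheckResult result;
    std::istringstream in(config);
    std::string line;
    int lineNo = 0;
    while (std::getline(in, line)) {
        ++lineNo;
        std::istringstream tok(line);
        std::string kw, name, type, header;
        if (!(tok >> kw) || kw != "acl")
            continue;
        if (!(tok >> name >> type))
            continue;
        if (type != "req_header" && type != "rep_header")
            continue;
        const std::string where = "line " + std::to_string(lineNo) + ": ERROR: ";
        if (!(tok >> header)) {
            result.errors.push_back(where + type + " ACL '" + name +
                                    "' has no header name; line ignored");
            continue;
        }
        // The rest of the line (flags plus regex) is kept verbatim.
        std::string rest;
        std::getline(tok, rest);
        const std::string::size_type start = rest.find_first_not_of(" \t");
        const std::string pattern =
            (start == std::string::npos) ? "" : rest.substr(start);

        auto it = result.acls.find(name);
        if (it == result.acls.end()) {
            result.acls[name] = HeaderAcl{header, {pattern}};
        } else if (it->second.header != header) {
            result.errors.push_back(where + "ACL '" + name + "' already matches header " +
                                    it->second.header + " and cannot also match " +
                                    header + "; line ignored");
        } else {
            it->second.patterns.push_back(pattern);
        }
    }
    return result;
}

// Constructed squid.conf fragment for this example (not from a real deployment).
const char* const kSampleConfig =
    "# constructed sample\n"
    "acl bad_ua req_header User-Agent -i ^curl\n"
    "acl bad_ua req_header User-Agent -i ^wget\n"
    "acl bad_ua req_header X-Forwarded-For ^10\\.\n"   // second header name: ERROR
    "acl no_hdr rep_header\n"                          // no header name: ERROR
    "acl lan src 10.0.0.0/8\n";                        // other ACL type: skipped

int main() {
    const CheckResult r = checkHeaderAcls(kSampleConfig);
    for (const auto& e : r.errors)
        std::cerr << e << "\n";
    for (const auto& kv : r.acls)
        std::cout << "acl " << kv.first << " matches " << kv.second.header
                  << " against " << kv.second.patterns.size() << " pattern(s)\n";
    return 0;
}
```

Run against the sample, bad_ua keeps both User-Agent patterns, the X-Forwarded-For line and the headerless no_hdr line each produce one ERROR and define nothing, and the src ACL is left alone. If you want several headers to trigger the same policy, define one ACL per header name and list them all on the http_access line.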

14136. By Frederic Bourgeois

Fix some spelling mistakes

14135. By Source Maintenance

SourceFormat Enforcement

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)