diff --git a/debian/control b/debian/control
index 629cbbee4c9658e5b45faaf58b80ec12edc5a7b4..de8d58354b84ce4715f70a399f5fcff3f6d02bfc 100644
--- a/debian/control
+++ b/debian/control
@@ -35,21 +35,26 @@ Pre-Depends: ${misc:Pre-Depends}, adduser
 Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, logrotate (>= 3.5.4-1), squid-common (>= ${source:Version}), lsb-base, libdbi-perl
 Suggests: squidclient, squid-cgi, squid-purge, resolvconf (>= 0.40), smbclient, ufw, winbind, apparmor
 Recommends: libcap2-bin [linux-any], ca-certificates
-Conflicts: squid-openssl
+Conflicts: squid-openssl (<< 4.16-2)
 Description: Full featured Web Proxy cache (HTTP proxy GnuTLS flavour)
 Squid is a high-performance proxy caching server for web clients, supporting FTP, gopher, ICY and HTTP data objects.
+ .
+ This package provides Squid binaries supporting HTTPS features
+ without SSL-Bump (HTTPS interception).
 Package: squid-openssl
 Architecture: any
-Pre-Depends: ${misc:Pre-Depends}, adduser
-Depends: ${shlibs:Depends}, ${misc:Depends}, netbase, logrotate (>= 3.5.4-1), squid-common (>= ${source:Version}), lsb-base, libdbi-perl
-Suggests: squidclient, squid-cgi, squid-purge, resolvconf (>= 0.40), smbclient, ufw, winbind, apparmor
-Recommends: libcap2-bin [linux-any], ca-certificates
-Conflicts: squid
+Pre-Depends: ${misc:Pre-Depends}, squid
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Recommends: ca-certificates
+Conflicts: squid (<< 4.16-2)
 Description: Full featured Web Proxy cache (HTTP proxy OpenSSL flavour)
 Squid is a high-performance proxy caching server for web clients, supporting FTP, gopher, ICY and HTTP data objects.
+ .
+ This package provides Squid binaries supporting full SSL-Bump features for
+ with SSL-Bump (HTTPS interception) using OpenSSL.
 Package: squid-common
 Architecture: all
diff --git a/debian/rules b/debian/rules
index 85d55f30027a5ea7dc5cbf2012e0a041e44bf803..f2b83f7301828274a5f0acb8d183b75ddef471d3 100755
--- a/debian/rules
+++ b/debian/rules
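Review bot: In the squid-openssl stanza of debian/control, the new `Pre-Depends: ${misc:Pre-Depends}, squid` carries no version, so the OpenSSL binary can be installed next to a squid package from a different build. After this change squid-openssl ships only its own binary and the certificate generator, and takes helpers, configuration, the proxy user and the AppArmor profile from squid, so a security upload is only fully applied when both packages move together. I would tie them with `Depends: ${shlibs:Depends}, ${misc:Depends}, squid (= ${binary:Version})` and keep Pre-Depends to `${misc:Pre-Depends}` unless unpack-time ordering is really required. The last two added description lines also read "features for" / "with SSL-Bump", which looks like a leftover word.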
@@ -83,7 +83,8 @@ override_dh_auto_configure:
 --with-gnutls
 cd debian/build-openssl && dh_auto_configure -- ${DEB_CONFIGURE_EXTRA_FLAGS} \
 --with-openssl \
- --enable-ssl-crtd
+ --enable-ssl-crtd \
+ --enable-security-cert-generators="file"
 override_dh_auto_build:
 dh_auto_build
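Review bot: The added `--enable-security-cert-generators="file"` line in debian/rules builds the on-disk certificate generator, but nothing in this diff documents or prepares the certificate database that helper writes to. That database holds the certificates and keys generated for intercepted sites, so it needs to be initialised for the proxy user and kept unreadable to other accounts; as far as the visible packaging shows, this is left to the administrator. I would say so in a comment above the `cd debian/build-openssl` line, for example `# security_file_certgen: the certificate database is not created by the package; initialise it as user proxy before enabling ssl_bump`. The override_dh_auto_configure recipe starts outside this hunk.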
@@ -102,54 +103,40 @@ override_dh_installinit:
 dh_installinit -psquid-openssl --name=squid
 execute_after_dh_auto_install:
+ # squid-purge Package
+ mv $(INSTALLDIR)/usr/bin/purge $(INSTALLDIR)/usr/bin/squid-purge
+ install -m 755 -g root -d $(INSTALLDIR)/usr/share/man/man1
+ mv $(INSTALLDIR)/usr/share/man/man1/purge.1 $(INSTALLDIR)/usr/share/man/man1/squid-purge.1
+ # squid-openssl Package
+ mv $(INSTALLDIR)-openssl/usr/sbin/squid $(INSTALLDIR)/usr/sbin/squid-openssl
+ # squid-cgi Package
 install -m 755 -g root -d $(INSTALLDIR)/usr/lib/cgi-bin
- install -m 755 -g root -d $(INSTALLDIR)-openssl/usr/lib/cgi-bin
- install -m 644 $(INSTALLDIR)/etc/squid/squid.conf.documented $(INSTALLDIR)-openssl/etc/squid/squid.conf
+ mv $(INSTALLDIR)/usr/lib/squid/cachemgr.cgi $(INSTALLDIR)/usr/lib/cgi-bin/cachemgr.cgi
+ # squid-gnutls Package
+ mv $(INSTALLDIR)/usr/sbin/squid $(INSTALLDIR)/usr/sbin/squid-gnutls
 install -m 644 $(INSTALLDIR)/etc/squid/squid.conf.documented $(INSTALLDIR)/etc/squid/squid.conf
 install -m 755 -g root -d $(INSTALLDIR)/etc/squid/conf.d
- install -m 755 -g root -d $(INSTALLDIR)-openssl/etc/squid/conf.d
 install -m 644 -g root debian/debian.conf $(INSTALLDIR)/etc/squid/conf.d/debian.conf
- install -m 644 -g root debian/debian.conf $(INSTALLDIR)-openssl/etc/squid/conf.d/debian.conf
- rm $(INSTALLDIR)-openssl/usr/lib/squid/cachemgr.cgi
- mv $(INSTALLDIR)/usr/lib/squid/cachemgr.cgi $(INSTALLDIR)/usr/lib/cgi-bin/cachemgr.cgi
- install -m 755 -g root -d $(INSTALLDIR)-openssl/etc/init.d
- install -m 755 -g root -d $(INSTALLDIR)-openssl/etc/logrotate.d
- install -m 755 -g root -d $(INSTALLDIR)-openssl/etc/resolvconf
- install -m 755 -g root -d $(INSTALLDIR)-openssl/etc/resolvconf/update-libc.d
- install -m 755 -g root -d $(INSTALLDIR)-openssl/etc/ufw/applications.d
- #install -m 755 -g root -d $(INSTALLDIR)/etc/init.d
- install -m 755 -g root -d $(INSTALLDIR)/etc/logrotate.d
+ install -m 755 -g root -d debian/squid/var/log
+ install -m 750 -o proxy -g proxy -d debian/squid/var/log/squid
+ install -m 755 -g root -d debian/squid/var/spool
+ install -m 750 -o proxy -g proxy -d debian/squid/var/spool/squid
+ # resolvconf Support
 install -m 755 -g root -d $(INSTALLDIR)/etc/resolvconf
 install -m 755 -g root -d $(INSTALLDIR)/etc/resolvconf/update-libc.d
- install -m 755 -g root -d $(INSTALLDIR)/etc/ufw/applications.d
- install -m 755 -g root debian/squid.resolvconf $(INSTALLDIR)-openssl/etc/resolvconf/update-libc.d/squid
- install -m 644 -g root debian/squid.logrotate $(INSTALLDIR)-openssl/etc/logrotate.d/squid
- install -m 644 -g root debian/squid.ufw.profile $(INSTALLDIR)-openssl/etc/ufw/applications.d/squid
 install -m 755 -g root debian/squid.resolvconf $(INSTALLDIR)/etc/resolvconf/update-libc.d/squid
- install -m 644 -g root debian/squid.logrotate $(INSTALLDIR)/etc/logrotate.d/squid
+ # ufw Support
+ install -m 755 -g root -d $(INSTALLDIR)/etc/ufw/applications.d
 install -m 644 -g root debian/squid.ufw.profile $(INSTALLDIR)/etc/ufw/applications.d/squid
- install -m 755 -g root -d debian/squid-openssl/var/log
- install -m 755 -g root -d debian/squid-openssl/var/spool
- install -m 755 -g root -d debian/squid/var/log
- install -m 755 -g root -d debian/squid/var/spool
- install -m 750 -o proxy -g proxy -d debian/squid-openssl/var/log/squid
- install -m 750 -o proxy -g proxy -d debian/squid-openssl/var/spool/squid
- install -m 750 -o proxy -g proxy -d debian/squid/var/log/squid
- install -m 750 -o proxy -g proxy -d debian/squid/var/spool/squid
- install -m 755 -g root -d $(INSTALLDIR)-openssl/usr/share/man/man1
- install -m 755 -g root -d $(INSTALLDIR)/usr/share/man/man1
- rm $(INSTALLDIR)-openssl/usr/bin/purge
- rm $(INSTALLDIR)-openssl/usr/share/man/man1/purge.1
- mv $(INSTALLDIR)/usr/bin/purge $(INSTALLDIR)/usr/bin/squid-purge
- mv $(INSTALLDIR)/usr/share/man/man1/purge.1 $(INSTALLDIR)/usr/share/man/man1/squid-purge.1
- install -m 755 -g root -d $(INSTALLDIR)-openssl/etc/apparmor.d/force-complain
- install -m 755 -g root -d $(INSTALLDIR)-openssl/etc/apparmor.d/disable
+ # apparmor Support
+ install -m 755 -g root -d $(INSTALLDIR)/etc/apparmor.d
 install -m 755 -g root -d $(INSTALLDIR)/etc/apparmor.d/force-complain
 install -m 755 -g root -d $(INSTALLDIR)/etc/apparmor.d/disable
- install -m 644 -g root debian/usr.sbin.squid $(INSTALLDIR)-openssl/etc/apparmor.d
 install -m 644 -g root debian/usr.sbin.squid $(INSTALLDIR)/etc/apparmor.d
- dh_apparmor --profile-name=usr.sbin.squid -psquid-openssl
 dh_apparmor --profile-name=usr.sbin.squid -psquid
+ # logrotate Support
+ install -m 755 -g root -d $(INSTALLDIR)/etc/logrotate.d
+ install -m 644 -g root debian/squid.logrotate $(INSTALLDIR)/etc/logrotate.d/squid
 override_dh_install:
 dh_install -psquid -psquid-common -psquidclient -psquid-cgi -psquid-purge \
diff --git a/debian/squid-openssl.alternatives b/debian/squid-openssl.alternatives
new file mode 100644
index 0000000000000000000000000000000000000000..556886c1d016f68977e4f7ad3c8265f73d6f8425
--- /dev/null
+++ b/debian/squid-openssl.alternatives
@@ -0,0 +1,4 @@
+Name: squid
+Link: /usr/sbin/squid
+Alternative: /usr/sbin/squid-openssl
+Priority: 50
diff --git a/debian/squid-openssl.dirs b/debian/squid-openssl.dirs
deleted file mode 100644
index 5d47ccb6f325cfa7fe128060894c87faa7a7e913..0000000000000000000000000000000000000000
--- a/debian/squid-openssl.dirs
+++ /dev/null
@@ -1 +0,0 @@
-/lib/systemd/system
\ No newline at end of file
diff --git a/debian/squid-openssl.install b/debian/squid-openssl.install
index 2e9045131ef2955ec46333f3f9a50e5d560fe6a2..d3ce7314c701bcb2a339cdc5444e5e2ca6545874 100644
--- a/debian/squid-openssl.install
+++ b/debian/squid-openssl.install
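Review bot: In execute_after_dh_auto_install of debian/rules the daemons are renamed to `/usr/sbin/squid-gnutls` and `/usr/sbin/squid-openssl`, while the AppArmor lines still install `debian/usr.sbin.squid` unchanged and call `dh_apparmor --profile-name=usr.sbin.squid -psquid`. AppArmor attaches a profile by the path of the executable that is actually run, and `/usr/sbin/squid` becomes an alternatives symlink, so if the profile (not part of this diff) still names `/usr/sbin/squid`, neither renamed binary would be confined. The profile's attachment should cover both new paths, e.g. `/usr/sbin/squid{,-gnutls,-openssl}`, and permit `security_file_certgen` for the OpenSSL flavour. Running `aa-status` after the service starts confirms whether the daemon is in enforce mode.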
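Review bot: In debian/squid-openssl.alternatives the OpenSSL binary registers with `Priority: 50`, below the `Priority: 60` that debian/squid.alternatives (later in this diff) gives squid-gnutls, and squid-openssl pre-depends on squid, so both alternatives are always registered together. In automatic mode `/usr/sbin/squid` therefore keeps pointing at the GnuTLS build after squid-openssl is installed, and an administrator who installed it for SSL-Bump keeps running a binary without that support until they run `update-alternatives --set squid /usr/sbin/squid-openssl`. If the explicitly installed flavour is meant to win, give squid-openssl the higher value, e.g. `Priority: 70`; otherwise the manual switch should be documented in the package description or README.Debian.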
@@ -1,32 +1,2 @@
-etc/squid/squid.conf
-etc/squid/conf.d
-etc/squid/errorpage.css
-etc/logrotate.d
-etc/resolvconf
-etc/ufw
-usr/lib/squid
-usr/sbin/squid
-usr/share/man/man8/basic_db_auth.8
-usr/share/man/man8/basic_getpwnam_auth.8
-usr/share/man/man8/basic_ldap_auth.8
-usr/share/man/man8/basic_ncsa_auth.8
-usr/share/man/man8/basic_pam_auth.8
-usr/share/man/man8/basic_pop3_auth.8
-usr/share/man/man8/basic_radius_auth.8
-usr/share/man/man8/basic_sasl_auth.8
-usr/share/man/man8/digest_file_auth.8
-usr/share/man/man8/ext_file_userip_acl.8
-usr/share/man/man8/ext_ldap_group_acl.8
-usr/share/man/man8/ext_session_acl.8
-usr/share/man/man8/ext_sql_session_acl.8
-usr/share/man/man8/ext_time_quota_acl.8
-usr/share/man/man8/ext_unix_group_acl.8
-usr/share/man/man8/ext_wbinfo_group_acl.8
-usr/share/man/man8/log_db_daemon.8
-usr/share/man/man8/negotiate_kerberos_auth.8
-usr/share/man/man8/security_fake_certverify.8
-usr/share/man/man8/storeid_file_rewrite.8
-usr/share/man/man8/squid.8
-etc/apparmor.d/disable
-etc/apparmor.d/force-complain
-etc/apparmor.d/usr.sbin.squid
+usr/lib/squid/security_file_certgen
+usr/sbin/squid-openssl
diff --git a/debian/squid-openssl.postinst b/debian/squid-openssl.postinst
deleted file mode 100644
index f64fd4911e42f9484ed1ddaf66246ad82e85d6e4..0000000000000000000000000000000000000000
--- a/debian/squid-openssl.postinst
+++ /dev/null
@@ -1,89 +0,0 @@
-#! /bin/sh
-
-set -e
-
-grepconf () {
- w=" " # space tab
- # sed is cool.
- res=`squid -k parse 2>&1 |
- grep "Processing:" |
- sed s/.*Processing:\ // |
- sed -ne '
- s/^'$1'['"$w"']\+\([^'"$w"']\+\).*$/\1/p;
- t end;
- d;
- :end q'`
- [ -n "$res" ] || res=$2
- echo "$res"
-}
-
-grepconf2 () {
- w=" " # space tab
- # sed is cool.
- res=`squid -k parse 2>&1 |
- grep "Processing:" |
- sed s/.*Processing:\ // |
- sed -ne '
- s/^'$1'['"$w"']\+[^'"$w"']\+['"$w"']\+\([^'"$w"']\+\).*$/\1/p;
- t end;
- d;
- :end q'`
- [ -n "$res" ] || res=$2
- echo "$res"
-}
-
-case "$1" in
- configure)
- #
- # Chown the directories.
- #
- log_dir=/var/log/squid
- cache_dir=`grepconf2 cache_dir /var/spool/squid`
- usr=`grepconf cache_effective_user proxy`
- grp=`grepconf cache_effective_group proxy`
-
- if [ "$(stat -c %U $cache_dir)" != "$usr" ] ||
- [ "$(stat -c %G $cache_dir)" != "$grp" ] ; then
- chown $usr:$grp $cache_dir
- fi
-
- if [ "$(stat -c %U $log_dir)" != "$usr" ] ||
- [ "$(stat -c %G $log_dir)" != "$grp" ] ; then
- if [ "$(dpkg-statoverride --list $log_dir)" = "" ] ; then
- chown $usr:$grp $log_dir
- fi
- fi
-
- # If we have setcap is installed, try setting cap_net_raw+ep,
- # which allows us to install our binaries without the setuid
- # bit.
- PINGER=/usr/lib/squid/pinger
- if command -v setcap > /dev/null; then
- if setcap cap_net_raw+ep $PINGER; then
- echo "Setcap worked! $PINGER is not suid!"
- else
- echo "Setcap failed on $PINGER, falling back to setuid" >&2
- chmod u+s $PINGER
- fi
- else
- echo "Setcap is not installed, falling back to setuid" >&2
- chmod u+s $PINGER
- fi
-
- ;;
- abort-upgrade|abort-remove|abort-deconfigure)
- ;;
- *)
- #
- # Unknown action - do nothing.
- #
- exit 0
- ;;
-esac
-
-# dh_installdeb will replace this with shell code automatically
-# generated by other debhelper scripts.
-
-#DEBHELPER#
-
-exit 0
diff --git a/debian/squid-openssl.postrm b/debian/squid-openssl.postrm
deleted file mode 100644
index 043d6182bb89b7539203da8ad170b08b1885a16b..0000000000000000000000000000000000000000
--- a/debian/squid-openssl.postrm
+++ /dev/null
@@ -1,54 +0,0 @@
-#! /bin/sh
-
-set -e
-
-case "$1" in
- remove)
- ;;
- purge)
- #
- # We do not remove /var/spool/squid because that might
- # take a lot of time. Most of the time it is on a seperate
- # disk anyway and it is faster to do a mkfs on it..
- #
- echo "Log and cache files are not automatically removed."
- echo "These files are used by squid and squid-openssl flavours."
- echo "Remove logs (/var/log/squid) and cache (/var/spool/squid) yourself"
- echo "if you no longer need them."
- ;;
- failed-upgrade|abort-upgrade|upgrade|abort-install|disappear)
- ;;
-esac
-
-# Manually added while we don't solve #984897 on debhelper
-if [ "$1" = "purge" ] && ! [ -e /etc/init.d/squid ]; then
- update-rc.d squid remove >/dev/null
-fi
-if [ -d /run/systemd/system ] && [ "$1" = remove ]; then
- systemctl --system daemon-reload >/dev/null || true
-fi
-if [ "$1" = "remove" ]; then
- if [ -x "/usr/bin/deb-systemd-helper" ]; then
- deb-systemd-helper mask 'squid.service' >/dev/null || true
- fi
-fi
-
-if [ "$1" = "purge" ] && ! [ -e /lib/systemd/system/squid.service ]; then
- if [ -x "/usr/bin/deb-systemd-helper" ]; then
- deb-systemd-helper purge 'squid.service' >/dev/null || true
- deb-systemd-helper unmask 'squid.service' >/dev/null || true
- fi
-fi
-if [ "$1" = "purge" ] && ! [ -e "/etc/apparmor.d/usr.sbin.squid" ] ; then
- rm -f "/etc/apparmor.d/disable/usr.sbin.squid" || true
- rm -f "/etc/apparmor.d/force-complain/usr.sbin.squid" || true
- rm -f "/etc/apparmor.d/local/usr.sbin.squid" || true
- rm -f /var/cache/apparmor/*/"usr.sbin.squid" || true
- rmdir /etc/apparmor.d/disable 2>/dev/null || true
- rmdir /etc/apparmor.d/local 2>/dev/null || true
- rmdir /etc/apparmor.d 2>/dev/null || true
-fi
-# End manually added section
-
-
-exit 0
diff --git a/debian/squid-openssl.preinst b/debian/squid-openssl.preinst
deleted file mode 100644
index 2cf69037774e78d059f96377a794b4fce8035e78..0000000000000000000000000000000000000000
--- a/debian/squid-openssl.preinst
+++ /dev/null
@@ -1,43 +0,0 @@
-#! /bin/sh
-
-set -e
-
-#
-# Add the "proxy" user/group to /etc/passwd if needed.
-#
-
-if ! getent passwd proxy
-then
- #
- # Let's hope that this works; if /var/spool/squid is
- # already present this fails :(
- #
- adduser --system --home /var/spool/squid --group proxy
- #
- # Change the shell so that cron jobs will work.
- # (They run as root now, but you can never know).
- #
- chsh -s /bin/sh proxy
-fi
-
-disable_profile() {
- APP_CONFFILE="/etc/apparmor.d/usr.sbin.squid"
- APP_DISABLE="/etc/apparmor.d/disable/usr.sbin.squid"
- # Create a symlink to the yet-to-be-unpacked profile
- if [ ! -e "$APP_CONFFILE" ]; then
- mkdir -p `dirname $APP_DISABLE` 2>/dev/null || true
- ln -sf $APP_CONFFILE $APP_DISABLE
- fi
-}
-
-if [ "$1" = "install" ]; then
- # Disable AppArmor profile on install
- disable_profile
-fi
-
-# dh_installdeb will replace this with shell code automatically
-# generated by other debhelper scripts.
-
-#DEBHELPER#
-
-exit 0
diff --git a/debian/squid-openssl.prerm b/debian/squid-openssl.prerm
deleted file mode 100644
index 82996a7eab90e08200aaabca208d82649fc9c7af..0000000000000000000000000000000000000000
--- a/debian/squid-openssl.prerm
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/sh
-
-set -e
-
-case "$1" in
- remove|remove-in-favour|deconfigure-in-favour)
- #
- # Stop the daemon
- #
- invoke-rc.d squid stop
- ;;
- upgrade|failed-upgrade)
- ;;
-esac
-
-# dh_installdeb will replace this with shell code automatically
-# generated by other debhelper scripts.
-
-#DEBHELPER#
-
-exit 0
diff --git a/debian/squid-openssl.squid.init b/debian/squid-openssl.squid.init
deleted file mode 120000
index 96a7e12fd16c035a7f54a660d28468d4609a2a27..0000000000000000000000000000000000000000
--- a/debian/squid-openssl.squid.init
+++ /dev/null
@@ -1 +0,0 @@
-squid.init
\ No newline at end of file
diff --git a/debian/squid-openssl.squid.service b/debian/squid-openssl.squid.service
deleted file mode 120000
index 88e9f12e8ea7ae0a0da46d4f3c8b3c491a720f78..0000000000000000000000000000000000000000
--- a/debian/squid-openssl.squid.service
+++ /dev/null
@@ -1 +0,0 @@
-../tools/systemd/squid.service
\ No newline at end of file
diff --git a/debian/squid-openssl.tmpfile b/debian/squid-openssl.tmpfile
deleted file mode 100644
index a45d96ccf7a10f9b5d679df12bc8603039af1c27..0000000000000000000000000000000000000000
--- a/debian/squid-openssl.tmpfile
+++ /dev/null
@@ -1 +0,0 @@
-d /run/squid 0755 proxy proxy -
diff --git a/debian/squid.alternatives b/debian/squid.alternatives
new file mode 100644
index 0000000000000000000000000000000000000000..eaa13702180b23bdc3e4859806eaa9404347d06e
--- /dev/null
+++ b/debian/squid.alternatives
@@ -0,0 +1,4 @@
+Name: squid
+Link: /usr/sbin/squid
+Alternative: /usr/sbin/squid-gnutls
+Priority: 60
diff --git a/debian/squid.install b/debian/squid.install
index 2e9045131ef2955ec46333f3f9a50e5d560fe6a2..a41c63151015c9b1badc0ae9a272e2b085bb12a0 100644
--- a/debian/squid.install
+++ b/debian/squid.install
@@ -5,7 +5,7 @@ etc/logrotate.d
 etc/resolvconf
 etc/ufw
 usr/lib/squid
-usr/sbin/squid
+usr/sbin/squid-gnutls
 usr/share/man/man8/basic_db_auth.8
 usr/share/man/man8/basic_getpwnam_auth.8
 usr/share/man/man8/basic_ldap_auth.8