wok-backports rev 28
squidguard: Add support for squid 3.4.x
author | Eric Joseph-Alexandre <erjo@slitaz.org> |
---|---|
date | Wed May 28 23:56:03 2014 +0200 (2014-05-28) |
parents | 1fad0cb29187 |
children | e12ce24a43fa |
files | squidguard/receipt squidguard/stuff/squidGuard-1.4-dnsbl.patch squidguard/stuff/squidGuard-1.4_upgrade.patch |
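--- a/squidguard/receipt
+++ b/squidguard/receipt
@@ -27,6 +27,10 @@
 squidGuard-1.4-patch-20091015.tar.gz
 squidGuard-1.4-patch-20091019.tar.gz
 EOT
+ # Add support for squid 3.4
+ patch -p1 < $stuff/squidGuard-1.4_upgrade.patch
+ patch -p1 < $stuff/squidGuard-1.4-dnsbl.patch
+
 ./configure --prefix=/usr --infodir=/usr/share/info \
 --sysconfdir=/etc --with-sg-config=/etc/squidGuard/squidGuard.conf \
 --with-sg-logdir=/var/lib/squidGuard/log \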
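Review bot: Neither added `patch -p1` call checks its exit status, so a patch that fails or applies only partly would appear to let the recipe continue into `./configure` and package a squidGuard that is unpatched or half-patched. The enclosing recipe function starts outside the hunk, so any global error handling is not visible here; if there is none, use `patch -p1 < "$stuff/squidGuard-1.4_upgrade.patch" || exit 1` (or `return 1` inside a recipe function) and the same for the dnsbl patch. The comment `# Add support for squid 3.4` also sits over the dnsbl patch, which adds an unrelated feature (live DNS blacklist lookups); a separate comment such as `# Add DNS blacklist (dnsbl) ACL support` would make that visible to the next maintainer.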
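--- /dev/null
+++ b/squidguard/stuff/squidGuard-1.4-dnsbl.patch
@@ -0,0 +1,282 @@
+diff -Naurb squidGuard-1.4/doc/configuration.html squidGuard-1.4-dnsbl/doc/configuration.html
+--- squidGuard-1.4/doc/configuration.html 2007-11-16 17:58:32.000000000 +0100
++++ squidGuard-1.4-dnsbl/doc/configuration.html 2009-03-04 18:07:15.000000000 +0100
+@@ -1630,6 +1630,15 @@
+ "<B><TT>^[^:/]+://[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}($|[:/])</TT></B>".
+ </DD>
+ <DT>
++ <B>dnsbl</B>
++ </DT>
++ <DD>
++ <B>!dnsbl</B> can be used to dynamically check domain names against
++ DNS-based blacklists, such as black.uribl.com, which is the default.
++ The DNS blacklist can be set to another domain by setting
++ !dnsbl:your.blacklist.domain.com
++ </DD>
++ <DT>
+ <B>any</B>
+ </DT>
+ <DD>
+@@ -2419,6 +2428,9 @@
+ even if they would match a blocking regex:
+ <BR>
+ <TT><B>+</B></TT> limiting the usage of IP-address URLs:
++ <BR>
++ <TT><B>+</B></TT> blocking sites known to be part of the
++ black.uribl.com DNS blacklist.
+ </P>
+
+ <TT>
+@@ -2442,7 +2454,7 @@
+
+ acl {
+ default {
+- pass local good !in-addr !porn all
++ pass local good !in-addr !porn !dnsbl:black.uribl.com all
+ redirect http://localhost/cgi/blocked?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u
+ }
+ }
+diff -Naurb squidGuard-1.4/doc/configuration.txt squidGuard-1.4-dnsbl/doc/configuration.txt
+--- squidGuard-1.4/doc/configuration.txt 2007-11-16 17:58:32.000000000 +0100
++++ squidGuard-1.4-dnsbl/doc/configuration.txt 2009-03-04 18:09:39.000000000 +0100
+@@ -637,6 +637,12 @@
+ "^[^:/]+://[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9
+ ]\{1,3\}($|[:/])".
+
++ dnsbl
++ !dnsbl can be used to dynamically check domain names against
++ DNS-based blacklists, such as black.uribl.com, which is the default.
++ The DNS blacklist can be set to another domain by setting
++ !dnsbl:your.blacklist.domain.com
++
+ any
+ matches any URL and is a fast equivalent to the
+ expression ".*".
+@@ -1052,6 +1058,7 @@
+ + ensuring local and good sites are passed even if they would match a
+ blocking regex:
+ + limiting the usage of IP-address URLs:
++ + blocking sites known to be part of the black.uribl.com DNS blacklist:
+ logdir /usr/local/squidGuard/log
+ dbhome /usr/local/squidGuard/db
+
+@@ -1071,7 +1078,7 @@
+
+ acl {
+ default {
+- pass local good !in-addr !porn all
++ pass local good !in-addr !porn !dnsbl:black.uribl.com all
+ redirect http://localhost/cgi/blocked?clientaddr=%a&clientname=%n&
+ clientuser=%i&clientgroup=%s&url=%u
+ }
+diff -Naurb squidGuard-1.4/doc/extended.html squidGuard-1.4-dnsbl/doc/extended.html
+--- squidGuard-1.4/doc/extended.html 2007-11-16 17:58:37.000000000 +0100
++++ squidGuard-1.4-dnsbl/doc/extended.html 2009-03-04 18:15:59.000000000 +0100
+@@ -168,6 +168,34 @@
+ </pre>
+ </td></tr></table>
+ <br><br>
++
++<li> <a name=notIP> <b>Using online DNS blacklists</b></a><br><br>
++Several DNS based databases can be used to block domain names referrenced in
++blacklists. First choose which database you would like to trust (some well known
++are : http://www.uribl.com/, or http://www.surbl.org/).
++Be aware that this will raise several DNS requests every time squidGuard
++receives a request to filter. SquidGuard will not cache any DNS result, so make
++sure your DNS server does, and mesure the performance impact before using on
++production.
++To get squidGuard to request DNS dynamically and block listed domain names, just use :
++<br><br>
++<table width="75%" cellpadding="0" cellspacing="0" style="background-color: #f2fff0; border: solid 1px #2299bf;">
++<tr>
++<td style="background-color: #77afaf; border-bottom: 1px solid #888;"> <font size="-1" color=white>Blocking domain names referenced in a DNS blacklist</font>
++</td></tr>
++<tr>
++<td>
++<pre> acl {
++ default {
++ pass !dnsbl:black.uribl.com all
++ redirect http://localhost/block.html
++ }
++ }
++</pre>
++</td></tr>
++</table>
++<br><br>
++
+ <li><a name=blocklog><b>Logging blocked access tries</b></a>
+ <br><br>
+ It may be of interest who is accessing blocked sites. To track that
+diff -Naurb squidGuard-1.4/doc/extended.txt squidGuard-1.4-dnsbl/doc/extended.txt
+--- squidGuard-1.4/doc/extended.txt 2007-11-16 17:58:32.000000000 +0100
++++ squidGuard-1.4-dnsbl/doc/extended.txt 2009-03-04 18:18:01.000000000 +0100
+@@ -100,6 +100,29 @@
+ 172.16.12.0/255.255.255.0
+ 10.5.3.1/28
+
++ Using online DNS blacklists
++ Several DNS based databases can be used to block domain names referrenced in
++ blacklists. First choose which database you would like to trust (some well known
++ are : http://www.uribl.com/, or http://www.surbl.org/).
++ Be aware that this will raise several DNS requests every time squidGuard
++ receives a request to filter. SquidGuard will not cache any DNS result, so make
++ sure your DNS server does, and mesure the performance impact before using on
++ production.
++ To get squidGuard to request DNS dynamically and block listed domain names, just use :
++acl {
++ default {
++ pass !dnsbl:black.uribl.com all
++ redirect http://localhost/block.html
++ }
++}
++
++
++
++
++
++
++
++
+ Logging blocked access tries
+ It may be of interest who is accessing blocked sites. To track that
+ down you can add a log directive to your src or dest definitions in
+diff -Naurb squidGuard-1.4/src/sg.h.in squidGuard-1.4-dnsbl/src/sg.h.in
+--- squidGuard-1.4/src/sg.h.in 2007-11-16 17:58:32.000000000 +0100
++++ squidGuard-1.4-dnsbl/src/sg.h.in 2009-03-04 17:38:32.000000000 +0100
+@@ -68,6 +68,7 @@
+ #define ACL_TYPE_DEFAULT 1
+ #define ACL_TYPE_TERMINATOR 2
+ #define ACL_TYPE_INADDR 3
++#define ACL_TYPE_DNSBL 4
+
+ #define REQUEST_TYPE_REWRITE 1
+ #define REQUEST_TYPE_REDIRECT 2
+@@ -301,6 +302,7 @@
+
+ struct AclDest {
+ char *name;
++ char *dns_suffix;
+ struct Destination *dest;
+ int access;
+ int type;
+diff -Naurb squidGuard-1.4/src/sg.y.in squidGuard-1.4-dnsbl/src/sg.y.in
+--- squidGuard-1.4/src/sg.y.in 2008-05-17 20:25:18.000000000 +0200
++++ squidGuard-1.4-dnsbl/src/sg.y.in 2009-03-22 21:43:08.000000000 +0100
+@@ -2253,6 +2274,7 @@
+ int allowed;
+ #endif
+ {
++ char *subval = NULL;
+ struct Destination *dest = NULL;
+ struct sgRewrite *rewrite = NULL;
+ struct AclDest *acldest;
+@@ -2264,6 +2286,9 @@
+ allowed=0;
+ else if(!strcmp(value,"in-addr")){
+ type = ACL_TYPE_INADDR;
++ } else if (!strncmp(value,"dnsbl",5)) {
++ subval = strstr(value,":");
++ type = ACL_TYPE_DNSBL;
+ } else {
+ if((dest = sgDestFindName(value)) == NULL){
+ sgLogFatalError("%s: ACL destination %s is not defined in configfile %s",
+@@ -2278,6 +2303,25 @@
+ acldest->dest = dest;
+ acldest->access = allowed;
+ acldest->type = type;
++ if (type == ACL_TYPE_DNSBL)
++ {
++ if ((subval==NULL) || (subval[1])=='\0')//Config does not define which dns domain to use
++ {
++ acldest->dns_suffix = (char *) sgCalloc(1,strlen(".black.uribl.com")+1);
++ strcpy(acldest->dns_suffix, ".black.uribl.com");
++ }else{
++ subval=subval+1;
++ if (strspn(subval,".-abcdefghijklmnopqrstuvwxyz0123456789") !=
++ strlen(subval) )
++ {
++ sgLogFatalError("%s: provided dnsbl \"%s\" doesn't look like a valid domain suffix",
++ progname,subval);
++ }
++ acldest->dns_suffix = (char *) sgCalloc(1,strlen(subval)+1);
++ strcpy(acldest->dns_suffix, ".");
++ strcat(acldest->dns_suffix,subval);
++ }
++ }
+ acldest->next = NULL;
+ if(lastAcl->pass == NULL){
+ lastAcl->pass = acldest;
+@@ -2365,6 +2409,56 @@
+ return acl;
+ }
+
++char *strip_fqdn(char *domain)
++{
++ char *result;
++ result=strstr(domain,".");
++ if (result == NULL)
++ return NULL;
++ return (result+1);
++}
++
++int is_blacklisted(char *domain, char *suffix)
++{
++ char target[MAX_BUF];
++ struct addrinfo *res;
++ int result;
++ //Copying domain to target
++ if (strlen(domain)+strlen(suffix)+1>MAX_BUF)
++ {
++ //Buffer overflow risk - just return and accept
++@NOLOG1@
++ if( globalDebug == 1 ) { sgLogError("dnsbl : too long domain name - accepting without actual check"); }
++@NOLOG2@
++ return(0);
++ }
++ strncpy(target,domain,strlen(domain)+1);
++ strcat(target,suffix);
++
++ result = getaddrinfo(target,NULL,NULL,&res);
++ if (result == 0) //Result is defined
++ {
++ freeaddrinfo(res);
++ return 1;
++ }
++ //If anything fails (DNS server not reachable, any problem in the resolution,
++ //let's not block anything.
++ return 0;
++}
++
++int blocked_by_dnsbl(char *domain, char *suffix)
++{
++ char *dn=domain;
++ while ((dn !=NULL) && (strchr(dn,'.')!=NULL)) //No need to lookup "com.black.uribl.com"
++ {
++ if (is_blacklisted(dn,suffix))
++ return(1);
++ dn=strip_fqdn(dn);
++ }
++ return 0;
++}
++
++
+ #if __STDC__
+ char *sgAclAccess(struct Source *src, struct Acl *acl, struct SquidInfo *req)
+ #else
+@@ -2397,6 +2491,16 @@
+ }
+ continue;
+ }
++ // http://www.yahoo.fr/ 172.16.2.32 - GET
++ if(aclpass->type == ACL_TYPE_DNSBL){
++ if (req->dot)
++ continue;
++ if (blocked_by_dnsbl(req->domain, aclpass->dns_suffix)){
++ access=0;
++ break;
++ }
++ continue;
++ }
+ if(aclpass->dest->domainlistDb != NULL){
+ result = defined(aclpass->dest->domainlistDb, req->domain, &dbdata);
+ if(result != DB_NOTFOUND) {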
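Review bot: The custom-suffix branch of the `ACL_TYPE_DNSBL` block in sg.y.in allocates one byte too few: `sgCalloc(1,strlen(subval)+1)` is followed by `strcpy(acldest->dns_suffix, ".")` and `strcat(acldest->dns_suffix,subval)`, which together write strlen(subval)+2 bytes including the terminator, so the NUL lands one byte past the heap buffer. The default branch sizes its buffer from the already-dotted literal and is fine; the fix here is `acldest->dns_suffix = (char *) sgCalloc(1,strlen(subval)+2);`. Separately, `is_blacklisted()` treats any successful `getaddrinfo()` answer as a listing, so a resolver that rewrites NXDOMAIN, or a list that answers with a non-listing status address, would presumably block every request; checking that the returned address falls in 127.0.0.0/8 with the list's documented listing code would be safer. The function containing the allocation starts outside the hunk.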
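--- /dev/null
+++ b/squidguard/stuff/squidGuard-1.4_upgrade.patch
@@ -0,0 +1,76 @@
+diff -urN squidGuard-1.4.orig/src/main.c squidGuard-1.4.upgraded/src/main.c
+--- squidGuard-1.4.orig/src/main.c 2013-12-11 17:42:15.000000000 +1300
++++ squidGuard-1.4.upgraded/src/main.c 2013-12-11 19:04:09.000000000 +1300
+@@ -175,7 +175,7 @@
+ sgReloadConfig();
+ }
+ if(failsafe_mode) {
+- puts("");
++ puts("ERR message=\"squidGuard failsafe mode\"");
+ fflush(stdout);
+ if(sig_hup){
+ sgReloadConfig();
+@@ -184,7 +184,7 @@
+ }
+ if(parseLine(buf,&squidInfo) != 1){
+ sgLogError("Error parsing squid line: %s",buf);
+- puts("");
++ puts("BH message=\"squidGuard error parsing squid line\"");
+ }
+ else {
+ src = Source;
+@@ -196,14 +196,14 @@
+ acl = sgAclCheckSource(src);
+ if((redirect = sgAclAccess(src,acl,&squidInfo)) == NULL){
+ if(src == NULL || src->cont_search == 0){
+- puts("");
++ puts("ERR");
+ break;
+ } else
+ if(src->next != NULL){
+ src = src->next;
+ continue;
+ } else {
+- puts("");
++ puts("ERR");
+ break;
+ }
+ } else {
+@@ -215,9 +215,10 @@
+ squidInfo.ident[0] = '-';
+ squidInfo.ident[1] = '\0';
+ }
+- fprintf(stdout,"%s %s/%s %s %s\n",redirect,squidInfo.src,
+- squidInfo.srcDomain,squidInfo.ident,
+- squidInfo.method);
++ if (isdigit(redirect[0]) && isdigit(redirect[1]) && isdigit(redirect[2]) && redirect[3]==':') {
++ fprintf(stdout,"OK status=%c%c%c url=\"%s\"\n", redirect[0], redirect[1], redirect[2], &redirect[4]);
++ } else
++ fprintf(stdout,"OK rewrite-url=\"%s\"\n",redirect);
+ /* sgLogError("%s %s/%s %s %s\n",redirect,squidInfo.src,squidInfo.srcDomain,squidInfo.ident,squidInfo.method); */
+ break;
+ }
+diff -urN squidGuard-1.4.orig/src/sgDiv.c squidGuard-1.4.upgraded/src/sgDiv.c
+--- squidGuard-1.4.orig/src/sgDiv.c 2013-12-11 17:42:15.000000000 +1300
++++ squidGuard-1.4.upgraded/src/sgDiv.c 2013-12-11 18:58:33.000000000 +1300
+@@ -771,7 +771,7 @@
+ }
+ sgLogError("Going into emergency mode");
+ while(fgets(buf, MAX_BUF, stdin) != NULL){
+- puts("");
++ puts("ERR");
+ fflush(stdout);
+ }
+ sgLogError("ending emergency mode, stdin empty");
+diff -urN squidGuard-1.4.orig/src/sgDiv.c.in squidGuard-1.4.upgraded/src/sgDiv.c.in
+--- squidGuard-1.4.orig/src/sgDiv.c.in 2013-12-11 17:42:15.000000000 +1300
++++ squidGuard-1.4.upgraded/src/sgDiv.c.in 2013-12-11 18:58:40.000000000 +1300
+@@ -782,7 +782,7 @@
+ }
+ sgLogError("Going into emergency mode");
+ while(fgets(buf, MAX_BUF, stdin) != NULL){
+- puts("");
++ puts("ERR");
+ fflush(stdout);
+ }
+ sgLogError("ending emergency mode, stdin empty");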
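Review bot: The two new `fprintf` calls in the redirect branch of main.c print `redirect` inside a double-quoted value (`url=\"%s\"` and `rewrite-url=\"%s\"`) without escaping it. squidGuard redirect templates can substitute request-derived fields such as `%u`, so a `"` reaching that string would end the value early and leave the remainder to be read as further reply keys; escape or percent-encode `"`, `\` and whitespace before printing. The `isdigit(redirect[0])` tests also take a plain `char`, where `isdigit((unsigned char)redirect[0])` avoids undefined behaviour on bytes above 0x7f, and no hunk adds `#include <ctype.h>`, so confirm main.c already includes it. The enclosing loop starts and ends outside these hunks.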