squid transparent proxy is broken

Bug #68818 reported by Martin OConnor
Affects         Status         Importance  Assigned to      Milestone
Squid           Fix Released   Low
squid (Ubuntu)  Fix Released   High        Stéphane Graber
Edgy            Fix Released   High        Stéphane Graber

Bug Description

Binary package hint: squid

In package 2.6.1-3ubuntu1, the transparent option in squid.conf is broken in Squid upstream version 2.6.RELEASE1. This has been fixed in 2.6.RELEASE2.

Recommend 2.6.RELEASE2 be added to edgy-backports.

Changed in squid:
status: Unknown → Fix Released
Kenneth Rawlings (rawlink) wrote :

I'll second this one. I replaced a Gentoo server in my DMZ providing the squid transparent proxy and couldn't figure out why it wasn't working with my brand new "Edgy" install. It took me a while to track down that it was a bug in squid and not a configuration error on my part. Refer to bug #1650 in the squid bug system.

James Troup (elmo) wrote :

We've just run into this at the allhands conference. There's a trivial workaround in the upstream bug (adding 'always_direct allow all' to the config). But this is a serious regression from dapper and really should be fixed in edgy updates if at all possible.

Changed in squid:
importance: Undecided → High
status: Unconfirmed → Confirmed
importance: Undecided → High
status: Unconfirmed → Confirmed
Martin OConnor (martinoc) wrote :

Using always_direct allow all in most cases defeats the purpose of using a proxy. I have pinned to dapper for squid until this is fixed.

Daniel Fonseca (dalraf) wrote :

I have the same trouble here. Does anybody know a .deb that I can install without the bug?

Stéphane Graber (stgraber) wrote :

As I've just had this issue on my local server, I quickly made a backport of Feisty packages.
They are available here: http://www.stgraber.org/download/ubuntu/packages/
And their use is of course at your own risk.

Changed in squid:
assignee: nobody → stgraber
Stéphane Graber (stgraber) wrote :

I have found a working patch attached to Squid Bug 1650.
I updated it a little bit to apply on the Ubuntu Edgy package and then made the attached debdiff, if someone can have a look at it.
(As it's for Edgy I didn't know what distrib and what version to put; actually I took the previous record from the changelog, which is edgy-security and -3ubuntu1.3. Let me know if you want something else.)

Changed in squid:
status: Confirmed → In Progress
Martin OConnor (martinoc) wrote :

Remember this is an upstream bug that was broken and has also been fixed upstream. Ideally, the upstream version of squid this package uses should be updated to a more recent version where the fix has been applied.

Stéphane Graber (stgraber) wrote :

Usually Ubuntu doesn't do a backport only for one bugfix if it's possible to isolate the patch and apply it to the current version of the package in Ubuntu (what I in fact did).

Stéphane Graber (stgraber) wrote :
Changed in squid:
status: Confirmed → In Progress
Martin Pitt (pitti) wrote :

Fixed upstream in 2.6.5, thus fixed in Feisty.

Changed in squid:
status: In Progress → Fix Released
Changed in squid:
assignee: nobody → stgraber
Martin Pitt (pitti) wrote :

Stephane, please rework this patch a bit. First, I am not convinced that the autoconf changes are necessary. If debian/rules actually specifies this flag, then it should just be removed there (it has to be removed anyway if configure does not offer it any more).

Also, the dpatch seems broken, since it duplicates the patches:

$ lsdiff bug-68818.debdiff
squid_2.6.1/configure
squid_2.6.1/configure.in
squid_2.6.1/include/autoconf.h.in
squid_2.6.1/src/acl.c
squid_2.6.1/src/client_side.c
squid_2.6.1/src/structs.h
configure
configure.in
include/autoconf.h.in
src/acl.c
src/client_side.c
src/structs.h

The code parts of the upstream parts look reasonable.

Changed in squid:
status: In Progress → Needs Info
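
The duplicate check done by eye on the lsdiff listing in the review comment above can be automated. This is an added example, not part of the original thread or of any Ubuntu tooling; the function names are hypothetical and the suffix-matching rule is an assumed heuristic.

```python
import re
from collections import defaultdict

# lsdiff listing quoted in the review comment above (copied from the page).
LSDIFF_OUTPUT = """\
squid_2.6.1/configure
squid_2.6.1/configure.in
squid_2.6.1/include/autoconf.h.in
squid_2.6.1/src/acl.c
squid_2.6.1/src/client_side.c
squid_2.6.1/src/structs.h
configure
configure.in
include/autoconf.h.in
src/acl.c
src/client_side.c
src/structs.h
"""

def paths_from_diff(diff_text):
    """Target paths from the '+++ ' headers of a unified diff (lsdiff-like)."""
    found = (re.match(r"\+\+\+ (\S+)", line) for line in diff_text.splitlines())
    return [m.group(1) for m in found if m and m.group(1) != "/dev/null"]

def duplicated_targets(paths):
    """Group entries that name the same file under different leading directories.

    Heuristic: a path joins an earlier, shallower path when its trailing
    components equal that path ('pkg_1.0/src/a.c' joins 'src/a.c').
    Groups with more than one member are returned for manual review.
    """
    groups = defaultdict(list)
    # Stable sort, shallowest paths first, so they become the group keys.
    for path in sorted(paths, key=lambda p: p.count("/")):
        parts = path.split("/")
        key = next((k for k in groups
                    if parts[-len(k.split("/")):] == k.split("/")), path)
        groups[key].append(path)
    return {k: v for k, v in groups.items() if len(v) > 1}

if __name__ == "__main__":
    for key, members in duplicated_targets(LSDIFF_OUTPUT.split()).items():
        print(f"{key}: patched {len(members)} times -> {members}")
```

Feeding it `paths_from_diff(open("bug-68818.debdiff").read())` instead of the embedded listing runs the same check directly on a debdiff file.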
Martin Pitt (pitti) wrote :

Stephane, please set this back to 'in progress' when you have an updated patch. Thank you!

Stéphane Graber (stgraber) wrote :

New updated patch, removing the autoconf part (this flag wasn't used) and I fixed the duplicate thing (a copy of the patch was in the debian/patches/ directory).

Changed in squid:
status: Needs Info → In Progress
Martin Pitt (pitti) wrote :

Stephane,

+squid (2.6.1-3ubuntu1.3) edgy-proposed; urgency=low

You have to bump this to 1.4 and base your patch on the already existing

     squid | 2.6.1-3ubuntu1.3 | http://security.ubuntu.com edgy-security/main Sources

Patch is ok otherwise, so please upload with above correction.

Stéphane Graber (stgraber) wrote :

Ok, I've just done the changes

Martin Pitt (pitti) wrote :

Stephane, looks good. Please upload.

Martin Pitt (pitti) wrote :

Upload sponsored and accepted into edgy-proposed, please go ahead with QA testing.

Changed in squid:
status: In Progress → Fix Committed
Michael Vogt (mvo) wrote :

Thanks for your update.

Please include instructions on how to reproduce the bug. The policy says:
"Detailed instructions how to reproduce the bug. These should allow someone who is not familiar with the affected package to reproduce the bug and verify that the updated package fixes the problem."

I will be happy to do the verification once I have these instructions.

Thanks,
 Michael

Martin OConnor (martinoc) wrote : Re: [Bug 68818] Re: squid transparent proxy is broken

Setting the following in squid.conf before starting squid will reproduce this bug.

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on


Daniel Holbach (dholbach) wrote :

Martin OConnor: which version of Squid are you using? Do you still have the problem?

Changed in squid:
status: Fix Committed → Incomplete
Daniel Holbach (dholbach) wrote :

Marking the bug as Fix Released; please reopen the bug if you can follow up with more information.

Changed in squid:
status: Incomplete → Fix Released
Changed in squid:
status: Fix Released → Unknown
Changed in squid:
status: Unknown → Fix Released
Martin Pitt (pitti) wrote :

The package is still sitting in edgy-proposed, it is not in -updates yet. We need proper testing verification first.

Changed in squid:
status: Fix Released → Fix Committed
Kees Cook (kees) wrote :

This has been superseded by a security upload. Please remerge.

Changed in squid:
status: Fix Committed → Triaged
Kees Cook (kees) wrote :

Security debdiff attached...

Martin Pitt (pitti) wrote :

Can someone please test this? Martin OConnor?

This SRU is very old, and if it does not get verified I'll just remove it from -proposed due to obsolescence.

Martin OConnor (martinoc) wrote :

I can confirm that this now works. I have installed the version in
edgy-proposed and the transparent option now works.
Martin Pitt wrote:
| Can someone please test this? Martin OConnor?
|
| This SRU is very old, and if it does not get verified I'll just remove
| it from -proposed due to obsolescence.
|


Martin Pitt (pitti) wrote :

Reuploaded this patch on top of Kees' security update:

 squid (2.6.1-3ubuntu1.6) edgy-proposed; urgency=low
 .
   * Fix transparent proxies (LP: #68818).

Can you please test this version and give feedback here? Thanks!

Changed in squid:
status: Triaged → Fix Committed
Martin OConnor (martinoc) wrote :

squid 2.6.1-3ubuntu1.6 from edgy-proposed works as required as a transparent proxy

Martin Pitt (pitti) wrote :

Copied to edgy-updates. Thank you!

Changed in squid:
status: Fix Committed → Fix Released
Sunday Olutayo (solutayo) wrote :

" In package 2.6.1-3ubuntu1 , the transparent option in squid.conf is broken in Squid upstream version 2.6.RELEASE1. This has been fixed in 2.6.RELEASE2.

Recommend 2.6.RELEASE2 be added to edgy-backports."

Please how do I carry out the backporting?

Martin Pitt (pitti) wrote :

sadeeb [2009-01-20 12:08 -0000]:
> " In package 2.6.1-3ubuntu1 , the transparent option in squid.conf is
> broken in Squid upstream version 2.6.RELEASE1. This has been fixed in
> 2.6.RELEASE2.
>
> Recommend 2.6.RELEASE2 be added to edgy-backports."

edgy has not been supported since April 2008, so we will not do any
official backports for it any more. So if you are still running edgy,
you need to install your own package from upstream sources. However, I
urgently recommend you to upgrade to a supported Ubuntu release like
8.04 LTS.

Francesco Chemolli (kinkie) wrote :

As a further note, Squid 2.6 is not supported anymore by the Squid developers; the currently supported versions are 2.7.STABLE5 and 3.0.STABLE11.
If recompiling from source, we recommend choosing one of the two; which one depends on the needed features.
See http://wiki.squid-cache.org/FeatureComparison

Changed in squid:
importance: Unknown → Low