Ubuntu

squid transparent proxy is broken

Reported by Martin OConnor on 2006-10-28
16
Affects Status Importance Assigned to Milestone
Squid
Fix Released
Unknown
squid (Ubuntu)
High
Stéphane Graber
Edgy
High
Stéphane Graber

Bug Description

Binary package hint: squid

In package 2.6.1-3ubuntu1 , the transparent option in squid.conf is broken in Squid upstream version 2.6.RELEASE1. This has been fixed in 2.6.RELEASE2.

Recommend 2.6.RELEASE2 be added to edgy-backports.

Changed in squid:
status: Unknown → Fix Released
Kenneth Rawlings (rawlink) wrote :

I'll second this one. I replaced a gentoo server in my DMZ providing the squid transparent proxy and couldn't figure out why it wasn't working with my brand new "Edgy" install. It took me a while to track down that it was bug in squid and not a configuration error on my part. Refer to bug #1650 in the squid bug system.

James Troup (elmo) wrote :

We've just run into this at the allhands conference. There's a trivial workaround in the upstream bug (adding 'always_direct allow all' to the config). But this is a serious regression from dapper and really should be fixed in edgy updates if at all possible.

Changed in squid:
importance: Undecided → High
status: Unconfirmed → Confirmed
importance: Undecided → High
status: Unconfirmed → Confirmed
Martin OConnor (martinoc) wrote :

Using always_direct allow all, in most cases defeats the purpose of using a proxy. I have pinned to dapper for squid until this is fixed.

Daniel Fonseca (dalraf) wrote :

I have the same trouble here, anybody know a .deb that i can install without the bug ?

Stéphane Graber (stgraber) wrote :

As I've just had this issue on my local server, I quickly made a backport of Feisty packages.
They are available here : http://www.stgraber.org/download/ubuntu/packages/
And their use is of course at your own risks.

Changed in squid:
assignee: nobody → stgraber
Stéphane Graber (stgraber) wrote :

I have found a working patch attached to Squid Bug 1650.
I updated it a little bit to apply on the Ubuntu Edgy package and then made the attached debdiff, if someone can have a look at it.
(As it's for Edgy I didn't what distrib and what version to put, actually I took the previous record from the changelog which is edgy-security and -3ubuntu1.3, let me know if you want something else)

Changed in squid:
status: Confirmed → In Progress
Martin OConnor (martinoc) wrote :

Remember this is an upstream bug that was broken and has also been fixed upstream. Ideally, the upstream version of squid this package uses should be updated to a more recent version where the fix has been applied.

Stéphane Graber (stgraber) wrote :

Usually Ubuntu doesn't do a backport only for one bugfix if it's possible to isolate the patch and apply it to the current version of the package in Ubuntu (what I in fact did).

Changed in squid:
status: Confirmed → In Progress
Martin Pitt (pitti) wrote :

Fixed upstream in 2.6.5, thus fixed in Feisty.

Changed in squid:
status: In Progress → Fix Released
Changed in squid:
assignee: nobody → stgraber
Martin Pitt (pitti) wrote :

Stephane, please rework this patch a bit. First, I am not convinced that the autoconf changes are necessary. If debian/rules actually specifies this flag, then it should just be removed there (it has to be removed anyway if configure does not offer it any more).

Also, the dpatch seems broken, since it duplicates the patches:

$ lsdiff bug-68818.debdiff
squid_2.6.1/configure
squid_2.6.1/configure.in
squid_2.6.1/include/autoconf.h.in
squid_2.6.1/src/acl.c
squid_2.6.1/src/client_side.c
squid_2.6.1/src/structs.h
configure
configure.in
include/autoconf.h.in
src/acl.c
src/client_side.c
src/structs.h

The code parts of the upstream parts look reasonable.

Changed in squid:
status: In Progress → Needs Info
Martin Pitt (pitti) wrote :

Stephane, please set this back to 'in progress' when you have an updated patch. Thank you!

Stéphane Graber (stgraber) wrote :

New updated patch, removing the autoconf part (this flag wasn't used) and I fixed the duplicate thing (a copy of the patch was in the debian/patches/ directory).

Changed in squid:
status: Needs Info → In Progress
Martin Pitt (pitti) wrote :

Stephane,

+squid (2.6.1-3ubuntu1.3) edgy-proposed; urgency=low

You have to bump this to 1.4 and base your patch on the already existing

     squid | 2.6.1-3ubuntu1.3 | http://security.ubuntu.com edgy-security/main Sources

Patch is ok otherwise, so please upload with above correction.

Stéphane Graber (stgraber) wrote :

Ok, I've just done the changes

Martin Pitt (pitti) wrote :

Stephane, looks good. Please upload.

Martin Pitt (pitti) wrote :

Upload sponsored and accepted into edgy-proposed, please go ahead with QA testing.

Changed in squid:
status: In Progress → Fix Committed
Michael Vogt (mvo) wrote :

Thanks for your update.

Please include instructions how to reproduce the bug. The policy says:
"Detailled instructions how to reproduce the bug.- These should allow someone who is not familiar with the affected package to reproduce the bug and verify that the updated package fixes the problem."

I will be happy to do the verification once I have this instructions.

Thanks,
 Michael

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Setting the following in squid.conf before starting squid will reproduce
 this bug.

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGUxcdFEB3Y4u99PkRAtV9AKCG9jonrBiXv/lOg7duWE/KIDqEcgCfbye0
29K0EyBDTPV3Gvjd5d5sp+w=
=CfEi
-----END PGP SIGNATURE-----

Daniel Holbach (dholbach) wrote :

Martin OConnor: which version of Squid are you using? Do you still have the problem?

Changed in squid:
status: Fix Committed → Incomplete
Daniel Holbach (dholbach) wrote :

Marking the bug as fixed released, please reopen the bug, if you can follow up with more information.

Changed in squid:
status: Incomplete → Fix Released
Changed in squid:
status: Fix Released → Unknown
Changed in squid:
status: Unknown → Fix Released
Martin Pitt (pitti) wrote :

The package is still sitting in edgy-proposed, it is not in -updates yet. We need proper testing verification first.

Changed in squid:
status: Fix Released → Fix Committed
Kees Cook (kees) wrote :

This has been superseded by a security upload. Please remerge.

Changed in squid:
status: Fix Committed → Triaged
Kees Cook (kees) wrote :

Security debdiff attached...

Martin Pitt (pitti) wrote :

Can someone please test this? Martin OConnor?

This SRU is very old, and if it does not get verified I'll just remove it from -proposed due to obsolescence.

Martin OConnor (martinoc) wrote :

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I can confirm that this now works. I have installed the version in
edgy-proposed and the transparent option now works.
Martin Pitt wrote:
| Can someone please test this? Martin OConnor?
|
| This SRU is very old, and if it does not get verified I'll just remove
| it from -proposed due to obsolescence.
|

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkeGLlUACgkQFEB3Y4u99Pns8gCfagTvJOSpqA2BMKqRC4tgARrH
lxoAmwblTccIM4a3lT9m5wWE7UjjDjU6
=McFw
-----END PGP SIGNATURE-----

Martin Pitt (pitti) wrote :

Reuploaded this patch on top of Kees' security update:

 squid (2.6.1-3ubuntu1.6) edgy-proposed; urgency=low
 .
   * Fix transparent proxies (LP: #68818).

Can you please test this version and give feedback here? Thanks!

Changed in squid:
status: Triaged → Fix Committed
Martin OConnor (martinoc) wrote :

squid 2.6.1-3ubuntu1.6 from edgy-proposed works as required as a transparent proxy

Martin Pitt (pitti) wrote :

Copied to edgy-updates. Thank you!

Changed in squid:
status: Fix Committed → Fix Released
Sunday Olutayo (olutayo) wrote :

" In package 2.6.1-3ubuntu1 , the transparent option in squid.conf is broken in Squid upstream version 2.6.RELEASE1. This has been fixed in 2.6.RELEASE2.

Recommend 2.6.RELEASE2 be added to edgy-backports."

Please how do I carry out the backporting?

Martin Pitt (pitti) wrote :

sadeeb [2009-01-20 12:08 -0000]:
> " In package 2.6.1-3ubuntu1 , the transparent option in squid.conf is
> broken in Squid upstream version 2.6.RELEASE1. This has been fixed in
> 2.6.RELEASE2.
>
> Recommend 2.6.RELEASE2 be added to edgy-backports."

edgy has not been supported since April 2008, so we will not do any
official backports for it any more. So if you are still running edgy,
you need to install your own package from upstream sources. However, I
urgently recommend you to upgrade to a supported Ubuntu release like
8.04 LTS.

Francesco Chemolli (kinkie) wrote :

As a further note, Squid 2.6 is not supported anymore by the Squid developers; the currently supported versions are 2.7.STABLE5 and 3.0.STABLE11.
If recompilation from source, we recommend to choose one of the two - which one depends on the needed features.
See http://wiki.squid-cache.org/FeatureComparison

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.