Squid: 6.13 -> 7.0.1 (#384972)

doc/release-notes/rl-2505.section.md

@@ -4,6 +4,13 @@
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
+- `services.rippled` has been removed, as `rippled` was broken and had not been updated since 2022.
+
+- `services.rippleDataApi` has been removed, as `ripple-data-api` was broken and had not been updated since 2022.
+
+- `squid` has been updated to version 7, this release includes multiple breaking changes, like ESI removal.
+  For more information, [check the release notes](https://github.com/squid-cache/squid/releases/tag/SQUID_7_0_1).
+
 - The [`no-broken-symlinks` hook](https://nixos.org/manual/nixpkgs/unstable/#no-broken-symlinks.sh) was added to catch builds containing dangling or reflexive symlinks, as these are indicative of problems with packaging.
   The hook can be disabled by providing `dontCheckForBrokenSymlinks = true;` as an argument to `mkDerivation`.
   For more information, [check the docs](https://nixos.org/manual/nixpkgs/unstable/#no-broken-symlinks.sh) or [see this PR](https://github.com/NixOS/nixpkgs/pull/370750).

nixos/modules/services/networking/squid.nix

@@ -67,7 +67,7 @@ let
     http_access deny to_localhost
 
     # Application logs to syslog, access and store logs have specific files
-    cache_log       syslog
+    cache_log       stdio:/var/log/squid/cache.log
     access_log      stdio:/var/log/squid/access.log
     cache_store_log stdio:/var/log/squid/store.log
 

nixos/tests/squid.nix

@@ -56,6 +56,24 @@ import ./make-test-python.nix (
           {
             virtualisation.vlans = [ 1 ];
             networking.firewall.enable = true;
+
+            # NOTE: the client doesn't need a HTTP server, this is here to allow a validation of the proxy acl
+            networking.firewall.allowedTCPPorts = [ 80 ];
+
+            services.nginx = {
+              enable = true;
+
+              virtualHosts."server" = {
+                root = "/etc";
+                locations."/".index = "hostname";
+                listen = [
+                  {
+                    addr = "0.0.0.0";
+                    port = 80;
+                  }
+                ];
+              };
+            };
           }
         ];
 
@@ -68,6 +86,8 @@ import ./make-test-python.nix (
         lib.mkMerge [
           commonConfig
           {
+            nixpkgs.config.permittedInsecurePackages = [ "squid-7.0.1" ];
+
             virtualisation.vlans = [
               1
               2
@@ -75,10 +95,6 @@ import ./make-test-python.nix (
             networking.firewall.enable = true;
             networking.firewall.allowedTCPPorts = [ config.services.squid.proxyPort ];
 
-            nixpkgs.config.permittedInsecurePackages = [
-              "squid-6.12"
-            ];
-
             services.squid = {
               enable = true;
 
@@ -86,6 +102,7 @@ import ./make-test-python.nix (
                 acl client src ${clientIp}
                 acl server dst ${serverIp}
                 http_access allow client server
+                http_access deny all
               '';
             };
           }
@@ -157,9 +174,15 @@ import ./make-test-python.nix (
 
         with subtest("HTTP"):
             # the client cannot reach the server directly over HTTP
-            client.fail('[[ `timeout 3 curl http://${serverIp}` ]]')
+            client.fail('[[ `timeout 3 curl --fail-with-body http://${serverIp}` ]]')
             # ... but can with the proxy
-            client.succeed('[[ `timeout 3 curl --proxy http://${proxyInternalIp}:3128 http://${serverIp}` == "server" ]]')
+            client.succeed('[[ `timeout 3 curl --fail-with-body --proxy http://${proxyInternalIp}:3128 http://${serverIp}` == "server" ]]')
+            # and cannot from the server (with a 4xx error code) and ...
+            server.fail('[[ `timeout 3 curl --fail-with-body --proxy http://${proxyExternalIp}:3128 http://${clientIp}` == "client" ]]')
+            # .. not the client hostname
+            server.fail('[[ `timeout 3 curl --proxy http://${proxyExternalIp}:3128 http://${clientIp}` == "client" ]]')
+            # with an explicit deny message (no --fail because we want to parse the returned message)
+            server.succeed('[[ `timeout 3 curl --proxy http://${proxyExternalIp}:3128 http://${clientIp}` == *"ERR_ACCESS_DENIED"* ]]')
       '';
   }
 )

pkgs/by-name/sq/squid/package.nix

@@ -14,20 +14,19 @@
   pkg-config,
   systemd,
   cppunit,
-  esi ? false,
   ipv6 ? true,
   nixosTests,
 }:
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "squid";
-  version = "6.13";
+  version = "7.0.1";
 
   src = fetchurl {
     url = "https://github.com/squid-cache/squid/releases/download/SQUID_${
       builtins.replaceStrings [ "." ] [ "_" ] finalAttrs.version
     }/squid-${finalAttrs.version}.tar.xz";
-    hash = "sha256-Iy4FZ5RszAEVZTw8GPAeg/LZzEnEPZ3q2LMZrws1rVI=";
+    hash = "sha256-Bw3Y5iGtItRdcAYF6xnSysG2zae3PwTzRXjTw/2N35s=";
   };
 
   nativeBuildInputs = [ pkg-config ];
@@ -62,7 +61,6 @@ stdenv.mkDerivation (finalAttrs: {
       "--enable-htcp"
     ]
     ++ (if ipv6 then [ "--enable-ipv6" ] else [ "--disable-ipv6" ])
-    ++ lib.optional (!esi) "--disable-esi"
     ++ lib.optional (
       stdenv.hostPlatform.isLinux && !stdenv.hostPlatform.isMusl
     ) "--enable-linux-netfilter";
@@ -81,6 +79,20 @@ stdenv.mkDerivation (finalAttrs: {
         --replace "$(type -P true)" "$(realpath fake-true)" \
         --replace "/bin/true" "$(realpath fake-true)"
     done
+
+    cd test-suite/
+  '';
+
+  installPhase = ''
+    runHook preInstall
+    mkdir -p $out/bin $out/libexec $out/etc $out/share
+    cd ..
+    cp src/squid $out/bin
+    cp src/unlinkd $out/libexec
+    cp src/mime.conf.default $out/etc/mime.conf
+    cp -r icons $out/share
+    cp -r errors $out/share
+    runHook postInstall
   '';
 
   passthru.tests.squid = nixosTests.squid;