118 lines
3.2 KiB
Nix
118 lines
3.2 KiB
Nix
{
|
|
lib,
|
|
stdenv,
|
|
fetchurl,
|
|
perl,
|
|
openldap,
|
|
pam,
|
|
db,
|
|
cyrus_sasl,
|
|
libcap,
|
|
expat,
|
|
libxml2,
|
|
openssl,
|
|
pkg-config,
|
|
systemd,
|
|
cppunit,
|
|
ipv6 ? true,
|
|
nixosTests,
|
|
fetchpatch,
|
|
}:
|
|
stdenv.mkDerivation (finalAttrs: {
|
|
pname = "squid";
|
|
version = "7.2";
|
|
|
|
src = fetchurl {
|
|
url = "https://github.com/squid-cache/squid/releases/download/SQUID_${
|
|
builtins.replaceStrings [ "." ] [ "_" ] finalAttrs.version
|
|
}/squid-${finalAttrs.version}.tar.xz";
|
|
hash = "sha256-Xgd74dg6nmls6NDZ5yOxJzFSIHoJFAS+aKS5qeGMcAM=";
|
|
};
|
|
|
|
patches = lib.optional (lib.versionOlder finalAttrs.version "7.2.0") (fetchpatch {
|
|
# Merged upstream PR; fixes the issue of rejecting domain names starting with digits
|
|
# To remove when 7.3 is released (or 7.2.1, but that doesn't seem likely)
|
|
url = "https://patch-diff.githubusercontent.com/raw/squid-cache/squid/pull/2283.patch";
|
|
hash = "sha256-HLGmzrAH5y1sFfFnVeeegRihyn+N7csGX9lVqmCDIHc=";
|
|
});
|
|
|
|
nativeBuildInputs = [ pkg-config ];
|
|
buildInputs = [
|
|
perl
|
|
openldap
|
|
db
|
|
cyrus_sasl
|
|
expat
|
|
libxml2
|
|
openssl
|
|
]
|
|
++ lib.optionals stdenv.hostPlatform.isLinux [
|
|
libcap
|
|
pam
|
|
systemd
|
|
];
|
|
|
|
enableParallelBuilding = true;
|
|
|
|
configureFlags = [
|
|
"--disable-strict-error-checking"
|
|
"--disable-arch-native"
|
|
"--with-openssl"
|
|
"--enable-ssl-crtd"
|
|
"--enable-storeio=ufs,aufs,diskd,rock"
|
|
"--enable-removal-policies=lru,heap"
|
|
"--enable-delay-pools"
|
|
"--enable-x-accelerator-vary"
|
|
"--enable-htcp"
|
|
]
|
|
++ (if ipv6 then [ "--enable-ipv6" ] else [ "--disable-ipv6" ])
|
|
++ lib.optional (
|
|
stdenv.hostPlatform.isLinux && !stdenv.hostPlatform.isMusl
|
|
) "--enable-linux-netfilter";
|
|
|
|
doCheck = true;
|
|
nativeCheckInputs = [ cppunit ];
|
|
preCheck = ''
|
|
# tests attempt to copy around "/bin/true" to make some things
|
|
# no-ops but this doesn't work if our "true" is a multi-call
|
|
# binary, so make our own fake "true" which will work when used
|
|
# this way
|
|
echo "#!$SHELL" > fake-true
|
|
chmod +x fake-true
|
|
grep -rlF '/bin/true' test-suite/ | while read -r filename ; do
|
|
substituteInPlace "$filename" \
|
|
--replace "$(type -P true)" "$(realpath fake-true)" \
|
|
--replace "/bin/true" "$(realpath fake-true)"
|
|
done
|
|
|
|
cd test-suite/
|
|
'';
|
|
|
|
# exit from test-suite/ dir back to src root for correct makefile
|
|
postCheck = ''
|
|
cd ..
|
|
'';
|
|
|
|
# remove unusual nixos paths (pre-made /var dirs, config grammar) and rename sbin output
|
|
postInstall = ''
|
|
rm -r $out/var
|
|
rm $out/share/mib.txt
|
|
mv $out/sbin $out/bin
|
|
'';
|
|
|
|
passthru.tests.squid = nixosTests.squid;
|
|
|
|
meta = with lib; {
|
|
description = "Caching proxy for the Web supporting HTTP, HTTPS, FTP, and more";
|
|
homepage = "http://www.squid-cache.org";
|
|
license = licenses.gpl2Plus;
|
|
platforms = platforms.linux;
|
|
maintainers = with maintainers; [ raskin ];
|
|
# In the past, it has been brought up that Squid had many security vulnerabilities
|
|
# (see https://megamansec.github.io/Squid-Security-Audit/). As of version 7.0,
|
|
# all of them have been solved, as tracked in their GitHub Security page:
|
|
# https://github.com/squid-cache/squid/security
|
|
knownVulnerabilities = [ ];
|
|
};
|
|
})
|