commit fe36c0e0458a8c2898f370e4e970604a9cbea853 · pyrox.dev/nixpkgs

doc/release-notes/rl-2505.section.md

···

       4
       4
        
       

     

       5
       5
        
       <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

     

       6
       6
        
       

     

       7
       7
       +
       - `services.rippled` has been removed, as `rippled` was broken and had not been updated since 2022.

     

       8
       8
       +
       

     

       9
       9
       +
       - `services.rippleDataApi` has been removed, as `ripple-data-api` was broken and had not been updated since 2022.

     

       10
       10
       +
       

     

       11
       11
       +
       - `squid` has been updated to version 7, this release includes multiple breaking changes, like ESI removal.

     

       12
       12
       +
         For more information, [check the release notes](https://github.com/squid-cache/squid/releases/tag/SQUID_7_0_1).

     

       13
       13
       +
       

     

       7
       14
        
       - The [`no-broken-symlinks` hook](https://nixos.org/manual/nixpkgs/unstable/#no-broken-symlinks.sh) was added to catch builds containing dangling or reflexive symlinks, as these are indicative of problems with packaging.

     

       8
       15
        
         The hook can be disabled by providing `dontCheckForBrokenSymlinks = true;` as an argument to `mkDerivation`.

     

       9
       16
        
         For more information, [check the docs](https://nixos.org/manual/nixpkgs/unstable/#no-broken-symlinks.sh) or [see this PR](https://github.com/NixOS/nixpkgs/pull/370750).

+1 -1

nixos/modules/services/networking/squid.nix

···

       67
       67
        
           http_access deny to_localhost

     

       68
       68
        
       

     

       69
       69
        
           # Application logs to syslog, access and store logs have specific files

     

       70
       70
       -
           cache_log       syslog

     

       70
       70
       +
           cache_log       stdio:/var/log/squid/cache.log

     

       71
       71
        
           access_log      stdio:/var/log/squid/access.log

     

       72
       72
        
           cache_store_log stdio:/var/log/squid/store.log

     

       73
       73

+29 -6

nixos/tests/squid.nix

···

       56
       56
        
                 {

     

       57
       57
        
                   virtualisation.vlans = [ 1 ];

     

       58
       58
        
                   networking.firewall.enable = true;

     

       59
       59
       +
       

     

       60
       60
       +
                   # NOTE: the client doesn't need a HTTP server, this is here to allow a validation of the proxy acl

     

       61
       61
       +
                   networking.firewall.allowedTCPPorts = [ 80 ];

     

       62
       62
       +
       

     

       63
       63
       +
                   services.nginx = {

     

       64
       64
       +
                     enable = true;

     

       65
       65
       +
       

     

       66
       66
       +
                     virtualHosts."server" = {

     

       67
       67
       +
                       root = "/etc";

     

       68
       68
       +
                       locations."/".index = "hostname";

     

       69
       69
       +
                       listen = [

     

       70
       70
       +
                         {

     

       71
       71
       +
                           addr = "0.0.0.0";

     

       72
       72
       +
                           port = 80;

     

       73
       73
       +
                         }

     

       74
       74
       +
                       ];

     

       75
       75
       +
                     };

     

       76
       76
       +
                   };

     

       59
       77
        
                 }

     

       60
       78
        
               ];

     

       61
       79
        
       

     
···

       68
       86
        
               lib.mkMerge [

     

       69
       87
        
                 commonConfig

     

       70
       88
        
                 {

     

       89
       89
       +
                   nixpkgs.config.permittedInsecurePackages = [ "squid-7.0.1" ];

     

       90
       90
       +
       

     

       71
       91
        
                   virtualisation.vlans = [

     

       72
       92
        
                     1

     

       73
       93
        
                     2

     
···

       75
       95
        
                   networking.firewall.enable = true;

     

       76
       96
        
                   networking.firewall.allowedTCPPorts = [ config.services.squid.proxyPort ];

     

       77
       97
        
       

     

       78
       78
       -
                   nixpkgs.config.permittedInsecurePackages = [

     

       79
       79
       -
                     "squid-6.12"

     

       80
       80
       -
                   ];

     

       81
       81
       -
       

     

       82
       98
        
                   services.squid = {

     

       83
       99
        
                     enable = true;

     

       84
       100
        
       

     
···

       86
       102
        
                       acl client src ${clientIp}

     

       87
       103
        
                       acl server dst ${serverIp}

     

       88
       104
        
                       http_access allow client server

     

       105
       105
       +
                       http_access deny all

     

       89
       106
        
                     '';

     

       90
       107
        
                   };

     

       91
       108
        
                 }

     
···

       157
       174
        
       

     

       158
       175
        
               with subtest("HTTP"):

     

       159
       176
        
                   # the client cannot reach the server directly over HTTP

     

       160
       160
       -
                   client.fail('[[ `timeout 3 curl http://${serverIp}` ]]')

     

       177
       177
       +
                   client.fail('[[ `timeout 3 curl --fail-with-body http://${serverIp}` ]]')

     

       161
       178
        
                   # ... but can with the proxy

     

       162
       162
       -
                   client.succeed('[[ `timeout 3 curl --proxy http://${proxyInternalIp}:3128 http://${serverIp}` == "server" ]]')

     

       179
       179
       +
                   client.succeed('[[ `timeout 3 curl --fail-with-body --proxy http://${proxyInternalIp}:3128 http://${serverIp}` == "server" ]]')

     

       180
       180
       +
                   # and cannot from the server (with a 4xx error code) and ...

     

       181
       181
       +
                   server.fail('[[ `timeout 3 curl --fail-with-body --proxy http://${proxyExternalIp}:3128 http://${clientIp}` == "client" ]]')

     

       182
       182
       +
                   # .. not the client hostname

     

       183
       183
       +
                   server.fail('[[ `timeout 3 curl --proxy http://${proxyExternalIp}:3128 http://${clientIp}` == "client" ]]')

     

       184
       184
       +
                   # with an explicit deny message (no --fail because we want to parse the returned message)

     

       185
       185
       +
                   server.succeed('[[ `timeout 3 curl --proxy http://${proxyExternalIp}:3128 http://${clientIp}` == *"ERR_ACCESS_DENIED"* ]]')

     

       163
       186
        
             '';

     

       164
       187
        
         }

     

       165
       188
        
       )

+16 -4

pkgs/by-name/sq/squid/package.nix

···

       14
       14
        
         pkg-config,

     

       15
       15
        
         systemd,

     

       16
       16
        
         cppunit,

     

       17
       17
       -
         esi ? false,

     

       18
       17
        
         ipv6 ? true,

     

       19
       18
        
         nixosTests,

     

       20
       19
        
       }:

     

       21
       20
        
       

     

       22
       21
        
       stdenv.mkDerivation (finalAttrs: {

     

       23
       22
        
         pname = "squid";

     

       24
       24
       -
         version = "6.13";

     

       23
       23
       +
         version = "7.0.1";

     

       25
       24
        
       

     

       26
       25
        
         src = fetchurl {

     

       27
       26
        
           url = "https://github.com/squid-cache/squid/releases/download/SQUID_${

     

       28
       27
        
             builtins.replaceStrings [ "." ] [ "_" ] finalAttrs.version

     

       29
       28
        
           }/squid-${finalAttrs.version}.tar.xz";

     

       30
       30
       -
           hash = "sha256-Iy4FZ5RszAEVZTw8GPAeg/LZzEnEPZ3q2LMZrws1rVI=";

     

       29
       29
       +
           hash = "sha256-Bw3Y5iGtItRdcAYF6xnSysG2zae3PwTzRXjTw/2N35s=";

     

       31
       30
        
         };

     

       32
       31
        
       

     

       33
       32
        
         nativeBuildInputs = [ pkg-config ];

     
···

       62
       61
        
             "--enable-htcp"

     

       63
       62
        
           ]

     

       64
       63
        
           ++ (if ipv6 then [ "--enable-ipv6" ] else [ "--disable-ipv6" ])

     

       65
       65
       -
           ++ lib.optional (!esi) "--disable-esi"

     

       66
       64
        
           ++ lib.optional (

     

       67
       65
        
             stdenv.hostPlatform.isLinux && !stdenv.hostPlatform.isMusl

     

       68
       66
        
           ) "--enable-linux-netfilter";

     
···

       81
       79
        
               --replace "$(type -P true)" "$(realpath fake-true)" \

     

       82
       80
        
               --replace "/bin/true" "$(realpath fake-true)"

     

       83
       81
        
           done

     

       82
       82
       +
       

     

       83
       83
       +
           cd test-suite/

     

       84
       84
       +
         '';

     

       85
       85
       +
       

     

       86
       86
       +
         installPhase = ''

     

       87
       87
       +
           runHook preInstall

     

       88
       88
       +
           mkdir -p $out/bin $out/libexec $out/etc $out/share

     

       89
       89
       +
           cd ..

     

       90
       90
       +
           cp src/squid $out/bin

     

       91
       91
       +
           cp src/unlinkd $out/libexec

     

       92
       92
       +
           cp src/mime.conf.default $out/etc/mime.conf

     

       93
       93
       +
           cp -r icons $out/share

     

       94
       94
       +
           cp -r errors $out/share

     

       95
       95
       +
           runHook postInstall

     

       84
       96
        
         '';

     

       85
       97
        
       

     

       86
       98
        
         passthru.tests.squid = nixosTests.squid;