URL filtering solution for squid
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 

366 lines
13 KiB

# ufdbGuard.spec.CentOS7
%global _hardened_build 1
%global version 1.33.5
# no stripping of the binaries
%global __os_install_post %{nil}
%define debug_package %{nil}
%define __strip /bin/true
### %__global_cflags -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches %{_hardened_cflags} %{_performance_cflags}
%define __global_cflags -O2 -g -pipe -Wall -grecord-gcc-switches %{_hardened_cflags} %{_performance_cflags}
Name: ufdbGuard
Version: 1.33.6rc1
Release: 0.beta1%{?dist}
Summary: ufdbGuard is a URL filter for Squid
License: GNU General Public License v2.0 only
Group: Internet/Proxy
# FHS says no package may have files under /usr/local nor /opt
# Prefix: /usr/local/ufdbguard
Prefix: /usr
Provides: ufdbguardd
Provides: ufdbgclient
Provides: ufdbhttpd
Provides: ufdbsignal
Provides: ufdb-pstack
Provides: ufdbpeek
Provides: ufdbGenTable, ufdbConvertDB
Provides: ufdbUpdate
Provides: ufdbAnalyse
Provides: ufdb_analyse_urls, ufdb_analyse_users, ufdb_top_urls, ufdb_top_users
URL: http://www.urlfilterdb.com/
# The sources for many versions of ufdbGuard are on sourceforge.net (Source0)
# The latest version can also be downloaded from URLfilterDB (Source1)
Source: https://www.urlfilterdb.com/files/downloads/%{name}-%{version}.tar.gz
# Source0: http://sourceforge.net/projects/ufdbguard/
# Source1: http://www.urlfilterdb.com/en/downloads/software_doc.html
# Buildroot: /local/src/ufdbGuard-%{version}
# Buildroot: .
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot-%(%{__id_u} -n)
# required packages for ufdbguardd
Requires: glibc >= 2.17
Requires: openssl >= 1.0.1e
Requires: bzip2-libs >= 1.0.6
Requires: zlib >= 1.2.7
# required packages for ufdbUpdate
Requires: wget >= 1.14
Requires: tar, gzip
# require packages for ufdb-pstack
Requires: gdb >= 7.6.1
# Requires: yum-utils >= 1.1.31
# required packages for installation
# Requires: at
# required packages for analysis scripts
Requires: perl
%global __requires_exclude %{?__requires_exclude}|perl\\(CGI::|perl\\(FCGI::
# squid is required but may be installed from source and not using an RPM,
# or ufdbguard is used on a system where squid is not installed.
# Requires: squid
Buildrequires: openssl-devel >= 1.0.1e
Buildrequires: bzip2-devel >= 1.0.6
Buildrequires: zlib-devel >= 1.2.7
Buildrequires: make, gcc, bison, flex
Buildrequires: bind-utils
# TODO: %_initddir is macro for /etc/rc.d/init.d
Requires(post): chkconfig
Requires(preun): chkconfig
Requires(preun): initscripts
Requires(pre): shadow-utils
%description
ufdbGuard is a free URL filter for Squid with additional features like
SafeSearch enforcement for a large number of search engines, safer HTTPS
visits and dynamic detection of proxies (URL filter circumventors).
ufdbGuard supports free and commercial URL databases that can be
downloaded from various sites and vendors.
You can also make your own URL database for ufdbGuard.
%post
echo >&2
echo "ufdbGuard is installed." >&2
echo "See the Reference Manual for further instructions and configuration." >&2
echo "Seek help at https://www.urlfilterdb.com in case you have a question or an issue." >&2
echo >&2
job=`grep ufdbUpdate /var/spool/cron/* 2>/dev/null | grep -v "^#" `
if [ "$job" = "" ]
then
echo "There is not yet a cron job for ufdbUpdate *****" >&2
echo >&2
fi
# This adds the proper /etc/rc*.d links for the script
/sbin/chkconfig --add ufdb
#
# echo "#!/bin/sh" > /tmp/ufdb.postinstall
# echo "echo Updating debuginfo ..." >> /tmp/ufdb.postinstall
# echo "debuginfo-install -y -q glibc >/dev/null 2>&1" >> /tmp/ufdb.postinstall
# echo "debuginfo-install -y -q zlib >/dev/null 2>&1" >> /tmp/ufdb.postinstall
# echo "debuginfo-install -y -q bzip2 >/dev/null 2>&1" >> /tmp/ufdb.postinstall
# echo "debuginfo-install -y -q openssl >/dev/null 2>&1" >> /tmp/ufdb.postinstall
# chmod +x /tmp/ufdb.postinstall
# #
# echo "The installation of the ufdbGuard package is almost finished." >&2
# echo "Execute /tmp/ufdb.postinstall to update debuginfo for glibc, zlib, bzip2 and openssl. *****" >&2
# echo >&2
/usr/bin/sh >/tmp/ufdbguardd.postinstall.log 2>&1 <<EOF &
sleep 180
debuginfo-install -y -q glibc >/dev/null 2>&1
debuginfo-install -y -q zlib >/dev/null 2>&1
debuginfo-install -y -q bzip2 >/dev/null 2>&1
debuginfo-install -y -q openssl >/dev/null 2>&1
EOF
#
# TODO: run check_dns
%preun
if [ $1 = 0 ] ; then
/sbin/service ufdb stop >/dev/null 2>&1
/sbin/chkconfig --del ufdb
fi
# for pre-F13:
%clean
[ %{buildroot} != "/" ] && echo rm -rf %{buildroot}
# ufdbGuard is installed with user ufdb and group ufdb
%pre
# set -x
getent group ufdb >/dev/null || groupadd -r ufdb
getent passwd ufdb >/dev/null || \
useradd -r -g ufdb -d /var/ufdbguard -M -s /usr/bin/sh \
-c "ufdbGuard URL filter" ufdb
exit 0
%prep
# echo prep in %{buildroot}
# set -x
# TODO %setup -q
%setup -q
%build
echo build in `pwd`
%configure \
--with-ufdb-user=ufdb \
--prefix=/usr \
--with-ufdb-bindir=/usr/sbin \
--with-ufdb-piddir=/var/run/ufdbguard \
--with-ufdb-mandir=/usr/share/man \
--with-ufdb-images_dir=/var/ufdbguard/images \
--with-ufdb-logdir=/var/ufdbguard/logs \
--with-ufdb-samplesdir=/var/ufdbguard/samples \
--with-ufdb-config=/etc/ufdbguard \
--with-ufdb-dbhome=/var/ufdbguard/blacklists
%{__make} %{?_smp_mflags}
%install
# echo install
# env
[ %{buildroot} != "/" ] && rm -rf %{buildroot}
%{__make} DESTDIR=%{buildroot} mkdirsredhatcentos install
# the install makes a backup of the conf file that we do not want in the package
rm -f %{buildroot}/etc/ufdbguard/ufdbGuard.conf.pre-v1.*
# echo
# echo "The configuration file of ufdbGuard is /etc/ufdbguard/ufdbGuard.conf"
# echo "The system configuration file for the ufdbGuard Software Suite is /etc/sysconfig/ufdbguard"
# ufdbsignal is suid-root since it must be able to send a signal to ufdbguardd.
# ufdbsignal is a very simple program which checks the uid to see if the user is permitted to send a signal.
# ufdbsignal reads the pid from /var/run/ufdbguardd/ufdbguardd.pid.
%verifyscript
if [ ! -f /etc/sysconfig/ufdbguard ]
then
echo "/etc/sysconfig/ufdbguard does not exist." >&2
else
eval `grep "^DOWNLOAD_USER=" /etc/sysconfig/ufdbguard`
if [ "$DOWNLOAD_USER" = "" ]
then
echo "The username for periodical downloads of the URL database is not set." >&2
echo "Edit /etc/sysconfig/ufdbguard and set DOWNLOAD_USER and DOWNLOAD_PASSWORD." >&2
else
echo "DOWNLOAD_USER is set to $DOWNLOAD_USER in /etc/sysconfig/ufdbguard"
fi
fi
if [ ! -f /etc/ufdbguard/ufdbGuard.conf ]
then
echo "/etc/ufdbguard/ufdbGuard.conf does not exist."
else
set -- `grep ^dbhome /etc/ufdbguard/ufdbGuard.conf`
# must get rid of quotes or else "if [ ! -d $DBDIR ]" fails :-(
DBDIR=`echo ${2:-notset} | sed -e 's,",,g' `
if [ $DBDIR = notset ]
then
DBDIR=/var/ufdbguard/blacklists
echo "/etc/ufdbguard/ufdbGuard.conf: dbhome is not set" >&2
echo "Using default value for dbhome: $DBDIR" >&2
fi
if [ ! -d $DBDIR ]
then
echo "/etc/ufdbguard/ufdbGuard.conf: dbhome $DBDIR: directory does not exist" >&2
else
if [ ! -d $DBDIR/adult -o ! -d $DBDIR/checked ]
then
echo "/etc/ufdbguard/ufdbGuard.conf: dbhome $DBDIR:" >&2
echo "The directory for the URL database does not contain subdirectories for adult and/or checked." >&2
echo "This means that the URL database of URLfilterDB is not used." >&2
echo "If you intend to use the URL database of URLfilterDB, make sure that " >&2
echo "\"ufdbUpdate [-v]\" runs without errors to download the URL database." >&2
echo "See the Reference Manual for more information." >&2
fi
fi
fi
exit 0
%postun
job=`grep ufdbUpdate /var/spool/cron/* 2>/dev/null | grep -v "^#" `
if [ "$job" != "" ]
then
echo "Note: there is still a cron job for ufdbUpdate." >&2
fi
exit 0
# %config
# /etc/sysconfig/ufdbguard
# /etc/ufdbguard/ufdbGuard.conf
%files
%defattr(-,root,root,-)
/etc/init.d/ufdb
%config(noreplace) %attr(-,ufdb,ufdb) /etc/sysconfig/ufdbguard
%config(noreplace) %attr(-,ufdb,ufdb) /etc/ufdbguard/ufdbGuard.conf
/var/ufdbguard/images/default.flv
/var/ufdbguard/images/default.mp3
/var/ufdbguard/images/default.mpeg
/var/ufdbguard/images/default.wmv
/var/ufdbguard/images/forbidden-normal-de.png
/var/ufdbguard/images/forbidden-normal-en.png
/var/ufdbguard/images/forbidden-normal-es.png
/var/ufdbguard/images/forbidden-normal-fr.png
/var/ufdbguard/images/forbidden-normal-it.png
/var/ufdbguard/images/forbidden-normal-nl.png
/var/ufdbguard/images/forbidden-normal-pl.png
/var/ufdbguard/images/forbidden-normal-pt.png
/var/ufdbguard/images/forbidden-normal-sv.png
/var/ufdbguard/images/forbidden-normal-tr.png
/var/ufdbguard/images/no-ads.png
/var/ufdbguard/images/smallcross.png
/var/ufdbguard/images/square.png
/var/ufdbguard/images/transparent.png
/var/ufdbguard/samples/execdomainlist.sh
/var/ufdbguard/samples/execuserlist.sh
/var/ufdbguard/samples/URLblocked.cgi
/usr/sbin/ufdb-pstack
/usr/sbin/ufdbAnalyse
/usr/sbin/ufdbConvertDB
/usr/sbin/ufdbGenTable
/usr/sbin/ufdbUpdate
/usr/sbin/ufdb_analyse_urls
/usr/sbin/ufdb_analyse_users
/usr/sbin/ufdb_top_urls
/usr/sbin/ufdb_top_users
/usr/sbin/ufdbgclient
/usr/sbin/ufdbguardd
/usr/sbin/ufdbhttpd
%attr(4755,root,root) /usr/sbin/ufdbsignal
/usr/share/man/man1/ufdb_analyse_urls.1
/usr/share/man/man1/ufdb_analyse_users.1
/usr/share/man/man1/ufdb_top_urls.1
/usr/share/man/man1/ufdb_top_users.1
/usr/share/man/man1/ufdbAnalyse.1
/usr/share/man/man8/ufdbgclient.8
/usr/share/man/man8/ufdbguardd.8
/usr/share/man/man8/ufdbhttpd.8
/usr/share/man/man8/ufdbupdate.8
%dir %attr(-,ufdb,ufdb) /var/ufdbguard/blacklists
%dir %attr(-,ufdb,ufdb) /var/ufdbguard/blacklists/security
# The cacerts get updated by ufdbUpdate:
%verify(not md5 size mtime) %attr(644,ufdb,ufdb) /var/ufdbguard/blacklists/security/cacerts
# log files go to /var/ufdbguard/logs
%dir %attr(-,ufdb,ufdb) /var/ufdbguard/logs
# pid files go to /var/run/ufdbguard
%dir %attr(755,ufdb,ufdb) /var/run/ufdbguard
%doc README CHANGELOG
# TODO
%changelog
* Thu May 24 2018 Daniel Berteaud <daniel@firewall-services.com> 1.33.6rc1-0.beta1
- update to 1.33.6rc1
* Wed May 09 2018 Daniel Berteaud <daniel@firewall-services.com> 1.33.5-1
- git-annex in
dani@germaine.lapiole.org:~/big/e-smith/files/users/dani/src/ufdbGuard
(daniel@firewall-services.com)
* Thu Apr 19 2018 Marcus Kool <marcus-dot-kool@urlfilterdb.com> - 1.33.5
Fix: ufdbguardd may crash during a database refresh
Fix: empty pass statements in acls may cause a crash.
Fix: SSH tunnels were detected but access was not blocked
Fix: sometimes the SSL/TLS certificate was not checked to be signed by a CA
Fix: skip acls with "pass any" if the source has the continue flag set
* Thu Sep 21 2017 Marcus Kool <marcus-dot-kool@urlfilterdb.com> - 1.33.4
Fix: URLs with very long domainnames may cause a crash if the URL is not in the URL database
Fix: ufdbguardd did not obey 'continue' inside a source
Fix: the logfile did not not contain "PASS URL" for all allowed URLs
Fix: suppress another warning by ufdbGenTable if the -q option is used
Fix: execuserlist with large arguments cannot be cached
Fix: ufdbguardd sometimes does not use the correct source for its decision
Fix: in-addr also matched URLs without an IP address
Configuration: the option squid-uses-active-bumping was missing in the default configuration file
* Tue Jun 6 2017 Marcus Kool <marcus-dot-kool@urlfilterdb.com> - 1.33.3
Fix: ufdbgclient truncates Squid request lines to 8K which means that very long URLs cannot be filtered
Fix: ufdbGenTable erroneously warned about URLs inside a comment
Fix: make ufdbGuard compile on FreeBSD
Fix: when evaluate-and IPv4/6 is used in a source definition, the source may not matched
Fix: ufdbguardd did not accept the IPv6 address '::'
Enhancement: several warnings for IPv4 and IPv6 addresses inside a source were implemented
* Tue May 23 2017 Marcus Kool <marcus-dot-kool@urlfilterdb.com> - 1.33.2
Fix: ufdbguardd may incorrectly abort with a fatal error cannot-get-rwlock-for-database-refresh-after-many-attempts
Fix: safesearch did not work in 2 out of 3 cases
Fix: ufdbguard did not compile on FreeBSD.
Fix: crash due to stack overwrite in uploadStatistics/logStatistics
Documentation: added use-ipv6-on-wan option to Reference Manual
* Wed Mar 15 2017 Marcus Kool <marcus-dot-kool@urlfilterdb.com> - 1.33.1
Enhancement: IPv6 support for sources with new keywords ipv6 and ipv6list
Enhancement: detect certificates of ucweb.com and uc.cn of the ucweb browser that circumvents URL filters
Enhancement: ufdbgclient has new -m parameter to use multithreading and improve performance
Enhancement: make ufdbguardd.pid world-readable
Enhancement: allow UTF8 characters in URLs
Enhancement: new keyword ufdb-log-url-details controls if URLs in the log file have parameters or not
Fix: on the ARM platform generated URL tables were corrupt
Fix: implicitly allowed URLs were logged with category "any" instead of the correct category ID
Fix: prevent false positives with Tor proxy detection on port 443
Fix: failed probes for <IP>:443 were not properly cached and resulted in too many probes for IP
Fix: when reverse IP lookups are used, the URL category was not logged correctly (was logged as "any")
Fix: ufdbGenTable uses less memory
Fix: the feature "block-bumped-connect on" never blocked a CONNECT request