From f3e0551c1d28a211bff28dc2df89a19a4ca6697618ccf0b4d30c07efd81c44e5 Mon Sep 17 00:00:00 2001
From: Martin Pluskal
+
+
+
+
+
+ The Squid Team are pleased to announce the release of Squid-4.5 for testing. This new release is available for download from
+http://www.squid-cache.org/Versions/v4/ or the
+mirrors. We welcome feedback and bug reports. If you find a bug, please see
+http://wiki.squid-cache.org/SquidFaq/BugReporting
+for how to submit a report with a stack trace. Although this release is deemed good enough for use in production, please note the existence of
+open bugs against Squid-4. This release adds a dependency on C++11 support in any compiler used to build Squid.
+As a result older C++03 -only and most C++0x compilers will no longer build successfully.
+GCC 4.9+ and Clang 3.5+ are known to have working C++11 support and are usable.
+GCC-4.8 will also build for now despite lack of full C++11 support, but some future features may not be available. This release does not support LibreSSL.
+Due to a bug in the way LibreSSL uses the OpenSSL version macro some changes
+necessary to support OpenSSL 1.1 prevent building with LibreSSL. The Squid-4 change history can be
+viewed here. Squid 4 represents a new feature release above 3.5. The most important of these new features are:
+Squid 4.5 release notes
+
+Squid Developers
+
+This document contains the release notes for version 4 of Squid.
+Squid is a WWW Cache application developed by the National Laboratory
+for Applied Network Research and members of the Web Caching community.
+
+1. Notice
+
+
+2. Major new features since Squid-3.5
+
+
+
+3. Changes to squid.conf since Squid-3.5
+
+
+4. Changes to ./configure options since Squid-3.5
+
+
+5. Regressions since Squid-2.7
+
+
+6. Copyright
+
+
+
+1. Notice
+
+1.1 Known issues
+
+
+1.2 Changes since earlier releases of Squid-4
+
+
+2. Major new features since Squid-3.5
+
+
+
+
Most user-facing changes are reflected in squid.conf (see below).
+ + +The new queue-size=N option to helpers configuration, allows users +to configure the maximum number of queued requests to busy helpers.
+ +helper-mux.pl we have been distributing for the past few years to +encourage use of concurrency is no longer compatible with Squid. If +used it will spawn up to 2^64 helpers and DoS the Squid server.
+ +Helpers utilizing arrays to handle fixed amounts of concurrency +channels MUST be re-written to use queues and capable of handling a +64-bit int as index or they will be vulnerable to buffer overrun and +arbitrary memory accesses.
+ +32-bit helpers need re-writing to handle the concurrency channel ID +as a 64-bit integer value. If not updated they will cause proxies to +return unexpected results or timeout once crossing the 32-bit wrap +boundary. Leading to undefined behaviour in the client HTTP traffic.
+ + +Details in +RFC 6176 +and +RFC 7568
+ +SSLv2 is not fit for purpose. Squid no longer supports being configured with +any settings regarding this protocol. That includes settings manually disabling +its use since it is now forced to disable by default. Also settings enabling +various client/server workarounds specific to SSLv2 are removed.
+ +SSLv3 is not fit for purpose. Squid still accepts configuration, but use +is deprecated and will be removed entirely in a future version. +Squid default behavour is to follow the TLS built in negotiation mechanism +which prefers the latest TLS version. But also to accept downgrades to SSLv3. +Use tls-options=NO_SSLv3 to disable SSLv3 support completely.
+ +A new option tls-min-version=1.N is added in place of sslversion= +to configure the minimum version the TLS negotiation will allow to be used +when an old TLS version is requested by the remote endpoint.
+ +The system Trusted CAs are no longer used by default when verifying client +certificates. The cafile= option should be used instead to +explicitly load the specific CA which signed acceptible client certificates, +even if that CA is one of the system Trusted CAs. +The tls-default-ca option can be used to restore the old +behaviour if needed.
+ + +The basic_msnt_multi_domain_auth helper has been removed. The +basic_smb_lm_auth helper performs the same actions without extra +Perl and Samba dependencies.
+ +The cert_valid.pl testing helper has been renamed to +security_fake_certverify, reflecting the Squid helper naming schema +and that it does not actually perform any certificate checks.
+ +The security_fake_certverify helper is also now built and installed +by default. It is written in Perl so does not require OpenSSL dependencies +for installation. But does use the Perl Crypt::OpenSSL::X509 module for execution. +Building the helper can be controlled using the --enable-security-cert-validators="fake" +option.
+ +The ssl_crtd helper has been renamed to security_file_certgen +and is now built and installed by default whenever OpenSSL support is enabled. +Building the helper can be controlled using the --enable-security-cert-generators="file" +option.
+ +NOTE: The --enable-ssl-crtd option is still required to enable the +sslcrtd_program helper interface within Squid that uses the helper.
+ +The ntlm_smb_lm_auth helper is now built using --enable-auth-ntlm="SMB_LM". +Notice the upper case where it was previously a (wrongly) lower cased acronym.
+ + +ICAP services can now be used over TLS connections.
+ +To mark an ICAP service as secure, use an icaps:// service URI scheme when +listing your service via an icap_service directive. The industry is using a +Secure ICAP term, and Squid follows that convention, but icaps seems more +appropriate for a scheme name.
+ +Squid uses port 11344 for Secure ICAP by default, following another popular +proxy convention. The old 1344 default for plain ICAP ports has not changed.
+ + +Use of C++11 atomic operations instead of GNU atomics allows a wider range of +operating systems and compilers to build Squid SMP and multi-process features. +However this does require a C++11 compiler with a recent version of the C++ +standard library.
+ +IpcIo and Mmapped disk I/O modules are now auto-detected properly which +enables Rock storage on more systems by default than previously.
+ + +Squid is traditionally refered to as a daemon. But is actually a combination +of daemon and daemon manager processes. This has caused significant problems +integrating it with other third-party daemon managers.
+ +The Squid process which places its PID into the squid.pid file has always +been the process to which control signals are sent. The manager process is +now taking on signal handling instead of the main daemon process. Enabling +integration with daemon managers such as Upstart or systemd which assume the +process they initiated is the daemon with a PID to control.
+ +The squid binary now has a new --foreground command line option, +which (only) prevents daemonizing the master process. +Unlike the old -N option, +--foreground supports SMP workers and multi-process features. +--foreground is particularly useful for use with -z (disk +cache structures creation), as it allows the caller to wait until Squid has +finished.
+ +The squid binary now accepts a --kid command line option which +informs the process which role it is to take on. This aids with debugging +SMP issues with specific process types and resolves some SMP forking issues.
+ + +Squid can now be built to use GnuTLS in place of OpenSSL for the core +features of receiving TLS connections from clients and making TLS +connections to servers. The GnuTLS support is still very much experimental +and should be tested before use.
+ +SSL-Bump and certificate generation features are not yet supported by +GnuTLS builds. Nor are many other less commonly used Squid TLS/SSL features.
+ +squid.conf directives and configuration options which have undergone +name changes from 'ssl' to 'tls' prefix in Squid-4 have GnuTLS support, unless +explicitly stated otherwise.
+ +Advanced configuration with specific selection of ciphers and similar settings +should still work, but needs the GnuTLS Priority Strings instead of +the OpenSSL options when using GnuTLS. +See +GnuTLS manual +for more details.
+ + +The Squid custom ESI (Edge Side Includes) parser has been removed in favour +of better supported and maintained third-party libraries. At least one of libxml2 +or libexpat is now mandatory to build support for the ESI response processor.
+ + +There have been changes to Squid's configuration file since Squid-3.5.
+This section gives a thorough account of those changes in three categories:
++
+
New directive to limit the size of a table used for sharing information +about collapsible entries among SMP workers.
+ +New directive to control Squid behaviour on the client connection when +receiving an HTTP request with an Expect:100-continue header.
+ +New directive to set a cool-down delay reviving a child process if +the process is encountering frequent deaths.
+ +New directive to set the action performed when encountering strange +protocol requests at the beginning of an accepted TCP connection.
+ +New directive to limit the lifetime of persistent connections.
+ +New directive to add header fields to outgoing HTTP responses to +the client.
+ +New directive controlling how long Squid waits for the first request +bytes to arrive after initial connection establishment by a client.
+ +New directive to provide fine-grained control over persistent connection +reuse when forwarding HTTP requests that Squid cannot retry. It is useful +in environments where opening new connections is very expensive +and race conditions associated with persistent connections are very rare +and/or only cause minor problems.
+ +New directive to ensure shared memory is all available immediately +on startup. Protects against SIGBUS errors, but delays startup.
+ +New directive to define TLS security context options for outgoing +connections. For example to HTTPS servers.
+ +Squid times active requests to redirector. This directive sets +the timeout value and the Squid reaction to a timed out +request.
+ ++
TCP accept(2) errors logged with URI error:accept-client-connection.
+Unused connections received in http_port or https_port +or transactions terminated before reading[parsing] request headers are +logged with URI error:transaction-end-before-headers.
+New option rotate= to control the number of log file rotations +to make when -k rotate command is received. Default is to +obey the logfile_rotate directive.
+ +New -m flag for note ACL to match substrings.
+New client_connection_mark type for matching Netfilter +CONNMARK of the client TCP connection.
+New connections_encrypted type for matching transactions +where all HTTP messages were received over TLS transport connections, +including messages received from ICAP servers.
+New has type for matching whether or not Squid is able to provide +certain sets of transaction state. For example HTTP reply headers.
+New transaction_initiator type for detecting various +unusual transactions.
+New --consensus, --client-requested and +--server-provided flags for the ssl::server_name +type to control which server name to match against.
+ +New parameter queue-size= to set the maximum number +of queued requests.
+New parameter on-persistent-overload= to set the action taken +when the helper queue is overloaded.
+ +New option auth-no-keytab to let GSSAPI implementation determine +which Kerberos credentials to use, instead of specifying a keytab.
+Replaced option ssl with tls. Use of any +tls- prefixed options implies tls is enabled.
+New option tls-min-version=1.N to set minimum TLS version allowed.
+New option tls-default-ca replaces sslflags=NO_DEFAULT_CA
+New option tls-no-npn to disable sending TLS NPN extension.
+All ssloptions= values for SSLv2 configuration or disabling +have been removed.
+Removed sslversion= option. Use tls-options= instead.
+Manual squid.conf update may be required on upgrade.
+Replaced option sslcafile= with tls-cafile= +which takes multiple entries.
+ +New format macro %O to expand the message= value supplied +by external ACL helpers.
+ +New connection-encryption= option to determine ICAP service +effect on connections_encrypted ACL.
+ +Removed custom parser option.
+Changed default to auto-detect available parsers instead of custom.
+ +New parameter queue-size= to set the maximum number +of queued requests.
+New parameter on-persistent-overload= to set the action taken +when the helper queue is overloaded.
+Format field updated to accept any logformat %macro code.
+The optional acl-value fields in this helper input now expand +to a dash ('-') if the %DATA macro is not specified explicitly.
+ +New option tls-min-version=1.N to set minimum TLS version allowed.
+New option tls-default-ca replaces sslflags=NO_DEFAULT_CA, +the default is also changed to OFF.
+New option tls-no-npn to disable sending TLS NPN extension.
+All option= values for SSLv2 configuration or disabling +have been removed.
+Removed version= option. Use tls-options= instead.
+Manual squid.conf update may be required on upgrade.
+Replaced cafile= with tls-cafile= which takes multiple entries.
+Changed default value of generate-host-certificates to ON.
+ +New option tls-min-version=1.N to set minimum TLS version allowed.
+New option tls-default-ca replaces sslflags=NO_DEFAULT_CA, +the default is also changed to OFF.
+New option tls-no-npn to disable sending TLS NPN extension.
+All options= values for SSLv2 +configuration or disabling have been removed.
+Removed version= option. Use tls-options= instead.
+Manual squid.conf update may be required on upgrade.
+Replaced cafile= with tls-cafile= which takes multiple entries.
+Changed default value of generate-host-certificates to ON.
+ +New scheme icaps:// to enable TLS/SSL connections to Secure ICAP +servers on port 11344.
+New connection-encryption= option to determine ICAP service +effect on connections_encrypted ACL.
+New tls-cert= option to set TLS client certificate to use.
+New tls-key= option to set TLS private key matching the client +certificate used.
+New tls-min-version=1.N option to set minimum TLS version allowed +on server connections.
+New tls-options= option to set OpenSSL library parameters.
+New tls-flags= option to set flags modifying Squid TLS operations.
+New tls-cipher= option to set a list of ciphers permitted.
+New tls-cafile= option to set a file with additional CA +certificate(s) to verify the server certificate.
+New tls-capath= option to set a directory with additional CA +certificate(s) to verify the server certificate.
+New tls-crlfile= option to set a file with a CRL to verify the +server certificate.
+New tls-default-ca option to use the system Trusted CAs to +verify the server certificate.
+New tls-domain= option to verify the server certificate domain.
+ +Now only requires that helper binary exists when daemon: log module +is actually being used.
+ +New quoting modifier to produce \-escaped output.
+New code %ssl::<cert_errors to display server X.509 +certificate errors.
+New code %ssl::<cert_issuer to display Issuer field of +the received server X.509 certificate.
+New code %ssl::<cert_subject to display Subject field of +the received server X.509 certificate.
+New code %ssl::>negotiated_version to display +negotiated TLS version of the client connection.
+New code %ssl::<negotiated_version to display +negotiated TLS version of the last server or peer connection.
+New code %ssl::>received_hello_version to display the +TLS version of the Hello message received from TLS client.
+New code %ssl::<received_hello_version to display the +TLS version of the Hello message received from TLS server.
+New code %ssl::>received_supported_version to display +the maximum TLS version supported by the TLS client.
+New code %ssl::<received_supported_version to display +the maximum TLS version supported by the TLS server.
+New code %ssl::>negotiated_cipher to display the +negotiated cipher of the client connection.
+New code %ssl::<negotiated_cipher to display the +negotiated cipher of the last server or peer connection.
+New code %>handshake to display initial octets +received on a client connection (Base64 encoded).
+Fixed %<Hs, %<pt and %<tt +codes for received CONNECT errors.
+Improved %<bs logging on forwarding retries.
+Improved %<Hs, %<pt, %<tt, +%<bs logging on SslBump errors.
+ +Default value now based on squid -n command line parameter.
+This directive is no longer mandatory to edit for +multi-instance/tenant Squid installations.
+ +Removed option ignore-auth. Its commonly desired behaviour +is performed by default with correct HTTP/1.1 revalidation.
+Removed option ignore-must-revalidate. Other more HTTP compliant +directives (cache, store_miss) can be used to prevent +objects from caching.
+ +New parameter queue-size= to set the maximum number +of queued requests.
+New parameter on-persistent-overload= to set the action taken +when the helper queue is overloaded.
+ +New parameter queue-size= to set the maximum number +of queued requests.
+New parameter on-persistent-overload= to set the action taken +when the helper queue is overloaded.
+ +New parameter queue-size= to set the maximum number +of queued requests.
+New parameter on-persistent-overload= to set the action taken +when the helper queue is overloaded.
+ +New parameter queue-size= to set the maximum number +of queued requests.
+New parameter on-persistent-overload= to set the action taken +when the helper queue is overloaded.
+ ++
Superceded by cache_peer_access. Use dstdomain ACL +in the access control list to restrict domains requested.
+ +Removed. MSIE 3.x, 4.x, 5.0 and 5.01 are no longer popular browsers.
+ +Replaced by tls_outgoing_options cafile=. +Which now takes multiple entries.
+ +Replaced by tls_outgoing_options capath=.
+ +Replaced by tls_outgoing_options cipher=.
+ +Replaced by tls_outgoing_options cert=.
+ +Replaced by tls_outgoing_options key=.
+ +Replaced by tls_outgoing_options flags=.
+ +Replaced by tls_outgoing_options options=.
+All values for SSLv2 configuration or disabling have been removed.
+Manual squid.conf update may be required on upgrade.
+ +Replaced by tls_outgoing_options options=.
+All values for SSLv2 configuration or disabling have been removed.
+Manual squid.conf update may be required on upgrade.
+ +There have been some changes to Squid's build configuration since Squid-3.5.
+This section gives an account of those changes in three categories:
++
+ + + ++
New option to control which TLS/SSL dynamic certificate generator +helpers are built and installed.
+Helper ssl_crtd has been renamed to security_file_certgen +and built with module name file. Requires --with-openssl.
+ +New option to control which TLS/SSL certificate validation +helpers are built and installed.
+One fake helper that does not actually perform any +certificate checks is provided for testing and as an example +for writing custom helpers.
+ +The cppunit testing framework is auto-detected and used when available. +This option can be used to disable it explicitly.
+ ++
The MSNT-multi-domain helper has been removed.
+The SMB LanMan helper SMB_LM is no longer built by default. +It needs to be explicitly listed to be built.
+ +The SMB LanMan helper is now built using SMB_LM +(was lower case smb_lm).
+The SMB LanMan helper SMB_LM is no longer built by default. +It needs to be explicitly listed to be built.
+ +Auto-detection of SMP related modules has been fixed to +actually auto-detect them without configuring the module +list manually.
+ +Custom ESI parser has been removed. +Libxml2 or libexpat is now required to enable ESI processing.
+ ++
Replaced by --with-cppunit=PATH. +Please prefer the default auto-detection though.
+ +Removed. Use --with-included-ltdl instead.
+Some squid.conf options which were available in Squid-2.7 are not yet available in Squid-4
+ +If you need something to do then porting one of these from Squid-2 to Squid-3 is most welcome.
+ ++
Not yet ported from 2.6
+ +monitorinterval= not yet ported from 2.6
+monitorsize= not yet ported from 2.6
+monitortimeout= not yet ported from 2.6
+monitorurl= not yet ported from 2.6
+ +Not yet ported from 2.6
+ +Not yet ported from 2.6
+ +Not yet ported from 2.7
+ +Not yet ported from 2.6
+ +Not yet ported from 2.6
+ +Not yet ported from 2.6
+ +Not yet ported from 2.6
+ +stale-while-revalidate= not yet ported from 2.7
+ignore-stale-while-revalidate= not yet ported from 2.7
+negative-ttl= not yet ported from 2.7
+ +Not yet ported from 2.7
+ +Not yet ported from 2.7
+ +Copyright (C) 1996-2018 The Squid Software Foundation and contributors
+Squid software is distributed under GPLv2+ license and includes +contributions from numerous individuals and organizations. +Please see the COPYING and CONTRIBUTORS files for details.
+ + + diff --git a/squid-4.5.tar.xz b/squid-4.5.tar.xz new file mode 100644 index 0000000..f554019 --- /dev/null +++ b/squid-4.5.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:553edf76d6ee9a1627af9c2be7be850c14cd6836170b3d6c1393fd700d44ccc5 +size 2437936 diff --git a/squid-4.5.tar.xz.asc b/squid-4.5.tar.xz.asc new file mode 100644 index 0000000..f8cc308 --- /dev/null +++ b/squid-4.5.tar.xz.asc @@ -0,0 +1,25 @@ +File: squid-4.5.tar.xz +Date: Tue Jan 1 05:12:50 UTC 2019 +Size: 2437936 +MD5 : 8275da5846f9f2243ad2625e5aef2ee0 +SHA1: 1249cf60f1ea2a0cd145f66a790d1e9e48333c51 +Key : CD6DBF8EF3B17D3E-
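Review bot: the squid-4.5.tar.xz.asc hunk header announces 25 added lines, but only the File, Date, Size, MD5, SHA1 and Key header lines are visible here, so confirm that the PGP signature block itself made it into the commit and that the signing key named in `+Key : CD6DBF8EF3B17D3E` is present in the keyring the package build verifies against; without both, the .asc cannot be checked at build time and the only integrity anchor for the tarball is the git-lfs pointer line `+oid sha256:553edf76d6ee9a1627af9c2be7be850c14cd6836170b3d6c1393fd700d44ccc5`. Treat the MD5 and SHA1 values in the header as informational only; the sha256 oid is the value to compare against the checksum published upstream for squid-4.5.tar.xz.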
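Review bot: the added release notes state several changes that will require a manual squid.conf edit on upgrade (sslversion= removed in favour of tls-options= and tls-min-version=, sslcafile= replaced by tls-cafile=, sslflags=NO_DEFAULT_CA replaced by tls-default-ca whose default is now OFF, and every SSLv2 setting removed), and a configuration that no longer parses means a proxy that does not start; consider repeating those items in the package changelog next to this notes file so administrators see them before they upgrade. The same notes warn that helper-mux.pl is no longer compatible and that helpers using fixed arrays for concurrency channels must be rewritten to index by a 64-bit channel ID or risk buffer overruns, so any helper scripts the package carries or patches are worth checking against that before this lands.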
-
-
-
-
-
The Squid Team are pleased to announce the release of Squid-4.5 for testing.
-This new release is available for download from -http://www.squid-cache.org/Versions/v4/ or the -mirrors.
- -We welcome feedback and bug reports. If you find a bug, please see -http://wiki.squid-cache.org/SquidFaq/BugReporting -for how to submit a report with a stack trace.
- -Although this release is deemed good enough for use in production, please note the existence of -open bugs against Squid-4.
- -This release adds a dependency on C++11 support in any compiler used to build Squid. -As a result older C++03 -only and most C++0x compilers will no longer build successfully. -GCC 4.9+ and Clang 3.5+ are known to have working C++11 support and are usable. -GCC-4.8 will also build for now despite lack of full C++11 support, but some future features may not be available.
- -This release does not support LibreSSL. -Due to a bug in the way LibreSSL uses the OpenSSL version macro some changes -necessary to support OpenSSL 1.1 prevent building with LibreSSL.
- - -The Squid-4 change history can be -viewed here.
- - -Squid 4 represents a new feature release above 3.5.
- -The most important of these new features are: -
Most user-facing changes are reflected in squid.conf (see below).
- - -The new queue-size=N option to helpers configuration, allows users -to configure the maximum number of queued requests to busy helpers.
- -helper-mux.pl we have been distributing for the past few years to -encourage use of concurrency is no longer compatible with Squid. If -used it will spawn up to 2^64 helpers and DoS the Squid server.
- -Helpers utilizing arrays to handle fixed amounts of concurrency -channels MUST be re-written to use queues and capable of handling a -64-bit int as index or they will be vulnerable to buffer overrun and -arbitrary memory accesses.
- -32-bit helpers need re-writing to handle the concurrency channel ID -as a 64-bit integer value. If not updated they will cause proxies to -return unexpected results or timeout once crossing the 32-bit wrap -boundary. Leading to undefined behaviour in the client HTTP traffic.
- - -Details in -RFC 6176 -and -RFC 7568
- -SSLv2 is not fit for purpose. Squid no longer supports being configured with -any settings regarding this protocol. That includes settings manually disabling -its use since it is now forced to disable by default. Also settings enabling -various client/server workarounds specific to SSLv2 are removed.
- -SSLv3 is not fit for purpose. Squid still accepts configuration, but use -is deprecated and will be removed entirely in a future version. -Squid default behavour is to follow the TLS built in negotiation mechanism -which prefers the latest TLS version. But also to accept downgrades to SSLv3. -Use tls-options=NO_SSLv3 to disable SSLv3 support completely.
- -A new option tls-min-version=1.N is added in place of sslversion= -to configure the minimum version the TLS negotiation will allow to be used -when an old TLS version is requested by the remote endpoint.
- -The system Trusted CAs are no longer used by default when verifying client -certificates. The cafile= option should be used instead to -explicitly load the specific CA which signed acceptible client certificates, -even if that CA is one of the system Trusted CAs. -The tls-default-ca option can be used to restore the old -behaviour if needed.
- - -The basic_msnt_multi_domain_auth helper has been removed. The -basic_smb_lm_auth helper performs the same actions without extra -Perl and Samba dependencies.
- -The cert_valid.pl testing helper has been renamed to -security_fake_certverify, reflecting the Squid helper naming schema -and that it does not actually perform any certificate checks.
- -The security_fake_certverify helper is also now built and installed -by default. It is written in Perl so does not require OpenSSL dependencies -for installation. But does use the Perl Crypt::OpenSSL::X509 module for execution. -Building the helper can be controlled using the --enable-security-cert-validators="fake" -option.
- -The ssl_crtd helper has been renamed to security_file_certgen -and is now built and installed by default whenever OpenSSL support is enabled. -Building the helper can be controlled using the --enable-security-cert-generators="file" -option.
- -NOTE: The --enable-ssl-crtd option is still required to enable the -sslcrtd_program helper interface within Squid that uses the helper.
- -The ntlm_smb_lm_auth helper is now built using --enable-auth-ntlm="SMB_LM". -Notice the upper case where it was previously a (wrongly) lower cased acronym.
- - -ICAP services can now be used over TLS connections.
- -To mark an ICAP service as secure, use an icaps:// service URI scheme when -listing your service via an icap_service directive. The industry is using a -Secure ICAP term, and Squid follows that convention, but icaps seems more -appropriate for a scheme name.
- -Squid uses port 11344 for Secure ICAP by default, following another popular -proxy convention. The old 1344 default for plain ICAP ports has not changed.
- - -Use of C++11 atomic operations instead of GNU atomics allows a wider range of -operating systems and compilers to build Squid SMP and multi-process features. -However this does require a C++11 compiler with a recent version of the C++ -standard library.
- -IpcIo and Mmapped disk I/O modules are now auto-detected properly which -enables Rock storage on more systems by default than previously.
- - -Squid is traditionally refered to as a daemon. But is actually a combination -of daemon and daemon manager processes. This has caused significant problems -integrating it with other third-party daemon managers.
- -The Squid process which places its PID into the squid.pid file has always -been the process to which control signals are sent. The manager process is -now taking on signal handling instead of the main daemon process. Enabling -integration with daemon managers such as Upstart or systemd which assume the -process they initiated is the daemon with a PID to control.
- -The squid binary now has a new --foreground command line option, -which (only) prevents daemonizing the master process. -Unlike the old -N option, ---foreground supports SMP workers and multi-process features. ---foreground is particularly useful for use with -z (disk -cache structures creation), as it allows the caller to wait until Squid has -finished.
- -The squid binary now accepts a --kid command line option which -informs the process which role it is to take on. This aids with debugging -SMP issues with specific process types and resolves some SMP forking issues.
- - -Squid can now be built to use GnuTLS in place of OpenSSL for the core -features of receiving TLS connections from clients and making TLS -connections to servers. The GnuTLS support is still very much experimental -and should be tested before use.
- -SSL-Bump and certificate generation features are not yet supported by -GnuTLS builds. Nor are many other less commonly used Squid TLS/SSL features.
- -squid.conf directives and configuration options which have undergone -name changes from 'ssl' to 'tls' prefix in Squid-4 have GnuTLS support, unless -explicitly stated otherwise.
- -Advanced configuration with specific selection of ciphers and similar settings -should still work, but needs the GnuTLS Priority Strings instead of -the OpenSSL options when using GnuTLS. -See -GnuTLS manual -for more details.
- - -The Squid custom ESI (Edge Side Includes) parser has been removed in favour -of better supported and maintained third-party libraries. At least one of libxml2 -or libexpat is now mandatory to build support for the ESI response processor.
- - -There have been changes to Squid's configuration file since Squid-3.5.
-This section gives a thorough account of those changes in three categories:
--
-
New directive to limit the size of a table used for sharing information -about collapsible entries among SMP workers.
- -New directive to control Squid behaviour on the client connection when -receiving an HTTP request with an Expect:100-continue header.
- -New directive to set a cool-down delay reviving a child process if -the process is encountering frequent deaths.
- -New directive to set the action performed when encountering strange -protocol requests at the beginning of an accepted TCP connection.
- -New directive to limit the lifetime of persistent connections.
- -New directive to add header fields to outgoing HTTP responses to -the client.
- -New directive controlling how long Squid waits for the first request -bytes to arrive after initial connection establishment by a client.
- -New directive to provide fine-grained control over persistent connection -reuse when forwarding HTTP requests that Squid cannot retry. It is useful -in environments where opening new connections is very expensive -and race conditions associated with persistent connections are very rare -and/or only cause minor problems.
- -New directive to ensure shared memory is all available immediately -on startup. Protects against SIGBUS errors, but delays startup.
- -New directive to define TLS security context options for outgoing -connections. For example to HTTPS servers.
- -Squid times active requests to redirector. This directive sets -the timeout value and the Squid reaction to a timed out -request.
- --
TCP accept(2) errors logged with URI error:accept-client-connection.
-Unused connections received in http_port or https_port -or transactions terminated before reading[parsing] request headers are -logged with URI error:transaction-end-before-headers.
-New option rotate= to control the number of log file rotations -to make when -k rotate command is received. Default is to -obey the logfile_rotate directive.
- -New -m flag for note ACL to match substrings.
-New client_connection_mark type for matching Netfilter -CONNMARK of the client TCP connection.
-New connections_encrypted type for matching transactions -where all HTTP messages were received over TLS transport connections, -including messages received from ICAP servers.
-New has type for matching whether or not Squid is able to provide -certain sets of transaction state. For example HTTP reply headers.
-New transaction_initiator type for detecting various -unusual transactions.
-New --consensus, --client-requested and ---server-provided flags for the ssl::server_name -type to control which server name to match against.
- -New parameter queue-size= to set the maximum number -of queued requests.
-New parameter on-persistent-overload= to set the action taken -when the helper queue is overloaded.
- -New option auth-no-keytab to let GSSAPI implementation determine -which Kerberos credentials to use, instead of specifying a keytab.
-Replaced option ssl with tls. Use of any -tls- prefixed options implies tls is enabled.
-New option tls-min-version=1.N to set minimum TLS version allowed.
-New option tls-default-ca replaces sslflags=NO_DEFAULT_CA
-New option tls-no-npn to disable sending TLS NPN extension.
-All ssloptions= values for SSLv2 configuration or disabling -have been removed.
-Removed sslversion= option. Use tls-options= instead.
-Manual squid.conf update may be required on upgrade.
-Replaced option sslcafile= with tls-cafile= -which takes multiple entries.
- -New format macro %O to expand the message= value supplied -by external ACL helpers.
- -New connection-encryption= option to determine ICAP service -effect on connections_encrypted ACL.
- -Removed custom parser option.
-Changed default to auto-detect available parsers instead of custom.
- -New parameter queue-size= to set the maximum number -of queued requests.
-New parameter on-persistent-overload= to set the action taken -when the helper queue is overloaded.
-Format field updated to accept any logformat %macro code.
-The optional acl-value fields in this helper input now expand -to a dash ('-') if the %DATA macro is not specified explicitly.
- -New option tls-min-version=1.N to set minimum TLS version allowed.
-New option tls-default-ca replaces sslflags=NO_DEFAULT_CA, -the default is also changed to OFF.
-New option tls-no-npn to disable sending TLS NPN extension.
-All option= values for SSLv2 configuration or disabling -have been removed.
-Removed version= option. Use tls-options= instead.
-Manual squid.conf update may be required on upgrade.
-Replaced cafile= with tls-cafile= which takes multiple entries.
-Changed default value of generate-host-certificates to ON.
- -New option tls-min-version=1.N to set minimum TLS version allowed.
-New option tls-default-ca replaces sslflags=NO_DEFAULT_CA, -the default is also changed to OFF.
-New option tls-no-npn to disable sending TLS NPN extension.
-All options= values for SSLv2 -configuration or disabling have been removed.
-Removed version= option. Use tls-options= instead.
-Manual squid.conf update may be required on upgrade.
-Replaced cafile= with tls-cafile= which takes multiple entries.
-Changed default value of generate-host-certificates to ON.
- -New scheme icaps:// to enable TLS/SSL connections to Secure ICAP -servers on port 11344.
-New connection-encryption= option to determine ICAP service -effect on connections_encrypted ACL.
-New tls-cert= option to set TLS client certificate to use.
-New tls-key= option to set TLS private key matching the client -certificate used.
-New tls-min-version=1.N option to set minimum TLS version allowed -on server connections.
-New tls-options= option to set OpenSSL library parameters.
-New tls-flags= option to set flags modifying Squid TLS operations.
-New tls-cipher= option to set a list of ciphers permitted.
-New tls-cafile= option to set a file with additional CA -certificate(s) to verify the server certificate.
-New tls-capath= option to set a directory with additional CA -certificate(s) to verify the server certificate.
-New tls-crlfile= option to set a file with a CRL to verify the -server certificate.
-New tls-default-ca option to use the system Trusted CAs to -verify the server certificate.
-New tls-domain= option to verify the server certificate domain.
- -Now only requires that helper binary exists when daemon: log module -is actually being used.
- -New quoting modifier to produce \-escaped output.
-New code %ssl::<cert_errors to display server X.509 -certificate errors.
-New code %ssl::<cert_issuer to display Issuer field of -the received server X.509 certificate.
-New code %ssl::<cert_subject to display Subject field of -the received server X.509 certificate.
-New code %ssl::>negotiated_version to display -negotiated TLS version of the client connection.
-New code %ssl::<negotiated_version to display -negotiated TLS version of the last server or peer connection.
-New code %ssl::>received_hello_version to display the -TLS version of the Hello message received from TLS client.
-New code %ssl::<received_hello_version to display the -TLS version of the Hello message received from TLS server.
-New code %ssl::>received_supported_version to display -the maximum TLS version supported by the TLS client.
-New code %ssl::<received_supported_version to display -the maximum TLS version supported by the TLS server.
-New code %ssl::>negotiated_cipher to display the -negotiated cipher of the client connection.
-New code %ssl::<negotiated_cipher to display the -negotiated cipher of the last server or peer connection.
-New code %>handshake to display initial octets -received on a client connection (Base64 encoded).
-Fixed %<Hs, %<pt and %<tt -codes for received CONNECT errors.
-Improved %<bs logging on forwarding retries.
-Improved %<Hs, %<pt, %<tt, -%<bs logging on SslBump errors.
- -Default value now based on squid -n command line parameter.
-This directive is no longer mandatory to edit for -multi-instance/tenant Squid installations.
- -Removed option ignore-auth. Its commonly desired behaviour -is performed by default with correct HTTP/1.1 revalidation.
-Removed option ignore-must-revalidate. Other more HTTP compliant -directives (cache, store_miss) can be used to prevent -objects from caching.
- -New parameter queue-size= to set the maximum number -of queued requests.
-New parameter on-persistent-overload= to set the action taken -when the helper queue is overloaded.
- -New parameter queue-size= to set the maximum number -of queued requests.
-New parameter on-persistent-overload= to set the action taken -when the helper queue is overloaded.
- -New parameter queue-size= to set the maximum number -of queued requests.
-New parameter on-persistent-overload= to set the action taken -when the helper queue is overloaded.
- -New parameter queue-size= to set the maximum number -of queued requests.
-New parameter on-persistent-overload= to set the action taken -when the helper queue is overloaded.
- --
Superceded by cache_peer_access. Use dstdomain ACL -in the access control list to restrict domains requested.
- -Removed. MSIE 3.x, 4.x, 5.0 and 5.01 are no longer popular browsers.
- -Replaced by tls_outgoing_options cafile=. -Which now takes multiple entries.
- -Replaced by tls_outgoing_options capath=.
- -Replaced by tls_outgoing_options cipher=.
- -Replaced by tls_outgoing_options cert=.
- -Replaced by tls_outgoing_options key=.
- -Replaced by tls_outgoing_options flags=.
- -Replaced by tls_outgoing_options options=.
-All values for SSLv2 configuration or disabling have been removed.
-Manual squid.conf update may be required on upgrade.
- -Replaced by tls_outgoing_options options=.
-All values for SSLv2 configuration or disabling have been removed.
-Manual squid.conf update may be required on upgrade.
- -There have been some changes to Squid's build configuration since Squid-3.5.
-This section gives an account of those changes in three categories:
--
- - - --
New option to control which TLS/SSL dynamic certificate generator -helpers are built and installed.
-Helper ssl_crtd has been renamed to security_file_certgen -and built with module name file. Requires --with-openssl.
- -New option to control which TLS/SSL certificate validation -helpers are built and installed.
-One fake helper that does not actually perform any -certificate checks is provided for testing and as an example -for writing custom helpers.
- -The cppunit testing framework is auto-detected and used when available. -This option can be used to disable it explicitly.
- --
The MSNT-multi-domain helper has been removed.
-The SMB LanMan helper SMB_LM is no longer built by default. -It needs to be explicitly listed to be built.
- -The SMB LanMan helper is now built using SMB_LM -(was lower case smb_lm).
-The SMB LanMan helper SMB_LM is no longer built by default. -It needs to be explicitly listed to be built.
- -Auto-detection of SMP related modules has been fixed to -actually auto-detect them without configuring the module -list manually.
- -Custom ESI parser has been removed. -Libxml2 or libexpat is now required to enable ESI processing.
- --
Replaced by --with-cppunit=PATH. -Please prefer the default auto-detection though.
- -Removed. Use --with-included-ltdl instead.
-Some squid.conf options which were available in Squid-2.7 are not yet available in Squid-4
- -If you need something to do then porting one of these from Squid-2 to Squid-3 is most welcome.
- --
Not yet ported from 2.6
- -monitorinterval= not yet ported from 2.6
-monitorsize= not yet ported from 2.6
-monitortimeout= not yet ported from 2.6
-monitorurl= not yet ported from 2.6
- -Not yet ported from 2.6
- -Not yet ported from 2.6
- -Not yet ported from 2.7
- -Not yet ported from 2.6
- -Not yet ported from 2.6
- -Not yet ported from 2.6
- -Not yet ported from 2.6
- -stale-while-revalidate= not yet ported from 2.7
-ignore-stale-while-revalidate= not yet ported from 2.7
-negative-ttl= not yet ported from 2.7
- -Not yet ported from 2.7
- -Not yet ported from 2.7
- -Copyright (C) 1996-2018 The Squid Software Foundation and contributors
-Squid software is distributed under GPLv2+ license and includes -contributions from numerous individuals and organizations. -Please see the COPYING and CONTRIBUTORS files for details.
- - -
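Review bot: the added release-notes text has lost the names of the directives, options and ACL types that each block describes, so most entries cannot be read in context: the block beginning "New directive controlling how long Squid waits for the first request bytes to arrive" gives no directive name, the ACL entries from "New -m flag for note ACL" onward and the six repeated "New parameter queue-size= ... / New parameter on-persistent-overload= ..." pairs all appear without the heading saying which configuration directive they belong to, and the lines that consist only of "- --" (before "TCP accept(2) errors logged with URI error:accept-client-connection.", before "Superceded by cache_peer_access", and in the ./configure and Regressions sections) are where those headings appear to have been dropped. Please regenerate this file from the source document so the headings survive alongside their entries. While at it: "Superceded by cache_peer_access" should read "Superseded", "before reading[parsing] request headers" needs cleaning up, and the entry "New option tls-default-ca replaces sslflags=NO_DEFAULT_CA" is missing its terminating full stop, unlike the surrounding entries.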