From f3e0551c1d28a211bff28dc2df89a19a4ca6697618ccf0b4d30c07efd81c44e5 Mon Sep 17 00:00:00 2001 From: Martin Pluskal Date: Wed, 2 Jan 2019 08:30:55 +0000 Subject: [PATCH 1/2] Accepting request 662363 from home:seanlew:branches:server:proxy Update squid OBS-URL: https://build.opensuse.org/request/show/662363 OBS-URL: https://build.opensuse.org/package/show/server:proxy/squid?expand=0&rev=175 --- squid-4.4.tar.xz | 3 - squid-4.4.tar.xz.asc | 25 -- squid-4.5-RELEASENOTES.html | 740 ++++++++++++++++++++++++++++++++++++ squid-4.5.tar.xz | 3 + squid-4.5.tar.xz.asc | 25 ++ squid.changes | 15 + squid.spec | 6 +- 7 files changed, 786 insertions(+), 31 deletions(-) delete mode 100644 squid-4.4.tar.xz delete mode 100644 squid-4.4.tar.xz.asc create mode 100644 squid-4.5-RELEASENOTES.html create mode 100644 squid-4.5.tar.xz create mode 100644 squid-4.5.tar.xz.asc diff --git a/squid-4.4.tar.xz b/squid-4.4.tar.xz deleted file mode 100644 index ccd3983..0000000 --- a/squid-4.4.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:4905e6da7f5574d2583ba36f398bb062a12d51e70d67035078b6e85b09e9ee82 -size 2436468 diff --git a/squid-4.4.tar.xz.asc b/squid-4.4.tar.xz.asc deleted file mode 100644 index b596bbb..0000000 --- a/squid-4.4.tar.xz.asc +++ /dev/null 
@@ -1,25 +0,0 @@ -File: squid-4.4.tar.xz -Date: Sat Oct 27 21:20:24 UTC 2018 -Size: 2436468 -MD5 : 892504ca9700e1f139a53f84098613bd -SHA1: 0ab6b133f65866d825bf72cbbe8cef209768b2fa -Key : CD6DBF8EF3B17D3E - B068 84ED B779 C89B 044E 64E3 CD6D BF8E F3B1 7D3E - keyring = http://www.squid-cache.org/pgp.asc - keyserver = pool.sks-keyservers.net ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEsGiE7bd5yJsETmTjzW2/jvOxfT4FAlvU1qAACgkQzW2/jvOx -fT5Y3Q//R3/ZtDHal9H9c4VUB1fEzkk22JfgXTzRRUdzNkN+XxDkVGmM9R0E0Opo -9E/lsE9PcLX1EBtBXbPfwLESzfMe4QJgqq1B4FocpJcdtfCQX6ADU4Qdfc+oo8Z1 -J/xCf8XrU3yUgXn3pMnQ9DT+IuPYe+Jte7Awm148mC15GMC49NBAYAd793XZ+L2t -fVPCbVYA40AU3xVJkxlblh7O0E8UEQ7zQMxcXM2jJJ4jJOjqecOIoJt6lyPD59q3 -UjD0EmcjTj54BpaU8r++kAc2TkLyBvFV1vWQuQRNG5IAMEOF3H8OfujCXl3lX9fD -Tvi9763f9LxdImLJttkzgTt20XAudlUmKOdpj6t1uF+7EmNJg/ChowyLsLzlLLST -1mGNdcUdP9VhX2aoTXN/ctn8BTQ/cNIx2VY8kKWsXB+ymFcCJRBW1cBAr3R+UzuX -KVlsDzlxP6Dp8EFvKN3sIbM/QtpstKgbTkxro7d9XBkeldsasd5uI2Yt5PSMIs+y -VtscqCnwDjxAIW6FNqB96J4hcOYECdWHDL3s46wEDnQaiR0IdBAN5QHn1imzM5e1 -eHuwZimqBW6vE4rPnVpPIr1Gml5OlLl3te2jsbUVmBiOwDVlQLZJQGzI5UTazvnN -eR3QeTW+ggSAdVc6GEApELARfKPRxywLQTOlAhEPn0xayy4ByME= -=1eSQ ------END PGP SIGNATURE----- diff --git a/squid-4.5-RELEASENOTES.html b/squid-4.5-RELEASENOTES.html new file mode 100644 index 0000000..7ae578d --- /dev/null +++ b/squid-4.5-RELEASENOTES.html @@ -0,0 +1,740 @@ + + + + + Squid 4.5 release notes + + +

Squid 4.5 release notes

+ +

Squid Developers

+
+This document contains the release notes for version 4 of Squid. +Squid is a WWW Cache application developed by the National Laboratory +for Applied Network Research and members of the Web Caching community. +
+

+

1. Notice

+ + +

+

2. Major new features since Squid-3.5

+ + +

+

3. Changes to squid.conf since Squid-3.5

+ + +

+

4. Changes to ./configure options since Squid-3.5

+ + +

+

5. Regressions since Squid-2.7

+ + +

+

6. Copyright

+ + +
+

1. Notice

+ +

The Squid Team are pleased to announce the release of Squid-4.5 for testing.

+

This new release is available for download from +http://www.squid-cache.org/Versions/v4/ or the +mirrors.

+ +

We welcome feedback and bug reports. If you find a bug, please see +http://wiki.squid-cache.org/SquidFaq/BugReporting +for how to submit a report with a stack trace.

+ +

1.1 Known issues +

+ +

Although this release is deemed good enough for use in production, please note the existence of +open bugs against Squid-4.

+ +

This release adds a dependency on C++11 support in any compiler used to build Squid. +As a result older C++03 -only and most C++0x compilers will no longer build successfully. +GCC 4.9+ and Clang 3.5+ are known to have working C++11 support and are usable. +GCC-4.8 will also build for now despite lack of full C++11 support, but some future features may not be available.

+ +

This release does not support LibreSSL. +Due to a bug in the way LibreSSL uses the OpenSSL version macro some changes +necessary to support OpenSSL 1.1 prevent building with LibreSSL.

+ + +

1.2 Changes since earlier releases of Squid-4 +

+ +

The Squid-4 change history can be +viewed here.

+ + +

2. Major new features since Squid-3.5

+ +

Squid 4 represents a new feature release above 3.5.

+ +

The most important of these new features are: +

+

+

Most user-facing changes are reflected in squid.conf (see below).

+ + +

2.1 Configurable helper queue size +

+ +

The new queue-size=N option to helpers configuration, allows users +to configure the maximum number of queued requests to busy helpers.

+ +

2.2 Helper concurrency channels changes +

+ +

helper-mux.pl we have been distributing for the past few years to +encourage use of concurrency is no longer compatible with Squid. If +used it will spawn up to 2^64 helpers and DoS the Squid server.

+ +

Helpers utilizing arrays to handle fixed amounts of concurrency +channels MUST be re-written to use queues and capable of handling a +64-bit int as index or they will be vulnerable to buffer overrun and +arbitrary memory accesses.

+ +

32-bit helpers need re-writing to handle the concurrency channel ID +as a 64-bit integer value. If not updated they will cause proxies to +return unexpected results or timeout once crossing the 32-bit wrap +boundary. Leading to undefined behaviour in the client HTTP traffic.

+ + +

2.3 SSL support removal +

+ +

Details in +RFC 6176 +and +RFC 7568

+ +

SSLv2 is not fit for purpose. Squid no longer supports being configured with +any settings regarding this protocol. That includes settings manually disabling +its use since it is now forced to disable by default. Also settings enabling +various client/server workarounds specific to SSLv2 are removed.

+ +

SSLv3 is not fit for purpose. Squid still accepts configuration, but use +is deprecated and will be removed entirely in a future version. +Squid default behavour is to follow the TLS built in negotiation mechanism +which prefers the latest TLS version. But also to accept downgrades to SSLv3. +Use tls-options=NO_SSLv3 to disable SSLv3 support completely.

+ +

A new option tls-min-version=1.N is added in place of sslversion= +to configure the minimum version the TLS negotiation will allow to be used +when an old TLS version is requested by the remote endpoint.

+ +

The system Trusted CAs are no longer used by default when verifying client +certificates. The cafile= option should be used instead to +explicitly load the specific CA which signed acceptible client certificates, +even if that CA is one of the system Trusted CAs. +The tls-default-ca option can be used to restore the old +behaviour if needed.

+ + +

2.4 Helper Binary Changes +

+ +

The basic_msnt_multi_domain_auth helper has been removed. The +basic_smb_lm_auth helper performs the same actions without extra +Perl and Samba dependencies.

+ +

The cert_valid.pl testing helper has been renamed to +security_fake_certverify, reflecting the Squid helper naming schema +and that it does not actually perform any certificate checks.

+ +

The security_fake_certverify helper is also now built and installed +by default. It is written in Perl so does not require OpenSSL dependencies +for installation. But does use the Perl Crypt::OpenSSL::X509 module for execution. +Building the helper can be controlled using the --enable-security-cert-validators="fake" +option.

+ +

The ssl_crtd helper has been renamed to security_file_certgen +and is now built and installed by default whenever OpenSSL support is enabled. +Building the helper can be controlled using the --enable-security-cert-generators="file" +option.

+ +

NOTE: The --enable-ssl-crtd option is still required to enable the +sslcrtd_program helper interface within Squid that uses the helper.

+ +

The ntlm_smb_lm_auth helper is now built using --enable-auth-ntlm="SMB_LM". +Notice the upper case where it was previously a (wrongly) lower cased acronym.

+ + +

2.5 Secure ICAP +

+ +

ICAP services can now be used over TLS connections.

+ +

To mark an ICAP service as secure, use an icaps:// service URI scheme when +listing your service via an icap_service directive. The industry is using a +Secure ICAP term, and Squid follows that convention, but icaps seems more +appropriate for a scheme name.

+ +

Squid uses port 11344 for Secure ICAP by default, following another popular +proxy convention. The old 1344 default for plain ICAP ports has not changed.

+ + +

2.6 Improved SMP support +

+ +

Use of C++11 atomic operations instead of GNU atomics allows a wider range of +operating systems and compilers to build Squid SMP and multi-process features. +However this does require a C++11 compiler with a recent version of the C++ +standard library.

+ +

IpcIo and Mmapped disk I/O modules are now auto-detected properly which +enables Rock storage on more systems by default than previously.

+ + +

2.7 Improved process management +

+ +

Squid is traditionally refered to as a daemon. But is actually a combination +of daemon and daemon manager processes. This has caused significant problems +integrating it with other third-party daemon managers.

+ +

The Squid process which places its PID into the squid.pid file has always +been the process to which control signals are sent. The manager process is +now taking on signal handling instead of the main daemon process. Enabling +integration with daemon managers such as Upstart or systemd which assume the +process they initiated is the daemon with a PID to control.

+ +

The squid binary now has a new --foreground command line option, +which (only) prevents daemonizing the master process. +Unlike the old -N option, +--foreground supports SMP workers and multi-process features. +--foreground is particularly useful for use with -z (disk +cache structures creation), as it allows the caller to wait until Squid has +finished.

+ +

The squid binary now accepts a --kid command line option which +informs the process which role it is to take on. This aids with debugging +SMP issues with specific process types and resolves some SMP forking issues.

+ + +

2.8 Initial GnuTLS support +

+ +

Squid can now be built to use GnuTLS in place of OpenSSL for the core +features of receiving TLS connections from clients and making TLS +connections to servers. The GnuTLS support is still very much experimental +and should be tested before use.

+ +

SSL-Bump and certificate generation features are not yet supported by +GnuTLS builds. Nor are many other less commonly used Squid TLS/SSL features.

+ +

squid.conf directives and configuration options which have undergone +name changes from 'ssl' to 'tls' prefix in Squid-4 have GnuTLS support, unless +explicitly stated otherwise.

+ +

Advanced configuration with specific selection of ciphers and similar settings +should still work, but needs the GnuTLS Priority Strings instead of +the OpenSSL options when using GnuTLS. +See +GnuTLS manual +for more details.

+ + +

2.9 ESI Custom Parser removal +

+ +

The Squid custom ESI (Edge Side Includes) parser has been removed in favour +of better supported and maintained third-party libraries. At least one of libxml2 +or libexpat is now mandatory to build support for the ESI response processor.

+ + +

3. Changes to squid.conf since Squid-3.5

+ +

There have been changes to Squid's configuration file since Squid-3.5.

+

This section gives a thorough account of those changes in three categories:

+

+

+

+ + +

3.1 New tags +

+ +

+

+
collapsed_forwarding_shared_entries_limit
+

New directive to limit the size of a table used for sharing information +about collapsible entries among SMP workers.

+ +
force_request_body_continuation
+

New directive to control Squid behaviour on the client connection when +receiving an HTTP request with an Expect:100-continue header.

+ +
hopeless_kid_revival_delay
+

New directive to set a cool-down delay reviving a child process if +the process is encountering frequent deaths.

+ +
on_unsupported_protocol
+

New directive to set the action performed when encountering strange +protocol requests at the beginning of an accepted TCP connection.

+ +
pconn_lifetime
+

New directive to limit the lifetime of persistent connections.

+ +
reply_header_add
+

New directive to add header fields to outgoing HTTP responses to +the client.

+ +
request_start_timeout
+

New directive controlling how long Squid waits for the first request +bytes to arrive after initial connection establishment by a client.

+ +
server_pconn_for_nonretriable
+

New directive to provide fine-grained control over persistent connection +reuse when forwarding HTTP requests that Squid cannot retry. It is useful +in environments where opening new connections is very expensive +and race conditions associated with persistent connections are very rare +and/or only cause minor problems.

+ +
shared_memory_locking
+

New directive to ensure shared memory is all available immediately +on startup. Protects against SIGBUS errors, but delays startup.

+ +
tls_outgoing_options
+

New directive to define TLS security context options for outgoing +connections. For example to HTTPS servers.

+ +
url_rewrite_timeout
+

Squid times active requests to redirector. This directive sets +the timeout value and the Squid reaction to a timed out +request.

+ +
+

+ +

3.2 Changes to existing tags +

+ +

+

+
access_log
+

TCP accept(2) errors logged with URI error:accept-client-connection.

+

Unused connections received in http_port or https_port +or transactions terminated before reading[parsing] request headers are +logged with URI error:transaction-end-before-headers.

+

New option rotate= to control the number of log file rotations +to make when -k rotate command is received. Default is to +obey the logfile_rotate directive.

+ +
acl
+

New -m flag for note ACL to match substrings.

+

New client_connection_mark type for matching Netfilter +CONNMARK of the client TCP connection.

+

New connections_encrypted type for matching transactions +where all HTTP messages were received over TLS transport connections, +including messages received from ICAP servers.

+

New has type for matching whether or not Squid is able to provide +certain sets of transaction state. For example HTTP reply headers.

+

New transaction_initiator type for detecting various +unusual transactions.

+

New --consensus, --client-requested and +--server-provided flags for the ssl::server_name +type to control which server name to match against.

+ +
auth_param
+

New parameter queue-size= to set the maximum number +of queued requests.

+

New parameter on-persistent-overload= to set the action taken +when the helper queue is overloaded.

+ +
cache_peer
+

New option auth-no-keytab to let GSSAPI implementation determine +which Kerberos credentials to use, instead of specifying a keytab.

+

Replaced option ssl with tls. Use of any +tls- prefixed options implies tls is enabled.

+

New option tls-min-version=1.N to set minimum TLS version allowed.

+

New option tls-default-ca replaces sslflags=NO_DEFAULT_CA

+

New option tls-no-npn to disable sending TLS NPN extension.

+

All ssloptions= values for SSLv2 configuration or disabling +have been removed.

+

Removed sslversion= option. Use tls-options= instead.

+

Manual squid.conf update may be required on upgrade.

+

Replaced option sslcafile= with tls-cafile= +which takes multiple entries.

+ +
deny_info
+

New format macro %O to expand the message= value supplied +by external ACL helpers.

+ +
ecap_service
+

New connection-encryption= option to determine ICAP service +effect on connections_encrypted ACL.

+ +
esi_parser
+

Removed custom parser option.

+

Changed default to auto-detect available parsers instead of custom.

+ +
external_acl_type
+

New parameter queue-size= to set the maximum number +of queued requests.

+

New parameter on-persistent-overload= to set the action taken +when the helper queue is overloaded.

+

Format field updated to accept any logformat %macro code.

+

The optional acl-value fields in this helper input now expand +to a dash ('-') if the %DATA macro is not specified explicitly.

+ +
http_port
+

New option tls-min-version=1.N to set minimum TLS version allowed.

+

New option tls-default-ca replaces sslflags=NO_DEFAULT_CA, +the default is also changed to OFF.

+

New option tls-no-npn to disable sending TLS NPN extension.

+

All option= values for SSLv2 configuration or disabling +have been removed.

+

Removed version= option. Use tls-options= instead.

+

Manual squid.conf update may be required on upgrade.

+

Replaced cafile= with tls-cafile= which takes multiple entries.

+

Changed default value of generate-host-certificates to ON.

+ +
https_port
+

New option tls-min-version=1.N to set minimum TLS version allowed.

+

New option tls-default-ca replaces sslflags=NO_DEFAULT_CA, +the default is also changed to OFF.

+

New option tls-no-npn to disable sending TLS NPN extension.

+

All options= values for SSLv2 +configuration or disabling have been removed.

+

Removed version= option. Use tls-options= instead.

+

Manual squid.conf update may be required on upgrade.

+

Replaced cafile= with tls-cafile= which takes multiple entries.

+

Changed default value of generate-host-certificates to ON.

+ +
icap_service
+

New scheme icaps:// to enable TLS/SSL connections to Secure ICAP +servers on port 11344.

+

New connection-encryption= option to determine ICAP service +effect on connections_encrypted ACL.

+

New tls-cert= option to set TLS client certificate to use.

+

New tls-key= option to set TLS private key matching the client +certificate used.

+

New tls-min-version=1.N option to set minimum TLS version allowed +on server connections.

+

New tls-options= option to set OpenSSL library parameters.

+

New tls-flags= option to set flags modifying Squid TLS operations.

+

New tls-cipher= option to set a list of ciphers permitted.

+

New tls-cafile= option to set a file with additional CA +certificate(s) to verify the server certificate.

+

New tls-capath= option to set a directory with additional CA +certificate(s) to verify the server certificate.

+

New tls-crlfile= option to set a file with a CRL to verify the +server certificate.

+

New tls-default-ca option to use the system Trusted CAs to +verify the server certificate.

+

New tls-domain= option to verify the server certificate domain.

+ +
logfile_daemon
+

Now only requires that helper binary exists when daemon: log module +is actually being used.

+ +
logformat
+

New quoting modifier to produce \-escaped output.

+

New code %ssl::<cert_errors to display server X.509 +certificate errors.

+

New code %ssl::<cert_issuer to display Issuer field of +the received server X.509 certificate.

+

New code %ssl::<cert_subject to display Subject field of +the received server X.509 certificate.

+

New code %ssl::>negotiated_version to display +negotiated TLS version of the client connection.

+

New code %ssl::<negotiated_version to display +negotiated TLS version of the last server or peer connection.

+

New code %ssl::>received_hello_version to display the +TLS version of the Hello message received from TLS client.

+

New code %ssl::<received_hello_version to display the +TLS version of the Hello message received from TLS server.

+

New code %ssl::>received_supported_version to display +the maximum TLS version supported by the TLS client.

+

New code %ssl::<received_supported_version to display +the maximum TLS version supported by the TLS server.

+

New code %ssl::>negotiated_cipher to display the +negotiated cipher of the client connection.

+

New code %ssl::<negotiated_cipher to display the +negotiated cipher of the last server or peer connection.

+

New code %>handshake to display initial octets +received on a client connection (Base64 encoded).

+

Fixed %<Hs, %<pt and %<tt +codes for received CONNECT errors.

+

Improved %<bs logging on forwarding retries.

+

Improved %<Hs, %<pt, %<tt, +%<bs logging on SslBump errors.

+ +
pid_filename
+

Default value now based on squid -n command line parameter.

+

This directive is no longer mandatory to edit for +multi-instance/tenant Squid installations.

+ +
refresh_pattern
+

Removed option ignore-auth. Its commonly desired behaviour +is performed by default with correct HTTP/1.1 revalidation.

+

Removed option ignore-must-revalidate. Other more HTTP compliant +directives (cache, store_miss) can be used to prevent +objects from caching.

+ +
sslcrtd_children
+

New parameter queue-size= to set the maximum number +of queued requests.

+

New parameter on-persistent-overload= to set the action taken +when the helper queue is overloaded.

+ +
sslcrtvalidator_children
+

New parameter queue-size= to set the maximum number +of queued requests.

+

New parameter on-persistent-overload= to set the action taken +when the helper queue is overloaded.

+ +
store_id_children
+

New parameter queue-size= to set the maximum number +of queued requests.

+

New parameter on-persistent-overload= to set the action taken +when the helper queue is overloaded.

+ +
url_rewrite_children
+

New parameter queue-size= to set the maximum number +of queued requests.

+

New parameter on-persistent-overload= to set the action taken +when the helper queue is overloaded.

+ +
+

+ +

3.3 Removed tags +

+ +

+

+
cache_peer_domain
+

Superceded by cache_peer_access. Use dstdomain ACL +in the access control list to restrict domains requested.

+ +
ie_refresh
+

Removed. MSIE 3.x, 4.x, 5.0 and 5.01 are no longer popular browsers.

+ +
sslproxy_cafile
+

Replaced by tls_outgoing_options cafile=. +Which now takes multiple entries.

+ +
sslproxy_capath
+

Replaced by tls_outgoing_options capath=.

+ +
sslproxy_cipher
+

Replaced by tls_outgoing_options cipher=.

+ +
sslproxy_client_certificate
+

Replaced by tls_outgoing_options cert=.

+ +
sslproxy_client_key
+

Replaced by tls_outgoing_options key=.

+ +
sslproxy_flags
+

Replaced by tls_outgoing_options flags=.

+ +
sslproxy_options
+

Replaced by tls_outgoing_options options=.

+

All values for SSLv2 configuration or disabling have been removed.

+

Manual squid.conf update may be required on upgrade.

+ +
sslproxy_version
+

Replaced by tls_outgoing_options options=.

+

All values for SSLv2 configuration or disabling have been removed.

+

Manual squid.conf update may be required on upgrade.

+ +
+

+ + +

4. Changes to ./configure options since Squid-3.5

+ +

There have been some changes to Squid's build configuration since Squid-3.5.

+

This section gives an account of those changes in three categories:

+

+

+

+ + +

4.1 New options +

+ +

+

+
--enable-security-cert-generators
+

New option to control which TLS/SSL dynamic certificate generator +helpers are built and installed.

+

Helper ssl_crtd has been renamed to security_file_certgen +and built with module name file. Requires --with-openssl.

+ +
--enable-security-cert-validators
+

New option to control which TLS/SSL certificate validation +helpers are built and installed.

+

One fake helper that does not actually perform any +certificate checks is provided for testing and as an example +for writing custom helpers.

+ +
--without-cppunit
+

The cppunit testing framework is auto-detected and used when available. +This option can be used to disable it explicitly.

+ +
+

+ +

4.2 Changes to existing options +

+ +

+

+
--enable-auth-basic
+

The MSNT-multi-domain helper has been removed.

+

The SMB LanMan helper SMB_LM is no longer built by default. +It needs to be explicitly listed to be built.

+ +
--enable-auth-ntlm
+

The SMB LanMan helper is now built using SMB_LM +(was lower case smb_lm).

+

The SMB LanMan helper SMB_LM is no longer built by default. +It needs to be explicitly listed to be built.

+ +
--enable-diskio
+

Auto-detection of SMP related modules has been fixed to +actually auto-detect them without configuring the module +list manually.

+ +
--enable-esi
+

Custom ESI parser has been removed. +Libxml2 or libexpat is now required to enable ESI processing.

+ +
+

+

4.3 Removed options +

+ +

+

+
--with-cppunit-basedir
+

Replaced by --with-cppunit=PATH. +Please prefer the default auto-detection though.

+ +
XSTD_USE_LIBLTDL
+

Removed. Use --with-included-ltdl instead.

+
+

+ + +

5. Regressions since Squid-2.7

+ +

Some squid.conf options which were available in Squid-2.7 are not yet available in Squid-4

+ +

If you need something to do then porting one of these from Squid-2 to Squid-3 is most welcome.

+ +

5.1 Missing squid.conf options available in Squid-2.7 +

+ +

+

+
broken_vary_encoding
+

Not yet ported from 2.6

+ +
cache_peer
+

monitorinterval= not yet ported from 2.6

+

monitorsize= not yet ported from 2.6

+

monitortimeout= not yet ported from 2.6

+

monitorurl= not yet ported from 2.6

+ +
cache_vary
+

Not yet ported from 2.6

+ +
error_map
+

Not yet ported from 2.6

+ +
external_refresh_check
+

Not yet ported from 2.7

+ +
location_rewrite_access
+

Not yet ported from 2.6

+ +
location_rewrite_children
+

Not yet ported from 2.6

+ +
location_rewrite_concurrency
+

Not yet ported from 2.6

+ +
location_rewrite_program
+

Not yet ported from 2.6

+ +
refresh_pattern
+

stale-while-revalidate= not yet ported from 2.7

+

ignore-stale-while-revalidate= not yet ported from 2.7

+

negative-ttl= not yet ported from 2.7

+ +
refresh_stale_hit
+

Not yet ported from 2.7

+ +
update_headers
+

Not yet ported from 2.7

+ +
+

+ +

6. Copyright

+ +

Copyright (C) 1996-2018 The Squid Software Foundation and contributors

+

Squid software is distributed under GPLv2+ license and includes +contributions from numerous individuals and organizations. +Please see the COPYING and CONTRIBUTORS files for details.

+ + + diff --git a/squid-4.5.tar.xz b/squid-4.5.tar.xz new file mode 100644 index 0000000..f554019 --- /dev/null +++ b/squid-4.5.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:553edf76d6ee9a1627af9c2be7be850c14cd6836170b3d6c1393fd700d44ccc5 +size 2437936 diff --git a/squid-4.5.tar.xz.asc b/squid-4.5.tar.xz.asc new file mode 100644 index 0000000..f8cc308 --- /dev/null +++ b/squid-4.5.tar.xz.asc @@ -0,0 +1,25 @@ +File: squid-4.5.tar.xz +Date: Tue Jan 1 05:12:50 UTC 2019 +Size: 2437936 +MD5 : 8275da5846f9f2243ad2625e5aef2ee0 +SHA1: 1249cf60f1ea2a0cd145f66a790d1e9e48333c51 +Key : CD6DBF8EF3B17D3E + B068 84ED B779 C89B 044E 64E3 CD6D BF8E F3B1 7D3E + keyring = http://www.squid-cache.org/pgp.asc + keyserver = pool.sks-keyservers.net +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEsGiE7bd5yJsETmTjzW2/jvOxfT4FAlwq9vIACgkQzW2/jvOx +fT5u8hAAnXV/L+XDTZXjxIYimN/4zKPVwG0lEbAg6uXQ0z/7+tH3G8kQ+DAXtxlz +my5MnJ0GvI98RhuIIR34wces/KLMYtcH8wTj5YzNRxLZu929eIm5IyV02Ve83FNd +uuU4Tea0H2qCPUKZrsdQX7fn9ZlVeSvu7/pRNmM1/V+Txnn0Jut+Xk1KxkTHtwr5 +5UjGm+sP9/ISpttosY5FcYEdIrOB9PlqLI6umt9L+mdAOnnhIN2YgXX167PzSZqv +O+3VRUKGEFXi31krvWE+gL46tnHpV75A9Ccy52yNKCkdfVbRelJijnk7WYj/32GC +jWOzkjJh235CoIwiVt0xQshnrVs3EbiEWgu2XLBbGmWAyc4eJerPxwR8MQR6hnWf +tGB+RyzQ+7rGBTCupKuk1k75tHOqPxcPN6N2Pw+l+A34yAyu721Bnt76AqQVYPQH +wKwK5BGQF5t1llW8I5C7CAO5Kn/mtF5ZbkhjTsqy+BvqVPAeMVbCCgGro694vWKG +YOX2MqXwVaA/LE+Y8cWRYIVfyl3ABpP98JZU9HAzC9D+AIwLFUI6EaVrwcKfDU1j +GRSBJsG6N0Z/MvdQdlU3xqAWvyKI+HRLKxRP+9DK2DkRX8RVsODhZ2txsjpCxh3t +mYICqcuahPuPSUvR6m+wfLDsniQ93Fdzzv6YC34f/9LPdnj4DrM= +=aK8J +-----END PGP SIGNATURE----- diff --git a/squid.changes b/squid.changes index 0c8509a..8dc0539 100644 --- a/squid.changes +++ b/squid.changes 
@@ -1,3 +1,18 @@ +------------------------------------------------------------------- +Wed Jan 02 05:45:03 UTC 2019 - sean@suspend.net + +- Update to squid 4.5: + + Squid crashes when ICAPS and a sslcrtvalidator used together (#328) + + ssl_bump prevents from accessing some web contents (#304) + + Docs: improved lexgrog compatibility (#340) + + Redesign forward_max_tries count TCP connection attempts + + Fix client_connection_mark ACL handling of clientless transactions + + Fix netdb exchange with a TLS cache peer + + Update netdb when tunneling requests + + Use pkg-config for detecting libxml2 + + Misc doc updates + + Misc code compile fixes + ------------------------------------------------------------------- Fri Nov 9 13:13:37 UTC 2018 - adam.majer@suse.de diff --git a/squid.spec b/squid.spec index 566e67a..a6bf63f 100644 --- a/squid.spec +++ b/squid.spec @@ -1,7 +1,7 @@ # # spec file for package squid # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,14 +12,14 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # %define squidlibdir %{_libdir}/squid %define squidconfdir %{_sysconfdir}/squid Name: squid -Version: 4.4 +Version: 4.5 Release: 0 Summary: Caching and forwarding HTTP web proxy License: GPL-2.0-or-later From b292dfd12d03b5b87ce40156b3a79d5a0ba4dc0043a2f9e0ad5c9b269b4cab64 Mon Sep 17 00:00:00 2001 
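Review bot: squid-4.5-RELEASENOTES.html should not be part of this commit. It is added as a 740-line new file (blob 7ae578d), none of the visible squid.spec hunks reference it (they touch only the copyright year, the bug-report URL and Version), and [PATCH 2/2] deletes the same blob again. Drop the file here so the series reduces to the tarball pointer, the signature, squid.changes and squid.spec, and the add-then-delete pair never enters the package history.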
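Review bot: the new squid-4.5.tar.xz.asc carries only MD5 and SHA1 digests next to the PGP signature, so the integrity of the 4.5 tarball rests on the signature alone, and nothing in the visible spec hunks shows that signature being checked. The Size field (2437936) matches the size in the new squid-4.5.tar.xz LFS pointer and the Key line (CD6DBF8EF3B17D3E) is the same as in the removed 4.4 signature, which is consistent; please confirm in the request that the signature was verified against the keyring already shipped with the package rather than a freshly fetched one.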
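Review bot: in the new squid.changes entry the bare ids "(#328)", "(#304)" and "(#340)" do not say which tracker they belong to, and a reader of a .changes file cannot tell them apart from distribution bug numbers. Name the tracker once or give the full reference. Two smaller points in the same entry: "Redesign forward_max_tries count TCP connection attempts" is missing a word (presumably "to count"), and the date "Wed Jan 02" is zero-padded where the previous entry uses "Fri Nov 9".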
From: Martin Pluskal Date: Wed, 2 Jan 2019 08:44:24 +0000 Subject: [PATCH 2/2] OBS-URL: https://build.opensuse.org/package/show/server:proxy/squid?expand=0&rev=176 --- squid-4.5-RELEASENOTES.html | 740 ------------------------------------ 1 file changed, 740 deletions(-) delete mode 100644 squid-4.5-RELEASENOTES.html diff --git a/squid-4.5-RELEASENOTES.html b/squid-4.5-RELEASENOTES.html deleted file mode 100644 index 7ae578d..0000000 --- a/squid-4.5-RELEASENOTES.html +++ /dev/null @@ -1,740 +0,0 @@ - - - - - Squid 4.5 release notes - - -

Squid 4.5 release notes

- -

Squid Developers

-
-This document contains the release notes for version 4 of Squid. -Squid is a WWW Cache application developed by the National Laboratory -for Applied Network Research and members of the Web Caching community. -
-

-

1. Notice

- - -

-

2. Major new features since Squid-3.5

- - -

-

3. Changes to squid.conf since Squid-3.5

- - -

-

4. Changes to ./configure options since Squid-3.5

- - -

-

5. Regressions since Squid-2.7

- - -

-

6. Copyright

- - -
-

1. Notice

- -

The Squid Team are pleased to announce the release of Squid-4.5 for testing.

-

This new release is available for download from -http://www.squid-cache.org/Versions/v4/ or the -mirrors.

- -

We welcome feedback and bug reports. If you find a bug, please see -http://wiki.squid-cache.org/SquidFaq/BugReporting -for how to submit a report with a stack trace.

- -

1.1 Known issues -

- -

Although this release is deemed good enough for use in production, please note the existence of -open bugs against Squid-4.

- -

This release adds a dependency on C++11 support in any compiler used to build Squid. -As a result older C++03 -only and most C++0x compilers will no longer build successfully. -GCC 4.9+ and Clang 3.5+ are known to have working C++11 support and are usable. -GCC-4.8 will also build for now despite lack of full C++11 support, but some future features may not be available.

- -

This release does not support LibreSSL. -Due to a bug in the way LibreSSL uses the OpenSSL version macro some changes -necessary to support OpenSSL 1.1 prevent building with LibreSSL.

- - -

1.2 Changes since earlier releases of Squid-4 -

- -

The Squid-4 change history can be -viewed here.

- - -

2. Major new features since Squid-3.5

- -

Squid 4 represents a new feature release above 3.5.

- -

The most important of these new features are: -

    -
  • Configurable helper queue size
  • -
  • Helper concurrency channels changes
  • -
  • SSL support removal
  • -
  • Helper Binary Changes
  • -
  • Secure ICAP
  • -
  • Improved SMP support
  • -
  • Improved process management
  • -
  • Initial GnuTLS support
  • -
  • ESI Custom Parser removal
  • -
-

-

Most user-facing changes are reflected in squid.conf (see below).

- - -

2.1 Configurable helper queue size -

- -

The new queue-size=N option to helpers configuration, allows users -to configure the maximum number of queued requests to busy helpers.

- -

2.2 Helper concurrency channels changes -

- -

helper-mux.pl we have been distributing for the past few years to -encourage use of concurrency is no longer compatible with Squid. If -used it will spawn up to 2^64 helpers and DoS the Squid server.

- -

Helpers utilizing arrays to handle fixed amounts of concurrency -channels MUST be re-written to use queues and capable of handling a -64-bit int as index or they will be vulnerable to buffer overrun and -arbitrary memory accesses.

- -

32-bit helpers need re-writing to handle the concurrency channel ID -as a 64-bit integer value. If not updated they will cause proxies to -return unexpected results or timeout once crossing the 32-bit wrap -boundary. Leading to undefined behaviour in the client HTTP traffic.

- - -

2.3 SSL support removal -

- -

Details in -RFC 6176 -and -RFC 7568

- -

SSLv2 is not fit for purpose. Squid no longer supports being configured with -any settings regarding this protocol. That includes settings manually disabling -its use since it is now forced to disable by default. Also settings enabling -various client/server workarounds specific to SSLv2 are removed.

- -

SSLv3 is not fit for purpose. Squid still accepts configuration, but use -is deprecated and will be removed entirely in a future version. -Squid default behavour is to follow the TLS built in negotiation mechanism -which prefers the latest TLS version. But also to accept downgrades to SSLv3. -Use tls-options=NO_SSLv3 to disable SSLv3 support completely.

- -

A new option tls-min-version=1.N is added in place of sslversion= -to configure the minimum version the TLS negotiation will allow to be used -when an old TLS version is requested by the remote endpoint.

- -

The system Trusted CAs are no longer used by default when verifying client -certificates. The cafile= option should be used instead to -explicitly load the specific CA which signed acceptible client certificates, -even if that CA is one of the system Trusted CAs. -The tls-default-ca option can be used to restore the old -behaviour if needed.

- - -

2.4 Helper Binary Changes -

- -

The basic_msnt_multi_domain_auth helper has been removed. The -basic_smb_lm_auth helper performs the same actions without extra -Perl and Samba dependencies.

- -

The cert_valid.pl testing helper has been renamed to -security_fake_certverify, reflecting the Squid helper naming schema -and that it does not actually perform any certificate checks.

- -

The security_fake_certverify helper is also now built and installed -by default. It is written in Perl so does not require OpenSSL dependencies -for installation. But does use the Perl Crypt::OpenSSL::X509 module for execution. -Building the helper can be controlled using the --enable-security-cert-validators="fake" -option.

- -

The ssl_crtd helper has been renamed to security_file_certgen -and is now built and installed by default whenever OpenSSL support is enabled. -Building the helper can be controlled using the --enable-security-cert-generators="file" -option.

- -

NOTE: The --enable-ssl-crtd option is still required to enable the -sslcrtd_program helper interface within Squid that uses the helper.

- -

The ntlm_smb_lm_auth helper is now built using --enable-auth-ntlm="SMB_LM". -Notice the upper case where it was previously a (wrongly) lower cased acronym.

- - -

2.5 Secure ICAP -

- -

ICAP services can now be used over TLS connections.

- -

To mark an ICAP service as secure, use an icaps:// service URI scheme when -listing your service via an icap_service directive. The industry is using a -Secure ICAP term, and Squid follows that convention, but icaps seems more -appropriate for a scheme name.

- -

Squid uses port 11344 for Secure ICAP by default, following another popular -proxy convention. The old 1344 default for plain ICAP ports has not changed.

- - -

2.6 Improved SMP support -

- -

Use of C++11 atomic operations instead of GNU atomics allows a wider range of -operating systems and compilers to build Squid SMP and multi-process features. -However this does require a C++11 compiler with a recent version of the C++ -standard library.

- -

IpcIo and Mmapped disk I/O modules are now auto-detected properly which -enables Rock storage on more systems by default than previously.

- - -

2.7 Improved process management -

- -

Squid is traditionally refered to as a daemon. But is actually a combination -of daemon and daemon manager processes. This has caused significant problems -integrating it with other third-party daemon managers.

- -

The Squid process which places its PID into the squid.pid file has always -been the process to which control signals are sent. The manager process is -now taking on signal handling instead of the main daemon process. Enabling -integration with daemon managers such as Upstart or systemd which assume the -process they initiated is the daemon with a PID to control.

- -

The squid binary now has a new --foreground command line option, -which (only) prevents daemonizing the master process. -Unlike the old -N option, ---foreground supports SMP workers and multi-process features. ---foreground is particularly useful for use with -z (disk -cache structures creation), as it allows the caller to wait until Squid has -finished.

- -

The squid binary now accepts a --kid command line option which -informs the process which role it is to take on. This aids with debugging -SMP issues with specific process types and resolves some SMP forking issues.

- - -

2.8 Initial GnuTLS support -

- -

Squid can now be built to use GnuTLS in place of OpenSSL for the core -features of receiving TLS connections from clients and making TLS -connections to servers. The GnuTLS support is still very much experimental -and should be tested before use.

- -

SSL-Bump and certificate generation features are not yet supported by -GnuTLS builds. Nor are many other less commonly used Squid TLS/SSL features.

- -

squid.conf directives and configuration options which have undergone -name changes from 'ssl' to 'tls' prefix in Squid-4 have GnuTLS support, unless -explicitly stated otherwise.

- -

Advanced configuration with specific selection of ciphers and similar settings -should still work, but needs the GnuTLS Priority Strings instead of -the OpenSSL options when using GnuTLS. -See -GnuTLS manual -for more details.

- - -

2.9 ESI Custom Parser removal -

- -

The Squid custom ESI (Edge Side Includes) parser has been removed in favour -of better supported and maintained third-party libraries. At least one of libxml2 -or libexpat is now mandatory to build support for the ESI response processor.

- - -

3. Changes to squid.conf since Squid-3.5

- -

There have been changes to Squid's configuration file since Squid-3.5.

-

This section gives a thorough account of those changes in three categories:

-

-

-

- - -

3.1 New tags -

- -

-

-
collapsed_forwarding_shared_entries_limit
-

New directive to limit the size of a table used for sharing information -about collapsible entries among SMP workers.

- -
force_request_body_continuation
-

New directive to control Squid behaviour on the client connection when -receiving an HTTP request with an Expect:100-continue header.

- -
hopeless_kid_revival_delay
-

New directive to set a cool-down delay reviving a child process if -the process is encountering frequent deaths.

- -
on_unsupported_protocol
-

New directive to set the action performed when encountering strange -protocol requests at the beginning of an accepted TCP connection.

- -
pconn_lifetime
-

New directive to limit the lifetime of persistent connections.

- -
reply_header_add
-

New directive to add header fields to outgoing HTTP responses to -the client.

- -
request_start_timeout
-

New directive controlling how long Squid waits for the first request -bytes to arrive after initial connection establishment by a client.

- -
server_pconn_for_nonretriable
-

New directive to provide fine-grained control over persistent connection -reuse when forwarding HTTP requests that Squid cannot retry. It is useful -in environments where opening new connections is very expensive -and race conditions associated with persistent connections are very rare -and/or only cause minor problems.

- -
shared_memory_locking
-

New directive to ensure shared memory is all available immediately -on startup. Protects against SIGBUS errors, but delays startup.

- -
tls_outgoing_options
-

New directive to define TLS security context options for outgoing -connections. For example to HTTPS servers.

- -
url_rewrite_timeout
-

Squid times active requests to redirector. This directive sets -the timeout value and the Squid reaction to a timed out -request.

- -
-

- -

3.2 Changes to existing tags -

- -

-

-
access_log
-

TCP accept(2) errors logged with URI error:accept-client-connection.

-

Unused connections received in http_port or https_port -or transactions terminated before reading[parsing] request headers are -logged with URI error:transaction-end-before-headers.

-

New option rotate= to control the number of log file rotations -to make when -k rotate command is received. Default is to -obey the logfile_rotate directive.

- -
acl
-

New -m flag for note ACL to match substrings.

-

New client_connection_mark type for matching Netfilter -CONNMARK of the client TCP connection.

-

New connections_encrypted type for matching transactions -where all HTTP messages were received over TLS transport connections, -including messages received from ICAP servers.

-

New has type for matching whether or not Squid is able to provide -certain sets of transaction state. For example HTTP reply headers.

-

New transaction_initiator type for detecting various -unusual transactions.

-

New --consensus, --client-requested and ---server-provided flags for the ssl::server_name -type to control which server name to match against.

- -
auth_param
-

New parameter queue-size= to set the maximum number -of queued requests.

-

New parameter on-persistent-overload= to set the action taken -when the helper queue is overloaded.

- -
cache_peer
-

New option auth-no-keytab to let GSSAPI implementation determine -which Kerberos credentials to use, instead of specifying a keytab.

-

Replaced option ssl with tls. Use of any -tls- prefixed options implies tls is enabled.

-

New option tls-min-version=1.N to set minimum TLS version allowed.

-

New option tls-default-ca replaces sslflags=NO_DEFAULT_CA

-

New option tls-no-npn to disable sending TLS NPN extension.

-

All ssloptions= values for SSLv2 configuration or disabling -have been removed.

-

Removed sslversion= option. Use tls-options= instead.

-

Manual squid.conf update may be required on upgrade.

-

Replaced option sslcafile= with tls-cafile= -which takes multiple entries.

- -
deny_info
-

New format macro %O to expand the message= value supplied -by external ACL helpers.

- -
ecap_service
-

New connection-encryption= option to determine ICAP service -effect on connections_encrypted ACL.

- -
esi_parser
-

Removed custom parser option.

-

Changed default to auto-detect available parsers instead of custom.

- -
external_acl_type
-

New parameter queue-size= to set the maximum number -of queued requests.

-

New parameter on-persistent-overload= to set the action taken -when the helper queue is overloaded.

-

Format field updated to accept any logformat %macro code.

-

The optional acl-value fields in this helper input now expand -to a dash ('-') if the %DATA macro is not specified explicitly.

- -
http_port
-

New option tls-min-version=1.N to set minimum TLS version allowed.

-

New option tls-default-ca replaces sslflags=NO_DEFAULT_CA, -the default is also changed to OFF.

-

New option tls-no-npn to disable sending TLS NPN extension.

-

All option= values for SSLv2 configuration or disabling -have been removed.

-

Removed version= option. Use tls-options= instead.

-

Manual squid.conf update may be required on upgrade.

-

Replaced cafile= with tls-cafile= which takes multiple entries.

-

Changed default value of generate-host-certificates to ON.

- -
https_port
-

New option tls-min-version=1.N to set minimum TLS version allowed.

-

New option tls-default-ca replaces sslflags=NO_DEFAULT_CA, -the default is also changed to OFF.

-

New option tls-no-npn to disable sending TLS NPN extension.

-

All options= values for SSLv2 -configuration or disabling have been removed.

-

Removed version= option. Use tls-options= instead.

-

Manual squid.conf update may be required on upgrade.

-

Replaced cafile= with tls-cafile= which takes multiple entries.

-

Changed default value of generate-host-certificates to ON.

- -
icap_service
-

New scheme icaps:// to enable TLS/SSL connections to Secure ICAP -servers on port 11344.

-

New connection-encryption= option to determine ICAP service -effect on connections_encrypted ACL.

-

New tls-cert= option to set TLS client certificate to use.

-

New tls-key= option to set TLS private key matching the client -certificate used.

-

New tls-min-version=1.N option to set minimum TLS version allowed -on server connections.

-

New tls-options= option to set OpenSSL library parameters.

-

New tls-flags= option to set flags modifying Squid TLS operations.

-

New tls-cipher= option to set a list of ciphers permitted.

-

New tls-cafile= option to set a file with additional CA -certificate(s) to verify the server certificate.

-

New tls-capath= option to set a directory with additional CA -certificate(s) to verify the server certificate.

-

New tls-crlfile= option to set a file with a CRL to verify the -server certificate.

-

New tls-default-ca option to use the system Trusted CAs to -verify the server certificate.

-

New tls-domain= option to verify the server certificate domain.

- -
logfile_daemon
-

Now only requires that helper binary exists when daemon: log module -is actually being used.

- -
logformat
-

New quoting modifier to produce \-escaped output.

-

New code %ssl::<cert_errors to display server X.509 -certificate errors.

-

New code %ssl::<cert_issuer to display Issuer field of -the received server X.509 certificate.

-

New code %ssl::<cert_subject to display Subject field of -the received server X.509 certificate.

-

New code %ssl::>negotiated_version to display -negotiated TLS version of the client connection.

-

New code %ssl::<negotiated_version to display -negotiated TLS version of the last server or peer connection.

-

New code %ssl::>received_hello_version to display the -TLS version of the Hello message received from TLS client.

-

New code %ssl::<received_hello_version to display the -TLS version of the Hello message received from TLS server.

-

New code %ssl::>received_supported_version to display -the maximum TLS version supported by the TLS client.

-

New code %ssl::<received_supported_version to display -the maximum TLS version supported by the TLS server.

-

New code %ssl::>negotiated_cipher to display the -negotiated cipher of the client connection.

-

New code %ssl::<negotiated_cipher to display the -negotiated cipher of the last server or peer connection.

-

New code %>handshake to display initial octets -received on a client connection (Base64 encoded).

-

Fixed %<Hs, %<pt and %<tt -codes for received CONNECT errors.

-

Improved %<bs logging on forwarding retries.

-

Improved %<Hs, %<pt, %<tt, -%<bs logging on SslBump errors.

- -
pid_filename
-

Default value now based on squid -n command line parameter.

-

This directive is no longer mandatory to edit for -multi-instance/tenant Squid installations.

- -
refresh_pattern
-

Removed option ignore-auth. Its commonly desired behaviour -is performed by default with correct HTTP/1.1 revalidation.

-

Removed option ignore-must-revalidate. Other more HTTP compliant -directives (cache, store_miss) can be used to prevent -objects from caching.

- -
sslcrtd_children
-

New parameter queue-size= to set the maximum number -of queued requests.

-

New parameter on-persistent-overload= to set the action taken -when the helper queue is overloaded.

- -
sslcrtvalidator_children
-

New parameter queue-size= to set the maximum number -of queued requests.

-

New parameter on-persistent-overload= to set the action taken -when the helper queue is overloaded.

- -
store_id_children
-

New parameter queue-size= to set the maximum number -of queued requests.

-

New parameter on-persistent-overload= to set the action taken -when the helper queue is overloaded.

- -
url_rewrite_children
-

New parameter queue-size= to set the maximum number -of queued requests.

-

New parameter on-persistent-overload= to set the action taken -when the helper queue is overloaded.

- -
-

- -

3.3 Removed tags -

- -

-

-
cache_peer_domain
-

Superceded by cache_peer_access. Use dstdomain ACL -in the access control list to restrict domains requested.

- -
ie_refresh
-

Removed. MSIE 3.x, 4.x, 5.0 and 5.01 are no longer popular browsers.

- -
sslproxy_cafile
-

Replaced by tls_outgoing_options cafile=. -Which now takes multiple entries.

- -
sslproxy_capath
-

Replaced by tls_outgoing_options capath=.

- -
sslproxy_cipher
-

Replaced by tls_outgoing_options cipher=.

- -
sslproxy_client_certificate
-

Replaced by tls_outgoing_options cert=.

- -
sslproxy_client_key
-

Replaced by tls_outgoing_options key=.

- -
sslproxy_flags
-

Replaced by tls_outgoing_options flags=.

- -
sslproxy_options
-

Replaced by tls_outgoing_options options=.

-

All values for SSLv2 configuration or disabling have been removed.

-

Manual squid.conf update may be required on upgrade.

- -
sslproxy_version
-

Replaced by tls_outgoing_options options=.

-

All values for SSLv2 configuration or disabling have been removed.

-

Manual squid.conf update may be required on upgrade.

- -
-

- - -

4. Changes to ./configure options since Squid-3.5

- -

There have been some changes to Squid's build configuration since Squid-3.5.

-

This section gives an account of those changes in three categories:

-

-

-

- - -

4.1 New options -

- -

-

-
--enable-security-cert-generators
-

New option to control which TLS/SSL dynamic certificate generator -helpers are built and installed.

-

Helper ssl_crtd has been renamed to security_file_certgen -and built with module name file. Requires --with-openssl.

- -
--enable-security-cert-validators
-

New option to control which TLS/SSL certificate validation -helpers are built and installed.

-

One fake helper that does not actually perform any -certificate checks is provided for testing and as an example -for writing custom helpers.

- -
--without-cppunit
-

The cppunit testing framework is auto-detected and used when available. -This option can be used to disable it explicitly.

- -
-

- -

4.2 Changes to existing options -

- -

-

-
--enable-auth-basic
-

The MSNT-multi-domain helper has been removed.

-

The SMB LanMan helper SMB_LM is no longer built by default. -It needs to be explicitly listed to be built.

- -
--enable-auth-ntlm
-

The SMB LanMan helper is now built using SMB_LM -(was lower case smb_lm).

-

The SMB LanMan helper SMB_LM is no longer built by default. -It needs to be explicitly listed to be built.

- -
--enable-diskio
-

Auto-detection of SMP related modules has been fixed to -actually auto-detect them without configuring the module -list manually.

- -
--enable-esi
-

Custom ESI parser has been removed. -Libxml2 or libexpat is now required to enable ESI processing.

- -
-

-

4.3 Removed options -

- -

-

-
--with-cppunit-basedir
-

Replaced by --with-cppunit=PATH. -Please prefer the default auto-detection though.

- -
XSTD_USE_LIBLTDL
-

Removed. Use --with-included-ltdl instead.

-
-

- - -

5. Regressions since Squid-2.7

- -

Some squid.conf options which were available in Squid-2.7 are not yet available in Squid-4

- -

If you need something to do then porting one of these from Squid-2 to Squid-3 is most welcome.

- -

5.1 Missing squid.conf options available in Squid-2.7 -

- -

-

-
broken_vary_encoding
-

Not yet ported from 2.6

- -
cache_peer
-

monitorinterval= not yet ported from 2.6

-

monitorsize= not yet ported from 2.6

-

monitortimeout= not yet ported from 2.6

-

monitorurl= not yet ported from 2.6

- -
cache_vary
-

Not yet ported from 2.6

- -
error_map
-

Not yet ported from 2.6

- -
external_refresh_check
-

Not yet ported from 2.7

- -
location_rewrite_access
-

Not yet ported from 2.6

- -
location_rewrite_children
-

Not yet ported from 2.6

- -
location_rewrite_concurrency
-

Not yet ported from 2.6

- -
location_rewrite_program
-

Not yet ported from 2.6

- -
refresh_pattern
-

stale-while-revalidate= not yet ported from 2.7

-

ignore-stale-while-revalidate= not yet ported from 2.7

-

negative-ttl= not yet ported from 2.7

- -
refresh_stale_hit
-

Not yet ported from 2.7

- -
update_headers
-

Not yet ported from 2.7

- -
-

- -

6. Copyright

- -

Copyright (C) 1996-2018 The Squid Software Foundation and contributors

-

Squid software is distributed under GPLv2+ license and includes -contributions from numerous individuals and organizations. -Please see the COPYING and CONTRIBUTORS files for details.

- - -
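Review bot: the commit message for this deletion is only an OBS-URL and gives no reason for removing squid-4.5-RELEASENOTES.html, the same 740-line file (index 7ae578d) that PATCH 1/2 of this series added. Either state why the file is dropped, or leave it out of 1/2 so the series does not add and then delete it. The removed notes are also the only place in this series that spells out upgrade-relevant behaviour changes, for example "The system Trusted CAs are no longer used by default when verifying client certificates", the removal of sslversion= in favour of tls-min-version=1.N and tls-options=, and that helper-mux.pl "is no longer compatible with Squid". If the file is not going to be packaged, the squid.changes entry should say where administrators can find these notes before upgrading.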