diff --git a/RELEASENOTES.html b/RELEASENOTES.html index 61e03c9..c5b35ab 100644 --- a/RELEASENOTES.html +++ b/RELEASENOTES.html @@ -2,14 +2,14 @@
--
-
-
The Squid Team are pleased to announce the release of Squid-3.3.11.
+The Squid Team are pleased to announce the release of Squid-3.4.2 for testing.
This new release is available for download from -http://www.squid-cache.org/Versions/v3/3.3/ or the +http://www.squid-cache.org/Versions/v3/3.4/ or the mirrors.
- -A large number of the design flaws in SSL-Bump feature have been fixed along with general improvements all around. -While this release is not fully bug-free we believe it is ready for use in production on many systems.
- +While this release is not deemed ready for production use, we believe it is ready for wider testing by the community.
We welcome feedback and bug reports. If you find a bug, please see http://wiki.squid-cache.org/SquidFaq/BugReporting for how to submit a report with a stack trace.
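Review bot: the added sentence "While this release is not deemed ready for production use, we believe it is ready for wider testing by the community" conflicts with the unchanged "Although this release is deemed good enough for use in many setups" sentence that opens the next hunk; one readiness statement should be chosen for 3.4.2 and the other adjusted so the notes do not tell operators both that the release is and is not fit for production. The removed 3.3.11 paragraph about SSL-Bump design flaws being fixed has no 3.4 counterpart here, so if that work carried into 3.4.2 it should be restated rather than dropped.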
@@ -72,162 +70,210 @@ for how to submit a report with a stack trace.Although this release is deemed good enough for use in many setups, please note the existence of -open bugs against Squid-3.3.
+open bugs against Squid-3.4. - -The 3.3 change history can be -viewed here.
+The 3.4 change history can be +viewed here.
-Squid 3.3 represents a new feature release above 3.2.
+Squid 3.4 represents a new feature release above 3.3.
The most important of these new features are:
Most user-facing changes are reflected in squid.conf (see below).
-log_db_daemon - Database logging daemon for Squid
- -This program writes Squid access.log entries to an SQL database. -Written in Perl it can utilize any database supported by the Perl -database abstraction layer.
- -NOTE: Presently it only accepts the Squid native log format.
- - -ext_time_quota_acl - Time quota external ACL helper.
- -Allows an administrator to define time budgets (quota) for the -users of Squid to limit the time using Squid.
- -This is useful for corporate lunch time allocations, wifi portal -pay-per-minute installations or for parental control of children.
- -The administrator can define a time budget (e.g. 1 hour per day) -which is enforced through this helper using session estimations -of their browsing time. A 'pause' threshold is given in seconds -and defines the period between two requests to be treated as part -of the same session. Pauses shorter than this value will be -counted against the quota, longer ones ignored.
- - -Details at -http://wiki.squid-cache.org/Features/BumpSslServerFirst.
+http://wiki.squid-cache.org/Features/AddonHelpers. -When an intercepted connection is received, Squid first connects -to the server using SSL and receives the server certificate. -Squid then uses the host name inside the true server certificate -to generate a fake one and impersonates the server while still -using the already established secure connection to the server.
+The Squid helper protocol used to communicate with authenticators, +URL-rewriters, Redirectors, and External ACL helpers has been updated +and extended.
-Bumping server first is essentially required for handling -intercepted HTTPS connections but the same scheme should be used -for most HTTP CONNECT requests because it offers a few advantages -compared to the old bump-client-first approach:
+BH status code is now accepted from all helpers to report +internal error events separate from ERR rejection code. +Permitting Squid to perform recovery operations specific to +helper failure instead of a blanket client rejection.
+ +Arbitrary key-value pairs can be returned from any helper. +Allowing future helpers to be forward- and backward- compatible +with this and future versions of Squid.
+ + +Details at +http://wiki.squid-cache.org/Features/SslServerCertValidator.
+ +The helper consulted after the internal OpenSSL validation, regardless of the +validation results. The helper will receive:
If the helper decides to honor an OpenSSL error or report another validation +error(s), the helper will return:
++
The returned information mimics what the internal OpenSSL-based validation code +collects now. Returned errors, if any, are fed to sslproxy_cert_error, +triggering the existing SSL error processing code.
+ +The helper invocation controlled by the sslcrtvalidator_program and +sslcrtvalidator_children configurations options which are similar to the +ssl_crtd related options.
+ + +Details at -http://wiki.squid-cache.org/Features/MimicSslServerCert.
+http://wiki.squid-cache.org/Features/StoreID. -One of the SslBump features serious drawbacks is the loss of -information embedded in SSL server certificate. -This certificate mimic feature passes original SSL server -certificate information to the user. Allowing the user to -make an informed decision on whether to trust the server -certificate.
+This feature is a redesigned equivalent to the Squid-2.7 feature known as StoreURL-rewrite.
+ +Notice that this is not a direct portage of the Squid-2.7 feature so behaviour +differences do exist. Although the new feature works in similar enough ways that the old +helper scripts used for Squid-2.7 are expected to work in this and later versions of Squid.
+ +Squid traditionally uses the requested URL as an index key ID to locate objects in cache. +It is not the only key possible and the Store-ID feature exposes an API for external +helpers to provide Squid with an alternative key name for any URL.
+ +When any client request is received which requires a cache lookup the URL is passed to +a helper specified with the store_id_program directive to check for an alternative +Store ID. This allows the helper to identify URLs which refer to duplicate resources and +de-duplicate the cache content. store_id_access is provided to allow ACL-based +tuning of which traffic gets sent to the helper and reduce overheads.
+ +One subtle and noteworthy difference between Squid-2 and Squid-3 which is highlighted by +this feature is that refresh_pattern applies its regex argument against the Store +ID key and not the transaction URL. So using the Store-ID feature to alter the value +affects which refresh_pattern directive will be matched.
+ +Store-ID helpers bundled with Squid can be built with the --enable-storeid-rewrite-helpers +option which is added in this version. Currently there is a file helper +provided.
-The request_header_add option is added to insert -HTTP header fields to outgoing HTTP requests (i.e., -request headers sent by Squid to the next HTTP hop such as a -cache peer or an origin server). The option has no effect on -cache hit traffic or requests serviced by Squid and ICAP.
+Details at +http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf.
-WARNING: If a standard HTTP header name is used, Squid does not check whether -the new header conflicts with any existing headers or violates -HTTP rules. If the request to be modified already contains a -field with the same name, the old field is preserved but the -header field values are not merged.
+The Packet Filter (PF) firewall in OpenBSD 4.4 and later offers traffic interception +using several very simple methods. One of which is the divert-to rule type +which acts as a simple routing diversion instead of performing NAT packet alterations.
-Field-value set can be either a token or a quoted string. If quoted -string format is used, then the surrounding quotes are removed -while escape sequences and %macros are processed.
+The IP Firewall (IPFW) on FreeBSD 9+ contains a port of the Linux Netfilter TPROXY feature.
-In theory, all of the logformat codes can be used as %macros. -However, unlike logging (which happens at the very end of -transaction lifetime), the transaction may not yet have enough -information to expand a macro when the new header value is needed. -And some information may already be available to Squid but not yet -committed where the macro expansion code can access it (please report -such instances!). The macro will be expanded into a single dash -('-') in such cases. Not all macros have been tested.
+This version of Squid adds support for these features through the ./configure +options --enable-pf-transparent and --enable-ipfw-transparent when Squid is built on +systems with the required support. No special extras are required to enable +http_port ... tproxy configuration to work.
-One or more Squid ACLs may be specified to restrict header -injection to matching requests. As always in squid.conf, all -ACLs in an option ACL list must be satisfied for the insertion -to happen. The request_header_add option supports fast ACLs only.
+NOTE: To resolve NAT lookup issues on recent PF firewall versions the code behind +./configure --enable-pf-transparent has been altered and is expected to +break on the version of PF firewall shipped with BSD systems such as NetBSD and FreeBSD +which do not yet support the getsockname() API. +These systems require --with-nat-devpf to enable /dev/pf support when using PF firewall.
-There have been changes to Squid's configuration file since Squid-3.2.
+Previously the only annotation methods available were ICAP/eCAP HTTP header insertions +or external ACL tag= result code. Each of which had only limited possibilities +for use and little or no correlation.
+ +It is now possible to add annotations to a client transaction from several sources: +
Annotations on the transaction can be passed to ICAP services or eCAP modules using the +adaptation_meta directive to send them as headers. +They can also be logged using the %note log format code in custom logs. With +the new helper response syntax changes this means all helper response key=value details +such as URL-rewrite or store-id changes, external ACL tag etc. are now able to be logged.
+ +Annotations which are already assigned to a transaction can be checked using an ACL test +of the new note ACL type. This can match a particular note by name and value, +of for any notes with a given name.
+ +NOTE: not all helper interfaces are yet enabled to convert key=value into annotations +and the external ACL interface does not yet send annotations to the helper.
+ + +The internal DNS component of Squid now supports multicast DNS (mDNS) resolution in +accordance with RFC 6762.
+ +The dns_multicast_local directive must be set to on to enable this +feature.
+ +The multicast DNS group IP addresses for IPv4 and IPv6 resolving are added to the set +of available DNS resolvers and used automatically for domain names ending in .local +and reverse-DNS lookups before attempting a secondary resolution on the configured +resolvers. Domains without .local are resolved using only the configured resolvers.
+ +Statistics for multicast DNS resolution can be found on the idns cache manager +report.
+ +NOTE that the external DNS helper interface is now deprecated and has been +removed from future Squid versions. Any installations still using it for local hostname +resolution need to upgrade to mDNS resolution with this Squid version.
+ + +There have been changes to Squid's configuration file since Squid-3.3.
+ +Squid supports reading configuration option parameters from external +files using the syntax parameters("/path/filename"). For example: +
+ acl whitelist dstdomain parameters("/etc/squid/whitelist.txt") ++ + +
There have also been changes to individual directives in the config file.
This section gives a thorough account of those changes in three categories:
Whether Squid is to pass-through If-Modified-Since and If-None-Match headers on cache MISS. -Revalidation requests can prevent cache gathering objects to HIT on.
-Based on the Squid-2.7 ignore_ims_on_miss feature.
-IMPORTANT: the meaning for on/off values has changed along with the name since 2.7.
+Whether Squid supports directive parameters with spaces, quotes, and other +special characters. Surround such parameters with "double quotes" and +also set this directive on/off around the relevant squid.conf line(s) +making use of such quoting.
-New directive to add custom headers on HTTP traffic sent to upstream servers.
+Use multicast DNS for .local domains and reverse-DNS resolution.
-New option to determine how the client certificate sent to upstream servers is signed.
+Use ACLs to annotate a transaction with customized annotations +which can be logged in access.log
-New option to adapt certain properties of outgoing SSL certificates generated for use when bumping SSL to an upstream server.
+Access control to determine whether to disable the TPROXY spoofing on upstream traffic.
+ +Specifies the settings for how many SSL server certificate +validator helpers are run and when they are started.
+ +Specifies the location of a SSL server certificate validator helper.
+ +Whether the URL for a given request is passed to the Store-ID helper process. +Used to improve StoreID performance by quickly eliminating helper delays using ACL tests.
+Ported equivalent to storeurl_access from 2.7
+ +Whether the StoreID helper may be bypassed when overloaded.
+ +Controls the number of StoreID helper processes.
+Options startup=N, idle=N, concurrency=N +
A helper program to provide cache storage internal key ID value for a request.
+Ported equivalent to storeurl_rewrite_program from 2.7
Configuration syntax extended to support name=value options. +New Syntax: access_log module:place [option ...] [acl ...]
+New option logformat= to specify the logging format name.
+New option buffer-size= to specify how large the log buffer +for this log is to be when buffered_logs is enabled.
+New option on-error= to specify what handling is to be done +if the logging module encounters a non-recoverable error writing logs. +With the value die (the default) Squid halts operation. +With the value drop Squid drops log lines and continue running.
+myport and myipACL types replaced with localport and localip respectively. -To reflect that it matches the TCP connection details and not the squid.conf port. -This matters when dealing with intercepted traffic, where the Squid receiving port differs from the TCP connection IP:port. -Always use myportname type to match the squid.conf port details.
-New default built-in ACLs for testing SSL certificate properties.
-ssl::certHasExpired, -ssl::certNotYetValid, -ssl::certDomainMismatch, -ssl::certUntrusted, -ssl::certSelfSigned.
+New test type server_cert_fingerprint to match against +server SSL certificate fingerprint.
+New test type note to match against transaction annotations +by name and value, or just by name.
+New test type any-of to match if any one of a set of named ACLs.
+New test type all-of to match against all of a set of named ACLs.
+ +New result code BH to signal helper internal errors +available in all authentication schemes.
+New key message= for error message details in all authentication schemes.
+New result code OK and key ha1= in Digest authentication.
+New result codes OK, ERR replace result codes AF, +and NA in NTLM and Negotiate authentication.
+New key token= for NTLM and Negotiate authentication OK responses.
+Details at +http://wiki.squid-cache.org/Features/AddonHelpers.
%ACL format tag ported from 2.6. -Sends the name of ACL being tested to the external helper.
-%DATA format tag ported from 2.6. -Inserts the ACL arguments into a particular location of the helper input instead of at the end of the line.
+Deprecated protocol=3.0 option. No longer necessary.
+New result code BH to signal helper internal errors
+Details at +http://wiki.squid-cache.org/Features/AddonHelpers.
+ +Support IPv6 for intercept mode. Requires ip6tables support on Linux, +PF support on OpenBSD and IPFW support on FreeBSD. Squid will no longer complain +about misconfiguration if IPv6 support is missing, we now rely on the firewall +tools reporting misconfiguration when the NAT rules are created.
+Support tproxy mode traffic on BSD systems with BINDANY support +(OpenBSD 5+, FreeBSD 9+ so far).
+Changed build options behind intercept traffic mode handling on BSD. +see --enable-pf-transparent for more details.
New token %ssl::bump_mode to log the SSL-bump mode type performed on a request. -Logs values of: -, none, client-first, or server-first.
-New token of %ssl::>cert_subject to log the Subject field of a SSL certificate received from the client.
-New token of %ssl::>cert_issuer to log the Issuer field of a SSL certificate received from the client.
+New format code %note to log a transaction annotation linked to the +transaction by ICAP, eCAP, a helper, or the note squid.conf directive.
+New format code %>qos to log client connection TOS/DSCP value set by Squid.
+New format code %<qos to log server connection TOS/DSCP value set by Squid.
+New format code %>nfmark to log client connection netfilter mark set by Squid.
+New format code %<nfmark to log server connection netfilter mark set by Squid.
-New action types none, client-first, server-first. The default is none.
-Use of allow/deny is now deprecated and they should be removed as soon as possible. -To retain the exact same behaviour between 3.3 and older releases replace deny with none, -and allow with client-first. However an upgrade to server-first is the recommended.
-NOTE: Mixing of allow/deny with the new action types is prohibited and will cause Squid to exit with a FATAL error.
+Updated to take a numeric count of prefetched pipeline requests instead of ON/OFF.
+ +NOTE: the regular expression pattern operates on the cache Store-ID value. +Which by default is identical to the requested URL, but may differ for some +objects if the Store-ID feature is in use.
+ +New helper response format utilizing result codes OK and BH, +to signal helper lookup results. Also, key-value response values to return +multiple values to Squid.
+Details at +http://wiki.squid-cache.org/Features/AddonHelpers.
+ +New helper response format utilizing result codes OK, ERR, +and BH to signal helper lookup results. Also, key-value response +values to return multiple values to Squid.
+Details at +http://wiki.squid-cache.org/Features/AddonHelpers.
This option has been replaced by the cache_miss_revalidate feature.
+Replaced by store_id_access.
+ +Replaced by store_id_children.
+ +Replaced by store_id_children with concurrency=N option.
+ +Replaced by store_id_program.
There have been some changes to Squid's build configuration since Squid-3.2.
+There have been some changes to Squid's build configuration since Squid-3.3.
This section gives an account of those changes in three categories:
There are no new ./configure options in Squid-3.3.
+New option to control which Store-ID helpers are built. As with other +helper options use --disable-* to prevent any helpers building and +omit to get all helper auto-detected.
+Currenly only a helper using file for backend is provided.
+ +New option to disable use of -march=native compiler flag.
+The new flag auto-enables CPU-specific optimizations in GCC and is +required by Clang++ v3.2 for correct 64-bit environment detection. +It does not always work well however, so this build option is provided +to remove it when necessary.
+ +New option to alter the behaviour of http_port ... intercept option +in squid.conf.
+When this option is used Squid performs the /dev/pf lookups required to +support PF rdr-to rules. Otherwise Squid will perform perform the +getsockname() API calls to support PF divert-to rules.
+NOTE: systems such as NetBSD and FreeBSD which do not yet support +the getsockname() API in recent PF versions require this option.
kqueue network I/O module is now built by default when it is available. -This option is no longer required to enable kqueue support, -but if used will abort build when kqueue dependencies are missing or broken.
- -kqueue network I/O module is now built by default when it is available. -This configure option is now needed to disable it. Previously it did nothing.
+NAT table support updated to use the getsockname() API provided by the +latest PF versions divert-to. This allows http_port +in squid.conf to support both intercept and tproxy traffic +and to silence NAT lookup failure messages on recent BSD.
+NOTE: systems such as NetBSD and FreeBSD which do not yet support +the getsockname() API in recent PF versions require --with-nat-devpf +to re-enable /dev/pf support when using PF firewall.
This has not been supported by Squid for several versions.
+There are no removed ./configure options in Squid-3.4.
Some squid.conf and ./configure options which were available in Squid-2.7 are not yet available in Squid-3.3
+Some squid.conf options which were available in Squid-2.7 are not yet available in Squid-3.4
If you need something to do then porting one of these from Squid-2 to Squid-3 is most welcome.
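Review bot: the intercept-mode paragraph stating "Squid will no longer complain about misconfiguration if IPv6 support is missing, we now rely on the firewall tools reporting misconfiguration" removes a diagnostic that operators relied on; an IPv6 interception setup on a host whose firewall tooling lacks ip6tables, PF or IPFW support will now fail silently on the Squid side, so either keep a startup warning or say plainly in the notes that misconfiguration is only visible in the firewall tool output. The access_log on-error=drop option is described only as "Squid drops log lines and continue running"; because that silently loses access-log records, the text should say so and make explicit that die stays the default. The NOTE that NetBSD and FreeBSD need --with-nat-devpf because their PF lacks the getsockname() API is repeated three times (OpenBSD PF section, --with-nat-devpf, --enable-pf-transparent); one canonical statement with cross-references would stop the copies drifting. Wording defects to fix in the added text: "The helper consulted after the internal OpenSSL validation" and "The helper invocation controlled by the sslcrtvalidator_program" both lack "is"; "of for any notes with a given name" should read "or for any notes"; "myport and myipACL types" is missing a space; "perform perform the getsockname() API calls" duplicates a word; "Currenly" is misspelled; "omit to get all helper auto-detected" should be "helpers"; "has been removed from future Squid versions" should be "will be removed"; and "Permitting Squid to perform recovery operations" and "Allowing future helpers to be forward- and backward- compatible" are sentence fragments that should be joined to the sentences before them.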
@@ -429,16 +578,7 @@ This configure option is now needed to disable it. Previously it did nothing.refresh_stale_hitNot yet ported from 2.7
-Not yet ported from 2.7
- -Not yet ported from 2.7
- -Not yet ported from 2.7
- -Not yet ported from 2.7
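Review bot: four "Not yet ported from 2.7" rows are removed here while refresh_stale_hit keeps its entry; the removals should line up with the four 2.7 directives the previous hunk now lists as replaced (store_id_access, store_id_children, store_id_children with concurrency=N, store_id_program), so please confirm each removed row was one of those storeurl_* entries and not some other still-unported option.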
diff --git a/rpmlintrc b/rpmlintrc index df739f9..3e9ebd3 100644 --- a/rpmlintrc +++ b/rpmlintrc @@ -1,2 +1,3 @@ addFilter("macro-in-comment") addFilter("no-manual-page-for-binary") +addFilter("zero-length") diff --git a/squid-3.3.11.tar.bz2 b/squid-3.3.11.tar.bz2 deleted file mode 100644 index 18a825a..0000000 --- a/squid-3.3.11.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:6b314cd706693522f01d5ab1930f3aa7a9b03a913bc0e699def16cca8d15ea54 -size 2989941 diff --git a/squid-3.3.11.tar.bz2.asc b/squid-3.3.11.tar.bz2.asc deleted file mode 100644 index 87c1551..0000000 --- a/squid-3.3.11.tar.bz2.asc +++ /dev/null @@ -1,20 +0,0 @@ -File: squid-3.3.11.tar.bz2 -Date: Sat Nov 30 14:12:34 UTC 2013 -Size: 2989941 -MD5 : abf2b0fe128f73f5dc157e7e917949e0 -SHA1: f99627f9f5c76cc2ddf6e14e4a3e955963801b6f -Key : 0xFF5CF463
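Review bot: this change deletes squid-3.3.11.tar.bz2 and its squid-3.3.11.tar.bz2.asc record without adding the squid-3.4.2 source artifact or its signature, so after this commit the packaging tree describes a 3.4.2 release it cannot build or verify; the 3.4.2 tarball and detached signature belong in the same change. The deleted .asc file is a File/Date/Size/MD5/SHA1/Key listing rather than a detached PGP signature, so its replacement should carry the actual signature made with the listed key (0xFF5CF463) and be checked against it during packaging, with the LFS pointer's sha256 used for integrity in preference to MD5 or SHA1. The new addFilter("zero-length") in rpmlintrc suppresses a warning rather than fixing a cause; a short comment naming which packaged file is intentionally empty would justify the filter.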