diff --git a/RELEASENOTES.html b/RELEASENOTES.html index e2fade6..70b3db1 100644 --- a/RELEASENOTES.html +++ b/RELEASENOTES.html @@ -2,14 +2,14 @@
--
-
-
-
-
The Squid Team are pleased to announce the release of Squid-3.2.13.
+The Squid Team are pleased to announce the release of Squid-3.3.8.
This new release is available for download from -http://www.squid-cache.org/Versions/v3/3.2/ or the +http://www.squid-cache.org/Versions/v3/3.3/ or the mirrors.
-A large number of the show-stopper bugs have been fixed along with general improvements to the IPv6 support. +
A large number of the design flaws in SSL-Bump feature have been fixed along with general improvements all around. While this release is not fully bug-free we believe it is ready for use in production on many systems.
We welcome feedback and bug reports. If you find a bug, please see -http://wiki.squid-cache.org/SquidFaq/BugReporting for how to submit a -report with a stack trace.
+http://wiki.squid-cache.org/SquidFaq/BugReporting +for how to submit a report with a stack trace.Although this release is deemed good enough for use in many setups, please note the existence of -open bugs against Squid-3.2.
- -Some issues to note as currently known in this release which are not able to be fixed in the 3.2 series are:
--
Currently known issues which only depends on available developer time and may still be resolved in a future 3.2 release are:
--
The 3.2 change history can be -viewed here.
+The 3.3 change history can be +viewed here.
-Squid 3.2 represents a new feature release above 3.1.
+Squid 3.3 represents a new feature release above 3.2.
The most important of these new features are:
Most user-facing changes are reflected in squid.conf (see below).
- -Details in Advisory -SQUID-2011:1
+log_db_daemon - Database logging daemon for Squid
-Squid locates the authority-URL details available in an HTTP request as -defined by RFC 2616 and validates that all found representations are -textually equivalent. In the case of intercepted traffic the -client destination IP is also compared to the Host: authority domains -DNS entries.
+This program writes Squid access.log entries to an SQL database. +Written in Perl it can utilize any database supported by the Perl +database abstraction layer.
-When the Host: authority contradicts another authority source Squid will log -"SECURITY ALERT: Host: header forgery detected". The response will then be determined -by the -host_verify_strict -directive. Squid will respond with 409 Conflict error response when strict validation -fails and handles the request normally when strict validation succeeds or is OFF (default).
- -Relaying of messages which FAIL non-strict Host: validation are permitted through Squid but -only to the original destination IP the client was requesting or to explicit peers. This means -DNS lookups to locate alternative DIRECT destinations will not be done.
- -Known Issue: When non-strict validation fails Squid will relay the request, but can only do -so safely to the original destination IP the client was contacting. The client original -destination IP is lost when relaying to peers in a hierarchy. This means the upstream peers -are still at risk of causing same-origin bypass CVE-2009-0801 vulnerability. -Developer time is required to implement safe transit of these requests. -Please contact squid-dev if you are able to assist or sponsor the development.
+NOTE: Presently it only accepts the Squid native log format.
-Details in Advisory -SQUID-2011:2
+ext_time_quota_acl - Time quota external ACL helper.
-The DES algorithm used by the NCSA Basic authentication helper has an -limit of 8 bytes but some implementations do not error when truncating -longer passwords down to this unsafe level.
+Allows an administrator to define time budgets (quota) for the +users of Squid to limit the time using Squid.
-This both significantly lowers the threshold of difficulty decrypting -captured password files and hides from users the fact that the extra bits -of their chosen long password is not being utilized.
+This is useful for corporate lunch time allocations, wifi portal +pay-per-minute installations or for parental control of children.
-The NCSA helper bundled with Squid will prevent passwords longer than 8 -characters being sent to the DES algorithm. The MD5 hash algorithm which -supports longer than 8 character passwords is also supported by this helper -and should be used instead.
+The administrator can define a time budget (e.g. 1 hour per day) +which is enforced through this helper using session estimations +of their browsing time. A 'pause' threshold is given in seconds +and defines the period between two requests to be treated as part +of the same session. Pauses shorter than this value will be +counted against the quota, longer ones ignored.
-The new "workers" squid.conf option can be used to launch multiple worker -processes and utilize multiple CPU cores. The overall intent is to make -multiple workers look like one to an outside observer, while providing -knobs to customize each worker behavior if needed.
+Details at +http://wiki.squid-cache.org/Features/BumpSslServerFirst.
-By default, all worker processes are configured identically and do what a -single Squid instance would have done. Squid.conf macro substitutions and -conditionals (see below) can be used to customize individual worker -configurations. In the paragraphs below, "can share" implies "will share by -default".
- -Workers can share HTTP, HTTPS, SNMP, ICP, and HTCP listening addresses. -Configuration related to ICP and HTCP clients must be adjusted to avoid -source address conflicts: Modify the IP address and/or the port used for -the protocol. Workers do not share DNS addresses by default because the OS -assigns each worker a unique DNS port.
- -Workers can share logs.
- -Workers can share caches. Memory cache is automatically shared when multiple -workers are used. Cache_dir are shared when configured with the rock -storage type. Cache_dir of other types must be adjusted to point each -disk-caching worker to its own disk area. ICP and HTCP responses are based -on the responding worker cache state.
- -Cache manager statistics are reported from a worker point of view, for now. -Though some reports are combined. SNMP statistics are combined across all -workers.
- -Startup, reconfiguration, shutdown, and log rotation are handled as for a -monolithic Squid. Abnormally terminated workers are restarted while -other workers continue serving traffic.
- -Added support for process_name and process_number macros as well as simple -if-statement conditionals in squid.conf. These features allow individual -worker customization in SMP mode. For details, search for "Conditional -configuration" and "SMP-Related Macros" sections in squid.conf.documented.
- - -The helper multiplexer's purpose is to relieve some of the burden -Squid has when dealing with slow helpers. It does so by acting as a -middleman between squid and the actual helpers, talking to Squid via -the multiplexed concurrent variant of the helper protocol and to the -helpers via the non-concurrent variant.
- -Helpers are started on demand, and in theory the muxer can handle up to -1k helpers per instance. It's up to squid to decide how many helpers -to start.
- -The muxer knows nothing about the actual messages being passed around, -and as such can't really (yet?) compensate for broken helpers. -It is not yet able to manage dying helpers, but it will.
- -To configure the multiplexer add its binary name (usually /usr/share/libexec/helper-mux.pl) -in front of the name of whichever helper is being multiplexed. It takes the helper binary -path and parameters as its own command parameters. The concurrency setting already -existing in Squid is used to configure how many child helpers it may run.
- -For example, a traditional configuration is -
- url_rewrite_program /your/redirector.sh - url_rewrite_children 5 - -- -the alternative multiplexer configuration is: -
- url_rewrite_program /usr/share/libexec/helper-mux.pl /your/redirector.sh - url_rewrite_children 1 concurrency=5 - -- - -
Helpers which are already concurrent protocol enabled gain little benefit from the multiplexer -on most systems. However on some systems where Squid spawning helpers causes excess memory usage -the reduction in direct helper spawned by Squid can result in a great reduction in resource use.
- -The helper can be controlled using various signals: -
Traditionally Squid has been configured with a fixed number of helpers and started them during -it's start and reconfigure phases. This forces the hard configuration problem of how many helpers -will be needed to be solved before starting Squid in production use.
- -The on-demand helpers feature allows greater flexibility and resolves this problem by allowing -maximum, initial and idle thresholds to be configured. Squid will start the initial set during -start and reconfigure phases. However over the operational use new helpers up to the maxium will -be started as load demands. The idle threshold determines how many more helpers to start if the -currently running set is not enough to handle current request loads.
- -For example, a traditional configuration is -
- auth_param ntlm /usr/libexec/squid/ntlm_auth - auth_param ntlm children 200 - -- -the alternative on-demand configuration could be: -
- auth_param ntlm /usr/libexec/squid/ntlm_auth - auth_param ntlm children 200 startup=10 idle=2 - -- - -
The example still permits up to 200 helpers to be running at once under peak traffic loads. -But only starts 10 when Squid is initialized resulting in a faster boot up. -When client requests threaten to overload the running helpers an additional 2 will be started.
- -NOTE: if no startup and idle values are specified the traditional behaviour -of starting the maximum number of helpers will occur.
- - -To improve the understanding of what each helper does and where it should be used the helper binaries -which are bundled with Squid have undergone a naming change in this release.
- -Below is a list of the old helper names and what their names have changed to. -For several helpers the directory name used in --enable-X-helpers configure option has also changed.
- -When an intercepted connection is received, Squid first connects +to the server using SSL and receives the server certificate. +Squid then uses the host name inside the true server certificate +to generate a fake one and impersonates the server while still +using the already established secure connection to the server.
+Bumping server first is essentially required for handling +intercepted HTTPS connections but the same scheme should be used +for most HTTP CONNECT requests because it offers a few advantages +compared to the old bump-client-first approach:
-
-
-
-
This group of helpers have been bundled to demonstrate how to code URL re-writers: -
The man(8) and man(1) pages bundled with Squid are now provided online for all -versions and beginning with 3.2 they are available in languages other than English (where translated).
+Details at +http://wiki.squid-cache.org/Features/MimicSslServerCert.
-Details in -The Squid wiki
- -3.1 began the Internationalization of Squid with the public facing error pages. -This move begins the Localization of the internal administrator facing manuals.
+One of the SslBump features serious drawbacks is the loss of +information embedded in SSL server certificate. +This certificate mimic feature passes original SSL server +certificate information to the user. Allowing the user to +make an informed decision on whether to trust the server +certificate.
-Automatic detection and use of the pthreads library available from Solaris 10
+The request_header_add option is added to insert +HTTP header fields to outgoing HTTP requests (i.e., +request headers sent by Squid to the next HTTP hop such as a +cache peer or an origin server). The option has no effect on +cache hit traffic or requests serviced by Squid and ICAP.
-The result of this addition means that faster more efficient AUFS cache storage mechanism -is now available in Solaris 10.
+WARNING: If a standard HTTP header name is used, Squid does not check whether +the new header conflicts with any existing headers or violates +HTTP rules. If the request to be modified already contains a +field with the same name, the old field is preserved but the +header field values are not merged.
-Support is experimental at this stage due to lack of feedback on the results of enabling it. -We recommend giving AUFS a try for faster disk storage and encourage feedback.
+Field-value set can be either a token or a quoted string. If quoted +string format is used, then the surrounding quotes are removed +while escape sequences and %macros are processed.
+ +In theory, all of the logformat codes can be used as %macros. +However, unlike logging (which happens at the very end of +transaction lifetime), the transaction may not yet have enough +information to expand a macro when the new header value is needed. +And some information may already be available to Squid but not yet +committed where the macro expansion code can access it (please report +such instances!). The macro will be expanded into a single dash +('-') in such cases. Not all macros have been tested.
+ +One or more Squid ACLs may be specified to restrict header +injection to matching requests. As always in squid.conf, all +ACLs in an option ACL list must be satisfied for the insertion +to happen. The request_header_add option supports fast ACLs only.
-The Surrogate extensions to HTTP protocol enable an origin web server to specify separate -cache controls for a reverse proxy acting on its behalf. Previously this was closely tied with the ESI -feature support in Squid. This release opens Surrogate support to all reverse proxies.
- -Reverse proxy requests sent on to the web server include the HTTP header Surrogate-Capabilities: -specifying the capabilities of the reverse proxy along with an ID which can be used to target responses with -a Surrogate-Control: HTTP header used instead of the Cache-Control: header.
- -The default surrogate ID is generated automatically from the Squid site-unique hostname as found by the -automatic detection or manual configuration of visible_hostname although can be configured -separately with the httpd_accel_surrogate_id option.
- -Security Considerations: Websites should be careful of accepting any surrogate ID. -Older releases of Squid leak the Surrogate-Control headers to external servers. -This 3.2 series of Squid will now prevent this leakage of its own ID destined responses, however it is possible -and for some uses desirable to receive external reverse-proxies Surrogate-Capabilities: headers.
- -NOTE: Several operating system distributions historically package Squid with a forced value of -visible_hostname localhost. If this is done on a Surrogate enabled install a manual re-configuration -is required to prevent an unacceptable surrogate ID of 'localhost' being generated.
- - -The advanced logging modules introduced in Squid-2.7 are now available from Squid-3.2.
- -This feature is documented at http://wiki.squid-cache.org/Features/LogModules
- -The new infrastructure currently supports several different channels types (modules) ranging from -direct filesystem logging (stdio, daemon) to network logging (syslog, UDP and TCP). The daemon logging -interface allows for a custom helper to be written to process logs in real-time.
- -Upgrading: the access_log and cache_store_log were previously logged via what is -now called the stdio module. -This is still supported and used by default if no module is named. For best performance particularly in SMP -environments we recommend the daemon be used. The provided log_file_daemon helper -performs the traditional logging to local filesystem.
- -Additional to this the cache.log can now be limited to a smaller number of files stored. -Traditionally cache.log.N has been fixed at the same number of rotated files as access.log.N through the -logfile_rotate setting. The debug_options setting can now be used to configure the number -of debug cache.log files to rotate through with a rotate=N option. This is particularly useful for -logging a single cache.log at relatively high debug levels on a high-traffic system. Or one which is -required to store a long period of access.log and needs to conserve disk space.
- -The referer_log and useragent_log directives have been converted to built-in log formats. -These logs are now created using an access_log line with the format "referrer" or "useragent". -They also now log all client requests, if there was no Referer or User-Agent header a dash (-) is logged.
- -Known Issue: The TCP logging module does not recover from broken connections well. -At present it will restart the affected Squid instance if the TCP connection is broken.
- - -In mobile environments, Squid may need to limit Squid-to-client bandwidth -available to individual users, identified by their IP addresses. The IP -address pool can be as large as a /10 IPv4 network (4 million unique IP -addresses) and even larger in IPv6 environments. On the other hand, the code -should support thousands of connections coming from a single IP (e.g., -a child proxy).
- -The implementation is based on storing bandwidth-related "bucket" information -in the existing "client database" hash (client_db.cc). The old code already -assigned each client IP a single ClientInfo object, which satisfies the -client-side IP-based bandwidth pooling requirements. The old hash size is -increased to support up to 32K concurrent clients if needed.
- -Client-side pools are configured similarly to server-side ones, but there is -only one pool class. See client_delay_pools, -client_delay_initial_bucket_level, client_delay_parameters, and -client_delay_access in squid.conf. The client_delay_access matches the client -with delay parameters. It does not pool clients from different IP addresses -together.
- -Special care is taken to provide fair distribution of bandwidth among clients -sharing the same bucket (i.e., clients coming from the same IP address). -Multiple same-IP clients competing for bandwidth are queued using FIFO -algorithm. If a bucket becomes empty, the first client among those sharing -the bucket is delayed by 1 second before it can attempt to receive more -response data from Squid. This delay may need to be lowered in -high-bandwidth environments.
- - -Support for libecap version 0.2.0 has been added with this series of Squid. Bringing -better support for body handling, and logging.
- -Known Issue: Due to API changes in libecap this release of Squid will not build -against any older libecap releases.
- - -The Squid Cache Manager has previously only been accessible under the cache_object:// -URL scheme. Which has restricted its reporting to tools which can send arbitrary -URI to the proxy.
- -This version of Squid now provides access through the http:// and https:// URL schemes -allowing web browsers access without having to use the cachemgr.cgi gateway and enabling -the use of HTTPS security were desired.
- -The cache manager is available under the path prefix /squid-internal-mgr/. For example -the URL http://example/com/squid-internal-mgr/menu will bring up the manager menu. This -means there are some configuration changes required to lock down manager access. -The manager ACL needs changing. A built-in definition is now used, equivalent -to the following regex pattern: -
- ^(cache_object://|https?://[^/]+/squid-internal-mgr/) -- - -
The manager prefix /squid-internal-mgr/ with no action attempts to load an optional -template MGR_INDEX which may be installed amongst in the Squid error templates. -This template is not supplied with Squid but intended to be supplied by separate -cache manager applications as their front page embedding all scripts, accessors or -redirects required for their initial GUI display.
- -MGR_INDEX file -
Version 3.2 of the CGI cache manager tool now presents XHR scripted probes to detect -proxies presenting these manager index pagess and provides direct HTTP/HTTPS web links -to those managers.
- - -There have been changes to Squid's configuration file since Squid-3.1.
+There have been changes to Squid's configuration file since Squid-3.2.
This section gives a thorough account of those changes in three categories:
This option allows Squid administrator to add custom ICAP request -headers or eCAP options to Squid ICAP requests or eCAP transactions.
+New directive to add custom headers on HTTP traffic sent to upstream servers.
-Same as deprecated icap_send_client_ip -but applies to both ICAP and eCAP.
+New option to determine how the client certificate sent to upstream servers is signed.
-Same as deprecated icap_send_client_username -but applies to both ICAP and eCAP.
+New option to adapt certain properties of outgoing SSL certificates generated for use when bumping SSL to an upstream server.
-Same as deprecated icap_uses_indirect_client -but applies to both ICAP and eCAP.
- -New setting for client bandwidth limits to specifies the number -of client delay pools used.
- -New setting for client bandwidth limits to determine the initial -bucket size as a percentage of max_bucket_size from -client_delay_parameters.
- -New setting for client bandwidth limits to configures client-side -bandwidth limits.
- -New setting for client bandwidth limits to determines the -client-side delay pool for the request.
- -New setting to disable extra Host: header security on interception proxies. -Impacts cache integrity/reliability and client browser security.
-IMPORTANT: disabling this directive only allows Squid to change the -destination IP to another source indicated by Host: domain DNS or -cache_peer configuration. It does not affect Host: validation.
- -Renamed from persistent_request_timeout.
- -New setting for SMP support to map Squid processes onto specific CPU cores.
- -Replacement for maximum_single_addr_tries, but instead of only applying to hosts with single addresses. -This directive applies to all hosts, extending the number of connection attempts to each IP address.
- -New setting to configure maximum number of bytes packet size to advertise via EDNS. -Set to "none" (the initial default) to disable EDNS large packet support.
- -Part of conditional SMP support syntax. see if
- -Part of conditional SMP support syntax. see if
- -Whether to lookup the EUI or MAC address of a connected client.
- -New option to enable super-strict HTTP and DNS information match. -Ensuring the HTTP URI details, DNS records, and TCP connection layers all match in a -three-legged security verification. Preventing domain hijacking or malicious poisoning -attacks by malicious scripts.
-The default is to verify only intercepted traffic, to log all issues and let failed -traffic through when doing so can be done safely.
- -New option to toggle whether the ICAP 206 (Partial Content) responses extension. -Default is on.
- -New conditional syntax for SMP multiple-worker. -If-statements can be used to make configuration directives depend on conditions.
-The else part is optional. The keywords if, else and endif -must be typed on their own lines, as if they were regular configuration directives.
- -Ported from 2.7. Specify the file I/O daemon helper to run for logging.
- -Places an upper limit on how stale content Squid will serve from the cache if cache validation fails
- -Controls which objects to keep in the memory cache (cache_mem) -
- 'always' Keep most recently fetched objects in memory (default) - - 'disk' Only disk cache hits are kept in memory, which means - an object must first be cached on disk and then hit - a second time before cached in memory. - - network Only objects fetched from network is kept in memory - -- - -
Controls whether the memory cache is shared among SMP workers.
-Currently, entities exceeding 32KB in size cannot be shared.
- -Renamed from pconn_timeout.
- -Controls whether the indirect client address found in the X-Forwarded-For -header is used for spoofing instead of the directly connected client address. -Requires both --enable-follow-x-forwarded-for and --enable-linux-netfilter
- -Number of main Squid processes or "workers" to fork and maintain. -In SMP mode, each worker does nearly all what a single Squid daemon -does (e.g., listen on http_port and forward HTTP requests). -
- 0: "no daemon" mode, like running "squid -N ..." - 1: "no SMP" mode, start one main Squid process daemon (default) - N: start N main Squid process daemons (i.e., SMP mode) - -- - -
New setting to limit time spent waiting for data writes to be confirmed.
New stdio module to send log data directly from Squid to a disk file. -This is the historic behaviour of Squid before logging modules were introduced, and -remains the default used when no module is selected. -It is recommended to upgrade logging to the faster daemon: module.
-New daemon module to send each log line as text data to a file I/O daemon handling the slow disk I/O. -New installs, or installs with no logs configured explicitly will use this module by default.
-New tcp module to send each log line as text data to a TCP receiver.
-New udp module to send each log line as text data to a UDP receiver.
-New format referrer to log with the format previously used by referer_log directive.
-New format useragent to log with the format previously used by useragent_log directive.
- -New type random. Pseudo-randomly match requests based on a configured probability.
-Ported urllogin option from Squid 2.7, to match a regex pattern on the URL login field (if any).
-The manager ACL requires adjustment to cover new cache manager access. So it has now been -built-in as a predefined ACL name matching URLs equivalent to the following regular expression: -
- ^(cache_object://|https?://[^/]+/squid-internal-mgr/) - -- -squid.conf containing the old manager definition can expect to see ACL type collisions. - -
New options for Basic, Digest, NTLM, Negotiate children settings. -startup=N determines minimum number of helper processes used. -idle=N determines how many helper to retain as buffer against sudden traffic loads. -concurrency=N previously called auth_param ... concurrency as a separate option.
-Removed Basic, Digest, NTLM, Negotiate auth_param ... concurrency setting option.
-Known Issue: NTLM and Negotiate protocols do not support concurrency. When set this option is ignored.
- -min-size option ported from Squid-2
- -htcp-* options collapsed into htcp= taking an optional comma-separated list of flags. -The old form is deprecated but still accepted.
- -Now uses logging modules. Example: stdio:/file/path -see access_log for a list of supported modules and their parameters.
- -New configuration parameter clientside_mark
-Allows packets leaving Squid on the client side to be marked with a Netfilter mark value in the same way as the existing clientside_tos feature.
-This feature is only available for Netfilter environments.
- -Support URL format tags. For dynamically generated URL in denial redirect.
-Support the full range of 200-599 HTTP status codes. -3xx status only available when redirecting to a URI. -Other status only available when supplying an error template body.
+myport and myipACL types replaced with localport and localip respectively. +To reflect that it matches the TCP connection details and not the squid.conf port. +This matters when dealing with intercepted traffic, where the Squid receiving port differs from the TCP connection IP:port. +Always use myportname type to match the squid.conf port details.
+New default built-in ACLs for testing SSL certificate properties.
+ssl::certHasExpired, +ssl::certNotYetValid, +ssl::certDomainMismatch, +ssl::certUntrusted, +ssl::certSelfSigned.
New format tags and option parameters:
-%SRCEUI48 EUI-48 / MAC address of client from ARP lookup.
-%SRCEUI64 EUI-64 of clients with SLAAC address.
-%EXT_LOG log= message returned by previous external ACL calls. An updated version may be returned.
-%EXT_TAG tag= value returned by previous external ACL calls. Tag may not be altered once set.
-children-max=N determines maximum number of helper processes used.
-children-startup=N determines minimum number of helper processes used.
-children-idle=N determines how many helper to retain as buffer against sudden traffic loads.
-Deprecated children=N in favor of children-max=N.
- -act-as-origin ported from 2.7. -This option corrects several HTTP header issues when operating as a reverse proxy and cache. -Notably the externally visible aging of objects stored in the server-side cache.
-vhost is deprecated. accel mode, reverse proxy, now defaults to always enable HTTP/1.1 virtual domain support.
-no-vhost option is added to disable the new reverse proxy behaviour.
- -Deprecated in favor of adaptation_send_client_ip -which applies to both ICAP and eCAP.
- -Deprecated in favor of adaptation_send_username -which applies to both ICAP and eCAP.
- -Deprecated in favor of adaptation_uses_indirect_client -which applies to both ICAP and eCAP.
+%ACL format tag ported from 2.6. +Sends the name of ACL being tested to the external helper.
+%DATA format tag ported from 2.6. +Inserts the ACL arguments into a particular location of the helper input instead of at the end of the line.
%<a Server or Peer IP address from the last server connection (next hop).
-%>bs Number of HTTP-equivalent message body bytes received from the next hop.
-icap::%>bs Number of message body bytes received from the ICAP server.
-%sn Unique sequence number per log line. Ported from 2.7
-%>eui EUI logging (EUI-48 / MAC address for IPv4, EUI-64 for IPv6). -Both EUI forms are logged in the same field. Type can be identified by length or byte delimiter.
-%err_code The ID of an error response served by Squid or a similar internal error identifier
-%err_detail Additional err_code-dependent error information.
-%>la Rename of %la to indicate being a client connection detail.
-%>lp Rename of %lp to indicate being a client connection detail.
-%<p Server or Peer port number from the last server connection (next hop).
+New token %ssl::bump_mode to log the SSL-bump mode type performed on a request. +Logs values of: -, none, client-first, or server-first.
+New token of %ssl::>cert_subject to log the Subject field of a SSL certificate received from the client.
+New token of %ssl::>cert_issuer to log the Issuer field of a SSL certificate received from the client.
-Memory limits have been revised and corrected from 3.1.4 onwards.
-Please check and update your squid.conf to use the text none for no limit instead of the old 0 (zero).
-All users upgrading need to be aware that from Squid-3.3 setting this option to 0 (zero) will mean zero bytes of memory get pooled.
- -New options mark and tos and miss
-tos retains the original QOS functionality of the IP header TOS field.
-mark offers the same functionality, but with a netfilter mark value.
-These options should be placed immediately after qos_flows.
-The tos value is optional in order to maintain backwards compatability.
-The preserve-miss functionality is available with the mark option and requires no kernel patching. -It does, however, require libnetfilter_conntrack. -This will be included by default if available (see the --without-netfilter-conntrack configure option for more details).
-miss sets a value for a cache miss. It is available for both the tos and mark options and takes precedence over the preserve-miss feature.
- -Added ACL support for control over when the limit applies and when it is avoided.
- -New option max-stale= to provide a maximum staleness factor. Squid won't -serve objects more stale than this even if it failed to validate the object.
-Removed option ignore-no-cache. Its commonly desired behaviour is obsoleted -by correct HTTP/1.1 Cache-Control:no-cache handling.
- -Added support for custom response header names.
- -Added support for custom request header names.
- -Added support for custom response header names.
- -Added support for custom request header names.
- -This parameter is now compatible with persistent server connections. -The IPv6 magic 'to_ipv6' hacks needed in 3.1 are now no longer necessary.
- -New configuration parameter tcp_outgoing_mark
-Allows packets leaving Squid on the server side to be marked with a Netfilter mark value in the same way as the existing tcp_outgoing_tos feature.
-This feature is only available for Netfilter environments.
- -This parameter is now compatible with persistent server connections.
- -New options startup=N, idle=N, concurrency=N -
Now only available to be set in Windows builds.
+New action types none, client-first, server-first. The default is none.
+Use of allow/deny is now deprecated and they should be removed as soon as possible. +To retain the exact same behaviour between 3.3 and older releases replace deny with none, +and allow with client-first. However an upgrade to server-first is the recommended.
+NOTE: Mixing of allow/deny with the new action types is prohibited and will cause Squid to exit with a FATAL error.
Obsolete. Replaced by DNS parallel lookups.
-Replaced by common format option on an access_log directive.
+There are no removed squid.conf options in Squid-3.3.
-Obsolete.
- -Obsolete.
- -Obsolete.
- -Obsolete. Replaced by automatic detection of the %>A logformat tag.
- -Obsolete. Use a custom log with %<A format tag to receive server FQDN or peer name.
- -The behaviour controlled by this directive is no longer possible. -It has been replaced by connect_retries option which operates a little differently.
- -Renamed to server_idle_pconn_timeout
- -Renamed to client_idle_pconn_timeout
- -Replaced by the referrer format option on an access_log directive.
- -Replaced by url_rewrite_children ... concurrency=N option.
- -Replaced by the useragent format option on an access_log directive.
There have been some changes to Squid's build configuration since Squid-3.1.
+There have been some changes to Squid's build configuration since Squid-3.2.
This section gives an account of those changes in three categories:
Specified without any parameters all helpers will be auto-built.
-With an explicit empty list ="" protocol support will be built but no helpers.
-With an explicit list protocol support and just those helpers will be built.
+There are no new ./configure options in Squid-3.3.
-Specified without any parameters all helpers will be auto-built.
-With an explicit empty list ="" protocol support will be built but no helpers.
-With an explicit list protocol support and just those helpers will be built.
- -Specified without any parameters all helpers will be auto-built.
-With an explicit empty list ="" protocol support will be built but no helpers.
-With an explicit list protocol support and just those helpers will be built.
- -Specified without any parameters all helpers will be auto-built.
-With an explicit empty list ="" protocol support will be built but no helpers.
-With an explicit list protocol support and just those helpers will be built.
- -Add an additional string in the output of "squid -v".
- -Enable Support for handling EUI operations. -This includes ARP lookups for MAC (EUI-48) addresses and the ACL arp type tests.
- -Build helpers for logging I/O.
- -Build helpers for some basic URL-rewrite actions. For use by url_rewrite_program. -If omitted or set to =all then all bundled helpers that are able to build will be built. -If set to a specific list of helpers then only those helpers will build. -Currently one demo helper fake is provided in shell and C++ forms to demonstrate -the helper protocol usage and provide exemplar code.
- -Location to display in documentation for the default cache. -Updated to indicate /var/cache/squid in accordance with the filesystem layout standards. -Squid-3 no longer builds an implicit disk cache at this location, so the change is not expected -to have any effect on existing builds other than fixing some mysterious lack of core dumps. -The old /var/cache location was often non-writable which blocked core dumps creation.
- -Disables the libnetfilter_conntrack library being used for the new qos_flows option mark. -default is to auto-detect the library and use where available.
No longer takes a list of arguments. This option now is restricted to building Squid with or without authentication support.
-The new --enable-auth-X/--disable-auth-X parameters determine which authentication protocols and helpers are built.
+kqueue network I/O module is now built by default when it is available. +This option is no longer required to enable kqueue support, +but if used will abort build when kqueue dependencies are missing or broken.
+ +kqueue network I/O module is now built by default when it is available. +This configure option is now needed to disable it. Previously it did nothing.
Replaced by --enable-eui
- -Replaced by --enable-auth-basic.
- -Replaced by --enable-auth-digest.
- -Replaced by --enable-auth-negotiate.
- -Replaced by --enable-auth-ntlm.
- -Obsolete.
- -Obsolete.
+This has not been supported by Squid for several versions.
Some squid.conf and ./configure options which were available in Squid-2.6 and Squid-2.7 are made obsolete in Squid-3.2.
- --
blankpassword option for basic scheme removed.
- -Not safe for general use. -An external_acl_type helper may be used to bypass authentication if that is suitable.
- -Not safe for general use. -An external_acl_type helper may be used to bypass authentication if that is suitable.
- -Option http11 obsolete.
- -Format tag %{Header} replaced by %>{Header}
-Format tag %{Header:member} replaced by %>{Header:member}
- -Replaced by request_header_access and reply_header_access
- -Option no-connection-auth replaced by connection-auth=[on|off]. Default is ON.
-Option transparent option replaced by intercept
-Option http11 obsolete.
- -Replaced by adapted_http_access
- -Replaced by http_port disable-pmtu-discovery= option
- -Obsolete.
- -Replaced by url_rewrite_bypass
- -Obsolete.
- -Obsolete. The experimental actions enabled in 2.7 by this option have been integrated as default -actions for the rock storage type and memory caches. -The configuration option is no longer necessary and has been dropped. -NOTE: It is not yet supported by ufs, aufs, or diskd storage.
- -Obsolete.
- -Replaced by qos_flows local-hit=
- -Obsolete.
- -Obsolete.
- -Replaced by qos_flows parent-hit=
- -Replaced by qos_flows sibling-hit=
- --
urlgroup type removed. Use myportname type instead.
- -read-only option replaced by no-store.
- -urlgroup= removed. Use name= feature instead.
- -Replaced by native support.
- --
Obsolete.
- -Replaced by automatic detection.
- -Obsolete.
- -Replaced by automatic detection.
- -Obsolete.
- -Obsolete.
- -Obsolete. Enabled by default.
- -Obsolete.
- -Obsolete.
- -Obsolete.
- -Replaced by automatic detection.
- -Replaced by automatic detection.
- -Replaced by automatic detection.
- -Obsolete. Enabled by default.
- -Obsolete.
- -Obsolete. Disabled by default.
- -Obsolete. Disabled by default.
- -Some squid.conf and ./configure options which were available in Squid-2.7 are not yet available in Squid-3.2
+Some squid.conf and ./configure options which were available in Squid-2.7 are not yet available in Squid-3.3
If you need something to do then porting one of these from Squid-2 to Squid-3 is most welcome.
-@@ -1236,10 +400,6 @@ NOTE: It is not yet supported by ufs, aufs, or diskd
Not yet ported from 2.6
-%ACL format tag not yet ported from 2.6
-%DATA format tag not yet ported from 2.6
-Not yet ported from 2.7
@@ -1280,5 +440,6 @@ NOTE: It is not yet supported by ufs, aufs, or diskd + diff --git a/squid-3.2.13.tar.bz2 b/squid-3.2.13.tar.bz2 deleted file mode 100644 index 39f1104..0000000 --- a/squid-3.2.13.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:92144b72088ac93de7a0d387266172238bfd4e36ed90996af676e406c0c64e35 -size 2898293 diff --git a/squid-3.2.13.tar.bz2.asc b/squid-3.2.13.tar.bz2.asc deleted file mode 100644 index 47a4088..0000000 --- a/squid-3.2.13.tar.bz2.asc +++ /dev/null @@ -1,20 +0,0 @@ -File: squid-3.2.13.tar.bz2 -Date: Sat Jul 13 13:49:04 UTC 2013 -Size: 2898293 -MD5 : 367e59c9c25da7ebbfbf7cbc36d2444e -SHA1: f253df4981981c297cc7e719908e07b046506952 -Key : 0xFF5CF463