This commit is contained in:
parent
f3e0551c1d
commit
b292dfd12d
@ -1,740 +0,0 @@
|
||||
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|
||||
<HTML>
|
||||
<HEAD>
|
||||
<META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.73">
|
||||
<TITLE>Squid 4.5 release notes</TITLE>
|
||||
</HEAD>
|
||||
<BODY>
|
||||
<H1>Squid 4.5 release notes</H1>
|
||||
|
||||
<H2>Squid Developers</H2>
|
||||
<HR>
|
||||
<EM>This document contains the release notes for version 4 of Squid.
|
||||
Squid is a WWW Cache application developed by the National Laboratory
|
||||
for Applied Network Research and members of the Web Caching community.</EM>
|
||||
<HR>
|
||||
<P>
|
||||
<H2><A NAME="toc1">1.</A> <A HREF="#s1">Notice</A></H2>
|
||||
|
||||
<UL>
|
||||
<LI><A NAME="toc1.1">1.1</A> <A HREF="#ss1.1">Known issues</A>
|
||||
<LI><A NAME="toc1.2">1.2</A> <A HREF="#ss1.2">Changes since earlier releases of Squid-4</A>
|
||||
</UL>
|
||||
<P>
|
||||
<H2><A NAME="toc2">2.</A> <A HREF="#s2">Major new features since Squid-3.5</A></H2>
|
||||
|
||||
<UL>
|
||||
<LI><A NAME="toc2.1">2.1</A> <A HREF="#ss2.1">Configurable helper queue size</A>
|
||||
<LI><A NAME="toc2.2">2.2</A> <A HREF="#ss2.2">Helper concurrency channels changes</A>
|
||||
<LI><A NAME="toc2.3">2.3</A> <A HREF="#ss2.3">SSL support removal</A>
|
||||
<LI><A NAME="toc2.4">2.4</A> <A HREF="#ss2.4">Helper Binary Changes</A>
|
||||
<LI><A NAME="toc2.5">2.5</A> <A HREF="#ss2.5">Secure ICAP</A>
|
||||
<LI><A NAME="toc2.6">2.6</A> <A HREF="#ss2.6">Improved SMP support</A>
|
||||
<LI><A NAME="toc2.7">2.7</A> <A HREF="#ss2.7">Improved process management</A>
|
||||
<LI><A NAME="toc2.8">2.8</A> <A HREF="#ss2.8">Initial GnuTLS support</A>
|
||||
<LI><A NAME="toc2.9">2.9</A> <A HREF="#ss2.9">ESI Custom Parser removal</A>
|
||||
</UL>
|
||||
<P>
|
||||
<H2><A NAME="toc3">3.</A> <A HREF="#s3">Changes to squid.conf since Squid-3.5</A></H2>
|
||||
|
||||
<UL>
|
||||
<LI><A NAME="toc3.1">3.1</A> <A HREF="#ss3.1">New tags</A>
|
||||
<LI><A NAME="toc3.2">3.2</A> <A HREF="#ss3.2">Changes to existing tags</A>
|
||||
<LI><A NAME="toc3.3">3.3</A> <A HREF="#ss3.3">Removed tags</A>
|
||||
</UL>
|
||||
<P>
|
||||
<H2><A NAME="toc4">4.</A> <A HREF="#s4">Changes to ./configure options since Squid-3.5</A></H2>
|
||||
|
||||
<UL>
|
||||
<LI><A NAME="toc4.1">4.1</A> <A HREF="#ss4.1">New options</A>
|
||||
<LI><A NAME="toc4.2">4.2</A> <A HREF="#ss4.2">Changes to existing options</A>
|
||||
<LI><A NAME="toc4.3">4.3</A> <A HREF="#ss4.3">Removed options</A>
|
||||
</UL>
|
||||
<P>
|
||||
<H2><A NAME="toc5">5.</A> <A HREF="#s5">Regressions since Squid-2.7</A></H2>
|
||||
|
||||
<UL>
|
||||
<LI><A NAME="toc5.1">5.1</A> <A HREF="#ss5.1">Missing squid.conf options available in Squid-2.7</A>
|
||||
</UL>
|
||||
<P>
|
||||
<H2><A NAME="toc6">6.</A> <A HREF="#s6">Copyright</A></H2>
|
||||
|
||||
|
||||
<HR>
|
||||
<H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2>
|
||||
|
||||
<P>The Squid Team are pleased to announce the release of Squid-4.5 for testing.</P>
|
||||
<P>This new release is available for download from
|
||||
<A HREF="http://www.squid-cache.org/Versions/v4/">http://www.squid-cache.org/Versions/v4/</A> or the
|
||||
<A HREF="http://www.squid-cache.org/Download/http-mirrors.html">mirrors</A>.</P>
|
||||
|
||||
<P>We welcome feedback and bug reports. If you find a bug, please see
|
||||
<A HREF="http://wiki.squid-cache.org/SquidFaq/BugReporting">http://wiki.squid-cache.org/SquidFaq/BugReporting</A>
|
||||
for how to submit a report with a stack trace.</P>
|
||||
|
||||
<H2><A NAME="ss1.1">1.1</A> <A HREF="#toc1.1">Known issues</A>
|
||||
</H2>
|
||||
|
||||
<P>Although this release is deemed good enough for use in production, please note the existence of
|
||||
<A HREF="http://bugs.squid-cache.org/buglist.cgi?query_format=advanced&product=Squid&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&version=4">open bugs against Squid-4</A>.</P>
|
||||
|
||||
<P>This release adds a dependency on C++11 support in any compiler used to build Squid.
|
||||
As a result older C++03 -only and most C++0x compilers will no longer build successfully.
|
||||
GCC 4.9+ and Clang 3.5+ are known to have working C++11 support and are usable.
|
||||
GCC-4.8 will also build for now despite lack of full C++11 support, but some future features may not be available.</P>
|
||||
|
||||
<P>This release does not support LibreSSL.
|
||||
Due to a bug in the way LibreSSL uses the OpenSSL version macro some changes
|
||||
necessary to support OpenSSL 1.1 prevent building with LibreSSL.</P>
|
||||
|
||||
|
||||
<H2><A NAME="ss1.2">1.2</A> <A HREF="#toc1.2">Changes since earlier releases of Squid-4</A>
|
||||
</H2>
|
||||
|
||||
<P>The Squid-4 change history can be
|
||||
<A HREF="http://www.squid-cache.org/Versions/v4/changesets/">viewed here</A>.</P>
|
||||
|
||||
|
||||
<H2><A NAME="s2">2.</A> <A HREF="#toc2">Major new features since Squid-3.5</A></H2>
|
||||
|
||||
<P>Squid 4 represents a new feature release above 3.5.</P>
|
||||
|
||||
<P>The most important of these new features are:
|
||||
<UL>
|
||||
<LI>Configurable helper queue size</LI>
|
||||
<LI>Helper concurrency channels changes</LI>
|
||||
<LI>SSL support removal</LI>
|
||||
<LI>Helper Binary Changes</LI>
|
||||
<LI>Secure ICAP</LI>
|
||||
<LI>Improved SMP support</LI>
|
||||
<LI>Improved process management</LI>
|
||||
<LI>Initial GnuTLS support</LI>
|
||||
<LI>ESI Custom Parser removal</LI>
|
||||
</UL>
|
||||
</P>
|
||||
<P>Most user-facing changes are reflected in squid.conf (see below).</P>
|
||||
|
||||
|
||||
<H2><A NAME="ss2.1">2.1</A> <A HREF="#toc2.1">Configurable helper queue size</A>
|
||||
</H2>
|
||||
|
||||
<P>The new queue-size=N option to helpers configuration, allows users
|
||||
to configure the maximum number of queued requests to busy helpers.</P>
|
||||
|
||||
<H2><A NAME="ss2.2">2.2</A> <A HREF="#toc2.2">Helper concurrency channels changes</A>
|
||||
</H2>
|
||||
|
||||
<P>helper-mux.pl we have been distributing for the past few years to
|
||||
encourage use of concurrency is no longer compatible with Squid. If
|
||||
used it will spawn up to 2^64 helpers and DoS the Squid server.</P>
|
||||
|
||||
<P>Helpers utilizing arrays to handle fixed amounts of concurrency
|
||||
channels MUST be re-written to use queues and capable of handling a
|
||||
64-bit int as index or they will be vulnerable to buffer overrun and
|
||||
arbitrary memory accesses.</P>
|
||||
|
||||
<P>32-bit helpers need re-writing to handle the concurrency channel ID
|
||||
as a 64-bit integer value. If not updated they will cause proxies to
|
||||
return unexpected results or timeout once crossing the 32-bit wrap
|
||||
boundary. Leading to undefined behaviour in the client HTTP traffic.</P>
|
||||
|
||||
|
||||
<H2><A NAME="ss2.3">2.3</A> <A HREF="#toc2.3">SSL support removal</A>
|
||||
</H2>
|
||||
|
||||
<P>Details in
|
||||
<A HREF="https://tools.ietf.org/html/rfc6176">RFC 6176</A>
|
||||
and
|
||||
<A HREF="https://tools.ietf.org/html/rfc7568">RFC 7568</A></P>
|
||||
|
||||
<P>SSLv2 is not fit for purpose. Squid no longer supports being configured with
|
||||
any settings regarding this protocol. That includes settings manually disabling
|
||||
its use since it is now forced to disable by default. Also settings enabling
|
||||
various client/server workarounds specific to SSLv2 are removed.</P>
|
||||
|
||||
<P>SSLv3 is not fit for purpose. Squid still accepts configuration, but use
|
||||
is deprecated and will be removed entirely in a future version.
|
||||
Squid default behavour is to follow the TLS built in negotiation mechanism
|
||||
which prefers the latest TLS version. But also to accept downgrades to SSLv3.
|
||||
Use <EM>tls-options=NO_SSLv3</EM> to disable SSLv3 support completely.</P>
|
||||
|
||||
<P>A new option <EM>tls-min-version=1.N</EM> is added in place of <EM>sslversion=</EM>
|
||||
to configure the minimum version the TLS negotiation will allow to be used
|
||||
when an old TLS version is requested by the remote endpoint.</P>
|
||||
|
||||
<P>The system Trusted CAs are no longer used by default when verifying client
|
||||
certificates. The <EM>cafile=</EM> option should be used instead to
|
||||
explicitly load the specific CA which signed acceptible client certificates,
|
||||
even if that CA is one of the system Trusted CAs.
|
||||
The <EM>tls-default-ca</EM> option can be used to restore the old
|
||||
behaviour if needed.</P>
|
||||
|
||||
|
||||
<H2><A NAME="ss2.4">2.4</A> <A HREF="#toc2.4">Helper Binary Changes</A>
|
||||
</H2>
|
||||
|
||||
<P>The <EM>basic_msnt_multi_domain_auth</EM> helper has been removed. The
|
||||
<EM>basic_smb_lm_auth</EM> helper performs the same actions without extra
|
||||
Perl and Samba dependencies.</P>
|
||||
|
||||
<P>The <EM>cert_valid.pl</EM> testing helper has been renamed to
|
||||
<EM>security_fake_certverify</EM>, reflecting the Squid helper naming schema
|
||||
and that it does not actually perform any certificate checks.</P>
|
||||
|
||||
<P>The <EM>security_fake_certverify</EM> helper is also now built and installed
|
||||
by default. It is written in Perl so does not require OpenSSL dependencies
|
||||
for installation. But does use the Perl Crypt::OpenSSL::X509 module for execution.
|
||||
Building the helper can be controlled using the <EM>--enable-security-cert-validators="fake"</EM>
|
||||
option.</P>
|
||||
|
||||
<P>The <EM>ssl_crtd</EM> helper has been renamed to <EM>security_file_certgen</EM>
|
||||
and is now built and installed by default whenever OpenSSL support is enabled.
|
||||
Building the helper can be controlled using the <EM>--enable-security-cert-generators="file"</EM>
|
||||
option.</P>
|
||||
|
||||
<P>NOTE: The <EM>--enable-ssl-crtd</EM> option is still required to enable the
|
||||
<EM>sslcrtd_program</EM> helper interface within Squid that uses the helper.</P>
|
||||
|
||||
<P>The <EM>ntlm_smb_lm_auth</EM> helper is now built using <EM>--enable-auth-ntlm="SMB_LM"</EM>.
|
||||
Notice the upper case where it was previously a (wrongly) lower cased acronym.</P>
|
||||
|
||||
|
||||
<H2><A NAME="ss2.5">2.5</A> <A HREF="#toc2.5">Secure ICAP</A>
|
||||
</H2>
|
||||
|
||||
<P>ICAP services can now be used over TLS connections.</P>
|
||||
|
||||
<P>To mark an ICAP service as secure, use an <EM>icaps://</EM> service URI scheme when
|
||||
listing your service via an icap_service directive. The industry is using a
|
||||
<EM>Secure ICAP</EM> term, and Squid follows that convention, but <EM>icaps</EM> seems more
|
||||
appropriate for a <EM>scheme</EM> name.</P>
|
||||
|
||||
<P>Squid uses <EM>port 11344</EM> for Secure ICAP by default, following another popular
|
||||
proxy convention. The old 1344 default for plain ICAP ports has not changed.</P>
|
||||
|
||||
|
||||
<H2><A NAME="ss2.6">2.6</A> <A HREF="#toc2.6">Improved SMP support</A>
|
||||
</H2>
|
||||
|
||||
<P>Use of C++11 atomic operations instead of GNU atomics allows a wider range of
|
||||
operating systems and compilers to build Squid SMP and multi-process features.
|
||||
However this does require a C++11 compiler with a recent version of the C++
|
||||
standard library.</P>
|
||||
|
||||
<P>IpcIo and Mmapped disk I/O modules are now auto-detected properly which
|
||||
enables Rock storage on more systems by default than previously.</P>
|
||||
|
||||
|
||||
<H2><A NAME="ss2.7">2.7</A> <A HREF="#toc2.7">Improved process management</A>
|
||||
</H2>
|
||||
|
||||
<P>Squid is traditionally refered to as a daemon. But is actually a combination
|
||||
of daemon and daemon manager processes. This has caused significant problems
|
||||
integrating it with other third-party daemon managers.</P>
|
||||
|
||||
<P>The Squid process which places its PID into the squid.pid file has always
|
||||
been the process to which control signals are sent. The manager process is
|
||||
now taking on signal handling instead of the main daemon process. Enabling
|
||||
integration with daemon managers such as Upstart or systemd which assume the
|
||||
process they initiated is the daemon with a PID to control.</P>
|
||||
|
||||
<P>The squid binary now has a new <EM>--foreground</EM> command line option,
|
||||
which (only) prevents daemonizing the master process.
|
||||
Unlike the old <EM>-N</EM> option,
|
||||
<EM>--foreground</EM> supports SMP workers and multi-process features.
|
||||
<EM>--foreground</EM> is particularly useful for use with <EM>-z</EM> (disk
|
||||
cache structures creation), as it allows the caller to wait until Squid has
|
||||
finished.</P>
|
||||
|
||||
<P>The squid binary now accepts a <EM>--kid</EM> command line option which
|
||||
informs the process which role it is to take on. This aids with debugging
|
||||
SMP issues with specific process types and resolves some SMP forking issues.</P>
|
||||
|
||||
|
||||
<H2><A NAME="ss2.8">2.8</A> <A HREF="#toc2.8">Initial GnuTLS support</A>
|
||||
</H2>
|
||||
|
||||
<P>Squid can now be built to use GnuTLS in place of OpenSSL for the core
|
||||
features of receiving TLS connections from clients and making TLS
|
||||
connections to servers. The GnuTLS support is still very much experimental
|
||||
and should be tested before use.</P>
|
||||
|
||||
<P>SSL-Bump and certificate generation features are not yet supported by
|
||||
GnuTLS builds. Nor are many other less commonly used Squid TLS/SSL features.</P>
|
||||
|
||||
<P><EM>squid.conf</EM> directives and configuration options which have undergone
|
||||
name changes from 'ssl' to 'tls' prefix in Squid-4 have GnuTLS support, unless
|
||||
explicitly stated otherwise.</P>
|
||||
|
||||
<P>Advanced configuration with specific selection of ciphers and similar settings
|
||||
should still work, but needs the GnuTLS <EM>Priority Strings</EM> instead of
|
||||
the OpenSSL options when using GnuTLS.
|
||||
See
|
||||
<A HREF="https://www.gnutls.org/manual/gnutls.html#Priority-Strings">GnuTLS manual</A>
|
||||
for more details.</P>
|
||||
|
||||
|
||||
<H2><A NAME="ss2.9">2.9</A> <A HREF="#toc2.9">ESI Custom Parser removal</A>
|
||||
</H2>
|
||||
|
||||
<P>The Squid custom ESI (Edge Side Includes) parser has been removed in favour
|
||||
of better supported and maintained third-party libraries. At least one of libxml2
|
||||
or libexpat is now mandatory to build support for the ESI response processor.</P>
|
||||
|
||||
|
||||
<H2><A NAME="s3">3.</A> <A HREF="#toc3">Changes to squid.conf since Squid-3.5</A></H2>
|
||||
|
||||
<P>There have been changes to Squid's configuration file since Squid-3.5.</P>
|
||||
<P>This section gives a thorough account of those changes in three categories:</P>
|
||||
<P>
|
||||
<UL>
|
||||
<LI>
|
||||
<A HREF="#newtags">New tags</A></LI>
|
||||
<LI>
|
||||
<A HREF="#modifiedtags">Changes to existing tags</A></LI>
|
||||
<LI>
|
||||
<A HREF="#removedtags">Removed tags</A></LI>
|
||||
</UL>
|
||||
</P>
|
||||
|
||||
|
||||
<H2><A NAME="newtags"></A> <A NAME="ss3.1">3.1</A> <A HREF="#toc3.1">New tags</A>
|
||||
</H2>
|
||||
|
||||
<P>
|
||||
<DL>
|
||||
<DT><B>collapsed_forwarding_shared_entries_limit</B><DD>
|
||||
<P>New directive to limit the size of a table used for sharing information
|
||||
about collapsible entries among SMP workers.</P>
|
||||
|
||||
<DT><B>force_request_body_continuation</B><DD>
|
||||
<P>New directive to control Squid behaviour on the client connection when
|
||||
receiving an HTTP request with an Expect:100-continue header.</P>
|
||||
|
||||
<DT><B>hopeless_kid_revival_delay</B><DD>
|
||||
<P>New directive to set a cool-down delay reviving a child process if
|
||||
the process is encountering frequent deaths.</P>
|
||||
|
||||
<DT><B>on_unsupported_protocol</B><DD>
|
||||
<P>New directive to set the action performed when encountering strange
|
||||
protocol requests at the beginning of an accepted TCP connection.</P>
|
||||
|
||||
<DT><B>pconn_lifetime</B><DD>
|
||||
<P>New directive to limit the lifetime of persistent connections.</P>
|
||||
|
||||
<DT><B>reply_header_add</B><DD>
|
||||
<P>New directive to add header fields to outgoing HTTP responses to
|
||||
the client.</P>
|
||||
|
||||
<DT><B>request_start_timeout</B><DD>
|
||||
<P>New directive controlling how long Squid waits for the first request
|
||||
bytes to arrive after initial connection establishment by a client.</P>
|
||||
|
||||
<DT><B>server_pconn_for_nonretriable</B><DD>
|
||||
<P>New directive to provide fine-grained control over persistent connection
|
||||
reuse when forwarding HTTP requests that Squid cannot retry. It is useful
|
||||
in environments where opening new connections is very expensive
|
||||
and race conditions associated with persistent connections are very rare
|
||||
and/or only cause minor problems.</P>
|
||||
|
||||
<DT><B>shared_memory_locking</B><DD>
|
||||
<P>New directive to ensure shared memory is all available immediately
|
||||
on startup. Protects against SIGBUS errors, but delays startup.</P>
|
||||
|
||||
<DT><B>tls_outgoing_options</B><DD>
|
||||
<P>New directive to define TLS security context options for outgoing
|
||||
connections. For example to HTTPS servers.</P>
|
||||
|
||||
<DT><B>url_rewrite_timeout</B><DD>
|
||||
<P>Squid times active requests to redirector. This directive sets
|
||||
the timeout value and the Squid reaction to a timed out
|
||||
request.</P>
|
||||
|
||||
</DL>
|
||||
</P>
|
||||
|
||||
<H2><A NAME="modifiedtags"></A> <A NAME="ss3.2">3.2</A> <A HREF="#toc3.2">Changes to existing tags</A>
|
||||
</H2>
|
||||
|
||||
<P>
|
||||
<DL>
|
||||
<DT><B>access_log</B><DD>
|
||||
<P>TCP accept(2) errors logged with URI <EM>error:accept-client-connection</EM>.</P>
|
||||
<P>Unused connections received in <EM>http_port</EM> or <EM>https_port</EM>
|
||||
or transactions terminated before reading[parsing] request headers are
|
||||
logged with URI <EM>error:transaction-end-before-headers</EM>.</P>
|
||||
<P>New option <EM>rotate=</EM> to control the number of log file rotations
|
||||
to make when <EM>-k rotate</EM> command is received. Default is to
|
||||
obey the <EM>logfile_rotate</EM> directive.</P>
|
||||
|
||||
<DT><B>acl</B><DD>
|
||||
<P>New <EM>-m</EM> flag for <EM>note</EM> ACL to match substrings.</P>
|
||||
<P>New <EM>client_connection_mark</EM> type for matching Netfilter
|
||||
CONNMARK of the client TCP connection.</P>
|
||||
<P>New <EM>connections_encrypted</EM> type for matching transactions
|
||||
where all HTTP messages were received over TLS transport connections,
|
||||
including messages received from ICAP servers.</P>
|
||||
<P>New <EM>has</EM> type for matching whether or not Squid is able to provide
|
||||
certain sets of transaction state. For example HTTP reply headers.</P>
|
||||
<P>New <EM>transaction_initiator</EM> type for detecting various
|
||||
unusual transactions.</P>
|
||||
<P>New <EM>--consensus</EM>, <EM>--client-requested</EM> and
|
||||
<EM>--server-provided</EM> flags for the <EM>ssl::server_name</EM>
|
||||
type to control which server name to match against.</P>
|
||||
|
||||
<DT><B>auth_param</B><DD>
|
||||
<P>New parameter <EM>queue-size=</EM> to set the maximum number
|
||||
of queued requests.</P>
|
||||
<P>New parameter <EM>on-persistent-overload=</EM> to set the action taken
|
||||
when the helper queue is overloaded.</P>
|
||||
|
||||
<DT><B>cache_peer</B><DD>
|
||||
<P>New option <EM>auth-no-keytab</EM> to let GSSAPI implementation determine
|
||||
which Kerberos credentials to use, instead of specifying a keytab.</P>
|
||||
<P>Replaced option <EM>ssl</EM> with <EM>tls</EM>. Use of any
|
||||
<EM>tls-</EM> prefixed options implies <EM>tls</EM> is enabled.</P>
|
||||
<P>New option <EM>tls-min-version=1.N</EM> to set minimum TLS version allowed.</P>
|
||||
<P>New option <EM>tls-default-ca</EM> replaces <EM>sslflags=NO_DEFAULT_CA</EM></P>
|
||||
<P>New option <EM>tls-no-npn</EM> to disable sending TLS NPN extension.</P>
|
||||
<P>All <EM>ssloptions=</EM> values for SSLv2 configuration or disabling
|
||||
have been removed.</P>
|
||||
<P>Removed <EM>sslversion=</EM> option. Use <EM>tls-options=</EM> instead.</P>
|
||||
<P>Manual squid.conf update may be required on upgrade.</P>
|
||||
<P>Replaced option <EM>sslcafile=</EM> with <EM>tls-cafile=</EM>
|
||||
which takes multiple entries.</P>
|
||||
|
||||
<DT><B>deny_info</B><DD>
|
||||
<P>New format macro <EM>%O</EM> to expand the <EM>message=</EM> value supplied
|
||||
by external ACL helpers.</P>
|
||||
|
||||
<DT><B>ecap_service</B><DD>
|
||||
<P>New <EM>connection-encryption=</EM> option to determine ICAP service
|
||||
effect on <EM>connections_encrypted</EM> ACL.</P>
|
||||
|
||||
<DT><B>esi_parser</B><DD>
|
||||
<P>Removed <EM>custom</EM> parser option.</P>
|
||||
<P>Changed default to auto-detect available parsers instead of <EM>custom</EM>.</P>
|
||||
|
||||
<DT><B>external_acl_type</B><DD>
|
||||
<P>New parameter <EM>queue-size=</EM> to set the maximum number
|
||||
of queued requests.</P>
|
||||
<P>New parameter <EM>on-persistent-overload=</EM> to set the action taken
|
||||
when the helper queue is overloaded.</P>
|
||||
<P>Format field updated to accept any logformat %macro code.</P>
|
||||
<P>The optional <EM>acl-value</EM> fields in this helper input now expand
|
||||
to a dash ('-') if the %DATA macro is not specified explicitly.</P>
|
||||
|
||||
<DT><B>http_port</B><DD>
|
||||
<P>New option <EM>tls-min-version=1.N</EM> to set minimum TLS version allowed.</P>
|
||||
<P>New option <EM>tls-default-ca</EM> replaces <EM>sslflags=NO_DEFAULT_CA</EM>,
|
||||
the default is also changed to OFF.</P>
|
||||
<P>New option <EM>tls-no-npn</EM> to disable sending TLS NPN extension.</P>
|
||||
<P>All <EM>option=</EM> values for SSLv2 configuration or disabling
|
||||
have been removed.</P>
|
||||
<P>Removed <EM>version=</EM> option. Use <EM>tls-options=</EM> instead.</P>
|
||||
<P>Manual squid.conf update may be required on upgrade.</P>
|
||||
<P>Replaced <EM>cafile=</EM> with <EM>tls-cafile=</EM> which takes multiple entries.</P>
|
||||
<P>Changed default value of <EM>generate-host-certificates</EM> to ON.</P>
|
||||
|
||||
<DT><B>https_port</B><DD>
|
||||
<P>New option <EM>tls-min-version=1.N</EM> to set minimum TLS version allowed.</P>
|
||||
<P>New option <EM>tls-default-ca</EM> replaces <EM>sslflags=NO_DEFAULT_CA</EM>,
|
||||
the default is also changed to OFF.</P>
|
||||
<P>New option <EM>tls-no-npn</EM> to disable sending TLS NPN extension.</P>
|
||||
<P>All <EM>options=</EM> values for SSLv2
|
||||
configuration or disabling have been removed.</P>
|
||||
<P>Removed <EM>version=</EM> option. Use <EM>tls-options=</EM> instead.</P>
|
||||
<P>Manual squid.conf update may be required on upgrade.</P>
|
||||
<P>Replaced <EM>cafile=</EM> with <EM>tls-cafile=</EM> which takes multiple entries.</P>
|
||||
<P>Changed default value of <EM>generate-host-certificates</EM> to ON.</P>
|
||||
|
||||
<DT><B>icap_service</B><DD>
|
||||
<P>New scheme <EM>icaps://</EM> to enable TLS/SSL connections to Secure ICAP
|
||||
servers on port 11344.</P>
|
||||
<P>New <EM>connection-encryption=</EM> option to determine ICAP service
|
||||
effect on <EM>connections_encrypted</EM> ACL.</P>
|
||||
<P>New <EM>tls-cert=</EM> option to set TLS client certificate to use.</P>
|
||||
<P>New <EM>tls-key=</EM> option to set TLS private key matching the client
|
||||
certificate used.</P>
|
||||
<P>New <EM>tls-min-version=1.N</EM> option to set minimum TLS version allowed
|
||||
on server connections.</P>
|
||||
<P>New <EM>tls-options=</EM> option to set OpenSSL library parameters.</P>
|
||||
<P>New <EM>tls-flags=</EM> option to set flags modifying Squid TLS operations.</P>
|
||||
<P>New <EM>tls-cipher=</EM> option to set a list of ciphers permitted.</P>
|
||||
<P>New <EM>tls-cafile=</EM> option to set a file with additional CA
|
||||
certificate(s) to verify the server certificate.</P>
|
||||
<P>New <EM>tls-capath=</EM> option to set a directory with additional CA
|
||||
certificate(s) to verify the server certificate.</P>
|
||||
<P>New <EM>tls-crlfile=</EM> option to set a file with a CRL to verify the
|
||||
server certificate.</P>
|
||||
<P>New <EM>tls-default-ca</EM> option to use the system Trusted CAs to
|
||||
verify the server certificate.</P>
|
||||
<P>New <EM>tls-domain=</EM> option to verify the server certificate domain.</P>
|
||||
|
||||
<DT><B>logfile_daemon</B><DD>
|
||||
<P>Now only requires that helper binary exists when daemon: log module
|
||||
is actually being used.</P>
|
||||
|
||||
<DT><B>logformat</B><DD>
|
||||
<P>New quoting modifier to produce <EM>\-escaped</EM> output.</P>
|
||||
<P>New code <EM>%ssl::<cert_errors</EM> to display server X.509
|
||||
certificate errors.</P>
|
||||
<P>New code <EM>%ssl::<cert_issuer</EM> to display Issuer field of
|
||||
the received server X.509 certificate.</P>
|
||||
<P>New code <EM>%ssl::<cert_subject</EM> to display Subject field of
|
||||
the received server X.509 certificate.</P>
|
||||
<P>New code <EM>%ssl::>negotiated_version</EM> to display
|
||||
negotiated TLS version of the client connection.</P>
|
||||
<P>New code <EM>%ssl::<negotiated_version</EM> to display
|
||||
negotiated TLS version of the last server or peer connection.</P>
|
||||
<P>New code <EM>%ssl::>received_hello_version</EM> to display the
|
||||
TLS version of the Hello message received from TLS client.</P>
|
||||
<P>New code <EM>%ssl::<received_hello_version</EM> to display the
|
||||
TLS version of the Hello message received from TLS server.</P>
|
||||
<P>New code <EM>%ssl::>received_supported_version</EM> to display
|
||||
the maximum TLS version supported by the TLS client.</P>
|
||||
<P>New code <EM>%ssl::<received_supported_version</EM> to display
|
||||
the maximum TLS version supported by the TLS server.</P>
|
||||
<P>New code <EM>%ssl::>negotiated_cipher</EM> to display the
|
||||
negotiated cipher of the client connection.</P>
|
||||
<P>New code <EM>%ssl::<negotiated_cipher</EM> to display the
|
||||
negotiated cipher of the last server or peer connection.</P>
|
||||
<P>New code <EM>%>handshake</EM> to display initial octets
|
||||
received on a client connection (Base64 encoded).</P>
|
||||
<P>Fixed <EM>%<Hs</EM>, <EM>%<pt</EM> and <EM>%<tt</EM>
|
||||
codes for received CONNECT errors.</P>
|
||||
<P>Improved <EM>%<bs</EM> logging on forwarding retries.</P>
|
||||
<P>Improved <EM>%<Hs</EM>, <EM>%<pt</EM>, <EM>%<tt</EM>,
|
||||
<EM>%<bs</EM> logging on SslBump errors.</P>
|
||||
|
||||
<DT><B>pid_filename</B><DD>
|
||||
<P>Default value now based on squid -n command line parameter.</P>
|
||||
<P>This directive is no longer mandatory to edit for
|
||||
multi-instance/tenant Squid installations.</P>
|
||||
|
||||
<DT><B>refresh_pattern</B><DD>
|
||||
<P>Removed option <EM>ignore-auth</EM>. Its commonly desired behaviour
|
||||
is performed by default with correct HTTP/1.1 revalidation.</P>
|
||||
<P>Removed option <EM>ignore-must-revalidate</EM>. Other more HTTP compliant
|
||||
directives (<EM>cache</EM>, <EM>store_miss</EM>) can be used to prevent
|
||||
objects from caching.</P>
|
||||
|
||||
<DT><B>sslcrtd_children</B><DD>
|
||||
<P>New parameter <EM>queue-size=</EM> to set the maximum number
|
||||
of queued requests.</P>
|
||||
<P>New parameter <EM>on-persistent-overload=</EM> to set the action taken
|
||||
when the helper queue is overloaded.</P>
|
||||
|
||||
<DT><B>sslcrtvalidator_children</B><DD>
|
||||
<P>New parameter <EM>queue-size=</EM> to set the maximum number
|
||||
of queued requests.</P>
|
||||
<P>New parameter <EM>on-persistent-overload=</EM> to set the action taken
|
||||
when the helper queue is overloaded.</P>
|
||||
|
||||
<DT><B>store_id_children</B><DD>
|
||||
<P>New parameter <EM>queue-size=</EM> to set the maximum number
|
||||
of queued requests.</P>
|
||||
<P>New parameter <EM>on-persistent-overload=</EM> to set the action taken
|
||||
when the helper queue is overloaded.</P>
|
||||
|
||||
<DT><B>url_rewrite_children</B><DD>
|
||||
<P>New parameter <EM>queue-size=</EM> to set the maximum number
|
||||
of queued requests.</P>
|
||||
<P>New parameter <EM>on-persistent-overload=</EM> to set the action taken
|
||||
when the helper queue is overloaded.</P>
|
||||
|
||||
</DL>
|
||||
</P>
|
||||
|
||||
<H2><A NAME="removedtags"></A> <A NAME="ss3.3">3.3</A> <A HREF="#toc3.3">Removed tags</A>
|
||||
</H2>
|
||||
|
||||
<P>
|
||||
<DL>
|
||||
<DT><B>cache_peer_domain</B><DD>
|
||||
<P>Superceded by <EM>cache_peer_access</EM>. Use dstdomain ACL
|
||||
in the access control list to restrict domains requested.</P>
|
||||
|
||||
<DT><B>ie_refresh</B><DD>
|
||||
<P>Removed. MSIE 3.x, 4.x, 5.0 and 5.01 are no longer popular browsers.</P>
|
||||
|
||||
<DT><B>sslproxy_cafile</B><DD>
|
||||
<P>Replaced by <EM>tls_outgoing_options cafile=</EM>.
|
||||
Which now takes multiple entries.</P>
|
||||
|
||||
<DT><B>sslproxy_capath</B><DD>
|
||||
<P>Replaced by <EM>tls_outgoing_options capath=</EM>.</P>
|
||||
|
||||
<DT><B>sslproxy_cipher</B><DD>
|
||||
<P>Replaced by <EM>tls_outgoing_options cipher=</EM>.</P>
|
||||
|
||||
<DT><B>sslproxy_client_certificate</B><DD>
|
||||
<P>Replaced by <EM>tls_outgoing_options cert=</EM>.</P>
|
||||
|
||||
<DT><B>sslproxy_client_key</B><DD>
|
||||
<P>Replaced by <EM>tls_outgoing_options key=</EM>.</P>
|
||||
|
||||
<DT><B>sslproxy_flags</B><DD>
|
||||
<P>Replaced by <EM>tls_outgoing_options flags=</EM>.</P>
|
||||
|
||||
<DT><B>sslproxy_options</B><DD>
|
||||
<P>Replaced by <EM>tls_outgoing_options options=</EM>.</P>
|
||||
<P>All values for SSLv2 configuration or disabling have been removed.</P>
|
||||
<P>Manual squid.conf update may be required on upgrade.</P>
|
||||
|
||||
<DT><B>sslproxy_version</B><DD>
|
||||
<P>Replaced by <EM>tls_outgoing_options options=</EM>.</P>
|
||||
<P>All values for SSLv2 configuration or disabling have been removed.</P>
|
||||
<P>Manual squid.conf update may be required on upgrade.</P>
|
||||
|
||||
</DL>
|
||||
</P>
|
||||
|
||||
|
||||
<H2><A NAME="s4">4.</A> <A HREF="#toc4">Changes to ./configure options since Squid-3.5</A></H2>
|
||||
|
||||
<P>There have been some changes to Squid's build configuration since Squid-3.5.</P>
|
||||
<P>This section gives an account of those changes in three categories:</P>
|
||||
<P>
|
||||
<UL>
|
||||
<LI>
|
||||
<A HREF="#newoptions">New options</A></LI>
|
||||
<LI>
|
||||
<A HREF="#modifiedoptions">Changes to existing options</A></LI>
|
||||
<LI>
|
||||
<A HREF="#removedoptions">Removed options</A></LI>
|
||||
</UL>
|
||||
</P>
|
||||
|
||||
|
||||
<H2><A NAME="newoptions"></A> <A NAME="ss4.1">4.1</A> <A HREF="#toc4.1">New options</A>
|
||||
</H2>
|
||||
|
||||
<P>
|
||||
<DL>
|
||||
<DT><B>--enable-security-cert-generators</B><DD>
|
||||
<P>New option to control which TLS/SSL dynamic certificate generator
|
||||
helpers are built and installed.</P>
|
||||
<P>Helper <EM>ssl_crtd</EM> has been renamed to <EM>security_file_certgen</EM>
|
||||
and built with module name <EM>file</EM>. Requires <EM>--with-openssl</EM>.</P>
|
||||
|
||||
<DT><B>--enable-security-cert-validators</B><DD>
|
||||
<P>New option to control which TLS/SSL certificate validation
|
||||
helpers are built and installed.</P>
|
||||
<P>One <EM>fake</EM> helper that does not actually perform any
|
||||
certificate checks is provided for testing and as an example
|
||||
for writing custom helpers.</P>
|
||||
|
||||
<DT><B>--without-cppunit</B><DD>
|
||||
<P>The cppunit testing framework is auto-detected and used when available.
|
||||
This option can be used to disable it explicitly.</P>
|
||||
|
||||
</DL>
|
||||
</P>
|
||||
|
||||
<H2><A NAME="modifiedoptions"></A> <A NAME="ss4.2">4.2</A> <A HREF="#toc4.2">Changes to existing options</A>
|
||||
</H2>
|
||||
|
||||
<P>
|
||||
<DL>
|
||||
<DT><B>--enable-auth-basic</B><DD>
|
||||
<P>The <EM>MSNT-multi-domain</EM> helper has been removed.</P>
|
||||
<P>The SMB LanMan helper <EM>SMB_LM</EM> is no longer built by default.
|
||||
It needs to be explicitly listed to be built.</P>
|
||||
|
||||
<DT><B>--enable-auth-ntlm</B><DD>
|
||||
<P>The SMB LanMan helper is now built using <EM>SMB_LM</EM>
|
||||
(was lower case <EM>smb_lm</EM>).</P>
|
||||
<P>The SMB LanMan helper <EM>SMB_LM</EM> is no longer built by default.
|
||||
It needs to be explicitly listed to be built.</P>
|
||||
|
||||
<DT><B>--enable-diskio</B><DD>
|
||||
<P>Auto-detection of SMP related modules has been fixed to
|
||||
actually auto-detect them without configuring the module
|
||||
list manually.</P>
|
||||
|
||||
<DT><B>--enable-esi</B><DD>
|
||||
<P>Custom ESI parser has been removed.
|
||||
Libxml2 or libexpat is now required to enable ESI processing.</P>
|
||||
|
||||
</DL>
|
||||
</P>
|
||||
<H2><A NAME="removedoptions"></A> <A NAME="ss4.3">4.3</A> <A HREF="#toc4.3">Removed options</A>
|
||||
</H2>
|
||||
|
||||
<P>
|
||||
<DL>
|
||||
<DT><B>--with-cppunit-basedir</B><DD>
|
||||
<P>Replaced by <EM>--with-cppunit=PATH</EM>.
|
||||
Please prefer the default auto-detection though.</P>
|
||||
|
||||
<DT><B>XSTD_USE_LIBLTDL</B><DD>
|
||||
<P>Removed. Use <EM>--with-included-ltdl</EM> instead.</P>
|
||||
</DL>
|
||||
</P>
|
||||
|
||||
|
||||
<H2><A NAME="s5">5.</A> <A HREF="#toc5">Regressions since Squid-2.7</A></H2>
|
||||
|
||||
<P>Some squid.conf options which were available in Squid-2.7 are not yet available in Squid-4</P>
|
||||
|
||||
<P>If you need something to do then porting one of these from Squid-2 to Squid-3 is most welcome.</P>
|
||||
|
||||
<H2><A NAME="ss5.1">5.1</A> <A HREF="#toc5.1">Missing squid.conf options available in Squid-2.7</A>
|
||||
</H2>
|
||||
|
||||
<P>
|
||||
<DL>
|
||||
<DT><B>broken_vary_encoding</B><DD>
|
||||
<P>Not yet ported from 2.6</P>
|
||||
|
||||
<DT><B>cache_peer</B><DD>
|
||||
<P><EM>monitorinterval=</EM> not yet ported from 2.6</P>
|
||||
<P><EM>monitorsize=</EM> not yet ported from 2.6</P>
|
||||
<P><EM>monitortimeout=</EM> not yet ported from 2.6</P>
|
||||
<P><EM>monitorurl=</EM> not yet ported from 2.6</P>
|
||||
|
||||
<DT><B>cache_vary</B><DD>
|
||||
<P>Not yet ported from 2.6</P>
|
||||
|
||||
<DT><B>error_map</B><DD>
|
||||
<P>Not yet ported from 2.6</P>
|
||||
|
||||
<DT><B>external_refresh_check</B><DD>
|
||||
<P>Not yet ported from 2.7</P>
|
||||
|
||||
<DT><B>location_rewrite_access</B><DD>
|
||||
<P>Not yet ported from 2.6</P>
|
||||
|
||||
<DT><B>location_rewrite_children</B><DD>
|
||||
<P>Not yet ported from 2.6</P>
|
||||
|
||||
<DT><B>location_rewrite_concurrency</B><DD>
|
||||
<P>Not yet ported from 2.6</P>
|
||||
|
||||
<DT><B>location_rewrite_program</B><DD>
|
||||
<P>Not yet ported from 2.6</P>
|
||||
|
||||
<DT><B>refresh_pattern</B><DD>
|
||||
<P><EM>stale-while-revalidate=</EM> not yet ported from 2.7</P>
|
||||
<P><EM>ignore-stale-while-revalidate=</EM> not yet ported from 2.7</P>
|
||||
<P><EM>negative-ttl=</EM> not yet ported from 2.7</P>
|
||||
|
||||
<DT><B>refresh_stale_hit</B><DD>
|
||||
<P>Not yet ported from 2.7</P>
|
||||
|
||||
<DT><B>update_headers</B><DD>
|
||||
<P>Not yet ported from 2.7</P>
|
||||
|
||||
</DL>
|
||||
</P>
|
||||
|
||||
<H2><A NAME="s6">6.</A> <A HREF="#toc6">Copyright</A></H2>
|
||||
|
||||
<P>Copyright (C) 1996-2018 The Squid Software Foundation and contributors</P>
|
||||
<P>Squid software is distributed under GPLv2+ license and includes
|
||||
contributions from numerous individuals and organizations.
|
||||
Please see the COPYING and CONTRIBUTORS files for details.</P>
|
||||
|
||||
</BODY>
|
||||
</HTML>
|
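Review bot: this hunk deletes the entire 740-line generated release-notes page (the META GENERATOR tag near the top of the hunk identifies it as LinuxDoc-Tools 0.9.73 output) and adds nothing in its place, so the operator guidance it carries disappears from this tree: the SSLv2 removal and the tls-options=NO_SSLv3 advice in section 2.3, the tls-default-ca default changing to OFF on http_port and https_port, the section 2.2 warning that the old helper-mux.pl will spawn up to 2^64 helpers and DoS the proxy, and the note that array-indexed concurrency helpers must handle a 64-bit channel ID or risk buffer overrun. If the intent is to stop committing generated HTML, the commit message should say so and confirm the LinuxDoc source the page is built from is retained; if the notes are moving elsewhere, a pointer to the new location belongs in the commit message. Only the deletion is visible here, so the reviewer cannot tell which case applies.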