Accepting request 214647 from server:proxy

update to 3.4.2 (forwarded request 214646 from computersalat)

OBS-URL: https://build.opensuse.org/request/show/214647
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/squid?expand=0&rev=16
This commit is contained in:
Stephan Kulow 2014-01-22 13:00:42 +00:00 committed by Git OBS Bridge
commit d7aa5e4f6d
11 changed files with 473 additions and 267 deletions

@ -2,14 +2,14 @@
<HTML> <HTML>
<HEAD> <HEAD>
<META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.69"> <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.69">
<TITLE>Squid 3.3.11 release notes</TITLE> <TITLE>Squid 3.4.2 release notes</TITLE>
</HEAD> </HEAD>
<BODY> <BODY>
<H1>Squid 3.3.11 release notes</H1> <H1>Squid 3.4.2 release notes</H1>
<H2>Squid Developers</H2> <H2>Squid Developers</H2>
<HR> <HR>
<EM>This document contains the release notes for version 3.3 of Squid. <EM>This document contains the release notes for version 3.4 of Squid.
Squid is a WWW Cache application developed by the National Laboratory Squid is a WWW Cache application developed by the National Laboratory
for Applied Network Research and members of the Web Caching community.</EM> for Applied Network Research and members of the Web Caching community.</EM>
<HR> <HR>
@ -18,20 +18,21 @@ for Applied Network Research and members of the Web Caching community.</EM>
<UL> <UL>
<LI><A NAME="toc1.1">1.1</A> <A HREF="#ss1.1">Known issues</A> <LI><A NAME="toc1.1">1.1</A> <A HREF="#ss1.1">Known issues</A>
<LI><A NAME="toc1.2">1.2</A> <A HREF="#ss1.2">Changes since earlier releases of Squid-3.3</A> <LI><A NAME="toc1.2">1.2</A> <A HREF="#ss1.2">Changes since earlier releases of Squid-3.4</A>
</UL> </UL>
<P> <P>
<H2><A NAME="toc2">2.</A> <A HREF="#s2">Major new features since Squid-3.2</A></H2> <H2><A NAME="toc2">2.</A> <A HREF="#s2">Major new features since Squid-3.3</A></H2>
<UL> <UL>
<LI><A NAME="toc2.1">2.1</A> <A HREF="#ss2.1">SQL Database logging helper</A> <LI><A NAME="toc2.1">2.1</A> <A HREF="#ss2.1">Helper protocol extensions</A>
<LI><A NAME="toc2.2">2.2</A> <A HREF="#ss2.2">Time-Quota session helper</A> <LI><A NAME="toc2.2">2.2</A> <A HREF="#ss2.2">SSL Server Certificate Validator</A>
<LI><A NAME="toc2.3">2.3</A> <A HREF="#ss2.3">SSL-Bump Server First</A> <LI><A NAME="toc2.3">2.3</A> <A HREF="#ss2.3">Store-ID</A>
<LI><A NAME="toc2.4">2.4</A> <A HREF="#ss2.4">Server Certificate Mimic</A> <LI><A NAME="toc2.4">2.4</A> <A HREF="#ss2.4">TPROXY Support for OpenBSD 5.1+ and FreeBSD 9+</A>
<LI><A NAME="toc2.5">2.5</A> <A HREF="#ss2.5">Custom HTTP request headers</A> <LI><A NAME="toc2.5">2.5</A> <A HREF="#ss2.5">Transaction Annotations</A>
<LI><A NAME="toc2.6">2.6</A> <A HREF="#ss2.6">Multicast DNS</A>
</UL> </UL>
<P> <P>
<H2><A NAME="toc3">3.</A> <A HREF="#s3">Changes to squid.conf since Squid-3.2</A></H2> <H2><A NAME="toc3">3.</A> <A HREF="#s3">Changes to squid.conf since Squid-3.3</A></H2>
<UL> <UL>
<LI><A NAME="toc3.1">3.1</A> <A HREF="#ss3.1">New tags</A> <LI><A NAME="toc3.1">3.1</A> <A HREF="#ss3.1">New tags</A>
@ -39,7 +40,7 @@ for Applied Network Research and members of the Web Caching community.</EM>
<LI><A NAME="toc3.3">3.3</A> <A HREF="#ss3.3">Removed tags</A> <LI><A NAME="toc3.3">3.3</A> <A HREF="#ss3.3">Removed tags</A>
</UL> </UL>
<P> <P>
<H2><A NAME="toc4">4.</A> <A HREF="#s4">Changes to ./configure options since Squid-3.2</A></H2> <H2><A NAME="toc4">4.</A> <A HREF="#s4">Changes to ./configure options since Squid-3.3</A></H2>
<UL> <UL>
<LI><A NAME="toc4.1">4.1</A> <A HREF="#ss4.1">New options</A> <LI><A NAME="toc4.1">4.1</A> <A HREF="#ss4.1">New options</A>
@ -56,14 +57,11 @@ for Applied Network Research and members of the Web Caching community.</EM>
<HR> <HR>
<H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2> <H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2>
<P>The Squid Team are pleased to announce the release of Squid-3.3.11.</P> <P>The Squid Team are pleased to announce the release of Squid-3.4.2 for testing.</P>
<P>This new release is available for download from <P>This new release is available for download from
<A HREF="http://www.squid-cache.org/Versions/v3/3.3/">http://www.squid-cache.org/Versions/v3/3.3/</A> or the <A HREF="http://www.squid-cache.org/Versions/v3/3.4/">http://www.squid-cache.org/Versions/v3/3.4/</A> or the
<A HREF="http://www.squid-cache.org/Mirrors/http-mirrors.html">mirrors</A>.</P> <A HREF="http://www.squid-cache.org/Mirrors/http-mirrors.html">mirrors</A>.</P>
<P>While this release is not deemed ready for production use, we believe it is ready for wider testing by the community.</P>
<P>A large number of the design flaws in SSL-Bump feature have been fixed along with general improvements all around.
While this release is not fully bug-free we believe it is ready for use in production on many systems.</P>
<P>We welcome feedback and bug reports. If you find a bug, please see <P>We welcome feedback and bug reports. If you find a bug, please see
<A HREF="http://wiki.squid-cache.org/SquidFaq/BugReporting">http://wiki.squid-cache.org/SquidFaq/BugReporting</A> <A HREF="http://wiki.squid-cache.org/SquidFaq/BugReporting">http://wiki.squid-cache.org/SquidFaq/BugReporting</A>
for how to submit a report with a stack trace.</P> for how to submit a report with a stack trace.</P>
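Review bot: the new Notice text announces Squid-3.4.2 "for testing" and says the release "is not deemed ready for production use", yet this request moves openSUSE:Factory from 3.3.11 to 3.4.2. The unchanged Known issues paragraph in the next hunk still calls the release "good enough for use in many setups", so the notes now contradict themselves. Worth confirming before acceptance that a release its own notes describe as a testing release is what Factory should carry.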
@ -72,162 +70,210 @@ for how to submit a report with a stack trace.</P>
</H2> </H2>
<P>Although this release is deemed good enough for use in many setups, please note the existence of <P>Although this release is deemed good enough for use in many setups, please note the existence of
<A HREF="http://bugs.squid-cache.org/buglist.cgi?query_format=advanced&amp;product=Squid&amp;bug_status=UNCONFIRMED&amp;bug_status=NEW&amp;bug_status=ASSIGNED&amp;bug_status=REOPENED&amp;version=3.3">open bugs against Squid-3.3</A>.</P> <A HREF="http://bugs.squid-cache.org/buglist.cgi?query_format=advanced&amp;product=Squid&amp;bug_status=UNCONFIRMED&amp;bug_status=NEW&amp;bug_status=ASSIGNED&amp;bug_status=REOPENED&amp;version=3.4">open bugs against Squid-3.4</A>.</P>
<H2><A NAME="ss1.2">1.2</A> <A HREF="#toc1.2">Changes since earlier releases of Squid-3.4</A>
<H2><A NAME="ss1.2">1.2</A> <A HREF="#toc1.2">Changes since earlier releases of Squid-3.3</A>
</H2> </H2>
<P>The 3.3 change history can be <P>The 3.4 change history can be
<A HREF="http://www.squid-cache.org/Versions/v3/3.3/changesets/">viewed here</A>.</P> <A HREF="http://www.squid-cache.org/Versions/v3/3.4/changesets/">viewed here</A>.</P>
<H2><A NAME="s2">2.</A> <A HREF="#toc2">Major new features since Squid-3.2</A></H2>
<P>Squid 3.3 represents a new feature release above 3.2.</P> <H2><A NAME="s2">2.</A> <A HREF="#toc2">Major new features since Squid-3.3</A></H2>
<P>Squid 3.4 represents a new feature release above 3.3.</P>
<P>The most important of these new features are: <P>The most important of these new features are:
<UL> <UL>
<LI>SQL Database logging helper</LI> <LI>Helper protocol extensions</LI>
<LI>Time-Quota session helper</LI> <LI>SSL Server Certificate Validator</LI>
<LI>SSL-Bump Server First</LI> <LI>Store-ID</LI>
<LI>Server Certificate Mimic</LI> <LI>TPROXY Support for OpenBSD 5.1+ and FreeBSD 9+</LI>
<LI>Custom HTTP request headers</LI> <LI>Transaction Annotations</LI>
<LI>Multicast DNS</LI>
</UL> </UL>
</P> </P>
<P>Most user-facing changes are reflected in squid.conf (see below).</P> <P>Most user-facing changes are reflected in squid.conf (see below).</P>
<H2><A NAME="ss2.1">2.1</A> <A HREF="#toc2.1">SQL Database logging helper</A>
</H2>
<P><EM>log_db_daemon</EM> - Database logging daemon for Squid</P> <H2><A NAME="ss2.1">2.1</A> <A HREF="#toc2.1">Helper protocol extensions</A>
<P>This program writes Squid access.log entries to an SQL database.
Written in Perl it can utilize any database supported by the Perl
database abstraction layer.</P>
<P>NOTE: Presently it only accepts the Squid native log format.</P>
<H2><A NAME="ss2.2">2.2</A> <A HREF="#toc2.2">Time-Quota session helper</A>
</H2>
<P><EM>ext_time_quota_acl</EM> - Time quota external ACL helper.</P>
<P>Allows an administrator to define time budgets (quota) for the
users of Squid to limit the time using Squid.</P>
<P>This is useful for corporate lunch time allocations, wifi portal
pay-per-minute installations or for parental control of children.</P>
<P>The administrator can define a time budget (e.g. 1 hour per day)
which is enforced through this helper using session estimations
of their browsing time. A 'pause' threshold is given in seconds
and defines the period between two requests to be treated as part
of the same session. Pauses shorter than this value will be
counted against the quota, longer ones ignored.</P>
<H2><A NAME="ss2.3">2.3</A> <A HREF="#toc2.3">SSL-Bump Server First</A>
</H2> </H2>
<P>Details at <P>Details at
<A HREF="http://wiki.squid-cache.org/Features/BumpSslServerFirst">http://wiki.squid-cache.org/Features/BumpSslServerFirst</A>.</P> <A HREF="http://wiki.squid-cache.org/Features/AddonHelpers">http://wiki.squid-cache.org/Features/AddonHelpers</A>.</P>
<P>When an intercepted connection is received, Squid first connects <P>The Squid helper protocol used to communicate with authenticators,
to the server using SSL and receives the server certificate. URL-rewriters, Redirectors, and External ACL helpers has been updated
Squid then uses the host name inside the true server certificate and extended.</P>
to generate a fake one and impersonates the server while still
using the already established secure connection to the server.</P>
<P>Bumping server first is essentially required for handling <P><EM>BH</EM> status code is now accepted from all helpers to report
intercepted HTTPS connections but the same scheme should be used internal error events separate from <EM>ERR</EM> rejection code.
for most HTTP CONNECT requests because it offers a few advantages Permitting Squid to perform recovery operations specific to
compared to the old bump-client-first approach:</P> helper failure instead of a blanket client rejection.</P>
<P>Arbitrary key-value pairs can be returned from any helper.
Allowing future helpers to be forward- and backward- compatible
with this and future versions of Squid.</P>
<H2><A NAME="ss2.2">2.2</A> <A HREF="#toc2.2">SSL Server Certificate Validator</A>
</H2>
<P>Details at
<A HREF="http://wiki.squid-cache.org/Features/SslServerCertValidator">http://wiki.squid-cache.org/Features/SslServerCertValidator</A>.</P>
<P>The helper consulted after the internal OpenSSL validation, regardless of the
validation results. The helper will receive:</P>
<P> <P>
<UL> <UL>
<LI>When Squid knows valid server certificate details, it can <LI>the origin server certificate (chain),</LI>
generate its fake server certificate with those details. <LI>the intended domain name, and</LI>
With the bump-client-first scheme, all those details are lost. <LI>a list of OpenSSL validation errors (if any).</LI>
In general, browsers do not care about those details but there
may be HTTP clients (or even human users) that require or could
benefit from knowing them.
</LI>
<LI>When a server sends a bad certificate, Squid may be able to
replicate that brokenness in its own fake certificate, giving
the HTTP client control whether to ignore the problem or
terminate the transaction. With bump-client-furst, it is
difficult to support similar dynamic, user-directed opt out;
Squid itself has to decide what to do when the server
certificate cannot be validated.
</LI>
<LI>When a server asks for a client certificate, Squid may be
able to ask the client and then forward the client certificate
to the server. Such client certificate handling may not be
possible with the bump-client-first scheme because it would
have to be done after the SSL handshake.
</LI>
<LI>Some clients (e.g., Rekonq browser v0.7.x) do not send host
names in CONNECT requests. Such clients require bump-server-first
even in forward proxying mode. Unfortunately, there are other
problems with fully supporting such clients (i.e., Squid does
not know whether the IP address in the CONNECT request is what
the user have typed into the address bar) so not all features
will work well for them until more specialized detection code
is added.</LI>
</UL> </UL>
</P> </P>
<H2><A NAME="ss2.4">2.4</A> <A HREF="#toc2.4">Server Certificate Mimic</A> <P>If the helper decides to honor an OpenSSL error or report another validation
error(s), the helper will return:</P>
<P>
<UL>
<LI>A list of certificates.</LI>
<LI>A list of items consists the the validation error name (see <EM>%err_name</EM>
error page macro and <EM>%err_details</EM> code for <EM>logformat</EM>), error reason
(<EM>%ssl_lib_error macro</EM>), and the offending certificate.</LI>
</UL>
</P>
<P>The returned information mimics what the internal OpenSSL-based validation code
collects now. Returned errors, if any, are fed to <EM>sslproxy_cert_error</EM>,
triggering the existing SSL error processing code.</P>
<P>The helper invocation controlled by the <EM>sslcrtvalidator_program</EM> and
<EM>sslcrtvalidator_children</EM> configurations options which are similar to the
<EM>ssl_crtd</EM> related options. </P>
<H2><A NAME="ss2.3">2.3</A> <A HREF="#toc2.3">Store-ID</A>
</H2> </H2>
<P>Details at <P>Details at
<A HREF="http://wiki.squid-cache.org/Features/MimicSslServerCert">http://wiki.squid-cache.org/Features/MimicSslServerCert</A>.</P> <A HREF="http://wiki.squid-cache.org/Features/StoreID">http://wiki.squid-cache.org/Features/StoreID</A>.</P>
<P>One of the SslBump features serious drawbacks is the loss of <P>This feature is a redesigned equivalent to the Squid-2.7 feature known as StoreURL-rewrite.</P>
information embedded in SSL server certificate.
This certificate mimic feature passes original SSL server <P><EM>Notice</EM> that this is not a direct portage of the Squid-2.7 feature so behaviour
certificate information to the user. Allowing the user to differences do exist. Although the new feature works in similar enough ways that the old
make an informed decision on whether to trust the server helper scripts used for Squid-2.7 are expected to work in this and later versions of Squid.</P>
certificate.</P>
<P>Squid traditionally uses the requested URL as an index key ID to locate objects in cache.
It is not the only key possible and the Store-ID feature exposes an API for external
helpers to provide Squid with an alternative key name for any URL.</P>
<P>When any client request is received which requires a cache lookup the URL is passed to
a helper specified with the <EM>store_id_program</EM> directive to check for an alternative
Store ID. This allows the helper to identify URLs which refer to duplicate resources and
de-duplicate the cache content. <EM>store_id_access</EM> is provided to allow ACL-based
tuning of which traffic gets sent to the helper and reduce overheads.</P>
<P>One subtle and noteworthy difference between Squid-2 and Squid-3 which is highlighted by
this feature is that <EM>refresh_pattern</EM> applies its regex argument against the Store
ID key and not the transaction URL. So using the Store-ID feature to alter the value
affects which <EM>refresh_pattern</EM> directive will be matched.</P>
<P>Store-ID helpers bundled with Squid can be built with the --enable-storeid-rewrite-helpers
option which is added in this version. Currently there is a <EM>file</EM> helper
provided.</P>
<H2><A NAME="ss2.5">2.5</A> <A HREF="#toc2.5">Custom HTTP request headers</A> <H2><A NAME="ss2.4">2.4</A> <A HREF="#toc2.4">TPROXY Support for OpenBSD 5.1+ and FreeBSD 9+</A>
</H2> </H2>
<P>The <EM>request_header_add</EM> option is added to insert <P>Details at
HTTP header fields to outgoing HTTP requests (i.e., <A HREF="http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf">http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf</A>.</P>
request headers sent by Squid to the next HTTP hop such as a
cache peer or an origin server). The option has no effect on
cache hit traffic or requests serviced by Squid and ICAP.</P>
<P>WARNING: If a standard HTTP header name is used, Squid does not check whether <P>The Packet Filter (PF) firewall in OpenBSD 4.4 and later offers traffic interception
the new header conflicts with any existing headers or violates using several very simple methods. One of which is the <EM>divert-to</EM> rule type
HTTP rules. If the request to be modified already contains a which acts as a simple routing diversion instead of performing NAT packet alterations.</P>
field with the same name, the old field is preserved but the
header field values are not merged.</P>
<P>Field-value set can be either a token or a quoted string. If quoted <P>The IP Firewall (IPFW) on FreeBSD 9+ contains a port of the Linux Netfilter TPROXY feature.</P>
string format is used, then the surrounding quotes are removed
while escape sequences and %macros are processed.</P>
<P>In theory, all of the <EM>logformat</EM> codes can be used as %macros. <P>This version of Squid adds support for these features through the ./configure
However, unlike logging (which happens at the very end of options --enable-pf-transparent and --enable-ipfw-transparent when Squid is built on
transaction lifetime), the transaction may not yet have enough systems with the required support. No special extras are required to enable
information to expand a macro when the new header value is needed. <EM>http_port ... tproxy</EM> configuration to work.</P>
And some information may already be available to Squid but not yet
committed where the macro expansion code can access it (please report
such instances!). The macro will be expanded into a single dash
('-') in such cases. Not all macros have been tested.</P>
<P>One or more Squid ACLs may be specified to restrict header <P>NOTE: To resolve NAT lookup issues on recent PF firewall versions the code behind
injection to matching requests. As always in squid.conf, all <EM>./configure --enable-pf-transparent</EM> has been altered and is expected to
ACLs in an option ACL list must be satisfied for the insertion break on the version of PF firewall shipped with BSD systems such as NetBSD and FreeBSD
to happen. The <EM>request_header_add</EM> option supports fast ACLs only.</P> which do not yet support the getsockname() API.
These systems require <EM>--with-nat-devpf</EM> to enable /dev/pf support when using PF firewall.</P>
<H2><A NAME="s3">3.</A> <A HREF="#toc3">Changes to squid.conf since Squid-3.2</A></H2> <H2><A NAME="ss2.5">2.5</A> <A HREF="#toc2.5">Transaction Annotations</A>
</H2>
<P>There have been changes to Squid's configuration file since Squid-3.2.</P> <P>Previously the only annotation methods available were ICAP/eCAP HTTP header insertions
or external ACL <EM>tag=</EM> result code. Each of which had only limited possibilities
for use and little or no correlation.</P>
<P>It is now possible to add annotations to a client transaction from several sources:
<UL>
<LI> Directly from squid.conf using the <EM>note</EM> directive with
ACL-based selection of which annotation is linked to any
particular transaction.
</LI>
<LI> By configured helper processes returning a key=value pair.
The key name becomes the annotation name.</LI>
</UL>
</P>
<P>Annotations on the transaction can be passed to ICAP services or eCAP modules using the
<EM>adaptation_meta</EM> directive to send them as headers.
They can also be logged using the <EM>%note</EM> log format code in custom logs. With
the new helper response syntax changes this means all helper response key=value details
such as URL-rewrite or store-id changes, external ACL tag etc. are now able to be logged.</P>
<P>Annotations which are already assigned to a transaction can be checked using an ACL test
of the new <EM>note</EM> ACL type. This can match a particular note by name and value,
of for any notes with a given name.</P>
<P>NOTE: not all helper interfaces are yet enabled to convert key=value into annotations
and the external ACL interface does not yet send annotations to the helper.</P>
<H2><A NAME="ss2.6">2.6</A> <A HREF="#toc2.6">Multicast DNS</A>
</H2>
<P>The internal DNS component of Squid now supports multicast DNS (mDNS) resolution in
accordance with RFC 6762.</P>
<P>The <EM>dns_multicast_local</EM> directive must be set to <EM>on</EM> to enable this
feature.</P>
<P>The multicast DNS group IP addresses for IPv4 and IPv6 resolving are added to the set
of available DNS resolvers and used automatically for domain names ending in <EM>.local</EM>
and reverse-DNS lookups before attempting a secondary resolution on the configured
resolvers. Domains without <EM>.local</EM> are resolved using only the configured resolvers.</P>
<P>Statistics for multicast DNS resolution can be found on the <EM>idns</EM> cache manager
report.</P>
<P><EM>NOTE</EM> that the external DNS helper interface is now deprecated and has been
removed from future Squid versions. Any installations still using it for local hostname
resolution need to upgrade to mDNS resolution with this Squid version.</P>
<H2><A NAME="s3">3.</A> <A HREF="#toc3">Changes to squid.conf since Squid-3.3</A></H2>
<P>There have been changes to Squid's configuration file since Squid-3.3.</P>
<P>Squid supports reading configuration option parameters from external
files using the syntax <EM>parameters("/path/filename")</EM>. For example:
<PRE>
acl whitelist dstdomain parameters("/etc/squid/whitelist.txt")
</PRE>
</P>
<P>There have also been changes to individual directives in the config file.</P>
<P>This section gives a thorough account of those changes in three categories:</P> <P>This section gives a thorough account of those changes in three categories:</P>
<P> <P>
<UL> <UL>
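Review bot: section 2.2 (SSL Server Certificate Validator) says the helper is consulted "regardless of the validation results" and that returned errors are fed to sslproxy_cert_error, but it does not say what Squid does when the helper gives no answer or reports an internal error (the BH code that section 2.1 introduces for all helpers). For a component that takes part in deciding whether a server certificate is accepted, the notes should state that behaviour. The same section has dropped words ("The helper consulted after", "The helper invocation controlled by", "A list of items consists the the validation error name"). Section 2.5 has "of for any notes" where "or for any notes" is meant. Section 2.6 says the external DNS helper "has been removed from future Squid versions", which mixes tenses.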
@ -246,20 +292,50 @@ to happen. The <EM>request_header_add</EM> option supports fast ACLs only.</P>
<P> <P>
<DL> <DL>
<DT><B>cache_miss_revalidate</B><DD> <DT><B>configuration_includes_quoted_values</B><DD>
<P>Whether Squid is to pass-through If-Modified-Since and If-None-Match headers on cache MISS. <P>Whether Squid supports directive parameters with spaces, quotes, and other
Revalidation requests can prevent cache gathering objects to HIT on.</P> special characters. Surround such parameters with "double quotes" and
<P>Based on the Squid-2.7 <EM>ignore_ims_on_miss</EM> feature.</P> also set this directive on/off around the relevant squid.conf line(s)
<P><EM>IMPORTANT:</EM> the meaning for on/off values has changed along with the name since 2.7.</P> making use of such quoting.</P>
<DT><B>request_header_add</B><DD> <DT><B>dns_multicast_local</B><DD>
<P>New directive to add custom headers on HTTP traffic sent to upstream servers.</P> <P>Use multicast DNS for <EM>.local</EM> domains and reverse-DNS resolution.</P>
<DT><B>sslproxy_cert_sign</B><DD> <DT><B>note</B><DD>
<P>New option to determine how the client certificate sent to upstream servers is signed.</P> <P>Use ACLs to annotate a transaction with customized annotations
which can be logged in access.log</P>
<DT><B>sslproxy_cert_adapt</B><DD> <DT><B>spoof_client_ip</B><DD>
<P>New option to adapt certain properties of outgoing SSL certificates generated for use when bumping SSL to an upstream server.</P> <P>Access control to determine whether to disable the TPROXY spoofing on upstream traffic.</P>
<DT><B>sslcrtvalidator_children</B><DD>
<P>Specifies the settings for how many SSL server certificate
validator helpers are run and when they are started.</P>
<DT><B>sslcrtvalidator_program</B><DD>
<P>Specifies the location of a SSL server certificate validator helper.</P>
<DT><B>store_id_access</B><DD>
<P>Whether the URL for a given request is passed to the Store-ID helper process.
Used to improve StoreID performance by quickly eliminating helper delays using ACL tests.</P>
<P>Ported equivalent to <EM>storeurl_access</EM> from 2.7</P>
<DT><B>store_id_bypass</B><DD>
<P>Whether the StoreID helper may be bypassed when overloaded.</P>
<DT><B>store_id_children</B><DD>
<P>Controls the number of StoreID helper processes.</P>
<P>Options <EM>startup=N</EM>, <EM>idle=N</EM>, <EM>concurrency=N</EM>
<UL>
<LI>startup=N allow finer tuning of how many helpers are started initially.</LI>
<LI>idle=N allow fine tuning of how many helper to retain as buffer against sudden traffic loads.</LI>
<LI>concurrency=N was previously called url_rewrite_concurrency as a distinct directive.</LI>
</UL>
</P>
<DT><B>store_id_rewrite_program</B><DD>
<P>A helper program to provide cache storage internal key ID value for a request.</P>
<P>Ported equivalent to <EM>storeurl_rewrite_program</EM> from 2.7</P>
</DL> </DL>
</P> </P>
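Review bot: the New tags list documents the helper directive as store_id_rewrite_program, but section 2.3 and the Removed tags entry for storeurl_rewrite_program both call it store_id_program. One name should be used throughout so that administrators copy a directive the parser accepts. In the store_id_children entry, "concurrency=N was previously called url_rewrite_concurrency" names a URL-rewrite directive, while the Removed tags list gives storeurl_rewrite_concurrency as the predecessor.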
@ -269,36 +345,81 @@ Revalidation requests can prevent cache gathering objects to HIT on.</P>
<P> <P>
<DL> <DL>
<DT><B>access_log</B><DD>
<P>Configuration syntax extended to support name=value options.
<EM>New Syntax:</EM> access_log module:place [option ...] [acl ...]</P>
<P>New option <EM>logformat=</EM> to specify the logging format name.</P>
<P>New option <EM>buffer-size=</EM> to specify how large the log buffer
for this log is to be when <EM>buffered_logs</EM> is enabled.</P>
<P>New option <EM>on-error=</EM> to specify what handling is to be done
if the logging module encounters a non-recoverable error writing logs.
With the value <EM>die</EM> (the default) Squid halts operation.
With the value <EM>drop</EM> Squid drops log lines and continue running.</P>
<DT><B>acl</B><DD> <DT><B>acl</B><DD>
<P><EM>myport</EM> and <EM>myip</EM>ACL types replaced with <EM>localport</EM> and <EM>localip</EM> respectively. <P>New test type <EM>server_cert_fingerprint</EM> to match against
To reflect that it matches the TCP connection details and not the squid.conf port. server SSL certificate fingerprint.</P>
This matters when dealing with intercepted traffic, where the Squid receiving port differs from the TCP connection IP:port. <P>New test type <EM>note</EM> to match against transaction annotations
Always use <EM>myportname</EM> type to match the squid.conf port details.</P> by name and value, or just by name.</P>
<P>New default built-in ACLs for testing SSL certificate properties.</P> <P>New test type <EM>any-of</EM> to match if any one of a set of named ACLs.</P>
<P><EM>ssl::certHasExpired</EM>, <P>New test type <EM>all-of</EM> to match against all of a set of named ACLs.</P>
<EM>ssl::certNotYetValid</EM>,
<EM>ssl::certDomainMismatch</EM>, <DT><B>auth_param</B><DD>
<EM>ssl::certUntrusted</EM>, <P>New result code <EM>BH</EM> to signal helper internal errors
<EM>ssl::certSelfSigned</EM>.</P> available in all authentication schemes.</P>
<P>New key <EM>message=</EM> for error message details in all authentication schemes.</P>
<P>New result code <EM>OK</EM> and key <EM>ha1=</EM> in Digest authentication.</P>
<P>New result codes <EM>OK</EM>, <EM>ERR</EM> replace result codes <EM>AF</EM>,
and <EM>NA</EM> in NTLM and Negotiate authentication.</P>
<P>New key <EM>token=</EM> for NTLM and Negotiate authentication <EM>OK</EM> responses.</P>
<P>Details at
<A HREF="http://wiki.squid-cache.org/Features/AddonHelpers">http://wiki.squid-cache.org/Features/AddonHelpers</A>.</P>
<DT><B>external_acl_type</B><DD> <DT><B>external_acl_type</B><DD>
<P><EM>%ACL</EM> format tag ported from 2.6. <P>Deprecated <EM>protocol=3.0</EM> option. No longer necessary.</P>
Sends the name of ACL being tested to the external helper.</P> <P>New result code <EM>BH</EM> to signal helper internal errors</P>
<P><EM>%DATA</EM> format tag ported from 2.6. <P>Details at
Inserts the ACL arguments into a particular location of the helper input instead of at the end of the line.</P> <A HREF="http://wiki.squid-cache.org/Features/AddonHelpers">http://wiki.squid-cache.org/Features/AddonHelpers</A>.</P>
<DT><B>http_port</B><DD>
<P>Support IPv6 for <EM>intercept</EM> mode. Requires ip6tables support on Linux,
PF support on OpenBSD and IPFW support on FreeBSD. Squid will no longer complain
about misconfiguration if IPv6 support is missing, we now rely on the firewall
tools reporting misconfiguration when the NAT rules are created.</P>
<P>Support <EM>tproxy</EM> mode traffic on BSD systems with BINDANY support
(OpenBSD 5+, FreeBSD 9+ so far).</P>
<P>Changed build options behind <EM>intercept</EM> traffic mode handling on BSD.
see <EM>--enable-pf-transparent</EM> for more details.</P>
<DT><B>logformat</B><DD> <DT><B>logformat</B><DD>
<P>New token <EM>%ssl::bump_mode</EM> to log the SSL-bump mode type performed on a request. <P>New format code <EM>%note</EM> to log a transaction annotation linked to the
Logs values of: <EM>-</EM>, <EM>none</EM>, <EM>client-first</EM>, or <EM>server-first</EM>.</P> transaction by ICAP, eCAP, a helper, or the <EM>note</EM> squid.conf directive.</P>
<P>New token of <EM>%ssl::&gt;cert_subject</EM> to log the Subject field of a SSL certificate received from the client.</P> <P>New format code <EM>%&gt;qos</EM> to log client connection TOS/DSCP value set by Squid.</P>
<P>New token of <EM>%ssl::&gt;cert_issuer</EM> to log the Issuer field of a SSL certificate received from the client.</P> <P>New format code <EM>%&lt;qos</EM> to log server connection TOS/DSCP value set by Squid.</P>
<P>New format code <EM>%&gt;nfmark</EM> to log client connection netfilter mark set by Squid.</P>
<P>New format code <EM>%&lt;nfmark</EM> to log server connection netfilter mark set by Squid.</P>
<DT><B>ssl_bump</B><DD> <DT><B>pipeline_prefetch</B><DD>
<P>New action types <EM>none</EM>, <EM>client-first</EM>, <EM>server-first</EM>. The default is <EM>none</EM>.</P> <P>Updated to take a numeric count of prefetched pipeline requests instead of ON/OFF.</P>
<P>Use of <EM>allow</EM>/<EM>deny</EM> is now deprecated and they should be removed as soon as possible.
To retain the exact same behaviour between 3.3 and older releases replace <EM>deny</EM> with <EM>none</EM>, <DT><B>refresh_pattern</B><DD>
and <EM>allow</EM> with <EM>client-first</EM>. However an upgrade to <EM>server-first</EM> is the recommended.</P> <P><EM>NOTE:</EM> the regular expression pattern operates on the cache Store-ID value.
<P><EM>NOTE</EM>: Mixing of allow/deny with the new action types is prohibited and will cause Squid to exit with a FATAL error.</P> Which by default is identical to the requested URL, but may differ for some
objects if the Store-ID feature is in use.</P>
<DT><B>unlinkd_program</B><DD>
<P>New helper response format utilizing result codes <EM>OK</EM> and <EM>BH</EM>,
to signal helper lookup results. Also, key-value response values to return
multiple values to Squid.</P>
<P>Details at
<A HREF="http://wiki.squid-cache.org/Features/AddonHelpers">http://wiki.squid-cache.org/Features/AddonHelpers</A>.</P>
<DT><B>url_rewrite_program</B><DD>
<P>New helper response format utilizing result codes <EM>OK</EM>, <EM>ERR</EM>,
and <EM>BH</EM> to signal helper lookup results. Also, key-value response
values to return multiple values to Squid.</P>
<P>Details at
<A HREF="http://wiki.squid-cache.org/Features/AddonHelpers">http://wiki.squid-cache.org/Features/AddonHelpers</A>.</P>
</DL> </DL>
</P> </P>
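Review bot: several Changed tags entries alter accepted values without saying whether the old ones still parse: pipeline_prefetch now takes a numeric count "instead of ON/OFF", auth_param replaces the NTLM and Negotiate result codes AF and NA with OK and ERR, and external_acl_type deprecates protocol=3.0. Since this update takes the package from 3.3.11 to 3.4.2, each entry should say whether an existing squid.conf or helper keeps working. In the access_log entry, the on-error=drop sentence should read "drops log lines and continues running". The unlinkd_program entry repeats the url_rewrite_program wording almost verbatim; confirm that it is intended.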
@ -308,16 +429,25 @@ and <EM>allow</EM> with <EM>client-first</EM>. However an upgrade to <EM>server-
<P> <P>
<DL> <DL>
<DT><B>ignore_ims_on_miss</B><DD> <DT><B>storeurl_access</B><DD>
<P>This option has been replaced by the <EM>cache_miss_revalidate</EM> feature.</P> <P>Replaced by <EM>store_id_access</EM>.</P>
<DT><B>storeurl_rewrite_children</B><DD>
<P>Replaced by <EM>store_id_children</EM>.</P>
<DT><B>storeurl_rewrite_concurrency</B><DD>
<P>Replaced by <EM>store_id_children</EM> with <EM>concurrency=N</EM> option.</P>
<DT><B>storeurl_rewrite_program</B><DD>
<P>Replaced by <EM>store_id_program</EM>.</P>
</DL> </DL>
</P> </P>
<H2><A NAME="s4">4.</A> <A HREF="#toc4">Changes to ./configure options since Squid-3.2</A></H2> <H2><A NAME="s4">4.</A> <A HREF="#toc4">Changes to ./configure options since Squid-3.3</A></H2>
<P>There have been some changes to Squid's build configuration since Squid-3.2.</P> <P>There have been some changes to Squid's build configuration since Squid-3.3.</P>
<P>This section gives an account of those changes in three categories:</P> <P>This section gives an account of those changes in three categories:</P>
<P> <P>
<UL> <UL>
@ -336,7 +466,27 @@ and <EM>allow</EM> with <EM>client-first</EM>. However an upgrade to <EM>server-
<P> <P>
<DL> <DL>
<P><EM>There are no new ./configure options in Squid-3.3.</EM></P> <DT><B>--enable-storeid-rewrite-helpers</B><DD>
<P>New option to control which Store-ID helpers are built. As with other
helper options use --disable-* to prevent any helpers building and
omit to get all helper auto-detected.</P>
<P>Currenly only a helper using <EM>file</EM> for backend is provided.</P>
<DT><B>--disable-arch-native</B><DD>
<P>New option to disable use of -march=native compiler flag.</P>
<P>The new flag auto-enables CPU-specific optimizations in GCC and is
required by Clang++ v3.2 for correct 64-bit environment detection.
It does not always work well however, so this build option is provided
to remove it when necessary.</P>
<DT><B>--with-nat-devpf</B><DD>
<P>New option to alter the behaviour of <EM>http_port ... intercept</EM> option
in squid.conf.</P>
<P>When this option is used Squid performs the /dev/pf lookups required to
support PF <EM>rdr-to</EM> rules. Otherwise Squid will perform perform the
getsockname() API calls to support PF <EM>divert-to</EM> rules.</P>
<P>NOTE: systems such as NetBSD and FreeBSD which do not yet support
the getsockname() API in recent PF versions require this option.</P>
</DL> </DL>
</P> </P>
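Review bot: two typos in the added release-notes text, "Currenly" in the --enable-storeid-rewrite-helpers entry and "perform perform" in the --with-nat-devpf entry. RELEASENOTES.html is carried as Source2 in the spec, so if it is the upstream file as released, report these upstream rather than patching the packaged copy.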
@ -346,14 +496,14 @@ and <EM>allow</EM> with <EM>client-first</EM>. However an upgrade to <EM>server-
<P> <P>
<DL> <DL>
<DT><B>--enable-kqueue</B><DD> <DT><B>--enable-pf-transparent</B><DD>
<P>kqueue network I/O module is now built by default when it is available. <P>NAT table support updated to use the getsockname() API provided by the
This option is no longer required to enable kqueue support, latest PF versions <EM>divert-to</EM>. This allows <EM>http_port</EM>
but if used will abort build when kqueue dependencies are missing or broken.</P> in squid.conf to support both <EM>intercept</EM> and <EM>tproxy</EM> traffic
and to silence NAT lookup failure messages on recent BSD.</P>
<DT><B>--disable-kqueue</B><DD> <P>NOTE: systems such as NetBSD and FreeBSD which do not yet support
<P>kqueue network I/O module is now built by default when it is available. the getsockname() API in recent PF versions require <EM>--with-nat-devpf</EM>
This configure option is now needed to disable it. Previously it did nothing.</P> to re-enable /dev/pf support when using PF firewall.</P>
</DL> </DL>
</P> </P>
@ -362,8 +512,7 @@ This configure option is now needed to disable it. Previously it did nothing.</P
<P> <P>
<DL> <DL>
<DT><B>--enable-ntlm-fail-open</B><DD> <P><EM>There are no removed ./configure options in Squid-3.4.</EM></P>
<P>This has not been supported by Squid for several versions.</P>
</DL> </DL>
</P> </P>
@ -371,7 +520,7 @@ This configure option is now needed to disable it. Previously it did nothing.</P
<H2><A NAME="s5">5.</A> <A HREF="#toc5">Regressions since Squid-2.7</A></H2> <H2><A NAME="s5">5.</A> <A HREF="#toc5">Regressions since Squid-2.7</A></H2>
<P>Some squid.conf and ./configure options which were available in Squid-2.7 are not yet available in Squid-3.3</P> <P>Some squid.conf options which were available in Squid-2.7 are not yet available in Squid-3.4</P>
<P>If you need something to do then porting one of these from Squid-2 to Squid-3 is most welcome.</P> <P>If you need something to do then porting one of these from Squid-2 to Squid-3 is most welcome.</P>
@ -429,16 +578,7 @@ This configure option is now needed to disable it. Previously it did nothing.</P
<DT><B>refresh_stale_hit</B><DD> <DT><B>refresh_stale_hit</B><DD>
<P>Not yet ported from 2.7</P> <P>Not yet ported from 2.7</P>
<DT><B>storeurl_access</B><DD> <DT><B>update_headers</B><DD>
<P>Not yet ported from 2.7</P>
<DT><B>storeurl_rewrite_children</B><DD>
<P>Not yet ported from 2.7</P>
<DT><B>storeurl_rewrite_concurrency</B><DD>
<P>Not yet ported from 2.7</P>
<DT><B>storeurl_rewrite_program</B><DD>
<P>Not yet ported from 2.7</P> <P>Not yet ported from 2.7</P>
</DL> </DL>

View File

@ -1,2 +1,3 @@
addFilter("macro-in-comment") addFilter("macro-in-comment")
addFilter("no-manual-page-for-binary") addFilter("no-manual-page-for-binary")
addFilter("zero-length")
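Review bot: addFilter("zero-length") is added with no comment and no path, so it silences the rpmlint zero-length warning for every file in the package, including an empty file that ships by mistake in a later update. Add a comment naming the file that triggers the warning and narrow the filter pattern to that path, or drop the empty file in %install.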

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:6b314cd706693522f01d5ab1930f3aa7a9b03a913bc0e699def16cca8d15ea54
size 2989941

View File

@ -1,20 +0,0 @@
File: squid-3.3.11.tar.bz2
Date: Sat Nov 30 14:12:34 UTC 2013
Size: 2989941
MD5 : abf2b0fe128f73f5dc157e7e917949e0
SHA1: f99627f9f5c76cc2ddf6e14e4a3e955963801b6f
Key : 0xFF5CF463 <squid3@treenet.co.nz>
fingerprint = EA31 CC5E 9488 E516 8D2D CC5E B268 E706 FF5C F463
keyring = http://www.squid-cache.org/pgp.asc
keyserver = subkeys.pgp.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
iQEcBAABAgAGBQJSmfXuAAoJELJo5wb/XPRjaqcIAKvTzz9frodyUOeuop5W2yZx
s3knaI5ZyM7dsXYdDUixto5Q1+a8wIUAvZzCp2sLij3QQTKZJAxgmQ8Tztl/sgKI
NbHJSJxAtibNOGKBfCqCDurcNfmn2kLZJPxJXx3gulEP5O7rTdKVoZq/1vyj/rvv
rnzZBP2HZ5fnXNRfs7UPrOzMLmg423zXzsDnRjj69xy6w0dXpObDP5tb32jNmOLg
zRvk3lw4mtpWJ5kGZ4BbwPpO9i2MT94M9YupjL/doNbbiAt2nutGfGuLgPcmsCwA
fpb74hKIM20ON8A7XypeyX6eNeYn4nkRBSuzEX/sPWQUyq0BMxheCEZRboGCnvo=
=rlWB
-----END PGP SIGNATURE-----

3
squid-3.4.2.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:bc1f2c3e2b2d8975bfc3745419a6c5bfcbb4716b6cd04011303610b77b19b454
size 2812777

20
squid-3.4.2.tar.bz2.asc Normal file
View File

@ -0,0 +1,20 @@
File: squid-3.4.2.tar.bz2
Date: Mon Dec 30 11:52:11 UTC 2013
Size: 2812777
MD5 : 7ec46965bc58bc927e81869805a25241
SHA1: 0b96ee7502b21c69b5f9bd8d2c113b35dd58ecf0
Key : 0xFF5CF463 <squid3@treenet.co.nz>
fingerprint = EA31 CC5E 9488 E516 8D2D CC5E B268 E706 FF5C F463
keyring = http://www.squid-cache.org/pgp.asc
keyserver = subkeys.pgp.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
iQEcBAABAgAGBQJSwWThAAoJELJo5wb/XPRjdhgIAIjPMGSUDhylA56CEH5NAXg7
yevT8tC6D3dFhQLtXt8a0sT4ULzMwvXGvH/lYBrEyn8mO8tcU145AJldCAKA3tGS
j1EmB48w5Vu7R4rkfEpwraYS1y4X/hM1nqv0On78yvAOueau6E2Ti5bbkPKCU0xB
oP1YPv+WoLGQtvpgjO9EhX/uVTF+cnCWUwediq9EulAtnkkXAZnJlXgNoJW7cBFv
YhLKpds4Ge/LO0jsPp7j6BsOOhbpvIOmMiELCepZ8hk9Cxm7VeCMrFzI069tUiWs
TQGvblf32oVhlFWRNkVZI4ZPINXmGPPHT2t4f33Lrep0EawQDnFQfoJxOi2VUUM=
=Ugn1
-----END PGP SIGNATURE-----
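Review bot: the File, Size, MD5 and SHA1 lines sit above the -----BEGIN PGP SIGNATURE----- armor, and text outside the armor is not covered by the signature, so they are unauthenticated metadata (and MD5 and SHA1 are weak digests in any case). Integrity of the new tarball therefore rests on the %gpg_verify %{S:1} step in the spec and on the keyring it uses; the keyring URL listed here is plain http://, so confirm from an independent source that the keyring shipped with the package carries fingerprint EA31 CC5E 9488 E516 8D2D CC5E B268 E706 FF5C F463. The Size value 2812777 does match the new LFS pointer.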

View File

@ -2,7 +2,7 @@ Index: src/Makefile.am
=================================================================== ===================================================================
--- src/Makefile.am.orig --- src/Makefile.am.orig
+++ src/Makefile.am +++ src/Makefile.am
@@ -975,7 +975,7 @@ cache_cf.o: cf_parser.cci @@ -981,7 +981,7 @@ cache_cf.o: cf_parser.cci
# cf_gen builds the configuration files. # cf_gen builds the configuration files.
cf_gen$(EXEEXT): $(cf_gen_SOURCES) $(cf_gen_DEPENDENCIES) cf_gen_defines.cci cf_gen$(EXEEXT): $(cf_gen_SOURCES) $(cf_gen_DEPENDENCIES) cf_gen_defines.cci
@ -15,7 +15,7 @@ Index: src/Makefile.in
=================================================================== ===================================================================
--- src/Makefile.in.orig --- src/Makefile.in.orig
+++ src/Makefile.in +++ src/Makefile.in
@@ -7306,7 +7306,7 @@ cache_cf.o: cf_parser.cci @@ -7294,7 +7294,7 @@ cache_cf.o: cf_parser.cci
# cf_gen builds the configuration files. # cf_gen builds the configuration files.
cf_gen$(EXEEXT): $(cf_gen_SOURCES) $(cf_gen_DEPENDENCIES) cf_gen_defines.cci cf_gen$(EXEEXT): $(cf_gen_SOURCES) $(cf_gen_DEPENDENCIES) cf_gen_defines.cci

View File

@ -2,7 +2,7 @@ Index: src/cf.data.pre
=================================================================== ===================================================================
--- src/cf.data.pre.orig --- src/cf.data.pre.orig
+++ src/cf.data.pre +++ src/cf.data.pre
@@ -1196,6 +1196,8 @@ http_access deny manager @@ -1350,6 +1350,8 @@ http_access deny manager
# Adapt localnet in the ACL section to list your (internal) IP networks # Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed # from where browsing should be allowed
http_access allow localnet http_access allow localnet
@ -11,7 +11,7 @@ Index: src/cf.data.pre
http_access allow localhost http_access allow localhost
# And finally deny all other access to this proxy # And finally deny all other access to this proxy
@@ -3144,6 +3146,10 @@ DOC_START @@ -3361,6 +3363,10 @@ DOC_START
Instead, if you want Squid to use the entire disk drive, Instead, if you want Squid to use the entire disk drive,
subtract 20% and use that value. subtract 20% and use that value.
@ -22,7 +22,7 @@ Index: src/cf.data.pre
'L1' is the number of first-level subdirectories which 'L1' is the number of first-level subdirectories which
will be created under the 'Directory'. The default is 16. will be created under the 'Directory'. The default is 16.
@@ -3277,7 +3283,7 @@ DOC_START @@ -3494,7 +3500,7 @@ DOC_START
NOCOMMENT_START NOCOMMENT_START
# Uncomment and adjust the following to add a disk cache directory. # Uncomment and adjust the following to add a disk cache directory.
@ -31,7 +31,7 @@ Index: src/cf.data.pre
NOCOMMENT_END NOCOMMENT_END
DOC_END DOC_END
@@ -3890,7 +3896,7 @@ DOC_END @@ -4147,7 +4153,7 @@ DOC_END
NAME: logfile_rotate NAME: logfile_rotate
TYPE: int TYPE: int

View File

@ -1,24 +0,0 @@
Index: helpers/basic_auth/DB/config.test
===================================================================
--- helpers/basic_auth/DB/config.test.orig
+++ helpers/basic_auth/DB/config.test
@@ -2,6 +2,6 @@
## Test: do we have perl to build the helper scripts?
## Test: do we have pod2man to build the manual?
-perl --version >/dev/null && echo | pod2man >/dev/null
+perl --version >/dev/null && pod2man --help >/dev/null
exit $?
Index: helpers/log_daemon/DB/config.test
===================================================================
--- helpers/log_daemon/DB/config.test.orig
+++ helpers/log_daemon/DB/config.test
@@ -2,6 +2,6 @@
## Test: do we have perl to build the helper scripts?
## Test: do we have pod2man to build the manual?
-perl --version >/dev/null && echo | pod2man >/dev/null
+perl --version >/dev/null && pod2man --help >/dev/null
exit $?

View File

@ -1,3 +1,88 @@
-------------------------------------------------------------------
Tue Jan 7 19:45:22 UTC 2014 - chris@computersalat.de
- Changes to squid-3.4.2 (30 Dec 2013):
* Regression Bug 3980: FATAL ERROR due to max_user_ip -s option
* Regression Fix: \-unescaping in quoted strings from helpers
* Regression Fix: URL helper API bypassing on URL containing '=' character
* Bug 3985: 60s limit introduced by balance_on_multiple_ip breaks bad IP recovery
* Bug 3806: Caching responses with Vary header
* Bug 3498: FTP PUT assertion
* WCCPv2: Fix assertion 'Cannot convert non-IPv4 to IPv4' on FreeBSD
* Enable concurrency by default for SSL certificate validator
* ... and fix several build errors
-------------------------------------------------------------------
Wed Dec 25 23:10:24 UTC 2013 - chris@computersalat.de
- Changes to squid-3.4.1 (09 Dec 2013):
* Bug 3935: Invalid pointer dereference when peeking at origin server certificate
* Bug 3589: intercepted and ICAP modified request using a cache_peer
* ... and several portability fixes
* ... and some documentation updates
- Changes to squid-3.4.0.3 (01 Dec 2013):
* Bug 3941: Release notes error
* Receive annotations from authentication and external ACL helpers
* basic_nis_auth: Improved portability
* ... and several documentation updates
* ... and all bug fixes from 3.3.9, 3.3.10, 3.3.11
- Changes to squid-3.4.0.2 (03 Oct 2013):
* Regression Bug 3891: squid.conf parser errors in 3.4.0.1
* Regression Fix: re-disable MinGW C++11 support
* Bug 3914: partial: make squidclient tool build cleanly with -Wconversion
* Fix memory leak in refresh_pattern parsing
* negotiate_kerberos_auth: upgrade to present group= keys
* Handle NTLM helper returning OK without user= value
* Add dns_multicast_local to control mDNS operation
* Add --disable-arch-native build option
* Display Build-Info in cache manager info report
* ... and all changes from squid 3.3.9
* ... and some code and debug output polishing
- Changes to squid-3.4.0.1 (29 Jul 2013):
* Port from 2.7: StoreURL (renamed Store-ID) support
* Bug 3795: fix several mistakes in the MIB file
* Bug 3793: configure: improved helper detection
* Bug 3722: Invalid markup in Armenian hy ERR_ONLY_IF_CACHED_MISS
* Bug 3676: Support GCC 4.7 with -Wshadow option
* Bug 3643: NTLM helpers stuck in reserved state by Safari
* Bug 3389: Auto-reconnect for tcp access_log
* Bug 2066: squid does not do chdir() after chroot()
* Fix uninitialized fields in IcapLogEntry
* Fix a number of minor issues detected by Coverity Scan
* Fix some potential memory leaks detected by Coverity Scan
* Fix 64-bit support for Intel compiler suite (ICC) and other similar compilers
* Fix ACL matching algorithm to avoid repeating tests
* basic_pam_auth: Add -r option to strip NTLM/Negotiate domain from username
* squidpurge: fix META TLV parsing issues
* squid.conf: enforce all the directive and option names are lower-case
* Support EUI on HTTPS and FTP data connections
* Support OK/ERR/BH response codes from any helper
* Support No-lookup flag (-n) on DNS ACLs
* Support -march=native compiler optimization by default
* Support forwarding intercepted but not bumped connections to cache_peers
* Support IPv6 NAT interception on Linux and some BSD
* Deprecate log_icap and log_access configuration directives
* HTTP/1.1: improved method invalidation and cacheability detection
* HTTP/1.1: support length configuration for pipeline_prefetch queue
* Improved TPROXY support for OpenBSD and FreeBSD
* Add storeid_file_rewrite helper to perform Store-ID rewrites from a rules file
* Add all-of and any-of ACL types for grouping sets of ACL tests
* Add note directive for transaction annotations
* Add %note log format for transaction annotation logging
* Add note ACL type for matching annotated transactions with by annotation name or value
* Add kv-pair support to URL-rewrite/redirector interface
* Add SSL server certificate validator interface, helper and result cache
* Add SSL server certificate fingerprint ACL type
* Add spoof_client_ip access control
* Add pt-bz (Belize Portuguese) dialect to translations
* ... and many Windows portability changes (still incomplete)
* ... and many documentation changes
* ... and much code cleanup and polishing
- modified patches:
* squid-compiled_without_RPM_OPT_FLAGS.patch
* squid-config.patch
- remove obsolete fix-pod2man-check patch
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Dec 25 21:29:38 UTC 2013 - chris@computersalat.de Wed Dec 25 21:29:38 UTC 2013 - chris@computersalat.de
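Review bot: the packaging part of this entry lists only the two refreshed patches and the removed fix-pod2man-check patch; it leaves out the new addFilter("zero-length") in the rpmlintrc and the digest_edirectory_auth helper being dropped from %files. Add a line for each, so that users who depend on that helper can find the change in the changelog.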

View File

@ -1,7 +1,7 @@
# #
# spec file for package squid # spec file for package squid
# #
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -16,17 +16,19 @@
# #
%define squidlibdir %{_libdir}/squid %define squidlibdir %{_libdir}/squid
%define squidconfdir /etc/squid %define squidconfdir /etc/squid
#define snap -20131225-r13064
Name: squid Name: squid
Summary: Squid Version 3.3 WWW Proxy Server Summary: Squid Version 3.3 WWW Proxy Server
License: GPL-2.0+ License: GPL-2.0+
Group: Productivity/Networking/Web/Proxy Group: Productivity/Networking/Web/Proxy
Version: 3.3.11 Version: 3.4.2
Release: 0 Release: 0
Url: http://www.squid-cache.org/Versions/v3/3.3 Url: http://www.squid-cache.org/Versions/v3/3.4
Source0: http://www.squid-cache.org/Versions/v3/3.3/%{name}-%{version}.tar.bz2 #Source0: http://www.squid-cache.org/Versions/v3/3.3/%{name}-%{version}%{snap}.tar.bz2
Source0: http://www.squid-cache.org/Versions/v3/3.4/%{name}-%{version}.tar.bz2
Source1: %{name}-%{version}.tar.bz2.asc Source1: %{name}-%{version}.tar.bz2.asc
Source2: RELEASENOTES.html Source2: RELEASENOTES.html
Source3: squid.init Source3: squid.init
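Review bot: Version and Url move to 3.4, but Summary still reads "Squid Version 3.3 WWW Proxy Server" on both sides of this hunk; update it to 3.4. The commented-out #define snap and #Source0 lines are snapshot leftovers, and the #Source0 one still points at the v3/3.3 directory and carries macros in a comment, which the macro-in-comment filter in the rpmlintrc hides; remove both lines.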
@ -58,8 +60,6 @@ Patch101: %{name}-nobuilddates.patch
## File is compiled without RPM_OPT_FLAGS ## File is compiled without RPM_OPT_FLAGS
# squid3 no-rpm-opt-flags <cmdline>:./cf_gen.cc # squid3 no-rpm-opt-flags <cmdline>:./cf_gen.cc
Patch102: %{name}-compiled_without_RPM_OPT_FLAGS.patch Patch102: %{name}-compiled_without_RPM_OPT_FLAGS.patch
# Upstream notified of this problem by mageia guys
Patch103: %{name}-fix-pod2man-check.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: %fillup_prereq PreReq: %fillup_prereq
PreReq: %insserv_prereq PreReq: %insserv_prereq
@ -108,21 +108,23 @@ Obsoletes: %{name}3 < %{version}
%description %description
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator. Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator.
Squid 3.3 represents a new feature release above 3.2. Squid 3.4 represents a new feature release above 3.3.
The most important of these new features are: The most important of these new features are:
* SQL Database logging helper * Helper protocol extensions
* Time-Quota session helper * SSL Server Certificate Validator
* SSL-Bump Server First * Store-ID
* Server Certificate Mimic * TPROXY Support for OpenBSD 5.1+ and FreeBSD 9+
* Custom HTTP request headers * Transaction Annotations
* Multicast DNS
Most user-facing changes are reflected in squid.conf (see below). Most user-facing changes are reflected in squid.conf (see below).
First STABLE release Date: 20 Oct 2012 First STABLE release Date: 08 Dec 2013
%prep %prep
#setup -q -n %{name}-%{version}%{snap}
%gpg_verify %{S:1} %gpg_verify %{S:1}
%setup -q -n %{name}-%{version} %setup -q -n %{name}-%{version}
cp %{S:10} . cp %{S:10} .
@ -134,7 +136,6 @@ perl -p -i -e 's|/usr/local/bin/perl|/usr/bin/perl|' `find -name "*.pl"`
chmod a-x CREDITS chmod a-x CREDITS
%patch101 %patch101
%patch102 %patch102
%patch103
%build %build
export CFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF" export CFLAGS="%{optflags} -fPIE -fPIC -DOPENSSL_LOAD_CONF"
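Review bot: the %build section in this hunk sets CFLAGS from %{optflags}, but the release notes and changelog in this same commit say 3.4 enables -march=native by default, and no spec hunk shown here adds --disable-arch-native. With -march=native the compiler targets the CPU of the build worker, so the resulting binaries can fail with illegal-instruction errors on older hosts and the build is not reproducible across workers. Unless the configure call already passes it outside the visible hunks, add --disable-arch-native to the configure options.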
@ -351,7 +352,8 @@ fi
%{_sbindir}/basic_smb_auth %{_sbindir}/basic_smb_auth
%{_sbindir}/basic_smb_auth.sh %{_sbindir}/basic_smb_auth.sh
%{_sbindir}/cert_tool %{_sbindir}/cert_tool
%{_sbindir}/digest_edirectory_auth %{_sbindir}/cert_valid.pl
#{_sbindir}/digest_edirectory_auth
%{_sbindir}/digest_file_auth %{_sbindir}/digest_file_auth
%{_sbindir}/digest_ldap_auth %{_sbindir}/digest_ldap_auth
%{_sbindir}/diskd %{_sbindir}/diskd
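Review bot: digest_edirectory_auth is commented out as #{_sbindir}/digest_edirectory_auth rather than removed, with no explanation of why the helper is no longer packaged. If 3.4.2 simply does not build it in this environment, for example because of a missing build dependency, fix the build requirement instead, since sites using that digest helper lose it on upgrade; if the drop is intended, delete the line and record the reason in the changelog.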
@ -359,6 +361,7 @@ fi
%{_sbindir}/ext_file_userip_acl %{_sbindir}/ext_file_userip_acl
%{_sbindir}/ext_kerberos_ldap_group_acl %{_sbindir}/ext_kerberos_ldap_group_acl
%{_sbindir}/ext_ldap_group_acl %{_sbindir}/ext_ldap_group_acl
%{_sbindir}/ext_session_acl
%{_sbindir}/ext_unix_group_acl %{_sbindir}/ext_unix_group_acl
%{_sbindir}/ext_wbinfo_group_acl %{_sbindir}/ext_wbinfo_group_acl
%{_sbindir}/helper-mux.pl %{_sbindir}/helper-mux.pl
@ -372,6 +375,7 @@ fi
%{_sbindir}/pinger %{_sbindir}/pinger
%{_sbindir}/rc%{name} %{_sbindir}/rc%{name}
%{_sbindir}/%{name} %{_sbindir}/%{name}
%{_sbindir}/storeid_file_rewrite
%{_sbindir}/unlinkd %{_sbindir}/unlinkd
%{_sbindir}/url_fake_rewrite %{_sbindir}/url_fake_rewrite
%{_sbindir}/url_fake_rewrite.sh %{_sbindir}/url_fake_rewrite.sh