<!doctype linuxdoc system>
<article>
<title>Squid 3.3.14 release notes</title>
<author>Squid Developers</author>

<abstract>
This document contains the release notes for version 3.3 of Squid.
Squid is a WWW Cache application developed by the National Laboratory
for Applied Network Research and members of the Web Caching community.
</abstract>

<toc>

<sect>Notice
<p>
The Squid Team are pleased to announce the release of Squid-3.3.14.

This new release is available for download from <url url="http://www.squid-cache.org/Versions/v3/3.3/"> or the
<url url="http://www.squid-cache.org/Download/http-mirrors.html" name="mirrors">.

<p>A large number of the design flaws in the SSL-Bump feature have been fixed along with general improvements all around.
While this release is not fully bug-free we believe it is ready for use in production on many systems.

<p>We welcome feedback and bug reports. If you find a bug, please see <url url="http://wiki.squid-cache.org/SquidFaq/BugReporting">
for how to submit a report with a stack trace.

<sect1>Known issues
<p>
Although this release is deemed good enough for use in many setups, please note the existence of
<url url="http://bugs.squid-cache.org/buglist.cgi?query_format=advanced&product=Squid&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&version=3.3" name="open bugs against Squid-3.3">.


<sect1>Changes since earlier releases of Squid-3.3
<p>
The 3.3 change history can be <url url="http://www.squid-cache.org/Versions/v3/3.3/changesets/" name="viewed here">.

<sect>Major new features since Squid-3.2
<p>Squid 3.3 represents a new feature release above 3.2.

<p>The most important of these new features are:
<itemize>
<item>SQL Database logging helper
<item>Time-Quota session helper
<item>SSL-Bump Server First
<item>Server Certificate Mimic
<item>Custom HTTP request headers
</itemize>

Most user-facing changes are reflected in squid.conf (see below).

<sect1>SQL Database logging helper
<p><em>log_db_daemon</em> - Database logging daemon for Squid

<p>This program writes Squid access.log entries to an SQL database.
Written in Perl, it can use any database supported by the Perl
database abstraction layer.

<p>NOTE: Presently it only accepts the Squid native log format.


<sect1>Time-Quota session helper
<p><em>ext_time_quota_acl</em> - Time quota external ACL helper.

<p>Allows an administrator to define time budgets (quotas) that limit
how long users may use Squid.

<p>This is useful for corporate lunch time allocations, wifi portal
pay-per-minute installations or for parental control of children.

<p>The administrator can define a time budget (e.g. 1 hour per day)
which is enforced through this helper using session estimations
of the user's browsing time. A 'pause' threshold is given in seconds
and defines the maximum period between two requests for them to be
treated as part of the same session. Pauses shorter than this value are
counted against the quota; longer ones are ignored.

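<p>As an added illustration (not the helper's own Perl code), the following Python models the session estimation just described: a gap shorter than the pause threshold is charged against the budget, a longer gap starts a new session without being charged, and the verdict flips to ERR once the budget is spent. The budget, threshold, user names, timestamps and the one-name-per-line helper input format are constructed assumptions of the example.

```python
"""Session-based time-quota accounting modelled on the ext_time_quota_acl
description.  Added example, not the helper's own code: budget, pause
threshold, user names, timestamps and the "username" input line format are
constructed assumptions."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class QuotaState:
    """Accounting for one user within one quota period (e.g. one day)."""
    budget: int                       # browsing seconds allowed per period
    pause: int                        # gap (seconds) at or above which a session ends
    used: int = 0                     # seconds already charged to the budget
    last_seen: Optional[int] = None   # time of the previous request, if any

    def charge(self, now: int) -> int:
        """Charge the gap since the previous request when it is shorter than
        the pause threshold; return the seconds charged for this request."""
        charged = 0
        if self.last_seen is not None:
            gap = now - self.last_seen
            # A gap below the threshold is browsing time in the same session.
            # A longer gap means the user was away: a new session starts and
            # the idle period is not counted against the quota.
            if gap < self.pause:
                charged = gap
                self.used += gap
        self.last_seen = now
        return charged

    def exhausted(self) -> bool:
        return self.used >= self.budget


class TimeQuotaHelper:
    """Minimal model of an external ACL helper: one line in, one verdict out."""

    def __init__(self, budget: int, pause: int) -> None:
        self.budget = budget
        self.pause = pause
        self.users: Dict[str, QuotaState] = {}

    def handle(self, line: str, now: int) -> str:
        """Answer 'OK' while the user still has budget, 'ERR' once it is spent.
        `line` is the helper input (here just the user name); `now` is the
        request time in seconds, passed in so the example is deterministic."""
        user = line.strip()
        if not user:
            return "ERR"   # malformed input: deny rather than grant (assumption)
        state = self.users.setdefault(user, QuotaState(self.budget, self.pause))
        state.charge(now)
        return "ERR" if state.exhausted() else "OK"

    def new_period(self) -> None:
        """Reset all budgets at the start of a new quota period."""
        for state in self.users.values():
            state.used = 0
            state.last_seen = None


def run_session(budget: int, pause: int, events: List[Tuple[str, int]]) -> List[str]:
    """Replay constructed (user, timestamp) events and return the verdicts."""
    helper = TimeQuotaHelper(budget, pause)
    return [helper.handle(user, t) for user, t in events]


if __name__ == "__main__":
    # Constructed sample: 120 s budget per period, 60 s pause threshold.
    events = [("alice", 0), ("alice", 40), ("alice", 70), ("alice", 400),
              ("alice", 430), ("alice", 455), ("alice", 480), ("alice", 2000)]
    for (user, t), verdict in zip(events, run_session(120, 60, events)):
        print(f"t={t:5d} {user}: {verdict}")
```

Replaying the constructed events for alice, the 330 s and 1520 s gaps are not charged, the 25 s gap at t=455 raises her usage to 125 s, and the verdict stays ERR for the rest of the period. A real helper reads its lines from stdin and uses the wall clock; here the timestamps are passed in so the run is repeatable.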

<sect1>SSL-Bump Server First
<p>Details at <url url="http://wiki.squid-cache.org/Features/BumpSslServerFirst">.

<p>When an intercepted connection is received, Squid first connects
to the server using SSL and receives the server certificate.
Squid then uses the host name inside the true server certificate
to generate a fake one and impersonates the server while still
using the already established secure connection to the server.

<p>Bumping server first is essentially required for handling
intercepted HTTPS connections, but the same scheme should be used
for most HTTP CONNECT requests because it offers a few advantages
compared to the old bump-client-first approach:

<itemize>
<item>When Squid knows valid server certificate details, it can
generate its fake server certificate with those details.
With the bump-client-first scheme, all those details are lost.
In general, browsers do not care about those details but there
may be HTTP clients (or even human users) that require or could
benefit from knowing them.

<item>When a server sends a bad certificate, Squid may be able to
replicate that brokenness in its own fake certificate, giving
the HTTP client control over whether to ignore the problem or
terminate the transaction. With bump-client-first, it is
difficult to support a similar dynamic, user-directed opt out;
Squid itself has to decide what to do when the server
certificate cannot be validated.

<item>When a server asks for a client certificate, Squid may be
able to ask the client and then forward the client certificate
to the server. Such client certificate handling may not be
possible with the bump-client-first scheme because it would
have to be done after the SSL handshake.

<item>Some clients (e.g., Rekonq browser v0.7.x) do not send host
names in CONNECT requests. Such clients require bump-server-first
even in forward proxying mode. Unfortunately, there are other
problems with fully supporting such clients (i.e., Squid does
not know whether the IP address in the CONNECT request is what
the user has typed into the address bar) so not all features
will work well for them until more specialized detection code
is added.
</itemize>

<sect1>Server Certificate Mimic
<p>Details at <url url="http://wiki.squid-cache.org/Features/MimicSslServerCert">.

<p>One of the serious drawbacks of the SslBump feature is the loss of
the information embedded in the SSL server certificate.
The certificate mimic feature passes the original SSL server
certificate information on to the user, allowing the user to
make an informed decision on whether to trust the server
certificate.


<sect1>Custom HTTP request headers
<p>The <em>request_header_add</em> option is added to insert
HTTP header fields into outgoing HTTP requests (i.e.,
request headers sent by Squid to the next HTTP hop such as a
cache peer or an origin server). The option has no effect on
cache hit traffic or requests serviced by Squid and ICAP.

<p>WARNING: If a standard HTTP header name is used, Squid does not check whether
the new header conflicts with any existing headers or violates
HTTP rules. If the request to be modified already contains a
field with the same name, the old field is preserved but the
header field values are not merged.

<p>The field value can be either a token or a quoted string. If the quoted
string format is used, then the surrounding quotes are removed
while escape sequences and %macros are processed.

<p>In theory, all of the <em>logformat</em> codes can be used as %macros.
However, unlike logging (which happens at the very end of the
transaction lifetime), the transaction may not yet have enough
information to expand a macro when the new header value is needed.
And some information may already be available to Squid but not yet
committed where the macro expansion code can access it (please report
such instances!). The macro will be expanded into a single dash
('-') in such cases. Not all macros have been tested.

<p>One or more Squid ACLs may be specified to restrict header
injection to matching requests. As always in squid.conf, all
ACLs in an option ACL list must be satisfied for the insertion
to happen. The <em>request_header_add</em> option supports fast ACLs only.


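<p>The following Python, added here as an example and not part of Squid, works through the value rules above: a token is used verbatim, a quoted string loses its quotes and has escapes and %macros processed, a macro whose information the transaction cannot yet supply becomes '-', every ACL in the rule's list must match, and an existing field of the same name is preserved rather than merged. The macro regex, the escape handling (only backslash-quote and backslash-backslash), the reading that macros are processed only inside quoted strings, and the sample rules and transaction values are assumptions of the example.

```python
"""Model of the request_header_add value rules: token or quoted-string values,
escape processing, %macro expansion with '-' for information the transaction
cannot yet supply, ACL gating, and no merging with existing fields.  Added
example, not Squid code; the macro regex, the escape handling and the
quoted-strings-only macro rule are simplifying assumptions."""

import re
from typing import Dict, List, Sequence, Tuple

# Simplified logformat-style macro: %>a, %un, %ssl::bump_mode, %ssl::>cert_subject ...
MACRO_RE = re.compile(r"%[<>]?[A-Za-z_]+(?:::[<>]?[A-Za-z_]+)?")

# A rule as written in squid.conf: field name, raw value, ACL names ("!acl" negates)
Rule = Tuple[str, str, Sequence[str]]


def parse_value(raw: str) -> Tuple[str, bool]:
    """Return (value, quoted).  A quoted string loses its surrounding quotes
    and has backslash escapes collapsed; a token must contain no whitespace."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        body, out, i = raw[1:-1], [], 0
        while i < len(body):
            if body[i] == "\\" and i + 1 < len(body):
                out.append(body[i + 1])   # backslash-quote -> quote, backslash-backslash -> backslash
                i += 2
            else:
                out.append(body[i])
                i += 1
        return "".join(out), True
    if not raw or any(c.isspace() for c in raw) or '"' in raw:
        raise ValueError(f"not a token or quoted string: {raw!r}")
    return raw, False


def expand_macros(value: str, txn: Dict[str, str]) -> str:
    """Replace each %macro with the transaction's value, or '-' when the
    information is not (yet) available at header-construction time."""
    return MACRO_RE.sub(lambda m: txn.get(m.group(0), "-"), value)


def acls_match(acl_names: Sequence[str], results: Dict[str, bool]) -> bool:
    """All ACLs in the list must match; a leading '!' inverts one ACL."""
    for name in acl_names:
        negated = name.startswith("!")
        matched = results.get(name.lstrip("!"), False)
        if matched == negated:      # plain ACL that failed, or negated ACL that matched
            return False
    return True


def apply_rules(headers: List[Tuple[str, str]], rules: Sequence[Rule],
                txn: Dict[str, str], acl_results: Dict[str, bool]) -> List[Tuple[str, str]]:
    """Return the outgoing header list after request_header_add processing.
    An existing field with the same name is kept; the new field is appended,
    never merged into it."""
    out = list(headers)
    for name, raw_value, acl_names in rules:
        if not acls_match(acl_names, acl_results):
            continue
        value, quoted = parse_value(raw_value)
        if quoted:
            value = expand_macros(value, txn)
        out.append((name, value))
    return out


# Constructed sample rules, transaction state and ACL verdicts.
CONSTRUCTED_RULES: List[Rule] = [
    ("X-Client-Addr", '"%>a"', ["all"]),
    ("X-Bump-Info", '"mode=%ssl::bump_mode user=%un"', ["bumped"]),
    ("X-Quoted", '"say \\"hi\\""', ["all"]),
    ("X-Static", "plain-token", ["all"]),
    ("X-Never", '"x"', ["!all"]),
]
CONSTRUCTED_TXN = {"%>a": "192.0.2.10", "%ssl::bump_mode": "server-first"}  # %un not known yet
CONSTRUCTED_ACLS = {"all": True, "bumped": True}


def demo() -> List[Tuple[str, str]]:
    """Apply the sample rules to a request that already carries X-Static."""
    return apply_rules([("X-Static", "from-client")], CONSTRUCTED_RULES,
                       CONSTRUCTED_TXN, CONSTRUCTED_ACLS)


if __name__ == "__main__":
    for name, value in demo():
        print(f"{name}: {value}")
```

In the sample run the user name macro expands to '-' because authentication details are not yet available when the header is built, the negated ACL suppresses X-Never, and the request ends up with two X-Static fields, exactly the preserved-but-not-merged behaviour the warning above describes.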
<sect>Changes to squid.conf since Squid-3.2
<p>
There have been changes to Squid's configuration file since Squid-3.2.

This section gives a thorough account of those changes in three categories:

<itemize>
<item><ref id="newtags" name="New tags">
<item><ref id="modifiedtags" name="Changes to existing tags">
<item><ref id="removedtags" name="Removed tags">
</itemize>
<p>

<sect1>New tags<label id="newtags">
<p>
<descrip>
<tag>cache_miss_revalidate</tag>
<p>Whether Squid passes through If-Modified-Since and If-None-Match headers on a cache MISS.
Revalidation requests can prevent the cache from gathering objects to HIT on.
<p>Based on the Squid-2.7 <em>ignore_ims_on_miss</em> feature.
<p><em>IMPORTANT:</em> the meaning of the on/off values has changed along with the name since 2.7.

<tag>request_header_add</tag>
<p>New directive to add custom headers to HTTP traffic sent to upstream servers.

<tag>sslproxy_cert_sign</tag>
<p>New option to determine how the client certificate sent to upstream servers is signed.

<tag>sslproxy_cert_adapt</tag>
<p>New option to adapt certain properties of outgoing SSL certificates generated for use when bumping SSL to an upstream server.

</descrip>

<sect1>Changes to existing tags<label id="modifiedtags">
<p>
<descrip>
<tag>acl</tag>
<p>The <em>myport</em> and <em>myip</em> ACL types are replaced with <em>localport</em> and <em>localip</em> respectively,
to reflect that they match the TCP connection details and not the squid.conf port.
This matters when dealing with intercepted traffic, where the Squid receiving port differs from the TCP connection IP:port.
Always use the <em>myportname</em> type to match the squid.conf port details.
<p>New default built-in ACLs for testing SSL certificate properties:
<p><em>ssl::certHasExpired</em>,
<em>ssl::certNotYetValid</em>,
<em>ssl::certDomainMismatch</em>,
<em>ssl::certUntrusted</em>,
<em>ssl::certSelfSigned</em>.

<tag>client_netmask</tag>
<p>IP address 127.0.0.1 (localhost IPv4) is no longer masked.

<tag>external_acl_type</tag>
<p><em>%ACL</em> format tag ported from 2.6.
Sends the name of the ACL being tested to the external helper.
<p><em>%DATA</em> format tag ported from 2.6.
Inserts the ACL arguments at a particular location in the helper input instead of at the end of the line.

<tag>logformat</tag>
<p>New token <em>%ssl::bump_mode</em> to log the SSL-bump mode type performed on a request.
Logs values of: <em>-</em>, <em>none</em>, <em>client-first</em>, or <em>server-first</em>.
<p>New token <em>%ssl::>cert_subject</em> to log the Subject field of an SSL certificate received from the client.
<p>New token <em>%ssl::>cert_issuer</em> to log the Issuer field of an SSL certificate received from the client.

<tag>ssl_bump</tag>
<p>New action types <em>none</em>, <em>client-first</em>, <em>server-first</em>. The default is <em>none</em>.
<p>Use of <em>allow</em>/<em>deny</em> is now deprecated and they should be removed as soon as possible.
To retain the exact same behaviour between 3.3 and older releases replace <em>deny</em> with <em>none</em>,
and <em>allow</em> with <em>client-first</em>. However, upgrading to <em>server-first</em> is recommended.
<p><em>NOTE</em>: Mixing of allow/deny with the new action types is prohibited and will cause Squid to exit with a FATAL error.

</descrip>

<sect1>Removed tags<label id="removedtags">
<p>
<descrip>
<tag>ignore_ims_on_miss</tag>
<p>This option has been replaced by the <em>cache_miss_revalidate</em> feature.

</descrip>


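<p>Upgrading an existing squid.conf for the acl, ssl_bump and ignore_ims_on_miss changes listed above is mechanical enough to script. The Python below is an added example, not a Squid tool: it rewrites allow/deny to the behaviour-preserving client-first/none, renames myport/myip to localport/localip, replaces ignore_ims_on_miss, and reports when a config mixes allow/deny with the new action types, which Squid 3.3 rejects with a FATAL error. The on/off inversion between ignore_ims_on_miss and cache_miss_revalidate is inferred from the two descriptions (ignoring IMS on a miss is the opposite of passing it through) and should be confirmed against squid.conf.documented; the sample config is constructed.

```python
"""Upgrade lint for squid.conf lines affected by the 3.3 changes: deprecated
ssl_bump allow/deny, the myport/myip ACL renames and the removed
ignore_ims_on_miss directive.  Added example, not a Squid tool.  The
ignore_ims_on_miss -> cache_miss_revalidate value inversion is an inference
from the two directives' descriptions; verify before relying on it."""

from typing import List, Tuple

DEPRECATED_BUMP = {"allow": "client-first", "deny": "none"}   # same behaviour as pre-3.3
NEW_BUMP_ACTIONS = {"none", "client-first", "server-first"}
ACL_TYPE_RENAMES = {"myport": "localport", "myip": "localip"}
IMS_TO_REVALIDATE = {"on": "off", "off": "on"}                # assumption, see docstring


def upgrade_line(line: str) -> Tuple[str, List[str]]:
    """Rewrite one squid.conf line to 3.3 syntax; return it with any notes."""
    words = line.split()
    if not words or words[0].startswith("#"):
        return line, []
    directive = words[0]
    if directive == "ssl_bump" and len(words) >= 2 and words[1] in DEPRECATED_BUMP:
        old, new = words[1], DEPRECATED_BUMP[words[1]]
        words[1] = new
        note = f"ssl_bump {old} is deprecated; rewritten to {new}"
        if old == "allow":
            note += " (server-first is the recommended upgrade)"
        return " ".join(words), [note]
    if directive == "acl" and len(words) >= 3 and words[2] in ACL_TYPE_RENAMES:
        old, new = words[2], ACL_TYPE_RENAMES[words[2]]
        words[2] = new
        return " ".join(words), [
            f"acl type {old} renamed to {new}; use myportname to match the squid.conf port"]
    if directive == "ignore_ims_on_miss" and len(words) == 2 and words[1].lower() in IMS_TO_REVALIDATE:
        new_value = IMS_TO_REVALIDATE[words[1].lower()]
        return f"cache_miss_revalidate {new_value}", [
            f"ignore_ims_on_miss {words[1]} replaced by cache_miss_revalidate {new_value} (on/off meaning inverted)"]
    return line, []


def lint_config(text: str) -> Tuple[str, List[str]]:
    """Upgrade a whole config and report issues, flagging the allow/deny vs
    new-action mix that makes Squid 3.3 exit with a FATAL error."""
    out: List[str] = []
    issues: List[str] = []
    deprecated_seen = new_seen = False
    for lineno, line in enumerate(text.splitlines(), 1):
        words = line.split()
        if len(words) >= 2 and words[0] == "ssl_bump":
            deprecated_seen |= words[1] in DEPRECATED_BUMP
            new_seen |= words[1] in NEW_BUMP_ACTIONS
        new_line, notes = upgrade_line(line)
        out.append(new_line)
        issues.extend(f"line {lineno}: {n}" for n in notes)
    if deprecated_seen and new_seen:
        issues.insert(0, "FATAL in 3.3: ssl_bump mixes allow/deny with none/client-first/server-first")
    return "\n".join(out), issues


# Constructed sample config exercising every rewrite plus the fatal mix.
CONSTRUCTED_CONFIG = """\
# constructed sample, not a real deployment
acl localnet src 192.0.2.0/24
acl intercepted myport 3129
acl broken_sites dstdomain .example.net
ssl_bump deny broken_sites
ssl_bump server-first localnet
ssl_bump allow all
ignore_ims_on_miss on"""


if __name__ == "__main__":
    upgraded, issues = lint_config(CONSTRUCTED_CONFIG)
    print(upgraded)
    print("--- issues ---")
    for issue in issues:
        print(issue)
```

On the sample the tool reports the FATAL mix first (the original file combines deny/allow with server-first), then one note per rewritten line; the upgraded output contains only the new action types and so would load under 3.3.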
<sect>Changes to ./configure options since Squid-3.2
<p>
There have been some changes to Squid's build configuration since Squid-3.2.

This section gives an account of those changes in three categories:

<itemize>
<item><ref id="newoptions" name="New options">
<item><ref id="modifiedoptions" name="Changes to existing options">
<item><ref id="removedoptions" name="Removed options">
</itemize>


<sect1>New options<label id="newoptions">
<p>
<descrip>
<p><em>There are no new ./configure options in Squid-3.3.</em>

</descrip>

<sect1>Changes to existing options<label id="modifiedoptions">
<p>
<descrip>
<tag>--enable-kqueue</tag>
<p>The kqueue network I/O module is now built by default when it is available.
This option is no longer required to enable kqueue support,
but if used it will abort the build when kqueue dependencies are missing or broken.

<tag>--disable-kqueue</tag>
<p>The kqueue network I/O module is now built by default when it is available.
This configure option is now needed to disable it. Previously it did nothing.

</descrip>
</p>

<sect1>Removed options<label id="removedoptions">
<p>
<descrip>
<tag>--enable-ntlm-fail-open</tag>
<p>This has not been supported by Squid for several versions.

</descrip>


<sect>Regressions since Squid-2.7

<p>Some squid.conf and ./configure options which were available in Squid-2.7 are not yet available in Squid-3.3.

<p>If you need something to do, then porting one of these from Squid-2 to Squid-3 is most welcome.

<sect1>Missing squid.conf options available in Squid-2.7
<p>
<descrip>
<tag>broken_vary_encoding</tag>
<p>Not yet ported from 2.6

<tag>cache_dir</tag>
<p><em>COSS</em> storage type is lacking stability fixes from 2.6
<p>COSS <em>overwrite-percent=</em> option not yet ported from 2.6
<p>COSS <em>max-stripe-waste=</em> option not yet ported from 2.6
<p>COSS <em>membufs=</em> option not yet ported from 2.6
<p>COSS <em>maxfullbufs=</em> option not yet ported from 2.6

<tag>cache_peer</tag>
<p><em>idle=</em> not yet ported from 2.7
<p><em>monitorinterval=</em> not yet ported from 2.6
<p><em>monitorsize=</em> not yet ported from 2.6
<p><em>monitortimeout=</em> not yet ported from 2.6
<p><em>monitorurl=</em> not yet ported from 2.6

<tag>cache_vary</tag>
<p>Not yet ported from 2.6

<tag>collapsed_forwarding</tag>
<p>Not yet ported from 2.6

<tag>error_map</tag>
<p>Not yet ported from 2.6

<tag>external_refresh_check</tag>
<p>Not yet ported from 2.7

<tag>location_rewrite_access</tag>
<p>Not yet ported from 2.6

<tag>location_rewrite_children</tag>
<p>Not yet ported from 2.6

<tag>location_rewrite_concurrency</tag>
<p>Not yet ported from 2.6

<tag>location_rewrite_program</tag>
<p>Not yet ported from 2.6

<tag>refresh_pattern</tag>
<p><em>stale-while-revalidate=</em> not yet ported from 2.7
<p><em>ignore-stale-while-revalidate=</em> not yet ported from 2.7
<p><em>negative-ttl=</em> not yet ported from 2.7

<tag>refresh_stale_hit</tag>
<p>Not yet ported from 2.7

<tag>storeurl_access</tag>
<p>Not yet ported from 2.7

<tag>storeurl_rewrite_children</tag>
<p>Not yet ported from 2.7

<tag>storeurl_rewrite_concurrency</tag>
<p>Not yet ported from 2.7

<tag>storeurl_rewrite_program</tag>
<p>Not yet ported from 2.7

</descrip>

<sect>Copyright
<p>
Copyright (C) 1996-2017 The Squid Software Foundation and contributors
<p>
Squid software is distributed under GPLv2+ license and includes
contributions from numerous individuals and organizations.
Please see the COPYING and CONTRIBUTORS files for details.

</article>