<!doctype linuxdoc system>
<article>
<title>Squid 3.5.0.4 release notes</title>
<author>Squid Developers</author>

<abstract>
This document contains the release notes for version 3.5 of Squid.
Squid is a WWW Cache application developed by the National Laboratory
for Applied Network Research and members of the Web Caching community.
</abstract>

<toc>

<sect>Notice
<p>
The Squid Team are pleased to announce the release of Squid-3.5.0.4 for testing.

This new release is available for download from <url url="http://www.squid-cache.org/Versions/v3/3.5/"> or the
<url url="http://www.squid-cache.org/Mirrors/http-mirrors.html" name="mirrors">.

<p>Some interesting new features adding system flexibility have been added along with general improvements all around.
While this release is not fully bug-free we believe it is ready for use in production on many systems.

<p>We welcome feedback and bug reports. If you find a bug, please see <url url="http://wiki.squid-cache.org/SquidFaq/BugReporting">
for how to submit a report with a stack trace.

<sect1>Known issues
<p>
Although this release is deemed good enough for use in many setups, please note the existence of
<url url="http://bugs.squid-cache.org/buglist.cgi?query_format=advanced&product=Squid&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&version=3.5" name="open bugs against Squid-3.5">.

<sect1>Changes since earlier releases of Squid-3.5
<p>
The 3.5 change history can be <url url="http://www.squid-cache.org/Versions/v3/3.5/changesets/" name="viewed here">.

<sect1>Copyright disclaimer adjustments
<p>Squid sources are now administered by the Squid Software Foundation on
behalf of the Squid Project and community.

<p>This version of Squid contains initial changes to streamline copyright
declarations in Squid sources and related metafiles. No functionality
or licensing changes are intended.

<p>Once completed, the changes will consistently declare Squid contributors
(listed in CONTRIBUTORS and represented by the Squid Software Foundation) as
Squid copyright owners while referring the reader to the COPYING file for GPL
licensing details. The boilerplate with the above information is provided.

<p>These changes do not affect copyright rights of individuals or organizations.
We are simply confirming the fact that there are many Squid copyright owners,
just like there are many Linux kernel copyright owners. We are also providing
a simple, consistent way to document that fact.


<sect>Major new features since Squid-3.4
<p>Squid 3.5 represents a new feature release above 3.4.

<p>The most important of these new features are:
<itemize>
<item>Support libecap v1.0
<item>Authentication helper query extensions
<item>Support named services
<item>Upgraded squidclient tool
<item>Helper support for concurrency channels
<item>Native FTP Relay
<item>Receive PROXY protocol, Versions 1 & 2
<item>Basic authentication MSNT helper changes
</itemize>

Most user-facing changes are reflected in squid.conf (see below).


<sect1>Support libecap v1.0
<p>Details at <url url="http://wiki.squid-cache.org/Features/eCAP">.

<p>The new libecap version allows Squid to better check the version of
the eCAP adapter being loaded as well as the version of the eCAP library
being used.

<p>Squid-3.5 can support eCAP adapters built with libecap v1.0,
but no longer supports adapters built with earlier libecap versions
due to API changes.

<sect1>Authentication helper query extensions
<p>Details at <url url="http://www.squid-cache.org/Doc/config/auth_param/">.

<p>The new <em>key_extras</em> parameter allows sending of additional
details to the authentication helper beyond the minimum required for
the HTTP authentication. This is primarily intended to allow switching
of authentication databases based on criteria such as client IP subnet,
Squid receiving port, or (in a reverse proxy) the requested domain name.

<p>In theory any <em>logformat</em> code may be used; however, only the
codes whose details are available at the time of authentication
will carry any meaningful value.


<sect1>Support named services
<p>Details at <url url="http://wiki.squid-cache.org/MultipleInstances">.
<p>Terminology details at <url url="http://wiki.squid-cache.org/Features/SmpScale#Terminology">.

<p>The command line option <em>-n</em> assigns a name to the Squid service
instance to be used as a unique identifier for all SMP processes run as
part of that instance. This allows multiple instances of Squid service to
be run on a single machine without background SMP systems such as shared
memory and inter-process communication becoming confused or requiring
additional configuration.

<p>A service name is always used. When the <em>-n</em> option is missing
from the command line the default service name is <em>squid</em>.

<p>When multiple instances are being run the <em>-n</em> service name is
required to target all other options such as <em>-z</em> or <em>-k</em>
commands at the correct service.

<p>The squid.conf macro ${service_name} is added to provide the service name
of the process parsing the config.


<sect1>Upgraded squidclient tool
<p>Details at <url url="http://www.squid-cache.org/Versions/v3/3.5/manuals/squidclient.html">.

<p>The <em>squidclient</em> has begun the process of upgrading to support
protocols other than HTTP.

<sect2>Debug levels
<p>The tool displays the server response message on STDOUT unless the <em>-q</em>
command line option is used. Error messages will be output to STDERR.
All other possible output is considered debug and output to STDERR using
a range of debug verbosity levels (currently 1, 2 and 3).

<p>When the <em>-v</em> command line option is used debugging is enabled.
The level of debug display is raised for each repetition of the option.

<sect2>PING
<p>When <em>--ping</em> is given the tool will send its message repeatedly
using whichever protocol that message has been formatted for.
Optional parameters to limit the number of pings and their frequency are
available.

<p>Older tool versions also provide this feature but require the loop count
parameter to be set to enable use of the feature.

<sect2>HTTPS
<p>When Squid is built with the GnuTLS encryption library the tool is able
to open TLS (or SSL/3.0) connections to servers.

<p>The <em>--https</em> option enables TLS using default values.

<p>The <em>--cert</em> option specifies a file containing X.509 client
certificate and private key in PEM format to be loaded for use. Multiple
certificates are supported and the option may be used multiple times to
load certificates.
The default is not to use a client certificate.

<p>The <em>--params</em> option specifies a library specific set of parameters
to be sent to the library for configuring the security context.
See <url url="http://gnutls.org/manual/html_node/Priority-Strings.html"> for
available GnuTLS parameters.

<p>The <em>--trusted-ca</em> option specifies a file in PEM format containing
one or more Certificate Authority (CA) certificates used to verify the
remote server. This option may be used multiple times to load additional
CA certificate lists.
The default is not to use any CA, nor trust any server.

<p>Anonymous TLS (using non-authenticated Diffie-Hellman or Elliptic Curve
key exchange) is available with the <em>--anonymous-tls</em> option.
The default is to use X.509 certificate authentication instead.

<p>When performing TLS/SSL, server certificates are always verified and the
results are shown at debug level 3. The encryption type in use is displayed
at debug level 2. Note that the connection is used to send and receive the
messages regardless of the verification result: a failed verification is
reported at debug level 3 but does not abort the exchange.


<sect1>Helper support for concurrency channels
<p>Helper concurrency greatly reduces the communication lag between Squid
and its helpers allowing faster transaction speeds even on sequential
helpers.

<p>The Digest authentication, Store-ID, and URL-rewrite helpers packaged
with Squid have been updated to support concurrency channels. They will
auto-detect the <em>channel-ID</em> field and will produce the appropriate
response format.
With these helpers concurrency may now be set to 0 or any higher number as desired.


<sect1>Native FTP Relay
<p>Details at <url url="http://wiki.squid-cache.org/Features/FtpRelay">.

<p>Squid is now capable of accepting native FTP commands and relaying native
FTP messages between FTP clients and FTP servers. Native FTP commands
accepted at ftp_port are internally converted or wrapped into HTTP-like
messages. The same happens to Native FTP responses received from FTP origin
servers. Those HTTP-like messages are shoveled through regular access
control and adaptation layers between the FTP client and the FTP origin
server. This allows Squid to examine, adapt, block, and log FTP exchanges.
Squid reuses most HTTP mechanisms when shoveling wrapped FTP messages. For
example, http_access and adaptation_access directives are used.

<p>FTP Relay is a new, experimental, complex feature that has seen limited
production exposure. Some Squid modules (e.g., caching) do not currently
work with native FTP proxying, and many features have not even been tested
for compatibility. Test well before deploying!

<p>Native FTP proxying differs substantially from proxying HTTP requests with
<em>ftp://</em> URIs because Squid works as an FTP server and receives
actual FTP commands (rather than HTTP requests with FTP URLs).

<p>FTP Relay highlights:
<itemize>
<item>Added ftp_port directive telling Squid to relay native FTP commands.
<item>Active and passive FTP support on the user-facing side; require
passive connections to come from the control connection source IP
address.
<item>IPv6 support (EPSV and, on the user-facing side, EPRT).
<item>Intelligent adaptation of relayed FTP FEAT responses.
<item>Relaying of multi-line FTP control responses using various formats.
<item>Support relaying of FTP MLSD and MLST commands (RFC 3659).
<item>Several Microsoft FTP server compatibility features.
<item>ICAP/eCAP support (at individual FTP command/response level).
<item>Optional "current FTP directory" tracking with the assistance of
injected (by Squid) PWD commands (cannot be 100% reliable due to
symbolic links and such, but is helpful in some common use cases).
<item>No caching support -- no reliable Request URIs for that (see above).
</itemize>

<sect1>Receive PROXY protocol, Versions 1 & 2
<p>More info at <url url="http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt">

<p>PROXY protocol provides a simple way for proxies and tunnels of any kind to
relay the original client source details without having to alter or understand
the protocol being relayed on the connection.

<p>Squid currently supports receiving HTTP traffic from a client proxy using this protocol.
An http_port which has been configured to receive this protocol may only be used to
receive traffic from client software sending in this protocol.
HTTP traffic without the PROXY header is not accepted on such a port.

<p>The <em>accel</em> and <em>intercept</em> options are still used to identify the
traffic syntax being delivered by the client proxy.

<p>Squid can be configured by adding an <em>http_port</em>
with the <em>require-proxy-header</em> mode flag. The <em>proxy_protocol_access</em>
directive must also be configured with <em>src</em> ACLs listing the proxies which are
trusted to send correct client details. Squid treats the relayed address as the
client address, so permit only frontends that are actually trusted.

<p>Forward-proxy traffic from a client proxy:
<verb>
acl frontend src 192.0.2.1
http_port 3128 require-proxy-header
proxy_protocol_access allow frontend
</verb>

<p>Intercepted traffic from a client proxy or tunnel:
<verb>
acl frontend src 192.0.2.2
http_port 3128 intercept require-proxy-header
proxy_protocol_access allow frontend
</verb>

<p>Reverse-proxy traffic from a frontend load balancer sending PROXY protocol:
<verb>
acl frontend src 192.0.2.3
http_port 3128 accel require-proxy-header
proxy_protocol_access allow frontend
</verb>

<p><em>Known Issue:</em>
Use of <em>require-proxy-header</em> on <em>https_port</em> and <em>ftp_port</em> is not supported.
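<p>The Python below is an added example, not part of these release notes or of the Squid code base. It builds and parses PROXY protocol v1 and v2 headers as a frontend would send them, and models what a port flagged <em>require-proxy-header</em> does with a new connection: the TCP peer is first checked against the trusted frontends that <em>proxy_protocol_access</em> would express as <em>src</em> ACLs, then the header is parsed and its relayed source address becomes the client address; a connection that starts with plain HTTP is rejected, as described above. The addresses, ports, trusted-network list and the <em>effective_client</em> helper are assumptions made for the demonstration.

```python
"""PROXY protocol v1/v2 header builder and parser, plus the trust check that
proxy_protocol_access performs.  Added example; not Squid's own code."""
import ipaddress
import struct

V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # 12-byte magic that starts every v2 header
V1_MAX_LINE = 107                           # longest legal v1 line, CRLF included


def build_v1(src_ip, dst_ip, src_port, dst_port):
    """Human-readable v1 header, as a PROXY-speaking frontend would send it."""
    fam = "TCP6" if ipaddress.ip_address(src_ip).version == 6 else "TCP4"
    return f"PROXY {fam} {src_ip} {dst_ip} {src_port} {dst_port}\r\n".encode("ascii")


def build_v2(src_ip, dst_ip, src_port, dst_port):
    """Binary v2 header: signature, version/command, family/proto, length, addresses."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("source and destination address families differ")
    fam_proto = 0x11 if src.version == 4 else 0x21    # INET/STREAM or INET6/STREAM
    addrs = src.packed + dst.packed + struct.pack("!HH", src_port, dst_port)
    return V2_SIGNATURE + bytes([0x21, fam_proto]) + struct.pack("!H", len(addrs)) + addrs


def parse_proxy_header(data):
    """Return (info, remaining_bytes).  info["command"] is "PROXY" when client
    details are carried, or "LOCAL" for a health-check style connection.
    Raises ValueError when the connection does not start with a PROXY header."""
    if data.startswith(V2_SIGNATURE):
        if len(data) < 16:
            raise ValueError("truncated v2 header")
        ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
        if ver_cmd >> 4 != 2:
            raise ValueError("unsupported PROXY version %d" % (ver_cmd >> 4))
        body, rest = data[16:16 + length], data[16 + length:]
        if len(body) < length:
            raise ValueError("truncated v2 address block")
        if ver_cmd & 0x0F == 0:                       # LOCAL: no client address carried
            return {"version": 2, "command": "LOCAL"}, rest
        if fam_proto & 0x0F != 1:
            raise ValueError("only STREAM transport is supported")
        if fam_proto >> 4 == 1 and length >= 12:
            s, d, sp, dp = struct.unpack("!4s4sHH", body[:12])
        elif fam_proto >> 4 == 2 and length >= 36:
            s, d, sp, dp = struct.unpack("!16s16sHH", body[:36])
        else:
            raise ValueError("unsupported address family or short address block")
        return {"version": 2, "command": "PROXY",
                "src": str(ipaddress.ip_address(s)), "dst": str(ipaddress.ip_address(d)),
                "src_port": sp, "dst_port": dp}, rest
    if data.startswith(b"PROXY "):
        end = data.find(b"\r\n")
        if end < 0 or end + 2 > V1_MAX_LINE:
            raise ValueError("v1 line missing CRLF or too long")
        fields = data[6:end].decode("ascii").split(" ")
        rest = data[end + 2:]
        if fields[0] == "UNKNOWN":                    # v1 equivalent of LOCAL
            return {"version": 1, "command": "LOCAL"}, rest
        if len(fields) != 5 or fields[0] not in ("TCP4", "TCP6"):
            raise ValueError("malformed v1 header")
        fam, s, d, sp, dp = fields
        want = 4 if fam == "TCP4" else 6
        if ipaddress.ip_address(s).version != want or ipaddress.ip_address(d).version != want:
            raise ValueError("address does not match declared family")
        sp, dp = int(sp), int(dp)
        if not (0 <= sp <= 65535 and 0 <= dp <= 65535):
            raise ValueError("port out of range")
        return {"version": 1, "command": "PROXY", "src": s, "dst": d,
                "src_port": sp, "dst_port": dp}, rest
    raise ValueError("connection does not start with a PROXY header")


def effective_client(peer_ip, data, trusted_frontends):
    """Model of an http_port with require-proxy-header (assumed helper).
    peer_ip is the TCP peer (the frontend); trusted_frontends is what the
    proxy_protocol_access src ACL allows.  Returns (client_ip, client_port, rest)."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(net, strict=False) for net in trusted_frontends):
        raise PermissionError("peer %s denied by proxy_protocol_access" % peer_ip)
    info, rest = parse_proxy_header(data)       # ValueError: plain HTTP is not accepted here
    if info["command"] == "LOCAL":
        return peer_ip, None, rest              # nothing relayed: the frontend is the client
    return info["src"], info["src_port"], rest


if __name__ == "__main__":
    # Constructed sample: a trusted frontend at 192.0.2.1 relays a client at 192.0.2.10.
    wire = build_v1("192.0.2.10", "198.51.100.5", 40123, 3128) + b"GET / HTTP/1.1\r\n"
    print(effective_client("192.0.2.1", wire, ["192.0.2.1/32"]))
```

The trust check runs before the header is parsed on purpose: a port that accepts PROXY headers from arbitrary peers lets any host that can reach it claim any client address, which is exactly what the <em>src</em> ACL on <em>proxy_protocol_access</em> prevents.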


<sect1>Basic authentication MSNT helper changes

<p>The authentication helper previously known as <em>basic_msnt_auth</em> has
been deprecated and renamed to <em>basic_smb_lm_auth</em> to reflect that
it only performs SMB LanMan protocol(s) instead of modern MS authentication
protocols.

<p>The <em>basic_smb_lm_auth</em> helper has been remodelled and no longer uses
configuration files. The Domain Controller servers are now configured via
command line parameters and user credentials are looked up in each DC in the
order configured until one matches or all have confirmed a non-match.

<p>The <em>MSNT-multi-domain</em> helper provides the same functionality and
is also deprecated. It will be removed in the Squid-3.6 series.



<sect>Changes to squid.conf since Squid-3.4
<p>
There have been changes to Squid's configuration file since Squid-3.4.

<p>Squid supports reading configuration option parameters from external
files using the syntax <em>parameters("/path/filename")</em>. For example:
<verb>
acl whitelist dstdomain parameters("/etc/squid/whitelist.txt")
</verb>

<p>The squid.conf macro <em>${service_name}</em> is added to provide the service name
of the process parsing the config.

<p>There have also been changes to individual directives in the config file.

This section gives a thorough account of those changes in three categories:

<itemize>
<item><ref id="newtags" name="New tags">
<item><ref id="modifiedtags" name="Changes to existing tags">
<item><ref id="removedtags" name="Removed tags">
</itemize>
<p>

<sect1>New tags<label id="newtags">
<p>
<descrip>
<tag>collapsed_forwarding</tag>
<p>Ported from Squid-2 with no configuration or visible behaviour changes.
Collapsing of requests is performed across SMP workers.

<tag>ftp_client_idle_timeout</tag>
<p>This new configuration directive controls how long Squid should
wait for an FTP request on a client connection to an <em>ftp_port</em>. Many FTP
clients do not deal with idle connection closures well,
necessitating a longer default timeout (30 minutes) than
client_idle_pconn_timeout used for incoming HTTP requests (2
minutes). The current default may be changed as we get more
experience with FTP relaying.

<tag>ftp_port</tag>
<p>New configuration directive to accept and relay native FTP
commands. Typically used for port 21 traffic. By default, native
FTP commands are not accepted.

<tag>proxy_protocol_access</tag>
<p>New directive to control which clients are permitted to open PROXY
protocol connections on a port flagged with <em>require-proxy-header</em>.

<tag>send_hit</tag>
<p>New configuration directive to enable/disable sending cached content
based on ACL selection. ACL can be based on client request or cached
response details.

<tag>sslproxy_cert_sign_hash</tag>
<p>New directive to set the hashing algorithm to use when signing generated certificates.

<tag>sslproxy_session_cache_size</tag>
<p>New directive which sets the cache size to use for TLS/SSL sessions cache.

<tag>sslproxy_session_ttl</tag>
<p>New directive to specify the time in seconds the TLS/SSL session is valid.

<tag>store_id_extras</tag>
<p>New directive to send additional lookup parameters to the configured
Store-ID helper program. It takes a string which may contain logformat %macros.
<p>The Store-ID helper input format is now:
<verb>
[channel-ID] url [extras]
</verb>
<p>The default value for extras is: "%>a/%>A %un %>rm myip=%la myport=%lp"

<tag>store_miss</tag>
<p>New configuration directive to enable/disable caching of MISS responses.
ACL can be based on any request or response details.

<tag>url_rewrite_extras</tag>
<p>New directive to send additional lookup parameters to the configured
URL-rewriter/redirector helper program. It takes a string which may
contain logformat %macros.
<p>The url rewrite and redirector helper input format is now:
<verb>
[channel-ID] url [extras]
</verb>
<p>The default value for extras is: "%>a/%>A %un %>rm myip=%la myport=%lp"

</descrip>
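<p>The following Python helper is an added example, not one of the helpers shipped with Squid. It handles the <em>[channel-ID] url [extras]</em> input line shared by the Store-ID and URL-rewrite helpers described under <em>store_id_extras</em> and <em>url_rewrite_extras</em> above, using the channel-ID auto-detection that the concurrency-channel support in the "Helper support for concurrency channels" section relies on: an all-digit first token is taken as the channel and echoed back on the reply. The policy tables (CDN host aliases, canonical store-id host, blocked host and block page) and the <em>respond</em> entry point are assumptions for the demonstration; the default extras layout it parses is the one quoted above.

```python
"""Squid-3.5 style helper supporting concurrency channels and the extras
field, usable as a Store-ID helper or a URL-rewriter.  Added example; not a
helper bundled with Squid.  Input line format: [channel-ID] url [extras]"""
import sys
from urllib.parse import urlsplit, urlunsplit

# Constructed, hypothetical policy tables for the demonstration.
CDN_ALIASES = {"cdn1.example.com", "cdn2.example.com"}   # mirrors of the same content
STORE_ID_HOST = "cdn.example.com.squid.internal"        # canonical host for the cache key
BLOCKED_HOSTS = {"badsite.example"}
BLOCK_PAGE = "http://blocked.example/"


def parse_line(line):
    """Split '[channel-ID] url [extras]'.  The channel ID is present only when
    squid.conf sets concurrency=N and is detected as an all-digit first token.
    Extras are assumed to use the default layout
    '%>a/%>A %un %>rm myip=%la myport=%lp'; missing fields are tolerated."""
    fields = line.rstrip("\r\n").split(" ")
    channel = None
    if fields[0].isdigit():
        channel = int(fields[0])
        fields = fields[1:]
    url = fields[0] if fields and fields[0] else None
    extras = {}
    if len(fields) > 1:
        extras["client"] = fields[1]          # %>a/%>A: client IP / reverse name
    if len(fields) > 2:
        extras["user"] = fields[2]            # %un: user name, "-" when none
    if len(fields) > 3:
        extras["method"] = fields[3]          # %>rm: request method
    for kv in fields[4:]:                     # myip=... myport=... key/value pairs
        if "=" in kv:
            key, value = kv.split("=", 1)
            extras[key] = value
    return {"channel": channel, "url": url, "extras": extras}


def store_id_for(url):
    """Map mirrored CDN hostnames onto one store-id so they share a cache entry."""
    parts = urlsplit(url)
    if parts.hostname in CDN_ALIASES:
        return urlunsplit((parts.scheme, STORE_ID_HOST, parts.path, parts.query, ""))
    return None


def rewrite_for(url):
    """Redirect requests for a blocked host to the block page; None otherwise."""
    if urlsplit(url).hostname in BLOCKED_HOSTS:
        return 'status=302 url="%s"' % BLOCK_PAGE
    return None


def respond(line, mode):
    """Build the reply for one request line; mode is "store-id" or "rewrite".
    Every input line must get exactly one reply carrying the same channel ID,
    otherwise Squid keeps waiting on that channel.  BH signals a helper-side
    failure rather than a deliberate ERR (no change) answer."""
    req = parse_line(line)
    prefix = "" if req["channel"] is None else "%d " % req["channel"]
    if req["url"] is None:
        return prefix + 'BH message="missing URL"'
    if mode == "store-id":
        sid = store_id_for(req["url"])
        body = 'OK store-id="%s"' % sid if sid else "ERR"
    else:
        rw = rewrite_for(req["url"])
        body = "OK " + rw if rw else "ERR"
    return prefix + body


def main(mode):
    for line in sys.stdin:                    # one request per line, possibly interleaved channels
        sys.stdout.write(respond(line, mode) + "\n")
        sys.stdout.flush()                    # replies must not sit in a stdio buffer


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "store-id")
```

Because replies carry the channel ID, Squid can have several requests outstanding on one helper process and match each answer to its request regardless of order; the same helper works unchanged with concurrency set to 0, where no channel token is sent and none is echoed.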

<sect1>Changes to existing tags<label id="modifiedtags">
<p>
<descrip>
<tag>acl</tag>
<p>Deprecated type <em>tag</em>. Use type <em>note</em> with 'tag' key
name instead.
<p>New type <em>adaptation_service</em> to match the name of any
icap_service, ecap_service, adaptation_service_set, or
adaptation_service_chain that Squid has used (or attempted to use)
for the HTTP transaction so far.
<p>New type <em>at_step</em> to match the current SSL-Bump processing step.
Never matches and should not be used outside of <em>ssl_bump</em>.

<tag>auth_param</tag>
<p>New parameter <em>key_extras</em> to send additional parameters to
the authentication helper.

<tag>cache_dir</tag>
<p>New support for larger than 32KB objects in both <em>rock</em> type
cache and shared memory cache.
<p>New <em>slot-size=N</em> option for rock cache to specify the database
slot/page size when small slot sizes are desired. The default and
maximum slot size is 32KB.
<p>Removal of old rock cache dir followed by <em>squid -z</em> is required
when upgrading from earlier versions of Squid.
<p><em>COSS</em> storage type is formally replaced by Rock storage type.
COSS storage type and all COSS specific options are removed.

<tag>cache_peer</tag>
<p>New <em>standby=N</em> option to retain a set of N open and unused
connections to the peer at virtually all times to reduce TCP handshake
delays.
<p>These connections differ from HTTP persistent connections in that they
have not been used for HTTP messaging (and may never be). They may be
turned into persistent connections after their first use subject to the
same keep-alive criteria any HTTP connection is checked for.
<p>Squid-2 option <em>idle=</em> replaced by <em>standby=</em>.
<p>NOTE that standby connections are started earlier and available in
more circumstances than squid-2 idle connections were. They are
also spread over all IPs of the peer.

<tag>configuration_includes_quoted_values</tag>
<p>Regex pattern values cannot be parsed in parts of squid.conf when this
directive is configured to <em>ON</em>. Instead of quoted strings Squid
now accepts regex \-escaped characters (including escaped spaces) in all
regex patterns.

<tag>external_acl_type</tag>
<p>New format code <em>%ssl::>sni</em> to send SSL client SNI.
<p>New format code <em>%ssl::<cert_subject</em> to send SSL server certificate DN.
<p>New format code <em>%ssl::<cert_issuer</em> to send SSL server certificate issuer DN.
<p>New response kv-pair <em>clt_conn_tag=</em> to associate a given tag with the client TCP connection.

<tag>forward_max_tries</tag>
<p>Default value increased to <em>25 destinations</em> to allow better
contact and IPv4 failover with domains using long lists of IPv6
addresses.

<tag>ftp_epsv</tag>
<p>Converted into an Access List with allow/deny value driven by ACLs
using Squid standard first line wins matching basis.
<p>The old values of <em>on</em> and <em>off</em> imply <em>allow all</em>
and <em>deny all</em> respectively and are now deprecated.
Do not combine use of on/off values with ACL configuration.

<tag>http_port</tag>
<p><em>protocol=</em> option altered to accept protocol version details.
Currently supported values are: HTTP, HTTP/1.1, HTTPS, HTTPS/1.1
<p>New option <em>require-proxy-header</em> to mark ports receiving PROXY
protocol version 1 or 2 traffic.

<tag>https_port</tag>
<p><em>protocol=</em> option altered to accept protocol version details.
Currently supported values are: HTTP, HTTP/1.1, HTTPS, HTTPS/1.1

<tag>logformat</tag>
<p>New format code <em>%credentials</em> to log the client credentials token.
<p>New format code <em>%ssl::>sni</em> to log the TLS client SNI sent to Squid.
<p>New format code <em>%tS</em> to log transaction start time in
"seconds.milliseconds" format, similar to the existing access.log
"current time" field (%ts.%03tu) which logs the corresponding
transaction finish time.
<p>New format codes <em>%<rs</em> and <em>%>rs</em> to log request URL
scheme from client or sent to server/peer respectively.
<p>New format codes <em>%<rd</em> and <em>%>rd</em> to log request URL
domain from client or sent to server/peer respectively.
<p>New format codes <em>%<rP</em> and <em>%>rP</em> to log request URL
port from client or sent to server/peer respectively.

<tag>ssl_bump</tag>
<p>Bumping 'modes' redesigned as 'actions' and ACLs evaluated repeatedly in a number of steps.
<p>Renamed <em>server-first</em> as <em>bump</em> action.
<p>Renamed <em>none</em> as <em>splice</em> action.
<p>New actions <em>peek</em> and <em>stare</em> to receive the client or server
certificate while preserving the ability to decide later between bumping
or splicing the connections.
<p>New action <em>terminate</em> to close the client and server connections.

<tag>url_rewrite_program</tag>
<p>New response kv-pair <em>clt_conn_tag=</em> to associate a given tag with the client TCP connection.

</descrip>

<sect1>Removed tags<label id="removedtags">
<p>
<descrip>
<tag>cache_dns_program</tag>
<p>DNS external helper interface has been removed. It was no longer
able to provide high performance service, and the internal DNS
client library with multicast DNS covers all modern use-cases.

<tag>dns_children</tag>
<p>DNS external helper interface has been removed.

<tag>hierarchy_stoplist</tag>
<p>Removed. The old directive values prohibiting CGI and dynamic content
going to cache_peer are no longer relevant.
<p>The functionality provided by this directive can be configured
using <em>always_direct allow</em> if still needed.

</descrip>


<sect>Changes to ./configure options since Squid-3.4
<p>
There have been some changes to Squid's build configuration since Squid-3.4.

This section gives an account of those changes in three categories:

<itemize>
<item><ref id="newoptions" name="New options">
<item><ref id="modifiedoptions" name="Changes to existing options">
<item><ref id="removedoptions" name="Removed options">
</itemize>


<sect1>New options<label id="newoptions">
<p>
<descrip>
<tag>BUILDCXX=</tag>
<p>Used when cross-compiling Squid.
<p>The path and name of a compiler for building cf_gen and related
tools used in the compile process.

<tag>BUILDCXXFLAGS=</tag>
<p>Used when cross-compiling Squid.
<p>C++ compiler flags used for building cf_gen and related
tools used in the compile process.

<tag>--without-gnutls</tag>
<p>New option to explicitly disable use of GnuTLS encryption library.
Use of this library is auto-enabled if v3.1.5 or later is available.
<p>It is currently only used by the squidclient tool.

<tag>--without-mit-krb5</tag>
<p>New option to explicitly disable use of MIT Kerberos library.
Default is to auto-detect and use if possible.
<p>Only one Kerberos library may be built against.

<tag>--without-heimdal-krb5</tag>
<p>New option to explicitly disable use of Heimdal Kerberos library.
Default is to auto-detect and use if possible.
<p>Only one Kerberos library may be built against.

<tag>--without-gnugss</tag>
<p>New option to explicitly disable use of GNU GSSAPI library for Kerberos.
Default is to auto-detect and use if possible.
<p>Only one Kerberos library may be built against.

</descrip>

<sect1>Changes to existing options<label id="modifiedoptions">
<p>
<descrip>
<tag>--enable-icap-client</tag>
<p>Deprecated. ICAP client is now auto-enabled.
Use --disable-icap-client to disable if you need to.

</descrip>
</p>

<sect1>Removed options<label id="removedoptions">
<p>
<descrip>
<tag>--disable-internal-dns</tag>
<p>DNS external helper interface has been removed. It was no longer
able to provide high performance service, and the internal DNS
client library with multicast DNS covers all modern use-cases.

<tag>--enable-ssl</tag>
<p>Removed. Use <em>--with-openssl</em> to enable OpenSSL library support.

<tag>--with-coss-membuf-size</tag>
<p>The COSS cache type has been removed.
It has been replaced by <em>rock</em> cache type.

<tag>--with-krb5-config</tag>
<p>Removed. The Kerberos library is auto-detected now.
<p>Use <em>--with/--without-mit-krb5</em>, <em>--with/--without-heimdal-krb5</em>, or
<em>--with/--without-gnugss</em> options for specific library selection if necessary.

</descrip>


<sect>Regressions since Squid-2.7

<p>Some squid.conf options which were available in Squid-2.7 are not yet available in Squid-3.5

<p>If you need something to do then porting one of these from Squid-2 to Squid-3 is most welcome.

<sect1>Missing squid.conf options available in Squid-2.7
<p>
<descrip>
<tag>broken_vary_encoding</tag>
<p>Not yet ported from 2.6

<tag>cache_peer</tag>
<p><em>monitorinterval=</em> not yet ported from 2.6
<p><em>monitorsize=</em> not yet ported from 2.6
<p><em>monitortimeout=</em> not yet ported from 2.6
<p><em>monitorurl=</em> not yet ported from 2.6

<tag>cache_vary</tag>
<p>Not yet ported from 2.6

<tag>error_map</tag>
<p>Not yet ported from 2.6

<tag>external_refresh_check</tag>
<p>Not yet ported from 2.7

<tag>location_rewrite_access</tag>
<p>Not yet ported from 2.6

<tag>location_rewrite_children</tag>
<p>Not yet ported from 2.6

<tag>location_rewrite_concurrency</tag>
<p>Not yet ported from 2.6

<tag>location_rewrite_program</tag>
<p>Not yet ported from 2.6

<tag>refresh_pattern</tag>
<p><em>stale-while-revalidate=</em> not yet ported from 2.7
<p><em>ignore-stale-while-revalidate=</em> not yet ported from 2.7
<p><em>negative-ttl=</em> not yet ported from 2.7

<tag>refresh_stale_hit</tag>
<p>Not yet ported from 2.7

<tag>update_headers</tag>
<p>Not yet ported from 2.7

</descrip>

<sect>Copyright
<p>
Copyright (C) 1996-2015 The Squid Software Foundation and contributors
<p>
Squid software is distributed under GPLv2+ license and includes
contributions from numerous individuals and organizations.
Please see the COPYING and CONTRIBUTORS files for details.

</article>