]>
Commit | Line | Data |
---|---|---|
4d0832d7 AJ |
1 | <!doctype linuxdoc system> |
2 | <article> | |
04add666 | 3 | <title>Squid 4.17 release notes</title> |
4d0832d7 AJ |
4 | <author>Squid Developers</author> |
5 | ||
6 | <abstract> | |
183b876f | 7 | This document contains the release notes for version 4 of Squid. |
4d0832d7 AJ |
8 | Squid is a WWW Cache application developed by the National Laboratory |
9 | for Applied Network Research and members of the Web Caching community. | |
10 | </abstract> | |
11 | ||
12 | <toc> | |
13 | ||
14 | <sect>Notice | |
04add666 | 15 | <p>The Squid Team are pleased to announce the release of Squid-4.17. |
4d0832d7 | 16 | |
183b876f | 17 | This new release is available for download from <url url="http://www.squid-cache.org/Versions/v4/"> or the |
71f0186a | 18 | <url url="http://www.squid-cache.org/Download/http-mirrors.html" name="mirrors">. |
4d0832d7 | 19 | |
4d0832d7 AJ |
20 | <p>We welcome feedback and bug reports. If you find a bug, please see <url url="http://wiki.squid-cache.org/SquidFaq/BugReporting"> |
21 | for how to submit a report with a stack trace. | |
22 | ||
23 | <sect1>Known issues | |
3cd71470 AJ |
24 | <p>Although this release is deemed good enough for use in production, please note the existence of |
25 | <url url="http://bugs.squid-cache.org/buglist.cgi?query_format=advanced&product=Squid&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&version=4" name="open bugs against Squid-4">. | |
4d0832d7 | 26 | |
1377f2b1 | 27 | <p>This release adds a dependency on C++11 support in any compiler used to build Squid. |
4dd2c9d6 | 28 | As a result older C++03 -only and most C++0x compilers will no longer build successfully. |
a9d17dfc | 29 | GCC 4.9+ and Clang 3.5+ are known to have working C++11 support and are usable. |
4dd2c9d6 AJ |
30 | GCC-4.8 will also build for now despite lack of full C++11 support, but some future features may not be available. |
31 | ||
7b84ebcc AJ |
32 | <p>This release does not support LibreSSL. |
33 | Due to a bug in the way LibreSSL uses the OpenSSL version macro some changes | |
34 | necessary to support OpenSSL 1.1 prevent building with LibreSSL. | |
35 | ||
36 | ||
183b876f | 37 | <sect1>Changes since earlier releases of Squid-4 |
4d0832d7 | 38 | <p> |
183b876f | 39 | The Squid-4 change history can be <url url="http://www.squid-cache.org/Versions/v4/changesets/" name="viewed here">. |
4d0832d7 AJ |
40 | |
41 | ||
42 | <sect>Major new features since Squid-3.5 | |
183b876f | 43 | <p>Squid 4 represents a new feature release above 3.5. |
4d0832d7 AJ |
44 | |
45 | <p>The most important of these new features are: | |
46 | <itemize> | |
9a258777 | 47 | <item>Configurable helper queue size |
1377f2b1 | 48 | <item>Helper concurrency channels changes |
0e5c14da | 49 | <item>SSL support removal |
b817c20f | 50 | <item>Helper Binary Changes |
4dd2c9d6 | 51 | <item>Secure ICAP |
4dd2c9d6 | 52 | <item>Improved SMP support |
fbcef294 | 53 | <item>Improved process management |
7b84ebcc | 54 | <item>Initial GnuTLS support |
f1dfef29 | 55 | <item>ESI Custom Parser removal |
4d0832d7 AJ |
56 | </itemize> |
57 | ||
58 | Most user-facing changes are reflected in squid.conf (see below). | |
59 | ||
60 | ||
6825b101 | 61 | <sect1>Configurable helper queue size |
76b18386 | 62 | <p>The new <em>queue-size=N</em> option to helpers configuration, allows users |
4dd2c9d6 | 63 | to configure the maximum number of queued requests to busy helpers. |
4d0832d7 | 64 | |
32fd6d8a | 65 | <sect1>Helper concurrency channels changes |
4dd2c9d6 AJ |
66 | <p>helper-mux.pl we have been distributing for the past few years to |
67 | encourage use of concurrency is no longer compatible with Squid. If | |
68 | used it will spawn up to 2^64 helpers and DoS the Squid server. | |
69 | ||
70 | <p>Helpers utilizing arrays to handle fixed amounts of concurrency | |
71 | channels MUST be re-written to use queues and capable of handling a | |
72 | 64-bit int as index or they will be vulnerable to buffer overrun and | |
73 | arbitrary memory accesses. | |
32fd6d8a | 74 | |
4dd2c9d6 AJ |
75 | <p>32-bit helpers need re-writing to handle the concurrency channel ID |
76 | as a 64-bit integer value. If not updated they will cause proxies to | |
77 | return unexpected results or timeout once crossing the 32-bit wrap | |
78 | boundary. Leading to undefined behaviour in the client HTTP traffic. | |
32fd6d8a | 79 | |
9a258777 | 80 | |
0e5c14da | 81 | <sect1>SSL support removal |
9a258777 | 82 | <p>Details in <url url="https://tools.ietf.org/html/rfc6176" name="RFC 6176"> |
0e5c14da | 83 | and <url url="https://tools.ietf.org/html/rfc7568" name="RFC 7568"> |
9a258777 AJ |
84 | |
85 | <p>SSLv2 is not fit for purpose. Squid no longer supports being configured with | |
4dd2c9d6 AJ |
86 | any settings regarding this protocol. That includes settings manually disabling |
87 | its use since it is now forced to disable by default. Also settings enabling | |
88 | various client/server workarounds specific to SSLv2 are removed. | |
9a258777 | 89 | |
0e5c14da | 90 | <p>SSLv3 is not fit for purpose. Squid still accepts configuration, but use |
4dd2c9d6 AJ |
91 | is deprecated and will be removed entirely in a future version. |
92 | Squid default behavour is to follow the TLS built in negotiation mechanism | |
93 | which prefers the latest TLS version. But also to accept downgrades to SSLv3. | |
94 | Use <em>tls-options=NO_SSLv3</em> to disable SSLv3 support completely. | |
0e5c14da | 95 | |
4dd2c9d6 AJ |
96 | <p>A new option <em>tls-min-version=1.N</em> is added in place of <em>sslversion=</em> |
97 | to configure the minimum version the TLS negotiation will allow to be used | |
98 | when an old TLS version is requested by the remote endpoint. | |
9a258777 | 99 | |
435c72b0 | 100 | <p>The system Trusted CAs are no longer used by default when verifying client |
3cd71470 AJ |
101 | certificates. The <em>cafile=</em> option should be used instead to |
102 | explicitly load the specific CA which signed acceptible client certificates, | |
435c72b0 AJ |
103 | even if that CA is one of the system Trusted CAs. |
104 | The <em>tls-default-ca</em> option can be used to restore the old | |
3cd71470 | 105 | behaviour if needed. |
435c72b0 | 106 | |
8f0e29d2 | 107 | |
b817c20f AJ |
108 | <sect1>Helper Binary Changes |
109 | <p>The <em>basic_msnt_multi_domain_auth</em> helper has been removed. The | |
110 | <em>basic_smb_lm_auth</em> helper performs the same actions without extra | |
111 | Perl and Samba dependencies. | |
112 | ||
e90ce3d1 | 113 | <p>The <em>cert_valid.pl</em> testing helper has been renamed to |
bbf79f12 | 114 | <em>security_fake_certverify</em>, reflecting the Squid helper naming schema |
e90ce3d1 AJ |
115 | and that it does not actually perform any certificate checks. |
116 | ||
8732ea9d AJ |
117 | <p>The <em>security_fake_certverify</em> helper is also now built and installed |
118 | by default. It is written in Perl so does not require OpenSSL dependencies | |
119 | for installation. But does use the Perl Crypt::OpenSSL::X509 module for execution. | |
120 | Building the helper can be controlled using the <em>--enable-security-cert-validators="fake"</em> | |
121 | option. | |
122 | ||
cb0b3d63 AJ |
123 | <p>The <em>ssl_crtd</em> helper has been renamed to <em>security_file_certgen</em> |
124 | and is now built and installed by default whenever OpenSSL support is enabled. | |
125 | Building the helper can be controlled using the <em>--enable-security-cert-generators="file"</em> | |
126 | option. | |
3cd71470 AJ |
127 | |
128 | <p>NOTE: The <em>--enable-ssl-crtd</em> option is still required to enable the | |
cb0b3d63 AJ |
129 | <em>sslcrtd_program</em> helper interface within Squid that uses the helper. |
130 | ||
b817c20f AJ |
131 | <p>The <em>ntlm_smb_lm_auth</em> helper is now built using <em>--enable-auth-ntlm="SMB_LM"</em>. |
132 | Notice the upper case where it was previously a (wrongly) lower cased acronym. | |
4d0832d7 AJ |
133 | |
134 | ||
4dd2c9d6 AJ |
135 | <sect1>Secure ICAP |
136 | <p>ICAP services can now be used over TLS connections. | |
137 | ||
138 | <p>To mark an ICAP service as secure, use an <em>icaps://</em> service URI scheme when | |
139 | listing your service via an icap_service directive. The industry is using a | |
68bdae93 AJ |
140 | <em>Secure ICAP</em> term, and Squid follows that convention, but <em>icaps</em> seems more |
141 | appropriate for a <em>scheme</em> name. | |
4dd2c9d6 AJ |
142 | |
143 | <p>Squid uses <em>port 11344</em> for Secure ICAP by default, following another popular | |
144 | proxy convention. The old 1344 default for plain ICAP ports has not changed. | |
145 | ||
146 | ||
4dd2c9d6 AJ |
147 | <sect1>Improved SMP support |
148 | <p>Use of C++11 atomic operations instead of GNU atomics allows a wider range of | |
149 | operating systems and compilers to build Squid SMP and multi-process features. | |
3cd71470 AJ |
150 | However this does require a C++11 compiler with a recent version of the C++ |
151 | standard library. | |
4dd2c9d6 AJ |
152 | |
153 | <p>IpcIo and Mmapped disk I/O modules are now auto-detected properly which | |
154 | enables Rock storage on more systems by default than previously. | |
155 | ||
156 | ||
fbcef294 AJ |
157 | <sect1>Improved process management |
158 | <p>Squid is traditionally refered to as a daemon. But is actually a combination | |
159 | of daemon and daemon manager processes. This has caused significant problems | |
160 | integrating it with other third-party daemon managers. | |
161 | ||
162 | <p>The Squid process which places its PID into the squid.pid file has always | |
163 | been the process to which control signals are sent. The manager process is | |
df200055 MM |
164 | now taking on signal handling instead of the main daemon process. Enabling |
165 | integration with daemon managers such as Upstart or systemd which assume the | |
fbcef294 AJ |
166 | process they initiated is the daemon with a PID to control. |
167 | ||
d73c6e83 AW |
168 | <p>The squid binary now has a new <em>--foreground</em> command line option, |
169 | which (only) prevents daemonizing the master process. | |
170 | Unlike the old <em>-N</em> option, | |
fbcef294 | 171 | <em>--foreground</em> supports SMP workers and multi-process features. |
df200055 MM |
172 | <em>--foreground</em> is particularly useful for use with <em>-z</em> (disk |
173 | cache structures creation), as it allows the caller to wait until Squid has | |
174 | finished. | |
fbcef294 | 175 | |
b5391492 AJ |
176 | <p>The squid binary now accepts a <em>--kid</em> command line option which |
177 | informs the process which role it is to take on. This aids with debugging | |
178 | SMP issues with specific process types and resolves some SMP forking issues. | |
179 | ||
fbcef294 | 180 | |
7b84ebcc | 181 | <sect1>Initial GnuTLS support |
2db9989c AJ |
182 | <p>Squid can now be built to use GnuTLS in place of OpenSSL for the core |
183 | features of receiving TLS connections from clients and making TLS | |
184 | connections to servers. The GnuTLS support is still very much experimental | |
185 | and should be tested before use. | |
186 | ||
187 | <p>SSL-Bump and certificate generation features are not yet supported by | |
188 | GnuTLS builds. Nor are many other less commonly used Squid TLS/SSL features. | |
7b84ebcc AJ |
189 | |
190 | <p><em>squid.conf</em> directives and configuration options which have undergone | |
191 | name changes from 'ssl' to 'tls' prefix in Squid-4 have GnuTLS support, unless | |
192 | explicitly stated otherwise. | |
193 | ||
194 | <p>Advanced configuration with specific selection of ciphers and similar settings | |
195 | should still work, but needs the GnuTLS <em>Priority Strings</em> instead of | |
196 | the OpenSSL options when using GnuTLS. | |
3cd71470 AJ |
197 | See <url url="https://www.gnutls.org/manual/gnutls.html#Priority-Strings" name="GnuTLS manual"> |
198 | for more details. | |
7b84ebcc AJ |
199 | |
200 | ||
f1dfef29 | 201 | <sect1>ESI Custom Parser removal |
202 | <p>The Squid custom ESI (Edge Side Includes) parser has been removed in favour | |
203 | of better supported and maintained third-party libraries. At least one of libxml2 | |
204 | or libexpat is now mandatory to build support for the ESI response processor. | |
205 | ||
206 | ||
4d0832d7 AJ |
207 | <sect>Changes to squid.conf since Squid-3.5 |
208 | <p> | |
209 | There have been changes to Squid's configuration file since Squid-3.5. | |
210 | ||
211 | This section gives a thorough account of those changes in three categories: | |
212 | ||
213 | <itemize> | |
214 | <item><ref id="newtags" name="New tags"> | |
215 | <item><ref id="modifiedtags" name="Changes to existing tags"> | |
216 | <item><ref id="removedtags" name="Removed tags"> | |
217 | </itemize> | |
218 | <p> | |
219 | ||
220 | <sect1>New tags<label id="newtags"> | |
221 | <p> | |
222 | <descrip> | |
fbf7b67f AJ |
223 | <tag>collapsed_forwarding_shared_entries_limit</tag> |
224 | <p>New directive to limit the size of a table used for sharing information | |
225 | about collapsible entries among SMP workers. | |
226 | ||
66f92ffc AJ |
227 | <tag>force_request_body_continuation</tag> |
228 | <p>New directive to control Squid behaviour on the client connection when | |
229 | receiving an HTTP request with an Expect:100-continue header. | |
230 | ||
6f518cf0 S |
231 | <tag>hopeless_kid_revival_delay</tag> |
232 | <p>New directive to set a cool-down delay reviving a child process if | |
233 | the process is encountering frequent deaths. | |
234 | ||
0d8b2d16 AJ |
235 | <tag>on_unsupported_protocol</tag> |
236 | <p>New directive to set the action performed when encountering strange | |
237 | protocol requests at the beginning of an accepted TCP connection. | |
238 | ||
66f92ffc AJ |
239 | <tag>pconn_lifetime</tag> |
240 | <p>New directive to limit the lifetime of persistent connections. | |
241 | ||
cde8f31b NH |
242 | <tag>reply_header_add</tag> |
243 | <p>New directive to add header fields to outgoing HTTP responses to | |
244 | the client. | |
245 | ||
0d8b2d16 AJ |
246 | <tag>request_start_timeout</tag> |
247 | <p>New directive controlling how long Squid waits for the first request | |
248 | bytes to arrive after initial connection establishment by a client. | |
249 | ||
fbf7b67f AJ |
250 | <tag>server_pconn_for_nonretriable</tag> |
251 | <p>New directive to provide fine-grained control over persistent connection | |
252 | reuse when forwarding HTTP requests that Squid cannot retry. It is useful | |
253 | in environments where opening new connections is very expensive | |
254 | and race conditions associated with persistent connections are very rare | |
255 | and/or only cause minor problems. | |
256 | ||
088d61c0 AJ |
257 | <tag>shared_memory_locking</tag> |
258 | <p>New directive to ensure shared memory is all available immediately | |
259 | on startup. Protects against SIGBUS errors, but delays startup. | |
260 | ||
7e62a74f | 261 | <tag>tls_outgoing_options</tag> |
0461fde7 | 262 | <p>New directive to define TLS security context options for outgoing |
7e62a74f | 263 | connections. For example to HTTPS servers. |
4d0832d7 | 264 | |
ff5d59eb | 265 | <tag>url_rewrite_timeout</tag> |
3cd71470 | 266 | <p>Squid times active requests to redirector. This directive sets |
ff5d59eb AJ |
267 | the timeout value and the Squid reaction to a timed out |
268 | request. | |
269 | ||
4d0832d7 AJ |
270 | </descrip> |
271 | ||
272 | <sect1>Changes to existing tags<label id="modifiedtags"> | |
273 | <p> | |
274 | <descrip> | |
da6dbcd1 EB |
275 | <tag>access_log</tag> |
276 | <p>TCP accept(2) errors logged with URI <em>error:accept-client-connection</em>. | |
277 | <p>Unused connections received in <em>http_port</em> or <em>https_port</em> | |
3cd71470 | 278 | or transactions terminated before reading[parsing] request headers are |
da6dbcd1 | 279 | logged with URI <em>error:transaction-end-before-headers</em>. |
66f92ffc AJ |
280 | <p>New option <em>rotate=</em> to control the number of log file rotations |
281 | to make when <em>-k rotate</em> command is received. Default is to | |
282 | obey the <em>logfile_rotate</em> directive. | |
b3cc78d3 AJ |
283 | <p>Extend <em>buffer-size=</em> support to UDP logging. Prior to Squid-4.7 |
284 | log entries would be buffered up to 1400 bytes before sending to UDP logger. | |
285 | This option may now set smaller buffers, but not larger than 1400 bytes. | |
da6dbcd1 | 286 | |
0461fde7 AJ |
287 | <tag>acl</tag> |
288 | <p>New <em>-m</em> flag for <em>note</em> ACL to match substrings. | |
6f405e99 AJ |
289 | <p>New <em>client_connection_mark</em> type for matching Netfilter |
290 | CONNMARK of the client TCP connection. | |
57542821 AJ |
291 | <p>New <em>connections_encrypted</em> type for matching transactions |
292 | where all HTTP messages were received over TLS transport connections, | |
293 | including messages received from ICAP servers. | |
ef396425 AJ |
294 | <p>New <em>has</em> type for matching whether or not Squid is able to provide |
295 | certain sets of transaction state. For example HTTP reply headers. | |
b008ed2e AJ |
296 | <p>New <em>transaction_initiator</em> type for detecting various |
297 | unusual transactions. | |
298 | <p>New <em>--consensus</em>, <em>--client-requested</em> and | |
299 | <em>--server-provided</em> flags for the <em>ssl::server_name</em> | |
300 | type to control which server name to match against. | |
b339d00c | 301 | <p>Added <em>::/128</em> IPv6 range to <em>to_localhost</em> ACL. |
0461fde7 | 302 | |
9a258777 AJ |
303 | <tag>auth_param</tag> |
304 | <p>New parameter <em>queue-size=</em> to set the maximum number | |
305 | of queued requests. | |
6082a0e2 EB |
306 | <p>New parameter <em>on-persistent-overload=</em> to set the action taken |
307 | when the helper queue is overloaded. | |
9a258777 AJ |
308 | |
309 | <tag>cache_peer</tag> | |
9825b398 AJ |
310 | <p>New option <em>auth-no-keytab</em> to let GSSAPI implementation determine |
311 | which Kerberos credentials to use, instead of specifying a keytab. | |
0ff7e52d AJ |
312 | <p>Replaced option <em>ssl</em> with <em>tls</em>. Use of any |
313 | <em>tls-</em> prefixed options implies <em>tls</em> is enabled. | |
1cc44095 | 314 | <p>New option <em>tls-min-version=1.N</em> to set minimum TLS version allowed. |
435c72b0 | 315 | <p>New option <em>tls-default-ca</em> replaces <em>sslflags=NO_DEFAULT_CA</em> |
b05d749d | 316 | <p>New option <em>tls-no-npn</em> to disable sending TLS NPN extension. |
b339d00c | 317 | <p>New <em>tls-options=</em> option value to disable TLS/1.3. |
0e5c14da AJ |
318 | <p>All <em>ssloptions=</em> values for SSLv2 configuration or disabling |
319 | have been removed. | |
320 | <p>Removed <em>sslversion=</em> option. Use <em>tls-options=</em> instead. | |
9a258777 | 321 | <p>Manual squid.conf update may be required on upgrade. |
0ff7e52d AJ |
322 | <p>Replaced option <em>sslcafile=</em> with <em>tls-cafile=</em> |
323 | which takes multiple entries. | |
9a258777 | 324 | |
66f92ffc AJ |
325 | <tag>deny_info</tag> |
326 | <p>New format macro <em>%O</em> to expand the <em>message=</em> value supplied | |
327 | by external ACL helpers. | |
328 | ||
329 | <tag>ecap_service</tag> | |
330 | <p>New <em>connection-encryption=</em> option to determine ICAP service | |
331 | effect on <em>connections_encrypted</em> ACL. | |
332 | ||
f1dfef29 | 333 | <tag>esi_parser</tag> |
334 | <p>Removed <em>custom</em> parser option. | |
335 | <p>Changed default to auto-detect available parsers instead of <em>custom</em>. | |
336 | ||
183b876f | 337 | <tag>external_acl_type</tag> |
9a258777 AJ |
338 | <p>New parameter <em>queue-size=</em> to set the maximum number |
339 | of queued requests. | |
6082a0e2 EB |
340 | <p>New parameter <em>on-persistent-overload=</em> to set the action taken |
341 | when the helper queue is overloaded. | |
1243ec71 | 342 | <p>Format field updated to accept any logformat %macro code. |
2fb65892 AJ |
343 | <p>The optional <em>acl-value</em> fields in this helper input now expand |
344 | to a dash ('-') if the %DATA macro is not specified explicitly. | |
9a258777 AJ |
345 | |
346 | <tag>http_port</tag> | |
0e5c14da | 347 | <p>New option <em>tls-min-version=1.N</em> to set minimum TLS version allowed. |
e8cc1c9c AJ |
348 | <p>New option <em>tls-default-ca</em> replaces <em>sslflags=NO_DEFAULT_CA</em>, |
349 | the default is also changed to OFF. | |
b05d749d | 350 | <p>New option <em>tls-no-npn</em> to disable sending TLS NPN extension. |
b339d00c | 351 | <p>New <em>tls-options=</em> option value to disable TLS/1.3. |
0e5c14da AJ |
352 | <p>All <em>option=</em> values for SSLv2 configuration or disabling |
353 | have been removed. | |
354 | <p>Removed <em>version=</em> option. Use <em>tls-options=</em> instead. | |
9a258777 | 355 | <p>Manual squid.conf update may be required on upgrade. |
b0769ee3 | 356 | <p>Replaced <em>cafile=</em> with <em>tls-cafile=</em> which takes multiple entries. |
b1f62fc6 | 357 | <p>Changed default value of <em>generate-host-certificates</em> to ON. |
9a258777 AJ |
358 | |
359 | <tag>https_port</tag> | |
0e5c14da | 360 | <p>New option <em>tls-min-version=1.N</em> to set minimum TLS version allowed. |
435c72b0 AJ |
361 | <p>New option <em>tls-default-ca</em> replaces <em>sslflags=NO_DEFAULT_CA</em>, |
362 | the default is also changed to OFF. | |
b05d749d | 363 | <p>New option <em>tls-no-npn</em> to disable sending TLS NPN extension. |
b339d00c | 364 | <p>New <em>tls-options=</em> option value to disable TLS/1.3. |
1cc44095 | 365 | <p>All <em>options=</em> values for SSLv2 |
9a258777 | 366 | configuration or disabling have been removed. |
0e5c14da | 367 | <p>Removed <em>version=</em> option. Use <em>tls-options=</em> instead. |
9a258777 | 368 | <p>Manual squid.conf update may be required on upgrade. |
b0769ee3 | 369 | <p>Replaced <em>cafile=</em> with <em>tls-cafile=</em> which takes multiple entries. |
b1f62fc6 | 370 | <p>Changed default value of <em>generate-host-certificates</em> to ON. |
9a258777 | 371 | |
4dd2c9d6 AJ |
372 | <tag>icap_service</tag> |
373 | <p>New scheme <em>icaps://</em> to enable TLS/SSL connections to Secure ICAP | |
374 | servers on port 11344. | |
66f92ffc AJ |
375 | <p>New <em>connection-encryption=</em> option to determine ICAP service |
376 | effect on <em>connections_encrypted</em> ACL. | |
4dd2c9d6 AJ |
377 | <p>New <em>tls-cert=</em> option to set TLS client certificate to use. |
378 | <p>New <em>tls-key=</em> option to set TLS private key matching the client | |
379 | certificate used. | |
380 | <p>New <em>tls-min-version=1.N</em> option to set minimum TLS version allowed | |
381 | on server connections. | |
382 | <p>New <em>tls-options=</em> option to set OpenSSL library parameters. | |
b339d00c | 383 | <p>New <em>tls-options=</em> option value to disable TLS/1.3. |
4dd2c9d6 AJ |
384 | <p>New <em>tls-flags=</em> option to set flags modifying Squid TLS operations. |
385 | <p>New <em>tls-cipher=</em> option to set a list of ciphers permitted. | |
386 | <p>New <em>tls-cafile=</em> option to set a file with additional CA | |
387 | certificate(s) to verify the server certificate. | |
66f92ffc AJ |
388 | <p>New <em>tls-capath=</em> option to set a directory with additional CA |
389 | certificate(s) to verify the server certificate. | |
4dd2c9d6 AJ |
390 | <p>New <em>tls-crlfile=</em> option to set a file with a CRL to verify the |
391 | server certificate. | |
435c72b0 AJ |
392 | <p>New <em>tls-default-ca</em> option to use the system Trusted CAs to |
393 | verify the server certificate. | |
4dd2c9d6 | 394 | <p>New <em>tls-domain=</em> option to verify the server certificate domain. |
5ea861f5 | 395 | <p>Squid-4.16 improved support for hostnames in ICAP service URLs. |
4dd2c9d6 | 396 | |
b5391492 AJ |
397 | <tag>logfile_daemon</tag> |
398 | <p>Now only requires that helper binary exists when daemon: log module | |
399 | is actually being used. | |
400 | ||
c28b9a0e | 401 | <tag>logformat</tag> |
66f92ffc AJ |
402 | <p>New quoting modifier to produce <em>\-escaped</em> output. |
403 | <p>New code <em>%ssl::<cert_errors</em> to display server X.509 | |
0461fde7 | 404 | certificate errors. |
66f92ffc AJ |
405 | <p>New code <em>%ssl::<cert_issuer</em> to display Issuer field of |
406 | the received server X.509 certificate. | |
407 | <p>New code <em>%ssl::<cert_subject</em> to display Subject field of | |
408 | the received server X.509 certificate. | |
0461fde7 AJ |
409 | <p>New code <em>%ssl::>negotiated_version</em> to display |
410 | negotiated TLS version of the client connection. | |
411 | <p>New code <em>%ssl::<negotiated_version</em> to display | |
412 | negotiated TLS version of the last server or peer connection. | |
413 | <p>New code <em>%ssl::>received_hello_version</em> to display the | |
414 | TLS version of the Hello message received from TLS client. | |
415 | <p>New code <em>%ssl::<received_hello_version</em> to display the | |
416 | TLS version of the Hello message received from TLS server. | |
417 | <p>New code <em>%ssl::>received_supported_version</em> to display | |
418 | the maximum TLS version supported by the TLS client. | |
419 | <p>New code <em>%ssl::<received_supported_version</em> to display | |
420 | the maximum TLS version supported by the TLS server. | |
421 | <p>New code <em>%ssl::>negotiated_cipher</em> to display the | |
422 | negotiated cipher of the client connection. | |
423 | <p>New code <em>%ssl::<negotiated_cipher</em> to display the | |
424 | negotiated cipher of the last server or peer connection. | |
6f405e99 AJ |
425 | <p>New code <em>%>handshake</em> to display initial octets |
426 | received on a client connection (Base64 encoded). | |
f1dfef29 | 427 | <p>Fixed <em>%<Hs</em>, <em>%<pt</em> and <em>%<tt</em> |
428 | codes for received CONNECT errors. | |
429 | <p>Improved <em>%<bs</em> logging on forwarding retries. | |
430 | <p>Improved <em>%<Hs</em>, <em>%<pt</em>, <em>%<tt</em>, | |
431 | <em>%<bs</em> logging on SslBump errors. | |
c28b9a0e AJ |
432 | |
433 | <tag>pid_filename</tag> | |
434 | <p>Default value now based on squid -n command line parameter. | |
66f92ffc AJ |
435 | <p>This directive is no longer mandatory to edit for |
436 | multi-instance/tenant Squid installations. | |
c28b9a0e | 437 | |
064679ea | 438 | <tag>refresh_pattern</tag> |
1377f2b1 AJ |
439 | <p>Removed option <em>ignore-auth</em>. Its commonly desired behaviour |
440 | is performed by default with correct HTTP/1.1 revalidation. | |
66f92ffc AJ |
441 | <p>Removed option <em>ignore-must-revalidate</em>. Other more HTTP compliant |
442 | directives (<em>cache</em>, <em>store_miss</em>) can be used to prevent | |
443 | objects from caching. | |
064679ea | 444 | |
9a258777 AJ |
445 | <tag>sslcrtd_children</tag> |
446 | <p>New parameter <em>queue-size=</em> to set the maximum number | |
447 | of queued requests. | |
6082a0e2 EB |
448 | <p>New parameter <em>on-persistent-overload=</em> to set the action taken |
449 | when the helper queue is overloaded. | |
9a258777 AJ |
450 | |
451 | <tag>sslcrtvalidator_children</tag> | |
452 | <p>New parameter <em>queue-size=</em> to set the maximum number | |
453 | of queued requests. | |
6082a0e2 EB |
454 | <p>New parameter <em>on-persistent-overload=</em> to set the action taken |
455 | when the helper queue is overloaded. | |
456 | ||
457 | <tag>store_id_children</tag> | |
458 | <p>New parameter <em>queue-size=</em> to set the maximum number | |
459 | of queued requests. | |
460 | <p>New parameter <em>on-persistent-overload=</em> to set the action taken | |
461 | when the helper queue is overloaded. | |
6825b101 | 462 | |
183b876f | 463 | <tag>url_rewrite_children</tag> |
9a258777 AJ |
464 | <p>New parameter <em>queue-size=</em> to set the maximum number |
465 | of queued requests. | |
6082a0e2 EB |
466 | <p>New parameter <em>on-persistent-overload=</em> to set the action taken |
467 | when the helper queue is overloaded. | |
4d0832d7 AJ |
468 | |
469 | </descrip> | |
470 | ||
471 | <sect1>Removed tags<label id="removedtags"> | |
472 | <p> | |
473 | <descrip> | |
f1a5d071 AJ |
474 | <tag>cache_peer_domain</tag> |
475 | <p>Superceded by <em>cache_peer_access</em>. Use dstdomain ACL | |
476 | in the access control list to restrict domains requested. | |
477 | ||
6eb545bc AJ |
478 | <tag>ie_refresh</tag> |
479 | <p>Removed. MSIE 3.x, 4.x, 5.0 and 5.01 are no longer popular browsers. | |
480 | ||
7e62a74f AJ |
481 | <tag>sslproxy_cafile</tag> |
482 | <p>Replaced by <em>tls_outgoing_options cafile=</em>. | |
b0769ee3 | 483 | Which now takes multiple entries. |
7e62a74f AJ |
484 | |
485 | <tag>sslproxy_capath</tag> | |
486 | <p>Replaced by <em>tls_outgoing_options capath=</em>. | |
487 | ||
488 | <tag>sslproxy_cipher</tag> | |
489 | <p>Replaced by <em>tls_outgoing_options cipher=</em>. | |
490 | ||
491 | <tag>sslproxy_client_certificate</tag> | |
492 | <p>Replaced by <em>tls_outgoing_options cert=</em>. | |
493 | ||
494 | <tag>sslproxy_client_key</tag> | |
495 | <p>Replaced by <em>tls_outgoing_options key=</em>. | |
496 | ||
497 | <tag>sslproxy_flags</tag> | |
498 | <p>Replaced by <em>tls_outgoing_options flags=</em>. | |
499 | ||
500 | <tag>sslproxy_options</tag> | |
501 | <p>Replaced by <em>tls_outgoing_options options=</em>. | |
1cc44095 AJ |
502 | <p>All values for SSLv2 configuration or disabling have been removed. |
503 | <p>Manual squid.conf update may be required on upgrade. | |
7e62a74f AJ |
504 | |
505 | <tag>sslproxy_version</tag> | |
1cc44095 AJ |
506 | <p>Replaced by <em>tls_outgoing_options options=</em>. |
507 | <p>All values for SSLv2 configuration or disabling have been removed. | |
508 | <p>Manual squid.conf update may be required on upgrade. | |
4d0832d7 AJ |
509 | |
510 | </descrip> | |
511 | ||
512 | ||
513 | <sect>Changes to ./configure options since Squid-3.5 | |
514 | <p> | |
515 | There have been some changes to Squid's build configuration since Squid-3.5. | |
516 | ||
517 | This section gives an account of those changes in three categories: | |
518 | ||
519 | <itemize> | |
520 | <item><ref id="newoptions" name="New options"> | |
521 | <item><ref id="modifiedoptions" name="Changes to existing options"> | |
522 | <item><ref id="removedoptions" name="Removed options"> | |
523 | </itemize> | |
524 | ||
525 | ||
526 | <sect1>New options<label id="newoptions"> | |
527 | <p> | |
528 | <descrip> | |
cb0b3d63 AJ |
529 | <tag>--enable-security-cert-generators</tag> |
530 | <p>New option to control which TLS/SSL dynamic certificate generator | |
531 | helpers are built and installed. | |
c5e641b4 | 532 | <p>Helper <em>ssl_crtd</em> has been renamed to <em>security_file_certgen</em> |
cb0b3d63 AJ |
533 | and built with module name <em>file</em>. Requires <em>--with-openssl</em>. |
534 | ||
8732ea9d | 535 | <tag>--enable-security-cert-validators</tag> |
cb0b3d63 | 536 | <p>New option to control which TLS/SSL certificate validation |
40063c71 AJ |
537 | helpers are built and installed. |
538 | <p>One <em>fake</em> helper that does not actually perform any | |
539 | certificate checks is provided for testing and as an example | |
540 | for writing custom helpers. | |
4d0832d7 | 541 | |
d93bf055 AJ |
542 | <tag>--without-cppunit</tag> |
543 | <p>The cppunit testing framework is auto-detected and used when available. | |
544 | This option can be used to disable it explicitly. | |
545 | ||
51f07c98 AJ |
546 | <tag>--without-systemd</tag> |
547 | <p>SystemD init environment features are auto-detected and used when available. | |
548 | This option can be used to disable systemd features explicitly. | |
549 | ||
4d0832d7 AJ |
550 | </descrip> |
551 | ||
552 | <sect1>Changes to existing options<label id="modifiedoptions"> | |
553 | <p> | |
554 | <descrip> | |
700e2961 AJ |
555 | <tag>--enable-auth-basic</tag> |
556 | <p>The <em>MSNT-multi-domain</em> helper has been removed. | |
8d06d869 AJ |
557 | <p>The SMB LanMan helper <em>SMB_LM</em> is no longer built by default. |
558 | It needs to be explicitly listed to be built. | |
4d0832d7 | 559 | |
b817c20f AJ |
560 | <tag>--enable-auth-ntlm</tag> |
561 | <p>The SMB LanMan helper is now built using <em>SMB_LM</em> | |
562 | (was lower case <em>smb_lm</em>). | |
8d06d869 AJ |
563 | <p>The SMB LanMan helper <em>SMB_LM</em> is no longer built by default. |
564 | It needs to be explicitly listed to be built. | |
b817c20f | 565 | |
4dd2c9d6 AJ |
566 | <tag>--enable-diskio</tag> |
567 | <p>Auto-detection of SMP related modules has been fixed to | |
568 | actually auto-detect them without configuring the module | |
569 | list manually. | |
570 | ||
f1dfef29 | 571 | <tag>--enable-esi</tag> |
572 | <p>Custom ESI parser has been removed. | |
573 | Libxml2 or libexpat is now required to enable ESI processing. | |
574 | ||
4d0832d7 AJ |
575 | </descrip> |
576 | </p> | |
577 | ||
578 | <sect1>Removed options<label id="removedoptions"> | |
579 | <p> | |
580 | <descrip> | |
d93bf055 AJ |
581 | <tag>--with-cppunit-basedir</tag> |
582 | <p>Replaced by <em>--with-cppunit=PATH</em>. | |
583 | Please prefer the default auto-detection though. | |
4d0832d7 | 584 | |
7566fb7e AJ |
585 | <tag>XSTD_USE_LIBLTDL</tag> |
586 | <p>Removed. Use <em>--with-included-ltdl</em> instead. | |
4d0832d7 AJ |
587 | </descrip> |
588 | ||
589 | ||
590 | <sect>Regressions since Squid-2.7 | |
591 | ||
183b876f | 592 | <p>Some squid.conf options which were available in Squid-2.7 are not yet available in Squid-4 |
4d0832d7 AJ |
593 | |
594 | <p>If you need something to do then porting one of these from Squid-2 to Squid-3 is most welcome. | |
595 | ||
596 | <sect1>Missing squid.conf options available in Squid-2.7 | |
597 | <p> | |
598 | <descrip> | |
599 | <tag>broken_vary_encoding</tag> | |
600 | <p>Not yet ported from 2.6 | |
601 | ||
602 | <tag>cache_peer</tag> | |
603 | <p><em>monitorinterval=</em> not yet ported from 2.6 | |
604 | <p><em>monitorsize=</em> not yet ported from 2.6 | |
605 | <p><em>monitortimeout=</em> not yet ported from 2.6 | |
606 | <p><em>monitorurl=</em> not yet ported from 2.6 | |
607 | ||
608 | <tag>cache_vary</tag> | |
609 | <p>Not yet ported from 2.6 | |
610 | ||
611 | <tag>error_map</tag> | |
612 | <p>Not yet ported from 2.6 | |
613 | ||
614 | <tag>external_refresh_check</tag> | |
615 | <p>Not yet ported from 2.7 | |
616 | ||
617 | <tag>location_rewrite_access</tag> | |
618 | <p>Not yet ported from 2.6 | |
619 | ||
620 | <tag>location_rewrite_children</tag> | |
621 | <p>Not yet ported from 2.6 | |
622 | ||
623 | <tag>location_rewrite_concurrency</tag> | |
624 | <p>Not yet ported from 2.6 | |
625 | ||
626 | <tag>location_rewrite_program</tag> | |
627 | <p>Not yet ported from 2.6 | |
628 | ||
629 | <tag>refresh_pattern</tag> | |
630 | <p><em>stale-while-revalidate=</em> not yet ported from 2.7 | |
631 | <p><em>ignore-stale-while-revalidate=</em> not yet ported from 2.7 | |
632 | <p><em>negative-ttl=</em> not yet ported from 2.7 | |
633 | ||
634 | <tag>refresh_stale_hit</tag> | |
635 | <p>Not yet ported from 2.7 | |
636 | ||
637 | <tag>update_headers</tag> | |
638 | <p>Not yet ported from 2.7 | |
639 | ||
640 | </descrip> | |
641 | ||
6a9396a7 AJ |
642 | <sect>Copyright |
643 | <p> | |
b8ae064d | 644 | Copyright (C) 1996-2023 The Squid Software Foundation and contributors |
6a9396a7 AJ |
645 | <p> |
646 | Squid software is distributed under GPLv2+ license and includes | |
647 | contributions from numerous individuals and organizations. | |
648 | Please see the COPYING and CONTRIBUTORS files for details. | |
649 | ||
4d0832d7 | 650 | </article> |