Commit | Line | Data |
---|---|---|
aee44ee6 AJ |
1 | <!doctype linuxdoc system> |
2 | <article> | |
3 | <title>Squid 5.0.0 release notes</title> | |
4 | <author>Squid Developers</author> | |
5 | ||
6 | <abstract> | |
518c7430 | 7 | This document contains the release notes for version 5 of Squid. |
aee44ee6 AJ |
8 | Squid is a WWW Cache application developed by the National Laboratory |
9 | for Applied Network Research and members of the Web Caching community. | |
10 | </abstract> | |
11 | ||
12 | <toc> | |
13 | ||
14 | <sect>Notice | |
15 | <p>The Squid Team are pleased to announce the release of Squid-5.0.0 for testing. | |
16 | ||
17 | This new release is available for download from <url url="http://www.squid-cache.org/Versions/v5/"> or the | |
18 | <url url="http://www.squid-cache.org/Download/http-mirrors.html" name="mirrors">. | |
19 | ||
20 | <p>While this release is not deemed ready for production use, we believe it is ready for wider testing by the community. | |
21 | ||
22 | <p>We welcome feedback and bug reports. If you find a bug, please see <url url="http://wiki.squid-cache.org/SquidFaq/BugReporting"> | |
23 | for how to submit a report with a stack trace. | |
24 | ||
25 | <sect1>Known issues | |
26 | <p>Although this release is deemed good enough for use in many setups, please note the existence of | |
27 | <url url="http://bugs.squid-cache.org/buglist.cgi?query_format=advanced&product=Squid&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&version=5" name="open bugs against Squid-5">. | |
28 | ||
29 | <sect1>Changes since earlier releases of Squid-5 | |
30 | <p> | |
d6d360e9 | 31 | The Squid-5 change history can be <url url="http://www.squid-cache.org/Versions/v5/changesets/" name="viewed here">. |
aee44ee6 AJ |
32 | |
33 | ||
34 | <sect>Major new features since Squid-4 | |
35 | <p>Squid-5 represents a new feature release above Squid-4. | |
36 | ||
37 | <p>The most important of these new features are: | |
38 | <itemize> | |
565b91d8 | 39 | <item>ICAP Trailers |
7701d1a0 AJ |
40 | <item>Happy Eyeballs Update |
41 | <item>Kerberos Group Helper | |
42 | <item>TrivialDB Support | |
aee44ee6 AJ |
43 | </itemize> |
44 | ||
45 | Most user-facing changes are reflected in squid.conf (see below). | |
46 | ||
47 | ||
565b91d8 AJ |
48 | <sect1>ICAP Trailers |
49 | <p>Details in <url url="https://datatracker.ietf.org/doc/draft-rousskov-icap-trailers/" name="Draft: ICAP Trailers"> | |
aee44ee6 | 50 | |
565b91d8 AJ |
51 | <p>The <em>Trailers</em> feature from HTTP is being proposed for addition to ICAP, |
52 | with some modifications. | |
aee44ee6 | 53 | |
565b91d8 AJ |
54 | <p>This implementation complies with version -01 of that draft: |
55 | <itemize> | |
56 | <item>Announces ICAP Trailer support via the ICAP Allow request header field. | |
57 | <item>Parses the ICAP response trailer if and only if the ICAP server signals | |
58 | its presence by sending both Trailer header and Allow/trailers in the | |
59 | ICAP response. | |
60 | </itemize> | |
61 | ||
62 | <p>For now Squid logs and ignores all parsed ICAP header fields. | |
aee44ee6 AJ |
63 | |
64 | ||
7701d1a0 AJ |
65 | <sect1>Happy Eyeballs Update |
66 | ||
67 | <p>Squid now uses a received IP address as soon as it is needed for request | |
68 | forwarding instead of waiting for all of the potential forwarding | |
69 | destinations to be fully resolved (i.e. complete both IPv4 and IPv6 domain | |
70 | name resolution) before beginning to forward the request. | |
71 | ||
72 | <p>Instead of obeying <em>dns_v4_first</em> settings, IP family usage order is | |
73 | now primarily controlled by DNS response time: If a DNS AAAA response comes | |
74 | first while Squid is waiting for an IP address, then Squid will use the | |
75 | received IPv6 address(es) first. For previously cached IPs, Squid tries | |
76 | IPv6 addresses first. To control IP address families used by Squid, admins | |
77 | are expected to use firewalls, DNS recursive-resolver configuration, and/or | |
78 | <em>--disable-ipv6</em>. When planning your configuration changes, please | |
79 | keep in mind that the upcoming Happy Eyeballs improvements will favor | |
80 | faster TCP connection establishment, decreasing the impact of DNS | |
81 | resolution timing. | |
82 | ||
83 | <p>These Happy Eyeballs changes do not affect peer selection: Squid still does | |
84 | not move on to the next selected destination until all IP addresses for the | |
85 | previous destination have been received and tried. | |
86 | ||
87 | <p>The Cache Manager <em>mgr:ipcache</em> report no longer contains | |
59f09b18 AJ |
88 | "IPcache Entries In Use" but that info is now available as the |
89 | "cbdata ipcache_entry" row on the <em>mgr:mem</em> page. | |
7701d1a0 AJ |
90 | |
91 | ||
92 | <sect1>Kerberos Group Helper | |
93 | <p>This release adds a sample Kerberos group authentication external_acl helper | |
94 | called <em>ext_kerberos_sid_group_acl</em>. | |
95 | It uses <em>ldapsearch</em> from OpenLDAP to look up the name of an AD group SID. | |
96 | ||
97 | <p>This helper must be used with the <em>negotiate_kerberos_auth</em> helper in | |
98 | a Microsoft AD or Samba environment. | |
99 | ||
100 | <p>It reads from the standard input the domain username and a list of group SIDs | |
101 | and tries to match the group SIDs to the AD group SIDs. | |
102 | ||
103 | ||
104 | <sect1>TrivialDB Support | |
105 | <p>This release deprecates use of BerkeleyDB in favour of TrivialDB. | |
106 | ||
107 | <p>The BerkeleyDB library code has been moved under a copyright licence which | |
108 | causes problems for many OS distributors. The result of that is that most | |
109 | are no longer providing the latest security-supported libdb version. | |
110 | ||
111 | <p>TrivialDB by comparison has better OS support and security updates along | |
112 | with functionality differences that resolve some long-standing issues | |
113 | libdb suffered with parallel concurrent access to the database. | |
114 | ||
115 | <p>The <em>ext_session_acl</em> and <em>ext_time_quota_acl</em> helpers may | |
116 | now be built with either libdb or libtdb; libtdb is preferred if both are | |
117 | enabled or auto-detected at build time. Use the <em>--without-tdb</em> | |
118 | build option to retain BerkeleyDB support. | |
119 | ||
120 | <p>Please note that the database formats are not guaranteed to be identical. | |
121 | So when migrating, it is recommended to erase the database file(s) and use | |
122 | the helpers' functionality to rebuild them as needed. | |
123 | ||
124 | ||
aee44ee6 AJ |
125 | <sect>Changes to squid.conf since Squid-4 |
126 | <p> | |
127 | There have been changes to Squid's configuration file since Squid-4. | |
128 | ||
129 | This section gives a thorough account of those changes in three categories: | |
130 | ||
131 | <itemize> | |
132 | <item><ref id="newdirectives" name="New directives"> | |
133 | <item><ref id="modifieddirectives" name="Changes to existing directives"> | |
134 | <item><ref id="removeddirectives" name="Removed directives"> | |
135 | </itemize> | |
136 | <p> | |
137 | ||
138 | <sect1>New directives<label id="newdirectives"> | |
139 | <p> | |
140 | <descrip> | |
457c00d0 AJ |
141 | <tag>auth_schemes</tag> |
142 | <p>New access control to customize the presence and order of authentication | |
143 | schemes in Squid-generated HTTP 401 (Unauthorized) and 407 | |
144 | (Proxy Authentication Required) responses. | |
aee44ee6 | 145 | |
7701d1a0 AJ |
146 | <tag>collapsed_forwarding_access</tag> |
147 | <p>New access control to restrict collapsed forwarding to a subset of | |
148 | eligible HTTP, ICP and HTCP requests. | |
149 | ||
150 | <tag>mark_client_connection</tag> | |
151 | <p>New access control to apply a Netfilter CONNMARK value to a TCP client | |
152 | connection. | |
153 | ||
154 | <tag>mark_client_packet</tag> | |
155 | <p>New access control to apply a Netfilter MARK value to packets being | |
156 | transmitted on a client TCP connection. | |
157 | ||
158 | <tag>response_delay_pool</tag> | |
159 | <p>New access control to configure client response bandwidth limits. | |
160 | This feature is a port and update of the class 6 / Client Delay Pools | |
161 | feature planned for the abandoned <em>Squid-2.8</em> series. | |
162 | ||
163 | <tag>response_delay_pool_access</tag> | |
164 | <p>New access control to determine whether a specific named response | |
165 | delay pool is used for the HTTP transaction. | |
166 | ||
aee44ee6 AJ |
167 | </descrip> |
168 | ||
169 | <sect1>Changes to existing directives<label id="modifieddirectives"> | |
170 | <p> | |
171 | <descrip> | |
29503899 AJ |
172 | <tag>acl</tag> |
173 | <p>The <em>CONNECT</em> ACL definition is now built-in. | |
7701d1a0 AJ |
174 | <p>New <em>annotate_client</em> type to annotate a client TCP connection. |
175 | These annotations can be used by other ACLs, logs or helpers and | |
176 | persist until the client TCP connection is closed. | |
177 | <p>New <em>annotate_transaction</em> type to annotate an HTTP transaction. | |
178 | Annotations can be used by other ACLs or helpers and persist until | |
179 | logging of the HTTP transaction is completed. | |
180 | <p>Replaced <em>clientside_mark</em> with <em>client_connection_mark</em> | |
181 | type to match Netfilter CONNMARK of the client TCP connection. | |
182 | ||
183 | <tag>deny_info</tag> | |
184 | <p>New code <em>%A</em> to display the Squid listening IP address the client | |
185 | TCP connection was connected to. | |
186 | ||
187 | <tag>logformat</tag> | |
188 | <p>New <em>ssl::&lt;cert</em> macro code to display received server X.509 | |
189 | certificate in PEM format. | |
190 | <p>New <em>CF</em> value for <em>%Ss</em> code to indicate the response | |
191 | was handled by Collapsed Forwarding. | |
aee44ee6 AJ |
192 | |
193 | </descrip> | |
194 | ||
195 | <sect1>Removed directives<label id="removeddirectives"> | |
196 | <p> | |
197 | <descrip> | |
7701d1a0 AJ |
198 | <tag>clientside_mark</tag> |
199 | <p>Replaced by <em>mark_client_packet</em>. | |
200 | ||
201 | <tag>dns_v4_first</tag> | |
59f09b18 | 202 | <p>Removed. The new "Happy Eyeballs" algorithm uses received IP |
7701d1a0 AJ |
203 | addresses as soon as they are needed. |
204 | <p>Firewall rules prohibiting IPv6 TCP connections remain the preferred | |
205 | configuration method for 'disabling' IPv6 connectivity, with DNS | |
206 | recursive-resolver configuration also available. | |
aee44ee6 AJ |
207 | |
208 | </descrip> | |
209 | ||
210 | ||
211 | <sect>Changes to ./configure options since Squid-4 | |
212 | <p> | |
213 | There have been some changes to Squid's build configuration since Squid-4. | |
214 | ||
215 | This section gives an account of those changes in three categories: | |
216 | ||
217 | <itemize> | |
218 | <item><ref id="newoptions" name="New options"> | |
219 | <item><ref id="modifiedoptions" name="Changes to existing options"> | |
220 | <item><ref id="removedoptions" name="Removed options"> | |
221 | </itemize> | |
222 | ||
223 | ||
224 | <sect1>New options<label id="newoptions"> | |
225 | <p> | |
226 | <descrip> | |
acd207af AJ |
227 | <tag>--without-tdb</tag> |
228 | <p>New option to determine whether TrivialDB support is used, and | |
229 | build against local custom installs. | |
230 | <p>Samba TrivialDB is now the preferred database used by the | |
231 | <em>ext_session_acl</em> and <em>ext_time_quota_acl</em> helpers, | |
232 | deprecating use of BerkeleyDB. | |
aee44ee6 AJ |
233 | |
234 | </descrip> | |
235 | ||
236 | <sect1>Changes to existing options<label id="modifiedoptions"> | |
237 | <p> | |
238 | <descrip> | |
10185a38 AJ |
239 | <tag>--disable-optimizations</tag> |
240 | <p>No longer implies <em>--disable-inline</em> option (which is removed). | |
aee44ee6 AJ |
241 | |
242 | </descrip> | |
243 | </p> | |
244 | ||
245 | <sect1>Removed options<label id="removedoptions"> | |
246 | <p> | |
247 | <descrip> | |
10185a38 | 248 | <tag>--disable-inline</tag> |
7701d1a0 | 249 | <p>Removed. Use compiler flags instead if necessary. |
aee44ee6 | 250 | |
2414910d AJ |
251 | <tag>-DUSE_CHUNKEDMEMPOOLS=1</tag> |
252 | <p>Removed compiler flag. Use run-time environment variable <em>MEMPOOLS=1</em> | |
253 | to enable chunked memory pools instead. | |
254 | ||
aee44ee6 AJ |
255 | </descrip> |
256 | ||
257 | ||
258 | <sect>Regressions since Squid-2.7 | |
259 | ||
260 | <p>Some squid.conf options which were available in Squid-2.7 are not yet available in Squid-5. | |
261 | ||
262 | <p>If you need something to do then porting one of these from Squid-2 is most welcome. | |
263 | ||
264 | <sect1>Missing squid.conf options available in Squid-2.7 | |
265 | <p> | |
266 | <descrip> | |
267 | <tag>broken_vary_encoding</tag> | |
268 | <p>Not yet ported from 2.6 | |
269 | ||
270 | <tag>cache_peer</tag> | |
271 | <p><em>monitorinterval=</em> not yet ported from 2.6 | |
272 | <p><em>monitorsize=</em> not yet ported from 2.6 | |
273 | <p><em>monitortimeout=</em> not yet ported from 2.6 | |
274 | <p><em>monitorurl=</em> not yet ported from 2.6 | |
275 | ||
276 | <tag>cache_vary</tag> | |
277 | <p>Not yet ported from 2.6 | |
278 | ||
279 | <tag>error_map</tag> | |
280 | <p>Not yet ported from 2.6 | |
281 | ||
282 | <tag>external_refresh_check</tag> | |
283 | <p>Not yet ported from 2.7 | |
284 | ||
285 | <tag>location_rewrite_access</tag> | |
286 | <p>Not yet ported from 2.6 | |
287 | ||
288 | <tag>location_rewrite_children</tag> | |
289 | <p>Not yet ported from 2.6 | |
290 | ||
291 | <tag>location_rewrite_concurrency</tag> | |
292 | <p>Not yet ported from 2.6 | |
293 | ||
294 | <tag>location_rewrite_program</tag> | |
295 | <p>Not yet ported from 2.6 | |
296 | ||
297 | <tag>refresh_pattern</tag> | |
298 | <p><em>stale-while-revalidate=</em> not yet ported from 2.7 | |
299 | <p><em>ignore-stale-while-revalidate=</em> not yet ported from 2.7 | |
300 | <p><em>negative-ttl=</em> not yet ported from 2.7 | |
301 | ||
302 | <tag>refresh_stale_hit</tag> | |
303 | <p>Not yet ported from 2.7 | |
304 | ||
305 | <tag>update_headers</tag> | |
306 | <p>Not yet ported from 2.7 | |
307 | ||
308 | </descrip> | |
309 | ||
310 | <sect>Copyright | |
311 | <p> | |
77b1029d | 312 | Copyright (C) 1996-2020 The Squid Software Foundation and contributors |
aee44ee6 AJ |
313 | <p> |
314 | Squid software is distributed under GPLv2+ license and includes | |
315 | contributions from numerous individuals and organizations. | |
316 | Please see the COPYING and CONTRIBUTORS files for details. | |
317 | ||
318 | </article> |