+++ /dev/null
-<!doctype linuxdoc system>
-<article>
-<title>Squid 3.0.STABLE26 release notes</title>
-<author>Squid Developers</author>
-
-<abstract>
-This document contains the release notes for version 3.0 of Squid.
-Squid is a WWW Cache application developed by the National Laboratory
-for Applied Network Research and members of the Web Caching community.
-</abstract>
-
-<toc>
-
-<sect>Notice
-<p>
-The Squid Team are pleased to announce the release of Squid-3.0.STABLE26.
-
-This new release is available for download from <url url="http://www.squid-cache.org/Versions/v3/3.0/"> or the <url url="http://www.squid-cache.org/Download/http-mirrors.html" name="mirrors">.
-
-A large number of the show-stopper bugs have been fixed along with general improvements to the ICAP support and additional Languages.
-
-We welcome feedback and bug reports. If you find a bug, please see <url url="https://wiki.squid-cache.org/SquidFaq/BugReporting"> for how to submit a
-report with a stack trace.
-
-<sect>Known issues
-<p>
-Although this release is deemed good enough for use in many setups, please note the existence of <url url="https://bugs.squid-cache.org/buglist.cgi?query_format=advanced&short_desc_type=allwordssubstr&short_desc=&target_milestone=3.0&long_desc_type=allwordssubstr&long_desc=&bug_file_loc_type=allwordssubstr&bug_file_loc=&status_whiteboard_type=allwordssubstr&status_whiteboard=&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&emailtype1=substring&email1=&emailtype2=substring&email2=&bugidtype=include&bug_id=&votes=&chfieldfrom=&chfieldto=Now&chfieldvalue=&cmdtype=doit&order=bugs.bug_severity&field0-0-0=noop&type0-0-0=noop&value0-0-0=" name="open bugs against Squid-3.0">.
-
-<sect>Changes since earlier STABLE releases of Squid-3.0
-<p>
-The 3.0 change history can be <url url="http://www.squid-cache.org/Versions/v3/3.0/changesets/" name="viewed here">.
-
-<sect>Changes since Squid-2.6
-
-<sect1>Major new features
-<p>
-Squid 3.0 represents a major rewrite of Squid and has a number of new features.
-
-The most important of these are:
-
-<itemize>
- <item>Code converted to C++, with significant internal restructuring and rewrites.
- <item>ICAP implementation (RFC 3507 and www.icap-forum.org)
- <item>Edge Side Includes (ESI) implementation (www.esi.org)
-</itemize>
-
-Most user-facing changes are reflected in squid.conf (see below).
-
-<sect2>Internet Content Adaptation Protocol (ICAP)
-
-<p>Squid 3.0 supports ICAP/1.0. To enable ICAP support, use the --enable-icap-client ./configure option and icap_enable squid.conf option. You will also need to configure ICAP services in your squid.conf using icap_service, icap_class, and icap_access options. The following example instructs Squid to talk to two ICAP services, one for request and one for response adaptation:
-
-<verb>
-icap_enable on
-icap_service service_req reqmod_precache 1 icap://127.0.0.1:1344/request
-icap_service service_resp respmod_precache 0 icap://127.0.0.1:1344/response
-icap_class class_req service_req
-icap_class class_resp service_resp
-icap_access class_req allow all
-icap_access class_resp allow all
-</verb>
-
-<p>Please see squid.conf.default for more details about these and many other icap_* options.
-
-<p>Squid supports pre-cache request and pre-cache response vectoring points. The following ICAP features are supported: message preview, 204 responses outside of preview, request satisfaction, X-Transfer-* negotiation, persistent ICAP connections, client IP/credentials sharing, and optional bypass of certain service failures.
-
-<p>No more than one ICAP service can be applied to an HTTP message. In other words, chaining or load balancing multiple services is not yet supported.
-
-<p>Proxy-directed data trickling and patience pages are not supported yet.
-
-<p>Following ICAP requirements, Squid never performs HTTP message adaptation without a successful and fresh ICAP OPTIONS response on file. A REQMOD or RESPMOD request will not be sent to a configured ICAP service until Squid receives a valid OPTIONS response from that service. If a service malfunctions or goes down, Squid may stop talking to the service for a while. Several squid.conf options can be used to tune the failure bypass algorithm (e.g., icap_service_failure_limit and icap_service_revival_delay).
-
-<p>The bypass parameter of the icap_service squid.conf option determines whether Squid will try to bypass service failures. Most connectivity and preview-stage failures can be bypassed.
-
-<p>More information about ICAP can be found from the ICAP-forum website <url url="http://www.icap-forum.org">
-
-<sect2>Edge Side Includes (ESI)
-
-<p>ESI is an open specification of an markup language enabling reverse proxies
-to perform some simple XML based processing, offloading the final page assembly from the webserver and similar tasks.
-
-<p>More information about ESI can be found from the ESI website <url url="http://www.esi.org">
-
-<sect1>2.6 features not found in Squid-3.0
-<p>
-Some of the features found in Squid-2.6 is not available in Squid-3.
-Some have been dropped as they are not needed. Some have not yet been forward-ported to Squid-3 and may appear in a later release.
-
-<itemize>
- <item>refresh_stale_hit option. Not yet ported.
- <item>ability to follow X-Forwarded-For. Not yet ported.
- <item>Full caching of Vary/ETag using If-None-Match. Only basic Vary cache supported. Not yet ported.
- <item>Mapping of server error messages. Not yet ported.
- <item>http_access2 access directive. Not yet ported.
- <item>Location header rewrites. Not yet ported.
- <item>wais_relay. Feature dropped as it's equivalent to cache_peer + cache_peer_access.
- <item>urlgroup. Not yet ported.
- <item>collapsed forwarding. Not yet ported.
- <item>stable Windows support. Irregularly maintained.
-</itemize>
-
-<sect1>Logging changes
-<sect2>access.log
-<p>The TCP_REFRESH_HIT and TCP_REFRESH_MISS log types have been replaced because they were misleading (all refreshes need to query the origin server, so they could never be hits). The following log types have been introduced to replace them:
-
-<descrip>
- <tag>TCP_REFRESH_UNMODIFIED</tag>
- <p>The requested object was cached but STALE. The IMS query for the object resulted in "304 not modified".
- <tag>TCP_REFRESH_MODIFIED</tag>
- <p>The requested object was cached but STALE. The IMS query returned the new content.
-</descrip>
-<p>See <url url="http://www.squid-cache.org/Doc/FAQ/FAQ-6.html#ss6.7"> for a definition of all log types.
-
-
-<sect>Windows support
-<P>This Squid version can run on Windows as a system service using the Cygwin emulation environment,
-or can be compiled in Windows native mode using the MinGW + MSYS development environment. Windows NT 4 SP4 and later are supported.<newline>
-On Windows 2000 and later the service is configured to use the Windows Service Recovery option
-restarting automatically after 60 seconds.
-<descrip>
-
-<tag>Usage</tag>
-
-Some new command line options were added for the Windows service support:<newline>
-
-The service installation is made with -i command line switch, it's possible to use -f switch at
-the same time for specify a different config-file settings for the Squid Service that will be
-stored on the Windows Registry.
-
-A new -n switch specify the Windows Service Name, so multiple Squid instance are allowed.
-<em/"Squid"/ is the default when the switch is not used.
-
-So, to install the service, the syntax is:
-
-<verb>squid -i [-f file] [-n name]</verb>
-
-Service uninstallation is made with -r command line switch with the appropriate -n switch.
-
-The -k switch family must be used with the appropriate -f and -n switches, so the syntax is:
-
-<verb>squid -k command [-f file] -n service-name</verb>
-where <em/service-name/ is the name specified with -n options at service install time.
-
-To use the Squid original command line, the new -O switch must be used ONCE, the syntax is:
-
-<verb>squid -O cmdline [-n service-name]</verb>
-If multiple service command line options must be specified, use quote. The -n switch is
-needed only when a non default service name is in use.
-
-Don't use the "Start parameters" in the Windows 2000/XP/2003 Service applet: they are
-specific to Windows services functionality and Squid is not designed for understand they.
-
-In the following example the command line of the "squidsvc" Squid service is set to "-D -u 3130":
-
-<verb>squid -O "-D -u 3130" -n squidsvc</verb>
-</descrip>
-
-<descrip>
-<tag>PSAPI.DLL (Process Status Helper) Considerations</tag>
-
-The process status helper functions make it easier for you to obtain information about
-processes and device drivers running on Microsoft? Windows NT?/Windows? 2000. These
-functions are available in PSAPI.DLL, which is distributed in the Microsoft? Platform
-Software Development Kit (SDK). The same information is generally available through the
-performance data in the registry, but it is more difficult to get to it. PSAPI.DLL is
-freely redistributable.
-
-PSAPI.DLL is available only on Windows NT, 2000, XP and 2003. The implementation in Squid is
-aware of this, and try to use it only on the right platform.
-
-On Windows NT PSAPI.DLL can be found as component of many applications, if you need it,
-you can find it on Windows NT Resource KIT. If you have problem, it can be
-downloaded from here:
-<url url="http://download.microsoft.com/download/platformsdk/Redist/4.0.1371.1/NT4/EN-US/psinst.EXE" name="http://download.microsoft.com/download/platformsdk/Redist/4.0.1371.1/NT4/EN-US/psinst.EXE">
-
-On Windows 2000 and later it is available installing the Windows Support Tools, located on the
-Support\Tools folder of the installation Windows CD-ROM.
-</descrip>
-
-<descrip>
-<tag>Registry DNS lookup</tag>
-On Windows platforms, if no value is specified in the <em/dns_nameservers/ option on
-squid.conf or in the /etc/resolv.conf file, the list of DNS name servers are
-taken from the Windows registry, both static and dynamic DHCP configurations
-are supported.
-</descrip>
-
-<descrip>
-<tag>Compatibility Notes</tag>
-<itemize>
-<item>It's recommended to use '/' char in Squid paths instead of '\'
-<item>Paths with spaces (like 'C:\Programs Files\Squid) are NOT supported by Squid
-<item>When using ACL like 'acl aclname acltype "file"' the file must be in DOS text
-format (CR+LF) and the full Windows path must be specified, for example:
-
-<verb>acl blocklist url_regex -i "c:/squid/etc/blocked1.txt"</verb>
-
-<item>The Windows equivalent of '/dev/null' is 'NUL'
-<item>Squid doesn't know how to run external helpers based on scripts, like .bat, .cmd,
-.vbs, .pl, etc. So in squid.conf the interpreter path must be always specified, for example:
-
-<verb>redirect_program c:/perl/bin/perl.exe c:/squid/libexec/redir.pl
-redirect_program c:/winnt/system32/cmd.exe /C c:/squid/libexec/redir.cmd</verb>
-<item>When Squid runs in command line mode, the launching user account must have administrative privilege on the system
-<item>"Start parameters" in the Windows 2000/XP/2003 Service applet cannot be used
-<item>Building with MinGW, when the configure option --enable-truncate is used, Squid cannot run on Windows NT, only Windows 2000 and later are supported
-<item>On Windows Vista and later, User Account Control (UAC) must be disabled before running service installation
-</itemize>
-</descrip>
-
-<descrip>
-<tag>Known Limitations</tag>
-<itemize>
-<item>Squid features not operational:<newline>
-<itemize>
-<item>DISKD: still needs to be ported<newline>
-<item>WCCP: cannot work because user space GRE support on Windows is missing<newline>
-<item>Transparent Proxy: missing Windows non commercial interception driver<newline>
-</itemize>
-<item>Some code sections can make blocking calls.
-<item>Some external helpers may not work.
-<item>File Descriptors number hard-limited to 2048 when building with MinGW.
-</itemize>
-</descrip>
-
-<descrip>
-<tag>Building Squid on Windows</tag>
-A reasonably recent release of <url url="http://www.cygwin.com/" name="Cygwin"> or <url url="http://www.mingw.org/" name="MinGW"> is needed.<newline>
-The usage of the Cygwin environment is very similar to other Unix/Linux environments, and -devel version of libraries must be installed.<newline>
-For the MinGW environment, the packages MSYS, MinGW and msysDTK must be installed. Some additional libraries and tools must be downloaded separately:<newline><newline>
-OpenSSL: <url url="http://www.slproweb.com/products/Win32OpenSSL.html" name="Shining Light Productions Win32 OpenSSL"><newline>
-libcrypt: <url url="http://sourceforge.net/projects/mingwrep/" name="MinGW packages repository"><newline>
-db-1.85: <url url="http://tinycobol.org/download.html" name="TinyCOBOL download area"><newline>
-uudecode: <url url="http://unxutils.sourceforge.net/" name="Native Win32 ports of some GNU utilities"><newline><newline>
-When running configure, --disable-wccp and --disable-wccpv2 options should always specified to avoid compile errors.<newline>
-<itemize>
-<item>New configure options:<newline>
-<itemize>
-<item>--enable-win32-service<newline>
-</itemize>
-<item>Updated configure options:<newline>
-<itemize>
-<item>--enable-arp-acl<newline>
-<item>--enable-default-hostsfile<newline>
-</itemize>
-<item>Unsupported configure options:<newline>
-<itemize>
-<item>--enable-coss-aio-ops: On Windows Posix AIO is not available<newline>
-<item>--with-large-files: No suitable build environment is available on both Cygwin and MinGW, but --enable-large-cache-files works fine<newline>
-</itemize>
-<item>Recommended configure minimal options for Windows:<newline>
-<itemize>
-<item>--prefix=c:/squid --disable-wccp --disable-wccpv2 --enable-win32-service --enable-default-hostsfile=none
-</itemize>
-</itemize>
-<newline>
-Before build Squid with SSL support, some operations are needed (in the following example OpenSSL is installed in C:\OpenSSL and MinGW in C:\MinGW):
-<itemize>
-<item>Copy C:\OpenSSL\lib\MinGW content to C:\MinGW\lib<newline>
-<item>Copy C:\OpenSSL\include\openssl content to C:\MinGW\include\openssl<newline>
-<item>Rename C:\MinGW\lib\ssleay32.a to C:\MinGW\lib\libssleay32.a<newline>
-</itemize>
-
-</descrip>
-
-<descrip>
-<tag>Using cache manager on Windows:</tag>
-On Windows, cache manager (cachemgr.cgi) can be used with Microsoft IIS or Apache.<newline>
-Some specific configuration could be needed:<newline>
-<itemize>
-<item>IIS 6 (Windows 2003):<newline>
-<itemize>
-<item>On IIS 6.0 all CGI extensions are denied by default for security reason, so the following configuration is needed:<newline>
-<itemize>
-<item>Create a cgi-bin Directory
-<item>Define the cgi-bin IIS Virtual Directory with read and CGI execute IIS
-permissions, ASP scripts are not needed. This automatically defines a
-cgi-bin IIS web application
-<item>Copy cachemgr.cgi into cgi-bin directory and look to file permissions:
-the IIS system account and SYSTEM must be able to read and execute the file
-<item>In IIS manager go to Web Service extensions and add a new Web Service
-Extension called <em/"Squid Cachemgr"/, add the cachemgr.cgi file and set the
-extension status to <em/Allowed/
-</itemize>
-</itemize>
-<item>Apache:<newline>
-<itemize>
-<item>On Windows, cachemgr.cgi needs to create a temporary file, so Apache must be instructed
- to pass the TMP and TEMP Windows environment variables to CGI applications:<newline>
-<verb>
-ScriptAlias /squid/cgi-bin/ "c:/squid/libexec/"
-<Location /squid/cgi-bin/cachemgr.cgi>
- PassEnv TMP TEMP
- Order allow,deny
- Allow from workstation.example.com
-</Location>
-</verb>
-</itemize>
-</itemize>
-</descrip>
-
-
-
-<sect>Changes to squid.conf since Squid-2.6
-<p>There have been many changes to Squid's configuration file since Squid-2.6.
-
-<p>This section gives a detailed account of those changes in three categories:
-
-<itemize>
- <item><ref id="newtags" name="New tags">
- <item><ref id="modifiedtags" name="Changes to existing tags">
- <item><ref id="removedtags" name="Removed tags">
-</itemize>
-<p>
-
-<sect1>New tags<label id="newtags">
-<p>
-<descrip>
- <tag>minimum_icp_query_timeout (msec)</tag>
- <verb>
-Default: 5
-
-Normally the ICP query timeout is determined dynamically. But
-sometimes it can lead to very small timeouts, even lower than
-the normal latency variance on your link due to traffic.
-Use this option to put an lower limit on the dynamic timeout
-value. Do NOT use this option to always use a fixed (instead
-of a dynamic) timeout value. To set a fixed timeout see the
-'icp_query_timeout' directive.
- </verb>
-
- <tag>background_ping_rate</tag>
- <verb>
-Default: 10 seconds
-
-Controls how often the ICP pings are sent to siblings that
-have background-ping set.
- </verb>
-
- <tag>httpd_accel_surrogate_id</tag>
- <verb>
-Default: unset
-
-Surrogates (http://www.esi.org/architecture_spec_1.0.html)
-need an identification token to allow control targeting. Because
-a farm of surrogates may all perform the same tasks, they may share
-an identification token.
- </verb>
-
- <tag>http_accel_surrogate_remote on|off</tag>
- <verb>
-Default: off
-
-Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote.
-Set this to on to have squid behave as a remote surrogate.
- </verb>
-
- <tag>esi_parser libxml2|expat|custom</tag>
- <verb>
-Default: custom
-
-ESI markup is not strictly XML compatible. The custom ESI parser
-will give higher performance, but cannot handle non ASCII character
-encodings.
- </verb>
-
- <tag>email_err_data on|off</tag>
- <verb>
-Default: on
-
-If enabled, information about the occurred error will be
-included in the mailto links of the ERR pages (if %W is set)
-so that the email body contains the data.
-Syntax is <A HREF="mailto:%w%W">%w</A>
- </verb>
-
- <tag>refresh_all_ims on|off</tag>
- <verb>
-Default: off
-
-When you enable this option, squid will always check
-the origin server for an update when a client sends an
-If-Modified-Since request. Many browsers use IMS
-requests when the user requests a reload, and this
-ensures those clients receive the latest version.
-
-By default (off), squid may return a Not Modified response
-based on the age of the cached version.
- </verb>
- <tag>request_header_access</tag>
- <p>Replaces the header_access directive of Squid-2.6 and earlier, but applies to requests only.
- <tag>reply_header_access</tag>
- <p>Replaces the header_access directive of Squid-2.6 and earlier, but applies to replies only.
-
- <tag>icap_enable on|off</tag>
- <verb>
-Default: off
-
-If you want to enable the ICAP module support, set this to on.
- </verb>
- <tag>icap_preview_enable on|off</tag>
- <verb>
-Default: off
-
-Set this to 'on' if you want to enable the ICAP preview
-feature in Squid.
- </verb>
- <tag>icap_preview_size</tag>
- <verb>
-Default: -1
-
-The default size of preview data to be sent to the ICAP server.
--1 means no preview. This value might be overwritten on a per server
-basis by OPTIONS requests.
- </verb>
- <tag>icap_default_options_ttl (seconds)</tag>
- <verb>
-Default: 60
-
-The default TTL value for ICAP OPTIONS responses that don't have
-an Options-TTL header.
- </verb>
- <tag>icap_persistent_connections on|off</tag>
- <verb>
-Default: on
-
-Whether or not Squid should use persistent connections to
-an ICAP server.
- </verb>
- <tag>icap_send_client_ip on|off</tag>
- <verb>
-Default: off
-
-This adds the header "X-Client-IP" to ICAP requests.
- </verb>
- <tag>icap_send_client_username on|off</tag>
- <verb>
-Default: off
-
-This adds the header "X-Client-Username" to ICAP requests
-if proxy access is authentified.
- </verb>
- <tag>icap_service</tag>
- <verb>
-Default: none
-
-Defines a single ICAP service
-
-icap_service servicename vectoring_point bypass service_url
-
-vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
-This specifies at which point of request processing the ICAP
-service should be plugged in.
-bypass = 1|0
-If set to 1 and the ICAP server cannot be reached, the request will go
-through without being processed by an ICAP server
-service_url = icap://servername:port/service
-
-Note: reqmod_postcache and respmod_postcache is not yet implemented
-
-Example:
-icap_service service_1 reqmod_precache 0 icap://icap1.mydomain.net:1344/reqmod
-icap_service service_2 respmod_precache 0 icap://icap2.mydomain.net:1344/respmod
- </verb>
- <tag>icap_class</tag>
- <verb>
-Default: none
-
-Defines an ICAP service chain. If there are multiple services per
-vectoring point, they are processed in the specified order.
-
-icap_class classname servicename...
-
-Example:
-icap_class class_1 service_1 service_2
-icap class class_2 service_1 service_3
- </verb>
- <tag>icap_access</tag>
- <verb>
-Default: none
-
-Redirects a request through an ICAP service class, depending
-on given acls
-
-icap_access classname allow|deny [!]aclname...
-
-The icap_access statements are processed in the order they appear in
-this configuration file. If an access list matches, the processing stops.
-For an "allow" rule, the specified class is used for the request. A "deny"
-rule simply stops processing without using the class. You can also use the
-special classname "None".
-
-For backward compatibility, it is also possible to use services
-directly here.
-
-Example:
-icap_access class_1 allow all
- </verb>
-
- <tag>accept_filter</tag>
- <verb>
-The name of an accept(2) filter to install on Squid's
-listen socket(s). This feature is perhaps specific to
-FreeBSD and requires support in the kernel.
-
-The 'httpready' filter delays delivering new connections
-to Squid until a full HTTP request has been received.
-See the accf_http(9) man page.
- </verb>
-
- <tag>include</tag>
- <p>New option to import entire secondary configuration files into squid.conf.
- <verb>
- Squid will follow the files immediately and insert all their content
- as if it was at that position in squid.conf. As per squid.conf some
- options are order-specific within the config as a whole.
-
- A few layers of include are allowed, but too many are confusing and
- squid will enforce an include depth of 16 files.
-
- Syntax:
- include /path/to/file1 /path/to/file2
- </verb>
-
- <tag>acl myportname</tag>
- <p>New acl type myportname, matching the name of the http(s)_port where the request was accepted
- <verb>
- acl aclname myportname 3128 ... # http(s)_port name
- </verb>
-
- <tag>umask</tag>
- <p>Ported from 2.6. Behaviour identical.
- <verb>
- Minimum umask which should be enforced while the proxy
- is running, in addition to the umask set at startup.
-
- For a traditional octal representation of umasks, start
- your value with 0.
- </verb>
-
-</descrip>
-
-
-<sect1>Changes to existing tags<label id="modifiedtags">
-<p>
-<descrip>
- <tag>http_port</tag>
- <p>New options:
- <verb>
- disable-pmtu-discovery=
- Control Path-MTU discovery usage:
- off lets OS decide on what to do (default).
- transparent disable PMTU discovery when transparent support is enabled.
- always disable always PMTU discovery.
-
- In many setups of transparently intercepting proxies Path-MTU
- discovery can not work on traffic towards the clients. This is
- the case when the intercepting device does not fully track
- connections and fails to forward ICMP must fragment messages
- to the cache server. If you have such setup and experience that
- certain clients sporadically hang or never complete requests set
- disable-pmtu-discovery option to 'transparent'.
- </verb>
-
- <tag>cache_peer</tag>
- <p>New options:
- <verb>
- basetime=n
-
- background-ping
-
- weighted-round-robin
-
- use 'basetime=n' to specify a base amount to
- be subtracted from round trip times of parents.
- It is subtracted before division by weight in calculating
- which parent to fectch from. If the rtt is less than the
- base time the rtt is set to a minimal value.
-
- use 'background-ping' to only send ICP queries to this
- neighbor infrequently. This is used to keep the neighbor
- round trip time updated and is usually used in
- conjunction with weighted-round-robin.
-
- use 'weighted-round-robin' to define a set of parents
- which should be used in a round-robin fashion with the
- frequency of each parent being based on the round trip
- time. Closer parents are used more often.
- Usually used for background-ping parents.
- </verb>
-
- <tag>cache_dir</tag>
- <p>Common options <em>no-store</em>, replaces the older <em>read-only</em> option
-
- <tag>auth_param</tag>
- <p>NCSA authenticator updated in 3.0.STALE26 to alert if passwords with more
- than 8 characters are used with DES encryption method.
- <p>Removed Basic auth option
- <verb>
- blankpasswor, not yet ported to squid-3.
- auth_param basic concurrency 0
- </verb>
-
- <tag>external_acl_type</tag>
- <p>New format specifications:
- <verb>
- %URI Requested URI
-
- %PATH Requested URL path
- </verb>
- <p>New result keywords:
- <verb>
- tag= Apply a tag to a request (for both ERR and OK results)
- Only sets a tag, does not alter existing tags.
- </verb>
-
- <tag>refresh_pattern</tag>
- <p>New options:
- <verb>
- ignore-no-store
- refresh-ims
-
- ignore-no-store ignores any ``Cache-control: no-store''
- headers received from a server. Doing this VIOLATES
- the HTTP standard. Enabling this feature could make you
- liable for problems which it causes.
-
- refresh-ims causes squid to contact the origin server
- when a client issues an If-Modified-Since request. This
- ensures that the client will receive an updated version
- if one is available.
- </verb>
-
- <tag>acl</tag>
- <p>The 'all' ACL is now provided as a built-in. Warnings will be displayed if any attempt is made to redefine it.
- <p>New types:
- <verb>
- acl aclname http_status 200 301 500- 400-403 ... # status code in reply
- </verb>
-
- <tag>short_icon_urls</tag>
- <p>New default:
- <verb>
- Default: on
- (Old default: off)
- </verb>
- <tag>delay_class</tag>
- <p>New delay classes:
- <verb>
- class 4 Everything in a class 3 delay pool, with an
- additional limit on a per user basis. This
- only takes effect if the username is established
- in advance - by forcing authentication in your
- http_access rules.
-
- class 5 Requests are grouped according their tag (see
- external_acl's tag= reply).
- </verb>
-
- <tag>htcp_port</tag>
- <p>New default to require the feature to be enabled in squid.conf:
- <verb>
- Default: 0 (disabled)
- (Old default: 4827)
- </verb>
-
- <tag>icp_port</tag>
- <p>New default to require the feature to be enabled in squid.conf:
- <verb>
- Default: 0 (disabled)
- (Old default: 3130)
- </verb>
-
- <tag>snmp_port</tag>
- <p>New default to require the feature to be enabled in squid.conf:
- <verb>
- Default: 0 (disabled)
- (Old default: 3401)
- </verb>
-
- <tag>logformat</tag>
- <p>New format tags:
- <verb>
- rp Request URL-Path excluding hostname
-
- et Tag returned by external acl
-
- <sH Reply high offset sent
-
- <sS Upstream object size
- </verb>
-
- <tag>reply_body_max_size</tag>
- <p>Syntax changed:
- <verb>
- reply_body_max_size size [acl acl...]
- </verb>
- <p>allow/deny no longer used.
-
- <tag>url_rewrite_program</tag>
- <p>No urlgroup support in either requests or response
-
- <tag>auth_param</tag>
- <p>fake_auth helper for NTLM now accepts the '-S' parameter to strip NTLM domain off the username string.
- This is useful for class 4 Delay Pools in Squid 3.x
-
- <tag>half_closed_clients</tag>
- <p>New default value of OFF
-
-</descrip>
-
-<sect1>Removed tags<label id="removedtags">
-<p>
-<descrip>
- <tag>header_access</tag>
- <p>This has been replaced by request_header_access and reply_header_access
-
- <tag>httpd_accel_no_pmtu_disc</tag>
- <p>Replaced by disable-pmtu-discovery http_port option
-
- <tag>wais_relay_*</tag>
- <p>equivalent to cache_peer + cache_peer_access.
-
-</descrip>
-
-
-<sect>Changes to ./configure Options since Squid-2.6
-<p>There have been some changes to Squid's build configuration since Squid-2.6.
-
-<p>This section gives an account of those changes in three categories:
-
-<itemize>
- <item><ref id="newoptions" name="New options">
- <item><ref id="modifiedoptions" name="Changes to existing options">
- <item><ref id="removedoptions" name="Removed options">
-</itemize>
-<p>
-
-
-<sect1>New options<label id="newoptions">
-
-<p>
-<descrip>
- <tag>--enable-shared[=PKGS]</tag>
- <p>Build shared libraries. The default is to build without.</p>
-
- <tag>--enable-static[=PKGS]</tag>
- <p>Build static libraries. The default is on.</p>
-
- <tag>--enable-fast-install[=PKGS]</tag>
- <verb>Optimize for fast installation
- default: yes</verb>
-
- <tag>--disable-libtool-lock</tag>
- <p>Avoid locking (might break parallel builds)</p>
-
- <tag>--disable-optimizations</tag>
- <p>Don't compile Squid with compiler optimizations enabled.
- Optimization is good for production builds, but not
- good for debugging. During development, use
- --disable-optimizations to reduce compilation times
- and allow easier debugging. This option implicitly
- also enables --disable-inline</p>
-
- <tag>--disable-inline</tag>
- <p>Don't compile trivial methods as inline. Squid
- is coded with much of the code able to be inlined.
- Inlining is good for production builds, but not
- good for development. During development, use
- --disable-inline to reduce compilation times and
- allow incremental builds to be quick. For
- production builds, or load tests, use
- --enable-inline to have squid make all trivial
- methods inlinable by the compiler.</p>
-
- <tag>--enable-debug-cbdata</tag>
- <p>Provide some debug information in cbdata</p>
-
- <tag>--enable-disk-io=\"list of modules\"</tag>
- <p>Build support for the list of disk I/O modules.
- The default is only to build the "Blocking" module.
- See src/DiskIO for a list of available modules, or
- Programmers Guide for details on how to build your
- custom disk module.</p>
-
- <tag>--enable-esi</tag>
- <p>Enable ESI for accelerators. Requires libexpat.
- Enabling ESI will cause squid to follow the Edge
- Acceleration Specification (www.esi.org). This
- causes squid to IGNORE client Cache-Control headers.</p>
- <p><em>DO NOT</em> use this in a squid configured as a web
- proxy, ONLY use it in a squid configured for
- webserver acceleration.</p>
-
- <tag>--enable-icap-client</tag>
- <p>Enable the ICAP client.</p>
-
- <tag>--disable-snmp</tag>
- <p>Disable SNMP monitoring support which is now built by default.</p>
-
- <tag>--disable-htcp</tag>
- <p>Disable HTCP protocol support which is now built by default.</p>
-
- <tag>--enable-kqueue</tag>
- <p>Enable kqueue() support. Marked as experimental in 3.0.</p>
-
- <tag>--enable-ipfw-transparent</tag>
- <p>Enable Transparent Proxy support for systems
- using FreeBSD IPFW style redirection.</p>
-
- <tag>--disable-mempools</tag>
- <p>Disable memPools. Note that this option now simply sets the
- default behaviour. Specific classes can override this at runtime, and
- only lib/MemPool.c needs to be altered to change the squid-wide
- default for all classes.</p>
-
- <tag>--enable-cpu-profiling</tag>
- <p>This option allows you to see which internal functions
- in Squid are consuming how much CPU. Compiles in probes
- that measure time spent in probed functions. Needs
- source modifications to add new probes. This is meant
- for developers to assist in performance optimisations
- of Squid internal functions.</p>
- <p>If you are not developer and not interested in the stats
- you shouldn't enable this, as overhead added, although
- small, is still overhead. See lib/Profiler.c for more.</p>
-
- <tag>--with-gnu-ld</tag>
- <p>Assume the C compiler uses GNU ld. The default is to auto-detect.</p>
-
- <tag>--with-pic</tag>
- <p>Try to use only PIC/non-PIC objects. The default is to use both.</p>
-
- <tag>--with-tags[=TAGS]</tag>
- <p>Include additional configurations. The default is automatic.</p>
-
- <tag>--with-default-user=USER</tag>
- <p>Sets the default System User account for squid permissions.
- The default is 'nobody' as in other releases of squid.</p>
-
- <tag>--with-cppunit-basedir=[PATH]</tag>
- <p>Path where the cppunit headers and libraries are found
- for unit testing. The default is automatic detection.</p>
- <p>NOTE: Since 3.0-PRE6 and 2.6STABLE14 squid no longer comes
- bundled with CPPUnit. Compile-time validation will be disabled
- if it is not installed on your system.</p>
-
-</descrip>
-</p>
-
-<sect1>Changes to existing options<label id="modifiedoptions">
-
-<p>
-<descrip>
- <tag>--enable-carp</tag>
- <p>CARP support is now built by default.
- --disable-carp can be used to build without it.</p>
-
- <tag>--enable-htcp</tag>
- <p>HTCP protocol support is now built by default.
- Use --disable-htcp to build without it.</p>
-
- <tag>--enable-snmp</tag>
- <p>SNMP monitoring is now build by default.
- Use --disable-snmp to build without it.</p>
-
- <tag>--enable-heap-replacement</tag>
- <p>Please use --enable-removal-policies directive instead.</p>
-
- <tag>--with-maxfd=N</tag>
- <p>Replaced by --with-filedescriptors=N</p>
- <p>Override maximum number of filedescriptors. Useful
- if you build as another user who is not privileged
- to use the number of filedescriptors you want the
- resulting binary to support</p>
-
- <tag>--enable-select</tag>
- <p>Deprecated.
- Automatic checks will enable best I/O loop method available.</p>
-
- <tag>--enable-epoll</tag>
- <p>Deprecated.
- Automatic checks will enable best I/O loop method available.</p>
-
- <tag>--enable-poll</tag>
- <p>Deprecated.
- Automatic checks will enable best I/O loop method available.</p>
-
- <tag>--enable-kqueue</tag>
- <p>kqueue support is marked Experimental in Squid 3.0. Known to have some issues under load.</p>
-
-</descrip>
-</p>
-
-
-<sect1>Removed options<label id="removedoptions">
-
-<p>The following configure options have been removed.
-
-<descrip>
- <tag>--enable-dlmalloc</tag>
- <p>Most OS:es have good malloc implementations these days, and the version we used to ship with Squid was very very old..</p>
- <tag>--enable-mempool-debug</tag>
- <p>Debug option, not needed and therefore removed.</p>
- <tag>--enable-forward-log</tag>
- <p>Rarely used extra log file. Removed.</p>
- <tag>--enable-multicast-miss</tag>
- <p>Rarely used feature, and multicast ICP acheives almost the same result. Removed.</p>
- <tag>--enable-coss-aio-ops</tag>
- <p>Specific to the COSS implementation in Squid-2</p>
- <tag>--enable-large-cache-files</tag>
- <p>Now enabled by default. Configure option was redundant and therefore removed.
- <tag>--enable-truncate</tag>
- <p>Known to cause race conditions where cache objects may get corrupted, and this for at most a marginal performance improvement. Removed.</p>
-
-</descrip>
-
-
-<sect>Regressions since Squid-2.7
-
-<p>Some squid.conf and ./configure options which were available in Squid-2.7 are not yet available in Squid-3.0
-
-<p>If you need something to do then porting one of these from Squid-2 to Squid-3 is most welcome.
-
-<sect1>Missing squid.conf options available in Squid-2.7
-<p>
-<descrip>
- <tag>acl</tag>
- <p><em>urllogin</em> option not yet ported from 2.6
- <p><em>urlgroup</em> option not yet ported from 2.6
-
- <tag>acl_uses_indirect_client</tag>
- <p>Not yet ported from 2.6
-
- <tag>auth_param digest</tag>
- <p><em>concurrency</em> option not yet ported from Squid-2
-
- <tag>authenticate_ip_shortcircuit_access</tag>
- <p>Not yet ported from 2.7
-
- <tag>authenticate_ip_shortcircuit_ttl</tag>
- <p>Not yet ported from 2.7
-
- <tag>broken_vary_encoding</tag>
- <p>Not yet ported from 2.6
-
- <tag>cache_dir</tag>
- <p><em>min-size</em> option not yet ported from Squid-2
- <p><em>COSS</em> storage type is lacking stability fixes from 2.6
- <p>COSS <em>overwrite-percent=</em> option not yet ported from 2.6
- <p>COSS <em>max-stripe-waste=</em> option not yet ported from 2.6
- <p>COSS <em>membufs=</em> option not yet ported from 2.6
- <p>COSS <em>maxfullbufs=</em> option not yet ported from 2.6
-
- <tag>cache_peer</tag>
- <p><em>multicast-siblings</em> not yet ported from 2.7
- <p><em>idle=</em> not yet ported from 2.7
- <p><em>http11</em> not yet ported from 2.7
- <p><em>connection-auth=</em> not yet ported from 2.6
- <p><em>monitorinterval=</em> not yet ported from 2.6
- <p><em>monitorsize=</em> not yet ported from 2.6
- <p><em>monitortimeout=</em> not yet ported from 2.6
- <p><em>monitorurl=</em> not yet ported from 2.6
-
- <tag>cache_vary</tag>
- <p>Not yet ported from 2.6
-
- <tag>collapsed_forwarding</tag>
- <p>Not yet ported from 2.6
-
- <tag>delay_pool_uses_indirect_client</tag>
- <p>Not yet ported from 2.6
-
- <tag>error_map</tag>
- <p>Not yet ported from 2.6
-
- <tag>external_acl_type</tag>
- <p><em>%ACL</em> format tag not yet ported from 2.6
- <p><em>%DATA</em> format tag not yet ported from 2.6
-
- <tag>external_refresh_check</tag>
- <p>Not yet ported from 2.7
-
- <tag>follow_x_forwarded_for</tag>
- <p>Not yet ported from 2.6
-
- <tag>http_access2</tag>
- <p>Not yet ported from 2.6
-
- <tag>http_port</tag>
- <p><em>act-as-origin</em> not yet ported from 2.7
- <p><em>allow-direct</em> not yet ported from 2.7
- <p><em>http11</em> not yet ported from 2.7
- <p><em>urlgroup=</em> not yet ported from 2.6
- <p><em>no-connection-auth</em> not yet ported from 2.6
-
- <tag>ignore_expect_100</tag>
- <p>Not yet ported from 2.7
-
- <tag>ignore_ims_on_miss</tag>
- <p>Not yet ported from 2.7
-
- <tag>location_rewrite_access</tag>
- <p>Not yet ported from 2.6
-
- <tag>location_rewrite_children</tag>
- <p>Not yet ported from 2.6
-
- <tag>location_rewrite_concurrency</tag>
- <p>Not yet ported from 2.6
-
- <tag>location_rewrite_program</tag>
- <p>Not yet ported from 2.6
-
- <tag>log_uses_indirect_client</tag>
- <p>Not yet ported from 2.6
-
- <tag>logfile_daemon</tag>
- <p>Not yet ported from 2.7
-
- <tag>logformat</tag>
- <p><em>%oa</em> tag not yet ported from 2.7
- <p><em>%sn</em> tag not yet ported from 2.7
-
- <tag>max_filedescriptors</tag>
- <p>Not yet ported from 2.7
-
- <tag>max_stale</tag>
- <p>Not yet ported from 2.7
-
- <tag>refresh_pattern</tag>
- <p><em>stale-while-revalidate=</em> not yet ported from 2.7
- <p><em>ignore-stale-while-revalidate=</em> not yet ported from 2.7
- <p><em>max-stale=</em> not yet ported from 2.7
- <p><em>negative-ttl=</em> not yet ported from 2.7
-
- <tag>refresh_stale_hit</tag>
- <p>Not yet ported from 2.7
-
- <tag>server_http11</tag>
- <p>Not yet ported from 2.7
-
- <tag>storeurl_access</tag>
- <p>Not yet ported from 2.7
-
- <tag>storeurl_rewrite_children</tag>
- <p>Not yet ported from 2.7
-
- <tag>storeurl_rewrite_concurrency</tag>
- <p>Not yet ported from 2.7
-
- <tag>storeurl_rewrite_program</tag>
- <p>Not yet ported from 2.7
-
- <tag>update_headers</tag>
- <p>Not yet ported from 2.7
-
- <tag>upgrade_http0.9</tag>
- <p>Not yet ported from 2.7
-
- <tag>zero_buffers</tag>
- <p>Not yet ported from 2.7
-
-</descrip>
-
-<sect1>Missing ./configure options available in Squid-2.7
-<p>
-<descrip>
- <tag>--enable-devpoll</tag>
- <p>Support for Solaris /dev/poll</p>
-
- <tag>--enable-select-simple</tag>
- <p>Basic POSIX select() loop without any binary fd_set optimizations.</p>
-
- <tag>--enable-follow-x-forwarded-for</tag>
- <p>Support following the X-Forwarded-For HTTP header for determining the
- client IP address</p>
-
- <tag>--without-system-md5</tag>
-
-</descrip>
-
-<sect>Copyright
-<p>
-Copyright (C) 1996-2023 The Squid Software Foundation and contributors
-<p>
-Squid software is distributed under GPLv2+ license and includes
-contributions from numerous individuals and organizations.
-Please see the COPYING and CONTRIBUTORS files for details.
-
-</article>
+++ /dev/null
-<!doctype linuxdoc system>
-<article>
-<title>Squid 3.1.23 release notes</title>
-<author>Squid Developers</author>
-
-<abstract>
-This document contains the release notes for version 3.1 of Squid.
-Squid is a WWW Cache application developed by the National Laboratory
-for Applied Network Research and members of the Web Caching community.
-</abstract>
-
-<toc>
-
-<sect>Notice
-<p>
-The Squid Team are pleased to announce the release of Squid-3.1.23
-
-This new release is available for download from <url url="http://www.squid-cache.org/Versions/v3/3.1/"> or the <url url="http://www.squid-cache.org/Download/http-mirrors.html" name="mirrors">.
-
-A large number of the show-stopper bugs have been fixed along with general improvements to the ICAP support.
-While this release is not fully bug-free we believe it is ready for use in production on many systems.
-
-We welcome feedback and bug reports. If you find a new bug, please see <url url="https://wiki.squid-cache.org/SquidFaq/BugReporting"> for how to submit a report with a stack trace and other required details. Additional information is also very welcome on other open bugs.
-
-<sect1>Known issues
-<p>
-Although this release is deemed good enough for use in many setups, please note the existence of
-<url url="https://bugs.squid-cache.org/buglist.cgi?query_format=advanced&target_milestone=3.1&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&cmdtype=doit&order=bugs.bug_severity" name="open bugs against Squid-3.1">.
-
-<p>Some issues to note as currently known in this release which are not able to be fixed in the 3.1 series are:
-
-<itemize>
- <item>The lack of some features available in Squid-2.x series. See the regression sections below for full details.
- <item>eCAP library version 0.2.0 and later are not supported. See eCAP section below for details.
- <item>CVE-2009-0801 : NAT interception vulnerability to malicious clients. This is fixed in 3.2 series.
- Some attempts have been made to port for 3.1, but the unreliability of NAT handling in 3.1 makes this unsafe.
-</itemize>
-
-<p>Currently known issues which only depends on available developer time and may still be resolved in a future 3.1 release are:
-
-<itemize>
- <item>Windows support is still largely missing.
- <item>AIX support for building with the IBM compiler is broken.
- <item>OpenSSL 1.0.0 support is incomplete.
-</itemize>
-
-
-<sect1>Changes since earlier releases of Squid-3.1
-<p>
-The 3.1 change history can be <url url="http://www.squid-cache.org/Versions/v3/3.1/changesets/" name="viewed here">.
-
-<sect>Major new features since Squid-3.0
-<p>
-Squid 3.1 represents a new feature release above 3.0.
-
-The most important of these new features are:
-
-<itemize>
- <item>New Version Numbering System
- <item>Minimal squid.conf improvements
- <item>Native IPv6 Support
- <item>Error Page Localization
- <item>Connection Pinning (for NTLM Auth Passthrough)
- <item>Quality of Service (QoS) Flow support
- <item>SSL Bump (for HTTPS Filtering and Adaptation)
- <item>eCAP Adaptation Module support
- <item>ICAP Bypass and Retry enhancements
- <item>ICY streaming protocol support
- <item>Dynamic SSL Certificate Generation (3.1.13 and later)
-</itemize>
-
-Most user-facing changes are reflected in squid.conf (see below).
-
-<sect1>New Version Numbering System
-
-<p>Begining with 3.1 the Squid Developers are using a new release numbering system.
-
-<p>We have decided, based on input from interested users to drop the Squid-2 terminology of
- (DEVEL, PRE, RC, and STABLE) from the release package names.
-These are replaced with a simpler 3-tier system based around the natural code development cycle.
-
-<p>Daily generated snapshots of all current versions are provided as testing (old DEVEL) and bug-fix releases.
-These are numbered from their last release with a date appended.
-Snapshots generated from 3.HEAD continue to be highly volatile.
-
-<p>Regular feature releases from Squid-3 will be branched out as sub-versions. Such as this Squid-3.1.
-
-<p>All this is previous policy you should be accustomed to. Now we get to the new numbering change.
-
-<p>Initial branch packages will be generated with a 3.X.0.Z version as beta testing packages.
-Packages and Snapshots generated with these 3-dot numbers are expected to be relatively stable regarding feature behaviors.
-Suitable for testing, but without any guarantees under production loads. This replaces both the old PRE and RC packages.
-
-<p>If a large number of bugs are found several *.0.Z packages may be attempted before any is fully frozen for production use.
- To be frozen as stable the code must be compiling well and have passed a period of 14 days with no new bugs reported against
- the new code added in that release.
-
-<p>When one of these Squid-3.X.0.Z packages passes those criteria a 3.X.Y numbered release will be made.
-
-<p>We can only hope enough testing has been done to consider these ready for production use.
-As always we are fully dependent on people testing the previous packages and reporting all bugs.
-
-<p>In support of all this are several squid-dev process changes which have been worked out over the last year.
-
-<itemize>
-<item>We no longer accept new features into branches.
- Those are reserved for the next feature release.
- The cycle for major releases is hoped to be fast enough to suit some peoples needs for new features
- and others need for stability in the branched releases.
-
-<item>We now audit and vote on all feature and major code additions.
- Requiring at least two sets of developer eyes on any new features before they are committed to 3.HEAD.
- Vastly reducing the number of bugs in all code.
-
-<item>We have implemented and continue to add more testing infrastructure.
-</itemize>
-
-
-<sect1>Minimal squid.conf improvements
-
-<p>squid.conf has undergone a facelift.
-
-<p>Don't worry, few operational changes have been made.
-Older configs from Squid 2.x and 3.0 are still expected to run in 3.1 with only the usual minor
-changes seen between major release. Details on those are listed below.
-
-<p>New users will be relieved to see a very short squid.conf on clean installs.
-Many of the options have reasonable defaults but had previously needed them explicitly configured!
-These are now proper built-in defaults and no longer need to be in squid.conf unless changed.
-
-<p>All of the option documentation has been offloaded to another file <em>squid.conf.documented</em> which
-contains a fully documented set of available options previously cluttering up squid.conf itself.
-
-<p>Package maintainers are provided with a second file squid.conf.default which as always contains the default
-config options provided on a clean install.
-
-<p>We are also providing online copies of configuration documentation.
- Updated live to match the latest release of each Squid series, and a combined global version.
- This is available on <url url="http://www.squid-cache.org/Doc/config/" name="the Squid website">
-
-
-<sect1>Internet Protocol version 6 (IPv6)
-
-<p>Squid 3.1 supports IPv6.
- Details in <url url="https://wiki.squid-cache.org/Features/IPv6" name="The Squid wiki">
-
-<sect2>New Features for IPv6
-
-<p>Squid handles localhost values seperately. For the purpose of ACLs and also external
- connections ::1 is considered a seperate IP from 127.0.0.1. This means all ACL which
- define behaviour for localhost may need ::1/128 included.
-
-<p>Pinger has been upgraded to perform both ICMP and ICMPv6 as required.
- As a result of this and due to a change in the binary protocol format between them,
- new builds of Squid are no longer backwards-compatible with old pinger binaries.
- You will need to perform "make install-pinger" again after installing Squid.
-
-<p>Peer and Client SNMP tables have been altered to handle IPv6 addresses.
- As a side effect of this the long-missing fix to show seperate named peers on one IP
- has been integrated. Making the SNMP peer table now produce correct output.
- The table structure change is identical for both IPv4-only and Dual modes but with
- IPv4-only simply not including any IPv6 entries. This means any third-party SNMP
- software which hard coded the MIB paths needs to be upgraded for this Squid release.
- Details can be found in the wiki <url url="https://wiki.squid-cache.org/Features/Snmp#squid-oids" name="SNMP feature page">.
-
-<sect2>Limitations of IPv6 Support
-
-<p>In this release there is incomplete split-stack support. This means that OS which do not provide
- IP stacks based on the KAME stack with Hybrid extensions to do IPv4-mapping cannot use full IPv6
- with Squid. From 3.1.6 the automatic capability detection will enable these abilities:
-<itemize>
- <item>open both IPv4 and IPv6 versions of http_port for client connections where applicable.
- <item>perform DNS to both IPv4 and IPv6 DNS servers.
- <item>permit IPv6-only snmp_incoming_address and snmp_outgoing_address to be configured.
- <item>permit IPv6 server connection provided tcp_outgoing_address has been configured (see below).
-</itemize>
-<p><em>NOTE:</em> ICAP, SNMP, ICP and HTCP are not yet opening double ports so they will only run as IPv4-only or IPv6-only.
-
-<p>Specify a specific tcp_outgoing_address and the clients who match its ACL are limited
- to the IPv4 or IPv6 network that address belongs to. They are not permitted over the
- IPv4-IPv6 boundary. Some ACL voodoo can however be applied to explicitly route the
- IPv6/IPv4 bound traffic (DIRECT access) out an appropriate interface.
- See the squid.conf documentation for further details.
-
-<p>WCCP is not available (neither version 1 or 2).
- It remains built into Squid for use with IPv4 traffic but IPv6 cannot use it.
-
-<p>Pseudo-Transparent Interception is done via NAT at the OS level and is not available in IPv6.
- Squid will ensure that any port set with transparent or intercept options be an IPv4-only
- listening address. Wildcard can still be used but will not open as an IPv6.
- To ensure that Squid can accept IPv6 traffic on its default port, an alternative should
- be chosen to handle transparently intercepted traffic.
-<verb>
- http_port 3128
- http_port 8080 intercept
-</verb>
-
-<p>Real transparent Interception (TPROXY) may be able to perform IPv6 interception.
- However this currently still needs patching of kernels older than 2.6.37.
- Squid will attempt to discover support on startup and may permit or deny IPv6 wildcard for
- tproxy flagged ports depending on your system.
-
-<p>The bundled NTLM Auth helper is IPv4-native between itself and the NTLM server.
- A new one will be needed for IPv6 traffic between the helper and server.
-
-<p>The bundled RADIUS Auth helper is IPv4-native, both in traffic between and data storage
- with the RADIUS server. A new helper will be needed for IPv6 RADIUS protocol.
-
-
-<sect1>Error Page Localization
-
-<p>Details in <url url="https://wiki.squid-cache.org/Translations" name="The Squid wiki">
-
-<sect2>Localization
-
-<p>The error pages presented by Squid may now be localized per-request to match the visitors local preferred language.
-
-<p>The error_directory option in squid.conf needs to be removed.
-
-<p>For best coverage of languages, using the latest language pack of error files is recommended.
-Updates can be downloaded from <url url="http://www.squid-cache.org/Versions/langpack/" name="www.squid-cache.org/Versions/langpack/">
-
-<p>The Squid developers are interested in making Squid available in a wide variety of languages.
- Contribution of new languages is encouraged.
-
-<sect2>CSS Stylesheet controls
-
-<p>To further enhance the visitor experience all new translations have embeded CSS hooks for scalable per-site localization of the display.
-
-<p>CSS display is controlled by updating the errorpage.css file installed into Squids configuration directory
- or the <em>err_page_stylesheet</em> option in squid.conf.
-
-<p>Custom error pages can also embed the CSS content by adding the <em>%l</em> tag to their headers.
-
-
-<sect1>Connection Pinning (for NTLM Auth Passthrough)
-
-<p>Details in <url url="https://wiki.squid-cache.org/Features/ConnPin" name="The Squid wiki">
-
-<p>Squid 3.1 includes the much asked for Connection Pinning feature from Squid 2.6.
-
-<p>This feature is often called 'NTLM Passthru' since it is a giant workaround which permits Web servers to use
-Microsoft NTLM Authentication instead of HTTP standard authentication through a web proxy.
-
-
-<sect1>Quality of Service (QoS) Flow support
-
-<p>Details in <url url="https://wiki.squid-cache.org/Features/QualityOfService" name="The Squid wiki">
-
-<p>Zero Penalty Hit created a patch to set QoS markers on outgoing traffic.
-
-<itemize>
- <item>Allows you to select a TOS/Diffserv value to mark local hits.
- <item>Allows you to select a TOS/Diffserv value to mark peer hits.
- <item>Allows you to selectively mark only sibling or parent requests
- <item>Allows any HTTP response towards clients to have the TOS value of the response coming from
- the remote server preserved.
- For this to work correctly, you will need to patch your linux kernel with the TOS preserving ZPH patch.
- The kernel patch can be downloaded from <url url="http://zph.bratcheda.org" name="http://zph.bratcheda.org">
- <item>Allows you to mask certain bits in the TOS received from the remote server,
- before copying the value to the TOS send towards clients.
-</itemize>
-
-<sect2>Squid Configuration
-<p>Squid 3.1 needs to be configured with <em>--enable-zph-qos</em> for the ZPH QoS controls to be available.
-
-<p>The configuration options for Squid 2.7 and 3.1 are based on different ZPH patches.
- The two releases configuration differs and only the TOS mode settings are directly translatable.
-
-<itemize>
-<item><em>qos_flows local-hit=0xff</em> Responses found as a HIT in the local cache
-<item><em>qos_flows sibling-hit=0xff</em> Responses found as a HIT in a sibling peer
-<item><em>qos_flows parent-hit=0xff</em> Responses found as a HIT in a parent peer
-</itemize>
-
-<p>The lines above are separated for documentation. qos_flows may be configured with all options on one line, or separated as shown.
- Also options may be repeated as many times as desired. Only the final configured value for any option will be used.
-
-<p>The legacy <em>Option</em> and <em>Priority</em> modes available in Squid-2.7 are no longer supported.
-
-
-<sect1>SSL Bump (for HTTPS Filtering and Adaptation)
-
-<p>Details in <url url="https://wiki.squid-cache.org/Features/SslBump" name="The Squid wiki">
-
-<p>Squid-in-the-middle decryption and encryption of CONNECT tunneled SSL traffic,
- using configurable client- and server-side certificates.
- While decrypted, the traffic can be inspected using ICAP.
-
-<p>Squid 3.1 releases limit SSL Bump to CONNECT requests and requires that clients are
- configured to explicitly use the proxy in their browser settings or via WPAD/PAC
- configuration. Use of interception for port 443 is not officially supported, despite
- being known to work under certain limited networking circumstances.
-
-<sect1> Dynamic SSL Certificate Generation
-<p> SslBump users know how many certificate warnings a single complex site
-(using dedicated image, style, and/or advertisement servers for embedded content)
-can generate. The warnings are legitimate and are caused by Squid-provided site
-certificate. Two things may be wrong with that certificate:
-<itemize>
- <item> Squid certificate is not signed by a trusted authority.
- <item> Squid certificate name does not match the site domain name.
-</itemize>
-Squid can do nothing about (A), but in most targeted environments, users will
-trust the "man in the middle" authority and install the corresponding root
-certificate.
-
-<p>To avoid mismatch (B), the DynamicSslCert feature concentrates on generating
-site certificates that match the requested site domain name. Please note that
-the browser site name check does not really add much security in an SslBump
-environment where the user already trusts the "man in the middle". The check
-only adds warnings and creates page rendering problems in browsers that try to
-reduce the number of warnings by blocking some embedded content.
-
-<sect1>eCAP Adaptation Module support
-
-<p>Details in <url url="https://wiki.squid-cache.org/Features/eCAP" name="The Squid wiki">
-
-<p>eCAP provides a way to integrate CAP modules directly into Squid without the need for
- a c-icap server wrapper. This enables faster processing.
-
-<p>Currently known and available eCAP modules are listed in the wiki feature page on eCAP.
-
-<p><em>Known Issue:</em> libecap version 0.0.3 (exactly) is required to build this series
- of Squid. Other versions of libecap contain significant interface differences.
-
-
-<sect1>ICAP Bypass and Retry enhancements
-
-<p>Details in <url url="https://wiki.squid-cache.org/Features/ICAP" name="The Squid wiki">
-
-<p>ICAP is now extended with full bypass and dynamic chain routing to handle multiple
- adaptation services.
-
-<sect2>ICAP Adaptation Service Sets and Chains
-
-<p>An adaptation service set contains similar, interchangeable services. No more
- than one service is successfully applied. If one service is down or fails,
- Squid can use another service. Think "hot standby" or "spare" ICAP servers.
-
-<p>Sets may seem similar to the existing "service bypass" feature, but they allow
- the failed adaptation to be retried and succeed if a replacement service is
- available. The services in a set may be all optional or all essential,
- depending on whether ignoring the entire set is acceptable. The mixture of
- optional and essential services in a set is supported, but yields results that
- may be difficult for a human to anticipate or interpret. Squid warns when it
- detects such a mixture.
-
-<p>When performing adaptations with a set, failures at a service (optional or
- essential, does not matter) are retried with a different service if possible.
- If there are no more replacement services left to try, the failure is treated
- depending on whether the last service tried was optional or essential: Squid
- either tries to ignore the failure and proceed or terminates the master
- transaction.
-
-<p>An adaptation chain is a list of different services applied one after another,
- forming an adaptation pipeline. Services in a chain may be optional or
- essential. When performing adaptations, failures at an optional service are
- ignored as if the service did not exist in the chain.
-
-<p>Request satisfaction terminates the adaptation chain.
-
-<p>When forming a set or chain for a given transaction, optional down services are ignored as if they did not exist.
-
-<p>ICAP and eCAP services can be mixed and matched in an adaptation set or chain.
-
-<sect2>Dynamically form adaptation chains based on the ICAP X-Next-Services header.
-
-<p>If an ICAP service with the routing=1 option in squid.conf returns an ICAP
- X-Next-Services response header during a successful REQMOD or RESPMOD
- transaction, Squid abandons the original adaptation plan and forms a new
- adaptation chain consisting of services identified in the X-Next-Services
- header value (using a comma-separated list of adaptation service names from
- squid.conf). The dynamically created chain is destroyed once the new plan is
- completed or replaced.
-
-<p>This feature is useful when a custom adaptation service knows which other
- services are applicable to the message being adapted.
-
-<p>Limit adaptation iterations to adaptation_service_iteration_limit to protect
- Squid from infinite adaptation loops caused by ICAP services constantly
- including themselves in the dynamic adaptation chain they request. When the
- limit is exceeded, the master transaction fails. The default limit of 16
- should be large enough to not require an explicit configuration in most
- environments yet may be small enough to limit side-effects of loops.
-
-
-<sect1>ICY streaming protocol support
-<p>Squid-3.1 adds native support for streaming protocol ICY.
- Also commonly known as SHOUTcast multimedia streams.
-
-<p>This protocol uses port 80 and violates RFC 2616 by using an HTTP/1.1 compliant request and non-HTTP reply
- to start the stream transaction. If the reply is handled according to HTTP/1.1 RFC-compliance requirements
- the audio stream becomes jerky and contains regular 'popping' sounds.
-
-<p>Squid now processes the ICY replies natively according to the ICY requirements, not HTTP/1.1 requirements.
- The streamed data is not cacheable. All processing and access controls may be applied the same as for HTTP.
-
-<sect2>squid.conf change
-<p>Squid-2 contained a hack using the <em>update_http0.9</em> squid.conf option to work around the
- unusual replies. This option is now obsolete.
-
-<p>The <em>proto</em> ACL type only matches <em>ICY</em> once the reply has been received, before that the processing
- is only aware on an HTTP request. So the ACL will match <em>HTTP</em> in <em>http_access</em> and <em>ICY</em> in
- <em>http_reply_access</em>.
-
-
-<sect>Changes to squid.conf since Squid-3.0
-<p>
-There have been changes to Squid's configuration file since Squid-3.0.
-
-This section gives a thorough account of those changes in three categories:
-
-<itemize>
- <item><ref id="newtags" name="New tags">
- <item><ref id="modifiedtags" name="Changes to existing tags">
- <item><ref id="removedtags" name="Removed tags">
-</itemize>
-<p>
-
-
-<sect1>New tags<label id="newtags">
-<p>
-<descrip>
- <tag>acl_uses_indirect_client</tag>
- <p>Whether to use any result found by follow_x_forwarded_for in further ACL processing.
- Default: ON
- <verb>
- Controls whether the indirect client address
- (see follow_x_forwarded_for) is used instead of the
- direct client address in acl matching.
- </verb>
-
- <tag>adaptation_access</tag>
- <p>Sends an HTTP transaction to an ICAP or eCAP adaptation service.
- <verb>
- adaptation_access service_name allow|deny [!]aclname...
- adaptation_access set_name allow|deny [!]aclname...
-
- At each supported vectoring point, the adaptation_access
- statements are processed in the order they appear in this
- configuration file. Statements pointing to the following services
- are ignored (i.e., skipped without checking their ACL):
-
- - services serving different vectoring points
- - "broken-but-bypassable" services
- - "up" services configured to ignore such transactions
- (e.g., based on the ICAP Transfer-Ignore header).
-
- When a set_name is used, all services in the set are checked
- using the same rules, to find the first applicable one. See
- adaptation_service_set for details.
-
- If an access list is checked and there is a match, the
- processing stops: For an "allow" rule, the corresponding
- adaptation service is used for the transaction. For a "deny"
- rule, no adaptation service is activated.
-
- It is currently not possible to apply more than one adaptation
- service at the same vectoring point to the same HTTP transaction.
- </verb>
-
- <tag>adaptation_masterx_shared_names</tag>
- <verb>
- For each master transaction (i.e., the HTTP request and response
- sequence, including all related ICAP and eCAP exchanges), Squid
- maintains a table of metadata. The table entries are (name, value)
- pairs shared among eCAP and ICAP exchanges. The table is destroyed
- with the master transaction.
-
- This option specifies the table entry names that Squid must accept
- from and forward to the adaptation transactions.
-
- An ICAP REQMOD or RESPMOD transaction may set an entry in the
- shared table by returning an ICAP header field with a name
- specified in adaptation_masterx_shared_names. Squid will store
- and forward that ICAP header field to subsequent ICAP
- transactions within the same master transaction scope.
-
- Only one shared entry name is supported at this time.
- </verb>
-
- <tag>adaptation_service_chain</tag>
- <verb>
- Configures a list of complementary services that will be applied
- one-by-one, forming an adaptation chain or pipeline. This is useful
- when Squid must perform different adaptations on the same message.
-
- adaptation_service_chain chain_name service_name1 svc_name2 ...
-
- The named services are used in the chain declaration order. The first
- applicable adaptation service from the chain is used first. The next
- applicable service is applied to the successful adaptation results of
- the previous service in the chain.
-
- When adaptation starts, broken services are ignored as if they were
- not a part of the chain. A broken service is a down optional service.
-
- Request satisfaction terminates the adaptation chain because Squid
- does not currently allow declaration of RESPMOD services at the
- "reqmod_precache" vectoring point (see icap_service or ecap_service).
-
- The services in a chain must be attached to the same vectoring point
- (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
-
- A chain may contain a mix of optional and essential services. If an
- essential adaptation fails (or the failure cannot be bypassed for
- other reasons), the master transaction fails. Otherwise, the failure
- is bypassed as if the failed adaptation service was not in the chain.
- </verb>
-
- <tag>adaptation_service_iteration_limit</tag>
- <verb>
- Limits the number of iterations allowed when applying adaptation
- services to a message. If your longest adaptation set or chain
- may have more than 16 services, increase the limit beyond its
- default value of 16. If detecting infinite iteration loops sooner
- is critical, make the iteration limit match the actual number
- of services in your longest adaptation set or chain.
-
- Infinite adaptation loops are most likely with routing services.
- </verb>
-
- <tag>adaptation_service_set</tag>
- <verb>
- Configures an ordered set of similar, redundant services. This is
- useful when hot standby or backup adaptation servers are available.
-
- adaptation_service_set set_name service_name1 service_name2 ...
-
- The named services are used in the set declaration order. The first
- applicable adaptation service from the set is used first. The next
- applicable service is tried if and only if the transaction with the
- previous service fails and the message waiting to be adapted is still
- intact.
-
- When adaptation starts, broken services are ignored as if they were
- not a part of the set. A broken service is a down optional service.
-
- The services in a set must be attached to the same vectoring point
- (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
-
- If all services in a set are optional then adaptation failures are
- bypassable. If all services in the set are essential, then a
- transaction failure with one service may still be retried using
- another service from the set, but when all services fail, the master
- transaction fails as well.
-
- A set may contain a mix of optional and essential services, but that
- is likely to lead to surprising results because broken services become
- ignored (see above), making previously bypassable failures fatal.
- Technically, it is the bypassability of the last failed service that
- matters.
- </verb>
-
- <tag>adapted_http_access</tag>
- <p>New name for <em>http_access2</em>. This form includes access control
- of ICAP and eCAP adaptations as well as the URL-rewriter alterations.
-
- <tag>chunked_request_body_max_size</tag>
- <p>New option to enable handing of broken HTTP/1.1 clients sending chunk requests.
- <verb>
- A broken or confused HTTP/1.1 client may send a chunked HTTP
- request to Squid. Squid does not have full support for that
- feature yet. To cope with such requests, Squid buffers the
- entire request and then dechunks request body to create a
- plain HTTP/1.0 request with a known content length. The plain
- request is then used by the rest of Squid code as usual.
-
- The option value specifies the maximum size of the buffer used
- to hold the request before the conversion. If the chunked
- request size exceeds the specified limit, the conversion
- fails, and the client receives an "unsupported request" error,
- as if dechunking was disabled.
-
- Dechunking is enabled by default. To disable conversion of
- chunked requests, set the maximum to zero.
-
- Request dechunking feature and this option in particular are a
- temporary hack. When chunking requests and responses are fully
- supported, there will be no need to buffer a chunked request.
- </verb>
-
- <tag>client_request_buffer_max_size</tag>
- <p>New directive added with squid-3.1.10 to set limits on the amount of buffer space allocated
- for receiving upload and request data from clients.
-
- <tag>delay_pool_uses_indirect_client</tag>
- <p>Whether to use any result found by follow_x_forwarded_for in delay_pool assignment.
- Default: ON
- <verb>
- Controls whether the indirect client address
- (see follow_x_forwarded_for) is used instead of the
- direct client address in delay pools.
- </verb>
-
- <tag>dns_v4_fallback</tag>
- <p>New option to prevent Squid from always looking up IPv4 regardless of whether IPv6 addresses are found.
- Squid will follow a policy of prefering IPv6 links, keeping the IPv4 only as a safety net behind IPv6.
- <verb>
- Standard practice with DNS is to lookup either A or AAAA records
- and use the results if it succeeds. Only looking up the other if
- the first attempt fails or otherwise produces no results.
-
- That policy however will cause Squid to produce error pages for some
- servers that advertise AAAA but are unreachable over IPv6.
-
- If this is ON Squid will always lookup both AAAA and A, using both.
- If this is OFF Squid will lookup AAAA and only try A if none found.
-
- WARNING: There are some possibly unwanted side-effects with this on:
- *) Doubles the load placed by Squid on the DNS network.
- *) May negatively impact connection delay times.
- </verb>
-
- <tag>dns_v4_first</tag>
- <p>Added in 3.1.16. Controls whether IPv4 or IPv6 connection is
- attempted first when contacting servers and peers.
-
- <tag>ecap_enable</tag>
- <p>Controls whether eCAP support is enabled. Default: OFF
-
- <tag>ecap_service</tag>
- <p>Defines a single eCAP service
- <verb>
- ecap_service servicename vectoring_point bypass service_url
-
- vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
- This specifies at which point of transaction processing the
- eCAP service should be activated. *_postcache vectoring points
- are not yet supported.
-
- bypass = 1|0
- If set to 1, the eCAP service is treated as optional. If the
- service cannot be reached or malfunctions, Squid will try to
- ignore any errors and process the message as if the service
- was not enabled. No all eCAP errors can be bypassed.
- If set to 0, the eCAP service is treated as essential and all
- eCAP errors will result in an error page returned to the
- HTTP client.
-
- service_url = ecap://vendor/service_name?custom&cgi=style&parameters=optional
-
- Example:
- ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block
- ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg
- </verb>
-
- <tag>err_page_stylesheet</tag>
- <p>New option to configure location for CSS stylesheet controlling error page display.
-
- <tag>error_default_language</tag>
- <p>New option to replace the old configure option --enable-default-err-language
- New translations can be downloaded from http://www.squid-cache.org/Versions/langpack/
- <verb>
- Set the default language which Squid will send error pages in
- if no existing translation matches the clients language
- preferences.
-
- If unset (default) generic English will be used.
- </verb>
-
- <tag>error_log_languages</tag>
- <p>
- <verb>
- Log to cache.log what languages users are attempting to
- auto-negotiate for translations.
-
- Successful negotiations are not logged. Only failures
- have meaning to indicate that Squid may need an upgrade
- of its error page translations.
- </verb>
-
- <tag>follow_x_forwarded_for</tag>
- <p>Enable processing of the X-Forwarded-for header for various administration tasks.
- <verb>
- Allowing or Denying the X-Forwarded-For header to be followed to
- find the original source of a request.
-
- Requests may pass through a chain of several other proxies
- before reaching us. The X-Forwarded-For header will contain a
- comma-separated list of the IP addresses in the chain, with the
- rightmost address being the most recent.
-
- If a request reaches us from a source that is allowed by this
- configuration item, then we consult the X-Forwarded-For header
- to see where that host received the request from. If the
- X-Forwarded-For header contains multiple addresses, and if
- acl_uses_indirect_client is on, then we continue backtracking
- until we reach an address for which we are not allowed to
- follow the X-Forwarded-For header, or until we reach the first
- address in the list. (If acl_uses_indirect_client is off, then
- it's impossible to backtrack through more than one level of
- X-Forwarded-For addresses.)
-
- The end result of this process is an IP address that we will
- refer to as the indirect client address. This address may
- be treated as the client address for access control, delay
- pools and logging, depending on the acl_uses_indirect_client,
- delay_pool_uses_indirect_client and log_uses_indirect_client
- options.
-
- SECURITY CONSIDERATIONS:
- Any host for which we follow the X-Forwarded-For header
- can place incorrect information in the header, and Squid
- will use the incorrect information as if it were the
- source address of the request. This may enable remote
- hosts to bypass any access control restrictions that are
- based on the client's source addresses.
-
- For example:
-
- acl localhost src 127.0.0.1
- acl my_other_proxy srcdomain .proxy.example.com
- follow_x_forwarded_for allow localhost
- follow_x_forwarded_for allow my_other_proxy
- </verb>
-
- <tag>ftp_eprt</tag>
- <p>New directive added with squid-3.1.11 to control whether Squid uses EPRT extension
- for efficient NAT handling and IPv6 protocol support in FTP.
-
- <tag>ftp_epsv</tag>
- <p>New directive to control whether Squid uses EPSV extension for
- efficient NAT handling and IPv6 protocol support in FTP.
-
- <tag>ftp_epsv_all</tag>
- <p>New directive to control whether Squid uses "EPSV ALL" extension for
- efficient NAT handling and IPv6 protocol support in FTP.
-
- <tag>forward_max_tries</tag>
- <p>Controls how many different forward paths Squid will try
- before giving up. Default: 10
-
- <tag>icap_log</tag>
- <p>New option to write ICAP log files record ICAP transaction summaries, one line per
- transaction. Similar to access.log.
- <verb>
- The icap_log option format is:
- icap_log <filepath> [<logformat name> [acl acl ...]]
- icap_log none [acl acl ...]]
-
- Please see access_log option documentation for details. The two
- kinds of logs share the overall configuration approach and many
- features.
-
- ICAP processing of a single HTTP message or transaction may
- require multiple ICAP transactions. In such cases, multiple
- ICAP transaction log lines will correspond to a single access
- log line.
-
- ICAP log uses logformat codes that make sense for an ICAP
- transaction. Header-related codes are applied to the HTTP header
- embedded in an ICAP server response, with the following caveats:
- For REQMOD, there is no HTTP response header unless the ICAP
- server performed request satisfaction. For RESPMOD, the HTTP
- request header is the header sent to the ICAP server. For
- OPTIONS, there are no HTTP headers.
-
- The following format codes are also available for ICAP logs:
-
- icap::<A ICAP server IP address. Similar to <A.
-
- icap::<service_name ICAP service name from the icap_service
- option in Squid configuration file.
-
- icap::ru ICAP Request-URI. Similar to ru.
-
- icap::rm ICAP request method (REQMOD, RESPMOD, or
- OPTIONS). Similar to existing rm.
-
- icap::>st Bytes sent to the ICAP server (TCP payload
- only; i.e., what Squid writes to the socket).
-
- icap::<st Bytes received from the ICAP server (TCP
- payload only; i.e., what Squid reads from
- the socket).
-
- icap::tr Transaction response time (in
- milliseconds). The timer starts when
- the ICAP transaction is created and
- stops when the transaction is completed.
- Similar to tr.
-
- icap::tio Transaction I/O time (in milliseconds). The
- timer starts when the first ICAP request
- byte is scheduled for sending. The timers
- stops when the last byte of the ICAP response
- is received.
-
- icap::to Transaction outcome: ICAP_ERR* for all
- transaction errors, ICAP_OPT for OPTION
- transactions, ICAP_ECHO for 204
- responses, ICAP_MOD for message
- modification, and ICAP_SAT for request
- satisfaction. Similar to Ss.
-
- icap::Hs ICAP response status code. Similar to Hs.
-
- icap::>h ICAP request header(s). Similar to >h.
-
- icap::<h ICAP response header(s). Similar to <h.
-
- The default ICAP log format, which can be used without an explicit
- definition, is called icap_squid:
-
-logformat icap_squid %ts.%03tu %6icap::tr %>a %icap::to/%03icap::Hs %icap::<size %icap::rm %icap::ru% %un -/%icap::<A -
- </verb>
-
- <tag>icap_retry</tag>
- <p>New option to determine which retriable ICAP transactions are
- retried.
- <verb>
- Transactions that received a complete ICAP response
- and did not have to consume or produce HTTP bodies to receive
- that response are usually retriable.
-
- icap_retry allow|deny [!]aclname ...
-
- Squid automatically retries some ICAP I/O timeouts and errors
- due to persistent connection race conditions.
- </verb>
-
- <tag>icap_retry_limit</tag>
- <verb>
- Limits the number of retries allowed. When set to zero (default),
- no retries are allowed.
-
- Communication errors due to persistent connection race
- conditions are unavoidable, automatically retried, and do not
- count against this limit.
- </verb>
-
- <tag>ignore_expect_100</tag>
- <p>Ported from 2.7. Requires --enable-http-violations
- Prevents 417 errors being sent to broken HTTP/1.1 non-compliant clients.
-
- <tag>include</tag>
- <p>New option to import entire secondary configuration files into squid.conf.
- <verb>
- Squid will follow the files immediately and insert all their content
- as if it was at that position in squid.conf. As per squid.conf some
- options are order-specific within the config as a whole.
-
- A few layers of include are allowed, but too many are confusing and
- Squid will enforce an include depth of 16 files.
-
- Syntax:
- include /path/to/file1 /path/to/file2
- </verb>
-
- <tag>loadable_modules</tag>
- <p>Instructs Squid to load the specified dynamic module(s) or activate
- preloaded module(s).
- <verb>
- Example:
- loadable_modules @DEFAULT_PREFIX@/lib/MinimalAdapter.so
- </verb>
-
- <tag>log_icap aclname [aclname ...]</tag>
- <verb>
- This options allows you to control which requests get logged
- to icap.log. See the icap_log directive for ICAP log details.
- </verb>
-
- <tag>log_uses_indirect_client</tag>
- <p>Whether to use any result found by follow_x_forwarded_for in access.log.
- Default: ON
- <verb>
- Controls whether the indirect client address
- (see follow_x_forwarded_for) is used instead of the
- direct client address in the access log.
- </verb>
-
- <tag>max_filedescriptors</tag>
- <p>Ported from 2.7.
-
- <tag>netdb_filename</tag>
- <verb>
- A filename where Squid stores it's netdb state between restarts.
- To disable, enter "none".
- </verb>
-
- <tag>pinger_enable</tag>
- <p>New option to enable/disable the ICMP pinger helper with a reconfigure instead of a full rebuild.
- <verb>
- Control whether the pinger is active at run-time.
- Enables turning ICMP pinger on and off with a simple squid -k reconfigure.
- default is off when --enable-icmp is compiled in.
- </verb>
-
- <tag>qos_flows local-hit= sibling-hit= parent-hit=</tag>
- <verb>
- Allows you to select a TOS/DSCP value to mark outgoing
- connections with, based on where the reply was sourced.
-
- TOS values really only have local significance - so you should
- know what you're specifying. For more information, see RFC2474,
- RFC2475, and RFC3260.
-
- The TOS/DSCP byte must be exactly that - octet value 0x00-0xFF.
- Note that in practice often only multiples of 4 is usable as the
- two rightmost bits have been redefined for use by ECN (RFC 3168
- section 23.1).
-
- Note that in practice often only values up to 0xFC are usable,
- and only in multiple of 4, as the two rightmost bits have been
- redefined for use by ECN (RFC3168).
-
- This setting is configured by setting the source TOS values:
-
- local-hit=0xFF Value to mark local cache hits.
-
- sibling-hit=0xFF Value to mark hits from sibling peers.
-
- parent-hit=0xFF Value to mark hits from parent peers.
-
-
- NOTE: 'miss' preserve feature is only possible on Linux at this time.
-
- For the following to work correctly, you will need to patch your
- linux kernel with the TOS preserving ZPH patch.
- The kernel patch can be downloaded from http://zph.bratcheda.org
-
- disable-preserve-miss
- If set, any HTTP response towards clients will
- have the TOS value of the response comming from the
- remote server masked with the value of miss-mask.
- miss-mask=0xFF
- Allows you to mask certain bits in the TOS received from the
- remote server, before copying the value to the TOS sent
- towards clients.
- Default: 0xFF (TOS from server is not changed).
- </verb>
-
- <tag>reply_header_replace</tag>
- <p>This option allows you to change the contents of reply headers.
- <verb>
- In Squid 2 header_replace (now deprecated) worked for both requests
- and replies, while in Squid 3 it only did respect request headers.
- This option brings back the functionality to replace the contents of
- reply headers. Consult the documentation for usage details.
- </verb>
-
- <tag>request_header_replace</tag>
- <p>This option allows you to change the contents of request headers.
- <verb>
- To be consistent with the naming changes of header_access in Squid 3
- (header_access has been split into two options request_header_access
- and reply_header_access), header_replace (now deprecated) is being
- replaced by request_header_replace.
- </verb>
-
- <tag>ssl_bump</tag>
- <p>New Access control for which CONNECT requests to an http_port
- marked with an ssl-bump flag are actually "bumped". Please
- see the ssl-bump flag of an http_port option for more details
- about decoding proxied SSL connections.
- DEFAULT: No requests are bumped.
- <verb>
-NOCOMMENT_START
-# Example: Bump all requests except those originating from localhost and
-# those going to webax.com or example.com sites.
-#
-# acl broken_sites dstdomain .webax.com
-# acl broken_sites dstdomain .example.com
-# ssl_bump deny localhost
-# ssl_bump deny broken_sites
-# ssl_bump allow all
- </verb>
-
- <tag>sslcrtd_program</tag>
- <p>Specify the location and options of the executable for ssl_crtd process.
-
- <tag>sslcrtd_children</tag>
- <p> Configures the number of sslcrtd processes to spawn
-
- <tag>sslproxy_cert_error</tag>
- <p>New Access Control to selectively bypass server certificate validation errors.
- DEFAULT: None bypassed.
- <verb>
- For example, the following lines will bypass all validation errors
- when talking to servers located at 172.16.0.0/16. All other
- validation errors will result in ERR_SECURE_CONNECT_FAIL error.
-
- acl BrokenServersAtTrustedIP dst 172.16.0.0/16
- sslproxy_cert_error allow BrokenServersAtTrustedIP
- sslproxy_cert_error deny all
-
- This option must use fast ACL expressions only. Expressions that use
- external lookups or communication result in unpredictable behavior or
- crashes.
-
- Without this option, all server certificate validation errors
- terminate the transaction. Bypassing validation errors is dangerous
- because an error usually implies that the server cannot be trusted and
- the connection may be insecure.
- </verb>
-
-
-</descrip>
-
-<sect1>Changes to existing tags<label id="modifiedtags">
-<p>
-<descrip>
- <tag>acl</tag>
- <p>New preset <em>ipv6</em> available in the src and dst ACL matching all of the public IPv6 network space.
- <p>New preset <em>ipv4</em> available in the src and dst ACL matching all of IPv4 network space.
- <p>New acl type myportname, matching the name of the http_port or https_port where the request was accepted.
- <p>New acl type tag, matching the tag= returned from the external_acl_type helper.
- <p>New acl type peername, matching against a named cache_peer entry where the request will be attempted first.
- NP: peername currently is limited to only match the first peer possible.
- <verb>
- acl aclname dst ipv6 # request for IPv6-enabled site
- acl aclname src ipv6 # request from IPv6 address
- acl aclname dst ipv4 # request for IPv4 site
- acl aclname src ipv4 # request from IPv4 address
- acl aclname myportname 3128 ... # http(s)_port name
- acl aclname peername myPeer ... # cache_peer ... name=myPeer
- acl aclname tag value ... # tag= option from external ACL
- </verb>
-
- <tag>auth_param ntlm, basic, digest</tag>
- <p>BASIC, DIGEST: New parameter option <em>utf8 on|off</em> to permit helpers to selectively process UTF-8 characters even though
- HTTP accepts only ISO-8859-1.</p>
- <p>NCSA authenticator updated in 3.1.15 to alert if passwords with more than 8 characters are used with DES encryption method.
- <p>NTLM: The helper binary bundled with Squid under the name <em>ntlm_auth</em> has been renamed to accurately reflect
- its real behavior and to prevent confusion with the more useful Samba helper using the same name.
- <p>Despite being used for NTLM, the helper does not in fact provide true NTLM function. What it does provide is
- SMB LanManager authentication through the NTLM interface without the need for a domain controller. Thus the
- new name is <em>ntlm_smb_lm_auth</em>.
- <p>WARNING: due to the name clash with Samba helper, admin should be careful to only update their squid.conf if the
- Squid bundled binary is used and needed. If the Samba helper is in use, the squid.conf should not be altered.
-
- <tag>balance_on_multiple_ip</tag>
- <p>The previous default behavour (rotate per-request) of this setting causes failover clashes with IPv6 built-in mechanisms.
- It has thus been turned off by default. Making the 'best choice' IP continue in use for any hostname until it encounters a connection failure and failover drops to the next known IP.
- <verb>
- Modern IP resolvers in Squid sort lookup results by preferred access.
- By default Squid will use these IP in order and only rotates to
- the next listed when the most preffered fails.
-
- Some load balancing servers based on round robin DNS have been
- found not to preserve user session state across requests
- to different IP addresses.
-
- Enabling this directive Squid rotates IP's per request.
- </verb>
-
- <tag>cache</tag>
- <p>Removed the 'QUERY' acl and 'cache deny QUERY' entries.
- Replaced by new refresh_pattern instead.
-
- <tag>cache_dir</tag>
- <p>Default changed to 256MB in-memory cache.
- see cache_mem and maximum_object_size_in_memory for size parameters.
- <p>'null' storage type dropped. In-memory cache is always present. Remove all cache_dir options to prevent on-disk caching.
-
- <tag>cache_mem</tag>
- <p>Default size increased to 256MB.
-
- <tag>cache_peer htcp-no-clr htcp-no-purge-clr htcp-only-clr htcp-forward-clr connection-auth[=on|off|auto] connect-fail-limit=N multicast-siblings no-tproxy</tag>
- <p>New Options.
- <verb>
- use 'htcp-no-clr' to send HTCP to the neighbor but without
- sending any CLR requests. This cannot be used with
- htcp-only-clr.
-
- use 'htcp-no-purge-clr' to send HTCP to the neighbor
- including CLRs but only when they do not result from
- PURGE requests.
-
- use 'htcp-only-clr' to send HTCP to the neighbor but ONLY
- CLR requests. This cannot be used with htcp-no-clr.
-
- use 'htcp-forward-clr' to forward any HTCP CLR requests
- this proxy receives to the peer.
-
- use 'connection-auth=off' to tell Squid that this peer does
- not support Microsoft connection oriented authentication,
- and any such challenges received from there should be
- ignored. Default is 'auto' to automatically determine the
- status of the peer.
-
- use 'connect-fail-limit=nn' to specify how many times
- connecting to a peer must fail before it is marked as
- down. Default is 10.
-
- use 'no-tproxy' to specify that requests passed to this peer
- are not to have the client IP spoofed. For use to prevent
- packet routing issues with a cluster of peers behind WCCPv2.
-
- multicast-siblings ported from 2.7
- </verb>
-
- <tag>cache_store_log</tag>
- <p>Default changed to OFF. Matching long-standing developer recommendations.
-
- <tag>debug_options rotate=</tag>
- <p>New parameter rotate=N to control number of cache.log rotations independent of other logs.
-
- <tag>deny_info</tag>
- <p>Support 307 status for redirecting CONNECT tunnels with HTTPS traffic.
-
- <tag>error_directory</tag>
- <p>Now an optional entry in squid.conf. If present it will force all visitors to receive the error pages
- contained in the directory it points at. If absent, error page localization will be given a chance.
- <verb>
- If you wish to create your own versions of the default
- error files to customize them to suit your company COPY
- the error/template files to another directory and point
- this tag at them.
-
- WARNING: This option will disable multi-language support
- on error pages if used.
- </verb>
-
- <tag>external_acl_type</tag>
- <p>New options 'ipv4' and 'ipv6' are added to set the IPv4/v6 protocol between Squid and its helpers.
- Please be aware of some limits to these options. These options only affect the transport protocol used
- to send data to and from the helpers. Squid in IPv6-mode may still send %SRC addresses in IPv4 or IPv6
- format, so all helpers will need to be checked and converted to cope with such information cleanly.
- <verb>
- ipv4 / ipv6 IP protocol used to communicate with this helper.
- The default is to auto-detect IPv6 and use it when available.
- </verb>
- <p>New header input format specifiers. To seperate Request and Reply headers when both passed back.
- <verb>
- %>{Header} HTTP request header
- %>{Hdr:member} HTTP request header list member
- %>{Hdr:;member} HTTP request header list member using ; as
- list separator. ; can be any non-alphanumeric
- character.
-
- %<{Header} HTTP reply header
- %<{Hdr:member} HTTP reply header list member
- %<{Hdr:;member} HTTP reply header list member using ; as
- list separator. ; can be any non-alphanumeric
- character.
- %% The percent symbol (available from 3.1.17)
- </verb>
-
- <tag>forwarded_for</tag>
- <p>New setting options. transparent, truncate, delete.
- <verb>
- If set to "transparent", Squid will not alter the
- X-Forwarded-For header in any way.
-
- If set to "delete", Squid will delete the entire
- X-Forwarded-For header.
-
- If set to "truncate", Squid will remove all existing
- X-Forwarded-For entries, and place the client IP as the sole entry.
- </verb>
-
- <tag>header_replace</tag>
- <p>Deprecated. Use request_header_replace or reply_header_replace instead.
-
- <tag>hierarchy_stoplist</tag>
- <p>Default value altered to no content, allowing dynamic websites to be fetched through peers.
-
- <tag>http_port transparent intercept ssl-bump connection-auth[=on|off] ignore-cc</tag>
- <p>Option 'transparent' is being deprecated in favour of 'intercept' which more clearly identifies what the option does.
- For now option 'tproxy' remains with old behaviour meaning fully-invisible proxy using TPROXY support.</p>
- <p>New port options
- <verb>
- intercept Rename of old 'transparent' option to indicate proper functionality.
-
- allow-direct Allow direct forwarding in accelerator mode. Normally
- accelerated requests are denied direct forwarding as if
- never_direct was used.
-
- connection-auth[=on|off]
- use connection-auth=off to tell Squid to prevent
- forwarding Microsoft connection oriented authentication
- (NTLM, Negotiate and Kerberos)
-
- keepalive[=idle,interval,timeout]
- Enable TCP keepalive probes of idle connections
- idle is the initial time before TCP starts probing
- the connection, interval how often to probe, and
- timeout the time before giving up.
-
- ignore-cc Ignore request Cache-Control headers.
-
- Warning: This option violates HTTP specifications if
- used in non-accelerator setups.
-
- ssl-bump Intercept each CONNECT request matching ssl_bump ACL,
- establish secure connection with the client and with
- the server, decrypt HTTP messages as they pass through
- Squid, and treat them as unencrypted HTTP messages,
- becoming the man-in-the-middle.
-
- When this option is enabled, additional options become
- available to specify SSL-related properties of the
- client-side connection: cert, key, version, cipher,
- options, clientca, cafile, capath, crlfile, dhparams,
- sslflags, and sslcontext. See the https_port directive
- for more information on these options.
-
- The ssl_bump option is required to fully enable
- the SSL Bump feature.
- </verb>
-
- <tag>https_port intercept ssl-bump connection-auth[=on|off]</tag>
- <p>New port options. see http_port.
-
- <tag>icap_service bypass=on|off|1|0 routing=on|off|1|0 ipv6=on|off</tag>
- <p>New options 'bypass=', 'routing=' and 'ipv6='.
- <verb>
- bypass=on|off|1|0
- If set to 'on' or '1', the ICAP service is treated as
- optional. If the service cannot be reached or malfunctions,
- Squid will try to ignore any errors and process the message as
- if the service was not enabled. No all ICAP errors can be
- bypassed. If set to 0, the ICAP service is treated as
- essential and all ICAP errors will result in an error page
- returned to the HTTP client.
-
- Bypass is off by default: services are treated as essential.
-
- routing=on|off|1|0
- If set to 'on' or '1', the ICAP service is allowed to
- dynamically change the current message adaptation plan by
- returning a chain of services to be used next. The services
- are specified using the X-Next-Services ICAP response header
- value, formatted as a comma-separated list of service names.
- Each named service should be configured in squid.conf and
- should have the same method and vectoring point as the current
- ICAP transaction. Services violating these rules are ignored.
- An empty X-Next-Services value results in an empty plan which
- ends the current adaptation.
-
- Routing is not allowed by default: the ICAP X-Next-Services
- response header is ignored.
-
- ipv6=on|off
- Only has effect on split-stack systems. The default on those systems
- is to use IPv4-only connections. When set to 'on' this option will
- make Squid use IPv6-only connections to contact this ICAP service.
- </verb>
-
- <tag>logfile_rotate</tag>
- <p>No longer controls cache.log rotation. Use debug_options rotate=N instead.
-
- <tag>logformat</tag>
- <p>New log format tag sets %icap::* %adapt::* for adaptation information.
- <p>%Hs tag deprecated and replaced by request/reply specific >Hs and <Hs
- <p>New <em>%<la</em> Local IP address of the last server or peer connection. Ported from 2.7 where it is called <em>%oa</em>.
- <p>New <em>%<lp</em> Local port number of the last server or peer connection.
- <p>New <em>%>ha</em> to log HTTP request headers after adaptation and redirection.
- <p>HTTP request/reply format tags may now be optionally prefixed with http::.
- Old forms will be deprecated in some as yet undecided future release.
- <verb>
- dt Total time spent making DNS lookups (milliseconds)
-
- [http::]>ha The HTTP request headers after adaptation and redirection.
- [http::]>Hs HTTP status code sent to the client
- [http::]<Hs HTTP status code received from the next hop
- [http::]>sh Received HTTP request headers size
- [http::]<sh Sent HTTP reply headers size
- [http::]<pt Peer response time in milliseconds. The timer starts
- when the last request byte is sent to the next hop
- and stops when the last response byte is received.
- [http::]<tt Total server-side time in milliseconds. The timer
- starts with the first connect request (or write I/O)
- sent to the first selected peer. The timer stops
- with the last I/O with the last peer.
-
- If ICAP is enabled, the following two codes become available (as
- well as ICAP log codes documented with the icap_log option):
-
- icap::tt Total ICAP processing time for the HTTP
- transaction. The timer ticks when ICAP
- ACLs are checked and when ICAP
- transaction is in progress.
-
- icap::<last_h The header of the last ICAP response
- related to the HTTP transaction. Like
- <h, accepts an optional header name
- argument. Will not change semantics
- when multiple ICAP transactions per HTTP
- transaction are supported.
-
- If adaptation is enabled the following two codes become available:
-
- adapt::sum_trs Summed adaptation transaction response
- times recorded as a comma-separated list in
- the order of transaction start time. Each time
- value is recorded as an integer number,
- representing response time of one or more
- adaptation (ICAP or eCAP) transaction in
- milliseconds. When a failed transaction is
- being retried or repeated, its time is not
- logged individually but added to the
- replacement (next) transaction.
-
- adapt::all_trs All adaptation transaction response times.
- Same as adaptation_strs but response times of
- individual transactions are never added
- together. Instead, all transaction response
- times are recorded individually.
-
- You can prefix adapt::*_trs format codes with adaptation
- service name in curly braces to record response time(s) specific
- to that service. For example: %{my_service}adapt::sum_trs
- </verb>
-
- <tag>maximum_object_size_in_memory</tag>
- <p>Default size limit increased to 512KB.
-
- <tag>memory_pools_limit</tag>
- <p>Memory limits have been revised and corrected from 3.1.4 onwards.
- <p>Please check and update your squid.conf to use the text <em>none</em> for no limit instead of the old 0 (zero).
- <p>All users upgrading need to be aware that from Squid-3.3 setting this option to 0 (zero) will mean zero bytes of memory get pooled.
-
- <tag>negative_ttl</tag>
- <p>New default of 0 seconds. To prevent negative-caching of failure messages unless explicitly
- permitted by the message generating web server.
- <p>Changing this is an RFC 2616 violation and now requires --enable-http-violations
-
- <tag>refresh_pattern</tag>
- <p>New option 'ignore-must-revalidate'.
- <verb>
- ignore-must-revalidate ignores any ``Cache-Control: must-revalidate``
- headers received from a server. Doing this VIOLATES
- the HTTP standard. Enabling this feature could make you
- liable for problems which it causes.
- </verb>
- <p>New set of basic patterns. These should always be listed after any custom patterns.
- They ensure RFC compliance with certain protocol and request handling in the absence
- of accurate Cache-Control: and Expires: information.
- <verb>
-refresh_pattern ^ftp: 1440 20% 10080
-refresh_pattern ^gopher: 1440 0% 1440
-refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
-refresh_pattern . 0 20% 4320
- </verb>
-
- <tag>reply_header_max_size</tag>
- <p>Default limit increased to 64KB for RFC 2616 compliance.
-
- <tag>request_header_max_size</tag>
- <p>Default limit increased to 64KB for RFC 2616 compliance.
-
- <tag>tcp_outgoing_address</tag>
- <p>This option causes some problems when bridging IPv4 and IPv6. A workaround has been provided.
- <verb>
- Squid is built with a capability of bridging the IPv4 and IPv6 internets.
- tcp_outgoing_address as previously used breaks this bridging by forcing
- all outbound traffic through a certain IPv4 which may be on the wrong
- side of the IPv4/IPv6 boundary.
-
- To operate with tcp_outgoing_address and keep the bridging benefits
- an additional ACL needs to be used which ensures the IPv6-bound traffic
- is never forced or permitted out the IPv4 interface.
-
- acl to_ipv6 dst ipv6
- http_access allow to_ipv6 !all
-
- tcp_outgoing_address 2002::c001 good_service_net to_ipv6
- tcp_outgoing_address 10.0.0.2 good_service_net !to_ipv6
-
- tcp_outgoing_address 2002::beef normal_service_net to_ipv6
- tcp_outgoing_address 10.0.0.1 normal_service_net !to_ipv6
-
- tcp_outgoing_address 2002::1 to_ipv6
- tcp_outgoing_address 10.0.0.3 !to_ipv6
- </verb>
-
- <tag>wccp2_assignment_method hash mask</tag>
- <p>Method names now accepted. Replacing the old magic numbers.
- '1' becomes 'hash' and '2' becomes 'mask'
-
- <tag>wccp2_forwarding_method gre l2</tag>
- <p>Method names now accepted. Replacing the old magic numbers.
- '1' becomes 'gre' and '2' becomes 'l2'
-
- <tag>wccp2_return_method gre l2</tag>
- <p>Method names now accepted. Replacing the old magic numbers.
- '1' becomes 'gre' and '2' becomes 'l2'
-
-</descrip>
-
-
-<sect1>Removed tags<label id="removedtags">
-<p>
-<descrip>
-
- <tag>dns_testnames</tag>
- <p>Obsolete. This feature is no longer relevant to modern networks and was causing boot problems.
- The -D command line option used previously to suppress these tests is also obsolete.
-
- <tag>extension_methods</tag>
- <p>Obsolete. All possible methods are now accepted and handled properly.</p>
-
- <tag>icap_class</tag>
- <p>Replaced by adaptation_service_set.</p>
-
- <tag>icap_access</tag>
- <p>Replaced by adaptation_access.</p>
-
-</descrip>
-
-
-<sect>Changes to ./configure options since Squid-3.0
-<p>
-There have been some changes to Squid's build configuration since Squid-3.0.
-
-This section gives an account of those changes in three categories:
-
-<itemize>
- <item><ref id="newoptions" name="New options">
- <item><ref id="modifiedoptions" name="Changes to existing options">
- <item><ref id="removedoptions" name="Removed options">
-</itemize>
-
-
-<sect1>New options<label id="newoptions">
-<p>
-<descrip>
- <tag>--enable-ecap</tag>
- <p>Build with support for loadable content adaptation modules.
- Cannot be used with --disable-loadable-modules.
-
- <tag>--enable-follow-x-forwarded-for</tag>
- <p>Support following the X-Forwarded-For HTTP header for determining the
- original or indirect client when a request has been forwarded through other
- proxies.
-
- <tag>--enable-ssl-crtd</tag>
- <p>Prevent Squid from direct generation of SSL private key and
- certificate request and instead enables the <em>ssl_crtd</em> processes.
-
- <tag>--enable-zph-qos</tag>
- <p>Build with support for ZPH Quality of Service controls
-
- <tag>--disable-auto-locale</tag>
- <p>Disable error page localization for visitors.
- <p>error_directory option is required if this option is used.
-
- <tag>--disable-ipv6</tag>
- <p>Build without IPv6 support. The default is to auto-detect system capabilities
- and use IPv6 when possible.
-
- <tag>--disable-loadable-modules</tag>
- <p>Build without support for loadable modules.
-
- <tag>--disable-strict-error-checking</tag>
- <p>Build Squid without advanced compiler error checking (without the -Werror option).
- This only affects the building process, enabling it to complete despite some
- possibly serious issues.
- Please do not use lightly, and please report the build issues which make it needed
- to the Squid developers before doing so.
-
- <tag>--disable-translation</tag>
- <p>Prevent Squid generating localized error page templates and manuals when built.
- Which is usually tried, but may not be needed.
- <p>This is an optimization for building fast when localization is not needed
- or localization tools are not available.
- <p>A copy of the latest translated files can instead be downloaded from
-<url url="http://www.squid-cache.org/Versions/langpack/" name="http://www.squid-cache.org/Versions/langpack/">
-
- <tag>--with-logdir=PATH</tag>
- <p>Allow build-time configuration of Default location for Squid logs.
-
- <tag>--with-pidfile=PATH</tag>
- <p>Allow build-time configuration of Default location and name of squid.pid file.
-
- <tag>--with-po2html=PATH</tag>
- <p>Absolute path to po2html executable.
- Default is to automatically detect the binary.
-
- <tag>--without-libcap</tag>
- <p>Build without libcap support. The default is to auto-detect system capabilities
- and enable support when possible.
- <p>NOTE: Disabling this or building without libcap support will break TPROXY support.
-
-</descrip>
-
-<sect1>Changes to existing options<label id="modifiedoptions">
-<p>
-<descrip>
- <tag>--enable-shared[=PKGS]</tag>
- <p>Default changed to yes.
-
- <tag>--enable-linux-netfilter</tag>
- <p>This option now enables support for all three netfilter interception targets.
- <p>Adding TPROXY version 4+ support to Squid through the netfilter TPROXY target.
- This options requires a linux kernel 2.6.25 or later for embeded netfilter TPROXY targets.
- <p>Older REDIRECT and DNAT targets work as before on HTTP ports marked 'intercept'.
-
- <tag>--enable-linux-tproxy</tag>
- <p>Deprecated. Remains only to support old TPROXY version 2.2 installations.
- Scheduled for complete removal in Squid 3.2
-
- <tag>--enable-ntlm-auth-helpers</tag>
- <p>Helper previously built by <em>SMB</em> is now built by <em>smb_lm</em>.
- It also has a new squid.conf name for usage, see <em>auth_param</em> above for details.
-
- <tag>--disable-internl-dns</tag>
- <p>Better support for Linux using the external DNS helper.
- The helper will now compile and work with dns_nameservers on more variants of Linux than previously.
- It is still deprecated however and use of this option should be avoided as much as possible.
-
- <tag>--with-aio</tag>
- <p>Deprecated. POSIX AIO is now auto-detected and enabled.
- Use --without-aio to disable, but only if you really have to.
-
- <tag>--with-pthreads</tag>
- <p>Deprecated. pthreads library is now auto-detected and enabled.
- Use --without-pthreads to disable, but only if you really have to.
-
-</descrip>
-</p>
-
-<sect1>Removed options<label id="removedoptions">
-<p>
-<descrip>
- <tag>--enable-default-err-language</tag>
- <p>Replaced by error_default_language squid.conf option
-
- <tag>--enable-err-languages</tag>
- <p>Removed. All languages used now for error page localization.
-
- <tag>--disable-carp</tag>
- <p>Removed. CARP is required by several peering algoithms. Disabling is not useful.
-
- <tag>--disable-mempools</tag>
- <p>Replaced by memory_pools squid.conf option.
-</descrip>
-
-
-<sect>Options Removed since Squid-2
-
-<p>Some squid.conf and ./configure options which were available in Squid-2.6 and Squid-2.7 are made obsolete in Squid-3.1.
-
-<sect1>Removed squid.conf options since Squid-2.7
-<p>
-<descrip>
- <tag>auth_param</tag>
- <p><em>blankpassword</em> option for basic scheme removed.
-
- <tag>cache_peer</tag>
- <p><em>http11</em> Obsolete.
-
- <tag>external_acl_type</tag>
- <p>Format tag <em>%{Header}</em> replaced by <em>%>{Header}</em>
- <p>Format tag <em>%{Header:member}</em> replaced by <em>%>{Header:member}</em>
-
- <tag>header_access</tag>
- <p>Replaced by <em>request_header_access</em> and <em>reply_header_access</em>
-
- <tag>http_access2</tag>
- <p>Replaced by <em>adapted_http_access</em>
-
- <tag>http_port</tag>
- <p><em>no-connection-auth</em> replaced by <em>connection-auth=[on|off]</em>. Default is ON.
- <p><em>transparent</em> option replaced by <em>intercept</em>
-
- <tag>httpd_accel_no_pmtu_disc</tag>
- <p>Replaced by <em>http_port disable-pmtu-discovery=</em> option
-
- <tag>incoming_rate</tag>
- <p>Obsolete.
-
- <tag>logformat</tag>
- <p><em>%oa</em> tag replaced by <em>%<la</em>
-
- <tag>redirector_bypass</tag>
- <p>Replaced by <em>url_rewrite_bypass</em>
-
- <tag>server_http11</tag>
- <p>Obsolete.
-
- <tag>upgrade_http0.9</tag>
- <p>Obsolete. ICY protocol streaming support added natively.
-
- <tag>zph_local</tag>
- <p>Replaced by <em>qos_flows local-hit=</em>
-
- <tag>zph_mode</tag>
- <p>Obsolete.
-
- <tag>zph_option</tag>
- <p>Obsolete.
-
- <tag>zph_parent</tag>
- <p>Replaced by <em>qos_flows parent-hit=</em>
-
- <tag>zph_sibling</tag>
- <p>Replaced by <em>qos_flows sibling-hit=</em>
-
-</descrip>
-
-<sect1>Removed squid.conf options since Squid-2.6
-<p>
-<descrip>
- <tag>cache_dir</tag>
- <p><em>read-only</em> option replaced by <em>no-store</em>.
-
-</descrip>
-
-<sect1>Removed ./configure options since Squid-2.7
-<p>
-<descrip>
- <tag>--enable-coss-aio-ops</tag>
- <p>Obsolete.
-
- <tag>--enable-devpoll</tag>
- <p>Replaced by automatic detection.
-
- <tag>--enable-dlmalloc=LIB</tag>
- <p>Obsolete.
-
- <tag>--enable-epoll</tag>
- <p>Replaced by automatic detection.
-
- <tag>--enable-forward-log</tag>
- <p>Obsolete.
-
- <tag>--enable-heap-replacement</tag>
- <p>Obsolete.
-
- <tag>--enable-htcp</tag>
- <p>Obsolete. Enabled by default.
-
- <tag>--enable-large-cache-files</tag>
- <p>Obsolete.
-
- <tag>--enable-mempool-debug</tag>
- <p>Obsolete.
-
- <tag>--enable-multicast-miss</tag>
- <p>Obsolete.
-
- <tag>--enable-poll</tag>
- <p>Replaced by automatic detection.
-
- <tag>--enable-select</tag>
- <p>Replaced by automatic detection.
-
- <tag>--enable-select-simple</tag>
- <p>Replaced by automatic detection.
-
- <tag>--enable-snmp</tag>
- <p>Obsolete. Enabled by default.
-
- <tag>--enable-truncate</tag>
- <p>Obsolete.
-
- <tag>--disable-kqueue</tag>
- <p>Obsolete. Disabled by default.
-
-</descrip>
-
-
-<sect>Regressions since Squid-2.7
-
-<p>Some squid.conf and ./configure options which were available in Squid-2.7 are not yet available in Squid-3.1
-
-<p>If you need something to do then porting one of these from Squid-2 to Squid-3 is most welcome.
-
-<sect1>Missing squid.conf options available in Squid-2.7
-<p>
-<descrip>
- <tag>acl</tag>
- <p><em>urllogin</em> option not yet ported from 2.6
- <p><em>urlgroup</em> option not yet ported from 2.6
-
- <tag>auth_param digest</tag>
- <p><em>concurrency</em> option not yet ported from Squid-2
-
- <tag>authenticate_ip_shortcircuit_access</tag>
- <p>Not yet ported from 2.7
-
- <tag>authenticate_ip_shortcircuit_ttl</tag>
- <p>Not yet ported from 2.7
-
- <tag>broken_vary_encoding</tag>
- <p>Not yet ported from 2.6
-
- <tag>cache_dir</tag>
- <p><em>min-size</em> option not yet ported from Squid-2
- <p><em>COSS</em> storage type is lacking stability fixes from 2.6
- <p>COSS <em>overwrite-percent=</em> option not yet ported from 2.6
- <p>COSS <em>max-stripe-waste=</em> option not yet ported from 2.6
- <p>COSS <em>membufs=</em> option not yet ported from 2.6
- <p>COSS <em>maxfullbufs=</em> option not yet ported from 2.6
-
- <tag>cache_peer</tag>
- <p><em>idle=</em> not yet ported from 2.7
- <p><em>monitorinterval=</em> not yet ported from 2.6
- <p><em>monitorsize=</em> not yet ported from 2.6
- <p><em>monitortimeout=</em> not yet ported from 2.6
- <p><em>monitorurl=</em> not yet ported from 2.6
-
- <tag>cache_vary</tag>
- <p>Not yet ported from 2.6
-
- <tag>collapsed_forwarding</tag>
- <p>Not yet ported from 2.6
-
- <tag>error_map</tag>
- <p>Not yet ported from 2.6
-
- <tag>external_acl_type</tag>
- <p><em>%ACL</em> format tag not yet ported from 2.6
- <p><em>%DATA</em> format tag not yet ported from 2.6
-
- <tag>external_refresh_check</tag>
- <p>Not yet ported from 2.7
-
- <tag>http_port</tag>
- <p><em>act-as-origin</em> not yet ported from 2.7
- <p><em>http11</em> not yet ported from 2.7
- <p><em>urlgroup=</em> not yet ported from 2.6
-
- <tag>ignore_ims_on_miss</tag>
- <p>Not yet ported from 2.7
-
- <tag>location_rewrite_access</tag>
- <p>Not yet ported from 2.6
-
- <tag>location_rewrite_children</tag>
- <p>Not yet ported from 2.6
-
- <tag>location_rewrite_concurrency</tag>
- <p>Not yet ported from 2.6
-
- <tag>location_rewrite_program</tag>
- <p>Not yet ported from 2.6
-
- <tag>logfile_daemon</tag>
- <p>Not yet ported from 2.7.
-
- <tag>logformat</tag>
- <p><em>%sn</em> tag not yet ported from 2.7
-
- <tag>max_stale</tag>
- <p>Not yet ported from 2.7
-
- <tag>refresh_pattern</tag>
- <p><em>stale-while-revalidate=</em> not yet ported from 2.7
- <p><em>ignore-stale-while-revalidate=</em> not yet ported from 2.7
- <p><em>max-stale=</em> not yet ported from 2.7
- <p><em>negative-ttl=</em> not yet ported from 2.7
-
- <tag>refresh_stale_hit</tag>
- <p>Not yet ported from 2.7
-
- <tag>storeurl_access</tag>
- <p>Not yet ported from 2.7
-
- <tag>storeurl_rewrite_children</tag>
- <p>Not yet ported from 2.7
-
- <tag>storeurl_rewrite_concurrency</tag>
- <p>Not yet ported from 2.7
-
- <tag>storeurl_rewrite_program</tag>
- <p>Not yet ported from 2.7
-
- <tag>update_headers</tag>
- <p>Not yet ported from 2.7
-
- <tag>zero_buffers</tag>
- <p>Not yet ported from 2.7
-
-</descrip>
-
-<sect1>Missing ./configure options available in Squid-2.7
-<p>
-<descrip>
- <tag>--without-system-md5</tag>
-
-</descrip>
-
-<sect>Copyright
-<p>
-Copyright (C) 1996-2023 The Squid Software Foundation and contributors
-<p>
-Squid software is distributed under GPLv2+ license and includes
-contributions from numerous individuals and organizations.
-Please see the COPYING and CONTRIBUTORS files for details.
-
-</article>
+++ /dev/null
-<!doctype linuxdoc system>
-<article>
-<title>Squid 3.2.14 release notes</title>
-<author>Squid Developers</author>
-
-<abstract>
-This document contains the release notes for version 3.2 of Squid.
-Squid is a WWW Cache application developed by the National Laboratory
-for Applied Network Research and members of the Web Caching community.
-</abstract>
-
-<toc>
-
-<sect>Notice
-<p>
-The Squid Team are pleased to announce the release of Squid-3.2.14.
-
-This new release is available for download from <url url="http://www.squid-cache.org/Versions/v3/3.2/"> or the
- <url url="http://www.squid-cache.org/Download/http-mirrors.html" name="mirrors">.
-
-<p>A large number of the show-stopper bugs have been fixed along with general improvements to the IPv6 support.
-While this release is not fully bug-free we believe it is ready for use in production on many systems.
-
-<p>We welcome feedback and bug reports. If you find a bug, please see <url url="https://wiki.squid-cache.org/SquidFaq/BugReporting"> for how to submit a
-report with a stack trace.
-
-<sect1>Known issues
-<p>
-Although this release is deemed good enough for use in many setups, please note the existence of
-<url url="https://bugs.squid-cache.org/buglist.cgi?query_format=advanced&product=Squid&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&version=3.2" name="open bugs against Squid-3.2">.
-
-<p>Some issues to note as currently known in this release which are not able to be fixed in the 3.2 series are:
-
-<itemize>
- <item>TCP logging of access.log does not recover from broken connections well.
- <item>SSL-Bump not re-wrapping decrypted traffic in CONNECT for peers.
- <item>Cache Manager reports in txt/plain format even when requested directly via browser.
-</itemize>
-
-<p>Currently known issues which only depends on available developer time and may still be resolved in a future 3.2 release are:
-
-<itemize>
- <item>SMP Support still has a number of important bugs needing to be resolved. see the bugs list above for details.
- <item>Windows support is still incomplete.
- <item>The lack of some features available in Squid-2.x series. See the regression sections below for full details.
-</itemize>
-
-
-<sect1>Changes since earlier releases of Squid-3.2
-<p>
-The 3.2 change history can be <url url="http://www.squid-cache.org/Versions/v3/3.2/changesets/" name="viewed here">.
-
-<sect>Major new features since Squid-3.1
-<p>Squid 3.2 represents a new feature release above 3.1.
-
-<p>The most important of these new features are:
-<itemize>
- <item>CVE-2009-0801 : NAT interception vulnerability to malicious clients.
- <item>NCSA helper DES algorithm password limits
- <item>SMP scalability
- <item>Helper Multiplexer and On-Demand
- <item>Helper Name Changes
- <item>Multi-Lingual manuals
- <item>Solaris 10 pthreads Support
- <item>Surrogate/1.0 protocol extensions to HTTP
- <item>Logging Infrastructure Updated
- <item>Client Bandwidth Limits
- <item>Better eCAP support
- <item>Cache Manager access changes
-</itemize>
-
-Most user-facing changes are reflected in squid.conf (see below).
-
-
-<sect1>CVE-2009-0801 : NAT interception vulnerability to malicious clients.
-<p>Details in Advisory <url url="http://www.squid-cache.org/Advisories/SQUID-2011_1.txt" name="SQUID-2011:1">
-
-<p>Squid locates the authority-URL details available in an HTTP request as
- defined by RFC 2616 and validates that all found representations are
- <em>textually</em> equivalent. In the case of intercepted traffic the
- client destination IP is also compared to the Host: authority domains
- DNS entries.
-
-<p>When the Host: authority contradicts another authority source Squid will log
- "SECURITY ALERT: Host: header forgery detected". The response will then be determined
- by the <url url="http://www.squid-cache.org/Doc/config/host_verify_strict/" name="host_verify_strict">
- directive. Squid will respond with 409 Conflict error response when strict validation
- fails and handles the request normally when strict validation succeeds or is OFF (default).
-
-<p>Relaying of messages which FAIL non-strict Host: validation are permitted through Squid but
- only to the original destination IP the client was requesting or to explicit peers. This means
- DNS lookups to locate alternative DIRECT destinations will not be done.
-
-<p>Known Issue: When non-strict validation fails Squid will relay the request, but can only do
- so safely to the original destination IP the client was contacting. The client original
- destination IP is lost when relaying to peers in a hierarchy. This means the upstream peers
- are still at risk of causing same-origin bypass CVE-2009-0801 vulnerability.
- Developer time is required to implement safe transit of these requests.
- Please contact squid-dev if you are able to assist or sponsor the development.
-
-
-<sect1>NCSA helper DES algorithm password limits
-<p>Details in Advisory <url url="http://www.squid-cache.org/Advisories/SQUID-2011_2.txt" name="SQUID-2011:2">
-
-<p>The DES algorithm used by the NCSA Basic authentication helper has an
- limit of 8 bytes but some implementations do not error when truncating
- longer passwords down to this unsafe level.
-
-<p>This both significantly lowers the threshold of difficulty decrypting
- captured password files and hides from users the fact that the extra bits
- of their chosen long password is not being utilized.
-
-<p>The NCSA helper bundled with Squid will prevent passwords longer than 8
- characters being sent to the DES algorithm. The MD5 hash algorithm which
- supports longer than 8 character passwords is also supported by this helper
- and should be used instead.
-
-
-<sect1>SMP scalability
-<p>The new "workers" squid.conf option can be used to launch multiple worker
- processes and utilize multiple CPU cores. The overall intent is to make
- multiple workers look like one to an outside observer, while providing
- knobs to customize each worker behavior if needed.
-
-<p>By default, all worker processes are configured identically and do what a
- single Squid instance would have done. Squid.conf macro substitutions and
- conditionals (see below) can be used to customize individual worker
- configurations. In the paragraphs below, "can share" implies "will share by
- default".
-
-<p>Workers can share HTTP, HTTPS, SNMP, ICP, and HTCP listening addresses.
- Configuration related to ICP and HTCP clients must be adjusted to avoid
- source address conflicts: Modify the IP address and/or the port used for
- the protocol. Workers do not share DNS addresses by default because the OS
- assigns each worker a unique DNS port.
-
-<p>Workers can share logs.
-
-<p>Workers can share caches. Memory cache is automatically shared when multiple
- workers are used. Cache_dir are shared when configured with the <em>rock</em>
- storage type. Cache_dir of other types must be adjusted to point each
- disk-caching worker to its own disk area. ICP and HTCP responses are based
- on the responding worker cache state.
-
-<p>Cache manager statistics are reported from a worker point of view, for now.
- Though some reports are combined. SNMP statistics are combined across all
- workers.
-
-<p>Startup, reconfiguration, shutdown, and log rotation are handled as for a
- monolithic Squid. Abnormally terminated workers are restarted while
- other workers continue serving traffic.
-
-<sect2>Squid.conf macros and conditionals
-<p>Added support for process_name and process_number macros as well as simple
- if-statement conditionals in squid.conf. These features allow individual
- worker customization in SMP mode. For details, search for "Conditional
- configuration" and "SMP-Related Macros" sections in squid.conf.documented.
-
-
-<sect1>Helper Multiplexer
-<p>The helper multiplexer's purpose is to relieve some of the burden
- Squid has when dealing with slow helpers. It does so by acting as a
- middleman between squid and the actual helpers, talking to Squid via
- the multiplexed concurrent variant of the helper protocol and to the
- helpers via the non-concurrent variant.
-
-<p>Helpers are started on demand, and in theory the muxer can handle up to
- 1k helpers per instance. It's up to squid to decide how many helpers
- to start.
-
-<p>The muxer knows nothing about the actual messages being passed around,
- and as such can't really (yet?) compensate for broken helpers.
- It is not yet able to manage dying helpers, but it will.
-
-<p>To configure the multiplexer add its binary name (usually /usr/share/libexec/helper-mux.pl)
- in front of the name of whichever helper is being multiplexed. It takes the helper binary
- path and parameters as its own command parameters. The <em>concurrency</em> setting already
- existing in Squid is used to configure how many child helpers it may run.
-
-<p>For example, a traditional configuration is
- <verb>
- url_rewrite_program /your/redirector.sh
- url_rewrite_children 5
- </verb>
- the alternative multiplexer configuration is:
- <verb>
- url_rewrite_program /usr/share/libexec/helper-mux.pl /your/redirector.sh
- url_rewrite_children 1 concurrency=5
- </verb>
-
-<p>Helpers which are already concurrent protocol enabled gain little benefit from the multiplexer
- on most systems. However on some systems where Squid spawning helpers causes excess memory usage
- the reduction in direct helper spawned by Squid can result in a great reduction in resource use.
-
-<p>The helper can be controlled using various signals:
- <itemize>
- <item>SIGHUP: dump the state of all helpers to STDERR
- </itemize>
-
-
-<sect1>Helpers On-Demand
-<p>Traditionally Squid has been configured with a fixed number of helpers and started them during
- it's start and reconfigure phases. This forces the hard configuration problem of how many helpers
- will be needed to be solved before starting Squid in production use.
-
-<p>The on-demand helpers feature allows greater flexibility and resolves this problem by allowing
- maximum, initial and idle thresholds to be configured. Squid will start the initial set during
- start and reconfigure phases. However over the operational use new helpers up to the maxium will
- be started as load demands. The idle threshold determines how many more helpers to start if the
- currently running set is not enough to handle current request loads.
-
-<p>For example, a traditional configuration is
- <verb>
- auth_param ntlm /usr/libexec/squid/ntlm_auth
- auth_param ntlm children 200
- </verb>
- the alternative on-demand configuration could be:
- <verb>
- auth_param ntlm /usr/libexec/squid/ntlm_auth
- auth_param ntlm children 200 startup=10 idle=2
- </verb>
-
-<p>The example still permits up to 200 helpers to be running at once under peak traffic loads.
- But only starts 10 when Squid is initialized resulting in a faster boot up.
- When client requests threaten to overload the running helpers an additional 2 will be started.
-
-<p>NOTE: if no <em>startup</em> and <em>idle</em> values are specified the traditional behaviour
- of starting the maximum number of helpers will occur.
-
-
-<sect1>Helper Name Changes
-<p>To improve the understanding of what each helper does and where it should be used the helper binaries
- which are bundled with Squid have undergone a naming change in this release.
-
-<p>Below is a list of the old helper names and what their names have changed to.
- For several helpers the directory name used in --enable-X-helpers configure option has also changed.
-
-<sect2>Basic Authentication protocol helpers
-<p><itemize>
- <item>squid_db_auth - basic_db_auth - Retrieve authentication details from a simple SQL database table.
- <item>getpwnam_auth - basic_getpwname_auth - Authenticate with local system user accounts.
- <item>squid_ldap_auth - basic_ldap_auth - Authenticate with LDAP user accounts.
- <item>MSNT-multi-domain - basic_msnt_multi_domain_auth - Authenticate with any one of multiple Windows Domain Controllers.
- <item>msnt_auth - basic_msnt_auth - Authenticate with Windows Domain Controllers selected by username.
- <item>ncsa_auth - basic_ncsa_auth - Authenticate with NCSA httpd-style password file.
- <item>yp_auth - basic_nis_auth - Authenticate with NIS security system.
- <item>pam_auth - basic_pam_auth - Authenticate with the system PAM infrastructure.
- <item>pop3.pl - basic_pop3_auth - Authenticate with a mail server POP3/SMTP credentials.
- <item>squid_radius_auth - basic_radius_auth - Authenticate with RADIUS.
- <item>squid_sasl_auth - basic_sasl_auth - Authenticate with SASL.
- <item>smb_auth - basic_smb_auth - Authenticate with Samba SMB.
- <item>mswin_sspi - basic_sspi_auth - Authenticate with a Windows Domain Controller using SSPI.
-</itemize>
-
-<sect2>Digest Authentication protocol helpers
-<p><itemize>
- <item>digest_pw_auth - digest_file_auth - Authenticate against credentials stored in a simple text file.
-</itemize>
-
-<sect2>External ACL helpers
-<p><itemize>
- <item>mswin_check_ad_group - ext_ad_group_acl - Check logged in users Group membership using Active Directory.
- <item>ip_user_check - ext_file_userip_acl - Restrict users to certain IP addresses, using a text file backend.
- <item>squid_kerb_ldap - ext_kerberos_ldap_group_acl - Check logged in Kerberos or NTLM users Group membership using LDAP.
- <item>squid_ldap_group - ext_ldap_group_acl - Check logged in users Group membership using LDAP.
- <item>mswin_check_lm_group - ext_lm_group_acl - Check logged in users Group membership using LanManager.
- <item>squid_session - ext_session_acl - Maintain a session cache of client identifiers (usually IP address).
- This helper has also gone through a version update and now uses more current BerkeleyDB 4.1+ APIs.
- <item>squid_unix_group - ext_unix_group_acl - Check logged in users Group membership using local UNIX groups.
- <item>wbinfo_group.pl - ext_wbinfo_group_acl - Check logged in users Group membership using wbinfo.
-</itemize>
-
-<sect2>Negotiate Authentication protocol helpers
-<p><itemize>
- <item>squid_kerb_auth - negotiate_kerberos_auth - Authenticate with Kerberos servers.
- <item>mswin_sspi - negotiate_sspi_auth - Authenticate with a Windows Domain Controller using SSPI.
- <item>negotiate_wrapper - negotiate_wrapper_auth - Split Negotiate traffic between Kerberos and NTLM helpers.
-</itemize>
-
-<sect2>NTLM Authentication protocol helpers
-<p><itemize>
- <item>no_check.pl - Deprecated. - Use the faster and less easily decrypted ntlm_fake_auth instead.
- <item>fakeauth_auth - ntlm_fake_auth - Perform NTLMSSP to recover the username but don't verify the password.
- <item>ntlm_auth - ntlm_smb_lm_auth - Perform SMB LanManager domain-less authentication over NTLM protocol.
- <item>mswin_ntlm_auth - ntlm_sspi_auth - Perform NTLMSSP authentication using Windows native Security Support Provider Interface API.
-</itemize>
-
-<sect2>URL re-write helpers
-<p>This group of helpers have been bundled to demonstrate how to code URL re-writers:
-<itemize>
- <item>url_fake_rewrite - Accept various url_rewrite details and log the input.
-</itemize>
-
-
-<sect1>Multi-Lingual manuals
-<p>The man(8) and man(1) pages bundled with Squid are now provided online for all
- versions and beginning with 3.2 they are available in languages other than English (where translated).
-
-<p>Details in <url url="https://wiki.squid-cache.org/Translations" name="The Squid wiki">
-
-<p>3.1 began the Internationalization of Squid with the public facing error pages.
- This move begins the Localization of the internal administrator facing manuals.
-
-
-<sect1>Solaris 10 pthreads Support (Experimental)
-<p>Automatic detection and use of the pthreads library available from Solaris 10
-
-<p>The result of this addition means that faster more efficient AUFS cache storage mechanism
- is now available in Solaris 10.
-
-<p>Support is experimental at this stage due to lack of feedback on the results of enabling it.
- We recommend giving AUFS a try for faster disk storage and encourage feedback.
-
-
-<sect1>Surrogate/1.0 protocol extensions to HTTP
-<p>The <em>Surrogate</em> extensions to HTTP protocol enable an origin web server to specify separate
- cache controls for a reverse proxy acting on its behalf. Previously this was closely tied with the ESI
- feature support in Squid. This release opens Surrogate support to all reverse proxies.
-
-<p>Reverse proxy requests sent on to the web server include the HTTP header <em>Surrogate-Capabilities:</em>
- specifying the capabilities of the reverse proxy along with an ID which can be used to target responses with
- a <em>Surrogate-Control:</em> HTTP header used instead of the <em>Cache-Control:</em> header.
-
-<p>The default surrogate ID is generated automatically from the Squid site-unique hostname as found by the
- automatic detection or manual configuration of <em>visible_hostname</em> although can be configured
- separately with the <em>httpd_accel_surrogate_id</em> option.
-
-<p><em>Security Considerations:</em> Websites should be careful of accepting any surrogate ID.
- Older releases of Squid leak the Surrogate-Control headers to external servers.
- This 3.2 series of Squid will now prevent this leakage of its own ID destined responses, however it is possible
- and for some uses desirable to receive external reverse-proxies <em>Surrogate-Capabilities:</em> headers.
-
-<p><em>NOTE:</em> Several operating system distributions historically package Squid with a forced value of
- <em>visible_hostname localhost</em>. If this is done on a Surrogate enabled install a manual re-configuration
- is required to prevent an unacceptable surrogate ID of 'localhost' being generated.
-
-
-<sect1>Logging Infrastructure Updated
-<p>The advanced logging modules introduced in Squid-2.7 are now available from Squid-3.2.
-
-<p>This feature is documented at https://wiki.squid-cache.org/Features/LogModules
-
-<p>The new infrastructure currently supports several different channels types (modules) ranging from
- direct filesystem logging (stdio, daemon) to network logging (syslog, UDP and TCP). The daemon logging
- interface allows for a custom helper to be written to process logs in real-time.
-
-<p>Upgrading: the <em>access_log</em> and <em>cache_store_log</em> were previously logged via what is
- now called the <em>stdio</em> module.
- This is still supported and used by default if no module is named. For best performance particularly in SMP
- environments we recommend the <em>daemon</em> be used. The provided <em>log_file_daemon</em> helper
- performs the traditional logging to local filesystem.
-
-<p>Additional to this the cache.log can now be limited to a smaller number of files stored.
- Traditionally cache.log.N has been fixed at the same number of rotated files as access.log.N through the
- <em>logfile_rotate</em> setting. The <em>debug_options</em> setting can now be used to configure the number
- of debug cache.log files to rotate through with a <em>rotate=N</em> option. This is particularly useful for
- logging a single cache.log at relatively high debug levels on a high-traffic system. Or one which is
- required to store a long period of access.log and needs to conserve disk space.
-
-<p>The <em>referer_log</em> and <em>useragent_log</em> directives have been converted to built-in log formats.
- These logs are now created using an <em>access_log</em> line with the format "referrer" or "useragent".
- They also now log all client requests, if there was no Referer or User-Agent header a dash (-) is logged.
-
-<p>Known Issue: The TCP logging module does not recover from broken connections well.
- At present it will restart the affected Squid instance if the TCP connection is broken.
-
-
-<sect1> Client Bandwidth Limits
-<p>In mobile environments, Squid may need to limit Squid-to-client bandwidth
- available to individual users, identified by their IP addresses. The IP
- address pool can be as large as a /10 IPv4 network (4 million unique IP
- addresses) and even larger in IPv6 environments. On the other hand, the code
- should support thousands of connections coming from a single IP (e.g.,
- a child proxy).
-
-<p>The implementation is based on storing bandwidth-related "bucket" information
- in the existing "client database" hash (client_db.cc). The old code already
- assigned each client IP a single ClientInfo object, which satisfies the
- client-side IP-based bandwidth pooling requirements. The old hash size is
- increased to support up to 32K concurrent clients if needed.
-
-<p>Client-side pools are configured similarly to server-side ones, but there is
- only one pool class. See client_delay_pools,
- client_delay_initial_bucket_level, client_delay_parameters, and
- client_delay_access in squid.conf. The client_delay_access matches the client
- with delay parameters. It does not pool clients from different IP addresses
- together.
-
-<p>Special care is taken to provide fair distribution of bandwidth among clients
- sharing the same bucket (i.e., clients coming from the same IP address).
- Multiple same-IP clients competing for bandwidth are queued using FIFO
- algorithm. If a bucket becomes empty, the first client among those sharing
- the bucket is delayed by 1 second before it can attempt to receive more
- response data from Squid. This delay may need to be lowered in
- high-bandwidth environments.
-
-
-<sect1>Better eCAP Suport
-<p>Support for libecap version 0.2.0 has been added with this series of Squid. Bringing
- better support for body handling, and logging.
-
-<p>Known Issue: Due to API changes in libecap this release of Squid will not build
- against any older libecap releases.
-
-
-<sect1>Cache Manager access changes
-<p>The Squid Cache Manager has previously only been accessible under the cache_object://
- URL scheme. Which has restricted its reporting to tools which can send arbitrary
- URI to the proxy.
-
-<p>This version of Squid now provides access through the http:// and https:// URL schemes
- allowing web browsers access without having to use the cachemgr.cgi gateway and enabling
- the use of HTTPS security were desired.
-
-<p>The cache manager is available under the path prefix /squid-internal-mgr/. For example
- the URL http://example/com/squid-internal-mgr/menu will bring up the manager menu. This
- means there are some configuration changes required to lock down manager access.
- The <em>manager</em> ACL needs changing. A built-in definition is now used, equivalent
- to the following regex pattern:
-<verb>
- ^(cache_object://|https?://[^/]+/squid-internal-mgr/)
-</verb>
-
-<p>The manager prefix /squid-internal-mgr/ with no action attempts to load an optional
- template MGR_INDEX which may be installed amongst in the Squid error templates.
- This template is not supplied with Squid but intended to be supplied by separate
- cache manager applications as their front page embedding all scripts, accessors or
- redirects required for their initial GUI display.
-
-<p>MGR_INDEX file
-<itemize>
- <item>should contain a complete HTML page, with optional client-side scripting.
- <item>must not contain server-side scripting.
- <item>will have macro substitution performed on it using the same macros as used by the error page templates.
-</itemize>
-
-<p>Version 3.2 of the CGI cache manager tool now presents XHR scripted probes to detect
- proxies presenting these manager index pagess and provides direct HTTP/HTTPS web links
- to those managers.
-
-
-<sect>Changes to squid.conf since Squid-3.1
-<p>
-There have been changes to Squid's configuration file since Squid-3.1.
-
-This section gives a thorough account of those changes in three categories:
-
-<itemize>
- <item><ref id="newtags" name="New tags">
- <item><ref id="modifiedtags" name="Changes to existing tags">
- <item><ref id="removedtags" name="Removed tags">
-</itemize>
-<p>
-
-<sect1>New tags<label id="newtags">
-<p>
-<descrip>
- <tag>adaptation_meta</tag>
- <p>This option allows Squid administrator to add custom ICAP request
- headers or eCAP options to Squid ICAP requests or eCAP transactions.
-
- <tag>adaptation_send_client_ip</tag>
- <p>Same as deprecated icap_send_client_ip
- but applies to both ICAP and eCAP.</p>
-
- <tag>adaptation_send_username</tag>
- <p>Same as deprecated icap_send_client_username
- but applies to both ICAP and eCAP.</p>
-
- <tag>adaptation_uses_indirect_client</tag>
- <p>Same as deprecated icap_uses_indirect_client
- but applies to both ICAP and eCAP.</p>
-
- <tag>client_delay_pools</tag>
- <p>New setting for client bandwidth limits to specifies the number
- of client delay pools used.
-
- <tag>client_delay_initial_bucket_level</tag>
- <p>New setting for client bandwidth limits to determine the initial
- bucket size as a percentage of max_bucket_size from
- client_delay_parameters.
-
- <tag>client_delay_parameters</tag>
- <p>New setting for client bandwidth limits to configures client-side
- bandwidth limits.
-
- <tag>client_delay_access</tag>
- <p>New setting for client bandwidth limits to determines the
- client-side delay pool for the request.
-
- <tag>client_dst_passthru</tag>
- <p>New setting to disable extra Host: header security on interception proxies.
- Impacts cache integrity/reliability and client browser security.
- <p><em>IMPORTANT:</em> disabling this directive only allows Squid to change the
- destination IP to another source indicated by Host: domain DNS or
- cache_peer configuration. It <em>does not</em> affect Host: validation.
-
- <tag>client_idle_pconn_timeout</tag>
- <p>Renamed from <em>persistent_request_timeout</em>.
-
- <tag>cpu_affinity_map</tag>
- <p>New setting for SMP support to map Squid processes onto specific CPU cores.
-
- <tag>connect_retries</tag>
- <p>Replacement for <em>maximum_single_addr_tries</em>, but instead of only applying to hosts with single addresses.
- This directive applies to all hosts, extending the number of connection attempts to each IP address.
-
- <tag>dns_packet_max</tag>
- <p>New setting to configure maximum number of bytes packet size to advertise via EDNS.
- Set to "none" (the initial default) to disable EDNS large packet support.
-
- <tag>else</tag>
- <p>Part of conditional SMP support syntax. see <em>if</em>
-
- <tag>endif</tag>
- <p>Part of conditional SMP support syntax. see <em>if</em>
-
- <tag>eui_lookup</tag>
- <p>Whether to lookup the EUI or MAC address of a connected client.
-
- <tag>host_verify_strict</tag>
- <p>New option to enable super-strict HTTP and DNS information match.
- Ensuring the HTTP URI details, DNS records, and TCP connection layers all match in a
- three-legged security verification. Preventing domain hijacking or malicious poisoning
- attacks by malicious scripts.
- <p>The default is to verify only intercepted traffic, to log all issues and let failed
- traffic through when doing so can be done safely.
-
- <tag>icap_206_enable</tag>
- <p>New option to toggle whether the ICAP 206 (Partial Content) responses extension.
- Default is on.
-
- <tag>if</tag>
- <p>New conditional syntax for SMP multiple-worker.
- If-statements can be used to make configuration directives depend on conditions.
- <p>The else part is optional. The keywords <em>if</em>, <em>else</em> and <em>endif</em>
- must be typed on their own lines, as if they were regular configuration directives.
-
- <tag>logfile_daemon</tag>
- <p>Ported from 2.7. Specify the file I/O daemon helper to run for logging.
-
- <tag>max_stale</tag>
- <p>Places an upper limit on how stale content Squid will serve from the cache if cache validation fails
-
- <tag>memory_cache_mode</tag>
- <p>Controls which objects to keep in the memory cache (cache_mem)
- <verb>
- 'always' Keep most recently fetched objects in memory (default)
-
- 'disk' Only disk cache hits are kept in memory, which means
- an object must first be cached on disk and then hit
- a second time before cached in memory.
-
- network Only objects fetched from network is kept in memory
- </verb>
-
- <tag>memory_cache_shared</tag>
- <p>Controls whether the memory cache is shared among SMP workers.
- <p>Currently, entities exceeding 32KB in size cannot be shared.
-
- <tag>server_idle_pconn_timeout</tag>
- <p>Renamed from <em>pconn_timeout</em>.
-
- <tag>tproxy_uses_indirect_client</tag>
- <p>Controls whether the indirect client address found in the X-Forwarded-For
- header is used for spoofing instead of the directly connected client address.
- Requires both <em>--enable-follow-x-forwarded-for</em> and <em>--enable-linux-netfilter</em>
-
- <tag>workers</tag>
- <p>Number of main Squid processes or "workers" to fork and maintain.
- In SMP mode, each worker does nearly all what a single Squid daemon
- does (e.g., listen on http_port and forward HTTP requests).
- <verb>
- 0: "no daemon" mode, like running "squid -N ..."
- 1: "no SMP" mode, start one main Squid process daemon (default)
- N: start N main Squid process daemons (i.e., SMP mode)
- </verb>
-
- <tag>write_timeout</tag>
- <p>New setting to limit time spent waiting for data writes to be confirmed.
-</descrip>
-
-<sect1>Changes to existing tags<label id="modifiedtags">
-<p>
-<descrip>
- <tag>access_log</tag>
- <p>New <em>stdio</em> module to send log data directly from Squid to a disk file.
- This is the historic behaviour of Squid before logging modules were introduced, and
- remains the default used when no module is selected.
- It is recommended to upgrade logging to the faster <em>daemon:</em> module.
- <p>New <em>daemon</em> module to send each log line as text data to a file I/O daemon handling the slow disk I/O.
- New installs, or installs with no logs configured explicitly will use this module by default.
- <p>New <em>tcp</em> module to send each log line as text data to a TCP receiver.
- <p>New <em>udp</em> module to send each log line as text data to a UDP receiver.
- <p>New format <em>referrer</em> to log with the format previously used by referer_log directive.
- <p>New format <em>useragent</em> to log with the format previously used by useragent_log directive.
-
- <tag>acl : random, urllogin</tag>
- <p>New type <em>random</em>. Pseudo-randomly match requests based on a configured probability.
- <p>Ported <em>urllogin</em> option from Squid 2.7, to match a regex pattern on the URL login field (if any).
- <p>The <em>manager</em> ACL requires adjustment to cover new cache manager access. So it has now been
- built-in as a predefined ACL name matching URLs equivalent to the following regular expression:
- <verb>
- ^(cache_object://|https?://[^/]+/squid-internal-mgr/)
- </verb>
- squid.conf containing the old manager definition can expect to see ACL type collisions.
-
- <tag>auth_param</tag>
- <p>New options for Basic, Digest, NTLM, Negotiate <em>children</em> settings.
- <em>startup=N</em> determines minimum number of helper processes used.
- <em>idle=N</em> determines how many helper to retain as buffer against sudden traffic loads.
- <em>concurrency=N</em> previously called <em>auth_param ... concurrency</em> as a separate option.
- <p>Removed Basic, Digest, NTLM, Negotiate <em>auth_param ... concurrency</em> setting option.
- <p>Known Issue: NTLM and Negotiate protocols do not support concurrency. When set this option is ignored.
-
- <tag>cache_dir</tag>
- <p><em>min-size</em> option ported from Squid-2
-
- <tag>cache_peer</tag>
- <p><em>htcp-*</em> options collapsed into <em>htcp=</em> taking an optional comma-separated list of flags.
- The old form is deprecated but still accepted.
-
- <tag>cache_store_log</tag>
- <p>Now uses logging modules. Example: stdio:/file/path
- see <em>access_log</em> for a list of supported modules and their parameters.
-
- <tag>clientside_mark</tag>
- <p>New configuration parameter <em>clientside_mark</em>
- <p>Allows packets leaving Squid on the client side to be marked with a Netfilter mark value in the same way as the existing clientside_tos feature.
- <p>This feature is only available for Netfilter environments.
-
- <tag>deny_info</tag>
- <p>Support URL format tags. For dynamically generated URL in denial redirect.
- <p>Support the full range of 200-599 HTTP status codes.
- 3xx status only available when redirecting to a URI.
- Other status only available when supplying an error template body.
-
- <tag>external_acl_type</tag>
- <p>New format tags and option parameters:
- <p><em>%SRCEUI48</em> EUI-48 / MAC address of client from ARP lookup.
- <p><em>%SRCEUI64</em> EUI-64 of clients with SLAAC address.
- <p><em>%EXT_LOG</em> log= message returned by previous external ACL calls. An updated version may be returned.
- <p><em>%EXT_TAG</em> tag= value returned by previous external ACL calls. Tag may not be altered once set.
- <p><em>children-max=N</em> determines maximum number of helper processes used.
- <p><em>children-startup=N</em> determines minimum number of helper processes used.
- <p><em>children-idle=N</em> determines how many helper to retain as buffer against sudden traffic loads.
- <p>Deprecated <em>children=N</em> in favor of <em>children-max=N</em>.
-
- <tag>http_port act-as-origin vhost no-vhost</tag>
- <p><em>act-as-origin</em> ported from 2.7.
- This option corrects several HTTP header issues when operating as a reverse proxy and cache.
- Notably the externally visible aging of objects stored in the server-side cache.
- <p><em>vhost</em> is deprecated. <em>accel</em> mode, reverse proxy, now defaults to always enable HTTP/1.1 virtual domain support.
- <p><em>no-vhost</em> option is added to disable the new reverse proxy behaviour.
-
- <tag>icap_send_client_ip</tag>
- <p>Deprecated in favor of adaptation_send_client_ip
- which applies to both ICAP and eCAP.</p>
-
- <tag>icap_send_client_username</tag>
- <p>Deprecated in favor of adaptation_send_username
- which applies to both ICAP and eCAP.</p>
-
- <tag>icap_uses_indirect_client</tag>
- <p>Deprecated in favor of adaptation_uses_indirect_client
- which applies to both ICAP and eCAP.</p>
-
- <tag>logformat</tag>
- <p><em>%<a</em> Server or Peer IP address from the last server connection (next hop).
- <p><em>%>bs</em> Number of HTTP-equivalent message body bytes received from the next hop.
- <p><em>icap::%>bs</em> Number of message body bytes received from the ICAP server.
- <p><em>%sn</em> Unique sequence number per log line. Ported from 2.7
- <p><em>%>eui</em> EUI logging (EUI-48 / MAC address for IPv4, EUI-64 for IPv6).
- Both EUI forms are logged in the same field. Type can be identified by length or byte delimiter.
- <p><em>%err_code</em> The ID of an error response served by Squid or a similar internal error identifier
- <p><em>%err_detail</em> Additional err_code-dependent error information.
- <p><em>%>la</em> Rename of %la to indicate being a client connection detail.
- <p><em>%>lp</em> Rename of %lp to indicate being a client connection detail.
- <p><em>%<p</em> Server or Peer port number from the last server connection (next hop).
-
- <tag>memory_pools_limit</tag>
- <p>Memory limits have been revised and corrected from 3.1.4 onwards.
- <p>Please check and update your squid.conf to use the text <em>none</em> for no limit instead of the old 0 (zero).
- <p>All users upgrading need to be aware that from Squid-3.3 setting this option to 0 (zero) will mean zero bytes of memory get pooled.
-
- <tag>qos_flows</tag>
- <p>New options <em>mark</em> and <em>tos</em> and <em>miss</em>
- <p><em>tos</em> retains the original QOS functionality of the IP header TOS field.
- <p><em>mark</em> offers the same functionality, but with a netfilter mark value.
- <p>These options should be placed immediately after qos_flows.
- <p>The <em>tos</em> value is optional in order to maintain backwards compatability.
- <p>The preserve-miss functionality is available with the <em>mark</em> option and requires no kernel patching.
- It does, however, require libnetfilter_conntrack.
- This will be included by default if available (see the --without-netfilter-conntrack configure option for more details).
- <p><em>miss</em> sets a value for a cache miss. It is available for both the tos and mark options and takes precedence over the preserve-miss feature.
-
- <tag>range_offset_limit</tag>
- <p>Added ACL support for control over when the limit applies and when it is avoided.
-
- <tag>refresh_pattern</tag>
- <p>New option <em>max-stale=</em> to provide a maximum staleness factor. Squid won't
- serve objects more stale than this even if it failed to validate the object.
- <p>Removed option <em>ignore-no-cache</em>. Its commonly desired behaviour is obsoleted
- by correct HTTP/1.1 Cache-Control:no-cache handling.
-
- <tag>reply_header_access</tag>
- <p>Added support for custom response header names.</p>
-
- <tag>request_header_access</tag>
- <p>Added support for custom request header names.</p>
-
- <tag>reply_header_replace</tag>
- <p>Added support for custom response header names.</p>
-
- <tag>request_header_replace</tag>
- <p>Added support for custom request header names.</p>
-
- <tag>tcp_outgoing_address</tag>
- <p>This parameter is now compatible with persistent server connections.
- The IPv6 magic 'to_ipv6' hacks needed in 3.1 are now no longer necessary.
-
- <tag>tcp_outgoing_mark</tag>
- <p>New configuration parameter <em>tcp_outgoing_mark</em>
- <p>Allows packets leaving Squid on the server side to be marked with a Netfilter mark value in the same way as the existing tcp_outgoing_tos feature.
- <p>This feature is only available for Netfilter environments.
-
- <tag>tcp_outgoing_tos</tag>
- <p>This parameter is now compatible with persistent server connections.
-
- <tag>url_rewrite_children</tag>
- <p>New options <em>startup=N</em>, <em>idle=N</em>, <em>concurrency=N</em>
- <itemize>
- <item>startup=N allow finer tuning of how many helpers are started initially.
- <item>idle=N allow fine tuning of how many helper to retain as buffer against sudden traffic loads.
- <item>concurrency=N was previously called url_rewrite_concurrency as a distinct directive.
- </itemize>
-
- <tag>windows_ipaddrchangemonitor</tag>
- <p>Now only available to be set in Windows builds.
-
-</descrip>
-
-
-<sect1>Removed tags<label id="removedtags">
-<p>
-<descrip>
- <tag>balance_on_multiple_ip</tag>
- <p>Obsolete. The behaviour controlled by this directive is no longer possible
- with DNS parallel lookup and connection features (aka 'Happy Eyeballs').
-
- <tag>chunked_request_body_max_size</tag>
- <p>Obsolete. Squid is now HTTP/1.1 with support for streaming chunked encoded requests.
-
- <tag>dns_v4_fallback</tag>
- <p>Obsolete. Replaced by DNS parallel lookups.
-
- <tag>emulate_httpd_log</tag>
- <p>Replaced by <em>common</em> format option on an <em>access_log</em> directive.
-
- <tag>forward_log</tag>
- <p>Obsolete.
-
- <tag>ftp_list_width</tag>
- <p>Obsolete.
-
- <tag>ignore_expect_100</tag>
- <p>Obsolete.
-
- <tag>log_fqdn</tag>
- <p>Obsolete. Replaced by automatic detection of the %>A logformat tag.
-
- <tag>log_ip_on_direct</tag>
- <p>Obsolete. Use a custom log with <em>%<A</em> format tag to receive server FQDN or peer name.
-
- <tag>maximum_single_addr_tries</tag>
- <p>The behaviour controlled by this directive is no longer possible.
- It has been replaced by <em>connect_retries</em> option which operates a little differently.
-
- <tag>pconn_timeout</tag>
- <p>Renamed to <em>server_idle_pconn_timeout</em>
-
- <tag>persistent_request_timeout</tag>
- <p>Renamed to <em>client_idle_pconn_timeout</em>
-
- <tag>referer_log</tag>
- <p>Replaced by the <em>referrer</em> format option on an <em>access_log</em> directive.
-
- <tag>url_rewrite_concurrency</tag>
- <p>Replaced by url_rewrite_children ... concurrency=N option.
-
- <tag>useragent_log</tag>
- <p>Replaced by the <em>useragent</em> format option on an <em>access_log</em> directive.
-</descrip>
-
-
-<sect>Changes to ./configure options since Squid-3.1
-<p>
-There have been some changes to Squid's build configuration since Squid-3.1.
-
-This section gives an account of those changes in three categories:
-
-<itemize>
- <item><ref id="newoptions" name="New options">
- <item><ref id="modifiedoptions" name="Changes to existing options">
- <item><ref id="removedoptions" name="Removed options">
-</itemize>
-
-
-<sect1>New options<label id="newoptions">
-<p>
-<descrip>
- <tag>--enable-auth-basic[=HELPERS]</tag>
- <p>Specified without any parameters all helpers will be auto-built.
- <p>With an explicit empty list <em>=""</em> protocol support will be built but no helpers.
- <p>With an explicit list protocol support and just those helpers will be built.
-
- <tag>--enable-auth-digest[=HELPERS]</tag>
- <p>Specified without any parameters all helpers will be auto-built.
- <p>With an explicit empty list <em>=""</em> protocol support will be built but no helpers.
- <p>With an explicit list protocol support and just those helpers will be built.
-
- <tag>--enable-auth-negotiate</tag>
- <p>Specified without any parameters all helpers will be auto-built.
- <p>With an explicit empty list <em>=""</em> protocol support will be built but no helpers.
- <p>With an explicit list protocol support and just those helpers will be built.
-
- <tag>--enable-auth-ntlm</tag>
- <p>Specified without any parameters all helpers will be auto-built.
- <p>With an explicit empty list <em>=""</em> protocol support will be built but no helpers.
- <p>With an explicit list protocol support and just those helpers will be built.
-
- <tag>--enable-build-info</tag>
- <p>Add an additional string in the output of "squid -v".
-
- <tag>--enable-eui</tag>
- <p>Enable Support for handling EUI operations.
- This includes ARP lookups for MAC (EUI-48) addresses and the ACL arp type tests.
-
- <tag>--enable-log-daemon-helpers</tag>
- <p>Build helpers for logging I/O.
-
- <tag>--enable-url-rewrite-helpers</tag>
- <p>Build helpers for some basic URL-rewrite actions. For use by url_rewrite_program.
- If omitted or set to =all then all bundled helpers that are able to build will be built.
- If set to a specific list of helpers then only those helpers will build.
- Currently one demo helper <em>fake</em> is provided in shell and C++ forms to demonstrate
- the helper protocol usage and provide exemplar code.
-
- <tag>--with-swapdir=PATH</tag>
- <p>Location to display in documentation for the default cache.
- Updated to indicate /var/cache/squid in accordance with the filesystem layout standards.
- Squid-3 no longer builds an implicit disk cache at this location, so the change is not expected
- to have any effect on existing builds other than fixing some mysterious lack of core dumps.
- The old /var/cache location was often non-writable which blocked core dumps creation.
-
- <tag>--without-netfiler-conntrack</tag>
- <p>Disables the libnetfilter_conntrack library being used for the new qos_flows option <em>mark</em>.
- default is to auto-detect the library and use where available.
-</descrip>
-
-<sect1>Changes to existing options<label id="modifiedoptions">
-<p>
-<descrip>
- <tag>--enable-auth</tag>
- <p>No longer takes a list of arguments. This option now is restricted to building Squid with or without authentication support.
- <p>The new <em>--enable-auth-X</em>/<em>--disable-auth-X</em> parameters determine which authentication protocols and helpers are built.
-
-</descrip>
-</p>
-
-<sect1>Removed options<label id="removedoptions">
-<p>
-<descrip>
- <tag>--enable-arp-acl</tag>
- <p>Replaced by --enable-eui
-
- <tag>--enable-auth-basic-helpers</tag>
- <p>Replaced by <em>--enable-auth-basic</em>.
-
- <tag>--enable-auth-digest-helpers</tag>
- <p>Replaced by <em>--enable-auth-digest</em>.
-
- <tag>--enable-auth-negotiate-helpers</tag>
- <p>Replaced by <em>--enable-auth-negotiate</em>.
-
- <tag>--enable-auth-ntlm-helpers</tag>
- <p>Replaced by <em>--enable-auth-ntlm</em>.
-
- <tag>--enable-referer-log</tag>
- <p>Obsolete.
-
- <tag>--enable-useragent-log</tag>
- <p>Obsolete.
-
-</descrip>
-
-
-<sect>Options Removed since Squid-2
-
-<p>Some squid.conf and ./configure options which were available in Squid-2.6 and Squid-2.7 are made obsolete in Squid-3.2.
-
-<sect1>Removed squid.conf options since Squid-2.7
-<p>
-<descrip>
- <tag>auth_param</tag>
- <p><em>blankpassword</em> option for basic scheme removed.
-
- <tag>authenticate_ip_shortcircuit_access</tag>
- <p>Not safe for general use.
- An external_acl_type helper may be used to bypass authentication if that is suitable.
-
- <tag>authenticate_ip_shortcircuit_ttl</tag>
- <p>Not safe for general use.
- An external_acl_type helper may be used to bypass authentication if that is suitable.
-
- <tag>cache_peer</tag>
- <p>Option <em>http11</em> obsolete.
-
- <tag>external_acl_type</tag>
- <p>Format tag <em>%{Header}</em> replaced by <em>%>{Header}</em>
- <p>Format tag <em>%{Header:member}</em> replaced by <em>%>{Header:member}</em>
-
- <tag>header_access</tag>
- <p>Replaced by <em>request_header_access</em> and <em>reply_header_access</em>
-
- <tag>http_port</tag>
- <p>Option <em>no-connection-auth</em> replaced by <em>connection-auth=[on|off]</em>. Default is ON.
- <p>Option <em>transparent</em> option replaced by <em>intercept</em>
- <p>Option <em>http11</em> obsolete.
-
- <tag>http_access2</tag>
- <p>Replaced by <em>adapted_http_access</em>
-
- <tag>httpd_accel_no_pmtu_disc</tag>
- <p>Replaced by <em>http_port disable-pmtu-discovery=</em> option
-
- <tag>incoming_rate</tag>
- <p>Obsolete.
-
- <tag>redirector_bypass</tag>
- <p>Replaced by <em>url_rewrite_bypass</em>
-
- <tag>server_http11</tag>
- <p>Obsolete.
-
- <tag>update_headers</tag>
- <p>Obsolete. The experimental actions enabled in 2.7 by this option have been integrated as default
- actions for the <em>rock</em> storage type and memory caches.
- The configuration option is no longer necessary and has been dropped.
- NOTE: It is not yet supported by <em>ufs</em>, <em>aufs</em>, or <em>diskd</em> storage.
-
- <tag>upgrade_http0.9</tag>
- <p>Obsolete.
-
- <tag>zph_local</tag>
- <p>Replaced by <em>qos_flows local-hit=</em>
-
- <tag>zph_mode</tag>
- <p>Obsolete.
-
- <tag>zph_option</tag>
- <p>Obsolete.
-
- <tag>zph_parent</tag>
- <p>Replaced by <em>qos_flows parent-hit=</em>
-
- <tag>zph_sibling</tag>
- <p>Replaced by <em>qos_flows sibling-hit=</em>
-
-</descrip>
-
-<sect1>Removed squid.conf options since Squid-2.6
-<p>
-<descrip>
- <tag>acl</tag>
- <p><em>urlgroup</em> type removed. Use <em>myportname</em> type instead.
-
- <tag>cache_dir</tag>
- <p><em>read-only</em> option replaced by <em>no-store</em>.
-
- <tag>http_port</tag>
- <p><em>urlgroup=</em> removed. Use <em>name=</em> feature instead.
-
- <tag>zero_buffers</tag>
- <p>Replaced by native support.
-
-</descrip>
-
-<sect1>Removed ./configure options since Squid-2.7
-<p>
-<descrip>
- <tag>--enable-coss-aio-ops</tag>
- <p>Obsolete.
-
- <tag>--enable-devpoll</tag>
- <p>Replaced by automatic detection.
-
- <tag>--enable-dlmalloc=LIB</tag>
- <p>Obsolete.
-
- <tag>--enable-epoll</tag>
- <p>Replaced by automatic detection.
-
- <tag>--enable-forward-log</tag>
- <p>Obsolete.
-
- <tag>--enable-heap-replacement</tag>
- <p>Obsolete.
-
- <tag>--enable-htcp</tag>
- <p>Obsolete. Enabled by default.
-
- <tag>--enable-large-cache-files</tag>
- <p>Obsolete.
-
- <tag>--enable-mempool-debug</tag>
- <p>Obsolete.
-
- <tag>--enable-multicast-miss</tag>
- <p>Obsolete.
-
- <tag>--enable-poll</tag>
- <p>Replaced by automatic detection.
-
- <tag>--enable-select</tag>
- <p>Replaced by automatic detection.
-
- <tag>--enable-select-simple</tag>
- <p>Replaced by automatic detection.
-
- <tag>--enable-snmp</tag>
- <p>Obsolete. Enabled by default.
-
- <tag>--enable-truncate</tag>
- <p>Obsolete.
-
- <tag>--disable-kqueue</tag>
- <p>Obsolete. Disabled by default.
-
- <tag>--without-system-md5</tag>
- <p>Obsolete. Disabled by default.
-
-</descrip>
-
-
-<sect>Regressions since Squid-2.7
-
-<p>Some squid.conf and ./configure options which were available in Squid-2.7 are not yet available in Squid-3.2
-
-<p>If you need something to do then porting one of these from Squid-2 to Squid-3 is most welcome.
-
-<sect1>Missing squid.conf options available in Squid-2.7
-<p>
-<descrip>
- <tag>broken_vary_encoding</tag>
- <p>Not yet ported from 2.6
-
- <tag>cache_dir</tag>
- <p><em>COSS</em> storage type is lacking stability fixes from 2.6
- <p>COSS <em>overwrite-percent=</em> option not yet ported from 2.6
- <p>COSS <em>max-stripe-waste=</em> option not yet ported from 2.6
- <p>COSS <em>membufs=</em> option not yet ported from 2.6
- <p>COSS <em>maxfullbufs=</em> option not yet ported from 2.6
-
- <tag>cache_peer</tag>
- <p><em>idle=</em> not yet ported from 2.7
- <p><em>monitorinterval=</em> not yet ported from 2.6
- <p><em>monitorsize=</em> not yet ported from 2.6
- <p><em>monitortimeout=</em> not yet ported from 2.6
- <p><em>monitorurl=</em> not yet ported from 2.6
-
- <tag>cache_vary</tag>
- <p>Not yet ported from 2.6
-
- <tag>collapsed_forwarding</tag>
- <p>Not yet ported from 2.6
-
- <tag>error_map</tag>
- <p>Not yet ported from 2.6
-
- <tag>external_acl_type</tag>
- <p><em>%ACL</em> format tag not yet ported from 2.6
- <p><em>%DATA</em> format tag not yet ported from 2.6
-
- <tag>external_refresh_check</tag>
- <p>Not yet ported from 2.7
-
- <tag>ignore_ims_on_miss</tag>
- <p>Not yet ported from 2.7
-
- <tag>location_rewrite_access</tag>
- <p>Not yet ported from 2.6
-
- <tag>location_rewrite_children</tag>
- <p>Not yet ported from 2.6
-
- <tag>location_rewrite_concurrency</tag>
- <p>Not yet ported from 2.6
-
- <tag>location_rewrite_program</tag>
- <p>Not yet ported from 2.6
-
- <tag>refresh_pattern</tag>
- <p><em>stale-while-revalidate=</em> not yet ported from 2.7
- <p><em>ignore-stale-while-revalidate=</em> not yet ported from 2.7
- <p><em>negative-ttl=</em> not yet ported from 2.7
-
- <tag>refresh_stale_hit</tag>
- <p>Not yet ported from 2.7
-
- <tag>storeurl_access</tag>
- <p>Not yet ported from 2.7
-
- <tag>storeurl_rewrite_children</tag>
- <p>Not yet ported from 2.7
-
- <tag>storeurl_rewrite_concurrency</tag>
- <p>Not yet ported from 2.7
-
- <tag>storeurl_rewrite_program</tag>
- <p>Not yet ported from 2.7
-
-</descrip>
-
-<sect>Copyright
-<p>
-Copyright (C) 1996-2023 The Squid Software Foundation and contributors
-<p>
-Squid software is distributed under GPLv2+ license and includes
-contributions from numerous individuals and organizations.
-Please see the COPYING and CONTRIBUTORS files for details.
-
-</article>
+++ /dev/null
-<!doctype linuxdoc system>
-<article>
-<title>Squid 3.3.14 release notes</title>
-<author>Squid Developers</author>
-
-<abstract>
-This document contains the release notes for version 3.3 of Squid.
-Squid is a WWW Cache application developed by the National Laboratory
-for Applied Network Research and members of the Web Caching community.
-</abstract>
-
-<toc>
-
-<sect>Notice
-<p>
-The Squid Team are pleased to announce the release of Squid-3.3.14.
-
-This new release is available for download from <url url="http://www.squid-cache.org/Versions/v3/3.3/"> or the
-<url url="http://www.squid-cache.org/Download/http-mirrors.html" name="mirrors">.
-
-<p>A large number of the design flaws in SSL-Bump feature have been fixed along with general improvements all around.
-While this release is not fully bug-free we believe it is ready for use in production on many systems.
-
-<p>We welcome feedback and bug reports. If you find a bug, please see <url url="https://wiki.squid-cache.org/SquidFaq/BugReporting">
- for how to submit a report with a stack trace.
-
-<sect1>Known issues
-<p>
-Although this release is deemed good enough for use in many setups, please note the existence of
-<url url="https://bugs.squid-cache.org/buglist.cgi?query_format=advanced&product=Squid&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&version=3.3" name="open bugs against Squid-3.3">.
-
-
-<sect1>Changes since earlier releases of Squid-3.3
-<p>
-The 3.3 change history can be <url url="http://www.squid-cache.org/Versions/v3/3.3/changesets/" name="viewed here">.
-
-<sect>Major new features since Squid-3.2
-<p>Squid 3.3 represents a new feature release above 3.2.
-
-<p>The most important of these new features are:
-<itemize>
- <item>SQL Database logging helper
- <item>Time-Quota session helper
- <item>SSL-Bump Server First
- <item>Server Certificate Mimic
- <item>Custom HTTP request headers
-</itemize>
-
-Most user-facing changes are reflected in squid.conf (see below).
-
-<sect1>SQL Database logging helper
-<p><em>log_db_daemon</em> - Database logging daemon for Squid
-
-<p>This program writes Squid access.log entries to an SQL database.
- Written in Perl it can utilize any database supported by the Perl
- database abstraction layer.
-
-<p>NOTE: Presently it only accepts the Squid native log format.
-
-
-<sect1>Time-Quota session helper
-<p><em>ext_time_quota_acl</em> - Time quota external ACL helper.
-
-<p>Allows an administrator to define time budgets (quota) for the
- users of Squid to limit the time using Squid.
-
-<p>This is useful for corporate lunch time allocations, wifi portal
- pay-per-minute installations or for parental control of children.
-
-<p>The administrator can define a time budget (e.g. 1 hour per day)
- which is enforced through this helper using session estimations
- of their browsing time. A 'pause' threshold is given in seconds
- and defines the period between two requests to be treated as part
- of the same session. Pauses shorter than this value will be
- counted against the quota, longer ones ignored.
-
-
-<sect1>SSL-Bump Server First
-<p>Details at <url url="https://wiki.squid-cache.org/Features/BumpSslServerFirst">.
-
-<p>When an intercepted connection is received, Squid first connects
- to the server using SSL and receives the server certificate.
- Squid then uses the host name inside the true server certificate
- to generate a fake one and impersonates the server while still
- using the already established secure connection to the server.
-
-<p>Bumping server first is essentially required for handling
- intercepted HTTPS connections but the same scheme should be used
- for most HTTP CONNECT requests because it offers a few advantages
- compared to the old bump-client-first approach:
-
-<itemize>
-<item>When Squid knows valid server certificate details, it can
- generate its fake server certificate with those details.
- With the bump-client-first scheme, all those details are lost.
- In general, browsers do not care about those details but there
- may be HTTP clients (or even human users) that require or could
- benefit from knowing them.
-
-<item>When a server sends a bad certificate, Squid may be able to
- replicate that brokenness in its own fake certificate, giving
- the HTTP client control whether to ignore the problem or
- terminate the transaction. With bump-client-furst, it is
- difficult to support similar dynamic, user-directed opt out;
- Squid itself has to decide what to do when the server
- certificate cannot be validated.
-
-<item>When a server asks for a client certificate, Squid may be
- able to ask the client and then forward the client certificate
- to the server. Such client certificate handling may not be
- possible with the bump-client-first scheme because it would
- have to be done after the SSL handshake.
-
-<item>Some clients (e.g., Rekonq browser v0.7.x) do not send host
- names in CONNECT requests. Such clients require bump-server-first
- even in forward proxying mode. Unfortunately, there are other
- problems with fully supporting such clients (i.e., Squid does
- not know whether the IP address in the CONNECT request is what
- the user have typed into the address bar) so not all features
- will work well for them until more specialized detection code
- is added.
-</itemize>
-
-<sect1>Server Certificate Mimic
-<p>Details at <url url="https://wiki.squid-cache.org/Features/MimicSslServerCert">.
-
-<p>One of the SslBump features serious drawbacks is the loss of
- information embedded in SSL server certificate.
- This certificate mimic feature passes original SSL server
- certificate information to the user. Allowing the user to
- make an informed decision on whether to trust the server
- certificate.
-
-
-<sect1>Custom HTTP request headers
-<p>The <em>request_header_add</em> option is added to insert
- HTTP header fields to outgoing HTTP requests (i.e.,
- request headers sent by Squid to the next HTTP hop such as a
- cache peer or an origin server). The option has no effect on
- cache hit traffic or requests serviced by Squid and ICAP.
-
-<p>WARNING: If a standard HTTP header name is used, Squid does not check whether
- the new header conflicts with any existing headers or violates
- HTTP rules. If the request to be modified already contains a
- field with the same name, the old field is preserved but the
- header field values are not merged.
-
-<p>Field-value set can be either a token or a quoted string. If quoted
- string format is used, then the surrounding quotes are removed
- while escape sequences and %macros are processed.
-
-<p>In theory, all of the <em>logformat</em> codes can be used as %macros.
- However, unlike logging (which happens at the very end of
- transaction lifetime), the transaction may not yet have enough
- information to expand a macro when the new header value is needed.
- And some information may already be available to Squid but not yet
- committed where the macro expansion code can access it (please report
- such instances!). The macro will be expanded into a single dash
- ('-') in such cases. Not all macros have been tested.
-
-<p>One or more Squid ACLs may be specified to restrict header
- injection to matching requests. As always in squid.conf, all
- ACLs in an option ACL list must be satisfied for the insertion
- to happen. The <em>request_header_add</em> option supports fast ACLs only.
-
-
-<sect>Changes to squid.conf since Squid-3.2
-<p>
-There have been changes to Squid's configuration file since Squid-3.2.
-
-This section gives a thorough account of those changes in three categories:
-
-<itemize>
- <item><ref id="newtags" name="New tags">
- <item><ref id="modifiedtags" name="Changes to existing tags">
- <item><ref id="removedtags" name="Removed tags">
-</itemize>
-<p>
-
-<sect1>New tags<label id="newtags">
-<p>
-<descrip>
- <tag>cache_miss_revalidate</tag>
- <p>Whether Squid is to pass-through If-Modified-Since and If-None-Match headers on cache MISS.
- Revalidation requests can prevent cache gathering objects to HIT on.
- <p>Based on the Squid-2.7 <em>ignore_ims_on_miss</em> feature.
- <p><em>IMPORTANT:</em> the meaning for on/off values has changed along with the name since 2.7.
-
- <tag>request_header_add</tag>
- <p>New directive to add custom headers on HTTP traffic sent to upstream servers.
-
- <tag>sslproxy_cert_sign</tag>
- <p>New option to determine how the client certificate sent to upstream servers is signed.
-
- <tag>sslproxy_cert_adapt</tag>
- <p>New option to adapt certain properties of outgoing SSL certificates generated for use when bumping SSL to an upstream server.
-
-</descrip>
-
-<sect1>Changes to existing tags<label id="modifiedtags">
-<p>
-<descrip>
- <tag>acl</tag>
- <p><em>myport</em> and <em>myip</em>ACL types replaced with <em>localport</em> and <em>localip</em> respectively.
- To reflect that it matches the TCP connection details and not the squid.conf port.
- This matters when dealing with intercepted traffic, where the Squid receiving port differs from the TCP connection IP:port.
- Always use <em>myportname</em> type to match the squid.conf port details.
- <p>New default built-in ACLs for testing SSL certificate properties.
- <p><em>ssl::certHasExpired</em>,
- <em>ssl::certNotYetValid</em>,
- <em>ssl::certDomainMismatch</em>,
- <em>ssl::certUntrusted</em>,
- <em>ssl::certSelfSigned</em>.
-
- <tag>client_netmask</tag>
- <p>IP address 127.0.0.1 (localhost IPv4) is no longer masked.
-
- <tag>external_acl_type</tag>
- <p><em>%ACL</em> format tag ported from 2.6.
- Sends the name of ACL being tested to the external helper.
- <p><em>%DATA</em> format tag ported from 2.6.
- Inserts the ACL arguments into a particular location of the helper input instead of at the end of the line.
-
- <tag>logformat</tag>
- <p>New token <em>%ssl::bump_mode</em> to log the SSL-bump mode type performed on a request.
- Logs values of: <em>-</em>, <em>none</em>, <em>client-first</em>, or <em>server-first</em>.
- <p>New token of <em>%ssl::>cert_subject</em> to log the Subject field of a SSL certificate received from the client.
- <p>New token of <em>%ssl::>cert_issuer</em> to log the Issuer field of a SSL certificate received from the client.
-
- <tag>ssl_bump</tag>
- <p>New action types <em>none</em>, <em>client-first</em>, <em>server-first</em>. The default is <em>none</em>.
- <p>Use of <em>allow</em>/<em>deny</em> is now deprecated and they should be removed as soon as possible.
- To retain the exact same behaviour between 3.3 and older releases replace <em>deny</em> with <em>none</em>,
- and <em>allow</em> with <em>client-first</em>. However an upgrade to <em>server-first</em> is the recommended.
- <p><em>NOTE</em>: Mixing of allow/deny with the new action types is prohibited and will cause Squid to exit with a FATAL error.
-
-</descrip>
-
-<sect1>Removed tags<label id="removedtags">
-<p>
-<descrip>
- <tag>ignore_ims_on_miss</tag>
- <p>This option has been replaced by the <em>cache_miss_revalidate</em> feature.
-
-</descrip>
-
-
-<sect>Changes to ./configure options since Squid-3.2
-<p>
-There have been some changes to Squid's build configuration since Squid-3.2.
-
-This section gives an account of those changes in three categories:
-
-<itemize>
- <item><ref id="newoptions" name="New options">
- <item><ref id="modifiedoptions" name="Changes to existing options">
- <item><ref id="removedoptions" name="Removed options">
-</itemize>
-
-
-<sect1>New options<label id="newoptions">
-<p>
-<descrip>
- <p><em>There are no new ./configure options in Squid-3.3.</em>
-
-</descrip>
-
-<sect1>Changes to existing options<label id="modifiedoptions">
-<p>
-<descrip>
- <tag>--enable-kqueue</tag>
- <p>kqueue network I/O module is now built by default when it is available.
- This option is no longer required to enable kqueue support,
- but if used will abort build when kqueue dependencies are missing or broken.
-
- <tag>--disable-kqueue</tag>
- <p>kqueue network I/O module is now built by default when it is available.
- This configure option is now needed to disable it. Previously it did nothing.
-
-</descrip>
-</p>
-
-<sect1>Removed options<label id="removedoptions">
-<p>
-<descrip>
- <tag>--enable-ntlm-fail-open</tag>
- <p>This has not been supported by Squid for several versions.
-
-</descrip>
-
-
-<sect>Regressions since Squid-2.7
-
-<p>Some squid.conf and ./configure options which were available in Squid-2.7 are not yet available in Squid-3.3
-
-<p>If you need something to do then porting one of these from Squid-2 to Squid-3 is most welcome.
-
-<sect1>Missing squid.conf options available in Squid-2.7
-<p>
-<descrip>
- <tag>broken_vary_encoding</tag>
- <p>Not yet ported from 2.6
-
- <tag>cache_dir</tag>
- <p><em>COSS</em> storage type is lacking stability fixes from 2.6
- <p>COSS <em>overwrite-percent=</em> option not yet ported from 2.6
- <p>COSS <em>max-stripe-waste=</em> option not yet ported from 2.6
- <p>COSS <em>membufs=</em> option not yet ported from 2.6
- <p>COSS <em>maxfullbufs=</em> option not yet ported from 2.6
-
- <tag>cache_peer</tag>
- <p><em>idle=</em> not yet ported from 2.7
- <p><em>monitorinterval=</em> not yet ported from 2.6
- <p><em>monitorsize=</em> not yet ported from 2.6
- <p><em>monitortimeout=</em> not yet ported from 2.6
- <p><em>monitorurl=</em> not yet ported from 2.6
-
- <tag>cache_vary</tag>
- <p>Not yet ported from 2.6
-
- <tag>collapsed_forwarding</tag>
- <p>Not yet ported from 2.6
-
- <tag>error_map</tag>
- <p>Not yet ported from 2.6
-
- <tag>external_refresh_check</tag>
- <p>Not yet ported from 2.7
-
- <tag>location_rewrite_access</tag>
- <p>Not yet ported from 2.6
-
- <tag>location_rewrite_children</tag>
- <p>Not yet ported from 2.6
-
- <tag>location_rewrite_concurrency</tag>
- <p>Not yet ported from 2.6
-
- <tag>location_rewrite_program</tag>
- <p>Not yet ported from 2.6
-
- <tag>refresh_pattern</tag>
- <p><em>stale-while-revalidate=</em> not yet ported from 2.7
- <p><em>ignore-stale-while-revalidate=</em> not yet ported from 2.7
- <p><em>negative-ttl=</em> not yet ported from 2.7
-
- <tag>refresh_stale_hit</tag>
- <p>Not yet ported from 2.7
-
- <tag>storeurl_access</tag>
- <p>Not yet ported from 2.7
-
- <tag>storeurl_rewrite_children</tag>
- <p>Not yet ported from 2.7
-
- <tag>storeurl_rewrite_concurrency</tag>
- <p>Not yet ported from 2.7
-
- <tag>storeurl_rewrite_program</tag>
- <p>Not yet ported from 2.7
-
-</descrip>
-
-<sect>Copyright
-<p>
-Copyright (C) 1996-2023 The Squid Software Foundation and contributors
-<p>
-Squid software is distributed under GPLv2+ license and includes
-contributions from numerous individuals and organizations.
-Please see the COPYING and CONTRIBUTORS files for details.
-
-</article>
+++ /dev/null
-<!doctype linuxdoc system>
-<article>
-<title>Squid 3.4.14 release notes</title>
-<author>Squid Developers</author>
-
-<abstract>
-This document contains the release notes for version 3.4 of Squid.
-Squid is a WWW Cache application developed by the National Laboratory
-for Applied Network Research and members of the Web Caching community.
-</abstract>
-
-<toc>
-
-<sect>Notice
-<p>
-The Squid Team are pleased to announce the release of Squid-3.4.14.
-
-This new release is available for download from <url url="http://www.squid-cache.org/Versions/v3/3.4/"> or the
- <url url="http://www.squid-cache.org/Download/http-mirrors.html" name="mirrors">.
-
-<p>Some interesting new features adding system flexibility have been added along with general improvements all around.
- While this release is not fully bug-free we believe it is ready for use in production on many systems.
-
-<p>We welcome feedback and bug reports. If you find a bug, please see <url url="https://wiki.squid-cache.org/SquidFaq/BugReporting">
- for how to submit a report with a stack trace.
-
-<sect1>Known issues
-<p>
-Although this release is deemed good enough for use in many setups, please note the existence of
-<url url="https://bugs.squid-cache.org/buglist.cgi?query_format=advanced&product=Squid&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&version=3.4" name="open bugs against Squid-3.4">.
-
-<sect1>Changes since earlier releases of Squid-3.4
-<p>
-The 3.4 change history can be <url url="http://www.squid-cache.org/Versions/v3/3.4/changesets/" name="viewed here">.
-
-
-<sect>Major new features since Squid-3.3
-<p>Squid 3.4 represents a new feature release above 3.3.
-
-<p>The most important of these new features are:
-<itemize>
- <item>Helper protocol extensions
- <item>SSL Server Certificate Validator
- <item>Store-ID
- <item>TPROXY Support for OpenBSD 5.1+ and FreeBSD 9+
- <item>Transaction Annotations
- <item>Multicast DNS
-</itemize>
-
-Most user-facing changes are reflected in squid.conf (see below).
-
-
-<sect1>Helper protocol extensions
-<p>Details at <url url="https://wiki.squid-cache.org/Features/AddonHelpers">.
-
-<p>The Squid helper protocol used to communicate with authenticators,
- URL-rewriters, Redirectors, and External ACL helpers has been updated
- and extended.
-
-<p><em>BH</em> status code is now accepted from all helpers to report
- internal error events separate from <em>ERR</em> rejection code.
- Permitting Squid to perform recovery operations specific to
- helper failure instead of a blanket client rejection.
-
-<p>Arbitrary key-value pairs can be returned from any helper.
- Allowing future helpers to be forward- and backward- compatible
- with this and future versions of Squid.
-
-
-<sect1>SSL Server Certificate Validator
-<p>Details at <url url="https://wiki.squid-cache.org/Features/SslServerCertValidator">.
-
-<p>The helper consulted after the internal OpenSSL validation, regardless of the
- validation results. The helper will receive:
-
-<itemize>
- <item>the origin server certificate (chain),
- <item>the intended domain name, and
- <item>a list of OpenSSL validation errors (if any).
-</itemize>
-
-<p>If the helper decides to honor an OpenSSL error or report another validation
- error(s), the helper will return:
-
-<itemize>
- <item>A list of certificates.
- <item>A list of items consists the the validation error name (see <em>%err_name</em>
- error page macro and <em>%err_details</em> code for <em>logformat</em>), error reason
- (<em>%ssl_lib_error macro</em>), and the offending certificate.
-</itemize>
-
-<p>The returned information mimics what the internal OpenSSL-based validation code
- collects now. Returned errors, if any, are fed to <em>sslproxy_cert_error</em>,
- triggering the existing SSL error processing code.
-
-<p>The helper invocation controlled by the <em>sslcrtvalidator_program</em> and
- <em>sslcrtvalidator_children</em> configurations options which are similar to the
- <em>ssl_crtd</em> related options.
-
-
-<sect1>Store-ID
-<p>Details at <url url="https://wiki.squid-cache.org/Features/StoreID">.
-
-<p>This feature is a redesigned equivalent to the Squid-2.7 feature known as StoreURL-rewrite.
-
-<p><em>Notice</em> that this is not a direct portage of the Squid-2.7 feature so behaviour
- differences do exist. Although the new feature works in similar enough ways that the old
- helper scripts used for Squid-2.7 are expected to work in this and later versions of Squid.
-
-<p>Squid traditionally uses the requested URL as an index key ID to locate objects in cache.
- It is not the only key possible and the Store-ID feature exposes an API for external
- helpers to provide Squid with an alternative key name for any URL.
-
-<p>When any client request is received which requires a cache lookup the URL is passed to
- a helper specified with the <em>store_id_program</em> directive to check for an alternative
- Store ID. This allows the helper to identify URLs which refer to duplicate resources and
- de-duplicate the cache content. <em>store_id_access</em> is provided to allow ACL-based
- tuning of which traffic gets sent to the helper and reduce overheads.
-
-<p>One subtle and noteworthy difference between Squid-2 and Squid-3 which is highlighted by
- this feature is that <em>refresh_pattern</em> applies its regex argument against the Store
- ID key and not the transaction URL. So using the Store-ID feature to alter the value
- affects which <em>refresh_pattern</em> directive will be matched.
-
-<p>Store-ID helpers bundled with Squid can be built with the --enable-storeid-rewrite-helpers
- option which is added in this version. Currently there is a <em>file</em> helper
- provided.
-
-
-<sect1>TPROXY Support for OpenBSD 5.1+ and FreeBSD 9+
-<p>Details at <url url="https://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf">.
-
-<p>The Packet Filter (PF) firewall in OpenBSD 4.4 and later offers traffic interception
- using several very simple methods. One of which is the <em>divert-to</em> rule type
- which acts as a simple routing diversion instead of performing NAT packet alterations.
-
-<p>The IP Firewall (IPFW) on FreeBSD 9+ contains a port of the Linux Netfilter TPROXY feature.
-
-<p>This version of Squid adds support for these features through the ./configure
- options --enable-pf-transparent and --enable-ipfw-transparent when Squid is built on
- systems with the required support. No special extras are required to enable
- <em>http_port ... tproxy</em> configuration to work.
-
-<p>NOTE: To resolve NAT lookup issues on recent PF firewall versions the code behind
- <em>./configure --enable-pf-transparent</em> has been altered and is expected to
- break on the version of PF firewall shipped with BSD systems such as NetBSD and FreeBSD
- which do not yet support the getsockname() API.
- These systems require <em>--with-nat-devpf</em> to enable /dev/pf support when using PF firewall.
-
-
-<sect1>Transaction Annotations
-<p>Previously the only annotation methods available were ICAP/eCAP HTTP header insertions
- or external ACL <em>tag=</em> result code. Each of which had only limited possibilities
- for use and little or no correlation.
-
-<p>It is now possible to add annotations to a client transaction from several sources:
-<itemize>
- <item> Directly from squid.conf using the <em>note</em> directive with
- ACL-based selection of which annotation is linked to any
- particular transaction.
-
- <item> By configured helper processes returning a key=value pair.
- The key name becomes the annotation name.
-</itemize>
-
-<p>Annotations on the transaction can be passed to ICAP services or eCAP modules using the
- <em>adaptation_meta</em> directive to send them as headers.
- They can also be logged using the <em>%note</em> log format code in custom logs. With
- the new helper response syntax changes this means all helper response key=value details
- such as URL-rewrite or store-id changes, external ACL tag etc. are now able to be logged.
-
-<p>Annotations which are already assigned to a transaction can be checked using an ACL test
- of the new <em>note</em> ACL type. This can match a particular note by name and value,
- of for any notes with a given name.
-
-<p>NOTE: not all helper interfaces are yet enabled to convert key=value into annotations
- and the external ACL interface does not yet send annotations to the helper.
-
-
-<sect1>Multicast DNS
-<p>The internal DNS component of Squid now supports multicast DNS (mDNS) resolution in
- accordance with RFC 6762.
-
-<p>The <em>dns_multicast_local</em> directive must be set to <em>on</em> to enable this
- feature.
-
-<p>The multicast DNS group IP addresses for IPv4 and IPv6 resolving are added to the set
- of available DNS resolvers and used automatically for domain names ending in <em>.local</em>
- and reverse-DNS lookups before attempting a secondary resolution on the configured
- resolvers. Domains without <em>.local</em> are resolved using only the configured resolvers.
-
-<p>Statistics for multicast DNS resolution can be found on the <em>idns</em> cache manager
- report.
-
-<p><em>NOTE</em> that the external DNS helper interface is now deprecated and has been
- removed from future Squid versions. Any installations still using it for local hostname
- resolution need to upgrade to mDNS resolution with this Squid version.
-
-
-<sect>Changes to squid.conf since Squid-3.3
-<p>
-There have been changes to Squid's configuration file since Squid-3.3.
-
-<p>Squid supports reading configuration option parameters from external
- files using the syntax <em>parameters("/path/filename")</em>. For example:
-<verb>
- acl allowlist dstdomain parameters("/etc/squid/allowlist.txt")
-</verb>
-
-<p>There have also been changes to individual directives in the config file.
-
-This section gives a thorough account of those changes in three categories:
-
-<itemize>
- <item><ref id="newtags" name="New tags">
- <item><ref id="modifiedtags" name="Changes to existing tags">
- <item><ref id="removedtags" name="Removed tags">
-</itemize>
-<p>
-
-<sect1>New tags<label id="newtags">
-<p>
-<descrip>
- <tag>configuration_includes_quoted_values</tag>
- <p>Whether Squid supports directive parameters with spaces, quotes, and other
- special characters. Surround such parameters with "double quotes" and
- also set this directive on/off around the relevant squid.conf line(s)
- making use of such quoting.
-
- <tag>dns_multicast_local</tag>
- <p>Use multicast DNS for <em>.local</em> domains and reverse-DNS resolution.
-
- <tag>note</tag>
- <p>Use ACLs to annotate a transaction with customized annotations
- which can be logged in access.log
-
- <tag>spoof_client_ip</tag>
- <p>Access control to determine whether to disable the TPROXY spoofing on upstream traffic.
-
- <tag>sslcrtvalidator_children</tag>
- <p>Specifies the settings for how many SSL server certificate
- validator helpers are run and when they are started.
-
- <tag>sslcrtvalidator_program</tag>
- <p>Specifies the location of a SSL server certificate validator helper.
-
- <tag>store_id_access</tag>
- <p>Whether the URL for a given request is passed to the Store-ID helper process.
- Used to improve StoreID performance by quickly eliminating helper delays using ACL tests.
- <p>Ported equivalent to <em>storeurl_access</em> from 2.7
-
- <tag>store_id_bypass</tag>
- <p>Whether the StoreID helper may be bypassed when overloaded.
-
- <tag>store_id_children</tag>
- <p>Controls the number of StoreID helper processes.
- <p>Options <em>startup=N</em>, <em>idle=N</em>, <em>concurrency=N</em>
- <itemize>
- <item>startup=N allow finer tuning of how many helpers are started initially.
- <item>idle=N allow fine tuning of how many helper to retain as buffer against sudden traffic loads.
- <item>concurrency=N was previously called url_rewrite_concurrency as a distinct directive.
- </itemize>
-
- <tag>store_id_rewrite_program</tag>
- <p>A helper program to provide cache storage internal key ID value for a request.
- <p>Ported equivalent to <em>storeurl_rewrite_program</em> from 2.7
-
-</descrip>
-
-<sect1>Changes to existing tags<label id="modifiedtags">
-<p>
-<descrip>
- <tag>access_log</tag>
- <p>Configuration syntax extended to support name=value options.
- <em>New Syntax:</em> access_log module:place [option ...] [acl ...]
- <p>New option <em>logformat=</em> to specify the logging format name.
- <p>New option <em>buffer-size=</em> to specify how large the log buffer
- for this log is to be when <em>buffered_logs</em> is enabled.
- <p>New option <em>on-error=</em> to specify what handling is to be done
- if the logging module encounters a non-recoverable error writing logs.
- With the value <em>die</em> (the default) Squid halts operation.
- With the value <em>drop</em> Squid drops log lines and continue running.
-
- <tag>acl</tag>
- <p>New test type <em>server_cert_fingerprint</em> to match against
- server SSL certificate fingerprint.
- <p>New test type <em>note</em> to match against transaction annotations
- by name and value, or just by name.
- <p>New test type <em>any-of</em> to match if any one of a set of named ACLs.
- <p>New test type <em>all-of</em> to match against all of a set of named ACLs.
-
- <tag>auth_param</tag>
- <p>New result code <em>BH</em> to signal helper internal errors
- available in all authentication schemes.
- <p>New key <em>message=</em> for error message details in all authentication schemes.
- <p>New result code <em>OK</em> and key <em>ha1=</em> in Digest authentication.
- <p>New result codes <em>OK</em>, <em>ERR</em> replace result codes <em>AF</em>,
- and <em>NA</em> in NTLM and Negotiate authentication.
- <p>New key <em>token=</em> for NTLM and Negotiate authentication <em>OK</em> responses.
- <p>Details at <url url="https://wiki.squid-cache.org/Features/AddonHelpers">.
-
- <tag>external_acl_type</tag>
- <p>Deprecated <em>protocol=3.0</em> option. No longer necessary.
- <p>New result code <em>BH</em> to signal helper internal errors
- <p>Details at <url url="https://wiki.squid-cache.org/Features/AddonHelpers">.
-
- <tag>http_port</tag>
- <p>Support IPv6 for <em>intercept</em> mode. Requires ip6tables support on Linux,
- PF support on OpenBSD and IPFW support on FreeBSD. Squid will no longer complain
- about misconfiguration if IPv6 support is missing, we now rely on the firewall
- tools reporting misconfiguration when the NAT rules are created.
- <p>Support <em>tproxy</em> mode traffic on BSD systems with BINDANY support
- (OpenBSD 5+, FreeBSD 9+ so far).
- <p>Changed build options behind <em>intercept</em> traffic mode handling on BSD.
- see <em>--enable-pf-transparent</em> for more details.
-
- <tag>logformat</tag>
- <p>New format code <em>%note</em> to log a transaction annotation linked to the
- transaction by ICAP, eCAP, a helper, or the <em>note</em> squid.conf directive.
- <p>New format code <em>%>qos</em> to log client connection TOS/DSCP value set by Squid.
- <p>New format code <em>%<qos</em> to log server connection TOS/DSCP value set by Squid.
- <p>New format code <em>%>nfmark</em> to log client connection netfilter mark set by Squid.
- <p>New format code <em>%<nfmark</em> to log server connection netfilter mark set by Squid.
-
- <tag>pipeline_prefetch</tag>
- <p>Updated to take a numeric count of prefetched pipeline requests instead of ON/OFF.
-
- <tag>refresh_pattern</tag>
- <p><em>NOTE:</em> the regular expression pattern operates on the cache Store-ID value.
- Which by default is identical to the requested URL, but may differ for some
- objects if the Store-ID feature is in use.
-
- <tag>unlinkd_program</tag>
- <p>New helper response format utilizing result codes <em>OK</em> and <em>BH</em>,
- to signal helper lookup results. Also, key-value response values to return
- multiple values to Squid.
- <p>Details at <url url="https://wiki.squid-cache.org/Features/AddonHelpers">.
-
- <tag>url_rewrite_program</tag>
- <p>New helper response format utilizing result codes <em>OK</em>, <em>ERR</em>,
- and <em>BH</em> to signal helper lookup results. Also, key-value response
- values to return multiple values to Squid.
- <p>Details at <url url="https://wiki.squid-cache.org/Features/AddonHelpers">.
-
-</descrip>
-
-<sect1>Removed tags<label id="removedtags">
-<p>
-<descrip>
- <tag>log_access</tag>
- <p>Removed. Use access_log with ACLs instead
-
- <tag>log_icap</tag>
- <p>Removed. Use icap_log with ACLs instead
-
- <tag>storeurl_access</tag>
- <p>Replaced by <em>store_id_access</em>.
-
- <tag>storeurl_rewrite_children</tag>
- <p>Replaced by <em>store_id_children</em>.
-
- <tag>storeurl_rewrite_concurrency</tag>
- <p>Replaced by <em>store_id_children</em> with <em>concurrency=N</em> option.
-
- <tag>storeurl_rewrite_program</tag>
- <p>Replaced by <em>store_id_program</em>.
-
-</descrip>
-
-
-<sect>Changes to ./configure options since Squid-3.3
-<p>
-There have been some changes to Squid's build configuration since Squid-3.3.
-
-This section gives an account of those changes in three categories:
-
-<itemize>
- <item><ref id="newoptions" name="New options">
- <item><ref id="modifiedoptions" name="Changes to existing options">
- <item><ref id="removedoptions" name="Removed options">
-</itemize>
-
-
-<sect1>New options<label id="newoptions">
-<p>
-<descrip>
- <tag>--enable-storeid-rewrite-helpers</tag>
- <p>New option to control which Store-ID helpers are built. As with other
- helper options use --disable-* to prevent any helpers building and
- omit to get all helper auto-detected.
- <p>Currenly only a helper using <em>file</em> for backend is provided.
-
- <tag>--disable-arch-native</tag>
- <p>New option to disable use of -march=native compiler flag.
- <p>The new flag auto-enables CPU-specific optimizations in GCC and is
- required by Clang++ v3.2 for correct 64-bit environment detection.
- It does not always work well however, so this build option is provided
- to remove it when necessary.
-
- <tag>--with-nat-devpf</tag>
- <p>New option to alter the behaviour of <em>http_port ... intercept</em> option
- in squid.conf.
- <p>When this option is used Squid performs the /dev/pf lookups required to
- support PF <em>rdr-to</em> rules. Otherwise Squid will perform perform the
- getsockname() API calls to support PF <em>divert-to</em> rules.
- <p>NOTE: systems such as NetBSD and FreeBSD which do not yet support
- the getsockname() API in recent PF versions require this option.
-
-</descrip>
-
-<sect1>Changes to existing options<label id="modifiedoptions">
-<p>
-<descrip>
- <tag>--enable-pf-transparent</tag>
- <p>NAT table support updated to use the getsockname() API provided by the
- latest PF versions <em>divert-to</em>. This allows <em>http_port</em>
- in squid.conf to support both <em>intercept</em> and <em>tproxy</em> traffic
- and to silence NAT lookup failure messages on recent BSD.
- <p>NOTE: systems such as NetBSD and FreeBSD which do not yet support
- the getsockname() API in recent PF versions require <em>--with-nat-devpf</em>
- to re-enable /dev/pf support when using PF firewall.
-
- <tag>--disable-translation</tag>
- <p>Default changed to prevent translating error page templates during build.
- Use --enable-translation to explicitly build and install the templates.
- <p>The latest pre-translated templates can be downloaded from <url url="http://www.squid-cache.org/Versions/langpack/">
-
-</descrip>
-</p>
-
-<sect1>Removed options<label id="removedoptions">
-<p>
-<descrip>
- <p><em>There are no removed ./configure options in Squid-3.4.</em>
-
-</descrip>
-
-
-<sect>Regressions since Squid-2.7
-
-<p>Some squid.conf options which were available in Squid-2.7 are not yet available in Squid-3.4
-
-<p>If you need something to do then porting one of these from Squid-2 to Squid-3 is most welcome.
-
-<sect1>Missing squid.conf options available in Squid-2.7
-<p>
-<descrip>
- <tag>broken_vary_encoding</tag>
- <p>Not yet ported from 2.6
-
- <tag>cache_dir</tag>
- <p><em>COSS</em> storage type is lacking stability fixes from 2.6
- <p>COSS <em>overwrite-percent=</em> option not yet ported from 2.6
- <p>COSS <em>max-stripe-waste=</em> option not yet ported from 2.6
- <p>COSS <em>membufs=</em> option not yet ported from 2.6
- <p>COSS <em>maxfullbufs=</em> option not yet ported from 2.6
-
- <tag>cache_peer</tag>
- <p><em>idle=</em> not yet ported from 2.7
- <p><em>monitorinterval=</em> not yet ported from 2.6
- <p><em>monitorsize=</em> not yet ported from 2.6
- <p><em>monitortimeout=</em> not yet ported from 2.6
- <p><em>monitorurl=</em> not yet ported from 2.6
-
- <tag>cache_vary</tag>
- <p>Not yet ported from 2.6
-
- <tag>collapsed_forwarding</tag>
- <p>Not yet ported from 2.6
-
- <tag>error_map</tag>
- <p>Not yet ported from 2.6
-
- <tag>external_refresh_check</tag>
- <p>Not yet ported from 2.7
-
- <tag>location_rewrite_access</tag>
- <p>Not yet ported from 2.6
-
- <tag>location_rewrite_children</tag>
- <p>Not yet ported from 2.6
-
- <tag>location_rewrite_concurrency</tag>
- <p>Not yet ported from 2.6
-
- <tag>location_rewrite_program</tag>
- <p>Not yet ported from 2.6
-
- <tag>refresh_pattern</tag>
- <p><em>stale-while-revalidate=</em> not yet ported from 2.7
- <p><em>ignore-stale-while-revalidate=</em> not yet ported from 2.7
- <p><em>negative-ttl=</em> not yet ported from 2.7
-
- <tag>refresh_stale_hit</tag>
- <p>Not yet ported from 2.7
-
- <tag>update_headers</tag>
- <p>Not yet ported from 2.7
-
-</descrip>
-
-<sect>Copyright
-<p>
-Copyright (C) 1996-2023 The Squid Software Foundation and contributors
-<p>
-Squid software is distributed under GPLv2+ license and includes
-contributions from numerous individuals and organizations.
-Please see the COPYING and CONTRIBUTORS files for details.
-
-</article>
projects / thirdparty / squid.git / commitdiff
