<!doctype linuxdoc system>
<article>
<title>Squid 3.2.3 release notes</title>
<author>Squid Developers</author>

<abstract>
This document contains the release notes for version 3.2 of Squid.
Squid is a WWW Cache application developed by the National Laboratory
for Applied Network Research and members of the Web Caching community.
</abstract>

<toc>

<sect>Notice
<p>
The Squid Team are pleased to announce the release of Squid-3.2.3 for testing.

This new release is available for download from <url url="http://www.squid-cache.org/Versions/v3/3.2/"> or the <url url="http://www.squid-cache.org/Mirrors/http-mirrors.html" name="mirrors">.

While this release is not deemed ready for production use, we believe it is ready for wider testing by the community.

We welcome feedback and bug reports. If you find a bug, please see <url url="http://wiki.squid-cache.org/SquidFaq/BugReporting"> for how to submit a
report with a stack trace.

<sect1>Known issues
<p>
Although this release is deemed good enough for use in many setups, please note the existence of <url url="http://bugs.squid-cache.org/buglist.cgi?query_format=advanced&short_desc_type=allwordssubstr&short_desc=&target_milestone=3.2&long_desc_type=allwordssubstr&long_desc=&bug_file_loc_type=allwordssubstr&bug_file_loc=&status_whiteboard_type=allwordssubstr&status_whiteboard=&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&emailtype1=substring&email1=&emailtype2=substring&email2=&bugidtype=include&bug_id=&votes=&chfieldfrom=&chfieldto=Now&chfieldvalue=&cmdtype=doit&order=bugs.bug_severity&field0-0-0=noop&type0-0-0=noop&value0-0-0=" name="open bugs against Squid-3.2">.

<p>Some issues currently known in this release which cannot be fixed in the 3.2 series are:

<itemize>
<item>TCP logging of access.log does not recover from broken connections well.
<item>SSL-Bump not re-wrapping decrypted traffic in CONNECT for peers.
<item>Cache Manager reports in text/plain format even when requested directly via browser.
</itemize>

<p>Currently known issues which only depend on available developer time and may still be resolved in a future 3.2 release are:

<itemize>
<item>SMP support still has a number of important bugs needing to be resolved. See the bugs list above for details.
<item>Windows support is still incomplete.
<item>The lack of some features available in the Squid-2.x series. See the regression sections below for full details.
</itemize>


<sect1>Changes since earlier releases of Squid-3.2
<p>
The 3.2 change history can be <url url="http://www.squid-cache.org/Versions/v3/3.2/changesets/" name="viewed here">.

<sect>Major new features since Squid-3.1
<p>Squid 3.2 represents a new feature release above 3.1.

<p>The most important of these new features are:
<itemize>
<item>CVE-2009-0801 : NAT interception vulnerability to malicious clients.
<item>NCSA helper DES algorithm password limits
<item>SMP scalability
<item>Helper Multiplexer and On-Demand
<item>Helper Name Changes
<item>Multi-Lingual manuals
<item>Solaris 10 pthreads Support
<item>Surrogate/1.0 protocol extensions to HTTP
<item>Logging Infrastructure Updated
<item>Client Bandwidth Limits
<item>Better eCAP support
<item>Cache Manager access changes
</itemize>

Most user-facing changes are reflected in squid.conf (see below).


<sect1>CVE-2009-0801 : NAT interception vulnerability to malicious clients.
<p>Details in Advisory <url url="http://www.squid-cache.org/Advisories/SQUID-2011_1.txt" name="SQUID-2011:1">

<p>Squid locates the authority-URL details available in an HTTP request as
defined by RFC 2616 and validates that all found representations are
<em>textually</em> equivalent. In the case of intercepted traffic the
client destination IP is also compared to the DNS entries of the Host:
authority domain.

<p>When the Host: authority contradicts another authority source Squid will log
"SECURITY ALERT: Host: header forgery detected". The response will then be determined
by the <url url="http://www.squid-cache.org/Doc/config/host_verify_strict/" name="host_verify_strict">
directive. Squid will respond with a 409 Conflict error response when strict validation
fails and handles the request normally when strict validation succeeds or is OFF (default).

<p>Relaying of messages which FAIL non-strict Host: validation is permitted through Squid but
only to the original destination IP the client was requesting or to explicit peers. This means
DNS lookups to locate alternative DIRECT destinations will not be done.

<p>Known Issue: When non-strict validation fails Squid will relay the request, but can only do
so safely to the original destination IP the client was contacting. The client original
destination IP is lost when relaying to peers in a hierarchy. This means the upstream peers
are still at risk of causing the same-origin bypass CVE-2009-0801 vulnerability.
Developer time is required to implement safe transit of these requests.
Please contact squid-dev if you are able to assist or sponsor the development.

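The verification described above, as an added Python model written for these notes (it is not Squid source code). It follows the three outcomes the text gives: all authority representations textually equal (plus, for intercepted traffic, the client destination IP appearing in the Host: domain's DNS records) means forward normally; a mismatch with <em>host_verify_strict</em> on means a 409; a mismatch with strict off means relay only to the original destination IP. The DNS table and the request samples are constructed for the example.

```python
"""Model of Squid-3.2 Host: header verification (CVE-2009-0801 mitigation).

Added illustration, not Squid source code. Authority comparison, the
intercepted-traffic DNS check and the strict / non-strict outcomes follow
the release notes; FAKE_DNS and the sample requests are constructed.
"""
from urllib.parse import urlsplit

# Constructed stand-in for DNS: authority host -> set of A records.
FAKE_DNS = {
    "www.example.com": {"192.0.2.10", "192.0.2.11"},
    "bank.example.net": {"198.51.100.5"},
}


def request_authorities(request_line_url, host_header):
    """Collect every authority representation present in a request: the
    netloc of an absolute-URI on the request line (if any) and the Host:
    header value. The comparison is textual, so values are only lowercased."""
    found = []
    netloc = urlsplit(request_line_url).netloc
    if netloc:
        found.append(netloc.lower())
    if host_header:
        found.append(host_header.strip().lower())
    return found


def verify_host(request_line_url, host_header, intercepted=False,
                client_dst_ip=None, strict=False, dns=FAKE_DNS):
    """Return (verdict, action) for one request.

    ("ok", "forward")                    every representation agrees, and for
                                         intercepted traffic the client's
                                         destination IP is one of the Host:
                                         domain's DNS records
    ("forgery", "409")                   mismatch with host_verify_strict on
    ("forgery", "relay-to-original-dst") mismatch with strict off: relayed,
                                         but only to the IP the client itself
                                         was contacting (or an explicit peer),
                                         never to a DNS-derived alternative
    """
    auths = request_authorities(request_line_url, host_header)
    textual_ok = len(set(auths)) <= 1
    dns_ok = True
    if intercepted and auths:
        # urlsplit handles "host:port" and bracketed IPv6 literals for us.
        host = urlsplit("//" + auths[0]).hostname
        dns_ok = client_dst_ip in dns.get(host, set())
    if textual_ok and dns_ok:
        return ("ok", "forward")
    # This is the point at which Squid logs
    # "SECURITY ALERT: Host: header forgery detected".
    if strict:
        return ("forgery", "409")
    return ("forgery", "relay-to-original-dst")
```

The model deliberately does no DNS lookup in the failure branch: as the notes state, a request that fails non-strict validation is never re-routed to a DIRECT destination found via DNS, which is what keeps the relay safe for the original destination but not for upstream peers.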
<sect1>NCSA helper DES algorithm password limits
<p>Details in Advisory <url url="http://www.squid-cache.org/Advisories/SQUID-2011_2.txt" name="SQUID-2011:2">

<p>The DES algorithm used by the NCSA Basic authentication helper has a
limit of 8 bytes but some implementations do not error when truncating
longer passwords down to this unsafe level.

<p>This both significantly lowers the threshold of difficulty of decrypting
captured password files and hides from users the fact that the extra bits
of their chosen long password are not being utilized.

<p>The NCSA helper bundled with Squid will prevent passwords longer than 8
characters being sent to the DES algorithm. The MD5 hash algorithm, which
supports passwords longer than 8 characters, is also supported by this helper
and should be used instead.


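An added Python check for administrators, written for these notes and not part of the basic_ncsa_auth helper: it scans an NCSA httpd-style password file, reports the entries still stored as traditional DES crypt (the ones that should be migrated to MD5), and applies the same rule as the 3.2 helper of refusing to pass a password longer than 8 characters to DES. Hash-format detection relies on the standard crypt(3) conventions (a 13-character DES hash without a <tt>$</tt> prefix; <tt>$1$</tt> or <tt>$apr1$</tt> for MD5); the sample file contents are constructed.

```python
"""Audit an NCSA httpd-style password file for DES-crypt entries.

Added example, not the basic_ncsa_auth helper's own code. The sample
password file below is constructed; its hashes are placeholders in the
right format, not real credentials.
"""
import re

# Traditional DES crypt: 13 characters from the crypt alphabet, no '$' prefix.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
DES_MAX_PASSWORD = 8  # DES crypt only ever uses the first 8 bytes


def hash_kind(hashed):
    """Classify a stored hash as 'md5', 'des' or 'unknown'."""
    if hashed.startswith("$apr1$") or hashed.startswith("$1$"):
        return "md5"
    if DES_RE.match(hashed):
        return "des"
    return "unknown"


def parse_ncsa_file(text):
    """Yield (user, hash) pairs from 'user:hash' lines, skipping comments
    and blank or malformed lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hashed = line.split(":", 1)
        yield user, hashed


def audit(text):
    """Return the users whose stored hash is DES and should move to MD5."""
    return [user for user, hashed in parse_ncsa_file(text)
            if hash_kind(hashed) == "des"]


def password_allowed_for(hashed, password):
    """Mirror the 3.2 helper rule: never feed DES a password longer than
    8 characters, so a silently truncated password cannot verify."""
    if hash_kind(hashed) == "des" and len(password) > DES_MAX_PASSWORD:
        return False
    return True


# Constructed sample file: one DES entry, one Apache MD5, one crypt MD5.
SAMPLE_PASSWD = """# constructed sample, not real credentials
alice:abJnggxhB/yWI
bob:$apr1$saltsalt$xGjJAO7rdPgOEepY3i1MX1
carol:$1$saltsalt$qJH7.N4xYta3aEG/dfqo/0
"""
```

Run <tt>audit(SAMPLE_PASSWD)</tt> against your own file to get the list of accounts to re-hash; <tt>password_allowed_for</tt> shows why a 9+ character password against a DES entry must be rejected rather than truncated.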
<sect1>SMP scalability
<p>The new "workers" squid.conf option can be used to launch multiple worker
processes and utilize multiple CPU cores. The overall intent is to make
multiple workers look like one to an outside observer, while providing
knobs to customize each worker behavior if needed.

<p>By default, all worker processes are configured identically and do what a
single Squid instance would have done. Squid.conf macro substitutions and
conditionals (see below) can be used to customize individual worker
configurations. In the paragraphs below, "can share" implies "will share by
default".

<p>Workers can share HTTP, HTTPS, SNMP, ICP, and HTCP listening addresses.
Configuration related to ICP and HTCP clients must be adjusted to avoid
source address conflicts: Modify the IP address and/or the port used for
the protocol. Workers do not share DNS addresses by default because the OS
assigns each worker a unique DNS port.

<p>Workers can share logs.

<p>Workers can share caches. Memory cache is automatically shared when multiple
workers are used. Cache_dir are shared when configured with the <em>rock</em>
storage type. Cache_dir of other types must be adjusted to point each
disk-caching worker to its own disk area. ICP and HTCP responses are based
on the responding worker cache state.

<p>Cache manager statistics are reported from a worker point of view, for now,
though some reports are combined. SNMP statistics are combined across all
workers.

<p>Startup, reconfiguration, shutdown, and log rotation are handled as for a
monolithic Squid. Abnormally terminated workers are restarted while
other workers continue serving traffic.

<sect2>Squid.conf macros and conditionals
<p>Added support for process_name and process_number macros as well as simple
if-statement conditionals in squid.conf. These features allow individual
worker customization in SMP mode. For details, search for the "Conditional
configuration" and "SMP-Related Macros" sections in squid.conf.documented.


<sect1>Helper Multiplexer
<p>The helper multiplexer's purpose is to relieve some of the burden
Squid has when dealing with slow helpers. It does so by acting as a
middleman between squid and the actual helpers, talking to Squid via
the multiplexed concurrent variant of the helper protocol and to the
helpers via the non-concurrent variant.

<p>Helpers are started on demand, and in theory the muxer can handle up to
1k helpers per instance. It's up to squid to decide how many helpers
to start.

<p>The muxer knows nothing about the actual messages being passed around,
and as such can't really (yet?) compensate for broken helpers.
It is not yet able to manage dying helpers, but it will.

<p>To configure the multiplexer add its binary name (usually /usr/share/libexec/helper-mux.pl)
in front of the name of whichever helper is being multiplexed. It takes the helper binary
path and parameters as its own command parameters. The <em>concurrency</em> setting already
existing in Squid is used to configure how many child helpers it may run.

<p>For example, a traditional configuration is
<verb>
url_rewrite_program /your/redirector.sh
url_rewrite_children 5
</verb>
the alternative multiplexer configuration is:
<verb>
url_rewrite_program /usr/share/libexec/helper-mux.pl /your/redirector.sh
url_rewrite_children 1 concurrency=5
</verb>

<p>Helpers which are already concurrent protocol enabled gain little benefit from the multiplexer
on most systems. However on some systems where Squid spawning helpers causes excess memory usage
the reduction in direct helpers spawned by Squid can result in a great reduction in resource use.

<p>The helper can be controlled using various signals:
<itemize>
<item>SIGHUP: dump the state of all helpers to STDERR
</itemize>


<sect1>Helpers On-Demand
<p>Traditionally Squid has been configured with a fixed number of helpers and started them during
its start and reconfigure phases. This forces the hard configuration problem of how many helpers
will be needed to be solved before starting Squid in production use.

<p>The on-demand helpers feature allows greater flexibility and resolves this problem by allowing
maximum, initial and idle thresholds to be configured. Squid will start the initial set during
start and reconfigure phases. However over the operational use new helpers up to the maximum will
be started as load demands. The idle threshold determines how many more helpers to start if the
currently running set is not enough to handle current request loads.

<p>For example, a traditional configuration is
<verb>
auth_param ntlm /usr/libexec/squid/ntlm_auth
auth_param ntlm children 200
</verb>
the alternative on-demand configuration could be:
<verb>
auth_param ntlm /usr/libexec/squid/ntlm_auth
auth_param ntlm children 200 startup=10 idle=2
</verb>

<p>The example still permits up to 200 helpers to be running at once under peak traffic loads,
but only starts 10 when Squid is initialized, resulting in a faster boot up.
When client requests threaten to overload the running helpers an additional 2 will be started.

<p>NOTE: if no <em>startup</em> and <em>idle</em> values are specified the traditional behaviour
of starting the maximum number of helpers will occur.


<sect1>Helper Name Changes
<p>To improve the understanding of what each helper does and where it should be used the helper binaries
which are bundled with Squid have undergone a naming change in this release.

<p>Below is a list of the old helper names and what their names have changed to.
For several helpers the directory name used in the --enable-X-helpers configure option has also changed.

<sect2>Basic Authentication protocol helpers
<p><itemize>
<item>squid_db_auth - basic_db_auth - Retrieve authentication details from a simple SQL database table.
<item>getpwnam_auth - basic_getpwname_auth - Authenticate with local system user accounts.
<item>squid_ldap_auth - basic_ldap_auth - Authenticate with LDAP user accounts.
<item>MSNT-multi-domain - basic_msnt_multi_domain_auth - Authenticate with any one of multiple Windows Domain Controllers.
<item>msnt_auth - basic_msnt_auth - Authenticate with Windows Domain Controllers selected by username.
<item>ncsa_auth - basic_ncsa_auth - Authenticate with NCSA httpd-style password file.
<item>yp_auth - basic_nis_auth - Authenticate with NIS security system.
<item>pam_auth - basic_pam_auth - Authenticate with the system PAM infrastructure.
<item>pop3.pl - basic_pop3_auth - Authenticate with a mail server POP3/SMTP credentials.
<item>squid_radius_auth - basic_radius_auth - Authenticate with RADIUS.
<item>squid_sasl_auth - basic_sasl_auth - Authenticate with SASL.
<item>smb_auth - basic_smb_auth - Authenticate with Samba SMB.
<item>mswin_sspi - basic_sspi_auth - Authenticate with a Windows Domain Controller using SSPI.
</itemize>

<sect2>Digest Authentication protocol helpers
<p><itemize>
<item>digest_pw_auth - digest_file_auth - Authenticate against credentials stored in a simple text file.
</itemize>

<sect2>External ACL helpers
<p><itemize>
<item>mswin_check_ad_group - ext_ad_group_acl - Check logged in users' Group membership using Active Directory.
<item>ip_user_check - ext_file_userip_acl - Restrict users to certain IP addresses, using a text file backend.
<item>squid_kerb_ldap - ext_kerberos_ldap_group_acl - Check logged in Kerberos or NTLM users' Group membership using LDAP.
<item>squid_ldap_group - ext_ldap_group_acl - Check logged in users' Group membership using LDAP.
<item>mswin_check_lm_group - ext_lm_group_acl - Check logged in users' Group membership using LanManager.
<item>squid_session - ext_session_acl - Maintain a session cache of client identifiers (usually IP address).
This helper has also gone through a version update and now uses more current BerkeleyDB 4.1+ APIs.
<item>squid_unix_group - ext_unix_group_acl - Check logged in users' Group membership using local UNIX groups.
<item>wbinfo_group.pl - ext_wbinfo_group_acl - Check logged in users' Group membership using wbinfo.
</itemize>

<sect2>Negotiate Authentication protocol helpers
<p><itemize>
<item>squid_kerb_auth - negotiate_kerberos_auth - Authenticate with Kerberos servers.
<item>mswin_sspi - negotiate_sspi_auth - Authenticate with a Windows Domain Controller using SSPI.
<item>negotiate_wrapper - negotiate_wrapper_auth - Split Negotiate traffic between Kerberos and NTLM helpers.
</itemize>

<sect2>NTLM Authentication protocol helpers
<p><itemize>
<item>no_check.pl - Deprecated. - Use the faster and less easily decrypted ntlm_fake_auth instead.
<item>fakeauth_auth - ntlm_fake_auth - Perform NTLMSSP to recover the username but don't verify the password.
<item>ntlm_auth - ntlm_smb_lm_auth - Perform SMB LanManager domain-less authentication over NTLM protocol.
<item>mswin_ntlm_auth - ntlm_sspi_auth - Perform NTLMSSP authentication using Windows native Security Support Provider Interface API.
</itemize>

<sect2>URL re-write helpers
<p>This group of helpers have been bundled to demonstrate how to code URL re-writers:
<itemize>
<item>url_fake_rewrite - Accept various url_rewrite details and log the input.
</itemize>


<sect1>Multi-Lingual manuals
<p>The man(8) and man(1) pages bundled with Squid are now provided online for all
versions and beginning with 3.2 they are available in languages other than English (where translated).

<p>Details in <url url="http://wiki.squid-cache.org/Translations" name="The Squid wiki">

<p>3.1 began the Internationalization of Squid with the public facing error pages.
This move begins the Localization of the internal administrator facing manuals.


<sect1>Solaris 10 pthreads Support (Experimental)
<p>Automatic detection and use of the pthreads library available from Solaris 10.

<p>The result of this addition means that faster, more efficient AUFS cache storage mechanisms
are now available in Solaris 10.

<p>Support is experimental at this stage due to lack of feedback on the results of enabling it.
We recommend giving AUFS a try for faster disk storage and encourage feedback.


<sect1>Surrogate/1.0 protocol extensions to HTTP
<p>The <em>Surrogate</em> extensions to HTTP protocol enable an origin web server to specify separate
cache controls for a reverse proxy acting on its behalf. Previously this was closely tied with the ESI
feature support in Squid. This release opens Surrogate support to all reverse proxies.

<p>Reverse proxy requests sent on to the web server include the HTTP header <em>Surrogate-Capabilities:</em>
specifying the capabilities of the reverse proxy along with an ID which can be used to target responses with
a <em>Surrogate-Control:</em> HTTP header used instead of the <em>Cache-Control:</em> header.

<p>The default surrogate ID is generated automatically from the Squid site-unique hostname as found by the
automatic detection or manual configuration of <em>visible_hostname</em>, although it can be configured
separately with the <em>httpd_accel_surrogate_id</em> option.

<p><em>Security Considerations:</em> Websites should be careful of accepting any surrogate ID.
Older releases of Squid leak the Surrogate-Control headers to external servers.
This 3.2 series of Squid will now prevent this leakage of its own ID destined responses, however it is possible
and for some uses desirable to receive external reverse-proxies' <em>Surrogate-Capabilities:</em> headers.

<p><em>NOTE:</em> Several operating system distributions historically package Squid with a forced value of
<em>visible_hostname localhost</em>. If this is done on a Surrogate enabled install a manual re-configuration
is required to prevent an unacceptable surrogate ID of 'localhost' being generated.


<sect1>Logging Infrastructure Updated
<p>The advanced logging modules introduced in Squid-2.7 are now available from Squid-3.2.

<p>This feature is documented at http://wiki.squid-cache.org/Features/LogModules

<p>The new infrastructure currently supports several different channel types (modules) ranging from
direct filesystem logging (stdio, daemon) to network logging (syslog, UDP and TCP). The daemon logging
interface allows for a custom helper to be written to process logs in real-time.

<p>Upgrading: the <em>access_log</em> and <em>cache_store_log</em> were previously logged via what is
now called the <em>stdio</em> module.
This is still supported and used by default if no module is named. For best performance, particularly in SMP
environments, we recommend the <em>daemon</em> module be used. The provided <em>log_file_daemon</em> helper
performs the traditional logging to the local filesystem.

<p>In addition to this the cache.log can now be limited to a smaller number of files stored.
Traditionally cache.log.N has been fixed at the same number of rotated files as access.log.N through the
<em>logfile_rotate</em> setting. The <em>debug_options</em> setting can now be used to configure the number
of debug cache.log files to rotate through with a <em>rotate=N</em> option. This is particularly useful for
logging a single cache.log at relatively high debug levels on a high-traffic system, or one which is
required to store a long period of access.log and needs to conserve disk space.

<p>The <em>referer_log</em> and <em>useragent_log</em> directives have been converted to built-in log formats.
These logs are now created using an <em>access_log</em> line with the format "referrer" or "useragent".
They also now log all client requests; if there was no Referer or User-Agent header a dash (-) is logged.

<p>Known Issue: The TCP logging module does not recover from broken connections well.
At present it will restart the affected Squid instance if the TCP connection is broken.


<sect1>Client Bandwidth Limits
<p>In mobile environments, Squid may need to limit Squid-to-client bandwidth
available to individual users, identified by their IP addresses. The IP
address pool can be as large as a /10 IPv4 network (4 million unique IP
addresses) and even larger in IPv6 environments. On the other hand, the code
should support thousands of connections coming from a single IP (e.g.,
a child proxy).

<p>The implementation is based on storing bandwidth-related "bucket" information
in the existing "client database" hash (client_db.cc). The old code already
assigned each client IP a single ClientInfo object, which satisfies the
client-side IP-based bandwidth pooling requirements. The old hash size is
increased to support up to 32K concurrent clients if needed.

<p>Client-side pools are configured similarly to server-side ones, but there is
only one pool class. See client_delay_pools,
client_delay_initial_bucket_level, client_delay_parameters, and
client_delay_access in squid.conf. The client_delay_access matches the client
with delay parameters. It does not pool clients from different IP addresses
together.

<p>Special care is taken to provide fair distribution of bandwidth among clients
sharing the same bucket (i.e., clients coming from the same IP address).
Multiple same-IP clients competing for bandwidth are queued using a FIFO
algorithm. If a bucket becomes empty, the first client among those sharing
the bucket is delayed by 1 second before it can attempt to receive more
response data from Squid. This delay may need to be lowered in
high-bandwidth environments.


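The per-IP bucket behaviour described above, as an added Python simulation written for these notes (it is not the client_db.cc implementation). It keeps one bucket per client IP, starts the bucket at a percentage of its maximum size as <em>client_delay_initial_bucket_level</em> does, refills it at a fixed rate, serves same-IP clients strictly in FIFO order, and applies the 1-second delay to the head of the queue when the bucket runs dry. The rate and size parameters, the clock and the two-client scenario are constructed; only the FIFO ordering and the 1-second delay come from the notes.

```python
"""Per-client-IP token bucket with FIFO sharing (client_delay_pools model).

Added example, not Squid code. The refill arithmetic, the parameter names
rate/max_size/initial_percent and the scenario in demo() are assumptions
made for illustration; the FIFO queue and the 1 second empty-bucket delay
are as described in the release notes.
"""
from collections import deque

EMPTY_BUCKET_DELAY = 1.0  # seconds, per the release notes


class ClientBucket:
    """One bucket for all clients arriving from a single IP address."""

    def __init__(self, rate_bytes_per_sec, max_bucket_size, initial_percent, now=0.0):
        self.rate = rate_bytes_per_sec
        self.max_size = max_bucket_size
        # client_delay_initial_bucket_level: start partly full, not empty.
        self.level = max_bucket_size * initial_percent / 100.0
        self.last_refill = now
        self.waiting = deque()   # FIFO of client ids competing for this bucket
        self.delayed_until = {}  # client id -> earliest time it may retry

    def refill(self, now):
        """Credit the bucket for the time elapsed since the last refill."""
        elapsed = now - self.last_refill
        self.level = min(self.max_size, self.level + elapsed * self.rate)
        self.last_refill = now

    def request(self, client, nbytes, now):
        """Ask to send nbytes of response data to `client` at time `now`.
        Returns the number of bytes granted (0 means the client must wait)."""
        self.refill(now)
        if self.delayed_until.get(client, 0.0) > now:
            return 0                       # still serving its 1 s penalty
        if client not in self.waiting:
            self.waiting.append(client)
        if self.waiting[0] != client:
            return 0                       # FIFO: not this client's turn yet
        if self.level <= 0:
            # Bucket empty: the first waiting client is delayed 1 second
            # before it may try again.
            self.delayed_until[client] = now + EMPTY_BUCKET_DELAY
            return 0
        granted = int(min(nbytes, self.level))
        self.level -= granted
        self.waiting.popleft()
        return granted


def demo():
    """Constructed scenario: two clients behind one IP, 1000 B/s refill,
    1000 B bucket starting 50% full. Returns the bytes granted per call."""
    bucket = ClientBucket(rate_bytes_per_sec=1000, max_bucket_size=1000,
                          initial_percent=50, now=0.0)
    return [
        bucket.request("c1", 400, now=0.0),  # 400 granted, 100 left
        bucket.request("c2", 400, now=0.0),  # only 100 left, partial grant
        bucket.request("c1", 400, now=0.0),  # empty: c1 delayed until t=1.0
        bucket.request("c1", 400, now=0.5),  # refilled, but still delayed
        bucket.request("c1", 400, now=1.0),  # delay over, full grant
    ]
```

The fourth call is the case the notes warn about: at t=0.5 the bucket already holds 500 bytes again, yet the client is still held by the fixed 1-second delay, which is why that constant may need lowering on high-bandwidth links.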
<sect1>Better eCAP Support
<p>Support for libecap version 0.2.0 has been added with this series of Squid, bringing
better support for body handling and logging.

<p>Known Issue: Due to API changes in libecap this release of Squid will not build
against any older libecap releases.


<sect1>Cache Manager access changes
<p>The Squid Cache Manager has previously only been accessible under the cache_object://
URL scheme, which has restricted its reporting to tools which can send arbitrary
URIs to the proxy.

<p>This version of Squid now provides access through the http:// and https:// URL schemes,
allowing web browsers access without having to use the cachemgr.cgi gateway and enabling
the use of HTTPS security where desired.

<p>The cache manager is available under the path prefix /squid-internal-mgr/. For example
the URL http://example.com/squid-internal-mgr/menu will bring up the manager menu. This
means there are some configuration changes required to lock down manager access.
The <em>manager</em> ACL needs changing to:
<verb>
acl manager url_regex -i ^cache_object:// ^https?://[^/]+/squid-internal-mgr/
</verb>

<p>The manager prefix /squid-internal-mgr/ with no action attempts to load an optional
template MGR_INDEX which may be installed amongst the Squid error templates.
This template is not supplied with Squid but is intended to be supplied by separate
cache manager applications as their front page embedding all scripts, accessors or
redirects required for their initial GUI display.

<p>Version 3.2 of the CGI cache manager tool now presents XHR scripted probes to detect
proxies presenting these manager index pages and provides direct HTTP/HTTPS web links
to those managers.


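An added Python check, written for these notes rather than taken from Squid, showing why the <em>manager</em> ACL must be updated: it evaluates a set of request URLs against the old single-pattern ACL and against the two-pattern 3.2 ACL quoted above, using Python's <tt>re</tt> with case-insensitive matching as the <tt>-i</tt> flag requests. The access ordering it models (<tt>allow localhost manager</tt>, then <tt>deny manager</tt>, then other rules) is the usual stock one and is an assumption here; the sample URLs and source address are constructed.

```python
"""Which URLs does the 'manager' ACL catch, before and after the 3.2 change?

Added example, not Squid code. The http_access ordering modelled below is
assumed (check your own squid.conf); SAMPLE_URLS and the source address
are constructed.
"""
import re

# Pre-3.2 ACL: only the cache_object:// scheme.
OLD_MANAGER_ACL = [r"^cache_object://"]
# 3.2 ACL from the release notes: cache_object:// plus the http(s) path prefix.
NEW_MANAGER_ACL = [r"^cache_object://", r"^https?://[^/]+/squid-internal-mgr/"]

LOCALHOST = {"127.0.0.1", "::1"}


def compile_acl(patterns):
    """url_regex -i: case-insensitive match; the patterns carry their own ^."""
    return [re.compile(p, re.IGNORECASE) for p in patterns]


def is_manager_url(url, acl):
    return any(rx.search(url) for rx in acl)


def http_access(src_ip, url, acl):
    """Model of the assumed stock ordering:
         http_access allow localhost manager
         http_access deny manager
         ... later rules, modelled here as 'allow' for non-manager URLs
    Returns "allow" or "deny"."""
    if is_manager_url(url, acl):
        return "allow" if src_ip in LOCALHOST else "deny"
    return "allow"


def audit_manager_exposure(urls, src_ip="203.0.113.7"):
    """For each URL, the decision under the old ACL and under the 3.2 ACL,
    so an administrator can see what an un-updated ACL leaves reachable."""
    old = compile_acl(OLD_MANAGER_ACL)
    new = compile_acl(NEW_MANAGER_ACL)
    return {u: (http_access(src_ip, u, old), http_access(src_ip, u, new))
            for u in urls}


# Constructed sample of request URLs as a remote client might send them.
SAMPLE_URLS = [
    "cache_object://localhost/menu",
    "http://proxy.example.com/squid-internal-mgr/menu",
    "HTTPS://proxy.example.com:3128/SQUID-INTERNAL-MGR/info",
    "http://www.example.com/index.html",
]
```

The second and third sample URLs are the ones that matter: with the old ACL a remote client's manager request over http:// or https:// is not recognised as a manager request at all and falls through to whatever later rules allow, which is the exposure the new ACL closes.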
<sect>Changes to squid.conf since Squid-3.1
<p>
There have been changes to Squid's configuration file since Squid-3.1.

This section gives a thorough account of those changes in three categories:

<itemize>
<item><ref id="newtags" name="New tags">
<item><ref id="modifiedtags" name="Changes to existing tags">
<item><ref id="removedtags" name="Removed tags">
</itemize>
<p>

745114d1 AJ |
444 | <sect1>New tags<label id="newtags"> |
445 | <p> | |
446 | <descrip> | |
902bc38b AJ |
447 | <tag>adaptation_meta</tag> |
448 | <p>This option allows Squid administrator to add custom ICAP request | |
449 | headers or eCAP options to Squid ICAP requests or eCAP transactions. | |
450 | ||
4b67fbe0 AR |
451 | <tag>adaptation_send_client_ip</tag> |
452 | <p>Same as depricated icap_send_client_ip | |
453 | but applies to both ICAP and eCAP.</p> | |
454 | ||
455 | <tag>adaptation_send_username</tag> | |
456 | <p>Same as depricated icap_send_client_username | |
457 | but applies to both ICAP and eCAP.</p> | |
458 | ||
459 | <tag>adaptation_uses_indirect_client</tag> | |
460 | <p>Same as depricated icap_uses_indirect_client | |
461 | but applies to both ICAP and eCAP.</p> | |
462 | ||
69a9b4de AJ |
463 | <tag>client_delay_pools</tag> |
464 | <p>New setting for client bandwith limits to specifies the number | |
465 | of client delay pools used. | |
466 | ||
467 | <tag>client_delay_initial_bucket_level</tag> | |
468 | <p>New setting for client bandwith limits to determine the initial | |
469 | bucket size as a percentage of max_bucket_size from | |
470 | client_delay_parameters. | |
471 | ||
472 | <tag>client_delay_parameters</tag> | |
473 | <p>New setting for client bandwith limits to configures client-side | |
474 | bandwidth limits. | |
475 | ||
476 | <tag>client_delay_access</tag> | |
477 | <p>New setting for client bandwith limits to determines the | |
478 | client-side delay pool for the request. | |
479 | ||
bfe4e2fe | 480 | <tag>client_dst_passthru</tag> |
2284b7f7 | 481 | <p>New setting to disable extra Host: header security on interception proxies. |
bfe4e2fe | 482 | Impacts cache integrity/reliability and client browser security. |
2284b7f7 AJ |
483 | <p><em>IMPORTANT:</em> disabling this directive only allows Squid to change the |
484 | destination IP to another source indicated by Host: domain DNS or | |
485 | cache_peer configuration. It <em>does not</em> affect Host: validation. | |
bfe4e2fe | 486 | |
97b32442 AJ |
487 | <tag>client_idle_pconn_timeout</tag> |
488 | <p>Renamed from <em>persistent_request_timeout</em>. | |
489 | ||
eb9b1666 AJ |
490 | <tag>cpu_affinity_map</tag> |
491 | <p>New setting for SMP support to map Squid processes onto specific CPU cores. | |
2bf4e8fa | 492 | |
31ef19cd AJ |
493 | <tag>connect_retries</tag> |
494 | <p>Replacement for <em>maximum_single_addr_tries</em>, but instead of only applying to hosts with single addresses. | |
6d44d1e9 | 495 | This directive applies to all hosts, extending the number of connection attempts to each IP address. |
a750e510 | 496 | |
f9f44d76 AJ |
497 | <tag>dns_packet_max</tag> |
498 | <p>New setting to configure maximum number of bytes packet size to advertise via EDNS. | |
499 | Set to "none" (the initial default) to disable EDNS large packet support. | |
31ef19cd | 500 | |
7eba3326 | 501 | <tag>else</tag> |
eb9b1666 | 502 | <p>Part of conditional SMP support syntax. see <em>if</em> |
7eba3326 AJ |
503 | |
504 | <tag>endif</tag> | |
eb9b1666 | 505 | <p>Part of conditional SMP support syntax. see <em>if</em> |
7eba3326 | 506 | |
a98c2da5 | 507 | <tag>eui_lookup</tag> |
2bf4e8fa | 508 | <p>Whether to lookup the EUI or MAC address of a connected client. |
a98c2da5 | 509 | |
f787354b AJ |
510 | <tag>host_verify_strict</tag> |
511 | <p>New option to enable super-strict matching of HTTP and DNS information, | |
512 | ensuring that the HTTP URI details, DNS records, and TCP connection layer all match in a | |
513 | three-legged security verification. This prevents domain hijacking and malicious poisoning | |
514 | attacks by malicious scripts. | |
515 | <p>The default is to verify only intercepted traffic, to log all issues and let failed | |
516 | traffic through when doing so can be done safely. | |
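<p>An added configuration example (not from these release notes or the Squid project) showing <em>host_verify_strict</em> and <em>client_dst_passthru</em> together on an interception listener, with the new error logformat tags used to record verification failures; the port, log paths and the format name are placeholder choices:

```conf
# Added example, not part of the Squid release notes. The port, log paths
# and the 'hostcheck' format name are placeholders.

# Intercepted (NAT/TPROXY) traffic arrives here. Regardless of the two
# settings below, Squid always checks the Host: header of intercepted
# requests against the original TCP destination.
http_port 3129 intercept

# Default is 'off': a mismatch is logged, the response is not cached, and
# the request is still forwarded when that can be done safely.
# 'on' rejects every mismatch instead of letting it through.
host_verify_strict on

# Default 'on' keeps the client's original destination IP for intercepted
# requests. 'off' lets Squid pick another address from the Host: domain's
# DNS records or from cache_peer, which weakens cache integrity and client
# security; it does NOT relax the Host: validation itself.
client_dst_passthru on

# Record verification failures with the new error tags so they can be
# reviewed rather than silently dropped.
logformat hostcheck %ts.%03tu %>a %>la:%>lp %ru %err_code/%err_detail
access_log daemon:/var/log/squid/hostcheck.log hostcheck
```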
517 | ||
eb9b1666 AJ |
518 | <tag>icap_206_enable</tag> |
519 | <p>New option to toggle whether the ICAP 206 (Partial Content) response extension is used. | |
520 | Default is on. | |
521 | ||
7eba3326 AJ |
522 | <tag>if</tag> |
523 | <p>New conditional syntax for multiple-worker SMP configurations. | |
524 | If-statements can be used to make configuration directives depend on conditions. | |
525 | <p>The else part is optional. The keywords <em>if</em>, <em>else</em> and <em>endif</em> | |
526 | must be typed on their own lines, as if they were regular configuration directives. | |
527 | ||
5945964d AJ |
528 | <tag>logfile_daemon</tag> |
529 | <p>Ported from 2.7. Specifies the file I/O daemon helper to run for logging. | |
530 | ||
570d3f75 AJ |
531 | <tag>max_stale</tag> |
532 | <p>Places an upper limit on how stale content Squid will serve from the cache if cache validation fails. | |
533 | ||
745114d1 | 534 | <tag>memory_cache_mode</tag> |
2bf4e8fa | 535 | <p>Controls which objects to keep in the memory cache (cache_mem). |
745114d1 AJ |
536 | <verb> |
537 | 'always' Keep most recently fetched objects in memory (default) | |
538 | ||
539 | 'disk' Only disk cache hits are kept in memory, which means | |
540 | an object must first be cached on disk and then hit | |
541 | a second time before cached in memory. | |
542 | ||
543 | 'network' Only objects fetched from the network are kept in memory | |
544 | </verb> | |
545 | ||
f9329b54 AJ |
546 | <tag>memory_cache_shared</tag> |
547 | <p>Controls whether the memory cache is shared among SMP workers. | |
548 | <p>Currently, entities exceeding 32KB in size cannot be shared. | |
549 | ||
97b32442 AJ |
550 | <tag>server_idle_pconn_timeout</tag> |
551 | <p>Renamed from <em>pconn_timeout</em>. | |
552 | ||
96d64448 AJ |
553 | <tag>tproxy_uses_indirect_client</tag> |
554 | <p>Controls whether the indirect client address found in the X-Forwarded-For | |
555 | header is used for spoofing instead of the directly connected client address. | |
68c0ac6f | 556 | Requires both <em>--enable-follow-x-forwarded-for</em> and <em>--enable-linux-netfilter</em>. |
96d64448 | 557 | |
7eba3326 AJ |
558 | <tag>workers</tag> |
559 | <p>Number of main Squid processes or "workers" to fork and maintain. | |
560 | In SMP mode, each worker does nearly everything that a single Squid daemon | |
561 | does (e.g., listens on http_port and forwards HTTP requests). | |
562 | <verb> | |
563 | 0: "no daemon" mode, like running "squid -N ..." | |
564 | 1: "no SMP" mode, start one main Squid process daemon (default) | |
565 | N: start N main Squid process daemons (i.e., SMP mode) | |
566 | </verb> | |
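<p>An added configuration example (not from these release notes or the Squid project) that puts the <em>if</em>/<em>else</em>/<em>endif</em> syntax, <em>workers</em>, <em>cpu_affinity_map</em> and <em>memory_cache_shared</em> together in one two-worker SMP setup; the cache paths, sizes and port are placeholder choices:

```conf
# Added example, not part of the Squid release notes. Cache paths, sizes
# and the port are placeholders.

# 0 = "no daemon" (like squid -N), 1 = single process (default),
# N = N worker processes (SMP mode).
workers 2

# Pin worker 1 to core 1 and worker 2 to core 2; the two lists pair up
# by position.
cpu_affinity_map process_numbers=1,2 cores=1,2

# One memory cache shared by both workers. Objects larger than 32KB
# cannot be shared and stay private to the worker that fetched them.
memory_cache_shared on

# Every worker listens on the same port.
http_port 3128

# ${process_number} expands to 1 or 2 here. A ufs cache_dir cannot be
# shared between workers, so the conditional block gives each worker its
# own directory. The keywords must sit on their own lines, and the else
# part is optional.
if ${process_number} = 1
    cache_dir ufs /var/cache/squid/worker1 1024 16 256
else
    cache_dir ufs /var/cache/squid/worker2 1024 16 256
endif
```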
eb9b1666 AJ |
567 | |
568 | <tag>write_timeout</tag> | |
569 | <p>New setting to limit time spent waiting for data writes to be confirmed. | |
745114d1 AJ |
570 | </descrip> |
571 | ||
572 | <sect1>Changes to existing tags<label id="modifiedtags"> | |
573 | <p> | |
574 | <descrip> | |
2bf4e8fa | 575 | <tag>access_log</tag> |
68c0ac6f AJ |
576 | <p>New <em>stdio</em> module to send log data directly from Squid to a disk file. |
577 | This is the historic behaviour of Squid before logging modules were introduced, and | |
578 | remains the default used when no module is selected. | |
579 | It is recommended to upgrade logging to the faster <em>daemon:</em> module. | |
580 | <p>New <em>daemon</em> module to send each log line as text data to a file I/O daemon handling the slow disk I/O. | |
581 | New installs, or installs with no logs configured explicitly, will use this module by default. | |
2bf4e8fa AJ |
582 | <p>New <em>tcp</em> module to send each log line as text data to a TCP receiver. |
583 | <p>New <em>udp</em> module to send each log line as text data to a UDP receiver. | |
20efa1c2 AJ |
584 | <p>New format <em>referrer</em> to log with the format previously used by the referer_log directive. |
585 | <p>New format <em>useragent</em> to log with the format previously used by the useragent_log directive. | |
2bf4e8fa | 586 | |
1e40905d | 587 | <tag>acl : random, localip, localport</tag> |
cb1b906f | 588 | <p>New type <em>random</em>. Pseudo-randomly match requests based on a configured probability. |
1e40905d AJ |
589 | <p>Renamed <em>myip</em> to <em>localip</em>. It matches the IP which the client connected to. |
590 | <p>Renamed <em>myport</em> to <em>localport</em>. It matches the port which the client connected to. | |
9d35fe37 | 591 | <p>Ported <em>urllogin</em> option from Squid 2.7, to match a regex pattern on the URL login field (if any). |
1e40905d AJ |
592 | <p>The <em>localip</em>/<em>localport</em> types differ from earlier releases, where they matched a mix |
593 | of an invalid IP and port 0, the client destination IP/port, or the Squid listening IP/port. | |
594 | This definition is now consistent across all modes of traffic received by Squid. | |
ff3dcd10 AJ |
595 | <p>The <em>manager</em> ACL requires adjustment to cover new cache manager access: |
596 | <verb> | |
597 | acl manager url_regex -i ^cache_object:// ^https?://[^/]+/squid-internal-mgr/ | |
598 | </verb> | |
cb1b906f | 599 | |
48d54e4d AJ |
600 | <tag>auth_param</tag> |
601 | <p>New options for Basic, Digest, NTLM, Negotiate <em>children</em> settings. | |
602 | <em>startup=N</em> determines the minimum number of helper processes used. | |
603 | <em>idle=N</em> determines how many helpers to retain as a buffer against sudden traffic loads. | |
6739cb10 AJ |
604 | <em>concurrency=N</em> was previously called <em>auth_param ... concurrency</em> as a separate option. |
605 | <p>Removed Basic, Digest, NTLM, Negotiate <em>auth_param ... concurrency</em> setting option. | |
f787354b | 606 | <p>Known Issue: NTLM and Negotiate protocols do not support concurrency. When set, this option is ignored. |
48d54e4d | 607 | |
a8a33c46 A |
608 | <tag>cache_dir</tag> |
609 | <p><em>min-size</em> option ported from Squid-2. | |
610 | ||
18191440 AJ |
611 | <tag>cache_peer</tag> |
612 | <p><em>htcp-*</em> options collapsed into <em>htcp=</em> taking an optional comma-separated list of flags. | |
613 | The old form is deprecated but still accepted. | |
614 | ||
6d1dfcfc AJ |
615 | <tag>cache_store_log</tag> |
616 | <p>Now uses logging modules. Example: <em>stdio:/file/path</em>. | |
617 | See <em>access_log</em> for a list of supported modules and their parameters. | |
618 | ||
425de4c8 AJ |
619 | <tag>clientside_mark</tag> |
620 | <p>New configuration parameter <em>clientside_mark</em>. | |
621 | <p>Allows packets leaving Squid on the client side to be marked with a Netfilter mark value in the same way as the existing clientside_tos feature. | |
622 | <p>This feature is only available for Netfilter environments. | |
623 | ||
15b02e9a AJ |
624 | <tag>deny_info</tag> |
625 | <p>Supports URL format tags, for dynamically generated URLs in denial redirects. | |
b5ec6228 AJ |
626 | <p>Supports the full range of 200-599 HTTP status codes. |
627 | 3xx statuses are only available when redirecting to a URI. | |
628 | Other statuses are only available when supplying an error template body. | |
15b02e9a | 629 | |
a98c2da5 | 630 | <tag>external_acl_type</tag> |
48d54e4d AJ |
631 | <p>New format tags and option parameters: |
632 | <p><em>%SRCEUI48</em> EUI-48 / MAC address of client from ARP lookup. | |
633 | <p><em>%SRCEUI64</em> EUI-64 of clients with SLAAC address. | |
99e4ad67 JB |
634 | <p><em>%EXT_LOG</em> log= message returned by previous external ACL calls. An updated version may be returned. |
635 | <p><em>%EXT_TAG</em> tag= value returned by previous external ACL calls. Tag may not be altered once set. | |
48d54e4d AJ |
636 | <p><em>children-max=N</em> determines the maximum number of helper processes used. |
637 | <p><em>children-startup=N</em> determines the minimum number of helper processes used. | |
638 | <p><em>children-idle=N</em> determines how many helpers to retain as a buffer against sudden traffic loads. | |
639 | <p>Deprecated <em>children=N</em> in favor of <em>children-max=N</em>. | |
a98c2da5 | 640 | |
cf673853 | 641 | <tag>http_port act-as-origin vhost no-vhost</tag> |
90fa5816 AJ |
642 | <p><em>act-as-origin</em> ported from 2.7. |
643 | This option corrects several HTTP header issues when operating as a reverse proxy and cache, | |
644 | notably the externally visible aging of objects stored in the server-side cache. | |
cf673853 AJ |
645 | <p><em>vhost</em> is deprecated. <em>accel</em> (reverse proxy) mode now defaults to always enabling HTTP/1.1 virtual domain support. |
646 | <p><em>no-vhost</em> option is added to disable the new reverse proxy behaviour. | |
90fa5816 | 647 | |
4b67fbe0 AR |
648 | <tag>icap_send_client_ip</tag> |
649 | <p>Deprecated in favor of adaptation_send_client_ip | |
650 | which applies to both ICAP and eCAP.</p> | |
651 | ||
652 | <tag>icap_send_client_username</tag> | |
653 | <p>Deprecated in favor of adaptation_send_username | |
654 | which applies to both ICAP and eCAP.</p> | |
655 | ||
656 | <tag>icap_uses_indirect_client</tag> | |
657 | <p>Deprecated in favor of adaptation_uses_indirect_client | |
658 | which applies to both ICAP and eCAP.</p> | |
659 | ||
17fde513 | 660 | <tag>logformat</tag> |
8652f8e7 | 661 | <p><em>%<a</em> Server or Peer IP address from the last server connection (next hop). |
a81febfd AJ |
662 | <p><em>%>bs</em> Number of HTTP-equivalent message body bytes received from the next hop. |
663 | <p><em>icap::%>bs</em> Number of message body bytes received from the ICAP server. | |
17fde513 | 664 | <p><em>%sn</em> Unique sequence number per log line. Ported from 2.7. |
8652f8e7 | 665 | <p><em>%>eui</em> EUI logging (EUI-48 / MAC address for IPv4, EUI-64 for IPv6). |
a98c2da5 | 666 | Both EUI forms are logged in the same field. Type can be identified by length or byte delimiter. |
8652f8e7 | 667 | <p><em>%err_code</em> The ID of an error response served by Squid or a similar internal error identifier. |
5da0c0ca | 668 | <p><em>%err_detail</em> Additional err_code-dependent error information. |
8652f8e7 AJ |
669 | <p><em>%>la</em> Rename of %la to indicate being a client connection detail. |
670 | <p><em>%>lp</em> Rename of %lp to indicate being a client connection detail. | |
671 | <p><em>%<p</em> Server or Peer port number from the last server connection (next hop). | |
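<p>An added configuration example (not from these release notes or the Squid project) covering the new <em>access_log</em> modules and formats, <em>cache_store_log</em> with a module, <em>logfile_daemon</em>, and a custom <em>logformat</em> built from the tags listed above; all paths, the collector host and port, and the format name are placeholder choices:

```conf
# Added example, not part of the Squid release notes. Paths, the collector
# host:port and the 'nexthop' format name are placeholders.

# Helper spawned by the daemon: module to do the slow disk writes.
logfile_daemon /usr/lib/squid/log_file_daemon

# daemon: the new default. Lines are handed to the helper, so disk I/O
# does not stall the proxy.
access_log daemon:/var/log/squid/access.log squid

# stdio: the pre-3.2 behaviour, Squid writes the file itself.
access_log stdio:/var/log/squid/legacy.log squid

# referrer and useragent formats replace the removed referer_log and
# useragent_log directives.
access_log daemon:/var/log/squid/referrer.log referrer
access_log daemon:/var/log/squid/useragent.log useragent

# tcp: ships each line as text to a remote receiver (udp: works the same).
access_log tcp://logcollector.example.com:5140 squid

# Custom format: per-line sequence (%sn), client IP, the local IP:port
# the client connected to (%>la:%>lp), client EUI (%>eui, needs
# --enable-eui and eui_lookup), status, next-hop IP:port (%<a:%<p),
# body bytes from the next hop (%>bs) and the error identifiers.
logformat nexthop %sn %ts.%03tu %>a %>la:%>lp %>eui %Ss/%03>Hs %<a:%<p %>bs %err_code/%err_detail %ru
access_log daemon:/var/log/squid/nexthop.log nexthop

# cache_store_log now takes a module prefix too.
cache_store_log stdio:/var/log/squid/store.log
```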
17fde513 | 672 | |
2d94c829 AJ |
673 | <tag>memory_pools_limit</tag> |
674 | <p>Memory limits have been revised and corrected from 3.1.4 onwards. | |
675 | <p>Please check and update your squid.conf to use the text <em>none</em> for no limit instead of the old 0 (zero). | |
676 | <p>All users upgrading need to be aware that from Squid-3.3 setting this option to 0 (zero) will mean zero bytes of memory get pooled. | |
677 | ||
425de4c8 AJ |
678 | <tag>qos_flows</tag> |
679 | <p>New options <em>mark</em>, <em>tos</em> and <em>miss</em>. | |
680 | <p><em>tos</em> retains the original QOS functionality of the IP header TOS field. | |
681 | <p><em>mark</em> offers the same functionality, but with a netfilter mark value. | |
682 | <p>These options should be placed immediately after qos_flows. | |
683 | <p>The <em>tos</em> value is optional in order to maintain backwards compatibility. | |
684 | <p>The preserve-miss functionality is available with the <em>mark</em> option and requires no kernel patching. | |
685 | It does, however, require libnetfilter_conntrack. | |
686 | This will be included by default if available (see the --without-netfilter-conntrack configure option for more details). | |
687 | <p><em>miss</em> sets a value for a cache miss. It is available for both the tos and mark options and takes precedence over the preserve-miss feature. | |
688 | ||
e5308a1f AJ |
689 | <tag>range_offset_limit</tag> |
690 | <p>Added ACL support for control over when the limit applies and when it is avoided. | |
691 | ||
570d3f75 AJ |
692 | <tag>refresh_pattern</tag> |
693 | <p>New option <em>max-stale=</em> to provide a maximum staleness factor. Squid won't | |
694 | serve objects more stale than this even if it failed to validate the object. | |
362d74b6 AJ |
695 | <p>Removed option <em>ignore-no-cache</em>. Its commonly desired behaviour is obsoleted |
696 | by correct HTTP/1.1 Cache-Control:no-cache handling. | |
570d3f75 | 697 | |
8ca98847 | 698 | <tag>reply_header_access</tag> |
c694236b | 699 | <p>Added support for custom response header names.</p> |
8ca98847 AJ |
700 | |
701 | <tag>request_header_access</tag> | |
c694236b | 702 | <p>Added support for custom request header names.</p> |
8ca98847 AJ |
703 | |
704 | <tag>reply_header_replace</tag> | |
c694236b | 705 | <p>Added support for custom response header names.</p> |
8ca98847 AJ |
706 | |
707 | <tag>request_header_replace</tag> | |
c694236b | 708 | <p>Added support for custom request header names.</p> |
8ca98847 | 709 | |
6d44d1e9 AJ |
710 | <tag>tcp_outgoing_address</tag> |
711 | <p>This parameter is now compatible with persistent server connections. | |
2dd51400 | 712 | The IPv6 magic 'to_ipv6' hacks needed in 3.1 are now no longer necessary. |
6d44d1e9 | 713 | |
425de4c8 AJ |
714 | <tag>tcp_outgoing_mark</tag> |
715 | <p>New configuration parameter <em>tcp_outgoing_mark</em>. | |
716 | <p>Allows packets leaving Squid on the server side to be marked with a Netfilter mark value in the same way as the existing tcp_outgoing_tos feature. | |
717 | <p>This feature is only available for Netfilter environments. | |
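<p>An added configuration example (not from these release notes or the Squid project) showing the <em>qos_flows</em> TOS and Netfilter mark forms side by side, with the <em>miss</em> option, next to the per-ACL <em>tcp_outgoing_mark</em> and <em>clientside_mark</em> directives; the TOS and mark values and the ACL network are placeholder choices:

```conf
# Added example, not part of the Squid release notes. TOS/mark values and
# the ACL network are placeholders.

# TOS form (the original behaviour; the 'tos' keyword may be omitted for
# backwards compatibility). miss= takes precedence over preserve-miss, so
# every cache miss leaves with TOS 0x08 instead of the upstream value.
qos_flows tos local-hit=0x30 sibling-hit=0x31 parent-hit=0x32 miss=0x08

# Netfilter mark form. Without miss=, preserve-miss carries the upstream
# connection's mark through; this needs libnetfilter_conntrack but no
# kernel patching (see --without-netfilter-conntrack).
qos_flows mark local-hit=0x10 sibling-hit=0x11 parent-hit=0x12

# Per-ACL marks independent of hit/miss status: server-side packets with
# tcp_outgoing_mark, client-side packets with clientside_mark. Both need
# a Netfilter build.
acl to_internal dst 10.0.0.0/8
tcp_outgoing_mark 0x20 to_internal
clientside_mark 0x21 to_internal
```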
718 | ||
719 | <tag>tcp_outgoing_tos</tag> | |
720 | <p>This parameter is now compatible with persistent server connections. | |
721 | ||
48d54e4d | 722 | <tag>url_rewrite_children</tag> |
1d7e0d63 AJ |
723 | <p>New options <em>startup=N</em>, <em>idle=N</em>, <em>concurrency=N</em> |
724 | <itemize> | |
725 | <item>startup=N allows finer tuning of how many helpers are started initially. | |
726 | <item>idle=N allows fine tuning of how many helpers to retain as a buffer against sudden traffic loads. | |
727 | <item>concurrency=N was previously called url_rewrite_concurrency as a distinct directive. | |
728 | </itemize> | |
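<p>An added configuration example (not from these release notes or the Squid project) showing the same helper-pool options on all three directives that gained them: <em>auth_param ... children</em>, <em>external_acl_type children-*</em> and <em>url_rewrite_children</em>; the helper programs, their paths and the ACL name are placeholder choices:

```conf
# Added example, not part of the Squid release notes. Helper paths and the
# external ACL name are placeholders.

# Basic auth: up to 20 helpers, 5 started at once, 2 kept idle as a
# buffer against bursts, 4 concurrent lookups per helper. The old
# separate 'auth_param basic concurrency' line is removed.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 20 startup=5 idle=2 concurrency=4

# NTLM and Negotiate ignore concurrency= (known issue), so leave it out.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth
auth_param negotiate children 10 startup=2 idle=1

# External ACL: children-max= replaces the deprecated children=.
# %SRCEUI48 passes the client MAC (needs --enable-eui and eui_lookup).
external_acl_type group_check ttl=300 children-max=10 children-startup=2 children-idle=1 %SRC %SRCEUI48 /usr/lib/squid/ext_group_check

# URL rewriter: the removed url_rewrite_concurrency directive is now the
# concurrency= option here.
url_rewrite_program /usr/lib/squid/rewrite_helper
url_rewrite_children 10 startup=3 idle=1 concurrency=2
```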
48d54e4d | 729 | |
5945964d AJ |
730 | <tag>windows_ipaddrchangemonitor</tag> |
731 | <p>Now only available in Windows builds. | |
732 | ||
745114d1 AJ |
733 | </descrip> |
734 | ||
735 | ||
736 | <sect1>Removed tags<label id="removedtags"> | |
737 | <p> | |
738 | <descrip> | |
488e6901 AJ |
739 | <tag>dns_v4_fallback</tag> |
740 | <p>Obsolete. Replaced by DNS parallel lookups. | |
741 | ||
20efa1c2 AJ |
742 | <tag>emulate_httpd_log</tag> |
743 | <p>Replaced by <em>common</em> format option on an <em>access_log</em> directive. | |
744 | ||
745 | <tag>forward_log</tag> | |
746 | <p>Obsolete. | |
747 | ||
0477a072 AJ |
748 | <tag>ftp_list_width</tag> |
749 | <p>Obsolete. | |
745114d1 | 750 | |
eb9b1666 AJ |
751 | <tag>ignore_expect_100</tag> |
752 | <p>Obsolete. | |
753 | ||
c581e96b AJ |
754 | <tag>log_fqdn</tag> |
755 | <p>Obsolete. Replaced by automatic detection of the %>A logformat tag. | |
756 | ||
8652f8e7 AJ |
757 | <tag>log_ip_on_direct</tag> |
758 | <p>Obsolete. Use a custom log with <em>%<A</em> format tag to receive server FQDN or peer name. | |
759 | ||
31ef19cd AJ |
760 | <tag>maximum_single_addr_tries</tag> |
761 | <p>The behaviour controlled by this directive is no longer possible. | |
9c8a6c3b | 762 | It has been replaced by the <em>connect_retries</em> option, which operates a little differently. |
31ef19cd | 763 | |
97b32442 AJ |
764 | <tag>pconn_timeout</tag> |
765 | <p>Renamed to <em>server_idle_pconn_timeout</em>. | |
766 | ||
767 | <tag>persistent_request_timeout</tag> | |
768 | <p>Renamed to <em>client_idle_pconn_timeout</em>. | |
769 | ||
20efa1c2 AJ |
770 | <tag>referer_log</tag> |
771 | <p>Replaced by the <em>referrer</em> format option on an <em>access_log</em> directive. | |
772 | ||
48d54e4d AJ |
773 | <tag>url_rewrite_concurrency</tag> |
774 | <p>Replaced by the <em>url_rewrite_children ... concurrency=N</em> option. | |
775 | ||
20efa1c2 AJ |
776 | <tag>useragent_log</tag> |
777 | <p>Replaced by the <em>useragent</em> format option on an <em>access_log</em> directive. | |
745114d1 AJ |
778 | </descrip> |
779 | ||
780 | ||
781 | <sect>Changes to ./configure options since Squid-3.1 | |
782 | <p> | |
783 | There have been some changes to Squid's build configuration since Squid-3.1. | |
784 | ||
785 | This section gives an account of those changes in three categories: | |
786 | ||
787 | <itemize> | |
788 | <item><ref id="newoptions" name="New options"> | |
789 | <item><ref id="modifiedoptions" name="Changes to existing options"> | |
790 | <item><ref id="removedoptions" name="Removed options"> | |
791 | </itemize> | |
792 | ||
793 | ||
794 | <sect1>New options<label id="newoptions"> | |
795 | <p> | |
796 | <descrip> | |
68c0ac6f AJ |
797 | <tag>--enable-auth-basic[=HELPERS]</tag> |
798 | <p>Specified without any parameters, all helpers will be auto-built. | |
b9c250bf | 799 | <p>With an explicit empty list <em>=""</em>, protocol support will be built but no helpers. |
68c0ac6f AJ |
800 | <p>With an explicit list, protocol support and just those helpers will be built. |
801 | ||
802 | <tag>--enable-auth-digest[=HELPERS]</tag> | |
803 | <p>Specified without any parameters, all helpers will be auto-built. | |
b9c250bf | 804 | <p>With an explicit empty list <em>=""</em>, protocol support will be built but no helpers. |
68c0ac6f AJ |
805 | <p>With an explicit list, protocol support and just those helpers will be built. |
806 | ||
807 | <tag>--enable-auth-negotiate[=HELPERS]</tag> | |
808 | <p>Specified without any parameters, all helpers will be auto-built. | |
b9c250bf | 809 | <p>With an explicit empty list <em>=""</em>, protocol support will be built but no helpers. |
68c0ac6f AJ |
810 | <p>With an explicit list, protocol support and just those helpers will be built. |
811 | ||
812 | <tag>--enable-auth-ntlm[=HELPERS]</tag> | |
813 | <p>Specified without any parameters, all helpers will be auto-built. | |
b9c250bf | 814 | <p>With an explicit empty list <em>=""</em>, protocol support will be built but no helpers. |
68c0ac6f AJ |
815 | <p>With an explicit list, protocol support and just those helpers will be built. |
816 | ||
b9c250bf AJ |
817 | <tag>--enable-build-info</tag> |
818 | <p>Adds an additional string to the output of "squid -v". | |
819 | ||
ee0927b6 AJ |
820 | <tag>--enable-eui</tag> |
821 | <p>Enable support for handling EUI operations. | |
822 | This includes ARP lookups for MAC (EUI-48) addresses and the ACL arp type tests. | |
823 | ||
68c0ac6f | 824 | <tag>--enable-log-daemon-helpers</tag> |
2bf4e8fa AJ |
825 | <p>Build helpers for logging I/O. |
826 | ||
dfeb186b AJ |
827 | <tag>--enable-url-rewrite-helpers</tag> |
828 | <p>Build helpers for some basic URL-rewrite actions, for use by url_rewrite_program. | |
829 | If omitted or set to <em>=all</em>, all bundled helpers that are able to build will be built. | |
830 | If set to a specific list of helpers then only those helpers will build. | |
831 | Currently one demo helper <em>fake</em> is provided in shell and C++ forms to demonstrate | |
832 | the helper protocol usage and provide exemplar code. | |
745114d1 | 833 | |
bf52b026 AJ |
834 | <tag>--with-swapdir=PATH</tag> |
835 | <p>Location to display in documentation for the default cache. | |
836 | Updated to indicate /var/cache/squid in accordance with the filesystem layout standards. | |
837 | Squid-3 no longer builds an implicit disk cache at this location, so the change is not expected | |
838 | to have any effect on existing builds other than fixing some mysterious lack of core dumps. | |
839 | The old /var/cache location was often non-writable, which blocked core dump creation. | |
840 | ||
425de4c8 AJ |
841 | <tag>--without-netfilter-conntrack</tag> |
842 | <p>Disables the libnetfilter_conntrack library being used for the new qos_flows option <em>mark</em>. | |
843 | The default is to auto-detect the library and use it where available. | |
745114d1 AJ |
844 | </descrip> |
845 | ||
846 | <sect1>Changes to existing options<label id="modifiedoptions"> | |
847 | <p> | |
848 | <descrip> | |
68c0ac6f | 849 | <tag>--enable-auth</tag> |
5945964d | 850 | <p>No longer takes a list of arguments. This option is now restricted to building Squid with or without authentication support. |
68c0ac6f | 851 | <p>The new <em>--enable-auth-X</em>/<em>--disable-auth-X</em> parameters determine which authentication protocols and helpers are built. |
6739cb10 | 852 | |
745114d1 AJ |
853 | </descrip> |
854 | </p> | |
855 | ||
856 | <sect1>Removed options<label id="removedoptions"> | |
857 | <p> | |
858 | <descrip> | |
ee0927b6 AJ |
859 | <tag>--enable-arp-acl</tag> |
860 | <p>Replaced by <em>--enable-eui</em>. | |
745114d1 | 861 | |
68c0ac6f AJ |
862 | <tag>--enable-auth-basic-helpers</tag> |
863 | <p>Replaced by <em>--enable-auth-basic</em>. | |
864 | ||
865 | <tag>--enable-auth-digest-helpers</tag> | |
866 | <p>Replaced by <em>--enable-auth-digest</em>. | |
867 | ||
868 | <tag>--enable-auth-negotiate-helpers</tag> | |
869 | <p>Replaced by <em>--enable-auth-negotiate</em>. | |
870 | ||
871 | <tag>--enable-auth-ntlm-helpers</tag> | |
872 | <p>Replaced by <em>--enable-auth-ntlm</em>. | |
873 | ||
20efa1c2 AJ |
874 | <tag>--enable-referer-log</tag> |
875 | <p>Obsolete. | |
876 | ||
877 | <tag>--enable-useragent-log</tag> | |
878 | <p>Obsolete. | |
879 | ||
745114d1 AJ |
880 | </descrip> |
881 | ||
882 | ||
883 | <sect>Options Removed since Squid-2 | |
884 | ||
885 | <p>Some squid.conf and ./configure options which were available in Squid-2.6 and Squid-2.7 are made obsolete in Squid-3.2. | |
886 | ||
887 | <sect1>Removed squid.conf options since Squid-2.7 | |
888 | <p> | |
889 | <descrip> | |
890 | <tag>auth_param</tag> | |
891 | <p><em>blankpassword</em> option for basic scheme removed. | |
892 | ||
6d44d1e9 AJ |
893 | <tag>authenticate_ip_shortcircuit_access</tag> |
894 | <p>Not safe for general use. | |
895 | An external_acl_type helper may be used to bypass authentication if that is suitable. | |
896 | ||
897 | <tag>authenticate_ip_shortcircuit_ttl</tag> | |
898 | <p>Not safe for general use. | |
899 | An external_acl_type helper may be used to bypass authentication if that is suitable. | |
900 | ||
862d667e AJ |
901 | <tag>cache_peer</tag> |
902 | <p><em>http11</em> Obsolete. | |
903 | ||
745114d1 AJ |
904 | <tag>external_acl_type</tag> |
905 | <p>Format tag <em>%{Header}</em> replaced by <em>%>{Header}</em> | |
906 | <p>Format tag <em>%{Header:member}</em> replaced by <em>%>{Header:member}</em> | |
907 | ||
908 | <tag>header_access</tag> | |
909 | <p>Replaced by <em>request_header_access</em> and <em>reply_header_access</em> | |
910 | ||
911 | <tag>http_port</tag> | |
912 | <p><em>no-connection-auth</em> replaced by <em>connection-auth=[on|off]</em>. Default is ON. | |
913 | <p><em>transparent</em> option replaced by <em>intercept</em> | |
2bf4e8fa | 914 | <p><em>http11</em> obsolete. |
745114d1 | 915 | |
533493da | 916 | <tag>http_access2</tag> |
862d667e | 917 | <p>Replaced by <em>adapted_http_access</em> |
533493da | 918 | |
745114d1 AJ |
919 | <tag>httpd_accel_no_pmtu_disc</tag> |
920 | <p>Replaced by <em>http_port disable-pmtu-discovery=</em> option | |
921 | ||
922 | <tag>incoming_rate</tag> | |
923 | <p>Obsolete. | |
924 | ||
925 | <tag>redirector_bypass</tag> | |
926 | <p>Replaced by <em>url_rewrite_bypass</em> | |
927 | ||
862d667e AJ |
928 | <tag>server_http11</tag> |
929 | <p>Obsolete. | |
930 | ||
82b7abe3 AJ |
931 | <tag>upgrade_http0.9</tag> |
932 | <p>Obsolete. | |
933 | ||
745114d1 AJ |
934 | <tag>zph_local</tag> |
935 | <p>Replaced by <em>qos_flows local-hit=</em> | |
936 | ||
937 | <tag>zph_mode</tag> | |
938 | <p>Obsolete. | |
939 | ||
940 | <tag>zph_option</tag> | |
941 | <p>Obsolete. | |
942 | ||
943 | <tag>zph_parent</tag> | |
944 | <p>Replaced by <em>qos_flows parent-hit=</em> | |
945 | ||
946 | <tag>zph_sibling</tag> | |
947 | <p>Replaced by <em>qos_flows sibling-hit=</em> | |
948 | ||
949 | </descrip> | |
950 | ||
951 | <sect1>Removed squid.conf options since Squid-2.6 | |
952 | <p> | |
953 | <descrip> | |
c72a2049 AJ |
954 | <tag>acl</tag> |
955 | <p><em>urlgroup</em> type removed. Use <em>myportname</em> type instead. | |
956 | ||
745114d1 AJ |
957 | <tag>cache_dir</tag> |
958 | <p><em>read-only</em> option replaced by <em>no-store</em>. | |
959 | ||
c72a2049 AJ |
960 | <tag>http_port</tag> |
961 | <p><em>urlgroup=</em> removed. Use <em>name=</em> feature instead. | |
962 | ||
963 | <tag>zero_buffers</tag> | |
964 | <p>Replaced by native support. | |
965 | ||
745114d1 AJ |
966 | </descrip> |
967 | ||
968 | <sect1>Removed ./configure options since Squid-2.7 | |
969 | <p> | |
970 | <descrip> | |
971 | <tag>--enable-coss-aio-ops</tag> | |
972 | <p>Obsolete. | |
973 | ||
974 | <tag>--enable-devpoll</tag> | |
975 | <p>Replaced by automatic detection. | |
976 | ||
977 | <tag>--enable-dlmalloc=LIB</tag> | |
978 | <p>Obsolete. | |
979 | ||
980 | <tag>--enable-epoll</tag> | |
981 | <p>Replaced by automatic detection. | |
982 | ||
983 | <tag>--enable-forward-log</tag> | |
984 | <p>Obsolete. | |
985 | ||
986 | <tag>--enable-heap-replacement</tag> | |
987 | <p>Obsolete. | |
988 | ||
989 | <tag>--enable-htcp</tag> | |
990 | <p>Obsolete. Enabled by default. | |
991 | ||
992 | <tag>--enable-large-cache-files</tag> | |
993 | <p>Obsolete. | |
994 | ||
995 | <tag>--enable-mempool-debug</tag> | |
996 | <p>Obsolete. | |
997 | ||
998 | <tag>--enable-multicast-miss</tag> | |
999 | <p>Obsolete. | |
1000 | ||
1001 | <tag>--enable-poll</tag> | |
1002 | <p>Replaced by automatic detection. | |
1003 | ||
1004 | <tag>--enable-select</tag> | |
1005 | <p>Replaced by automatic detection. | |
1006 | ||
1007 | <tag>--enable-select-simple</tag> | |
1008 | <p>Replaced by automatic detection. | |
1009 | ||
1010 | <tag>--enable-snmp</tag> | |
1011 | <p>Obsolete. Enabled by default. | |
1012 | ||
1013 | <tag>--enable-truncate</tag> | |
1014 | <p>Obsolete. | |
1015 | ||
1016 | <tag>--disable-kqueue</tag> | |
1017 | <p>Obsolete. Disabled by default. | |
1018 | ||
c72a2049 AJ |
1019 | <tag>--without-system-md5</tag> |
1020 | <p>Obsolete. Disabled by default. | |
1021 | ||
745114d1 AJ |
1022 | </descrip> |
1023 | ||
1024 | ||
1025 | <sect>Regressions since Squid-2.7 | |
1026 | ||
1027 | <p>Some squid.conf and ./configure options which were available in Squid-2.7 are not yet available in Squid-3.2. | |
1028 | ||
1029 | <p>If you need something to do, then porting one of these from Squid-2 to Squid-3 is most welcome. | |
1030 | ||
1031 | <sect1>Missing squid.conf options available in Squid-2.7 | |
1032 | <p> | |
1033 | <descrip> | |
745114d1 AJ |
1034 | <tag>broken_vary_encoding</tag> |
1035 | <p>Not yet ported from 2.6 | |
1036 | ||
1037 | <tag>cache_dir</tag> | |
745114d1 AJ |
1038 | <p><em>COSS</em> storage type is lacking stability fixes from 2.6 |
1039 | <p>COSS <em>overwrite-percent=</em> option not yet ported from 2.6 | |
1040 | <p>COSS <em>max-stripe-waste=</em> option not yet ported from 2.6 | |
1041 | <p>COSS <em>membufs=</em> option not yet ported from 2.6 | |
1042 | <p>COSS <em>maxfullbufs=</em> option not yet ported from 2.6 | |
1043 | ||
1044 | <tag>cache_peer</tag> | |
745114d1 | 1045 | <p><em>idle=</em> not yet ported from 2.7 |
745114d1 AJ |
1046 | <p><em>monitorinterval=</em> not yet ported from 2.6 |
1047 | <p><em>monitorsize=</em> not yet ported from 2.6 | |
1048 | <p><em>monitortimeout=</em> not yet ported from 2.6 | |
1049 | <p><em>monitorurl=</em> not yet ported from 2.6 | |
1050 | ||
1051 | <tag>cache_vary</tag> | |
1052 | <p>Not yet ported from 2.6 | |
1053 | ||
1054 | <tag>collapsed_forwarding</tag> | |
1055 | <p>Not yet ported from 2.6 | |
1056 | ||
1057 | <tag>error_map</tag> | |
1058 | <p>Not yet ported from 2.6 | |
1059 | ||
1060 | <tag>external_acl_type</tag> | |
1061 | <p><em>%ACL</em> format tag not yet ported from 2.6 | |
1062 | <p><em>%DATA</em> format tag not yet ported from 2.6 | |
1063 | ||
1064 | <tag>external_refresh_check</tag> | |
1065 | <p>Not yet ported from 2.7 | |
1066 | ||
745114d1 AJ |
1067 | <tag>ignore_ims_on_miss</tag> |
1068 | <p>Not yet ported from 2.7 | |
1069 | ||
1070 | <tag>location_rewrite_access</tag> | |
1071 | <p>Not yet ported from 2.6 | |
1072 | ||
1073 | <tag>location_rewrite_children</tag> | |
1074 | <p>Not yet ported from 2.6 | |
1075 | ||
1076 | <tag>location_rewrite_concurrency</tag> | |
1077 | <p>Not yet ported from 2.6 | |
1078 | ||
1079 | <tag>location_rewrite_program</tag> | |
1080 | <p>Not yet ported from 2.6 | |
1081 | ||
745114d1 AJ |
1082 | <tag>refresh_pattern</tag> |
1083 | <p><em>stale-while-revalidate=</em> not yet ported from 2.7 | |
1084 | <p><em>ignore-stale-while-revalidate=</em> not yet ported from 2.7 | |
745114d1 AJ |
1085 | <p><em>negative-ttl=</em> not yet ported from 2.7 |
1086 | ||
1087 | <tag>refresh_stale_hit</tag> | |
1088 | <p>Not yet ported from 2.7 | |
1089 | ||
745114d1 AJ |
1090 | <tag>storeurl_access</tag> |
1091 | <p>Not yet ported from 2.7 | |
1092 | ||
1093 | <tag>storeurl_rewrite_children</tag> | |
1094 | <p>Not yet ported from 2.7 | |
1095 | ||
1096 | <tag>storeurl_rewrite_concurrency</tag> | |
1097 | <p>Not yet ported from 2.7 | |
1098 | ||
1099 | <tag>storeurl_rewrite_program</tag> | |
1100 | <p>Not yet ported from 2.7 | |
1101 | ||
1102 | <tag>update_headers</tag> | |
c72a2049 | 1103 | <p>Not yet fully ported from 2.7. Memory and rock storage caches support this natively. UFS caches do not support it. |
745114d1 AJ |
1104 | |
1105 | </descrip> | |
745114d1 | 1106 | </article> |