git.ipfire.org Git - thirdparty/squid.git/blame - doc/release-notes/release-3.2.sgml
Ported: urllogin ACL from squid 2.7
Commit Line Data
745114d1
AJ
1<!doctype linuxdoc system>
2<article>
362d74b6 3<title>Squid 3.2.3 release notes</title>
745114d1
AJ
4<author>Squid Developers</author>
5
6<abstract>
7This document contains the release notes for version 3.2 of Squid.
8Squid is a WWW Cache application developed by the National Laboratory
9for Applied Network Research and members of the Web Caching community.
10</abstract>
11
12<toc>
13
14<sect>Notice
15<p>
362d74b6 16The Squid Team are pleased to announce the release of Squid-3.2.3 for testing.
745114d1
AJ
17
18This new release is available for download from <url url="http://www.squid-cache.org/Versions/v3/3.2/"> or the <url url="http://www.squid-cache.org/Mirrors/http-mirrors.html" name="mirrors">.
19
20While this release is not deemed ready for production use, we believe it is ready for wider testing by the community.
21
2284b7f7
AJ
22We welcome feedback and bug reports. If you find a bug, please see <url url="http://wiki.squid-cache.org/SquidFaq/BugReporting"> for how to submit a
23report with a stack trace.
745114d1
AJ
24
25<sect1>Known issues
26<p>
a81947e2 27Although this release is deemed good enough for use in many setups, please note the existence of <url url="http://bugs.squid-cache.org/buglist.cgi?query_format=advanced&amp;short_desc_type=allwordssubstr&amp;short_desc=&amp;target_milestone=3.2&amp;long_desc_type=allwordssubstr&amp;long_desc=&amp;bug_file_loc_type=allwordssubstr&amp;bug_file_loc=&amp;status_whiteboard_type=allwordssubstr&amp;status_whiteboard=&amp;bug_status=NEW&amp;bug_status=ASSIGNED&amp;bug_status=REOPENED&amp;emailtype1=substring&amp;email1=&amp;emailtype2=substring&amp;email2=&amp;bugidtype=include&amp;bug_id=&amp;votes=&amp;chfieldfrom=&amp;chfieldto=Now&amp;chfieldvalue=&amp;cmdtype=doit&amp;order=bugs.bug_severity&amp;field0-0-0=noop&amp;type0-0-0=noop&amp;value0-0-0=" name="open bugs against Squid-3.2">.
745114d1 28
a9eec4aa
AJ
29<p>Some issues to note as currently known in this release which are not able to be fixed in the 3.2 series are:
30
31<itemize>
a9eec4aa 32 <item>TCP logging of access.log does not recover from broken connections well.
c72a2049
AJ
33 <item>SSL-Bump not re-wrapping decrypted traffic in CONNECT for peers.
34 <item>Cache Manager reports in text/plain format even when requested directly via browser.
a9eec4aa
AJ
35</itemize>
36
f787354b
AJ
37<p>Currently known issues which only depend on available developer time and may still be resolved in a future 3.2 release are:
38
39<itemize>
f787354b
AJ
40 <item>SMP Support still has a number of important bugs needing to be resolved. See the bugs list above for details.
41 <item>Windows support is still incomplete.
f787354b
AJ
42 <item>The lack of some features available in Squid-2.x series. See the regression sections below for full details.
43</itemize>
44
45
745114d1
AJ
46<sect1>Changes since earlier releases of Squid-3.2
47<p>
48The 3.2 change history can be <url url="http://www.squid-cache.org/Versions/v3/3.2/changesets/" name="viewed here">.
49
50<sect>Major new features since Squid-3.1
6739cb10 51<p>Squid 3.2 represents a new feature release above 3.1.
745114d1 52
6739cb10 53<p>The most important of these new features are:
745114d1 54<itemize>
a9eec4aa 55 <item>CVE-2009-0801 : NAT interception vulnerability to malicious clients.
8f308a98 56 <item>NCSA helper DES algorithm password limits
a67c462c 57 <item>SMP scalability
6be4a9a8 58 <item>Helper Multiplexer and On-Demand
e5269a11 59 <item>Helper Name Changes
745114d1 60 <item>Multi-Lingual manuals
f787354b 61 <item>Solaris 10 pthreads Support
6be4a9a8
AJ
62 <item>Surrogate/1.0 protocol extensions to HTTP
63 <item>Logging Infrastructure Updated
69a9b4de 64 <item>Client Bandwidth Limits
97b70186 65 <item>Better eCAP support
ff3dcd10 66 <item>Cache Manager access changes
745114d1
AJ
67</itemize>
68
69Most user-facing changes are reflected in squid.conf (see below).
70
6be4a9a8 71
a9eec4aa 72<sect1>CVE-2009-0801 : NAT interception vulnerability to malicious clients.
2284b7f7
AJ
73<p>Details in Advisory <url url="http://www.squid-cache.org/Advisories/SQUID-2011_1.txt" name="SQUID-2011:1">
74
75<p>Squid locates the authority-URL details available in an HTTP request as
76 defined by RFC 2616 and validates that all found representations are
77 <em>textually</em> equivalent. In the case of intercepted traffic the
78 client destination IP is also compared to the Host: authority domain's
79 DNS entries.
80
81<p>When the Host: authority contradicts another authority source Squid will log
f787354b 82 "SECURITY ALERT: Host: header forgery detected". The response will then be determined
6978bd17 83 by the <url url="http://www.squid-cache.org/Doc/config/host_verify_strict/" name="host_verify_strict">
f787354b
AJ
84 directive. Squid will respond with a 409 Conflict error response when strict validation
85 fails and handle the request normally when strict validation succeeds or is OFF (default).
86
5eb32cde
AJ
87<p>Relaying of messages which FAIL non-strict Host: validation is permitted through Squid but
88 only to the original destination IP the client was requesting or to explicit peers. This means
89 DNS lookups to locate alternative DIRECT destinations will not be done.
f787354b
AJ
90
91<p>Known Issue: When non-strict validation fails Squid will relay the request, but can only do
a9eec4aa 92 so safely to the original destination IP the client was contacting. The client's original
5eb32cde
AJ
93 destination IP is lost when relaying to peers in a hierarchy. This means the upstream peers
94 are still at risk of the CVE-2009-0801 same-origin bypass vulnerability.
f787354b
AJ
95 Developer time is required to implement safe transit of these requests.
96 Please contact squid-dev if you are able to assist or sponsor the development.
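<p>The decision flow described in this section, as a simplified Python model added here for illustration (it is not Squid's code). The function names, action labels and the sample DNS table are assumptions of the example, as is the rule that non-intercepted traffic is only checked when strict validation is ON.

```python
from urllib.parse import urlsplit

ALERT = "SECURITY ALERT: Host: header forgery detected"

# Constructed stand-in for DNS: hostname -> set of addresses it resolves to.
SAMPLE_DNS = {"www.example.com": {"192.0.2.10", "192.0.2.11"}}


def resolve(hostname):
    """Hypothetical resolver used by the model; unknown names resolve to nothing."""
    return SAMPLE_DNS.get(hostname, set())


def url_authority(request_target):
    """Authority of an absolute-form request-target, or None for origin-form."""
    return urlsplit(request_target).netloc or None


def verify_host(request_target, host_header, dst_ip, *, intercepted, strict=False):
    """Return (action, log_lines) for one request.

    action is one of:
      "forward"            handle the request normally
      "409_conflict"       strict validation failed
      "original_dst_only"  relay, but only to dst_ip or an explicit peer
    """
    if not (intercepted or strict):
        # Assumption: with strict OFF only intercepted traffic is verified.
        return "forward", []

    host = urlsplit("//" + host_header).hostname  # strips any port, lowercases
    failed = False

    # 1. All authority representations in the message must be textually equal
    #    (compared case-insensitively here; default ports are not normalised).
    authority = url_authority(request_target)
    if authority is not None and authority.lower() != host_header.lower():
        failed = True

    # 2. Intercepted traffic: the IP the client connected to must be one of
    #    the addresses the Host: domain resolves to (or the literal itself).
    if intercepted and not failed:
        if dst_ip != host and dst_ip not in resolve(host):
            failed = True

    if not failed:
        return "forward", []
    if strict:
        return "409_conflict", [ALERT]
    # Non-strict failure: no DNS lookups for alternative DIRECT destinations.
    return "original_dst_only", [ALERT]
```

The "original_dst_only" outcome is the case the Known Issue covers: once such a request is handed to a peer, the peer no longer has the client's original destination IP to check against.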
2284b7f7
AJ
97
98
8f308a98
AJ
99<sect1>NCSA helper DES algorithm password limits
100<p>Details in Advisory <url url="http://www.squid-cache.org/Advisories/SQUID-2011_2.txt" name="SQUID-2011:2">
101
102<p>The DES algorithm used by the NCSA Basic authentication helper has a
103 limit of 8 bytes but some implementations do not error when truncating
104 longer passwords down to this unsafe level.
105
106<p>This both significantly lowers the threshold of difficulty decrypting
107 captured password files and hides from users the fact that the extra bits
108 of their chosen long password are not being utilized.
109
110<p>The NCSA helper bundled with Squid will prevent passwords longer than 8
111 characters being sent to the DES algorithm. The MD5 hash algorithm which
112 supports longer than 8 character passwords is also supported by this helper
113 and should be used instead.
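<p>A check an administrator can run over an existing NCSA-style password file to find entries still stored with DES, added here as an example (not part of the Squid distribution). It assumes the usual conventions that a traditional DES crypt field is 13 characters from [./0-9A-Za-z] and that MD5 fields start with $apr1$ or $1$; the sample file and its hash strings are constructed.

```python
import string

DES_MAX_BYTES = 8  # limit stated in the text above
DES_ALPHABET = set(string.ascii_letters + string.digits + "./")

# Constructed sample file; the hash fields are made-up strings of the right shape.
SAMPLE_PASSWD = """\
alice:ab1dE5fGh9JkL
bob:$apr1$c0nstrct$0123456789abcdefghijkl
carol:$1$c0nstrct$0123456789abcdefghijkl
dave
"""


def classify(stored):
    """Guess the scheme of one stored password field from its shape."""
    if stored.startswith(("$apr1$", "$1$")):
        return "md5"
    if len(stored) == 13 and set(stored) <= DES_ALPHABET:
        return "des"
    return "unknown"


def audit(text):
    """Return [(line_no, user, scheme)] for every non-blank line."""
    results = []
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        user, sep, rest = line.partition(":")
        # Only the field right after the user name is the password hash.
        scheme = classify(rest.split(":", 1)[0]) if sep else "malformed"
        results.append((line_no, user, scheme))
    return results


def exceeds_des_limit(password):
    """True when DES would ignore part of this password.

    Measured in bytes, so a password of 8 characters or fewer can still
    exceed the limit when it contains multi-byte characters.
    """
    return len(password.encode("utf-8")) > DES_MAX_BYTES
```

Users reported as "des" are the ones to migrate to MD5 entries; their passwords need to be reset, since the stored hash cannot be converted.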
114
115
a67c462c
AR
116<sect1>SMP scalability
117<p>The new "workers" squid.conf option can be used to launch multiple worker
118 processes and utilize multiple CPU cores. The overall intent is to make
119 multiple workers look like one to an outside observer, while providing
120 knobs to customize each worker's behavior if needed.
121
122<p>By default, all worker processes are configured identically and do what a
123 single Squid instance would have done. Squid.conf macro substitutions and
124 conditionals (see below) can be used to customize individual worker
125 configurations. In the paragraphs below, "can share" implies "will share by
126 default".
127
128<p>Workers can share HTTP, HTTPS, SNMP, ICP, and HTCP listening addresses.
129 Configuration related to ICP and HTCP clients must be adjusted to avoid
130 source address conflicts: Modify the IP address and/or the port used for
131 the protocol. Workers do not share DNS addresses by default because the OS
132 assigns each worker a unique DNS port.
133
134<p>Workers can share logs.
135
8fe9e0a2
AJ
136<p>Workers can share caches. Memory cache is automatically shared when multiple
137 workers are used. Cache_dir are shared when configured with the <em>rock</em>
138 storage type. Cache_dir of other types must be adjusted to point each
139 disk-caching worker to its own disk area. ICP and HTCP responses are based
140 on the responding worker cache state.
a67c462c 141
850ff99f
AJ
142<p>Cache manager statistics are reported from a worker point of view, for now,
143 though some reports are combined. SNMP statistics are combined across all
144 workers.
a67c462c
AR
145
146<p>Startup, reconfiguration, shutdown, and log rotation are handled as for a
147 monolithic Squid. Abnormally terminated workers are restarted while
148 other workers continue serving traffic.
149
a67c462c
AR
150<sect2>Squid.conf macros and conditionals
151<p>Added support for process_name and process_number macros as well as simple
152 if-statement conditionals in squid.conf. These features allow individual
153 worker customization in SMP mode. For details, search for "Conditional
154 configuration" and "SMP-Related Macros" sections in squid.conf.documented.
155
156
1d7e0d63
AJ
157<sect1>Helper Multiplexer
158<p>The helper multiplexer's purpose is to relieve some of the burden
159 Squid has when dealing with slow helpers. It does so by acting as a
160 middleman between Squid and the actual helpers, talking to Squid via
161 the multiplexed concurrent variant of the helper protocol and to the
162 helpers via the non-concurrent variant.
163
164<p>Helpers are started on demand, and in theory the muxer can handle up to
165 1k helpers per instance. It's up to Squid to decide how many helpers
166 to start.
167
168<p>The muxer knows nothing about the actual messages being passed around,
169 and as such can't really (yet?) compensate for broken helpers.
170 It is not yet able to manage dying helpers, but it will.
171
172<p>To configure the multiplexer add its binary name (usually /usr/share/libexec/helper-mux.pl)
173 in front of the name of whichever helper is being multiplexed. It takes the helper binary
174 path and parameters as its own command parameters. The <em>concurrency</em> setting already
175 existing in Squid is used to configure how many child helpers it may run.
176
177<p>For example, a traditional configuration is
178 <verb>
179 url_rewrite_program /your/redirector.sh
180 url_rewrite_children 5
181 </verb>
182 the alternative multiplexer configuration is:
183 <verb>
184 url_rewrite_program /usr/share/libexec/helper-mux.pl /your/redirector.sh
185 url_rewrite_children 1 concurrency=5
186 </verb>
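<p>What the multiplexer does with each line, as a Python model added here for illustration (it is not the helper-mux.pl source). In the concurrent variant every request from Squid starts with a channel ID that must be echoed at the start of the reply; the non-concurrent variant has no ID. The class, its method names and the sample request lines are assumptions of the example.

```python
class HelperMux:
    """Bookkeeping core of a multiplexer: channel IDs in, plain lines out."""

    def __init__(self):
        # One slot per started helper: None when idle, else the channel ID
        # of the request that helper is currently working on.
        self.slots = []

    def from_squid(self, line):
        """Take '<channel-ID> <request>' from Squid.

        Returns (helper_index, line_for_helper). The helper speaks the
        non-concurrent protocol, so it never sees the channel ID.
        """
        channel, sep, request = line.rstrip("\n").partition(" ")
        if not sep or not channel.isdigit():
            raise ValueError("missing channel ID: %r" % line)
        try:
            index = self.slots.index(None)   # reuse an idle helper
        except ValueError:
            self.slots.append(None)          # none idle: start one on demand
            index = len(self.slots) - 1
        self.slots[index] = channel
        return index, request + "\n"

    def from_helper(self, index, reply):
        """Take a plain reply from helper `index`; return the line for Squid."""
        channel = self.slots[index]
        if channel is None:
            raise RuntimeError("helper %d replied with nothing in flight" % index)
        self.slots[index] = None
        return "%s %s\n" % (channel, reply.rstrip("\n"))


def demo():
    """Replay a constructed exchange; returns (lines sent to Squid, helpers started)."""
    mux = HelperMux()
    out = []
    a, _ = mux.from_squid("0 http://a.example/ 192.0.2.1/- - GET\n")
    # Helper a is busy, so a second helper is started for channel 1.
    b, _ = mux.from_squid("1 http://b.example/ 192.0.2.2/- - GET\n")
    # Replies may come back in any order; the channel ID pairs them up.
    out.append(mux.from_helper(b, "http://mirror.example/b\n"))
    # Helper b is idle again and is reused for channel 2.
    c, _ = mux.from_squid("2 http://c.example/ 192.0.2.3/- - GET\n")
    out.append(mux.from_helper(a, "http://a.example/\n"))
    out.append(mux.from_helper(c, "http://c.example/\n"))
    return out, len(mux.slots)
```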
187
188<p>Helpers which are already concurrent protocol enabled gain little benefit from the multiplexer
189 on most systems. However on some systems where Squid spawning helpers causes excess memory usage
190 the reduction in helpers spawned directly by Squid can result in a great reduction in resource use.
191
192<p>The helper can be controlled using various signals:
193 <itemize>
194 <item>SIGHUP: dump the state of all helpers to STDERR
195 </itemize>
196
e5269a11 197
6be4a9a8
AJ
198<sect1>Helpers On-Demand
199<p>Traditionally Squid has been configured with a fixed number of helpers and started them during
200 its start and reconfigure phases. This forces the hard configuration problem of how many helpers
201 will be needed to be solved before starting Squid in production use.
202
203<p>The on-demand helpers feature allows greater flexibility and resolves this problem by allowing
204 maximum, initial and idle thresholds to be configured. Squid will start the initial set during
205 start and reconfigure phases. However, during operation new helpers up to the maximum will
206 be started as load demands. The idle threshold determines how many more helpers to start if the
207 currently running set is not enough to handle current request loads.
208
209<p>For example, a traditional configuration is
210 <verb>
211 auth_param ntlm /usr/libexec/squid/ntlm_auth
212 auth_param ntlm children 200
213 </verb>
214 the alternative on-demand configuration could be:
215 <verb>
216 auth_param ntlm /usr/libexec/squid/ntlm_auth
217 auth_param ntlm children 200 startup=10 idle=2
218 </verb>
219
220<p>The example still permits up to 200 helpers to be running at once under peak traffic loads,
221 but only starts 10 when Squid is initialized, resulting in a faster boot up.
222 When client requests threaten to overload the running helpers an additional 2 will be started.
223
224<p>NOTE: if no <em>startup</em> and <em>idle</em> values are specified the traditional behaviour
225 of starting the maximum number of helpers will occur.
226
227
228<sect1>Helper Name Changes
e5269a11
AJ
229<p>To improve the understanding of what each helper does and where it should be used the helper binaries
230 which are bundled with Squid have undergone a naming change in this release.
231
232<p>Below is a list of the old helper names and what their names have changed to.
5a48ed18 233 For several helpers the directory name used in --enable-X-helpers configure option has also changed.
e5269a11
AJ
234
235<sect2>Basic Authentication protocol helpers
6739cb10 236<p><itemize>
e5269a11 237 <item>squid_db_auth - basic_db_auth - Retrieve authentication details from a simple SQL database table.
acb775ad 238 <item>getpwnam_auth - basic_getpwnam_auth - Authenticate with local system user accounts.
428744a1 239 <item>squid_ldap_auth - basic_ldap_auth - Authenticate with LDAP user accounts.
c152a447 240 <item>MSNT-multi-domain - basic_msnt_multi_domain_auth - Authenticate with any one of multiple Windows Domain Controllers.
7c16470c 241 <item>msnt_auth - basic_msnt_auth - Authenticate with Windows Domain Controllers selected by username.
0d8565ac 242 <item>ncsa_auth - basic_ncsa_auth - Authenticate with NCSA httpd-style password file.
c152a447 243 <item>yp_auth - basic_nis_auth - Authenticate with NIS security system.
5a48ed18 244 <item>pam_auth - basic_pam_auth - Authenticate with the system PAM infrastructure.
7c16470c 245 <item>pop3.pl - basic_pop3_auth - Authenticate with a mail server POP3/SMTP credentials.
c152a447 246 <item>squid_radius_auth - basic_radius_auth - Authenticate with RADIUS.
5a48ed18
AJ
247 <item>squid_sasl_auth - basic_sasl_auth - Authenticate with SASL.
248 <item>smb_auth - basic_smb_auth - Authenticate with Samba SMB.
5a48ed18 249 <item>mswin_sspi - basic_sspi_auth - Authenticate with a Windows Domain Controller using SSPI.
e5269a11
AJ
250</itemize>
251
252<sect2>Digest Authentication protocol helpers
6739cb10 253<p><itemize>
54e8823b 254 <item>digest_pw_auth - digest_file_auth - Authenticate against credentials stored in a simple text file.
e5269a11
AJ
255</itemize>
256
257<sect2>External ACL helpers
6739cb10 258<p><itemize>
c152a447
AJ
259 <item>mswin_check_ad_group - ext_ad_group_acl - Check logged in users Group membership using Active Directory.
260 <item>ip_user_check - ext_file_userip_acl - Restrict users to certain IP addresses, using a text file backend.
dee6a922 261 <item>squid_kerb_ldap - ext_kerberos_ldap_group_acl - Check logged in Kerberos or NTLM users Group membership using LDAP.
c152a447
AJ
262 <item>squid_ldap_group - ext_ldap_group_acl - Check logged in users Group membership using LDAP.
263 <item>mswin_check_lm_group - ext_lm_group_acl - Check logged in users Group membership using LanManager.
264 <item>squid_session - ext_session_acl - Maintain a session cache of client identifiers (usually IP address).
902bc38b 265 This helper has also gone through a version update and now uses more current BerkeleyDB 4.1+ APIs.
c152a447
AJ
266 <item>squid_unix_group - ext_unix_group_acl - Check logged in users Group membership using local UNIX groups.
267 <item>wbinfo_group.pl - ext_wbinfo_group_acl - Check logged in users Group membership using wbinfo.
e5269a11
AJ
268</itemize>
269
270<sect2>Negotiate Authentication protocol helpers
6739cb10 271<p><itemize>
87db552c 272 <item>squid_kerb_auth - negotiate_kerberos_auth - Authenticate with Kerberos servers.
c152a447 273 <item>mswin_sspi - negotiate_sspi_auth - Authenticate with a Windows Domain Controller using SSPI.
065f7779 274 <item>negotiate_wrapper - negotiate_wrapper_auth - Split Negotiate traffic between Kerberos and NTLM helpers.
e5269a11
AJ
275</itemize>
276
277<sect2>NTLM Authentication protocol helpers
6739cb10 278<p><itemize>
c152a447 279 <item>no_check.pl - Deprecated. - Use the faster and less easily decrypted ntlm_fake_auth instead.
75aa769b 280 <item>fakeauth_auth - ntlm_fake_auth - Perform NTLMSSP to recover the username but don't verify the password.
e5269a11 281 <item>ntlm_auth - ntlm_smb_lm_auth - Perform SMB LanManager domain-less authentication over NTLM protocol.
c152a447 282 <item>mswin_ntlm_auth - ntlm_sspi_auth - Perform NTLMSSP authentication using Windows native Security Support Provider Interface API.
e5269a11
AJ
283</itemize>
284
285<sect2>URL re-write helpers
286<p>This group of helpers has been bundled to demonstrate how to code URL re-writers:
e5269a11
AJ
287<itemize>
288 <item>url_fake_rewrite - Accept various url_rewrite details and log the input.
289</itemize>
290
291
745114d1 292<sect1>Multi-Lingual manuals
745114d1 293<p>The man(8) and man(1) pages bundled with Squid are now provided online for all
7d9ce496 294 versions and beginning with 3.2 they are available in languages other than English (where translated).
745114d1 295
1d8114ce 296<p>Details in <url url="http://wiki.squid-cache.org/Translations" name="The Squid wiki">
745114d1
AJ
297
298<p>3.1 began the Internationalization of Squid with the public facing error pages.
299 This move begins the Localization of the internal administrator facing manuals.
300
68c0ac6f 301
745114d1 302<sect1>Solaris 10 pthreads Support (Experimental)
745114d1
AJ
303<p>Automatic detection and use of the pthreads library available from Solaris 10
304
6be4a9a8
AJ
305<p>The result of this addition means that faster, more efficient AUFS cache storage mechanisms
306 are now available in Solaris 10.
307
308<p>Support is experimental at this stage due to lack of feedback on the results of enabling it.
309 We recommend giving AUFS a try for faster disk storage and encourage feedback.
310
311
312<sect1>Surrogate/1.0 protocol extensions to HTTP
313<p>The <em>Surrogate</em> extensions to HTTP protocol enable an origin web server to specify separate
314 cache controls for a reverse proxy acting on its behalf. Previously this was closely tied with the ESI
315 feature support in Squid. This release opens Surrogate support to all reverse proxies.
316
317<p>Reverse proxy requests sent on to the web server include the HTTP header <em>Surrogate-Capabilities:</em>
318 specifying the capabilities of the reverse proxy along with an ID which can be used to target responses with
319 a <em>Surrogate-Control:</em> HTTP header used instead of the <em>Cache-Control:</em> header.
320
321<p>The default surrogate ID is generated automatically from the Squid site-unique hostname as found by the
322 automatic detection or manual configuration of <em>visible_hostname</em> although it can be configured
323 separately with the <em>httpd_accel_surrogate_id</em> option.
324
325<p><em>Security Considerations:</em> Websites should be careful of accepting any surrogate ID.
326 Older releases of Squid leak the Surrogate-Control headers to external servers.
327 This 3.2 series of Squid will now prevent this leakage of its own ID destined responses, however it is possible
328 and for some uses desirable to receive external reverse-proxies <em>Surrogate-Capabilities:</em> headers.
329
330<p><em>NOTE:</em> Several operating system distributions historically package Squid with a forced value of
331 <em>visible_hostname localhost</em>. If this is done on a Surrogate enabled install a manual re-configuration
332 is required to prevent an unacceptable surrogate ID of 'localhost' being generated.
333
334
335<sect1>Logging Infrastructure Updated
336<p>The advanced logging modules introduced in Squid-2.7 are now available from Squid-3.2.
337
338<p>This feature is documented at http://wiki.squid-cache.org/Features/LogModules
339
340<p>The new infrastructure currently supports several different channel types (modules) ranging from
341 direct filesystem logging (stdio, daemon) to network logging (syslog, UDP and TCP). The daemon logging
342 interface allows for a custom helper to be written to process logs in real-time.
343
6d1dfcfc
AJ
344<p>Upgrading: the <em>access_log</em> and <em>cache_store_log</em> were previously logged via what is
345 now called the <em>stdio</em> module.
6be4a9a8
AJ
346 This is still supported and used by default if no module is named. For best performance particularly in SMP
347 environments we recommend the <em>daemon</em> be used. The provided <em>log_file_daemon</em> helper
348 performs the traditional logging to local filesystem.
349
350<p>In addition, the cache.log can now be limited to a smaller number of files stored.
351 Traditionally cache.log.N has been fixed at the same number of rotated files as access.log.N through the
352 <em>logfile_rotate</em> setting. The <em>debug_options</em> setting can now be used to configure the number
353 of debug cache.log files to rotate through with a <em>rotate=N</em> option. This is particularly useful for
354 logging a single cache.log at relatively high debug levels on a high-traffic system, or on one which is
355 required to store a long period of access.log and needs to conserve disk space.
356
6d1dfcfc
AJ
357<p>The <em>referer_log</em> and <em>useragent_log</em> directives have been converted to built-in log formats.
358 These logs are now created using an <em>access_log</em> line with the format "referrer" or "useragent".
488e6901 359 They also now log all client requests; if there was no Referer or User-Agent header a dash (-) is logged.
68c0ac6f 360
f787354b
AJ
361<p>Known Issue: The TCP logging module does not recover from broken connections well.
362 At present it will restart the affected Squid instance if the TCP connection is broken.
363
ff3dcd10 364
69a9b4de
AJ
365<sect1> Client Bandwidth Limits
366<p>In mobile environments, Squid may need to limit Squid-to-client bandwidth
367 available to individual users, identified by their IP addresses. The IP
368 address pool can be as large as a /10 IPv4 network (4 million unique IP
369 addresses) and even larger in IPv6 environments. On the other hand, the code
370 should support thousands of connections coming from a single IP (e.g.,
371 a child proxy).
372
373<p>The implementation is based on storing bandwidth-related "bucket" information
374 in the existing "client database" hash (client_db.cc). The old code already
375 assigned each client IP a single ClientInfo object, which satisfies the
376 client-side IP-based bandwidth pooling requirements. The old hash size is
377 increased to support up to 32K concurrent clients if needed.
378
379<p>Client-side pools are configured similarly to server-side ones, but there is
380 only one pool class. See client_delay_pools,
381 client_delay_initial_bucket_level, client_delay_parameters, and
382 client_delay_access in squid.conf. The client_delay_access matches the client
383 with delay parameters. It does not pool clients from different IP addresses
384 together.
385
386<p>Special care is taken to provide fair distribution of bandwidth among clients
387 sharing the same bucket (i.e., clients coming from the same IP address).
388 Multiple same-IP clients competing for bandwidth are queued using FIFO
389 algorithm. If a bucket becomes empty, the first client among those sharing
390 the bucket is delayed by 1 second before it can attempt to receive more
391 response data from Squid. This delay may need to be lowered in
392 high-bandwidth environments.
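<p>The shared-bucket behaviour described above, as a small Python simulation added here for illustration (it is not the client_db.cc code). The function names, the per-turn quantum and the rule that a connection rejoins the back of the queue after each write are assumptions of the model.

```python
from collections import deque


def simulate(rate, max_size, initial_percent, wants, quantum, retry_delay_ms=1000):
    """Serve same-IP connections from one shared bucket.

    rate             refill in bytes per second
    max_size         bucket capacity in bytes
    initial_percent  starting level as a percentage of max_size
    wants            [(connection, bytes_wanted)] in arrival order
    quantum          most bytes one connection takes per turn (model assumption)
    Returns [(time_ms, connection, bytes_sent)].
    """
    refill = rate * retry_delay_ms // 1000
    if refill <= 0 or quantum <= 0 or max_size <= 0:
        raise ValueError("bucket would never refill or nothing could be sent")
    level = max_size * initial_percent // 100
    queue = deque(wants)              # FIFO of connections sharing the bucket
    now_ms, timeline = 0, []
    while queue:
        conn, want = queue.popleft()
        if level == 0:
            # Empty bucket: the head of the queue waits, the bucket refills
            # meanwhile, but never beyond its capacity.
            now_ms += retry_delay_ms
            level = min(max_size, refill)
        sent = min(want, level, quantum)
        level -= sent
        timeline.append((now_ms, conn, sent))
        if want > sent:
            queue.append((conn, want - sent))   # back of the queue
    return timeline


def finish_ms(timeline):
    """Time at which the last byte was sent."""
    return timeline[-1][0]
```

In this model a 10000 bytes/second rate with a 4000 byte bucket delivers 20000 bytes in 4000 ms with the 1 second delay, because the bucket overflows during each wait, and in 1600 ms with a 100 ms delay.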
393
ff3dcd10
AJ
394
395<sect1>Better eCAP Support
396<p>Support for libecap version 0.2.0 has been added with this series of Squid, bringing
397 better support for body handling and logging.
398
f787354b
AJ
399<p>Known Issue: Due to API changes in libecap this release of Squid will not build
400 against any older libecap releases.
401
ff3dcd10
AJ
402
403<sect1>Cache Manager access changes
404<p>The Squid Cache Manager has previously only been accessible under the cache_object://
405 URL scheme, which has restricted its reporting to tools which can send arbitrary
406 URIs to the proxy.
407
408<p>This version of Squid now provides access through the http:// and https:// URL schemes
409 allowing web browsers access without having to use the cachemgr.cgi gateway and enabling
410 the use of HTTPS security where desired.
411
412<p>The cache manager is available under the path prefix /squid-internal-mgr/. For example
413 the URL http://example.com/squid-internal-mgr/menu will bring up the manager menu. This
414 means there are some configuration changes required to lock down manager access.
415 The <em>manager</em> ACL needs changing to:
416<verb>
417 acl manager url_regex -i ^cache_object:// ^https?://[^/]+/squid-internal-mgr/
418</verb>
419
f9329b54
AJ
420<p>The manager prefix /squid-internal-mgr/ with no action attempts to load an optional
421 template MGR_INDEX which may be installed amongst the Squid error templates.
422 This template is not supplied with Squid but intended to be supplied by separate
423 cache manager applications as their front page embedding all scripts, accessors or
424 redirects required for their initial GUI display.
425
426<p>Version 3.2 of the CGI cache manager tool now presents XHR scripted probes to detect
427 proxies presenting these manager index pages and provides direct HTTP/HTTPS web links
428 to those managers.
429
ff3dcd10 430
745114d1
AJ
431<sect>Changes to squid.conf since Squid-3.1
432<p>
433There have been changes to Squid's configuration file since Squid-3.1.
434
435This section gives a thorough account of those changes in three categories:
436
437<itemize>
438 <item><ref id="newtags" name="New tags">
439 <item><ref id="modifiedtags" name="Changes to existing tags">
440 <item><ref id="removedtags" name="Removed tags">
441</itemize>
442<p>
443
745114d1
AJ
444<sect1>New tags<label id="newtags">
445<p>
446<descrip>
902bc38b
AJ
447 <tag>adaptation_meta</tag>
448 <p>This option allows the Squid administrator to add custom ICAP request
449 headers or eCAP options to Squid ICAP requests or eCAP transactions.
450
4b67fbe0
AR
451 <tag>adaptation_send_client_ip</tag>
452 <p>Same as deprecated icap_send_client_ip
453 but applies to both ICAP and eCAP.</p>
454
455 <tag>adaptation_send_username</tag>
456 <p>Same as deprecated icap_send_client_username
457 but applies to both ICAP and eCAP.</p>
458
459 <tag>adaptation_uses_indirect_client</tag>
460 <p>Same as deprecated icap_uses_indirect_client
461 but applies to both ICAP and eCAP.</p>
462
69a9b4de
AJ
463 <tag>client_delay_pools</tag>
464 <p>New setting for client bandwidth limits which specifies the number
465 of client delay pools used.
466
467 <tag>client_delay_initial_bucket_level</tag>
468 <p>New setting for client bandwidth limits to determine the initial
469 bucket size as a percentage of max_bucket_size from
470 client_delay_parameters.
471
472 <tag>client_delay_parameters</tag>
473 <p>New setting for client bandwidth limits which configures client-side
474 bandwidth limits.
475
476 <tag>client_delay_access</tag>
477 <p>New setting for client bandwidth limits which determines the
478 client-side delay pool for the request.
479
bfe4e2fe 480 <tag>client_dst_passthru</tag>
2284b7f7 481 <p>New setting to disable extra Host: header security on interception proxies.
bfe4e2fe 482 Impacts cache integrity/reliability and client browser security.
2284b7f7
AJ
483 <p><em>IMPORTANT:</em> disabling this directive only allows Squid to change the
484 destination IP to another source indicated by Host: domain DNS or
485 cache_peer configuration. It <em>does not</em> affect Host: validation.
bfe4e2fe 486
97b32442
AJ
487 <tag>client_idle_pconn_timeout</tag>
488 <p>Renamed from <em>persistent_request_timeout</em>.
489
eb9b1666
AJ
490 <tag>cpu_affinity_map</tag>
491 <p>New setting for SMP support to map Squid processes onto specific CPU cores.
2bf4e8fa 492
31ef19cd
AJ
493 <tag>connect_retries</tag>
494 <p>Replacement for <em>maximum_single_addr_tries</em>, but instead of only applying to hosts with single addresses,
6d44d1e9 495 this directive applies to all hosts, extending the number of connection attempts to each IP address.
a750e510 496
f9f44d76
AJ
497 <tag>dns_packet_max</tag>
498 <p>New setting to configure maximum number of bytes packet size to advertise via EDNS.
499 Set to "none" (the initial default) to disable EDNS large packet support.
31ef19cd 500
7eba3326 501 <tag>else</tag>
eb9b1666 502 <p>Part of conditional SMP support syntax. See <em>if</em>
7eba3326
AJ
503
504 <tag>endif</tag>
eb9b1666 505 <p>Part of conditional SMP support syntax. See <em>if</em>
7eba3326 506
a98c2da5 507 <tag>eui_lookup</tag>
2bf4e8fa 508 <p>Whether to lookup the EUI or MAC address of a connected client.
a98c2da5 509
f787354b
AJ
510 <tag>host_verify_strict</tag>
511 <p>New option to enable super-strict HTTP and DNS information match,
512 ensuring the HTTP URI details, DNS records, and TCP connection layers all match in a
513 three-legged security verification. This prevents domain hijacking or poisoning
514 attacks by malicious scripts.
515 <p>The default is to verify only intercepted traffic, to log all issues and let failed
516 traffic through when doing so can be done safely.
517
eb9b1666
AJ
518 <tag>icap_206_enable</tag>
519 <p>New option to toggle the ICAP 206 (Partial Content) responses extension.
520 Default is on.
521
7eba3326
AJ
522 <tag>if</tag>
523 <p>New conditional syntax for SMP multiple-worker.
524 If-statements can be used to make configuration directives depend on conditions.
525 <p>The else part is optional. The keywords <em>if</em>, <em>else</em> and <em>endif</em>
526 must be typed on their own lines, as if they were regular configuration directives.
527
5945964d
AJ
528 <tag>logfile_daemon</tag>
529 <p>Ported from 2.7. Specify the file I/O daemon helper to run for logging.
530
570d3f75
AJ
531 <tag>max_stale</tag>
532 <p>Places an upper limit on how stale content Squid will serve from the cache if cache validation fails
533
745114d1 534 <tag>memory_cache_mode</tag>
2bf4e8fa 535 <p>Controls which objects to keep in the memory cache (cache_mem)
745114d1
AJ
536 <verb>
537 'always' Keep most recently fetched objects in memory (default)
538
539 'disk' Only disk cache hits are kept in memory, which means
540 an object must first be cached on disk and then hit
541 a second time before cached in memory.
542
543 network Only objects fetched from network is kept in memory
544 </verb>
545
f9329b54
AJ
546 <tag>memory_cache_shared</tag>
547 <p>Controls whether the memory cache is shared among SMP workers.
548 <p>Currently, entities exceeding 32KB in size cannot be shared.
549
97b32442
AJ
550 <tag>server_idle_pconn_timeout</tag>
551 <p>Renamed from <em>pconn_timeout</em>.
552
96d64448
AJ
553 <tag>tproxy_uses_indirect_client</tag>
554 <p>Controls whether the indirect client address found in the X-Forwarded-For
555 header is used for spoofing instead of the directly connected client address.
68c0ac6f 556 Requires both <em>--enable-follow-x-forwarded-for</em> and <em>--enable-linux-netfilter</em>
96d64448 557
7eba3326
AJ
558 <tag>workers</tag>
559 <p>Number of main Squid processes or "workers" to fork and maintain.
560 In SMP mode, each worker does nearly everything that a single Squid daemon
561 does (e.g., listen on http_port and forward HTTP requests).
562 <verb>
563 0: "no daemon" mode, like running "squid -N ..."
564 1: "no SMP" mode, start one main Squid process daemon (default)
565 N: start N main Squid process daemons (i.e., SMP mode)
566 </verb>
eb9b1666
AJ
567
568 <tag>write_timeout</tag>
569 <p>New setting to limit time spent waiting for data writes to be confirmed.
745114d1
AJ
570</descrip>
571
572<sect1>Changes to existing tags<label id="modifiedtags">
573<p>
574<descrip>
2bf4e8fa 575 <tag>access_log</tag>
68c0ac6f
AJ
576 <p>New <em>stdio</em> module to send log data directly from Squid to a disk file.
577 This is the historic behaviour of Squid before logging modules were introduced, and
578 remains the default used when no module is selected.
579 It is recommended to upgrade logging to the faster <em>daemon:</em> module.
580 <p>New <em>daemon</em> module to send each log line as text data to a file I/O daemon handling the slow disk I/O.
581 New installs, or installs with no logs configured explicitly will use this module by default.
2bf4e8fa
AJ
582 <p>New <em>tcp</em> module to send each log line as text data to a TCP receiver.
583 <p>New <em>udp</em> module to send each log line as text data to a UDP receiver.
20efa1c2
AJ
584 <p>New format <em>referrer</em> to log with the format previously used by referer_log directive.
585 <p>New format <em>useragent</em> to log with the format previously used by useragent_log directive.
2bf4e8fa 586
1e40905d 587 <tag>acl : random, localip, localport</tag>
cb1b906f 588 <p>New type <em>random</em>. Pseudo-randomly match requests based on a configured probability.
1e40905d
AJ
589 <p>Renamed <em>myip</em> to <em>localip</em>. It matches the IP which the client connected to.
590 <p>Renamed <em>myport</em> to <em>localport</em>. It matches the port which the client connected to.
9d35fe37 591 <p>Ported <em>urllogin</em> option from Squid 2.7, to match a regex pattern on the URL login field (if any).
1e40905d
AJ
592 <p>The <em>localip</em>/<em>localport</em> differ from earlier releases where they matched a mix of
593 an invalid IP and port 0, the client destination IP/port or the Squid listening IP/port.
594 This definition is now consistent across all modes of traffic received by Squid.
ff3dcd10
AJ
595 <p>The <em>manager</em> ACL requires adjustment to cover new cache manager access:
596 <verb>
597 acl manager url_regex -i ^cache_object:// ^https?://[^/]+/squid-internal-mgr/
598 </verb>
cb1b906f 599
48d54e4d
AJ
600 <tag>auth_param</tag>
601 <p>New options for Basic, Digest, NTLM, Negotiate <em>children</em> settings.
602 <em>startup=N</em> determines minimum number of helper processes used.
603 <em>idle=N</em> determines how many helpers to retain as buffer against sudden traffic loads.
6739cb10
AJ
604 <em>concurrency=N</em> previously called <em>auth_param ... concurrency</em> as a separate option.
605 <p>Removed Basic, Digest, NTLM, Negotiate <em>auth_param ... concurrency</em> setting option.
f787354b 606 <p>Known Issue: NTLM and Negotiate protocols do not support concurrency. When set, this option is ignored.
48d54e4d 607
a8a33c46
A
608 <tag>cache_dir</tag>
609 <p><em>min-size</em> option ported from Squid-2
610
18191440
AJ
611 <tag>cache_peer</tag>
612 <p><em>htcp-*</em> options collapsed into <em>htcp=</em> taking an optional comma-separated list of flags.
613 The old form is deprecated but still accepted.
614
6d1dfcfc
AJ
615 <tag>cache_store_log</tag>
616 <p>Now uses logging modules. Example: stdio:/file/path
617 see <em>access_log</em> for a list of supported modules and their parameters.
618
425de4c8
AJ
619 <tag>clientside_mark</tag>
620 <p>New configuration parameter <em>clientside_mark</em>
621 <p>Allows packets leaving Squid on the client side to be marked with a Netfilter mark value in the same way as the existing clientside_tos feature.
622 <p>This feature is only available for Netfilter environments.
623
15b02e9a
AJ
624 <tag>deny_info</tag>
625 <p>Supports URL format tags, for dynamically generated URLs in denial redirects.
b5ec6228
AJ
626 <p>Support the full range of 200-599 HTTP status codes.
627 3xx status only available when redirecting to a URI.
628 Other status only available when supplying an error template body.
15b02e9a 629
a98c2da5 630 <tag>external_acl_type</tag>
48d54e4d
AJ
631 <p>New format tags and option parameters:
632 <p><em>%SRCEUI48</em> EUI-48 / MAC address of client from ARP lookup.
633 <p><em>%SRCEUI64</em> EUI-64 of clients with SLAAC address.
99e4ad67
JB
634 <p><em>%EXT_LOG</em> log= message returned by previous external ACL calls. An updated version may be returned.
635 <p><em>%EXT_TAG</em> tag= value returned by previous external ACL calls. Tag may not be altered once set.
48d54e4d
AJ
636 <p><em>children-max=N</em> determines maximum number of helper processes used.
637 <p><em>children-startup=N</em> determines minimum number of helper processes used.
638 <p><em>children-idle=N</em> determines how many helpers to retain as buffer against sudden traffic loads.
639 <p>Deprecated <em>children=N</em> in favor of <em>children-max=N</em>.
a98c2da5 640
cf673853 641 <tag>http_port act-as-origin vhost no-vhost</tag>
90fa5816
AJ
642 <p><em>act-as-origin</em> ported from 2.7.
643 This option corrects several HTTP header issues when operating as a reverse proxy and cache.
644 Notably the externally visible aging of objects stored in the server-side cache.
cf673853
AJ
645 <p><em>vhost</em> is deprecated. <em>accel</em> mode, reverse proxy, now defaults to always enable HTTP/1.1 virtual domain support.
646 <p><em>no-vhost</em> option is added to disable the new reverse proxy behaviour.
90fa5816 647
4b67fbe0
AR
648 <tag>icap_send_client_ip</tag>
649 <p>Deprecated in favor of adaptation_send_client_ip
650 which applies to both ICAP and eCAP.</p>
651
652 <tag>icap_send_client_username</tag>
653 <p>Deprecated in favor of adaptation_send_username
654 which applies to both ICAP and eCAP.</p>
655
656 <tag>icap_uses_indirect_client</tag>
657 <p>Deprecated in favor of adaptation_uses_indirect_client
658 which applies to both ICAP and eCAP.</p>
659
17fde513 660 <tag>logformat</tag>
8652f8e7 661 <p><em>%&lt;a</em> Server or Peer IP address from the last server connection (next hop).
a81febfd
AJ
662 <p><em>%&gt;bs</em> Number of HTTP-equivalent message body bytes received from the next hop.
663 <p><em>icap::%&gt;bs</em> Number of message body bytes received from the ICAP server.
17fde513 664 <p><em>%sn</em> Unique sequence number per log line. Ported from 2.7
8652f8e7 665 <p><em>%&gt;eui</em> EUI logging (EUI-48 / MAC address for IPv4, EUI-64 for IPv6).
a98c2da5 666 Both EUI forms are logged in the same field. Type can be identified by length or byte delimiter.
8652f8e7 667 <p><em>%err_code</em> The ID of an error response served by Squid or a similar internal error identifier
5da0c0ca 668 <p><em>%err_detail</em> Additional err_code-dependent error information.
8652f8e7
AJ
669 <p><em>%&gt;la</em> Rename of %la to indicate being a client connection detail.
670 <p><em>%&gt;lp</em> Rename of %lp to indicate being a client connection detail.
671 <p><em>%&lt;p</em> Server or Peer port number from the last server connection (next hop).
17fde513 672
2d94c829
AJ
673 <tag>memory_pools_limit</tag>
674 <p>Memory limits have been revised and corrected from 3.1.4 onwards.
675 <p>Please check and update your squid.conf to use the text <em>none</em> for no limit instead of the old 0 (zero).
676 <p>All users upgrading need to be aware that from Squid-3.3 setting this option to 0 (zero) will mean zero bytes of memory get pooled.
677
425de4c8
AJ
678 <tag>qos_flows</tag>
679 <p>New options <em>mark</em> and <em>tos</em> and <em>miss</em>
680 <p><em>tos</em> retains the original QOS functionality of the IP header TOS field.
681 <p><em>mark</em> offers the same functionality, but with a netfilter mark value.
682 <p>These options should be placed immediately after qos_flows.
683 <p>The <em>tos</em> value is optional in order to maintain backwards compatibility.
684 <p>The preserve-miss functionality is available with the <em>mark</em> option and requires no kernel patching.
685 It does, however, require libnetfilter_conntrack.
686 This will be included by default if available (see the --without-netfilter-conntrack configure option for more details).
687 <p><em>miss</em> sets a value for a cache miss. It is available for both the tos and mark options and takes precedence over the preserve-miss feature.
688
e5308a1f
AJ
689 <tag>range_offset_limit</tag>
690 <p>Added ACL support for control over when the limit applies and when it is avoided.
691
570d3f75
AJ
692 <tag>refresh_pattern</tag>
693 <p>New option <em>max-stale=</em> to provide a maximum staleness factor. Squid won't
694 serve objects more stale than this even if it failed to validate the object.
362d74b6
AJ
695 <p>Removed option <em>ignore-no-cache</em>. Its commonly desired behaviour is obsoleted
696 by correct HTTP/1.1 Cache-Control:no-cache handling.
570d3f75 697
8ca98847 698 <tag>reply_header_access</tag>
c694236b 699 <p>Added support for custom response header names.</p>
8ca98847
AJ
700
701 <tag>request_header_access</tag>
c694236b 702 <p>Added support for custom request header names.</p>
8ca98847
AJ
703
704 <tag>reply_header_replace</tag>
c694236b 705 <p>Added support for custom response header names.</p>
8ca98847
AJ
706
707 <tag>request_header_replace</tag>
c694236b 708 <p>Added support for custom request header names.</p>
8ca98847 709
6d44d1e9
AJ
710 <tag>tcp_outgoing_address</tag>
711 <p>This parameter is now compatible with persistent server connections.
2dd51400 712 The IPv6 magic 'to_ipv6' hacks needed in 3.1 are now no longer necessary.
6d44d1e9 713
425de4c8
AJ
714 <tag>tcp_outgoing_mark</tag>
715 <p>New configuration parameter <em>tcp_outgoing_mark</em>
716 <p>Allows packets leaving Squid on the server side to be marked with a Netfilter mark value in the same way as the existing tcp_outgoing_tos feature.
717 <p>This feature is only available for Netfilter environments.
718
719 <tag>tcp_outgoing_tos</tag>
720 <p>This parameter is now compatible with persistent server connections.
721
48d54e4d 722 <tag>url_rewrite_children</tag>
1d7e0d63
AJ
723 <p>New options <em>startup=N</em>, <em>idle=N</em>, <em>concurrency=N</em>
724 <itemize>
725 <item>startup=N allows finer tuning of how many helpers are started initially.
726 <item>idle=N allows fine tuning of how many helpers to retain as buffer against sudden traffic loads.
727 <item>concurrency=N was previously called url_rewrite_concurrency as a distinct directive.
728 </itemize>
48d54e4d 729
5945964d
AJ
730 <tag>windows_ipaddrchangemonitor</tag>
731 <p>Now only available to be set in Windows builds.
732
745114d1
AJ
733</descrip>
734
735
736<sect1>Removed tags<label id="removedtags">
737<p>
738<descrip>
488e6901
AJ
739 <tag>dns_v4_fallback</tag>
740 <p>Obsolete. Replaced by DNS parallel lookups.
741
20efa1c2
AJ
742 <tag>emulate_httpd_log</tag>
743 <p>Replaced by <em>common</em> format option on an <em>access_log</em> directive.
744
745 <tag>forward_log</tag>
746 <p>Obsolete.
747
0477a072
AJ
748 <tag>ftp_list_width</tag>
749 <p>Obsolete.
745114d1 750
eb9b1666
AJ
751 <tag>ignore_expect_100</tag>
752 <p>Obsolete.
753
c581e96b
AJ
754 <tag>log_fqdn</tag>
755 <p>Obsolete. Replaced by automatic detection of the %>A logformat tag.
756
8652f8e7
AJ
757 <tag>log_ip_on_direct</tag>
758 <p>Obsolete. Use a custom log with <em>%&lt;A</em> format tag to receive server FQDN or peer name.
759
31ef19cd
AJ
760 <tag>maximum_single_addr_tries</tag>
761 <p>The behaviour controlled by this directive is no longer possible.
9c8a6c3b 762 It has been replaced by <em>connect_retries</em> option which operates a little differently.
31ef19cd 763
97b32442
AJ
764 <tag>pconn_timeout</tag>
765 <p>Renamed to <em>server_idle_pconn_timeout</em>
766
767 <tag>persistent_request_timeout</tag>
768 <p>Renamed to <em>client_idle_pconn_timeout</em>
769
20efa1c2
AJ
770 <tag>referer_log</tag>
771 <p>Replaced by the <em>referrer</em> format option on an <em>access_log</em> directive.
772
48d54e4d
AJ
773 <tag>url_rewrite_concurrency</tag>
774 <p>Replaced by url_rewrite_children ... concurrency=N option.
775
20efa1c2
AJ
776 <tag>useragent_log</tag>
777 <p>Replaced by the <em>useragent</em> format option on an <em>access_log</em> directive.
745114d1
AJ
778</descrip>
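A migration check for the directive changes listed above, as an added example that is not part of the Squid release notes or the Squid code base: it scans a squid.conf for the removed tags in this section and for a few of the changed ones (the manager ACL, myip/myport, auth_param concurrency, children=, ignore-no-cache, memory_pools_limit 0). The sample configuration, its ACL names and the helper path are constructed for illustration.

```python
# Directive -> advice, taken from the "Removed tags" list in these notes.
REMOVED = {
    "dns_v4_fallback": "obsolete; replaced by DNS parallel lookups",
    "emulate_httpd_log": "use the 'common' format on access_log",
    "forward_log": "obsolete",
    "ftp_list_width": "obsolete",
    "ignore_expect_100": "obsolete",
    "log_fqdn": "obsolete; %>A in logformat is detected automatically",
    "log_ip_on_direct": "obsolete; use a custom log with %<A",
    "maximum_single_addr_tries": "replaced by connect_retries (behaves differently)",
    "pconn_timeout": "renamed to server_idle_pconn_timeout",
    "persistent_request_timeout": "renamed to client_idle_pconn_timeout",
    "referer_log": "use the 'referrer' format on access_log",
    "url_rewrite_concurrency": "use url_rewrite_children ... concurrency=N",
    "useragent_log": "use the 'useragent' format on access_log",
}
RENAMED_ACL_TYPES = {"myip": "localip", "myport": "localport"}

# Constructed squid.conf fragment (not from the release notes); helper path is hypothetical.
SAMPLE = """\
# carried over from an older install
acl manager proto cache_object
acl to_me myip 192.0.2.10
http_access allow manager localhost
http_access deny manager
auth_param basic concurrency 4
external_acl_type grp children=5 %LOGIN /usr/local/bin/grp_helper
refresh_pattern . 0 20% 4320 ignore-no-cache
memory_pools_limit 0
pconn_timeout 1 minute
referer_log /var/log/squid/referer.log
"""

def lint(conf_text):
    """Return sorted (line_number, directive, advice) tuples for settings these notes changed."""
    findings, manager_lines = [], []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        if name in REMOVED:
            findings.append((n, name, REMOVED[name]))
        elif name == "acl" and len(args) >= 2:
            if args[0] == "manager":
                manager_lines.append((n, line))
            if args[1] in RENAMED_ACL_TYPES:
                findings.append((n, name, f"type {args[1]} renamed to {RENAMED_ACL_TYPES[args[1]]}"))
        elif name == "auth_param" and len(args) >= 2 and args[1] == "concurrency":
            findings.append((n, name, "removed; use 'children ... concurrency=N'"))
        elif name == "external_acl_type" and any(a.startswith("children=") for a in args):
            findings.append((n, name, "children=N deprecated in favor of children-max=N"))
        elif name == "refresh_pattern" and "ignore-no-cache" in args:
            findings.append((n, name, "ignore-no-cache option removed"))
        elif name == "memory_pools_limit" and args[:1] == ["0"]:
            findings.append((n, name, "use 'none' for no limit; from Squid-3.3, 0 means zero bytes pooled"))
    # The manager ACL may span several lines; judge it once all of them are seen.
    if manager_lines and not any("squid-internal-mgr" in text for _, text in manager_lines):
        findings.append((manager_lines[0][0], "acl",
                         "manager ACL does not cover /squid-internal-mgr/ URLs"))
    return sorted(findings)

if __name__ == "__main__":
    for lineno, directive, advice in lint(SAMPLE):
        print(f"line {lineno}: {directive}: {advice}")
```

The manager check matters most for access control: rules such as <em>http_access deny manager</em> only restrict the new cache manager URLs once the ACL includes the squid-internal-mgr pattern given under "Changes to existing tags".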
779
780
781<sect>Changes to ./configure options since Squid-3.1
782<p>
783There have been some changes to Squid's build configuration since Squid-3.1.
784
785This section gives an account of those changes in three categories:
786
787<itemize>
788 <item><ref id="newoptions" name="New options">
789 <item><ref id="modifiedoptions" name="Changes to existing options">
790 <item><ref id="removedoptions" name="Removed options">
791</itemize>
792
793
794<sect1>New options<label id="newoptions">
795<p>
796<descrip>
68c0ac6f
AJ
797 <tag>--enable-auth-basic[=HELPERS]</tag>
798 <p>Specified without any parameters all helpers will be auto-built.
b9c250bf 799 <p>With an explicit empty list <em>=""</em> protocol support will be built but no helpers.
68c0ac6f
AJ
800 <p>With an explicit list protocol support and just those helpers will be built.
801
802 <tag>--enable-auth-digest[=HELPERS]</tag>
803 <p>Specified without any parameters all helpers will be auto-built.
b9c250bf 804 <p>With an explicit empty list <em>=""</em> protocol support will be built but no helpers.
68c0ac6f
AJ
805 <p>With an explicit list protocol support and just those helpers will be built.
806
807 <tag>--enable-auth-negotiate</tag>
808 <p>Specified without any parameters all helpers will be auto-built.
b9c250bf 809 <p>With an explicit empty list <em>=""</em> protocol support will be built but no helpers.
68c0ac6f
AJ
810 <p>With an explicit list protocol support and just those helpers will be built.
811
812 <tag>--enable-auth-ntlm</tag>
813 <p>Specified without any parameters all helpers will be auto-built.
b9c250bf 814 <p>With an explicit empty list <em>=""</em> protocol support will be built but no helpers.
68c0ac6f
AJ
815 <p>With an explicit list protocol support and just those helpers will be built.
816
b9c250bf
AJ
817 <tag>--enable-build-info</tag>
818 <p>Add an additional string in the output of "squid -v".
819
ee0927b6
AJ
820 <tag>--enable-eui</tag>
821 <p>Enable support for handling EUI operations.
822 This includes ARP lookups for MAC (EUI-48) addresses and the ACL arp type tests.
823
68c0ac6f 824 <tag>--enable-log-daemon-helpers</tag>
2bf4e8fa
AJ
825 <p>Build helpers for logging I/O.
826
dfeb186b
AJ
827 <tag>--enable-url-rewrite-helpers</tag>
828 <p>Build helpers for some basic URL-rewrite actions. For use by url_rewrite_program.
829 If omitted or set to =all then all bundled helpers that are able to build will be built.
830 If set to a specific list of helpers then only those helpers will build.
831 Currently one demo helper <em>fake</em> is provided in shell and C++ forms to demonstrate
832 the helper protocol usage and provide exemplar code.
745114d1 833
bf52b026
AJ
834 <tag>--with-swapdir=PATH</tag>
835 <p>Location to display in documentation for the default cache.
836 Updated to indicate /var/cache/squid in accordance with the filesystem layout standards.
837 Squid-3 no longer builds an implicit disk cache at this location, so the change is not expected
838 to have any effect on existing builds other than fixing some mysterious lack of core dumps.
839 The old /var/cache location was often non-writable which blocked core dump creation.
840
425de4c8
AJ
841 <tag>--without-netfilter-conntrack</tag>
842 <p>Disables the libnetfilter_conntrack library being used for the new qos_flows option <em>mark</em>.
843 Default is to auto-detect the library and use it where available.
745114d1
AJ
844</descrip>
845
846<sect1>Changes to existing options<label id="modifiedoptions">
847<p>
848<descrip>
68c0ac6f 849 <tag>--enable-auth</tag>
5945964d 850 <p>No longer takes a list of arguments. This option now is restricted to building Squid with or without authentication support.
68c0ac6f 851 <p>The new <em>--enable-auth-X</em>/<em>--disable-auth-X</em> parameters determine which authentication protocols and helpers are built.
6739cb10 852
745114d1
AJ
853</descrip>
854</p>
855
856<sect1>Removed options<label id="removedoptions">
857<p>
858<descrip>
ee0927b6
AJ
859 <tag>--enable-arp-acl</tag>
860 <p>Replaced by --enable-eui
745114d1 861
68c0ac6f
AJ
862 <tag>--enable-auth-basic-helpers</tag>
863 <p>Replaced by <em>--enable-auth-basic</em>.
864
865 <tag>--enable-auth-digest-helpers</tag>
866 <p>Replaced by <em>--enable-auth-digest</em>.
867
868 <tag>--enable-auth-negotiate-helpers</tag>
869 <p>Replaced by <em>--enable-auth-negotiate</em>.
870
871 <tag>--enable-auth-ntlm-helpers</tag>
872 <p>Replaced by <em>--enable-auth-ntlm</em>.
873
20efa1c2
AJ
874 <tag>--enable-referer-log</tag>
875 <p>Obsolete.
876
877 <tag>--enable-useragent-log</tag>
878 <p>Obsolete.
879
745114d1
AJ
880</descrip>
881
882
883<sect>Options Removed since Squid-2
884
885<p>Some squid.conf and ./configure options which were available in Squid-2.6 and Squid-2.7 are made obsolete in Squid-3.2.
886
887<sect1>Removed squid.conf options since Squid-2.7
888<p>
889<descrip>
890 <tag>auth_param</tag>
891 <p><em>blankpassword</em> option for basic scheme removed.
892
6d44d1e9
AJ
893 <tag>authenticate_ip_shortcircuit_access</tag>
894 <p>Not safe for general use.
895 An external_acl_type helper may be used to bypass authentication if that is suitable.
896
897 <tag>authenticate_ip_shortcircuit_ttl</tag>
898 <p>Not safe for general use.
899 An external_acl_type helper may be used to bypass authentication if that is suitable.
900
862d667e
AJ
901 <tag>cache_peer</tag>
902 <p><em>http11</em> Obsolete.
903
745114d1
AJ
904 <tag>external_acl_type</tag>
905 <p>Format tag <em>%{Header}</em> replaced by <em>%>{Header}</em>
906 <p>Format tag <em>%{Header:member}</em> replaced by <em>%>{Header:member}</em>
907
908 <tag>header_access</tag>
909 <p>Replaced by <em>request_header_access</em> and <em>reply_header_access</em>
910
911 <tag>http_port</tag>
912 <p><em>no-connection-auth</em> replaced by <em>connection-auth=[on|off]</em>. Default is ON.
913 <p><em>transparent</em> option replaced by <em>intercept</em>
2bf4e8fa 914 <p><em>http11</em> obsolete.
745114d1 915
533493da 916 <tag>http_access2</tag>
862d667e 917 <p>Replaced by <em>adapted_http_access</em>
533493da 918
745114d1
AJ
919 <tag>httpd_accel_no_pmtu_disc</tag>
920 <p>Replaced by <em>http_port disable-pmtu-discovery=</em> option
921
922 <tag>incoming_rate</tag>
923 <p>Obsolete.
924
925 <tag>redirector_bypass</tag>
926 <p>Replaced by <em>url_rewrite_bypass</em>
927
862d667e
AJ
928 <tag>server_http11</tag>
929 <p>Obsolete.
930
82b7abe3
AJ
931 <tag>upgrade_http0.9</tag>
932 <p>Obsolete.
933
745114d1
AJ
934 <tag>zph_local</tag>
935 <p>Replaced by <em>qos_flows local-hit=</em>
936
937 <tag>zph_mode</tag>
938 <p>Obsolete.
939
940 <tag>zph_option</tag>
941 <p>Obsolete.
942
943 <tag>zph_parent</tag>
944 <p>Replaced by <em>qos_flows parent-hit=</em>
945
946 <tag>zph_sibling</tag>
947 <p>Replaced by <em>qos_flows sibling-hit=</em>
948
949</descrip>
950
951<sect1>Removed squid.conf options since Squid-2.6
952<p>
953<descrip>
c72a2049
AJ
954 <tag>acl</tag>
955 <p><em>urlgroup</em> type removed. Use <em>myportname</em> type instead.
956
745114d1
AJ
957 <tag>cache_dir</tag>
958 <p><em>read-only</em> option replaced by <em>no-store</em>.
959
c72a2049
AJ
960 <tag>http_port</tag>
961 <p><em>urlgroup=</em> removed. Use <em>name=</em> feature instead.
962
963 <tag>zero_buffers</tag>
964 <p>Replaced by native support.
965
745114d1
AJ
966</descrip>
967
968<sect1>Removed ./configure options since Squid-2.7
969<p>
970<descrip>
971 <tag>--enable-coss-aio-ops</tag>
972 <p>Obsolete.
973
974 <tag>--enable-devpoll</tag>
975 <p>Replaced by automatic detection.
976
977 <tag>--enable-dlmalloc=LIB</tag>
978 <p>Obsolete.
979
980 <tag>--enable-epoll</tag>
981 <p>Replaced by automatic detection.
982
983 <tag>--enable-forward-log</tag>
984 <p>Obsolete.
985
986 <tag>--enable-heap-replacement</tag>
987 <p>Obsolete.
988
989 <tag>--enable-htcp</tag>
990 <p>Obsolete. Enabled by default.
991
992 <tag>--enable-large-cache-files</tag>
993 <p>Obsolete.
994
995 <tag>--enable-mempool-debug</tag>
996 <p>Obsolete.
997
998 <tag>--enable-multicast-miss</tag>
999 <p>Obsolete.
1000
1001 <tag>--enable-poll</tag>
1002 <p>Replaced by automatic detection.
1003
1004 <tag>--enable-select</tag>
1005 <p>Replaced by automatic detection.
1006
1007 <tag>--enable-select-simple</tag>
1008 <p>Replaced by automatic detection.
1009
1010 <tag>--enable-snmp</tag>
1011 <p>Obsolete. Enabled by default.
1012
1013 <tag>--enable-truncate</tag>
1014 <p>Obsolete.
1015
1016 <tag>--disable-kqueue</tag>
1017 <p>Obsolete. Disabled by default.
1018
c72a2049
AJ
1019 <tag>--without-system-md5</tag>
1020 <p>Obsolete. Disabled by default.
1021
745114d1
AJ
1022</descrip>
1023
1024
1025<sect>Regressions since Squid-2.7
1026
1027<p>Some squid.conf and ./configure options which were available in Squid-2.7 are not yet available in Squid-3.2
1028
1029<p>If you need something to do then porting one of these from Squid-2 to Squid-3 is most welcome.
1030
1031<sect1>Missing squid.conf options available in Squid-2.7
1032<p>
1033<descrip>
745114d1
AJ
1034 <tag>broken_vary_encoding</tag>
1035 <p>Not yet ported from 2.6
1036
1037 <tag>cache_dir</tag>
745114d1
AJ
1038 <p><em>COSS</em> storage type is lacking stability fixes from 2.6
1039 <p>COSS <em>overwrite-percent=</em> option not yet ported from 2.6
1040 <p>COSS <em>max-stripe-waste=</em> option not yet ported from 2.6
1041 <p>COSS <em>membufs=</em> option not yet ported from 2.6
1042 <p>COSS <em>maxfullbufs=</em> option not yet ported from 2.6
1043
1044 <tag>cache_peer</tag>
745114d1 1045 <p><em>idle=</em> not yet ported from 2.7
745114d1
AJ
1046 <p><em>monitorinterval=</em> not yet ported from 2.6
1047 <p><em>monitorsize=</em> not yet ported from 2.6
1048 <p><em>monitortimeout=</em> not yet ported from 2.6
1049 <p><em>monitorurl=</em> not yet ported from 2.6
1050
1051 <tag>cache_vary</tag>
1052 <p>Not yet ported from 2.6
1053
1054 <tag>collapsed_forwarding</tag>
1055 <p>Not yet ported from 2.6
1056
1057 <tag>error_map</tag>
1058 <p>Not yet ported from 2.6
1059
1060 <tag>external_acl_type</tag>
1061 <p><em>%ACL</em> format tag not yet ported from 2.6
1062 <p><em>%DATA</em> format tag not yet ported from 2.6
1063
1064 <tag>external_refresh_check</tag>
1065 <p>Not yet ported from 2.7
1066
745114d1
AJ
1067 <tag>ignore_ims_on_miss</tag>
1068 <p>Not yet ported from 2.7
1069
1070 <tag>location_rewrite_access</tag>
1071 <p>Not yet ported from 2.6
1072
1073 <tag>location_rewrite_children</tag>
1074 <p>Not yet ported from 2.6
1075
1076 <tag>location_rewrite_concurrency</tag>
1077 <p>Not yet ported from 2.6
1078
1079 <tag>location_rewrite_program</tag>
1080 <p>Not yet ported from 2.6
1081
745114d1
AJ
1082 <tag>refresh_pattern</tag>
1083 <p><em>stale-while-revalidate=</em> not yet ported from 2.7
1084 <p><em>ignore-stale-while-revalidate=</em> not yet ported from 2.7
745114d1
AJ
1085 <p><em>negative-ttl=</em> not yet ported from 2.7
1086
1087 <tag>refresh_stale_hit</tag>
1088 <p>Not yet ported from 2.7
1089
745114d1
AJ
1090 <tag>storeurl_access</tag>
1091 <p>Not yet ported from 2.7
1092
1093 <tag>storeurl_rewrite_children</tag>
1094 <p>Not yet ported from 2.7
1095
1096 <tag>storeurl_rewrite_concurrency</tag>
1097 <p>Not yet ported from 2.7
1098
1099 <tag>storeurl_rewrite_program</tag>
1100 <p>Not yet ported from 2.7
1101
1102 <tag>update_headers</tag>
c72a2049 1103 <p>Not yet fully ported from 2.7. Memory and rock storage caches support this natively. UFS caches do not support it.
745114d1
AJ
1104
1105</descrip>
745114d1 1106</article>