Commit | Line | Data |
---|---|---|
f2c46e40 AJ |
1 | <!doctype linuxdoc system> |
2 | <article> | |
3 | <title>Squid 3.5.0.0 release notes</title> | |
4 | <author>Squid Developers</author> | |
5 | ||
6 | <abstract> | |
7 | This document contains the release notes for version 3.5 of Squid. | |
8 | Squid is a WWW Cache application developed by the National Laboratory | |
9 | for Applied Network Research and members of the Web Caching community. | |
10 | </abstract> | |
11 | ||
12 | <toc> | |
13 | ||
14 | <sect>Notice | |
15 | <p> | |
16 | The Squid Team are pleased to announce the release of Squid-3.5.0.0 for testing. | |
17 | ||
18 | This new release is available for download from <url url="http://www.squid-cache.org/Versions/v3/3.5/"> or the | |
19 | <url url="http://www.squid-cache.org/Mirrors/http-mirrors.html" name="mirrors">. | |
20 | ||
e0dbeeb6 | 21 | <p>While this release is not deemed ready for production use, we believe it is ready for wider testing by the community. |
f2c46e40 | 22 | |
e0dbeeb6 AJ |
23 | <p>We welcome feedback and bug reports. If you find a bug, please see <url url="http://wiki.squid-cache.org/SquidFaq/BugReporting"> |
24 | for how to submit a report with a stack trace. | |
f2c46e40 AJ |
25 | |
26 | <sect1>Known issues | |
27 | <p> | |
28 | Although this release is deemed good enough for use in many setups, please note the existence of | |
29 | <url url="http://bugs.squid-cache.org/buglist.cgi?query_format=advanced&product=Squid&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&version=3.5" name="open bugs against Squid-3.5">. | |
30 | ||
31 | <sect1>Changes since earlier releases of Squid-3.5 | |
32 | <p> | |
33 | The 3.5 change history can be <url url="http://www.squid-cache.org/Versions/v3/3.5/changesets/" name="viewed here">. | |
34 | ||
e8a16b1a AJ |
35 | <sect1>Copyright disclaimer adjustments |
36 | <p>Squid sources are now administered by the Squid Software Foundation on | |
37 | behalf of the Squid Project and community. | |
38 | ||
39 | <p>This version of Squid contains initial changes to streamline copyright | |
40 | declarations in Squid sources and related metafiles. No functionality | |
41 | or licensing changes are intended. | |
42 | ||
43 | <p>Once completed, the changes will consistently declare Squid contributors | |
44 | (listed in CONTRIBUTORS and represented by the Squid Software Foundation) as | |
45 | Squid copyright owners while referring the reader to the COPYING file for GPL | |
46 | licensing details. The boilerplate with the above information is provided. | |
47 | ||
48 | <p>These changes do not affect copyright rights of individuals or organizations. | |
49 | We are simply confirming the fact that there are many Squid copyright owners, | |
50 | just like there are many Linux kernel copyright owners. We are also providing | |
51 | a simple, consistent way to document that fact. | |
52 | ||
f2c46e40 AJ |
53 | |
54 | <sect>Major new features since Squid-3.4 | |
55 | <p>Squid 3.5 represents a new feature release above 3.4. | |
56 | ||
57 | <p>The most important of these new features are: | |
58 | <itemize> | |
59 | <item>Support libecap v1.0 | |
4e022adf | 60 | <item>Authentication helper query extensions |
27dad1a3 AJ |
61 | <item>Support named services |
62 | <item>Upgraded squidclient tool | |
63 | <item>Helper support for concurrency channels | |
b3cb9958 | 64 | <item>Native FTP Relay |
a5b14a8c | 65 | <item>Receive PROXY protocol, Versions 1 & 2 |
f2c46e40 AJ |
66 | </itemize> |
67 | ||
68 | Most user-facing changes are reflected in squid.conf (see below). | |
69 | ||
70 | ||
71 | <sect1>Support libecap v1.0 | |
72 | <p>Details at <url url="http://wiki.squid-cache.org/Features/BLAH">. | |
73 | ||
74 | <p>The new libecap version allows Squid to better check the version of | |
75 | the eCAP adapter being loaded as well as the version of the eCAP library | |
76 | being used. | |
77 | ||
78 | <p>Squid-3.5 can support eCAP adapters built with libecap v1.0, | |
79 | but no longer supports adapters built with earlier libecap versions | |
80 | due to API changes. | |
81 | ||
82 | ||
4e022adf AJ |
83 | <sect1>Authentication helper query extensions |
84 | <p>Details at <url url="http://www.squid-cache.org/Doc/config/auth_param/">. | |
85 | ||
86 | <p>The new <em>key_extras</em> parameter allows sending of additional | |
87 | details to the authentication helper beyond the minimum required for | |
88 | the HTTP authentication. This is primarily intended to allow switching | |
89 | of authentication databases based on criteria such as client IP subnet, | |
90 | Squid receiving port, or in reverse-proxy the requested domain name. | |
91 | ||
92 | <p>In theory any <em>logformat</em> code may be used, however only the | |
93 | codes which have available details at the time of authentication | |
94 | will send any meaningful detail. | |
95 | ||
96 | ||
27dad1a3 AJ |
97 | <sect1>Support named services |
98 | <p>Details at <url url="http://wiki.squid-cache.org/MultipleInstances">. | |
99 | <p>Terminology details at <url url="http://wiki.squid-cache.org/Features/SmpScale#Terminology">. | |
100 | ||
101 | <p>The command line option <em>-n</em> assigns a name to the Squid service | |
102 | instance to be used as a unique identifier for all SMP processes run as | |
103 | part of that instance. This allows multiple instances of Squid service to | |
104 | be run on a single machine without background SMP systems such as shared | |
105 | memory and inter-process communication becoming confused or requiring | |
106 | additional configuration. | |
107 | ||
108 | <p>A service name is always used. When the <em>-n</em> option is missing | |
109 | from the command line the default service name is <em>squid</em>. | |
110 | ||
111 | <p>When multiple instances are being run the <em>-n</em> service name is | |
112 | required to target all other options such as <em>-z</em> or <em>-k</em> | |
113 | commands at the correct service. | |
114 | ||
115 | <p>The squid.conf macro ${service_name} is added to provide the service name | |
116 | of the process parsing the config. | |
117 | ||
118 | ||
119 | <sect1>Upgraded squidclient tool | |
120 | <p>The <em>squidclient</em> has begun the process of upgrading to support | |
121 | protocols other than HTTP. | |
122 | ||
123 | <sect2>Debug levels | |
124 | <p>The tool displays the server response message on STDOUT unless the <em>-q</em> | |
125 | command line option is used. Error messages will be output to STDERR. | |
126 | All other possible output is considered debug and output to STDERR using | |
127 | a range of debug verbosity levels (currently 1, 2 and 3). | |
128 | ||
129 | <p>When the <em>-v</em> command line option is used debugging is enabled. | |
130 | The level of debug display is raised for each repetition of the option. | |
131 | ||
132 | <sect2>PING | |
133 | <p>When <em>--ping</em> is given the tool will send its message repeatedly | |
134 | using whichever protocol that message has been formatted for. | |
135 | Optional parameters to limit the number of pings and their frequency are | |
136 | available. | |
137 | ||
138 | <p>Older tool versions also provide this feature but require the loop count | |
139 | parameter to be set to enable use of the feature. | |
140 | ||
141 | <sect2>HTTPS | |
142 | <p>When Squid is built with the GnuTLS encryption library the tool is able | |
143 | to open TLS (or SSL/3.0) connections to servers. | |
144 | ||
ae06fcd7 | 145 | <p>The <em>--https</em> option enables TLS using default values. |
27dad1a3 | 146 | |
ae06fcd7 | 147 | <p>The <em>--cert</em> option specifies a file containing X.509 client |
27dad1a3 AJ |
148 | certificate and private key in PEM format to be loaded for use. Multiple |
149 | certificates are supported and the option may be used multiple times to | |
150 | load certificates. | |
151 | The default is not to use a client certificate. | |
152 | ||
153 | <p>The <em>--params</em> option specifies a library specific set of parameters | |
154 | to be sent to the library for configuring the security context. | |
155 | See <url url="http://gnutls.org/manual/html_node/Priority-Strings.html"> for | |
156 | available GnuTLS parameters. | |
157 | ||
158 | <p>The <em>--trusted-ca</em> option specifies a file in PEM format containing | |
159 | one or more Certificate Authority (CA) certificates used to verify the | |
160 | remote server. This option may be used multiple times to load additional | |
161 | CA certificate lists. | |
162 | The default is not to use any CA, nor trust any server. | |
163 | ||
164 | <p>Anonymous TLS (using non-authenticated Diffie-Hellman or Elliptic Curve | |
165 | encryption) is available with the <em>--anonymous-tls</em> option. | |
166 | The default is to use X.509 certificate encryption instead. | |
167 | ||
168 | <p>When performing TLS/SSL, server certificates are always verified and the | |
169 | results are shown at debug level 3. The encryption type is displayed at debug | |
170 | level 2 and the connection is used to send and receive the messages | |
171 | regardless of verification results. | |
172 | ||
173 | ||
174 | <sect1>Helper support for concurrency channels | |
175 | <p>Helper concurrency greatly reduces the communication lag between Squid | |
176 | and its helpers allowing faster transaction speeds even on sequential | |
177 | helpers. | |
178 | ||
f80c51ec AJ |
179 | <p>The Digest authentication, Store-ID, and URL-rewrite helpers packaged |
180 | with Squid have been updated to support concurrency channels. They will | |
181 | auto-detect the <em>channel-ID</em> field and will produce the appropriate | |
182 | response format. | |
183 | With these helpers concurrency may now be set to 0 or any higher number as desired. | |
27dad1a3 AJ |
184 | |
185 | ||
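The helper side of a concurrency channel, as an added example in Python (not one of the helpers packaged with Squid): a Store-ID helper that auto-detects the channel-ID in the "[channel-ID] url [extras]" input format given under store_id_extras in these notes and echoes it back. The OK/ERR/BH result codes and the store-id= key follow Squid's helper protocol documentation rather than anything stated in these notes; the mirror host names and the GET-only rule are constructed for illustration.

```python
import re
import sys

# Constructed rule: every numbered mirror of one package host shares a cache key.
# The pattern is matched against the whole URL so look-alike hosts cannot collide.
MIRROR = re.compile(r"http://mirror\d+\.example\.net(/pkg/[^\s?#]+)")
STORE_HOST = "http://mirrors.example.net.squid.internal"


def split_request(line):
    """Split '[channel-ID] url [extras]' into (channel, url, extras list)."""
    tokens = line.split()
    channel = None
    # With concurrency enabled the line starts with a numeric channel-ID.
    # A URL token is never purely digits, so that is the detection rule used here.
    if tokens and tokens[0].isdigit():
        channel = tokens.pop(0)
    url = tokens[0] if tokens else None
    return channel, url, tokens[1:]


def parse_extras(extras):
    """Decode the default extras '%>a/%>A %un %>rm myip=%la myport=%lp'."""
    info = {}
    if len(extras) >= 3:
        info["client"], info["user"], info["method"] = extras[:3]
    for item in extras[3:]:
        key, sep, value = item.partition("=")
        if sep:
            info[key] = value
    return info


def handle_line(line):
    """Return the reply for one request, prefixed with the channel-ID if one was sent."""
    channel, url, extras = split_request(line)
    prefix = channel + " " if channel is not None else ""
    if url is None:
        return prefix + "BH message=empty-request"
    info = parse_extras(extras)
    match = MIRROR.fullmatch(url)
    # Only collapse GET requests; when no extras were sent the method is unknown
    # and is treated as GET.
    if match and info.get("method", "GET") == "GET":
        return prefix + "OK store-id=" + STORE_HOST + match.group(1)
    return prefix + "ERR"  # no Store-ID change for this URL


# Constructed sample requests: with channel-ID, without, and a look-alike host.
SAMPLE_LINES = [
    "7 http://mirror2.example.net/pkg/foo.tar.gz 192.0.2.50/- - GET myip=192.0.2.1 myport=3128",
    "http://mirror1.example.net/pkg/foo.tar.gz 192.0.2.50/- - GET myip=192.0.2.1 myport=3128",
    "9 http://mirror1.example.net.evil.example/pkg/foo.tar.gz 192.0.2.50/- - GET myip=192.0.2.1 myport=3128",
]

if __name__ == "__main__":
    for request in sys.stdin:
        sys.stdout.write(handle_line(request) + "\n")
        sys.stdout.flush()  # Squid waits for each reply, so never buffer them
```

Because each reply carries the channel-ID of its request, the same helper works whether the configured concurrency is 0 or higher.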
b3cb9958 AR |
186 | <sect1>Native FTP Relay |
187 | <p>Details at <url url="http://wiki.squid-cache.org/Features/FtpRelay">. | |
188 | ||
189 | <p>Squid is now capable of accepting native FTP commands and relaying native | |
190 | FTP messages between FTP clients and FTP servers. Native FTP commands | |
191 | accepted at ftp_port are internally converted or wrapped into HTTP-like | |
192 | messages. The same happens to Native FTP responses received from FTP origin | |
193 | servers. Those HTTP-like messages are shoveled through regular access | |
194 | control and adaptation layers between the FTP client and the FTP origin | |
195 | server. This allows Squid to examine, adapt, block, and log FTP exchanges. | |
196 | Squid reuses most HTTP mechanisms when shoveling wrapped FTP messages. For | |
197 | example, http_access and adaptation_access directives are used. | |
198 | ||
199 | <p>FTP Relay is a new, experimental, complex feature that has seen limited | |
200 | production exposure. Some Squid modules (e.g., caching) do not currently | |
201 | work with native FTP proxying, and many features have not even been tested | |
202 | for compatibility. Test well before deploying! | |
203 | ||
204 | <p>Native FTP proxying differs substantially from proxying HTTP requests with | |
205 | <em>ftp://</em> URIs because Squid works as an FTP server and receives | |
206 | actual FTP commands (rather than HTTP requests with FTP URLs). | |
207 | ||
208 | <p>FTP Relay highlights:</p> | |
209 | ||
210 | <itemize> | |
211 | <item>Added ftp_port directive telling Squid to relay native FTP commands. | |
212 | <item>Active and passive FTP support on the user-facing side; require | |
213 | passive connections to come from the control connection source IP | |
214 | address. | |
215 | <item>IPv6 support (EPSV and, on the user-facing side, EPRT). | |
216 | <item>Intelligent adaptation of relayed FTP FEAT responses. | |
217 | <item>Relaying of multi-line FTP control responses using various formats. | |
218 | <item>Support relaying of FTP MLSD and MLST commands (RFC 3659). | |
219 | <item>Several Microsoft FTP server compatibility features. | |
220 | <item>ICAP/eCAP support (at individual FTP command/response level). | |
221 | <item>Optional "current FTP directory" tracking with the assistance of | |
222 | injected (by Squid) PWD commands (cannot be 100% reliable due to | |
223 | symbolic links and such, but is helpful in some common use cases). | |
224 | <item>No caching support -- no reliable Request URIs for that (see above). | |
225 | </itemize> | |
226 | ||
a5b14a8c | 227 | <sect1>Receive PROXY protocol, Versions 1 & 2 |
00d0ce87 AJ |
228 | <p>More info at <url url="http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt"> |
229 | ||
230 | <p>PROXY protocol provides a simple way for proxies and tunnels of any kind to | |
231 | relay the original client source details without having to alter or understand | |
232 | the protocol being relayed on the connection. | |
233 | ||
a5b14a8c AJ |
234 | <p>Squid currently supports receiving HTTP traffic from a client proxy using this protocol. |
235 | An http_port which has been configured to receive this protocol may only be used to | |
8d757308 | 236 | receive traffic from client software sending in this protocol. |
70a16fea | 237 | HTTP traffic without the PROXY header is not accepted on such a port. |
00d0ce87 | 238 | |
a5b14a8c AJ |
239 | <p>The <em>accel</em> and <em>intercept</em> options are still used to identify the |
240 | traffic syntax being delivered by the client proxy. | |
241 | ||
9deb9a42 | 242 | <p>Squid can be configured by adding an <em>http_port</em> |
d3d92daa | 243 | with the <em>require-proxy-header</em> mode flag. The <em>proxy_protocol_access</em> |
00d0ce87 AJ |
244 | must also be configured with <em>src</em> ACLs to whitelist proxies which are |
245 | trusted to send correct client details. | |
246 | ||
a5b14a8c | 247 | <p>Forward-proxy traffic from a client proxy: |
00d0ce87 | 248 | <verbatim> |
6e96d415 | 249 | acl frontend src 192.0.2.1 |
d3d92daa | 250 | http_port 3128 require-proxy-header |
6e96d415 | 251 | proxy_protocol_access allow frontend |
00d0ce87 AJ |
252 | </verbatim> |
253 | ||
a5b14a8c AJ |
254 | <p>Intercepted traffic from a client proxy or tunnel: |
255 | <verbatim> | |
6e96d415 | 256 | acl frontend src 192.0.2.2 |
d3d92daa | 257 | http_port 3128 intercept require-proxy-header |
6e96d415 AJ |
258 | proxy_protocol_access allow frontend |
259 | </verbatim> | |
260 | ||
261 | <p>Reverse-proxy traffic from a frontend load balancer sending PROXY protocol: | |
262 | <verbatim> | |
263 | acl frontend src 192.0.2.3 | |
264 | http_port 3128 accel require-proxy-header | |
265 | proxy_protocol_access allow frontend | |
a5b14a8c AJ |
266 | </verbatim> |
267 | ||
268 | <p><em>Known Issue:</em> | |
6e96d415 | 269 | Use of <em>require-proxy-header</em> on <em>https_port</em> and <em>ftp_port</em> is not supported. |
9deb9a42 | 270 | |
b3cb9958 | 271 | |
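What a port marked require-proxy-header has to enforce, modelled as an added example in Python (not Squid's implementation): the connecting peer must pass the proxy_protocol_access trust check, a PROXY v1 or v2 header must be present, and only then is the relayed client address used. The trust list mirrors the forward-proxy configuration above; the client addresses, the function names and the choice to handle only TCP over IPv4/IPv6 in v2 are assumptions of this sketch.

```python
import ipaddress
import struct

# Constructed trust list, standing in for "acl frontend src 192.0.2.1"
# together with "proxy_protocol_access allow frontend".
TRUSTED_FRONTENDS = [ipaddress.ip_network("192.0.2.1/32")]

V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte PROXY v2 signature
V1_MAX_LEN = 107                           # longest valid v1 line, CRLF included


class ProxyHeaderError(Exception):
    """The connection must be closed: header missing, malformed or untrusted."""


def parse_v1(data):
    """Parse the text header 'PROXY TCP4|TCP6 src dst sport dport' + CRLF."""
    end = data.find(b"\r\n", 0, V1_MAX_LEN)
    if end < 0:
        raise ProxyHeaderError("v1 header not terminated within 107 bytes")
    try:
        fields = data[:end].decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ProxyHeaderError("v1 header is not ASCII")
    rest = data[end + 2:]
    if len(fields) >= 2 and fields[1] == "UNKNOWN":
        return None, rest  # sender relays no address: fall back to the TCP peer
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError("malformed v1 header")
    family = ipaddress.IPv4Address if fields[1] == "TCP4" else ipaddress.IPv6Address
    try:
        src = family(fields[2])
        family(fields[3])
    except ValueError:
        raise ProxyHeaderError("address does not match declared family")
    if not all(p.isdigit() and int(p) <= 65535 for p in fields[4:6]):
        raise ProxyHeaderError("bad port")
    return str(src), rest


def parse_v2(data):
    """Parse the binary header; only TCP over IPv4 or IPv6 is handled here."""
    if len(data) < 16:
        raise ProxyHeaderError("truncated v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if (ver_cmd >> 4) != 2 or (ver_cmd & 0x0F) not in (0, 1):
        raise ProxyHeaderError("bad v2 version or command")
    if len(data) < 16 + length:
        raise ProxyHeaderError("truncated v2 address block")
    body, rest = data[16:16 + length], data[16 + length:]
    if (ver_cmd & 0x0F) == 0:
        return None, rest  # LOCAL command: connection made by the frontend itself
    if fam_proto == 0x11 and length >= 12:
        return str(ipaddress.IPv4Address(body[:4])), rest
    if fam_proto == 0x21 and length >= 36:
        return str(ipaddress.IPv6Address(body[:16])), rest
    raise ProxyHeaderError("unsupported v2 address family")


def accept(peer_ip, data):
    """Return (effective_client_ip, payload) or raise ProxyHeaderError."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_FRONTENDS):
        raise ProxyHeaderError("peer is not allowed to send a PROXY header")
    if data.startswith(V2_SIGNATURE):
        client, rest = parse_v2(data)
    elif data.startswith(b"PROXY "):
        client, rest = parse_v1(data)
    else:
        raise ProxyHeaderError("no PROXY header on a require-proxy-header port")
    return (client or peer_ip), rest


def decide(peer_ip, data):
    """Log-friendly wrapper: 'client=<ip>' or 'rejected: <reason>'."""
    try:
        return "client=" + accept(peer_ip, data)[0]
    except ProxyHeaderError as err:
        return "rejected: %s" % err


# Constructed sample input (documentation address ranges only).
REQUEST = b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n"
SAMPLE_V1 = b"PROXY TCP4 203.0.113.7 192.0.2.10 51234 3128\r\n" + REQUEST
SAMPLE_V2 = (V2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", 12)
             + ipaddress.IPv4Address("203.0.113.8").packed
             + ipaddress.IPv4Address("192.0.2.10").packed
             + struct.pack("!HH", 51235, 3128) + REQUEST)

if __name__ == "__main__":
    for peer, data in [("192.0.2.1", SAMPLE_V1), ("192.0.2.1", SAMPLE_V2),
                       ("192.0.2.1", REQUEST), ("198.51.100.99", SAMPLE_V1)]:
        print(peer, "->", decide(peer, data))
```

The last sample shows why the src ACL matters: a header from an unlisted peer is refused before its claimed client address is ever read, so access controls and logs cannot be fed a spoofed source.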
f2c46e40 AJ |
272 | <sect>Changes to squid.conf since Squid-3.4 |
273 | <p> | |
274 | There have been changes to Squid's configuration file since Squid-3.4. | |
275 | ||
276 | <p>Squid supports reading configuration option parameters from external | |
277 | files using the syntax <em>parameters("/path/filename")</em>. For example: | |
278 | <verb> | |
279 | acl whitelist dstdomain parameters("/etc/squid/whitelist.txt") | |
280 | </verb> | |
281 | ||
e0dbeeb6 | 282 | <p>The squid.conf macro <em>${service_name}</em> is added to provide the service name |
ae06fcd7 AJ |
283 | of the process parsing the config. |
284 | ||
f2c46e40 AJ |
285 | <p>There have also been changes to individual directives in the config file. |
286 | ||
287 | This section gives a thorough account of those changes in three categories: | |
288 | ||
289 | <itemize> | |
290 | <item><ref id="newtags" name="New tags"> | |
291 | <item><ref id="modifiedtags" name="Changes to existing tags"> | |
292 | <item><ref id="removedtags" name="Removed tags"> | |
293 | </itemize> | |
294 | <p> | |
295 | ||
296 | <sect1>New tags<label id="newtags"> | |
297 | <p> | |
298 | <descrip> | |
0f5964c3 AJ |
299 | <tag>collapsed_forwarding</tag> |
300 | <p>Ported from Squid-2 with no configuration or visible behaviour changes. | |
301 | Collapsing of requests is performed across SMP workers. | |
302 | ||
e0dbeeb6 AJ |
303 | <tag>ftp_client_idle_timeout</tag> |
304 | <p>This new configuration directive controls how long Squid should | |
305 | wait for an FTP request on a connection to an ftp_port. Many FTP | |
306 | clients do not deal with idle connection closures well, | |
307 | necessitating a longer default timeout (30 minutes) than | |
308 | client_idle_pconn_timeout used for incoming HTTP requests (2 | |
309 | minutes). The current default may be changed as we get more | |
310 | experience with FTP relaying. | |
311 | ||
312 | <tag>ftp_client_idle_timeout</tag> | |
313 | <p>New directive controlling how long to wait for an FTP request on a | |
314 | client connection to Squid <em>ftp_port</em>. | |
315 | ||
316 | <tag>ftp_port</tag> | |
317 | <p>New configuration directive to accept and relay native FTP | |
318 | commands. Typically used for port 21 traffic. By default, native | |
319 | FTP commands are not accepted. | |
320 | ||
d3d92daa AJ |
321 | <tag>proxy_protocol_access</tag> |
322 | <p>New directive to control which clients are permitted to open PROXY | |
323 | protocol connections on a port flagged with <em>require-proxy-header</em>. | |
00d0ce87 | 324 | |
0f5964c3 AJ |
325 | <tag>send_hit</tag> |
326 | <p>New configuration directive to enable/disable sending cached content | |
327 | based on ACL selection. ACL can be based on client request or cached | |
328 | response details. | |
329 | ||
e0dbeeb6 AJ |
330 | <tag>sslproxy_cert_sign_hash</tag> |
331 | <p>New directive to set the hashing algorithm to use when signing generated certificates. | |
332 | ||
27dad1a3 AJ |
333 | <tag>sslproxy_session_cache_size</tag> |
334 | <p>New directive which sets the cache size to use for TLS/SSL sessions cache. | |
335 | ||
336 | <tag>sslproxy_session_ttl</tag> | |
337 | <p>New directive to specify the time in seconds the TLS/SSL session is valid. | |
338 | ||
339 | <tag>store_id_extras</tag> | |
340 | <p>New directive to send additional lookup parameters to the configured | |
341 | Store-ID helper program. It takes a string which may contain logformat %macros. | |
342 | <p>The Store-ID helper input format is now: | |
ae06fcd7 | 343 | <verb> |
27dad1a3 | 344 | [channel-ID] url [extras] |
ae06fcd7 | 345 | </verb> |
e0dbeeb6 | 346 | <p>The default value for extras is: "%>a/%>A %un %>rm myip=%la myport=%lp" |
27dad1a3 | 347 | |
0f5964c3 AJ |
348 | <tag>store_miss</tag> |
349 | <p>New configuration directive to enable/disable caching of MISS responses. | |
350 | ACL can be based on any request or response details. | |
f2c46e40 | 351 | |
27dad1a3 AJ |
352 | <tag>url_rewrite_extras</tag> |
353 | <p>New directive to send additional lookup parameters to the configured | |
354 | URL-rewriter/redirector helper program. It takes a string which may | |
355 | contain logformat %macros. | |
356 | <p>The url rewrite and redirector helper input format is now: | |
ae06fcd7 | 357 | <verb> |
27dad1a3 | 358 | [channel-ID] url [extras] |
ae06fcd7 | 359 | </verb> |
e0dbeeb6 | 360 | <p>The default value for extras is: "%>a/%>A %un %>rm myip=%la myport=%lp" |
b3cb9958 | 361 | |
f2c46e40 AJ |
362 | </descrip> |
363 | ||
364 | <sect1>Changes to existing tags<label id="modifiedtags"> | |
365 | <p> | |
366 | <descrip> | |
367 | <tag>acl</tag> | |
e0dbeeb6 AJ |
368 | <p>Deprecated type <em>tag</em>. Use type <em>note</em> with 'tag' key |
369 | name instead. | |
f2c46e40 AJ |
370 | <p>New type <em>adaptation_service</em> to match the name of any |
371 | icap_service, ecap_service, adaptation_service_set, or | |
372 | adaptation_service_chain that Squid has used (or attempted to use) | |
373 | for the HTTP transaction so far. | |
e0dbeeb6 AJ |
374 | <p>New type <em>at_step</em> to match the current SSL-Bump processing step. |
375 | Never matches and should not be used outside of <em>ssl_bump</em>. | |
f2c46e40 AJ |
376 | |
377 | <tag>auth_param</tag> | |
378 | <p>New parameter <em>key_extras</em> to send additional parameters to | |
379 | the authentication helper. | |
380 | ||
27dad1a3 AJ |
381 | <tag>cache_dir</tag> |
382 | <p>New support for larger than 32KB objects in both <em>rock</em> type | |
383 | cache and shared memory cache. | |
384 | <p>New <em>slot-size=N</em> option for rock cache to specify the database | |
385 | slot/page size when small slot sizes are desired. The default and | |
386 | maximum slot size is 32KB. | |
387 | <p>Removal of old rock cache dir followed by <em>squid -z</em> is required | |
388 | when upgrading from earlier versions of Squid. | |
e0dbeeb6 AJ |
389 | <p><em>COSS</em> storage type is formally replaced by Rock storage type. |
390 | COSS storage type and all COSS specific options are removed. | |
27dad1a3 AJ |
391 | |
392 | <tag>cache_peer</tag> | |
393 | <p>New <em>standby=N</em> option to retain a set of N open and unused | |
394 | connections to the peer at virtually all times to reduce TCP handshake | |
395 | delays. | |
396 | <p>These connections differ from HTTP persistent connections in that they | |
397 | have not been used for HTTP messaging (and may never be). They may be | |
398 | turned into persistent connections after their first use subject to the | |
399 | same keep-alive criteria any HTTP connection is checked for. | |
e0dbeeb6 AJ |
400 | <p>Squid-2 option <em>idle=</em> replaced by <em>standby=</em>. |
401 | <p>NOTE that standby connections are started earlier and available in | |
402 | more circumstances than squid-2 idle connections were. They are | |
403 | also spread over all IPs of the peer. | |
404 | ||
405 | <tag>external_acl_type</tag> | |
406 | <p>New format code <em>%ssl::>sni</em> to send SSL client SNI. | |
407 | <p>New format code <em>%ssl::<cert_subject</em> to send SSL server certificate DN. | |
408 | <p>New format code <em>%ssl::<cert_issuer</em> to send SSL server certificate issuer DN. | |
409 | <p>New response kv-pair <em>clt_conn_tag=</em> to associate a given tag with the client TCP connection. | |
27dad1a3 | 410 | |
f2c46e40 | 411 | <tag>forward_max_tries</tag> |
ae06fcd7 | 412 | <p>Default value increased to <em>25 destinations</em> to allow better |
f2c46e40 AJ |
413 | contact and IPv4 failover with domains using long lists of IPv6 |
414 | addresses. | |
415 | ||
27dad1a3 AJ |
416 | <tag>ftp_epsv</tag> |
417 | <p>Converted into an Access List with allow/deny value driven by ACLs | |
418 | using Squid standard first line wins matching basis. | |
419 | <p>The old values of <em>on</em> and <em>off</em> imply <em>allow all</em> | |
420 | and <em>deny all</em> respectively and are now deprecated. | |
421 | Do not combine use of on/off values with ACL configuration. | |
422 | ||
f2c46e40 AJ |
423 | <tag>http_port</tag> |
424 | <p><em>protocol=</em> option altered to accept protocol version details. | |
425 | Currently supported values are: HTTP, HTTP/1.1, HTTPS, HTTPS/1.1 | |
d3d92daa | 426 | <p>New option <em>require-proxy-header</em> to mark ports receiving PROXY |
a5b14a8c | 427 | protocol version 1 or 2 traffic. |
f2c46e40 | 428 | |
ae06fcd7 AJ |
429 | <tag>https_port</tag> |
430 | <p><em>protocol=</em> option altered to accept protocol version details. | |
431 | Currently supported values are: HTTP, HTTP/1.1, HTTPS, HTTPS/1.1 | |
432 | ||
f2c46e40 | 433 | <tag>logformat</tag> |
e0dbeeb6 AJ |
434 | <p>New format code <em>%credentials</em> to log the client credentials token. |
435 | <p>New format code <em>%ssl::>sni</em> to log the TLS client SNI sent to Squid. | |
f2c46e40 AJ |
436 | <p>New format code <em>%tS</em> to log transaction start time in |
437 | "seconds.milliseconds" format, similar to the existing access.log | |
438 | "current time" field (%ts.%03tu) which logs the corresponding | |
439 | transaction finish time. | |
e0dbeeb6 AJ |
440 | <p>New format codes <em>%<rs</em> and <em>%>rs</em> to log request URL |
441 | scheme from client or sent to server/peer respectively. | |
442 | <p>New format codes <em>%<rd</em> and <em>%>rd</em> to log request URL | |
443 | domain from client or sent to server/peer respectively. | |
444 | <p>New format codes <em>%<rP</em> and <em>%>rP</em> to log request URL | |
445 | port from client or sent to server/peer respectively. | |
446 | ||
447 | <tag>ssl_bump</tag> | |
448 | <p>Bumping 'modes' redesigned as 'actions' and ACLs evaluated repeatedly in a number of steps. | |
449 | <p>Renamed <em>server-first</em> as <em>bump</em> action. | |
450 | <p>Renamed <em>none</em> as <em>splice</em> action. | |
451 | <p>New actions <em>peek</em> and <em>stare</em> to receive client or server | |
452 | certificate while preserving the ability to later decide between bumping | |
453 | or splicing the connections. | |
454 | <p>New action <em>terminate</em> to close the client and server connections. | |
455 | ||
456 | <tag>url_rewrite_program</tag> | |
457 | <p>New response kv-pair <em>clt_conn_tag=</em> to associate a given tag with the client TCP connection. | |
f2c46e40 AJ |
458 | |
459 | </descrip> | |
460 | ||
461 | <sect1>Removed tags<label id="removedtags"> | |
462 | <p> | |
463 | <descrip> | |
f2c46e40 AJ |
464 | <tag>cache_dns_program</tag> |
465 | <p>DNS external helper interface has been removed. It was no longer | |
466 | able to provide high performance service and the internal DNS | |
467 | client library with multicast DNS covers all modern use-cases. | |
468 | ||
469 | <tag>dns_children</tag> | |
470 | <p>DNS external helper interface has been removed. | |
471 | ||
6884ec40 AJ |
472 | <tag>hierarchy_stoplist</tag> |
473 | <p>Removed. The old directive values prohibiting CGI and dynamic content | |
474 | going to cache_peer are no longer relevant. | |
475 | <p>The functionality provided by this directive can be configured | |
476 | using <em>always_direct allow</em> if still needed. | |
477 | ||
f2c46e40 AJ |
478 | </descrip> |
479 | ||
480 | ||
481 | <sect>Changes to ./configure options since Squid-3.4 | |
482 | <p> | |
483 | There have been some changes to Squid's build configuration since Squid-3.4. | |
484 | ||
485 | This section gives an account of those changes in three categories: | |
486 | ||
487 | <itemize> | |
488 | <item><ref id="newoptions" name="New options"> | |
489 | <item><ref id="modifiedoptions" name="Changes to existing options"> | |
490 | <item><ref id="removedoptions" name="Removed options"> | |
491 | </itemize> | |
492 | ||
493 | ||
494 | <sect1>New options<label id="newoptions"> | |
495 | <p> | |
496 | <descrip> | |
b2f0a375 AJ |
497 | <tag>BUILDCXX=</tag> |
498 | <p>Used when cross-compiling Squid. | |
499 | <p>The path and name of a compiler for building cf_gen and related | |
500 | tools used in the compile process. | |
501 | ||
502 | <tag>BUILDCXXFLAGS=</tag> | |
503 | <p>Used when cross-compiling Squid. | |
504 | <p>C++ compiler flags used for building cf_gen and related | |
505 | tools used in the compile process. | |
506 | ||
27dad1a3 AJ |
507 | <tag>--without-gnutls</tag> |
508 | <p>New option to explicitly disable use of GnuTLS encryption library. | |
509 | Use of this library is auto-enabled if v3.1.5 or later is available. | |
510 | <p>It is currently only used by the squidclient tool. | |
511 | ||
a5c79bf3 AJ |
512 | <tag>--without-mit-krb5</tag> |
513 | <p>New option to explicitly disable use of MIT Kerberos library. | |
514 | Default is to auto-detect and use if possible. | |
515 | <p>Only one Kerberos library may be built against. | |
516 | ||
517 | <tag>--without-heimdal-krb5</tag> | |
518 | <p>New option to explicitly disable use of Heimdal Kerberos library. | |
519 | Default is to auto-detect and use if possible. | |
520 | <p>Only one Kerberos library may be built against. | |
521 | ||
522 | <tag>--without-gnugss</tag> | |
523 | <p>New option to explicitly disable use of GNU GSSAPI library for Kerberos. | |
524 | Default is to auto-detect and use if possible. | |
525 | <p>Only one Kerberos library may be built against. | |
526 | ||
f2c46e40 AJ |
527 | </descrip> |
528 | ||
529 | <sect1>Changes to existing options<label id="modifiedoptions"> | |
530 | <p> | |
531 | <descrip> | |
4f07726a AJ |
532 | <tag>--enable-icap-client</tag> |
533 | <p>Deprecated. ICAP client is now auto-enabled. | |
534 | Use --disable-icap-client to disable if you need to. | |
f2c46e40 AJ |
535 | |
536 | </descrip> | |
537 | </p> | |
538 | ||
539 | <sect1>Removed options<label id="removedoptions"> | |
540 | <p> | |
541 | <descrip> | |
f2c46e40 AJ |
542 | <tag>--disable-internal-dns</tag> |
543 | <p>DNS external helper interface has been removed. It was no longer | |
544 | able to provide high performance service and the internal DNS | |
545 | client library with multicast DNS covers all modern use-cases. | |
546 | ||
c41db002 AJ |
547 | <tag>--enable-ssl</tag> |
548 | <p>Removed. Use <em>--with-openssl</em> to enable OpenSSL library support. | |
549 | ||
ae06fcd7 AJ |
550 | <tag>--with-coss-membuf-size</tag> |
551 | <p>The COSS cache type has been removed. | |
552 | It has been replaced by <em>rock</em> cache type. | |
553 | ||
a5c79bf3 AJ |
554 | <tag>--with-krb5-config</tag> |
555 | <p>Removed. The Kerberos library is auto-detected now. | |
556 | <p>Use <em>--with/--without-mit-krb5</em>, <em>--with/--without-heimdal-krb5</em>, or | |
557 | <em>--with/--without-gnugss</em> options for specific library selection if necessary. | |
558 | ||
f2c46e40 AJ |
559 | </descrip> |
560 | ||
561 | ||
562 | <sect>Regressions since Squid-2.7 | |
563 | ||
564 | <p>Some squid.conf options which were available in Squid-2.7 are not yet available in Squid-3.5. | |
565 | ||
566 | <p>If you need something to do then porting one of these from Squid-2 to Squid-3 is most welcome. | |
567 | ||
568 | <sect1>Missing squid.conf options available in Squid-2.7 | |
569 | <p> | |
570 | <descrip> | |
571 | <tag>broken_vary_encoding</tag> | |
572 | <p>Not yet ported from 2.6 | |
573 | ||
574 | <tag>cache_peer</tag> | |
f2c46e40 AJ |
575 | <p><em>monitorinterval=</em> not yet ported from 2.6 |
576 | <p><em>monitorsize=</em> not yet ported from 2.6 | |
577 | <p><em>monitortimeout=</em> not yet ported from 2.6 | |
578 | <p><em>monitorurl=</em> not yet ported from 2.6 | |
579 | ||
580 | <tag>cache_vary</tag> | |
581 | <p>Not yet ported from 2.6 | |
582 | ||
f2c46e40 AJ |
583 | <tag>error_map</tag> |
584 | <p>Not yet ported from 2.6 | |
585 | ||
586 | <tag>external_refresh_check</tag> | |
587 | <p>Not yet ported from 2.7 | |
588 | ||
589 | <tag>location_rewrite_access</tag> | |
590 | <p>Not yet ported from 2.6 | |
591 | ||
592 | <tag>location_rewrite_children</tag> | |
593 | <p>Not yet ported from 2.6 | |
594 | ||
595 | <tag>location_rewrite_concurrency</tag> | |
596 | <p>Not yet ported from 2.6 | |
597 | ||
598 | <tag>location_rewrite_program</tag> | |
599 | <p>Not yet ported from 2.6 | |
600 | ||
601 | <tag>refresh_pattern</tag> | |
602 | <p><em>stale-while-revalidate=</em> not yet ported from 2.7 | |
603 | <p><em>ignore-stale-while-revalidate=</em> not yet ported from 2.7 | |
604 | <p><em>negative-ttl=</em> not yet ported from 2.7 | |
605 | ||
606 | <tag>refresh_stale_hit</tag> | |
607 | <p>Not yet ported from 2.7 | |
608 | ||
609 | <tag>update_headers</tag> | |
610 | <p>Not yet ported from 2.7 | |
611 | ||
612 | </descrip> | |
613 | ||
614 | </article> |