<!doctype linuxdoc system>
<article>
<title>Squid 3.5.23 release notes</title>
<author>Squid Developers</author>

<abstract>
This document contains the release notes for version 3.5 of Squid.
Squid is a WWW Cache application developed by the National Laboratory
for Applied Network Research and members of the Web Caching community.
</abstract>

<toc>

<sect>Notice
<p>
The Squid Team are pleased to announce the release of Squid-3.5.23.

This new release is available for download from <url url="http://www.squid-cache.org/Versions/v3/3.5/"> or the
<url url="http://www.squid-cache.org/Download/http-mirrors.html" name="mirrors">.

<p>Some interesting new features adding system flexibility have been added along with general improvements all around.
While this release is not fully bug-free we believe it is ready for use in production on many systems.

<p>We welcome feedback and bug reports. If you find a bug, please see <url url="http://wiki.squid-cache.org/SquidFaq/BugReporting">
for how to submit a report with a stack trace.

<sect1>Known issues
<p>
Although this release is deemed good enough for use in many setups, please note the existence of
<url url="http://bugs.squid-cache.org/buglist.cgi?query_format=advanced&product=Squid&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&version=3.5" name="open bugs against Squid-3.5">.

<sect1>Changes since earlier releases of Squid-3.5
<p>
The 3.5 change history can be <url url="http://www.squid-cache.org/Versions/v3/3.5/changesets/" name="viewed here">.

<sect1>Copyright disclaimer adjustments
<p>Squid sources are now administered by the Squid Software Foundation on
behalf of the Squid Project and community.

<p>This version of Squid contains initial changes to streamline copyright
declarations in Squid sources and related metafiles. No functionality
or licensing changes are intended.

<p>Once completed, the changes will consistently declare Squid contributors
(listed in CONTRIBUTORS and represented by the Squid Software Foundation) as
Squid copyright owners while referring the reader to the COPYING file for GPL
licensing details. The boilerplate with the above information is provided.

<p>These changes do not affect copyright rights of individuals or organizations.
We are simply confirming the fact that there are many Squid copyright owners,
just like there are many Linux kernel copyright owners. We are also providing
a simple, consistent way to document that fact.


<sect>Major new features since Squid-3.4
<p>Squid 3.5 represents a new feature release above 3.4.

<p>The most important of these new features are:
<itemize>
<item>Support libecap v1.0
<item>Authentication helper query extensions
<item>Support named services
<item>Upgraded squidclient tool
<item>Helper support for concurrency channels
<item>Native FTP Relay
<item>Receive PROXY protocol, Versions 1 & 2
<item>Basic authentication MSNT helper changes
<item>Elliptic Curve Diffie-Hellman (ECDH) (since 3.5.13)
</itemize>

Most user-facing changes are reflected in squid.conf (see below).


<sect1>Support libecap v1.0
<p>Details at <url url="http://wiki.squid-cache.org/Features/eCAP">.

<p>The new libecap version allows Squid to better check the version of
the eCAP adapter being loaded as well as the version of the eCAP library
being used.

<p>Squid-3.5 can support eCAP adapters built with libecap v1.0,
but no longer supports adapters built with earlier libecap versions
due to API changes.


<sect1>Authentication helper query extensions
<p>Details at <url url="http://www.squid-cache.org/Doc/config/auth_param/">.

<p>The new <em>key_extras</em> parameter allows sending of additional
details to the authentication helper beyond the minimum required for
the HTTP authentication. This is primarily intended to allow switching
of authentication databases based on criteria such as client IP subnet,
Squid receiving port, or in reverse-proxy the requested domain name.

<p>In theory any <em>logformat</em> code may be used; however, only the
codes whose details are available at the time of authentication
will send any meaningful detail.


<sect1>Support named services
<p>Details at <url url="http://wiki.squid-cache.org/MultipleInstances">.
<p>Terminology details at <url url="http://wiki.squid-cache.org/Features/SmpScale#Terminology">.

<p>The command line option <em>-n</em> assigns a name to the Squid service
instance to be used as a unique identifier for all SMP processes run as
part of that instance. This allows multiple instances of Squid service to
be run on a single machine without background SMP systems such as shared
memory and inter-process communication becoming confused or requiring
additional configuration.

<p>A service name is always used. When the <em>-n</em> option is missing
from the command line the default service name is <em>squid</em>.

<p>When multiple instances are being run the <em>-n</em> service name is
required to target all other options such as <em>-z</em> or <em>-k</em>
commands at the correct service.

<p>The squid.conf macro ${service_name} is added to provide the service name
of the process parsing the config.


<sect1>Upgraded squidclient tool
<p>Details at <url url="http://www.squid-cache.org/Versions/v3/3.5/manuals/squidclient.html">.

<p>The <em>squidclient</em> has begun the process of upgrading to support
protocols other than HTTP.

<sect2>Debug levels
<p>The tool displays the server response message on STDOUT unless the <em>-q</em>
command line option is used. Error messages will be output to STDERR.
All other possible output is considered debug and output to STDERR using
a range of debug verbosity levels (currently 1, 2 and 3).

<p>When the <em>-v</em> command line option is used debugging is enabled.
The level of debug display is raised for each repetition of the option.

<sect2>PING
<p>When <em>--ping</em> is given the tool will send its message repeatedly
using whichever protocol that message has been formatted for.
Optional parameters to limit the number of pings and their frequency are
available.

<p>Older tool versions also provide this feature but require the loop count
parameter to be set to enable use of the feature.

<sect2>HTTPS
<p>When Squid is built with the GnuTLS encryption library the tool is able
to open TLS (or SSL/3.0) connections to servers.

<p>The <em>--https</em> option enables TLS using default values.

<p>The <em>--cert</em> option specifies a file containing X.509 client
certificate and private key in PEM format to be loaded for use. Multiple
certificates are supported and the option may be used multiple times to
load certificates.
The default is not to use a client certificate.

<p>The <em>--params</em> option specifies a library specific set of parameters
to be sent to the library for configuring the security context.
See <url url="http://gnutls.org/manual/html_node/Priority-Strings.html"> for
available GnuTLS parameters.

<p>The <em>--trusted-ca</em> option specifies a file in PEM format containing
one or more Certificate Authority (CA) certificates used to verify the
remote server. This option may be used multiple times to load additional
CA certificate lists.
The default is not to use any CA, nor trust any server.

<p>Anonymous TLS (using non-authenticated Diffie-Hellman or Elliptic Curve
key exchange) is available with the <em>--anonymous-tls</em> option.
The default is to use X.509 certificates instead.

<p>When performing TLS/SSL, server certificates are always verified and the
results are shown at debug level 3. The encryption type is displayed at debug
level 2, and the connection is used to send and receive the messages
regardless of verification results.


<sect1>Helper support for concurrency channels
<p>Helper concurrency greatly reduces the communication lag between Squid
and its helpers allowing faster transaction speeds even on sequential
helpers.

<p>The Digest authentication, Store-ID, and URL-rewrite helpers packaged
with Squid have been updated to support concurrency channels. They will
auto-detect the <em>channel-ID</em> field and will produce the appropriate
response format.
With these helpers concurrency may now be set to 0 or any higher number as desired.


<sect1>Native FTP Relay
<p>Details at <url url="http://wiki.squid-cache.org/Features/FtpRelay">.

<p>Squid is now capable of accepting native FTP commands and relaying native
FTP messages between FTP clients and FTP servers. Native FTP commands
accepted at ftp_port are internally converted or wrapped into HTTP-like
messages. The same happens to Native FTP responses received from FTP origin
servers. Those HTTP-like messages are shoveled through regular access
control and adaptation layers between the FTP client and the FTP origin
server. This allows Squid to examine, adapt, block, and log FTP exchanges.
Squid reuses most HTTP mechanisms when shoveling wrapped FTP messages. For
example, http_access and adaptation_access directives are used.

<p>FTP Relay is a new, experimental, complex feature that has seen limited
production exposure. Some Squid modules (e.g., caching) do not currently
work with native FTP proxying, and many features have not even been tested
for compatibility. Test well before deploying!

<p>Native FTP proxying differs substantially from proxying HTTP requests with
<em>ftp://</em> URIs because Squid works as an FTP server and receives
actual FTP commands (rather than HTTP requests with FTP URLs).

<p>FTP Relay highlights:
<itemize>
<item>Added ftp_port directive telling Squid to relay native FTP commands.
<item>Active and passive FTP support on the user-facing side; require
passive connections to come from the control connection source IP
address.
<item>IPv6 support (EPSV and, on the user-facing side, EPRT).
<item>Intelligent adaptation of relayed FTP FEAT responses.
<item>Relaying of multi-line FTP control responses using various formats.
<item>Support relaying of FTP MLSD and MLST commands (RFC 3659).
<item>Several Microsoft FTP server compatibility features.
<item>ICAP/eCAP support (at individual FTP command/response level).
<item>Optional "current FTP directory" tracking with the assistance of
injected (by Squid) PWD commands (cannot be 100% reliable due to
symbolic links and such, but is helpful in some common use cases).
<item>No caching support -- no reliable Request URIs for that (see above).
</itemize>

<sect1>Receive PROXY protocol, Versions 1 & 2
<p>More info at <url url="http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt">.

<p>PROXY protocol provides a simple way for proxies and tunnels of any kind to
relay the original client source details without having to alter or understand
the protocol being relayed on the connection.

<p>Squid currently supports receiving HTTP traffic from a client proxy using this protocol.
An <em>http_port</em> which has been configured to receive this protocol may only be used
to receive traffic from client software sending in this protocol.
HTTP traffic without the PROXY header is not accepted on such a port.

<p>The <em>accel</em> and <em>intercept</em> options are still used to identify the HTTP
traffic syntax being delivered by the client proxy.

<p>Squid can be configured by adding an <em>http_port</em>
with the <em>require-proxy-header</em> mode flag. The <em>proxy_protocol_access</em>
must also be configured with <em>src</em> ACLs to whitelist proxies which are
trusted to send correct client details.

<p>Forward-proxy traffic from a client proxy:
<verb>
acl frontend src 192.0.2.1
http_port 3128 require-proxy-header
proxy_protocol_access allow frontend
</verb>

<p>Intercepted traffic from a client proxy or tunnel:
<verb>
acl frontend src 192.0.2.2
http_port 3128 intercept require-proxy-header
proxy_protocol_access allow frontend
</verb>

<p>Reverse-proxy traffic from a frontend load balancer sending PROXY protocol:
<verb>
acl frontend src 192.0.2.3
http_port 3128 accel require-proxy-header
proxy_protocol_access allow frontend
</verb>

<p><em>Known Issue:</em>
Use of <em>require-proxy-header</em> on <em>https_port</em> and <em>ftp_port</em> is not supported.


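<p>As an added illustration (not code from the Squid project), the following Python module parses a PROXY protocol v1 or v2 header as the front ends in the examples above would send it, and applies the same gate that <em>require-proxy-header</em> together with <em>proxy_protocol_access</em> enforce: the header is honoured only when the TCP peer is in a trusted source list, and a connection on such a port that does not begin with a PROXY header is rejected. The wire formats follow the HAProxy specification linked above; the sample headers, the trusted network 192.0.2.0/24 and all function names are constructed for this example.

```python
"""PROXY protocol (v1 text, v2 binary) receiver-side parsing with a
trusted-source gate, modelled on Squid's require-proxy-header port flag
and proxy_protocol_access ACL. Added example: all names and samples are
constructed for illustration and are not Squid code."""
import ipaddress
import socket
import struct
from dataclasses import dataclass
from typing import Iterable, Optional

V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # 12-byte v2 magic
V1_MAX_LEN = 107                           # longest legal v1 line incl. CRLF


class ProxyHeaderError(ValueError):
    """Raised when the bytes are not a well-formed, supported PROXY header."""


@dataclass
class ProxyHeader:
    version: int
    src_ip: Optional[str]      # None for a v2 LOCAL (health-check) header
    dst_ip: Optional[str]
    src_port: Optional[int]
    dst_port: Optional[int]
    consumed: int              # header bytes to strip before the HTTP data


def parse_v1(data: bytes) -> ProxyHeader:
    """'PROXY TCP4|TCP6 src dst sport dport\\r\\n'; 'UNKNOWN' is rejected."""
    end = data[:V1_MAX_LEN].find(b"\r\n")
    if end < 0:
        raise ProxyHeaderError("v1 header missing CRLF within 107 bytes")
    try:
        fields = data[:end].decode("ascii").split(" ")
    except UnicodeDecodeError as exc:
        raise ProxyHeaderError("non-ASCII byte in v1 header") from exc
    if len(fields) != 6 or fields[0] != "PROXY" or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError("unsupported or malformed v1 header")
    family = socket.AF_INET if fields[1] == "TCP4" else socket.AF_INET6
    try:
        socket.inet_pton(family, fields[2])   # validates textual address syntax
        socket.inet_pton(family, fields[3])
        sport, dport = int(fields[4]), int(fields[5])
    except (OSError, ValueError) as exc:
        raise ProxyHeaderError("bad address or port in v1 header") from exc
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ProxyHeaderError("port out of range")
    return ProxyHeader(1, fields[2], fields[3], sport, dport, end + 2)


def parse_v2(data: bytes) -> ProxyHeader:
    """Binary v2: signature, ver/cmd byte, family/proto byte, BE length, addresses."""
    if len(data) < 16:
        raise ProxyHeaderError("v2 header truncated")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ProxyHeaderError("not a v2 header")
    if len(data) < 16 + length:
        raise ProxyHeaderError("v2 address block truncated")
    cmd = ver_cmd & 0x0F
    if cmd == 0x0:                 # LOCAL: no client info, use the socket's own peer
        return ProxyHeader(2, None, None, None, None, 16 + length)
    if cmd != 0x1:
        raise ProxyHeaderError("unknown v2 command")
    if fam_proto == 0x11 and length >= 12:       # TCP over IPv4
        src, dst, sport, dport = struct.unpack("!4s4sHH", data[16:28])
        family = socket.AF_INET
    elif fam_proto == 0x21 and length >= 36:     # TCP over IPv6
        src, dst, sport, dport = struct.unpack("!16s16sHH", data[16:52])
        family = socket.AF_INET6
    else:
        raise ProxyHeaderError("unsupported v2 address family/protocol")
    return ProxyHeader(2, socket.inet_ntop(family, src), socket.inet_ntop(family, dst),
                       sport, dport, 16 + length)


def parse_proxy_header(data: bytes) -> ProxyHeader:
    """Dispatch on the leading bytes; anything else is not PROXY protocol."""
    if data.startswith(V2_SIGNATURE):
        return parse_v2(data)
    if data.startswith(b"PROXY "):
        return parse_v1(data)
    raise ProxyHeaderError("connection did not start with a PROXY header")


def accept_on_proxy_port(peer_ip: str, data: bytes, trusted_src: Iterable[str]) -> ProxyHeader:
    """Equivalent of 'http_port ... require-proxy-header' plus
    'proxy_protocol_access allow frontend': only a listed front end may
    assert client addresses, and the header itself is mandatory."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(net) for net in trusted_src):
        raise PermissionError(f"PROXY header refused from untrusted peer {peer_ip}")
    return parse_proxy_header(data)


# Constructed samples: a v1 line and the equivalent v2 block, each followed by HTTP.
SAMPLE_V1 = b"PROXY TCP4 203.0.113.7 192.0.2.10 51234 3128\r\nGET / HTTP/1.1\r\n"
SAMPLE_V2 = (V2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", 12)
             + socket.inet_pton(socket.AF_INET, "203.0.113.7")
             + socket.inet_pton(socket.AF_INET, "192.0.2.10")
             + struct.pack("!HH", 51234, 3128) + b"GET / HTTP/1.1\r\n")
TRUSTED_FRONTENDS = ["192.0.2.0/24"]   # constructed 'acl frontend src' list


if __name__ == "__main__":
    for sample in (SAMPLE_V1, SAMPLE_V2):
        hdr = accept_on_proxy_port("192.0.2.1", sample, TRUSTED_FRONTENDS)
        print(hdr, "then HTTP:", sample[hdr.consumed:])
```

The trust check runs before any parsing, which is the order that matters: a PROXY header is an unauthenticated claim about the client address, so the only thing that makes it believable is that the TCP peer is a front end you control.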
<sect1>Basic authentication MSNT helper changes

<p>The authentication helper previously known as <em>basic_msnt_auth</em> has
been deprecated and renamed to <em>basic_smb_lm_auth</em> to reflect that
it only performs SMB LanMan protocol(s) instead of modern MS authentication
protocols.

<p>The <em>basic_smb_lm_auth</em> helper has been remodelled and no longer uses
configuration files. The Domain Controller servers are now configured via
command line parameters and user credentials are looked up in each DC in the
order configured until one matches or all have confirmed a non-match.

<p>The <em>MSNT-multi-domain</em> helper provides the same functionality and
is also deprecated. It will be removed in the Squid-3.6 series.


<sect1>Elliptic Curve Diffie-Hellman (ECDH)
<p>All listening ports which supported Diffie-Hellman key exchange are now updated
to support Elliptic Curve configuration, which allows for forward secrecy with
better performance than traditional ephemeral Diffie-Hellman.

<p>The http(s)_port <em>dhparams=</em> option is replaced with <em>tls-dh=</em>, which
takes an optional curve name as well as a filename for curve parameters. The new
option configured without a curve name uses the traditional ephemeral DH.

<p>A new <em>options=SINGLE_ECDH_USE</em> parameter is added to enable ephemeral
key exchanges for Elliptic Curve DH.



<sect>Changes to squid.conf since Squid-3.4
<p>
There have been changes to Squid's configuration file since Squid-3.4.

<p>Squid supports reading configuration option parameters from external
files using the syntax <em>parameters("/path/filename")</em>. For example:
<verb>
acl whitelist dstdomain parameters("/etc/squid/whitelist.txt")
</verb>

<p>The squid.conf macro <em>${service_name}</em> is added to provide the service name
of the process parsing the config.

<p>There have also been changes to individual directives in the config file.

This section gives a thorough account of those changes in three categories:

<itemize>
<item><ref id="newtags" name="New tags">
<item><ref id="modifiedtags" name="Changes to existing tags">
<item><ref id="removedtags" name="Removed tags">
</itemize>
<p>

<sect1>New tags<label id="newtags">
<p>
<descrip>
<tag>collapsed_forwarding</tag>
<p>Ported from Squid-2 with no configuration or visible behaviour changes.
Collapsing of requests is performed across SMP workers.

<tag>ftp_client_idle_timeout</tag>
<p>New directive controlling how long to wait for an FTP request on a
client connection to Squid <em>ftp_port</em>.
<p>Many FTP clients do not deal with idle connection closures well,
necessitating a longer default timeout (30 minutes) than
<em>client_idle_pconn_timeout</em> used for incoming HTTP requests (2
minutes).
<p>The current default may be changed as we get more experience with FTP relaying.

<tag>ftp_port</tag>
<p>New configuration directive to accept and relay native FTP
commands. Typically used for port 21 traffic. By default, native
FTP commands are not accepted.

<tag>proxy_protocol_access</tag>
<p>New directive to control which clients are permitted to open PROXY
protocol connections on a port flagged with <em>require-proxy-header</em>.

<tag>send_hit</tag>
<p>New configuration directive to enable/disable sending cached content
based on ACL selection. ACL can be based on client request or cached
response details.

<tag>sslproxy_cert_sign_hash</tag>
<p>New directive to set the hashing algorithm to use when signing generated certificates.

<tag>sslproxy_foreign_intermediate_certs</tag>
<p>New directive to load intermediate TLS certificates for filling incomplete
server certificate chains. This directive is only available in 3.5.13 and later.

<tag>sslproxy_session_cache_size</tag>
<p>New directive which sets the cache size to use for TLS/SSL sessions cache.

<tag>sslproxy_session_ttl</tag>
<p>New directive to specify the time in seconds the TLS/SSL session is valid.

<tag>store_id_extras</tag>
<p>New directive to send additional lookup parameters to the configured
Store-ID helper program. It takes a string which may contain logformat %macros.
<p>The Store-ID helper input format is now:
<verb>
[channel-ID] url [extras]
</verb>
<p>The default value for extras is: "%>a/%>A %un %>rm myip=%la myport=%lp"

<tag>store_miss</tag>
<p>New configuration directive to enable/disable caching of MISS responses.
ACL can be based on any request or response details.

<tag>url_rewrite_extras</tag>
<p>New directive to send additional lookup parameters to the configured
URL-rewriter/redirector helper program. It takes a string which may
contain logformat %macros.
<p>The url rewrite and redirector helper input format is now:
<verb>
[channel-ID] url [extras]
</verb>
<p>The default value for extras is: "%>a/%>A %un %>rm myip=%la myport=%lp"

</descrip>
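<p>The following Python program is an added example, not one of the helpers shipped with Squid. It is a minimal Store-ID helper that reads the <em>[channel-ID] url [extras]</em> input format given above for <em>store_id_extras</em> and <em>url_rewrite_extras</em>, auto-detects the optional channel-ID in the way the "Helper support for concurrency channels" section says the bundled helpers do, and decodes the default extras string (client address, user name, request method, myip= and myport=) so that only GET and HEAD requests are mapped to a shared store key. The reply layout (<em>OK store-id=</em>, <em>ERR</em>, <em>BH</em>) is the Store-ID helper reply protocol of Squid 3.4 and later; the mirror host names and the canonical store host are constructed sample data.

```python
"""Minimal concurrent Store-ID helper for Squid 3.5 (added example, not a
helper shipped with Squid). Reads '[channel-ID] url [extras]' lines on stdin
and answers '[channel-ID] OK store-id=<id>' or '[channel-ID] ERR'.
Mirror host names and the canonical store host are constructed samples."""
import re
import sys
from typing import Dict, List, Optional, Tuple

CHANNEL_RE = re.compile(r"[0-9]+")
# Constructed: treat cdn1.example.com, cdn2.example.com, ... as one content pool.
MIRROR_RE = re.compile(r"^(https?://)cdn[0-9]+\.example\.com(/|$)", re.IGNORECASE)
STORE_HOST = "cdn.example.com.squid.internal"   # constructed canonical host


def parse_extras(tokens: List[str]) -> Dict[str, str]:
    """Decode the default extras layout '%>a/%>A %un %>rm myip=%la myport=%lp':
    three positional fields (client ip/fqdn, user, method) followed by
    key=value pairs."""
    out: Dict[str, str] = {}
    if len(tokens) >= 3:
        client, out["user"], out["method"] = tokens[0], tokens[1], tokens[2]
        out["client_ip"], _, out["client_fqdn"] = client.partition("/")
        tokens = tokens[3:]
    for tok in tokens:
        key, sep, value = tok.partition("=")
        if sep:
            out[key] = value
    return out


def parse_request(line: str) -> Tuple[Optional[int], str, Dict[str, str]]:
    """Split one helper request. With concurrency > 0 Squid prefixes an
    integer channel-ID; it is auto-detected as a digits-only first token
    that is followed by a URL token."""
    tokens = line.split()
    if not tokens:
        raise ValueError("empty request line")
    channel = None
    if len(tokens) >= 2 and CHANNEL_RE.fullmatch(tokens[0]):
        channel = int(tokens[0])
        tokens = tokens[1:]
    return channel, tokens[0], parse_extras(tokens[1:])


def store_id_for(url: str, extras: Dict[str, str]) -> Optional[str]:
    """Collapse mirror URLs onto one store key, but only for safe methods:
    the %>rm extra lets the helper refuse to merge POST/PUT lookups."""
    if extras.get("method") not in ("GET", "HEAD"):
        return None
    canonical = MIRROR_RE.sub(lambda m: m.group(1) + STORE_HOST + m.group(2), url, count=1)
    return canonical if canonical != url else None


def handle_line(line: str) -> str:
    """Produce the reply line for one request line, echoing the channel-ID."""
    try:
        channel, url, extras = parse_request(line)
    except ValueError:
        return "BH message=malformed_request"   # helper-side failure, no channel known
    prefix = f"{channel} " if channel is not None else ""
    store_id = store_id_for(url, extras)
    return prefix + (f"OK store-id={store_id}" if store_id else "ERR")


def main() -> None:
    # Helpers must answer line by line and never leave a reply buffered.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Because the channel-ID is echoed back on every reply, including the <em>ERR</em> and <em>BH</em> cases, the same program works whether <em>store_id_children</em> is configured with concurrency 0 or with any higher value.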

<sect1>Changes to existing tags<label id="modifiedtags">
<p>
<descrip>
<tag>acl</tag>
<p>Deprecated type <em>tag</em>. Use type <em>note</em> with 'tag' key
name instead.
<p>New type <em>adaptation_service</em> to match the name of any
icap_service, ecap_service, adaptation_service_set, or
adaptation_service_chain that Squid has used (or attempted to use)
for the HTTP transaction so far.
<p>New type <em>at_step</em> to match the current SSL-Bump processing step.
Never matches and should not be used outside of <em>ssl_bump</em>.
<p>New types <em>ssl::server_name</em> and <em>ssl::server_name_regex</em>
to match server name from various sources (CONNECT authority name,
TLS SNI domain, or X.509 certificate Subject Name).
<p>Extended <em>user_cert</em> and <em>ca_cert</em> types to accept
numeric OID for certificate attributes.

<tag>auth_param</tag>
<p>New parameter <em>key_extras</em> to send additional parameters to
the authentication helper.

<tag>cache_dir</tag>
<p>New support for larger than 32KB objects in both <em>rock</em> type
cache and shared memory cache.
<p>New <em>slot-size=N</em> option for rock cache to specify the database
slot/page size when small slot sizes are desired. The default and
maximum slot size is 32KB.
<p>Removal of old rock cache dir followed by <em>squid -z</em> is required
when upgrading from earlier versions of Squid.
<p><em>COSS</em> storage type is formally replaced by Rock storage type.
COSS storage type and all COSS specific options are removed.

<tag>cache_peer</tag>
<p>New <em>standby=N</em> option to retain a set of N open and unused
connections to the peer at virtually all times to reduce TCP handshake
delays.
<p>These connections differ from HTTP persistent connections in that they
have not been used for HTTP messaging (and may never be). They may be
turned into persistent connections after their first use subject to the
same keep-alive criteria any HTTP connection is checked for.
<p>Squid-2 option <em>idle=</em> replaced by <em>standby=</em>.
<p>NOTE that standby connections are started earlier and available in
more circumstances than squid-2 idle connections were. They are
also spread over all IPs of the peer.

<tag>configuration_includes_quoted_values</tag>
<p>Regex pattern values cannot be parsed in parts of squid.conf when this
directive is configured to <em>ON</em>. Instead of quoted strings Squid
now accepts regex \-escaped characters (including escaped spaces) in all
regex patterns.

<tag>external_acl_type</tag>
<p>New format code <em>%ssl::>sni</em> to send SSL client SNI.
<p>New format code <em>%ssl::<cert_subject</em> to send SSL server certificate DN.
<p>New format code <em>%ssl::<cert_issuer</em> to send SSL server certificate issuer DN.
<p>New format code <em>%un</em> to send any available user name (requires 3.5.7 or later).
<p>New format code <em>%>eui</em> to send either EUI-48 or EUI-64 (requires 3.5.20 or later).
<p>New response kv-pair <em>clt_conn_tag=</em> to associate a given tag with the client TCP connection.

<tag>forward_max_tries</tag>
<p>Default value increased to <em>25 destinations</em> to allow better
contact and IPv4 failover with domains using long lists of IPv6
addresses.

<tag>ftp_epsv</tag>
<p>Converted into an Access List with allow/deny value driven by ACLs
using Squid standard first line wins matching basis.
<p>The old values of <em>on</em> and <em>off</em> imply <em>allow all</em>
and <em>deny all</em> respectively and are now deprecated.
Do not combine use of on/off values with ACL configuration.

<tag>http_port</tag>
<p><em>protocol=</em> option altered to accept protocol version details.
Currently supported values are: HTTP, HTTP/1.1, HTTPS, HTTPS/1.1
<p>New option <em>require-proxy-header</em> to mark ports receiving PROXY
protocol version 1 or 2 traffic.
<p>New <em>options=NO_TICKET</em> parameter to disable TLS tickets
extension.
<p>New <em>options=SINGLE_ECDH_USE</em> parameter to enable ephemeral
ECDH key exchange. Added in 3.5.13.
<p>Deprecated <em>dhparams=</em> option. Use <em>tls-dh=</em> instead.
The new option optionally accepts an elliptic curve for
ephemeral ECDH by adding <em>curve-name:</em> in front of the
parameter file name. Added in 3.5.13.

<tag>https_port</tag>
<p><em>protocol=</em> option altered to accept protocol version details.
Currently supported values are: HTTP, HTTP/1.1, HTTPS, HTTPS/1.1
<p>New <em>options=NO_TICKET</em> parameter to disable TLS tickets
extension.
<p>New <em>options=SINGLE_ECDH_USE</em> parameter to enable ephemeral
ECDH key exchange. Added in 3.5.13.
<p>Deprecated <em>dhparams=</em> option. Use <em>tls-dh=</em> instead.
The new option optionally accepts an elliptic curve for
ephemeral ECDH by adding <em>curve-name:</em> in front of the
parameter file name. Added in 3.5.13.

<tag>logformat</tag>
<p>New format code <em>%credentials</em> to log the client credentials token.
<p>New format code <em>%ssl::>sni</em> to log the TLS client SNI sent to Squid.
<p>New format code <em>%tS</em> to log transaction start time in
"seconds.milliseconds" format, similar to the existing access.log
"current time" field (%ts.%03tu) which logs the corresponding
transaction finish time.
<p>New format codes <em>%<rs</em> and <em>%>rs</em> to log request URL
scheme from client or sent to server/peer respectively.
<p>New format codes <em>%<rd</em> and <em>%>rd</em> to log request URL
domain from client or sent to server/peer respectively.
<p>New format codes <em>%<rP</em> and <em>%>rP</em> to log request URL
port from client or sent to server/peer respectively.

<tag>ssl_bump</tag>
<p>Bumping 'modes' redesigned as 'actions' and ACLs evaluated repeatedly in a number of steps.
<p>Renamed <em>server-first</em> as <em>bump</em> action.
<p>Renamed <em>none</em> as <em>splice</em> action.
<p>New actions <em>peek</em> and <em>stare</em> to receive client or server
certificate while preserving the ability to later decide between bumping
or splicing the connections.
<p>New action <em>terminate</em> to close the client and server connections.

<tag>url_rewrite_program</tag>
<p>New response kv-pair <em>clt_conn_tag=</em> to associate a given tag with the client TCP connection.

</descrip>

<sect1>Removed tags<label id="removedtags">
<p>
<descrip>
<tag>cache_dns_program</tag>
<p>DNS external helper interface has been removed. It was no longer
able to provide high performance service and the internal DNS
client library with multicast DNS cover all modern use-cases.

<tag>dns_children</tag>
<p>DNS external helper interface has been removed.

<tag>hierarchy_stoplist</tag>
<p>Removed. The old directive values prohibiting CGI and dynamic content
going to cache_peer are no longer relevant.
<p>The functionality provided by this directive can be configured
using <em>always_direct allow</em> if still needed.

</descrip>


<sect>Changes to ./configure options since Squid-3.4
<p>
There have been some changes to Squid's build configuration since Squid-3.4.

This section gives an account of those changes in three categories:

<itemize>
<item><ref id="newoptions" name="New options">
<item><ref id="modifiedoptions" name="Changes to existing options">
<item><ref id="removedoptions" name="Removed options">
</itemize>


<sect1>New options<label id="newoptions">
<p>
<descrip>
<tag>BUILDCXX=</tag>
<p>Used when cross-compiling Squid.
<p>The path and name of a compiler for building cf_gen and related
tools used in the compile process.

<tag>BUILDCXXFLAGS=</tag>
<p>Used when cross-compiling Squid.
<p>C++ compiler flags used for building cf_gen and related
tools used in the compile process.

<tag>--without-gnutls</tag>
<p>New option to explicitly disable use of GnuTLS encryption library.
Use of this library is auto-enabled if v3.1.5 or later is available.
<p>It is currently only used by the squidclient tool.

<tag>--without-mit-krb5</tag>
<p>New option to explicitly disable use of MIT Kerberos library.
Default is to auto-detect and use if possible.
<p>Only one Kerberos library may be built against.

<tag>--without-heimdal-krb5</tag>
585 | <p>New option to explicitly disable use of Heimdal Kerberos library. | |
586 | Default is to auto-detect and use if possible. | |
587 | <p>Only one Kerberos library may be built against. | |
588 | ||
589 | <tag>--without-gnugss</tag> | |
590 | <p>New option to explicitly disable use of GNU GSSAPI library for Kerberos. | |
591 | Default is to auto-detect and use if possible. | |
592 | <p>Only one Kerberos library may be built against. | |
593 | ||
f2c46e40 AJ |
594 | </descrip> |
595 | ||
596 | <sect1>Changes to existing options<label id="modifiedoptions"> | |
597 | <p> | |
598 | <descrip> | |
4f07726a AJ |
599 | <tag>--enable-icap-client</tag> |
600 | <p>Deprecated. ICAP client is now auto-enabled. | |
601 | Use --disable-icap-client to disable if you need to. | |
f2c46e40 | 602 | |
6f4a12cf AJ |
603 | <tag>--with-nat-devpf</tag> |
604 | <p>IPv6 NAT interception support has been added for BSD builds using this option. | |
605 | ||
f2c46e40 AJ |
606 | </descrip> |
607 | </p> | |
608 | ||
609 | <sect1>Removed options<label id="removedoptions"> | |
610 | <p> | |
611 | <descrip> | |
f2c46e40 AJ |
612 | <tag>--disable-internal-dns</tag> |
613 | <p>DNS external helper interface has been removed. It was no longer | |
614 | able to provide high performance service and the internal DNS | |
615 | client library with multicast DNS covers all modern use-cases. | |
616 | ||
c41db002 AJ |
617 | <tag>--enable-ssl</tag> |
618 | <p>Removed. Use <em>--with-openssl</em> to enable OpenSSL library support. | |
619 | ||
ae06fcd7 AJ |
620 | <tag>--with-coss-membuf-size</tag> |
621 | <p>The COSS cache type has been removed. | |
622 | It has been replaced by <em>rock</em> cache type. | |
623 | ||
a5c79bf3 AJ |
624 | <tag>--with-krb5-config</tag> |
625 | <p>Removed. The Kerberos library is auto-detected now. | |
626 | <p>Use <em>--with/--without-mit-krb5</em>, <em>--with/--without-heimdal-krb5</em>, or | |
627 | <em>--with/--without-gnugss</em> options for specific library selection if necessary. | |
628 | ||
f2c46e40 AJ |
629 | </descrip> |
630 | ||
631 | ||
632 | <sect>Regressions since Squid-2.7 | |
633 | ||
634 | <p>Some squid.conf options which were available in Squid-2.7 are not yet available in Squid-3.5. | |
635 | ||
636 | <p>If you need something to do then porting one of these from Squid-2 to Squid-3 is most welcome. | |
637 | ||
638 | <sect1>Missing squid.conf options available in Squid-2.7 | |
639 | <p> | |
640 | <descrip> | |
641 | <tag>broken_vary_encoding</tag> | |
642 | <p>Not yet ported from 2.6 | |
643 | ||
644 | <tag>cache_peer</tag> | |
f2c46e40 AJ |
645 | <p><em>monitorinterval=</em> not yet ported from 2.6 |
646 | <p><em>monitorsize=</em> not yet ported from 2.6 | |
647 | <p><em>monitortimeout=</em> not yet ported from 2.6 | |
648 | <p><em>monitorurl=</em> not yet ported from 2.6 | |
649 | ||
650 | <tag>cache_vary</tag> | |
651 | <p>Not yet ported from 2.6 | |
652 | ||
f2c46e40 AJ |
653 | <tag>error_map</tag> |
654 | <p>Not yet ported from 2.6 | |
655 | ||
656 | <tag>external_refresh_check</tag> | |
657 | <p>Not yet ported from 2.7 | |
658 | ||
659 | <tag>location_rewrite_access</tag> | |
660 | <p>Not yet ported from 2.6 | |
661 | ||
662 | <tag>location_rewrite_children</tag> | |
663 | <p>Not yet ported from 2.6 | |
664 | ||
665 | <tag>location_rewrite_concurrency</tag> | |
666 | <p>Not yet ported from 2.6 | |
667 | ||
668 | <tag>location_rewrite_program</tag> | |
669 | <p>Not yet ported from 2.6 | |
670 | ||
671 | <tag>refresh_pattern</tag> | |
672 | <p><em>stale-while-revalidate=</em> not yet ported from 2.7 | |
673 | <p><em>ignore-stale-while-revalidate=</em> not yet ported from 2.7 | |
674 | <p><em>negative-ttl=</em> not yet ported from 2.7 | |
675 | ||
676 | <tag>refresh_stale_hit</tag> | |
677 | <p>Not yet ported from 2.7 | |
678 | ||
679 | <tag>update_headers</tag> | |
680 | <p>Not yet ported from 2.7 | |
681 | ||
682 | </descrip> | |
683 | ||
6a9396a7 AJ |
684 | <sect>Copyright |
685 | <p> | |
4ac4a490 | 686 | Copyright (C) 1996-2017 The Squid Software Foundation and contributors |
6a9396a7 AJ |
687 | <p> |
688 | Squid software is distributed under GPLv2+ license and includes | |
689 | contributions from numerous individuals and organizations. | |
690 | Please see the COPYING and CONTRIBUTORS files for details. | |
691 | ||
f2c46e40 | 692 | </article> |