Commit | Line | Data |
---|---|---|
f2c46e40 AJ |
1 | <!doctype linuxdoc system> |
2 | <article> | |
bf611e3a | 3 | <title>Squid 3.5.0.2 release notes</title> |
f2c46e40 AJ |
4 | <author>Squid Developers</author> |
5 | ||
6 | <abstract> | |
7 | This document contains the release notes for version 3.5 of Squid. | |
8 | Squid is a WWW Cache application developed by the National Laboratory | |
9 | for Applied Network Research and members of the Web Caching community. | |
10 | </abstract> | |
11 | ||
12 | <toc> | |
13 | ||
14 | <sect>Notice | |
15 | <p> | |
bf611e3a | 16 | The Squid Team are pleased to announce the release of Squid-3.5.0.2 for testing. |
f2c46e40 AJ |
17 | |
18 | This new release is available for download from <url url="http://www.squid-cache.org/Versions/v3/3.5/"> or the | |
19 | <url url="http://www.squid-cache.org/Mirrors/http-mirrors.html" name="mirrors">. | |
20 | ||
e0dbeeb6 | 21 | <p>While this release is not deemed ready for production use, we believe it is ready for wider testing by the community. |
f2c46e40 | 22 | |
e0dbeeb6 AJ |
23 | <p>We welcome feedback and bug reports. If you find a bug, please see <url url="http://wiki.squid-cache.org/SquidFaq/BugReporting"> |
24 | for how to submit a report with a stack trace. | |
f2c46e40 AJ |
25 | |
26 | <sect1>Known issues | |
27 | <p> | |
28 | Although this release is deemed good enough for use in many setups, please note the existence of | |
29 | <url url="http://bugs.squid-cache.org/buglist.cgi?query_format=advanced&product=Squid&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&version=3.5" name="open bugs against Squid-3.5">. | |
30 | ||
31 | <sect1>Changes since earlier releases of Squid-3.5 | |
32 | <p> | |
33 | The 3.5 change history can be <url url="http://www.squid-cache.org/Versions/v3/3.5/changesets/" name="viewed here">. | |
34 | ||
e8a16b1a AJ |
35 | <sect1>Copyright disclaimer adjustments |
36 | <p>Squid sources are now administered by the Squid Software Foundation on | |
37 | behalf of the Squid Project and community. | |
38 | ||
39 | <p>This version of Squid contains initial changes to streamline copyright | |
40 | declarations in Squid sources and related metafiles. No functionality | |
41 | or licensing changes are intended. | |
42 | ||
43 | <p>Once completed, the changes will consistently declare Squid contributors | |
44 | (listed in CONTRIBUTORS and represented by the Squid Software Foundation) as | |
45 | Squid copyright owners while referring the reader to the COPYING file for GPL | |
46 | licensing details. The boilerplate with the above information is provided. | |
47 | ||
48 | <p>These changes do not affect copyright rights of individuals or organizations. | |
49 | We are simply confirming the fact that there are many Squid copyright owners, | |
50 | just like there are many Linux kernel copyright owners. We are also providing | |
51 | a simple, consistent way to document that fact. | |
52 | ||
f2c46e40 AJ |
53 | |
54 | <sect>Major new features since Squid-3.4 | |
55 | <p>Squid 3.5 represents a new feature release above 3.4. | |
56 | ||
57 | <p>The most important of these new features are: | |
58 | <itemize> | |
59 | <item>Support libecap v1.0 | |
4e022adf | 60 | <item>Authentication helper query extensions |
27dad1a3 AJ |
61 | <item>Support named services |
62 | <item>Upgraded squidclient tool | |
63 | <item>Helper support for concurrency channels | |
b3cb9958 | 64 | <item>Native FTP Relay |
a5b14a8c | 65 | <item>Receive PROXY protocol, Versions 1 & 2 |
f2c46e40 AJ |
66 | </itemize> |
67 | ||
68 | Most user-facing changes are reflected in squid.conf (see below). | |
69 | ||
70 | ||
71 | <sect1>Support libecap v1.0 | |
95fa2851 | 72 | <p>Details at <url url="http://wiki.squid-cache.org/Features/eCAP">. |
f2c46e40 AJ |
73 | |
74 | <p>The new libecap version allows Squid to better check the version of | |
75 | the eCAP adapter being loaded as well as the version of the eCAP library | |
76 | being used. | |
77 | ||
78 | <p>Squid-3.5 can support eCAP adapters built with libecap v1.0, | |
79 | but no longer supports adapters built with earlier libecap versions | |
80 | due to API changes. | |
81 | ||
82 | ||
4e022adf AJ |
83 | <sect1>Authentication helper query extensions |
84 | <p>Details at <url url="http://www.squid-cache.org/Doc/config/auth_param/">. | |
85 | ||
86 | <p>The new <em>key_extras</em> parameter allows sending of additional | |
87 | details to the authentication helper beyond the minimum required for | |
88 | the HTTP authentication. This is primarily intended to allow switching | |
89 | of authentication databases based on criteria such as client IP subnet, | |
90 | Squid receiving port, or in reverse-proxy the requested domain name. | |
91 | ||
92 | <p>In theory any <em>logformat</em> code may be used, however only the | |
93 | codes which have available details at the time of authentication | |
94 | will send any meaningful detail. | |
95 | ||
96 | ||
27dad1a3 AJ |
97 | <sect1>Support named services |
98 | <p>Details at <url url="http://wiki.squid-cache.org/MultipleInstances">. | |
99 | <p>Terminology details at <url url="http://wiki.squid-cache.org/Features/SmpScale#Terminology">. | |
100 | ||
101 | <p>The command line option <em>-n</em> assigns a name to the Squid service | |
102 | instance to be used as a unique identifier for all SMP processes run as | |
103 | part of that instance. This allows multiple instances of Squid service to | |
104 | be run on a single machine without background SMP systems such as shared | |
105 | memory and inter-process communication becoming confused or requiring | |
106 | additional configuration. | |
107 | ||
108 | <p>A service name is always used. When the <em>-n</em> option is missing | |
109 | from the command line the default service name is <em>squid</em>. | |
110 | ||
111 | <p>When multiple instances are being run the <em>-n</em> service name is | |
112 | required to target all other options such as <em>-z</em> or <em>-k</em> | |
113 | commands at the correct service. | |
114 | ||
115 | <p>The squid.conf macro ${service_name} is added to provide the service name | |
116 | of the process parsing the config. | |
117 | ||
118 | ||
119 | <sect1>Upgraded squidclient tool | |
95fa2851 AJ |
120 | <p>Details at <url url="http://www.squid-cache.org/Versions/v3/3.5/manuals/squidclient.html">. |
121 | ||
27dad1a3 AJ |
122 | <p>The <em>squidclient</em> has begun the process of upgrading to support |
123 | protocols other than HTTP. | |
124 | ||
125 | <sect2>Debug levels | |
126 | <p>The tool displays the server response message on STDOUT unless the <em>-q</em> | |
127 | command line option is used. Error messages will be output to STDERR. | |
128 | All other possible output is considered debug and output to STDERR using | |
129 | a range of debug verbosity levels (currently 1, 2 and 3). | |
130 | ||
131 | <p>When the <em>-v</em> command line option is used debugging is enabled. | |
132 | The level of debug display is raised for each repetition of the option. | |
133 | ||
134 | <sect2>PING | |
135 | <p>When <em>--ping</em> is given the tool will send its message repeatedly | |
136 | using whichever protocol that message has been formatted for. | |
137 | Optional parameters to limit the number of pings and their frequency are | |
138 | available. | |
139 | ||
140 | <p>Older tool versions also provide this feature but require the loop count | |
141 | parameter to be set to enable use of the feature. | |
142 | ||
143 | <sect2>HTTPS | |
144 | <p>When Squid is built with the GnuTLS encryption library the tool is able | |
145 | to open TLS (or SSL/3.0) connections to servers. | |
146 | ||
ae06fcd7 | 147 | <p>The <em>--https</em> option enables TLS using default values. |
27dad1a3 | 148 | |
ae06fcd7 | 149 | <p>The <em>--cert</em> option specifies a file containing X.509 client |
27dad1a3 AJ |
150 | certificate and private key in PEM format to be loaded for use. Multiple |
151 | certificates are supported and the option may be used multiple times to | |
152 | load certificates. | |
153 | The default is not to use a client certificate. | |
154 | ||
155 | <p>The <em>--params</em> option specifies a library specific set of parameters | |
156 | to be sent to the library for configuring the security context. | |
157 | See <url url="http://gnutls.org/manual/html_node/Priority-Strings.html"> for | |
158 | available GnuTLS parameters. | |
159 | ||
160 | <p>The <em>--trusted-ca</em> option specifies a file in PEM format containing | |
161 | one or more Certificate Authority (CA) certificates used to verify the | |
162 | remote server. This option may be used multiple times to load additional | |
163 | CA certificate lists. | |
164 | The default is not to use any CA, nor trust any server. | |
165 | ||
166 | <p>Anonymous TLS (using non-authenticated Diffie-Hellman or Elliptic Curve | |
167 | encryption) is available with the <em>--anonymous-tls</em> option. | |
168 | The default is to use X.509 certificate encryption instead. | |
169 | ||
170 | <p>When performing TLS/SSL, server certificates are always verified and the | |
171 | results are shown at debug level 3. The encryption type is displayed at debug | |
172 | level 2. The connection is used to send and receive the messages | |
173 | regardless of verification results. | |
174 | ||
175 | ||
176 | <sect1>Helper support for concurrency channels | |
177 | <p>Helper concurrency greatly reduces the communication lag between Squid | |
178 | and its helpers allowing faster transaction speeds even on sequential | |
179 | helpers. | |
180 | ||
f80c51ec AJ |
181 | <p>The Digest authentication, Store-ID, and URL-rewrite helpers packaged |
182 | with Squid have been updated to support concurrency channels. They will | |
183 | auto-detect the <em>channel-ID</em> field and will produce the appropriate | |
184 | response format. | |
185 | With these helpers concurrency may now be set to 0 or any higher number as desired. | |
27dad1a3 AJ |
186 | |
187 | ||
b3cb9958 AR |
188 | <sect1>Native FTP Relay |
189 | <p>Details at <url url="http://wiki.squid-cache.org/Features/FtpRelay">. | |
190 | ||
191 | <p>Squid is now capable of accepting native FTP commands and relaying native | |
192 | FTP messages between FTP clients and FTP servers. Native FTP commands | |
193 | accepted at ftp_port are internally converted or wrapped into HTTP-like | |
194 | messages. The same happens to Native FTP responses received from FTP origin | |
195 | servers. Those HTTP-like messages are shoveled through regular access | |
196 | control and adaptation layers between the FTP client and the FTP origin | |
197 | server. This allows Squid to examine, adapt, block, and log FTP exchanges. | |
198 | Squid reuses most HTTP mechanisms when shoveling wrapped FTP messages. For | |
199 | example, http_access and adaptation_access directives are used. | |
200 | ||
201 | <p>FTP Relay is a new, experimental, complex feature that has seen limited | |
202 | production exposure. Some Squid modules (e.g., caching) do not currently | |
203 | work with native FTP proxying, and many features have not even been tested | |
204 | for compatibility. Test well before deploying! | |
205 | ||
206 | <p>Native FTP proxying differs substantially from proxying HTTP requests with | |
207 | <em>ftp://</em> URIs because Squid works as an FTP server and receives | |
208 | actual FTP commands (rather than HTTP requests with FTP URLs). | |
209 | ||
86d74505 | 210 | <p>FTP Relay highlights: |
b3cb9958 AR |
211 | <itemize> |
212 | <item>Added ftp_port directive telling Squid to relay native FTP commands. | |
213 | <item>Active and passive FTP support on the user-facing side; require | |
214 | passive connections to come from the control connection source IP | |
215 | address. | |
216 | <item>IPv6 support (EPSV and, on the user-facing side, EPRT). | |
217 | <item>Intelligent adaptation of relayed FTP FEAT responses. | |
218 | <item>Relaying of multi-line FTP control responses using various formats. | |
219 | <item>Support relaying of FTP MLSD and MLST commands (RFC 3659). | |
220 | <item>Several Microsoft FTP server compatibility features. | |
221 | <item>ICAP/eCAP support (at individual FTP command/response level). | |
222 | <item>Optional "current FTP directory" tracking with the assistance of | |
223 | injected (by Squid) PWD commands (cannot be 100% reliable due to | |
224 | symbolic links and such, but is helpful in some common use cases). | |
225 | <item>No caching support -- no reliable Request URIs for that (see above). | |
226 | </itemize> | |
227 | ||
a5b14a8c | 228 | <sect1>Receive PROXY protocol, Versions 1 & 2 |
00d0ce87 AJ |
229 | <p>More info at <url url="http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt"> |
230 | ||
231 | <p>PROXY protocol provides a simple way for proxies and tunnels of any kind to | |
232 | relay the original client source details without having to alter or understand | |
233 | the protocol being relayed on the connection. | |
234 | ||
a5b14a8c AJ |
235 | <p>Squid currently supports receiving HTTP traffic from a client proxy using this protocol. |
236 | An http_port which has been configured to receive this protocol may only be used to | |
8d757308 | 237 | receive traffic from client software sending in this protocol. |
70a16fea | 238 | HTTP traffic without the PROXY header is not accepted on such a port. |
00d0ce87 | 239 | |
a5b14a8c AJ |
240 | <p>The <em>accel</em> and <em>intercept</em> options are still used to identify the |
241 | traffic syntax being delivered by the client proxy. | |
242 | ||
9deb9a42 | 243 | <p>Squid can be configured by adding an <em>http_port</em> |
d3d92daa | 244 | with the <em>require-proxy-header</em> mode flag. The <em>proxy_protocol_access</em> |
00d0ce87 AJ |
245 | must also be configured with <em>src</em> ACLs to whitelist proxies which are |
246 | trusted to send correct client details. | |
247 | ||
a5b14a8c | 248 | <p>Forward-proxy traffic from a client proxy: |
86d74505 | 249 | <verb> |
6e96d415 | 250 | acl frontend src 192.0.2.1 |
d3d92daa | 251 | http_port 3128 require-proxy-header |
6e96d415 | 252 | proxy_protocol_access allow frontend |
86d74505 | 253 | </verb> |
00d0ce87 | 254 | |
a5b14a8c | 255 | <p>Intercepted traffic from a client proxy or tunnel: |
86d74505 | 256 | <verb> |
6e96d415 | 257 | acl frontend src 192.0.2.2 |
d3d92daa | 258 | http_port 3128 intercept require-proxy-header |
6e96d415 | 259 | proxy_protocol_access allow frontend |
86d74505 | 260 | </verb> |
6e96d415 AJ |
261 | |
262 | <p>Reverse-proxy traffic from a frontend load balancer sending PROXY protocol: | |
86d74505 | 263 | <verb> |
6e96d415 AJ |
264 | acl frontend src 192.0.2.3 |
265 | http_port 3128 accel require-proxy-header | |
266 | proxy_protocol_access allow frontend | |
86d74505 | 267 | </verb> |
a5b14a8c AJ |
268 | |
269 | <p><em>Known Issue:</em> | |
6e96d415 | 270 | Use of <em>require-proxy-header</em> on <em>https_port</em> and <em>ftp_port</em> is not supported. |
9deb9a42 | 271 | |
b3cb9958 | 272 | |
f2c46e40 AJ |
273 | <sect>Changes to squid.conf since Squid-3.4 |
274 | <p> | |
275 | There have been changes to Squid's configuration file since Squid-3.4. | |
276 | ||
277 | <p>Squid supports reading configuration option parameters from external | |
278 | files using the syntax <em>parameters("/path/filename")</em>. For example: | |
279 | <verb> | |
280 | acl whitelist dstdomain parameters("/etc/squid/whitelist.txt") | |
281 | </verb> | |
282 | ||
e0dbeeb6 | 283 | <p>The squid.conf macro <em>${service_name}</em> is added to provide the service name |
ae06fcd7 AJ |
284 | of the process parsing the config. |
285 | ||
f2c46e40 AJ |
286 | <p>There have also been changes to individual directives in the config file. |
287 | ||
288 | This section gives a thorough account of those changes in three categories: | |
289 | ||
290 | <itemize> | |
291 | <item><ref id="newtags" name="New tags"> | |
292 | <item><ref id="modifiedtags" name="Changes to existing tags"> | |
293 | <item><ref id="removedtags" name="Removed tags"> | |
294 | </itemize> | |
295 | <p> | |
296 | ||
297 | <sect1>New tags<label id="newtags"> | |
298 | <p> | |
299 | <descrip> | |
0f5964c3 AJ |
300 | <tag>collapsed_forwarding</tag> |
301 | <p>Ported from Squid-2 with no configuration or visible behaviour changes. | |
302 | Collapsing of requests is performed across SMP workers. | |
303 | ||
e0dbeeb6 AJ |
304 | <tag>ftp_client_idle_timeout</tag> |
305 | <p>This new configuration directive controls how long Squid should | |
306 | wait for an FTP request on a connection to an ftp_port. Many FTP | |
307 | clients do not deal with idle connection closures well, | |
308 | necessitating a longer default timeout (30 minutes) than | |
309 | client_idle_pconn_timeout used for incoming HTTP requests (2 | |
310 | minutes). The current default may be changed as we get more | |
311 | experience with FTP relaying. | |
312 | ||
313 | <tag>ftp_client_idle_timeout</tag> | |
314 | <p>New directive controlling how long to wait for an FTP request on a | |
315 | client connection to Squid <em>ftp_port</em>. | |
316 | ||
317 | <tag>ftp_port</tag> | |
318 | <p>New configuration directive to accept and relay native FTP | |
319 | commands. Typically used for port 21 traffic. By default, native | |
320 | FTP commands are not accepted. | |
321 | ||
d3d92daa AJ |
322 | <tag>proxy_protocol_access</tag> |
323 | <p>New directive to control which clients are permitted to open PROXY | |
324 | protocol connections on a port flagged with <em>require-proxy-header</em>. | |
00d0ce87 | 325 | |
0f5964c3 AJ |
326 | <tag>send_hit</tag> |
327 | <p>New configuration directive to enable/disable sending cached content | |
328 | based on ACL selection. ACL can be based on client request or cached | |
329 | response details. | |
330 | ||
e0dbeeb6 AJ |
331 | <tag>sslproxy_cert_sign_hash</tag> |
332 | <p>New directive to set the hashing algorithm to use when signing generated certificates. | |
333 | ||
27dad1a3 AJ |
334 | <tag>sslproxy_session_cache_size</tag> |
335 | <p>New directive which sets the cache size to use for TLS/SSL sessions cache. | |
336 | ||
337 | <tag>sslproxy_session_ttl</tag> | |
338 | <p>New directive to specify the time in seconds the TLS/SSL session is valid. | |
339 | ||
340 | <tag>store_id_extras</tag> | |
341 | <p>New directive to send additional lookup parameters to the configured | |
342 | Store-ID helper program. It takes a string which may contain logformat %macros. | |
343 | <p>The Store-ID helper input format is now: | |
ae06fcd7 | 344 | <verb> |
27dad1a3 | 345 | [channel-ID] url [extras] |
ae06fcd7 | 346 | </verb> |
e0dbeeb6 | 347 | <p>The default value for extras is: "%>a/%>A %un %>rm myip=%la myport=%lp" |
27dad1a3 | 348 | |
0f5964c3 AJ |
349 | <tag>store_miss</tag> |
350 | <p>New configuration directive to enable/disable caching of MISS responses. | |
351 | ACL can be based on any request or response details. | |
f2c46e40 | 352 | |
27dad1a3 AJ |
353 | <tag>url_rewrite_extras</tag> |
354 | <p>New directive to send additional lookup parameters to the configured | |
355 | URL-rewriter/redirector helper program. It takes a string which may | |
356 | contain logformat %macros. | |
357 | <p>The url rewrite and redirector helper input format is now: | |
ae06fcd7 | 358 | <verb> |
27dad1a3 | 359 | [channel-ID] url [extras] |
ae06fcd7 | 360 | </verb> |
e0dbeeb6 | 361 | <p>The default value for extras is: "%>a/%>A %un %>rm myip=%la myport=%lp" |
b3cb9958 | 362 | |
f2c46e40 AJ |
363 | </descrip> |
364 | ||
365 | <sect1>Changes to existing tags<label id="modifiedtags"> | |
366 | <p> | |
367 | <descrip> | |
368 | <tag>acl</tag> | |
e0dbeeb6 AJ |
369 | <p>Deprecated type <em>tag</em>. Use type <em>note</em> with 'tag' key |
370 | name instead. | |
f2c46e40 AJ |
371 | <p>New type <em>adaptation_service</em> to match the name of any |
372 | icap_service, ecap_service, adaptation_service_set, or | |
373 | adaptation_service_chain that Squid has used (or attempted to use) | |
374 | for the HTTP transaction so far. | |
e0dbeeb6 AJ |
375 | <p>New type <em>at_step</em> to match the current SSL-Bump processing step. |
376 | Never matches and should not be used outside of <em>ssl_bump</em>. | |
f2c46e40 AJ |
377 | |
378 | <tag>auth_param</tag> | |
379 | <p>New parameter <em>key_extras</em> to send additional parameters to | |
380 | the authentication helper. | |
381 | ||
27dad1a3 AJ |
382 | <tag>cache_dir</tag> |
383 | <p>New support for larger than 32KB objects in both <em>rock</em> type | |
384 | cache and shared memory cache. | |
385 | <p>New <em>slot-size=N</em> option for rock cache to specify the database | |
386 | slot/page size when small slot sizes are desired. The default and | |
387 | maximum slot size is 32KB. | |
388 | <p>Removal of old rock cache dir followed by <em>squid -z</em> is required | |
389 | when upgrading from earlier versions of Squid. | |
e0dbeeb6 AJ |
390 | <p><em>COSS</em> storage type is formally replaced by Rock storage type. |
391 | COSS storage type and all COSS specific options are removed. | |
27dad1a3 AJ |
392 | |
393 | <tag>cache_peer</tag> | |
394 | <p>New <em>standby=N</em> option to retain a set of N open and unused | |
395 | connections to the peer at virtually all times to reduce TCP handshake | |
396 | delays. | |
397 | <p>These connections differ from HTTP persistent connections in that they | |
398 | have not been used for HTTP messaging (and may never be). They may be | |
399 | turned into persistent connections after their first use subject to the | |
400 | same keep-alive criteria any HTTP connection is checked for. | |
e0dbeeb6 AJ |
401 | <p>Squid-2 option <em>idle=</em> replaced by <em>standby=</em>. |
402 | <p>NOTE that standby connections are started earlier and available in | |
403 | more circumstances than squid-2 idle connections were. They are | |
404 | also spread over all IPs of the peer. | |
405 | ||
406 | <tag>external_acl_type</tag> | |
407 | <p>New format code <em>%ssl::>sni</em> to send SSL client SNI. | |
408 | <p>New format code <em>%ssl::<cert_subject</em> to send SSL server certificate DN. | |
409 | <p>New format code <em>%ssl::<cert_issuer</em> to send SSL server certificate issuer DN. | |
410 | <p>New response kv-pair <em>clt_conn_tag=</em> to associate a given tag with the client TCP connection. | |
27dad1a3 | 411 | |
f2c46e40 | 412 | <tag>forward_max_tries</tag> |
ae06fcd7 | 413 | <p>Default value increased to <em>25 destinations</em> to allow better |
f2c46e40 AJ |
414 | contact and IPv4 failover with domains using long lists of IPv6 |
415 | addresses. | |
416 | ||
27dad1a3 AJ |
417 | <tag>ftp_epsv</tag> |
418 | <p>Converted into an Access List with allow/deny value driven by ACLs | |
419 | using Squid standard first line wins matching basis. | |
420 | <p>The old values of <em>on</em> and <em>off</em> imply <em>allow all</em> | |
421 | and <em>deny all</em> respectively and are now deprecated. | |
422 | Do not combine use of on/off values with ACL configuration. | |
423 | ||
f2c46e40 AJ |
424 | <tag>http_port</tag> |
425 | <p><em>protocol=</em> option altered to accept protocol version details. | |
426 | Currently supported values are: HTTP, HTTP/1.1, HTTPS, HTTPS/1.1 | |
86d74505 | 427 | <p>New option <em>require-proxy-header</em> to mark ports receiving PROXY |
a5b14a8c | 428 | protocol version 1 or 2 traffic. |
f2c46e40 | 429 | |
ae06fcd7 AJ |
430 | <tag>https_port</tag> |
431 | <p><em>protocol=</em> option altered to accept protocol version details. | |
432 | Currently supported values are: HTTP, HTTP/1.1, HTTPS, HTTPS/1.1 | |
433 | ||
f2c46e40 | 434 | <tag>logformat</tag> |
e0dbeeb6 AJ |
435 | <p>New format code <em>%credentials</em> to log the client credentials token. |
436 | <p>New format code <em>%ssl::>sni</em> to log TLS client SNI sent to Squid. | |
f2c46e40 AJ |
437 | <p>New format code <em>%tS</em> to log transaction start time in |
438 | "seconds.milliseconds" format, similar to the existing access.log | |
439 | "current time" field (%ts.%03tu) which logs the corresponding | |
440 | transaction finish time. | |
e0dbeeb6 AJ |
441 | <p>New format codes <em>%<rs</em> and <em>%>rs</em> to log request URL |
442 | scheme from client or sent to server/peer respectively. | |
443 | <p>New format codes <em>%<rd</em> and <em>%>rd</em> to log request URL | |
444 | domain from client or sent to server/peer respectively. | |
445 | <p>New format codes <em>%<rP</em> and <em>%>rP</em> to log request URL | |
446 | port from client or sent to server/peer respectively. | |
447 | ||
448 | <tag>ssl_bump</tag> | |
449 | <p>Bumping 'modes' redesigned as 'actions' and ACLs evaluated repeatedly in a number of steps. | |
450 | <p>Renamed <em>server-first</em> as <em>bump</em> action. | |
451 | <p>Renamed <em>none</em> as <em>splice</em> action. | |
452 | <p>New actions <em>peek</em> and <em>stare</em> to receive client or server | |
453 | certificate while preserving the ability to later decide between bumping | |
454 | or splicing the connections. | |
455 | <p>New action <em>terminate</em> to close the client and server connections. | |
456 | ||
457 | <tag>url_rewrite_program</tag> | |
458 | <p>New response kv-pair <em>clt_conn_tag=</em> to associate a given tag with the client TCP connection. | |
f2c46e40 AJ |
459 | |
460 | </descrip> | |
461 | ||
462 | <sect1>Removed tags<label id="removedtags"> | |
463 | <p> | |
464 | <descrip> | |
f2c46e40 AJ |
465 | <tag>cache_dns_program</tag> |
466 | <p>DNS external helper interface has been removed. It was no longer | |
467 | able to provide high performance service and the internal DNS | |
468 | client library with multicast DNS covers all modern use-cases. | |
469 | ||
470 | <tag>dns_children</tag> | |
471 | <p>DNS external helper interface has been removed. | |
472 | ||
6884ec40 AJ |
473 | <tag>hierarchy_stoplist</tag> |
474 | <p>Removed. The old directive values prohibiting CGI and dynamic content | |
475 | going to cache_peer are no longer relevant. | |
476 | <p>The functionality provided by this directive can be configured | |
477 | using <em>always_direct allow</em> if still needed. | |
478 | ||
f2c46e40 AJ |
479 | </descrip> |
480 | ||
481 | ||
482 | <sect>Changes to ./configure options since Squid-3.4 | |
483 | <p> | |
484 | There have been some changes to Squid's build configuration since Squid-3.4. | |
485 | ||
486 | This section gives an account of those changes in three categories: | |
487 | ||
488 | <itemize> | |
489 | <item><ref id="newoptions" name="New options"> | |
490 | <item><ref id="modifiedoptions" name="Changes to existing options"> | |
491 | <item><ref id="removedoptions" name="Removed options"> | |
492 | </itemize> | |
493 | ||
494 | ||
495 | <sect1>New options<label id="newoptions"> | |
496 | <p> | |
497 | <descrip> | |
b2f0a375 AJ |
498 | <tag>BUILDCXX=</tag> |
499 | <p>Used when cross-compiling Squid. | |
500 | <p>The path and name of a compiler for building cf_gen and related | |
501 | tools used in the compile process. | |
502 | ||
503 | <tag>BUILDCXXFLAGS=</tag> | |
504 | <p>Used when cross-compiling Squid. | |
505 | <p>C++ compiler flags used for building cf_gen and related | |
506 | tools used in the compile process. | |
507 | ||
27dad1a3 AJ |
508 | <tag>--without-gnutls</tag> |
509 | <p>New option to explicitly disable use of GnuTLS encryption library. | |
510 | Use of this library is auto-enabled if v3.1.5 or later is available. | |
511 | <p>It is currently only used by the squidclient tool. | |
512 | ||
a5c79bf3 AJ |
513 | <tag>--without-mit-krb5</tag> |
514 | <p>New option to explicitly disable use of MIT Kerberos library. | |
515 | Default is to auto-detect and use if possible. | |
516 | <p>Only one Kerberos library may be built against. | |
517 | ||
518 | <tag>--without-heimdal-krb5</tag> | |
519 | <p>New option to explicitly disable use of Heimdal Kerberos library. | |
520 | Default is to auto-detect and use if possible. | |
521 | <p>Only one Kerberos library may be built against. | |
522 | ||
523 | <tag>--without-gnugss</tag> | |
524 | <p>New option to explicitly disable use of GNU GSSAPI library for Kerberos. | |
525 | Default is to auto-detect and use if possible. | |
526 | <p>Only one Kerberos library may be built against. | |
527 | ||
f2c46e40 AJ |
528 | </descrip> |
529 | ||
530 | <sect1>Changes to existing options<label id="modifiedoptions"> | |
531 | <p> | |
532 | <descrip> | |
4f07726a AJ |
533 | <tag>--enable-icap-client</tag> |
534 | <p>Deprecated. ICAP client is now auto-enabled. | |
535 | Use --disable-icap-client to disable if you need to. | |
f2c46e40 AJ |
536 | |
537 | </descrip> | |
538 | </p> | |
539 | ||
540 | <sect1>Removed options<label id="removedoptions"> | |
541 | <p> | |
542 | <descrip> | |
f2c46e40 AJ |
543 | <tag>--disable-internal-dns</tag> |
544 | <p>DNS external helper interface has been removed. It was no longer | |
545 | able to provide high performance service and the internal DNS | |
546 | client library with multicast DNS covers all modern use-cases. | |
547 | ||
c41db002 AJ |
548 | <tag>--enable-ssl</tag> |
549 | <p>Removed. Use <em>--with-openssl</em> to enable OpenSSL library support. | |
550 | ||
ae06fcd7 AJ |
551 | <tag>--with-coss-membuf-size</tag> |
552 | <p>The COSS cache type has been removed. | |
553 | It has been replaced by <em>rock</em> cache type. | |
554 | ||
a5c79bf3 AJ |
555 | <tag>--with-krb5-config</tag> |
556 | <p>Removed. The Kerberos library is auto-detected now. | |
557 | <p>Use <em>--with/--without-mit-krb5</em>, <em>--with/--without-heimdal-krb5</em>, or | |
558 | <em>--with/--without-gnugss</em> options for specific library selection if necessary. | |
559 | ||
f2c46e40 AJ |
560 | </descrip> |
561 | ||
562 | ||
563 | <sect>Regressions since Squid-2.7 | |
564 | ||
565 | <p>Some squid.conf options which were available in Squid-2.7 are not yet available in Squid-3.5 | |
566 | ||
567 | <p>If you need something to do then porting one of these from Squid-2 to Squid-3 is most welcome. | |
568 | ||
569 | <sect1>Missing squid.conf options available in Squid-2.7 | |
570 | <p> | |
571 | <descrip> | |
572 | <tag>broken_vary_encoding</tag> | |
573 | <p>Not yet ported from 2.6 | |
574 | ||
575 | <tag>cache_peer</tag> | |
f2c46e40 AJ |
576 | <p><em>monitorinterval=</em> not yet ported from 2.6 |
577 | <p><em>monitorsize=</em> not yet ported from 2.6 | |
578 | <p><em>monitortimeout=</em> not yet ported from 2.6 | |
579 | <p><em>monitorurl=</em> not yet ported from 2.6 | |
580 | ||
581 | <tag>cache_vary</tag> | |
582 | <p>Not yet ported from 2.6 | |
583 | ||
f2c46e40 AJ |
584 | <tag>error_map</tag> |
585 | <p>Not yet ported from 2.6 | |
586 | ||
587 | <tag>external_refresh_check</tag> | |
588 | <p>Not yet ported from 2.7 | |
589 | ||
590 | <tag>location_rewrite_access</tag> | |
591 | <p>Not yet ported from 2.6 | |
592 | ||
593 | <tag>location_rewrite_children</tag> | |
594 | <p>Not yet ported from 2.6 | |
595 | ||
596 | <tag>location_rewrite_concurrency</tag> | |
597 | <p>Not yet ported from 2.6 | |
598 | ||
599 | <tag>location_rewrite_program</tag> | |
600 | <p>Not yet ported from 2.6 | |
601 | ||
602 | <tag>refresh_pattern</tag> | |
603 | <p><em>stale-while-revalidate=</em> not yet ported from 2.7 | |
604 | <p><em>ignore-stale-while-revalidate=</em> not yet ported from 2.7 | |
605 | <p><em>negative-ttl=</em> not yet ported from 2.7 | |
606 | ||
607 | <tag>refresh_stale_hit</tag> | |
608 | <p>Not yet ported from 2.7 | |
609 | ||
610 | <tag>update_headers</tag> | |
611 | <p>Not yet ported from 2.7 | |
612 | ||
613 | </descrip> | |
614 | ||
6a9396a7 AJ |
615 | <sect>Copyright |
616 | <p> | |
617 | Copyright (C) 1996-2014 The Squid Software Foundation and contributors | |
618 | <p> | |
619 | Squid software is distributed under GPLv2+ license and includes | |
620 | contributions from numerous individuals and organizations. | |
621 | Please see the COPYING and CONTRIBUTORS files for details. | |
622 | ||
f2c46e40 | 623 | </article> |
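
The receive path described under "Receive PROXY protocol, Versions 1 & 2", as an added example that is not part of the Squid sources or of these release notes: a Python parser for both header versions that first applies the trusted-sender check the notes require and refuses traffic without a header. The header layouts follow the proxy-protocol.txt specification linked in that section; the names `ClientInfo`, `TRUSTED_FRONTENDS` and `client_from_connection` are hypothetical and the sample bytes are constructed.

```python
import ipaddress
import struct
from collections import namedtuple

V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # fixed 12-byte prefix of a v2 header
V1_MAX = 107                               # longest legal v1 line, CRLF included

# Assumption: stands in for "acl frontend src 192.0.2.1" and
# "proxy_protocol_access allow frontend" from the forward-proxy example.
TRUSTED_FRONTENDS = [ipaddress.ip_network("192.0.2.1/32")]

# src/dst stay None when the header carries no client address (UNKNOWN, LOCAL).
ClientInfo = namedtuple("ClientInfo", "src sport dst dport consumed")


class ProxyHeaderError(ValueError):
    """Raised when the connection has to be refused."""


def parse_port(text):
    if not text.isdigit() or int(text) > 65535:
        raise ProxyHeaderError("bad port")
    return int(text)


def parse_v1(data):
    """Parse 'PROXY TCP4|TCP6|UNKNOWN src dst sport dport CRLF'."""
    end = data.find(b"\r\n", 0, V1_MAX)
    if end < 0:
        raise ProxyHeaderError("v1 line not terminated within 107 bytes")
    try:
        fields = data[:end].decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ProxyHeaderError("non-ASCII byte in v1 line")
    if fields[0] != "PROXY" or len(fields) < 2:
        raise ProxyHeaderError("malformed v1 line")
    if fields[1] == "UNKNOWN":  # the rest of the line is ignored
        return ClientInfo(None, None, None, None, end + 2)
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError("malformed v1 line")
    ip_cls = ipaddress.IPv4Address if fields[1] == "TCP4" else ipaddress.IPv6Address
    try:
        src, dst = str(ip_cls(fields[2])), str(ip_cls(fields[3]))
    except ipaddress.AddressValueError:
        raise ProxyHeaderError("address does not match the declared family")
    return ClientInfo(src, parse_port(fields[4]), dst, parse_port(fields[5]), end + 2)


def parse_v2(data):
    """Parse the binary form: signature, ver/cmd, family/proto, length, addresses."""
    if len(data) < 16:
        raise ProxyHeaderError("truncated v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2 or (ver_cmd & 0x0F) not in (0, 1):
        raise ProxyHeaderError("unsupported v2 version or command")
    if len(data) < 16 + length:
        raise ProxyHeaderError("truncated v2 address block")
    consumed, body, family = 16 + length, data[16:16 + length], fam_proto >> 4
    if ver_cmd & 0x0F == 0 or family not in (1, 2):
        # LOCAL command, or AF_UNSPEC/AF_UNIX: keep the real peer address.
        return ClientInfo(None, None, None, None, consumed)
    ip_cls, size = (ipaddress.IPv4Address, 4) if family == 1 else (ipaddress.IPv6Address, 16)
    if length < 2 * size + 4:
        raise ProxyHeaderError("address block shorter than its family requires")
    src, dst, sport, dport = struct.unpack("!%ds%dsHH" % (size, size), body[:2 * size + 4])
    return ClientInfo(str(ip_cls(src)), sport, str(ip_cls(dst)), dport, consumed)


def client_from_connection(peer_ip, first_bytes, trusted=TRUSTED_FRONTENDS):
    """Apply the two checks of a require-proxy-header port, then parse."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted):
        raise ProxyHeaderError("peer is not allowed to send a PROXY header")
    if first_bytes.startswith(V2_SIGNATURE):
        return parse_v2(first_bytes)
    if first_bytes.startswith(b"PROXY "):
        return parse_v1(first_bytes)
    raise ProxyHeaderError("no PROXY header: plain HTTP is not accepted here")


# Constructed sample inputs (documentation addresses, not captured traffic).
SAMPLE_V1 = b"PROXY TCP4 198.51.100.7 192.0.2.1 51324 3128\r\nGET http://example.com/ HTTP/1.1\r\n\r\n"
SAMPLE_V2 = (V2_SIGNATURE + b"\x21\x11" + struct.pack("!H", 12)
             + ipaddress.IPv4Address("198.51.100.7").packed
             + ipaddress.IPv4Address("192.0.2.1").packed
             + struct.pack("!HH", 51324, 3128) + b"GET / HTTP/1.1\r\n\r\n")

if __name__ == "__main__":
    for raw in (SAMPLE_V1, SAMPLE_V2):
        info = client_from_connection("192.0.2.1", raw)
        print(info.src, info.sport, "payload:", raw[info.consumed:][:14])
```

The sender check runs before any parsing because whoever sends the header chooses the client details the receiver acts on, which is why the notes require <em>src</em> ACLs listing only trusted proxies.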