]>
Commit | Line | Data |
---|---|---|
4d0832d7 AJ |
1 | <!doctype linuxdoc system> |
2 | <article> | |
183b876f | 3 | <title>Squid 4.0.0 release notes</title> |
4d0832d7 AJ |
4 | <author>Squid Developers</author> |
5 | ||
6 | <abstract> | |
183b876f | 7 | This document contains the release notes for version 4 of Squid. |
4d0832d7 AJ |
8 | Squid is a WWW Cache application developed by the National Laboratory |
9 | for Applied Network Research and members of the Web Caching community. | |
10 | </abstract> | |
11 | ||
12 | <toc> | |
13 | ||
14 | <sect>Notice | |
4dd2c9d6 | 15 | <p>The Squid Team are pleased to announce the release of Squid-4.0.0 for testing. |
4d0832d7 | 16 | |
183b876f | 17 | This new release is available for download from <url url="http://www.squid-cache.org/Versions/v4/"> or the |
71f0186a | 18 | <url url="http://www.squid-cache.org/Download/http-mirrors.html" name="mirrors">. |
4d0832d7 AJ |
19 | |
20 | <p>While this release is not deemed ready for production use, we believe it is ready for wider testing by the community. | |
21 | ||
22 | <p>We welcome feedback and bug reports. If you find a bug, please see <url url="http://wiki.squid-cache.org/SquidFaq/BugReporting"> | |
23 | for how to submit a report with a stack trace. | |
24 | ||
25 | <sect1>Known issues | |
4dd2c9d6 | 26 | <p>Although this release is deemed good enough for use in many setups, please note the existence of |
183b876f | 27 | <url url="http://bugs.squid-cache.org/buglist.cgi?query_format=advanced&product=Squid&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&version=4" name="open bugs against Squid-4">. |
4d0832d7 | 28 | |
4dd2c9d6 AJ |
29 | <p>This release addsa dependency on C++11 support in any cmpiler used to build Squid. |
30 | As a result older C++03 -only and most C++0x compilers will no longer build successfully. | |
a9d17dfc | 31 | GCC 4.9+ and Clang 3.5+ are known to have working C++11 support and are usable. |
4dd2c9d6 AJ |
32 | GCC-4.8 will also build for now despite lack of full C++11 support, but some future features may not be available. |
33 | ||
183b876f | 34 | <sect1>Changes since earlier releases of Squid-4 |
4d0832d7 | 35 | <p> |
183b876f | 36 | The Squid-4 change history can be <url url="http://www.squid-cache.org/Versions/v4/changesets/" name="viewed here">. |
4d0832d7 AJ |
37 | |
38 | ||
39 | <sect>Major new features since Squid-3.5 | |
183b876f | 40 | <p>Squid 4 represents a new feature release above 3.5. |
4d0832d7 AJ |
41 | |
42 | <p>The most important of these new features are: | |
43 | <itemize> | |
32fd6d8a | 44 | <item>Helper concurrency channels changes |
9a258777 | 45 | <item>Configurable helper queue size |
0e5c14da | 46 | <item>SSL support removal |
700e2961 | 47 | <item>MSNT-multi-domain helper removal |
4dd2c9d6 AJ |
48 | <item>Secure ICAP |
49 | <item>Elliptic Curve Diffie-Hellman (ECDH) | |
50 | <item>Improved SMP support | |
4d0832d7 AJ |
51 | </itemize> |
52 | ||
53 | Most user-facing changes are reflected in squid.conf (see below). | |
54 | ||
55 | ||
6825b101 CT |
56 | <sect1>Configurable helper queue size |
57 | <p>The new queue-size=N option to helpers configuration, allows users | |
4dd2c9d6 | 58 | to configure the maximum number of queued requests to busy helpers. |
4d0832d7 | 59 | |
32fd6d8a | 60 | <sect1>Helper concurrency channels changes |
4dd2c9d6 AJ |
61 | <p>helper-mux.pl we have been distributing for the past few years to |
62 | encourage use of concurrency is no longer compatible with Squid. If | |
63 | used it will spawn up to 2^64 helpers and DoS the Squid server. | |
64 | ||
65 | <p>Helpers utilizing arrays to handle fixed amounts of concurrency | |
66 | channels MUST be re-written to use queues and capable of handling a | |
67 | 64-bit int as index or they will be vulnerable to buffer overrun and | |
68 | arbitrary memory accesses. | |
32fd6d8a | 69 | |
4dd2c9d6 AJ |
70 | <p>32-bit helpers need re-writing to handle the concurrency channel ID |
71 | as a 64-bit integer value. If not updated they will cause proxies to | |
72 | return unexpected results or timeout once crossing the 32-bit wrap | |
73 | boundary. Leading to undefined behaviour in the client HTTP traffic. | |
32fd6d8a | 74 | |
9a258777 | 75 | |
0e5c14da | 76 | <sect1>SSL support removal |
9a258777 | 77 | <p>Details in <url url="https://tools.ietf.org/html/rfc6176" name="RFC 6176"> |
0e5c14da | 78 | and <url url="https://tools.ietf.org/html/rfc7568" name="RFC 7568"> |
9a258777 AJ |
79 | |
80 | <p>SSLv2 is not fit for purpose. Squid no longer supports being configured with | |
4dd2c9d6 AJ |
81 | any settings regarding this protocol. That includes settings manually disabling |
82 | its use since it is now forced to disable by default. Also settings enabling | |
83 | various client/server workarounds specific to SSLv2 are removed. | |
9a258777 | 84 | |
0e5c14da | 85 | <p>SSLv3 is not fit for purpose. Squid still accepts configuration, but use |
4dd2c9d6 AJ |
86 | is deprecated and will be removed entirely in a future version. |
87 | Squid default behavour is to follow the TLS built in negotiation mechanism | |
88 | which prefers the latest TLS version. But also to accept downgrades to SSLv3. | |
89 | Use <em>tls-options=NO_SSLv3</em> to disable SSLv3 support completely. | |
0e5c14da | 90 | |
4dd2c9d6 AJ |
91 | <p>A new option <em>tls-min-version=1.N</em> is added in place of <em>sslversion=</em> |
92 | to configure the minimum version the TLS negotiation will allow to be used | |
93 | when an old TLS version is requested by the remote endpoint. | |
9a258777 | 94 | |
8f0e29d2 | 95 | |
4dd2c9d6 | 96 | <sect1>MSNT-multi-domain helper removal |
b0ab4ab3 AJ |
97 | <p>The <em>basic_msnt_multi_domain_auth</em> helper has been removed. The |
98 | <em>basic_smb_lm_auth</em> helper performs the same actions without extra | |
99 | Perl and Samba dependencies. | |
4d0832d7 AJ |
100 | |
101 | ||
4dd2c9d6 AJ |
102 | <sect1>Secure ICAP |
103 | <p>ICAP services can now be used over TLS connections. | |
104 | ||
105 | <p>To mark an ICAP service as secure, use an <em>icaps://</em> service URI scheme when | |
106 | listing your service via an icap_service directive. The industry is using a | |
68bdae93 AJ |
107 | <em>Secure ICAP</em> term, and Squid follows that convention, but <em>icaps</em> seems more |
108 | appropriate for a <em>scheme</em> name. | |
4dd2c9d6 AJ |
109 | |
110 | <p>Squid uses <em>port 11344</em> for Secure ICAP by default, following another popular | |
111 | proxy convention. The old 1344 default for plain ICAP ports has not changed. | |
112 | ||
113 | ||
114 | <sect1>Elliptic Curve Diffie-Hellman (ECDH) | |
115 | <p>All listening port which supported Diffie-Hellman key exchange are now updated | |
116 | to support Elliptic Curve configuration which allows for forward secrecy with | |
117 | better performance than traditional ephemeral Diffie-Hellman. | |
118 | ||
119 | <p>The http(s)_port <em>dhparams=</em> option is replaced with <em>tls-dh=</em> that | |
120 | takes an optional curve name as well as filename for curve parameters. The new | |
121 | option configured without a curve name uses the traditional ephemeral DH. | |
122 | ||
123 | <p>A new <em>options=SINGLE_ECDH_USE</em> parameter is added to enable ephemeral | |
124 | key exchanges for Elliptic Curve DH. | |
125 | ||
126 | ||
127 | <sect1>Improved SMP support | |
128 | <p>Use of C++11 atomic operations instead of GNU atomics allows a wider range of | |
129 | operating systems and compilers to build Squid SMP and multi-process features. | |
130 | However this does require a C++11 or C++0x compiler with a recent version of | |
131 | the C++ standard library. | |
132 | ||
133 | <p>IpcIo and Mmapped disk I/O modules are now auto-detected properly which | |
134 | enables Rock storage on more systems by default than previously. | |
135 | ||
136 | ||
4d0832d7 AJ |
137 | <sect>Changes to squid.conf since Squid-3.5 |
138 | <p> | |
139 | There have been changes to Squid's configuration file since Squid-3.5. | |
140 | ||
141 | This section gives a thorough account of those changes in three categories: | |
142 | ||
143 | <itemize> | |
144 | <item><ref id="newtags" name="New tags"> | |
145 | <item><ref id="modifiedtags" name="Changes to existing tags"> | |
146 | <item><ref id="removedtags" name="Removed tags"> | |
147 | </itemize> | |
148 | <p> | |
149 | ||
150 | <sect1>New tags<label id="newtags"> | |
151 | <p> | |
152 | <descrip> | |
7e62a74f AJ |
153 | <tag>tls_outgoing_options</tag> |
154 | <p>New tag to define TLS security context options for outgoing | |
155 | connections. For example to HTTPS servers. | |
4d0832d7 | 156 | |
ff5d59eb AJ |
157 | <tag>url_rewrite_timeout</tag> |
158 | <p>Squid times active requests to redirector. This option sets | |
159 | the timeout value and the Squid reaction to a timed out | |
160 | request. | |
161 | ||
4d0832d7 AJ |
162 | </descrip> |
163 | ||
164 | <sect1>Changes to existing tags<label id="modifiedtags"> | |
165 | <p> | |
166 | <descrip> | |
9a258777 AJ |
167 | <tag>auth_param</tag> |
168 | <p>New parameter <em>queue-size=</em> to set the maximum number | |
169 | of queued requests. | |
170 | ||
171 | <tag>cache_peer</tag> | |
1cc44095 | 172 | <p>New option <em>tls-min-version=1.N</em> to set minimum TLS version allowed. |
8b253b83 | 173 | <p>New option <em>tls-no-default-ca</em> replaces <em>sslflags=NO_DEFAULT_CA</em> |
0e5c14da AJ |
174 | <p>All <em>ssloptions=</em> values for SSLv2 configuration or disabling |
175 | have been removed. | |
176 | <p>Removed <em>sslversion=</em> option. Use <em>tls-options=</em> instead. | |
9a258777 | 177 | <p>Manual squid.conf update may be required on upgrade. |
b0769ee3 | 178 | <p>Replaced <em>sslcafile=</em> with <em>tls-cafile=</em> which takes multiple entries. |
9a258777 | 179 | |
183b876f | 180 | <tag>external_acl_type</tag> |
9a258777 AJ |
181 | <p>New parameter <em>queue-size=</em> to set the maximum number |
182 | of queued requests. | |
183 | ||
184 | <tag>http_port</tag> | |
0e5c14da | 185 | <p>New option <em>tls-min-version=1.N</em> to set minimum TLS version allowed. |
8b253b83 | 186 | <p>New option <em>tls-no-default-ca</em> replaces <em>sslflags=NO_DEFAULT_CA</em> |
0e5c14da AJ |
187 | <p>All <em>option=</em> values for SSLv2 configuration or disabling |
188 | have been removed. | |
189 | <p>Removed <em>version=</em> option. Use <em>tls-options=</em> instead. | |
4dd2c9d6 AJ |
190 | <p>New <em>options=SINGLE_ECDH_USE</em> parameter to enable ephemeral |
191 | ECDH key exchange. | |
192 | <p>Deprecated <em>dhparams=</em> option. Use <em>tls-dh=</em> instead. | |
193 | The new option allows to optionally specify an elliptic curve for | |
194 | ephemeral ECDH by adding <em>curve-name:</em> in front of the | |
195 | parameter file name. | |
9a258777 | 196 | <p>Manual squid.conf update may be required on upgrade. |
b0769ee3 | 197 | <p>Replaced <em>cafile=</em> with <em>tls-cafile=</em> which takes multiple entries. |
8b253b83 | 198 | <p>New option <em>tls-no-default-ca</em> replaces <em>sslflags=NO_DEFAULT_CA</em> |
9a258777 AJ |
199 | |
200 | <tag>https_port</tag> | |
0e5c14da | 201 | <p>New option <em>tls-min-version=1.N</em> to set minimum TLS version allowed. |
8b253b83 | 202 | <p>New option <em>tls-no-default-ca</em> replaces <em>sslflags=NO_DEFAULT_CA</em> |
1cc44095 | 203 | <p>All <em>options=</em> values for SSLv2 |
9a258777 | 204 | configuration or disabling have been removed. |
0e5c14da | 205 | <p>Removed <em>version=</em> option. Use <em>tls-options=</em> instead. |
54fbe371 PM |
206 | <p>New <em>options=SINGLE_ECDH_USE</em> parameter to enable ephemeral |
207 | ECDH key exchange. | |
208 | <p>Deprecated <em>dhparams=</em> option. Use <em>tls-dh=</em> instead. | |
209 | The new option allows to optionally specify an elliptic curve for | |
210 | ephemeral ECDH by adding <em>curve-name:</em> in front of the | |
211 | parameter file name. | |
9a258777 | 212 | <p>Manual squid.conf update may be required on upgrade. |
b0769ee3 | 213 | <p>Replaced <em>cafile=</em> with <em>tls-cafile=</em> which takes multiple entries. |
9a258777 | 214 | |
4dd2c9d6 AJ |
215 | <tag>icap_service</tag> |
216 | <p>New scheme <em>icaps://</em> to enable TLS/SSL connections to Secure ICAP | |
217 | servers on port 11344. | |
218 | <p>New <em>tls-cert=</em> option to set TLS client certificate to use. | |
219 | <p>New <em>tls-key=</em> option to set TLS private key matching the client | |
220 | certificate used. | |
221 | <p>New <em>tls-min-version=1.N</em> option to set minimum TLS version allowed | |
222 | on server connections. | |
223 | <p>New <em>tls-options=</em> option to set OpenSSL library parameters. | |
224 | <p>New <em>tls-flags=</em> option to set flags modifying Squid TLS operations. | |
225 | <p>New <em>tls-cipher=</em> option to set a list of ciphers permitted. | |
226 | <p>New <em>tls-cafile=</em> option to set a file with additional CA | |
227 | certificate(s) to verify the server certificate. | |
228 | <p>New <em>tls-crlfile=</em> option to set a file with a CRL to verify the | |
229 | server certificate. | |
230 | <p>New <em>tls-domain=</em> option to verify the server certificate domain. | |
231 | ||
c28b9a0e AJ |
232 | <tag>logformat</tag> |
233 | <p>New code <em>%ssl::<cert_errors</em> to display server certificate errors. | |
234 | ||
235 | <tag>pid_filename</tag> | |
236 | <p>Default value now based on squid -n command line parameter. | |
237 | ||
064679ea AJ |
238 | <tag>refresh_pattern</tag> |
239 | <p>Removed <em>ignore-auth</em>. Its commonly desired behaviour is | |
240 | performed by default with correct HTTP/1.1 revalidation. | |
241 | <p>Removed <em>ignore-must-revalidate</em>. Other more HTTP compliant | |
242 | directives can be used to prevent objects from caching. | |
243 | ||
9a258777 AJ |
244 | <tag>sslcrtd_children</tag> |
245 | <p>New parameter <em>queue-size=</em> to set the maximum number | |
246 | of queued requests. | |
247 | ||
248 | <tag>sslcrtvalidator_children</tag> | |
249 | <p>New parameter <em>queue-size=</em> to set the maximum number | |
250 | of queued requests. | |
6825b101 | 251 | |
183b876f | 252 | <tag>url_rewrite_children</tag> |
9a258777 AJ |
253 | <p>New parameter <em>queue-size=</em> to set the maximum number |
254 | of queued requests. | |
4d0832d7 AJ |
255 | |
256 | </descrip> | |
257 | ||
258 | <sect1>Removed tags<label id="removedtags"> | |
259 | <p> | |
260 | <descrip> | |
f1a5d071 AJ |
261 | <tag>cache_peer_domain</tag> |
262 | <p>Superceded by <em>cache_peer_access</em>. Use dstdomain ACL | |
263 | in the access control list to restrict domains requested. | |
264 | ||
d94cbaa8 AJ |
265 | <tag>refresh_pattern</tag> |
266 | <p>Option <em>ignore-auth</em> removed. Its original intent was | |
267 | to improve caching. HTTP/1.1 permits caching of authenticated | |
268 | messages under conditions which Squid does check for and obey. | |
4d0832d7 | 269 | |
7e62a74f AJ |
270 | <tag>sslproxy_cafile</tag> |
271 | <p>Replaced by <em>tls_outgoing_options cafile=</em>. | |
b0769ee3 | 272 | Which now takes multiple entries. |
7e62a74f AJ |
273 | |
274 | <tag>sslproxy_capath</tag> | |
275 | <p>Replaced by <em>tls_outgoing_options capath=</em>. | |
276 | ||
277 | <tag>sslproxy_cipher</tag> | |
278 | <p>Replaced by <em>tls_outgoing_options cipher=</em>. | |
279 | ||
280 | <tag>sslproxy_client_certificate</tag> | |
281 | <p>Replaced by <em>tls_outgoing_options cert=</em>. | |
282 | ||
283 | <tag>sslproxy_client_key</tag> | |
284 | <p>Replaced by <em>tls_outgoing_options key=</em>. | |
285 | ||
286 | <tag>sslproxy_flags</tag> | |
287 | <p>Replaced by <em>tls_outgoing_options flags=</em>. | |
288 | ||
289 | <tag>sslproxy_options</tag> | |
290 | <p>Replaced by <em>tls_outgoing_options options=</em>. | |
1cc44095 AJ |
291 | <p>All values for SSLv2 configuration or disabling have been removed. |
292 | <p>Manual squid.conf update may be required on upgrade. | |
7e62a74f AJ |
293 | |
294 | <tag>sslproxy_version</tag> | |
1cc44095 AJ |
295 | <p>Replaced by <em>tls_outgoing_options options=</em>. |
296 | <p>All values for SSLv2 configuration or disabling have been removed. | |
297 | <p>Manual squid.conf update may be required on upgrade. | |
4d0832d7 AJ |
298 | |
299 | </descrip> | |
300 | ||
301 | ||
302 | <sect>Changes to ./configure options since Squid-3.5 | |
303 | <p> | |
304 | There have been some changes to Squid's build configuration since Squid-3.5. | |
305 | ||
306 | This section gives an account of those changes in three categories: | |
307 | ||
308 | <itemize> | |
309 | <item><ref id="newoptions" name="New options"> | |
310 | <item><ref id="modifiedoptions" name="Changes to existing options"> | |
311 | <item><ref id="removedoptions" name="Removed options"> | |
312 | </itemize> | |
313 | ||
314 | ||
315 | <sect1>New options<label id="newoptions"> | |
316 | <p> | |
317 | <descrip> | |
318 | ||
319 | </descrip> | |
320 | ||
321 | <sect1>Changes to existing options<label id="modifiedoptions"> | |
322 | <p> | |
323 | <descrip> | |
700e2961 AJ |
324 | <tag>--enable-auth-basic</tag> |
325 | <p>The <em>MSNT-multi-domain</em> helper has been removed. | |
4d0832d7 | 326 | |
4dd2c9d6 AJ |
327 | <tag>--enable-diskio</tag> |
328 | <p>Auto-detection of SMP related modules has been fixed to | |
329 | actually auto-detect them without configuring the module | |
330 | list manually. | |
331 | ||
4d0832d7 AJ |
332 | </descrip> |
333 | </p> | |
334 | ||
335 | <sect1>Removed options<label id="removedoptions"> | |
336 | <p> | |
337 | <descrip> | |
338 | ||
339 | </descrip> | |
340 | ||
341 | ||
342 | <sect>Regressions since Squid-2.7 | |
343 | ||
183b876f | 344 | <p>Some squid.conf options which were available in Squid-2.7 are not yet available in Squid-4 |
4d0832d7 AJ |
345 | |
346 | <p>If you need something to do then porting one of these from Squid-2 to Squid-3 is most welcome. | |
347 | ||
348 | <sect1>Missing squid.conf options available in Squid-2.7 | |
349 | <p> | |
350 | <descrip> | |
351 | <tag>broken_vary_encoding</tag> | |
352 | <p>Not yet ported from 2.6 | |
353 | ||
354 | <tag>cache_peer</tag> | |
355 | <p><em>monitorinterval=</em> not yet ported from 2.6 | |
356 | <p><em>monitorsize=</em> not yet ported from 2.6 | |
357 | <p><em>monitortimeout=</em> not yet ported from 2.6 | |
358 | <p><em>monitorurl=</em> not yet ported from 2.6 | |
359 | ||
360 | <tag>cache_vary</tag> | |
361 | <p>Not yet ported from 2.6 | |
362 | ||
363 | <tag>error_map</tag> | |
364 | <p>Not yet ported from 2.6 | |
365 | ||
366 | <tag>external_refresh_check</tag> | |
367 | <p>Not yet ported from 2.7 | |
368 | ||
369 | <tag>location_rewrite_access</tag> | |
370 | <p>Not yet ported from 2.6 | |
371 | ||
372 | <tag>location_rewrite_children</tag> | |
373 | <p>Not yet ported from 2.6 | |
374 | ||
375 | <tag>location_rewrite_concurrency</tag> | |
376 | <p>Not yet ported from 2.6 | |
377 | ||
378 | <tag>location_rewrite_program</tag> | |
379 | <p>Not yet ported from 2.6 | |
380 | ||
381 | <tag>refresh_pattern</tag> | |
382 | <p><em>stale-while-revalidate=</em> not yet ported from 2.7 | |
383 | <p><em>ignore-stale-while-revalidate=</em> not yet ported from 2.7 | |
384 | <p><em>negative-ttl=</em> not yet ported from 2.7 | |
385 | ||
386 | <tag>refresh_stale_hit</tag> | |
387 | <p>Not yet ported from 2.7 | |
388 | ||
389 | <tag>update_headers</tag> | |
390 | <p>Not yet ported from 2.7 | |
391 | ||
392 | </descrip> | |
393 | ||
6a9396a7 AJ |
394 | <sect>Copyright |
395 | <p> | |
bde978a6 | 396 | Copyright (C) 1996-2015 The Squid Software Foundation and contributors |
6a9396a7 AJ |
397 | <p> |
398 | Squid software is distributed under GPLv2+ license and includes | |
399 | contributions from numerous individuals and organizations. | |
400 | Please see the COPYING and CONTRIBUTORS files for details. | |
401 | ||
4d0832d7 | 402 | </article> |