<!doctype linuxdoc system>
<article>
<title>Squid 5.0.6 release notes</title>
<author>Squid Developers</author>

<abstract>
This document contains the release notes for version 5 of Squid.
Squid is a WWW Cache application developed by the National Laboratory
for Applied Network Research and members of the Web Caching community.
</abstract>

<toc>

<sect>Notice
<p>The Squid Team are pleased to announce the release of Squid-5.0.6 for testing.

This new release is available for download from <url url="http://www.squid-cache.org/Versions/v5/"> or the
<url url="http://www.squid-cache.org/Download/http-mirrors.html" name="mirrors">.

<p>While this release is not deemed ready for production use, we believe it is ready for wider testing by the community.

<p>We welcome feedback and bug reports. If you find a bug, please see <url url="http://wiki.squid-cache.org/SquidFaq/BugReporting">
for how to submit a report with a stack trace.

<sect1>Known issues
<p>Although this release is deemed good enough for use in many setups, please note the existence of
<url url="http://bugs.squid-cache.org/buglist.cgi?query_format=advanced&product=Squid&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&version=5" name="open bugs against Squid-5">.

<sect1>Changes since earlier releases of Squid-5
<p>
The Squid-5 change history can be <url url="http://www.squid-cache.org/Versions/v5/changesets/" name="viewed here">.


<sect>Major new features since Squid-4
<p>Squid-5 represents a new feature release above Squid-4.

<p>The most important of these new features are:
<itemize>
<item>ICAP Trailers
<item>Happy Eyeballs Update
<item>Kerberos Group Helper
<item>TrivialDB Support
<item>RFC 8586: Loop Detection in Content Delivery Networks
<item>Peering support for SSL-Bump
</itemize>

Most user-facing changes are reflected in squid.conf (see below).


<sect1>ICAP Trailers
<p>Details in <url url="https://datatracker.ietf.org/doc/draft-rousskov-icap-trailers/" name="Draft: ICAP Trailers">

<p>The <em>Trailers</em> feature from HTTP is being proposed for addition to ICAP,
with some modifications.

<p>This implementation complies with version -01 of that draft:
<itemize>
<item>Announces ICAP Trailer support via the ICAP Allow request header field.
<item>Parses the ICAP response trailer if and only if the ICAP server signals
its presence by sending both a Trailer header and Allow/trailers in the
ICAP response.
</itemize>

<p>For now Squid logs and ignores all parsed ICAP trailer fields.
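The signalling rule above, as an added example that is not part of Squid or of the draft: a small Python parser for an ICAP/1.0 response that de-chunks the encapsulated body and parses the trailer only when the server sent both a Trailer header and Allow: trailers, leaving the trailing bytes alone otherwise. It also builds the client request that announces support in Allow. The ICAP service URI, ISTag value, X-Scan-Result trailer field and the HTTP message inside the sample are constructed for the demonstration; the parser assumes one encapsulated header section followed by a chunked body, and does not handle header folding or ICAP preview.

```python
"""ICAP/1.0 response parser applying the trailer-signalling rule (added example, not Squid code)."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class IcapResponse:
    status: int
    headers: dict[str, str]                  # ICAP header fields, names lower-cased
    http_headers: bytes                      # encapsulated HTTP header section (res-hdr/req-hdr)
    http_body: bytes                         # encapsulated body with chunking removed
    trailers: dict[str, str] = field(default_factory=dict)  # filled only when signalled
    unparsed_tail: bytes = b""               # bytes after the last chunk when not signalled


def _parse_fields(block: bytes) -> dict[str, str]:
    """Parse 'Name: value' lines into a dict keyed by lower-cased name (no line folding)."""
    fields: dict[str, str] = {}
    for line in block.split(b"\r\n"):
        if line:
            name, _, value = line.partition(b":")
            fields[name.strip().lower().decode()] = value.strip().decode()
    return fields


def _list_members(value: str) -> set[str]:
    """Lower-cased members of a comma-separated list such as 'Allow: 204, trailers'."""
    return {m.strip().lower() for m in value.split(",") if m.strip()}


def _dechunk(data: bytes) -> tuple[bytes, bytes]:
    """Decode a chunked body; return (body, bytes that follow the last-chunk line)."""
    body, pos = b"", 0
    while True:
        line_end = data.index(b"\r\n", pos)
        size = int(data[pos:line_end].split(b";")[0], 16)   # chunk extensions are ignored
        pos = line_end + 2
        if size == 0:
            return body, data[pos:]
        body += data[pos:pos + size]
        pos += size + 2                                      # chunk data plus its CRLF


def icap_request(method: str, host: str, uri: str, http_headers: bytes) -> bytes:
    """Build a minimal ICAP request whose Allow field announces trailer support."""
    head = (f"{method} {uri} ICAP/1.0\r\nHost: {host}\r\n"
            "Allow: 204, trailers\r\n"
            f"Encapsulated: req-hdr=0, null-body={len(http_headers)}\r\n\r\n")
    return head.encode() + http_headers


def parse_icap_response(raw: bytes) -> IcapResponse:
    """Parse one ICAP response; the trailer is parsed iff Trailer and Allow: trailers are present."""
    head, _, payload = raw.partition(b"\r\n\r\n")
    status_line, _, header_block = head.partition(b"\r\n")
    status = int(status_line.split()[1])
    headers = _parse_fields(header_block)
    # Encapsulated: res-hdr=0, res-body=N gives byte offsets into the payload
    enc: dict[str, int] = {}
    for token in headers.get("encapsulated", "null-body=0").split(","):
        name, _, offset = token.partition("=")
        enc[name.strip()] = int(offset)
    body_key = next((k for k in ("res-body", "req-body", "null-body") if k in enc), None)
    hdr_end = enc[body_key] if body_key else len(payload)
    http_headers = payload[:hdr_end]
    if body_key not in ("res-body", "req-body"):
        return IcapResponse(status, headers, http_headers, b"")   # no body, so no trailer
    body, tail = _dechunk(payload[hdr_end:])
    signalled = "trailer" in headers and "trailers" in _list_members(headers.get("allow", ""))
    if not signalled:
        # Unannounced trailer bytes are not trusted as header fields; kept only for logging
        return IcapResponse(status, headers, http_headers, body, unparsed_tail=tail)
    trailer_block, _, _ = tail.partition(b"\r\n\r\n")
    return IcapResponse(status, headers, http_headers, body, trailers=_parse_fields(trailer_block))


# Constructed sample ICAP server reply: a RESPMOD result carrying a scan verdict in the trailer
HTTP_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
CHUNKED_BODY = b"5\r\nhello\r\n0\r\nX-Scan-Result: clean\r\n\r\n"


def sample_response(signal_trailer: bool) -> bytes:
    """Same payload either way; only the signalling headers differ."""
    signal = "Trailer: X-Scan-Result\r\nAllow: trailers\r\n" if signal_trailer else ""
    head = ('ICAP/1.0 200 OK\r\nISTag: "w3e4r5t6"\r\n' + signal +
            f"Encapsulated: res-hdr=0, res-body={len(HTTP_HDR)}\r\n\r\n")
    return head.encode() + HTTP_HDR + CHUNKED_BODY
```

Feeding the two sample replies through parse_icap_response shows the difference: with both signals present the X-Scan-Result verdict arrives in trailers; without them the same bytes stay in unparsed_tail, which is the conservative behaviour when a server that never announced trailers appends data after the last chunk.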


<sect1>Happy Eyeballs Update

<p>Squid now uses a received IP address as soon as it is needed for request
forwarding instead of waiting for all of the potential forwarding
destinations to be fully resolved (i.e. complete both IPv4 and IPv6 domain
name resolution) before beginning to forward the request.

<p>Instead of obeying <em>dns_v4_first</em> settings, IP family usage order is
now primarily controlled by DNS response time: if a DNS AAAA response comes
first while Squid is waiting for an IP address, then Squid will use the
received IPv6 address(es) first. For previously cached IPs, Squid tries
IPv6 addresses first. To control IP address families used by Squid, admins
are expected to use firewalls, DNS recursive-resolver configuration, and/or
<em>--disable-ipv6</em>. When planning your configuration changes, please
keep in mind that the upcoming Happy Eyeballs improvements will favor
faster TCP connection establishment, decreasing the impact of DNS
resolution timing.

<p>These Happy Eyeballs changes do not affect peer selection: Squid still does
not move on to the next selected destination until all IP addresses for the
previous destination have been received and tried.

<p>The Cache Manager <em>mgr:ipcache</em> report no longer contains
"IPcache Entries In Use"; that information is now available in the
"cbdata ipcache_entry" row on the <em>mgr:mem</em> page.


<sect1>Kerberos Group Helper
<p>This release adds a sample Kerberos group authentication external_acl helper
called <em>ext_kerberos_sid_group_acl</em>.
It uses <em>ldapsearch</em> from OpenLDAP to look up the name of an AD group SID.

<p>This helper must be used together with the <em>negotiate_kerberos_auth</em> helper in
a Microsoft AD or Samba environment.

<p>It reads from the standard input the domain username and a list of group SIDs
and tries to match the group SIDs to the AD group SIDs.
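<p>An added example, not the <em>ext_kerberos_sid_group_acl</em> helper shipped with Squid: a minimal external_acl helper in Python that plays the same role. It reads one request per line from standard input (an optional concurrency channel ID, the domain user name, then the group SIDs that the authentication helper passed on as <em>group=</em> annotations), resolves each SID to a group name, and replies OK with the matched group or ERR. The SID-to-name table stands in for the ldapsearch query the real helper runs against AD; the SIDs, group names, the allowed-group command-line arguments, and the quoted key="value" reply form used for names containing spaces are all assumptions of this example.

```python
"""Minimal external_acl group helper (added example; not Squid's ext_kerberos_sid_group_acl)."""
import sys
from typing import Dict, Iterable, Optional

# Constructed stand-in for the AD directory the real helper queries with ldapsearch
# (objectSid -> group name). SIDs and names are made up for this example.
SID_DIRECTORY: Dict[str, str] = {
    "S-1-5-21-1004336348-1177238915-682003330-512": "Domain Admins",
    "S-1-5-21-1004336348-1177238915-682003330-1107": "proxy-users",
    "S-1-5-21-1004336348-1177238915-682003330-1108": "proxy-blocked",
}


def lookup_sid(sid: str, directory: Optional[Dict[str, str]] = None) -> Optional[str]:
    """Resolve a SID to a group name; None for unknown or non-domain SIDs."""
    if directory is None:
        directory = SID_DIRECTORY
    if not sid.startswith("S-1-5-21-"):       # well-known SIDs such as S-1-1-0 are never AD groups
        return None
    return directory.get(sid)


def _kv(key: str, value: str) -> str:
    """Format a reply key=value pair; quoting values with whitespace is an assumption here."""
    if any(c.isspace() for c in value):
        return f'{key}="{value}"'
    return f"{key}={value}"


def evaluate(line: str, allowed_groups: Iterable[str],
             directory: Optional[Dict[str, str]] = None, concurrent: bool = True) -> str:
    """Turn one request line into the reply line the external_acl interface expects.

    Request: [<channel-id>] <user> <sid> [<sid> ...]   (channel-id only with concurrency)
    Reply:   [<channel-id>] OK user=<user> group=<name> | ERR | BH message=<reason>
    """
    tokens = line.strip().split()
    channel = ""
    if concurrent and tokens:
        channel, tokens = tokens[0] + " ", tokens[1:]
    if len(tokens) < 2:
        return channel + "BH message=malformed_request"   # BH: helper-side problem, not a denial
    user, sids = tokens[0], tokens[1:]
    wanted = {g.lower() for g in allowed_groups}
    for sid in sids:
        name = lookup_sid(sid, directory)
        if name is not None and name.lower() in wanted:
            return f"{channel}OK {_kv('user', user)} {_kv('group', name)}"
    return channel + "ERR"


def main() -> None:
    """Helper loop: allowed group names come from argv; one reply per request, flushed."""
    allowed = sys.argv[1:]
    for line in sys.stdin:
        sys.stdout.write(evaluate(line, allowed) + "\n")
        sys.stdout.flush()                                  # Squid waits for each reply


if __name__ == "__main__":
    main()
```

Two points matter for a production helper of this kind: a malformed request is answered with BH rather than ERR, so Squid treats it as a helper failure instead of silently denying the user, and only domain SIDs are ever resolved, so well-known SIDs present in every token cannot be used to match a group name.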


<sect1>TrivialDB Support
<p>This release deprecates use of Berkeley DB in favour of TrivialDB.

<p>The Berkeley DB library code has been moved under a copyright licence which
causes problems for many OS distributors. The result is that most
are no longer providing the latest security-supported libdb version.

<p>TrivialDB by comparison has better OS support and security updates along
with functionality differences that resolve some long-standing issues
libdb suffered with parallel concurrent access to the database.

<p>The <em>ext_session_acl</em> and <em>ext_time_quota_acl</em> helpers may
now be built with either libdb or libtdb, preferring libtdb if both are
enabled or auto-detected at build time. Use the <em>--without-tdb</em>
build option to retain Berkeley DB support.

<p>Please note that the database formats are not guaranteed to be identical.
So when migrating it is recommended to erase the database file(s) and use
the helpers' functionality to rebuild them as needed.


<sect1>Loop Detection in Content Delivery Networks
<p>Details in <url url="https://tools.ietf.org/html/rfc8586" name="RFC 8586">

<p>Squid now uses the CDN-Loop header as a source for loop detection.

<p>This header is only relevant to CDN installations, for which the
<em>surrogate_id</em> configuration directive specifies the authoritative
ID.

<p>Squid does not add this header by default, preferring to use the
Via mechanism instead. Administrators may add it to requests
with the <em>request_header_add</em> directive or remove it with
<em>request_header_remove</em>.
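<p>As an added example (not Squid's implementation), here is the RFC 8586 check in Python: a parser for the CDN-Loop list syntax, including quoted-string parameters that may contain commas and semicolons, a loop check against the local <em>surrogate_id</em>, a simplified form of the Via hostname check that Squid prefers, and the value a CDN would forward after appending its own entry. The CDN identifiers, parameter names and hostnames in the sample values are constructed; comparing cdn-ids case-insensitively is this example's choice.

```python
"""RFC 8586 CDN-Loop parsing and loop detection (added example, not Squid's code)."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # RFC 7230 token characters


@dataclass
class CdnInfo:
    cdn_id: str                                   # host[:port] or pseudonym, lower-cased
    params: dict[str, str] = field(default_factory=dict)


def _split_unquoted(value: str, sep: str) -> list[str]:
    """Split on sep, ignoring separators inside quoted-strings and after a backslash."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if escaped:
            buf.append(ch); escaped = False
        elif ch == "\\" and quoted:
            buf.append(ch); escaped = True
        elif ch == '"':
            buf.append(ch); quoted = not quoted
        elif ch == sep and not quoted:
            parts.append("".join(buf)); buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def _unquote(v: str) -> str:
    if len(v) >= 2 and v[0] == v[-1] == '"':
        return re.sub(r"\\(.)", r"\1", v[1:-1])
    return v


def _quote_if_needed(v: str) -> str:
    if _TOKEN.match(v):
        return v
    return '"' + v.replace("\\", "\\\\").replace('"', '\\"') + '"'


def parse_cdn_loop(values: list[str]) -> list[CdnInfo]:
    """Parse every CDN-Loop field value (the header may be repeated) in order."""
    infos = []
    for value in values:
        for member in _split_unquoted(value, ","):
            cdn_id, *param_parts = _split_unquoted(member, ";")
            params = {}
            for p in param_parts:
                name, _, raw = p.partition("=")
                params[name.strip().lower()] = _unquote(raw.strip())
            infos.append(CdnInfo(cdn_id.lower(), params))
    return infos


def cdn_loop_detected(values: list[str], surrogate_id: str) -> bool:
    """True if our own surrogate_id already appears in the request's CDN-Loop list."""
    own = surrogate_id.lower()
    return any(info.cdn_id == own for info in parse_cdn_loop(values))


def via_loop_detected(via_values: list[str], unique_hostname: str) -> bool:
    """Simplified Via check: the received-by token of any hop equals our hostname."""
    own = unique_hostname.lower()
    for value in via_values:
        for hop in _split_unquoted(value, ","):
            fields = hop.split()
            if len(fields) >= 2 and fields[1].lower() == own:
                return True
    return False


def append_cdn_loop(values: list[str], surrogate_id: str, params: dict[str, str] | None = None) -> str:
    """Return the single CDN-Loop value to forward: existing members plus our own entry."""
    members = [m for v in values for m in _split_unquoted(v, ",")]
    own = surrogate_id
    for name, val in (params or {}).items():
        own += f"; {name}={_quote_if_needed(val)}"
    return ", ".join(members + [own])
```

Checking the request before appending, and appending only after the check passes, is the order RFC 8586 intends; a CDN that appends first would always find itself in the list.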


<sect1>Peering support for SSL-Bump
<p>Squid now supports forwarding of bumped, re-encrypted HTTPS requests through
a <em>cache_peer</em> using a standard HTTP CONNECT tunnel.

<p>There is no support for triggering client authentication when a <em>cache_peer</em>
configuration instructs the bumping Squid to relay authentication info
contained in the client CONNECT request. The bumping Squid still responds
with HTTP 200 (Connection Established) to the client CONNECT request (to
see the TLS client handshake) <em>before</em> selecting the cache_peer.

<p>HTTPS cache_peers are not yet supported, primarily because Squid cannot
yet do TLS-in-TLS.


<sect>Changes to squid.conf since Squid-4
<p>
There have been changes to Squid's configuration file since Squid-4.

This section gives a thorough account of those changes in three categories:

<itemize>
<item><ref id="newdirectives" name="New directives">
<item><ref id="modifieddirectives" name="Changes to existing directives">
<item><ref id="removeddirectives" name="Removed directives">
</itemize>
<p>

<sect1>New directives<label id="newdirectives">
<p>
<descrip>
<tag>auth_schemes</tag>
<p>New access control to customize the presence and order of authentication
schemes in Squid-generated HTTP 401 (Unauthorized) and 407
(Proxy Authentication Required) responses.

<tag>collapsed_forwarding_access</tag>
<p>New access control to restrict collapsed forwarding to a subset of
eligible HTTP, ICP and HTCP requests.

<tag>happy_eyeballs_connect_gap</tag>
<p>New directive to specify the minimum delay between opening spare
connections to any server.

<tag>happy_eyeballs_connect_limit</tag>
<p>New directive to specify the maximum number of spare connections
to any server.

<tag>happy_eyeballs_connect_timeout</tag>
<p>New directive to specify the minimum delay between opening a
primary to-server connection and opening a spare to-server
connection for the same transaction.

<tag>mark_client_connection</tag>
<p>New access control to apply a Netfilter CONNMARK value to a TCP client
connection.

<tag>mark_client_packet</tag>
<p>New access control to apply a Netfilter MARK value to packets being
transmitted on a client TCP connection.

<tag>response_delay_pool</tag>
<p>New access control to configure client response bandwidth limits.
This feature is a port and update of the class 6 / Client Delay Pools
feature planned for the abandoned <em>Squid-2.8</em> series.

<tag>response_delay_pool_access</tag>
<p>New access control to determine whether a specific named response
delay pool is used for the HTTP transaction.

<tag>shared_transient_entries_limit</tag>
<p>Replacement for <em>collapsed_forwarding_shared_entries_limit</em>.

</descrip>

<sect1>Changes to existing directives<label id="modifieddirectives">
<p>
<descrip>
<tag>acl</tag>
<p>The <em>CONNECT</em> ACL definition is now built-in.
<p>New <em>annotate_client</em> type to annotate a client TCP connection.
These annotations can be used by other ACLs, logs or helpers and
persist until the client TCP connection is closed.
<p>New <em>annotate_transaction</em> type to annotate an HTTP transaction.
Annotations can be used by other ACLs or helpers and persist until
logging of the HTTP transaction is completed.
<p>New value <em>GeneratingCONNECT</em> for the <em>at_step</em> type to
match when Squid is about to send a CONNECT request to a cache peer.
<p>Replaced <em>clientside_mark</em> with the <em>client_connection_mark</em>
type to match the Netfilter CONNMARK of the client TCP connection.

<tag>auth_param</tag>
<p>New <em>reservation-timeout=</em> option to allow NTLM and Negotiate
helpers to forget about clients with outstanding authentication
requests.
<p>Added support for CP1251 charset conversion when the <em>utf8</em> option
is configured.

<tag>authenticate_cache_garbage_interval</tag>
<p>Now disabled when the <em>--disable-auth</em> build parameter is used.

<tag>authenticate_ttl</tag>
<p>Now disabled when the <em>--disable-auth</em> build parameter is used.

<tag>authenticate_ip_ttl</tag>
<p>Now disabled when the <em>--disable-auth</em> build parameter is used.

<tag>deny_info</tag>
<p>New code <em>%A</em> to display the Squid listening IP address the client
TCP connection was connected to.

<tag>http_port</tag>
<p>New <em>worker-queues</em> option to have the TCP stack maintain a dedicated
listening queue for each worker in SMP.

<tag>https_port</tag>
<p>New <em>CONDITIONAL_AUTH</em> flag for the <em>sslflags=</em> option to
request client certificate(s) but not reject clients without any.

<tag>logformat</tag>
<p>New <em>ssl::<cert</em> macro code to display the received server X.509
certificate in PEM format.
<p>New <em>proxy_protocol::>h</em> code to display received PROXY
protocol version 2 TLV values.
<p>New <em>master_xaction</em> code to display Squid's internal
transaction ID.
<p>New <em>CF</em> value for the <em>%Ss</em> code to indicate the response
was handled by Collapsed Forwarding.
<p>New <em>TLS/1.3</em> value for the <em>%ssl::<negotiated_version</em>
code to indicate the request was received from the client using TLS/1.3.
<p>New <em>TLS/1.3</em> value for the <em>%ssl::>negotiated_version</em>
code to indicate the response was received from the server using TLS/1.3.
<p>Codes <em>rm</em>, <em><rm</em> and <em>>rm</em> display "-"
instead of the made-up method NONE.

</descrip>

<sect1>Removed directives<label id="removeddirectives">
<p>
<descrip>
<tag>clientside_mark</tag>
<p>Replaced by <em>mark_client_packet</em>.

<tag>collapsed_forwarding_shared_entries_limit</tag>
<p>Replaced by <em>shared_transient_entries_limit</em>.

<tag>dns_v4_first</tag>
<p>Removed. The new "Happy Eyeballs" algorithm uses received IP
addresses as soon as they are needed.
<p>Firewall rules prohibiting IPv6 TCP connections remain the preferred
configuration method for 'disabling' IPv6 connectivity, with DNS
recursive-resolver configuration also available.

</descrip>


<sect>Changes to ./configure options since Squid-4
<p>
There have been some changes to Squid's build configuration since Squid-4.

This section gives an account of those changes in three categories:

<itemize>
<item><ref id="newoptions" name="New options">
<item><ref id="modifiedoptions" name="Changes to existing options">
<item><ref id="removedoptions" name="Removed options">
</itemize>


<sect1>New options<label id="newoptions">
<p>
<descrip>
<tag>--without-tdb</tag>
<p>New option controlling whether TrivialDB support is used (and, when
given a path, which locally installed copy to build against).
<p>Samba TrivialDB is now the preferred database used by the
<em>ext_session_acl</em> and <em>ext_time_quota_acl</em> helpers,
deprecating use of Berkeley DB.

</descrip>

<sect1>Changes to existing options<label id="modifiedoptions">
<p>
<descrip>
<tag>--disable-optimizations</tag>
<p>No longer implies the <em>--disable-inline</em> option (which is removed).

<tag>--enable-external-acl-helpers</tag>
<p>New helper type <em>kerberos_sid_group</em> to match <em>group=</em>
annotations against AD domain group SIDs.

</descrip>
</p>

<sect1>Removed options<label id="removedoptions">
<p>
<descrip>
<tag>--disable-inline</tag>
<p>Removed. Use compiler flags instead if necessary.

<tag>-DUSE_CHUNKEDMEMPOOLS=1</tag>
<p>Removed compiler flag. Use the run-time environment variable <em>MEMPOOLS=1</em>
to enable chunked memory pools instead.

</descrip>


<sect>Regressions since Squid-2.7

<p>Some squid.conf options which were available in Squid-2.7 are not yet available in Squid-5

<p>If you need something to do then porting one of these from Squid-2 is most welcome.

<sect1>Missing squid.conf options available in Squid-2.7
<p>
<descrip>
<tag>broken_vary_encoding</tag>
<p>Not yet ported from 2.6

<tag>cache_peer</tag>
<p><em>monitorinterval=</em> not yet ported from 2.6
<p><em>monitorsize=</em> not yet ported from 2.6
<p><em>monitortimeout=</em> not yet ported from 2.6
<p><em>monitorurl=</em> not yet ported from 2.6

<tag>cache_vary</tag>
<p>Not yet ported from 2.6

<tag>error_map</tag>
<p>Not yet ported from 2.6

<tag>external_refresh_check</tag>
<p>Not yet ported from 2.7

<tag>location_rewrite_access</tag>
<p>Not yet ported from 2.6

<tag>location_rewrite_children</tag>
<p>Not yet ported from 2.6

<tag>location_rewrite_concurrency</tag>
<p>Not yet ported from 2.6

<tag>location_rewrite_program</tag>
<p>Not yet ported from 2.6

<tag>refresh_pattern</tag>
<p><em>stale-while-revalidate=</em> not yet ported from 2.7
<p><em>ignore-stale-while-revalidate=</em> not yet ported from 2.7
<p><em>negative-ttl=</em> not yet ported from 2.7

<tag>refresh_stale_hit</tag>
<p>Not yet ported from 2.7

<tag>update_headers</tag>
<p>Not yet ported from 2.7

</descrip>

<sect>Copyright
<p>
Copyright (C) 1996-2021 The Squid Software Foundation and contributors
<p>
Squid software is distributed under GPLv2+ license and includes
contributions from numerous individuals and organizations.
Please see the COPYING and CONTRIBUTORS files for details.

</article>