1 <!doctype linuxdoc system>
3 <title>Squid 3.2.0.18 release notes</title>
4 <author>Squid Developers</author>
7 This document contains the release notes for version 3.2 of Squid.
8 Squid is a WWW Cache application developed by the National Laboratory
9 for Applied Network Research and members of the Web Caching community.
16 The Squid Team are pleased to announce the release of Squid-3.2.0.18 for testing.
18 This new release is available for download from <url url="http://www.squid-cache.org/Versions/v3/3.2/"> or the <url url="http://www.squid-cache.org/Mirrors/http-mirrors.html" name="mirrors">.
20 While this release is not deemed ready for production use, we believe it is ready for wider testing by the community.
22 We welcome feedback and bug reports. If you find a bug, please see <url url="http://wiki.squid-cache.org/SquidFaq/BugReporting"> for how to submit a
23 report with a stack trace.
27 Although this release is deemed good enough for use in many setups, please note the existence of <url url="http://bugs.squid-cache.org/buglist.cgi?query_format=advanced&short_desc_type=allwordssubstr&short_desc=&target_milestone=3.2&long_desc_type=allwordssubstr&long_desc=&bug_file_loc_type=allwordssubstr&bug_file_loc=&status_whiteboard_type=allwordssubstr&status_whiteboard=&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&emailtype1=substring&email1=&emailtype2=substring&email2=&bugidtype=include&bug_id=&votes=&chfieldfrom=&chfieldto=Now&chfieldvalue=&cmdtype=doit&order=bugs.bug_severity&field0-0-0=noop&type0-0-0=noop&value0-0-0=" name="open bugs against Squid-3.2">.
29 <p>Currently known issues which only depends on available developer time and may still be resolved in a future 3.2 release are:
32 <item>CVE-2009-0801 : interception proxies cannot relay certain requests to peers. see the CVE section below for details.
33 <item>SMP Support still has a number of important bugs needing to be resolved. see the bugs list above for details.
34 <item>Windows support is still incomplete.
35 <item>TCP logging of access.log does not recover from broken connections well.
36 <item>The lack of some features available in Squid-2.x series. See the regression sections below for full details.
40 <sect1>Changes since earlier releases of Squid-3.2
42 The 3.2 change history can be <url url="http://www.squid-cache.org/Versions/v3/3.2/changesets/" name="viewed here">.
44 <sect>Major new features since Squid-3.1
45 <p>Squid 3.2 represents a new feature release above 3.1.
47 <p>The most important of these new features are:
49 <item>Fixed CVE-2009-0801 : NAT interception vulnerability to malicious clients.
51 <item>Helper Multiplexer and On-Demand
52 <item>Helper Name Changes
53 <item>Multi-Lingual manuals
54 <item>Solaris 10 pthreads Support
55 <item>Surrogate/1.0 protocol extensions to HTTP
56 <item>Logging Infrastructure Updated
57 <item>Client Bandwidth Limits
58 <item>Better eCAP support
59 <item>Cache Manager access changes
62 Most user-facing changes are reflected in squid.conf (see below).
65 <sect1>Fixed CVE-2009-0801 : NAT interception vulnerability to malicious clients.
66 <p>Details in Advisory <url url="http://www.squid-cache.org/Advisories/SQUID-2011_1.txt" name="SQUID-2011:1">
68 <p>Squid locates the authority-URL details available in an HTTP request as
69 defined by RFC 2616 and validates that all found representations are
70 <em>textually</em> equivalent. In the case of intercepted traffic the
71 client destination IP is also compared to the Host: authority domains
74 <p>When the Host: authority contradicts another authority source Squid will log
75 "SECURITY ALERT: Host: header forgery detected". The response will then be determined
76 by the <url url="http://www.squid-cache.org/Doc/config/host_verify_strict/" name="host_verify_strict">
77 directive. Squid will respond with 409 Conflict error response when strict validation
78 fails and handles the request normally when strict validation succeeds or is OFF (default).
80 <p>Relaying of messages which FAIL non-strct Host: validation are permitted through Squid but
81 only to the original destination IP the client was requesting. This means interception proxies
82 can not be used as feeder gateways into a cluster or peer hierarchy without strict validation.
84 <p>Known Issue: When non-strict validation fails Squid will relay the request, but can only do
85 so to the orginal destination IP the client was contacting. This means that interception
86 proxy Squid are unable to pass traffic reliably to peers in a cache hierarchy.
87 Developer time is required to implement safe transit of these requests.
88 Please contact squid-dev if you are able to assist or sponsor the development.
91 <sect1>SMP scalability
92 <p>The new "workers" squid.conf option can be used to launch multiple worker
93 processes and utilize multiple CPU cores. The overall intent is to make
94 multiple workers look like one to an outside observer, while providing
95 knobs to customize each worker behavior if needed.
97 <p>By default, all worker processes are configured identically and do what a
98 single Squid instance would have done. Squid.conf macro substitutions and
99 conditionals (see below) can be used to customize individual worker
100 configurations. In the paragraphs below, "can share" implies "will share by
103 <p>Workers can share HTTP, HTTPS, SNMP, ICP, and HTCP listening addresses.
104 Configuration related to ICP and HTCP clients must be adjusted to avoid
105 source address conflicts: Modify the IP address and/or the port used for
106 the protocol. Workers do not share DNS addresses by default because the OS
107 assigns each worker a unique DNS port.
109 <p>Workers can share logs.
111 <p>Workers can share caches. Memory cache is automatically shared when multiple
112 workers are used. Cache_dir are shared when configured with the <em>rock</em>
113 storage type. Cache_dir of other types must be adjusted to point each
114 disk-caching worker to its own disk area. ICP and HTCP responses are based
115 on the responding worker cache state.
117 <p>Cache manager statistics are reported from a worker point of view, for now.
118 Though some reports are combined. SNMP statistics are combined across all
121 <p>Startup, reconfiguration, shutdown, and log rotation are handled as for a
122 monolithic Squid. Abnormally terminated workers are restarted while
123 other workers continue serving traffic.
125 <sect2>Squid.conf macros and conditionals
126 <p>Added support for process_name and process_number macros as well as simple
127 if-statement conditionals in squid.conf. These features allow individual
128 worker customization in SMP mode. For details, search for "Conditional
129 configuration" and "SMP-Related Macros" sections in squid.conf.documented.
132 <sect1>Helper Multiplexer
133 <p>The helper multiplexer's purpose is to relieve some of the burden
134 Squid has when dealing with slow helpers. It does so by acting as a
135 middleman between squid and the actual helpers, talking to Squid via
136 the multiplexed concurrent variant of the helper protocol and to the
137 helpers via the non-concurrent variant.
139 <p>Helpers are started on demand, and in theory the muxer can handle up to
140 1k helpers per instance. It's up to squid to decide how many helpers
143 <p>The muxer knows nothing about the actual messages being passed around,
144 and as such can't really (yet?) compensate for broken helpers.
145 It is not yet able to manage dying helpers, but it will.
147 <p>To configure the multiplexer add its binary name (usually /usr/share/libexec/helper-mux.pl)
148 in front of the name of whichever helper is being multiplexed. It takes the helper binary
149 path and parameters as its own command parameters. The <em>concurrency</em> setting already
150 existing in Squid is used to configure how many child helpers it may run.
152 <p>For example, a traditional configration is
154 url_rewrite_program /your/redirector.sh
155 url_rewrite_children 5
157 the alternative multiplexer configuration is:
159 url_rewrite_program /usr/share/libexec/helper-mux.pl /your/redirector.sh
160 url_rewrite_children 1 concurrency=5
163 <p>Helpers which are already concurrent protocol enabled gain little benefit from the multiplexer
164 on most systems. However on some systems where Squid spawning helpers causes excess memory usage
165 the reduction in direct helper spawned by Squid can result in a great reduction in resource use.
167 <p>The helper can be controlled using various signals:
169 <item>SIGHUP: dump the state of all helpers to STDERR
173 <sect1>Helpers On-Demand
174 <p>Traditionally Squid has been configured with a fixed number of helpers and started them during
175 it's start and reconfigure phases. This forces the hard configuration problem of how many helpers
176 will be needed to be solved before starting Squid in production use.
178 <p>The on-demand helpers feature allows greater flexibility and resolves this problem by allowing
179 maximum, initial and idle thresholds to be configured. Squid will start the initial set during
180 start and reconfigure phases. However over the operational use new helpers up to the maxium will
181 be started as load demands. The idle threshold determins how many more helpers to start if the
182 currently running set is not enough to handle current request loads.
184 <p>For example, a traditional configration is
186 auth_param ntlm /usr/libexec/squid/ntlm_auth
187 auth_param ntlm children 200
189 the alternative on-demand configuration could be:
191 auth_param ntlm /usr/libexec/squid/ntlm_auth
192 auth_param ntlm children 200 startup=10 idle=2
195 <p>The example still permits up to 200 helpers to be running at once under peak traffic loads.
196 But only starts 10 when Squid is initialized resulting in a faster boot up.
197 When client requests threaten to overload the running helpers an additional 2 will be started.
199 <p>NOTE: if no <em>startup</em> and <em>idle</em> values are specified the traditional behaviour
200 of starting the maximum number of helpers will occur.
203 <sect1>Helper Name Changes
204 <p>To improve the understanding of what each helper does and where it should be used the helper binaries
205 which are bundled with Squid have undergone a naming change in this release.
207 <p>Below is a list of the old helper names and what their names have changed to.
208 For several helpers the directory name used in --enable-X-helpers configure option has also changed.
210 <sect2>Basic Authentication protocol helpers
212 <item>squid_db_auth - basic_db_auth - Retrieve authentication details from a simple SQL database table.
213 <item>getpwnam_auth - basic_getpwname_auth - Authenticate with local system user accounts.
214 <item>squid_ldap_auth - basic_ldap_auth - Authenticate with LDAP user accounts.
215 <item>MSNT-multi-domain - basic_msnt_multi_domain_auth - Authenticate with any one of multiple Windows Domain Controllers.
216 <item>msnt_auth - basic_msnt_auth - Authenticate with Windows Domain Controllers selected by username.
217 <item>ncsa_auth - basic_ncsa_auth - Authenticate with NCSA httpd-style password file.
218 <item>yp_auth - basic_nis_auth - Authenticate with NIS security system.
219 <item>pam_auth - basic_pam_auth - Authenticate with the system PAM infrastructure.
220 <item>pop3.pl - basic_pop3_auth - Authenticate with a mail server POP3/SMTP credentials.
221 <item>squid_radius_auth - basic_radius_auth - Authenticate with RADIUS.
222 <item>squid_sasl_auth - basic_sasl_auth - Authenticate with SASL.
223 <item>smb_auth - basic_smb_auth - Authenticate with Samba SMB.
224 <item>mswin_sspi - basic_sspi_auth - Authenticate with a Windows Domain Controller using SSPI.
227 <sect2>Digest Authentication protocol helpers
229 <item>digest_pw_auth - digest_file_auth - Authenticate against credentials stored in a simple text file.
232 <sect2>External ACL helpers
234 <item>mswin_check_ad_group - ext_ad_group_acl - Check logged in users Group membership using Active Directory.
235 <item>ip_user_check - ext_file_userip_acl - Restrict users to cetain IP addresses, using a text file backend.
236 <item>squid_kerb_ldap - ext_kerberos_ldap_group_acl - Check logged in Kerberos or NTLM users Group membership using LDAP.
237 <item>squid_ldap_group - ext_ldap_group_acl - Check logged in users Group membership using LDAP.
238 <item>mswin_check_lm_group - ext_lm_group_acl - Check logged in users Group membership using LanManager.
239 <item>squid_session - ext_session_acl - Maintain a session cache of client identifiers (usually IP address).
240 This helper has also gone through a version update and now uses more current BerkeleyDB 4.1+ APIs.
241 <item>squid_unix_group - ext_unix_group_acl - Check logged in users Group membership using local UNIX groups.
242 <item>wbinfo_group.pl - ext_wbinfo_group_acl - Check logged in users Group membership using wbinfo.
245 <sect2>Negotiate Authentication protocol helpers
247 <item>squid_kerb_auth - negotiate_kerberos_auth - Authenticate with Kerberos servers.
248 <item>mswin_sspi - negotiate_sspi_auth - Authenticate with a Windows Domain Controller using SSPI.
249 <item>negotiate_wrapper - negotiate_wrapper_auth - Split Negotiate traffic between Kerberos and NTLM helpers.
252 <sect2>NTLM Authentication protocol helpers
254 <item>no_check.pl - Deprecated. - Use the faster and less easily decrypted ntlm_fake_auth instead.
255 <item>fakeauth_auth - ntlm_fake_auth - Perform NTLMSSP to recover the username but don't verify the password.
256 <item>ntlm_auth - ntlm_smb_lm_auth - Perform SMB LanManager domain-less authentication over NTLM protocol.
257 <item>mswin_ntlm_auth - ntlm_sspi_auth - Perform NTLMSSP authentication using Windows native Security Support Provider Interface API.
260 <sect2>URL re-write helpers
261 <p>This group of helpers have been bundled to demonstrate how to code URL re-writers:
263 <item>url_fake_rewrite - Accept various url_rewrite details and log the input.
267 <sect1>Multi-Lingual manuals
268 <p>The man(8) and man(1) pages bundled with Squid are now provided online for all
269 versions and beginning with 3.2 they are available in languages other than English (where translated).
271 <p>Details in <url url="http://wiki.squid-cache.org/Features/QualityOfService" name="The Squid wiki">
273 <p>3.1 began the Internationalization of Squid with the public facing error pages.
274 This move begins the Localization of the internal administrator facing manuals.
277 <sect1>Solaris 10 pthreads Support (Experimental)
278 <p>Automatic detection and use of the pthreads library available from Solaris 10
280 <p>The result of this addition means that faster more efficient AUFS cache storage mechanisims
281 are now available in Solaris 10.
283 <p>Support is experimental at this stage due to lack of feedback on the results of enabling it.
284 We recommend giving AUFS a try for faster disk storage and encourage feedback.
287 <sect1>Surrogate/1.0 protocol extensions to HTTP
288 <p>The <em>Surrogate</em> extensions to HTTP protocol enable an origin web server to specify separate
289 cache controls for a reverse proxy acting on its behalf. Previously this was closely tied with the ESI
290 feature support in Squid. This release opens Surrogate support to all reverse proxies.
292 <p>Reverse proxy requests sent on to the web server include the HTTP header <em>Surrogate-Capabilities:</em>
293 specifying the capabilities of the reverse proxy along with an ID which can be used to target reponses with
294 a <em>Surrogate-Control:</em> HTTP header used instead of the <em>Cache-Control:</em> header.
296 <p>The default surrogate ID is generated automatically from the Squid site-unique hostname as found by the
297 automatic detection or manual configuration of <em>visible_hostname</em> although can be configured
298 separately with the <em>httpd_accel_surrogate_id</em> option.
300 <p><em>Security Considerations:</em> Websites sould be careful of accepting any surrogate ID.
301 Older releases of Squid leak the Surrogate-Control headers to external servers.
302 This 3.2 series of Squid will now prevent this leakage of its own ID destined responses, however it is possible
303 and for some uses desirable to receive external reverse-proxies <em>Surrogate-Capabilities:</em> headers.
305 <p><em>NOTE:</em> Several operating system distributions historically package Squid with a forced value of
306 <em>visible_hostname localhost</em>. If this is done on a Surrogate enabled install a manual re-configuration
307 is required to prevent an unacceptable surrogate ID of 'localhost' being generated.
310 <sect1>Logging Infrastructure Updated
311 <p>The advanced logging modules introduced in Squid-2.7 are now available from Squid-3.2.
313 <p>This feature is documented at http://wiki.squid-cache.org/Features/LogModules
315 <p>The new infrastructure currently supports several different channels types (modules) ranging from
316 direct filesystem logging (stdio, daemon) to network logging (syslog, UDP and TCP). The daemon logging
317 interface allows for a custom helper to be written to process logs in real-time.
319 <p>Upgrading: the <em>access_log</em> was previously logged via what is now called the <em>stdio</em> module.
320 This is still supported and used by default if no module is named. For best performance particularly in SMP
321 environments we recommend the <em>daemon</em> be used. The provided <em>log_file_daemon</em> helper
322 performs the traditional logging to local filesystem.
324 <p>Additional to this the cache.log can now be limited to a smaller number of files stored.
325 Traditionally cache.log.N has been fixed at the same number of rotated files as access.log.N through the
326 <em>logfile_rotate</em> setting. The <em>debug_options</em> setting can now be used to configure the number
327 of debug cache.log files to rotate through with a <em>rotate=N</em> option. This is particularly useful for
328 logging a single cache.log at relatively high debug levels on a high-traffic system. Or one which is
329 required to store a long period of access.log and needs to conserve disk space.
331 <p>The referer_log and useragent_log directives have been converted to built-in log formats.
332 These logs are now created using an access_log line with the format "referrer" or "useragent".
333 They also now log all client requests, if there was no Referer or User-Agent header a dash (-) is logged.
335 <p>Known Issue: The TCP logging module does not recover from broken connections well.
336 At present it will restart the affected Squid instance if the TCP connection is broken.
339 <sect1> Client Bandwidth Limits
340 <p>In mobile environments, Squid may need to limit Squid-to-client bandwidth
341 available to individual users, identified by their IP addresses. The IP
342 address pool can be as large as a /10 IPv4 network (4 million unique IP
343 addresses) and even larger in IPv6 environments. On the other hand, the code
344 should support thousands of connections coming from a single IP (e.g.,
347 <p>The implementation is based on storing bandwidth-related "bucket" information
348 in the existing "client database" hash (client_db.cc). The old code already
349 assigned each client IP a single ClientInfo object, which satisfies the
350 client-side IP-based bandwidth pooling requirements. The old hash size is
351 increased to support up to 32K concurrent clients if needed.
353 <p>Client-side pools are configured similarly to server-side ones, but there is
354 only one pool class. See client_delay_pools,
355 client_delay_initial_bucket_level, client_delay_parameters, and
356 client_delay_access in squid.conf. The client_delay_access matches the client
357 with delay parameters. It does not pool clients from different IP addresses
360 <p>Special care is taken to provide fair distribution of bandwidth among clients
361 sharing the same bucket (i.e., clients coming from the same IP address).
362 Multiple same-IP clients competing for bandwidth are queued using FIFO
363 algorithm. If a bucket becomes empty, the first client among those sharing
364 the bucket is delayed by 1 second before it can attempt to receive more
365 response data from Squid. This delay may need to be lowered in
366 high-bandwidth environments.
369 <sect1>Better eCAP Suport
370 <p>Support for libecap version 0.2.0 has been added with this series of Squid. Bringing
371 better support for body handling, and logging.
373 <p>Known Issue: Due to API changes in libecap this release of Squid will not build
374 against any older libecap releases.
377 <sect1>Cache Manager access changes
378 <p>The Squid Cache Manager has previously only been accessible under the cache_object://
379 URL scheme. Which has restricted its reporting to tools which can send arbitrary
382 <p>This version of Squid now provides access through the http:// and https:// URL schemes
383 allowing web browsers access without having to use the cachemgr.cgi gateway and enabling
384 the use of HTTPS security were desired.
386 <p>The cache manager is available under the path prefix /squid-internal-mgr/. For example
387 the URL http://example/com/squid-internal-mgr/menu will bring up the manager menu. This
388 means there are some configuration changes required to lock down manager access.
389 The <em>manager</em> ACL needs changing to:
391 acl manager url_regex -i ^cache_object:// ^https?://[^/]+/squid-internal-mgr/
394 <p>The manager prefix /squid-internal-mgr/ with no action attempts to load an optional
395 template MGR_INDEX which may be installed amongst in the Squid error templates.
396 This template is not supplied with Squid but intended to be supplied by separate
397 cache manager applications as their front page embedding all scripts, accessors or
398 redirects required for their initial GUI display.
400 <p>Version 3.2 of the CGI cache manager tool now presents XHR scripted probes to detect
401 proxies presenting these manager index pagess and provides direct HTTP/HTTPS web links
405 <sect>Changes to squid.conf since Squid-3.1
407 There have been changes to Squid's configuration file since Squid-3.1.
409 This section gives a thorough account of those changes in three categories:
412 <item><ref id="newtags" name="New tags">
413 <item><ref id="modifiedtags" name="Changes to existing tags">
414 <item><ref id="removedtags" name="Removed tags">
418 <sect1>New tags<label id="newtags">
421 <tag>adaptation_meta</tag>
422 <p>This option allows Squid administrator to add custom ICAP request
423 headers or eCAP options to Squid ICAP requests or eCAP transactions.
425 <tag>adaptation_send_client_ip</tag>
426 <p>Same as depricated icap_send_client_ip
427 but applies to both ICAP and eCAP.</p>
429 <tag>adaptation_send_username</tag>
430 <p>Same as depricated icap_send_client_username
431 but applies to both ICAP and eCAP.</p>
433 <tag>adaptation_uses_indirect_client</tag>
434 <p>Same as depricated icap_uses_indirect_client
435 but applies to both ICAP and eCAP.</p>
437 <tag>client_delay_pools</tag>
438 <p>New setting for client bandwith limits to specifies the number
439 of client delay pools used.
441 <tag>client_delay_initial_bucket_level</tag>
442 <p>New setting for client bandwith limits to determine the initial
443 bucket size as a percentage of max_bucket_size from
444 client_delay_parameters.
446 <tag>client_delay_parameters</tag>
447 <p>New setting for client bandwith limits to configures client-side
450 <tag>client_delay_access</tag>
451 <p>New setting for client bandwith limits to determines the
452 client-side delay pool for the request.
454 <tag>client_dst_passthru</tag>
455 <p>New setting to disable extra Host: header security on interception proxies.
456 Impacts cache integrity/reliability and client browser security.
457 <p><em>IMPORTANT:</em> disabling this directive only allows Squid to change the
458 destination IP to another source indicated by Host: domain DNS or
459 cache_peer configuration. It <em>does not</em> affect Host: validation.
461 <tag>client_idle_pconn_timeout</tag>
462 <p>Renamed from <em>persistent_request_timeout</em>.
464 <tag>cpu_affinity_map</tag>
465 <p>New setting for SMP support to map Squid processes onto specific CPU cores.
467 <tag>connect_retries</tag>
468 <p>Replacement for <em>maximum_single_addr_tries</em>, but instead of only applying to hosts with single addresses.
469 This directive applies to all hosts, extending the number of connection attempts to each IP address.
471 <tag>dns_packet_max</tag>
472 <p>New setting to configure maximum number of bytes packet size to advertise via EDNS.
473 Set to "none" (the initial default) to disable EDNS large packet support.
476 <p>Part of conditional SMP support syntax. see <em>if</em>
479 <p>Part of conditional SMP support syntax. see <em>if</em>
481 <tag>eui_lookup</tag>
482 <p>Whether to lookup the EUI or MAC address of a connected client.
484 <tag>host_verify_strict</tag>
485 <p>New option to enable super-strict HTTP and DNS information match.
486 Ensuring the HTTP URI details, DNS records, and TCP connection layers all match in a
487 three-legged security verification. Preventing domain hijacking or malicious poisoning
488 attacks by malicious scripts.
489 <p>The default is to verify only intercepted traffic, to log all issues and let failed
490 traffic through when doing so can be done safely.
492 <tag>icap_206_enable</tag>
493 <p>New option to toggle whether the ICAP 206 (Partial Content) responses extension.
497 <p>New conditional syntax for SMP multiple-worker.
498 If-statements can be used to make configuration directives depend on conditions.
499 <p>The else part is optional. The keywords <em>if</em>, <em>else</em> and <em>endif</em>
500 must be typed on their own lines, as if they were regular configuration directives.
502 <tag>logfile_daemon</tag>
503 <p>Ported from 2.7. Specify the file I/O daemon helper to run for logging.
506 <p>Places an upper limit on how stale content Squid will serve from the cache if cache validation fails
508 <tag>memory_cache_mode</tag>
509 <p>Controls which objects to keep in the memory cache (cache_mem)
511 'always' Keep most recently fetched objects in memory (default)
513 'disk' Only disk cache hits are kept in memory, which means
514 an object must first be cached on disk and then hit
515 a second time before cached in memory.
517 network Only objects fetched from network is kept in memory
520 <tag>memory_cache_shared</tag>
521 <p>Controls whether the memory cache is shared among SMP workers.
522 <p>Currently, entities exceeding 32KB in size cannot be shared.
524 <tag>server_idle_pconn_timeout</tag>
525 <p>Renamed from <em>pconn_timeout</em>.
527 <tag>tproxy_uses_indirect_client</tag>
528 <p>Controls whether the indirect client address found in the X-Forwarded-For
529 header is used for spoofing instead of the directly connected client address.
530 Requires both <em>--enable-follow-x-forwarded-for</em> and <em>--enable-linux-netfilter</em>
533 <p>Number of main Squid processes or "workers" to fork and maintain.
534 In SMP mode, each worker does nearly all what a single Squid daemon
535 does (e.g., listen on http_port and forward HTTP requests).
537 0: "no daemon" mode, like running "squid -N ..."
538 1: "no SMP" mode, start one main Squid process daemon (default)
539 N: start N main Squid process daemons (i.e., SMP mode)
542 <tag>write_timeout</tag>
543 <p>New setting to limit time spent waiting for data writes to be confirmed.
546 <sect1>Changes to existing tags<label id="modifiedtags">
549 <tag>access_log</tag>
550 <p>New <em>stdio</em> module to send log data directly from Squid to a disk file.
551 This is the historic behaviour of Squid before logging modules were introduced, and
552 remains the default used when no module is selected.
553 It is recommended to upgrade logging to the faster <em>daemon:</em> module.
554 <p>New <em>daemon</em> module to send each log line as text data to a file I/O daemon handling the slow disk I/O.
555 New installs, or installs with no logs configured explicitly will use this module by default.
556 <p>New <em>tcp</em> module to send each log line as text data to a TCP receiver.
557 <p>New <em>udp</em> module to send each log line as text data to a UDP receiver.
558 <p>New format <em>referrer</em> to log with the format prevously used by referer_log directive.
559 <p>New format <em>useragent</em> to log with the format prevously used by useragent_log directive.
561 <tag>acl : random, localip, localport</tag>
562 <p>New type <em>random</em>. Pseudo-randomly match requests based on a configured probability.
563 <p>Renamed <em>myip</em> to <em>localip</em>. It matches the IP which the client connected to.
564 <p>Renamed <em>myport</em> to <em>localport</em>. It matches the port which the client connected to.
565 <p>The <em>localip</em>/<em>localport</em> differ from earlier releases where they matched a mix of
566 of an invalid IP and port 0, the client destination IP/port or the Squid listening IP/port.
567 This definition is now consistent across all modes of traffic received by Squid.
568 <p>The <em>manager</em> ACL requires adjustment to cover new cache manager access:
570 acl manager url_regex -i ^cache_object:// ^https?://[^/]+/squid-internal-mgr/
573 <tag>auth_param</tag>
574 <p>New options for Basic, Digest, NTLM, Negotiate <em>children</em> settings.
575 <em>startup=N</em> determins minimum number of helper processes used.
576 <em>idle=N</em> determines how many helper to retain as buffer against sudden traffic loads.
577 <em>concurrency=N</em> previously called <em>auth_param ... concurrency</em> as a separate option.
578 <p>Removed Basic, Digest, NTLM, Negotiate <em>auth_param ... concurrency</em> setting option.
579 <p>Known Issue: NTLM and Negotiate protocols do not support concurrency. When set this option is ignored.
582 <p><em>min-size</em> option ported from Squid-2
584 <tag>cache_peer</tag>
585 <p><em>htcp-*</em> options collapsed into <em>htcp=</em> taking an optional comma-separated list of flags.
586 The old form is deprecated but still accepted.
588 <tag>clientside_mark</tag>
589 <p>New configuration parameter <em>clientside_mark</em>
590 <p>Allows packets leaving Squid on the client side to be marked with a Netfilter mark value in the same way as the existing clientside_tos feature.
591 <p>This feature is only available for Netfilter environments.
594 <p>Support URL format tags. For dynamically generated URL in denial redirect.
595 <p>Support the full range of 200-599 HTTP status codes.
596 3xx status only available when redirecting to a URI.
597 Other status only available when supplying an error template body.
599 <tag>external_acl_type</tag>
600 <p>New format tags and option parameters:
601 <p><em>%SRCEUI48</em> EUI-48 / MAC address of client from ARP lookup.
602 <p><em>%SRCEUI64</em> EUI-64 of clients with SLAAC address.
603 <p><em>%EXT_LOG</em> log= message returned by previous external ACL calls. An updated version may be returned.
604 <p><em>%EXT_TAG</em> tag= value returned by previous external ACL calls. Tag may not be altered once set.
605 <p><em>children-max=N</em> determins maximum number of helper processes used.
606 <p><em>children-startup=N</em> determins minimum number of helper processes used.
607 <p><em>children-idle=N</em> determines how many helper to retain as buffer against sudden traffic loads.
608 <p>Deprecated <em>children=N</em> in favor of <em>children-max=N</em>.
610 <tag>http_port act-as-origin vhost no-vhost</tag>
611 <p><em>act-as-origin</em> ported from 2.7.
612 This option corrects several HTTP header issues when operating as a reverse proxy and cache.
613 Notably the externally visible aging of objects stored in the server-side cache.
614 <p><em>vhost</em> is deprecated. <em>accel</em> mode, reverse proxy, now defaults to always enable HTTP/1.1 virtual domain support.
615 <p><em>no-vhost</em> option is added to disable the new reverse proxy behaviour.
617 <tag>icap_send_client_ip</tag>
618 <p>Deprecated in favor of adaptation_send_client_ip
619 which applies to both ICAP and eCAP.</p>
621 <tag>icap_send_client_username</tag>
622 <p>Deprecated in favor of adaptation_send_username
623 which applies to both ICAP and eCAP.</p>
625 <tag>icap_uses_indirect_client</tag>
626 <p>Deprecated in favor of adaptation_uses_indirect_client
627 which applies to both ICAP and eCAP.</p>
630 <p><em>%<a</em> Server or Peer IP address from the last server connection (next hop).
631 <p><em>%>bs</em> Number of HTTP-equivalent message body bytes received from the next hop.
632 <p><em>icap::%>bs</em> Number of message body bytes received from the ICAP server.
633 <p><em>%sn</em> Unique sequence number per log line. Ported from 2.7
634 <p><em>%>eui</em> EUI logging (EUI-48 / MAC address for IPv4, EUI-64 for IPv6).
635 Both EUI forms are logged in the same field. Type can be identified by length or byte delimiter.
636 <p><em>%err_code</em> The ID of an error response served by Squid or a similar internal error identifier
637 <p><em>%err_detail</em> Additional err_code-dependent error information.
638 <p><em>%>la</em> Rename of %la to indicate being a client connection detail.
639 <p><em>%>lp</em> Rename of %lp to indicate being a client connection detail.
640 <p><em>%<p</em> Server or Peer port number from the last server connection (next hop).
642 <tag>memory_pools_limit</tag>
643 <p>Memory limits have been revised and corrected from 3.1.4 onwards.
644 <p>Please check and update your squid.conf to use the text <em>none</em> for no limit instead of the old 0 (zero).
645 <p>All users upgrading need to be aware that from Squid-3.3 setting this option to 0 (zero) will mean zero bytes of memory get pooled.
648 <p>New options <em>mark</em> and <em>tos</em> and <em>miss</em>
649 <p><em>tos</em> retains the original QOS functionality of the IP header TOS field.
650 <p><em>mark</em> offers the same functionality, but with a netfilter mark value.
651 <p>These options should be placed immediately after qos_flows.
652 <p>The <em>tos</em> value is optional in order to maintain backwards compatability.
653 <p>The preserve-miss functionality is available with the <em>mark</em> option and requires no kernel patching.
654 It does, however, require libnetfilter_conntrack.
655 This will be included by default if available (see the --without-netfilter-conntrack configure option for more details).
656 <p><em>miss</em> sets a value for a cache miss. It is available for both the tos and mark options and takes precedence over the preserve-miss feature.
658 <tag>range_offset_limit</tag>
659 <p>Added ACL support for control over when the limit applies and when it is avoided.
661 <tag>refresh_pattern</tag>
662 <p>New option <em>max-stale=</em> to provide a maximum staleness factor. Squid won't
663 serve objects more stale than this even if it failed to validate the object.
665 <tag>reply_header_access</tag>
666 <p>Added support for custom header header names.</p>
668 <tag>request_header_access</tag>
669 <p>Added support for custom header header names.</p>
671 <tag>reply_header_replace</tag>
672 <p>Added support for custom header header names.</p>
674 <tag>request_header_replace</tag>
675 <p>Added support for custom header header names.</p>
677 <tag>tcp_outgoing_address</tag>
678 <p>This parameter is now compatible with persistent server connections.
679 The IPv6 magic 'to_ipv6' hacks needed in 3.1 are now no longer necessary.
681 <tag>tcp_outgoing_mark</tag>
682 <p>New configuration parameter <em>tcp_outgoing_mark</em>
683 <p>Allows packets leaving Squid on the server side to be marked with a Netfilter mark value in the same way as the existing tcp_outgoing_tos feature.
684 <p>This feature is only available for Netfilter environments.
686 <tag>tcp_outgoing_tos</tag>
687 <p>This parameter is now compatible with persistent server connections.
689 <tag>url_rewrite_children</tag>
690 <p>New options <em>startup=N</em>, <em>idle=N</em>, <em>concurrency=N</em>
692 <item>startup=N allow finer tuning of how many helpers are started initially.
693 <item>idle=N allow fine tuning of how many helper to retain as buffer against sudden traffic loads.
694 <item>concurrency=N was previously called url_rewrite_concurrency as a distinct directive.
697 <tag>windows_ipaddrchangemonitor</tag>
698 <p>Now only available to be set in Windows builds.
703 <sect1>Removed tags<label id="removedtags">
706 <tag>dns_v4_fallback</tag>
707 <p>Obsolete. Replaced by DNS parallel lookups.
709 <tag>emulate_httpd_log</tag>
710 <p>Replaced by <em>common</em> format option on an <em>access_log</em> directive.
712 <tag>forward_log</tag>
715 <tag>ftp_list_width</tag>
718 <tag>ignore_expect_100</tag>
722 <p>Obsolete. Replaced by automatic detection of the %>A logformat tag.
724 <tag>log_ip_on_direct</tag>
725 <p>Obsolete. Use a custom log with <em>%<A</em> format tag to receive server FQDN or peer name.
727 <tag>maximum_single_addr_tries</tag>
728 <p>The behaviour controlled by this directive is no longer possible.
729 It has been replaced by <em>connect_retries</em> option which operates a little differently.
731 <tag>pconn_timeout</tag>
732 <p>Renamed to <em>server_idle_pconn_timeout</em>
734 <tag>persistent_request_timeout</tag>
735 <p>Renamed to <em>client_idle_pconn_timeout</em>
737 <tag>referer_log</tag>
738 <p>Replaced by the <em>referrer</em> format option on an <em>access_log</em> directive.
740 <tag>url_rewrite_concurrency</tag>
741 <p>Replaced by url_rewrite_children ... concurrency=N option.
743 <tag>useragent_log</tag>
744 <p>Replaced by the <em>useragent</em> format option on an <em>access_log</em> directive.
748 <sect>Changes to ./configure options since Squid-3.1
750 There have been some changes to Squid's build configuration since Squid-3.1.
752 This section gives an account of those changes in three categories:
755 <item><ref id="newoptions" name="New options">
756 <item><ref id="modifiedoptions" name="Changes to existing options">
757 <item><ref id="removedoptions" name="Removed options">
761 <sect1>New options<label id="newoptions">
764 <tag>--enable-auth-basic[=HELPERS]</tag>
765 <p>Specified without any parameters all helpers will be auto-built.
766 <p>With an explicit empty list <em>=""</em> protocol support will be built but no helpers.
767 <p>With an explicit list protocol support and just those helpers will be built.
769 <tag>--enable-auth-digest[=HELPERS]</tag>
770 <p>Specified without any parameters all helpers will be auto-built.
771 <p>With an explicit empty list <em>=""</em> protocol support will be built but no helpers.
772 <p>With an explicit list protocol support and just those helpers will be built.
774 <tag>--enable-auth-negotiate</tag>
775 <p>Specified without any parameters all helpers will be auto-built.
776 <p>With an explicit empty list <em>=""</em> protocol support will be built but no helpers.
777 <p>With an explicit list protocol support and just those helpers will be built.
779 <tag>--enable-auth-ntlm</tag>
780 <p>Specified without any parameters all helpers will be auto-built.
781 <p>With an explicit empty list <em>=""</em> protocol support will be built but no helpers.
782 <p>With an explicit list protocol support and just those helpers will be built.
784 <tag>--enable-build-info</tag>
785 <p>Add an additional string in the output of "squid -v".
787 <tag>--enable-eui</tag>
788 <p>Enable Support for handling EUI operations.
789 This includes ARP lookups for MAC (EUI-48) addresses and the ACL arp type tests.
791 <tag>--enable-log-daemon-helpers</tag>
792 <p>Build helpers for logging I/O.
794 <tag>--enable-url-rewrite-helpers</tag>
795 <p>Build helpers for some basic URL-rewrite actions. For use by url_rewrite_program.
796 If omitted or set to =all then all bundled helpers that are able to build will be built.
797 If set to a specific list of helpers then only those helpers will build.
798 Currently one demo helper <em>fake</em> is provided in shell and C++ forms to demonstrate
799 the helper protocol usage and provide exemplar code.
801 <tag>--with-swapdir=PATH</tag>
802 <p>Location to display in documentation for the default cache.
803 Updated to indicate /var/cache/squid in accordance with the filesystem layout standards.
804 Squid-3 no longer builds an implicit disk cache at this location, so the change is not expected
805 to have any effect on existing builds other than fixing some mysterious lack of core dumps.
806 The old /var/cache location was often non-writable which blocked core dumps creation.
808 <tag>--without-netfiler-conntrack</tag>
809 <p>Disables the libnetfilter_conntrack library being used for the new qos_flows option <em>mark</em>.
810 default is to auto-detect the library and use where available.
813 <sect1>Changes to existing options<label id="modifiedoptions">
816 <tag>--enable-auth</tag>
817 <p>No longer takes a list of arguments. This option now is restricted to building Squid with or without authentication support.
818 <p>The new <em>--enable-auth-X</em>/<em>--disable-auth-X</em> parameters determine which authentication protocols and helpers are built.
823 <sect1>Removed options<label id="removedoptions">
826 <tag>--enable-arp-acl</tag>
827 <p>Replaced by --enable-eui
829 <tag>--enable-auth-basic-helpers</tag>
830 <p>replaced by <em>--enable-auth-basic</em>.
832 <tag>--enable-auth-digest-helpers</tag>
833 <p>replaced by <em>--enable-auth-digest</em>.
835 <tag>--enable-auth-negotiate-helpers</tag>
836 <p>replaced by <em>--enable-auth-negotiate</em>.
838 <tag>--enable-auth-ntlm-helpers</tag>
839 <p>replaced by <em>--enable-auth-ntlm</em>.
841 <tag>--enable-referer-log</tag>
844 <tag>--enable-useragent-log</tag>
850 <sect>Options Removed since Squid-2
852 <p>Some squid.conf and ./configure options which were available in Squid-2.6 and Squid-2.7 are made obsolete in Squid-3.2.
854 <sect1>Removed squid.conf options since Squid-2.7
857 <tag>auth_param</tag>
858 <p><em>blankpassword</em> option for basic scheme removed.
860 <tag>authenticate_ip_shortcircuit_access</tag>
861 <p>Not safe for general use.
862 An external_acl_type helper may be used to bypass authentication if that is suitable.
864 <tag>authenticate_ip_shortcircuit_ttl</tag>
865 <p>Not safe for general use.
866 An external_acl_type helper may be used to bypass authentication if that is suitable.
868 <tag>cache_peer</tag>
869 <p><em>http11</em> Obsolete.
871 <tag>external_acl_type</tag>
872 <p>Format tag <em>%{Header}</em> replaced by <em>%>{Header}</em>
873 <p>Format tag <em>%{Header:member}</em> replaced by <em>%>{Header:member}</em>
875 <tag>header_access</tag>
876 <p>Replaced by <em>request_header_access</em> and <em>reply_header_access</em>
879 <p><em>no-connection-auth</em> replaced by <em>connection-auth=[on|off]</em>. Default is ON.
880 <p><em>transparent</em> option replaced by <em>intercept</em>
881 <p><em>http11</em> obsolete.
883 <tag>http_access2</tag>
884 <p>Replaced by <em>adapted_http_access</em>
886 <tag>httpd_accel_no_pmtu_disc</tag>
887 <p>Replaced by <em>http_port disable-pmtu-discovery=</em> option
889 <tag>incoming_rate</tag>
892 <tag>redirector_bypass</tag>
893 <p>Replaced by <em>url_rewrite_bypass</em>
895 <tag>server_http11</tag>
898 <tag>upgrade_http0.9</tag>
902 <p>Replaced by <em>qos_flows local-hit=</em>
907 <tag>zph_option</tag>
910 <tag>zph_parent</tag>
911 <p>Replaced by <em>qos_flows parent-hit=</em>
913 <tag>zph_sibling</tag>
914 <p>Replaced by <em>qos_flows sibling-hit=</em>
918 <sect1>Removed squid.conf options since Squid-2.6
922 <p><em>read-only</em> option replaced by <em>no-store</em>.
926 <sect1>Removed ./configure options since Squid-2.7
929 <tag>--enable-coss-aio-ops</tag>
932 <tag>--enable-devpoll</tag>
933 <p>Replaced by automatic detection.
935 <tag>--enable-dlmalloc=LIB</tag>
938 <tag>--enable-epoll</tag>
939 <p>Replaced by automatic detection.
941 <tag>--enable-forward-log</tag>
944 <tag>--enable-heap-replacement</tag>
947 <tag>--enable-htcp</tag>
948 <p>Obsolete. Enabled by default.
950 <tag>--enable-large-cache-files</tag>
953 <tag>--enable-mempool-debug</tag>
956 <tag>--enable-multicast-miss</tag>
959 <tag>--enable-poll</tag>
960 <p>Replaced by automatic detection.
962 <tag>--enable-select</tag>
963 <p>Replaced by automatic detection.
965 <tag>--enable-select-simple</tag>
966 <p>Replaced by automatic detection.
968 <tag>--enable-snmp</tag>
969 <p>Obsolete. Enabled by default.
971 <tag>--enable-truncate</tag>
974 <tag>--disable-kqueue</tag>
975 <p>Obsolete. Disabled by default.
980 <sect>Regressions since Squid-2.7
982 <p>Some squid.conf and ./configure options which were available in Squid-2.7 are not yet available in Squid-3.2
984 <p>If you need something to do then porting one of these from Squid-2 to Squid-3 is most welcome.
986 <sect1>Missing squid.conf options available in Squid-2.7
990 <p><em>urllogin</em> option not yet ported from 2.6
991 <p><em>urlgroup</em> option not yet ported from 2.6
993 <tag>broken_vary_encoding</tag>
994 <p>Not yet ported from 2.6
997 <p><em>COSS</em> storage type is lacking stability fixes from 2.6
998 <p>COSS <em>overwrite-percent=</em> option not yet ported from 2.6
999 <p>COSS <em>max-stripe-waste=</em> option not yet ported from 2.6
1000 <p>COSS <em>membufs=</em> option not yet ported from 2.6
1001 <p>COSS <em>maxfullbufs=</em> option not yet ported from 2.6
1003 <tag>cache_peer</tag>
1004 <p><em>idle=</em> not yet ported from 2.7
1005 <p><em>monitorinterval=</em> not yet ported from 2.6
1006 <p><em>monitorsize=</em> not yet ported from 2.6
1007 <p><em>monitortimeout=</em> not yet ported from 2.6
1008 <p><em>monitorurl=</em> not yet ported from 2.6
1010 <tag>cache_vary</tag>
1011 <p>Not yet ported from 2.6
1013 <tag>collapsed_forwarding</tag>
1014 <p>Not yet ported from 2.6
1016 <tag>error_map</tag>
1017 <p>Not yet ported from 2.6
1019 <tag>external_acl_type</tag>
1020 <p><em>%ACL</em> format tag not yet ported from 2.6
1021 <p><em>%DATA</em> format tag not yet ported from 2.6
1023 <tag>external_refresh_check</tag>
1024 <p>Not yet ported from 2.7
1026 <tag>http_port</tag>
1027 <p><em>urlgroup=</em> not yet ported from 2.6
1029 <tag>ignore_ims_on_miss</tag>
1030 <p>Not yet ported from 2.7
1032 <tag>location_rewrite_access</tag>
1033 <p>Not yet ported from 2.6
1035 <tag>location_rewrite_children</tag>
1036 <p>Not yet ported from 2.6
1038 <tag>location_rewrite_concurrency</tag>
1039 <p>Not yet ported from 2.6
1041 <tag>location_rewrite_program</tag>
1042 <p>Not yet ported from 2.6
1044 <tag>refresh_pattern</tag>
1045 <p><em>stale-while-revalidate=</em> not yet ported from 2.7
1046 <p><em>ignore-stale-while-revalidate=</em> not yet ported from 2.7
1047 <p><em>negative-ttl=</em> not yet ported from 2.7
1049 <tag>refresh_stale_hit</tag>
1050 <p>Not yet ported from 2.7
1052 <tag>storeurl_access</tag>
1053 <p>Not yet ported from 2.7
1055 <tag>storeurl_rewrite_children</tag>
1056 <p>Not yet ported from 2.7
1058 <tag>storeurl_rewrite_concurrency</tag>
1059 <p>Not yet ported from 2.7
1061 <tag>storeurl_rewrite_program</tag>
1062 <p>Not yet ported from 2.7
1064 <tag>update_headers</tag>
1065 <p>Not yet ported from 2.7
1067 <tag>zero_buffers</tag>
1068 <p>Not yet ported from 2.7
1072 <sect1>Missing ./configure options available in Squid-2.7
1075 <tag>--without-system-md5</tag>