1 <!doctype linuxdoc system>
3 <title>Squid 3.4.0.2 release notes</title>
4 <author>Squid Developers</author>
7 This document contains the release notes for version 3.4 of Squid.
8 Squid is a WWW Cache application developed by the National Laboratory
9 for Applied Network Research and members of the Web Caching community.
16 The Squid Team are pleased to announce the release of Squid-3.4.0.2 for testing.
18 This new release is available for download from <url url="http://www.squid-cache.org/Versions/v3/3.4/"> or the
19 <url url="http://www.squid-cache.org/Mirrors/http-mirrors.html" name="mirrors">.
21 While this release is not deemed ready for production use, we believe it is ready for wider testing by the community.
23 We welcome feedback and bug reports. If you find a bug, please see <url url="http://wiki.squid-cache.org/SquidFaq/BugReporting">
24 for how to submit a report with a stack trace.
28 Although this release is deemed good enough for use in many setups, please note the existence of
29 <url url="http://bugs.squid-cache.org/buglist.cgi?query_format=advanced&product=Squid&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&version=3.4" name="open bugs against Squid-3.4">.
32 <sect1>Changes since earlier releases of Squid-3.4
34 The 3.4 change history can be <url url="http://www.squid-cache.org/Versions/v3/3.4/changesets/" name="viewed here">.
36 <sect>Major new features since Squid-3.3
37 <p>Squid 3.4 represents a new feature release above 3.3.
39 <p>The most important of these new features are:
41 <item>Helper protocol extensions
42 <item>SSL Server Certificate Validator
44 <item>TPROXY Support for OpenBSD 5.1+ and FreeBSD 9+
45 <item>Transaction Annotations
49 Most user-facing changes are reflected in squid.conf (see below).
52 <sect1>Helper protocol extensions
53 <p>Details at <url url="http://wiki.squid-cache.org/Features/AddonHelpers">.
55 <p>The Squid helper protocol used to communicate with authenticators,
56 URL-rewriters, Redirectors, and External ACL helpers has been updated
59 <p><em>BH</em> status code is now accepted from all helpers to report
60 internal error events separate from <em>ERR</em> rejection code.
61 Permitting Squid to perform recovery operations specific to
62 helper failure instead of a blanket client rejection.
64 <p>Arbitrary key-value pairs can be returned from any helper.
65 Allowing future helpers to be forward- and backward- compatible
66 with this and future version of Squid.
69 <sect1>SSL Server Certificate Validator
70 <p>Details at <url url="http://wiki.squid-cache.org/Features/SslServerCertValidator">.
72 <p>The helper consulted after the internal OpenSSL validation, regardless of the
73 validation results. The helper will receive:
76 <item>the origin server certificate (chain),
77 <item>the intended domain name, and
78 <item>a list of OpenSSL validation errors (if any).
81 <p>If the helper decides to honor an OpenSSL error or report another validation
82 error(s), the helper will return:
85 <item>A list of certificates.
86 <item>A list of items consists the the validation error name (see <em>%err_name</em>
87 error page macro and <em>%err_details</em> code for <em>logformat</em>), error reason
88 (<em>%ssl_lib_error macro</em>), and the offending certificate.
91 <p>The returned information mimics what the internal OpenSSL-based validation code
92 collects now. Returned errors, if any, are fed to <em>sslproxy_cert_error</em>,
93 triggering the existing SSL error processing code.
95 <p>The helper invocation controlled by the <em>sslcrtvalidator_program</em> and
96 <em>sslcrtvalidator_children</em> configurations options which are similar to the
97 <em>ssl_crtd</em> related options.
101 <p>Details at <url url="http://wiki.squid-cache.org/Features/StoreID">.
103 <p>This feature is a redesigned equivalent to the Squid-2.7 feature known as StoreURL-rewrite.
105 <p><em>Notice</em> that this is not a direct portage of the Squid-2.7 feature so behaviour
106 differences do exist. Although the new feature works in similar enough ways that the old
107 helper scripts used for Squid-2.7 are expected to work in this and later versions of Squid.
109 <p>Squid traditionally uses the requested URL as an index key ID to locate objects in cache.
110 It is not the only key possible and the Store-ID feature exposes an API for external
111 helpers to provide Squid with an alternative key name for any URL.
113 <p>When any client request is received which requires a cache lookup the URL is passed to
114 a helper specified with the <em>store_id_program</em> directive to check for an alternative
115 Store ID. This allows the helper to identify URLs which refer to duplicate resources and
116 de-duplicate the cache content. <em>store_id_access</em> is provided to allow ACL-based
117 tuning of which traffic gets sent to the helper and reduce overheads.
119 <p>One subtle and noteworthy difference between Squid-2 and Squid-3 which is highlighted by
120 this feature is that <em>refresh_pattern</em> applies its regex argument against the Store
121 ID key and not the transaction URL. So using the Store-ID feature to alter the value
122 affects which <em>refresh_pattern</em> directive will be matched.
124 <p>Store-ID helpers bundled with Squid can be built with the --enable-storeid-rewrite-helpers
125 options which is added in this version. Currently there is a <em>file</em> helper
129 <sect1>TPROXY Support for OpenBSD 5.1+ and FreeBSD 9+
130 <p>Details at <url url="http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf">.
132 <p>The Packet Filter (PF) firewall in OpenBSD 4.4 and later offers traffic interception
133 using several very simple methods. One of which is the <em>divert-to</em> rule type
134 which acts as a simple routing diversion instead of performing NAT packet alterations.
136 <p>The IP Firewall (IPFW) on FreeBSD 9+ contains a port of the Linux Netfilter TPROXY feature.
138 <p>This version of Squid adds support for these features through the ./configure
139 options --enable-pf-transparent and --enable-ipfw-transparent when Squid is built on
140 systems with the required support. No special extras are required to enable
141 <em>http_port ... tproxy</em> configuration to work.
143 <p>NOTE: To resolve NAT lookup issues on recent PF firewall versions the code behind
144 <em>./configure --enable-pf-transparent</em> has been altered and is expected to
145 break on the version of PF firewall shipped with BSD systems such as NetBSD and FreeBSD
146 which do not yet support the getsockname() API.
147 These systems require <em>--with-nat-devpf</em> to enable /dev/pf support when using PF firewall.
150 <sect1>Transaction Annotations
151 <p>Previously the only annotation methods available were ICAP/eCAP HTTP header insertions
152 or external ACL <em>tag=</em> result code. Each of which had only limited possibilities
153 for use and little or no correlation.
155 <p>It is now possible to add annotations to a client transaction from several sources:
157 <item> Directly from squid.conf using the <em>note</em> directive with
158 ACL-based selection of which annotation is linked to any
159 particular transaction.
161 <item> By configured helper processes returning a key=value pair.
162 The key name becomes the annotation name.
165 <p>Annotations on the transaction can be passed to ICAP services or eCAP modules using the
166 <em>adaptation_meta</em> directive to send them as headers.
167 They can also be logged using the <em>%note</em> log format code in custom logs. With
168 the new helper response syntax changes this means all helper response key=value details
169 such as URL-rewrite or store-id changes, external ACL tag etc. are now able to be logged.
171 <p>Annotations which are already assigned to a transaction can be checked using an ACL test
172 of the new <em>note</em> ACL type. This can match a particular note by name and value,
173 of for any notes with a given name.
175 <p>NOTE: not all helper interfaces are yet enabled to convert key=value into annotations
176 and the external ACL interface does not yet send annotations to the helper.
180 <p>The internal DNS component of Squid now supports multicast DNS (mDNS) resolution in
181 accordance with RFC 6762.
183 <p>The <em>dns_multicast_local</em> directive must be set to <em>on</em> to enable this
186 <p>The multicast DNS group IP addresses for IPv4 and IPv6 resolving are added to the set
187 of available DNS resolvers and used automatically for domain names ending in <em>.local</em>
188 and reverse-DNS lookups before attempting a secondary resolution on the configured
189 resolvers. Domains without <em>.local</em> are resolved using only the configured resolvers.
191 <p>Statistics for multicast DNS resolution can be found on the <em>idns</em> cache manager
195 <sect>Changes to squid.conf since Squid-3.3
197 There have been changes to Squid's configuration file since Squid-3.3.
199 <p>Squid supports reading configuration option parameters from external
200 files using the syntax <em>parameters("/path/filename")</em>. For example:
202 acl whitelist dstdomain parameters("/etc/squid/whitelist.txt")
205 <p>There hasve also been changes to individual directives in the config file.
207 This section gives a thorough account of those changes in three categories:
210 <item><ref id="newtags" name="New tags">
211 <item><ref id="modifiedtags" name="Changes to existing tags">
212 <item><ref id="removedtags" name="Removed tags">
216 <sect1>New tags<label id="newtags">
219 <tag>configuration_includes_quoted_values</tag>
220 <p>Whether Squid supports directive parameters with spaces, quotes, and other
221 special characters. Surround such parameters with "double quotes" and
222 also set this directive on/off around the relevant squid.conf line(s)
223 making use of such quoting.
225 <tag>dns_multicast_local</tag>
226 <p>Use multicast DNS for <em>.local</em> domains and reverse-DNS resolution.
229 <p>Use ACLs to annotate a transaction with customized annotations
230 which can be logged in access.log
232 <tag>spoof_client_ip</tag>
233 <p>Access control to determine whether to disable the TPROXY spoofing on upstream traffic.
235 <tag>sslcrtvalidator_children</tag>
236 <p>Specifies the settings for how many SSL server certificate
237 validator helpers are run and when they are started.
239 <tag>sslcrtvalidator_program</tag>
240 <p>Specifies the location of a SSL server certificate validator helper.
242 <tag>store_id_access</tag>
243 <p>Whether the URL for a given request is passed to the Store-ID helper process.
244 Used to improve StoreID performance by quickly eliminating helper delays using ACL tests.
245 <p>Ported equivalent to <em>storeurl_access</em> from 2.7
247 <tag>store_id_bypass</tag>
248 <p>Whether the StoreID helper may be bypassed when overloaded.
250 <tag>store_id_children</tag>
251 <p>Controls the number of StoreID helper processes.
252 <p>Options <em>startup=N</em>, <em>idle=N</em>, <em>concurrency=N</em>
254 <item>startup=N allow finer tuning of how many helpers are started initially.
255 <item>idle=N allow fine tuning of how many helper to retain as buffer against sudden traffic loads.
256 <item>concurrency=N was previously called url_rewrite_concurrency as a distinct directive.
259 <tag>storeurl_rewrite_program</tag>
260 <p>A helper program to provide cache storage internal key ID value for a request.
261 <p>Ported equivalent to <em>storeurl_rewrite_program</em> from 2.7
265 <sect1>Changes to existing tags<label id="modifiedtags">
268 <tag>access_log</tag>
269 <p>Configuration syntax extended to support name=value options.
270 <em>New Syntax:</em> access_log module:place [option ...] [acl ...]
271 <p>New option <em>logformat=</em> to specify the logging format name.
272 <p>New option <em>buffer-size=</em> to specify how large the log buffer
273 for this log is to be when <em>buffered_logs</em> is enabled.
274 <p>New option <em>on-error=</em> to specify what handling is to be done
275 if the logging module encounters a non-recoverable error writing logs.
276 With the value <em>die</em> (the default) Squid halts operation.
277 With the value <em>drop</em> Squid drops log lines and continue running.
280 <p>New test type <em>server_cert_fingerprint</em> to match against
281 server SSL certificate fingerprint.
282 <p>New test type <em>note</em> to match against transaction annotations
283 by name and value, or just by name.
284 <p>New test type <em>any-of</em> to match if any one of a set of named ACLs.
285 <p>New test type <em>all-of</em> to match against all of a set of named ACLs.
287 <tag>auth_param</tag>
288 <p>New result code <em>BH</em> to signal helper internal errors
289 available in all authentication schemes.
290 <p>New key <em>message=</em> for error message details in all authentication schemes.
291 <p>New result code <em>OK</em> and key <em>ha1=</em> in Digest authentication.
292 <p>New result codes <em>OK</em>, <em>ERR</em> replace result codes <em>AF</em>,
293 and <em>NA</em> in NTLM and Negotiate authentication.
294 <p>New key <em>token=</em> for NTLM and Negotiate authentication <em>OK</em> responses.
295 <p>Details at <url url="http://wiki.squid-cache.org/Features/AddonHelpers">.
297 <tag>external_acl_type</tag>
298 <p>Deprecated <em>protocol=3.0</em> option. No longer necessary.
299 <p>New result code <em>BH</em> to signal helper internal errors
300 <p>Details at <url url="http://wiki.squid-cache.org/Features/AddonHelpers">.
303 <p>Support IPv6 for <em>intercept</em> mode. Requires ip6tables support on Linux,
304 PF support on OpenBSD and IPFW support on FreeBSD. Squid will no longer complain
305 about misconfiguration if IPv6 support is missing, we now rely on the firewall
306 tools reporting misconfiguration when the NAT rules are created.
307 <p>Support <em>tproxy</em> mode traffic on BSD systems with BINDANY support
308 (OpenBSD 5+, FreeBSD 9+ so far).
309 <p>Changed build options behind <em>intercept</em> traffic mode handling on BSD.
310 see <em>--enable-pf-transparent</em> for more details.
313 <p>New format code <em>%note</em> to log a transaction annotation linked to the
314 transaction by ICAP, eCAP, a helper, or the <em>note</em> squid.conf directive.
315 <p>New format code <em>%>qos</em> to log client connection TOS/DSCP value set by Squid.
316 <p>New format code <em>%<qos</em> to log server connection TOS/DSCP value set by Squid.
317 <p>New format code <em>%>nfmark</em> to log client connection netfilter mark set by Squid.
318 <p>New format code <em>%<nfmark</em> to log server connection netfilter mark set by Squid.
320 <tag>pipeline_prefetch</tag>
321 <p>Updated to take a numeric count of prefetched pipeline requests instead of ON/OFF.
323 <tag>refresh_pattern</tag>
324 <p><em>NOTE:</em> the regular expression pattern operates on the cache Store-ID value.
325 Which by default is identical to the requested URL, but may differ for some
326 objects if the Store-ID feature is in use.
328 <tag>unlinkd_program</tag>
329 <p>New helper response format utilizing result codes <em>OK</em> and <em>BH</em>,
330 to signal helper lookup results. Also, key-value response values to return
331 multiple values to Squid.
332 <p>Details at <url url="http://wiki.squid-cache.org/Features/AddonHelpers">.
334 <tag>url_rewrite_program</tag>
335 <p>New helper response format utilizing result codes <em>OK</em>, <em>ERR</em>,
336 and <em>BH</em> to signal helper lookup results. Also, key-value response
337 values to return multiple values to Squid.
338 <p>Details at <url url="http://wiki.squid-cache.org/Features/AddonHelpers">.
342 <sect1>Removed tags<label id="removedtags">
345 <tag>storeurl_access</tag>
346 <p>Replaced by <em>store_id_access</em>.
348 <tag>storeurl_rewrite_children</tag>
349 <p>Replaced by <em>store_id_children</em>.
351 <tag>storeurl_rewrite_concurrency</tag>
352 <p>Replaced by <em>store_id_children</em> with <em>concurrency=N</em> option.
354 <tag>storeurl_rewrite_program</tag>
355 <p>Replaced by <em>store_id_program</em>.
360 <sect>Changes to ./configure options since Squid-3.3
362 There have been some changes to Squid's build configuration since Squid-3.3.
364 This section gives an account of those changes in three categories:
367 <item><ref id="newoptions" name="New options">
368 <item><ref id="modifiedoptions" name="Changes to existing options">
369 <item><ref id="removedoptions" name="Removed options">
373 <sect1>New options<label id="newoptions">
376 <tag>--enable-storeid-rewrite-helpers</tag>
377 <p>New option to control which Store-ID helpers are built. As with other
378 helper options use --disable-* to prevent any helpers building and
379 omit to get all helper auto-detected.
380 <p>Currenly only a helper using <em>file</em> for backend is provided.
382 <tag>--disable-arch-native</tag>
383 <p>New option to disable use of -march=native compiler flag.
384 <p>The new flag auto-enables CPU-specific optimizations in GCC and is
385 required by Clang++ v3.2 for correct 64-bit environment detection.
386 It does not always work well however, so this build option is provided
387 to remove it when necessary.
389 <tag>--with-nat-devpf</tag>
390 <p>New option to alter the behaviour of <em>http_port ... intercept</em> option
392 <p>When this option is used Squid performs the /dev/pf lookups required to
393 support PF <em>rdr-to</em> rules. Otherwise Squid will perform perform the
394 getsockname() API calls to support PF <em>divert-to</em> rules.
395 <p>NOTE: systems such as NetBSD and FreeBSD which do not yet support
396 the getsockname() API in recent PF versions require this option.
400 <sect1>Changes to existing options<label id="modifiedoptions">
403 <tag>--enable-pf-transparent</tag>
404 <p>NAT table support updated to use the getsockname() API provided by the
405 latest PF versions <em>divert-to</em>. This allows <em>http_port</em>
406 in squid.conf to support both <em>intercept</em> and <em>tproxy</em> traffic
407 and to silence NAT lookup failure messages on recent BSD.
408 <p>NOTE: systems such as NetBSD and FreeBSD which do not yet support
409 the getsockname() API in recent PF versions require <em>--with-nat-devpf</em>
410 to re-enable /dev/pf support when using PF firewall.
415 <sect1>Removed options<label id="removedoptions">
418 <p><em>There are no removed ./configure options in Squid-3.4.</em>
423 <sect>Regressions since Squid-2.7
425 <p>Some squid.conf options which were available in Squid-2.7 are not yet available in Squid-3.4
427 <p>If you need something to do then porting one of these from Squid-2 to Squid-3 is most welcome.
429 <sect1>Missing squid.conf options available in Squid-2.7
432 <tag>broken_vary_encoding</tag>
433 <p>Not yet ported from 2.6
436 <p><em>COSS</em> storage type is lacking stability fixes from 2.6
437 <p>COSS <em>overwrite-percent=</em> option not yet ported from 2.6
438 <p>COSS <em>max-stripe-waste=</em> option not yet ported from 2.6
439 <p>COSS <em>membufs=</em> option not yet ported from 2.6
440 <p>COSS <em>maxfullbufs=</em> option not yet ported from 2.6
442 <tag>cache_peer</tag>
443 <p><em>idle=</em> not yet ported from 2.7
444 <p><em>monitorinterval=</em> not yet ported from 2.6
445 <p><em>monitorsize=</em> not yet ported from 2.6
446 <p><em>monitortimeout=</em> not yet ported from 2.6
447 <p><em>monitorurl=</em> not yet ported from 2.6
449 <tag>cache_vary</tag>
450 <p>Not yet ported from 2.6
452 <tag>collapsed_forwarding</tag>
453 <p>Not yet ported from 2.6
456 <p>Not yet ported from 2.6
458 <tag>external_refresh_check</tag>
459 <p>Not yet ported from 2.7
461 <tag>ignore_ims_on_miss</tag>
462 <p>Not yet ported from 2.7
464 <tag>location_rewrite_access</tag>
465 <p>Not yet ported from 2.6
467 <tag>location_rewrite_children</tag>
468 <p>Not yet ported from 2.6
470 <tag>location_rewrite_concurrency</tag>
471 <p>Not yet ported from 2.6
473 <tag>location_rewrite_program</tag>
474 <p>Not yet ported from 2.6
476 <tag>refresh_pattern</tag>
477 <p><em>stale-while-revalidate=</em> not yet ported from 2.7
478 <p><em>ignore-stale-while-revalidate=</em> not yet ported from 2.7
479 <p><em>negative-ttl=</em> not yet ported from 2.7
481 <tag>refresh_stale_hit</tag>
482 <p>Not yet ported from 2.7
484 <tag>update_headers</tag>
485 <p>Not yet ported from 2.7