<!doctype linuxdoc system>
<article>
-<title>Squid 3.3.0.0 release notes</title>
+<title>Squid 3.3.14 release notes</title>
<author>Squid Developers</author>
<abstract>
<sect>Notice
<p>
-The Squid Team are pleased to announce the release of Squid-3.3.0.0 for testing.
+The Squid Team are pleased to announce the release of Squid-3.3.14.
-This new release is available for download from <url url="http://www.squid-cache.org/Versions/v3/3.3/"> or the <url url="http://www.squid-cache.org/Mirrors/http-mirrors.html" name="mirrors">.
+This new release is available for download from <url url="http://www.squid-cache.org/Versions/v3/3.3/"> or the
+<url url="http://www.squid-cache.org/Download/http-mirrors.html" name="mirrors">.
-While this release is not deemed ready for production use, we believe it is ready for wider testing by the community.
+<p>A large number of the design flaws in SSL-Bump feature have been fixed along with general improvements all around.
+While this release is not fully bug-free we believe it is ready for use in production on many systems.
-We welcome feedback and bug reports. If you find a bug, please see <url url="http://wiki.squid-cache.org/SquidFaq/TroubleShooting#head-7067fc0034ce967e67911becaabb8c95a34d576d"> for how to submit a report with a stack trace.
+<p>We welcome feedback and bug reports. If you find a bug, please see <url url="http://wiki.squid-cache.org/SquidFaq/BugReporting">
+ for how to submit a report with a stack trace.
<sect1>Known issues
<p>
-Although this release is deemed good enough for use in many setups, please note the existence of <url url="http://www.squid-cache.org/bugs/buglist.cgi?query_format=advanced&short_desc_type=allwordssubstr&short_desc=&target_milestone=3.3&long_desc_type=allwordssubstr&long_desc=&bug_file_loc_type=allwordssubstr&bug_file_loc=&status_whiteboard_type=allwordssubstr&status_whiteboard=&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&emailtype1=substring&email1=&emailtype2=substring&email2=&bugidtype=include&bug_id=&votes=&chfieldfrom=&chfieldto=Now&chfieldvalue=&cmdtype=doit&order=bugs.bug_severity&field0-0-0=noop&type0-0-0=noop&value0-0-0=" name="open bugs against Squid-3.3">.
+Although this release is deemed good enough for use in many setups, please note the existence of
+<url url="http://bugs.squid-cache.org/buglist.cgi?query_format=advanced&product=Squid&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&version=3.3" name="open bugs against Squid-3.3">.
+
<sect1>Changes since earlier releases of Squid-3.3
<p>
<p>The most important of these new features are:
<itemize>
- <item>...
+ <item>SQL Database logging helper
+ <item>Time-Quota session helper
+ <item>SSL-Bump Server First
+ <item>Server Certificate Mimic
+ <item>Custom HTTP request headers
</itemize>
Most user-facing changes are reflected in squid.conf (see below).
-<sect1>...
-<p>...
+<sect1>SQL Database logging helper
+<p><em>log_db_daemon</em> - Database logging daemon for Squid
+
+<p>This program writes Squid access.log entries to an SQL database.
+ Written in Perl it can utilize any database supported by the Perl
+ database abstraction layer.
+
+<p>NOTE: Presently it only accepts the Squid native log format.
+
+
+<sect1>Time-Quota session helper
+<p><em>ext_time_quota_acl</em> - Time quota external ACL helper.
+
+<p>Allows an administrator to define time budgets (quota) for the
+ users of Squid to limit the time using Squid.
+
+<p>This is useful for corporate lunch time allocations, wifi portal
+ pay-per-minute installations or for parental control of children.
+
+<p>The administrator can define a time budget (e.g. 1 hour per day)
+ which is enforced through this helper using session estimations
+ of their browsing time. A 'pause' threshold is given in seconds
+ and defines the period between two requests to be treated as part
+ of the same session. Pauses shorter than this value will be
+ counted against the quota, longer ones ignored.
+
+
+<sect1>SSL-Bump Server First
+<p>Details at <url url="http://wiki.squid-cache.org/Features/BumpSslServerFirst">.
+
+<p>When an intercepted connection is received, Squid first connects
+ to the server using SSL and receives the server certificate.
+ Squid then uses the host name inside the true server certificate
+ to generate a fake one and impersonates the server while still
+ using the already established secure connection to the server.
+
+<p>Bumping server first is essentially required for handling
+ intercepted HTTPS connections but the same scheme should be used
+ for most HTTP CONNECT requests because it offers a few advantages
+ compared to the old bump-client-first approach:
+
+<itemize>
+<item>When Squid knows valid server certificate details, it can
+ generate its fake server certificate with those details.
+ With the bump-client-first scheme, all those details are lost.
+ In general, browsers do not care about those details but there
+ may be HTTP clients (or even human users) that require or could
+ benefit from knowing them.
+
+<item>When a server sends a bad certificate, Squid may be able to
+ replicate that brokenness in its own fake certificate, giving
+ the HTTP client control whether to ignore the problem or
+ terminate the transaction. With bump-client-furst, it is
+ difficult to support similar dynamic, user-directed opt out;
+ Squid itself has to decide what to do when the server
+ certificate cannot be validated.
+
+<item>When a server asks for a client certificate, Squid may be
+ able to ask the client and then forward the client certificate
+ to the server. Such client certificate handling may not be
+ possible with the bump-client-first scheme because it would
+ have to be done after the SSL handshake.
+
+<item>Some clients (e.g., Rekonq browser v0.7.x) do not send host
+ names in CONNECT requests. Such clients require bump-server-first
+ even in forward proxying mode. Unfortunately, there are other
+ problems with fully supporting such clients (i.e., Squid does
+ not know whether the IP address in the CONNECT request is what
+ the user have typed into the address bar) so not all features
+ will work well for them until more specialized detection code
+ is added.
+</itemize>
+
+<sect1>Server Certificate Mimic
+<p>Details at <url url="http://wiki.squid-cache.org/Features/MimicSslServerCert">.
+
+<p>One of the SslBump features serious drawbacks is the loss of
+ information embedded in SSL server certificate.
+ This certificate mimic feature passes original SSL server
+ certificate information to the user. Allowing the user to
+ make an informed decision on whether to trust the server
+ certificate.
+
+
+<sect1>Custom HTTP request headers
+<p>The <em>request_header_add</em> option is added to insert
+ HTTP header fields to outgoing HTTP requests (i.e.,
+ request headers sent by Squid to the next HTTP hop such as a
+ cache peer or an origin server). The option has no effect on
+ cache hit traffic or requests serviced by Squid and ICAP.
+
+<p>WARNING: If a standard HTTP header name is used, Squid does not check whether
+ the new header conflicts with any existing headers or violates
+ HTTP rules. If the request to be modified already contains a
+ field with the same name, the old field is preserved but the
+ header field values are not merged.
+
+<p>Field-value set can be either a token or a quoted string. If quoted
+ string format is used, then the surrounding quotes are removed
+ while escape sequences and %macros are processed.
+
+<p>In theory, all of the <em>logformat</em> codes can be used as %macros.
+ However, unlike logging (which happens at the very end of
+ transaction lifetime), the transaction may not yet have enough
+ information to expand a macro when the new header value is needed.
+ And some information may already be available to Squid but not yet
+ committed where the macro expansion code can access it (please report
+ such instances!). The macro will be expanded into a single dash
+ ('-') in such cases. Not all macros have been tested.
+
+<p>One or more Squid ACLs may be specified to restrict header
+ injection to matching requests. As always in squid.conf, all
+ ACLs in an option ACL list must be satisfied for the insertion
+ to happen. The <em>request_header_add</em> option supports fast ACLs only.
<sect>Changes to squid.conf since Squid-3.2
<sect1>New tags<label id="newtags">
<p>
<descrip>
+ <tag>cache_miss_revalidate</tag>
+ <p>Whether Squid is to pass-through If-Modified-Since and If-None-Match headers on cache MISS.
+ Revalidation requests can prevent cache gathering objects to HIT on.
+ <p>Based on the Squid-2.7 <em>ignore_ims_on_miss</em> feature.
+ <p><em>IMPORTANT:</em> the meaning for on/off values has changed along with the name since 2.7.
+
+ <tag>request_header_add</tag>
+ <p>New directive to add custom headers on HTTP traffic sent to upstream servers.
+
+ <tag>sslproxy_cert_sign</tag>
+ <p>New option to determine how the client certificate sent to upstream servers is signed.
+
+ <tag>sslproxy_cert_adapt</tag>
+ <p>New option to adapt certain properties of outgoing SSL certificates generated for use when bumping SSL to an upstream server.
</descrip>
<sect1>Changes to existing tags<label id="modifiedtags">
<p>
<descrip>
+ <tag>acl</tag>
+ <p><em>myport</em> and <em>myip</em>ACL types replaced with <em>localport</em> and <em>localip</em> respectively.
+ To reflect that it matches the TCP connection details and not the squid.conf port.
+ This matters when dealing with intercepted traffic, where the Squid receiving port differs from the TCP connection IP:port.
+ Always use <em>myportname</em> type to match the squid.conf port details.
+ <p>New default built-in ACLs for testing SSL certificate properties.
+ <p><em>ssl::certHasExpired</em>,
+ <em>ssl::certNotYetValid</em>,
+ <em>ssl::certDomainMismatch</em>,
+ <em>ssl::certUntrusted</em>,
+ <em>ssl::certSelfSigned</em>.
+
+ <tag>client_netmask</tag>
+ <p>IP address 127.0.0.1 (localhost IPv4) is no longer masked.
+
+ <tag>external_acl_type</tag>
+ <p><em>%ACL</em> format tag ported from 2.6.
+ Sends the name of ACL being tested to the external helper.
+ <p><em>%DATA</em> format tag ported from 2.6.
+ Inserts the ACL arguments into a particular location of the helper input instead of at the end of the line.
+
<tag>logformat</tag>
- <p><em>%>bs</em> Number of HTTP-equivalent message body bytes received from the next hop.
- <p><em>icap::%>bs</em> Number of message body bytes received from the ICAP server.
-</descrip>
+ <p>New token <em>%ssl::bump_mode</em> to log the SSL-bump mode type performed on a request.
+ Logs values of: <em>-</em>, <em>none</em>, <em>client-first</em>, or <em>server-first</em>.
+ <p>New token of <em>%ssl::>cert_subject</em> to log the Subject field of a SSL certificate received from the client.
+ <p>New token of <em>%ssl::>cert_issuer</em> to log the Issuer field of a SSL certificate received from the client.
+
+ <tag>ssl_bump</tag>
+ <p>New action types <em>none</em>, <em>client-first</em>, <em>server-first</em>. The default is <em>none</em>.
+ <p>Use of <em>allow</em>/<em>deny</em> is now deprecated and they should be removed as soon as possible.
+ To retain the exact same behaviour between 3.3 and older releases replace <em>deny</em> with <em>none</em>,
+ and <em>allow</em> with <em>client-first</em>. However an upgrade to <em>server-first</em> is the recommended.
+ <p><em>NOTE</em>: Mixing of allow/deny with the new action types is prohibited and will cause Squid to exit with a FATAL error.
+</descrip>
<sect1>Removed tags<label id="removedtags">
<p>
<descrip>
+ <tag>ignore_ims_on_miss</tag>
+ <p>This option has been replaced by the <em>cache_miss_revalidate</em> feature.
</descrip>
<sect1>New options<label id="newoptions">
<p>
<descrip>
+ <p><em>There are no new ./configure options in Squid-3.3.</em>
</descrip>
<sect1>Changes to existing options<label id="modifiedoptions">
<p>
<descrip>
+ <tag>--enable-kqueue</tag>
+ <p>kqueue network I/O module is now built by default when it is available.
+ This option is no longer required to enable kqueue support,
+ but if used will abort build when kqueue dependencies are missing or broken.
+
+ <tag>--disable-kqueue</tag>
+ <p>kqueue network I/O module is now built by default when it is available.
+ This configure option is now needed to disable it. Previously it did nothing.
</descrip>
</p>
<sect1>Removed options<label id="removedoptions">
<p>
<descrip>
-
-</descrip>
-
-
-<sect>Options Removed since Squid-2
-
-<p>Some squid.conf and ./configure options which were available in Squid-2.6 and Squid-2.7 are made obsolete in Squid-3.3.
-
-<sect1>Removed squid.conf options since Squid-2.7
-<p>
-<descrip>
- <tag>auth_param</tag>
- <p><em>blankpassword</em> option for basic scheme removed.
-
- <tag>cache_peer</tag>
- <p><em>http11</em> Obsolete.
-
- <tag>external_acl_type</tag>
- <p>Format tag <em>%{Header}</em> replaced by <em>%>{Header}</em>
- <p>Format tag <em>%{Header:member}</em> replaced by <em>%>{Header:member}</em>
-
- <tag>header_access</tag>
- <p>Replaced by <em>request_header_access</em> and <em>reply_header_access</em>
-
- <tag>http_port</tag>
- <p><em>no-connection-auth</em> replaced by <em>connection-auth=[on|off]</em>. Default is ON.
- <p><em>transparent</em> option replaced by <em>intercept</em>
- <p><em>http11</em> obsolete.
-
- <tag>http_access2</tag>
- <p>Replaced by <em>adapted_http_access</em>
-
- <tag>httpd_accel_no_pmtu_disc</tag>
- <p>Replaced by <em>http_port disable-pmtu-discovery=</em> option
-
- <tag>incoming_rate</tag>
- <p>Obsolete.
-
- <tag>redirector_bypass</tag>
- <p>Replaced by <em>url_rewrite_bypass</em>
-
- <tag>server_http11</tag>
- <p>Obsolete.
-
- <tag>upgrade_http0.9</tag>
- <p>Obsolete.
-
- <tag>zph_local</tag>
- <p>Replaced by <em>qos_flows local-hit=</em>
-
- <tag>zph_mode</tag>
- <p>Obsolete.
-
- <tag>zph_option</tag>
- <p>Obsolete.
-
- <tag>zph_parent</tag>
- <p>Replaced by <em>qos_flows parent-hit=</em>
-
- <tag>zph_sibling</tag>
- <p>Replaced by <em>qos_flows sibling-hit=</em>
-
-</descrip>
-
-<sect1>Removed squid.conf options since Squid-2.6
-<p>
-<descrip>
- <tag>cache_dir</tag>
- <p><em>read-only</em> option replaced by <em>no-store</em>.
-
-</descrip>
-
-<sect1>Removed ./configure options since Squid-2.7
-<p>
-<descrip>
- <tag>--enable-coss-aio-ops</tag>
- <p>Obsolete.
-
- <tag>--enable-devpoll</tag>
- <p>Replaced by automatic detection.
-
- <tag>--enable-dlmalloc=LIB</tag>
- <p>Obsolete.
-
- <tag>--enable-epoll</tag>
- <p>Replaced by automatic detection.
-
- <tag>--enable-forward-log</tag>
- <p>Obsolete.
-
- <tag>--enable-heap-replacement</tag>
- <p>Obsolete.
-
- <tag>--enable-htcp</tag>
- <p>Obsolete. Enabled by default.
-
- <tag>--enable-large-cache-files</tag>
- <p>Obsolete.
-
- <tag>--enable-mempool-debug</tag>
- <p>Obsolete.
-
- <tag>--enable-multicast-miss</tag>
- <p>Obsolete.
-
- <tag>--enable-poll</tag>
- <p>Replaced by automatic detection.
-
- <tag>--enable-select</tag>
- <p>Replaced by automatic detection.
-
- <tag>--enable-select-simple</tag>
- <p>Replaced by automatic detection.
-
- <tag>--enable-snmp</tag>
- <p>Obsolete. Enabled by default.
-
- <tag>--enable-truncate</tag>
- <p>Obsolete.
-
- <tag>--disable-kqueue</tag>
- <p>Obsolete. Disabled by default.
+ <tag>--enable-ntlm-fail-open</tag>
+ <p>This has not been supported by Squid for several versions.
</descrip>
<sect1>Missing squid.conf options available in Squid-2.7
<p>
<descrip>
- <tag>acl</tag>
- <p><em>urllogin</em> option not yet ported from 2.6
- <p><em>urlgroup</em> option not yet ported from 2.6
-
- <tag>authenticate_ip_shortcircuit_access</tag>
- <p>Not yet ported from 2.7
-
- <tag>authenticate_ip_shortcircuit_ttl</tag>
- <p>Not yet ported from 2.7
-
<tag>broken_vary_encoding</tag>
<p>Not yet ported from 2.6
<tag>cache_dir</tag>
- <p><em>min-size</em> option not yet ported from Squid-2
<p><em>COSS</em> storage type is lacking stability fixes from 2.6
<p>COSS <em>overwrite-percent=</em> option not yet ported from 2.6
<p>COSS <em>max-stripe-waste=</em> option not yet ported from 2.6
<tag>error_map</tag>
<p>Not yet ported from 2.6
- <tag>external_acl_type</tag>
- <p><em>%ACL</em> format tag not yet ported from 2.6
- <p><em>%DATA</em> format tag not yet ported from 2.6
-
<tag>external_refresh_check</tag>
<p>Not yet ported from 2.7
- <tag>http_port</tag>
- <p><em>act-as-origin</em> not yet ported from 2.7
- <p><em>urlgroup=</em> not yet ported from 2.6
-
- <tag>ignore_ims_on_miss</tag>
- <p>Not yet ported from 2.7
-
<tag>location_rewrite_access</tag>
<p>Not yet ported from 2.6
<tag>location_rewrite_program</tag>
<p>Not yet ported from 2.6
- <tag>logformat</tag>
- <p><em>%oa</em> tag not yet ported from 2.7
-
- <tag>max_stale</tag>
- <p>Not yet ported from 2.7
-
<tag>refresh_pattern</tag>
<p><em>stale-while-revalidate=</em> not yet ported from 2.7
<p><em>ignore-stale-while-revalidate=</em> not yet ported from 2.7
- <p><em>max-stale=</em> not yet ported from 2.7
<p><em>negative-ttl=</em> not yet ported from 2.7
<tag>refresh_stale_hit</tag>
<tag>storeurl_rewrite_program</tag>
<p>Not yet ported from 2.7
- <tag>update_headers</tag>
- <p>Not yet ported from 2.7
-
- <tag>zero_buffers</tag>
- <p>Not yet ported from 2.7
-
</descrip>
-<sect1>Missing ./configure options available in Squid-2.7
+<sect>Copyright
<p>
-<descrip>
- <tag>--without-system-md5</tag>
-
-</descrip>
+Copyright (C) 1996-2021 The Squid Software Foundation and contributors
+<p>
+Squid software is distributed under GPLv2+ license and includes
+contributions from numerous individuals and organizations.
+Please see the COPYING and CONTRIBUTORS files for details.
</article>