<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
- <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.16">
- <TITLE>Squid 3.0 release notes</TITLE>
+ <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.21">
+ <TITLE>Squid 3.0.PRE4 release notes</TITLE>
</HEAD>
<BODY>
-<H1>Squid 3.0 release notes</H1>
+<H1>Squid 3.0.PRE4 release notes</H1>
-<H2>Squid Developers</H2>$Id: release-3.0.html,v 1.2 2003/09/06 10:55:57 hno Exp $
+<H2>Squid Developers</H2>$Id: release-3.0.html,v 1.3 2006/06/19 22:45:48 hno Exp $
<HR>
<EM>This document contains the release notes for version 3.0 of Squid.
Squid is a WWW Cache application developed by the National Laboratory
for Applied Network Research and members of the Web Caching community.</EM>
<HR>
-<H2><A NAME="s1">1. Key changes from squid 2.5:</A></H2>
+<H2><A NAME="s1">1. Notice</A></H2>
+<P>The Squid Team are pleased to announce the release of Squid-3.0.PRE4 for pre-release testing.</P>
+<P>This new release is available for download from
+<A HREF="http://www.squid-cache.org/Versions/v3/3.0/">http://www.squid-cache.org/Versions/v3/3.0/</A> or the
+<A HREF="http://www.squid-cache.org/Mirrors/http-mirrors.html">mirrors</A>.</P>
+<P>This is the first PRE release since August 2003, and marks a renewed effort to push Squid-3.0 through to STABLE.</P>
+<P>While this release is not deemed ready for production use, we believe it is ready for wider testing by the community</P>
+<P>We welcome feedback and bug reports. If you find a bug, please see
+<A HREF="http://www.squid-cache.org/Doc/FAQ/FAQ-11.html#ss11.19">http://www.squid-cache.org/Doc/FAQ/FAQ-11.html#ss11.19</A> for how to submit a report with a stack trace.</P>
+
+
+<H2><A NAME="s2">2. Known issues</A></H2>
+
+<P>Although this release is deemed good enough for testing in many setups, please note the existence of
+<A HREF="http://www.squid-cache.org/bugs/buglist.cgi?query_format=advanced&short_desc_type=allwordssubstr&short_desc=&target_milestone=3.0&long_desc_type=allwordssubstr&long_desc=&bug_file_loc_type=allwordssubstr&bug_file_loc=&status_whiteboard_type=allwordssubstr&status_whiteboard=&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&emailtype1=substring&email1=&emailtype2=substring&email2=&bugidtype=include&bug_id=&votes=&chfieldfrom=&chfieldto=Now&chfieldvalue=&cmdtype=doit&order=bugs.bug_severity&field0-0-0=noop&type0-0-0=noop&value0-0-0=">open bugs against Squid-3.0</A>.</P>
+<P>In particular, ESI may still be too buggy for meaningful testing at this stage.</P>
+
+
+<H2><A NAME="s3">3. Changes since Squid-2.5.STABLE14</A></H2>
+
+<H2><A NAME="ss3.1">3.1 Major new features</A>
+</H2>
+
+<P>Squid 3.0 represents a major rewrite of Squid 2.5 and has a large number of new features.</P>
+<P>The most important of these are:</P>
<P>
<UL>
-<LI>Convert core squid source to C++ (Robert Collins).</LI>
-<LI>http_port optional, allowing for SSL-only operation. Squid will refuse to start unless at least one port is defined. (Henrik Nordström).</LI>
-<LI>Ability to read the configuration file from an external program pipe (Henrik Nordström).</LI>
-<LI>Major cleanup or CARP. Now plays well with the other peering algorithms as just another non-ICP peering method. This also allows CARP support to be compiled by default with no need to recompile Squid to use CARP (Henrik Nordström)</LI>
-<LI>Class 4 delay pools - user specific buckets. (Robert Collins).</LI>
-<LI>Comms layer refactored to increase efficiency (Adrian Chadd).</LI>
-<LI>epoll support (David Nicklay)</LI>
-<LI>kqueue support (Adrian Chadd)</LI>
-<LI>Range processing moved from client side to both client and server (Robert Collins).</LI>
-<LI>Added support for sys/bitypes.h, apparently needed for some of the bittypes on tru64 and possibly others. (Henrik Nordström)</LI>
-<LI>Edge Side Include implementation (www.esi.org). (Robert Collins).</LI>
-<LI>Reduce the depth of recursion in make, improving make -j performance. (Robert Collins)</LI>
-<LI>Cleanup of the relation between accelerated request and transparently intercepted request. The two are now handled separately from each other.
-This fixes two issues:
-<UL>
-<LI>Transparently intercepted requests is no longer under the restrictions of accelerated requests in peering relations etc..</LI>
-<LI>No risk of confusion in authentication. Authentication is now allowed for accelerated requests but not transparently intercepted requests.</LI>
-</UL>
- (Henrik Nordström)</LI>
-<LI>Change --disable-hostname-checks to --enable-hostname-checks, default to not verify hostname sanity. (Henrik Nordström)</LI>
-<LI>also removed the dot magics from hostname parsing. These are more evil than helpful and breaks semantic transparency in certain configurations. (Henrik Nordström)</LI>
-<LI>added reporting of "Process Data Segment Size via sbrk()" when sbrk() call exists. According to the sbrk() man page, calling sbrk(0) returns the end of the data segment. By storing the data segment offset when Squid starts, we can report the size of the data segment at any time. This might be a better metric than getrusage()'s MAX RSS, which, in my experience, is often less than the process size reported by 'ps' (presumably because some of the processes memory is swapped to disk). However, initial tests show that the sbrk() trick reports a value slightly smaller than reported by 'ps'. (Duane Wessels)</LI>
-<LI>failure_ratio is a ratio, not a percentage. Removed %% from printf. (Duane Wessels)</LI>
-<LI>Start using inline C and C++ code via .cci source files. This defaults to inlined, with a configure option to disable for troubleshooting or development. (Robert Collins).</LI>
-<LI>Better MacOSX support (Robert Collins, Adrian Chadd, Henrik Nordström)</LI>
-<LI>--with-filedescriptors=XX configure option (Francesco Chemolli)</LI>
-<LI>UNIX domain IPC now used by default for helpers, no loger relying on TCP/IP sockets via loopback. (Henrik Nordström)</LI>
-<LI>Removed potentially dangerous debugging related configure options. Developers know how to edit configure.in or set defines. (Henrik Nordström)</LI>
-<LI>--enable-large-files to enable support for large files (>2GB) on 32-bit GNU libc systems. (Henrik Nordström)</LI>
-<LI>Digest auth helper improvements (Robert Collins, Sean Burford)</LI>
-<LI>Digest authentication scheme bugfixs & improvements (Robert Collins)</LI>
-<LI>accelerator mode cleaned up, using the design from the rproxy development branch
-<UL>
-<LI>The httpd_accel_* directives is now gone, replaced by http(s)_port options and cache_peer based request forwarding.</LI>
-<LI>The http(s)_port options has a list of new options for controlling the type and mode of port created with respect to
-<UL>
-<LI>transparent proxying</LI>
-<LI>plain acceleration</LI>
-<LI>host header based acceleration</LI>
-<LI>normal proxying (default)</LI>
-</UL>
-</LI>
-<LI>To enforce a reasonable level of security in accelerators, accelerated requests are denied to go direct unless forced by always_direct.</LI>
-</UL>
-(Henrik Nordström)</LI>
-<LI>Cache manager auth helper output tidyup (Duane Wessels).</LI>
-<LI>Native Windows port enhancements:
-<UL>
-<LI>Another fix for profiling support</LI>
-<LI>Added correct timezone handling</LI>
-<LI>Fixed rotate problem</LI>
-<LI>Added native Windows support to client.cc</LI>
-<LI>This patch add the native Windows support for profiling and fix some C++/C include files problems.</LI>
-<LI>Support for Windows .NET (5.2). </LI>
-<LI>Added native Windows and Cygwin support to pinger.cc</LI>
-<LI>Introduced the use of IPPROTO_TCP and IPPROTO_UDP defines instead of '0' on comm_open, needed by Winsocket. See this old squid-dev thread about http://www.squid-cache.org/mail-archive/squid-dev/200108/0162.html.</LI>
-<LI>Added native Windows support to cachemgr.cc</LI>
-<LI>Added native Windows support to dnsserver.cc</LI>
-<LI>On Windows, fork() is not available, so we need to use a workaround in store_dir.cc for create store directories sequentially</LI>
-</UL>
-By Guido Serassio.</LI>
-<LI>SSL support update
-<UL>
-<LI>SSL encrypted peers</LI>
-<LI>https:// gatewaying/proxying for clients not supporting SSL or URLs rewritten via a redirector to https://...</LI>
-<LI>Client certificate support</LI>
-<LI>Hardware crypto SSL acceleration support via OpenSSL engine</LI>
-<LI>SSL key/certificate now read while parsing squid.conf to support secure key protection in combination with chroot..</LI>
-<LI>A few minor bugfixes/optimizations</LI>
-</UL>
-(Henrik Nordström)</LI>
-<LI>--enable-default-hostsfile configure option by Guido Serassio. Tells the default /etc/hosts file location</LI>
-<LI>New squid.conf directive to disable hostname verifications. It isn't really our business to enforce what characters is used in hostnames. (Henrik Nordström).</LI>
-<LI>Peering enhancement options for satellite or other high latency links by Robert Cohen.</LI>
-<LI>Cleanup of authentication forwarding, and added authentication gatewaying proxy->reverseproxy when the same Squid is acting as both proxy and reverseproxy with authentication. (Henrik Nordström)</LI>
-<LI>The mailto links on Squid's ERR pages now contain data about the cccurred error by default, so that the email will contain this data in its body. This feature can be disabled via the email_err_data directive. (Clemens Löser)</LI>
-<LI>pipeline_prefetch is disabled and known to be broken due to internal store_client_copy() change (Henrik Nordström)</LI>
-<LI>ncsa_auth extened with support for MD5 hashes. (Henrik Nordström)</LI>
-<LI>Complain if open of /dev/null fails; avoids infinite loop in ipcCreate() and gives a correct error message should this occur.</LI>
-<LI>Properly quote the quoting character '%' in log_quote() and username_quote().</LI>
-<LI>in icmpRecv(), Handle the case when recv() returns EAGAIN and do not treat it like an error.</LI>
-<LI>Update squid to build with gcc/g++ 3.3 with no warnings.</LI>
-<LI>wb_group updated to support domain qualified groups (Guido Serassio)</LI>
-<LI>most helper interfaces now support multiple overlapping requests (external_acl_type, redirect_program, basic auth).</LI>
-<LI>custom log formats, and the ability to log different requests to different log files.</LI>
-<LI>ext_user acl type added for matching the user name returned by external acls. Not longer abusing the ident acl for this purpose</LI>
-<LI>external_acl extended with soft timeouts</LI>
-<LI>external_acl can optionally return information to be logged in access.log</LI>
-<LI>Requests denied due to 'http_reply_access' are now logged with TCP_DENIED_REPLY.</LI>
-<LI>Added counters for HTCP messages sent and received, reported in 'info' cache manager page.</LI>
-<LI>Fixed 'ICP dynamic timeout algorithm ignores multicast' bug</LI>
-<LI>Bug #743: "#ifdef HTTP_VIOLATIONS" should be "#if HTTP_VIOLATIONS"</LI>
+<LI>Edge Side Include implementation (www.esi.org)</LI>
+<LI>ICAP implementation (www.i-cap.org)</LI>
+<LI>Better support for reverse proxy setups. The httpd_accel_* directives are now gone, replaced by http(s)_port options and cache_peer based request forwarding</LI>
+<LI>Better support for SSL</LI>
+<LI>Better support for external ACLs</LI>
+<LI>Finer control over cacheability (refresh_pattern)</LI>
+<LI>Custom log formats and the ability to log different requests to different log files</LI>
</UL>
</P>
+<P>Most user-facing changes are reflected in squid.conf (see below).</P>
+
+<H2><A NAME="ss3.2">3.2 Logging changes</A>
+</H2>
-<H2><A NAME="s2">2. Changes to squid.conf</A></H2>
+<H3>access.log</H3>
+<P>The TCP_REFRESH_HIT and TCP_REFRESH_MISS log types have been replaced because they were misleading (all refreshes need to query the origin server, so they could never be hits). The following log types have been introduced to replace them:</P>
<P>
<DL>
-<DT><B>read_ahead_gap</B><DD><P>Config directive by Jeffrey D. Wheelhouse. Allows the read-ahead gap to be configured from squid.conf (previously hardcoded at 16 KB)</P>
-<DT><B>request_entities</B><DD><P>New squid.conf directive "request_entities on/off".If set to "on" then Squid will allow GET/HEAD requests with request entities, even if such entites are "undefined" in the HTTP specification. (Henrik Nordström)</P>
-<DT><B>cache_peer</B><DD><P>New options for reverse proxy setups
+<DT><B>TCP_REFRESH_UNMODIFIED</B><DD><P>The requested object was cached but STALE. The IMS query for the object resulted in "304 not modified".</P>
+<DT><B>TCP_REFRESH_MODIFIED</B><DD><P>The requested object was cached but STALE. The IMS query returned the new content.
+</P>
+</DL>
+</P>
+<P>See
+<A HREF="http://www.squid-cache.org/Doc/FAQ/FAQ-6.html#ss6.7">http://www.squid-cache.org/Doc/FAQ/FAQ-6.html#ss6.7</A> for a definition of all log types.</P>
+
+
+
+
+<H2><A NAME="ss3.3">3.3 Changes to squid.conf</A>
+</H2>
+
+<P>There have been many changes to Squid's configuration file since Squid-2.5.</P>
+<P>This section gives a thorough account of those changes in three categories:</P>
+<P>
<UL>
-<LI>originserver</LI>
-<LI>name=XXX</LI>
-<LI>forceddomain=XXX</LI>
+<LI>
+<A HREF="#newtags">New tags</A></LI>
+<LI>
+<A HREF="#modifiedtags">Changes to existing tags</A></LI>
+<LI>
+<A HREF="#removedtags">Removed tags</A></LI>
</UL>
</P>
-<DT><B>https_port</B><DD><P>Many new SSL options
+
+
+
+
+
+<H3><A NAME="newtags"></A> New tags</H3>
+
+<P>
<DL>
-<DT><B>dhparams=/path/to/file.pem</B><DD><P>https_port option to specify DH parameters for forward-secrecy in encryption. (Henrik Nordström)</P>
-<DT><B>clientca= etc</B><DD><P>specifies which CA to accept client certificates from</P>
-<DT><B>defaultsite</B><DD><P>specifies the accelerated site name</P>
-</DL>
+<DT><B>ssl_engine</B><DD><P>
+<PRE>
+Default: none
+
+The openssl engine to use. You will need to set this if you
+would like to use hardware SSL acceleration for example.
+
+</PRE>
+</P>
+<DT><B>sslproxy_client_certificate</B><DD><P>
+<PRE>
+Default: none
+
+Client SSL Certificate to use when proxying https:// URLs
+
+</PRE>
+</P>
+<DT><B>sslproxy_client_key</B><DD><P>
+<PRE>
+Default: none
+
+Client SSL Key to use when proxying https:// URLs
+
+</PRE>
+</P>
+<DT><B>sslproxy_version</B><DD><P>
+<PRE>
+Default: 1
+
+SSL version level to use when proxying https:// URLs
+
+</PRE>
+</P>
+<DT><B>sslproxy_options</B><DD><P>
+<PRE>
+Default: none
+
+SSL engine options to use when proxying https:// URLs
+
+</PRE>
+</P>
+<DT><B>sslproxy_cipher</B><DD><P>
+<PRE>
+Default: none
+
+SSL cipher list to use when proxying https:// URLs
+
+</PRE>
+</P>
+<DT><B>sslproxy_cafile</B><DD><P>
+<PRE>
+Default: none
+
+file containing CA certificates to use when verifying server
+certificates while proxying https:// URLs
+
+</PRE>
+</P>
+<DT><B>sslproxy_capath</B><DD><P>
+<PRE>
+Default: none
+
+directory containing CA certificates to use when verifying
+server certificates while proxying https:// URLs
+
+</PRE>
+</P>
+<DT><B>sslproxy_flags</B><DD><P>
+<PRE>
+Default: none
+
+Various flags modifying the use of SSL while proxying https:// URLs:
+ DONT_VERIFY_PEER Accept certificates even if they fail to
+verify.
+ NO_DEFAULT_CA Don't use the default CA list built in
+to OpenSSL.
+
+</PRE>
+</P>
+<DT><B>sslpassword_program</B><DD><P>
+<PRE>
+Default: none
+
+Specify a program used for entering SSL key passphrases
+when using encrypted SSL certificate keys. If not specified
+keys must either be unencrypted, or Squid started with the -N
+option to allow it to query interactively for the passphrase.
+
+</PRE>
+</P>
+<DT><B>minimum_icp_query_timeout (msec)</B><DD><P>
+<PRE>
+Default: 5
+
+Normally the ICP query timeout is determined dynamically. But
+sometimes it can lead to very small timeouts, even lower than
+the normal latency variance on your link due to traffic.
+Use this option to put an lower limit on the dynamic timeout
+value. Do NOT use this option to always use a fixed (instead
+of a dynamic) timeout value. To set a fixed timeout see the
+'icp_query_timeout' directive.
+
+</PRE>
+</P>
+<DT><B>background_ping_rate</B><DD><P>
+<PRE>
+Default: 10 seconds
+
+Controls how often the ICP pings are sent to siblings that
+have background-ping set.
+
+</PRE>
+</P>
+<DT><B>logformat</B><DD><P>
+<PRE>
+Default: none
+
+Usage:
+
+logformat <name> <format specification>
+
+Defines an access log format.
+
+The <format specification> is a string with embedded % format codes
+
+% format codes all follow the same basic structure where all but
+the formatcode is optional. Output strings are automatically escaped
+as required according to their context and the output format
+modifiers are usually not needed, but can be specified if an explicit
+output format is desired.
+
+% ["|[|'|#] [-] [[0]width] [{argument}] formatcode
+
+" output in quoted string format
+[ output in squid text log format as used by log_mime_hdrs
+# output in URL quoted format
+' output as-is
+
+- left aligned
+width field width. If starting with 0 the
+output is zero padded
+{arg} argument such as header name etc
+
+Format codes:
+
+>a Client source IP address
+>A Client FQDN
+<A Server IP address or peer name
+la Local IP address (http_port)
+lp Local port number (http_port)
+ts Seconds since epoch
+tu subsecond time (milliseconds)
+tl Local time. Optional strftime format argument
+default %d/%b/%Y:%H:%M:S %z
+tg GMT time. Optional strftime format argument
+default %d/%b/%Y:%H:%M:S %z
+tr Response time (milliseconds)
+>h Request header. Optional header name argument
+on the format header[:[separator]element]
+<h Reply header. Optional header name argument
+as for >h
+un User name
+ul User login
+ui User ident
+ue User from external acl
+Hs HTTP status code
+Ss Squid request status (TCP_MISS etc)
+Sh Squid hierarchy status (DEFAULT_PARENT etc)
+mt MIME content type
+rm Request method (GET/POST etc)
+ru Request URL
+rv Request protocol version
+et Tag returned by external acl
+ea Log string returned by external acl
+<st Reply size including HTTP headers
+<sH Reply high offset sent
+<sS Upstream object size
+% a literal % character
+
+logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
+logformat squidmime %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
+logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
+logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
+
+</PRE>
+</P>
+<DT><B>check_hostnames on|off</B><DD><P>
+<PRE>
+Default: on
+
+For security and stability reasons Squid by default checks
+hostnames for Internet standard RFC compliance. If you do not want
+Squid to perform these checks turn this directive off.
+
+</PRE>
+</P>
+<DT><B>url_rewrite_concurrency redirect_concurrency</B><DD><P>
+<PRE>
+Default: 0
+
+The number of requests each redirector helper can handle in
+parallell. Defaults to 0 which indicates the redirector
+is a old-style singlethreaded redirector.
+
+</PRE>
+</P>
+<DT><B>read_ahead_gap</B><DD><P>
+<PRE>
+Default: 16 KB
+
+The amount of data the cache will buffer ahead of what has been
+sent to the client when retrieving an object from another server.
+
+</PRE>
+</P>
+<DT><B>log_access allow|deny acl acl...</B><DD><P>
+<PRE>
+Default: none
+
+This options allows you to control which requests gets logged
+to access.log (see access_log directive). Requests denied for
+logging will also not be accounted for in performance counters.
+
+</PRE>
+</P>
+<DT><B>httpd_suppress_version_string on|off</B><DD><P>
+<PRE>
+Default: off
+
+Suppress Squid version string info in HTTP headers and HTML error pages.
+
+</PRE>
+</P>
+<DT><B>httpd_accel_surrogate_id</B><DD><P>
+<PRE>
+Default: unset
+
+Surrogates (http://www.esi.org/architecture_spec_1.0.html)
+need an identification token to allow control targeting. Because
+a farm of surrogates may all perform the same tasks, they may share
+an identification token.
+
+</PRE>
+</P>
+<DT><B>http_accel_surrogate_remote on|off</B><DD><P>
+<PRE>
+Default: off
+
+Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote.
+Set this to on to have squid behave as a remote surrogate.
+
+</PRE>
+</P>
+<DT><B>esi_parser libxml2|expat|custom</B><DD><P>
+<PRE>
+Default: custom
+
+ESI markup is not strictly XML compatible. The custom ESI parser
+will give higher performance, but cannot handle non ASCII character
+encodings.
+
+</PRE>
+</P>
+<DT><B>email_err_data on|off</B><DD><P>
+<PRE>
+Default: on
+
+If enabled, information about the occurred error will be
+included in the mailto links of the ERR pages (if %W is set)
+so that the email body contains the data.
+Syntax is <A HREF="mailto:%w%W">%w</A>
+
+</PRE>
+</P>
+<DT><B>via on|off</B><DD><P>
+<PRE>
+Default: on
+
+If set (default), Squid will include a Via header in requests and
+replies as required by RFC2616.
+
+</PRE>
+</P>
+<DT><B>refresh_all_ims on|off</B><DD><P>
+<PRE>
+Default: off
+
+When you enable this option, squid will always check
+the origin server for an update when a client sends an
+If-Modified-Since request. Many browsers use IMS
+requests when the user requests a reload, and this
+ensures those clients receive the latest version.
+
+By default (off), squid may return a Not Modified response
+based on the age of the cached version.
+
+</PRE>
+</P>
+<DT><B>request_header_access</B><DD><P>
+<PRE>
+Default: none
+
+Usage: request_header_access header_name allow|deny [!]aclname ...
+
+WARNING: Doing this VIOLATES the HTTP standard. Enabling
+this feature could make you liable for problems which it
+causes.
+
+This option replaces the old 'anonymize_headers' and the
+older 'http_anonymizer' option with something that is much
+more configurable. This new method creates a list of ACLs
+for each header, allowing you very fine-tuned header
+mangling.
+
+This option only applies to request headers, i.e., from the
+client to the server.
+
+You can only specify known headers for the header name.
+Other headers are reclassified as 'Other'. You can also
+refer to all the headers with 'All'.
+
+For example, to achieve the same behavior as the old
+'http_anonymizer standard' option, you should use:
+
+request_header_access From deny all
+request_header_access Referer deny all
+request_header_access Server deny all
+request_header_access User-Agent deny all
+request_header_access WWW-Authenticate deny all
+request_header_access Link deny all
+
+Or, to reproduce the old 'http_anonymizer paranoid' feature
+you should use:
+
+request_header_access Allow allow all
+request_header_access Authorization allow all
+request_header_access WWW-Authenticate allow all
+request_header_access Proxy-Authorization allow all
+request_header_access Proxy-Authenticate allow all
+request_header_access Cache-Control allow all
+request_header_access Content-Encoding allow all
+request_header_access Content-Length allow all
+request_header_access Content-Type allow all
+request_header_access Date allow all
+request_header_access Expires allow all
+request_header_access Host allow all
+request_header_access If-Modified-Since allow all
+request_header_access Last-Modified allow all
+request_header_access Location allow all
+request_header_access Pragma allow all
+request_header_access Accept allow all
+request_header_access Accept-Charset allow all
+request_header_access Accept-Encoding allow all
+request_header_access Accept-Language allow all
+request_header_access Content-Language allow all
+request_header_access Mime-Version allow all
+request_header_access Retry-After allow all
+request_header_access Title allow all
+request_header_access Connection allow all
+request_header_access Proxy-Connection allow all
+request_header_access All deny all
+
+although many of those are HTTP reply headers, and so should be
+controlled with the reply_header_access directive.
+
+By default, all headers are allowed (no anonymizing is
+performed).
+
+</PRE>
+</P>
+<DT><B>reply_header_access</B><DD><P>
+<PRE>
+Default: none
+
+Usage: reply_header_access header_name allow|deny [!]aclname ...
+
+WARNING: Doing this VIOLATES the HTTP standard. Enabling
+this feature could make you liable for problems which it
+causes.
+
+This option only applies to reply headers, i.e., from the
+server to the client.
+
+This is the same as request_header_access, but in the other
+direction.
+
+This option replaces the old 'anonymize_headers' and the
+older 'http_anonymizer' option with something that is much
+more configurable. This new method creates a list of ACLs
+for each header, allowing you very fine-tuned header
+mangling.
+
+You can only specify known headers for the header name.
+Other headers are reclassified as 'Other'. You can also
+refer to all the headers with 'All'.
+
+For example, to achieve the same behavior as the old
+'http_anonymizer standard' option, you should use:
+
+reply_header_access From deny all
+reply_header_access Referer deny all
+reply_header_access Server deny all
+reply_header_access User-Agent deny all
+reply_header_access WWW-Authenticate deny all
+reply_header_access Link deny all
+
+Or, to reproduce the old 'http_anonymizer paranoid' feature
+you should use:
+
+reply_header_access Allow allow all
+reply_header_access Authorization allow all
+reply_header_access WWW-Authenticate allow all
+reply_header_access Proxy-Authorization allow all
+reply_header_access Proxy-Authenticate allow all
+reply_header_access Cache-Control allow all
+reply_header_access Content-Encoding allow all
+reply_header_access Content-Length allow all
+reply_header_access Content-Type allow all
+reply_header_access Date allow all
+reply_header_access Expires allow all
+reply_header_access Host allow all
+reply_header_access If-Modified-Since allow all
+reply_header_access Last-Modified allow all
+reply_header_access Location allow all
+reply_header_access Pragma allow all
+reply_header_access Accept allow all
+reply_header_access Accept-Charset allow all
+reply_header_access Accept-Encoding allow all
+reply_header_access Accept-Language allow all
+reply_header_access Content-Language allow all
+reply_header_access Mime-Version allow all
+reply_header_access Retry-After allow all
+reply_header_access Title allow all
+reply_header_access Connection allow all
+reply_header_access Proxy-Connection allow all
+reply_header_access All deny all
+
+although the HTTP request headers won't be usefully controlled
+by this directive -- see request_header_access for details.
+
+By default, all headers are allowed (no anonymizing is
+performed).
+
+</PRE>
+</P>
+<DT><B>minimum_expiry_time</B><DD><P>
+<PRE>
+Default: 60 seconds
+
+The minimum caching time according to (Expires - Date)
+Headers Squid honors if the object can't be revalidated
+defaults to 60 seconds. In reverse proxy enorinments it
+might be desirable to honor shorter object lifetimes. It
+is most likely better to make your server return a
+meaningful Last-Modified header however. In ESI environments
+where page fragments often have short lifetimes, this will
+often be best set to 0.
+
+</PRE>
+</P>
+<DT><B>icap_enable on|off</B><DD><P>
+<PRE>
+Default: off
+
+If you want to enable the ICAP module support, set this to on.
+
+</PRE>
+</P>
+<DT><B>icap_preview_enable on|off</B><DD><P>
+<PRE>
+Default: off
+
+Set this to 'on' if you want to enable the ICAP preview
+feature in Squid.
+
+</PRE>
+</P>
+<DT><B>icap_preview_size</B><DD><P>
+<PRE>
+Default: -1
+
+The default size of preview data to be sent to the ICAP server.
+-1 means no preview. This value might be overwritten on a per server
+basis by OPTIONS requests.
+
+</PRE>
+</P>
+<DT><B>icap_default_options_ttl (seconds)</B><DD><P>
+<PRE>
+Default: 60
+
+The default TTL value for ICAP OPTIONS responses that don't have
+an Options-TTL header.
+
+</PRE>
+</P>
+<DT><B>icap_persistent_connections on|off</B><DD><P>
+<PRE>
+Default: on
+
+Whether or not Squid should use persistent connections to
+an ICAP server.
+
+</PRE>
+</P>
+<DT><B>icap_send_client_ip on|off</B><DD><P>
+<PRE>
+Default: off
+
+This adds the header "X-Client-IP" to ICAP requests.
+
+</PRE>
+</P>
+<DT><B>icap_send_client_username on|off</B><DD><P>
+<PRE>
+Default: off
+
+This adds the header "X-Client-Username" to ICAP requests
+if proxy access is authentified.
+
+</PRE>
+</P>
+<DT><B>icap_service</B><DD><P>
+<PRE>
+Default: none
+
+Defines a single ICAP service
+
+icap_service servicename vectoring_point bypass service_url
+
+vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
+This specifies at which point of request processing the ICAP
+service should be plugged in.
+bypass = 1|0
+If set to 1 and the ICAP server cannot be reached, the request will go
+through without being processed by an ICAP server
+service_url = icap://servername:port/service
+
+Note: reqmod_precache and respmod_postcache is not yet implemented
+
+Example:
+icap_service service_1 reqmod_precache 0 icap://icap1.mydomain.net:1344/reqmod
+icap_service service_2 respmod_precache 0 icap://icap2.mydomain.net:1344/respmod
+
+</PRE>
+</P>
+<DT><B>icap_class</B><DD><P>
+<PRE>
+Default: none
+
+Defines an ICAP service chain. If there are multiple services per
+vectoring point, they are processed in the specified order.
+
+icap_class classname servicename...
+
+Example:
+icap_class class_1 service_1 service_2
+icap class class_2 service_1 service_3
+
+</PRE>
+</P>
+<DT><B>icap_access</B><DD><P>
+<PRE>
+Default: none
+
+Redirects a request through an ICAP service class, depending
+on given acls
+
+icap_access classname allow|deny [!]aclname...
+
+The icap_access statements are processed in the order they appear in
+this configuration file. If an access list matches, the processing stops.
+For an "allow" rule, the specified class is used for the request. A "deny"
+rule simply stops processing without using the class. You can also use the
+special classname "None".
+
+For backward compatibility, it is also possible to use services
+directly here.
+
+Example:
+icap_access class_1 allow all
+
+</PRE>
</P>
-<DT><B>http(s)_port</B><DD><P>Many new options to control acceleration, transparent proxying etc</P>
-<DT><B>header_replace</B><DD><P>This is now dependent on --disable-http-violations (Henrik Nordström) </P>
-<DT><B>email_err_data</B><DD><P>Allow disabling the data now embedded in the mailto links on Squid's ERR pages.</P>
-<DT><B>reply_body_max_size</B><DD><P>No longer uses allow/deny. Instead it is specified as a size followed by acl elements. The size "none" can be used for no limit (the default)</P>
-<DT><B>external_acl_type</B><DD><P>The argument which was named concurrenty= in Squid-2.5 is now named children=. concurrency= has a different meaing in Squid-3.0 and your external acls will not work until updated.</P>
-<DT><B>ext_user acl</B><DD><P>this acl matches the username returned by external acl. ident can no longer be used for this purpose.</P>
-<DT><B>access_log</B><DD><P>The access_log directive now optionally includes specifications on what log format to use and acls matching which requests to log. Can be specified multiple times to log different requests to different files.</P>
-<DT><B>logformat</B><DD><P>new directive to define custom log formats</P>
-<DT><B>httpd_accel_*</B><DD><P>These directives have been replaced by http(s)_port options and cache_peer based request forwarding. Note that you can no longer run proxy and acceleration mode on the same port. If you previously did this you now need to define two ports, one for acceleration, one for proxying.</P>
</DL>
</P>
-<H2><A NAME="s3">3. Known limitations</A></H2>
+
+<H3><A NAME="modifiedtags"></A> Changes to existing tags</H3>
<P>
-<UL>
-<LI>SSL Acceleration Support - CRL's are not currently supported. The design has been completed, but time to implement is missing - contact squid-dev@squid-cache.org for more details.</LI>
-<LI>tcp_outgoing_addr/tos uses "fast" ACL checks and is somewhat limited in what kind of acl types you may use. Probably only src/my_port/my_addr/dstdomain/method/port/url* acl types is reliable.</LI>
-<LI>reply_body_max_size is uses "fast" ACL checks and may occationally fail on acls which may require external lookups (dst/srcdomain/external).</LI>
-</UL>
+<DL>
+<DT><B>http_port</B><DD><P>New options:
+<PRE>
+ transparent Support for transparent proxies
+
+ accel Accelerator mode. Also set implicit by the other accelerator directives
+
+ vhost Accelerator mode using Host header for virtual domain support
+
+ vport Accelerator with IP based virtual host support
+
+ vport=NN As above, but uses specified port number rather
+ than the http_port number
+
+ defaultsite= Main web site name for accelerators
+
+ protocol= Protocol to reconstruct accelerated requests with.
+ Defaults to http
+
+ disable-pmtu-discovery=
+ Control Path-MTU discovery usage:
+ off lets OS decide on what to do (default).
+ transparent disable PMTU discovery when transparent support is enabled.
+ always disable always PMTU discovery.
+
+ In many setups of transparently intercepting proxies Path-MTU
+ discovery can not work on traffic towards the clients. This is
+ the case when the intercepting device does not fully track
+ connections and fails to forward ICMP must fragment messages
+ to the cache server. If you have such setup and experience that
+ certain clients sporadically hang or never complete requests set
+ disable-pmtu-discovery option to 'transparent'.
+
+</PRE>
+</P>
+<DT><B> https_port</B><DD><P>New options:
+<PRE>
+ defaultsite= The name of the https site presented on this port
+
+ protocol= Protocol to reconstruct accelerated requests
+ with. Defaults to https
+
+ options= Various SSL engine options. The most important
+ being:
+ NO_SSLv2 Disallow the use of SSLv2
+ NO_SSLv3 Disallow the use of SSLv3
+ NO_TLSv1 Disallow the use of TLSv1
+ SINGLE_DH_USE Always create a new key when using
+ temporary/ephemeral DH key exchanges
+ See src/ssl_support.c or OpenSSL SSL_CTX_set_options
+ documentation for a complete list of options
+
+ clientca= File containing the list of CAs to use when
+ requesting a client certificate
+
+ cafile= File containing additional CA certificates to
+ use when verifying client certificates. If unset
+ clientca will be used
+
+ capath= Directory containing additional CA certificates
+ and CRL lists to use when verifying client certificates
+
+ crlfile= File of additional CRL lists to use when verifying
+ the client certificate, in addition to CRLs stored in
+ the capath. Implies VERIFY_CRL flag below.
+
+ dhparams= File containing DH parameters for temporary/ephemeral
+ DH key exchanges
+
+ sslflags= Various flags modifying the use of SSL:
+ DELAYED_AUTH
+ Don't request client certificates
+ immediately, but wait until acl processing
+ requires a certificate (not yet implemented)
+ NO_DEFAULT_CA
+ Don't use the default CA lists built in
+ to OpenSSL
+ NO_SESSION_REUSE
+ Don't allow for session reuse. Each connection
+ will result in a new SSL session.
+ VERIFY_CRL
+ Verify CRL lists when accepting client
+ certificates
+ VERIFY_CRL_ALL
+ Verify CRL lists for all certificates in the
+ client certificate chain
+
+ sslcontext= SSL session ID context identifier.
+
+ accelAccelerator mode. Also set implicit by the other
+ accelerator directives
+
+ vhostAccelerator mode using Host header for virtual
+ domain support
+
+ vportAccelerator with IP based virtual host support
+
+ vport=NN As above, but uses specified port number rather
+ than the https_port number
+
+</PRE>
+</P>
+<DT><B>cache_peer</B><DD><P>New options:
+<PRE>
+ basetime=n
+ background-ping
+ weighted-round-robin
+ carp
+ htcp-oldsquid
+ originserver
+ name=xxx
+ forceddomain=name
+ ssl
+ sslcert=/path/to/ssl/certificate
+ sslkey=/path/to/ssl/key
+ sslversion=1|2|3|4
+ sslcipher=...
+ ssloptions=...
+ front-end-https[=on|auto]
+
+
+ use 'basetime=n' to specify a base amount to
+ be subtracted from round trip times of parents.
+ It is subtracted before division by weight in calculating
+ which parent to fectch from. If the rtt is less than the
+ base time the rtt is set to a minimal value.
+
+ use 'background-ping' to only send ICP queries to this
+ neighbor infrequently. This is used to keep the neighbor
+ round trip time updated and is usually used in
+ conjunction with weighted-round-robin.
+
+ use 'weighted-round-robin' to define a set of parents
+ which should be used in a round-robin fashion with the
+ frequency of each parent being based on the round trip
+ time. Closer parents are used more often.
+ Usually used for background-ping parents.
+
+ use 'carp' to define a set of parents which should
+ be used as a CARP array. The requests will be
+ distributed among the parents based on the CARP load
+ balancing hash function based on their weigth.
+
+ use 'htcp-oldsquid' to send HTCP to old Squid versions
+
+ 'originserver' causes this parent peer to be contacted as
+ a origin server. Meant to be used in accelerator setups.
+
+ use 'name=xxx' if you have multiple peers on the same
+ host but different ports. This name can be used to
+ differentiate the peers in cache_peer_access and similar
+ directives.
+
+ use 'forceddomain=name' to forcibly set the Host header
+ of requests forwarded to this peer. Useful in accelerator
+ setups where the server (peer) expects a certain domain
+ name and using redirectors to feed this domainname
+ is not feasible.
+
+ use 'ssl' to indicate connections to this peer should
+ bs SSL/TLS encrypted.
+
+ use 'sslcert=/path/to/ssl/certificate' to specify a client
+ SSL certificate to use when connecting to this peer.
+
+ use 'sslkey=/path/to/ssl/key' to specify the private SSL
+ key corresponding to sslcert above. If 'sslkey' is not
+ specified 'sslcert' is assumed to reference a
+ combined file containing both the certificate and the key.
+
+ use sslversion=1|2|3|4 to specify the SSL version to use
+ when connecting to this peer
+ 1 = automatic (default)
+ 2 = SSL v2 only
+ 3 = SSL v3 only
+ 4 = TLS v1 only
+
+ use sslcipher=... to specify the list of valid SSL chipers
+ to use when connecting to this peer
+
+ use ssloptions=... to specify various SSL engine options:
+ NO_SSLv2 Disallow the use of SSLv2
+ NO_SSLv3 Disallow the use of SSLv3
+ NO_TLSv1 Disallow the use of TLSv1
+ See src/ssl_support.c or the OpenSSL documentation for
+ a more complete list.
+
+ use cafile=... to specify a file containing additional
+ CA certificates to use when verifying the peer certificate
+
+ use capath=... to specify a directory containing additional
+ CA certificates to use when verifying the peer certificate
+
+ use sslflags=... to specify various flags modifying the
+ SSL implementation:
+ DONT_VERIFY_PEER
+ Accept certificates even if they fail to
+ verify.
+ NO_DEFAULT_CA
+ Don't use the default CA list built in
+ to OpenSSL.
+ DONT_VERIFY_DOMAIN
+ Don't verify the peer certificate
+ matches the server name
+
+ use sslname= to specify the peer name as advertised
+ in it's certificate. Used for verifying the correctness
+ of the received peer certificate. If not specified the
+ peer hostname will be used.
+
+ use front-end-https to enable the "Front-End-Https: On"
+ header needed when using Squid as a SSL frontend infront
+ of Microsoft OWA. See MS KB document Q307347 for details
+ on this header. If set to auto the header will
+ only be added if the request is forwarded as a https://
+ URL.
+
+</PRE>
+</P>
+<P>Removed options:
+<PRE>
+ carp-load-factor
+
+</PRE>
+</P>
+<DT><B>cache_dir</B><DD><P>COSS stripe file:
+<PRE>
+ The coss file store has changed from 2.5. Now it uses a file
+ called 'stripe' in the directory names in the config - and
+ this will be created by squid -z.
+
+</PRE>
+</P>
+<DT><B>access_log cache_access_log</B><DD><P>Takes an optional log format:
+<PRE>
+ These files log client request activities. Has a line every HTTP or
+ ICP request. The format is:
+ access_log <filepath> [<logformat name> [acl acl ...]]
+ access_log none [acl acl ...]]
+
+ Will log to the specified file using the specified format (which
+ must be defined in a logformat directive) those entries which match
+ ALL the acl's specified (which must be defined in acl clauses).
+ If no acl is specified, all requests will be logged to this file.
+
+ To disable logging of a request use the filepath "none", in which case
+ a logformat name should not be specified.
+
+ To log the request via syslog specify a filepath of "syslog":
+
+ access_log syslog[:facility|priority] [format [acl1 [acl2 ....]]]
+ where facility could be any of:
+ LOG_AUTHPRIV, LOG_DAEMON, LOG_LOCAL0 .. LOG_LOCAL7 or LOG_USER.
+
+ And priority could be any of:
+ LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO, LOG_DEBUG.
+
+</PRE>
+</P>
+<DT><B>redirect_program</B><DD><P>New alias: 'url_rewrite_program'</P>
+<DT><B>redirect_children</B><DD><P>New alias: 'url_rewrite_children'</P>
+<DT><B>redirect_host_header</B><DD><P>New alias: 'url_rewrite_host_header'</P>
+<DT><B>auth_param</B><DD><P>New option for basic scheme:
+<PRE>
+ "concurrency" concurrency
+ The number of concurrent requests the helper can process.
+ The default of 0 is used for helpers who only supports
+ one request at a time.
+ auth_param basic concurrency 0
+
+</PRE>
+</P>
+<P>Removed NTLM options:
+<PRE>
+ "max_challenge_reuses" number
+ The maximum number of times a challenge given by a ntlm authentication
+ helper can be reused. Increasing this number increases your exposure
+ to replay attacks on your network. 0 (the default) means use the
+ challenge is used only once. See also the max_ntlm_challenge_lifetime
+ directive if enabling challenge reuses.
+ auth_param ntlm max_challenge_reuses 0
+
+ "max_challenge_lifetime" timespan
+ The maximum time period a ntlm challenge is reused over. The
+ actual period will be the minimum of this time AND the number of
+ reused challenges.
+ auth_param ntlm max_challenge_lifetime 2 minutes
+
+ "use_ntlm_negotiate" on|off
+ Enables support for NTLM NEGOTIATE packet exchanges with the helper.
+ The configured ntlm authenticator must be able to handle NTLM
+ NEGOTIATE packet. See the authenticator programs documentation if
+ unsure. ntlm_auth from Samba-3.0.2 or later supports the use of this
+ option.
+ The NEGOTIATE packet is required to support NTLMv2 and a
+ number of other negotiable NTLMSSP options, and also makes it
+ more likely the negotiation is successful. Enabling this parameter
+ will also solve problems encountered when NT domain policies
+ restrict users to access only certain workstations. When this is off,
+ all users must be allowed to log on the proxy servers too, or they'll
+ get "invalid workstation" errors - and access denied - when trying to
+ use Squid's services.
+ Use of ntlm NEGOTIATE is incompatible with challenge reuse, so
+ enabling this parameter will OVERRIDE the max_challenge_reuses and
+ max_challenge_lifetime parameters and set them to 0.
+ auth_param ntlm use_ntlm_negotiate off
+
+</PRE>
+</P>
+<P>New NTLM option:
+<PRE>
+ "keep_alive" on|off
+ If you experience problems with PUT/POST requests when using the
+ Negotiate authentication scheme then you can try setting this to
+ off. This will cause Squid to forcibly close the connection on
+ the initial requests where the browser asks which schemes are
+ supported by the proxy.
+
+</PRE>
+</P>
+<DT><B>external_acl_type</B><DD><P>New options:
+<PRE>
+ concurrency=n concurrency level per process. Use 0 for old style
+ helpers who can only process a single request at a time.
+
+ grace=n Percentage remaining of TTL where a refresh of a
+ cached entry should be initiated without needing to
+ wait for a new reply. (default 0 for no grace period)
+ protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers
+
+</PRE>
+</P>
+<P>New format specifications:
+<PRE>
+ %EXT_USER Username from external acl
+ %SRCPORT Client source port
+ %PATH Requested URL path
+ %METHOD Request method
+ %MYADDR Squid interface address
+ %MYPORT Squid http_port number
+ %USER_CERT SSL User certificate in PEM format
+ %USER_CERTCHAIN SSL User certificate chain in PEM format
+ %USER_CERT_xx SSL User certificate subject attribute xx
+ %USER_CA_xx SSL User certificate issuer attribute xx
+
+</PRE>
+</P>
+<P>New keywords:
+<PRE>
+ user= The users name (login)
+ password= The users password (for login= cache_peer option)
+ message= Message describing the reason. Available as %o
+ in error pages
+ tag= Apply a tag to a request (for both ERR and OK results)
+ Only sets a tag, does not alter existing tags.
+ log= String to be logged in access.log. Available as
+ %ea in logformat specifications
+
+ Keyword values need to be URL escaped if they may contain
+ contain whitespace or quotes.
+
+ In Squid-2.5 compatibility mode quoting using " and \ is used
+ instead of URL escaping.
+
+</PRE>
+</P>
+<P>Removed option:
+<PRE>
+ protocol=3.0 Use URL-escaped strings instead of quoting
+
+</PRE>
+</P>
+<DT><B>refresh_pattern</B><DD><P>New options:
+<PRE>
+ ignore-no-cache
+ ignore-no-store
+ ignore-private
+ ignore-auth
+ refresh-ims
+
+ ignore-no-cache ignores any ``Pragma: no-cache'' and
+ ``Cache-control: no-cache'' headers received from a server.
+ The HTTP RFC never allows the use of this (Pragma) header
+ from a server, only a client, though plenty of servers
+ send it anyway.
+
+ ignore-no-store ignores any ``Cache-control: no-store''
+ headers received from a server. Doing this VIOLATES
+ the HTTP standard. Enabling this feature could make you
+ liable for problems which it causes.
+
+ ignore-private ignores any ``Cache-control: private''
+ headers received from a server. Doing this VIOLATES
+ the HTTP standard. Enabling this feature could make you
+ liable for problems which it causes.
+
+ ignore-auth caches responses to requests with authorization,
+ irrespective of ``Cache-control'' headers received from
+ a server. Doing this VIOLATES the HTTP standard. Enabling
+ this feature could make you liable for problems which
+ it causes.
+
+ refresh-ims causes squid to contact the origin server
+ when a client issues an If-Modified-Since request. This
+ ensures that the client will receive an updated version
+ if one is available.
+
+</PRE>
+</P>
+<DT><B>negative_dns_ttl</B><DD><P>New default:
+<PRE>
+ Default: 5 minutes
+ (Old default: 1 minute)
+
+</PRE>
+</P>
+<DT><B>acl</B><DD><P>New types:
+<PRE>
+ acl aclname http_status 200 301 500- 400-403 ... # status code in reply
+
+ acl aclname user_cert attribute values...
+ # match against attributes in a user SSL certificate
+ # attribute is one of DN/C/O/CN/L/ST
+
+ acl aclname ca_cert attribute values...
+ # match against attributes a users issuing CA SSL certificate
+ # attribute is one of DN/C/O/CN/L/ST
+
+ acl aclname ext_user username ...
+ acl aclname ext_user_regex [-i] pattern ...
+ # string match on username returned by external acl processing
+ # use REQUIRED to accept any non-null user name.
+
+</PRE>
+</P>
+<P>Removed types:
+<PRE>
+ acl aclname urllogin [-i] [^a-zA-Z0-9] ... # regex matching on URL login field
+
+ acl aclname req_header header-name [-i] any\.regex\.here
+ # regex match against any of the known request headers. May be
+ # thought of as a superset of "browser", "referer" and "mime-type"
+ # ACLs.
+
+ acl aclname rep_header header-name [-i] any\.regex\.here
+ # regex match against any of the known response headers.
+ # Example:
+ #
+ # acl many_spaces rep_header Content-Disposition -i [[:space:]]{3,}
+
+</PRE>
</P>
+<DT><B>short_icon_urls</B><DD><P>New default:
+<PRE>
+ Default: on
+ (Old default: off)
+
+</PRE>
+</P>
+<DT><B>delay_class</B><DD><P>New delay classes:
+<PRE>
+ class 4 Everything in a class 3 delay pool, with an
+ additional limit on a per user basis. This
+ only takes effect if the username is established
+ in advance - by forcing authentication in your
+ http_access rules.
-<H2><A NAME="s4">4. Other internal changes mostly of interest to developers</A></H2>
+ class 5 Requests are grouped according their tag (see
+ external_acl's tag= reply).
+
+</PRE>
+</P>
+</DL>
+</P>
+
+
+
+
+<H3><A NAME="removedtags"></A> Removed tags</H3>
<P>
-<UL>
-<LI>Andres Kroonmaa's chunked memory pool allocator included.</LI>
-<LI>clientStreams, rationalising the client side logic to allow plugin output streams, and providing a simple interface to the store. See the programmers guide for details. (Robert Collins).</LI>
-<LI>Clean up the squid code to consistenly use [u_]int<len>_t throughout, rather than some [u_]num<len> and some [u_]<len>_t instances. (Robert Collins).</LI>
-<LI>Spelling corrections by Reuben Farrelly.</LI>
-<LI>Object reference counting supported to ease some programming tasks (Robert Collins).</LI>
-<LI>Deferred reads removed from comms layer, implemented a layer above, allowing more efficent comms layers (such as epoll). (Robert Collins).</LI>
-<LI>ACL Source code extracted into multiple separate classes, allowing great flexability in future development, and also for custom squid builds today. (Robert Collins)</LI>
-<LI>Delay classes heavily refactored to allow easier extension and reuse. (Robert Collins).</LI>
-<LI>autoconf 2.5 support (Robert Collins).</LI>
-<LI>Hi-resolution CPU profiling from Andres Kroonma, for single-threaded use only.</LI>
-<LI>Cleaned up module/helper configure checks to use the same logics everywhere. (Henrik Nordström)</LI>
-<LI>Unify much of the IO logic, shrinking the code base for diskd/aufs/ufs. (Robert Collins).</LI>
-<LI>Introduce 'make check' support to provide an automated test suite for squid. (Robert Collins).</LI>
-<LI>pthreads detection and compilation bugfixes. (Henrik Nordström, Robert Collins)</LI>
-<LI>Killed the remains of ALARM_UPDATES_TIME (--enable-time-hack) (Henrik Nordström)</LI>
-<LI>Centralised the IPC type selection to defines.h by the defines IPC_STREAM and IPC_DGRAM. (Henrik Nordström)</LI>
-<LI>Astyle is the code formatter of choice for squid-3 C++ code. See http://www.squid-cache.org/ robertc/squid-3-style.txt for the squid 3 style conventions.</LI>
-<LI>Fix "access_log none" (and "forward_log none") (Arkadi E. Shishlov).</LI>
-</UL>
+<DL>
+<DT><B>httpd_accel_host</B><DD><P>Replaced by the defaultsite= or vport=0 (in case of virtual) http_port options
+<PRE>
+
+</PRE>
+</P>
+<DT><B>httpd_accel_port</B><DD><P>
+<PRE>
+ Replaced by vport http(s)_port option
+
+</PRE>
</P>
+<DT><B>httpd_accel_single_host on|off</B><DD><P>
+<PRE>
+ Replaced by cache_peer originserver based request forwarding
+ making this option obsolete.
+
+</PRE>
+</P>
+<DT><B>httpd_accel_with_proxy on|off</B><DD><P>
+<PRE>
+ Obsolete, no longer needed.
+
+</PRE>
+</P>
+<DT><B>httpd_accel_uses_host_header on|off</B><DD><P>
+<PRE>
+ This has been replaced by the vhost http(s)_port option
+
+</PRE>
+</P>
+<DT><B>httpd_accel_no_pmtu_disc on|off</B><DD><P>
+<PRE>
+ This has been replaced by the disable-pmtu-discovery=.. http_port option
+
+</PRE>
+</P>
+<DT><B>header_access</B><DD><P>This has been replaced by request_header_access and reply_header_access</P>
+</DL>
+</P>
+
</BODY>
</HTML>
<!doctype linuxdoc system>
<article>
-<title>Squid 3.0 release notes</title>
+<title>Squid 3.0.PRE4 release notes</title>
<author>Squid Developers</author>
-<date>$Id: release-3.0.sgml,v 1.19 2004/12/20 16:30:15 robertc Exp $</date>
+<date>$Id: release-3.0.sgml,v 1.20 2006/06/19 22:45:48 hno Exp $</date>
<abstract>
This document contains the release notes for version 3.0 of Squid.
</abstract>
<toc>
-<sect>Key changes from squid 2.5:
+
+<sect>Notice
+<p>
+The Squid Team are pleased to announce the release of Squid-3.0.PRE4 for pre-release testing.
+
+This new release is available for download from <url url="http://www.squid-cache.org/Versions/v3/3.0/"> or the <url url="http://www.squid-cache.org/Mirrors/http-mirrors.html" name="mirrors">.
+
+This is the first PRE release since August 2003, and marks a renewed effort to push Squid-3.0 through to STABLE.
+
+While this release is not deemed ready for production use, we believe it is ready for wider testing by the community
+
+We welcome feedback and bug reports. If you find a bug, please see <url url="http://www.squid-cache.org/Doc/FAQ/FAQ-11.html#ss11.19"> for how to submit a report with a stack trace.
+
+
+<sect>Known issues
+<p>
+Although this release is deemed good enough for testing in many setups, please note the existence of <url url="http://www.squid-cache.org/bugs/buglist.cgi?query_format=advanced&short_desc_type=allwordssubstr&short_desc=&target_milestone=3.0&long_desc_type=allwordssubstr&long_desc=&bug_file_loc_type=allwordssubstr&bug_file_loc=&status_whiteboard_type=allwordssubstr&status_whiteboard=&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&emailtype1=substring&email1=&emailtype2=substring&email2=&bugidtype=include&bug_id=&votes=&chfieldfrom=&chfieldto=Now&chfieldvalue=&cmdtype=doit&order=bugs.bug_severity&field0-0-0=noop&type0-0-0=noop&value0-0-0=" name="open bugs against Squid-3.0">.
+
+In particular, ESI may still be too buggy for meaningful testing at this stage.
+
+
+<sect>Changes since Squid-2.5.STABLE14
+<sect1>Major new features
<p>
+Squid 3.0 represents a major rewrite of Squid 2.5 and has a large number of new features.
+
+The most important of these are:
+
<itemize>
- <item>Convert core squid source to C++ (Robert Collins).
- <item>http_port optional, allowing for SSL-only operation. Squid will refuse to start unless at least one port is defined. (Henrik Nordström).
- <item>Ability to read the configuration file from an external program pipe (Henrik Nordström).
- <item>Major cleanup or CARP. Now plays well with the other peering algorithms as just another non-ICP peering method. This also allows CARP support to be compiled by default with no need to recompile Squid to use CARP (Henrik Nordström)
- <item>Class 4 delay pools - user specific buckets. (Robert Collins).
- <item>Comms layer refactored to increase efficiency (Adrian Chadd).
- <item>epoll support (David Nicklay)
- <item>kqueue support (Adrian Chadd)
- <item>Range processing moved from client side to both client and server (Robert Collins).
- <item>Added support for sys/bitypes.h, apparently needed for some of the bittypes on tru64 and possibly others. (Henrik Nordström)
- <item>Edge Side Include implementation (www.esi.org). (Robert Collins).
- <item>Reduce the depth of recursion in make, improving make -j performance. (Robert Collins)
- <item>Cleanup of the relation between accelerated request and transparently intercepted request. The two are now handled separately from each other.
-This fixes two issues:
- <itemize>
- <item>Transparently intercepted requests is no longer under the restrictions of accelerated requests in peering relations etc..
- <item>No risk of confusion in authentication. Authentication is now allowed for accelerated requests but not transparently intercepted requests.
- </itemize> (Henrik Nordström)
- <item>Change --disable-hostname-checks to --enable-hostname-checks, default to not verify hostname sanity. (Henrik Nordström)
- <item>also removed the dot magics from hostname parsing. These are more evil than helpful and breaks semantic transparency in certain configurations. (Henrik Nordström)
- <item>added reporting of "Process Data Segment Size via sbrk()" when sbrk() call exists. According to the sbrk() man page, calling sbrk(0) returns the end of the data segment. By storing the data segment offset when Squid starts, we can report the size of the data segment at any time. This might be a better metric than getrusage()'s MAX RSS, which, in my experience, is often less than the process size reported by 'ps' (presumably because some of the processes memory is swapped to disk). However, initial tests show that the sbrk() trick reports a value slightly smaller than reported by 'ps'. (Duane Wessels)
- <item>failure_ratio is a ratio, not a percentage. Removed %% from printf. (Duane Wessels)
- <item>Start using inline C and C++ code via .cci source files. This defaults to inlined, with a configure option to disable for troubleshooting or development. (Robert Collins).
- <item>Better MacOSX support (Robert Collins, Adrian Chadd, Henrik Nordström)
- <item>--with-filedescriptors=XX configure option (Francesco Chemolli)
- <item>UNIX domain IPC now used by default for helpers, no loger relying on TCP/IP sockets via loopback. (Henrik Nordström)
- <item>Removed potentially dangerous debugging related configure options. Developers know how to edit configure.in or set defines. (Henrik Nordström)
- <item>--enable-large-files to enable support for large files (>2GB) on 32-bit GNU libc systems. (Henrik Nordström)
- <item>Digest auth helper improvements (Robert Collins, Sean Burford)
- <item>Digest authentication scheme bugfixs & improvements (Robert Collins)
- <item>accelerator mode cleaned up, using the design from the rproxy development branch
- <itemize>
- <item>The httpd_accel_* directives is now gone, replaced by http(s)_port options and cache_peer based request forwarding.
- <item>The http(s)_port options has a list of new options for controlling the type and mode of port created with respect to
- <itemize>
- <item>transparent proxying
- <item>plain acceleration
- <item>host header based acceleration
- <item>normal proxying (default)
- </itemize>
- <item>To enforce a reasonable level of security in accelerators, accelerated requests are denied to go direct unless forced by always_direct.
- </itemize>(Henrik Nordström)
- <item>Cache manager auth helper output tidyup (Duane Wessels).
- <item>Native Windows port enhancements:
- <itemize>
- <item>Another fix for profiling support
- <item>Added correct timezone handling
- <item>Fixed rotate problem
- <item>Added native Windows support to client.cc
- <item>This patch add the native Windows support for profiling and fix some C++/C include files problems.
- <item>Support for Windows .NET (5.2).
- <item>Added native Windows and Cygwin support to pinger.cc
- <item>Introduced the use of IPPROTO_TCP and IPPROTO_UDP defines instead of '0' on comm_open, needed by Winsocket. See this old squid-dev thread about http://www.squid-cache.org/mail-archive/squid-dev/200108/0162.html.
- <item>Added native Windows support to cachemgr.cc
- <item>Added native Windows support to dnsserver.cc
- <item>On Windows, fork() is not available, so we need to use a workaround in store_dir.cc for create store directories sequentially
- </itemize>By Guido Serassio.
- <item>SSL support update
- <itemize>
- <item>SSL encrypted peers
- <item>https:// gatewaying/proxying for clients not supporting SSL or URLs rewritten via a redirector to https://...
- <item>Client certificate support
- <item>Hardware crypto SSL acceleration support via OpenSSL engine
- <item>SSL key/certificate now read while parsing squid.conf to support secure key protection in combination with chroot..
- <item>A few minor bugfixes/optimizations
- </itemize>(Henrik Nordström)
- <item>--enable-default-hostsfile configure option by Guido Serassio. Tells the default /etc/hosts file location
- <item>New squid.conf directive to disable hostname verifications. It isn't really our business to enforce what characters is used in hostnames. (Henrik Nordström).
- <item>Peering enhancement options for satellite or other high latency links by Robert Cohen.
- <item>Cleanup of authentication forwarding, and added authentication gatewaying proxy->reverseproxy when the same Squid is acting as both proxy and reverseproxy with authentication. (Henrik Nordström)
- <item>The mailto links on Squid's ERR pages now contain data about the cccurred error by default, so that the email will contain this data in its body. This feature can be disabled via the email_err_data directive. (Clemens Löser)
- <item>pipeline_prefetch is disabled and known to be broken due to internal store_client_copy() change (Henrik Nordström)
- <item>ncsa_auth extened with support for MD5 hashes. (Henrik Nordström)
- <item>Complain if open of /dev/null fails; avoids infinite loop in ipcCreate() and gives a correct error message should this occur.
- <item>Properly quote the quoting character '%' in log_quote() and username_quote().
- <item>in icmpRecv(), Handle the case when recv() returns EAGAIN and do not treat it like an error.
- <item>Update squid to build with gcc/g++ 3.3 with no warnings.
- <item>wb_group updated to support domain qualified groups (Guido Serassio)
- <item>most helper interfaces now support multiple overlapping requests (external_acl_type, redirect_program, basic auth).
- <item>custom log formats, and the ability to log different requests to different log files.
- <item>ext_user acl type added for matching the user name returned by external acls. Not longer abusing the ident acl for this purpose
- <item>external_acl extended with soft timeouts
- <item>external_acl can optionally return information to be logged in access.log
- <item>external_acl protocol changed to use URL-escaped strings. Squid-2.5 compatible mode also available.
- <item>Requests denied due to 'http_reply_access' are now logged with TCP_DENIED_REPLY.
- <item>Added counters for HTCP messages sent and received, reported in 'info' cache manager page.
- <item>Fixed 'ICP dynamic timeout algorithm ignores multicast' bug
- <item>Bug #743: "#ifdef HTTP_VIOLATIONS" should be "#if HTTP_VIOLATIONS"
+ <item>Edge Side Include implementation (www.esi.org)
+ <item>ICAP implementation (www.i-cap.org)
+ <item>Better support for reverse proxy setups. The httpd_accel_* directives are now gone, replaced by http(s)_port options and cache_peer based request forwarding
+ <item>Better support for SSL
+ <item>Better support for external ACLs
+ <item>Finer control over cacheability (refresh_pattern)
+ <item>Custom log formats and the ability to log different requests to different log files
</itemize>
-<sect>Changes to squid.conf
-<p><descrip>
- <tag>read_ahead_gap</tag>Config directive by Jeffrey D. Wheelhouse. Allows the read-ahead gap to be configured from squid.conf (previously hardcoded at 16 KB)
- <tag>request_entities</tag>New squid.conf directive "request_entities on/off".If set to "on" then Squid will allow GET/HEAD requests with request entities, even if such entites are "undefined" in the HTTP specification. (Henrik Nordström)
- <tag>cache_peer</tag>New options for reverse proxy setups
- <itemize>
- <item>originserver
- <item>name=XXX
- <item>forceddomain=XXX
- </itemize>
- <tag>https_port</tag>Many new SSL options
- <descrip>
- <tag>dhparams=/path/to/file.pem</tag> https_port option to specify DH parameters for forward-secrecy in encryption. (Henrik Nordström)
- <tag>clientca= etc</tag>specifies which CA to accept client certificates from
- <tag>defaultsite</tag>specifies the accelerated site name
- </descrip>
- <tag>http(s)_port</tag>Many new options to control acceleration, transparent proxying etc
- <tag>header_replace</tag>This is now dependent on --disable-http-violations (Henrik Nordström)
- <tag>email_err_data</tag>Allow disabling the data now embedded in the mailto links on Squid's ERR pages.
- <tag>reply_body_max_size</tag>No longer uses allow/deny. Instead it is specified as a size followed by acl elements. The size "none" can be used for no limit (the default)
- <tag>external_acl_type</tag>The argument which was named concurrenty= in Squid-2.5 is now named children=. concurrency= has a different meaing in Squid-3.0 and your external acls will not work until updated. New protocol=2.5 parameter for compatibility with acl helpers written for Squid-2.5.
- <tag>ext_user acl</tag>this acl matches the username returned by external acl. ident can no longer be used for this purpose.
- <tag>access_log</tag>The access_log directive now optionally includes specifications on what log format to use and acls matching which requests to log. Can be specified multiple times to log different requests to different files.
- <tag>logformat</tag>new directive to define custom log formats
- <tag>httpd_accel_*</tag>These directives have been replaced by http(s)_port options and cache_peer based request forwarding. Note that you can no longer run proxy and acceleration mode on the same port. If you previously did this you now need to define two ports, one for acceleration, one for proxying.
- <tag>header_access</tag>This directive have been split into request_header_access and reply_header_access directives to allow for better control of what is allowed in reqests vs replies.
+Most user-facing changes are reflected in squid.conf (see below).
+
+<sect1>Logging changes
+<sect2>access.log
+<p>The TCP_REFRESH_HIT and TCP_REFRESH_MISS log types have been replaced because they were misleading (all refreshes need to query the origin server, so they could never be hits). The following log types have been introduced to replace them:
+
+<descrip>
+ <tag>TCP_REFRESH_UNMODIFIED</tag>
+ <p>The requested object was cached but STALE. The IMS query for the object resulted in "304 not modified".
+ <tag>TCP_REFRESH_MODIFIED</tag>
+ <p>The requested object was cached but STALE. The IMS query returned the new content.\r
</descrip>
+<p>See <url url="http://www.squid-cache.org/Doc/FAQ/FAQ-6.html#ss6.7"> for a definition of all log types.
+
+
-<sect>Known limitations
+
+<sect1>Changes to squid.conf
<p>
+There have been many changes to Squid's configuration file since Squid-2.5.
+
+This section gives a thorough account of those changes in three categories:
+
<itemize>
- <item>SSL Acceleration Support - CRL's are not currently supported. The design has been completed, but time to implement is missing - contact squid-dev@squid-cache.org for more details.
- <item>tcp_outgoing_addr/tos uses "fast" ACL checks and is somewhat limited in what kind of acl types you may use. Probably only src/my_port/my_addr/dstdomain/method/port/url* acl types is reliable.
- <item>reply_body_max_size is uses "fast" ACL checks and may occationally fail on acls which may require external lookups (dst/srcdomain/external).
+ <item><ref id="newtags" name="New tags">
+ <item><ref id="modifiedtags" name="Changes to existing tags">
+ <item><ref id="removedtags" name="Removed tags">
</itemize>
-<sect>Other internal changes mostly of interest to developers
-<P><itemize>
- <item>Andres Kroonmaa's chunked memory pool allocator included.
- <item>clientStreams, rationalising the client side logic to allow plugin output streams, and providing a simple interface to the store. See the programmers guide for details. (Robert Collins).
- <item>Clean up the squid code to consistenly use [u_]int<len>_t throughout, rather than some [u_]num<len> and some [u_]<len>_t instances. (Robert Collins).
- <item>Spelling corrections by Reuben Farrelly.
- <item>Object reference counting supported to ease some programming tasks (Robert Collins).
- <item>Deferred reads removed from comms layer, implemented a layer above, allowing more efficent comms layers (such as epoll). (Robert Collins).
- <item>ACL Source code extracted into multiple separate classes, allowing great flexability in future development, and also for custom squid builds today. (Robert Collins)
- <item>Delay classes heavily refactored to allow easier extension and reuse. (Robert Collins).
- <item>autoconf 2.5 support (Robert Collins).
- <item>Hi-resolution CPU profiling from Andres Kroonma, for single-threaded use only.
- <item>Cleaned up module/helper configure checks to use the same logics everywhere. (Henrik Nordström)
- <item>Unify much of the IO logic, shrinking the code base for diskd/aufs/ufs. (Robert Collins).
- <item>Introduce 'make check' support to provide an automated test suite for squid. (Robert Collins).
- <item>pthreads detection and compilation bugfixes. (Henrik Nordström, Robert Collins)
- <item>Killed the remains of ALARM_UPDATES_TIME (--enable-time-hack) (Henrik Nordström)
- <ITEM>Centralised the IPC type selection to defines.h by the defines IPC_STREAM and IPC_DGRAM. (Henrik Nordström)
- <item>Astyle is the code formatter of choice for squid-3 C++ code. See http://www.squid-cache.org/~robertc/squid-3-style.txt for the squid 3 style conventions.
- <item>Fix "access_log none" (and "forward_log none") (Arkadi E. Shishlov).
-</itemize>
+<p>
+
+
+
+<sect2>New tags<label id="newtags">
+
+<p>
+<descrip>
+ <tag>ssl_engine</tag>
+ <verb>
+Default: none
+
+The openssl engine to use. You will need to set this if you
+would like to use hardware SSL acceleration for example.
+ </verb>
+ <tag>sslproxy_client_certificate</tag>
+ <verb>
+Default: none
+
+Client SSL Certificate to use when proxying https:// URLs
+ </verb>
+ <tag>sslproxy_client_key</tag>
+ <verb>
+Default: none
+
+Client SSL Key to use when proxying https:// URLs
+ </verb>
+ <tag>sslproxy_version</tag>
+ <verb>
+Default: 1
+
+SSL version level to use when proxying https:// URLs
+ </verb>
+ <tag>sslproxy_options</tag>
+ <verb>
+Default: none
+
+SSL engine options to use when proxying https:// URLs
+ </verb>
+ <tag>sslproxy_cipher</tag>
+ <verb>
+Default: none
+
+SSL cipher list to use when proxying https:// URLs
+ </verb>
+ <tag>sslproxy_cafile</tag>
+ <verb>
+Default: none
+
+file containing CA certificates to use when verifying server
+certificates while proxying https:// URLs
+ </verb>
+ <tag>sslproxy_capath</tag>
+ <verb>
+Default: none
+
+directory containing CA certificates to use when verifying
+server certificates while proxying https:// URLs
+ </verb>
+ <tag>sslproxy_flags</tag>
+ <verb>
+Default: none
+
+Various flags modifying the use of SSL while proxying https:// URLs:
+ DONT_VERIFY_PEER Accept certificates even if they fail to
+verify.
+ NO_DEFAULT_CA Don't use the default CA list built in
+to OpenSSL.
+ </verb>
+ <tag>sslpassword_program</tag>
+ <verb>
+Default: none
+
+Specify a program used for entering SSL key passphrases
+when using encrypted SSL certificate keys. If not specified
+keys must either be unencrypted, or Squid started with the -N
+option to allow it to query interactively for the passphrase.
+ </verb>
+ <tag>minimum_icp_query_timeout (msec)</tag>
+ <verb>
+Default: 5
+
+Normally the ICP query timeout is determined dynamically. But
+sometimes it can lead to very small timeouts, even lower than
+the normal latency variance on your link due to traffic.
+Use this option to put an lower limit on the dynamic timeout
+value. Do NOT use this option to always use a fixed (instead
+of a dynamic) timeout value. To set a fixed timeout see the
+'icp_query_timeout' directive.
+ </verb>
+ <tag>background_ping_rate</tag>
+ <verb>
+Default: 10 seconds
+
+Controls how often the ICP pings are sent to siblings that
+have background-ping set.
+ </verb>
+ <tag>logformat</tag>
+ <verb>
+Default: none
+
+Usage:
+
+logformat <name> <format specification>
+
+Defines an access log format.
+
+The <format specification> is a string with embedded % format codes
+
+% format codes all follow the same basic structure where all but
+the formatcode is optional. Output strings are automatically escaped
+as required according to their context and the output format
+modifiers are usually not needed, but can be specified if an explicit
+output format is desired.
+
+% ["|[|'|#] [-] [[0]width] [{argument}] formatcode
+
+" output in quoted string format
+[ output in squid text log format as used by log_mime_hdrs
+# output in URL quoted format
+' output as-is
+
+- left aligned
+width field width. If starting with 0 the
+output is zero padded
+{arg} argument such as header name etc
+
+Format codes:
+
+>a Client source IP address
+>A Client FQDN
+<A Server IP address or peer name
+la Local IP address (http_port)
+lp Local port number (http_port)
+ts Seconds since epoch
+tu subsecond time (milliseconds)
+tl Local time. Optional strftime format argument
+default %d/%b/%Y:%H:%M:S %z
+tg GMT time. Optional strftime format argument
+default %d/%b/%Y:%H:%M:S %z
+tr Response time (milliseconds)
+>h Request header. Optional header name argument
+on the format header[:[separator]element]
+<h Reply header. Optional header name argument
+as for >h
+un User name
+ul User login
+ui User ident
+ue User from external acl
+Hs HTTP status code
+Ss Squid request status (TCP_MISS etc)
+Sh Squid hierarchy status (DEFAULT_PARENT etc)
+mt MIME content type
+rm Request method (GET/POST etc)
+ru Request URL
+rv Request protocol version
+et Tag returned by external acl
+ea Log string returned by external acl
+<st Reply size including HTTP headers
+<sH Reply high offset sent
+<sS Upstream object size
+% a literal % character
+
+logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
+logformat squidmime %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
+logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
+logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
+ </verb>
+ <tag>check_hostnames on|off</tag>
+ <verb>
+Default: on
+
+For security and stability reasons Squid by default checks
+hostnames for Internet standard RFC compliance. If you do not want
+Squid to perform these checks turn this directive off.
+ </verb>
+ <tag>url_rewrite_concurrency redirect_concurrency</tag>
+ <verb>
+Default: 0
+
+The number of requests each redirector helper can handle in
+parallell. Defaults to 0 which indicates the redirector
+is a old-style singlethreaded redirector.
+ </verb>
+ <tag>read_ahead_gap</tag>
+ <verb>
+Default: 16 KB
+
+The amount of data the cache will buffer ahead of what has been
+sent to the client when retrieving an object from another server.
+ </verb>
+ <tag>log_access allow|deny acl acl...</tag>
+ <verb>
+Default: none
+
+This options allows you to control which requests gets logged
+to access.log (see access_log directive). Requests denied for
+logging will also not be accounted for in performance counters.
+ </verb>
+ <tag>httpd_suppress_version_string on|off</tag>
+ <verb>
+Default: off
+
+Suppress Squid version string info in HTTP headers and HTML error pages.
+ </verb>
+ <tag>httpd_accel_surrogate_id</tag>
+ <verb>
+Default: unset
+
+Surrogates (http://www.esi.org/architecture_spec_1.0.html)
+need an identification token to allow control targeting. Because
+a farm of surrogates may all perform the same tasks, they may share
+an identification token.
+ </verb>
+ <tag>http_accel_surrogate_remote on|off</tag>
+ <verb>
+Default: off
+
+Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote.
+Set this to on to have squid behave as a remote surrogate.
+ </verb>
+ <tag>esi_parser libxml2|expat|custom</tag>
+ <verb>
+Default: custom
+
+ESI markup is not strictly XML compatible. The custom ESI parser
+will give higher performance, but cannot handle non ASCII character
+encodings.
+ </verb>
+ <tag>email_err_data on|off</tag>
+ <verb>
+Default: on
+
+If enabled, information about the occurred error will be
+included in the mailto links of the ERR pages (if %W is set)
+so that the email body contains the data.
+Syntax is <A HREF="mailto:%w%W">%w</A>
+ </verb>
+ <tag>via on|off</tag>
+ <verb>
+Default: on
+
+If set (default), Squid will include a Via header in requests and
+replies as required by RFC2616.
+ </verb>
+ <tag>refresh_all_ims on|off</tag>
+ <verb>
+Default: off
+
+When you enable this option, squid will always check
+the origin server for an update when a client sends an
+If-Modified-Since request. Many browsers use IMS
+requests when the user requests a reload, and this
+ensures those clients receive the latest version.
+
+By default (off), squid may return a Not Modified response
+based on the age of the cached version.
+ </verb>
+ <tag>request_header_access</tag>
+ <verb>
+Default: none
+
+Usage: request_header_access header_name allow|deny [!]aclname ...
+
+WARNING: Doing this VIOLATES the HTTP standard. Enabling
+this feature could make you liable for problems which it
+causes.
+
+This option replaces the old 'anonymize_headers' and the
+older 'http_anonymizer' option with something that is much
+more configurable. This new method creates a list of ACLs
+for each header, allowing you very fine-tuned header
+mangling.
+
+This option only applies to request headers, i.e., from the
+client to the server.
+
+You can only specify known headers for the header name.
+Other headers are reclassified as 'Other'. You can also
+refer to all the headers with 'All'.
+
+For example, to achieve the same behavior as the old
+'http_anonymizer standard' option, you should use:
+
+request_header_access From deny all
+request_header_access Referer deny all
+request_header_access Server deny all
+request_header_access User-Agent deny all
+request_header_access WWW-Authenticate deny all
+request_header_access Link deny all
+
+Or, to reproduce the old 'http_anonymizer paranoid' feature
+you should use:
+
+request_header_access Allow allow all
+request_header_access Authorization allow all
+request_header_access WWW-Authenticate allow all
+request_header_access Proxy-Authorization allow all
+request_header_access Proxy-Authenticate allow all
+request_header_access Cache-Control allow all
+request_header_access Content-Encoding allow all
+request_header_access Content-Length allow all
+request_header_access Content-Type allow all
+request_header_access Date allow all
+request_header_access Expires allow all
+request_header_access Host allow all
+request_header_access If-Modified-Since allow all
+request_header_access Last-Modified allow all
+request_header_access Location allow all
+request_header_access Pragma allow all
+request_header_access Accept allow all
+request_header_access Accept-Charset allow all
+request_header_access Accept-Encoding allow all
+request_header_access Accept-Language allow all
+request_header_access Content-Language allow all
+request_header_access Mime-Version allow all
+request_header_access Retry-After allow all
+request_header_access Title allow all
+request_header_access Connection allow all
+request_header_access Proxy-Connection allow all
+request_header_access All deny all
+
+although many of those are HTTP reply headers, and so should be
+controlled with the reply_header_access directive.
+
+By default, all headers are allowed (no anonymizing is
+performed).
+ </verb>
+ <tag>reply_header_access</tag>
+ <verb>
+Default: none
+
+Usage: reply_header_access header_name allow|deny [!]aclname ...
+
+WARNING: Doing this VIOLATES the HTTP standard. Enabling
+this feature could make you liable for problems which it
+causes.
+
+This option only applies to reply headers, i.e., from the
+server to the client.
+
+This is the same as request_header_access, but in the other
+direction.
+
+This option replaces the old 'anonymize_headers' and the
+older 'http_anonymizer' option with something that is much
+more configurable. This new method creates a list of ACLs
+for each header, allowing you very fine-tuned header
+mangling.
+
+You can only specify known headers for the header name.
+Other headers are reclassified as 'Other'. You can also
+refer to all the headers with 'All'.
+
+For example, to achieve the same behavior as the old
+'http_anonymizer standard' option, you should use:
+
+reply_header_access From deny all
+reply_header_access Referer deny all
+reply_header_access Server deny all
+reply_header_access User-Agent deny all
+reply_header_access WWW-Authenticate deny all
+reply_header_access Link deny all
+
+Or, to reproduce the old 'http_anonymizer paranoid' feature
+you should use:
+
+reply_header_access Allow allow all
+reply_header_access Authorization allow all
+reply_header_access WWW-Authenticate allow all
+reply_header_access Proxy-Authorization allow all
+reply_header_access Proxy-Authenticate allow all
+reply_header_access Cache-Control allow all
+reply_header_access Content-Encoding allow all
+reply_header_access Content-Length allow all
+reply_header_access Content-Type allow all
+reply_header_access Date allow all
+reply_header_access Expires allow all
+reply_header_access Host allow all
+reply_header_access If-Modified-Since allow all
+reply_header_access Last-Modified allow all
+reply_header_access Location allow all
+reply_header_access Pragma allow all
+reply_header_access Accept allow all
+reply_header_access Accept-Charset allow all
+reply_header_access Accept-Encoding allow all
+reply_header_access Accept-Language allow all
+reply_header_access Content-Language allow all
+reply_header_access Mime-Version allow all
+reply_header_access Retry-After allow all
+reply_header_access Title allow all
+reply_header_access Connection allow all
+reply_header_access Proxy-Connection allow all
+reply_header_access All deny all
+
+although the HTTP request headers won't be usefully controlled
+by this directive -- see request_header_access for details.
+
+By default, all headers are allowed (no anonymizing is
+performed).
+ </verb>
+ <tag>minimum_expiry_time</tag>
+ <verb>
+Default: 60 seconds
+
+The minimum caching time according to (Expires - Date)
+Headers Squid honors if the object can't be revalidated
+defaults to 60 seconds. In reverse proxy enorinments it
+might be desirable to honor shorter object lifetimes. It
+is most likely better to make your server return a
+meaningful Last-Modified header however. In ESI environments
+where page fragments often have short lifetimes, this will
+often be best set to 0.
+ </verb>
+ <tag>icap_enable on|off</tag>
+ <verb>
+Default: off
+
+If you want to enable the ICAP module support, set this to on.
+ </verb>
+ <tag>icap_preview_enable on|off</tag>
+ <verb>
+Default: off
+
+Set this to 'on' if you want to enable the ICAP preview
+feature in Squid.
+ </verb>
+ <tag>icap_preview_size</tag>
+ <verb>
+Default: -1
+
+The default size of preview data to be sent to the ICAP server.
+-1 means no preview. This value might be overwritten on a per server
+basis by OPTIONS requests.
+ </verb>
+ <tag>icap_default_options_ttl (seconds)</tag>
+ <verb>
+Default: 60
+
+The default TTL value for ICAP OPTIONS responses that don't have
+an Options-TTL header.
+ </verb>
+ <tag>icap_persistent_connections on|off</tag>
+ <verb>
+Default: on
+
+Whether or not Squid should use persistent connections to
+an ICAP server.
+ </verb>
+ <tag>icap_send_client_ip on|off</tag>
+ <verb>
+Default: off
+
+This adds the header "X-Client-IP" to ICAP requests.
+ </verb>
+ <tag>icap_send_client_username on|off</tag>
+ <verb>
+Default: off
+
+This adds the header "X-Client-Username" to ICAP requests
+if proxy access is authentified.
+ </verb>
+ <tag>icap_service</tag>
+ <verb>
+Default: none
+
+Defines a single ICAP service
+
+icap_service servicename vectoring_point bypass service_url
+
+vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
+This specifies at which point of request processing the ICAP
+service should be plugged in.
+bypass = 1|0
+If set to 1 and the ICAP server cannot be reached, the request will go
+through without being processed by an ICAP server
+service_url = icap://servername:port/service
+
+Note: reqmod_precache and respmod_postcache is not yet implemented
+
+Example:
+icap_service service_1 reqmod_precache 0 icap://icap1.mydomain.net:1344/reqmod
+icap_service service_2 respmod_precache 0 icap://icap2.mydomain.net:1344/respmod
+ </verb>
+ <tag>icap_class</tag>
+ <verb>
+Default: none
+
+Defines an ICAP service chain. If there are multiple services per
+vectoring point, they are processed in the specified order.
+
+icap_class classname servicename...
+
+Example:
+icap_class class_1 service_1 service_2
+icap class class_2 service_1 service_3
+ </verb>
+ <tag>icap_access</tag>
+ <verb>
+Default: none
+
+Redirects a request through an ICAP service class, depending
+on given acls
+
+icap_access classname allow|deny [!]aclname...
+
+The icap_access statements are processed in the order they appear in
+this configuration file. If an access list matches, the processing stops.
+For an "allow" rule, the specified class is used for the request. A "deny"
+rule simply stops processing without using the class. You can also use the
+special classname "None".
+
+For backward compatibility, it is also possible to use services
+directly here.
+
+Example:
+icap_access class_1 allow all
+ </verb>
+</descrip>
+
+
+<sect2>Changes to existing tags<label id="modifiedtags">
+<p>
+<descrip>
+ <tag>http_port</tag>
+ <p>New options:
+ <verb>
+ transparent Support for transparent proxies
+
+ accel Accelerator mode. Also set implicit by the other accelerator directives
+
+ vhost Accelerator mode using Host header for virtual domain support
+
+ vport Accelerator with IP based virtual host support
+
+ vport=NN As above, but uses specified port number rather
+ than the http_port number
+
+ defaultsite= Main web site name for accelerators
+
+ protocol= Protocol to reconstruct accelerated requests with.
+ Defaults to http
+
+ disable-pmtu-discovery=
+ Control Path-MTU discovery usage:
+ off lets OS decide on what to do (default).
+ transparent disable PMTU discovery when transparent support is enabled.
+ always disable always PMTU discovery.
+
+ In many setups of transparently intercepting proxies Path-MTU
+ discovery can not work on traffic towards the clients. This is
+ the case when the intercepting device does not fully track
+ connections and fails to forward ICMP must fragment messages
+ to the cache server. If you have such setup and experience that
+ certain clients sporadically hang or never complete requests set
+ disable-pmtu-discovery option to 'transparent'.
+ </verb>
+ <tag> https_port</tag>
+ <p>New options:
+ <verb>
+ defaultsite= The name of the https site presented on this port
+
+ protocol= Protocol to reconstruct accelerated requests
+ with. Defaults to https
+
+ options= Various SSL engine options. The most important
+ being:
+ NO_SSLv2 Disallow the use of SSLv2
+ NO_SSLv3 Disallow the use of SSLv3
+ NO_TLSv1 Disallow the use of TLSv1
+ SINGLE_DH_USE Always create a new key when using
+ temporary/ephemeral DH key exchanges
+ See src/ssl_support.c or OpenSSL SSL_CTX_set_options
+ documentation for a complete list of options
+
+ clientca= File containing the list of CAs to use when
+ requesting a client certificate
+
+ cafile= File containing additional CA certificates to
+ use when verifying client certificates. If unset
+ clientca will be used
+
+ capath= Directory containing additional CA certificates
+ and CRL lists to use when verifying client certificates
+
+ crlfile= File of additional CRL lists to use when verifying
+ the client certificate, in addition to CRLs stored in
+ the capath. Implies VERIFY_CRL flag below.
+
+ dhparams= File containing DH parameters for temporary/ephemeral
+ DH key exchanges
+
+ sslflags= Various flags modifying the use of SSL:
+ DELAYED_AUTH
+ Don't request client certificates
+ immediately, but wait until acl processing
+ requires a certificate (not yet implemented)
+ NO_DEFAULT_CA
+ Don't use the default CA lists built in
+ to OpenSSL
+ NO_SESSION_REUSE
+ Don't allow for session reuse. Each connection
+ will result in a new SSL session.
+ VERIFY_CRL
+ Verify CRL lists when accepting client
+ certificates
+ VERIFY_CRL_ALL
+ Verify CRL lists for all certificates in the
+ client certificate chain
+
+ sslcontext= SSL session ID context identifier.
+
+ accelAccelerator mode. Also set implicit by the other
+ accelerator directives
+
+ vhostAccelerator mode using Host header for virtual
+ domain support
+
+ vportAccelerator with IP based virtual host support
+
+ vport=NN As above, but uses specified port number rather
+ than the https_port number
+ </verb>
+ <tag>cache_peer</tag>
+ <p>New options:
+ <verb>
+ basetime=n
+ background-ping
+ weighted-round-robin
+ carp
+ htcp-oldsquid
+ originserver
+ name=xxx
+ forceddomain=name
+ ssl
+ sslcert=/path/to/ssl/certificate
+ sslkey=/path/to/ssl/key
+ sslversion=1|2|3|4
+ sslcipher=...
+ ssloptions=...
+ front-end-https[=on|auto]
+
+
+ use 'basetime=n' to specify a base amount to
+ be subtracted from round trip times of parents.
+ It is subtracted before division by weight in calculating
+ which parent to fectch from. If the rtt is less than the
+ base time the rtt is set to a minimal value.
+
+ use 'background-ping' to only send ICP queries to this
+ neighbor infrequently. This is used to keep the neighbor
+ round trip time updated and is usually used in
+ conjunction with weighted-round-robin.
+
+ use 'weighted-round-robin' to define a set of parents
+ which should be used in a round-robin fashion with the
+ frequency of each parent being based on the round trip
+ time. Closer parents are used more often.
+ Usually used for background-ping parents.
+
+ use 'carp' to define a set of parents which should
+ be used as a CARP array. The requests will be
+ distributed among the parents based on the CARP load
+ balancing hash function based on their weigth.
+
+ use 'htcp-oldsquid' to send HTCP to old Squid versions
+
+ 'originserver' causes this parent peer to be contacted as
+ a origin server. Meant to be used in accelerator setups.
+
+ use 'name=xxx' if you have multiple peers on the same
+ host but different ports. This name can be used to
+ differentiate the peers in cache_peer_access and similar
+ directives.
+
+ use 'forceddomain=name' to forcibly set the Host header
+ of requests forwarded to this peer. Useful in accelerator
+ setups where the server (peer) expects a certain domain
+ name and using redirectors to feed this domainname
+ is not feasible.
+
+ use 'ssl' to indicate connections to this peer should
+ bs SSL/TLS encrypted.
+
+ use 'sslcert=/path/to/ssl/certificate' to specify a client
+ SSL certificate to use when connecting to this peer.
+
+ use 'sslkey=/path/to/ssl/key' to specify the private SSL
+ key corresponding to sslcert above. If 'sslkey' is not
+ specified 'sslcert' is assumed to reference a
+ combined file containing both the certificate and the key.
+
+ use sslversion=1|2|3|4 to specify the SSL version to use
+ when connecting to this peer
+ 1 = automatic (default)
+ 2 = SSL v2 only
+ 3 = SSL v3 only
+ 4 = TLS v1 only
+
+ use sslcipher=... to specify the list of valid SSL chipers
+ to use when connecting to this peer
+
+ use ssloptions=... to specify various SSL engine options:
+ NO_SSLv2 Disallow the use of SSLv2
+ NO_SSLv3 Disallow the use of SSLv3
+ NO_TLSv1 Disallow the use of TLSv1
+ See src/ssl_support.c or the OpenSSL documentation for
+ a more complete list.
+
+ use cafile=... to specify a file containing additional
+ CA certificates to use when verifying the peer certificate
+
+ use capath=... to specify a directory containing additional
+ CA certificates to use when verifying the peer certificate
+
+ use sslflags=... to specify various flags modifying the
+ SSL implementation:
+ DONT_VERIFY_PEER
+ Accept certificates even if they fail to
+ verify.
+ NO_DEFAULT_CA
+ Don't use the default CA list built in
+ to OpenSSL.
+ DONT_VERIFY_DOMAIN
+ Don't verify the peer certificate
+ matches the server name
+
+ use sslname= to specify the peer name as advertised
+ in it's certificate. Used for verifying the correctness
+ of the received peer certificate. If not specified the
+ peer hostname will be used.
+
+ use front-end-https to enable the "Front-End-Https: On"
+ header needed when using Squid as a SSL frontend infront
+ of Microsoft OWA. See MS KB document Q307347 for details
+ on this header. If set to auto the header will
+ only be added if the request is forwarded as a https://
+ URL.
+ </verb>
+ <p>Removed options:
+ <verb>
+ carp-load-factor
+ </verb>
+ <tag>cache_dir</tag>
+ <p>COSS stripe file:
+ <verb>
+ The coss file store has changed from 2.5. Now it uses a file
+ called 'stripe' in the directory names in the config - and
+ this will be created by squid -z.
+ </verb>
+ <tag>access_log cache_access_log</tag>
+ <p>Takes an optional log format:
+ <verb>
+ These files log client request activities. Has a line every HTTP or
+ ICP request. The format is:
+ access_log <filepath> [<logformat name> [acl acl ...]]
+ access_log none [acl acl ...]]
+
+ Will log to the specified file using the specified format (which
+ must be defined in a logformat directive) those entries which match
+ ALL the acl's specified (which must be defined in acl clauses).
+ If no acl is specified, all requests will be logged to this file.
+
+ To disable logging of a request use the filepath "none", in which case
+ a logformat name should not be specified.
+
+ To log the request via syslog specify a filepath of "syslog":
+
+ access_log syslog[:facility|priority] [format [acl1 [acl2 ....]]]
+ where facility could be any of:
+ LOG_AUTHPRIV, LOG_DAEMON, LOG_LOCAL0 .. LOG_LOCAL7 or LOG_USER.
+
+ And priority could be any of:
+ LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO, LOG_DEBUG.
+ </verb>
+ <tag>redirect_program</tag>
+ <p>New alias: 'url_rewrite_program'
+ <tag>redirect_children</tag>
+ <p>New alias: 'url_rewrite_children'
+ <tag>redirect_host_header</tag>
+ <p>New alias: 'url_rewrite_host_header'
+ <tag>auth_param</tag>
+ <p>New option for basic scheme:
+ <verb>
+ "concurrency" concurrency
+ The number of concurrent requests the helper can process.
+ The default of 0 is used for helpers who only supports
+ one request at a time.
+ auth_param basic concurrency 0
+ </verb>
+ <p>Removed NTLM options:
+ <verb>
+ "max_challenge_reuses" number
+ The maximum number of times a challenge given by a ntlm authentication
+ helper can be reused. Increasing this number increases your exposure
+ to replay attacks on your network. 0 (the default) means use the
+ challenge is used only once. See also the max_ntlm_challenge_lifetime
+ directive if enabling challenge reuses.
+ auth_param ntlm max_challenge_reuses 0
+
+ "max_challenge_lifetime" timespan
+ The maximum time period a ntlm challenge is reused over. The
+ actual period will be the minimum of this time AND the number of
+ reused challenges.
+ auth_param ntlm max_challenge_lifetime 2 minutes
+
+ "use_ntlm_negotiate" on|off
+ Enables support for NTLM NEGOTIATE packet exchanges with the helper.
+ The configured ntlm authenticator must be able to handle NTLM
+ NEGOTIATE packet. See the authenticator programs documentation if
+ unsure. ntlm_auth from Samba-3.0.2 or later supports the use of this
+ option.
+ The NEGOTIATE packet is required to support NTLMv2 and a
+ number of other negotiable NTLMSSP options, and also makes it
+ more likely the negotiation is successful. Enabling this parameter
+ will also solve problems encountered when NT domain policies
+ restrict users to access only certain workstations. When this is off,
+ all users must be allowed to log on the proxy servers too, or they'll
+ get "invalid workstation" errors - and access denied - when trying to
+ use Squid's services.
+ Use of ntlm NEGOTIATE is incompatible with challenge reuse, so
+ enabling this parameter will OVERRIDE the max_challenge_reuses and
+ max_challenge_lifetime parameters and set them to 0.
+ auth_param ntlm use_ntlm_negotiate off
+ </verb>
+ <p>New NTLM option:
+ <verb>
+ "keep_alive" on|off
+ If you experience problems with PUT/POST requests when using the
+ Negotiate authentication scheme then you can try setting this to
+ off. This will cause Squid to forcibly close the connection on
+ the initial requests where the browser asks which schemes are
+ supported by the proxy.
+ </verb>
+ <tag>external_acl_type</tag>
+ <p>New options:
+ <verb>
+ concurrency=n concurrency level per process. Use 0 for old style
+ helpers who can only process a single request at a time.
+
+ grace=n Percentage remaining of TTL where a refresh of a
+ cached entry should be initiated without needing to
+ wait for a new reply. (default 0 for no grace period)
+ protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers
+ </verb>
+ <p>New format specifications:
+ <verb>
+ %EXT_USER Username from external acl
+ %SRCPORT Client source port
+ %PATH Requested URL path
+ %METHOD Request method
+ %MYADDR Squid interface address
+ %MYPORT Squid http_port number
+ %USER_CERT SSL User certificate in PEM format
+ %USER_CERTCHAIN SSL User certificate chain in PEM format
+ %USER_CERT_xx SSL User certificate subject attribute xx
+ %USER_CA_xx SSL User certificate issuer attribute xx
+ </verb>
+ <p>New keywords:
+ <verb>
+ user= The users name (login)
+ password= The users password (for login= cache_peer option)
+ message= Message describing the reason. Available as %o
+ in error pages
+ tag= Apply a tag to a request (for both ERR and OK results)
+ Only sets a tag, does not alter existing tags.
+ log= String to be logged in access.log. Available as
+ %ea in logformat specifications
+
+ Keyword values need to be URL escaped if they may contain
+ contain whitespace or quotes.
+
+ In Squid-2.5 compatibility mode quoting using " and \ is used
+ instead of URL escaping.
+ </verb>
+ <p>Removed option:
+ <verb>
+ protocol=3.0 Use URL-escaped strings instead of quoting
+ </verb>
+ <tag>refresh_pattern</tag>
+ <p>New options:
+ <verb>
+ ignore-no-cache
+ ignore-no-store
+ ignore-private
+ ignore-auth
+ refresh-ims
+
+ ignore-no-cache ignores any ``Pragma: no-cache'' and
+ ``Cache-control: no-cache'' headers received from a server.
+ The HTTP RFC never allows the use of this (Pragma) header
+ from a server, only a client, though plenty of servers
+ send it anyway.
+
+ ignore-no-store ignores any ``Cache-control: no-store''
+ headers received from a server. Doing this VIOLATES
+ the HTTP standard. Enabling this feature could make you
+ liable for problems which it causes.
+
+ ignore-private ignores any ``Cache-control: private''
+ headers received from a server. Doing this VIOLATES
+ the HTTP standard. Enabling this feature could make you
+ liable for problems which it causes.
+
+ ignore-auth caches responses to requests with authorization,
+ irrespective of ``Cache-control'' headers received from
+ a server. Doing this VIOLATES the HTTP standard. Enabling
+ this feature could make you liable for problems which
+ it causes.
+
+ refresh-ims causes squid to contact the origin server
+ when a client issues an If-Modified-Since request. This
+ ensures that the client will receive an updated version
+ if one is available.
+ </verb>
+ <tag>negative_dns_ttl</tag>
+ <p>New default:
+ <verb>
+ Default: 5 minutes
+ (Old default: 1 minute)
+ </verb>
+ <tag>acl</tag>
+ <p>New types:
+ <verb>
+ acl aclname http_status 200 301 500- 400-403 ... # status code in reply
+
+ acl aclname user_cert attribute values...
+ # match against attributes in a user SSL certificate
+ # attribute is one of DN/C/O/CN/L/ST
+
+ acl aclname ca_cert attribute values...
+ # match against attributes a users issuing CA SSL certificate
+ # attribute is one of DN/C/O/CN/L/ST
+
+ acl aclname ext_user username ...
+ acl aclname ext_user_regex [-i] pattern ...
+ # string match on username returned by external acl processing
+ # use REQUIRED to accept any non-null user name.
+ </verb>
+ <p>Removed types:
+ <verb>
+ acl aclname urllogin [-i] [^a-zA-Z0-9] ... # regex matching on URL login field
+
+ acl aclname req_header header-name [-i] any\.regex\.here
+ # regex match against any of the known request headers. May be
+ # thought of as a superset of "browser", "referer" and "mime-type"
+ # ACLs.
+
+ acl aclname rep_header header-name [-i] any\.regex\.here
+ # regex match against any of the known response headers.
+ # Example:
+ #
+ # acl many_spaces rep_header Content-Disposition -i [[:space:]]{3,}
+ </verb>
+ <tag>short_icon_urls</tag>
+ <p>New default:
+ <verb>
+ Default: on
+ (Old default: off)
+ </verb>
+ <tag>delay_class</tag>
+ <p>New delay classes:
+ <verb>
+ class 4 Everything in a class 3 delay pool, with an
+ additional limit on a per user basis. This
+ only takes effect if the username is established
+ in advance - by forcing authentication in your
+ http_access rules.
+
+ class 5 Requests are grouped according their tag (see
+ external_acl's tag= reply).
+ </verb>
+</descrip>
+
+
+
+
+<sect2>Removed tags<label id="removedtags">
+<p>
+<descrip>
+ <tag>httpd_accel_host</tag>
+ Replaced by the defaultsite= or vport=0 (in case of virtual) http_port options
+ <verb>
+ </verb>
+ <tag>httpd_accel_port</tag>
+ <verb>
+ Replaced by vport http(s)_port option
+ </verb>
+ <tag>httpd_accel_single_host on|off</tag>
+ <verb>
+ Replaced by cache_peer originserver based request forwarding
+ making this option obsolete.
+ </verb>
+ <tag>httpd_accel_with_proxy on|off</tag>
+ <verb>
+ Obsolete, no longer needed.
+ </verb>
+ <tag>httpd_accel_uses_host_header on|off</tag>
+ <verb>
+ This has been replaced by the vhost http(s)_port option
+ </verb>
+ <tag>httpd_accel_no_pmtu_disc on|off</tag>
+ <verb>
+ This has been replaced by the disable-pmtu-discovery=.. http_port option
+ </verb>
+ <tag>header_access</tag>
+ <p>This has been replaced by request_header_access and reply_header_access
+</descrip>
+
</article>
projects / thirdparty / squid.git / commitdiff
