<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.21">
- <TITLE>Squid 3.0.PRE5 release notes</TITLE>
+ <TITLE>Squid 3.0.PRE7 release notes</TITLE>
</HEAD>
<BODY>
-<H1>Squid 3.0.PRE5 release notes</H1>
+<H1>Squid 3.0.PRE7 release notes</H1>
-<H2>Squid Developers</H2>$Id: release-3.0.html,v 1.5 2006/11/06 05:14:08 adrian Exp $
+<H2>Squid Developers</H2>$Id: release-3.0.html,v 1.6 2007/08/27 23:58:34 hno Exp $
<HR>
<EM>This document contains the release notes for version 3.0 of Squid.
Squid is a WWW Cache application developed by the National Laboratory
<HR>
<H2><A NAME="s1">1. Notice</A></H2>
-<P>The Squid Team are pleased to announce the release of Squid-3.0.PRE5 for pre-release testing.</P>
+<P>The Squid Team are pleased to announce the release of Squid-3.0.PRE7 for pre-release testing.</P>
<P>This new release is available for download from
<A HREF="http://www.squid-cache.org/Versions/v3/3.0/">http://www.squid-cache.org/Versions/v3/3.0/</A> or the
<A HREF="http://www.squid-cache.org/Mirrors/http-mirrors.html">mirrors</A>.</P>
<P>A large number of the show-stopper bugs have been fixed along with general improvements to the ICAP support.
While this release is not deemed ready for production use, we believe it is ready for wider testing by the community.</P>
<P>We welcome feedback and bug reports. If you find a bug, please see
-<A HREF="http://www.squid-cache.org/Doc/FAQ/FAQ-11.html#ss11.19">http://www.squid-cache.org/Doc/FAQ/FAQ-11.html#ss11.19</A> for how to submit a report with a stack trace.</P>
+<A HREF="http://wiki.squid-cache.org/SquidFaq/TroubleShooting#head-7067fc0034ce967e67911becaabb8c95a34d576d">http://wiki.squid-cache.org/SquidFaq/TroubleShooting#head-7067fc0034ce967e67911becaabb8c95a34d576d</A> for how to submit a report with a stack trace.</P>
<H2><A NAME="s2">2. Known issues</A></H2>
<A HREF="http://www.squid-cache.org/bugs/buglist.cgi?query_format=advanced&short_desc_type=allwordssubstr&short_desc=&target_milestone=3.0&long_desc_type=allwordssubstr&long_desc=&bug_file_loc_type=allwordssubstr&bug_file_loc=&status_whiteboard_type=allwordssubstr&status_whiteboard=&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&emailtype1=substring&email1=&emailtype2=substring&email2=&bugidtype=include&bug_id=&votes=&chfieldfrom=&chfieldto=Now&chfieldvalue=&cmdtype=doit&order=bugs.bug_severity&field0-0-0=noop&type0-0-0=noop&value0-0-0=">open bugs against Squid-3.0</A>.</P>
<P>In particular, ESI may still be too buggy for meaningful testing at this stage.</P>
-<H2><A NAME="s3">3. Changes since Squid-3.0-PRE4</A></H2>
+<H2><A NAME="s3">3. Changes since earlier PRE releases of Squid-3.0</A></H2>
-<P>The change history can be
+<P>The 3.0 change history can be
<A HREF="http://www.squid-cache.org/Versions/v3/3.0/changesets/">viewed here</A>.</P>
-<H2><A NAME="s4">4. Changes since Squid-2.5.STABLE14</A></H2>
+<H2><A NAME="s4">4. Changes since Squid-2.6.STABLE14</A></H2>
<H2><A NAME="ss4.1">4.1 Major new features</A>
</H2>
-<P>Squid 3.0 represents a major rewrite of Squid 2.5 and has a large number of new features.</P>
+<P>Squid 3.0 represents a major rewrite of Squid and has a number of new features.</P>
<P>The most important of these are:</P>
<P>
<UL>
<LI>Edge Side Include implementation (www.esi.org)</LI>
<LI>ICAP implementation (www.i-cap.org)</LI>
-<LI>Better support for reverse proxy setups. The httpd_accel_* directives are now gone, replaced by http(s)_port options and cache_peer based request forwarding</LI>
-<LI>Better support for SSL</LI>
-<LI>Better support for external ACLs</LI>
<LI>Finer control over cacheability (refresh_pattern)</LI>
-<LI>Custom log formats and the ability to log different requests to different log files</LI>
</UL>
</P>
<P>Most user-facing changes are reflected in squid.conf (see below).</P>
-<H2><A NAME="ss4.2">4.2 Logging changes</A>
+<H2><A NAME="ss4.2">4.2 2.6 features not found in Squid-3.0</A>
+</H2>
+
+<P>Some of the features found in Squid-2.6 is not available in Squid-3.
+Some has been dropped as they are not needed. Some has not yet been forward-ported to Squid-3 and may appear in a later release.</P>
+<P>
+<UL>
+<LI>refresh_stale_hit option. Not yet ported.</LI>
+<LI>ability to follow X-Forwarded-For. Not yet ported.</LI>
+<LI>Full caching of Vary/ETag using If-None-Match. Only basic Vary cache supported. Not yet ported.</LI>
+<LI>Mapping of server error messages. Not yet ported.</LI>
+<LI>http_access2 access directive. Not yet ported.</LI>
+<LI>Location header rewrites. Not yet ported.</LI>
+<LI>umask directive. Not yet ported.</LI>
+<LI>wais_relay. Feature dropped as it's equivalent to cache_peer + cache_peer_access.</LI>
+<LI>urlgroup. Not yet ported.</LI>
+<LI>collapsed forwarding. Not yet ported.</LI>
+</UL>
+</P>
+
+<H2><A NAME="ss4.3">4.3 Logging changes</A>
</H2>
<H3>access.log</H3>
-<H2><A NAME="ss4.3">4.3 Changes to squid.conf</A>
+<H2><A NAME="ss4.4">4.4 Changes to squid.conf</A>
</H2>
-<P>There have been many changes to Squid's configuration file since Squid-2.5.</P>
+<P>There have been many changes to Squid's configuration file since Squid-2.6.</P>
<P>This section gives a thorough account of those changes in three categories:</P>
<P>
<UL>
<P>
<DL>
-<DT><B>ssl_engine</B><DD><P>
-<PRE>
-Default: none
-
-The openssl engine to use. You will need to set this if you
-would like to use hardware SSL acceleration for example.
-
-</PRE>
-</P>
-<DT><B>sslproxy_client_certificate</B><DD><P>
-<PRE>
-Default: none
-
-Client SSL Certificate to use when proxying https:// URLs
-
-</PRE>
-</P>
-<DT><B>sslproxy_client_key</B><DD><P>
-<PRE>
-Default: none
-
-Client SSL Key to use when proxying https:// URLs
-
-</PRE>
-</P>
-<DT><B>sslproxy_version</B><DD><P>
-<PRE>
-Default: 1
-
-SSL version level to use when proxying https:// URLs
-
-</PRE>
-</P>
-<DT><B>sslproxy_options</B><DD><P>
-<PRE>
-Default: none
-
-SSL engine options to use when proxying https:// URLs
-
-</PRE>
-</P>
-<DT><B>sslproxy_cipher</B><DD><P>
-<PRE>
-Default: none
-
-SSL cipher list to use when proxying https:// URLs
-
-</PRE>
-</P>
-<DT><B>sslproxy_cafile</B><DD><P>
-<PRE>
-Default: none
-
-file containing CA certificates to use when verifying server
-certificates while proxying https:// URLs
-
-</PRE>
-</P>
-<DT><B>sslproxy_capath</B><DD><P>
-<PRE>
-Default: none
-
-directory containing CA certificates to use when verifying
-server certificates while proxying https:// URLs
-
-</PRE>
-</P>
-<DT><B>sslproxy_flags</B><DD><P>
-<PRE>
-Default: none
-
-Various flags modifying the use of SSL while proxying https:// URLs:
- DONT_VERIFY_PEER Accept certificates even if they fail to
-verify.
- NO_DEFAULT_CA Don't use the default CA list built in
-to OpenSSL.
-
-</PRE>
-</P>
-<DT><B>sslpassword_program</B><DD><P>
-<PRE>
-Default: none
-
-Specify a program used for entering SSL key passphrases
-when using encrypted SSL certificate keys. If not specified
-keys must either be unencrypted, or Squid started with the -N
-option to allow it to query interactively for the passphrase.
-
-</PRE>
-</P>
<DT><B>minimum_icp_query_timeout (msec)</B><DD><P>
<PRE>
Default: 5
</PRE>
</P>
-<DT><B>logformat</B><DD><P>
-<PRE>
-Default: none
-
-Usage:
-
-logformat <name> <format specification>
-
-Defines an access log format.
-
-The <format specification> is a string with embedded % format codes
-
-% format codes all follow the same basic structure where all but
-the formatcode is optional. Output strings are automatically escaped
-as required according to their context and the output format
-modifiers are usually not needed, but can be specified if an explicit
-output format is desired.
-
-% ["|[|'|#] [-] [[0]width] [{argument}] formatcode
-
-" output in quoted string format
-[ output in squid text log format as used by log_mime_hdrs
-# output in URL quoted format
-' output as-is
-
-- left aligned
-width field width. If starting with 0 the
-output is zero padded
-{arg} argument such as header name etc
-
-Format codes:
-
->a Client source IP address
->A Client FQDN
-<A Server IP address or peer name
-la Local IP address (http_port)
-lp Local port number (http_port)
-ts Seconds since epoch
-tu subsecond time (milliseconds)
-tl Local time. Optional strftime format argument
-default %d/%b/%Y:%H:%M:S %z
-tg GMT time. Optional strftime format argument
-default %d/%b/%Y:%H:%M:S %z
-tr Response time (milliseconds)
->h Request header. Optional header name argument
-on the format header[:[separator]element]
-<h Reply header. Optional header name argument
-as for >h
-un User name
-ul User login
-ui User ident
-ue User from external acl
-Hs HTTP status code
-Ss Squid request status (TCP_MISS etc)
-Sh Squid hierarchy status (DEFAULT_PARENT etc)
-mt MIME content type
-rm Request method (GET/POST etc)
-ru Request URL
-rv Request protocol version
-et Tag returned by external acl
-ea Log string returned by external acl
-<st Reply size including HTTP headers
-<sH Reply high offset sent
-<sS Upstream object size
-% a literal % character
-
-logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
-logformat squidmime %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
-logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
-logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
-
-</PRE>
-</P>
-<DT><B>check_hostnames on|off</B><DD><P>
-<PRE>
-Default: on
-
-For security and stability reasons Squid by default checks
-hostnames for Internet standard RFC compliance. If you do not want
-Squid to perform these checks turn this directive off.
-
-</PRE>
-</P>
-<DT><B>url_rewrite_concurrency redirect_concurrency</B><DD><P>
-<PRE>
-Default: 0
-
-The number of requests each redirector helper can handle in
-parallell. Defaults to 0 which indicates the redirector
-is a old-style singlethreaded redirector.
-
-</PRE>
-</P>
-<DT><B>read_ahead_gap</B><DD><P>
-<PRE>
-Default: 16 KB
-
-The amount of data the cache will buffer ahead of what has been
-sent to the client when retrieving an object from another server.
-
-</PRE>
-</P>
-<DT><B>log_access allow|deny acl acl...</B><DD><P>
-<PRE>
-Default: none
-
-This options allows you to control which requests gets logged
-to access.log (see access_log directive). Requests denied for
-logging will also not be accounted for in performance counters.
-
-</PRE>
-</P>
-<DT><B>httpd_suppress_version_string on|off</B><DD><P>
-<PRE>
-Default: off
-Suppress Squid version string info in HTTP headers and HTML error pages.
-
-</PRE>
-</P>
<DT><B>httpd_accel_surrogate_id</B><DD><P>
<PRE>
Default: unset
</PRE>
</P>
+
<DT><B>http_accel_surrogate_remote on|off</B><DD><P>
<PRE>
Default: off
</PRE>
</P>
+
<DT><B>esi_parser libxml2|expat|custom</B><DD><P>
<PRE>
Default: custom
</PRE>
</P>
+
<DT><B>email_err_data on|off</B><DD><P>
<PRE>
Default: on
</PRE>
</P>
-<DT><B>via on|off</B><DD><P>
-<PRE>
-Default: on
-If set (default), Squid will include a Via header in requests and
-replies as required by RFC2616.
-
-</PRE>
-</P>
<DT><B>refresh_all_ims on|off</B><DD><P>
<PRE>
Default: off
</PRE>
</P>
-<DT><B>request_header_access</B><DD><P>
-<PRE>
-Default: none
-
-Usage: request_header_access header_name allow|deny [!]aclname ...
-
-WARNING: Doing this VIOLATES the HTTP standard. Enabling
-this feature could make you liable for problems which it
-causes.
-
-This option replaces the old 'anonymize_headers' and the
-older 'http_anonymizer' option with something that is much
-more configurable. This new method creates a list of ACLs
-for each header, allowing you very fine-tuned header
-mangling.
-
-This option only applies to request headers, i.e., from the
-client to the server.
-
-You can only specify known headers for the header name.
-Other headers are reclassified as 'Other'. You can also
-refer to all the headers with 'All'.
-
-For example, to achieve the same behavior as the old
-'http_anonymizer standard' option, you should use:
-
-request_header_access From deny all
-request_header_access Referer deny all
-request_header_access Server deny all
-request_header_access User-Agent deny all
-request_header_access WWW-Authenticate deny all
-request_header_access Link deny all
-
-Or, to reproduce the old 'http_anonymizer paranoid' feature
-you should use:
-
-request_header_access Allow allow all
-request_header_access Authorization allow all
-request_header_access WWW-Authenticate allow all
-request_header_access Proxy-Authorization allow all
-request_header_access Proxy-Authenticate allow all
-request_header_access Cache-Control allow all
-request_header_access Content-Encoding allow all
-request_header_access Content-Length allow all
-request_header_access Content-Type allow all
-request_header_access Date allow all
-request_header_access Expires allow all
-request_header_access Host allow all
-request_header_access If-Modified-Since allow all
-request_header_access Last-Modified allow all
-request_header_access Location allow all
-request_header_access Pragma allow all
-request_header_access Accept allow all
-request_header_access Accept-Charset allow all
-request_header_access Accept-Encoding allow all
-request_header_access Accept-Language allow all
-request_header_access Content-Language allow all
-request_header_access Mime-Version allow all
-request_header_access Retry-After allow all
-request_header_access Title allow all
-request_header_access Connection allow all
-request_header_access Proxy-Connection allow all
-request_header_access All deny all
-
-although many of those are HTTP reply headers, and so should be
-controlled with the reply_header_access directive.
-
-By default, all headers are allowed (no anonymizing is
-performed).
-
-</PRE>
-</P>
-<DT><B>reply_header_access</B><DD><P>
-<PRE>
-Default: none
+<DT><B>request_header_access</B><DD><P>Replaces the header_access directive of Squid-2.6 and earlier, but applies to requests only.</P>
+<DT><B>reply_header_access</B><DD><P>Replaces the header_access directive of Squid-2.6 and earlier, but applies to replies only.</P>
-Usage: reply_header_access header_name allow|deny [!]aclname ...
-
-WARNING: Doing this VIOLATES the HTTP standard. Enabling
-this feature could make you liable for problems which it
-causes.
-
-This option only applies to reply headers, i.e., from the
-server to the client.
-
-This is the same as request_header_access, but in the other
-direction.
-
-This option replaces the old 'anonymize_headers' and the
-older 'http_anonymizer' option with something that is much
-more configurable. This new method creates a list of ACLs
-for each header, allowing you very fine-tuned header
-mangling.
-
-You can only specify known headers for the header name.
-Other headers are reclassified as 'Other'. You can also
-refer to all the headers with 'All'.
-
-For example, to achieve the same behavior as the old
-'http_anonymizer standard' option, you should use:
-
-reply_header_access From deny all
-reply_header_access Referer deny all
-reply_header_access Server deny all
-reply_header_access User-Agent deny all
-reply_header_access WWW-Authenticate deny all
-reply_header_access Link deny all
-
-Or, to reproduce the old 'http_anonymizer paranoid' feature
-you should use:
-
-reply_header_access Allow allow all
-reply_header_access Authorization allow all
-reply_header_access WWW-Authenticate allow all
-reply_header_access Proxy-Authorization allow all
-reply_header_access Proxy-Authenticate allow all
-reply_header_access Cache-Control allow all
-reply_header_access Content-Encoding allow all
-reply_header_access Content-Length allow all
-reply_header_access Content-Type allow all
-reply_header_access Date allow all
-reply_header_access Expires allow all
-reply_header_access Host allow all
-reply_header_access If-Modified-Since allow all
-reply_header_access Last-Modified allow all
-reply_header_access Location allow all
-reply_header_access Pragma allow all
-reply_header_access Accept allow all
-reply_header_access Accept-Charset allow all
-reply_header_access Accept-Encoding allow all
-reply_header_access Accept-Language allow all
-reply_header_access Content-Language allow all
-reply_header_access Mime-Version allow all
-reply_header_access Retry-After allow all
-reply_header_access Title allow all
-reply_header_access Connection allow all
-reply_header_access Proxy-Connection allow all
-reply_header_access All deny all
-
-although the HTTP request headers won't be usefully controlled
-by this directive -- see request_header_access for details.
-
-By default, all headers are allowed (no anonymizing is
-performed).
-
-</PRE>
-</P>
-<DT><B>minimum_expiry_time</B><DD><P>
-<PRE>
-Default: 60 seconds
-
-The minimum caching time according to (Expires - Date)
-Headers Squid honors if the object can't be revalidated
-defaults to 60 seconds. In reverse proxy enorinments it
-might be desirable to honor shorter object lifetimes. It
-is most likely better to make your server return a
-meaningful Last-Modified header however. In ESI environments
-where page fragments often have short lifetimes, this will
-often be best set to 0.
-
-</PRE>
-</P>
<DT><B>icap_enable on|off</B><DD><P>
<PRE>
Default: off
Example:
icap_access class_1 allow all
+</PRE>
+</P>
+
+<DT><B>accept_filter</B><DD><P>
+<PRE>
+The name of an accept(2) filter to install on Squid's
+listen socket(s). This feature is perhaps specific to
+FreeBSD and requires support in the kernel.
+
+The 'httpready' filter delays delivering new connections
+to Squid until a full HTTP request has been received.
+See the accf_http(9) man page.
+
</PRE>
</P>
</DL>
<DL>
<DT><B>http_port</B><DD><P>New options:
<PRE>
- transparent Support for transparent proxies
-
- accel Accelerator mode. Also set implicit by the other accelerator directives
-
- vhost Accelerator mode using Host header for virtual domain support
-
- vport Accelerator with IP based virtual host support
-
- vport=NN As above, but uses specified port number rather
- than the http_port number
-
- defaultsite= Main web site name for accelerators
-
- protocol= Protocol to reconstruct accelerated requests with.
- Defaults to http
-
disable-pmtu-discovery=
Control Path-MTU discovery usage:
off lets OS decide on what to do (default).
</PRE>
</P>
-<DT><B> https_port</B><DD><P>New options:
+<P>Removed options:
<PRE>
- defaultsite= The name of the https site presented on this port
-
- protocol= Protocol to reconstruct accelerated requests
- with. Defaults to https
-
- options= Various SSL engine options. The most important
- being:
- NO_SSLv2 Disallow the use of SSLv2
- NO_SSLv3 Disallow the use of SSLv3
- NO_TLSv1 Disallow the use of TLSv1
- SINGLE_DH_USE Always create a new key when using
- temporary/ephemeral DH key exchanges
- See src/ssl_support.c or OpenSSL SSL_CTX_set_options
- documentation for a complete list of options
-
- clientca= File containing the list of CAs to use when
- requesting a client certificate
-
- cafile= File containing additional CA certificates to
- use when verifying client certificates. If unset
- clientca will be used
-
- capath= Directory containing additional CA certificates
- and CRL lists to use when verifying client certificates
-
- crlfile= File of additional CRL lists to use when verifying
- the client certificate, in addition to CRLs stored in
- the capath. Implies VERIFY_CRL flag below.
-
- dhparams= File containing DH parameters for temporary/ephemeral
- DH key exchanges
-
- sslflags= Various flags modifying the use of SSL:
- DELAYED_AUTH
- Don't request client certificates
- immediately, but wait until acl processing
- requires a certificate (not yet implemented)
- NO_DEFAULT_CA
- Don't use the default CA lists built in
- to OpenSSL
- NO_SESSION_REUSE
- Don't allow for session reuse. Each connection
- will result in a new SSL session.
- VERIFY_CRL
- Verify CRL lists when accepting client
- certificates
- VERIFY_CRL_ALL
- Verify CRL lists for all certificates in the
- client certificate chain
-
- sslcontext= SSL session ID context identifier.
-
- accelAccelerator mode. Also set implicit by the other
- accelerator directives
-
- vhostAccelerator mode using Host header for virtual
- domain support
-
- vportAccelerator with IP based virtual host support
-
- vport=NN As above, but uses specified port number rather
- than the https_port number
+ urlgroup=, not yet ported to Squid-3.
+
+ no-connection-auth, not yet ported to Squid-3.
+
+</PRE>
+ </P>
+<DT><B> https_port</B><DD><P>Removed options:
+<PRE>
+ urlgroup=, not yet ported to Squid-3.
</PRE>
</P>
<DT><B>cache_peer</B><DD><P>New options:
<PRE>
basetime=n
+
background-ping
- weighted-round-robin
- carp
- htcp-oldsquid
- originserver
- name=xxx
- forceddomain=name
- ssl
- sslcert=/path/to/ssl/certificate
- sslkey=/path/to/ssl/key
- sslversion=1|2|3|4
- sslcipher=...
- ssloptions=...
- front-end-https[=on|auto]
+ weighted-round-robin
use 'basetime=n' to specify a base amount to
be subtracted from round trip times of parents.
time. Closer parents are used more often.
Usually used for background-ping parents.
- use 'carp' to define a set of parents which should
- be used as a CARP array. The requests will be
- distributed among the parents based on the CARP load
- balancing hash function based on their weigth.
-
- use 'htcp-oldsquid' to send HTCP to old Squid versions
-
- 'originserver' causes this parent peer to be contacted as
- a origin server. Meant to be used in accelerator setups.
-
- use 'name=xxx' if you have multiple peers on the same
- host but different ports. This name can be used to
- differentiate the peers in cache_peer_access and similar
- directives.
-
- use 'forceddomain=name' to forcibly set the Host header
- of requests forwarded to this peer. Useful in accelerator
- setups where the server (peer) expects a certain domain
- name and using redirectors to feed this domainname
- is not feasible.
-
- use 'ssl' to indicate connections to this peer should
- bs SSL/TLS encrypted.
-
- use 'sslcert=/path/to/ssl/certificate' to specify a client
- SSL certificate to use when connecting to this peer.
-
- use 'sslkey=/path/to/ssl/key' to specify the private SSL
- key corresponding to sslcert above. If 'sslkey' is not
- specified 'sslcert' is assumed to reference a
- combined file containing both the certificate and the key.
-
- use sslversion=1|2|3|4 to specify the SSL version to use
- when connecting to this peer
- 1 = automatic (default)
- 2 = SSL v2 only
- 3 = SSL v3 only
- 4 = TLS v1 only
-
- use sslcipher=... to specify the list of valid SSL chipers
- to use when connecting to this peer
-
- use ssloptions=... to specify various SSL engine options:
- NO_SSLv2 Disallow the use of SSLv2
- NO_SSLv3 Disallow the use of SSLv3
- NO_TLSv1 Disallow the use of TLSv1
- See src/ssl_support.c or the OpenSSL documentation for
- a more complete list.
-
- use cafile=... to specify a file containing additional
- CA certificates to use when verifying the peer certificate
-
- use capath=... to specify a directory containing additional
- CA certificates to use when verifying the peer certificate
-
- use sslflags=... to specify various flags modifying the
- SSL implementation:
- DONT_VERIFY_PEER
- Accept certificates even if they fail to
- verify.
- NO_DEFAULT_CA
- Don't use the default CA list built in
- to OpenSSL.
- DONT_VERIFY_DOMAIN
- Don't verify the peer certificate
- matches the server name
-
- use sslname= to specify the peer name as advertised
- in it's certificate. Used for verifying the correctness
- of the received peer certificate. If not specified the
- peer hostname will be used.
-
- use front-end-https to enable the "Front-End-Https: On"
- header needed when using Squid as a SSL frontend infront
- of Microsoft OWA. See MS KB document Q307347 for details
- on this header. If set to auto the header will
- only be added if the request is forwarded as a https://
- URL.
</PRE>
</P>
<P>Removed options:
<PRE>
- carp-load-factor
+ userhash, not yet ported to Squid-3
+
+ sourcehash, not yet ported to Squid-2
+
+ monitorurl, monitorsize etc, not yet ported to Squid-3
+
+ connection-auth=, not yet ported to Squid-3
</PRE>
</P>
-<DT><B>cache_dir</B><DD><P>COSS stripe file:
+<DT><B>cache_dir</B><DD><P>Common options
<PRE>
- The coss file store has changed from 2.5. Now it uses a file
- called 'stripe' in the directory names in the config - and
- this will be created by squid -z.
+ no-store, replaces the older read-only option
+
+ min-size, not yet portedto Squid-3
</PRE>
</P>
-<DT><B>access_log cache_access_log</B><DD><P>Takes an optional log format:
+<P>COSS file system:
<PRE>
- These files log client request activities. Has a line every HTTP or
- ICP request. The format is:
- access_log <filepath> [<logformat name> [acl acl ...]]
- access_log none [acl acl ...]]
+ The coss file store is experimental, and still lacks much
+ of the functionality found in 2.6.
- Will log to the specified file using the specified format (which
- must be defined in a logformat directive) those entries which match
- ALL the acl's specified (which must be defined in acl clauses).
- If no acl is specified, all requests will be logged to this file.
+ overwrite-percent=n, not yet ported to Squid-3.
- To disable logging of a request use the filepath "none", in which case
- a logformat name should not be specified.
+ max-stripe-waste=n, not yet ported to Squid-3.
- To log the request via syslog specify a filepath of "syslog":
+ membufs=n, not yet ported to Squid-3.
- access_log syslog[:facility|priority] [format [acl1 [acl2 ....]]]
- where facility could be any of:
- LOG_AUTHPRIV, LOG_DAEMON, LOG_LOCAL0 .. LOG_LOCAL7 or LOG_USER.
-
- And priority could be any of:
- LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO, LOG_DEBUG.
+ maxfullbufs=n, not yet ported to Squid-3.
</PRE>
</P>
-<DT><B>redirect_program</B><DD><P>New alias: 'url_rewrite_program'</P>
-<DT><B>redirect_children</B><DD><P>New alias: 'url_rewrite_children'</P>
-<DT><B>redirect_host_header</B><DD><P>New alias: 'url_rewrite_host_header'</P>
-<DT><B>auth_param</B><DD><P>New option for basic scheme:
+<DT><B>auth_param</B><DD><P>Removed Basic auth option
<PRE>
- "concurrency" concurrency
- The number of concurrent requests the helper can process.
- The default of 0 is used for helpers who only supports
- one request at a time.
+ blankpasswor, not yet ported to squid-3.
auth_param basic concurrency 0
</PRE>
</P>
-<P>Removed NTLM options:
-<PRE>
- "max_challenge_reuses" number
- The maximum number of times a challenge given by a ntlm authentication
- helper can be reused. Increasing this number increases your exposure
- to replay attacks on your network. 0 (the default) means use the
- challenge is used only once. See also the max_ntlm_challenge_lifetime
- directive if enabling challenge reuses.
- auth_param ntlm max_challenge_reuses 0
-
- "max_challenge_lifetime" timespan
- The maximum time period a ntlm challenge is reused over. The
- actual period will be the minimum of this time AND the number of
- reused challenges.
- auth_param ntlm max_challenge_lifetime 2 minutes
-
- "use_ntlm_negotiate" on|off
- Enables support for NTLM NEGOTIATE packet exchanges with the helper.
- The configured ntlm authenticator must be able to handle NTLM
- NEGOTIATE packet. See the authenticator programs documentation if
- unsure. ntlm_auth from Samba-3.0.2 or later supports the use of this
- option.
- The NEGOTIATE packet is required to support NTLMv2 and a
- number of other negotiable NTLMSSP options, and also makes it
- more likely the negotiation is successful. Enabling this parameter
- will also solve problems encountered when NT domain policies
- restrict users to access only certain workstations. When this is off,
- all users must be allowed to log on the proxy servers too, or they'll
- get "invalid workstation" errors - and access denied - when trying to
- use Squid's services.
- Use of ntlm NEGOTIATE is incompatible with challenge reuse, so
- enabling this parameter will OVERRIDE the max_challenge_reuses and
- max_challenge_lifetime parameters and set them to 0.
- auth_param ntlm use_ntlm_negotiate off
-
-</PRE>
-</P>
-<P>New NTLM option:
+<P>Removed digest options:
<PRE>
- "keep_alive" on|off
- If you experience problems with PUT/POST requests when using the
- Negotiate authentication scheme then you can try setting this to
- off. This will cause Squid to forcibly close the connection on
- the initial requests where the browser asks which schemes are
- supported by the proxy.
+ concurrency, not yet ported to Squid-3.
</PRE>
</P>
-<DT><B>external_acl_type</B><DD><P>New options:
+
+<DT><B>external_acl_type</B><DD><P>New format specifications:
<PRE>
- concurrency=n concurrency level per process. Use 0 for old style
- helpers who can only process a single request at a time.
-
- grace=n Percentage remaining of TTL where a refresh of a
- cached entry should be initiated without needing to
- wait for a new reply. (default 0 for no grace period)
- protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers
+ %URI Requested URI
+
+ %PATH Requested URL path
</PRE>
</P>
-<P>New format specifications:
+<P>Removed format specifications:
<PRE>
- %EXT_USER Username from external acl
- %SRCPORT Client source port
- %PATH Requested URL path
- %METHOD Request method
- %MYADDR Squid interface address
- %MYPORT Squid http_port number
- %USER_CERT SSL User certificate in PEM format
- %USER_CERTCHAIN SSL User certificate chain in PEM format
- %USER_CERT_xx SSL User certificate subject attribute xx
- %USER_CA_xx SSL User certificate issuer attribute xx
+ %ACL, not yet ported to Squid-3
+
+ %DATA, not yet ported to Squid-3
</PRE>
</P>
-<P>New keywords:
+<P>New result keywords:
<PRE>
- user= The users name (login)
- password= The users password (for login= cache_peer option)
- message= Message describing the reason. Available as %o
- in error pages
tag= Apply a tag to a request (for both ERR and OK results)
Only sets a tag, does not alter existing tags.
- log= String to be logged in access.log. Available as
- %ea in logformat specifications
-
- Keyword values need to be URL escaped if they may contain
- contain whitespace or quotes.
-
- In Squid-2.5 compatibility mode quoting using " and \ is used
- instead of URL escaping.
-
-</PRE>
-</P>
-<P>Removed option:
-<PRE>
- protocol=3.0 Use URL-escaped strings instead of quoting
</PRE>
</P>
+
<DT><B>refresh_pattern</B><DD><P>New options:
<PRE>
- ignore-no-cache
ignore-no-store
- ignore-private
- ignore-auth
refresh-ims
- ignore-no-cache ignores any ``Pragma: no-cache'' and
- ``Cache-control: no-cache'' headers received from a server.
- The HTTP RFC never allows the use of this (Pragma) header
- from a server, only a client, though plenty of servers
- send it anyway.
-
ignore-no-store ignores any ``Cache-control: no-store''
headers received from a server. Doing this VIOLATES
the HTTP standard. Enabling this feature could make you
liable for problems which it causes.
- ignore-private ignores any ``Cache-control: private''
- headers received from a server. Doing this VIOLATES
- the HTTP standard. Enabling this feature could make you
- liable for problems which it causes.
-
- ignore-auth caches responses to requests with authorization,
- irrespective of ``Cache-control'' headers received from
- a server. Doing this VIOLATES the HTTP standard. Enabling
- this feature could make you liable for problems which
- it causes.
-
refresh-ims causes squid to contact the origin server
when a client issues an If-Modified-Since request. This
ensures that the client will receive an updated version
if one is available.
-</PRE>
-</P>
-<DT><B>negative_dns_ttl</B><DD><P>New default:
-<PRE>
- Default: 5 minutes
- (Old default: 1 minute)
-
</PRE>
</P>
<DT><B>acl</B><DD><P>New types:
<PRE>
acl aclname http_status 200 301 500- 400-403 ... # status code in reply
- acl aclname user_cert attribute values...
- # match against attributes in a user SSL certificate
- # attribute is one of DN/C/O/CN/L/ST
-
- acl aclname ca_cert attribute values...
- # match against attributes a users issuing CA SSL certificate
- # attribute is one of DN/C/O/CN/L/ST
-
- acl aclname ext_user username ...
- acl aclname ext_user_regex [-i] pattern ...
- # string match on username returned by external acl processing
- # use REQUIRED to accept any non-null user name.
</PRE>
</P>
<PRE>
acl aclname urllogin [-i] [^a-zA-Z0-9] ... # regex matching on URL login field
- acl aclname req_header header-name [-i] any\.regex\.here
- # regex match against any of the known request headers. May be
- # thought of as a superset of "browser", "referer" and "mime-type"
- # ACLs.
+ acl urlgroup group1 ...
+ # match against the urlgroup as indicated by redirectors
- acl aclname rep_header header-name [-i] any\.regex\.here
- # regex match against any of the known response headers.
- # Example:
- #
- # acl many_spaces rep_header Content-Disposition -i [[:space:]]{3,}
</PRE>
</P>
</PRE>
</P>
+
+<DT><B>htcp_port</B><DD><P>New default to require the feature to be enabled in squid.conf:
+<PRE>
+ Default: 0 (disabled)
+ (Old default: 4827)
+
+</PRE>
+</P>
+
+<DT><B>icp_port</B><DD><P>New default to require the feature to be enabled in squid.conf:
+<PRE>
+ Default: 0 (disabled)
+ (Old default: 3130)
+
+</PRE>
+</P>
+
+<DT><B>snmp_port</B><DD><P>New default to require the feature to be enabled in squid.conf:
+<PRE>
+ Default: 0 (disabled)
+ (Old default: 3401)
+
+</PRE>
+</P>
+
+<DT><B>logformat</B><DD><P>New format tags:
+<PRE>
+ rp Request URL-Path excluding hostname
+
+ et Tag returned by external acl
+
+ <sH Reply high offset sent
+
+ <sS Upstream object size
+
+</PRE>
+</P>
+
+<P>Removed format tags:
+<PRE>
+ >st Request size including HTTP headers, not yet ported to Squid-3.
+
+ st Request+Reply size including HTTP headers, not yet ported to Squid-3.
+
+</PRE>
+</P>
+
+<DT><B>reply_body_max_size</B><DD><P>Syntax changed:
+<PRE>
+ reply_body_max_size size [acl acl...]
+
+</PRE>
+</P>
+<P>allow/deny no longer used.</P>
+
+<DT><B>url_rewrite_program</B><DD><P>No urlgroup support in either requests or responese</P>
</DL>
</P>
<P>
<DL>
-<DT><B>httpd_accel_host</B><DD><P>Replaced by the defaultsite= or vport=0 (in case of virtual) http_port options</P>
-<DT><B>httpd_accel_port</B><DD><P>Replaced by vport http(s)_port option</P>
-<DT><B>httpd_accel_single_host on|off</B><DD><P>Replaced by cache_peer originserver based request forwarding
-making this option obsolete.</P>
-<DT><B>httpd_accel_with_proxy on|off</B><DD><P>Obsolete, no longer needed.</P>
-<DT><B>httpd_accel_uses_host_header on|off</B><DD><P>This has been replaced by the vhost http(s)_port option</P>
-<DT><B>httpd_accel_no_pmtu_disc on|off</B><DD><P>This has been replaced by the disable-pmtu-discovery=.. http_port option</P>
+<DT><B>broken_vary_encoding</B><DD><P>Not yet ported to Squid-3.</P>
+<DT><B>cache_vary</B><DD><P>Not yet ported to Squid-3.</P>
+<DT><B>collapsed_forwarding</B><DD><P>Not yet ported to Squid-3.</P>
+<DT><B>follow_x_forwarded_for</B><DD><P>Not yet ported to Squid-3.</P>
+<DT><B>*_uses_indirect_client</B><DD><P>Not yet ported to Squid-3.</P>
+<DT><B>error_map</B><DD><P>Not yet ported to Squid-3.</P>
<DT><B>header_access</B><DD><P>This has been replaced by request_header_access and reply_header_access</P>
+<DT><B>http_access2</B><DD><P>Not yet ported to Squid-3.</P>
+<DT><B>httpd_accel_no_pmtu_disc</B><DD><P>Replaced by disable-pmtu-discovery http_port option</P>
+<DT><B>location_rewrite_*</B><DD><P>Not yet ported to Squid-3.</P>
+<DT><B>refresh_stale_hit</B><DD><P>Not yet ported to Squid-3.</P>
+<DT><B>umask</B><DD><P>Not yet ported to Squid-3.</P>
+<DT><B>wais_relay_*</B><DD><P>equivalent to cache_peer + cache_peer_access.</P>
</DL>
</P>
<!doctype linuxdoc system>
<article>
-<title>Squid 3.0.PRE5 release notes</title>
+<title>Squid 3.0.PRE7 release notes</title>
<author>Squid Developers</author>
-<date>$Id: release-3.0.sgml,v 1.22 2006/11/06 05:14:08 adrian Exp $</date>
+<date>$Id: release-3.0.sgml,v 1.23 2007/08/27 23:58:34 hno Exp $</date>
<abstract>
This document contains the release notes for version 3.0 of Squid.
<sect>Notice
<p>
-The Squid Team are pleased to announce the release of Squid-3.0.PRE5 for pre-release testing.
+The Squid Team are pleased to announce the release of Squid-3.0.PRE7 for pre-release testing.
This new release is available for download from <url url="http://www.squid-cache.org/Versions/v3/3.0/"> or the <url url="http://www.squid-cache.org/Mirrors/http-mirrors.html" name="mirrors">.
A large number of the show-stopper bugs have been fixed along with general improvements to the ICAP support.
While this release is not deemed ready for production use, we believe it is ready for wider testing by the community.
-We welcome feedback and bug reports. If you find a bug, please see <url url="http://www.squid-cache.org/Doc/FAQ/FAQ-11.html#ss11.19"> for how to submit a report with a stack trace.
+We welcome feedback and bug reports. If you find a bug, please see <url url="http://wiki.squid-cache.org/SquidFaq/TroubleShooting#head-7067fc0034ce967e67911becaabb8c95a34d576d"> for how to submit a report with a stack trace.
<sect>Known issues
<p>
In particular, ESI may still be too buggy for meaningful testing at this stage.
-<sect>Changes since Squid-3.0-PRE4
+<sect>Changes since earlier PRE releases of Squid-3.0
<p>
-The change history can be <url url="http://www.squid-cache.org/Versions/v3/3.0/changesets/" name="viewed here">.
+The 3.0 change history can be <url url="http://www.squid-cache.org/Versions/v3/3.0/changesets/" name="viewed here">.
+
+<sect>Changes since Squid-2.6.STABLE14
-<sect>Changes since Squid-2.5.STABLE14
<sect1>Major new features
<p>
-Squid 3.0 represents a major rewrite of Squid 2.5 and has a large number of new features.
+Squid 3.0 represents a major rewrite of Squid and has a number of new features.
The most important of these are:
<itemize>
<item>Edge Side Include implementation (www.esi.org)
<item>ICAP implementation (www.i-cap.org)
- <item>Better support for reverse proxy setups. The httpd_accel_* directives are now gone, replaced by http(s)_port options and cache_peer based request forwarding
- <item>Better support for SSL
- <item>Better support for external ACLs
<item>Finer control over cacheability (refresh_pattern)
- <item>Custom log formats and the ability to log different requests to different log files
</itemize>
Most user-facing changes are reflected in squid.conf (see below).
+<sect1>2.6 features not found in Squid-3.0
+<p>
+Some of the features found in Squid-2.6 is not available in Squid-3.
+Some has been dropped as they are not needed. Some has not yet been forward-ported to Squid-3 and may appear in a later release.
+
+<itemize>
+ <item>refresh_stale_hit option. Not yet ported.
+ <item>ability to follow X-Forwarded-For. Not yet ported.
+ <item>Full caching of Vary/ETag using If-None-Match. Only basic Vary cache supported. Not yet ported.
+ <item>Mapping of server error messages. Not yet ported.
+ <item>http_access2 access directive. Not yet ported.
+ <item>Location header rewrites. Not yet ported.
+ <item>umask directive. Not yet ported.
+ <item>wais_relay. Feature dropped as it's equivalent to cache_peer + cache_peer_access.
+ <item>urlgroup. Not yet ported.
+ <item>collapsed forwarding. Not yet ported.
+</itemize>
+
<sect1>Logging changes
<sect2>access.log
<p>The TCP_REFRESH_HIT and TCP_REFRESH_MISS log types have been replaced because they were misleading (all refreshes need to query the origin server, so they could never be hits). The following log types have been introduced to replace them:
<sect1>Changes to squid.conf
<p>
-There have been many changes to Squid's configuration file since Squid-2.5.
+There have been many changes to Squid's configuration file since Squid-2.6.
This section gives a thorough account of those changes in three categories:
<p>
<descrip>
- <tag>ssl_engine</tag>
- <verb>
-Default: none
-
-The openssl engine to use. You will need to set this if you
-would like to use hardware SSL acceleration for example.
- </verb>
- <tag>sslproxy_client_certificate</tag>
- <verb>
-Default: none
-
-Client SSL Certificate to use when proxying https:// URLs
- </verb>
- <tag>sslproxy_client_key</tag>
- <verb>
-Default: none
-
-Client SSL Key to use when proxying https:// URLs
- </verb>
- <tag>sslproxy_version</tag>
- <verb>
-Default: 1
-
-SSL version level to use when proxying https:// URLs
- </verb>
- <tag>sslproxy_options</tag>
- <verb>
-Default: none
-
-SSL engine options to use when proxying https:// URLs
- </verb>
- <tag>sslproxy_cipher</tag>
- <verb>
-Default: none
-
-SSL cipher list to use when proxying https:// URLs
- </verb>
- <tag>sslproxy_cafile</tag>
- <verb>
-Default: none
-
-file containing CA certificates to use when verifying server
-certificates while proxying https:// URLs
- </verb>
- <tag>sslproxy_capath</tag>
- <verb>
-Default: none
-
-directory containing CA certificates to use when verifying
-server certificates while proxying https:// URLs
- </verb>
- <tag>sslproxy_flags</tag>
- <verb>
-Default: none
-
-Various flags modifying the use of SSL while proxying https:// URLs:
- DONT_VERIFY_PEER Accept certificates even if they fail to
-verify.
- NO_DEFAULT_CA Don't use the default CA list built in
-to OpenSSL.
- </verb>
- <tag>sslpassword_program</tag>
- <verb>
-Default: none
-
-Specify a program used for entering SSL key passphrases
-when using encrypted SSL certificate keys. If not specified
-keys must either be unencrypted, or Squid started with the -N
-option to allow it to query interactively for the passphrase.
- </verb>
<tag>minimum_icp_query_timeout (msec)</tag>
<verb>
Default: 5
Controls how often the ICP pings are sent to siblings that
have background-ping set.
</verb>
- <tag>logformat</tag>
- <verb>
-Default: none
-
-Usage:
-
-logformat <name> <format specification>
-
-Defines an access log format.
-
-The <format specification> is a string with embedded % format codes
-
-% format codes all follow the same basic structure where all but
-the formatcode is optional. Output strings are automatically escaped
-as required according to their context and the output format
-modifiers are usually not needed, but can be specified if an explicit
-output format is desired.
-
-% ["|[|'|#] [-] [[0]width] [{argument}] formatcode
-
-" output in quoted string format
-[ output in squid text log format as used by log_mime_hdrs
-# output in URL quoted format
-' output as-is
-
-- left aligned
-width field width. If starting with 0 the
-output is zero padded
-{arg} argument such as header name etc
-
-Format codes:
-
->a Client source IP address
->A Client FQDN
-<A Server IP address or peer name
-la Local IP address (http_port)
-lp Local port number (http_port)
-ts Seconds since epoch
-tu subsecond time (milliseconds)
-tl Local time. Optional strftime format argument
-default %d/%b/%Y:%H:%M:S %z
-tg GMT time. Optional strftime format argument
-default %d/%b/%Y:%H:%M:S %z
-tr Response time (milliseconds)
->h Request header. Optional header name argument
-on the format header[:[separator]element]
-<h Reply header. Optional header name argument
-as for >h
-un User name
-ul User login
-ui User ident
-ue User from external acl
-Hs HTTP status code
-Ss Squid request status (TCP_MISS etc)
-Sh Squid hierarchy status (DEFAULT_PARENT etc)
-mt MIME content type
-rm Request method (GET/POST etc)
-ru Request URL
-rv Request protocol version
-et Tag returned by external acl
-ea Log string returned by external acl
-<st Reply size including HTTP headers
-<sH Reply high offset sent
-<sS Upstream object size
-% a literal % character
-
-logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
-logformat squidmime %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt [%>h] [%<h]
-logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st %Ss:%Sh
-logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
- </verb>
- <tag>check_hostnames on|off</tag>
- <verb>
-Default: on
-
-For security and stability reasons Squid by default checks
-hostnames for Internet standard RFC compliance. If you do not want
-Squid to perform these checks turn this directive off.
- </verb>
- <tag>url_rewrite_concurrency redirect_concurrency</tag>
- <verb>
-Default: 0
-The number of requests each redirector helper can handle in
-parallell. Defaults to 0 which indicates the redirector
-is a old-style singlethreaded redirector.
- </verb>
- <tag>read_ahead_gap</tag>
- <verb>
-Default: 16 KB
-
-The amount of data the cache will buffer ahead of what has been
-sent to the client when retrieving an object from another server.
- </verb>
- <tag>log_access allow|deny acl acl...</tag>
- <verb>
-Default: none
-
-This options allows you to control which requests gets logged
-to access.log (see access_log directive). Requests denied for
-logging will also not be accounted for in performance counters.
- </verb>
- <tag>httpd_suppress_version_string on|off</tag>
- <verb>
-Default: off
-
-Suppress Squid version string info in HTTP headers and HTML error pages.
- </verb>
<tag>httpd_accel_surrogate_id</tag>
<verb>
Default: unset
a farm of surrogates may all perform the same tasks, they may share
an identification token.
</verb>
+
<tag>http_accel_surrogate_remote on|off</tag>
<verb>
Default: off
Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote.
Set this to on to have squid behave as a remote surrogate.
</verb>
+
<tag>esi_parser libxml2|expat|custom</tag>
<verb>
Default: custom
will give higher performance, but cannot handle non ASCII character
encodings.
</verb>
+
<tag>email_err_data on|off</tag>
<verb>
Default: on
so that the email body contains the data.
Syntax is <A HREF="mailto:%w%W">%w</A>
</verb>
- <tag>via on|off</tag>
- <verb>
-Default: on
-If set (default), Squid will include a Via header in requests and
-replies as required by RFC2616.
- </verb>
<tag>refresh_all_ims on|off</tag>
<verb>
Default: off
based on the age of the cached version.
</verb>
<tag>request_header_access</tag>
- <verb>
-Default: none
-
-Usage: request_header_access header_name allow|deny [!]aclname ...
-
-WARNING: Doing this VIOLATES the HTTP standard. Enabling
-this feature could make you liable for problems which it
-causes.
-
-This option replaces the old 'anonymize_headers' and the
-older 'http_anonymizer' option with something that is much
-more configurable. This new method creates a list of ACLs
-for each header, allowing you very fine-tuned header
-mangling.
-
-This option only applies to request headers, i.e., from the
-client to the server.
-
-You can only specify known headers for the header name.
-Other headers are reclassified as 'Other'. You can also
-refer to all the headers with 'All'.
-
-For example, to achieve the same behavior as the old
-'http_anonymizer standard' option, you should use:
-
-request_header_access From deny all
-request_header_access Referer deny all
-request_header_access Server deny all
-request_header_access User-Agent deny all
-request_header_access WWW-Authenticate deny all
-request_header_access Link deny all
-
-Or, to reproduce the old 'http_anonymizer paranoid' feature
-you should use:
-
-request_header_access Allow allow all
-request_header_access Authorization allow all
-request_header_access WWW-Authenticate allow all
-request_header_access Proxy-Authorization allow all
-request_header_access Proxy-Authenticate allow all
-request_header_access Cache-Control allow all
-request_header_access Content-Encoding allow all
-request_header_access Content-Length allow all
-request_header_access Content-Type allow all
-request_header_access Date allow all
-request_header_access Expires allow all
-request_header_access Host allow all
-request_header_access If-Modified-Since allow all
-request_header_access Last-Modified allow all
-request_header_access Location allow all
-request_header_access Pragma allow all
-request_header_access Accept allow all
-request_header_access Accept-Charset allow all
-request_header_access Accept-Encoding allow all
-request_header_access Accept-Language allow all
-request_header_access Content-Language allow all
-request_header_access Mime-Version allow all
-request_header_access Retry-After allow all
-request_header_access Title allow all
-request_header_access Connection allow all
-request_header_access Proxy-Connection allow all
-request_header_access All deny all
-
-although many of those are HTTP reply headers, and so should be
-controlled with the reply_header_access directive.
-
-By default, all headers are allowed (no anonymizing is
-performed).
- </verb>
+ <p>Replaces the header_access directive of Squid-2.6 and earlier, but applies to requests only.
<tag>reply_header_access</tag>
- <verb>
-Default: none
+ <p>Replaces the header_access directive of Squid-2.6 and earlier, but applies to replies only.
-Usage: reply_header_access header_name allow|deny [!]aclname ...
-
-WARNING: Doing this VIOLATES the HTTP standard. Enabling
-this feature could make you liable for problems which it
-causes.
-
-This option only applies to reply headers, i.e., from the
-server to the client.
-
-This is the same as request_header_access, but in the other
-direction.
-
-This option replaces the old 'anonymize_headers' and the
-older 'http_anonymizer' option with something that is much
-more configurable. This new method creates a list of ACLs
-for each header, allowing you very fine-tuned header
-mangling.
-
-You can only specify known headers for the header name.
-Other headers are reclassified as 'Other'. You can also
-refer to all the headers with 'All'.
-
-For example, to achieve the same behavior as the old
-'http_anonymizer standard' option, you should use:
-
-reply_header_access From deny all
-reply_header_access Referer deny all
-reply_header_access Server deny all
-reply_header_access User-Agent deny all
-reply_header_access WWW-Authenticate deny all
-reply_header_access Link deny all
-
-Or, to reproduce the old 'http_anonymizer paranoid' feature
-you should use:
-
-reply_header_access Allow allow all
-reply_header_access Authorization allow all
-reply_header_access WWW-Authenticate allow all
-reply_header_access Proxy-Authorization allow all
-reply_header_access Proxy-Authenticate allow all
-reply_header_access Cache-Control allow all
-reply_header_access Content-Encoding allow all
-reply_header_access Content-Length allow all
-reply_header_access Content-Type allow all
-reply_header_access Date allow all
-reply_header_access Expires allow all
-reply_header_access Host allow all
-reply_header_access If-Modified-Since allow all
-reply_header_access Last-Modified allow all
-reply_header_access Location allow all
-reply_header_access Pragma allow all
-reply_header_access Accept allow all
-reply_header_access Accept-Charset allow all
-reply_header_access Accept-Encoding allow all
-reply_header_access Accept-Language allow all
-reply_header_access Content-Language allow all
-reply_header_access Mime-Version allow all
-reply_header_access Retry-After allow all
-reply_header_access Title allow all
-reply_header_access Connection allow all
-reply_header_access Proxy-Connection allow all
-reply_header_access All deny all
-
-although the HTTP request headers won't be usefully controlled
-by this directive -- see request_header_access for details.
-
-By default, all headers are allowed (no anonymizing is
-performed).
- </verb>
- <tag>minimum_expiry_time</tag>
- <verb>
-Default: 60 seconds
-
-The minimum caching time according to (Expires - Date)
-Headers Squid honors if the object can't be revalidated
-defaults to 60 seconds. In reverse proxy enorinments it
-might be desirable to honor shorter object lifetimes. It
-is most likely better to make your server return a
-meaningful Last-Modified header however. In ESI environments
-where page fragments often have short lifetimes, this will
-often be best set to 0.
- </verb>
<tag>icap_enable on|off</tag>
<verb>
Default: off
Example:
icap_access class_1 allow all
</verb>
+
+ <tag>accept_filter</tag>
+ <verb>
+The name of an accept(2) filter to install on Squid's
+listen socket(s). This feature is perhaps specific to
+FreeBSD and requires support in the kernel.
+
+The 'httpready' filter delays delivering new connections
+to Squid until a full HTTP request has been received.
+See the accf_http(9) man page.
+ </verb>
</descrip>
<tag>http_port</tag>
<p>New options:
<verb>
- transparent Support for transparent proxies
-
- accel Accelerator mode. Also set implicit by the other accelerator directives
-
- vhost Accelerator mode using Host header for virtual domain support
-
- vport Accelerator with IP based virtual host support
-
- vport=NN As above, but uses specified port number rather
- than the http_port number
-
- defaultsite= Main web site name for accelerators
-
- protocol= Protocol to reconstruct accelerated requests with.
- Defaults to http
-
disable-pmtu-discovery=
Control Path-MTU discovery usage:
off lets OS decide on what to do (default).
certain clients sporadically hang or never complete requests set
disable-pmtu-discovery option to 'transparent'.
</verb>
+ <p>Removed options:
+ <verb>
+ urlgroup=, not yet ported to Squid-3.
+
+ no-connection-auth, not yet ported to Squid-3.
+ </verb>
<tag> https_port</tag>
- <p>New options:
+ <p>Removed options:
<verb>
- defaultsite= The name of the https site presented on this port
-
- protocol= Protocol to reconstruct accelerated requests
- with. Defaults to https
-
- options= Various SSL engine options. The most important
- being:
- NO_SSLv2 Disallow the use of SSLv2
- NO_SSLv3 Disallow the use of SSLv3
- NO_TLSv1 Disallow the use of TLSv1
- SINGLE_DH_USE Always create a new key when using
- temporary/ephemeral DH key exchanges
- See src/ssl_support.c or OpenSSL SSL_CTX_set_options
- documentation for a complete list of options
-
- clientca= File containing the list of CAs to use when
- requesting a client certificate
-
- cafile= File containing additional CA certificates to
- use when verifying client certificates. If unset
- clientca will be used
-
- capath= Directory containing additional CA certificates
- and CRL lists to use when verifying client certificates
-
- crlfile= File of additional CRL lists to use when verifying
- the client certificate, in addition to CRLs stored in
- the capath. Implies VERIFY_CRL flag below.
-
- dhparams= File containing DH parameters for temporary/ephemeral
- DH key exchanges
-
- sslflags= Various flags modifying the use of SSL:
- DELAYED_AUTH
- Don't request client certificates
- immediately, but wait until acl processing
- requires a certificate (not yet implemented)
- NO_DEFAULT_CA
- Don't use the default CA lists built in
- to OpenSSL
- NO_SESSION_REUSE
- Don't allow for session reuse. Each connection
- will result in a new SSL session.
- VERIFY_CRL
- Verify CRL lists when accepting client
- certificates
- VERIFY_CRL_ALL
- Verify CRL lists for all certificates in the
- client certificate chain
-
- sslcontext= SSL session ID context identifier.
-
- accelAccelerator mode. Also set implicit by the other
- accelerator directives
-
- vhostAccelerator mode using Host header for virtual
- domain support
-
- vportAccelerator with IP based virtual host support
-
- vport=NN As above, but uses specified port number rather
- than the https_port number
+ urlgroup=, not yet ported to Squid-3.
</verb>
<tag>cache_peer</tag>
<p>New options:
<verb>
basetime=n
+
background-ping
- weighted-round-robin
- carp
- htcp-oldsquid
- originserver
- name=xxx
- forceddomain=name
- ssl
- sslcert=/path/to/ssl/certificate
- sslkey=/path/to/ssl/key
- sslversion=1|2|3|4
- sslcipher=...
- ssloptions=...
- front-end-https[=on|auto]
+ weighted-round-robin
use 'basetime=n' to specify a base amount to
be subtracted from round trip times of parents.
time. Closer parents are used more often.
Usually used for background-ping parents.
- use 'carp' to define a set of parents which should
- be used as a CARP array. The requests will be
- distributed among the parents based on the CARP load
- balancing hash function based on their weigth.
-
- use 'htcp-oldsquid' to send HTCP to old Squid versions
-
- 'originserver' causes this parent peer to be contacted as
- a origin server. Meant to be used in accelerator setups.
-
- use 'name=xxx' if you have multiple peers on the same
- host but different ports. This name can be used to
- differentiate the peers in cache_peer_access and similar
- directives.
-
- use 'forceddomain=name' to forcibly set the Host header
- of requests forwarded to this peer. Useful in accelerator
- setups where the server (peer) expects a certain domain
- name and using redirectors to feed this domainname
- is not feasible.
-
- use 'ssl' to indicate connections to this peer should
- bs SSL/TLS encrypted.
-
- use 'sslcert=/path/to/ssl/certificate' to specify a client
- SSL certificate to use when connecting to this peer.
-
- use 'sslkey=/path/to/ssl/key' to specify the private SSL
- key corresponding to sslcert above. If 'sslkey' is not
- specified 'sslcert' is assumed to reference a
- combined file containing both the certificate and the key.
-
- use sslversion=1|2|3|4 to specify the SSL version to use
- when connecting to this peer
- 1 = automatic (default)
- 2 = SSL v2 only
- 3 = SSL v3 only
- 4 = TLS v1 only
-
- use sslcipher=... to specify the list of valid SSL chipers
- to use when connecting to this peer
-
- use ssloptions=... to specify various SSL engine options:
- NO_SSLv2 Disallow the use of SSLv2
- NO_SSLv3 Disallow the use of SSLv3
- NO_TLSv1 Disallow the use of TLSv1
- See src/ssl_support.c or the OpenSSL documentation for
- a more complete list.
-
- use cafile=... to specify a file containing additional
- CA certificates to use when verifying the peer certificate
-
- use capath=... to specify a directory containing additional
- CA certificates to use when verifying the peer certificate
-
- use sslflags=... to specify various flags modifying the
- SSL implementation:
- DONT_VERIFY_PEER
- Accept certificates even if they fail to
- verify.
- NO_DEFAULT_CA
- Don't use the default CA list built in
- to OpenSSL.
- DONT_VERIFY_DOMAIN
- Don't verify the peer certificate
- matches the server name
-
- use sslname= to specify the peer name as advertised
- in it's certificate. Used for verifying the correctness
- of the received peer certificate. If not specified the
- peer hostname will be used.
-
- use front-end-https to enable the "Front-End-Https: On"
- header needed when using Squid as a SSL frontend infront
- of Microsoft OWA. See MS KB document Q307347 for details
- on this header. If set to auto the header will
- only be added if the request is forwarded as a https://
- URL.
</verb>
<p>Removed options:
<verb>
- carp-load-factor
+ userhash, not yet ported to Squid-3
+
+ sourcehash, not yet ported to Squid-2
+
+ monitorurl, monitorsize etc, not yet ported to Squid-3
+
+ connection-auth=, not yet ported to Squid-3
</verb>
<tag>cache_dir</tag>
- <p>COSS stripe file:
+ <p>Common options
<verb>
- The coss file store has changed from 2.5. Now it uses a file
- called 'stripe' in the directory names in the config - and
- this will be created by squid -z.
+ no-store, replaces the older read-only option
+
+ min-size, not yet portedto Squid-3
</verb>
- <tag>access_log cache_access_log</tag>
- <p>Takes an optional log format:
+ <p>COSS file system:
<verb>
- These files log client request activities. Has a line every HTTP or
- ICP request. The format is:
- access_log <filepath> [<logformat name> [acl acl ...]]
- access_log none [acl acl ...]]
-
- Will log to the specified file using the specified format (which
- must be defined in a logformat directive) those entries which match
- ALL the acl's specified (which must be defined in acl clauses).
- If no acl is specified, all requests will be logged to this file.
+ The coss file store is experimental, and still lacks much
+ of the functionality found in 2.6.
- To disable logging of a request use the filepath "none", in which case
- a logformat name should not be specified.
+ overwrite-percent=n, not yet ported to Squid-3.
- To log the request via syslog specify a filepath of "syslog":
+ max-stripe-waste=n, not yet ported to Squid-3.
- access_log syslog[:facility|priority] [format [acl1 [acl2 ....]]]
- where facility could be any of:
- LOG_AUTHPRIV, LOG_DAEMON, LOG_LOCAL0 .. LOG_LOCAL7 or LOG_USER.
+ membufs=n, not yet ported to Squid-3.
- And priority could be any of:
- LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO, LOG_DEBUG.
+ maxfullbufs=n, not yet ported to Squid-3.
</verb>
- <tag>redirect_program</tag>
- <p>New alias: 'url_rewrite_program'
- <tag>redirect_children</tag>
- <p>New alias: 'url_rewrite_children'
- <tag>redirect_host_header</tag>
- <p>New alias: 'url_rewrite_host_header'
<tag>auth_param</tag>
- <p>New option for basic scheme:
+ <p>Removed Basic auth option
<verb>
- "concurrency" concurrency
- The number of concurrent requests the helper can process.
- The default of 0 is used for helpers who only supports
- one request at a time.
+ blankpasswor, not yet ported to squid-3.
auth_param basic concurrency 0
</verb>
- <p>Removed NTLM options:
- <verb>
- "max_challenge_reuses" number
- The maximum number of times a challenge given by a ntlm authentication
- helper can be reused. Increasing this number increases your exposure
- to replay attacks on your network. 0 (the default) means use the
- challenge is used only once. See also the max_ntlm_challenge_lifetime
- directive if enabling challenge reuses.
- auth_param ntlm max_challenge_reuses 0
-
- "max_challenge_lifetime" timespan
- The maximum time period a ntlm challenge is reused over. The
- actual period will be the minimum of this time AND the number of
- reused challenges.
- auth_param ntlm max_challenge_lifetime 2 minutes
-
- "use_ntlm_negotiate" on|off
- Enables support for NTLM NEGOTIATE packet exchanges with the helper.
- The configured ntlm authenticator must be able to handle NTLM
- NEGOTIATE packet. See the authenticator programs documentation if
- unsure. ntlm_auth from Samba-3.0.2 or later supports the use of this
- option.
- The NEGOTIATE packet is required to support NTLMv2 and a
- number of other negotiable NTLMSSP options, and also makes it
- more likely the negotiation is successful. Enabling this parameter
- will also solve problems encountered when NT domain policies
- restrict users to access only certain workstations. When this is off,
- all users must be allowed to log on the proxy servers too, or they'll
- get "invalid workstation" errors - and access denied - when trying to
- use Squid's services.
- Use of ntlm NEGOTIATE is incompatible with challenge reuse, so
- enabling this parameter will OVERRIDE the max_challenge_reuses and
- max_challenge_lifetime parameters and set them to 0.
- auth_param ntlm use_ntlm_negotiate off
- </verb>
- <p>New NTLM option:
+ <p>Removed digest options:
<verb>
- "keep_alive" on|off
- If you experience problems with PUT/POST requests when using the
- Negotiate authentication scheme then you can try setting this to
- off. This will cause Squid to forcibly close the connection on
- the initial requests where the browser asks which schemes are
- supported by the proxy.
+ concurrency, not yet ported to Squid-3.
</verb>
+
<tag>external_acl_type</tag>
- <p>New options:
- <verb>
- concurrency=n concurrency level per process. Use 0 for old style
- helpers who can only process a single request at a time.
-
- grace=n Percentage remaining of TTL where a refresh of a
- cached entry should be initiated without needing to
- wait for a new reply. (default 0 for no grace period)
- protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers
- </verb>
<p>New format specifications:
<verb>
- %EXT_USER Username from external acl
- %SRCPORT Client source port
- %PATH Requested URL path
- %METHOD Request method
- %MYADDR Squid interface address
- %MYPORT Squid http_port number
- %USER_CERT SSL User certificate in PEM format
- %USER_CERTCHAIN SSL User certificate chain in PEM format
- %USER_CERT_xx SSL User certificate subject attribute xx
- %USER_CA_xx SSL User certificate issuer attribute xx
+ %URI Requested URI
+
+ %PATH Requested URL path
</verb>
- <p>New keywords:
+ <P>Removed format specifications:
<verb>
- user= The users name (login)
- password= The users password (for login= cache_peer option)
- message= Message describing the reason. Available as %o
- in error pages
- tag= Apply a tag to a request (for both ERR and OK results)
- Only sets a tag, does not alter existing tags.
- log= String to be logged in access.log. Available as
- %ea in logformat specifications
-
- Keyword values need to be URL escaped if they may contain
- contain whitespace or quotes.
+ %ACL, not yet ported to Squid-3
- In Squid-2.5 compatibility mode quoting using " and \ is used
- instead of URL escaping.
+ %DATA, not yet ported to Squid-3
</verb>
- <p>Removed option:
+ <p>New result keywords:
<verb>
- protocol=3.0 Use URL-escaped strings instead of quoting
+ tag= Apply a tag to a request (for both ERR and OK results)
+ Only sets a tag, does not alter existing tags.
</verb>
+
<tag>refresh_pattern</tag>
<p>New options:
<verb>
- ignore-no-cache
ignore-no-store
- ignore-private
- ignore-auth
refresh-ims
- ignore-no-cache ignores any ``Pragma: no-cache'' and
- ``Cache-control: no-cache'' headers received from a server.
- The HTTP RFC never allows the use of this (Pragma) header
- from a server, only a client, though plenty of servers
- send it anyway.
-
ignore-no-store ignores any ``Cache-control: no-store''
headers received from a server. Doing this VIOLATES
the HTTP standard. Enabling this feature could make you
liable for problems which it causes.
- ignore-private ignores any ``Cache-control: private''
- headers received from a server. Doing this VIOLATES
- the HTTP standard. Enabling this feature could make you
- liable for problems which it causes.
-
- ignore-auth caches responses to requests with authorization,
- irrespective of ``Cache-control'' headers received from
- a server. Doing this VIOLATES the HTTP standard. Enabling
- this feature could make you liable for problems which
- it causes.
-
refresh-ims causes squid to contact the origin server
when a client issues an If-Modified-Since request. This
ensures that the client will receive an updated version
if one is available.
- </verb>
- <tag>negative_dns_ttl</tag>
- <p>New default:
- <verb>
- Default: 5 minutes
- (Old default: 1 minute)
</verb>
<tag>acl</tag>
<p>New types:
<verb>
acl aclname http_status 200 301 500- 400-403 ... # status code in reply
- acl aclname user_cert attribute values...
- # match against attributes in a user SSL certificate
- # attribute is one of DN/C/O/CN/L/ST
-
- acl aclname ca_cert attribute values...
- # match against attributes a users issuing CA SSL certificate
- # attribute is one of DN/C/O/CN/L/ST
-
- acl aclname ext_user username ...
- acl aclname ext_user_regex [-i] pattern ...
- # string match on username returned by external acl processing
- # use REQUIRED to accept any non-null user name.
</verb>
<p>Removed types:
<verb>
acl aclname urllogin [-i] [^a-zA-Z0-9] ... # regex matching on URL login field
- acl aclname req_header header-name [-i] any\.regex\.here
- # regex match against any of the known request headers. May be
- # thought of as a superset of "browser", "referer" and "mime-type"
- # ACLs.
+ acl urlgroup group1 ...
+ # match against the urlgroup as indicated by redirectors
- acl aclname rep_header header-name [-i] any\.regex\.here
- # regex match against any of the known response headers.
- # Example:
- #
- # acl many_spaces rep_header Content-Disposition -i [[:space:]]{3,}
</verb>
<tag>short_icon_urls</tag>
<p>New default:
class 5 Requests are grouped according their tag (see
external_acl's tag= reply).
</verb>
+
+ <tag>htcp_port</tag>
+ <p>New default to require the feature to be enabled in squid.conf:
+ <verb>
+ Default: 0 (disabled)
+ (Old default: 4827)
+ </verb>
+
+ <tag>icp_port</tag>
+ <p>New default to require the feature to be enabled in squid.conf:
+ <verb>
+ Default: 0 (disabled)
+ (Old default: 3130)
+ </verb>
+
+ <tag>snmp_port</tag>
+ <p>New default to require the feature to be enabled in squid.conf:
+ <verb>
+ Default: 0 (disabled)
+ (Old default: 3401)
+ </verb>
+
+ <tag>logformat</tag>
+ <p>New format tags:
+ <verb>
+ rp Request URL-Path excluding hostname
+
+ et Tag returned by external acl
+
+ <sH Reply high offset sent
+
+ <sS Upstream object size
+ </verb>
+
+ <p>Removed format tags:
+ <verb>
+ >st Request size including HTTP headers, not yet ported to Squid-3.
+
+ st Request+Reply size including HTTP headers, not yet ported to Squid-3.
+ </verb>
+
+ <tag>reply_body_max_size</tag>
+ <p>Syntax changed:
+ <verb>
+ reply_body_max_size size [acl acl...]
+ </verb>
+ <p>allow/deny no longer used.
+
+ <tag>url_rewrite_program</tag>
+ <p>No urlgroup support in either requests or responese
</descrip>
<sect2>Removed tags<label id="removedtags">
<p>
<descrip>
- <tag>httpd_accel_host</tag>
- Replaced by the defaultsite= or vport=0 (in case of virtual) http_port options
- <tag>httpd_accel_port</tag>
- Replaced by vport http(s)_port option
- <tag>httpd_accel_single_host on|off</tag>
- Replaced by cache_peer originserver based request forwarding
- making this option obsolete.
- <tag>httpd_accel_with_proxy on|off</tag>
- Obsolete, no longer needed.
- <tag>httpd_accel_uses_host_header on|off</tag>
- This has been replaced by the vhost http(s)_port option
- <tag>httpd_accel_no_pmtu_disc on|off</tag>
- This has been replaced by the disable-pmtu-discovery=.. http_port option
+ <tag>broken_vary_encoding</tag>
+ <p>Not yet ported to Squid-3.
+ <tag>cache_vary</tag>
+ <p>Not yet ported to Squid-3.
+ <tag>collapsed_forwarding</tag>
+ <p>Not yet ported to Squid-3.
+ <tag>follow_x_forwarded_for</tag>
+ <p>Not yet ported to Squid-3.
+ <tag>*_uses_indirect_client</tag>
+ <p>Not yet ported to Squid-3.
+ <tag>error_map</tag>
+ <p>Not yet ported to Squid-3.
<tag>header_access</tag>
<p>This has been replaced by request_header_access and reply_header_access
+ <tag>http_access2</tag>
+ <p>Not yet ported to Squid-3.
+ <tag>httpd_accel_no_pmtu_disc</tag>
+ <p>Replaced by disable-pmtu-discovery http_port option
+ <tag>location_rewrite_*</tag>
+ <p>Not yet ported to Squid-3.
+ <tag>refresh_stale_hit</tag>
+ <p>Not yet ported to Squid-3.
+ <tag>umask</tag>
+ <p>Not yet ported to Squid-3.
+ <tag>wais_relay_*</tag>
+ <p>equivalent to cache_peer + cache_peer_access.
</descrip>
projects / thirdparty / squid.git / commitdiff
