+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
-<HTML>
-<HEAD>
- <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.50">
- <TITLE>Squid 3.0.STABLE16 release notes</TITLE>
-</HEAD>
-<BODY>
-<H1>Squid 3.0.STABLE16 release notes</H1>
-
-<H2>Squid Developers</H2>
-<HR>
-<EM>This document contains the release notes for version 3.0 of Squid.
-Squid is a WWW Cache application developed by the National Laboratory
-for Applied Network Research and members of the Web Caching community.</EM>
-<HR>
-<P>The Squid Team are pleased to announce the release of Squid-3.0.STABLE16.</P>
-<P>This new release is available for download from
-<A HREF="http://www.squid-cache.org/Versions/v3/3.0/">http://www.squid-cache.org/Versions/v3/3.0/</A> or the
-<A HREF="http://www.squid-cache.org/Mirrors/http-mirrors.html">mirrors</A>.</P>
-<P>A large number of the show-stopper bugs have been fixed along with general improvements to the ICAP support and additional Languages.</P>
-<P>We welcome feedback and bug reports. If you find a bug, please see
-<A HREF="http://wiki.squid-cache.org/SquidFaq/TroubleShooting#head-7067fc0034ce967e67911becaabb8c95a34d576d">http://wiki.squid-cache.org/SquidFaq/TroubleShooting#head-7067fc0034ce967e67911becaabb8c95a34d576d</A> for how to submit a report with a stack trace.</P>
-
-<H2><A NAME="s2">2.</A> <A HREF="#toc2">Known issues</A></H2>
-
-<P>Although this release is deemed good enough for use in many setups, please note the existence of
-<A HREF="http://www.squid-cache.org/bugs/buglist.cgi?query_format=advanced&short_desc_type=allwordssubstr&short_desc=&target_milestone=3.0&long_desc_type=allwordssubstr&long_desc=&bug_file_loc_type=allwordssubstr&bug_file_loc=&status_whiteboard_type=allwordssubstr&status_whiteboard=&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&emailtype1=substring&email1=&emailtype2=substring&email2=&bugidtype=include&bug_id=&votes=&chfieldfrom=&chfieldto=Now&chfieldvalue=&cmdtype=doit&order=bugs.bug_severity&field0-0-0=noop&type0-0-0=noop&value0-0-0=">open bugs against Squid-3.0</A>.</P>
-
-<H2><A NAME="s3">3.</A> <A HREF="#toc3">Changes since earlier STABLE releases of Squid-3.0</A></H2>
-
-<P>The 3.0 change history can be
-<A HREF="http://www.squid-cache.org/Versions/v3/3.0/changesets/">viewed here</A>.</P>
-
-<H2><A NAME="s4">4.</A> <A HREF="#toc4">Changes since Squid-2.6</A></H2>
-
-<H2><A NAME="ss4.1">4.1</A> <A HREF="#toc4.1">Major new features</A>
-</H2>
-
-<P>Squid 3.0 represents a major rewrite of Squid and has a number of new features.</P>
-<P>The most important of these are:</P>
-<P>
-<UL>
-<LI>Code converted to C++, with significant internal restructuring and rewrites.</LI>
-<LI>ICAP implementation (RFC 3507 and www.icap-forum.org)</LI>
-<LI>Edge Side Includes (ESI) implementation (www.esi.org)</LI>
-</UL>
-</P>
-<P>Most user-facing changes are reflected in squid.conf (see below).</P>
-
-<H3>Internet Content Adaptation Protocol (ICAP)</H3>
-
-<P>Squid 3.0 supports ICAP/1.0. To enable ICAP support, use the --enable-icap-client ./configure option and icap_enable squid.conf option. You will also need to configure ICAP services in your squid.conf using icap_service, icap_class, and icap_access options. The following example instructs Squid to talk to two ICAP services, one for request and one for response adaptation:</P>
-<P>
-<PRE>
-icap_enable on
-icap_service service_req reqmod_precache 1 icap://127.0.0.1:1344/request
-icap_service service_resp respmod_precache 0 icap://127.0.0.1:1344/response
-icap_class class_req service_req
-icap_class class_resp service_resp
-icap_access class_req allow all
-icap_access class_resp allow all
-</PRE>
-</P>
-
-<P>Please see squid.conf.default for more details about these and many other icap_* options.</P>
-
-<P>Squid supports pre-cache request and pre-cache response vectoring points. The following ICAP features are supported: message preview, 204 responses outside of preview, request satisfaction, X-Transfer-* negotiation, persistent ICAP connections, client IP/credentials sharing, and optional bypass of certain service failures.</P>
-
-<P>No more than one ICAP service can be applied to an HTTP message. In other words, chaining or load balancing multiple services is not yet supported.</P>
-
-<P>Proxy-directed data trickling and patience pages are not supported yet.</P>
-
-<P>Following ICAP requirements, Squid never performs HTTP message adaptation without a successful and fresh ICAP OPTIONS response on file. A REQMOD or RESPMOD request will not be sent to a configured ICAP service until Squid receives a valid OPTIONS response from that service. If a service malfunctions or goes down, Squid may stop talking to the service for a while. Several squid.conf options can be used to tune the failure bypass algorithm (e.g., icap_service_failure_limit and icap_service_revival_delay). </P>
-
-<P>The bypass parameter of the icap_service squid.conf option determines whether Squid will try to bypass service failures. Most connectivity and preview-stage failures can be bypassed.</P>
-
-<P>More information about ICAP can be found from the ICAP-forum website
-<A HREF="http://www.icap-forum.org">http://www.icap-forum.org</A></P>
-
-<H3>Edge Side Includes (ESI)</H3>
-
-<P>ESI is an open specification of an markup language enabling reverse proxies
-to perform some simple XML based processing, offloading the final page assembly from the webserver and similar tasks.</P>
-
-<P>More information about ESI can be found from the ESI website
-<A HREF="http://www.esi.org">http://www.esi.org</A></P>
-
-<H2><A NAME="ss4.2">4.2</A> <A HREF="#toc4.2">2.6 features not found in Squid-3.0</A>
-</H2>
-
-<P>Some of the features found in Squid-2.6 is not available in Squid-3.
-Some have been dropped as they are not needed. Some have not yet been forward-ported to Squid-3 and may appear in a later release.</P>
-<P>
-<UL>
-<LI>refresh_stale_hit option. Not yet ported.</LI>
-<LI>ability to follow X-Forwarded-For. Not yet ported.</LI>
-<LI>Full caching of Vary/ETag using If-None-Match. Only basic Vary cache supported. Not yet ported.</LI>
-<LI>Mapping of server error messages. Not yet ported.</LI>
-<LI>http_access2 access directive. Not yet ported.</LI>
-<LI>Location header rewrites. Not yet ported.</LI>
-<LI>wais_relay. Feature dropped as it's equivalent to cache_peer + cache_peer_access.</LI>
-<LI>urlgroup. Not yet ported.</LI>
-<LI>collapsed forwarding. Not yet ported.</LI>
-<LI>stable Windows support. Irregularly maintained.</LI>
-</UL>
-</P>
-
-<H2><A NAME="ss4.3">4.3</A> <A HREF="#toc4.3">Logging changes</A>
-</H2>
-
-<H3>access.log</H3>
-
-<P>The TCP_REFRESH_HIT and TCP_REFRESH_MISS log types have been replaced because they were misleading (all refreshes need to query the origin server, so they could never be hits). The following log types have been introduced to replace them:</P>
-<P>
-<DL>
-<DT><B>TCP_REFRESH_UNMODIFIED</B><DD>
-<P>The requested object was cached but STALE. The IMS query for the object resulted in "304 not modified".</P>
-<DT><B>TCP_REFRESH_MODIFIED</B><DD>
-<P>The requested object was cached but STALE. The IMS query returned the new content.</P>
-</DL>
-</P>
-<P>See
-<A HREF="http://www.squid-cache.org/Doc/FAQ/FAQ-6.html#ss6.7">http://www.squid-cache.org/Doc/FAQ/FAQ-6.html#ss6.7</A> for a definition of all log types.</P>
-
-
-<H2><A NAME="s5">5.</A> <A HREF="#toc5">Windows support</A></H2>
-
-<P>This Squid version can run on Windows as a system service using the Cygwin emulation environment,
-or can be compiled in Windows native mode using the MinGW + MSYS development environment. Windows NT 4 SP4 and later are supported.<BR>
-On Windows 2000 and later the service is configured to use the Windows Service Recovery option
-restarting automatically after 60 seconds.
-<DL>
-
-<DT><B>Usage</B><DD>
-<P>Some new command line options were added for the Windows service support:<BR></P>
-<P>The service installation is made with -i command line switch, it's possible to use -f switch at
-the same time for specify a different config-file settings for the Squid Service that will be
-stored on the Windows Registry.</P>
-<P>A new -n switch specify the Windows Service Name, so multiple Squid instance are allowed.
-<EM>"Squid"</EM> is the default when the switch is not used.</P>
-<P>So, to install the service, the syntax is: </P>
-<P>
-<PRE>
-squid -i [-f file] [-n name]
-</PRE>
-</P>
-<P>Service uninstallation is made with -r command line switch with the appropriate -n switch.</P>
-<P>The -k switch family must be used with the appropriate -f and -n switches, so the syntax is: </P>
-<P>
-<PRE>
-squid -k command [-f file] -n service-name
-</PRE>
-
-where <EM>service-name</EM> is the name specified with -n options at service install time.</P>
-<P>To use the Squid original command line, the new -O switch must be used ONCE, the syntax is: </P>
-<P>
-<PRE>
-squid -O cmdline [-n service-name]
-</PRE>
-
-If multiple service command line options must be specified, use quote. The -n switch is
-needed only when a non default service name is in use.</P>
-<P>Don't use the "Start parameters" in the Windows 2000/XP/2003 Service applet: they are
-specific to Windows services functionality and Squid is not designed for understand they.</P>
-<P>In the following example the command line of the "squidsvc" Squid service is set to "-D -u 3130": </P>
-<P>
-<PRE>
-squid -O "-D -u 3130" -n squidsvc
-</PRE>
-</P>
-</DL>
-</P>
-<P>
-<DL>
-<DT><B>PSAPI.DLL (Process Status Helper) Considerations</B><DD>
-<P>The process status helper functions make it easier for you to obtain information about
-processes and device drivers running on Microsoft® Windows NT®/Windows® 2000. These
-functions are available in PSAPI.DLL, which is distributed in the Microsoft® Platform
-Software Development Kit (SDK). The same information is generally available through the
-performance data in the registry, but it is more difficult to get to it. PSAPI.DLL is
-freely redistributable.</P>
-<P>PSAPI.DLL is available only on Windows NT, 2000, XP and 2003. The implementation in Squid is
-aware of this, and try to use it only on the right platform.</P>
-<P>On Windows NT PSAPI.DLL can be found as component of many applications, if you need it,
-you can find it on Windows NT Resource KIT. If you have problem, it can be
-downloaded from here:
-<A HREF="http://download.microsoft.com/download/platformsdk/Redist/4.0.1371.1/NT4/EN-US/psinst.EXE">http://download.microsoft.com/download/platformsdk/Redist/4.0.1371.1/NT4/EN-US/psinst.EXE</A></P>
-<P>On Windows 2000 and later it is available installing the Windows Support Tools, located on the
-Support\Tools folder of the installation Windows CD-ROM.</P>
-</DL>
-</P>
-<P>
-<DL>
-<DT><B>Registry DNS lookup</B><DD>
-<P>On Windows platforms, if no value is specified in the <EM>dns_nameservers</EM> option on
-squid.conf or in the /etc/resolv.conf file, the list of DNS name servers are
-taken from the Windows registry, both static and dynamic DHCP configurations
-are supported.</P>
-</DL>
-</P>
-<P>
-<DL>
-<DT><B>Compatibility Notes</B><DD>
-<P>
-<UL>
-<LI>It's recommended to use '/' char in Squid paths instead of '\'</LI>
-<LI>Paths with spaces (like 'C:\Programs Files\Squid) are NOT supported by Squid</LI>
-<LI>When using ACL like 'acl aclname acltype "file"' the file must be in DOS text
-format (CR+LF) and the full Windows path must be specified, for example:
-
-<PRE>
-acl blocklist url_regex -i "c:/squid/etc/blocked1.txt"
-</PRE>
-
-</LI>
-<LI>The Windows equivalent of '/dev/null' is 'NUL'</LI>
-<LI>Squid doesn't know how to run external helpers based on scripts, like .bat, .cmd,
-.vbs, .pl, etc. So in squid.conf the interpreter path must be always specified, for example:
-
-<PRE>
-redirect_program c:/perl/bin/perl.exe c:/squid/libexec/redir.pl
-redirect_program c:/winnt/system32/cmd.exe /C c:/squid/libexec/redir.cmd
-</PRE>
-</LI>
-<LI>When Squid runs in command line mode, the launching user account must have administrative privilege on the system</LI>
-<LI>"Start parameters" in the Windows 2000/XP/2003 Service applet cannot be used</LI>
-<LI>Building with MinGW, when the configure option --enable-truncate is used, Squid cannot run on Windows NT, only Windows 2000 and later are supported</LI>
-</UL>
-</P>
-</DL>
-</P>
-<P>
-<DL>
-<DT><B>Known Limitations</B><DD>
-<P>
-<UL>
-<LI>Squid features not operational:<BR>
-<UL>
-<LI>DISKD: still needs to be ported<BR></LI>
-<LI>WCCP: cannot work because user space GRE support on Windows is missing<BR></LI>
-<LI>Transparent Proxy: missing Windows non commercial interception driver<BR></LI>
-</UL>
-</LI>
-<LI>Some code sections can make blocking calls.</LI>
-<LI>Some external helpers may not work.</LI>
-<LI>File Descriptors number hard-limited to 2048 when building with MinGW.</LI>
-</UL>
-</P>
-</DL>
-</P>
-<P>
-<DL>
-<DT><B>Building Squid on Windows</B><DD>
-<P>A reasonably recent release of
-<A HREF="http://www.cygwin.com/">Cygwin</A> or
-<A HREF="http://www.mingw.org/">MinGW</A> is needed.<BR>
-The usage of the Cygwin environment is very similar to other Unix/Linux environments, and -devel version of libraries must be installed.<BR>
-For the MinGW environment, the packages MSYS, MinGW and msysDTK must be installed. Some additional libraries and tools must be downloaded separately:<BR><BR>
-OpenSSL:
-<A HREF="http://www.slproweb.com/products/Win32OpenSSL.html">Shining Light Productions Win32 OpenSSL</A><BR>
-libcrypt:
-<A HREF="http://sourceforge.net/projects/mingwrep/">MinGW packages repository</A><BR>
-db-1.85:
-<A HREF="http://tinycobol.org/download.html">TinyCOBOL download area</A><BR>
-uudecode:
-<A HREF="http://unxutils.sourceforge.net/">Native Win32 ports of some GNU utilities</A><BR><BR>
-When running configure, --disable-wccp and --disable-wccpv2 options should always specified to avoid compile errors.<BR>
-<UL>
-<LI>New configure options:<BR>
-<UL>
-<LI>--enable-win32-service<BR></LI>
-</UL>
-</LI>
-<LI>Updated configure options:<BR>
-<UL>
-<LI>--enable-arp-acl<BR></LI>
-<LI>--enable-default-hostsfile<BR></LI>
-</UL>
-</LI>
-<LI>Unsupported configure options:<BR>
-<UL>
-<LI>--enable-coss-aio-ops: On Windows Posix AIO is not available<BR></LI>
-<LI>--with-large-files: No suitable build environment is available on both Cygwin and MinGW, but --enable-large-cache-files works fine<BR></LI>
-</UL>
-</LI>
-<LI>Recommended configure minimal options for Windows:<BR>
-<UL>
-<LI>--prefix=c:/squid --disable-wccp --disable-wccpv2 --enable-win32-service --enable-default-hostsfile=none</LI>
-</UL>
-</LI>
-</UL>
-<BR>
-Before build Squid with SSL support, some operations are needed (in the following example OpenSSL is installed in C:\OpenSSL and MinGW in C:\MinGW):
-<UL>
-<LI>Copy C:\OpenSSL\lib\MinGW content to C:\MinGW\lib<BR></LI>
-<LI>Copy C:\OpenSSL\include\openssl content to C:\MinGW\include\openssl<BR></LI>
-<LI>Rename C:\MinGW\lib\ssleay32.a to C:\MinGW\lib\libssleay32.a<BR></LI>
-</UL>
-</P>
-
-</DL>
-</P>
-<P>
-<DL>
-<DT><B>Using cache manager on Windows:</B><DD>
-<P>On Windows, cache manager (cachemgr.cgi) can be used with Microsoft IIS or Apache.<BR>
-Some specific configuration could be needed:<BR>
-<UL>
-<LI>IIS 6 (Windows 2003):<BR>
-<UL>
-<LI>On IIS 6.0 all CGI extensions are denied by default for security reason, so the following configuration is needed:<BR>
-<UL>
-<LI>Create a cgi-bin Directory</LI>
-<LI>Define the cgi-bin IIS Virtual Directory with read and CGI execute IIS
-permissions, ASP scripts are not needed. This automatically defines a
-cgi-bin IIS web application </LI>
-<LI>Copy cachemgr.cgi into cgi-bin directory and look to file permissions:
-the IIS system account and SYSTEM must be able to read and execute the file</LI>
-<LI>In IIS manager go to Web Service extensions and add a new Web Service
-Extension called <EM>"Squid Cachemgr"</EM>, add the cachemgr.cgi file and set the
-extension status to <EM>Allowed</EM></LI>
-</UL>
-</LI>
-</UL>
-</LI>
-<LI>Apache:<BR>
-<UL>
-<LI>On Windows, cachemgr.cgi needs to create a temporary file, so Apache must be instructed
-to pass the TMP and TEMP Windows environment variables to CGI applications:<BR>
-<PRE>
-ScriptAlias /squid/cgi-bin/ "c:/squid/libexec/"
-<Location /squid/cgi-bin/cachemgr.cgi>
- PassEnv TMP TEMP
- Order allow,deny
- Allow from workstation.example.com
-</Location>
-</PRE>
-</LI>
-</UL>
-</LI>
-</UL>
-</P>
-</DL>
-</P>
-
-
-
-<H2><A NAME="s6">6.</A> <A HREF="#toc6">Changes to squid.conf since Squid-2.6</A></H2>
-
-<P>There have been many changes to Squid's configuration file since Squid-2.6.</P>
-
-<P>This section gives a detailed account of those changes in three categories:</P>
-<P>
-<UL>
-<LI>
-<A HREF="#newtags">New tags</A></LI>
-<LI>
-<A HREF="#modifiedtags">Changes to existing tags</A></LI>
-<LI>
-<A HREF="#removedtags">Removed tags</A></LI>
-</UL>
-</P>
-
-
-<H2><A NAME="newtags"></A> <A NAME="ss6.1">6.1</A> <A HREF="#toc6.1">New tags</A>
-</H2>
-
-<P>
-<DL>
-<DT><B>minimum_icp_query_timeout (msec)</B><DD>
-<P>
-<PRE>
-Default: 5
-
-Normally the ICP query timeout is determined dynamically. But
-sometimes it can lead to very small timeouts, even lower than
-the normal latency variance on your link due to traffic.
-Use this option to put an lower limit on the dynamic timeout
-value. Do NOT use this option to always use a fixed (instead
-of a dynamic) timeout value. To set a fixed timeout see the
-'icp_query_timeout' directive.
-
-</PRE>
-</P>
-
-<DT><B>background_ping_rate</B><DD>
-<P>
-<PRE>
-Default: 10 seconds
-
-Controls how often the ICP pings are sent to siblings that
-have background-ping set.
-
-</PRE>
-</P>
-
-<DT><B>httpd_accel_surrogate_id</B><DD>
-<P>
-<PRE>
-Default: unset
-
-Surrogates (http://www.esi.org/architecture_spec_1.0.html)
-need an identification token to allow control targeting. Because
-a farm of surrogates may all perform the same tasks, they may share
-an identification token.
-
-</PRE>
-</P>
-
-<DT><B>http_accel_surrogate_remote on|off</B><DD>
-<P>
-<PRE>
-Default: off
-
-Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote.
-Set this to on to have squid behave as a remote surrogate.
-
-</PRE>
-</P>
-
-<DT><B>esi_parser libxml2|expat|custom</B><DD>
-<P>
-<PRE>
-Default: custom
-
-ESI markup is not strictly XML compatible. The custom ESI parser
-will give higher performance, but cannot handle non ASCII character
-encodings.
-
-</PRE>
-</P>
-
-<DT><B>email_err_data on|off</B><DD>
-<P>
-<PRE>
-Default: on
-
-If enabled, information about the occurred error will be
-included in the mailto links of the ERR pages (if %W is set)
-so that the email body contains the data.
-Syntax is <A HREF="mailto:%w%W">%w</A>
-
-</PRE>
-</P>
-
-<DT><B>refresh_all_ims on|off</B><DD>
-<P>
-<PRE>
-Default: off
-
-When you enable this option, squid will always check
-the origin server for an update when a client sends an
-If-Modified-Since request. Many browsers use IMS
-requests when the user requests a reload, and this
-ensures those clients receive the latest version.
-
-By default (off), squid may return a Not Modified response
-based on the age of the cached version.
-
-</PRE>
-</P>
-<DT><B>request_header_access</B><DD>
-<P>Replaces the header_access directive of Squid-2.6 and earlier, but applies to requests only.</P>
-<DT><B>reply_header_access</B><DD>
-<P>Replaces the header_access directive of Squid-2.6 and earlier, but applies to replies only.</P>
-
-<DT><B>icap_enable on|off</B><DD>
-<P>
-<PRE>
-Default: off
-
-If you want to enable the ICAP module support, set this to on.
-
-</PRE>
-</P>
-<DT><B>icap_preview_enable on|off</B><DD>
-<P>
-<PRE>
-Default: off
-
-Set this to 'on' if you want to enable the ICAP preview
-feature in Squid.
-
-</PRE>
-</P>
-<DT><B>icap_preview_size</B><DD>
-<P>
-<PRE>
-Default: -1
-
-The default size of preview data to be sent to the ICAP server.
--1 means no preview. This value might be overwritten on a per server
-basis by OPTIONS requests.
-
-</PRE>
-</P>
-<DT><B>icap_default_options_ttl (seconds)</B><DD>
-<P>
-<PRE>
-Default: 60
-
-The default TTL value for ICAP OPTIONS responses that don't have
-an Options-TTL header.
-
-</PRE>
-</P>
-<DT><B>icap_persistent_connections on|off</B><DD>
-<P>
-<PRE>
-Default: on
-
-Whether or not Squid should use persistent connections to
-an ICAP server.
-
-</PRE>
-</P>
-<DT><B>icap_send_client_ip on|off</B><DD>
-<P>
-<PRE>
-Default: off
-
-This adds the header "X-Client-IP" to ICAP requests.
-
-</PRE>
-</P>
-<DT><B>icap_send_client_username on|off</B><DD>
-<P>
-<PRE>
-Default: off
-
-This adds the header "X-Client-Username" to ICAP requests
-if proxy access is authentified.
-
-</PRE>
-</P>
-<DT><B>icap_service</B><DD>
-<P>
-<PRE>
-Default: none
-
-Defines a single ICAP service
-
-icap_service servicename vectoring_point bypass service_url
-
-vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
-This specifies at which point of request processing the ICAP
-service should be plugged in.
-bypass = 1|0
-If set to 1 and the ICAP server cannot be reached, the request will go
-through without being processed by an ICAP server
-service_url = icap://servername:port/service
-
-Note: reqmod_postcache and respmod_postcache is not yet implemented
-
-Example:
-icap_service service_1 reqmod_precache 0 icap://icap1.mydomain.net:1344/reqmod
-icap_service service_2 respmod_precache 0 icap://icap2.mydomain.net:1344/respmod
-
-</PRE>
-</P>
-<DT><B>icap_class</B><DD>
-<P>
-<PRE>
-Default: none
-
-Defines an ICAP service chain. If there are multiple services per
-vectoring point, they are processed in the specified order.
-
-icap_class classname servicename...
-
-Example:
-icap_class class_1 service_1 service_2
-icap class class_2 service_1 service_3
-
-</PRE>
-</P>
-<DT><B>icap_access</B><DD>
-<P>
-<PRE>
-Default: none
-
-Redirects a request through an ICAP service class, depending
-on given acls
-
-icap_access classname allow|deny [!]aclname...
-
-The icap_access statements are processed in the order they appear in
-this configuration file. If an access list matches, the processing stops.
-For an "allow" rule, the specified class is used for the request. A "deny"
-rule simply stops processing without using the class. You can also use the
-special classname "None".
-
-For backward compatibility, it is also possible to use services
-directly here.
-
-Example:
-icap_access class_1 allow all
-
-</PRE>
-</P>
-
-<DT><B>accept_filter</B><DD>
-<P>
-<PRE>
-The name of an accept(2) filter to install on Squid's
-listen socket(s). This feature is perhaps specific to
-FreeBSD and requires support in the kernel.
-
-The 'httpready' filter delays delivering new connections
-to Squid until a full HTTP request has been received.
-See the accf_http(9) man page.
-
-</PRE>
-</P>
-
-<DT><B>include</B><DD>
-<P>New option to import entire secondary configuration files into squid.conf.
-<PRE>
- Squid will follow the files immediately and insert all their content
- as if it was at that position in squid.conf. As per squid.conf some
- options are order-specific within the config as a whole.
-
- A few layers of include are allowed, but too many are confusing and
- squid will enforce an include depth of 16 files.
-
- Syntax:
- include /path/to/file1 /path/to/file2
-
-</PRE>
-</P>
-
-<DT><B>acl myportname</B><DD>
-<P>New acl type myportname, matching the name of the http(s)_port where the request was accepted
-<PRE>
- acl aclname myportname 3128 ... # http(s)_port name
-
-</PRE>
-</P>
-
-<DT><B>umask</B><DD>
-<P>Ported from 2.6. Behaviour identical.
-<PRE>
- Minimum umask which should be enforced while the proxy
- is running, in addition to the umask set at startup.
-
- For a traditional octal representation of umasks, start
- your value with 0.
-
-</PRE>
-</P>
-
-</DL>
-</P>
-
-
-<H2><A NAME="modifiedtags"></A> <A NAME="ss6.2">6.2</A> <A HREF="#toc6.2">Changes to existing tags</A>
-</H2>
-
-<P>
-<DL>
-<DT><B>http_port</B><DD>
-<P>New options:
-<PRE>
- disable-pmtu-discovery=
- Control Path-MTU discovery usage:
- off lets OS decide on what to do (default).
- transparent disable PMTU discovery when transparent support is enabled.
- always disable always PMTU discovery.
-
- In many setups of transparently intercepting proxies Path-MTU
- discovery can not work on traffic towards the clients. This is
- the case when the intercepting device does not fully track
- connections and fails to forward ICMP must fragment messages
- to the cache server. If you have such setup and experience that
- certain clients sporadically hang or never complete requests set
- disable-pmtu-discovery option to 'transparent'.
-
-</PRE>
-</P>
-
-<DT><B>cache_peer</B><DD>
-<P>New options:
-<PRE>
- basetime=n
-
- background-ping
-
- weighted-round-robin
-
- use 'basetime=n' to specify a base amount to
- be subtracted from round trip times of parents.
- It is subtracted before division by weight in calculating
- which parent to fectch from. If the rtt is less than the
- base time the rtt is set to a minimal value.
-
- use 'background-ping' to only send ICP queries to this
- neighbor infrequently. This is used to keep the neighbor
- round trip time updated and is usually used in
- conjunction with weighted-round-robin.
-
- use 'weighted-round-robin' to define a set of parents
- which should be used in a round-robin fashion with the
- frequency of each parent being based on the round trip
- time. Closer parents are used more often.
- Usually used for background-ping parents.
-
-</PRE>
-</P>
-
-<DT><B>cache_dir</B><DD>
-<P>Common options <EM>no-store</EM>, replaces the older <EM>read-only</EM> option</P>
-
-<DT><B>auth_param</B><DD>
-<P>Removed Basic auth option
-<PRE>
- blankpasswor, not yet ported to squid-3.
- auth_param basic concurrency 0
-
-</PRE>
-</P>
-
-<DT><B>external_acl_type</B><DD>
-<P>New format specifications:
-<PRE>
- %URI Requested URI
-
- %PATH Requested URL path
-
-</PRE>
-</P>
-<P>New result keywords:
-<PRE>
- tag= Apply a tag to a request (for both ERR and OK results)
- Only sets a tag, does not alter existing tags.
-
-</PRE>
-</P>
-
-<DT><B>refresh_pattern</B><DD>
-<P>New options:
-<PRE>
- ignore-no-store
- refresh-ims
-
- ignore-no-store ignores any ``Cache-control: no-store''
- headers received from a server. Doing this VIOLATES
- the HTTP standard. Enabling this feature could make you
- liable for problems which it causes.
-
- refresh-ims causes squid to contact the origin server
- when a client issues an If-Modified-Since request. This
- ensures that the client will receive an updated version
- if one is available.
-
-</PRE>
-</P>
-
-<DT><B>acl</B><DD>
-<P>The 'all' ACL is now provided as a built-in. Warnings will be displayed if any attempt is made to redefine it.</P>
-<P>New types:
-<PRE>
- acl aclname http_status 200 301 500- 400-403 ... # status code in reply
-
-</PRE>
-</P>
-
-<DT><B>short_icon_urls</B><DD>
-<P>New default:
-<PRE>
- Default: on
- (Old default: off)
-
-</PRE>
-</P>
-<DT><B>delay_class</B><DD>
-<P>New delay classes:
-<PRE>
- class 4 Everything in a class 3 delay pool, with an
- additional limit on a per user basis. This
- only takes effect if the username is established
- in advance - by forcing authentication in your
- http_access rules.
-
- class 5 Requests are grouped according their tag (see
- external_acl's tag= reply).
-
-</PRE>
-</P>
-
-<DT><B>htcp_port</B><DD>
-<P>New default to require the feature to be enabled in squid.conf:
-<PRE>
- Default: 0 (disabled)
- (Old default: 4827)
-
-</PRE>
-</P>
-
-<DT><B>icp_port</B><DD>
-<P>New default to require the feature to be enabled in squid.conf:
-<PRE>
- Default: 0 (disabled)
- (Old default: 3130)
-
-</PRE>
-</P>
-
-<DT><B>snmp_port</B><DD>
-<P>New default to require the feature to be enabled in squid.conf:
-<PRE>
- Default: 0 (disabled)
- (Old default: 3401)
-
-</PRE>
-</P>
-
-<DT><B>logformat</B><DD>
-<P>New format tags:
-<PRE>
- rp Request URL-Path excluding hostname
-
- et Tag returned by external acl
-
- <sH Reply high offset sent
-
- <sS Upstream object size
-
-</PRE>
-</P>
-
-<DT><B>reply_body_max_size</B><DD>
-<P>Syntax changed:
-<PRE>
- reply_body_max_size size [acl acl...]
-
-</PRE>
-</P>
-<P>allow/deny no longer used.</P>
-
-<DT><B>url_rewrite_program</B><DD>
-<P>No urlgroup support in either requests or response</P>
-
-<DT><B>auth_param</B><DD>
-<P>fake_auth helper for NTLM now accepts the '-S' parameter to strip NTLM domain off the username string.
-This is useful for class 4 Delay Pools in Squid 3.x</P>
-
-</DL>
-</P>
-
-<H2><A NAME="removedtags"></A> <A NAME="ss6.3">6.3</A> <A HREF="#toc6.3">Removed tags</A>
-</H2>
-
-<P>
-<DL>
-<DT><B>header_access</B><DD>
-<P>This has been replaced by request_header_access and reply_header_access</P>
-
-<DT><B>httpd_accel_no_pmtu_disc</B><DD>
-<P>Replaced by disable-pmtu-discovery http_port option</P>
-
-<DT><B>wais_relay_*</B><DD>
-<P>equivalent to cache_peer + cache_peer_access.</P>
-
-</DL>
-</P>
-
-
-<H2><A NAME="s7">7.</A> <A HREF="#toc7">Changes to ./configure Options since Squid-2.6</A></H2>
-
-<P>There have been some changes to Squid's build configuration since Squid-2.6.</P>
-
-<P>This section gives an account of those changes in three categories:</P>
-<P>
-<UL>
-<LI>
-<A HREF="#newoptions">New options</A></LI>
-<LI>
-<A HREF="#modifiedoptions">Changes to existing options</A></LI>
-<LI>
-<A HREF="#removedoptions">Removed options</A></LI>
-</UL>
-</P>
-
-
-
-<H2><A NAME="newoptions"></A> <A NAME="ss7.1">7.1</A> <A HREF="#toc7.1">New options</A>
-</H2>
-
-<P>
-<DL>
-<DT><B>--enable-shared[=PKGS]</B><DD>
-<P>Build shared libraries. The default is to build without.</P>
-
-<DT><B>--enable-static[=PKGS]</B><DD>
-<P>Build static libraries. The default is on.</P>
-
-<DT><B>--enable-fast-install[=PKGS]</B><DD>
-<P>
-<PRE>
-Optimize for fast installation
- default: yes
-</PRE>
-</P>
-
-<DT><B>--disable-libtool-lock</B><DD>
-<P>Avoid locking (might break parallel builds)</P>
-
-<DT><B>--disable-optimizations</B><DD>
-<P>Don't compile Squid with compiler optimizations enabled.
-Optimization is good for production builds, but not
-good for debugging. During development, use
---disable-optimizations to reduce compilation times
-and allow easier debugging. This option implicitly
-also enables --disable-inline</P>
-
-<DT><B>--disable-inline</B><DD>
-<P>Don't compile trivial methods as inline. Squid
-is coded with much of the code able to be inlined.
-Inlining is good for production builds, but not
-good for development. During development, use
---disable-inline to reduce compilation times and
-allow incremental builds to be quick. For
-production builds, or load tests, use
---enable-inline to have squid make all trivial
-methods inlinable by the compiler.</P>
-
-<DT><B>--enable-debug-cbdata</B><DD>
-<P>Provide some debug information in cbdata</P>
-
-<DT><B>--enable-disk-io=\"list of modules\"</B><DD>
-<P>Build support for the list of disk I/O modules.
-The default is only to build the "Blocking" module.
-See src/DiskIO for a list of available modules, or
-Programmers Guide for details on how to build your
-custom disk module.</P>
-
-<DT><B>--enable-esi</B><DD>
-<P>Enable ESI for accelerators. Requires libexpat.
-Enabling ESI will cause squid to follow the Edge
-Acceleration Specification (www.esi.org). This
-causes squid to IGNORE client Cache-Control headers.</P>
-<P><EM>DO NOT</EM> use this in a squid configured as a web
-proxy, ONLY use it in a squid configured for
-webserver acceleration.</P>
-
-<DT><B>--enable-icap-client</B><DD>
-<P>Enable the ICAP client.</P>
-
-<DT><B>--disable-snmp</B><DD>
-<P>Disable SNMP monitoring support which is now built by default.</P>
-
-<DT><B>--disable-htcp</B><DD>
-<P>Disable HTCP protocol support which is now built by default.</P>
-
-<DT><B>--enable-kqueue</B><DD>
-<P>Enable kqueue() support. Marked as experimental in 3.0.</P>
-
-<DT><B>--enable-ipfw-transparent</B><DD>
-<P>Enable Transparent Proxy support for systems
-using FreeBSD IPFW style redirection.</P>
-
-<DT><B>--disable-mempools</B><DD>
-<P>Disable memPools. Note that this option now simply sets the
-default behaviour. Specific classes can override this at runtime, and
-only lib/MemPool.c needs to be altered to change the squid-wide
-default for all classes.</P>
-
-<DT><B>--enable-cpu-profiling</B><DD>
-<P>This option allows you to see which internal functions
-in Squid are consuming how much CPU. Compiles in probes
-that measure time spent in probed functions. Needs
-source modifications to add new probes. This is meant
-for developers to assist in performance optimisations
-of Squid internal functions.</P>
-<P>If you are not developer and not interested in the stats
-you shouldn't enable this, as overhead added, although
-small, is still overhead. See lib/Profiler.c for more.</P>
-
-<DT><B>--with-gnu-ld</B><DD>
-<P>Assume the C compiler uses GNU ld. The default is to auto-detect.</P>
-
-<DT><B>--with-pic</B><DD>
-<P>Try to use only PIC/non-PIC objects. The default is to use both.</P>
-
-<DT><B>--with-tags[=TAGS]</B><DD>
-<P>Include additional configurations. The default is automatic.</P>
-
-<DT><B>--with-default-user=USER</B><DD>
-<P>Sets the default System User account for squid permissions.
-The default is 'nobody' as in other releases of squid.</P>
-
-<DT><B>--with-cppunit-basedir=[PATH]</B><DD>
-<P>Path where the cppunit headers and libraries are found
-for unit testing. The default is automatic detection.</P>
-<P>NOTE: Since 3.0-PRE6 and 2.6STABLE14 squid no longer comes
-bundled with CPPUnit. Compile-time validation will be disabled
-if it is not installed on your system.</P>
-
-</DL>
-</P>
-<H2><A NAME="modifiedoptions"></A> <A NAME="ss7.2">7.2</A> <A HREF="#toc7.2">Changes to existing options</A>
-</H2>
-
-<P>
-<DL>
-<DT><B>--enable-carp</B><DD>
-<P>CARP support is now built by default.
---disable-carp can be used to build without it.</P>
-
-<DT><B>--enable-htcp</B><DD>
-<P>HTCP protocol support is now built by default.
-Use --disable-htcp to build without it.</P>
-
-<DT><B>--enable-snmp</B><DD>
-<P>SNMP monitoring is now build by default.
-Use --disable-snmp to build without it.</P>
-
-<DT><B>--enable-heap-replacement</B><DD>
-<P>Please use --enable-removal-policies directive instead.</P>
-
-<DT><B>--with-maxfd=N</B><DD>
-<P>Replaced by --with-filedescriptors=N</P>
-<P>Override maximum number of filedescriptors. Useful
-if you build as another user who is not privileged
-to use the number of filedescriptors you want the
-resulting binary to support</P>
-
-<DT><B>--enable-select</B><DD>
-<P>Deprecated.
-Automatic checks will enable best I/O loop method available.</P>
-
-<DT><B>--enable-epoll</B><DD>
-<P>Deprecated.
-Automatic checks will enable best I/O loop method available.</P>
-
-<DT><B>--enable-poll</B><DD>
-<P>Deprecated.
-Automatic checks will enable best I/O loop method available.</P>
-
-<DT><B>--enable-kqueue</B><DD>
-<P>kqueue support is marked Experimental in Squid 3.0. Known to have some issues under load.</P>
-
-</DL>
-</P>
-<H2><A NAME="removedoptions"></A> <A NAME="ss7.3">7.3</A> <A HREF="#toc7.3">Removed options</A>
-</H2>
-
-<P>The following configure options have been removed.</P>
-<P>
-<DL>
-<DT><B>--enable-dlmalloc</B><DD>
-<P>Most OS:es have good malloc implementations these days, and the version we used to ship with Squid was very very old..</P>
-<DT><B>--enable-mempool-debug</B><DD>
-<P>Debug option, not needed and therefore removed.</P>
-<DT><B>--enable-forward-log</B><DD>
-<P>Rarely used extra log file. Removed.</P>
-<DT><B>--enable-multicast-miss</B><DD>
-<P>Rarely used feature, and multicast ICP acheives almost the same result. Removed.</P>
-<DT><B>--enable-coss-aio-ops</B><DD>
-<P>Specific to the COSS implementation in Squid-2</P>
-<DT><B>--enable-large-cache-files</B><DD>
-<P>Now enabled by default. Configure option was redundant and therefore removed.</P>
-<DT><B>--enable-truncate</B><DD>
-<P>Known to cause race conditions where cache objects may get corrupted, and this for at most a marginal performance improvement. Removed.</P>
-
-</DL>
-</P>
-
-
-<H2><A NAME="s8">8.</A> <A HREF="#toc8">Regressions since Squid-2.7</A></H2>
-
-<P>Some squid.conf and ./configure options which were available in Squid-2.7 are not yet available in Squid-3.0</P>
-
-<P>If you need something to do then porting one of these from Squid-2 to Squid-3 is most welcome.</P>
-
-<H2><A NAME="ss8.1">8.1</A> <A HREF="#toc8.1">Missing squid.conf options available in Squid-2.7</A>
-</H2>
-
-<P>
-<DL>
-<DT><B>acl</B><DD>
-<P><EM>urllogin</EM> option not yet ported from 2.6</P>
-<P><EM>urlgroup</EM> option not yet ported from 2.6</P>
-
-<DT><B>acl_uses_indirect_client</B><DD>
-<P>Not yet ported from 2.6</P>
-
-<DT><B>auth_param digest</B><DD>
-<P><EM>concurrency</EM> option not yet ported from Squid-2</P>
-
-<DT><B>authenticate_ip_shortcircuit_access</B><DD>
-<P>Not yet ported from 2.7</P>
-
-<DT><B>authenticate_ip_shortcircuit_ttl</B><DD>
-<P>Not yet ported from 2.7</P>
-
-<DT><B>broken_vary_encoding</B><DD>
-<P>Not yet ported from 2.6</P>
-
-<DT><B>cache_dir</B><DD>
-<P><EM>min-size</EM> option not yet ported from Squid-2</P>
-<P><EM>COSS</EM> storage type is lacking stability fixes from 2.6</P>
-<P>COSS <EM>overwrite-percent=</EM> option not yet ported from 2.6</P>
-<P>COSS <EM>max-stripe-waste=</EM> option not yet ported from 2.6</P>
-<P>COSS <EM>membufs=</EM> option not yet ported from 2.6</P>
-<P>COSS <EM>maxfullbufs=</EM> option not yet ported from 2.6</P>
-
-<DT><B>cache_peer</B><DD>
-<P><EM>multicast-siblings</EM> not yet ported from 2.7</P>
-<P><EM>idle=</EM> not yet ported from 2.7</P>
-<P><EM>http11</EM> not yet ported from 2.7</P>
-<P><EM>connection-auth=</EM> not yet ported from 2.6</P>
-<P><EM>monitorinterval=</EM> not yet ported from 2.6</P>
-<P><EM>monitorsize=</EM> not yet ported from 2.6</P>
-<P><EM>monitortimeout=</EM> not yet ported from 2.6</P>
-<P><EM>monitorurl=</EM> not yet ported from 2.6</P>
-
-<DT><B>cache_vary</B><DD>
-<P>Not yet ported from 2.6</P>
-
-<DT><B>collapsed_forwarding</B><DD>
-<P>Not yet ported from 2.6</P>
-
-<DT><B>delay_pool_uses_indirect_client</B><DD>
-<P>Not yet ported from 2.6</P>
-
-<DT><B>error_map</B><DD>
-<P>Not yet ported from 2.6</P>
-
-<DT><B>external_acl_type</B><DD>
-<P><EM>%ACL</EM> format tag not yet ported from 2.6</P>
-<P><EM>%DATA</EM> format tag not yet ported from 2.6</P>
-
-<DT><B>external_refresh_check</B><DD>
-<P>Not yet ported from 2.7</P>
-
-<DT><B>follow_x_forwarded_for</B><DD>
-<P>Not yet ported from 2.6</P>
-
-<DT><B>http_access2</B><DD>
-<P>Not yet ported from 2.6</P>
-
-<DT><B>http_port</B><DD>
-<P><EM>act-as-origin</EM> not yet ported from 2.7</P>
-<P><EM>allow-direct</EM> not yet ported from 2.7</P>
-<P><EM>http11</EM> not yet ported from 2.7</P>
-<P><EM>urlgroup=</EM> not yet ported from 2.6</P>
-<P><EM>no-connection-auth</EM> not yet ported from 2.6</P>
-
-<DT><B>ignore_expect_100</B><DD>
-<P>Not yet ported from 2.7</P>
-
-<DT><B>ignore_ims_on_miss</B><DD>
-<P>Not yet ported from 2.7</P>
-
-<DT><B>location_rewrite_access</B><DD>
-<P>Not yet ported from 2.6</P>
-
-<DT><B>location_rewrite_children</B><DD>
-<P>Not yet ported from 2.6</P>
-
-<DT><B>location_rewrite_concurrency</B><DD>
-<P>Not yet ported from 2.6</P>
-
-<DT><B>location_rewrite_program</B><DD>
-<P>Not yet ported from 2.6</P>
-
-<DT><B>log_uses_indirect_client</B><DD>
-<P>Not yet ported from 2.6</P>
-
-<DT><B>logfile_daemon</B><DD>
-<P>Not yet ported from 2.7</P>
-
-<DT><B>logformat</B><DD>
-<P><EM>%oa</EM> tag not yet ported from 2.7</P>
-<P><EM>%sn</EM> tag not yet ported from 2.7</P>
-
-<DT><B>max_filedescriptors</B><DD>
-<P>Not yet ported from 2.7</P>
-
-<DT><B>max_stale</B><DD>
-<P>Not yet ported from 2.7</P>
-
-<DT><B>refresh_pattern</B><DD>
-<P><EM>stale-while-revalidate=</EM> not yet ported from 2.7</P>
-<P><EM>ignore-stale-while-revalidate=</EM> not yet ported from 2.7</P>
-<P><EM>max-stale=</EM> not yet ported from 2.7</P>
-<P><EM>negative-ttl=</EM> not yet ported from 2.7</P>
-
-<DT><B>refresh_stale_hit</B><DD>
-<P>Not yet ported from 2.7</P>
-
-<DT><B>server_http11</B><DD>
-<P>Not yet ported from 2.7</P>
-
-<DT><B>storeurl_access</B><DD>
-<P>Not yet ported from 2.7</P>
-
-<DT><B>storeurl_rewrite_children</B><DD>
-<P>Not yet ported from 2.7</P>
-
-<DT><B>storeurl_rewrite_concurrency</B><DD>
-<P>Not yet ported from 2.7</P>
-
-<DT><B>storeurl_rewrite_program</B><DD>
-<P>Not yet ported from 2.7</P>
-
-<DT><B>update_headers</B><DD>
-<P>Not yet ported from 2.7</P>
-
-<DT><B>upgrade_http0.9</B><DD>
-<P>Not yet ported from 2.7</P>
-
-<DT><B>zero_buffers</B><DD>
-<P>Not yet ported from 2.7</P>
-
-</DL>
-</P>
-
-<H2><A NAME="ss8.2">8.2</A> <A HREF="#toc8.2">Missing ./configure options available in Squid-2.7</A>
-</H2>
-
-<P>
-<DL>
-<DT><B>--enable-devpoll</B><DD>
-<P>Support for Solaris /dev/poll</P>
-
-<DT><B>--enable-select-simple</B><DD>
-<P>Basic POSIX select() loop without any binary fd_set optimizations.</P>
-
-<DT><B>--enable-follow-x-forwarded-for</B><DD>
-<P>Support following the X-Forwarded-For HTTP header for determining the
-client IP address</P>
-
-<DT><B>--without-system-md5</B><DD>
-
-</DL>
-</P>
-
-</BODY>
-</HTML>
+++ /dev/null
-Squid 3.0.RC1 release notesSquid Developers$Id$
-Squid is a WWW Cache application developed by the National Laboratory
-for Applied Network Research and members of the Web Caching community.Notice
-
-.Pp
-The Squid Team are pleased to announce the release of Squid-3.0.RC1 for pre-release testing.
-.Pp
-This new release is available for download from or the \&.
-.Pp
-A large number of the show-stopper bugs have been fixed along with general improvements to the ICAP support.
-While this release is not deemed ready for production use, we believe it is ready for wider testing by the community.
-.Pp
-We welcome feedback and bug reports. If you find a bug, please see for how to submit a report with a stack trace.
-.Pp
-Known issues
-
-.Pp
-Although this release is deemed good enough for testing in many setups, please note the existence of \&.
-.Pp
-Changes since earlier PRE releases of Squid-3.0
-
-.Pp
-The 3.0 change history can be \&.
-.Pp
-Changes since Squid-2.6
-
-.SH Major new features
-
-.Pp
-Squid 3.0 represents a major rewrite of Squid and has a number of new features.
-.Pp
-The most important of these are:
-.Pp
-.nr ll +1
-.nr t\n(ll 0
-.if \n(ll>1 .RS
-.nr bi 1
-.Pp
-Code converted to C++, with significant internal restructuring and rewrites.
-.nr bi 1
-.Pp
-ICAP implementation (RFC 3507 and www.icap-forum.org)
-.nr bi 1
-.Pp
-Edge Side Includes (ESI) implementation (www.esi.org)
-.if \n(ll>1 .RE
-.nr ll -1
-.Pp
-Most user-facing changes are reflected in squid.conf (see below).
-.Pp
-Internet Content Adaptation Protocol (ICAP)
-
-.Pp
-Squid 3.0 supports ICAP/1.0. To enable ICAP support, use the --enable-icap-client ./configure option and icap_enable squid.conf option. You will also need to configure ICAP services in your squid.conf using icap_service, icap_class, and icap_access options. The following example instructs Squid to talk to two ICAP services, one for request and one for response adaptation:
-.Pp
-.DS
-.sp
-.ft RR
-.nf
-icap_enable on
-icap_service service_req reqmod_precache 1 icap://127.0.0.1:1344/request
-icap_service service_resp respmod_precache 0 icap://127.0.0.1:1344/response
-icap_class class_req service_req
-icap_class class_resp service_resp
-icap_access class_req allow all
-icap_access class_resp allow all
-.DE
-.fi
-.ec
-.ft P
-.sp
-.Pp
-.Pp
-Please see squid.conf.default for more details about these and many other icap_* options.
-.Pp
-.Pp
-Squid supports pre-cache request and pre-cache response vectoring points. The following ICAP features are supported: message preview, 204 responses outside of preview, request satisfaction, X-Transfer-* negotiation, persistent ICAP connections, client IP/credentials sharing, and optional bypass of certain service failures.
-.Pp
-.Pp
-No more than one ICAP service can be applied to an HTTP message. In other words, chaining or load balancing multiple services is not yet supported.
-.Pp
-.Pp
-Proxy-directed data trickling and patience pages are not supported yet.
-.Pp
-.Pp
-Following ICAP requirements, Squid never performs HTTP message adaptation without a successful and fresh ICAP OPTIONS response on file. A REQMOD or RESPMOD request will not be sent to a configured ICAP service until Squid receives a valid OPTIONS response from that service. If a service malfunctions or goes down, Squid may stop talking to the service for a while. Several squid.conf options can be used to tune the failure bypass algorithm (e.g., icap_service_failure_limit and icap_service_revival_delay).
-.Pp
-.Pp
-The bypass parameter of the icap_service squid.conf option determines whether Squid will try to bypass service failures. Most connectivity and preview-stage failures can be bypassed.
-.Pp
-.Pp
-More information about ICAP can be found from the ICAP-forum website
-.Pp
-Edge Side Includes (ESI)
-
-.Pp
-ESI is an open specification of an markup language enabling reverse proxies
-to perform some simple XML based processing, offloading the final page assembly from the webserver and similar tasks.
-.Pp
-.Pp
-More information about ESI can be found from the ESI website
-.Pp
-.SH 2.6 features not found in Squid-3.0
-
-.Pp
-Some of the features found in Squid-2.6 is not available in Squid-3.
-Some has been dropped as they are not needed. Some has not yet been forward-ported to Squid-3 and may appear in a later release.
-.Pp
-.nr ll +1
-.nr t\n(ll 0
-.if \n(ll>1 .RS
-.nr bi 1
-.Pp
-refresh_stale_hit option. Not yet ported.
-.nr bi 1
-.Pp
-ability to follow X-Forwarded-For. Not yet ported.
-.nr bi 1
-.Pp
-Full caching of Vary/ETag using If-None-Match. Only basic Vary cache supported. Not yet ported.
-.nr bi 1
-.Pp
-Mapping of server error messages. Not yet ported.
-.nr bi 1
-.Pp
-http_access2 access directive. Not yet ported.
-.nr bi 1
-.Pp
-Location header rewrites. Not yet ported.
-.nr bi 1
-.Pp
-umask directive. Not yet ported.
-.nr bi 1
-.Pp
-wais_relay. Feature dropped as it's equivalent to cache_peer + cache_peer_access.
-.nr bi 1
-.Pp
-urlgroup. Not yet ported.
-.nr bi 1
-.Pp
-collapsed forwarding. Not yet ported.
-.nr bi 1
-.Pp
-stable Windows support. Irregularly maintained.
-.if \n(ll>1 .RE
-.nr ll -1
-.Pp
-.SH Logging changes
-
-access.log
-
-.Pp
-The TCP_REFRESH_HIT and TCP_REFRESH_MISS log types have been replaced because they were misleading (all refreshes need to query the origin server, so they could never be hits). The following log types have been introduced to replace them:
-.Pp
-.nr ll +1
-.nr t\n(ll 2
-.if \n(ll>1 .RS
-.IP "TCP_REFRESH_UNMODIFIED"
-.nr bi 1
-.Pp
-The requested object was cached but STALE. The IMS query for the object resulted in \&"304 not modified\&".
-.IP "TCP_REFRESH_MODIFIED"
-.nr bi 1
-.Pp
-The requested object was cached but STALE. The IMS query returned the new content.
-.if \n(ll>1 .RE
-.nr ll -1
-.Pp
-See for a definition of all log types.
-.Pp
-.Pp
-.Pp
-.Pp
-.SH Changes to squid.conf
-
-.Pp
-There have been many changes to Squid's configuration file since Squid-2.6.
-.Pp
-This section gives a thorough account of those changes in three categories:
-.Pp
-.nr ll +1
-.nr t\n(ll 0
-.if \n(ll>1 .RS
-.nr bi 1
-.Pp
-.nr bi 1
-.Pp
-.nr bi 1
-.Pp
-.if \n(ll>1 .RE
-.nr ll -1
-.Pp
-.Pp
-.Pp
-.Pp
-.Pp
-New tags
-
-.Pp
-.nr ll +1
-.nr t\n(ll 2
-.if \n(ll>1 .RS
-.IP "minimum_icp_query_timeout (msec)"
-.nr bi 1
-.Pp
-.DS
-.sp
-.ft RR
-.nf
-Default: 5
-
-Normally the ICP query timeout is determined dynamically. But
-sometimes it can lead to very small timeouts, even lower than
-the normal latency variance on your link due to traffic.
-Use this option to put an lower limit on the dynamic timeout
-value. Do NOT use this option to always use a fixed (instead
-of a dynamic) timeout value. To set a fixed timeout see the
-\&'icp_query_timeout' directive.
-
-.DE
-.fi
-.ec
-.ft P
-.sp
-.IP "background_ping_rate"
-.nr bi 1
-.Pp
-.DS
-.sp
-.ft RR
-.nf
-Default: 10 seconds
-
-Controls how often the ICP pings are sent to siblings that
-have background-ping set.
-
-.DE
-.fi
-.ec
-.ft P
-.sp
-.Pp
-.IP "httpd_accel_surrogate_id"
-.nr bi 1
-.Pp
-.DS
-.sp
-.ft RR
-.nf
-Default: unset
-
-Surrogates (http://www.esi.org/architecture_spec_1.0.html)
-need an identification token to allow control targeting. Because
-a farm of surrogates may all perform the same tasks, they may share
-an identification token.
-
-.DE
-.fi
-.ec
-.ft P
-.sp
-.Pp
-.IP "http_accel_surrogate_remote on\(broff"
-.nr bi 1
-.Pp
-.DS
-.sp
-.ft RR
-.nf
-Default: off
-
-Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote.
-Set this to on to have squid behave as a remote surrogate.
-
-.DE
-.fi
-.ec
-.ft P
-.sp
-.Pp
-.IP "esi_parser libxml2\(brexpat\(brcustom"
-.nr bi 1
-.Pp
-.DS
-.sp
-.ft RR
-.nf
-Default: custom
-
-ESI markup is not strictly XML compatible. The custom ESI parser
-will give higher performance, but cannot handle non ASCII character
-encodings.
-
-.DE
-.fi
-.ec
-.ft P
-.sp
-.Pp
-.IP "email_err_data on\(broff"
-.nr bi 1
-.Pp
-.DS
-.sp
-.ft RR
-.nf
-Default: on
-
-If enabled, information about the occurred error will be
-included in the mailto links of the ERR pages (if %W is set)
-so that the email body contains the data.
-Syntax is <A HREF=\&"mailto:%w%W\&">%w</A>
-
-.DE
-.fi
-.ec
-.ft P
-.sp
-.Pp
-.IP "refresh_all_ims on\(broff"
-.nr bi 1
-.Pp
-.DS
-.sp
-.ft RR
-.nf
-Default: off
-
-When you enable this option, squid will always check
-the origin server for an update when a client sends an
-If-Modified-Since request. Many browsers use IMS
-requests when the user requests a reload, and this
-ensures those clients receive the latest version.
-
-By default (off), squid may return a Not Modified response
-based on the age of the cached version.
-
-.DE
-.fi
-.ec
-.ft P
-.sp
-.IP "request_header_access"
-.nr bi 1
-.Pp
-Replaces the header_access directive of Squid-2.6 and earlier, but applies to requests only.
-.IP "reply_header_access"
-.nr bi 1
-.Pp
-Replaces the header_access directive of Squid-2.6 and earlier, but applies to replies only.
-.Pp
-.IP "icap_enable on\(broff"
-.nr bi 1
-.Pp
-.DS
-.sp
-.ft RR
-.nf
-Default: off
-
-If you want to enable the ICAP module support, set this to on.
-
-.DE
-.fi
-.ec
-.ft P
-.sp
-.IP "icap_preview_enable on\(broff"
-.nr bi 1
-.Pp
-.DS
-.sp
-.ft RR
-.nf
-Default: off
-
-Set this to 'on' if you want to enable the ICAP preview
-feature in Squid.
-
-.DE
-.fi
-.ec
-.ft P
-.sp
-.IP "icap_preview_size"
-.nr bi 1
-.Pp
-.DS
-.sp
-.ft RR
-.nf
-Default: -1
-
-The default size of preview data to be sent to the ICAP server.
--1 means no preview. This value might be overwritten on a per server
-basis by OPTIONS requests.
-
-.DE
-.fi
-.ec
-.ft P
-.sp
-.IP "icap_default_options_ttl (seconds)"
-.nr bi 1
-.Pp
-.DS
-.sp
-.ft RR
-.nf
-Default: 60
-
-The default TTL value for ICAP OPTIONS responses that don't have
-an Options-TTL header.
-
-.DE
-.fi
-.ec
-.ft P
-.sp
-.IP "icap_persistent_connections on\(broff"
-.nr bi 1
-.Pp
-.DS
-.sp
-.ft RR
-.nf
-Default: on
-
-Whether or not Squid should use persistent connections to
-an ICAP server.
-
-.DE
-.fi
-.ec
-.ft P
-.sp
-.IP "icap_send_client_ip on\(broff"
-.nr bi 1
-.Pp
-.DS
-.sp
-.ft RR
-.nf
-Default: off
-
-This adds the header \&"X-Client-IP\&" to ICAP requests.
-
-.DE
-.fi
-.ec
-.ft P
-.sp
-.IP "icap_send_client_username on\(broff"
-.nr bi 1
-.Pp
-.DS
-.sp
-.ft RR
-.nf
-Default: off
-
-This adds the header \&"X-Client-Username\&" to ICAP requests
-if proxy access is authentified.
-
-.DE
-.fi
-.ec
-.ft P
-.sp
-.IP "icap_service"
-.nr bi 1
-.Pp
-.DS
-.sp
-.ft RR
-.nf
-Default: none
-
-Defines a single ICAP service
-
-icap_service servicename vectoring_point bypass service_url
-
-vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
-This specifies at which point of request processing the ICAP
-service should be plugged in.
-bypass = 1|0
-If set to 1 and the ICAP server cannot be reached, the request will go
-through without being processed by an ICAP server
-service_url = icap://servername:port/service
-
-Note: reqmod_precache and respmod_postcache is not yet implemented
-
-Example:
-icap_service service_1 reqmod_precache 0 icap://icap1.mydomain.net:1344/reqmod
-icap_service service_2 respmod_precache 0 icap://icap2.mydomain.net:1344/respmod
-
-.DE
-.fi
-.ec
-.ft P
-.sp
-.IP "icap_class"
-.nr bi 1
-.Pp
-.DS
-.sp
-.ft RR
-.nf
-Default: none
-
-Defines an ICAP service chain. If there are multiple services per
-vectoring point, they are processed in the specified order.
-
-icap_class classname servicename...
-
-Example:
-icap_class class_1 service_1 service_2
-icap class class_2 service_1 service_3
-
-.DE
-.fi
-.ec
-.ft P
-.sp
-.IP "icap_access"
-.nr bi 1
-.Pp
-.DS
-.sp
-.ft RR
-.nf
-Default: none
-
-Redirects a request through an ICAP service class, depending
-on given acls
-
-icap_access classname allow|deny [!]aclname...
-
-The icap_access statements are processed in the order they appear in
-this configuration file. If an access list matches, the processing stops.
-For an \&"allow\&" rule, the specified class is used for the request. A \&"deny\&"
-rule simply stops processing without using the class. You can also use the
-special classname \&"None\&".
-
-For backward compatibility, it is also possible to use services
-directly here.
-
-Example:
-icap_access class_1 allow all
-
-.DE
-.fi
-.ec
-.ft P
-.sp
-.Pp
-.IP "accept_filter"
-.nr bi 1
-.Pp
-.DS
-.sp
-.ft RR
-.nf
-The name of an accept(2) filter to install on Squid's
-listen socket(s). This feature is perhaps specific to
-FreeBSD and requires support in the kernel.
-
-The 'httpready' filter delays delivering new connections
-to Squid until a full HTTP request has been received.
-See the accf_http(9) man page.
-
-.DE
-.fi
-.ec
-.ft P
-.sp
-.if \n(ll>1 .RE
-.nr ll -1
-.Pp
-.Pp
-Changes to existing tags
-
-.Pp
-.nr ll +1
-.nr t\n(ll 2
-.if \n(ll>1 .RS
-.IP "http_port"
-.nr bi 1
-.Pp
-New options:
-.DS
-.sp
-.ft RR
-.nf
- disable-pmtu-discovery=
- Control Path-MTU discovery usage:
- off lets OS decide on what to do (default).
- transparent disable PMTU discovery when transparent support is enabled.
- always disable always PMTU discovery.
-
- In many setups of transparently intercepting proxies Path-MTU
- discovery can not work on traffic towards the clients. This is
- the case when the intercepting device does not fully track
- connections and fails to forward ICMP must fragment messages
- to the cache server. If you have such setup and experience that
- certain clients sporadically hang or never complete requests set
- disable-pmtu-discovery option to 'transparent'.
-
-.DE
-.fi
-.ec
-.ft P
-.sp
-.Pp
-Removed options:
-.DS
-.sp
-.ft RR
-.nf
- urlgroup=, not yet ported to Squid-3.
-
- no-connection-auth, not yet ported to Squid-3.
-
-.DE
-.fi
-.ec
-.ft P
-.sp
-
-.IP " https_port"
-.nr bi 1
-.Pp
-Removed options:
-.DS
-.sp
-.ft RR
-.nf
- urlgroup=, not yet ported to Squid-3.
-
-.DE
-.fi
-.ec
-.ft P
-.sp
-.IP "cache_peer"
-.nr bi 1
-.Pp
-New options:
-.DS
-.sp
-.ft RR
-.nf
- basetime=n
-
- background-ping
-
- weighted-round-robin
-
- use 'basetime=n' to specify a base amount to
- be subtracted from round trip times of parents.
- It is subtracted before division by weight in calculating
- which parent to fectch from. If the rtt is less than the
- base time the rtt is set to a minimal value.
-
- use 'background-ping' to only send ICP queries to this
- neighbor infrequently. This is used to keep the neighbor
- round trip time updated and is usually used in
- conjunction with weighted-round-robin.
-
- use 'weighted-round-robin' to define a set of parents
- which should be used in a round-robin fashion with the
- frequency of each parent being based on the round trip
- time. Closer parents are used more often.
- Usually used for background-ping parents.
-
-
-.DE
-.fi
-.ec
-.ft P
-.sp
-.Pp
-Removed options:
-.DS
-.sp
-.ft RR
-.nf
- userhash, not yet ported to Squid-3
-
- sourcehash, not yet ported to Squid-2
-
- monitorurl, monitorsize etc, not yet ported to Squid-3
-
- connection-auth=, not yet ported to Squid-3
-
-.DE
-.fi
-.ec
-.ft P
-.sp
-.IP "cache_dir"
-.nr bi 1
-.Pp
-Common options
-.DS
-.sp
-.ft RR
-.nf
- no-store, replaces the older read-only option
-
- min-size, not yet portedto Squid-3
-
-.DE
-.fi
-.ec
-.ft P
-.sp
-.Pp
-COSS file system:
-.DS
-.sp
-.ft RR
-.nf
- The coss file store is experimental, and still lacks much
- of the functionality found in 2.6.
-
- overwrite-percent=n, not yet ported to Squid-3.
-
- max-stripe-waste=n, not yet ported to Squid-3.
-
- membufs=n, not yet ported to Squid-3.
-
- maxfullbufs=n, not yet ported to Squid-3.
-
-.DE
-.fi
-.ec
-.ft P
-.sp
-.IP "auth_param"
-.nr bi 1
-.Pp
-Removed Basic auth option
-.DS
-.sp
-.ft RR
-.nf
- blankpasswor, not yet ported to squid-3.
- auth_param basic concurrency 0
-
-.DE
-.fi
-.ec
-.ft P
-.sp
-.Pp
-Removed digest options:
-.DS
-.sp
-.ft RR
-.nf
- concurrency, not yet ported to Squid-3.
-
-.DE
-.fi
-.ec
-.ft P
-.sp
-.Pp
-.IP "external_acl_type"
-.nr bi 1
-.Pp
-New format specifications:
-.DS
-.sp
-.ft RR
-.nf
- %URI Requested URI
-
- %PATH Requested URL path
-
-.DE
-.fi
-.ec
-.ft P
-.sp
-.Pp
-Removed format specifications:
-.DS
-.sp
-.ft RR
-.nf
- %ACL, not yet ported to Squid-3
-
- %DATA, not yet ported to Squid-3
-
-.DE
-.fi
-.ec
-.ft P
-.sp
-.Pp
-New result keywords:
-.DS
-.sp
-.ft RR
-.nf
- tag= Apply a tag to a request (for both ERR and OK results)
- Only sets a tag, does not alter existing tags.
-
-.DE
-.fi
-.ec
-.ft P
-.sp
-.Pp
-.IP "refresh_pattern"
-.nr bi 1
-.Pp
-New options:
-.DS
-.sp
-.ft RR
-.nf
- ignore-no-store
- refresh-ims
-
- ignore-no-store ignores any ``Cache-control: no-store''
- headers received from a server. Doing this VIOLATES
- the HTTP standard. Enabling this feature could make you
- liable for problems which it causes.
-
- refresh-ims causes squid to contact the origin server
- when a client issues an If-Modified-Since request. This
- ensures that the client will receive an updated version
- if one is available.
-
-.DE
-.fi
-.ec
-.ft P
-.sp
-.IP "acl"
-.nr bi 1
-.Pp
-New types:
-.DS
-.sp
-.ft RR
-.nf
- acl aclname http_status 200 301 500- 400-403 ... # status code in reply
-
-
-.DE
-.fi
-.ec
-.ft P
-.sp
-.Pp
-Removed types:
-.DS
-.sp
-.ft RR
-.nf
- acl aclname urllogin [-i] [^a-zA-Z0-9] ... # regex matching on URL login field
-
- acl urlgroup group1 ...
- # match against the urlgroup as indicated by redirectors
-
-
-.DE
-.fi
-.ec
-.ft P
-.sp
-.IP "short_icon_urls"
-.nr bi 1
-.Pp
-New default:
-.DS
-.sp
-.ft RR
-.nf
- Default: on
- (Old default: off)
-
-.DE
-.fi
-.ec
-.ft P
-.sp
-.IP "delay_class"
-.nr bi 1
-.Pp
-New delay classes:
-.DS
-.sp
-.ft RR
-.nf
- class 4 Everything in a class 3 delay pool, with an
- additional limit on a per user basis. This
- only takes effect if the username is established
- in advance - by forcing authentication in your
- http_access rules.
-
- class 5 Requests are grouped according their tag (see
- external_acl's tag= reply).
-
-.DE
-.fi
-.ec
-.ft P
-.sp
-.Pp
-.IP "htcp_port"
-.nr bi 1
-.Pp
-New default to require the feature to be enabled in squid.conf:
-.DS
-.sp
-.ft RR
-.nf
- Default: 0 (disabled)
- (Old default: 4827)
-
-.DE
-.fi
-.ec
-.ft P
-.sp
-.Pp
-.IP "icp_port"
-.nr bi 1
-.Pp
-New default to require the feature to be enabled in squid.conf:
-.DS
-.sp
-.ft RR
-.nf
- Default: 0 (disabled)
- (Old default: 3130)
-
-.DE
-.fi
-.ec
-.ft P
-.sp
-.Pp
-.IP "snmp_port"
-.nr bi 1
-.Pp
-New default to require the feature to be enabled in squid.conf:
-.DS
-.sp
-.ft RR
-.nf
- Default: 0 (disabled)
- (Old default: 3401)
-
-.DE
-.fi
-.ec
-.ft P
-.sp
-.Pp
-.IP "logformat"
-.nr bi 1
-.Pp
-New format tags:
-.DS
-.sp
-.ft RR
-.nf
- rp Request URL-Path excluding hostname
-
- et Tag returned by external acl
-
- <sH Reply high offset sent
-
- <sS Upstream object size
-
-.DE
-.fi
-.ec
-.ft P
-.sp
-.Pp
-.Pp
-Removed format tags:
-.DS
-.sp
-.ft RR
-.nf
- >st Request size including HTTP headers, not yet ported to Squid-3.
-
- st Request+Reply size including HTTP headers, not yet ported to Squid-3.
-
-.DE
-.fi
-.ec
-.ft P
-.sp
-.Pp
-.IP "reply_body_max_size"
-.nr bi 1
-.Pp
-Syntax changed:
-.DS
-.sp
-.ft RR
-.nf
- reply_body_max_size size [acl acl...]
-
-.DE
-.fi
-.ec
-.ft P
-.sp
-.Pp
-allow/deny no longer used.
-.Pp
-.IP "url_rewrite_program"
-.nr bi 1
-.Pp
-No urlgroup support in either requests or responese
-.if \n(ll>1 .RE
-.nr ll -1
-.Pp
-.Pp
-.Pp
-.Pp
-Removed tags
-
-.Pp
-.nr ll +1
-.nr t\n(ll 2
-.if \n(ll>1 .RS
-.IP "broken_vary_encoding"
-.nr bi 1
-.Pp
-Not yet ported to Squid-3.
-.IP "cache_vary"
-.nr bi 1
-.Pp
-Not yet ported to Squid-3.
-.IP "collapsed_forwarding"
-.nr bi 1
-.Pp
-Not yet ported to Squid-3.
-.IP "follow_x_forwarded_for"
-.nr bi 1
-.Pp
-Not yet ported to Squid-3.
-.IP "*_uses_indirect_client"
-.nr bi 1
-.Pp
-Not yet ported to Squid-3.
-.IP "error_map"
-.nr bi 1
-.Pp
-Not yet ported to Squid-3.
-.IP "header_access"
-.nr bi 1
-.Pp
-This has been replaced by request_header_access and reply_header_access
-.IP "http_access2"
-.nr bi 1
-.Pp
-Not yet ported to Squid-3.
-.IP "httpd_accel_no_pmtu_disc"
-.nr bi 1
-.Pp
-Replaced by disable-pmtu-discovery http_port option
-.IP "location_rewrite_*"
-.nr bi 1
-.Pp
-Not yet ported to Squid-3.
-.IP "refresh_stale_hit"
-.nr bi 1
-.Pp
-Not yet ported to Squid-3.
-.IP "umask"
-.nr bi 1
-.Pp
-Not yet ported to Squid-3.
-.IP "wais_relay_*"
-.nr bi 1
-.Pp
-equivalent to cache_peer + cache_peer_access.
-.if \n(ll>1 .RE
-.nr ll -1
-.Pp
-.Pp
-.SH Changes to ./configure Options
-
-.Pp
-There have been some changes to Squid's build configuration since Squid-2.6.
-.Pp
-This section gives an account of those changes in three categories:
-.Pp
-.nr ll +1
-.nr t\n(ll 0
-.if \n(ll>1 .RS
-.nr bi 1
-.Pp
-.nr bi 1
-.Pp
-.nr bi 1
-.Pp
-.nr bi 1
-.Pp
-.if \n(ll>1 .RE
-.nr ll -1
-.Pp
-.Pp
-.Pp
-New options
-
-.Pp
-.nr ll +1
-.nr t\n(ll 2
-.if \n(ll>1 .RS
-.IP "--enable-shared[=PKGS]"
-.nr bi 1
-.Pp
-Build shared libraries. The default is to build without.
-.Pp
-.IP "--enable-static[=PKGS]"
-.nr bi 1
-.Pp
-Build static libraries. The default is on.
-.Pp
-.IP "--enable-fast-install[=PKGS]"
-.nr bi 1
-.Pp
-.DS
-.sp
-.ft RR
-.nf
-Optimize for fast installation
- default: yes
-.DE
-.fi
-.ec
-.ft P
-.sp
-.Pp
-.IP "--disable-libtool-lock"
-.nr bi 1
-.Pp
-Avoid locking (might break parallel builds)
-.Pp
-.IP "--disable-optimizations"
-.nr bi 1
-.Pp
-Don't compile Squid with compiler optimizations enabled.
-Optimization is good for production builds, but not
-good for debugging. During development, use
---disable-optimizations to reduce compilation times
-and allow easier debugging. This option implicitly
-also enables --disable-inline
-.Pp
-.IP "--disable-inline"
-.nr bi 1
-.Pp
-Don't compile trivial methods as inline. Squid
-is coded with much of the code able to be inlined.
-Inlining is good for production builds, but not
-good for development. During development, use
---disable-inline to reduce compilation times and
-allow incremental builds to be quick. For
-production builds, or load tests, use
---enable-inline to have squid make all trivial
-methods inlinable by the compiler.
-.Pp
-.IP "--enable-debug-cbdata"
-.nr bi 1
-.Pp
-Provide some debug information in cbdata
-.Pp
-.IP "--enable-disk-io=\e\&"list of modules\e\&""
-.nr bi 1
-.Pp
-Build support for the list of disk I/O modules.
-The default is only to build the \&"Blocking\&" module.
-See src/DiskIO for a list of available modules, or
-Programmers Guide for details on how to build your
-custom disk module.
-.Pp
-.IP "--enable-esi"
-.nr bi 1
-.Pp
-Enable ESI for accelerators. Requires libexpat.
-Enabling ESI will cause squid to follow the Edge
-Acceleration Specification (www.esi.org). This
-causes squid to IGNORE client Cache-Control headers.
-.Pp
-\fIDO NOT\fP use this in a squid configured as a web
-proxy, ONLY use it in a squid configured for
-webserver acceleration.
-.Pp
-.IP "--enable-icap-client"
-.nr bi 1
-.Pp
-Enable the ICAP client.
-.Pp
-.IP "--disable-snmp"
-.nr bi 1
-.Pp
-Disable SNMP monitoring support which is now built by default.
-.Pp
-.IP "--disable-htcp"
-.nr bi 1
-.Pp
-Disable HTCP protocol support which is now built by default.
-.Pp
-.IP "--enable-kqueue"
-.nr bi 1
-.Pp
-Enable kqueue() support. Marked as experimental in 3.0.
-.Pp
-.IP "--enable-ipfw-transparent"
-.nr bi 1
-.Pp
-Enable Transparent Proxy support for systems
-using FreeBSD IPFW style redirection.
-.Pp
-.IP "--disable-mempools"
-.nr bi 1
-.Pp
-Disable memPools. Note that this option now simply sets the
-default behaviour. Specific classes can override this at runtime, and
-only lib/MemPool.c needs to be altered to change the squid-wide
-default for all classes.
-.Pp
-.IP "--enable-cpu-profiling"
-.nr bi 1
-.Pp
-This option allows you to see which internal functions
-in Squid are consuming how much CPU. Compiles in probes
-that measure time spent in probed functions. Needs
-source modifications to add new probes. This is meant
-for developers to assist in performance optimisations
-of Squid internal functions.
-.Pp
-If you are not developer and not interested in the stats
-you shouldn't enable this, as overhead added, although
-small, is still overhead. See lib/Profiler.c for more.
-.Pp
-.IP "--with-gnu-ld"
-.nr bi 1
-.Pp
-Assume the C compiler uses GNU ld. The default is to auto-detect.
-.Pp
-.IP "--with-pic"
-.nr bi 1
-.Pp
-Try to use only PIC/non-PIC objects. The default is to use both.
-.Pp
-.IP "--with-tags[=TAGS]"
-.nr bi 1
-.Pp
-Include additional configurations. The default is automatic.
-.Pp
-.IP "--with-default-user=USER"
-.nr bi 1
-.Pp
-Sets the default System User account for squid permissions.
-The default is 'nobody' as in other releases of squid.
-.Pp
-.IP "--with-cppunit-basedir=[PATH]"
-.nr bi 1
-.Pp
-Path where the cppunit headers and libraries are found
-for unit testing. The default is automatic detection.
-.Pp
-NOTE: Since 3.0-PRE6 and 2.6STABLE14 squid no longer comes
-bundled with CPPUnit. Compile-time validation will be disabled
-if it is not installed on your system.
-.Pp
-.if \n(ll>1 .RE
-.nr ll -1
-Changes to existing options
-
-.Pp
-.nr ll +1
-.nr t\n(ll 2
-.if \n(ll>1 .RS
-.IP "--enable-carp"
-.nr bi 1
-.Pp
-CARP support is now built by default.
---disable-carp can be used to build without it.
-.Pp
-.IP "--enable-htcp"
-.nr bi 1
-.Pp
-HTCP protocol support is now built by default.
-Use --disable-htcp to build without it.
-.Pp
-.IP "--enable-snmp"
-.nr bi 1
-.Pp
-SNMP monitoring is now build by default.
-Use --disable-snmp to build without it.
-.Pp
-.IP "--enable-heap-replacement"
-.nr bi 1
-.Pp
-Please use --enable-removal-policies directive instead.
-.Pp
-.IP "--with-maxfd=N"
-.nr bi 1
-.Pp
-Replaced by --with-filedescriptors=N
-.Pp
-Override maximum number of filedescriptors. Useful
-if you build as another user who is not privileged
-to use the number of filedescriptors you want the
-resulting binary to support
-.Pp
-.IP "--enable-select"
-.nr bi 1
-.Pp
-Deprecated.
-Automatic checks will enable best I/O loop method available.
-.Pp
-.IP "--enable-epoll"
-.nr bi 1
-.Pp
-Deprecated.
-Automatic checks will enable best I/O loop method available.
-.Pp
-.IP "--enable-poll"
-.nr bi 1
-.Pp
-Deprecated.
-Automatic checks will enable best I/O loop method available.
-.Pp
-.IP "--enable-kqueue"
-.nr bi 1
-.Pp
-kqueue support is marked Experimental in Squid 3.0. Known to have some issues under load.
-.Pp
-.if \n(ll>1 .RE
-.nr ll -1
-Not yet available options
-
-.Pp
-These configure options have not yet been ported to Squid-3. If you need something to do then
-porting one of these from Squid-2 to Squid-3 is most welcome.
-.Pp
-.nr ll +1
-.nr t\n(ll 2
-.if \n(ll>1 .RS
-.IP "--enable-devpoll"
-.nr bi 1
-.Pp
-Support for Solaris /dev/poll
-.Pp
-.IP "--enable-select-simple"
-.nr bi 1
-.Pp
-Basic POSIX select() loop without any binary fd_set optimizations.
-.Pp
-.IP "--enable-follow-x-forwarded-for"
-.nr bi 1
-.Pp
-Support following the X-Forwarded-For HTTP header for determining the
-client IP address
-.if \n(ll>1 .RE
-.nr ll -1
-.Pp
-Removed options
-
-.Pp
-The following configure options have been removed.
-.Pp
-.nr ll +1
-.nr t\n(ll 2
-.if \n(ll>1 .RS
-.IP "--enable-dlmalloc"
-.nr bi 1
-.Pp
-Most OS:es have good malloc implementations these days, and the version we used to ship with Squid was very very old..
-.IP "--enable-mempool-debug"
-.nr bi 1
-.Pp
-Debug option, not needed and therefore removed.
-.IP "--enable-forward-log"
-.nr bi 1
-.Pp
-Rarely used extra log file. Removed.
-.IP "--enable-multicast-miss"
-.nr bi 1
-.Pp
-Rarely used feature, and multicast ICP acheives almost the same result. Removed.
-.IP "--enable-coss-aio-ops"
-.nr bi 1
-.Pp
-Specific to the COSS implementation in Squid-2
-.IP "--enable-large-cache-files"
-.nr bi 1
-.Pp
-Now enabled by default. Configure option was redundant and therefore removed.
-.IP "--enable-truncate"
-.nr bi 1
-.Pp
-Known to cause race conditions where cache objects may get corrupted, and this for at most a marginal performance improvement. Removed.
-.Pp
-.if \n(ll>1 .RE
-.nr ll -1
-.Pp
+++ /dev/null
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
-<HTML>
-<HEAD>
- <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.50">
- <TITLE>Squid 3.1.0.11 release notes</TITLE>
-</HEAD>
-<BODY>
-<H1>Squid 3.1.0.11 release notes</H1>
-
-<H2>Squid Developers</H2>
-<HR>
-<EM>This document contains the release notes for version 3.1 of Squid.
-Squid is a WWW Cache application developed by the National Laboratory
-for Applied Network Research and members of the Web Caching community.</EM>
-<HR>
-<P>
-<H2><A NAME="toc1">1.</A> <A HREF="#s1">Notice</A></H2>
-
-<UL>
-<LI><A NAME="toc1.1">1.1</A> <A HREF="#ss1.1">Known issues</A>
-<LI><A NAME="toc1.2">1.2</A> <A HREF="#ss1.2">Changes since earlier releases of Squid-3.1</A>
-</UL>
-<P>
-<H2><A NAME="toc2">2.</A> <A HREF="#s2">Major new features since Squid-3.0</A></H2>
-
-<UL>
-<LI><A NAME="toc2.1">2.1</A> <A HREF="#ss2.1">New Version Numbering System</A>
-<LI><A NAME="toc2.2">2.2</A> <A HREF="#ss2.2">Minimal squid.conf improvements</A>
-<LI><A NAME="toc2.3">2.3</A> <A HREF="#ss2.3">Internet Protocol version 6 (IPv6)</A>
-<LI><A NAME="toc2.4">2.4</A> <A HREF="#ss2.4">Error Page Localization</A>
-<LI><A NAME="toc2.5">2.5</A> <A HREF="#ss2.5">Connection Pinning (for NTLM Auth Passthrough)</A>
-<LI><A NAME="toc2.6">2.6</A> <A HREF="#ss2.6">Quality of Service (QoS) Flow support</A>
-<LI><A NAME="toc2.7">2.7</A> <A HREF="#ss2.7">SSL Bump (for HTTPS Filtering and Adaptation)</A>
-<LI><A NAME="toc2.8">2.8</A> <A HREF="#ss2.8">eCAP Adaptation Module support</A>
-<LI><A NAME="toc2.9">2.9</A> <A HREF="#ss2.9">ICAP Bypass and Retry enhancements</A>
-</UL>
-<P>
-<H2><A NAME="toc3">3.</A> <A HREF="#s3">Windows support</A></H2>
-
-<UL>
-<LI><A NAME="toc3.1">3.1</A> <A HREF="#ss3.1">Usage</A>
-<LI><A NAME="toc3.2">3.2</A> <A HREF="#ss3.2">PSAPI.DLL (Process Status Helper) Considerations</A>
-<LI><A NAME="toc3.3">3.3</A> <A HREF="#ss3.3">Registry DNS lookup</A>
-<LI><A NAME="toc3.4">3.4</A> <A HREF="#ss3.4">Compatibility Notes</A>
-<LI><A NAME="toc3.5">3.5</A> <A HREF="#ss3.5">Known Limitations</A>
-<LI><A NAME="toc3.6">3.6</A> <A HREF="#ss3.6">Building Squid on Windows</A>
-<LI><A NAME="toc3.7">3.7</A> <A HREF="#ss3.7">Using cache manager on Windows:</A>
-</UL>
-<P>
-<H2><A NAME="toc4">4.</A> <A HREF="#s4">Changes to squid.conf since Squid-3.0</A></H2>
-
-<UL>
-<LI><A NAME="toc4.1">4.1</A> <A HREF="#ss4.1">New tags</A>
-<LI><A NAME="toc4.2">4.2</A> <A HREF="#ss4.2">Changes to existing tags</A>
-<LI><A NAME="toc4.3">4.3</A> <A HREF="#ss4.3">Removed tags</A>
-</UL>
-<P>
-<H2><A NAME="toc5">5.</A> <A HREF="#s5">Changes to ./configure options since Squid-3.0</A></H2>
-
-<UL>
-<LI><A NAME="toc5.1">5.1</A> <A HREF="#ss5.1">New options</A>
-<LI><A NAME="toc5.2">5.2</A> <A HREF="#ss5.2">Changes to existing options</A>
-<LI><A NAME="toc5.3">5.3</A> <A HREF="#ss5.3">Removed options</A>
-</UL>
-<P>
-<H2><A NAME="toc6">6.</A> <A HREF="#s6">Options Removed since Squid-2</A></H2>
-
-<UL>
-<LI><A NAME="toc6.1">6.1</A> <A HREF="#ss6.1">Removed squid.conf options since Squid-2.7</A>
-<LI><A NAME="toc6.2">6.2</A> <A HREF="#ss6.2">Removed squid.conf options since Squid-2.6</A>
-<LI><A NAME="toc6.3">6.3</A> <A HREF="#ss6.3">Removed ./configure options since Squid-2.7</A>
-</UL>
-<P>
-<H2><A NAME="toc7">7.</A> <A HREF="#s7">Regressions since Squid-2.7</A></H2>
-
-<UL>
-<LI><A NAME="toc7.1">7.1</A> <A HREF="#ss7.1">Missing squid.conf options available in Squid-2.7</A>
-<LI><A NAME="toc7.2">7.2</A> <A HREF="#ss7.2">Missing ./configure options available in Squid-2.7</A>
-</UL>
-
-<HR>
-<H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2>
-
-<P>The Squid Team are pleased to announce the release of Squid-3.1.0.11 for testing.</P>
-<P>This new release is available for download from
-<A HREF="http://www.squid-cache.org/Versions/v3/3.1/">http://www.squid-cache.org/Versions/v3/3.1/</A> or the
-<A HREF="http://www.squid-cache.org/Mirrors/http-mirrors.html">mirrors</A>.</P>
-<P>A large number of the show-stopper bugs have been fixed along with general improvements to the ICAP support.
-While this release is not deemed ready for production use, we believe it is ready for wider testing by the community.</P>
-<P>We welcome feedback and bug reports. If you find a bug, please see
-<A HREF="http://wiki.squid-cache.org/SquidFaq/TroubleShooting#head-7067fc0034ce967e67911becaabb8c95a34d576d">http://wiki.squid-cache.org/SquidFaq/TroubleShooting#head-7067fc0034ce967e67911becaabb8c95a34d576d</A> for how to submit a report with a stack trace.</P>
-
-<H2><A NAME="ss1.1">1.1</A> <A HREF="#toc1.1">Known issues</A>
-</H2>
-
-<P>Although this release is deemed good enough for use in many setups, please note the existence of
-<A HREF="http://www.squid-cache.org/bugs/buglist.cgi?query_format=advanced&short_desc_type=allwordssubstr&short_desc=&target_milestone=3.1&long_desc_type=allwordssubstr&long_desc=&bug_file_loc_type=allwordssubstr&bug_file_loc=&status_whiteboard_type=allwordssubstr&status_whiteboard=&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&emailtype1=substring&email1=&emailtype2=substring&email2=&bugidtype=include&bug_id=&votes=&chfieldfrom=&chfieldto=Now&chfieldvalue=&cmdtype=doit&order=bugs.bug_severity&field0-0-0=noop&type0-0-0=noop&value0-0-0=">open bugs against Squid-3.1</A>.</P>
-
-<H2><A NAME="ss1.2">1.2</A> <A HREF="#toc1.2">Changes since earlier releases of Squid-3.1</A>
-</H2>
-
-<P>The 3.1 change history can be
-<A HREF="http://www.squid-cache.org/Versions/v3/3.1/changesets/">viewed here</A>.</P>
-
-<H2><A NAME="s2">2.</A> <A HREF="#toc2">Major new features since Squid-3.0</A></H2>
-
-<P>Squid 3.1 represents a new feature release above 3.0.</P>
-<P>The most important of these new features are:</P>
-<P>
-<UL>
-<LI>New Version Numbering System</LI>
-<LI>Minimal squid.conf improvements</LI>
-<LI>Native IPv6 Support</LI>
-<LI>Error Page Localization</LI>
-<LI>Connection Pinning (for NTLM Auth Passthrough)</LI>
-<LI>Quality of Service (QoS) Flow support</LI>
-<LI>SSL Bump (for HTTPS Filtering and Adaptation)</LI>
-<LI>eCAP Adaptation Module support</LI>
-<LI>ICAP Bypass and Retry enhancements</LI>
-</UL>
-</P>
-<P>Most user-facing changes are reflected in squid.conf (see below).</P>
-
-<H2><A NAME="ss2.1">2.1</A> <A HREF="#toc2.1">New Version Numbering System</A>
-</H2>
-
-<P>Begining with 3.1 the Squid Developers are trialling a new release numbering system.</P>
-
-<P>We have decided, based on input from interested users to drop the Squid-2 terminology of
-(DEVEL, PRE, RC, and STABLE) from the release package names.
-These are replaced with a simpler 3-tier system based around the natural code development cycle.</P>
-
-<P>Daily generated snapshots of all current versions are provided as testing (old DEVEL) and bug-fix releases.
-These are numbered from their last release with a date appended.
-Snapshots generated from 3.HEAD continue to be highly volatile.</P>
-
-<P>Regular feature releases from Squid-3 will be branched out as sub-versions. Such as this Squid-3.1.</P>
-
-<P>All this is previous policy you should be accustomed to. Now we get to the new numbering change.</P>
-
-<P>Initial branch packages will be generated with a 3.X.0.Z version as testing packages.
-Packages and Snapshots generated with these 3-dot numbers are expected to be relatively stable regarding feature behaviors.
-Suitable for testing, but without any guarantees under production loads. This replaces both the old PRE and RC packages.</P>
-
-<P>If a large number of bugs are found several *.0.Z packages may be attempted before any is considered production-ready.</P>
-
-<P>When one of these Squid-3.X.0.Z packages passes our bug-free standards a 3.X.Y numbered release will be made.</P>
-
-<P>We can only hope enough testing has been done to consider these ready for production use.
-As always we are fully dependent on people testing the previous packages and reporting all bugs.</P>
-
-<P>In support of all this are several squid-dev process changes which have been worked out over the last year.</P>
-<P>
-<UL>
-<LI>We no longer accept new features into branches.
-Those are reserved for the next feature release.
-The cycle for major releases is hoped to be fast enough to suit some peoples needs for new features
-and others need for stability in the branched releases.
-</LI>
-<LI>We now audit and vote on all feature and major code additions.
-Requiring at least two sets of developer eyes on any new features before they are committed to 3.HEAD.
-Vastly reducing the number of bugs in all code.
-</LI>
-<LI>We have implemented and continue to add more testing infrastructure.</LI>
-</UL>
-</P>
-
-
-<H2><A NAME="ss2.2">2.2</A> <A HREF="#toc2.2">Minimal squid.conf improvements</A>
-</H2>
-
-<P>squid.conf has undergone a facelift.</P>
-
-<P>Don't worry, few operational changes have been made.
-Older configs from are still expected to run in 3.1 with only the usual minor
-changes seen between major release. Details on those are listed below.</P>
-
-<P>New users will be relieved to see a short 32-line or less squid.conf on clean installs.
-Many of the options have reasonable defaults but had previously needed them explicitly configured!
-These are now proper built-in defaults and no longer need to be in squid.conf unless changed.</P>
-
-<P>All of the option documentation has been offloaded to another file <EM>squid.conf.documented</EM> which
-contains a fully documented set of options previously cluttering up squid.conf itself.</P>
-
-<P>Package maintainers are provided with a second file squid.conf.default which as always contains the default
-config options provided on a clean install.</P>
-
-
-<H2><A NAME="ss2.3">2.3</A> <A HREF="#toc2.3">Internet Protocol version 6 (IPv6)</A>
-</H2>
-
-<P>Squid 3.1 supports IPv6.
-Details in
-<A HREF="http://wiki.squid-cache.org/Features/IPv6">The Squid wiki</A></P>
-
-<H3>New Features for IPv6</H3>
-
-<P>Squid handles localhost values seperately. For the purpose of ACLs and also external
-connections ::1 is considered a seperate IP from 127.0.0.1. This means all ACL which
-define behaviour for localhost may need ::1/128 included.</P>
-
-<P>Pinger has been upgraded to perform both ICMP and ICMPv6 as required.
-As a result of this and due to a change in the binary protocol format between them,
-new builds of squid are no longer backwards-compatible with old pinger binaries.
-You will need to perform "make install-pinger" again after installing squid.</P>
-
-<P>Peer and Client SNMP tables have been altered to handle IPv6 addresses.
-As a side effect of this the long-missing fix to show seperate named peers on one IP
-has been integrated. Making the SNMP peer table now produce correct output.
-The table structure change is identical for both IPv4-only and Dual modes but with
-IPv4-only simply not including any IPv6 entries. This means any third-party SNMP
-software which hard coded the MIB paths needs to be upgraded for this Squid release.</P>
-
-
-<H3>Limitations of IPv6 Support</H3>
-
-<P>Specify a specific tcp_outgoing_address and the clients who match its ACL are limited
-to the IPv4 or IPv6 network that address belongs to. They are not permitted over the
-IPv4-IPv6 boundary. Some ACL voodoo can however be applied to explicitly route the
-IPv6/IPv4 bound traffic (DIRECT access) out an appropriate interface.
-<PRE>
- acl toIP6 dst ipv6
- tcp_outgoing_address 2001::1 toIP6
- tcp_outgoing_address 10.0.0.1 !toIP6
-</PRE>
-</P>
-
-<P>WCCP is not available (neither version 1 or 2). It remains built into squid for use with IPv4 traffic but IPv6 cannot use it.</P>
-
-<P>Transparent Interception is done via NAT at the OS level and is not available in IPv6.
-Squid will ensure that any port set with transparent, intercept, or tproxy options be an IPv4-only
-listening address. Wildcard can still be used but will not open as an IPv6.
-To ensure that squid can accept IPv6 traffic on its default port, an alternative should
-be chosen to handle transparently intercepted traffic.
-<PRE>
- http_port 3128
- http_port 8080 intercept
-</PRE>
-</P>
-
-<P>The bundled NTLM Auth helper is IPv4-native between itself and the NTLM server.
-A new one will be needed for IPv6 traffic between the helper and server.</P>
-
-<P>The bundled RADIUS Auth helper is IPv4-native, both in traffic between and data storage
-with the RADIUS server. A new helper will be needed for IPv6 RADIUS protocol.</P>
-
-
-<H2><A NAME="ss2.4">2.4</A> <A HREF="#toc2.4">Error Page Localization</A>
-</H2>
-
-<P>Details in
-<A HREF="http://wiki.squid-cache.org/Translations">The Squid wiki</A></P>
-
-<H3>Localization</H3>
-
-<P>The error pages presented by squid may now be localized per-request to match the visitors local preferred language.</P>
-
-<P>The error_directory option in squid.conf needs to be removed.</P>
-
-<P>For best coverage of languages, using the latest language pack of error files is recommended.
-Updates can be downloaded from
-<A HREF="http://www.squid-cahch.org/Versions/langpack/">www.squid-cache.org/Versions/langpack/</A></P>
-
-<P>The squid developers are interested in making squid available in a wide variety of languages.
-Contribution of new languages is encouraged.</P>
-
-<H3>CSS Stylesheet controls</H3>
-
-<P>To further enhance the visitor experience all new translations have embeded CSS hooks for scalable per-site localization of the display.</P>
-
-<P>CSS display is controlled by updating the errorpage.css file installed into Squids configuration directory
-or the <EM>err_page_stylesheet</EM> option in squid.conf.</P>
-
-<P>Custom error pages can also embed the CSS content by adding the <EM>%l</EM> tag to their headers.</P>
-
-
-<H2><A NAME="ss2.5">2.5</A> <A HREF="#toc2.5">Connection Pinning (for NTLM Auth Passthrough)</A>
-</H2>
-
-<P>Details in
-<A HREF="http://wiki.squid-cache.org/Features/ConnPinn">The Squid wiki</A></P>
-
-<P>Squid 3.1 includes the much asked for Connection Pinning feature from Squid 2.6.</P>
-
-<P>This feature is often called 'NTLM Passthru' since it is a giant workaround which permits Web servers to use
-Microsoft NTLM Authentication instead of HTTP standard authentication through a web proxy.</P>
-
-
-<H2><A NAME="ss2.6">2.6</A> <A HREF="#toc2.6">Quality of Service (QoS) Flow support</A>
-</H2>
-
-<P>Details in
-<A HREF="http://wiki.squid-cache.org/Features/QualityOfService">The Squid wiki</A></P>
-
-<P>Zero Penalty Hit created a patch to set QoS markers on outgoing traffic.</P>
-<P>
-<UL>
-<LI>Allows you to select a TOS/Diffserv value to mark local hits.</LI>
-<LI>Allows you to select a TOS/Diffserv value to mark peer hits.</LI>
-<LI>Allows you to selectively mark only sibling or parent requests</LI>
-<LI>Allows any HTTP response towards clients to have the TOS value of the response coming from
-the remote server preserved.
-For this to work correctly, you will need to patch your linux kernel with the TOS preserving ZPH patch.
-The kernel patch can be downloaded from
-<A HREF="http://zph.bratcheda.org">http://zph.bratcheda.org</A></LI>
-<LI>Allows you to mask certain bits in the TOS received from the remote server,
-before copying the value to the TOS send towards clients.</LI>
-</UL>
-</P>
-
-<H3>Squid Configuration</H3>
-
-<P>Squid 3.1 needs to be configured with --enable-zph-qos for the ZPH QoS controls to be available.</P>
-
-<P>The configuration options for 2.7 and 3.1 are based on different ZPH patches.
-The two releases configuration differs and only the TOS mode settings are directly translatable.</P>
-<P>
-<UL>
-<LI><EM>qos_flows local-hit=0xff</EM> Responses found as a HIT in the local cache</LI>
-<LI><EM>qos_flows sibling-hit=0xff</EM> Responses found as a HIT in a sibling peer</LI>
-<LI><EM>qos_flows parent-hit=0xff</EM> Responses found as a HIT in a parent peer</LI>
-</UL>
-</P>
-
-<P>The lines above are spearated for documentation. qos_flows may be configured with all options on one line, or separated as shown.
-Also options may be repeated as many times as desired. Only the final configured value for any option will be used.</P>
-
-<P>The legacy <EM>Option</EM> and <EM>Priority</EM> modes available in Squid-2.7 are no longer supported.</P>
-
-
-<H2><A NAME="ss2.7">2.7</A> <A HREF="#toc2.7">SSL Bump (for HTTPS Filtering and Adaptation)</A>
-</H2>
-
-<P>Details in
-<A HREF="http://wiki.squid-cache.org/Features/SslBump">The Squid wiki</A></P>
-
-<P>Squid-in-the-middle decryption and encryption of straight CONNECT and transparently redirected SSL traffic,
-using configurable client- and server-side certificates.
-While decrypted, the traffic can be inspected using ICAP.</P>
-
-
-<H2><A NAME="ss2.8">2.8</A> <A HREF="#toc2.8">eCAP Adaptation Module support</A>
-</H2>
-
-<P>Details in
-<A HREF="http://wiki.squid-cache.org/Features/eCAP">The Squid wiki</A></P>
-
-<H2><A NAME="ss2.9">2.9</A> <A HREF="#toc2.9">ICAP Bypass and Retry enhancements</A>
-</H2>
-
-<P>Details in
-<A HREF="http://wiki.squid-cache.org/Features/ICAP">The Squid wiki</A></P>
-
-<P>ICAP is now extended with full bypass and dynamic chain routing to handle multiple
-adaptation services.</P>
-
-<H3>ICAP Adaptation Service Sets and Chains</H3>
-
-<P>An adaptation service set contains similar, interchangeable services. No more
-than one service is successfully applied. If one service is down or fails,
-Squid can use another service. Think "hot standby" or "spare" ICAP servers. </P>
-
-<P>Sets may seem similar to the existing "service bypass" feature, but they allow
-the failed adaptation to be retried and succeed if a replacement service is
-available. The services in a set may be all optional or all essential,
-depending on whether ignoring the entire set is acceptable. The mixture of
-optional and essential services in a set is supported, but yields results that
-may be difficult for a human to anticipate or interpret. Squid warns when it
-detects such a mixture.</P>
-
-<P>When performing adaptations with a set, failures at a service (optional or
-essential, does not matter) are retried with a different service if possible.
-If there are no more replacement services left to try, the failure is treated
-depending on whether the last service tried was optional or essential: Squid
-either tries to ignore the failure and proceed or terminates the master
-transaction.</P>
-
-<P>An adaptation chain is a list of different services applied one after another,
-forming an adaptation pipeline. Services in a chain may be optional or
-essential. When performing adaptations, failures at an optional service are
-ignored as if the service did not exist in the chain.</P>
-
-<P>Request satisfaction terminates the adaptation chain.</P>
-
-<P>When forming a set or chain for a given transaction, optional down services are ignored as if they did not exist.</P>
-
-<P>ICAP and eCAP services can be mixed and matched in an adaptation set or chain.</P>
-
-<H3>Dynamically form adaptation chains based on the ICAP X-Next-Services header.</H3>
-
-<P>If an ICAP service with the routing=1 option in squid.conf returns an ICAP
-X-Next-Services response header during a successful REQMOD or RESPMOD
-transaction, Squid abandons the original adaptation plan and forms a new
-adaptation chain consisting of services identified in the X-Next-Services
-header value (using a comma-separated list of adaptation service names from
-squid.conf). The dynamically created chain is destroyed once the new plan is
-completed or replaced.</P>
-
-<P>This feature is useful when a custom adaptation service knows which other
-services are applicable to the message being adapted.</P>
-
-<P>Limit adaptation iterations to adaptation_service_iteration_limit to protect
-Squid from infinite adaptation loops caused by ICAP services constantly
-including themselves in the dynamic adaptation chain they request. When the
-limit is exceeded, the master transaction fails. The default limit of 16
-should be large enough to not require an explicit configuration in most
-environments yet may be small enough to limit side-effects of loops.</P>
-
-
-<H2><A NAME="s3">3.</A> <A HREF="#toc3">Windows support</A></H2>
-
-<P>This Squid version can run on Windows as a system service using the Cygwin emulation environment,
-or can be compiled in Windows native mode using the MinGW + MSYS development environment. Windows NT 4 SP4 and later are supported.<BR>
-On Windows 2000 and later the service is configured to use the Windows Service Recovery option
-restarting automatically after 60 seconds.</P>
-
-<H2><A NAME="ss3.1">3.1</A> <A HREF="#toc3.1">Usage</A>
-</H2>
-
-<P>Some new command line options were added for the Windows service support:<BR></P>
-
-<P>The service installation is made with -i command line switch, it's possible to use -f switch at
-the same time for specify a different config-file settings for the Squid Service that will be
-stored on the Windows Registry.</P>
-
-<P>A new -n switch specify the Windows Service Name, so multiple Squid instance are allowed.
-<EM>"Squid"</EM> is the default when the switch is not used.</P>
-
-<P>So, to install the service, the syntax is: </P>
-<P>
-<PRE>
-squid -i [-f file] [-n name]
-</PRE>
-</P>
-
-<P>Service uninstallation is made with -r command line switch with the appropriate -n switch.</P>
-
-<P>The -k switch family must be used with the appropriate -f and -n switches, so the syntax is: </P>
-<P>
-<PRE>
-squid -k command [-f file] -n service-name
-</PRE>
-
-where <EM>service-name</EM> is the name specified with -n options at service install time.</P>
-
-<P>To use the Squid original command line, the new -O switch must be used ONCE, the syntax is: </P>
-<P>
-<PRE>
-squid -O cmdline [-n service-name]
-</PRE>
-</P>
-<P>If multiple service command line options must be specified, use quote. The -n switch is
-needed only when a non default service name is in use.</P>
-
-<P>Don't use the "Start parameters" in the Windows 2000/XP/2003 Service applet: they are
-specific to Windows services functionality and Squid is not designed for understand they.</P>
-
-<P>In the following example the command line of the "squidsvc" Squid service is set to "-D -u 3130": </P>
-<P>
-<PRE>
-squid -O "-D -u 3130" -n squidsvc
-</PRE>
-</P>
-
-<H2><A NAME="ss3.2">3.2</A> <A HREF="#toc3.2">PSAPI.DLL (Process Status Helper) Considerations</A>
-</H2>
-
-<P>The process status helper functions make it easier for you to obtain information about
-processes and device drivers running on Microsoft® Windows NT®/Windows® 2000. These
-functions are available in PSAPI.DLL, which is distributed in the Microsoft® Platform
-Software Development Kit (SDK). The same information is generally available through the
-performance data in the registry, but it is more difficult to get to it. PSAPI.DLL is
-freely redistributable.</P>
-
-<P>PSAPI.DLL is available only on Windows NT, 2000, XP and 2003. The implementation in Squid is
-aware of this, and try to use it only on the right platform.</P>
-
-<P>On Windows NT PSAPI.DLL can be found as component of many applications, if you need it,
-you can find it on Windows NT Resource KIT. If you have problem, it can be
-downloaded from here:
-<A HREF="http://download.microsoft.com/download/platformsdk/Redist/4.0.1371.1/NT4/EN-US/psinst.EXE">http://download.microsoft.com/download/platformsdk/Redist/4.0.1371.1/NT4/EN-US/psinst.EXE</A></P>
-
-<P>On Windows 2000 and later it is available installing the Windows Support Tools, located on the
-Support\Tools folder of the installation Windows CD-ROM.</P>
-
-<H2><A NAME="ss3.3">3.3</A> <A HREF="#toc3.3">Registry DNS lookup</A>
-</H2>
-
-<P>On Windows platforms, if no value is specified in the <EM>dns_nameservers</EM> option on
-squid.conf or in the /etc/resolv.conf file, the list of DNS name servers are
-taken from the Windows registry, both static and dynamic DHCP configurations
-are supported.</P>
-
-<H2><A NAME="ss3.4">3.4</A> <A HREF="#toc3.4">Compatibility Notes</A>
-</H2>
-
-<P>
-<UL>
-<LI>It's recommended to use '/' char in Squid paths instead of '\'</LI>
-<LI>Paths with spaces (like 'C:\Programs Files\Squid) are NOT supported by Squid</LI>
-<LI>When using ACL like 'acl aclname acltype "file"' the file must be in DOS text
-format (CR+LF) and the full Windows path must be specified, for example:
-
-<PRE>
-acl blocklist url_regex -i "c:/squid/etc/blocked1.txt"
-</PRE>
-
-</LI>
-<LI>The Windows equivalent of '/dev/null' is 'NUL'</LI>
-<LI>Squid doesn't know how to run external helpers based on scripts, like .bat, .cmd,
-.vbs, .pl, etc. So in squid.conf the interpreter path must be always specified, for example:
-
-<PRE>
-redirect_program c:/perl/bin/perl.exe c:/squid/libexec/redir.pl
-redirect_program c:/winnt/system32/cmd.exe /C c:/squid/libexec/redir.cmd
-</PRE>
-</LI>
-<LI>When Squid runs in command line mode, the launching user account must have administrative privilege on the system</LI>
-<LI>"Start parameters" in the Windows 2000/XP/2003 Service applet cannot be used</LI>
-<LI>On Windows Vista and later, User Account Control (UAC) must be disabled before running service installation</LI>
-</UL>
-</P>
-
-
-<H2><A NAME="ss3.5">3.5</A> <A HREF="#toc3.5">Known Limitations</A>
-</H2>
-
-<P>
-<UL>
-<LI>Squid features not operational:<BR>
-<UL>
-<LI>DISKD: still needs to be ported<BR></LI>
-<LI>WCCP: cannot work because user space GRE support on Windows is missing<BR></LI>
-<LI>Transparent Proxy: missing Windows non commercial interception driver<BR></LI>
-</UL>
-</LI>
-<LI>Some code sections can make blocking calls.</LI>
-<LI>Some external helpers may not work.</LI>
-<LI>File Descriptors number hard-limited to 2048 when building with MinGW.</LI>
-</UL>
-</P>
-
-<H2><A NAME="ss3.6">3.6</A> <A HREF="#toc3.6">Building Squid on Windows</A>
-</H2>
-
-<P>A reasonably recent release of
-<A HREF="http://www.cygwin.com/">Cygwin</A> or
-<A HREF="http://www.mingw.org/">MinGW</A> is needed.<BR>
-The usage of the Cygwin environment is very similar to other Unix/Linux environments, and -devel version of libraries must be installed.<BR>
-For the MinGW environment, the packages MSYS, MinGW and msysDTK must be installed. Some additional libraries and tools must be downloaded separately:<BR><BR>
-OpenSSL:
-<A HREF="http://www.slproweb.com/products/Win32OpenSSL.html">Shining Light Productions Win32 OpenSSL</A><BR>
-libcrypt:
-<A HREF="http://sourceforge.net/projects/mingwrep/">MinGW packages repository</A><BR>
-db-1.85:
-<A HREF="http://tinycobol.org/download.html">TinyCOBOL download area</A><BR>
-When running configure, --disable-wccp and --disable-wccpv2 options should always specified to avoid compile errors.<BR>
-<UL>
-<LI>New configure options:<BR>
-<UL>
-<LI>--enable-win32-service<BR></LI>
-</UL>
-</LI>
-<LI>Updated configure options:<BR>
-<UL>
-<LI>--enable-arp-acl<BR></LI>
-<LI>--enable-default-hostsfile<BR></LI>
-</UL>
-</LI>
-<LI>Unsupported configure options:<BR>
-<UL>
-<LI>--enable-coss-aio-ops: On Windows Posix AIO is not available<BR></LI>
-<LI>--with-large-files: No suitable build environment is available on both Cygwin and MinGW, but --enable-large-cache-files works fine<BR></LI>
-</UL>
-</LI>
-<LI>Recommended configure minimal options for Windows:<BR>
-<UL>
-<LI>--prefix=c:/squid --disable-wccp --disable-wccpv2 --enable-win32-service --enable-default-hostsfile=none</LI>
-</UL>
-</LI>
-</UL>
-<BR>
-Before build Squid with SSL support, some operations are needed (in the following example OpenSSL is installed in C:\OpenSSL and MinGW in C:\MinGW):
-<UL>
-<LI>Copy C:\OpenSSL\lib\MinGW content to C:\MinGW\lib<BR></LI>
-<LI>Copy C:\OpenSSL\include\openssl content to C:\MinGW\include\openssl<BR></LI>
-<LI>Rename C:\MinGW\lib\ssleay32.a to C:\MinGW\lib\libssleay32.a<BR></LI>
-</UL>
-</P>
-
-<H2><A NAME="ss3.7">3.7</A> <A HREF="#toc3.7">Using cache manager on Windows:</A>
-</H2>
-
-<P>On Windows, cache manager (cachemgr.cgi) can be used with Microsoft IIS or Apache.<BR>
-Some specific configuration could be needed:<BR>
-<UL>
-<LI>IIS 6 (Windows 2003):<BR>
-<UL>
-<LI>On IIS 6.0 all CGI extensions are denied by default for security reason, so the following configuration is needed:<BR>
-<UL>
-<LI>Create a cgi-bin Directory</LI>
-<LI>Define the cgi-bin IIS Virtual Directory with read and CGI execute IIS
-permissions, ASP scripts are not needed. This automatically defines a
-cgi-bin IIS web application </LI>
-<LI>Copy cachemgr.cgi into cgi-bin directory and look to file permissions:
-the IIS system account and SYSTEM must be able to read and execute the file</LI>
-<LI>In IIS manager go to Web Service extensions and add a new Web Service
-Extension called <EM>"Squid Cachemgr"</EM>, add the cachemgr.cgi file and set the
-extension status to <EM>Allowed</EM></LI>
-</UL>
-</LI>
-</UL>
-</LI>
-<LI>Apache:<BR>
-<UL>
-<LI>On Windows, cachemgr.cgi needs to create a temporary file, so Apache must be instructed
-to pass the TMP and TEMP Windows environment variables to CGI applications:<BR>
-<PRE>
-ScriptAlias /squid/cgi-bin/ "c:/squid/libexec/"
-<Location /squid/cgi-bin/cachemgr.cgi>
- PassEnv TMP TEMP
- Order allow,deny
- Allow from workstation.example.com
-</Location>
-</PRE>
-</LI>
-</UL>
-</LI>
-</UL>
-</P>
-
-
-<H2><A NAME="s4">4.</A> <A HREF="#toc4">Changes to squid.conf since Squid-3.0</A></H2>
-
-<P>There have been changes to Squid's configuration file since Squid-3.0.</P>
-<P>This section gives a thorough account of those changes in three categories:</P>
-<P>
-<UL>
-<LI>
-<A HREF="#newtags">New tags</A></LI>
-<LI>
-<A HREF="#modifiedtags">Changes to existing tags</A></LI>
-<LI>
-<A HREF="#removedtags">Removed tags</A></LI>
-</UL>
-</P>
-
-
-
-<H2><A NAME="newtags"></A> <A NAME="ss4.1">4.1</A> <A HREF="#toc4.1">New tags</A>
-</H2>
-
-<P>
-<DL>
-<DT><B>acl_uses_indirect_client</B><DD>
-<P>Whether to use any result found by follow_x_forwarded_for in further ACL processing.
-Default: ON
-<PRE>
- Controls whether the indirect client address
- (see follow_x_forwarded_for) is used instead of the
- direct client address in acl matching.
-
-</PRE>
-</P>
-
-<DT><B>adaptation_access</B><DD>
-<P>Sends an HTTP transaction to an ICAP or eCAP adaptation service.
-<PRE>
- adaptation_access service_name allow|deny [!]aclname...
- adaptation_access set_name allow|deny [!]aclname...
-
- At each supported vectoring point, the adaptation_access
- statements are processed in the order they appear in this
- configuration file. Statements pointing to the following services
- are ignored (i.e., skipped without checking their ACL):
-
- - services serving different vectoring points
- - "broken-but-bypassable" services
- - "up" services configured to ignore such transactions
- (e.g., based on the ICAP Transfer-Ignore header).
-
- When a set_name is used, all services in the set are checked
- using the same rules, to find the first applicable one. See
- adaptation_service_set for details.
-
- If an access list is checked and there is a match, the
- processing stops: For an "allow" rule, the corresponding
- adaptation service is used for the transaction. For a "deny"
- rule, no adaptation service is activated.
-
- It is currently not possible to apply more than one adaptation
- service at the same vectoring point to the same HTTP transaction.
-
-</PRE>
-</P>
-
-<DT><B>adaptation_masterx_shared_names</B><DD>
-<P>
-<PRE>
- For each master transaction (i.e., the HTTP request and response
- sequence, including all related ICAP and eCAP exchanges), Squid
- maintains a table of metadata. The table entries are (name, value)
- pairs shared among eCAP and ICAP exchanges. The table is destroyed
- with the master transaction.
-
- This option specifies the table entry names that Squid must accept
- from and forward to the adaptation transactions.
-
- An ICAP REQMOD or RESPMOD transaction may set an entry in the
- shared table by returning an ICAP header field with a name
- specified in adaptation_masterx_shared_names. Squid will store
- and forward that ICAP header field to subsequent ICAP
- transactions within the same master transaction scope.
-
- Only one shared entry name is supported at this time.
-
-</PRE>
-</P>
-
-<DT><B>adaptation_service_chain</B><DD>
-<P>
-<PRE>
- Configures a list of complementary services that will be applied
- one-by-one, forming an adaptation chain or pipeline. This is useful
- when Squid must perform different adaptations on the same message.
-
- adaptation_service_chain chain_name service_name1 svc_name2 ...
-
- The named services are used in the chain declaration order. The first
- applicable adaptation service from the chain is used first. The next
- applicable service is applied to the successful adaptation results of
- the previous service in the chain.
-
- When adaptation starts, broken services are ignored as if they were
- not a part of the chain. A broken service is a down optional service.
-
- Request satisfaction terminates the adaptation chain because Squid
- does not currently allow declaration of RESPMOD services at the
- "reqmod_precache" vectoring point (see icap_service or ecap_service).
-
- The services in a chain must be attached to the same vectoring point
- (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
-
- A chain may contain a mix of optional and essential services. If an
- essential adaptation fails (or the failure cannot be bypassed for
- other reasons), the master transaction fails. Otherwise, the failure
- is bypassed as if the failed adaptation service was not in the chain.
-
-</PRE>
-</P>
-
-<DT><B>adaptation_service_iteration_limit</B><DD>
-<P>
-<PRE>
- Limits the number of iterations allowed when applying adaptation
- services to a message. If your longest adaptation set or chain
- may have more than 16 services, increase the limit beyond its
- default value of 16. If detecting infinite iteration loops sooner
- is critical, make the iteration limit match the actual number
- of services in your longest adaptation set or chain.
-
- Infinite adaptation loops are most likely with routing services.
-
-</PRE>
-</P>
-
-<DT><B>adaptation_service_set</B><DD>
-<P>
-<PRE>
- Configures an ordered set of similar, redundant services. This is
- useful when hot standby or backup adaptation servers are available.
-
- adaptation_service_set set_name service_name1 service_name2 ...
-
- The named services are used in the set declaration order. The first
- applicable adaptation service from the set is used first. The next
- applicable service is tried if and only if the transaction with the
- previous service fails and the message waiting to be adapted is still
- intact.
-
- When adaptation starts, broken services are ignored as if they were
- not a part of the set. A broken service is a down optional service.
-
- The services in a set must be attached to the same vectoring point
- (e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
-
- If all services in a set are optional then adaptation failures are
- bypassable. If all services in the set are essential, then a
- transaction failure with one service may still be retried using
- another service from the set, but when all services fail, the master
- transaction fails as well.
-
- A set may contain a mix of optional and essential services, but that
- is likely to lead to surprising results because broken services become
- ignored (see above), making previously bypassable failures fatal.
- Technically, it is the bypassability of the last failed service that
- matters.
-
-</PRE>
-</P>
-
-<DT><B>chunked_request_body_max_size</B><DD>
-<P>New option to enable handing of broken HTTP/1.1 clients sending chunk requests.
-<PRE>
- A broken or confused HTTP/1.1 client may send a chunked HTTP
- request to Squid. Squid does not have full support for that
- feature yet. To cope with such requests, Squid buffers the
- entire request and then dechunks request body to create a
- plain HTTP/1.0 request with a known content length. The plain
- request is then used by the rest of Squid code as usual.
-
- The option value specifies the maximum size of the buffer used
- to hold the request before the conversion. If the chunked
- request size exceeds the specified limit, the conversion
- fails, and the client receives an "unsupported request" error,
- as if dechunking was disabled.
-
- Dechunking is enabled by default. To disable conversion of
- chunked requests, set the maximum to zero.
-
- Request dechunking feature and this option in particular are a
- temporary hack. When chunking requests and responses are fully
- supported, there will be no need to buffer a chunked request.
-
-</PRE>
-</P>
-
-<DT><B>delay_pool_uses_indirect_client</B><DD>
-<P>Whether to use any result found by follow_x_forwarded_for in delay_pool assignment.
-Default: ON
-<PRE>
- Controls whether the indirect client address
- (see follow_x_forwarded_for) is used instead of the
- direct client address in delay pools.
-
-</PRE>
-</P>
-
-<DT><B>dns_v4_fallback</B><DD>
-<P>New option to prevent squid from always looking up IPv4 regardless of whether IPv6 addresses are found.
-Squid will follow a policy of prefering IPv6 links, keeping the IPv4 only as a safety net behind IPv6.
-<PRE>
- Standard practice with DNS is to lookup either A or AAAA records
- and use the results if it succeeds. Only looking up the other if
- the first attempt fails or otherwise produces no results.
-
- That policy however will cause squid to produce error pages for some
- servers that advertise AAAA but are unreachable over IPv6.
-
- If this is ON squid will always lookup both AAAA and A, using both.
- If this is OFF squid will lookup AAAA and only try A if none found.
-
- WARNING: There are some possibly unwanted side-effects with this on:
- *) Doubles the load placed by squid on the DNS network.
- *) May negatively impact connection delay times.
-
-</PRE>
-</P>
-
-<DT><B>ecap_enable</B><DD>
-<P>Controls whether eCAP support is enabled. Default: OFF</P>
-
-<DT><B>ecap_service</B><DD>
-<P>Defines a single eCAP service
-<PRE>
- ecap_service servicename vectoring_point bypass service_url
-
- vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
- This specifies at which point of transaction processing the
- eCAP service should be activated. *_postcache vectoring points
- are not yet supported.
-
- bypass = 1|0
- If set to 1, the eCAP service is treated as optional. If the
- service cannot be reached or malfunctions, Squid will try to
- ignore any errors and process the message as if the service
- was not enabled. No all eCAP errors can be bypassed.
- If set to 0, the eCAP service is treated as essential and all
- eCAP errors will result in an error page returned to the
- HTTP client.
-
- service_url = ecap://vendor/service_name?custom&cgi=style&parameters=optional
-
- Example:
- ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block
- ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg
-
-</PRE>
-</P>
-
-<DT><B>err_page_stylesheet</B><DD>
-<P>New option to configure location for CSS stylesheet controlling error page display.</P>
-
-<DT><B>error_default_language</B><DD>
-<P>New option to replace the old configure option --enable-default-err-language
-New translations can be downloaded from http://www.squid-cache.org/Versions/langpack/
-<PRE>
- Set the default language which squid will send error pages in
- if no existing translation matches the clients language
- preferences.
-
- If unset (default) generic English will be used.
-
-</PRE>
-</P>
-
-<DT><B>error_log_languages</B><DD>
-<P>
-<PRE>
- Log to cache.log what languages users are attempting to
- auto-negotiate for translations.
-
- Successful negotiations are not logged. Only failures
- have meaning to indicate that Squid may need an upgrade
- of its error page translations.
-
-</PRE>
-</P>
-
-<DT><B>follow_x_forwarded_for</B><DD>
-<P>Enable processing of the X-Forwarded-for header for various administration tasks.
-<PRE>
- Allowing or Denying the X-Forwarded-For header to be followed to
- find the original source of a request.
-
- Requests may pass through a chain of several other proxies
- before reaching us. The X-Forwarded-For header will contain a
- comma-separated list of the IP addresses in the chain, with the
- rightmost address being the most recent.
-
- If a request reaches us from a source that is allowed by this
- configuration item, then we consult the X-Forwarded-For header
- to see where that host received the request from. If the
- X-Forwarded-For header contains multiple addresses, and if
- acl_uses_indirect_client is on, then we continue backtracking
- until we reach an address for which we are not allowed to
- follow the X-Forwarded-For header, or until we reach the first
- address in the list. (If acl_uses_indirect_client is off, then
- it's impossible to backtrack through more than one level of
- X-Forwarded-For addresses.)
-
- The end result of this process is an IP address that we will
- refer to as the indirect client address. This address may
- be treated as the client address for access control, delay
- pools and logging, depending on the acl_uses_indirect_client,
- delay_pool_uses_indirect_client and log_uses_indirect_client
- options.
-
- SECURITY CONSIDERATIONS:
- Any host for which we follow the X-Forwarded-For header
- can place incorrect information in the header, and Squid
- will use the incorrect information as if it were the
- source address of the request. This may enable remote
- hosts to bypass any access control restrictions that are
- based on the client's source addresses.
-
- For example:
-
- acl localhost src 127.0.0.1
- acl my_other_proxy srcdomain .proxy.example.com
- follow_x_forwarded_for allow localhost
- follow_x_forwarded_for allow my_other_proxy
-
-</PRE>
-</P>
-
-<DT><B>ftp_epsv</B><DD>
-<P>
-<PRE>
- FTP Protocol extensions permit the use of a special "EPSV" command.
-
- NATs may be able to put the connection on a "fast path" through the
- translator using EPSV, as the EPRT command will never be used and therefore,
- translation of the data portion of the segments will never be needed.
-
- Turning this OFF will prevent EPSV being attempted.
-
- WARNING: Doing so will convert Squid back to the old behavior with all
- the related problems with external NAT devices/layers.
-
- Requires ftp_passive to be ON (default) for any effect.
-
-</PRE>
-</P>
-
-<DT><B>ftp_epsv_all</B><DD>
-<P>
-<PRE>
- FTP Protocol extensions permit the use of a special "EPSV ALL" command.
-
- NATs may be able to put the connection on a "fast path" through the
- translator, as the EPRT command will never be used and therefore,
- translation of the data portion of the segments will never be needed.
-
- When a client only expects to do two-way FTP transfers this may be useful.
- If squid finds that it must do a three-way FTP transfer after issuing
- an EPSV ALL command, the FTP session will fail.
-
- If you have any doubts about this option do not use it.
- Squid will nicely attempt all other connection methods.
-
- Requires ftp_passive to be ON (default)
-
-</PRE>
-</P>
-
-<DT><B>forward_max_tries</B><DD>
-<P>Controls how many different forward paths Squid will try
-before giving up. Default: 10</P>
-
-<DT><B>icap_log</B><DD>
-<P>New option to write ICAP log files record ICAP transaction summaries, one line per
-transaction. Similar to access.log.
-<PRE>
- The icap_log option format is:
- icap_log <filepath> [<logformat name> [acl acl ...]]
- icap_log none [acl acl ...]]
-
- Please see access_log option documentation for details. The two
- kinds of logs share the overall configuration approach and many
- features.
-
- ICAP processing of a single HTTP message or transaction may
- require multiple ICAP transactions. In such cases, multiple
- ICAP transaction log lines will correspond to a single access
- log line.
-
- ICAP log uses logformat codes that make sense for an ICAP
- transaction. Header-related codes are applied to the HTTP header
- embedded in an ICAP server response, with the following caveats:
- For REQMOD, there is no HTTP response header unless the ICAP
- server performed request satisfaction. For RESPMOD, the HTTP
- request header is the header sent to the ICAP server. For
- OPTIONS, there are no HTTP headers.
-
- The following format codes are also available for ICAP logs:
-
- icap::<A ICAP server IP address. Similar to <A.
-
- icap::<service_name ICAP service name from the icap_service
- option in Squid configuration file.
-
- icap::ru ICAP Request-URI. Similar to ru.
-
- icap::rm ICAP request method (REQMOD, RESPMOD, or
- OPTIONS). Similar to existing rm.
-
- icap::>st Bytes sent to the ICAP server (TCP payload
- only; i.e., what Squid writes to the socket).
-
- icap::<st Bytes received from the ICAP server (TCP
- payload only; i.e., what Squid reads from
- the socket).
-
- icap::tr Transaction response time (in
- milliseconds). The timer starts when
- the ICAP transaction is created and
- stops when the transaction is completed.
- Similar to tr.
-
- icap::tio Transaction I/O time (in milliseconds). The
- timer starts when the first ICAP request
- byte is scheduled for sending. The timers
- stops when the last byte of the ICAP response
- is received.
-
- icap::to Transaction outcome: ICAP_ERR* for all
- transaction errors, ICAP_OPT for OPTION
- transactions, ICAP_ECHO for 204
- responses, ICAP_MOD for message
- modification, and ICAP_SAT for request
- satisfaction. Similar to Ss.
-
- icap::Hs ICAP response status code. Similar to Hs.
-
- icap::>h ICAP request header(s). Similar to >h.
-
- icap::<h ICAP response header(s). Similar to <h.
-
- The default ICAP log format, which can be used without an explicit
- definition, is called icap_squid:
-
-logformat icap_squid %ts.%03tu %6icap::tr %>a %icap::to/%03icap::Hs %icap::<size %icap::rm %icap::ru% %un -/%icap::<A -
-
-</PRE>
-</P>
-
-<DT><B>icap_retry</B><DD>
-<P>New option to determine which retriable ICAP transactions are
-retried.
-<PRE>
- Transactions that received a complete ICAP response
- and did not have to consume or produce HTTP bodies to receive
- that response are usually retriable.
-
- icap_retry allow|deny [!]aclname ...
-
- Squid automatically retries some ICAP I/O timeouts and errors
- due to persistent connection race conditions.
-
-</PRE>
-</P>
-
-<DT><B>icap_retry_limit</B><DD>
-<P>
-<PRE>
- Limits the number of retries allowed. When set to zero (default),
- no retries are allowed.
-
- Communication errors due to persistent connection race
- conditions are unavoidable, automatically retried, and do not
- count against this limit.
-
-</PRE>
-</P>
-
-<DT><B>include</B><DD>
-<P>New option to import entire secondary configuration files into squid.conf.
-<PRE>
- Squid will follow the files immediately and insert all their content
- as if it was at that position in squid.conf. As per squid.conf some
- options are order-specific within the config as a whole.
-
- A few layers of include are allowed, but too many are confusing and
- squid will enforce an include depth of 16 files.
-
- Syntax:
- include /path/to/file1 /path/to/file2
-
-</PRE>
-</P>
-
-<DT><B>loadable_modules</B><DD>
-<P>Instructs Squid to load the specified dynamic module(s) or activate
-preloaded module(s).
-<PRE>
- Example:
- loadable_modules @DEFAULT_PREFIX@/lib/MinimalAdapter.so
-
-</PRE>
-</P>
-
-<DT><B>log_icap aclname [aclname ...]</B><DD>
-<P>
-<PRE>
- This options allows you to control which requests get logged
- to icap.log. See the icap_log directive for ICAP log details.
-
-</PRE>
-</P>
-
-<DT><B>log_uses_indirect_client</B><DD>
-<P>Whether to use any result found by follow_x_forwarded_for in access.log.
-Default: ON
-<PRE>
- Controls whether the indirect client address
- (see follow_x_forwarded_for) is used instead of the
- direct client address in the access log.
-
-</PRE>
-</P>
-
-<DT><B>netdb_filename</B><DD>
-<P>
-<PRE>
- A filename where Squid stores it's netdb state between restarts.
- To disable, enter "none".
-
-</PRE>
-</P>
-
-<DT><B>pinger_enable</B><DD>
-<P>New option to enable/disable the ICMP pinger helper with a reconfigure instead of a full rebuild.
-<PRE>
- Control whether the pinger is active at run-time.
- Enables turning ICMP pinger on and off with a simple squid -k reconfigure.
- default is on when --enable-icmp is compiled in.
-
-</PRE>
-</P>
-
-<DT><B>ssl_bump</B><DD>
-<P>New Access control for which CONNECT requests to an http_port
-marked with an sslBump flag are actually "bumped". Please
-see the sslBump flag of an http_port option for more details
-about decoding proxied SSL connections.
-DEFAULT: No requests are bumped.
-<PRE>
-NOCOMMENT_START
-# Example: Bump all requests except those originating from localhost and
-# those going to webax.com or example.com sites.
-#
-# acl broken_sites dstdomain .webax.com
-# acl broken_sites dstdomain .example.com
-# ssl_bump deny localhost
-# ssl_bump deny broken_sites
-# ssl_bump allow all
-
-</PRE>
-</P>
-
-<DT><B>sslproxy_cert_error</B><DD>
-<P>New Access Control to selectively bypass server certificate validation errors.
-DEFAULT: None bypassed.
-<PRE>
- For example, the following lines will bypass all validation errors
- when talking to servers located at 172.16.0.0/16. All other
- validation errors will result in ERR_SECURE_CONNECT_FAIL error.
-
- acl BrokenServersAtTrustedIP dst 172.16.0.0/16
- sslproxy_cert_error allow BrokenServersAtTrustedIP
- sslproxy_cert_error deny all
-
- This option must use fast ACL expressions only. Expressions that use
- external lookups or communication result in unpredictable behavior or
- crashes.
-
- Without this option, all server certificate validation errors
- terminate the transaction. Bypassing validation errors is dangerous
- because an error usually implies that the server cannot be trusted and
- the connection may be insecure.
-
-</PRE>
-</P>
-
-<DT><B>qos_flows local-hit= sibling-hit= parent-hit=</B><DD>
-<P>
-<PRE>
- Allows you to select a TOS/DSCP value to mark outgoing
- connections with, based on where the reply was sourced.
-
- TOS values really only have local significance - so you should
- know what you're specifying. For more information, see RFC2474,
- RFC2475, and RFC3260.
-
- The TOS/DSCP byte must be exactly that - octet value 0x00-0xFF.
- Note that in practice often only values up to 0x3F are usable
- as the two highest bits have been redefined for use by ECN
- (RFC3168).
-
- This setting is configured by setting the source TOS values:
-
- local-hit=0xFF Value to mark local cache hits.
-
- sibling-hit=0xFF Value to mark hits from sibling peers.
-
- parent-hit=0xFF Value to mark hits from parent peers.
-
-
- NOTE: 'miss' preserve feature is only possible on Linux at this time.
-
- For the following to work correctly, you will need to patch your
- linux kernel with the TOS preserving ZPH patch.
- The kernel patch can be downloaded from http://zph.bratcheda.org
-
- disable-preserve-miss
- If set, any HTTP response towards clients will
- have the TOS value of the response comming from the
- remote server masked with the value of miss-mask.
- miss-mask=0xFF
- Allows you to mask certain bits in the TOS received from the
- remote server, before copying the value to the TOS sent
- towards clients.
- Default: 0xFF (TOS from server is not changed).
-
-</PRE>
-</P>
-
-
-</DL>
-</P>
-
-<H2><A NAME="modifiedtags"></A> <A NAME="ss4.2">4.2</A> <A HREF="#toc4.2">Changes to existing tags</A>
-</H2>
-
-<P>
-<DL>
-<DT><B>acl</B><DD>
-<P>New preset content <EM>ipv6</EM> available as a preset type in the src and dst ACL matching all of the public IPv6 network space.</P>
-<P>New acl type myportname, matching the name of the http_port or https_port where the request was accepted.</P>
-<P>New acl type tag, matching the tag= returned from the external_acl_type helper.</P>
-<P>New acl type peername, matching against a named cache_peer entry where the request will be attempted first.
-NP: peername currently is limited to only match the first peer possible.
-<PRE>
- acl aclname dst ipv6 # request for IPv6-enabled site
- acl aclname src ipv6 # request from IPv6 address
- acl aclname myportname 3128 ... # http(s)_port name
- acl aclname peername myPeer ... # cache_peer ... name=myPeer
- acl aclname tag value ... # tag= option from external ACL
-
-</PRE>
-</P>
-
-<DT><B>auth_param ntlm, basic, digest</B><DD>
-<P>BASIC, DIGEST: New parameter option <EM>utf8 on|off</EM> to permit helpers to selectively process UTF-8 characters even though
-HTTP accepts only ISO-8859-1.</P>
-<P>NTLM: The helper binary bundled with Squid under the name <EM>ntlm_auth</EM> has been renamed to accurately reflect
-its real behavior and to prevent confusion with the more useful Samba helper using the same name.</P>
-<P>Despite being used for NTLM, the helper does not in fact provide true NTLM function. What it does provide is
-SMB LanManager authentication through the NTLM interface without the need for a domain controller. Thus the
-new name is <EM>ntlm_smb_lm_auth</EM>.</P>
-<P>WARNING: due to the name clash with Samba helper, admin should be careful to only update their squid.conf if the
-squid bundled binary is used and needed. If the Samba helper is in use, the squid.conf should not be altered.</P>
-
-<DT><B>balance_on_multiple_ip</B><DD>
-<P>The previous default behavour (rotate per-request) of this setting causes failover clashes with IPv6 built-in mechanisms.
-It has thus been turned off by default. Making the 'best choice' IP continue in use for any hostname until it encounters a connection failure and failover drops to the next known IP.
-<PRE>
- Modern IP resolvers in squid sort lookup results by preferred access.
- By default squid will use these IP in order and only rotates to
- the next listed when the most preffered fails.
-
- Some load balancing servers based on round robin DNS have been
- found not to preserve user session state across requests
- to different IP addresses.
-
- Enabling this directive Squid rotates IP's per request.
-
-</PRE>
-</P>
-
-<DT><B>cache</B><DD>
-<P>Removed the 'QUERY' acl and 'cache deny QUERY' entries.
-Replaced by new refresh_pattern instead.</P>
-
-<DT><B>cache_dir</B><DD>
-<P>Default changed to 256MB in-memory cache.
-see cache_mem and maximum_object_size_in_memory for size parameters.</P>
-<P>'null' storage type dropped. In-memory cache is always present. Remove all cache_dir options to prevent on-disk caching.</P>
-
-<DT><B>cache_mem</B><DD>
-<P>Default size increased to 256MB.</P>
-
-<DT><B>cache_peer htcp-no-clr htcp-no-purge-clr htcp-only-clr htcp-forward-clr connection-auth[=on|off|auto] connect-fail-limit=N</B><DD>
-<P>New Options.
-<PRE>
- use 'htcp-no-clr' to send HTCP to the neighbor but without
- sending any CLR requests. This cannot be used with
- htcp-only-clr.
-
- use 'htcp-no-purge-clr' to send HTCP to the neighbor
- including CLRs but only when they do not result from
- PURGE requests.
-
- use 'htcp-only-clr' to send HTCP to the neighbor but ONLY
- CLR requests. This cannot be used with htcp-no-clr.
-
- use 'htcp-forward-clr' to forward any HTCP CLR requests
- this proxy receives to the peer.
-
- use 'connection-auth=off' to tell Squid that this peer does
- not support Microsoft connection oriented authentication,
- and any such challenges received from there should be
- ignored. Default is 'auto' to automatically determine the
- status of the peer.
-
- use 'connect-fail-limit=nn' to specify how many times
- connecting to a peer must fail before it is marked as
- down. Default is 10.
-
-</PRE>
-</P>
-
-<DT><B>cache_store_log</B><DD>
-<P>Default changed to OFF. Matching long-standing developer recommendations.</P>
-
-<DT><B>error_directory</B><DD>
-<P>Now an optional entry in squid.conf. If present it will force all visitors to receive the error pages
-contained in the directory it points at. If absent, error page localization will be given a chance.
-<PRE>
- If you wish to create your own versions of the default
- error files to customize them to suit your company COPY
- the error/template files to another directory and point
- this tag at them.
-
- WARNING: This option will disable multi-language support
- on error pages if used.
-
-</PRE>
-</P>
-
-<DT><B>debug_options rotate=</B><DD>
-<P>New parameter rotate=N to control number of cache.log rotations independent of other logs.</P>
-
-
-<DT><B>external_acl_type</B><DD>
-<P>New options 'ipv4' and 'ipv6' are added to set the IPv4/v6 protocol between squid and its helpers.
-Please be aware of some limits to these options. These options only affet the transport protocol used
-to send data to and from the helpers. Squid in IPv6-mode may still send %SRC addresses in IPv4 or IPv6
-format, so all helpers will need to be checked and converted to cope with such information cleanly.
-<PRE>
- ipv4 / ipv6 IP-mode used to communicate to this helper.
- For compatability with older configurations and helpers
- the default is 'ipv4'.
-
-</PRE>
-</P>
-<P>New header input format specifiers. To seperate Request and Reply headers when both passed back.
-<PRE>
- %>{Header} HTTP request header
- %>{Hdr:member} HTTP request header list member
- %>{Hdr:;member} HTTP request header list member using ; as
- list separator. ; can be any non-alphanumeric
- character.
-
- %<{Header} HTTP reply header
- %<{Hdr:member} HTTP reply header list member
- %<{Hdr:;member} HTTP reply header list member using ; as
- list separator. ; can be any non-alphanumeric
- character.
-
-</PRE>
-</P>
-
-<DT><B>forwarded_for</B><DD>
-<P>New setting options. transparent, truncate, delete.
-<PRE>
- If set to "transparent", Squid will not alter the
- X-Forwarded-For header in any way.
-
- If set to "delete", Squid will delete the entire
- X-Forwarded-For header.
-
- If set to "truncate", Squid will remove all existing
- X-Forwarded-For entries, and place itself as the sole entry.
-
-</PRE>
-</P>
-
-<DT><B>http_port transparent intercept sslbump connection-auth[=on|off]</B><DD>
-<P>Option 'transparent' is being deprecated in favour of 'intercept' which more clearly identifies what the option does.
-For now option 'tproxy' remains with old behaviour meaning fully-invisible proxy using TPROXY support.</P>
-<P>New port options
-<PRE>
- intercept Rename of old 'transparent' option to indicate proper functionality.
-
- allow-direct Allow direct forwarding in accelerator mode. Normally
- accelerated requests are denied direct forwarding as if
- never_direct was used.
-
- connection-auth[=on|off]
- use connection-auth=off to tell Squid to prevent
- forwarding Microsoft connection oriented authentication
- (NTLM, Negotiate and Kerberos)
-
- keepalive[=idle,interval,timeout]
- Enable TCP keepalive probes of idle connections
- idle is the initial time before TCP starts probing
- the connection, interval how often to probe, and
- timeout the time before giving up.
-
- sslBump Intercept each CONNECT request matching ssl_bump ACL,
- establish secure connection with the client and with
- the server, decrypt HTTP messages as they pass through
- Squid, and treat them as unencrypted HTTP messages,
- becoming the man-in-the-middle.
-
- When this option is enabled, additional options become
- available to specify SSL-related properties of the
- client-side connection: cert, key, version, cipher,
- options, clientca, cafile, capath, crlfile, dhparams,
- sslflags, and sslcontext. See the https_port directive
- for more information on these options.
-
- The ssl_bump option is required to fully enable
- the SslBump feature.
-
-</PRE>
-</P>
-
-<DT><B>https_port intercept sslbump connection-auth[=on|off]</B><DD>
-<P>New port options. see http_port.</P>
-
-<DT><B>icap_service bypass=on|off|1|0 routing=on|off|1|0</B><DD>
-<P>New options 'bypass=' and 'routing='.
-<PRE>
- bypass=on|off|1|0
- If set to 'on' or '1', the ICAP service is treated as
- optional. If the service cannot be reached or malfunctions,
- Squid will try to ignore any errors and process the message as
- if the service was not enabled. No all ICAP errors can be
- bypassed. If set to 0, the ICAP service is treated as
- essential and all ICAP errors will result in an error page
- returned to the HTTP client.
-
- Bypass is off by default: services are treated as essential.
-
- routing=on|off|1|0
- If set to 'on' or '1', the ICAP service is allowed to
- dynamically change the current message adaptation plan by
- returning a chain of services to be used next. The services
- are specified using the X-Next-Services ICAP response header
- value, formatted as a comma-separated list of service names.
- Each named service should be configured in squid.conf and
- should have the same method and vectoring point as the current
- ICAP transaction. Services violating these rules are ignored.
- An empty X-Next-Services value results in an empty plan which
- ends the current adaptation.
-
- Routing is not allowed by default: the ICAP X-Next-Services
- response header is ignored.
-
-</PRE>
-</P>
-
-<DT><B>logfile_rotate</B><DD>
-<P>No longer controls cache.log rotation. Use debug_options rotate=N instead.</P>
-
-<DT><B>logformat</B><DD>
-<P>New log format tag sets %icap::* %adapt::* for adaptation information.
-%Hs tag deprecated and replaced by request/reply specific >Hs and <Hs
-HTTP request/reply format tags may now be optionally prefixed with http::.
-Old forms will be deprecated in some as yet undecided future release.
-<PRE>
- dt Total time spent making DNS lookups (milliseconds)
-
- [http::]>Hs HTTP status code sent to the client
- [http::]<Hs HTTP status code received from the next hop
- [http::]>sh Received HTTP request headers size
- [http::]<sh Sent HTTP reply headers size
- [http::]<pt Peer response time in milliseconds. The timer starts
- when the last request byte is sent to the next hop
- and stops when the last response byte is received.
- [http::]<tt Total server-side time in milliseconds. The timer
- starts with the first connect request (or write I/O)
- sent to the first selected peer. The timer stops
- with the last I/O with the last peer.
-
- If ICAP is enabled, the following two codes become available (as
- well as ICAP log codes documented with the icap_log option):
-
- icap::tt Total ICAP processing time for the HTTP
- transaction. The timer ticks when ICAP
- ACLs are checked and when ICAP
- transaction is in progress.
-
- icap::<last_h The header of the last ICAP response
- related to the HTTP transaction. Like
- <h, accepts an optional header name
- argument. Will not change semantics
- when multiple ICAP transactions per HTTP
- transaction are supported.
-
- If adaptation is enabled the following two codes become available:
-
- adapt::sum_trs Summed adaptation transaction response
- times recorded as a comma-separated list in
- the order of transaction start time. Each time
- value is recorded as an integer number,
- representing response time of one or more
- adaptation (ICAP or eCAP) transaction in
- milliseconds. When a failed transaction is
- being retried or repeated, its time is not
- logged individually but added to the
- replacement (next) transaction.
-
- adapt::all_trs All adaptation transaction response times.
- Same as adaptation_strs but response times of
- individual transactions are never added
- together. Instead, all transaction response
- times are recorded individually.
-
- You can prefix adapt::*_trs format codes with adaptation
- service name in curly braces to record response time(s) specific
- to that service. For example: %{my_service}adapt::sum_trs
-
-</PRE>
-</P>
-
-<DT><B>maximum_object_size_in_memory</B><DD>
-<P>Default size limit increased to 512KB.</P>
-
-<DT><B>negative_ttl</B><DD>
-<P>New default of 0 seconds. To prevent negative-caching of failure messages unless explicitly
-permitted by the message generating web server.</P>
-<P>Changing this is an RFC 2616 violation and now requires --enable-http-violations</P>
-
-<DT><B>refresh_pattern</B><DD>
-<P>New option 'ignore-must-revalidate'.
-<PRE>
- ignore-must-revalidate ignores any ``Cache-Control: must-revalidate``
- headers received from a server. Doing this VIOLATES
- the HTTP standard. Enabling this feature could make you
- liable for problems which it causes.
-
-</PRE>
-</P>
-<P>New set of basic patterns. These should always be listed after any custom patterns.
-They ensure RFC compliance with certain protocol and request handling in the absence
-of accurate Cache-Control: and Expires: information.
-<PRE>
-refresh_pattern ^ftp: 1440 20% 10080
-refresh_pattern ^gopher: 1440 0% 1440
-refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
-refresh_pattern . 0 20% 4320
-
-</PRE>
-</P>
-
-<DT><B>reply_header_max_size</B><DD>
-<P>Default limit increased to 64KB for RFC 2616 compliance.</P>
-
-<DT><B>request_header_max_size</B><DD>
-<P>Default limit increased to 64KB for RFC 2616 compliance.</P>
-
-<DT><B>tcp_outgoing_address</B><DD>
-<P>This option causes some problems when bridging IPv4 and IPv6. A workaround has been provided.
-<PRE>
- Squid is built with a capability of bridging the IPv4 and IPv6 internets.
- tcp_outgoing_address as previously used breaks this bridging by forcing
- all outbound traffic through a certain IPv4 which may be on the wrong
- side of the IPv4/IPv6 boundary.
-
- To operate with tcp_outgoing_address and keep the bridging benefits
- an additional ACL needs to be used which ensures the IPv6-bound traffic
- is never forced or permitted out the IPv4 interface.
-
- acl to_ipv6 dst ipv6
- tcp_outgoing_address 2002::c001 good_service_net to_ipv6
- tcp_outgoing_address 10.0.0.2 good_service_net !to_ipv6
-
- tcp_outgoing_address 2002::beef normal_service_net to_ipv6
- tcp_outgoing_address 10.0.0.1 normal_service_net !to_ipv6
-
- tcp_outgoing_address 2002::1 to_ipv6
- tcp_outgoing_address 10.0.0.3 !to_ipv6
-
-</PRE>
-</P>
-
-<DT><B>wccp2_assignment_method hash mask</B><DD>
-<P>Method names now accepted. Replacing the old magic numbers.
-'1' becomes 'hash' and '2' becomes 'mask'</P>
-
-<DT><B>wccp2_forwarding_method gre l2</B><DD>
-<P>Method names now accepted. Replacing the old magic numbers.
-'1' becomes 'gre' and '2' becomes 'l2'</P>
-
-<DT><B>wccp2_return_method gre l2</B><DD>
-<P>Method names now accepted. Replacing the old magic numbers.
-'1' becomes 'gre' and '2' becomes 'l2'</P>
-
-</DL>
-</P>
-
-
-<H2><A NAME="removedtags"></A> <A NAME="ss4.3">4.3</A> <A HREF="#toc4.3">Removed tags</A>
-</H2>
-
-<P>
-<DL>
-
-<DT><B>dns_testnames</B><DD>
-<P>Obsolete. This feature is no longer relevant to modern networks and was causing boot problems.
-The -D command line option used previously to suppress these tests is also obsolete.</P>
-
-<DT><B>extension_methods</B><DD>
-<P>Obsolete. All possible methods are now accepted and handled properly.</P>
-
-<DT><B>icap_class</B><DD>
-<P>Replaced by adaptation_service_set.</P>
-
-<DT><B>icap_access</B><DD>
-<P>Replaced by adaptation_access.</P>
-
-</DL>
-</P>
-
-
-<H2><A NAME="s5">5.</A> <A HREF="#toc5">Changes to ./configure options since Squid-3.0</A></H2>
-
-<P>There have been some changes to Squid's build configuration since Squid-3.0.</P>
-<P>This section gives an account of those changes in three categories:</P>
-<P>
-<UL>
-<LI>
-<A HREF="#newoptions">New options</A></LI>
-<LI>
-<A HREF="#modifiedoptions">Changes to existing options</A></LI>
-<LI>
-<A HREF="#removedoptions">Removed options</A></LI>
-</UL>
-</P>
-
-
-<H2><A NAME="newoptions"></A> <A NAME="ss5.1">5.1</A> <A HREF="#toc5.1">New options</A>
-</H2>
-
-<P>
-<DL>
-<DT><B>--enable-ecap</B><DD>
-<P>Build with support for loadable content adaptation modules.
-Cannot be used with --disable-loadable-modules.</P>
-
-<DT><B>--enable-follow-x-forwarded-for</B><DD>
-<P>Support following the X-Forwarded-For HTTP header for determining the
-original or indirect client when a request has been forwarded through other
-proxies.</P>
-
-<DT><B>--enable-zph-qos</B><DD>
-<P>Build with support for ZPH Quality of Service controls</P>
-
-<DT><B>--disable-auto-locale</B><DD>
-<P>Disable error page localization for visitors.</P>
-<P>error_directory option is required if this option is used.</P>
-
-<DT><B>--disable-ipv6</B><DD>
-<P>Build without IPv6 support. The default is to auto-detect system capabilities
-and build with IPv6 when possible.</P>
-
-<DT><B>--disable-loadable-modules</B><DD>
-<P>Build without support for loadable modules.</P>
-
-<DT><B>--disable-translation</B><DD>
-<P>Prevent Squid generating localized error page templates and manuals.
-Which is usually tried, but may not be needed.</P>
-<P>This is a development optimization for building from VCS when localization is
-not needed. Has no effect on pre-translated source bundles.</P>
-
-<DT><B>--with-dns-cname</B><DD>
-<P>Enable CNAME recursion within the Internal DNS resolver stub squid uses.
-This has no effect on the external DNS helper.</P>
-<P>Please note this extension is still experimental and may encounter problems.
-To see if it is actually needed you can run squid without it for a period and
-check the CNAME-Only Requests statistics squid maintains.</P>
-<P>If it produces ongoing serious problems the external helper may be needed
-but please report the bugs anyway.</P>
-
-<DT><B>--with-logdir=PATH</B><DD>
-<P>Allow build-time configuration of Default location for squid logs.</P>
-
-<DT><B>--with-ipv6-split-stack</B><DD>
-<P>Force enable special additions for IPv6 support in Windows XP and various BSD systems.
-see the IPv6 details above for a better description.</P>
-
-<DT><B>--with-pidfile=PATH</B><DD>
-<P>Allow build-time configuration of Default location and name of squid.pid file.</P>
-
-<DT><B>--with-po2html=PATH</B><DD>
-<P>Absolute path to po2html executable.
-Default is to automatically detect the binary.</P>
-
-</DL>
-</P>
-
-<H2><A NAME="modifiedoptions"></A> <A NAME="ss5.2">5.2</A> <A HREF="#toc5.2">Changes to existing options</A>
-</H2>
-
-<P>
-<DL>
-<DT><B>--enable-shared[=PKGS]</B><DD>
-<P>Default changed to yes.</P>
-
-<DT><B>--enable-linux-netfilter</B><DD>
-<P>This option now enables support for all three netfilter interception targets.</P>
-<P>Adding TPROXY version 4+ support to squid through the netfilter TPROXY target.
-This options requires a linux kernel 2.6.25 or later for embeded netfilter TPROXY targets.</P>
-<P>Older REDIRECT and DNAT targets work as before on HTTP ports marked 'intercept'.</P>
-
-<DT><B>--enable-linux-tproxy</B><DD>
-<P>Deprecated. Remains only to support old TPROXY version 2.2 installations.</P>
-
-<DT><B>--enable-ntlm-auth-helpers</B><DD>
-<P>Helper previously built by <EM>SMB</EM> is now built by <EM>smb_lm</EM>.
-It also has a new squid.conf name for usage, see <EM>auth_param</EM> above for details.</P>
-
-<DT><B>--disable-internl-dns</B><DD>
-<P>Better support for Linux using the external DNS helper.
-The helper will now compile and work with dns_nameservers on more variants of Linux than previously.</P>
-
-</DL>
-</P>
-<H2><A NAME="removedoptions"></A> <A NAME="ss5.3">5.3</A> <A HREF="#toc5.3">Removed options</A>
-</H2>
-
-<P>
-<DL>
-<DT><B>--enable-default-err-language</B><DD>
-<P>Replaced by error_default_language squid.conf option</P>
-
-<DT><B>--enable-err-languages</B><DD>
-<P>Removed. All languages used now for error page localization.</P>
-
-<DT><B>--disable-carp</B><DD>
-<P>Removed. CARP is required by several peering algoithms. Disabling is not useful.</P>
-</DL>
-</P>
-
-
-<H2><A NAME="s6">6.</A> <A HREF="#toc6">Options Removed since Squid-2</A></H2>
-
-<P>Some squid.conf and ./configure options which were available in Squid-2.6 and Squid-2.7 are made obsolete in Squid-3.1.</P>
-
-<H2><A NAME="ss6.1">6.1</A> <A HREF="#toc6.1">Removed squid.conf options since Squid-2.7</A>
-</H2>
-
-<P>
-<DL>
-<DT><B>auth_param</B><DD>
-<P><EM>blankpassword</EM> option for basic scheme removed.</P>
-
-<DT><B>external_acl_type</B><DD>
-<P>Format tag <EM>%{Header}</EM> replaced by <EM>%>{Header}</EM></P>
-<P>Format tag <EM>%{Header:member}</EM> replaced by <EM>%>{Header:member}</EM></P>
-
-<DT><B>header_access</B><DD>
-<P>Replaced by <EM>request_header_access</EM> and <EM>reply_header_access</EM></P>
-
-<DT><B>http_port</B><DD>
-<P><EM>no-connection-auth</EM> replaced by <EM>connection-auth=[on|off]</EM>. Default is ON.</P>
-<P><EM>transparent</EM> option replaced by <EM>intercept</EM></P>
-
-<DT><B>httpd_accel_no_pmtu_disc</B><DD>
-<P>Replaced by <EM>http_port disable-pmtu-discovery=</EM> option</P>
-
-<DT><B>incoming_rate</B><DD>
-<P>Obsolete.</P>
-
-<DT><B>redirector_bypass</B><DD>
-<P>Replaced by <EM>url_rewrite_bypass</EM></P>
-
-<DT><B>zph_local</B><DD>
-<P>Replaced by <EM>qos_flows local-hit=</EM></P>
-
-<DT><B>zph_mode</B><DD>
-<P>Obsolete.</P>
-
-<DT><B>zph_option</B><DD>
-<P>Obsolete.</P>
-
-<DT><B>zph_parent</B><DD>
-<P>Replaced by <EM>qos_flows parent-hit=</EM></P>
-
-<DT><B>zph_sibling</B><DD>
-<P>Replaced by <EM>qos_flows sibling-hit=</EM></P>
-
-</DL>
-</P>
-
-<H2><A NAME="ss6.2">6.2</A> <A HREF="#toc6.2">Removed squid.conf options since Squid-2.6</A>
-</H2>
-
-<P>
-<DL>
-<DT><B>cache_dir</B><DD>
-<P><EM>read-only</EM> option replaced by <EM>no-store</EM>.</P>
-
-</DL>
-</P>
-
-<H2><A NAME="ss6.3">6.3</A> <A HREF="#toc6.3">Removed ./configure options since Squid-2.7</A>
-</H2>
-
-<P>
-<DL>
-<DT><B>--enable-coss-aio-ops</B><DD>
-<P>Obsolete.</P>
-
-<DT><B>--enable-devpoll</B><DD>
-<P>Replaced by automatic detection.</P>
-
-<DT><B>--enable-dlmalloc=LIB</B><DD>
-<P>Obsolete.</P>
-
-<DT><B>--enable-epoll</B><DD>
-<P>Replaced by automatic detection.</P>
-
-<DT><B>--enable-forward-log</B><DD>
-<P>Obsolete.</P>
-
-<DT><B>--enable-heap-replacement</B><DD>
-<P>Obsolete.</P>
-
-<DT><B>--enable-htcp</B><DD>
-<P>Obsolete. Enabled by default.</P>
-
-<DT><B>--enable-large-cache-files</B><DD>
-<P>Obsolete.</P>
-
-<DT><B>--enable-mempool-debug</B><DD>
-<P>Obsolete.</P>
-
-<DT><B>--enable-multicast-miss</B><DD>
-<P>Obsolete.</P>
-
-<DT><B>--enable-poll</B><DD>
-<P>Replaced by automatic detection.</P>
-
-<DT><B>--enable-select</B><DD>
-<P>Replaced by automatic detection.</P>
-
-<DT><B>--enable-select-simple</B><DD>
-<P>Replaced by automatic detection.</P>
-
-<DT><B>--enable-snmp</B><DD>
-<P>Obsolete. Enabled by default.</P>
-
-<DT><B>--enable-truncate</B><DD>
-<P>Obsolete.</P>
-
-<DT><B>--disable-kqueue</B><DD>
-<P>Obsolete. Disabled by default.</P>
-
-</DL>
-</P>
-
-
-<H2><A NAME="s7">7.</A> <A HREF="#toc7">Regressions since Squid-2.7</A></H2>
-
-<P>Some squid.conf and ./configure options which were available in Squid-2.7 are not yet available in Squid-3.1</P>
-
-<P>If you need something to do then porting one of these from Squid-2 to Squid-3 is most welcome.</P>
-
-<H2><A NAME="ss7.1">7.1</A> <A HREF="#toc7.1">Missing squid.conf options available in Squid-2.7</A>
-</H2>
-
-<P>
-<DL>
-<DT><B>acl</B><DD>
-<P><EM>urllogin</EM> option not yet ported from 2.6</P>
-<P><EM>urlgroup</EM> option not yet ported from 2.6</P>
-
-<DT><B>auth_param digest</B><DD>
-<P><EM>concurrency</EM> option not yet ported from Squid-2</P>
-
-<DT><B>authenticate_ip_shortcircuit_access</B><DD>
-<P>Not yet ported from 2.7</P>
-
-<DT><B>authenticate_ip_shortcircuit_ttl</B><DD>
-<P>Not yet ported from 2.7</P>
-
-<DT><B>broken_vary_encoding</B><DD>
-<P>Not yet ported from 2.6</P>
-
-<DT><B>cache_dir</B><DD>
-<P><EM>min-size</EM> option not yet ported from Squid-2</P>
-<P><EM>COSS</EM> storage type is lacking stability fixes from 2.6</P>
-<P>COSS <EM>overwrite-percent=</EM> option not yet ported from 2.6</P>
-<P>COSS <EM>max-stripe-waste=</EM> option not yet ported from 2.6</P>
-<P>COSS <EM>membufs=</EM> option not yet ported from 2.6</P>
-<P>COSS <EM>maxfullbufs=</EM> option not yet ported from 2.6</P>
-
-<DT><B>cache_peer</B><DD>
-<P><EM>multicast-siblings</EM> not yet ported from 2.7</P>
-<P><EM>idle=</EM> not yet ported from 2.7</P>
-<P><EM>http11</EM> not yet ported from 2.7</P>
-<P><EM>monitorinterval=</EM> not yet ported from 2.6</P>
-<P><EM>monitorsize=</EM> not yet ported from 2.6</P>
-<P><EM>monitortimeout=</EM> not yet ported from 2.6</P>
-<P><EM>monitorurl=</EM> not yet ported from 2.6</P>
-
-<DT><B>cache_vary</B><DD>
-<P>Not yet ported from 2.6</P>
-
-<DT><B>collapsed_forwarding</B><DD>
-<P>Not yet ported from 2.6</P>
-
-<DT><B>error_map</B><DD>
-<P>Not yet ported from 2.6</P>
-
-<DT><B>external_acl_type</B><DD>
-<P><EM>%ACL</EM> format tag not yet ported from 2.6</P>
-<P><EM>%DATA</EM> format tag not yet ported from 2.6</P>
-
-<DT><B>external_refresh_check</B><DD>
-<P>Not yet ported from 2.7</P>
-
-<DT><B>http_access2</B><DD>
-<P>Not yet ported from 2.6</P>
-
-<DT><B>http_port</B><DD>
-<P><EM>act-as-origin</EM> not yet ported from 2.7</P>
-<P><EM>http11</EM> not yet ported from 2.7</P>
-<P><EM>urlgroup=</EM> not yet ported from 2.6</P>
-
-<DT><B>ignore_expect_100</B><DD>
-<P>Not yet ported from 2.7</P>
-
-<DT><B>ignore_ims_on_miss</B><DD>
-<P>Not yet ported from 2.7</P>
-
-<DT><B>location_rewrite_access</B><DD>
-<P>Not yet ported from 2.6</P>
-
-<DT><B>location_rewrite_children</B><DD>
-<P>Not yet ported from 2.6</P>
-
-<DT><B>location_rewrite_concurrency</B><DD>
-<P>Not yet ported from 2.6</P>
-
-<DT><B>location_rewrite_program</B><DD>
-<P>Not yet ported from 2.6</P>
-
-<DT><B>logfile_daemon</B><DD>
-<P>Not yet ported from 2.7</P>
-
-<DT><B>logformat</B><DD>
-<P><EM>%oa</EM> tag not yet ported from 2.7</P>
-<P><EM>%sn</EM> tag not yet ported from 2.7</P>
-
-<DT><B>max_filedescriptors</B><DD>
-<P>Not yet ported from 2.7</P>
-
-<DT><B>max_stale</B><DD>
-<P>Not yet ported from 2.7</P>
-
-<DT><B>refresh_pattern</B><DD>
-<P><EM>stale-while-revalidate=</EM> not yet ported from 2.7</P>
-<P><EM>ignore-stale-while-revalidate=</EM> not yet ported from 2.7</P>
-<P><EM>max-stale=</EM> not yet ported from 2.7</P>
-<P><EM>negative-ttl=</EM> not yet ported from 2.7</P>
-
-<DT><B>refresh_stale_hit</B><DD>
-<P>Not yet ported from 2.7</P>
-
-<DT><B>server_http11</B><DD>
-<P>Not yet ported from 2.7</P>
-
-<DT><B>storeurl_access</B><DD>
-<P>Not yet ported from 2.7</P>
-
-<DT><B>storeurl_rewrite_children</B><DD>
-<P>Not yet ported from 2.7</P>
-
-<DT><B>storeurl_rewrite_concurrency</B><DD>
-<P>Not yet ported from 2.7</P>
-
-<DT><B>storeurl_rewrite_program</B><DD>
-<P>Not yet ported from 2.7</P>
-
-<DT><B>update_headers</B><DD>
-<P>Not yet ported from 2.7</P>
-
-<DT><B>upgrade_http0.9</B><DD>
-<P>Not yet ported from 2.7</P>
-
-<DT><B>zero_buffers</B><DD>
-<P>Not yet ported from 2.7</P>
-
-</DL>
-</P>
-
-<H2><A NAME="ss7.2">7.2</A> <A HREF="#toc7.2">Missing ./configure options available in Squid-2.7</A>
-</H2>
-
-<P>
-<DL>
-<DT><B>--without-system-md5</B><DD>
-
-</DL>
-</P>
-
-</BODY>
-</HTML>
projects / thirdparty / squid.git / commitdiff
