From: hno <> Date: Wed, 20 Aug 2003 13:08:01 +0000 (+0000) Subject: Created section "Other changes mostly of interest to developers" and moved X-Git-Tag: SQUID_3_0_PRE4~1241 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=807aa36586e61a75ee828faee3d3cc21c614ec20;p=thirdparty%2Fsquid.git Created section "Other changes mostly of interest to developers" and moved corresponding entries there. SGML syntax corrections (bad characters etc) Indent Removed a few entries which were news in the 2.5 cycle and not really news for 3.0. --- diff --git a/doc/release-notes/release-3.0.sgml b/doc/release-notes/release-3.0.sgml index 6c36f6a3b7..331842f67a 100644 --- a/doc/release-notes/release-3.0.sgml +++ b/doc/release-notes/release-3.0.sgml @@ -2,7 +2,7 @@
Squid 3.0 release notes Squid Developers -$Id: release-3.0.sgml,v 1.14 2003/08/13 16:06:13 wessels Exp $ +$Id: release-3.0.sgml,v 1.15 2003/08/20 07:08:01 hno Exp $ This document contains the release notes for version 3.0 of Squid. @@ -14,154 +14,150 @@ for Applied Network Research and members of the Web Caching community. Key changes from squid 2.5:

- Clean up the squid code to consistenly use [u_]int<len>_t throughout, rather than some [u_]num<len> and some [u_]<len>_t instances. (Robert Collins). - Escapes Basic auth login and password information when sent to the helpers, to allow for spaces and other odd characters (Henrik Nordstrom). - New option ftp_sanitycheck (Henrik Nordstrom). - Gopher improvements (Henrik Nordstrom). - CARP enabled by default (Henrik Nordstrom). - Documented no_cache change (not new, but rather important) (Henrik Nordstrom). - Make http_port optional, allowing for SSL-only operation. Squid will refuse to start unless at least one port is defined. (Henrik Nordstrom). - Ability to read the configuration file from an external program pipe (Henrik Nordstrom). - Major cleanup or CARP. Now plays well with the other peering algorithms as just another non-ICP peering method. (Henrik Nordstrom) - Spelling corrections by Reuben Farrelly. - SASL auth helper by Ian Castle. - SNMP leak fix (Henrik Nordstrom). - Object reference counting supported to ease some programming tasks (Robert Collins). - EXEEXT cleanups, to hopefully allow pinger to install cleanly on cygwin etc.. (Henrik Nordstrom) - epoll support (David Nicklay) - Deferred reads removed from comms layer, implemented a layer above, allowing more efficent comms layers (such as epoll). (Robert Collins). - ACL Source code extracted into multiple separate classes, allowing great flexability in future development, and also for custom squid builds today. (Robert Collins) - Delay classes heavily refactored to allow easier extension and reuse. (Robert Collins). - Class 4 delay pools - user specific buckets. (Robert Collins). Convert core squid source to C++ (Robert Collins). - clientStreams, rationalising the client side logic to allow plugin output streams, and providing a simple interface to the store. See the programmers guide for details. (Robert Collins). - Andres Kroonmaa's chunked memory pool allocator included. (Squid 2.5 ?) 
+ http_port optional, allowing for SSL-only operation. Squid will refuse to start unless at least one port is defined. (Henrik Nordström). + Ability to read the configuration file from an external program pipe (Henrik Nordström). + Major cleanup or CARP. Now plays well with the other peering algorithms as just another non-ICP peering method. This also allows CARP support to be compiled by default with no need to recompile Squid to use CARP (Henrik Nordström) + Class 4 delay pools - user specific buckets. (Robert Collins). Comms layer refactored to increase efficiency (Adrian Chadd). + epoll support (David Nicklay) + kqueue support (Adrian Chadd) Range processing moved from client side to both client and server (Robert Collins). - autoconf 2.5 support (Robert Collins). - Added support for sys/bitypes.h, apparently needed for some of the bittypes on tru64 and possibly others. (Henrik Nordstrom) + Added support for sys/bitypes.h, apparently needed for some of the bittypes on tru64 and possibly others. (Henrik Nordström) Edge Side Include implementation (www.esi.org). (Robert Collins). Reduce the depth of recursion in make, improving make -j performance. (Robert Collins) - Hi-resolution CPU profiling from Andres Kroonma, for single-threaded use only. - kqueue support (Adrian Chadd). Cleanup of the relation between accelerated request and transparently intercepted request. The two are now handled separately from each other. -This fixes two issues:Transparently intercepted requests is no longer under the restrictions of accelerated requests in peering relations etc.. -No risk of confusion in authentication. Authentication is now allowed for accelerated requests but not transparently intercepted requests. - (Henrik Nordstrom) - --enable-auth-on-accel configure option to enable authentication in accelerator setups (Henrik Nordstrom) - Cleaned up module/helper configure checks to use the same logics everywhere. 
(Henrik Nordstrom) - Added a small trap detecting incorrect --with-aufs-threads arguments (Henrik Nordstrom) - Change --disable-hostname-checks to --enable-hostname-checks, default to not verify hostname sanity. (Henrik Nordstrom) - also removed the dot magics. These are more evil than helpful and breaks semantic transparency in certain configurations. (Henrik Nordstrom) - added reporting of "Process Data Segment Size via sbrk()" when sbrk() call exists. According to the sbrk() man page, calling sbrk(0) returns the end of the data segment. By storing the data segment offset when Squid starts, we can report the size of the data segment at any time. This might be a better metric than getrusage()'s MAX RSS, which, in my experience, is often less than the process size reported by 'ps' (presumably because some of the processes memory is swapped to disk). However, initial tests show that the sbrk() trick reports a value slightly smaller than reported by 'ps'. (Duane Wessels) - failure_ratio is a ratio, not a percentage. Removed %% from printf. (Duane Wessels) - Start using inline C and C++ code via .cci source files. This defaults to inlined, with a configure option to disable for troubleshooting or development. (Robert Collins). - Unify much of the IO logic, shrinking the code base for diskd/aufs/ufs. (Robert Collins). - Introduce 'make check' support to provide an automated test suite for squid. (Robert Collins). - Fix --disable-... options to default to be enabled.. (CARP, WCCP, IDENT, ..) (Henrik Nordstrom) - pthreads detection and compilation bugfixes. 
(Henrik Nordstrom, Robert Collins) - Better MacOSX support (Robert Collins, Adrian Chadd, Henrik Nordstrom) - --with-filedescriptors=XX configure option (Francesco Chemolli) - Killed the remains of ALARM_UPDATES_TIME (--enable-time-hack) (Henrik Nordstrom) - Not all systems support the 'obsolete' getpass() function (Henrik Nordstrom) - UNIX domain IPC sockets support - Centralised the IPC type selection to defines.h by the defines IPC_STREAM and IPC_DGRAM. (Henrik Nordstrom) - Removed potentially dangerous debugging options. Developers know how to edit configure.in or set defines. configure --help lineups. (Henrik Nordstrom) - --enable-large-files to enable support for large files (>2GB) on 32-bit GNU libc systems. (Henrik Nordstrom) - Astyle is the code formatter of choice for squid-3 C++ code. See http://www.squid-cache.org/~robertc/squid-3-style.txt for the squid 3 style conventions. - WIN32 port update by Guido - Fix the problems on Windows related to open file renaming and text/binary file issues. - LDAP basic auth helper improvements (Henrik, David Begley, Christoph Lechleitner, Juerg Michel) - Digest auth helper improvements (Robert Collins, Sean Burford) - Digest authentication scheme bugfixs & improvements (Robert Collins) - Merge of http(s)_port and accelerator directive updates from rproxyThe httpd_accel_* directives is now gone, replaced by http(s)_port options and cache_peer based request forwarding. - The http(s)_port options has a list of new options for controlling the type and mode of port created with respect totransparent proxying - plain acceleration - host header based acceleration - normal proxying (default) - - To enforce a reasonable level of security in accelerators, accelerated requests are denied to go direct unless forced by always_direct. - (Henrik Nordstrom) - Cache manager auth helper output tidyup (Duane Wessels). 
- Native Windows port enhancements:Another fix for profiling support - Added correct timezone handling - Fixed rotate problem - Added native Windows support to client.cc - This patch add the native Windows support for profiling and fix some C++/C include files problems. - Support for Windows .NET (5.2). - Added native Windows and Cygwin support to pinger.cc - Introduced the use of IPPROTO_TCP and IPPROTO_UDP defines instead of '0' on comm_open, needed by Winsocket. See this old squid-dev thread about http://www.squid-cache.org/mail-archive/squid-dev/200108/0162.html. - Added native Windows support to cachemgr.cc - Added native Windows support to dnsserver.cc - On Windows, fork() is not available, so we need to use a workaround in store_dir.cc for create store directories sequentially - By Guido Serassio. - SSL support updateSupport for outgoing SSL connections - SSL encrypted peers - https:// gatewaying for clients not supporting SSL or URLs rewritten via a redirector to https://... - Client certificate support - Hardware crypto SSL acceleration support via OpenSSL engine - SSL key/certificate now read while parsing squid.conf to support secure key protection and chroot. - A few minor bugfixes/optimizations - (Henrik Nordstrom) - --enable-default-hostsfile configure option by Guido Serassio. Tells the default /etc/hosts file location - Fix "access_log none" (and "forward_log none") (Arkadi E. Shishlov). - New squid.conf directive to disable hostname verifications. It isn't really our business to enforce what characters is used in hostnames. (Henrik Nordstrom). - ftp_sanitycheck option (default on) to make Squid sanity check the FTP data connection.Ignore "BAD" PASV replies, asking Squid to connect to another server than requested. - Ignore PORT and default connections coming from another address than expected. - (Henrik Nordstrom) - Peering enhancement options for satellite or other high latency links by Robert Cohen. 
- Cleanup of authentication forwarding, and added gatewaying proxy->reverseproxy when the same Squid is acting as both proxy and reverseproxy with authentication. (Henrik Nordstrom) - The mailto links on Squid's ERR pages now contain data about the cccurred error by default, so that the email will contain this data in its body. This feature can be disabled via the email_err_data directive. (Clemens Löser) - Disable pipeline_prefetch in HEAD as it is known to be broken due to the store_client_copy() api change (Henrik Nordstrom) - Fixup some SNMP variable types for more useful reporting. (Henrik Nordstrom) - ncsa_auth extened with support for MD5 hashes. (Henrik Nordstrom) - Complain if open of /dev/null fails; avoids infinite loop in ipcCreate(). - Properly quote the quoting character '%' in log_quote() and username_quote(). - in icmpRecv(), Handle the case when recv() returns EAGAIN and do not treat it like an error. - Update squid to build with gcc/g++ 3.3 with no warnings. - wb_group updated to support domain qualified groups (Guido Serassio) - most helper interfaces now support multiple overlapping requests (external_acl_type, redirect_program, basic auth). - digest authentication extended with support for common bugs in browser implementations - custom log formats, and the ability to log different requests to different log files. - ext_user acl type added for matching the user name returned by external acls. Not longer abusing the ident acl for this purpose - external_acl extended with soft timeouts - external_acl can optionally return information to be logged in access.log - Requests denied due to 'http_reply_access' are now logged with TCP_DENIED_REPLY. - Added counters for HTCP messages sent and received, reported - in 'info' cache manager page. 
- Fixed 'ICP dynamic timeout algorithm ignores multicast' bug - Bug #743: "#ifdef HTTP_VIOLATIONS" should be "#if HTTP_VIOLATIONS" +This fixes two issues: + + Transparently intercepted requests is no longer under the restrictions of accelerated requests in peering relations etc.. + No risk of confusion in authentication. Authentication is now allowed for accelerated requests but not transparently intercepted requests. + (Henrik Nordström) + Change --disable-hostname-checks to --enable-hostname-checks, default to not verify hostname sanity. (Henrik Nordström) + also removed the dot magics from hostname parsing. These are more evil than helpful and breaks semantic transparency in certain configurations. (Henrik Nordström) + added reporting of "Process Data Segment Size via sbrk()" when sbrk() call exists. According to the sbrk() man page, calling sbrk(0) returns the end of the data segment. By storing the data segment offset when Squid starts, we can report the size of the data segment at any time. This might be a better metric than getrusage()'s MAX RSS, which, in my experience, is often less than the process size reported by 'ps' (presumably because some of the processes memory is swapped to disk). However, initial tests show that the sbrk() trick reports a value slightly smaller than reported by 'ps'. (Duane Wessels) + failure_ratio is a ratio, not a percentage. Removed %% from printf. (Duane Wessels) + Start using inline C and C++ code via .cci source files. This defaults to inlined, with a configure option to disable for troubleshooting or development. (Robert Collins). + Better MacOSX support (Robert Collins, Adrian Chadd, Henrik Nordström) + --with-filedescriptors=XX configure option (Francesco Chemolli) + UNIX domain IPC now used by default for helpers, no loger relying on TCP/IP sockets via loopback. (Henrik Nordström) + Removed potentially dangerous debugging related configure options. Developers know how to edit configure.in or set defines. 
(Henrik Nordström) + --enable-large-files to enable support for large files (>2GB) on 32-bit GNU libc systems. (Henrik Nordström) + Digest auth helper improvements (Robert Collins, Sean Burford) + Digest authentication scheme bugfixs & improvements (Robert Collins) + accelerator mode cleaned up, using the design from the rproxy development branch + + The httpd_accel_* directives is now gone, replaced by http(s)_port options and cache_peer based request forwarding. + The http(s)_port options has a list of new options for controlling the type and mode of port created with respect to + + transparent proxying + plain acceleration + host header based acceleration + normal proxying (default) + + To enforce a reasonable level of security in accelerators, accelerated requests are denied to go direct unless forced by always_direct. + (Henrik Nordström) + Cache manager auth helper output tidyup (Duane Wessels). + Native Windows port enhancements: + + Another fix for profiling support + Added correct timezone handling + Fixed rotate problem + Added native Windows support to client.cc + This patch add the native Windows support for profiling and fix some C++/C include files problems. + Support for Windows .NET (5.2). + Added native Windows and Cygwin support to pinger.cc + Introduced the use of IPPROTO_TCP and IPPROTO_UDP defines instead of '0' on comm_open, needed by Winsocket. See this old squid-dev thread about http://www.squid-cache.org/mail-archive/squid-dev/200108/0162.html. + Added native Windows support to cachemgr.cc + Added native Windows support to dnsserver.cc + On Windows, fork() is not available, so we need to use a workaround in store_dir.cc for create store directories sequentially + By Guido Serassio. + SSL support update + + SSL encrypted peers + https:// gatewaying/proxying for clients not supporting SSL or URLs rewritten via a redirector to https://... 
+ Client certificate support + Hardware crypto SSL acceleration support via OpenSSL engine + SSL key/certificate now read while parsing squid.conf to support secure key protection in combination with chroot.. + A few minor bugfixes/optimizations + (Henrik Nordström) + --enable-default-hostsfile configure option by Guido Serassio. Tells the default /etc/hosts file location + New squid.conf directive to disable hostname verifications. It isn't really our business to enforce what characters is used in hostnames. (Henrik Nordström). + Peering enhancement options for satellite or other high latency links by Robert Cohen. + Cleanup of authentication forwarding, and added authentication gatewaying proxy->reverseproxy when the same Squid is acting as both proxy and reverseproxy with authentication. (Henrik Nordström) + The mailto links on Squid's ERR pages now contain data about the cccurred error by default, so that the email will contain this data in its body. This feature can be disabled via the email_err_data directive. (Clemens Löser) + pipeline_prefetch is disabled and known to be broken due to internal store_client_copy() change (Henrik Nordström) + ncsa_auth extened with support for MD5 hashes. (Henrik Nordström) + Complain if open of /dev/null fails; avoids infinite loop in ipcCreate() and gives a correct error message should this occur. + Properly quote the quoting character '%' in log_quote() and username_quote(). + in icmpRecv(), Handle the case when recv() returns EAGAIN and do not treat it like an error. + Update squid to build with gcc/g++ 3.3 with no warnings. + wb_group updated to support domain qualified groups (Guido Serassio) + most helper interfaces now support multiple overlapping requests (external_acl_type, redirect_program, basic auth). + custom log formats, and the ability to log different requests to different log files. + ext_user acl type added for matching the user name returned by external acls. 
Not longer abusing the ident acl for this purpose + external_acl extended with soft timeouts + external_acl can optionally return information to be logged in access.log + Requests denied due to 'http_reply_access' are now logged with TCP_DENIED_REPLY. + Added counters for HTCP messages sent and received, reported in 'info' cache manager page. + Fixed 'ICP dynamic timeout algorithm ignores multicast' bug + Bug #743: "#ifdef HTTP_VIOLATIONS" should be "#if HTTP_VIOLATIONS" Changes to squid.conf

-read_ahead_gapConfig directive by Jeffrey D. Wheelhouse. Allows the read-ahead gap to be configured from squid.conf (previously hardcoded at 16 KB) -request_entitiesNew squid.conf directive "request_entities on/off".If set to "on" then Squid will allow GET/HEAD requests with request entities, even if such entites are "undefined" in the HTTP specification. (Henrik Nordstrom) -cache_peerNew options for reverse proxy setupsoriginserver -name=XXX -forceddomain=XXX - -https_portMany new optionsdhparams=/path/to/file.pem https_port option to specify DH parameters for forward-secrecy in encryption (practically denies decryption even if the private key is known from what I understand). (Henrik Nordstrom) - clientca= etcspecifies which CA to accept client certificates from - defaultsitespecifies the accelerated site name - -http(s)_portMany new options to control acceleration, transparent proxying etc -header_replaceThis is now dependent on --disable-http-violations (Henrik Nordstrom) -email_err_dataAllow disabling the data now embedded in the mailto links on Squid's ERR pages. -refresh_patternMake the default refresh_pattern merely a suggested default. This is consistent with older Squid versions due to a bug in the "DEFAULT-IF-NONE" processing of refresh_pattern. (Henrik Nordstrom) -reply_body_max_sizeNo longer uses allow/deny. Instead it is specified as a size followed by acl elements. The size "none" can be used for no limit (the default) -external_acl_typeThe argument which was named concurrenty= in Squid-2.5 is now named children=. concurrency= has a different meaing in Squid-3.0 and your external acls will not work until updated. -ext_user aclthis acl matches the username returned by external acl. ident can no longer be used for this purpose. -access_logThe access_log directive now optionally includes specifications on what log format to use and acls matching which requests to log. Can be specified multiple times to log different requests to different files. 
-logformatnew directive to define custom log formats -httpd_accel_*These directives have been replaced by http(s)_port options and cache_peer based request forwarding. Note that you can no longer run proxy and acceleration mode on the same port. If you previously did this you now need to define two ports, one for acceleration, one for proxying. - + read_ahead_gapConfig directive by Jeffrey D. Wheelhouse. Allows the read-ahead gap to be configured from squid.conf (previously hardcoded at 16 KB) + request_entitiesNew squid.conf directive "request_entities on/off".If set to "on" then Squid will allow GET/HEAD requests with request entities, even if such entites are "undefined" in the HTTP specification. (Henrik Nordström) + cache_peerNew options for reverse proxy setups + + originserver + name=XXX + forceddomain=XXX + + https_portMany new SSL options + + dhparams=/path/to/file.pem https_port option to specify DH parameters for forward-secrecy in encryption. (Henrik Nordström) + clientca= etcspecifies which CA to accept client certificates from + defaultsitespecifies the accelerated site name + + http(s)_portMany new options to control acceleration, transparent proxying etc + header_replaceThis is now dependent on --disable-http-violations (Henrik Nordström) + email_err_dataAllow disabling the data now embedded in the mailto links on Squid's ERR pages. + reply_body_max_sizeNo longer uses allow/deny. Instead it is specified as a size followed by acl elements. The size "none" can be used for no limit (the default) + external_acl_typeThe argument which was named concurrenty= in Squid-2.5 is now named children=. concurrency= has a different meaing in Squid-3.0 and your external acls will not work until updated. + ext_user aclthis acl matches the username returned by external acl. ident can no longer be used for this purpose. + access_logThe access_log directive now optionally includes specifications on what log format to use and acls matching which requests to log. 
Can be specified multiple times to log different requests to different files. + logformatnew directive to define custom log formats + httpd_accel_*These directives have been replaced by http(s)_port options and cache_peer based request forwarding. Note that you can no longer run proxy and acceleration mode on the same port. If you previously did this you now need to define two ports, one for acceleration, one for proxying. Known limitations

- SSL Acceleration Support - CRL's are not currently supported. The design has been completed, but time to implement is missing - contact squid-dev@squid-cache.org for more details. - tcp_outgoing_addr/tos uses "fast" ACL checks and is somewhat limited in what kind of acl types you may use. Probably only src/my_port/my_addr/dstdomain/method/port/url* acl types is reliable. - reply_body_max_size is uses "fast" ACL checks and may occationally fail on acls which may require external lookups (dst/srcdomain/external). + SSL Acceleration Support - CRL's are not currently supported. The design has been completed, but time to implement is missing - contact squid-dev@squid-cache.org for more details. + tcp_outgoing_addr/tos uses "fast" ACL checks and is somewhat limited in what kind of acl types you may use. Probably only src/my_port/my_addr/dstdomain/method/port/url* acl types is reliable. + reply_body_max_size is uses "fast" ACL checks and may occationally fail on acls which may require external lookups (dst/srcdomain/external). + + +Other internal changes mostly of interest to developers +

+ Andres Kroonmaa's chunked memory pool allocator included. + clientStreams, rationalising the client side logic to allow plugin output streams, and providing a simple interface to the store. See the programmers guide for details. (Robert Collins). + Clean up the squid code to consistenly use [u_]int<len>_t throughout, rather than some [u_]num<len> and some [u_]<len>_t instances. (Robert Collins). + Spelling corrections by Reuben Farrelly. + Object reference counting supported to ease some programming tasks (Robert Collins). + Deferred reads removed from comms layer, implemented a layer above, allowing more efficent comms layers (such as epoll). (Robert Collins). + ACL Source code extracted into multiple separate classes, allowing great flexability in future development, and also for custom squid builds today. (Robert Collins) + Delay classes heavily refactored to allow easier extension and reuse. (Robert Collins). + autoconf 2.5 support (Robert Collins). + Hi-resolution CPU profiling from Andres Kroonma, for single-threaded use only. + Cleaned up module/helper configure checks to use the same logics everywhere. (Henrik Nordström) + Unify much of the IO logic, shrinking the code base for diskd/aufs/ufs. (Robert Collins). + Introduce 'make check' support to provide an automated test suite for squid. (Robert Collins). + pthreads detection and compilation bugfixes. (Henrik Nordström, Robert Collins) + Killed the remains of ALARM_UPDATES_TIME (--enable-time-hack) (Henrik Nordström) + Centralised the IPC type selection to defines.h by the defines IPC_STREAM and IPC_DGRAM. (Henrik Nordström) + Astyle is the code formatter of choice for squid-3 C++ code. See http://www.squid-cache.org/~robertc/squid-3-style.txt for the squid 3 style conventions. + Fix "access_log none" (and "forward_log none") (Arkadi E. Shishlov).
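Review bot: the entries moved into the "Key changes", "Changes to squid.conf", "Known limitations" and new "Other internal changes" lists carry their old typos into the + lines, even though the commit message advertises spelling and SGML syntax corrections; since every one of these lines is being rewritten anyway, this is the pass to fix them. Examples from the + side: "Major cleanup or CARP" (should be "of CARP"), "UNIX domain IPC now used by default for helpers, no loger relying on TCP/IP sockets", "ncsa_auth extened with support for MD5 hashes", plus "bugfixs", "cccurred", "consistenly", "efficent", "flexability", "occationally", "meaing", "entites", "Not longer abusing", "is uses" and the double periods in "peering relations etc.." and "in combination with chroot..". Two are more than cosmetic for a reader: the external_acl_type entry says the old argument was "concurrenty=", which should read "concurrency=" (the same sentence then explains that concurrency= means something different in 3.0, so the misspelling makes the rename look like two unrelated options), and the profiling entry credits "Andres Kroonma" while the allocator entry a few lines earlier spells it "Andres Kroonmaa". Also consider "The httpd_accel_* directives is now gone" -> "are now gone", and "The http(s)_port options has a list" -> "have a list", both of which appear twice (Key changes and Changes to squid.conf).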