From: Amos Jeffries Date: Thu, 16 Oct 2014 23:38:20 +0000 (-0700) Subject: Prep for 3.5.0.1 X-Git-Tag: merge-candidate-3-v1~546 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e0dbeeb6a0dc9fd1d21b7a2656a9c4d5c7017800;p=thirdparty%2Fsquid.git Prep for 3.5.0.1 --- diff --git a/ChangeLog b/ChangeLog index af9c766c92..c01a41b790 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,69 @@ +Changes to squid-3.5.0.1 (17 Oct 2014): + + - Port from 2.7: redirector and logging urlgroup feature + - Bug 4093: source-maintenance.sh bad perl -i option + - Bug 3608: per-service name for workers UDS sockets + - Bug 2554: 32-bit wrap in AUFS counters + - Bug 1961 pt1: URL handling redesign + - Bug 1202 pt1: documentation for refresh_pattern algorithms + - Update Squid boilerplate copyright/license + - Update the http(s)_port directives protocol= parameter + - Update forward_max_tries to permit 25 server paths + - Update Kerberos library detection and build options + - Support ACLs on ftp_epsv directive + - Support >32KB objects in cache_dir rock storage + - Support client connection annotation by helpers via clt_conn_tag=TAG + - Support native FTP Relay + - Support libgnugss Kerberos library + - Support libecap v1.0 + - Support SSL Peek and Splice feature + - Support receiving PROXY protocol version 1 and 2 + - Replace --enable-ssl build option with --with-openssl + - Enable -n service name command line option for all Squid builds + - Enable ICAP client by default + - Fix configuration file parsing bugs, related to quoted strings + - Fix Windows MinGW build errors + - Fix multiple TCP outgoing TOS/DiffServ bugs + - Fix Cygwin /etc/resolv.conf parsing + - Fix crash when sending %ssl::cert_subject to external ACL w/o certificate + - Fix crash reading malformed config files + - Send selected SSL version and cipher to the certificate validation helper + - Validate server certificates without bumping + - Add zero-copy string buffer support + - Add automated squid.conf parser testing with squid -k parse + - Add adaptation_service ACL + - Add logformat code %tS to log transaction start time + - Add logformat code %>rd to log client URL domain name + - Add key_extras to proxy authentication + - Add url_rewrite_extras and store_id_extras directives + - Add send_hit and store_miss directives + - Add collapsed_forwarding directive + - Add 
sslproxy_cert_sign_hash directive + - Add SMP SSL session cache + - Add cache_peer standby connections + - Add helper ext_delayer_acl + - Add TCP_TUNNEL log code for CONNECT tunnels which are not SSL-bumped + - Add BUILDCXX and BUILDCXXFLAGS configure options for cross-compile + - Remove COSS storage in favour of Rock storage + - Remove dnsserver and external DNS helper API in favour of mDNS + - Remove broken mallinfo() accounting and memory tracing + - Remove hierarchy_stoplist in favour of always_direct + - Deprecate tag ACL type in favour of note ACL type + - Deprecate urlgroup feature in favour of note ACL type + - HTTP/1.1: method names are case-sensitive + - HTTP/1.1: register new headers from RFC 723x + - squidclient: polish and update help display + - squidclient: support TLS with GnuTLS 3.1.5+ + - squidclient: support verbosity levels + - squidclient: --ping mode module support + - url_fake_rewrite: support concurrency + - storeid_file_rewrite: support concurrency + - digest_file_auth: support concurrency + - digest_edirectory_auth: support concurrency + - digest_ldap_auth: support concurrency + - ... and many error page translation updates + - ... and much code cleanup and polishing + Changes to squid-3.4.8 (15 Sep 2014): - Fix off by one in SNMP subsystem diff --git a/doc/release-notes/release-3.5.sgml b/doc/release-notes/release-3.5.sgml index 8f5f0e702e..3e53dc7755 100644 --- a/doc/release-notes/release-3.5.sgml +++ b/doc/release-notes/release-3.5.sgml @@ -18,10 +18,10 @@ The Squid Team are pleased to announce the release of Squid-3.5.0.0 for testing. This new release is available for download from or the . -While this release is not deemed ready for production use, we believe it is ready for wider testing by the community. +

While this release is not deemed ready for production use, we believe it is ready for wider testing by the community. -We welcome feedback and bug reports. If you find a bug, please see - for how to submit a report with a stack trace. +

We welcome feedback and bug reports. If you find a bug, please see + for how to submit a report with a stack trace. Known issues

@@ -279,7 +279,7 @@ There have been changes to Squid's configuration file since Squid-3.4. acl whitelist dstdomain parameters("/etc/squid/whitelist.txt") -

The squid.conf macro ${service_name} is added to provide the service name +

The squid.conf macro ${service_name} is added to provide the service name of the process parsing the config.

There have also been changes to individual directives in the config file. @@ -300,6 +300,24 @@ This section gives a thorough account of those changes in three categories:

Ported from Squid-2 with no configuration or visible behaviour changes. Collapsing of requests is performed across SMP workers. + ftp_client_idle_timeout +

This new configuration directive controls how long Squid should + wait for an FTP request on a connection to an ftp_port. Many FTP + clients do not deal with idle connection closures well, + necessitating a longer default timeout (30 minutes) than + client_idle_pconn_timeout used for incoming HTTP requests (2 + minutes). The current default may be changed as we get more + experience with FTP relaying. + + ftp_client_idle_timeout +

New directive controlling how long to wait for an FTP request on a + client connection to Squid ftp_port. + + ftp_port +

New configuration directive to accept and relay native FTP + commands. Typically used for port 21 traffic. By default, native + FTP commands are not accepted. + proxy_protocol_access

New directive to control which clients are permitted to open PROXY protocol connections on a port flagged with require-proxy-header. @@ -309,6 +327,9 @@ This section gives a thorough account of those changes in three categories: based on ACL selection. ACL can be based on client request or cached response details. + sslproxy_cert_sign_hash +

New directive to set the hashing algorithm to use when signing generated certificates. + sslproxy_session_cache_size

New directive which sets the cache size to use for TLS/SSL sessions cache. @@ -322,7 +343,7 @@ This section gives a thorough account of those changes in three categories: [channel-ID] url [extras] -

The default value for extras is: "%>a/%>A %un %>rm myip=%la myport=%lp" +

The default value for extras is: "%>a/%>A %un %>rm myip=%la myport=%lp" store_miss

New configuration directive to enable/disable caching of MISS responses. @@ -336,23 +357,7 @@ This section gives a thorough account of those changes in three categories: [channel-ID] url [extras] -

The default value for extras is: "%>a/%>A %un %>rm myip=%la myport=%lp" - - ftp_port - -

New configuration directive to accept and relay native FTP - commands. Typically used for port 21 traffic. By default, native - FTP commands are not accepted. - - ftp_client_idle_timeout - -

This new configuration directive controls how long Squid should - wait for an FTP request on a connection to an ftp_port. Many FTP - clients do not deal with idle connection closures well, - necessitating a longer default timeout (30 minutes) than - client_idle_pconn_timeout used for incoming HTTP requests (2 - minutes). The current default may be changed as we get more - experience with FTP relaying. +

The default value for extras is: "%>a/%>A %un %>rm myip=%la myport=%lp" @@ -360,10 +365,14 @@ This section gives a thorough account of those changes in three categories:

acl +

Deprecated type tag. Use type note with 'tag' key + name instead.

New type adaptation_service to match the name of any icap_service, ecap_service, adaptation_service_set, or adaptation_service_chain that Squid has used (or attempted to use) for the HTTP transaction so far. +

New type at_step to match the current SSL-Bump processing step. + Never matches and should not be used outside of ssl_bump. auth_param

New parameter key_extras to send additional parameters to @@ -377,6 +386,8 @@ This section gives a thorough account of those changes in three categories: maximum slot size is 32KB.

Removal of old rock cache dir followed by squid -z is required when upgrading from earlier versions of Squid. +

COSS storage type is formally replaced by Rock storage type. + COSS storage type and all COSS specific options are removed. cache_peer

New standby=N option to retain a set of N open and unused @@ -386,6 +397,16 @@ This section gives a thorough account of those changes in three categories: have not been used for HTTP messaging (and may never be). They may be turned into persistent connections after their first use subject to the same keep-alive critera any HTTP connection is checked for. +

Squid-2 option idle= replaced by standby=. +

NOTE that standby connections are started earlier and available in + more circumstances than squid-2 idle connections were. They are + also spread over all IPs of the peer. + + external_acl_type +

New format code %ssl::>sni to send SSL client SNI. +

New format code %ssl::<cert_subject to send SSL server certificate DN. +

New format code %ssl::<cert_issuer to send SSL server certificate issuer DN. +

New response kv-pair clt_conn_tag= to associates a given tag with the client TCP connection. forward_max_tries

Default value increased to 25 destinations to allow better @@ -410,32 +431,41 @@ This section gives a thorough account of those changes in three categories: Currently supported values are: HTTP, HTTP/1.1, HTTPS, HTTPS/1.1 logformat -

New format code %credentials to log the client credentials - token. +

New format code %credentials to log the client credentials token. +

New format code %ssl::>sni to TLS client SNI sent to Squid.

New format code %tS to log transaction start time in "seconds.milliseconds" format, similar to the existing access.log "current time" field (%ts.%03tu) which logs the corresponding transaction finish time. +

New format codes %<rs and %>rs to log request URL + scheme from client or sent to server/peer respectively. +

New format codes %<rd and %>rd to log request URL + domain from client or sent to server/peer respectively. +

New format codes %<rP and %>rP to log request URL + port from client or sent to server/peer respectively. + + ssl_bump +

Bumping 'modes' redesigned as 'actions' and ACLs evaluated repeatedly in a number of steps. +

Renamed server-first as bump action. +

Renamed none as splice action. +

New actions peek and stare to receive client or server + certificate while preserving the ability to later decide between bumping + or splicing the connections later. +

New action terminate to close the client and server connections. + + url_rewrite_program +

New response kv-pair clt_conn_tag= to associates a given tag with the client TCP connection. Removed tags

- cache_dir -

COSS storage type is formally replaced by Rock storage type. - cache_dns_program

DNS external helper interface has been removed. It was no longer able to provide high performance service and the internal DNS client library with multicast DNS cover all modern use-cases. - cache_peer -

idle= replaced by standby=. -

NOTE that standby connections are started earlier and available in - more circumstances than squid-2 idle connections were. They are - also spread over all IPs of the peer. - dns_children

DNS external helper interface has been removed.
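Review bot: In the ChangeLog hunk (@@ -1,3 +1,69 @@) the new 3.5.0.1 list contains both "Port from 2.7: redirector and logging urlgroup feature" and "Deprecate urlgroup feature in favour of note ACL type", so the same release reads as adding and deprecating urlgroup. If the intent is that the feature is ported only for compatibility and is already deprecated, say so in a single entry, so nobody builds new configurations on it.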
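Review bot: The intro paragraph of doc/release-notes/release-3.5.sgml (hunk @@ -18,10 +18,10 @@) still reads "release of Squid-3.5.0.0 for testing" in its unchanged context line, while the commit subject and the new ChangeLog heading say 3.5.0.1. The hunk already touches the neighbouring paragraphs, so the version string should be updated in the same change.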
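Review bot: Hunk @@ -300,6 +300,24 @@ adds ftp_client_idle_timeout twice to the new-directives list: once with the full description (30 minute default, compared with the 2 minute client_idle_pconn_timeout) and again as "New directive controlling how long to wait for an FTP request on a client connection to Squid ftp_port." The second entry says nothing the first does not. Drop it and keep the entry that states the default.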
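Review bot: The sslproxy_cert_sign_hash entry added in hunk @@ -309,6 +327,9 @@ says only "New directive to set the hashing algorithm to use when signing generated certificates", with no list of accepted algorithm names and no statement of what is used when the directive is unset. This directive decides the signature digest on every certificate Squid generates, so the release notes should give the accepted values and the default. That lets operators confirm after upgrading that they are not signing with a weak hash.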
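Review bot: In hunk @@ -386,6 +397,16 @@ the added external_acl_type line "New response kv-pair clt_conn_tag= to associates a given tag with the client TCP connection" has a grammar slip: "to associates" should be "to associate". The ChangeLog hunk documents this key as clt_conn_tag=TAG, and using that form here would make it clear that the helper supplies the value.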
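Review bot: In hunk @@ -410,32 +431,41 @@ the added logformat line "New format code %ssl::>sni to TLS client SNI sent to Squid" is missing its verb and should read "to log the TLS client SNI sent to Squid". Two smaller wording points in the same hunk: the ssl_bump peek/stare entry says "later" twice ("to later decide between bumping or splicing the connections later"), and the url_rewrite_program entry repeats the "to associates" slip from external_acl_type.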