From 863d63939444cc1ade56f7fbc7c504e76bfaf336 Mon Sep 17 00:00:00 2001 From: Amos Jeffries Date: Thu, 16 Oct 2014 16:33:12 -0700 Subject: [PATCH] Release Notes update for 3.4 --- doc/release-notes/release-3.4.html | 573 ----------------------------- doc/release-notes/release-3.4.sgml | 5 +- 2 files changed, 3 insertions(+), 575 deletions(-) delete mode 100644 doc/release-notes/release-3.4.html diff --git a/doc/release-notes/release-3.4.html b/doc/release-notes/release-3.4.html deleted file mode 100644 index 93c51b5f39..0000000000 --- a/doc/release-notes/release-3.4.html +++ /dev/null @@ -1,573 +0,0 @@ - - - - - Squid 3.4.0.0 release notes - - -

Squid 3.4.0.0 release notes

- -

Squid Developers

-
-This document contains the release notes for version 3.4 of Squid. -Squid is a WWW Cache application developed by the National Laboratory -for Applied Network Research and members of the Web Caching community. -
-

-

1. Notice

- - -

-

2. Major new features since Squid-3.3

- - -

-

3. Changes to squid.conf since Squid-3.3

- - -

-

4. Changes to ./configure options since Squid-3.3

- - -

-

5. Regressions since Squid-2.7

- - - -
-

1. Notice

- -

The Squid Team are pleased to announce the release of Squid-3.4.0.0 for testing.

-

This new release is available for download from -http://www.squid-cache.org/Versions/v3/3.HEAD/ or the -mirrors.

-

While this release is not deemed ready for production use, we believe it is ready for wider testing by the community.

-

We welcome feedback and bug reports. If you find a bug, please see -http://wiki.squid-cache.org/SquidFaq/BugReporting -for how to submit a report with a stack trace.

- -

1.1 Known issues -

- -

Although this release is deemed good enough for use in many setups, please note the existence of -open bugs against Squid-3.4.

- - -

1.2 Changes since earlier releases of Squid-3.4 -

- -

The 3.4 change history can be -viewed here.

- -

2. Major new features since Squid-3.3

- -

Squid 3.4 represents a new feature release above 3.3.

- -

The most important of these new features are: -

-

-

Most user-facing changes are reflected in squid.conf (see below).

- - -

2.1 Helper protocol extensions -

- -

Details at -http://wiki.squid-cache.org/Features/AddonHelpers.

- -

The Squid helper protocol used to communicate with authenticators, -URL-rewriters, Redirectors, and External ACL helpers has been updated -and extended.

- -

BH status code is now accepted from all helpers to report -internal error events separate from ERR rejection code. -Permitting Squid to perform recovery operations specific to -helper failure instead of a blanket client rejection.

- -

Arbitrary key-value pairs can be returned from any helper. -Allowing future helpers to be forward- and backward- compatible -with this and future version of Squid.

- - -

2.2 SSL Server Certificate Validator -

- -

Details at -http://wiki.squid-cache.org/Features/SslServerCertValidator.

- -

The helper consulted after the internal OpenSSL validation, regardless of the -validation results. The helper will receive:

-

-

-

- -

If the helper decides to honor an OpenSSL error or report another validation -error(s), the helper will return:

-

-

-

- -

The returned information mimics what the internal OpenSSL-based validation code -collects now. Returned errors, if any, are fed to sslproxy_cert_error, -triggering the existing SSL error processing code.

- -

The helper invocation controlled by the sslcrtvalidator_program and -sslcrtvalidator_children configurations options which are similar to the -ssl_crtd related options.

- - -

2.3 Store-ID -

- -

Details at -http://wiki.squid-cache.org/Features/StoreID.

- -

This feature is a redesigned equivalent to the Squid-2.7 feature known as StoreURL-rewrite.

- -

Notice that this is not a direct portage of the Squid-2.7 feature so behaviour -differences do exist. Although the new feature works in similar enough ways that the old -helper scripts used for Squid-2.7 are expected to work in this and later versions of Squid.

- -

Squid traditionally uses the requested URL as an index key ID to locate objects in cache. -It is not the only key possible and the Store-ID feature exposes an API for external -helpers to provide Squid with an alternative key name for any URL.

- -

When any client request is received which requires a cache lookup the URL is passed to -a helper specified with the store_id_program directive to check for an alternative -Store ID. This allows the helper to identify URLs which refer to duplicate resources and -de-duplicate the cache content. store_id_access is provided to allow ACL-based -tuning of which traffic gets sent to the helper and reduce overheads.

- -

One subtle and noteworthy difference between Squid-2 and Squid-3 which is highlighted by -this feature is that refresh_pattern applies its regex argument against the Store -ID key and not the transaction URL. So using the Store-ID feature to alter the value -affects which refresh_pattern directive will be matched.

- -

Store-ID helpers bundled with Squid can be built with the --enable-storeid-rewrite-helpers -options which is added in this version. Currently there is a file helper -provided.

- - -

2.4 TPROXY Support for OpenBSD 5.1+ and FreeBSD 9+ -

- -

Details at -http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf.

- -

The Packet Filter (PF) firewall in OpenBSD 4.4 and later offers traffic interception -using several very simple methods. One of which is the divert-to rule type -which acts as a simple routing diversion instead of performing NAT packet alterations.

- -

The IP Firewall (IPFW) on FreeBSD 9+ contains a port of the Linux Netfilter TPROXY feature.

- -

This version of Squid adds support for these features through the ./configure -options --enable-pf-transparent and --enable-ipfw-transparent when Squid is built on -systems with the required support. No special extras are required to enable -http_port ... tproxy configuration to work.

- -

NOTE: To resolve NAT lookup issues on recent PF firewall versions the code behind -./configure --enable-pf-transparent has been altered and is expected to -break on the version of PF firewall shipped with BSD systems such as NetBSD and FreeBSD -which do not yet support the getsockname() API. -These systems require --with-nat-devpf to enable /dev/pf support when using PF firewall.

- - -

2.5 Transaction Annotations -

- -

Previously the only annotation methods available were ICAP/eCAP HTTP header insertions -or external ACL tag= result code. Each of which had only limited possibilities -for use and little or no correlation.

- -

It is now possible to add annotations to a client transaction from several sources: -

-

- -

Annotations on the transaction can be passed to ICAP services or eCAP modules using the -adaptation_meta directive to send them as headers. -They can also be logged using the %note log format code in custom logs. With -the new helper response syntax changes this means all helper response key=value details -such as URL-rewrite or store-id changes, external ACL tag etc. are now able to be logged.

- -

Annotations which are already assigned to a transaction can be checked using an ACL test -of the new note ACL type. This can match a particular note by name and value, -of for any notes with a given name.

- -

NOTE: not all helper interfaces are yet enabled to convert key=value into annotations -and the external ACL interface does not yet send annotations to the helper.

- - -

2.6 Multicast DNS -

- -

The internal DNS component fof Squid now supports multicast DNS (mDNS) resolution in -accordance with RFC 6762.

- -

There is no additional or special configuration required. The multicast DNS group IP -addresses for IPv4 and IPv6 resolving are added to the set of available DNS resolvers -and used automatically for domain names ending in .local before attempting a -secondary resolution on the configured resolvers. Domains without .local are -resolved using only the configured DNS resolvers.

- -

Statistics for multicast DNS resolution can be found on the idns cache manager -report.

- - -

3. Changes to squid.conf since Squid-3.3

- -

There have been changes to Squid's configuration file since Squid-3.3.

- -

Squid supports reading configuration option parameters from external -files using the syntax parameters("/path/filename"). For example: -

-    acl whitelist dstdomain parameters("/etc/squid/whitelist.txt")
-
-

- -

There hasve also been changes to individual directives in the config file.

-

This section gives a thorough account of those changes in three categories:

-

-

-

- - -

3.1 New tags -

- -

-

-
configuration_includes_quoted_values
-

Whether Squid supports directive parameters with spaces, quotes, and other -special characters. Surround such parameters with "double quotes".

- -
note
-

Use ACLs to annotate a transaction with customized annotations -which can be logged in access.log

- -
spoof_client_ip
-

Access control to determine whether to disable the TPROXY spoofing on upstream traffic.

- -
sslcrtvalidator_children
-

Specifies the settings for how many SSL server certificate -validator helpers are run and when they are started.

- -
sslcrtvalidator_program
-

Specifies the location of a SSL server certificate validator helper.

- -
store_id_access
-

Whether the URL for a given request is passed to the Store-ID helper process. -Used to improve StoreID performance by quickly eliminating helper delays using ACL tests.

-

Ported equivalent to storeurl_access from 2.7

- -
store_id_bypass
-

Whether the StoreID helper may be bypassed when overloaded.

- -
store_id_children
-

Controls the number of StoreID helper processes.

-

Options startup=N, idle=N, concurrency=N -

    -
  • startup=N allow finer tuning of how many helpers are started initially.
  • -
  • idle=N allow fine tuning of how many helper to retain as buffer against sudden traffic loads.
  • -
  • concurrency=N was previously called url_rewrite_concurrency as a distinct directive.
  • -
-

- -
storeurl_rewrite_program
-

A helper program to provide cache storage internal key ID value for a request.

-

Ported equivalent to storeurl_rewrite_program from 2.7

- -
-

- -

3.2 Changes to existing tags -

- -

-

-
access_log
-

Configuration syntax extended to support name=value options. -New Syntax: access_log module:place [option ...] [acl ...]

-

New option logformat= to specify the logging format name.

-

New option buffer-size= to specify how large the log buffer -for this log is to be when buffered_logs is enabled.

-

New option on-error= to specify what handling is to be done -if the logging module encounters a non-recoverable error writing logs. -With the value die (the default) Squid halts operation. -With the value drop Squid drops log lines and continue running.

- -
acl
-

New test type server_cert_fingerprint to match against -server SSL certificate fingerprint.

-

New test type note to match against transaction annotations -by name and value, or just by name.

-

New test type any-of to match if any one of a set of named ACLs.

-

New test type all-of to match against all of a set of named ACLs.

- -
auth_param
-

New result code BH to signal helper internal errors -available in all authentication schemes.

-

New key message= for error message details in all authentication schemes.

-

New result code OK and key ha1= in Digest authentication.

-

New result codes OK, ERR replace result codes AF, -and NA in NTLM and Negotiate authentication.

-

New key token= for NTLM and Negotiate authentication OK responses.

-

Details at -http://wiki.squid-cache.org/Features/AddonHelpers.

- -
external_acl_type
-

Deprecated protocol=3.0 option. No longer necessary.

-

New result code BH to signal helper internal errors

-

Details at -http://wiki.squid-cache.org/Features/AddonHelpers.

- -
http_port
-

Support IPv6 for intercept mode. Requires ip6tables support on Linux, -PF support on OpenBSD and IPFW support on FreeBSD. Squid will no longer complain -about misconfiguration if IPv6 support is missing, we now rely on the firewall -tools reporting misconfiguration when the NAT rules are created.

-

Support tproxy mode traffic on BSD systems with BINDANY support -(OpenBSD 5+, FreeBSD 9+ so far).

-

Changed build options behind intercept traffic mode handling on BSD. -see --enable-pf-transparent for more details.

- -
logformat
-

New format code %note to log a transaction annotation linked to the -transaction by ICAP, eCAP, a helper, or the note squid.conf directive.

-

New format code %>qos to log client connection TOS/DSCP value set by Squid.

-

New format code %<qos to log server connection TOS/DSCP value set by Squid.

-

New format code %>nfmark to log client connection netfilter mark set by Squid.

-

New format code %<nfmark to log server connection netfilter mark set by Squid.

- -
pipeline_prefetch
-

Updated to take a numeric count of prefetched pipeline requests instead of ON/OFF.

- -
refresh_pattern
-

NOTE: the regular expression pattern operates on the cache Store-ID value. -Which by default is identical to the requested URL, but may differ for some -objects if the Store-ID feature is in use.

- -
unlinkd_program
-

New helper response format utilizing result codes OK and BH, -to signal helper lookup results. Also, key-value response values to return -multiple values to Squid.

-

Details at -http://wiki.squid-cache.org/Features/AddonHelpers.

- -
url_rewrite_program
-

New helper response format utilizing result codes OK, ERR, -and BH to signal helper lookup results. Also, key-value response -values to return multiple values to Squid.

-

Details at -http://wiki.squid-cache.org/Features/AddonHelpers.

- -
-

- -

3.3 Removed tags -

- -

-

-
storeurl_access
-

Replaced by store_id_access.

- -
storeurl_rewrite_children
-

Replaced by store_id_children.

- -
storeurl_rewrite_concurrency
-

Replaced by store_id_children with concurrency=N option.

- -
storeurl_rewrite_program
-

Replaced by store_id_program.

- -
-

- - -

4. Changes to ./configure options since Squid-3.3

- -

There have been some changes to Squid's build configuration since Squid-3.3.

-

This section gives an account of those changes in three categories:

-

-

-

- - -

4.1 New options -

- -

-

-
--enable-storeid-rewrite-helpers
-

New option to control which Store-ID helpers are built. As with other -helper options use --disable-* to prevent any helpers building and -omit to get all helper auto-detected.

-

Currenly only a helper using file for backend is provided.

- -
--with-nat-pf
-

New option to alter the behaviour of http_port ... intercept option -in squid.conf.

-

When this option is used Squid performs the /dev/pf lookups required to -support PF rdr-to rules. Otherwise Squid will perform perform the -getsockname() API calls to support PF divert-to rules.

-

NOTE: systems such as NetBSD and FreeBSD which do not yet support -the getsockname() API in recent PF versions require this option.

- -
-

- -

4.2 Changes to existing options -

- -

-

-
--enable-pf-transparent
-

NAT table support updated to use the getsockname() API provided by the -latest PF versions divert-to. This allows http_port -in squid.conf to support both intercept and tproxy traffic -and to silence NAT lookup failure messages on recent BSD.

-

NOTE: systems such as NetBSD and FreeBSD which do not yet support -the getsockname() API in recent PF versions require --with-nat-devpf -to re-enable /dev/pf support when using PF firewall.

- -
-

-

4.3 Removed options -

- -

-

-

There are no removed ./configure options in Squid-3.4.

- -
-

- - -

5. Regressions since Squid-2.7

- -

Some squid.conf options which were available in Squid-2.7 are not yet available in Squid-3.4

- -

If you need something to do then porting one of these from Squid-2 to Squid-3 is most welcome.

- -

5.1 Missing squid.conf options available in Squid-2.7 -

- -

-

-
broken_vary_encoding
-

Not yet ported from 2.6

- -
cache_dir
-

COSS storage type is lacking stability fixes from 2.6

-

COSS overwrite-percent= option not yet ported from 2.6

-

COSS max-stripe-waste= option not yet ported from 2.6

-

COSS membufs= option not yet ported from 2.6

-

COSS maxfullbufs= option not yet ported from 2.6

- -
cache_peer
-

idle= not yet ported from 2.7

-

monitorinterval= not yet ported from 2.6

-

monitorsize= not yet ported from 2.6

-

monitortimeout= not yet ported from 2.6

-

monitorurl= not yet ported from 2.6

- -
cache_vary
-

Not yet ported from 2.6

- -
collapsed_forwarding
-

Not yet ported from 2.6

- -
error_map
-

Not yet ported from 2.6

- -
external_refresh_check
-

Not yet ported from 2.7

- -
ignore_ims_on_miss
-

Not yet ported from 2.7

- -
location_rewrite_access
-

Not yet ported from 2.6

- -
location_rewrite_children
-

Not yet ported from 2.6

- -
location_rewrite_concurrency
-

Not yet ported from 2.6

- -
location_rewrite_program
-

Not yet ported from 2.6

- -
refresh_pattern
-

stale-while-revalidate= not yet ported from 2.7

-

ignore-stale-while-revalidate= not yet ported from 2.7

-

negative-ttl= not yet ported from 2.7

- -
refresh_stale_hit
-

Not yet ported from 2.7

- -
update_headers
-

Not yet ported from 2.7

- -
-

- - - diff --git a/doc/release-notes/release-3.4.sgml b/doc/release-notes/release-3.4.sgml index 3bde1bfb01..3306f1f680 100644 --- a/doc/release-notes/release-3.4.sgml +++ b/doc/release-notes/release-3.4.sgml @@ -18,9 +18,10 @@ The Squid Team are pleased to announce the release of Squid-3.4.8 for testing. This new release is available for download from or the . -While this release is not deemed ready for production use, we believe it is ready for wider testing by the community. +

Some interestign ne features adding system flexibility have been added along with general improvements all around. + While this release is not fully bug-free we believe it is ready for use in production on many systems. -We welcome feedback and bug reports. If you find a bug, please see +

We welcome feedback and bug reports. If you find a bug, please see for how to submit a report with a stack trace. Known issues -- 2.47.2
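Review bot: The commit message, "Release Notes update for 3.4", does not mention that doc/release-notes/release-3.4.html is deleted outright, which accounts for 573 of the 575 removed lines. Suggest saying in the message why the HTML copy is dropped and whether release-3.4.sgml is now the only copy of these notes. Separately, the removed text names the PF build option both as --with-nat-pf (section 4.1 heading) and as --with-nat-devpf (the NOTE paragraphs in 2.4 and 4.2), and describes store_id_program under a storeurl_rewrite_program heading in section 3.1; if release-3.4.sgml carries the same wording, it is worth correcting there.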
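Review bot: The sentence added in the release-3.4.sgml hunk contains two typos, "interestign ne features", which should read "interesting new features". The replacement line now says the release "is ready for use in production on many systems", while the unchanged context line just above still announces Squid-3.4.8 "for testing"; suggest updating that line in the same change so the notice does not contradict itself. A comma after "bug-free" would also help the new sentence read cleanly.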