Squid 2.5 release notes

1. Key changes from squid 2.4:

Major rewrite of proxy authentication to support other schemes +than basic. First in the line is NTLM support but others can +easily be added (minimal digest is present). See the Programmers +Guide for the internals. +Thanks to the SAMBA team for some excellent collaboration on the +NTLM support! +(Robert Collins & Francesco Chemolli)

Optimized searching in proxy_auth and ident ACL types. Squid +should now handle large access lists a lot more efficiently. +(Francesco Chemolli)

Fixed forwarding/peer loop detection code (Brian Degenhardt) - +now a peer is ignored if it turns out to be us, rather than +committing suicide

Changed the internal URL code to obey appendDomain for +internal objects if it needs appending. This fixes weirdnesses +where a machine can think it is "foo.bar.com", and "foo" is +requested. +(Brian Degenhardt)

Added the use of Automake to create the Makefile.in's in the +squid source tree. This will allow libtool in the future, and +immediately allows better dependency tracking - with or +without gcc - as well as the dist-all and distcheck targets +for developers which respectively build a tar.gz and a tar.bz2 +distribution, and check that what will be distributed builds. +(Robert Collins)

Added TOS and source address selection based on ACLs, +written by Roger Venning. This allows administrators to set +the TOS precedence bits and/or the source IP from a set of +available IPs based upon some ACLs, generally to map different +users to different outgoing links and traffic profiles.

Added 'max-conn' option to 'cache_peer'

Added SSL gatewaying support, allowing Squid to act as a SSL +server in accelerator setups.

Many new authentication helpers.

no_cache now applies to cache hits as well as cache misses

the Gopher client in Squid has been significantly improved

Squid now sanity checks FTP data connections to ensure the +connection is from the requested server. Can be disabled if +needed by turning off the ftp_sanitycheck option.

external acl support. A mechanism where flexible ACL checks +can be driven by external helpers. See the external_acl_type +and acl external directives.

Countless other small things and fixes

HTML pages generated by Squid or CacheMgr as well as the +ERR documents now contain a doctype declaration so that +browsers know which HTML specification the document uses. +In addition to that they have a new look +(background-color, font) and are valid according to the HTML +standards at www.w3.org. +(Clemens Löser)

Login and password send to Basic auth helpers is now URL +escaped to allow for spaces and other "odd" characters in +logins and passwords

Proxy Authentication is no longer blindly forwarded to peer +caches if not used locally. If forwarding of proxy authentication +is desired then it must now be configured with the login=PASS +cache_peer option.

Responses with Vary: in the header are now cached by squid. +(Henrik Nordstrom).

2. Changes to squid.conf

http_port

Allows ip address specification.

https_port

This is an option for use with SSL acceleration - it determines where squid listens for SSL requests.

ssl_unclean_shutdown

This is used to handle some bugs in browsers that don't fully support SSL.

tcp_incoming_address

This has been removed - use the http_port line to specify ip address's.

cache_peer

login= has been extended to allow pass through authentication, fixed password authentication and maximum connection limits.

hosts_file

Directs squid to read in a set of name-address associations upon startup and reconfiguration.

authenticate_program

authenticate_children

proxy_auth_realm

Removed. See auth_param.

auth_param

This replaces the authenticate_program directive. It allows configuration of multiple authentication helpers, one for each of the supported authentication schemes. Such schemes include "NTLM", "Digest (from RFC 2617)", and "Basic".

authenticate_cache_garbage_interval

This directive sets the garbage collection interval for the authentication cache.

external_acl_type

This directive configures the new external ACL Helper interface. VERY useful for authenticating by group membership - i.e. from an LDAP server or NT domain.

request_body_max_size

The default for this is now 0 - unlimited.

reply_body_max_size

Now multiple size limits are allowed based on ACL lists.

refresh_pattern

The default is now blank - users must uncomment the suggested default to use it. This allows the use of a blank refresh pattern if desired.

request_timeout

Raised the default to 5 minutes.

persistent_request_timeout

New directive - how long to wait after a reply is completed before closing the connection.

acl

New acl types +

referer_regex (match Referer headers),
max_user_ip (limit concurrent IP's a single user may use)
rep_mime_type (filter replies based on their content type).
external (use an external helper)

http_reply_access

Limit HTTP replies based on ACL's. This is complementary to http_access.

tcp_outgoing_tos

tcp_outgoing_ds

tcp_outgoing_dscp

These three directives allow marking of outbound connections at the IP level - i.e. for choosing routes based on the usercode.

tcp_outgoing_address

Allows mapping of requests onto specific outbound IP address's.

anonymize_headers

Removed. See header_access.

header_access

Allow granular filtering of HTTP headers.

header_replace

Replace specific headers with custom values.

pipeline_prefetch

Now defaults to off for bandwidth management and access logging reasons.

vary_ignore_expire

Enables a workaround for web servers that immediately expire Varied objects because they think squid is unable to handle Vary:.

sleep_after_fork

Give the OS a small amount of time to accomodate the fork+exec used to launch helpers - if squid has a lot of virtual memory allocated the OS may run out of virtual memory during helper spawning otherwise.

+Squid 2.5 release notes +Squid Developers +$Id: release-2.5.sgml,v 1.2 2002/08/31 13:16:13 robertc Exp $ + + +This document contains the release notes for version 2.5 of Squid. +Squid is a WWW Cache application developed by the National Laboratory +for Applied Network Research and members of the Web Caching community. + + + +Key changes from squid 2.4: +

+ + Major rewrite of proxy authentication to support other schemes + than basic. First in the line is NTLM support but others can + easily be added (minimal digest is present). See the Programmers + Guide for the internals. + Thanks to the SAMBA team for some excellent collaboration on the + NTLM support! + (Robert Collins & Francesco Chemolli) + Optimized searching in proxy_auth and ident ACL types. Squid + should now handle large access lists a lot more efficiently. + (Francesco Chemolli) + Fixed forwarding/peer loop detection code (Brian Degenhardt) - + now a peer is ignored if it turns out to be us, rather than + committing suicide + Changed the internal URL code to obey appendDomain for + internal objects if it needs appending. This fixes weirdnesses + where a machine can think it is "foo.bar.com", and "foo" is + requested. + (Brian Degenhardt) + Added the use of Automake to create the Makefile.in's in the + squid source tree. This will allow libtool in the future, and + immediately allows better dependency tracking - with or + without gcc - as well as the dist-all and distcheck targets + for developers which respectively build a tar.gz and a tar.bz2 + distribution, and check that what will be distributed builds. + (Robert Collins) + Added TOS and source address selection based on ACLs, + written by Roger Venning. This allows administrators to set + the TOS precedence bits and/or the source IP from a set of + available IPs based upon some ACLs, generally to map different + users to different outgoing links and traffic profiles. + Added 'max-conn' option to 'cache_peer' + Added SSL gatewaying support, allowing Squid to act as a SSL + server in accelerator setups. + Many new authentication helpers. + no_cache now applies to cache hits as well as cache misses + the Gopher client in Squid has been significantly improved + Squid now sanity checks FTP data connections to ensure the + connection is from the requested server. Can be disabled if + needed by turning off the ftp_sanitycheck option. + external acl support. A mechanism where flexible ACL checks + can be driven by external helpers. See the external_acl_type + and acl external directives. + Countless other small things and fixes + HTML pages generated by Squid or CacheMgr as well as the + ERR documents now contain a doctype declaration so that + browsers know which HTML specification the document uses. + In addition to that they have a new look + (background-color, font) and are valid according to the HTML + standards at www.w3.org. + (Clemens Löser) + Login and password send to Basic auth helpers is now URL + escaped to allow for spaces and other "odd" characters in + logins and passwords + Proxy Authentication is no longer blindly forwarded to peer + caches if not used locally. If forwarding of proxy authentication + is desired then it must now be configured with the login=PASS + cache_peer option. + Responses with Vary: in the header are now cached by squid. + (Henrik Nordstrom). + + +Changes to squid.conf +

+http_portAllows ip address specification. +https_portThis is an option for use with SSL acceleration - it determines where squid listens for SSL requests. +ssl_unclean_shutdownThis is used to handle some bugs in browsers that don't fully support SSL. +tcp_incoming_addressThis has been removed - use the http_port line to specify ip address's. +cache_peerlogin= has been extended to allow pass through authentication, fixed password authentication and maximum connection limits. +hosts_fileDirects squid to read in a set of name-address associations upon startup and reconfiguration. +authenticate_program

authenticate_children

proxy_auth_realmRemoved. See auth_param. +auth_paramThis replaces the authenticate_program directive. It allows configuration of multiple authentication helpers, one for each of the supported authentication schemes. Such schemes include "NTLM", "Digest (from RFC 2617)", and "Basic". +authenticate_cache_garbage_intervalThis directive sets the garbage collection interval for the authentication cache. +external_acl_typeThis directive configures the new external ACL Helper interface. VERY useful for authenticating by group membership - i.e. from an LDAP server or NT domain. +request_body_max_sizeThe default for this is now 0 - unlimited. +reply_body_max_sizeNow multiple size limits are allowed based on ACL lists. +refresh_patternThe default is now blank - users must uncomment the suggested default to use it. This allows the use of a blank refresh pattern if desired. +request_timeoutRaised the default to 5 minutes. +persistent_request_timeout New directive - how long to wait after a reply is completed before closing the connection. +aclNew acl typesreferer_regex (match Referer headers), +max_user_ip (limit concurrent IP's a single user may use) +rep_mime_type (filter replies based on their content type). +external (use an external helper) +http_reply_accessLimit HTTP replies based on ACL's. This is complementary to http_access. +tcp_outgoing_tos

tcp_outgoing_ds

tcp_outgoing_dscpThese three directives allow marking of outbound connections at the IP level - i.e. for choosing routes based on the usercode. +tcp_outgoing_addressAllows mapping of requests onto specific outbound IP address's. +anonymize_headersRemoved. See header_access. +header_accessAllow granular filtering of HTTP headers. +header_replaceReplace specific headers with custom values. +pipeline_prefetchNow defaults to off for bandwidth management and access logging reasons. +vary_ignore_expireEnables a workaround for web servers that immediately expire Varied objects because they think squid is unable to handle Vary:. +sleep_after_forkGive the OS a small amount of time to accomodate the fork+exec used to launch helpers - if squid has a lot of virtual memory allocated the OS may run out of virtual memory during helper spawning otherwise. + +