+Changes to squid-3.1.12.1 (19 Apr 2011):
+
+ - Port from 3.2: Dynamic SSL Certificate generation
+ - Bug 3194: selinux may prevent ntlm_smb_lm_auth from using /tmp
+ - Bug 3185: 3.1.11 fails to compile on OpenBSD 4.8 and 4.9
+ - Bug 3183: Invalid URL accepted with url host part of only '@'
+ - Display ERROR in cache.log for invalid configured paths
+ - Cache Manager: send User-Agent header from cachemgr.cgi
+ - ... and many portability compile fixes for non-GCC systems.
+
Changes to squid-3.1.12 (04 Apr 2011):
- Regression fix: Use bigger buffer for server reads.
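Review bot: the entry "Port from 3.2: Dynamic SSL Certificate generation" backports a new feature into a stable point release without saying it is build-time optional; since the release notes in this same change add a `--enable-ssl-crtd` configure option and new `sslcrtd_program`/`sslcrtd_children` directives, the ChangeLog line should say the feature is inactive unless built with `--enable-ssl-crtd`, so packagers of 3.1.12.1 know whether their builds gain a new helper process and a new squid.conf surface. Separately, Bug 3183 ("Invalid URL accepted with url host part of only '@'") is an input-validation fix in request parsing rather than a cosmetic one; a short qualifier in the entry (what was accepted, what is now rejected) would help downstream maintainers decide whether to backport it on its own.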
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.66">
- <TITLE>Squid 3.1.12 release notes</TITLE>
+ <TITLE>Squid 3.1.12.1 release notes</TITLE>
</HEAD>
<BODY>
-<H1>Squid 3.1.12 release notes</H1>
+<H1>Squid 3.1.12.1 release notes</H1>
<H2>Squid Developers</H2>
<HR>
<LI><A NAME="toc2.5">2.5</A> <A HREF="#ss2.5">Connection Pinning (for NTLM Auth Passthrough)</A>
<LI><A NAME="toc2.6">2.6</A> <A HREF="#ss2.6">Quality of Service (QoS) Flow support</A>
<LI><A NAME="toc2.7">2.7</A> <A HREF="#ss2.7">SSL Bump (for HTTPS Filtering and Adaptation)</A>
-<LI><A NAME="toc2.8">2.8</A> <A HREF="#ss2.8">eCAP Adaptation Module support</A>
-<LI><A NAME="toc2.9">2.9</A> <A HREF="#ss2.9">ICAP Bypass and Retry enhancements</A>
-<LI><A NAME="toc2.10">2.10</A> <A HREF="#ss2.10">ICY streaming protocol support</A>
+<LI><A NAME="toc2.8">2.8</A> <A HREF="#ss2.8">Dynamic SSL Certificate Generation</A>
+<LI><A NAME="toc2.9">2.9</A> <A HREF="#ss2.9">eCAP Adaptation Module support</A>
+<LI><A NAME="toc2.10">2.10</A> <A HREF="#ss2.10">ICAP Bypass and Retry enhancements</A>
+<LI><A NAME="toc2.11">2.11</A> <A HREF="#ss2.11">ICY streaming protocol support</A>
</UL>
<P>
<H2><A NAME="toc3">3.</A> <A HREF="#s3">Changes to squid.conf since Squid-3.0</A></H2>
<HR>
<H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2>
-<P>The Squid Team are pleased to announce the release of Squid-3.1.12</P>
+<P>The Squid Team are pleased to announce the release of Squid-3.1.12.1</P>
<P>This new release is available for download from
<A HREF="http://www.squid-cache.org/Versions/v3/3.1/">http://www.squid-cache.org/Versions/v3/3.1/</A> or the
<A HREF="http://www.squid-cache.org/Mirrors/http-mirrors.html">mirrors</A>.</P>
<LI>eCAP Adaptation Module support</LI>
<LI>ICAP Bypass and Retry enhancements</LI>
<LI>ICY streaming protocol support</LI>
+<LI>Dynamic SSL Certificate Generation (3.1.12.1 and later)</LI>
</UL>
</P>
<P>Most user-facing changes are reflected in squid.conf (see below).</P>
configuration. Use of interception for port 443 is not officially supported, despite
being known to work under certain limited networking circumstances.</P>
+<H2><A NAME="ss2.8">2.8</A> <A HREF="#toc2.8">Dynamic SSL Certificate Generation</A>
+</H2>
+
+<P> SslBump users know how many certificate warnings a single complex site
+(using dedicated image, style, and/or advertisement servers for embedded content)
+can generate. The warnings are legitimate and are caused by Squid-provided site
+certificate. Two things may be wrong with that certificate:
+<UL>
+<LI> Squid certificate is not signed by a trusted authority.</LI>
+<LI> Squid certificate name does not match the site domain name.</LI>
+</UL>
+
+Squid can do nothing about (A), but in most targeted environments, users will
+trust the "man in the middle" authority and install the corresponding root
+certificate.</P>
-<H2><A NAME="ss2.8">2.8</A> <A HREF="#toc2.8">eCAP Adaptation Module support</A>
+<P>To avoid mismatch (B), the DynamicSslCert feature concentrates on generating
+site certificates that match the requested site domain name. Please note that
+the browser site name check does not really add much security in an SslBump
+environment where the user already trusts the "man in the middle". The check
+only adds warnings and creates page rendering problems in browsers that try to
+reduce the number of warnings by blocking some embedded content.</P>
+
+<H2><A NAME="ss2.9">2.9</A> <A HREF="#toc2.9">eCAP Adaptation Module support</A>
</H2>
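Review bot: the text at "Squid can do nothing about (A)" and "To avoid mismatch (B)" refers to labels that the bullet list never carries; the two <LI> items are unlettered, so a reader cannot tell which is (A) and which is (B). Either letter the items ("(A) Squid certificate is not signed by a trusted authority." / "(B) Squid certificate name does not match the site domain name.") or replace the references with words ("the untrusted signer", "the name mismatch"). The section also introduces the feature without saying how it is turned on; one sentence pointing to `--enable-ssl-crtd` and the `sslcrtd_program`/`sslcrtd_children` directives documented later in these notes would save users a search. The claim that the browser name check "does not really add much security" holds only because the user has installed the Squid signing authority as a trusted root; say plainly that every generated, name-matching certificate is minted under that authority's key, so protecting that key on the proxy host is the entire security boundary of the feature. Minor: "caused by Squid-provided site certificate" wants an article ("by the Squid-provided site certificate"). Since the META line above marks this HTML as LinuxDoc-Tools output, make these fixes in the .sgml source and regenerate rather than editing the HTML directly.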
<P>Details in
<P>Currently known and available eCAP modules are listed in the wiki feature page on eCAP.</P>
-<H2><A NAME="ss2.9">2.9</A> <A HREF="#toc2.9">ICAP Bypass and Retry enhancements</A>
+<H2><A NAME="ss2.10">2.10</A> <A HREF="#toc2.10">ICAP Bypass and Retry enhancements</A>
</H2>
<P>Details in
environments yet may be small enough to limit side-effects of loops.</P>
-<H2><A NAME="ss2.10">2.10</A> <A HREF="#toc2.10">ICY streaming protocol support</A>
+<H2><A NAME="ss2.11">2.11</A> <A HREF="#toc2.11">ICY streaming protocol support</A>
</H2>
<P>Squid-3.1 adds native support for streaming protocol ICY.
</PRE>
</P>
+<DT><B>sslcrtd_program</B><DD>
+<P>Specify the location and options of the executable for ssl_crtd process.</P>
+
+<DT><B>sslcrtd_children</B><DD>
+<P> Configures the number of sslcrtd processes to spawn</P>
+
<DT><B>sslproxy_cert_error</B><DD>
<P>New Access Control to selectively bypass server certificate validation errors.
DEFAULT: None bypassed.
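Review bot: `sslcrtd_program` and `sslcrtd_children` are documented without defaults, while the neighbouring `sslproxy_cert_error` entry carries a "DEFAULT:" line; add the default helper path and child count, or state "no default; required when built with --enable-ssl-crtd". The two entries also spell the helper inconsistently ("ssl_crtd process" in one, "sslcrtd processes" in the other); use the binary's actual name throughout. Both directives should also say they are ignored unless Squid was configured with `--enable-ssl-crtd`, which the configure-option text added in this change implies but the directive text does not.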
original or indirect client when a request has been forwarded through other
proxies.</P>
+<DT><B>--enable-ssl-crtd</B><DD>
+<P>Prevent Squid from direct generation of SSL private key and
+certificate request and instead enables the <EM>ssl_crtd</EM> processes.</P>
+
<DT><B>--enable-zph-qos</B><DD>
<P>Build with support for ZPH Quality of Service controls</P>
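Review bot: the sentence "Prevent Squid from direct generation of SSL private key and certificate request and instead enables the ssl_crtd processes" mixes number ("Prevent ... enables") and describes the option only by what it turns off; a clearer form is "Builds the ssl_crtd helper and makes Squid delegate certificate generation to the `sslcrtd_program` processes instead of generating keys and certificates in-process", followed by a note that `sslcrtd_program` and `sslcrtd_children` are unavailable without this option. "certificate request" is also misleading if the helper emits signed site certificates, as the Dynamic SSL Certificate Generation section says, rather than certificate signing requests; pick the term that matches what the helper actually produces.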
<!doctype linuxdoc system>
<article>
-<title>Squid 3.1.12 release notes</title>
+<title>Squid 3.1.12.1 release notes</title>
<author>Squid Developers</author>
<abstract>
<sect>Notice
<p>
-The Squid Team are pleased to announce the release of Squid-3.1.12
+The Squid Team are pleased to announce the release of Squid-3.1.12.1
This new release is available for download from <url url="http://www.squid-cache.org/Versions/v3/3.1/"> or the <url url="http://www.squid-cache.org/Mirrors/http-mirrors.html" name="mirrors">.
<item>eCAP Adaptation Module support
<item>ICAP Bypass and Retry enhancements
<item>ICY streaming protocol support
+ <item>Dynamic SSL Certificate Generation (3.1.12.1 and later)
</itemize>
Most user-facing changes are reflected in squid.conf (see below).
configuration. Use of interception for port 443 is not officially supported, despite
being known to work under certain limited networking circumstances.
+<sect1> Dynamic SSL Certificate Generation
+<p> SslBump users know how many certificate warnings a single complex site
+(using dedicated image, style, and/or advertisement servers for embedded content)
+can generate. The warnings are legitimate and are caused by Squid-provided site
+certificate. Two things may be wrong with that certificate:
+<itemize>
+ <item> Squid certificate is not signed by a trusted authority.
+ <item> Squid certificate name does not match the site domain name.
+</itemize>
+Squid can do nothing about (A), but in most targeted environments, users will
+trust the "man in the middle" authority and install the corresponding root
+certificate.
+
+<p>To avoid mismatch (B), the DynamicSslCert feature concentrates on generating
+site certificates that match the requested site domain name. Please note that
+the browser site name check does not really add much security in an SslBump
+environment where the user already trusts the "man in the middle". The check
+only adds warnings and creates page rendering problems in browsers that try to
+reduce the number of warnings by blocking some embedded content.
<sect1>eCAP Adaptation Module support
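Review bot: same (A)/(B) labelling problem as in the generated HTML: the <itemize> items "Squid certificate is not signed by a trusted authority." and "Squid certificate name does not match the site domain name." carry no letters, yet the following paragraphs say "(A)" and "(B)". This .sgml file is the source (the HTML declares GENERATOR LinuxDoc-Tools), so fix it here: letter the items or spell them out, add the article in "caused by Squid-provided site certificate", mention that the feature requires `--enable-ssl-crtd` plus `sslcrtd_program`/`sslcrtd_children`, and state that all generated certificates are signed by the "man in the middle" authority whose root the users install, making that signing key the asset to protect; then regenerate the HTML instead of maintaining two hand-edited copies.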
# ssl_bump allow all
</verb>
+ <tag>sslcrtd_program</tag>
+ <p>Specify the location and options of the executable for ssl_crtd process.
+
+ <tag>sslcrtd_children</tag>
+ <p> Configures the number of sslcrtd processes to spawn
+
<tag>sslproxy_cert_error</tag>
<p>New Access Control to selectively bypass server certificate validation errors.
DEFAULT: None bypassed.
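Review bot: as in the HTML copy, the `sslcrtd_program` and `sslcrtd_children` tags lack the DEFAULT line that the adjacent `sslproxy_cert_error` tag has, use two spellings of the helper name ("ssl_crtd process" vs "sslcrtd processes"), and do not say that they only take effect in a `--enable-ssl-crtd` build. Fix here in the SGML source and regenerate the HTML.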
original or indirect client when a request has been forwarded through other
proxies.
+ <tag>--enable-ssl-crtd</tag>
+ <p>Prevent Squid from direct generation of SSL private key and
+ certificate request and instead enables the <em>ssl_crtd</em> processes.
+
<tag>--enable-zph-qos</tag>
<p>Build with support for ZPH Quality of Service controls
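Review bot: same wording problem as the HTML copy of this entry: "Prevent Squid from direct generation ... and instead enables" disagrees in number and says nothing about what the option adds. Rewrite in the SGML source as "Builds the ssl_crtd helper and makes Squid delegate certificate generation to the `sslcrtd_program` processes instead of generating keys and certificates in-process", note that `sslcrtd_program` and `sslcrtd_children` depend on it, and check whether "certificate request" should read "certificate", then regenerate.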
DEFAULT: on
LOC: Adaptation::Icap::TheConfig.icap_uses_indirect_client
DOC_START
- Controls whether the indirect client address
- (see follow_x_forwarded_for) instead of the
- direct client address is passed to an ICAP
- server as "X-Client-IP".
+ Controls whether the indirect client IP address (instead of the direct
+ client IP address) is passed to adaptation services.
+
+ See also: follow_x_forwarded_for adaptation_send_client_ip
DOC_END
NAME: via
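Review bot: the new DOC text generalizes from ICAP to "adaptation services" (so eCAP is implied), but the LOC line above still reads Adaptation::Icap::TheConfig.icap_uses_indirect_client, an ICAP-specific config member; either move the setting to a shared Adaptation config so eCAP can actually read it, or keep the documentation ICAP-scoped so it does not promise behaviour the code may not have. The "See also:" line lists two directive names with no separator ("follow_x_forwarded_for adaptation_send_client_ip"); "See also: follow_x_forwarded_for, adaptation_send_client_ip" is unambiguous. Dropping the explicit "X-Client-IP" mention here is fine since adaptation_send_client_ip now documents that header.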
For a class 5 delay pool:
-delay_parameters pool tag
+delay_parameters pool tagrate
The variables here are:
number specified in delay_pools as used in
delay_class lines.
- aggregate the "delay parameters" for the aggregate bucket
+ aggregate the speed limit parameters for the aggregate bucket
(class 1, 2, 3).
- individual the "delay parameters" for the individual
+ individual the speed limit parameters for the individual
buckets (class 2, 3).
- network the "delay parameters" for the network buckets
+ network the speed limit parameters for the network buckets
(class 3).
- user the delay parameters for the user buckets
+ user the speed limit parameters for the user buckets
(class 4).
- tag the delay parameters for the tag buckets
+ tagrate the speed limit parameters for the tag buckets
(class 5).
A pair of delay parameters is written restore/maximum, where restore is
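Review bot: the hunk changes four occurrences of "delay parameters" to "speed limit parameters" but leaves the unchanged context sentence "A pair of delay parameters is written restore/maximum", so the text now defines "speed limit parameters" for each bucket and then explains the format of "delay parameters"; update that sentence too so the terminology is consistent within the directive. The rename of the class-5 placeholder from `tag` to `tagrate` in "delay_parameters pool tagrate" only touches the documented syntax (the format stays positional), which is fine, but grep the remaining documentation and examples for "delay_parameters pool tag" and change them the same way so the old and new spellings do not coexist.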
LOC: Adaptation::Icap::TheConfig.send_client_ip
DEFAULT: off
DOC_START
- This adds the header "X-Client-IP" to ICAP requests.
+ If enabled, Squid shares HTTP client IP information with adaptation
+ services. For ICAP, Squid adds the X-Client-IP header to ICAP requests.
+ For eCAP, Squid sets the libecap::metaClientIp transaction option.
+
+ See also: adaptation_uses_indirect_client
DOC_END
NAME: icap_send_client_username
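Review bot: same LOC mismatch as the previous directive: the text now says that for eCAP "Squid sets the libecap::metaClientIp transaction option", but LOC is Adaptation::Icap::TheConfig.send_client_ip, an ICAP-specific member; if eCAP transactions read this setting it should live in a shared Adaptation config, otherwise the eCAP sentence overstates what the option controls. Since the directive exports client IP addresses to adaptation services that may run on other hosts, a one-line caveat explaining that this is why DEFAULT remains off would help administrators decide when to enable it.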