From: Amos Jeffries Date: Sat, 9 Feb 2013 07:15:55 +0000 (-0700) Subject: Release Notes: update and spelling corrections X-Git-Tag: SQUID_3_2_8~14 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1ecfff9614f44c8daecbe2535b3e7b12607c457a;p=thirdparty%2Fsquid.git Release Notes: update and spelling corrections * Move the formal deprecation of upgrade_headers to 3.2. * spell-check 3.2 release notes * spell-check squid.conf.documented --- diff --git a/doc/release-notes/release-3.2.sgml b/doc/release-notes/release-3.2.sgml index 6e12c7498b..79e03d1d8e 100644 --- a/doc/release-notes/release-3.2.sgml +++ b/doc/release-notes/release-3.2.sgml @@ -16,7 +16,8 @@ for Applied Network Research and members of the Web Caching community. The Squid Team are pleased to announce the release of Squid-3.2.7 for testing. -This new release is available for download from or the . +This new release is available for download from or the + . While this release is not deemed ready for production use, we believe it is ready for wider testing by the community. @@ -25,7 +26,8 @@ report with a stack trace. Known issues

-Although this release is deemed good enough for use in many setups, please note the existence of . +Although this release is deemed good enough for use in many setups, please note the existence of +.

Some issues to note as currently known in this release which are not able to be fixed in the 3.2 series are: @@ -90,7 +92,7 @@ Most user-facing changes are reflected in squid.conf (see below). DNS lookups to locate alternative DIRECT destinations will not be done.

Known Issue: When non-strict validation fails Squid will relay the request, but can only do - so safely to the orginal destination IP the client was contacting. The client original + so safely to the original destination IP the client was contacting. The client original destination IP is lost when relaying to peers in a hierarchy. This means the upstream peers are still at risk of causing same-origin bypass CVE-2009-0801 vulnerability. Developer time is required to implement safe transit of these requests. @@ -175,7 +177,7 @@ Most user-facing changes are reflected in squid.conf (see below). path and parameters as its own command parameters. The concurrency setting already existing in Squid is used to configure how many child helpers it may run. -

For example, a traditional configration is +

For example, a traditional configuration is url_rewrite_program /your/redirector.sh url_rewrite_children 5 @@ -204,10 +206,10 @@ Most user-facing changes are reflected in squid.conf (see below).

The on-demand helpers feature allows greater flexibility and resolves this problem by allowing maximum, initial and idle thresholds to be configured. Squid will start the initial set during start and reconfigure phases. However over the operational use new helpers up to the maxium will - be started as load demands. The idle threshold determins how many more helpers to start if the + be started as load demands. The idle threshold determines how many more helpers to start if the currently running set is not enough to handle current request loads. -

For example, a traditional configration is +

For example, a traditional configuration is auth_param ntlm /usr/libexec/squid/ntlm_auth auth_param ntlm children 200 @@ -258,7 +260,7 @@ Most user-facing changes are reflected in squid.conf (see below). External ACL helpers

mswin_check_ad_group - ext_ad_group_acl - Check logged in users Group membership using Active Directory. - ip_user_check - ext_file_userip_acl - Restrict users to cetain IP addresses, using a text file backend. + ip_user_check - ext_file_userip_acl - Restrict users to certain IP addresses, using a text file backend. squid_kerb_ldap - ext_kerberos_ldap_group_acl - Check logged in Kerberos or NTLM users Group membership using LDAP. squid_ldap_group - ext_ldap_group_acl - Check logged in users Group membership using LDAP. mswin_check_lm_group - ext_lm_group_acl - Check logged in users Group membership using LanManager. @@ -303,8 +305,8 @@ Most user-facing changes are reflected in squid.conf (see below). Solaris 10 pthreads Support (Experimental)

Automatic detection and use of the pthreads library available from Solaris 10 -

The result of this addition means that faster more efficient AUFS cache storage mechanisims - are now available in Solaris 10. +

The result of this addition means that faster more efficient AUFS cache storage mechanism + is now available in Solaris 10.

Support is experimental at this stage due to lack of feedback on the results of enabling it. We recommend giving AUFS a try for faster disk storage and encourage feedback. @@ -316,14 +318,14 @@ Most user-facing changes are reflected in squid.conf (see below). feature support in Squid. This release opens Surrogate support to all reverse proxies.

Reverse proxy requests sent on to the web server include the HTTP header Surrogate-Capabilities: - specifying the capabilities of the reverse proxy along with an ID which can be used to target reponses with + specifying the capabilities of the reverse proxy along with an ID which can be used to target responses with a Surrogate-Control: HTTP header used instead of the Cache-Control: header.

The default surrogate ID is generated automatically from the Squid site-unique hostname as found by the automatic detection or manual configuration of visible_hostname although can be configured separately with the httpd_accel_surrogate_id option. -

Security Considerations: Websites sould be careful of accepting any surrogate ID. +

Security Considerations: Websites should be careful of accepting any surrogate ID. Older releases of Squid leak the Surrogate-Control headers to external servers. This 3.2 series of Squid will now prevent this leakage of its own ID destined responses, however it is possible and for some uses desirable to receive external reverse-proxies Surrogate-Capabilities: headers. @@ -429,7 +431,7 @@ Most user-facing changes are reflected in squid.conf (see below). should contain a complete HTML page, with optional client-side scripting. must not contain server-side scripting. - will have macro substitution performed on it using the same macros as used by the error page tempates. + will have macro substitution performed on it using the same macros as used by the error page templates.

Version 3.2 of the CGI cache manager tool now presents XHR scripted probes to detect @@ -458,32 +460,32 @@ This section gives a thorough account of those changes in three categories: headers or eCAP options to Squid ICAP requests or eCAP transactions. adaptation_send_client_ip -

Same as depricated icap_send_client_ip +

Same as deprecated icap_send_client_ip but applies to both ICAP and eCAP.

adaptation_send_username -

Same as depricated icap_send_client_username +

Same as deprecated icap_send_client_username but applies to both ICAP and eCAP.

adaptation_uses_indirect_client -

Same as depricated icap_uses_indirect_client +

Same as deprecated icap_uses_indirect_client but applies to both ICAP and eCAP.

client_delay_pools -

New setting for client bandwith limits to specifies the number +

New setting for client bandwidth limits to specifies the number of client delay pools used. client_delay_initial_bucket_level -

New setting for client bandwith limits to determine the initial +

New setting for client bandwidth limits to determine the initial bucket size as a percentage of max_bucket_size from client_delay_parameters. client_delay_parameters -

New setting for client bandwith limits to configures client-side +

New setting for client bandwidth limits to configures client-side bandwidth limits. client_delay_access -

New setting for client bandwith limits to determines the +

New setting for client bandwidth limits to determines the client-side delay pool for the request. client_dst_passthru @@ -590,8 +592,8 @@ This section gives a thorough account of those changes in three categories: New installs, or installs with no logs configured explicitly will use this module by default.

New tcp module to send each log line as text data to a TCP receiver.

New udp module to send each log line as text data to a UDP receiver. -

New format referrer to log with the format prevously used by referer_log directive. -

New format useragent to log with the format prevously used by useragent_log directive. +

New format referrer to log with the format previously used by referer_log directive. +

New format useragent to log with the format previously used by useragent_log directive. acl : random, localip, localport

New type random. Pseudo-randomly match requests based on a configured probability. @@ -610,7 +612,7 @@ This section gives a thorough account of those changes in three categories: auth_param

New options for Basic, Digest, NTLM, Negotiate children settings. - startup=N determins minimum number of helper processes used. + startup=N determines minimum number of helper processes used. idle=N determines how many helper to retain as buffer against sudden traffic loads. concurrency=N previously called auth_param ... concurrency as a separate option.

Removed Basic, Digest, NTLM, Negotiate auth_param ... concurrency setting option. @@ -644,8 +646,8 @@ This section gives a thorough account of those changes in three categories:

%SRCEUI64 EUI-64 of clients with SLAAC address.

%EXT_LOG log= message returned by previous external ACL calls. An updated version may be returned.

%EXT_TAG tag= value returned by previous external ACL calls. Tag may not be altered once set. -

children-max=N determins maximum number of helper processes used. -

children-startup=N determins minimum number of helper processes used. +

children-max=N determines maximum number of helper processes used. +

children-startup=N determines minimum number of helper processes used.

children-idle=N determines how many helper to retain as buffer against sudden traffic loads.

Deprecated children=N in favor of children-max=N. @@ -939,6 +941,12 @@ This section gives an account of those changes in three categories: server_http11

Obsolete. + update_headers +

Obsolete. The experimental actions enabled in 2.7 by this option have been integrated as default + actions for the rock storage type and memory caches. + The configuration option is no longer necessary and has been dropped. + NOTE: It is not yet supported by ufs, aufs, or diskd storage. + upgrade_http0.9

Obsolete. @@ -1110,8 +1118,5 @@ This section gives an account of those changes in three categories: storeurl_rewrite_program

Not yet ported from 2.7 - update_headers -

Not yet fully ported from 2.7. Memory and rock storage caches support this natively. UFS caches do not support it. - diff --git a/src/cf.data.pre b/src/cf.data.pre index 0be3ff9b9b..bcf9e0c815 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre @@ -169,7 +169,7 @@ DOC_END NAME: dns_v4_fallback TYPE: obsolete DOC_START - Remove this line. + Remove this line. Squid performs a 'Happy Eyeballs' algorithm, the 'fallback' algorithm is no longer relevant. DOC_END NAME: ftp_list_width @@ -184,6 +184,12 @@ DOC_START Replaced by connect_retries. The behaviour has changed, please read the documentation before altering. DOC_END +NAME: update_headers +TYPE: obsolete +DOC_START + Remove this line. The feature is supported by default in storage types where update is implemented. +DOC_END + NAME: url_rewrite_concurrency TYPE: obsolete DOC_START @@ -324,7 +330,7 @@ DOC_START auth_param basic program @DEFAULT_PREFIX@/libexec/ncsa_auth @DEFAULT_PREFIX@/etc/passwd "utf8" on|off - HTTP uses iso-latin-1 as characterset, while some authentication + HTTP uses iso-latin-1 as character set, while some authentication backends such as LDAP expects UTF-8. If this is set to on Squid will translate the HTTP iso-latin-1 charset to UTF-8 before sending the username & password to the helper. @@ -347,7 +353,7 @@ DOC_START supports one request at a time. Setting this to a number greater than 0 changes the protocol used to include a channel number first on the request/response line, allowing multiple requests to be sent to the - same helper in parallell without wating for the response. + same helper in parallel without waiting for the response. Must not be set unless it's known the helper supports this. auth_param basic children 20 startup=0 idle=1 @@ -397,7 +403,7 @@ DOC_START auth_param digest program @DEFAULT_PREFIX@/bin/digest_pw_auth @DEFAULT_PREFIX@/etc/digpass "utf8" on|off - HTTP uses iso-latin-1 as characterset, while some authentication + HTTP uses iso-latin-1 as character set, while some authentication backends such as LDAP expects UTF-8. If this is set to on Squid will translate the HTTP iso-latin-1 charset to UTF-8 before sending the username & password to the helper. @@ -420,7 +426,7 @@ DOC_START supports one request at a time. Setting this to a number greater than 0 changes the protocol used to include a channel number first on the request/response line, allowing multiple requests to be sent to the - same helper in parallell without wating for the response. + same helper in parallel without waiting for the response. Must not be set unless it's known the helper supports this. auth_param digest children 20 startup=0 idle=1 @@ -447,7 +453,7 @@ DOC_START "nonce_strictness" on|off Determines if squid requires strict increment-by-1 behavior for nonce counts, or just incrementing (off - for use when - useragents generate nonce counts that occasionally miss 1 + user agents generate nonce counts that occasionally miss 1 (ie, 1,2,4,6)). Default off. "check_nonce_count" on|off @@ -518,7 +524,7 @@ DOC_START The maximum number of authenticator processes to spawn (default 5). If you start too few Squid will have to wait for them to process a backlog of credential verifications, slowing it - down. When crendential verifications are done via a (slow) + down. When credential verifications are done via a (slow) network you are likely to need lots of authenticator processes. @@ -570,7 +576,7 @@ DEFAULT: 1 hour LOC: Config.authenticateGCInterval DOC_START The time period between garbage collection across the username cache. - This is a tradeoff between memory utilization (long intervals - say + This is a trade-off between memory utilization (long intervals - say 2 days) and CPU (short intervals - say 1 minute). Only change if you have good reason to. DOC_END @@ -595,7 +601,7 @@ DOC_START this directive controls how long Squid remembers the IP addresses associated with each user. Use a small value (e.g., 60 seconds) if your users might change addresses - quickly, as is the case with dialups. You might be safe + quickly, as is the case with dialup. You might be safe using a larger value (e.g., 2 hours) in a corporate LAN environment with relatively static address assignments. DOC_END