From: Amos Jeffries Date: Sun, 2 Dec 2012 08:29:50 +0000 (-0700) Subject: 3.3.0.2 X-Git-Tag: SQUID_3_3_0_2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2f6650dc3d4b16a34963212a0f412ad4f90c9dc7;p=thirdparty%2Fsquid.git 3.3.0.2 --- diff --git a/ChangeLog b/ChangeLog index b120889928..4998d1d388 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +Changes to squid-3.3.0.2 (03 Dec 2012): + + - Support matching empty header field values using req_header and rep_header + - ... and some minor code polish and input vaidations + - ... and all changes from squid 3.2.4 + Changes to squid-3.3.0.1 (21 Oct 2012): - Bug 3610: Add peername_regex ACL @@ -17,6 +23,18 @@ Changes to squid-3.3.0.1 (21 Oct 2012): - ... and many compile error fixes - ... and a very large amount of code polish for faster compilation +Changes to squid-3.2.4 (03 Dec 2012): + + - Ported: urllogin ACL from squid 2.7 + - Bug 3688: Lots of Orphan Comm:Connections to ICAP server + - Bug 3677: Port un-pinning logic changes from squid 3.3 + - Bug 3405: ssl_crtd crashes failing to remove certificate + - ... and major bugs fixed in squid 3.1.22 + - Fix accept_filter on Linux + - Remove 'Bungled' warning on missing component directives + - ... and many buffer and memory leak issues in the bundled helpers + - ... and a small amount of code polishing + Changes to squid-3.2.3 (21 Oct 2012): - Regression: SMP crashes on startup with workers > 1 @@ -454,6 +472,14 @@ Changes to squid-3.2.0.1 (03 Aug 2010): - ... and a great many testing improvements - ... and many documentation updates +Changes to squid-3.1.22 (03 Dec 2012): + + - Bug 3685: Squid hangs in Delay Pools ClassCBucket::update + - Bug 3659: read_timeout problem with HTTPS + - Bug 3654: Fix IPv6 enabled squidclient + - Bug 3189: AIO thread race on pipe() initialization + - cachemgr.cgi: Memory Leaks and DoS Vulnerability + Changes to squid-3.1.21 (23 Sep 2012): - Bug 3622: peerClearRRStart scheduling multiple events 
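Review bot: "input vaidations" in the new squid-3.3.0.2 entry should read "input validations". In the squid-3.1.22 block, "cachemgr.cgi: Memory Leaks and DoS Vulnerability" is the one security fix in this ChangeLog and the only entry there without a "Bug NNNN:" prefix; give it the bug or advisory identifier so packagers and users scanning the ChangeLog for security fixes can match it to the advisory and backport it. Also, the squid-3.2.4 line "Ported: urllogin ACL from squid 2.7" disagrees with the release-notes entry this same commit deletes, which called urllogin "not yet ported from 2.6"; pick one origin version and use it in both places.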
diff --git a/configure.ac b/configure.ac index 2f5325d54c..0f98c22e6a 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -AC_INIT([Squid Web Proxy],[3.3.0.1-BZR],[http://www.squid-cache.org/bugs/],[squid]) +AC_INIT([Squid Web Proxy],[3.3.0.2-BZR],[http://www.squid-cache.org/bugs/],[squid]) AC_PREREQ(2.61) AC_CONFIG_HEADERS([include/autoconf.h]) AC_CONFIG_AUX_DIR(cfgaux) diff --git a/doc/release-notes/release-3.1.sgml b/doc/release-notes/release-3.1.sgml index 41ba10edb1..eddf2dbcb5 100644 --- a/doc/release-notes/release-3.1.sgml +++ b/doc/release-notes/release-3.1.sgml @@ -1,6 +1,6 @@
-Squid 3.1.21 release notes +Squid 3.1.22 release notes Squid Developers @@ -13,7 +13,7 @@ for Applied Network Research and members of the Web Caching community. Notice

-The Squid Team are pleased to announce the release of Squid-3.1.21 +The Squid Team are pleased to announce the release of Squid-3.1.22 This new release is available for download from or the . diff --git a/doc/release-notes/release-3.2.sgml b/doc/release-notes/release-3.2.sgml index a12767ca96..ba66f7aad1 100644 --- a/doc/release-notes/release-3.2.sgml +++ b/doc/release-notes/release-3.2.sgml @@ -1,6 +1,6 @@

-Squid 3.2.3 release notes +Squid 3.2.4 release notes Squid Developers @@ -13,7 +13,7 @@ for Applied Network Research and members of the Web Caching community. Notice

-The Squid Team are pleased to announce the release of Squid-3.2.3 for testing. +The Squid Team are pleased to announce the release of Squid-3.2.4 for testing. This new release is available for download from or the . @@ -412,9 +412,10 @@ Most user-facing changes are reflected in squid.conf (see below).

The cache manager is available under the path prefix /squid-internal-mgr/. For example the URL http://example/com/squid-internal-mgr/menu will bring up the manager menu. This means there are some configuration changes required to lock down manager access. - The manager ACL needs changing to: + The manager ACL needs changing. A built-in definition is now used, equivalent + to the following regex pattern: - acl manager url_regex -i ^cache_object:// ^https?://[^/]+/squid-internal-mgr/ + ^(cache_object://|https?://[^/]+/squid-internal-mgr/)

The manager prefix /squid-internal-mgr/ with no action attempts to load an optional @@ -423,6 +424,13 @@ Most user-facing changes are reflected in squid.conf (see below). cache manager applications as their front page embedding all scripts, accessors or redirects required for their initial GUI display. +
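Review bot: the line being removed, `acl manager url_regex -i ^cache_object:// ^https?://[^/]+/squid-internal-mgr/`, matched case-insensitively, while the replacement text presents `^(cache_object://|https?://[^/]+/squid-internal-mgr/)` as "equivalent" with no `-i`. Either state that the built-in manager ACL matches case-insensitively, or drop "equivalent" and say the built-in is case-sensitive, so an administrator who relied on `-i` knows whether manager access behaves differently after the upgrade.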

MGR_INDEX file + + should contain a complete HTML page, with optional client-side scripting. + must not contain server-side scripting. + will have macro substitution performed on it using the same macros as used by the error page tempates. + +

Version 3.2 of the CGI cache manager tool now presents XHR scripted probes to detect proxies presenting these manager index pagess and provides direct HTTP/HTTPS web links to those managers. @@ -592,10 +600,12 @@ This section gives a thorough account of those changes in three categories:
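Review bot: "error page tempates" in the new MGR_INDEX list should read "error page templates". The list says what the file may and may not contain but not where Squid loads it from or who should be able to write it; since the file is served to cache manager clients with macro substitution applied, add where it is loaded from and a sentence that it should be writable only by the administrator, so that a file writable by other users cannot become an injection point for the manager front page.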

The localip/localport differ from earlier releases where they matched a mix of of an invalid IP and port 0, the client destination IP/port or the Squid listening IP/port. This definition is now consistent across all modes of traffic received by Squid. -

The manager ACL requires adjustment to cover new cache manager access: +

The manager ACL requires adjustment to cover new cache manager access. So it has now been + built-in as a predefined ACL name matching URLs equivalent to the following regular expression: - acl manager url_regex -i ^cache_object:// ^https?://[^/]+/squid-internal-mgr/ + ^(cache_object://|https?://[^/]+/squid-internal-mgr/) + squid.conf containing the old manager definition can expect to see ACL type collisions. auth_param
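Review bot: "squid.conf containing the old manager definition can expect to see ACL type collisions" names the symptom but not the fix. Say directly that the old `acl manager url_regex ...` line must be deleted when upgrading, and that the predefined `manager` name cannot be redefined with a different ACL type, so the startup failure is understood as an intended upgrade step rather than a bug.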

New options for Basic, Digest, NTLM, Negotiate children settings. diff --git a/doc/release-notes/release-3.3.html b/doc/release-notes/release-3.3.html index 7ccc5aa03b..426190e4ec 100644 --- a/doc/release-notes/release-3.3.html +++ b/doc/release-notes/release-3.3.html @@ -2,10 +2,10 @@ - Squid 3.3.0.0 release notes + Squid 3.3.0.2 release notes -

Squid 3.3.0.0 release notes

+

Squid 3.3.0.2 release notes

Squid Developers


@@ -24,7 +24,11 @@ for Applied Network Research and members of the Web Caching community.

2. Major new features since Squid-3.2

3. Changes to squid.conf since Squid-3.2

@@ -43,25 +47,16 @@ for Applied Network Research and members of the Web Caching community.
  • 4.3 Removed options

    -

    5. Options Removed since Squid-2

    +

    5. Regressions since Squid-2.7

    -

    -

    6. Regressions since Squid-2.7

    - -

    1. Notice

    -

    The Squid Team are pleased to announce the release of Squid-3.3.0.0 for testing.

    +

    The Squid Team are pleased to announce the release of Squid-3.3.0.2 for testing.

    This new release is available for download from http://www.squid-cache.org/Versions/v3/3.3/ or the mirrors.

    @@ -87,15 +82,142 @@ for Applied Network Research and members of the Web Caching community.

    The most important of these new features are:

      -
    • +
    • SQL Database logging helper
    • +
    • Time-Quota session helper
    • +
    • SSL-Bump Server First
    • +
    • Server Certificate Mimic
    • +
    • Custom HTTP request headers

    Most user-facing changes are reflected in squid.conf (see below).

    -

    2.1 +

    2.1 SQL Database logging helper

    +

    log_db_daemon - Database logging daemon for Squid

    + +

    This program writes Squid access.log entries to an SQL database. +Written in Perl it can utilize any database supported by the Perl +database abstraction layer.

    + +

    NOTE: Presently it only accepts the Squid native log format.

    + + +

    2.2 Time-Quota session helper +

    + +

    ext_time_quota_acl - Time quota external ACL helper.

    + +

    Allows an administrator to define time budgets (quota) for the +users of Squid to limit the time using Squid.

    + +

    This is useful for corporate lunch time allocations, wifi portal +pay-per-minute installations or for parental control of children.

    + +

    The administrator can define a time budget (e.g. 1 hour per day) +which is enforced through this helper using session estimations +of their browsing time. A 'pause' threshold is given in seconds +and defines the period between two requests to be treated as part +of the same session. Pauses shorter than this value will be +counted against the quota, longer ones ignored.

    + + +

    2.3 SSL-Bump Server First +

    + +

    Details at +http://wiki.squid-cache.org/Features/BumpSslServerFirst.

    + +

    When an intercepted connection is received, Squid first connects +to the server using SSL and receives the server certificate. +Squid then uses the host name inside the true server certificate +to generate a fake one and impersonates the server while still +using the already established secure connection to the server.

    + +

    Bumping server first is essentially required for handling +intercepted HTTPS connections but the same scheme should be used +for most HTTP CONNECT requests because it offers a few advantages +compared to the old bump-client-first approach:

    +

    +

      +
    • When Squid knows valid server certificate details, it can +generate its fake server certificate with those details. +With the bump-client-first scheme, all those details are lost. +In general, browsers do not care about those details but there +may be HTTP clients (or even human users) that require or could +benefit from knowing them. +
    • +
    • When a server sends a bad certificate, Squid may be able to +replicate that brokenness in its own fake certificate, giving +the HTTP client control whether to ignore the problem or +terminate the transaction. With bump-client-furst, it is +difficult to support similar dynamic, user-directed opt out; +Squid itself has to decide what to do when the server +certificate cannot be validated. +
    • +
    • When a server asks for a client certificate, Squid may be +able to ask the client and then forward the client certificate +to the server. Such client certificate handling may not be +possible with the bump-client-first scheme because it would +have to be done after the SSL handshake. +
    • +
    • Some clients (e.g., Rekonq browser v0.7.x) do not send host +names in CONNECT requests. Such clients require bump-server-first +even in forward proxying mode. Unfortunately, there are other +problems with fully supporting such clients (i.e., Squid does +not know whether the IP address in the CONNECT request is what +the user have typed into the address bar) so not all features +will work well for them until more specialized detection code +is added.
    • +
    +

    + +

    2.4 Server Certificate Mimic +

    + +

    Details at +http://wiki.squid-cache.org/Features/MimicSslServerCert.

    + +

    One of the SslBump features serious drawbacks is the loss of +information embedded in SSL server certificate. +This certificate mimic feature passes original SSL server +certificate information to the user. Allowing the user to +make an informed decision on whether to trust the server +certificate.

    + + +

    2.5 Custom HTTP request headers +

    +

    The request_header_add option is added to insert +HTTP header fields to outgoing HTTP requests (i.e., +request headers sent by Squid to the next HTTP hop such as a +cache peer or an origin server). The option has no effect on +cache hit traffic or requests serviced by Squid and ICAP.

    + +

    WARNING: If a standard HTTP header name is used, Squid does not check whether +the new header conflicts with any existing headers or violates +HTTP rules. If the request to be modified already contains a +field with the same name, the old field is preserved but the +header field values are not merged.

    + +

    Field-value set can be either a token or a quoted string. If quoted +string format is used, then the surrounding quotes are removed +while escape sequences and %macros are processed.

    + +

    In theory, all of the logformat codes can be used as %macros. +However, unlike logging (which happens at the very end of +transaction lifetime), the transaction may not yet have enough +information to expand a macro when the new header value is needed. +And some information may already be available to Squid but not yet +committed where the macro expansion code can access it (please report +such instances!). The macro will be expanded into a single dash +('-') in such cases. Not all macros have been tested.

    + +

    One or more Squid ACLs may be specified to restrict header +injection to matching requests. As always in squid.conf, all +ACLs in an option ACL list must be satisfied for the insertion +to happen. The request_header_add option supports fast ACLs only.

    3. Changes to squid.conf since Squid-3.2
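Review bot: in 2.5, "The macro will be expanded into a single dash ('-') in such cases" leaves it implicit that the header is still sent upstream with the literal value "-" rather than being omitted; say so explicitly, since a cache peer or origin server may act on that value, and replace "Not all macros have been tested" with the list of macros known to work or a pointer to where that list is kept. The WARNING in 2.5 should also say whether "the old field is preserved but the header field values are not merged" means the request goes out with two fields of the same name. In 2.3, "bump-client-furst" should be "bump-client-first" and "what the user have typed" should be "what the user has typed". In 2.4, "One of the SslBump features serious drawbacks is the loss of information embedded in SSL server certificate" and the fragment "Allowing the user to make an informed decision ..." should be rewritten, e.g. "One serious drawback of SslBump is the loss of the information embedded in the SSL server certificate. The certificate mimic feature passes the original server certificate information on to the user, allowing the user to make an informed decision about whether to trust the server certificate."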

    @@ -119,6 +241,15 @@ for Applied Network Research and members of the Web Caching community.

    +
    request_header_add
    +

    New directive to add custom headers on HTTP traffic sent to upstream servers.

    + +
    sslproxy_cert_sign
    +

    New option to determine how the client certificate sent to upstream servers is signed.

    + +
    sslproxy_cert_adapt
    +

    New option to adapt certain properties of outgoing SSL certificates generated for use when bumping SSL to an upstream server.

    +
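Review bot: the sslproxy_cert_sign summary, "determine how the client certificate sent to upstream servers is signed", reads as if it concerned a TLS client certificate, which conflicts with sections 2.3 and 2.4 of these same notes, where the certificate Squid generates is the fake server certificate it presents to the bumped client. If the directive controls how Squid signs the certificates it generates while bumping, say "how the generated server certificate presented to the client is signed", and make the sslproxy_cert_adapt entry ("outgoing SSL certificates generated for use when bumping SSL to an upstream server") describe the same object with the same wording.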

    @@ -128,16 +259,40 @@ for Applied Network Research and members of the Web Caching community.

    +
    acl
    +

    myport and myipACL types replaced with localport and localip respecitively. +To reflect that it matches the TCP connection details and not the squid.conf port. +This matters when dealing with interecepted traffic, where the Squid receiving port differs from the TCP connection IP:port. +Always use myportname type to match the squid.conf port details.

    +

    New default built-in ACLs for testing SSL certificate properties.

    +

    ssl::certHasExpired, +ssl::certNotYetValid, +ssl::certDomainMismatch, +ssl::certUntrusted, +ssl::certSelfSigned.

    + +
    logformat
    +

    New token %ssl::bump_mode to log the SSL-bump mode type performed on a request. +Logs values of: -, none, client-first, or server-first.

    +

    New token of %ssl::>cert_subject to log the Subject field of a SSL certficate received from the client.

    +

    New token of %ssl::>cert_issuer to log the Issuer field of a SSL certficate received from the client.

    + +
    ssl_bump
    +

    New action types none, client-first, server-first. The default is none.

    +

    Use of allow/deny is now deprecated and they should be removed as soon as possible. +To retain the exact same behaviour between 3.3 and older releases replace deny with none, +and allow with client-first. However an upgrade to server-first is the recommended.

    +

    NOTE: Mixing of allow/deny with the new action types is prohibited and will cause Squid to exit with a FATAL error.

    -

    3.3 Removed tags

    +

    There are no removed squid.conf tags in Squid-3.3.
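Review bot: the ssl_bump migration advice ends in "an upgrade to server-first is the recommended", which is incomplete; write "is recommended" or "is the recommended mode". Also in this hunk: "myport and myipACL types" needs a space before "ACL", "respecitively" should be "respectively", "interecepted" should be "intercepted", and "certficate" appears twice for "certificate". The five new ssl::cert* built-in ACLs are listed without saying where they can be used; if, as their names suggest, they are meant for the ACL lists of the sslproxy_cert_sign and sslproxy_cert_adapt directives added in this same commit, a one-line pointer there would tell administrators what the ACLs are for.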

    @@ -164,6 +319,7 @@ for Applied Network Research and members of the Web Caching community.

    +

    There are no new ./configure options in Squid-3.3.

    @@ -173,6 +329,7 @@ for Applied Network Research and members of the Web Caching community.

    +

    There are no changed ./configure options in Squid-3.3.

    @@ -181,163 +338,24 @@ for Applied Network Research and members of the Web Caching community.

    +
    --enable-ntlm-fail-open
    +

    This has not been supported by Squid for several versions.

    -

    5. Options Removed since Squid-2

    - -

    Some squid.conf and ./configure options which were available in Squid-2.6 and Squid-2.7 are made obsolete in Squid-3.3.

    - -

    5.1 Removed squid.conf options since Squid-2.7 -

    - -

    -

    -
    auth_param
    -

    blankpassword option for basic scheme removed.

    - -
    cache_peer
    -

    http11 Obsolete.

    - -
    external_acl_type
    -

    Format tag %{Header} replaced by %>{Header}

    -

    Format tag %{Header:member} replaced by %>{Header:member}

    - -
    header_access
    -

    Replaced by request_header_access and reply_header_access

    - -
    http_port
    -

    no-connection-auth replaced by connection-auth=[on|off]. Default is ON.

    -

    transparent option replaced by intercept

    -

    http11 obsolete.

    - -
    http_access2
    -

    Replaced by adapted_http_access

    - -
    httpd_accel_no_pmtu_disc
    -

    Replaced by http_port disable-pmtu-discovery= option

    - -
    incoming_rate
    -

    Obsolete.

    - -
    redirector_bypass
    -

    Replaced by url_rewrite_bypass

    - -
    server_http11
    -

    Obsolete.

    - -
    upgrade_http0.9
    -

    Obsolete.

    - -
    zph_local
    -

    Replaced by qos_flows local-hit=

    - -
    zph_mode
    -

    Obsolete.

    - -
    zph_option
    -

    Obsolete.

    - -
    zph_parent
    -

    Replaced by qos_flows parent-hit=

    - -
    zph_sibling
    -

    Replaced by qos_flows sibling-hit=

    - -
    -

    - -

    5.2 Removed squid.conf options since Squid-2.6 -

    - -

    -

    -
    cache_dir
    -

    read-only option replaced by no-store.

    - -
    -

    - -

    5.3 Removed ./configure options since Squid-2.7 -

    - -

    -

    -
    --enable-coss-aio-ops
    -

    Obsolete.

    - -
    --enable-devpoll
    -

    Replaced by automatic detection.

    - -
    --enable-dlmalloc=LIB
    -

    Obsolete.

    - -
    --enable-epoll
    -

    Replaced by automatic detection.

    - -
    --enable-forward-log
    -

    Obsolete.

    - -
    --enable-heap-replacement
    -

    Obsolete.

    - -
    --enable-htcp
    -

    Obsolete. Enabled by default.

    - -
    --enable-large-cache-files
    -

    Obsolete.

    - -
    --enable-mempool-debug
    -

    Obsolete.

    - -
    --enable-multicast-miss
    -

    Obsolete.

    - -
    --enable-poll
    -

    Replaced by automatic detection.

    - -
    --enable-select
    -

    Replaced by automatic detection.

    - -
    --enable-select-simple
    -

    Replaced by automatic detection.

    - -
    --enable-snmp
    -

    Obsolete. Enabled by default.

    - -
    --enable-truncate
    -

    Obsolete.

    - -
    --disable-kqueue
    -

    Obsolete. Disabled by default.

    - -
    -

    - - -

    6. Regressions since Squid-2.7

    +

    5. Regressions since Squid-2.7

    Some squid.conf and ./configure options which were available in Squid-2.7 are not yet available in Squid-3.3

    If you need something to do then porting one of these from Squid-2 to Squid-3 is most welcome.

    -

    6.1 Missing squid.conf options available in Squid-2.7 +

    5.1 Missing squid.conf options available in Squid-2.7

    -
    acl
    -

    urllogin option not yet ported from 2.6

    -

    urlgroup option not yet ported from 2.6

    - -
    authenticate_ip_shortcircuit_access
    -

    Not yet ported from 2.7

    - -
    authenticate_ip_shortcircuit_ttl
    -

    Not yet ported from 2.7

    -
    broken_vary_encoding

    Not yet ported from 2.6
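Review bot: besides removing section 5 and renumbering, this hunk silently drops "urllogin", "urlgroup", "authenticate_ip_shortcircuit_access" and "authenticate_ip_shortcircuit_ttl" from the "Missing squid.conf options" list. The ChangeLog in this commit accounts only for urllogin ("Ported: urllogin ACL from squid 2.7"); for the other three, either they were ported (then the ChangeLog is missing entries) or they are no longer going to be ported (then the notes should say so) rather than disappearing without a trace. A short reason for each removal would let packagers follow the change.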

    @@ -373,7 +391,6 @@ for Applied Network Research and members of the Web Caching community.
    http_port

    act-as-origin not yet ported from 2.7

    -

    urlgroup= not yet ported from 2.6

    ignore_ims_on_miss

    Not yet ported from 2.7

    @@ -390,9 +407,6 @@ for Applied Network Research and members of the Web Caching community.
    location_rewrite_program

    Not yet ported from 2.6

    -
    logformat
    -

    %oa tag not yet ported from 2.7

    -
    refresh_pattern

    stale-while-revalidate= not yet ported from 2.7

    ignore-stale-while-revalidate= not yet ported from 2.7

    @@ -416,19 +430,6 @@ for Applied Network Research and members of the Web Caching community.
    update_headers

    Not yet ported from 2.7

    -
    zero_buffers
    -

    Not yet ported from 2.7

    - -
    -

    - -

    6.2 Missing ./configure options available in Squid-2.7 -

    - -

    -

    -
    --without-system-md5
    -

    diff --git a/doc/release-notes/release-3.3.sgml b/doc/release-notes/release-3.3.sgml index 16d2698374..982ffc418d 100644 --- a/doc/release-notes/release-3.3.sgml +++ b/doc/release-notes/release-3.3.sgml @@ -1,6 +1,6 @@
    -Squid 3.3.0.1 release notes +Squid 3.3.0.2 release notes Squid Developers @@ -13,7 +13,7 @@ for Applied Network Research and members of the Web Caching community. Notice

    -The Squid Team are pleased to announce the release of Squid-3.3.0.1 for testing. +The Squid Team are pleased to announce the release of Squid-3.3.0.2 for testing. This new release is available for download from or the .