| grep " DEBUG:" \
| sed -e 's/ \* DEBUG: //' \
| sort -u \
- | sort -n +1
+ | sort -n
<BODY>
<H1>Squid 3.0.STABLE10 release notes</H1>
-<H2>Squid Developers</H2>$Id: release-3.0.sgml,v 1.30.2.5 2008/02/28 00:26:31 amosjeffries Exp $
+<H2>Squid Developers</H2>
<HR>
<EM>This document contains the release notes for version 3.0 of Squid.
Squid is a WWW Cache application developed by the National Laboratory
<article>
<title>Squid 3.0.STABLE10 release notes</title>
<author>Squid Developers</author>
-<date>$Id: release-3.0.sgml,v 1.30.2.5 2008/02/28 00:26:31 amosjeffries Exp $</date>
<abstract>
This document contains the release notes for version 3.0 of Squid.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
- <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.50">
- <TITLE>Squid 3.1.PRE1 release notes</TITLE>
+ <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.21">
+ <TITLE>Squid 3.1.0.1 release notes</TITLE>
</HEAD>
<BODY>
-<H1>Squid 3.1.PRE1 release notes</H1>
+<H1>Squid 3.1.0.1 release notes</H1>
-<H2>Squid Developers</H2>$Id: release-3.1.sgml,v 1.6 2008/01/17 10:09:05 hno Exp $
+<H2>Squid Developers</H2>
<HR>
<EM>This document contains the release notes for version 3.1 of Squid.
Squid is a WWW Cache application developed by the National Laboratory
<HR>
<H2><A NAME="s1">1. Notice</A></H2>
-<P>The Squid Team are pleased to announce the release of Squid-3.1.PRE1 for pre-release testing.</P>
+<P>The Squid Team are pleased to announce the release of Squid-3.1.0.1 for testing.</P>
<P>This new release is available for download from
<A HREF="http://www.squid-cache.org/Versions/v3/3.1/">http://www.squid-cache.org/Versions/v3/3.1/</A> or the
<A HREF="http://www.squid-cache.org/Mirrors/http-mirrors.html">mirrors</A>.</P>
<H2><A NAME="s2">2. Known issues</A></H2>
-<P>Although this release is deemed good enough for testing in many setups, please note the existence of
+<P>Although this release is deemed good enough for use in many setups, please note the existence of
<A HREF="http://www.squid-cache.org/bugs/buglist.cgi?query_format=advanced&short_desc_type=allwordssubstr&short_desc=&target_milestone=3.1&long_desc_type=allwordssubstr&long_desc=&bug_file_loc_type=allwordssubstr&bug_file_loc=&status_whiteboard_type=allwordssubstr&status_whiteboard=&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&emailtype1=substring&email1=&emailtype2=substring&email2=&bugidtype=include&bug_id=&votes=&chfieldfrom=&chfieldto=Now&chfieldvalue=&cmdtype=doit&order=bugs.bug_severity&field0-0-0=noop&type0-0-0=noop&value0-0-0=">open bugs against Squid-3.1</A>.</P>
-<H2><A NAME="s3">3. Changes since earlier PRE releases of Squid-3.1</A></H2>
+<H2><A NAME="s3">3. Changes since earlier releases of Squid-3.1</A></H2>
<P>The 3.1 change history can be
<A HREF="http://www.squid-cache.org/Versions/v3/3.1/changesets/">viewed here</A>.</P>
<P>The most important of these new features are:</P>
<P>
<UL>
-<LI>IPv6 Support</LI>
+<LI>New Version Numbering System</LI>
+<LI>Minimal squid.conf improvements</LI>
+<LI>Native IPv6 Support</LI>
<LI>Error Page Localization</LI>
+<LI>Connection Pinning (for NTLM Auth Passthrough)</LI>
+<LI>Quality of Service (QoS) Flow support</LI>
+<LI>SSL Bump (for HTTPS Filtering and Adaptation)</LI>
+<LI>eCAP Adaptation Module support</LI>
</UL>
</P>
<P>Most user-facing changes are reflected in squid.conf (see below).</P>
+<H3>New Version Numbering System</H3>
+
+<P>Begining with 3.1 the Squid Developers are trialling a new release numbering system.</P>
+
+<P>We have decided, based on input from interested users to drop the Squid-2 terminology of
+(DEVEL, PRE, RC, and STABLE) from the release package names.
+These are replaced with a simpler 3-teir system based around the natural code development cycle.</P>
+
+<P>Daily generated snapshots of all current versions are provided as testing (old DEVEL) and bug-fix releases.
+These are numbered from their last release with a date appended.
+Snapshots generated from 3.HEAD and 2.HEAD continue to be highly volatile.</P>
+
+<P>Regular feature releases from Squid-3 will be branched out as sub-versions. Such as this Squid-3.1.</P>
+
+<P>All this is previous policy you should be acustomed to. Now we get to the new numbering change.</P>
+
+<P>Initial branch packages will be generated with a 3.X.0.Z version as testing packages.
+Packages and Snapshots generated with these 3-dot numbers are expected to be relatively stable regarding feature behaviors.
+Suitable for testing but without any guarantees under production loads. This replaces both the old PRE and RC packages.
+If a large number of bugs are found several *.0.Z packages may be attempted before any is considered production-ready.</P>
+
+<P>When one of these Squid-3.X.0.Z packages passes our bug-free standards a 3.X.Y numbered release will be made.
+We can only hope enough testing has been done to consider these ready for production use.
+As always we are fully dependent on people testing the previous packages and reporting all bugs.</P>
+
+<P>In support of this process are several squid-dev process changes which have been worked out over the last year.</P>
+<P>
+<UL>
+<LI>We no longer accept new features into branches.
+Those are reserved for the next feature release.
+The cycle for major releases is hoped to be fast enough to suit peoples needs.
+</LI>
+<LI>We now audit and vote on all feature and major code additions.
+Requiring at least two sets of developer eyes on any new features before they are committed to 3.HEAD.
+Vastly reducing the number of bugs in all code.
+</LI>
+<LI>We have implemented and continue to add more testing infrastructure.</LI>
+</UL>
+ </P>
+
+
+<H3>Minimal squid.conf improvements</H3>
+
+<P>squid.conf has undergone a facelift.</P>
+
+<P>Don't worry few operational changes have been made.
+Older configs from are still expected to run in 3.1 with only the usual minor
+changes seen between major release. Details on those are listed below.</P>
+
+<P>New users will be relieved to see a short 20-line or less squid.conf on clean installs.
+Many of the options have reasonable defaults but had previously needed them explicitly configured!
+These are now proper built-in defaults and no longer need to be in squid.conf unless changed.</P>
+
+<P>All of the option documentation has been offloaded to another file <EM>squid.conf.docuemented</EM> which
+contains a fully documented set of options previoulsy cluttering up squid.conf itself.</P>
+
+<P>Package maintainers are provided with a second file squid.conf.default which as always contains the default
+config options provided on a clean install.</P>
+
+
<H3>Internet Protocol version 6 (IPv6)</H3>
<P>Squid 3.1 supports IPv6. To enable IPv6 support, use the ./configure --enable-ipv6 option</P>
+<P>Details at
+<A HREF="http://wiki.squid-cache.org/Features/IPv6">The Squid wiki</A></P>
+
<H3>New Features for IPv6</H3>
<P>Squid handles localhost values seperately. For the purpose of ACLs and also external
connections ::1 is considered a seperate IP from 127.0.0.1. This means all ACL which
define behaviour for localhost may need ::1/128 included.</P>
-<P>--with-localhost-ipv6 option is provided for Pure-IPv6 setups who do not want to be
-bothered by the localhost vagaries. It will enable logics to map all localhost traffic
-through ::1 unless an IPv4-only link is required.</P>
-
-<P>Additional ./configure --with-ipv4-mapped option is provided for OS that require a socket setting
-to accept IPv4 addresses on IPv6 sockets, squid performs v4-mapping on these addresses
-It is intended primarily to be used for Windows Vista builds.</P>
-
<P>Pinger has been upgraded to perform both ICMP and ICMPv6 as required.
As a result of this and due to a change in the binary protocol format between them,
new builds of squid are no longer backwards-compatible with old pinger binaries.
As a side effect of this the long-missing fix to show seperate named peers on one IP
has been integrated. Making the SNMP peer table now produce correct output.
The table structure change is identical for both IPv4-only and Dual modes but with
-IPv4-only simply not including any IP6 entries. This means any third-party SNMP
+IPv4-only simply not including any IPv6 entries. This means any third-party SNMP
software which hard coded the MIB paths needs to be upgraded for this Squid release.</P>
<P>Specify a specific tcp_outgoing_address and the clients who match its ACL are limited
to the IPv4 or IPv6 network that address belongs to. They are not permitted over the
IPv4-IPv6 boundary. Some ACL voodoo can however be applied to explicitly route the
-IPv6/IPv4 bound traffic out an appropriate interface.
+IPv6/IPv4 bound traffic (DIRECT access) out an appropriate interface.
<PRE>
acl toIP6 dst ipv6
tcp_outgoing_address 2001::1 toIP6
<P>WCCP is not available (neither version 1 or 2). It remains built into squid for use with IPv4 traffic but IPv6 cannot use it.</P>
-<P>Transparent/Interception is done via NAT at the OS level and is not available in IPv6.
-Squid will ensure that any port set with transparent or tproxy options be an IPv4-only
+<P>Transparent Interception is done via NAT at the OS level and is not available in IPv6.
+Squid will ensure that any port set with transparent, intercept, or tproxy options be an IPv4-only
listening address. Wildcard can still be used but will not open as an IPv6.
To ensure that squid can accept IPv6 traffic on its default port, an alternative should
-be chosen to handle transparent traffic.
+be chosen to handle transparently intercepted traffic.
<PRE>
http_port 3128
- http_port 8080 transparent
+ http_port 8080 intercept
</PRE>
</P>
<H3>Error Page Localization</H3>
+<P>Details at
+<A HREF="http://wiki.squid-cache.org/Translations">The Squid wiki</A></P>
+
<P>The error pages presented by squid may now be localized per-request to match the visitors local preferred language.</P>
<P>Squid needs to be build with the --enable-auto-locale option. And the error_directory option in squid.conf needs to be removed.</P>
<A HREF="http://www.squid-cahch.org/Versions/langpack/">www.squid-cache.org/Versions/langpack/</A></P>
<P>The squid developers are interested in making squid available in a wide variety of languages.
-Contributions of new languages is encouraged.
-Details at
-<A HREF="http://wiki.squid-cache.org/Translations">http://wiki.squid-cache.org/Translations</A></P>
+Contributions of new languages is encouraged.</P>
+
+
+<H3>Connection Pinning (for NTLM Auth Passthrough)</H3>
+
+<P>Squid 3.1 includes the much asked for Connection Pinning feature from Squid 2.6.</P>
+
+<P>This feature is often called 'NTLM Passthru' since it is a giant workaround which permits Web servers to use
+Microsoft NTLM Authentication instead of HTTP standard authentication through a web proxy.</P>
+
+<P>Details at
+<A HREF="http://wiki.squid-cache.org/Features/ConnPinn">The Squid wiki</A></P>
+
+
+<H3>Quality of Service (QoS) Flow support</H3>
+
+<P>Details at
+<A HREF="http://wiki.squid-cache.org/Features/QualityOfService">The Squid wiki</A></P>
+
+<P>Zero Penalty Hit created a patch to set QoS markers on outgoing traffic.</P>
+<P>
+<UL>
+<LI>Allows you to select a TOS/Diffserv value to mark local hits.</LI>
+<LI>Allows you to select a TOS/Diffserv value to mark peer hits.</LI>
+<LI>Allows you to selectively set only sibling or sibling+parent requests</LI>
+<LI>Allows any HTTP response towards clients will have the TOS value of the response coming from
+the remote server masked with the value of zph_preserve_miss_tos_mask.
+For this to work correctly, you will need to patch your linux kernel with the TOS preserving ZPH patch.
+The kernel patch can be downloaded from http://zph.bratcheda.org</LI>
+<LI>Allows you to mask certain bits in the TOS received from the remote server,
+before copying the value to the TOS send towards clients.</LI>
+</UL>
+</P>
+
+<H3>Squid Configuration</H3>
+
+<P>Squid 3.1 needs to be configured with --enable-zph-qos for teh ZPH QoS conttols to be available.</P>
+
+<P>The configuration options for 2.7 and 3.1 are based on different ZPH patches.
+The two releases configuration differs and is not at this point directly translatable.</P>
+<P>
+<UL>
+<LI><EM>zph_tos_local</EM> Responses found as a HIT in the local cache</LI>
+<LI><EM>zph_tos_peer</EM> Responses found as a HIT on peer caches.</LI>
+<LI><EM>zph_tos_parent</EM> Qos to Sibling caches only or all peers.</LI>
+<LI><EM>zph_preserve_miss_tos</EM> Use the same ToS settings received by Squid from the remote server,
+on the client connection. Requires a kernel patch.</LI>
+</UL>
+</P>
+
+
+<H3>SSL Bump (for HTTPS Filtering and Adaptation)</H3>
+
+<P>Details at
+<A HREF="http://wiki.squid-cache.org/Features/SslBump">The Squid wiki</A></P>
+
+<P>Squid-in-the-middle decryption and encryption of straight CONNECT and transparently redirected SSL traffic,
+using configurable client- and server-side certificates.
+While decrypted, the traffic can be inspected using ICAP.</P>
+
+
+<H3>eCAP Adaptation Module support</H3>
+
+<P>Details at
+<A HREF="http://wiki.squid-cache.org/Features/eCAP">The Squid wiki</A></P>
+
<H2><A NAME="s5">5. Windows support</A></H2>
<P>
<DL>
-<DT><B>pinger_enable</B><DD>
-<P>New option to enable/disable the ICMP pinger helper with a reconfigure instead of a full rebuild.
+<DT><B>acl_uses_indirect_client</B><DD>
+<P>Whether to use any result found by follow_x_forwarded_for in further ACL processing.
+Default: ON
<PRE>
- Control whether the pinger is active at run-time.
- Enables turning ICMP pinger on and off with a simple squid -k reconfigure.
- default is on when --enable-icmp is compiled in.
+ Controls whether the indirect client address
+ (see follow_x_forwarded_for) is used instead of the
+ direct client address in acl matching.
+
+</PRE>
+</P>
+
+<DT><B>adaptation_access</B><DD>
+<P>Sends an HTTP transaction to an ICAP or eCAP adaptation service.
+<PRE>
+ adaptation_access service_name allow|deny [!]aclname...
+ adaptation_access set_name allow|deny [!]aclname...
+
+ At each supported vectoring point, the adaptation_access
+ statements are processed in the order they appear in this
+ configuration file. Statements pointing to the following services
+ are ignored (i.e., skipped without checking their ACL):
+
+ - services serving different vectoring points
+ - "broken-but-bypassable" services
+ - "up" services configured to ignore such transactions
+ (e.g., based on the ICAP Transfer-Ignore header).
+
+ When a set_name is used, all services in the set are checked
+ using the same rules, to find the first applicable one. See
+ adaptation_service_set for details.
+
+ If an access list is checked and there is a match, the
+ processing stops: For an "allow" rule, the corresponding
+ adaptation service is used for the transaction. For a "deny"
+ rule, no adaptation service is activated.
+
+ It is currently not possible to apply more than one adaptation
+ service at the same vectoring point to the same HTTP transaction.
+
+ See also: icap_service and ecap_service
+
+</PRE>
+</P>
+
+<DT><B>adaptation_service_set</B><DD>
+<P>
+<PRE>
+ Defines a named adaptation service set. The set is populated in
+ the order of adaptation_service_set directives in this file.
+ When adaptation ACLs are processed, the first and only the first
+ applicable adaptation service from the set will be used. Thus,
+ the set should group similar, redundant services, rather than a
+ chain of complementary services.
+
+ If you have a single adaptation service, you do not need to
+ define a set containing it because adaptation_access accepts
+ service names.
+
+ Example:
+ adaptation_service_set svcBlocker urlFilterPrimary urlFilterBackup
+ adaptation service_set svcLogger loggerLocal loggerRemote
+
+</PRE>
+</P>
+
+<DT><B>delay_pool_uses_indirect_client</B><DD>
+<P>Whether to use any result found by follow_x_forwarded_for in delay_pool assignment.
+Default: ON
+<PRE>
+ Controls whether the indirect client address
+ (see follow_x_forwarded_for) is used instead of the
+ direct client address in delay pools.
</PRE>
</P>
</PRE>
</P>
+<DT><B>ecap_enable</B><DD>
+<P>Controls whether eCAP support is enabled. Default: OFF</P>
+
+<DT><B>ecap_service</B><DD>
+<P>Defines a single eCAP service
+<PRE>
+ ecap_service servicename vectoring_point bypass service_url
+
+ vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
+ This specifies at which point of transaction processing the
+ eCAP service should be activated. *_postcache vectoring points
+ are not yet supported.
+
+ bypass = 1|0
+ If set to 1, the eCAP service is treated as optional. If the
+ service cannot be reached or malfunctions, Squid will try to
+ ignore any errors and process the message as if the service
+ was not enabled. No all eCAP errors can be bypassed.
+ If set to 0, the eCAP service is treated as essential and all
+ eCAP errors will result in an error page returned to the
+ HTTP client.
+
+ service_url = ecap://vendor/service_name?custom&cgi=style&parameters=optional
+
+ Example:
+ ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block
+ ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg
+
+</PRE>
+</P>
+
+<DT><B>error_default_language</B><DD>
+<P>New option to replace the old configure option --enable-default-err-language
+New translations can be downloaded from http://www.squid-cache.org/Versions/langpack/
+<PRE>
+ Set the default language which squid will send error pages in
+ if no existing translation matches the clients language
+ preferences.
+
+ If unset (default) generic English will be used.
+
+</PRE>
+</P>
+
+<DT><B>error_log_languages</B><DD>
+<P>
+<PRE>
+ Log to cache.log what languages users are attempting to
+ auto-negotiate for translations.
+
+ Successful negotiations are not logged. Only failures
+ have meaning to indicate that Squid may need an upgrade
+ of its error page translations.
+
+</PRE>
+</P>
+
+<DT><B>follow_x_forwarded_for</B><DD>
+<P>Enable processing of the X-Forwarded-for header for various administration tasks.
+<PRE>
+ Allowing or Denying the X-Forwarded-For header to be followed to
+ find the original source of a request.
+
+ Requests may pass through a chain of several other proxies
+ before reaching us. The X-Forwarded-For header will contain a
+ comma-separated list of the IP addresses in the chain, with the
+ rightmost address being the most recent.
+
+ If a request reaches us from a source that is allowed by this
+ configuration item, then we consult the X-Forwarded-For header
+ to see where that host received the request from. If the
+ X-Forwarded-For header contains multiple addresses, and if
+ acl_uses_indirect_client is on, then we continue backtracking
+ until we reach an address for which we are not allowed to
+ follow the X-Forwarded-For header, or until we reach the first
+ address in the list. (If acl_uses_indirect_client is off, then
+ it's impossible to backtrack through more than one level of
+ X-Forwarded-For addresses.)
+
+ The end result of this process is an IP address that we will
+ refer to as the indirect client address. This address may
+ be treated as the client address for access control, delay
+ pools and logging, depending on the acl_uses_indirect_client,
+ delay_pool_uses_indirect_client and log_uses_indirect_client
+ options.
+
+ SECURITY CONSIDERATIONS:
+ Any host for which we follow the X-Forwarded-For header
+ can place incorrect information in the header, and Squid
+ will use the incorrect information as if it were the
+ source address of the request. This may enable remote
+ hosts to bypass any access control restrictions that are
+ based on the client's source addresses.
+
+ For example:
+
+ acl localhost src 127.0.0.1
+ acl my_other_proxy srcdomain .proxy.example.com
+ follow_x_forwarded_for allow localhost
+ follow_x_forwarded_for allow my_other_proxy
+
+</PRE>
+</P>
+
+<DT><B>ftp_epsv_all</B><DD>
+<P>
+<PRE>
+ FTP Protocol extensions permit the use of a special "EPSV ALL" command.
+
+ NATs may be able to put the connection on a "fast path" through the
+ translator, as the EPRT command will never be used and therefore,
+ translation of the data portion of the segments will never be needed.
+
+ When a client only expects to do two-way FTP transfers this may be useful.
+ If squid finds that it must do a three-way FTP transfer after issuing
+ an EPSV ALL command, the FTP session will fail.
+
+ If you have any doubts about this option do not use it.
+ Squid will nicely attempt all other connection methods.
+
+ Requires ftp_passive to be ON (default)
+
+</PRE>
+</P>
+
<DT><B>include</B><DD>
<P>New option to import entire secondary configuration files into squid.conf.
<PRE>
</PRE>
</P>
-<DT><B>error_default_language</B><DD>
-<P>New option to replace the old configure option --enable-default-err-language
+<DT><B>loadable_modules</B><DD>
+<P>Instructs Squid to load the specified dynamic module(s) or activate
+preloaded module(s).
<PRE>
- Set the default language which squid will send error pages in
- if no existing translation matches the clients language
- preferences.
+ Example:
+ loadable_modules @DEFAULT_PREFIX@/lib/MinimalAdapter.so
+
+</PRE>
+</P>
- If unset (default) generic English will be used.
+<DT><B>log_uses_indirect_client</B><DD>
+<P>Whether to use any result found by follow_x_forwarded_for in access.log.
+Default: ON
+<PRE>
+ Controls whether the indirect client address
+ (see follow_x_forwarded_for) is used instead of the
+ direct client address in the access log.
+
+</PRE>
+</P>
+
+<DT><B>netdb_filename</B><DD>
+<P>
+<PRE>
+ A filename where Squid stores it's netdb state between restarts.
+ To disable, enter "none".
+
+</PRE>
+</P>
+
+<DT><B>pinger_enable</B><DD>
+<P>New option to enable/disable the ICMP pinger helper with a reconfigure instead of a full rebuild.
+<PRE>
+ Control whether the pinger is active at run-time.
+ Enables turning ICMP pinger on and off with a simple squid -k reconfigure.
+ default is on when --enable-icmp is compiled in.
+
+</PRE>
+</P>
+
+<DT><B>ssl_bump</B><DD>
+<P>New Access control for which CONNECT requests to an http_port
+marked with an sslBump flag are actually "bumped". Please
+see the sslBump flag of an http_port option for more details
+about decoding proxied SSL connections.
+DEFAULT: No requests are bumped.
+<PRE>
+NOCOMMENT_START
+# Example: Bump all requests except those originating from localhost and
+# those going to webax.com or example.com sites.
+#
+# acl broken_sites dstdomain .webax.com
+# acl broken_sites dstdomain .example.com
+# ssl_bump deny localhost
+# ssl_bump deny broken_sites
+# ssl_bump allow all
+
+</PRE>
+</P>
+
+<DT><B>sslproxy_cert_error</B><DD>
+<P>New Access Control to selectively bypass server certificate validation errors.
+DEFAULT: None bypassed.
+<PRE>
+ For example, the following lines will bypass all validation errors
+ when talking to servers located at 172.16.0.0/16. All other
+ validation errors will result in ERR_SECURE_CONNECT_FAIL error.
+
+ acl BrokenServersAtTrustedIP dst 172.16.0.0/16
+ sslproxy_cert_error allow BrokenServersAtTrustedIP
+ sslproxy_cert_error deny all
+
+ This option must use fast ACL expressions only. Expressions that use
+ external lookups or communication result in unpredictable behavior or
+ crashes.
+
+ Without this option, all server certificate validation errors
+ terminate the transaction. Bypassing validation errors is dangerous
+ because an error usually implies that the server cannot be trusted and
+ the connection may be insecure.
+
+ See also: sslproxy_flags and DONT_VERIFY_PEER.
+
+</PRE>
+</P>
+
+<DT><B>zph_preserve_miss_tos</B><DD>
+<P>
+<PRE>
+ If set to on (default), any HTTP response towards clients will
+ have the TOS value of the response comming from the remote
+ server masked with the value of zph_preserve_miss_tos_mask.
+ For this to work correctly, you will need to patch your linux
+ kernel with the TOS preserving ZPH patch.
+ The kernel patch can be downloaded from http://zph.bratcheda.org
+
+</PRE>
+</P>
+
+<DT><B>zph_preserve_miss_tos_mask</B><DD>
+<P>
+<PRE>
+ Allows you to mask certain bits in the TOS received from the
+ remote server, before copying the value to the TOS send towards
+ clients.
+ Default: 0xFF (255) (TOS from server is not changed).
+
+</PRE>
+</P>
+
+<DT><B>zph_tos_local</B><DD>
+<P>
+<PRE>
+ Allows you to select a TOS/Diffserv value to mark local hits. Read above
+ (tcp_outgoing_tos) for details/requirements about TOS.
+ Default: 0 (disabled).
+
+</PRE>
+</P>
+
+<DT><B>zph_tos_parent</B><DD>
+<P>
+<PRE>
+ Set this to off if you want only sibling hits to be marked.
+ If set to on (default), parent hits are being marked too.
+
+</PRE>
+</P>
+
+<DT><B>zph_tos_peer</B><DD>
+<P>
+<PRE>
+ Allows you to select a TOS/Diffserv value to mark peer hits. Read above
+ (tcp_outgoing_tos) for details/requirements about TOS.
+ Default: 0 (disabled).
</PRE>
</P>
<P>
<DL>
-<DT><B>acl dst ipvs</B><DD>
+<DT><B>acl dst ipv6</B><DD>
<P>New preset content - ipv6 - available as a preset type in the src and dst ACL matching all of the public IPv6 network space.
<PRE>
acl aclname dst ipv6
</PRE>
</P>
-<DT><B>http(s)_port name= intercept</B><DD>
-<P>New port options.
+<DT><B>acl myportname peername</B><DD>
+<P>New acl type myportname, matching the name of the http(s)_port where the request was accepted.
+New acl type peername, matching against a named cache_peer entry where the request will be attempted first.
+NP: peername currently is limited to only match the first peer possible.
<PRE>
- name= Specifies a internal name for the port. Defaults to
- the port specification (port or addr:port)
+ acl aclname myportname 3128 ... # http(s)_port name
+ acl aclname peername myPeer ... # cache_peer ... name=myPeer
+
+</PRE>
+</P>
- intercept Rename of old 'transparent' option to indicate proper functionality.
+<DT><B>balance_on_multiple_ip</B><DD>
+<P>The previous default behavour (rotate per-request) of this setting causes failover clashes with IPv6 built-in mechanisms.
+It has thus been turned off by default. Making the 'best choice' IP continue in use for any hostname until it encounters a connection failure and failover drops to the next known IP.
+<PRE>
+ Modern IP resolvers in squid sort lookup results by preferred access.
+ By default squid will use these IP in order and only rotates to
+ the next listed when the most preffered fails.
+
+ Some load balancing servers based on round robin DNS have been
+ found not to preserve user session state across requests
+ to different IP addresses.
+
+ Enabling this directive Squid rotates IP's per request.
</PRE>
</P>
-<DT><B>acl myportname</B><DD>
-<P>New acl type myportname, matching the name of the http(s)_port where the request was accepted
+<DT><B>cache</B><DD>
+<P>Removed the 'QUERY' acl and 'cache deny QUERY' entries.
+Replaced by new refresh_pattern instead.</P>
+
+<DT><B>cache_dir</B><DD>
+<P>Default changed from 100MB on-disk UFS cache to 256MB in-memory cache.
+see cache_mem and maximum_object_size_in_memory for size parameters.
+'null' storage type dropped.</P>
+
+<DT><B>cache_mem</B><DD>
+<P>Default size increased to 256MB.</P>
+
+<DT><B>cache_peer htcp-no-clr htcp-no-purge-clr htcp-only-clr htcp-forward-clr connection-auth[=on|off|auto]</B><DD>
+<P>New Options.
<PRE>
- acl aclname myportname 3128 ... # http(s)_port name
+ use 'htcp-no-clr' to send HTCP to the neighbor but without
+ sending any CLR requests. This cannot be used with
+ htcp-only-clr.
+
+ use 'htcp-no-purge-clr' to send HTCP to the neighbor
+ including CLRs but only when they do not result from
+ PURGE requests.
+
+ use 'htcp-only-clr' to send HTCP to the neighbor but ONLY
+ CLR requests. This cannot be used with htcp-no-clr.
+
+ use 'htcp-forward-clr' to forward any HTCP CLR requests
+ this proxy receives to the peer.
+
+ use 'connection-auth=off' to tell Squid that this peer does
+ not support Microsoft connection oriented authentication,
+ and any such challenges received from there should be
+ ignored. Default is 'auto' to automatically determine the
+ status of the peer.
+
+</PRE>
+</P>
+
+<DT><B>cache_store_log</B><DD>
+<P>Default changed to OFF. Matching long-standing developer recommendations.</P>
+
+<DT><B>error_directory</B><DD>
+<P>Now an optional entry in squid.conf. If present it will force all visitors to receive the error pages
+contained in the directory it points at. If absent error page localization will be given a chance.
+<PRE>
+ If you wish to create your own versions of the default
+ error files to customize them to suit your company COPY
+ the error/template files to another directory and point
+ this tag at them.
+
+ WARNING: This option will disable multi-language support
+ on error pages if used.
+
+ The squid developers are interested in making squid available in
+ a wide variety of languages. If you are making translations for a
+ language that Squid does not currently provide please consider
+ contributing your translation back to the project.
+ http://wiki.squid-cache.org/Translations
+
+ The squid developers working on translations are happy to supply drop-in
+ translated error files in exchange for any new language contributions.
</PRE>
</P>
</PRE>
</P>
+<P>New header input format specifiers. To seperate Request and Reply headers when both passed back.
+<PRE>
+ %>{Header} HTTP request header
+ %>{Hdr:member} HTTP request header list member
+ %>{Hdr:;member} HTTP request header list member using ; as
+ list separator. ; can be any non-alphanumeric
+ character.
+
+ %<{Header} HTTP reply header
+ %<{Hdr:member} HTTP reply header list member
+ %<{Hdr:;member} HTTP reply header list member using ; as
+ list separator. ; can be any non-alphanumeric
+ character.
+
+</PRE>
+</P>
+
+<DT><B>forwarded_for</B><DD>
+<P>New setting options. transparent, truncate, delete.
+<PRE>
+ If set to "transparent", Squid will not alter the
+ X-Forwarded-For header in any way.
+
+ If set to "delete", Squid will delete the entire
+ X-Forwarded-For header.
+
+ If set to "truncate", Squid will remove all existing
+ X-Forwarded-For entries, and place itself as the sole entry.
+
+</PRE>
+</P>
+
+<DT><B>http_port transparent</B><DD>
+<P>Option 'transparent' is being deprecated in favour of 'intercept' which more clearly identifies what the option does.
+For now option 'tproxy' remains with old behaviour meaning fully-invisible proxy using TPROXY support.</P>
+
+<DT><B>http(s)_port intercept sslbump connection-auth[=on|off]</B><DD>
+<P>New port options
+<PRE>
+ intercept Rename of old 'transparent' option to indicate proper functionality.
+
+ connection-auth[=on|off]
+ use connection-auth=off to tell Squid to prevent
+ forwarding Microsoft connection oriented authentication
+ (NTLM, Negotiate and Kerberos)
+
+ keepalive[=idle,interval,timeout]
+ Enable TCP keepalive probes of idle connections
+ idle is the initial time before TCP starts probing
+ the connection, interval how often to probe, and
+ timeout the time before giving up.
+
+ sslBump Intercept each CONNECT request matching ssl_bump ACL,
+ establish secure connection with the client and with
+ the server, decrypt HTTP messages as they pass through
+ Squid, and treat them as unencrypted HTTP messages,
+ becoming the man-in-the-middle.
+
+ When this option is enabled, additional options become
+ available to specify SSL-related properties of the
+ client-side connection: cert, key, version, cipher,
+ options, clientca, cafile, capath, crlfile, dhparams,
+ sslflags, and sslcontext. See the https_port directive
+ for more information on these options.
+
+ The ssl_bump option is required to fully enable
+ the SslBump feature.
+
+</PRE>
+</P>
+
+<DT><B>maximum_object_size_in_memory</B><DD>
+<P>Default size limit increased to 512KB.</P>
+
+<DT><B>negative_ttl</B><DD>
+<P>New default to prevent negative-caching of failure messages unless explicitly
+permitted by the message generating web server.
+This is an RFC 1616 violation and now requires --enable-http-violations
+to even be usable.</P>
+
+<DT><B>refresh_pattern</B><DD>
+<P>New set of basic patterns. These should always be listed after any custom ptterns.
+They ensure RFC compliance with certain protocol and request handling in the absence
+of accurate Cache-Control: and Expires: information.
+<PRE>
+refresh_pattern ^ftp: 1440 20% 10080
+refresh_pattern ^gopher: 1440 0% 1440
+refresh_pattern (cgi-bin|\?) 0 0% 0
+refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
+refresh_pattern . 0 20% 4320
+
+</PRE>
+</P>
+
+<DT><B>reply_header_max_size</B><DD>
+<P>Default limit increased to 64KB for RFC 2616 compliance.</P>
+
+<DT><B>request_header_max_size</B><DD>
+<P>Default limit increased to 64KB for RFC 2616 compliance.</P>
<DT><B>tcp_outgoing_address</B><DD>
<P>This option causes some problems when bridging IPv4 and IPv6. A workaround has been provided.
</PRE>
</P>
-<DT><B>balance_on_multiple_ip</B><DD>
-<P>The previous default behavour (rotate per-request) of this setting causes failover clashes with IPv6 built-in mechanisms.
-It has thus been turned off by default. Making the 'best choice' IP continue in use for any hostname until it encounters a connection failure and failover drops to the next known IP.
-<PRE>
- Modern IP resolvers in squid sort lookup results by preferred access.
- By default squid will use these IP in order and only rotates to
- the next listed when the most preffered fails.
+<DT><B>wccp2_assignment_method hash mask</B><DD>
+<P>Method names now accepted. Replacing the old magic numbers.
+'1' becomes 'hash' and '2' becomes 'mask'</P>
- Some load balancing servers based on round robin DNS have been
- found not to preserve user session state across requests
- to different IP addresses.
+<DT><B>wccp2_forwarding_method gre l2</B><DD>
+<P>Method names now accepted. Replacing the old magic numbers.
+'1' becomes 'gre' and '2' becomes 'l2'</P>
- Enabling this directive Squid rotates IP's per request.
-
-</PRE>
-</P>
-
-<DT><B>http_port</B><DD>
-<P>option 'transparent' is being deprecated in favour of 'intercept' which more clearly identifies what the option does.
-For now option 'tproxy' remains with old behaviour meaning fully-invisible proxy using TPROXY support.</P>
+<DT><B>wccp2_return_method gre l2</B><DD>
+<P>Method names now accepted. Replacing the old magic numbers.
+'1' becomes 'gre' and '2' becomes 'l2'</P>
-<DT><B>error_directory</B><DD>
-<P>Now an optiona entry in squid.conf. If present it will force all visitors to receive the error pages
-contained in the directory it points at. If absent error page localization will be given a chance.
-<PRE>
- If you wish to create your own versions of the default
- error files to customize them to suit your company copy
- the error/template files to another directory and point
- this tag at them.
-
- WARNING: This option will disable multi-language support
- on error pages if used.
-
- The squid developers are interested in making squid available in
- a wide variety of languages. If you are making translations for a
- language that Squid does not currently provide please consider
- contributing your translation back to the project.
- http://wiki.squid-cache.org/Translations
-
- The squid developers working on translations are happy to supply drop-in
- translated error files in exchange for any new language contributions.
-
-</PRE>
-</P>
</DL>
</P>
<DT><B>dns_testnames</B><DD>
<P>Obsolete. This feature is no longer relevant to modern networks and causes boot problems.</P>
+<DT><B>extension_methods</B><DD>
+<P>Obsolete. All possible methods are now accepted and handled properly.</P>
+
+<DT><B>icap_class</B><DD>
+<P>Replaced by adaptation_service_set.</P>
+
+<DT><B>icap_access</B><DD>
+<P>Replaced by adaptation_access.</P>
+
</DL>
</P>
<!doctype linuxdoc system>
<article>
-<title>Squid 3.1.PRE1 release notes</title>
+<title>Squid 3.1.0.1 release notes</title>
<author>Squid Developers</author>
-<date>$Id: release-3.1.sgml,v 1.6 2008/01/17 10:09:05 hno Exp $</date>
<abstract>
This document contains the release notes for version 3.1 of Squid.
<sect>Notice
<p>
-The Squid Team are pleased to announce the release of Squid-3.1.PRE1 for pre-release testing.
+The Squid Team are pleased to announce the release of Squid-3.1.0.1 for testing.
This new release is available for download from <url url="http://www.squid-cache.org/Versions/v3/3.1/"> or the <url url="http://www.squid-cache.org/Mirrors/http-mirrors.html" name="mirrors">.
<sect>Known issues
<p>
-Although this release is deemed good enough for testing in many setups, please note the existence of <url url="http://www.squid-cache.org/bugs/buglist.cgi?query_format=advanced&short_desc_type=allwordssubstr&short_desc=&target_milestone=3.1&long_desc_type=allwordssubstr&long_desc=&bug_file_loc_type=allwordssubstr&bug_file_loc=&status_whiteboard_type=allwordssubstr&status_whiteboard=&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&emailtype1=substring&email1=&emailtype2=substring&email2=&bugidtype=include&bug_id=&votes=&chfieldfrom=&chfieldto=Now&chfieldvalue=&cmdtype=doit&order=bugs.bug_severity&field0-0-0=noop&type0-0-0=noop&value0-0-0=" name="open bugs against Squid-3.1">.
+Although this release is deemed good enough for use in many setups, please note the existence of <url url="http://www.squid-cache.org/bugs/buglist.cgi?query_format=advanced&short_desc_type=allwordssubstr&short_desc=&target_milestone=3.1&long_desc_type=allwordssubstr&long_desc=&bug_file_loc_type=allwordssubstr&bug_file_loc=&status_whiteboard_type=allwordssubstr&status_whiteboard=&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&emailtype1=substring&email1=&emailtype2=substring&email2=&bugidtype=include&bug_id=&votes=&chfieldfrom=&chfieldto=Now&chfieldvalue=&cmdtype=doit&order=bugs.bug_severity&field0-0-0=noop&type0-0-0=noop&value0-0-0=" name="open bugs against Squid-3.1">.
-<sect>Changes since earlier PRE releases of Squid-3.1
+<sect>Changes since earlier releases of Squid-3.1
<p>
The 3.1 change history can be <url url="http://www.squid-cache.org/Versions/v3/3.1/changesets/" name="viewed here">.
The most important of these new features are:
<itemize>
- <item>IPv6 Support
+ <item>New Version Numbering System
+ <item>Minimal squid.conf improvements
+ <item>Native IPv6 Support
<item>Error Page Localization
+ <item>Connection Pinning (for NTLM Auth Passthrough)
+ <item>Quality of Service (QoS) Flow support
+ <item>SSL Bump (for HTTPS Filtering and Adaptation)
+ <item>eCAP Adaptation Module support
</itemize>
Most user-facing changes are reflected in squid.conf (see below).
+<sect2>New Version Numbering System
+
+<p>Begining with 3.1 the Squid Developers are trialling a new release numbering system.
+
+<p>We have decided, based on input from interested users to drop the Squid-2 terminology of
+ (DEVEL, PRE, RC, and STABLE) from the release package names.
+These are replaced with a simpler 3-teir system based around the natural code development cycle.
+
+<p>Daily generated snapshots of all current versions are provided as testing (old DEVEL) and bug-fix releases.
+These are numbered from their last release with a date appended.
+Snapshots generated from 3.HEAD and 2.HEAD continue to be highly volatile.
+
+<p>Regular feature releases from Squid-3 will be branched out as sub-versions. Such as this Squid-3.1.
+
+<p>All this is previous policy you should be acustomed to. Now we get to the new numbering change.
+
+<p>Initial branch packages will be generated with a 3.X.0.Z version as testing packages.
+Packages and Snapshots generated with these 3-dot numbers are expected to be relatively stable regarding feature behaviors.
+Suitable for testing but without any guarantees under production loads. This replaces both the old PRE and RC packages.
+If a large number of bugs are found several *.0.Z packages may be attempted before any is considered production-ready.
+
+<p>When one of these Squid-3.X.0.Z packages passes our bug-free standards a 3.X.Y numbered release will be made.
+We can only hope enough testing has been done to consider these ready for production use.
+As always we are fully dependent on people testing the previous packages and reporting all bugs.
+
+<p>In support of this process are several squid-dev process changes which have been worked out over the last year.
+
+<itemize>
+<item>We no longer accept new features into branches.
+ Those are reserved for the next feature release.
+ The cycle for major releases is hoped to be fast enough to suit peoples needs.
+
+<item>We now audit and vote on all feature and major code additions.
+ Requiring at least two sets of developer eyes on any new features before they are committed to 3.HEAD.
+ Vastly reducing the number of bugs in all code.
+
+<item>We have implemented and continue to add more testing infrastructure.
+</itemize>
+
+
+<sect2>Minimal squid.conf improvements
+
+<p>squid.conf has undergone a facelift.
+
+<p>Don't worry few operational changes have been made.
+Older configs from are still expected to run in 3.1 with only the usual minor
+changes seen between major release. Details on those are listed below.
+
+<p>New users will be relieved to see a short 20-line or less squid.conf on clean installs.
+Many of the options have reasonable defaults but had previously needed them explicitly configured!
+These are now proper built-in defaults and no longer need to be in squid.conf unless changed.
+
+<p>All of the option documentation has been offloaded to another file <em>squid.conf.docuemented</em> which
+contains a fully documented set of options previoulsy cluttering up squid.conf itself.
+
+<p>Package maintainers are provided with a second file squid.conf.default which as always contains the default
+config options provided on a clean install.
+
+
<sect2>Internet Protocol version 6 (IPv6)
<p>Squid 3.1 supports IPv6. To enable IPv6 support, use the ./configure --enable-ipv6 option
+<p>Details at <url url="http://wiki.squid-cache.org/Features/IPv6" name="The Squid wiki">
+
<sect3>New Features for IPv6
<p>Squid handles localhost values seperately. For the purpose of ACLs and also external
connections ::1 is considered a seperate IP from 127.0.0.1. This means all ACL which
define behaviour for localhost may need ::1/128 included.
-<p>--with-localhost-ipv6 option is provided for Pure-IPv6 setups who do not want to be
- bothered by the localhost vagaries. It will enable logics to map all localhost traffic
- through ::1 unless an IPv4-only link is required.
-
-<p>Additional ./configure --with-ipv4-mapped option is provided for OS that require a socket setting
- to accept IPv4 addresses on IPv6 sockets, squid performs v4-mapping on these addresses
- It is intended primarily to be used for Windows Vista builds.
-
<p>Pinger has been upgraded to perform both ICMP and ICMPv6 as required.
As a result of this and due to a change in the binary protocol format between them,
new builds of squid are no longer backwards-compatible with old pinger binaries.
As a side effect of this the long-missing fix to show seperate named peers on one IP
has been integrated. Making the SNMP peer table now produce correct output.
The table structure change is identical for both IPv4-only and Dual modes but with
- IPv4-only simply not including any IP6 entries. This means any third-party SNMP
+ IPv4-only simply not including any IPv6 entries. This means any third-party SNMP
software which hard coded the MIB paths needs to be upgraded for this Squid release.
<p>Specify a specific tcp_outgoing_address and the clients who match its ACL are limited
to the IPv4 or IPv6 network that address belongs to. They are not permitted over the
IPv4-IPv6 boundary. Some ACL voodoo can however be applied to explicitly route the
- IPv6/IPv4 bound traffic out an appropriate interface.
+ IPv6/IPv4 bound traffic (DIRECT access) out an appropriate interface.
<verb>
acl toIP6 dst ipv6
tcp_outgoing_address 2001::1 toIP6
<p>WCCP is not available (neither version 1 or 2). It remains built into squid for use with IPv4 traffic but IPv6 cannot use it.
-<p>Transparent/Interception is done via NAT at the OS level and is not available in IPv6.
- Squid will ensure that any port set with transparent or tproxy options be an IPv4-only
+<p>Transparent Interception is done via NAT at the OS level and is not available in IPv6.
+ Squid will ensure that any port set with transparent, intercept, or tproxy options be an IPv4-only
listening address. Wildcard can still be used but will not open as an IPv6.
To ensure that squid can accept IPv6 traffic on its default port, an alternative should
- be chosen to handle transparent traffic.
+ be chosen to handle transparently intercepted traffic.
<verb>
http_port 3128
- http_port 8080 transparent
+ http_port 8080 intercept
</verb>
<p>The bundled NTLM Auth helper is IPv4-native between itself and the NTLM server.
<sect2>Error Page Localization
-<p>
-The error pages presented by squid may now be localized per-request to match the visitors local preferred language.
+
+<p>Details at <url url="http://wiki.squid-cache.org/Translations" name="The Squid wiki">
+
+<p>The error pages presented by squid may now be localized per-request to match the visitors local preferred language.
<p>Squid needs to be build with the --enable-auto-locale option. And the error_directory option in squid.conf needs to be removed.
<p>The squid developers are interested in making squid available in a wide variety of languages.
Contributions of new languages is encouraged.
- Details at <url url="http://wiki.squid-cache.org/Translations" named="The Squid wiki">
+
+
+<sect2>Connection Pinning (for NTLM Auth Passthrough)
+
+<p>Squid 3.1 includes the much asked for Connection Pinning feature from Squid 2.6.
+
+<p>This feature is often called 'NTLM Passthru' since it is a giant workaround which permits Web servers to use
+Microsoft NTLM Authentication instead of HTTP standard authentication through a web proxy.
+
+<p>Details at <url url="http://wiki.squid-cache.org/Features/ConnPinn" name="The Squid wiki">
+
+
+<sect2>Quality of Service (QoS) Flow support
+
+<p>Details at <url url="http://wiki.squid-cache.org/Features/QualityOfService" name="The Squid wiki">
+
+<p>Zero Penalty Hit created a patch to set QoS markers on outgoing traffic.
+
+<itemize>
+ <item>Allows you to select a TOS/Diffserv value to mark local hits.
+ <item>Allows you to select a TOS/Diffserv value to mark peer hits.
+ <item>Allows you to selectively set only sibling or sibling+parent requests
+ <item>Allows any HTTP response towards clients will have the TOS value of the response coming from
+ the remote server masked with the value of zph_preserve_miss_tos_mask.
+ For this to work correctly, you will need to patch your linux kernel with the TOS preserving ZPH patch.
+ The kernel patch can be downloaded from http://zph.bratcheda.org
+ <item>Allows you to mask certain bits in the TOS received from the remote server,
+ before copying the value to the TOS send towards clients.
+</itemize>
+
+<sect3>Squid Configuration
+<p>Squid 3.1 needs to be configured with --enable-zph-qos for teh ZPH QoS conttols to be available.
+
+<p>The configuration options for 2.7 and 3.1 are based on different ZPH patches.
+The two releases configuration differs and is not at this point directly translatable.
+
+<itemize>
+<item><em>zph_tos_local</em> Responses found as a HIT in the local cache
+<item><em>zph_tos_peer</em> Responses found as a HIT on peer caches.
+<item><em>zph_tos_parent</em> Qos to Sibling caches only or all peers.
+<item><em>zph_preserve_miss_tos</em> Use the same ToS settings received by Squid from the remote server,
+ on the client connection. Requires a kernel patch.
+</itemize>
+
+
+<sect2>SSL Bump (for HTTPS Filtering and Adaptation)
+
+<p>Details at <url url="http://wiki.squid-cache.org/Features/SslBump" name="The Squid wiki">
+
+<p>Squid-in-the-middle decryption and encryption of straight CONNECT and transparently redirected SSL traffic,
+using configurable client- and server-side certificates.
+While decrypted, the traffic can be inspected using ICAP.
+
+
+<sect2>eCAP Adaptation Module support
+
+<p>Details at <url url="http://wiki.squid-cache.org/Features/eCAP" name="The Squid wiki">
+
<sect>Windows support
<P>This Squid version can run on Windows as a system service using the Cygwin emulation environment,
<sect2>New tags<label id="newtags">
<p>
<descrip>
- <tag>pinger_enable</tag>
- <p>New option to enable/disable the ICMP pinger helper with a reconfigure instead of a full rebuild.
- <verb>
- Control whether the pinger is active at run-time.
- Enables turning ICMP pinger on and off with a simple squid -k reconfigure.
- default is on when --enable-icmp is compiled in.
- </verb>
+ <tag>acl_uses_indirect_client</tag>
+ <p>Whether to use any result found by follow_x_forwarded_for in further ACL processing.
+ Default: ON
+ <verb>
+ Controls whether the indirect client address
+ (see follow_x_forwarded_for) is used instead of the
+ direct client address in acl matching.
+ </verb>
+
+ <tag>adaptation_access</tag>
+ <p>Sends an HTTP transaction to an ICAP or eCAP adaptation service.
+ <verb>
+ adaptation_access service_name allow|deny [!]aclname...
+ adaptation_access set_name allow|deny [!]aclname...
+
+ At each supported vectoring point, the adaptation_access
+ statements are processed in the order they appear in this
+ configuration file. Statements pointing to the following services
+ are ignored (i.e., skipped without checking their ACL):
+
+ - services serving different vectoring points
+ - "broken-but-bypassable" services
+ - "up" services configured to ignore such transactions
+ (e.g., based on the ICAP Transfer-Ignore header).
+
+ When a set_name is used, all services in the set are checked
+ using the same rules, to find the first applicable one. See
+ adaptation_service_set for details.
+
+ If an access list is checked and there is a match, the
+ processing stops: For an "allow" rule, the corresponding
+ adaptation service is used for the transaction. For a "deny"
+ rule, no adaptation service is activated.
+
+ It is currently not possible to apply more than one adaptation
+ service at the same vectoring point to the same HTTP transaction.
+
+ See also: icap_service and ecap_service
+ </verb>
+
+ <tag>adaptation_service_set</tag>
+ <verb>
+ Defines a named adaptation service set. The set is populated in
+ the order of adaptation_service_set directives in this file.
+ When adaptation ACLs are processed, the first and only the first
+ applicable adaptation service from the set will be used. Thus,
+ the set should group similar, redundant services, rather than a
+ chain of complementary services.
+
+ If you have a single adaptation service, you do not need to
+ define a set containing it because adaptation_access accepts
+ service names.
+
+ Example:
+ adaptation_service_set svcBlocker urlFilterPrimary urlFilterBackup
+ adaptation service_set svcLogger loggerLocal loggerRemote
+ </verb>
+
+ <tag>delay_pool_uses_indirect_client</tag>
+ <p>Whether to use any result found by follow_x_forwarded_for in delay_pool assignment.
+ Default: ON
+ <verb>
+ Controls whether the indirect client address
+ (see follow_x_forwarded_for) is used instead of the
+ direct client address in delay pools.
+ </verb>
<tag>dns_v4_fallback</tag>
<p>New option to prevent squid from always looking up IPv4 regardless of whether IPv6 addresses are found.
*) May negatively impact connection delay times.
</verb>
+ <tag>ecap_enable</tag>
+ <p>Controls whether eCAP support is enabled. Default: OFF
+
+ <tag>ecap_service</tag>
+ <p>Defines a single eCAP service
+ <verb>
+ ecap_service servicename vectoring_point bypass service_url
+
+ vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
+ This specifies at which point of transaction processing the
+ eCAP service should be activated. *_postcache vectoring points
+ are not yet supported.
+
+ bypass = 1|0
+ If set to 1, the eCAP service is treated as optional. If the
+ service cannot be reached or malfunctions, Squid will try to
+ ignore any errors and process the message as if the service
+ was not enabled. No all eCAP errors can be bypassed.
+ If set to 0, the eCAP service is treated as essential and all
+ eCAP errors will result in an error page returned to the
+ HTTP client.
+
+ service_url = ecap://vendor/service_name?custom&cgi=style&parameters=optional
+
+ Example:
+ ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block
+ ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg
+ </verb>
+
+ <tag>error_default_language</tag>
+ <p>New option to replace the old configure option --enable-default-err-language
+ New translations can be downloaded from http://www.squid-cache.org/Versions/langpack/
+ <verb>
+ Set the default language which squid will send error pages in
+ if no existing translation matches the clients language
+ preferences.
+
+ If unset (default) generic English will be used.
+ </verb>
+
+ <tag>error_log_languages</tag>
+ <p>
+ <verb>
+ Log to cache.log what languages users are attempting to
+ auto-negotiate for translations.
+
+ Successful negotiations are not logged. Only failures
+ have meaning to indicate that Squid may need an upgrade
+ of its error page translations.
+ </verb>
+
+ <tag>follow_x_forwarded_for</tag>
+ <p>Enable processing of the X-Forwarded-for header for various administration tasks.
+ <verb>
+ Allowing or Denying the X-Forwarded-For header to be followed to
+ find the original source of a request.
+
+ Requests may pass through a chain of several other proxies
+ before reaching us. The X-Forwarded-For header will contain a
+ comma-separated list of the IP addresses in the chain, with the
+ rightmost address being the most recent.
+
+ If a request reaches us from a source that is allowed by this
+ configuration item, then we consult the X-Forwarded-For header
+ to see where that host received the request from. If the
+ X-Forwarded-For header contains multiple addresses, and if
+ acl_uses_indirect_client is on, then we continue backtracking
+ until we reach an address for which we are not allowed to
+ follow the X-Forwarded-For header, or until we reach the first
+ address in the list. (If acl_uses_indirect_client is off, then
+ it's impossible to backtrack through more than one level of
+ X-Forwarded-For addresses.)
+
+ The end result of this process is an IP address that we will
+ refer to as the indirect client address. This address may
+ be treated as the client address for access control, delay
+ pools and logging, depending on the acl_uses_indirect_client,
+ delay_pool_uses_indirect_client and log_uses_indirect_client
+ options.
+
+ SECURITY CONSIDERATIONS:
+ Any host for which we follow the X-Forwarded-For header
+ can place incorrect information in the header, and Squid
+ will use the incorrect information as if it were the
+ source address of the request. This may enable remote
+ hosts to bypass any access control restrictions that are
+ based on the client's source addresses.
+
+ For example:
+
+ acl localhost src 127.0.0.1
+ acl my_other_proxy srcdomain .proxy.example.com
+ follow_x_forwarded_for allow localhost
+ follow_x_forwarded_for allow my_other_proxy
+ </verb>
+
+ <tag>ftp_epsv_all</tag>
+ <verb>
+ FTP Protocol extensions permit the use of a special "EPSV ALL" command.
+
+ NATs may be able to put the connection on a "fast path" through the
+ translator, as the EPRT command will never be used and therefore,
+ translation of the data portion of the segments will never be needed.
+
+ When a client only expects to do two-way FTP transfers this may be useful.
+ If squid finds that it must do a three-way FTP transfer after issuing
+ an EPSV ALL command, the FTP session will fail.
+
+ If you have any doubts about this option do not use it.
+ Squid will nicely attempt all other connection methods.
+
+ Requires ftp_passive to be ON (default)
+ </verb>
+
<tag>include</tag>
<p>New option to import entire secondary configuration files into squid.conf.
<verb>
include /path/to/file1 /path/to/file2
</verb>
- <tag>error_default_language</tag>
- <p>New option to replace the old configure option --enable-default-err-language
+ <tag>loadable_modules</tag>
+ <p>Instructs Squid to load the specified dynamic module(s) or activate
+ preloaded module(s).
+ <verb>
+ Example:
+ loadable_modules @DEFAULT_PREFIX@/lib/MinimalAdapter.so
+ </verb>
+
+ <tag>log_uses_indirect_client</tag>
+ <p>Whether to use any result found by follow_x_forwarded_for in access.log.
+ Default: ON
+ <verb>
+ Controls whether the indirect client address
+ (see follow_x_forwarded_for) is used instead of the
+ direct client address in the access log.
+ </verb>
+
+ <tag>netdb_filename</tag>
+ <verb>
+ A filename where Squid stores it's netdb state between restarts.
+ To disable, enter "none".
+ </verb>
+
+ <tag>pinger_enable</tag>
+ <p>New option to enable/disable the ICMP pinger helper with a reconfigure instead of a full rebuild.
<verb>
- Set the default language which squid will send error pages in
- if no existing translation matches the clients language
- preferences.
+ Control whether the pinger is active at run-time.
+ Enables turning ICMP pinger on and off with a simple squid -k reconfigure.
+ default is on when --enable-icmp is compiled in.
+ </verb>
- If unset (default) generic English will be used.
+ <tag>ssl_bump</tag>
+ <p>New Access control for which CONNECT requests to an http_port
+ marked with an sslBump flag are actually "bumped". Please
+ see the sslBump flag of an http_port option for more details
+ about decoding proxied SSL connections.
+ DEFAULT: No requests are bumped.
+ <verb>
+NOCOMMENT_START
+# Example: Bump all requests except those originating from localhost and
+# those going to webax.com or example.com sites.
+#
+# acl broken_sites dstdomain .webax.com
+# acl broken_sites dstdomain .example.com
+# ssl_bump deny localhost
+# ssl_bump deny broken_sites
+# ssl_bump allow all
+ </verb>
+
+ <tag>sslproxy_cert_error</tag>
+ <p>New Access Control to selectively bypass server certificate validation errors.
+ DEFAULT: None bypassed.
+ <verb>
+ For example, the following lines will bypass all validation errors
+ when talking to servers located at 172.16.0.0/16. All other
+ validation errors will result in ERR_SECURE_CONNECT_FAIL error.
+
+ acl BrokenServersAtTrustedIP dst 172.16.0.0/16
+ sslproxy_cert_error allow BrokenServersAtTrustedIP
+ sslproxy_cert_error deny all
+
+ This option must use fast ACL expressions only. Expressions that use
+ external lookups or communication result in unpredictable behavior or
+ crashes.
+
+ Without this option, all server certificate validation errors
+ terminate the transaction. Bypassing validation errors is dangerous
+ because an error usually implies that the server cannot be trusted and
+ the connection may be insecure.
+
+ See also: sslproxy_flags and DONT_VERIFY_PEER.
+ </verb>
+
+ <tag>zph_preserve_miss_tos</tag>
+ <verb>
+ If set to on (default), any HTTP response towards clients will
+ have the TOS value of the response comming from the remote
+ server masked with the value of zph_preserve_miss_tos_mask.
+ For this to work correctly, you will need to patch your linux
+ kernel with the TOS preserving ZPH patch.
+ The kernel patch can be downloaded from http://zph.bratcheda.org
+ </verb>
+
+ <tag>zph_preserve_miss_tos_mask</tag>
+ <verb>
+ Allows you to mask certain bits in the TOS received from the
+ remote server, before copying the value to the TOS send towards
+ clients.
+ Default: 0xFF (255) (TOS from server is not changed).
+ </verb>
+
+ <tag>zph_tos_local</tag>
+ <verb>
+ Allows you to select a TOS/Diffserv value to mark local hits. Read above
+ (tcp_outgoing_tos) for details/requirements about TOS.
+ Default: 0 (disabled).
+ </verb>
+
+ <tag>zph_tos_parent</tag>
+ <verb>
+ Set this to off if you want only sibling hits to be marked.
+ If set to on (default), parent hits are being marked too.
+ </verb>
+
+ <tag>zph_tos_peer</tag>
+ <verb>
+ Allows you to select a TOS/Diffserv value to mark peer hits. Read above
+ (tcp_outgoing_tos) for details/requirements about TOS.
+ Default: 0 (disabled).
</verb>
<sect2>Changes to existing tags<label id="modifiedtags">
<p>
<descrip>
- <tag>acl dst ipvs</tag>
+ <tag>acl dst ipv6</tag>
<p>New preset content - ipv6 - available as a preset type in the src and dst ACL matching all of the public IPv6 network space.
<verb>
acl aclname dst ipv6
</verb>
- <tag>http(s)_port name= intercept</tag>
- <p>New port options.
+ <tag>acl myportname peername</tag>
+ <p>New acl type myportname, matching the name of the http(s)_port where the request was accepted.
+ New acl type peername, matching against a named cache_peer entry where the request will be attempted first.
+ NP: peername currently is limited to only match the first peer possible.
<verb>
- name= Specifies a internal name for the port. Defaults to
- the port specification (port or addr:port)
-
- intercept Rename of old 'transparent' option to indicate proper functionality.
- </verb>
+ acl aclname myportname 3128 ... # http(s)_port name
+ acl aclname peername myPeer ... # cache_peer ... name=myPeer
+ </verb>
- <tag>acl myportname</tag>
- <p>New acl type myportname, matching the name of the http(s)_port where the request was accepted
+ <tag>balance_on_multiple_ip</tag>
+ <p>The previous default behavour (rotate per-request) of this setting causes failover clashes with IPv6 built-in mechanisms.
+ It has thus been turned off by default. Making the 'best choice' IP continue in use for any hostname until it encounters a connection failure and failover drops to the next known IP.
<verb>
- acl aclname myportname 3128 ... # http(s)_port name
+ Modern IP resolvers in squid sort lookup results by preferred access.
+ By default squid will use these IP in order and only rotates to
+ the next listed when the most preffered fails.
+
+ Some load balancing servers based on round robin DNS have been
+ found not to preserve user session state across requests
+ to different IP addresses.
+
+ Enabling this directive Squid rotates IP's per request.
</verb>
+ <tag>cache</tag>
+ <p>Removed the 'QUERY' acl and 'cache deny QUERY' entries.
+ Replaced by new refresh_pattern instead.
+
+ <tag>cache_dir</tag>
+ <p>Default changed from 100MB on-disk UFS cache to 256MB in-memory cache.
+ see cache_mem and maximum_object_size_in_memory for size parameters.
+ 'null' storage type dropped.
+
+ <tag>cache_mem</tag>
+ <p>Default size increased to 256MB.
+
+ <tag>cache_peer htcp-no-clr htcp-no-purge-clr htcp-only-clr htcp-forward-clr connection-auth[=on|off|auto]</tag>
+ <p>New Options.
+ <verb>
+ use 'htcp-no-clr' to send HTCP to the neighbor but without
+ sending any CLR requests. This cannot be used with
+ htcp-only-clr.
+
+ use 'htcp-no-purge-clr' to send HTCP to the neighbor
+ including CLRs but only when they do not result from
+ PURGE requests.
+
+ use 'htcp-only-clr' to send HTCP to the neighbor but ONLY
+ CLR requests. This cannot be used with htcp-no-clr.
+
+ use 'htcp-forward-clr' to forward any HTCP CLR requests
+ this proxy receives to the peer.
+
+ use 'connection-auth=off' to tell Squid that this peer does
+ not support Microsoft connection oriented authentication,
+ and any such challenges received from there should be
+ ignored. Default is 'auto' to automatically determine the
+ status of the peer.
+ </verb>
+
+ <tag>cache_store_log</tag>
+ <p>Default changed to OFF. Matching long-standing developer recommendations.
+
+ <tag>error_directory</tag>
+ <p>Now an optional entry in squid.conf. If present it will force all visitors to receive the error pages
+ contained in the directory it points at. If absent error page localization will be given a chance.
+ <verb>
+ If you wish to create your own versions of the default
+ error files to customize them to suit your company COPY
+ the error/template files to another directory and point
+ this tag at them.
+
+ WARNING: This option will disable multi-language support
+ on error pages if used.
+
+ The squid developers are interested in making squid available in
+ a wide variety of languages. If you are making translations for a
+ language that Squid does not currently provide please consider
+ contributing your translation back to the project.
+ http://wiki.squid-cache.org/Translations
+
+ The squid developers working on translations are happy to supply drop-in
+ translated error files in exchange for any new language contributions.
+ </verb>
+
<tag>external_acl_type</tag>
<p>New options 'ipv4' and 'ipv6' are added to set the IPv4/v6 protocol between squid and its helpers.
Please be aware of some limits to these options. These options only affet the transport protocol used
--with-localhost-ipv6 changes the default to 'ipv6'.
SPECIAL NOTE: explicit use of these options override --with-localhost-ipv6
</verb>
+ <p>New header input format specifiers. To seperate Request and Reply headers when both passed back.
+ <verb>
+ %>{Header} HTTP request header
+ %>{Hdr:member} HTTP request header list member
+ %>{Hdr:;member} HTTP request header list member using ; as
+ list separator. ; can be any non-alphanumeric
+ character.
+
+ %<{Header} HTTP reply header
+ %<{Hdr:member} HTTP reply header list member
+ %<{Hdr:;member} HTTP reply header list member using ; as
+ list separator. ; can be any non-alphanumeric
+ character.
+ </verb>
+
+ <tag>forwarded_for</tag>
+ <p>New setting options. transparent, truncate, delete.
+ <verb>
+ If set to "transparent", Squid will not alter the
+ X-Forwarded-For header in any way.
+
+ If set to "delete", Squid will delete the entire
+ X-Forwarded-For header.
+
+ If set to "truncate", Squid will remove all existing
+ X-Forwarded-For entries, and place itself as the sole entry.
+ </verb>
+
+ <tag>http_port transparent</tag>
+ <p>Option 'transparent' is being deprecated in favour of 'intercept' which more clearly identifies what the option does.
+ For now option 'tproxy' remains with old behaviour meaning fully-invisible proxy using TPROXY support.</p>
+
+ <tag>http(s)_port intercept sslbump connection-auth[=on|off]</tag>
+ <p>New port options
+ <verb>
+ intercept Rename of old 'transparent' option to indicate proper functionality.
+
+ connection-auth[=on|off]
+ use connection-auth=off to tell Squid to prevent
+ forwarding Microsoft connection oriented authentication
+ (NTLM, Negotiate and Kerberos)
+
+ keepalive[=idle,interval,timeout]
+ Enable TCP keepalive probes of idle connections
+ idle is the initial time before TCP starts probing
+ the connection, interval how often to probe, and
+ timeout the time before giving up.
+
+ sslBump Intercept each CONNECT request matching ssl_bump ACL,
+ establish secure connection with the client and with
+ the server, decrypt HTTP messages as they pass through
+ Squid, and treat them as unencrypted HTTP messages,
+ becoming the man-in-the-middle.
+
+ When this option is enabled, additional options become
+ available to specify SSL-related properties of the
+ client-side connection: cert, key, version, cipher,
+ options, clientca, cafile, capath, crlfile, dhparams,
+ sslflags, and sslcontext. See the https_port directive
+ for more information on these options.
+
+ The ssl_bump option is required to fully enable
+ the SslBump feature.
+ </verb>
+
+ <tag>maximum_object_size_in_memory</tag>
+ <p>Default size limit increased to 512KB.
+
+ <tag>negative_ttl</tag>
+ <p>New default to prevent negative-caching of failure messages unless explicitly
+ permitted by the message generating web server.
+ This is an RFC 1616 violation and now requires --enable-http-violations
+ to even be usable.
+
+ <tag>refresh_pattern</tag>
+ <p>New set of basic patterns. These should always be listed after any custom ptterns.
+ They ensure RFC compliance with certain protocol and request handling in the absence
+ of accurate Cache-Control: and Expires: information.
+ <verb>
+refresh_pattern ^ftp: 1440 20% 10080
+refresh_pattern ^gopher: 1440 0% 1440
+refresh_pattern (cgi-bin|\?) 0 0% 0
+refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
+refresh_pattern . 0 20% 4320
+ </verb>
+
+ <tag>reply_header_max_size</tag>
+ <p>Default limit increased to 64KB for RFC 2616 compliance.
+
+ <tag>request_header_max_size</tag>
+ <p>Default limit increased to 64KB for RFC 2616 compliance.
<tag>tcp_outgoing_address</tag>
<p>This option causes some problems when bridging IPv4 and IPv6. A workaround has been provided.
tcp_outgoing_address 10.0.0.3 !to_ipv6
</verb>
- <tag>balance_on_multiple_ip</tag>
- <p>The previous default behavour (rotate per-request) of this setting causes failover clashes with IPv6 built-in mechanisms.
- It has thus been turned off by default. Making the 'best choice' IP continue in use for any hostname until it encounters a connection failure and failover drops to the next known IP.
- <verb>
- Modern IP resolvers in squid sort lookup results by preferred access.
- By default squid will use these IP in order and only rotates to
- the next listed when the most preffered fails.
-
- Some load balancing servers based on round robin DNS have been
- found not to preserve user session state across requests
- to different IP addresses.
-
- Enabling this directive Squid rotates IP's per request.
- </verb>
-
- <tag>http_port</tag>
- <p>option 'transparent' is being deprecated in favour of 'intercept' which more clearly identifies what the option does.
- For now option 'tproxy' remains with old behaviour meaning fully-invisible proxy using TPROXY support.</p>
-
- <tag>error_directory</tag>
- <p>Now an optiona entry in squid.conf. If present it will force all visitors to receive the error pages
- contained in the directory it points at. If absent error page localization will be given a chance.
- <verb>
- If you wish to create your own versions of the default
- error files to customize them to suit your company copy
- the error/template files to another directory and point
- this tag at them.
+ <tag>wccp2_assignment_method hash mask</tag>
+ <p>Method names now accepted. Replacing the old magic numbers.
+ '1' becomes 'hash' and '2' becomes 'mask'
- WARNING: This option will disable multi-language support
- on error pages if used.
+ <tag>wccp2_forwarding_method gre l2</tag>
+ <p>Method names now accepted. Replacing the old magic numbers.
+ '1' becomes 'gre' and '2' becomes 'l2'
- The squid developers are interested in making squid available in
- a wide variety of languages. If you are making translations for a
- language that Squid does not currently provide please consider
- contributing your translation back to the project.
- http://wiki.squid-cache.org/Translations
+ <tag>wccp2_return_method gre l2</tag>
+ <p>Method names now accepted. Replacing the old magic numbers.
+ '1' becomes 'gre' and '2' becomes 'l2'
- The squid developers working on translations are happy to supply drop-in
- translated error files in exchange for any new language contributions.
- </verb>
</descrip>
<tag>dns_testnames</tag>
<p>Obsolete. This feature is no longer relevant to modern networks and causes boot problems.</p>
+ <tag>extension_methods</tag>
+ <p>Obsolete. All possible methods are now accepted and handled properly.</p>
+
+ <tag>icap_class</tag>
+ <p>Replaced by adaptation_service_set.</p>
+
+ <tag>icap_access</tag>
+ <p>Replaced by adaptation_access.</p>
+
</descrip>
Successful negotiations are not logged. Only failures
have meaning to indicate that Squid may need an upgrade
- of is error page translations.
+ of its error page translations.
DOC_END
NAME: err_html_text
projects / thirdparty / squid.git / commitdiff
