------------------------------------------------------------ revno: 12378 revision-id: squid3@treenet.co.nz-20121110035703-mu7tcl584h7xex1k parent: squid3@treenet.co.nz-20121028053157-mnhybqu113epwpk9 committer: Amos Jeffries branch nick: 3.3 timestamp: Fri 2012-11-09 20:57:03 -0700 message: Release Notes: 3.3 updates ------------------------------------------------------------ # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: squid3@treenet.co.nz-20121110035703-mu7tcl584h7xex1k # target_branch: http://bzr.squid-cache.org/bzr/squid3/3.3 # testament_sha1: 031b2f9ee363e063ba1ebbf9562175ac1c1ecfc1 # timestamp: 2012-11-10 04:03:32 +0000 # source_branch: http://bzr.squid-cache.org/bzr/squid3/3.3 # base_revision_id: squid3@treenet.co.nz-20121028053157-\ # mnhybqu113epwpk9 # # Begin patch === modified file 'doc/release-notes/release-3.3.sgml' --- doc/release-notes/release-3.3.sgml 2012-10-20 10:41:31 +0000 +++ doc/release-notes/release-3.3.sgml 2012-11-10 03:57:03 +0000 @@ -34,13 +34,129 @@

The most important of these new features are: - + SQL Database logging helper + Time-Quota session helper + SSL-Bump Server First + Server Certificate Mimic + Custom HTTP request headers Most user-facing changes are reflected in squid.conf (see below). - -

+SQL Database logging helper +

log_db_daemon - Database logging daemon for Squid + +

This program writes Squid access.log entries to an SQL database. + Written in Perl it can utilize any database supported by the Perl + database abstraction layer. + +

NOTE: Presently it only accepts the Squid native log format. + + +Time-Quota session helper +

ext_time_quota_acl - Time quota external ACL helper. + +

Allows an administrator to define time budgets (quota) for the + users of Squid to limit the time using Squid. + +

This is useful for corporate lunch time allocations, wifi portal + pay-per-minute installations or for parental control of children. + +

The administrator can define a time budget (e.g. 1 hour per day) + which is enforced through this helper using session estimations + of their browsing time. A 'pause' threshold is given in seconds + and defines the period between two requests to be treated as part + of the same session. Pauses shorter than this value will be + counted against the quota, longer ones ignored. + + +SSL-Bump Server First +

Details at . + +

When an intercepted connection is received, Squid first connects + to the server using SSL and receives the server certificate. + Squid then uses the host name inside the true server certificate + to generate a fake one and impersonates the server while still + using the already established secure connection to the server. + +

Bumping server first is essentially required for handling + intercepted HTTPS connections but the same scheme should be used + for most HTTP CONNECT requests because it offers a few advantages + compared to the old bump-client-first approach: + + +When Squid knows valid server certificate details, it can + generate its fake server certificate with those details. + With the bump-client-first scheme, all those details are lost. + In general, browsers do not care about those details but there + may be HTTP clients (or even human users) that require or could + benefit from knowing them. + +When a server sends a bad certificate, Squid may be able to + replicate that brokenness in its own fake certificate, giving + the HTTP client control whether to ignore the problem or + terminate the transaction. With bump-client-furst, it is + difficult to support similar dynamic, user-directed opt out; + Squid itself has to decide what to do when the server + certificate cannot be validated. + +When a server asks for a client certificate, Squid may be + able to ask the client and then forward the client certificate + to the server. Such client certificate handling may not be + possible with the bump-client-first scheme because it would + have to be done after the SSL handshake. + +Some clients (e.g., Rekonq browser v0.7.x) do not send host + names in CONNECT requests. Such clients require bump-server-first + even in forward proxying mode. Unfortunately, there are other + problems with fully supporting such clients (i.e., Squid does + not know whether the IP address in the CONNECT request is what + the user have typed into the address bar) so not all features + will work well for them until more specialized detection code + is added. + + +Server Certificate Mimic +

Details at . + +

One of the SslBump features serious drawbacks is the loss of + information embedded in SSL server certificate. + This certificate mimic feature passes original SSL server + certificate information to the user. Allowing the user to + make an informed decision on whether to trust the server + certificate. + + +Custom HTTP request headers +

The request_header_add option is added to insert + HTTP header fields to outgoing HTTP requests (i.e., + request headers sent by Squid to the next HTTP hop such as a + cache peer or an origin server). The option has no effect on + cache hit traffic or requests serviced by Squid and ICAP. + +

WARNING: If a standard HTTP header name is used, Squid does not check whether + the new header conflicts with any existing headers or violates + HTTP rules. If the request to be modified already contains a + field with the same name, the old field is preserved but the + header field values are not merged. + +

Field-value set can be either a token or a quoted string. If quoted + string format is used, then the surrounding quotes are removed + while escape sequences and %macros are processed. + +

In theory, all of the logformat codes can be used as %macros. + However, unlike logging (which happens at the very end of + transaction lifetime), the transaction may not yet have enough + information to expand a macro when the new header value is needed. + And some information may already be available to Squid but not yet + committed where the macro expansion code can access it (please report + such instances!). The macro will be expanded into a single dash + ('-') in such cases. Not all macros have been tested. + +

One or more Squid ACLs may be specified to restrict header + injection to matching requests. As always in squid.conf, all + ACLs in an option ACL list must be satisfied for the insertion + to happen. The request_header_add option supports fast ACLs only. Changes to squid.conf since Squid-3.2 @@ -59,19 +175,52 @@ New tags

+ request_header_add +

New directive to add custom headers on HTTP traffic sent to upstream servers. + + sslproxy_cert_sign +

New option to determine how the client certificate sent to upstream servers is signed. + + sslproxy_cert_adapt +

New option to adapt certain properties of outgoing SSL certificates generated for use when bumping SSL to an upstream server. + Changes to existing tags

+ acl +

myport and myipACL types replaced with localport and localip respecitively. + To reflect that it matches the TCP connection details and not the squid.conf port. + This matters when dealing with interecepted traffic, where the Squid receiving port differs from the TCP connection IP:port. + Always use myportname type to match the squid.conf port details. +

New default built-in ACLs for testing SSL certificate properties. +

ssl::certHasExpired, + ssl::certNotYetValid, + ssl::certDomainMismatch, + ssl::certUntrusted, + ssl::certSelfSigned. + + logformat +

New token %ssl::bump_mode to log the SSL-bump mode type performed on a request. + Logs values of: -, none, client-first, or server-first. +

New token of %ssl::>cert_subject to log the Subject field of a SSL certficate received from the client. +

New token of %ssl::>cert_issuer to log the Issuer field of a SSL certficate received from the client. + + ssl_bump +

New action types none, client-first, server-first. The default is none. +

Use of allow/deny is now deprecated and they should be removed as soon as possible. + To retain the exact same behaviour between 3.3 and older releases replace deny with none, + and allow with client-first. However an upgrade to server-first is the recommended. +

NOTE: Mixing of allow/deny with the new action types is prohibited and will cause Squid to exit with a FATAL error. - Removed tags

+

There are no removed squid.conf tags in Squid-3.3. @@ -92,12 +241,14 @@ New options

+

There are no new ./configure options in Squid-3.3. Changes to existing options

+

There are no changed ./configure options in Squid-3.3.

@@ -106,129 +257,7 @@

--enable-ntlm-fail-open -

Removed. This has not been supported by Squid for several versions. - - - - -Options Removed since Squid-2 - -

Some squid.conf and ./configure options which were available in Squid-2.6 and Squid-2.7 are made obsolete in Squid-3.3. - -Removed squid.conf options since Squid-2.7 -

- - auth_param -

blankpassword option for basic scheme removed. - - cache_peer -

http11 Obsolete. - - external_acl_type -

Format tag %{Header} replaced by %>{Header} -

Format tag %{Header:member} replaced by %>{Header:member} - - header_access -

Replaced by request_header_access and reply_header_access - - http_port -

no-connection-auth replaced by connection-auth=[on|off]. Default is ON. -

transparent option replaced by intercept -

http11 obsolete. - - http_access2 -

Replaced by adapted_http_access - - httpd_accel_no_pmtu_disc -

Replaced by http_port disable-pmtu-discovery= option - - incoming_rate -

Obsolete. - - redirector_bypass -

Replaced by url_rewrite_bypass - - server_http11 -

Obsolete. - - upgrade_http0.9 -

Obsolete. - - zph_local -

Replaced by qos_flows local-hit= - - zph_mode -

Obsolete. - - zph_option -

Obsolete. - - zph_parent -

Replaced by qos_flows parent-hit= - - zph_sibling -

Replaced by qos_flows sibling-hit= - - - -Removed squid.conf options since Squid-2.6 -

- - cache_dir -

read-only option replaced by no-store. - - - -Removed ./configure options since Squid-2.7 -

- - --enable-coss-aio-ops -

Obsolete. - - --enable-devpoll -

Replaced by automatic detection. - - --enable-dlmalloc=LIB -

Obsolete. - - --enable-epoll -

Replaced by automatic detection. - - --enable-forward-log -

Obsolete. - - --enable-heap-replacement -

Obsolete. - - --enable-htcp -

Obsolete. Enabled by default. - - --enable-large-cache-files -

Obsolete. - - --enable-mempool-debug -

Obsolete. - - --enable-multicast-miss -

Obsolete. - - --enable-poll -

Replaced by automatic detection. - - --enable-select -

Replaced by automatic detection. - - --enable-select-simple -

Replaced by automatic detection. - - --enable-snmp -

Obsolete. Enabled by default. - - --enable-truncate -

Obsolete. - - --disable-kqueue -

Obsolete. Disabled by default. +

This has not been supported by Squid for several versions. @@ -244,13 +273,6 @@ acl

urllogin option not yet ported from 2.6 -

urlgroup option not yet ported from 2.6 - - authenticate_ip_shortcircuit_access -

Not yet ported from 2.7 - - authenticate_ip_shortcircuit_ttl -

Not yet ported from 2.7 broken_vary_encoding

Not yet ported from 2.6 @@ -287,7 +309,6 @@ http_port

act-as-origin not yet ported from 2.7 -

urlgroup= not yet ported from 2.6 ignore_ims_on_miss

Not yet ported from 2.7 @@ -304,9 +325,6 @@ location_rewrite_program

Not yet ported from 2.6 - logformat -

%oa tag not yet ported from 2.7 - refresh_pattern

stale-while-revalidate= not yet ported from 2.7

ignore-stale-while-revalidate= not yet ported from 2.7 @@ -330,16 +348,6 @@ update_headers

Not yet ported from 2.7 - zero_buffers -

Not yet ported from 2.7 - - - -Missing ./configure options available in Squid-2.7 -

- - --without-system-md5 -
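Review bot: In the @@ -34,13 +34,129 @@ hunk, both "Details at ." sentences (under SSL-Bump Server First and Server Certificate Mimic) carry no visible link target; fill in the reference or drop the sentence, because an empty pointer tells the reader nothing. In the same hunk, "bump-client-furst" should be "bump-client-first", "the user have typed" should be "the user has typed", "One of the SslBump features serious drawbacks is the loss of information embedded in SSL server certificate" reads better as "One serious drawback of SslBump is the loss of the information embedded in the SSL server certificate", and the fragment "Allowing the user to make an informed decision ..." should be joined to the sentence before it. One documentation gap worth closing: the request_header_add WARNING says that when the request already contains a field with the same name "the old field is preserved but the header field values are not merged"; spell out the consequence (the request leaves Squid with two fields of that name) so administrators understand why injecting a standard header name unconditionally is risky, and pair it with the "fast ACLs only" sentence so they know the ACL guard cannot depend on slow (external/auth) lookups.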
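Review bot: In the @@ -59,19 +175,52 @@ hunk the sslproxy_cert_sign description ("how the client certificate sent to upstream servers is signed") and the sslproxy_cert_adapt description ("outgoing SSL certificates generated for use when bumping SSL to an upstream server") both place the generated certificate on the upstream side, which contradicts the SSL-Bump Server First text earlier in this same patch, where Squid uses the real server certificate "to generate a fake one and impersonates the server" towards the client. State plainly which certificate each directive affects; "client certificate" here will be read as TLS client authentication. Also fix "myipACL" (missing space), "respecitively", "interecepted", "certficate" (twice) and "an upgrade to server-first is the recommended". Since the ssl_bump NOTE says mixing allow/deny with the new action types "will cause Squid to exit with a FATAL error", it would help operators to say when that check fires (at startup, on reconfigure, or both), as a mixed configuration pushed by reconfigure would then take a running proxy down.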
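Review bot: The @@ -106,129 +257,7 @@ hunk deletes the whole "Options Removed since Squid-2" section (the squid.conf and ./configure mappings from 2.6/2.7 such as header_access to request_header_access and reply_header_access, transparent to intercept, no-connection-auth to connection-auth=[on|off], and the zph_* options to qos_flows), and the commit message "Release Notes: 3.3 updates" does not say why. If this material now lives in the 3.2 release notes, leave a one-line pointer in its place; otherwise administrators moving from 2.7 directly to 3.3 lose the only upgrade mapping the notes provided. Separately, the retained --enable-ntlm-fail-open entry now reads only "This has not been supported by Squid for several versions." after the leading "Removed." was dropped; check that the surrounding heading still makes clear the option is gone.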
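Review bot: In the @@ -244,13 +273,6 @@ hunk the acl urlgroup, authenticate_ip_shortcircuit_access and authenticate_ip_shortcircuit_ttl entries are dropped from the "not yet ported" list (and the following @@ -287,7 +309,6 @@ hunk does the same for http_port urlgroup=), but nothing in this patch lists them as newly ported: the New tags section added earlier names only request_header_add, sslproxy_cert_sign and sslproxy_cert_adapt. Either add them under New tags or Changes to existing tags if 3.3 ported them, or add an explicit "dropped, will not be ported" note, so the deletion is not read as a silent hole in the migration guide.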
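Review bot: In the @@ -304,9 +325,6 @@ hunk the logformat "%oa tag not yet ported from 2.7" entry is removed, yet the logformat entry in the Changes to existing tags hunk lists only %ssl::bump_mode, %ssl::>cert_subject and %ssl::>cert_issuer as new tokens. If %oa was ported in 3.3 it belongs in that list; if it was dropped, say so rather than deleting the line.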
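Review bot: The @@ -330,16 +348,6 @@ hunk removes zero_buffers from the not-yet-ported list and deletes the "Missing ./configure options available in Squid-2.7" section together with its --without-system-md5 entry, while the @@ -92,12 +241,14 @@ hunk states that there are no new and no changed ./configure options in Squid-3.3. Those statements only agree if --without-system-md5 was deliberately dropped rather than ported; say which it is, and where zero_buffers went, so the release notes stay internally consistent.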