------------------------------------------------------------ revno: 12424 tags: SQUID_3_3_0_2 revision-id: squid3@treenet.co.nz-20121202082950-8uazfqo3omancwbx parent: squid3@treenet.co.nz-20121202072740-u3655eueyi40yorw committer: Amos Jeffries branch nick: 3.3 timestamp: Sun 2012-12-02 01:29:50 -0700 message: 3.3.0.2 ------------------------------------------------------------ # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: squid3@treenet.co.nz-20121202082950-8uazfqo3omancwbx # target_branch: http://bzr.squid-cache.org/bzr/squid3/3.3 # testament_sha1: 6a55d1fce5770383e3033c21fec03b77db20832e # timestamp: 2012-12-02 08:48:25 +0000 # source_branch: http://bzr.squid-cache.org/bzr/squid3/3.3 # base_revision_id: squid3@treenet.co.nz-20121202072740-\ # u3655eueyi40yorw # # Begin patch === modified file 'ChangeLog' --- ChangeLog 2012-10-20 10:41:31 +0000 +++ ChangeLog 2012-12-02 08:29:50 +0000 @@ -1,3 +1,9 @@ +Changes to squid-3.3.0.2 (03 Dec 2012): + + - Support matching empty header field values using req_header and rep_header + - ... and some minor code polish and input vaidations + - ... and all changes from squid 3.2.4 + Changes to squid-3.3.0.1 (21 Oct 2012): - Bug 3610: Add peername_regex ACL @@ -17,6 +23,18 @@ - ... and many compile error fixes - ... and a very large amount of code polish for faster compilation +Changes to squid-3.2.4 (03 Dec 2012): + + - Ported: urllogin ACL from squid 2.7 + - Bug 3688: Lots of Orphan Comm:Connections to ICAP server + - Bug 3677: Port un-pinning logic changes from squid 3.3 + - Bug 3405: ssl_crtd crashes failing to remove certificate + - ... and major bugs fixed in squid 3.1.22 + - Fix accept_filter on Linux + - Remove 'Bungled' warning on missing component directives + - ... and many buffer and memory leak issues in the bundled helpers + - ... and a small amount of code polishing + Changes to squid-3.2.3 (21 Oct 2012): - Regression: SMP crashes on startup with workers > 1 
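Review bot: typo in the new 3.3.0.2 ChangeLog entry, `- ... and some minor code polish and input vaidations` should read `input validations`. ChangeLog lines are copied into the release announcement, so fix it before the tag is cut. The entry is also the only one that does not name what was validated; if these are the header-value input checks implied by the `req_header`/`rep_header` line above it, say so, since "input validations" in a proxy ChangeLog is what packagers scan for when triaging security-relevant fixes.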
@@ -454,6 +472,14 @@ - ... and a great many testing improvements - ... and many documentation updates +Changes to squid-3.1.22 (03 Dec 2012): + + - Bug 3685: Squid hangs in Delay Pools ClassCBucket::update + - Bug 3659: read_timeout problem with HTTPS + - Bug 3654: Fix IPv6 enabled squidclient + - Bug 3189: AIO thread race on pipe() initialization + - cachemgr.cgi: Memory Leaks and DoS Vulnerability + Changes to squid-3.1.21 (23 Sep 2012): - Bug 3622: peerClearRRStart scheduling multiple events === modified file 'configure.ac' --- configure.ac 2012-10-20 10:49:13 +0000 +++ configure.ac 2012-12-02 08:29:50 +0000 @@ -1,4 +1,4 @@ -AC_INIT([Squid Web Proxy],[3.3.0.1-BZR],[http://www.squid-cache.org/bugs/],[squid]) +AC_INIT([Squid Web Proxy],[3.3.0.2-BZR],[http://www.squid-cache.org/bugs/],[squid]) AC_PREREQ(2.61) AC_CONFIG_HEADERS([include/autoconf.h]) AC_CONFIG_AUX_DIR(cfgaux) === modified file 'doc/release-notes/release-3.1.sgml' --- doc/release-notes/release-3.1.sgml 2012-09-23 09:14:53 +0000 +++ doc/release-notes/release-3.1.sgml 2012-12-02 08:29:50 +0000 @@ -1,6 +1,6 @@
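Review bot: the new squid-3.1.22 entry `- cachemgr.cgi: Memory Leaks and DoS Vulnerability` is the only item in this hunk without a Bug number, and it is the one line describing a security fix. Add the bug or advisory reference next to it, as done for `Bug 3685` and the others, so distributions can map the fix to their tracking; it is otherwise only reachable from the 3.2.4 list through the generic `... and major bugs fixed in squid 3.1.22` line.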
-Squid 3.1.21 release notes +Squid 3.1.22 release notes Squid Developers @@ -13,7 +13,7 @@ Notice

-The Squid Team are pleased to announce the release of Squid-3.1.21 +The Squid Team are pleased to announce the release of Squid-3.1.22 This new release is available for download from or the . === modified file 'doc/release-notes/release-3.2.sgml' --- doc/release-notes/release-3.2.sgml 2012-11-10 03:57:44 +0000 +++ doc/release-notes/release-3.2.sgml 2012-12-02 08:29:50 +0000 @@ -1,6 +1,6 @@

-Squid 3.2.3 release notes +Squid 3.2.4 release notes Squid Developers @@ -13,7 +13,7 @@ Notice

-The Squid Team are pleased to announce the release of Squid-3.2.3 for testing. +The Squid Team are pleased to announce the release of Squid-3.2.4 for testing. This new release is available for download from or the . @@ -412,9 +412,10 @@

The cache manager is available under the path prefix /squid-internal-mgr/. For example the URL http://example/com/squid-internal-mgr/menu will bring up the manager menu. This means there are some configuration changes required to lock down manager access. - The manager ACL needs changing to: + The manager ACL needs changing. A built-in definition is now used, equivalent + to the following regex pattern: - acl manager url_regex -i ^cache_object:// ^https?://[^/]+/squid-internal-mgr/ + ^(cache_object://|https?://[^/]+/squid-internal-mgr/)

The manager prefix /squid-internal-mgr/ with no action attempts to load an optional @@ -423,6 +424,13 @@ cache manager applications as their front page embedding all scripts, accessors or redirects required for their initial GUI display. +
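Review bot: the replaced example `acl manager url_regex -i ^cache_object:// ^https?://[^/]+/squid-internal-mgr/` was case-insensitive (`-i`), but the new text only shows the pattern `^(cache_object://|https?://[^/]+/squid-internal-mgr/)` and does not say whether the built-in `manager` ACL matches case-insensitively. State it explicitly: whether `/Squid-Internal-Mgr/` matches the manager ACL is exactly what an admin writing `http_access deny manager` rules needs to know, and a mismatch here is an access-control bypass, not a cosmetic issue. The paragraph still says "there are some configuration changes required to lock down manager access" but no longer contains any configuration; consider showing the resulting recommended `http_access` lines.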

MGR_INDEX file + + should contain a complete HTML page, with optional client-side scripting. + must not contain server-side scripting. + will have macro substitution performed on it using the same macros as used by the error page tempates. + +

Version 3.2 of the CGI cache manager tool now presents XHR scripted probes to detect proxies presenting these manager index pagess and provides direct HTTP/HTTPS web links to those managers. @@ -592,10 +600,12 @@
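Review bot: typo in the new MGR_INDEX list, `error page tempates` should be `templates`. The item `must not contain server-side scripting` would read better with the reason the surrounding text implies: the file is served as a page after macro substitution, so any server-side code in it would be delivered to the client as-is. Also `manager index pagess` in the unchanged context line is a pre-existing typo worth fixing while this paragraph is being edited.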

The localip/localport differ from earlier releases where they matched a mix of of an invalid IP and port 0, the client destination IP/port or the Squid listening IP/port. This definition is now consistent across all modes of traffic received by Squid. -

The manager ACL requires adjustment to cover new cache manager access: +

The manager ACL requires adjustment to cover new cache manager access. So it has now been + built-in as a predefined ACL name matching URLs equivalent to the following regular expression: - acl manager url_regex -i ^cache_object:// ^https?://[^/]+/squid-internal-mgr/ + ^(cache_object://|https?://[^/]+/squid-internal-mgr/) + squid.conf containing the old manager definition can expect to see ACL type collisions. auth_param

New options for Basic, Digest, NTLM, Negotiate children settings. === modified file 'doc/release-notes/release-3.3.html' --- doc/release-notes/release-3.3.html 2011-05-29 12:59:25 +0000 +++ doc/release-notes/release-3.3.html 2012-12-02 08:29:50 +0000 @@ -2,10 +2,10 @@ - Squid 3.3.0.0 release notes + Squid 3.3.0.2 release notes -
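Review bot: the new sentence `squid.conf containing the old manager definition can expect to see ACL type collisions` states a symptom but not the action; say that the old `acl manager url_regex ...` line must be removed from squid.conf now that `manager` is predefined, otherwise the reader is left guessing whether Squid refuses to start or just warns. This paragraph also now duplicates the manager-ACL explanation and regex added at lines 412-424 of the same file; have one point at the other rather than restating the pattern, so the two cannot drift apart. Minor: `a mix of of an invalid IP` in the context line has a doubled word.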

Squid 3.3.0.0 release notes

+

Squid 3.3.0.2 release notes

Squid Developers


@@ -24,7 +24,11 @@

2. Major new features since Squid-3.2

3. Changes to squid.conf since Squid-3.2

@@ -43,25 +47,16 @@
  • 4.3 Removed options

    -

    5. Options Removed since Squid-2

    - - -

    -

    6. Regressions since Squid-2.7

    - -
      -
    • 6.1 Missing squid.conf options available in Squid-2.7 -
    • 6.2 Missing ./configure options available in Squid-2.7 +

      5. Regressions since Squid-2.7

      + +

      1. Notice

      -

      The Squid Team are pleased to announce the release of Squid-3.3.0.0 for testing.

      +

      The Squid Team are pleased to announce the release of Squid-3.3.0.2 for testing.

      This new release is available for download from http://www.squid-cache.org/Versions/v3/3.3/ or the mirrors.

      @@ -87,15 +82,142 @@

      The most important of these new features are:

        -
      • +
      • SQL Database logging helper
      • +
      • Time-Quota session helper
      • +
      • SSL-Bump Server First
      • +
      • Server Certificate Mimic
      • +
      • Custom HTTP request headers

      Most user-facing changes are reflected in squid.conf (see below).

      -

      2.1 -

      - - +

      2.1 SQL Database logging helper +

      + +

      log_db_daemon - Database logging daemon for Squid

      + +

      This program writes Squid access.log entries to an SQL database. +Written in Perl it can utilize any database supported by the Perl +database abstraction layer.

      + +

      NOTE: Presently it only accepts the Squid native log format.

      + + +

      2.2 Time-Quota session helper +

      + +

      ext_time_quota_acl - Time quota external ACL helper.

      + +

      Allows an administrator to define time budgets (quota) for the +users of Squid to limit the time using Squid.

      + +

      This is useful for corporate lunch time allocations, wifi portal +pay-per-minute installations or for parental control of children.

      + +

      The administrator can define a time budget (e.g. 1 hour per day) +which is enforced through this helper using session estimations +of their browsing time. A 'pause' threshold is given in seconds +and defines the period between two requests to be treated as part +of the same session. Pauses shorter than this value will be +counted against the quota, longer ones ignored.

      + + +

      2.3 SSL-Bump Server First +

      + +

      Details at +http://wiki.squid-cache.org/Features/BumpSslServerFirst.

      + +

      When an intercepted connection is received, Squid first connects +to the server using SSL and receives the server certificate. +Squid then uses the host name inside the true server certificate +to generate a fake one and impersonates the server while still +using the already established secure connection to the server.

      + +

      Bumping server first is essentially required for handling +intercepted HTTPS connections but the same scheme should be used +for most HTTP CONNECT requests because it offers a few advantages +compared to the old bump-client-first approach:

      +

      +

        +
      • When Squid knows valid server certificate details, it can +generate its fake server certificate with those details. +With the bump-client-first scheme, all those details are lost. +In general, browsers do not care about those details but there +may be HTTP clients (or even human users) that require or could +benefit from knowing them. +
      • +
      • When a server sends a bad certificate, Squid may be able to +replicate that brokenness in its own fake certificate, giving +the HTTP client control whether to ignore the problem or +terminate the transaction. With bump-client-furst, it is +difficult to support similar dynamic, user-directed opt out; +Squid itself has to decide what to do when the server +certificate cannot be validated. +
      • +
      • When a server asks for a client certificate, Squid may be +able to ask the client and then forward the client certificate +to the server. Such client certificate handling may not be +possible with the bump-client-first scheme because it would +have to be done after the SSL handshake. +
      • +
      • Some clients (e.g., Rekonq browser v0.7.x) do not send host +names in CONNECT requests. Such clients require bump-server-first +even in forward proxying mode. Unfortunately, there are other +problems with fully supporting such clients (i.e., Squid does +not know whether the IP address in the CONNECT request is what +the user have typed into the address bar) so not all features +will work well for them until more specialized detection code +is added.
      • +
      +

      + +

      2.4 Server Certificate Mimic +

      + +

      Details at +http://wiki.squid-cache.org/Features/MimicSslServerCert.

      + +

      One of the SslBump features serious drawbacks is the loss of +information embedded in SSL server certificate. +This certificate mimic feature passes original SSL server +certificate information to the user. Allowing the user to +make an informed decision on whether to trust the server +certificate.

      + + +

      2.5 Custom HTTP request headers +

      + +

      The request_header_add option is added to insert +HTTP header fields to outgoing HTTP requests (i.e., +request headers sent by Squid to the next HTTP hop such as a +cache peer or an origin server). The option has no effect on +cache hit traffic or requests serviced by Squid and ICAP.

      + +

      WARNING: If a standard HTTP header name is used, Squid does not check whether +the new header conflicts with any existing headers or violates +HTTP rules. If the request to be modified already contains a +field with the same name, the old field is preserved but the +header field values are not merged.

      + +

      Field-value set can be either a token or a quoted string. If quoted +string format is used, then the surrounding quotes are removed +while escape sequences and %macros are processed.

      + +

      In theory, all of the logformat codes can be used as %macros. +However, unlike logging (which happens at the very end of +transaction lifetime), the transaction may not yet have enough +information to expand a macro when the new header value is needed. +And some information may already be available to Squid but not yet +committed where the macro expansion code can access it (please report +such instances!). The macro will be expanded into a single dash +('-') in such cases. Not all macros have been tested.

      + +

      One or more Squid ACLs may be specified to restrict header +injection to matching requests. As always in squid.conf, all +ACLs in an option ACL list must be satisfied for the insertion +to happen. The request_header_add option supports fast ACLs only.

      3. Changes to squid.conf since Squid-3.2
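Review bot: typos in the new 2.3 text, `bump-client-furst` should be `bump-client-first`, and `what the user have typed` should be `has typed`. On substance, 2.3 says bumping server first `should be used for most HTTP CONNECT requests` and 2.4 says the mimic feature lets the user `make an informed decision on whether to trust the server certificate`, yet neither section mentions the `ssl::certUntrusted`/`ssl::certSelfSigned` ACLs and the `sslproxy_cert_adapt` option introduced later in this same patch, which are the controls that decide whether a bad upstream certificate is mimicked or refused; a one-line cross-reference from 2.3/2.4 to section 3 would make the feature description actionable. In 2.5, the WARNING that Squid does not check a `request_header_add` value against HTTP rules, while `%macros` and escape sequences are processed in quoted values, deserves a note that the macros expand transaction data, some of it supplied by the client, so a header built from them carries client-influenced content to the next hop.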

      @@ -119,6 +241,15 @@

      +
      request_header_add
      +

      New directive to add custom headers on HTTP traffic sent to upstream servers.

      + +
      sslproxy_cert_sign
      +

      New option to determine how the client certificate sent to upstream servers is signed.

      + +
      sslproxy_cert_adapt
      +

      New option to adapt certain properties of outgoing SSL certificates generated for use when bumping SSL to an upstream server.

      +

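Review bot: the description of `sslproxy_cert_sign`, `how the client certificate sent to upstream servers is signed`, contradicts sections 2.3 and 2.4 of this same patch, where the generated certificate is the fake server certificate Squid presents to the client while impersonating the origin. The sibling entry `sslproxy_cert_adapt` describes those same generated certificates correctly as `outgoing SSL certificates generated for use when bumping`. Reword `sslproxy_cert_sign` to say it selects how Squid signs the generated (mimicked) server certificate; the choice of signer is what decides whether the client ends up with a trusted, untrusted or self-signed certificate, so this is the line admins will read when setting it.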
      @@ -128,16 +259,40 @@

      +
      acl
      +

      myport and myipACL types replaced with localport and localip respecitively. +To reflect that it matches the TCP connection details and not the squid.conf port. +This matters when dealing with interecepted traffic, where the Squid receiving port differs from the TCP connection IP:port. +Always use myportname type to match the squid.conf port details.

      +

      New default built-in ACLs for testing SSL certificate properties.

      +

      ssl::certHasExpired, +ssl::certNotYetValid, +ssl::certDomainMismatch, +ssl::certUntrusted, +ssl::certSelfSigned.

      + +
      logformat
      +

      New token %ssl::bump_mode to log the SSL-bump mode type performed on a request. +Logs values of: -, none, client-first, or server-first.

      +

      New token of %ssl::>cert_subject to log the Subject field of a SSL certficate received from the client.

      +

      New token of %ssl::>cert_issuer to log the Issuer field of a SSL certficate received from the client.

      + +
      ssl_bump
      +

      New action types none, client-first, server-first. The default is none.

      +

      Use of allow/deny is now deprecated and they should be removed as soon as possible. +To retain the exact same behaviour between 3.3 and older releases replace deny with none, +and allow with client-first. However an upgrade to server-first is the recommended.

      +

      NOTE: Mixing of allow/deny with the new action types is prohibited and will cause Squid to exit with a FATAL error.

      -

      3.3 Removed tags

      +

      There are no removed squid.conf tags in Squid-3.3.
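Review bot: several typos in the new text: `myport and myipACL types` is missing a space before `ACL`, `respecitively`, `interecepted`, `certficate` (twice), and `an upgrade to server-first is the recommended` should be `is recommended`. The `ssl_bump` entry first calls `allow`/`deny` merely `deprecated` and then says mixing them with the new actions causes `a FATAL error`; make explicit that a config using only allow/deny still loads (the text gives the none/client-first equivalents) and that only the mixed form is fatal, otherwise the two sentences read as contradictory. For the `acl` entry, the text says `myport`/`myip` were replaced by `localport`/`localip` but not whether the old names still parse; state whether they are aliases or now errors, since an ACL name that silently stops matching is an access-control problem.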

      @@ -164,6 +319,7 @@

      +

      There are no new ./configure options in Squid-3.3.

      @@ -173,6 +329,7 @@

      +

      There are no changed ./configure options in Squid-3.3.

      @@ -181,163 +338,24 @@

      - -
      -

      - - -

      5. Options Removed since Squid-2

      - -

      Some squid.conf and ./configure options which were available in Squid-2.6 and Squid-2.7 are made obsolete in Squid-3.3.

      - -

      5.1 Removed squid.conf options since Squid-2.7 -

      - -

      -

      -
      auth_param
      -

      blankpassword option for basic scheme removed.

      - -
      cache_peer
      -

      http11 Obsolete.

      - -
      external_acl_type
      -

      Format tag %{Header} replaced by %>{Header}

      -

      Format tag %{Header:member} replaced by %>{Header:member}

      - -
      header_access
      -

      Replaced by request_header_access and reply_header_access

      - -
      http_port
      -

      no-connection-auth replaced by connection-auth=[on|off]. Default is ON.

      -

      transparent option replaced by intercept

      -

      http11 obsolete.

      - -
      http_access2
      -

      Replaced by adapted_http_access

      - -
      httpd_accel_no_pmtu_disc
      -

      Replaced by http_port disable-pmtu-discovery= option

      - -
      incoming_rate
      -

      Obsolete.

      - -
      redirector_bypass
      -

      Replaced by url_rewrite_bypass

      - -
      server_http11
      -

      Obsolete.

      - -
      upgrade_http0.9
      -

      Obsolete.

      - -
      zph_local
      -

      Replaced by qos_flows local-hit=

      - -
      zph_mode
      -

      Obsolete.

      - -
      zph_option
      -

      Obsolete.

      - -
      zph_parent
      -

      Replaced by qos_flows parent-hit=

      - -
      zph_sibling
      -

      Replaced by qos_flows sibling-hit=

      - -
      -

      - -

      5.2 Removed squid.conf options since Squid-2.6 -

      - -

      -

      -
      cache_dir
      -

      read-only option replaced by no-store.

      - -
      -

      - -

      5.3 Removed ./configure options since Squid-2.7 -

      - -

      -

      -
      --enable-coss-aio-ops
      -

      Obsolete.

      - -
      --enable-devpoll
      -

      Replaced by automatic detection.

      - -
      --enable-dlmalloc=LIB
      -

      Obsolete.

      - -
      --enable-epoll
      -

      Replaced by automatic detection.

      - -
      --enable-forward-log
      -

      Obsolete.

      - -
      --enable-heap-replacement
      -

      Obsolete.

      - -
      --enable-htcp
      -

      Obsolete. Enabled by default.

      - -
      --enable-large-cache-files
      -

      Obsolete.

      - -
      --enable-mempool-debug
      -

      Obsolete.

      - -
      --enable-multicast-miss
      -

      Obsolete.

      - -
      --enable-poll
      -

      Replaced by automatic detection.

      - -
      --enable-select
      -

      Replaced by automatic detection.

      - -
      --enable-select-simple
      -

      Replaced by automatic detection.

      - -
      --enable-snmp
      -

      Obsolete. Enabled by default.

      - -
      --enable-truncate
      -

      Obsolete.

      - -
      --disable-kqueue
      -

      Obsolete. Disabled by default.

      - -
      -

      - - -

      6. Regressions since Squid-2.7

      +
      --enable-ntlm-fail-open
      +

      This has not been supported by Squid for several versions.

      + + +

      + + +

      5. Regressions since Squid-2.7

      Some squid.conf and ./configure options which were available in Squid-2.7 are not yet available in Squid-3.3

      If you need something to do then porting one of these from Squid-2 to Squid-3 is most welcome.

      -

      6.1 Missing squid.conf options available in Squid-2.7 +

      5.1 Missing squid.conf options available in Squid-2.7

      -
      acl
      -

      urllogin option not yet ported from 2.6

      -

      urlgroup option not yet ported from 2.6

      - -
      authenticate_ip_shortcircuit_access
      -

      Not yet ported from 2.7

      - -
      authenticate_ip_shortcircuit_ttl
      -

      Not yet ported from 2.7

      -
      broken_vary_encoding

      Not yet ported from 2.6
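Review bot: this hunk deletes the whole `Options Removed since Squid-2` section (header_access to request_header_access, http_access2 to adapted_http_access, zph_* to qos_flows, the --enable-* configure flags, and so on) with its 5.1-5.3 subsections, and adds only the new `--enable-ntlm-fail-open` entry under 4.3. That mapping is the migration guide for anyone coming from 2.7, and nothing in this patch says where it now lives; either keep it or add a pointer to wherever it was moved. Separately, the `acl` lines removed from the regressions list cover both `urllogin` and `urlgroup`, but the ChangeLog in this same patch only records `Ported: urllogin ACL from squid 2.7`; confirm urlgroup has actually been ported before dropping it, and note the 2.6 vs 2.7 mismatch between the removed line and the ChangeLog entry.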

      @@ -373,7 +391,6 @@
      http_port

      act-as-origin not yet ported from 2.7

      -

      urlgroup= not yet ported from 2.6

      ignore_ims_on_miss

      Not yet ported from 2.7

      @@ -390,9 +407,6 @@
      location_rewrite_program

      Not yet ported from 2.6

      -
      logformat
      -

      %oa tag not yet ported from 2.7

      -
      refresh_pattern

      stale-while-revalidate= not yet ported from 2.7

      ignore-stale-while-revalidate= not yet ported from 2.7

      @@ -416,19 +430,6 @@
      update_headers

      Not yet ported from 2.7

      -
      zero_buffers
      -

      Not yet ported from 2.7

      - -
      -

      - -

      6.2 Missing ./configure options available in Squid-2.7 -

      - -

      -

      -
      --without-system-md5
      -

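Review bot: dropping `zero_buffers` and the whole `6.2 Missing ./configure options` subsection (`--without-system-md5`) leaves the section intro, `Some squid.conf and ./configure options which were available in Squid-2.7 are not yet available in Squid-3.3`, still promising a ./configure list that no longer exists; trim the intro to squid.conf options, or keep the subsection with a note that it is empty. As with the other regression-list removals in this patch, there is no ChangeLog entry saying these were implemented.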
      === modified file 'doc/release-notes/release-3.3.sgml' --- doc/release-notes/release-3.3.sgml 2012-11-10 03:57:44 +0000 +++ doc/release-notes/release-3.3.sgml 2012-12-02 08:29:50 +0000 @@ -1,6 +1,6 @@
      -Squid 3.3.0.1 release notes +Squid 3.3.0.2 release notes Squid Developers @@ -13,7 +13,7 @@ Notice

      -The Squid Team are pleased to announce the release of Squid-3.3.0.1 for testing. +The Squid Team are pleased to announce the release of Squid-3.3.0.2 for testing. This new release is available for download from or the .