Squid 7.0.0-VCS release notes

Squid 7.0.0-VCS release notes

Squid Developers

1. Notice

2. Major new features since Squid-6

3. Changes to squid.conf since Squid-6

4. Changes to ./configure options since Squid-6

5. Copyright

1. Notice

The Squid Team are pleased to announce the release of Squid-@PACKAGE_VERSION@ for testing.

This new release is available for download from http://www.squid-cache.org/Versions/v7/ or the mirrors.

While this release is not deemed ready for production use, we believe it is ready for wider testing by the community.

We welcome feedback and bug reports. If you find a bug, please see https://wiki.squid-cache.org/SquidFaq/BugReporting for how to submit a report with a stack trace.

1.1 Known issues

Although this release is deemed good enough for use in many setups, please note the existence of open bugs against Squid-7.

1.2 Changes since earlier releases of Squid-7

The Squid-7 change history can be viewed here.

2. Major new features since Squid-6

Squid-7 represents a new feature release above Squid-6.

The most important of these new features are:

Most user-facing changes are reflected in squid.conf (see further below).

2.1 Cache Manager changes

For more information about the Cache Manager feature, see wiki.

In order to reduce workload on the Squid development team we have chosen to stop providing several tools related to Cache Manager which have previously been bundled with Squid.

Removal of the squidclient tool.

Popular command-line tools such as curl or wget provide equivalent features.

Removal of the cachemgr.cgi tool.

Access to the Cache Manager API is available by sending HTTP(S) requests directly to Squid with the URL-path prefix /squid-internal-mgr/. A plethora of tools, such as curl, wget, or any web browser, can be used instead of cachemgr.cgi.

Removal of the cache_object: URI scheme.

This custom scheme does not conform to RFC 3986 URI sytax. It has been replaced with Cache Manager access through HTTP and HTTPS URLs.

Removal of non_peers Report

Squid still ignores unexpected ICP responses but no longer remembers the details that comprised the removed report. The senders of these ICP messages are still reported to cache.log at debugging level 1 (with an exponential backoff).

2.2 Removed purge tool

The purge tool (also known as squidpurge, and squid-purge) was limited to managing UFS/AUFS/DiskD caches and had problems parsing non-trivial squid.conf files.

The cache contents display and search it provided can be obtained with a script searching the cache manager objects report.

This tool used the custom PURGE HTTP method to remove cache objects. This can be performed directly on any Squid configured to allow the method. Like so: 

    acl PURGE method PURGE
    http_access allow localhost PURGE
Any HTTP client (such as curl) can then be used to evict objects from the cache, for example: 
    curl -XPURGE --proxy http://127.0.0.1:3128 http://url.to/evict/
Alternatively the HTCP CLR mechanism can be used.

2.3 Removed deprecated languages

Old Squid used full language name to refer to error page translations. These have been deprecated since addition of ISO-639 language codes and support for HTTP Accept-Language negotiation in Squid-3.x.

As of this release Squid will no longer provide the symlinks needed for seamless upgrade for squid.conf containing settings such as 

    error_directory English
All Squid installations are expected to already have them, or to convert to the ISO-639 equivalents. Existing symlinks are not affected.

See http://www.squid-cache.org/Versions/langpack/ for the latest list of official Squid translations.

See https://en.wikipedia.org/wiki/List_of_ISO_639_language_codes for the full ISO-639 list. HTTP uses the 2-letter (set 1) codes.

2.4 Removed Ident protocol support

Ident protocol (RFC 931 obsoleted by RFC 1413) has been considered seriously insecure and broken since at least 2009 when SANS issued an update recommending its removal from all networks. Squid Ident implementation had its own set of problems (that could not be addressed without significant code refactoring).

Configurations using ident/ident_regex ACLs, %ui logformat codes, %IDENT external_acl_type format code, or ident_lookup_access/ident_timeout directives are now rejected, leading to fatal startup failures.

To avoid inconveniencing admins that do not use Ident features, access logs with "common" and "combined" logformats now always receive a dash in the position of what used to be a %ui record field.

If necessary, an external ACL helper can be written to perform Ident transactions and deliver the user identity to Squid through the **user=** annotation.

3. Changes to squid.conf since Squid-6

This section gives an account of those changes in three categories:

3.1 New directives

No new directives in this version.

3.2 Changes to existing directives

acl

Changed src to detect and handle overlapping IP and IP-range values. Merging where necessary.

Changed dst to detect and handle overlapping IP and IP-range values. Merging where necessary.

Changed localip to detect and handle overlapping IP and IP-range values. Merging where necessary.

Changed ssl::server_name to detect and handle overlapping sub-domain and wildcard domains. Merging or ignoring where necessary.

Changed srcdomain to detect and handle overlapping sub-domain and wildcard domains. Merging or ignoring where necessary.

Changed dstdomain to detect and handle overlapping sub-domain and wildcard domains. Merging or ignoring where necessary.

Changed http_status to detect and handle overlapping status and status-range values. Merging where necessary.

Removed ident with Ident protocol support.

Removed ident_regex with Ident protocol support.

buffered_logs

Honor the off setting in 'udp' access_log module.

cachemgr_passwd

Removed the non_peers action. See the Cache Manager section for details.

dns_packet_max

Honor positive dns_packet_max values when sending DNS A queries and PTR queries containing IPv4 addresses. Prior to this change, Squid did not add EDNS extension (RFC 6891) to those DNS queries because 2010 tests revealed compatibility problems with some DNS resolvers. We hope that those problems are now sufficiently rare to enable this useful optimization for all DNS queries, as originally intended. Squid still sends EDNS extension with DNS AAAA queries and PTR queries containing IPv6 addresses (when dns_packet_max is set to a positive value). Rare deployments that must use buggy DNS resolvers should not set dns_packet_max.

access_log

Built-in common and combined logformats now always receive a dash character ("-") in the position of what used to be a %ui record field.

logformat

Removed %ui format code with Ident protocol support.

external_acl_type

Removed %IDENT format code with Ident protocol support.

3.3 Removed directives

esi_parser

Edge Side Includes (ESI) protocol is no longer supported natively.

mcast_miss_addr

The corresponding code has not built for many years, indicating that the feature is unused.

mcast_miss_ttl

The corresponding code has not built for many years, indicating that the feature is unused.

mcast_miss_port

The corresponding code has not built for many years, indicating that the feature is unused.

mcast_miss_encode_key

The corresponding code has not built for many years, indicating that the feature is unused.

ident_lookup_access

Ident protocol is no longer supported natively.

ident_timeout

Ident protocol is no longer supported natively.

4. Changes to ./configure options since Squid-6

This section gives an account of those changes in three categories:

4.1 New options

--without-gss

Renamed from --without-gnugss.

--without-psapi

Disable auto-detection of Windows PSAPI library.

--without-sasl

Disable auto-detection of Cyrus SASL (or compatible) library.

CPPFLAGS=-DINCOMING_FACTOR=

Control the listening sockets responsiveness with poll(2) and select(2). The higher the INCOMING_FACTOR, the slower the algorithm will respond to load spikes/increases/decreases in demand. A value between 3 and 8 is recommended. Default is 5.

4.2 Changes to existing options

No build options have changed behaviour in this version.

4.3 Removed options

--enable-cachemgr-hostname=

The cachemgr.cgi tool this option relates to has been removed.

--enable-esi

Edge Side Includes (ESI) protocol is no longer supported natively.

--without-expat

The ESI feature using libexpat has been removed.

--without-gnugss

Renamed to --without-gss.

--without-xml2

The ESI feature using libxml2 has been removed.

CPPFLAGS=-DHEADERS_LOG

The code enabled by this preprocessor macro has not built for many years, indicating that the feature is unused.

CPPFLAGS=-DMULTICAST_MISS_STREAM

The code enabled by this preprocessor macro has not built for many years, indicating that the feature is unused.

--disable-ident-lookups

The option was dropped during Ident protocol support removal.

4.4 Other changes

Adjusted configuration and format of ext_time_quota_acl helper debugging

The -l option that enables ext_time_quota_acl to log debug messages to a custom logfile has been removed, and their format has been changed to be in line with Squid's cache.log format.

5. Copyright

Copyright (C) 1996-2023 The Squid Software Foundation and contributors

Squid software is distributed under GPLv2+ license and includes contributions from numerous individuals and organizations. Please see the COPYING and CONTRIBUTORS files for details.

 

Introduction

Documentation

Support

Miscellaneous

Web Site Translations

Mirrors