Squid 2.5 release notes

There is a few known issues and limitations in this version of Squid which we hope to correct in a later release

In addition there is a set of limitations in this version of Squid which we hope to correct later

4. Key changes squid-2.5.STABLE1 to 2.5.STABLE2:

5. Key changes squid-2.5.STABLE2 to 2.5.STABLE3:

6. Key changes squid-2.5.STABLE3 to 2.5.STABLE4:

7. Key changes squid-2.5.STABLE4 to 2.5.STABLE5:

8. Key changes squid-2.5.STABLE5 to 2.5.STABLE6:

9. Key changes squid-2.5.STABLE6 to 2.5.STABLE7:

10. Key changes squid-2.5.STABLE7 to 2.5.STABLE8:

-Squid 2.5 release notes -Squid Developers -$Id: release-2.5.sgml,v 1.7.6.1 2005/02/10 02:40:07 hno Exp $ - - -This document contains the release notes for version 2.5 of Squid. -Squid is a WWW Cache application developed by the National Laboratory -for Applied Network Research and members of the Web Caching community. - - - - -Key changes from squid 2.4: -

- - Major rewrite of proxy authentication to support other schemes - than basic. First in the line is NTLM support but others can - easily be added (minimal digest is present). See the Programmers - Guide for the internals. - Thanks to the SAMBA team for some excellent collaboration on the - NTLM support! - (Robert Collins & Francesco Chemolli) - Optimized searching in proxy_auth and ident ACL types. Squid - should now handle large access lists a lot more efficiently. - (Francesco Chemolli) - Fixed forwarding/peer loop detection code (Brian Degenhardt) - - now a peer is ignored if it turns out to be us, rather than - committing suicide - Changed the internal URL code to obey appendDomain for - internal objects if it needs appending. This fixes weirdnesses - where a machine can think it is "foo.bar.com", and "foo" is - requested. - (Brian Degenhardt) - Added the use of Automake to create the Makefile.in's in the - squid source tree. This will allow libtool in the future, and - immediately allows better dependency tracking - with or - without gcc - as well as the dist-all and distcheck targets - for developers which respectively build a tar.gz and a tar.bz2 - distribution, and check that what will be distributed builds. - (Robert Collins) - Added TOS and source address selection based on ACLs, - written by Roger Venning. This allows administrators to set - the TOS precedence bits and/or the source IP from a set of - available IPs based upon some ACLs, generally to map different - users to different outgoing links and traffic profiles. - Added 'max-conn' option to 'cache_peer' - Added SSL gatewaying support, allowing Squid to act as a SSL - server in accelerator setups. - Many new authentication helpers. - no_cache now applies to cache hits as well as cache misses - the Gopher client in Squid has been significantly improved - Squid now sanity checks FTP data connections to ensure the - connection is from the requested server. Can be disabled if - needed by turning off the ftp_sanitycheck option. - external acl support. A mechanism where flexible ACL checks - can be driven by external helpers. See the external_acl_type - and acl external directives. (MARA Systems AB) - Countless other small things and fixes - HTML pages generated by Squid or CacheMgr as well as the - ERR documents now contain a doctype declaration so that - browsers know which HTML specification the document uses. - In addition to that they have a new look - (background-color, font) and are valid according to the HTML - standards at www.w3.org. - (Clemens L�ser) - Login and password send to Basic auth helpers is now URL - escaped to allow for spaces and other "odd" characters in - logins and passwords - Proxy Authentication is no longer blindly forwarded to peer - caches if not used locally. If forwarding of proxy authentication - is desired then it must now be configured with the login=PASS - cache_peer option. - Responses with Vary: in the header are now cached by squid. - (Henrik Nordstrom). - Support for openBSD pf interface in interception mode. - It is now possible to send complex arguments to helpers - by quoting the arguments by " and/or \ - The directory structure has changed slightly. The squid binary - has been moved into sbin, errors and icons into share/, and the libexec - programs are now in libexec/ (was previously libexec/squid/). See - configure --help for instructions on how to move these around to - exacly where you want to have them in your system. - - -Changes to squid.conf -

-http_portAllows ip address specification. -https_portThis is an option for use with SSL acceleration - it determines where squid listens for SSL requests. -ssl_unclean_shutdownThis is used to handle some bugs in browsers that don't fully support SSL. -tcp_incoming_addressThis has been removed - use the http_port line to specify ip address's. -cache_peerlogin= has been extended to allow pass through authentication, fixed password authentication and maximum connection limits. -hosts_fileDirects squid to read in a set of name-address associations upon startup and reconfiguration. -authenticate_program

authenticate_children

proxy_auth_realmRemoved. See auth_param. -auth_paramThis replaces the authenticate_program directive. It allows configuration of multiple authentication helpers, one for each of the supported authentication schemes. Such schemes include "NTLM", "Digest (from RFC 2617)", and "Basic". -authenticate_cache_garbage_intervalThis directive sets the garbage collection interval for the authentication cache. -external_acl_typeThis directive configures the new external ACL Helper interface. VERY useful for authenticating by group membership - i.e. from an LDAP server or NT domain. -request_body_max_sizeThe default for this is now 0 - unlimited. -reply_body_max_sizeNow multiple size limits are allowed based on ACL lists. -refresh_patternThe default is now blank - users must uncomment the suggested default to use it. This allows the use of a blank refresh pattern if desired. -request_timeoutRaised the default to 5 minutes. -persistent_request_timeout New directive - how long to wait after a reply is completed before closing the connection. -aclNew acl typesreferer_regex (match Referer headers), -max_user_ip (limit concurrent IP's a single user may use) -rep_mime_type (filter replies based on their content type). -external (use an external helper) -http_reply_accessLimit HTTP replies based on ACL's. This is complementary to http_access. -tcp_outgoing_tos

tcp_outgoing_ds

tcp_outgoing_dscpThese three directives allow marking of outbound connections at the IP level - i.e. for choosing routes based on the usercode. -tcp_outgoing_addressAllows mapping of requests onto specific outbound IP address's. -anonymize_headersRemoved. See header_access. -header_accessAllow granular filtering of HTTP headers. -header_replaceReplace specific headers with custom values. -pipeline_prefetchNow defaults to off for bandwidth management and access logging reasons. -vary_ignore_expireEnables a workaround for web servers that immediately expire Varied objects because they think squid is unable to handle Vary:. -sleep_after_forkGive the OS a small amount of time to accomodate the fork+exec used to launch helpers - if squid has a lot of virtual memory allocated the OS may run out of virtual memory during helper spawning otherwise. -reference_ageThis has been removed - starting with Squid-2.4 this directive have had no effect and has now been fully removed to avoid confusion. -siteselect_timeoutThis has been removed - it is not referenced anywhere in the source code. -minimum_retry_timeoutThis has been removed - it is not referenced anywhere in the source code. -forward_timeoutNew directive in 2.5.STABLE5 complement connect_timeout in -management of timeouts while connecting to origin servers or peers -short_icon_urlsNew directive in 2.5.STABLE5 to enable an alternative way of referring to icons in FTP directory listings etc. -acl urlloginNew acl type in 2.5.STABLE5 to match the login component of Internet style URLs (protocol://user:password@host/path/to/file) -balance_on_multiple_ipNew directive in 2.5.STABLE7 to make it possible to disable the automatic round-robin load balancing on multiple IP addresses normally done by Squid. -reply_header_max_sizeNew directive in 2.5.STABLE7 limiting the size of HTTP reply headers, similar to request_header_max_size but in the reply direction (from servers to clients). Default is 20KB. -acl req_hdr/resp_hdrNew acl types in 2.5.STABLE7 to match arbitrary HTTP headers, useful to block certain malware/spyware etc. -relaxed_http_parserNew directive in 2.5.STABLE8 to control how strict the HTTP parser should be. - - -Known issues and limitations - -

There is a few known issues and limitations in this version of Squid which we hope to correct in a later release - - -Bug assertion failed: cbdata.c:249: "c->locks > 0" when using diskd -Bug Interception fails if intercepting multiple ports and Squid is not listening on the same ports -Bug cachemgr.cgi should have a built-in access control layer to prevent malicious use -Bug Problems refreshing pages stored with 'vary' information -Bug users going above their allowed IP count no longer logged in cache.log -Bug FTP listings uses "BASE HREF" much more than it needs to - - - -

In addition there is a set of limitations in this version of Squid which we hope to correct later - - -Bug mime.conf and referenced icons must be within chroot -Bug CARP ignores cache_peer_access and cache_peer_domain -Bug tcp_outgoing_address using an ident ACL does not work -Bug acl max_user_ip and multiple authentication schemes -Bug miss_access fails on "slow" acl types such as dst. -Bug squid -F is starting server sockets to early -Bug wb_auth fails on TRU64 and probably other 64 bit platforms -Bug delay_pools stops working on -k reconfigure -Bug does not handle swap.state corruption properly -Bug unstable if runs out of disk space -Bug diskd may appear slow on low loads - - -Key changes squid-2.5.STABLE1 to 2.5.STABLE2: - -

- - authentication now works in most access directives if - first enforced in http_access - contrib files included in the distribution again - aufs bugfixes to address both stability and data - corruption issues, and some aufs performance improvements. - now possible to specify acl values with spaces in them - via the "include file" technique - winbind helpers updated to match Samba-2.2.7a and should - work with Samba-2.2.6 or later (required). For compability with - older Samba versions A new configure option --with-samba-sources=... - has been added to allow you to specify which Samba version the - helpers should be built for if different than the above versions. - squid_ldap_group updated to correctly handle LDAP groups - new experimental configure option --disable-hostname-checks to make Squid not validate that received hostnames are valid for use within HTTP. Required to participate in testbeds for international domain names etc. - several assertion or segmentation faults corrected - a large number of minor bugfixes. See the list of and the file for details. - - -Key changes squid-2.5.STABLE2 to 2.5.STABLE3: - -

- - a large number of minor bug fixes. See the list of and the file for details. - - -Key changes squid-2.5.STABLE3 to 2.5.STABLE4: - -

- - several memory leaks corrected - segmentation fault if more than one deny_info corrected - Lithuanian error messages added - a crash related to ftpTimeout: timeout in SENT_PASV state corrected - http_reply_access deny now logs the request with - TCP_DENIED to allow them to be accounted for properly in statistics - minimum_retry_timeout configuration directive removed. If - you have this directive in your existing squid.conf you will - need to remove the line. - Improvements to the (experimental) COSS storage scheme. - Updates to allow Squid to be compiled with GCC-3.3 - POST now works well with NTLM and Digest authentication - http_header_access now works in combination with cache_peer - Most Squid generated errors are now logged as TCP_DENIED/XXX - rather than TCP_MISS/XXX or NONE/XXX. This to work around issues - relating to access controls. - external_acl_type concurrency= option renamed to children= - to prepare for Squid-3 upgrade. The old syntax is still accepted - but you may want to upgrade your configuration now to save you - from the trouble when upgrading to Squid-3 later. - a large number of minor bugfixes. See the list of and the file for details. - - -Key changes squid-2.5.STABLE4 to 2.5.STABLE5: - -

- - redirector interface modified to try to deal with login names - containing spaces or other odd characters. This is accomplished - by URL-encoding the login name before sent to redirectors. Note: - Existing redirectors or their configuration may need to be slightly - modified in how they process the ident column to support the new - username format (only applies to redirectors looking into the username) - new forward_timeout option to complement connect_timeout in - management of timeouts while connecting to origin servers or peers - various timeouts adjusted: connect_timeout 1 minute (was 2 minutes - which is now forward_timeout), negative_dns_ttl 1 minute (was 5 minutes) - and is now also used as minimum positive dns ttl, dns_timeout 2 minutes - (was 5 minutes) - "short_icon_urls on" can be used to simplify the URLs used for - icons etc to avoid issues with proxy host naming and authentication - when requesting icons. - A new "urllogin" ACL type has been introducing allowing regex - matches to the "login" component of Internet style URLs - (protocol://user:password@host/path/to/file). - Squid now respects the Telnet protocol on connections to FTP - servers. The ftp_telnet_protocol directice can be used to revert back - to the old incorrect implementation. - Several NTLM related bugfixes and improvements fixing the problem - of random auth popups and account lockouts. Support for the NEGOTIATE - NTLM packet is also added to allow Samba-3.0.2 or later to negotiate the - use of NTLMv2. - Several authentication related bugfixes to allow authentication - to work in additional acl driven directives, correct an number - of assertion or segmentation and some memory leaks. - The default mime.conf has been updated with many new mime types - and a few minor corrections. In addition the download and view links - is used more frequently to allow view/download of different ftp:// - contents regardless of their mime type assignment. - url_regex enhanced to allow matching of %00 - a large number of minor and cosmetic bugfixes. See the list of and the file for details. - - -Key changes squid-2.5.STABLE5 to 2.5.STABLE6: - -

- - Several "Assertion error" bugs fixed - Several "Segmentation fault" bugs fixes - Corrects a security issue in the old ntlm_auth NTLM helper - used in transparent NTLM authentication to a NT domain without - using samba. - Processing of Vary: * and Vary on error messages corrected - a large number of minor and cosmetic bugfixes. See the list of and the file for details. - - -Key changes squid-2.5.STABLE6 to 2.5.STABLE7: - -

- - SNMP related Denial of Service issue corrected (CAN-2004-0918) - NTLM related bugfix noticed by the Samba group - UFS cache_dir bugfix to issue introduced in STABLE6 causing - no objects to get cached in some configurations. - cache_effective_user now sets supplementary group list - if cache_effective_group not set - cache_effective_group now used if specified even if not started - as root. If you do not start Squid as root you may need to remove this - directive from your squid.conf if not set correctly. - request_header_max_size directive corrected. You may need to increase - this value after upgrading if set very low. The default have been increased - from 10 KB to 20 KB which should be sufficient for most uses. - reply_header_max_size directive added - http_header_access & replace now support arbitrary headers, - not only the well known headers known by Squid - new acl types req_hdr and resp_hdr to match arbitrary HTTP headers, - useful to block certain malware/spyware etc. - new balance_on_multiple_ip squid.conf directive - a number of other minor and cosmetic bugfixes. See the list of and the file for details. - - -Key changes squid-2.5.STABLE7 to 2.5.STABLE8: - -

- - Squid no longer closes all open filedescriptors. Previous Squid - versions have for increased security closed any open filedescriptors left - open by the process starting Squid, but this is not really our business - and causes problems for certain libraries opening internal filedescriptors - in some conditions (some SSL libraries, syslog, DNS resolver etc). - Configuration parser made more strict and consistent. Previously empty acl - declarations were ignored in http_access causing some unexpected results. - Now empty acl declarations are allowed (matching nothing) and http_access - requires all listed acls to be defined. - A minor information leak in error messages due to malformed host - names corrected - Several HTTP security fixes to prevent cache pollution attacks or theft - of user confidential information. New relaxed_http_parser directive to control - how strict the HTTP parser should be. - Buffer overflow fix in gopherToHTML. - Corrected a Segmentation fault on malformed WCCP packets. - squid_ldap_auth now sanity checks usernames - Corrected a Segmentation fault and other malfunctions on failed PUT/POST - requests. - Properly handle oversized reply headers - a number of other minor and cosmetic bugfixes. See the list of and the file for details. - - -

Cache Host:
Cache Port:
Manager name:
Password:

Squid 2.5 release notes

Squid Developers

1. Key changes from squid 2.4:

2. Changes to squid.conf

3. Known issues and limitations