<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
 <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.16">
 <TITLE>Squid 2.5 release notes</TITLE>
</HEAD>
<BODY>
<H1>Squid 2.5 release notes</H1>

<H2>Squid Developers</H2>$Id: release-2.5.html,v 1.1.2.44 2005/02/23 00:26:20 hno Exp $
<HR>
<EM>This document contains the release notes for version 2.5 of Squid.
Squid is a WWW Cache application developed by the National Laboratory
for Applied Network Research and members of the Web Caching community.</EM>
<HR>
<H2><A NAME="s1">1. Key changes from squid 2.4:</A></H2>

<P>
<UL>
<LI>Major rewrite of proxy authentication to support other schemes
than basic. First in the line is NTLM support but others can
easily be added (minimal digest is present). See the Programmers
Guide for the internals.
Thanks to the SAMBA team for some excellent collaboration on the
NTLM support!
(Robert Collins &amp; Francesco Chemolli)</LI>
<LI>Optimized searching in proxy_auth and ident ACL types. Squid
should now handle large access lists a lot more efficiently.
(Francesco Chemolli)</LI>
<LI>Fixed forwarding/peer loop detection code (Brian Degenhardt) -
now a peer is ignored if it turns out to be us, rather than
committing suicide</LI>
<LI>Changed the internal URL code to obey appendDomain for
internal objects if it needs appending. This fixes weirdnesses
where a machine can think it is "foo.bar.com", and "foo" is
requested.
(Brian Degenhardt)</LI>
<LI>Added the use of Automake to create the Makefile.in's in the
squid source tree. This will allow libtool in the future, and
immediately allows better dependency tracking - with or 
without gcc - as well as the dist-all and distcheck targets
for developers which respectively build a tar.gz and a tar.bz2
distribution, and check that what will be distributed builds.
(Robert Collins)</LI>
<LI>Added TOS and source address selection based on ACLs,
written by Roger Venning. This allows administrators to set
the TOS precedence bits and/or the source IP from a set of
available IPs based upon some ACLs, generally to map different
users to different outgoing links and traffic profiles.</LI>
<LI>Added 'max-conn' option to 'cache_peer'</LI>
<LI>Added SSL gatewaying support, allowing Squid to act as a SSL
server in accelerator setups.</LI>
<LI>Many new authentication helpers.</LI>
<LI>no_cache now applies to cache hits as well as cache misses</LI>
<LI>the Gopher client in Squid has been significantly improved</LI>
<LI>Squid now sanity checks FTP data connections to ensure the
connection is from the requested server. Can be disabled if
needed by turning off the ftp_sanitycheck option.</LI>
<LI>external acl support. A mechanism where flexible ACL checks
can be driven by external helpers. See the external_acl_type
and acl external directives. (MARA Systems AB)</LI>
<LI>Countless other small things and fixes</LI>
<LI>HTML pages generated by Squid or CacheMgr as well as the
ERR documents now contain a doctype declaration so that
browsers know which HTML specification the document uses.
In addition to that they have a new look
(background-color, font) and are valid according to the HTML
standards at www.w3.org.
(Clemens Lser)</LI>
<LI>Login and password send to Basic auth helpers is now URL
escaped to allow for spaces and other "odd" characters in
logins and passwords</LI>
<LI>Proxy Authentication is no longer blindly forwarded to peer
caches if not used locally. If forwarding of proxy authentication
is desired then it must now be configured with the login=PASS
cache_peer option.</LI>
<LI>Responses with Vary: in the header are now cached by squid.
(Henrik Nordstrom).</LI>
<LI>Support for openBSD pf interface in interception mode.</LI>
<LI>It is now possible to send complex arguments to helpers
by quoting the arguments by " and/or \ </LI>
<LI>The directory structure has changed slightly. The squid binary
has been moved into sbin, errors and icons into share/, and the libexec
programs are now in libexec/ (was previously libexec/squid/). See
configure --help for instructions on how to move these around to
exacly where you want to have them in your system.</LI>
</UL>
</P>

<H2><A NAME="s2">2. Changes to squid.conf</A></H2>

<P>
<DL>
<DT><B>http_port</B><DD><P>Allows ip address specification.</P>
<DT><B>https_port</B><DD><P>This is an option for use with SSL acceleration - it determines where squid listens for SSL requests.</P>
<DT><B>ssl_unclean_shutdown</B><DD><P>This is used to handle some bugs in browsers that don't fully support SSL.</P>
<DT><B>tcp_incoming_address</B><DD><P>This has been removed - use the http_port line to specify ip address's.</P>
<DT><B>cache_peer</B><DD><P>login= has been extended to allow pass through authentication, fixed password authentication and maximum connection limits.</P>
<DT><B>hosts_file</B><DD><P>Directs squid to read in a set of name-address associations upon startup and reconfiguration.</P>
<DT><B>authenticate_program</B><DD>
<DT><B>authenticate_children</B><DD>
<DT><B>proxy_auth_realm</B><DD><P>Removed. See auth_param.</P>
<DT><B>auth_param</B><DD><P>This replaces the authenticate_program directive. It allows configuration of multiple authentication helpers, one for each of the supported authentication schemes. Such schemes include "NTLM", "Digest (from RFC 2617)", and "Basic".</P>
<DT><B>authenticate_cache_garbage_interval</B><DD><P>This directive sets the garbage collection interval for the authentication cache.</P>
<DT><B>external_acl_type</B><DD><P>This directive configures the new external ACL Helper interface. VERY useful for authenticating by group membership - i.e. from an LDAP server or NT domain.</P>
<DT><B>request_body_max_size</B><DD><P>The default for this is now 0 - unlimited.</P>
<DT><B>reply_body_max_size</B><DD><P>Now multiple size limits are allowed based on ACL lists.</P>
<DT><B>refresh_pattern</B><DD><P>The default is now blank - users must uncomment the suggested default to use it. This allows the use of a blank refresh pattern if desired.</P>
<DT><B>request_timeout</B><DD><P>Raised the default to 5 minutes.</P>
<DT><B>persistent_request_timeout</B><DD><P>New directive - how long to wait after a reply is completed before closing the connection.</P>
<DT><B>acl</B><DD><P>New acl types
<UL>
<LI>referer_regex (match Referer headers),</LI>
<LI>max_user_ip (limit concurrent IP's a single user may use)</LI>
<LI>rep_mime_type (filter replies based on their content type).</LI>
<LI>external (use an external helper)</LI>
</UL>
</P>
<DT><B>http_reply_access</B><DD><P>Limit HTTP replies based on ACL's. This is complementary to http_access.</P>
<DT><B>tcp_outgoing_tos</B><DD>
<DT><B>tcp_outgoing_ds</B><DD>
<DT><B>tcp_outgoing_dscp</B><DD><P>These three directives allow marking of outbound connections at the IP level - i.e. for choosing routes based on the usercode.</P>
<DT><B>tcp_outgoing_address</B><DD><P>Allows mapping of requests onto specific outbound IP address's.</P>
<DT><B>anonymize_headers</B><DD><P>Removed. See header_access.</P>
<DT><B>header_access</B><DD><P>Allow granular filtering of HTTP headers.</P>
<DT><B>header_replace</B><DD><P>Replace specific headers with custom values.</P>
<DT><B>pipeline_prefetch</B><DD><P>Now defaults to off for bandwidth management and access logging reasons.</P>
<DT><B>vary_ignore_expire</B><DD><P>Enables a workaround for web servers that immediately expire Varied objects because they think squid is unable to handle Vary:.</P>
<DT><B>sleep_after_fork</B><DD><P>Give the OS a small amount of time to accomodate the fork+exec used to launch helpers - if squid has a lot of virtual memory allocated the OS may run out of virtual memory during helper spawning otherwise.</P>
<DT><B>reference_age</B><DD><P>This has been removed - starting with Squid-2.4 this directive have had no effect and has now been fully removed to avoid confusion.</P>
<DT><B>siteselect_timeout</B><DD><P>This has been removed - it is not referenced anywhere in the source code.</P>
<DT><B>minimum_retry_timeout</B><DD><P>This has been removed - it is not referenced anywhere in the source code.</P>
<DT><B>forward_timeout</B><DD><P>New directive in 2.5.STABLE5 complement connect_timeout in
management of timeouts while connecting to origin servers or peers</P>
<DT><B>short_icon_urls</B><DD><P>New directive in 2.5.STABLE5 to enable an alternative way of referring to icons in FTP directory listings etc.</P>
<DT><B>acl urllogin</B><DD><P>New acl type in 2.5.STABLE5 to match the login component of Internet style URLs (protocol://user:password@host/path/to/file)</P>
<DT><B>balance_on_multiple_ip</B><DD><P>New directive in 2.5.STABLE7 to make it possible to disable the automatic round-robin load balancing on multiple IP addresses normally done by Squid.</P>
<DT><B>reply_header_max_size</B><DD><P>New directive in 2.5.STABLE7 limiting the size of HTTP reply headers, similar to request_header_max_size but in the reply direction (from servers to clients). Default is 20KB.</P>
<DT><B>acl req_hdr/resp_hdr</B><DD><P>New acl types in 2.5.STABLE7 to match arbitrary HTTP headers, useful to block certain malware/spyware etc.</P>
<DT><B>relaxed_http_parser</B><DD><P>New directive in 2.5.STABLE8 to control how strict the HTTP parser should be.</P>
<DT><B>retry_on_error</B><DD><P>New directive in 2.5.STABLE9 to aggressive retry requests on errors (was the default in earlier versions)</P>
</DL>
</P>

<H2><A NAME="s3">3. Known issues and limitations</A></H2>

<P>There is a few known issues and limitations in this version of Squid which we hope to correct in a later release</P>
<P>
<DL>
<DT><B>Bug 
<A HREF="http://www.squid-cache.org/bugs/show_bug.cgi?id=761">#761</A></B><DD><P>assertion failed: cbdata.c:249: "c-&gt;locks &gt; 0" when using diskd</P>
<DT><B>Bug 
<A HREF="http://www.squid-cache.org/bugs/show_bug.cgi?id=1193">#1193</A></B><DD><P>Interception fails if intercepting multiple ports and Squid is not listening on the same ports</P>
<DT><B>Bug 
<A HREF="http://www.squid-cache.org/bugs/show_bug.cgi?id=1094">#1094</A></B><DD><P>cachemgr.cgi should have a built-in access control layer to prevent malicious use</P>
<DT><B>Bug 
<A HREF="http://www.squid-cache.org/bugs/show_bug.cgi?id=649">#649</A></B><DD><P>Problems refreshing pages stored with 'vary' information</P>
<DT><B>Bug 
<A HREF="http://www.squid-cache.org/bugs/show_bug.cgi?id=779">#779</A></B><DD><P>users going above their allowed IP count no longer logged in cache.log</P>
<DT><B>Bug 
<A HREF="http://www.squid-cache.org/bugs/show_bug.cgi?id=1204">#1204</A></B><DD><P>FTP listings uses "BASE HREF" much more than it needs to</P>
<DT><B>Bug 
<A HREF="http://www.squid-cache.org/bugs/show_bug.cgi?id=888">#888</A></B><DD><P>ntlm_user_pool assertion error on shutdown</P>
<DT><B>Bug 
<A HREF="http://www.squid-cache.org/bugs/show_bug.cgi?id=1223">#1223</A></B><DD><P>Authentication could be more informative on why a login failed</P>
<DT><B>Bug 
<A HREF="http://www.squid-cache.org/bugs/show_bug.cgi?id=1227">#1227</A></B><DD><P>Syslog facility should not be hardcoded to "local4"</P>
</DL>
</P>


<P>In addition there is a set of limitations in this version of Squid which we hope to correct later</P>
<P>
<DL>
<DT><B>Bug 
<A HREF="http://www.squid-cache.org/bugs/show_bug.cgi?id=1059">#1059</A></B><DD><P>mime.conf and referenced icons must be within chroot</P>
<DT><B>Bug 
<A HREF="http://www.squid-cache.org/bugs/show_bug.cgi?id=1033">#1033</A></B><DD><P>CARP ignores cache_peer_access and cache_peer_domain</P>
<DT><B>Bug 
<A HREF="http://www.squid-cache.org/bugs/show_bug.cgi?id=692">#692</A></B><DD><P>tcp_outgoing_address using an ident ACL does not work</P>
<DT><B>Bug 
<A HREF="http://www.squid-cache.org/bugs/show_bug.cgi?id=581">#581</A></B><DD><P>acl max_user_ip and multiple authentication schemes</P>
<DT><B>Bug 
<A HREF="http://www.squid-cache.org/bugs/show_bug.cgi?id=528">#528</A></B><DD><P>miss_access fails on "slow" acl types such as dst.</P>
<DT><B>Bug 
<A HREF="http://www.squid-cache.org/bugs/show_bug.cgi?id=513">#513</A></B><DD><P>squid -F is starting server sockets to early</P>
<DT><B>Bug 
<A HREF="http://www.squid-cache.org/bugs/show_bug.cgi?id=518">#518</A></B><DD><P>wb_auth fails on TRU64 and probably other 64 bit platforms</P>
<DT><B>Bug 
<A HREF="http://www.squid-cache.org/bugs/show_bug.cgi?id=500">#500</A></B><DD><P>delay_pools stops working on -k reconfigure</P>
<DT><B>Bug 
<A HREF="http://www.squid-cache.org/bugs/show_bug.cgi?id=457">#457</A></B><DD><P>does not handle swap.state corruption properly</P>
<DT><B>Bug 
<A HREF="http://www.squid-cache.org/bugs/show_bug.cgi?id=410">#410</A></B><DD><P>unstable if runs out of disk space</P>
<DT><B>Bug 
<A HREF="http://www.squid-cache.org/bugs/show_bug.cgi?id=355">#355</A></B><DD><P>diskd may appear slow on low loads</P>
</DL>
</P>

<H2><A NAME="s4">4. Key changes squid-2.5.STABLE1 to 2.5.STABLE2:</A></H2>

<P>
<UL>
<LI>authentication now works in most access directives if
first enforced in http_access</LI>
<LI>contrib files included in the distribution again</LI>
<LI>aufs bugfixes to address both stability and data
corruption issues, and some aufs performance improvements.</LI>
<LI>now possible to specify acl values with spaces in them
via the "include file" technique</LI>
<LI>winbind helpers updated to match Samba-2.2.7a and should
work with Samba-2.2.6 or later (required). For compability with
older Samba versions A new configure option --with-samba-sources=...
has been added to allow you to specify which Samba version the
helpers should be built for if different than the above versions.</LI>
<LI>squid_ldap_group updated to correctly handle LDAP groups</LI>
<LI>new experimental configure option --disable-hostname-checks to make Squid not validate that received hostnames are valid for use within HTTP. Required to participate in testbeds for international domain names etc.</LI>
<LI>several assertion or segmentation faults corrected</LI>
<LI>a large number of minor bugfixes. See the list of 
<A HREF="http://www.squid-cache.org/Versions/v2/2.5/bugs/#STABLE1">squid-2.5.STABLE1 patches</A> and the 
<A HREF="ChangeLog">ChangeLog</A> file for details.</LI>
</UL>
</P>

<H2><A NAME="s5">5. Key changes squid-2.5.STABLE2 to 2.5.STABLE3:</A></H2>

<P>
<UL>
<LI>a large number of minor bug fixes. See the list of 
<A HREF="http://www.squid-cache.org/Versions/v2/2.5/bugs/#STABLE2">squid-2.5.STABLE2 patches</A> and the 
<A HREF="ChangeLog">ChangeLog</A> file for details.</LI>
</UL>
</P>

<H2><A NAME="s6">6. Key changes squid-2.5.STABLE3 to 2.5.STABLE4:</A></H2>

<P>
<UL>
<LI>several memory leaks corrected</LI>
<LI>segmentation fault if more than one deny_info corrected</LI>
<LI>Lithuanian error messages added</LI>
<LI>a crash related to ftpTimeout: timeout in SENT_PASV state corrected</LI>
<LI>http_reply_access deny now logs the request with
TCP_DENIED to allow them to be accounted for properly in statistics</LI>
<LI>minimum_retry_timeout configuration directive removed. If
you have this directive in your existing squid.conf you will
need to remove the line. </LI>
<LI>Improvements to the (experimental) COSS storage scheme.</LI>
<LI>Updates to allow Squid to be compiled with GCC-3.3</LI>
<LI>POST now works well with NTLM and Digest authentication</LI>
<LI>http_header_access now works in combination with cache_peer</LI>
<LI>Most Squid generated errors are now logged as TCP_DENIED/XXX
rather than TCP_MISS/XXX or NONE/XXX. This to work around issues
relating to access controls.</LI>
<LI>external_acl_type concurrency= option renamed to children=
to prepare for Squid-3 upgrade. The old syntax is still accepted
but you may want to upgrade your configuration now to save you
from the trouble when upgrading to Squid-3 later.</LI>
<LI>a large number of minor bugfixes. See the list of 
<A HREF="http://www.squid-cache.org/Versions/v2/2.5/bugs/#STABLE3">squid-2.5.STABLE3 patches</A> and the 
<A HREF="ChangeLog">ChangeLog</A> file for details.</LI>
</UL>
</P>

<H2><A NAME="s7">7. Key changes squid-2.5.STABLE4 to 2.5.STABLE5:</A></H2>

<P>
<UL>
<LI>redirector interface modified to try to deal with login names
containing spaces or other odd characters. This is accomplished
by URL-encoding the login name before sent to redirectors. Note:
Existing redirectors or their configuration may need to be slightly
modified in how they process the ident column to support the new
username format (only applies to redirectors looking into the username)</LI>
<LI>new forward_timeout option to complement connect_timeout in
management of timeouts while connecting to origin servers or peers</LI>
<LI>various timeouts adjusted: connect_timeout 1 minute (was 2 minutes
which is now forward_timeout), negative_dns_ttl 1 minute (was 5 minutes)
and is now also used as minimum positive dns ttl, dns_timeout 2 minutes
(was 5 minutes)</LI>
<LI>"short_icon_urls on" can be used to simplify the URLs used for
icons etc to avoid issues with proxy host naming and authentication
when requesting icons.</LI>
<LI>A new "urllogin" ACL type has been introducing allowing regex
matches to the "login" component of Internet style URLs
(protocol://user:password@host/path/to/file).</LI>
<LI>Squid now respects the Telnet protocol on connections to FTP
servers. The ftp_telnet_protocol directice can be used to revert back
to the old incorrect implementation.</LI>
<LI>Several NTLM related bugfixes and improvements fixing the problem
of random auth popups and account lockouts. Support for the NEGOTIATE
NTLM packet is also added to allow Samba-3.0.2 or later to negotiate the
use of NTLMv2.</LI>
<LI>Several authentication related bugfixes to allow authentication
to work in additional acl driven directives, correct an number
of assertion or segmentation and some memory leaks.</LI>
<LI>The default mime.conf has been updated with many new mime types
and a few minor corrections. In addition the download and view links
is used more frequently to allow view/download of different ftp://
contents regardless of their mime type assignment.</LI>
<LI>url_regex enhanced to allow matching of %00</LI>
<LI>a large number of minor and cosmetic bugfixes. See the list of 
<A HREF="http://www.squid-cache.org/Versions/v2/2.5/bugs/#STABLE4">squid-2.5.STABLE4 patches</A> and the 
<A HREF="ChangeLog">ChangeLog</A> file for details.</LI>
</UL>
</P>

<H2><A NAME="s8">8. Key changes squid-2.5.STABLE5 to 2.5.STABLE6:</A></H2>

<P>
<UL>
<LI>Several "Assertion error" bugs fixed</LI>
<LI>Several "Segmentation fault" bugs fixes</LI>
<LI>Corrects a security issue in the old ntlm_auth NTLM helper
used in transparent NTLM authentication to a NT domain without
using samba.</LI>
<LI>Processing of Vary: * and Vary on error messages corrected</LI>
<LI>a large number of minor and cosmetic bugfixes. See the list of 
<A HREF="http://www.squid-cache.org/Versions/v2/2.5/bugs/#STABLE5">squid-2.5.STABLE5 patches</A> and the 
<A HREF="ChangeLog">ChangeLog</A> file for details.</LI>
</UL>
</P>

<H2><A NAME="s9">9. Key changes squid-2.5.STABLE6 to 2.5.STABLE7:</A></H2>

<P>
<UL>
<LI>SNMP related Denial of Service issue corrected (CAN-2004-0918)</LI>
<LI>NTLM related bugfix noticed by the Samba group</LI>
<LI>UFS cache_dir bugfix to issue introduced in STABLE6 causing
no objects to get cached in some configurations.</LI>
<LI>cache_effective_user now sets supplementary group list
if cache_effective_group not set</LI>
<LI>cache_effective_group now used if specified even if not started
as root. If you do not start Squid as root you may need to remove this
directive from your squid.conf if not set correctly.</LI>
<LI>request_header_max_size directive corrected. You may need to increase
this value after upgrading if set very low. The default have been increased
from 10 KB to 20 KB which should be sufficient for most uses.</LI>
<LI>reply_header_max_size directive added</LI>
<LI>http_header_access &amp; replace now support arbitrary headers,
not only the well known headers known by Squid</LI>
<LI>new acl types req_hdr and resp_hdr to match arbitrary HTTP headers,
useful to block certain malware/spyware etc.</LI>
<LI>new balance_on_multiple_ip squid.conf directive</LI>
<LI>a number of other minor and cosmetic bugfixes. See the list of 
<A HREF="http://www.squid-cache.org/Versions/v2/2.5/bugs/#STABLE6">squid-2.5.STABLE6 patches</A> and the 
<A HREF="ChangeLog">ChangeLog</A> file for details.</LI>
</UL>
</P>

<H2><A NAME="s10">10. Key changes squid-2.5.STABLE7 to 2.5.STABLE8:</A></H2>

<P>
<UL>
<LI>Squid no longer closes all open filedescriptors. Previous Squid
versions have for increased security closed any open filedescriptors left
open by the process starting Squid, but this is not really our business
and causes problems for certain libraries opening internal filedescriptors
in some conditions (some SSL libraries, syslog, DNS resolver etc).</LI>
<LI>Configuration parser made more strict and consistent. Previously empty acl
declarations were ignored in http_access causing some unexpected results.
Now empty acl declarations are allowed (matching nothing) and http_access
requires all listed acls to be defined.</LI>
<LI>A minor information leak in error messages due to malformed host
names corrected</LI>
<LI>Several HTTP security fixes to prevent cache pollution attacks or theft
of user confidential information. New relaxed_http_parser directive to control
how strict the HTTP parser should be.</LI>
<LI>Buffer overflow fix in gopherToHTML.</LI>
<LI>Corrected a Segmentation fault on malformed WCCP packets.</LI>
<LI>squid_ldap_auth now sanity checks usernames</LI>
<LI>Corrected a Segmentation fault and other malfunctions on failed PUT/POST
requests.</LI>
<LI>Properly handle oversized reply headers</LI>
<LI>a number of other minor and cosmetic bugfixes. See the list of 
<A HREF="http://www.squid-cache.org/Versions/v2/2.5/bugs/#STABLE7">squid-2.5.STABLE7 patches</A> and the 
<A HREF="ChangeLog">ChangeLog</A> file for details.</LI>
</UL>
</P>

<H2><A NAME="s11">11. Key changes squid-2.5.STABLE8 to 2.5.STABLE9:</A></H2>

<P>
<UL>
<LI>DNS related assertion error</LI>
<LI>High characters allowed in FTP &amp; Gopher listings.</LI>
<LI>Additional workarounds for broken web servers rejected by 2.5.STABLE8.</LI>
<LI>No longer automatically retries requests on 403 Access Denied or
many other server errors. New squid.conf directive retry_on_error to revert
back to the old behaviour if needed.</LI>
<LI>a number of other minor and cosmetic bugfixes. See the list of 
<A HREF="http://www.squid-cache.org/Versions/v2/2.5/bugs/#STABLE8">squid-2.5.STABLE8 patches</A> and the 
<A HREF="ChangeLog">ChangeLog</A> file for details.</LI>
</UL>
</P>

</BODY>
</HTML>