File: RELEASENOTES.html

package info (click to toggle)
squid 5.7-2%2Bdeb12u5
links: PTS, VCS
area: main
in suites: bookworm
size: 37,848 kB
sloc: cpp: 196,107; ansic: 20,277; makefile: 6,056; sh: 5,267; perl: 2,292; sql: 326; python: 248; awk: 142; sed: 1
file content (537 lines) | stat: -rw-r--r-- 19,785 bytes
parent folder | download | duplicates (2)
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
 <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.82">
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <TITLE>Squid 5.7 release notes</TITLE>
</HEAD>
<BODY>
<H1>Squid 5.7 release notes</H1>

<H2>Squid Developers</H2>
<HR>
<EM>This document contains the release notes for version 5 of Squid.
Squid is a WWW Cache application developed by the National Laboratory
for Applied Network Research and members of the Web Caching community.</EM>
<HR>
<P>
<H2><A NAME="toc1">1.</A> <A HREF="#s1">Notice</A></H2>

<UL>
<LI><A NAME="toc1.1">1.1</A> <A HREF="#ss1.1">Known issues</A>
<LI><A NAME="toc1.2">1.2</A> <A HREF="#ss1.2">Changes since earlier releases of Squid-5</A>
</UL>
<P>
<H2><A NAME="toc2">2.</A> <A HREF="#s2">Major new features since Squid-4</A></H2>

<UL>
<LI><A NAME="toc2.1">2.1</A> <A HREF="#ss2.1">ICAP Trailers</A>
<LI><A NAME="toc2.2">2.2</A> <A HREF="#ss2.2">Happy Eyeballs Update</A>
<LI><A NAME="toc2.3">2.3</A> <A HREF="#ss2.3">Kerberos Group Helper</A>
<LI><A NAME="toc2.4">2.4</A> <A HREF="#ss2.4">TrivialDB Support</A>
<LI><A NAME="toc2.5">2.5</A> <A HREF="#ss2.5">Loop Detection in Content Delivery Networks</A>
<LI><A NAME="toc2.6">2.6</A> <A HREF="#ss2.6">Peering support for SSL-Bump</A>
<LI><A NAME="toc2.7">2.7</A> <A HREF="#ss2.7">OpenSSL 3.0 Support</A>
</UL>
<P>
<H2><A NAME="toc3">3.</A> <A HREF="#s3">Changes to squid.conf since Squid-4</A></H2>

<UL>
<LI><A NAME="toc3.1">3.1</A> <A HREF="#ss3.1">New directives</A>
<LI><A NAME="toc3.2">3.2</A> <A HREF="#ss3.2">Changes to existing directives</A>
<LI><A NAME="toc3.3">3.3</A> <A HREF="#ss3.3">Removed directives</A>
</UL>
<P>
<H2><A NAME="toc4">4.</A> <A HREF="#s4">Changes to ./configure options since Squid-4</A></H2>

<UL>
<LI><A NAME="toc4.1">4.1</A> <A HREF="#ss4.1">New options</A>
<LI><A NAME="toc4.2">4.2</A> <A HREF="#ss4.2">Changes to existing options</A>
<LI><A NAME="toc4.3">4.3</A> <A HREF="#ss4.3">Removed options</A>
</UL>
<P>
<H2><A NAME="toc5">5.</A> <A HREF="#s5">Regressions since Squid-2.7</A></H2>

<UL>
<LI><A NAME="toc5.1">5.1</A> <A HREF="#ss5.1">Missing squid.conf options available in Squid-2.7</A>
</UL>
<P>
<H2><A NAME="toc6">6.</A> <A HREF="#s6">Copyright</A></H2>


<HR>
<H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2>

<P>The Squid Team are pleased to announce the release of Squid-5.7.</P>
<P>This new release is available for download from 
<A HREF="http://www.squid-cache.org/Versions/v5/">http://www.squid-cache.org/Versions/v5/</A> or the
<A HREF="http://www.squid-cache.org/Download/http-mirrors.html">mirrors</A>.</P>

<P>We welcome feedback and bug reports. If you find a bug, please see 
<A HREF="http://wiki.squid-cache.org/SquidFaq/BugReporting">http://wiki.squid-cache.org/SquidFaq/BugReporting</A>
for how to submit a report with a stack trace.</P>

<H2><A NAME="ss1.1">1.1</A> <A HREF="#toc1.1">Known issues</A>
</H2>

<P>Although this release is deemed good enough for use in many setups, please note the existence of 
<A HREF="http://bugs.squid-cache.org/buglist.cgi?query_format=advanced&amp;product=Squid&amp;bug_status=UNCONFIRMED&amp;bug_status=NEW&amp;bug_status=ASSIGNED&amp;bug_status=REOPENED&amp;version=5">open bugs against Squid-5</A>.</P>

<H2><A NAME="ss1.2">1.2</A> <A HREF="#toc1.2">Changes since earlier releases of Squid-5</A>
</H2>

<P>The Squid-5 change history can be 
<A HREF="http://www.squid-cache.org/Versions/v5/changesets/">viewed here</A>.</P>


<H2><A NAME="s2">2.</A> <A HREF="#toc2">Major new features since Squid-4</A></H2>

<P>Squid-5 represents a new feature release above Squid-4.</P>

<P>The most important of these new features are:
<UL>
<LI>ICAP Trailers</LI>
<LI>Happy Eyeballs Update</LI>
<LI>Kerberos Group Helper</LI>
<LI>TrivialDB Support</LI>
<LI>RFC 8586: Loop Detection in Content Delivery Networks</LI>
<LI>Peering support for SSL-Bump</LI>
<LI>OpenSSL 3.0 Support</LI>
</UL>
</P>
<P>Most user-facing changes are reflected in squid.conf (see below).</P>


<H2><A NAME="ss2.1">2.1</A> <A HREF="#toc2.1">ICAP Trailers</A>
</H2>

<P>Details in 
<A HREF="https://datatracker.ietf.org/doc/draft-rousskov-icap-trailers/">Draft: ICAP Trailers</A></P>

<P>The <EM>Trailers</EM> feature from HTTP is being proposed for addition to ICAP,
with some modifications.</P>

<P>This implementation complies with version -01 of that draft:
<UL>
<LI>Announces ICAP Trailer support via the ICAP Allow request header field.</LI>
<LI>Parses the ICAP response trailer if and only if the ICAP server signals
its presence by sending both Trailer header and Allow/trailers in the
ICAP response.</LI>
</UL>
</P>

<P>For now Squid logs and ignores all parsed ICAP header fields.</P>


<H2><A NAME="ss2.2">2.2</A> <A HREF="#toc2.2">Happy Eyeballs Update</A>
</H2>

<P>Squid now uses a received IP address as soon as it is needed for request
forwarding instead of waiting for all of the potential forwarding
destinations to be fully resolved (i.e. complete both IPv4 and IPv6 domain
name resolution) before beginning to forward the request.</P>

<P>Instead of obeying <EM>dns_v4_first</EM> settings, IP family usage order is
now primarily controlled by DNS response time: If a DNS AAAA response comes
first while Squid is waiting for an IP address, then Squid will use the
received IPv6 address(es) first. For previously cached IPs, Squid tries
IPv6 addresses first. To control IP address families used by Squid, admins
are expected to use firewalls, DNS recursive-resolver configuration, and/or
<EM>--disable-ipv6</EM>. When planning you configuration changes, please
keep in mind that the upcoming Happy Eyeballs improvements will favor
faster TCP connection establishment, decreasing the impact of DNS
resolution timing.</P>

<P>These Happy Eyeballs changes do not affect peer selection: Squid still does
not move on to the next selected destination until all IP addresses for the
previous destination have been received and tried.</P>

<P>The Cache Manager <EM>mgr:ipcache</EM> report no longer contains
"IPcache Entries In Use" but that info is now available as
"cbdata ipcache_entry" row on the <EM>mgr:mem</EM> page.</P>


<H2><A NAME="ss2.3">2.3</A> <A HREF="#toc2.3">Kerberos Group Helper</A>
</H2>

<P>This release adds a sample Kerberos group authentication external_acl helper
called <EM>ext_kerberos_sid_group_acl</EM>.
It uses <EM>ldapsearch</EM> from OpenLDAP to lookup the name of an AD group SID.</P>

<P>This helper must be used in with the <EM>negotiate_kerberos_auth</EM> helper in
a Microsft AD or Samba environment.</P>

<P>It reads from the standard input the domain username and a list of group SIDs
and tries to match the group SIDs to the AD group SIDs.</P>


<H2><A NAME="ss2.4">2.4</A> <A HREF="#toc2.4">TrivialDB Support</A>
</H2>

<P>This release deprecates use of BerkleyDB in favour of TrivialDB.</P>

<P>The BerkleyDB library code has been moved under a copyright licence which
causes problems for many OS distributors. The result of that is that most
are no longer providing the latest security supported libdb version.</P>

<P>TrivialDB by comparison has better OS support and security updates along
with functionality differences that resolve some long standing issues
libdb suffered with parallel concurrent access to the database.</P>

<P>The <EM>ext_session_acl</EM> and <EM>ext_time_quota_acl</EM> helpers may
now be built with either libdb or libtdb. Preferring libtdb if both are
enabled or auto-detected at build time. Use the <EM>--without-tdb</EM>
build option to retain BerkleyDB support.</P>

<P>Please note that the database formats are not guaranteed to be identical.
So when migrating it is recommended to erase the database file(s) and use
the helpers functionality to rebuild it as needed.</P>


<H2><A NAME="ss2.5">2.5</A> <A HREF="#toc2.5">Loop Detection in Content Delivery Networks</A>
</H2>

<P>Details in 
<A HREF="https://tools.ietf.org/html/rfc8586">RFC 8586</A></P>

<P>Squid now uses the CDN-Loop header as a source for loop detection.</P>

<P>This header is only relevant to CDN installations. For which the
<EM>surrogate_id</EM> configuration directive specifies the authoritative
ID.</P>

<P>Squid does not add this header by default, preferring to use the
Via mechanism instead. Administrators may add it to requests
with the <EM>request_header_add</EM> directive or remove with
<EM>request_header_remove</EM>.</P>


<H2><A NAME="ss2.6">2.6</A> <A HREF="#toc2.6">Peering support for SSL-Bump</A>
</H2>

<P>Squid now supports forwarding of bumped, re-encrypted HTTPS requests through
a <EM>cache_peer</EM> using a standard HTTP CONNECT tunnel.</P>

<P>No support for triggering client authentication when a <EM>cache_peer</EM>
configuration instructs the bumping Squid to relay authentication info
contained in client CONNECT request. The bumping Squid still responds
with HTTP 200 (Connection Established) to the client CONNECT request (to
see TLS client handshake) <EM>before</EM> selecting the cache_peer.</P>

<P>HTTPS cache_peers are not yet supported primarily because Squid cannot
yet do TLS-in-TLS.</P>


<H2><A NAME="ss2.7">2.7</A> <A HREF="#toc2.7">OpenSSL 3.0 Support</A>
</H2>

<P>Squid-5.7 adds OpenSSL 3.0 support.</P>

<P>This version of Squid does not add any of the new features provided by
OpenSSL 3.0. It only contains support for features already supported by prior
versions of Squid using new APIs provided by OpenSSL 3.0.</P>

<P>Notably the libssl custom Engine feature has been deprecated by OpenSSL 3.0
and new Providers replacement is not supported by this Squid.</P>

<P>OpenSSL 3.0 uses new licensing terms.</P>


<H2><A NAME="s3">3.</A> <A HREF="#toc3">Changes to squid.conf since Squid-4</A></H2>

<P>There have been changes to Squid's configuration file since Squid-4.</P>
<P>This section gives a thorough account of those changes in three categories:</P>
<P>
<UL>
<LI>
<A HREF="#newdirectives">New directives</A></LI>
<LI>
<A HREF="#modifieddirectives">Changes to existing directives</A></LI>
<LI>
<A HREF="#removeddirectives">Removed directives</A></LI>
</UL>
</P>


<H2><A NAME="newdirectives"></A> <A NAME="ss3.1">3.1</A> <A HREF="#toc3.1">New directives</A>
</H2>

<P>
<DL>
<DT><B>auth_schemes</B><DD>
<P>New access control to customize authentication schemes presence
and order in Squid generated HTTP 401 (Unauthorized) and 407
(Proxy Authentication Required) responses.</P>

<DT><B>collapsed_forwarding_access</B><DD>
<P>New access control to restrict collapsed forwarding to a subset of
eligible HTTP, ICP and HTCP requests.</P>

<DT><B>happy_eyeballs_connect_gap</B><DD>
<P>New directive to specify the minimum delay between opening spare
connections to any server.</P>

<DT><B>happy_eyeballs_connect_limit</B><DD>
<P>New directive to specify the maximum number of spare connections
to any server.</P>

<DT><B>happy_eyeballs_connect_timeout</B><DD>
<P>New directive to specify the minimum delay between opening a
primary to-server connection and opening a spare to-server
connection for the same transaction.</P>

<DT><B>http_upgrade_request_protocols</B><DD>
<P>New directive to control client-initiated and server-confirmed
switching from HTTP to another protocol using HTTP/1.1 Upgrade
mechanism.</P>

<DT><B>mark_client_connection</B><DD>
<P>New access control to apply a Netfilter CONNMARK value to a TCP client
connection.</P>

<DT><B>mark_client_packet</B><DD>
<P>New access control to apply a Netfilter MARK value to packets being
transmitted on a client TCP connection.</P>

<DT><B>response_delay_pool</B><DD>
<P>New access control to configure client response bandwidth limits.
This feature is a port and update of the class 6 / Client Delay Pools
feature planned for the abandoned <EM>Squid-2.8</EM> series.</P>

<DT><B>response_delay_pool_access</B><DD>
<P>New access control to determines whether a specific named response
delay pool is used for the HTTP transaction.</P>

<DT><B>shared_transient_entries_limit</B><DD>
<P>Replacement for <EM>collapsed_forwarding_shared_entries_limit</EM>.</P>

</DL>
</P>

<H2><A NAME="modifieddirectives"></A> <A NAME="ss3.2">3.2</A> <A HREF="#toc3.2">Changes to existing directives</A>
</H2>

<P>
<DL>
<DT><B>acl</B><DD>
<P>The <EM>CONNECT</EM> ACL definition is now built-in.</P>
<P>New <EM>annotate_client</EM> type to annotate a client TCP connection.
These annotations can be used by other ACLs, logs or helpers and
persist until the client TCP connection is closed.</P>
<P>New <EM>annotate_transaction</EM> type to annotate an HTTP transaction.
Annotations can be used by other ACLs or helpers and persist until
logging of the HTTP transaction is completed.</P>
<P>New value <EM>GeneratingCONNECT</EM> for the <EM>at_step</EM> type to
match when Squid is about to send a CONNECT request to a cache peer.</P>
<P>Replaced <EM>clientside_mark</EM> with <EM>client_connection_mark</EM>
type to match Netfilter CONNMARK of the client TCP connection.</P>

<DT><B>auth_param</B><DD>
<P>New <EM>reservation-timeout=</EM> option to allow NTLM and Negotiate
helpers to forget about clients with outstanding authentication
requests.</P>
<P>Added support for CP1251 charset conversion when <EM>utf8</EM> option
is configured.</P>

<DT><B>authenticate_cache_garbage_interval</B><DD>
<P>Now disabled when <EM>--disable-auth</EM> build parameter is used.</P>

<DT><B>authenticate_ttl</B><DD>
<P>Now disabled when <EM>--disable-auth</EM> build parameter is used.</P>

<DT><B>authenticate_ip_ttl</B><DD>
<P>Now disabled when <EM>--disable-auth</EM> build parameter is used.</P>

<DT><B>deny_info</B><DD>
<P>New code <EM>A</EM> to display Squid listening IP address the client
TCP connection was connected to.</P>

<DT><B>esi_parser</B><DD>
<P>Squid-4 removal of the custom parser introduced a bug which caused
the default ESI parser library to be unpredictable. Squid-5.5 release
restores the documented default of libxml2 as most preferred, with
libexpat as alternative.</P>

<DT><B>http_port</B><DD>
<P>New <EM>worker-queues</EM> option to have TCP stack maintain dedicated
listening queue for each worker in SMP.</P>

<DT><B>https_port</B><DD>
<P>New <EM>worker-queues</EM> option to have TCP stack maintain dedicated
listening queue for each worker in SMP.</P>
<P>New <EM>CONDITIONAL_AUTH</EM> flag for <EM>sslflags=</EM> option to
request client certificate(s) but not reject clients without any.</P>
<P>Squid-5.5 will no longer use <EM>tls-clientca=</EM> certificates
as possible intermediary CA for the server CA certificate chain when
OpenSSL library supports <EM>SSL_MODE_NO_AUTO_CHAIN</EM> mode.</P>

<DT><B>logformat</B><DD>
<P>New <EM>ssl::&lt;cert</EM> macro code to display received server X.509
certificate in PEM format.</P>
<P>New <EM>proxy_protocol::&gt;h</EM> code to display received PROXY
protocol version 2 TLV values.</P>
<P>New <EM>master_xaction</EM> code to display Squids internal
transaction ID.</P>
<P>New <EM>CF</EM> value for <EM>Ss</EM> code to indicate the response
was handled by Collapsed Forwarding.</P>
<P>New <EM>TLS/1.3</EM> value for <EM>ssl::&gt;negotiated_version</EM>
code to indicate the request was received from client using TLS/1.3.</P>
<P>New <EM>TLS/1.3</EM> value for <EM>ssl::&lt;negotiated_version</EM>
code to indicate the response was received from server using TLS/1.3.</P>
<P>Codes <EM>rm</EM>, <EM>&lt;rm</EM> and <EM>&gt;rm</EM> display "-"
instead of the made-up method NONE.</P>

<DT><B>ssl_engine</B><DD>
<P>OpenSSL 3.0 deprecates the Engine feature. This directive is
only supported when Squid is built for older OpenSSL versions.</P>

</DL>
</P>

<H2><A NAME="removeddirectives"></A> <A NAME="ss3.3">3.3</A> <A HREF="#toc3.3">Removed directives</A>
</H2>

<P>
<DL>
<DT><B>clientside_mark</B><DD>
<P>Replaced by <EM>mark_client_packet</EM>.</P>

<DT><B>collapsed_forwarding_shared_entries_limit</B><DD>
<P>Replaced by <EM>shared_transient_entries_limit</EM>.</P>

<DT><B>dns_v4_first</B><DD>
<P>Removed. The new "Happy Eyeballs" algorithm uses received IP
addresses as soon as they are needed.</P>
<P>Firewall rules prohibiting IPv6 TCP connections remain the preferred
configuration method for 'disabling' IPv6 connectivity, with DNS
recursive-resolver configuration also available.</P>

</DL>
</P>


<H2><A NAME="s4">4.</A> <A HREF="#toc4">Changes to ./configure options since Squid-4</A></H2>

<P>There have been some changes to Squid's build configuration since Squid-4.</P>
<P>This section gives an account of those changes in three categories:</P>
<P>
<UL>
<LI>
<A HREF="#newoptions">New options</A></LI>
<LI>
<A HREF="#modifiedoptions">Changes to existing options</A></LI>
<LI>
<A HREF="#removedoptions">Removed options</A></LI>
</UL>
</P>


<H2><A NAME="newoptions"></A> <A NAME="ss4.1">4.1</A> <A HREF="#toc4.1">New options</A>
</H2>

<P>
<DL>
<DT><B>--without-tdb</B><DD>
<P>New option to determine whether TrivialDB support is used, and
build against local custom installs.</P>
<P>Samba TrivialDB is now the preferred database used by the
<EM>ext_session_acl</EM> and <EM>ext_time_quota_acl</EM> helpers,
deprecating use of BerkleyDB.</P>

</DL>
</P>

<H2><A NAME="modifiedoptions"></A> <A NAME="ss4.2">4.2</A> <A HREF="#toc4.2">Changes to existing options</A>
</H2>

<P>
<DL>
<DT><B>--disable-optimizations</B><DD>
<P>No longer implies <EM>--disable-inline</EM> option (which is removed).</P>

<DT><B>--enable-external-acl-helpers</B><DD>
<P>New helper type <EM>kerberos_sid_group</EM> to match <EM>group=</EM>
annotations AD Domain group SID.</P>

</DL>
</P>
<H2><A NAME="removedoptions"></A> <A NAME="ss4.3">4.3</A> <A HREF="#toc4.3">Removed options</A>
</H2>

<P>
<DL>
<DT><B>--disable-inline</B><DD>
<P>Removed. Use compiler flags instead if necessary.</P>

<DT><B>-DUSE_CHUNKEDMEMPOOLS=1</B><DD>
<P>Removed compiler flag. Use run-time environment variable <EM>MEMPOOLS=1</EM>
to enable chunked memory pools instead.</P>

</DL>
</P>


<H2><A NAME="s5">5.</A> <A HREF="#toc5">Regressions since Squid-2.7</A></H2>

<P>Some squid.conf options which were available in Squid-2.7 are not yet available in Squid-5</P>

<P>If you need something to do then porting one of these from Squid-2 is most welcome.</P>

<H2><A NAME="ss5.1">5.1</A> <A HREF="#toc5.1">Missing squid.conf options available in Squid-2.7</A>
</H2>

<P>
<DL>
<DT><B>broken_vary_encoding</B><DD>
<P>Not yet ported from 2.6</P>

<DT><B>cache_peer</B><DD>
<P><EM>monitorinterval=</EM> not yet ported from 2.6</P>
<P><EM>monitorsize=</EM> not yet ported from 2.6</P>
<P><EM>monitortimeout=</EM> not yet ported from 2.6</P>
<P><EM>monitorurl=</EM> not yet ported from 2.6</P>

<DT><B>cache_vary</B><DD>
<P>Not yet ported from 2.6</P>

<DT><B>error_map</B><DD>
<P>Not yet ported from 2.6</P>

<DT><B>external_refresh_check</B><DD>
<P>Not yet ported from 2.7</P>

<DT><B>location_rewrite_access</B><DD>
<P>Not yet ported from 2.6</P>

<DT><B>location_rewrite_children</B><DD>
<P>Not yet ported from 2.6</P>

<DT><B>location_rewrite_concurrency</B><DD>
<P>Not yet ported from 2.6</P>

<DT><B>location_rewrite_program</B><DD>
<P>Not yet ported from 2.6</P>

<DT><B>refresh_pattern</B><DD>
<P><EM>stale-while-revalidate=</EM> not yet ported from 2.7</P>
<P><EM>ignore-stale-while-revalidate=</EM> not yet ported from 2.7</P>
<P><EM>negative-ttl=</EM> not yet ported from 2.7</P>

<DT><B>refresh_stale_hit</B><DD>
<P>Not yet ported from 2.7</P>

<DT><B>update_headers</B><DD>
<P>Not yet ported from 2.7</P>

</DL>
</P>

<H2><A NAME="s6">6.</A> <A HREF="#toc6">Copyright</A></H2>

<P>Copyright (C) 1996-2022 The Squid Software Foundation and contributors</P>
<P>Squid software is distributed under GPLv2+ license and includes
contributions from numerous individuals and organizations.
Please see the COPYING and CONTRIBUTORS files for details.</P>

</BODY>
</HTML>