File: RELEASENOTES.html

package info (click to toggle)
squid 6.13-2%2Bdeb13u1
links: PTS, VCS
area: main
in suites: trixie
size: 35,396 kB
sloc: cpp: 194,183; ansic: 15,700; sh: 5,610; makefile: 5,515; perl: 2,558; sql: 326; python: 248; awk: 141; sed: 1
file content (539 lines) | stat: -rw-r--r-- 19,355 bytes
parent folder | download | duplicates (2)
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
 <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.83">
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <TITLE>Squid 6.13 release notes</TITLE>
</HEAD>
<BODY>
<H1>Squid 6.13 release notes</H1>

<H2>Squid Developers</H2>
<P>
<H2><A NAME="toc1">1.</A> <A HREF="#s1">Notice</A></H2>

<UL>
<LI><A NAME="toc1.1">1.1</A> <A HREF="#ss1.1">Known issues</A>
<LI><A NAME="toc1.2">1.2</A> <A HREF="#ss1.2">Changes since earlier releases of Squid-6</A>
</UL>
<P>
<H2><A NAME="toc2">2.</A> <A HREF="#s2">Major new features since Squid-5</A></H2>

<UL>
<LI><A NAME="toc2.1">2.1</A> <A HREF="#ss2.1">TLS ServerHello</A>
<LI><A NAME="toc2.2">2.2</A> <A HREF="#ss2.2">Log TLS Communication Secrets</A>
<LI><A NAME="toc2.3">2.3</A> <A HREF="#ss2.3">Ban ACL key changes in ACLs</A>
<LI><A NAME="toc2.4">2.4</A> <A HREF="#ss2.4">Block to-local Traffic</A>
<LI><A NAME="toc2.5">2.5</A> <A HREF="#ss2.5">RFC 9211: HTTP Cache-Status support</A>
<LI><A NAME="toc2.6">2.6</A> <A HREF="#ss2.6">RFC 9111: Stop treating Warning specially</A>
<LI><A NAME="toc2.7">2.7</A> <A HREF="#ss2.7">ext_kerberos_ldap_group_acl: Support -b with -D</A>
<LI><A NAME="toc2.8">2.8</A> <A HREF="#ss2.8">Remove Gopher Protocol Support</A>
<LI><A NAME="toc2.9">2.9</A> <A HREF="#ss2.9">Removed Outdated Tools</A>
</UL>
<P>
<H2><A NAME="toc3">3.</A> <A HREF="#s3">Changes to squid.conf since Squid-5</A></H2>

<UL>
<LI><A NAME="toc3.1">3.1</A> <A HREF="#ss3.1">New directives</A>
<LI><A NAME="toc3.2">3.2</A> <A HREF="#ss3.2">Changes to existing directives</A>
<LI><A NAME="toc3.3">3.3</A> <A HREF="#ss3.3">Removed directives</A>
<LI><A NAME="toc3.4">3.4</A> <A HREF="#ss3.4">Other changes</A>
</UL>
<P>
<H2><A NAME="toc4">4.</A> <A HREF="#s4">Changes to ./configure options since Squid-5</A></H2>

<UL>
<LI><A NAME="toc4.1">4.1</A> <A HREF="#ss4.1">New options</A>
<LI><A NAME="toc4.2">4.2</A> <A HREF="#ss4.2">Changes to existing options</A>
<LI><A NAME="toc4.3">4.3</A> <A HREF="#ss4.3">Removed options</A>
</UL>
<P>
<H2><A NAME="toc5">5.</A> <A HREF="#s5">Regressions since Squid-2.7</A></H2>

<UL>
<LI><A NAME="toc5.1">5.1</A> <A HREF="#ss5.1">Missing squid.conf options available in Squid-2.7</A>
</UL>
<P>
<H2><A NAME="toc6">6.</A> <A HREF="#s6">Copyright</A></H2>


<HR>
<H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2>

<P>The Squid Team are pleased to announce the release of Squid-6.13 for testing.</P>
<P>This new release is available for download from 
<A HREF="http://www.squid-cache.org/Versions/v6/">http://www.squid-cache.org/Versions/v6/</A> or the
<A HREF="http://www.squid-cache.org/Download/http-mirrors.html">mirrors</A>.</P>

<P>We welcome feedback and bug reports. If you find a bug, please see 
<A HREF="https://wiki.squid-cache.org/SquidFaq/BugReporting">https://wiki.squid-cache.org/SquidFaq/BugReporting</A>
for how to submit a report with a stack trace.</P>

<H2><A NAME="ss1.1">1.1</A> <A HREF="#toc1.1">Known issues</A>
</H2>

<P>Although this release is deemed good enough for use in many setups, please note the existence of
<A HREF="https://bugs.squid-cache.org/buglist.cgi?query_format=advanced&amp;product=Squid&amp;bug_status=UNCONFIRMED&amp;bug_status=NEW&amp;bug_status=ASSIGNED&amp;bug_status=REOPENED&amp;version=6">open bugs against Squid-6</A>.</P>

<P>Support for compiling on HPUX with the native HP <EM>xcc</EM> compiler has been removed.
To build on that OS/compiler combination, it is possible to pass these environment variables
to ./configure: <EM>CC="cxx -Ae" RANLIB=":"</EM></P>

<P>This release adds a dependency on C++17 support in any compiler used to build Squid.
GCC 8+ and Clang 8+ support C++17.</P>

<H2><A NAME="ss1.2">1.2</A> <A HREF="#toc1.2">Changes since earlier releases of Squid-6</A>
</H2>

<P>The Squid-6 change history can be 
<A HREF="https://github.com/squid-cache/squid/commits/v6">viewed here</A>.</P>


<H2><A NAME="s2">2.</A> <A HREF="#toc2">Major new features since Squid-5</A></H2>

<P>Squid-6 represents a new feature release above Squid-5.</P>

<P>The most important of these new features are:
<UL>
<LI>TLS ServerHello</LI>
<LI>Log TLS Communication Secrets</LI>
<LI>Ban ACL key Changes in ACLs</LI>
<LI>Block to-local Traffic</LI>
<LI>RFC 9211: HTTP Cache-Status support</LI>
<LI>RFC 9111: Stop treating Warning specially</LI>
<LI>ext_kerberos_ldap_group_acl: Support -b with -D</LI>
<LI>Remove Gopher Protocol Support</LI>
<LI>Remove Outdated Tools</LI>
</UL>
</P>

<P>Most user-facing changes are reflected in squid.conf (see below).</P>

<H2><A NAME="ss2.1">2.1</A> <A HREF="#toc2.1">TLS ServerHello</A>
</H2>

<P>Squid is now more lenient towards misconfigured <EM>tls-cert=</EM> file
contents. Squid will attempt to sort the CA chain and send certificates in
the order required by TLS ServerHello.</P>

<P>Squid no longer sends the <EM>tls-clientca=</EM> on <EM>https_port</EM>
server handshakes. This fix breaks misconfigured Squid deployments that
(usually unknowingly) rely on the OpenSSL clientca 'leak' to build a
complete https_port server certificate chain sent to TLS clients. Such
deployments should add the right intermediate CA certificate(s) to their
<EM>tls-cert=</EM> bundle (or equivalent).</P>

<H2><A NAME="ss2.2">2.2</A> <A HREF="#toc2.2">Log TLS Communication Secrets</A>
</H2>

<P>Squid now records pre-master secret and related encryption details for TLS
connections accepted or established by Squid. These connections include
connections accepted at <EM>https_port</EM>, TLS connections opened to
origin servers/<EM>cache_peer</EM>/ICAP services, and TLS tunnels bumped by
Squid using the SslBump feature.</P>

<P>Logging of these details are controlled by the <EM>tls_key_log</EM>. See
<A HREF="http://www.squid-cache.org/Doc/config/tls_key_log/">squid.conf documentation</A>
for details.</P>

<H2><A NAME="ss2.3">2.3</A> <A HREF="#toc2.3">Ban ACL key changes in ACLs</A>
</H2>

<P>More info in the 
<A HREF="https://github.com/squid-cache/squid/commit/4a3b85322ce5a464175eb49ddb5be413794b25b8">commit description</A>.</P>

<P>Certain Squid ACLs can check the value of a specific key=value where
the key name is configurable. These ACLs are unable to check multiple
different key names.</P>

<P>Squid did write a cache.log ERROR for req_header/rep_header key changes
but was silent about the preceding <EM>note</EM> ACL rules being
ineffective after a key name change.</P>

<P>Squid will now actively reject all such configurations.</P>

<H2><A NAME="ss2.4">2.4</A> <A HREF="#toc2.4">Block to-local Traffic</A>
</H2>

<P>More info in the policy change 
<A HREF="https://github.com/squid-cache/squid/commit/f13e556e4ce743369dee4782b78c87d65580ab00">commit</A>
and the ACL creation 
<A HREF="https://github.com/squid-cache/squid/commit/6d2f8ed096bf5c013b8560451e41d8772c64ba66">commit</A>.</P>

<P>This Squid introduces the <EM>to_linklocal</EM> ACL as pre-defined to
match requests from 169.254.0.0/16 and fe80::/10.</P>

<P>The default configuration settings are changed to:
<PRE>
    http_access allow localhost
    http_access deny to_localhost
    http_access deny to_linklocal
    # http_access allow localnet
</PRE>
</P>

<P>These changes only affect the default squid.conf and new installs.
Upgraded installations will continue to use their previous settings.</P>

<H2><A NAME="ss2.5">2.5</A> <A HREF="#toc2.5">RFC 9211: HTTP Cache-Status support</A>
</H2>

<P>See also 
<A HREF="https://www.rfc-editor.org/rfc/rfc9211">RFC 9211</A>.</P>

<P>This HTTP header replaces <EM>X-Cache</EM> and <EM>X-Cache-Lookup</EM>
which are no longer emitted by Squid. Any tools or management systems
relying on those <EM>X-</EM> headers need to be upgraded to work with
the new standardized header.</P>

<H2><A NAME="ss2.6">2.6</A> <A HREF="#toc2.6">RFC 9111: Stop treating Warning specially</A>
</H2>

<P>RFC 9111 obsoletes the Warning header, removing all specification
requirements about it.</P>

<P>This Squid changes behaviour in regards to that header:
<UL>
<LI>1) Squid no longer adds Warning headers to generated or forwarded
messages. Miss responses from servers/peers and hits cached by an
older version of Squid may still have Warning headers.
</LI>
<LI>2) On 304 revalidation, Warning header are treated the same as any
other/generic header. They are added or replaced according to their
presence in the 304 reply. Absent any Warning update by a 304, Squid
may still deliver cached content with old Warning headers.
</LI>
<LI>3) Squid no longer validates received Warning headers. RFC 7234 placed
syntax requirements and limits on how old some Warning values could
be (when dated). Those checks are no longer being performed. The
header value is now treated as an opaque string.
</LI>
<LI>4) Warning header usage and types are no longer tracked in message
statistics available through cache manager.</LI>
</UL>
</P>

<H2><A NAME="ss2.7">2.7</A> <A HREF="#toc2.7">ext_kerberos_ldap_group_acl: Support -b with -D</A>
</H2>

<P>Previous versions of this helper ignore the <EM>-b</EM> option when
the <EM>-D</EM> option is used.</P>

<P>Fixing this limitation adds support for FreeIPA and limited subtree
searching.</P>

<H2><A NAME="ss2.8">2.8</A> <A HREF="#toc2.8">Remove Gopher Protocol Support</A>
</H2>

<P>With this change, Gopher requests will be handled like any other request
with an unknown (to Squid) protocol. For example, HTTP requests with
<EM>gopher://</EM> URL scheme result in ERR_UNSUP_REQ.</P>

<P>Default Squid configuration still considers TCP port 70 safe. The
corresponding Safe_ports ACL rule has not been removed.</P>

<H2><A NAME="ss2.9">2.9</A> <A HREF="#toc2.9">Removed Outdated Tools</A>
</H2>

<P>We do not have enough resources/demand for maintaining these tools, they
do require maintenance, and there are better tools available.</P>
<P>
<UL>
<LI><EM>cache_diff</EM> which has no users according to community
poll results in 2020.
</LI>
<LI><EM>GnuRegex</EM> library implementation. Modern operating
systems provide a functioning regex library, so we do not need to
carry one anymore.
</LI>
<LI><EM>membanger</EM> which has not built for many years.
</LI>
<LI><EM>pconn-banger</EM> lacked build rules since inception (1997)
and probably could not be built manually since at least 2007.
</LI>
<LI><EM>recv-announce</EM> which has not built for many years.
</LI>
<LI><EM>send-announce</EM> which is very much outdated and unused
since the decline of the 
<A HREF="http://ircache.nlanr.net/">NLANR IRCache</A> service.
</LI>
<LI><EM>tcp-banger2</EM> is not built by default and probably could
not be built at all since at least 2006.
</LI>
<LI><EM>tcp-banger3</EM> lacked build rules since inception (1998)
and probably could not be built manually (by mimicking tcp-banger2
build commands) without warnings since 2002.
</LI>
<LI><EM>tcp-banger.pl</EM> has portability and code quality issues;
its basic functionality is supported by squidclient, wget, curl, and
others.
</LI>
<LI><EM>ufsdump</EM> was not built by default since 2010 and its build
has been failing since before 2017.</LI>
</UL>
</P>


<H2><A NAME="s3">3.</A> <A HREF="#toc3">Changes to squid.conf since Squid-5</A></H2>

<P>This section gives an account of those changes in three categories:</P>
<P>
<UL>
<LI>
<A HREF="#newdirectives">New directives</A></LI>
<LI>
<A HREF="#modifieddirectives">Changes to existing directives</A></LI>
<LI>
<A HREF="#removeddirectives">Removed directives</A></LI>
<LI>
<A HREF="#otherchanges">Other changes</A></LI>
</UL>
</P>


<H2><A NAME="newdirectives"></A> <A NAME="ss3.1">3.1</A> <A HREF="#toc3.1">New directives</A>
</H2>

<P>
<DL>
<DT><B>paranoid_hit_validation</B><DD>
<P>Controls whether to perform extra internal checks when loading
entries from the on-disk cache.</P>

<DT><B>cache_log_message</B><DD>
<P>Configure logging options on a per-message basis, overriding the
per-section options. Message IDs are guaranteed stable across builds and
releases. Only a few messages support this for now.</P>
</DL>
</P>

<H2><A NAME="modifieddirectives"></A> <A NAME="ss3.2">3.2</A> <A HREF="#toc3.2">Changes to existing directives</A>
</H2>

<P>
<DL>
<DT><B>time units</B><DD>
<P>All directives accepting time values now accept a time unit suffix
from nanosecond to decade.</P>

<DT><B>sslcrtvalidator_program</B><DD>
<P>New <EM>ttl=infinity</EM> option to disable TTL expiry on stored helper responses.</P>

<DT><B>logformat</B><DD>
<P>New <EM>transport::&gt;connection_id</EM> code to display which transport-level
connection the request was received.</P>
<P>New <EM>busy_time</EM> code to display the cumulative CPU time spent processing
the request, excluding the time spent waiting for external resources.
WARNING: this time is approximate and is known to have bugs and gaps,
so consider it a lower bound.</P>
<P>New <EM>request_attempts</EM> code to display how many forwarding attempts were
made for this request.</P>
<P>Squid now adds <EM>ABORTED</EM> to values printed by the <EM>Ss</EM> code in more
cases where a TCP Squid-to-server connection was closed prematurely.</P>
<P>Squid now logs <EM>TCP_TUNNEL</EM> with the <EM>Ss</EM> code when a CONNECT tunnel
is attempted, not just on successful tunnel setup.</P>

<DT><B>server_cert_fingerprint</B><DD>
<P>Removed the broken <EM>-sha</EM> option. <EM>SHA1</EM> remains the default and
only supported fingerprinting algorithm. Configuring it is unnecessary.</P>
</DL>
</P>

<H2><A NAME="removeddirectives"></A> <A NAME="ss3.3">3.3</A> <A HREF="#toc3.3">Removed directives</A>
</H2>

<P>
<DL>
<DT><B>announce_file</B><DD>
<P>Obsolete. Squid no longer provides functionality to enroll in the
cache registration service.</P>

<DT><B>announce_host</B><DD>
<P>Obsolete. Squid no longer provides functionality to enroll in the
cache registration service.</P>

<DT><B>announce_period</B><DD>
<P>Obsolete. Squid no longer provides functionality to enroll in the
cache registration service.</P>

<DT><B>announce_port</B><DD>
<P>Obsolete. Squid no longer provides functionality to enroll in the
cache registration service.</P>

<DT><B>request_entities</B><DD>
<P>Obsolete. Squid accepts an entity (aka payload, body) on
HTTP/1.1 GET or HEAD requests when a Content-Length or
Transfer-Encoding header is presented to clearly determine size.</P>
<P>To retain the old behaviour of rejecting GET/HEAD payloads
for HTTP/1.1 use <EM>http_access</EM> rules:
<PRE>
  acl fetch method GET HEAD
  acl entity req_header Content-Length .
  http_access deny fetch entity
</PRE>
</P>
<P>Squid will reject use of Content-Length header on HTTP/1.0
messages with GET, HEAD, DELETE, LINK, UNLINK methods. Since
the HTTP/1.0 specification defines those as not having entities.
To deliver entities on these methods the chunked encoding
feature defined by HTTP/1.1 must be used, or the request
upgraded to an HTTP/1.1 message.</P>
</DL>
</P>

<H2><A NAME="otherchanges"></A> <A NAME="ss3.4">3.4</A> <A HREF="#toc3.4">Other changes</A>
</H2>

<P>
<DL>
<DT><B>Adjusted configuration and format of <EM>ext_time_quota_acl</EM> helper debugging</B><DD>
<P>The <EM>-l</EM> option that enables <EM>ext_time_quota_acl</EM> to log debug messages
to a custom logfile has been removed, and their format has been
changed to be in line with Squid <EM>cache.log</EM> format.</P>
</DL>
</P>

<H2><A NAME="s4">4.</A> <A HREF="#toc4">Changes to ./configure options since Squid-5</A></H2>

<P>This section gives an account of those changes in three categories:</P>
<P>
<UL>
<LI>
<A HREF="#newoptions">New options</A></LI>
<LI>
<A HREF="#modifiedoptions">Changes to existing options</A></LI>
<LI>
<A HREF="#removedoptions">Removed options</A></LI>
</UL>
</P>

<H2><A NAME="newoptions"></A> <A NAME="ss4.1">4.1</A> <A HREF="#toc4.1">New options</A>
</H2>

<P>
<DL>
<DT><B>--with-cap</B><DD>
<P>Replacement for <EM>--with-libcap</EM>.</P>

<DT><B>--with-xml2</B><DD>
<P>Replacement for <EM>--with-libxml2</EM>.</P>

<DT><B>--with-ldap</B><DD>
<P>Compile with OpenLDAP, Mozilla LDAP, or Windows LDAP support.</P>
<P>LDAP support is enabled by default. Use <EM>--without-ldap</EM> to disable.</P>

</DL>
</P>

<H2><A NAME="modifiedoptions"></A> <A NAME="ss4.2">4.2</A> <A HREF="#toc4.2">Changes to existing options</A>
</H2>

<P>
<DL>
<DT><B>--disable-esi</B><DD>
<P>The ESI feature is now disabled by default.
Use <EM>--enable-esi</EM> if needed.</P>

</DL>
</P>
<H2><A NAME="removedoptions"></A> <A NAME="ss4.3">4.3</A> <A HREF="#toc4.3">Removed options</A>
</H2>

<P>
<DL>
<DT><B>--enable-cpu-profiling</B><DD>
<P>This feature has been unreliable for many years. Other tools such as
oprofile provide better tracking and should be used instead.</P>

<DT><B>--enable-debug-cbdata</B><DD>
<P>This feature has been of limited use since AsyncCalls feature
took over much of the CBDATA functionality.</P>

<DT><B>--enable-gnuregex</B><DD>
<P>Squid no longer ships with a built-in GnuRegex implementation.</P>

<DT><B>--enable-kill-parent-hack</B><DD>
<P>This feature has been deprecated for years. Other features such as
<EM>--foreground</EM> command line argument should be used instead.</P>

<DT><B>--enable-leakfinder</B><DD>
<P>Removed. Using Valgrind for leak detection is still supported.</P>

<DT><B>--disable-loadable-modules</B><DD>
<P>This option was performing the same duties as <EM>--disable-shared</EM>.</P>

<DT><B>--with-libcap</B><DD>
<P>Replaced by <EM>--with-cap</EM>.</P>

<DT><B>--with-libxml2</B><DD>
<P>Replaced by <EM>--with-xml2</EM>.</P>

</DL>
</P>


<H2><A NAME="s5">5.</A> <A HREF="#toc5">Regressions since Squid-2.7</A></H2>

<P>Some squid.conf options which were available in Squid-2.7 are not yet available in Squid-6.</P>

<P>If you need something to do then porting one of these from Squid-2 is most welcome.</P>

<H2><A NAME="ss5.1">5.1</A> <A HREF="#toc5.1">Missing squid.conf options available in Squid-2.7</A>
</H2>

<P>
<DL>
<DT><B>broken_vary_encoding</B><DD>
<P>Not yet ported from 2.6</P>

<DT><B>cache_peer</B><DD>
<P><EM>monitorinterval=</EM> not yet ported from 2.6</P>
<P><EM>monitorsize=</EM> not yet ported from 2.6</P>
<P><EM>monitortimeout=</EM> not yet ported from 2.6</P>
<P><EM>monitorurl=</EM> not yet ported from 2.6</P>

<DT><B>cache_vary</B><DD>
<P>Not yet ported from 2.6</P>

<DT><B>error_map</B><DD>
<P>Not yet ported from 2.6</P>

<DT><B>external_refresh_check</B><DD>
<P>Not yet ported from 2.7</P>

<DT><B>location_rewrite_access</B><DD>
<P>Not yet ported from 2.6</P>

<DT><B>location_rewrite_children</B><DD>
<P>Not yet ported from 2.6</P>

<DT><B>location_rewrite_concurrency</B><DD>
<P>Not yet ported from 2.6</P>

<DT><B>location_rewrite_program</B><DD>
<P>Not yet ported from 2.6</P>

<DT><B>refresh_pattern</B><DD>
<P><EM>stale-while-revalidate=</EM> not yet ported from 2.7</P>
<P><EM>ignore-stale-while-revalidate=</EM> not yet ported from 2.7</P>
<P><EM>negative-ttl=</EM> not yet ported from 2.7</P>

<DT><B>refresh_stale_hit</B><DD>
<P>Not yet ported from 2.7</P>

<DT><B>update_headers</B><DD>
<P>Not yet ported from 2.7</P>

</DL>
</P>


<H2><A NAME="s6">6.</A> <A HREF="#toc6">Copyright</A></H2>

<P>Copyright (C) 1996-2024 The Squid Software Foundation and contributors</P>
<P>Squid software is distributed under GPLv2+ license and includes
contributions from numerous individuals and organizations.
Please see the COPYING and CONTRIBUTORS files for details.</P>

</BODY>
</HTML>