Squid 3.3.0.2 release notes

Squid Developers


This document contains the release notes for version 3.3 of Squid. Squid is a WWW Cache application developed by the National Laboratory for Applied Network Research and members of the Web Caching community.

1. Notice

2. Major new features since Squid-3.2

3. Changes to squid.conf since Squid-3.2

4. Changes to ./configure options since Squid-3.2

5. Regressions since Squid-2.7


1. Notice

The Squid Team are pleased to announce the release of Squid-3.3.0.2 for testing.

This new release is available for download from http://www.squid-cache.org/Versions/v3/3.3/ or the mirrors.

While this release is not deemed ready for production use, we believe it is ready for wider testing by the community.

We welcome feedback and bug reports. If you find a bug, please see http://wiki.squid-cache.org/SquidFaq/TroubleShooting#head-7067fc0034ce967e67911becaabb8c95a34d576d for how to submit a report with a stack trace.

1.1 Known issues

Although this release is deemed good enough for use in many setups, please note the existence of open bugs against Squid-3.3.

1.2 Changes since earlier releases of Squid-3.3

The 3.3 change history can be viewed here.

2. Major new features since Squid-3.2

Squid 3.3 represents a new feature release above 3.2.

The most important of these new features are:

Most user-facing changes are reflected in squid.conf (see below).

2.1 SQL Database logging helper

log_db_daemon - Database logging daemon for Squid

This program writes Squid access.log entries to an SQL database. Written in Perl, it can use any database supported by the Perl database abstraction layer.

NOTE: Presently it only accepts the Squid native log format.

2.2 Time-Quota session helper

ext_time_quota_acl - Time quota external ACL helper.

Allows an administrator to define time budgets (quota) for Squid users, to limit the time they spend using Squid.

This is useful for corporate lunch time allocations, wifi portal pay-per-minute installations or for parental control of children.

The administrator can define a time budget (e.g. 1 hour per day) which is enforced through this helper using session estimations of their browsing time. A 'pause' threshold is given in seconds and defines the period between two requests to be treated as part of the same session. Pauses shorter than this value will be counted against the quota, longer ones ignored.
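The session estimation described above, as an added model that is not part of Squid or the ext_time_quota_acl helper: each request is charged the gap since the user's previous request only when that gap is within the pause threshold, and the helper-style answer is OK while the budget lasts and ERR once it is used up. The class and the request log are constructed for illustration.

```python
from datetime import datetime

class TimeQuota:
    """Per-user time budget using the session estimation described above.
    pause:  seconds; a gap between two requests no longer than this is
            treated as continuous browsing and charged to the quota,
            longer gaps are ignored (the user walked away).
    budget: seconds of browsing allowed (e.g. 3600 for one hour).
    """
    def __init__(self, pause, budget):
        self.pause = pause
        self.budget = budget
        self.last_seen = {}  # user -> time of that user's previous request
        self.used = {}       # user -> seconds charged so far

    def request(self, user, when):
        """Account one request and answer OK (within budget) or ERR
        (budget exhausted), the replies an external ACL helper gives Squid."""
        prev = self.last_seen.get(user)
        if prev is not None:
            gap = (when - prev).total_seconds()
            # Negative gaps (clock stepped backwards) are ignored as well.
            if 0 <= gap <= self.pause:
                self.used[user] = self.used.get(user, 0.0) + gap
        self.last_seen[user] = when
        return "OK" if self.used.get(user, 0.0) < self.budget else "ERR"

# Constructed request log: "user ISO-timestamp", one request per line.
SAMPLE_REQUESTS = [
    "alice 2012-10-01T09:00:00",
    "alice 2012-10-01T09:02:00",  # 2 min gap: charged
    "alice 2012-10-01T09:04:00",  # 2 min gap: charged (4 min used)
    "alice 2012-10-01T09:30:00",  # 26 min gap > pause: ignored
    "alice 2012-10-01T09:34:00",  # 4 min gap: charged (8 min used)
    "alice 2012-10-01T09:38:00",  # 4 min gap: charged (12 min used), over budget
]

def replay(lines, pause, budget):
    """Feed the lines through TimeQuota; return (answers, seconds used per user)."""
    quota = TimeQuota(pause, budget)
    answers = []
    for line in lines:
        user, stamp = line.split()
        answers.append(quota.request(user, datetime.fromisoformat(stamp)))
    return answers, quota.used

if __name__ == "__main__":
    print(replay(SAMPLE_REQUESTS, pause=300, budget=600))
```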

2.3 SSL-Bump Server First

Details at http://wiki.squid-cache.org/Features/BumpSslServerFirst.

When an intercepted connection is received, Squid first connects to the server using SSL and receives the server certificate. Squid then uses the host name inside the true server certificate to generate a fake one and impersonates the server while still using the already established secure connection to the server.

Bumping server first is essentially required for handling intercepted HTTPS connections but the same scheme should be used for most HTTP CONNECT requests because it offers a few advantages compared to the old bump-client-first approach:

2.4 Server Certificate Mimic

Details at http://wiki.squid-cache.org/Features/MimicSslServerCert.

One of the serious drawbacks of the SslBump feature is the loss of the information embedded in the SSL server certificate. This certificate mimic feature passes the original SSL server certificate information on to the user, allowing the user to make an informed decision on whether to trust the server certificate.

2.5 Custom HTTP request headers

The request_header_add option is added to insert HTTP header fields to outgoing HTTP requests (i.e., request headers sent by Squid to the next HTTP hop such as a cache peer or an origin server). The option has no effect on cache hit traffic or requests serviced by Squid and ICAP.

WARNING: If a standard HTTP header name is used, Squid does not check whether the new header conflicts with any existing headers or violates HTTP rules. If the request to be modified already contains a field with the same name, the old field is preserved but the header field values are not merged.

Field-value set can be either a token or a quoted string. If quoted string format is used, then the surrounding quotes are removed while escape sequences and %macros are processed.

In theory, all of the logformat codes can be used as %macros. However, unlike logging (which happens at the very end of transaction lifetime), the transaction may not yet have enough information to expand a macro when the new header value is needed. And some information may already be available to Squid but not yet committed where the macro expansion code can access it (please report such instances!). The macro will be expanded into a single dash ('-') in such cases. Not all macros have been tested.

One or more Squid ACLs may be specified to restrict header injection to matching requests. As always in squid.conf, all ACLs in an option ACL list must be satisfied for the insertion to happen. The request_header_add option supports fast ACLs only.

3. Changes to squid.conf since Squid-3.2

There have been changes to Squid's configuration file since Squid-3.2.

This section gives a thorough account of those changes in three categories:

3.1 New tags

request_header_add

New directive to add custom headers on HTTP traffic sent to upstream servers.

sslproxy_cert_sign

New option to determine how the client certificate sent to upstream servers is signed.

sslproxy_cert_adapt

New option to adapt certain properties of outgoing SSL certificates generated for use when bumping SSL to an upstream server.

3.2 Changes to existing tags

acl

The myport and myip ACL types are replaced with localport and localip respectively, to reflect that they match the TCP connection details and not the squid.conf port. This matters when dealing with intercepted traffic, where the Squid receiving port differs from the TCP connection IP:port. Always use the myportname type to match the squid.conf port details.

New default built-in ACLs for testing SSL certificate properties.

ssl::certHasExpired, ssl::certNotYetValid, ssl::certDomainMismatch, ssl::certUntrusted, ssl::certSelfSigned.

logformat

New token %ssl::bump_mode to log the SSL-bump mode type performed on a request. Logs values of: -, none, client-first, or server-first.

New token %ssl::>cert_subject to log the Subject field of an SSL certificate received from the client.

New token %ssl::>cert_issuer to log the Issuer field of an SSL certificate received from the client.

ssl_bump

New action types none, client-first, server-first. The default is none.

Use of allow/deny is now deprecated and should be removed as soon as possible. To retain exactly the same behaviour between 3.3 and older releases, replace deny with none and allow with client-first. However, upgrading to server-first is recommended.

NOTE: Mixing of allow/deny with the new action types is prohibited and will cause Squid to exit with a FATAL error.
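A pre-upgrade check for the two points above, added here as an example and not part of Squid: it scans squid.conf text for ssl_bump lines, flags the allow/deny mix that makes Squid 3.3 exit with a FATAL error, reports deprecated allow/deny lines, and emits the behaviour-preserving rewrite (deny to none, allow to client-first). The config fragment is constructed.

```python
import re

# Mapping the notes give for keeping identical behaviour across the upgrade.
LEGACY_TO_NEW = {"deny": "none", "allow": "client-first"}
NEW_ACTIONS = {"none", "client-first", "server-first"}

def check_ssl_bump(conf_text):
    """Scan squid.conf text and return (problems, migrated_text): problems
    lists the FATAL allow/deny mix, deprecated allow/deny lines and unknown
    actions; migrated_text has deny -> none and allow -> client-first applied."""
    legacy, new, unknown, out = [], [], [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        m = None if line.startswith("#") else re.match(r"ssl_bump\s+(\S+)(.*)$", line)
        if not m:                      # not an ssl_bump directive: copy through
            out.append(raw)
            continue
        action, rest = m.group(1), m.group(2)
        if action in LEGACY_TO_NEW:
            legacy.append(lineno)
            out.append(f"ssl_bump {LEGACY_TO_NEW[action]}{rest}")
        elif action in NEW_ACTIONS:
            new.append(lineno)
            out.append(raw)
        else:
            unknown.append((lineno, action))
            out.append(raw)
    problems = []
    if legacy and new:
        problems.append(f"FATAL: ssl_bump allow/deny on lines {legacy} mixed with "
                        f"new action types on lines {new}; Squid 3.3 will not start")
    elif legacy:
        problems.append(f"deprecated ssl_bump allow/deny on lines {legacy}; "
                        "replace deny with none and allow with client-first")
    for lineno, action in unknown:
        problems.append(f"line {lineno}: unknown ssl_bump action '{action}'")
    return problems, "\n".join(out)

# Constructed squid.conf fragment, not taken from the release notes.
SAMPLE_CONF = """\
acl broken_sites dstdomain .example.invalid
ssl_bump deny broken_sites
ssl_bump allow all
"""

if __name__ == "__main__":
    problems, migrated = check_ssl_bump(SAMPLE_CONF)
    print("\n".join(problems) or "no ssl_bump problems found")
    print(migrated)
```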

3.3 Removed tags

There are no removed squid.conf tags in Squid-3.3.

4. Changes to ./configure options since Squid-3.2

There have been some changes to Squid's build configuration since Squid-3.2.

This section gives an account of those changes in three categories:

4.1 New options

There are no new ./configure options in Squid-3.3.

4.2 Changes to existing options

There are no changed ./configure options in Squid-3.3.

4.3 Removed options

--enable-ntlm-fail-open

This has not been supported by Squid for several versions.

5. Regressions since Squid-2.7

Some squid.conf and ./configure options which were available in Squid-2.7 are not yet available in Squid-3.3.

If you need something to do, porting one of these from Squid-2 to Squid-3 is most welcome.

5.1 Missing squid.conf options available in Squid-2.7

broken_vary_encoding

Not yet ported from 2.6

cache_dir

COSS storage type is lacking stability fixes from 2.6

COSS overwrite-percent= option not yet ported from 2.6

COSS max-stripe-waste= option not yet ported from 2.6

COSS membufs= option not yet ported from 2.6

COSS maxfullbufs= option not yet ported from 2.6

cache_peer

idle= not yet ported from 2.7

monitorinterval= not yet ported from 2.6

monitorsize= not yet ported from 2.6

monitortimeout= not yet ported from 2.6

monitorurl= not yet ported from 2.6

cache_vary

Not yet ported from 2.6

collapsed_forwarding

Not yet ported from 2.6

error_map

Not yet ported from 2.6

external_acl_type

%ACL format tag not yet ported from 2.6

%DATA format tag not yet ported from 2.6

external_refresh_check

Not yet ported from 2.7

http_port

act-as-origin not yet ported from 2.7

ignore_ims_on_miss

Not yet ported from 2.7

location_rewrite_access

Not yet ported from 2.6

location_rewrite_children

Not yet ported from 2.6

location_rewrite_concurrency

Not yet ported from 2.6

location_rewrite_program

Not yet ported from 2.6

refresh_pattern

stale-while-revalidate= not yet ported from 2.7

ignore-stale-while-revalidate= not yet ported from 2.7

negative-ttl= not yet ported from 2.7

refresh_stale_hit

Not yet ported from 2.7

storeurl_access

Not yet ported from 2.7

storeurl_rewrite_children

Not yet ported from 2.7

storeurl_rewrite_concurrency

Not yet ported from 2.7

storeurl_rewrite_program

Not yet ported from 2.7

update_headers

Not yet ported from 2.7