Squid 3.4.11 release notes

Squid Developers


This document contains the release notes for version 3.4 of Squid. Squid is a WWW Cache application developed by the National Laboratory for Applied Network Research and members of the Web Caching community.

1. Notice

2. Major new features since Squid-3.3

3. Changes to squid.conf since Squid-3.3

4. Changes to ./configure options since Squid-3.3

5. Regressions since Squid-2.7


1. Notice

The Squid Team are pleased to announce the release of Squid-3.4.11 for testing.

This new release is available for download from http://www.squid-cache.org/Versions/v3/3.4/ or the mirrors.

Some interesting new features adding system flexibility have been added along with general improvements all around. While this release is not fully bug-free we believe it is ready for use in production on many systems.

We welcome feedback and bug reports. If you find a bug, please see http://wiki.squid-cache.org/SquidFaq/BugReporting for how to submit a report with a stack trace.

1.1 Known issues

Although this release is deemed good enough for use in many setups, please note the existence of open bugs against Squid-3.4.

1.2 Changes since earlier releases of Squid-3.4

The 3.4 change history can be viewed here.

2. Major new features since Squid-3.3

Squid 3.4 represents a new feature release above 3.3.

The most important of these new features are:

Most user-facing changes are reflected in squid.conf (see below).

2.1 Helper protocol extensions

Details at http://wiki.squid-cache.org/Features/AddonHelpers.

The Squid helper protocol used to communicate with authenticators, URL-rewriters, Redirectors, and External ACL helpers has been updated and extended.

BH status code is now accepted from all helpers to report internal error events separate from ERR rejection code. Permitting Squid to perform recovery operations specific to helper failure instead of a blanket client rejection.

Arbitrary key-value pairs can be returned from any helper. Allowing future helpers to be forward- and backward- compatible with this and future versions of Squid.

2.2 SSL Server Certificate Validator

Details at http://wiki.squid-cache.org/Features/SslServerCertValidator.

The helper consulted after the internal OpenSSL validation, regardless of the validation results. The helper will receive:

If the helper decides to honor an OpenSSL error or report another validation error(s), the helper will return:

The returned information mimics what the internal OpenSSL-based validation code collects now. Returned errors, if any, are fed to sslproxy_cert_error, triggering the existing SSL error processing code.

The helper invocation controlled by the sslcrtvalidator_program and sslcrtvalidator_children configurations options which are similar to the ssl_crtd related options.

2.3 Store-ID

Details at http://wiki.squid-cache.org/Features/StoreID.

This feature is a redesigned equivalent to the Squid-2.7 feature known as StoreURL-rewrite.

Notice that this is not a direct portage of the Squid-2.7 feature so behaviour differences do exist. Although the new feature works in similar enough ways that the old helper scripts used for Squid-2.7 are expected to work in this and later versions of Squid.

Squid traditionally uses the requested URL as an index key ID to locate objects in cache. It is not the only key possible and the Store-ID feature exposes an API for external helpers to provide Squid with an alternative key name for any URL.

When any client request is received which requires a cache lookup the URL is passed to a helper specified with the store_id_program directive to check for an alternative Store ID. This allows the helper to identify URLs which refer to duplicate resources and de-duplicate the cache content. store_id_access is provided to allow ACL-based tuning of which traffic gets sent to the helper and reduce overheads.

One subtle and noteworthy difference between Squid-2 and Squid-3 which is highlighted by this feature is that refresh_pattern applies its regex argument against the Store ID key and not the transaction URL. So using the Store-ID feature to alter the value affects which refresh_pattern directive will be matched.

Store-ID helpers bundled with Squid can be built with the --enable-storeid-rewrite-helpers option which is added in this version. Currently there is a file helper provided.

2.4 TPROXY Support for OpenBSD 5.1+ and FreeBSD 9+

Details at http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf.

The Packet Filter (PF) firewall in OpenBSD 4.4 and later offers traffic interception using several very simple methods. One of which is the divert-to rule type which acts as a simple routing diversion instead of performing NAT packet alterations.

The IP Firewall (IPFW) on FreeBSD 9+ contains a port of the Linux Netfilter TPROXY feature.

This version of Squid adds support for these features through the ./configure options --enable-pf-transparent and --enable-ipfw-transparent when Squid is built on systems with the required support. No special extras are required to enable http_port ... tproxy configuration to work.

NOTE: To resolve NAT lookup issues on recent PF firewall versions the code behind ./configure --enable-pf-transparent has been altered and is expected to break on the version of PF firewall shipped with BSD systems such as NetBSD and FreeBSD which do not yet support the getsockname() API. These systems require --with-nat-devpf to enable /dev/pf support when using PF firewall.

2.5 Transaction Annotations

Previously the only annotation methods available were ICAP/eCAP HTTP header insertions or external ACL tag= result code. Each of which had only limited possibilities for use and little or no correlation.

It is now possible to add annotations to a client transaction from several sources:

Annotations on the transaction can be passed to ICAP services or eCAP modules using the adaptation_meta directive to send them as headers. They can also be logged using the %note log format code in custom logs. With the new helper response syntax changes this means all helper response key=value details such as URL-rewrite or store-id changes, external ACL tag etc. are now able to be logged.

Annotations which are already assigned to a transaction can be checked using an ACL test of the new note ACL type. This can match a particular note by name and value, of for any notes with a given name.

NOTE: not all helper interfaces are yet enabled to convert key=value into annotations and the external ACL interface does not yet send annotations to the helper.

2.6 Multicast DNS

The internal DNS component of Squid now supports multicast DNS (mDNS) resolution in accordance with RFC 6762.

The dns_multicast_local directive must be set to on to enable this feature.

The multicast DNS group IP addresses for IPv4 and IPv6 resolving are added to the set of available DNS resolvers and used automatically for domain names ending in .local and reverse-DNS lookups before attempting a secondary resolution on the configured resolvers. Domains without .local are resolved using only the configured resolvers.

Statistics for multicast DNS resolution can be found on the idns cache manager report.

NOTE that the external DNS helper interface is now deprecated and has been removed from future Squid versions. Any installations still using it for local hostname resolution need to upgrade to mDNS resolution with this Squid version.

3. Changes to squid.conf since Squid-3.3

There have been changes to Squid's configuration file since Squid-3.3.

Squid supports reading configuration option parameters from external files using the syntax parameters("/path/filename"). For example:

    acl whitelist dstdomain parameters("/etc/squid/whitelist.txt")

There have also been changes to individual directives in the config file.

This section gives a thorough account of those changes in three categories:

3.1 New tags

configuration_includes_quoted_values

Whether Squid supports directive parameters with spaces, quotes, and other special characters. Surround such parameters with "double quotes" and also set this directive on/off around the relevant squid.conf line(s) making use of such quoting.

dns_multicast_local

Use multicast DNS for .local domains and reverse-DNS resolution.

note

Use ACLs to annotate a transaction with customized annotations which can be logged in access.log

spoof_client_ip

Access control to determine whether to disable the TPROXY spoofing on upstream traffic.

sslcrtvalidator_children

Specifies the settings for how many SSL server certificate validator helpers are run and when they are started.

sslcrtvalidator_program

Specifies the location of a SSL server certificate validator helper.

store_id_access

Whether the URL for a given request is passed to the Store-ID helper process. Used to improve StoreID performance by quickly eliminating helper delays using ACL tests.

Ported equivalent to storeurl_access from 2.7

store_id_bypass

Whether the StoreID helper may be bypassed when overloaded.

store_id_children

Controls the number of StoreID helper processes.

Options startup=N, idle=N, concurrency=N

store_id_rewrite_program

A helper program to provide cache storage internal key ID value for a request.

Ported equivalent to storeurl_rewrite_program from 2.7

3.2 Changes to existing tags

access_log

Configuration syntax extended to support name=value options. New Syntax: access_log module:place [option ...] [acl ...]

New option logformat= to specify the logging format name.

New option buffer-size= to specify how large the log buffer for this log is to be when buffered_logs is enabled.

New option on-error= to specify what handling is to be done if the logging module encounters a non-recoverable error writing logs. With the value die (the default) Squid halts operation. With the value drop Squid drops log lines and continue running.

acl

New test type server_cert_fingerprint to match against server SSL certificate fingerprint.

New test type note to match against transaction annotations by name and value, or just by name.

New test type any-of to match if any one of a set of named ACLs.

New test type all-of to match against all of a set of named ACLs.

auth_param

New result code BH to signal helper internal errors available in all authentication schemes.

New key message= for error message details in all authentication schemes.

New result code OK and key ha1= in Digest authentication.

New result codes OK, ERR replace result codes AF, and NA in NTLM and Negotiate authentication.

New key token= for NTLM and Negotiate authentication OK responses.

Details at http://wiki.squid-cache.org/Features/AddonHelpers.

external_acl_type

Deprecated protocol=3.0 option. No longer necessary.

New result code BH to signal helper internal errors

Details at http://wiki.squid-cache.org/Features/AddonHelpers.

http_port

Support IPv6 for intercept mode. Requires ip6tables support on Linux, PF support on OpenBSD and IPFW support on FreeBSD. Squid will no longer complain about misconfiguration if IPv6 support is missing, we now rely on the firewall tools reporting misconfiguration when the NAT rules are created.

Support tproxy mode traffic on BSD systems with BINDANY support (OpenBSD 5+, FreeBSD 9+ so far).

Changed build options behind intercept traffic mode handling on BSD. see --enable-pf-transparent for more details.

logformat

New format code %note to log a transaction annotation linked to the transaction by ICAP, eCAP, a helper, or the note squid.conf directive.

New format code %>qos to log client connection TOS/DSCP value set by Squid.

New format code %<qos to log server connection TOS/DSCP value set by Squid.

New format code %>nfmark to log client connection netfilter mark set by Squid.

New format code %<nfmark to log server connection netfilter mark set by Squid.

pipeline_prefetch

Updated to take a numeric count of prefetched pipeline requests instead of ON/OFF.

refresh_pattern

NOTE: the regular expression pattern operates on the cache Store-ID value. Which by default is identical to the requested URL, but may differ for some objects if the Store-ID feature is in use.

unlinkd_program

New helper response format utilizing result codes OK and BH, to signal helper lookup results. Also, key-value response values to return multiple values to Squid.

Details at http://wiki.squid-cache.org/Features/AddonHelpers.

url_rewrite_program

New helper response format utilizing result codes OK, ERR, and BH to signal helper lookup results. Also, key-value response values to return multiple values to Squid.

Details at http://wiki.squid-cache.org/Features/AddonHelpers.

3.3 Removed tags

storeurl_access

Replaced by store_id_access.

storeurl_rewrite_children

Replaced by store_id_children.

storeurl_rewrite_concurrency

Replaced by store_id_children with concurrency=N option.

storeurl_rewrite_program

Replaced by store_id_program.

4. Changes to ./configure options since Squid-3.3

There have been some changes to Squid's build configuration since Squid-3.3.

This section gives an account of those changes in three categories:

4.1 New options

--enable-storeid-rewrite-helpers

New option to control which Store-ID helpers are built. As with other helper options use --disable-* to prevent any helpers building and omit to get all helper auto-detected.

Currenly only a helper using file for backend is provided.

--disable-arch-native

New option to disable use of -march=native compiler flag.

The new flag auto-enables CPU-specific optimizations in GCC and is required by Clang++ v3.2 for correct 64-bit environment detection. It does not always work well however, so this build option is provided to remove it when necessary.

--with-nat-devpf

New option to alter the behaviour of http_port ... intercept option in squid.conf.

When this option is used Squid performs the /dev/pf lookups required to support PF rdr-to rules. Otherwise Squid will perform perform the getsockname() API calls to support PF divert-to rules.

NOTE: systems such as NetBSD and FreeBSD which do not yet support the getsockname() API in recent PF versions require this option.

4.2 Changes to existing options

--enable-pf-transparent

NAT table support updated to use the getsockname() API provided by the latest PF versions divert-to. This allows http_port in squid.conf to support both intercept and tproxy traffic and to silence NAT lookup failure messages on recent BSD.

NOTE: systems such as NetBSD and FreeBSD which do not yet support the getsockname() API in recent PF versions require --with-nat-devpf to re-enable /dev/pf support when using PF firewall.

--disable-translation

Default changed to prevent translating error page templates during build. Use --enable-translation to explicitly build and install the templates.

The latest pre-translated templates can be downloaded from http://www.squid-cache.org/Versions/langpack/

4.3 Removed options

There are no removed ./configure options in Squid-3.4.

5. Regressions since Squid-2.7

Some squid.conf options which were available in Squid-2.7 are not yet available in Squid-3.4

If you need something to do then porting one of these from Squid-2 to Squid-3 is most welcome.

5.1 Missing squid.conf options available in Squid-2.7

broken_vary_encoding

Not yet ported from 2.6

cache_dir

COSS storage type is lacking stability fixes from 2.6

COSS overwrite-percent= option not yet ported from 2.6

COSS max-stripe-waste= option not yet ported from 2.6

COSS membufs= option not yet ported from 2.6

COSS maxfullbufs= option not yet ported from 2.6

cache_peer

idle= not yet ported from 2.7

monitorinterval= not yet ported from 2.6

monitorsize= not yet ported from 2.6

monitortimeout= not yet ported from 2.6

monitorurl= not yet ported from 2.6

cache_vary

Not yet ported from 2.6

collapsed_forwarding

Not yet ported from 2.6

error_map

Not yet ported from 2.6

external_refresh_check

Not yet ported from 2.7

location_rewrite_access

Not yet ported from 2.6

location_rewrite_children

Not yet ported from 2.6

location_rewrite_concurrency

Not yet ported from 2.6

location_rewrite_program

Not yet ported from 2.6

refresh_pattern

stale-while-revalidate= not yet ported from 2.7

ignore-stale-while-revalidate= not yet ported from 2.7

negative-ttl= not yet ported from 2.7

refresh_stale_hit

Not yet ported from 2.7

update_headers

Not yet ported from 2.7