diff -u -r -N squid-3.3.3/acinclude/compiler-flags.m4 squid-3.3.4/acinclude/compiler-flags.m4 --- squid-3.3.3/acinclude/compiler-flags.m4 2013-03-12 23:17:07.000000000 +1300 +++ squid-3.3.4/acinclude/compiler-flags.m4 2013-04-27 15:34:48.000000000 +1200 @@ -81,15 +81,12 @@ # - sunstudio # - none (undetected) # -AC_DEFUN([SQUID_CC_GUESS_VARIANT], [ +AC_DEFUN([SQUID_CC_GUESS_VARIANT], [ AC_CACHE_CHECK([what kind of compiler we're using],[squid_cv_compiler], [ AC_REQUIRE([AC_PROG_CC]) - if test "$GCC" = "yes" ; then - squid_cv_compiler="gcc" - fi dnl repeat the next block for each compiler, changing the - dnl preprocessor definition type so that it depends on platform-specific + dnl preprocessor definition so that it depends on platform-specific dnl predefined macros dnl SunPro CC if test -z "$squid_cv_compiler" ; then @@ -109,12 +106,39 @@ #endif ]])],[squid_cv_compiler="icc"],[]) fi + dnl clang + if test -z "$squid_cv_compiler" ; then + AC_COMPILE_IFELSE([ + AC_LANG_PROGRAM([[ +#if !defined(__clang__) +#error "not clang" +#endif + ]])],[squid_cv_compiler="clang"],[]) + fi + dnl microsoft visual c++ + if test -z "$squid_cv_compiler" ; then + AC_COMPILE_IFELSE([ + AC_LANG_PROGRAM([[ +#if !defined(_MSC_VER) +#error "not Microsoft VC++" +#endif + ]])],[squid_cv_compiler="msvc"],[]) + fi + dnl gcc. MUST BE LAST as many other compilers also define it for compatibility + if test -z "$squid_cv_compiler" ; then + AC_COMPILE_IFELSE([ + AC_LANG_PROGRAM([[ +#if !defined(__GNUC__) +#error "not gcc" +#endif + ]])],[squid_cv_compiler="gcc"],[]) + fi dnl end of block to be repeated if test -z "$squid_cv_compiler" ; then squid_cv_compiler="none" fi - ]) - ]) + ]) dnl AC_CACHE_CHECK + ]) dnl AC_DEFUN # define the flag to use to have the compiler treat warnings as errors # requirs SQUID_CC_GUESS_VARIANT 
@@ -145,6 +169,13 @@ squid_cv_cc_option_optimize="-fast" squid_cv_cc_arg_pipe="" ;; + clang) + squid_cv_cxx_option_werror="-Werror -Wno-error=parentheses-equality" + squid_cv_cc_option_werror="$squid_cv_cxx_option_werror" + squid_cv_cc_option_wall="-Wall" + squid_cv_cc_option_optimize="-O2" + squid_cv_cc_arg_pipe="" + ;; icc) squid_cv_cxx_option_werror="-Werror" squid_cv_cc_option_werror="$squid_cv_cxx_option_werror" diff -u -r -N squid-3.3.3/ChangeLog squid-3.3.4/ChangeLog --- squid-3.3.3/ChangeLog 2013-03-12 23:17:07.000000000 +1300 +++ squid-3.3.4/ChangeLog 2013-04-27 15:34:48.000000000 +1200 @@ -1,3 +1,22 @@ + +Changes to squid-3.3.4 (27 Apr 2013): + + - Bug 3831: basic_ncsa_auth Blowfish and SHA support + - Bug 3816: SSL_get_certificate call inside Ssl::verifySslCertificate crashes + - Bug 3794: MacOS: workaround compiler errors and case-insensitivity + - Bug 3781: Proxy Authentication not sent to cache_peer + - Bug 3720 pt1: SourceLayout: shuffle fd_table definition into fde.h + - Bug 3720 pt2: Add missing include in /dev/poll I/O module + - Bug 3674: Improve compiler detection, better support warnings-as-errors on clang + - Add support for TPROXY on BSD + - Fix SSL Bump bypass for intercepted traffic + - Fix memory leaks in ConnStateData pinning + - Fix external_acl.cc "inBackground" assertion on queue overloads + - CacheMgr: fix missing column separator in helper stats + - OpenBSD: libpthreads requires OpenBSD 5.2 or later + - ... and lots of documentation updates + - ... and all changes from squid 3.2.10 + Changes to squid-3.3.3 (12 Mar 2013): - Bug 3720: Add missing include in /dev/poll I/O module (pt2) 
@@ -55,6 +74,19 @@ - ... and many compile error fixes - ... and a very large amount of code polish for faster compilation +Changes to squid-3.2.10 (27 Apr 2013): + + - Bug 3833: squidclient: Option '-k' is not present in man(1) page + - Bug 3825: basic_ncsa_auth: segfaulting with glibc-2.17 + - Bug 3822: Locate LDAP and SASL headers for BSD support + - Bug 3817: Memory leak in SSL cert validate for alt_name peer certs + - Bug 3774: 'squid -k reconfigure' drops rock cache + - Bug 3565: Resuming postponed accept kills Squid + - HTTP/1.1: partial support for no-cache and private controls with parameters + - ssl_crtd: fix helpers dying during startup on ARM + - GNU Hurd: define MAP_NORESERVE as no-op when missing + - BSD: fix enter_suid/leave_suid build errors in ip/Intercept.cc + Changes to squid-3.2.9 (12 Mar 2013): - Regression fix: Accept-Language header parse diff -u -r -N squid-3.3.3/configure squid-3.3.4/configure --- squid-3.3.3/configure 2013-03-12 23:18:22.000000000 +1300 +++ squid-3.3.4/configure 2013-04-27 15:35:47.000000000 +1200 @@ -1,7 +1,7 @@ #! /bin/sh # From configure.ac Revision. # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.68 for Squid Web Proxy 3.3.3. +# Generated by GNU Autoconf 2.68 for Squid Web Proxy 3.3.4. # # Report bugs to . # @@ -575,8 +575,8 @@ # Identity of this package. PACKAGE_NAME='Squid Web Proxy' PACKAGE_TARNAME='squid' -PACKAGE_VERSION='3.3.3' -PACKAGE_STRING='Squid Web Proxy 3.3.3' +PACKAGE_VERSION='3.3.4' +PACKAGE_STRING='Squid Web Proxy 3.3.4' PACKAGE_BUGREPORT='http://bugs.squid-cache.org/' PACKAGE_URL='' @@ -1570,7 +1570,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures Squid Web Proxy 3.3.3 to adapt to many kinds of systems. +\`configure' configures Squid Web Proxy 3.3.4 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... 
@@ -1640,7 +1640,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of Squid Web Proxy 3.3.3:";; + short | recursive ) echo "Configuration of Squid Web Proxy 3.3.4:";; esac cat <<\_ACEOF @@ -2014,7 +2014,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -Squid Web Proxy configure 3.3.3 +Squid Web Proxy configure 3.3.4 generated by GNU Autoconf 2.68 Copyright (C) 2010 Free Software Foundation, Inc. @@ -3110,7 +3110,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by Squid Web Proxy $as_me 3.3.3, which was +It was created by Squid Web Proxy $as_me 3.3.4, which was generated by GNU Autoconf 2.68. Invocation command line was $ $0 $@ @@ -3929,7 +3929,7 @@ # Define the identity of the package. PACKAGE='squid' - VERSION='3.3.3' + VERSION='3.3.4' cat >>confdefs.h <<_ACEOF @@ -4135,7 +4135,6 @@ # - none (undetected) # - # define the flag to use to have the compiler treat warnings as errors # requirs SQUID_CC_GUESS_VARIANT # Sets a few variables to contain some compiler-dependent command line @@ -18403,9 +18402,6 @@ else - if test "$GCC" = "yes" ; then - squid_cv_compiler="gcc" - fi if test -z "$squid_cv_compiler" ; then cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ 
@@ -18451,6 +18447,72 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi if test -z "$squid_cv_compiler" ; then + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + + +#if !defined(__clang__) +#error "not clang" +#endif + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_cxx_try_compile "$LINENO"; then : + squid_cv_compiler="clang" +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + fi + if test -z "$squid_cv_compiler" ; then + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + + +#if !defined(_MSC_VER) +#error "not Microsoft VC++" +#endif + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_cxx_try_compile "$LINENO"; then : + squid_cv_compiler="msvc" +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + fi + if test -z "$squid_cv_compiler" ; then + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + + +#if !defined(__GNUC__) +#error "not gcc" +#endif + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_cxx_try_compile "$LINENO"; then : + squid_cv_compiler="gcc" +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + fi + if test -z "$squid_cv_compiler" ; then squid_cv_compiler="none" fi @@ -18459,7 +18521,6 @@ $as_echo "$squid_cv_compiler" >&6; } - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for compiler variant" >&5 $as_echo_n "checking for compiler variant... " >&6; } case "$squid_cv_compiler" in @@ -18477,6 +18538,13 @@ squid_cv_cc_option_optimize="-fast" squid_cv_cc_arg_pipe="" ;; + clang) + squid_cv_cxx_option_werror="-Werror -Wno-error=parentheses-equality" + squid_cv_cc_option_werror="$squid_cv_cxx_option_werror" + squid_cv_cc_option_wall="-Wall" + squid_cv_cc_option_optimize="-O2" + squid_cv_cc_arg_pipe="" + ;; icc) squid_cv_cxx_option_werror="-Werror" squid_cv_cc_option_werror="$squid_cv_cxx_option_werror" 
@@ -18660,7 +18728,7 @@ -if test "x$GCC" = "xyes"; then +if test "$squid_cv_compiler" = "gcc"; then GCCVER=`$CC -v 2>&1 | awk '$2 == "version" {print $3}'` GCCVER2=`echo $GCCVER | awk '{print $1 * 100}'` case "$host" in @@ -18679,7 +18747,7 @@ fi if test "x$PRESET_CFLAGS" = "x"; then - if test "x$GCC" = "xyes"; then + if test "$squid_cv_compiler" = "gcc"; then case "$host" in *-sun-sunos*) # sunos has too many warnings for this to be useful @@ -18712,7 +18780,7 @@ fi fi -if test "x$GCC" = "xyes"; then +if test "$squid_cv_compiler" = "gcc"; then case "$squid_host_os" in mingw) SQUID_CFLAGS="$squid_cv_cc_option_wall -Wpointer-arith -Wwrite-strings -Wcomments" @@ -19263,6 +19331,17 @@ fi fi ;; + openbsd) + if test `echo "$squid_host_os_version" | tr -d .` -lt 52 ; then + { $as_echo "$as_me:${as_lineno-$LINENO}: pthread library requires OpenBSD 5.2 or later" >&5 +$as_echo "$as_me: pthread library requires OpenBSD 5.2 or later" >&6;} + squid_opt_use_diskthreads="no" + else + SQUID_CFLAGS="$SQUID_CFLAGS -D_REENTRANT" + SQUID_CXXFLAGS="$SQUID_CXXFLAGS -D_REENTRANT" + LDFLAGS="$LDFLAGS -lpthread" + fi + ;; solaris) if test "x$GCC" = "xyes" ; then SQUID_CFLAGS="$SQUID_CFLAGS -D_REENTRANT -pthreads" @@ -31319,7 +31398,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by Squid Web Proxy $as_me 3.3.3, which was +This file was extended by Squid Web Proxy $as_me 3.3.4, which was generated by GNU Autoconf 2.68. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -31385,7 +31464,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -Squid Web Proxy config.status 3.3.3 +Squid Web Proxy config.status 3.3.4 configured by $0, generated by GNU Autoconf 2.68, with options \\"\$ac_cs_config\\" diff -u -r -N squid-3.3.3/configure.ac squid-3.3.4/configure.ac --- squid-3.3.3/configure.ac 2013-03-12 23:18:22.000000000 +1300 +++ squid-3.3.4/configure.ac 2013-04-27 15:35:47.000000000 +1200 @@ -1,4 +1,4 @@ -AC_INIT([Squid Web Proxy],[3.3.3],[http://bugs.squid-cache.org/],[squid]) +AC_INIT([Squid Web Proxy],[3.3.4],[http://bugs.squid-cache.org/],[squid]) AC_PREREQ(2.61) AC_CONFIG_HEADERS([include/autoconf.h]) AC_CONFIG_AUX_DIR(cfgaux) @@ -259,7 +259,7 @@ ]) AC_SUBST(DEFAULT_SWAP_DIR) -if test "x$GCC" = "xyes"; then +if test "$squid_cv_compiler" = "gcc"; then GCCVER=`$CC -v 2>&1 | awk '$2 == "version" {print $3}'` GCCVER2=`echo $GCCVER | awk '{print $1 * 100}'` case "$host" in @@ -276,7 +276,7 @@ dnl Set Default CFLAGS if test "x$PRESET_CFLAGS" = "x"; then - if test "x$GCC" = "xyes"; then + if test "$squid_cv_compiler" = "gcc"; then case "$host" in *-sun-sunos*) # sunos has too many warnings for this to be useful @@ -310,7 +310,7 @@ fi dnl set squid required flags -if test "x$GCC" = "xyes"; then +if test "$squid_cv_compiler" = "gcc"; then case "$squid_host_os" in mingw) dnl Guido Serassio (serassio@squid-cache.org) 20070811 
@@ -590,6 +590,16 @@ fi fi ;; + openbsd) + if test `echo "$squid_host_os_version" | tr -d .` -lt 52 ; then + AC_MSG_NOTICE(pthread library requires OpenBSD 5.2 or later) + squid_opt_use_diskthreads="no" + else + SQUID_CFLAGS="$SQUID_CFLAGS -D_REENTRANT" + SQUID_CXXFLAGS="$SQUID_CXXFLAGS -D_REENTRANT" + LDFLAGS="$LDFLAGS -lpthread" + fi + ;; solaris) if test "x$GCC" = "xyes" ; then SQUID_CFLAGS="$SQUID_CFLAGS -D_REENTRANT -pthreads" diff -u -r -N squid-3.3.3/helpers/basic_auth/DB/basic_db_auth.8 squid-3.3.4/helpers/basic_auth/DB/basic_db_auth.8 --- squid-3.3.3/helpers/basic_auth/DB/basic_db_auth.8 2013-03-12 23:47:08.000000000 +1300 +++ squid-3.3.4/helpers/basic_auth/DB/basic_db_auth.8 2013-04-27 15:59:21.000000000 +1200 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "BASIC_DB_AUTH 1" -.TH BASIC_DB_AUTH 1 "2013-03-12" "perl v5.10.1" "User Contributed Perl Documentation" +.TH BASIC_DB_AUTH 1 "2013-04-26" "perl v5.10.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.3.3/helpers/basic_auth/LDAP/config.test squid-3.3.4/helpers/basic_auth/LDAP/config.test --- squid-3.3.3/helpers/basic_auth/LDAP/config.test 2013-03-12 23:17:07.000000000 +1300 +++ squid-3.3.4/helpers/basic_auth/LDAP/config.test 2013-04-27 15:34:48.000000000 +1200 @@ -1,5 +1,5 @@ #!/bin/sh -if [ -f /usr/include/ldap.h ]; then +if [ -f /usr/include/ldap.h -o -f /usr/local/include/ldap.h ]; then exit 0 fi if [ -f /usr/include/winldap.h ]; then diff -u -r -N squid-3.3.3/helpers/basic_auth/NCSA/basic_ncsa_auth.8 squid-3.3.4/helpers/basic_auth/NCSA/basic_ncsa_auth.8 --- squid-3.3.3/helpers/basic_auth/NCSA/basic_ncsa_auth.8 2013-03-12 23:17:07.000000000 +1300 +++ squid-3.3.4/helpers/basic_auth/NCSA/basic_ncsa_auth.8 2013-04-27 15:34:48.000000000 +1200 
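Review bot: The new openbsd branch's version test breaks when `squid_host_os_version` is empty or not purely numeric: after `tr -d .` the shell `test ... -lt 52` gets a missing or non-integer operand, prints an error and returns false, so the else branch silently links `-lpthread` and enables diskthreads on a version it could not parse. Capture the stripped value in a variable and refuse the unknown case first, e.g. `if test -z "$osver" || test "$osver" -lt 52 ; then`, so an unparseable version keeps `squid_opt_use_diskthreads="no"` rather than guessing. Separately, the solaris branch visible just below still keys on `"x$GCC" = "xyes"` while the earlier hunks of this file switched to `"$squid_cv_compiler" = "gcc"`; since autoconf sets GCC=yes for clang as well, the two tests now answer differently for clang builds, which is fine only if that divergence is intended.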
@@ -20,10 +20,18 @@ .PP This authenticator accepts: .BR +* Blowfish - for passwords 72 characters or less in length +.BR +* SHA256 - with salting and magic strings +.BR +* SHA512 - with salting and magic strings +.BR * MD5 - with optional salt and magic strings .BR * DES - for passwords 8 characters or less in length . +NOTE: Blowfish and SHA algorithms require system-specific support. +. .SH OPTIONS The only parameter is the password file. It must have permissions to be read by the user that Squid is running as. diff -u -r -N squid-3.3.3/helpers/basic_auth/NCSA/basic_ncsa_auth.cc squid-3.3.4/helpers/basic_auth/NCSA/basic_ncsa_auth.cc --- squid-3.3.3/helpers/basic_auth/NCSA/basic_ncsa_auth.cc 2013-03-12 23:17:07.000000000 +1300 +++ squid-3.3.4/helpers/basic_auth/NCSA/basic_ncsa_auth.cc 2013-04-27 15:34:48.000000000 +1200 
@@ -146,21 +146,39 @@ u = (user_data *) hash_lookup(hash, user); if (u == NULL) { SEND_ERR("No such user"); + continue; + } + char *crypted = NULL; + size_t passwordLength = strlen(passwd); #if HAVE_CRYPT - } else if (strlen(passwd) <= 8 && strcmp(u->passwd, (char *) crypt(passwd, u->passwd)) == 0) { - // Bug 3107: crypt() DES functionality silently truncates long passwords. + // Bug 3831: given algorithms more secure than DES crypt() does not truncate, so we can ignore the bug 3107 length checks below + // '$1$' = MD5, '$2a$' = Blowfish, '$5$' = SHA256 (Linux), '$6$' = SHA256 (BSD) and SHA512 + if (passwordLength > 1 && u->passwd[0] == '$' && + (crypted = crypt(passwd, u->passwd)) && strcmp(u->passwd, crypted) == 0) { + SEND_OK(""); + continue; + } + // 'other' prefixes indicate DES algorithm. + if (passwordLength <= 8 && (crypted = crypt(passwd, u->passwd)) && (strcmp(u->passwd, crypted) == 0)) { SEND_OK(""); - } else if (strlen(passwd) > 8 && strcmp(u->passwd, (char *) crypt(passwd, u->passwd)) == 0) { + continue; + } + if (passwordLength > 8 && (crypted = crypt(passwd, u->passwd)) && (strcmp(u->passwd, crypted) == 0)) { // Bug 3107: crypt() DES functionality silently truncates long passwords. SEND_ERR("Password too long. 
Only 8 characters accepted."); + continue; + } + #endif - } else if (strcmp(u->passwd, (char *) crypt_md5(passwd, u->passwd)) == 0) { + if ( (crypted = crypt_md5(passwd, u->passwd)) && strcmp(u->passwd, crypted) == 0) { SEND_OK(""); - } else if (strcmp(u->passwd, (char *) md5sum(passwd)) == 0) { + continue; + } + if ( (crypted = md5sum(passwd)) && strcmp(u->passwd, crypted) == 0) { SEND_OK(""); - } else { - SEND_ERR("Wrong password"); + continue; } + SEND_ERR("Wrong password"); } if (hash != NULL) { hashFreeItems(hash, my_free); diff -u -r -N squid-3.3.3/helpers/basic_auth/SASL/config.test squid-3.3.4/helpers/basic_auth/SASL/config.test --- squid-3.3.3/helpers/basic_auth/SASL/config.test 2013-03-12 23:17:07.000000000 +1300 +++ squid-3.3.4/helpers/basic_auth/SASL/config.test 2013-04-27 15:34:48.000000000 +1200 @@ -1,8 +1,8 @@ #!/bin/sh -if [ -f /usr/include/sasl.h ]; then +if [ -f /usr/include/sasl.h -o -f /usr/local/include/sasl.h ]; then exit 0 fi -if [ -f /usr/include/sasl/sasl.h ]; then +if [ -f /usr/include/sasl/sasl.h -o -f /usr/local/include/sasl/sasl.h ]; then exit 0 fi exit 1 diff -u -r -N squid-3.3.3/helpers/digest_auth/eDirectory/config.test squid-3.3.4/helpers/digest_auth/eDirectory/config.test --- squid-3.3.3/helpers/digest_auth/eDirectory/config.test 2013-03-12 23:17:07.000000000 +1300 +++ squid-3.3.4/helpers/digest_auth/eDirectory/config.test 2013-04-27 15:34:48.000000000 +1200 @@ -1,5 +1,5 @@ #!/bin/sh -if [ -f /usr/include/ldap.h ]; then +if [ -f /usr/include/ldap.h -o -f /usr/local/include/ldap.h ]; then exit 0 fi if [ -f /usr/include/winldap.h ]; then diff -u -r -N squid-3.3.3/helpers/digest_auth/LDAP/config.test squid-3.3.4/helpers/digest_auth/LDAP/config.test --- squid-3.3.3/helpers/digest_auth/LDAP/config.test 2013-03-12 23:17:07.000000000 +1300 +++ squid-3.3.4/helpers/digest_auth/LDAP/config.test 2013-04-27 15:34:48.000000000 +1200 
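Review bot: The new `$`-prefixed branch accepts Blowfish (`$2a$`) hashes without any length check, yet bcrypt silently truncates its input at 72 bytes and the man page updated in this same release says Blowfish is "for passwords 72 characters or less", so a longer password whose first 72 bytes are right is accepted — the same class of problem bug 3107 handled for DES. Reject it before calling crypt(): `if (strncmp(u->passwd, "$2", 2) == 0 && passwordLength > 72) { SEND_ERR("Password too long. Only 72 characters accepted."); continue; }`. The retained DES path still answers `Password too long` only when crypt() of the truncated input matches, which, if that text reaches the client, tells an attacker the first 8 characters are correct — consider returning the generic `Wrong password` there and logging the length problem instead. The comment `'$6$' = SHA256 (BSD) and SHA512` looks wrong: in glibc's crypt() `$5$` is SHA-256 and `$6$` is SHA-512, so `// '$1$' = MD5, '$2a$' = Blowfish/bcrypt, '$5$' = SHA-256, '$6$' = SHA-512 (availability depends on the system crypt())` would be accurate. The enclosing read loop starts before this hunk.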
@@ -1,5 +1,5 @@ #!/bin/sh -if [ -f /usr/include/ldap.h ]; then +if [ -f /usr/include/ldap.h -o -f /usr/local/include/ldap.h ]; then exit 0 fi if [ -f /usr/include/winldap.h ]; then diff -u -r -N squid-3.3.3/helpers/external_acl/eDirectory_userip/config.test squid-3.3.4/helpers/external_acl/eDirectory_userip/config.test --- squid-3.3.3/helpers/external_acl/eDirectory_userip/config.test 2013-03-12 23:17:07.000000000 +1300 +++ squid-3.3.4/helpers/external_acl/eDirectory_userip/config.test 2013-04-27 15:34:48.000000000 +1200 @@ -1,6 +1,6 @@ #!/bin/sh -if [ -f /usr/include/ldap.h ]; then +if [ -f /usr/include/ldap.h -o -f /usr/local/include/ldap.h ]; then exit 0 fi if [ -f /usr/include/winldap.h ]; then diff -u -r -N squid-3.3.3/helpers/external_acl/LDAP_group/config.test squid-3.3.4/helpers/external_acl/LDAP_group/config.test --- squid-3.3.3/helpers/external_acl/LDAP_group/config.test 2013-03-12 23:17:07.000000000 +1300 +++ squid-3.3.4/helpers/external_acl/LDAP_group/config.test 2013-04-27 15:34:48.000000000 +1200 @@ -1,5 +1,5 @@ #!/bin/sh -if [ -f /usr/include/ldap.h ]; then +if [ -f /usr/include/ldap.h -o -f /usr/local/include/ldap.h ]; then exit 0 fi if [ -f /usr/include/winldap.h ]; then diff -u -r -N squid-3.3.3/helpers/external_acl/session/ext_session_acl.8 squid-3.3.4/helpers/external_acl/session/ext_session_acl.8 --- squid-3.3.3/helpers/external_acl/session/ext_session_acl.8 2013-03-12 23:17:07.000000000 +1300 +++ squid-3.3.4/helpers/external_acl/session/ext_session_acl.8 2013-04-27 15:34:48.000000000 +1200 @@ -68,7 +68,7 @@ acl with the argument .B LOGIN , or terminated by the argument -.B LOGOUT . +.B LOGOUT \. Without this flag the helper automatically starts the session after the first request. .SH CONFIGURATION 
@@ -79,7 +79,7 @@ .B must be specified in the configuration. .PP -Configuration example using the default automatic mode +Passive session configuration example using the default automatic mode .if !'po4a'hide' .RS .if !'po4a'hide' .B external_acl_type session ttl=300 negative_ttl=0 children=1 concurrency=200 %LOGIN /usr/local/squid/libexec/ext_session_acl .if !'po4a'hide' .br diff -u -r -N squid-3.3.3/helpers/external_acl/SQL_session/ext_sql_session_acl.8 squid-3.3.4/helpers/external_acl/SQL_session/ext_sql_session_acl.8 --- squid-3.3.3/helpers/external_acl/SQL_session/ext_sql_session_acl.8 2013-03-12 23:47:16.000000000 +1300 +++ squid-3.3.4/helpers/external_acl/SQL_session/ext_sql_session_acl.8 2013-04-27 15:59:25.000000000 +1200 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "EXT_SQL_SESSION_ACL 1" -.TH EXT_SQL_SESSION_ACL 1 "2013-03-12" "perl v5.10.1" "User Contributed Perl Documentation" +.TH EXT_SQL_SESSION_ACL 1 "2013-04-26" "perl v5.10.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.3.3/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 squid-3.3.4/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 --- squid-3.3.3/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 2013-03-12 23:47:17.000000000 +1300 +++ squid-3.3.4/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.8 2013-04-27 15:59:26.000000000 +1200 
@@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "EXT_WBINFO_GROUP_ACL.PL.IN 1" -.TH EXT_WBINFO_GROUP_ACL.PL.IN 1 "2013-03-12" "perl v5.10.1" "User Contributed Perl Documentation" +.TH EXT_WBINFO_GROUP_ACL.PL.IN 1 "2013-04-26" "perl v5.10.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.3.3/helpers/log_daemon/DB/log_db_daemon.8 squid-3.3.4/helpers/log_daemon/DB/log_db_daemon.8 --- squid-3.3.3/helpers/log_daemon/DB/log_db_daemon.8 2013-03-12 23:47:18.000000000 +1300 +++ squid-3.3.4/helpers/log_daemon/DB/log_db_daemon.8 2013-04-27 15:59:26.000000000 +1200 @@ -124,7 +124,7 @@ .\" ======================================================================== .\" .IX Title "LOG_DB_DAEMON 1" -.TH LOG_DB_DAEMON 1 "2013-03-12" "perl v5.10.1" "User Contributed Perl Documentation" +.TH LOG_DB_DAEMON 1 "2013-04-26" "perl v5.10.1" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff -u -r -N squid-3.3.3/include/version.h squid-3.3.4/include/version.h --- squid-3.3.3/include/version.h 2013-03-12 23:18:22.000000000 +1300 +++ squid-3.3.4/include/version.h 2013-04-27 15:35:47.000000000 +1200 @@ -7,7 +7,7 @@ */ #ifndef SQUID_RELEASE_TIME -#define SQUID_RELEASE_TIME 1363083425 +#define SQUID_RELEASE_TIME 1367033686 #endif #ifndef APP_SHORTNAME diff -u -r -N squid-3.3.3/RELEASENOTES.html squid-3.3.4/RELEASENOTES.html --- squid-3.3.3/RELEASENOTES.html 2013-03-12 23:47:40.000000000 +1300 +++ squid-3.3.4/RELEASENOTES.html 2013-04-27 16:00:02.000000000 +1200 @@ -2,10 +2,10 @@ - Squid 3.3.3 release notes + Squid 3.3.4 release notes -

Squid 3.3.3 release notes

+

Squid 3.3.4 release notes

Squid Developers


@@ -56,7 +56,7 @@

1. Notice

-

The Squid Team are pleased to announce the release of Squid-3.3.3.

+

The Squid Team are pleased to announce the release of Squid-3.3.4.

This new release is available for download from http://www.squid-cache.org/Versions/v3/3.3/ or the mirrors.

diff -u -r -N squid-3.3.3/src/cache_cf.cc squid-3.3.4/src/cache_cf.cc --- squid-3.3.3/src/cache_cf.cc 2013-03-12 23:17:07.000000000 +1300 +++ squid-3.3.4/src/cache_cf.cc 2013-04-27 15:34:48.000000000 +1200 @@ -655,6 +655,7 @@ memConfigure(); /* Sanity checks */ + Config.cacheSwap.n_strands = 0; // no diskers by default if (Config.cacheSwap.swapDirs == NULL) { /* Memory-only cache probably in effect. */ /* turn off the cache rebuild delays... */ diff -u -r -N squid-3.3.3/src/cf.data.pre squid-3.3.4/src/cf.data.pre --- squid-3.3.3/src/cf.data.pre 2013-03-12 23:17:07.000000000 +1300 +++ squid-3.3.4/src/cf.data.pre 2013-04-27 15:34:48.000000000 +1200 @@ -327,7 +327,7 @@ If you want to use the traditional NCSA proxy authentication, set this line to something like - auth_param basic program @DEFAULT_PREFIX@/libexec/ncsa_auth @DEFAULT_PREFIX@/etc/passwd + auth_param basic program @DEFAULT_PREFIX@/libexec/basic_ncsa_auth @DEFAULT_PREFIX@/etc/passwd "utf8" on|off HTTP uses iso-latin-1 as character set, while some authentication @@ -477,7 +477,7 @@ of type proxy_auth. By default, the NTLM authenticator_program is not used. - auth_param ntlm program @DEFAULT_PREFIX@/bin/ntlm_auth + auth_param ntlm program /usr/bin/ntlm_auth "children" numberofchildren [startup=N] [idle=N] The maximum number of authenticator processes to spawn (default 5). @@ -518,7 +518,7 @@ The only supported program for this role is the ntlm_auth program distributed as part of Samba, version 4 or later. - auth_param negotiate program @DEFAULT_PREFIX@/bin/ntlm_auth --helper-protocol=gss-spnego + auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego "children" numberofchildren [startup=N] [idle=N] The maximum number of authenticator processes to spawn (default 5). 
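Review bot: The added `Config.cacheSwap.n_strands = 0; // no diskers by default` says what it does but not why the reset belongs in the sanity-check section after memConfigure(), nor where the count is rebuilt, so a reader cannot tell whether removing it would only affect first start-up or also reconfigure. Presumably the disker count is recomputed when the rock cache_dir entries are (re)parsed and this guards against a stale value surviving `squid -k reconfigure` (the bundled 3.2.10 ChangeLog lists Bug 3774, "'squid -k reconfigure' drops rock cache"), but that is inferred; confirm and record it, e.g. `// Start every (re)configure with zero diskers; the count is rebuilt from the rock cache_dir entries, otherwise a stale value from the previous configuration would persist.` The enclosing function starts before this hunk.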
@@ -1028,6 +1028,7 @@ IFDEF: FOLLOW_X_FORWARDED_FOR LOC: Config.accessList.followXFF DEFAULT_IF_NONE: deny all +DEFAULT_DOC: X-Forwarded-For header will be ignored. DOC_START Allowing or Denying the X-Forwarded-For header to be followed to find the original source of a request. @@ -1137,6 +1138,7 @@ TYPE: acl_access LOC: Config.accessList.http DEFAULT_IF_NONE: deny all +DEFAULT_DOC: Deny, unless rules exist in squid.conf. DOC_START Allowing or Denying access based on defined access lists @@ -1163,16 +1165,16 @@ # # Recommended minimum Access Permission configuration: # -# Only allow cachemgr access from localhost -http_access allow localhost manager -http_access deny manager - # Deny requests to certain unsafe ports http_access deny !Safe_ports # Deny CONNECT to other than secure SSL ports http_access deny CONNECT !SSL_ports +# Only allow cachemgr access from localhost +http_access allow localhost manager +http_access deny manager + # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user @@ -1197,6 +1199,7 @@ TYPE: acl_access LOC: Config.accessList.adapted_http DEFAULT: none +DEFAULT_DOC: Allow, unless rules exist in squid.conf. DOC_START Allowing or Denying access based on defined access lists @@ -1211,13 +1214,14 @@ TYPE: acl_access LOC: Config.accessList.reply DEFAULT: none +DEFAULT_DOC: Allow, unless rules exist in squid.conf. DOC_START Allow replies to client requests. This is complementary to http_access. http_reply_access allow|deny [!] aclname ... NOTE: if there are no access lines present, the default is to allow - all replies + all replies. If none of the access lines cause a match the opposite of the last line will apply. Thus it is good practice to end the rules 
@@ -1230,14 +1234,17 @@ NAME: icp_access TYPE: acl_access LOC: Config.accessList.icp -DEFAULT_IF_NONE: deny all +DEFAULT: none +DEFAULT_DOC: Deny, unless rules exist in squid.conf. DOC_START Allowing or Denying access to the ICP port based on defined access lists icp_access allow|deny [!]aclname ... - See http_access for details + NOTE: The default if no icp_access lines are present is to + deny all traffic. This default may cause problems with peers + using ICP. This clause only supports fast acl types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -1251,14 +1258,16 @@ IFDEF: USE_HTCP TYPE: acl_access LOC: Config.accessList.htcp -DEFAULT_IF_NONE: deny all +DEFAULT: none +DEFAULT_DOC: Deny, unless rules exist in squid.conf. DOC_START Allowing or Denying access to the HTCP port based on defined access lists htcp_access allow|deny [!]aclname ... - See http_access for details + See also htcp_clr_access for details on access control for + cache purge (CLR) HTCP messages. NOTE: The default if no htcp_access lines are present is to deny all traffic. This default may cause problems with peers 
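Review bot: Replacing `DEFAULT_IF_NONE: deny all` with `DEFAULT: none` for icp_access (and, in the htcp_access hunk right after it, for htcp_access) removes the explicit deny rule the parser used to install when squid.conf had no lines, so the documented default ("Deny, unless rules exist") now depends entirely on the ICP and HTCP access-check code treating an absent list as denied. If that code path ever answers allow, or an indeterminate result that a caller treats as allow, for a NULL list, the ICP and HTCP ports become reachable by any host; please point at the check that enforces the deny, or keep `DEFAULT_IF_NONE: deny all` next to the new `DEFAULT_DOC` line so the policy does not rely on code behaviour. It would also help operators to extend the NOTE with: `If ICP is not used, configure icp_access deny all explicitly rather than relying on the built-in default.`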
@@ -1276,27 +1285,29 @@ IFDEF: USE_HTCP TYPE: acl_access LOC: Config.accessList.htcp_clr -DEFAULT_IF_NONE: deny all +DEFAULT: none +DEFAULT_DOC: Deny, unless rules exist in squid.conf. DOC_START Allowing or Denying access to purge content using HTCP based - on defined access lists + on defined access lists. + See htcp_access for details on general HTCP access control. htcp_clr_access allow|deny [!]aclname ... - See http_access for details - This clause only supports fast acl types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. # Allow HTCP CLR requests from trusted peers -acl htcp_clr_peer src 172.16.1.2 +acl htcp_clr_peer src 192.0.2.2 2001:DB8::2 htcp_clr_access allow htcp_clr_peer +htcp_clr_access deny all DOC_END NAME: miss_access TYPE: acl_access LOC: Config.accessList.miss DEFAULT: none +DEFAULT_DOC: Allow, unless rules exist in squid.conf. DOC_START Determins whether network access is permitted when satisfying a request. @@ -1304,15 +1315,14 @@ to force your neighbors to use you as a sibling instead of a parent. - acl localclients src 172.16.0.0/16 - miss_access allow localclients + acl localclients src 192.0.2.0/24 2001:DB8::a:0/64 miss_access deny !localclients + miss_access allow all This means only your local clients are allowed to fetch relayed/MISS replies from the network and all other clients can only fetch cached objects (HITs). - The default for this setting allows all clients who passed the http_access rules to relay via this proxy. @@ -1323,7 +1333,8 @@ NAME: ident_lookup_access TYPE: acl_access IFDEF: USE_IDENT -DEFAULT_IF_NONE: deny all +DEFAULT: none +DEFAULT_DOC: Unless rules exist in squid.conf, IDENT is not fetched. LOC: Ident::TheConfig.identLookup DOC_START A list of ACL elements which, if matched, cause an ident 
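Review bot: htcp_clr_access gates cache purges, so dropping `DEFAULT_IF_NONE: deny all` in favour of `DEFAULT: none` is the highest-impact instance of this change: if an empty list were ever evaluated as allow, any peer able to send HTCP CLR could evict content from the cache. The example's new trailing `htcp_clr_access deny all` is the right pattern, but the text should also state what happens with no lines at all, e.g. after the usage line: `With no htcp_clr_access lines configured all CLR requests are refused; list trusted peers explicitly and always end with deny all.` The new example addresses `192.0.2.2 2001:DB8::2` are RFC documentation ranges, which is a better choice than the private address they replace.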
@@ -1352,6 +1363,7 @@ COMMENT: size [acl acl...] TYPE: acl_b_size_t DEFAULT: none +DEFAULT_DOC: No limit is applied. LOC: Config.ReplyBodySize DOC_START This option specifies the maximum size of a reply body. It can be @@ -1922,6 +1934,7 @@ NAME: tcp_outgoing_address TYPE: acl_address DEFAULT: none +DEFAULT_DOC: Address selection is performed by the operating system. LOC: Config.accessList.outgoing_address DOC_START Allows you to map requests to different outgoing IP addresses @@ -2102,6 +2115,7 @@ NAME: sslproxy_version IFDEF: USE_SSL DEFAULT: 1 +DEFAULT_DOC: automatic SSL/TLS version negotiation LOC: Config.ssl_client.version TYPE: int DOC_START @@ -2182,6 +2196,7 @@ IFDEF: USE_SSL TYPE: sslproxy_ssl_bump LOC: Config.accessList.ssl_bump +DEFAULT_DOC: Does not bump unless rules are present in squid.conf DEFAULT: none DOC_START This option is consulted when a CONNECT request is received on @@ -2228,7 +2243,7 @@ # Example: Bump all requests except those originating from - # localhost and those going to example.com. + # localhost or those going to example.com. acl broken_sites dstdomain .example.com ssl_bump none localhost @@ -2252,6 +2267,7 @@ NAME: sslproxy_cert_error IFDEF: USE_SSL DEFAULT: none +DEFAULT_DOC: Server certificate errors terminate the transaction. LOC: Config.ssl_client.cert_error TYPE: acl_access DOC_START 
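Review bot: The new `DEFAULT_DOC: automatic SSL/TLS version negotiation` for sslproxy_version tells operators nothing about which protocol versions "automatic" may settle on, and for the OpenSSL releases of this period the library default can still accept SSLv3, so an operator reading this would not know they must set the directive explicitly to forbid old protocols. Suggest `DEFAULT_DOC: automatic SSL/TLS version negotiation (whatever the OpenSSL library permits; set an explicit version to exclude obsolete protocols)`, hedged as appropriate if the behaviour differs across the supported OpenSSL versions. The other DEFAULT_DOC additions in this hunk read clearly.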
@@ -2270,13 +2286,14 @@ Using slow acl types may result in server crashes Without this option, all server certificate validation errors - terminate the transaction. Bypassing validation errors is dangerous - because an error usually implies that the server cannot be trusted and - the connection may be insecure. + terminate the transaction to protect Squid and the client. - See also: sslproxy_flags and DONT_VERIFY_PEER. + SECURITY WARNING: + Bypassing validation errors is dangerous because an + error usually implies that the server cannot be trusted + and the connection may be insecure. - Default setting: sslproxy_cert_error deny all + See also: sslproxy_flags and DONT_VERIFY_PEER. DOC_END NAME: sslproxy_cert_sign @@ -2292,14 +2309,17 @@ sslproxy_cert_sign acl ... The following certificate signing algorithms are supported: + signTrusted Sign using the configured CA certificate which is usually placed in and trusted by end-user browsers. This is the default for trusted origin server certificates. + signUntrusted Sign to guarantee an X509_V_ERR_CERT_UNTRUSTED browser error. This is the default for untrusted origin server certificates that are not self-signed (see ssl::certUntrusted). + signSelf Sign using a self-signed certificate with the right CN to generate a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT error in the @@ -2322,7 +2342,7 @@ bump-server-first is used. DOC_END -NAME: sslproxy_cert_adapt +NAME: sslproxy_cert_adapt IFDEF: USE_SSL DEFAULT: none TYPE: sslproxy_cert_adapt 
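Review bot: The new SECURITY WARNING block for sslproxy_cert_error ends with `See also: sslproxy_flags and DONT_VERIFY_PEER` without saying what that flag does, so the reader who just learned that bypassing validation errors is dangerous is sent to a flag that, if its name is accurate, disables peer verification entirely and is therefore a broader bypass than any sslproxy_cert_error ACL. Add one sentence after the See also line, e.g. `sslproxy_flags DONT_VERIFY_PEER disables server certificate validation altogether; prefer a narrow sslproxy_cert_error ACL over that flag.` (Confirm the flag's semantics against the sslproxy_flags documentation before wording it.)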
@@ -2332,12 +2352,15 @@ sslproxy_cert_adapt acl ... The following certificate adaptation algorithms are supported: + setValidAfter Sets the "Not After" property to the "Not After" property of the CA certificate used to sign generated certificates. + setValidBefore Sets the "Not Before" property to the "Not Before" property of the CA certificate used to sign generated certificates. + setCommonName or setCommonName{CN} Sets Subject.CN property to the host name specified as a CN parameter or, if no explicit CN parameter was specified, @@ -2799,10 +2822,11 @@ LOC: none DOC_START Use to limit the domains for which a neighbor cache will be - queried. Usage: + queried. - cache_peer_domain cache-host domain [domain ...] - cache_peer_domain cache-host !domain + Usage: + cache_peer_domain cache-host domain [domain ...] + cache_peer_domain cache-host !domain For example, specifying @@ -2833,7 +2857,8 @@ Similar to 'cache_peer_domain' but provides more flexibility by using ACL elements. - cache_peer_access cache-host allow|deny [!]aclname ... + Usage: + cache_peer_access cache-host allow|deny [!]aclname ... The syntax is identical to 'http_access' and the other lists of ACL elements. See the comments for 'http_access' below, or 
@@ -2843,21 +2868,21 @@ NAME: neighbor_type_domain TYPE: hostdomaintype DEFAULT: none +DEFAULT_DOC: The peer type from cache_peer directive is used for all requests to that peer. LOC: none DOC_START - usage: neighbor_type_domain neighbor parent|sibling domain domain ... + Modify the cache_peer neighbor type when passing requests + about specific domains to the peer. - Modifying the neighbor type for specific domains is now - possible. You can treat some domains differently than the - default neighbor type specified on the 'cache_peer' line. - Normally it should only be necessary to list domains which - should be treated differently because the default neighbor type - applies for hostnames which do not match domains listed here. + Usage: + neighbor_type_domain neighbor parent|sibling domain domain ... -EXAMPLE: - cache_peer cache.foo.org parent 3128 3130 - neighbor_type_domain cache.foo.org sibling .com .net - neighbor_type_domain cache.foo.org sibling .au .de + For example: + cache_peer foo.example.com parent 3128 3130 + neighbor_type_domain foo.example.com sibling .au .de + + The above configuration treats all requests to foo.example.com as a + parent proxy unless the request is for a .au or .de ccTLD domain name. DOC_END NAME: dead_peer_timeout @@ -3001,6 +3026,7 @@ TYPE: memcachemode LOC: Config DEFAULT: always +DEFAULT_DOC: Keep the most recently fetched objects in memory DOC_START Controls which objects to keep in the memory cache (cache_mem) @@ -3021,7 +3047,7 @@ The memory replacement policy parameter determines which objects are purged from memory when memory space is needed. - See cache_replacement_policy for details. + See cache_replacement_policy for details on algorithms. DOC_END COMMENT_START 
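Review bot: The closing sentence of the new neighbor_type_domain example in hunk @@ -2843 reads `The above configuration treats all requests to foo.example.com as a parent proxy unless the request is for a .au or .de ccTLD domain name.`, which says the requests are "to" the peer and that the requests are "treated as a parent"; it is the peer that is used as a parent, for requests destined elsewhere. Suggest `The above configuration uses foo.example.com as a parent for all requests, except requests for .au or .de domains, where it is treated as a sibling.` so the sentence matches the Usage line directly above it.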
@@ -3042,7 +3068,7 @@ heap LFUDA: Least Frequently Used with Dynamic Aging heap LRU : LRU policy implemented using a heap - Applies to any cache_dir lines listed below this. + Applies to any cache_dir lines listed below this directive. The LRU policies keeps recently referenced objects. @@ -3072,11 +3098,11 @@ NAME: cache_dir TYPE: cachedir DEFAULT: none +DEFAULT_DOC: No disk cache. Store cache ojects only in memory. LOC: Config.cacheSwap DOC_START - Usage: - - cache_dir Type Directory-Name Fs-specific-data [options] + Format: + cache_dir Type Directory-Name Fs-specific-data [options] You can specify multiple cache_dir lines to spread the cache among different disk partitions. @@ -3095,12 +3121,14 @@ and should use configuration macros or conditionals to give each worker interested in disk caching a dedicated cache directory. - The ufs store type: + + ==== The ufs store type ==== "ufs" is the old well-known Squid storage format that has always been there. - cache_dir ufs Directory-Name Mbytes L1 L2 [options] + Usage: + cache_dir ufs Directory-Name Mbytes L1 L2 [options] 'Mbytes' is the amount of disk space (MB) to use under this directory. The default is 100 MB. Change this to suit your 
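Review bot: The new DEFAULT_DOC line for cache_dir in hunk @@ -3072 misspells "objects": `DEFAULT_DOC: No disk cache. Store cache ojects only in memory.`. DEFAULT_DOC text is emitted into the generated configuration documentation, so the typo becomes user-visible; change it to `DEFAULT_DOC: No disk cache. Store cache objects only in memory.`.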
@@ -3115,23 +3143,27 @@ will be created under each first-level directory. The default is 256. - The aufs store type: + + ==== The aufs store type ==== "aufs" uses the same storage format as "ufs", utilizing POSIX-threads to avoid blocking the main Squid process on disk-I/O. This was formerly known in Squid as async-io. - cache_dir aufs Directory-Name Mbytes L1 L2 [options] + Usage: + cache_dir aufs Directory-Name Mbytes L1 L2 [options] see argument descriptions under ufs above - The diskd store type: + + ==== The diskd store type ==== "diskd" uses the same storage format as "ufs", utilizing a separate process to avoid blocking the main Squid process on disk-I/O. - cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] + Usage: + cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n] see argument descriptions under ufs above @@ -3149,8 +3181,10 @@ higher hit ratio at the expense of an increase in response time. - The rock store type: + ==== The rock store type ==== + + Usage: cache_dir rock Directory-Name Mbytes [options] The Rock Store type is a database-style storage. All cached @@ -3189,7 +3223,7 @@ enforcement. Currently supported by IpcIo module only. - The coss store type: + ==== The coss store type ==== NP: COSS filesystem in Squid-3 has been deemed too unstable for production use and has thus been removed from this release. 
@@ -3207,24 +3241,31 @@ called 'stripe' in the directory names in the config - and this will be created by squid -z. - Common options: - no-store, no new objects should be stored to this cache_dir + ==== COMMON OPTIONS ==== + + no-store no new objects should be stored to this cache_dir. - min-size=n, refers to the min object size in bytes this cache_dir - will accept. It's used to restrict a cache_dir to only store - large objects (e.g. aufs) while other storedirs are optimized - for smaller objects (e.g. COSS). Defaults to 0. + min-size=n the minimum object size in bytes this cache_dir + will accept. It's used to restrict a cache_dir + to only store large objects (e.g. AUFS) while + other stores are optimized for smaller objects + (e.g. COSS). + Defaults to 0. + + max-size=n the maximum object size in bytes this cache_dir + supports. + The value in maximum_object_size directive, sets + a default unless more specific details are available + about the cache_dir (ie a small store capacity). - max-size=n, refers to the max object size in bytes this cache_dir - supports. It is used to select the cache_dir to store the object. Note: To make optimal use of the max-size limits you should order - the cache_dir lines with the smallest max-size value first and the - ones with no max-size specification last. + the cache_dir lines with the smallest max-size value first. Note for coss, max-size must be less than COSS_MEMBUF_SZ, which can be changed with the --with-coss-membuf-size=N configure option. + NOCOMMENT_START # Uncomment and adjust the following to add a disk cache directory. 
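Review bot: The new max-size explanation in hunk @@ -3207 is hard to parse: `The value in maximum_object_size directive, sets a default unless more specific details are available about the cache_dir (ie a small store capacity).` has a stray comma splitting subject and verb and an unpunctuated "ie". Suggest `The maximum_object_size directive sets the default unless more specific details are available about the cache_dir (i.e. a small store capacity).`. The following context paragraph still documents a coss-specific max-size limit although the same file now says the coss store type has been removed from this release; if that is accurate, the paragraph could be dropped in the same cleanup.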
@@ -3237,13 +3278,54 @@ LOC: Config.store_dir_select_algorithm DEFAULT: least-load DOC_START - Set this to 'round-robin' as an alternative. + How Squid selects which cache_dir to use when the response + object will fit into more than one. + + Regardless of which algorithm is used the cache_dir min-size + and max-size parameters are obeyed. As such they can affect + the selection algorithm by limiting the set of considered + cache_dir. + + Algorithms: + + least-load + + This algorithm is suited to caches with similar cache_dir + sizes and disk speeds. + + The disk with the least I/O pending is selected. + When there are multiple disks with the same I/O load ranking + the cache_dir with most available capacity is selected. + + When a mix of cache_dir sizes are configured the faster disks + have a naturally lower I/O loading and larger disks have more + capacity. So space used to store objects and data throughput + may be very unbalanced towards larger disks. + + + round-robin + + This algorithm is suited to caches with unequal cache_dir + disk sizes. + + Each cache_dir is selected in a rotation. The next suitable + cache_dir is used. + + Available cache_dir capacity is only considered in relation + to whether the object will fit and meets the min-size and + max-size parameters. + + Disk I/O loading is only considered to prevent overload on slow + disks. This algorithm does not spread objects by size, so any + I/O loading per-disk may appear very unbalanced and volatile. + DOC_END NAME: max_open_disk_fds TYPE: int LOC: Config.max_open_disk_fds DEFAULT: 0 +DEFAULT_DOC: no limit DOC_START To avoid having disk as the I/O bottleneck Squid can optionally bypass the on-disk cache if more than this amount of disk file 
@@ -3256,11 +3338,12 @@ COMMENT: (bytes) TYPE: b_int64_t DEFAULT: 0 KB +DEFAULT_DOC: no limit LOC: Config.Store.minObjectSize DOC_START Objects smaller than this size will NOT be saved on disk. The - value is specified in kilobytes, and the default is 0 KB, which - means there is no minimum. + value is specified in bytes, and the default is 0 KB, which + means all responses can be stored. DOC_END NAME: maximum_object_size @@ -3290,7 +3373,20 @@ TYPE: int DEFAULT: 90 LOC: Config.Swap.lowWaterMark -DOC_NONE +DOC_START + The low-water mark for cache object replacement. + Replacement begins when the swap (disk) usage is above the + low-water mark and attempts to maintain utilization near the + low-water mark. As swap utilization gets close to high-water + mark object eviction becomes more aggressive. If utilization is + close to the low-water mark less replacement is done each time. + + Defaults are 90% and 95%. If you have a large cache, 5% could be + hundreds of MB. If this is the case you may wish to set these + numbers closer together. + + See also cache_swap_high +DOC_END NAME: cache_swap_high COMMENT: (percent, 0-100) @@ -3298,8 +3394,7 @@ DEFAULT: 95 LOC: Config.Swap.highWaterMark DOC_START - - The low- and high-water marks for cache object replacement. + The high-water mark for cache object replacement. Replacement begins when the swap (disk) usage is above the low-water mark and attempts to maintain utilization near the low-water mark. As swap utilization gets close to high-water @@ -3309,6 +3404,8 @@ Defaults are 90% and 95%. If you have a large cache, 5% could be hundreds of MB. If this is the case you may wish to set these numbers closer together. + + See also cache_swap_low DOC_END COMMENT_START @@ -3320,6 +3417,7 @@ TYPE: logformat LOC: Log::TheConfig DEFAULT: none +DEFAULT_DOC: The format definitions squid, common, combined, referrer, useragent are built in. DOC_START Usage: 
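Review bot: The rewritten minimum_object_size sentence in hunk @@ -3256 overstates the effect of the default: `value is specified in bytes, and the default is 0 KB, which means all responses can be stored.` reads as a guarantee of storability, while maximum_object_size and the per-cache_dir min-size/max-size limits documented elsewhere in this file still apply. Suggest `value is specified in bytes, and the default is 0 KB, which means no minimum size is enforced.` which states only what this directive controls.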
@@ -3700,6 +3798,7 @@ TYPE: acl_access LOC: Config.accessList.log DEFAULT: none +DEFAULT_DOC: Allow logging for all transactions. COMMENT: allow|deny acl acl... DOC_START This options allows you to control which requests gets logged @@ -3715,6 +3814,7 @@ IFDEF: ICAP_CLIENT LOC: Config.accessList.icap DEFAULT: none +DEFAULT_DOC: Allow logging for all ICAP transactions. DOC_START This options allows you to control which requests get logged to icap.log. See the icap_log directive for ICAP log details. @@ -3743,6 +3843,7 @@ TYPE: string LOC: Config.Log.swap DEFAULT: none +DEFAULT_DOC: Store the journal inside its cache_dir DOC_START Location for the cache "swap.state" file. This index file holds the metadata of objects saved on disk. It is used to rebuild @@ -3792,8 +3893,8 @@ in the habit of using 'squid -k rotate' instead of 'kill -USR1 '. - Note, from Squid-3.1 this option has no effect on the cache.log, - that log can be rotated separately by using debug_options + Note, from Squid-3.1 this option is only a default for cache.log, + that log can be rotated separately by using debug_options. DOC_END NAME: emulate_httpd_log @@ -3813,9 +3914,10 @@ DEFAULT: @DEFAULT_MIME_TABLE@ LOC: Config.mimeTablePathname DOC_START - Pathname to Squid's MIME table. You shouldn't need to change - this, but the default file contains examples and formatting - information if you do. + Path to Squid's icon configuration file. + + You shouldn't need to change this, but the default file contains + examples and formatting information if you do. DOC_END NAME: log_mime_hdrs @@ -3861,6 +3963,7 @@ TYPE: address LOC: Config.Addrs.client_netmask DEFAULT: no_addr +DEFAULT_DOC: Log full client IP address DOC_START A netmask for client addresses in logfiles and cachemgr output. Change this to protect the privacy of your cache clients. 
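Review bot: Hunk @@ -3813 replaces the mime_table description "Pathname to Squid's MIME table" with `Path to Squid's icon configuration file.`, which no longer matches the directive name, its LOC Config.mimeTablePathname or its DEFAULT @DEFAULT_MIME_TABLE@; a reader looking for where MIME types are configured will not find this entry by its description. Suggest keeping `Path to Squid's MIME table.` as the first sentence and, if the icon mapping is the point worth highlighting, adding it as a second sentence rather than replacing the name.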
@@ -3880,7 +3983,10 @@ DEFAULT: on DOC_START By default, Squid strips query terms from requested URLs before - logging. This protects your user's privacy. + logging. This protects your user's privacy and reduces log size. + + When investigating HIT/MISS or other caching behaviour you + will need to disable this to see the full URL used by Squid. DOC_END NAME: buffered_logs @@ -3889,11 +3995,18 @@ DEFAULT: off LOC: Config.onoff.buffered_logs DOC_START - cache.log log file is written with stdio functions, and as such - it can be buffered or unbuffered. By default it will be unbuffered. - Buffering it can speed up the writing slightly (though you are - unlikely to need to worry unless you run with tons of debugging - enabled in which case performance will suffer badly anyway..). + Whether to write/send access_log records ASAP or accumulate them and + then write/send them in larger chunks. Buffering may improve + performance because it decreases the number of I/Os. However, + buffering increases the delay before log records become available to + the final recipient (e.g., a disk file or logging daemon) and, + hence, increases the risk of log records loss. + + Note that even when buffered_logs are off, Squid may have to buffer + records if it cannot write/send them immediately due to pending I/Os + (e.g., the I/O writing the previous log record) or connectivity loss. + + Currently honored by 'daemon' access_log module only. DOC_END NAME: netdb_filename @@ -3902,7 +4015,9 @@ LOC: Config.netdbFilename IFDEF: USE_ICMP DOC_START - A filename where Squid stores it's netdb state between restarts. + Where Squid stores it's netdb journal. + When enabled this journal preserves netdb state between restarts. + To disable, enter "none". DOC_END 
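Review bot: Three new lines on this physical line carry wording slips. Hunk @@ -3880 writes `logging. This protects your user's privacy and reduces log size.` where the plural possessive `users'` is meant; hunk @@ -3889 says `hence, increases the risk of log records loss.` where `log record loss` is meant; and hunk @@ -3902 keeps the old possessive error in its replacement line, `Where Squid stores it's netdb journal.`, which should read `Where Squid stores its netdb journal.`.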
@@ -3916,14 +4031,17 @@ DEFAULT_IF_NONE: @DEFAULT_CACHE_LOG@ LOC: Debug::cache_log DOC_START - Cache logging file. This is where general information about - your cache's behavior goes. You can increase the amount of data - logged to this file and how often its rotated with "debug_options" + Squid administrative logging file. + + This is where general information about Squid behavior goes. You can + increase the amount of data logged to this file and how often it is + rotated with "debug_options" DOC_END NAME: debug_options TYPE: eol DEFAULT: ALL,1 +DEFAULT_DOC: Log all critical and important messages. LOC: Debug::debugOptions DOC_START Logging options are set as section,level where each source file @@ -3932,7 +4050,7 @@ log file, so be careful. The magic word "ALL" sets debugging levels for all sections. - We recommend normally running with "ALL,1". + The default is to run with "ALL,1" to record important warnings. The rotate=N option can be used to keep more or less of these logs than would otherwise be kept by logfile_rotate. @@ -3944,6 +4062,7 @@ TYPE: string LOC: Config.coredump_dir DEFAULT_IF_NONE: none +DEFAULT_DOC: Use the directory from where Squid was started. DOC_START By default Squid leaves core files in the directory from where it was started. If you set 'coredump_dir' to a directory @@ -3969,13 +4088,13 @@ LOC: Config.Ftp.anon_user DOC_START If you want the anonymous login password to be more informative - (and enable the use of picky ftp servers), set this to something + (and enable the use of picky FTP servers), set this to something reasonable for your domain, like wwwuser@somewhere.net The reason why this is domainless by default is the request can be made on the behalf of a user in any domain, depending on how the cache is used. - Some ftp server also validate the email address is valid + Some FTP server also validate the email address is valid (for example perl.com). DOC_END 
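Review bot: The ftp_user rewrite in hunk @@ -3969 changes only the capitalisation of "ftp" and leaves the agreement error in the new line `Some FTP server also validate the email address is valid`; suggest `Some FTP servers also validate that the email address is valid`. In hunk @@ -3916 the new cache_log sentence ends without punctuation, `rotated with "debug_options"` should be `rotated with "debug_options".`.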
@@ -4226,11 +4345,11 @@ NAME: url_rewrite_access redirector_access TYPE: acl_access DEFAULT: none +DEFAULT_DOC: Allow, unless rules exist in squid.conf. LOC: Config.accessList.redirector DOC_START If defined, this access list specifies which requests are - sent to the redirector processes. By default all requests - are sent. + sent to the redirector processes. This clause supports both fast and slow acl types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. @@ -4242,7 +4361,7 @@ DEFAULT: off DOC_START When this is 'on', a request will not go through the - redirector if all redirectors are busy. If this is 'off' + redirector if all the helpers are busy. If this is 'off' and the redirector queue grows too large, Squid will exit with a FATAL error and ask you to increase the number of redirectors. You should only enable this if the redirectors @@ -4260,6 +4379,7 @@ NAME: cache no_cache TYPE: acl_access DEFAULT: none +DEFAULT_DOC: Allow caching, unless rules exist in squid.conf. LOC: Config.accessList.noCache DOC_START A list of ACL elements which, if matched and denied, cause the request to @@ -4269,8 +4389,6 @@ You must use the words 'allow' or 'deny' to indicate whether items matching the ACL should be allowed or denied into the cache. - Default is to allow all to be cached. - This clause supports both fast and slow acl types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. DOC_END @@ -4399,7 +4517,9 @@ NOCOMMENT_START +# # Add any of your own refresh_pattern entries above these. +# refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 
@@ -4557,13 +4677,15 @@ DEFAULT: 60 seconds DOC_START The minimum caching time according to (Expires - Date) - Headers Squid honors if the object can't be revalidated - defaults to 60 seconds. In reverse proxy environments it - might be desirable to honor shorter object lifetimes. It - is most likely better to make your server return a - meaningful Last-Modified header however. In ESI environments - where page fragments often have short lifetimes, this will - often be best set to 0. + headers Squid honors if the object can't be revalidated. + The default is 60 seconds. + + In reverse proxy environments it might be desirable to honor + shorter object lifetimes. It is most likely better to make + your server return a meaningful Last-Modified header however. + + In ESI environments where page fragments often have short + lifetimes, this will often be best set to 0. DOC_END NAME: store_avg_object_size @@ -4574,6 +4696,14 @@ DOC_START Average object size, used to estimate number of objects your cache can hold. The default is 13 KB. + + This is used to pre-seed the cache index memory allocation to + reduce expensive reallocate operations while handling clients + traffic. Too-large values may result in memory allocation during + peak traffic, too-small values will result in wasted memory. + + Check the cache manager 'info' report metrics for the real + object sizes seen by your Squid before tuning this. DOC_END NAME: store_objects_per_bucket @@ -4621,6 +4751,7 @@ COMMENT: (bytes) TYPE: b_int64_t DEFAULT: 0 KB +DEFAULT_DOC: No limit. LOC: Config.maxRequestBodySize DOC_START This specifies the maximum size for an HTTP request body. @@ -4629,6 +4760,9 @@ than this limit receives an "Invalid Request" error message. If you set this parameter to a zero (the default), there will be no limit imposed. + + See also client_request_buffer_max_size for an alternative + limitation on client uploads which can be configured. DOC_END NAME: client_request_buffer_max_size 
@@ -4673,6 +4807,7 @@ IFDEF: USE_HTTP_VIOLATIONS TYPE: acl_access DEFAULT: none +DEFAULT_DOC: Obey RFC 2616. LOC: Config.accessList.brokenPosts DOC_START A list of ACL elements which, if matched, causes Squid to send @@ -4781,6 +4916,7 @@ TYPE: http_header_access LOC: Config.request_header_access DEFAULT: none +DEFAULT_DOC: No limits. DOC_START Usage: request_header_access header_name allow|deny [!]aclname ... 
@@ -4820,46 +4956,30 @@ request_header_access From deny all request_header_access Referer deny all - request_header_access Server deny all request_header_access User-Agent deny all - request_header_access WWW-Authenticate deny all - request_header_access Link deny all Or, to reproduce the old 'http_anonymizer paranoid' feature you should use: - request_header_access Allow allow all request_header_access Authorization allow all - request_header_access WWW-Authenticate allow all request_header_access Proxy-Authorization allow all - request_header_access Proxy-Authenticate allow all request_header_access Cache-Control allow all - request_header_access Content-Encoding allow all request_header_access Content-Length allow all request_header_access Content-Type allow all request_header_access Date allow all - request_header_access Expires allow all request_header_access Host allow all request_header_access If-Modified-Since allow all - request_header_access Last-Modified allow all - request_header_access Location allow all request_header_access Pragma allow all request_header_access Accept allow all request_header_access Accept-Charset allow all request_header_access Accept-Encoding allow all request_header_access Accept-Language allow all - request_header_access Content-Language allow all - request_header_access Mime-Version allow all - request_header_access Retry-After allow all - request_header_access Title allow all request_header_access Connection allow all request_header_access All deny all - although many of those are HTTP reply headers, and so should be - controlled with the reply_header_access directive. + HTTP reply headers are controlled with the reply_header_access directive. - By default, all headers are allowed (no anonymizing is - performed). + By default, all headers are allowed (no anonymizing is performed). DOC_END NAME: reply_header_access 
@@ -4867,6 +4987,7 @@ TYPE: http_header_access LOC: Config.reply_header_access DEFAULT: none +DEFAULT_DOC: No limits. DOC_START Usage: reply_header_access header_name allow|deny [!]aclname ... @@ -4884,10 +5005,7 @@ For example, to achieve the same behavior as the old 'http_anonymizer standard' option, you should use: - reply_header_access From deny all - reply_header_access Referer deny all reply_header_access Server deny all - reply_header_access User-Agent deny all reply_header_access WWW-Authenticate deny all reply_header_access Link deny all @@ -4895,9 +5013,7 @@ you should use: reply_header_access Allow allow all - reply_header_access Authorization allow all reply_header_access WWW-Authenticate allow all - reply_header_access Proxy-Authorization allow all reply_header_access Proxy-Authenticate allow all reply_header_access Cache-Control allow all reply_header_access Content-Encoding allow all 
@@ -4905,24 +5021,17 @@ reply_header_access Content-Type allow all reply_header_access Date allow all reply_header_access Expires allow all - reply_header_access Host allow all - reply_header_access If-Modified-Since allow all reply_header_access Last-Modified allow all reply_header_access Location allow all reply_header_access Pragma allow all - reply_header_access Accept allow all - reply_header_access Accept-Charset allow all - reply_header_access Accept-Encoding allow all - reply_header_access Accept-Language allow all reply_header_access Content-Language allow all - reply_header_access Mime-Version allow all reply_header_access Retry-After allow all reply_header_access Title allow all + reply_header_access Content-Disposition allow all reply_header_access Connection allow all reply_header_access All deny all - although the HTTP request headers won't be usefully controlled - by this directive -- see request_header_access for details. + HTTP request headers are controlled with the request_header_access directive. By default, all headers are allowed (no anonymizing is performed). @@ -4939,8 +5048,7 @@ This option allows you to change the contents of headers denied with request_header_access above, by replacing them - with some fixed string. This replaces the old fake_user_agent - option. + with some fixed string. This only applies to request headers, not reply headers. @@ -5196,7 +5304,7 @@ LOC: Config.adminEmail DOC_START Email-address of local cache manager who will receive - mail if the cache dies. The default is "webmaster." + mail if the cache dies. The default is "webmaster". DOC_END NAME: mail_from @@ -5205,9 +5313,9 @@ LOC: Config.EmailFrom DOC_START 
From: email-address for mail sent when the cache dies. - The default is to use 'appname@unique_hostname'. - Default appname value is "squid", can be changed into - src/globals.h before building squid. + The default is to use 'squid@unique_hostname'. + + See also: unique_hostname directive. DOC_END NAME: mail_program @@ -5237,6 +5345,7 @@ NAME: cache_effective_group TYPE: string DEFAULT: none +DEFAULT_DOC: Use system group memberships of the cache_effective_user account LOC: Config.effectiveGroup DOC_START Squid sets the GID to the effective user's default group ID @@ -5269,6 +5378,7 @@ TYPE: string LOC: Config.visibleHostname DEFAULT: none +DEFAULT_DOC: Automatically detect the system host name DOC_START If you want to present a special hostname in error messages, etc, define this. Otherwise, the return value of gethostname() @@ -5281,6 +5391,7 @@ TYPE: string LOC: Config.uniqueHostname DEFAULT: none +DEFAULT_DOC: Copy the value from visible_hostname DOC_START If you want to have multiple machines with the same 'visible_hostname' you must give each machine a different @@ -5335,10 +5446,9 @@ TYPE: time_t LOC: Config.Announce.period DEFAULT: 0 +DEFAULT_DOC: Announcement messages disabled. DOC_START - This is how frequently to send cache announcements. The - default is `0' which disables sending the announcement - messages. + This is how frequently to send cache announcements. To enable announcing your cache, just set an announce period. 
@@ -5350,26 +5460,29 @@ TYPE: string DEFAULT: tracker.ircache.net LOC: Config.Announce.host -DOC_NONE +DOC_START + Set the hostname where announce registration messages will be sent. + + See also announce_port and announce_file +DOC_END NAME: announce_file TYPE: string DEFAULT: none LOC: Config.Announce.file -DOC_NONE +DOC_START + The contents of this file will be included in the announce + registration messages. +DOC_END NAME: announce_port TYPE: u_short DEFAULT: 3131 LOC: Config.Announce.port DOC_START - announce_host and announce_port set the hostname and port - number where the registration message will be sent. + Set the port where announce registration messages will be sent. - Hostname will default to 'tracker.ircache.net' and port will - default default to 3131. If the 'filename' argument is given, - the contents of that file will be included in the announce - message. + See also announce_host and announce_file DOC_END COMMENT_START @@ -5380,14 +5493,13 @@ NAME: httpd_accel_surrogate_id TYPE: string DEFAULT: none +DEFAULT_DOC: visible_hostname is used if no specific ID is set. LOC: Config.Accel.surrogate_id DOC_START Surrogates (http://www.esi.org/architecture_spec_1.0.html) need an identification token to allow control targeting. Because a farm of surrogates may all perform the same tasks, they may share an identification token. - - The default ID is the visible_hostname DOC_END NAME: http_accel_surrogate_remote @@ -5396,7 +5508,9 @@ DEFAULT: off LOC: Config.onoff.surrogate_is_remote DOC_START - Remote surrogates (such as those in a CDN) honour Surrogate-Control: no-store-remote. + Remote surrogates (such as those in a CDN) honour the header + "Surrogate-Control: no-store-remote". + Set this to on to have squid behave as a remote surrogate. DOC_END 
@@ -5426,6 +5540,9 @@ This represents the number of delay pools to be used. For example, if you have one class 2 delay pool and one class 3 delays pool, you have a total of 2 delay pools. + + See also delay_parameters, delay_class, delay_access for pool + configuration details. DOC_END NAME: delay_class @@ -5482,11 +5599,17 @@ NOTE-2: Due to the use of bitmasks in class 2,3,4 pools they only apply to IPv4 traffic. Class 1 and 5 pools may be used with IPv6 traffic. + + This clause only supports fast acl types. + See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. + + See also delay_parameters and delay_access. DOC_END NAME: delay_access TYPE: delay_pool_access DEFAULT: none +DEFAULT_DOC: Deny using the pool, unless allow rules exist in squid.conf for the pool. IFDEF: USE_DELAY_POOLS LOC: Config.Delay DOC_START @@ -5500,12 +5623,14 @@ For example, if you want some_big_clients in delay pool 1 and lotsa_little_clients in delay pool 2: -Example: - delay_access 1 allow some_big_clients - delay_access 1 deny all - delay_access 2 allow lotsa_little_clients - delay_access 2 deny all - delay_access 3 allow authenticated_clients + delay_access 1 allow some_big_clients + delay_access 1 deny all + delay_access 2 allow lotsa_little_clients + delay_access 2 deny all + delay_access 3 allow authenticated_clients + + See also delay_parameters and delay_class. + DOC_END NAME: delay_parameters @@ -5597,6 +5722,10 @@ be limited to 128Kbits/sec no matter how many workstations they are logged into.: delay_parameters 4 32000/32000 8000/8000 600/64000 16000/16000 + + + See also delay_class and delay_access. + DOC_END NAME: delay_initial_bucket_level @@ -5627,8 +5756,10 @@ This option specifies the number of client delay pools used. It must preceed other client_delay_* options. -Example: - client_delay_pools 2 + Example: + client_delay_pools 2 + + See also client_delay_parameters and client_delay_access. DOC_END NAME: client_delay_initial_bucket_level 
@@ -5647,8 +5778,8 @@ buckets are not refilled until their size goes down to max_bucket_size from client_delay_parameters. -Example: - client_delay_initial_bucket_level 50 + Example: + client_delay_initial_bucket_level 50 DOC_END NAME: client_delay_parameters @@ -5673,18 +5804,21 @@ Please see the delay_parameters option for more information and examples. -Example: - client_delay_parameters 1 1024 2048 - client_delay_parameters 2 51200 16384 + Example: + client_delay_parameters 1 1024 2048 + client_delay_parameters 2 51200 16384 + + See also client_delay_access. + DOC_END NAME: client_delay_access TYPE: client_delay_pool_access DEFAULT: none +DEFAULT_DOC: Deny use of the pool, unless allow rules exist in squid.conf for the pool. IFDEF: USE_DELAY_POOLS LOC: Config.ClientDelay DOC_START - This option determines the client-side delay pool for the request: @@ -5701,11 +5835,19 @@ not used to aggregate clients. Clients are always aggregated based on their source IP addresses (one bucket per source IP). + This clause only supports fast acl types. + See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. + Additionally, only the client TCP connection details are available. + ACLs testing HTTP properties will not work. + Please see delay_access for more examples. -Example: - client_delay_access 1 allow low_rate_network - client_delay_access 2 allow vips_network + Example: + client_delay_access 1 allow low_rate_network + client_delay_access 2 allow vips_network + + + See also client_delay_parameters and client_delay_pools. DOC_END COMMENT_START @@ -5717,6 +5859,7 @@ TYPE: address LOC: Config.Wccp.router DEFAULT: any_addr +DEFAULT_DOC: WCCP disabled. IFDEF: USE_WCCP DOC_START Use this option to define your WCCP ``home'' router for @@ -5734,6 +5877,7 @@ TYPE: IpAddress_list LOC: Config.Wccp2.router DEFAULT: none +DEFAULT_DOC: WCCPv2 disabled. IFDEF: USE_WCCPv2 DOC_START Use this option to define your WCCP ``home'' router for 
@@ -5833,6 +5977,7 @@ TYPE: wccp2_service LOC: Config.Wccp2.info DEFAULT_IF_NONE: standard 0 +DEFAULT_DOC: Use the 'web-cache' standard service. IFDEF: USE_WCCPv2 DOC_START WCCP2 allows for multiple traffic services. There are two @@ -5902,13 +6047,20 @@ TYPE: address LOC: Config.Wccp.address DEFAULT: 0.0.0.0 +DEFAULT_DOC: Address selected by the operating system. IFDEF: USE_WCCP -DOC_NONE +DOC_START + Use this option if you require WCCPv2 to use a specific + interface address. + + The default behavior is to not bind to any specific address. +DOC_END NAME: wccp2_address TYPE: address LOC: Config.Wccp2.address DEFAULT: 0.0.0.0 +DEFAULT_DOC: Address selected by the operating system. IFDEF: USE_WCCPv2 DOC_START Use this option if you require WCCP to use a specific @@ -5928,17 +6080,20 @@ TYPE: onoff LOC: Config.onoff.client_pconns DEFAULT: on -DOC_NONE +DOC_START + Persistent connection support for clients. + Squid uses persistent connections (when allowed). You can use + this option to disable persistent connections with clients. +DOC_END NAME: server_persistent_connections TYPE: onoff LOC: Config.onoff.server_pconns DEFAULT: on DOC_START - Persistent connection support for clients and servers. By - default, Squid uses persistent connections (when allowed) - with its clients and servers. You can use these options to - disable persistent connections with clients and/or servers. + Persistent connection support for servers. + Squid uses persistent connections (when allowed). You can use + this option to disable persistent connections with servers. DOC_END NAME: persistent_connection_after_error @@ -6046,6 +6201,7 @@ TYPE: u_short LOC: Config.Port.snmp DEFAULT: 0 +DEFAULT_DOC: SNMP disabled. IFDEF: SQUID_SNMP DOC_START The port number where Squid listens for SNMP requests. To enable 
@@ -6060,7 +6216,8 @@ NAME: snmp_access TYPE: acl_access LOC: Config.accessList.snmp -DEFAULT_IF_NONE: deny all +DEFAULT: none +DEFAULT_DOC: Deny, unless rules exist in squid.conf. IFDEF: SQUID_SNMP DOC_START Allowing or denying access to the SNMP port. @@ -6072,6 +6229,7 @@ This clause only supports fast acl types. See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details. + Example: snmp_access allow snmppublic localhost snmp_access deny all @@ -6081,32 +6239,37 @@ TYPE: address LOC: Config.Addrs.snmp_incoming DEFAULT: any_addr +DEFAULT_DOC: Accept SNMP packets from all machine interfaces. IFDEF: SQUID_SNMP -DOC_NONE +DOC_START + Just like 'udp_incoming_address', but for the SNMP port. + + snmp_incoming_address is used for the SNMP socket receiving + messages from SNMP agents. + + The default snmp_incoming_address is to listen on all + available network interfaces. +DOC_END NAME: snmp_outgoing_address TYPE: address LOC: Config.Addrs.snmp_outgoing DEFAULT: no_addr +DEFAULT_DOC: Use snmp_incoming_address or an address selected by the operating system. IFDEF: SQUID_SNMP DOC_START - Just like 'udp_incoming_address', but for the SNMP port. + Just like 'udp_outgoing_address', but for the SNMP port. - snmp_incoming_address is used for the SNMP socket receiving - messages from SNMP agents. snmp_outgoing_address is used for SNMP packets returned to SNMP agents. - The default snmp_incoming_address is to listen on all - available network interfaces. - If snmp_outgoing_address is not set it will use the same socket as snmp_incoming_address. Only change this if you want to have SNMP replies sent using another address than where this Squid listens for SNMP queries. NOTE, snmp_incoming_address and snmp_outgoing_address can not have - the same value since they both use port 3401. + the same value since they both use the same port. DOC_END COMMENT_START 
@@ -6117,11 +6280,11 @@ NAME: icp_port udp_port TYPE: u_short DEFAULT: 0 +DEFAULT_DOC: ICP disabled. LOC: Config.Port.icp DOC_START The port number where Squid sends and receives ICP queries to and from neighbor caches. The standard UDP port for ICP is 3130. - Default is disabled (0). Example: icp_port @DEFAULT_ICP_PORT@ @@ -6131,11 +6294,12 @@ IFDEF: USE_HTCP TYPE: u_short DEFAULT: 0 +DEFAULT_DOC: HTCP disabled. LOC: Config.Port.htcp DOC_START The port number where Squid sends and receives HTCP queries to and from neighbor caches. To turn it on you want to set it to - 4827. By default it is set to "0" (disabled). + 4827. Example: htcp_port 4827 @@ -6156,6 +6320,7 @@ TYPE: address LOC:Config.Addrs.udp_incoming DEFAULT: any_addr +DEFAULT_DOC: Accept packets from all machine interfaces. DOC_START udp_incoming_address is used for UDP packets received from other caches. @@ -6178,6 +6343,7 @@ TYPE: address LOC: Config.Addrs.udp_outgoing DEFAULT: no_addr +DEFAULT_DOC: Use udp_incoming_address or an address selected by the operating system. DOC_START udp_outgoing_address is used for UDP packets sent out to other caches. @@ -6223,6 +6389,7 @@ DOC_END NAME: minimum_direct_rtt +COMMENT: (msec) TYPE: int DEFAULT: 400 LOC: Config.minDirectRtt 
@@ -6235,17 +6402,30 @@ TYPE: int DEFAULT: 900 LOC: Config.Netdb.low -DOC_NONE +DOC_START + The low water mark for the ICMP measurement database. + + Note: high watermark controlled by netdb_high directive. + + These watermarks are counts, not percents. The defaults are + (low) 900 and (high) 1000. When the high water mark is + reached, database entries will be deleted until the low + mark is reached. +DOC_END NAME: netdb_high TYPE: int DEFAULT: 1000 LOC: Config.Netdb.high DOC_START - The low and high water marks for the ICMP measurement - database. These are counts, not percents. The defaults are - 900 and 1000. When the high water mark is reached, database - entries will be deleted until the low mark is reached. + The high water mark for the ICMP measurement database. + + Note: low watermark controlled by netdb_low directive. + + These watermarks are counts, not percents. The defaults are + (low) 900 and (high) 1000. When the high water mark is + reached, database entries will be deleted until the low + mark is reached. DOC_END NAME: netdb_ping_period @@ -6291,6 +6471,7 @@ NAME: icp_query_timeout COMMENT: (msec) DEFAULT: 0 +DEFAULT_DOC: Dynamic detection. TYPE: int LOC: Config.Timeout.icp_query DOC_START @@ -6380,6 +6561,7 @@ TYPE: address LOC: Config.mcast_miss.addr DEFAULT: no_addr +DEFAULT_DOC: disabled. DOC_START If you enable this option, every "cache miss" URL will be sent out on the specified multicast address. @@ -6482,6 +6664,7 @@ TYPE: string LOC: Config.errorDirectory DEFAULT: none +DEFAULT_DOC: Send error pages in the clients preferred language DOC_START If you wish to create your own versions of the default error files to customize them to suit your company copy @@ -6506,6 +6689,7 @@ TYPE: string LOC: Config.errorDefaultLanguage DEFAULT: none +DEFAULT_DOC: Generate English language pages. DOC_START Set the default language which squid will send error pages in if no existing translation matches the clients language 
@@ -6647,15 +6831,16 @@ (matching hierarchy_stoplist or not cacheable request type) direct to origin servers. - If you set this to off, Squid will prefer to send these + When this is set to "off", Squid will prefer to send these requests to parents. Note that in most configurations, by turning this off you will only add latency to these request without any improvement in global hit ratio. - If you are inside an firewall see never_direct instead of - this directive. + This option only sets a preference. If the parent is unavailable a + direct connection to the origin server may still be attempted. To + completely prevent direct connections use never_direct. DOC_END NAME: prefer_direct @@ -6680,6 +6865,7 @@ TYPE: acl_access LOC: Config.accessList.AlwaysDirect DEFAULT: none +DEFAULT_DOC: Prevent any cache_peer being used for this request. DOC_START Usage: always_direct allow|deny [!]aclname ... @@ -6725,6 +6911,7 @@ TYPE: acl_access LOC: Config.accessList.NeverDirect DEFAULT: none +DEFAULT_DOC: Allow DNS results to be used for this request. DOC_START Usage: never_direct allow|deny [!]aclname ... @@ -6855,6 +7042,7 @@ TYPE: int LOC: Config.client_ip_max_connections DEFAULT: -1 +DEFAULT_DOC: No limit. DOC_START Set an absolute limit on the number of connections a single client IP can use. Any more than this and Squid will begin to drop @@ -6873,11 +7061,12 @@ COMMENT: (bytes) TYPE: b_size_t DEFAULT: 0 bytes +DEFAULT_DOC: Use operating system TCP defaults. LOC: Config.tcpRcvBufsz DOC_START Size of receive buffer to set for TCP sockets. Probably just - as easy to change your kernel's default. Set to zero to use - the default buffer size. + as easy to change your kernel's default. + Omit from squid.conf to use the default buffer size. DOC_END COMMENT_START @@ -6914,6 +7103,7 @@ COMMENT: time-units TYPE: time_t DEFAULT: none +DEFAULT_DOC: Use read_timeout. LOC: Adaptation::Icap::TheConfig.io_timeout_raw IFDEF: ICAP_CLIENT DOC_START 
@@ -6921,8 +7111,6 @@ an established, active ICAP connection before giving up and either terminating the HTTP transaction or bypassing the failure. - - The default is read_timeout. DOC_END NAME: icap_service_failure_limit @@ -7002,10 +7190,10 @@ IFDEF: ICAP_CLIENT LOC: Adaptation::Icap::TheConfig.preview_size DEFAULT: -1 +DEFAULT_DOC: No preview sent. DOC_START The default size of preview data to be sent to the ICAP server. - -1 means no preview. This value might be overwritten on a per server - basis by OPTIONS requests. + This value might be overwritten on a per server basis by OPTIONS requests. DOC_END NAME: icap_206_enable @@ -7397,6 +7585,7 @@ IFDEF: USE_ADAPTATION LOC: none DEFAULT: none +DEFAULT_DOC: Allow, unless rules exist in squid.conf. DOC_START Sends an HTTP transaction to an ICAP or eCAP adaptation service. @@ -7542,9 +7731,9 @@ IFDEF: ICAP_CLIENT LOC: Adaptation::Icap::TheConfig.repeat_limit DEFAULT: 0 +DEFAULT_DOC: No retries are allowed. DOC_START - Limits the number of retries allowed. When set to zero (default), - no retries are allowed. + Limits the number of retries allowed. Communication errors due to persistent connection race conditions are unavoidable, automatically retried, and do not @@ -7644,6 +7833,7 @@ NAME: dns_packet_max TYPE: b_ssize_t +DEFAULT_DOC: EDNS disabled DEFAULT: none LOC: Config.dns.packet_max IFDEF: !USE_DNSHELPER @@ -7674,6 +7864,7 @@ COMMENT: on|off TYPE: onoff DEFAULT: off +DEFAULT_DOC: Search for single-label domain names is disabled. LOC: Config.onoff.res_defnames DOC_START Normally the RES_DEFNAMES resolver option is disabled 
@@ -7685,11 +7876,13 @@ NAME: dns_nameservers TYPE: wordlist DEFAULT: none +DEFAULT_DOC: Use operating system definitions LOC: Config.dns_nameservers DOC_START Use this if you want to specify a list of DNS name servers (IP addresses) to use instead of those given in your /etc/resolv.conf file. + On Windows platforms, if no value is specified here or in the /etc/resolv.conf file, the list of DNS name servers are taken from the Windows registry, both static and dynamic DHCP @@ -7731,6 +7924,7 @@ TYPE: string LOC: Config.appendDomain DEFAULT: none +DEFAULT_DOC: Use operating system definitions DOC_START Appends local domain name to hostnames without any dots in them. append_domain must begin with a period. @@ -7780,7 +7974,9 @@ TYPE: int DEFAULT: 1024 LOC: Config.ipcache.size -DOC_NONE +DOC_START + Maximum number of DNS IP cache entries. +DOC_END NAME: ipcache_low COMMENT: (percent) @@ -7881,6 +8077,7 @@ NAME: cachemgr_passwd TYPE: cachemgrpasswd DEFAULT: none +DEFAULT_DOC: No password. Actions which require password are denied. LOC: Config.passwd_list DOC_START Specify passwords for cachemgr operations. @@ -7988,6 +8185,7 @@ TYPE: int LOC: Config.connect_retries DEFAULT: 0 +DEFAULT_DOC: Do not retry failed connections. DOC_START This sets the maximum number of connection attempts made for each TCP connection. The connect_retries attempts must all still 
@@ -8048,20 +8246,32 @@ URI. Options: strip: The whitespace characters are stripped out of the URL. - This is the behavior recommended by RFC2396. + This is the behavior recommended by RFC2396 and RFC3986 + for tolerant handling of generic URI. + NOTE: This is one difference between generic URI and HTTP URLs. + deny: The request is denied. The user receives an "Invalid Request" message. + This is the behaviour recommended by RFC2616 for safe + handling of HTTP request URL. + allow: The request is allowed and the URI is not changed. The whitespace characters remain in the URI. Note the whitespace is passed to redirector processes if they are in use. + Note this may be considered a violation of RFC2616 + request parsing where whitespace is prohibited in the + URL field. + encode: The request is allowed and the whitespace characters are - encoded according to RFC1738. This could be considered - a violation of the HTTP/1.1 - RFC because proxies are not allowed to rewrite URI's. + encoded according to RFC1738. + chop: The request is allowed and the URI is chopped at the - first whitespace. This might also be considered a - violation. + first whitespace. + + + NOTE the current Squid implementation of encode and chop violates + RFC2616 by not using a 301 redirect after altering the URL. DOC_END NAME: chroot @@ -8112,6 +8322,7 @@ COMMENT: (msec) LOC: Config.warnings.high_rptm DEFAULT: 0 +DEFAULT_DOC: disabled. DOC_START If the one-minute median response time exceeds this value, Squid prints a WARNING with debug level 0 to get the @@ -8122,6 +8333,7 @@ TYPE: int LOC: Config.warnings.high_pf DEFAULT: 0 +DEFAULT_DOC: disabled. DOC_START If the one-minute average page fault rate exceeds this value, Squid prints a WARNING with debug level 0 to get 
@@ -8133,6 +8345,7 @@ TYPE: b_size_t LOC: Config.warnings.high_memory DEFAULT: 0 KB +DEFAULT_DOC: disabled. DOC_START If the memory usage (as determined by mallinfo) exceeds this amount, Squid prints a WARNING with debug level 0 to get @@ -8184,20 +8397,23 @@ NAME: max_filedescriptors max_filedesc TYPE: int DEFAULT: 0 +DEFAULT_DOC: Use operating system limits set by ulimit. LOC: Config.max_filedescriptors DOC_START - The maximum number of filedescriptors supported. + Reduce the maximum number of filedescriptors supported below + the usual operating system defaults. - The default "0" means Squid inherits the current ulimit setting. + Remove from squid.conf to inherit the current ulimit setting. Note: Changing this requires a restart of Squid. Also - not all comm loops supports large values. + not all I/O types supports large values (eg on Windows). DOC_END NAME: workers TYPE: int LOC: Config.workers DEFAULT: 1 +DEFAULT_DOC: SMP support disabled. DOC_START Number of main Squid processes or "workers" to fork and maintain. 0: "no daemon" mode, like running "squid -N ..." @@ -8212,6 +8428,7 @@ TYPE: CpuAffinityMap LOC: Config.cpuAffinityMap DEFAULT: none +DEFAULT_DOC: Let operating system decide. DOC_START Usage: cpu_affinity_map process_numbers=P1,P2,... cores=C1,C2,... diff -u -r -N squid-3.3.3/src/cf_gen.cc squid-3.3.4/src/cf_gen.cc --- squid-3.3.3/src/cf_gen.cc 2013-03-12 23:17:07.000000000 +1300 +++ squid-3.3.4/src/cf_gen.cc 2013-04-27 15:34:48.000000000 +1200 @@ -189,6 +189,13 @@ exit(1); } +static void +errorMsg(const char *filename, int line, const char *detail) +{ + std::cerr << "Error in '" << filename << "' on line " << line << + "--> " << detail << std::endl; +} + int main(int argc, char *argv[]) { 
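Review bot: In the new errorMsg the line number is streamed directly into the arrow, so the output reads `on line 12--> detail`, whereas the per-site messages it replaces separated the two with std::endl; `std::cerr << "Error in '" << filename << "' on line " << line << " --> " << detail << std::endl;` restores a separator. Every call site visible in the later hunks follows the call with `exit(1)`, so the helper could take over the exit instead of repeating it at each site. main() only begins on the last line of this hunk.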
@@ -218,7 +225,7 @@ *-------------------------------------------------------------------*/ fp.open(type_depend, std::ifstream::in); if (fp.fail()) { - std::cerr << "error while opening type dependencies file '" << + std::cerr << "Error while opening type dependencies file '" << type_depend << "': " << strerror(errno) << std::endl; exit(1); } @@ -245,7 +252,7 @@ /* Open input file */ fp.open(input_filename, std::ifstream::in); if (fp.fail()) { - std::cerr << "error while opening input file '" << + std::cerr << "Error while opening input file '" << input_filename << "': " << strerror(errno) << std::endl; exit(1); } @@ -262,14 +269,14 @@ if (strncmp(buff, "IF ", 3) == 0) { if ((ptr = strtok(buff + 3, WS)) == NULL) { - std::cerr << "Missing IF parameter on line" << linenum << std::endl; + errorMsg(input_filename, linenum, "Missing IF parameter"); exit(1); } IFDEFS.push(ptr); continue; } else if (strcmp(buff, "ENDIF") == 0) { if (IFDEFS.size() == 0) { - std::cerr << "ENDIF without IF before on line " << linenum << std::endl; + errorMsg(input_filename, linenum, "ENDIF without IF first"); exit(1); } IFDEFS.pop(); @@ -285,7 +292,7 @@ char *name, *aliasname; if ((name = strtok(buff + 5, WS)) == NULL) { - std::cerr << "Error in input file\n"; + errorMsg(input_filename, linenum, buff); exit(1); } @@ -302,8 +309,7 @@ entries.back().loc = "none"; state = sDOC; } else { - std::cerr << "Error on line " << linenum << std::endl << - "--> " << buff << std::endl; + errorMsg(input_filename, linenum, buff); exit(1); } @@ -352,14 +358,14 @@ curr.defaults.docs.push_back(ptr); } else if (!strncmp(buff, "LOC:", 4)) { if ((ptr = strtok(buff + 4, WS)) == NULL) { - std::cerr << "Error on line " << linenum << std::endl; + errorMsg(input_filename, linenum, buff); exit(1); } curr.loc = ptr; } else if (!strncmp(buff, "TYPE:", 5)) { if ((ptr = strtok(buff + 5, WS)) == NULL) { - std::cerr << "Error on line " << linenum << std::endl; + errorMsg(input_filename, linenum, buff); exit(1); } 
@@ -373,7 +379,7 @@ curr.type = ptr; } else if (!strncmp(buff, "IFDEF:", 6)) { if ((ptr = strtok(buff + 6, WS)) == NULL) { - std::cerr << "Error on line " << linenum << std::endl; + errorMsg(input_filename, linenum, buff); exit(1); } @@ -383,7 +389,7 @@ } else if (!strcmp(buff, "DOC_NONE")) { state = sSTART; } else { - std::cerr << "Error on line " << linenum << std::endl; + errorMsg(input_filename, linenum, buff); exit(1); } } @@ -417,7 +423,7 @@ } if (state != sEXIT) { - std::cerr << "Error: unexpected EOF\n"; + errorMsg(input_filename, linenum, "Error: unexpected EOF"); exit(1); } @@ -435,7 +441,7 @@ std::ofstream fout(output_filename,std::ostream::out); if (!fout.good()) { - std::cerr << "error while opening output .c file '" << + std::cerr << "Error while opening output .c file '" << output_filename << "': " << strerror(errno) << std::endl; exit(1); } @@ -466,7 +472,7 @@ /* Open output x.conf file */ fout.open(conf_filename,std::ostream::out); if (!fout.good()) { - std::cerr << "error while opening output conf file '" << + std::cerr << "Error while opening output conf file '" << output_filename << "': " << strerror(errno) << std::endl; exit(1); } @@ -477,7 +483,7 @@ fout.open(conf_filename_short,std::ostream::out); if (!fout.good()) { - std::cerr << "error while opening output short conf file '" << + std::cerr << "Error while opening output short conf file '" << output_filename << "': " << strerror(errno) << std::endl; exit(1); } diff -u -r -N squid-3.3.3/src/client_side.cc squid-3.3.4/src/client_side.cc --- squid-3.3.3/src/client_side.cc 2013-03-12 23:17:07.000000000 +1300 +++ squid-3.3.4/src/client_side.cc 2013-04-27 15:34:48.000000000 +1200 @@ -793,9 +793,7 @@ } #endif - if (Comm::IsConnOpen(pinning.serverConnection)) - pinning.serverConnection->close(); - pinning.serverConnection = NULL; + unpinConnection(); if (Comm::IsConnOpen(clientConnection)) clientConnection->close(); 
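Review bot: The EOF site passes `"Error: unexpected EOF"` as the detail, and errorMsg already prefixes `Error in '<file>' on line N`, so the message says "Error" twice; `errorMsg(input_filename, linenum, "unexpected EOF");` matches the other call sites in these hunks, which pass bare details. The enclosing main() starts before this hunk.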
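Review bot: The removed lines closed pinning.serverConnection explicitly before dropping the reference; the new single call relies on unpinConnection() doing the same, which is not visible here — confirm it still closes an open server connection, otherwise the descriptor stays open until the Connection object is destroyed. A one-line comment such as `// closes and forgets any pinned server connection (previously inlined here)` would record why the explicit close was removed. The enclosing function starts before this hunk.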
@@ -2522,12 +2520,14 @@ debugs(33, 2, "SQUID_X509_V_ERR_DOMAIN_MISMATCH: Certificate " << "does not match domainname " << request->GetHost()); - ACLFilledChecklist check(Config.ssl_client.cert_error, request, dash_str); - check.sslErrors = new Ssl::Errors(SQUID_X509_V_ERR_DOMAIN_MISMATCH); - const bool allowDomainMismatch = - check.fastCheck() == ACCESS_ALLOWED; - delete check.sslErrors; - check.sslErrors = NULL; + bool allowDomainMismatch = false; + if (Config.ssl_client.cert_error) { + ACLFilledChecklist check(Config.ssl_client.cert_error, request, dash_str); + check.sslErrors = new Ssl::Errors(SQUID_X509_V_ERR_DOMAIN_MISMATCH); + allowDomainMismatch = (check.fastCheck() == ACCESS_ALLOWED); + delete check.sslErrors; + check.sslErrors = NULL; + } if (!allowDomainMismatch) { quitAfterError(request); @@ -3618,8 +3618,8 @@ // fake a CONNECT request to force connState to tunnel static char ip[MAX_IPSTRLEN]; static char reqStr[MAX_IPSTRLEN + 80]; - connState->clientConnection->local.NtoA(ip, sizeof(ip)); - snprintf(reqStr, sizeof(reqStr), "CONNECT %s:%d HTTP/1.1\r\nHost: %s\r\n\r\n", ip, connState->clientConnection->local.GetPort(), ip); + connState->clientConnection->local.ToURL(ip, sizeof(ip)); + snprintf(reqStr, sizeof(reqStr), "CONNECT %s HTTP/1.1\r\nHost: %s\r\n\r\n", ip, ip); bool ret = connState->handleReadData(reqStr, strlen(reqStr)); if (ret) ret = connState->clientParseRequests(); diff -u -r -N squid-3.3.3/src/client_side_request.cc squid-3.3.4/src/client_side_request.cc --- squid-3.3.3/src/client_side_request.cc 2013-03-12 23:17:07.000000000 +1300 +++ squid-3.3.4/src/client_side_request.cc 2013-04-27 15:34:48.000000000 +1200 
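Review bot: When no sslproxy_cert_error ACL is configured the new code fixes allowDomainMismatch to false, so a certificate domain mismatch is now a hard error; that is the safe default, but nothing in the hunk says it is intentional rather than a null-pointer guard. Adding `// no sslproxy_cert_error ACL configured: domain mismatches are never tolerated` above the `if` keeps a later reader from "fixing" it to allow. The manual new/delete of check.sslErrors is kept from the original, so an exception out of fastCheck() would still leak it; that is pre-existing, but worth noting since the enclosing function starts before this hunk.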
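Review bot: The fake CONNECT now uses local.ToURL(ip, sizeof(ip)), which writes an address plus port suffix into a buffer sized MAX_IPSTRLEN; confirm that constant allows for the brackets and `:port` that ToURL appends, since a truncated string would silently produce a CONNECT line for a different target than the intercepted connection. A comment on the buffer, e.g. `// MAX_IPSTRLEN must cover the "[addr]:port" form written by ToURL()`, documents the dependency. The enclosing function starts before this hunk.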
@@ -1047,7 +1047,7 @@
 if (!request->flags.ignoreCc) {
 if (request->cache_control) {
- if (request->cache_control->noCache())
+ if (request->cache_control->hasNoCache())
 no_cache=true;
 // RFC 2616: treat Pragma:no-cache as if it was Cache-Control:no-cache when Cache-Control is missing
diff -u -r -N squid-3.3.3/src/comm/AcceptLimiter.cc squid-3.3.4/src/comm/AcceptLimiter.cc
--- squid-3.3.3/src/comm/AcceptLimiter.cc 2013-03-12 23:17:07.000000000 +1300
+++ squid-3.3.4/src/comm/AcceptLimiter.cc 2013-04-27 15:34:48.000000000 +1200
@@ -7,29 +7,33 @@
 Comm::AcceptLimiter Comm::AcceptLimiter::Instance_;
-Comm::AcceptLimiter &Comm::AcceptLimiter::Instance()
+Comm::AcceptLimiter &
+Comm::AcceptLimiter::Instance()
 {
 return Instance_;
 }
 void
-Comm::AcceptLimiter::defer(Comm::TcpAcceptor *afd)
+Comm::AcceptLimiter::defer(const Comm::TcpAcceptor::Pointer &afd)
 {
- ++ afd->isLimited;
- debugs(5, 5, HERE << afd->conn << " x" << afd->isLimited);
- deferred.push_back(afd);
+ ++ (afd->isLimited);
+ debugs(5, 5, afd->conn << " x" << afd->isLimited);
+ deferred_.push_back(afd);
 }
 void
-Comm::AcceptLimiter::removeDead(const Comm::TcpAcceptor *afd)
+Comm::AcceptLimiter::removeDead(const Comm::TcpAcceptor::Pointer &afd)
 {
- for (unsigned int i = 0; i < deferred.size() && afd->isLimited > 0; ++i) {
- if (deferred[i] == afd) {
- -- deferred[i]->isLimited;
- deferred[i] = NULL; // fast. kick() will skip empty entries later.
- debugs(5, 5, HERE << afd->conn << " x" << afd->isLimited);
+ uint64_t abandonedClients = 0;
+ for (unsigned int i = 0; i < deferred_.size() && afd->isLimited > 0; ++i) {
+ if (deferred_[i] == afd) {
+ -- deferred_[i]->isLimited;
+ deferred_[i] = NULL; // fast. kick() will skip empty entries later.
+ debugs(5, 5, afd->conn << " x" << afd->isLimited);
+ ++abandonedClients;
 }
 }
+ debugs(5,4, "Abandoned " << abandonedClients << " client TCP SYN by closing socket: " << afd->conn);
 }
 void
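Review bot: removeDead now logs `Abandoned N client TCP SYN by closing socket` at level 4 on every call, including the common case where the acceptor was never deferred and N is 0; wrapping it in `if (abandonedClients)` keeps that log line meaningful. The counter is declared uint64_t while the loop index and deferred_.size() are unsigned int, so a matching `unsigned int` (or size_t) would be the consistent choice. `++ (afd->isLimited)` with the space and parentheses is also a style departure from `++abandonedClients` in the same function.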
@@ -38,13 +42,14 @@ // TODO: this could be optimized further with an iterator to search // looking for first non-NULL, followed by dumping the first N // with only one shift()/pop_front operation + // OR, by reimplementing as a list instead of Vector. - debugs(5, 5, HERE << " size=" << deferred.size()); - while (deferred.size() > 0 && fdNFree() >= RESERVED_FD) { + debugs(5, 5, "size=" << deferred_.size()); + while (deferred_.size() > 0 && fdNFree() >= RESERVED_FD) { /* NP: shift() is equivalent to pop_front(). Giving us a FIFO queue. */ - TcpAcceptor *temp = deferred.shift(); - if (temp != NULL) { - debugs(5, 5, HERE << " doing one."); + TcpAcceptor::Pointer temp = deferred_.shift(); + if (temp.valid()) { + debugs(5, 5, "doing one."); -- temp->isLimited; temp->acceptNext(); break; diff -u -r -N squid-3.3.3/src/comm/AcceptLimiter.h squid-3.3.4/src/comm/AcceptLimiter.h --- squid-3.3.3/src/comm/AcceptLimiter.h 2013-03-12 23:17:07.000000000 +1300 +++ squid-3.3.4/src/comm/AcceptLimiter.h 2013-04-27 15:34:48.000000000 +1200 @@ -2,12 +2,11 @@ #define _SQUID_SRC_COMM_ACCEPT_LIMITER_H #include "Array.h" +#include "comm/TcpAcceptor.h" namespace Comm { -class TcpAcceptor; - /** * FIFO Queue holding listener socket handlers which have been activated * ready to dupe their FD and accept() a new client connection. 
@@ -18,6 +17,16 @@ * removeDead - used only by Comm layer ConnAcceptor to remove themselves when dying. * kick - used by Comm layer when FD are closed. */ +/* TODO this algorithm can be optimized further: + * + * 1) reduce overheads by only pushing one entry per port to the list? + * use TcpAcceptor::isLimited as a flag whether to re-list when kick()'ing + * or to NULL an entry while scanning the list for empty spaces. + * Side effect: TcpAcceptor->kick() becomes allowed to pull off multiple accept()'s in bunches + * + * 2) re-implement as a list instead of vector? + * storing head/tail pointers for fast push/pop and avoiding the whole shift() overhead + */ class AcceptLimiter { @@ -26,10 +35,10 @@ static AcceptLimiter &Instance(); /** delay accepting a new client connection. */ - void defer(Comm::TcpAcceptor *afd); + void defer(const TcpAcceptor::Pointer &afd); /** remove all records of an acceptor. Only to be called by the ConnAcceptor::swanSong() */ - void removeDead(const Comm::TcpAcceptor *afd); + void removeDead(const TcpAcceptor::Pointer &afd); /** try to accept and begin processing any delayed client connections. */ void kick(); @@ -38,7 +47,7 @@ static AcceptLimiter Instance_; /** FIFO queue */ - Vector deferred; + Vector deferred_; }; }; // namepace Comm diff -u -r -N squid-3.3.3/src/comm/TcpAcceptor.h squid-3.3.4/src/comm/TcpAcceptor.h --- squid-3.3.3/src/comm/TcpAcceptor.h 2013-03-12 23:17:07.000000000 +1300 +++ squid-3.3.4/src/comm/TcpAcceptor.h 2013-04-27 15:34:48.000000000 +1200 @@ -1,17 +1,11 @@ #ifndef SQUID_COMM_TCPACCEPTOR_H #define SQUID_COMM_TCPACCEPTOR_H -#include "base/AsyncCall.h" +#include "base/AsyncJob.h" +#include "base/CbcPointer.h" #include "base/Subscription.h" -#include "CommCalls.h" #include "comm_err_t.h" #include "comm/forward.h" -#include "comm/TcpAcceptor.h" -#include "ip/Address.h" - -#if HAVE_MAP -#include -#endif namespace Comm { 
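Review bot: The TcpAcceptor.h hunk drops `#include "ip/Address.h"` and `#include "CommCalls.h"` while adding AsyncJob.h and CbcPointer.h; whether the class body still uses Ip::Address or the CommCalls types is outside this hunk, so confirm nothing now depends on a transitive include through comm/forward.h. Removing the self-include `#include "comm/TcpAcceptor.h"` is clearly right. The new TODO block in AcceptLimiter.h duplicates the `// OR, by reimplementing as a list instead of Vector.` remark added inside kick() in the previous hunk; one place is enough.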
@@ -32,6 +26,9 @@ */ class TcpAcceptor : public AsyncJob { +public: + typedef CbcPointer Pointer; + private: virtual void start(); virtual bool doneAll() const; diff -u -r -N squid-3.3.3/src/comm.cc squid-3.3.4/src/comm.cc --- squid-3.3.3/src/comm.cc 2013-03-12 23:17:07.000000000 +1300 +++ squid-3.3.4/src/comm.cc 2013-04-27 15:34:48.000000000 +1200 @@ -34,6 +34,7 @@ #include "squid.h" #include "base/AsyncCall.h" +#include "cbdata.h" #include "comm.h" #include "ClientInfo.h" #include "CommCalls.h" @@ -63,11 +64,12 @@ #include "SquidTime.h" #include "StatCounters.h" #include "StoreIOBuffer.h" +#include "tools.h" + #if USE_SSL #include "ssl/support.h" #endif -#include "cbdata.h" #if _SQUID_CYGWIN_ #include #endif @@ -493,12 +495,13 @@ } /** - * Set the socket IP_TRANSPARENT option for Linux TPROXY v4 support. + * Set the socket IP_TRANSPARENT option for Linux TPROXY v4 support, + * or set the socket SO_BINDANY option for BSD divert-to support. */ void comm_set_transparent(int fd) { -#if defined(IP_TRANSPARENT) +#if _SQUID_LINUX_ && defined(IP_TRANSPARENT) int tos = 1; if (setsockopt(fd, SOL_IP, IP_TRANSPARENT, (char *) &tos, sizeof(int)) < 0) { debugs(50, DBG_IMPORTANT, "comm_open: setsockopt(IP_TRANSPARENT) on FD " << fd << ": " << xstrerror()); 
@@ -506,6 +509,18 @@
 /* mark the socket as having transparent options */
 fd_table[fd].flags.transparent = 1;
 }
+
+#elif defined(SO_BINDANY)
+ int tos = 1;
+ enter_suid();
+ if (setsockopt(fd, SOL_SOCKET, SO_BINDANY, (char *) &tos, sizeof(int)) < 0) {
+ debugs(50, DBG_IMPORTANT, "comm_open: setsockopt(SO_BINDANY) on FD " << fd << ": " << xstrerror());
+ } else {
+ /* mark the socket as having transparent options */
+ fd_table[fd].flags.transparent = true;
+ }
+ leave_suid();
+
 #else
 debugs(50, DBG_CRITICAL, "WARNING: comm_open: setsockopt(IP_TRANSPARENT) not supported on this platform");
 #endif /* sockopt */
diff -u -r -N squid-3.3.3/src/DiskIO/Mmapped/MmappedFile.cc squid-3.3.4/src/DiskIO/Mmapped/MmappedFile.cc
--- squid-3.3.3/src/DiskIO/Mmapped/MmappedFile.cc 2013-03-12 23:17:07.000000000 +1300
+++ squid-3.3.4/src/DiskIO/Mmapped/MmappedFile.cc 2013-04-27 15:34:48.000000000 +1200
@@ -21,6 +21,11 @@
 #include
 #endif
+// Some systems such as Hurd provide mmap() API but do not support MAP_NORESERVE
+#ifndef MAP_NORESERVE
+#define MAP_NORESERVE 0
+#endif
+
 CBDATA_CLASS_INIT(MmappedFile);
 // helper class to deal with mmap(2) offset alignment and other low-level specs
diff -u -r -N squid-3.3.3/src/external_acl.cc squid-3.3.4/src/external_acl.cc
--- squid-3.3.3/src/external_acl.cc 2013-03-12 23:17:07.000000000 +1300
+++ squid-3.3.4/src/external_acl.cc 2013-04-27 15:34:48.000000000 +1200
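Review bot: The `#else` fallback still reports only `setsockopt(IP_TRANSPARENT) not supported`, so on a platform with neither option the operator is not told that SO_BINDANY was also considered; `"WARNING: comm_open: setsockopt(IP_TRANSPARENT/SO_BINDANY) not supported on this platform"` would be accurate for both branches. The new branch writes `flags.transparent = true` where the Linux branch two lines up writes `= 1`; pick one form. The enter_suid()/leave_suid() pair brackets exactly the privileged setsockopt(2), which is the right minimal window, and leave_suid() runs on both the success and failure paths; only the flag assignment sits inside it unnecessarily and could follow leave_suid(). comm_set_transparent() starts in the previous hunk.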
@@ -839,7 +839,7 @@ debugs(82, 2, HERE << "\"" << key << "\": entry=@" << entry << ", age=" << (entry ? (long int) squid_curtime - entry->date : 0)); - if (acl->def->theHelper->stats.queue_size <= (int)acl->def->theHelper->childs.n_active) { + if (acl->def->theHelper->stats.queue_size < (int)acl->def->theHelper->childs.n_active) { debugs(82, 2, HERE << "\"" << key << "\": queueing a call."); ch->changeState(ExternalACLLookup::Instance()); debugs(82, 2, HERE << "\"" << key << "\": return -1."); diff -u -r -N squid-3.3.3/src/helper.cc squid-3.3.4/src/helper.cc --- squid-3.3.3/src/helper.cc 2013-03-12 23:17:07.000000000 +1300 +++ squid-3.3.4/src/helper.cc 2013-04-27 15:34:48.000000000 +1200 @@ -523,7 +523,7 @@ for (dlink_node *link = hlp->servers.head; link; link = link->next) { helper_server *srv = (helper_server*)link->data; double tt = 0.001 * (srv->requests[0] ? tvSubMsec(srv->requests[0]->dispatch_time, current_time) : tvSubMsec(srv->dispatch_time, srv->answer_time)); - storeAppendPrintf(sentry, "%7d\t%7d\t%7d\t%11" PRIu64 "\t%11" PRIu64 "%c%c%c%c\t%7.3f\t%7d\t%s\n", + storeAppendPrintf(sentry, "%7d\t%7d\t%7d\t%11" PRIu64 "\t%11" PRIu64 "\t%c%c%c%c\t%7.3f\t%7d\t%s\n", srv->index + 1, srv->readPipe->fd, srv->pid, diff -u -r -N squid-3.3.3/src/http.cc squid-3.3.4/src/http.cc --- squid-3.3.3/src/http.cc 2013-03-12 23:17:07.000000000 +1300 +++ squid-3.3.4/src/http.cc 2013-04-27 15:34:48.000000000 +1200 
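Review bot: The comparison changes from `<=` to `<` with no comment, and a one-character boundary change like this is exactly what gets "corrected" back later; a why-comment on the line stating which overload condition the strict comparison avoids (e.g. `// strictly less: a queue already as long as n_active is full — do not queue another call`) would protect it. The `(int)` cast on childs.n_active hints at a signed/unsigned mismatch that this hunk inherits rather than introduces. The enclosing function starts before this hunk.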
@@ -375,6 +375,16 @@ } // NP: request CC:no-cache only means cache READ is forbidden. STORE is permitted. + if (rep->cache_control && rep->cache_control->hasNoCache() && rep->cache_control->noCache().defined()) { + /* TODO: we are allowed to cache when no-cache= has parameters. + * Provided we strip away any of the listed headers unless they are revalidated + * successfully (ie, must revalidate AND these headers are prohibited on stale replies). + * That is a bit tricky for squid right now so we avoid caching entirely. + */ + debugs(22, 3, HERE << "NO because server reply Cache-Control:no-cache has parameters"); + return 0; + } + // NP: request CC:private is undefined. We ignore. // NP: other request CC flags are limiters on HIT/MISS. We don't care about here. @@ -386,16 +396,21 @@ } // RFC 2616 section 14.9.1 - MUST NOT cache any response with CC:private in a shared cache like Squid. + // CC:private overrides CC:public when both are present in a response. // TODO: add a shared/private cache configuration possibility. if (rep->cache_control && - rep->cache_control->Private() && + rep->cache_control->hasPrivate() && !REFRESH_OVERRIDE(ignore_private)) { + /* TODO: we are allowed to cache when private= has parameters. + * Provided we strip away any of the listed headers unless they are revalidated + * successfully (ie, must revalidate AND these headers are prohibited on stale replies). + * That is a bit tricky for squid right now so we avoid caching entirely. + */ debugs(22, 3, HERE << "NO because server reply Cache-Control:private"); return 0; } - // NP: being conservative; CC:private overrides CC:public when both are present in a response. - } + // RFC 2068, sec 14.9.4 - MUST NOT cache any response with Authentication UNLESS certain CC controls are present // allow HTTP violations to IGNORE those controls (ie re-block caching Auth) if (request && (request->flags.auth || request->flags.authSent) && !REFRESH_OVERRIDE(ignore_auth)) { 
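Review bot: The pre-existing comment `// NP: request CC:no-cache only means cache READ is forbidden. STORE is permitted.` now sits directly above the new block, which tests the reply's cache_control, so it reads as if it documented the new check and says the opposite of what the block does. A separating comment such as `// reply CC:no-cache="field,..." is not stored at all until header stripping is implemented (see TODO)` before the `if` would avoid that. In the second hunk (@@ -386) a closing `}` is removed with no matching opening brace visible in this diff; presumably the brace it closed was dropped in an earlier unchanged region, but confirm the block structure still balances. The enclosing function starts before these hunks.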
@@ -424,8 +439,8 @@ // NP: given the must-revalidate exception we should also be able to exempt no-cache. // HTTPbis WG verdict on this is that it is omitted from the spec due to being 'unexpected' by // some. The caching+revalidate is not exactly unsafe though with Squids interpretation of no-cache - // as equivalent to must-revalidate in the reply. - } else if (rep->cache_control->noCache() && !REFRESH_OVERRIDE(ignore_must_revalidate)) { + // (without parameters) as equivalent to must-revalidate in the reply. + } else if (rep->cache_control->hasNoCache() && !rep->cache_control->noCache().defined() && !REFRESH_OVERRIDE(ignore_must_revalidate)) { debugs(22, 3, HERE << "Authenticated but server reply Cache-Control:no-cache (equivalent to must-revalidate)"); mayStore = true; #endif @@ -976,10 +991,22 @@ if (!ignoreCacheControl) { if (rep->cache_control) { - if (rep->cache_control->proxyRevalidate() || - rep->cache_control->mustRevalidate() || - rep->cache_control->noCache() || - rep->cache_control->hasSMaxAge()) + // We are required to revalidate on many conditions. + // For security reasons we do so even if storage was caused by refresh_pattern ignore-* option + + // CC:must-revalidate or CC:proxy-revalidate + const bool ccMustRevalidate = (rep->cache_control->proxyRevalidate() || rep->cache_control->mustRevalidate()); + + // CC:no-cache (only if there are no parameters) + const bool ccNoCacheNoParams = (rep->cache_control->hasNoCache() && rep->cache_control->noCache().undefined()); + + // CC:s-maxage=N + const bool ccSMaxAge = rep->cache_control->hasSMaxAge(); + + // CC:private (yes, these can sometimes be stored) + const bool ccPrivate = rep->cache_control->hasPrivate(); + + if (ccMustRevalidate || ccNoCacheNoParams || ccSMaxAge || ccPrivate) EBIT_SET(entry->flags, ENTRY_REVALIDATE); } #if USE_HTTP_VIOLATIONS // response header Pragma::no-cache is undefined in HTTP 
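Review bot: In the `@@ -976` hunk, `ccNoCacheNoParams` deliberately gives `no-cache=` with parameters no ENTRY_REVALIDATE flag, which is only safe because the earlier hunk in this file refuses to store such replies ("NO because server reply Cache-Control:no-cache has parameters"); nothing at this site records that dependency. Add `// CC:no-cache with parameters is never stored (refused earlier in this file), so it needs no revalidate flag here` above the `ccNoCacheNoParams` line, so whoever later adds an ignore-* override for it also revisits this flag. The function this hunk belongs to starts before the hunk.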
@@ -1815,7 +1842,7 @@ #endif /* Add max-age only without no-cache */ - if (!cc->hasMaxAge() && !cc->noCache()) { + if (!cc->hasMaxAge() && !cc->hasNoCache()) { const char *url = entry ? entry->url() : urlCanonical(request); cc->maxAge(getMaxAge(url)); diff -u -r -N squid-3.3.3/src/HttpHdrCc.cc squid-3.3.4/src/HttpHdrCc.cc --- squid-3.3.3/src/HttpHdrCc.cc 2013-03-12 23:17:07.000000000 +1300 +++ squid-3.3.4/src/HttpHdrCc.cc 2013-04-27 15:34:48.000000000 +1200 @@ -194,15 +194,42 @@ } break; + case CC_PRIVATE: { + String temp; + if (!p) { + // Value parameter is optional. + private_.clean(); + } else if (/* p &&*/ httpHeaderParseQuotedString(p, (ilen-nlen-1), &temp)) { + private_.append(temp); + } else { + debugs(65, 2, "cc: invalid private= specs near '" << item << "'"); + } + // to be safe we ignore broken parameters, but always remember the 'private' part. + setMask(type,true); + } + break; + + case CC_NO_CACHE: { + String temp; + if (!p) { + // On Requests, missing value parameter is expected syntax. + // On Responses, value parameter is optional. + setMask(type,true); + no_cache.clean(); + } else if (/* p &&*/ httpHeaderParseQuotedString(p, (ilen-nlen-1), &temp)) { + // On Requests, a value parameter is invalid syntax. + // XXX: identify when parsing request header and dump err message here. + setMask(type,true); + no_cache.append(temp); + } else { + debugs(65, 2, "cc: invalid no-cache= specs near '" << item << "'"); + } + } + break; + case CC_PUBLIC: Public(true); break; - case CC_PRIVATE: - Private(true); - break; - case CC_NO_CACHE: - noCache(true); - break; case CC_NO_STORE: noStore(true); break; diff -u -r -N squid-3.3.3/src/HttpHdrCc.h squid-3.3.4/src/HttpHdrCc.h --- squid-3.3.3/src/HttpHdrCc.h 2013-03-12 23:17:07.000000000 +1300 +++ squid-3.3.4/src/HttpHdrCc.h 2013-04-27 15:34:48.000000000 +1200 
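Review bot: In the new `CC_NO_CACHE` case the parse-error branch only logs and never calls `setMask(type,true)`, so a malformed `Cache-Control: no-cache=<unquoted>` directive is dropped entirely and the reply is then handled as if no `no-cache` had been sent at all, whereas the `CC_PRIVATE` case directly above keeps the mask set "to be safe". Make the two consistent by setting the mask in the error branch as well, e.g. `setMask(type,true); no_cache.clean();` after the debugs() call, so a broken directive degrades to bare no-cache (revalidate) rather than to freely cacheable. Separately, both cases append the parsed list straight onto `private_`/`no_cache`; if a directive appears twice in one header the two lists run together without the `,` that the `Private(String&)`/`noCache(String&)` setters in HttpHdrCc.h insert, so calling those setters here (`noCache(temp);`, `Private(temp);`) would be both shorter and correct. The enclosing parse function starts before the hunk.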
@@ -74,15 +74,27 @@ //manipulation for Cache-Control: private header bool hasPrivate() const {return isSet(CC_PRIVATE);} - bool Private() const {return isSet(CC_PRIVATE);} - void Private(bool v) {setMask(CC_PRIVATE,v);} - void clearPrivate() {setMask(CC_PRIVATE,false);} + const String &Private() const {return private_;} + void Private(String &v) { + setMask(CC_PRIVATE,true); + // uses append for multi-line headers + if (private_.defined()) + private_.append(","); + private_.append(v); + } + void clearPrivate() {setMask(CC_PRIVATE,false); private_.clean();} //manipulation for Cache-Control: no-cache header bool hasNoCache() const {return isSet(CC_NO_CACHE);} - bool noCache() const {return isSet(CC_NO_CACHE);} - void noCache(bool v) {setMask(CC_NO_CACHE,v);} - void clearNoCache() {setMask(CC_NO_CACHE,false);} + const String &noCache() const {return no_cache;} + void noCache(String &v) { + setMask(CC_NO_CACHE,true); + // uses append for multi-line headers + if (no_cache.defined()) + no_cache.append(","); + no_cache.append(v); + } + void clearNoCache() {setMask(CC_NO_CACHE,false); no_cache.clean();} //manipulation for Cache-Control: no-store header bool hasNoStore() const {return isSet(CC_NO_STORE);} @@ -166,6 +178,9 @@ int32_t max_stale; int32_t stale_if_error; int32_t min_fresh; + String private_; ///< List of headers sent as value for CC:private="...". May be empty/undefined if the value is missing. + String no_cache; ///< List of headers sent as value for CC:no-cache="...". May be empty/undefined if the value is missing. + /// low-level part of the public set method, performs no checks _SQUID_INLINE_ void setMask(http_hdr_cc_type id, bool newval=true); _SQUID_INLINE_ void setValue(int32_t &value, int32_t new_value, http_hdr_cc_type hdr, bool setting=true); diff -u -r -N squid-3.3.3/src/icp_v2.cc squid-3.3.4/src/icp_v2.cc --- squid-3.3.3/src/icp_v2.cc 2013-03-12 23:17:07.000000000 +1300 +++ squid-3.3.4/src/icp_v2.cc 2013-04-27 15:34:48.000000000 +1200 
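Review bot: `Private(String &v)` and `noCache(String &v)` take their argument by non-const reference although they only read it, which rejects a `const String` or a temporary at the call site; change both to `const String &v` (assuming `String::append` accepts a const reference, which the `append(",")` call suggests). The comment `// uses append for multi-line headers` describes the `,` joining only indirectly; `// join repeated directives with ',' (the header may be split across lines)` says what the code does.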
@@ -429,9 +429,9 @@ bool icpAccessAllowed(Ip::Address &from, HttpRequest * icp_request) { - /* absent an explicit allow, we deny all */ + /* absent any explicit rules, we deny all */ if (!Config.accessList.icp) - return true; + return false; ACLFilledChecklist checklist(Config.accessList.icp, icp_request, NULL); checklist.src_addr = from; diff -u -r -N squid-3.3.3/src/ip/Intercept.cc squid-3.3.4/src/ip/Intercept.cc --- squid-3.3.3/src/ip/Intercept.cc 2013-03-12 23:17:07.000000000 +1300 +++ squid-3.3.4/src/ip/Intercept.cc 2013-04-27 15:34:48.000000000 +1200 @@ -34,6 +34,7 @@ #include "comm/Connection.h" #include "ip/Intercept.h" #include "fde.h" +#include "src/tools.h" #if IPF_TRANSPARENT @@ -277,6 +278,21 @@ } bool +Ip::Intercept::PfTransparent(const Comm::ConnectionPointer &newConn, int silent) +{ +#if PF_TRANSPARENT && defined(SO_BINDANY) + /* Trust the user configured properly. If not no harm done. + * We will simply attempt a bind outgoing on our own IP. + */ + newConn->remote.SetPort(0); // allow random outgoing port to prevent address clashes + debugs(89, 5, HERE << "address DIVERT: " << newConn); + return true; +#else + return false; +#endif +} + +bool Ip::Intercept::PfInterception(const Comm::ConnectionPointer &newConn, int silent) { #if PF_TRANSPARENT /* --enable-pf-transparent */ @@ -352,6 +368,7 @@ /* NP: try TPROXY first, its much quieter than NAT when non-matching */ if (transparentActive_ && listenConn->flags&COMM_TRANSPARENT) { if (NetfilterTransparent(newConn, silent)) return true; + if (PfTransparent(newConn, silent)) return true; } /* NAT is only available in IPv4 */ @@ -378,9 +395,8 @@ bool Ip::Intercept::ProbeForTproxy(Ip::Address &test) { - debugs(3, 3, "Detect TPROXY support on port " << test); - #if defined(IP_TRANSPARENT) + debugs(3, 3, "Detect TPROXY support on port " << test); int tos = 1; int tmp_sock = -1; 
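Review bot: The flipped default in `icpAccessAllowed` (no ICP access list configured now denies instead of allows) is the right fail-closed choice, but the new comment does not tell an operator whose peers suddenly stop getting ICP replies what changed, and the rest of the function is outside the hunk. Suggest `/* no ICP access rules configured: fail closed and deny every query (earlier releases allowed all) */`, and consider a low-level debugs() in that branch so silently dropped queries can be diagnosed.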
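Review bot: `PfTransparent` never uses its `silent` parameter and returns true unconditionally whenever it is compiled in, so nothing about `newConn` is verified before `remote.SetPort(0)` and the header's promise of "whether successfully located the new address" is not really met. If the DIVERT path genuinely needs no lookup (my reading; please confirm), say so in the code instead of "Trust the user configured properly", e.g. `// DIVERT: nothing to look up, only reset the port so the spoofed outbound bind may use any port`, and either drop the parameter name (`int /*silent*/`) or mark it unused so the function stays clean under warnings-as-errors builds.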
@@ -435,8 +451,51 @@ } } -#else /* undefined IP_TRANSPARENT */ - debugs(3, 3, "setsockopt(IP_TRANSPARENT) not supported on this platform. Disabling TPROXYv4."); +#elif defined(SO_BINDANY) + debugs(3, 3, "Detect BINDANY support on port " << test); + + int tos = 1; + int tmp_sock = -1; + + if (test.IsIPv6()) { + debugs(3, 3, "...Probing for IPv6 SO_BINDANY support."); + + struct sockaddr_in6 tmp_ip6; + Ip::Address tmp = "::2"; + tmp.SetPort(0); + tmp.GetSockAddr(tmp_ip6); + + if ((tmp_sock = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP)) >=0 && + (setsockopt(tmp_sock, SOL_SOCKET, SO_BINDANY, (char *)&tos, + sizeof(tos)) == 0) && + (bind(tmp_sock, (struct sockaddr*)&tmp_ip6, sizeof(struct sockaddr_in6)) == 0)) { + debugs(3, 3, "IPv6 BINDANY support detected. Using."); + close(tmp_sock); + return true; + } + } + + if (test.IsIPv4()) { + debugs(3, 3, "...Probing for IPv4 SO_BINDANY support."); + + struct sockaddr_in tmp_ip4; + Ip::Address tmp = "127.0.0.2"; + tmp.SetPort(0); + tmp.GetSockAddr(tmp_ip4); + + if ((tmp_sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) >=0 && + (setsockopt(tmp_sock, SOL_SOCKET, SO_BINDANY, (char *)&tos, + sizeof(tos)) == 0) && + (bind(tmp_sock, (struct sockaddr*)&tmp_ip4, sizeof(struct sockaddr_in)) == 0)) { + debugs(3, 3, "IPv4 BINDANY support detected. Using."); + close(tmp_sock); + return true; + } + } + +#else + debugs(3, 3, "TPROXY setsockopt() not supported on this platform. Disabling TPROXY."); + #endif return false; } diff -u -r -N squid-3.3.3/src/ip/Intercept.h squid-3.3.4/src/ip/Intercept.h --- squid-3.3.3/src/ip/Intercept.h 2013-03-12 23:17:07.000000000 +1300 +++ squid-3.3.4/src/ip/Intercept.h 2013-04-27 15:34:48.000000000 +1200 
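Review bot: Both new SO_BINDANY probes leak the test socket on the failure path: when `socket()` succeeds but `setsockopt()` or `bind()` fails, `tmp_sock` stays open, and the IPv4 branch then overwrites the descriptor. Add `if (tmp_sock >= 0) { close(tmp_sock); tmp_sock = -1; }` after each probe's if-block, which presumably mirrors the cleanup the IP_TRANSPARENT branch above the hunk performs. `tos` is a leftover name from that branch; it is the boolean passed to SO_BINDANY, so `int on = 1;` reads more honestly. The function starts before the hunk.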
@@ -124,7 +124,7 @@ bool IpfInterception(const Comm::ConnectionPointer &newConn, int silent); /** - * perform Lookups on PF interception. + * perform Lookups on PF interception target (REDIRECT). * * \param silent 0 if errors are to be displayed. 1 if errors are to be hidden. * \param newConn Details known, to be updated where relevant. @@ -132,6 +132,15 @@ */ bool PfInterception(const Comm::ConnectionPointer &newConn, int silent); + /** + * perform Lookups on PF fully-transparent interception target (DIVERT). + * + * \param silent 0 if errors are to be displayed. 1 if errors are to be hidden. + * \param newConn Details known, to be updated where relevant. + * \return Whether successfuly located the new address. + */ + bool PfTransparent(const Comm::ConnectionPointer &newConn, int silent); + int transparentActive_; int interceptActive_; time_t lastReported_; /**< Time of last error report. Throttles NAT error display to 1 per minute */ diff -u -r -N squid-3.3.3/src/ssl/ssl_crtd.cc squid-3.3.4/src/ssl/ssl_crtd.cc --- squid-3.3.3/src/ssl/ssl_crtd.cc 2013-03-12 23:17:07.000000000 +1300 +++ squid-3.3.4/src/ssl/ssl_crtd.cc 2013-04-27 15:34:48.000000000 +1200 @@ -251,7 +251,7 @@ try { size_t max_db_size = 0; size_t fs_block_size = 2048; - char c; + int8_t c; bool create_new_db = false; std::string db_path; // proccess options. diff -u -r -N squid-3.3.3/src/ssl/support.cc squid-3.3.4/src/ssl/support.cc --- squid-3.3.3/src/ssl/support.cc 2013-03-12 23:17:07.000000000 +1300 +++ squid-3.3.4/src/ssl/support.cc 2013-04-27 15:34:48.000000000 +1200 @@ -190,8 +190,10 @@ } ASN1_STRING *cn_data = check->d.dNSName; - if ( (*check_func)(check_data, cn_data) == 0) + if ( (*check_func)(check_data, cn_data) == 0) { + sk_GENERAL_NAME_pop_free(altnames, GENERAL_NAME_free); return 1; + } } sk_GENERAL_NAME_pop_free(altnames, GENERAL_NAME_free); } 
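Review bot: `int8_t c` in ssl_crtd.cc fixes the comparison with -1 on platforms where `char` is unsigned, but it is still the wrong type for an option-parsing loop: getopt-style functions return `int`, so the portable fix is `int c;` rather than truncating the result into a one-byte signed integer. The loop that assigns `c` is outside the hunk, so I cannot confirm it is getopt, but the `char`→`int8_t` change only makes sense for that pattern.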
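Review bot: The added `sk_GENERAL_NAME_pop_free` before `return 1` closes the leak on the match path in support.cc, but the stack is now freed in two places that must be kept in sync. A flag and single exit — `found = 1; break;` inside the loop, the one existing `sk_GENERAL_NAME_pop_free` after it, then returning `found` — keeps ownership in one spot. The function begins before the hunk and its final return is outside my view, so the exact shape needs adjusting there.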
@@ -1409,9 +1411,18 @@ bool Ssl::verifySslCertificate(SSL_CTX * sslContext, CertificateProperties const &properties) { + // SSL_get_certificate is buggy in openssl versions 1.0.1d and 1.0.1e + // Try to retrieve certificate directly from SSL_CTX object +#if OPENSSL_VERSION_NUMBER == 0x1000105fL || OPENSSL_VERSION_NUMBER == 0x1000104fL + X509 ***pCert = (X509 ***)sslContext->cert; + X509 * cert = pCert && *pCert ? **pCert : NULL; +#else // Temporary ssl for getting X509 certificate from SSL_CTX. Ssl::SSL_Pointer ssl(SSL_new(sslContext)); X509 * cert = SSL_get_certificate(ssl.get()); +#endif + if (!cert) + return false; ASN1_TIME * time_notBefore = X509_get_notBefore(cert); ASN1_TIME * time_notAfter = X509_get_notAfter(cert); bool ret = (X509_cmp_current_time(time_notBefore) < 0 && X509_cmp_current_time(time_notAfter) > 0); diff -u -r -N squid-3.3.3/src/store_dir.cc squid-3.3.4/src/store_dir.cc --- squid-3.3.3/src/store_dir.cc 2013-03-12 23:17:07.000000000 +1300 +++ squid-3.3.4/src/store_dir.cc 2013-04-27 15:34:48.000000000 +1200 @@ -240,7 +240,7 @@ * in the *tightest fit* swapdir to conserve space, along with the * actual swapdir usage. But for now, this hack will do while * testing, so you should order your swapdirs in the config file - * from smallest maxobjsize to unlimited (-1) maxobjsize. + * from smallest max-size= to largest max-size=. * * We also have to choose nleast == nconf since we need to consider * ALL swapdirs, regardless of state. Again, this is a hack while diff -u -r -N squid-3.3.3/src/tests/stub_libcomm.cc squid-3.3.4/src/tests/stub_libcomm.cc --- squid-3.3.3/src/tests/stub_libcomm.cc 2013-03-12 23:17:07.000000000 +1300 +++ squid-3.3.4/src/tests/stub_libcomm.cc 2013-04-27 15:34:48.000000000 +1200 
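Review bot: The OpenSSL 1.0.1d/1.0.1e workaround reads the certificate through `(X509 ***)sslContext->cert`, which depends on the private layout of `struct cert_st` (its first member pointing at a `CERT_PKEY` whose first member is the `X509 *`) and is keyed only on `OPENSSL_VERSION_NUMBER`; a vendor build reporting one of those two numbers with a different internal layout would dereference garbage. Document the assumption where it is made, e.g. `// assumes cert_st's first member is the CERT_PKEY* and CERT_PKEY's first member is X509*; re-check the OpenSSL headers whenever this version list changes`. In the normal path, `SSL_new()` can return NULL and, as far as I recall, `SSL_get_certificate()` reads `ssl->cert` without a NULL check, so the new `if (!cert)` guard should be preceded by `if (!ssl) return false;`.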
@@ -7,8 +7,8 @@ #include "comm/AcceptLimiter.h" Comm::AcceptLimiter dummy; Comm::AcceptLimiter & Comm::AcceptLimiter::Instance() STUB_RETVAL(dummy) -void Comm::AcceptLimiter::defer(Comm::TcpAcceptor *afd) STUB -void Comm::AcceptLimiter::removeDead(const Comm::TcpAcceptor *afd) STUB +void Comm::AcceptLimiter::defer(const Comm::TcpAcceptor::Pointer &afd) STUB +void Comm::AcceptLimiter::removeDead(const Comm::TcpAcceptor::Pointer &afd) STUB void Comm::AcceptLimiter::kick() STUB #include "comm/Connection.h" diff -u -r -N squid-3.3.3/tools/squidclient.1 squid-3.3.4/tools/squidclient.1 --- squid-3.3.3/tools/squidclient.1 2013-03-12 23:17:07.000000000 +1300 +++ squid-3.3.4/tools/squidclient.1 2013-04-27 15:34:48.000000000 +1200 @@ -7,7 +7,7 @@ . .SH SYNOPSIS .if !'po4a'hide' .B squidclient -.if !'po4a'hide' .B "[ \-arsv ] [ \-A" +.if !'po4a'hide' .B "[ \-aknNrsv ] [ \-A" string .if !'po4a'hide' .B "] [ \-g" count @@ -25,8 +25,6 @@ local host .if !'po4a'hide' .B "] [ \-m" method -.if !'po4a'hide' .B "] [ \-n" -.if !'po4a'hide' .B "] [ \-N" .if !'po4a'hide' .B "] [ \-p" port .if !'po4a'hide' .B "] [ \-P" @@ -98,6 +96,10 @@ Host header content . .if !'po4a'hide' .TP +.if !'po4a'hide' .B "\-k" +Keep the connection active. Default is to do only one request then close. +. +.if !'po4a'hide' .TP .if !'po4a'hide' .B "\-l host" Specify a local IP address to bind to. Default is none. .