Squid 6.4 release notes

Squid Developers

1. Notice

2. Major new features since Squid-5

3. Changes to squid.conf since Squid-5

4. Changes to ./configure options since Squid-5

5. Regressions since Squid-2.7

6. Copyright


1. Notice

The Squid Team are pleased to announce the release of Squid-6.4 for testing.

This new release is available for download from http://www.squid-cache.org/Versions/v6/ or the mirrors.

While this release is not deemed ready for production use, we believe it is ready for wider testing by the community.

We welcome feedback and bug reports. If you find a bug, please see https://wiki.squid-cache.org/SquidFaq/BugReporting for how to submit a report with a stack trace.

1.1 Known issues

Although this release is deemed good enough for use in many setups, please note the existence of open bugs against Squid-6.

Support for compiling on HPUX with the native HP xcc compiler has been removed. To build on that OS/compiler combination, it is possible to pass these environment variables to ./configure: CC="cxx -Ae" RANLIB=":"

This release adds a dependency on C++17 support in any compiler used to build Squid. GCC 8+ and Clang 8+ support C++17.

1.2 Changes since earlier releases of Squid-6

The Squid-6 change history can be viewed here.

2. Major new features since Squid-5

Squid-6 represents a new feature release above Squid-5.

The most important of these new features are:

Most user-facing changes are reflected in squid.conf (see below).

2.1 TLS ServerHello

Squid is now more lenient towards misconfigured tls-cert= file contents. Squid will attempt to sort the CA chain and send certificates in the order required by TLS ServerHello.

Squid no longer sends the tls-clientca= on https_port server handshakes. This fix breaks misconfigured Squid deployments that (usually unknowingly) rely on the OpenSSL clientca 'leak' to build a complete https_port server certificate chain sent to TLS clients. Such deployments should add the right intermediate CA certificate(s) to their tls-cert= bundle (or equivalent).

2.2 Log TLS Communication Secrets

Squid now records pre-master secret and related encryption details for TLS connections accepted or established by Squid. These connections include connections accepted at https_port, TLS connections opened to origin servers/cache_peer/ICAP services, and TLS tunnels bumped by Squid using the SslBump feature.

Logging of these details is controlled by the tls_key_log directive. See the squid.conf documentation for details.

2.3 Ban ACL key changes in ACLs

More info in the commit description.

Certain Squid ACLs can check the value of a specific key=value where the key name is configurable. These ACLs are unable to check multiple different key names.

Squid did write a cache.log ERROR for req_header/rep_header key changes but was silent about the preceding note ACL rules being ineffective after a key name change.

Squid will now actively reject all such configurations.
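Added illustration (not from the release notes or the Squid project) of the kind of configuration Squid-6 now rejects, assuming a note ACL whose key name changes in a second declaration line, beside a corrected form that checks each key under its own ACL name:

```conf
# Rejected in Squid-6: the same ACL name re-declared with a different key name.
# Earlier versions silently left the first line ineffective.
acl trustedUser note team blue
acl trustedUser note role admin     # key changes from "team" to "role": config rejected

# Corrected: one ACL per key name, combined in the access rule.
acl blueTeam  note team blue
acl adminRole note role admin
http_access allow blueTeam adminRole
```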

2.4 Block to-local Traffic

More info in the policy change commit and the ACL creation commit.

This Squid introduces the to_linklocal ACL as pre-defined to match requests from 169.254.0.0/16 and fe80::/10.

The default configuration settings are changed to:

    http_access allow localhost
    http_access deny to_localhost
    http_access deny to_linklocal
    # http_access allow localnet

These changes only affect the default squid.conf and new installs. Upgraded installations will continue to use their previous settings.

2.5 RFC 9211: HTTP Cache-Status support

See also RFC 9211.

This HTTP header replaces X-Cache and X-Cache-Lookup which are no longer emitted by Squid. Any tools or management systems relying on those X- headers need to be upgraded to work with the new standardized header.
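For tools that parsed the removed X-Cache header, here is an added example (not Squid code) of an RFC 9211 Cache-Status parser covering the RFC 8941 structured-field subset the header uses, plus a helper that maps the client-nearest list member back to the old "HIT from"/"MISS from" form; the header values in the tests are constructed, not Squid output.

```python
import re

# Cache-Status is a comma-separated list; each member is a token or quoted
# string (the cache identifier) followed by ";key" or ";key=value" parameters
# such as hit, fwd, fwd-status, ttl, stored, collapsed, key and detail.
_TCHAR = r"[A-Za-z0-9!#$%&'*+\-.^_`|~:/]"
_TOKEN = r"[A-Za-z*]" + _TCHAR + "*"
_STRING = r'"(?:[^"\\]|\\[\\"])*"'
_INT = r"-?[0-9]+"
_MEMBER = re.compile(r"\s*(" + _TOKEN + "|" + _STRING + ")")
_PARAM = re.compile(r"\s*;\s*([a-z*][a-z0-9_.*-]*)(?:=(" + _STRING + "|" + _TOKEN + "|" + _INT + "))?")


def _value(raw):
    """Convert a raw parameter value: quoted string, integer, or bare token."""
    if raw.startswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])   # undo \" and \\ escapes
    if re.fullmatch(_INT, raw):
        return int(raw)
    return raw


def parse_cache_status(header_value):
    """Return [(cache_id, {param: value}), ...] in header order (origin side first)."""
    entries, pos = [], 0
    while pos < len(header_value):
        m = _MEMBER.match(header_value, pos)
        if not m:
            raise ValueError("bad Cache-Status member at offset %d" % pos)
        cache_id, pos, params = _value(m.group(1)), m.end(), {}
        while (pm := _PARAM.match(header_value, pos)):
            key, raw = pm.group(1), pm.group(2)
            params[key] = True if raw is None else _value(raw)   # bare key = boolean true
            pos = pm.end()
        entries.append((cache_id, params))
        rest = header_value[pos:].lstrip()
        if not rest:
            break
        if not rest.startswith(","):
            raise ValueError("expected ',' at offset %d" % (len(header_value) - len(rest)))
        pos = len(header_value) - len(rest) + 1   # skip the comma separator
    return entries


def legacy_x_cache(header_value):
    """Emulate the removed X-Cache value ("HIT from <id>" / "MISS from <id>")
    for the cache closest to the client, which RFC 9211 places last in the list."""
    cache_id, params = parse_cache_status(header_value)[-1]
    return "%s from %s" % ("HIT" if params.get("hit") else "MISS", cache_id)
```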

2.6 RFC 9111: Stop treating Warning specially

RFC 9111 obsoletes the Warning header, removing all specification requirements about it.

This Squid changes behaviour in regards to that header:

2.7 ext_kerberos_ldap_group_acl: Support -b with -D

Previous versions of this helper ignore the -b option when the -D option is used.

Fixing this limitation adds support for FreeIPA and limited subtree searching.

2.8 Remove Gopher Protocol Support

With this change, Gopher requests will be handled like any other request with an unknown (to Squid) protocol. For example, HTTP requests with gopher:// URL scheme result in ERR_UNSUP_REQ.

Default Squid configuration still considers TCP port 70 safe. The corresponding Safe_ports ACL rule has not been removed.

2.9 Removed Outdated Tools

We do not have enough resources/demand for maintaining these tools, they do require maintenance, and there are better tools available.

3. Changes to squid.conf since Squid-5

This section gives an account of those changes in three categories:

3.1 New directives

paranoid_hit_validation

Controls whether to perform extra internal checks when loading entries from the on-disk cache.

cache_log_message

Configure logging options on a per-message basis, overriding the per-section options. Message IDs are guaranteed stable across builds and releases. Only a few messages support this for now.

3.2 Changes to existing directives

time units

All directives accepting time values now accept a time unit suffix from nanosecond to decade.

sslcrtvalidator_program

New ttl=infinity option to disable TTL expiry on stored helper responses.

logformat

New transport::>connection_id code to display on which transport-level connection the request was received.

New busy_time code to display the cumulative CPU time spent processing the request, excluding the time spent waiting for external resources. WARNING: this time is approximate and is known to have bugs and gaps, so consider it a lower bound.

New request_attempts code to display how many forwarding attempts were made for this request.

Squid now adds ABORTED to values printed by the Ss code in more cases where a TCP Squid-to-server connection was closed prematurely.

Squid now logs TCP_TUNNEL with the Ss code when a CONNECT tunnel is attempted, not just on successful tunnel setup.

server_cert_fingerprint

Removed the broken -sha option. SHA1 remains the default and only supported fingerprinting algorithm. Configuring it is unnecessary.

3.3 Removed directives

announce_file

Obsolete. Squid no longer provides functionality to enroll in the cache registration service.

announce_host

Obsolete. Squid no longer provides functionality to enroll in the cache registration service.

announce_period

Obsolete. Squid no longer provides functionality to enroll in the cache registration service.

announce_port

Obsolete. Squid no longer provides functionality to enroll in the cache registration service.

request_entities

Obsolete. Squid accepts an entity (aka payload, body) on HTTP/1.1 GET or HEAD requests when a Content-Length or Transfer-Encoding header is present to clearly determine its size.

To retain the old behaviour of rejecting GET/HEAD payloads for HTTP/1.1, use http_access rules such as:

  acl fetch method GET HEAD
  acl entity req_header Content-Length .
  http_access deny fetch entity

Squid will reject use of the Content-Length header on HTTP/1.0 messages with the GET, HEAD, DELETE, LINK and UNLINK methods, since the HTTP/1.0 specification defines those as not having entities. To deliver entities with these methods, the chunked encoding feature defined by HTTP/1.1 must be used, or the request upgraded to an HTTP/1.1 message.

4. Changes to ./configure options since Squid-5

This section gives an account of those changes in three categories:

4.1 New options

--with-cap

Replacement for --with-libcap.

--with-xml2

Replacement for --with-libxml2.

--with-ldap

Compile with OpenLDAP, Mozilla LDAP, or Windows LDAP support.

LDAP support is enabled by default. Use --without-ldap to disable.

4.2 Changes to existing options

No ./configure options have been changed.

4.3 Removed options

--enable-cpu-profiling

This feature has been unreliable for many years. Other tools such as oprofile provide better tracking and should be used instead.

--enable-debug-cbdata

This feature has been of limited use since AsyncCalls feature took over much of the CBDATA functionality.

--enable-gnuregex

Squid no longer ships with a built-in GnuRegex implementation.

--enable-kill-parent-hack

This feature has been deprecated for years. Other features such as --foreground command line argument should be used instead.

--enable-leakfinder

Removed. Using Valgrind for leak detection is still supported.

--disable-loadable-modules

This option was performing the same duties as --disable-shared.

--with-libcap

Replaced by --with-cap.

--with-libxml2

Replaced by --with-xml2.

5. Regressions since Squid-2.7

Some squid.conf options which were available in Squid-2.7 are not yet available in Squid-6.

If you need something to do then porting one of these from Squid-2 is most welcome.

5.1 Missing squid.conf options available in Squid-2.7

broken_vary_encoding

Not yet ported from 2.6

cache_peer

monitorinterval= not yet ported from 2.6

monitorsize= not yet ported from 2.6

monitortimeout= not yet ported from 2.6

monitorurl= not yet ported from 2.6

cache_vary

Not yet ported from 2.6

error_map

Not yet ported from 2.6

external_refresh_check

Not yet ported from 2.7

location_rewrite_access

Not yet ported from 2.6

location_rewrite_children

Not yet ported from 2.6

location_rewrite_concurrency

Not yet ported from 2.6

location_rewrite_program

Not yet ported from 2.6

refresh_pattern

stale-while-revalidate= not yet ported from 2.7

ignore-stale-while-revalidate= not yet ported from 2.7

negative-ttl= not yet ported from 2.7

refresh_stale_hit

Not yet ported from 2.7

update_headers

Not yet ported from 2.7

6. Copyright

Copyright (C) 1996-2023 The Squid Software Foundation and contributors

Squid software is distributed under GPLv2+ license and includes contributions from numerous individuals and organizations. Please see the COPYING and CONTRIBUTORS files for details.