Squid 3.0 release notes

Squid Developers

1. Key changes from squid 2.5:

• Convert core squid source to C++ (Robert Collins).
• http_port optional, allowing for SSL-only operation. Squid will refuse to start unless at least one port is defined. (Henrik Nordström).
• Ability to read the configuration file from an external program pipe (Henrik Nordström).
• Major cleanup or CARP. Now plays well with the other peering algorithms as just another non-ICP peering method. This also allows CARP support to be compiled by default with no need to recompile Squid to use CARP (Henrik Nordström)
• Class 4 delay pools - user specific buckets. (Robert Collins).
• Comms layer refactored to increase efficiency (Adrian Chadd).
• epoll support (David Nicklay)
• kqueue support (Adrian Chadd)
• Range processing moved from client side to both client and server (Robert Collins).
• Added support for sys/bitypes.h, apparently needed for some of the bittypes on tru64 and possibly others. (Henrik Nordström)
• Edge Side Include implementation (www.esi.org). (Robert Collins).
• Reduce the depth of recursion in make, improving make -j performance. (Robert Collins)
• Cleanup of the relation between accelerated request and transparently intercepted request. The two are now handled separately from each other. This fixes two issues:
  • Transparently intercepted requests is no longer under the restrictions of accelerated requests in peering relations etc..
  • No risk of confusion in authentication. Authentication is now allowed for accelerated requests but not transparently intercepted requests.
  (Henrik Nordström)
• Change --disable-hostname-checks to --enable-hostname-checks, default to not verify hostname sanity. (Henrik Nordström)
• also removed the dot magics from hostname parsing. These are more evil than helpful and breaks semantic transparency in certain configurations. (Henrik Nordström)
• added reporting of "Process Data Segment Size via sbrk()" when sbrk() call exists. According to the sbrk() man page, calling sbrk(0) returns the end of the data segment. By storing the data segment offset when Squid starts, we can report the size of the data segment at any time. This might be a better metric than getrusage()'s MAX RSS, which, in my experience, is often less than the process size reported by 'ps' (presumably because some of the processes memory is swapped to disk). However, initial tests show that the sbrk() trick reports a value slightly smaller than reported by 'ps'. (Duane Wessels)
• failure_ratio is a ratio, not a percentage. Removed %% from printf. (Duane Wessels)
• Start using inline C and C++ code via .cci source files. This defaults to inlined, with a configure option to disable for troubleshooting or development. (Robert Collins).
• Better MacOSX support (Robert Collins, Adrian Chadd, Henrik Nordström)
• --with-filedescriptors=XX configure option (Francesco Chemolli)
• UNIX domain IPC now used by default for helpers, no loger relying on TCP/IP sockets via loopback. (Henrik Nordström)
• Removed potentially dangerous debugging related configure options. Developers know how to edit configure.in or set defines. (Henrik Nordström)
• --enable-large-files to enable support for large files (>2GB) on 32-bit GNU libc systems. (Henrik Nordström)
• Digest auth helper improvements (Robert Collins, Sean Burford)
• Digest authentication scheme bugfixs & improvements (Robert Collins)
• accelerator mode cleaned up, using the design from the rproxy development branch
  • The httpd_accel_* directives is now gone, replaced by http(s)_port options and cache_peer based request forwarding.
  • The http(s)_port options has a list of new options for controlling the type and mode of port created with respect to
    • transparent proxying
    • plain acceleration
    • host header based acceleration
    • normal proxying (default)
  • To enforce a reasonable level of security in accelerators, accelerated requests are denied to go direct unless forced by always_direct.
  (Henrik Nordström)
• Cache manager auth helper output tidyup (Duane Wessels).
• Native Windows port enhancements:
  • Another fix for profiling support
  • Added correct timezone handling
  • Fixed rotate problem
  • Added native Windows support to client.cc
  • This patch add the native Windows support for profiling and fix some C++/C include files problems.
  • Support for Windows .NET (5.2).
  • Added native Windows and Cygwin support to pinger.cc
  • Introduced the use of IPPROTO_TCP and IPPROTO_UDP defines instead of '0' on comm_open, needed by Winsocket. See this old squid-dev thread about http://www.squid-cache.org/mail-archive/squid-dev/200108/0162.html.
  • Added native Windows support to cachemgr.cc
  • Added native Windows support to dnsserver.cc
  • On Windows, fork() is not available, so we need to use a workaround in store_dir.cc for create store directories sequentially
  By Guido Serassio.
• SSL support update
  • SSL encrypted peers
  • https:// gatewaying/proxying for clients not supporting SSL or URLs rewritten via a redirector to https://...
  • Client certificate support
  • Hardware crypto SSL acceleration support via OpenSSL engine
  • SSL key/certificate now read while parsing squid.conf to support secure key protection in combination with chroot..
  • A few minor bugfixes/optimizations
  (Henrik Nordström)
• --enable-default-hostsfile configure option by Guido Serassio. Tells the default /etc/hosts file location
• New squid.conf directive to disable hostname verifications. It isn't really our business to enforce what characters is used in hostnames. (Henrik Nordström).
• Peering enhancement options for satellite or other high latency links by Robert Cohen.
• Cleanup of authentication forwarding, and added authentication gatewaying proxy->reverseproxy when the same Squid is acting as both proxy and reverseproxy with authentication. (Henrik Nordström)
• The mailto links on Squid's ERR pages now contain data about the cccurred error by default, so that the email will contain this data in its body. This feature can be disabled via the email_err_data directive. (Clemens Löser)
• pipeline_prefetch is disabled and known to be broken due to internal store_client_copy() change (Henrik Nordström)
• ncsa_auth extened with support for MD5 hashes. (Henrik Nordström)
• Complain if open of /dev/null fails; avoids infinite loop in ipcCreate() and gives a correct error message should this occur.
• Properly quote the quoting character '%' in log_quote() and username_quote().
• in icmpRecv(), Handle the case when recv() returns EAGAIN and do not treat it like an error.
• Update squid to build with gcc/g++ 3.3 with no warnings.
• wb_group updated to support domain qualified groups (Guido Serassio)
• most helper interfaces now support multiple overlapping requests (external_acl_type, redirect_program, basic auth).
• custom log formats, and the ability to log different requests to different log files.
• ext_user acl type added for matching the user name returned by external acls. Not longer abusing the ident acl for this purpose
• external_acl extended with soft timeouts
• external_acl can optionally return information to be logged in access.log
• Requests denied due to 'http_reply_access' are now logged with TCP_DENIED_REPLY.
• Added counters for HTCP messages sent and received, reported in 'info' cache manager page.
• Fixed 'ICP dynamic timeout algorithm ignores multicast' bug
• Bug #743: "#ifdef HTTP_VIOLATIONS" should be "#if HTTP_VIOLATIONS"

2. Changes to squid.conf

read_ahead_gap

Config directive by Jeffrey D. Wheelhouse. Allows the read-ahead gap to be configured from squid.conf (previously hardcoded at 16 KB)

request_entities

New squid.conf directive "request_entities on/off".If set to "on" then Squid will allow GET/HEAD requests with request entities, even if such entites are "undefined" in the HTTP specification. (Henrik Nordström)

cache_peer

New options for reverse proxy setups

• originserver
• name=XXX
• forceddomain=XXX

https_port

Many new SSL options

dhparams=/path/to/file.pem

https_port option to specify DH parameters for forward-secrecy in encryption. (Henrik Nordström)

clientca= etc

specifies which CA to accept client certificates from

defaultsite

specifies the accelerated site name

http(s)_port

Many new options to control acceleration, transparent proxying etc

header_replace

This is now dependent on --disable-http-violations (Henrik Nordström)

email_err_data

Allow disabling the data now embedded in the mailto links on Squid's ERR pages.

reply_body_max_size

No longer uses allow/deny. Instead it is specified as a size followed by acl elements. The size "none" can be used for no limit (the default)

external_acl_type

The argument which was named concurrenty= in Squid-2.5 is now named children=. concurrency= has a different meaing in Squid-3.0 and your external acls will not work until updated.

ext_user acl

this acl matches the username returned by external acl. ident can no longer be used for this purpose.

access_log

The access_log directive now optionally includes specifications on what log format to use and acls matching which requests to log. Can be specified multiple times to log different requests to different files.

logformat

new directive to define custom log formats

httpd_accel_*

These directives have been replaced by http(s)_port options and cache_peer based request forwarding. Note that you can no longer run proxy and acceleration mode on the same port. If you previously did this you now need to define two ports, one for acceleration, one for proxying.

3. Known limitations

• SSL Acceleration Support - CRL's are not currently supported. The design has been completed, but time to implement is missing - contact squid-dev@squid-cache.org for more details.
• tcp_outgoing_addr/tos uses "fast" ACL checks and is somewhat limited in what kind of acl types you may use. Probably only src/my_port/my_addr/dstdomain/method/port/url* acl types is reliable.
• reply_body_max_size is uses "fast" ACL checks and may occationally fail on acls which may require external lookups (dst/srcdomain/external).

4. Other internal changes mostly of interest to developers

• Andres Kroonmaa's chunked memory pool allocator included.
• clientStreams, rationalising the client side logic to allow plugin output streams, and providing a simple interface to the store. See the programmers guide for details. (Robert Collins).
• Clean up the squid code to consistenly use [u_]int<len>_t throughout, rather than some [u_]num<len> and some [u_]<len>_t instances. (Robert Collins).
• Spelling corrections by Reuben Farrelly.
• Object reference counting supported to ease some programming tasks (Robert Collins).
• Deferred reads removed from comms layer, implemented a layer above, allowing more efficent comms layers (such as epoll). (Robert Collins).
• ACL Source code extracted into multiple separate classes, allowing great flexability in future development, and also for custom squid builds today. (Robert Collins)
• Delay classes heavily refactored to allow easier extension and reuse. (Robert Collins).
• autoconf 2.5 support (Robert Collins).
• Hi-resolution CPU profiling from Andres Kroonma, for single-threaded use only.
• Cleaned up module/helper configure checks to use the same logics everywhere. (Henrik Nordström)
• Unify much of the IO logic, shrinking the code base for diskd/aufs/ufs. (Robert Collins).
• Introduce 'make check' support to provide an automated test suite for squid. (Robert Collins).
• pthreads detection and compilation bugfixes. (Henrik Nordström, Robert Collins)
• Killed the remains of ALARM_UPDATES_TIME (--enable-time-hack) (Henrik Nordström)
• Centralised the IPC type selection to defines.h by the defines IPC_STREAM and IPC_DGRAM. (Henrik Nordström)
• Astyle is the code formatter of choice for squid-3 C++ code. See http://www.squid-cache.org/ robertc/squid-3-style.txt for the squid 3 style conventions.
• Fix "access_log none" (and "forward_log none") (Arkadi E. Shishlov).