The Squid Team are pleased to announce the release of Squid-3.1.22
This new release is available for download from http://www.squid-cache.org/Versions/v3/3.1/ or the mirrors.
A large number of the show-stopper bugs have been fixed along with general improvements to the ICAP support. While this release is not fully bug-free we believe it is ready for use in production on many systems.
We welcome feedback and bug reports. If you find a new bug, please see http://wiki.squid-cache.org/SquidFaq/BugReporting for how to submit a report with a stack trace and other required details. Additional information is also very welcome on other open bugs.
Although this release is deemed good enough for use in many setups, please note the existence of open bugs against Squid-3.1.
Some issues to note as currently known in this release which are not able to be fixed in the 3.1 series are:
Currently known issues which only depends on available developer time and may still be resolved in a future 3.1 release are:
The 3.1 change history can be viewed here.
Squid 3.1 represents a new feature release above 3.0.
The most important of these new features are:
Most user-facing changes are reflected in squid.conf (see below).
Begining with 3.1 the Squid Developers are using a new release numbering system.
We have decided, based on input from interested users to drop the Squid-2 terminology of (DEVEL, PRE, RC, and STABLE) from the release package names. These are replaced with a simpler 3-tier system based around the natural code development cycle.
Daily generated snapshots of all current versions are provided as testing (old DEVEL) and bug-fix releases. These are numbered from their last release with a date appended. Snapshots generated from 3.HEAD continue to be highly volatile.
Regular feature releases from Squid-3 will be branched out as sub-versions. Such as this Squid-3.1.
All this is previous policy you should be accustomed to. Now we get to the new numbering change.
Initial branch packages will be generated with a 3.X.0.Z version as beta testing packages. Packages and Snapshots generated with these 3-dot numbers are expected to be relatively stable regarding feature behaviors. Suitable for testing, but without any guarantees under production loads. This replaces both the old PRE and RC packages.
If a large number of bugs are found several *.0.Z packages may be attempted before any is fully frozen for production use. To be frozen as stable the code must be compiling well and have passed a period of 14 days with no new bugs reported against the new code added in that release.
When one of these Squid-3.X.0.Z packages passes those criteria a 3.X.Y numbered release will be made.
We can only hope enough testing has been done to consider these ready for production use. As always we are fully dependent on people testing the previous packages and reporting all bugs.
In support of all this are several squid-dev process changes which have been worked out over the last year.
squid.conf has undergone a facelift.
Don't worry, few operational changes have been made. Older configs from Squid 2.x and 3.0 are still expected to run in 3.1 with only the usual minor changes seen between major release. Details on those are listed below.
New users will be relieved to see a very short squid.conf on clean installs. Many of the options have reasonable defaults but had previously needed them explicitly configured! These are now proper built-in defaults and no longer need to be in squid.conf unless changed.
All of the option documentation has been offloaded to another file squid.conf.documented which contains a fully documented set of available options previously cluttering up squid.conf itself.
Package maintainers are provided with a second file squid.conf.default which as always contains the default config options provided on a clean install.
We are also providing online copies of configuration documentation. Updated live to match the latest release of each Squid series, and a combined global version. This is available on the Squid website
Squid 3.1 supports IPv6. Details in The Squid wiki
Squid handles localhost values seperately. For the purpose of ACLs and also external connections ::1 is considered a seperate IP from 127.0.0.1. This means all ACL which define behaviour for localhost may need ::1/128 included.
Pinger has been upgraded to perform both ICMP and ICMPv6 as required. As a result of this and due to a change in the binary protocol format between them, new builds of Squid are no longer backwards-compatible with old pinger binaries. You will need to perform "make install-pinger" again after installing Squid.
Peer and Client SNMP tables have been altered to handle IPv6 addresses. As a side effect of this the long-missing fix to show seperate named peers on one IP has been integrated. Making the SNMP peer table now produce correct output. The table structure change is identical for both IPv4-only and Dual modes but with IPv4-only simply not including any IPv6 entries. This means any third-party SNMP software which hard coded the MIB paths needs to be upgraded for this Squid release. Details can be found in the wiki SNMP feature page.
In this release there is incomplete split-stack support. This means that OS which do not provide IP stacks based on the KAME stack with Hybrid extensions to do IPv4-mapping cannot use full IPv6 with Squid. From 3.1.6 the automatic capability detection will enable these abilities:
NOTE: ICAP, SNMP, ICP and HTCP are not yet opening double ports so they will only run as IPv4-only or IPv6-only.
Specify a specific tcp_outgoing_address and the clients who match its ACL are limited to the IPv4 or IPv6 network that address belongs to. They are not permitted over the IPv4-IPv6 boundary. Some ACL voodoo can however be applied to explicitly route the IPv6/IPv4 bound traffic (DIRECT access) out an appropriate interface. See the squid.conf documentation for further details.
WCCP is not available (neither version 1 or 2). It remains built into Squid for use with IPv4 traffic but IPv6 cannot use it.
Pseudo-Transparent Interception is done via NAT at the OS level and is not available in IPv6. Squid will ensure that any port set with transparent or intercept options be an IPv4-only listening address. Wildcard can still be used but will not open as an IPv6. To ensure that Squid can accept IPv6 traffic on its default port, an alternative should be chosen to handle transparently intercepted traffic.
http_port 3128 http_port 8080 intercept
Real transparent Interception (TPROXY) may be able to perform IPv6 interception. However this currently still needs patching of kernels older than 2.6.37. Squid will attempt to discover support on startup and may permit or deny IPv6 wildcard for tproxy flagged ports depending on your system.
The bundled NTLM Auth helper is IPv4-native between itself and the NTLM server. A new one will be needed for IPv6 traffic between the helper and server.
The bundled RADIUS Auth helper is IPv4-native, both in traffic between and data storage with the RADIUS server. A new helper will be needed for IPv6 RADIUS protocol.
Details in The Squid wiki
The error pages presented by Squid may now be localized per-request to match the visitors local preferred language.
The error_directory option in squid.conf needs to be removed.
For best coverage of languages, using the latest language pack of error files is recommended. Updates can be downloaded from www.squid-cache.org/Versions/langpack/
The Squid developers are interested in making Squid available in a wide variety of languages. Contribution of new languages is encouraged.
To further enhance the visitor experience all new translations have embeded CSS hooks for scalable per-site localization of the display.
CSS display is controlled by updating the errorpage.css file installed into Squids configuration directory or the err_page_stylesheet option in squid.conf.
Custom error pages can also embed the CSS content by adding the %l tag to their headers.
Details in The Squid wiki
Squid 3.1 includes the much asked for Connection Pinning feature from Squid 2.6.
This feature is often called 'NTLM Passthru' since it is a giant workaround which permits Web servers to use Microsoft NTLM Authentication instead of HTTP standard authentication through a web proxy.
Details in The Squid wiki
Zero Penalty Hit created a patch to set QoS markers on outgoing traffic.
Squid 3.1 needs to be configured with --enable-zph-qos for the ZPH QoS controls to be available.
The configuration options for Squid 2.7 and 3.1 are based on different ZPH patches. The two releases configuration differs and only the TOS mode settings are directly translatable.
The lines above are separated for documentation. qos_flows may be configured with all options on one line, or separated as shown. Also options may be repeated as many times as desired. Only the final configured value for any option will be used.
The legacy Option and Priority modes available in Squid-2.7 are no longer supported.
Details in The Squid wiki
Squid-in-the-middle decryption and encryption of CONNECT tunneled SSL traffic, using configurable client- and server-side certificates. While decrypted, the traffic can be inspected using ICAP.
Squid 3.1 releases limit SSL Bump to CONNECT requests and requires that clients are configured to explicitly use the proxy in their browser settings or via WPAD/PAC configuration. Use of interception for port 443 is not officially supported, despite being known to work under certain limited networking circumstances.
SslBump users know how many certificate warnings a single complex site (using dedicated image, style, and/or advertisement servers for embedded content) can generate. The warnings are legitimate and are caused by Squid-provided site certificate. Two things may be wrong with that certificate:
To avoid mismatch (B), the DynamicSslCert feature concentrates on generating site certificates that match the requested site domain name. Please note that the browser site name check does not really add much security in an SslBump environment where the user already trusts the "man in the middle". The check only adds warnings and creates page rendering problems in browsers that try to reduce the number of warnings by blocking some embedded content.
Details in The Squid wiki
eCAP provides a way to integrate CAP modules directly into Squid without the need for a c-icap server wrapper. This enables faster processing.
Currently known and available eCAP modules are listed in the wiki feature page on eCAP.
Known Issue: libecap version 0.0.3 (exactly) is required to build this series of Squid. Other versions of libecap contain significant interface differences.
Details in The Squid wiki
ICAP is now extended with full bypass and dynamic chain routing to handle multiple adaptation services.
An adaptation service set contains similar, interchangeable services. No more than one service is successfully applied. If one service is down or fails, Squid can use another service. Think "hot standby" or "spare" ICAP servers.
Sets may seem similar to the existing "service bypass" feature, but they allow the failed adaptation to be retried and succeed if a replacement service is available. The services in a set may be all optional or all essential, depending on whether ignoring the entire set is acceptable. The mixture of optional and essential services in a set is supported, but yields results that may be difficult for a human to anticipate or interpret. Squid warns when it detects such a mixture.
When performing adaptations with a set, failures at a service (optional or essential, does not matter) are retried with a different service if possible. If there are no more replacement services left to try, the failure is treated depending on whether the last service tried was optional or essential: Squid either tries to ignore the failure and proceed or terminates the master transaction.
An adaptation chain is a list of different services applied one after another, forming an adaptation pipeline. Services in a chain may be optional or essential. When performing adaptations, failures at an optional service are ignored as if the service did not exist in the chain.
Request satisfaction terminates the adaptation chain.
When forming a set or chain for a given transaction, optional down services are ignored as if they did not exist.
ICAP and eCAP services can be mixed and matched in an adaptation set or chain.
If an ICAP service with the routing=1 option in squid.conf returns an ICAP X-Next-Services response header during a successful REQMOD or RESPMOD transaction, Squid abandons the original adaptation plan and forms a new adaptation chain consisting of services identified in the X-Next-Services header value (using a comma-separated list of adaptation service names from squid.conf). The dynamically created chain is destroyed once the new plan is completed or replaced.
This feature is useful when a custom adaptation service knows which other services are applicable to the message being adapted.
Limit adaptation iterations to adaptation_service_iteration_limit to protect Squid from infinite adaptation loops caused by ICAP services constantly including themselves in the dynamic adaptation chain they request. When the limit is exceeded, the master transaction fails. The default limit of 16 should be large enough to not require an explicit configuration in most environments yet may be small enough to limit side-effects of loops.
Squid-3.1 adds native support for streaming protocol ICY. Also commonly known as SHOUTcast multimedia streams.
This protocol uses port 80 and violates RFC 2616 by using an HTTP/1.1 compliant request and non-HTTP reply to start the stream transaction. If the reply is handled according to HTTP/1.1 RFC-compliance requirements the audio stream becomes jerky and contains regular 'popping' sounds.
Squid now processes the ICY replies natively according to the ICY requirements, not HTTP/1.1 requirements. The streamed data is not cacheable. All processing and access controls may be applied the same as for HTTP.
Squid-2 contained a hack using the update_http0.9 squid.conf option to work around the unusual replies. This option is now obsolete.
The proto ACL type only matches ICY once the reply has been received, before that the processing is only aware on an HTTP request. So the ACL will match HTTP in http_access and ICY in http_reply_access.
There have been changes to Squid's configuration file since Squid-3.0.
This section gives a thorough account of those changes in three categories:
Whether to use any result found by follow_x_forwarded_for in further ACL processing. Default: ON
Controls whether the indirect client address
(see follow_x_forwarded_for) is used instead of the
direct client address in acl matching.
Sends an HTTP transaction to an ICAP or eCAP adaptation service.
adaptation_access service_name allow|deny [!]aclname...
adaptation_access set_name allow|deny [!]aclname...
At each supported vectoring point, the adaptation_access
statements are processed in the order they appear in this
configuration file. Statements pointing to the following services
are ignored (i.e., skipped without checking their ACL):
- services serving different vectoring points
- "broken-but-bypassable" services
- "up" services configured to ignore such transactions
(e.g., based on the ICAP Transfer-Ignore header).
When a set_name is used, all services in the set are checked
using the same rules, to find the first applicable one. See
adaptation_service_set for details.
If an access list is checked and there is a match, the
processing stops: For an "allow" rule, the corresponding
adaptation service is used for the transaction. For a "deny"
rule, no adaptation service is activated.
It is currently not possible to apply more than one adaptation
service at the same vectoring point to the same HTTP transaction.
For each master transaction (i.e., the HTTP request and response
sequence, including all related ICAP and eCAP exchanges), Squid
maintains a table of metadata. The table entries are (name, value)
pairs shared among eCAP and ICAP exchanges. The table is destroyed
with the master transaction.
This option specifies the table entry names that Squid must accept
from and forward to the adaptation transactions.
An ICAP REQMOD or RESPMOD transaction may set an entry in the
shared table by returning an ICAP header field with a name
specified in adaptation_masterx_shared_names. Squid will store
and forward that ICAP header field to subsequent ICAP
transactions within the same master transaction scope.
Only one shared entry name is supported at this time.
Configures a list of complementary services that will be applied
one-by-one, forming an adaptation chain or pipeline. This is useful
when Squid must perform different adaptations on the same message.
adaptation_service_chain chain_name service_name1 svc_name2 ...
The named services are used in the chain declaration order. The first
applicable adaptation service from the chain is used first. The next
applicable service is applied to the successful adaptation results of
the previous service in the chain.
When adaptation starts, broken services are ignored as if they were
not a part of the chain. A broken service is a down optional service.
Request satisfaction terminates the adaptation chain because Squid
does not currently allow declaration of RESPMOD services at the
"reqmod_precache" vectoring point (see icap_service or ecap_service).
The services in a chain must be attached to the same vectoring point
(e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
A chain may contain a mix of optional and essential services. If an
essential adaptation fails (or the failure cannot be bypassed for
other reasons), the master transaction fails. Otherwise, the failure
is bypassed as if the failed adaptation service was not in the chain.
Limits the number of iterations allowed when applying adaptation
services to a message. If your longest adaptation set or chain
may have more than 16 services, increase the limit beyond its
default value of 16. If detecting infinite iteration loops sooner
is critical, make the iteration limit match the actual number
of services in your longest adaptation set or chain.
Infinite adaptation loops are most likely with routing services.
Configures an ordered set of similar, redundant services. This is
useful when hot standby or backup adaptation servers are available.
adaptation_service_set set_name service_name1 service_name2 ...
The named services are used in the set declaration order. The first
applicable adaptation service from the set is used first. The next
applicable service is tried if and only if the transaction with the
previous service fails and the message waiting to be adapted is still
intact.
When adaptation starts, broken services are ignored as if they were
not a part of the set. A broken service is a down optional service.
The services in a set must be attached to the same vectoring point
(e.g., pre-cache) and use the same adaptation method (e.g., REQMOD).
If all services in a set are optional then adaptation failures are
bypassable. If all services in the set are essential, then a
transaction failure with one service may still be retried using
another service from the set, but when all services fail, the master
transaction fails as well.
A set may contain a mix of optional and essential services, but that
is likely to lead to surprising results because broken services become
ignored (see above), making previously bypassable failures fatal.
Technically, it is the bypassability of the last failed service that
matters.
New name for http_access2. This form includes access control of ICAP and eCAP adaptations as well as the URL-rewriter alterations.
New option to enable handing of broken HTTP/1.1 clients sending chunk requests.
A broken or confused HTTP/1.1 client may send a chunked HTTP
request to Squid. Squid does not have full support for that
feature yet. To cope with such requests, Squid buffers the
entire request and then dechunks request body to create a
plain HTTP/1.0 request with a known content length. The plain
request is then used by the rest of Squid code as usual.
The option value specifies the maximum size of the buffer used
to hold the request before the conversion. If the chunked
request size exceeds the specified limit, the conversion
fails, and the client receives an "unsupported request" error,
as if dechunking was disabled.
Dechunking is enabled by default. To disable conversion of
chunked requests, set the maximum to zero.
Request dechunking feature and this option in particular are a
temporary hack. When chunking requests and responses are fully
supported, there will be no need to buffer a chunked request.
New directive added with squid-3.1.10 to set limits on the amount of buffer space allocated for receiving upload and request data from clients.
Whether to use any result found by follow_x_forwarded_for in delay_pool assignment. Default: ON
Controls whether the indirect client address
(see follow_x_forwarded_for) is used instead of the
direct client address in delay pools.
New option to prevent Squid from always looking up IPv4 regardless of whether IPv6 addresses are found. Squid will follow a policy of prefering IPv6 links, keeping the IPv4 only as a safety net behind IPv6.
Standard practice with DNS is to lookup either A or AAAA records
and use the results if it succeeds. Only looking up the other if
the first attempt fails or otherwise produces no results.
That policy however will cause Squid to produce error pages for some
servers that advertise AAAA but are unreachable over IPv6.
If this is ON Squid will always lookup both AAAA and A, using both.
If this is OFF Squid will lookup AAAA and only try A if none found.
WARNING: There are some possibly unwanted side-effects with this on:
*) Doubles the load placed by Squid on the DNS network.
*) May negatively impact connection delay times.
Added in 3.1.16. Controls whether IPv4 or IPv6 connection is attempted first when contacting servers and peers.
Controls whether eCAP support is enabled. Default: OFF
Defines a single eCAP service
ecap_service servicename vectoring_point bypass service_url
vectoring_point = reqmod_precache|reqmod_postcache|respmod_precache|respmod_postcache
This specifies at which point of transaction processing the
eCAP service should be activated. *_postcache vectoring points
are not yet supported.
bypass = 1|0
If set to 1, the eCAP service is treated as optional. If the
service cannot be reached or malfunctions, Squid will try to
ignore any errors and process the message as if the service
was not enabled. No all eCAP errors can be bypassed.
If set to 0, the eCAP service is treated as essential and all
eCAP errors will result in an error page returned to the
HTTP client.
service_url = ecap://vendor/service_name?custom&cgi=style¶meters=optional
Example:
ecap_service service_1 reqmod_precache 0 ecap://filters-R-us/leakDetector?on_error=block
ecap_service service_2 respmod_precache 1 icap://filters-R-us/virusFilter?config=/etc/vf.cfg
New option to configure location for CSS stylesheet controlling error page display.
New option to replace the old configure option --enable-default-err-language New translations can be downloaded from http://www.squid-cache.org/Versions/langpack/
Set the default language which Squid will send error pages in
if no existing translation matches the clients language
preferences.
If unset (default) generic English will be used.
Log to cache.log what languages users are attempting to
auto-negotiate for translations.
Successful negotiations are not logged. Only failures
have meaning to indicate that Squid may need an upgrade
of its error page translations.
Enable processing of the X-Forwarded-for header for various administration tasks.
Allowing or Denying the X-Forwarded-For header to be followed to
find the original source of a request.
Requests may pass through a chain of several other proxies
before reaching us. The X-Forwarded-For header will contain a
comma-separated list of the IP addresses in the chain, with the
rightmost address being the most recent.
If a request reaches us from a source that is allowed by this
configuration item, then we consult the X-Forwarded-For header
to see where that host received the request from. If the
X-Forwarded-For header contains multiple addresses, and if
acl_uses_indirect_client is on, then we continue backtracking
until we reach an address for which we are not allowed to
follow the X-Forwarded-For header, or until we reach the first
address in the list. (If acl_uses_indirect_client is off, then
it's impossible to backtrack through more than one level of
X-Forwarded-For addresses.)
The end result of this process is an IP address that we will
refer to as the indirect client address. This address may
be treated as the client address for access control, delay
pools and logging, depending on the acl_uses_indirect_client,
delay_pool_uses_indirect_client and log_uses_indirect_client
options.
SECURITY CONSIDERATIONS:
Any host for which we follow the X-Forwarded-For header
can place incorrect information in the header, and Squid
will use the incorrect information as if it were the
source address of the request. This may enable remote
hosts to bypass any access control restrictions that are
based on the client's source addresses.
For example:
acl localhost src 127.0.0.1
acl my_other_proxy srcdomain .proxy.example.com
follow_x_forwarded_for allow localhost
follow_x_forwarded_for allow my_other_proxy
New directive added with squid-3.1.11 to control whether Squid uses EPRT extension for efficient NAT handling and IPv6 protocol support in FTP.
New directive to control whether Squid uses EPSV extension for efficient NAT handling and IPv6 protocol support in FTP.
New directive to control whether Squid uses "EPSV ALL" extension for efficient NAT handling and IPv6 protocol support in FTP.
Controls how many different forward paths Squid will try before giving up. Default: 10
New option to write ICAP log files record ICAP transaction summaries, one line per transaction. Similar to access.log.
The icap_log option format is:
icap_log <filepath> [<logformat name> [acl acl ...]]
icap_log none [acl acl ...]]
Please see access_log option documentation for details. The two
kinds of logs share the overall configuration approach and many
features.
ICAP processing of a single HTTP message or transaction may
require multiple ICAP transactions. In such cases, multiple
ICAP transaction log lines will correspond to a single access
log line.
ICAP log uses logformat codes that make sense for an ICAP
transaction. Header-related codes are applied to the HTTP header
embedded in an ICAP server response, with the following caveats:
For REQMOD, there is no HTTP response header unless the ICAP
server performed request satisfaction. For RESPMOD, the HTTP
request header is the header sent to the ICAP server. For
OPTIONS, there are no HTTP headers.
The following format codes are also available for ICAP logs:
icap::<A ICAP server IP address. Similar to <A.
icap::<service_name ICAP service name from the icap_service
option in Squid configuration file.
icap::ru ICAP Request-URI. Similar to ru.
icap::rm ICAP request method (REQMOD, RESPMOD, or
OPTIONS). Similar to existing rm.
icap::>st Bytes sent to the ICAP server (TCP payload
only; i.e., what Squid writes to the socket).
icap::<st Bytes received from the ICAP server (TCP
payload only; i.e., what Squid reads from
the socket).
icap::tr Transaction response time (in
milliseconds). The timer starts when
the ICAP transaction is created and
stops when the transaction is completed.
Similar to tr.
icap::tio Transaction I/O time (in milliseconds). The
timer starts when the first ICAP request
byte is scheduled for sending. The timers
stops when the last byte of the ICAP response
is received.
icap::to Transaction outcome: ICAP_ERR* for all
transaction errors, ICAP_OPT for OPTION
transactions, ICAP_ECHO for 204
responses, ICAP_MOD for message
modification, and ICAP_SAT for request
satisfaction. Similar to Ss.
icap::Hs ICAP response status code. Similar to Hs.
icap::>h ICAP request header(s). Similar to >h.
icap::<h ICAP response header(s). Similar to <h.
The default ICAP log format, which can be used without an explicit
definition, is called icap_squid:
logformat icap_squid %ts.%03tu %6icap::tr %>a %icap::to/%03icap::Hs %icap::<size %icap::rm %icap::ru% %un -/%icap::<A -
New option to determine which retriable ICAP transactions are retried.
Transactions that received a complete ICAP response
and did not have to consume or produce HTTP bodies to receive
that response are usually retriable.
icap_retry allow|deny [!]aclname ...
Squid automatically retries some ICAP I/O timeouts and errors
due to persistent connection race conditions.
Limits the number of retries allowed. When set to zero (default),
no retries are allowed.
Communication errors due to persistent connection race
conditions are unavoidable, automatically retried, and do not
count against this limit.
Ported from 2.7. Requires --enable-http-violations Prevents 417 errors being sent to broken HTTP/1.1 non-compliant clients.
New option to import entire secondary configuration files into squid.conf.
Squid will follow the files immediately and insert all their content
as if it was at that position in squid.conf. As per squid.conf some
options are order-specific within the config as a whole.
A few layers of include are allowed, but too many are confusing and
Squid will enforce an include depth of 16 files.
Syntax:
include /path/to/file1 /path/to/file2
Instructs Squid to load the specified dynamic module(s) or activate preloaded module(s).
Example:
loadable_modules @DEFAULT_PREFIX@/lib/MinimalAdapter.so
This options allows you to control which requests get logged
to icap.log. See the icap_log directive for ICAP log details.
Whether to use any result found by follow_x_forwarded_for in access.log. Default: ON
Controls whether the indirect client address
(see follow_x_forwarded_for) is used instead of the
direct client address in the access log.
Ported from 2.7.
A filename where Squid stores it's netdb state between restarts.
To disable, enter "none".
New option to enable/disable the ICMP pinger helper with a reconfigure instead of a full rebuild.
Control whether the pinger is active at run-time.
Enables turning ICMP pinger on and off with a simple squid -k reconfigure.
default is off when --enable-icmp is compiled in.
Allows you to select a TOS/DSCP value to mark outgoing
connections with, based on where the reply was sourced.
TOS values really only have local significance - so you should
know what you're specifying. For more information, see RFC2474,
RFC2475, and RFC3260.
The TOS/DSCP byte must be exactly that - octet value 0x00-0xFF.
Note that in practice often only multiples of 4 is usable as the
two rightmost bits have been redefined for use by ECN (RFC 3168
section 23.1).
Note that in practice often only values up to 0xFC are usable,
and only in multiple of 4, as the two rightmost bits have been
redefined for use by ECN (RFC3168).
This setting is configured by setting the source TOS values:
local-hit=0xFF Value to mark local cache hits.
sibling-hit=0xFF Value to mark hits from sibling peers.
parent-hit=0xFF Value to mark hits from parent peers.
NOTE: 'miss' preserve feature is only possible on Linux at this time.
For the following to work correctly, you will need to patch your
linux kernel with the TOS preserving ZPH patch.
The kernel patch can be downloaded from http://zph.bratcheda.org
disable-preserve-miss
If set, any HTTP response towards clients will
have the TOS value of the response comming from the
remote server masked with the value of miss-mask.
miss-mask=0xFF
Allows you to mask certain bits in the TOS received from the
remote server, before copying the value to the TOS sent
towards clients.
Default: 0xFF (TOS from server is not changed).
This option allows you to change the contents of reply headers.
In Squid 2 header_replace (now deprecated) worked for both requests
and replies, while in Squid 3 it only did respect request headers.
This option brings back the functionality to replace the contents of
reply headers. Consult the documentation for usage details.
This option allows you to change the contents of request headers.
To be consistent with the naming changes of header_access in Squid 3
(header_access has been split into two options request_header_access
and reply_header_access), header_replace (now deprecated) is being
replaced by request_header_replace.
New Access control for which CONNECT requests to an http_port marked with an ssl-bump flag are actually "bumped". Please see the ssl-bump flag of an http_port option for more details about decoding proxied SSL connections. DEFAULT: No requests are bumped.
NOCOMMENT_START
# Example: Bump all requests except those originating from localhost and
# those going to webax.com or example.com sites.
#
# acl broken_sites dstdomain .webax.com
# acl broken_sites dstdomain .example.com
# ssl_bump deny localhost
# ssl_bump deny broken_sites
# ssl_bump allow all
Specify the location and options of the executable for ssl_crtd process.
Configures the number of sslcrtd processes to spawn
New Access Control to selectively bypass server certificate validation errors. DEFAULT: None bypassed.
For example, the following lines will bypass all validation errors
when talking to servers located at 172.16.0.0/16. All other
validation errors will result in ERR_SECURE_CONNECT_FAIL error.
acl BrokenServersAtTrustedIP dst 172.16.0.0/16
sslproxy_cert_error allow BrokenServersAtTrustedIP
sslproxy_cert_error deny all
This option must use fast ACL expressions only. Expressions that use
external lookups or communication result in unpredictable behavior or
crashes.
Without this option, all server certificate validation errors
terminate the transaction. Bypassing validation errors is dangerous
because an error usually implies that the server cannot be trusted and
the connection may be insecure.
New preset ipv6 available in the src and dst ACL matching all of the public IPv6 network space.
New preset ipv4 available in the src and dst ACL matching all of IPv4 network space.
New acl type myportname, matching the name of the http_port or https_port where the request was accepted.
New acl type tag, matching the tag= returned from the external_acl_type helper.
New acl type peername, matching against a named cache_peer entry where the request will be attempted first. NP: peername currently is limited to only match the first peer possible.
acl aclname dst ipv6 # request for IPv6-enabled site
acl aclname src ipv6 # request from IPv6 address
acl aclname dst ipv4 # request for IPv4 site
acl aclname src ipv4 # request from IPv4 address
acl aclname myportname 3128 ... # http(s)_port name
acl aclname peername myPeer ... # cache_peer ... name=myPeer
acl aclname tag value ... # tag= option from external ACL
BASIC, DIGEST: New parameter option utf8 on|off to permit helpers to selectively process UTF-8 characters even though HTTP accepts only ISO-8859-1.
NCSA authenticator updated in 3.1.15 to alert if passwords with more than 8 characters are used with DES encryption method.
NTLM: The helper binary bundled with Squid under the name ntlm_auth has been renamed to accurately reflect its real behavior and to prevent confusion with the more useful Samba helper using the same name.
Despite being used for NTLM, the helper does not in fact provide true NTLM function. What it does provide is SMB LanManager authentication through the NTLM interface without the need for a domain controller. Thus the new name is ntlm_smb_lm_auth.
WARNING: due to the name clash with Samba helper, admin should be careful to only update their squid.conf if the Squid bundled binary is used and needed. If the Samba helper is in use, the squid.conf should not be altered.
The previous default behavour (rotate per-request) of this setting causes failover clashes with IPv6 built-in mechanisms. It has thus been turned off by default. Making the 'best choice' IP continue in use for any hostname until it encounters a connection failure and failover drops to the next known IP.
Modern IP resolvers in Squid sort lookup results by preferred access.
By default Squid will use these IP in order and only rotates to
the next listed when the most preffered fails.
Some load balancing servers based on round robin DNS have been
found not to preserve user session state across requests
to different IP addresses.
Enabling this directive Squid rotates IP's per request.
Removed the 'QUERY' acl and 'cache deny QUERY' entries. Replaced by new refresh_pattern instead.
Default changed to 256MB in-memory cache. see cache_mem and maximum_object_size_in_memory for size parameters.
'null' storage type dropped. In-memory cache is always present. Remove all cache_dir options to prevent on-disk caching.
Default size increased to 256MB.
New Options.
use 'htcp-no-clr' to send HTCP to the neighbor but without
sending any CLR requests. This cannot be used with
htcp-only-clr.
use 'htcp-no-purge-clr' to send HTCP to the neighbor
including CLRs but only when they do not result from
PURGE requests.
use 'htcp-only-clr' to send HTCP to the neighbor but ONLY
CLR requests. This cannot be used with htcp-no-clr.
use 'htcp-forward-clr' to forward any HTCP CLR requests
this proxy receives to the peer.
use 'connection-auth=off' to tell Squid that this peer does
not support Microsoft connection oriented authentication,
and any such challenges received from there should be
ignored. Default is 'auto' to automatically determine the
status of the peer.
use 'connect-fail-limit=nn' to specify how many times
connecting to a peer must fail before it is marked as
down. Default is 10.
use 'no-tproxy' to specify that requests passed to this peer
are not to have the client IP spoofed. For use to prevent
packet routing issues with a cluster of peers behind WCCPv2.
multicast-siblings ported from 2.7
Default changed to OFF. Matching long-standing developer recommendations.
New parameter rotate=N to control number of cache.log rotations independent of other logs.
Support 307 status for redirecting CONNECT tunnels with HTTPS traffic.
Now an optional entry in squid.conf. If present it will force all visitors to receive the error pages contained in the directory it points at. If absent, error page localization will be given a chance.
If you wish to create your own versions of the default
error files to customize them to suit your company COPY
the error/template files to another directory and point
this tag at them.
WARNING: This option will disable multi-language support
on error pages if used.
New options 'ipv4' and 'ipv6' are added to set the IPv4/v6 protocol between Squid and its helpers. Please be aware of some limits to these options. These options only affect the transport protocol used to send data to and from the helpers. Squid in IPv6-mode may still send %SRC addresses in IPv4 or IPv6 format, so all helpers will need to be checked and converted to cope with such information cleanly.
ipv4 / ipv6 IP protocol used to communicate with this helper.
The default is to auto-detect IPv6 and use it when available.
New header input format specifiers. To seperate Request and Reply headers when both passed back.
%>{Header} HTTP request header
%>{Hdr:member} HTTP request header list member
%>{Hdr:;member} HTTP request header list member using ; as
list separator. ; can be any non-alphanumeric
character.
%<{Header} HTTP reply header
%<{Hdr:member} HTTP reply header list member
%<{Hdr:;member} HTTP reply header list member using ; as
list separator. ; can be any non-alphanumeric
character.
%% The percent symbol (available from 3.1.17)
New setting options. transparent, truncate, delete.
If set to "transparent", Squid will not alter the
X-Forwarded-For header in any way.
If set to "delete", Squid will delete the entire
X-Forwarded-For header.
If set to "truncate", Squid will remove all existing
X-Forwarded-For entries, and place the client IP as the sole entry.
Deprecated. Use request_header_replace or reply_header_replace instead.
Default value altered to no content, allowing dynamic websites to be fetched through peers.
Option 'transparent' is being deprecated in favour of 'intercept' which more clearly identifies what the option does. For now option 'tproxy' remains with old behaviour meaning fully-invisible proxy using TPROXY support.
New port options
intercept Rename of old 'transparent' option to indicate proper functionality.
allow-direct Allow direct forwarding in accelerator mode. Normally
accelerated requests are denied direct forwarding as if
never_direct was used.
connection-auth[=on|off]
use connection-auth=off to tell Squid to prevent
forwarding Microsoft connection oriented authentication
(NTLM, Negotiate and Kerberos)
keepalive[=idle,interval,timeout]
Enable TCP keepalive probes of idle connections
idle is the initial time before TCP starts probing
the connection, interval how often to probe, and
timeout the time before giving up.
ignore-cc Ignore request Cache-Control headers.
Warning: This option violates HTTP specifications if
used in non-accelerator setups.
ssl-bump Intercept each CONNECT request matching ssl_bump ACL,
establish secure connection with the client and with
the server, decrypt HTTP messages as they pass through
Squid, and treat them as unencrypted HTTP messages,
becoming the man-in-the-middle.
When this option is enabled, additional options become
available to specify SSL-related properties of the
client-side connection: cert, key, version, cipher,
options, clientca, cafile, capath, crlfile, dhparams,
sslflags, and sslcontext. See the https_port directive
for more information on these options.
The ssl_bump option is required to fully enable
the SSL Bump feature.
New port options. see http_port.
New options 'bypass=', 'routing=' and 'ipv6='.
bypass=on|off|1|0
If set to 'on' or '1', the ICAP service is treated as
optional. If the service cannot be reached or malfunctions,
Squid will try to ignore any errors and process the message as
if the service was not enabled. No all ICAP errors can be
bypassed. If set to 0, the ICAP service is treated as
essential and all ICAP errors will result in an error page
returned to the HTTP client.
Bypass is off by default: services are treated as essential.
routing=on|off|1|0
If set to 'on' or '1', the ICAP service is allowed to
dynamically change the current message adaptation plan by
returning a chain of services to be used next. The services
are specified using the X-Next-Services ICAP response header
value, formatted as a comma-separated list of service names.
Each named service should be configured in squid.conf and
should have the same method and vectoring point as the current
ICAP transaction. Services violating these rules are ignored.
An empty X-Next-Services value results in an empty plan which
ends the current adaptation.
Routing is not allowed by default: the ICAP X-Next-Services
response header is ignored.
ipv6=on|off
Only has effect on split-stack systems. The default on those systems
is to use IPv4-only connections. When set to 'on' this option will
make Squid use IPv6-only connections to contact this ICAP service.
No longer controls cache.log rotation. Use debug_options rotate=N instead.
New log format tag sets %icap::* %adapt::* for adaptation information.
%Hs tag deprecated and replaced by request/reply specific >Hs and <Hs
New %<la Local IP address of the last server or peer connection. Ported from 2.7 where it is called %oa.
New %<lp Local port number of the last server or peer connection.
New %>ha to log HTTP request headers after adaptation and redirection.
HTTP request/reply format tags may now be optionally prefixed with http::. Old forms will be deprecated in some as yet undecided future release.
dt Total time spent making DNS lookups (milliseconds)
[http::]>ha The HTTP request headers after adaptation and redirection.
[http::]>Hs HTTP status code sent to the client
[http::]<Hs HTTP status code received from the next hop
[http::]>sh Received HTTP request headers size
[http::]<sh Sent HTTP reply headers size
[http::]<pt Peer response time in milliseconds. The timer starts
when the last request byte is sent to the next hop
and stops when the last response byte is received.
[http::]<tt Total server-side time in milliseconds. The timer
starts with the first connect request (or write I/O)
sent to the first selected peer. The timer stops
with the last I/O with the last peer.
If ICAP is enabled, the following two codes become available (as
well as ICAP log codes documented with the icap_log option):
icap::tt Total ICAP processing time for the HTTP
transaction. The timer ticks when ICAP
ACLs are checked and when ICAP
transaction is in progress.
icap::<last_h The header of the last ICAP response
related to the HTTP transaction. Like
<h, accepts an optional header name
argument. Will not change semantics
when multiple ICAP transactions per HTTP
transaction are supported.
If adaptation is enabled the following two codes become available:
adapt::sum_trs Summed adaptation transaction response
times recorded as a comma-separated list in
the order of transaction start time. Each time
value is recorded as an integer number,
representing response time of one or more
adaptation (ICAP or eCAP) transaction in
milliseconds. When a failed transaction is
being retried or repeated, its time is not
logged individually but added to the
replacement (next) transaction.
adapt::all_trs All adaptation transaction response times.
Same as adaptation_strs but response times of
individual transactions are never added
together. Instead, all transaction response
times are recorded individually.
You can prefix adapt::*_trs format codes with adaptation
service name in curly braces to record response time(s) specific
to that service. For example: %{my_service}adapt::sum_trs
Default size limit increased to 512KB.
Memory limits have been revised and corrected from 3.1.4 onwards.
Please check and update your squid.conf to use the text none for no limit instead of the old 0 (zero).
All users upgrading need to be aware that from Squid-3.3 setting this option to 0 (zero) will mean zero bytes of memory get pooled.
New default of 0 seconds. To prevent negative-caching of failure messages unless explicitly permitted by the message generating web server.
Changing this is an RFC 2616 violation and now requires --enable-http-violations
New option 'ignore-must-revalidate'.
ignore-must-revalidate ignores any ``Cache-Control: must-revalidate``
headers received from a server. Doing this VIOLATES
the HTTP standard. Enabling this feature could make you
liable for problems which it causes.
New set of basic patterns. These should always be listed after any custom patterns. They ensure RFC compliance with certain protocol and request handling in the absence of accurate Cache-Control: and Expires: information.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
Default limit increased to 64KB for RFC 2616 compliance.
Default limit increased to 64KB for RFC 2616 compliance.
This option causes some problems when bridging IPv4 and IPv6. A workaround has been provided.
Squid is built with a capability of bridging the IPv4 and IPv6 internets.
tcp_outgoing_address as previously used breaks this bridging by forcing
all outbound traffic through a certain IPv4 which may be on the wrong
side of the IPv4/IPv6 boundary.
To operate with tcp_outgoing_address and keep the bridging benefits
an additional ACL needs to be used which ensures the IPv6-bound traffic
is never forced or permitted out the IPv4 interface.
acl to_ipv6 dst ipv6
http_access allow to_ipv6 !all
tcp_outgoing_address 2002::c001 good_service_net to_ipv6
tcp_outgoing_address 10.0.0.2 good_service_net !to_ipv6
tcp_outgoing_address 2002::beef normal_service_net to_ipv6
tcp_outgoing_address 10.0.0.1 normal_service_net !to_ipv6
tcp_outgoing_address 2002::1 to_ipv6
tcp_outgoing_address 10.0.0.3 !to_ipv6
Method names now accepted. Replacing the old magic numbers. '1' becomes 'hash' and '2' becomes 'mask'
Method names now accepted. Replacing the old magic numbers. '1' becomes 'gre' and '2' becomes 'l2'
Method names now accepted. Replacing the old magic numbers. '1' becomes 'gre' and '2' becomes 'l2'
Obsolete. This feature is no longer relevant to modern networks and was causing boot problems. The -D command line option used previously to suppress these tests is also obsolete.
Obsolete. All possible methods are now accepted and handled properly.
Replaced by adaptation_service_set.
Replaced by adaptation_access.
There have been some changes to Squid's build configuration since Squid-3.0.
This section gives an account of those changes in three categories:
Build with support for loadable content adaptation modules. Cannot be used with --disable-loadable-modules.
Support following the X-Forwarded-For HTTP header for determining the original or indirect client when a request has been forwarded through other proxies.
Prevent Squid from direct generation of SSL private key and certificate request and instead enables the ssl_crtd processes.
Build with support for ZPH Quality of Service controls
Disable error page localization for visitors.
error_directory option is required if this option is used.
Build without IPv6 support. The default is to auto-detect system capabilities and use IPv6 when possible.
Build without support for loadable modules.
Build Squid without advanced compiler error checking (without the -Werror option). This only affects the building process, enabling it to complete despite some possibly serious issues. Please do not use lightly, and please report the build issues which make it needed to the Squid developers before doing so.
Prevent Squid generating localized error page templates and manuals when built. Which is usually tried, but may not be needed.
This is an optimization for building fast when localization is not needed or localization tools are not available.
A copy of the latest translated files can instead be downloaded from http://www.squid-cache.org/Versions/langpack/
Allow build-time configuration of Default location for Squid logs.
Allow build-time configuration of Default location and name of squid.pid file.
Absolute path to po2html executable. Default is to automatically detect the binary.
Build without libcap support. The default is to auto-detect system capabilities and enable support when possible.
NOTE: Disabling this or building without libcap support will break TPROXY support.
Default changed to yes.
This option now enables support for all three netfilter interception targets.
Adding TPROXY version 4+ support to Squid through the netfilter TPROXY target. This options requires a linux kernel 2.6.25 or later for embeded netfilter TPROXY targets.
Older REDIRECT and DNAT targets work as before on HTTP ports marked 'intercept'.
Deprecated. Remains only to support old TPROXY version 2.2 installations. Scheduled for complete removal in Squid 3.2
Helper previously built by SMB is now built by smb_lm. It also has a new squid.conf name for usage, see auth_param above for details.
Better support for Linux using the external DNS helper. The helper will now compile and work with dns_nameservers on more variants of Linux than previously. It is still deprecated however and use of this option should be avoided as much as possible.
Deprecated. POSIX AIO is now auto-detected and enabled. Use --without-aio to disable, but only if you really have to.
Deprecated. pthreads library is now auto-detected and enabled. Use --without-pthreads to disable, but only if you really have to.
Replaced by error_default_language squid.conf option
Removed. All languages used now for error page localization.
Removed. CARP is required by several peering algoithms. Disabling is not useful.
Replaced by memory_pools squid.conf option.
Some squid.conf and ./configure options which were available in Squid-2.6 and Squid-2.7 are made obsolete in Squid-3.1.
blankpassword option for basic scheme removed.
http11 Obsolete.
Format tag %{Header} replaced by %>{Header}
Format tag %{Header:member} replaced by %>{Header:member}
Replaced by request_header_access and reply_header_access
Replaced by adapted_http_access
no-connection-auth replaced by connection-auth=[on|off]. Default is ON.
transparent option replaced by intercept
Replaced by http_port disable-pmtu-discovery= option
Obsolete.
%oa tag replaced by %<la
Replaced by url_rewrite_bypass
Obsolete.
Obsolete. ICY protocol streaming support added natively.
Replaced by qos_flows local-hit=
Obsolete.
Obsolete.
Replaced by qos_flows parent-hit=
Replaced by qos_flows sibling-hit=
read-only option replaced by no-store.
Obsolete.
Replaced by automatic detection.
Obsolete.
Replaced by automatic detection.
Obsolete.
Obsolete.
Obsolete. Enabled by default.
Obsolete.
Obsolete.
Obsolete.
Replaced by automatic detection.
Replaced by automatic detection.
Replaced by automatic detection.
Obsolete. Enabled by default.
Obsolete.
Obsolete. Disabled by default.
Some squid.conf and ./configure options which were available in Squid-2.7 are not yet available in Squid-3.1
If you need something to do then porting one of these from Squid-2 to Squid-3 is most welcome.
urllogin option not yet ported from 2.6
urlgroup option not yet ported from 2.6
concurrency option not yet ported from Squid-2
Not yet ported from 2.7
Not yet ported from 2.7
Not yet ported from 2.6
min-size option not yet ported from Squid-2
COSS storage type is lacking stability fixes from 2.6
COSS overwrite-percent= option not yet ported from 2.6
COSS max-stripe-waste= option not yet ported from 2.6
COSS membufs= option not yet ported from 2.6
COSS maxfullbufs= option not yet ported from 2.6
idle= not yet ported from 2.7
monitorinterval= not yet ported from 2.6
monitorsize= not yet ported from 2.6
monitortimeout= not yet ported from 2.6
monitorurl= not yet ported from 2.6
Not yet ported from 2.6
Not yet ported from 2.6
Not yet ported from 2.6
%ACL format tag not yet ported from 2.6
%DATA format tag not yet ported from 2.6
Not yet ported from 2.7
act-as-origin not yet ported from 2.7
http11 not yet ported from 2.7
urlgroup= not yet ported from 2.6
Not yet ported from 2.7
Not yet ported from 2.6
Not yet ported from 2.6
Not yet ported from 2.6
Not yet ported from 2.6
Not yet ported from 2.7.
%sn tag not yet ported from 2.7
Not yet ported from 2.7
stale-while-revalidate= not yet ported from 2.7
ignore-stale-while-revalidate= not yet ported from 2.7
max-stale= not yet ported from 2.7
negative-ttl= not yet ported from 2.7
Not yet ported from 2.7
Not yet ported from 2.7
Not yet ported from 2.7
Not yet ported from 2.7
Not yet ported from 2.7
Not yet ported from 2.7
Not yet ported from 2.7