Squid 4.16 release notes

Squid Developers


This document contains the release notes for version 4 of Squid. Squid is a WWW Cache application developed by the National Laboratory for Applied Network Research and members of the Web Caching community.

1. Notice

2. Major new features since Squid-3.5

3. Changes to squid.conf since Squid-3.5

4. Changes to ./configure options since Squid-3.5

5. Regressions since Squid-2.7

6. Copyright


1. Notice

The Squid Team are pleased to announce the release of Squid-4.16.

This new release is available for download from http://www.squid-cache.org/Versions/v4/ or the mirrors.

We welcome feedback and bug reports. If you find a bug, please see http://wiki.squid-cache.org/SquidFaq/BugReporting for how to submit a report with a stack trace.

1.1 Known issues

Although this release is deemed good enough for use in production, please note the existence of open bugs against Squid-4.

This release adds a dependency on C++11 support in any compiler used to build Squid. As a result older C++03 -only and most C++0x compilers will no longer build successfully. GCC 4.9+ and Clang 3.5+ are known to have working C++11 support and are usable. GCC-4.8 will also build for now despite lack of full C++11 support, but some future features may not be available.

This release does not support LibreSSL. Due to a bug in the way LibreSSL uses the OpenSSL version macro some changes necessary to support OpenSSL 1.1 prevent building with LibreSSL.

1.2 Changes since earlier releases of Squid-4

The Squid-4 change history can be viewed here.

2. Major new features since Squid-3.5

Squid 4 represents a new feature release above 3.5.

The most important of these new features are:

Most user-facing changes are reflected in squid.conf (see below).

2.1 Configurable helper queue size

The new queue-size=N option to helpers configuration, allows users to configure the maximum number of queued requests to busy helpers.

2.2 Helper concurrency channels changes

helper-mux.pl we have been distributing for the past few years to encourage use of concurrency is no longer compatible with Squid. If used it will spawn up to 2^64 helpers and DoS the Squid server.

Helpers utilizing arrays to handle fixed amounts of concurrency channels MUST be re-written to use queues and capable of handling a 64-bit int as index or they will be vulnerable to buffer overrun and arbitrary memory accesses.

32-bit helpers need re-writing to handle the concurrency channel ID as a 64-bit integer value. If not updated they will cause proxies to return unexpected results or timeout once crossing the 32-bit wrap boundary. Leading to undefined behaviour in the client HTTP traffic.

2.3 SSL support removal

Details in RFC 6176 and RFC 7568

SSLv2 is not fit for purpose. Squid no longer supports being configured with any settings regarding this protocol. That includes settings manually disabling its use since it is now forced to disable by default. Also settings enabling various client/server workarounds specific to SSLv2 are removed.

SSLv3 is not fit for purpose. Squid still accepts configuration, but use is deprecated and will be removed entirely in a future version. Squid default behavour is to follow the TLS built in negotiation mechanism which prefers the latest TLS version. But also to accept downgrades to SSLv3. Use tls-options=NO_SSLv3 to disable SSLv3 support completely.

A new option tls-min-version=1.N is added in place of sslversion= to configure the minimum version the TLS negotiation will allow to be used when an old TLS version is requested by the remote endpoint.

The system Trusted CAs are no longer used by default when verifying client certificates. The cafile= option should be used instead to explicitly load the specific CA which signed acceptible client certificates, even if that CA is one of the system Trusted CAs. The tls-default-ca option can be used to restore the old behaviour if needed.

2.4 Helper Binary Changes

The basic_msnt_multi_domain_auth helper has been removed. The basic_smb_lm_auth helper performs the same actions without extra Perl and Samba dependencies.

The cert_valid.pl testing helper has been renamed to security_fake_certverify, reflecting the Squid helper naming schema and that it does not actually perform any certificate checks.

The security_fake_certverify helper is also now built and installed by default. It is written in Perl so does not require OpenSSL dependencies for installation. But does use the Perl Crypt::OpenSSL::X509 module for execution. Building the helper can be controlled using the --enable-security-cert-validators="fake" option.

The ssl_crtd helper has been renamed to security_file_certgen and is now built and installed by default whenever OpenSSL support is enabled. Building the helper can be controlled using the --enable-security-cert-generators="file" option.

NOTE: The --enable-ssl-crtd option is still required to enable the sslcrtd_program helper interface within Squid that uses the helper.

The ntlm_smb_lm_auth helper is now built using --enable-auth-ntlm="SMB_LM". Notice the upper case where it was previously a (wrongly) lower cased acronym.

2.5 Secure ICAP

ICAP services can now be used over TLS connections.

To mark an ICAP service as secure, use an icaps:// service URI scheme when listing your service via an icap_service directive. The industry is using a Secure ICAP term, and Squid follows that convention, but icaps seems more appropriate for a scheme name.

Squid uses port 11344 for Secure ICAP by default, following another popular proxy convention. The old 1344 default for plain ICAP ports has not changed.

2.6 Improved SMP support

Use of C++11 atomic operations instead of GNU atomics allows a wider range of operating systems and compilers to build Squid SMP and multi-process features. However this does require a C++11 compiler with a recent version of the C++ standard library.

IpcIo and Mmapped disk I/O modules are now auto-detected properly which enables Rock storage on more systems by default than previously.

2.7 Improved process management

Squid is traditionally refered to as a daemon. But is actually a combination of daemon and daemon manager processes. This has caused significant problems integrating it with other third-party daemon managers.

The Squid process which places its PID into the squid.pid file has always been the process to which control signals are sent. The manager process is now taking on signal handling instead of the main daemon process. Enabling integration with daemon managers such as Upstart or systemd which assume the process they initiated is the daemon with a PID to control.

The squid binary now has a new --foreground command line option, which (only) prevents daemonizing the master process. Unlike the old -N option, --foreground supports SMP workers and multi-process features. --foreground is particularly useful for use with -z (disk cache structures creation), as it allows the caller to wait until Squid has finished.

The squid binary now accepts a --kid command line option which informs the process which role it is to take on. This aids with debugging SMP issues with specific process types and resolves some SMP forking issues.

2.8 Initial GnuTLS support

Squid can now be built to use GnuTLS in place of OpenSSL for the core features of receiving TLS connections from clients and making TLS connections to servers. The GnuTLS support is still very much experimental and should be tested before use.

SSL-Bump and certificate generation features are not yet supported by GnuTLS builds. Nor are many other less commonly used Squid TLS/SSL features.

squid.conf directives and configuration options which have undergone name changes from 'ssl' to 'tls' prefix in Squid-4 have GnuTLS support, unless explicitly stated otherwise.

Advanced configuration with specific selection of ciphers and similar settings should still work, but needs the GnuTLS Priority Strings instead of the OpenSSL options when using GnuTLS. See GnuTLS manual for more details.

2.9 ESI Custom Parser removal

The Squid custom ESI (Edge Side Includes) parser has been removed in favour of better supported and maintained third-party libraries. At least one of libxml2 or libexpat is now mandatory to build support for the ESI response processor.

3. Changes to squid.conf since Squid-3.5

There have been changes to Squid's configuration file since Squid-3.5.

This section gives a thorough account of those changes in three categories:

3.1 New tags

collapsed_forwarding_shared_entries_limit

New directive to limit the size of a table used for sharing information about collapsible entries among SMP workers.

force_request_body_continuation

New directive to control Squid behaviour on the client connection when receiving an HTTP request with an Expect:100-continue header.

hopeless_kid_revival_delay

New directive to set a cool-down delay reviving a child process if the process is encountering frequent deaths.

on_unsupported_protocol

New directive to set the action performed when encountering strange protocol requests at the beginning of an accepted TCP connection.

pconn_lifetime

New directive to limit the lifetime of persistent connections.

reply_header_add

New directive to add header fields to outgoing HTTP responses to the client.

request_start_timeout

New directive controlling how long Squid waits for the first request bytes to arrive after initial connection establishment by a client.

server_pconn_for_nonretriable

New directive to provide fine-grained control over persistent connection reuse when forwarding HTTP requests that Squid cannot retry. It is useful in environments where opening new connections is very expensive and race conditions associated with persistent connections are very rare and/or only cause minor problems.

shared_memory_locking

New directive to ensure shared memory is all available immediately on startup. Protects against SIGBUS errors, but delays startup.

tls_outgoing_options

New directive to define TLS security context options for outgoing connections. For example to HTTPS servers.

url_rewrite_timeout

Squid times active requests to redirector. This directive sets the timeout value and the Squid reaction to a timed out request.

3.2 Changes to existing tags

access_log

TCP accept(2) errors logged with URI error:accept-client-connection.

Unused connections received in http_port or https_port or transactions terminated before reading[parsing] request headers are logged with URI error:transaction-end-before-headers.

New option rotate= to control the number of log file rotations to make when -k rotate command is received. Default is to obey the logfile_rotate directive.

Extend buffer-size= support to UDP logging. Prior to Squid-4.7 log entries would be buffered up to 1400 bytes before sending to UDP logger. This option may now set smaller buffers, but not larger than 1400 bytes.

acl

New -m flag for note ACL to match substrings.

New client_connection_mark type for matching Netfilter CONNMARK of the client TCP connection.

New connections_encrypted type for matching transactions where all HTTP messages were received over TLS transport connections, including messages received from ICAP servers.

New has type for matching whether or not Squid is able to provide certain sets of transaction state. For example HTTP reply headers.

New transaction_initiator type for detecting various unusual transactions.

New --consensus, --client-requested and --server-provided flags for the ssl::server_name type to control which server name to match against.

Added ::/128 IPv6 range to to_localhost ACL.

auth_param

New parameter queue-size= to set the maximum number of queued requests.

New parameter on-persistent-overload= to set the action taken when the helper queue is overloaded.

cache_peer

New option auth-no-keytab to let GSSAPI implementation determine which Kerberos credentials to use, instead of specifying a keytab.

Replaced option ssl with tls. Use of any tls- prefixed options implies tls is enabled.

New option tls-min-version=1.N to set minimum TLS version allowed.

New option tls-default-ca replaces sslflags=NO_DEFAULT_CA

New option tls-no-npn to disable sending TLS NPN extension.

New tls-options= option value to disable TLS/1.3.

All ssloptions= values for SSLv2 configuration or disabling have been removed.

Removed sslversion= option. Use tls-options= instead.

Manual squid.conf update may be required on upgrade.

Replaced option sslcafile= with tls-cafile= which takes multiple entries.

deny_info

New format macro %O to expand the message= value supplied by external ACL helpers.

ecap_service

New connection-encryption= option to determine ICAP service effect on connections_encrypted ACL.

esi_parser

Removed custom parser option.

Changed default to auto-detect available parsers instead of custom.

external_acl_type

New parameter queue-size= to set the maximum number of queued requests.

New parameter on-persistent-overload= to set the action taken when the helper queue is overloaded.

Format field updated to accept any logformat %macro code.

The optional acl-value fields in this helper input now expand to a dash ('-') if the %DATA macro is not specified explicitly.

http_port

New option tls-min-version=1.N to set minimum TLS version allowed.

New option tls-default-ca replaces sslflags=NO_DEFAULT_CA, the default is also changed to OFF.

New option tls-no-npn to disable sending TLS NPN extension.

New tls-options= option value to disable TLS/1.3.

All option= values for SSLv2 configuration or disabling have been removed.

Removed version= option. Use tls-options= instead.

Manual squid.conf update may be required on upgrade.

Replaced cafile= with tls-cafile= which takes multiple entries.

Changed default value of generate-host-certificates to ON.

https_port

New option tls-min-version=1.N to set minimum TLS version allowed.

New option tls-default-ca replaces sslflags=NO_DEFAULT_CA, the default is also changed to OFF.

New option tls-no-npn to disable sending TLS NPN extension.

New tls-options= option value to disable TLS/1.3.

All options= values for SSLv2 configuration or disabling have been removed.

Removed version= option. Use tls-options= instead.

Manual squid.conf update may be required on upgrade.

Replaced cafile= with tls-cafile= which takes multiple entries.

Changed default value of generate-host-certificates to ON.

icap_service

New scheme icaps:// to enable TLS/SSL connections to Secure ICAP servers on port 11344.

New connection-encryption= option to determine ICAP service effect on connections_encrypted ACL.

New tls-cert= option to set TLS client certificate to use.

New tls-key= option to set TLS private key matching the client certificate used.

New tls-min-version=1.N option to set minimum TLS version allowed on server connections.

New tls-options= option to set OpenSSL library parameters.

New tls-options= option value to disable TLS/1.3.

New tls-flags= option to set flags modifying Squid TLS operations.

New tls-cipher= option to set a list of ciphers permitted.

New tls-cafile= option to set a file with additional CA certificate(s) to verify the server certificate.

New tls-capath= option to set a directory with additional CA certificate(s) to verify the server certificate.

New tls-crlfile= option to set a file with a CRL to verify the server certificate.

New tls-default-ca option to use the system Trusted CAs to verify the server certificate.

New tls-domain= option to verify the server certificate domain.

Squid-4.16 improved support for hostnames in ICAP service URLs.

logfile_daemon

Now only requires that helper binary exists when daemon: log module is actually being used.

logformat

New quoting modifier to produce \-escaped output.

New code %ssl::<cert_errors to display server X.509 certificate errors.

New code %ssl::<cert_issuer to display Issuer field of the received server X.509 certificate.

New code %ssl::<cert_subject to display Subject field of the received server X.509 certificate.

New code %ssl::>negotiated_version to display negotiated TLS version of the client connection.

New code %ssl::<negotiated_version to display negotiated TLS version of the last server or peer connection.

New code %ssl::>received_hello_version to display the TLS version of the Hello message received from TLS client.

New code %ssl::<received_hello_version to display the TLS version of the Hello message received from TLS server.

New code %ssl::>received_supported_version to display the maximum TLS version supported by the TLS client.

New code %ssl::<received_supported_version to display the maximum TLS version supported by the TLS server.

New code %ssl::>negotiated_cipher to display the negotiated cipher of the client connection.

New code %ssl::<negotiated_cipher to display the negotiated cipher of the last server or peer connection.

New code %>handshake to display initial octets received on a client connection (Base64 encoded).

Fixed %<Hs, %<pt and %<tt codes for received CONNECT errors.

Improved %<bs logging on forwarding retries.

Improved %<Hs, %<pt, %<tt, %<bs logging on SslBump errors.

pid_filename

Default value now based on squid -n command line parameter.

This directive is no longer mandatory to edit for multi-instance/tenant Squid installations.

refresh_pattern

Removed option ignore-auth. Its commonly desired behaviour is performed by default with correct HTTP/1.1 revalidation.

Removed option ignore-must-revalidate. Other more HTTP compliant directives (cache, store_miss) can be used to prevent objects from caching.

sslcrtd_children

New parameter queue-size= to set the maximum number of queued requests.

New parameter on-persistent-overload= to set the action taken when the helper queue is overloaded.

sslcrtvalidator_children

New parameter queue-size= to set the maximum number of queued requests.

New parameter on-persistent-overload= to set the action taken when the helper queue is overloaded.

store_id_children

New parameter queue-size= to set the maximum number of queued requests.

New parameter on-persistent-overload= to set the action taken when the helper queue is overloaded.

url_rewrite_children

New parameter queue-size= to set the maximum number of queued requests.

New parameter on-persistent-overload= to set the action taken when the helper queue is overloaded.

3.3 Removed tags

cache_peer_domain

Superceded by cache_peer_access. Use dstdomain ACL in the access control list to restrict domains requested.

ie_refresh

Removed. MSIE 3.x, 4.x, 5.0 and 5.01 are no longer popular browsers.

sslproxy_cafile

Replaced by tls_outgoing_options cafile=. Which now takes multiple entries.

sslproxy_capath

Replaced by tls_outgoing_options capath=.

sslproxy_cipher

Replaced by tls_outgoing_options cipher=.

sslproxy_client_certificate

Replaced by tls_outgoing_options cert=.

sslproxy_client_key

Replaced by tls_outgoing_options key=.

sslproxy_flags

Replaced by tls_outgoing_options flags=.

sslproxy_options

Replaced by tls_outgoing_options options=.

All values for SSLv2 configuration or disabling have been removed.

Manual squid.conf update may be required on upgrade.

sslproxy_version

Replaced by tls_outgoing_options options=.

All values for SSLv2 configuration or disabling have been removed.

Manual squid.conf update may be required on upgrade.

4. Changes to ./configure options since Squid-3.5

There have been some changes to Squid's build configuration since Squid-3.5.

This section gives an account of those changes in three categories:

4.1 New options

--enable-security-cert-generators

New option to control which TLS/SSL dynamic certificate generator helpers are built and installed.

Helper ssl_crtd has been renamed to security_file_certgen and built with module name file. Requires --with-openssl.

--enable-security-cert-validators

New option to control which TLS/SSL certificate validation helpers are built and installed.

One fake helper that does not actually perform any certificate checks is provided for testing and as an example for writing custom helpers.

--without-cppunit

The cppunit testing framework is auto-detected and used when available. This option can be used to disable it explicitly.

--without-systemd

SystemD init environment features are auto-detected and used when available. This option can be used to disable systemd features explicitly.

4.2 Changes to existing options

--enable-auth-basic

The MSNT-multi-domain helper has been removed.

The SMB LanMan helper SMB_LM is no longer built by default. It needs to be explicitly listed to be built.

--enable-auth-ntlm

The SMB LanMan helper is now built using SMB_LM (was lower case smb_lm).

The SMB LanMan helper SMB_LM is no longer built by default. It needs to be explicitly listed to be built.

--enable-diskio

Auto-detection of SMP related modules has been fixed to actually auto-detect them without configuring the module list manually.

--enable-esi

Custom ESI parser has been removed. Libxml2 or libexpat is now required to enable ESI processing.

4.3 Removed options

--with-cppunit-basedir

Replaced by --with-cppunit=PATH. Please prefer the default auto-detection though.

XSTD_USE_LIBLTDL

Removed. Use --with-included-ltdl instead.

5. Regressions since Squid-2.7

Some squid.conf options which were available in Squid-2.7 are not yet available in Squid-4

If you need something to do then porting one of these from Squid-2 to Squid-3 is most welcome.

5.1 Missing squid.conf options available in Squid-2.7

broken_vary_encoding

Not yet ported from 2.6

cache_peer

monitorinterval= not yet ported from 2.6

monitorsize= not yet ported from 2.6

monitortimeout= not yet ported from 2.6

monitorurl= not yet ported from 2.6

cache_vary

Not yet ported from 2.6

error_map

Not yet ported from 2.6

external_refresh_check

Not yet ported from 2.7

location_rewrite_access

Not yet ported from 2.6

location_rewrite_children

Not yet ported from 2.6

location_rewrite_concurrency

Not yet ported from 2.6

location_rewrite_program

Not yet ported from 2.6

refresh_pattern

stale-while-revalidate= not yet ported from 2.7

ignore-stale-while-revalidate= not yet ported from 2.7

negative-ttl= not yet ported from 2.7

refresh_stale_hit

Not yet ported from 2.7

update_headers

Not yet ported from 2.7

6. Copyright

Copyright (C) 1996-2021 The Squid Software Foundation and contributors

Squid software is distributed under GPLv2+ license and includes contributions from numerous individuals and organizations. Please see the COPYING and CONTRIBUTORS files for details.