Squid version 2.3

Squid-2.3 Releases

Release                   Date                            diff
2.3.DEVEL2                Thu Jul 15 20:24:49 UTC 1999    from 2.2.STABLE4
2.3.DEVEL3                Sun Oct 24 01:23:28 UTC 1999    from 2.3.DEVEL2
2.3.STABLE1               Mon Jan 10 07:02:57 UTC 2000    from 2.3.DEVEL3
2.3.STABLE2               Thu Mar 2 22:45:32 UTC 2000     from 2.3.STABLE1
2.3.STABLE3               Tue May 16 00:17:09 UTC 2000    from 2.3.STABLE2
2.3.STABLE4               Tue Jul 18 06:06:13 UTC 2000    from 2.3.STABLE3
2.3.STABLE5               Fri Jul 13 18:23:19 GMT 2001    from 2.3.STABLE4

Daily auto-generated tarball.
This is the most recent code committed to the SQUID_2_3 branch.
squid-2.3-200305122300    Mon May 12 23:00:25 UTC 2003    N/A

Reported Bugs for version 2.3.

If you've found a new bug, or wish to comment on one of the already-reported bugs, please write to squid-bugs@ircache.net


Important Changes

This page mentions the important changes, mostly relating to the configuration file options. Be sure to read the ChangeLog to see all of the changes.

Changes to SQUID-2.3.STABLE5
Accelerator mode security bug fixed: Versions 2.3.STABLE2 through 2.3.STABLE4 have a serious security bug when Squid is used in the 'httpd_accel' mode. If you configured httpd_accel_with_proxy off, then any request to Squid is allowed. Malicious users may use your proxy to port-scan remote systems, forge email, and do other nasty things.

NOTE: this bug has been fixed since Sept 7, 2000 and is listed on the bugs page.
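To check an installation against the condition described above, the following added example (not part of the original page or of Squid) classifies a release string and a squid.conf. It assumes that httpd_accel_host is the directive that enables accelerator mode and that an unset httpd_accel_with_proxy behaves as off; the sample configurations are constructed.

```python
# Releases this page lists as affected.
AFFECTED = {"2.3.STABLE2", "2.3.STABLE3", "2.3.STABLE4"}

def parse_directives(conf_text):
    """Map each squid.conf directive to the list of its argument strings."""
    directives = {}
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            args = parts[1].strip() if len(parts) > 1 else ""
            directives.setdefault(parts[0], []).append(args)
    return directives

def accel_exposure(version, conf_text):
    """Classify a Squid release plus squid.conf against the accelerator bug."""
    d = parse_directives(conf_text)
    # Assumption: httpd_accel_host is what puts Squid into accelerator mode.
    if "httpd_accel_host" not in d:
        return "not-accelerator"
    # Assumption: an unset httpd_accel_with_proxy behaves as 'off'.
    with_proxy = d.get("httpd_accel_with_proxy", ["off"])[-1].lower()
    if with_proxy != "off":
        return "proxy-enabled"
    # The version string cannot show whether the Sept 7, 2000 fix was applied.
    if version in AFFECTED:
        return "exposed-unless-patched"
    return "release-not-affected"

# Constructed sample configurations.
ACCEL_CONF = """\
http_port 80
httpd_accel_host www.example.com   # origin server
httpd_accel_port 8080
httpd_accel_with_proxy off
"""
PROXY_CONF = "http_port 3128\n"

if __name__ == "__main__":
    for v in ("2.3.STABLE1", "2.3.STABLE4", "2.3.STABLE5"):
        print(v, accel_exposure(v, ACCEL_CONF))
```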

Changes to SQUID-2.3.STABLE3
offline_toggle: You can now toggle the 'offline_mode' option from the cache manager.
minimum_object_size: Added the 'minimum_object_size' option. Files smaller than this size are not cached.
passive_ftp: If your firewall doesn't allow passive FTP transfers, you can tell Squid to use PORT instead by turning the 'passive_ftp' option off.
wccp_version: Some Cisco IOS versions expect to receive WCCP packets with version set to three. The 'wccp_version' option allows you to change it, from the default value of four.

Changes to SQUID-2.3.STABLE1
Bogus Host headers: Plugged a security hole with Host header processing. Before the bug was fixed, it was possible to pollute the cache by giving a Host header for a different virtual server hosted on the same physical server as the URL hostname. Now Squid always sets the Host header in outgoing requests to match the URL hostname.
uri_whitespace: This directive has a new option, called 'strip', and it is now the default. The strip option removes whitespace characters from requested URIs, as recommended by RFC 2616. Previously the default action was to deny such URIs, which confuses some users.
anonymize_headers: Fixed a bug that affects unknown HTTP headers. With the bug, if you list a header that Squid doesn't know about (such as CHARSET), it would add HDR_OTHER to the allow/deny mask. This caused all unknown headers to be allowed or denied (depending on the scheme you use). Now, with the bug fixed, an unknown header in the 'anonymize_headers' list is simply ignored.
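The anonymize_headers mask bug above, as an added model that is not Squid's source code: the buggy and fixed mask construction side by side, applied to a constructed request. The header ids in KNOWN are a hypothetical subset; HDR_OTHER is the catch-all id the page names.

```python
# Hypothetical subset of header ids Squid knows; everything else maps to HDR_OTHER.
KNOWN = {"from": 0, "referer": 1, "user-agent": 2, "via": 3}
HDR_OTHER = 4

def header_id(name):
    return KNOWN.get(name.lower(), HDR_OTHER)

def build_mask(listed, fixed):
    """Build the bitmask for the headers named in an anonymize_headers list."""
    mask = 0
    for name in listed:
        hid = header_id(name)
        if fixed and hid == HDR_OTHER:
            continue  # fixed behaviour: an unknown header in the list is ignored
        mask |= 1 << hid  # buggy behaviour reaches here and sets the HDR_OTHER bit
    return mask

def filter_headers(request_headers, mask, scheme):
    """scheme 'deny' drops headers whose bit is set; 'allow' keeps only those."""
    kept = []
    for name in request_headers:
        listed = bool(mask & (1 << header_id(name)))
        if listed == (scheme == "allow"):
            kept.append(name)
    return kept

# Constructed request: two known headers and two that Squid does not know.
REQUEST = ["User-Agent", "From", "Charset", "X-Trace"]

def compare(scheme, listed):
    """Return (headers kept with the bug, headers kept with the fix)."""
    return tuple(filter_headers(REQUEST, build_mask(listed, fixed), scheme)
                 for fixed in (False, True))

if __name__ == "__main__":
    # With the bug, one unknown name in an allow list lets every unknown header through.
    print("allow:", compare("allow", ["User-Agent", "Charset"]))
    # With the bug, one unknown name in a deny list strips every unknown header.
    print("deny: ", compare("deny", ["From", "Charset"]))
```

The allow case is the one to look for on an anonymizing proxy: with the bug, a single unrecognised name in the list forwards every header Squid does not know.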

Changes to version 2.3.DEVEL3
domain name matching: The function which checks for a match between a hostname and a domain name has been rewritten, and its behavior is now slightly different. Previously, the domain "com" would match the hostname "foo.com", but this is no longer the case. Now you must write ".com" to match "foo.com".
tcp_incoming_addr: The tcp_incoming_addr option has been removed. You can now give a specific bind address on the http_port option.

Changes to version 2.3.DEVEL2
WCCP: This version supports WCCP v1. It is enabled by default.
Storage API: This version includes a (mostly?) generic interface to support different types of storage systems (instead of always using Unix Filesystem directories). Please see section 9 of the programmers guide for details on the API.
removed dnsservers: In this version, DNS lookups are done by the main Squid process by default. Squid reads your /etc/resolv.conf file to get a list of nameservers that it can query. If, for some reason, you require the dnsserver child processes, then you can return the old behavior with the --disable-internal-dns configure option.
truncate vs unlink: In version 2.2 Squid truncated disk files (by default) instead of unlinking them. This caused some installations to run out of inodes on the cache disks. Even though truncate makes Squid a bit faster, we have made the default to use unlink again. If you want to use truncate, and have enough inodes, then use the --enable-truncate configure option.
request_size: This squid.conf option has been removed. It used to refer to the size of a client's whole HTTP request. It has been replaced with new options (request_header_max_size, request_body_max_size) that allow you to specify the size of request headers and request bodies separately.
request_header_max_size: This new option specifies the maximum size of a client request header. If a client's request headers exceed this limit, then the client receives a "request too large" error.
request_body_max_size: This new option specifies the maximum size of a client's request body. This primarily affects POST and PUT requests. If you don't want users uploading huge files, then set this option appropriately.
reply_body_max_size: This new option specifies the maximum size of a reply body. It can be used to prevent users from downloading very large files, such as MP3s and movies. The reply size is checked twice. First, when we get the reply headers, we check the content-length value. If the content-length value exists and is larger than this parameter, the request is denied and the user receives an error message that says "the request or reply is too large." If there is no content-length, and the reply size exceeds this limit, the client's connection is just closed and they will receive a partial reply.
maximum_icp_query_timeout: Normally the ICP query timeout is determined dynamically. But sometimes it can lead to very large values (say 5 seconds). Use this option to put an upper limit on the dynamic timeout value. Do NOT use this option to always use a fixed (instead of a dynamic) timeout value.
replacement_policy: There is some code in this version to support different replacement policies. You may need to define HEAP_REPLACEMENT by hand in src/Makefile to get it to work. Eventually it will be easier to enable these features.
peer_connect_timeout: This new option specifies the maximum amount of time to wait for establishing a TCP (HTTP) connection to a neighbor cache.
wccp_router: Use this new option to define your WCCP "home" router for Squid. WCCP support is enabled by default.
wccp_incoming_address: Use this option if you require WCCP messages to be received on only one interface. Do NOT use this option if you're unsure how many interfaces you have, or if you know you have only one interface.
wccp_outgoing_address: Use this option if you require WCCP messages to be sent out on only one interface. Do NOT use this option if you're unsure how many interfaces you have, or if you know you have only one interface.
redirector_bypass: Use this new option to bypass the redirectors if the load becomes too high. Only use this if the redirectors are used for "optimizations" and not access controls.
cache_dir: The usage of this option has changed since we have a storage interface API. You now need to specify the type of storage system to use with the cache directory. The new usage is:
		cache_dir type directory size l1 l2

Most everyone will want to use "ufs" as the type. If you are using Async I/O (--enable-async-io) on Linux or Solaris, then you may want to try "asyncufs" as the type. Async IO support may be buggy, however, so beware.
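Several of the changes above alter or remove squid.conf syntax: request_size, tcp_incoming_addr, cache_dir and domain name matching. The following added example (not part of the original page or of Squid) scans a configuration written for 2.2 and reports the lines that need attention. It assumes that dstdomain and srcdomain ACLs use the rewritten domain matcher and that an old-style cache_dir line starts with an absolute path; the sample configuration is constructed.

```python
# Assumption: these ACL types use the rewritten hostname/domain matcher.
DOMAIN_ACL_TYPES = {"dstdomain", "srcdomain"}

def lint_squid_conf(conf_text):
    """Return (line_number, message) findings for a squid.conf written for 2.2."""
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        name, args = fields[0], fields[1:]
        if name == "request_size":
            findings.append((no, "request_size removed: use request_header_max_size "
                                 "and request_body_max_size"))
        elif name == "tcp_incoming_addr":
            findings.append((no, "tcp_incoming_addr removed: give the bind "
                                 "address on http_port"))
        elif name == "cache_dir" and args and args[0].startswith("/"):
            # Old usage had no storage type in front of the directory.
            findings.append((no, "cache_dir needs a storage type first, e.g. "
                                 "cache_dir ufs " + " ".join(args)))
        elif name == "acl" and len(args) >= 3 and args[1] in DOMAIN_ACL_TYPES:
            for dom in args[2:]:
                if not dom.startswith("."):
                    # A rule built on the old matching silently stops applying.
                    findings.append((no, "'%s' no longer matches hosts under it: "
                                         "write '.%s'" % (dom, dom)))
    return findings

# Constructed sample: a 2.2-style configuration.
OLD_CONF = """\
tcp_incoming_addr 192.0.2.10
request_size 100 KB
cache_dir /usr/local/squid/cache 100 16 256
acl blocked dstdomain com .example.org
http_access deny blocked
"""

if __name__ == "__main__":
    for no, msg in lint_squid_conf(OLD_CONF):
        print("line %d: %s" % (no, msg))
```

The domain finding matters most for deny rules: an entry without the leading dot is still accepted, but it stops matching the hosts it used to block.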
