[squid-users] Squid 2.5 released.

The squid development team are pleased to announce the release of squid
2.5 stable. Faster and more flexible than ever before, a copy can be
grabbed from your local mirror.

For details on the new features, please see the release notes (included
below).
 
- The squid core team.

=======================================================================

Squid 2.5 release notes
Squid Developers

This document contains the release notes for version 2.5 of Squid. Squid
is a WWW Cache application developed by the National Laboratory for
Applied Network Research and members of the Web Caching community.

1. Key changes from squid 2.4:

    * Major rewrite of proxy authentication to support other schemes
than basic. First in the line is NTLM support but others can easily be
added (minimal digest is present). See the Programmers Guide for the
internals. Thanks to the SAMBA team for some excellent collaboration on
the NTLM support! (Robert Collins & Francesco Chemolli)
    * Optimized searching in proxy_auth and ident ACL types. Squid
should now handle large access lists a lot more efficiently. (Francesco
Chemolli)
    * Fixed forwarding/peer loop detection code (Brian Degenhardt) - now
a peer is ignored if it turns out to be us, rather than committing
suicide
    * Changed the internal URL code to obey appendDomain for internal
objects if it needs appending. This fixes weirdnesses where a machine
can think it is "foo.bar.com", and "foo" is requested. (Brian
Degenhardt)
    * Added the use of Automake to create the Makefile.in's in the squid
source tree. This will allow libtool in the future, and immediately
allows better dependency tracking - with or without gcc - as well as the
dist-all and distcheck targets for developers which respectively build a
tar.gz and a tar.bz2 distribution, and check that what will be
distributed builds. (Robert Collins)
    * Added TOS and source address selection based on ACLs, written by
Roger Venning. This allows administrators to set the TOS precedence bits
and/or the source IP from a set of available IPs based upon some ACLs,
generally to map different users to different outgoing links and traffic
profiles.
    * Added 'max-conn' option to 'cache_peer'
    * Added SSL gatewaying support, allowing Squid to act as a SSL
server in accelerator setups.
    * Many new authentication helpers.
    * no_cache now applies to cache hits as well as cache misses
    * the Gopher client in Squid has been significantly improved
    * Squid now sanity checks FTP data connections to ensure the
connection is from the requested server. Can be disabled if needed by
turning off the ftp_sanitycheck option.
    * external acl support. A mechanism where flexible ACL checks can be
driven by external helpers. See the external_acl_type and acl external
directives.
    * Countless other small things and fixes
    * HTML pages generated by Squid or CacheMgr as well as the ERR
documents now contain a doctype declaration so that browsers know which
HTML specification the document uses. In addition to that they have a
new look (background-color, font) and are valid according to the HTML
standards at www.w3.org. (Clemens Löser)
    * Login and password send to Basic auth helpers is now URL escaped
to allow for spaces and other "odd" characters in logins and passwords
    * Proxy Authentication is no longer blindly forwarded to peer caches
if not used locally. If forwarding of proxy authentication is desired
then it must now be configured with the login=PASS cache_peer option.
    * Responses with Vary: in the header are now cached by squid.
(Henrik Nordstrom).
    * Support for openBSD pf interface in interception mode.
    * It is now possible to send complex arguments to helpers by quoting
the arguments by " and/or \

2. Changes to squid.conf

http_port

    Allows ip address specification.
https_port

    This is an option for use with SSL acceleration - it determines
where squid listens for SSL requests.
ssl_unclean_shutdown

    This is used to handle some bugs in browsers that don't fully
support SSL.
tcp_incoming_address

    This has been removed - use the http_port line to specify ip
address's.
cache_peer

    login= has been extended to allow pass through authentication, fixed
password authentication and maximum connection limits.
hosts_file

    Directs squid to read in a set of name-address associations upon
startup and reconfiguration.
authenticate_program
authenticate_children
proxy_auth_realm

    Removed. See auth_param.
auth_param

    This replaces the authenticate_program directive. It allows
configuration of multiple authentication helpers, one for each of the
supported authentication schemes. Such schemes include "NTLM", "Digest
(from RFC 2617)", and "Basic".
authenticate_cache_garbage_interval

    This directive sets the garbage collection interval for the
authentication cache.
external_acl_type

    This directive configures the new external ACL Helper interface.
VERY useful for authenticating by group membership - i.e. from an LDAP
server or NT domain.
request_body_max_size

    The default for this is now 0 - unlimited.
reply_body_max_size

    Now multiple size limits are allowed based on ACL lists.
refresh_pattern

    The default is now blank - users must uncomment the suggested
default to use it. This allows the use of a blank refresh pattern if
desired.
request_timeout

    Raised the default to 5 minutes.
persistent_request_timeout

    New directive - how long to wait after a reply is completed before
closing the connection.
acl

    New acl types

        * referer_regex (match Referer headers),
        * max_user_ip (limit concurrent IP's a single user may use)
        * rep_mime_type (filter replies based on their content type).
        * external (use an external helper)

http_reply_access

    Limit HTTP replies based on ACL's. This is complementary to
http_access.
tcp_outgoing_tos
tcp_outgoing_ds
tcp_outgoing_dscp

    These three directives allow marking of outbound connections at the
IP level - i.e. for choosing routes based on the usercode.
tcp_outgoing_address

    Allows mapping of requests onto specific outbound IP address's.
anonymize_headers

    Removed. See header_access.
header_access

    Allow granular filtering of HTTP headers.
header_replace

    Replace specific headers with custom values.
pipeline_prefetch

    Now defaults to off for bandwidth management and access logging
reasons.
vary_ignore_expire

    Enables a workaround for web servers that immediately expire Varied
objects because they think squid is unable to handle Vary:.
sleep_after_fork

    Give the OS a small amount of time to accomodate the fork+exec used
to launch helpers - if squid has a lot of virtual memory allocated the
OS may run out of virtual memory during helper spawning otherwise.
reference_age

    This has been removed - starting with Squid-2.4 this directive have
had no effect and has now been fully removed to avoid confusion.
siteselect_timeout

    This has been removed - it is not referenced anywhere in the source
code.

3. Known limitations

There is a few limitations to this version of Squid that we hope to
correct in a later release

deny_info

    deny_info only works for http_access, not for the acls listen in
http_reply_access
authentication

    The proxy authentication acl types only works in http_access and
partially in delay_access, not the other acl driven directives
(tcp_outoing_address, redirect_access, cache_peer_access, ...)