Re: 2.5 Release note draft 2 from Robert Collins on 2002-08-28 (squid-dev)

From: Robert Collins <robertc@dont-contact.us>
Date: 29 Aug 2002 15:10:22 +1000

On Thu, 2002-08-29 at 07:47, Henrik Nordstrom wrote:
> On Tuesday 27 August 2002 10.14, Robert Collins wrote:
>
> > - Reworked how request bodies are passed down to the
> > protocols. Now all client side processing is inside client_side.c,
> > and the pass and pump modules is no longer used.
>
> This does not need to be mentioned in the user release notes, only in
> the changelog.

Done

>
> > - SASL authentication helper by Ian Castle
>
> There is several other helpers added also, by various authors. Seems
> odd to mention one of them and not the other..

Done - removed the details.

> > - Login and password send to Basic auth helpers is now URL
> > escaped to allow for spaces and other "odd" characters in
> > logins and passwords
>
> Reminds me of one rather important change that needs to be mentioned.
> Proxy Authentication is no longer automatically forwarded if not used
> locally. To forward Proxy Authentication to cache peers such
> forwarding must be enabled via the login=PASS cache_peer option.

Copied your new changelog entry.

I've put the release notes into an SGML file in doc/release-notes.. here
is the HTML output.

Rob

Squid 2.5 release notes

Squid Developers

$Id: $

This document contains the release notes for version 2.5 of Squid. Squid is a WWW Cache application developed by the National Laboratory for Applied Network Research and members of the Web Caching community.

1. Key changes from squid 2.4:

Major rewrite of proxy authentication to support other schemes than basic. First in the line is NTLM support but others can easily be added (minimal digest is present). See the Programmers Guide for the internals. Thanks to the SAMBA team for some excellent collaboration on the NTLM support! (Robert Collins & Francesco Chemolli)
Optimized searching in proxy_auth and ident ACL types. Squid should now handle large access lists a lot more efficiently. (Francesco Chemolli)
Fixed forwarding/peer loop detection code (Brian Degenhardt) - now a peer is ignored if it turns out to be us, rather than committing suicide
Changed the internal URL code to obey appendDomain for internal objects if it needs appending. This fixes weirdnesses where a machine can think it is "foo.bar.com", and "foo" is requested. (Brian Degenhardt)
Added the use of Automake to create the Makefile.in's in the squid source tree. This will allow libtool in the future, and immediately allows better dependency tracking - with or without gcc - as well as the dist-all and distcheck targets for developers which respectively build a tar.gz and a tar.bz2 distribution, and check that what will be distributed builds. (Robert Collins)
Added TOS and source address selection based on ACLs, written by Roger Venning. This allows administrators to set the TOS precedence bits and/or the source IP from a set of available IPs based upon some ACLs, generally to map different users to different outgoing links and traffic profiles.
Added 'max-conn' option to 'cache_peer'
Added SSL gatewaying support, allowing Squid to act as a SSL server in accelerator setups.
Many new authentication helpers.
no_cache now applies to cache hits as well as cache misses
the Gopher client in Squid has been significantly improved
Squid now sanity checks FTP data connections to ensure the connection is from the requested server. Can be disabled if needed by turning off the ftp_sanitycheck option.
external acl support. A mechanism where flexible ACL checks can be driven by external helpers. See the external_acl_type and acl external directives.
Countless other small things and fixes
HTML pages generated by Squid or CacheMgr as well as the ERR documents now contain a doctype declaration so that browsers know which HTML specification the document uses. In addition to that they have a new look (background-color, font) and are valid according to the HTML standards at www.w3.org. (Clemens Löser)
Login and password send to Basic auth helpers is now URL escaped to allow for spaces and other "odd" characters in logins and passwords
Proxy Authentication is no longer blindly forwarded to peer caches if not used locally. If forwarding of proxy authentication is desired then it must now be configured with the login=PASS cache_peer option.
Responses with Vary: in the header are now cached by squid. (Henrik Nordstrom).

2. Changes to squid.conf

http_port

Allows ip address specification.

https_port

This is an option for use with SSL acceleration - it determines where squid listens for SSL requests.

ssl_unclean_shutdown

This is used to handle some bugs in browsers that don't fully support SSL.

tcp_incoming_address

This has been removed - use the http_port line to specify ip address's.

cache_peer

login= has been extended to allow pass through authentication, fixed password authentication and maximum connection limits.

hosts_file

Directs squid to read in a set of name-address associations upon startup and reconfiguration.

authenticate_program

authenticate_children

proxy_auth_realm

Removed. See auth_param.

auth_param

This replaces the authenticate_program directive. It allows configuration of multiple authentication helpers, one for each of the supported authentication schemes. Such schemes include "NTLM", "Digest (from RFC 2617)", and "Basic".

authenticate_cache_garbage_interval

This directive sets the garbage collection interval for the authentication cache.

external_acl_type

This directive configures the new external ACL Helper interface. VERY useful for authenticating by group membership - i.e. from an LDAP server or NT domain.

request_body_max_size

The default for this is now 0 - unlimited.

reply_body_max_size

Now multiple size limits are allowed based on ACL lists.

refresh_pattern

The default is now blank - users must uncomment the suggested default to use it. This allows the use of a blank refresh pattern if desired.

request_timeout

Raised the default to 5 minutes.

persistent_request_timeout

New directive - how long to wait after a reply is completed before closing the connection.

acl

New acl types

referer_regex (match Referer headers),
max_user_ip (limit concurrent IP's a single user may use)
rep_mime_type (filter replies based on their content type).
external (use an external helper)

http_reply_access

Limit HTTP replies based on ACL's. This is complementary to http_access.

tcp_outgoing_tos

tcp_outgoing_ds

tcp_outgoing_dscp

These three directives allow marking of outbound connections at the IP level - i.e. for choosing routes based on the usercode.

tcp_outgoing_address

Allows mapping of requests onto specific outbound IP address's.

anonymize_headers

Removed. See header_access.

header_access

Allow granular filtering of HTTP headers.

header_replace

Replace specific headers with custom values.

pipeline_prefetch

Now defaults to off for bandwidth management and access logging reasons.

vary_ignore_expire

Enables a workaround for web servers that immediately expire Varied objects because they think squid is unable to handle Vary:.

sleep_after_fork

Give the OS a small amount of time to accomodate the fork+exec used to launch helpers - if squid has a lot of virtual memory allocated the OS may run out of virtual memory during helper spawning otherwise.

application/pgp-signature attachment: This is a digitally signed message part

Received on Wed Aug 28 2002 - 23:18:18 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:16:16 MST