Squid-3.2 is CONSIDERED DANGEROUS as the security people say. Due to unfixed vulnerabilities CVE-2014-7141, CVE-2014-7142, CVE-2014-6270, CVE-2014-3609, and CVE-2014-0128 and any other recently discovered issues.
the Squid-3.2 series became DEPRECATED with the release of Squid-3.3 series
Released for production use.
The features have been set and large code changes are reserved for later versions.
Additions are limited to:
- Security fixes
- Stability fixes
- small optimizations
Features Ported from 2.7 in this release:
- Unique Sequence numbering for access.log lines
Features/LogModules (including log daemon module)
Cache-Control: stale-if-error handling and other staleness limits.
acl urllogin type (available from 3.2.4)
Basic new features in 3.2:
Fully transparent credential pass-thru to cache_peer
Kerberos login to cache_peer
Dynamic URL generation for deny_info redirects
- Multi-Lingual FTP directory listings
- Multi-Lingual proxy configuration splash pages for captive portals
Surrogate 1.0 protocol support
SMP Scaling worker processes
''rock'' SMP shared memory cache with disk backing
- Helpers started on-demand instead of delaying startup and reconfigure process
New helpers to demo url_rewrite_program programs
- New helper to lookup Kerberos or NTLM group via LDAP
- New helper to de-mux Negotiate/NTLM and Negotiate/Kerberos authentication
Purge tool to manage UFS/AUFS/DiskD caches bundled
- EUI (MAC address) logging and external ACL handling
- IPv6 support for TCP split-stack
Packages of squid 3.2 source code are available at http://www.squid-cache.org/Versions/v3/3.2/
See our Advisories list.
- Bugs against any older version can be closed if found fixed in 3.2.
- Bugs inherited from older versions are not necessarily blockers on 3.2 stable.
Squid-3.2 default config
From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
This minimal configuration does not work with versions earlier than 3.2 which are missing special cleanup done to the code.
http_port 3128 refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 acl localnet src 10.0.0.0/8 # RFC 1918 possible internal network acl localnet src 172.16.0.0/12 # RFC 1918 possible internal network acl localnet src 192.168.0.0/16 # RFC 1918 possible internal network acl localnet src fc00::/7 # RFC 4193 local private network range acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT http_access allow manager localhost http_access deny manager http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost http_access allow localnet http_access deny all