Squid 4

Jul 2018

Released for production use.

The features have been set and large code changes are reserved for later versions.

  • Additions are limited to:
  • Security fixes
  • Stability fixes
  • Bug fixes
  • Documentation updates
  • {X} This series of Squid requires a C++11 capable compiler. The currently known compilers which meet this criteria and build Squid-4 reliably are GCC 4.9+ and Clang 3.5+

Basic new features in version 4:

  • Major UI changes:

    • RFC 6176 compliance (SSLv2 support removal)

    • Secure ICAP service connections
    • Add url_lfs_rewrite: a URL-rewriter based on local file existence
    • on_unsupported_protocol directive to allow Non-HTTP bypass

    • Removal of refresh_pattern ignore-auth and ignore-must-revalidate options

    • Remove cache_peer_domain directive

    • basic_msnt_multi_domain_auth: Superceeded by basic_smb_lm_auth
    • Update external_acl_type directive to take logformat codes in its format parameter

    • Removal of ESI custom parser
    • Experimental GnuTLS support for some TLS features
  • Minor UI changes:

    • Sub-millisecond transaction logging
    • ext_kerberos_ldap_group_acl -n option to disable automated SASL/GSSAPI
    • negotiate_kerberos_auth outputs group= kv-pair for use in note ACL
    • security_file_certgen helper supports memory-only mode
    • Adaptation support for Expect:100-continue in HTTP messages

    • Add url_rewrite_timeout directive

    • Update localnet ACL default definition for RFC 6890 compliance

    • Persistent connection timeouts request_start_timeout and pconn_lifetime

    • Per-rule refresh_pattern matching statistics in cachemgr report

    • Configurable helper queue size, with consistent defaults and better overflow handling
  • Developer Interest changes:

    • C++11
    • New helper concurrency channel-ID assignment algorithm
    • Simplify MEMPROXY_CLASS_* macros
    • Simplify CBDATA API and rename CBDATA_CLASS
    • HTTP Parser structural redesign
    • Base64 crypto API replacement
    • Enable long (--foo) command line parameters on squid binary
    • Implemented selective debugs() output for unit tests
    • Improved SMP support

The intention with this series is to improve performance using C++11 features. Some remaining Squid-2.7 missing features are listed as regressions in http://www.squid-cache.org/Versions/v4/RELEASENOTES.html#ss5.1

Packages of what will become Squid-4 source code are available at http://www.squid-cache.org/Versions/v4/

Security Advisories

See our Advisories list.

Open Bugs

Squid-4 default config

http_port 3128

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

http_access allow localnet
http_access allow localhost
http_access deny all

coredump_dir /squid/var/cache/squid

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

Squid-4 (last edited 2018-08-16 10:37:00 by AmosJeffries)