Squid 5

Aug 2021

Released for production use.

The features have been set and large code changes are reserved for later versions.

Additions are limited to:

  • Security fixes
  • Serious Bug fixes
  • Documentation updates

Features ported from 2.7 in this release:

Basic new features in 5.1:

  • Major UI changes:

    • Happy Eyeballs: Use each fully resolved forwarding destination ASAP.
    • Reuse reserved Negotiate and NTLM helpers after an idle timeout.
    • Support logformat %codes in error page templates.
    • Support opening CONNECT tunnels through an HTTP cache peer.
    • Change annotation behaviour when multiple same-name annotations are received. (see bug 4912)

      • - Some reserved keys retain the old behaviour due to their usage (eg group= received from auth and external ACL helpers)
  • Minor UI changes:

    • Add auth_schemes to control schemes presence and order in 401s/407s.

    • Add ACL types annotate_transaction and annotate_client.
    • Make CONNECT ACL a built-in default.
    • Add collapsed_forwarding_access to restrict Collapsed Forwarding of HTTP, ICP and HTCP requests.

    • Add mark_client_connection and mark_client_packet directives for Netfilter MARK and CONNMARK control.

    • Add deny_info and error page %A code to display Squid listening IP address.

    • New %ssl::<cert macro code to display received server X.509 certificate in PEM format.

    • New %proxy_protocol::>h logformat code for logging received PROXY protocol TLV values.

  • Developer Interest changes:

    • ICAP Trailers.

    • Remove USE_CHUNKEDMEMPOOLS compiler flag.
    • All binaries now use standard EXIT_SUCCESS or EXIT_FAILURE termination results for better OS integration.
    • Migrated to TrivialDB from deprecated BerkleyDB versions.
    • ntlm_fake_auth: add ability to test delayed responses.
    • basic_ldap_auth: return BH on internal errors.
    • Support RFC 8586: Loop Detection in Content Delivery Networks

Packages of what will become Squid-5 source code are available at http://www.squid-cache.org/Versions/v5/

Security Advisories

See our Advisories list.

Open Bugs

Squid-5 default config

http_port 3128

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

http_access allow localnet
http_access allow localhost
http_access deny all

coredump_dir /squid/var/cache/squid

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

Squid-5 (last edited 2021-07-31 01:00:40 by AmosJeffries)