Squid 5
Aug 2021 |
Released for production use. |
The features have been set and large code changes are reserved for later versions.
Additions are limited to:
- Security fixes
- Serious Bug fixes
- Documentation updates
Features ported from 2.7 in this release:
- Class 6 (client response) delay pool
- In the form of response_delay_pool and response_delay_pool_access for Squid-to-client speed limiting.
Basic new features in 5.1:
Major UI changes:
- Happy Eyeballs: Use each fully resolved forwarding destination ASAP.
- Removes dns_v4_first feature as a side effect.
- Reuse reserved Negotiate and NTLM helpers after an idle timeout.
- Support logformat %codes in error page templates.
- Support opening CONNECT tunnels through an HTTP cache peer.
Change annotation behaviour when multiple same-name annotations are received. (see bug 4912)
- - Some reserved keys retain the old behaviour due to their usage (eg group= received from auth and external ACL helpers)
- Happy Eyeballs: Use each fully resolved forwarding destination ASAP.
Minor UI changes:
Add auth_schemes to control schemes presence and order in 401s/407s.
- Add ACL types annotate_transaction and annotate_client.
- Make CONNECT ACL a built-in default.
Add collapsed_forwarding_access to restrict Collapsed Forwarding of HTTP, ICP and HTCP requests.
Add mark_client_connection and mark_client_packet directives for Netfilter MARK and CONNMARK control.
Add deny_info and error page %A code to display Squid listening IP address.
New %ssl::<cert macro code to display received server X.509 certificate in PEM format.
New %proxy_protocol::>h logformat code for logging received PROXY protocol TLV values.
Developer Interest changes:
- Remove USE_CHUNKEDMEMPOOLS compiler flag.
- All binaries now use standard EXIT_SUCCESS or EXIT_FAILURE termination results for better OS integration.
- Migrated to TrivialDB from deprecated BerkleyDB versions.
- ntlm_fake_auth: add ability to test delayed responses.
- basic_ldap_auth: return BH on internal errors.
- Support RFC 8586: Loop Detection in Content Delivery Networks
Packages of what will become Squid-5 source code are available at http://www.squid-cache.org/Versions/v5/
Security Advisories
See our Advisories list.
Open Bugs
Major or higher bugs currently affecting this version.
- Bugs against any older version can be closed if found fixed in 5.x
- Bugs inherited from older versions are not necessarily blockers on stable.
Squid-5 default config
http_port 3128 # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing # should be allowed acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN) acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN) acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN) acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN) acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN) acl localnet src fc00::/7 # RFC 4193 local private network range acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost manager http_access deny manager # # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS # http_access allow localnet http_access allow localhost http_access deny all coredump_dir /squid/var/cache/squid refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320