After three years of development, the stable release of the Squid 5.1 proxy server has been published, ready for use on production systems (the 5.0.x releases were betas). Now that the 5.x branch has been declared stable, it will receive only fixes for vulnerabilities and stability problems, plus minor optimizations; new features will be developed in the new experimental 6.0 branch. Users of the previous stable 4.x branch are encouraged to plan a migration to 5.x.
The main innovations in Squid 5 are:
- The implementation of ICAP (Internet Content Adaptation Protocol), used for integration with external content inspection systems, gained support for the trailer mechanism, which allows additional metadata headers to be attached to the response after the message body (for example, a checksum and details of the issues found can be transmitted this way).
- When forwarding requests, the “Happy Eyeballs” algorithm is used: the first IP address received is used immediately, without waiting for all potentially available IPv4 and IPv6 addresses of the destination to be resolved. Instead of using the “dns_v4_first” setting to determine the order in which the IPv4 and IPv6 address families are tried, the order in which DNS answers arrive is now decisive: if the AAAA answer arrives first while an address is being resolved, the resulting IPv6 address will be used. Consequently, the preferred address family is now configured in the firewall, in DNS, or at startup with the “--disable-ipv6” option. The change speeds up TCP connection setup and reduces the performance impact of DNS resolution delays.
- The “ext_kerberos_sid_group_acl” helper was added for use with the “external_acl” directive; it performs authentication with group membership checks against Active Directory using Kerberos. The ldapsearch utility from the OpenLDAP package is used to look up the group name.
- Berkeley DB support is deprecated because of licensing issues. The Berkeley DB 5.x branch has been unmaintained for several years and has unpatched vulnerabilities, while moving to newer releases is impossible because their license changed to AGPLv3, whose requirements also extend to applications that use Berkeley DB as a library; Squid is released under GPLv2, and the AGPL is incompatible with GPLv2. The project has switched from Berkeley DB to the TrivialDB DBMS, which, unlike Berkeley DB, is optimized for simultaneous parallel access to the database. Berkeley DB support is retained for now, but the “libtdb” storage type is now recommended instead of “libdb” in the “ext_session_acl” and “ext_time_quota_acl” helpers.
- Added support for the CDN-Loop HTTP header, defined in RFC 8586, which allows loops to be detected when content delivery networks are used (the header protects against a request that, while being forwarded between CDNs, for some reason returns to the original CDN and forms an infinite loop).
- The SSL-Bump mechanism, which allows the content of encrypted HTTPS sessions to be intercepted, gained support for forwarding spoofed (re-encrypted) HTTPS requests through other proxy servers listed in cache_peer, using an ordinary tunnel based on the HTTP CONNECT method (forwarding over HTTPS is not supported, since Squid cannot yet carry TLS inside TLS). On arrival of the first intercepted HTTPS request, SSL-Bump establishes a TLS connection to the target server and obtains its certificate. Squid then takes the hostname from the real certificate received from the server and generates a fictitious certificate with which it impersonates the requested server towards the client, while continuing to use the TLS connection established with the target server to receive data (so that the spoofing does not cause warnings in browsers on the client side, the certificate used to sign the generated certificates must be added to the clients' root certificate store).
- Added the mark_client_connection and mark_client_packet directives, which attach Netfilter (CONNMARK) marks to client TCP connections or to individual packets.
- CVE-2021-28116: information leak when processing specially crafted WCCPv2 messages. The vulnerability allows an attacker to corrupt the list of known WCCP routers and redirect proxy client traffic to their own host. The problem manifests only in configurations with WCCPv2 support enabled and only where the router's IP address can be spoofed.
- CVE-2021-41611: an error in TLS certificate validation that allowed access using untrusted certificates.
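The forwarding change described above (use whichever DNS answer arrives first instead of waiting for a preferred family) is easy to misjudge in operation: the address family chosen depends on answer timing, not on configuration. The following is an added illustration, not Squid code, that simulates both strategies with asyncio. The answers, their delays and the function names are constructed for the example; in the constructed data the AAAA answer arrives before the A answer, so the first-answer strategy picks IPv6 while a dns_v4_first-style strategy still waits for and picks IPv4.

```python
"""Added example (not Squid code): first-DNS-answer selection versus a
preferred-family strategy, simulated with asyncio."""
import asyncio
import time

# Constructed resolver answers: (record type, address, arrival delay in seconds).
# The AAAA answer is deliberately faster than the A answer.
CONSTRUCTED_ANSWERS = [
    ("A", "192.0.2.10", 0.05),
    ("AAAA", "2001:db8::10", 0.01),
]


async def _lookup(record_type, address, delay):
    # Stand-in for one DNS query that completes after `delay` seconds.
    await asyncio.sleep(delay)
    return record_type, address


async def _first_answer(answers):
    # Squid 5 style: start all queries, take the first one to complete,
    # cancel the rest so no time is spent waiting for the slower family.
    tasks = [asyncio.create_task(_lookup(*a)) for a in answers]
    done, pending = await asyncio.wait(tasks, return_when=asyncio.FIRST_COMPLETED)
    for task in pending:
        task.cancel()
    return done.pop().result()


async def _preferred_family(answers, preferred):
    # dns_v4_first style: wait for every answer, then honour the preference.
    results = await asyncio.gather(*(_lookup(*a) for a in answers))
    for record_type, address in results:
        if record_type == preferred:
            return record_type, address
    return results[0]


def resolve_first(answers=CONSTRUCTED_ANSWERS):
    """Return (record_type, address) of the first answer to arrive."""
    return asyncio.run(_first_answer(answers))


def resolve_v4_first(answers=CONSTRUCTED_ANSWERS):
    """Return (record_type, address) after waiting for all answers, IPv4 preferred."""
    return asyncio.run(_preferred_family(answers, "A"))


def timed(func):
    """Run a selection strategy and report its wall-clock cost in seconds."""
    start = time.perf_counter()
    result = func()
    return result, time.perf_counter() - start


if __name__ == "__main__":
    for name, strategy in (("first answer", resolve_first), ("v4 first", resolve_v4_first)):
        (record_type, address), seconds = timed(strategy)
        print(f"{name:12s} -> {record_type:4s} {address} after {seconds * 1000:.0f} ms")
```

Note that the same simulation with the delays swapped would make the first-answer strategy choose IPv4: a Squid 5 deployment that must stay on one family has to enforce that in the firewall, in DNS, or by building with --disable-ipv6, exactly as the release notes say.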
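The CDN-Loop item above describes the header but not how a proxy uses it. As an added example, not code from Squid or from the page, the following parses an RFC 8586 CDN-Loop value (a comma-separated list of cdn-id tokens, each optionally followed by ";"-separated parameters), checks whether this CDN's own identifier already appears, and appends the identifier to an outgoing request. The identifier cdn.example and the sample header lines are constructed for the example.

```python
"""Added example (not Squid code): RFC 8586 CDN-Loop parsing and loop detection."""

# Assumed identifier for this CDN / proxy; a real deployment uses its own
# host name or an agreed pseudonym.
OUR_CDN_ID = "cdn.example"


def parse_cdn_loop(header_value):
    """Return the cdn-id tokens from one CDN-Loop field value.

    CDN-Loop = #cdn-info
    cdn-info = cdn-id *( OWS ";" OWS parameter )

    Parameters after ';' carry optional diagnostics and are ignored for loop
    detection; empty list elements (permitted by the #rule) are skipped.
    """
    ids = []
    for element in header_value.split(","):
        element = element.strip()
        if not element:
            continue
        cdn_id = element.split(";", 1)[0].strip()
        if cdn_id:
            ids.append(cdn_id)
    return ids


def has_loop(headers, our_id=OUR_CDN_ID):
    """True if our identifier is already present in any CDN-Loop field.

    headers is a list of (name, value) pairs; several CDN-Loop fields are
    treated as one combined list. cdn-id is a host name or pseudonym, so the
    comparison is case-insensitive.
    """
    for name, value in headers:
        if name.lower() != "cdn-loop":
            continue
        for cdn_id in parse_cdn_loop(value):
            if cdn_id.lower() == our_id.lower():
                return True
    return False


def add_our_id(headers, our_id=OUR_CDN_ID):
    """Return a copy of the headers with our identifier appended as a new
    CDN-Loop field, which is what each CDN must do before forwarding."""
    return list(headers) + [("CDN-Loop", our_id)]


# Constructed request headers: the request has already passed through another
# CDN and through us (note the differing case), so it has looped back.
CONSTRUCTED_LOOPED_REQUEST = [
    ("Host", "origin.example"),
    ("CDN-Loop", "other-cdn.example; rid=abc123"),
    ("cdn-loop", "CDN.Example"),
]

# Constructed request headers for a first pass through this CDN.
CONSTRUCTED_FRESH_REQUEST = [
    ("Host", "origin.example"),
    ("CDN-Loop", "other-cdn.example"),
]


if __name__ == "__main__":
    for label, request in (("looped", CONSTRUCTED_LOOPED_REQUEST), ("fresh", CONSTRUCTED_FRESH_REQUEST)):
        if has_loop(request):
            print(f"{label}: loop detected, refuse to forward")
        else:
            print(f"{label}: forwarding with", add_our_id(request)[-1])
```

The header is a cooperative signal between CDNs rather than a security boundary: any hop can drop or rewrite it, so loop detection should be paired with hop limits or forwarding-path rules rather than relied on alone.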