Squid 2.6.STABLE18 release notes

Major improvements to the way that Squid handles web proxy, accelerated and transparent proxy requests to make it easier to configure transparent and acceleration functionality. The default behaviour is to function as a standard HTTP proxy on each port that Squid is configured to listen on, but in addition in this release the keywords "accel" and "transparent" can be specified after each port to indicate to Squid the functionality that is to be enabled on that port. This means that the old config directives relating to httpd_accel_* are now deprecated. See below for more details about these options.
WCCPv2 support multiple cache engines registering with multiple WCCP routers and switches. WCCPv2 is preferred over WCCPv1 for performance and flexibility reasons if your router or switch is able to support it (all recent versions of IOS do so). Initially WCCPv2 under Linux is limited to registration with only one router due to kernel limitations in more recent versions, although this will be addressed in a future release of Squid.
TPROXY totally transparent proxy support under Linux, which to allow Squid to appear totally invisible to both client and server systems when transparently caching requests. This works by spoofing the source and destination address to both the client and server.
Support for Etag and Vary HTTP headers. This further moves Squid towards HTTP/1.1 compliance. The Vary header field is used for improved caching and delivery of customized content to end clients, and the Etag is used similar to an MD5 checksum between client and server to determine if a web page has changed since it was last retrieved.
Collapsed forwarding, which gives Squid the ability to intelligently merge client requests for objects into one request to the server. Of particular benefit in accelerator setups but also provides some benefits to non accelerator setups.
Support for epoll under Linux and kqueue under FreeBSD, which gives Squid the ability to handle many many more concurrent requests with lower CPU overhead. This feature is of particular benefit to very busy caches as the poll() and select() routines do not scale anywhere near as well as epoll and kqueue does under high loads.
SSL assisted hardware encryption making use of OpenSSL functionality within Squid.
Logging enhancements to allow even greater customization of the way Squid logs requests in the access-log or to syslog if required
Authentication enhancements including Negotiate/Kerberos support, extra workarounds for NTLM clients and others using Microsoft Integrated Login.
Additional external_acl parameters to support SSL and even more client side parameters.
ACL changes in conjunction with SSL changes which have been merged, to allow matching based on SSL certificate parameters.
Improvements to Cygwin support for users who wish to run Squid in a Microsoft Windows/Cygwin environment as a system service.
New authentication helpers:
- Digest LDAP helper
- Native Windows basic, NTLM and negotiate helpers
- External acl helpers for session monitoring and native Windows group membership check
HTCP significantly cleaned up and added support for the CLR operation to purge contents from the cache
Support for parsing X-Forwarded-For headers allowing access controls to be based on the real client IP even if behind secondary proxies
Support for proxying of Microsoft Integrated Login (NTLM & Negotiate) connection oriented authentication schemes, enabling access to servers or proxies using such authentication methods.
Support for the Linux TPROXY patch allowing Squid to masquerade using the clients original IP address
urlgroups, tagging URLs for redirection and access controls, and divides the cache allowing different users to get different results for the same URL.
Optional automatic monotoring of cache peers and configured origin servers
SSL client support, allowing both http->https gatewaying and SSL encrypted peers (both origin servers and proxies).
Full ETag/Vary based caching, allowing efficient caching of server driven content negotiation.
Customizable access log format
Selective access logging, and ability to log to more than access log possibly in different formats
New more efficient helper protocol allowing for multiple concurrent lookups to the same helper
Ability to rewrite Location headers (redirects sent by servers)
Major cleanup or CARP. Now plays well with the other peering algorithms as just another non-ICP peering method.

2. Changes to squid.conf

http_port: Now takes a list of options in addition to the port address, specifying the purpose of this http_port. Default is plain Internet proxy as usual. Also there is no longer a default port and you must include a http_port directive in your squid.conf if you want Squid to listen for http requests.
httpd_accel_* for transparent proxy: Now implemented by the "transparent" http_port option
httpd_accel_* for accelerator mode: Now implemented by other options and the http_port accel option. See individual directives below.
httpd_accel_host: Replaced by defaultsite http_port option and cache_peer originserver option.
httpd_accel_port: No longer needed. Server port defined by the cache_peer port.
httpd_accel_uses_host_header: Replaced by vhost http_port option
https_port: Many new options. Reconstructs URLs as https:// by default.
cache_peer: Many new options to support origin servers and SSL encryption
ssl_engine: New directive for hardware assisted SSL encryption
sslproxy_*: New directives defining how to gateway http->https
sslpassword_program: New helper directive to query an external program for SSL key encryption password (if any)
no_cache: Renamed to cache to better reflect the functionaliy. no_cache still accepted.
cache: New name for the old no_cache directive.
cache_vary: New directive to disable caching of Vary:ing responses
broken_vary_encoding: New directive to work around known broken compression modules which hasn't understood the meaning of the ETag HTTP header in relation to Accept-Encoding.
logformat: New directive for defining custom log formats
cache_access_log: Renamed to access_log
access_log: Select what requests to log where any by what format. Support for multiple log files and multiple log formats.
check_hostnames: New option to disable the hostname validity/sanity checks usually performed by Squid, replacing the similar build time configure option in 2.5.
allow_underscore: New option to allow _ in hostnames, replacing the similar build time configure option in 2.5 and earlier.
dns_defnames: Allow for domain searches. Now possible even when using the internal DNS client
redirect_*: Renamed to url_rewrite_* to better reflect the functionality of this helper (rewriting requested URLs)
url_rewrite_concurrency: Activates a new and more efficient helper protocol. Requires changes in the helper.
location_rewrite_*: New helper hook for rewriting Location headers
auth_param basic blankpassword: New option to allow the use of blank passwords.
auth_param basic/digest concurrency: New option enabling a multiplexed helper protocol allowing the same helper to process multiple concurrent requests in an efficient manner. Requires support from the helper. (2.6.STABLE2 and later)
auth_param ntlm max_challenge_reuse / max_challenge_lifetime: No longer supported
auth_param ntlm use_ntlm_negotiate: Directive no longer supported. Use of NTLM negotiate packet is always on.
auth_param ntlm keep_alive: New option to fine-tune the use of HTTP keep-alive in combination with NTLM
auth_param negotiate: New Negotiate authentication scheme, the "next generation" scheme in the family of Microsoft authentication.
external_acl_type: Many new format options %SRCPORT, %MYADDR, %MYPORT, %PATH, %USER_CERT, %ACL, %DATA and a few variants. Helper protocol defaults to the simpler "3.0" protocol, and there is support for a highly efficient protocol via the concurrency= option if supported by the helper.
refresh_pattern: Several new HTTP override/ignore options
read_ahead_gap: New directive to set the response buffer size.
collapsed_forwarding: New directive to enable an alternative optimized forwarding path when there is very many concurrent requests for the same URL.
refresh_stale_hit: New directive similar to collapsed_forwarding and activates an alternative optimized request processing when there is very many concurrent requests for the same recently expired URL.
acl urlgroup: New acl class
acl user_cert: New acl class matching the user SSL certificate (https_port)
acl ca_cert: New acl class matching the CA of the user SSL certificate (https_port)
acl ext_user / ext_user_regex: New acl matching usernames returned by external acl
follow_x_forwarded_for: New option to enable parsing of X-Forwarded-For headers allowing access controls to be based on the real client IP even if behind secondary proxies
http_access2: New http_access type directive but evaluated after url rewrites
htcp_access, htcp_clr_access: Access control on HTCP requests
log_access: New directive to limit what gets logged.
httpd_suppress_version_string: Enable hiding of the Squid version
umask: New directive to specify the minimum umask Squid should run under
error_map: New directive to allow dynamic rewrites of error pages
via: New directive to disable the use of the Via directive
wccp2_*: WCCP2 protocol support
minimum_expiry_time: tune the magic 60 seconds limit of what is considered cachable when the object doesn't have any cache validators. (2.6.STABLE2)
wccp2_rebuild_wait: make Squid delay registering with a WCCP router until store rebuild have finished. Default on. (2.6.STABLE2)
wccp2_weight: Cache server load weigth in the cluster. (2.6.STABLE4)
check_hostnames: Control if Squid should check the sanity of host names before trying to look them up in DNS
allow_underscores: Control if _ is to be considered a valid character in hostnames or not
cache_peer carp-load-factor: Option removed. CARP now uses the weight parameter instead.
cache_peer login=: Controls how Squid forwards login information to peer caches and servers.

3. Known issues

There is a few known issues in this version of Squid which we hope to correct in a later release

Bug #761: Unstable under load when using diskd

4. Known limitations

In addition there is a set of limitations in this version of Squid which we hope to correct later

Bug #1420: 302 responses with an Expires header is always cached
Bug #1059: mime.conf and referenced icons must be within chroot
Bug #692: tcp_outgoing_address using an ident ACL does not work
Bug #581: acl max_user_ip and multiple authentication schemes
Bug #528: miss_access fails on "slow" acl types such as dst.
Bug #513: squid -F is starting server sockets to early
Bug #457: does not handle swap.state corruption properly
Bug #410: unstable if runs out of disk space
Bug #355: diskd may appear slow on low loads
Bug #219: delay_pools stops working on -k reconfigure

5. Other issues

Ipfilter 4.x compile problem on HP Tru64

Running configure --enable-ipf-transparent on an HP Tru64 5.1B system with ipfilter 4.x installed, the following error can occur:
```
      checking if IP-Filter header files are installed... no
      WARNING: Cannot find necessary IP-Filter header files
               Transparent Proxy support WILL NOT be enabled
```
To fix the problem first check if the ip_fil.h, ip_compat.h, ip_nat.h and ipl.h files are present in /usr/include/netinet and copy them from ipfilter source tree if needed. Don't forget to fix files permission and ownership after the copy.
If the error still persist, run configure making it skip the ip_compat.h test:
```
    env ac_cv_header_netinet_ip_compat_h=yes ./configure --enable-ipf-transparent
```
On Sun Solaris 10, ipfilter 4.0.22 is provided with the OS, but related include files (ip_fil.h, ip_compat.h, ip_nat.h, ipl.h) are missing.
Before running configure --enable-ipf-transparent, they must be downloaded from the OpenSolaris Web Site in the /usr/include local directory. Don't forget to fix files permission and ownership after the download.

This Squid version can run on Windows as a system service using the Cygwin emulation environment, or can be compiled in Windows native mode using the MinGW + MSYS development environment. Windows NT 4 SP4 and later are supported.
On Windows 2000 and later the service is configured to use the Windows Service Recovery option restarting automatically after 60 seconds.

Usage

Some new command line options was added for the Windows service support:

The service installation is made with -i command line switch, it's possible to use -f switch at the same time for specify a different config-file settings for the Squid Service that will be stored on the Windows Registry.

A new -n switch specify the Windows Service Name, so multiple Squid instance are allowed. "Squid" is the default when the switch is not used.

So, to install the service, the syntax is:

squid -i [-f file] [-n name]

Service uninstallation is made with -r command line switch with the appropriate -n switch.

The -k switch family must be used with the appropriate -f and -n switches, so the syntax is:

squid -k command [-f file] -n service-name

where service-name is the name specified with -n options at service install time.

To use the Squid original command line, the new -O switch must be used ONCE, the syntax is:

squid -O cmdline [-n service-name]

If multiple service command line options must be specified, use quote. The -n switch is needed only when a non default service name is in use.

Don't use the "Start parameters" in the Windows 2000/XP/2003 Service applet: they are specific to Windows services functionality and Squid is not designed for understand they.

In the following example the command line of the "squidsvc" Squid service is set to "-D -u 3130":

squid -O "-D -u 3130" -n squidsvc

PSAPI.DLL (Process Status Helper) Considerations

The process status helper functions make it easier for you to obtain information about processes and device drivers running on Microsoft� Windows NT�/Windows� 2000. These functions are available in PSAPI.DLL, which is distributed in the Microsoft� Platform Software Development Kit (SDK). The same information is generally available through the performance data in the registry, but it is more difficult to get to it. PSAPI.DLL is freely redistributable.

PSAPI.DLL is available only on Windows NT, 2000, XP and 2003. The implementation in Squid is aware of this, and try to use it only on the right platform.

On Windows NT PSAPI.DLL can be found as component of many applications, if you need it, you can find it on Windows NT Resource KIT. If you have problem, it can be downloaded from here: http://download.microsoft.com/download/platformsdk/Redist/4.0.1371.1/NT4/EN-US/psinst.EXE

On Windows 2000 and later it is available installing the Windows Support Tools, located on the Support\Tools folder of the installation Windows CD-ROM.

Registry DNS lookup: On Windows platforms, if no value is specified in the dns_nameservers option on squid.conf or in the /etc/resolv.conf file, the list of DNS name servers are taken from the Windows registry, both static and dynamic DHCP configurations are supported.

Compatibility Notes

It's recommended to use '/' char in Squid paths instead of '\'
Paths with spaces (like 'C:\Programs Files\Squid) are NOT supported by Squid
When using ACL like 'acl aclname acltype "file"' the file must be in DOS text format (CR+LF) and the full Windows path must be specified, for example:
```
acl blocklist url_regex -i "c:/squid/etc/blocked1.txt"
```
The Windows equivalent of '/dev/null' is 'NUL'
Squid doesn't know how to run external helpers based on scripts, like .bat, .cmd, .vbs, .pl, etc. So in squid.conf the interpreter path must be always specified, for example:
```
redirect_program c:/perl/bin/perl.exe c:/squid/libexec/redir.pl
redirect_program c:/winnt/system32/cmd.exe /C c:/squid/libexec/redir.cmd
```
When Squid runs in command line mode, the launching user account must have administrative privilege on the system
"Start parameters" in the Windows 2000/XP/2003 Service applet cannot be used
Building with MinGW, when the configure option --enable-truncate is used, Squid cannot run on Windows NT, only Windows 2000 and later are supported

Known Limitations:

Squid features not operational:
- DISKD: still needs to be ported
- WCCP: cannot work because user space GRE support on Windows is missing
- Transparent Proxy: missing Windows non commercial interception driver
Some code sections can make blocking calls.
Some external helpers may not work.
File Descriptors number hard-limited to 2048 when building with MinGW.

Building Squid on Windows:

A reasonably recent release of Cygwin or MinGW is needed.
The usage of the Cygwin environment is very similar to other Unix/Linux environments, and -devel version of libraries must be installed.
For the MinGW environment, the packages MSYS, MinGW and msysDTK must be installed. Some additional libraries and tools must be downloaded separately:

OpenSSL: Shining Light Productions Win32 OpenSSL
libcrypt: MinGW packages repository
db-1.85: TinyCOBOL download area
uudecode: Native Win32 ports of some GNU utilities

When running configure, --disable-wccp and --disable-wccpv2 options should always specified to avoid compile errors.

New configure options:
- --enable-win32-service
Updated configure options:
- --enable-arp-acl
- --enable-default-hostsfile
Unsupported configure options:
- --enable-coss-aio-ops: On Windows Posix AIO is not available
- --with-large-files: No suitable build environment is available on both Cygwin and MinGW, but --enable-large-cache-files works fine
Recommended configure minimal options for Windows:
- --prefix=c:/squid --disable-wccp --disable-wccpv2 --enable-win32-service --enable-default-hostsfile=none

Before build Squid with SSL support, some operations are needed (in the following example OpenSSL is installed in C:\OpenSSL and MinGW in C:\MinGW):

Copy C:\OpenSSL\lib\MinGW content to C:\MinGW\lib
Copy C:\OpenSSL\include\openssl content to C:\MinGW\include\openssl
Rename C:\MinGW\lib\ssleay32.a to C:\MinGW\lib\libssleay32.a

Using cache manager on Windows:

On Windows, cache manager (cachemgr.cgi) can be used with Microsoft IIS or Apache.
Some specific configuration could be needed:

IIS 6 (Windows 2003):
- On IIS 6.0 all CGI extensions are denied by default for security reason, so the following configuration is needed:
  - Create a cgi-bin Directory
  - Define the cgi-bin IIS Virtual Directory with read and CGI execute IIS permissions, ASP scripts are not needed. This automatically defines a cgi-bin IIS web application
  - Copy cachemgr.cgi into cgi-bin directory and look to file permissions: the IIS system account and SYSTEM must be able to read and execute the file
  - In IIS manager go to Web Service extensions and add a new Web Service Extension called "Squid Cachemgr", add the cachemgr.cgi file and set the extension status to Allowed

Apache:

On Windows, cachemgr.cgi needs to create a temporary file, so Apache must be instructed to pass the TMP and TEMP Windows environment variables to CGI applications:

ScriptAlias /squid/cgi-bin/ "c:/squid/libexec/"
<Location /squid/cgi-bin/cachemgr.cgi>
    PassEnv TMP TEMP
    Order allow,deny
    Allow from workstation.example.com
</Location>

7. Key changes squid-2.6.STABLE1 to 2.6.STABLE2

Bug #1650: transparent interception "Unable to forward this request at this time"
Bug #1658: Memory corruption when using client-side SSL certificates
Multiple fixes to the experimental COSS cache_dir type
Added the missing concurrency parameter to basic/digest auth schemes
Bug #1669: SEGV in storeAddVaryReadOld
Bug #1670: assertion failure: i->prefix_size > 0 in client_side.c:2509
Bug #1671: transparent interception fails with FreeBSD ipfw or Linux-2.2 ipchains
Bug #1660: Accept-Encoding related memory corruption
Bug #1673: cache digests not served to other caches
Bug #1684: xstrdup: tried to dup a NULL pointer!
Bug #1688: Assertion failure in HttpHeader.c in some header_access configurations
Bug #1696, Bug #1700 and more: WCCP2 fixes
Bug #1677: Duplicate etags in the If-None-Match in cache validations causing lighttpd to fail with error 400
Added ARP acl support for OpenBSD and ARP fixes for Windows
Bug #1681: All ntlmauthenticator processes are busy
new minimum_expiry_time squid.conf directive backported from Squid-3
Bug #1703: Wrong default path to the diskd helper causing hangs at 100% CPU
Bug #1685: Crashes or other odd results after storeSwapMetaUnpack: errors
a number of other minor and cosmetic bugfixes. See the list of squid-2.6.STABLE2 changes and the ChangeLog file for details.

8. Key changes squid-2.6.STABLE2 to 2.6.STABLE3

src/dst acl parsing changed to not attempt to guess a netmask if none was specified. Instead assume it's an IP address and not a network even if it ends in 0
Several memory leaks plugged
Delay pools now work again (broken in 2.6.STABLE1 & 2)
New log_format %ue and %us tags for external acl or ssl user id
COSS fixes and performance improvements
Include acl's is now shown in their original form in cachemgr configuration dumps.
ntlm fake_auth finally handles non-ascii user names
TCP fallback on truncated DNS responses, making the internal DNS client complete.
Downloads could hang when using the cache_dir max-size option
Fixed some assertion failures and segmentation faults
Some small optimizations to reduce CPU usage
a number of other minor and cosmetic bugfixes. See the list of squid-2.6.STABLE3 changes and the ChangeLog file for details.

9. Key changes squid-2.6.STABLE3 to 2.6.STABLE4

New wccp2_weight directive
Numeros COSS fixes and improvements
Support for WCCP2 hash based assignment and weighted assignments
Windows port update
Many small fixes to better detect invalid configurations
Bug #1760: FTP related memory leak
SNMP mib updates for some minor missing details
Bug #1590: Silence those harmless ETag loop warnings
Bug #1740: Squid crashes on certain malformed HTTP responses
Bug #1699: assertion failed: authenticate.c:836: "auth_user_request != NULL"
a number of other minor and cosmetic bugfixes. See the list of squid-2.6.STABLE4 changes and the ChangeLog file for details.

10. Key changes squid-2.6.STABLE4 to 2.6.STABLE5

Bug #1776: 2.6.STABLE4 aufs fails to compile if coss isn't enabled
COSS improvements and cleanups
Bug #1785: Memory leak in handling of negatively cached objects
Bug #1780: Incorrect Vary processing in combination with collapsed_forwarding
Bug #1779: Delay pools fairness when multiple connections compete for bandwidth
Bug #1796: Assertion error HttpHeader.c:914: "str"
All comm loops now use the generic event framework
a number of other minor and cosmetic bugfixes. See the list of squid-2.6.STABLE5 changes and the ChangeLog file for details.

11. Key changes squid-2.6.STABLE5 to 2.6.STABLE6

Bug #1805: assertion failed: StatHist.c:195: "D[i] >= 0"
Add support for the weight= parameter to round-robin peers
Bug #1584: Unable to register with multiple WCCP2 routers
Bug #439: Multicast ICP peering is unstable and considers most peers dead
Bug #1801: NTLM authentication ends up in a loop if the server responds with a retriable error
Bug #1641: assertion failed: stmem.c:149: "size > 0" while processing certain Vary objects
a number of other minor and cosmetic bugfixes. See the list of squid-2.6.STABLE6 changes and the ChangeLog file for details.

12. Key changes squid-2.6.STABLE6 to 2.6.STABLE7

Bug #1857: Segmentation fault on certain types of ftp:// requests
Bug #1848: external_acl crashes with an infinite loop under high load
Bug #1867: squid.pid isn't removed on shutdown
Bug #1792: max_user_ip not working with ntlm_auth
a number of other minor and cosmetic bugfixes. See the list of squid-2.6.STABLE7 changes and the ChangeLog file for details.

13. Key changes squid-2.6.STABLE7 to 2.6.STABLE8

Bug #1872: Date parsing error causing objects to get unexpectedly cached. Problem introduced in 2.6.STABLE6.
Bug #1873: authenticateNTLMFixErrorHeader: state 4. NTLM & Negotiate instability introduced in 2.6.STABLE6.
Primitive support for HTTP/1.1 chunked encoding, working around broken servers sending chunked encoding in response to HTTP/1.0 requests.
Bug #1783: STALE: Entry's timestamp greater than check time. Clock going backwards?
Don't update object timestamps on a failed revalidation.
a number of other minor and cosmetic bugfixes. See the list of squid-2.6.STABLE8 changes and the ChangeLog file for details.

14. Key changes squid-2.6.STABLE8 to 2.6.STABLE9

Bug #1878: If-Modified-Since broken in 2.6.STABLE8
Bug #1877 diskd bug in storeDiskdIOCallback()
See the list of squid-2.6.STABLE9 changes and the ChangeLog file for details.

15. Key changes squid-2.6.STABLE9 to 2.6.STABLE10

Upgrade HTTP/0.9 responses to our HTTP version (HTTP/1.0)
various diskd bugfixes
In the access.log hierarchy field log the unique peer name instead of the host name
logging format for HTTP-request size
Primitive support for HTTP/1.1 chunked encoding, working around broken servers
a number of other minor and cosmetic bugfixes. See the list of squid-2.6.STABLE10 changes and the ChangeLog file for details.

16. Key changes squid-2.6.STABLE10 to 2.6.STABLE11

Bug #1915: assertion failed: client_side.c:4055: "buf != NULL || !conn->body.request"
Handle garbage helper responses better in concurrent protocol format
Fix kqueue when overflowing the changes queue
Make sure the child worker process commits suicide if it could not start up
Don't log short responses at debug level 1
Fix collapsed_forwarding for non-GET requests
See also the list of squid-2.6.STABLE11 changes and the ChangeLog file for details.

17. Key changes squid-2.6.STABLE11 to 2.6.STABLE12

Assertion error on TRACE
See also the list of squid-2.6.STABLE12 changes and the ChangeLog file for details.

18. Key changes squid-2.6.STABLE12 to 2.6.STABLE13

Make sure reply headers gets sent even if there is no body available yet, fixing RealMedia streaming over HTTP issues.
Bug #1814: SSL memory leak on persistent SSL connections
Ukrainan error messages
See also the list of squid-2.6.STABLE13 changes and the ChangeLog file for details.

19. Key changes squid-2.6.STABLE13 to 2.6.STABLE14

Make sure reply headers gets sent even if there is no body available yet, fixing RealMedia streaming over HTTP issues.
Bug #1814: SSL memory leak on persistent SSL connections
Ukrainan error messages
New Kerberos Negotiate / SPNEGO helper
New SQL Database basic auth helper
New Solaris /dev/poll support
New Novell eDirectory Digest auth helper
New cache_dir min-size option
New pop3 basic auth helper
squid.conf.default cleanups
NTLM workaround for some applications not negotiating HTTP/1.0 persistent connetions
See also the list of squid-2.6.STABLE14 changes and the ChangeLog file for details.

20. Key changes squid-2.6.STABLE14 to 2.6.STABLE15

Portability fix for systems requiring select(). Got broken when adding /dev/poll support in 2.6.STABLE14
Bug #2017: Work around broken servers sending just the HTTP headers
squid.conf.default documentation update and reorganisation
access_log syslog syntax cleaned up and documented
Armenian error pages translation
Bug #2057: NTLM stop work in messengers after upgrade to 2.6.STABLE14
Bug #1972: Squid sets peers to down state when they are in fact working.
Bug #2066: chdir after chroot
See also the list of squid-2.6.STABLE15 changes and the ChangeLog file for details.

21. Key changes squid-2.6.STABLE15 to 2.6.STABLE16

Bug #2073: assertion failed: client_side.c:4175: "buf != NULL || !conn->body.request on POST
Test for sys/capability.h linux include file to avoid failing on linux systems missing libcap
More squid.conf reordering to get the dependencies between options sorted proper
See also the list of squid-2.6.STABLE16 changes and the ChangeLog file for details.

22. Key changes squid-2.6.STABLE16 to 2.6.STABLE17

A temporary memory leak fixed on cache updates
New squid_radius_auth RADIUS authentication helper
Documentation cleanups
Code cleanups and portability fixes
Several minor bugfixes
See also the list of squid-2.6.STABLE16 changes and the ChangeLog file for details.

23. Key changes squid-2.6.STABLE17 to 2.6.STABLE18

2 assertion failures related to the fix for SQUID-2007:2
Digest authentication bugfixes, fixing random auth popups and failures when using digest authentication (auth_param digest ..)
License cleanup of edir_digest_auth
Code cleanups and portability fixes
See also the list of squid-2.6.STABLE16 changes and the ChangeLog file for details.