- Sometimes the module does not compile even if the dependencies are installed correctly.
- New directive: `waf_under_attack`, which can be used when the site is under attack.
- New directive: `waf_http_status`, which sets the HTTP status code returned when a request is blocked.
- New built-in variable: `$waf_blocking_log`, whose value is a non-empty string when the request is intercepted.
- Update default rules.
- CC protection sometimes does not work.
- Cookie inspection sometimes does not work.
- Support for detecting SQL injection (powered by libinjection). This feature can be enabled by enabling the mode `LIB-INJECTION`; see the documentation for details.
- URL and Referer whitelist are not working.
- New built-in variable `waf_log`, which is a non-empty string when this module has performed an inspection and an empty string otherwise. It is mainly used in the directive `access_log`.
- New built-in variable `waf_spend`, which records the time (in milliseconds) taken by this module to perform the inspection.
This version contains breaking changes.
- A new mode `CACHE` has been added; enabling this mode caches the results of each inspection to improve performance.
- New configuration `waf_cache` has been added to set cache-related parameters.
- Added directive `waf_cc_deny` to set CC protection related parameters.
- New directive `waf_priority` has been added to set the priority of all checks except for POST checks.
- The Retry-After response header is appended when the CC protection returns a 503 status code.
- The directive `waf_cc_deny_limit` is deprecated and replaced with the new directive `waf_cc_deny`.
- Swaps the default priority of CC protection and IP whitelist inspection.
- Fixed a segmentation fault when the number of worker processes is greater than one.
- Fixed a bug where CC protection statistics were sometimes inaccurate.
This version contains breaking changes.
- Added some parameters to `waf_mode` and `waf_cc_deny_limit` (368db2b).
- Discontinued directive: `waf_mult_mount`. The function of this directive has been merged into the directive `waf_mode`.
- Added some parameters to the directive `waf_mode`.
- Fixed an error in the name of the built-in variable `waf_rule_details`, which was set to `waf_rule_deatails` in a previous version of the code.
- No more superfluous inspections.
- Completely resolved compatibility issues with the `ngx_http_rewrite_module`.
- Correcting the order in which rules take effect (51c7824).
- Fixed a bug in the `config` script that caused dependencies to not be checked correctly (075a27e).
- Use safer string handling functions to avoid buffer overflows when conditions allow (177ae68).
- Corrected the order in which rules take effect (857ec84).
- Fixed a bug that caused module initialization to fail when the rule file was not writable (20acd27).
- Compatible with lower versions of gcc (becbbe0).
`v3.0.3` was skipped because a backward compatibility feature was added during the `v3.0.3` test.
- Add debug log for easy troubleshooting (bac1d02).
- Because of hotfixes performed on `v3.0.1`, all beta versions of `v3.0.2` are voided; please do not use these beta versions.
- Fixed a build error on `Alpine Linux` (e989aa3).
- Fixed a segmentation fault when inspecting cookies (8dc2b56).
- Anti Challenge Collapsar now supports IPv6 (00fbc1c).
- IP black and white lists support IPv6, and can recognize IPv6 strings such as `fe80::/10` (8519b26).
- Deleted some meaningless logs (bd279e7).
- Friendly error alerts (d1185b2 & f2b617d). A warning or error is reported when IP addresses in the rule file are invalid or IP address blocks overlap (does not detect all overlaps).
- Faster IP matching (2b9e774).
- Fixed a bug that caused cookie inspection not to work (87beed1).
- Modified the `config` file to ensure that the latest module code is compiled when executing `make` or `make modules` (25f97f5). Before the fix, if only the files under `inc/` changed, the latest code would not be compiled because the files under `inc/` were not checked for changes.
- Fixed a bug with incorrect IPv4 segment identification (73a22eb). This bug could cause the subnet mask to be generated incorrectly when a rule such as `192.168.0.0/10`, i.e. one whose suffix is not a multiple of 8, appears in the rules.
- Fixed a module startup failure. The error message for this failure is `nginx: [alert] could not open error log file: open() "ngx_waf: /logs/error.log" failed (2: No such file or directory)` (0dfc46f).
- Fixed Anti Challenge Collapsar failing when `waf_mult_mount` is disabled (048fe5c).
- Fixed a compile error caused by an incorrect `#include` (3fa298c).
- Instead of downloading the uthash dependency manually, you can install the system library with `yum install uthash-devel` or `apt-get install uthash-dev` (7cfc94b).
- Fixed a bug that failed to compile under CentOS/RHEL 6 or 7 that was caused by not properly preventing macro redefinitions (28e1c8a & 566ae4a).
- We can compile the module with `--add-dynamic-module`. Thanks for dvershinin's work (ADD-SP#4).
- Removed a default User-Agent rule, `(?i)(?:Sogou web spider)`, as it would block a non-malicious web spider (827d4e5).
- Merged directives (ba92cfd). These directives will be merged: `waf_check_ipv4`, `waf_check_url`, `waf_check_args`, `waf_check_ua`, `waf_check_referer`, `waf_check_cookie`, `waf_check_post`, `waf_check_cookie`, `waf_cc_deny`. The merged new directive is `waf_mode`; see README.
- The blank lines in the rules can now be read correctly (955cf2d).
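
The IPv4 subnet-mask fix (73a22eb) and the overlapping-block warning (d1185b2 & f2b617d) listed above both come down to handling CIDR prefixes that are not a multiple of 8. The following is an added example, not ngx_waf's own code, and all type and function names in it are hypothetical; it builds the mask for any prefix from 0 to 32, normalizes a rule such as `192.168.0.0/10` to its network address, and tests two blocks for overlap.

```c
/* Added example; helper names are hypothetical, not ngx_waf's code. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct { uint32_t net, mask; } cidr4_t;   /* host byte order */

/* Any prefix 0..32; /0 is special-cased since a 32-bit shift by 32 is undefined. */
static uint32_t prefix_to_mask(unsigned prefix) {
    return prefix == 0 ? 0u : (uint32_t)(0xFFFFFFFFu << (32 - prefix));
}

/* Parse "a.b.c.d" or "a.b.c.d/len"; returns 0 on success, -1 on bad input. */
static int parse_cidr4(const char *s, cidr4_t *out) {
    char addr[INET_ADDRSTRLEN], *end;
    unsigned long prefix = 32;
    const char *slash = strchr(s, '/');
    size_t n = slash ? (size_t)(slash - s) : strlen(s);
    struct in_addr a;
    if (n == 0 || n >= sizeof addr) return -1;
    memcpy(addr, s, n);
    addr[n] = '\0';
    if (slash) {
        if (slash[1] < '0' || slash[1] > '9') return -1;  /* no sign or space */
        prefix = strtoul(slash + 1, &end, 10);
        if (*end != '\0' || prefix > 32) return -1;
    }
    if (inet_pton(AF_INET, addr, &a) != 1) return -1;
    out->mask = prefix_to_mask((unsigned)prefix);
    out->net = ntohl(a.s_addr) & out->mask;   /* drop stray host bits */
    return 0;
}

static int cidr4_contains(const cidr4_t *c, const char *ip) {
    struct in_addr a;
    return inet_pton(AF_INET, ip, &a) == 1 && (ntohl(a.s_addr) & c->mask) == c->net;
}

/* Two blocks overlap iff their networks agree under the shorter mask. */
static int cidr4_overlap(const cidr4_t *x, const cidr4_t *y) {
    uint32_t m = x->mask & y->mask;
    return (x->net & m) == (y->net & m);
}

int main(void) {
    cidr4_t c;   /* rule taken from the changelog entry; exit status 0 on a match */
    return !(parse_cidr4("192.168.0.0/10", &c) == 0 && cidr4_contains(&c, "192.191.255.255"));
}
```

With the `/10` rule the mask is `255.192.0.0` and the network is `192.128.0.0`, so `192.191.255.255` matches and `192.192.0.0` does not.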