# Change Log

# [Unreleased]

# Added

# Removed

# Changed

# Fixed


# [5.4.2] - 2021-06-15 UTC+0800

# Fixed

  • When POST inspection is enabled, POST requests are not logged in the access log.

# [5.4.1] - 2021-06-09 UTC+0800

# Fixed

  • The value of built-in variables may be wrong when the directive error_page is used.

# [5.4.0] - 2021-06-03 UTC+0800

# NOTE

The clone link for libinjection has been replaced in this release. The new link is https://github.com/libinjection/libinjection.git (opens new window).

# Added

# Changed

  • Add debug log related to built-in variable calculation.

# Fixed

  • POST inspection is not working.

# [5.3.2] - 2021-05-28 UTC+0800

# Fixed

  • Memory corruption.

# [5.3.1] - 2021-05-26 GMT+0800

# Fixed

  • Sometimes the module does not compile even if the dependencies are installed correctly.

# [5.3.0] - 2021-05-16 GMT+0800

# Added

  • New directive: waf_under_attack, which can be used when the site is under attack.

  • New directive: waf_http_status, which sets the HTTP status code returned when a request is blocked.

  • New built-in variable: $waf_blocking_log, not an empty string when the request is blocked for its value.

# Changed

  • Update default rules.

# Fixed

  • CC protection sometimes not work.

  • Cookie inspection sometimes not work.


# [5.1.2] - 2021-04-30 GMT+0800

# Added

  • Support for detecting SQL injection (powered by libinjection (opens new window)). This feature can be enabled by enabling the mode LIB-INJECTION, see the documentation for details.

# [5.1.1] - 2021-04-23 GMT+0800

# Fixed

  • URL and Referer whitelist are not working.

# [5.1.0] - 2021-04-20 GMT+0800

# Added

  • New built-in variable waf_log, which is not an empty string when this module has performed a inspection, but an empty string otherwise, mainly used in the directive access_log.

  • New built-in variable waf_spend, which records the time (in milliseconds) taken by this module to perform the inspection.


# [5.0.0] - 2021-04-07 GMT+0800

# WARNING

This version contains breaking changes.

# Added

  • A new mode CACHE has been added, enabling this mode will cache the results of each inspection to improve performance.

  • New configuration waf_cache has been added to set parameters related to cache.

  • Added directive waf_cc_deny to set CC protection related parameters.

  • New directive waf_priority has been added to set the priority of all checks except for POST checks.

  • The Retry-Afte (opens new window) response header is appended when the CC protection returns a 503 status code.

# Removed

  • The directive waf_cc_deny_limit is deprecated and replaced with the new directive waf_cc_deny.

# Changed

  • Swaps the default priority of CC protection and IP whitelist inspection.

# Fixed

  • Fixed a segmentation fault when the number of worker processes is greater than one.

  • Fixed a bug where CC protection statistics were sometimes inaccurate.


# [4.0.0] - 2021-03-22 GMT+0800

# WARNING

This version contains breaking changes.

# Added

# Removed

  • Abort directive: waf_mult_mount. The function of this directive has been merged into the directive waf_mode.

# Changed

  • Adds some parameters to the directive waf_mode.

# Fixed

  • Fixed an error in the name of the built-in variable waf_rule_details, which was set to waf_rule_deatails in a previous version of the code.

  • No more superfluous inspections.

  • Completely resolve compatibility issues with the ngx_http_rewrite_module.


# [3.1.6] - 2021-03-07

# Fixed

# [3.1.5] - 2021-03-03

# Fixed


# [3.1.4] - 2021-03-02

# Changed


# [3.1.3] - 2021-02-23

# Fixed


# [3.1.2] - 2021-01-18

# Fixed


# [3.1.1] - 2021-01-18

# Fixed


# [3.1.0] - 2021-01-17

# Note

  • v3.0.3 was skipped because a backward compatibility feature was added during the v3.0.3 test.

# Added

# Fixed


# [3.0.2] - 2021-01-10

# Note

  • Because of hotfixes performed on v3.0.1, all beta versions of v3.0.2 are voided, please do not use these beta versions.

# Fixed


# [3.0.1] - 2020-12-28

# Fixed


# [3.0.0] - 2020-12-25

# Added

# Changed

# Fixed

  • Fixed a bug that caused the cookie inspection not work (87beed1 (opens new window)).

  • Modify the config file to ensure that the latest module code is compiled when executing make or make modules (25f97f5 (opens new window)). Before the fix, if only the files under inc/ changed, the latest code would not be compiled because the files under inc/ were not checked for changes.

  • Fixed a bug with incorrect IPV4 segment identification (73a22eb (opens new window)). This bug could cause the subnet mask not to be generated correctly when a rule like 192.168.0.0/10, i.e. the suffix is not a multiple of 8, appears in the rule.


# [2.1.1] - 2020-12.10

# Added

# Changed

# Fixed

  • Fixed a module startup failure error. The error message for this error is nginx: [alert] could not open error log file: open() "ngx_waf: /logs/error.log" failed (2: No such file or directory) (0dfc46f (opens new window)).

# [2.1.0] - 2020-12-09

# Added

# Changed

# Fixed


# [2.0.2] - 2020-12-07

# Added

# Changed

# Fixed


# [2.0.1] - 2020-12-03

# Added

# Changed

  • Instead of downloading the uthash dependency manually, you can install the system library with yum install uthash-devel or apt-get install uthash-dev (7cfc94b (opens new window)).

# Fixed


# [2.0.0] - 2020-09-29

# Added

# Changed

  • Remove a default User-Agent rule that is (?i)(? :Sogou web spider), as it will block non-malicious web spider(827d4e5 (opens new window)).

  • Merge directives (ba92cfd (opens new window)). These directives will be merged: waf_check_ipv4, waf_check_url, waf_check_args, waf_check_ua, waf_check_referer, waf_check_cookie, waf_check_post, waf_check_cookie, waf_cc_deny. The merged new directive is waf_mode, see README.

# Fixed