# Change Log
# [5.4.2] - 2021-06-15 UTC+0800
- When POST inspection is enabled, POST requests are not logged in the access log.
# [5.4.1] - 2021-06-09 UTC+0800
- The value of built-in variables may be wrong when the directive
# [5.4.0] - 2021-06-03 UTC+0800
The clone link for libinjection has been replaced in this release. The new link is https://github.com/libinjection/libinjection.git.
- Anti XSS (powered by libinjection).
- Add debug log related to built-in variable calculation.
- POST inspection is not working.
# [5.3.2] - 2021-05-28 UTC+0800
- Memory corruption.
# [5.3.1] - 2021-05-26 GMT+0800
- Sometimes the module does not compile even if the dependencies are installed correctly.
# [5.3.0] - 2021-05-16 GMT+0800
waf_under_attack, which can be used when the site is under attack.
waf_http_status, which sets the HTTP status code returned when a request is blocked.
New built-in variable: $waf_blocking_log, whose value is not an empty string when the request is blocked.
- Update default rules.
CC protection sometimes does not work.
Cookie inspection sometimes does not work.
# [5.1.2] - 2021-04-30 GMT+0800
- Support for detecting SQL injection (powered by libinjection). This feature can be enabled by enabling the mode LIB-INJECTION, see the documentation for details.
# [5.1.1] - 2021-04-23 GMT+0800
- URL and Referer whitelist are not working.
# [5.1.0] - 2021-04-20 GMT+0800
New built-in variable waf_log, which is not an empty string when this module has performed an inspection, but an empty string otherwise, mainly used in the directive
New built-in variable waf_spend, which records the time (in milliseconds) taken by this module to perform the inspection.
# [5.0.0] - 2021-04-07 GMT+0800
This version contains breaking changes.
A new mode CACHE has been added; enabling this mode will cache the results of each inspection to improve performance.
waf_cache has been added to set parameters related to cache.
waf_cc_deny to set CC protection related parameters.
waf_priority has been added to set the priority of all checks except for POST checks.
The Retry-After response header is appended when the CC protection returns a 503 status code.
- The directive waf_cc_deny_limit is deprecated and replaced with the new directive
- Swaps the default priority of CC protection and IP whitelist inspection.
Fixed a segmentation fault when the number of worker processes is greater than one.
Fixed a bug where CC protection statistics were sometimes inaccurate.
# [4.0.0] - 2021-03-22 GMT+0800
This version contains breaking changes.
- Added some parameters to waf_cc_deny_limit (368db2b).
- Dropped directive: waf_mult_mount. The function of this directive has been merged into the directive
- Adds some parameters to the directive
Fixed an error in the name of the built-in variable waf_rule_details, which was set to waf_rule_deatails in a previous version of the code.
No more superfluous inspections.
Completely resolve compatibility issues with the
# [3.1.6] - 2021-03-07
- Correcting the order in which rules take effect (51c7824).
# [3.1.5] - 2021-03-03
- Fixed a bug in the config script that caused dependencies to not be checked correctly (075a27e).
# [3.1.4] - 2021-03-02
- Use safer string handling functions to avoid buffer overflows when conditions allow (177ae68).
# [3.1.3] - 2021-02-23
- Corrected the order in which rules take effect (857ec84).
# [3.1.2] - 2021-01-18
- Fixed a bug that caused module initialization to fail when the rule file was not writable (20acd27).
# [3.1.1] - 2021-01-18
- Compatible with lower versions of gcc (becbbe0).
# [3.1.0] - 2021-01-17
v3.0.3 was skipped because a backward compatibility feature was added during the
- Add debug log for easy troubleshooting (bac1d02).
Fixed a segmentation fault (57d7719).
More accurate visit frequency statistics (53d3b14).
# [3.0.2] - 2021-01-10
- Because of hotfixes performed on v3.0.1, all beta versions of v3.0.2 are voided; please do not use these beta versions.
- Fixed a build error on Alpine Linux (e989aa3).
# [3.0.1] - 2020-12-28
- Fixed a segmentation fault when inspecting cookies (8dc2b56).
# [3.0.0] - 2020-12-25
Anti Challenge Collapsar now supports IPv6 (00fbc1c).
IP black and white lists support IPv6, and can recognize IPv6 strings such as fe80::/10 (8519b26).
Delete some meaningless logs (bd279e7).
Friendly error alerts (d1185b2 & f2b617d). Warnings or errors are reported when IP addresses in the rule file are invalid or IP address blocks overlap (does not detect all overlaps).
Faster IP matching (2b9e774).
Fixed a bug that caused cookie inspection to not work (87beed1).
config file to ensure that the latest module code is compiled when executing make modules (25f97f5). Before the fix, if only the files under inc/ changed, the latest code would not be compiled because the files under inc/ were not checked for changes.
Fixed a bug with incorrect IPv4 segment identification (73a22eb). This bug could cause the subnet mask to be generated incorrectly when a rule such as 192.168.0.0/10, i.e. one whose suffix is not a multiple of 8, appears in the rules.
# [2.1.1] - 2020-12-10
- Fixed a module startup failure error. The error message for this error is nginx: [alert] could not open error log file: open() "ngx_waf: /logs/error.log" failed (2: No such file or directory) (0dfc46f).
# [2.1.0] - 2020-12-09
- Compatible with the mainline version of NGINX (f31f906 & 65277d1).
# [2.0.2] - 2020-12-07
Fix for Anti Challenge Collapsar failing when waf_mult_mount is disabled (048fe5c).
Fixed compile error caused by incorrect #include (3fa298c).
# [2.0.1] - 2020-12-03
- Instead of downloading the uthash dependency manually, you can install the system library with yum install uthash-devel or apt-get install uthash-dev (7cfc94b).
- Fixed a bug that failed to compile under CentOS/RHEL 6 or 7 that was caused by not properly preventing macro redefinitions (28e1c8a & 566ae4a).
# [2.0.0] - 2020-09-29
- We can compile the module with --add-dynamic-module. Thanks to dvershinin for the work (https://github.com/ADD-SP/ngx_waf/pull/4).
Remove a default User-Agent rule that is (?i)(?:Sogou web spider), as it blocks a non-malicious web spider (827d4e5).
Merge directives (ba92cfd). These directives will be merged: waf_cc_deny. The merged new directive is waf_mode, see README.
- The blank lines in the rules can now be read correctly (955cf2d).