From 5655af6e131f8d4886ec900cd754f903419c0f93 Mon Sep 17 00:00:00 2001 From: ADD-SP Date: Tue, 15 Jun 2021 16:15:39 +0800 Subject: [PATCH] :memo: Update docs. --- CHANGES-ZH-CN.md | 481 +--------------------------------- CHANGES.md | 352 +------------------------ docs/advance/changes.md | 6 + docs/advance/issue.md | 12 +- docs/zh-cn/advance/changes.md | 6 + docs/zh-cn/advance/issue.md | 12 +- 6 files changed, 16 insertions(+), 853 deletions(-) diff --git a/CHANGES-ZH-CN.md b/CHANGES-ZH-CN.md index c9502fb9..a0e597b1 100644 --- a/CHANGES-ZH-CN.md +++ b/CHANGES-ZH-CN.md 
@@ -1,480 +1 @@ -# 更新日志 - -## [未发布] - -### 新增 - -### 移除 - -### 变动 - -### 修复 - -* 如果启用了 POST 检测,则访问日志(access_log)中不会记录 POST 请求,即丢失所有的 POST 请求的日志。 - -*** - - -## [5.4.1] - 2021-06-09 UTC+0800 - -### 修复 - -* 当使用了 `error_page` 配置时,内置变量的值可能会出错。 - -*** - -## [5.4.0] - 2021-06-03 UTC+0800 - -### **注意** - -**本次更新更换了 libinjection 的 clone 链接,新的链接为 [https://github.com/libinjection/libinjection.git](https://github.com/libinjection/libinjection.git)。** - -### 新增 - -* XSS 攻击防御(Powered By [libinjection](https://github.com/libinjection/libinjection))。 - -### 变动 - -* 增加内置变量计算相关的调试日志。 - -### 修复 - -* POST 检测失效。 - -*** - -## [5.3.2] - 2021-05-28 UTC+0800 - -### 修复 - -* 内存损坏。 - -*** - -## [5.3.1] - 2021-05-26 GMT+0800 - -### 修复 - -* 有时即使正确安装了依赖也不能编译模块。 - - -*** - -## [5.3.0] - 2021-05-16 GMT+0800 - -### 新增 - -* 新的配置:`waf_under_attack`,当网站受到攻击时可以使用。 - -* 新的配置:`waf_http_status`,用于设置请求被拦截后返回的 HTTP 状态码。 - -* 新的内置变量:`$waf_blocking_log`,当请求被拦截其值时不为空字符串。 - -### 变动 - -* 更新了默认规则。 - -### 修复 - -* CC 防护有时会失效。 - -* Cookie 防护有时会失效。 - - -*** - -## [5.1.2] - 2021-04-30 GMT+0800 - -### 新增 - -* 支持检测 SQL 注入(Powered By [libinjection](https://github.com/libinjection/libinjection))。你可以通过启用 `LIB-INJECTION` 模式开启该功能,详见使用文档。 - -*** - -## [5.1.1] - 2021-04-23 GMT+0800 - -### 修复 - -* URL 和 Referer 白名单规则失效。 - -*** - -## [5.1.0] - 2021-04-20 GMT+0800 - -### 新增 - -* 新的内置变量 `waf_log`,当本模块进行了检查时不为空字符串,反之则为空字符串,主要用于 `access_log` 指令。 - -* 新的内置变量 `waf_spend`,记录本模块执行检查花费的时间(毫秒)。 - -*** - - -## [5.0.0] - 2021-04-07 GMT+0800 - -### **警告** - -**此版本包含不兼容的更新(breaking changes)。** - -### 新增 - -* 新增了模式 `CACHE`,启用此模式后会缓存每次检查的结果,提高性能。 - -* 新增了配置 `waf_cache` 用于设置缓存相关的参数。 - -* 新增了配置 `waf_cc_deny`,用于设置 CC 防护相关的参数。 - -* 新增了配置 `waf_priority`,用来设置除了 POST 检查以外所有的检查项目的优先级。 - -* 当 CC 防护返回 503 状态码时会附上 [Retry-After](https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/Retry-After) 响应头。 - -### 移除 - -* 废弃了配置 `waf_cc_deny_limit`,使用新的配置 `waf_cc_deny` 替代。 - -### 变动 - -* 互换了 CC 防护和 IP 白名单检查的默认优先级。 - -### 修复 - -* 修复了当 worker 进程数量大于一时的段错误。 - -* 
修复了 CC 防护统计有时不准的错误。 - -*** - -## [4.0.0] - 2021-03-22 GMT+0800 - -### **警告** - -**此版本包含不兼容的更新(breaking changes)。** - -### 新增 - -* 为 `waf_mode` 和 `waf_cc_deny_limit` 增加了一些参数([368db2b](https://github.com/ADD-SP/ngx_waf/commit/368db2b26e9d2a910c06e77f892740cefe9556d3))。 - -### 移除 - -* 废弃配置项 `waf_mult_mount`,该配置的功能已经合并到了配置项 `waf_mode` 中。 - -### 变动 - -* 给 `waf_mode` 增加了一些参数。 - -### 修复 - -* 更正了内置变量 `waf_rule_details` 的名称错误,该变量的名称在之前的版本代码中被设置为 `waf_rule_deatails`。 - -* 不再进行冗余的检测。 - -* 彻底解决了与 `ngx_http_rewrite_module` 的兼容性问题。 - -*** - -## [3.1.6] - 2021-03-07 - -### 修复 - -* 更正规则的生效顺序([51c7824](https://github.com/ADD-SP/ngx_waf/commit/51c7824786c060f4b0dcffe77a4a1e04b775e04b))。 - -*** - -## [3.1.5] - 2021-03-03 - -### 修复 - -* 修复了 `config` 脚本的一个错误,这个错误会导致不能正确地检查依赖项([075a27e](https://github.com/ADD-SP/ngx_waf/commit/075a27e4f7aaf7e78c45eac0c78c9634863be476#diff-b79606fb3afea5bd1609ed40b622142f1c98125abcfe89a76a661b0e8e343910))。 - -*** - -## [3.1.4] - 2021-03-02 - -### 改动 - -* 条件允许的情况下使用更安全的字符串处理函数以避免缓冲区溢出([177ae68](https://github.com/ADD-SP/ngx_waf/commit/177ae68cb019f47096e6065ec34aa0ef9be07567))。 - -*** - -## [3.1.3] - 2021-02-23 - -### 修复 - -* 改正规则的生效顺序([857ec84](https://github.com/ADD-SP/ngx_waf/commit/857ec84c6519d88d1c1a5560a244dceffd413f3f))。 - -*** - -## [3.1.2] - 2021-02-17 - -### 修复 - -* 修复了一个 bug,这个 bug 会导致当规则文件不具有可写权限时初始化失败([20acd27](https://github.com/ADD-SP/ngx_waf/commit/20acd27815d1f266d89c1557e93848c96117b8ff))。 - -*** - -## [3.1.1] - 2021-01-18 - -### 修复 - -* 兼容较低版本的 GCC([becbbe0](https://github.com/ADD-SP/ngx_waf/commit/becbbe022b9f6efa606e720d7cbcd6c5d6f22c33))。 - -*** - -## [3.1.0] - 2021-01-17 - -### 注意 - -* 因为在 `v3.0.3` 测试过程中新增了向下兼容的功能,所以 `v3.0.3` 被跳过。 - -### 新增 - -* 增加调试日志便于排障([bac1d02](https://github.com/ADD-SP/ngx_waf/commit/bac1d026e9e902d9a49881e899cba4965f3388a4))。 - -### 修复 - -* 修复了一个段错误([57d7719](https://github.com/ADD-SP/ngx_waf/commit/57d7719654caddc40ee655c797f0984f42c25495))。 - -* 
更精确的访问频次统计([53d3b14](https://github.com/ADD-SP/ngx_waf/commit/53d3b149a524252dbb9b8170e31f4b1f4895a6b7))。 - -*** - -## [3.0.2] - 2021-01-10 - -### 注意 - -* 因为在 `v3.0.1`上有热修复,所以 `v3.0.2` 的一切测试版本作废,请不要使用这些测试版。 - -### 修复 - -* 修复一个了在 `Alpine Linux` 下的编译错误([e989aa3](https://github.com/ADD-SP/ngx_waf/commit/e989aa34370da73f03627601188ca33844372c4f))。 - -*** - -## [3.0.1] - 2020-12-28 - -### 修复 - -* 修复了一个在检查 Cookie 时的段错误([8dc2b56](https://github.com/ADD-SP/ngx_waf/commit/8dc2b56e9a8ae7c22cc5309ac0a060b0358f545b))。 - -*** - -## [3.0.0] - 2020-12-25 - -### 新增 - -* CC 防御现在也支持了 IPV6([00fbc1c](https://github.com/ADD-SP/ngx_waf/commit/00fbc1c20ec964f6cd3bb992d756737e95b6c7ed))。 - -* IP 黑白名单支持了 IPV6。可以识别形如 `fe80::/10` 的 IPV6 字符串([8519b26](https://github.com/ADD-SP/ngx_waf/commit/8519b26f5fb9491ac60ae084247a0957c0931d0c))。 - -### 改动 - -* 删除了一些无用的日志([bd279e7](https://github.com/ADD-SP/ngx_waf/commit/bd279e7be872621fa75337722a9fae30b2ea6812))。 - -* 友好的错误提示([d1185b2](https://github.com/ADD-SP/ngx_waf/commit/d1185b26a413e45dcf5ef479b0078aa57a4b5962) & [f2b617d](https://github.com/ADD-SP/ngx_waf/commit/f2b617d5174eb1bc6982113415ddcb1f798ef703))。当规则文件中 IP 地址无效或者 IP 地址块重叠的时候警告或者报错(并不能检测所有的重叠情况)。 - -* 更快的 IP 地址检查速度([2b9e774](https://github.com/ADD-SP/ngx_waf/commit/2b9e77404826666df301c3d6b3ce07a6968de266))。改用前缀树检查 IP,现在在常数时间内即可完成 IP 的匹配,之前是一个一个地匹配,是线性时间。 - -### 修复 - -* 修复了 Cookie 检查的失效的 bug([87beed1](https://github.com/ADD-SP/ngx_waf/commit/87beed183e404c70411a2d35ea68ebbccccf5ff6))。 - -* 修改 `config` 文件以确保执行 `make` 或 `make modules` 时最新的模块代码能够被编译([25f97f5](https://github.com/ADD-SP/ngx_waf/commit/25f97f5e7f3792b131ab0ebb1bfe4b7fe5e330ae))。在修复之前,如果仅仅 `inc/` 下的文件发生变化,编译时不会将最新的代码编译进去,因为没有检查 `inc/` 下的文件是否发生变化。 - -* 修复了 IPV4 网段识别错误的 bug([73a22eb](https://github.com/ADD-SP/ngx_waf/commit/73a22eb3538a24e9714bf8331946a5654df20cc1))。这个 bug 可能会导致当规则中出现类似 `192.168.0.0/10`,即后缀不是 8 的倍数的时候无法正确生成子网掩码。 - -*** - -## [2.1.1] - 2020-12-10 - -### 新增 - -### 改动 - -### 修复 - -* 修复了模块启动失败的 bug。此 bug 的报错信息为 
`nginx: [alert] could not open error log file: open() "ngx_waf: /logs/error.log" failed (2: No such file or directory)`([0dfc46f](https://github.com/ADD-SP/ngx_waf/commit/0dfc46f2dfc7ed91977b501c868abf961966d4e1))。 - -*** - -## [2.1.0] - 2020-12-09 - -### 新增 - -* 兼容了 Mainline 版本的 nginx([f31f906](https://github.com/ADD-SP/ngx_waf/commit/f31f906b11fb00f54bfea504ca7c8c147a0be1d8) & [65277d1](https://github.com/ADD-SP/ngx_waf/commit/7b4f897a4a332b43bf94de874f8ba8c3098aaee4))。 - -### 改动 - -### 修复 - -## [2.0.2] - 2020-12-07 - -### 新增 - -### 改动 - -### 修复 - -* 修复了一个 CC 防御失效的 bug。此 bug 会导致当 `waf_mult_mount` 未启用时,CC 防御会失效([048fe5c](https://github.com/ADD-SP/ngx_waf/commit/048fe5c15863d9a3106387225774305aa5564726))。 - -* 修复了一个因错误的 `#include` 指令而导致编译失败的 bug([3fa298c](https://github.com/ADD-SP/ngx_waf/commit/3fa298c6184618ea0cd6336783a4d7a2ed27469c))。 - -*** - -## [2.0.1] - 2020-12-03 - -### 新增 - -### 改动 - -* 不再手动下载 uthash 依赖,改用 system library。可以使用 `yum install uthash-devel` 或 `apt-get install uthash-dev` 安装 system library([7cfc94b](https://github.com/ADD-SP/ngx_waf/commit/7cfc94bc64fa4f2c29bdf3b24e21aeb1ba412054))。 - -### 修复 - -* 修复了因为宏的重定义导致的在 CentOS/RHEL 6 or 7 下编译失败的错误([28e1c8a](https://github.com/ADD-SP/ngx_waf/commit/28e1c8aca03375089c75df21c5db3c38013edde7) & [566ae4a](https://github.com/ADD-SP/ngx_waf/commit/566ae4a50f855674b256db84305a24e1b2a6bc6d))。 - -*** - -## [2.0.0] - 2020-09-29 - -### 新增 - -* 支持以动态模块安装到 nginx 上,感谢 [dvershinin](https://github.com/dvershinin)的 PR(https://github.com/ADD-SP/ngx_waf/pull/4)。 - -### 改动 - -* 配置指令合并 ([ba92cfd](https://github.com/ADD-SP/ngx_waf/commit/ba92cfd53ce78da8ff4ed22d2bc71a47de4cbe25))。这些配置指令将被合并:`waf_check_ipv4`,`waf_check_url`,`waf_check_args`,`waf_check_ua`,`waf_check_referer`,`waf_check_cookie`,`waf_check_post`,`waf_check_cookie`,`waf_cc_deny`。合并后的新指令为`waf_mode`,详情见[README](README-ZH.md)。 - -### 修复 - -* 删除一个默认的 User-Agent 规则,规则内容为`(?i)(?:Sogou web 
spider)`,原因是会拦截非恶意的网络爬虫([827d4e5](https://github.com/ADD-SP/ngx_waf/commit/827d4e5bc48894ff9147e49799d3a9656fe7dd8a))。 -* 现在可以正确处理规则文件中的空行了([955cf2d](https://github.com/ADD-SP/ngx_waf/commit/955cf2d240c4d66f815890e3ee9b88ccf906cf1d))。 - -*** - -## [1.0.1] - 2020-08-22 - -### 新增 - -* 增加了新的配置项([3214fc8](https://github.com/ADD-SP/ngx_waf/commit/3214fc88d565ed47daa4bdac4f0edb7d1785ed75)) - * waf_check_ipv4: - * 配置语法: `waf_check_ipv4 [ on | off ];` - * 默认值:`on` - * 配置段: server - * 作用:是否启用 IPV4 检查。 - * waf_check_url: - * 配置语法: `waf_check_url [ on | off ];` - * 默认值:`on` - * 配置段: server - * 作用:是否启用 URL 检查。 - * waf_check_args: - * 配置语法: `waf_check_args [ on | off ];` - * 默认值:`on` - * 配置段: server - * 作用:是否启用 Args 检查。 - * waf_check_ua: - * 配置语法: `waf_check_ua [ on | off ];` - * 默认值:`on` - * 配置段: server - * 作用:是否启用 User-Agent 检查。 - * waf_check_referer: - * 配置语法: `waf_check_referer [ on | off ];` - * 默认值:`on` - * 配置段: server - * 作用:是否启用 Referer 检查。 - * waf_check_cookie: - * 配置语法: `waf_check_cookie [ on | off ];` - * 默认值:`on` - * 配置段: server - * 作用:是否启用 Cookie 检查。 - * waf_check_post: - * 配置语法: `waf_check_post [ on | off ];` - * 默认值:`off` - * 配置段: server - * 作用:是否启用 POST 检查。 - * waf_cc_deny: - * 配置语法: `waf_cc_deny [ on | off ];` - * 默认值:`off` - * 配置段: server - * 作用:是否启用 CC 防御。 - -### 改动 - -* `waf_mult_mount`现在只允许写在`server`段中([3214fc8](https://github.com/ADD-SP/ngx_waf/commit/3214fc88d565ed47daa4bdac4f0edb7d1785ed75))。 - * waf_mult_mount: - * 配置语法: `waf_mult_mount [ on | off ];` - * 默认值:`off` - * 配置段: server - * 作用:进行多阶段检查,当`nginx.conf`存在地址重写的情况下(如`rewrite`配置)建议启用,反之建议关闭。 -* 更改现有的配置项关键字,删除了`ngx_`前缀([8b3e416](https://github.com/ADD-SP/ngx_waf/commit/8b3e416cdfdc7e073a3392fc9ec027a4138af453))。 - * waf: - * 配置语法: `waf [ on | off ];` - * 默认值:`off` - * 配置段: server - * 作用:是否启用本模块。 - * waf_rule_path: - * 配置语法: `waf_rule_path dir;` - * 默认值:无 - * 配置段: server - * 作用:规则文件所在目录,且必须以`/`结尾。 - * waf_mult_mount: - * 配置语法: `waf_mult_mount [ on | off ];` - * 默认值:`off` - * 配置段: http - * 
作用:进行多阶段检查,当`nginx.conf`存在地址重写的情况下(如`rewrite`配置)建议启用,反之建议关闭。 -* 更新 referer 的默认规则,具体一点就是拷贝`rules/url`的内容到`rules/referer`中([55f5e26](https://github.com/ADD-SP/ngx_waf/commit/55f5e26b6135af382b1db88057f5143631848ae7))。 - -### 修复 - -* 修复 CC 防御功能检测逻辑的错误,该错误会导致实际的频率限制要远小于用户指定的限制,容易将正常访问识别为 CC 攻击([9cb51bb](https://github.com/ADD-SP/ngx_waf/commit/9cb51bba0cdf10c2fd1ac0a482d7435dcfdee93d))([171721c](https://github.com/ADD-SP/ngx_waf/commit/171721cee861022e9f3db5fceeb16051b90a5e54))。 -* 现在会检查 rules/ipv4 和 rules/white-ipv4 这两个文件中的 IPV4 地址或地址块是否合法([fc09f04](https://github.com/ADD-SP/ngx_waf/commit/fc09f045d1e9ac774a919181a15c20a6c777a276))([2e7f624](https://github.com/ADD-SP/ngx_waf/commit/2e7f624581d8d85a23d6470acced9acc3e2840b2))。 - -*** - -## [1.0.0] - 2020-08-18 - -### 新增 - -* 改进日志格式([bd112ec](https://github.com/ADD-SP/ngx_waf/commit/bd112ecacd9356ee1e0731634cfc197034d25c88))。基本格式为`xxxxx, ngx_waf: [拦截类型][对应规则], xxxxx`,具体可看下面的例子。 - ``` - 2020/01/20 22:56:30 [alert] 24289#0: *30 ngx_waf: [BLACK-URL][(?i)(?:/\.env$)], client: 192.168.1.1, server: example.com, request: "GET /v1/.env HTTP/1.1", host: "example.com", referrer: "http:/example.com/v1/.env" - - 2020/01/20 22:58:40 [alert] 24678#0: *11 ngx_waf: [BLACK-POST][(?i)(?:select.*(?:from|limit))], client: 192.168.1.1, server: example.com, request: "POST /xmlrpc.php HTTP/1.1", host: "example.com", referrer: "https://example.com/" - ``` -* 新增三个内置变量([92d6d84](https://github.com/ADD-SP/ngx_waf/commit/92d6d847840ada57bbc54ffe2c0980b118a37a30)) - * `$waf_blocked`: 本次请求是否被本模块拦截,如果拦截了则其的值为`'true'`,反之则为`'false'`。 - * `$waf_rule_type`:如果本次请求被本模块拦截,则其值为触发的规则类型。下面是可能的取值。若没有生效则其值为`'null'`。 - * `'BLACK-IPV4'` - * `'BLACK-URL'` - * `'BLACK-ARGS'` - * `'BLACK-USER-AGENT'` - * `'BLACK-REFERER'` - * `'BLACK-COOKIE'` - * `'BLACK-POST'` - * `'$waf_rule_details'`:如果本次请求被本模块拦截,则其值为触发的具体的规则的内容。若没有生效则其值为`'null'`。 -* 支持过滤 POST 请求([b46641e](https://github.com/ADD-SP/ngx_waf/commit/b46641eb8473c6dcb6afe9ed73f94712300d176f))。 -* 
新配置项`ngx_waf_mult_mount`用于增加拦截面([e1b500d](https://github.com/ADD-SP/ngx_waf/commit/e1b500de349e017b67f334878342bdd6a34d22b8)),典型的应用场景是存在`rewrite`的情况下重写前后均会对 URL 进行一次检测。 -* 支持 CC 防御功能([3a93e19](https://github.com/ADD-SP/ngx_waf/commit/3a93e190b8cb78fcd7a0197f76298c010169d113))。 - -### 改动 - -* 增加默认的 POST 过滤规则([68dd102](https://github.com/ADD-SP/ngx_waf/commit/68dd102e011acfd819669d60a35d315365d26a16)) -* 更新默认规则([55f0a48](https://github.com/ADD-SP/ngx_waf/commit/55f0a4824bafb67f562909bdb58292cfce1059ae))。 -* 修改规则优先级([3c388c8](https://github.com/ADD-SP/ngx_waf/commit/3c388c85e30528b66306ca780524c7d663277f07))([248958d](https://github.com/ADD-SP/ngx_waf/commit/248958d3a0ef27dd14acc63a503e97931841f18a))([b46641e](https://github.com/ADD-SP/ngx_waf/commit/b46641eb8473c6dcb6afe9ed73f94712300d176f))((92447a3)[https://github.com/ADD-SP/ngx_waf/commit/92447a39d6a36ab027b0ead0daa0fe2b3b74ff29]),现在的优先级为(靠上的优先生效): - 1. IP 白名单 - 2. IP 黑名单 - 3. CC 防御 - 4. URL 白名单 - 5. URL 黑名单 - 6. Args 黑名单 - 7. UserAgent 黑名单 - 8. Referer 白名单 - 9. Referer 黑名单 - 10. Cookie 黑名单 - 11. POST 黑名单 - -### 修复 - -* IPV4 黑白名单功能失效([231f94a](https://github.com/ADD-SP/ngx_waf/commit/231f94aa5383fe8f6cdc0fbc3cd2dcadb7606881))。 -* 当 User-agent 为空时会触发 segmentation fault([bf33b36](https://github.com/ADD-SP/ngx_waf/commit/bf33b366232b7f5e05379d5e10ab006696189ea6))。 -* 启用 CC 防御后会有内存泄漏([be58d18](https://github.com/ADD-SP/ngx_waf/commit/be58d189b4c95be066623604124b02a9bf174e7f))。 - +请看 [docs/zh-cn/advance/changes.md](docs/zh-cn/advance/changes.md)。 \ No newline at end of file diff --git a/CHANGES.md b/CHANGES.md index 7531a868..eb56d788 100644 --- a/CHANGES.md +++ b/CHANGES.md 
@@ -1,351 +1 @@ -# Change Log - -## [Unreleased] - -### Added - -### Removed - -### Changed - -### Fixed - -* When POST inspection is enabled, POST requests are not logged in the access log. - -*** - -## [5.4.1] - 2021-06-09 UTC+0800 - -### Fixed - -* The value of built-in variables may be wrong when the directive `error_page` is used. - -*** - -## [5.4.0] - 2021-06-03 UTC+0800 - -### **NOTE** - -**The clone link for `libinjection` has been replaced in this release. The new link is [https://github.com/libinjection/libinjection.git](https://github.com/libinjection/libinjection.git).** - -### Added - -* Anti XSS (powered by [libinjection](https://github.com/libinjection/libinjection)). - -### Changed - -* Add debug log related to built-in variable calculation. - -### Fixed - -* POST inspection is not working. - -*** - -## [5.3.2] - 2021-05-28 UTC+0800 - -### Fixed - -* Memory corruption. - -*** - -## [5.3.1] - 2021-05-26 GMT+0800 - -### Fixed - -* Sometimes the module does not compile even if the dependencies are installed correctly. - -*** - - -## [5.3.0] - 2021-05-16 GMT+0800 - -### Added - -* New directive: `waf_under_attack`, which can be used when the site is under attack. - -* New directive: `waf_http_status`, which sets the HTTP status code returned when a request is blocked. - -* New built-in variable: `$waf_blocking_log`, not an empty string when the request is blocked for its value. - -### Changed - -* Update default rules. - -### Fixed - -* CC protection sometimes not work. - -* Cookie inspection sometimes not work. - -*** - - -## [5.1.2] - 2021-04-30 GMT+0800 - -### Added - -* Support for detecting SQL injection (powered by [libinjection](https://github.com/libinjection/libinjection)). This feature can be enabled by enabling the mode `LIB-INJECTION`, see the documentation for details. - -*** - -## [5.1.1] - 2021-04-23 GMT+0800 - -### Fixed - -* URL and Referer whitelist are not working. 
- -*** - -## [5.1.0] - 2021-04-20 GMT+0800 - -### Added - -* New built-in variable `waf_log`, which is not an empty string when this module has performed a inspection, but an empty string otherwise, mainly used in the directive `access_log`. - -* New built-in variable `waf_spend`, which records the time (in milliseconds) taken by this module to perform the inspection. - -*** - -## [5.0.0] - 2021-04-07 GMT+0800 - -### **WARNING** - -**This version contains breaking changes.** - -### Added - -* A new mode `CACHE` has been added, enabling this mode will cache the results of each inspection to improve performance. - -* New configuration `waf_cache` has been added to set parameters related to cache. - -* Added directive `waf_cc_deny` to set CC protection related parameters. - -* New directive `waf_priority` has been added to set the priority of all checks except for POST checks. - -* The [Retry-Afte](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Retry-After) response header is appended when the CC protection returns a 503 status code. - -### Removed - -* The directive `waf_cc_deny_limit` is deprecated and replaced with the new directive `waf_cc_deny`. - -### Changed - -* Swaps the default priority of CC protection and IP whitelist inspection. - -### Fixed - -* Fixed a segmentation fault when the number of worker processes is greater than one. - -* Fixed a bug where CC protection statistics were sometimes inaccurate. - -*** - -## [4.0.0] - 2021-03-22 GMT+0800 - -### **WARNING** - -**This version contains breaking changes.** - -### Added - -* Added some parameters to `waf_mode` and `waf_cc_deny_limit` ([368db2b](https://github.com/ADD-SP/ngx_waf/commit/368db2b26e9d2a910c06e77f892740cefe9556d3)). - -### Removed - -* Abort directive: `waf_mult_mount`. The function of this directive has been merged into the directive `waf_mode`. - -### Changed - -* Adds some parameters to the directive `waf_mode`. 
- -### Fixed - -* Fixed an error in the name of the built-in variable `waf_rule_details`, -which was set to `waf_rule_deatails` in a previous version of the code. - -* No more superfluous inspections. - -* Completely resolve compatibility issues with the `ngx_http_rewrite_module`. - -*** - -## [3.1.6] - 2021-03-07 - -### Fixed - -* Correcting the order in which rules take effect ([51c7824](https://github.com/ADD-SP/ngx_waf/commit/51c7824786c060f4b0dcffe77a4a1e04b775e04b)). - -## [3.1.5] - 2021-03-03 - -### Fixed - -* Fixed a bug in the `config` script that caused dependencies to not be checked correctly ([075a27e](https://github.com/ADD-SP/ngx_waf/commit/075a27e4f7aaf7e78c45eac0c78c9634863be476#diff-b79606fb3afea5bd1609ed40b622142f1c98125abcfe89a76a661b0e8e343910)). - -*** - -## [3.1.4] - 2021-03-02 - -### Changed - -* Use safer string handling functions to avoid buffer overflows when conditions allow ([177ae68](https://github.com/ADD-SP/ngx_waf/commit/177ae68cb019f47096e6065ec34aa0ef9be07567)). - -*** - -## [3.1.3] - 2021-02-23 - -### Fixed - -* Order of effectiveness of correction rules ([857ec84](https://github.com/ADD-SP/ngx_waf/commit/857ec84c6519d88d1c1a5560a244dceffd413f3f)). - -*** - -## [3.1.2] - 2021-01-18 - -### Fixed - -* Fixed a bug that caused module initialization to fail when the rule file was not writable ([20acd27](https://github.com/ADD-SP/ngx_waf/commit/20acd27815d1f266d89c1557e93848c96117b8ff)). - -*** - -## [3.1.1] - 2021-01-18 - -### Fixed - -* Compatible with lower versions of gcc ([becbbe0](https://github.com/ADD-SP/ngx_waf/commit/becbbe022b9f6efa606e720d7cbcd6c5d6f22c33)). - -*** - -## [3.1.0] - 2021-01-17 - -### Note - -* `v3.0.3` was skipped because a backward compatibility feature was added during the `v3.0.3` test. - -### Added - -* Add debug log for easy troubleshooting ([bac1d02](https://github.com/ADD-SP/ngx_waf/commit/bac1d026e9e902d9a49881e899cba4965f3388a4)). 
- -### Fixed - -* Fixed a segmentation fault ([57d7719](https://github.com/ADD-SP/ngx_waf/commit/57d7719654caddc40ee655c797f0984f42c25495))。 - -* More accurate visit frequency statistics ([53d3b14](https://github.com/ADD-SP/ngx_waf/commit/53d3b149a524252dbb9b8170e31f4b1f4895a6b7)). - -*** - -## [3.0.2] - 2021-01-10 - -### Note - -* Because of hotfixes performed on `v3.0.1`, all beta versions of `v3.0.2` are voided, please do not use these beta versions. - -### Fixed - -* Fixed a build error on `Alpine Linux` ([e989aa3](https://github.com/ADD-SP/ngx_waf/commit/e989aa34370da73f03627601188ca33844372c4f)). - -*** - -## [3.0.1] - 2020-12-28 - -### Fixed - -* Fixed a segmentation fault when inspecting cookies ([8dc2b56](https://github.com/ADD-SP/ngx_waf/commit/8dc2b56e9a8ae7c22cc5309ac0a060b0358f545b)). - - -*** - -## [3.0.0] - 2020-12-25 - -### Added - -* Anti Challenge Collapsar now supports IPV6 ([00fbc1c](https://github.com/ADD-SP/ngx_waf/commit/00fbc1c20ec964f6cd3bb992d756737e95b6c7ed)). - -* IP black and white lists support IPV6, and can recognize IPV6 strings such as `fe80::/10` ([8519b26](https://github.com/ADD-SP/ngx_waf/commit/8519b26f5fb9491ac60ae084247a0957c0931d0c)). - -### Changed - -* Delete some meaningless logs ([bd279e7](https://github.com/ADD-SP/ngx_waf/commit/bd279e7be872621fa75337722a9fae30b2ea6812)). - -* Friendly error alerts ([d1185b2](https://github.com/ADD-SP/ngx_waf/commit/d1185b26a413e45dcf5ef479b0078aa57a4b5962) & [f2b617d](https://github.com/ADD-SP/ngx_waf/commit/f2b617d5174eb1bc6982113415ddcb1f798ef703)). Warnings or error reporting when IP addresses in the rule file are invalid or IP address blocks overlap (does not detect all overlaps). - -* Faster IP matching ([2b9e774](https://github.com/ADD-SP/ngx_waf/commit/2b9e77404826666df301c3d6b3ce07a6968de266)). - -### Fixed - -* Fixed a bug that caused the cookie inspection not work ([87beed1](https://github.com/ADD-SP/ngx_waf/commit/87beed183e404c70411a2d35ea68ebbccccf5ff6)). 
- -* Modify the `config` file to ensure that the latest module code is compiled when executing `make` or `make modules` ([25f97f5](https://github.com/ADD-SP/ngx_waf/commit/25f97f5e7f3792b131ab0ebb1bfe4b7fe5e330ae)). Before the fix, if only the files under `inc/` changed, the latest code would not be compiled because the files under `inc/` were not checked for changes. - -* Fixed a bug with incorrect IPV4 segment identification ([73a22eb](https://github.com/ADD-SP/ngx_waf/commit/73a22eb3538a24e9714bf8331946a5654df20cc1)). This bug could cause the subnet mask not to be generated correctly when a rule like `192.168.0.0/10`, i.e. the suffix is not a multiple of 8, appears in the rule. - -*** - -## [2.1.1] - 2020-12.10 - -### Added - -### Changed - -### Fixed - -* Fixed a module startup failure error. The error message for this error is `nginx: [alert] could not open error log file: open() "ngx_waf: /logs/error.log" failed (2: No such file or directory)` ([0dfc46f](https://github.com/ADD-SP/ngx_waf/commit/0dfc46f2dfc7ed91977b501c868abf961966d4e1)). - -*** - -## [2.1.0] - 2020-12-09 - -### Added - -* Compatible with the mainline version of NGINX ([f31f906](https://github.com/ADD-SP/ngx_waf/commit/f31f906b11fb00f54bfea504ca7c8c147a0be1d8) & [65277d1](https://github.com/ADD-SP/ngx_waf/commit/7b4f897a4a332b43bf94de874f8ba8c3098aaee4)). - -### Changed - -### Fixed - -*** - -## [2.0.2] - 2020-12-07 - -### Added - -### Changed - -### Fixed - -* Fix for Anti Challenge Collapsar failing when `waf_mult_mount` is disabled ([048fe5c](https://github.com/ADD-SP/ngx_waf/commit/048fe5c15863d9a3106387225774305aa5564726)). - -* Fixed compile error caused by incorrect `#include` ([3fa298c](https://github.com/ADD-SP/ngx_waf/commit/3fa298c6184618ea0cd6336783a4d7a2ed27469c)). 
- -*** - -## [2.0.1] - 2020-12-03 - -### Added - -### Changed - -* Instead of downloading the uthash dependency manually, you can install the system library with `yum install uthash-devel` or `apt-get install uthash-dev` ([7cfc94b](https://github.com/ADD-SP/ngx_waf/commit/7cfc94bc64fa4f2c29bdf3b24e21aeb1ba412054)). - -### Fixed - -* Fixed a bug that failed to compile under CentOS/RHEL 6 or 7 that was caused by not properly preventing macro redefinitions ([28e1c8a](https://github.com/ADD-SP/ngx_waf/commit/28e1c8aca03375089c75df21c5db3c38013edde7) & [566ae4a](https://github.com/ADD-SP/ngx_waf/commit/566ae4a50f855674b256db84305a24e1b2a6bc6d)). - -*** - -## [2.0.0] - 2020-09-29 - -### Added - -* We can compile the module with `--add-dynamic-module`. Thanks for [dvershinin](https://github.com/dvershinin)'s work([https://github.com/ADD-SP/ngx_waf/pull/4](https://github.com/ADD-SP/ngx_waf/pull/4))。 - -### Changed - -* Remove a default User-Agent rule that is `(?i)(? :Sogou web spider)`, as it will block non-malicious web spider([827d4e5](https://github.com/ADD-SP/ngx_waf/commit/827d4e5bc48894ff9147e49799d3a9656fe7dd8a)). - -* Merge directives ([ba92cfd](https://github.com/ADD-SP/ngx_waf/commit/ba92cfd53ce78da8ff4ed22d2bc71a47de4cbe25)). These directives will be merged: `waf_check_ipv4`, `waf_check_url`, `waf_check_args`, `waf_check_ua`, `waf_check_referer`, `waf_check_cookie`, `waf_check_post`, `waf_check_cookie`, `waf_cc_deny`. The merged new directive is `waf_mode`, see [README](README-EN.md). - -### Fixed - -* The blank lines in the rules can now be read correctly ([955cf2d](https://github.com/ADD-SP/ngx_waf/commit/955cf2d240c4d66f815890e3ee9b88ccf906cf1d)). +See [docs/advance/changes.md](docs/advance/changes.md). \ No newline at end of file diff --git a/docs/advance/changes.md b/docs/advance/changes.md index 2ed29953..19188bbb 100644 --- a/docs/advance/changes.md +++ b/docs/advance/changes.md 
@@ -15,6 +15,12 @@ lang: en ### Fixed +*** + +## [5.4.2] - 2021-06-15 UTC+0800 + +### Fixed + * When POST inspection is enabled, POST requests are not logged in the access log. *** diff --git a/docs/advance/issue.md b/docs/advance/issue.md index e63dbb66..cbc2d89d 100644 --- a/docs/advance/issue.md +++ b/docs/advance/issue.md @@ -6,14 +6,4 @@ lang: en # Known Issues Bugs that exist in the latest stable release are listed here, -bugs that have been fixed in the latest stable release are not listed here. - -## POST requests are not logged in the access log - -* Overview: When POST inspection is enabled, POST requests are not logged in the access log. -* Severity: Low. -* Priority: It will be fixed in the next stable release. -* Status: Already fixed in the latest beta release. -* Affected versions: - * nginx: >= `1.18.0`. - * ngx_waf: >= `1.0.0`. \ No newline at end of file +bugs that have been fixed in the latest stable release are not listed here. \ No newline at end of file diff --git a/docs/zh-cn/advance/changes.md b/docs/zh-cn/advance/changes.md index 5294856d..cc42b2ce 100644 --- a/docs/zh-cn/advance/changes.md +++ b/docs/zh-cn/advance/changes.md @@ -15,6 +15,12 @@ lang: zh-CN ### 修复 +*** + +## [5.4.2] - 2021-06-15 UTC+0800 + +### 修复 + * 如果启用了 POST 检测,则访问日志(access_log)中不会记录 POST 请求,即丢失所有的 POST 请求的日志。 *** diff --git a/docs/zh-cn/advance/issue.md b/docs/zh-cn/advance/issue.md index cfb3efa2..3b6e8bb2 100644 --- a/docs/zh-cn/advance/issue.md +++ b/docs/zh-cn/advance/issue.md @@ -5,14 +5,4 @@ lang: zh-CN # 已知问题 -这里只会列出存在于最新的稳定版的问题,已经在最新的稳定版中修复的问题不会列出。 - -## 访问日志中不记录 POST 请求 - -* 概述:如果启用了 POST 检测,则访问日志(access_log)中不会记录 POST 请求,即丢失所有的 POST 请求的日志。 -* 严重程度:低。 -* 优先级:将在下一个稳定版中修复。 -* 状态:已经在最新的测试版中修复。 -* 受影响的版本: - * nginx:>= `1.18.0`。 - * ngx_waf:>= `1.0.0`。 \ No newline at end of file +这里只会列出存在于最新的稳定版的问题,已经在最新的稳定版中修复的问题不会列出。 \ No newline at end of file
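Review bot: In the `CHANGES-ZH-CN.md` hunk, the single added line replaces 480 lines of history with a relative link, and nothing in this patch shows that `docs/zh-cn/advance/changes.md` already holds that history (its hunk only touches lines 15 to 20). Before merging, confirm the docs copy contains every removed section, including the `[1.0.1]` and `[1.0.0]` entries with the per-directive syntax and the rule priority list, since this file was the only place they appear in the diff. The new line also ends with "\ No newline at end of file"; add a trailing newline.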
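Review bot: The removed `CHANGES.md` content disagrees with the removed Chinese file in several places, so the docs copy that becomes canonical should be reconciled rather than assumed correct. `[3.1.2]` is dated `2021-01-18` here but `2021-02-17` in `CHANGES-ZH-CN.md`, `[2.1.1]` is written `2020-12.10`, the 5.0.0 entry links `Retry-Afte`, and the English history stops at `[2.0.0]` while the Chinese one continues to `[1.0.0]`. Check `docs/advance/changes.md` for the same defects and fix them there in this commit or a follow-up, because after this change there is no second copy to compare against.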
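Review bot: In the `docs/advance/changes.md` hunk (and its `docs/zh-cn` counterpart), the bullet under the new `## [5.4.2] - 2021-06-15 UTC+0800` / `### Fixed` heading is kept as context and still describes the defect in the present tense: "POST requests are not logged in the access log". Under a release heading that reads as current behaviour of 5.4.2. Reword it as the fix, for example that POST requests are now written to the access log when POST inspection is enabled, and note that it leaves an empty `### Fixed` under the unreleased section directly above the added `***`.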
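Review bot: The `docs/advance/issue.md` and `docs/zh-cn/advance/issue.md` hunks delete the only statement of scope for this bug, "Affected versions: nginx: >= `1.18.0`, ngx_waf: >= `1.0.0`", and the 5.4.2 changelog entry does not carry it over. Operators running anything older than 5.4.2 with POST inspection enabled have access logs with no POST requests in them, which matters to anyone relying on those logs for detection or incident review, so the affected range should move into the 5.4.2 entry rather than disappear. Both files also now end with "\ No newline at end of file"; add the trailing newline, and consider an explicit line saying there are no known issues so the page does not read as truncated.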