Releases: ADD-SP/ngx_waf
v10.1.2 Current
v6.1.9 LTS
v10.1.1 Current | Nice to meet you
dddaa4a
ADD-SP
Qi
[10.1.1] - 2022-01-07 UTC+0800
Nice to meet you :).
Added
- PCRE2 library support.
Fixed
-
Memory leak.
-
CAPTCHA and Under-Attack-Mode sometimes cause infinite page refreshes.
[10.1.1] - 2022-01-07 UTC+0800
奈斯兔米兔!
新增
- 支持 PCRE2。
修复
-
内存泄漏。
-
验证码和 Under Attack Mode(五秒盾)有时会无限刷新。
v6.1.8 LTS
v10.1.0 Current
6866329
ADD-SP
Qi
[10.1.0] - 2021-12-14 UTC+0800
Added
-
You can set the directive
waftobypass, in which case no requests will be intercepted, but ngx_waf will still do the detection and logging. -
The directive
waf_verify_bothas a new parameterSogouSpider, which is used to verify if it is a Sogou crawler.
Fixed
-
Garbage collection is not running, which does not lead to memory leaks, but does lead to performance problems.
-
Sometimes the
[FAKE-BOT]log is printed incorrectly.
[10.1.0] - 2021-12-14 UTC+0800
新增
-
指令
waf可以设置为bypass模式,即仅检测并记录日志,但不会拦截任何请求。 -
指令
waf_verify_bot新增了参数SogouSpider,用于验证是否为搜狗爬虫。
修复
-
内存回收机制并未正常运行,这虽然不会造成内存泄漏,但会导致内存占用居高不下,并引发性能问题。
-
友好爬虫验证功能会错误地打印拦截日志。
v10.0.1 Current
d25e6a2
ADD-SP
Qi
[10.0.1] - 2021-12-05 UTC+0800
Added
- Added two Easter eggs, which you can find clues in the documentation. These two eggs are not triggered automatically and need to be enabled manually.
Fixed
- All parameters of the directive
waf_modecorresponding to the request method are not working.
[10.0.1] - 2021-12-05 UTC+0800
新增
- 添加了两个彩蛋,你可以在文档中找到相关的线索。这两个彩蛋不会自动触发,所以不会影响正常使用。
修复
- 指令
waf_mode中所有与请求方法对应的参数均失效。
v6.1.7 LTS
0e236a1
ADD-SP
Qi
[6.1.7] - 2021-12-05 UTC+0800
Fixed
- All parameters of the directive
waf_modecorresponding to the request method are not working.
[6.1.7] - 2021-12-05 UTC+0800
修复
- 指令
waf_mode中所有与请求方法对应的参数均失效。
v10.0.0 Current
7e58776
ADD-SP
Qi
[10.0.0] - 2021-11-30 UTC+0800
Added
-
New directive
waf_zone, used to declare a piece of shared memory that will be used for other directives, such aswaf_cc_deny. -
New directive
waf_action, used to set actions after intercepting a request, such as returning a specific status code or challenging the client with a captcha. -
New directive
waf_block_page, used to set the blocking page to return the specified HTML file when the request is blocked. -
A new embedded variable,
$waf_rate, is used to indicate the number of accesses to the current IP in a period. The period is determined by the parameterrateof the directivewaf_cc_deny, or by the parameterdurationif the IP has been blacked out. -
The directive
waf_captchahas a new parametermax_fails, which sets the maximum number of attempts for the captcha and the blocking time after it is exceeded. -
The directive
waf_captchahas a new parameterzonethat specifies a piece of shared memory, which needs to be set if and only if the parametermax_failsis set. -
The directive
waf_captchahas a new parametersitekey, which needs to be set if and only if the parameterfileis omitted. -
When you reload nginx, the module keeps as much information in shared memory as possible so that it is not emptied, such as statistics used by CC protection.
Removed
-
The directive
waf_http_statushas been removed and the related features have been merged into the directivewaf_action. -
The parameter
sizeof the directivewaf_cc_denyhas been removed andzoneis now used instead.
Changed
-
You can omit the parameter
fileof the directivewaf_under_attack; omitting this parameter will use a built-in file fromassets/under_attack.html. -
You can omit the argument
fileto the directivewaf_captcha, which when omitted will use a built-in file based on the value of the argumentprov, which comes from the directoryassets/.
[10.0.0] - 2021-11-30 UTC+0800
新增
-
新指令
waf_zone,用来声明一块共享内存,这块内存将被用于其他的指令,比如waf_cc_deny。 -
新指令
waf_action,用于设置拦截请求后的动作,比如返回特定的状态码或者使用验证码对客户端做人机认证。 -
新指令
waf_block_page,用于设置拦截页面,当请求被拦截后将指定的 HTML 文件返回。 -
新内置变量
$waf_rate,用来表示一个统计周期内当前 IP 的访问次数。统计周期由指令waf_cc_deny的参数rate决定,如果 IP 已经被拉黑,则由参数duration决定。 -
指令
waf_captcha增加了一个参数max_fails,用来设置验证码最大试错次数和超出后的拉黑时间。 -
指令
waf_captcha增加了一个参数zone,用来指定一块共享内存,当且仅当设置了参数max_fails时才需要设置。 -
指令
waf_captcha增加了一个参数sitekey,当且仅当省略了参数file时才需要设置。 -
当你重载 nginx 时,模块会尽可能地保留共享内存中的信息,使其不被清空,比如 CC 防护的拉黑列表。
移除
-
移除了指令
waf_http_status,相关的功能合并到指令waf_action。 -
移除了指令
waf_cc_deny的参数size,现在使用zone代替。
变动
-
允许省略指令
waf_under_attack的参数file,省略此参数时将使用一个内置的文件,它来自assets/under_attack.html。 -
允许省略指令
waf_captcha的参数file,省略此参数时将根据参数prov的值使用一个内置的文件,这些文件来自目录assets/。 -
更多的调试日志。
v9.0.6 Current
v9.0.5 Current
f840fad
ADD-SP
Qi
[9.0.5] - 2021-10-09 UTC+0800
New test suite
By chance, I found a test suite: test-nginx.
It looked great, so I wrote a lot of test cases and tested with it. Unfortunately I found a lot of bugs, very wise of me.
Changed
-
Removed useless debug log.
-
More debug log.
Fixed
-
Sometimes the connection is closed prematurely.
-
When CAPTCHA is enabled, the request body inspection may be wrong.
-
CAPTCHA may fail due to HTTP caching.
-
Memory leak when reloading nginx.
-
Failed to properly merge directive
waf_cachefrom different contexts. -
Failed to properly merge directives
waf_cc_denyfrom different contexts. -
Failed to inherit
Refererblacklist different contexts. -
Failed to properly handle incorrect command syntax.
-
Fixed a default rule of URL.
-
Fixed the following files so that the page can be refreshed automatically after the CAPTCHA is completed.
assets/hCaptcha.htmlassets/reCAPTCHAv2_Checkbox.htmlassets/reCAPTCHAv2_Invisible.htmlassets/reCAPTCHAv3.html
[9.0.5] - 2021-10-09 UTC+0800
新的测试套件
偶然间看到了一个测试套件:test-nginx。
看完之后感觉很好便拿来测试,编了不少测试用例,果不其然发现了一大堆 Bug,不愧是我。
变动
-
删除了无用的调试日志。
-
更多的调试日志。
修复
-
有时连接会被过早地关闭。
-
启用 CAPTCHA 后请求体的检测结果可能会出错。
-
CAPTCHA 可能会因为 HTTP 缓存而失败。
-
重载 nginx 时存在内存泄露。
-
未能正确合并上层配置块的
waf_cache指令。 -
未能正确合并上层配置块的
waf_cc_deny指令。 -
未能正确继承上层配置块的 Referer 黑名单。
-
未能正确识别一些错误的配置。
-
修复了一条默认的 URL 黑名单规则。
-
修复了下列文件,使得验证码完成后可以自动刷新网页。
assets/hCaptcha.htmlassets/reCAPTCHAv2_Checkbox.htmlassets/reCAPTCHAv2_Invisible.htmlassets/reCAPTCHAv3.html