Skip to content

Releases: ADD-SP/ngx_waf

v10.1.2 Current

09 Jul 02:58
02dc08c
Compare
Choose a tag to compare

[10.1.2] - 2022-07-09 UTC+0800

Fixed

  • compatible with nginx-1.23.0

[10.1.2] - 2022-07-09 UTC+0800

修复

  • 兼容 nginx-1.23.0

v6.1.9 LTS

09 Jul 02:57
f97a439
Compare
Choose a tag to compare

[6.1.9] - 2022-07-09 UTC+0800

Fixed

  • compatible with nginx-1.23.0

[6.1.9] - 2022-07-09 UTC+0800

修复

  • 兼容 nginx-1.23.0

v10.1.1 Current | Nice to meet you

07 Jan 04:13
dddaa4a
Compare
Choose a tag to compare

[10.1.1] - 2022-01-07 UTC+0800

Nice to meet you :).

Added

  • PCRE2 library support.

Fixed

  • Memory leak.

  • CAPTCHA and Under-Attack-Mode sometimes cause infinite page refreshes.


[10.1.1] - 2022-01-07 UTC+0800

奈斯兔米兔!

新增

  • 支持 PCRE2。

修复

  • 内存泄漏。

  • 验证码和 Under Attack Mode(五秒盾)有时会无限刷新。

v6.1.8 LTS

07 Jan 04:03
b5a6995
Compare
Choose a tag to compare

[6.1.8] - 2022-01-07 UTC+0800

Fixed

  • Memory leak.

[6.1.8] - 2022-01-07 UTC+0800

修复

  • 内存泄漏。

v10.1.0 Current

14 Dec 12:36
6866329
Compare
Choose a tag to compare

[10.1.0] - 2021-12-14 UTC+0800

Added

  • You can set the directive waf to bypass, in which case no requests will be intercepted, but ngx_waf will still do the detection and logging.

  • The directive waf_verify_bot has a new parameter SogouSpider, which is used to verify if it is a Sogou crawler.

Fixed

  • Garbage collection is not running, which does not lead to memory leaks, but does lead to performance problems.

  • Sometimes the [FAKE-BOT] log is printed incorrectly.


[10.1.0] - 2021-12-14 UTC+0800

新增

  • 指令 waf 可以设置为 bypass 模式,即仅检测并记录日志,但不会拦截任何请求。

  • 指令 waf_verify_bot 新增了参数 SogouSpider,用于验证是否为搜狗爬虫。

修复

  • 内存回收机制并未正常运行,这虽然不会造成内存泄漏,但会导致内存占用居高不下,并引发性能问题。

  • 友好爬虫验证功能会错误地打印拦截日志。

v10.0.1 Current

05 Dec 13:00
d25e6a2
Compare
Choose a tag to compare

[10.0.1] - 2021-12-05 UTC+0800

Added

  • Added two Easter eggs, which you can find clues in the documentation. These two eggs are not triggered automatically and need to be enabled manually.

Fixed

  • All parameters of the directive waf_mode corresponding to the request method are not working.

[10.0.1] - 2021-12-05 UTC+0800

新增

  • 添加了两个彩蛋,你可以在文档中找到相关的线索。这两个彩蛋不会自动触发,所以不会影响正常使用。

修复

  • 指令 waf_mode 中所有与请求方法对应的参数均失效。

v6.1.7 LTS

05 Dec 13:00
0e236a1
Compare
Choose a tag to compare

[6.1.7] - 2021-12-05 UTC+0800

Fixed

  • All parameters of the directive waf_mode corresponding to the request method are not working.

[6.1.7] - 2021-12-05 UTC+0800

修复

  • 指令 waf_mode 中所有与请求方法对应的参数均失效。

v10.0.0 Current

30 Nov 13:07
7e58776
Compare
Choose a tag to compare

[10.0.0] - 2021-11-30 UTC+0800

Added

  • New directive waf_zone, used to declare a piece of shared memory that will be used for other directives, such as waf_cc_deny.

  • New directive waf_action, used to set actions after intercepting a request, such as returning a specific status code or challenging the client with a captcha.

  • New directive waf_block_page, used to set the blocking page to return the specified HTML file when the request is blocked.

  • A new embedded variable, $waf_rate, is used to indicate the number of accesses to the current IP in a period. The period is determined by the parameter rate of the directive waf_cc_deny, or by the parameter duration if the IP has been blacked out.

  • The directive waf_captcha has a new parameter max_fails, which sets the maximum number of attempts for the captcha and the blocking time after it is exceeded.

  • The directive waf_captcha has a new parameter zone that specifies a piece of shared memory, which needs to be set if and only if the parameter max_fails is set.

  • The directive waf_captcha has a new parameter sitekey, which needs to be set if and only if the parameter file is omitted.

  • When you reload nginx, the module keeps as much information in shared memory as possible so that it is not emptied, such as statistics used by CC protection.

Removed

  • The directive waf_http_status has been removed and the related features have been merged into the directive waf_action.

  • The parameter size of the directive waf_cc_deny has been removed and zone is now used instead.

Changed

  • You can omit the parameter file of the directive waf_under_attack; omitting this parameter will use a built-in file from assets/under_attack.html.

  • You can omit the argument file to the directive waf_captcha, which when omitted will use a built-in file based on the value of the argument prov, which comes from the directory assets/.


[10.0.0] - 2021-11-30 UTC+0800

新增

  • 新指令 waf_zone,用来声明一块共享内存,这块内存将被用于其他的指令,比如 waf_cc_deny

  • 新指令 waf_action,用于设置拦截请求后的动作,比如返回特定的状态码或者使用验证码对客户端做人机认证。

  • 新指令 waf_block_page,用于设置拦截页面,当请求被拦截后将指定的 HTML 文件返回。

  • 新内置变量 $waf_rate,用来表示一个统计周期内当前 IP 的访问次数。统计周期由指令 waf_cc_deny 的参数 rate 决定,如果 IP 已经被拉黑,则由参数 duration 决定。

  • 指令 waf_captcha 增加了一个参数 max_fails,用来设置验证码最大试错次数和超出后的拉黑时间。

  • 指令 waf_captcha 增加了一个参数 zone,用来指定一块共享内存,当且仅当设置了参数 max_fails 时才需要设置。

  • 指令 waf_captcha 增加了一个参数 sitekey,当且仅当省略了参数 file 时才需要设置。

  • 当你重载 nginx 时,模块会尽可能地保留共享内存中的信息,使其不被清空,比如 CC 防护的拉黑列表。

移除

  • 移除了指令 waf_http_status,相关的功能合并到指令 waf_action

  • 移除了指令 waf_cc_deny 的参数 size,现在使用 zone 代替。

变动

  • 允许省略指令 waf_under_attack 的参数 file,省略此参数时将使用一个内置的文件,它来自 assets/under_attack.html

  • 允许省略指令 waf_captcha 的参数 file,省略此参数时将根据参数 prov 的值使用一个内置的文件,这些文件来自目录 assets/

  • 更多的调试日志。

v9.0.6 Current

11 Oct 02:51
9c2a2bd
Compare
Choose a tag to compare

[9.0.6] - 2021-10-10 UTC+0800

Fixed

  • If the directive try_files is executed, CAPTCHA may fail.

[9.0.6] - 2021-10-10 UTC+0800

修复

  • 当指令 try_files 生效时无法完成 CAPTCHA 的验证。

v9.0.5 Current

10 Oct 03:12
f840fad
Compare
Choose a tag to compare

[9.0.5] - 2021-10-09 UTC+0800

New test suite

By chance, I found a test suite: test-nginx.
It looked great, so I wrote a lot of test cases and tested with it. Unfortunately I found a lot of bugs, very wise of me.

Changed

  • Removed useless debug log.

  • More debug log.

Fixed

  • Sometimes the connection is closed prematurely.

  • When CAPTCHA is enabled, the request body inspection may be wrong.

  • CAPTCHA may fail due to HTTP caching.

  • Memory leak when reloading nginx.

  • Failed to properly merge directive waf_cache from different contexts.

  • Failed to properly merge directives waf_cc_deny from different contexts.

  • Failed to inherit Referer blacklist different contexts.

  • Failed to properly handle incorrect command syntax.

  • Fixed a default rule of URL.

  • Fixed the following files so that the page can be refreshed automatically after the CAPTCHA is completed.

    • assets/hCaptcha.html
    • assets/reCAPTCHAv2_Checkbox.html
    • assets/reCAPTCHAv2_Invisible.html
    • assets/reCAPTCHAv3.html

[9.0.5] - 2021-10-09 UTC+0800

新的测试套件

偶然间看到了一个测试套件:test-nginx
看完之后感觉很好便拿来测试,编了不少测试用例,果不其然发现了一大堆 Bug,不愧是我。

变动

  • 删除了无用的调试日志。

  • 更多的调试日志。

修复

  • 有时连接会被过早地关闭。

  • 启用 CAPTCHA 后请求体的检测结果可能会出错。

  • CAPTCHA 可能会因为 HTTP 缓存而失败。

  • 重载 nginx 时存在内存泄露。

  • 未能正确合并上层配置块的 waf_cache 指令。

  • 未能正确合并上层配置块的 waf_cc_deny 指令。

  • 未能正确继承上层配置块的 Referer 黑名单。

  • 未能正确识别一些错误的配置。

  • 修复了一条默认的 URL 黑名单规则。

  • 修复了下列文件,使得验证码完成后可以自动刷新网页。

    • assets/hCaptcha.html
    • assets/reCAPTCHAv2_Checkbox.html
    • assets/reCAPTCHAv2_Invisible.html
    • assets/reCAPTCHAv3.html