-
Notifications
You must be signed in to change notification settings - Fork 69
/
Copy pathCHANGES
485 lines (345 loc) · 21.3 KB
/
CHANGES
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
Changes with Angie 1.8.1 28 Dec 2024
*) Bugfix: using the "status_zone" directive in the "server" block of
the HTTP module caused excessive logging of empty requests in
"access_log" on TLS handshakes; the bug had appeared in 1.8.0.
*) Bugfix: decoding errors in HTTP/3 stream could cause worker process
crash when closing QUIC connection; the fix was ported from nginx
1.27.4.
*) Bugfix: sending QUIC protocol version negotiation packets could cause
an infinite packet exchange loop; the fix was ported from nginx
1.27.4.
*) Bugfix: using DNS-challenge without hooks in the ACME module could
cause a worker process crash in some configurations.
Changes with Angie 1.8.0 19 Dec 2024
*) Change: when gracefully shutting down old worker processes,
keep-alive connections are now closed only after the timeout
specified by the "lingering_timeout" directive has expired; this
behaviour allows to avoid possible client errors when receiving
replies at that moment.
Thanks to Maxim Dounin (freenginx).
*) Change: disabled caching of the "stream" module variables
"$ssl_server_name", "$ssl_server_cert_type", "$ssl_preread_protocol",
and "$ssl_preread_server_name", which allows to get actual values
when using virtual servers.
*) Feature: support of "DNS-01" challenges by handling DNS queries from
the ACME server, which allows to automatically request certificates
of any types, including wildcard ones.
*) Feature: hooks system in the ACME module, configurable using the
"acme_hook" directive, which allows handling of domain name
challenges using an external application to provide integration with
various services and DNS hosting providers.
*) Feature: the ACME module logs some additional information: why
exactly the certificate is being renewed, full domain name list,
client's account ID, long periods of inactivity (e.g. pollings), and
the domain name being challenged; this information simplifies
troubleshooting and allows to specify the CAA DNS record.
*) Feature: the "account_key" parameter of the "acme_client" directive,
which allows to reuse an existing key for the ACME server account
instead of auto-generating a new one.
*) Feature: support for variables in the "status_zone" directives in the
stream and HTTP modules allows to dynamically account statistics
within several zones in a single "location" or "server" block; in
particular, it's especially useful when a single "server" block is
handling multiple virtual hosts.
*) Feature: GZip HTTP compression module compatibility with the zlib-ng
versions 2.2.0 and above, which could previously cause "[alert] gzip
filter failed to use preallocated memory" messages in the error log.
*) Feature: the "max_headers" directive that limits the number of HTTP
request header fields to better protect against DoS attacks.
Thanks to Maxim Dounin (freenginx) and Maksim Yevmenkin.
*) Feature: the "http3_max_table_capacity" and
"proxy_http3_max_table_capacity" directives to configure the HTTP/3
dynamic header compression table limits.
*) Feature: cross-compilation support - the build system can now use a
wrapper script to run autotests, which enables to prepare a build
without running test programs directly on the target platform.
*) Feature: all functionality of nginx 1.27.3.
*) Bugfix: HTTP/3 clients could time out when using 0-RTT; the fix was
ported from nginx 1.27.4.
*) Bugfix: proxying with HTTP/3 using variables in the "proxy_pass"
directive and without specifying an "upstream" block could crash the
worker process.
*) Bugfix: HTTP/3 upstreams using dynamic table could lead to worker
process crash if used with cache.
*) Bugfix: some SSL handshakes could be not counted in statistics for
the "stream" module.
*) Bugfix: HTTP/3 proxy settings specified in "http" or "server" level
might be ignored.
*) Bugfix: the "proxy_client_certificate" directive didn't work when
proxying via HTTP/3 with NTLS support enabled.
Changes with Angie 1.7.0 19 Sep 2024
*) Change: updated descriptions of HTTP status codes in conformance with
RFC 9110.
Thanks to Maxim Dounin (freenginx) and Michiel W. Beijen.
*) Change: a maximum of one empty line is now allowed before an HTTP
request to better protect against DoS attacks.
Thanks to Maxim Dounin (freenginx).
*) Change: HTTP/1.x header field names without a colon at the end are
now prohibited; such invalid header fields from a client or a proxied
server will now cause an error response.
Thanks to Maxim Dounin (freenginx) and Maksim Yevmenkin.
*) Change: when reading a request body using HTTP/1.1 chunked transfer
encoding, the total size of ignored chunk extensions and trailer
header fields is now limited by the "client_max_body_size" directive
to better protect against DoS attacks.
Thanks to Maxim Dounin (freenginx) and Bartek Nowotarski.
*) Change: the MIME type in the "mime.types" configuration file has been
changed to "image/bmp" for the "bmp" extension and
"application/vnd.rar" for the "rar" extension; set to
"application/vnd.debian.binary-package" for the "deb" and "udeb"
extensions.
Thanks to Yuriy Izorkin.
*) Feature: forced closing all the connections to a proxied server when
it's removed from the group can be configured via the
"proxy_connection_drop", "grpc_connection_drop",
"fastcgi_connection_drop", "scgi_connection_drop", and
"uwsgi_connection_drop" directives.
*) Feature: counters of sent DNS query types in the resolver statistics
API, which is collected with the "status_zone" parameter of the
"resolver" directive.
*) Feature: the "$ssl_server_cert_type" variable that contains the type
of selected certificate for a received TLS-connection.
*) Feature: disabling creation of the PID file with the "off" parameter
of the "pid" directive, which might be beneficial with immutable
images and direct control by a service manager.
Thanks to Maxim Dounin (freenginx).
*) Feature: creation of the PID file made atomic via an intermediate
temporary file, which removes a moment when the file is already in
the directory but still empty, and allows external programs to handle
it more easily and reliably.
*) Feature: now, during reconfiguration, no attempt is made to recreate
the PID file if the name in the "pid" directive has changed but
points to the same file via symlinks; in particular, it allows
avoiding issues on systems that migrate from "/var/run/angie.pid" to
"/run/angie.pid".
Thanks to Maxim Dounin (freenginx).
*) Feature: syslog logging errors are now reported no more than once per
second; this helps avoid flooding the logs with such messages when
the syslog server is down or overloaded.
Thanks to Maxim Dounin (freenginx).
*) Feature: in the Mail proxy module, the maximum number of commands
during authentication, configured with the "max_commands" directive,
is limited to better protect against DoS attacks.
Thanks to Maxim Dounin (freenginx).
*) Feature: the "--feature-cache" option of the ./configure script to
cache its results for optimization when building multiple modules or
cross-compiling.
*) Feature: all functionality of nginx 1.27.1.
*) Bugfix: "PID file ... not readable (yet?) after start" and "Failed to
parse PID from file..." errors might appear when starting with
systemd.
Thanks to Maxim Dounin (freenginx).
Changes with Angie 1.6.2 16 Aug 2024
*) Security: processing a specially crafted mp4 file with the
ngx_http_mp4_module could cause a worker process crash
(CVE-2024-7347); the fix was ported from nginx 1.27.1.
Changes with Angie 1.6.1 08 Aug 2024
*) Feature: a new "passed" counter in the API statistics of the "stream"
module's "status_zone" directive tracks connections passed to other
sockets using "pass" directives.
*) Bugfix: when using virtual servers or the "pass" directives in the
"stream" module, connections could be accounted incorrectly in the
statistics API.
*) Bugfix: worker processes could crash on configurations with 5 ACME
clients or more; the bug had appeared in 1.6.0.
*) Bugfix: handling cached responses with the "X-Accel-Redirect" header
could crash the worker process.
Thanks to Maxim Dounin (freenginx) and Jiří Setnička.
Changes with Angie 1.6.0 28 Jun 2024
*) Feature: the "sticky" directive and related options in the "stream"
module's "upstream" block, which allow to configure sticky sessions
mode where all connections in the session are routed to the same
server.
*) Feature: extraction of Cookie values from RDP connections using the
"rdp_preread" directive in the "stream" module into "$rdp_cookie" and
"$rdp_cookie_NAME" variables, which allows to log and stick RDP
client sessions to particular servers while load balancing.
*) Feature: support for multiple "acme" directives in a "server" block,
which allows to configure obtaining two types of certificates at once
for that virtual server.
*) Feature: command line options "-m" and "-M" to list built-in and
loaded modules.
*) Feature: support for BoringSSL in the ACME module.
*) Feature: all functionality of nginx 1.27.0, including support for
virtual servers in the "stream" module and the "pass" directive,
which allows to pass accepted connections for handling to another
listening sockets, including HTTP and Mail modules.
*) Bugfix: certificate request via the ACME protocol could result in
error on some configurations with a log message like "[alert]
getsockname() failed (9: Bad file descriptor)".
*) Bugfix: certificate request with large number of domain names via the
ACME protocol could result in error with a log message like "[error]
JSON parser error".
*) Bugfix: ACME clients in configurations with multiple "error_log"
directives could log messages to irrelevant logs.
Changes with Angie 1.5.2 31 May 2024
*) Security: when using HTTP/3, processing of a specially crafted QUIC
session could cause a worker process crash, worker process memory
disclosure on systems with MTU larger than 4096 bytes, or have other
impact (CVE-2024-32760, CVE-2024-31079, CVE-2024-35200,
CVE-2024-34161); the fix has been ported from nginx 1.26.1.
Changes with Angie 1.5.1 16 May 2024
*) Change: now ACME clients do not discard previously stored
certificates that were expired or issued for a different domain list,
but use them while renewing.
*) Bugfix: the "proxy_next_upstream" mechanism did not work correctly
when using the "resolve" option of the "server" directive in the
"upstream" block if the number of resolved IP addresses differed from
the number of specified servers.
*) Bugfix: while requesting a certificate via the ACME protocol, a
segmentation fault could occur in a worker process.
*) Bugfix: the "slow_start" mechanism did not work when proxying TCP
connections in the "stream" module.
*) Bugfix: HTTP/3 requests could result in an error if received as TLS
1.3 early data; the bug had appeared in 1.4.0.
*) Bugfix: HTTP/3 connection could be prematurely closed while using
0-RTT in QUIC.
*) Bugfix: when reading a request body from a fast connection, reading
for a long time was possible.
Thanks to Maxim Dounin (freenginx).
Changes with Angie 1.5.0 27 Mar 2024
*) Feature: basic support for automatically obtaining and updating
certificates using the ACME protocol, configurable with the
"acme_client" and "acme" directives, as well as variables of the form
"$acme_cert_*" and "$acme_cert_key_*".
*) Feature: configuration of automatic redirection, which adds trailing
slashes to request URIs, with the "auto_redirect" directive.
*) Feature: output statistics metrics with dates in Epoch format instead
of ISO 8601 for use in Prometheus and optionally in the JSON API with
the "?date=epoch" request argument.
*) Feature: new "recovering" state for upstream peers in the statistics
API, indicating that a peer is slowly starting up after a failure, as
suggested by the "slow_start" option.
*) Feature: now the "-V" switch also shows the relevant version of
nginx, which is useful for compatibility with third-party utilities,
certbot in particular.
Thanks to AdvTechnoKing.
*) Feature: all functionality of nginx 1.25.4.
*) Bugfix: if the SSL session reuse mechanism "proxy_ssl_session_reuse"
was used and the list of proxied servers was dynamically updated, a
leak could occur in the shared memory zone configured for the
corresponding "upstream" block.
Changes with Angie 1.4.1 15 Feb 2024
*) Security: when using HTTP/3, a segmentation error may have occured in
a worker process while processing a specially crafted QUIC session
(CVE-2024-24989); note that Angie as of 1.4.0 is already not
vulnerable to CVE-2024-24990.
Changes with Angie 1.4.0 12 Dec 2023
*) Feature: support for establishing HTTP/3 connections to upstream
servers in the HTTP proxy module while allowing clients to use
arbitrary HTTP versions. Configuration is done with the
"proxy_http_version" directive and a set of "proxy_quic_" and
"proxy_http3_" directives.
*) Feature: a mechanism for smoothly bringing the proxied server online
after a failure using the "slow_start" option of the "server"
directive in the "upstream" block.
*) Feature: "mqtt_preread" directive in the "stream" module, which
allows extracting the username and client id from the CONNECT packet
of the MQTT protocol into the $mqtt_preread_username and
$mqtt_preread_clientid variables.
*) Feature: limiting the response rate of MP4 files transmission to the
client proportionally to the bitrate using the "mp4_limit_rate" and
"mp4_limit_rate_after" directives, which reduces the bandwidth load.
*) Feature: all functionality of nginx 1.25.3.
*) Bugfix: if a proxied server was the only one in a group, it could be
incorrectly reported as "unavailable" in the statistics API even
after recovery.
Changes with Angie 1.3.2 23 Nov 2023
*) Bugfix: possible incorrect values of metrics in Prometheus output
that used variables other than $p8s_value for their values; in
practice the issue could occur with
"angie_http_upstreams_peers_state" and
"angie_stream_upstreams_peers_state" from the standard
"prometheus_all.conf" template.
*) Bugfix: some connection attempts to upstream servers might not have
been properly accounted for in the statistics API if they failed
immediately; the bug had appeared in 1.3.0.
Changes with Angie 1.3.1 18 Oct 2023
*) Security: added extra limitations to HTTP/2 stream handling for
better protection against the DoS attack known as "HTTP/2 Rapid
Reset" (CVE-2023-44487).
Changes with Angie 1.3.0 19 Sep 2023
*) Feature: ability to specify multiple match patterns in the "location"
directive, which allows to combine several "location" blocks with
similar settings and therefore simplify configuration by reducing
duplication.
*) Feature: export of varied statistics metrics in Prometheus format
with flexible template configuration using the new "prometheus" and
"prometheus_template" directives.
*) Feature: detailed information and metrics for groups of stream
upstream servers in the statistics interface provided by the "api"
directive.
*) Feature: the "resolve" option of the "server" directive in the
"stream" module’s "upstream" block that allows to monitor changes to
the list of IP addresses corresponding to a domain name, and
automatically update it without the need of reloading configuration.
*) Feature: the "service" option of the "server" directive in the
"stream" module’s "upstream" block that allows to retrieve lists of
addresses from DNS SRV records, with basic priority support.
*) Feature: access to the contents of configuration files used by the
current generation of worker processes via the interface provided by
the "api" directive with the "api_config_files" directive enabled.
*) Feature: display of the configuration generation number in process
titles, which allows to monitor the success of configuration reloads
and the number of previous worker process generations using the "ps"
utility.
*) Feature: all functionality of nginx 1.25.2.
*) Bugfix: compilation failed when ./configure options
"--without-http_upstream_zone_module" or
"--without-stream_upstream_zone_module" were used; the bug had
appeared in 1.2.0.
*) Change: now appname "angie" is used when loading the OpenSSL
configuration.
Changes with Angie 1.2.0 30 May 2023
*) Feature: the "sticky" directive and related options in the HTTP
module "upstream" block, that allow to configure sticky sessions
mode, where all requests of the session are routed to the same
server.
*) Feature: the $upstream_sticky_status variable, that takes either
"NEW", "HIT" or "MISS" values depending on success of requesting
related upstream server with sticky sessions enabled.
*) Feature: support for NTLS in the HTTP and stream modules using
TongSuo TLS library, that can be enabled via the "--with-ntls" build
time option and configured with the "ssl_ntls" and "proxy_ssl_ntls"
corresponding directives.
*) Feature: in the HTTP and stream proxy-modules ability to specify
multiple certificates with different types (RSA and ECDSA) and
corresponding keys, using the "proxy_ssl_certificate" and
"proxy_ssl_certificate_key" directives.
*) Feature: display of version and build name in the "master" process
title, which allows to get this information about a running server
instance using the "ps" utility.
*) Feature: ability to compress "207 Multi-Status" responses by the gzip
module.
Thanks to DBotThePony.
*) Feature: all functionality of nginx 1.25.0, including HTTP/3 support.
Changes with Angie 1.1.0 24 Jan 2023
*) Feature: the "resolve" option of the "server" directive in the HTTP
module "upstream" block, that allows to monitor changes to the list
of IP addresses corresponding to a domain name, and automatically
update it without the need of reloading configuration.
*) Feature: the "service" option of the "server" directive in the HTTP
module "upstream" block, that allows to retrieve lists of addresses
from DNS SRV records, with basic priority support.
*) Feature: detailed information and metrics for the groups of HTTP
upstream servers in the statistics interface provided by the "api"
directive.
*) Feature: autoindex uses natural sorting order for directory listings.
*) Feature: all functionality of nginx 1.23.3.
*) Bugfix: compilation failed due to false warning when using GCC 9 or
older with the -O2 or higher optimization.
Changes with Angie 1.0.0 27 Oct 2022
*) Feature: the "api" directive, that provides HTTP RESTful interface
for accessing in JSON format basic information about a web server
instance, as well as metrics of client connections, shared memory
zones, DNS queries, HTTP requests, HTTP responses cache, TCP/UDP
sessions of "stream" module, and zones of "limit_conn/limit_req"
modules.
*) Feature: the "status_zone" directive in "http" module for specifying
zone to collect request metrics in "server" and "location" contexts.
*) Feature: the "status_zone" directive in "stream" module for
specifying zone to collect TCP/UDP session metrics.
*) Feature: the "status_zone" parameter of the "resolver" directive for
specifying zone to collect metrics on DNS queries.
*) Feature: the $angie_version variable with version of Angie.
*) Feature: all functionality of nginx 1.23.2.