# Change Log (5.x.x)
What is a breaking change?
- The original configuration file may not work, for example, if a directive item is removed or renamed.
- It may be necessary to update the build environment, such as installing new dependencies.
# [5.5.1] - 2021-07-16 UTC+0800
# [5.5.0] - 2021-06-25 UTC+0800
- Because of high false positives, libinjection (opens new window)-based XSS attack detection has been disabled in working modes
# [5.4.2] - 2021-06-15 UTC+0800
- When POST inspection is enabled, POST requests are not logged in the access log.
# [5.4.1] - 2021-06-09 UTC+0800
- The value of built-in variables may be wrong when the directive
# [5.4.0] - 2021-06-03 UTC+0800
The clone link for
libinjection has been replaced in this release. The new link is https://github.com/libinjection/libinjection.git (opens new window).
- Anti XSS (powered by libinjection (opens new window)).
- Add debug log related to built-in variable calculation.
- POST inspection is not working.
# [5.3.2] - 2021-05-28 UTC+0800
- Memory corruption.
# [5.3.1] - 2021-05-26 GMT+0800
- Sometimes the module does not compile even if the dependencies are installed correctly.
# [5.3.0] - 2021-05-16 GMT+0800
waf_under_attack, which can be used when the site is under attack.
waf_http_status, which sets the HTTP status code returned when a request is blocked.
New built-in variable:
$waf_blocking_log, not an empty string when the request is blocked for its value.
- Update default rules.
CC protection sometimes not work.
Cookie inspection sometimes not work.
# [5.1.2] - 2021-04-30 GMT+0800
- Support for detecting SQL injection (powered by libinjection (opens new window)). This feature can be enabled by enabling the mode
LIB-INJECTION, see the documentation for details.
# [5.1.1] - 2021-04-23 GMT+0800
- URL and Referer whitelist are not working.
# [5.1.0] - 2021-04-20 GMT+0800
New built-in variable
waf_log, which is not an empty string when this module has performed a inspection, but an empty string otherwise, mainly used in the directive
New built-in variable
waf_spend, which records the time (in milliseconds) taken by this module to perform the inspection.
# [5.0.0] - 2021-04-07 GMT+0800
This version contains breaking changes.
A new mode
CACHEhas been added, enabling this mode will cache the results of each inspection to improve performance.
waf_cachehas been added to set parameters related to cache.
waf_cc_denyto set CC protection related parameters.
waf_priorityhas been added to set the priority of all checks except for POST checks.
The Retry-Afte (opens new window) response header is appended when the CC protection returns a 503 status code.
- The directive
waf_cc_deny_limitis deprecated and replaced with the new directive
- Swaps the default priority of CC protection and IP whitelist inspection.
Fixed a segmentation fault when the number of worker processes is greater than one.
Fixed a bug where CC protection statistics were sometimes inaccurate.