# Change Log (5.x.x)

The format is based on Keep a Changelog (opens new window), and this project adheres to Semantic Versioning (opens new window).

What is a breaking change?

  • The original configuration file may not work, for example, if a directive item is removed or renamed.
  • It may be necessary to update the build environment, such as installing new dependencies.

# [5.5.1] - 2021-07-16 UTC+0800

# Fixed

  • Segmentation fault.

  • Memory leak.

# [5.5.0] - 2021-06-25 UTC+0800

# Changed

# [5.4.2] - 2021-06-15 UTC+0800

# Fixed

  • When POST inspection is enabled, POST requests are not logged in the access log.

# [5.4.1] - 2021-06-09 UTC+0800

# Fixed

  • The value of built-in variables may be wrong when the directive error_page is used.

# [5.4.0] - 2021-06-03 UTC+0800


The clone link for libinjection has been replaced in this release. The new link is https://github.com/libinjection/libinjection.git (opens new window).

# Added

# Changed

  • Add debug log related to built-in variable calculation.

# Fixed

  • POST inspection is not working.

# [5.3.2] - 2021-05-28 UTC+0800

# Fixed

  • Memory corruption.

# [5.3.1] - 2021-05-26 GMT+0800

# Fixed

  • Sometimes the module does not compile even if the dependencies are installed correctly.

# [5.3.0] - 2021-05-16 GMT+0800

# Added

  • New directive: waf_under_attack, which can be used when the site is under attack.

  • New directive: waf_http_status, which sets the HTTP status code returned when a request is blocked.

  • New built-in variable: $waf_blocking_log, not an empty string when the request is blocked for its value.

# Changed

  • Update default rules.

# Fixed

  • CC protection sometimes not work.

  • Cookie inspection sometimes not work.

# [5.1.2] - 2021-04-30 GMT+0800

# Added

  • Support for detecting SQL injection (powered by libinjection (opens new window)). This feature can be enabled by enabling the mode LIB-INJECTION, see the documentation for details.

# [5.1.1] - 2021-04-23 GMT+0800

# Fixed

  • URL and Referer whitelist are not working.

# [5.1.0] - 2021-04-20 GMT+0800

# Added

  • New built-in variable waf_log, which is not an empty string when this module has performed a inspection, but an empty string otherwise, mainly used in the directive access_log.

  • New built-in variable waf_spend, which records the time (in milliseconds) taken by this module to perform the inspection.

# [5.0.0] - 2021-04-07 GMT+0800


This version contains breaking changes.

# Added

  • A new mode CACHE has been added, enabling this mode will cache the results of each inspection to improve performance.

  • New configuration waf_cache has been added to set parameters related to cache.

  • Added directive waf_cc_deny to set CC protection related parameters.

  • New directive waf_priority has been added to set the priority of all checks except for POST checks.

  • The Retry-Afte (opens new window) response header is appended when the CC protection returns a 503 status code.

# Removed

  • The directive waf_cc_deny_limit is deprecated and replaced with the new directive waf_cc_deny.

# Changed

  • Swaps the default priority of CC protection and IP whitelist inspection.

# Fixed

  • Fixed a segmentation fault when the number of worker processes is greater than one.

  • Fixed a bug where CC protection statistics were sometimes inaccurate.