Releases: ferronweb/ferron

2.7.0

27 Mar 14:10

Added

  • DNSimple DNS provider for DNS-01 ACME challenges.
  • Support for IP-based TLS certificates.
  • Support for JSON-format access logs.

Changed

  • Introduced a new, customized message displayed when the web server crashes.

Fixed

  • A large enough PROXY v2 header could crash the web server if the PROXY protocol was enabled.
  • IP-based host blocks weren't applied correctly.
  • Path traversal might have been possible if the URL sanitizer was disabled and path canonicalization failed.
  • Server and Alt-Svc (for HTTP/3) headers couldn't be modified or removed.
  • The Proxy header was passed when using CGI, FastCGI or SCGI (see https://httpoxy.org/).

2.6.0

10 Mar 05:26

Added

  • Configuration directive for aborting an HTTP request.
  • Support for dynamic SRV-based backend discovery for reverse proxy upstreams.
  • Support for file size-based log rotation.
  • Support for reusable snippets across different KDL configuration files.
  • Support for Unix socket backends in the forwarded authentication module.

Changed

  • Replaced the OCSP stapling implementation (that implemented RFC 5019) with a new implementation that implements RFC 6960.
  • The Host header is no longer rewritten to the proxy request URL's host by default when using plaintext HTTP for the backend servers.

Deprecated

  • Rego-based subconditions are deprecated and will be removed in a future release.

Fixed

  • Body replacement MIME type filtering was not applied correctly.
  • Duplicate error log entries in certain cases.
  • ETag matching wasn't applied correctly when If-Match or If-None-Match headers contained multiple ETags.
  • HEAD requests for directory listings caused responses with a body.
  • HTTP compression support sometimes chose the wrong compression algorithm.
  • Redirect loop when using the wwwredirect directive and requesting with a hostname without a port.
  • TCP listener failures caused by too many open file descriptors led to an infinite logging loop.
  • The Content-Range header was omitted in some 416 Range Not Satisfiable responses when serving static files.
  • The least-connections algorithm sometimes incorrectly selected the backend with the most connections.
  • Using Ferron with ACME directories that offer challenge types that don't present a token (like DNS-PERSIST-01) caused "missing field token" errors (fixed in instant-acme).

2.5.5

11 Feb 21:51

  • Fixed OTLP data not being sent after configuration reloads.

2.5.4

11 Feb 14:53

  • Fixed high CPU usage after configuration reloads caused by the OCSP stapler.

2.5.3

11 Feb 11:36

  • Fixed process-related metrics not being sent at all.

2.5.2

11 Feb 08:07

  • Improved memory usage during configuration reloads.

2.5.1

10 Feb 16:31

  • Fixed graceful shutdowns when reloading the server configuration.

2.5.0

10 Feb 15:29

  • Added support for logging to standard I/O.
  • Added support for saving TLS certificates and private keys (when using automatic TLS functionality) to disk and executing commands afterwards.
  • Added support for sending the Forwarded HTTP header to backend servers as a reverse proxy.
  • Added support for specifying configuration in command-line arguments.
  • Added the ferron serve subcommand.
  • Fixed the TLS certificate not being resolved for the "localhost" SNI hostname.
  • Optimized the server configuration lookup performance.
  • Optimized the SNI certificate resolution performance.
  • Refreshed the default placeholder page design.
  • The server now differentiates between file types in directory listings.
  • The server now reuses threads when reloading the configuration, if possible.
  • The server now shuts down multiple threads at once when reloading the configuration.

2.4.1

17 Jan 15:13

  • Fixed a rarely occurring crash when upgrading a backend server's HTTP connection as a reverse proxy.

2.4.0

17 Jan 06:19

  • Added bunny.net, DigitalOcean and OVH DNS providers for the DNS-01 ACME challenge.
  • Added support for HTTP Basic authentication for forward proxying.
  • Fixed ACME cache file handling during certificate renewals. Cache files are now correctly truncated when rewritten, preventing stale data from causing parse failures.
  • Fixed brute-force protection not being able to be disabled due to an incorrect configuration validation check.
  • Fixed the Connection header for reverse proxying being set to keep-alive, keep-alive.
  • Fixed graceful shutdown (during configuration reloading) for the HTTP/3 server.
  • Fixed precompressed files not being picked up when the original filename doesn't have a file extension.
  • Fixed the original request URL not being preserved when the server is configured to rewrite URLs using the rewrite directive.
  • Fixed trailing slash redirects leading to a URL without the base when the remove_base prop of a location block is set to #true.
  • Fixed URL rewrites not being applied when the remove_base prop of a location block is set to #true.
  • Improved compliance of static file serving functionality with RFC 7232 (conditional requests) and RFC 7233 (range requests).
  • The forwarded authentication module now uses an unlimited idle kept-alive connection pool, just like the reverse proxy module.
  • The server now falls back to running with io_uring disabled when io_uring can't be initialized and io_uring is implicitly enabled.
  • The server now logs a warning if the status 200 directive is used without specifying a response body.
  • The server now performs cleanup of TLS-ALPN-01 and HTTP-01 challenges after obtaining the TLS certificates.
  • The server now reuses connections that aren't ready after waiting for readiness when the concurrent limit is reached, instead of establishing a new connection.