- [Security] Sanitize external application commands and user/group configurations. (github issue 217)
- [Security] Do not allow setuid in external applications by dropping the SETUID capability.
- [Feature] Simplify CGROUPS support.
- [Bug Fix] Bubblewrap is now correctly enabled. (github issue 223)
- [Bug Fix] Eliminate random delay when proxying secured websocket connections to the backend. (github issue 219)
- [Bug Fix] Avoid excessive logging for proxy request headers. (github issue 166)
- [Bug Fix] Address proxy request body corruption caused by request header manipulations. (github issue 192)
- [Bug Fix] Improve logging for OCSP stapling errors. (github issue 177)
- [Bug Fix] Address hanging chunked input streams.
- [Bug Fix] Add support for “noconntimeout” environment variable.
- [Improvement] Address Sanitizer build now works properly.
- [Improvement] Better debug logging.
- [Bug Fix] Address memory leaks in cache engine, server configuration, and other components.
- [Bug Fix] Properly handle request/response headers up to 64KB in size.
- [Bug Fix] Correct TLS session ticket key rotation with short timeout.
- [Bug Fix] Address memory access problems causing random crashes in a few cases.
- [Tuning] Update install.sh to support centos8 and ubuntu20.
- [Tuning] Update HttpVHost::addPythonApp() to allow 4 ENV values (PYTHONPATH, LSAPI_STDERR_LOG, LSAPI_CHILDREN, LSAPI_KEEP_LISTEN) to be set from the config file (previously hard-coded).
- [Tuning] Adjust HttpServerImpl::gracefulShutdown() to setSigStop to avoid crash.
- [Bug Fix] Piped access logger should work now.
- [Bug Fix] Update checkCtrlEnv() to enable multiple “vary” values to be added for cache varycookie.
- [Bug Fix] Update HttpSession::smProcessReq() to add ‘HSF_REQ_BODY_DONE’ processing to ‘HSPS_HANDLER_PRE_PROCESSING’.
- [Bug Fix] Fixed two congestion controller bugs that led to poor performance in some circumstances.
- [Bug Fix] Fixed a few small memory leaks.
- [Bug Fix] Fixed a bug in HTTP/3 framing.
- [Bug Fix] Fixed IETF QUIC handshake bug when client’s Initial packet arrives late.
- [Tuning] Update rc-inst.sh to create a symlinked file for lsws.service to improve lsws service compatibility in CentOS 7.
- [Tuning] Follow ip2location 8.1.4 library API changes.
- [Tuning] Add MIME type image/avif.
- [Tuning] Send HTTP/2 connection GOAWAY frame as soon as all streams are finished during server graceful shutdown.
- [Tuning] Use localtime instead of gmtime for strftime() when printing timestamps in access log.
- [Bug Fix] Correct an IPv6 matching issue when accessing allow/deny IP list.
- [Bug Fix] Remove some incorrect asserts that were causing crashes.
- [Bug Fix] Add ‘connection’ header to cache module Bypass Header list so that cache can work with HTTP/2 for Safari, curl, and so on.
- [Bug Fix] Corrected Reverse NOESCAPE flag logic for redirect actions.
- [Bug Fix] Update AccessLog::customLog() to ensure appended buffer is less than available space.
- [Bug Fix] Add missing “x-Forwarded-For” header ID conversion from gpack decoded header.
- [Bug Fix] Plug memory leak in IETF full conn dtor: cleanup closed IDs sets.
- [Bug Fix] Plug memory leak: free pushed promise when refcnt is zero.
- [Bug Fix] Deactivate only *recent* HQ frame, not any HQ frame.
- [Bug Fix] Correct access log settings in template config.
- [Bug Fix] Address unwanted behavior for log viewer browsing buttons.
- [New Feature] Apply Expires header to range responses and FLV/h264 streams.
- [New Feature] Add HTTP/2 GREASE frame and GREASE for SETTINGS support. (Refs: https://bugs.chromium.org/p/chromium/issues/detail?id=1123912, https://mikebishop.github.io/http-misc-extensions/draft-bishop-httpbis-grease.html)
- [Update] Upgrade LSQUIC to v2.12.8 (https://github.com/litespeedtech/lsquic/releases/tag/v2.12.8)
- [Update] Support ‘-b’ (under development) option in lsup.sh.
- [Tuning] LSAPI get_req_header_by_id() now sets the returned valLen value in all cases.
- [Tuning] No longer convert ‘*:port’ to ‘0.0.0.0:port’ while parsing the config.
- [Tuning] Update build.sh to build libbcrypt when installing the server.
- [Tuning] Update HttpContext::configRewriteRule() to match the max line length when using plain conf.
- [Bug Fix] Normalize listener socket address, especially for IPv6, so it can match the listener address passed from the previous instance during a graceful restart.
- [Bug Fix] Address a crash bug in cache module.
- [Bug Fix] Address a bug that was preventing Rails applications from running correctly.
- [Bug Fix] Update autoindex script to make page layout responsive and no longer follow symbolic links.
- [Bug Fix] htmlspecialchars() no longer returns a blank string without the ENT_SUBSTITUTE flag for special chars.
- [Bug Fix] Correct access log settings in template config.
- [Bug Fix] Address unwanted behavior for log viewer browsing buttons.
- [Major New Feature] Bubblewrap isolated CGI/PHP execution environments.
- [Update] Upgrade installation LSPHP to v74.
- [Update] Update LSQUIC to v2.12.7. (https://github.com/litespeedtech/lsquic/releases/tag/v2.12.7)
- [Tuning] Localize WebAdmin Console Google fonts and JS files.
- [Tuning] Set default server config file ‘compressibleTypes’ value to “default” (use the built-in defaults which already contain most common types such as ‘application/json’ etc).
- [Tuning] Change reCAPTCHA API URL from ‘www.google.com’ to ‘www.recaptcha.net’ to avoid blocking in some countries.
- [Tuning] Avoid reCAPTCHA verification for ‘/.well-known/’ URL.
- [Tuning] Detect ‘X-Real-Ip’ header in a similar way to the ‘CF-Connecting-IP’ header and update client IP info accordingly.
- [Tuning] Use $VH_NAME instead of ‘Example’ in conf/vhosts/Example/vhconf.conf.
- [Bug Fix] Address some crash issues in server DEBUG version.
- [Bug Fix] Address uninitialized number comparison bug in HttpReq::classifyUrl().
- [Bug Fix] Avoid crash caused by using failed ChunkOutputStream::write() call return values.
- [Bug Fix] Do not suspend write if there is still pending data at the SSL layer.
- [Bug Fix] Address memory leak caused by failure to save pending xpool bigblock linked list.
- [Bug Fix] Address PHP scripts changing error page status codes to 200.
- [Bug Fix] HttpServerImpl::onTimer30Secs is no longer run while server is in the middle of quitting.
- [Bug Fix] Tune RadixNode::getHeader() to avoid accessing passed in NULL pointers.
- [Update] Add ruby-lsapi-5.0 gem compatibility to RackRunner.rb. (Similar to LSWS implementation)
- [Update] Cache module now bypasses a number of pre-defined varies to avoid encountering a 500 error for those cases.
- [Update] Upgrade LSQUIC to v2.12.4
- [Update] Add ubuntu 20 support to build.sh.
- [Bug Fix] Correct a cache engine bug that was causing file writes to occur in the wrong location in the file.
- [Bug Fix] Correct ownership/permissions for conf directory and its sub-directories.
- [Bug Fix] Server should now correctly use a newly assigned unix domain socket address when the default socket address is already occupied.
- [Security] Limit sample upload testing page to only support jpeg file uploads.
- [Security] Prevent access log from being set to ‘/etc’, ‘/tmp’, or ‘/bin’ directories.
- [New Feature] Added support for error code 451 “Unavailable For Legal Reasons”.
- [New Feature] Cache hit info is now included in real time stats file.
- [Update] Updated LSQUIC Library to v2.12.2. (https://github.com/litespeedtech/lsquic/releases/tag/v2.12.2)
- [Improvement] Update installation script to generate self-signed certificates that are supported by Mac OS browsers.
- [Improvement] lsadm is now added to current server defined group on server start if not already set.
- [Bug Fix] Fixed an uninitialized pointer bug introduced in the latest version of the mod_sec module.
- [Bug Fix] Fixed a plainconf parsing bug with module handler contexts.
- [Bug Fix] Fixed a pagespeed module compilation issue for Debian and Centos8 systems.
- [Bug Fix] Fixed a variable not defined error when executing freebsdFix() in script build.sh.
- [Bug Fix] Server no longer tries to add mod_gzip to the current session when session hook is not initialized.
- [Bug Fix] Fixed a rewrite conf parsing bug that could cause a 404 for some existing pages.
- [Update] Updated LSQUIC to v2.12.1. (https://github.com/litespeedtech/lsquic/releases/tag/v2.12.1)
- [Improvement] Config files are now parsed more quickly.
- [Tuning] Change default “disableInitLogRotation” value to 1 for error log.
- [Tuning] Updated some log message levels to reduce redundant log messages.
- [Bug Fix] Fixed mod_security.cpp v3.0.4+ compilation errors.
- [Bug Fix] HttpVHost::addPythonContext() now updates the python context to avoid giving the virtual directory the same name as the physical directory.
- [Bug Fix] Fixed a modverinfo.sh output result error.
- [Security] Prevent setting log file names ending in “.php”, “.php71”, etc.
- [Improvement] Added support for Centos8.
- [Update] Prevent assignment of port 80 or port 443 to WebAdmin Console.
- [Update] Updated Example/upload.html to display more information about related optional modules.
- [Update] Updated lsup.sh to support systemctl.
- [Bug Fix] Fixed a rare logging crash.
- [Bug Fix] Fixed a crash when UserAgent header value was empty.
- [Bug Fix] Fixed a compilation issue on Centos.
- [Bug Fix] Fixed lsphp installation issues for Centos.
- [Bug Fix] Fixed a few hidden HTTP/2 bugs.
- [Bug Fix] Fixed mod_security compilation issue.
- [Improvement] Fixed access log entries listing HTTP/1.1 for HTTP/2 connections.
- [Update] Reduced the number of QUIC log entries written at lower levels.
- [Update] Updated LSQUIC to v2.10.6.
- [QUIC] Fixed HTTP/3 framing: don’t misinterpret rare occurrence as error.
- [QUIC] Fixed compilation on FreeBSD.
- [Bug Fix] Fixed file uploads failing for QUIC connections.
- [Bug Fix] Fixed some errors with the lsup.sh tool.
- [Bug Fix] Fixed lswsctrl restart command failing on CentOS.
- [New Feature] Expired cache entries are now automatically removed to free up space.
- [New Feature] Updated cache to only serve litespeed cache related headers for frontend requests.
- [New Feature] Skip rewrite processing for Let’s Encrypt verification requests.
- [Improvement] Fixed some minor issues in internal cache manager module.
- [Improvement] REFRESH URI cache requests are now equivalent to a stale purge.
- [Improvement] Added response header entry for URI stale purge.
- [Improvement] Improved cache purge accuracy.
- [Update] Update context configure to auto add a trailing ‘/’ to the location if it is a directory.
- [Update] Update lsup.sh tool to add support for the -e parameter flag, which is used to only upgrade binaries.
- [Bug Fix] Fixed cache cleanup not getting called when “storagepath” config setting was not set.
- [Bug Fix] Fixed a crash bug when parsing rewrite rules that occurred in very rare cases.
- [Tuning] Ensure that buffered SSL data is flushed near the end of related event processing.
- [Update] Updated lsquic to version 2.10.1 (https://github.com/litespeedtech/lsquic/releases/tag/v2.10.1)
- [Bug Fix] Fixed a code regression causing some old bugs to be reintroduced (Cannot enable QUIC, http2 upload issue, etc).
- [Bug Fix] Process start time is now detected correctly.
- [Bug Fix] Fixed a NodeJS wrapper script failing to handle startup files referenced by absolute path.
- [Security] Update WebAdmin Console to avoid serving PHP files not belonging to it.
- [New Feature] Skip rewrite processing for Let’s Encrypt verification requests.
- [New Feature] Add “Subject Alternative Name” item to self signed certificate.
- [Update] Updated lsquic to version 2.9.0 (https://github.com/litespeedtech/lsquic/releases/tag/v2.9.0)
- [Bug Fix] Fixed “uninitialized member”, “connect with empty socket address”, and “virtual memory buffer uninitialized” crash bugs.
- [Bug Fix] Fixed a resource leak bug caused by unclosed file handles.
- [Bug Fix] Fixed static file contexts not serving correctly.
- [Bug Fix] reCAPTCHA verification page is no longer cached.
- [Bug Fix] Fixed old server process lingering after restart when active QUIC clients existed.
- [Security] Initial webadmin password for new installations is now randomized.
- [Security] Improved WebAdmin Console security by strictly checking request URLs.
- [Update] Incorporated version 1.5.10 changes.
- [Update] Updated lsquic to version 2.8.3 (https://github.com/litespeedtech/lsquic/releases/tag/v2.8.3).
- [Update] Updated WebAdmin Console to show new releases for both the current release branch and the latest release branch.
- [Update] Updated Cache module to track and write file errors and abort serving files from cache when an error occurs.
- [Bug Fix] Disable memory mapping when serving static files to avoid crashes in some cases.
- [Bug Fix] Fixed a memory access bug when logging errors.
- [Bug Fix] Fixed some crashes involving Spdy connections in older browsers.
- [Bug Fix] Fixed handling for virtual host URIs that do not end in a ‘/’ character.
- [Bug Fix] Fixed cache timer not being called when no cache storage path was set.
- [Updated] Added some lsphp73 dependencies to installation.
- [Update] Updated lsquic to version 2.6.5 (https://github.com/litespeedtech/lsquic/releases/tag/v2.6.5).
- [Bug Fix] Fixed “use after free” issue by avoiding recursive NtwkIOLink::handleEvents() calls.
- [Bug Fix] Fixed permission issues with `autoupdate/` and `tmp/` directories.
- [Bug Fix] Fixed a bug that caused excessive buffering for HTTP/2 connections.
- [Bug Fix] Fix Context level external redirects causing errors.
- [New Feature] Added support for ‘LS_STDERR_LOG’ environment variable to set up the stderr log file for started processes.
- [Update] Update mod_security-ls to always go through reqbody and respBody phases.
- [Update] lsphp 73 is now used on Linux platforms.
- [Update] Updated lib lsquic to v2.6.3 (https://github.com/litespeedtech/lsquic/releases/tag/v2.6.3)
- [Update] Default conf values for maxConns, procSoftLimit, procHardLimit, and env PHP_LSAPI_CHILDREN have been changed to be more reasonable.
- [Bug Fix] Fixed a cache module and mod_security-ls conflict that could cause a crash.
- [Bug Fix] Fix some mod_security-ls compilation issues.
- [Bug Fix] Fixed a rare crash that occurred when failing to create new cache entries.
- [Update] Removed libgeoip dependency.
- [Update] Use LSPHP 7 by default.
- [Update] Update to liblsquic 2.4.10 (fixing several bugs relating to QUIC and HTTP/3).
- [Bug Fix] Fixed a bug causing a “[modcompress] AddHooks failed” error.
- [Bug Fix] Fixed “No request delivery notification has been received from LSAPI application …” error being logged when a background process’ running time is larger than 10 seconds.
- [Bug Fix] Fixed debug log toggle not working.
- [Bug Fix] Fixed Accept-Encoding header being case sensitive.
- [Bug Fix] Fixed UDS files not being cleaned up.
- [Bug Fix] Fixed installation issue with the lshttpd service.
- [Bug Fix] Fixed a network throttling bug that prevented paused SSL connections from being resumed.
- [New Feature] Added stale purge support. With this feature, only the first visitor to a stale cache page will hit the backend with subsequent visitors getting served the stale cache copy until the page has finished being re-cached by the first request.
- [Improvement] Restart detached PHP processes when PHP binary is changed.
- [Update] Update HTTP/3 support to include the latest HTTP/3 draft (h3-23).
- [Update] Update QUIC to make BBR congestion control the algorithm used by default.
- [Update] Update some error log message levels to be more reasonable.
- [Bug Fix] Fixed a memory issue in pagespeed module.
- [Bug Fix] Fixed some build.sh errors to avoid errors.
- [Bug Fix] Fixed a bug in Makefile.am to ensure that `./configure` still works.
- [Bug Fix] Fixed an access log bug where traffic byte count was sometimes not reset between requests.
- [Major New Feature] Added Google QUIC and HTTP/3 (Internet Draft 22) support.
- [New Feature] Added build.sh, a new build tool to build from source code (including any dependencies) for most platforms in a single click.
- [Improvement] Added compilation support for FreeBSD, Mac, Ubuntu 19.
- [Bug Fix] Fixed a PHP memory limit bug.