Version 1.7.x

Stable Releases



Server Core

  • [Security] More strict header validations
  • [Security] Detect HTTP/2 repaid reset attack and disable HTTP/2 for attacking IP.
  • [Improve] Update libmodsecurity to 3.0.11
  • [Bug Fix] Fix a HTTP/3 integration issue that causes high CPU usage.
  • [Bug Fix] Rewrite rule configured in parent directory is disabled due to an empty .htaccess.
  • [Bug Fix] Address a compatibility issue with Ruby application using Rack 3.0+.
  • [Bug Fix] Address issue in serving a HTTP range request.



Server Core

  • [Security] Apply more strict request header validation.
  • [Security] Update libmodsecurity to v3.10.
  • [Tuning] Lift default memory limit for external applications.
  • [Improvement] Add private cache session cookie detection for WordPress.



Server Core

  • [Security] Address request header smuggling over HTTP/2 and HTTP/3.
  • [New Feature] Add support for ARM aarch64 platform.
  • [Bug Fix] Update lsquic to v3.2.0.
  • [Bug Fix] Update libmodsecurity to v3.0.9.
  • [Bug Fix] Address passing large request headers to PHP-FPM.
  • [Bug Fix] Properly detect when out of disk space using posix_fallocate().
  • [Bug Fix] Support bcrypt authentication hash format starting with “$2b$”.
  • [Bug Fix] Other minor bug fixes.



Server Core

  • [Security] Address a few crashes and memory leaks in HTTP/3 implementation
  • [Improvement] Add support for vhost strict ownership validation.
  • [Improvement] Add pagination for long pages generated by auto index.
  • [Bug Fix] Block request header “transfer-encoding: chunked” for HTTP/2 and HTTP/3.
  • [Bug Fix] Correctly handle “next” flag in rewrite rule parser.
  • [Bug Fix] Address a few random crashes.



Server Core

  • [Security] Fixed a dynamic linking security issue, reported by RACK911.
  • [Improvement] New directory auto indexing script.
  • [Bug Fix] Fixed a few minor issues with cache engine.
  • [Bug Fix] “Force Strict Ownership” feature is fixed.
  • [Bug Fix] Address Bubblewrap integration issues.
  • [Bug Fix] Address an issue in including the same configuration file multiple times.



Server Core

  • [Bug Fix] Update libmodsecurity from v3.0.4 to v3.0.5.
  • [Bug Fix] Address a crash in handling range requests to files without a suffix (introduced in OLS v1.7.12).
  • [Bug Fix] Address a corner case that breaks POST requests without a content length header for HTTP/2 or QUIC streams.
  • [Bug Fix] Address a crash in IP fetching code (introduced in OLS v1.7.13).



Server Core

  • [New Feature] Auto whitelist and Cloudflare IPs.
  • [New Feature] Auto whitelist local IP.
  • [Bug Fix] Address random 500 responses when serving cached pages.
  • [Bug Fix] Do not send “Content-type” header for static files without a filename suffix.
  • [Bug Fix] Cleanup admin.sock.* automatically.



Server Core

  • [Improvement] Update lsquic to v3.0.2 to address a chrome HTTP/3 connection timeout issue for long-running scripts.
  • [New Feature] Add support for “blockbot” environment variables to block botnets via rewrite rules.
  • [New Feature] Add support for 444 status code to block botnets.
  • [Misc] Cleanup old code that broke ARMv64 builds.
  • [Misc] Update some confusing log messages.



Server Core

  • [Feature] HTTP/3 version 1 is now available.
  • [Feature] Compression for rotated error log is now available.
  • [Bug Fix] More solid SO_REUSEPORT implementation.
  • [Bug Fix] A few random crashes have been fixed.



Server Core

  • [New Feature] Zero downtime graceful restart.
  • [New Feature] Allow Proxy External Apps to proxy to Unix Domain Sockets.
  • [Bug Fix] Properly adjust SO_REUSEPORT shards based on server workers configuration.\
  • [Bug Fix] Address random crashing in Layer4 handler.
  • [Misc] Address most compiler warnings.



Server Core

  • [Security] Sanitize external application commands and user/group configurations. (github issue 217)
  • [Security] Do not allow setuid in external applications by dropping the SETUID capability.
  • [Feature] Simplify CGROUPS support.
  • [Bug Fix] Bubblewrap is now correctly enabled. (github issue 223)
  • [Bug Fix] Eliminate random delay when proxying secured websocket connections to the backend. (github issue 219)
  • [Bug Fix] Avoid excessive logging for proxy request headers. (github issue 166)
  • [Bug Fix] Address proxy request body corruption caused by request header manipulations. (github issue 192)
  • [Bug Fix] Improve logging for OCSP stapling errors. (github issue 177)
  • [Bug Fix] Address hanging chunked input streams.
  • [Bug Fix] Add support for “noconntimeout” environment variable.



Server Core

  • [Improvement] Address Sanitizer build now works properly.
  • [Improvement] Better debug logging.
  • [Bug Fix] Address memory leaks in cache engine, server configuration, and other components.
  • [Bug Fix] Properly handle request/response headers up to 64KB in size.
  • [Bug Fix] Correct TLS session Ticket key rotation with short timeout.
  • [Bug Fix] Address memory access problems causing random crashes in a few cases.
  • [Bug fix] Bundle LSQUIC v2.27.3 with the latest bug fixes for HTTP/3.



Server Core

  • [Tuning] Some internal cookies are now excluded by the cache module.
  • [Tuning] Update HttpVHost::addPythonApp() to allow 4 ENV values (PYTHONPATH, LSAPI_STDERR_LOG, LSAPI_CHILDREN, LSAPI_KEEP_LISTEN) to be set from the config file (previously hard-coded).
  • [Bug Fix] Address HTTP/3 sometimes not working after a restart.
  • [Bug Fix] Correct a multiple response header processing bug.
  • [Bug Fix] Piped access logger should work now.
  • [Bug Fix] Update checkCtrlEnv() to enable multiple “vary” values to be added for cache vary cookie.


  • [New Feature] Improve Delayed ACKs extension and turn it on by default.
  • [Bug Fix] Correct a few corner cases affecting throughtput.
  • [Bug Fix] Minor bug fixes: ECN counts, Qpack memory leak, etc.



Server Core

  • [New Feature] Add more QUIC configuration settings.
  • [Tuning] Tune some cache module and modsecurity-ls module error messages.
  • [Tuning] Allow handling packets up to MTU 1500.
  • [Tuning] Update to support centos8 and ubuntu20.
  • [Bug Fix] Update HttpSession::smProcessReq() to add ‘HSF_REQ_BODY_DONE’ processing to ‘HSPS_HANDLER_PRE_PROCESSING’
  • [Bug Fix] Correct an IPv6 matching issue when accessing allow/deny IP list.
  • [Bug Fix] Remove some incorrect asserts that were causing crashes.
  • [Bug Fix] Add ‘connection’ header to cache module Bypass Header list so that cache can work with HTTP/2 for Safari, curl, and so on.


  • [Bug fix] Path migration when client uses zero-length connection ID.
  • [Bug fix] Handshake fixes: packet padding and coalescing.



Server Core

  • [New Feature] Add HTTP/2 GREASE frame and GREASE for SETTINGS support. (Refs:,
  • [Update] Support ‘-b” (under development) and ‘-s(address sanitizer version) option in
  • [Tuning] LSAPI get_req_header_by_id() now sets the returned valLen value in all cases.
  • [Tuning] No longer convert ‘*:port’ to ‘’ while parsing the config.
  • [Tuning] Update to build libbcrypt when installing the server.
  • [Tuning] Update HttpContext::configRewriteRule() to match the max line length when using plain conf.
  • [Bug Fix] Normalize listener socket address, especially for IPv6, so it can match the listener address passed from the previous instance during a graceful restart.
  • [Bug Fix] Address a crash bug in cache module.
  • [Bug Fix] Address a bug that was preventing Rails applications from running correctly.
  • [Bug Fix] Address a crash bug in HttpReq::shouldAddExpires().
  • [Bug Fix] Address a compilation issue on FreeBSD.
  • [Bug Fix] Address a memory overflow bug caused by an issue with access log custom formats.


  • [New Feature] “QUIC bit grease” extension.
  • [New Feature] DPLPMTUD support (RFC 8899).
  • [New Feature] QUIC and HTTP/3 Internet Draft 30,31 support.
  • [New Feature] Adaptive congestion controller.


  • [Bug Fix] Correct access log settings in template config.
  • [Bug Fix] Address unwanted behavior for log viewer browsing buttons.



Server Core

  • [New Feature] “Expires” header can now be applied to range responses and FLV/h264 streams.
  • [New Feature] Add dedicated bcrypt password hash support for HTTP authentication.
  • [Improvement] Add support for Alpine Linux.
  • [Update] Remove duplicate function calls in HttpSession::nextRequest().
  • [Update] Prevent starting cgid in config testing mode in CgidWorker::config().
  • [Update] Example index page now uses absolute paths for css and img files to avoid redirect errors.
  • [Tuning] Use $VH_NAME instead of ‘Example’ in conf/vhosts/Example/vhconf.conf.
  • [Bug Fix] Update autoindex script to make page layout responsive and stop the following of symbolic links.
  • [Bug Fix] delay_stop no longer breaks graceful restart.
  • [Bug Fix] Address PHP scripts changing error page status codes to 200.
  • [Bug Fix] htmlspecialchars() no longer returns a blank string without ENT_SUBSTITUTE flag for special chars.



Server Core

  • [Update] Upgrade LSQUIC to v2.18.0.
  • [Update] Upgrade installation LSPHP to v74.
  • [Update] Change reCAPTCHA API URL from ‘’ to ‘’ to avoid blocking in some countries.
  • [Tuning] Set ‘compressibleTypes’ value in the default server config file to “default” to use the server built-in defaults which already contain most common types such as ‘application/json’ etc.
  • [Tuning] Avoid reCAPTCHA verification for ‘/.well-known/’ URL.
  • [Tuning] Detect ‘X-Real-Ip’ header in a similar way to the ‘CF-Connecting-IP’ header and update client IP info accordingly.
  • [Tuning] Improve suspend/resume event logic in cases where there is pending data at the SSL layer.
  • [Bug Fix] Correct GeoIP not working issue introduced in v1.7.2.
  • [Bug Fix] Serving chunk encoding data no longer causes crashing.
  • [Bug Fix] Plug a memory leak caused when failing to save pending xpool bigblock link list.
  • [Bug Fix] Updating a file while it is being served no longer causes crashing.



Server Core

  • [New Feature] “Use Client IP in Header” setting can now be set to use the last IP listed in the X-Forwarded-For header. (for servers behind AWS ELB)
  • [Update] Incorporate changes from versions 1.6.13 and 1.6.14.
  • [Update] Upgrade LSQUIC to v2.16.3.
  • [Update] Bypass m_request verification in HttpSession::processContextAuth() for /.well-known/acme-challenge/.
  • [Tuning] Improved HTTP/2 code.
  • [Tuning] Set ‘compressibleTypes’ value in the default server config file to “default” to use the server built-in defaults which already contain most common types such as ‘application/json’ etc.
  • [Bug Fix] Correct a VMemBuf::mapNextWBlock bug that was causing crashes.
  • [Bug Fix] Handle unknown status codes by using status code 200 instead.
  • [Bug Fix] Stop comparisons on uninitialized numbers in HttpReq::classifyUrl().
  • [Bug Fix] Address lsrecaptcha incompatibility with IE 11 due to Javascript ‘async’ and ‘await’ keywords.
  • [Bug Fix] Resolve multiple memory related bugs.



Server Core

  • [Security] Prevent setting log file names ending in “.php”, “.php71”, etc.
  • [New Feature] Added support for error code 451 “Unavailable For Legal Reasons”.
  • [Update] Updated LSQUIC to v2.12.1. (
  • [Update] Prevent assignment of port 80 or port 443 to WebAdmin Console.
  • [Improvement] Config files are now parsed more quickly.
  • [Improvement] Added support for Centos8.
  • [Tuning] Change default “disableInitLogRotation” value to 1 for error log.
  • [Bug Fix] Fixed some modsecurity module compilation errors.
  • [Bug Fix] Fixed a rewrite conf parsing bug that could cause a 404 for some existing pages.
  • [Bug Fix] HttpVHost::addPythonContext() now updates the python context to avoid naming the virtual directory to the same name as the physical directory.

V1.7.0 RC1


Server Core

  • [New Feature] Added SO_REUSEPORT feature for server listening sockets to improve server performance.
  • [Improvement] Added support for Centos8.
  • [Improvement] Improved detail of logged cache errors.
  • [Update] Incorporated all changes up to version 1.6.9.
  • [Update] Updated Example/upload.html to display more information about related optional modules.
  • [Update] Updated to support systemctl.
  • [Bug Fix] Fixed a bug where server process would not always release the assigned port during “restart service” causing this action to fail.
  • [Bug Fix] Fixed a crash when UserAgent header value was empty.
  • [Bug Fix] Fixed a compilation issue on Centos.
  • [Bug Fix] Fixed lsphp installation issues for Centos.
  • [Bug Fix] Fixed a few hidden Http/2 bugs.
  • [Bug Fix] Fixed mod_security compilation issue.