The big ticket feature in this release is CEL expression matching support. This allows you to tailor your approach for the individual services you are protecting.
These can be as simple as:
```yaml
- name: allow-api-requests
  action: ALLOW
  expression:
    all:
      - '"Accept" in headers'
      - 'headers["Accept"] == "application/json"'
      - 'path.startsWith("/api/")'
```
Or as complicated as:
```yaml
- name: allow-git-clients
  action: ALLOW
  expression:
    all:
      - >-
        (
          userAgent.startsWith("git/") ||
          userAgent.contains("libgit") ||
          userAgent.startsWith("go-git") ||
          userAgent.startsWith("JGit/") ||
          userAgent.startsWith("JGit-")
        )
      - '"Git-Protocol" in headers'
      - headers["Git-Protocol"] == "version=2"
```
The docs have more information, but here's a tl;dr of the variables you have access to in expressions:
| Name | Type | Explanation | Example |
|---|---|---|---|
| `headers` | `map[string, string]` | The headers of the request being processed. | `{"User-Agent": "Mozilla/5.0 Gecko/20100101 Firefox/137.0"}` |
| `host` | `string` | The HTTP hostname the request is targeted to. | `anubis.techaro.lol` |
| `method` | `string` | The HTTP method in the request being processed. | `GET`, `POST`, `DELETE`, etc. |
| `path` | `string` | The path of the request being processed. | `/`, `/api/memes/create` |
| `query` | `map[string, string]` | The query parameters of the request being processed. | `?foo=bar` -> `{"foo": "bar"}` |
| `remoteAddress` | `string` | The IP address of the client. | `1.1.1.1` |
| `userAgent` | `string` | The User-Agent string in the request being processed. | `Mozilla/5.0 Gecko/20100101 Firefox/137.0` |
This will be made more elaborate in the future. Give me time. This is a simple, lovable, and complete implementation of this feature so that administrators can get hacking ASAP.
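An added example (not from the Anubis project) that narrows the Git client rule above with the `method`, `path` and `query` variables from the table, so the allowance covers only Git fetch requests rather than every path a Git-looking client asks for. `User-Agent` and `Git-Protocol` are client-supplied, which is why the extra conditions matter. The rule names are hypothetical, and the paths and content type assume repositories served over Git's smart HTTP protocol.

```yaml
# Added example; rule names are hypothetical. Assumes repositories are
# served over Git's smart HTTP protocol.

# Ref discovery: GET <repo>/info/refs?service=git-upload-pack
- name: allow-git-fetch-discovery
  action: ALLOW
  expression:
    all:
      - 'method == "GET"'
      - 'path.endsWith("/info/refs")'
      # Check that the key exists before indexing the map, as the rules
      # above do for headers.
      - '"service" in query'
      - 'query["service"] == "git-upload-pack"'
      - >-
        (
          userAgent.startsWith("git/") ||
          userAgent.contains("libgit") ||
          userAgent.startsWith("go-git") ||
          userAgent.startsWith("JGit/") ||
          userAgent.startsWith("JGit-")
        )

# Pack transfer: POST <repo>/git-upload-pack
- name: allow-git-fetch-pack
  action: ALLOW
  expression:
    all:
      - 'method == "POST"'
      - 'path.endsWith("/git-upload-pack")'
      - '"Content-Type" in headers'
      - 'headers["Content-Type"] == "application/x-git-upload-pack-request"'
      - >-
        (
          userAgent.startsWith("git/") ||
          userAgent.contains("libgit") ||
          userAgent.startsWith("go-git") ||
          userAgent.startsWith("JGit/") ||
          userAgent.startsWith("JGit-")
        )
```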
What's Changed
- docs(known-instances): add ScummVM by @lotharsm in #411
- fix(web): Avoid timestamping main.mjs.gz by @heftig in #412
- docs(known-instances): Add FreeCAD Wiki to known instances by @twihno in #414
- fix(yeetfile): copy all docs, data files, and botPolicies.yaml by @Xe in #419
- feat(config): allow multi-level imports by @Xe in #402
- fix(cmd/anubis): print "Rule error IDs" in JSON by @SlyEcho in #408
- Update nginx.mdx upstream syntax by @kkremitzki in #397
- deduplicate css rules by using media query to set variables by @barmintor in #420
- docs(user): add frequently asked questions page by @Xe in #422
- docs: add caddy docs by @Xe in #423
- docs(apache): make listener run on port 3001 by @mans17 in #430
- feat(checker): add CEL for matching complicated expressions by @Xe in #421
- build(deps): bump the github-actions group with 3 updates by @dependabot in #439
- zizmor: add config file to silence unpinned-uses of Homebrew/actions by @p-linnane in #441
- fix(anubis): disable opengraph passthru by default by @Xe in #447
- Spelling by @jsoref in #445
- feat(js): stop execution if the client disabled cookies by @Xe in #438
- chore(static/img): add mascot attributions to the repo by @Xe in #448
New Contributors
- @lotharsm made their first contribution in #411
- @heftig made their first contribution in #412
- @kkremitzki made their first contribution in #397
- @barmintor made their first contribution in #420
- @mans17 made their first contribution in #430
- @jsoref made their first contribution in #445
Full Changelog: v1.17.1...v1.18.0-pre1