Added
- Configuration directive for aborting an HTTP request.
- Support for dynamic SRV-based backend discovery for reverse proxy upstreams.
- Support for file size-based log rotation.
- Support for reusable snippets across different KDL configuration files.
- Support for Unix socket backends in the forwarded authentication module.
Changed
- Replaced the OCSP stapling implementation (that implemented RFC 5019) with a new implementation that implements RFC 6960.
- The Host header is now no longer rewritten to the proxy request URL's host by default when using plaintext HTTP for the backend servers.
Deprecated
- Rego-based subconditions are deprecated and will be removed in a future release.
Fixed
- Body replacement MIME type filtering was not applied correctly.
- Duplicate error log entries in certain cases.
- ETag matching wasn't applied correctly when If-Match or If-None-Match headers contained multiple ETags.
- HEAD requests for directory listings caused responses with a body.
- HTTP compression support sometimes chose the wrong compression algorithm.
- Redirect loop when using wwwredirect directive and requesting with a hostname without a port.
- TCP listener failures caused by too many open file descriptors led to an infinite logging loop.
- The Content-Range header was omitted in some 416 Range Not Satisfiable responses when serving static files.
- The least-connections algorithm sometimes incorrectly selected the backend with the most connections.
- Using Ferron with ACME directories that offer challenge types that don't present a token (like DNS-PERSIST-01) caused "missing field token" errors (fixed in instant-acme).