Added
- Custom SIGTERM signal handling for graceful shutdown.
- Environment variable placeholders in KDL-format configurations.
- Google Cloud DNS provider for DNS-01 ACME challenges.
- Spaceship DNS provider for DNS-01 ACME challenges.
- Support for shell-style argument parsing in auto_tls_post_obtain_command.
Changed
- CONNECT requests with pathname URIs are now rejected.
- HTTP compression now uses server-preferred content encoding (zstd, br, gzip, deflate, identity) when available (GitHub issue).
- Improved RFC 7230 compliance for reverse proxy (by stripping hop-by-hop headers).
- Improved shebang handling for CGI on non-Unix systems.
- OCSP responses are now verified when stapling is enabled.
Fixed
- 403 Forbidden responses were returned when the URL sanitizer was disabled, even where 404 Not Found should have been returned.
- File paths in directory listings weren't properly escaped.
- HTTP Basic Authentication was vulnerable to time-based user enumeration.
- location blocks matched path segments anywhere in the URL, not just at the start (GitHub issue).
- PROXY v2 headers with lengths greater than 512 bytes were allowed, possibly leading to memory DoS.
- So You Start endpoint names for OVH DNS provider were swapped.
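The time-based user enumeration item under Fixed, illustrated with an added Python example that is not the project's own code: a Basic Auth check that short-circuits for unknown users, beside one that always runs the password hash so both paths cost the same. The user store, the dummy record and the PBKDF2 parameters are constructed for this demo.

```python
import hashlib
import hmac
import os
import statistics
import time

# PBKDF2 iteration count for this demo; production deployments use a higher cost.
_ITERATIONS = 50_000
def _derive(password: str, salt: bytes) -> bytes:
    """Slow password hash; its cost is what makes the timing gap observable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)

# Constructed user store (hypothetical, not the project's format): name -> (salt, hash).
_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, _derive("correct horse", _ALICE_SALT))}

# Dummy record verified whenever the user is unknown, so that path costs the same.
_DUMMY_SALT = os.urandom(16)
_DUMMY_RECORD = (_DUMMY_SALT, _derive("dummy-password-never-matches", _DUMMY_SALT))

def check_basic_auth_leaky(username: str, password: str) -> bool:
    """Vulnerable shape: an unknown user returns before the expensive hash runs."""
    entry = USERS.get(username)
    if entry is None:
        return False  # fast path: the response time reveals that no such user exists
    salt, stored = entry
    return hmac.compare_digest(_derive(password, salt), stored)

def check_basic_auth_hardened(username: str, password: str) -> bool:
    """Hardened shape: always run the hash, against the dummy record if needed."""
    entry = USERS.get(username)
    known = entry is not None
    salt, stored = entry if known else _DUMMY_RECORD
    matches = hmac.compare_digest(_derive(password, salt), stored)  # constant-time compare
    return known and matches  # both operands are already computed; no early exit above

def median_seconds(check, username: str, samples: int = 5) -> float:
    """Median wall-clock time of check(username, wrong password), to compare the two paths."""
    timings = []
    for _ in range(samples):
        start = time.perf_counter()
        check(username, "wrong-password")
        timings.append(time.perf_counter() - start)
    return statistics.median(timings)

if __name__ == "__main__":
    for label, check in (("leaky", check_basic_auth_leaky), ("hardened", check_basic_auth_hardened)):
        known_ms = median_seconds(check, "alice") * 1e3
        unknown_ms = median_seconds(check, "nobody") * 1e3
        print(f"{label:8s} known user {known_ms:.1f} ms, unknown user {unknown_ms:.1f} ms")
```

Running the file times both versions against a known and an unknown username; only the leaky version shows a gap large enough to tell the two apart.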