Releases: PowerDNS/weakforced
Release 2.10.3
This release adds new metrics that track the replication send queue size per sibling and count failures to add messages to the send and receive queues (for example when the queue size is exceeded). These metrics replace the log messages previously emitted when the queue size was exceeded.
New metrics examples:
# HELP wforce_repl_send_queue_size How full is the replication per-sibling send queue?
# TYPE wforce_repl_send_queue_size gauge
wforce_repl_send_queue_size{sibling="1.2.3.4:1234"} 10
wforce_repl_send_queue_size{sibling="127.0.0.1"} 0
wforce_repl_send_queue_size{sibling="1.2.3.4"} 0
wforce_repl_send_queue_size{sibling="127.0.0.1:1233"} 10
# HELP wforce_replication_send_queue_error_total How many errors trying to add replication messages to the send queue?
# TYPE wforce_replication_send_queue_error_total counter
wforce_replication_send_queue_error_total{sibling="1.2.3.4:1234"} 0
wforce_replication_send_queue_error_total{sibling="127.0.0.1"} 0
wforce_replication_send_queue_error_total{sibling="1.2.3.4"} 0
wforce_replication_send_queue_error_total{sibling="127.0.0.1:1233"} 0
# HELP wforce_replication_rcvd_queue_error_total How many errors trying to add replication msgs to the receive queue?
# TYPE wforce_replication_rcvd_queue_error_total counter
wforce_replication_rcvd_queue_error_total{sibling="1.2.3.4:1234"} 0
wforce_replication_rcvd_queue_error_total{sibling="127.0.0.1"} 0
wforce_replication_rcvd_queue_error_total{sibling="1.2.3.4"} 0
wforce_replication_rcvd_queue_error_total{sibling="127.0.0.1:1233"} 0
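As an added example (not code from the weakforced project), the following Python script shows how a monitoring job could consume the metrics above: it parses the Prometheus text exposition format served by /metrics and compares two scrapes, so that a per-sibling send queue near its limit, or an error counter that has grown since the last scrape, is reported. The first scrape is the sample output from these release notes; the second scrape, the threshold of 8 and the function names are constructed for illustration.

```python
"""Added example: parse a wforce /metrics scrape and flag replication send-queue
problems using the 2.10.3 metrics. Not part of weakforced; the threshold and the
second (constructed) scrape are assumptions for illustration."""
import re

# One sample line: metric name, optional {labels}, value (no timestamp field).
_SAMPLE_RE = re.compile(r'^([A-Za-z_:][A-Za-z0-9_:]*)(?:\{([^}]*)\})?\s+(\S+)')
# One label pair; the value may contain \" \\ and \n escapes per the exposition format.
_LABEL_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:\\.|[^"\\])*)"')
_UNESCAPE = {'"': '"', '\\': '\\', 'n': '\n'}


def parse_exposition(text):
    """Return {(metric_name, frozenset(label items)): float value}, skipping HELP/TYPE lines."""
    samples = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _SAMPLE_RE.match(line)
        if not m:
            raise ValueError(f'unparseable sample line: {line!r}')
        name, label_str, value = m.groups()
        labels = {
            k: re.sub(r'\\(["\\n])', lambda e: _UNESCAPE[e.group(1)], v)
            for k, v in _LABEL_RE.findall(label_str or '')
        }
        samples[(name, frozenset(labels.items()))] = float(value)
    return samples


COUNTERS = ('wforce_replication_send_queue_error_total',
            'wforce_replication_rcvd_queue_error_total')


def replication_findings(previous, current, queue_warn=8):
    """Compare two scrapes of the same instance and return sorted (sibling, message) pairs.

    The gauge is judged on the latest value only; the error counters are compared with the
    earlier scrape so that only *new* failures alert, and a counter that went backwards is
    reported as a probable restart rather than silently ignored.
    """
    findings = []
    for (name, labels), value in current.items():
        sibling = dict(labels).get('sibling')
        if sibling is None:
            continue
        if name == 'wforce_repl_send_queue_size' and value >= queue_warn:
            findings.append((sibling, f'send queue at {value:g} (>= {queue_warn})'))
        elif name in COUNTERS:
            before = previous.get((name, labels), 0.0)
            if value > before:
                findings.append((sibling, f'{name} rose {before:g} -> {value:g}'))
            elif value < before:
                findings.append((sibling, f'{name} reset {before:g} -> {value:g} (restart?)'))
    return sorted(findings)


# First scrape: the sample output from the 2.10.3 release notes (HELP lines dropped).
FIRST_SCRAPE = """\
# TYPE wforce_repl_send_queue_size gauge
wforce_repl_send_queue_size{sibling="1.2.3.4:1234"} 10
wforce_repl_send_queue_size{sibling="127.0.0.1"} 0
wforce_repl_send_queue_size{sibling="1.2.3.4"} 0
wforce_repl_send_queue_size{sibling="127.0.0.1:1233"} 10
# TYPE wforce_replication_send_queue_error_total counter
wforce_replication_send_queue_error_total{sibling="1.2.3.4:1234"} 0
wforce_replication_send_queue_error_total{sibling="127.0.0.1"} 0
wforce_replication_send_queue_error_total{sibling="1.2.3.4"} 0
wforce_replication_send_queue_error_total{sibling="127.0.0.1:1233"} 0
# TYPE wforce_replication_rcvd_queue_error_total counter
wforce_replication_rcvd_queue_error_total{sibling="1.2.3.4:1234"} 0
wforce_replication_rcvd_queue_error_total{sibling="127.0.0.1"} 0
wforce_replication_rcvd_queue_error_total{sibling="1.2.3.4"} 0
wforce_replication_rcvd_queue_error_total{sibling="127.0.0.1:1233"} 0
"""

# Second scrape: constructed for this example. 1.2.3.4:1234 is still backed up and has
# now failed to enqueue three messages; 127.0.0.1:1233 has drained.
SECOND_SCRAPE = """\
wforce_repl_send_queue_size{sibling="1.2.3.4:1234"} 10
wforce_repl_send_queue_size{sibling="127.0.0.1"} 0
wforce_repl_send_queue_size{sibling="1.2.3.4"} 0
wforce_repl_send_queue_size{sibling="127.0.0.1:1233"} 2
wforce_replication_send_queue_error_total{sibling="1.2.3.4:1234"} 3
wforce_replication_send_queue_error_total{sibling="127.0.0.1"} 0
wforce_replication_send_queue_error_total{sibling="1.2.3.4"} 0
wforce_replication_send_queue_error_total{sibling="127.0.0.1:1233"} 0
wforce_replication_rcvd_queue_error_total{sibling="1.2.3.4:1234"} 0
wforce_replication_rcvd_queue_error_total{sibling="127.0.0.1"} 0
wforce_replication_rcvd_queue_error_total{sibling="1.2.3.4"} 0
wforce_replication_rcvd_queue_error_total{sibling="127.0.0.1:1233"} 0
"""

if __name__ == '__main__':
    for sibling, msg in replication_findings(parse_exposition(FIRST_SCRAPE),
                                             parse_exposition(SECOND_SCRAPE)):
        print(f'{sibling}: {msg}')
```

Running it reports 1.2.3.4:1234 twice: once for the queue sitting at 10 and once for the send-queue error counter rising from 0 to 3. A sibling whose queue is full but whose counter has not moved is only congested; a rising counter means replication messages to that sibling are actually being lost.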
Release 3.0.0
Improvements
- Support new fail_type parameter for determining why a login failed
- New livez and readyz endpoints (unauthenticated) for Kubernetes (k8s) environments
- Support JA3 allow/block lists in API/Lua
- Allow ja3 to be passed to the reset API command
- Add support for building amazon-2023 packages
- Use asciidoctor instead of pandoc to build the documentation
- Add a sample grafana dashboard for monitoring wforce
- Implemented the (existing but previously always 0) wforce_active_http_connections metric for counting active HTTP connections
Removed
- Removed support for Enterprise Linux 7 and Amazon 2
Release 2.12.1
- Set default map size for sharded Stats DBs based on the number of shards
- Change debian postinst scripts to modify the 'setKey' and 'webpwd' parameters only if no weakforced is already installed
Release 2.12.0
Improvements
- Now builds a separate luajit package (wforce-lua-dist), based on the openresty luajit fork. This is to address some issues found with stock luajit. The package also includes some lua modules that wforce typically makes use of.
- Build the wforce-minimal image for both arm64 and amd64, and add provenance.
- Fix centos-7/el-7 builds to still work after centos-7 went EOL
- Add support for debian-bookworm, remove support for debian-buster
Release 2.10.2
Release Notes for OX Abuse Shield 2.10.2
Improvements
- Fixed LuaState selection algorithm to use a free pool, which should lead to faster and more consistent selection of Lua states by threads.
- The powerdns/wforce-minimal image is now available, using alpine for a more secure and much smaller image than the existing debian-based image.
Release 2.10.1
Release Notes for 2.10.1
Bug Fixes
- Fixed bug in GeoIP2 lookups where return values were not populated
Fixed bug in GeoIP2 lookups where return values were not populated
The GeoIP2 LookupCity Lua function was never correctly implemented, so its results were not exposed to Lua.
This fix returns the results to Lua using the correct method.
Release 2.10.0
Release Notes for OX Abuse Shield 2.10.0
New Features
- Add Enterprise Linux 9 Build Target
- Option to use OpenSSL instead of Libsodium for encryption
Removed Features
- Remove Legacy GeoIP from Packages and Dockerfiles/Images
- Remove the Report API from weakforced entirely
Add Enterprise Linux 9 Build Target
Enterprise Linux 9-based systems are now supported as a build target. Oracle Linux 9 is used as the
build environment, but the package should work on any EL-9 environment. Additionally, el-7, el-8 and el-9 aliases
are available as build targets.
Option to use OpenSSL instead of Libsodium for encryption
When libsodium is not available, weakforced will now use openssl crypto functions instead for encryption, including
encryption between the client and the server, and replication encryption. OpenSSL encryption is used for the
docker image, but the default for built packages is still libsodium.
Remove Legacy GeoIP from Packages and Dockerfiles/Images
The legacy GeoIP Library is no longer included in the packages or Dockerfiles/images for weakforced.
Remove the Report API from weakforced entirely
The Report API has been removed from weakforced. This feature was never used (to my knowledge), and was creating
a significant burden in terms of the maintenance of the python dependencies.
Release 2.8.0
Release Notes for OX Abuse Shield 2.8.0
New Features
- Support ELK 7.x Stack
- Support Date Expansion in WebHook URLs
- Enable IP and Login substitution in blocklist return messages
- Add config option to disable password for /metrics endpoint
- Support redis usernames and passwords for redis authentication
- Support hostnames for redis configuration in addition to IP addresses
Bug Fixes/Changes
- Fix an issue where IPv6 ComboAddress returned zero port number (which caused v6 HTTP listen addresses to not work)
- Set V6ONLY socket option to stop v6 sockets from managing v4 addresses for replication
- Return the IP address of the client in JSON of ACL denied response
Support ELK 7.x Stack
Support Elasticsearch, Logstash and Kibana 7.x stack:
- Continuous Integration now tests against ELK 7.x
- Logstash Templates now work with 7.x
- Kibana Dashboards are now in ndjson format
Support Date Expansion in WebHook URLs
WebHook URLs can be specified with fields representing years, months and days that are expanded
at runtime, for example:
config_key["url"] = "https://example.com/foo/index-%{YYYY}-%{MM}-%{dd}"
See the wforce_webhook man page for more details.
Enable IP and Login Substitution in blocklist return messages
For example:
setBlacklistIPRetMsg("Go away your IP {ip} is blacklisted")
setBlacklistLoginRetMsg("Go away your login {login} is blacklisted")
See the wforce.conf man page for more details.
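The two substitution features above (date fields in webhook URLs, and {ip}/{login} in blocklist return messages) are re-implemented below in Python as an added example so their behaviour can be tried out; this is not weakforced's own code (which is C++) and the wforce man pages remain the reference. The placeholder syntax is taken from the release notes; the function names, the UTC default for the date, and the decision to leave unknown or unfilled placeholders untouched are assumptions of this example.

```python
"""Added example: the two substitution mechanisms described for 2.8.0, re-implemented
for illustration. Not weakforced's code; placeholder syntax (%{YYYY}, %{MM}, %{dd},
{ip}, {login}) is from the release notes, everything else is assumed."""
import re
from datetime import datetime, timezone

_DATE_FIELDS = {'YYYY': '%Y', 'MM': '%m', 'dd': '%d'}
_DATE_RE = re.compile(r'%\{(YYYY|MM|dd)\}')


def expand_webhook_url(url, day=None):
    """Expand %{YYYY}, %{MM} and %{dd} in a webhook URL for the given day (default: today, UTC).

    Only the three known fields are touched; any other %{...} text is passed through
    unchanged, so a typo in the config shows up in the request rather than being eaten.
    """
    day = day or datetime.now(timezone.utc).date()
    return _DATE_RE.sub(lambda m: day.strftime(_DATE_FIELDS[m.group(1)]), url)


_RET_RE = re.compile(r'\{(ip|login)\}')


def render_ret_msg(template, ip=None, login=None):
    """Fill {ip} and {login} in a blocklist return message.

    The login is whatever the client sent, i.e. attacker-controlled, so the substitution
    is a single regex pass over the template: a login of '{ip}' is inserted literally and
    never re-expanded. Sequential str.replace() calls would expand it if the login were
    substituted before the IP.
    """
    values = {'ip': ip, 'login': login}

    def fill(m):
        v = values[m.group(1)]
        return m.group(0) if v is None else v  # keep the placeholder if no value is known

    return _RET_RE.sub(fill, template)


if __name__ == '__main__':
    print(expand_webhook_url('https://example.com/foo/index-%{YYYY}-%{MM}-%{dd}'))
    print(render_ret_msg('Go away your IP {ip} is blacklisted', ip='203.0.113.9'))
    print(render_ret_msg('Go away your login {login} is blacklisted',
                         ip='203.0.113.9', login='{ip}'))
```

The daily-index URL is the typical use with the Elasticsearch webhook support in this release: the index name is computed when the webhook fires, so a log sink receives one index per day without restarting wforce.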
Add config option to disable password for /metrics endpoint
Adding the following to wforce.conf or trackalert.conf:
setMetricsNoPassword()
will disable the password for the metrics endpoint.
See wforce.conf and trackalert.conf manpages for more details.
Support redis usernames and passwords for redis authentication
Redis authentication is supported with the following configuration in wforce.conf:
blacklistRedisUsername()
blacklistRedisPassword()
whitelistRedisUsername()
whitelistRedisPassword()
The username is optional, depending on whether a username is set in redis.
See wforce.conf manpage for more details.
Support hostnames for redis configuration in addition to IP addresses
The blacklistPersistDB() and whitelistPersistDB() configuration commands now accept
hostnames as well as IP addresses.
Release 2.6.2
Release Notes for OX Abuse Shield 2.6.2
Bug Fixes/Changes
- Better error checking in blacklist loading to prevent deadlock
- Fix missing stub for setBlacklistIPRetMsg() Lua function
- Fix trackalert crash when schedules are used before global Lua state is initialised
- Return 401 with appropriate JSON instead of 404 when webserver ACL is used
- New --loglevel flag to control the log level of stdout logging
Better error checking in blacklist loading to prevent deadlock
Under certain conditions, i.e. when Redis was available but non-responsive, the blacklist
loading function would not return, causing deadlock. This has been fixed.
Fix missing stub for setBlacklistIPRetMsg() Lua function
The setBlacklistIPRetMsg() Lua function was missing a stub, which meant that it could not
be used. This has now been corrected.
Fix trackalert crash when schedules are used before global Lua state is initialised
Fixed an issue where trackalert would crash when a schedule was created which ran immediately, before the global Lua
state was initialised.
Return 401 with appropriate JSON instead of 404 when webserver ACL is used
Fixed an issue where the webserver ACL was causing 404 errors instead of 401 errors. Now
a 401 and an appropriate JSON message are returned.
New --loglevel flag to control the log level of stdout logging
Previously there was no way to control the loglevel of the stdout logging, which meant that even
debug logging would be logged. Now there is a -l or --loglevel flag, which takes the value 0-7
(matching the syslog levels), and which defaults to 6 (infolog). This fix also applies to the
built-in webserver, which only logs to stdout, and which previously only logged errors, but which now
obeys this flag.
Release 2.6.1
Bug Fixes/Changes
- Fix issue where wforce was complaining about not being able to create tmp file on startup
- Fix timing issue whereby the webserver was not started before syncDB leading to syncDone failures
- Use debian bullseye-slim in wforce docker image to save over 100MB in image size
- Fix issue in wforce docker image where the default config file was overridden with a volume mount but not used
Fix Wforce complaint about not being able to create temporary files on startup
Wforce 2.6.x uses an HTTP library which creates temporary directories for file upload on startup,
by default in the current working directory, which for wforce is the config directory. For packaged
installation of wforce, this is /etc/wforce, which is typically not writable by wforce itself, leading
to errors. This fix changes the directory for those temporary files to /tmp/wforce.
Fix timing issue with webserver and syncDB
In rare cases when starting up, the syncDB command may start, replicate from another wforce instance,
and complete, before the webserver had finished initializing. This would cause the syncDone command from
the other wforce instance to fail. This fix forces wforce to wait until the webserver is ready before
starting the syncDB checks.
Fix issue in wforce docker image where the default config file was overridden by a volume mount but not used
The wforce docker image documentation states that a volume mount can be used to specify a custom config file
in /etc/wforce/wforce.conf, however this was not actually the case. The file was only used if the environment
variable WFORCE_CONFIG_FILE was also set, which is incorrect, because that variable is only supposed to be used
to specify a new location for the config file. This fix ensures that whenever a volume mount correctly
mounts a custom /etc/wforce/wforce.conf file, it is both used, and a log message is output stating that it
is being used.