Release notes
nevisProxy 7.2402.1 - 28.03.2024
Changes and new features
- NEW: We added the parameter EnableMetrics to the local, MySQL, and Postgres session store servlets.
- FIXED: We fixed the issue that, in Kubernetes setups, telemetry information was written to stdout.
- FIXED: We fixed the issue that a session invalidated via a LuaFilter was not properly invalidated when using the MySQLSessionStoreServlet.
- FIXED: We fixed the issue that the request body was unnecessarily read when OriginalUrl was enabled in the IdentityCreationFilter.
- UPGRADED: We upgraded the SLES15 package to run on SLES15-SP3 and newer.
- UPGRADED: We upgraded Xerces-C to version 3.2.5.
Backward compatibility issues
- For nevisproxy to run correctly, you need at least SP3 if running on SLES15. You can check the installed SP version on your SLES15 host by executing cat /etc/os-release. The version has to be 15.3 or more:
# cat /etc/os-release
NAME="openSUSE Leap"
VERSION="15.3"
nevisProxy 7.2402.0 - 21.02.2024
Changes and new features
- NEW: The method getScheme has been added to the LUA request object.
- NEW: We added the parameter IncludeInjectionScriptExternally to the CSRFFilter.
- NEW: Added an example of combining CSRFFilter with Content Security Policy strategy.
- NEW: We added support for key logging of TLS-based backend connections.
- NEW: The new parameter AuditLog.PassPhrase replaces the deprecated AuditLog.Key in the InputValidationFilter.
- NEW: We added the parameter SectokenExpireStrategy to the IdentityCreationFilter.
- NEW: We added the profiles RewriteResponseRequestUri and RewriteResponsePathInfo to be used with the BackendConnectorServlet.
- NEW: The CountryIpFilter now reloads the DB file when it changes.
- FIXED: We fixed the issue where the Lua method response::addHeader overwrote the first header when called twice.
- FIXED: We fixed the problem that the proxy could not start if an IP-address was configured in the ICAPFilter.
- FIXED: We fixed the validation of substitution count against capture group count for Regular Expressions.
- FIXED: We fixed the issue where the BackendConnectorServlet ignored the Set-Cookie header.
- FIXED: The correct status code is now always sent back if a not allowed method is used in the request to the HttpConnectorServlet.
- FIXED: We fixed the bug where the usrID was not traced correctly in the NProxyOP tracegroup.
- FIXED: We fixed the problem that escaped JSON characters were not properly handled by the EsauthConnectorServlet.
- FIXED: We fixed the bug that the ICAPFilter did not correctly handle chunked responses from the ICAP server.
- FIXED: We fixed the issue that the MariaDB database could be filled up when using a MultiLevelSessionStore.
- CHANGED: The automatically created submit form for SAML requests sends now a Content-Security-Policy header.
- CHANGED: Reduced the log level of some MariaDB messages.
- CHANGED: The TelemetryFilter functionality has been moved into the navajo.xml configuration.
- UPGRADED: We upgraded libcurl to version 8.4.
- DEPRECATED: The protocol HTTP/1.0 is deprecated.
- DOCUMENTATION: Adapt the proxy's OTEL description in cross-component documentation.
- DOCUMENTATION: Added an example on how to configure mod_remoteip with the CountryIpFilter.
Notes
With some special configuration using the IdentityCreationFilter and the MultiLevelSessionStore the MariaDB may be filled up. In that case add the following unique key to the MariaDB based dynamic session management:
alter table attribute add constraint uc_id_name unique (ID, NAME);
- Before adding the unique key be sure that all instances using this database have been upgraded to the latest RR.
- The command may fail if there are duplicated attributes. In that case you have to retry later. We recommend adding this key while there is low load.
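Because the ALTER TABLE above fails while duplicate (ID, NAME) pairs exist, it is worth checking for them first, and checking whether the constraint was already added by an earlier attempt. The MariaDB statements below are an added example and are not part of the nevisProxy release notes or product; they assume the default table name attribute and the column names ID and NAME used in the statement above.

```sql
-- Added example (not from the nevisProxy release notes): pre-checks before
-- adding the unique key uc_id_name to the dynamic session store.
-- Assumes the default table name "attribute" and the columns ID and NAME.

-- 1. List duplicate (ID, NAME) pairs. The ALTER TABLE below will fail as
--    long as this query returns any row; retry later under lower load.
SELECT ID, NAME, COUNT(*) AS occurrences
FROM attribute
GROUP BY ID, NAME
HAVING COUNT(*) > 1;

-- 2. Check whether the constraint already exists (for example after an
--    earlier, partially applied upgrade), so it is not added twice.
SELECT CONSTRAINT_NAME
FROM information_schema.TABLE_CONSTRAINTS
WHERE TABLE_SCHEMA = DATABASE()
  AND TABLE_NAME = 'attribute'
  AND CONSTRAINT_NAME = 'uc_id_name';

-- 3. Only when both queries above return no rows and all instances sharing
--    this database run the latest RR, add the unique key from the notes.
ALTER TABLE attribute ADD CONSTRAINT uc_id_name UNIQUE (ID, NAME);
```

Run the three statements against the session database with an account that may alter the schema; step 1 tells you whether the retry advice in the note applies before the ALTER TABLE is attempted.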
This nevisProxy 7.2402 February 2024 release is the last version of the current rolling release (7.x). It will become the base of the next LTS release in May (7.2405.x). The nevisProxy LTS version 7.x will support both RHEL8 and RHEL9 as well as SLES15, with its own .rpm file for each distribution. As of May, the major versions of the new rolling releases start with version number "8". The nevisProxy rolling releases 8.x will only support RHEL9 and SLES15. Check the Appendix H (Deprecation List) in order to see what will be removed in this new rolling release.
Backward compatibility issues
- If a user wants access to a session with an expired sectoken, the session is killed and in most cases the user gets the login page. If you want the old behavior, where the user got the logout page, you have to set the parameter SectokenExpireStrategy of the IdentityCreationFilter to logout.
- The default value of the bc property ch.nevis.navajo.tracing.TraceId.Format has changed from %u to %o (the OpenTelemetry trace id). In order to use the old format you have to set it back to %u and not enable the OpenTelemetry configuration (which is disabled by default).
- The TelemetryFilter has been deprecated and its functionality has moved into the OpenTelemetry tag of the Service Configuration (navajo.xml).
nevisProxy 7.2311.2 - 08.02.2024
Changes and new features
- UPGRADED: We upgraded to OpenSSL 3.0.13.
- UPGRADED: We upgraded to ModSecurity 3.0.12.
- UPGRADED: We upgraded the OpenTelemetry library to 1.12.0.
- UPGRADED: We upgraded to nghttp2 1.59.0.
nevisProxy 7.2311.1 - 15.01.2024
Changes and new features
- FIXED: We fixed the issue where the BackendConnectorServlet ignored the Set-Cookie header.
- UPGRADED: We upgraded to nghttp2 1.58.0.
- UPGRADED: We upgraded to ModSecurity v3.0.11.
nevisProxy 7.2311.0 - 15.11.2023
Changes and new features
- NEW: We added the profile AllowSubDirectories to the FileReaderServlet.
- NEW: We added OpenTelemetry Metrics to the LocalSessionStoreServlet, MySQLSessionStoreServlet, and PostgreSQLSessionStoreServlet.
- NEW: A custom HTTP return status codes for error responses can now be configured in the ErrorFilter.
- NEW: The PostgreSQLSessionStoreServlet now supports SSL connections to the Postgres server.
- NEW: In navajo.xml you can now configure SSLCipherSuites per Protocol.
- NEW: We verified the compatibility of the OpenSSL 3.0 nevisProxy package with GemEngine 1.6.
- NEW: We added the crashRecoveryStrategy 'kill' option.
- NEW: We added the parameter ParsingMode to the CSRFFilter.
- NEW: RedHat 9 support.
- NEW: We added the parameters ForwardProxy.UserName and ForwardProxy.Password to the BackendConnectorServlet.
- FIXED: We fixed the bug introduced in the DeflateFilter in version 5.7.0 which did not remove the Content-Length header.
- FIXED: With the new parameter AllowRedirectOnAuthDone the SecurityRoleFilter handles now nevis.transfer.redirect on AUTH_DONE correctly.
- FIXED: The BackendConnectorServlet and HttpsConnectorServlet accept now a client certificate chain.
- FIXED: We fixed the bug where a request was blocked by the IdentityCreationFilter due to an invalid json body.
- FIXED: We fixed a bug where the Encryption_Key of the UrlEncryptionFilter couldn't contain certain characters (&, ' and \").
- FIXED: We fixed the bug where attributes in a custom based session inherited by the parent were not shown in Lua when doing a session attribute iteration.
- CHANGED: An HTTP 413 response code will now be sent back if the request body size is bigger than the configured LimitRequestBody.
- CHANGED: The encoding for custom based sessions has changed to base62.
- CHANGED: The cipher suites can be configured per protocol in the HttpsConnectorServlet and the BackendConnectorServlet.
- CHANGED: The HttpConnectorServlet now sends a CONNECT request to the forward proxy also for plain connections.
- CHANGED: The column names in the PostgreSQL tables have slightly changed.
- UPGRADED: We upgraded to apr/1.7.4 and apr-util/1.6.3.
- UPGRADED: We upgraded to OpenSSL 3.0.11.
- UPGRADED: We upgraded OpenSSL 1.1 based packages to OpenSSL 1.1.1w.
- UPGRADED: We upgraded to nghttp2 1.57.0.
- UPGRADED: We upgraded libcurl to version 8.3.
- UPGRADED: We upgraded to apache httpd/2.4.58.
- DEPRECATED: The parameter ReadLineSize of the InputValidationFilter has been deprecated.
Notes
- A RHEL9 based package will now be available as well. The nevisProxy rolling releases 8.2405 (planned for May 2024) will only support RHEL9 and SLES15.
- This will be the last RR package to provide an OpenSSL 1.1.1 based RHEL8 package if needed. Starting from February 2024 only OpenSSL 3.0 based packages will be delivered for versions 7.2402.x and newer.
Backward compatibility issues
- The custom based session management filter will now base62 encode the custom id in order to have only alpha numeric characters in it. As a consequence, sessions using the custom-based session management will get lost when upgrading from a previous version, even if they are stored in a database. Furthermore all instances sharing the same database have to be updated to version 7.2311.x or newer.
- The PostgreSQLSessionStoreServlet's database schema is changed. The attribute table's ID column is renamed to SESSION_ID. The following SQL query needs to be executed for the upgrade:
ALTER TABLE attribute RENAME COLUMN ID TO SESSION_ID;
If you configured the servlet with AttributesTableName then update the table name in the query with the actual attribute table name.
- The SSLCipherSuites parameter of the HttpsConnectorServlet and of the ICAPFilter as well as the Secure.CipherSuites parameter of the BackendConnectorServlet does not accept any spaces between the various cipher suites. The cipher suites have to be separated by a colon (:). They can now be prefixed by the protocol where they should be applied.
- If a request is blocked because it exceeds the size configured by LimitRequestBody in navajo.xml, a status code 413 (Request Entity Too Large) is now sent back to the frontend.
nevisProxy 5.7.1 - 8.11.2023
Changes and new features
- FIXED: We fixed the bug introduced in the DeflateFilter in version 5.7.0 which did not remove the Content-Length header.
- UPGRADED: We upgraded to apr/1.7.4 and apr-util/1.6.3.
- UPGRADED: We upgraded to OpenSSL 3.0.11.
- UPGRADED: We upgraded OpenSSL 1.1 based packages to OpenSSL 1.1.1w.
- UPGRADED: We upgraded to nghttp2 1.57.0.
- UPGRADED: We upgraded libcurl to version 8.3.
- UPGRADED: We upgraded to apache httpd/2.4.58.
Notes
Backward compatibility issues
- The PostgreSQLSessionStoreServlet's database schema is changed. The attribute table's ID column is renamed to SESSION_ID. The following SQL query needs to be executed for the upgrade:
ALTER TABLE attribute RENAME COLUMN ID TO SESSION_ID;
If you configured the servlet with AttributesTableName then update the table name in the query with the actual attribute table name.
nevisProxy 5.7.0 - 16.8.2023
Changes and new features
- NEW: We added support for graceful shutdown.
- NEW: We added the TelemetryFilter.
- NEW: We added the parameter 'Transport.SSLOpenSSLConfCmd' to the Esauth4ConnectorServlet.
- NEW: The BackendConnectorServlet now supports dynamic InetAddresses.
- NEW: We added the parameter PeerServlet.Strategy to the MultiLevelSessionStore.
- NEW: We added the dTP time measurement to the NavajoOp traceline.
- NEW: There is a new experimental servlet, the PostgreSQLSessionStoreServlet.
- FIXED: We fixed the bug where an URL containing a newline did not work with a CacheFilter.
- FIXED: We fixed a bug which prevented using a forward proxy with the WebSocketServlet.
- FIXED: We fixed the issue where the RewriteFilter did not skip empty tokens.
- FIXED: We fixed the bug that a BackendConnectorServlet could not be used for a sidecall in Lua.
- FIXED: We fixed a bug where the DeflateFilter dropped the "Content-Length" header when there was no compression.
- FIXED: The MultiLevelSessionStoreServlet now correctly stores sessions found in the PeerServlet into its LocalSessionStoreServlet with a custom-based SessionManagementFilter.
- FIXED: We fixed the issue where the BackendConnectorServlet did sometimes send back an error even if the backend was still running.
- CHANGED: The BackendConnectorServlet is production ready.
- CHANGED: We added the MariaDB error code 1927 to the default value of the ConnectionErrorCodes parameter of the MySQLSessionStoreServlet.
- CHANGED: We added a secure default true for the parameter ResourceManager.NoSessionCookie.CookieSecure of the WebSocketServlet.
- CHANGED: The parsing of the Set-Cookie header has been improved.
- CHANGED: Requests without a body no longer trigger a redirect after authentication if InterceptionRedirect is set to never in the IdentityCreationFilter.
- CHANGED: The parameter RenewIdentification of the IdentityCreationFilter is now a boolean.
- UPGRADED: We upgraded to ModSecurity v3.0.10.
- UPGRADED: We upgraded to nghttp2 1.55.1.
- UPGRADED: We upgraded to OpenSSL 3.0.9.
- UPGRADED: We upgraded to OpenSSL 1.1.1u.
- UPGRADED: We upgraded to mod_qos 11.74.
- DEPRECATED: The renegotiateCookie and renegotiateSSL methods of the LuaFilter session have been deprecated.
- DEPRECATED: We deprecated the InsertWrapperFilter.
- REMOVED: We removed the deprecated SecToken versions.
- REMOVED: We removed the deprecated parameter RemoveIntereceptedRequestAfterAuthentication from the IdentityCreationFilter.
- REMOVED: We removed the deprecated HTTP Profiles of the InputValidationFilter.
- REMOVED: We removed the deprecated parameter 'OriginalUrl.SecretKeyFile' of the IdentityCreationFilter.
Notes
In the MariaDB server configuration the default of the parameter slave_parallel_mode was changed to optimistic starting from version 10.5.1. Our load tests showed that with this configuration the replication may stop under heavy load. We therefore recommend setting the slave_parallel_mode to conservative if you use MariaDB server 10.5.1 or newer with replication.
Backward compatibility issues
- Set-Cookie headers coming from the backends are now passed unchanged to the frontend unless a filter or servlet modifies one of the cookie attributes. On previous releases, they may have been parsed and either the expiry date (due to a wrong format) or the order of the fields could have changed.
- For on premises installations without nevisadmin4 the systemd configuration file has changed in order to support graceful shutdown. This may have an impact if an instance could not have been shut down properly.
- Because of an improvement in the IdentityCreationFilter with OriginalUrl.Enable set to true and InterceptionRedirect set to never, requests without a body will not generate a redirect any longer after a successful authentication, but the original request will be sent directly to the backend.
nevisProxy 5.6.1 (OpenSSL 3.0 based) - 02.06.2023
Changes and new features
- UPGRADED: We upgraded to OpenSSL 3.0.9.
- UPGRADED: We upgraded to nghttp2 v1.53.0.
nevisProxy 5.6.0 (OpenSSL 1.1 based) - 24.5.2023
Notes
As mentioned in the release notes for version 5.6.0, an extra nevisProxy package based on OpenSSL 1.1.1 has been made available. The package name is nevisproxy-5.6.0.1-1.el8_ossl11.x86_64.rpm. Use this package only if you have a Gemalto HSM configured.
nevisProxy 5.6.0 - 17.5.2023
Changes and new features
- NEW: We added a tool called semflush to kill leaked semaphores.
- NEW: We added the parameter KeepDeletedEntriesTimeout to the MultiLevelSessionStoreServlet.
- NEW: We added the parameter DNSCache.TTL to the ICAPFilter.
- NEW: We now support MariaDB 10.6.
- NEW: We added the CountryIpFilter.
- NEW: We added the Lua class LuaX509Certificate.
- NEW: We added the parameters 'Script.InputWebSocketFrameFunctionName' and 'Script.OutputWebSocketFrameFunctionName' to the LuaFilter.
- NEW: We added the parameter URLEncoding to the BackendConnectorServlet.
- FIXED: We updated the default value of the AutoRewrite parameter of the Esauth4ConnectorServlet to 'none'.
- FIXED: We fixed a Null-Pointer Exception ('dereferencing null holder') in the MultiLevelSessionStoreServlet.
- FIXED: We now trace the correct adrB if the HttpConnectorServlet uses a dynamic address.
- FIXED: We fixed the 'grep' error when removing an instance as non-root user.
- FIXED: We fixed the wrong behavior, if a redirect Location had double dot in the URL.
- CHANGED: We reduced the risk of race conditions in the MultiLevelSessionStoreServlet.
- CHANGED: If the client sends an incomplete body, a 400 (Bad Request) response is sent back.
- UPGRADED: (Security) We upgraded to ModSecurity v3.0.9.
- UPGRADED: We upgraded to Apache httpd 2.4.57.
- UPGRADED: We upgraded to nghttp2/1.52.0.
- UPGRADED: We upgraded from PCRE to PCRE2 (Version 10.42).
- UPGRADED: We upgraded to OpenSSL 3.0.8.
- DEPRECATED: We deprecated all Sectoken versions, except CSSO-1.0.
- DEPRECATED: We deprecated the signal handling of SIGPWR.
- REMOVED: We removed the Kerberos-related parameters in the DelegationFilter.
- REMOVED: We removed the TLS-based identification in the SessionManagementFilter.
- REMOVED: We removed support for the Legacy Session Store (or Container Based Session Management).
- DOCUMENTATION: We added a FAQ page to the nevisProxy reference guide.
Notes
Backward compatibility issues
Due to the upgrade from OpenSSL 1.1.1 to OpenSSL 3.0, some old backends or frontends may not work anymore if they don't support at least TLSv1.2. Read the Troubleshooting section on how to proceed in case of problems.
Gemalto does not yet provide an OpenSSL 3.0 based GemEngine. Because of that the Gemalto HSM will not work any more until Gemalto provides a working GemEngine. For customers using the Gemalto HSM an extra OpenSSL 1.1 based nevisProxy package will soon be delivered.
The Http(s)ConnectorServlet may return different Location headers when its AutoRewrite parameter contains 'redirect', because the redirections are now jailed under the servlet path when mappingType is set to pathInfo, and relative URLs are rewritten to absolute URLs.
The legacy session management is removed and any of its configuration is ignored from now on.
OpenSSL version 3.0 has a more strict default for the security level than OpenSSL version 1.1.1. The default security level 1 now forbids signatures using SHA1 and MD5. In consequence, the following issues may occur:
- Connections using TLSv1.1 will fail with the following message in the navajo.log:
3-ERROR : OpenSSL-failure: 00777CC0137F0000:error:0A00014D:SSL routines:tls_process_key_exchange:legacy sigalg disallowed or unsupported:ssl/statem/statem_clnt.c:2255:0x0a [OSSL-0005]
We recommend upgrading your configuration to use TLSv1.2 or TLSv1.3. If it is not possible, you can add the suffix :@SECLEVEL=0 to your TLSv1.1 cipher suites to allow their signature algorithms.
- Connections using a certificate with a deprecated signature algorithm will fail with the following message in the navajo.log:
3-ERROR : [...] error:0A00018E:SSL routines::ca md too weak (must be pem encoded)) [NVCT-0054]
We recommend renewing your certificates with a stronger signature algorithm. In the meanwhile, you can add the suffix :@SECLEVEL=0 to the cipher suites of the affected filter or servlet. If the issue occurs at several places, or if it affects your EsAuth4ConnectorServlets, you can also modify the default cipher suites to include this suffix. Proceed as follows:
- Add an entry in your bc.property file for each cipher suite you want to modify. The syntax is <key>=<value> with one entry per line. See Overwriting default values for details.
- The relevant keys are:
  - ch.nevis.isiweb4.servlet.connector.http.SSLCipherSuites for the HttpsConnectorServlets
  - ch.nevis.isiweb4.servlet.connector.websocket.SSLCipherSuites for the WebSocketServlets
  - ch.nevis.isiweb4.servlet.connector.soap.esauth4.Transport.SSLCipherSuites for the EsAuth4ConnectorServlets
  - ch.nevis.nevisproxy.servlet.connector.http.BackendConnectorServlet.Secure.CipherSuites for the BackendConnectorServlets
  - ch.nevis.isiweb4.filter.icap.ICAPFilter.SSLCipherSuites for the ICAPFilters
- The modified default values should be:
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:@SECLEVEL=0
- Restart nevisProxy; the new default values will be applied to the whole instance.
nevisProxy 5.5.1 - 24.2.2023
Changes and new features
- UPGRADED: We upgraded to OpenSSL 1.1.1t.
nevisProxy 5.5.0 - 15.2.2023
Changes and new features
- NEW: We added the parameter 'crashRecoveryStrategy' to navajo.xml.
- NEW: We added the parameter SynchronizeLoginRequests to the IdentityCreationFilter and SecurityRoleFilter.
- NEW: The apache module mod_md can now be used for OCSP stapling.
- NEW: We added the bc property BC.Tracer.LineCounter.
- NEW: The memory consumption is traced in a regular interval in the tracegroup NavajoResource.
- NEW: We added the error codes [HTTP-0084] and [HTTP-0085].
- NEW: We added the bc property 'ch.nevis.navajo.AlwaysNoticeOnClientClose'.
- NEW: We added the parameter 'Script.Hash' to the LuaFilter.
- NEW: We added the WebSocketInspectionFilter.
- FIXED: Cookie names starting with "$" and without a value are now allowed.
- FIXED: The UrlEncryptionFilter did not always encrypt URLs containing a colon (:) correctly.
- CHANGED: We improved the performance of the WebSocketServlet.
- CHANGED: We improved the exception safety of the request counter.
- CHANGED: We improved the logging in the UrlEncryptionFilter.
- UPGRADED: We upgraded to nghttp2/v1.51.0.
- UPGRADED: We upgraded to mod_qos/11.73.
- DEPRECATED: The remaining profiles of the InputValidationFilter are deprecated.
- DEPRECATED: The renegotiateSSL method of the Lua session object is deprecated.
- DEPRECATED: The Milestones feature in the CSRFFilter is deprecated.
- REMOVED: We removed the parameter SSLDHParametersFile from navajo.xml.
- REMOVED: We removed the ch.nevis.navajo.RestartAfterHsmError bc property.
- REMOVED: We removed the PrivateURIScheme parameter of the IdentityCreationFilter.
- REMOVED: We removed the deprecated XMLValidationFilter.
- REMOVED: We removed the deprecated POSIX based regular expression.
- DOCUMENTATION: We added a deprecation list as an appendix to the reference guide.
- DOCUMENTATION: We added an example based on Lua on how to synchronize login requests.
Notes
The following Profiles of the InputValidationFilter are deprecated:
- HTTP-Validation
- HTTP-Validation-Strict
- HTTP-Validation-Length
- HTTP-Limitations
- HTTP-ResponseHeaders
Use the ModSecurityFilter with the CoreRuleSet from OWASP instead.
The function renegotiateSSL of the Lua Session Object is deprecated. Use the method renegotiateSSL of the Lua Request Object instead.
Backward compatibility issues
- Read the new appendix 'Deprecation List' to be informed about all deprecated features. Contact us as soon as possible if you think that some deprecated issue is still needed and you did not find an alternative for it.
- Local URLs that contain ':' inside the URL's path, query or fragment/anchor part will now be encrypted by the UrlEncryptionFilter. If you have URLs that shouldn't be encrypted and contain ':', then add these URLs to the Encryption_PlainTextUrls.
nevisProxy 5.4.0 - 16.11.2022
Changes and new features
- NEW: We introduced the parameter Cookie.KeepOldCookieTimeout of the SessionManagementFilter.
- NEW: We introduced the parameter ForwardProxy in the BackendConnectorServlet.
- NEW: We introduced the parameters LoadBalanceMultipleIPs and LoadBalanceMultipleIPs.RetryTimeout in the BackendConnectorServlet.
- NEW: The BackendConnectorServlet now supports Server Sent Events (SSE).
- FIXED: Keep-Alive did not work for HTTP/1.1 clients if HTTP/2.0 was also configured in navajo.xml.
- FIXED: We fixed the bug, which made Host header forgery possible for redirection of relative URLs.
- FIXED: The UrlEncryptionFilter did allow unencrypted POST body parameters when the last parameter was whitelisted.
- FIXED: We fixed the possible crash, if the configuration file of the ModSecurityFilter was modified while nevisProxy was running.
- FIXED: The parameter Encryption_VerifyBody of the UrlEncryptionFilter did not perform body verification if the query was already encrypted.
- FIXED: The UrlEncryptionFilter now creates a session when Encryption_SessionSticky is enabled.
- FIXED: We fixed the possible core dump in DynamicConfigFilter when changing the configuration.
- FIXED: We fixed the possible NPE when using "PATH_INFO" in the condition for local trace groups.
- FIXED: The EncryptionFilter did not work correctly if mapped before an UnbluFilter or ICAPFilter.
- FIXED: The ModSecurityFilter can now be loaded with a DynamicConfigFilter.
- FIXED: The DynamicConfigFilter can now load a RewriteFilter that has an action file configured.
- FIXED: The NEEDS_REDIRECT RequestFlag did not behave as expected if the bc property ch.nevis.navajo.response.Location.rfc2616compliant was set to true, or ch.nevis.navajo.response.Location.KeepInitialSlashes was set to false.
- FIXED: The HttpConnectorServlet did not work correctly if the StatelessResourceManager was configured with DisablePing set to true.
- CHANGED: We improved the DynamicConfigFilter.
- CHANGED: The default values for ResourceManager.DisablePing and ResourceManager.RetryTimeout are updated when a single backend is configured in the Http(s)ConnectorServlet.
- CHANGED: We improved the secure default for the parameters of the UrlEncryptionFilter.
- UPGRADED: We upgraded to OpenSSL 1.1.1s.
- UPGRADED: We upgraded to mod_setenvifplus/0.40.
- UPGRADED: We upgraded to mod_qos/11.72.
- UPGRADED: We upgraded to ModSecurity v3.0.8.
- DEPRECATED: The undocumented values wwwauthenticate:basic and wwwauthenticate:negotiate of the parameter RenderingProvider in the LoginRendererServlet are deprecated.
- REMOVED: We removed the SAMLErrorFilter.
Notes
- As of now, mod_qos works for the hypertext transfer protocol version 1.0 and 1.1 only. If you decide to use HTTP/2, you should only use the request level control directives of mod_qos.
- If both the InitialURI and StoreInterceptedRequest is set, the StoreInterceptedRequest has precedence over the InitialURI, and the latter is ignored.
Backward compatibility issues
The UrlEncryptionFilter now provides secure default values for the following parameters:
- Encryption_UrlEnforcement
- Encryption_Query
- Encryption_Url
- Encryption_StaticIv
If you enabled the secure defaults as described in the chapter Secure defaults, these new secure defaults will be applied to the parameters that are not defined explicitly in your UrlEncryptionFilters. This change makes your UrlEncryptionFilters more secure, at the risk of generating some false positive results and blocking some requests that should be authorized. Therefore, before deploying the new nevisProxy version:
- Check that the new secure default values match your security policies;
- Check that your UrlEncryptionFilters provide the expected results with these new values.
If the new secure default values block a genuine request, you can either:
- adjust the encryption parameters to make the request compliant;
- or override the secure default value by defining the parameter explicitly in your UrlEncryptionFilter.
Requests that contain form data in their body will now be blocked if Encryption_VerifyBody is set to true and the request body is not encrypted. To correctly handle such scenarios, visit the UrlEncryptionFilter's documentation and read the VerifyBody parameter's description.
Some queries that were allowed so far (mainly form submits) might be blocked when Encryption_VerifyBody is set to true because of the UrlEncryptionFilter's QueryWhiteList bugfix.
The redirections of relative URLs now only contain the URL's path when ch.nevis.navajo.response.Location.rfc2616compliant is false.
nevisProxy 5.3.3 - 28.10.2022
Changes and new features
- UPGRADED: We upgraded ModSecurity to v3.0.8.
nevisProxy 5.3.2 - 12.10.2022
Changes and new features
- INVALID: UPGRADED: We upgraded ModSecurity to v3.0.8.
The version of modsecurity is not adapted to 3.0.8. It is planned to be done in the next release (5.3.3).
nevisProxy 5.3.1 - 24.8.2022
Changes and new features
- FIXED: A crash was possible when the configuration file of the ModSecurityFilter was modified while nevisProxy was running.
nevisProxy 5.3.0 - 17.8.2022
Changes and new features
- NEW: We added the parameter OriginalUrl.SecretKey in the IdentityCreationFilter.
- NEW: We added the RequestFlag "PRUNE_ACCEPT_ENCODING" to remove unsupported compression algorithms from the Accept-Encoding header. It is enabled by default for the InflateFilter and RewriteFilter.
- NEW: We added the parameters OutboundProxyAuthorization.Username and OutboundProxyAuthorization.Password in the HttpConnectorServlet.
- NEW: We added the parameters ExpectedClassName and ExpectedFilterName in the DynamicConfigFilter.
- NEW: The LuaFilter now supports AES/GCM for encryption.
- NEW: We added the bc property ch.nevis.navajo.response.Location.rfc2616compliant.
- NEW: The AuthenticationFilter now supports the 'reauth' action in the Validation.Rules parameter of the SessionManagementFilter.
- NEW: We added the action reauth to the Validation.Rules of the SessionManagementFilter.
- NEW: We added the Lua method reauthenticate of the Lua Request Object.
- NEW: The Lua based JWT handler now supports the ECDSA algorithms.
- NEW: We added the parameter Secure.OpenSSLConfCmd of the BackendConnectorServlet.
- NEW: The GLOB pattern type is now supported.
- FIXED: We fixed the bug where the DeflateFilter re-compressed some already compressed data.
- FIXED: We fixed the bug where repeated response headers were lost when a HeaderValidationFilter was used.
- FIXED: We fixed the bug where the ApacheConfigFilter did not add the Location directives if multiple Connectors shared the same web.xml.
- CHANGED: The round robin management of the LoadBalancingServlet is improved.
- CHANGED: The Encrypter Lua class can now use passwords with a \0 character inside.
- CHANGED: The parameter StoreProperties of the IdentityCreationFilter now accepts names that should not be stored.
- CHANGED: The AutoRewrite parameter in the HttpConnectorServlet is improved and now supports Link as well.
- CHANGED: The navajo.dtd file and the navajo.xml template are refactored.
- UPGRADED: OpenSSL is upgraded to 1.1.1q.
- UPGRADED: Apache httpd is upgraded to 2.4.54.
- DEPRECATED: The parameter OriginalUrl.SecretKeyFile in the IdentityCreationFilter is deprecated.
- DEPRECATED: The parameter OutboundProxyAuthorization is deprecated.
- DEPRECATED: The Apache directive SSLCertificateChainFile in navajo.xml is deprecated.
- DEPRECATED: The values 'true' and 'false' of the parameter InterceptionRedirect in the IdentityCreationFilter are deprecated.
- DEPRECATED: The undocumented parameter RemoveIntereceptedRequestAfterAuthentication is deprecated. Use the parameter 'OriginalUrl.Enable' instead.
- DOCUMENTATION: Improved the DelegatePostTarget description of the DelegationFilter.
- DOCUMENTATION: We added the chapter Filter and Servlet configuration.
- DOCUMENTATION: We improved the description of the DynamicConfigFilter .
Notes
Backward compatibility issues
- Because the parameter AutoRewrite of the HttpConnectorServlet now supports the rewriting of the Link header, a LuaFilter configured for the same purpose would perform a second rewriting, and the Link header would no longer work correctly. If you configured such a filter, you can remove it, provided the AutoRewrite parameter in the HttpConnectorServlet has the Link header rewriting enabled.
- The Encrypter Lua class now handles passwords that contain zero characters (\x00), as well as failed decryptions, differently.
- The default RequestFlags of the RewriteFilter and InflateFilter changed: +PRUNE_ACCEPT_ENCODING, which modifies the Accept-Encoding request header.
- The default value for the Frontend connectors' SSLHonorCipherOrder is changed to "on".
- The default value for the Server's LogFormat is changed to ""%h %l %u %t \"%r\" %>s %b %{content-length}i %T \"%{Referer}i\" \"%{User-Agent}i\" trID=%{UNIQUE_ID}e"".
- The Engine/Host/Context/trailingSlashRedirect option's default value is changed to "true".
nevisProxy 5.2.0 - 18.5.2022
Changes and new features
- NEW: We added the parameter IdleTimeout to the WebsocketServlet.
- NEW: We added the bc property ch.nevis.nevisproxy.LocalLogFileName to enable trace levels based on the incoming request.
- NEW: We added the parameter KeepHeaders to the ErrorFilter.
- NEW: We added the parameter RequestUri.AdaptCookiePath to HttpConnectorServlet.
- NEW: We added the LuaFilter JWT handler class nevis.util.jwt.
- FIXED: gzipped responses were not handled correctly by the RewriteFilter. The issue is now fixed.
- FIXED: The custom SessionManagementFilter sometimes lost the child session when Custom.BindToParentSession.MaxSessionsPerParent was set. The issue is now fixed.
- FIXED: We fixed the open redirect issue to an external website when the IdentityCreationFilter was mapped to /*.
This is a security fix for a medium severity issue (open redirect). From now on, redirects starting with // or / URL-encode the second slash to avoid a redirect to a malicious page. Update your system according to your risk tolerance and processes.
- FIXED: We fixed the possible NullPointerException if the tracegroup NPSession was set to DEBUG_HIGH.
- FIXED: We improved the TLS-based SessionManagementFilter for use with a client certificate (session loss).
- FIXED: RenegotiateSSL call for HTTP/2 and TLSv1.3 is now ignored, and no error is traced.
- FIXED: We fixed the bug where the ICAPFilter did not work correctly with the dynamic session store. The session cookie was not sent in all cases.
- FIXED: We improved the session creation when several filters try to create the session in the same request.
- CHANGED: We improved the NOTICE message in case of IP address changes in the DNSCache of HttpConnectorServlet.
- CHANGED: The bc property ch.nevis.bc.sql.mysql.RetriesOnLockWaitTimeOut now checks for lock wait timeout.
- UPGRADED: OpenSSL is upgraded to 1.1.1n.
- UPGRADED: Nghttp is upgraded to 1.47.0.
- UPGRADED: Apache is upgraded to httpd/2.4.53.
- DEPRECATED: The SSL-based client identification including legacy and dynamic session management is deprecated.
- DEPRECATED: The SAMLErrorFilter is deprecated.
- DEPRECATED: The attribute path in the context section in navajo.xml is deprecated.
- DEPRECATED: The attribute DocumentRoot in navajo.xml is deprecated.
- REMOVED: We replaced the error code [BASE-0031] with a NOTICE.
- DOCUMENTATION: We improved the documentation on overwriting filter and servlet parameters.
- DOCUMENTATION: We added encryption examples using Lua.
- DOCUMENTATION: We added HTTP/2 Server push and Early Hints examples.
- DOCUMENTATION: We improved the Lua Cipher, Encrypter and Verifier documentation.
- DOCUMENTATION: We added an example of AuditLog file rotation with ModSecurity.
Notes
- For the dynamic session store to accommodate bigger values, the datatype of the VALUE column in the ATTRIBUTE table changed from VARBINARY(60000) to MEDIUMBLOB as default. For new instances, the SQL scripts are adapted. For existing instances, you can execute the following SQL command on the database:
ALTER TABLE attribute MODIFY VALUE MEDIUMBLOB;
- The SessionManagementFilter was modified to allow using client certificates in combination with the TLS client identification. Existing setups should continue to work as before. However, we recommend testing your authentication flows before deploying to production. There are some configuration steps to perform to use a TLS-based SessionManagementFilter with client certificates. See the Identification parameter in SessionManagementFilter for details.
Backward compatibility issues
- Due to a security fix, redirects starting with // or / URL-encode the second slash to avoid a redirect to a malicious page.
- Due to systemd limitations, the directories of an instance have to belong to the User configured in the systemd configuration file: /usr/lib/systemd/system/[email protected]. On a newly installed nevisproxy package, the value is set to root.
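As an added illustration of the redirect neutralization described above (Python written for these notes, not nevisProxy's own code): a Location value whose second character is a slash has that character percent-encoded, so the browser treats the target as a path on the current host instead of as a scheme-relative URL. The example also treats a backslash in the second position the same way, because browsers that follow the WHATWG URL parser read "/\host" like "//host"; that extension and the sample header values are assumptions, not something the notes state.

```python
from urllib.parse import quote

# Second characters that turn a "/..." Location value into a scheme-relative
# URL. The backslash case is an assumption for this example: browsers that
# follow the WHATWG URL parser treat "\" like "/" in http(s) URLs.
SCHEME_RELATIVE_SECOND_CHARS = ("/", "\\")


def is_scheme_relative(location: str) -> bool:
    """True if a redirect target would send the browser to another host."""
    return (
        len(location) >= 2
        and location[0] == "/"
        and location[1] in SCHEME_RELATIVE_SECOND_CHARS
    )


def neutralize_redirect_target(location: str) -> str:
    """Percent-encode the second character of a "//..." or "/\\..." target.

    "/%2Fattacker.example" is a plain path on the current host, so the
    redirect can no longer leave the site. Any other value (a local path,
    or an absolute URL that other policy has to vet) is returned unchanged.
    """
    if is_scheme_relative(location):
        return location[0] + quote(location[1], safe="") + location[2:]
    return location


def check_location_headers(headers):
    """Run the check over (name, value) pairs as a response filter would.

    Returns the header list with every Location value neutralized and a
    list of the original values that were changed, for auditing.
    """
    rewritten = []
    changed = []
    for name, value in headers:
        if name.lower() == "location":
            fixed = neutralize_redirect_target(value)
            if fixed != value:
                changed.append(value)
            rewritten.append((name, fixed))
        else:
            rewritten.append((name, value))
    return rewritten, changed


if __name__ == "__main__":
    # Constructed sample response headers, not captured traffic.
    sample = [
        ("Location", "//attacker.example/login"),
        ("Location", "/app/home"),
        ("Set-Cookie", "Navajo=abc; Path=/; Secure"),
    ]
    fixed_headers, neutralized = check_location_headers(sample)
    print(fixed_headers)
    print("neutralized:", neutralized)
```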
nevisProxy 5.1.1 - 23.3.2022
Changes and new features
- UPGRADED: to OpenSSL 1.1.1n.
- UPGRADED: to nghttp 1.47.0.
- UPGRADED: to Apache httpd/2.4.53.
nevisProxy 5.1.0 - 16.2.2022
Changes and new features
- NEW: The HttpsConnectorServlet now supports OutboundProxyAuthorization.
- NEW: The BackendConnectorServlet now uses the default ports if none is defined (80 for http, 443 for https).
- NEW: The parameter IsAliveURI in the LoadBalancerServlet.
- NEW: The parameter Secure.Cache of the BackendConnectorServlet.
- FIXED: Cookies with an empty value coming from the frontend were not handled correctly by the CookieManager. The issue is now fixed.
- FIXED: The parameter SSLOpenSSLConfCmd of the HttpsConnectorServlet did not work correctly for certain use cases. The issue is now fixed.
- FIXED: The InitialURI of the IdentityCreationFilter was sometimes ignored. The issue is now fixed.
- FIXED: The NEEDS_SWITCHING_PROTOCOLS request flag did not work correctly when configured in an ICAPFilter or RewriteFilter.
- FIXED: Multithreading improvements in the MemoryLeakFilter.
Never use this filter in production and only if instructed by support.
- CHANGED: The ModSecurity rules matching a request are now traced as NOTICE.
- UPGRADED: Apache is upgraded to httpd/2.4.52.
- UPGRADED: OpenSSL is upgraded to 1.1.1m.
- UPGRADED: ModSecurity is upgraded to 3.0.6.
- DEPRECATED: The undocumented bc property ch.nevis.navajo.RestartAfterHsmError.
- DEPRECATED: The filters and servlets are now allocated dynamically at startup. Therefore the directives memoryProtection, memorySize, memoryType, and memoryAnonymous in navajo.xml are deprecated and ignored.
- DOCUMENTATION: The documentation of the HeaderDelegationFilter is improved.
- DOCUMENTATION: The Conditional parameters chapter is improved.
Notes
The following parameters and attributes are deprecated:
- memoryProtection, memorySize, memoryType, and memoryAnonymous in navajo.xml.
Backward compatibility issues
- Due to improved IPv6 support for the backend connections configured in web.xml, nevisProxy may fail to connect to the backend if the hostname resolves to an IPv6 address but the backend does not support or is not configured for IPv6. This can happen if the hostname (for example, localhost for a local connection to nevisAuth) was stored in /etc/hosts for both IPv4 and IPv6 addresses, but the host does not support IPv6. Generally, we do not recommend using localhost in your web.xml.
- Due to the Apache upgrade to version 2.4.52, the functionality controlled by the undocumented bc property ch.nevis.navajo.RestartAfterHsmError no longer works; therefore, the property is deprecated.
- In the ModSecurityFilter, the logged lines for matched rules have been refactored. Check if your setup depends on these log lines, and adapt them to your needs:
- The matched rules always have the log level NOTICE.
- Duplicated information has been removed.
nevisProxy 5.0.0 - 17.11.2021
Changes and new features
- NEW: We added the parameter InvalidateSessionOnStateRemoval in IdentityCreationFilter.
- NEW: We added the parameter ForcedParameterNames in SessionManagementFilter.
- NEW: We added the parameter SendLoginCookie.ExtraAttributes in IdentityCreationFilter.
- NEW: We added the parameter SSLOpenSSLConfCmd in HttpsConnectorServlet.
- NEW: We added the parameter SupportIfModifiedSinceHeader in DefaultServlet.
- NEW: We added the LoadBalancerServlet.
- NEW: We added the parameters StrategyType and StrategyType.SubType in the MySQLSessionStoreServlet.
- FIXED: Uploads of requests with a Content-Length bigger than 2GB were blocked by an error. The issue is fixed now.
- FIXED: 'Multiple reaping of MultiLevelSessionStore' caused a problem when a RemoteServlet was configured. The issue is fixed now.
- FIXED: The DelegateFromTx parameter of the ModsecurityFilter now supports phase 5.
- CHANGED: The BackendConnectorServlet no longer sends any 'keep-alive' header for HTTP/1.1 connections.
- CHANGED: The default values for TLS cipher suites and protocols now match the secure ones for frontend and backend connections.
- UPGRADED: To Apache httpd 2.4.51.
- UPGRADED: To mod_qos 11.68.
- UPGRADED: To OpenSSL 1.1.1l.
- UPGRADED: To ModSecurity 3.0.5.
- UPGRADED: To Lua 5.4.3.
- REMOVED: The remote (MySQL) legacy session store.
- REMOVED: The deprecated nevisProxy commands.
- REMOVED: The deprecated AuditFilter.
- REMOVED: The undocumented PCREUTF8 option for regular expressions (use PCRE(utf8) instead).
- REMOVED: The all-SSLv2 TLS protocol.
- REMOVED: The deprecated parameters CarrierVersion, Verbose (in the Core tag), and DefaultType in navajo.xml.
- REMOVED: The undocumented authentication method "join" in the EsAuth4ConnectorServlet.
- REMOVED: The deprecated parameters of the UnbluFilter.
- REMOVED: The deprecated RedirectFormFilter.
- REMOVED: The deprecated SessionResourceFilter.
- REMOVED: The deprecated profiles and parameters of the InputValidationFilter.
- REMOVED: The deprecated RLIMIT_ parameters from navajo.xml.
- REMOVED: The deprecated EngineLeaksOnCascadeDelete parameter of the MySQLSessionStoreServlet.
- REMOVED: The deprecated parameters org.apache.host and org.apache.location of the RewriteFilter.
- REMOVED: The parameter ProActive from the WebSocketServlet.
- REMOVED: The QoS element from the navajo.xml configuration file.
- REMOVED: The deprecated UserStatusServlet.
- REMOVED: The deprecated parameter LimitUserLogins from IdentityCreationFilter.
- REMOVED: The deprecated attribute MaxClientsPerIpAddr.
- REMOVED: The deprecated VirtualSessionFilter.
- REMOVED: The parameter ExclusiveSessionLock of IdentityCreationFilter.
- REMOVED: The Apache directive SSLLogLevel.
- DOCUMENTATION: The duplicated HTTP-0082 error code is now fixed.
- DOCUMENTATION: We added the property ch.nevis.bc.net.MaxHeaders.
Notes
We removed the parameter ExclusiveSessionLock of IdentityCreationFilter and SecurityRoleFilter. If set to "false", this parameter had the side effect that a session was completely invalidated if several IdentityCreationFilters or SecurityRoleFilters shared the same StateKey. To obtain the same behavior, the parameter 'InvalidateSessionOnStateRemoval' has been introduced. We therefore recommend setting InvalidateSessionOnStateRemoval to "true" wherever you had set ExclusiveSessionLock to "false".
The AuditFilter is now removed. Use LoggerFilter instead.
Instead of the removed Apache directive 'SSLLogLevel', use the directive 'LogLevel' under the Server tag in navajo.xml. For further information on how to configure the LogLevel directive, see Server configuration.
From now on, nevisProxy uses the default open files resource limit of the system. See the Increase the number of open file descriptors sub-chapter on how to increase it, if your system default is not high enough.
If upgrading to release 5.0.0, make sure that you remove all deprecation notices of your existing setup, otherwise nevisProxy may not start with version 5.x.
Also read the release notes of nevisProxy version 4.6.0.
nevisProxy 4.6.0 - 18.8.2021
Changes and new features
- NEW: As of this release, the following parameters are new:
- NEW: Support for RHEL8 and SLES15 is now available.
- NEW: The Lua SecToken object includes the new methods getTimeToLive and getSignTime.
- NEW: The StatusServlet now provides information about dynamic session stores.
- NEW: The Apache module mod_remoteip is now delivered with the package.
- CHANGED: The default value of the server configuration attribute LimitRequestFields has been changed from "20" to "50".
- CHANGED: The hostname verification of the backends has been improved.
- FIXED: The CacheFilter erroneously did not cache a direct answer from nevisAuth. This bug has been fixed.
- FIXED: An incorrect error message was triggered during the verification of the database schema if an SSL-based MysqlSessionStoreServlet was configured. This bug has been fixed.
- FIXED: The SoapFilter did not work correctly if it was mapped after a ModSecurityFilter. This bug has been fixed.
- FIXED: A core dump could occur if the MariaDB server lost its connection. This bug has been fixed.
- UPGRADED: mod_sslcrl, to version 2.1.
- UPGRADED: Apache httpd, to version 2.4.48.
- DEPRECATED: As of this release, the XMLValidationFilter is deprecated.
- DEPRECATED: As of this release, some commands of the nevisProxy command-line interface (CLI) are deprecated. For more information, see the section "Saving and reloading server configurations" of the chapter "Server handling" in the nevisProxy reference guide.
Notes
- The deprecated and undocumented SERVER_FDLIMIT configuration parameter has been removed. From now on, nevisProxy uses the default open files resource limit of the system.
- There are some changes in the nevisProxy command-line interface (CLI):
- This nevisProxy 4.6.0 August 2021 release is the last version of the current rolling release (4.x). It will become the base of the next LTS release in November (4.6.x). The nevisProxy LTS version 4.6.x will support both RHEL7 and RHEL8 as well as SLES15, with its own .rpm file for each distribution. As of November, the major versions of the new rolling releases start with version number "5". The nevisProxy rolling releases 5.x will only support RHEL8 and SLES15. The coming November rolling release will have backward-compatibility breaking changes. These breaking changes include
Major backward-compatibility change
The peer hostname check of the backend connections has been refactored. It now performs additional validations besides the check against the CN/SAN of the certificate. Therefore, if the peer hostname check is enabled, it is now mandatory to configure the CA of the peer's node certificate. For backward-compatibility reasons, the flag bc.net.ssl.EnableLegacyHostnameCheck has been added, allowing you to switch back to the previous mechanism. For more information, check the parameter SSLCACertificateFile of the HttpsConnectorServlet, or the parameter Secure.CACertificateFile of the BackendConnectorServlet.
nevisProxy 4.5.1 - 25.6.2021
Changes and new features
- UPGRADED: Apache httpd, to version 2.4.48.
Notes
KNOWN BUG: nevisProxy version 4.5.x contains a schema check, which in combination with a bug in MariaDB 10.3 or 10.4 falsely returns the information that the schema is wrong. If you are on an affected MariaDB version, ignore this error. nevisProxy version 4.6.x (to be released in August) will include a parameter to disable this check.
nevisProxy 4.5.0 - 19.05.2021
Changes and new features
- NEW: The following properties and parameters are new:
- NEW: The SecurityRoleFilter includes the new parameter InvalidateOnError, which is set to "true" by default. As a consequence, the SecurityRoleFilter now automatically invalidates a session if nevisAuth returns an error.
This change may break backward-compatibility. For more information, see the section Backward-compatibility issues further below.
- NEW: The database information schema for the remote session store is now checked on start-up.
- CHANGED: The StatusServlet has been refactored. We have removed
- CHANGED: nevisProxy will now periodically try to reload a file for a dynamic file parameter after a failed first attempt, until the file is successfully loaded.
- CHANGED: In case of an error, the root error as well as follow-up messages are logged. The root error is logged as ERROR, the follow-up messages as NOTICE or INFO, depending on their severity.
- CHANGED: We have improved the uniqueness of buffered file names.
- FIXED: The default for the required parameter SSLCheckPeerHostname.AllowWildcards was missing in all servlets that support TLS. This bug is fixed.
- FIXED: TLS-based session identification did not work with HTTP/2. This bug is now fixed.
TLS identification will only work in a limited way if HTTP/2 is enabled. Take into account the following points (the list is not complete):
Generally, we recommend that you avoid using TLS identification with HTTP/2 or TLSv1.3.
- FIXED: If an IdentityCreationFilter was placed behind a ModsecurityFilter, JSON parameters were not passed to nevisAuth. This bug is now fixed.
- FIXED: No events were set for AuthDirect response states from nevisAuth. This bug is now fixed.
- FIXED: The local port was not traced for SSL-based connections (HttpsConnectorServlet). This bug is now fixed.
- FIXED: Multiple error messages occurred when a connection was closed by the frontend, and an EncryptionFilter was involved. This bug is now fixed.
- UPGRADED: OpenSSL is upgraded, to version 1.1.1k.
- UPGRADED: The HTTP/2 handling library for frontend connections is upgraded.
- DEPRECATED: The following parameters of the RewriteFilter are deprecated:
You can use the ApacheConfigFilter instead.
- DEPRECATED: The parameter ch.nevis.isiweb4.ssl.* of the IdentityCreationFilter is deprecated. You can use the ApacheConfigFilter instead.
- DEPRECATED: The parameter EngineLeaksOnCascadeDelete of the MysqlSessionStoreServlet is deprecated.
Notes
Backward-compatibility issues
- nevisProxy now supports SSL identification with HTTP/2. Because of this, nevisProxy may behave slightly differently in case of TLS identification. We recommend testing your new setup, to make sure it works as expected.
- The SecurityRoleFilter now automatically invalidates a session if nevisAuth returns an error. This new behavior may break backward-compatibility. If you run into problems because of this, set the filter's new parameter InvalidateOnError to "false". This restores the previous behavior. Also contact Nevis Support so that we can analyze the problem.
For security reasons, setting the parameter InvalidateOnError to "false" is not recommended.
- The JsonFilter and SoapFilter no longer accept the values "true" and "false" for the parameter BlockOnError. For a description of the allowed parameter values, see the chapters "JsonFilter" and "SoapFilter", respectively.
nevisProxy 4.4.1 - 08.04.2021
Changes and new features
- UPGRADED: OpenSSL, to version 1.1.1k.
nevisProxy 4.4.0 - 17.02.2021
Changes and new features
- NEW: The ModSecurityFilter includes a new parameter: AlertLevel.
- NEW: The LuaFilter includes a new class: nevis.crypto.verifier.
- NEW: This document contains a new appendix about sizing parameters: Appendix G - Sizing Parameters in the Nevis Proxy.
- NEW: There is a new trace group: NPPerfMeter (full name: BC.Tracer.DebugProfile.NPPerfMeter).
- CHANGED: The default value of the attribute SSLSNISupport in the HttpsConnectorServlet and the WebSocketServlet is now "true".
- CHANGED: The default value of the attribute (flag) ProActive in the WebSocketServlet is now "false".
This change may break backward compatibility. If problems occur with the new default value, re-set the ProActive flag to "true", and contact nevisProxy support.
- CHANGED: The default value of the low-level bc property ch.nevis.bc.net.multipart.formdata.rfccompliant is now "true".
This change may break backward compatibility. For more details, see the Backward-compatibility issues further below.
- CHANGED: The filter parameter checks for the UnbluFilter have been improved.
This change may break backward compatibility. For more details, see the Backward-compatibility issues further below.
- CHANGED: The handling of the race conditions for the MultiLevelSessionStoreServlet has been improved.
- CHANGED: The script keystorepwget is now part of nevisProxy. Previously, it belonged to nevisKeyBox.
- FIXED: The bug where the UnbluFilter handled compressed bodies incorrectly.
- FIXED: The bug where the attribute DelegatePostResendStatus of the DelegationFilter did not always work correctly if a backend sent a redirect.
- FIXED: The bug where relative redirection URLs were wrongly adapted by the Navajo container.
- FIXED: The bug where the parsing of numeric values in the bc.properties file failed in case of trailing spaces.
- FIXED: The bug where the system decrypted two slashes instead of one when the UrlEncryptionFilter was used.
- FIXED: The bug that made it impossible to use a BackendConnectorServlet as a servlet in the ErrorFilter.
- UPGRADED: OpenSSL, to version 1.1.1i.
- DEPRECATED: The attribute (flag) ProActive of the WebSocketServlet.
- DEPRECATED: The RedirectFormFilter.
Notes
- To accommodate longer names, the NAME column in the ATTRIBUTES table now uses the type VARCHAR(200) as default. You can migrate the old tables with the following SQL statement (change the table name if needed):
ALTER TABLE attribute MODIFY name VARCHAR(200);
Backward-compatibility issues
Requests with content type "multipart/form-data" are now allowed to have preamble and epilogue parts. For more information, see the low-level parameter ch.nevis.bc.net.multipart.formdata.rfccompliant in the chapter "Low-level properties".
Due to a wrong configuration, a core dump could occur in the UnbluFilter. To avoid this, some checks have been added to the following parameters of the UnbluFilter:
With these new checks, the UnbluFilter may no longer work if the new conditions are not met. In case the checks fail, you need to adjust the configuration of your UnbluFilter according to the above-mentioned new settings.
nevisProxy 4.3.1 - 16.12.2020
Changes and new features
- UPGRADED: OpenSSL, to version 1.1.1i.
nevisProxy 4.3.0 - 18.11.2020
Changes and new features
- NEW: There is a new chapter about the integration of Securosys Cloud HSM into nevisProxy.
- NEW: The Lua session object contains two new methods: getLastTimeStamp and getSecondsUntilTimeout.
- NEW: The DefaultServlet contains a new parameter: NoMatchingFile.StatusCode.
- NEW: The WebsocketServlet contains a new parameter: UpdateSessionInterval.
- NEW: The MultiLevelSessionStore now supports custom and SSL-based sessions.
- CHANGED: The parameter UpdateTimeStampMinInterval of the SessionManagementFilter has a new default value: "60" (seconds). The old default was "0".
- FIXED: The issue with the CacheFilter sending incomplete responses back to the frontend. This is a follow-up fix.
- FIXED: The bug in the IdentityCreationFilter, which caused a redirection to occur after a login. This happened when the filter parameter InterceptionRedirect was set to "never" and the parameter OriginalUrl.Enable was set to "true".
- FIXED: The bug where the parameter ResponseLogoutHeader of the IdentityCreationFilter was ignored if an UnbluFilter was involved.
- FIXED: The bug that made it impossible to set the parameter Transport.DNSCache.ttl for the EsAuth4ConnectorServlet.
- UPGRADED: OpenSSL, to version 1.1.1h.
- UPGRADED: Apache httpd, to version 2.4.46.
- DEPRECATED: The QoS tag of the navajo.xml file.
Notes
- The QoS (Quality of Service) tag of the navajo.xml file has been deprecated. To configure QoS directives, use the ApacheConfigFilter instead. For more information, see chapter "Attack prevention strategies by mod_qos" (in "Use Cases and Best Practices" > "Protecting web applications").
- The parameter UpdateTimeStampMinInterval of the SessionManagementFilter has a new default value: "60" (1 min). The previous default value, "0", caused the session timestamp to be updated each time a request accessed a session. The new default value reduces the session update interval to one minute, which in turn reduces the load of unnecessary calls to the session store. This is especially beneficial for remote session stores. As a consequence, a session may expire 1 minute before it reaches its maximum lifetime or maximum inactive interval (configured in the parameters MaxLifetime or MaxInactiveInterval, respectively).
- Conditional mapping of IdentityCreationFilters, for instance by using a FilterMappingFilter, can impact the client authentication with a certificate. Chapter "IdentityCreationFilter" explains how to configure the IdentityCreationFilter to request the client certificate with a conditional filter mapping.
nevisProxy 4.2.0 - 19.08.2020
Changes and new features
- NEW: The library libnevisproxypkcs11engine.so is now part of the package.
- NEW: The TCP source port of the Http[s]ConnectorServlet is now also traced.
- NEW: Custom events for the LuaFilter are now available. Furthermore, the LuaFilter includes a new tracer method for tracing data.
- NEW: The UrlEncryptionFilter now contains the new parameter Encryption_ExtendedHtmlUrlEncrypter_Patterns.
- NEW: There is a new experimental servlet, the BackendConnectorServlet.
- NEW: There are two new request flags (technical name RequestFlag):
- CHANGED: The value of the parameter KeepAlive of the Http[s]ConnectorServlet is now "true" by default.
- CHANGED: It is now possible to set the parameter KeepAlive.ByClient to "false" for the WebSocketServlet.
- CHANGED: The tracing of the WebSocketServlet has been improved.
- CHANGED: The UnbluFilter integration for the Unblu server version 6 has been improved. Furthermore, the parameters UnbluApiKey and UnbluCompatMode of the UnbluFilter have new default values.
- CHANGED: For the dynamic session store, the datatype of the column ATTRIBUTE_ID in the attribute table has been changed from INT to BIGINT.
- CHANGED: The parameter DNSCache.ttl of the HttpConnectorServlet, EsAuth4ConnectorServlet and WebSocketServlet now has a default value: "3600".
- CHANGED: The SSL cache no longer stores certificates.
- CHANGED: The error handling has been improved.
- FIXED: The bug where the LocalSessionStore did not always work when it was configured in two or more different virtual hosts.
- FIXED: The bug where the WebsocketServlet closed the connection because the session was not updated.
- FIXED: The bug where the ModSecurity audit log was not correct when the backend sent a status code 500.
- FIXED: The bug where the ModsecurityFilter did not block the response body after a part was already committed.
- FIXED: The bug where the backend was sometimes marked as "down" when the client closed the connection. This bug was introduced in version 4.0.0.
- FIXED: The bug where the backend sent a partial response but the frontend received the response as complete.
- FIXED: The bug where the connections were not listed correctly with the nevisproxy status command.
- FIXED: The error message regarding a disabled SSL cache has been improved.
- DEPRECATED: The following parameters of the UnbluFilter are deprecated. You can use the parameter OriginalUrlPrefix instead.
- DEPRECATED: The SessionResourceFilter.
- DEPRECATED: The undocumented parameter RemoveInterceptedRequestAfterAuthentication of the IdentityCreationFilter.
Notes
Automatic parsing
The automatic parsing of requests with content type "x-gwt-rpc" is only enabled by default for the InputValidationFilter. With the new request flag NEEDS_GWT_PARSING, you can now manually set this feature for other filters too, if necessary.
Backward compatibility issues
The following changes may cause backward compatibility issues:
- The default value for the parameter UnbluCompatMode of the UnbluFilter has been changed from "-1" (legacy) to "5". As a consequence, the UnbluFilter may no longer work correctly, especially if one of the following conditions is true:
In those cases, either set the parameter UnbluCompatMode to "-1", switch to UnbluServer version 5 or more, or replace/remove the (deprecated) parameters BaseUrlPattern or BaseUrlHeader.
For the dynamic session store, the datatype of the column ATTRIBUTE_ID in the attribute table has been changed from INT to BIGINT. Depending on the amount of data, the maximum size of an INT may otherwise be reached, which causes the proxy to stop working correctly. You can migrate an existing table with the following SQL statement:
alter table attribute MODIFY column ATTRIBUTE_ID BIGINT NOT NULL AUTO_INCREMENT;
It is recommended that you execute this command when there is no load on the database.
The Navajo-based SSLCache now behaves like the Apache SSLSessionCache. As a consequence, some certificate-based logins may behave differently.
The default value for the KeepAlive parameter of the HttpConnectorServlet has been changed from "false" to "true". This may cause your backend to stop working correctly if it does not support keep-alive requests.
When a filter or servlet blocked a request due to a security issue, either the status code 500 or 403 was sent to the frontend, depending on the position on which the filter or servlet was mapped. Now the system always sends a status code 403 (Forbidden) to the frontend, independent of the mapping position.
nevisProxy 4.1.1 - 15.06.2020
Changes and new features
- CHANGED: The UnbluFilter integration for the Unblu server version 6 has been improved.
- FIXED: The bug that caused a memory leak in OpenSSL 1.1.1 in combination with an EncryptionFilter is now fixed.
- FIXED: The bug where a backend was sometimes marked as 'down' when the client in fact closed the connection (introduced in version 4.0.0) is now fixed.
nevisProxy 4.1.0 - 20.05.2020
Changes and new features
- NEW: The PKCS#11 URL now includes the option pinfile.
- NEW: nevisProxy now provides an example on how to use the LuaFilter, instead of the tracegroup NavajoOp, for tracing.
- NEW: The IdentityCreationFilter now contains the new parameter RenegotiateCookieOnAuthContinue.
- NEW: The Navajo servlet container now includes the low-level property ch.nevis.navajo.AllowMultipleMapping.
- NEW: The ModsecurityFilter now supports response body rules.
- NEW: The parameter BodyRequired of the IcapFilter is now conditional.
- NEW: The following RequestFlag is new: NEEDS_FORM_MULTIPARTS.
- NEW: The experimental MultiLevelSessionStoreServlet is available as of this release.
- CHANGED: The LuaFilter no longer drops the content-length header if no output function name is available. You set the output function name in the filter parameter Script.OutputFunctionName.
- CHANGED: The Navajo server attribute MaxKeepAliveRequests now has a default value of "100" in the Navajo configuration.
- CHANGED: The local session store now provides an improved session reaper. You specify the local session store with the LocalSessionStoreServlet.
- FIXED: The bug where a request was blocked for 30 seconds when you used TLSv1.3 together with client certificate authentication.
- FIXED: The bug where a ServletException could occur if your setup included a SecurityRoleFilter.
- FIXED: The ModSecurity bug related to target exclusions.
- FIXED: The bug where some filters and servlets did not work correctly when they were mapped after a ModSecurityFilter.
- FIXED: The bug where websocket connections did not work when they were mapped after a ModSecurityFilter.
- FIXED: The issue with the memory leak in OpenSSL 1.1.1.
- FIXED: The bug where the CacheFilter cached an incomplete response.
- FIXED: The bug that caused a NullPointerException when a script in the LuaFilter set an unknown event.
- UPGRADED: OpenSSL, to version 1.1.1g.
- UPGRADED: mod_setenvifplus, to version 0.39.
- UPGRADED: Apache httpd, to version 2.4.43.
- DEPRECATED: The Kerberos parameters of the DelegationFilter have been deprecated. This includes the following parameters: Kerberos.Delegation, Kerberos.ConfigFile and Kerberos.Policy.
Notes
- The StatusServlet is no longer deprecated.
nevisProxy 4.0.1 - 17.04.2020
Changes and new features
- NEW: The IdentityCreationFilter contains the new parameter RenegotiateCookieOnAuthContinue.
- NEW: There are two new RequestFlags: NEEDS_FORM_MULTIPARTS and NEEDS_SWITCHING_PROTOCOLS.
- CHANGED: The session reaper of the local session store has been improved.
- FIXED: The bug where the CacheFilter cached an incomplete response.
- FIXED: The ModSecurity bug related to target exclusions.
- FIXED: The bug where some filters and servlets did not work correctly if they were mapped after a ModSecurityFilter.
- FIXED: The bug where websocket connections did not work if they were mapped after a ModSecurityFilter.
- UPGRADED: mod_setenvifplus, to version 0.39.
Notes
Due to the upgrade of mod_setenvifplus to version 0.39, the directive SetEnvIfCmpPlus no longer silently ignores extra arguments. A configuration that passes extra arguments to SetEnvIfCmpPlus now fails with an error and must be corrected before the proxy starts.
For security reasons, the IdentityCreationFilter now contains the new parameter RenegotiateCookieOnAuthContinue. The parameter is enabled by default to prevent session fixation attacks. The introduction of this parameter can lead to backward compatibility issues, especially if parallel requests take place during the authentication phase. To avoid this, make sure that parallel requests which do not need authentication are not mapped to the IdentityCreationFilter.
nevisProxy 4.0.0 - 19.02.2020
Changes and new features
- NEW: The following filters have new parameters:
- NEW: The [ModSecurityFilter] now supports response header rules.
- NEW: This release includes the new binary [nevisproxy_pkcs11]. The nevisproxy_pkcs11 command dumps information about, and the contents of, PKCS#11 (Cryptoki) devices.
- NEW: The nevisProxy package now includes sample code that removes a same-site cookie if such a cookie is not supported by the browser. Once you have installed nevisProxy, you will find the file with the code example here: opt/nevisproxy/examples/various/LuaFilter_remove_samesite_none_cookie.example
- CHANGED: As of this release, the cookieHttpOnly parameter of the UserAgent section in the navajo.xml file is only valid for the cookies of the legacy session management. For all other cookies, this parameter is now ignored.
- CHANGED: The event Multi-Processing Module (MPM) replaces the "old" worker MPM in the Apache httpd server. As a consequence, the proxy may fail to start with the existing configuration. In this case, increase the value of the MaxClients parameter in the [Server tag] of the navajo.xml file.
- CHANGED: The session reaping in the [MysqlSessionStoreServlet] has been improved. See the [Notes] further below for instructions.
- FIXED: Several issues that caused a possible buffer overflow. These overflows could happen either under certain Linux flavors or when using an instance created with an older version of nevisAdmin 4 (< 4.3).
- FIXED: The bug where a password-protected SSLClientKeyFile in the [HttpsConnectorServlet] did not work as expected.
- FIXED: The bug where the [IdentityCreationFilter] complained about the buffer size for username/password logins.
- FIXED: The bug where the open connections to MariaDB were not always closed when session reaping was off.
- FIXED: The bug where an open WebSocket connection did not close after the session timed out.
- FIXED: The bug where sessions terminated by nevisAuth were not removed in nevisProxy when session reaping was disabled in the [MySQLSessionStoreServlet] (that is, when the servlet attribute SessionReaping was set to "OFF").
- FIXED: The memory leak in the [LuaFilter], caused by a modification of the content-length header by the configured Lua script (introduced in version 3.14.2.0).
- UPGRADED: The default cipher suites.
- UPGRADED: The default SSLProtocol configuration.
- UPGRADED: ModSecurity, to version 3.0.4.
- DEPRECATED: The VirtualSessionFilter.
- DEPRECATED: The undocumented AuthState Join.
- DEPRECATED: The undocumented authentication type HeaderBasedAuthClient.
- DEPRECATED: The "DB Node Affinity" configuration of the MysqlSessionStoreServlet. Find more details about this configuration in DB node affinity.
- DEPRECATED: The following parameters of the [InputValidationFilter]:
- DEPRECATED: The attribute [MaxClientsPerIpAddr].
- DEPRECATED: The legacy, container-based session management handling. Click [here] for a description of the legacy session handling.
Removed
For this release, the nevisProxy software has been cleaned of software elements that were deprecated, undocumented, or unused.
Removed from the reference guide
Note that the removed software elements are not only removed from the code - you will also not find them in the reference guide anymore. If you need information about these elements, have a look at the reference guides of earlier nevisProxy releases.
The removed elements are:
- The deprecated SSL protocol SSLv3.
- The deprecated ApacheServlet.
- The following deprecated filters:
- The certificate verification before booting nevisProxy.
- The deprecated local-memory cache provider (technical expression: LocalMemoryCacheProvider).
- The deprecated log analyzer files written in Perl.
- All attributes in the navajo.xml file that were deprecated in the past. This includes the following attributes:
- The following deprecated parameters of the [HttpConnectorServlet]:
- The following deprecated parameters of the [EncryptionFilter]:
  - ResponseRewrite.JavaScriptRegexps
  - ResponseRewrite.JavaScriptIgnoreQuotes
  - ResponseRewrite.StyleSheetRegexps
  - ResponseRewrite.StyleSheetIgnoreQuotes
- The following undocumented and/or deprecated parameters of the [InputValidationFilter]:
- The following undocumented and/or deprecated profiles of the [InputValidationFilter]:
  - SQL-Injection (deprecated)
  - XSS (deprecated)
  - XSS-MAX (deprecated)
  - XSS-Stricter (deprecated)
  - SQL-Injection-Weak (undocumented)
  - XSS-Strict (undocumented)
- The misspelled and therefore deprecated parameters SplittMultipartBody and SkippResponseHeaderCondition of the [ICAPFilter].
- The deprecated parameter VirtualSession, which was used by the filters [IdentityCreationFilter].
- The renegotiation parameter of the Navajo cookie cache (technical name: NavajoCookieCache).
- The processing flag of the rewrite rules of the [RewriteFilter].
- The deprecated, undocumented cookie rules "on", "always" and "check" of the CookieManager attribute. The CookieManager is used in the [CookieCacheFilter].
- The client identification type "combined" of the identification attribute in the navajo.xml file.
- The undocumented low-level property ch.nevis.navajo.servlet.engine-memory.increment.<servlet-name>.
- The command nevisproxy <instance> reinit.
Notes
Perform the next steps to activate the improved session reaping in the [MysqlSessionStoreServlet]:
max_prepared_stmt_count=<number of instances> * <number of configured connections per instance> * 22;
INSERT INTO conf (CACHENAME, PARAMETER, VALUE) VALUES ('session', 'REAPER', '0');
With this entry in place, the reaper replaces the "0" with its own ID, which ensures that only one reaper is reaping at any given time.
If you used the provided SQL script sessionStoreSetup.sql to set up the database, the above entry is added automatically.
Due to the change in version numbering as of nevisProxy 4.0.0, the command nevisproxy pkg provided with previous releases does not display packages for versions 4.0.0 and above. This only affects the package listing, not the activation of a newer version of the package, for instance with:
nevisproxy pkg activate 4.0.0
The command nevisproxy pkg provided with nevisProxy 4.0.0 and above displays all installed package versions.
- The mod_qos library is now built into nevisProxy, so it must no longer be loaded as a separate module. Perform the following steps if you get this error:
module qos_module is built-in and can't be loaded
LoadModule mod_qos /opt/nevisproxy/lib/libmodqos_2_4.so.1
- The following filters and servlets now use an updated, more secure set of SSL cipher suites: HttpsConnectorServlet, WebSocketServlet, ICAPFilter and Esauth4ConnectorServlet. This also results in a new default setting for the filter/servlet attribute SSLProtocol: "-all +TLSv1.2 +TLSv1.3". Because of this update, backends that only support TLSv1.1 or older no longer work. If so, either adapt the SSLProtocol parameter of the given servlet, or, preferably, upgrade the backend to one of the recommended protocols.
- As of this release, the error handling works differently. nevisProxy now catches errors on filter chain level, instead of on container or servlet level. As a consequence, the proxy handles errors in responses coming from the backend more strictly, and may even block a request if the backend sends unexpected or invalid content in the response.
- The default behavior of the [EsAuth4ConnectorServlet] has changed. The pollTerminatedSession feature is disabled by default, meaning that nevisProxy no longer continuously polls the nevisAuth instance for terminated sessions. If needed, you can re-enable this feature with the new parameter EnablePollTerminatedCalls. If set to "true", nevisProxy again polls nevisAuth and learns about sessions that nevisAuth has terminated.
nevisProxy 3.14.3.2 - 20.11.2019
Changes and new features
- NEW: The [HttpConnectorServlet] includes the new parameter DNSCache.ttl.
- NEW: The [HttpsConnectorServlet] includes the new parameter SSLCheckPeerHostname.AllowWildcards.
- NEW: The [WebsocketServlet] includes the new parameter ProActive.
- NEW: The [ModsecurityFilter] now supports logging rules.
- NEW: The file navajo.xml now contains a variable-replacement mechanism for secret entries.
- NEW: The configuration file [bc.properties] now contains the new bc property ch.nevis.navajo.AllowUnknownParameters.
- NEW: Support of TLS 1.3 is now available (el7 package only).
- CHANGED: The naming of the nevisProxy RPM file has been changed to be in line with the naming of all other Nevis RPM files.
- FIXED: The bug where the MariaDB session reaper did not switch the master and slave when the master went down.
- FIXED: The bug where the query parameters were not passed on to nevisAuth for JSON requests.
- FIXED: The bug where the command nevisproxy <instance> start could create an invalid symlink.
- FIXED: The bug where the [WebsocketServlet] did not reuse the websocket connection.
- FIXED: The bug where the [WebsocketServlet] ignored the parameter ConnectionRetries.
- FIXED: The bug where the IsiwebOp tracegroup no longer traced the IP address. This bug existed since version 3.14.2.0.
- FIXED: The bug where a [ModsecurityFilter] did not work as expected.
- FIXED: The bug where sessions terminated by nevisAuth were not removed in nevisProxy when session reaping was disabled in the MySQLSessionStoreServlet (that is, when the servlet's attribute SessionReaping was set to "OFF").
- FIXED: The bug that caused a memory leak in the LuaFilter when the content-length header was modified by the configured Lua script. This bug was introduced in nevisProxy version 3.14.2.0.
- UPGRADED: To Apache httpd 2.4.41.
- UPGRADED: To OpenSSL version 1.1.1d (el7 package only).
- DEPRECATED: The ModSecurity-based profiles for the [InputValidationFilter] that use the ModSecurity Core Rule Set (CRS).
- DEPRECATED: The attribute RLIMIT_NOFILE in the Core section of the navajo.xml configuration file has been deprecated.
- DEPRECATED: The UserStatusServlet has been deprecated.
- REMOVED: Support for Apache httpd 2.2 is no longer available.
- REMOVED: The automatic test of the certificates before starting the proxy.
- PERFORMANCE: The performance issue with the [SessionManagementFilter] has been solved.
Notes
- Due to the upgrade to OpenSSL version 1.1.1, you may encounter problems with client certificates. For more information, see Authentication with a client certificate with OpenSSL 1.1.1.
- Due to the upgrade to OpenSSL version 1.1.1, CA certificates must carry the basicConstraints extension with CA:TRUE, i.e. they must have been issued as a "CA certificate". Otherwise host and user certificates signed by them can no longer be verified. You can execute the following command to check whether a CA certificate is valid in this sense:
openssl x509 -text -in <path to certificate> | grep "CA:TRUE"
If there is no output, the certificate does not carry CA:TRUE and OpenSSL 1.1.1 will not accept it as a CA. For a valid CA certificate, the output looks as follows:
[root@host]# openssl x509 -text -in caCert.pem |grep "CA:TRUE"
CA:TRUE
[root@host]#
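The grep check above only tells you whether the string CA:TRUE is printed, so a certificate with no basicConstraints extension at all and one with an explicit CA:FALSE both produce "no output". As an added example (not part of nevisProxy or its documentation), the following standard-library Python script walks the certificate's DER structure, locates the basicConstraints extension (OID 2.5.29.19) and reports CA:TRUE, CA:FALSE, or absent, for PEM or raw DER input. The DER blobs at the bottom are constructed test data shaped like the extensions block of a certificate, not real certificates.

```python
"""Check whether an X.509 certificate carries basicConstraints CA:TRUE.

Added example, not nevisProxy code: a minimal DER walker that finds the
basicConstraints extension (OID 2.5.29.19) and reads its cA flag, instead of
grepping the text output of `openssl x509`.  It distinguishes three outcomes
that the grep-based check collapses into "no output": CA:TRUE, CA:FALSE, and
a certificate without any basicConstraints extension.  Standard library only;
the DER samples at the bottom are constructed test data, not real certificates.
"""
import base64
import re

BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")   # DER content bytes of OID 2.5.29.19
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV starting at pos.

    Only low tag numbers (< 31) and definite lengths are handled, which
    covers everything that appears in a DER-encoded certificate.
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    """Yield (tag, content) for every TLV inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        yield tag, value


def _find_basic_constraints(der):
    """Depth-first search for Extension { extnID 2.5.29.19, ... }; returns its extnValue."""
    stack = [der]
    while stack:
        for tag, value in _children(stack.pop()):
            if tag == 0x30 and value[:5] == b"\x06\x03" + BASIC_CONSTRAINTS_OID:
                # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
                return list(_children(value))[-1][1]   # extnValue is always the last element
            if tag & 0x20:                             # constructed: descend into it
                stack.append(value)
    return None


def is_ca_certificate(cert):
    """Return True for CA:TRUE, False for CA:FALSE, None if basicConstraints is absent.

    `cert` is either a PEM-encoded or a raw DER-encoded certificate (bytes).
    """
    pem = PEM_RE.search(cert)
    der = base64.b64decode(b"".join(pem.group(1).split())) if pem else cert
    extn_value = _find_basic_constraints(der)
    if extn_value is None:
        return None
    # BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }
    _, bc, _ = _read_tlv(extn_value, 0)
    for tag, value in _children(bc):
        if tag == 0x01:                                # the cA BOOLEAN
            return value != b"\x00"
    return False                                       # cA omitted in DER: DEFAULT FALSE


def to_pem(der):
    """Wrap DER bytes in a PEM CERTIFICATE envelope (used by the demo below)."""
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")


def _wrap_extension(ext_hex):
    """Constructed test data: SEQUENCE { [3] EXPLICIT Extensions { one Extension } }."""
    ext = bytes.fromhex(ext_hex)
    exts = b"\x30" + bytes([len(ext)]) + ext
    tagged = b"\xa3" + bytes([len(exts)]) + exts
    return b"\x30" + bytes([len(tagged)]) + tagged


# Constructed samples (not real certificates): one basicConstraints extension each.
CA_TRUE_DER = _wrap_extension("300f0603551d130101ff040530030101ff")        # critical, CA:TRUE
CA_FALSE_DER = _wrap_extension("30090603551d1304023000")                   # empty SEQUENCE: cA DEFAULT FALSE
CA_FALSE_BER_DER = _wrap_extension("300c0603551d1304053003010100")         # explicit BOOLEAN FALSE
NO_BASIC_CONSTRAINTS_DER = _wrap_extension("300e0603551d0f0101ff040403020106")  # keyUsage only


if __name__ == "__main__":
    for name, blob in [("DER CA:TRUE", CA_TRUE_DER), ("PEM CA:TRUE", to_pem(CA_TRUE_DER)),
                       ("CA:FALSE", CA_FALSE_DER), ("no basicConstraints", NO_BASIC_CONSTRAINTS_DER)]:
        print(f"{name:22s} -> {is_ca_certificate(blob)}")
```

Feed it the PEM file you would otherwise pass to openssl; a result of None means the certificate was never issued as a CA certificate, which is exactly the case that OpenSSL 1.1.1 rejects when building the chain.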
nevisProxy 3.14.2.4 - 15.11.2019
Changes and new features
- FIXED: The bug where sessions terminated by nevisAuth were not removed in nevisProxy when session reaping was disabled in the MySQLSessionStoreServlet (that is, when the servlet's attribute SessionReaping was set to "OFF").
- FIXED: The bug that caused a memory leak in the LuaFilter when the content-length header was modified by the configured Lua script. This bug was introduced in nevisProxy version 3.14.2.0.
nevisProxy 3.14.1.1 - 15.11.2019
Changes and new features
- FIXED: The bug where sessions terminated by nevisAuth were not removed in nevisProxy when session reaping was disabled in the MySQLSessionStoreServlet (that is, when the servlet's attribute SessionReaping was set to "OFF").