Ferron 2.6.0: smarter backends and better logging


Ferron 2.6.0 is now available. This release improves its capabilities as a modern web server and reverse proxy, introducing dynamic SRV-based backend discovery, built-in log rotation, and reusable configuration snippets across KDL configuration files.

The release also includes a new OCSP stapling implementation (based on RFC 6960) and various fixes that improve reliability and protocol correctness.

Dynamic SRV-based backend discovery

Ferron now supports dynamic backend discovery for reverse proxying via SRV records.

Here’s an example of how to use it:

// Example configuration with reverse proxy to dynamic backends. Replace "example.com" with your domain name.
example.com {
    proxy_srv "http://_backend._tcp.example.com/" // Replace "_backend._tcp.example.com" with the actual SRV record for your backend servers
}

This feature allows Ferron to automatically adapt when backend services change without having to change the server configuration.
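
With proxy_srv, the backend set is whatever the SRV record returns at lookup time, so the record effectively becomes part of the proxy configuration. The script below is an added example, not part of Ferron or its documentation: it audits answers in "dig +short SRV" format against an expected target suffix and port. The suffix, port and sample answer are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an SRV answer before relying on it as a backend list.
# Input (stdin): lines as printed by `dig +short SRV <name>`:
#   "priority weight port target."
# Live use (record name taken from the configuration above):
#   dig +short SRV _backend._tcp.example.com | audit_srv .internal.example.com. 8080
# Prints OK / UNEXPECTED / MALFORMED per record; returns 1 if any record fails.
audit_srv() {
    # $1 = expected target suffix (assumed), $2 = expected backend port (assumed)
    awk -v suffix="$1" -v port="$2" '
        BEGIN { bad = 0; suffix = tolower(suffix) }
        NF == 0 { next }
        NF != 4 || $1 !~ /^[0-9]+$/ || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ {
            print "MALFORMED", $0; bad = 1; next
        }
        {
            # DNS names are case-insensitive, so compare in lower case.
            target = tolower($4)
            tail = substr(target, length(target) - length(suffix) + 1)
            if ($3 == port && length(target) > length(suffix) && tail == suffix) {
                print "OK", $0
            } else {
                print "UNEXPECTED", $0; bad = 1
            }
        }
        END { exit bad }
    '
}

# Constructed sample answer: three expected backends and one outside the suffix.
sample_srv_answer() {
cat <<'EOF'
10 60 8080 app1.internal.example.com.
10 40 8080 app2.internal.example.com.
20 0 8080 standby.internal.example.com.
10 50 8080 app3.example.net.
EOF
}

sample_srv_answer | audit_srv .internal.example.com. 8080 || echo "SRV answer needs review"
```
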

Built-in log rotation

Ferron now also supports basic built-in log rotation based on file size, making it easier to run Ferron in environments where external log rotation tools aren’t available. This feature also prevents log files from taking up too much disk space.

Here’s an example of how to use this feature:

globals {
    log_date_format "%d/%b/%Y:%H:%M:%S %z"
    log_format "{client_ip} - {auth_user} [{timestamp}] \"{method} {path_and_query} {version}\" {status_code} {content_length} \"{header:Referer}\" \"{header:User-Agent}\""

    // Rotate access logs when they reach 100MB, keep 5 rotated files
    log_rotate_size 104857600  // 100 * 1024 * 1024
    log_rotate_keep 5

    // Rotate error logs when they reach 50MB, keep 3 rotated files
    error_log_rotate_size 52428800  // 50 * 1024 * 1024
    error_log_rotate_keep 3
}

example.com {
    log "/var/log/ferron/example.com.access.log"
    error_log "/var/log/ferron/example.com.error.log"
}

We implemented this feature after seeing an issue on GitHub about log file splitting on Windows.


Reusable configuration snippets

Configuration snippets can now be reused across different KDL-format configuration files, allowing administrators to define common configuration blocks once and use them across multiple servers.

We added support for this after seeing another issue on GitHub, this time about snippets defined across configuration files.

New OCSP stapling implementation

The OCSP stapling implementation has been rewritten to follow RFC 6960 (the previous OCSP stapling implementation followed RFC 5019), improving compatibility and reliability of certificate status checks. Also, the new implementation has been tested with a TLS certificate issued by Actalis, and the OCSP response was included as expected.
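
To confirm on your own deployment that a staple is actually served, the output of openssl s_client with the -status option can be summarized as shown below. This is an added example, not code from the Ferron project; the two sample outputs are constructed and abridged, and the host name in the comment is a placeholder.

```shell
#!/bin/sh
# Added example: summarize the OCSP staple reported by `openssl s_client -status`.
# Live use (example.com is a placeholder):
#   openssl s_client -connect example.com:443 -servername example.com \
#       -status </dev/null 2>/dev/null | staple_status
# Prints "none", "responder-error", "unparsed", or the certificate status
# (good / revoked / unknown) followed by the staple's Next Update time.
staple_status() {
    awk '
        /OCSP response: no response sent/        { status = "none" }
        /OCSP Response Status:/ && !/successful/ { status = "responder-error" }
        /Cert Status:/ && status == ""           { status = $3 }
        /Next Update:/ && until == ""            { sub(/^.*Next Update: */, ""); until = $0 }
        END {
            if (status == "") status = "unparsed"
            if (until != "") status = status " until " until
            print status
        }
    '
}

# Constructed, abridged s_client output with a stapled response.
sample_stapled() {
cat <<'EOF'
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan 11 00:00:00 2026 GMT
    Next Update: Jan 18 00:00:00 2026 GMT
EOF
}

# Constructed s_client output when the server sends no staple.
sample_unstapled() {
    echo "OCSP response: no response sent"
}

sample_stapled | staple_status
sample_unstapled | staple_status
```

A result of "none" for a certificate that carries an OCSP responder URL means no staple reached the client; a Next Update time in the past means the server is serving a stale response.
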

Reverse proxy compatibility improvement

Ferron no longer rewrites the Host header by default when proxying to plaintext HTTP backends. This means you no longer have to add proxy_request_header_replace "Host" "{header:Host}" to use Ferron with applications that rely on the original Host header, which improves compatibility and simplifies configuration.


Full changelog

Added

  • Configuration directive for aborting an HTTP request.
  • Support for dynamic SRV-based backend discovery for reverse proxy upstreams.
  • Support for file size-based log rotation.
  • Support for reusable snippets across different KDL configuration files.
  • Support for Unix socket backends in the forwarded authentication module.

Changed

  • Replaced the OCSP stapling implementation (that implemented RFC 5019) with a new implementation that implements RFC 6960.
  • The Host header is no longer rewritten to the proxy request URL’s host by default when using plaintext HTTP for the backend servers.

Deprecated

  • Rego-based subconditions are deprecated and will be removed in a future release.

Fixed

  • Body replacement MIME type filtering was not applied correctly.
  • Duplicate error log entries in certain cases.
  • ETag matching wasn’t applied correctly when If-Match or If-None-Match headers contained multiple ETags.
  • HEAD requests for directory listings caused responses with a body.
  • HTTP compression support sometimes chose the wrong compression algorithm.
  • Redirect loop when using wwwredirect directive and requesting with a hostname without a port.
  • TCP listener failures caused by too many open file descriptors led to an infinite logging loop.
  • The Content-Range header was omitted in some 416 Range Not Satisfiable responses when serving static files.
  • The least-connections algorithm sometimes incorrectly selected the backend with the most connections.
  • Using Ferron with ACME directories that offer challenge types that don’t present a token (like DNS-PERSIST-01) caused “missing field token” errors (fixed in instant-acme).

Documentation update

We have also significantly expanded the documentation for Ferron 2 to include more common use cases and beginners’ guides, to improve the experience of configuring Ferron.

You can visit the updated documentation at https://ferron.sh/docs.


Thank you!

We appreciate all the feedback and contributions from our community. Your support helps us improve Ferron with each release. Thank you for being a part of this journey!

The Ferron Team