Ferron 2.8.0 and 2.6.3 LTS released

Ferron 2.8.0 and Ferron 2.6.3 LTS are now available. This release brings several new features, improvements, and security fixes to both the latest version and the LTS branch.

The release also includes new DNS providers for ACME challenges, environment variable placeholders in KDL configurations, and various security and correctness improvements.

New features

Environment variable placeholders in KDL configurations

Ferron now supports environment variable placeholders in KDL-format configuration files, allowing you to reference environment variables directly in your configuration.

This was merged from a pull request on GitHub (thank you “rousbound”!).

Here’s an example of how to use this feature:

globals {
    log "/var/log/ferron/access.log"
    error_log "/var/log/ferron/error.log"
}

example.com {
    log "{env:LOG_PATH}/example.com.access.log"
    error_log "{env:ERROR_LOG_PATH}/example.com.error.log"
}

This feature makes it easier to manage configurations across different environments without having to maintain separate configuration files.
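To make the placeholder syntax concrete, here is a small expander for `{env:NAME}` references. This is an added example written for these notes, not Ferron's own implementation: the release notes do not say how Ferron treats an unset variable or a placeholder with no closing brace, so the choice to fail with an error in both cases is this example's assumption, and the injectable `lookup` function exists only so the logic can be tested without touching the real environment.

```rust
use std::env;

/// Error from expanding `{env:NAME}` placeholders. How Ferron itself reports an
/// unset variable is not stated in the release notes; failing loudly is this
/// example's own choice (an assumption, not documented behaviour).
#[derive(Debug, PartialEq)]
pub enum ExpandError {
    /// The named variable is not set in the environment.
    UnsetVariable(String),
    /// A `{env:` opener with no closing `}`; carries the byte offset of the opener.
    UnterminatedPlaceholder(usize),
}

/// Replace every `{env:NAME}` in `input` with the value returned by `lookup(NAME)`.
/// The lookup is injected (hypothetical helper) so the logic can be exercised
/// offline; `expand` below wires it to the process environment.
pub fn expand_with<F>(input: &str, lookup: F) -> Result<String, ExpandError>
where
    F: Fn(&str) -> Option<String>,
{
    const OPEN: &str = "{env:";
    let mut out = String::with_capacity(input.len());
    let mut rest = input;
    while let Some(start) = rest.find(OPEN) {
        // Copy the literal text before the placeholder unchanged.
        out.push_str(&rest[..start]);
        let after = &rest[start + OPEN.len()..];
        let end = match after.find('}') {
            Some(end) => end,
            None => {
                let offset = input.len() - rest.len() + start;
                return Err(ExpandError::UnterminatedPlaceholder(offset));
            }
        };
        let name = &after[..end];
        match lookup(name) {
            Some(value) => out.push_str(&value),
            None => return Err(ExpandError::UnsetVariable(name.to_string())),
        }
        rest = &after[end + 1..];
    }
    out.push_str(rest);
    Ok(out)
}

/// Expand placeholders against the real process environment.
pub fn expand(input: &str) -> Result<String, ExpandError> {
    expand_with(input, |name| env::var(name).ok())
}

fn main() {
    // Constructed sample: the access log line from the configuration above.
    let line = "{env:LOG_PATH}/example.com.access.log";
    match expand(line) {
        Ok(path) => println!("{line} -> {path}"),
        Err(e) => eprintln!("cannot expand {line}: {e:?}"),
    }
}
```

Failing on an unset variable, rather than silently substituting an empty string, matters for the log paths shown above: an empty `LOG_PATH` would otherwise turn `{env:LOG_PATH}/example.com.access.log` into a path under the filesystem root.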

Google Cloud DNS provider for DNS-01 ACME challenges

We added support for the Google Cloud DNS provider, allowing Ferron to automatically obtain TLS certificates via ACME DNS-01 challenges using Google Cloud DNS.

Here’s an example configuration:

globals {
    auto_tls_challenge "dns-01" provider="googlecloud" service_account_json="your_service_account_json" project_id="your_project_id"
}

example.com {
    auto_tls
}

Spaceship DNS provider for DNS-01 ACME challenges

We also added support for the Spaceship DNS provider, allowing Ferron to automatically obtain TLS certificates via ACME DNS-01 challenges using Spaceship’s DNS API.

Shell-style argument parsing in auto_tls_post_obtain_command

The auto_tls_post_obtain_command directive now supports shell-style argument parsing, making it easier to write post-ACME certificate obtain commands that work across different shells.

HTTP compression improvements

HTTP compression now uses server-preferred content encoding order (zstd, br, gzip, deflate, identity) when available, allowing Ferron to choose the most efficient compression algorithm for each response.

This change was made in response to a GitHub issue.
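The following is an added example of server-preferred content-encoding selection; it is not Ferron's code. It walks the order given above (zstd, br, gzip, deflate, identity) and returns the first coding the client's Accept-Encoding header accepts. Client q-values are used only to rule a coding out (q=0), not to rank codings, which is one reasonable reading of "server-preferred"; the notes do not describe Ferron's exact tie-breaking, so treat that detail as this example's assumption.

```rust
/// Server-preferred order from the release notes, most efficient first.
pub const SERVER_PREFERENCE: [&str; 5] = ["zstd", "br", "gzip", "deflate", "identity"];

/// Parse an Accept-Encoding value into lowercase (coding, q) pairs; a missing q means 1.0.
pub fn parse_accept_encoding(header: &str) -> Vec<(String, f32)> {
    header
        .split(',')
        .filter_map(|item| {
            let mut parts = item.trim().split(';');
            let coding = parts.next()?.trim().to_ascii_lowercase();
            if coding.is_empty() {
                return None;
            }
            let mut q = 1.0f32;
            for param in parts {
                if let Some(value) = param.trim().strip_prefix("q=") {
                    // A malformed q-value is treated as "not acceptable" rather than as 1.0.
                    q = value.trim().parse().unwrap_or(0.0);
                }
            }
            Some((coding, q))
        })
        .collect()
}

/// Pick the first coding in the server's order that the client accepts (q > 0).
/// `*` covers codings not listed explicitly; identity is acceptable unless refused.
/// Returns None when nothing is acceptable, in which case the caller answers 406
/// or falls back to identity, whichever its policy is.
pub fn choose_encoding(accept_encoding: Option<&str>) -> Option<&'static str> {
    let header = match accept_encoding {
        None => return Some("identity"), // no header at all: send the body unencoded
        Some(h) => h,
    };
    let accepted = parse_accept_encoding(header);
    let q_of = |coding: &str| {
        accepted
            .iter()
            .find(|(c, _)| c.as_str() == coding)
            .map(|(_, q)| *q)
    };
    let wildcard = q_of("*");
    for &candidate in SERVER_PREFERENCE.iter() {
        let q = q_of(candidate)
            .or(wildcard)
            .or(if candidate == "identity" { Some(1.0) } else { None });
        if q.map_or(false, |q| q > 0.0) {
            return Some(candidate);
        }
    }
    None
}

fn main() {
    // Constructed Accept-Encoding values a client might send.
    for header in ["gzip, deflate, br", "zstd;q=0.1, gzip;q=0.9", "identity;q=0, *;q=0"] {
        println!("{header:?} -> {:?}", choose_encoding(Some(header)));
    }
}
```

The second sample header shows the difference from client-preferred negotiation: the client ranks gzip above zstd, but because both are acceptable the server's order wins and zstd is chosen.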

Security and correctness improvements

CONNECT request handling

CONNECT requests with pathname URIs are now rejected, preventing potential issues with malformed CONNECT requests.

OCSP response verification

OCSP responses are now verified when stapling is enabled, improving the reliability of certificate status checks.

Reverse proxy RFC 7230 compliance

The reverse proxy now strips hop-by-hop headers, improving RFC 7230 compliance and preventing potential header injection issues.
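As an added illustration of what "stripping hop-by-hop headers" involves (example code, not Ferron's implementation; the `Vec<(String, String)>` header representation and the `build_upstream_headers` helper are this example's own), the function below removes the well-known hop-by-hop set and, as RFC 7230 section 6.1 requires, every field name the client lists in its Connection header. Adding the proxy's own fields only after stripping is the defensive detail worth noticing.

```rust
use std::collections::HashSet;

/// Hop-by-hop fields that describe one connection and must never be forwarded.
const HOP_BY_HOP: [&str; 8] = [
    "connection",
    "keep-alive",
    "proxy-authenticate",
    "proxy-authorization",
    "te",
    "trailer",
    "transfer-encoding",
    "upgrade",
];

/// Return only the end-to-end headers: the fixed hop-by-hop set is dropped, as is every
/// field name listed in a Connection header (RFC 7230 §6.1 makes those hop-by-hop too).
/// Header names are compared case-insensitively.
pub fn strip_hop_by_hop(headers: &[(String, String)]) -> Vec<(String, String)> {
    let mut drop: HashSet<String> = HOP_BY_HOP.iter().map(|s| s.to_string()).collect();
    for (name, value) in headers {
        if name.eq_ignore_ascii_case("connection") {
            for token in value.split(',') {
                let token = token.trim().to_ascii_lowercase();
                if !token.is_empty() {
                    drop.insert(token);
                }
            }
        }
    }
    headers
        .iter()
        .filter(|(name, _)| !drop.contains(&name.to_ascii_lowercase()))
        .cloned()
        .collect()
}

/// Headers to send upstream: strip first, then add the proxy's own fields. Adding them
/// afterwards means a client cannot list X-Forwarded-For in its Connection header to
/// have the proxy's copy removed. A full proxy would also merge an existing
/// X-Forwarded-For value and re-frame the body it forwards, since Transfer-Encoding
/// is no longer passed through; both are omitted here.
pub fn build_upstream_headers(client_headers: &[(String, String)], client_ip: &str) -> Vec<(String, String)> {
    let mut upstream = strip_hop_by_hop(client_headers);
    upstream.push(("X-Forwarded-For".to_string(), client_ip.to_string()));
    upstream
}

fn main() {
    // Constructed request headers as a client might send them to the proxy.
    let client: Vec<(String, String)> = [
        ("Host", "example.com"),
        ("Connection", "keep-alive, X-Session-Hint"),
        ("Keep-Alive", "timeout=5"),
        ("X-Session-Hint", "abc"),
        ("Transfer-Encoding", "chunked"),
        ("Accept", "*/*"),
    ]
    .iter()
    .map(|(n, v)| (n.to_string(), v.to_string()))
    .collect();
    for (name, value) in build_upstream_headers(&client, "203.0.113.7") {
        println!("{name}: {value}");
    }
}
```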

Other fixes

  • 403 Forbidden responses were returned when the URL sanitizer was disabled, even where 404 Not Found should have been returned.
  • File paths in directory listings weren’t properly escaped.
  • HTTP Basic Authentication was vulnerable to time-based user enumeration.
  • location blocks matched path segments anywhere in the URL, not just at the start (GitHub issue).
  • PROXY v2 headers with lengths greater than 512 bytes were allowed, possibly leading to memory DoS.
  • So You Start endpoint names for OVH DNS provider were swapped.
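The Basic Authentication fix above concerns a classic timing leak: if a server rejects unknown usernames faster than wrong passwords for known ones, the response time tells a caller which accounts exist. The example below is added here to show the standard mitigation and is not Ferron's code; the notes only state that the leak was fixed, not how. The plain-bytes `secret` field, the `verifier` callback (a stand-in for the password-hash check a real server performs) and the decoy secret are this example's assumptions.

```rust
/// Compare two byte strings in time that depends only on the longer length, never on
/// the position of the first differing byte.
pub fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    let n = a.len().max(b.len());
    let mut diff = a.len() ^ b.len();
    for i in 0..n {
        let x = a.get(i).copied().unwrap_or(0);
        let y = b.get(i).copied().unwrap_or(0);
        diff |= usize::from(x ^ y);
    }
    diff == 0
}

pub struct User {
    pub name: String,
    /// Stored secret: in a real server a password hash; plain bytes in this example.
    pub secret: Vec<u8>,
}

/// Verify credentials so that the time taken does not reveal whether `username` exists:
/// the whole user list is scanned without an early exit, and the (expensive) verifier
/// always runs, against a decoy secret of realistic length when the user is unknown.
pub fn verify(
    users: &[User],
    username: &str,
    supplied: &[u8],
    decoy: &[u8],
    verifier: &dyn Fn(&[u8], &[u8]) -> bool,
) -> bool {
    let mut stored: Option<&[u8]> = None;
    for u in users {
        if ct_eq(u.name.as_bytes(), username.as_bytes()) {
            stored = Some(u.secret.as_slice());
        }
    }
    let exists = stored.is_some();
    let target = stored.unwrap_or(decoy);
    let ok = verifier(target, supplied);
    // Non-short-circuit `&`: the result is combined after both facts are known.
    ok & exists
}

/// Minimal standard base64 decoder (no padding validation) so the example has no dependencies.
fn base64_decode(s: &str) -> Option<Vec<u8>> {
    const TABLE: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let mut out = Vec::with_capacity(s.len() * 3 / 4);
    let (mut buf, mut bits) = (0u32, 0u32);
    for c in s.bytes() {
        if c == b'=' {
            break;
        }
        let v = TABLE.iter().position(|&t| t == c)? as u32;
        buf = ((buf << 6) | v) & 0x00ff_ffff;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push(((buf >> bits) & 0xff) as u8);
        }
    }
    Some(out)
}

/// Split an `Authorization: Basic <base64(user:secret)>` value into (user, secret).
pub fn parse_basic(authorization: &str) -> Option<(String, Vec<u8>)> {
    let (scheme, rest) = authorization.split_once(' ')?;
    if !scheme.eq_ignore_ascii_case("basic") {
        return None;
    }
    let decoded = base64_decode(rest.trim())?;
    let colon = decoded.iter().position(|&b| b == b':')?;
    let user = String::from_utf8(decoded[..colon].to_vec()).ok()?;
    Some((user, decoded[colon + 1..].to_vec()))
}

/// Full check for one request; a missing or malformed header is simply a failure.
pub fn authenticate(
    users: &[User],
    authorization: Option<&str>,
    decoy: &[u8],
    verifier: &dyn Fn(&[u8], &[u8]) -> bool,
) -> bool {
    match authorization.and_then(parse_basic) {
        Some((user, secret)) => verify(users, &user, &secret, decoy, verifier),
        None => false,
    }
}

fn main() {
    // Constructed user database and request header ("user:pass" in base64).
    let users = vec![User { name: "user".to_string(), secret: b"pass".to_vec() }];
    let verifier = |stored: &[u8], supplied: &[u8]| ct_eq(stored, supplied);
    let ok = authenticate(&users, Some("Basic dXNlcjpwYXNz"), b"xxxx", &verifier);
    println!("authenticated: {ok}");
}
```

The decoy should be the same shape as a real stored secret (same hash algorithm and cost in a real deployment) so that the unknown-user path performs the same work as the known-user path.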

Graceful shutdown

Ferron now supports custom SIGTERM signal handling for graceful shutdown, allowing the server to complete ongoing requests before shutting down.

Full changelog

Ferron 2.8.0

Added

  • Custom SIGTERM signal handling for graceful shutdown.
  • Environment variable placeholders in KDL-format configurations.
  • Google Cloud DNS provider for DNS-01 ACME challenges.
  • Spaceship DNS provider for DNS-01 ACME challenges.
  • Support for shell-style argument parsing in auto_tls_post_obtain_command.

Changed

  • CONNECT requests with pathname URIs are now rejected.
  • HTTP compression now uses server-preferred content encoding (zstd, br, gzip, deflate, identity) when available (GitHub issue).
  • Improved RFC 7230 compliance for reverse proxy (by stripping hop-by-hop headers).
  • Improved shebang handling for CGI on non-Unix systems.
  • OCSP responses are now verified when stapling is enabled.

Fixed

  • 403 Forbidden responses were returned when the URL sanitizer was disabled, even where 404 Not Found should have been returned.
  • File paths in directory listings weren’t properly escaped.
  • HTTP Basic Authentication was vulnerable to time-based user enumeration.
  • location blocks matched path segments anywhere in the URL, not just at the start (GitHub issue).
  • PROXY v2 headers with lengths greater than 512 bytes were allowed, possibly leading to memory DoS.
  • So You Start endpoint names for OVH DNS provider were swapped.

Ferron 2.6.3 LTS

Changed

  • CONNECT requests with pathname URIs are now rejected.
  • Improved RFC 7230 compliance for reverse proxy (by stripping hop-by-hop headers).
  • OCSP responses are now verified when stapling is enabled.

Fixed

  • 403 Forbidden responses were returned when the URL sanitizer was disabled, even where 404 Not Found should have been returned.
  • File paths in directory listings weren’t properly escaped.
  • HTTP Basic Authentication was vulnerable to time-based user enumeration.
  • location blocks matched path segments anywhere in the URL, not just at the start (GitHub issue).
  • PROXY v2 headers with lengths greater than 512 bytes were allowed, possibly leading to memory DoS.
  • So You Start endpoint names for OVH DNS provider were swapped.

Thank you!

We appreciate all the feedback and contributions from our community. Your support helps us improve Ferron with each release. Thank you for being a part of this journey!

The Ferron Team