Security update: Ferron 2.7.0 and 2.6.2 LTS released

Published on:

We have just released two new versions of Ferron - Ferron 2.7.0 and Ferron 2.6.2 LTS - which contain security fixes for several vulnerabilities.

Also, Ferron 2.7.0 brings new features, such as support for JSON-format access logs or IP-based TLS certificates.

Security fixes

We have performed several security fixes for both versions of Ferron.

One of them prevents crashes caused by an oversized PROXY v2 header: an out-of-bounds access attempt failed the bounds check, which crashed the server.

Another one prevents path traversal when the URL sanitizer is disabled and path canonicalization fails.

The next one mitigates the “httpoxy” vulnerability (see https://httpoxy.org) by automatically removing the Proxy request header when using CGI, FastCGI or SCGI.
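To show why that header is dropped, here is an added example (not Ferron's own code) of how a CGI-style gateway maps request headers to HTTP_* meta-variables per RFC 3875, and how a client-supplied Proxy header would otherwise become HTTP_PROXY in the script's environment; the function names, the header list and the 203.0.113.10 address are constructed for the example.

```rust
use std::collections::HashMap;

/// Map an HTTP request header name to its CGI meta-variable name
/// (RFC 3875 section 4.1.18): uppercase, '-' becomes '_', "HTTP_" prefix.
fn cgi_meta_variable(header_name: &str) -> String {
    let mut name = String::from("HTTP_");
    for c in header_name.chars() {
        name.push(if c == '-' { '_' } else { c.to_ascii_uppercase() });
    }
    name
}

/// Build the CGI environment from request headers. With `strip_proxy` set,
/// the client-controlled `Proxy` header is dropped (case-insensitively) so it
/// can never surface as `HTTP_PROXY`, a variable many HTTP client libraries
/// read to pick an outbound proxy. This is the httpoxy mitigation.
fn build_cgi_env(headers: &[(&str, &str)], strip_proxy: bool) -> HashMap<String, String> {
    let mut env = HashMap::new();
    for (name, value) in headers {
        if strip_proxy && name.eq_ignore_ascii_case("proxy") {
            continue;
        }
        env.insert(cgi_meta_variable(name), (*value).to_string());
    }
    env
}

fn main() {
    // Constructed sample request: an untrusted client sends a Proxy header.
    let headers = [
        ("Host", "example.com"),
        ("Proxy", "http://203.0.113.10:8080"),
        ("User-Agent", "curl/8.0"),
    ];
    let naive = build_cgi_env(&headers, false);
    let hardened = build_cgi_env(&headers, true);
    println!("naive    HTTP_PROXY = {:?}", naive.get("HTTP_PROXY"));
    println!("hardened HTTP_PROXY = {:?}", hardened.get("HTTP_PROXY"));
}
```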

These fixes improve the overall security of the Ferron web server for websites and web applications.

New features

JSON-format access logs

Ferron now supports JSON-format access logs for easier parsing by log aggregation tools (such as ELK Stack, Splunk or cloud-native log processors). The text access logs in Combined Log Format are still enabled by default.

Here is an example configuration that enables JSON-format access logs:

globals {
    log_date_format "%d/%b/%Y:%H:%M:%S %z"
    log_json
}

example.com {
    log "/var/log/ferron/example.com.access.log"
    error_log "/var/log/ferron/example.com.error.log"
}

Per-IP TLS certificates

We have seen a feature request for per-IP TLS certificates, so we added support for them. Both manual and automatic TLS certificate management are supported with per-IP TLS certificates.
