All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
- Fix rate_limit code for JSON responses
- Fix rate_limit code
- Remove lua-resty-nettle version restriction
- Install PX package symlink in OpenResty Lua directory
- CORS support
- Set X-PX-COOKIES as the default custom cookie name
- `_M.px_login_creds_settings` configuration, to allow specifying CI settings in the Lua configuration file
- rename "px_graphql_paths" to "px_graphql_routes"
- correctly add GraphQL routes (requests must contain specified GraphQL Type/Name) to sensitive routes
- `custom_sensitive_routes`: a custom function to determine if a URL path is a sensitive route
- `custom_enabled_routes`: a custom function to determine if a URL path is an enabled route
- `px_graphql_paths`: to specify a list of GraphQL endpoints
- Support for JWT and pxcts
- support for multiple GraphQL endpoints
- Add CI paths to the sensitive routes
- Export ngx.ctx.pxde variable
- Properly handle multiple instances of the same header
- Fix field name in telemetry command
- Call enrich_custom_parameters() only once
- Credential Intelligence v2 protocol
- Credential Intelligence v2 is the default protocol
- New block page
- Send custom_params with page_req and block activities
- HypeSale support
- GraphQL support
- sensitive_routes configuration
- Credential Intelligence code improvements and enhancement
- Whitelist URI pattern support
- Page requested activity includes HTTP status code
- Issue with request body in login credentials extraction
- Support for form-urlencoded content type in login credentials extraction.
- Support for multipart/form-data content type in login credentials extraction.
- New feature: Login Credentials Extraction.
- Handle cookies as a table in `extract_cookie_names`.
- Small logic fix in `extract_cookie_names` function.
- Support for monitored routes.
- Support for secure flag for PXHD cookies.
- Removal of `gmatch` in `extract_cookie_names` for better performance.
- Better iterations value validation.
- Full url parameter in risk_api calls.
- Support for testing blocking flow in monitor mode.
- Support for custom cookie header
- Refactoring of split string functions.
- Linting related errors
- orig_cookie is now a local variable
- additional_activity_handler now gets called regardless of send_page_requested settings.
- Changed cookie variable from global to local
- Accept header extraction for application/json.
- Support for redirect to referer on challenge solve
- Changed Payload from global to local variable
- Additional check for proxy for http scheme in first party
- Changed global variables to local for pxcookie/pxtoken
- Proxy connection pool key for activities and telemetry
- Enforcer telemetry by request
- Proxy connection pool and scheme handling
- Advanced blocking response enablement flag
- Proxy support
- pxvid check for both pxvid and _pxvid cookies
- ignore ipv6 for whitelist ip filtering
- s2s call reason of no_cookie_w_vid
- PXHD cookie path
- Mobile detection for captcha script
- Added PXHD handling
- Added async custom params
- Major token and cookie refactoring
- Cookie name extractor ability to handle multiple Cookie headers
- Wrong value in Json response's vid property
- Support for first party route prefix
- Sending cookie names on risk_api calls
- First party fallback for captcha file
- Enrich Custom Parameters support
- Refreshed documentation for NGINX plus and RHEL 7.5
- Support for Advanced Blocking Response
- Updated http/2 documentation section
- firstPartyEnabled property for Captcha
- Refreshed documentation
- Support for url encoded cookies
- Captcha v2 support
- CIDR support for `whitelist_ip_addresses` property
- Added properties back to pxconfig
- Documentation updates
- Added data enrichment support
- Added TLS prot/ciphers sha1
- Added handling timers when module disabled
- Added default config values
- Fixed case insensitive sensitive headers check
- Fixed mobile using first party path
- Enhanced error handling of first party routes
- Update first party templates with fallback support
- Use relative URL for redirect in API protection mode
- Renamed vid cookie
- Replaced default values for first party mode to false
- Added support for first party remote configuration
- Disabled kong support for remote config and telemetry
- Fixed sensitive header cleaning on first party mode
- Added support for first party
- Added support for rate limiting
- Supporting more variables for log enrichment
- Fixed sensitive headers filtering on captcha and activities
- Code optimizations
- Added support for remote configurations
- Enhanced module logs
- Added support for score variable in logs
- Added mobile sdk pinning error
- Added support for enforcer telemetry
- Fixed mobile sdk header conditions
- Added pcall on sending activities to prevent errors on server
- Support for API protection in Kong plugin
- Removed luarocks dependency lua-cjson (still needs to be installed via apt-get)
- Changed structure of pxconstants
- Changed default values for module mode to monitor
- Changed default value of blocking score to 100
- Removed PX snippet from block/captcha mustache
- Update the collectorUrl in mobile sdk response
- Added s2s_call_reason on mobile sdk connection error
- Fixed sending call_reason on cookie validation failed
- Mobile SDK support
- Sensitive headers
- True IP headers list in configuration
- Captcha cookie in base64 format in default captcha pages and examples
- Changed structure of captcha cookie
- Timer function get_time_in_milliseconds
- Support for funCaptcha. It is now possible to choose between reCaptcha and funCaptcha for the captcha page.
- New functionality - additional activity handler. The `additional_activity_handler` function will be executed before sending the data to the PerimeterX portal.
- Support for pass reason and risk RTT for better analytics.
- Added support for sensitive routes
- Added JavaScript Challenge support
- Sending original cookie value when decryption fails
- Using debug instead of error on several cases
- New default block page design
- Inject custom css/js/logo to default block and captcha pages
- Using app specific server url for api calls
- New default block page design
- Bug preventing valid users from getting cleaned up when the module used the default block page
- Support Cookie V3 and Risk API V2 - single numeric score value, action on response
- Removed some redundant configurations
- Added Optional Redirect Method (Inner Redirect / Browser Redirect).
- Added Redirection Method Example Folder.
- Updated README.
- Updated Examples.
- Modified The Default Block Page Look
- Fixed Multiple Application Support Caching Issue.
- Fixed URL Encoding Collisions
Note: The Nginx module is currently supported up to version 1.11.6
- Multiple Application Support.
- Multiple Application Support Example.
- Filters now configurable via Config.
- Updated Tests.
- Updated README.
- Updated Examples.
REQUIRES ACTION:
Updating from a previous version requires several changes to the `pxconfig.lua` and `nginx.conf`. See the `examples/Multiple Applications` files for reference.
- In your `nginx.conf` file, replace `init_worker_by_lua_file` with `init_worker_by_lua_block { require ("px.utils.pxtimer").application() }`
- In each of the location blocks in your app (each route protected with the module), replace `access_by_lua_file` (in each block of location) with `access_by_lua_block { require("px.pxnginx").application() }`
- Compare your local `pxconfig.lua` file with the config file located at `lib/px/pxconfig.lua`, adding in the whitelist filters to the configuration file.
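The two `nginx.conf` replacements above, shown in context as an added example (not a file from the plugin's own repository or examples). The `lua_package_path` value, the OpenResty Lua directory, the old file paths and the `backend` upstream are assumptions for a typical OpenResty install; use whatever your previous configuration had.

```nginx
# Added example: minimal nginx.conf after migrating to the init_worker_by_lua_block /
# access_by_lua_block form described in the REQUIRES ACTION steps.
events { worker_connections 1024; }

http {
    # Assumed: PX package installed (or symlinked) under the OpenResty Lua directory
    lua_package_path "/usr/local/openresty/lualib/?.lua;;";

    # Old form (path is a placeholder for whatever you had before):
    #   init_worker_by_lua_file /path/to/old/pxtimer.lua;
    # New form: the module's own timer entry point
    init_worker_by_lua_block { require ("px.utils.pxtimer").application() }

    server {
        listen 80;

        # Each location protected by the module gets the new access hook
        location / {
            # Old form (placeholder path):
            #   access_by_lua_file /path/to/old/pxnginx.lua;
            access_by_lua_block { require("px.pxnginx").application() }
            proxy_pass http://backend;   # assumed upstream
        }

        # Unprotected static assets: no access hook here
        location /static/ {
            root /var/www;
        }
    }
}
```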
## 1.2.0 - 2016-11-29
- Page UUID to Risk API Request.
- Block Page Example.
- reCAPTCHA Block Page Example.
- Custom Block Page by URL.
- Updated Examples.
- Updated README.
- Updated Tests.
## 1.1.4 - 2016-11-03
- Risk API UUID to context.
- Localized some global functions.
- Clear captcha cookie on successful validation.
- Updated Documentation.
- Version header on all files.
- Update nginx.conf.
- Change text location.
- Created pxconstants.lua with readonly table
- Removed the full URL from pxblock.lua
- Block uuid monitor mode.
- Changed logo image.
- Fixed some links issues.
## 1.1.2 - 2016-10-20
- HTTP method to risk requests.