Anti-Abuse for servers at authentication time
Fixed LuaState selection algorithm to use a free pool, which should lead to faster/more consistent selection of lua states by threads.
A powerdns/wforce-minimal image is now available, using Alpine for a more secure and much smaller image than the existing Debian-based image.
The GeoIP2 LookupCity Lua function was never correctly implemented, so results were not exposed to Lua correctly. This fix exposes the results using the correct method to ensure future operation.
Enterprise Linux 9-based systems are now supported as a build target. Oracle Linux 9 is used as the build environment, but the package should work on any EL-9 environment. Additionally, el-7, el-8 and el-9 aliases are available as build targets.
When libsodium is not available, weakforced will now use openssl crypto functions instead for encryption, including encryption between the client and the server, and replication encryption. OpenSSL encryption is used for the docker image, but the default for built packages is still libsodium.
The legacy GeoIP Library is no longer included in the packages or Dockerfiles/images for weakforced.
The Report API has been removed from weakforced. This feature was never used (to my knowledge), and was creating a significant burden in terms of the maintenance of the python dependencies.
Support Elasticsearch, Logstash and Kibana 7.x stack:
WebHook URLs can be specified with fields representing years, months and days that are expanded at runtime, for example: config_key["url"] = "https://example.com/foo/index-%{YYYY}-%{MM}-%{dd}"
See the wforce_webhook man page for more details.
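The expansion above is what turns a single configured webhook URL into a per-day target (for example a daily log index). The following is an added example, not wforce's own code: it assumes the placeholder syntax is %{YYYY}, %{MM} and %{dd} as in the example URL, that months and days are zero-padded, and that "today" is taken in UTC (whether wforce uses UTC or local time is not stated on this page and is an assumption here).

```python
from datetime import datetime, timezone
import re

# Placeholders named in the release notes: %{YYYY}, %{MM}, %{dd}.
# Assumption: nothing else inside %{...} is expanded, so unknown tokens
# are left in the URL untouched rather than silently replaced.
_PLACEHOLDER = re.compile(r"%\{(YYYY|MM|dd)\}")


def expand_webhook_url(url: str, year: int, month: int, day: int) -> str:
    """Replace the date placeholders in a webhook URL for the given date.

    Months and days are zero-padded to two digits (assumed), so the
    resulting index names sort lexically in date order.
    """
    fields = {
        "YYYY": f"{year:04d}",
        "MM": f"{month:02d}",
        "dd": f"{day:02d}",
    }
    return _PLACEHOLDER.sub(lambda m: fields[m.group(1)], url)


def expand_webhook_url_now(url: str) -> str:
    """Expand the URL for the current UTC date (UTC is an assumption here)."""
    now = datetime.now(timezone.utc)
    return expand_webhook_url(url, now.year, now.month, now.day)


if __name__ == "__main__":
    # Constructed sample URL matching the release-notes example.
    sample = "https://example.com/foo/index-%{YYYY}-%{MM}-%{dd}"
    print(expand_webhook_url(sample, 2023, 3, 7))
    print(expand_webhook_url_now(sample))
```

Because the expansion happens at runtime, a long-running wforce process posts to a different URL after midnight without a restart; when checking that webhooks arrive, compare against the date the sending host thinks it is, not the receiver's.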
For example:
setBlacklistIPRetMsg("Go away your IP {ip} is blacklisted")
setBlacklistLoginRetMsg("Go away your login {login} is blacklisted")
See the wforce.conf man page for more details.
Adding the following to wforce.conf or trackalert.conf:
setMetricsNoPassword()
will disable the password for the metrics endpoint.
See wforce.conf and trackalert.conf manpages for more details.
Redis authentication is supported with the following configuration in wforce.conf:
blacklistRedisUsername()
blacklistRedisPassword()
whitelistRedisUsername()
whitelistRedisPassword()
The username is optional, depending on whether a username is set in redis.
See wforce.conf manpage for more details.
The blacklistPersistDB() and whitelistPersistDB() configuration commands now accept hostnames as well as IP addresses.
Under certain conditions, for example when Redis was reachable but not responding, the blacklist loading function would never return, causing a deadlock. This has been fixed.
The setBlacklistIPRetMsg() Lua function was missing a stub, which meant that it could not be used. This has now been corrected.
Fixed an issue where trackalert would crash when a schedule was created which ran immediately, before the global Lua state was initialised.
Fixed an issue where the webserver ACL was causing 404 errors instead of 401 errors. Now a 401 and an appropriate JSON message are returned.
Previously there was no way to control the loglevel of the stdout logging, which meant that even debug logging would be logged. Now there is a -l or --loglevel flag, which takes the value 0-7 (matching the syslog levels), and which defaults to 6 (infolog). This fix also applies to the built-in webserver, which only logs to stdout, and which previously only logged errors, but which now obeys this flag.
Wforce 2.6.x uses an HTTP library which creates temporary directories for file upload on startup, by default in the current working directory, which for wforce is the config directory. For packaged installation of wforce, this is /etc/wforce, which is typically not writable by wforce itself, leading to errors. This fix changes the directory for those temporary files to /tmp/wforce.
In rare cases when starting up, the syncDB command could start, replicate from another wforce instance, and complete before the webserver had finished initializing. This would cause the syncDone command from the other wforce instance to fail. This fix forces wforce to wait until the webserver is ready before starting the syncDB checks.
The wforce docker image documentation states that a volume mount can be used to specify a custom config file in /etc/wforce/wforce.conf, however this was not actually the case. The file was only used if the environment variable WFORCE_CONFIG_FILE was also set, which is incorrect, because that variable is only supposed to be used to specify a new location for the config file. This fix ensures that whenever a volume mount correctly mounts a custom /etc/wforce/wforce.conf file, it is both used, and a log message is output stating that it is being used.
The webserver() configuration command is now deprecated, and is replaced with addListener(), which enables both TLS and non-TLS listeners to be created, as well as enabling multiple listeners to be created concurrently. The new command setWebserverPassword() is used to set the password for the REST API (previously this was set as part of the webserver() command).
An example listener without TLS:
addListener("0.0.0.0:8084", false, "", "", {})
An example listener with TLS:
addListener("1.2.3.4:1234", true, "/etc/wforce/cert.pem", "/etc/wforce/key.pem", {minimum_protocol="TLSv1.2"})
For more details, see the man page for wforce.conf.
Various options for the configuration of outbound HTTPS connections are now supported, specifically:
setCurlClientCertAndKey() is used to specify the location of a client certificate and key for mTLS.
setCurlCABundleFile() is used to specify the location of a file containing the CA certificates to use for peer verification.
disableCurlPeerVerification() disables checking of peer certificates (not recommended except for debugging).
disableCurlHostVerification() disables checking of the hostname in peer certificates (not recommended except for debugging).
Support for building on Debian bullseye.
Before this release, siblings could only be defined as part of the startup configuration; there was no way to add or remove siblings dynamically while wforce was running. With this release all sibling management functions in Lua can be used from the console to add/remove siblings at runtime. In addition, per-sibling encryption keys can optionally be specified.
The complete set of sibling management functions is as follows:
For full details, see the wforce.conf man page.
New REST API endpoints enable siblings to be managed dynamically.
The new REST API endpoints are as follows:
For more details see the wforce OpenAPI specification, which is available at https://powerdns.github.io/weakforced/
Note that the REST API does not currently support TLS natively, so use of a HTTPS reverse proxy on localhost is strongly recommended when specifying per-sibling encryption keys.
All the methods of managing siblings (Lua or REST API) enable per-sibling encryption keys to be set. Encryption keys are 32-byte strings that are Base-64 encoded before being passed to the sibling management functions or REST API.
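A wrong-length or malformed key only shows up once replication to that sibling fails, so it is worth generating and checking keys before they reach a running instance. The following is an added example (not part of wforce, which has its own Lua key helpers): it generates a random 32-byte key Base-64 encoded as the release notes require, and validates a supplied key the same way. The 32-byte length comes from this page; the strict-Base-64 check is the author's addition.

```python
import base64
import secrets

# Per the release notes: per-sibling encryption keys are 32-byte strings,
# Base-64 encoded before being handed to Lua or the REST API.
KEY_BYTES = 32


def make_sibling_key() -> str:
    """Generate a fresh random 32-byte key and return it Base-64 encoded.

    secrets.token_bytes draws from the OS CSPRNG; 32 bytes encode to a
    44-character string ending in a single '=' padding character.
    """
    return base64.b64encode(secrets.token_bytes(KEY_BYTES)).decode("ascii")


def validate_sibling_key(encoded: str) -> bool:
    """Return True only if `encoded` is strict Base-64 decoding to exactly 32 bytes.

    validate=True rejects characters outside the Base-64 alphabet and bad
    padding instead of silently discarding them, so a truncated or hand-edited
    key is caught here rather than at replication time.
    """
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (ValueError, TypeError):  # binascii.Error is a ValueError subclass
        return False
    return len(raw) == KEY_BYTES


if __name__ == "__main__":
    key = make_sibling_key()
    print(key)
    print("valid:", validate_sibling_key(key))
    # Constructed bad inputs: too short, wrong alphabet.
    print("valid:", validate_sibling_key("AAAA"))
    print("valid:", validate_sibling_key("not base64!"))
```

Keys should be generated once per sibling pair and distributed over an authenticated channel; as the note above says, when setting them through the REST API, put an HTTPS reverse proxy on localhost in front of the API so the key does not cross the wire in clear text.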