====== LiteSpeed Web Server Changelog ====== **Note:** If a build is missing, you're always able to find it here as well: https://groups.google.com/g/litespeed-edge-users ===== Version 6.3.1 ===== === Build 5 === [Bug Fix] Address large response body corruption caused by mod_security response body scanning. [Bug Fix] Stop mod_security helper threads before server shutdown. [Bug Fix] Reduce lock contention of mod_security SHM store. === Build 4 === [Bug Fix] Address a mod_security scanning response body issue. [Bug Fix] Address an IPv6 -ipmatch false positive issue. === Build 3 === [New Feature] Add environment variable "noantiddos" to selectively disable anti-ddos detection via rewrite rule or setenvif. [Bug Fix] Address a corner case that can cause random crashes. [Bug Fix] Address a mod_security issue where lowercase transform failed to apply to TX variables. [Bug Fix] Detect file suffixes longer than 15 characters. [Misc] Adjust PHP processor auto tuning for Apache suEXEC PHP handlers. === Build 2 === [Bug Fix] Update lsquic to v4.0.11 to address some corner cases. [Bug Fix] Fix outdated version number. === Build 1 === [Bug Fix] Update lsquic to v4.0.11 to address some corner cases. [Bug Fix] Fix outdated version number. === Build 0 === [Security] Block the "litespeed_role" cookie to shield LSCWP from potential brute force attempts. [New Feature] Add "no-lscache" environment variable to allow the lscache engine to be disabled at the request level. [New Feature] Load trusted IPs/subnets from standalone list "$SERVER_ROOT/conf/trusted-ip-list". [Bug Fix] Address compatibility issues with Ruby 3.3 applications. [Bug Fix] Make RackRunner.rb compatible with Rails 7.2. [Bug Fix] Minor bug fixes. ===== Version 6.3 ===== === Build 3 === [Bug Fix] Make RackRunner.rb compatible with Rails v7.2. [Bug Fix] Address hanging ESI processing for page sizes > 1MB. === Build 2 === [Bug Fix] Address a v6.3 build 1 regression that caused random crashes. === Build 1 === [New Feature] Add "no-lscache" environment variable used to disable the lscache engine at the request level. [New Feature] Load trusted IP/subnet from standalone list '$SERVER_ROOT/conf/trusted-ip-list'. [Bug Fix] Address a compatibility issue with Ruby 3.3 applications. [Bug Fix] Address bad auto index script path under chroot environments. === Build 0 === [New Feature] CGI/External app resource limits via cgroups. [New Feature] CGI/External app file system restrictions via namespace containers. [New Feature] Advanced anti-DDoS features to protect against request flooding. [New Feature] Firewall controller to block detected robots at the firewall level. [New Feature] Easy front end CDN (QUIC.cloud or Cloudflare) detection. [Improvement] Avoid HTTP/2 stream I/O buffer bloating. [Improvement] HTTP2/HTTP3 priority (RFC 9218) integration. [Improvement] Drain request body to avoid browser errors in special cases. [Improvement] Stop _recaptcha process after idling for 5 minutes. [Bug Fix] Automatically fix apache2.service override for Plesk. [Bug Fix] Address a ProxyPass corner case that resulted in redirection looping. [Bug Fix] Avoid caching partial responses due to interrupted proxy connections. [Bug Fix] Address rewrite rule compatibility issues with Plesk WP toolkit hotlink protection. [Bug Fix] Address a corner case in multi-part POST parser. [Bug Fix] Address a corner case in access logging. ===== Version 6.2.2 ===== === Build 4 === [Bug Fix] Address a compatibility issue with Ruby 3.3 applications. === Build 3 === [Bug Fix] Address a corner case in multi-part POST parser. [Bug Fix] Address a corner case in access logging. === Build 2 === [Bug Fix] Automatically fix apache2.service override for Plesk. [Bug Fix] Address rewrite rule compatibility issues with Plesk WP toolkit hotlink protection. === Build 1 === [Bug Fix] Address compatibility issues with older versions of nodejs. [Bug Fix] Apply server level log rotation setting to modsec audit log. [Bug Fix] Address a few corner cases in HTTP/3 (lsquic). === Build 0 === [New Feature] Add chunked encoding support for proxying request body to backend. [New Feature] Add cache vary on request header value, automatically vary on header 'X-Http-Method-Override'. [New Feature] Add detection for flag file 'admin/tmp/.stay_with_lsws' used to prevent automatically switching back to Apache when encountering a licensing issue. [Improvement] Apply server level log rotation setting to Modsec audit log. [Improvement] Do not force URL trailing slash for requests to Node.js applications. [Improvement] Make Node.js startup script compatible with older Node.js versions. [Bug Fix] Address failure to switch back to Apache issue, "on-failure" restart for Systemd service is now disabled. ===== Version 6.2.1 ===== === Build 2 === [Bug Fix] Address compatibility issues with older versions of nodejs. [Bug Fix] Apply server level log rotation setting to modsec audit log. [Bug Fix] Address a few corner cases in HTTP/3 (lsquic). === Build 1 === [Bug Fix] Addressed an HTTP/3 0-RTT packet validation issue. === Build 0 === [New Feature] Add hCaptcha support for reCAPTCHA validation. [Improvement] Add support for .mjs nodeJS application startup file. [Bug Fix] Address a crash related to SecRemoteRules handling. [Bug Fix] Address a rare corner case causing HTTP/3 responses to hang. ===== Version 6.2 ===== === Build 7 === [Bug Fix] Address a crash related to SecRemoteRules handling. === Build 6 === [Bug Fix] Address broken auto index script introduced in build 5. [Bug Fix] Address a potential HTTP/3 CPU spinning issue. [Bug Fix] Address a false positive in install script that reports a port is in use. === Build 5 === [Bug Fix] Do not force override LSAPI_MAX_IDLE_CHILDREN if set explicitly. [Bug Fix] Address PHP 8.2 warning in directory auto index script. [Bug Fix] Address an issue in handling custom status code. [Bug Fix] Increase rewrite engine PCRE match limit to avoid PCRE_ERROR_MATCHLIMIT. [Tuning] Add dark mode for server generated error page and directory index page. === Build 4 === [Bug Fix] Fix a rare corner case in HTTP/3. [Bug Fix] Fix "RewriteOptions IngoreInherit" [Bug Fix] enable suEXEC for PHP 8.3 by default. === Build 3 === [Bug Fix] Fix no-abort for CGI script. [Bug Fix] Fix Redirect 410 handling. [Bug Fix] Fix python application with long vhost name. [Bug Fix] Fix CPU spinning caused by HTTP/3 corner case. === Build 2 === [Bug Fix] Fix HTTP/3 session resumption bug introduced in 6.2 Build 1. === Build 1 === [Security] Disable HTTP/2 when detecting a rapid reset attack. [Improvement] Override server level per client connection soft limit with vhost level limit. [Tuning] Limit pipe logger buffer size to 1MB. [Bug Fix] Fix RackRunner.rb bug introduced in 6.1.2 build 8. [Bug Fix] Fix minor mod_security issues. === Build 0 === [New Feature] Update HTTP/3 implementation to support QUICv2 protocol. [New Feature] mod_security engine now has an option to use RE2 instead PCRE regex engine. [New Feature] Add vhost level max request body length and max dynamic response length configurations. [New Feature] Add vhost level dedicated PHP handler configuration option. [New Feature] Add support for rewrite flags "BNP", "backrefnoplus", "BCTLS", and "BNE". [Improvement] Improve reCAPTCHA custom error page handling to avoid expensive dynamic processing. [Improvement] Add missing access log format following Apache spec. [Improvement] Enhance Apache expression support with dynamic regular expression matching. [Improvement] Apache expression support in RewriteCond. [Improvement] Virtual host level reCAPTCHA trigger by concurrent connections. [Security] More strict request header validation. [Bug Fix] Fix a compatibility issue with Rack version >3.0 for Ruby applications. [Bug Fix] Allow use of stdout/stderr as log file names. [Bug Fix] Address large request header compatibility issue with PHP-FPM. [Tuning] Add PHP 8.3 support. [Tuning] Lift default virtual memory limit for external applications. [Bug Fix] Minor bug fixes to cache engine, mod_security engine, and request handling. ===== Version 6.1.2 ===== === Build 8 === [New Feature] Add support for rewrite flags "BNP", "backrefnoplus", "BCTLS", and "BNE". [Bug Fix] Fix cp_switch_ws.sh switch back to Apache failure. [Bug Fix] Fix a compatibility issue with Rack version >3.0 for Ruby applications. [Bug Fix] Allow use of stdout/stderr as log file names. [Bug Fix] Fix a mod_security engine Multi-thread race condition. === Build 7 === [Bug Fix] Address a bug in expression parser introduced in build 5. === Build 6 === [Bug Fix] Address a bug in RewriteCond expression parser. [Bug Fix] Address a bug in SSI engine. === Build 5 === [Improvement] Enhance Apache expression support with dynamic regular expression matching. [Improvement] Apache expression support in RewriteCond. [Improvement] Virtual host level reCAPTCHA trigger by concurrent connections. [Bug Fix] Fix FreeBSD + ZFS crash due to unsupported posix_fallocate() syscall. [Tuning] Add PHP 8.3 support. [Tuning] Tweak graceful restart to avoid being killed by systemd during service restart. === Build 4 === [Security] Properly handle multiple HOST headers. [Tuning] Lift default virtual memory limit for external applications. [Improvement] Add "wordpress_logged_in_*" session cookie detection. [Bug Fix] Address two rare crashes relating to ESI handling. === Build 3 === [Improvement] Improve reCAPTCHA custom error page handling to avoid expensive dynamic processing. [Bug Fix] Address broken Plesk feature "deny access to the site". [Bug Fix] Improve install script to now automatically install missing dependencies. === Build 2 === [Security] Address request header smuggling over HTTP/2 and HTTP/3. [Bug Fix] Address broken FastCGI POST for large request body, introduced in 6.1.2 build 1. === Build 1 === [New Feature] Add vhost level max request body length and max dynamic response length configurations. [New Feature] Add vhost level dedicated PHP handler configuration option. [Improvement] Install necessary ruby-lsapi gem package for alt-ruby 3.1+. [Bug Fix] Address large request header compatibility issue with PHP-FPM. [Bug Fix] Address a false positive for per client soft limit blocking. === Build 0 === [Improvement] Allow total header sizes > 64KB. [Improvement] Add support for websocket upgrade using and ProxyPassMatch (used by Plesk). [Improvement] Add support for Unix domain socket proxy target address (used by DirectAdmin). [Bug Fix] Address a corner case in LSAPI 304 response handling. [Bug Fix] Address unique ID duplication in mod_security audit log. [Bug Fix] Address a corner case in mod_security request header matching. [Bug Fix] Address a license key verification issue during server reboot. [Bug Fix] Update ls-qpack to address a corner case. [Bug Fix] Address a request header parser corner case for a look-alike header. [Bug Fix] Address broken mailman support for Plesk [Bug Fix] Address two corner cases in layer 4 proxy. [Bug Fix] Address an issue with proxy forwarding to the Plesk admin panel. [Tuning] Better handling of buggy HTTP/2 clients with poor flow control implementations. ===== Version 6.1.1 ===== === Build 0 === [New Feature] Add SSL strict SNI mode option to fail SSL connections when there is no vhost level SSL certificate. [New Feature] Add a vhost level AllowBlockedUrl option to allow blocked URL passthrough. [Improvement] Add support for unix domain socket for redis dynamic vhost. [Improvement] Update WebAdmin Console login to use BCRYPT password hash. [Improvement] Add support for "Require local" configuration directive. [Bug Fix] Avoid blocking on socket read for internal fetcher. [Bug Fix] Address broken "RewriteOption inherit" corner case. [Bug Fix] Address duplicate unique ID field in mod_security audit log. [Bug Fix] Address a python application frequent restart issue. [Bug Fix] Address a python application upload hang issue. [Bug Fix] Fix SecRemoteRules certificate verification failure. [Bug Fix] Fix broken sub-directory password protection configuration for Plesk WordPress toolkit. [Bug Fix] Address an issue switching apache/lsws systemd unit file for Plesk. [Bug Fix] Address an issue with Plesk watchdog monitoring httpd service. ===== Version 6.1 ===== === Build 6 === [Bug Fix] Adjust unix domain socket address length for PHP suEXEC handler. === Build 5 === [Bug Fix] Address a python application upload hanging issue. [Bug Fix] Fix SecRemoteRules certificate verification failure. [Bug Fix] Fix broken sub-directory password protection configuration for Plesk WordPress toolkit. === Build 4 === [Bug Fix] Address a crash when handling .htaccess updates. === Build 3 === [Bug Fix] Address an issue switching apache/lsws systemd unit file for Plesk. [Bug Fix] Address an issue with Plesk watchdog monitoring httpd service. === Build 2 === [Improvement] ARM64 (aarch64) package is now available. [Improvement] Update WebAdmin Console login to use BCRYPT password hash. [Bug Fix] Update php3_mode and php4_mode for DirectAdmin panel in script cp_switch_lsws.sh. === Build 1 === [Improvement] Add support for "Require local" configuration directive. [Bug Fix] Avoid blocking on socket read for internal fetcher. [Bug Fix] Address broken "RewriteOption inherit" corner case. [Bug Fix] Update lsquic to v3.3.1 to address a corner case hang caused by flow control congestion. === Build 0 === [New Feature] Add PROXY protocol support. [New Feature] Add custom response status code support. [New Feature] Apply OOMScoreAdjust for lsws service to avoid being OOM killed. [New Feature] Trigger reCAPTCHA through mod_security engine via an environment variable. [Improvement] Inherit .htaccess belonging to parent context. [Improvement] Make SSI environment available to included CGIs/scripts. [Improvement] Add conditional access logging using Expression. [Improvement] Configurable reCAPTCHA timeout. [Improvement] Add "DisableForwardedIpBan" Apache style configuration directive to avoid blocking IPs forwarded by front-end proxies. [Improvement] Enhance 'disableCgiOverride' to cover options +ExecCGI and +Include. [Improvement] Add Apache style configurations "LogKeepDays" and "LogCompressArchive". [Improvement] Escape multiline STDERR messages. [Improvement] Detect update failures in lsup.sh. [Improvement] Improve WebAdmin Console realtime stats with a new JavaScript library. [Bug Fix] Set "HOME" environment for CGI/External apps when possible. [Bug Fix] Fix connection timeout false-positives for active HTTP3 connections. [Bug Fix] Fix domain limited licensing for Plesk servers. [Bug Fix] Update lsquic to v3.3.0 . [Tuning] Disable TLSv1.1 by default. ===== Version 6.1RC3 ===== === Build 0 === [New Feature] Add custom response status code support. [New Feature] Apply OOMScoreAdjust for lsws service to avoid having the server killed when low on memory. [Improvement] Escape multiline STDERR messages. [Improvement] Add "DisableForwardedIpBan" Apache style configuration directive to avoid blocking IPs forwarded by front-end proxies. [Bug Fix] Address a few corner cases in HTTP/3 implementation. [Bug Fix] Address an HTTP/2 decoder bug. [Bug Fix] Include all bug fixes applied to 6.0.12 stable releases. ===== Version 6.1RC2 ===== === Build 0 === [New Feature] PROXY protocol support. [Improvement] Make SSI environment available to included CGIs/scripts. [Improvement] Enhance 'disableCgiOverride' to cover options +ExecCGI and +Include. [Improvement] Better handling of content-type with charset. [Improvement] Add "x-frame-options" header for reCAPTCHA page. [Bug Fix] Inherit .htaccess belonging to parent context. [Bug Fix] Address bad target URL with native proxy configuration for '/' context. [Bug Fix] Avoid installing Ruby Rack 3.0 gem to avoid compatibility issues. [Bug Fix] Avoid using IPv6 mapped IPv4 addresses for HTTP/3 connections. [Bug Fix] Address memory leak in QUIC SHM. ===== Version 6.1RC1 ===== === Build 1 === [New Feature] Add "LSPHP_ProcessGroup unmanaged" mode to support php-fpm like services for Apache vhost. [Bug Fix] Address an HTTP/2 header value compliance corner case that caused broken curl HTTP/2 connections. [Improvement] Add support for alt-python 3.10. [Bug Fix] Address HTTP/3 corner cases with lsquic v3.1.4 update. === Build 0 === [New Feature] Trigger reCAPTCHA through mod_security engine via an environment variable. [Improvement] Add parent context .htaccess inheritance. [Improvement] Add conditional access logging using Expression. [Improvement] Configurable reCAPTCHA timeout. [Improvement] Add "LogKeepDays", "LogCompressArchive" Apache style configurations. [Tuning] Disable TLSv1.1 by default. [Bug Fix] Set "HOME" environment for CGI/External apps when possible. [Bug Fix] Update lsquic to the latest v3.1.2 release. [Bug Fix] Include all bug fixes applied to 6.0.12 stable releases. ===== Version 6.0.12 ===== === Build 13 === [Bug Fix] Detect and ignore truncated log file path for DirectAdmin. [Bug Fix] Fix broken server switching script for cPanel + Ubuntu. [Bug Fix] Do not count Plesk internal Virtual Hosts against license domain limit. [Bug Fix] Fix broken connection timeout for HTTP/3 connections. === Build 12 === [Bug Fix] Address default charset issue for static files. (Introduced in v6.0.12 build 4) [Bug Fix] Address a mod_security corner case. === Build 11 === [Improvement] Add support for PHP 8.2 handler auto-detection. [Bug Fix] Address broken lowercase transformation for certain mod_security variables. === Build 10 === [Bug Fix] Properly handle "%{local}p" access log format. [Bug Fix] Handle white spaces when detecting existing header values. [Bug Fix] Fix broken "Trusted" IP configuration in .htaccess. [Improvement] Add "x-frame-options" header for reCAPTCHA page. [Improvement] Make SSI environment available to included CGIs/scripts. [Bug Fix] Address crash in parsing bad rewrite map data. [Bug Fix] Address memory leak in QUIC SHM. === Build 9 === [Bug Fix] Address a response header bug introduced in build 8 that causes errors serving from cached page. === Build 8 === [Bug Fix] Address malformed HTTP/1.1 response header caused by header value modification operations introduced in build 7. [Bug Fix] Address bad target URL with native proxy configuration for '/' context. [Bug Fix] Avoid installing Ruby Rack 3.0 gem (compatibility issues). [Bug Fix] Avoid using IPv6 mapped IPv4 addresses for HTTP/3 connections. === Build 7 === [Bug Fix] Address an HTTP/2 header value compliance corner case that caused broken curl HTTP/2 connections. === Build 6 === [Improvement] Add support for alt-python 3.10 . [Bug Fix] Address HTTP/3 corner cases with lsquic v3.1.4 update. [Bug Fix] Limit the size of unix domain socket address for PHP suEXEC handler. [Bug Fix] Address a minor display issue in WebAdmin. === Build 5 === [Bug Fix] Address a regression in SHM operations that caused random crashes, introduced in build 4. === Build 4 === [Bug Fix] Minor corner case fixes in HTTP/3 protocol implementation. [Bug Fix] Address bug in "AddDefaultCharset" support for all "text/*" MIME types. [Bug Fix] More strict header filtering for HPACK/QPACK encoding to avoid protocol violations. [Tuning] Disable TLSv1.1 by default. === Build 3 === [Bug Fix] Address a random crash bug. [Bug Fix] Address an auto index permissions issue for Redis mass vhosting. [Tuning] No longer enable SPDY protocol by default. [Bug Fix] Apply a minor fix to HTTP/3 protocol. === Build 2 === [New Feature] Adjust external app OOM score via LS_OOM_SCORE_ADJ environment configuration. [Bug Fix] Address a random crash in mod_security engine. [Bug Fix] Address an SSL error handling problem to avoid high CPU usage. === Build 1 === [Bug Fix] Address a chunked encoding parser bug that could cause an infinite loop. [Bug Fix] Address a bug when processing delayed request bodies that could cause random crashes. [Bug Fix] Address a suEXEC bug with native vhost configurations. [Bug Fix] Update mod_security JSON audit log to include required data for imunify360 log parser. [Tuning] Update log messages for bot detection to avoid confusion. === Build 0 === [Security] Address a few crashes and memory leaks in HTTP/3 implementation. [Security] Add more strict virtual host name validation in WebAdmin to address a potential XSS vulnerability. [Improvement] Add server level control to return 404 or 403 when directory auto-index is disabled. [Improvement] Better stale cache purge handling. [Improvement] Add pagination for long auto indexed pages. [Improvement] Support following ErrorDocument customizations in .htaccess for early stage internal errors. [Tuning] Enable suEXEC for PHP 8.1 by default. [Tuning] Do not enable cPanel HTTP server monitoring in update script. [Tuning] Adjust internal shell scripts for better ubuntu compatibility. [Bug Fix] Address broken alt-python application caused by the new way virtualenv was built. [Bug Fix] Address broken vhost level mod_security configuration. [Bug Fix] Address random crashes in mod_security engine. [Bug Fix] Address a rare multi-threaded mod_security engine race condition. [Bug Fix] Add more validation checks to avoid accidentally killing system process when stopping detached external application processes. [Bug Fix] Improve auto index script to avoid calling function ini_set(). [Bug Fix] Address crashes in ESI/SSI engine. [Bug Fix] Address POST cache issues. [Bug Fix] Block request header "transfer-encoding: chunked" for HTTP/2 and HTTP/3. [Bug Fix] Enforce HTTP authentication for OPTIONS requests. ===== Version 6.0.11 ===== === Build 9 === [Security] Address a crash in HTTP/3 implementation. [Improvement] Add server level control to return 404 or 403 when directory auto-index is disabled. [Bug Fix] A few minor fixes to HTTP/3 implementation. [Bug Fix] Address a bug in SSI engine that caused random crashes. [Bug Fix] Address broken alt-python 2.7 applications. === Build 8 === [Bug Fix] Address broken alt-python application caused by the new way virtualenv was built. [Bug Fix] Address broken vhost level mod_security configuration. [Bug Fix] Add more validation checks to avoid accidentally killing system process when stopping detached external application processes. [Bug Fix] Improve auto index script to avoid calling function ini_set(). [Bug Fix] Address a rare multi-threaded mod_security engine race condition. [Bug Fix] Address a crash in ESI/SSI engine. === Build 7 === [Bug Fix] Address broken alt-python application. [Bug Fix] Address POST cache issues. [Bug Fix] Block request header "transfer-encoding: chunked" for HTTP/2 and HTTP/3. [Bug Fix] Address an SSI engine crash. === Build 6 === [Improvement] Better stale cache purge handling. [Improvement] Add pagination for long auto indexed pages. [Bug Fix] Address a random crash in mod_security engine. [Tuning] Do not enable cPanel HTTP server monitoring in update script. [Tuning] Adjust internal shell scripts for better ubuntu compatibility. === Build 5 === [Bug Fix] Increase HTTP/3 max concurrent streams from 100 to 500 to work around a chrome bug. [Bug Fix] Enforce HTTP authentication for OPTIONS requests. [Bug Fix] Address a crash triggered by a debug log message. [Misc] Update bundled lsws_whm_plugin_install.sh script and attempt to download the latest version of this script before use. === Build 4 === [Security] Add more strict virtual host name validation in WebAdmin to address a potential XSS vulnerability. [New Feature] Add CloudLinux alt-python3.9 support. [Bug fix] Address a python application server configuration issue. [Bug fix] Address a "sub request timeout" crash. === Build 3 === [Bug Fix] Address a random crash when handling connection level timer events. [Improvement] Support following ErrorDocument customizations in .htaccess for early stage internal errors. [Tuning] Enable suEXEC for PHP 8.1 by default. === Build 2 === [New Feature] Add "SecEngineHtaccessOverride on/off" directive to allow/disable turning on/off mod_security engine from .htaccess. Default to "on". [New Feature] Add "ModSec19Compatible on/off" directive to support mod_security 1.9 style configurations. Default to "off". [Bug Fix] Address a layer4 tunnel bug that was causing random crashes. [Bug Fix] Address a random crash in handling connection level timer events. === Build 1 === [Bug Fix] Address a vhost level mod_security engine control corner case. === Build 0 === [New Feature] Add websocket proxy target support for rewrite rules. [Improvement] Improve HTTP/2 upload throughput. [Improvement] Improve HTTP/3 upload throughput. [Bug Fix] Address HTTP/3 handshake failures. [Bug Fix] Address an HTTP/1.1 request body chunk encoding corner case that caused unexpected 400 status for the next request made when over a keep-alive connection. [Bug Fix] Throttle unnecessary lscache purges generated by LSCWP. [Bug Fix] Improve cp_switch_ws.sh script compatibility with different shell interpreters. [Bug Fix] Avoid caching incomplete/broken homepages for more than 1 minute. [Bug Fix] Address broken vhost level private cache lookup configuration. ===== Version 6.0.10 ===== === Build 2 === [Bug Fix] Address HTTP/3 handshake failures. [Bug Fix] Improve HTTP/2 upload throughput. === Build 1 === [Bug Fix] Address an HTTP/3 throughput regression introduced in v6.0.10. [Bug Fix] Improve HTTP/2 upload throughput. [Bug Fix] Throttle unnecessary lscache purges generated by LSCWP. [Bug Fix] Improve cp_switch_ws.sh script compatibility with different shell interpreters. [Bug Fix] Avoid caching incomplete/broken homepages for more than 1 minute. [Bug Fix] Address broken vhost level private cache lookup configuration. === Build 0 === [Improvement] Optimize SSL and HTTP/2 read speeds. [Bug Fix] Address a few bandwidth throttling issues. [Bug Fix] Address high CPU usage for server worker processes. [Bug Fix] Address issues with ModSecurity logging and persistent variable handling. [Bug Fix] Address a few minor HTTP/3 corner cases. [Bug Fix] Convert chunked encoding request bodies for proxy backends. [Bug Fix] Address a Server Side Includes corner case that could sometimes truncate large files. [Bug Fix] Do not block client access if reCAPTCHA is not properly configured when using WP full protection. ===== Version 6.0.9 ===== === Build 3 === [Bug Fix] Address a few minor HTTP/3 corner cases. [Bug Fix] Avoid unnecessary error log warnings (introduced in v6.0.8). [Bug Fix] Convert chunked encoding request bodies for proxy backends. [Bug Fix] Address a Server Side Includes corner case that could sometimes truncate large files. [Bug Fix] Do not block client access if reCAPTCHA is not properly configured when using WP full protection. === Build 2 === [Bug Fix] Address "cannot find installed module for python application" regression (introduced in v6.0.9). === Build 1 === [Bug Fix] Address mod_security request body scan getting randomly skipped (introduced in v6.0.8). === Build 0 === [Bug Fix] Address cache engine corner case that randomly disabled cache or ignored purge requests. [Bug Fix] Cache engine should no longer purge again when serving a cached page with purge headers. [Bug Fix] Properly pass environment variables for python applications configured via CloudLinux python selector. [Bug Fix] Update ea-ruby24 to ea-ruby27 for cPanel Ruby application manager. [Bug Fix] Address POST requests randomly hanging. [Bug Fix] "%{CONTENT_TYPE}" is now properly supported in Apache expressions. [New Feature] Add support for 'LogRotationSize' Apache directive at the server level to control access log rotation. ===== Version 6.0.8 ===== === Build 3 === [Bug Fix] Address SSI expression back reference crash. [Bug Fix] Avoid long disk I/O blocking for cache storage cleaning up. [Bug Fix] Tweak PHP handler mapping to only use alt-php handler when available. [Bug Fix] Address target URL behavior change for conditional redirects. === Build 2 === [Bug Fix] Address POST requests randomly hanging. [Bug Fix] "%{CONTENT_TYPE}" is now properly supported in Apache expressions. [New Feature] Add LogRotationSize Apache directive at the server level to control access log rotation. === Build 1 === [Bug Fix] Address a regression introduced in v6.0.8 that can cause random crashing. === Build 0 === [Bug Fix] Address a mod_security corner case causing hanging worker processes. [Bug Fix] Disable mod_security engine for requests rewritten to ReCAPTCHA. [Bug Fix] Address an ESI encoding corruption bug that mainly affected Prestashop caching. [Improvement] Internal redirects now carry over "Last-Modified" and "Content-type" response headers set by scripts. [Improvement] Add "ProxyAddHeaders on|off" support to avoid sending "x-Forwarded-for" and "x-forwarded-host" proxy headers. [Improvement] Add `CachePost on|off` support to allow POST cache configuration in Apache configuration files. [Improvement] Avoid an unintended delay when processing the first request for a newly started PHP worker group. ===== Version 6.0.7 ===== === Build 1 === [Bug Fix] Address an ESI encoding corruption bug that mainly affected Prestashop caching. === Build 0 === [Bug Fix] Address additional random crashes in asynchronous mod_security engine. [Bug Fix] Address an HTTP/3 sendfile corner case. [Bug Fix] Address a problem with custom error page for OPTIONS request method. ===== Version 6.0.6 ===== === Build 0 === [Bug Fix] Address a few random crashes in asynchronous mod_security engine. [Bug Fix] Address random server hangs when AIO is in use [Improvement] Cleanup SSL OCSP data cache folder. ===== Version 6.0.5 ===== === Build 2 === [Bug Fix] Address a random crash introduced in v6.0.5 build 1. === Build 1 === [Bug Fix] Address random server hangs when AIO is in use. === Build 0 === [Bug Fix] Address a random crash with asynchronous mod_security engine. [Bug Fix] Resolve a problem with sending truncated static files over HTTP/3 connections. [Bug Fix] Resolve a problem with purging by URL. [Bug Fix] Address a crash when handling decoded HTTP/2 headers. ===== Version 6.0.4 ===== === Build 0 === [Bug Fix] Address a chrome HTTP/3 connection timeout issue for long running scripts. [Bug Fix] Address a multi-thread race condition in mod_security engine. [Bug Fix] Detect dead HTTP/2 connections during server cool-down. [Bug Fix] Improve request/response header name validation to avoid HTTP/2 and HTTP/3 protocol violations. ===== Version 6.0.3 ===== === Build 0 === [New Feature] Optionally enable UNIQUE_ID environment variable for Apache mod_unique_id compatibility. [New Feature] Add server variable REDIRECT_REQUEST_METHOD for better Apache compatibility. [Bug Fix] Address an infinite loop when processing conditional context expressions. [Bug Fix] Address crashes in mod_security engine, SSL session cache, and response header processing. [Bug Fix] Address LiteSpeed worker high CPU usage due to a malloc() spinlock dead lock. [Bug Fix] Better follow PassengerAppLogFile configuration for Python/Ruby applications. [Bug Fix] Follow server level compressible configuration for MIME types defined in .htaccess. [Bug Fix] Improve chunk encoded request body handling for PHP scripts. [Bug Fix] Minor tweaks to HTTP/3 protocol. ===== Version 6.0.2 ===== === Build 2 === [Bug Fix] Address a crash in response header processing. [Bug Fix] Better follow PassengerAppLogFile configuration for Python/Ruby applications. [Bug Fix] Follow server level compressible configuration for MIME types defined in .htaccess. [Bug Fix] Improve chunk encoded request body handling for PHP scripts. [Bug Fix] Minor tweaks to HTTP/3 protocol. === Build 1 === [Bug Fix] Address LiteSpeed worker high CPU usage due to a malloc() spinlock dead lock. === Build 0 === [New Feature] Enable HTTP/3 v1 by default. [Improvement] Allow header customization for reCAPTCHA pages. [Bug Fix] Keep Firefox HTTP/3 connections alive for long running scripts. [Bug Fix] Fix Ubuntu Plesk Grafana integration. [Bug Fix] Conditional redirect configuration now works properly. ===== Version 6.0.1 ===== === Build 0 === [New Feature] Add support for PassengerAppLogFile directive. [New Feature] Add support for access log TTFB format "%^FB". [Bug Fix] Python applications now have a higher priority than directory index. [Bug Fix] Applied all bug fixes made through 6.0 build 12. ===== Version 6.0 ===== === Build 12 === [Bug Fix] Address 'HTTP2_PROTOCOL_ERROR' bug introduced in v6.0 build 11 === Build 11 === [Bug Fix] Properly apply whitelist for Quic.cloud and Cloudflare IPs when server level ACL is blank. [Bug Fix] Address vhost level rewrite rule false positives. [Bug Fix] Perform stricter request header name validation. [Bug Fix] Use a more efficient HTTP/3 PLPMTUD implementation. [Bug Fix] Correct a cPanel NodeJS application configuration problem. [Bug Fix] Disable INFO level logging about "Pending MODSEC operation". [Bug Fix] Avoid converting response header name to lower case for HTTP/1.1. [Bug Fix] Address a few random crashes. === Build 10 === [Bug Fix] Fix compression cache corruption regression introduced in build 9. [Bug Fix] Address DirectAdmin default PHP handler issue. === Build 9 === [Bug Fix] Address a regression in cgi-bin handling introduced in 6.0 build 7. [Bug Fix] Allow ProxyPreserveHost configuration in context. [Bug Fix] Address a stack overflow in handling certain SSI expressions. [Bug Fix] Add missing "message" entry in mod_secuirty json audit log. [Bug Fix] Address a false positive in handling mod_security remote rule. [Bug Fix] Address HTTP/3 DLPMTUD false positives. === Build 8 === [Improvement] Make ProxyPass work exactly as it does in Apache. [Bug Fix] Address another corner case causing broken Java AJP connections. [Bug Fix] Address broken FastCGI backend. [Bug Fix] Properly handle multiple Content-Type response headers. [Bug Fix] Address a thread safety issue with mod_security engine. === Build 7 === [Bug fix] Address a corner case that was causing broken Java AJP connections. [Bug fix] Address an HPACK dynamic table memory usage problem. === Build 6 === [Bug Fix] Address a crash caused by HTTP/3 server push (introduced in 6.0 build 5). [Bug Fix] Address a crash in cache engine. [Bug Fix] Address high CPU usage when QUIC transport is unable to send pending packets. === Build 5 === [Bug Fix] Address a corner case that caused a truncated proxy response. [Bug Fix] Address a random crash. [Bug Fix] Increase rewrite engine match limit to avoid unexpected mismatch. [Bug Fix] Follow HTTP/3 specification more strictly. === Build 4 === [Bug Fix] Address a server crash when loading an outdated SSL certificate. [Bug Fix] Fix a bad response due to a false positive in mod_security engine. [Bug Fix] Address a corner case in HTTP/3 that causes high CPU usage. [Bug Fix] Fix a random failure loading a CA bundle file for SSL certificate configuration. === Build 3 === [Bug Fix] Address broken process resource limits for external applications. [Bug Fix] Address broken gQUIC handshake after SSL certificate updates. === Build 2 === [Bug Fix] Correct broken cPanel redirects for /(cpanel|webmail|whm). [Bug Fix] Correct broken virtual host level reCAPTCHA sensitivity trigger. [Bug Fix] Address random crashing when proxying to a 'wss://' backend. [Bug Fix] Address a deadlock in asynchronous DNS event handling. === Build 1 === [Security] Fix a bug that allowed bypassing of built-in blocked URLs. === Build 0 === [New Feature] HTTP/3 v1 support with with DPLPMTUD, Adaptive congestion control, Delayed ACK, and zero-copy packetization. [New Feature] Asynchronous mod_security engine. [New Feature] Cache engine POST request caching capability. [New Feature] Dynamic DNS lookup for external application backends. [New Feature] Support for Apache 2.4 conditional contexts '', '', and ''. [New Feature] Bubblewrap isolated CGI/PHP execution environments. [New Feature] Cgroup resource throttling for CGI/PHP. [New Feature] Support for secure websocket backend (wss://). [New Feature] Auto whitelist QUIC.cloud IPs. [Improvement] Better out-of-box compatibility with Apache ProxyPass directive. [Improvement] ModSecurity scan response body support. [Improvement] ModSecurity persistent collection SHM storage. [Improvement] ModSecurity JSON audit log. [Improvement] Revamp of SSL Multi-Cert support. [Bug Fix] All applicable bug fixes from 5.4.X releases. ===== Version 6.0RC3 ===== === Build 0 === [New Feature] Support external application configuration using domain name for target address. [New Feature] HTTP/3 draft 32 support. [New Feature] Support for secure websocket backend (wss://). [Major Improvement] Better Apache ProxyPass compatibility with any target domain/IP, without the need to explicitly create an external application. [Major Improvement] HTTP/3 Delayed ACK extension has been enabled to improve performance. [Improvement] Better support for various ModSecurity variables. [Improvement] Fix various HTTP/3 congestion control corner cases to maximize throughput. ===== Version 6.0RC2 ===== === Build 0 === [New Feature] ModSecurity scan response body support. [New Feature] HTTP/3 draft 31 support. [Major Improvement] Improve HTTP/3 throughput with DPLPMTUD, Adaptive congestion control, and zero-copy packetization. [Major Improvement] ModSecurity persistent collection SHM storage. [Major Improvement] Revamp of SSL Multi-Cert support. ===== Version 6.0RC1 ===== === Build 0 === [Major New Feature] Apache 2.4 conditional context support. [Major New Feature] Asynchronous mod_security engine. [Major New Feature] Bubblewrap isolated CGI/PHP execution environments. [New Feature] HTTP/3 draft 29 support. [Major Enhancement] HTTP/2 has gone through a major rewrite with more efficient header handling. [Enhancement] Added ModSecurity JSON audit log. ===== Version 5.4.12 ===== === Build 8 === [Bug Fix] Properly apply whitelist for Quic.cloud and Cloudflare IPs when server level ACL is blank. [Bug Fix] Address vhost level rewrite rule false positives. [Bug Fix] Correct a cPanel NodeJS application configuration problem. [Bug Fix] Fix Ubuntu Plesk Grafana integration. === Build 7 === [Bug Fix] Address a native pipe logger configuration failure. === Build 6 === [Bug Fix] Increase rewrite engine match limit to avoid unexpected mismatch. === Build 4 === [Bug Fix] Address broken virtual host level reCAPTCHA sensitivity trigger. === Build 3 === [Security] Fix a bug that allowed bypassing of built-in blocked URLs. === Build 2 === [Bug Fix] Correct problematic PCRE flag causing false positives in mod_security. === Build 1 === [Bug Fix] Address external application command sanitizer blocking some PHP binary paths. === Build 0 === [Security] Fix a bug that allowed bypassing of built-in blocked URLs. [Security] Block improperly configured user/group and commands for external apps. [Feature] Auto white list QUIC.cloud IPs. [Bug Fix] Address content corruption for ESI includes. [Bug Fix] Improve ESI parser to handle improperly escaped ESI directives. [Bug Fix] Add SSL OCSP stapling for redis dynamic vhosts. [Bug Fix] Address a random crash in Layer 4 forwarding to websocket backends. [Bug Fix] cPanel webmail proxy domain email attachment uploads no longer hang. [Bug Fix] Update wsgi-lsapi to v1.9 to address a unicode encoding problem for Django applications. [Bug Fix] Improve NodeJS application compatibility. [Bug Fix] Start Ruby applications through a login bash shell to apply the necessary shell environment variables. [Bug Fix] Improve mod_security variables handling. [Bug Fix] Improve reCAPTCHA verification protection. ===== Version 5.4.11 ===== === Build 9 === [Security] Fix a bug that allowed bypassing of built-in blocked URLs. [Bug Fix] Address a random crash in Layer 4 forwarding to websocket backends. [Bug Fix] Address content corruption for ESI includes. [Bug Fix] Apply vhost request rate throttling override when the bandwidth throttling is off. [Bug Fix] Add SSL OCSP stapling for redis dynamic vhosts. [Bug Fix] Persistent warning about lsws systemd unit file has been changed in Plesk environments. [Bug Fix] Make "AddDefaultCharset" work for javscript and json response. [Tuning] Finetune vhost reCAPTCHA sensitivity. === Build 8 === [Bug Fix] cPanel webmail proxy domain email attachment uploads no longer hang. [Bug Fix] Update wsgi-lsapi to v1.9 to address a unicode encoding problem for Django applications. [Bug Fix] Update bundled WHM plugin to v4.1.3.1. [Debug] Improve private PURGE debug log messages with private cookie values. === Build 7 === [Security] Block improperly configured user/group and commands for external apps. [Bug Fix] Improve ESI parser to handle improperly escaped ESI directives. [Bug Fix] Fix NodeJS application helper script which may call undefined function. [Bug Fix] Avoid race condition when multiple workers try to start a detached external application. === Build 6 === [Bug Fix] Properly support REQUEST_COOKIES collection in mod_security engine. [Bug Fix] Mod_security @rx operator now properly matches multi-line input. [Bug Fix] Improve NodeJS application compatibility. [Bug Fix] Start Ruby applications through a login bash shell to apply the necessary shell environment variables. [Bug Fix] Update ruby-lsapi gem to 5.2 for alt-ruby and Plesk ruby installations. === Build 5 === [Bug Fix] Use long delay for access logging when AIO logging is enabled. [Bug Fix] Only throttle POST requests to wp-login.php for WordPress brute force protection. [Bug Fix] Log the correct value for the GEOIP environment variable in log message for a mod_security hit. [Bug Fix] Corner case that caused chunked input streams to hang (introduced in 5.4.11 build 3.) has been fixed. [Improvement] Allow the unsetting of non-indexed requested headers via the "RequestHeader unset ..." directive. === Build 4 === [Bug Fix] A timing issue with SSL ticket key rotation that causes brief SSL connection errors. === Build 3 === [Bug Fix] Rewrite rule triggered reCAPTCHA causing rare server hang. [Bug Fix] Chunk decoding hanging issue for request body. [Bug Fix] Response header count limit raise to 64K. [Bug Fix] Client info cache reference counting issue. [Tuning] Default timeout for SSL session ticket set to 1 hour. [Tuning] Default umask set to 022. === Build 2 === [Bug Fix] Matched Apache ModSecurity behavior by logging hits with "pass" action to error log. [Bug Fix] Fixed NodeJS application directory index for static content. [Bug Fix] Improved lsquic busy loop detection to avoid false positives. [Bug Fix] Log and auto correct the issue where Python application switches the directory for serving static content. === Build 1 === [Bug Fix] Handle stream RESET in a timely manner for HTTP/3 and QUIC connections. [Bug Fix] Automatically add local IPv4 and IPv6 addresses to trusted IP list. === Build 0 === [New Feature] Support for Apache configuration directive 'AuthMerging'. [Improvement] Support for RewriteCond operators added by Apache 2.4 which includes '>=' , '<=', '-eq' , '-ge' , '-gt', '-le' , '-lt', '-ne', '-h', '-L', and '-x'. [Improvement] Update bundled WHM Plugin to v4.1.3 (bundled w/ cPanel plugin v2.1.2). [Bug Fix] Do not load .htaccess from parent directories beyond document root when AllowOverride is disabled for those parent directories in Apache configuration. [Bug Fix] Address a crash in ESI sub requests. [Bug Fix] Avoid restoring older system file backups if a switch back to Apache has been performed. [Bug Fix] Avoid throttling or blocking local IP. [Bug Fix] Address occasional slow down caused by long delays added by CUBIC congestion control for HTTP/3 (QUIC). [Bug Fix] CloudLinux App config now follow max connections configured in LSWS native App config. [Bug Fix] Properly apply environment variable configuration for CloudLinux Node selector. [Bug Fix] Address a false positive that was blocking IPs due to "too many new SSL connections". [Bug Fix] Plesk webstats page now works properly. ===== Version 5.4.10 ===== === Build 4 === [Bug Fix] Do not load .htaccess from parent directories beyond document root when AllowOverride is disabled for those parent directories in Apache configuration. [Bug Fix] Address a crash in ESI sub request. [Bug Fix] Avoid restoring older system file backups if a switch back to Apache has been performed. [Bug Fix] Avoid throttling or blocking local IP. === Build 1 === [Bug Fix] Allow default PHP handler to follow explicit configurations for DirectAdmin. === Build 0 === [New Feature] Add ForceSecureCookie configuration directive to enforce "secure" and "SameSite" cookie attributes. This directive can be set in an Apache config file at the server or vhost level, or in the document root directory's .htaccess file. [New Feature] Allow LiteSpeed Cache for WordPress plugin to use ESI combine sub-requests to improve ESI performance. [New Feature] Update cPanel plugin to automatically apply new ECC certificates generated through the plugin. [Improvement] Apply Expires header to a partial response for a range request. [Improvement] Improve PHP default handler for DirectAdmin. [Improvement] Update bundled WHM plugin to v4.1.2 with improved WP cache scan logic. [Bug Fix] Avoid stapling expired OCSP responses. [Bug Fix] Properly apply URL encoding for Location URL generated by a rewrite rule. [Bug Fix] HTTP3/IETF QUIC: close immediately if crypto session can't be initialized. [Bug Fix] Close down HTTP3/QUIC streams reset by peer in a timely manner. [Bug Fix] Normalize IPv6 addresses to properly reuse existing listener sockets. [Bug Fix] Update Python application handler internal URL to avoid being blocked when .py suffix is blocked. [Bug Fix] Apply header operations for pages generated by python/nodejs applications. [Bug Fix] Properly detect HTTP/2 GREASE frame and GREASE settings entry, avoiding protocol errors. [Bug Fix] Avoid releasing cache objects too early. [Bug Fix] Address a rare crash in ESI parser. [Bug Fix] Force apply ACL configuration changes when client access level is cached in SHM. [Bug Fix] Reset per client concurrent connection counter stored in SHM when server restarts. [Bug Fix] For directory auto index, avoid a blank file name when special characters are in the name. [Tuning] Automatically detect and neutralize bad rewrite rules that cause looping proxy to the same server. [Tuning] Install alt-python38 wsgi-lsapi binary from source if rpm package is not available. [Tuning] Add PHP 8.0 auto detection. ===== Version 5.4.9 ===== === Build 4 === [Improvement] Improve PHP default handler for DirectAdmin. [Bug Fix] Avoid stapling expired OCSP responses. [Bug Fix] HTTP3/IETF QUIC: close immediately if crypto session can't be initialized. [Bug Fix] Address a rare/random crash. === Build 3 === [New Feature] Allow LiteSpeed Cache for WordPress plugin to use ESI combine sub-requests to improve ESI performance. [New Feature] Update cPanel plugin to automatically apply new ECC certificates generated through the plugin. [Bug Fix] Normalize IPv6 address to properly reuse existing listener sockets. [Bug Fix] Close down HTTP3/QUIC streams reset by peer in timely manner. === Build 2 === [New Feature] New ForceSecureCookie configuration directive to enforce "secure" and "SameSite" cookie attributes. This directive can be set in an Apache config file at the server or vhost level, or in the document root directory's .htaccess file. [Bug Fix] Apply header operations for pages generated by python/nodejs applications. [Bug Fix] Properly detect HTTP/2 GREASE frame and GREASE settings entry, avoiding protocol errors. [Tuning] Automatically detect and neutralize bad rewrite rules that cause looping proxy to the same server. [Tuning] Install alt-python38 wsgi-lsapi binary from source if rpm package is not available. [Bug Fix] Avoid releasing cache objects too early. [Bug Fix] Address a rare crash in ESI parser. === Build 1 === [Feature] Apply Expires header to a partial response for a range request. [Bugfix] Force apply ACL configuration changes when client access level is cached in SHM. [Bugfix] For directory auto index, avoid a blank file name when special characters are in the name. === Build 0 === [New Feature] WHM plugin 4.1 with Let's Encrypt ECC certificate support. QUIC.cloud integration with SSL certificates synchronization. [New Feature] Automatic CloudFlare CDN IP detection. [New Feature] Support for bcrypt password hash for HTTP authentication. [Improvement] PHP version detection for cPanel FCGId PHP handler. ===== Version 5.4.8 ===== === Build 5 === [Bug fix] Properly pass CHUNK encoded request body to script handler to address random file upload failure. [Bug fix] Addressed graceful restart failure when the server has many IPs in use and is forced to create listeners for individual IP. === Build 4 === [New Feature] Control whether to wait for the full request body or not before passing requests to the request handler with new environment variable "wait-req-full-body". (Waiting allows the request handler to see the full request body immediately) [Tuning] Increase reCAPTCHA verified status timeout from 1-hour to 1-day. [Tuning] Increase .htaccess processing time limit from 500ms to 2.5sec to allow for the processing of larger .htaccess files. === Build 3 === [Bug Fix] LiteMage cache object count is now more accurate. [Bug Fix] Address a few compatibility issues with Plesk admin console proxy through regular HTTPS access. [Bug Fix] Cache statistics access through IPv6. [Improvement] Protect WebAdmin listener port from duplicate regular listener configuration. [Improvement] Add Plesk git integration support. === Build 2 === [Bug Fix] Address 404 error for reCAPTCHA verification. [Bug Fix] 'SetEnv' directive is now properly applied inside or contexts. === Build 1 === [Bug Fix] Correct DirectAdmin PHP handler detection when "DirectAdmin" panel is selected under "PHP" config tab. [Bug Fix] WebSocket ProxyPass configuration now works correctly inside the context. [Bug Fix] Match Apache's Redirect behavior by discarding original query string if target URL has query string set. === Build 0 === [New Feature] Add the ability to load an extra ECC certificate for an Apache virtual host when multi-cert support is enabled. [New Feature] Apply header modification configurations in .htaccess to dynamic responses for CloudLinux Python/Ruby/NodeJS selector application. [New Feature] Update client IP using request header "X-Real-IP". [New Feature] Use Client IP in Header can now be set to use the last IP listed in the X-Forwarded-For header for servers behind AWS ELB. [Security] Block 'LD_*' environment variable overriding from .htaccess. [Improvement] New Ruby 2.0+ compatible RackRunner script for ruby-lsapi 5.0. [Improvement] Separate IPv4 and IPv6 virtual hosts now share cached pages for the same domain. [Improvement] Update WHM plugin to v4.0 (drops support for EasyApache 3). [Improvement] Make reCAPATCHA compatible with WordPress password protected pages. [Bug Fix] Invisible reCAPTCHA now works properly with IE 11 browser. [Bug Fix] Correct Magento LiteMage2 cache object statistics. [Bug Fix] Address an AJPv13 hanging bug. [Bug Fix] Enabling bandwidth throttling no longer causes rare HTTP/2 response hangs. [Bug Fix] Properly apply UMASK configuration for external applications. [Bug Fix] Fix a problem with Plesk log rotation when LSWS overrode Apache's rc script with a symbolic link. [Bug Fix] NodeJS default being not properly set in httpd_config.xml no longer causes crashing. [Bug Fix] Address cp_switch_ws.sh issues when switching back to Apache. ===== Version 5.4.7 ===== === Build 9 === [Bug Fix] Correct a SHM memory allocation issue. [Bug Fix] Address a URL handling regression introduced in build 7 that affected NextCloud WebDAV clients. === Build 8 === [New Feature] Use Client IP in Header can now be set to use the last IP listed in the X-Forwarded-For header for servers behind AWS ELB. [Bug Fix] Address cp_switch_ws.sh issues when switching back to Apache. [Bug Fix] Invisible reCAPTCHA now works properly with IE 11 browser. [Bug Fix] Correct a crash bug in cache engine. [Tuning] Separate IPv4 and IPv6 virtual hosts now share cached pages for the same domain. === Build 7 === [New Feature] For CloudLinux Python/Ruby/NodeJS selector application, applies header modification configuration in .htaccess to dynamic response. [Bug Fix] A mod_security engine bug that causes random crash. [Bug Fix] A bug in access log format validation. === Build 6 === [Bug Fix] Fixed Plesk log rotation issue when LSWS override Apache rc script with symbolic link. [Bug Fix] Fixed a crash when NodeJS default was not properly set in httpd_config.xml. === Build 5 === [Security] Blocks overriding LD_PRELOAD environment variable from .htaccess. [Bug Fix] Fixed a corner case that causes hanging HTTP/2 response when bandwidth throttling is enabled. [Bug Fix] Properly apply UMASK configuration for external application. === Build 4 === [New Feature] Added the ability to load extra ECC certificate for Apache virtual host when multi-cert support is enabled. [Improvement] New Ruby 2.0+ compatible RackRunner script for ruby-lsapi 5.0. [Tuning] Disable cache if a request is blocked by mod_security. [Bug Fix] Minor bug fixes in cache engine. [Bug Fix] Minor bug fix in mod_security engine. === Build 3 === [Bug Fix] Fixed an HTTP/2 protocol bug encountered when a PHP page failed without sending back a response header. [Bug Fix] Fixed an internal memory management bug that caused random crashing. === Build 2 === [Bug Fix] Fixed an AJPv13 protocol bug that caused requests containing a request body to hang. [Tuning] Improved reCAPATCHA verification to make it compatible with WordPress password protected pages. === Build 0 === [Security] Fixed a symbolic link attack in directory auto index script. Thank you KnownHost for the bug report. (CloudLinux user is not affected.) [New Feature] Added strict suEXEC and ownership checking on scripts. [New Feature] Added ability to configure static/dynamic request per second limit for Apache ghost. [Bug Fix] Fixed reCAPTCHA triggering for the first access of an allowed robot. [Bug Fix] Added "Cache-Control: no-cache" to reCAPTCHA verification page to disallow CDN/proxy cache. [Bug fix] Fixed delayed .htaccess loading. [Bug fix] Fixed a delayed server response bug with HTTP/2. [Bug fix] Fixed a NodeJS websocket backend configuration bug. [Bug fix] Shared lib for lscmctl script is now updated on server install/update. [Tuning] Prevent ports 443 and 80 from being used as WebAdmin listener port. [Tuning] Avoid triggering 503 errors when cPanel backend services (cpcontacts, webdisk, ...) are unavailable. [Tuning] Automatically update /proc/sys/net/core/somaxconn to 1024 whenever server performs a fresh startup. [Tuning] Added after=lve_namespaces.service to systemd unit file. ===== Version 5.4.6 ===== === Build 5 === [Bug Fix] Fixed a bug that reCAPTCHA was shown for the first access of an allowed robot. [Bug Fix] Added "Cache-Control: no-cache" for reCAPTCHA verify page to disallow CDN/proxy cache. === Build 4 === [Bug Fix] Minimize interference with mandatory rewrite processing when bypassing favicon URL rewrite. [Tuning] Avoid triggering 503 errors when cPanel backend services (cpcontacts, webdisk, ...) are unavailable. === Build 3 === [Bug Fix] Use request header value for RBL lookups. [Bug Fix] Fixed a configuration parser crash. [Bug Fix] Fixed HTTP/3 ALPN string to properly advertise h3-27. [Tuning] Automatically update /proc/sys/net/core/somaxconn to 1024, when server performs a fresh startup. [Tuning] Avoid adjusting external application process priority based on server's priority. === Build 2 === [New Feature] Added strict suEXEC and ownership checks for scripts. [New Feature] Added ability to configure static/dynamic request per second limit for Apache vhost. [Tuning] Added after=lve_namespaces.service to systemd unit file. [Bug Fix] Fixed a bug when switching vhost log file. [Bug Fix] Fixed an HTTP/3 timestamp/ACK ping-pong bug. [Bug Fix] Fixed a bug causing extra delay when response has content length = 0. === Build 1 === [Bug fix] Fixed a bug causing delayed .htaccess loading. [Bug fix] Fixed an HTTP/2 bug that sometimes delayed server response. [Bug fix] Fixed a bug in NodeJS websocket backend configuration. [Bug fix] Shared lib for lscmctl is now updated on server install/update. [Tuning] Prevent ports 443 and 80 for use as a WebAdmin listener. === Build 0 === [New Feature] Updated HTTP/3 support to include h3-27. [Bug Fix] Fixed a bug that caused ProxyPass ws:// target to stop working for certain configuration combination. [Bug Fix] Fixed a bug in HTTP/2 handling mismatched response content-length and actual reponse body size. [Bug Fix] Fixed a false positive that triggered ACL denied for Plesk. [Bug Fix] Fixed a regression that broke /tmp/lshttpd/swap auto cleanup. [Bug Fix] Fixed a false positive when handling ModSecrurity SecRemoteRule. [Bug Fix] Fixed a crash in ModSecurity using libinjection. [Tuning] Set mod_security RBL DNS cache to 60 seconds. [Tuning] Disable TLSv1.1 by default. [Tuning] Enable SSL session tickets by default. [Tuning] No longer add ECDHE-RSA-AES128-SHA cipher automatically. ===== Version 5.4.5 ===== === Build 3 === [Bug Fix] Fixed a false positive that triggered ACL denied for Plesk. [Bug Fix] Fixed a regression that broke /tmp/lshttpd/swap auto cleanup. [Bug Fix] Fixed a false positive when handling ModSecrurity SecRemoteRule. [Bug Fix] Fixed a crash in ModSecurity using libinjection. [Tuning] No longer add ECDHE-RSA-AES128-SHA cipher automatically. === Build 2 === [Bug Fix] Minor ModSecurity compatibility fixes. [Bug Fix] Prevent WebAdmin Console 503 error on centos8 by installing libnsl package automatically. [Bug Fix] Minor bug fixes in HTTP/3 (QUIC) engine. [Tuning] Added add "SameSite=Strict" attribute to ls_smartpush cookie. [Tuning] Update cp_switch_ws.sh script to work independently of any installed control panel plugins. [Bug Fix] Update uninstall.sh script to work properly when a control panel plugin is not installed. [Tuning] Downgraded some modsec log messages from "error" to "warning". [Bug Fix] Fixed a rewrite engine compatibility regression introduced in v5.4.4. === Build 1 === [Bug Fix] mod_security @validateUrlEncoding operator has been turned off to avoid unnecessary false positives. [Bug Fix] Fixed a cache engine bug that broke the "Respect Cacheable" feature. [Bug Fix] Fixed a crash bug when detecting server startup time. [Tuning] Made HTML pages generated by the auto index script responsive. [Tuning] Hid confusing required/restricted permission mask configurations in WebAdmin Console. === Build 0 === [New Feature] Added support for IETF HTTP/3 draft 25 (h3-25). [New Feature] Populate GEOIP_COUNTRY_CODE environment variable using IP2Location database. [New Feature] Added full Captcha protection for WordPress login page. [New Feature] Optionally skip rewrite processing for Let's Encrypt verification requests. [New Feature] Automatically patch Set-Cookie with 'secure' flag when served over HTTPS. [Improvement] Added 'cssDecode' and 'utf8toUnicode' transformations to ModSecurity engine. [Improvement] Added support for 'REQUEST_SCHEME' request variable. [Improvement] Added '-vb' command line option to print out version and build number. [Update] Updated WHM plugin to v3.3.7. [Bug Fix] Fixed websockets hanging on upgrade. [Bug Fix] Fixed a WebAdmin Console socket address validation bug. [Bug Fix] Fixed .htaccess configuration changes failing to apply for Python/Ruby/NodeJS applications. [Bug Fix] Environment variable names are no longer converted to uppercase for Apache SetEnv directive. [Bug Fix] Fixed a NodeJS wrapper script bug that failed to handle startup files with absolute paths. [Bug Fix] External application process startup time is now reliably detected. [Bug Fix] Fixed a minor regression with AHO string search. [Bug Fix] Fixed a bug using wrong log ID in error log. ===== Version 5.4.4 ===== === Build 8 === [Bug Fix] In cPanel environment, disable rewrite bypass for Let's Encrypt verification requests if dedicate rewrite rule for 'acme-challenge' detected. === Build 7 === [Bug Fix] Fixed a random crash that occurred during SSL handshakes. [Bug Fix] Fixed a bug that rarely cased CPU usage to climb to 99% when shutting down SSL connections. === Build 6 === [Bug Fix] Fixed a NodeJS wrapper script bug that failed to handle startup files with absolute paths. [Bug Fix] Fixed a random reCAPTCHA verification failure with status code 500. [Bug Fix] External application process startup time is now reliably detected. [Bug Fix] Fixed a minor regression with AHO string search. === Build 5 === [New Feature] Automatically patch Set-Cookie with 'secure' flag when served over HTTPS. [Bug Fix] Fixed a regression in Python/Ruby/NodeJS application 'tmp/restart.txt' marker file handling. [Bug Fix] Fixed a WebAdmin Console socket address validation bug. [Bug Fix] Fixed a corner case to load trusted IP configured in document root .htaccess before reCAPTCHA verification. === Build 4 === [New Feature] Skip rewrite processing for Let's Encrypt verification requests. [Bug Fix] Fixed websockets hanging on upgrade. [Bug Fix] Fixed a WebAdmin Console socket address validation bug. [Bug Fix] Fixed .htaccess configuration changes failing to apply for Python/Ruby/NodeJS applications. [Bug Fix] Environment variable names are no longer converted to uppercase for Apache SetEnv directive. === Build 3 === [New Feature] Added full Captcha protection for WordPress login page. [Bug Fix] Fixed a connection hang regression introduced in v5.4.4 build 2. === Build 2 === [New Feature] Populate GEOIP_COUNTRY_CODE environment variable using IP2Location database. [Bug Fix] Minor bug fixes to ModSecurity engine. === Build 1 === [Improvement] Fine tuned HTTP/3 and QUIC engine performance. [Improvement] Added 'cssDecode' and 'utf8toUnicode' transformations to ModSecurity engine. [Improvement] Added 'ctl:debugLogLevel' support to ModSecurity engine. [Improvement] Added support for 'REQUEST_SCHEME' request variable. [Improvement] Added '-vb' command line option to print out version and build number. [Update] Updated WHM plugin to v3.3.6. [Bug Fix] Minor bug fixes in ModSecurity engine. === Build 0 === [New Feature] Added support for Google QUIC Q050. [Security] Improved WebAdmin Console security by strictly checking request URLs. [Bug Fix] Fixed a bug that caused HTTPS connections to stall when bandwidth throttling was enabled. [Bug Fix] Fixed an ESI/Litemage output corruption bug. [Bug Fix] Fixed a bug in AIO logging that caused the access log to stop working. [Bug Fix] Fixed a bug causing 100% CPU usage for FreeBSD. [Bug Fix] Removed an unnecessary CloudLinux CageFS mount point for "/tmp/lshttpd". [Bug Fix] Fixed a crash caused by memory mapped files being truncated. ===== Version 5.4.3 ===== === Build 5 === [Bug Fix] Fixed a regression for mod_security request parser introduced in 5.4.3 build 4. [Bug Fix] Fixed a crash due to memory mapped file being truncated. === Build 4 === [Security] Improved WebAdmin console security by strictly checking request URL. [Bug Fix] Fixed a regression for FastCGI protocol support, introduced in 5.4.3 build 0. [Bug Fix] There are minor bug fixes for mod_security engine. === Build 3 === [Bug Fix] Fixed a mutex dead-lock regression introduced in build 2 for AIO logging. === Build 2 === [Bug Fix] Fixed a bug in AIO logging that caused access log stop working. [Bug Fix] Fixed a bug caused 100% CPU usage for FreeBSD. [Bug Fix] Removed an unnecessary CloudLinux CageFS mount point for "/tmp/lshttpd". === Build 1 === [Bug Fix] Fixed a bug that caused HTTPS connections to stall when bandwidth throttling was enabled. [Bug Fix] Fixed an ESI/Litemage output corruption bug. [Tuning] Fine tuned keepalive timeout for detached PHP processes to reduce the number of idle PHP processes. === Build 0 === [New Feature] Websocket backend support via the "ProxyPass" directive. [Enhancement] Improved WordPress brute force protection when facing large botnet attacks. [Tuning] Updated HTTP/3 QUIC engine default congestion control method to CUBIC for better performance in good network conditions. [Update] Updated WHM plugin to v3.3.5 (includes support for displaying "critical alerts"). [Bug Fix] Fixed a few bugs in HTTP/3 QUIC engine. [Bug Fix] Fixed a bug in PID verification that failed to stop processes for detached applications. [Bug Fix] Fixed a bug in modsecurity engine where LOGGING phase processing was bypassed if a client was using a QUIC connection. [Bug Fix] Properly count 3 character second level domains against license domain limit. [Bug Fix] Properly parse IPv6 mapped IPv4 addresses in request header. [Bug Fix] Fixed missing "REMOTE_USER" request environment variable when HTTP authentication is used. [Bug Fix] Fixed a problem with utf-8 characters in request URLs for Python applications. [Bug Fix] Improved lock contention handling when detached mode PHP processes are started concurrently by multiple server worker processes. [Bug Fix] Fixed an ESI sub-request bug that could stall proxy to backend communication. [Bug Fix] Fixed a DirectAdmin userdir bug. ===== Version 5.4.2 ===== === Build 7 === [Bug Fix] Fixed an HTTP/3 QUIC engine bug introduced in build 6 that could cause action connections to close at random. [Tuning] Updated HTTP/3 QUIC engine default congestion control method to CUBIC for better performance in good network conditions. [Tuning] Lowered WordpressProtect minimum limit from 5 to 2 to better pairing with reCAPTCHA verification. === Build 6 === [Bug Fix] Fixed a few minor HTTP/3 and QUIC engine bugs. [Bug Fix] Fixed an HTTPS bug that caused a busy loop in FreeBSD. [Bug Fix] Properly count 3 character second level domains against license domain limit. [Bug Fix] Properly parse IPv6 mapped IPv4 addresses in request header. [Bug Fix] Fixed missing "REMOTE_USER" request environment variable when HTTP authentication is used. === Build 5 === [Bug Fix] Fixed a bug that caused excessive buffering for HTTP/2 connection. [Bug Fix] Fixed a bug in QUIC, HTTP/3 engine that caused large file downloads to stall. [Bug Fix] Fixed a bug that caused random 404 error. === Build 4 === [Bug Fix] Improved HTTP/3 draft 24 inter-operability with other HTTP/3 clients. [Bug Fix] Improved lock contention handling when detached mode PHP processes are started concurrently by multiple server worker processes. [Bug Fix] Fixed missing environment problem for Python applications. [Bug Fix] Fixed a problem with utf-8 characters in request URLs for Python applications. [Bug Fix] Fixed a rare HTTP/2 connection stalling problem. === Build 3 === [Bug Fix] Fixed a bug in mod_security engine @validateUrlEncoding operator resulting in false positives. [Bug Fix] Fixed a compatibility issue with Plesk's autodiscover feature. [Bug Fix] Fixed a random 404 error for NodeJS applications. === Build 2 === [Enhancement] Improved Wordpress brute force protection when facing large botnet attacks. [Bugfix] Fixed HTTP/3 handshake failures when TLSv1.3 was not enabled by control panels. [Bugfix] Fixed an ESI sub-request bug that could stall proxy to backend communication. [Bugfix] Fixed a DirectAdmin userdir bug. [Bugfix] Fixed a Python application compatibility bug. === Build 1 === [Bug Fix] Fixed a bug introduced in v5.4.2 build 0 where some mod_security rules could cause false positives. [Bug Fix] Fixed a bug that caused 503 errors when the configuration of python/node/ruby selector applications where updated. [Bug Fix] Minor bug fixes in QUIC and HTTP/3 engine. === Build 0 === [New Feature] Updated QUIC implementation to support IETF HTTP/3 draft 23. [New Feature] BBR congestion control for QUIC and HTTP/3. [New Feature] "Require env XXXX" access control support. [New Feature] User/Account level bandwidth throttling for Redis dynamic virtual hosting. [Improvement] Further HTTPS SSL layer performance tuning. [Improvement] Automatically restart running PHP processes when PHP binary changes are detected. [Improvement] Automatically convert ea-phpXX handler configuration into a phpXX handler when an ea-php handler is not available. [Improvement] Improved AIO access logging to minimize disk I/O. [Improvement] Avoid reCAPTCHA verification on AJAX requests to minimize false positives. [Improvement] Built-in error and reCAPTCHA verification pages are now responsive. [Improvement] Remove '[' ']' enclosure for IPv6 addresses in the access log and request environment variable 'REMOTE_ADDR'. [Improvement] Reduced memory usage to improve server scalability. [Improvement] Improved accuracy of server real-time statistics. [Improvement] Enable SSL SHM session cache for Apache HTTPS vhost when server level SSH session cache is enabled. [Improvement] Disable TLSv1.0 by default for better PCI compliance. [Improvement] Automatically disable HTTP/2, SPDY, and QUIC for CSF messenger vhosts on port 8887. [Improvement] Added "SmartPush no-cookie" directive to disable cookies used for HTTP/2 and QUIC smart push. [Improvement] Added `lsws/logs/critical_alert` log file for writing common license errors that could cause LSWS to stop working. [Improvement] Improved compatibility with CloudLinux python selector. [Improvement] Improved modsecurity engine compatibility. [Improvement] Send "Alt-Svc" header advertising QUIC and HTTP/3 support only once per connection. [Bug Fix] Fixed WordPress brute force protection bugs that were causing false positives and crashes. [Bug Fix] Fixed a bug causing HTTP/2 requests to stall under rare conditions. [Bug Fix] Fixed a bug causing broken non-keepalive HTTPS responses. [Bug Fix] Fixed a Layer4 tunnel bug that caused random crashes. [Bug Fix] Fixed Apache sometimes starting inside the lshttpd cgroup when switching from LSWS to Apache. [Bug Fix] Fixed all LSPHP processes not being stopped when switching from LSWS to Apache. [Bug Fix] Fixed an .htaccess cache bug that caused the server's default PHP handler to be used instead of configured per-vhost suEXEC handlers. [Bug Fix] Per Apache vhost PHP 7.4 handler now runs in suEXEC mode. ===== Version 5.4.1 ===== === Build 8 === [Improvement] Improved python application configuration to allow swapping applications on the same URL. [Bug Fix] Disable CRIU feature to avoid server downtime after a recent CloudLinux CRIU library update began causing lscgid to crash. [Bug Fix] Fixed a mod_security configuration bug that reordered some rules under certain conditions. [Bug Fix] Fixed a systemd warning under Plesk 18.0. === Build 7 === [Improvement] Automatically disable HTTP/2, SPDY, and QUIC for CSF messenger vhost on port 8887. [Improvement] Added "SmartPush no-cookie" directive to disable cookies used for HTTP/2 and QUIC smart push. [Improvement] Added `lsws/logs/critical_alert` log file for writing common licensing problems that could cause LSWS to stop working. [Bug Fix] Fixed a compatibility issue with CloudLinux python selector. === Build 6 === [Bug Fix] Fixed a bug introduced in build 5 that caused the server to crash when "require env xxxx" was used. [Bug Fix] Fixed QUIC support for FreeBSD. [Bug Fix] Changed "Accept-Encoding" value to be case insensitive. [Improvement] Use 'pkill' instead of 'killall' in various scripts to minimize dependencies on installed system packages. [Improvement] Update "Alt-Svc" string for gQUIC advertising. === Build 5 === [FEATURE] Enable SSL SHM session cache for Apache HTTPS vhost when server level SSH session cache is enabled. [FEATURE] Added support for "Require env XXXX" access control. [TUNING] Disable TLSv1.0 by default for better PCI compliance. [BUGFIX] Make statistics more accurate for requests processed . [BUGFIX] Fixed a minor regression in 5.4 that performs redirect before rewrite when URL without a trailing slash pointing to a directory. === Build 4 === [Improvement] Automatically restart running PHP processes after detecting PHP binary updates. [Improvement] Automatically converted ea-phpXX handler configuration to phpXX handler when ea-php handler is not available. [Improvement] Improved AIO access logging to minimize disk I/O. [Bug Fix] Close unused REUSEPORT socket. [Bug Fix] Make "requests processed" counter more accurate in real-time report. [Bug Fix] Make per Apache vhost PHP 7.4 handler run in suEXEC mode. [Bug Fix] Fixed a bug reading CGI 'umask' configuration as an octal number. === Build 3 === [Bug Fix] Fixed a .htaccess cache bug that caused the server's default PHP handler to be used instead of per-vhost suEXEC handlers. [Bug Fix] Fixed a WP brute force protection bug that occasionally caused 100% CPU usage. [Bug Fix] Fixed a divide by zero bug that was causing server crashes. [Bug Fix] Fixed a mod_security engine bug where `@geolookup` would not work properly with new MaxMind DB files. [Tuning] Reduced Brotli compression memory usage. [Tuning] Allow mapping www.TLD.com and TLD.com to different native virtual hosts. === Build 2 === [New Feature] Added an option to allow generation of full real time status report, including idle virtual host and external app stats. [Bug Fix] Fixed an RBL compatibility issue with modsecurity rules from Imunify360. [Bug Fix] Fixed a Layer4 tunnel bug that caused random crashes. [Bug Fix] Fixed Apache sometimes starting inside the lshttpd cgroup when switching from LSWS to Apache. [Bug Fix] Fixed all LSPHP processes not being stopped when switching from LSWS to Apache. [Bug Fix] Fixed a QuicEngine bug that sometimes caused a server crash. === Build 1 === [Improvement] Avoid reCAPTCHA verification on AJAX requests to minimize false positives. [Improvement] Make built-in error and reCAPTCHA verification pages responsive. [Improvement] Remove '[' ']' enclosure for IPv6 addresses in the access log and request environment variable REMOTE_ADDR. [Bug Fix] Fixed a bug that caused HTTP/2 requests to stall under rare conditions. [Bug Fix] Fixed a bug that caused broken non-keepalive HTTPS responses. [Bug Fix] Fixed a bug that caused WordPress brute force protection false positive. === Build 0 === [Security] Addressed recent HTTP/2 DoS advisories (https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md). Fixed CVE-2019-9516 ""0-Length Headers Leak"" vulnerability. Completely blocks unaffected attacks: CVE-2019-9511 ""Data Dribble"", CVE-2019-9512 ""Ping Flood"", CVE-2019-9513 ""Resource Loop"", CVE-2019-9514 ""Reset Flood"", CVE-2019-9515 ""Settings Flood"", CVE-2019-9517 ""Internal Data Buffering"", and CVE-2019-9518 ""Empty Frames Flood"". [New Feature] Updated HTTP/3 support to Internet Draft 22. [New Feature] Smart server PUSH uses cookies to track pushed assets, avoiding pushing the same asset repeatedly. [Improvement] reCAPTCHA engine has been improved to reduce false positives. [Bug fix] Fixed a chunk encoding bug that could cause data corruption. [Bug Fix] Fixed a bug that could cause truncated response bodies to be transferred over non-keepalive HTTPS connections. This usually affects front-end CDN services. [Bug Fix] Fixed a regression that prevented Apache vhosts from using PHP daemon mode. [Bug Fix] Fixed a cache engine bug that failed to forward the `X-Litespeed-purge2` response header to front-end ADC cache engines. [Bug Fix] Fixed a bug that causes Python WSGI applications to fork child processes frequently. ===== Version 5.4 ===== === Build 3 === [Bug Fix] Fixed a bug that could cause truncated response bodies to be transferred over non-keepalive HTTPS connections. This usually affects front-end CDN services. === Build 2 === [New Feature] Updated HTTP/3 support to Internet Draft 22 . [New Feature] Smart server PUSH uses cookies to track pushed assets, avoiding pushing the same asset repeatedly. [Improvement] Re-enabled PHP graceful shutdown now that the PHP LiteSpeed SAPI 7.5 package is ready. [Improvement] Tuned reCAPTCHA verification to avoid requesting verification on image/css/js files. [Bug Fix] Minor bug fixes for 404 logging and some rare crashes. === Build 1 === [Update] Updated cPanel/WHM plugins to v1.2.3.3 and v3.3.3.5 respectively. [Bug fix] Fixed a chunk encoding bug that could cause data corruption. [Bug fix] Fixed a bug with customized reCAPTCHA pages. [Bug fix] Fixed a QUIC engine bug that affected graceful restarts. [Bug fix] Fixed a BAN request method parsing bug. === Build 0 === [Major Improvement] Massive HTTP/2 HTTPS performance boost (up to 5x faster than LSWS v5.3.x). [Major New Feature] Experimental HTTP/3 draft 20 support. [Major New Feature] Redis and rewrite based dynamic virtual hosting. [Major New Feature] Server level reCAPTCHA protection efficiently defends against layer-7 DDoS attacks of any size. [New Feature] Added support for Q046 in QUIC engine. [New Feature] HTTPS accelerator with direct dynamic TLS record packaging, improving both HTTPS throughput and TTFB without compromise. [New Feature] HTTPS handshake offloading, improving HTTPS handshake speed and avoiding clogging the server's main event loop. (No extra configuration required) [New Feature] SO_REUSEPORT support, improving multi-worker scalability for high traffic deployments. [New Feature] HTTPS certificate compression, reducing the size of HTTPS handshake exchange data. [Improvement] Improved HTTP/2 stream prioritization for a better user browsing experience. ===== Version 5.4RC4 ===== === Build 0 === [New Feature] Support for SO_REUSEPORT for multi-worker license. [New Feature] HTTPS/QUIC handshake offloading. [New Feature] TLSv1.3 certificate compression. [New Feature] High Availability for Redis dynamic vhost setup. [New Feature] Support for Google QUIC 046. [New Feature] Experimental IETF QUIC draft-20. ===== Version 5.4RC3 ===== === Build 0 === [Major New Feature] Dynamic Virtual Host configuration through REDIS backend. [Major Improvement] Greatly improved HTTP/2 performance -- up to 7x faster than previous implementations. [Bug fix] Improved QUIC engine performance and stability. [Bug fix] All bug fixes and enhancements on 5.3.x branch included. ===== Version 5.4RC2 ===== === Build 0 === [Major New Feature] Dynamic virtual hosting through rewrite rules. [Improvement] Improved HTTP/2 performance. [New Feature] QUIC proxy backend support for backend communication through QUIC. [Bug fix] All applicable bug fixes from the 5.3 branch. [Bug fix] Fixed a few server crash bugs. ===== Version 5.4RC1 ===== === Build 0 === [New Feature] Recaptcha verification for DDoS attack mitigation. [New Feature] Support for Ruby/Python/Nodejs applications in native configuration. [New Feature] Added Virtual Host level trusted IP control, managed through .htaccess. [Major Improvement] Added LiteSpeed TLS Accelerator, maximizing HTTPS & HTTP/2 performance. [Major Improvement] HTTP/2 performance has been improved with a better header compression/decompression work flow. [Bug fix] All bug fixes from LSWS 5.3.5 incremental builds included. ===== Version 5.3.8 ===== === Build 6 === [Update] Updated cPanel/WHM plugins v1.2.3.2 and v3.3.3.4 respectively. [Bug fix] Temporarily stop PHP processes with SIGKILL as a workaround for problems caused by clean shutdown logic added to PHP LiteSpeed SAPI v7.4.3. [Bug fix] Added websocket proxy support for cPanel and webmail subdomains in addition to WHM subdomains. [Bug fix] Fixed a QUIC engine bug and made QUIC more DoS attack resistant. === Build 5 === [Bug Fix] Updated WHM plugin to v3.3.3.2 to fix a bug introduced in the previous version that caused most plugin actions to result in a PHP fatal error. [Bug Fix] To avoid server crash, PCLMUL will be disabled in the zlib library if the server CPU does not support PCLMUL instructions. === Build 4 === [New feature] Web Cache Manager CLI support for DirectAdmin. [Bug fix] Fixed websocket proxy from https to ws:// backend; made WHM terminal work properly through proxy. [Bug fix] Improved compatibility with Apache; "Require ip xxx" can bypass HTTP authentication. [Bug fix] Added support for "AddEncoding br ..." to avoid double compression. [Bug fix] Updated WebAdmin code to avoid some E_STRICT warnings. [Bug fix] Fixed server PUSH parsing problem when 'Link' header contains multiple URLs. === Build 3 === [Bug fix] Fixed an ACL bug occurring when environment variables are used in Allow/Deny configurations. [Bug fix] Fixed a request parser bug which caused the server to crash when a partition holding a temp file is out of space. [Bug fix] Fixed a cache engine bug that caused requests to certain URLs to hang. === Build 2 === [Bug fix] Fixed a regression in PHP daemon mode that causes 503 errors. === Build 1 === [Bug fix] Fixed an IP2Location configuration bug that could cause the server to crash during startup. [Bug fix] Fixed a bug with nested ESI subrequests that caused random crashes. === Build 0 === [Security] Added built-in filter to block attempts at hacking LiteMage with crafted ESI requests. [New Feature] lscmctl script can now be used to install/uninstall the LiteSpeed Web Cache Manager user-end plugin for cPanel. [New Feature] Recommend a plugin or broadcast a message to all discovered WordPress installations with the dash notify feature, available in both the lscmctl script and WHM plugin. [Improvement] Bundled WHM and user-end cPanel plugins have been updated to v3.3.1 and v1.2.0.2 respectively. [Improvement] Support request header sizes of up to 64K. [Improvement] Ignore configuration contexts. [Improvement] Added support for Apache configuration directive ""Require ip ..."". [Improvement] Improved lsup.sh with stable release tier. [Improvement] Improved rc-inst.sh to install systemd unit file for Plesk + Debain/Ubuntu. [Improvement] Improved NodeJS application compatibility and mod_passenger configuration handling. [Improvement] Added autoconfig for PHP 7.4. [Improvement] Improved compatibility with LSAPI 7.3 . [Improvement] Improved HPACK encoding performance. [Improvement] Cache engine now updates ""X-LiteSpeed-Cache-Control max-age"" value based on actual expire time when a front-end lscache proxy exists. [Improvement] Improved compatibility with Apache mod_security on variables REQUEST_BODY, REQUEST_FILENAME and LAST_UPDATE_TIME. [Improvement] Fixed PHP handler compatibility issues with Plesk's updated configuration template. [Improvement] Improved WordPress brute force detection IP logging. [Bug fix] Fixed an Apache SSL vhost SNI configuration bug. [Bug fix] Fixed a QuicEngine bug that could cause broken responses. [Bug fix] Fixed a cache + ESI engine bug that caused random server crashes. [Bug fix] Fixed rewrite engine infinite loop when rewrite map file is stored in an NFS mount. [Bug fix] Improved detached mode process manager to accurately stop detached processes when requested. [Bug Fix] Added User-Agent and Referer headers to server pushed requests to avoid failing possible checks in a user's custom configuration. [Bug Fix] Fixed FreeBSD 100% cpu usage for kqueue event loops when AIO logging is enabled. [Bug Fix] Fixed an SSL OCSP stapling bug. [Bug Fix] Fixed broken server restart when port offset had been set. [Bug Fix] Fixed a memory leak in the GeoIP module. ===== Version 5.3.7 ===== === Build 8 === [Bug Fix] Fixed a cache + ESI bug that could cause random crashes. [Bug Fix] Fixed a rewrite engine bug. [Bug Fix] Fixed a memory leak in the GeoIP module. [Bug Fix] Fixed a Plesk compatibility issue. === Build 7 === [Improvement] Better WordPress brute force detection IP logging. [Improvement] Allow request header sizes greater than 32K. [Improvement] Added PID to error log messages for worker processes. [Bug fix] Fixed a Ruby selector regression introduced in v5.3.7 build 3. [Bug fix] Fixed an SSL OCSP stapling bug. [Bug Fix] Fixed broken server restart when port offset had been set. === Build 6 === [New Feature] Added the ability to install/uninstall the LiteSpeed Web Cache Manager user-end plugin for cPanel using the lscmctl script. [Improvement] Fixed PHP handler compatibility issues with Plesk's updated configuration template. [Improvement] Improved LSAPI compatibility with LSAPI 7.3 . [Improvement] Improved HPACK encoding performance. [Improvement] Cache engine now updates X-LiteSpeed-Cache-Control max-age value based on actual expire time when a front-end lscache proxy exists. [Improvement] Natively configured detached PHP process groups are now gracefully restarted. === Build 5 === [New Feature] Recommend a plugin or broadcast a message to all discovered WordPress installations with the dash notify feature available in the lscmctl script and WHM plugin. [Improvement] Ignore configuration contexts. [Improvement] Added autoconfig for PHP 7.4. [Update] Updated WHM plugin to v3.3 and user-end cPanel plugin to v1.2. [Bug Fix] ESI engine bug fix. [Bug Fix] Fixed freeBSD 100% cpu usage for kqueue event loops. [Bug Fix] Fixed a detached mode process manager bug that accidentally killed other lshttpd worker processes. === Build 4 === [Improvement] Improved lsup.sh with stable tier. [Improvement] Improved NodeJS application compatibility and mod_passenger configuration handling. [Bug Fix] Fixed a bug in detached mode process manager that failed to stop running processes under certain server environments. [Bug Fix] Added User-Agent and Referer headers to server pushed requests to avoid failing possible checks in a user's custom configuration. [Bug Fix] Implemented mod_security REQUEST_BODY as a dedicate variable. === Build 3 === [Improvement] Improved rc-inst.sh to install systemd unit file for Plesk + Debain/Ubuntu. [Bug fix] Fixed an ESI engine memory management bug that caused random server crashes. [Bug fix] Fixed rewrite engine infinite loop when rewrite map file is stored in an NFS mount. === Build 2 === [Bug Fix] Fixed a detached mode process manager bug introduced in build 1. === Build 1 === [Security] Added built-in filter to block attempts to hack LitemMage with crafted ESI request. [Bug Fix] Fixed a detached mode process manager bug made killing other unrelated processes possible. [Bug Fix] Fixed an Apache SSL vhost SNI configuration bug. [Bug Fix] Fixed a QuicEngine bug that could cause broken responses. === Build 0 === [Security] Fixed a XSS vulnerability in directory auto index script. [Improvement] Improved QUIC transport protocol performance and reliability. [Improvement] Improved default configuration for servers with heavy disk I/O wait. [Improvement] Made IP based SSL SNI configuration exactly match Apache's. [Improvement] Made .rtreport symbolic links root owned to avoid LFD file warnings. [Improvement] Improved ESI support for JSON responses. [Improvement] Improved lsup.sh script to check build number against latest build. [Update] Updated bundled WHM plugin to v3.2.0.3 and user-end cPanel plugin to v1.1.1.2 to address an integration issue with the recent LSCWP release. [Bug Fix] Fixed a file descriptor leak in piped logger. [Bug Fix] Fixed a bug that prevented changing the Cache-Control or Expire headers within PHP. [Bug Fix] Fixed inaccurate real-time statistics. [Bug Fix] Fixed a rewrite engine compatibility issue. [Bug Fix] Fixed a regression in "Redirect" directive handling. [Bug Fix] Fixed a QUIC engine bug when handling extra long response headers. [Bug Fix] Fixed a regression that broke the "SetHandler" directive. [Bug fix] Fixed a rewrite engine bug where target URLs containing "../" could cause problems. [Bug fix] Fixed an external loop redirect detection bug. [Bug Fix] Fixed a mod_security bug stopping response headers from being logged to the audit_log. [Bug Fix] Fixed a mod_security engine bug that was mistakenly skipping some rules for POST requests. [Bug Fix] Fixed an ESI engine bug that broke detection for looping includes, causing the server to run out of memory. [Bug Fix] Increased logging for detach mode process manager. A forced lock release will now occur if a dead lock is detected when starting detach mode processes. [Bug Fix] Fixed systemd unit file lshttpd.service by requiring network-online.target. [Bug Fix] Allow xx.xx.xx.xx/32 as valid IP in ACL configuration. ===== Version 5.3.6 ===== === Build 6 === [Security] .rtreport no longer world readable. [Improvement] Improved QUIC transport protocol performance and reliability. [Improvement] Made IP based SSL SNI configuration exactly match Apache's. [Improvement] Made .rtreport symbolic links root owned to avoid LFD file warnings. [Bug Fix] Fixed inaccurate real-time statistics. === Build 5 === [Update] Updated bundled WHM plugin to v3.2.0.3 and user-end cPanel plugin to v1.1.1.2. [Improvement] Improved lsup.sh script to check build number against latest build. [Bug Fix] Fixed systemd unit file lshttpd.service, by requiring network-online.target. [Bug Fix] Allow xx.xx.xx.xx/32 as valid IP in ACL configuration. === Build 4 === [Update] Updated bundled WHM plugin to v3.2.0.2 and user-end cPanel plugin to v1.1.1.1 to address an integration issue with the recent LSCWP v2.9.3. [Bug Fix] Fixed a mod_security engine bug that was mistakenly skipping some rules for POST requests. [Bug Fix] Fixed an ESI engine bug that broke detection for looping includes, causing the server to run out of memory. [Bug Fix] Increased logging for detach mode process manager. A forced lock release will now occur if a dead lock is detected when starting detach mode processes. === Build 3 === [Improvement] Improved ESI support for JSON responses. [Bug fix] Fixed rewrite engine bug where target URLs containing "../" could cause problems. [Bug fix] Fixed an external loop redirect detection bug. [Bug Fix] Fixed a mod_security bug stopping response headers from being logged to the audit_log. === Build 2 === [Bug Fix] Fixed a regression that broke the "SetHandler" directive. [Bug Fix] OCSP cache directory now properly adjusted in chroot environments. === Build 1 === [Improvement] Improved default configuration for servers with heavy disk I/O wait. [Bug Fix] Fixed a rewrite engine compatibility issue. [Bug Fix] Fixed a regression in "Redirect" directive handling. [Bug Fix] Fixed a QUIC engine bug when handling extra long response headers. === Build 0 === [New Feature] lscmctl script can now be used to set custom server and virtual host cache roots with the 'setcacheroot' command. [Improvement] Added "ProxyPass"/"ProxyPassMatch" support for AJP backend. [Improvement] Added support for "IP:port" in "X-Forwarded-For" header. [Improvement] Reliably switch back to Apache in the case of a LiteSpeed licensing problem. [Improvement] Added back support for SecFilterEngine and SecFilterScanPOST directives for backward compatibility. [Update] Updated bundled WHM plugin to v3.2.0.1 and user-end cPanel plugin to v1.1.1. [Bug Fix] Fixed AddHandler directive behavior to be the same as AddType. [Bug Fix] Fixed an OCSP stapling bug that caused Mozilla connection issues. [Bug Fix] Stopped PHP from logging errors into the error log when stderr.log was disabled. [Bug Fix] Fixed a SecRemoteRule handling bug. [Bug Fix] Fixed a bug causing detached PHP processes to be stopped during graceful restarts, which may cause random 503 errors. [Bug Fix] Fixed a bug in processing GeoIP2 mmdb database. [Bug Fix] Fixed a bug introduced in v5.3.5 build 5 that broke cPanel/WHM's "redirect to closest matched domain" feature. [Bug Fix] Fixed cPanel two factor authentication. [Bug Fixes] Minor bug fixes involving Apache compatibility issues. ===== Version 5.3.5 ===== === Build 9 === [Bug Fix] Fixed a bug causing detached PHP processes to be stopped during graceful restarts. === Build 8 === [Bug Fix] Fixed an OCSP response verification bug (introduced in the previous build) that caused crashing. [Bugfix] Fixed a bug in processing GeoIP2 mmdb database. [Bugfix] Fixed a bug introduced in 5.3.5 build 5 that breaks cPanel/WHM redirect to closest matched domain feature. === Build 7 === [Enhancement] Added extra validation on OCSP response to avoid outdated response for newly renewed certificate. [Integration] Made LSWS compatible with Apache configuration generated by cPanel v78. [Bug Fix] Fixed AddHandler directive behavior to be the same as AddType. === Build 6 === [New Feature] Added "ProxyPass"/"ProxyPassMatch" support for AJP backend. [New Feature] Added support for "IP:port" in "X-Forwarded-For" header. [Improvement] Detached PHP processes are now detected and restarted more reliably. [Bug Fix] Applied a SecRemoteRules fix to avoid rule file corruption. [Bug Fix] Fixed a bug that could cause a blank response body for pre-compressed content. === Build 5 === [Update] Updated default welcome page content. [Bug Fix] Fixed a SecRemoteRule handling bug. [Bug Fix] Fixed a bug causing detached mode PHP processes to log PHP stderr messages to the server's error log file. [Bug Fix] Fixed an awstats integration bug that broke dynamic page generation mode. [Bug Fix] Fixed an infinite loop bug that occurred with badly configured contexts. === Build 4 === [Improvement] Reliably switch back to Apache when there is a LiteSpeed licensing problem. [Improvement] Added back support for SecFilterEngine and SecFilterScanPOST directives for backward compatibility. [Bug Fix] Stopped PHP error logging into error log when stderr.log is disabled. === Build 3 === [Bug Fix] Fixed a bug that causes excessive requests to OSCP responder. [Bug Fix] Fixed a bug that failed to handle some types of Node.js selector configurations. [Bug Fix] Fixed a bug that failed cPanel two factor authentication. [Bug Fix] Fixed a bug in LiteMage combined subrequest handling. === Build 0 === [Improvement] Improvements to HTTP/2, QUIC, and rewrite engine. [Bug Fix] HTTP/2, QUIC, and rewrite engine bug fixes. [Bug Fix] Fixed mod_security engine not handling skipAfter properly in the `SecAction` directive. [Bug Fix] Fixed server failing to automatically fix cache directory permission problems. ===== Version 5.3.4 ===== === Build 8 === [Bug Fix] Fixed a rewrite engine bug introduced in 5.3.4 build 7, which could cause ERR_SPDY_PROTOCOL_ERROR and redirect problems. === Build 7 === [Improvement] Improved mod_rewrite compatibility. [Improvement] Improved QUIC engine by dynamically adjust batch size of outgoing packets. === Build 5 === [Improvement] Improved PHP process abort feature to occur in a more timely manner. [Bug Fix] Fixed an HTTP/2 engine bug that caused connections to reset under certain situations. === Build 4 === [Improvement] Improved mod_security engine with UNIQUE_ID support. [Update] Disabled 503 auto fix by default. [Bug Fix] Fixed an SSL OCSP stapling bug. [Bug Fix] Fixed memory and resource leaks. [Bug Fix] Fixed incompatible behavior with Python selector support. [Bug Fix] Fixed a license information display bug in WebAdmin Console. === Build 2 === [Improvement] Improved compatibility for WebCache manager. [Bug Fix] This build include a fix for gQUIC v044 support === Build 1 === [Improvement] Improved NODEJS support. [Improvement] Detect curl + HTTP/2 combination and disable HTTP/2 for future access. [Update] Updated WHM plugin to v3.1.3.2 to address a compatibility issue with newer versions of the LSCWP plugin. [Update] Updated cPanel user-end plugin to v1.0.2.1 to address a compatibility issue with newer versions of the LSCWP plugin. === Build 0 === [MAJOR NEW FEATURE] Added support for Google QUIC v44. [NEW FEATURE] Improved Ruby/Python selector support and apply engine version changes on the fly. [NEW FEATURE] Allow overriding external application environment at vhost level. [NEW FEATURE] Log HTTP/2 in access log for HTTP/2 connection. [NEW FEATURE] Auto detect and use cPanel signed certificate for WebAdmin. [NEW FEATURE] Auto correct bad HTTPS proxy backend configured as HTTP. [IMPROVEMENT] Improved compatibility with ColdFusion engine. [UPDATE] Updated bundled WHM plugin to v3.1.3.1 [UPDATE] Updated bundled cPanel user-end plugin to v1.0.2. [BUGFIX] Fixed mod_security engine compatibility issue with latest COMODO ruleset. [BUGFIX] Added "Accept-Range: bytes" header back for static files. [BUGFIX] Fixed bug in rewrite engine loop redirection detection. ===== Version 5.3.3 ===== === Build 3 === [Bug Fix] Fixed a mod_security engine bug that caused incorrect behavior with the comodo ruleset. === Build 2 === [Bug Fix] Made adjustments to PHP handler configuration to fix broken PHP selector. [Bug Fix] Fixed a memory leak in HTTP/2. [Bug Fix] Fixed a crash when parsing Apache configuration. === Build 0 === [Bug Fix] Emergency release to ignore faulty rewrite rule introduced by cPanel