
Releases: tempesta-tech/tempesta

Tempesta FW 0.8.2

02 Oct 14:20

The full list of changes:

  • Fix use after free from KASAN (#2502)
  • Fix missing logs during the first second of application startup for TFW logger (#2314)
  • Thrash results in Clickhouse access log (#2437)
  • Fix write size of response_content_length in mmap access log (#2515)
  • Fix FPU state corruption (#2461)
  • Fix bug if stale response build fails (#2492)
  • Fix using uninitialized spinlock (#2499)

Installation

Use installation manual

Tempesta FW 0.8.1

13 Aug 21:34
ed730df

The main features of the release:

  • Security-by-default configuration
  • DDoS Mitigation of Rapid-Reset Attack
  • Improved efficiency
  • Bug fixes

Installation

Use installation manual

The full list of changes

  • Security-by-default configuration (#2451)
  • Rapid-reset attack mitigation (#2439)
  • Fixed parsing of unknown HTTP methods (#2362)
  • Fixed bug when moving chunked body during response building (#2471)
  • Fixed check for SKB coalescing capability (#2471)
  • Fix HTTP message fragmentation bug (#2471)
  • Hardening HTTP method verification in HTTP/2 (#2362)
  • Crash on WINDOW_UPDATE HTTP/2 frames (#2443)
  • Crash on application monitoring (#2424)
  • Several bugs in HTTP/2 HPACK code
  • Fix bugs in HTTP message transformation involving TfwPool
  • Fix double Age header (#2402)
  • Crash on health monitoring (#2373)

Tempesta FW 0.8.0

13 Mar 12:49

The main features of the release are:

Installation

Use installation manual

The full list of changes

  • Add Expect: 100-continue support
  • Add cache_use_stale directive
  • Add ja5h and ja5t filtering, configuration, access log
  • Add tfw_logger for access_Log with Clickhouse
  • Add server address to warning/debug messages.
  • Add tls certificate date validation
  • Add support of Cache-Control: stale-if-error
  • Add response with 308 status code to heuristically cacheable
  • Add CRLF filter.
  • Add reference to a paper about ECDSA nonce attack
  • Add CamelCase type name check
  • Add check for duplicate options in config
  • Add global Tempesta FW percentiles statistics.
  • Remove client from tdb
  • Remove lower limit of reconnection attempts.
  • Remove timeout option for sticky cookie
  • Remove redirect mark from Tempesta
  • Remove delay_limit JS challenge option
  • Rename: connection_rate -> tcp_connection_rate, connection_burst -> tcp_connection_burst, concurrent_connections -> concurrent_tcp_connections
  • Properly abort server connection for stale response
  • Mark proxy-connection header as hop-by-hop in case of segmentation
  • Drop HEAD and GET requests with body and trailers
  • Get rid of per-cpu buffer g_te_buf
  • Mark 'Keep-Alive' header as hop-by-hop
  • Immediately stop processing for closing connection
  • Use appropriate node for stale response
  • Do cache PURGE with respect to NUMA mode
  • Don't cache set-cookie header
  • Do not add Content-Length header for HTTP2 responses
  • tdb: Add simple global freelist
  • Forbid duplicated stale-if-error in response
  • Don't send stale response in case of frang block
  • Change TDB version to 0.2.0
  • Store in the cache only single record
  • Rewrite HEAD method to GET for cache
  • Clear socket write queue and send RST if connection is dropped
  • Catch malformed HM response.
  • Update cpu-node map allocation
  • Handle HTTPS/1 and HTTP/2 on the same port
  • Don't cache nonidempotent GET and HEAD requests
  • Invalidate stored responses.
  • Cache only methods according to RFC 9110.
  • Restrict range of possible JS challenge response statuses
  • Drop request sock when frang blocks a new connection
  • http_hdr_len and http_hdr_cnt were made only global because they are checked earlier than vhost is determined.
  • Use response to a GET request to satisfy HEAD request
  • Reset closing flags in st_flags field
  • Close socket after sending TLS_ALERT
  • Introduce default server response statistics for HTTP code 200.
  • Introduce 'health_stat', 'health_stat_server' directive.
  • Cut port from authority when lookup vhost
  • Block all malformed requests.

Known issues

The list of crucial bugs is available here.

Tempesta FW 0.7.1

04 Apr 19:33
f55c930

Installation

Use installation manual

New features

  • CVE-2024-2758: HTTP limits: Changed default settings to more strict
  • Implement max_concurrent_streams limitation
  • Implement http limits for request headers
  • Frang: fix parsing of request method with TCP segmentation
  • Fix unlimited body parsing and add body iterator
  • Fix of CCM tls encryption and decryption
  • Fix of infinite loop in chunked body (HTTP/2)
  • Fix race with using parser fields
  • Fix HTTP/2 headers name confusion
  • Fix GPF when skb reused
  • Fix of changing http2 window size
  • Fix BUG_ON in tdb_htrie_descen
  • Rewrite tfw_hpack_node_compare to make it clean & fast
  • Fix incorrect server connection reference counter
  • Hide "Te" header from HTTP/1.x backend when proxying response over HTTP/2.

Tempesta-fw 0.7.0

04 Jul 18:30
e64ce6e

Installation

Use installation script:

git clone https://github.com/tempesta-tech/tempesta.git
tempesta/pkg/scripts/tempesta_installer.sh --install

Start tempesta:

systemctl restart tempesta-fw

Check that it works properly:

systemctl status tempesta-fw

Watch logs:

journalctl -u tempesta-fw

Tail logs:

journalctl -u tempesta-fw -f

New features

  • HTTP/2 is now supported for the server side
  • Websockets
  • Significantly improved TLS handshakes performance
  • TLS sessions resumption
  • SAN TLS certificates
  • Custom HTTP redirects
  • Per-vhost listening addresses and TLS configuration
  • Access log
  • include configuration option
  • Caching by Cookie header value
  • Cache behavior tuning (new options cache_control_ignore and cache_resp_hdr_del)
  • Automatic Platform Optimization with a new header X-Tempesta-Cache for PURGE method
  • Sticky cookies load balancing

Known issues

  • No Tempesta DB removal and eviction (web cache overflow is possible)
  • No HTTP/2 streams prioritization
  • Several bugs

Full Changelog: https://github.com/tempesta-tech/tempesta/commits/ubuntu-20/0.7.0

Tempesta FW release 0.6.8

04 Mar 08:46
7c6285d

Tempesta FW is an all-in-one solution for high performance web content delivery and advanced protection against DDoS and web attacks.

You can download the Tempesta FW software by clicking here: tempesta-fw-dkms_0.6.8_amd64.deb.

The required kernel build for Ubuntu 20 LTS Kernel 5.10.35+ is available at https://github.com/tempesta-tech/linux-5.10.35-tfw/releases/tag/ubuntu-20%2F5.10.35%2B

Release 0.6.7

25 Jun 18:39
937b69c

DKMS module for Tempesta patched kernel.

Install instructions are available on project's Wiki.

Dependencies:

  • dkms (>= 2.1.0.0),
  • libboost-dev,
  • libboost-program-options-dev,
  • kdump-tools

Changes since previous release (0.6.6):

  • Fix issues when starting Tempesta via systemd (#1420).

Known issues:

  • Slow TLS PK algorithms
  • No TempestaDB eviction & removal
  • Several bugs: [To be checked and filled]

Release 0.6.6

10 Jun 06:19
2877ee7
Pre-release

DKMS module for Tempesta patched kernel.

Install instructions are available on project's Wiki.

Dependencies:

  • dkms (>= 2.1.0.0),
  • libboost-dev,
  • libboost-program-options-dev,
  • kdump-tools

Changes since previous release (0.6.2):

  • Multiple TLS fixes:
  • Fix parsing of an empty extension if it comes last in ClientHello.
  • Fix cached data corruption during encryption.
  • Close the connection on errors during TLS handshake stage.
  • Fix decryption of large records spanning multiple skb's.
  • Verify ClientHello extension lengths before trying to read their data.
  • Fix the deadlock caused by the error reporting during handshake stage.
  • Handle ciphertexts larger than 16384 bytes.
  • Fix TCP sequence numbering when working with fast same-host backends.
  • Handle enormous ciphersuite lists in ClientHello messages.
  • Fix crashes on server-client ciphersuite mismatch.
  • Fix crashes on TLS handshakes utilizing SHA384.
  • Fix crashes on heavily fragmented TLS handshakes.
  • Fix crashes on premature handshake termination from a client.
  • Decrease TLS handshake context a bit.

Changes:

  • TempestaTLS 0.2 (tight TCP integration, fast handshake FSM)
  • HTTPtables
  • Sticky cookie extension for L7 DDoS mitigation
  • Multiple HTTP limiting extensions
  • SIMD memory functions
  • Temporal client accounting
  • Multiple bugfixes

Known issues:

  • Slow TLS PK algorithms
  • No TempestaDB eviction & removal
  • Several bugs: [To be checked and filled]

Release 0.6.2

29 Mar 19:57
85905e9

DKMS module for Tempesta patched kernel.

Install instructions are available on project's Wiki.

Dependencies:

  • dkms (>= 2.1.0.0),
  • libboost-dev,
  • libboost-program-options-dev,
  • kdump-tools

Changes since previous release (0.6.1):

  • TempestaTLS 0.2 (tight TCP integration, fast handshake FSM)
  • HTTPtables
  • Sticky cookie extension for L7 DDoS mitigation
  • Multiple HTTP limiting extensions
  • SIMD memory functions
  • Temporal client accounting
  • Multiple bugfixes

Known issues:

Release 0.5.4 Alpha

28 Sep 09:15
871200e
Pre-release

DKMS module for Tempesta patched kernel.

Install instructions are available on project's Wiki.

Dependencies:

  • dkms (>= 2.1.0.0),
  • libboost-dev,
  • libboost-program-options-dev,
  • kdump-tools

Changes since previous release (0.5.3):

  • Fix #1066: fix broken items sequence in the work queue w/ backlog
  • Remove functional tests from package

Known issues:

  • Memory leaks in TLS (#614).