Subject: CVS commit: pkgsrc/www/anubis
From: Benny Siegert
Date: 2025-05-13 19:33:14
Message id: 20250513173314.EE490FBE3@cvs.NetBSD.org
Log Message:
anubis: update to 1.18.0
v1.18.0: Varis zos Galvus
The big ticket feature in this release is CEL expression matching
support. This allows you to tailor your approach for the individual
services you are protecting.
These can be as simple as:
- name: allow-api-requests
  action: ALLOW
  expression:
    all:
      - '"Accept" in headers'
      - 'headers["Accept"] == "application/json"'
      - 'path.startsWith("/api/")'
Or as complicated as:
- name: allow-git-clients
  action: ALLOW
  expression:
    all:
      - >-
        (
          userAgent.startsWith("git/") ||
          userAgent.contains("libgit") ||
          userAgent.startsWith("go-git") ||
          userAgent.startsWith("JGit/") ||
          userAgent.startsWith("JGit-")
        )
      - '"Git-Protocol" in headers'
      - headers["Git-Protocol"] == "version=2"
The docs have more information. This is a simple, lovable, and complete
implementation of this feature so that administrators can get hacking
ASAP.
Other changes:
- Use CSS variables to deduplicate styles
- Fixed native packages not containing the stdlib and botPolicies.yaml
- Change import syntax to allow multi-level imports
- Changed the startup logging to use JSON formatting as all the other
logs do.
- Added the ability to do expression matching with CEL
- Add a warning for clients that don't store cookies
- Disable Open Graph passthrough by default
- Clarify the license of the mascot images
- Started suppressing 'Context canceled' errors from http in the logs
v1.17.0: Asahi sas Brutus
v1.17.0 is a rather large release. This kind of giant feature release
will not happen again as this has caused significant problems with
testing in various configurations. Automated testing is being worked on
but I have nothing to report yet.
Big-ticket features include but are not limited to:
- Configuration can be in YAML or JSON
- Configuration snippets can be imported from the default library or
anywhere on the filesystem
- Default rules now flag "Opera" after seeing an attack in the wild
that does that
- Many documentation and build script fixes
- AI-robots.txt rules are added to the default config to stop the
worst offenders that care to identify themselves
- Apache, Nginx, and Traefik have gotten documentation
- Users can match by headers as well as user agents or paths
- Internal refactoring to make Anubis faster and easier to maintain
- "Secondary screening" has been removed to give a more consistent
user experience
- The Internet Archive is allowlisted by default
- X-Forwarded-For header calculation should be a bit better
- Subpath support (run anubis on /git)
- Many implicit things have been documented
Files: