Log Message:
anubis: update to 1.18.0

v1.18.0: Varis zos Galvus

The big ticket feature in this release is CEL expression matching
support. This allows you to tailor your approach for the individual
services you are protecting.

These can be as simple as:

- name: allow-api-requests
  action: ALLOW
  expression:
    all:
      - '"Accept" in headers'
      - 'headers["Accept"] == "application/json"'
      - 'path.startsWith("/api/")'

Or as complicated as:

- name: allow-git-clients
  action: ALLOW
  expression:
    all:
      - >-
        (
          userAgent.startsWith("git/") ||
          userAgent.contains("libgit") ||
          userAgent.startsWith("go-git") ||
          userAgent.startsWith("JGit/") ||
          userAgent.startsWith("JGit-")
        )
      - '"Git-Protocol" in headers'
      - headers["Git-Protocol"] == "version=2"

The docs have more information.  This is a simple, lovable, and complete
implementation of this feature so that administrators can get hacking
ASAP.

Other changes:

-   Use CSS variables to deduplicate styles
-   Fixed native packages not containing the stdlib and botPolicies.yaml
-   Change import syntax to allow multi-level imports
-   Changed the startup logging to use JSON formatting as all the other
    logs do.
-   Added the ability to do expression matching with CEL
-   Add a warning for clients that don't store cookies
-   Disable Open Graph passthrough by default
-   Clarify the license of the mascot images
-   Started Suppressing 'Context canceled' errors from http in the logs

v1.17.0: Asahi sas Brutus

v.1.17.0 is a rather large release. This kind of giant feature release
will not happen again as this has caused significant problems with
testing in various configurations. Automated testing is being worked on
but I have nothing to report yet.

Big-ticket features include but are not limited to:

-   Configuration can be in YAML or JSON
-   Configuration snippets can be imported from the default library or
    anywhere on the filesystem
-   Default rules now flag "Opera" after seeing an attack in the wild
    that does that
-   Many documentation and build script fixes
-   AI-robots.txt rules are added to the default config to stop the
    worst offenders that care to identify themselves
-   Apache, Nginx, and Traefik have gotten documentation
-   Users can match by headers as well as user agents or paths
-   Internal refactoring to make Anubis faster and easier to maintain
-   "Secondary screening" has been removed to give a more consistent
    user experience
-   The Internet Archive is allowlisted by default
-   X-Forwarded-For header calculation should be a bit better
-   Subpath support (run anubis on /git)
-   Many implicit things have been documented