NGINX agent releases
v3.6.4
2023-01-12
Fixed
- We added support for the latest version of Openresty.
v3.6.3
2023-01-06
Fixed
- We fixed some incompatibilities with our Openresty agent releases.
v3.6.2
2022-12-21
New
- Support for Openresty on Alpine 3.13 and 3.15.
v3.6.1
2022-09-26
New
- We improved the performance of the internal agent.
Fixed
- We fixed a bug introduced in 3.6.0. The agent now correctly receives policy updates after updating denylisted IPs addresses.
v3.6.0
2022-08-08
New
- The agent now supports IP blocking by country, see the ip groups page for more details.
- An additional new feature has been retroactively added to v3.2.0.
v3.5.1
2022-06-29
Fixed
- Openresty endpoints using the
ngx.location.capture
API no longer segfault.
v3.5.0
2022-06-29
New
- An AMI is now available for the tCell NGINX agent. If you already have a web app running in AWS you can quickly and easily protect your web application hosted in AWS with tCell's AMI. For more information, see our documentation.
2022-04-14
New
- Now supports inspecting multipart form-data. For more information on working with multipart form-data, see server agent options.
- JS Agent Subresource Integrity (SRI) support
- Support for NGINX v1.20.1 and v1.21.6 on CentOS 7
v3.4.0
2022-02-08
Fixed
- The agent would stop sending events after an extended period of time or after heavy load.
- Memory leak was noticeable after several days of uptime.
New
use_native_certs
configuration property and matchingTCELL_AGENT_USE_NATIVE_CERTS
environment variable. This property causes the agent to use TLS certificates stored on the system in addition to our own baked-in collection of certificates. This allows the agent to use certificates installed from a custom certificate authority.
v3.3.2
2022-01-25
Fixed
- Fixed agent crashing while parsing certain cookies.
- Updated build tools to address security vulnerability CVE-2022-21658.
v3.3.1
2021-12-31
Fixed
- The agent now uses the actual
reverse_proxy
configuration value, instead of always assuming it istrue
. Thereverse_proxy
value now defaults tofalse
.
You must explicitly set your agent'sreverse_proxy
value totrue
to have it use theX-Forwarded-For
header to determine the remote IP address.
Custom NGINX Agent
2021-11-29
New
- Custom NGINX Agent builds. Build your own tCell NGINX agent leveraging the provided source and build procedure. For more information, see Build a custom NGINX agent.
Fixed
- 403 responses generated by the agent no longer inject the JavaScript agent into the response page.
v3.3.0
2021-11-17
New
- The tCell module source is now available, allowing you to compile your own version of the tCell module with custom flags in both Musl and GLibc based build environments. Currently, this feature only supports X86_64 architectures.
3.2.3
2021-09-24
New
- Leverage the Rapid7 Collector as a proxy for tCell. With a Rapid7 collector as a proxy, tCell can leverage the same Rapid7 collector used by other Rapid7 products in the organization to communicate data to Rapid7. This is especially helpful if your organization requires a single outbound connection from their environment to the Insight Platform. The Rapid7 Collector can serve as a proxy for tCell to:
- Reduce the manual IP allow listing.
- Improve flexibility in locking down the network.
- Improve network and data security in communications with Rapid7.
For more information, see Using the Rapid7 Collector as a proxy for tCell.
CentOS 6.0 End-of-Life Announcement
As of December 31, 2021, Rapid7 will End-of-Life (EOL) tCell Agents on CentOS 6.0. The Agent documentation and support requirements will reflect this change at the same time. See the CentOS end-of-life announcement to see if you are affected and what actions you can take.
v3.2.2
2021-09-24
New
- Support for NGINX Version 1.16.1 on CentOS 7
- Compatible with Amazon Linux 2
v3.2.1
2021-09-04
Deprecations
- Removed Centos 6 support.
New
- HTTPS proxies for Input and Policy APIs. You can now use an HTTPS proxy for the Input and Policy APIs by populating the proxy_url, proxy_username, and proxy_password in the agent configuration file.
Fixed
- URIs reported by the application would not include the hostname or protocol.
- The agent would not add CSP headers to certain JSON responses.
- Requests to non-whitelisted URLs would not result in redirect.
- JS tags would not be injected into pages with complex head tags.
- Some Sec-CH-UA header values could cause false positive XSS events.
- Some Sec-CH-UA header values could cause false positive SQL injection events.
- Some multipart Content-Type header values could cause false positive XSS events.
- Certain IPv6 addresses were erroneously interpreted as blacklisted.
- Dot notation in App Firewall Blocking Rules JSON parameters was not parsed correctly, which impacted policy enforcement.
v3.2.0
2021-08-23
- An erroneous port 0 was being added to some URIs.
- Many 4xx and 5xx response code events were never being emitted.
- User agent empty events are now sent where appropriate, and without an accompanying "not_applicable" user agent.
- Certain IPv6 addresses were erroneously interpreted as blacklisted.
- Dot notation in App Firewall Blocking Rules JSON parameters was not parsed correctly, which impacted policy enforcement.
- Appfirewall inspection is no longer run on blocked requests.
v3.1.3
2021-02-12
Fixed
- We fixed a binary incompatibility issue between the NGINX agent and the ubuntu:xenial "nginx-extras" package for NGINX v1.10.3.
v3.1.2
2021-02-01
Fixed
- We fixed an issue where the agent crashed OpenResty on a lua ngx.redirect.
v3.1.1
2020-12-15
New
- We added a custom build configuration to support OpenResty version 1.17.8.2.
v3.1.0
2020-11-20
New
- We added support for Classless Inter-Domain Routing (CIDR) filters in app firewall configurations.
Fixed
- We fixed an issue where the agent failed to parse configuration files in UTF-8 BOM format.
- We fixed an issue where log messages near the beginning of the agent lifecycle were missing.
- We improved agent recovery when attempting to apply a corrupted policy.
v3.0.8
2020-10-30
New
- Added support for NGINX 1.18.0 build from ubuntu bionic Nginx Launchpad PPA.
v3.0.7
2020-10-29
New
- Added support for additional custom builds.
v3.0.6
2020-10-19
Minimum Recommended Version
For the NGINX Agent Version 3, we recommend using v3.0.6 or higher.
New
- Improved logging.
Fixed
- Addressed a worker crash on Openresty.
- Agent seg faults on sighup or nginx -s reload or openresty -s reload.
v3.0.3
2020-09-22
New
- Build against openresty source instead of nginx source for openresty agents.
- Fixed segfault when running against openresty with TCELL_ environment variables.
v3.0.1
2020-08-10
New
- Reverted back to version 3.0.0 logging changes. Logging now defaults to NGINX's previous non-rolling file behavior.
- Added a new config option to enable log rolling.
Fixed
- Fixed a bug in version 3.0.0 where the NGINX agent failed to start if TCELL_AGENT_HOME was not set.
v3.0.0
2020-08-10
New
- Output file logging now rolls over. When the log file reaches 1MB, it starts a new log file, keeping the previous one. We keep up to a maximum of 10 log files.
- Added a new configuration option, TCELL_AGENT_LOG_FILE_MAX_SIZE_MB, which configures the log file rollover size. Note that the number of saved logs is not configurable.
Fixed
- Fixed a bug where redirects were not blocked for certain URLs. *Fixed a bug where NGINX reported the request size as larger than its actual size.
v2.3.4
2020-08-07
New
- Added builds for the latest Nginx-branded docker builds to support the official release of Nginx 1.19.1 on Debian and Alpine
v2.3.3
2020-08-07
New
- Added support for additional custom builds
v2.3.2
2020-08-07
New
- Added support for additional custom builds
v2.3.1
2020-05-21
New
- Added Ubuntu Bionic NGINX 1.16.1 PPA compatible build.
Fixed
- Fixed an issue when processing CIDR blocks for App Firewall Blocking requests. The blocking rules were sometimes not applied properly.
- Fixed an issue where the agent logic for sending events did not properly handle remote tCell cloud network resets. This sometimes caused the agent to stop sending events for long periods of time.
v2.3.0
2020-04-21
New
- Enhanced the performance and scalability of processing requests when the App Firewall Blocking policy contains large numbers of IP Addresses.
- Enhanced the agent’s event sending logic to break large requests into smaller parts, increasing the scalability of the communication between the agent and cloud.
- Added support for NGINX versions 1.17.6 and above.
- Added support for
TCELL_AGENT_SERVER_HEADER_OFF
environment variable. This allows one to, based on environment configuration, strip out theServer
HTTP response header. The prebuilt NGINX docker image will, by default, also have this environment variable set totrue
.
Fixed
- Fixed a bug when applying App Firewall Blocking rules and the request has an empty client IP address, the agent incorrectly blocked requests sometimes.
v2.2.5
2020-04-09
Fixed
- Made agent handle nil strings more robustly.
- Fixed an issue where we were not properly handling configuration where the agent has location specific Application ID configured for some locations but not all. In that situation, we will now properly use the default Application ID.
v2.2.4
2020-03-31
New
- Added support for additional custom build.
v2.2.3
2020-03-31
New
- Added support for additional custom build.
v2.2.2
2020-02-13
New
- Improved the docker image based deployment
v2.2.1
2020-01-17
Fixed
- Fixed an issue with agent not interpreting environment variable value "1" as "true"
v2.2.0
2020-01-14
New
- Added support to configure agent completely by environment variables
- Added support for docker image based deployment
v2.1.3
2019-12-09
New
- Additional custom builds
v2.1.1
2019-11-08
New
- Additional custom builds
- Enhanced logging about environment
- Additional Environment variable support to customize logging; See https://docs.rapid7.com/tcell/server-agent-options for details on how to use.
Fixed
- Fixed a situation where agent runtime would not handle certain POST/PUT payloads correctly when deployed within an openresty environment.
- Fixed inspect_json_posts config option handling.
v2.0.5
2019-10-20
New
- Additional custom builds.
- Do more robust agent configuration structure validation and error handling on startup .
Fixed
- Fixed various issues handling X-Forward-For header.
- Fixed diagnostic logging statements that were incorrectly categorized as warnings.
- Upgraded third party library which had security vulnerability.
- Fixed a bug in policy polling to handle noop changes more robustly.
- Fixed a bug where determining when to rotate log files was sometimes not handled correctly.
- Fixed a bug in handle http redirect policies.
- Made some internal event sending changes that allow the agent to handle large numbers of events more robustly.
- Upgrade rust tool used by agent to avoid security vulnerability.
v2.0.3
2019-05-27
Fixed
- Fixed an issue where sometimes events were not properly processed and sent to backend cloud
v2.0.2
2019-05-26
New
- Add additional custom builds
v1.2.1
2018-10-9
New
- Support for Alpine Linux 3.7 and 3.8
- Support for JSAgent path exclusion
Fixed
- Improve calculation algorithm used when determining request size, thus making "reqsz" appsensor events more accurate.
v1.1.2
2018-08-07
New
- Added support for clickjacking feature in the agent. For more information on configuring and enabling clickjacking, see this help article.
- Starting with 1.1.2, NGINX Agent uses RustTLS for TLS encryption. It should be noted that the agent only makes outbound connections, and does not act as a server. Root certificate validation of tCell servers is configured by using standard Mozilla root certificates. For more information, see https://docs.rs/rustls/0.13.0/rustls/.
Fixed
- Fixed an issue where sometimes the Application Firewall event data sent to the cloud had incorrect remote IP address information.
v1.1.0
2018-06-13
Fixed
- Fixed a problem where negative values in request Content-Length headers were not correctly handled, leading to incorrect reporting of request sizes.
- Fixed a problem where certain binary payloads could result in an agent crash with a message similar to
.. panicked at called Result::unwrap() on an Err value: Utf8Error ...
sent to stderr of the nginx process.
v1.0.8
2018-05-30
Fixed
- Fixed a problem where client IP addresses provided to Nginx via X-Forwarded-For were not used in all events communicated to the service. In some cases, the socket address was used. Now, if the agent is configured to support a client-IP header, it will be used for all events.
v1.0.7
2018-05-09
Fixed
- Resolved a problem with Javascript Agent (jsagent) automatic insertion affecting agents version 1.0.4 through 1.0.6. When jsagent insertion was enabled, the tag could be absent from the returned html document.
v1.0.6
2018-04-25
Fixed
- Addressed a compatibility problem with NGINX 1.10.3 on Amazon Linux.
v1.0.5
2018-04-19
Fixed
- Fixed a problem where agent-added CSP headers could overwrite (replace) CSP headers provided previously by an appserver response or another NGINX mechanism. CSP Headers are
v1.0.4
2018-04-18
New
- Added a docker example for containerized deployment.
- Added builds specific to Amazon Linux
v1.0.1
2018-02-13
New
- Fixed some cases where reported block events did not have all fields
- Fixed cases where blocking rules might not be applied when they included client IP requirements and the client IP was determined via the X-Forwarded-For header
v1.0.0
2018-02-09
New
- Added support for sophisticated blocking rules based on combinations of route, path, client IP, parameters, as well as the values for parameters.
- Pattern definitions for sensors are now service-defined, so fixes to patterns can reach agents without update.
v0.4.0
2017-10-13
Improved
- NGINX Agent released! The NGINX Agent is a Web Server Agent (WSA) and provides protections by monitoring http/s requests and responses passed through an NGINX proxy.
- NGINX versions 1.10.00 and above downloaded from official apt/yum repo are supported by the current WSA. Custom compiled versions of NGINX may require a custom build of WSA