v1.26.0-pre1

Sorry it's been so long between releases. Recovering from surgery sucks.

This release's title will be Papalymo Totolymo.

• Patch GHSA-6wcg-mqvh-fcvg by containing subrequest logic to Anubis instances in subrequest mode.
• Implement robot9001 style delays on the honeypot feature so that the first hit takes 1 millisecond, the second takes 2, etc.
• Move metrics server configuration to the policy file.
• Expose pprof endpoints on the metrics listener to enable profiling Anubis in production.
• fix: prevent nil pointer panic in challenge validation when threshold rules match during PassChallenge (#1463)
• Instruct reverse proxies to not cache error pages.
• Fixed mixed tab/space indentation in Caddy documentation code block
• Improve error messages and fix broken REDIRECT_DOMAINS link in docs (#1193)
• Add Bulgarian locale (#1394)
• Fixed case-sensitivity mismatch in geoipchecker.go
• Use Go's native version stamping instead of a handrolled variant.
• Fix CEL internal errors when iterating headers/query map wrappers by implementing map iterators for HTTPHeaders and URLValues (#1465).
• Enable metrics serving via TLS, including mutual TLS (mTLS).
• Enable HTTP basic auth for the metrics server.
• Fix a bug in the dataset poisoning maze that could allow denial of service #1580.
• Add config option to add ASN to logs/metrics.
• Log weight when issuing challenge.
• Block x.ai's crawler for code review training.
• Gate pprof endpoints behind metrics.debug in the policy file.
• Limit naive honeypot r9k delay to one second.
• Fix an obscure case where adding query values to a subrequest match could cause an invalid rule match when using path based matching for protected resources.
• Anubis now requires Go 1.26 to build.
• Fix an edge case where load average expression values could nil pointer dereference when Anubis just started up.
• Fix an obscure case where Anubis in subrequest mode could allow redirects to invalid domains with strange instructions.
• Fix path_regex and CEL path rules not matching when using Traefik forwardAuth middleware. Anubis now checks X-Forwarded-Uri (Traefik) in addition to X-Original-URI (nginx) when resolving the request path in subrequest mode (#1628).
• Validate bounds in the CEL randInt helper so non-positive or platform-overflowing arguments surface a typed CEL error instead of an evaluator panic.
• Fix a race in the bbolt store where the asynchronous cleanup scheduled by an expired read could delete a value that had just been refreshed; the delete now only fires when the key still carries the same expired generation it observed.
• Marginally increase the performances of requests processing
• Marginally improve the performances of PoW validation
• Marginally improve the performances of challenges generation/display
• Significantly improve the performances of the gzip middleware
• Significantly improve the performances of the PoW validation
• Add trimpath option to artifact builds
• Add COOKIE_HTTP_ONLY option to set the HttpOnly flag on Anubis cookies
• Improve the performances of rules validation
• Only compute the JA4H fingerprint when a policy references the X-Http-Fingerprint-JA4H header, taking it off the hot path for configurations that don't use it (#834).
• Migrate the target reverse proxy off the deprecated httputil.ReverseProxy.Director to Rewrite for Go 1.26 compatibility, preserving the inbound Host and X-Forwarded-*/Forwarded headers.

What's Changed

• docs(admin/policy): document ReadWritePaths for logging to files by @Xe in #1469
• docs: fix mixed tab/space indentation in Caddy config example by @pzhlkj6612 in #1506
• ci: purge govulncheck, it's less signal than i hoped by @Xe in #1515
• feat(http): set "Cache-Control: no-store" on error responses by @gucci-on-fleek in #1474
• docs(known-instances): Add missing one. by @p0008874 in #1500
• chore(l10n): update French translation by @HarmfulBreeze in #1496
• docs: remove developer/code-quality by @gucci-on-fleek in #1475
• build(deps): bump the github-actions group across 1 directory with 11 updates by @dependabot[bot] in #1516
• build(deps): bump the npm group across 1 directory with 6 updates by @dependabot[bot] in #1512
• chore: gofix by @JasonLovesDoggo in #1466
• fix: nil deref when solve request lands on a different DIFFICULTY than the original req by @JasonLovesDoggo in #1467
• feat(docs): Add instructions on using Anubis with envoy-gateway by @fhoekstra in #1460
• feat(docs): Update HAProxy Advanced Variant documentation by @rozmansi in #1521
• feat(data): add Citoid to good bots list by @mvolz in #1524
• docs(faq): document that disabling JIT makes Anubis slow by @Xe in #1526
• fix(locales/ja): change the position of the バージョン (version) by @fu-sen in #1527
• fix: add cel iterator by @JasonLovesDoggo in #1465
• fix: Address issued raised in #1193 by @dwhitemv25 in #1519
• feat(anubis): enable pprof endpoints on the metrics server by @Xe in #1530
• feat(i18n): add Bulgarian language translation by @ramromcode in #1394
• chore: update vi.json by @honhatduy in #1459
• fix(locales/de): revise and update German translations by @michi-onl in #1457
• build(deps): bump actions-hub/kubectl from 1.35.2 to 1.35.3 in the github-actions group by @dependabot[bot] in #1532
• chore(sponsors): add embeDD GmbH by @Xe in #1539
• build(deps): bump the npm group with 5 updates by @dependabot[bot] in #1531
• docs(faq): document minimum versions of browsers Anubis supports by @Xe in #1540
• build(deps): bump the npm group across 1 directory with 5 updates by @dependabot[bot] in #1559
• build(deps): bump the github-actions group across 1 directory with 7 updates by @dependabot[bot] in #1560
• feat: move metrics server config to the policy file by @Xe in #1572
• feat(data): add Meta's web indexer used for AI purposes by @bnjbvr in #1573
• feat(metrics): enable TLS/mTLS serving support by @Xe in #1576
• feat(metrics): basic auth support by @Xe in #1579
• fix(honeypot): remove DoS vector by @Xe in #1581
• fix: Thoth geoip compare by @lenny87 in #1564
• fix(metrics): bind to the right network/bindhost by @Xe in #1606
• feat: add ASN data from Thoth to logs/metrics by @lillian-b in #1608
• feat: Log weight when issuing challenge by @tdgroot in #1611
• fix: patch GHSA-6wcg-mqvh-fcvg by @Xe in #1616
• build(deps-dev): bump the npm group across 1 directory with 6 updates by @dependabot[bot] in #1621
• build(deps): bump github.com/go-jose/go-jose/v3 from 3.0.4 to 3.0.5 by @dependabot[bot] in #1629
• fix(policy): correctly wire subrequest mode through CEL/path checkers by @Xe in #1630
• fix(honeypot/naive): apply robot9001 style delays by @Xe in #1632
• build(deps): bump the npm group across 1 directory with 6 updates by @dependabot[bot] in #1646
• perf(lib): iterate s.policy.Bots by index to drop per-call heap copy by @jvoisin in #1639
• fix: small security fixes by @Xe in #1651
• perf(internal/gzip): pool *gzip.Writer per middleware instance by @jvoisin in #1654
• perf: enable uuid randomness pool and minor cleanups by @jvoisin in #1652
• perf(challenge/proofofwork): stream sha256 into stack buffer in Validate by @jvoisin in #1653
• chore: use Go stdlib version stamping by @Xe in #1665
• chore: ban x.ai by @Xe in #1673
• feat: add HttpOnly cookie option by @tdgroot in #1679
• fix: add trimpath option to artifact builds by @tdgroot in #1682
• ci: remove spelling checks by @Xe in #1688
• perf(policy): only compute ja4h fingerprint when referenced by @jvoisin in #1689
• perf: don't look into the store for OpenGraph things if it is disabled by @jvoisin in #1690
• refactor(honeypot/naive): compute network hash once in incrementNetwork by @jvoisin in #1693
• perf: iterate s.policy.Bots by index to drop per-call heap copy by @jvoisin in #1691
• perf(internal/gzip): share writer pool across middleware reconstructions by @jvoisin in #1694
• perf(internal): cut allocations in computeXFFHeader by @jvoisin in #1692
• build(deps-dev): bump the npm group across 1 directory with 4 updates by @dependabot[bot] in #1677
• docs: use stable container in traefik deployment example by @RealOrangeOne in #1676
• chore: bump go version to 1.26 by @Xe in #1695
• chore: tag v1.26.0-pre1 by @Xe in #1705

New Contributors

• @pzhlkj6612 made their first contribution in #1506
• @HarmfulBreeze made their first contribution in #1496
• @fhoekstra made their first contribution in #1460
• @rozmansi made their first contribution in #1521
• @mvolz made their first contribution in #1524
• @fu-sen made their first contribution in #1527
• @dwhitemv25 made their first contribution in #1519
• @ramromcode made their first contribution in #1394
• @honhatduy made their first contribution in #1459
• @bnjbvr made their first contribution in #1573
• @lenny87 made their first contribution in #1564
• @jvoisin made their first contribution in #1639
• @RealOrangeOne made their first contribution in #1676

Full Changelog: v1.25.0...v1.26.0-pre1