2.8.0

github-actions released this 12 Jun 09:25

Added

  • Custom SIGTERM signal handling for graceful shutdown.
  • Environment variable placeholders in KDL-format configurations.
  • Google Cloud DNS provider for DNS-01 ACME challenges.
  • Spaceship DNS provider for DNS-01 ACME challenges.
  • Support for shell-style argument parsing in auto_tls_post_obtain_command.

Changed

  • CONNECT requests with pathname URIs are now rejected.
  • HTTP compression now uses server-preferred content encoding (zstd, br, gzip, deflate, identity) when available (GitHub issue).
  • Improved RFC 7230 compliance for reverse proxy (by stripping hop-by-hop headers).
  • Improved shebang handling for CGI on non-Unix systems.
  • OCSP responses are now verified when stapling is enabled.

Fixed

  • 403 Forbidden responses were returned when the URL sanitizer was disabled, even in cases where 404 Not Found should have been returned.
  • File paths in directory listings weren't properly escaped.
  • HTTP Basic Authentication was vulnerable to time-based user enumeration.
  • location blocks matched path segments anywhere in the URL, not just at the start (GitHub issue).
  • PROXY v2 headers with lengths greater than 512 bytes were allowed, possibly leading to memory DoS.
  • So You Start endpoint names for OVH DNS provider were swapped.
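
To illustrate the PROXY v2 entry above, here is an added example (not the project's own code) of rejecting an oversized declared length from the fixed 16-byte prefix, before any payload is buffered. All names are hypothetical, the sample bytes are constructed, and applying the 512-byte cap to the header's length field is an assumption.

```rust
// Added example (not the project's code): bound the PROXY v2 length field early.
const SIG: [u8; 12] = *b"\r\n\r\n\0\r\nQUIT\n"; // fixed 12-byte v2 signature
// 512 comes from the release note; applying it to the length field is an assumption.
const MAX_PAYLOAD: usize = 512;

#[derive(Debug, PartialEq)]
enum V2Error { NeedMore, BadSignature, BadVersion, TooLong(usize) }

#[derive(Debug, PartialEq)]
struct V2Header { command: u8, family_proto: u8, payload_len: usize }

/// Validates the 16-byte prefix. The peer-controlled length is checked here,
/// so a hostile value never drives a buffer allocation or a long read.
fn parse_v2_prefix(buf: &[u8]) -> Result<V2Header, V2Error> {
    if buf.len() < 16 { return Err(V2Error::NeedMore); }
    if buf[..12] != SIG { return Err(V2Error::BadSignature); }
    if buf[12] >> 4 != 2 { return Err(V2Error::BadVersion); }
    let len = u16::from_be_bytes([buf[14], buf[15]]) as usize;
    if len > MAX_PAYLOAD { return Err(V2Error::TooLong(len)); }
    Ok(V2Header { command: buf[12] & 0x0F, family_proto: buf[13], payload_len: len })
}

/// Returns the header and its address/TLV bytes once they are fully received.
fn read_v2(buf: &[u8]) -> Result<(V2Header, &[u8]), V2Error> {
    let header = parse_v2_prefix(buf)?;
    let end = 16 + header.payload_len;
    if buf.len() < end { return Err(V2Error::NeedMore); }
    Ok((header, &buf[16..end]))
}

/// Builds a constructed sample header: version 2, PROXY command, TCP over IPv4.
fn sample(len_field: u16, payload: &[u8]) -> Vec<u8> {
    let mut v = SIG.to_vec();
    v.extend_from_slice(&[0x21, 0x11]);
    v.extend_from_slice(&len_field.to_be_bytes());
    v.extend_from_slice(payload);
    v
}

fn main() {
    // Constructed input: documentation-range addresses and two ports (12 bytes).
    let ok = sample(12, &[192, 0, 2, 1, 198, 51, 100, 7, 0xC3, 0x50, 0x01, 0xBB]);
    println!("{:?}", read_v2(&ok));
    // Maximum declared length with no payload: rejected from the prefix alone.
    println!("{:?}", read_v2(&sample(u16::MAX, &[])));
}
```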