Releases: DataDog/nginx-datadog
v1.8.0
This release delivers improvements to AppSec functionality, dependency updates, and fixes for request handling.
Key Features and Enhancements
- AppSec: Implemented libddwaf schema collection to improve security rule handling. PR #242 by @cataphract
- AppSec: Updated obfuscation regexes used by the WAF for more accurate data protection. PR #248 by @robertpi
- AppSec: Improved client IP resolution by reading from the Forwarded header and treating CGNAT ranges as private. PR #250 by @cataphract
- Dependencies: Upgraded to libddwaf 1.28.0 with enhanced conversion logic. PR #249 by @cataphract
- Fix: Correctly handle auth requests when subrequest logging is enabled. PR #245 by @zacharycmontoya
New Contributors
- Thanks to @zacharycmontoya for their first contribution! PR #245
Full Changelog: v1.7.0...v1.8.0
v1.7.0
This release introduces new features and enhancements to observability and security, along with an important dependency update.
Important
Starting with this release, prebuilt artifacts will no longer be generated for NGINX versions outside the supported compatibility window: v1.24.0 to v1.25.5.
If you are using an unsupported version of NGINX, you can follow these instructions to build the module manually.
Key Features and Enhancements
- Tracing: Added the ability to disable APM tracing via configuration, offering greater flexibility for users who wish to limit observability overhead. PR #231 by @dmehala
- AppSec: Introduced support for response body collection, enabling more comprehensive threat detection and analysis. PR #232 by @cataphract
- AppSec: Added lightweight statistics metrics to help monitor memory usage and performance of the AppSec module. PR #235 by @cataphract
- Dependencies: Updated dd-trace-cpp to commit f0e5037, pulling in upstream improvements and fixes. PR #238 by @dmehala
New Contributors
- Thanks to @gaffneyd4 for their first contribution! PR #236
Full Changelog: v1.6.2...v1.7.0
v1.6.2
This patch delivers an important set of improvements and security hardening.
Important
A critical fix in this release addresses a potential issue where HTTP/0.9 requests could cause nginx to crash. This behavior could be exploited under specific conditions to disrupt service availability. The issue has been resolved (PR #213) by safely bypassing context propagation when headers are not properly initialized.
What's Changed
- Error Reporting: Integration errors are now reported by @dmehala in #187
- Build Compatibility: Resolved compilation issues with GCC 13 by @dmehala in #224
New Contributors
Full Changelog: v1.6.1...v1.6.2
v1.6.1
This patch addresses several issues identified in v1.6.0, enhancing stability and functionality.
Key Fixes and Improvements
- Compilation: Resolved an issue where the missing stdexcept include could prevent the module from building successfully. PR #198 by @dmehala.
- OpenTelemetry: Fixed drop-in support, ensuring OpenTelemetry directives are no longer aliases to undefined directives, improving compatibility. PR #194 by @dmehala.
- AppSec: Addressed an issue where certain response headers' tags were not being set correctly. PR #195 by @cataphract.
- AppSec: Fixed a problem where WAF could stall WebSocket requests. PR #200 by @cataphract.
What's Changed
- Telemetry: Included the NGINX flavor in telemetry data to provide more detailed insights on the module usage. PR #205 by @dmehala
- AppSec: datadog_appsec_http_blocked_template_json, datadog_appsec_http_blocked_template_html and datadog_appsec_ruleset_file now validate the existence of required files during the configuration process instead of at worker startup.
Full Changelog: v1.6.0...v1.6.1
v1.6.0
This version brings several improvements and fixes. Please review the breaking changes and updates below to ensure a smooth upgrade.
Known issues - OpenTelemetry Drop-in Support
You may encounter errors when using the OpenTelemetry drop-in with this release of nginx-datadog:
Temporary workaround: This issue is tracked in #193. Until this issue is resolved, we recommend pinning to the previous stable version by updating your configuration as follows:
extraModules:
  - name: nginx-datadog
    image:
      registry: docker.io
      image: datadog/ingress-nginx-injection
      tag: "v1.11.3-dd.v1.5.0"
      distroless: false
⚠️ Breaking Changes ⚠️
- Datadog Variable: The default format for datadog_trace_id and datadog_span_id has changed from 64-bit decimal to 128-bit hexadecimal. This may affect integrations relying on the previous format; please use datadog_trace_id_64bits_base10 and datadog_span_id_64bits_base10 to keep the old behaviour. See PR #180
New Features
- feature: datadog_* directives now resolve $-variables, enabling, for example, dynamic service name configuration based on ingress rules. PR #177
- feature: block based on response status or headers PR #171 by @cataphract
- feature: support for inferred services. PR #178 by @dmehala
- feature: otel drop in support. PR #182 by @dmehala
- feature: allow overriding default tags. PR #183 by @dmehala
What's Changed
- deprecated: sampling delegation is now deprecated. PR #179 by @dmehala.
- dependencies: upgraded libddwaf to 1.24.0 PR #175 by @cataphract
- updates: appsec rules updated to v1.14.2 PR #190 by @dmehala
New Contributors
Full Changelog: v1.5.0...v1.6.0
v1.5.0
What's Changed
- Add openresty support by @dubloom in #145
- Fix stall upon auth phase subrequest by @cataphract in #154
- chore: update appsec rules to 1.13.3 by @dmehala in #159
- feat: support unified service tagging directive in server block by @dmehala in #153
- fix: apply sampling rules on resources correctly by @dmehala in #157
- feat(ingress-nginx): avoid reporting health check by @dmehala in #158
- Bump version to 1.5.0, update waf and rules by @cataphract in #161
- chore(ingress-nginx): add support for v1.11.3 and v1.12.0 by @dmehala in #165
Full Changelog: v1.4.0...v1.5.0
v1.4.0
What's Changed
- refactor!: remove use of proxy directives in span resource names by @dmehala in #115
- feat: add datadog_tracing directive by @dubloom in #134
- feat: Support WAF address for request body by @cataphract in #137
- build: support ingress-nginx by @dmehala in #128
- Build ingress-nginx for WAF and arm64 by @cataphract in #138
- Bridge more musl/glibc diffs in aarch64 by @cataphract in #140
Full Changelog: v1.3.1...v1.4.0
v1.3.1
This release includes a quick fix to prevent unnecessary error logging for requests that lack tracing context.
What's Changed
New Contributors
- @pablomartinezbernardo made their first contribution in #110
Full Changelog: v1.3.0...v1.3.1
v1.3.0
We are excited to announce the release of nginx-datadog v1.3.0. This version brings several improvements, important fixes, and introduces remote configuration support for Application Security (AppSec). Please review the breaking changes and updates below to ensure a smooth upgrade.
Known Issues
- Unexpected logs: Logs may be generated when there is no tracing context available. The frequency of these logs depends on how often the server initiates traces. Please upgrade to v1.3.1.
⚠️ Breaking Changes ⚠️
As of PR #101, trace-log correlation is no longer supported out-of-the-box.
Users who rely on this functionality must now manually configure a custom log format to include trace and span IDs in the logs. Here's an example configuration:
Plaintext format:
log_format datadog_text '$remote_addr - $http_x_forwarded_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for" "$datadog_trace_id" "$datadog_span_id"';
JSON format:
log_format datadog_json escape=json '{"remote_addr": "$remote_addr", "forwarded_user": "$http_x_forwarded_user", "time_local": "$time_local", "request": "$request", "status": $status, "body_bytes_sent": $body_bytes_sent, "referer": "$http_referer", "user_agent": "$http_user_agent", "forwarded_for": "$http_x_forwarded_for", "dd.trace_id": "$datadog_trace_id", "dd.span_id": "$datadog_span_id"}';
Ensure that the custom log format is defined in your NGINX configuration file. For more details, you can view an example in our repository.
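A log pipeline that consumes the datadog_json format above has to cope with the v1.6.0 change of $datadog_trace_id from 64-bit decimal to 128-bit hexadecimal, and with requests that carry no tracing context. The following is an added example, not code from the nginx-datadog project: it normalizes both ID forms to one join key and groups records by trace. It assumes that the low 64 bits of a 128-bit trace ID equal the legacy 64-bit ID; the function names and sample records are constructed for illustration.

```python
import json
import re

HEX128 = re.compile(r"[0-9a-f]{32}")  # default $datadog_trace_id since v1.6.0
DEC64 = re.compile(r"[0-9]{1,20}")    # earlier default, or *_64bits_base10

def trace_key(raw):
    """Map a logged dd.trace_id to a 64-bit integer join key, or None."""
    raw = raw.strip().lower()
    if HEX128.fullmatch(raw):
        # Assumption: the low 64 bits of the 128-bit ID are the legacy ID.
        return int(raw[16:], 16)
    if DEC64.fullmatch(raw) and int(raw) < 2**64:
        return int(raw)
    return None  # empty (no tracing context) or malformed value

def correlate(lines):
    """Group datadog_json records by trace key; collect untraced records."""
    traced, untraced = {}, []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # line was not written with the datadog_json format
        if not isinstance(rec, dict):
            continue
        key = trace_key(str(rec.get("dd.trace_id", "")))
        if key is None:
            untraced.append(rec)
        else:
            traced.setdefault(key, []).append(rec)
    return traced, untraced

def _line(status, trace_id):
    # Constructed sample record with a subset of the datadog_json fields.
    return json.dumps({"remote_addr": "203.0.113.7", "status": status,
                       "request": "GET /login HTTP/1.1",
                       "dd.trace_id": trace_id, "dd.span_id": ""})

# Constructed input: one trace seen by an upgraded and a non-upgraded proxy,
# one request without tracing context, and one non-JSON line.
SAMPLE = [
    _line(403, "6627a1f000000000" + "00000000075bcd15"),
    _line(200, "123456789"),
    _line(200, ""),
    "not json",
]

if __name__ == "__main__":
    traced, untraced = correlate(SAMPLE)
    for key, recs in traced.items():
        print(key, [r["status"] for r in recs])
    print("untraced:", len(untraced))
```
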
New Features
- feature: Add trace and span IDs 128-bit hexadecimal representation by @dmehala in #103. Please use $datadog_trace_id_hex and $datadog_parent_id_hex variables.
- feature: Added remote configuration support for AppSec by @cataphract in #71
What's Changed
- fix: Resolved an issue with Datadog script execution by @dmehala in #95
- improvements: Improved logging to include module information by @dmehala in #96
- build: bump dd-trace-cpp from v0.2.2 to v1.0.0 by @dmehala in #111
New Contributors
- @HadrienPatte made their first contribution in #99
- @Anilm3 made their first contribution in #105
- @smola made their first contribution in #108
Full Changelog: v1.2.1...v1.3.0
v1.2.1
What's Changed
- fix: propagation header value adding up by @dmehala in #88
- deps: upgrade dd-trace-cpp to v0.2.2 containing several important security fixes.
New Contributors
- @cbeauchesne made their first contribution in #84
- @bm1549 made their first contribution in #89
Full Changelog: v1.2.0...v1.2.1