- Specify `ssl_prefer_server_ciphers on`, which results in more secure cipher choices being chosen first and an "A" rating from SSL Labs without micromanagement of cipher settings.
- Bug fix: ensure `site.backends` exists so a simple static site doesn't crash template generation. This bug was introduced in version 1.7.0.
Support for path-specific backends, i.e. backends that only accept traffic for a certain path prefix. This is handy for routing traffic to microservices without subdomains.
Adds previous TLS update across template.
Adds support for TLS 1.3 and removes support for TLS 1.1, for security reasons.
Adds HTTP/2 support for https requests by using `mechanic set http2 true`. Adds a permanent option to turn default temporary redirects (302) into permanent (301) by using `--permanent=true`. This can be undone by using `--permanent=false`.
Added the `--redirect=https://example.com` and `--redirect-full=https://example.com` options, to redirect all traffic to another site. If you want the rest of the URL after the hostname to be appended when redirecting, use `--redirect-full`. To send everything to the same place, use `--redirect`.
Corrects a typo in the `--websockets` option that had required the singular form of the word. Spaces out entries when using `mechanic list` to view current sites.
Adds JS linting, some code clean up.
document `--websockets` flag. No code changes.
optional `--websockets` flag to enable support for websockets in the app behind the proxy. Thanks to Ahmet Simsek.
documentation update indicating that `client_max_body_size` works best in the `location` override file. Thanks to Bob Clewell of P'unk Avenue for this contribution.
if `https` and `redirect-to-https` are active for the site, redirect straight to https when canonicalizing, avoiding an extra http hop, which was generating security scan complaints and adding a touch of latency.
depend on `prettiest` 1.1.0 or better, as a way of making it hopefully easier to install by transitively depending on a newer version of `fs-ext`.
added config for running tests on CircleCI.
fixed bug introduced in 1.2.0 with the use of `let` to redeclare a variable that is already a function argument.
`--https-upstream` option added; when present, connections to backends are made via `https` rather than `http`. This is useful when the upstream servers are remote and not just next door on a secured local network. Of course, there is a performance impact. Thanks to Kevin S. (t3rminus) for this contribution.
sites set `--default=true` are always moved to the end of the list, and the end of the generated nginx configuration file. This is helpful when reading `mechanic list` and also works around an issue we've seen in at least one case where nginx did not appear to honor its usual rule that a `server_name` match should always beat `default_server`.
Canonicalization also applies to https. Of course it won't magically work for aliases your certificate doesn't cover, but it will work for www to bare domain or vice versa, or whatever your certificate does include.
Moved standard gzip directives to the start of the server block. Otherwise responses proxied through to node are not compressed. A large performance win.
Officially stable and following semantic versioning from here on out. Also added `top` and `server` override files and the `--index` option, and made `backends` optional when `static` is present. This allows the use of mechanic to set up very simple static websites.
pass the `X-Forwarded-Proto` header for compatibility with the `secure` flag for session cookies, provided that Express is configured to trust the first proxy.
Killed support for `tlsv1` as it is insecure.
killed support for `sslv3` as it is insecure.
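Several entries above change the TLS and proxy settings of the generated nginx configuration: server cipher preference, TLS 1.3 added, TLS 1.1, `tlsv1` and `sslv3` removed, and `X-Forwarded-Proto` passed to backends. The following Node.js audit for those settings is an added example, not part of mechanic or its changelog; the function names, finding strings and sample configuration are assumptions made for illustration.

```javascript
// Added example, not mechanic's own code. Assumption: directives are set inside each
// server block; inheritance from the http level is not modelled.
const WEAK = ['SSLv3', 'TLSv1', 'TLSv1.1'];

// Text of every "server { ... }" block, found by brace matching after comment removal.
function serverBlocks(conf) {
  const text = conf.replace(/#.*$/gm, '');
  const blocks = [];
  for (const m of text.matchAll(/\bserver\s*\{/g)) {
    let depth = 1, i = m.index + m[0].length;
    for (; i < text.length && depth > 0; i++) {
      depth += text[i] === '{' ? 1 : text[i] === '}' ? -1 : 0;
    }
    blocks.push(text.slice(m.index + m[0].length, i - 1));
  }
  return blocks;
}

// Every argument token given to directive `name` in a block (all occurrences).
function args(block, name) {
  const re = new RegExp('(?<=(?:^|[;{}])\\s*)' + name + '\\s+([^;{}]+);', 'g');
  return [...block.matchAll(re)].flatMap((m) => m[1].trim().split(/\s+/));
}
// One { name, findings } record per server block.
function auditNginxTls(conf) {
  return serverBlocks(conf).map((block) => {
    const findings = [];
    if (args(block, 'listen').includes('ssl')) {
      const protocols = args(block, 'ssl_protocols');
      protocols.filter((p) => WEAK.includes(p)).forEach((p) => findings.push('weak protocol: ' + p));
      if (!protocols.includes('TLSv1.3')) findings.push('TLSv1.3 not enabled');
      if (args(block, 'ssl_prefer_server_ciphers')[0] !== 'on') {
        findings.push('ssl_prefer_server_ciphers is not on');
      }
    }
    const headers = args(block, 'proxy_set_header').map((h) => h.toLowerCase());
    if (args(block, 'proxy_pass').length && !headers.includes('x-forwarded-proto')) {
      findings.push('proxy_pass without X-Forwarded-Proto');
    }
    return { name: args(block, 'server_name')[0] || '(unnamed)', findings };
  });
}
// Constructed sample input, not output generated by mechanic.
const SAMPLE = `server { listen 443 ssl http2; server_name good.example.com;
  ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on;
  location / { proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://127.0.0.1:3000; } }
server { listen 443 ssl; server_name old.example.com;  # legacy site
  ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; location / { proxy_pass http://127.0.0.1:3001; } }`;
console.log(JSON.stringify(auditNginxTls(SAMPLE), null, 2));
```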
parse `host:port` correctly with the `--backends` option.
the `boring` dependency was missing, this is fixed.
Accept `backend` as an alias for `backends`. Reject invalid hyphenated options passed to `add` and `update`, as their absence usually means you've mistyped something important. Don't crash nginx if there are no backends, just skip that site and print a warning. Use boring instead of `yargs`.
load convenience overrides from suitably named nginx configuration files.
set the ssl flag properly for nginx in the listen statement.
look in the documented place for SSL certificates (/etc/nginx/certs).
don't try to reject invalid arguments, as yargs helpfully introduces camel-cased versions of hyphenated arguments, causing false positives and breaking our hyphenated options. This isn't great; we should find out how to disable that behavior in yargs.
corrected documentation for Apache fallback strategy.
`reset` command works.
initial release.