Ceaser

Upgrade Warnings

• Moved from certbot-auto to certbot. Run apt install certbot.
• Stop auto-updating repository as it may cause breakage. Remove git pull bubbly from cron.

Improvement

• Change SSL Ticket Key size from 48 to 80.
• Change Diffie-Hellman Parameters Key size from 4096 to 3072.
• Change RSA Key size from 4096 to 3072.

Changes

2.1.3 to 2.2.0

Banquet - with Patch 3

Upgrade Warnings

• Moved to acme-v02 API endpoint.
• Moved protocol preferences in with cipher suite preferences.
• Updated all 3 cipher suite options.
• Added PHP 7.4 socket option.
• Removed PHP 7.1 socket option.

Improvement

• Document amplify_stub-status.conf
• Add nixstats_stub-status.conf

Changes

2.1.2 to 2.1.3

Banquet - with Patch 2

Upgrade Warnings

• Expect-CT now has a default value of 30 seconds.
• Strict-Transport-Security now has a default value of 31536000 seconds (365 days).
• Expect-CT now has an optional value of 31536000 seconds (365 days).
• If any Content-Security-Policy changes have taken place, a normal overwrite upgrade will eradicate them.

Bugfix

• Fix error when running bubbly_generate-statics.sh due to change in openssl rand parameter order strictness.

Improvement

• Move Content-Security-Policy to own default file to allow easier customisation.

Changes

2.1.1 to 2.1.2

Banquet - with Patch 1

Upgrade Warnings

• Expect-CT now has a default value of 7776000 (90 days), as does HSTS.

Bugfix

• Add non-prefixed headers for X-Content-Type-Options, X-XSS-Protection, X-UA-Compatible, and X-Powered-By as promoted by new spec.

Improvement

• Move HSTS to Headers, away from SSL config.

Changes

2.1.0 to 2.1.1

Banquet

Upgrade Warnings

• Support for the new PHP 7.2 is the default. You should modify this to point to the correct PHP version for your server if in use, until such time that you upgrade.

Security

• Add Expect-CT with default of enforce, max-age=30, report-uri='/api/report_ect'
• Add Referrer-Policy with default of strict-origin-when-cross-origin

Bugfix

• Fix some references to log files

Feature

• Add option to disable versions in Server

Improvement

• Add support for PHP 7.2
• Add support end dates for all PHP versions
• Expand Content Security Policy to include report uri
• Add report only versions of Content Security Policy

Supporting

• Updated screenshot for Qualys SSL Labs
• Add screenshot for SecurityHeaders.io
• Fix badge from Code Climate

Changes

2.0.2 to 2.1.0
2.0.1 to 2.1.0
2.0.0 to 2.1.0

Abstraction - with Patch 2

Bugfixes

• Fix invalid targets in groups/performance-common.conf
• Fix invalid targets in sites-available/bubbly_live.conf and sites-available/bubbly_verify.conf
• Change target copy from location in bubbly_copy-configs.sh

Changes

2.0.1 to 2.0.2
2.0.0 to 2.0.2

Abstraction - with Patch 1

Bugfixes

• Remove ssl variable by recommendation

Improvements

• Add additional ssl_ecdh_curve option
• Add TLSv1.3 option

Supporting

• Rename CODE_OF_CONDUCT.md to .github/CODE_OF_CONDUCT.md

Changes

2.0.0 to 2.0.1

Abstraction

• SECURITY: Add limits for requests and connections to specified zones based on IP or "Server".
• • nginx-config/conf.d/bubbly_limits.conf
• SECURITY: Hide PHP version when requests are processed via FastCGI.
• • nginx-config/location/bubbly_extensionless-php.conf
• SECURITY: Only respond to reasonable request types.
• • nginx-config/location/bubbly_methods.conf
• SECURITY: Stop remote users accessing system files.
• • nginx-config/location/h5bp_protect-system-files.conf
• BUGFIX: Fix .sh permissions.
• FEATURE: Added Amplify Log Format.
• • nginx-config/conf.d/amplify_log-format.conf
• FEATURE: Added Amplify Stub Status.
• • nginx-config/conf.d/amplify_stub-status.conf
• FEATURE: Added Content Security Policy (Off by default).
• • nginx-config/directive/bubbly_security-headers.conf
• IMPROVEMENT: Massively better Nginx configuration management
• • some files courtesy of H5BP
• IMPROVEMENT: Set a better maximum upload size
• IMPROVEMENT: Respond to errors better
• IMPROVEMENT: Keep PHP connections alive
• IMPROVEMENT: Set better FastCGI timeouts
• IMPROVEMENT: Disable GZip for <= IE6
• IMPROVEMENT: Disable logging for unnecessary stuff
• IMPROVEMENT: Better open file cache
• IMPROVEMENT: Added no-transform header
• IMPROVEMENT: Abstracted extensionless PHP
• IMPROVEMENT: Improved expiry rules
• IMPROVEMENT: Expanded Mime-Types
• SUPPORTING: Added NC 1.7
• SUPPORTING: Improved documentation.
• SUPPORTING: Added .github/CONTRIBUTING.md
• SUPPORTING: Added CODE_OF_CONDUCT.md
• SUPPORTING: Better linguist detection through .gitattributes

Primadonna

• SECURITY: Improve security in configuration files.
• IMPROVEMENT: Massively simplify instructions.
• IMPROVEMENT: Rename bash scripts to be more descriptive.
• IMPROVEMENT: Add warnings to bash scripts.
• IMPROVEMENT: Deprecate cli.ini in favour of command options.
• SUPPORTING: Rename to Bubbly.
• SUPPORTING: Add an issue template.
• SUPPORTING: Add a pull request template.
• SUPPORTING: Update license.
• SUPPORTING: Add BountySource badge.
• SUPPORTING: Add a contribute package file.

Tinman

• BUGFIX: Fix syntax of nginx.conf
• BUGFIX: Remove duplicate includes
• IMPROVEMENT: Add version to nginx.conf header.
• IMPROVEMENT: Add option point for custom inclusion.