Nightly Changelog: 8.1.9-b20210802
Security
1953: Add Support for Proxy Forwarding of Remote HTTP Client Details
Added a new setting named “Use Proxy Forwarded Headers” in the “HTTP Settings” section of the Gateway Web Interface > Config > Networking > Web Server page. When enabled, the Gateway uses the HTTP client details forwarded by a reverse proxy instead of the details of the reverse proxy itself.
1260: Resolve hostname from session IP so the Gateway can leverage host-based Security Zones
- Added a new setting named “Resolve Client Hostnames” in the “HTTP Settings” section of the Gateway Web Interface > Config > Networking > Web Server page. When enabled, the Gateway’s web server performs reverse-DNS lookups of HTTP client IP addresses so that the hostname can be used for Security Zones.
- Perspective’s session.props.host session property now uses the resolved HTTP client hostname if the above setting is enabled; otherwise it falls back to the IP address.
- Added a new session property, session.props.address, to Perspective, which always contains the remote HTTP client’s IP address.
IGN-3234: Ignition Exchange Routes are vulnerable to RCE via ZIP-Slip
Added various defenses against potential zip-slip and path traversal vulnerabilities.
Connectivity
3186: Siemens Driver issue reading/writing to Counters (S7-300)
Fixed a bug in the Siemens driver where timers/counters were being incorrectly addressed when reading/writing from an S7-300.
Enterprise
IGN-3152: Not all remote alarms show up on the central Gateway when the alarm mode is set to subscribed
Remote alarm subscriptions will no longer drop some alarm events when a large volume of remote alarms occurs at once.
Infrastructure
3404: Allow resolveHostNames and useProxyForwardedHeader properties to persist through container restart
The Docker image now supports passing arbitrary “gateway.*=” key/value pairs for the gateway.xml after the double-hyphen in the command args, similar to the existing capability for JVM/wrapper args.