v0.0.6

v0.0.6

---

New features

Decision type filtering

You can limit mirrored blocklists to specific CrowdSec decision types (for example ban, captcha) either globally via config or per-request via query parameters.

Config (YAML):

crowdsec_config:
  supported_decisions_types:
    - ban

---

IP aggregation for blocklists

Add aggregate: true to merge individual IP decisions into minimal CIDR blocks, reducing blocklist size.

Example:

blocklists:
  - format: plain_text
    endpoint: /security/blocklist
    aggregate: true

---

Full Changelog: v0.0.5...v0.0.6

v0.0.6-rc3

Highlights (rc3, rc2, rc1)

• Go 1.25 base images for builds.
• Release artifacts no longer include freebsd/riscv64.
• Decision type filtering at source and per-request.
• New blocklist option: aggregate: true to merge IP decisions into minimal CIDR blocks.
• Ubuntu 25.10 install fixes and script updates.
• Dependency refresh and minor lint/tooling cleanup.

What’s changed (v0.0.6-rc2 → v0.0.6-rc3)

• Update lint configuration by @mmetc in #120
• Update deps for crowdsec / go-cs-bouncer by @mmetc in #121
• Enhance: add IP aggregation option for blocklists by @LaurenceJJones in #122

Full Changelog: v0.0.6-rc2...v0.0.6-rc3

New feature: IP aggregation for blocklists

Add aggregate: true configuration option that merges individual IP decisions into minimal CIDR blocks, reducing blocklist size.

Behaviour

• New aggregate field in blocklist config works with any format.
• Adjacent IPs are merged into larger CIDR ranges (example: .0 + .1 becomes /31).
• Overlapping prefixes are deduplicated (larger prefix absorbs smaller).
• Supports both IPv4 and IPv6 with optimized bit operations.

Performance and runtime characteristics

• Aggregation is pre-computed when decisions are added or deleted from LAPI.
• HTTP requests read from a cached aggregated view (no per-request aggregation cost).
• Only enabled if at least one blocklist has aggregate: true.
• Uses an RWMutex to allow concurrent reads during update cycles.

Example configuration

blocklists:
  - format: plain_text
    endpoint: /security/blocklist
    aggregate: true

Previously introduced in rc1 and rc2 (for reference)

• Decision type filtering (config and per-request).
• Ubuntu 25.10 install fixes and updated scripts.
• Go 1.25 in Dockerfile.
• Drop freebsd/riscv64 from release artifacts.

rc2 changelog: v0.0.6-rc1...v0.0.6-rc2
rc1 changelog: v0.0.5...v0.0.6-rc1

v0.0.6-rc2

🚀 Highlights (rc2 + rc1)

• Go 1.25 base images for builds (smaller, faster, up-to-date toolchain).
• Dropped freebsd/riscv64 target from release artifacts.
• Decision type filtering at source and per-request.
• Ubuntu 25.10 install fixes and script updates.
• Dependency refresh and minor tooling cleanup.

What’s Changed (since v0.0.6-rc1 → v0.0.6-rc2)

• Update Go version to 1.25 in Dockerfile by @LaurenceJJones in #118
• Drop platform freebsd/riscv64 by @mmetc in #119

Full Changelog: v0.0.6-rc1...v0.0.6-rc2

---

Previously in v0.0.6-rc1

What’s Changed

• chore/update-py-cstest by @LaurenceJJones in #115
• update dependencies, fix install issue with ubuntu 25.10 by @mmetc in #116
• update install scripts for ubuntu 25.10 by @mmetc in #117
• enhance: Add supported decisions type by @LaurenceJJones in #113

Full Changelog: v0.0.5...v0.0.6-rc1

---

✨ New: Decision type filtering

Limit mirrored blocklists to specific decision types (e.g. ban, captcha) via config or per-request.

Config (YAML)

crowdsec_config:
  # ...
  supported_decisions_types:
    - ban

• Empty/missing list → no type filtering (all types).
• Case-insensitive matching.

Per-request overrides (query param)

• /security/blocklist?supported_decisions_types=ban,captcha
• /security/blocklist?supported_decisions_types=ban&supported_decisions_types=captcha

If omitted, the YAML value applies. To include all types, omit the param and leave the YAML list empty.

Combines with: ipv4only, ipv6only, origin, nosort.

Notes/Internals:

• Uses stdlib slices (no x/exp).
• Removed the "all" special-case—omit the param to include all types.

---

🛠️ Installation & Packaging

• Ubuntu 25.10: install scripts updated and a prior install issue fixed.

---

🔧 Maintenance

• Dependencies updated.
• Python cstest workflow refreshed.
• Go 1.25 in Dockerfile.
• Release artifacts no longer include freebsd/riscv64.

Impact note: The platform drop only affects release artifact availability; runtime behavior for other platforms is unchanged.

v0.0.6-rc1

🚀 Highlights

• Decision type filtering at source and per-request.
• Ubuntu 25.10 install fixes and script updates.
• Dependency refresh and minor tooling cleanup.

What’s Changed

• chore/update-py-cstest by @LaurenceJJones in #115
• update dependencies, fix install issue with ubuntu 25.10 by @mmetc in #116
• update install scripts for ubuntu 25.10 by @mmetc in #117
• enhance: Add supported decisions type by @LaurenceJJones in #113

Full Changelog: v0.0.5...v0.0.6-rc1

---

✨ New: Decision type filtering

Keep your mirrored blocklists limited to specific decision types (e.g., ban, captcha) either via config or per request.

Config (YAML)

crowdsec_config:
  # ...
  supported_decisions_types:
    - ban

• Empty/missing list → no type filtering (all types).
• Case-insensitive matching.

Per-request overrides (query param)

You can override the YAML setting without changing server config:

• /security/blocklist?supported_decisions_types=ban,captcha
• /security/blocklist?supported_decisions_types=ban&supported_decisions_types=captcha

If the parameter is omitted, the YAML value applies.
To get all types, omit the parameter and leave the YAML list empty.

Combines with existing filters

Works alongside ipv4only, ipv6only, origin, nosort.

Notes / Internals

• Uses stdlib slices (no x/exp).
• Removed the previous "all" special-case; simply omit the param to include all types.

---

🛠️ Installation & Packaging

• Ubuntu 25.10: install scripts updated and an install issue fixed to ensure smooth setup on 25.10.

---

🔧 Maintenance

• Dependencies updated.
• Python cstest workflow refreshed.

v0.0.5

What's Changed

GZIP Compression middleware #110

The remediation now checks for incoming accepted encoding types and if the client support GZIP then the response will be compressed.

Example usage:

curl --compressed http://127.0.0.1:4141/security.txt

• CI: golangci-lint v2 by @mmetc in #108
• enhance: Add gzip middleware to compress when a client can accept it by @LaurenceJJones in #110
• enhance: Add proper headers to prompt for basic auth by @LaurenceJJones in #111
• CI: uv+ruff by @mmetc in #109

Full Changelog: v0.0.4...v0.0.5

v0.0.4

What's Changed

• allow to specify 'scopes' in the configuration by @buixor in #93
• Use go 1.22 by @j3n57h0m45 in #96
• update dependencies by @j3n57h0m45 in #97
• refactor mikrotik formatter by @j3n57h0m45 in #98
• Update docker readme by @j3n57h0m45 in #99
• fix functional test (to pass with latest crowdsec image) by @mmetc in #104
• CI: cache pipenv dependencies by @mmetc in #105
• make: remove redundant go version check by @mmetc in #103
• make: remove redundant build flags by @mmetc in #106
• update dependencies by @mmetc in #102
• Implement Juniper SRX formatter by @tony-butchart in #101
• make: report docker platform with --version by @mmetc in #107
• fix generated RouterOS script, clean up template by @j3n57h0m45 in #100

New Contributors

• @buixor made their first contribution in #93
• @j3n57h0m45 made their first contribution in #96
• @tony-butchart made their first contribution in #101

Full Changelog: v0.0.3...v0.0.4

v0.0.4-rc2

What's Changed

• allow to specify 'scopes' in the configuration by @buixor in #93
• Use go 1.22 by @j3n57h0m45 in #96
• update dependencies by @j3n57h0m45 in #97
• refactor mikrotik formatter by @j3n57h0m45 in #98
• Update docker readme by @j3n57h0m45 in #99
• fix functional test (to pass with latest crowdsec image) by @mmetc in #104
• CI: cache pipenv dependencies by @mmetc in #105
• make: remove redundant go version check by @mmetc in #103
• make: remove redundant build flags by @mmetc in #106
• update dependencies by @mmetc in #102
• Implement Juniper SRX formatter by @tony-butchart in #101
• make: report docker platform with --version by @mmetc in #107
• fix generated RouterOS script, clean up template by @j3n57h0m45 in #100

New Contributors

• @buixor made their first contribution in #93
• @j3n57h0m45 made their first contribution in #96
• @tony-butchart made their first contribution in #101

Full Changelog: v0.0.3...v0.0.4-rc2

v0.0.4-rc1

What's Changed

• use go 1.21.6 by @mmetc in #87
• lint by @mmetc in #90
• revert preventing the build. This will be done pipeline side. by @sabban in #92
• allow to specify 'scopes' in the configuration by @buixor in #93
• Use go 1.22 by @j3n57h0m45 in #96
• update dependencies by @j3n57h0m45 in #97
• refactor mikrotik formatter by @j3n57h0m45 in #98
• Update docker readme by @j3n57h0m45 in #99

New Contributors

• @buixor made their first contribution in #93
• @j3n57h0m45 made their first contribution in #96

Full Changelog: v0.0.3...v0.0.4-rc1

v0.0.3

What’s Changed

• lint (#90) @mmetc
• use go 1.21.6 (#87) @mmetc
• Makefile: use GO macro if set, to check for version (#85) @mmetc
• logging: full standard timestamp with timezone (yyyy-mm-dd) (#86) @mmetc
• update golangci-lint, lint fixes (#84) @mmetc
• add new formatter (#77) @LaurenceJJones
• update dependency on crowdsec, go-cs-bouncer (#83) @mmetc
• use go 1.21.5 (#82) @mmetc
• Release action: fix asset upload (#81) @mmetc
• update dependencies on crowdsec, go-cs-bouncer, go-cs-lib (#80) @mmetc
• force raw output on cscli during install (#79) @mmetc
• fix vendor packaging (#78) @mmetc
• alternate vendor file (xz compression and version number) (#76) @mmetc
• update go version, golangci-lint and test dependencies (#75) @mmetc
• update crowdsec dependency (#74) @mmetc
• Support option "retry_initial_connect" (#73) @mmetc
• Use go 1.20.6 (#72) @mmetc
• CI: run codeql in lint.yml (#70) @mmetc
• cross-platform interrupt handler (#69) @mmetc
• update go.mod to remove dependency from wasm (#71) @mmetc
• add vendor.tgz to release (#68) @mmetc
• Use go 1.20.5 (#66) @mmetc
• test bouncer registration with tls (#65) @mmetc
• update dependencies to crowdsec 1.5.2; allow build with devel version of go (#61) @mmetc
• test tls: allowed ou in client cert (#64) @mmetc
• notify systemd and handle SIGINT/SIGTERM (#62) @mmetc
• respect log permissions if file already exists (#63) @mmetc
• substitute envvars in config file (#34) @mmetc
• use go-cs-lib (#59) @mmetc
• move main entrypoint to cmd/root.go (#58) @mmetc
• deb, rpm: handle api key creation (skip/ignore) with .yaml.local or remote LAPI (#57) @mmetc
• include _bouncer.sh in release tarballs (#56) @mmetc

v0.0.3-rc6

What’s Changed

• revert preventing the build. This will be done pipeline side. (#92) @sabban
• lint (#90) @mmetc
• use go 1.21.6 (#87) @mmetc
• static build require not to build at package creation time (#89) @sabban
• Makefile: use GO macro if set, to check for version (#85) @mmetc
• logging: full standard timestamp with timezone (yyyy-mm-dd) (#86) @mmetc
• update golangci-lint, lint fixes (#84) @mmetc
• add new formatter (#77) @LaurenceJJones
• update dependency on crowdsec, go-cs-bouncer (#83) @mmetc
• use go 1.21.5 (#82) @mmetc
• Release action: fix asset upload (#81) @mmetc
• update dependencies on crowdsec, go-cs-bouncer, go-cs-lib (#80) @mmetc
• force raw output on cscli during install (#79) @mmetc
• fix vendor packaging (#78) @mmetc
• alternate vendor file (xz compression and version number) (#76) @mmetc
• update go version, golangci-lint and test dependencies (#75) @mmetc
• update crowdsec dependency (#74) @mmetc
• Support option "retry_initial_connect" (#73) @mmetc
• Use go 1.20.6 (#72) @mmetc
• CI: run codeql in lint.yml (#70) @mmetc
• cross-platform interrupt handler (#69) @mmetc
• update go.mod to remove dependency from wasm (#71) @mmetc
• add vendor.tgz to release (#68) @mmetc
• Use go 1.20.5 (#66) @mmetc
• test bouncer registration with tls (#65) @mmetc
• update dependencies to crowdsec 1.5.2; allow build with devel version of go (#61) @mmetc
• test tls: allowed ou in client cert (#64) @mmetc
• notify systemd and handle SIGINT/SIGTERM (#62) @mmetc
• respect log permissions if file already exists (#63) @mmetc
• substitute envvars in config file (#34) @mmetc
• use go-cs-lib (#59) @mmetc
• move main entrypoint to cmd/root.go (#58) @mmetc
• deb, rpm: handle api key creation (skip/ignore) with .yaml.local or remote LAPI (#57) @mmetc
• include _bouncer.sh in release tarballs (#56) @mmetc