Skip to content

NGINX Node Artifact Versions and Changelog

This document lists available versions of the NGINX Wallarm Node 6.x in various form factors, helping you track releases and plan upgrades.

All-in-one installer

Since version 4.10, installation and upgrading of Wallarm nodes is performed only with all all-in-one installer. Manual upgrade with individual Linux packages is not supported anymore.

History of all-in-one installer updates simultaneously applies to it's x86_64 and ARM64 versions.

How to migrate from DEB/RPM packages

How to migrate from previous all-in-one installer version

6.7.0 (2025-11-05)

  • Added support for Ubuntu 25.10 (Questing Quokka)

  • Added support for CentOS 10 Stream

  • Added support for Oracle Linux 10.x

  • Added support for NGINX mainline 1.29.2 and 1.29.3

  • Updated AlmaLinux 9 support to include the latest package updates

  • Introduced JA4 fingerprinting in the NGINX node

    JA4 fingerprints help detect threats and malicious clients based on TLS handshake characteristics. JA4 fingerprints are used as an additional factor when deciding to block a request.

    The feature is disabled by default. To enable it, add the following NGINX directive inside the http or server block:

    wallarm_fingerprint on;

  • Introduced the wallarm_fingerprint_ja4_raw and wallarm_fingerprint_ja4 variables to configure extended logging when JA4 fingerprinting is enabled

  • Improved Node initialization logs — added detailed information about component type, supported versions, error source, API endpoint, and Node UUID to simplify troubleshooting during the initialization stage

  • Fixed the CVE-2025-58188 vulnerability

  • Fixed the issue where the Node raised an error when a JWT token was sent in the Authorization: Bearer header

  • Fixed invalid type error when editing automatically created rules for attacks detected in gRPC responses

6.6.1 (2025-10-16)

6.6.0 (2025-10-03)

  • Changed the default wstore binding to IPv4 (tcp4), it now listens only on IPv4 instead of dual‑stack

    If your configuration uses localhost for wstore, update it to 127.0.0.1.

  • Introduced protocol selection (tcp, tcp4, tcp6) using the WALLARM_WSTORE__SERVICE__PROTOCOL environment variable, which can be set in /opt/wallarm/env.list

    The default value is "tcp4".

  • Fixed an issue where response context parameters configured in API Sessions were not uploaded to the Wallarm Cloud

  • Introduced a new Prometheus metric wallarm_wcli_job_export_period to track the average export delay for each wcli job (e.g., reqexp, blkexp, botexp)

  • Introduced a new $wallarm_mode variable for extended logging

    This variable returns the final filtration mode applied to a malicious request, taking into account both local settings and those from the Wallarm Cloud (e.g., rules and mitigation controls) with their prioritization.

  • Updated the wording on the Wallarm-branded block page, the page now looks as follows:

    Wallarm blocking page

6.5.1 (2025-09-09)

6.4.1 (2025-08-07)

  • Added Prometheus metrics support for API Specification Enforcement service operation (based on the built-in API Firewall service):

    • Enable with APIFW_METRICS_ENABLED=true in /opt/wallarm/env.list
    • Default endpoint: :9010/metrics
    • Host and endpoint name configurable via variables APIFW_METRICS_HOST and APIFW_METRICS_ENDPOINT_NAME

6.4.0 (2025-07-31)

  • Introduced a new wallarm_block_reason variable for extended logging

    This variable adds to the log an information on reason of request blocking (detected attack, part of bot activity, Denylist etc.)

  • Fixed the stuffed credentials export to the Cloud

  • Improved GraphQL parser

  • Bug fixes and internal improvements

6.3.1 (2025-07-23)

  • Fixed memory leak

6.3.0 (2025-07-08)

6.2.1 (2025-06-23)

  • Minor internal file structure change

6.2.0 (2025-06-20)

  • Added support for mitigation control-based GraphQL API Protection

  • Optimized stream handling for gRPC traffic

  • Introduced the wallarm_max_request_stream_message_size and wallarm_max_request_stream_size NGINX directives to control the maximum size of a single message payload and an entire stream body, respectively, in gRPC and WebSocket traffic

  • Added the streams and messages parameters to the /wallarm-status service output to report the number of processed gRPC/WebSocket streams and messages

  • Introduced the wallarm_max_request_body_size NGINX directive to control the maximum size of an HTTP request body analyzed by the Node

  • Added support for SSL/TLS and mTLS between the NGINX-Wallarm module and the postanalytics module when they are installed separately

  • Fixed wstore ports binding: now bound to 127.0.0.1 instead of 0.0.0.0

  • Minor bug fixes

6.1.0 (2025-05-09)

  • Added support for enumeration mitigation controls

  • Added support for DoS protection mitigation control

  • Bugfix: Attacks originated from allowlisted sources are no longer shown in the Attacks section

  • wstore logs now include "component": "wstore" for easier identification

6.0.3 (2025-05-07)

  • Added support for Amazon Linux 2

  • Fixed the installation issues with custom NGINX

6.0.2 (2025-04-29)

  • Added support for NGINX stable 1.28.0

  • Added support for NGINX mainline 1.27.5

6.0.1 (2025-04-22)

6.0.0 (2025-04-03)

  • Initial release 6.0, see changelog

  • Added support for NGINX Plus R34

Helm chart for Wallarm NGINX Ingress controller

How to upgrade

6.7.0 (2025-11-05)

  • Updated Community Ingress NGINX Controller 1.11.8 support to align with the latest upstream updates

  • Introduced JA4 fingerprinting in the NGINX node

    JA4 fingerprints help detect threats and malicious clients based on TLS handshake characteristics. JA4 fingerprints are used as an additional factor when deciding to block a request.

    The feature is disabled by default. To enable it, add the following NGINX directive inside the http or server block:

    wallarm_fingerprint on;

  • Introduced the wallarm_fingerprint_ja4_raw and wallarm_fingerprint_ja4 variables to configure extended logging when JA4 fingerprinting is enabled

  • Improved Node initialization logs — added detailed information about component type, supported versions, error source, API endpoint, and Node UUID to simplify troubleshooting during the initialization stage

  • Updated default values for wcli Controller metrics:

  • Switched to native HTTP readiness and liveness probes for the wstore component

  • Fixed the CVE-2025-58188 vulnerability

  • Fixed the issue where the Node raised an error when a JWT token was sent in the Authorization: Bearer header

  • Fixed invalid type error when editing automatically created rules for attacks detected in gRPC responses

6.6.2 (2025-10-16)

6.6.1 (2025-10-08)

  • Fixed the postanalytics (wstore) liveness probe to align with the serviceProtocol setting

    When serviceProtocol is set to tcp4, the probe now explicitly uses IPv4, preventing restarts for dual-stack/IPv6 clusters.

6.6.0 (2025-10-03)

6.5.1 (2025-09-09)

6.4.0 (2025-07-31)

  • Introduced a new wallarm_block_reason variable for extended logging

    This variable adds to the log an information on reason of request blocking (detected attack, part of bot activity, Denylist etc.)

  • Fixed the stuffed credentials export to the Cloud

  • Improved GraphQL parser

  • Bug fixes and internal improvements

6.3.1 (2025-07-23)

  • Fixed memory leak

6.3.0 (2025-07-08)

6.2.0 (2025-06-20)

  • Added support for mitigation control-based GraphQL API Protection

  • Optimized stream handling for gRPC traffic

  • Optimized stream handling for gRPC traffic

  • Introduced the wallarm_max_request_stream_message_size and wallarm_max_request_stream_size NGINX directives to control the maximum size of a single message payload and an entire stream body, respectively, in gRPC and WebSocket traffic

  • Added the streams and messages parameters to the /wallarm-status service output to report the number of processed gRPC/WebSocket streams and messages

  • Introduced the wallarm_max_request_body_size NGINX directive to control the maximum size of an HTTP request body analyzed by the Node

  • Added support for SSL/TLS and mTLS between the Filtering Node and the postanalytics module

  • Split the unified controller.wallarm.wcli component in values.yaml into 2 separately configurable units: wcliController and wcliPostanalytics, allowing fine-grained control over containers

  • Minor bug fixes

6.1.0 (2025-05-09)

  • Bugfix: Attacks originated from allowlisted sources are no longer shown in the Attacks section

  • wstore logs now include "component": "wstore" for easier identification

6.0.2 (2025-04-25)

  • Added the validation.enableCel parameter to enable validation of Ingress resources via Validating Admission Policies

6.0.1 (2025-04-22)

6.0.0 (2025-04-03)

Helm chart for Sidecar

How to upgrade

6.7.0 (2025-11-05)

  • Introduced JA4 fingerprinting in the NGINX node

    JA4 fingerprints help detect threats and malicious clients based on TLS handshake characteristics. JA4 fingerprints are used as an additional factor when deciding to block a request.

    The feature is disabled by default. To enable it, add the following NGINX directive inside the http or server block:

    wallarm_fingerprint on;

  • Introduced the wallarm_fingerprint_ja4_raw and wallarm_fingerprint_ja4 variables to configure extended logging when JA4 fingerprinting is enabled

  • Improved Node initialization logs — added detailed information about component type, supported versions, error source, API endpoint, and Node UUID to simplify troubleshooting during the initialization stage

  • Fixed the CVE-2025-58188 vulnerability

  • Fixed the issue where the Node raised an error when a JWT token was sent in the Authorization: Bearer header

  • Fixed invalid type error when editing automatically created rules for attacks detected in gRPC responses

6.6.1 (2025-10-16)

6.6.0 (2025-10-03)

  • Changed the default wstore binding to IPv4 (tcp4), it now listens only on IPv4 instead of dual‑stack

  • Introduced protocol selection (tcp, tcp4, tcp6) in Ingress values (postanalytics.wstore.config.serviceProtocol)

    The default value is "tcp4".

  • Changed the default value of postanalytics.wstore.config.serviceAddress to "0.0.0.0:3313"

    This allows IPv4 traffic only. If you are using a custom value, make sure it matches the selected postanalytics.wstore.config.serviceProtocol.

  • Fixed an issue where response context parameters configured in API Sessions were not uploaded to the Wallarm Cloud

  • Introduced a new Prometheus metric wallarm_wcli_job_export_lag to track the average export delay for each wcli job (e.g., reqexp, blkexp, botexp)

  • Introduced a new $wallarm_mode variable for extended logging

    This variable returns the final filtration mode applied to a malicious request, taking into account both local settings and those from the Wallarm Cloud (e.g., rules and mitigation controls) with their prioritization.

  • Updated the wording on the Wallarm-branded block page, the page now looks as follows:

    Wallarm blocking page

  • Fixed the following vulnerabilities:

6.5.1 (2025-09-09)

6.4.0 (2025-07-31)

  • Introduced a new wallarm_block_reason variable for extended logging

    This variable adds to the log an information on reason of request blocking (detected attack, part of bot activity, Denylist etc.)

  • Fixed the stuffed credentials export to the Cloud

  • Improved GraphQL parser

  • Bug fixes and internal improvements

6.3.1 (2025-07-23)

  • Fixed memory leak

6.3.0 (2025-07-08)

6.2.0 (2025-06-20)

  • Added support for mitigation control-based GraphQL API Protection

  • Optimized stream handling for gRPC traffic

  • Optimized stream handling for gRPC traffic

  • Added support for SSL/TLS and mTLS between the Filtering Node and the postanalytics module

  • Bump Alpine version to 3.22

  • Upgrade NGINX to version 1.28.0

  • Minor bug fixes

6.1.0 (2025-05-09)

  • Bugfix: Attacks originated from allowlisted sources are no longer shown in the Attacks section

  • wstore logs now include "component": "wstore" for easier identification

6.0.1 (2025-04-22)

6.0.0 (2025-04-03)

NGINX-based Docker image

How to upgrade

6.7.0 (2025-11-05)

  • Introduced JA4 fingerprinting in the NGINX node

    JA4 fingerprints help detect threats and malicious clients based on TLS handshake characteristics. JA4 fingerprints are used as an additional factor when deciding to block a request.

    The feature is disabled by default. To enable it, add the following NGINX directive inside the http or server block:

    wallarm_fingerprint on;

  • Introduced the wallarm_fingerprint_ja4_raw and wallarm_fingerprint_ja4 variables to configure extended logging when JA4 fingerprinting is enabled

  • Improved Node initialization logs — added detailed information about component type, supported versions, error source, API endpoint, and Node UUID to simplify troubleshooting during the initialization stage

  • Fixed the CVE-2025-58188 vulnerability

  • Fixed the issue where the Node raised an error when a JWT token was sent in the Authorization: Bearer header

  • Fixed invalid type error when editing automatically created rules for attacks detected in gRPC responses

6.6.1 (2025-10-16)

6.6.0 (2025-10-03)

  • Changed the default wstore binding to IPv4 (tcp4), it now listens only on IPv4 instead of dual‑stack

    If your configuration uses localhost for wstore, update it to 127.0.0.1.

  • Introduced protocol selection (tcp, tcp4, tcp6) via the WALLARM_WSTORE__SERVICE__PROTOCOL environment variable

    The default value is "tcp4".

  • Fixed an issue where response context parameters configured in API Sessions were not uploaded to the Wallarm Cloud

  • Introduced a new Prometheus metric wallarm_wcli_job_export_lag to track the average export delay for each wcli job (e.g., reqexp, blkexp, botexp)

  • Fixed an issue where Docker container logs showed a false error about inability to connect to port 3313 when upstream wallarm_wstore was configured with localhost instead of 127.0.0.1

    False error example:

    2025/09/11 15:49:07 [error] 33#33: wallarm: [::1]:3313 connect() failed 21

  • Introduced a new $wallarm_mode variable for extended logging

    This variable returns the final filtration mode applied to a malicious request, taking into account both local settings and those from the Wallarm Cloud (e.g., rules and mitigation controls) with their prioritization.

  • Included an SBOM in the image by default, you can retrieve it using the following command:

    docker sbom wallarm/node:6.6.1

  • Updated the wording on the Wallarm-branded block page, the page now looks as follows:

    Wallarm blocking page

  • Fixed the following vulnerabilities:

6.5.1 (2025-09-09)

6.4.1 (2025-08-07)

  • Added Prometheus metrics support for API Specification Enforcement service operation (based on the built-in API Firewall service):

    • Enable with the environment variable APIFW_METRICS_ENABLED=true
    • Default endpoint: :9010/metrics
    • Expose the metrics port in your container (e.g., for the default state, use -p 9010:9010)
    • Host and endpoint name configurable via variables APIFW_METRICS_HOST and APIFW_METRICS_ENDPOINT_NAME

6.4.0 (2025-07-31)

  • Introduced a new wallarm_block_reason variable for extended logging

    This variable adds to the log an information on reason of request blocking (detected attack, part of bot activity, Denylist etc.)

  • Fixed the stuffed credentials export to the Cloud

  • Improved GraphQL parser

  • Bug fixes and internal improvements

6.3.1 (2025-07-23)

  • Fixed memory leak

6.3.0 (2025-07-08)

6.2.0 (2025-06-20)

  • Added support for mitigation control-based GraphQL API Protection

  • Optimized stream handling for gRPC traffic

  • Optimized stream handling for gRPC traffic

  • Added the streams and messages parameters to the /wallarm-status service output to report the number of processed gRPC/WebSocket streams and messages

  • Added support for SSL/TLS and mTLS between the NGINX-Wallarm module and the postanalytics module when they are installed separately

  • Fixed wstore ports binding: now bound to 127.0.0.1 instead of 0.0.0.0

  • Bump Alpine version to 3.22

  • Upgrade NGINX to version 1.28.0

  • Minor bug fixes

6.1.0 (2025-05-09)

  • Bugfix: Attacks originated from allowlisted sources are no longer shown in the Attacks section

  • wstore logs now include "component": "wstore" for easier identification

6.0.1 (2025-04-22)

6.0.0 (2025-04-03)

Amazon Machine Image (AMI)

How to upgrade

6.6.1 (2025-10-16)

6.6.0 (2025-10-03)

  • Changed the default wstore binding to IPv4 (tcp4), it now listens only on IPv4 instead of dual‑stack

    If your configuration uses localhost for wstore, update it to 127.0.0.1.

  • Introduced protocol selection (tcp, tcp4, tcp6) using the WALLARM_WSTORE__SERVICE__PROTOCOL environment variable, which can be set in /opt/wallarm/env.list

    The default value is "tcp4".

  • Fixed an issue where response context parameters configured in API Sessions were not uploaded to the Wallarm Cloud

  • Introduced a new Prometheus metric wallarm_wcli_job_export_lag to track the average export delay for each wcli job (e.g., reqexp, blkexp, botexp)

  • Introduced a new $wallarm_mode variable for extended logging

    This variable returns the final filtration mode applied to a malicious request, taking into account both local settings and those from the Wallarm Cloud (e.g., rules and mitigation controls) with their prioritization.

  • Updated the wording on the Wallarm-branded block page, the page now looks as follows:

    Wallarm blocking page

6.5.1 (2025-09-09)

6.4.0 (2025-07-31)

  • Introduced a new wallarm_block_reason variable for extended logging

    This variable adds to the log an information on reason of request blocking (detected attack, part of bot activity, Denylist etc.)

  • Fixed the stuffed credentials export to the Cloud

  • Improved GraphQL parser

  • Bug fixes and internal improvements

6.3.1 (2025-07-23)

  • Fixed memory leak

6.3.0 (2025-07-08)

6.2.0 (2025-06-20)

  • Added support for mitigation control-based GraphQL API Protection

  • Optimized stream handling for gRPC traffic

  • Optimized stream handling for gRPC traffic

  • Added the streams and messages parameters to the /wallarm-status service output to report the number of processed gRPC/WebSocket streams and messages

  • Added support for SSL/TLS and mTLS between the NGINX-Wallarm module and the postanalytics module when they are installed separately

  • Fixed wstore ports binding: now bound to 127.0.0.1 instead of 0.0.0.0

  • Minor bug fixes

6.1.0 (2025-05-09)

  • Bugfix: Attacks originated from allowlisted sources are no longer shown in the Attacks section

  • wstore logs now include "component": "wstore" for easier identification

6.0.1 (2025-04-22)

6.0.0 (2025-04-03)

Google Cloud Platform Image

How to upgrade

wallarm-node-6-6-1-20251015-165327 (2025-10-16)

wallarm-node-6-6-0-20251005-044509 (2025-10-03)

  • Changed the default wstore binding to IPv4 (tcp4), it now listens only on IPv4 instead of dual‑stack

    If your configuration uses localhost for wstore, update it to 127.0.0.1.

  • Introduced protocol selection (tcp, tcp4, tcp6) using the WALLARM_WSTORE__SERVICE__PROTOCOL environment variable, which can be set in /opt/wallarm/env.list

    The default value is "tcp4".

  • Fixed an issue where response context parameters configured in API Sessions were not uploaded to the Wallarm Cloud

  • Introduced a new Prometheus metric wallarm_wcli_job_export_lag to track the average export delay for each wcli job (e.g., reqexp, blkexp, botexp)

  • Introduced a new $wallarm_mode variable for extended logging

    This variable returns the final filtration mode applied to a malicious request, taking into account both local settings and those from the Wallarm Cloud (e.g., rules and mitigation controls) with their prioritization.

  • Updated the wording on the Wallarm-branded block page, the page now looks as follows:

    Wallarm blocking page

wallarm-node-6-5-1-20250908-174655 (2025-09-09)

  • Added support for blocking attackers by API sessions

  • Relaxed content-type validation in API Specification Enforcement: requests with image MIME types (image/png, image/jpeg, image/gif, image/webp, image/avif, image/heic, image/heif, image/bmp, image/tiff, image/svg+xml) are no longer rejected

  • Bumped Go version to 1.24

  • Fixed the behavior of the wallarm_wstore_throttle_mode Prometheus metric, which previously did not return to the normal state (0) after throttling ended

wallarm-node-6-4-0-20250730-083353 (2025-07-31)

  • Fixed the stuffed credentials export to the Cloud

  • Improved GraphQL parser

  • Bug fixes and internal improvements

wallarm-node-6-3-1-20250721-082413 (2025-07-23)

  • Fixed memory leak

wallarm-node-6-3-0-20250708-175541 (2025-07-08)

  • In rules, the separator used in xml_tag values that combine a URI, namespace, and tag name has been changed from : to |

  • Internal improvements

wallarm-node-6-2-0-20250618-150224 (2025-06-20)

  • Optimized stream handling for gRPC traffic

  • Added the streams and messages parameters to the /wallarm-status service output to report the number of processed gRPC/WebSocket streams and messages

  • Added support for SSL/TLS and mTLS between the NGINX-Wallarm module and the postanalytics module when they are installed separately

  • Fixed wstore ports binding: now bound to 127.0.0.1 instead of 0.0.0.0

  • Minor bug fixes

wallarm-node-6-1-0-20250508-144827 (2025-05-09)

  • Bugfix: Attacks originated from allowlisted sources are no longer shown in the Attacks section

  • wstore logs now include "component": "wstore" for easier identification

wallarm-node-6-0-1-20250422-104749 (2025-04-22)

wallarm-node-6-0-0-20250403-102125 (2025-04-03)