Releases: static-web-server/static-web-server
v2.40.1
This new patch v2.40.1 release brings important security bug fixes for users serving directories with symbolic links (symlinks) as well as other minor improvements.
Security vulnerability patch
This particular release patches a symbolic link path traversal vulnerability (GHSA-459f-x8vq-xjjm).
Any web server that runs with elevated privileges (e.g., root/administrator) and handles user-supplied file uploads is primarily impacted.
We encourage users to update as soon as possible.
Fixes
- 9b7297c Update dependencies like async-compression, log, libc and others. #599 by @joseluisq
- 308f0d2 Fix incorrect symbolic link handling by @joseluisq
Refactorings
- ce3a51c CI: Dedicated workflow for project documentation checks. #596 by @joseluisq
- dd43d06 Misc: Markdown format check support for project documentation. #597 by @mschoettle
For more details see the v2.40.1 milestone and the full changelog v2.40.0...v2.40.1.
v2.40.0
This new v2.40.0 release introduces important security bug fixes, performance, resource, and binary size optimisations, rootless Debian and Alpine Docker images, support for content negotiation of Markdown files and other enhancements.
For more details about the changes, take a look at the corresponding PR and documentation links.
Fixes
- 55562a1 Update dependencies like rustls, tracing, async-compression, clap, bytes and others. #582, #589 by @joseluisq
- 0fedeb3 library: Crate documentation issues. #583 by @joseluisq
Features
- ee4b049 Add armv7-unknown-linux-gnueabihf target. #586 by @joseluisq
- 2c25d82 Content negotiation for Markdown files via Accept header. #577 by @davlgd, see docs.
- 326abbe library: Add exit_on_error option to Server::run_server_on_rt function to control server termination. #578 by @frnsys
Refactorings
- c66c791 Docker: Prefer dynamically-linked binaries for Debian Docker images, which reduces containers' memory usage significantly. #588 by @joseluisq
- afddfd6 Drop jemalloc in favour of mimalloc for MUSL targets, which reduces statically-linked binaries' memory usage. #587 by @joseluisq
- 557363e Replace regex crate with regex-lite to reduce binary size. #581 by @joseluisq
- b234984 Docker: Rootless Debian and Alpine Docker images, which reduce the attack surface and improve security. #567 by @joseluisq, read the docs.
  - Update for Docker users: Only if you are using the default /public directory as Docker volume without any --root or SERVER_ROOT env, then change it to point to /var/public instead or provide a custom root directory.
- d48da4c Simplify the default public directory of Docker image and default error pages, which improves the default index and error pages' responsiveness in the browser. #579 by @joseluisq
- ce5b4fa Drop lazy_static and prefer fixed text mime types for dynamic compression. #580 by @joseluisq
- ea9f43f CI: Move perfcheck workflow behind a PR comment trigger. #584 by @joseluisq
For more details see the v2.40.0 milestone and the full changelog v2.39.0...v2.40.0.
v2.39.0
This new v2.39.0 release brings important security bug fixes, updates to project dependencies and Docker images, as well as other improvements.
This release fixes CVE-2025-62518 (a.k.a. TARmageddon).
Additionally, the project Minimum Supported Rust Version (MSRV) has been bumped to Rust 1.85.0 (2024 Edition).
Fixes
- 57025e3 Update dependencies and MSRV to Rust 1.85.0 (2024 Edition). PR #572 by @joseluisq
- a7e8fa3 Update Alpine (3.21.5) & Debian (12.12) Docker images. PR #573 by @joseluisq
- 2549119 Virtual hosts feature doesn't work with HTTP/2. PR #571 by @CrazyCraftix
For more details see the v2.39.0 milestone and the full changelog v2.38.1...v2.39.0.
v2.38.1
This new v2.38.1 release brings several security and bug fixes and improvements for the Cache Control feature.
Fixes
- c5477fe Bugfix/security dependency updates including tokio, rustls, serde, toml, percent-encoding, tracing, regex and other crates. PR #556, #561 by @joseluisq
- 2a09238 Update Alpine Docker images to 3.21.4. #563 by @joseluisq
Refactorings
- 0b55770 Remove public from Cache-Control header value when feature is enabled. This can prevent CDN and Basic Authentication cache issues. PR #562 by @joseluisq
For more details, see the v2.38.1 milestone and the full changelog v2.38.0...v2.38.1.
v2.38.0
This new v2.38.0 release brings several security and bug fixes and support for a less-generic sws.toml default config file as well as other improvements.
Fixes
- 8c435ad Bugfix/security dependency updates including tokio, rustls, serde, toml, async-compression, clap and other crates. PR #552 by @joseluisq
- 47ce050 Update Alpine (3.20.7) & Debian (12.11) Docker images. PR #553 by @joseluisq
Features
- acd8388 Add a less-generic config file sws.toml support as default. PR #551 by @davlgd.
  - Migration: The previous default config.toml file name will be supported for a while, but it's recommended to use sws.toml instead.
For more details see the v2.38.0 milestone and the full changelog v2.37.0...v2.38.0.
v2.37.0
This new v2.37.0 release brings several security and bug fixes, new features like the possibility to download directories as tarballs and better control for server log ANSI output, end of support for a few unmaintained Windows platforms, and other improvements.
End of support for unmaintained Windows 7, 8, 8.1 platforms
As anticipated in v2.36.1, SWS no longer supports Windows 7, 8, and 8.1 platforms. SWS now requires Rust 1.82.0 or later to build, and the minimum supported Windows platform is Windows 10.
Cargo experimental feature restored
The Cargo experimental feature is part of the binary release again (v2.37.0 and future releases).
Fixes
- b56e3c4 Bugfix/security dependency updates including tokio, rustls, chrono, flate2, windows-service, serde and other crates. SWS now requires Rust 1.82.0 or later to build. PR #546, #545 by @joseluisq
- a384d92 Update Alpine 3.20.6 and Debian 12.10 Docker images. PR #539 by @joseluisq
- cb19995 Generic server log info output even on higher log levels. PR #542 by @joseluisq fixes #541 reported by @Tasssadar.
Features
- 89f5846 Support for downloading a directory as a compressed tarball (tar.gz) via the new --directory-listing-download=targz option. PR #544 by @ekangmonyet resolves #67 suggested by @shirshak55. See docs.
- 0236980 Control log ANSI output via new boolean --log-with-ansi=true option (SWS is now no-ANSI by default). PR #543 resolves #540 suggested by @Tasssadar. See docs.
Refactorings
- Misc: 5d1eaac Automate post-release updates using CI. PR #538 by @joseluisq
For more details see the v2.37.0 milestone and the full changelog v2.36.1...v2.37.0.
Acknowledgments
Thanks to our new donor @mrkesu for supporting the project.
v2.36.1
This new v2.36.1 release brings several security and bug fixes and is the last version supporting legacy Windows 7, 8, 8.1 platforms.
Security patch for RUSTSEC-2024-0437
This release temporarily removes the experimental Cargo feature from the resulting static-web-server binary (but not the Cargo feature itself) to prevent shipping the security vulnerability (RUSTSEC-2024-0437 #530) in this release.
The experimental Cargo feature (that includes experimental features like metrics and in-memory cache) will be restored to be part of the binary again in the next release.
End support for unmaintained Windows 7, 8, 8.1 platforms
As we mentioned a year ago (#447), SWS would not continue supporting legacy Windows 7, 8, and 8.1 platforms for much longer, since Microsoft stopped support for Windows 7 in 2020 and Rust has required Windows 10 as the minimum supported platform since 1.78.
Today, we announce that v2.36.1 is the last release supporting such legacy platforms and having Rust 1.76.0 as MSRV.
Future releases will bump up the MSRV when convenient and will require Windows 10 as the minimum supported platform.
However, although we will try to provide a patch for users wanting to build SWS manually for those legacy platforms in the future, we cannot fully guarantee that SWS will continue building for the aforementioned platforms.
Fixes
- ad4c171 Bugfix/security dependency updates including tokio, httparse, ring, rustls, bytes, serde and other crates. PR #532.
- 5fbd0c5 CORS: Add missing Origin to the Vary header value when CORS feature is enabled. PR #534 resolves #533 reported by @rbozan.
For more details see the v2.36.1 milestone and the full changelog v2.36.0...v2.36.1.
v2.36.0
This new v2.36.0 release brings several security and bug fixes, a bugfix for the trailing slash redirect, a new feature to log from the X-Real-IP HTTP header, as well as other improvements.
Fixes
- aadca81 Bugfix/security dependency updates including httparse, rustls, clap, bcrypt, maud, bytes and other crates. PR #524.
- 99aa74d Docker: Update Alpine (3.19.6) and Debian (12.9) Docker images. PR #518.
- a639039 Add missing query string to the URI trailing slash redirect. PR #523.
Features
Refactorings
- 8fa9cda Improve fallback page path checking and logging. PR #522.
- 0053d74 CI: Improve post-release updates workflow. PR #525.
For more details see the v2.36.0 milestone and the full changelog v2.35.0...v2.36.0.
v2.35.0
This new v2.35.0 release brings several security and bug fixes, a bugfix for the directory listing, new development Docker images, as well as other improvements.
Fixes
- c236674 Bugfix/security dependency updates including hyper, tokio, rustls, glob, serde, time and other crates. PR #515.
- 206900b Directory listing HTML content outside of body tag. PR #511 by @alxv-su.
- 35bb607 CI: NetBSD 9.2 broken source link used by cross CI cross-compiling tool. PR #513
Features
- b46a7a0 Docker: Development Docker images based on master branch changes. PR #512 by @joseluisq and co-authored by @mschoettle. See docs.
Refactorings
Docs
For more details see the v2.35.0 milestone and the full changelog v2.34.0...v2.35.0.
Acknowledgments
Thanks to our new donor @thumbert for supporting the project.
v2.34.0
This new v2.34.0 release brings several security and bug fixes, better X-Forwarded-For handling and other improvements.
Breaking
- URL Redirects/Rewrites: Single Glob wildcard (*) will no longer match a path separator (/) in source but double wildcard (**) can be used instead if wanted. See docs below.
- Log Remote Address: log-remote-address option will no longer log from the X-Forwarded-For header by default. It has to be opted-in together with the new log-forwarded-for option. See docs below.
Fixes
- 93479ba Bugfix/security dependency updates including tokio, rustls, regex, tracing, flate2, serde, async-compression and other crates. PR #502.
- 4ed4bb4 Docker: Update Alpine (3.19.4) and Debian (12.8) Docker images. PR #505.
- 0768c20 CI: Update deprecated macos-12 GitHub Actions runner to macos-14.
Features
- 13e3f38 Better X-Forwarded-For handling via the new log-forwarded-for and trusted-proxies options. PR #495 by @Jeidnx. See docs.
Refactorings
- 96ed7df breaking: Prevent single Glob wildcard (*) from matching a path separator (/) in URL Redirect's source. PR #501 by @mschoettle. See docs.
- 2737f4c breaking: Prevent single Glob wildcard (*) from matching a path separator (/) in URL Rewrite's source. PR #506 by @mschoettle. See docs.
- 5516b6a Misc: Improve tests for URL Redirects feature. PR #503 by @mschoettle.
Docs
- e1a73c0 Add contributing, code of conduct and code guidelines pages.
- 12387a8 Improve docs configuration and fix some anchor links. PR #504 by @mschoettle. See docs.
- cd11bd6 Replace the deprecated TrueNAS Scale option with TrueCharts. PR #486 by @ctag. See docs.
For more details see the v2.34.0 milestone and the full changelog v2.33.1...v2.34.0.