Release v4.1.4

deploy/docker/qis-as/Dockerfile

@@ -29,7 +29,7 @@ RUN apt-get update && \
 RUN locale-gen en_GB.UTF-8 && update-locale LANG=en_GB.UTF-8 LC_ALL=en_GB.UTF-8
 
 # Build variables
-ARG QIS_VERSION=4.1.3
+ARG QIS_VERSION=4.1.4
 ARG QIS_USER=qis
 ARG QIS_INSTALL_DIR=/opt/qis
 ARG QIS_SAMPLES_DIR=/opt/qis-samples

doc/changelog.md

@@ -1,7 +1,13 @@
-# Unreleased
+# v4.1.4
 _Changes: Allow cross-origin file uploads by default, only use TLS 1.2+ by default,
-add forwarded-for header to Apache access logs, add web session background login API,
-add `.well-known` directory and URL mapping_
+record the forwarded-for header in the Apache access logs, add web session background
+login API, add `.well-known` directory and URL mapping_
+
+To upgrade:
+
+* Update the Python and web code (the `src` folder)
+* Apply the updated Apache configuration - see [upgrading.md](upgrading.md)
+* Restart the Apache service
 
 # v4.1.3
 _Changes: Add Ubuntu 18 support, new guide to running at AWS or on Docker,

doc/upgrading.md

@@ -11,6 +11,41 @@ web server:
 Occasionally however a more involved upgrade is required. These releases are
 flagged in the [change log](changelog.md) and will be documented here.
 
+## v4.1.4
+
+Release 4.1.4 includes a number of changes to the Apache configuration. To
+upgrade an existing configuration, use a text editor to change both of the QIS
+Apache configuration files:
+
+	$ cd /etc/httpd/conf.d/               # CentOS / Red Hat
+	$ cd /etc/apache2/sites-available/    # Debian / Ubuntu
+	$ vi qis.conf
+	$ vi qis-ssl.conf
+
+In the `Alias` section, add a new directory mapping for the new `.well-known` URL:
+
+    Alias /.well-known/    /opt/qis/src/imageserver/static/.well-known/
+
+To modernise the TLS/HTTPS configuration (disables TLS 1.0 and 1.1), change these
+2 `SSL` entries to:
+
+    SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
+    SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+
+To log clients' real IP addresses when behind a proxy server or load balancer,
+change `LogFormat` to:
+
+    LogFormat "%h %{X-Forwarded-For}i %t \"%r\" %>s %B %{X-Time-Taken}o %D %{X-From-Cache}o \"%{User-Agent}i\" \"%{Referer}i\"" imaging
+
+To allow file uploads and API requests from browsers coming from any origin
+**with a valid API token** (this is the new default), set the `Header` lines:
+
+    # Allow other domains to query the data API (required for canvas/zoom image viewer)
+    Header set Access-Control-Allow-Origin "*"
+    Header set Access-Control-Allow-Headers "Origin, Authorization, If-None-Match, Cache-Control, X-Requested-With, X-Csrf-Token"
+    # Allow other domains to see the returned image headers
+    Header set Access-Control-Expose-Headers "Content-Length, X-From-Cache, X-Time-Taken"
+
 ## v2.x to v3.0
 
 Version 3 supports only Python 3. There are no changes to the QIS database or

src/imageserver/__about__.py

@@ -33,7 +33,7 @@
 __source_uri__ = "https://github.com/quru/qis"
 __platforms__ = ["Linux", "Unix", "Mac OSX"]
 
-__version__ = "4.1.3"
+__version__ = "4.1.4"
 
 __author__ = "Quru Ltd"
 __email__ = "[email protected]"