- Another fix for `content-length: -1`. The change in v0.10.7 broke HTTP POST requests.
- Update go dependencies:
- upgraded github.com/quic-go/quic-go v0.47.0 => v0.48.1
- Update go dependencies:
- upgraded github.com/google/pprof v0.0.0-20240910150728-a0b0bb1d4134 => v0.0.0-20241008150032-332c0e1a4a34
- upgraded github.com/pires/go-proxyproto v0.7.0 => v0.8.0
- upgraded golang.org/x/crypto v0.27.0 => v0.28.0
- upgraded golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 => v0.0.0-20241004190924-225e2abe05e6
- upgraded golang.org/x/net v0.29.0 => v0.30.0
- upgraded golang.org/x/sys v0.25.0 => v0.26.0
- upgraded golang.org/x/text v0.18.0 => v0.19.0
- upgraded golang.org/x/time v0.6.0 => v0.7.0
- upgraded golang.org/x/tools v0.25.0 => v0.26.0
- Don't send `content-length: -1` to backends. This caused 400 errors in some configurations. This bug was introduced in v0.10.6.
- Update go: 1.23.2
- Update to quic-go v0.47.0. The release notes point out that a bug in go 1.23 is causing problems with quic. So, we're also setting the go version in `go.mod` back to `1.22.0` for now.
- Update go dependencies:
- upgraded github.com/google/pprof v0.0.0-20240903155634-a8630aee4ab9 => v0.0.0-20240910150728-a0b0bb1d4134
- upgraded github.com/quic-go/qpack v0.5.0 => v0.5.1
- upgraded github.com/quic-go/quic-go v0.46.0 => v0.47.0
- upgraded golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e => v0.0.0-20240909161429-701f63a606c0
- upgraded golang.org/x/tools v0.24.0 => v0.25.0
- Update go: 1.23.1
- Update go dependencies:
- upgraded github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8 => v0.0.0-20240903155634-a8630aee4ab9
- upgraded github.com/onsi/ginkgo/v2 v2.19.1 => v2.20.2
- upgraded github.com/quic-go/qpack v0.4.0 => v0.5.0
- upgraded golang.org/x/crypto v0.26.0 => v0.27.0
- upgraded golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 => v0.0.0-20240904232852-e7e105dedf7e
- upgraded golang.org/x/mod v0.20.0 => v0.21.0
- upgraded golang.org/x/net v0.28.0 => v0.29.0
- upgraded golang.org/x/sys v0.23.0 => v0.25.0
- upgraded golang.org/x/text v0.17.0 => v0.18.0
- upgraded software.sslmate.com/src/go-pkcs12 v0.4.0 => v0.5.0
- Update go: 1.22.6
- Update go dependencies:
- upgraded github.com/beevik/etree v1.4.0 => v1.4.1
- upgraded github.com/google/pprof v0.0.0-20240625030939-27f56978b8b0 => v0.0.0-20240727154555-813a5fbdbec8
- upgraded github.com/onsi/ginkgo/v2 v2.19.0 => v2.19.1
- upgraded github.com/quic-go/quic-go v0.45.2 => v0.46.0
- upgraded golang.org/x/crypto v0.25.0 => v0.26.0
- upgraded golang.org/x/exp v0.0.0-20240707233637-46b078467d37 => v0.0.0-20240719175910-8a7402abbf56
- upgraded golang.org/x/mod v0.19.0 => v0.20.0
- upgraded golang.org/x/net v0.27.0 => v0.28.0
- upgraded golang.org/x/sync v0.7.0 => v0.8.0
- upgraded golang.org/x/sys v0.22.0 => v0.23.0
- upgraded golang.org/x/text v0.16.0 => v0.17.0
- upgraded golang.org/x/time v0.5.0 => v0.6.0
- upgraded golang.org/x/tools v0.23.0 => v0.24.0
- Pick up bug fixes in the quic-go package.
- Update go dependencies:
- upgraded github.com/quic-go/quic-go v0.45.1 => v0.45.2
- upgraded golang.org/x/crypto v0.24.0 => v0.25.0
- upgraded golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8 => v0.0.0-20240707233637-46b078467d37
- upgraded golang.org/x/mod v0.18.0 => v0.19.0
- upgraded golang.org/x/net v0.26.0 => v0.27.0
- upgraded golang.org/x/sys v0.21.0 => v0.22.0
- upgraded golang.org/x/tools v0.22.0 => v0.23.0
- Same as v0.10.0. The v0.10.0 docker image was created before the golang linux/amd64 was ready. So, it used linux/386 instead. v0.10.2 should be OK.
- Same as v0.10.0. The v0.10.0 docker image was created before the golang linux/amd64 was ready. So, it used linux/386 instead. v0.10.1 should be OK.
- When `forwardHttpHeaders` is used, special keywords are automatically expanded from the header values:
  - `${NETWORK}` is either tcp or udp.
  - `${LOCAL_ADDR}` is the local address of the network connection.
  - `${REMOTE_ADDR}` is the remote address of the network connection.
  - `${LOCAL_IP}` is the local IP address of the network connection.
  - `${REMOTE_IP}` is the remote IP address of the network connection.
  - `${SERVER_NAME}` is the server name requested by the client.
  - `${JWT:xxxx}` expands to the value of claim `xxxx` from the ID token.
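The expansion rules above, as an added Go illustration rather than tlsproxy's own implementation: `ConnInfo`, `ExpandHeader` and the sample connection values are assumptions, and so is leaving a keyword the page does not list untouched.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
)

// ConnInfo is a constructed stand-in for per-connection data (not a tlsproxy type).
type ConnInfo struct {
	Network    string            // "tcp" or "udp"
	LocalAddr  string            // e.g. "10.0.0.1:443"
	RemoteAddr string            // e.g. "203.0.113.7:51234"
	ServerName string            // SNI requested by the client
	Claims     map[string]string // claims from the ID token
}

// keyword matches ${NAME} or ${NAME:arg}; only JWT takes an argument.
var keyword = regexp.MustCompile(`\$\{([A-Z_]+)(?::([^}]*))?\}`)

func hostOnly(addr string) string { // strip the port for the *_IP keywords
	if h, _, err := net.SplitHostPort(addr); err == nil {
		return h
	}
	return addr
}

// ExpandHeader substitutes the keywords in one forwardHttpHeaders value.
func ExpandHeader(value string, c ConnInfo) string {
	vars := map[string]string{
		"NETWORK": c.Network, "LOCAL_ADDR": c.LocalAddr, "REMOTE_ADDR": c.RemoteAddr,
		"LOCAL_IP": hostOnly(c.LocalAddr), "REMOTE_IP": hostOnly(c.RemoteAddr),
		"SERVER_NAME": c.ServerName,
	}
	return keyword.ReplaceAllStringFunc(value, func(m string) string {
		sub := keyword.FindStringSubmatch(m)
		if sub[1] == "JWT" {
			return c.Claims[sub[2]] // a claim absent from the token expands to ""
		}
		if v, ok := vars[sub[1]]; ok {
			return v
		}
		return m // unknown keyword: left untouched (assumption, not stated on the page)
	})
}

func main() {
	c := ConnInfo{Network: "tcp", LocalAddr: "10.0.0.1:443", RemoteAddr: "203.0.113.7:51234", ServerName: "app.example.com", Claims: map[string]string{"email": "alice@example.com"}}
	fmt.Println(ExpandHeader("for=${REMOTE_IP};user=${JWT:email}", c))
}
```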
- Update go: 1.22.5
- Update go dependencies:
- upgraded github.com/fxamacker/cbor/v2 v2.6.0 => v2.7.0
- upgraded github.com/google/pprof v0.0.0-20240528025155-186aa0362fba => v0.0.0-20240625030939-27f56978b8b0
- upgraded golang.org/x/exp v0.0.0-20240604190554-fc45aab8b7f8 => v0.0.0-20240613232115-7f521ea00fb8
- Update go dependencies:
- upgraded github.com/quic-go/quic-go v0.45.0 => v0.45.1
- Add `forwardHttpHeaders` to set HTTP headers in the forwarded HTTP requests. Headers that already exist are overwritten.
- Update go dependencies:
- upgraded github.com/c2FmZQ/storage v0.2.2 => v0.2.3
- upgraded github.com/c2FmZQ/tpm v0.3.0 => v0.3.1
- upgraded github.com/google/go-tpm-tools v0.4.3 => v0.4.4
- upgraded github.com/google/go-tpm v0.9.0 => v0.9.1
- upgraded github.com/quic-go/quic-go v0.44.0 => v0.45.0
- Update go: 1.22.4
- Update go dependencies:
- upgraded github.com/google/pprof v0.0.0-20240509144519-723abb6459b7 => v0.0.0-20240528025155-186aa0362fba
- upgraded github.com/onsi/ginkgo/v2 v2.17.3 => v2.19.0
- upgraded golang.org/x/crypto v0.23.0 => v0.24.0
- upgraded golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 => v0.0.0-20240604190554-fc45aab8b7f8
- upgraded golang.org/x/mod v0.17.0 => v0.18.0
- upgraded golang.org/x/net v0.25.0 => v0.26.0
- upgraded golang.org/x/sys v0.20.0 => v0.21.0
- upgraded golang.org/x/text v0.15.0 => v0.16.0
- upgraded golang.org/x/tools v0.21.0 => v0.22.0
- Sign OCSP responses with RSA or ECDSA keys.
- Update go dependencies:
- upgraded github.com/beevik/etree v1.3.0 => v1.4.0
- upgraded github.com/google/pprof v0.0.0-20240507183855-6f11f98ebb1c => v0.0.0-20240509144519-723abb6459b7
- upgraded github.com/quic-go/quic-go v0.43.1 => v0.44.0
- Only allow GET and HEAD methods for static files.
- Sanitize the request path before comparing to local endpoints, e.g. `//.sso` redirects to `/.sso`.
- Add a `sanitizePath` option to backends. When true (default), request paths are sanitized before they are sent to the backends.
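Why the path is normalized before the local-endpoint comparison, as an added Go illustration that is not tlsproxy's own code: `SanitizePath`, `IsLocalEndpoint` and the `localEndpoints` set are assumptions (the page names only `/.sso`). Without sanitizing, `//.sso` does not match `/.sso` and would be forwarded to the backend instead of being handled by the proxy.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// localEndpoints is a constructed set of proxy-handled paths; the page names only /.sso.
var localEndpoints = map[string]bool{"/.sso": true}

// SanitizePath collapses duplicate slashes and resolves "." and ".." segments
// (path.Clean cannot climb above "/"), keeping a trailing slash, so that
// differently spelled requests for the same resource compare equal.
func SanitizePath(p string) string {
	if p == "" {
		return "/"
	}
	if !strings.HasPrefix(p, "/") {
		p = "/" + p
	}
	clean := path.Clean(p)
	if strings.HasSuffix(p, "/") && clean != "/" {
		clean += "/"
	}
	return clean
}

// IsLocalEndpoint reports whether a request path is one the proxy handles
// itself. With sanitize=false, "//.sso" is not recognised and would reach
// the backend; with sanitize=true it matches "/.sso".
func IsLocalEndpoint(reqPath string, sanitize bool) bool {
	if sanitize {
		reqPath = SanitizePath(reqPath)
	}
	return localEndpoints[reqPath]
}

func main() {
	for _, p := range []string{"/.sso", "//.sso", "/app/../.sso", "/.sso/"} {
		fmt.Printf("%-14s raw=%-5v sanitized=%-5v (%s)\n", p, IsLocalEndpoint(p, false), IsLocalEndpoint(p, true), SanitizePath(p))
	}
}
```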
- Update go: 1.22.3
- Update go dependencies:
- upgraded github.com/google/pprof v0.0.0-20240422182052-72c8669ad3e7 => v0.0.0-20240507183855-6f11f98ebb1c
- upgraded github.com/onsi/ginkgo/v2 v2.17.1 => v2.17.3
- upgraded golang.org/x/crypto v0.22.0 => v0.23.0
- upgraded golang.org/x/exp v0.0.0-20240416160154-fe59bbe5cc7f => v0.0.0-20240506185415-9bf2ced13842
- upgraded golang.org/x/net v0.24.0 => v0.25.0
- upgraded golang.org/x/sys v0.19.0 => v0.20.0
- upgraded golang.org/x/text v0.14.0 => v0.15.0
- upgraded golang.org/x/tools v0.20.0 => v0.21.0
- Serve static files from a local filesystem when `documentRoot:` is set.
- Upgrade github.com/quic-go/quic-go v0.42.0 => v0.43.1
- Update the tpm library to pick up a bug fix. The saved TPM keys would become invalid after a reboot. This only affected configurations with `hwBacked: true`.
- Update go dependencies:
- upgraded github.com/google/pprof v0.0.0-20240402174815-29b9bb013b0f => v0.0.0-20240422182052-72c8669ad3e7
- upgraded golang.org/x/crypto v0.21.0 => v0.22.0
- upgraded golang.org/x/exp v0.0.0-20240325151524-a685a6edb6d8 => v0.0.0-20240416160154-fe59bbe5cc7f
- upgraded golang.org/x/mod v0.16.0 => v0.17.0
- upgraded golang.org/x/net v0.23.0 => v0.24.0
- upgraded golang.org/x/sys v0.18.0 => v0.19.0
- upgraded golang.org/x/tools v0.19.0 => v0.20.0
- Add `hwBacked` option. When enabled, hardware-backed cryptographic keys are used to:
  - encrypt local data (the data cannot be used or recovered on a different device),
  - sign authentication tokens,
  - sign the PKI certificates, OCSP responses, and CRLs.
- Add `--quiet` flag. When set (or the `TLSPROXY_QUIET` env variable is `true`), logging is turned off after tlsproxy starts.
- Release binaries and container images are now signed.
- Update go: 1.22.2
- Update go dependencies:
- upgraded github.com/quic-go/quic-go v0.41.0 => v0.42.0
- Update go: 1.22.1
- Update go dependencies
- Reduce lock contention in passkey manager.
- Update go: 1.22.0
- Log HTTP protocol upgrades.
- Fix bug that prevented PKI admins from revoking certificates.
- Improve heap & lock profiling.
- Reduce lock contention.
- Fix WebSocket connections when `backendProto` is set to something other than `http/1.1`.
- Starting with v0.6.0, tlsproxy is built with QUIC & HTTP/3 support by default. Binaries without QUIC can still be built with `-tags noquic`.
- Add support for QUIC datagrams.
- Report outbound connections on the metrics page.
- Improve how http3 connections are handled.
- Update go dependencies:
- upgraded github.com/google/pprof v0.0.0-20231229205709-960ae82b1e42 => v0.0.0-20240117000934-35fc243c5815
- upgraded github.com/onsi/ginkgo/v2 v2.13.2 => v2.14.0
- upgraded github.com/quic-go/quic-go v0.40.1 => v0.41.0
- upgraded golang.org/x/exp v0.0.0-20240103183307-be819d1f06fc => v0.0.0-20240112132812-db7319d0e0e3
- upgraded golang.org/x/tools v0.16.1 => v0.17.0
- Prevent backend connections from being re-used by other clients when PROXY protocol is enabled.
- Add support for the PROXY protocol for incoming connections. See the `AcceptProxyHeaderFrom` config option.
- Fix bug with the handling of the PROXY protocol header with TLS backends. The header was sent after the TLS handshake instead of before.
- Fix bug that prevented logins with passkeys on non-default ports when ForceReAuth is set (introduced in v0.4.4).
- Log aborted ReverseProxy requests more gracefully.
- Update go: 1.21.6
- Update go dependencies:
- upgraded github.com/beevik/etree v1.2.0 => v1.3.0
- upgraded github.com/google/pprof v0.0.0-20231212022811-ec68065c825e => v0.0.0-20231229205709-960ae82b1e42
- upgraded golang.org/x/crypto v0.17.0 => v0.18.0
- upgraded golang.org/x/exp v0.0.0-20231226003508-02704c960a9b => v0.0.0-20240103183307-be819d1f06fc
- upgraded golang.org/x/net v0.19.0 => v0.20.0
- upgraded golang.org/x/sys v0.15.0 => v0.16.0
- Improve user experience with the passkey login screen.
- Fix small accounting bug in ingress metrics.
- Apply the forward rate limit to http requests. Before, the rate limit was only applied to incoming connections.
- Add support for the OIDC `hd` param (https://developers.google.com/identity/openid-connect/openid-connect#hd-param).
- Return the proper TLS error when a QUIC client requests an unknown server name and/or alpn protocol.
- Return the proper TLS error when a client certificate is revoked.
- Refactor / improve the handling of QUIC connections.
- Minor changes to the metrics page: combine runtime and memory profile, add config.
- Remove the /config endpoint.
- Refactor HTTP handlers. No functional change.
- Add a confirmation page before redirecting to the remote identity provider's OIDC or SAML login page.
- Add a nonce cookie to the OIDC login flow.
- Convert the metrics page to HTML.
- This version changes these config options:
  - `enableQUIC` now defaults to `true` if the binary is compiled with QUIC support, e.g. `+quic` releases.
  - `alpnProtos` now includes `h3` by default when QUIC is enabled and mode is one of `HTTP`, `HTTPS`, `QUIC`, `LOCAL`, or `CONSOLE`.
  - `revokeUnusedCertificates` now defaults to `true`, and revocation is only done at the time the proxy starts.
- Add missing lock in revoke.go
- Fix bug that could close legitimate connections after a config change.
- Fixed some flaky tests.
- Add backendProto and buildinfo to metrics page.
- Add an option to automatically revoke unused Let's encrypt certificates.
- Add a flag to revoke all cached certificates. This is useful when a server is decommissioned or compromised.
- IDN fixes and tests
- Implement OCSP stapling.
- Verify the status of client and server certificates when OCSP servers are specified.
- Fix bug that prevented the PKI WASM client from loading on chrome 119.
- Handle Internationalized Domain Names correctly.
- Add an option to refresh the identity used with passkeys (`refreshInterval`).
- Use the certificate provided by Let's Encrypt to authenticate with backends when backends require client authentication.
- go: upgraded github.com/quic-go/quic-go v0.40.0 => v0.40.1 (CVE-2023-49295)
- Decouple frontend and backend protocols in `mode: http` and `mode: https`. The ALPN protocols that TLSPROXY accepts are specified in `alpnProtos: [...]`, and the protocol to use with the request to the backend is specified with `backendProto: ...`, which defaults to `http/1.1`. The previous behavior was to use the same protocol that the client used. It is still possible to do that by setting `backendProto` explicitly to an empty string.
- Fix QUIC stream direction in metrics.
- Fix persistent config reload every 30 sec in some conditions.
- Add support for the PROXY protocol defined by HAProxy. https://github.com/haproxy/haproxy/blob/master/doc/proxy-protocol.txt
- Add QUIC and HTTP/3 support. See docs/QUIC.md.
- Increase timeouts for proxied HTTP requests to 24 hours for large uploads or downloads.
- Update to go 1.21.5
- Add support for the HTTP/2 protocol in reverse proxy mode. This only works when the backend actually supports HTTP/2. So, it is not enabled by default. To enable it, set `alpnProtos: [h2, http/1.1]` on the backend explicitly.
- Add support for routing HTTP requests based on path. By default, all requests go to the same backend servers. When `pathOverrides` is set, some paths can be routed to other servers.
- Allow multiple backends with the same server name but different ALPN protos, e.g. one backend could have foo.example.com with the default ALPN protos, and another backend could have foo.example.com with `alpnProtos: [imap]`. If ALPN is not used by the client, the first backend with a matching server name will be used.
Let's call this the first stable development release. We'll try to keep decent release notes going forward.
TLSPROXY is primarily a TLS termination proxy that uses letsencrypt to provide TLS encryption for any number of TCP or HTTP servers, and any number of server names concurrently on the same port.
Its functionality is similar to a stunnel server, but without the need to configure and run certbot separately.
TLSPROXY can also be used as a Reverse Proxy for HTTP(S) services, and optionally control access to these services with user authentication and authorization.
Overview of features:
- Use Let's Encrypt automatically to get TLS certificates (http-01 & tls-alpn-01 challenges).
- Terminate TLS connections, and forward the data to any TCP server in plaintext.
- Terminate TLS connections, and forward the data to any TLS server. The data is encrypted in transit, but the proxy sees the plaintext.
- Terminate TCP connections, and forward the TLS connection to any TLS server (passthrough). The proxy doesn't see the plaintext.
- Terminate HTTPS connections, and forward the requests to HTTP or HTTPS servers (http/1 only, not recommended with c2fmzq-server).
- TLS client authentication & authorization (when the proxy terminates the TLS connections).
- Built-in Certificate Authority for managing client and backend server TLS certificates.
- User authentication with OpenID Connect, SAML, and/or passkeys (for HTTP and HTTPS connections). Optionally issue JSON Web Tokens (JWT) to authenticated users to use with the backend services and/or run a local OpenID Connect server for backend services.
- Access control by IP address.
- Routing based on Server Name Indication (SNI), with optional default route when SNI isn't used.
- Simple round-robin load balancing between servers.
- Support any ALPN protocol in TLS, TLSPASSTHROUGH, or TCP mode.
- Use the same TCP address (IPAddr:port) for any number of server names, e.g. foo.example.com and bar.example.com on the same xxx.xxx.xxx.xxx:443.