Version 2.7.0 #3
new23d announced in Announcements
Release Notes
- HTTP `-flow` Logs: additional log fields of `http_method`, `http_user_agent` and `http_path` will be present for plaintext HTTP traffic to aid in determining the source of unencrypted traffic. The traffic will always be denied with the message `insecure protocol, use https`, though.
- CRL Endpoints of x509 SSL certificates, which are over plaintext HTTP, are now automatically allowed for all TLS FQDNs allowlisted. Only HTTP methods `HEAD` and `GET` are allowed to these URLs from only the clients that otherwise have the TLS FQDNs (to which these CRL Endpoints belong) allowed.
- Alias IP Ranges assigned to VM Instances now get recognised and functionally work the same way as a VM's primary IP address. Firewall Rules get applied to the ranges as well, just as they do to the primary IP address of a VM, based on Network Tags.
- `no ip addresses resolved` warning message in `-config` log for FQDNs found in the allowlist but for which a DNS lookup did not resolve any IP addresses. This is useful in spotting typos and domain names not configured yet by third parties.
- Terraform module v2.7.0 update: `user_data_base64` supersedes `startup_script_base64`. See diff here.
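To show how the new `http_method`, `http_user_agent` and `http_path` fields can be used to find the sources of unencrypted traffic, the script below tallies denied plaintext HTTP requests per client. It is an added example, not DiscrimiNAT's own code or log schema: the JSON-lines layout, the `client` and `reason` keys and the sample records are assumptions constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample records. Only http_method, http_user_agent, http_path and
# the denial message come from the release notes; the JSON-lines layout and the
# "client" and "reason" keys are assumptions made for this example.
SAMPLE_LOG = """\
{"client": "10.0.1.15", "reason": "insecure protocol, use https", "http_method": "GET", "http_user_agent": "curl/8.4.0", "http_path": "/v1/status"}
{"client": "10.0.1.15", "reason": "insecure protocol, use https", "http_method": "GET", "http_user_agent": "curl/8.4.0", "http_path": "/v1/status"}
{"client": "10.0.2.7", "reason": "insecure protocol, use https", "http_method": "POST", "http_user_agent": "python-requests/2.31.0", "http_path": "/upload"}
{"client": "10.0.2.7", "reason": "allowed"}
truncated or non-JSON line
"""

HTTP_FIELDS = ("http_method", "http_user_agent", "http_path")
DENY_MESSAGE = "insecure protocol, use https"


def plaintext_http_sources(lines):
    """Count denied plaintext HTTP requests per (client, method, agent, path)."""
    counts = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip anything that is not a JSON record
        if not isinstance(rec, dict):
            continue
        # Only plaintext HTTP records carry all three extra fields.
        if not all(field in rec for field in HTTP_FIELDS):
            continue
        if rec.get("reason") != DENY_MESSAGE:
            continue
        key = (rec.get("client", "unknown"),) + tuple(str(rec[f]) for f in HTTP_FIELDS)
        counts[key] += 1
    # Most frequent offenders first; ties keep first-seen order.
    return counts.most_common()


if __name__ == "__main__":
    for (client, method, agent, path), n in plaintext_http_sources(SAMPLE_LOG.splitlines()):
        # repr() keeps control characters in a client-supplied user agent off the terminal
        print(f"{n:>4}  {client:<12} {method:<5} {path:<12} {agent!r}")
```

The user agent and path are client-supplied values, so treat them as untrusted when forwarding the tally to a ticket or dashboard.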
Automated System Health Reporting: 10 minutes after boot and then at 0200 UTC every day, each instance of DiscrimiNAT will collect its OS internals & system logs since instance creation, config changes & traffic flow information from the last two hours and upload it to a Chaser-owned cloud bucket. This information is encrypted at rest with a certain public key so only relevant individuals with access to the corresponding private key can decrypt it. The transfer is encrypted over TLS.
Access to this information will be immensely useful to create a faster and more reliable DiscrimiNAT as we add new features. We also aim to learn about how users are interacting with the product in order to further improve the usability of it as they embark on a very ambitious journey of fully accounted for and effective egress controls.
We understand if certain environments within your deployment would rather not have this turned on. To disable it, a file at the path `/etc/chaser/disable_automated-system-health-reporting` should exist. From our Terraform module v2.7.0 onwards, this can be accomplished by including the following statement:

The base64 value above decodes to:

Which is a cloud-init way of creating that file in the instance.
🔗 Preceding Release Notes
Released 03 Jan '24