CHANGELOG
v1.11.2:
- BUG FIX: correctly handle ICAP null-body response
- BUG FIX: fix ICAP connection state when reading modified SMTP/IMAP message
- BUG FIX: fix chunked encoding of H2 body stream when sending to ICAP server
- BUG FIX: keep control socket open on accept error
- Feature: allow ICAP 204 response for small IMAP messages
- Optimization: use standard Content-Length header instead of X-IMAP-Message-Size in ICAP for IMAP request
- Compatibility: drop AWS-LC support to reduce outdated dependencies
v1.11.1:
- Feature: retry HTTP connection if upstream closes the connection without sending any data in HTTP proxy/rproxy server
- Feature: add idle-timeout config option to connection pool
- Feature: add more tcp connect and tls handshake metrics in escaper
- Optimization: allow to use 0 idle connections in icap connection pool
- Optimization: use more detailed error message for OpenSSL stream
v1.11.0:
- Feature: add 'insecure' config option to OpenSSL Client config to skip cert verification
- Feature: add more runtime metrics
- Feature: set supported ALPN protocols in HTTP Proxy server
- Feature: support sending small HTTP body along with header in HTTP Proxy server
- Feature: simplify default log backend config format
- Feature: support flushing task log on created/connected and periodically
v1.10.3:
- BUG FIX: fix read of trailer for chunked FTP over HTTP upload
- BUG FIX: fix idle check in udp copy and udp relay task
- Optimization: respect Content-Length header when sending ICAP adapted body
v1.10.2:
- BUG FIX: fix handle of ICAP preview data in HTTP/2 interception
- BUG FIX: fix panic when sending H2 stream data if peer is gone
- BUG FIX: do not send Allow-204 in ICAP preview request
v1.10.1:
- BUG FIX: fix socket usage on Windows
- BUG FIX: set expire info for udp tasks with socks5 proxy peers
- BUG FIX: send ppv2 header on http forward connections in divert_tcp escaper
- BUG FIX: fix match of TLS ticketer name in decryption
- BUG FIX: fix global datagram limiter
- BUG FIX: fix DELETE in FTP over HTTP task
- BUG FIX: fix handle of ICAP Preview data in HTTP/1 interception
- Optimization: support chunked upload in FTP over HTTP task
v1.10.0:
- Policy: LTS version
v1.9.9:
- BUG FIX: fix the check of H2 Extended CONNECT protocol
- BUG FIX: fix the set of session cache for TLS interception client
- Feature: allow to set max/min_tls_version in tls client config
- Feature: allow to set remote TLS ticketer in tls server config
- Feature: allow to set quic transport config
- Feature: support ICAP over TLS
- Feature: support TLS port in front of socks server
- Feature: add new Socks5 over TLS escaper support
- Feature: allow to select auditor in comply_audit escaper
- Feature: allow to bind to interface in various escapers
- Feature: allow to set protocol inspect policy based on domain rules
- Feature: send HTTP Upgrade header via ICAP request header X-HTTP-Upgrade
- Optimization: cache resolved IP address in UDP ASSOCIATE task
- Optimization: be compatible with more bad socks5 server implementations
- Optimization: echo empty ip in UDP ASSOCIATE reply when needed in socks server
- Optimization: support fragmented TLS ClientHello record in SNI proxy server
- Optimization: treat HTTP Trailer header as end-to-end
v1.9.8:
- BUG FIX: fix panic when building socks5 UDP header with domain address
- BUG FIX: fix possible panic when reading H2 stream
- BUG FIX: register correct read event when reading cert-generate / ip-locate / route-query response
- Feature: allow to write event logs to stdout
- Feature: add stream detour support to audit
- Feature: only enable anonymous user if ingress network ACL matched
- Feature: allow to set inspect policy for WebSocket
- Optimization: check user ingress network ACL early and reply auth failed if denied
- Optimization: ignore more clean connection close errors in interception
v1.9.7:
- BUG FIX: clean old redis fetch job in time on reloading ProxyFloat escaper
- BUG FIX: clean old dynamic user fetch job in time on user group reloading
- Feature: support ICAP audition for IMAP APPEND
- Feature: support TLS redis server
- Feature: allow to dump client side TLS decrypted stream via `client-side` dump config option
- Removed: remove redis cluster support, a redis proxy should be used in front of the redis cluster
v1.9.6:
- BUG FIX: fix lifetime of worker threads
- BUG FIX: fix selection of final escaper for http forward tasks
- Feature: allow to set global speed limits at user level
v1.9.5:
- BUG FIX: close the old process on hot restart
v1.9.4:
- BUG FIX: fix ALPN filter in tls interception
- BUG FIX: update to tokio 1.38.1
- Feature: allow to block IMAP connection
- Feature: allow to disable session ticket and session cache in TLS server config
- Feature: use aws-lc as rustls provider when built with vendored-aws-lc feature
- Optimization: try quick TCP ACK after accept handshake for resumed TLS sessions
v1.9.3:
- BUG FIX: fix deb package install rule
- BUG FIX: fix match rules in route_geoip escaper
- Optimization: only query http forward capabilities when needed in http_proxy server
v1.9.2:
- BUG FIX: fix ICAP handle of H2 request with small body
- Feature: add SMTP interception support
- Feature: support ICAP reqmod for SMTP DATA message
- Feature: support build on Windows
- Feature: allow to steal forwarded for http headers in h1 and h2 interception
- Feature: rewrite egress path selection code, now users can set id-based and JSON-based select map
- Feature: add openssl variant info to version message
v1.9.1:
- BUG FIX: fix panic in stream interception code caused by idle client connections
- BUG FIX: fix the handle of h1 trailer headers
- BUG FIX: do graceful shutdown for h2 connections when upstream closed
- Optimization: close h1 interception client connection early when upstream closed
- Feature: add tls usage field to tls cert generator helper protocol
- Feature: support interception for tlcp protocol
- Feature: add ip_locate helper protocol and rewrite route_geoip escaper
v1.9.0:
- BUG FIX: fix sending of upstream error CONNECT and upgrade response body
- Feature: add divert_tcp escaper to redirect streams to another server
- Feature: send HTTP CONNECT and upgrade request to ICAP reqmod service
- Feature: allow to set custom tls client config in user-site level
- Feature: allow to set http response header receive timeout in user-site level
- Feature: allow to use domain value as static socket address
- Feature: add support for ketama consistent hash
- Feature: send mimic cert to cert generator in tls interception
v1.8.0:
- Policy: LTS version
v1.7.37:
- BUG FIX: fix UDP sendmmsg & recvmmsg
- Feature: allow to set Netfilter Mark for listening sockets on Linux
- Feature: rewrite hickory resolver and add more config options
v1.7.36:
- BUG FIX: fix h2 interception by removing server push code
- Optimization: always dump the remote side of the tls decrypted traffic
- Optimization: rename application_audit_ratio config option to task_audit_ratio
- Feature: support task_audit_ratio in all servers that have audit feature
- Feature: switch to openssl for tls interception server
- Feature: add permute-extensions option to boringssl/aws-lc client config
v1.7.35:
- BUG FIX: the presence of the h2 Host header in the sent request will be the same as in the client request
- Feature: always verify tls server name in cert when running OpenSSL client
- Feature: support using BoringSSL
- Feature: add more config options to OpenSSL client:
- supported_groups
- use_ocsp_stapling
- enable_sct
- enable_grease, only for AWS-LC and BoringSSL
- Feature: enable brotli cert decompression for AWS-LC, BoringSSL and Tongsuo
v1.7.34:
- BUG FIX: do protocol inspection for tls decrypted stream if ALPN is missing
- Feature: add tcp_tproxy server
- Feature: allow to dump tls decrypted stream to wireshark udpdump receiver
v1.7.33:
- BUG FIX: fix dead loop when shutting down ssl connections
v1.7.32:
- BUG FIX: fix session resumption for NativeTlsPort when client auth is enabled
- BUG FIX: do session resumption only once for NativeTlsPort tls1.3 connections
- BUG FIX: fix batch reload of auditor
- BUG FIX: fix detection of c-ares features
- Feature: send task_ready histogram duration metrics for user sites
- Feature: support using AWS-LC instead of OpenSSL
v1.7.31:
- Feature: allow to read from environment variable when setting:
- StatsD udp peer addr
- Fluentd udp peer addr
- Syslog udp peer addr
- TLS cert generator udp peer addr
- Route query agent udp peer addr
- Feature: make quic feature optional
- Optimization: more efficient sending of StatsD metrics
v1.7.30:
- Feature: add new max_timeout config option to c-ares resolver
- Feature: support listen to quic port for HttpProxy and TcpStream server
- Feature: use atomic swap for reload of dependency server
v1.7.29:
- Feature: add OpenSSL based NativeTlsPort server
- Feature: allow to chain TcpStream after ports server
- Feature: make hickory-dns an optional feature
- Feature: add new max_udp_queries config option to c-ares resolver
- Optimization: use sendmmsg / recvmmsg for UDP io
v1.7.28:
- BUG FIX: fix server ingress net acl check for traffic from extra tls ports
- Feature: support PROXY Protocol v1 in PlainTcpPort and PlainTlsPort
- Feature: support PROXY Protocol in IntelliProxy port
v1.7.27:
- Optimization: set default c-ares init options as c-ares 1.20.1 default values
- Optimization: reduce rustls server session cache lock contention
- Feature: rename trust-dns resolver type to hickory to be in sync with upstream
- Feature: add dns over http/3 support in hickory resolver
- Feature: use tcp peer ip if socks5 proxy returns unspecified udp peer ip
v1.7.26:
- BUG FIX: fix deb and rpm build scripts
- BUG FIX: fix parse of cert_pairs of tls server config in various servers
v1.7.25:
- Feature: add route_geoip escaper
- Feature: various improvements to journal logging
- add SYSLOG_IDENTIFIER field
- improved efficiency
- io stats added
- Feature: update vendored openssl to 3.1
v1.7.24:
- BUG FIX: fix vendoring build of ring
v1.7.23:
- Feature: allow to use ID string as egress path json value in DirectFloat and ProxyFloat escaper
- Feature: add vendored-c-ares feature to control whether c-ares is compiled from source
- Feature: drop out of date dependencies by using forks and patches
v1.7.22:
- Removed: remove the daemon group name setting in config file
- BUG FIX: fix site level socks_tcp_connect conn_total stats
- BUG FIX: fix logger io stats in various AsyncLogger backends
- Feature: support udp methods in ProxyFloat socks5 proxy peer
- Feature: support udp methods in DirectFloat escaper
- Feature: allow to use json value for egress path selection
- allow to set at user level
- support at ProxyFloat / DirectFloat / RouteSelect escaper
- make source config in ProxyFloat escaper optional
- Feature: allow to publish dynamic users
- Feature: default to guess main config file when run as systemd service
v1.7.21:
- BUG FIX: fix creation of daemon controller
v1.7.20:
- Feature: allow to set ingress net filter in user config
- Feature: always log the raw input user name, so you will get the real user name if authenticated against the anonymous user
- Feature: make the listen config optional in the following servers:
- http_proxy
- http_rproxy
- socks_proxy
- sni_proxy
- tcp_stream
- tls_stream
- Feature: allow to set token to null value to disable password auth for user
v1.7.19:
- Feature: support PROXY Protocol in PlainTcpPort and PlainTlsPort server
- Feature: support transmute udp peer addr in proxy_socks5 escaper
- Optimization: rename and deprecate options in socks_proxy server:
- auto_reply_local_ip_map -> transmute_udp_echo_ip
v1.7.18:
- Feature: add license info to deb and rpm package files
v1.7.17:
- Feature: add route_failover escaper
v1.7.16:
- Compatibility: update build dependencies
v1.7.15:
- Optimization: set correct default CA path if build using vendored openssl
- Feature: allow no auth in socks5 proxy if anonymous user is enabled
- Feature: add dns-over-quic support in trust-dns resolver
- Compatibility: compile on MacOS / FreeBSD / NetBSD
v1.7.14:
- BUG FIX: fix the parse of ICAP OPTIONS response
v1.7.13:
- BUG FIX: fix the fetch of ICAP options
- Feature: allow to set anonymous user in user group
- Feature: allow to set retry in failover resolver if the first answer is empty
v1.7.12:
- Optimization: do batch tcp accept
- Feature: try best to preserve the case of http header names
- Removed: remove uri path match in http_rproxy server
v1.7.11:
- BUG FIX: fix reload of resolver with changed internal dependency
- Feature: allow string value type for tls cert generator config
- Feature: allow to output dependency graph in graphviz / mermaid / plantuml format
- Feature: use metrics name for server/escaper/user-group/resolver/auditor name
- Removed: drop support for http dynamic user source
v1.7.10:
- Feature: support happy-eyeballs for resolve redirected domain
- Feature: allow to set resolve strategy at user-site level
- Optimization: enable tcp_nodelay by default if needed
v1.7.9:
- BUG FIX: fix the parse of weighted upstream address
- BUG FIX: fix the clean of offline servers
- Optimization: listen in each worker when listen_in_worker is enabled
- Feature: add new ctl command to force quit offline servers
v1.7.8:
- BUG FIX: fix the set of package version in deb package
- Feature: allow to set multiple cert pairs in rustls server config
- Feature: allow to listen in worker, and run tasks in unconstrained mode
- Feature: allow to start listen instance according to available parallelism
- Optimization: update the definition of openssl tls client config
- Compatibility: add g3-compat to allow compile on platforms with glibc < 2.27
- Compatibility: use vendored-openssl on platforms with libssl < 1.1.1
v1.7.7:
- Feature: make libcurl an optional feature
- Feature: add more config options to openssl tls client
- Internal: move most of daemon control code to g3-daemon lib crate
v1.7.6:
- Feature: allow to config the max io events per tick value for tokio runtime
- BUG FIX: fix the print of package version
- Optimization: add yield size limit to http body transfer futures
v1.7.5:
- Optimization: use icap connection pool at auditor level instead of audit handle level
- Feature: ignore Via header generated by ICAP server when sending request to upstream
- BUG FIX: fix AsyncRead implementation of chunk decoder
v1.7.4:
- Feature: default to send client address and username to ICAP server
- Feature: allow to respond shared names back to ICAP server
- Feature: allow to set application audit ratio in auditor and user config
v1.7.3:
- Feature: allow to use icap_reqmod_service and icap_respmod_service in auditor
- BUG FIX: make sure upstream response header is sent out in case the upstream closes its body io
v1.7.2:
- Feature: allow to send client_ip in route_query escaper
- Optimization: various updates to http parse code
v1.7.1:
- Feature: add --dot-graph command line option to draw internal dependency graph
- BUG FIX: fix command line handling
v1.7.0:
- Feature: allow to set username for redis cluster config in ProxyFloat escaper
- Feature: support custom config file extension
- Feature: support round robin select policy in various escaper and server
- Feature: add user_type tag to user and user site metrics
- Feature: replace http_tproxy and sni_proxy with a new protocol inspection enabled sni_proxy
- BUG FIX: fix spawning of new resolver reload
v1.6.0:
- Feature: forbid ipv6 discard-only address block by default
- Optimization: use less mutex in openssl tls client session cache
v1.5.6:
- BUG FIX: do not consider c-ares NODATA as error
- Optimization: ignore the first error in happy eyeballs resolver
v1.5.5:
- Feature: switch to use happy eyeballs resolve method in
- RouteResolved escaper
- udp connect method in DirectFixed escaper
- resolver query ctl interface
v1.5.4:
- Feature: allow to set/unset hostname in syslog message header
v1.5.3:
- Feature: use happy eyeballs algorithm in Direct* and Proxy* escaper
- Feature: enable ftp over http support in DirectFloat escaper
- Feature: support multiple upstream addresses on TcpStream and TlsStream server
v1.5.2:
- BUG FIX: fix panic when parsing ipv6 socks requests
- Optimization: socks: return error early for empty domains
- Feature: drop local_match in route_upstream escaper
v1.5.1:
- BUG FIX: fix the build of deb package
v1.5.0:
- Feature: reintroduce the python dynamic user source and make it optional
- Feature: keep ipv4 compatible address in ipv6 form
- Feature: allow to log to fluentd by using its Forward Protocol
v1.4.2:
- Feature: allow to specify lua version via features, and default to lua5.1
- Feature: add g3proxy-lua to test the functionality of lua
- BUG FIX: fix auth error reply in http_rproxy server
v1.4.1:
- Feature: allow to set report script for lua dynamic user source
- BUG FIX: fix the exact domain match for explicit user sites
v1.4.0:
- Feature: add user level layer 7 alive connection metrics
- Feature: add tcp_conn_rate_limit to user config
- Optimization: rename tcp and udp speed limit config options
v1.3.5:
- BUG FIX: cache dynamic users only if valid
- BUG FIX: revert to use mlua 0.7.4
v1.3.4:
- Feature: allow to set site config for each user
- Optimization: close http persistent connections early when server goes offline
v1.3.3:
- Feature: use clap to parse command line options
- BUG FIX: fix set of resolve strategy for g3proxy-ctl resolver query command
v1.3.2:
- Feature: support traditional private key PEM format
- Feature: add compile info to g3proxy
- Optimization: rename http_gateway server to http_rproxy
v1.3.1:
- Feature: allow to use unaided worker threads for tasks
- BUG FIX: fix reload all config
v1.3.0:
- Feature: add socks_use_udp_associate option to user config
- Optimization: use buffered metrics sink
- Optimization: switch to use std Mutex instead of parking_lot Mutex
- Optimization: rename some resolver ttl config options
v1.2.2:
- Feature: update openssl tls client config
v1.2.1:
- BUG FIX: fix deb package dependency
v1.2.0:
- Feature: switch to curl for simple http requests and add more config options:
- connect_timeout
- interface
- Feature: use distro default luajit
v1.1.5:
- BUG FIX: fix debian package file
v1.1.4:
- Feature: add back the simple 'http' dynamic user source
- Feature: add trust-dns resolver, which can also be configured to use DoT or DoH
- Feature: switch to use openssl tls client for outgoing tls connections
- Feature: allow to disable sni and session cache in rustls client config
v1.1.3:
- Feature: add 'lua' source for dynamic user fetching
- Feature: remove 'python' source for dynamic user fetching
- Feature: add 'route_client' escaper
v1.1.2:
- Import all bug fixes from v1.0.1 and update packages
v1.1.1:
- Feature: add new http_tproxy server
- Feature: rename server ppdp_tcp_port to intelli_proxy
v1.1.0:
- Feature: add 'python' source for dynamic user fetching
- Feature: remove 'http' source for dynamic user fetching
v1.0.1:
- BUG FIX: fix handle of 100-continue response after request body sent out
- BUG FIX: do not close the http connection if no body is expected in response
v1.0.0:
- First Long Term Support Branch
v0.9.10:
- BUG FIX: fix rfc5424 syslog timestamp format
v0.9.9:
- Feature: rename escaper route_dst_ip to route_resolved
- BUG FIX: fix update of resolve strategy based on ipv4_only/ipv6_only settings
- BUG FIX: avoid the panic caused by parsing float values as time duration
v0.9.8:
- BUG FIX: add '=' as KV delimiter to rfc3164 syslog
v0.9.7:
- BUG FIX: fix parse of msgpack string
- BUG FIX: close remote tcp sockets in time in proxy_socks5 escaper
- BUG FIX: really set ca certificate when build tls client config
v0.9.6:
- Feature: allow to display verbose ftp command message in g3proxy-ftp
- Feature: allow to change timezone via control commands
- Feature: allow to generate various shell completion scripts for g3proxy-ctl and g3proxy-ftp
v0.9.5:
- Feature: add tls_stream server
- Feature: check time offset at start time, and make the explicit use of local time thread safe
v0.9.4:
- BUG FIX: drop cmake build dependency to build on old OS
v0.9.3:
- Feature: add blake3 to fast hashed passphrase and make all hashes optional
- Feature: allow to set negotiation timeout value for next proxy peers
- Feature: allow to set handshake timeout value for servers with tls enabled, and add listen.timeout metrics
- Feature: drop tls code in plain_tcp_port and add plain_tls_port
- Feature: move ingress network filter check to very early stage, which results in:
- rename metrics server.forbidden.src_blocked to listen.dropped
- add ingress network filter config to plain_tcp_port / plain_tls_port / ppdp_tcp_port
v0.9.2:
- Feature: allow to add extra metrics tags to escaper metrics
- Feature: delete useless tcp_copy_flush_interval server config option
- Feature: add user level upstream traffic stats
- BUG FIX: allow to use route escaper behind http gateway server
v0.9.1:
- Feature: add sni_proxy server
v0.9.0:
- Feature: add jump hash as a pick policy for SelectiveVec
- Feature: remove deprecated escaper config options:
- tcp_connect_max_retry
- tcp_connect_each_timeout
- Feature: allow to use the first Authorization for upstream ftp auth in http proxy server
- Feature: add route_select escaper, and remove the old route_random escaper
- Feature: add route_query escaper
- Feature: allow to start tls at server level behind multiple plain tcp ports
- Feature: allow to set client side tcp socket options at user level
- Feature: use PKCS #8 format for private key
- Feature: delete append_forwarded_for config option from proxy_http(s) escaper
- Feature: delete remote_keepalive_eof_wait config option from http_proxy server
- Feature: add http_gateway server
v0.8.11:
- Feature: allow to set tcp and udp socket options at server side
v0.8.10:
- regenerate release tarball
v0.8.9:
- Feature: allow to set SO_MARK for tcp socket
- Feature: allow to set more udp socket options at user and escaper level:
- IP_TTL
- IP_TOS
- SO_MARK
v0.8.8:
- Feature: allow to set probe_interval and probe_count in tcp keepalive config
- Feature: allow to set more tcp socket options at user and escaper level:
- TCP_NODELAY
- TCP_MSS
- IP_TTL
- IP_TOS
v0.8.7:
- BUG FIX: fix resolve of dns name with '_' in its CNAME
v0.8.6:
- Feature: add tcp_connect config option to user config
- Feature: add tcp_connect config option to escaper config, and deprecate the following:
- tcp_connect_max_retry
- tcp_connect_each_timeout
v0.8.5:
- Feature: add --version command line option
- Feature: add proxy_request_filter to user config
v0.8.4:
- Feature: allow to forward all ftp requests to next proxy
- Feature: enable https forward by default
v0.8.3:
- Feature: allow to add extra metrics tags in server and user metrics
- Feature: add server and server extra tags in user forbidden metrics
- Feature: add more detailed resolver error metrics
v0.8.2:
- Optimization: flush eagerly in io copy
v0.8.1:
- Feature: allow pass userid to next proxy in proxy_http(s) escaper
- BUG FIX: fix leak of forwarded header to upstream in proxy_http(s) escaper
v0.8.0:
- Feature: support file upload and delete in ftp over http request
- Optimization: change default tcp copy flush interval to 200ms
- Optimization: explicitly forbid empty upstream address
v0.7.27:
- Feature: support single range request in ftp over http request
- Feature: support tls server config in plain_tcp_port server
- Optimization: always ignore body related headers in 1xx and 204 http response as specified in rfc7230
v0.7.26:
- BUG FIX: fix panic in https_forward task if the upstream has no domain
- Feature: support tls offload in tcp stream
- Feature: set bind_address_no_port for udp connect socket
v0.7.25:
- BUG FIX: various fix for ftp over http
v0.7.24:
- Feature: support udp associate and udp connect on proxy_socks5 escaper
- Feature: restore support for domain as target address in udp associate task
- Feature: prefer to use mime type returned by ftp server
- Feature: do acl check in udp associate task
- Feature: force quit tasks during process shutdown
- BUG FIX: ftp: determine transfer size right after setting transfer type
v0.7.23:
- Feature: allow to set auto_reply_local_ip_map for socks_proxy server
- BUG FIX: fix limit for tcp copy config
v0.7.22:
- Feature: add default simplified udp connect mode for socks server
- Feature: do not require the same address family for tcp and udp if udp bind ip is set
- BUG FIX: fix subnet_match config in RouteUpstream escaper
v0.7.21:
- Feature: refactor task idle check logic:
- remove 'task_idle_duration' config at server side
- add 'task_idle_check_duration' config at server side
- add 'task_idle_max_count' at server and user side
- Feature: add src denied stats to server forbidden stats
- Feature: add subnet_match to dst_host_filter_set acl rule set
- Feature: add subnet_match rule to RouteUpstream escaper
- BUG FIX: quote the realm value in response header
v0.7.20:
- Feature: add explicit flush interval for tcp copy
- Feature: default to always try epsv for ftp transfer
- Optimization: increase default http rsp header recv timeout to 60s
v0.7.19:
- Feature: drop escaper tag from user traffic metrics
- Feature: initial version with working ftp over http support
v0.7.18:
- BUG FIX: fix panic when handle empty Host http header value
v0.7.17:
- Feature: allow to set http forward capability for proxy_http(s) escapers
We can forward https and ftp requests to next http(s) proxies from now on
- Feature: add route metrics for route type escapers
- Feature: the request and traffic metrics are now correctly set on the final escaper
- Feature: add g3proxy-ftp to test ftp functions
v0.7.16:
- BUG FIX: fix upstream addr parse error
- BUG FIX: fix set of `allow_custom_host` and `steal_forwarded_for` options for http_proxy server
- Feature: allow to set udp socket buffer size for socks_proxy server
v0.7.15:
- BUG FIX: fix missing action for ip hosts when only child and regex host rules are set
- Feature: add options to control http forwarded headers
- http_proxy server: allow to delete forwarded headers in client requests
- proxy_http & proxy_https escaper: allow to append forwarded header in requests sent out
- Feature: support haproxy PROXY protocol for proxy_http and proxy_https escapers
- Feature: support CEE log syntax in syslog
- Optimization: reply with http code 409 if host header doesn't match host in uri
v0.7.14:
- BUG FIX: support ipv6 address in square brackets as http Host value
- BUG FIX: convert ipv6 mapped ipv4 address back to ipv4 address when parsing UpstreamAddr
- BUG FIX: fix server online status after reloading runtime
- Optimization: do not create default escaper in rpc commands
- Feature: add more servers
- plain_tcp_port: just listen to a tcp port and send connections to another server
- ppdp_tcp_port: detect the proxy protocol of the connection, and send to the corresponding next server, the type of which could be either http_proxy or socks_proxy.
- dummy_close: just close the connection
v0.7.13:
- BUG FIX: fix handle of http url with ipv6 address as host field
- Feature: add listen stats for server
- Optimization: make `append_report_ts` syslog driver config option default to false
v0.7.12:
- BUG FIX: fix rfc5424 format for appended report_ts log field
v0.7.11:
- Feature: add udp_bind_port_range config option to socks_proxy server
- Feature: default to append `report_ts` to logs sent to syslogd
- add `append_report_ts` config option to syslog driver to control the behaviour
- Optimization: ignore optional fields with empty value in logs sent to syslogd
v0.7.10:
- BUG FIX: fix counting of user level https forward io stats
- BUG FIX: fix X-BD-Upstream-Addr custom header
v0.7.9:
- Feature: http_proxy: close the connection if the previous request also failed auth
v0.7.8:
- Feature: use native async implementation from g3-syslog
- Feature: add metrics for loggers
- add logger.message.total
- add logger.message.pass
- add logger.traffic.pass
- add logger.message.drop
- Feature: sleep for twice the emit_metrics interval to let metrics flush in graceful shutdown mode
- Feature: add more resolver runtime config options
- graceful_stop_wait, which sets the delay time before the thread is really stopped
- protective_query_timeout, which sets the query timeout for queries sent to the driver
- BUG FIX: fix http_proxy server config key name no_early_error_reply
- BUG FIX: shutdown the runtime thread for fail-over resolver
v0.7.7:
- Feature: change the default found action for user-agent acl rule to forbid.
- Feature: restrict the uri field in logs:
- limit the number of characters, and add corresponding config options
- replace password field with 'xyz'
- Feature: add `user_agent` to HttpForward Task log
- Feature: add stats about resolver internal hashtable memory usage
- Optimization: increase the default async log channel size from 1024 to 4096
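The v0.7.7 log restrictions above (cap the uri length, replace the password field with 'xyz') are a small sanitisation step worth seeing in full. The following is an added example for this changelog, not g3proxy's code: `mask_uri_password` rewrites `user:secret@host` to `user:xyz@host` in the authority component, and `uri_for_log` applies that before truncating to a configured number of characters. The function names and the default limit of 1024 characters are assumptions; only the `xyz` placeholder comes from the entry.

```rust
// Added example, not g3proxy code: sanitise a request URI for a task log by
// masking the userinfo password with "xyz" and capping the length.
// DEFAULT_LOG_URI_MAX_CHARS is an assumed default, not a value from the changelog.
pub const DEFAULT_LOG_URI_MAX_CHARS: usize = 1024;

/// Replace the password inside a URI's userinfo with "xyz"; a userinfo without
/// ':' carries no password and is left as is.
pub fn mask_uri_password(uri: &str) -> String {
    let scheme_end = match uri.find("//") {
        Some(i) => i + 2,
        None => return uri.to_string(), // no authority component (e.g. CONNECT host:port)
    };
    // authority runs until the first '/', '?' or '#' after "//"
    let auth_end = uri[scheme_end..]
        .find(|c: char| c == '/' || c == '?' || c == '#')
        .map_or(uri.len(), |i| scheme_end + i);
    let authority = &uri[scheme_end..auth_end];
    // userinfo ends at the last '@' of the authority ('@' cannot occur in a host)
    let at = match authority.rfind('@') {
        Some(i) => i,
        None => return uri.to_string(),
    };
    let masked = match authority[..at].split_once(':') {
        Some((user, _password)) => format!("{user}:xyz"),
        None => authority[..at].to_string(),
    };
    format!("{}{}{}", &uri[..scheme_end], masked, &uri[scheme_end + at..])
}

/// Keep at most `max_chars` characters, cutting on a char boundary so the
/// result is still valid UTF-8.
pub fn truncate_chars(s: &str, max_chars: usize) -> String {
    s.chars().take(max_chars).collect()
}

/// Mask first, then truncate: truncating first could cut inside the password
/// and leave a partial secret with no '@' for the masker to find.
pub fn uri_for_log(uri: &str, max_chars: usize) -> String {
    truncate_chars(&mask_uri_password(uri), max_chars)
}

fn main() {
    // constructed sample URIs, not taken from any real log
    for uri in ["http://alice:s3cret@example.com/p?q=1", "http://example.com/p", "example.com:443"] {
        println!("{uri} -> {}", uri_for_log(uri, DEFAULT_LOG_URI_MAX_CHARS));
    }
}
```

The order of the two steps matters: masking runs on the complete URI and truncation only afterwards, so a tight character limit can never expose a fragment of the credential.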
v0.7.6:
- Feature: allow draining the body of http requests with no auth info
- add `untrusted_read_limit` option to http_proxy to enable it and set the read limit
- Feature: add user_blocked forbidden stats to server
- Feature: add untrusted task stats to server
- add server.task.untrusted_total
- add server.task.untrusted_alive
- add server.traffic.untrusted_in.bytes
v0.7.5:
- BUG FIX: limit the maximum dns cache ttl value to avoid panic
- Feature: add config option *max_cache_ttl* to resolvers
v0.7.4:
- BUG FIX: fix selection of udp bind ipv6 address
v0.7.3:
- BUG FIX: convert ipv4-mapped ip back to ipv4 format early
- Optimization: add content-type to http proxy error response
v0.7.2:
- Feature: add new no_early_error_reply config option to http_proxy server
- Feature: add capnp rpc command to list user group and users
- Optimization: do not add user level acl stats to server level
- Optimization: add more detailed reason to task logs
v0.7.1:
- Optimization: enforce a stricter limit on user max alive requests
- BUG FIX: http_proxy server: fix keepalive for http 407 response
- Feature: add layer-7 http User-Agent acl rule to user config
- Feature: add ua_blocked forbidden stats for user
v0.7.0:
- FEATURE: add fail_over resolver
v0.6.9:
- FEATURE: forbid unspecified egress target address by default
- FEATURE: allow setting bind ip addresses for client side ip selection in socks5 udp associate
v0.6.8:
- BUG FIX: update tokio to 1.1.1, the version with the memory leak fixed
v0.6.7:
- FEATURE: add resolve redirection support at user and escaper level
- FEATURE: add alive requests stats at user level
- FEATURE: allow limiting total alive requests at user level
- FEATURE: also cancel tasks belonging to blocked users in idle detection
- FEATURE: socks5 udp associate: dropped domain support for security reasons
- FEATURE: add child match rules to RouteUpstream escaper
- FEATURE: make sure cached data is flushed to the writer when the other end has closed its read side in tcp connect tasks
- BUG FIX: do correct parent domain match in child match acl rule
v0.6.6:
- BUG FIX: add cached data in buf reader to io stats
- FEATURE: allow setting a log rate limit at user level
- FEATURE: add stats about log skipped requests at user level
v0.6.5:
- BUG FIX: fix log_type for shared loggers
- FEATURE: make socks5 udp associate optional and disabled by default
v0.6.4:
- BUG FIX: fix check of body type for http 304 response
- FEATURE: add escaper level forbidden stats
- FEATURE: add server & escaper level forbidden stats to user forbidden stats when possible
v0.6.3:
- BUG FIX: fix user-group reload
- BUG FIX: fix normalization for socks_proxy config keys
v0.6.2:
- BUG FIX: do not exit after accept error
- Feature: allow discarding task / escaper / resolver logs, and make this the default
- Feature: allow setting the socket buffer size for c-ares resolver
- Feature: allow using a shared logger thread for server and escaper
v0.6.1:
- BUG FIX: fix idle check
v0.6.0:
- Internal: port to tokio 1.0 version
- BUG FIX: only spawn long running tasks in main runtime
v0.5.10:
- BUG FIX: fix index based path selection when the index overflows
- BUG FIX: fix emit of user and server forbidden stats
v0.5.9:
- Feature: add new TrickFloat escaper
- Feature: add new RouteMapping escaper
- Feature: add path selection to:
- HttpProxy server, disabled by default
- DirectFixed escaper, disabled by default
- RouteMapping escaper, always enabled, but only supports index mapping
- Feature: add general http keepalive config:
- rename keepalive_eof_wait to remote_keepalive_eof_wait for HttpProxy server
- add http_forward_upstream_keepalive to HttpProxy server, remove keepalive_idle_expire
- add http_upstream_keepalive to user config, remove http_keepalive_idle
- rename tcp_keepalive to tcp_remote_keepalive for user
v0.5.8:
- Feature: add more options to control http keepalive:
- keepalive_eof_wait: set the time to wait when checking for eof on the upstream connection
- keepalive_idle_expire: set the max idle time for keeping the upstream connection
- Feature: add http_keepalive_idle config to user config.
v0.5.7:
- Feature: allow user to specify custom resolve strategy
- Feature: add 525 reply code to http proxy
- Feature: add -t flag to g3proxy to test the format of config file
- BUG FIX: also check upstream read close while sending new requests on reused connection
- Feature: only wait for the 100-continue response before the request body is sent out
- Feature: add tcp_keepalive setting to user config
- Feature: add tcp_keepalive setting to escaper config, and deprecate old tcp_keepalive_idle config
- Feature: change default resolve pick strategy to Random instead of First.
v0.5.6:
- Feature: allow blocking a user and setting a delay before sending the auth error response
- Feature: add user and server level forbidden stats
- BUG FIX: fix http forward Connection check
v0.5.5:
- Optimization: use native tls certs for locally generated http requests
- Feature: allow authenticating users with traditional unix crypt
- Feature: allow setting the source of proxy_float escaper to passive
v0.5.4:
- BUG FIX: fix user http_forward io stats
- BUG FIX: fix escaper http forward task count
v0.5.3:
- BUG FIX: fix default stats emit duration
- BUG FIX: fix emit of user stats
v0.5.2:
- Feature: add egress info to direct_float escaper
v0.5.1:
- Feature: add resolver stats
- Optimization: allow more ascii chars in domain
- Optimization: add server & escaper tags to user stats
v0.5.0:
- Feature: add 'allow_custom_host' to http_proxy server
- Feature: support output of server / escaper / user stats
- added 'stat' root config
- support output to statsd
v0.4.23:
- Optimization: g3proxy-clt can detect default runtime dir now
- Optimization: default to creating the cache file if it does not exist
- Optimization: set up the process logger early, so warnings from config parsing code can be emitted
- Optimization: resolver pick policy now applies to get_all_addrs
- Optimization: add more tcp_connect info to escape and task log:
- tcp_connect_tries: show how many times we have tried to connect
- tcp_connect_spend: show the total time we have spent on tcp connect for all tries
v0.4.22:
- Feature: rename proxy_dynamic escaper to proxy_float, and add options to set local cache
- Feature: add local cache for dynamic users
- Feature: allow publishing peers to proxy_float escaper
- Feature: add direct_float escaper
v0.4.21:
- Feature: add yield out to tcp copy and udp relay task
- Feature: add the following config to server:
- tcp_copy_yield_size
- udp_relay_packet_size
- udp_relay_yield_size
- Feature: support capnproto rpc on local controller, and add g3proxy-ctl command
v0.4.20:
- Optimization: allow setting protective_cache_ttl for error / empty resolver records
- Optimization: add 'duration' and 'source' to c-ares resolver error log
v0.4.19:
- BUG FIX: always return all resolver errors for all queries.
This fixes the regression introduced in v0.4.18
v0.4.18:
- Optimization: report misc server error in cares resolver
- Optimization: log query type in cares resolver error log
- Optimization: return early on resolve error for *First strategies
- BUG FIX: fix the number of running listen instances during reload of server
v0.4.17:
- Feature: cares resolver: allow setting the bind ip for each family:
- deprecate 'bind' config option
- add 'bind_ipv4' config option
- add 'bind_ipv6' config option
- Feature: proxy escapers: allow setting the bind ip for each family:
- deprecate 'bind_ip' config option
- add 'bind_ipv4' config option
- add 'bind_ipv6' config option
v0.4.16:
- Feature: add expire to user config.
- Feature: allow building in webpki-roots ca certs for rustls client config.
- Feature: add dynamic users to user group; the sources currently supported are:
- file: sync from a local file
- http: sync through an http GET request
v0.4.15:
- Feature: add more acl rules to server and user config:
- dst_host_filter_set: limit the upstream host
- dst_port_filter: limit the upstream port
- Feature: add 'wait_time' to task log:
- wait_time is the time after we receive the first byte and before the task is created
- ready_time and total_time don't include wait_time
- Feature: add tls handshake in escape log.
- Optimization: allow setting a list of tls certificate files.
- BUG FIX: fix reload of server if tls / acl config changed.
v0.4.14:
- Feature: support https forward on all escapers.
- Feature: add ProxyHttps escaper.
- Feature: support https proxy peer on ProxyFloat escaper.
- Optimization: add options to set internal copy buffer size.
- BUG FIX: fix domain prefix match in route-upstream escaper.
v0.4.13:
- Optimization: add more fields, such as io stats, to task log
- BUG FIX: fix handling of response to http HEAD request
v0.4.12:
- Feature: add log config in main conf, which sets initial config for loggers
- Feature: allow sending logs to syslogd through unix and udp sockets
- Optimization: move tcp_connect and udp_relay log to a new escape logger
v0.4.11:
- Feature: enable request recv timeout check on http proxy server
- Optimization: use separate resolve logger for each resolver
- Optimization: limit client address at socket level for udp client sockets
- Optimization: use more thread local buffers
v0.4.10:
- Feature: enable keepalive by default on dynamic escapers
- Feature: enable task idle check on servers
- BUG FIX: do strict check on limit read
v0.4.9:
- Feature: add instance count config field to server listen config
- Feature: add 0x09 as connection timed out socks5 reply code, as it's added in socks6 draft
- Feature: reflect peer timeout in response to client for proxy escapers
- use 504 for http server response
- use 0x09 for socks5 reply
- Feature: support ingress_network_filter for servers
- Feature: support egress_network_filter in direct fixed escaper
- Feature: add response header X-BD-Dynamic-Egress-Info for dynamic escapers, it will be set
if server_id in config is set.
- Feature: let socks5 dynamic peer return early if expired when sending request on an alive connection
- Optimization: use different task log threads for each server
- Optimization: increase the default backlog value to 4096
- Optimization: always use socket address in listen config, drop separate port config
- BUG FIX: use real expire time in http response
- BUG FIX: make sure the remote connection is closed if the http forward task should close
v0.4.8:
- BUG FIX: fix format of http response header Proxy-Authenticate
v0.4.7:
- Optimization: use askama instead of handlebars to generate error html page
- Optimization: support systemd version 23x and python version 3.5.x
- Optimization: switch expire_guard_seconds option to expire_guard_duration for proxy_float escaper
- Optimization: rename main conf key for auth to 'user_group'
v0.4.6:
- BUG FIX: fix http CONNECT 200 response when any custom header enabled
v0.4.5:
- Optimization: do not include the target port in rendezvous selection for proxy escapers.
- Optimization: adjust custom headers and settings for http_proxy server:
- add header X-BD-Remote-Connection-Info, which will be set if server_id in config is set.
- remove header X-BD-Remote-Connection-Expire, as it is contained in X-BD-Remote-Connection-Info.
- remove option http_forward_upstream_id, add option http_forward_mark_upstream instead,