Releases: ghostunnel/ghostunnel
Version 1.5.0-rc.2
Fixes a couple of bugs found in the previous release candidate, namely (1) a bug where running in client mode without a cert could panic if a cert was requested by the server and (2) a bug in the cipher suite flag validation logic.
Version 1.5.0-rc.1
Release candidate for 1.5.0, featuring support for the SPIFFE workload API, socket activation for systemd (Linux) and launchd (macOS), and a host of smaller changes.
Version 1.4.1
Version 1.4.0
New features
- Support signalling of transport connection information to the backend using the PROXY protocol (v2); just pass the --proxy-protocol flag on startup. Note that the backend must also support the PROXY protocol and must be configured to use it when setting this option.
- Support silencing of specific types of log messages using the --quiet flag, such as --quiet=conns or --quiet=handshake-errs. You can pass this flag repeatedly if you want to silence multiple different kinds of log messages. In particular, --quiet=handshake-errs is useful if you want to silence handshake errors caused by TCP health checks when running in Kubernetes.
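What a backend has to parse once --proxy-protocol is set, as an added Go example (not ghostunnel's own code): a reader for the PROXY protocol v2 binary header that fails closed when a connection does not start with a valid header. The names ReadProxyV2 and ProxyInfo and the sample addresses are constructed for this illustration.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
	"net"
)

var proxyV2Sig = []byte("\r\n\r\n\x00\r\nQUIT\n") // 12-byte v2 signature

type ProxyInfo struct { // original connection as reported by the proxy
	Local            bool // LOCAL command: header carries no addresses
	SrcIP, DstIP     net.IP
	SrcPort, DstPort uint16
}

// ReadProxyV2 consumes exactly one v2 header from r and rejects anything else.
func ReadProxyV2(r *bufio.Reader) (*ProxyInfo, error) {
	hdr := make([]byte, 16)
	if _, err := io.ReadFull(r, hdr); err != nil {
		return nil, err
	}
	if !bytes.Equal(hdr[:12], proxyV2Sig) || hdr[12]>>4 != 2 || hdr[12]&0x0f > 1 {
		return nil, fmt.Errorf("not a PROXY v2 header")
	}
	body := make([]byte, binary.BigEndian.Uint16(hdr[14:])) // addresses + TLVs
	if _, err := io.ReadFull(r, body); err != nil {
		return nil, err
	}
	if hdr[12]&0x0f == 0 { // LOCAL, e.g. a connection opened by the proxy itself
		return &ProxyInfo{Local: true}, nil
	}
	n := map[byte]int{1: 4, 2: 16}[hdr[13]>>4] // address size for INET, INET6
	if n == 0 || len(body) < 2*n+4 {
		return nil, fmt.Errorf("unsupported family or short address block")
	}
	be := binary.BigEndian
	return &ProxyInfo{SrcIP: body[:n], DstIP: body[n : 2*n],
		SrcPort: be.Uint16(body[2*n:]), DstPort: be.Uint16(body[2*n+2:])}, nil
}

func main() {
	// Constructed sample: PROXY, TCP/IPv4, 192.0.2.10:51000 -> 198.51.100.5:443.
	sample := append([]byte("\r\n\r\n\x00\r\nQUIT\n\x21\x11\x00\x0c"),
		192, 0, 2, 10, 198, 51, 100, 5, 0xc7, 0x38, 0x01, 0xbb)
	fmt.Println(ReadProxyV2(bufio.NewReader(bytes.NewReader(sample))))
}
```

The header is unauthenticated data, so a backend should accept it only on a listener that is reachable solely from the proxy.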
Other
- Added new flags --cert/--key to load certificate chain/private key from separate files.
- Bumped build to Go 1.12, updated our dependencies, and added various new integration tests.
Version 1.3.1
Updates build to Go 1.11.4 and pulls in the latest version of kavu/go_reuseport to fix issue #200.
Version 1.3.0
Notable changes
- Added support for wildcards in the allow-uri and verify-uri access control flags. See ACCESS-FLAGS documentation for more information on how to use this. Cleaned up naming of access control flags.
Other
- Added a docs folder with more detailed documentation explaining how to use features like access control and metrics better.
- Migrated to using Go modules for managing dependencies. The vendor folder is still checked into git for now, though it may disappear in the future, once modules become the default in Go.
Update: Binaries for this release were rebuilt with Go 1.11.4 on Dec 14, 2018.
Version 1.2.2
Notable changes
- Added experimental support for the macOS keychain via certstore; requires the certstore build tag to be enabled to compile, off by default for now (#167).
- Updated the Dockerfile to use multistage builds to reduce size of the image; as a result the squareup/ghostunnel Docker image will not contain the Go toolchain anymore (#160).
- Added support (h/t @gouthamve) for the Prometheus metrics format in the /_metrics endpoint. A new format query param can be set to json or prometheus to select between the old or new format. The default remains the JSON format for now (#180).
Everything else
Version 1.2.1
Version 1.2.0
Notable changes
- Added support for Windows. Supports most major features as on UNIX platforms, with the exception of various UNIX-specific tidbits like SO_REUSEPORT or logging to syslog (#136, #139).
- Added new access control flags. The --allow-uri-san and --verify-uri-san flags can be used to verify peer certificates against a given URI SAN, e.g. for use with SPIFFE SVIDs (#128).
- A new --disable-authentication flag can be used to disable client certificates in both client and server modes. Note that this disables all authentication and access controls (#150).
- Parameters for loading private keys from a PKCS#11 module can now be specified via environment variables instead of flags if desired (PKCS11_MODULE, PKCS11_LABEL and PKCS11_PIN).
Bug fixes and others
- Added a new metric to time handshakes; it can be used to gather stats about average handshake latency through the status/metrics endpoint (#126).
- Cleaned up internal flag handling, updated vendored dependencies, and added a new Makefile.dist to build cross-compiled release binaries for darwin/amd64, linux/amd64 and windows/{386,amd64}.
Version 1.2.0-rc.2
Added --disable-authentication flag, which disables client certificate authentication (#150).