Releases: c2FmZQ/tlsproxy
v0.24.0
⭐ Feature improvement
- Add two new SSO rule options:
  - `SkipLoginPage` redirects requests directly to the IDP's login page.
  - `Return403ForGetRequests` returns a simple 403 (Forbidden) response for GET requests. Normally, GET requests get a login page.
- Add `TokenLifetime` to OIDC, SAML, and Passkey providers. This optional field sets the lifetime of auth tokens set by tlsproxy.
🔧 Misc
- Update go: 1.25.5
- Update go dependencies:
- upgraded github.com/c2FmZQ/http3-go v0.56.0 => v0.57.0
- upgraded github.com/c2FmZQ/quic-api v0.56.0 => v0.57.0
- upgraded github.com/google/go-tpm v0.9.7 => v0.9.8
- upgraded github.com/quic-go/quic-go v0.56.0 => v0.58.0
- upgraded github.com/quic-go/qpack v0.5.1 => v0.6.0
- upgraded golang.org/x/crypto v0.45.0 => v0.46.0
- upgraded golang.org/x/net v0.47.0 => v0.48.0
- upgraded golang.org/x/sys v0.38.0 => v0.39.0
- upgraded golang.org/x/text v0.31.0 => v0.32.0
- upgraded software.sslmate.com/src/go-pkcs12 v0.6.0 => v0.7.0
v0.23.2
🔧 Misc
- Update go: 1.25.4
- Update go dependencies:
- upgraded github.com/c2FmZQ/ech v0.3.6 => v0.3.7
- upgraded github.com/c2FmZQ/http3-go v0.55.0 => v0.56.0
- upgraded github.com/c2FmZQ/quic-api v0.55.0 => v0.56.0
- upgraded github.com/google/go-tpm v0.9.6 => v0.9.7
- upgraded github.com/quic-go/quic-go v0.55.0 => v0.56.0
- upgraded golang.org/x/crypto v0.43.0 => v0.45.0
- upgraded golang.org/x/net v0.46.0 => v0.47.0
- upgraded golang.org/x/sys v0.37.0 => v0.38.0
- upgraded golang.org/x/text v0.30.0 => v0.31.0
v0.23.1
🔧 Misc
- Replace the 🛂 emoji with a svg icon.
- Update go: 1.25.3
- Update go dependencies:
- upgraded golang.org/x/crypto v0.42.0 => v0.43.0
- upgraded golang.org/x/mod v0.28.0 => v0.29.0
- upgraded golang.org/x/net v0.45.0 => v0.46.0
- upgraded golang.org/x/sys v0.36.0 => v0.37.0
- upgraded golang.org/x/text v0.29.0 => v0.30.0
- upgraded golang.org/x/time v0.13.0 => v0.14.0
- upgraded golang.org/x/tools v0.37.0 => v0.38.0
v0.23.0
🔧 Misc
- Clean up the ssh CA request parsing. When a specific ttl is desired, the request must now use `content-type: application/x-www-form-urlencoded`.
- Update go: 1.25.2
- Update go dependencies:
- upgraded github.com/c2FmZQ/http3-go v0.54.0 => v0.55.0
- upgraded github.com/c2FmZQ/quic-api v0.54.0 => v0.55.0
- upgraded github.com/quic-go/quic-go v0.54.0 => v0.55.0
- upgraded golang.org/x/net v0.44.0 => v0.45.0
v0.22.2
🔧 Misc
- New tests and refactoring.
- Update go dependencies:
- upgraded github.com/c2FmZQ/storage v0.3.0 => v0.3.1
- upgraded github.com/c2FmZQ/tpm v0.4.1 => v0.4.3
v0.22.1
🔧 Bug fix
- Fix minor language matching bug. Under some conditions, the UI would pick the wrong language from the browser.
v0.22.0
🌟 New feature
- New translations for 40 languages, mostly AI-generated.
🔧 Misc
- Update go: 1.25.1
- Update go dependencies:
- upgraded github.com/google/go-tpm v0.9.5 => v0.9.6
- upgraded golang.org/x/crypto v0.41.0 => v0.42.0
- upgraded golang.org/x/mod v0.27.0 => v0.28.0
- upgraded golang.org/x/net v0.43.0 => v0.44.0
- upgraded golang.org/x/sync v0.16.0 => v0.17.0
- upgraded golang.org/x/sys v0.35.0 => v0.36.0
- upgraded golang.org/x/text v0.28.0 => v0.29.0
- upgraded golang.org/x/time v0.12.0 => v0.13.0
- upgraded golang.org/x/tools v0.36.0 => v0.37.0
v0.21.0
🔧 Misc
- Better CSRF protection for local http handlers.
- Only show groups when the groups scope is granted.
- Require the openid scope to access /userinfo.
v0.20.0
🌟 New features
- Groups for access control. See examples/sso
- Device authorization flow (RFC 8628) to access backend services from non-browser environments, e.g. shell scripts.
  - Parts of this change also add scopes to all the endpoints so that the permissions of tokens issued with oauth2 can be limited. By default, all the proxied http(s) endpoints that require SSO also require the sso scope. Built-in endpoints have their own required scopes as well, e.g. ssh, pki, etc.
- New `maximumCertificateLifetime` attribute for `sshCertificateAuthorities`.
🔧 Misc
- Fix parsing of SSH Cert request. Sometimes, the requested TTL wasn't parsed correctly.
- Update go dependencies:
- upgraded github.com/beevik/etree v1.5.1 => v1.6.0
- upgraded go.uber.org/mock v0.5.2 => v0.6.0
v0.19.0
⭐ Feature improvement
Backends can now have different SSO ACLs for different paths. The paths:, exceptions:, acl:, and forceReAuth: options are moving to rules: where each rule has its own paths:, exceptions:, acl:, and forceReAuth: options.
Before:

```yaml
sso:
  provider: <provider>
  paths:
  - /foo
  forceReAuth: 1h
  acl:
  - [email protected]
  - [email protected]
```

Now:

```yaml
sso:
  provider: <provider>
  rules:
  - paths:
    - /foo
    forceReAuth: 1h
    acl:
    - [email protected]
    - [email protected]
```

The first rule with matching paths (and not matching exceptions) is the one that's used for the request.
As before, if acl: is not specified, all authenticated requests are allowed. If acl: is set to an empty list, i.e. acl: [], nothing is allowed.
The old syntax still works, but is now deprecated and will be removed eventually.
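The rule selection described above, as an added Go example (not tlsproxy's own code): the first rule whose paths match and whose exceptions do not is used, and an omitted `acl:` is kept distinct from `acl: []`. The `Rule` type, `Decide`, `SampleRules`, the sample addresses and the use of plain prefix matching for paths are assumptions of this example.

```go
package main

import (
	"fmt"
	"slices"
	"strings"
)

// Rule is one entry of rules:. ACL is a pointer so that an omitted acl:
// (nil) is distinguishable from acl: [] (empty list).
type Rule struct {
	Paths, Exceptions []string
	ACL               *[]string
}

// matchAny uses plain prefix matching (an assumption of this example).
func matchAny(prefixes []string, path string) bool {
	return slices.ContainsFunc(prefixes, func(p string) bool { return strings.HasPrefix(path, p) })
}

// Decide returns the index of the first applicable rule and whether user,
// already authenticated, passes its ACL. It returns -1, false when no rule
// applies; the release notes do not cover that case.
func Decide(rules []Rule, path, user string) (int, bool) {
	for i, r := range rules {
		if !matchAny(r.Paths, path) || matchAny(r.Exceptions, path) {
			continue // later rules are only consulted when this one does not apply
		}
		if r.ACL == nil {
			return i, true // acl: omitted, all authenticated requests allowed
		}
		// An empty list contains nobody, so acl: [] always denies.
		return i, slices.Contains(*r.ACL, user)
	}
	return -1, false
}

// SampleRules is constructed data, not taken from the tlsproxy examples.
func SampleRules() []Rule {
	return []Rule{
		{Paths: []string{"/admin"}, ACL: &[]string{"alice@example.com"}},
		{Paths: []string{"/frozen"}, ACL: &[]string{}},
		{Paths: []string{"/"}, Exceptions: []string{"/public"}},
	}
}

func main() {
	fmt.Println(Decide(SampleRules(), "/admin/x", "bob@example.com"))
}
```

Because the first applicable rule decides, a request under `/admin` from a user outside its ACL is denied even though the later catch-all rule has no ACL; rule order is part of the policy.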
🔧 Misc
- Update go: 1.25.0
- Update go dependencies:
- upgraded golang.org/x/crypto v0.40.0 => v0.41.0
- upgraded golang.org/x/mod v0.26.0 => v0.27.0
- upgraded golang.org/x/net v0.42.0 => v0.43.0
- upgraded golang.org/x/sys v0.34.0 => v0.35.0
- upgraded golang.org/x/text v0.27.0 => v0.28.0
- upgraded golang.org/x/tools v0.35.0 => v0.36.0