github PegaProx/project-pegaprox v0.9.5
v0.9.5 Beta – Client Portal, Public Status Page & Security

13 hours ago

✨ New Features

  • Client Portal Plugin — Self-service portal for hosting customers at /portal. VM dashboard with power actions, embedded noVNC console, snapshot management (create/revert/delete), 2FA self-service, and password change. Hosters configure allowed actions, branding, and snapshot limits via config.json. Portal-only users are restricted to /portal login only.
  • Public Status Page Plugin — Cluster health dashboard for monitoring screens at /status?key=xxx (#126). Shows node health, VM counts, storage usage with auto-refresh. No login required — uses URL auth key.
  • Integrated Syslog Server — Receives syslog messages via UDP/TCP on port 1514. Log viewer with filtering, search, severity coloring, and pagination in the dashboard Syslog tab. (Originally contributed by @gyptazy, PR #257, rewritten for gevent compatibility.)
  • External ACME CA Support — Custom ACME directory URLs for CAs like StepCA (#249). (PR #258 | @gyptazy)
  • Plugin Config Editor — Edit plugin config.json directly from Settings → Plugins with JSON validation and formatting

🎨 UI Improvements

  • Markdown VM descriptions with Edit/Preview toggle (PR #263, @newtscamander2)
  • Inline tag selector with existing Proxmox tag dropdown + format validation (PR #263)
  • Node and tag filter dropdowns in Resource Management (PR #263)
  • DNS name validation before API call with translated error messages (PR #263)
  • Tags displayed in compact/card view (max 2 pills + overflow count)
  • VNC console + portal actions visible in admin task bar with username attribution
  • List view table compacted — IP column removed in modern layout, RAM/disk shows percentage only

🛡️ Security Hardening

  • Timing-safe auth key comparison for status page (prevents brute-force via timing analysis)
  • TOTP rate limit tightened: 3 attempts per 2 minutes (was 5/5min)
  • Absolute session timeout: 24h max regardless of activity
  • Admin password change now revokes all sessions (no exceptions)
  • Plugin config path traversal prevention with resolve() check
  • File upload magic byte validation (PNG/JPEG/WebP header check)
  • API token permission escalation fix (custom roles + explicit admin check)
  • Plugin trust warnings for non-PegaProx authors
  • DB encryption key file permissions enforced on startup
  • SSL verification warning logged per cluster
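
The resolve() check named in the path traversal item above, as an added example (not PegaProx's own code): a containment check that compares resolved path components rather than string prefixes. The function name, the plugins directory layout and the sample plugin ids are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path


def resolve_plugin_config(plugins_root: Path, plugin_id: str) -> Path:
    """Return the config.json path for plugin_id (hypothetical helper), or
    raise ValueError if the resolved path falls outside plugins_root."""
    root = plugins_root.resolve()
    # resolve() collapses ".." segments and follows symlinks, so the check
    # below runs on the path the OS would actually open.
    candidate = (root / plugin_id / "config.json").resolve()
    # Compare path components, not string prefixes: a startswith() test
    # would accept a sibling directory such as "<root>-old".
    try:
        candidate.relative_to(root)
    except ValueError:
        raise ValueError(f"plugin id escapes plugin directory: {plugin_id!r}")
    return candidate


def demo() -> dict:
    """Run the check over constructed plugin ids in a temporary tree."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "plugins"
        (root / "client_portal").mkdir(parents=True)
        (Path(tmp) / "plugins-old" / "x").mkdir(parents=True)
        # Symlink that lives inside the plugin directory but points outside it.
        (root / "linked").symlink_to(Path(tmp) / "plugins-old" / "x")
        sample_ids = ["client_portal", "../plugins-old/x", "../../etc",
                      "linked", "/etc"]
        for pid in sample_ids:
            try:
                resolve_plugin_config(root, pid)
                results[pid] = "allowed"
            except ValueError:
                results[pid] = "rejected"
    return results


if __name__ == "__main__":
    for pid, verdict in demo().items():
        print(f"{pid!r:24} {verdict}")
```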

🐛 Bug Fixes

  • setReconfigureCluster prop missing in sidebar — reconfigure button now works (PR #261, @newtscamander2)
  • OIDC skip_jwt_verification not persisted across sessions (#188)
  • Portal-only users could access main dashboard via direct URL navigation
  • Client Portal: Tailwind CDN replaced with local CSS for offline/air-gapped environments

📋 Updating

Use the built-in web updater in Settings → Updates, or manually:

cd /opt/PegaProx
curl -O https://raw.githubusercontent.com/PegaProx/project-pegaprox/refs/heads/main/update.sh
chmod +x update.sh && sudo bash update.sh

Or pull the latest Docker image.
