New features
- Groups: simplify the administration of multiple accounts by letting you assign settings once to a group, instead of multiple times to each individual user.
- Branding: easily customize the WebAdmin and WebClient UIs to match your brand.
- OpenID Connect: SFTPGo can be connected to your existing Identity Provider.
- ACME: add support for obtaining and automatically renewing TLS certificates from Let's Encrypt and other ACME-compliant certification authorities.
- Allow to require two-factor authentication per user.
- Allow to set a start directory for SFTP, FTP and HTTP users.
- Data transfer bandwidth limits, with total limit or separate settings for uploads and downloads and overrides based on the client's IP address.
- Check disk and data transfer quota usage between ongoing transfers even if the transfers are performed on different nodes.
- Global whitelist: services can be restricted to specific ranges of IP addresses.
- New Geo-IP filtering plugin: services can be restricted based on the geographical location of the clients' IP addresses.
- Allow to hide files/folders in directory listing based on pattern filters.
- Allow to cache external authentication.
- External shares: add read/write mode and allow to browse shared directories.
- Allow to configure the minimum version of TLS to be enabled.
- Naming rules for usernames, folder and group names: case insensitive matching is configurable.
- S3: add support for ARN roles.
- HTTP proxy headers: add a depth setting to extract the correct rightmost IP in the list.
- WebAdmin: allow to control column visibility and ordering.
- Allow to set different TLS certificates for each binding.
- Allow to customize execution timeout and environment variable for program based hooks.
- Execute db migrations holding a database-level lock, for databases that support locking.
- s3fs: migrate to AWS SDK v2.
- azblobfs: migrate to the new Azure Blob SDK.
- sshd: disable by default sha1 based host keys, KEXs and MACs.
- Check and update the password hashing algorithm on user login.
- Make sure that JWT tokens, cookies and CSRF tokens can only be used from the IP they were issued for.
- Other minor improvements and bug fixes.
Backward incompatible changes
- External auth: the HTTP hook now receives a proper JSON serialized user. Previously, we were sending a user serialized as a JSON string. See #836 for more details.
- Removed the prefer_database_credentials setting. We now assume that this setting is true. We don't store GCS credentials on the filesystem anymore.
- Rename permission must be explicitly granted. We no longer assume that rename permission is implicitly granted if the user has delete and upload permissions.
- sshd: sha1-based host keys, KEXs and MACs are now disabled by default for security reasons. If you need to support old clients, you need to explicitly enable them.
- skip_natural_keys_validation is now replaced by the more generic naming_rules. The default value for naming_rules is 1, which is the same as setting skip_natural_keys_validation to true.