Highlights
- Enabled Landlock sandboxing by default in best-effort mode (Linux). Use the new `--disable-landlock` flag to disable it. Note that Landlock is not compatible with PKCS#11 and is disabled automatically if any of the PKCS#11 options are used.
- Upgraded to OPA v1.0+ and added support for loading OPA bundles (not just policies) via the `--allow-policy` flag. It's recommended to use bundles instead of bare policies so you can set which version of Rego to use.
- Improved proxy memory usage through shared buffers and added new flags to control proxy behavior (`--close-timeout`, `--max-conn-lifetime`, and `--max-concurrent-conns`).
- Go version upgraded from Go 1.22 to Go 1.24+.
Major Changes
- Improve proxy performance and connection handling (by @csstaub in #523)
  - Shared buffer pools for reduced memory allocations
  - Better connection lifetime tracking and logging
  - Bytes sent/received now logged for each connection
- Add maximum concurrent connections feature (by @csstaub in #561)
  - New `--max-concurrent-conns` flag to limit simultaneous proxy connections
  - New
- Use context for cancellation and modernize proxy handling (by @csstaub in #571)
  - Refactored to use Go's context package for timeout and cancellation handling
  - Improved timeout error detection
- Enable Landlock by default (Linux, best-effort mode) (by @csstaub in #607)
  - Automatically enabled on Linux systems that support it
  - Gracefully degrades on systems without Landlock support
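Best-effort mode means the sandbox adapts to whatever Landlock ABI the running kernel offers, instead of refusing to start on a kernel that lacks Landlock or predates a given access right. The Go program below is an added example of that logic written for these notes; it is not Ghostunnel's code. It calls the raw `landlock_create_ruleset` syscall (number 444 on every Linux architecture) and uses the `LANDLOCK_ACCESS_FS_*` bit values from `<linux/landlock.h>`; the function names (`ProbeABI`, `BestEffortRights`, `CreateRuleset`, `Sandbox`) are this example's own. It probes the ABI, clamps the requested rights to those the ABI knows about, and creates the ruleset, but deliberately stops short of `landlock_restrict_self`, so running it does not sandbox the caller. It is Linux-only.

```go
package main

import (
	"fmt"
	"syscall"
	"unsafe"
)

// landlock_create_ruleset is syscall 444 on every Linux architecture; the flag
// and the LANDLOCK_ACCESS_FS_* bits below come from <linux/landlock.h>.
const (
	sysLandlockCreateRuleset     = 444
	landlockCreateRulesetVersion = 1 << 0 // attr=NULL, size=0: returns the ABI
)

// fsRights pairs each filesystem access right with the ABI that introduced it.
var fsRights = []struct {
	bit  uint64
	abi  int
	name string
}{
	{1 << 0, 1, "execute"}, {1 << 1, 1, "write_file"}, {1 << 2, 1, "read_file"},
	{1 << 3, 1, "read_dir"}, {1 << 4, 1, "remove_dir"}, {1 << 5, 1, "remove_file"},
	{1 << 6, 1, "make_char"}, {1 << 7, 1, "make_dir"}, {1 << 8, 1, "make_reg"},
	{1 << 9, 1, "make_sock"}, {1 << 10, 1, "make_fifo"}, {1 << 11, 1, "make_block"},
	{1 << 12, 1, "make_sym"}, {1 << 13, 2, "refer"}, {1 << 14, 3, "truncate"},
	{1 << 15, 5, "ioctl_dev"}, // ABI 4 added only network rights
}

// AllFSRights is every right this program knows, i.e. what it would handle on
// the newest kernel.
func AllFSRights() uint64 {
	var m uint64
	for _, r := range fsRights {
		m |= r.bit
	}
	return m
}

// ProbeABI returns the Landlock ABI the running kernel supports, or 0 when it
// is unavailable: ENOSYS (kernel built without it), EOPNOTSUPP (disabled with
// the lsm= boot parameter) or a seccomp filter from an outer sandbox. Best-effort
// mode treats all of these the same way and carries on unsandboxed.
func ProbeABI() int {
	r1, _, errno := syscall.Syscall(sysLandlockCreateRuleset, 0, 0, landlockCreateRulesetVersion)
	if errno != 0 {
		return 0
	}
	return int(r1)
}

// BestEffortRights drops every requested right the kernel's ABI does not know.
// Passing an unknown bit makes landlock_create_ruleset fail with EINVAL, so a
// program that always asked for the newest rights would lose the whole sandbox
// on an older kernel; clamping keeps what the kernel can enforce.
func BestEffortRights(wanted uint64, abi int) uint64 {
	var handled uint64
	for _, r := range fsRights {
		if wanted&r.bit != 0 && r.abi <= abi {
			handled |= r.bit
		}
	}
	return handled
}

// CreateRuleset asks the kernel for a ruleset handling the given rights and
// returns its file descriptor. Only the first field of struct
// landlock_ruleset_attr (handled_access_fs) is passed; every ABI accepts that
// 8-byte prefix. Enforcing the ruleset would also need landlock_add_rule,
// prctl(PR_SET_NO_NEW_PRIVS) and landlock_restrict_self, left out here so that
// running the example does not sandbox the caller.
func CreateRuleset(handled uint64) (int, error) {
	attr := handled
	r1, _, errno := syscall.Syscall(sysLandlockCreateRuleset,
		uintptr(unsafe.Pointer(&attr)), unsafe.Sizeof(attr), 0)
	if errno != 0 {
		return -1, errno
	}
	return int(r1), nil
}

// Sandbox runs the best-effort sequence probe, clamp, create. abi == 0 means
// the process continues without Landlock, as it would with --disable-landlock.
func Sandbox(wanted uint64) (abi int, handled uint64, err error) {
	abi = ProbeABI()
	if abi == 0 {
		return 0, 0, nil
	}
	handled = BestEffortRights(wanted, abi)
	fd, err := CreateRuleset(handled)
	if err != nil {
		return abi, handled, err
	}
	syscall.Close(fd)
	return abi, handled, nil
}

func main() {
	abi, handled, err := Sandbox(AllFSRights())
	fmt.Printf("landlock: abi=%d handled=%#x err=%v\n", abi, handled, err)
}
```

On a kernel with ABI 3 this handles 15 of the 16 rights and silently leaves out `ioctl_dev`; on a kernel without Landlock it reports ABI 0 and does nothing, which is the degradation the release notes describe. A real sandbox would go on to add path rules and call `landlock_restrict_self`, and would log which ABI it ended up with so that operators can tell a partial sandbox from a full one.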
Minor Changes
- Improved proxy logging (by @csstaub in #543)
  - Use "forwarded/returned" instead of "sent/recv" for clearer logs
  - Log bytes sent/received in connection close messages
- Show more information in status line/endpoint (by @csstaub in #551)
  - Display listen/forward address in status output (endpoint and systemd)
- Fix compatibility for OPA upgrade from v0 to v1 (by @csstaub in #563)
  - Handle backwards compatibility for v0 Rego files
  - Updated tests to use OPA bundles instead of naked Rego files
- Hide the `--cipher-suites` flag (by @csstaub in #566)
  - Flag is now hidden; modern TLS defaults are used
- Add new flag for setting max TLS version (by @csstaub in #572)
  - New `--max-tls-version` flag (TLS1.2, TLS1.3)
  - New
- Add new flag to skip DNS resolution on startup (by @csstaub in #609)
  - New `--skip-resolve` flag, useful when starting Ghostunnel before the network is ready (fixes #585)
  - New
New Flags
| Flag | Description |
|---|---|
| `--close-timeout` | Timeout for closing connections when one side terminates (default: 1s) |
| `--max-conn-lifetime` | Maximum lifetime for connections post handshake (default: 0/infinite) |
| `--max-concurrent-conns` | Maximum concurrent connections to handle (default: 0/infinite) |
| `--max-tls-version` | Maximum TLS version to use (TLS1.2, TLS1.3) |
| `--skip-resolve` | Skip resolving target host on startup |
| `--disable-landlock` | Disable Landlock sandboxing (Linux) |
| `--proxy` | Connect via proxy (HTTP CONNECT or SOCKS5), replaces `--connect-proxy` |
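The three connection-handling flags compose cleanly once each connection is driven by a context, which is what the cancellation refactor in this release does. The Go proxy below is an added example written for these notes, not Ghostunnel's implementation: `Limits`, `Proxy`, `NewProxy`, `Handle` and the two error values are names invented here. It rejects a new connection once `MaxConcurrentConns` are active, turns `MaxConnLifetime` into a context deadline that cancels the dial and both copy directions alike, and after one side reaches EOF gives the other side `CloseTimeout` to drain before tearing the connection down, returning the bytes forwarded and returned so the caller can write the close log line.

```go
package main

import (
	"context"
	"errors"
	"io"
	"net"
	"sync"
	"time"
)

// Limits mirrors the three new flags: zero MaxConcurrentConns or
// MaxConnLifetime means unlimited, zero CloseTimeout means close at once.
type Limits struct {
	MaxConcurrentConns int
	MaxConnLifetime    time.Duration
	CloseTimeout       time.Duration
}

var ErrTooManyConns = errors.New("proxy: max concurrent connections reached")
var ErrLifetimeExceeded = errors.New("proxy: max connection lifetime exceeded")

// Proxy forwards accepted client connections to backends obtained from Dial.
type Proxy struct {
	Limits Limits
	Dial   func(ctx context.Context) (net.Conn, error)
	slots  chan struct{} // counting semaphore; nil when unlimited
}

func NewProxy(lim Limits, dial func(context.Context) (net.Conn, error)) *Proxy {
	p := &Proxy{Limits: lim, Dial: dial}
	if lim.MaxConcurrentConns > 0 {
		p.slots = make(chan struct{}, lim.MaxConcurrentConns)
	}
	return p
}

// acquire takes a slot without blocking: a full proxy fails fast so the caller
// can log and close the client, rather than queueing connections indefinitely.
func (p *Proxy) acquire() bool {
	if p.slots == nil {
		return true
	}
	select {
	case p.slots <- struct{}{}:
		return true
	default:
		return false
	}
}

// Handle proxies one client connection and returns the bytes forwarded to and
// returned from the backend, the figures the close log line reports.
func (p *Proxy) Handle(ctx context.Context, client net.Conn) (forwarded, returned int64, err error) {
	defer client.Close()
	if !p.acquire() {
		return 0, 0, ErrTooManyConns
	}
	defer func() {
		if p.slots != nil {
			<-p.slots
		}
	}()
	// The lifetime limit is a context deadline, so the dial, both copies and
	// the drain below are all cancelled by the same ctx.
	var cancel context.CancelFunc
	if p.Limits.MaxConnLifetime > 0 {
		ctx, cancel = context.WithTimeout(ctx, p.Limits.MaxConnLifetime)
	} else {
		ctx, cancel = context.WithCancel(ctx)
	}
	defer cancel()
	backend, err := p.Dial(ctx)
	if err != nil {
		return 0, 0, err
	}
	defer backend.Close()
	var wg sync.WaitGroup
	first := make(chan struct{}, 2)
	copyDir := func(dst, src net.Conn, n *int64) {
		defer wg.Done()
		*n, _ = io.Copy(dst, src)
		first <- struct{}{}
	}
	wg.Add(2)
	go copyDir(backend, client, &forwarded)
	go copyDir(client, backend, &returned)
	select {
	case <-first: // one direction saw EOF: give the other CloseTimeout to drain
		select {
		case <-first:
		case <-time.After(p.Limits.CloseTimeout):
		case <-ctx.Done():
		}
	case <-ctx.Done():
	}
	client.Close()
	backend.Close() // unblocks whichever copier is still reading
	wg.Wait()       // both byte counts are final from here on
	if errors.Is(ctx.Err(), context.DeadlineExceeded) {
		err = ErrLifetimeExceeded
	}
	return forwarded, returned, err
}
```

An accept loop would call `Handle` in a goroutine per connection and log the returned counts and error; rejecting with `ErrTooManyConns` rather than blocking on the semaphore is deliberate, since a proxy that queues connections under load hides the overload from the operator and holds file descriptors for clients that will never be served.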
Deprecations
- `--connect-proxy` flag is now deprecated (hidden); use `--proxy` instead
- `--cipher-suites` flag is now hidden
Dependency Updates
- OPA upgraded from v0.x to v1.5.0
- gRPC upgraded to v1.72.2
- go-proxyproto upgraded from v0.8.0 to v0.8.1
- go-spiffe upgraded from v2.4.0 to v2.5.0
- golang.org/x/net upgraded to v0.36.0
- go-jose upgraded from v4.0.4 to v4.0.5
Other Changes
- Reduced Dockerfile-debian image size by removing apt lists
- Removed BUG-BOUNTY.md notice (Square/Block suspended the program)
- Improved documentation and man page
- Various test reliability improvements (especially for Windows)
Full Changelog: v1.8.4...v1.9.0