Changes
- Self-service credentials management (#1145) - you can now allow users to manage their own credentials. Enable it in Config -> Misc -> Global parameters.
- Multiple return domains for SSO, prefer host header over `external_host` (dbf96a8 / #1093) - Warpgate now uses the `Host` header to resolve its own external URL and only falls back to the `external_host` from the config file if the header is missing. If you're running behind a reverse proxy, make sure that `http.trust_x_forwarded_headers` is set in the config and you're passing the `X-Forwarded-Host` header. SSO logins will also dynamically construct their return URL from the `Host` header. You can restrict the allowed return domains with the new `sso_providers[].return_domain_whitelist` option (a list of hostnames).
- Passing user-identifying headers to HTTP targets (cc0b054 / #1107) - Warpgate now passes `x-warpgate-username` and `x-warpgate-authentication-type` headers to HTTP targets.
- `--enable-admin-token` option (9dd1c58) - setting it allows passing a global admin token via the WARPGATE_ADMIN_TOKEN env variable. This token can be used to authenticate against the admin REST API (pass it in the `x-warpgate-token` header).
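A small Python model of the host resolution order and return-domain check described in the `Host` header item above. It is an added illustration, not Warpgate's code: the function names, the `/sso/return` path, the `https` scheme, the precedence of `X-Forwarded-Host` when trusted, and rejecting (rather than rewriting) a non-whitelisted host are assumptions.

```python
from typing import Mapping, Optional, Sequence
from urllib.parse import urlsplit

RETURN_PATH = "/sso/return"  # placeholder path, not taken from Warpgate


class ReturnHostRejected(Exception):
    """The resolved host is missing or not an allowed SSO return domain."""


def resolve_external_host(headers: Mapping[str, str], trust_x_forwarded_headers: bool,
                          external_host: Optional[str]) -> Optional[str]:
    """Pick the host used to build URLs, in the order the notes describe."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    # Assumption: X-Forwarded-Host is honoured only when the trust flag is set.
    if trust_x_forwarded_headers and h.get("x-forwarded-host"):
        return h["x-forwarded-host"].split(",")[0].strip().lower()
    if h.get("host"):
        return h["host"].lower()
    return external_host  # the config value is only the fallback


def sso_return_url(headers: Mapping[str, str], *, trust_x_forwarded_headers: bool = False,
                   external_host: Optional[str] = None,
                   return_domain_whitelist: Optional[Sequence[str]] = None) -> str:
    host = resolve_external_host(headers, trust_x_forwarded_headers, external_host)
    if not host:
        raise ReturnHostRejected("no Host header and no external_host configured")
    hostname = urlsplit("//" + host).hostname  # drop any :port before comparing
    # Assumption: a host outside the whitelist is rejected rather than rewritten.
    if return_domain_whitelist is not None:
        allowed = {d.lower() for d in return_domain_whitelist}
        if hostname not in allowed:
            raise ReturnHostRejected(f"{hostname!r} is not an allowed return domain")
    return f"https://{host}{RETURN_PATH}"


# Constructed sample requests.
BEHIND_PROXY = {"Host": "10.0.0.5:8888", "X-Forwarded-Host": "gate.example.com"}
SPOOFED = {"Host": "login.attacker.example"}

if __name__ == "__main__":
    print(sso_return_url(BEHIND_PROXY, trust_x_forwarded_headers=True,
                         return_domain_whitelist=["gate.example.com"]))
    print(sso_return_url(SPOOFED))  # no whitelist: URL follows the client-supplied Host
```

Without a whitelist the return URL follows whatever `Host` value the client sent, which is why the model treats the whitelist as the control that pins SSO returns to known hostnames.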
Other changes
- ef46e75: add keepalive_interval to ssh config (#1134) (Piotr Rotter)
- f1d565b: Svelte 5 migration (#1101)
- a20fdb8: Bumped russh (#1131)
- 379b1bc: fixed #983 - enable ssh-rsa when insecure algorithms are allowed
- b359838: Separate DB models for credentials (#1143)
Fixes
- 846e6d1: fixed #1110 - Fix switch for insecure ssh algorithms option (#1111) (hashfunc)
- 38dbb3b: fixed #1096 - SEC1 EC private key file support for TLS
- 80ee6cc: fixed #1074 - strip trailing slash in SSO issuer URLs and log errors properly
- 8acaaee: show more detailed error messages for API errors
- 3b29a3e: fixed #929 - sso: broken `additional_trusted_audiences` config option
- 557921f: postgres listener was incorrectly using the mysql certificate & key
- 41d3158: fixed #1039 - first DB migration failing on Postgres