github yusing/godoxy v0.28.0


This release strengthens safe defaults around the local automation API, adds inbound mTLS and richer Docker label merging, and ships WebUI fixes and polish.

Breaking changes

  • Unauthenticated local API bind addresses: Non-loopback binds (0.0.0.0, ::, LAN IPs, public hostnames, etc.) require GODOXY_LOCAL_API_ALLOW_NON_LOOPBACK=true. Loopback (127.0.0.1, ::1, localhost) still works without the flag. Omitting the flag with a non-loopback address fails validation instead of starting a wide-open listener.
  • Entrypoint middleware reload + route bypass overlays: When entrypoint middleware configuration changes at runtime, per-route bypass overlays are recompiled. If overlay compilation fails, matching requests receive HTTP 500 (error text is not returned to clients). Validate middleware/bypass config after edits.
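The bind-address rule from the first breaking change, written out as an added Go example (not godoxy's own code): loopback hosts pass without the flag, anything else fails validation unless the opt-in is set. Port numbers in the sample addresses are constructed; the function name and the `allowNonLoopback` parameter are assumptions standing in for the environment variable.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// ErrNonLoopbackBind is the validation failure for a wide bind without the opt-in.
var ErrNonLoopbackBind = errors.New("non-loopback GODOXY_LOCAL_API_ADDR requires GODOXY_LOCAL_API_ALLOW_NON_LOOPBACK=true")

// isLoopbackHost treats 127.0.0.0/8, ::1 and "localhost" as loopback. An empty
// host (":8888") means every interface to net.Listen and is therefore not loopback,
// and any other hostname is not assumed to resolve to loopback.
func isLoopbackHost(host string) bool {
	if strings.EqualFold(host, "localhost") {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// ValidateLocalAPIAddr applies the v0.28.0 rule: loopback binds always pass,
// anything else needs allowNonLoopback (the environment flag) to be true.
// Hypothetical helper written for this example.
func ValidateLocalAPIAddr(addr string, allowNonLoopback bool) error {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return fmt.Errorf("invalid GODOXY_LOCAL_API_ADDR %q: %w", addr, err)
	}
	if isLoopbackHost(host) || allowNonLoopback {
		return nil
	}
	return fmt.Errorf("%w (got %q)", ErrNonLoopbackBind, addr)
}

func main() {
	// constructed sample addresses; only the first three are accepted without the flag
	for _, addr := range []string{"127.0.0.1:8888", "[::1]:8888", "localhost:8888", ":8888", "0.0.0.0:8888", "[::]:8888", "192.168.1.10:8888"} {
		fmt.Printf("%-20s allow=false -> %v\n", addr, ValidateLocalAPIAddr(addr, false))
	}
}
```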

Security

  • Config file API path handling: File read/write operations for config-related paths are rooted under the intended config directories, blocking .. traversal that could escape the config tree on GET and SET.
  • Local API exposure: see above breaking changes.

New features

  • Inbound mTLS (HTTPS): Define reusable inbound_mtls_profiles (system trust store, custom CA files, or both). Apply a profile on an entrypoint to require client certificates for all HTTPS on that listener, or on individual HTTP-based routes when no entrypoint-wide profile is set. Routing respects TLS SNI; HTTP 421 is returned when a secure request omits SNI or when Host and SNI imply different routes. The WebUI adds editing for profiles, entrypoints, and routes (Certificates & trust / inbound mTLS sections).
    https://docs.godoxy.dev/docs/godoxy/advanced-topics/Inbound-MTLS
  • Middleware bypass overlay: Routes can promote route-local bypass rules so they layer onto entrypoint middleware, avoiding duplicate evaluation and keeping bypass behavior aligned with the route. Middleware accessors exposed to the rest of the stack return safe clones.
    https://docs.godoxy.dev/docs/godoxy/advanced-topics/middlewares#entrypoint-overlay-promotion

Improvements

  • Automatic HTTPS (ACME) reliability under concurrency: Certificate obtain/renew and TLS handshake paths use clearer serialization and snapshotting of provider state, per-provider obtain locks, and independent HTTP client configuration per ACME provider so parallel providers do not corrupt shared client state. Expiry reporting uses cloned maps.
  • Docker provider: nested proxy.* labels: Values that are YAML objects (including OIDC-style dotted keys) are deep-merged in the right order (broader paths before deeper ones). Conflicts between scalars and nested maps produce clearer errors.
  • Access control (IP / Geo) decisions: Allow/deny evaluation uses a TTL-backed cache; very hot paths avoid repeated work. Documented behavior: after in-memory rule changes, cached allow/deny decisions can persist until the TTL expires (by design for performance).
  • Reverse proxy response path: Response modifiers that change the status code now take effect after WriteHeader. Header-only rewrites no longer force large-body buffering for huge declared Content-Length responses. Flushing is limited so fixed-size buffered bodies are not flushed per chunk unless streaming (text/event-stream or chunked encoding without Content-Length). Buffer preallocation respects maxBufferedBytes when set (fixes #222).
  • Request metadata in middleware: Documentation clarifies request-variable substitution (active outbound request fields and upstream variables from the current route).
  • Serialization: LoadFileIfExist-style loading treats empty or whitespace-only files like missing files so blank files do not trip unmarshaling.
  • WebUI: Theme updates (light/dark surfaces, shadows, semantic status colors), Apps grid and playground layout polish, frosted combobox popups, icon set migration to Lucide, config editor loads active config as text and keeps your draft when YAML validation fails, disk usage stat corrected, home events WebSocket updates are batched to reduce UI churn under bursts, generated API client moves from axios to fetch, and various form / schema fixes (labels, optional fields, select capitalization, inbound mTLS clear control).
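The label-merging order described under the Docker provider item (and restated in the upgrade notes) as an added Go example, not godoxy's own implementation: shallower `proxy.*` keys are applied before deeper ones, nested maps are deep-merged, and a scalar colliding with a map is reported as an error with its path. YAML decoding of label values is assumed to have already happened; the function names are hypothetical.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// mergeInto deep-merges src into dst; a scalar meeting a nested map is an error.
func mergeInto(dst, src map[string]any, path string) error {
	for k, v := range src {
		old, seen := dst[k]
		om, oIsMap := old.(map[string]any)
		vm, vIsMap := v.(map[string]any)
		switch {
		case !seen || (!oIsMap && !vIsMap):
			dst[k] = v // new key, or a deeper scalar refining a shallower one
		case oIsMap && vIsMap:
			if err := mergeInto(om, vm, path+"."+k); err != nil {
				return err
			}
		default:
			return fmt.Errorf("%s: scalar conflicts with nested map", path+"."+k)
		}
	}
	return nil
}

// MergeProxyLabels applies shallower proxy.* keys before deeper ones, so a deep
// dotted key refines the YAML object (assumed pre-decoded) under a broader key.
func MergeProxyLabels(labels map[string]any) (map[string]any, error) {
	keys := make([]string, 0, len(labels))
	for k := range labels {
		keys = append(keys, k)
	}
	sort.Slice(keys, func(i, j int) bool { // shallow paths before deep ones
		return strings.Count(keys[i], ".") < strings.Count(keys[j], ".")
	})
	root := map[string]any{}
	for _, key := range keys {
		node := labels[key] // wrap the value in the nested maps the dotted key implies
		for parts := strings.Split(strings.TrimPrefix(key, "proxy."), "."); len(parts) > 0; parts = parts[:len(parts)-1] {
			node = map[string]any{parts[len(parts)-1]: node}
		}
		if err := mergeInto(root, node.(map[string]any), "proxy"); err != nil {
			return nil, err
		}
	}
	return root, nil
}
```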

Bug fixes

  • Tests and edge cases: Host/scheme substitution behaves better when Host is unset (e.g. httptest). PROXY protocol relay example/config samples are cleaned up (including removal of misleading Vary: "*" in an example).
  • WebUI: Relative time strings use singular units for single-second/minute/hour deltas; primitive select resolution returns stable empty strings for optional fields; FormContainer sections with a single child default to expanded so fields are not hidden.

Configuration changes

  • New root/config fields: inbound_mtls_profiles, entrypoint inbound_mtls_profile, route inbound_mtls_profile (where supported); entrypoint relay_proxy_protocol_header remains available for TCP PROXY protocol relay (examples updated: follow current docs for your use case).
  • Environment: .env.example now documents GODOXY_LOCAL_API_ADDR and GODOXY_LOCAL_API_ALLOW_NON_LOOPBACK, including risk guidance for non-loopback use.
  • Examples: Example configs drop relay_proxy_protocol_header where it was only illustrative and remove Vary: * from an example that should not encourage it.

API changes

  • OpenAPI / generated types: Route types include inbound_mtls_profile and document relay_proxy_protocol_header where applicable; GET /cert/renew may return 400 in addition to 403 / 500 (documented in schema).

Upgrade notes

  • Operators using GODOXY_LOCAL_API_ADDR on non-loopback: Move the bind to loopback and access remotely via SSH tunnel or an authenticated path; do not expect the previous wide bind to keep working.
  • Docker Compose / labels: If you use YAML object values under proxy.*, confirm merged results after upgrade; ordering is shallow paths before deep paths.
  • Middleware bypass overlays: After changing entrypoint middleware, watch logs for overlay compile failures and spot-check routes that rely on bypass promotion.
  • Build from source / CI images: Toolchain moves to Go 1.26.2; rebuild images and local binaries with that version (or newer, per your policy).
  • WebUI containers: Frontend images track Bun 1.3.12 in published Dockerfiles where applicable.

Contributors

Thank you @kodareef5 for reporting security issues.
