Full migration guide: https://docs.godoxy.dev/docs/godoxy/migration/v0.29.0
Breaking Changes
- Embedded Web UI: Drop any `frontend`/`godoxy-frontend` service from Compose; the main GoDoxy image serves the dashboard. Set `webui.aliases` (and related `webui` fields) as in `config.example.yml`—see migration guide.
- Socket proxy environment variable: `SOCKET_PROXY_LISTEN_ADDR` → `LISTEN_ADDR` (see migration guide for Compose snippets).
- Docker image tags from CI: Compat workflow/tags are gone; compat-style tags are no longer published. If you pinned them, switch to latest, nightly, or v… as documented in the migration guide.
Security
- Access logging after hijacking: Hijacked connections are handled so error paths do not blindly emit extra HTTP status lines or treat hijack like an ordinary proxy failure in misleading ways.
New Features
Proxy, routes, and TLS
- Shared HTTPS listener with TLS SNI routing: Multiple TCP/stream backends can share the proxy HTTPS port by matching ClientHello SNI to route aliases. Optional `tls_termination` terminates TLS with autocert (when configured) before plaintext upstream; otherwise traffic can stay encrypted end-to-end. Listener matching respects wildcard and IPv6 listen forms. Until the first TCP SNI route registers, ordinary HTTPS on that listener keeps a direct accept path (no ClientHello sniffing or SNI queue), so typical HTTPS sites avoid that overhead. Implemented in PR #230; tracks issue #218 (SNI-based passthrough) and issue #223 (TCP TLS termination).
- HTTP rule actions: `serve_file` serves a single existing file (non-directory); distinct from `serve`, which serves a directory. `handle` dispatches to an in-process registered handler by name.
- Upstream connection cap: `max_conns_per_host` limits concurrent connections per upstream host on the HTTP transport when set (YAML/API and Web UI).
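The SNI matching described in the first item of this list, sketched as an added example (not GoDoxy's own code): it reads the ClientHello with Go's `crypto/tls` without answering the client, keeps the raw bytes for replay, and looks the name up in an alias table. `PeekSNI`, `Route`, `demo`, the alias and the backend address are hypothetical, and leaving unmatched names on the ordinary HTTPS path is an assumption.

```go
package main

import (
	"bytes"
	"crypto/tls"
	"errors"
	"fmt"
	"io"
	"net"
	"strings"
)

// sniffConn feeds tls.Server from r and refuses writes, so the peek never
// sends anything to the client. The embedded net.Conn is nil and unused.
type sniffConn struct {
	net.Conn
	r io.Reader
}

func (c sniffConn) Read(p []byte) (int, error) { return c.r.Read(p) }
func (sniffConn) Write([]byte) (int, error)    { return 0, io.ErrClosedPipe }

// PeekSNI parses one ClientHello from r. It returns the SNI and the raw bytes
// consumed, which must be replayed to whichever handler takes the connection.
func PeekSNI(r io.Reader) (string, []byte, error) {
	var raw bytes.Buffer
	sni, seen := "", false
	cfg := &tls.Config{GetConfigForClient: func(h *tls.ClientHelloInfo) (*tls.Config, error) {
		sni, seen = h.ServerName, true
		return nil, errors.New("stop after ClientHello")
	}}
	err := tls.Server(sniffConn{r: io.TeeReader(r, &raw)}, cfg).Handshake()
	if !seen {
		return "", raw.Bytes(), err // not TLS, or a truncated hello
	}
	return sni, raw.Bytes(), nil
}

// Route maps an SNI to a TCP backend; ok=false leaves the connection on the
// ordinary HTTPS path (assumed fallback). Host names compare case-insensitively.
func Route(sni string, aliases map[string]string) (string, bool) {
	backend, ok := aliases[strings.ToLower(sni)]
	return backend, ok
}

// demo drives PeekSNI with constructed input: tls.Client over an in-memory pipe.
func demo(name string, aliases map[string]string) (string, int, string, bool) {
	cli, srv := net.Pipe()
	defer srv.Close()
	go tls.Client(cli, &tls.Config{ServerName: name}).Handshake()
	sni, raw, _ := PeekSNI(srv)
	backend, ok := Route(sni, aliases)
	return sni, len(raw), backend, ok
}

func main() {
	fmt.Println(demo("db.example.test", map[string]string{"db.example.test": "10.0.0.5:5432"}))
}
```

With passthrough the replayed bytes go to the backend unchanged, so the proxy never holds the session keys; only a route that terminates TLS sees plaintext.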
Web UI
- New root-level `webui` field and `/settings`: Config adds optional `webui` (`WebUIConfig`) for the built-in Web UI route—aliases, file-server-style options, and optional `rules` that merge with presets from `webui.yml`/`webui_dev.yml`. Theme, dashboard options, route-list filters, and this `webui` block are edited on `/settings`, not in the config editor or apps-grid popover (`WebUIConfig` / top-level `webui`, settings page).
- Web UI embedded in GoDoxy (single image): The Vite `dist` bundle is built into the GoDoxy binary and served from an embedded filesystem; published GoDoxy images ship the proxy and Web UI together—there is no separate Web UI container image. Non-production builds can still load assets from a local `webui/dist/client` tree when present (embed helper, production vs dev embed). GoDoxy reads `webui` from config (legacy frontend env aliases still apply when unset), merges preset metadata and rules when assembling the built-in route, and serves the SPA with file-server + SPA fallback behavior.
- Stream routes: Editor toggle and copy for `tls_termination` next to TCP `relay_proxy_protocol_header`, clarifying autocert termination versus SNI passthrough (stream TLS termination UI; same TLS/SNI behavior as PR #230, issue #223).
- HTTP routes: Form field for `max_conns_per_host` (HTTP editor).
- Agents: Adding or verifying agents can `add_to_config` and refresh the sidebar from the verify response instead of editing `config.yml` locally (agents via verify).
- Rules playground: Searchable quick reference card backed by generated cheatsheet JSON (quick reference).
- Rules authoring: Types, CodeMirror keywords, and cheatsheet text for `serve_file` and `handle` (`serve_file` in UI, `handle` in UI).
- Schema fixes: `MiddlewaresMap` keys are optional where appropriate so generated config matches real YAML (types fix).
Agent and tooling
- Agent verify supports `add_to_config` to append verified hosts under `providers.agents`, suppresses one matching config reload while persisting, and returns the current agents list on success.
- Install scripts: OpenRC service layout (e.g. Alpine), `sh` shebang with POSIX-safe patterns, and portable release timestamp checks (no GNU-date-only usage).
- `USE_SONIC_JSON`: Register Sonic at init only when `true` (default). Set `false` on hardware where Sonic is unsupported to avoid SIGILL; documented in env examples and agent logs.
ACME
- Optional `certificate_key_type` chooses the ACME leaf key algorithm/size (defaults unchanged; invalid values fail validation). Motivated by issue #227 (RSA vs elliptic-curve leaf keys and related autocert flexibility).
Improvements
- gRPC, SSE, streaming HTTP/2 and h2c: Flush/copy and trailer handling behave more reliably through rules and reverse proxy paths; streaming and upgrades see fewer stalls or spurious errors.
- Pre-only rule sets: When rules need no post-phase work, responses use a passthrough modifier so upstream writes and flushes reach clients without unnecessary buffering.
- Apps dashboard: Homepage icon manifests load concurrently with a concurrency-safe cache for faster tiles.
- Benchmarking: Richer `bench_server`, `h3bench`, `benchmark.sh` profiles (smoke/stable/stress), warm-up and repeated-run stats, and raw TCP HTTP/1.1 bench mode for steadier throughput reads.
- Web UI stack: TanStack Start/Router, Fumadocs, Zod, Nitro, and related tooling updates (recent bump).
Bug Fixes
- Treat HTTP/2 cancel and closed response body like other expected stream teardowns so they do not surface as unexpected proxy errors.
- Metrics period poller omits failures when the error is `context.Canceled` (timeouts/shutdown no longer inflate error history).
- Route load skips nil entries in route maps instead of risking panics or missed validation.
- Agent: Stricter cached release epoch parsing avoids false “up to date” reads from corrupt files; root check uses `id -u` instead of bash-only `$EUID`.
- Docker API client: Uses `github.com/docker/docker` with API negotiation so older Docker engines work without a separate compat build of GoDoxy.
- Socket proxy: `LISTEN_ADDR` defaults to `0.0.0.0:2375` when unset.
Configuration Changes
| Area | What to know |
|---|---|
| HTTP upstream | Optional `max_conns_per_host`. |
| Stream/TCP on HTTPS | `tls_termination` on eligible routes; optional `SNI_ROUTING_FOR_TCP_ROUTES` / `GODOXY_SNI_ROUTING_FOR_TCP_ROUTES` (default `true`) disables registering TCP routes on the shared HTTPS listener when you need that restriction. Background: PR #230, issue #218, issue #223. |
| ACME | Optional `certificate_key_type`. Background: issue #227. |
| Web UI | New optional root `webui` (`WebUIConfig`): aliases, file-server-style fields, optional `rules` merged with presets from `webui.yml` / `webui_dev.yml`. |
| Main/Agent runtime | `USE_SONIC_JSON` to disable Sonic on incompatible CPUs. |
| Socket proxy | `LISTEN_ADDR` replaces `SOCKET_PROXY_LISTEN_ADDR`. |
API Changes
- Agent verify: Request flag `add_to_config`; responses list current agents after successful persist (OpenAPI/Swagger regenerated).
Contributors
Thanks to everyone who contributed feature requests, testing and feedback for this release.
Full Changelog
- GoDoxy (core): v0.28.1…v0.29.0
- Web UI submodule (highlights): `WebUIConfig`/`webui`, settings & navigation, agents via verify, vite dev host allowance