This is a minor for v1.12 LTS branch:

• support to build rpm package on OpenSUSE

Prebuilt rpm and deb packages can be found at cloudsmith.

This is the first version for the g3proxy v1.12 LTS branch.

New Features

HTTP

• New standards supported:
  • masque/http Well-Known URI
  • easy-proxy Well-Known URI
• allow to drop the default port part in Host header in http_proxy server
• retry HTTP connection if upstream close connection without any data

TLS

• support aws-lc-fips
• add 'insecure' config option to OpenSSL Client config to skip cert verification
• set supported ALPN protocols in HTTP Proxy server
• use more detailed error message for OpenSSL stream

ICAP

• improved ICAP connection pool
• allow to connect via UNIX domain socket
• allow ICAP 204 response for small HTTP/IMAP messages
• try to receive as much as possible preview data in h1&h2 reqmod/respmod service

Socket Options

• allow to set hop_limit and traffic_class ipv6 socket options
• allow to set congestion control algorithm for TCP socket
• allow to set tcp keepalive on tcp listen socket in server
• allow to bind to interface in tcp & udp listen config

Resolver

• update TTL calculation in resolver, cache longer and query earlier
• support to set bind interface and many other socket options in hickory resolver
• make server address in c-ares resolver optional

ACL

• more effeicient match for regex domain rules

Log and Metrics

• allow to emit task log on created/connected and periodically
• log partial shutdown event in task/intercept log
• emit more tokio runtime metrics
• add more tcp connect and tls handshake metrics in escaper

Others

• changed default idle-check-interval to 60s and set default max-idle-count to 5
• support to use PROXY Protocol in direct-fixed escaper
• add an extra exported-pdu layer to represent client side addresses when dump traffic to wireshark
• keep wait and forward when TCP partial shutdown
• allow to quit process on panic
• support multi-threaded runtime in worker

Deprecated

The following config options are deprecated:

• emit_duration in statsd config, use emit_interval instead
• auto_reply_local_ip_map in socks server config, use transmute_udp_echo_ip instead
• untrusted_read_limit in server config, use untrusted_read_speed_limit instead
• tcp_conn_speed_limit/tcp_conn_limit/conn_limit in server & escaper config, use tcp_sock_speed_limit instead
• udp_relay_speed_limit/udp_relay_limit/relay_limit in server & escaper config, use udp_sock_speed_limit instead
• tcp_conn_speed_limit/tcp_conn_limit in user config, use tcp_sock_speed_limit instead
• udp_relay_speed_limit/udp_relay_limit in user config, use udp_sock_speed_limit instead

Compatibility

• The MSRV is 1.86
• A recent version of Linux is required, such as Debian >= 11, or RHEL >= 8
• The code would compile on the latest version of MacOS, Windows, FreeBSD, NetBSD, OpenBSD. Please fill a bug report if it doesn't work.

This is a bug fix release for v1.10 LTS branch:

• fix panic when detect DNS over TLS traffic
• fix default min ttl value in c-ares resolver

This is a bug fix release for v1.10 LTS branch.

• fix read of H2 zero size body frame
• fix format of HTTP 1 OPTIONS header line
• fix h2 max concurrent streams settings sent to client
• fix h2 connection level IDLE check
• use more reasonable h2 default settings value

This is a bug fix release for v1.10 LTS branch.

• fix dead lock when reloading chained servers
• fix alignment of RawSocketAddr used in sendmmsg/recvmmsg
• fix body Chunked encoding after ICAP preview

This is a bug fix release for v1.10 LTS branch.

• correctly handle ICAP null-body response
• fix ICAP connection state when reading modified SMTP/IMAP message
• fix chunked encoding of H2 body stream when sending to ICAP server
• keep control socket open on accept error

This is a bug fix release for v1.10 LTS branch.

• fix read of trailer for chunked FTP over HTTP upload
• fix idle check in udp copy and udp relay task
• respect Content-Length header when sending ICAP adapted body

This is a bug fix release for v1.10 LTS branch.

• fix handle of ICAP preview data in HTTP/2 interception
• fix panic when sending H2 stream data if peer gone
• do not send Allow-204 in ICAP preview request

This is a bug fix release for v1.10 LTS branch.

• fix socket usage on Windows
• set expire info for udp tasks with socks5 proxy peers
• send ppv2 header on http forward connections in divert_tcp escaper
• fix match of TLS ticker name in decryption
• fix global datagram limiter
• fix handle of ICAP Preview data in HTTP/1 interception
• fix DELETE in FTP over HTTP task
• support chunked upload in FTP over HTTP task

Feature Highlights since v1.8

ICAP

• Support ICAP reqmod service for:
  • H1 CONENCT and Upgrade request
  • H2 (Extended) CONNECT request
  • SMTP DATA Command
  • IMAP APPEND Command
• Support ICAP over TLS

TLS Interception

• Upgraded cert generation protocol to allow to mimic the original cert, this will require g3fcgen >= 0.8
• Allow to use custom TLS client config at user-site level, which can be used to enable mTLS
• Support TLCP protocol

Traffic Redirection

• Added divert_tcp escaper to divert traffic to third party servers
• Added stream_detour feature to allow third party servers to intercept connected streams remotely
• Allow to set inspect policy for each supported protocols separately, which can b based on domain rules
• Added comply_audit escaper to allow select auditors based route rules

Misc

• Support compilation on Windows
• Support Redis over TLS
• Improved capability with non-RFC-compliant socks5 server implementations
• Added support for Socks5 over TLS

See g3proxy/CHANGELOG for detailed changelogs.

Pre-Build packages can be found at cloudsmith g3-stable repo.