Releases: astibal/smithproxy
0.9.32
What's new in 0.9.32
- custom, not-mitmed certificates based on target IP address, or SNI (loaded from files)
  - using `tls_profiles/<profilename>:sni_based_cert` and `ip_based_cert`
  - certificates are located in:

    ```
    /etc/smithproxy/certs/default/[ip|sni]/
        key.pem
        fullchain.pem    # preferred
        cert.pem         # sep. files fallback
        issuer.pem
        issuer2.pem
    ```
- Webhook support
  - configure HTTP(s) target where smithproxy sends connection and other details
  - config located in `config.settings.webhook`
- Policy features: configure the new `features` entry on a policy and add:
  - `sink-left` (traffic from originator is consumed and not proxied)
  - `sink-right` (traffic from target is consumed and not proxied)
  - `sink-all` (both above)
  - `statistics` (json statistics are sent to webhook, if configured)
  - `access-request` (json webhook request, waiting for response to accept or reject the session)

  Note: all sinkhole filters intentionally consume data only after the traffic writer has written it to pcap or to remote GRE.
- L7 app data connection history is now maintained (previously only the current app request/response). Now you can see e.g. multiple URLs accessed in connection info (`diag proxy session list 7`).
- when capturing traffic to files or GRE export, L3/L4 checksums are not calculated anymore by default, saving noticeable CPU cycles.
- this will be the last minor version of smithproxy; the next version will be bumped to 1.0.0. There is no particular reason: the proxy is not "experimental" anymore and .32 is already quite a big number.
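The custom-certificate feature above loads private keys from a directory tree, so a misplaced file or a world-readable `key.pem` silently breaks or weakens the deployment. The script below is an added check (not smithproxy's own code) that walks the `/etc/smithproxy/certs/default/[ip|sni]/<name>/` layout from the release notes and reports directories whose name is not a valid IP address or hostname, missing `key.pem`, keys readable by group/others, and entries that have neither `fullchain.pem` nor `cert.pem`. The hostname rules, the "cert.pem needs issuer.pem" rule and the permission check are this script's own assumptions, not documented smithproxy behaviour.

```python
"""Sanity-check the per-IP / per-SNI certificate directories that 0.9.32 can
load instead of generating MITM certificates.

Added illustration, not smithproxy code. It assumes the layout from the
release notes:

    /etc/smithproxy/certs/default/[ip|sni]/<address-or-name>/
        key.pem, fullchain.pem (preferred) or cert.pem + issuer.pem [+ issuer2.pem]

Everything beyond that layout (hostname rules, the "issuer.pem is needed with
cert.pem" rule, the key-permission check) is this script's own assumption.
"""
from __future__ import annotations

import ipaddress
import os
import re
import shutil
import stat
import tempfile
from pathlib import Path

DEFAULT_ROOT = Path("/etc/smithproxy/certs/default")
KEY, FULLCHAIN, CERT, ISSUER = "key.pem", "fullchain.pem", "cert.pem", "issuer.pem"

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name: str) -> bool:
    """Loose RFC 1123 check for a directory under sni/ (assumption: no wildcards)."""
    if not name or len(name) > 253 or name.endswith("."):
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def valid_ip(name: str) -> bool:
    """A directory under ip/ must parse as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def check_entry(entry: Path, kind: str) -> list[str]:
    """Return problems found in one <kind>/<name>/ directory; empty list means OK."""
    problems: list[str] = []
    if kind == "ip" and not valid_ip(entry.name):
        problems.append(f"{entry}: directory name is not an IP address")
    if kind == "sni" and not valid_hostname(entry.name):
        problems.append(f"{entry}: directory name is not a valid hostname")

    key = entry / KEY
    if not key.is_file():
        problems.append(f"{entry}: missing {KEY}")
    else:
        # A private key readable by group/others is a finding regardless of the proxy.
        mode = stat.S_IMODE(key.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"{key}: private key readable by group/others (mode {mode:o})")

    if (entry / FULLCHAIN).is_file():
        pass  # preferred form: leaf and intermediates in one file
    elif (entry / CERT).is_file():
        # Assumption: the separate-files fallback needs issuer.pem so clients get the chain.
        if not (entry / ISSUER).is_file():
            problems.append(f"{entry}: {CERT} present but {ISSUER} missing")
    else:
        problems.append(f"{entry}: neither {FULLCHAIN} nor {CERT} found")
    return problems


def check_tree(root: Path = DEFAULT_ROOT) -> list[str]:
    """Walk root/ip/* and root/sni/* and collect every problem."""
    problems: list[str] = []
    for kind in ("ip", "sni"):
        base = root / kind
        if not base.is_dir():
            continue
        for entry in sorted(base.iterdir()):
            if entry.is_dir():
                problems.extend(check_entry(entry, kind))
    return problems


def demo() -> list[str]:
    """Build a constructed sample tree in a temp dir, check it, clean up, return findings."""
    tmp = Path(tempfile.mkdtemp(prefix="sx-certs-"))
    try:
        good = tmp / "sni" / "intranet.example.com"   # complete, preferred form
        good.mkdir(parents=True)
        (good / KEY).write_text("constructed placeholder key\n")
        os.chmod(good / KEY, 0o600)
        (good / FULLCHAIN).write_text("constructed placeholder chain\n")

        bad = tmp / "ip" / "not-an-ip"                 # bad name, key only, no cert
        bad.mkdir(parents=True)
        (bad / KEY).write_text("constructed placeholder key\n")
        os.chmod(bad / KEY, 0o600)
        return check_tree(tmp)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    import sys
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_ROOT
    for line in check_tree(root):
        print(line)
```

Run it as `python3 check_certs.py` (or with an alternative root as the first argument) after placing the files; an empty output means every entry has a name the proxy can match, a private key only the owner can read, and a certificate in one of the two forms the release notes list.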
0.9.30
0.9.28
0.9.27
What's new in 0.9.27
- systemd units made ready (most of you will use instance name 'default')
- introduced new config schema mechanics which improves upgrade experience
- rewritten internal connection-proxy flow
- added a new config section 'captures', and its sub-entries 'local' and 'remote'
- introduce GRE capture export sent to remote host, configurable in 'captures/remote' config section
- snap smithproxy flavor introduces snap services and fixes CLI support
Fixes
- fix IPv6 addresses: ':' is replaced with underscore
- fix IPv6 transparency - ipv6 traffic is no longer NATed regardless of configuration
- fix CLI sub-section handling that prevented entering certain configuration entries
0.9.26
What's new in 0.9.26
- routing - DNAT fixed, load-balanced
- add 'routing' load-balance criteria: source-IP, L3 (srcIP+dstIP), L4 (srcIP+dstIP+dstPORT)
- add 'routing' to more targets - aka load-balance
- CHANGE: --tenant-index is now a no-op (smithproxy reads the index from the tenants config)
- major fix - resolve memory corruption under heavy load caused by a socle mempool data race condition
- fix - write PID if run in foreground (to help with systemd integration)
- fix minor multi-tenancy support problems and improvements
- logging optimizations - less memory copying in several places

That being said, 0.9.26 is a balanced fix/feature release.
Please consider load-balancing a basic introduction; more routing features are on the way.
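The three load-balance criteria differ only in which fields of a connection take part in the decision, and that is what determines how "sticky" a client is to one target. The example below is added here to make that visible and is not smithproxy's code: the release notes say which fields each criterion uses, while the selection mechanism (a stable SHA-256 hash of the key modulo the number of targets), the `Flow` type and the sample addresses are this example's own assumptions.

```python
"""Illustrate what the 'routing' load-balance criteria from 0.9.26 key on.

Added example, not smithproxy's code. The page states the fields each criterion
uses; hashing the key to choose a target is an assumed mechanism used here only
to show the consequence of each choice.
"""
from __future__ import annotations

import hashlib
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int


def lb_key(flow: Flow, criterion: str) -> str:
    """Fields that take part in the decision, per the release notes."""
    if criterion == "source-IP":
        return flow.src_ip
    if criterion == "L3":                       # srcIP + dstIP
        return f"{flow.src_ip}|{flow.dst_ip}"
    if criterion == "L4":                       # srcIP + dstIP + dstPORT
        return f"{flow.src_ip}|{flow.dst_ip}|{flow.dst_port}"
    raise ValueError(f"unknown load-balance criterion: {criterion}")


def pick_target(flow: Flow, targets: list[str], criterion: str) -> str:
    """Deterministic choice: the same key always lands on the same target (assumed mechanism)."""
    if not targets:
        raise ValueError("no targets configured")
    digest = hashlib.sha256(lb_key(flow, criterion).encode()).digest()
    return targets[int.from_bytes(digest[:8], "big") % len(targets)]


def distribution(flows: list[Flow], targets: list[str], criterion: str) -> Counter:
    """How many of the given flows each target would receive under a criterion."""
    return Counter(pick_target(f, targets, criterion) for f in flows)


def keys_per_criterion(flows: list[Flow]) -> dict[str, int]:
    """Distinct keys per criterion: more keys = finer spread, fewer = stronger stickiness."""
    return {c: len({lb_key(f, c) for f in flows}) for c in ("source-IP", "L3", "L4")}


# Constructed sample: one client talking to two servers on two ports each, plus a second client.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "198.51.100.1", 443),
    Flow("192.0.2.10", "198.51.100.1", 8443),
    Flow("192.0.2.10", "198.51.100.2", 443),
    Flow("192.0.2.10", "198.51.100.2", 8443),
    Flow("192.0.2.11", "198.51.100.1", 443),
]
TARGETS = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]  # constructed backend pool

if __name__ == "__main__":
    print(keys_per_criterion(SAMPLE_FLOWS))
    for c in ("source-IP", "L3", "L4"):
        print(c, dict(distribution(SAMPLE_FLOWS, TARGETS, c)))
```

With `source-IP` every connection from one client address follows the same target, which keeps per-client state in one place but concentrates a busy client (or a NAT gateway) on a single backend; `L4` spreads the same client's connections across targets but gives no per-client affinity. Choose the criterion by whether the targets behind the route share session state.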
0.9.25
0.9.24 (do not use)
Smaller smithproxy update 0.9.24 is just being baked in my build farm and will be available soon!
Release notes say:
What's new in 0.9.24
- added 'routing' configuration element; currently, DNAT can be configured (more to come)
- improve SNI bypass a bit, which now supports '*.example.com' notation
- internal improvement of shm semaphore vs. udp mutex locks
- few more fixes
Apart from that, 32bit raspberry pi has been added to the build farm, so you may enjoy armhf packages.
0.9.23
What's new in 0.9.23
- CHANGE: pcap quota now in megabytes (values will be converted automatically on upgrade)
- CHANGE: new dependency: libmicrohttpd
- added a limited json/api interface
  - JSON API: proxy connections detail
  - JSON API: certificate cache list/stats
  - JSON API: smithproxy status
- fix crash on transparent source IP detection
- fix crash in sx_regencerts tool
0.9.20
What's new in 0.9.20
This version focuses on transparent network traffic troubleshooting.
HTTP/2 traffic is correctly passed, and all dumped files can be conveniently opened
directly with e.g. wireshark.
New features
- add support for PCAP file capture (multiple, or single capture file) with rollover capability
- pass TLS ALPN extension - controllable by 'alpn_block' in TLS profile
- signature cascades (signatures can enable groups of other, previously disabled signatures)
- new version config file migration support
Improvements
- introduction of engines - similar to inspectors, but working more closely with data
- add cli command 'diag proxy session active' which prints only currently active sessions
- match starttls only on certain traffic and exchange margins
- new 'toggle' command - modify list variables - toggle specific element instead of setting all at once
- code cleanups in logging - removal of old macros
Fixes
- fix memory leak in socle logging subsystem
0.9.13
New features
- new `diag ssl ticket clear` to clear tls session data
- memory profiles - more flexible mempool controlled by percentile env. variable SX_MEMSIZE
- better certificate cache - certificates from cache expire on LRU-similar basis
- change affecting new installations: split portal services and core
Improvements
- introduce SX_MEMSIZE env variable to control how many buffers are allocated
- libcidr changes - refactored into namespace
- tls session cache is now set to lru mode
- libcli changes - code base switched to new 'main' branch with few changes
- certificate cache changes - cache is now based on custom lru scheme
- portal split - there are now 2 packages: smithproxy and smithproxy-auth
for binary files see https://download.smithproxy.org/