Version 1.10.0

New Features

• PROXY protocol v2 TLS metadata. New --proxy-protocol-mode flag for PROXY protocol v2 with optional TLS metadata TLVs (#705). Modes: conn (connection info only, same as the existing --proxy-protocol flag), tls (adds TLS version/ALPN/SNI), and tls-full (adds TLS metadata and client certificate).

Code Quality Changes

• Native code correctness fixes. Landed a number of fixes in the macOS keychain and Windows certificate store code, identified through GitHub code scanning (CodeQL, Copilot Autofix) and local AI development tools. These include CFObject memory leaks in macOS CertificateChain, data races in macOS keychain lazy initialization, a C string leak in launchdSocket, a C array leak in getProviderParam on Windows, and incorrect certificate store search order on Windows (#656, #694, #699, #704).
• Certloader safety improvements. Replaced unsafe.Pointer with atomic.Pointer[T] in certloader (#677), extracted shared baseCertificate struct to reduce duplication (#679), and improved error context in PKCS#11 code paths (#690).
• Dependency cleanup. Removed the certigo dependency, switched to smallstep/pkcs7 (#664), and replaced github.com/pkg/errors with stdlib errors and fmt (#684). Various dependency upgrades via Dependabot.

Testing Improvements

• Windows integration testing. The integration test suite can now run on Windows (#695), and we added a number of new unit and integration tests for better coverage of features like platform keychain identities.
• Faster & better integration test suite. Parallelized integration tests with dynamic port allocation and improved timeout handling, significantly reducing test suite runtime (#662, #703). Skipped tests now report SKIP status with a reason (#696).
• New unit and integration tests. Added unit and integration tests for keychain handling, certstore reload paths, and edge cases across multiple packages (#697, #700, #702).

Other

• Website. Launched project website on ghostunnel.dev and made comprehensive documentation improvements (#657, #659, #704, #707).

Version 1.10.0-rc.1

Release candidate for v1.10.0.

New Features

• PROXY protocol v2 TLS metadata. New --proxy-protocol-mode flag for PROXY protocol v2 with optional TLS metadata TLVs (#705). Modes: conn (connection info only, same as the existing --proxy-protocol flag), tls (adds TLS version/ALPN/SNI), and tls-full (adds TLS metadata and client certificate).

Code Quality Changes

• Native code correctness fixes. Landed a number of fixes in the macOS keychain and Windows certificate store code, identified through GitHub code scanning (CodeQL, Copilot Autofix) and local AI development tools. These include CFObject memory leaks in macOS CertificateChain, data races in macOS keychain lazy initialization, a C string leak in launchdSocket, a C array leak in getProviderParam on Windows, and incorrect certificate store search order on Windows (#656, #694, #699, #704).
• Certloader safety improvements. Replaced unsafe.Pointer with atomic.Pointer[T] in certloader (#677), extracted shared baseCertificate struct to reduce duplication (#679), and improved error context in PKCS#11 code paths (#690).
• Dependency cleanup. Removed the certigo dependency, switched to smallstep/pkcs7 (#664), and replaced github.com/pkg/errors with stdlib errors and fmt (#684). Various dependency upgrades via Dependabot.

Testing Improvements

• Windows integration testing. The integration test suite can now run on Windows (#695), and we added a number of new unit and integration tests for better coverage of features like platform keychain identities.
• Faster & better integration test suite. Parallelized integration tests with dynamic port allocation and improved timeout handling, significantly reducing test suite runtime (#662, #703). Skipped tests now report SKIP status with a reason (#696).
• New unit and integration tests. Added unit and integration tests for keychain handling, certstore reload paths, and edge cases across multiple packages (#697, #700, #702).

Other

• Website. Launched project website on ghostunnel.dev and made comprehensive documentation improvements (#657, #659, #704, #707).

Version 1.9.2

Bug fix release

Changes

• Allow 5 retries for ACME production certs (by @erikng in #646). This makes fetching ACME certificates on startup more reliable by doing a limited number of retries, with exponential backoff, when initial requests are timing out. Note that this can make Ghostunnel a bit slower to fail on startup in some circumstances.
• Fix --cacert being ignored in ACME mode (by @csstaub in #649). This fixes #647, a bug where Ghostunnel would not honor the --cacert setting if it was otherwise getting certs from ACME. Thanks to @erikng for finding & reporting this, as well as verifying the fix.

Minor Changes

• General housekeeping, such as bumping dependencies and fixing typos (#632, #636, #640, #644), adding a new mage go:lint target for easier linting in development (#638), additional unit/integration testing (#641, #642, #643), and upgrading to Go 1.26 for builds (#637).

Full Changelog: v1.9.1...v1.9.2

Version 1.9.1

Housekeeping release

Changes

• Fixed a few lints/very minor bugs
• Made improvements to the documentation (typos, inconsistent wording)
• Moved the build system from make to mage to streamline workflows/release
• Updated workflows so that macOS release binaries are now signed & notarized

This is the first time our official release binaries are signed & notarized, please let us know if you encounter issues with Gatekeeper on macOS preventing these from running!

Full Changelog: v1.9.0...v1.9.1

Version 1.9.0

Highlights

• Enabled Landlock sandboxing by default in best-effort mode (Linux). Use the new --disable-landlock flag to disable. Note that Landlock is not compatible with PKCS#11 and is disabled automatically if any of the PKCS#11 options are used.
• Upgraded to OPA v1.0+ and added support for loading OPA bundles (not just policies) via the --allow-policy flag. It's recommended to use bundles instead of policies so you can set which version of Rego to use.
• Improved proxy memory usage through shared buffers and added various new flags to control proxy behavior (--close-timeout, --max-conn-lifetime, and --max-concurrent-conns).
• Go version upgraded from Go 1.22 to Go 1.24+.

Major Changes

• Improve proxy performance and connection handling (by @csstaub in #523)
  • Shared buffer pools for reduced memory allocations
  • Better connection lifetime tracking and logging
  • Bytes sent/received now logged for each connection
• Add maximum concurrent connections feature (by @csstaub in #561)
  • New --max-concurrent-conns flag to limit simultaneous proxy connections
• Use context for cancellation and modernize proxy handling (by @csstaub in #571)
  • Refactored to use Go's context package for timeout and cancellation handling
  • Improved timeout error detection
• Enable Landlock by default (Linux, best-effort mode) (by @csstaub in #607)
  • Automatically enabled on Linux systems that support it
  • Gracefully degrades on systems without Landlock support

Minor Changes

• Improved proxy logging (by @csstaub in #543)
  • Use "forwarded/returned" instead of "sent/recv" for clearer logs
  • Log bytes sent/received in connection close messages
• Show more information in status line/endpoint (by @csstaub in #551)
  • Display listen/forward address in status output (endpoint and systemd)
• Fix compatibility for OPA upgrade from v0 to v1 (by @csstaub in #563)
  • Handle backwards compatibility for v0 Rego files
  • Updated tests to use OPA bundles instead of naked Rego files
• Hide the --cipher-suites flag (by @csstaub in #566)
  • Flag is now hidden; modern TLS defaults are used
• Add new flag for setting max TLS version (by @csstaub in #572)
  • New --max-tls-version flag (TLS1.2, TLS1.3)
• Add new flag to skip DNS resolution on startup (by @csstaub in #609)
  • New --skip-resolve flag, useful when starting Ghostunnel before network is ready (fixes #585)

New Flags

Flag	Description
--close-timeout	Timeout for closing connections when one side terminates (default: 1s)
--max-conn-lifetime	Maximum lifetime for connections post handshake (default: 0/infinite)
--max-concurrent-conns	Maximum concurrent connections to handle (default: 0/infinite)
--max-tls-version	Maximum TLS version to use (TLS1.2, TLS1.3)
--skip-resolve	Skip resolving target host on startup
--disable-landlock	Disable Landlock sandboxing (Linux)
--proxy	Connect via proxy (HTTP CONNECT or SOCKS5), replaces --connect-proxy

Deprecations

• --connect-proxy flag is now deprecated (hidden), use --proxy instead
• --cipher-suites flag is now hidden

Dependency Updates

• OPA upgraded from v0.x to v1.5.0
• gRPC upgraded to v1.72.2
• go-proxyproto upgraded from v0.8.0 to v0.8.1
• go-spiffe upgraded from v2.4.0 to v2.5.0
• golang.org/x/net upgraded to v0.36.0
• go-jose upgraded from v4.0.4 to v4.0.5

Other Changes

• Reduced Dockerfile-debian image size by removing apt lists
• Removed BUG-BOUNTY.md notice (Square/Block suspended the program)
• Improved documentation and man page
• Various test reliability improvements (especially for Windows)

Full Changelog: v1.8.4...v1.9.0

Version 1.9.0-rc.1

Highlights

• Enabled Landlock sandboxing by default in best-effort mode (Linux), use the new --disable-landlock flag to disable. Note that Landlock is not compatible with PKCS#11 and is disabled automatically if any of the PKCS#11 options are used.
• Upgraded to OPA v1.0+ and added support for loading OPA bundles (not just policies) via the --allow-policy flag. It's recommended to use bundles instead of policies so you can set which version of Rego to use.
• Improved proxy memory usage through shared buffers and added various new flags to control proxy behavior (--close-timeout, --max-conn-lifetime, and --max-concurrent-conns).

Major Changes

• Improve proxy performance and connection handling (by @csstaub in #523)
• Add maximum concurrent connections feature (by @csstaub in #561)
• Use context for cancellation and modernize proxy handling (by @csstaub in #571)
• Enable landlock by default (Linux, best-effort mode) (by @csstaub in #607)

Minor Changes

• Improved proxy logging (by @csstaub in #543)
• Show a bit more information in status line/endpoint( by @csstaub in #551)
• Fix compatibility for OPA upgrade from v0 to v1 (by @csstaub in #563)
• Hide the --cipher-suites flag (by @csstaub in #566)
• Add new flag for setting max TLS version (by @csstaub in #572)
• Add new flag to skip DNS resolution on startup (by @csstaub in #609)

Full Changelog: v1.8.4...v1.9.0-rc.1

Version 1.8.4

Build Changes

• Build the release binaries on Ubuntu 22.04 to provide better compatibility with older versions of GLIBC (by @csstaub in #529)
• Provide Debian-based Docker images alongside Alpine-based ones, see Docker Hub (by @csstaub in #535)

Other Changes

• Set read header timeout for the status HTTP server (by @csstaub in #524)
• Update dependencies (by @csstaub in #534)

Full Changelog: v1.8.3...v1.8.4

Version 1.8.3

Bug Fixes

• Fix broken landlock TCP rules generation (by @csstaub in #519)

Other Changes

• Bump dependencies and sync vendor directory (by @csstaub in #516)
• Fix integration tests for Python 3.12 (by @csstaub in #517)
• Fix various issues with Github Actions workflows (#506, #514, #520, #521, #522)

Full Changelog: v1.8.2...v1.8.3

Version 1.8.2

Housekeeping

Changes

• Upgrade Go to 1.23, upgrade dependency versions, and fix some lints (#505, #486, #484, #483)

Full Changelog: v1.8.1...v1.8.2

Version 1.8.1

New Features

• Add optional /_shutdown endpoint on status port for terminating via HTTP POST. Can be enabled via the --enable-shutdown flag (by @drcapulet in #466).
• On Windows, add support for using LOCAL_MACHINE and CURRENT_SERVICE key stores. Was previously limited to the CURRENT_USER key store (by @csstaub in #476).

Bug Fixes

• Better landlock rule processing to handle flags that can be both host:port or URLs correctly (by @csstaub in #475)

Full Changelog: v1.8.0...v1.8.1