Sftpgo Versions Save

• WebAdmin: change date formatting to ensure Safari compatibility.
• Fix IP proxy header parsing if listening on UNIX domain socket.
• Fix compatibility with MySQL 8.x.
• YUM and APT repo are now available.

New features

• Groups: simplify the administration of multiple accounts by letting you assign settings once to a group, instead of multiple times to each individual user.
• Branding: allow to easily customize the WebAdmin and WebClient UIs to match your brand.
• OpenID Connect: SFTPGo can be connected to your existing Identity Provider.
• ACME: add support to obtain and automatically renew TLS certificates from Let's encrypt and other ACME compliant certification authorities.
• Allow to require two-factor authentication per user.
• Allow to set a start directory for SFTP, FTP and HTTP users.
• Data transfer bandwidth limits, with total limit or separate settings for uploads and downloads and overrides based on the client's IP address.
• Check disk and data transfer quota usage between ongoing transfers even if the transfers are performed on different nodes.
• Global whitelist: services can be restricted to specific ranges of IP addresses.
• New Geo-IP filtering plugin: services can be restricted based on the the geographical location of the clients' IP addresses.
• Allow to hide files/folders in directory listing based on pattern filters.
• Allow to cache external authentication.
• External shares: add read/write mode and allow to browse shared directories.
• Allow to configure the minimum version of TLS to be enabled.
• Naming rules for usernames, folder and group names: case insensitive matching is configurable.
• S3: add support for ARN roles.
• HTTP proxy headers: add a depth setting to extract the correct rightmost IP in the list.
• WebAdmin: allow to control column visibility and ordering.
• Allow to set different TLS certificates for each binding.
• Allow to customize execution timeout and environment variable for program based hooks.
• Execute db migrations holding a database-level lock, for databases that support locking.
• s3fs: migrate to AWS SDK v2.
• azblobfs: migrate to the new Azure Blob SDK.
• sshd: disable by default sha1 based host keys, KEXs and MACs.
• Check and update the password hashing algorithm on user login.
• Make sure that JWT tokens, cookies and CSRF tokens can only be used from the IP they were issued for.
• Other minor improvements and bug fixes.

Backward incompatible changes

• External auth: the HTTP hook now receive a proper JSON serialized user. Before we were sending a user serialized as JSON string. See #836 for more details.
• Removed prefer_database_credentials setting. We now assume that this setting is true. We don't store GCS credentials on filesystem anymore.
• Rename permission must be explicitly granted. We don't assume anymore that rename permission is implicitly granted if the user has delete and upload permissions.
• sshd: sha1-based host keys, KEXs and MACs are now disabled by default for security reasons. If you need to support old clients you need to explictly enable them.
• skip_natural_keys_validation is now replaced by the more generic naming_rules. The default value for naming_rules is 1 which is the same as skip_natural_keys_validation to true.
• to be able to extract the client IP address from proxy headers like X-Forwarded-For, X-Real-IP etc. you need to specify the header to search for using the client_ip_proxy_header setting.

• sftpfs: improve rename, remove, readlink.
• web setup: add an optional installation code. The purpose of this code is to prevent anyone who can access to the initial setup screen from creating an admin user.
• db defender: fixed the query to get banned hosts.
• docker: add rsync and jq to full image variants.
• sshd: disable sha1 based KEXs and MACs by default.
• be sure to close an SSH connection if all channels are idle.
• fix UTC logging.
• other minor improvements and bug fixes.

• Web admin: group user options into different sections. The add/update user UI should now be less intimidating.
• Web admin: clone and template features were unified. You can now save or export one or more users/folders using the template feature.
• Web admin: allow to create multiple users/folders from templates.
• Plugins: move sdk to a separate package.
• Notifier plugin: fix recovery of failed events.
• FTP: allow NLST on files.

• Web Client: allow to upload/delete multiple files.
• Web Client: add support to integrate external viewers/editors.
• Web Client: allow to move files between folders.
• Web shares: allow to download a single shared file without compression.
• Keyboard interactive hooks: allow to validate 2FA passcodes.
• Added support for different bandwidth limits based on the client IP.
• Added support for metadata plugins. The metadata plugin here allows to change/preserve modification times for cloud storage backends.
• Defender: add a data provider based implementation. It should be used if you want to share defender data across multiple SFTPGo instances.
• CI: add support for Windows arm64 and x86.
• Other minor improvements and bug fixes.

Two-factor authentication

• Added built-in two-factor authentication based on time-based one time passwords (RFC 6238) which works with Authy, Google Authenticator and other compatible apps.

Plugin support

• SFTPGo can now be extended with custom plugins. Some plugins are available here.

REST API

• API key authentication as alternative to JWT tokens.
• Data retention: you can enforce per-folder retention policies for each user by periodically calling the data retention API.
• Swagger UI is now included and enabled by default: you can easily visualize and interact with the API’s resources without installing an external tool.

Web Client

• Added "write" feature: you can upload files, create directories, rename and delete.
• Password reset by sending a confirmation code via email.
• Sharing support: you can create HTTP/S links to externally share files and folders securely, by setting limits to the number of downloads/uploads, protecting the share with a password, limiting access by source IP address, setting an automatic expiration date.
• Edit plain text files directly in the browser.
• View images and PDFs in the browser.

Other

• Docker: added distroless based image.
• CI: Deb and RPM packages are automatically generated for armv7 as well.
• Windows: installer and executable are now signed and they have a proper icon. Thanks to @asheroto for providing the icon.
• Windows: Chocolatey package is now available. Thanks @asheroto.
• WebDAV: added support for LOCK discovery.
• Many other minor improvements and bug fixes.

Backward incompatible changes

• Custom actions: removed the arguments for the external program hook, you have to use environment variables. Please take a look at the updated docs.

Notes

• Don't forget to adapt your configuration file.

fix a nil pointer dereference that can occur when upgrading from very old versions

• S3: fix Ceph compatibility.
• S3: add per-chunk download timeout.
• GCS: add a trailing / to "directories". This way SFTPGo can detect "directories" created using the Google Cloud console.
• FTP: mitigation for data connection stealing and bounce attacks.
• Other minor bug fixes.

Backward incompatible changes:

• If you are using the FTP service behind HAProxy you must also enable the proxy protocol for data connections.

New features:

• Virtual folders: support extended to all storage backends. For example, you can define a local user with an S3 based virtual folder or vice versa.
• Data providers: CockroachDB, a distributed SQL database, is now supported to simplify high availability configurations.
• Web client UI: SFTPGo users can now browse and download their files and change their credentials.
• SFTPGo users: you can authenticate some users using your external authentication hook and others using the defined data provider. For example, you can use external LDAP users and internal users within the same SFTPGo instance.
• Hooks: added startup, pre-download, pre-upload.
• Per-protocol rate limiting.
• Setup: the first admin user will be created using a setup web UI by default. You can still configure auto-creation.
• Bcrypt is now the default password hashing algorithm. Argon2id is supported and configurable.
• FTP/WebDAV: improve TLS client certificate authentication, the TLS certificate common name can now be used as username.
• Several other minor improvements and bug fixes.

Backward incompatible changes:

• An empty response from the external authentication hook was interpreted as an authentication error in v2.0.x., now SFTPGo will try to fall back to an internal user, if any.
• The backup/dump format is not backward compatible, please make a new backup/dump after upgrading.

If you are upgrading from an old version please make sure to adapt your configuration file.

Fix for arm64 and ppc64le packages: they work again on Ubuntu 18.04