Update v3.0.2

This updates added the new alias hostname function as well as rewritten the access rule set to support per Proxy Hostname access filter architecture.

To use the alias hostname during creating a new Proxy Rule, use comma to separate the different hostname. Wildcards are also supported in the alias hostname. Here is an example. main.example.com,*.main.example.com,alias.example.com

You can also find the alias hostname editor in the HTTP Proxy list (Edit mode)

Windows 7 support was restored due to my test bench is still running Windows 7 and I am too busy to upgrade it. If you are still using a Windows 7 machine, you can use the zoraxy_windows_amd64_NT6_1.exe executable. Note that Windows 7 support might be discontinued anytime and as it is build with older version of Go compiler, it might also come with some minor security issues.

Change Log

• Added alias for HTTP proxy host names #76
• Added separator support for create new proxy rules (use "," to add alias when creating new proxy rule)
• Added HTTP proxy host based access rules #69
• Added EAD Configuration for ACME (by @yeungalan) #45
• Fixed bug for bypassGlobalTLS endpoint do not support basic-auth
• Fixed panic due to empty domain field in json config #120
• Removed dependencies on management panel css for online font files

Update v3.0.1

This update fixed a few minor bugs from the v3 big updates.

Change Log

• Added regex support for redirect (slow, don't use it unless you really needs it) #42
• Added new dpcore implementations for faster proxy speed
• Added support for CF-Connecting-IP to X-Real-IP auto rewrite #114
• Added enable / disable of HTTP proxy rules in runtime #108
• Added better 404 page
• Added option to bypass websocket origin check #107
• Updated project homepage design
• Fixed recursive port detection logic
• Fixed UserAgent in resp bug
• Updated minimum required Go version to v1.22 (Notes: Windows 7 support is dropped) #112

Updates v3.0.0

This is a big rewrite of the original Zoraxy v2 proxy core for covering more real-life use cases based on feedback from issues.

IMPORTANT NOTES Zoraxy v3 host rules are not compatible with v2, which the "Backup & Restore" feature is also not compatible. Please start a new installation from scratch if you are currently using Zoraxy v2.

• Restructure the proxy core logic
  • Added virtual directory into host routing object (each host now got its own sets of virtual directories)
  • Added support for wildcard host names (e.g. *.example.com)
  • Added best-fit selection for wildcard matching rules (e.g. *.a.example.com > *.example.com in routing)
  • Generalized root and hosts routing struct (no more conversion between runtime & save record object
  • Added "Default Site" to replace "Proxy Root" interface
  • Added Redirect & 404 page for "Default Site"
• Optimized UI and UX
  • Optimized & Separated Virtual Directory edit menu
  • Added more less depressing colors
  • Added comments for whitelist
• TLS / SSL
  • Added automatic cert pick for multi-host certs (it is called SNI btw)
  • Added "one click force renew" button
  • Renamed .crt to .pem for cert store
• Headers
  • Added x-proxy-by header to help with debugging
  • Added X-real-Ip header
  • Added Development Mode Toggle (Cache-Control: no-store)
  • Added custom header
• Others
  • Updated up time monitor timeout to 10 seconds instead of 90
  • Added "Add controller as member" feature to Global Area Network editor
  • Deprecated aroz subservice support

More Screenshots

Updates 2.6.8

This version fixes bug in 2.6.7 and added "Allow plain HTTP access" options for force TLS per domain

• Added opt-out for subdomains for global TLS settings for
• Optimized subdomain / vdir editing interface
• Added system wide logger (wip)
• Fixed issue for uptime monitor bug
• Changed default static web port to 5487 so it is even more unlikely to be used by other processes
• Added automatic HTTP/2 to TLS mode

Notes on opt-out TLS per domain

The function is named "allow plain HTTP access" which is hidden under the advance setting tab. in "Create proxy rule" or the proxy rule inline edit interface. Once this option is enable, the subdomain defined in the rule can be accessed via plain HTTP and HTTPS.

This function is only usable with the following options enabled

• TLS enabled on non port 80
• Port 80 Listener is enabled
• Only works for sub-domains (vdir do not support opt-out feature)

Updates 2.6.7

This version fixes bug in 2.6.6 and added the static web server features

• Fixed multidomain missing logic (by @daluntw )
• Added Static Web Server function
• Web Directory Manager
• Added static web server and black / whitelist template
• Added default / preferred Ca features
• Added Service Expose Proxy dummy page
• Optimized TLS/SSL page and added dedicated section for ACME related features

Working with Templates

To add templates to black / whitelist, create a html file under the blacklist / whitelist folder. By default, the templates should be placed at the following paths.

./www/templates/blacklist.html
./www/templates/whitelist.html

If the template is not found, the build in one will be used.

Static Web Server Notes

Web directory can only be changed via startup parameter -webroot due to security reasons. You can manage your web directory and perform some basic file operations like rename, upload, download, copy / cut and delete via the web directory manager which is basically a trim down version of the ArozOS File Manager.

If you do not want to expose your web directory to the web interface due to security concerns, use -webfm=false in your startup parameter to disable the feature. This will disable all api related to the file manager in the back-end server.

Updates 2.6.6

This version fixes some bugs in 2.6.5 and added a few minor new features.

• Added basic auth editor custom exception rules
• Fixed redirection bug under another reverse proxy and Apache location headers
• Optimized memory usage (from 1.2GB to 61MB for low speed geoip lookup mode or 650MB for high speed mode, see technical notes below)
• Added unset subdomain custom redirection feature
• Fixed potential security issue in satori/go.uuid

By @daluntw

• Added custom acme feature in back-end
• Added bypass TLS check for custom acme server

Notes regarding low / high speed GeoIP lookup mode

Zoraxy will try to resolve and store the visitors country of origin in its statistic collector. As requested by users regarding the memory usage issue, we added a low speed mode for GeoIP lookup logic to reduce memory usage by space time tradeoff. The low speed mode (default mode) of GeoIP lookup will slow down each request by around 6ms, which is not significant in homelab / self hosting environment. However, if you plan to use Zoraxy in production environment, you can enable to high speed mode by using -fastgeoip=true. We also optimized the high speed mode data structure so it now use around 600 - 700MB of RAM instead of 1.2GB. If your server have that capacity to run in high speed mode, we generally recommend using high speed mode for better user experience.

Updates 7 Sept 2023

A quick patch has been applied to the binary and fixed a minor UI bug that causes the backend to generate stating certificates (See issue #61 ). If you are using old version of v2.6.6, it is recommend that you download the new binary and overwrite the old one.

Updates v2.6.5

This is a beta testing build for Zoraxy and already been using in my homelab environment. You can try to deploy this to your production environment at your own risk.

IMPORTANT NOTES BEFORE UPDATE The config files are moved to the following folders in this update. You can backup the old folders and restore them in the location below if you are too lazy to set it up again.

conf/*.conf -> conf/proxy/*.conf
certs/ -> conf/certs/
rules/redirect/ -> conf/redirect/
authtoken.secret -> conf/authtoken.secret
rules/acme_conf.json -> conf/acme_conf.json

Update 25 Aug 2023 For those who are using docker, here is a message from @PassiveLemon

Breaking Changes:
File structure change requires you to update the volume mount for the configurations. It should be changed to `/opt/zoraxy/config/`
The management port is no longer changeable. This is to allow for a healthcheck.

Changes:
Healthcheck was added. See breaking changes above.
Notifier was removed.
VERSION variable is no longer configurable.

• Added Import / Export-Feature
• Moved configurationfiles to a separate folder #26
• Added auto-renew with ACME #6
• Fixed Whitelistbug #18
• Added Whois

The runtime memory usage of this build should be around 1.2GB which is normal and not memory leak. We are still trying to figure out a way to reduce runtime RAM usage while keeping the web interface embedded. Ideas and PR are always welcomed!

IMPORTANT NOTES BEFORE UPDATE If you are updating from 2.6.3, your redirection rules will be gone. Please make a backup for all the json files inside rules/(rule_names).json and restore it later after update to rules/redirect/(rule_names).json

• Added force TLS v1.2 above toggle
• Added trace route
• Added ICMP ping
• Added special routing rules module for up-coming acme integration
• Fixed IPv6 check bug in black/whitelist
• Optimized UI for TCP Proxy

As there are many screwed up anti-virus software complains UPX compression, the upx compression workflow was removed from the build process. If you need to deploy Zoraxy on embedded machines, it is still recommend that you compress the binary with upx to save some spaces.

• Added X-Forwarded-Proto for automatic proxy detector
• Split blacklist and whitelist from geodb script file
• Fixed whitelist CIDR and wildcard matching logic for issue #18
• Optimized compile binary size
• Added access control to TCP proxy
• Added "invalid config detect" in up time monitor for issue #7
• Fixed minor bugs in advance stats panel
• Reduced file size of embedded materials

From this version onward, releases are compressed by upx to save spaces on embedded devices (except riscv64 builds, seems upx doesn't support it yet)

Change Log

• Added TCP Proxy
• Added advance stats operation tab
• Added statistic reset
• Added statistic export to csv and json (please use json)
• Make subdomain clickable (not vdir)
• Updates SMTP setup UI to make it more straight forward to setup

Remarks TCP Proxy is currently tested with HTTP / HTTPS proxy and Minecraft only. If you encounter issues with the implementation, please ping @cw1997 to help fix it as I reference the design (aka copy) of the TCP proxy features from here