g3proxy/CHANGELOG


v1.10.0:
 - Policy: LTS version

v1.9.9:
 - BUG FIX: fix the check of H2 Extended CONNECT protocol
 - BUG FIX: fix the set of session cache for TLS interception client
 - Feature: allow to set max/min_tls_version in tls client config
 - Feature: allow to set remote TLS ticketer in tls server config
 - Feature: allow to set quic transport config
 - Feature: support ICAP over TLS
 - Feature: support TLS port in front of socks server
 - Feature: add new Socks5 over TLS escaper support
 - Feature: allow to select auditor in comply_audit escaper
 - Feature: allow to bind to interface in various escapers
 - Feature: allow to set protocol inspect policy based on domain rules
 - Feature: send HTTP Upgrade header via ICAP request header X-HTTP-Upgrade
 - Optimization: cache resolved IP address in UDP ASSOCIATE task
 - Optimization: be compatible with more bad socks5 server implementations
 - Optimization: echo empty ip in UDP ASSOCIATE reply when needed in socks server
 - Optimization: support fragmented TLS ClientHello record in SNI proxy server
 - Optimization: treat HTTP Trailer header as end-to-end

v1.9.8:
 - BUG FIX: fix panic when build socks5 UDP header with domain address
 - BUG FIX: fix possible panic when reading H2 stream
 - BUG FIX: register correct read event when reading cert-generate / ip-locate / route-query response
 - Feature: allow to write event logs to stdout
 - Feature: add stream detour support to audit
 - Feature: only enable anonymous user if ingress network ACL matched
 - Feature: allow to set inspect policy for WebSocket
 - Optimization: check user ingress network ACL early and reply auth failed if denied
 - Optimization: ignore more clean connection close error in interception

v1.9.7:
 - BUG FIX: clean old redis fetch job in time on reloading ProxyFloat escaper
 - BUG FIX: clean old dynamic user fetch job in time on user group reloading
 - Feature: support ICAP audition for IMAP APPEND
 - Feature: support TLS redis server
 - Feature: allow to dump client side TlS decrypted stream via `client-side` dump config option
 - Removed: remove redis cluster support, a redis proxy should be used in front of the redis cluster

v1.9.6:
 - BUG FIX: fix lifetime of worker threads
 - BUG FIX: fix selection of final escaper for http forward tasks
 - Feature: allow to set global speed limits at user level

v1.9.5:
 - BUG FIX: close the old process when hot restart

v1.9.4:
 - BUG FIX: fix ALPN filter in tls interception
 - BUG FIX: update to tokio 1.38.1
 - Feature: allow to block IMAP connection
 - Feature: allow to disable session ticket and session cache in TLS server config
 - Feature: use aw-ls as rustls provider when build with vendored-aws-lc feature
 - Optimization: try quick TCP ACK after accept handshake for resumed TLS sessions

v1.9.3:
 - BUG FIX: fix deb package install rule
 - BUG FIX: fix match rules in route_geoip escaper
 - Optimization: only query http forward capabilities when needed in http_proxy server

v1.9.2:
 - BUG FIX: fix ICAP handle of H2 request with small body
 - Feature: add SMTP interception support
 - Feature: support ICAP reqmod for SMTP DATA message
 - Feature: support build on Windows
 - Feature: allow to steal forwarded for http headers in h1 and h2 interception
 - Feature: rewrite egress path selection code, now users can set id-based and JSON-based select map
 - Feature: add openssl variant info to version message

v1.9.1:
 - BUG FIX: fix panic in stream interception code caused by idle client connections
 - BUG FIX: fix the handle of h1 trailer headers
 - BUG FIX: do graceful shutdown for h2 connections when upstream closed
 - Optimization: close h1 interception client connection early when upstream closed
 - Feature: all tls usage field to tls cert generator helper protocol
 - Feature: support interception for tlcp protocol
 - Feature: add ip_locate helper protocol and rewrite route_geoip escaper

v1.9.0:
 - BUG FIX: fix sending of upstream error CONNECT and upgrade response body
 - Feature: add divert_tcp escaper to redirect streams to another server
 - Feature: send HTTP CONNECT and upgrade request to ICAP reqmod service
 - Feature: allow to set custom tls client config in user-site level
 - Feature: allow to set http response header receive timeout in user-site level
 - Feature: allow to use domain value as static socket address
 - Feature: add support for ketama consistent hash
 - Feature: send mimic cert to cert generator in tls interception

v1.8.0:
 - Policy: LTS version

v1.7.37:
 - BUG FIX: fix UDP sendmmsg & recvmmsg
 - Feature: allow to set Netfilter Mark for listening sockets on Linux
 - Feature: rewrite hickory resolver and add more config options

v1.7.36:
 - BUG FIX: fix h2 interception by removing server push code
 - Optimization: always dump the remote side of the tls decrypted traffic
 - Optimization: rename application_audit_ratio config option to task_audit_ratio
 - Feature: support task_audit_ratio in all servers that have audit feature
 - Feature: switch to openssl for tls interception server
 - Feature: add permute-extensions option to boringssl/aws-lc client config

v1.7.35:
 - BUG FIX: the presence of the h2 Host header in the sent request will be same as the client
 - Feature: always verify tls server name in cert when run OpenSSL client
 - Feature: support use BoringSSL
 - Feature: add more config options to OpenSSL client:
     - supported_groups
     - use_ocsp_stapling
     - enable_sct
     - enable_grease, only for AWS-LC and BoringSSL
 - Feature: enable brotli cert decompression for AWS-LC, BoringSSL and Tongsuo

v1.7.34:
 - BUG FIX: do protocol inspection for tls decrypted stream if ALPN is missing
 - Feature: add tcp_tproxy server
 - Feature: allow to dump tls decrypted stream to wireshark udpdump receiver

v1.7.33:
 - BUG FIX: fix dead looping when shutdown ssl connections

v1.7.32:
 - BUG FIX: fix session resumption for NativeTlsPort when client auth is enabled
 - BUG FIX: do session resumption only once for NativeTlsPort tls1.3 connections
 - BUG FIX: fix batch reload of auditor
 - BUG FIX: fix detection of c-ares features
 - Feature: send task_ready histogram duration metrics for user sites
 - Feature: support use AWS-LC instead of OpenSSL

v1.7.31:
 - Feature: allow to read from environment variable when setting:
     - StatsD udp peer addr
     - Fluentd udp peer addr
     - Syslog udp peer addr
     - TLS cert generator udp peer addr
     - Route query agent udp peer addr
 - Feature: make quic feature optional
 - Optimization: more efficient sending of StatsD metrics

v1.7.30:
 - Feature: add new max_timeout config option to c-ares resolver
 - Feature: support listen to quic port for HttpProxy and TcpStream server
 - Feature: use atomic swap for reload of dependency server

v1.7.29:
 - Feature: add OpenSSL based NativeTlsPort server
 - Feature: allow to chain TcpStream after ports server
 - Feature: make hickory-dns as an optional feature
 - Feature: add new max_udp_queries config option to c-ares resolver
 - Optimization: use sendmmsg / recvmmsg for UDP io

v1.7.28:
 - BUG FIX: fix server ingress net acl check for traffic from extra tls ports
 - Feature: support PROXY Protocol v1 in PlainTcpPort and PlainTlsPort
 - Feature: support PROXY Protocol in IntelliProxy port

v1.7.27:
 - Optimization: set default c-ares init options as c-ares 1.20.1 default values
 - Optimization: reduce rustls server session cache lock contention
 - Feature: rename trust-dns resolver type to hickory to be sync with upstream
 - Feature: add dns over http/3 support in hickory resolver
 - Feature: use tcp peer ip if socks5 proxy returns unspecified udp peer ip

v1.7.26:
 - BUG FIX: fix deb and rpm build scripts
 - BUG FIX: fix parse of cert_pairs of tls server config in various servers

v1.7.25:
 - Feature: add route_geoip escaper
 - Feature: various improvements to journal logging
     - add SYSLOG_IDENTIFIER field
     - improved efficiency
     - io stats added
 - Feature: update vendored openssl to 3.1

v1.7.24:
 - BUG FIX: fix vendoring build of ring

v1.7.23:
 - Feature: allow to use ID string as egress path json value in DirectFloat and ProxyFloat escaper
 - Feature: add vendored-c-ares feature to set if enable source compile of c-ares
 - Feature: drop out of date dependencies by using forks and patches

v1.7.22:
 - Removed: remove the daemon group name setting in config file
 - BUG FIX: fix site level socks_tcp_connect conn_total stats
 - BUG FIX: fix logger io stats in various AsyncLogger backends
 - Feature: support udp methods in ProxyFloat socks5 proxy peer
 - Feature: support udp methods in DirectFloat escaper
 - Feature: allow to use json value for egress path selection
     - allow to set at user level
     - support at ProxyFloat / DirectFloat / RouteSelect escaper
     - make source config in ProxyFloat escaper optional
 - Feature: allow to publish dynamic users
 - Feature: default to guess main config file when run as systemd service

v1.7.21:
 - BUG FIX: fix create of daemon controller

v1.7.20:
 - Feature: allow to set ingress net filter in user config
 - Feature: always log the raw input user name, so you will get the real user name if auth against anonymous user
 - Feature: make the listen config optional in the following servers:
     - http_proxy
     - http_rproxy
     - socks_proxy
     - sni_proxy
     - tcp_stream
     - tls_stream
 - Feature: allow to set token to null value to disable password auth for user

v1.7.19:
 - Feature: support PROXY Protocol in PlainTcpPort and PlainTlsPort server
 - Feature: support transmute udp peer addr in proxy_socks5 escaper
 - Optimization: rename and deprecate options in socks_proxy server:
     - auto_reply_local_ip_map -> transmute_udp_echo_ip

v1.7.18:
 - Feature: add license info to deb and rpm package files

v1.7.17:
 - Feature: add route_failover escaper

v1.7.16:
 - Compatibility: update build dependencies

v1.7.15:
 - Optimization: set correct default CA path if build using vendored openssl
 - Feature: allow no auth in socks5 proxy if anonymous user is enabled
 - Feature: add dns-over-quic support in trust-dns resolver
 - Compatibility: compile on MacOS / FreeBSD / NetBSD

v1.7.14:
 - BUG FIX: fix the parse of ICAP OPTIONS response

v1.7.13:
 - BUG FIX: fix the fetch of ICAP options
 - Feature: allow to set anonymous user in user group
 - Feature: allow to set retry in failover resolver if the first answer is empty

v1.7.12:
 - Optimization: do batch tcp accept
 - Feature: try best to reserve the case of http header name
 - Removed: remove uri path match in http_rproxy server

v1.7.11:
 - BUG FIX: fix reload of resolver with changed internal dependency
 - Feature: allow string value type for tls cert generator config
 - Feature: allow to output dependency graph in graphviz / mermaid / plantuml format
 - Feature: use metrics name for server/escaper/user-group/resolver/auditor name
 - Removed: drop support for http dynamic user source

v1.7.10:
 - Feature: support happy-eyeballs for resolve redirected domain
 - Feature: allow to set resolve strategy at user-site level
 - Optimization: enable tcp_nodelay by default if needed

v1.7.9:
 - BUG FIX: fix the parse of weighted upstream address
 - BUG FIX: fix the clean of offline servers
 - Optimization: listen in each worker when listen_in_worker is enabled
 - Feature: add new ctl command to force quit offline servers

v1.7.8:
 - BUG FIX: fix the set of package version in deb package
 - Feature: allow to set multiple cert pairs in rustls server config
 - Feature: allow to listen in worker, and run tasks in unconstrained mode
 - Feature: allow to start listen instance according to available parallelism
 - Optimization: update the define of openssl tls client config
 - Compatibility: add g3-compat to allow compile on platforms with glibc < 2.27
 - Compatibility: use vendored-openssl on platforms with libssl < 1.1.1

v1.7.7:
 - Feature: make libcurl as optional feature
 - Feature: add more config options to openssl tls client
 - Internal: move most of daemon control code to g3-daemon lib crate

v1.7.6:
 - Feature: allow to config the max io events per tick value for tokio runtime
 - BUG FIX: fix the print of package version
 - Optimization: add yield size limit to http body transfer futures

v1.7.5:
 - Optimization: use icap connection pool at auditor level instead of audit handle level
 - Feature: ignore Via header generated by ICAP server when sending request to upstream
 - BUG FIX: fix AsyncRead implementation of chunk decoder

v1.7.4:
 - Feature: default to send client address and username to ICAP server
 - Feature: allow to respond shared names back to ICAP server
 - Feature: allow to set application audit ratio in auditor and user config

v1.7.3:
 - Feature: allow to use icap_reqmod_service and icap_respmod_service in auditor
 - BUG FIX: make sure upstream response header is sent out in case the upstream close it's body io

v1.7.2:
 - Feature: allow to send client_ip in route_query escaper
 - Optimization: various update to http parse code

v1.7.1:
 - Feature: add --dot-graph command line option to draw internal dependency graph
 - BUG FIX: fix command line handling

v1.7.0:
 - Feature: allow to set username for redis cluster config in ProxyFloat escaper
 - Feature: support custom config file extension
 - Feature: support round robin select policy in various escaper and server
 - Feature: add user_type tag to user and user site metrics
 - Feature: replace http_tproxy and sni_proxy with a new protocol inspection enabled sni_proxy
 - BUG FIX: fix spawn new reload of resolver

v1.6.0:
 - Feature: forbid ipv6 discard-only address block by default
 - Optimization: use less mutex in openssl tls client session cache

v1.5.6:
 - BUG FIX: do not consider c-ares NODATA as error
 - Optimization: ignore the first error in happy eyeballs resolver

v1.5.5:
 - Feature: switch to use happy eyeballs resolve method in
     - RouteResolved escaper
     - udp connect method in DirectFixed escaper
     - resolver query ctl interface

v1.5.4:
 - Feature: allow to set/unset hostname in syslog message header

v1.5.3:
 - Feature: use happy eyeballs algorithm in Direct* and Proxy* escaper
 - Feature: enable ftp over http support in DirectFloat escaper
 - Feature: support multiple upstream addresses on TcpStream and TlsStream server

v1.5.2:
 - BUG FIX: fix panic when parsing ipv6 socks requests
 - Optimization: socks: return error early for empty domains
 - Feature: drop local_match in route_upstream escaper

v1.5.1:
 - BUG FIX: fix the build of deb package

v1.5.0:
 - Feature: reintroduce the python dynamic user source and make it optional
 - Feature: keep ipv4 compatible address in ipv6 form
 - Feature: allow to log to fluentd by using it's Forward Protocol

v1.4.2:
 - Feature: allow to specify lua version via features, and default to lua5.1
 - Feature: add g3proxy-lua to test the functionality of lua
 - BUG FIX: fix auth error reply in http_rproxy server

v1.4.1:
 - Feature: allow to set report script for lua dynamic user source
 - BUG FIX: fix the exact domain match for explicit user sites

v1.4.0:
 - Feature: add user level layer 7 alive connection metrics
 - Feature: add tcp_conn_rate_limit to user config
 - Optimization: rename tcp and udp speed limit config options

v1.3.5:
 - BUG FIX: cache dynamic users only if valid
 - BUG FIX: revert to use mlua 0.7.4

v1.3.4:
 - Feature: allow to set site config for each user
 - Optimization: close http persistent connections early when server goes offline

v1.3.3:
 - Feature: use clap to parse command line options
 - BUG FIX: fix set of resolve strategy for g3proxy-ctl resolver query command

v1.3.2:
 - Feature: support traditional private key PEM format
 - Feature: add compile info to g3proxy
 - Optimization: rename http_gateway server to http_rproxy

v1.3.1:
 - Feature: allow to use unaided worker threads for tasks
 - BUG FIX: fix reload all config

v1.3.0:
 - Feature: add socks_use_udp_associate option to user config
 - Optimization: use buffered metrics sink
 - Optimization: switch to use std Mutex instead of parking_lot Mutex
 - Optimization: rename some resolver ttl config options

v1.2.2:
 - Feature: update openssl tls client config

v1.2.1:
 - BUG FIX: fix deb package dependency

v1.2.0:
 - Feature: switch to curl for simple http requests and add more config options:
     - connect_timeout
     - interface
 - Feature: use distro default luajit

v1.1.5:
 - BUG FIX: fix debian package file

v1.1.4:
 - Feature: add back the simple 'http' dynamic user source
 - Feature: add trust-dns resolver, which can also be configured to use DoT or DoH
 - Feature: switch to use openssl tls client for outgoing tls connections
 - Feature: allow to disable sni and session cache in rustls client config

v1.1.3:
 - Feature: add 'lua' source for dynamic user fetching
 - Feature: remove 'python' source for dynamic user fetching
 - Feature: add 'route_client' escaper

v1.1.2:
 - Import all bug fixes from v1.0.1 and update packages

v1.1.1:
 - Feature: add new http_tproxy server
 - Feature: rename server ppdp_tcp_port to intelli_proxy

v1.1.0:
 - Feature: add 'python' source for dynamic user fetching
 - Feature: remove 'http' source for dynamic user fetching

v1.0.1:
 - BUG FIX: fix handle of 100-continue response after request body sent out
 - BUG FIX: do not close the http connection if no body is expected in response

v1.0.0:
 - First Long Term Support Branch

v0.9.10:
 - BUG FIX: fix rfc5424 syslog timestamp format

v0.9.9:
 - Feature: rename escaper route_dst_ip to route_resolved
 - BUG FIX: fix update of resolve strategy based on ipv4_only/ipv6_only settings
 - BUG FIX: avoid the panic caused by parsing float values as time duration

v0.9.8:
 - BUG FIX: add '=' as KV delimiter to rfc3164 syslog

v0.9.7:
 - BUG FIX: fix parse of msgpack string
 - BUG FIX: close remote tcp sockets in time in proxy_socks5 escaper
 - BUG FIX: really set ca certificate when build tls client config

v0.9.6:
 - Feature: allow to display verbose ftp command message in g3proxy-ftp
 - Feature: allow to change timezone via control commands
 - Feature: allow to generate varies shell completion scripts for g3proxy-ctl and g3proxy-ftp

v0.9.5:
 - Feature: add tls_stream server
 - Feature: check time offset at start time, and make the explicit use of local time thread safe

v0.9.4:
 - BUG FIX: drop cmake build dependency to build on old OS

v0.9.3:
 - Feature: add blake3 to fast hashed passphrase and make all hashes optional
 - Feature: allow to set negotiation timeout value for next proxy peers
 - Feature: allow to set handshake timeout value for servers with tls enabled, and add listen.timeout metrics
 - Feature: drop tls code in plain_tcp_port and add plain_tls_port
 - Feature: move ingress network filter check to very early stage, which results to:
     - rename metrics server.forbidden.src_blocked to listen.dropped
     - add ingress network filter config to plain_tcp_port / plain_tls_port / ppdp_tcp_port

v0.9.2:
 - Feature: allow to add extra metrics tags to escaper metrics
 - Feature: delete useless tcp_copy_flush_interval server config option
 - Feature: add user level upstream traffic stats
 - BUG FIX: allow to use route escaper behind http gateway server

v0.9.1:
 - Feature: add sni_proxy server

v0.9.0:
 - Feature: add jump hash as a pick policy for SelectiveVec
 - Feature: remove deprecated escaper config options:
     - tcp_connect_max_retry
     - tcp_connect_each_timeout
 - Feature: allow to use the first Authorization for upstream ftp auth in http proxy server
 - Feature: add route_select escaper, and remove the old route_random escaper
 - Feature: add route_query escaper
 - Feature: allow to start tls at server level behind multiple plain tcp ports
 - Feature: allow to set client side tcp socket options at user level
 - Feature: use PKCS #8 format for private key
 - Feature: delete append_forwarded_for config option from proxy_http(s) escaper
 - Feature: delete remote_keepalive_eof_wait config option from http_proxy server
 - Feature: add http_gateway server

v0.8.11:
 - Feature: allow to set tcp and udp socket options at server side

v0.8.10:
 - regenerate release tarball

v0.8.9:
 - Feature: allow to set SO_MARK for tcp socket
 - Feature:  allow to set more udp socket options at user and escaper level:
     - IP_TTL
     - IP_TOS
     - SO_MARK

v0.8.8:
 - Feature: allow to set probe_interval and probe_count in tcp keepalive config
 - Feature: allow to set more tcp socket options at user and escaper level:
     - TCP_NODELAY
     - TCP_MSS
     - IP_TTL
     - IP_TOS

v0.8.7:
 - BUG FIX: fix resolve of dns name with '_' in it's CNAME

v0.8.6:
 - Feature: add tcp_connect config option to user config
 - Feature: add tcp_connect config option to escaper config, and deprecate the following:
     - tcp_connect_max_retry
     - tcp_connect_each_timeout

v0.8.5:
 - Feature: add --version command line option
 - Feature: add proxy_request_filter to user config

v0.8.4:
 - Feature: allow to forward all ftp requests to next proxy
 - Feature: enable https forward by default

v0.8.3:
 - Feature: allow to add extra metrics tags in server and user metrics
 - Feature: add server and server extra tags in user forbidden metrics
 - Feature: add more detailed resolver error metrics

v0.8.2:
 - Optimization: do eagerly flush in io copy

v0.8.1:
 - Feature: allow pass userid to next proxy in proxy_http(s) escaper
 - BUG FIX: fix leak of forwarded header to upstream in proxy_http(s) escaper

v0.8.0:
 - Feature: support file upload and delete in ftp over http request
 - Optimization: change default tcp copy flush interval to 200ms
 - Optimization: explicit forbid empty upstream address

v0.7.27:
 - Feature: support single range request in ftp over http request
 - Feature: support tls server config in plain_tcp_port server
 - Optimization: always ignore body related headers in 1xx and 204 http response as specified in rfc7230

v0.7.26:
 - BUG FIX: fix panic in https_forward task if the upstream has no domain
 - Feature: support tls offload in tcp stream
 - Feature: set bind_address_no_port for udp connect socket

v0.7.25:
 - BUG FIX: various fix for ftp over http

v0.7.24:
 - Feature: support udp associate and udp connect on proxy_socks5 escaper
 - Feature: restore support for domain as target address in udp associate task
 - Feature: prefer to use mime type returned by ftp server
 - Feature: do acl check in udp associate task
 - Feature: force quit tasks during process shutdown
 - BUG FIX: ftp: determine transfer size right after setting transfer type

v0.7.23:
 - Feature: allow to set auto_reply_local_ip_map for socks_proxy server
 - BUG FIX: fix limit for tcp copy config

v0.7.22:
 - Feature: add default simplified udp connect mode for socks server
 - Feature: do not require the same address family for tcp and udp if udp bind ip is set
 - BUG FIX: fix subnet_match config in RouteUpstream escaper

v0.7.21:
 - Feature: refactor task idle check logic:
     - remove 'task_idle_duration' config at server side
     - add 'task_idle_check_duration' config at server side
     - add 'task_idle_max_count' at server and user side
 - Feature: add src denied stats to server forbidden stats
 - Feature: add subnet_match to dst_host_filter_set acl rule set
 - Feature: add subnet_match rule to RouteUpstream escaper
 - BUG FIX: quote the realm value in response header

v0.7.20:
 - Feature: add explicit flush interval for tcp copy
 - Feature: default to always try epsv for ftp transfer
 - Optimization: increase default http rsp header recv timeout to 60s

v0.7.19:
 - Feature: drop escaper tag from user traffic metrics
 - Feature: initial version with working ftp over http support

v0.7.18:
 - BUG FIX: fix panic when handle empty Host http header value

v0.7.17:
 - Feature: allow to set http forward capability for proxy_http(s) escapers
     We can forward https and ftp requests to next http(s) proxies from now on
 - Feature: add route metrics for route type escapers
 - Feature: the request and traffic metrics are now correct set on the final escaper
 - Feature: add g3proxy-ftp to test ftp functions

v0.7.16:
 - BUG FIX: fix upstream addr parse error
 - BUG FIX: fix set of `allow_custom_host` and `steal_forwarded_for` options for http_proxy server
 - Feature: allow to set udp socket buffer size for socks_proxy server

v0.7.15:
 - BUG FIX: fix miss action for ip hosts when only child and regex host rules set
 - Feature: add options to control http forwarded headers
     - http_proxy server: allow to delete forwarded headers in client requests
     - proxy_http & proxy_https escaper: allow to append forwarded header in requests send out
 - Feature: support haproxy PROXY protocol for proxy_http and proxy_https escapers
 - Feature: support CEE log syntax in syslog
 - Optimization: reply with http code 409 if host header doesn't match host in uri

v0.7.14:
 - BUG FIX: support ipv6 address in squared bracket as http Host value
 - BUG FIX: convert ipv6 mapped ipv4 address back to ipv4 address when parsing UpstreamAddr
 - BUG FIX: fix server online status after reloading runtime
 - Optimization: do not create default escaper in rpc commands
 - Feature: add more servers
     - plain_tcp_port: just listen to a tcp port and send connections to another server
     - ppdp_tcp_port: detect the proxy protocol of the connection, and send to the corresponding next server,
         the type of which could be either http_proxy or socks_proxy.
     - dummy_close: just close the connection

v0.7.13:
 - BUG FIX: fix handle of http url with ipv6 address as host field
 - Feature: add listen stats for server
 - Optimization: make `append_report_ts` syslog driver config option default to false

v0.7.12:
 - BUG FIX: fix rfc5424 format for appended report_ts log field

v0.7.11:
 - Feature: add udp_bind_port_range config option to socks_proxy server
 - Feature: default to append `report_ts` to logs sendto syslogd
     - add `append_report_ts` config option to syslog driver to control the behaviour
 - Optimization: ignore optional fields with empty value in logs send to syslogd

v0.7.10:
 - BUG FIX: fix counting of user level https forward io stats
 - BUG FIX: fix X-BD-Upstream-Addr custom header

v0.7.9:
 - Feature: http_proxy: close the connection if previous request is also auth failed

v0.7.8:
 - Feature: use native async implementation from g3-syslog
 - Feature: add metrics for loggers
     - add logger.message.total
     - add logger.message.pass
     - add logger.traffic.pass
     - add logger.message.drop
 - Feature: sleep double emit_metrics interval time for metrics flushing in graceful shutdown mode
 - Feature: add more resolver runtime config options
     - graceful_stop_wait, which set the delay time after really stop the thread
     - protective_query_timeout, which set the query timeout for queries sent to driver
 - BUG FIX: fix http_proxy server config key name no_early_error_reply
 - BUG FIX: shutdown the runtime thread for fail-over resolver

v0.7.7:
 - Feature: change the default found action for user-agent acl rule to forbid.
 - Feature: make some restrictions on uri in log:
     - limit the number of characters, and add corresponding config options
     - replace password field with 'xyz'
 - Feature: add `user_agent` to HttpForward Task log
 - Feature: add stats about resolver internal hashtable memory usage
 - Optimization: increase the default async log channel size from 1024 to 4096

v0.7.6:
 - Feature: allow to drain body of http requests with no auth info
     - add `untrusted_read_limit` option to http_proxy to enable it and set the read limit
 - Feature: add user_blocked forbidden stats to server
 - Feature: add untrusted task stats to server
     - add server.task.untrusted_total
     - add server.task.untrusted_alive
     - add server.traffic.untrusted_in.bytes

v0.7.5:
 - BUG FIX: limit the maximum dns cache ttl value to avoid panic
 - Feature: add config option *max_cache_ttl* to resolvers

v0.7.4:
 - BUG FIX: fix selection of udp bind ipv6 address

v0.7.3:
 - BUG FIX: convert ipv4-mapped ip back to ipv4 format early
 - Optimization: add content-type to http proxy error response

v0.7.2:
 - Feature: add new no_early_error_reply config option to http_proxy server
 - Feature: add capnp rpc command to list user group and users
 - Optimization: do not add user level acl stats to server level
 - Optimization: add more detailed reason to task logs

v0.7.1:
 - Optimization: do more strict limitation on user max alive requests
 - BUG FIX: http_proxy server: fix keepalive for http 407 response
 - Feature: add layer-7 http User-Agent acl rule to user config
 - Feature: add ua_blocked forbidden stats for user

v0.7.0:
 - FEATURE: add fail_over resolver

v0.6.9:
 - FEATURE: forbid unspecified egress target address by default
 - FEATURE: allow to set bind ip addresses for socks5 udp associate client side ip selection

v0.6.8:
 - BUG FIX: update tokio 1.1.1 memory leak fixed version

v0.6.7:
 - FEATURE: add resolve redirection support at user and escaper level
 - FEATURE: add alive requests stats at user level
 - FEATURE: allow to limit total alive requests at user level
 - FEATURE: also cancel tasks belong to blocked users in idle detection
 - FEATURE: socks5 udp associate: dropped domain support for security reasons
 - FEATURE: add child match rules to RouteUpstream escaper
 - FEATURE: make sure cached data write flushed when the other end read closed in tcp connect tasks
 - BUG FIX: do correct parent domain match in child match acl rule

v0.6.6:
 - BUG FIX: add cached data in buf reader to io stats
 - FEATURE: allow to set log rate limit at user level
 - FEATURE: add stats about log skipped requests at user level

v0.6.5:
 - BUG FIX: fix log_type for shared loggers
 - FEATURE: make socks5 udp associate optional and disabled by default

v0.6.4:
 - BUG FIX: fix check of body type for http 304 response
 - FEATURE: add escaper level forbidden stats
 - FEATURE: add server & escaper level forbidden stats to user forbidden stats when possible

v0.6.3:
 - BUG FIX: fix user-group reload
 - BUG FIX: fix normalization for socks_proxy config keys

v0.6.2:
 - BUG FIX: do not exit after accept error
 - Feature: allow to discard task / escaper / resolver logs, and make this the default
 - Feature: allow to set socket buffer size for c-ares resolver
 - Feature: allow to use shared logger thread for server and escaper

v0.6.1:
 - BUG FIX: fix idle check

v0.6.0:
 - Internal: port to tokio 1.0 version
 - BUG FIX: only spawn long running tasks in main runtime

v0.5.10
 - BUG FIX: fix index based path selection when index overflow
 - BUG FIX: fix emit of user and server forbidden stats

v0.5.9
 - Feature: add new TrickFloat escaper
 - Feature: add new RouteMapping escaper
 - Feature: add path selection to:
     - HttpProxy server, disabled by default
     - DirectFixed escaper, disabled by default
     - RouteMapping escaper, always enabled, but only support index mapping
 - Feature: add general http keepalive config:
     - rename keepalive_eof_wait to remote_keepalive_eof_wait for HttpProxy server
     - add http_forward_upstream_keepalive to HttpProxy server, remove keepalive_idle_expire
     - add http_upstream_keepalive to user config, remove http_keepalive_idle
     - rename tcp_keepalive to tcp_remote_keepalive for user

v0.5.8:
 - Feature: add more options to control http keepalive:
     - keepalive_eof_wait: set the time to wait when check eof of upstream connection
     - keepalive_idle_expire: set the max idle time for the keep of upstream connection
 - Feature: add http_keepalive_idle config to user config.

v0.5.7:
 - Feature: allow user to specify custom resolve strategy
 - Feature: add 525 reply code to http proxy
 - Feature: add -t flag to g3proxy to test the format of config file
 - BUG FIX: also check upstream read close while sending new requests on reused connection
 - Feature: only wait for 100-continue response before request body send out
 - Feature: add tcp_keepalive setting to user config
 - Feature: add tcp_keepalive setting to escaper config, and deprecate old tcp_keepalive_idle config
 - Feature: change default resolve pick strategy to Random instead of First.

v0.5.6
 - Feature: allow to block user and set a delay before sending auth error response
 - Feature: add user and server level forbidden stats
 - BUG FIX: fix http forward Connection check

v0.5.5:
 - Optimization: use native tls certs for local generated http request
 - Feature: allow to auth user with traditional unix crypt
 - Feature: allow to set source of proxy_float escaper to passive

v0.5.4:
 - BUG FIX: fix user http_forward io stats
 - BUG FIX: fix escaper http forward task count

v0.5.3
 - BUG FIX: fix default stats emit duration
 - BUG FIX: fix emit of user stats

v0.5.2
 - Feature: add egress info to direct_float escaper

v0.5.1
 - Feature: add resolver stats
 - Optimization: allow more ascii chars in domain
 - Optimization: add server & escaper tags to user stats

v0.5.0:
 - Feature: add 'allow_custom_host' to http_proxy server
 - Feature: support output of server / escaper / user stats
     - added 'stat' root config
     - support output to statsd

v0.4.23:
 - Optimization: g3proxy-clt can detect default runtime dir now
 - Optimization: default to create non-existed cache file
 - Optimization: setup process logger early, so warning in config parse code can be emitted
 - Optimization: resolver pick policy now apply to get_all_addrs
 - Optimization: add more tcp_connect info to escape and task log:
     - tcp_connect_tries: show how many times we have tried to connect
     - tcp_connect_spend: show the total time we have spent on tcp connect for all tries

v0.4.22:
 - Feature: rename proxy_dynamic escaper to proxy_float, and add options to set local cache
 - Feature: add local cache for dynamic users
 - Feature: allow to publish peers to proxy_float escaper
 - Feature: add direct_float escaper

v0.4.21:
 - Feature: add yield out to tcp copy and udp relay task
 - Feature: add the following config to server:
     - tcp_copy_yield_size
     - udp_relay_packet_size
     - udp_relay_yield_size
 - Feature: support capnproto rpc on local controller, and add g3proxy-ctl command

v0.4.20:
 - Optimization: allow to set protective_cache_ttl for error / empty resolver records
 - Optimization: add 'duration' and 'source' to c-ares resolver error log

v0.4.19:
 - BUG FIX: always return all resolver error for all queries.
     This fix the regression introduced in v0.4.18 

v0.4.18:
 - Optimization: report misc server error in cares resolver
 - Optimization: log query type in cares resolver error log
 - Optimization: return early when resolve error for *First strategies
 - BUG FIX: fix the number of running listen instances during reload of server

v0.4.17:
 - Feature: cares resolver: allow to set bind ip for each family:
     - deprecate 'bind' config option
     - add 'bind_ipv4' config option
     - add 'bind_ipv6' config option
 - Feature: proxy escapers: allow to set bind ip for each family:
     - deprecate 'bind_ip' config option
     - add 'bind_ipv4' config option
     - add 'bind_ipv6' config option

v0.4.16:
 - Feature: add expire to user config.
 - Feature: allow to builtin webpki-roots ca certs for rustls client config.
 - Feature: add dynamic users to user group, the source currently supported are:
     - file: sync from a local file
     - http: sync through an http GET request

v0.4.15:
 - Feature: add more acl rule to server and user config:
     - dst_host_filter_set: limit the upstream host
     - dst_port_filter: limit the upstream port
 - Feature: add 'wait_time' to task log:
     - wait_time is the time after we recv the first byte and before create the task
     - ready_time and total_time doesn't include wait_time
 - Feature: add tls handshake in escape log.
 - Optimization: allow to set a list of tls certificate file.
 - BUG FIX: fix reload of server if tls / acl config changed.

v0.4.14:
 - Feature: support https forward on all escapers.
 - Feature: add ProxyHttps escaper.
 - Feature: support https proxy peer on ProxyFloat escaper.
 - Optimization: add options to set internal copy buffer size.
 - BUG FIX: fix domain prefix match in route-upstream escaper.

v0.4.13:
 - Optimization: add more fields such like io stats to task log
 - BUG FIX: fix handle of response to http HEAD request

v0.4.12:
 - Feature: add log config in main conf, which sets initial config for loggers
 - Feature: allow to send log to syslogd through unix and udp sockets
 - Optimization: move tcp_connect and udp_relay log to a new escape logger

v0.4.11:
 - Feature: enable request recv timeout check on http proxy server
 - Optimization: use separate resolve logger for each resolver
 - Optimization: limit client address at socket level for udp client sockets
 - Optimization: use more thread local buffer

v0.4.10:
 - Feature: enable keepalive by default on dynamic escapers
 - Feature: enable task idle check on servers
 - BUG FIX: do strict check on limit read

v0.4.9:
 - Feature: add instance count config field to server listen config
 - Feature: add 0x09 as connection timed out socks5 reply code, as it's added in socks6 draft
 - Feature: reflect peer timeout in response to client for proxy escapers
     - use 504 for http server response
     - use 0x09 for socks5 reply
 - Feature: support ingress_network_filter for servers
 - Feature: support egress_network_filter in direct fixed escaper
 - Feature: add response header X-BD-Dynamic-Egress-Info for dynamic escapers, it will be set
            if server_id in config is set.
 - Feature: let socks5 dynamic peer return early if expired when sending request on an alive connection
 - Optimization: use different task log threads for each server
 - Optimization: increase the default backlog value to 4096
 - Optimization: always use socket address in listen config, drop separate port config
 - BUG FIX: use real expire time in http response
 - BUG FIX: make sure close the remote connection if http forward task should close

v0.4.8:
 - BUG FIX: fix format of http response header Proxy-Authenticate

v0.4.7:
 - Optimization: use askama instead of handlebars to generate error html page
 - Optimization: support systemd version 23x and python version 3.5.x
 - Optimization: switch expire_guard_seconds option to expire_guard_duration for proxy_float escaper
 - Optimization: rename main conf key for auth to 'user_group'

v0.4.6:
 - BUG FIX: fix http CONNECT 200 response when any custom header enabled

v0.4.5:
 - Optimization: do not count in target port in rendezvous selection for proxy escapers.
 - Optimization: adjust custom headers and settings for http_proxy server:
     - add header X-BD-Remote-Connection-Info, which will be set if server_id in config is set.
     - remove header X-BD-Remote-Connection-Expire, as it contains in X-BD-Remote-Connection-Info.
     - remove option http_forward_upstream_id, add option http_forward_mark_upstream instead,
       which requires server_id to be set. The value for header X-BD-Upstream-Id will be server_id.
 - Optimization: change some fields in tcp connect logs:
     - add "next-bind-ip" to record the bind ip we selected before the connection.
     - rename "tcp-expire" to "next-expire", this is the peer expire time, not only the connection.
     - rename "next-bind" to "next-bound-addr", this is the local addr from which we connect to remote.
     - rename "next-peer" to "next-peer-addr", which is the remote socket address.
 - Optimization: use parking_lot::Mutex for short non-async operations.
 - BUG FIX: fix peer update for proxy_float escaper.
 - BUG FIX: use only ICANN domains in psl data file.

v0.4.4:
  - Feature: support non-blocking redis-cluster dynamic peer update
  - Feature: introduce selective vector and use it in proxy escapers
      The nodes can be weighted, and we support random/sequence/rendezvous pick policies
  - Feature: support redis 6 AUTH with username
  - Feature: add user stats, including connection/request/traffic stats
  - Optimization: use ahash instead of std hash for better performance

v0.4.3:
  - BUG FIX: resolver: fix empty records with Ipv4First policy if ipv6 resolver return empty first

v0.4.2:
  - Feature: allow to set request limit at user level

v0.4.1:
  - Feature: add user group reload action in daemon helper script
  - Feature: allow to set rate limit at user level at the server side
  - Feature: respect expire value in proxy_float escaper, the following options are added:
      - expire_guard_seconds
          This will set some buffer time between the time we make the selection and
          the time we make the real connection
  - Feature: allow http dynamic peer to append extra headers via "extra_append_headers"
  - BUG FIX: fix handling of multiple http headers

v0.4.0:
  - Feature: add proxy_float escaper
  - Feature: add proxy_socks5 escaper
  - Feature: add some custom response headers for http_proxy server
      - X-BD-Upstream-Id
          For http forward protocol. It means that the response comes from remote side
          if this header is present, at least the remote side of the proxy which has
          been set with the same 'upstream id' value.
      - X-BD-Remote-Connection-Expire
          May be present in all http responses. If the value is a valid rfc3339 datetime
          string, the remote connection will expire after this time, and the pending data
          may be failed to transfer. New requests should not be affected if the connection
          to the proxy is keep-alive and clean. If there are multiple chained proxies on the
          path, the nearest value from now will be kept.
      - X-BD-Upstream-Addr
          If enabled, it contains the upstream addr we attempted to connect to. If there are
          multiple chained proxies on the path, the result from the nearest one to upstream
          will be used. Note not all proxies support such info. It depends on the real
          topology to decide whether it's value is meaningful.
      - X-BD-Outgoing-IP
          If enabled, it will contain the far most ip address we used to connect to upstream.
          If there are multiple chained proxies on the path, the result from the nearest one
          to upstream will be used. Note not all proxies support such info and the ip address
          may still behind NAT. It depends on the real topology to decide whether it's value
          is meaningful.
  - Feature: allow to enable tls for http_proxy server
  - BUG FIX: fix encoding of username and password when used in HTTP contexts,
      now we can support all UTF-8 chars in username and password.
  - BUG FIX: fix the meaning of various stats
      - server stats: count in all data in proxy protocol layer to client, including negotiation
      - escaper stats: count in all data in proxy protocol layer to upstream, including negotiation
      - task stats: only count in real user data both to client and to upstream, excluding negotiation
      - tls is considered as a layer between transport and application, which won't be count in

v0.3.5:
  - BUG FIX: fix install of systemd unit file in deb package

v0.3.4:
  - BUG FIX: fix building of deb package

v0.3.3
  - Feature: allow to set multiple proxy addresses in proxy_http escaper
  - Feature: use the official way to build deb packages

v0.3.2
  - Feature: add json-rpc protocol to local controller
  - Feature: add g3proxy-daemon-helper script for reload and offline actions
  - Feature: add more tcp and http related config options
  - BUG FIX: fix dead lock when reloading route type escapers

v0.3.1
  - Feature: add basic auth to proxy_http escaper
  - Feature: add local_match and radix_match rules to route_upstream escaper
  - BUG FIX: make router in proxy_http escaper really optional

v0.3.0
  - Feature: add sphinx doc for all configurations
  - Feature: add error response body for http_proxy server
  - Feature: add some 'route' type escapers
    The 'route' escapers are used to select next escapers,
    so now escapers can depend on others, but cycle is not allowed in the final dependency graph.
    The following 'route' escapers are added:
      - route_random
      - route_upstream
      - route_dst_ip
  - Feature: add script to generate release tarball
  - Tweak: rename not_existed escaper to dummy_deny
  - Tweak: log optimization

v0.2.2
  - Feature: make systemd service restart graceful, though not perfect
  - Feature: add proxy_http escaper

v0.2.1
  - Optimization: use buffer writer when sending response to client
  - BUG FIX: close connection if remote response is read to end

v0.2.0
  - Initial release with a CHANGELOG.