v2.3.3

• AzBlob: fix SAS URL with embedded container name.
• Allow to edit profile for users logged in via OIDC

v2.3.2

• Fix data provider reset command.
• Fix sql tables prefix handling. The prefix was missing on some tables.
• Backup: include folders set on groups.
• Config: fix get branding from env vars.
• S3: fix renaming large files and improve rename performance.
• OIDC: allow to configure OAuth2 scopes.
• OIDC: added a debug option to allow you to inspect the received id_token.
• WebAdmin/WebClient: allow to disable OIDC login button and/or login forms per-binding.
• WebAdmin: update moment.js to 2.29.4 to fix a security issue.
• User templates: apply placeholders also for start directory.
• WebClient: add an HTML5 player.
• Add a link to donations/sponsorships options on the setup page: helping the project is very important or it will die in the long run.

Backward incompatible changes:

• if you are using sql_tables_prefix please add the defined prefix where it is missing by renaming the affected tables. Before v2.3.2 the prefix was not applied to some tables. This bug has been fixed, but database consistency must be ensured before upgrading.

v2.3.1

• WebAdmin: change date formatting to ensure Safari compatibility.
• Fix IP proxy header parsing if listening on UNIX domain socket.
• Fix compatibility with MySQL 8.x.
• YUM and APT repo are now available.

v2.3.0

New features

• Groups: simplify the administration of multiple accounts by letting you assign settings once to a group, instead of multiple times to each individual user.
• Branding: allow to easily customize the WebAdmin and WebClient UIs to match your brand.
• OpenID Connect: SFTPGo can be connected to your existing Identity Provider.
• ACME: add support to obtain and automatically renew TLS certificates from Let's encrypt and other ACME compliant certification authorities.
• Allow to require two-factor authentication per user.
• Allow to set a start directory for SFTP, FTP and HTTP users.
• Data transfer bandwidth limits, with total limit or separate settings for uploads and downloads and overrides based on the client's IP address.
• Check disk and data transfer quota usage between ongoing transfers even if the transfers are performed on different nodes.
• Global whitelist: services can be restricted to specific ranges of IP addresses.
• New Geo-IP filtering plugin: services can be restricted based on the the geographical location of the clients' IP addresses.
• Allow to hide files/folders in directory listing based on pattern filters.
• Allow to cache external authentication.
• External shares: add read/write mode and allow to browse shared directories.
• Allow to configure the minimum version of TLS to be enabled.
• Naming rules for usernames, folder and group names: case insensitive matching is configurable.
• S3: add support for ARN roles.
• HTTP proxy headers: add a depth setting to extract the correct rightmost IP in the list.
• WebAdmin: allow to control column visibility and ordering.
• Allow to set different TLS certificates for each binding.
• Allow to customize execution timeout and environment variable for program based hooks.
• Execute db migrations holding a database-level lock, for databases that support locking.
• s3fs: migrate to AWS SDK v2.
• azblobfs: migrate to the new Azure Blob SDK.
• sshd: disable by default sha1 based host keys, KEXs and MACs.
• Check and update the password hashing algorithm on user login.
• Make sure that JWT tokens, cookies and CSRF tokens can only be used from the IP they were issued for.
• Other minor improvements and bug fixes.

Backward incompatible changes

• External auth: the HTTP hook now receive a proper JSON serialized user. Before we were sending a user serialized as JSON string. See #836 for more details.
• Removed prefer_database_credentials setting. We now assume that this setting is true. We don't store GCS credentials on filesystem anymore.
• Rename permission must be explicitly granted. We don't assume anymore that rename permission is implicitly granted if the user has delete and upload permissions.
• sshd: sha1-based host keys, KEXs and MACs are now disabled by default for security reasons. If you need to support old clients you need to explictly enable them.
• skip_natural_keys_validation is now replaced by the more generic naming_rules. The default value for naming_rules is 1 which is the same as skip_natural_keys_validation to true.
• to be able to extract the client IP address from proxy headers like X-Forwarded-For, X-Real-IP etc. you need to specify the header to search for using the client_ip_proxy_header setting.

v2.2.3

• sftpfs: improve rename, remove, readlink.
• web setup: add an optional installation code. The purpose of this code is to prevent anyone who can access to
  the initial setup screen from creating an admin user.
• db defender: fixed the query to get banned hosts.
• docker: add rsync and jq to full image variants.
• sshd: disable sha1 based KEXs and MACs by default.
• be sure to close an SSH connection if all channels are idle.
• fix UTC logging.
• other minor improvements and bug fixes.

v2.2.2

• Web admin: group user options into different sections. The add/update user UI should now be less intimidating.
• Web admin: clone and template features were unified. You can now save or export one or more users/folders using the template feature.
• Web admin: allow to create multiple users/folders from templates.
• Plugins: move sdk to a separate package.
• Notifier plugin: fix recovery of failed events.
• FTP: allow NLST on files.

v2.2.1

• Web Client: allow to upload/delete multiple files.
• Web Client: add support to integrate external viewers/editors.
• Web Client: allow to move files between folders.
• Web shares: allow to download a single shared file without compression.
• Keyboard interactive hooks: allow to validate 2FA passcodes.
• Added support for different bandwidth limits based on the client IP.
• Added support for metadata plugins. The metadata plugin here allows to change/preserve modification times for cloud storage backends.
• Defender: add a data provider based implementation. It should be used if you want to share defender data across multiple SFTPGo instances.
• CI: add support for Windows arm64 and x86.
• Other minor improvements and bug fixes.

v2.2.0

Two-factor authentication

• Added built-in two-factor authentication based on time-based one time passwords (RFC 6238) which works with Authy, Google Authenticator and other compatible apps.

Plugin support

• SFTPGo can now be extended with custom plugins. Some plugins are available here.

REST API

• API key authentication as alternative to JWT tokens.
• Data retention: you can enforce per-folder retention policies for each user by periodically calling the data retention API.
• Swagger UI is now included and enabled by default: you can easily visualize and interact with the API’s resources without installing an external tool.

Web Client

• Added "write" feature: you can upload files, create directories, rename and delete.
• Password reset by sending a confirmation code via email.
• Sharing support: you can create HTTP/S links to externally share files and folders securely, by setting limits to the number of downloads/uploads, protecting the share with a password, limiting access by source IP address, setting an automatic expiration date.
• Edit plain text files directly in the browser.
• View images and PDFs in the browser.

Other

• Docker: added distroless based image.
• CI: Deb and RPM packages are automatically generated for armv7 as well.
• Windows: installer and executable are now signed and they have a proper icon. Thanks to @asheroto for providing the icon.
• Windows: Chocolatey package is now available. Thanks @asheroto.
• WebDAV: added support for LOCK discovery.
• Many other minor improvements and bug fixes.

Backward incompatible changes

• Custom actions: removed the arguments for the external program hook, you have to use environment variables. Please take a look at the updated docs.

Notes

• Don't forget to adapt your configuration file.

v2.1.2

fix a nil pointer dereference that can occur when upgrading from very old versions

v2.1.1

• S3: fix Ceph compatibility.
• S3: add per-chunk download timeout.
• GCS: add a trailing / to "directories". This way SFTPGo can detect "directories" created using the Google Cloud console.
• FTP: mitigation for data connection stealing and bounce attacks.
• Other minor bug fixes.

Backward incompatible changes:

• If you are using the FTP service behind HAProxy you must also enable the proxy protocol for data connections.