Founder
Firezone 0.5.0 Released!
As the first post on our new blog, we thought it'd be fitting to kick things off with a release announcement. So without further ado, we're excited to announce: Firezone 0.5.0 is here! It's packed with new features, bug fixes, and other improvements — more on that below.
User-scoped egress rules
Rules can now optionally receive a user scope, limiting the rule's application only to devices owned by that user. This allows you to selectively allow or deny traffic from a particular user to an IP, set of IPs, or CIDR range.
Auto-renewed, ECDSA-backed, ACME-powered SSL certificates
One of our most-requested features is now available — Firezone 0.5.0 supports ACME SSL certificate renewal backed by Let's Encrypt's new ECDSA key type. Other providers and key types are available too. See all ACME configuration options in our configuration file reference.
Note: ACME is disabled by default to remain compatible with existing Firezone installations. To enable, set the following in your config file:
default['firezone']['ssl']['acme']['enabled'] = true
BYORP: Bring Your Own Reverse Proxy
Want to disable Nginx and deploy Firezone under your own reverse proxy or HTTP load balancer? Well, now you can! We've documented the required headers and other configuration necessary to make this happen. Check the docs for some configuration examples for popular proxies. In short:
Set the default['firezone']['phoenix']['external_trusted_proxies']
configuration variable to a comma-separated list containing the proxies you'd
like to receive forwarded requests from. If your proxy uses an
RFC1918 address, add its IP to
default['firezone']['phoenix']['private_clients']
instead of
default['firezone']['phoenix']['external_trusted_proxies']
. Update your
proxy's configuration to point to Firezone, making sure to set the
X-Forwarded-For
header and enable WebSocket connection upgrades.
Note: ACME support is tied to Nginx. If you disable the bundled Firezone Nginx service, you'll need to provide your own SSL certificates (or configure ACME renewal manually).
Additional note: If you go this route, you'll need to terminate SSL yourself. Firezone sets the secure attribute on all cookies and thus requires the downstream proxy to terminate SSL.
Runtime configuration available in the UI
Some Firezone configuration settings are now configurable in the product UI under the Security settings. This will override anything you have set in the config file. Moving runtime configuration into the application itself brings us a step closer to Docker-based deployments (coming Soon™).
New and improved documentation
Our docs have been migrated from Jekyll to Docusaurus. Aside from all the Formatting is improved, user guides are updated and many pages have been edited for clarify and further detail. As an added bonus, our docs are feature improved search thanks to the powerful search functionality provided by DocSearch by Algolia. Contributions welcome!
Red Hat and Debian package repositories
If you're on one of our supported distros (or its derivatives), the one-line install script will automatically install Firezone from our package repository and track further updates from there. This means your Firezone installation can be managed like any other package on your system and will be marked for upgrades by the same apt and yum tools you're already familiar with. Be sure to check the upgrade notes prior to each upgrade in case there are any backwards-incompatible changes or manual steps involved.
If you've got an existing installation and still want to add our package repository for easier package management, just follow the relevant section in the manual install guide.
Smaller package sizes
Speaking of packages, we've done a bit of work reducing the size of our Omnibus release package. The Nodejs, Python, Erlang, and Elixir runtimes have all been removed, reducing the package size by 50% and total installed size by even more. There's still lots of work to be done to be done here — we expect package sizes to be reduced even further moving forward.
Custom landing page logo
In the first round of what we hope to be the start of a full-featured customization experience, it's now possible to change the landing page logo. Upload an image up to 1 MB or specify a URL to an image your end users will see when landing at your Firezone portal.
Conclusion
That's all we've got for now. If you'd like to spin up Firezone to try it out, head to the deploy guide in our docs.