This release introduces powerful new firewall capabilities, SFTP access, and significant operational improvements including zero-downtime configuration reloads. Administrators gain highly granular control over traffic with per-API and per-key rate limiting, while new Prometheus metrics provide deep visibility into system performance. Please note this version includes several breaking changes, including a redesigned configuration file and mandatory license validation, which require user action upon upgrading.

### ❗ Breaking Changes

*   **Product Rebrand and Configuration Redesign**: The `minlb` load balancer has been rebranded to `minwall`. This update introduces a completely redesigned configuration file format that is not backward-compatible.
    *   **Action Required**: Migrate existing configurations to the new, more structured `minwall` schema and use the new `minwall` binary. (#11, #28, #30)
*   **Mandatory License Validation**: The application now requires a valid MinIO license to start. The service will not run without a license file or a license key provided via the `MINIO_LICENSE` environment variable.
    *   **Action Required**: Obtain a valid license and provide it at startup using the `--license <path>` flag or the `MINIO_LICENSE` environment variable. (#47, #73)
*   **Container Image Repository Change**: Container images are now published to `registry.min.dev/enterprise/minwall`, and the base OS has been upgraded to UBI 9. The previous `quay.io` repository is no longer updated.
    *   **Action Required**: Update all deployment scripts and CI/CD pipelines to pull images from the new `registry.min.dev` repository. (#61)
*   **Software License Change**: The software license has been changed from GNU AGPL v3 to a proprietary license.
    *   **Action Required**: Review the new license terms to ensure compliance. (#64)
*   **Default Port Change**: The default listening port has been changed from `8080` to `8000`.
    *   **Action Required**: Update client configurations or explicitly set the listener address to `":8080"` to retain the previous behavior. (#23)
*   **Firewall Rule Configuration Updates**:
    *   API names in firewall rules must now be prefixed with `s3.` (e.g., `s3.GetObject`). (#48)
    *   The configuration for per-API and per-access-key rate limits has a new structure. (#6, #27)
    *   The format for defining firewall rules has been updated to support object prefixes and explicit `deny` actions. (#33)
    *   **Action Required**: Update all firewall and rate-limiting rules in your configuration file to match the new schema and naming conventions.
*   **Client-Side TLS (mTLS) Support Removed**: The application no longer supports presenting a client certificate for mTLS authentication to upstream services. Configuration options for client certificates are now ignored. (#56)
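
A pre-upgrade audit for the breaking changes above, added here as an example (it is not MinIO tooling): it scans deployment text for the old registry, the old binary name, port `8080` and API names missing the `s3.` prefix, and checks that a license source is configured. The sample files, the `quay.io/example/...` image path and the rule lines are constructed for illustration and do not reflect the actual `minwall` schema.

```python
import re

# Sample of S3 API names, used only to spot un-prefixed entries (not a full list).
S3_APIS = ("GetObjectAttributes", "GetObject", "PutObject", "DeleteObject", "ListObjects")

# (check id, pattern, advice taken from the release notes)
CHECKS = [
    ("image-registry", re.compile(r"\bquay\.io/"),
     "pull images from registry.min.dev/enterprise/minwall"),
    ("old-binary", re.compile(r"\bminlb\b"),
     "use the minwall binary and migrate to the new config schema"),
    ("old-port", re.compile(r":8080\b"),
     "default port is now 8000; 8080 needs an explicit listener address"),
    # Negative lookbehind skips names already written as s3.<Name>.
    ("api-prefix", re.compile(r"(?<![\w.])(?:%s)\b" % "|".join(S3_APIS)),
     "prefix API names in firewall rules with s3."),
]

def audit(files):
    """files maps filename -> text; returns (file, line, check, advice) findings."""
    findings = []
    for name, text in files.items():
        for no, line in enumerate(text.splitlines(), 1):
            for check, pattern, advice in CHECKS:
                if pattern.search(line):
                    findings.append((name, no, check, advice))
    # The service will not start without a license from one of these sources.
    if not any("MINIO_LICENSE" in t or "--license" in t for t in files.values()):
        findings.append(("*", 0, "license",
                         "provide --license <path> or MINIO_LICENSE at startup"))
    return findings

# Constructed sample input (hypothetical file names and contents).
SAMPLE = {
    "docker-compose.yml": (
        "services:\n"
        "  lb:\n"
        "    image: quay.io/example/minlb:latest\n"
        "    ports:\n"
        '      - "8080:8080"\n'
    ),
    "rules.txt": "allow GetObject on bucket-a\nallow s3.PutObject on bucket-a\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("%s:%d [%s] %s" % finding)
```

The scan is a text heuristic: a `:8080` hit may be an intentional explicit listener address, so treat findings as items to review rather than errors.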

### ✨ New Features

*   **SFTP Protocol Access**: Access and manage storage using standard SFTP clients. This initial integration supports uploading, downloading, listing, and deleting files and directories. (#25, #31)
*   **Automatic TLS with Let's Encrypt**: Automatically obtain and renew TLS certificates using the Let's Encrypt DNS-01 challenge. The initial implementation supports Cloudflare as a DNS provider, simplifying HTTPS setup and maintenance. (#55)
*   **Support for `GetObjectAttributes` API**: Retrieve object metadata, ETag, checksums, and multipart details in a single, efficient API call, reducing latency compared to multiple requests. (#66)
*   **Expanded License Plan Support**: The application now supports `ENTERPRISE-LITE` and `ENTERPRISE-PLUS` license plans. (#72)

### 🚀 Improvements

*   **Granular Rate Limiting and Firewall Rules**:
    *   Configure distinct rate limits for specific API methods (e.g., `GET`, `PUT`, `LIST`). (#6)
    *   Enforce request rate limits on a per-access-key basis to ensure fair usage. (#27)
    *   Define firewall rules based on object prefixes and specific S3 API actions for finer access control. (#33)
    *   Apply rate limits to operations originating from the MinIO Console and use wildcards in bucket names for simpler rule management. (#38)
*   **Zero-Downtime Configuration Reloads**:
    *   Dynamically apply changes to TLS certificates, backend server endpoints, and health check settings without requiring a service restart, increasing availability. (#2, #16, #13)
*   **Enhanced Observability and Diagnostics**:
    *   Gain detailed insight into rate-limiting behavior with new Prometheus metrics for configured limits and real-time usage. (#20)
    *   Trace requests from `minwall` components more easily in backend logs via a detailed `User-Agent` header. (#77)
    *   Receive structured XML error messages for `502 Bad Gateway` responses, improving automated error handling. (#22)
*   **Improved Load Balancing**:
    *   Distribute traffic more evenly with a 'least connections' load balancing algorithm, replacing the previous random selection method. (#80)
    *   Set a request `affinity` for local backends to prevent a single node from being overloaded. (#80)
*   **Operational and UX Enhancements**:
    *   Natively build and publish multi-architecture container images (AMD64, ARM64) for improved performance on diverse hardware. (#60)
    *   Automatically redirect users from the root URL to the MinIO Console in a web browser for a more seamless user experience. (#12)
    *   The license grace period after expiration has been reduced from 60 to 30 days. (#53)

### 🐛 Bug Fixes

*   **Service Stability**:
    *   Resolved critical issues that could cause the service to crash during configuration reloads, particularly when updating throttling rules. (#18, #35, #41)
    *   Fixed a panic that occurred when processing requests that did not have a corresponding throttling rule. (#29, #76)
    *   Eliminated startup crashes when TLS or SFTP configurations were not present. (#4, #26)
*   **Rule and Policy Enforcement**:
    *   Ensured that firewall rules for entire buckets are correctly applied to all objects within them and that prefix-based rules are properly enforced for `ListObjects` calls. (#81)
    *   Corrected an issue where throttling rules with wildcards were not applied consistently. (#51)
    *   Policies for `s3.DeleteObject` are now correctly enforced for deletions initiated from the web console. (#52)
*   **Configuration and Metrics**:
    *   Configuration reloads now correctly detect and apply the addition or removal of bucket limit rules. (#34)
    *   Resolved an issue causing incorrect transmit (Tx) bandwidth values to be reported in throttling metrics. (#46)
    *   Enhanced startup validation to prevent runtime errors from invalid or incomplete configuration files. (#69)

### 🔒 Security Updates

*   **Improved Web Console Security**: Anonymous access and prefix-deny firewall rules are now correctly enforced for all web console requests. (#41)
*   **Dependency Updates**: Internal dependencies have been updated to address potential HTTP/2 vulnerabilities and improve resilience against denial-of-service (DoS) attacks. (#62)