- 🎨 Applied full cyber dark theme with neon headers and panel styling
- 🧩 Reorganized sections for better readability and navigation
- 📘 Added upgraded formatting for diagnostic, monitoring, and deployment areas
- 🧱 Improved visual consistency across examples, tables, and code blocks
- ✨ Updated badges and layout for a cleaner top section
- 📏 Corrected documented image size to 17.1 MB
- 🖼️ Updated all image references to r3bo0tbx1/onion-relay
- 🗂️ Standardized image naming across templates
- 🔐 Added security and privacy notes to the Code of Conduct
- 📚 Synced configuration notes for the v1.1.1 release
🚀 Major architectural release with a near full rewrite of the entrypoint, validation system, diagnostics, and templates. The image is now ~20MB, fully busybox based, more secure, and more flexible for relay and bridge operators.
🔧 Critical Fixes
- Busybox compatible rewrite of OBFS4V_* parsing for values with spaces.
- Rewritten TOR_CONTACT_INFO validation to prevent crash loops.
- Restored bootstrap logs with Log notice stdout.
- Fixed ENV healthchecks and validation order.
- Resolved busybox regex and quoting issues across the script.
✨ Features and Enhancements
- Added PT_PORT with complete obfs4 bridge compatibility.
- Support for OR_PORT, PT_PORT, EMAIL, and NICKNAME.
- Rewritten bandwidth logic with correct Rate and Burst translation.
- Unified guard, exit, and bridge via TOR_RELAY_MODE.
- Integrated obfs4 with rewritten diagnostics for status, health, fingerprint, and bridge-line.
- Reliable ENV only mode without torrc files.
📦 Build Improvements
- Image reduced ~45MB to ~20MB with busybox only tools.
- Rewritten healthcheck for ENV and mounted configs.
- Four diagnostic tools rewritten to pure busybox sh.
- Weekly rebuilds with latest Alpine and Tor.
📚 Templates and Documentation
- All templates rewritten and updated with bandwidth options and naming alternatives.
- Updated Cosmos and Docker Compose templates for bridge, guard, exit.
- New templates README with full deployment, migration, and config comparisons.
- Revised Claude file with clearer differences and bandwidth notes.
🔒 Security Hardening
- 32 vulnerabilities fixed across critical, high, medium, low categories.
- Non root runtime with UID 100.
- Strict OBFS4V_* whitelist and rewritten validation.
- No exposed diagnostics ports, docker exec only.
- Smaller attack surface with removed binaries.
🚀 Migration Notes
- From v1.1.0: direct upgrade, no config changes, fingerprint preserved.
- From official obfs4 bridge: one time UID fix required, full ENV compatibility afterward.
- Templates include both TOR_ and official naming for smooth migration.
🧩 Compatibility
- Alpine 3.22.2 base, latest Tor from edge.
- AMD64 and ARM64 supported.
- Works with Docker, Compose, Cosmos Cloud, Portainer.
Bumped version to v1.1.0 across all project files.
🏗️ Infrastructure & Templates:
- 🐳 Docker Compose: Enhanced security, added persistent volume support.
- 📋 Cosmos templates: Updated with new environment variable defaults.
🛠️ Scripts:
- dashboard.sh: Implemented API token authentication, improved error handling, and added a notification UI.
- fingerprint.sh: Refactored for clearer output formatting, robust validation, and a comprehensive help message.
✨ General:
- Improved configuration management, health checks, and monitoring integration.
- Fixed “sh: bad number” errors in status output
- Compact single-line stats in view-logs
- Improved numeric parsing and input sanitization
- Unified timestamp format and safer defaults
- Skip workflow file validation in validate.yml (complex format)
- Fix all line length issues in both workflows
- Remove trailing spaces
- Add newline at end of files
- Shorten long labels to fit 80 character limit
- Consolidated CI into one efficient pipeline
- Unified tag handling for GHCR and Docker Hub
- Added weekly + manual release triggers
- Hardened dos2unix normalization pre-build
- Cleaner YAML and quieter logs
BREAKING CHANGE: Internal services now bind exclusively to 127.0.0.1 by default.
This release introduces strict network boundary enforcement and build-level hardening
to improve both runtime security and CI/CD compliance.
Port Security Model:
- Public: 9001 (ORPort), 9030 (DirPort)
- Internal: 9035+ (metrics, health, dashboard) - localhost-only
Security Enhancements:
- Enforces localhost binding for all internal services
- Prevents unauthorized external access to internal endpoints
- Adds reverse proxy, SSH tunnel, and VPN access guidance
- Integrates automated port security validation in diagnostic tools
- Includes comprehensive migration instructions for existing deployments
Build Improvements:
- Dockerfile hardened with strict shell mode (set -euo pipefail)
- Fixed lint warnings: DL3018, DL3059, SC2010, DL4006
- Ensures reproducible builds and cleaner CI validation
- No functional runtime changes beyond improved reliability
File Updates:
- CHANGELOG.md: Version entries updated to v1.0.2
- README.md: Deployment examples and version references aligned
- SECURITY.md: Expanded with port access policy and network architecture
- relay-status.sh: Added port binding validation (v1.0.2)
- integration-check.sh: Added version and port validation phases (v1.0.2)
- Dockerfile: Hardened, lint-compliant, and security aligned
Migration Required:
If external access to metrics or health endpoints is required,
configure a reverse proxy with authentication, SSH tunneling, or VPN routing.
See SECURITY.md for implementation details.
Version: 1.0.2
BREAKING CHANGE: Internal services now bind exclusively to 127.0.0.1 by default.
This release introduces strict network boundary enforcement and build-level hardening
to improve both runtime security and CI/CD compliance.
Port Security Model:
- Public: 9001 (ORPort), 9030 (DirPort)
- Internal: 9035+ (metrics, health, dashboard) - localhost-only
Security Enhancements:
- Enforces localhost binding for all internal services
- Prevents unauthorized external access to internal endpoints
- Adds reverse proxy, SSH tunnel, and VPN access guidance
- Integrates automated port security validation in diagnostic tools
- Includes comprehensive migration instructions for existing deployments
Build Improvements:
- Dockerfile hardened with strict shell mode (set -euo pipefail)
- Fixed lint warnings: DL3018, DL3059, SC2010, DL4006
- Ensures reproducible builds and cleaner CI validation
- No functional runtime changes beyond improved reliability
File Updates:
- CHANGELOG.md: Version entries updated to v1.0.2
- README.md: Deployment examples and version references aligned
- SECURITY.md: Expanded with port access policy and network architecture
- relay-status.sh: Added port binding validation (v1.0.2)
- integration-check.sh: Added version and port validation phases (v1.0.2)
- Dockerfile: Hardened, lint-compliant, and security aligned
Migration Required:
If external access to metrics or health endpoints is required,
configure a reverse proxy with authentication, SSH tunneling, or VPN routing.
See SECURITY.md for implementation details.
Version: 1.0.2
BREAKING CHANGE: Internal services now bind exclusively to 127.0.0.1 by default.
This release introduces strict network boundary enforcement and build-level hardening
to improve both runtime security and CI/CD compliance.
Port Security Model:
- Public: 9001 (ORPort), 9030 (DirPort)
- Internal: 9035+ (metrics, health, dashboard) - localhost-only
Security Enhancements:
- Enforces localhost binding for all internal services
- Prevents unauthorized external access to internal endpoints
- Adds reverse proxy, SSH tunnel, and VPN access guidance
- Integrates automated port security validation in diagnostic tools
- Includes comprehensive migration instructions for existing deployments
Build Improvements:
- Dockerfile hardened with strict shell mode (set -euo pipefail)
- Fixed lint warnings: DL3018, DL3059, SC2010, DL4006
- Ensures reproducible builds and cleaner CI validation
- No functional runtime changes beyond improved reliability
File Updates:
- CHANGELOG.md: Version entries updated to v1.0.2
- README.md: Deployment examples and version references aligned
- SECURITY.md: Expanded with port access policy and network architecture
- relay-status.sh: Added port binding validation (v1.0.2)
- integration-check.sh: Added version and port validation phases (v1.0.2)
- Dockerfile: Hardened, lint-compliant, and security aligned
Migration Required:
If external access to metrics or health endpoints is required,
configure a reverse proxy with authentication, SSH tunneling, or VPN routing.
See SECURITY.md for implementation details.
Version: 1.0.2
This commit finalizes the v1.0.2 release with a fully lint-compliant Dockerfile.
Changes:
- Dockerfile: strict shell mode with pipefail
- Dockerfile: resolved DL3018, DL3059, SC2010, DL4006 warnings
- Dockerfile: merged original features with compliance improvements
No functional or runtime changes, only build and CI reliability enhancements.
Version: 1.0.2
