Pritunl Zero v1.0.3444.47

Pritunl Zero v1.0.3444.47 has been released. This release adds a new command line interface for configuring the server. All resources in the web console now have paging with a condensed view for handling larger configurations. Additionally, the web server on port 80 that redirects requests to HTTPS and answers Let's Encrypt certificate validation has been isolated in a non-root systemd service with namespace isolation for improved protection from RCE exploits. The Pritunl Zero homepage has also been redesigned.

Command Line Interface

New commands have been added to fully configure and automate a Pritunl Zero configuration from the CLI. Below is an example of the commands used to configure a new Pritunl Zero installation with a web service and a Let's Encrypt certificate. The upsert commands are idempotent: they can be run multiple times and will produce the same result, either creating the resource or updating the existing resource with the matching name.

# Backend web service that Pritunl Zero will proxy and authenticate
sudo pritunl-zero upsert service --name=coder --type=http --role=coder --domain="$CODER_DOMAIN" --server="http://127.0.0.1:8000" --share-session=true --websockets=true
# Cloudflare API token used for the ACME DNS challenge
sudo pritunl-zero upsert secret --name=pritunl-dns --type=cloudflare --cloudflare-token="$CLOUDFLARE_SECRET"
# Let's Encrypt certificate covering both domains, validated over DNS
sudo pritunl-zero upsert certificate --name=pritunl-cert --type=lets_encrypt --acme-domain="$ZERO_DOMAIN" --acme-domain="$CODER_DOMAIN" --acme-type=dns --acme-api=cloudflare --acme-secret=pritunl-dns
# This node runs both the management console and the proxy
sudo pritunl-zero upsert node --name=self --management=true --proxy=true --management-domain="$ZERO_DOMAIN" --webauthn-domain="$ROOT_DOMAIN" --add-certificate=pritunl-cert --add-service=coder
# Policy granting the coder role access to the coder service
sudo pritunl-zero upsert policy --name=pritunl-zero --role=coder --add-service=coder
sudo pritunl-zero upsert user --name=pritunl --role=coder
# Retrieve the default administrator password
sudo pritunl-zero default-password

Authenticated Web VSCode Tutorial

A tutorial for an authenticated web VSCode server has been added to the documentation. It uses the new CLI to automate the installation of a Coder VSCode Server running behind a Pritunl Zero server, providing a self-hosted, authenticated VSCode in the browser.

Paging For All Resources

All resources now have a condensed view with paging and filters to make handling large configurations easier. Other components of the web console, such as the node services, have also been improved to handle larger configurations.

Isolated Redirect Web Server

The port 80 web server in Pritunl Zero is only used to redirect requests to HTTPS and to complete Let's Encrypt HTTP verifications. This server has been isolated into the pritunl-zero-redirect.service to provide better protection from RCE exploits. This includes network namespace isolation, which prevents the redirect web server process from reaching the core web server running on port 443. Port 80 is bound through pritunl-zero-redirect.socket and the listening socket is handed to the redirect service, so that port is the only network endpoint exposed to the redirect server. Let's Encrypt verification tokens are sent to the redirect server from the root process through a web request using HMAC-SHA512 + NaCl authorization and encryption, so the redirect server needs no filesystem or database access.
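As an added illustration of the split described above, not the unit files shipped by Pritunl Zero, here is a socket-activated systemd pair in which systemd binds port 80 itself and passes the listening socket to a service running as an unprivileged user in its own empty network namespace. The binary path and the hardening directives beyond PrivateNetwork are assumptions chosen to match the properties the text describes.

```ini
# --- pritunl-zero-redirect.socket (illustrative) ---
[Unit]
Description=Port 80 listener handed to the sandboxed redirect server

[Socket]
# systemd (as root) binds the only port the redirect server may ever use.
ListenStream=0.0.0.0:80
ListenStream=[::]:80
# A .socket unit activates the .service of the same name by default.

[Install]
WantedBy=sockets.target

# --- pritunl-zero-redirect.service (illustrative) ---
[Unit]
Description=Pritunl Zero HTTPS redirect and ACME HTTP-01 responder
Requires=pritunl-zero-redirect.socket
After=pritunl-zero-redirect.socket

[Service]
# Hypothetical binary path; the real one is an assumption here.
ExecStart=/usr/bin/pritunl-zero-redirect
# Transient unprivileged account, created fresh on every start.
DynamicUser=yes
# Own network namespace: no loopback to port 443, no outbound connections.
# Connections still arrive on the inherited, pre-bound port 80 socket.
PrivateNetwork=yes
RestrictAddressFamilies=AF_INET AF_INET6
# Tokens arrive over an authenticated request, so no filesystem is needed.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
# Drop every capability; the privileged bind already happened in systemd.
CapabilityBoundingSet=
NoNewPrivileges=yes
MemoryDenyWriteExecute=yes
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
Restart=on-failure
```

Verify the namespace split with `systemd-run --property=PrivateNetwork=yes` or `systemctl show pritunl-zero-redirect.service -p PrivateNetwork` and by confirming from inside the service that a connection to 127.0.0.1:443 is refused while port 80 still answers.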

Home Page Redesign

The Pritunl Zero homepage has been redesigned with a more modern design and more information about the available features.