
Changelog History

  • v0.11.2 Changes

    November 29, 2017

    Added

    Plugins
    • key-auth: New endpoints to manipulate API keys. Thanks @hbagdi for the contribution. #2955
      • /key-auths/ to paginate through all keys.
      • /key-auths/:credential_key_or_id/consumer to retrieve the Consumer associated with a key.
    • basic-auth: New endpoints to manipulate basic-auth credentials. Thanks @hbagdi for the contribution. #2998
      • /basic-auths/ to paginate through all basic-auth credentials.
      • /basic-auths/:credential_username_or_id/consumer to retrieve the Consumer associated with a credential.
    • jwt: New endpoints to manipulate JWTs. Thanks @hbagdi for the contribution. #3003
      • /jwts/ to paginate through all JWTs.
      • /jwts/:jwt_key_or_id/consumer to retrieve the Consumer associated with a JWT.
    • hmac-auth: New endpoints to manipulate hmac-auth credentials. Thanks @hbagdi for the contribution. #3009
      • /hmac-auths/ to paginate through all hmac-auth credentials.
      • /hmac-auths/:hmac_username_or_id/consumer to retrieve the Consumer associated with a credential.
    • acl: New endpoints to manipulate ACLs. Thanks @hbagdi for the contribution. #3039
      • /acls/ to paginate through all ACLs.
      • /acls/:acl_id/consumer to retrieve the Consumer associated with an ACL.

    Fixed

    Core
    • Avoid logging some harmless error messages related to clustering. #3002
    • Improve performance and memory footprint when parsing multipart request bodies. Kong/lua-multipart#13
    Configuration
    • Add a format check for the admin_listen_ssl property, ensuring it contains a valid port. #3031
    Admin API
    • PUT requests with payloads containing non-existing primary keys for entities now return HTTP 404 Not Found, instead of HTTP 200 OK without a response body. #3007
    • On the / endpoint, ensure enabled_in_cluster shows up as an empty JSON Array ([]), instead of an empty JSON Object ({}). Thanks @hbagdi for the patch! #2982
    Plugins
    • hmac-auth: Better parsing of the Authorization header to avoid internal errors resulting in HTTP 500. Thanks @mvanholsteijn for the patch! #2996
    • Improve the performance of the rate-limiting and response-rate-limiting plugins when using the Redis policy. #2956
    • Improve the performance of the response-transformer plugin. #2977
  • v0.11.1 Changes

    October 24, 2017

    Changed

    Configuration
    • Drop the lua_code_cache configuration property. This setting has been considered harmful since 0.11.0 as it interferes with Kong's internals. #2854

    Fixed

    Core
    • DNS: SRV records pointing to an A record are now properly handled by the load balancer when preserve_host is disabled. Such records used to throw Lua errors on the proxy code path. Kong/lua-resty-dns-client#19
    • Fixed an edge-case where preserve_host would sometimes craft an upstream request with a Host header from a previous client request instead of the current one. #2832
    • Ensure APIs with regex URIs are evaluated in the order that they are created. #2924
    • Fixed a typo that caused the load balancing components to ignore the Upstream slots property. #2747
    CLI
    • Fixed the verification of self-signed SSL certificates for PostgreSQL and Cassandra in the kong migrations command. Self-signed SSL certificates are now properly verified during migrations according to the lua_ssl_trusted_certificate configuration property. #2908
    Admin API
    • The /upstream/{upstream}/targets/active endpoint used to return HTTP 405 Method Not Allowed when called with a trailing slash. Both notations (with and without the trailing slash) are now supported. #2884
    Plugins
    • bot-detection: Fixed an issue which would prevent the plugin from running and result in an HTTP 500 error if configured globally. #2906
    • ip-restriction: Fixed support for the 0.0.0.0/0 CIDR block. This block is now supported and won't trigger an error when used in the whitelist or blacklist properties. #2918

    Added

    Plugins
    • aws-lambda: Added support to forward the client request's HTTP method, headers, URI, and body to the Lambda function. #2823
    • key-auth: New run_on_preflight configuration option to control authentication on preflight requests. #2857
    • jwt: New run_on_preflight configuration option to control authentication on preflight requests. #2857
    Plugin development
    • Ensure migrations have valid, unique names to avoid conflicts between custom plugins. Thanks @ikogan for the patch! #2821

    Improved

    Migrations & Deployments
    • Improve migrations reliability for future major releases. #2869
    Plugins
    • Improve the performance of the acl and oauth2 plugins. #2736 #2806


  • v0.11.0 Changes

    August 16, 2017

    The latest and greatest version of Kong features improvements all over the board for a better and easier integration with your infrastructure!

    The highlights of this release are:

    • Support for regex URIs in routing, one of the oldest requested features from the community.
    • Support for HTTP/2 traffic from your clients.
    • Kong does not depend on Serf anymore, which makes deployment and networking requirements considerably simpler.
    • A better integration with orchestration tools thanks to the support for non FQDNs in Kong's DNS resolver.

    As per usual, our major releases include datastore migrations which are considered breaking changes. Additionally, this release contains numerous breaking changes to the deployment process and proxying behavior that you should be familiar with.

    We strongly advise that you read this changeset thoroughly, as well as the 0.11 Upgrade Path if you are planning to upgrade a Kong cluster.

    Breaking changes

    Configuration
    • :warning: Numerous updates were made to the Nginx configuration template. If you are using a custom template, you must apply those modifications. See the 0.11 Upgrade Path for a complete list of changes to apply.
    Migrations & Deployment
    • :warning: Migrations are not executed automatically by kong start anymore. Migrations are now a manual process, which must be executed via the kong migrations command. In practice, this means that you have to run kong migrations up [-c kong.conf] in one of your nodes before starting your Kong nodes. This command should be run from a single node/container to avoid several nodes running migrations concurrently and potentially corrupting your database. Once the migrations are up-to-date, it is considered safe to start multiple Kong nodes concurrently. #2421
    • :warning: :fireworks: Serf is not a dependency anymore. Kong nodes now handle cache invalidation events via a built-in database polling mechanism. See the new "Datastore Cache" section of the configuration file which contains 3 new documented properties: db_update_frequency, db_update_propagation, and db_cache_ttl. If you are using Cassandra, you should pay particular attention to the db_update_propagation setting, as you should not use the default value of 0. #2561
    Core
    • :warning: Kong now requires OpenResty 1.11.2.4. OpenResty's LuaJIT can now be built with Lua 5.2 compatibility. #2489 #2790
    • :warning: Previously, the X-Forwarded-* and X-Real-IP headers were trusted from any client by default, and forwarded upstream. With the introduction of the new trusted_ips property (see the below "Added" section) and to enforce best security practices, Kong does not trust any client IP address by default anymore. This will make Kong not forward incoming X-Forwarded-* headers if not coming from configured, trusted IP address blocks. This setting also affects the API check_https field, which itself relies on trusted X-Forwarded-Proto headers only. #2236
    • :warning: The API Object property http_if_terminated is now set to false by default. For Kong to evaluate the client X-Forwarded-Proto header, you must now configure Kong to trust the client IP (see above change), and you must explicitly set this value to true. This affects you if you are doing SSL termination somewhere before your requests hit Kong, and if you have configured https_only on the API, or if you use a plugin that requires HTTPS traffic (e.g. OAuth2). #2588
    • :warning: The internal DNS resolver now honours the search and ndots configuration options of your resolv.conf file. Make sure that DNS resolution is still consistent in your environment, and consider eventually not using FQDNs anymore. #2425
    Admin API
    • :warning: As a result of the Serf removal, Kong is now entirely stateless, and as such, the /cluster endpoint has disappeared. #2561
    • :warning: The Admin API /status endpoint does not return a count of the database entities anymore. Instead, it now returns a database.reachable boolean value, which reflects the state of the connection between Kong and the underlying database. Please note that this flag does not reflect the health of the database itself. #2567
    Plugin development
    • :warning: The upstream URI is now determined via the Nginx $upstream_uri variable. Custom plugins using the ngx.req.set_uri() API will not be taken into consideration anymore. One must now set the ngx.var.upstream_uri variable from the Lua land. #2519
    • :warning: The hooks.lua module for custom plugins is dropped, along with the database_cache.lua module. Database entities caching and eviction has been greatly improved to simplify and automate most caching use-cases. See the Plugins Development Guide and the 0.11 Upgrade Path for more details. #2561
    • :warning: To ensure that the order of execution of plugins is still the same for vanilla Kong installations, we had to update the PRIORITY field of some of our bundled plugins. If your custom plugin must run after or before a specific bundled plugin, you might have to update your plugin's PRIORITY field as well. The complete list of plugins and their priorities is available on the Plugins Development Guide. #2489 #2813

    Deprecated

    CLI
    • The kong compile command has been deprecated. Instead, prefer using the new kong prepare command. #2706

    Changed

    Core
    • 🐎 Performance around DNS resolution has been greatly improved in some cases. #2625
    • Secret values are now generated with a kernel-level, Cryptographically Secure PRNG. #2536
    • The .kong_env file created by Kong in its running prefix is now written without world-read permissions. #2611
    Plugin development
    • The marshall_event function on schemas is now ignored by Kong, and can be safely removed as the new cache invalidation mechanism natively handles safer events broadcasting. #2561

    Added

    Core
    • :fireworks: Support for regex URIs! You can now define regexes in your APIs' uris property. Those regexes can have capturing groups which can be extracted by Kong during a request, and accessed later in the plugins (useful for URI rewriting). See the Proxy Guide for documentation on how to use regex URIs. #2681
    • :fireworks: Support for HTTP/2. A new http2 directive now enables HTTP/2 traffic on the proxy_listen_ssl address. #2541
    • :fireworks: Support for the search and ndots configuration options of your resolv.conf file. #2425
    • Kong now forwards new headers to your upstream services: X-Forwarded-Host, X-Forwarded-Port, and X-Forwarded-Proto. #2236
    • Support for the PROXY protocol. If the new real_ip_header configuration property is set to real_ip_header = proxy_protocol, then Kong will append the proxy_protocol parameter to the Nginx listen directive of the Kong proxy port. #2236
    • Support for BDR compatibility in the PostgreSQL migrations. Thanks @AlexBloor for the patch! #2672
    Configuration
    • Support for DNS nameservers specified in IPv6 format. #2634
    • A few new DNS configuration properties allow you to tweak the Kong DNS resolver, and in particular, how it handles the resolution of different record types or the eviction of stale records. #2625
    • A new trusted_ips configuration property allows you to define a list of trusted IP address blocks that are known to send trusted X-Forwarded-* headers. Requests from trusted IPs will make Kong forward those headers upstream. Requests from non-trusted IP addresses will make Kong override the X-Forwarded-* headers with its own values. In addition, this property also sets the ngx_http_realip_module set_real_ip_from directive(s), which makes Kong trust the incoming X-Real-IP header as well, which is used for operations such as rate-limiting by IP address, and that Kong forwards upstream as well. #2236
    • You can now configure the ngx_http_realip_module from the Kong configuration. In addition to trusted_ips which sets the set_real_ip_from directive(s), two new properties, real_ip_header and real_ip_recursive allow you to configure the ngx_http_realip_module directives bearing the same name. #2236
    • Ability to hide Kong-specific response headers. Two new configuration fields: server_tokens and latency_tokens will respectively toggle whether the Server and X-Kong-*-Latency headers should be sent to downstream clients. #2259
    • New configuration property to tune handling request body data via the client_max_body_size and client_body_buffer_size directives (mirroring their Nginx counterparts). Note these settings are only defined for proxy requests; request body handling in the Admin API remains unchanged. #2602
    • New error_default_type configuration property. This setting is to specify a MIME type that will be used as the error response body format when Nginx encounters an error, but no Accept header was present in the request. The default value is text/plain for backwards compatibility. Thanks @therealgambo for the contribution! #2500
    • New nginx_user configuration property, which interfaces with the Nginx user directive. Thanks @depay for the contribution! #2180
    CLI
    • New kong prepare command to prepare the Kong running prefix (creating log files, SSL certificates, etc...) and allow for Kong to be started via the nginx binary. This is useful for environments like containers, where the foreground process should be the Nginx master process. The kong compile command has been deprecated as a result of this addition. #2706
    Admin API
    • Ability to retrieve plugins added to a Consumer via two new endpoints: /consumers/:username_or_id/plugins/ and /consumers/:username_or_id/plugins/:plugin_id. #2714
    • Support for JSON null in PATCH requests to unset a value on any entity. #2700
    Plugins
    • jwt: Support for RS512 signed tokens. Thanks @sarraz1 for the patch! #2666
    • rate-limiting/response-ratelimiting: Optionally hide informative response headers. #2087
    • aws-lambda: Define a custom response status when the upstream X-Amz-Function-Error header is "Unhandled". Thanks @erran for the contribution! #2587
    • aws-lambda: Add new AWS regions that were previously unsupported. #2769
    • hmac: New option to validate the client-provided SHA-256 of the request body. Thanks @vaibhavatul47 for the contribution! #2419
    • hmac: Added support for enforce_headers option and added HMAC-SHA256, HMAC-SHA384, and HMAC-SHA512 support. #2644
    • statsd: New metrics and more flexible configuration. Support for prefixes, configurable stat type, and added metrics. #2400
    • datadog: New metrics and more flexible configuration. Support for prefixes, configurable stat type, and added metrics. #2394

    Fixed

    Core
    • Kong now ensures that your clients' URIs are transparently proxied upstream. No percent-encoding/decoding or querystring stripping will occur anymore. #2519
    • Fix an issue where Kong would match an API with a shorter URI (from its uris value) as a prefix instead of a longer, matching prefix from another API. #2662
    • Fix an edge-case where an API with multiple uris and strip_uri = true would not always strip the client URI. #2562
    • HTTP 400 errors thrown by Nginx are now correctly caught by Kong and return a native, Kong-friendly response. #2476
    Configuration
    • Octothorpes (#) can now be escaped (\#) and included in the Kong configuration values such as your datastore passwords or usernames. #2411
    Admin API
    • The data response field of the /upstreams/{upstream}/targets/active Admin API endpoint now returns a list ([]) instead of an object ({}) when no active targets are present. #2619
    Plugins
    • The unique constraint on OAuth2 client_secrets has been removed. #2447
    • The unique constraint on JWT Credentials secrets has been removed. #2548
    • oauth2: When requesting a token from /oauth2/token, one can now pass the client_id as a request body parameter, while client_id:client_secret is passed via the Authorization header. This allows for better integration with some OAuth2 flows proposed out there, such as from Cloudflare Apps. Thanks @cedum for the patch! #2577
    • datadog: Avoid a runtime error if the plugin is configured as a global plugin but the downstream request did not match any configured API. Thanks @kjsteuer for the fix! #2702
    • Logging plugins: the produced logs latencies.kong field used to omit the time Kong spent in its Load Balancing logic, which includes DNS resolution time. This latency is now included in latencies.kong. #2494
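
A minimal Python model of the trusted_ips and http_if_terminated behaviour described in the 0.11.0 notes above, added here as an illustration and not taken from Kong's code base. The function names, the header-dictionary shape and the sample addresses are assumptions; only X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Port are modelled.

```python
import ipaddress

# Headers the 0.11.0 notes name as forwarded upstream.
FORWARDED = ("X-Forwarded-Proto", "X-Forwarded-Host", "X-Forwarded-Port")


def parse_trusted_ips(value):
    """Parse a comma-separated list of CIDR blocks (the shape of trusted_ips)."""
    return [ipaddress.ip_network(part.strip(), strict=False)
            for part in value.split(",") if part.strip()]


def is_trusted(peer_ip, trusted):
    """True if the directly connected peer falls inside a trusted block."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr.version == net.version and addr in net for net in trusted)


def upstream_forwarded_headers(peer_ip, conn, incoming, trusted):
    """Return the X-Forwarded-{Proto,Host,Port} values sent upstream.

    conn holds what the proxy observed on its own listener. Headers from a
    trusted peer are forwarded; headers from any other peer are overridden
    with the proxy's own values.
    """
    own = {
        "X-Forwarded-Proto": conn["scheme"],
        "X-Forwarded-Host": conn["host"],
        "X-Forwarded-Port": str(conn["port"]),
    }
    if not is_trusted(peer_ip, trusted):
        return own
    return {name: incoming.get(name, own[name]) for name in FORWARDED}


def request_is_https(peer_ip, conn, incoming, trusted, http_if_terminated):
    """Model of an HTTPS-only check behind a TLS-terminating hop.

    X-Forwarded-Proto is only evaluated when the peer is trusted AND
    http_if_terminated is explicitly true (it defaults to false in 0.11.0).
    """
    if conn["scheme"] == "https":
        return True
    if not (http_if_terminated and is_trusted(peer_ip, trusted)):
        return False
    return incoming.get("X-Forwarded-Proto", "").lower() == "https"


# Constructed sample data (hypothetical addresses and hostnames).
TRUSTED = parse_trusted_ips("10.0.0.0/8, 192.168.1.0/24")
NO_TRUST = parse_trusted_ips("")  # models the 0.11.0 default: trust nobody
CONN = {"scheme": "http", "host": "api.example.test", "port": 8000}
CLAIMED = {
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "shop.example.test",
    "X-Forwarded-Port": "443",
}

if __name__ == "__main__":
    # 10.1.2.3 stands for a TLS-terminating load balancer, 203.0.113.7 for a
    # client that connects directly and supplies the same headers itself.
    for peer in ("10.1.2.3", "203.0.113.7"):
        print(peer,
              upstream_forwarded_headers(peer, CONN, CLAIMED, TRUSTED),
              request_is_https(peer, CONN, CLAIMED, TRUSTED, True))
```

With the empty default list, even the load balancer's headers are overridden, which is why an upgrade to 0.11.0 behind a TLS terminator needs both trusted_ips and http_if_terminated set.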


  • v0.10.4 Changes

    October 24, 2017

    Fixed

    Core
    • DNS: SRV records pointing to an A record are now properly handled by the load balancer when preserve_host is disabled. Such records used to throw Lua errors on the proxy code path. Kong/lua-resty-dns-client#19
    • HTTP 400 errors thrown by Nginx are now correctly caught by Kong and return a native, Kong-friendly response. #2476
    • Fix an edge-case where an API with multiple uris and strip_uri = true would not always strip the client URI. #2562
    • Fix an issue where Kong would match an API with a shorter URI (from its uris value) as a prefix instead of a longer, matching prefix from another API. #2662
    • Fixed a typo that caused the load balancing components to ignore the Upstream slots property. #2747
    Configuration
    • Octothorpes (#) can now be escaped (\#) and included in the Kong configuration values such as your datastore passwords or usernames. #2411
    Admin API
    • The data response field of the /upstreams/{upstream}/targets/active Admin API endpoint now returns a list ([]) instead of an object ({}) when no active targets are present. #2619
    Plugins
    • datadog: Avoid a runtime error if the plugin is configured as a global plugin but the downstream request did not match any configured API. Thanks @kjsteuer for the fix! #2702
    • ip-restriction: Fixed support for the 0.0.0.0/0 CIDR block. This block is now supported and won't trigger an error when used in the whitelist or blacklist properties. #2918


  • v0.10.3 Changes

    May 24, 2017

    Changed

    • We noticed that some distribution packages were not building OpenResty against a JITable PCRE library. This happened on Ubuntu and RHEL environments where OpenResty was built against the system's PCRE installation. We now compile OpenResty against a JITable PCRE source for those platforms, which should result in significant performance improvements in regex matching. Mashape/kong-distributions #9
    • TLS connections are now handled with a modern list of accepted ciphers, as per the Mozilla recommended TLS ciphers list. See https://wiki.mozilla.org/Security/Server_Side_TLS. This behavior is configurable via the newly introduced configuration properties described in the below "Added" section.
    • Plugins:
      • rate-limiting: Performance improvements when using the cluster policy. The number of round trips to the database has been limited to the number of configured limits. #2488

    Added

    • New ssl_cipher_suite and ssl_ciphers configuration properties to configure the desired set of accepted ciphers, based on the Mozilla recommended TLS ciphers list. #2555
    • New proxy_ssl_certificate and proxy_ssl_certificate_key configuration properties. These properties configure the Nginx directives bearing the same name, to set client certificates to Kong when connecting to your upstream services. #2556
    • 🌲 Proxy and Admin API access and error log paths are now configurable. Access logs can be entirely disabled if desired. #2552
    • πŸ”Œ Plugins:
      • Logging plugins: The produced logs include a new tries field which contains, which includes the upstream connection successes and failures of the load-balancer. #2429
      • key-auth: Credentials can now be sent in the request body. #2493
      • cors: Origins can now be defined as regular expressions. #2482

    Fixed

    • APIs matching: prioritize APIs with longer uris when said APIs also define hosts and/or methods as well. Thanks @leonzz for the patch. #2523
    • SSL connections to Cassandra can now properly verify the certificate in use (when cassandra_ssl_verify is enabled). #2531
    • The DNS resolver no longer sends A or AAAA DNS queries for SRV records. This should improve performance by avoiding unnecessary lookups. #2563 & Mashape/lua-resty-dns-client #12
    • Plugins
      • All authentication plugins don't throw an error anymore when invalid credentials are given and the anonymous user isn't configured. #2508
      • rate-limiting: Effectively use the desired Redis database when the redis policy is in use and the config.redis_database property is set. #2481
      • cors: The regression introduced in 0.10.1 regarding not sending the * wildcard when conf.origin was not specified has been fixed. #2518
      • oauth2: properly check the client application ownership of a token before refreshing it. #2461


  • v0.10.2 Changes

    May 01, 2017

    Changed

    • The Kong DNS resolver now honors the MAXNS setting (3) when parsing the nameservers specified in resolv.conf. #2290
    • Kong now matches incoming requests via the $request_uri property, instead of $uri, in order to better handle percent-encoded URIs. A more detailed explanation will be included in the below "Fixed" section. #2377
    • Upstream calls do not unconditionally include a trailing / anymore. See the below "Added" section for more details. #2315
    • Admin API:
      • The "active targets" endpoint now only returns the most recent nonzero weight Targets, instead of all nonzero weight targets. This is to provide a better picture of the Targets currently in use by the Kong load balancer. #2310

    Added

    • :fireworks: Plugins can implement a new rewrite handler to execute code in the Nginx rewrite phase. This phase is executed prior to matching a registered Kong API, and prior to any authentication plugin. As such, only global plugins (neither tied to an API or Consumer) will execute this phase. #2354
    • Ability for the client to choose whether the upstream request (Kong <-> upstream) should contain a trailing slash in its URI. Prior to this change, Kong 0.10 would unconditionally append a trailing slash to all upstream requests. The added functionality is described in #2211, and was implemented in #2315.
    • Ability to hide Kong-specific response headers. Two new configuration fields: server_tokens and latency_tokens will respectively toggle whether the Server and X-Kong-*-Latency headers should be sent to downstream clients. #2259
    • New cassandra_schema_consensus_timeout configuration property, to allow for Kong to wait for the schema consensus of your Cassandra cluster during migrations. #2326
    • Serf commands executed by a running Kong node are now logged in the Nginx error logs with a DEBUG level. #2410
    • Ensure the required shared dictionaries are defined in the Nginx configuration. This will prevent custom Nginx templates from potentially resulting in a breaking upgrade for users. #2466
    • Admin API:
      • Target Objects can now be deleted with their ID as well as their name. The endpoint becomes: /upstreams/:name_or_id/targets/:target_or_id. #2304
    • Plugins:
      • :fireworks: New Request termination plugin. This plugin allows you to temporarily disable an API and return a pre-configured response status and body to your client. Useful for use-cases such as maintenance mode for your upstream services. Thanks to @pauldaustin for the contribution. #2051
      • Logging plugins: The produced logs include two new fields: a consumer field, which contains the properties of the authenticated Consumer (id, custom_id, and username), if any, and a tries field, which includes the upstream connection successes and failures of the load balancer. #2367 #2429
      • http-log: Now set an upstream HTTP basic access authentication header if the configured conf.http_endpoint parameter includes an authentication section. Thanks @amir for the contribution. #2432
      • file-log: New config.reopen property to close and reopen the log file on every request, in order to effectively rotate the logs. #2348
      • jwt: Returns 401 Unauthorized on invalid claims instead of the previous 403 Forbidden status. #2433
      • key-auth: Allow setting API key header names with an underscore. #2370
      • cors: When config.credentials = true, we do not send an ACAO header with value *. The ACAO header value will be that of the request's Origin: header. #2451

    Fixed

    • Upstream connections over TLS now set their Client Hello SNI field. The SNI value is taken from the upstream Host header value, and thus also depends on the preserve_host setting of your API. Thanks @konrade for the original patch. #2225
    • Correctly match APIs with percent-encoded URIs in their uris property. Generally, this change also avoids normalizing (and thus, potentially altering) the request URI when trying to match an API's uris value. Instead of relying on the Nginx $uri variable, we now use $request_uri. #2377
    • Handle a routing edge-case under some conditions with the uris matching rule of APIs that would falsely lead Kong into believing no API was matched for what would actually be a valid request. #2343
    • If no API was configured with a hosts matching rule, then the preserve_host flag would never be honored. #2344
    • The X-Forwarded-For header sent to your upstream services by Kong is not set from the Nginx $proxy_add_x_forwarded_for variable anymore. Instead, Kong uses the $realip_remote_addr variable to append the real IP address of a client, instead of $remote_addr, which can come from a previous proxy hop. #2236
    • CNAME records are now properly being cached by the DNS resolver. This results in a performance improvement over previous 0.10 versions. #2303
    • When using Cassandra, some migrations would not be performed on the same coordinator as the one originally chosen. The same migrations would also require a response from other replicas in a cluster, but were not waiting for a schema consensus beforehand, causing non-deterministic failures in the migrations, especially if the cluster's inter-nodes communication is slow. #2326
    • The cassandra_timeout configuration property is now correctly taken into consideration by Kong. #2326
    • Correctly trigger plugins configured on the anonymous Consumer for anonymous requests (from auth plugins with the new config.anonymous parameter). #2424
    • When multiple auth plugins were configured with the recent config.anonymous parameter for "OR" authentication, such plugins would override each other's results and response headers, causing false negatives. #2222
    • Ensure the cassandra_contact_points property does not contain any port information. Those should be specified in cassandra_port. Thanks @Vermeille for the contribution. #2263
    • Prevent an upstream or legitimate internal error in the load balancing code from throwing a Lua-land error as well. #2327
    • Allow backwards compatibility with custom Nginx configurations that still define the resolver ${{DNS_RESOLVER}} directive. Values from the Kong dns_resolver property will be flattened to a string and appended to the directive. #2386
    • Plugins:
      • hmac: Better handling of invalid base64-encoded signatures. Previously Kong would return an HTTP 500 error. We now properly return HTTP 403 Forbidden. #2283
    • Admin API:
      • Detect conflicts between SNI Objects in the /snis and /certificates endpoint. #2285
      • The /certificates route used to not return the total and data JSON fields. We now send those fields back instead of a root list of certificate objects. #2463
      • Endpoints with path parameters like /xxx_or_id will now also yield the proper result if the xxx field is formatted as a UUID. Most notably, this fixes a problem for Consumers whose username is a UUID, that could not be found when requesting /consumers/{username_as_uuid}. #2420
      • The "active targets" endpoint does not require a trailing slash anymore. #2307
      • Upstream Objects can now be deleted properly when using Cassandra. #2404


  • v0.10.1 Changes

    March 27, 2017

    Changed

    • :warning: Serf has been downgraded to version 0.7 in our distributions, although versions up to 0.8.1 are still supported. This fixes a problem when automatically detecting the first non-loopback private IP address, which was defaulted to 127.0.0.1 in Kong 0.10.0. Greater versions of Serf can still be used, but the IP address needs to be manually specified in the cluster_advertise configuration property.
    • :warning: The CORS Plugin parameter config.origin is now config.origins. #2203

    :red_circle: Post-release note (as of 2017/05/12): A faulty behavior has been observed with this change. Previously, the plugin would send the * wildcard when config.origin was not specified. With this change, the plugin does not send the * wildcard by default anymore. You will need to specify it manually when configuring the plugin, with config.origins=*. This behavior is to be fixed in a future release.

    :white_check_mark: Update (2017/05/24): A fix to this regression has been released as part of 0.10.3. See the section of the Changelog related to this release for more details.

    • Admin API:
      • Disable support for TLS/1.0. #2212

    Added

    • Admin API:
      • Active targets can be pulled with GET /upstreams/{name}/targets/active. #2230
      • Provide a convenience endpoint to disable targets at: DELETE /upstreams/{name}/targets/{target}. Under the hood, this creates a new target with weight = 0 (the correct way of disabling targets, which used to cause confusion). #2256
    • Plugins:
      • cors: Support for configuring multiple Origin domains. #2203

    Fixed

    • Use an LRU cache for Lua-land entities caching to avoid exhausting the Lua VM memory in long-running instances. #2246
    • Avoid potential deadlocks upon callback errors in the caching module for database entities. #2197
    • Relax multipart MIME type parsing. A space is allowed in between values of the Content-Type header. #2215
    • Admin API:
      • Better handling of non-supported HTTP methods on endpoints of the Admin API. In some cases this used to throw an internal error. Calling any endpoint with a non-supported HTTP method now always returns 405 Method Not Allowed as expected. #2213
    • CLI:
      • Better error handling when missing Serf executable. #2218
      • Fix a bug in the kong migrations command that would prevent it from running correctly. #2238
      • Trim list values specified in the configuration file. #2206
      • Align the default configuration file's values to the actual, hard-coded default values to avoid confusion. #2254
    • Plugins:
      • hmac: Generate an HMAC secret value if none is provided. #2158
      • oauth2: Don't try to remove credential values from request bodies if the MIME type is multipart, since such attempts would result in an error. #2176
      • ldap: This plugin should not be applied to a single Consumer; however, this was not properly enforced. It is now impossible to apply this plugin to a single Consumer (as per all authentication plugins). #2237
      • aws-lambda: Support for us-west-2 region in schema. #2257


  • v0.10.0 Changes

    March 07, 2017

    Kong 0.10 is one of the most significant releases to this day. It ships with exciting new features that have been heavily requested for the last few months, such as load balancing, Cassandra 3.0 compatibility, Websockets support, internal DNS resolution (A and SRV records without Dnsmasq), and more flexible matching capabilities for APIs routing.

    On top of those new features, this release received particular attention to performance, and brings many improvements and refactors that should make it perform significantly better than any previous version.

    Changed

    • :warning: API Objects (as configured via the Admin API) do not support the request_host and request_uri fields anymore. The 0.10 migrations should upgrade your current API Objects, but make sure to read the new 0.10 Proxy Guide to learn the new routing capabilities of Kong. On the good side, this means that Kong can now route incoming requests according to a combination of Host headers, URIs, and HTTP methods.
    • ⚠ :warning: Final slashes in upstream_url are no longer allowed. #2115
    • 🚚 :warning: The SSL plugin has been removed and dynamic SSL capabilities have been added to Kong core, and are configurable via new properties on the API entity. See the related PR for a detailed explanation of this change. #1970
    • ⚠ :warning: Drop the Dnsmasq dependency. We now internally resolve both A and SRV DNS records. #1587
    • ⬆️ :warning: Dropping support for insecure TLS/1.0 and defaulting Upgrade responses to TLS/1.2. #2119
    • ⬆️ Bump the compatible OpenResty version to 1.11.2.1 and 1.11.2.2. Support for OpenResty 1.11.2.2 requires the --without-luajit-lua52 compilation flag.
    • πŸ”Š Separate Admin API and Proxy error logs. Admin API logs are now written to logs/admin_access.log. #1782
    • Auto-generates stronger SHA-256 with RSA encryption SSL certificates. #2117

    Added

    • :fireworks: Support for Cassandra 3.x. #1709
    • :fireworks: SRV records resolution. #1587
    • :fireworks: Load balancing. When an A or SRV record resolves to multiple entries, Kong now rotates those upstream targets with a Round-Robin algorithm. This is a first step towards implementing more load balancing algorithms. Another way to specify multiple upstream targets is to use the newly introduced /upstreams and /targets entities of the Admin API. #1587 #1735
    • :fireworks: Multiple hosts and paths per API. Kong can now route incoming requests to your services based on a combination of Host headers, URIs and HTTP methods. See the related PR for a detailed explanation of the new properties and capabilities of the new router. #1970
    • :fireworks: Maintain upstream connection pools which should greatly improve performance, especially for HTTPS upstream connections. We now use HTTP/1.1 for upstream connections as well as an nginx upstream block with a configurable keepalive directive, thanks to the new nginx_keepalive configuration property. #1587 #1827
    • :fireworks: Websockets support. Kong can now upgrade client connections to use the ws protocol when Upgrade: websocket is present. #1827
    • Use an in-memory caching strategy for database entities in order to reduce CPU load during requests proxying. #1688
    • Provide negative-caching for missed database entities. This should improve performance in some cases. #1914
    • Support for serving the Admin API over SSL. This introduces new properties in the configuration file: admin_listen_ssl, admin_ssl, admin_ssl_cert and admin_ssl_cert_key. #1706
    • Support for upstream connection timeouts. APIs now have 3 new fields: upstream_connect_timeout, upstream_send_timeout, upstream_read_timeout to specify, in milliseconds, a timeout value for requests between Kong and your APIs. #2036
    • Support for clustering key rotation in the underlying Serf process:
      • new cluster_keyring_file property in the configuration file.
      • new kong cluster keys .. CLI commands that expose the underlying serf keys .. commands. #2069
    • Support for lua_socket_pool_size property in configuration file. #2109
    • Plugins:
      • :fireworks: New AWS Lambda plugin. Thanks Tim Erickson for his collaboration on this new addition. #1777 #1190
      • Anonymous authentication for auth plugins. When such plugins receive the config.anonymous=<consumer_id> property, even non-authenticated requests will be proxied by Kong, with the traditional Consumer headers set to the designated anonymous consumer, but also with a X-Anonymous-Consumer header. Multiple auth plugins will work in a logical OR fashion. #1666 and #2035
      • request-transformer: Ability to change the HTTP method of the upstream request. #1635
      • jwt: Support for ES256 signatures. #1920
      • rate-limiting: Ability to select the Redis database to use via the new config.redis_database plugin property. #1941

    Fixed

    • Looking for Serf in known installation paths. #1997
    • Including port in upstream Host header. #2045
    • Clarify the purpose of the cluster_listen_rpc property in the configuration file. Thanks Jeremy Monin for the patch. #1860
    • Admin API:
      • Properly return JSON responses (instead of HTML) on HTTP 409 Conflict when adding Plugins. #2014
    • CLI:
      • Avoid double-prefixing migration error messages with the database name (PostgreSQL/Cassandra).
    • Plugins:
      • Fix fault tolerance logic and error reporting in rate-limiting plugins.
      • CORS: Properly return Access-Control-Allow-Credentials: false if Access-Control-Allow-Origin: *. #2104
      • key-auth: enforce key_names to be proper header names according to Nginx. #2142


  • v0.9.9 Changes

    February 02, 2017

    Fixed

    • Correctly put Cassandra sockets into the Nginx connection pool for later reuse. This greatly improves the performance for rate-limiting and response-ratelimiting plugins. f8f5306
    • Correct length of a year in seconds for rate-limiting and response-ratelimiting plugins. A year was wrongly assumed to only be 360 days long. e4fdb2a
    • Prevent misinterpretation of the % character in proxied URLs encoding. Thanks Thomas Jouannic for the patch. #1998 #2040


  • v0.9.8 Changes

    January 19, 2017

    Fixed

    • Properly set the admin IP in the Serf script.

    Changed

    • Provide negative-caching for missed database entities. This should improve performance in some cases. #1914

    Fixed

    • Plugins:
      • Fix fault tolerance logic and error reporting in rate-limiting plugins.
