Changes¶
http: fixed CVE-2020-25017. Previously header matching did not match on all headers for non-inline headers. This patch changes the default behavior to always logically match on all headers. Multiple individual headers will be logically concatenated with ‘,’ similar to what is done with inline headers. This makes the behavior effectively consistent. This behavior can be temporary reverted by setting the runtime value “envoy.reloadable_features.header_match_on_all_headers” to “false”.
Targeted fixes have been additionally performed on the following extensions which make them consider all duplicate headers by default as a comma concatenated list:
Any extension using CEL matching on headers.
The header to metadata filter.
The JWT filter.
The Lua filter.
Like primary header matching used in routing, RBAC, etc. this behavior can be disabled by setting the runtime value “envoy.reloadable_features.header_match_on_all_headers” to false.
http: fixed CVE-2020-25017. The setCopy() header map API previously only set the first header in the case of duplicate non-inline headers. setCopy() now behaves similarly to the other set*() APIs and replaces all found headers with a single value. This may have had security implications in the extauth filter which uses this API. This behavior can be disabled by setting the runtime value “envoy.reloadable_features.http_set_copy_replace_all_headers” to false.
1.14.4 (July 7, 2020)¶
tls: fixed a bug where wilcard matching for “*.foo.com” also matched domains of the form “a.b.foo.com”. This behavior can be temporarily reverted by setting runtime feature envoy.reloadable_features.fix_wildcard_matching to false.
1.14.3 (June 30, 2020)¶
buffer: fixed CVE-2020-12603 by avoiding fragmentation, and tracking of HTTP/2 data and control frames in the output buffer.
http: fixed CVE-2020-12604 by changing stream_idle_timeout to also defend against an HTTP/2 peer that does not open stream window once an entire response has been buffered to be sent to a downstream client.
http: fixed CVE-2020-12605 by including request URL in request header size computation, and rejecting partial headers that exceed configured limits.
listener: mitigated CVE-2020-8663 by adding runtime support for per-listener limits on active/accepted connections.
overload management: mitigated CVE-2020-8663 by adding runtime support for global limits on active/accepted connections.
1.14.2 (June 8, 2020)¶
http: fixed CVE-2020-11080 by rejecting HTTP/2 SETTINGS frames with too many parameters.
1.14.1 (April 8, 2020)¶
request_id_extension: fixed static initialization for noop request id extension.
1.14.0 (April 8, 2020)¶
access log: access logger extensions use the “envoy.access_loggers” name space. A mapping of extension names is available in the deprecated documentation.
access log: added support for %DOWNSTREAM_LOCAL_PORT% access log formatters.
access log: fixed %DOWSTREAM_DIRECT_REMOTE_ADDRESS% when used with PROXY protocol listener filter.
access log: introduced connection-level access loggers.
adaptive concurrency: fixed bug that allowed concurrency limits to drop below the configured minimum.
adaptive concurrency: minRTT is now triggered when the minimum concurrency is maintained for 5 consecutive sampling intervals.
admin: added support for displaying ip address subject alternate names in certs end point.
admin: added
POST /reopen_logs
endpoint to control log rotation.api: froze v2 xDS API. New feature development in the API should occur in v3 xDS. While the v2 xDS API has been deprecated since 1.13.0, it will continue to be supported by Envoy until EOY 2020. See Supported API versions.
aws_lambda: added AWS Lambda filter that converts HTTP requests to Lambda invokes. This effectively makes Envoy act as an egress gateway to AWS Lambda.
aws_request_signing: a few fixes so that it works with S3.
config: added stat update_time.
config: use type URL to select an extension whenever the config type URL (or its previous versions) uniquely identify a typed extension, see extension configuration.
datasource: added retry policy for remote async data source.
dns: added support for dns_failure_refresh_rate for the dns cache to set the DNS refresh rate during failures.
dns: the STRICT_DNS cluster now only resolves to 0 hosts if DNS resolution successfully returns 0 hosts.
eds: added hostname field for endpoints and hostname field for endpoint’s health check config. This enables auto host rewrite and customizing the host header during health checks for eds endpoints.
ext_authz: disabled the use of lowercase string matcher for headers matching in HTTP-based ext_authz. Can be reverted temporarily by setting runtime feature envoy.reloadable_features.ext_authz_http_service_enable_case_sensitive_string_matcher to false.
fault: added support for controlling abort faults with HTTP header fault configuration to the HTTP fault filter.
grpc-json: added support for building HTTP request into google.api.HttpBody.
grpc-stats: added option to limit which messages stats are created for.
http: added HTTP/1.1 flood protection. Can be temporarily disabled using the runtime feature envoy.reloadable_features.http1_flood_protection.
http: added headers_with_underscores_action setting to control how client requests with header names containing underscore characters are handled. The options are to allow such headers, reject request or drop headers. The default is to allow headers, preserving existing behavior.
http: added max_stream_duration to specify the duration of existing streams. See connection and stream timeouts.
http: connection header sanitizing has been modified to always sanitize if there is no upgrade, including when an h2c upgrade attempt has been removed.
http: fixed a bug that could send extra METADATA frames and underflow memory when encoding METADATA frames on a connection that was dispatching data.
http: fixing a bug in HTTP/1.0 responses where Connection: keep-alive was not appended for connections which were kept alive.
http: http filter extensions use the “envoy.filters.http” name space. A mapping of extension names is available in the deprecated documentation.
http: the runtime feature http.connection_manager.log_flood_exception is removed and replaced with a connection access log response code.
http: upgrade parser library, which removes support for “identity” transfer-encoding value.
listener filters: listener filter extensions use the “envoy.filters.listener” name space. A mapping of extension names is available in the deprecated documentation.
listeners: added listener filter matcher api to disable individual listener filter on matching downstream connections.
loadbalancing: added support for using hostname for consistent hash loadbalancing via consistent_hash_lb_config.
loadbalancing: added support for retry host predicates in conjunction with consistent hashing load balancers (ring hash and maglev).
lua: added a parameter to httpCall that makes it possible to have the call be asynchronous.
lua: added moonjit support.
mongo: the stat emitted for queries without a max time set in the MongoDB filter was modified to emit correctly for Mongo v3.2+.
network filters: added a direct response filter.
network filters: network filter extensions use the “envoy.filters.network” name space. A mapping of extension names is available in the deprecated documentation.
rbac: added remote_ip and direct_remote_ip for matching downstream remote IP address.
rbac: deprecated source_ip with direct_remote_ip and remote_ip.
request_id_extension: added an ability to extend request ID handling at HTTP connection manager.
retry: added a retry predicate that rejects hosts based on metadata..
router: added ability to set attempt count in downstream response, see virtual host’s include response attempt count config.
router: added additional stats for virtual clusters.
router: added auto_san_validation to support overrriding SAN validation to transport socket for new upstream connections based on the downstream HTTP host/authority header.
router: added the ability to match a route based on whether a downstream TLS connection certificate has been validated.
router: added support for regex_rewrite for path rewriting using regular expressions and capture groups.
router: added support for %DOWNSTREAM_LOCAL_PORT% header formatter.
router: don’t ignore per_try_timeout when the global route timeout is disabled.
router: strip whitespace for retry_on, grpc-retry-on header and retry-on header.
runtime: enabling the runtime feature envoy.deprecated_features.allow_deprecated_extension_names disables the use of deprecated extension names.
runtime: integer values may now be parsed as booleans.
sds: added GenericSecret to support secret of generic type.
sds: added certificate rotation support for certificates in static resources.
server: the SIGUSR1 access log reopen warning now is logged at info level.
stat sinks: stat sink extensions use the “envoy.stat_sinks” name space. A mapping of extension names is available in the deprecated documentation.
thrift_proxy: added router filter stats to docs.
tls: added configuration to disable stateless TLS session resumption disable_stateless_session_resumption.
tracing: added gRPC service configuration to the OpenCensus Stackdriver and OpenCensus Agent tracers.
tracing: tracer extensions use the “envoy.tracers” name space. A mapping of extension names is available in the deprecated documentation.
upstream: added
upstream_rq_retry_limit_exceeded
to cluster, and virtual cluster stats.upstream: changed load distribution algorithm when all priorities enter panic mode.
upstream: combined HTTP/1 and HTTP/2 connection pool code. This means that circuit breaker limits for both requests and connections apply to both pool types. Also, HTTP/2 now has the option to limit concurrent requests on a connection, and allow multiple draining connections. The old behavior is deprecated, but can be used during the deprecation period by disabling runtime feature envoy.reloadable_features.new_http1_connection_pool_behavior or envoy.reloadable_features.new_http2_connection_pool_behavior and then re-configure your clusters or restart Envoy. The behavior will not switch until the connection pools are recreated. The new circuit breaker behavior is described here.
zlib: by default zlib is initialized to use its default strategy (Z_DEFAULT_STRATEGY) instead of the fixed one (Z_FIXED). The difference is that the use of dynamic Huffman codes is enabled now resulting in better compression ratio for normal data.
1.13.1 (March 3, 2020)¶
buffer: force copy when appending small slices to OwnedImpl buffer to avoid fragmentation.
http: added HTTP/1.1 flood protection. Can be temporarily disabled using the runtime feature envoy.reloadable_features.http1_flood_protection.
listeners: fixed issue where TLS inspector listener filter could have been bypassed by a client using only TLS 1.3.
rbac: added url_path for matching URL path without the query and fragment string.
sds: fixed the SDS vulnerability that TLS validation context (e.g., subject alt name or hash) cannot be effectively validated in some cases.
1.13.0 (January 20, 2020)¶
access log: added FILTER_STATE access log formatters and gRPC access logger.
admin: added the ability to filter /config_dump.
access log: added a typed JSON logging mode to output access logs in JSON format with non-string values
access log: fixed UPSTREAM_LOCAL_ADDRESS access log formatters to work for http requests
access log: added HOSTNAME.
api: remove all support for v1
api: added ability to specify mode for Pipe.
api: support for the v3 xDS API added. See Supported API versions.
aws_request_signing: added new alpha HTTP AWS request signing filter.
buffer: remove old implementation
build: official released binary is now built against libc++.
cluster: added aggregate cluster that allows load balancing between clusters.
config: all category names of internal envoy extensions are prefixed with the ‘envoy.’ prefix to follow the reverse DNS naming notation.
decompressor: remove decompressor hard assert failure and replace with an error flag.
ext_authz: added configurable ability to send the certificate to the ext_authz service.
fault: fixed an issue where the http fault filter would repeatedly check the percentage of abort/delay when the x-envoy-downstream-service-cluster header was included in the request to ensure that the actual percentage of abort/delay matches the configuration of the filter.
health check: gRPC health checker sets the gRPC deadline to the configured timeout duration.
health check: added TlsOptions to allow TLS configuration overrides.
health check: added service_name_matcher to better compare the service name patterns for health check identity.
http: added strict validation that CONNECT is refused as it is not yet implemented. This can be reversed temporarily by setting the runtime feature envoy.reloadable_features.strict_method_validation to false.
http: added support for http1 trailers. To enable use enable_trailers.
http: added the ability to sanitize headers nominated by the Connection header. This new behavior is guarded by envoy.reloadable_features.connection_header_sanitization which defaults to true.
http: blocks unsupported transfer-encodings. Can be reverted temporarily by setting runtime feature envoy.reloadable_features.reject_unsupported_transfer_encodings to false.
http: support auto_host_rewrite_header in the dynamic forward proxy.
jwt_authn: added allow_missing option that accepts request without token but rejects bad request with bad tokens.
jwt_authn: added bypass_cors_preflight to allow bypassing the CORS preflight request.
lb_subset_config: new fallback policy for selectors: KEYS_SUBSET
listeners: added reuse_port option.
logger: added –log-format-escaped command line option to escape newline characters in application logs.
ratelimit: added local rate limit network filter.
rbac: added support for matching all subject alt names instead of first in principal_name.
redis: performance improvement for larger split commands by avoiding string copies.
redis: correctly follow MOVE/ASK redirection for mirrored clusters.
redis: add host_degraded_refresh_threshold and failure_refresh_threshold to refresh topology when nodes are degraded or when requests fails.
router: added histograms to show timeout budget usage to the cluster stats.
router check tool: added support for testing and marking coverage for routes of runtime fraction 0.
router: added request_mirror_policies to support sending multiple mirrored requests in one route.
router: added support for REQ(header-name) header formatter.
router: added support for percentage-based retry budgets
router: allow using a query parameter for HTTP consistent hashing.
router: exposed DOWNSTREAM_REMOTE_ADDRESS as custom HTTP request/response headers.
router: added support for max_internal_redirects for configurable maximum internal redirect hops.
router: skip the Location header when the response code is not a 201 or a 3xx.
router: added auto_sni to support setting SNI to transport socket for new upstream connections based on the downstream HTTP host/authority header.
router: added support for HOSTNAME header formatter.
server: added the
--disable-extensions
CLI option, to disable extensions at startup.server: fixed a bug in config validation for configs with runtime layers.
server: added workers_started that indicates whether listeners have been fully initialized on workers.
tcp_proxy: added ClusterWeight.metadata_match.
tcp_proxy: added hash_policy.
thrift_proxy: added support for cluster header based routing.
thrift_proxy: added stats to the router filter.
tls: remove TLS 1.0 and 1.1 from client defaults
tls: added support for generic string matcher for subject alternative names.
tracing: added the ability to set custom tags on both the HTTP connection manager and the HTTP route.
tracing: added upstream_address tag.
tracing: added initial support for AWS X-Ray (local sampling rules only) X-Ray Tracing.
tracing: added tags for gRPC request path, authority, content-type and timeout.
udp: added initial support for UDP proxy
1.12.3 (March 3, 2020)¶
buffer: force copy when appending small slices to OwnedImpl buffer to avoid fragmentation.
http: added HTTP/1.1 flood protection. Can be temporarily disabled using the runtime feature envoy.reloadable_features.http1_flood_protection.
listeners: fixed issue where TLS inspector listener filter could have been bypassed by a client using only TLS 1.3.
rbac: added url_path for matching URL path without the query and fragment string.
sds: fixed the SDS vulnerability that TLS validation context (e.g., subject alt name or hash) cannot be effectively validated in some cases.
1.12.2 (December 10, 2019)¶
http: fixed CVE-2019-18801 by allocating sufficient memory for request headers.
http: fixed CVE-2019-18802 by implementing stricter validation of HTTP/1 headers.
http: trim LWS at the end of header keys, for correct HTTP/1.1 header parsing.
http: added strict authority checking. This can be reversed temporarily by setting the runtime feature envoy.reloadable_features.strict_authority_validation to false.
route config: fixed CVE-2019-18838 by checking for presence of host/path headers.
1.12.1 (November 8, 2019)¶
listener: fixed CVE-2019-18836 by clearing accept filters before connection creation.
1.12.0 (October 31, 2019)¶
access log: added a new flag for downstream protocol error.
access log: added buffering and periodical flushing support to gRPC access logger. Defaults to 16KB buffer and flushing every 1 second.
access log: added DOWNSTREAM_DIRECT_REMOTE_ADDRESS and DOWNSTREAM_DIRECT_REMOTE_ADDRESS_WITHOUT_PORT access log formatters and gRPC access logger.
access log: gRPC Access Log Service (ALS) support added for TCP access logs.
access log: reintroduced filesystem stats and added the write_failed counter to track failed log writes.
admin: added ability to configure listener socket options.
admin: added config dump support for Secret Discovery Service SecretConfigDump.
admin: added support for draining listeners via admin interface.
admin: added
GET /stats/recentlookups
,POST /stats/recentlookups/clear
,POST /stats/recentlookups/disable
, andPOST /stats/recentlookups/enable
endpoints.api: added set_node_on_first_message_only option to omit the node identifier from the subsequent discovery requests on the same stream.
buffer filter: now populates content-length header if not present. This behavior can be temporarily disabled using the runtime feature envoy.reloadable_features.buffer_filter_populate_content_length.
build: official released binary is now PIE so it can be run with ASLR.
config: added support for delta xDS (including ADS) delivery.
config: enforcing that terminal filters (e.g. HttpConnectionManager for L4, router for L7) be the last in their respective filter chains.
config: added access log extension filter.
config: added support for
--reject-unknown-dynamic-fields
, providing independent control over whether unknown fields are rejected in static and dynamic configuration. By default, unknown fields in static configuration are rejected and are allowed in dynamic configuration. Warnings are logged for the first use of any unknown field and these occurrences are counted in the server.static_unknown_fields and server.dynamic_unknown_fields statistics.config: added async data access for local and remote data sources.
config: changed the default value of initial_fetch_timeout from 0s to 15s. This is a change in behaviour in the sense that Envoy will move to the next initialization phase, even if the first config is not delivered in 15s. Refer to initialization process for more details.
config: added stat init_fetch_timeout.
config: tls_context in Cluster and FilterChain are deprecated in favor of transport socket. See deprecated documentation for more information.
csrf: added PATCH to supported methods.
dns: added support for configuring dns_failure_refresh_rate to set the DNS refresh rate during failures.
ext_authz: added configurable ability to send dynamic metadata to the ext_authz service.
ext_authz: added filter_enabled RuntimeFractionalPercent flag to filter.
ext_authz: added tracing to the HTTP client.
ext_authz: deprecated cluster scope stats in favour of filter scope stats.
fault: added overrides for default runtime keys in HTTPFault filter.
grpc: added AWS IAM grpc credentials extension for AWS-managed xDS.
grpc: added gRPC stats filter for collecting stats about gRPC calls and streaming message counts.
grpc-json: added support for ignoring unknown query parameters.
grpc-json: added support for the grpc-status-details-bin header.
header to metadata: added PROTOBUF_VALUE and ValueEncode to support protobuf Value and Base64 encoding.
http: added a default one hour idle timeout to upstream and downstream connections. HTTP connections with no streams and no activity will be closed after one hour unless the default idle_timeout is overridden. To disable upstream idle timeouts, set the idle_timeout to zero in Cluster http_protocol_options. To disable downstream idle timeouts, either set idle_timeout to zero in the HttpConnectionManager common_http_protocol_options or set the deprecated connection manager field to zero.
http: added the ability to format HTTP/1.1 header keys using header_key_format.
http: added the ability to reject HTTP/1.1 requests with invalid HTTP header values, using the runtime feature envoy.reloadable_features.strict_header_validation.
http: changed Envoy to forward existing x-forwarded-proto from upstream trusted proxies. Guarded by envoy.reloadable_features.trusted_forwarded_proto which defaults true.
http: added the ability to configure the behavior of the server response header, via the server_header_transformation field.
http: added the ability to merge adjacent slashes in the path.
http: AUTO codec protocol inference now requires the H2 magic bytes to be the first bytes transmitted by a downstream client.
http: remove h2c upgrade headers for HTTP/1 as h2c upgrades are currently not supported.
http: absolute URL support is now on by default. The prior behavior can be reinstated by setting allow_absolute_url to false.
http: support host rewrite in the dynamic forward proxy.
http: support disabling the filter per route in the grpc http1 reverse bridge filter.
http: added the ability to configure max connection duration for downstream connections.
listeners: added continue_on_listener_filters_timeout to configure whether a listener will still create a connection when listener filters time out.
listeners: added HTTP inspector listener filter.
listeners: added connection balancer configuration for TCP listeners.
listeners: listeners now close the listening socket as part of the draining stage as soon as workers stop accepting their connections.
lua: extended httpCall() and respond() APIs to accept headers with entry values that can be a string or table of strings.
lua: extended dynamicMetadata:set() to allow setting complex values.
metrics_service: added support for flushing histogram buckets.
outlier_detector: added support for the grpc-status response header by mapping it to HTTP status. Guarded by envoy.reloadable_features.outlier_detection_support_for_grpc_status which defaults to true.
performance: new buffer implementation enabled by default (to disable add “–use-libevent-buffers 1” to the command-line arguments when starting Envoy).
performance: stats symbol table implementation (disabled by default; to test it, add “–use-fake-symbol-table 0” to the command-line arguments when starting Envoy).
rbac: added support for DNS SAN as principal_name.
redis: added enable_command_stats to enable per command statistics for upstream clusters.
redis: added read_policy to allow reading from redis replicas for Redis Cluster deployments.
redis: fixed a bug where the redis health checker ignored the upstream auth password.
redis: enable_hashtaging is always enabled when the upstream uses open source Redis cluster protocol.
regex: introduced new RegexMatcher type that provides a safe regex implementation for untrusted user input. This type is now used in all configuration that processes user provided input. See deprecated configuration details for more information.
rbac: added conditions to the policy, see condition.
router: added rq_retry_skipped_request_not_complete counter stat to router stats.
router: scoped routing is supported.
router: added new retriable-headers retry policy. Retries can now be configured to trigger by arbitrary response header matching.
router: added ability for most specific header mutations to take precedence, see route configuration’s most specific header mutations wins flag.
router: added respect_expected_rq_timeout that instructs ingress Envoy to respect x-envoy-expected-rq-timeout-ms header, populated by egress Envoy, when deriving timeout for upstream cluster.
router: added new retriable request headers to route configuration, to allow limiting buffering for retries and shadowing.
router: added new retriable request headers to retry policies. Retries can now be configured to only trigger on request header match.
router: added the ability to match a route based on whether a TLS certificate has been presented by the downstream connection.
router check tool: added coverage reporting & enforcement.
router check tool: added comprehensive coverage reporting.
router check tool: added deprecated field check.
router check tool: added flag for only printing results of failed tests.
router check tool: added support for outputting missing tests in the detailed coverage report.
router check tool: added coverage reporting for direct response routes.
runtime: allows for the ability to parse boolean values.
runtime: allows for the ability to parse integers as double values and vice-versa.
sds: added session_ticket_keys_sds_secret_config for loading TLS Session Ticket Encryption Keys using SDS API.
server: added a post initialization lifecycle event, in addition to the existing startup and shutdown events.
server: added per-handler listener stats and per-worker watchdog stats to help diagnosing event loop imbalance and general performance issues.
stats: added unit support to histogram.
tcp_proxy: the default idle_timeout is now 1 hour.
thrift_proxy: fixed crashing bug on invalid transport/protocol framing.
thrift_proxy: added support for stripping service name from method when using the multiplexed protocol.
tls: added verification of IP address SAN fields in certificates against configured SANs in the certificate validation context.
tracing: added support to the Zipkin reporter for sending list of spans as Zipkin JSON v2 and protobuf message over HTTP. certificate validation context.
tracing: added tags for gRPC response status and message.
tracing: added max_path_tag_length to support customizing the length of the request path included in the extracted http.url tag.
upstream: added an option that allows draining HTTP, TCP connection pools on cluster membership change.
upstream: added transport_socket_matches, support using different transport socket config when connecting to different upstream endpoints within a cluster.
upstream: added network filter chains to upstream connections, see filters.
upstream: added new failure-percentage based outlier detection mode.
upstream: uses p2c to select hosts for least-requests load balancers if all host weights are the same, even in cases where weights are not equal to 1.
upstream: added fail_traffic_on_panic to allow failing all requests to a cluster during panic state.
zookeeper: parses responses and emits latency stats.
1.11.2 (October 8, 2019)¶
http: fixed CVE-2019-15226 by adding a cached byte size in HeaderMap.
http: added max headers count for http connections. The default limit is 100.
upstream: runtime feature envoy.reloadable_features.max_response_headers_count overrides the default limit for upstream max headers count
http: added common_http_protocol_options Runtime feature envoy.reloadable_features.max_request_headers_count overrides the default limit for downstream max headers count
regex: backported safe regex matcher fix for CVE-2019-15225.
1.11.1 (August 13, 2019)¶
http: added mitigation of client initiated attacks that result in flooding of the downstream HTTP/2 connections. Those attacks can be logged at the “warning” level when the runtime feature http.connection_manager.log_flood_exception is enabled. The runtime setting defaults to disabled to avoid log spam when under attack.
http: added inbound_empty_frames_flood counter stat to the HTTP/2 codec stats, for tracking number of connections terminated for exceeding the limit on consecutive inbound frames with an empty payload and no end stream flag. The limit is configured by setting the max_consecutive_inbound_frames_with_empty_payload config setting. Runtime feature envoy.reloadable_features.http2_protocol_options.max_consecutive_inbound_frames_with_empty_payload overrides max_consecutive_inbound_frames_with_empty_payload setting. Large override value (i.e. 2147483647) effectively disables mitigation of inbound frames with empty payload.
http: added inbound_priority_frames_flood counter stat to the HTTP/2 codec stats, for tracking number of connections terminated for exceeding the limit on inbound PRIORITY frames. The limit is configured by setting the max_inbound_priority_frames_per_stream config setting. Runtime feature envoy.reloadable_features.http2_protocol_options.max_inbound_priority_frames_per_stream overrides max_inbound_priority_frames_per_stream setting. Large override value effectively disables flood mitigation of inbound PRIORITY frames.
http: added inbound_window_update_frames_flood counter stat to the HTTP/2 codec stats, for tracking number of connections terminated for exceeding the limit on inbound WINDOW_UPDATE frames. The limit is configured by setting the max_inbound_window_update_frames_per_data_frame_sent config setting. Runtime feature envoy.reloadable_features.http2_protocol_options.max_inbound_window_update_frames_per_data_frame_sent overrides max_inbound_window_update_frames_per_data_frame_sent setting. Large override value effectively disables flood mitigation of inbound WINDOW_UPDATE frames.
http: added outbound_flood counter stat to the HTTP/2 codec stats, for tracking number of connections terminated for exceeding the outbound queue limit. The limit is configured by setting the max_outbound_frames config setting Runtime feature envoy.reloadable_features.http2_protocol_options.max_outbound_frames overrides max_outbound_frames config setting. Large override value effectively disables flood mitigation of outbound frames of all types.
http: added outbound_control_flood counter stat to the HTTP/2 codec stats, for tracking number of connections terminated for exceeding the outbound queue limit for PING, SETTINGS and RST_STREAM frames. The limit is configured by setting the max_outbound_control_frames config setting. Runtime feature envoy.reloadable_features.http2_protocol_options.max_outbound_control_frames overrides max_outbound_control_frames config setting. Large override value effectively disables flood mitigation of outbound frames of types PING, SETTINGS and RST_STREAM.
http: enabled strict validation of HTTP/2 messaging. Previous behavior can be restored using stream_error_on_invalid_http_messaging config setting. Runtime feature envoy.reloadable_features.http2_protocol_options.stream_error_on_invalid_http_messaging overrides stream_error_on_invalid_http_messaging config setting.
1.11.0 (July 11, 2019)¶
access log: added a new field for downstream TLS session ID to file and gRPC access logger.
access log: added a new field for route name to file and gRPC access logger.
access log: added a new field for response code details in file access logger and gRPC access logger.
access log: added several new variables for exposing information about the downstream TLS connection to file access logger and gRPC access logger.
access log: added a new flag for request rejected due to failed strict header check.
admin: the administration interface now includes a /ready endpoint for easier readiness checks.
admin: extend /runtime_modify endpoint to support parameters within the request body.
admin: the /listener endpoint now returns listeners.proto which includes listener names and ports.
admin: added host priority to
GET /clusters
andGET /clusters?format=json
endpoint responseadmin: the /clusters endpoint now shows hostname for each host, useful for DNS based clusters.
api: track and report requests issued since last load report.
build: releases are built with Clang and linked with LLD.
config: added :ref:stats_server_version_override` <envoy_api_field_config.bootstrap.v2.Bootstrap.stats_server_version_override>` in bootstrap, that can be used to override server.version statistic.
control-plane: management servers can respond with HTTP 304 to indicate that config is up to date for Envoy proxies polling a REST API Config Type
csrf: added support for whitelisting additional source origins.
dns: added support for getting DNS record TTL which is used by STRICT_DNS/LOGICAL_DNS cluster as DNS refresh rate.
dubbo_proxy: support the dubbo proxy filter.
dynamo_request_parser: adding support for transactions. Adds check for new types of dynamodb operations (TransactWriteItems, TransactGetItems) and awareness for new types of dynamodb errors (IdempotentParameterMismatchException, TransactionCanceledException, TransactionInProgressException).
eds: added support to specify max time for which endpoints can be used gRPC filter.
eds: removed max limit for load_balancing_weight.
event: added loop duration and poll delay statistics.
ext_authz: added a x-envoy-auth-partial-body metadata header set to false|true indicating if there is a partial body sent in the authorization request message.
ext_authz: added configurable status code that allows customizing HTTP responses on filter check status errors.
ext_authz: added option to ext_authz that allows the filter clearing route cache.
grpc-json: added support for auto mapping.
health check: added initial jitter to add jitter to the first health check in order to prevent thundering herd on Envoy startup.
hot restart: stats are no longer shared between hot restart parent/child via shared memory, but rather by RPC. Hot restart version incremented to 11.
http: added the ability to pass a URL encoded PEM encoded peer certificate chain in the x-forwarded-client-cert header.
http: fixed a bug where large unbufferable responses were not tracked in stats and logs correctly.
http: fixed a crashing bug where gRPC local replies would cause segfaults when upstream access logging was on.
http: mitigated a race condition with the delayed_close_timeout where it could trigger while actively flushing a pending write buffer for a downstream connection.
http: added support for preserve_external_request_id that represents whether the x-request-id should not be reset on edge entry inside mesh
http: changed sendLocalReply to send percent-encoded GrpcMessage.
http: added a :ref:header_prefix` <envoy_api_field_config.bootstrap.v2.Bootstrap.header_prefix>` configuration option to allow Envoy to send and process x-custom- prefixed headers rather than x-envoy.
http: added dynamic forward proxy support.
http: tracking the active stream and dumping state in Envoy crash handlers. This can be disabled by building with –define disable_object_dump_on_signal_trace=disabled
jwt_authn: make filter’s parsing of JWT more flexible, allowing syntax like
jwt=eyJhbGciOiJS...ZFnFIw,extra=7,realm=123
listener: added source IP and source port filter chain matching.
lua: exposed functions to Lua to verify digital signature.
original_src filter: added the filter.
outlier_detector: added configuration outlier_detection.split_external_local_origin_errors to distinguish locally and externally generated errors. See Outlier detection for full details.
rbac: migrated from v2alpha to v2.
redis: add support for Redis cluster custom cluster type.
redis: automatically route commands using cluster slots for Redis cluster.
redis: added prefix routing to enable routing commands based on their key’s prefix to different upstream.
redis: added request mirror policy to enable shadow traffic and/or dual writes.
redis: add support for zpopmax and zpopmin commands.
redis: added max_buffer_size_before_flush to batch commands together until the encoder buffer hits a certain size, and buffer_flush_timeout to control how quickly the buffer is flushed if it is not full.
redis: added auth support downstream_auth_password for downstream client authentication, and auth_password to configure authentication passwords for upstream server clusters.
retry: added a retry predicate that rejects canary hosts.
router: add support for configuring a gRPC timeout offset on incoming requests.
router: added ability to control retry back-off intervals via retry policy.
router: added ability to issue a hedged retry in response to a per try timeout via a hedge policy.
router: added a route name field to each http route in route.Route list
router: added several new variables for exposing information about the downstream TLS connection via header formatters.
router: per try timeouts will no longer start before the downstream request has been received in full by the router.This ensures that the per try timeout does not account for slow downstreams and that will not start before the global timeout.
router: added RouteAction’s auto_host_rewrite_header to allow upstream host header substitution with some other header’s value
router: added support for UPSTREAM_REMOTE_ADDRESS header formatter.
router: add ability to reject a request that includes invalid values for headers configured in strict_check_headers
runtime: added support for flexible layering configuration.
runtime: added support for statically specifying the runtime in the bootstrap configuration.
runtime: Runtime Discovery Service (RTDS) support added to layered runtime configuration.
sandbox: added CSRF sandbox.
server:
--define manual_stamp=manual_stamp
was added to allow server stamping outside of binary rules. more info in the bazel docs.server: added server state statistic.
server: added initialization_time_ms statistic.
subset: added list_as_any option to the subset lb which allows matching metadata against any of the values in a list value on the endpoints.
tools: added proto support for router check tool tests.
tracing: add trace sampling configuration to the route, to override the route level.
upstream: added upstream_cx_pool_overflow for the connection pool circuit breaker.
upstream: an EDS management server can now force removal of a host that is still passing active health checking by first marking the host as failed via EDS health check and subsequently removing it in a future update. This is a mechanism to work around a race condition in which an EDS implementation may remove a host before it has stopped passing active HC, thus causing the host to become stranded until a future update.
upstream: added an option that allows ignoring new hosts for the purpose of load balancing calculations until they have been health checked for the first time.
upstream: added runtime error checking to prevent setting dns type to STRICT_DNS or LOGICAL_DNS when custom resolver name is specified.
upstream: added possibility to override fallback_policy per specific selector in subset load balancer.
upstream: the logical DNS cluster now displays the current resolved IP address in admin output instead of 0.0.0.0.
1.10.0 (Apr 5, 2019)¶
access log: added a new flag for upstream retry count exceeded.
access log: added a gRPC filter to allow filtering on gRPC status.
access log: added a new flag for stream idle timeout.
access log: added a new field for upstream transport failure reason in file access logger and gRPC access logger for HTTP access logs.
access log: added new fields for downstream x509 information (URI sans and subject) to file and gRPC access logger.
admin: the admin server can now be accessed via HTTP/2 (prior knowledge).
admin: changed HTTP response status code from 400 to 405 when attempting to GET a POST-only route (such as /quitquitquit).
buffer: fix vulnerabilities when allocation fails.
build: releases are built with GCC-7 and linked with LLD.
build: dev docker images have been split from tagged images for easier discoverability in Docker Hub. Additionally, we now build images for point releases.
config: added support of using google.protobuf.Any in opaque configs for extensions.
config: logging warnings when deprecated fields are in use.
config: removed deprecated –v2-config-only from command line config.
config: removed deprecated_v1 sds_config from Bootstrap config.
config: removed the deprecated_v1 config option from ring hash.
config: removed REST_LEGACY as a valid ApiType.
config: finish cluster warming only when a named response i.e. ClusterLoadAssignment associated to the cluster being warmed comes in the EDS response. This is a behavioural change from the current implementation where warming of cluster completes on missing load assignments also.
config: use Envoy cpuset size to set the default number or worker threads if
--cpuset-threads
is enabled.config: added support for initial_fetch_timeout. The timeout is disabled by default.
cors: added filter_enabled & shadow_enabled RuntimeFractionalPercent flags to filter.
csrf: added CSRF filter.
ext_authz: added support for buffering request body.
ext_authz: migrated from v2alpha to v2 and improved docs.
ext_authz: added a configurable option to make the gRPC service cross-compatible with V2Alpha. Note that this feature is already deprecated. It should be used for a short time, and only when transitioning from alpha to V2 release version.
ext_authz: migrated from v2alpha to v2 and improved the documentation.
ext_authz: authorization request and response configuration has been separated into two distinct objects: authorization request and authorization response. In addition, client headers and upstream headers replaces the previous allowed_authorization_headers object. All the control header lists now support string matcher instead of standard string.
fault: added the max_active_faults setting, as well as statistics for the number of active faults and the number of faults the overflowed.
fault: added response rate limit fault injection.
fault: added HTTP header fault configuration to the HTTP fault filter.
governance: extending Envoy deprecation policy from 1 release (0-3 months) to 2 releases (3-6 months).
health check: expected response codes in http health checks are now configurable.
http: added new grpc_http1_reverse_bridge filter for converting gRPC requests into HTTP/1.1 requests.
http: fixed a bug where Content-Length:0 was added to HTTP/1 204 responses.
http: added max request headers size. The default behaviour is unchanged.
http: added modifyDecodingBuffer/modifyEncodingBuffer to allow modifying the buffered request/response data.
http: added encodeComplete/decodeComplete. These are invoked at the end of the stream, after all data has been encoded/decoded respectively. Default implementation is a no-op.
outlier_detection: added support for outlier detection event protobuf-based logging.
mysql: added a MySQL proxy filter that is capable of parsing SQL queries over MySQL wire protocol. Refer to MySQL proxy for more details.
performance: new buffer implementation (disabled by default; to test it, add “–use-libevent-buffers 0” to the command-line arguments when starting Envoy).
jwt_authn: added filter_state_rules to allow specifying requirements from filterState by other filters.
ratelimit: removed deprecated rate limit configuration from bootstrap.
redis: added hashtagging to guarantee a given key’s upstream.
redis: added latency stats for commands.
redis: added success and error stats for commands.
redis: migrate hash function for host selection to MurmurHash2 from std::hash. MurmurHash2 is compatible with std::hash in GNU libstdc++ 3.4.20 or above. This is typically the case when compiled on Linux and not macOS.
redis: added latency_in_micros to specify the redis commands stats time unit in microseconds.
router: added ability to configure a retry policy at the virtual host level.
router: added reset reason to response body when upstream reset happens. After this change, the response body will be of the form upstream connect error or disconnect/reset before headers. reset reason:
router: added rq_reset_after_downstream_response_started counter stat to router stats.
router: added per-route configuration of internal redirects.
router: removed deprecated route-action level headers_to_add/remove.
router: made max retries header take precedence over the number of retries in route and virtual host retry policies.
router: added support for prefix wildcards in virtual host domains
stats: added support for histograms in prometheus
stats: added usedonly flag to prometheus stats to only output metrics which have been updated at least once.
stats: added gauges tracking remaining resources before circuit breakers open.
tap: added new alpha HTTP tap filter.
tls: enabled TLS 1.3 on the server-side (non-FIPS builds).
upstream: add hash_function to specify the hash function for ring hash as either xxHash or murmurHash2. MurmurHash2 is compatible with std::hash in GNU libstdc++ 3.4.20 or above. This is typically the case when compiled on Linux and not macOS.
upstream: added degraded health value which allows routing to certain hosts only when there are insufficient healthy hosts available.
upstream: add cluster factory to allow creating and registering custom cluster type.
upstream: added a circuit breaker to limit the number of concurrent connection pools in use.
tracing: added verbose to support logging annotations on spans.
upstream: added support for host weighting and locality weighting in the ring hash load balancer, and added a maximum_ring_size config parameter to strictly bound the ring size.
zookeeper: added a ZooKeeper proxy filter that parses ZooKeeper messages (requests/responses/events). Refer to ZooKeeper proxy for more details.
upstream: added configuration option to select any host when the fallback policy fails.
upstream: stopped incrementing upstream_rq_total for HTTP/1 conn pool when request is circuit broken.
1.9.1 (Apr 2, 2019)¶
http: fixed CVE-2019-9900 by rejecting HTTP/1.x headers with embedded NUL characters.
http: fixed CVE-2019-9901 by normalizing HTTP paths prior to routing or L7 data plane processing. This defaults off and is configurable via either HTTP connection manager normalize_path or the runtime.
1.9.0 (Dec 20, 2018)¶
access log: added a JSON logging mode to output access logs in JSON format.
access log: added dynamic metadata to access log messages streamed over gRPC.
access log: added DOWNSTREAM_CONNECTION_TERMINATION.
admin:
POST /logging
now responds with 200 while there are no params.admin: added support for displaying subject alternate names in certs end point.
admin: added host weight to the
GET /clusters?format=json
end point response.admin:
GET /server_info
now responds with a JSON object instead of a single string.admin:
GET /server_info
now exposes what stage of initialization the server is currently in.admin: added support for displaying command line options in
GET /server_info
end point.circuit-breaker: added cx_open, rq_pending_open, rq_open and rq_retry_open gauges to expose live state via circuit breakers statistics.
cluster: set a default of 1s for option.
config: removed support for the v1 API.
config: added support for rate limiting discovery request calls.
cors: added invalid/valid stats to filter.
ext-authz: added support for providing per route config - optionally disable the filter and provide context extensions.
fault: removed integer percentage support.
grpc-json: added support for ignoring query parameters.
health check: added logging health check failure events.
health check: added ability to set authority header value for gRPC health check.
http: added HTTP/2 WebSocket proxying via extended CONNECT.
http: added limits to the number and length of header modifications in all fields request_headers_to_add and response_headers_to_add. These limits are very high and should only be used as a last-resort safeguard.
http: added support for a request timeout. The timeout is disabled by default.
http: no longer adding whitespace when appending X-Forwarded-For headers. Warning: this is not compatible with 1.7.0 builds prior to 9d3a4eb4ac44be9f0651fcc7f87ad98c538b01ee. See #3611 for details.
http: augmented the sendLocalReply filter API to accept an optional GrpcStatus value to override the default HTTP to gRPC status mapping.
http: no longer close the TCP connection when a HTTP/1 request is retried due to a response with empty body.
http: added support for more gRPC content-type headers in gRPC bridge filter, like application/grpc+proto.
listeners: all listener filters are now governed by the listener_filters_timeout setting. The hard coded 15s timeout in the TLS inspector listener filter is superseded by this setting.
listeners: added the ability to match FilterChain using source_type.
load balancer: added a configuration <envoy_api_msg_Cluster.LeastRequestLbConfig> option to specify the number of choices made in P2C.
logging: added missing [ in log prefix.
mongo_proxy: added dynamic metadata.
network: removed the reference to FilterState in Connection in favor of StreamInfo.
rate-limit: added configuration to specify whether the GrpcStatus status returned should be RESOURCE_EXHAUSTED or UNAVAILABLE when a gRPC call is rate limited.
rate-limit: removed support for the legacy ratelimit service and made the data-plane-api rls.proto based implementation default.
rate-limit: removed the deprecated cluster_name attribute in rate limit service configuration.
rate-limit: added rate_limit_service configuration to filters.
rbac: added dynamic metadata to the network level filter.
rbac: added support for permission matching by requested server name.
redis: static cluster configuration is no longer required. Redis proxy will work with clusters delivered via CDS.
router: added ability to configure arbitrary retriable status codes.
router: added ability to set attempt count in upstream requests, see virtual host’s include request attempt count flag.
router: added internal grpc-retry-on policy.
router: added scheme_redirect and port_redirect to define the respective scheme and port rewriting RedirectAction.
router: when max_grpc_timeout is set, Envoy will now add or update the grpc-timeout header to reflect Envoy’s expected timeout.
router: per try timeouts now starts when an upstream stream is ready instead of when the request has been fully decoded by Envoy.
router: added support for not retrying rate limited requests. Rate limit filter now sets the x-envoy-ratelimited header so the rate limited requests that may have been retried earlier will not be retried with this change.
router: added support for enabling upgrades on a per-route basis.
router: support configuring a default fraction of mirror traffic via runtime_fraction.
sandbox: added cors sandbox.
server: added SIGINT (Ctrl-C) handler to gracefully shutdown Envoy like SIGTERM.
stats: added stats_matcher to the bootstrap config for granular control of stat instantiation.
stream: renamed the RequestInfo namespace to StreamInfo to better match its behaviour within TCP and HTTP implementations.
stream: renamed perRequestState to filterState in StreamInfo.
stream: added downstreamDirectRemoteAddress to StreamInfo.
thrift_proxy: introduced thrift rate limiter filter.
tls: added ssl.curves.<curve>, ssl.sigalgs.<sigalg> and ssl.versions.<version> to listener metrics to track TLS algorithms and versions in use.
tls: added support for client-side session resumption.
tls: added support for CRLs in trusted_ca.
tls: added support for multiple server TLS certificates.
tls: added support for password encrypted private keys.
tls: added the ability to build BoringSSL FIPS using
--define boringssl=fips
Bazel option.tls: removed support for ECDSA certificates with curves other than P-256.
tls: removed support for RSA certificates with keys smaller than 2048-bits.
tracing: added support to the Zipkin tracer for the b3 single header format.
tracing: added support for Datadog tracer.
upstream: added scale_locality_weight to enable scaling locality weights by number of hosts removed by subset lb predicates.
upstream: changed how load calculation for priority levels and panic thresholds interact. As long as normalized total health is 100% panic thresholds are disregarded.
upstream: changed the default hash for ring hash from std::hash to xxHash.
upstream: when using active health checking and STRICT_DNS with several addresses that resolve to the same hosts, Envoy will now health check each host independently.
1.8.0 (Oct 4, 2018)¶
access log: added response flag filter to filter based on the presence of Envoy response flags.
access log: added RESPONSE_DURATION and RESPONSE_TX_DURATION.
access log: added REQUESTED_SERVER_NAME for SNI to tcp_proxy and http
admin: added
GET /hystrix_event_stream
as an endpoint for monitoring envoy’s statistics through Hystrix dashboard.cli: added support for component log level command line option for configuring log levels of individual components.
cluster: added option to merge health check/weight/metadata updates within the given duration.
config: regex validation added to limit to a maximum of 1024 characters.
config: v1 disabled by default. v1 support remains available until October via flipping –v2-config-only=false.
config: v1 disabled by default. v1 support remains available until October via deprecated flag –allow-deprecated-v1-api.
config: fixed stat inconsistency between xDS and ADS implementation. update_failure stat is incremented in case of network failure and update_rejected stat is incremented in case of schema/validation error.
config: added a stat connected_state that indicates current connected state of Envoy with management server.
ext_authz: added support for configuring additional authorization headers to be sent from Envoy to the authorization service.
fault: added support for fractional percentages in FaultDelay and in FaultAbort.
grpc-json: added support for building HTTP response from google.api.HttpBody.
health check: added support for custom health check.
health check: added support for specifying jitter as a percentage.
health_check: added support for health check event logging.
health_check: added timestamp to the health check event definition.
health_check: added support for specifying custom request headers to HTTP health checker requests.
http: added support for a per-stream idle timeout. This applies at both connection manager and per-route granularity. The timeout defaults to 5 minutes; if you have other timeouts (e.g. connection idle timeout, upstream response per-retry) that are longer than this in duration, you may want to consider setting a non-default per-stream idle timeout.
http: added upstream_rq_completed counter for total requests completed to dynamic HTTP counters.
http: added downstream_rq_completed counter for total requests completed, including on a per-listener basis.
http: added generic Upgrade support.
http: better handling of HEAD requests. Now sending transfer-encoding: chunked rather than content-length: 0.
http: fixed missing support for appending to predefined inline headers, e.g. authorization, in features that interact with request and response headers, e.g. request_headers_to_add. For example, a request header authorization: token1 will appear as authorization: token1,token2, after having request_headers_to_add with authorization: token2 applied.
http: response filters not applied to early error paths such as http_parser generated 400s.
http: restrictions added to reject :-prefixed pseudo-headers in custom request headers.
http: hpack_table_size now controls dynamic table size of both: encoder and decoder.
http: added support for removing request headers using request_headers_to_remove.
http: added support for a delayed close timeout to mitigate race conditions when closing connections to downstream HTTP clients. The timeout defaults to 1 second.
jwt-authn filter: add support for per route JWT requirements.
listeners: added the ability to match FilterChain using destination_port and prefix_ranges.
lua: added connection() wrapper and ssl() API.
lua: added streamInfo() wrapper and protocol() API.
lua: added streamInfo():dynamicMetadata() API.
network: introduced sni_cluster network filter that forwards connections to the upstream cluster specified by the SNI value presented by the client during a TLS handshake.
proxy_protocol: added support for HAProxy Proxy Protocol v2 (AF_INET/AF_INET6 only).
ratelimit: added support for api/envoy/service/ratelimit/v2/rls.proto. Lyft’s reference implementation of the ratelimit service also supports the data-plane-api proto as of v1.1.0. Envoy can use either proto to send client requests to a ratelimit server with the use of the use_data_plane_proto boolean flag in the ratelimit configuration. Support for the legacy proto source/common/ratelimit/ratelimit.proto is deprecated and will be removed at the start of the 1.9.0 release cycle.
ratelimit: added failure_mode_deny option to control traffic flow in case of rate limit service error.
rbac config: added a principal_name field and removed the old name field to give more flexibility for matching certificate identity.
rbac network filter: a role-based access control network filter has been added.
rest-api: added ability to set the request timeout for REST API requests.
route checker: added v2 config support and removed support for v1 configs.
router: added ability to set request/response headers at the route.Route level.
stats: added option to configure the DogStatsD metric name prefix to DogStatsdSink.
tcp_proxy: added support for weighted clusters.
thrift_proxy: introduced thrift routing, moved configuration to correct location
thrift_proxy: introduced thrift configurable decoder filters
tls: implemented Secret Discovery Service.
tracing: added support for configuration of tracing sampling.
upstream: added configuration option to the subset load balancer to take locality weights into account when selecting a host from a subset.
upstream: require opt-in to use the x-envoy-original-dst-host header for overriding destination address when using the Original Destination load balancing policy.
1.7.0 (Jun 21, 2018)¶
access log: added ability to log response trailers.
access log: added ability to format START_TIME.
access log: added DYNAMIC_METADATA access log formatter.
access log: added HeaderFilter to filter logs based on request headers.
access log: added %([1-9])?f as one of START_TIME specifiers to render subseconds.
access log: gRPC Access Log Service (ALS) support added for HTTP access logs.
access log: improved WebSocket logging.
admin: added
GET /config_dump
for dumping the current configuration and associated xDS version information (if applicable).admin: added
GET /clusters?format=json
for outputing a JSON-serialized proto detailing the current status of all clusters.admin: added
GET /stats/prometheus
as an alternative endpoint for getting stats in prometheus format.admin: added /runtime_modify endpoint to add or change runtime values.
admin: mutations must be sent as POSTs, rather than GETs. Mutations include:
POST /cpuprofiler
,POST /healthcheck/fail
,POST /healthcheck/ok
,POST /logging
,POST /quitquitquit
,POST /reset_counters
,POST /runtime_modify?key1=value1&key2=value2&keyN=valueN
.admin: removed /routes endpoint; route configs can now be found at the /config_dump endpoint.
buffer filter: the buffer filter can be optionally disabled or overridden with route-local configuration.
cli: added –config-yaml flag to the Envoy binary. When set its value is interpreted as a yaml representation of the bootstrap config and overrides –config-path.
cluster: added option to close tcp_proxy upstream connections when health checks fail.
cluster: added option to drain connections from hosts after they are removed from service discovery, regardless of health status.
cluster: fixed bug preventing the deletion of all endpoints in a priority
debug: added symbolized stack traces (where supported)
ext-authz filter: added support to raw HTTP authorization.
ext-authz filter: added support to gRPC responses to carry HTTP attributes.
grpc: support added for the full set of Google gRPC call credentials.
gzip filter: added stats to the filter.
gzip filter: sending accept-encoding header as identity no longer compresses the payload.
health check: added ability to set additional HTTP headers for HTTP health check.
health check: added support for EDS delivered endpoint health status.
health check: added interval overrides for health state transitions from healthy to unhealthy, unhealthy to healthy and for subsequent checks on unhealthy hosts.
health check: added support for custom health check.
health check: health check connections can now be configured to use http/2.
health check http filter: added generic header matching to trigger health check response. Deprecated the endpoint option.
http: filters can now optionally support virtual host, route, and weighted cluster local configuration.
http: added the ability to pass DNS type Subject Alternative Names of the client certificate in the x-forwarded-client-cert header.
http: local responses to gRPC requests are now sent as trailers-only gRPC responses instead of plain HTTP responses. Notably the HTTP response code is always “200” in this case, and the gRPC error code is carried in “grpc-status” header, optionally accompanied with a text message in “grpc-message” header.
http: added support for via header append.
http: added a configuration option to elide x-forwarded-for header modifications.
http: fixed a bug in inline headers where addCopy and addViaMove didn’t add header values when encountering inline headers with multiple instances.
listeners: added tcp_fast_open_queue_length option.
listeners: added the ability to match FilterChain using application_protocols (e.g. ALPN for TLS protocol).
listeners: sni_domains has been deprecated/renamed to server_names.
listeners: removed restriction on all filter chains having identical filters.
load balancer: added weighted round robin support. The round robin scheduler now respects endpoint weights and also has improved fidelity across picks.
load balancer: locality weighted load balancing is now supported.
load balancer: ability to configure zone aware load balancer settings through the API.
load balancer: the weighted least request load balancing algorithm has been improved to have better balance when operating in weighted mode.
logger: added the ability to optionally set the log format via the
--log-format
option.logger: all logging levels can be configured at run-time: trace debug info warning error critical.
rbac http filter: a role-based access control http filter has been added.
router: the behavior of per-try timeouts have changed in the case where a portion of the response has already been proxied downstream when the timeout occurs. Previously, the response would be reset leading to either an HTTP/2 reset or an HTTP/1 closed connection and a partial response. Now, the timeout will be ignored and the response will continue to proxy up to the global request timeout.
router: changed the behavior of source IP routing to ignore the source port.
router: added an prefix_match match type to explicitly match based on the prefix of a header value.
router: added an suffix_match match type to explicitly match based on the suffix of a header value.
router: added an present_match match type to explicitly match based on a header’s presence.
router: added an invert_match config option which supports inverting all other match types to match based on headers which are not a desired value.
router: allow cookie routing to generate session cookies.
router: added START_TIME as one of supported variables in header formatters.
router: added a max_grpc_timeout config option to specify the maximum allowable value for timeouts decoded from gRPC header field grpc-timeout.
router: added a configuration option to disable x-envoy- header generation.
router: added ‘unavailable’ to the retriable gRPC status codes that can be specified through x-envoy-retry-grpc-on.
sockets: added tap transport socket extension to support recording plain text traffic and PCAP generation.
sockets: added IP_FREEBIND socket option support for listeners and upstream connections via cluster manager wide and cluster specific options.
sockets: added IP_TRANSPARENT socket option support for listeners.
sockets: added SO_KEEPALIVE socket option for upstream connections per cluster.
stats: added support for histograms.
stats: added option to configure the statsd prefix.
stats: updated stats sink interface to flush through a single call.
tls: added support for verify_certificate_spki.
tls: added support for multiple verify_certificate_hash values.
tls: added support for using verify_certificate_spki and verify_certificate_hash without trusted_ca.
tls: added support for allowing expired certificates with allow_expired_certificate.
tls: added support for renegotiation when acting as a client.
tls: removed support for legacy SHA-2 CBC cipher suites.
tracing: the sampling decision is now delegated to the tracers, allowing the tracer to decide when and if to use it. For example, if the x-b3-sampled header is supplied with the client request, its value will override any sampling decision made by the Envoy proxy.
websocket: support configuring idle_timeout and max_connect_attempts.
upstream: added support for host override for a request in Original destination host request header.
header to metadata: added HTTP Header to Metadata filter.
1.6.0 (March 20, 2018)¶
access log: added DOWNSTREAM_REMOTE_ADDRESS, DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT, and DOWNSTREAM_LOCAL_ADDRESS access log formatters. DOWNSTREAM_ADDRESS access log formatter has been deprecated.
access log: added less than or equal (LE) comparison filter.
access log: added configuration to runtime filter to set default sampling rate, divisor, and whether to use independent randomness or not.
admin: added /runtime admin endpoint to read the current runtime values.
build: added support for building Envoy with exported symbols. This change allows scripts loaded with the Lua filter to load shared object libraries such as those installed via LuaRocks.
config: added support for sending error details as grpc.rpc.Status in DiscoveryRequest.
config: added support for inline delivery of TLS certificates and private keys.
config: added restrictions for the backing config sources of xDS resources. For filesystem based xDS the file must exist at configuration time. For cluster based xDS the backing cluster must be statically defined and be of non-EDS type.
grpc: the Google gRPC C++ library client is now supported as specified in the gRPC services overview and GrpcService.
grpc-json: added support for inline descriptors.
health check: added gRPC health check based on grpc.health.v1.Health service.
health check: added ability to set host header value for http health check.
health check: extended the health check filter to support computation of the health check response based on the percentage of healthy servers in upstream clusters.
health check: added setting for no-traffic interval.
http: added idle timeout for upstream http connections.
http: added support for proxying 100-Continue responses.
http: added the ability to pass a URL encoded PEM encoded peer certificate in the x-forwarded-client-cert header.
http: added support for trusting additional hops in the x-forwarded-for request header.
http: added support for incoming HTTP/1.0.
hot restart: added SIGTERM propagation to children to hot-restarter.py, which enables using it as a parent of containers.
ip tagging: added HTTP IP Tagging filter.
listeners: added support for listening for both IPv4 and IPv6 when binding to ::.
listeners: added support for listening on UNIX domain sockets.
listeners: added support for abstract unix domain sockets on Linux. The abstract namespace can be used by prepending ‘@’ to a socket path.
load balancer: added cluster configuration for healthy panic threshold percentage.
load balancer: added Maglev consistent hash load balancer.
load balancer: added support for LocalityLbEndpoints priorities.
lua: added headers replace() API.
lua: extended to support metadata object API.
redis: added local PING support to the Redis filter.
redis: added GEORADIUS_RO and GEORADIUSBYMEMBER_RO to the Redis command splitter whitelist.
router: added DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT, DOWNSTREAM_LOCAL_ADDRESS, DOWNSTREAM_LOCAL_ADDRESS_WITHOUT_PORT, PROTOCOL, and UPSTREAM_METADATA header formatters. The CLIENT_IP header formatter has been deprecated.
router: added gateway-error retry-on policy.
router: added support for route matching based on URL query string parameters.
router: added support for more granular weighted cluster routing by allowing the total_weight to be specified in configuration.
router: added support for custom request/response headers with mixed static and dynamic values.
router: added support for direct responses. I.e., sending a preconfigured HTTP response without proxying anywhere.
router: added support for HTTPS redirects on specific routes.
router: added support for prefix_rewrite for redirects.
router: added support for stripping the query string for redirects.
router: added support for downstream request/upstream response header manipulation in weighted cluster.
router: added support for range based header matching for request routing.
squash: added support for the Squash microservices debugger. Allows debugging an incoming request to a microservice in the mesh.
stats: added metrics service API implementation.
stats: added native DogStatsd support.
stats: added support for fixed stats tag values which will be added to all metrics.
tcp proxy: added support for specifying a metadata matcher for upstream clusters in the tcp filter.
tcp proxy: improved TCP proxy to correctly proxy TCP half-close.
tcp proxy: added idle timeout.
tcp proxy: access logs now bring an IP address without a port when using DOWNSTREAM_ADDRESS. Use DOWNSTREAM_REMOTE_ADDRESS instead.
tracing: added support for dynamically loading an OpenTracing tracer.
tracing: when using the Zipkin tracer, it is now possible for clients to specify the sampling decision (using the x-b3-sampled header) and have the decision propagated through to subsequently invoked services.
tracing: when using the Zipkin tracer, it is no longer necessary to propagate the x-ot-span-context header. See more on trace context propagation here.
transport sockets: added transport socket interface to allow custom implementations of transport sockets. A transport socket provides read and write logic with buffer encryption and decryption (if applicable). The existing TLS implementation has been refactored with the interface.
upstream: added support for specifying an alternate stats name while emitting stats for clusters.
Many small bug fixes and performance improvements not listed.
1.5.0 (December 4, 2017)¶
access log: added fields for UPSTREAM_LOCAL_ADDRESS and DOWNSTREAM_ADDRESS.
admin: added JSON output for stats admin endpoint.
admin: added basic Prometheus output for stats admin endpoint. Histograms are not currently output.
admin: added
version_info
to the /clusters admin endpoint.config: the v2 API is now considered production ready.
config: added –v2-config-only CLI flag.
cors: added CORS filter.
health check: added x-envoy-immediate-health-check-fail header support.
health check: added reuse_connection option.
http: added per-listener stats.
http: end-to-end HTTP flow control is now complete across both connections, streams, and filters.
load balancer: added subset load balancer.
load balancer: added ring size and hash configuration options. This used to be configurable via runtime. The runtime configuration was deleted without deprecation as we are fairly certain no one is using it.
log: added the ability to optionally log to a file instead of stderr via the
--log-path
option.listeners: added drain_type option.
lua: added experimental Lua filter.
mongo filter: added fault injection.
mongo filter: added “drain close” support.
outlier detection: added HTTP gateway failure type. See deprecated log for outlier detection stats deprecations in this release.
redis: the redis proxy filter is now considered production ready.
redis: added “drain close” functionality.
router: added x-envoy-overloaded support.
router: added regex route matching.
router: added custom request headers for upstream requests.
router: added downstream IP hashing for HTTP ketama routing.
router: added cookie hashing.
router: added start_child_span option to create child span for egress calls.
router: added optional upstream logs.
router: added complete custom append/override/remove support of request/response headers.
router: added support to specify response code during redirect.
router: added configuration to return either a 404 or 503 if the upstream cluster does not exist.
runtime: added comment capability.
server: change default log level (
-l
) to info.stats: maximum stat/name sizes and maximum number of stats are now variable via the –max-obj-name-len and –max-stats options.
tcp proxy: added access logging.
tcp proxy: added configurable connect retries.
tcp proxy: enable use of outlier detector.
tls: added SNI support.
tls: added support for specifying TLS session ticket keys.
tls: allow configuration of the min and max TLS protocol versions.
tracing: added custom trace span decorators.
Many small bug fixes and performance improvements not listed.
1.4.0 (August 24, 2017)¶
macOS is now supported. (A few features are missing such as hot restart and original destination routing).
YAML is now directly supported for config files.
Added /routes admin endpoint.
End-to-end flow control is now supported for TCP proxy, HTTP/1, and HTTP/2. HTTP flow control that includes filter buffering is incomplete and will be implemented in 1.5.0.
Log verbosity compile time flag added.
Hot restart compile time flag added.
Original destination cluster and load balancer added.
WebSocket is now supported.
Virtual cluster priorities have been hard removed without deprecation as we are reasonably sure no one is using this feature.
Route validate_clusters option added.
x-envoy-downstream-service-node header added.
x-forwarded-client-cert header added.
Initial HTTP/1 forward proxy support for absolute URLs has been added.
HTTP/2 codec settings are now configurable.
gRPC/JSON transcoder filter added.
gRPC web filter added.
Configurable timeout for the rate limit service call in the network and HTTP rate limit filters.
x-envoy-retry-grpc-on header added.
LDS API added.
TLS :require_client_certificate option added.
Configuration check tool added.
JSON schema check tool added.
Config validation mode added via the
--mode
option.--local-address-ip-version
option added.IPv6 support is now complete.
UDP statsd_ip_address option added.
Per-cluster DNS resolvers added.
Fault filter enhancements and fixes.
Several features are deprecated as of the 1.4.0 release. They will be removed at the beginning of the 1.5.0 release cycle. We explicitly call out that the HttpFilterConfigFactory filter API has been deprecated in favor of NamedHttpFilterConfigFactory.
Many small bug fixes and performance improvements not listed.
1.3.0 (May 17, 2017)¶
As of this release, we now have an official breaking change policy. Note that there are numerous breaking configuration changes in this release. They are not listed here. Future releases will adhere to the policy and have clear documentation on deprecations and changes.
Bazel is now the canonical build system (replacing CMake). There have been a huge number of changes to the development/build/test flow. See /bazel/README.md and /ci/README.md for more information.
Outlier detection has been expanded to include success rate variance, and all parameters are now configurable in both runtime and in the JSON configuration.
TCP level listener and cluster connections now have configurable receive buffer limits at which point connection level back pressure is applied. Full end to end flow control will be available in a future release.
Redis health checking has been added as an active health check type. Full Redis support will be documented/supported in 1.4.0.
TCP health checking now supports a “connect only” mode that only checks if the remote server can be connected to without writing/reading any data.
BoringSSL is now the only supported TLS provider. The default cipher suites and ECDH curves have been updated with more modern defaults for both listener and cluster connections.
The header value match rate limit action has been expanded to include an expect match parameter.
Route level HTTP rate limit configurations now do not inherit the virtual host level configurations by default. Use include_vh_rate_limits to inherit the virtual host level options if desired.
HTTP routes can now add request headers on a per route and per virtual host basis via the request_headers_to_add option.
The example configurations have been refreshed to demonstrate the latest features.
per_try_timeout_ms can now be configured in a route’s retry policy in addition to via the x-envoy-upstream-rq-per-try-timeout-ms HTTP header.
HTTP virtual host matching now includes support for prefix wildcard domains (e.g., *.lyft.com).
The default for tracing random sampling has been changed to 100% and is still configurable in runtime.
HTTP tracing configuration has been extended to allow tags to be populated from arbitrary HTTP headers.
The HTTP rate limit filter can now be applied to internal, external, or all requests via the request_type option.
Listener binding now requires specifying an address field. This can be used to bind a listener to both a specific address as well as a port.
The MongoDB filter now emits a stat for queries that do not have $maxTimeMS set.
The MongoDB filter now emits logs that are fully valid JSON.
The CPU profiler output path is now configurable.
A watchdog system has been added that can kill the server if a deadlock is detected.
A route table checking tool has been added that can be used to test route tables before use.
We have added an example repo that shows how to compile/link a custom filter.
Added additional cluster wide information related to outlier detection to the /clusters admin endpoint.
Multiple SANs can now be verified via the verify_subject_alt_name setting. Additionally, URI type SANs can be verified.
HTTP filters can now be passed opaque configuration specified on a per route basis.
By default Envoy now has a built in crash handler that will print a back trace. This behavior can be disabled if desired via the
--define=signal_trace=disabled
Bazel option.Zipkin has been added as a supported tracing provider.
Numerous small changes and fixes not listed here.
1.2.0 (March 7, 2017)¶
Outlier detection (passive health checking).
Envoy configuration is now checked against a JSON schema.
Ring hash consistent load balancer, as well as HTTP consistent hash routing based on a policy.
Vastly enhanced global rate limit configuration via the HTTP rate limiting filter.
HTTP routing to a cluster retrieved from a header.
Weighted cluster HTTP routing.
Auto host rewrite during HTTP routing.
Regex header matching during HTTP routing.
HTTP access log runtime filter.
LightStep tracer parent/child span association.
HTTP router x-envoy-upstream-rq-timeout-alt-response header support.
use_original_dst and bind_to_port listener options (useful for iptables based transparent proxy support).
TCP proxy filter route table support.
Configurable stats flush interval.
Various third party library upgrades, including using BoringSSL as the default SSL provider.
No longer maintain closed HTTP/2 streams for priority calculations. Leads to substantial memory savings for large meshes.
Numerous small changes and fixes not listed here.
1.1.0 (November 30, 2016)¶
Switch from Jannson to RapidJSON for our JSON library (allowing for a configuration schema in 1.2.0).
Upgrade recommended version of various other libraries.
Configurable DNS refresh rate for DNS service discovery types.
Upstream circuit breaker configuration can be overridden via runtime.
Generic header matching routing rule.
HTTP/2 graceful connection draining (double GOAWAY).
DynamoDB filter per shard statistics (pre-release AWS feature).
Initial release of the fault injection HTTP filter.
HTTP rate limit filter enhancements (note that the configuration for HTTP rate limiting is going to be overhauled in 1.2.0).
Added refused-stream retry policy.
Multiple priority queues for upstream clusters (configurable on a per route basis, with separate connection pools, circuit breakers, etc.).
Added max connection circuit breaking to the TCP proxy filter.
Added CLI options for setting the logging file flush interval as well as the drain/shutdown time during hot restart.
A very large number of performance enhancements for core HTTP/TCP proxy flows as well as a few new configuration flags to allow disabling expensive features if they are not needed (specifically request ID generation and dynamic response code stats).
Support Mongo 3.2 in the Mongo sniffing filter.
Lots of other small fixes and enhancements not listed.
1.0.0 (September 12, 2016)¶
Initial open source release.