0.10.3 - 2017/05/24
- We noticed that some distribution packages were not building OpenResty against a JITable PCRE library. This happened on Ubuntu and RHEL environments where OpenResty was built against the system's PCRE installation. We now compile OpenResty against a JITable PCRE source for those platforms, which should result in significant performance improvements in regex matching. Mashape/kong-distributions #9
- TLS connections are now handled with a modern list of accepted ciphers, as per the Mozilla recommended TLS ciphers list. See https://wiki.mozilla.org/Security/Server_Side_TLS. This behavior is configurable via the newly introduced configuration properties described in the below "Added" section.
- Plugins:
- rate-limiting: Performance improvements when using the
clusterpolicy. The number of round trips to the database has been limited to the number of configured limits. #2488
- rate-limiting: Performance improvements when using the
- New
ssl_cipher_suiteandssl_ciphersconfiguration properties to configure the desired set of accepted ciphers, based on the Mozilla recommended TLS ciphers list. #2555 - New
proxy_ssl_certificateandproxy_ssl_certificate_keyconfiguration properties. These properties configure the Nginx directives bearing the same name, to set client certificates to Kong when connecting to your upstream services. #2556 - Proxy and Admin API access and error log paths are now configurable. Access logs can be entirely disabled if desired. #2552
- Plugins:
- APIs matching: prioritize APIs with longer
uriswhen said APIs also definehostsand/ormethodsas well. Thanks @leonzz for the patch. #2523 - SSL connections to Cassandra can now properly verify the
certificate in use (when
cassandra_ssl_verifyis enabled). #2531 - The DNS resolver no longer sends a A or AAAA DNS queries for SRV records. This should improve performance by avoiding unecessary lookups. #2563 & Mashape/lua-resty-dns-client #12
- Plugins
- All authentication plugins don't throw an error anymore when
invalid credentials are given and the
anonymoususer isn't configured. #2508 - rate-limiting: Effectively use the desired Redis database when
the
redispolicy is in use and theconfig.redis_databaseproperty is set. #2481 - cors: The regression introduced in 0.10.1 regarding not
sending the
*wildcard whenconf.originwas not specified has been fixed. #2518 - oauth2: properly check the client application ownership of a token before refreshing it. #2461
- All authentication plugins don't throw an error anymore when
invalid credentials are given and the
0.10.2 - 2017/05/01
- The Kong DNS resolver now honors the
MAXNSsetting (3) when parsing the nameservers specified inresolv.conf. #2290 - Kong now matches incoming requests via the
$request_uriproperty, instead of$uri, in order to better handle percent-encoded URIS. A more detailed explanation will be included in the below "Fixed" section. #2377 - Upstream calls do not unconditionally include a trailing
/anymore. See the below "Added" section for more details. #2315 - Admin API:
- The "active targets" endpoint now only return the most recent nonzero weight Targets, instead of all nonzero weight targets. This is to provide a better picture of the Targets currently in use by the Kong load balancer. #2310
- 🎆 Plugins can implement a new
rewritehandler to execute code in the Nginx rewrite phase. This phase is executed prior to matching a registered Kong API, and prior to any authentication plugin. As such, only global plugins (neither tied to an API or Consumer) will execute this phase. #2354 - Ability for the client to chose whether the upstream request (Kong <-> upstream) should contain a trailing slash in its URI. Prior to this change, Kong 0.10 would unconditionally append a trailing slash to all upstream requests. The added functionality is described in #2211, and was implemented in #2315.
- Ability to hide Kong-specific response headers. Two new configuration fields:
server_tokensandlatency_tokenswill respectively toggle whether theServerandX-Kong-*-Latencyheaders should be sent to downstream clients. #2259 - New
cassandra_schema_consensus_timeoutconfiguration property, to allow for Kong to wait for the schema consensus of your Cassandra cluster during migrations. #2326 - Serf commands executed by a running Kong node are now logged in the Nginx
error logs with a
DEBUGlevel. #2410 - Ensure the required shared dictionaries are defined in the Nginx configuration. This will prevent custom Nginx templates from potentially resulting in a breaking upgrade for users. #2466
- Admin API:
- Target Objects can now be deleted with their ID as well as their name. The
endpoint becomes:
/upstreams/:name_or_id/targets/:target_or_id. #2304
- Target Objects can now be deleted with their ID as well as their name. The
endpoint becomes:
- Plugins:
- 🎆 New Request termination plugin. This plugin allows to temporarily disable an API and return a pre-configured response status and body to your client. Useful for use-cases such as maintenance mode for your upstream services. Thanks to @pauldaustin for the contribution. #2051
- Logging plugins: The produced logs include two new fields: a
consumerfield, which contains the properties of the authenticated Consumer (id,custom_id, andusername), if any, and atriesfield, which includes the upstream connection successes and failures of the load- balancer. #2367 #2429 - http-log: Now set an upstream HTTP basic access authentication header if
the configured
conf.http_endpointparameter includes an authentication section. Thanks @amir for the contribution. #2432 - file-log: New
config.reopenproperty to close and reopen the log file on every request, in order to effectively rotate the logs. #2348 - jwt: Returns
401 Unauthorizedon invalid claims instead of the previous403 Forbiddenstatus. #2433 - key-auth: Allow setting API key header names with an underscore. #2370
- cors: When
config.credentials = true, we do not send an ACAO header with value*. The ACAO header value will be that of the request'sOrigin:header. #2451
- Upstream connections over TLS now set their Client Hello SNI field. The SNI
value is taken from the upstream
Hostheader value, and thus also depends on thepreserve_hostsetting of your API. Thanks @konrade for the original patch. #2225 - Correctly match APIs with percent-encoded URIs in their
urisproperty. Generally, this change also avoids normalizing (and thus, potentially altering) the request URI when trying to match an API'surisvalue. Instead of relying on the Nginx$urivariable, we now use$request_uri. #2377 - Handle a routing edge-case under some conditions with the
urismatching rule of APIs that would falsely lead Kong into believing no API was matched for what would actually be a valid request. #2343 - If no API was configured with a
hostsmatching rule, then thepreserve_hostflag would never be honored. #2344 - CNAME records are now properly being cached by the DNS resolver. This results in a performance improvement over previous 0.10 versions. #2303
- When using Cassandra, some migrations would not be performed on the same coordinator as the one originally chosen. The same migrations would also require a response from other replicas in a cluster, but were not waiting for a schema consensus beforehand, causing indeterministic failures in the migrations, especially if the cluster's inter-nodes communication is slow. #2326
- The
cassandra_timeoutconfiguration property is now correctly taken into consideration by Kong. #2326 - Correctly trigger plugins configured on the anonymous Consumer for anonymous
requests (from auth plugins with the new
config.anonymousparameter). #2424 - When multiple auth plugins were configured with the recent
config.anonymousparameter for "OR" authentication, such plugins would override each other's results and response headers, causing false negatives. #2222 - Ensure the
cassandra_contact_pointsproperty does not contain any port information. Those should be specified incassandra_port. Thanks @Vermeille for the contribution. #2263 - Prevent an upstream or legitimate internal error in the load balancing code from throwing a Lua-land error as well. #2327
- Allow backwards compatibility with custom Nginx configurations that still
define the
resolver ${{DNS_RESOLVER}}directive. Vales from the Kongdns_resolverproperty will be flattened to a string and appended to the directive. #2386 - Plugins:
- hmac: Better handling of invalid base64-encoded signatures. Previously Kong would return an HTTP 500 error. We now properly return HTTP 403 Forbidden. #2283
- Admin API:
- Detect conflicts between SNI Objects in the
/snisand/certificatesendpoint. #2285 - The
/certificatesroute used to not return thetotalanddataJSON fields. We now send those fields back instead of a root list of certificate objects. #2463 - Endpoints with path parameters like
/xxx_or_idwill now also yield the proper result if thexxxfield is formatted as a UUID. Most notably, this fixes a problem for Consumers whoseusernameis a UUID, that could not be found when requesting/consumers/{username_as_uuid}. #2420 - The "active targets" endpoint does not require a trailing slash anymore. #2307
- Upstream Objects can now be deleted properly when using Cassandra. #2404
- Detect conflicts between SNI Objects in the
0.10.1 - 2017/03/27
-
⚠️ Serf has been downgraded to version 0.7 in our distributions, although versions up to 0.8.1 are still supported. This fixes a problem when automatically detecting the first non-loopback private IP address, which was defaulted to127.0.0.1in Kong 0.10.0. Greater versions of Serf can still be used, but the IP address needs to be manually specified in thecluster_advertiseconfiguration property. -
⚠️ The CORS Plugin parameterconfig.originis nowconfig.origins. #2203🔴 Post-release note (as of 2017/05/12): A faulty behavior has been observed with this change. Previously, the plugin would send the
*wildcard whenconfig.originwas not specified. With this change, the plugin does not send the*wildcard by default anymore. You will need to specify it manually when configuring the plugin, withconfig.origins=*. This behavior is to be fixed in a future release.✅ Update (2017/05/24): A fix to this regression has been released as part of 0.10.3. See the section of the Changelog related to this release for more details.
-
Admin API:
- Disable support for TLS/1.0. #2212
- Admin API:
- Active targets can be pulled with
GET /upstreams/{name}/targets/active. #2230 - Provide a convenience endpoint to disable targets at:
DELETE /upstreams/{name}/targets/{target}. Under the hood, this creates a new target withweight = 0(the correct way of disabling targets, which used to cause confusion). #2256
- Active targets can be pulled with
- Plugins:
- cors: Support for configuring multiple Origin domains. #2203
- Use an LRU cache for Lua-land entities caching to avoid exhausting the Lua VM memory in long-running instances. #2246
- Avoid potential deadlocks upon callback errors in the caching module for database entities. #2197
- Relax multipart MIME type parsing. A space is allowed in between values of the Content-Type header. #2215
- Admin API:
- Better handling of non-supported HTTP methods on endpoints of the Admin
API. In some cases this used to throw an internal error. Calling any
endpoint with a non-supported HTTP method now always returns
405 Method Not Allowedas expected. #2213
- Better handling of non-supported HTTP methods on endpoints of the Admin
API. In some cases this used to throw an internal error. Calling any
endpoint with a non-supported HTTP method now always returns
- CLI:
- Better error handling when missing Serf executable. #2218
- Fix a bug in the
kong migrationscommand that would prevent it to run correctly. #2238 - Trim list values specified in the configuration file. #2206
- Align the default configuration file's values to the actual, hard-coded default values to avoid confusion. #2254
- Plugins:
- hmac: Generate an HMAC secret value if none is provided. #2158
- oauth2: Don't try to remove credential values from request bodies if the MIME type is multipart, since such attempts would result in an error. #2176
- ldap: This plugin should not be applied to a single Consumer, however, this was not properly enforced. It is now impossible to apply this plugin to a single Consumer (as per all authentication plugin). #2237
- aws-lambda: Support for
us-west-2region in schema. #2257
0.10.0 - 2017/03/07
Kong 0.10 is one of most significant releases to this day. It ships with exciting new features that have been heavily requested for the last few months, such as load balancing, Cassandra 3.0 compatibility, Websockets support, internal DNS resolution (A and SRV records without Dnsmasq), and more flexible matching capabilities for APIs routing.
On top of those new features, this release received a particular attention to performance, and brings many improvements and refactors that should make it perform significantly better than any previous version.
⚠️ API Objects (as configured via the Admin API) do not support therequest_hostandrequest_urifields anymore. The 0.10 migrations should upgrade your current API Objects, but make sure to read the new 0.10 Proxy Guide to learn the new routing capabilities of Kong. On the good side, this means that Kong can now route incoming requests according to a combination of Host headers, URIs, and HTTP methods.⚠️ Final slashes inupstream_urlare no longer allowed. #2115⚠️ The SSL plugin has been removed and dynamic SSL capabilities have been added to Kong core, and are configurable via new properties on the API entity. See the related PR for a detailed explanation of this change. #1970⚠️ Drop the Dnsmasq dependency. We now internally resolve both A and SRV DNS records. #1587⚠️ Dropping support for insecureTLS/1.0and defaultingUpgraderesponses toTLS/1.2. #2119- Bump the compatible OpenResty version to
1.11.2.1and1.11.2.2. Support for OpenResty1.11.2.2requires the--without-luajit-lua52compilation flag. - Separate Admin API and Proxy error logs. Admin API logs are now written to
logs/admin_access.log. #1782 - Auto-generates stronger SHA-256 with RSA encryption SSL certificates. #2117
- 🎆 Support for Cassandra 3.x. #1709
- 🎆 SRV records resolution. #1587
- 🎆 Load balancing. When an A or SRV record resolves to multiple
entries, Kong now rotates those upstream targets with a Round-Robin
algorithm. This is a first step towards implementing more load balancing
algorithms.
Another way to specify multiple upstream targets is to use the newly
introduced
/upstreamsand/targetsentities of the Admin API. #1587 #1735 - 🎆 Multiple hosts and paths per API. Kong can now route incoming requests to your services based on a combination of Host headers, URIs and HTTP methods. See the related PR for a detailed explanation of the new properties and capabilities of the new router. #1970
- 🎆 Maintain upstream connection pools which should greatly improve
performance, especially for HTTPS upstream connections. We now use HTTP/1.1
for upstream connections as well as an nginx
upstreamblock with a configurablekeepalivedirective, thanks to the newnginx_keepaliveconfiguration property. #1587 #1827 - 🎆 Websockets support. Kong can now upgrade client connections to
use the
wsprotocol whenUpgrade: websocketis present. #1827 - Use an in-memory caching strategy for database entities in order to reduce CPU load during requests proxying. #1688
- Provide negative-caching for missed database entities. This should improve performance in some cases. #1914
- Support for serving the Admin API over SSL. This introduces new properties in
the configuration file:
admin_listen_ssl,admin_ssl,admin_ssl_certandadmin_ssl_cert_key. #1706 - Support for upstream connection timeouts. APIs now have 3 new fields:
upstream_connect_timeout,upstream_send_timeout,upstream_read_timeoutto specify, in milliseconds, a timeout value for requests between Kong and your APIs. #2036 - Support for clustering key rotation in the underlying Serf process:
- new
cluster_keyring_fileproperty in the configuration file. - new
kong cluster keys ..CLI commands that expose the underlyingserf keys ..commands. #2069
- new
- Support for
lua_socket_pool_sizeproperty in configuration file. #2109 - Plugins:
- 🎆 New AWS Lambda plugin. Thanks Tim Erickson for his collaboration on this new addition. #1777 #1190
- Anonymous authentication for auth plugins. When such plugins receive the
config.anonymous=<consumer_id>property, even non-authenticated requests will be proxied by Kong, with the traditional Consumer headers set to the designated anonymous consumer, but also with aX-Anonymous-Consumerheader. Multiple auth plugins will work in a logicalORfashion. #1666 and #2035 - request-transformer: Ability to change the HTTP method of the upstream request. #1635
- jwt: Support for ES256 signatures. #1920
- rate-limiting: Ability to select the Redis database to use via the new
config.redis_databaseplugin property. #1941
- Looking for Serf in known installation paths. #1997
- Including port in upstream
Hostheader. #2045 - Clarify the purpose of the
cluster_listen_rpcproperty in the configuration file. Thanks Jeremy Monin for the patch. #1860 - Admin API:
- Properly Return JSON responses (instead of HTML) on HTTP 409 Conflict when adding Plugins. #2014
- CLI:
- Avoid double-prefixing migration error messages with the database name (PostgreSQL/Cassandra).
- Plugins:
0.9.9 - 2017/02/02
- Correctly put Cassandra sockets into the Nginx connection pool for later reuse. This greatly improves the performance for rate-limiting and response-ratelimiting plugins. f8f5306
- Correct length of a year in seconds for rate-limiting and response-ratelimiting plugins. A year was wrongly assumed to only be 360 days long. e4fdb2a
- Prevent misinterpretation of the
%character in proxied URLs encoding. Thanks Thomas Jouannic for the patch. #1998 #2040
0.9.8 - 2017/01/19
- Properly set the admin IP in the Serf script.
- Provide negative-caching for missed database entities. This should improve performance in some cases. #1914
- Plugins:
- Fix fault tolerance logic and error reporting in rate-limiting plugins.
0.9.7 - 2016/12/21
- Fixed a performance issue in Cassandra by removing an old workaround that was forcing Cassandra to use LuaSocket instead of cosockets. #1916
- Fixed an issue that was causing a recursive attempt to stop Kong's services when an error was occurring. #1877
- Custom plugins are now properly loaded again. #1910
- Plugins:
0.9.6 - 2016/11/29
- Resolve support for PostgreSQL SSL connections. #1720
- Ensure
kong starthonors the--confflag is a config file already exists at one of the default locations (/etc/kong.conf,/etc/kong/kong.conf). #1681 - Obfuscate sensitive properties from the
/Admin API route which returns the current node's configuration. #1650
0.9.5 - 2016/11/07
- Dropping support for OpenResty 1.9.15.1 in favor of 1.11.2.1 #1797
- Fixed an error (introduced in 0.9.4) in the auto-clustering event
0.9.4 - 2016/11/02
- Fixed the random string generator that was causing some problems, especially in Serf for clustering. #1754
- Seed random number generator in CLI. #1641
- Reducing log noise in the Admin API. #1781
- Fixed the reports lock implementation that was generating a periodic error message. #1783
0.9.3 - 2016/10/07
- Added support for Serf 0.8. #1693
- Properly invalidate global plugins. #1723
0.9.2 - 2016/09/20
- Correctly report migrations errors. This was caused by an error being thrown from the error handler, and superseding the actual error. [#1605] (Kong#1605)
- Prevent Kong from silently failing to start. This would be caused by an erroneous error handler. [28f5d10] (https://github.com/Mashape/kong/commit/28f5d10)
- Only report a random number generator seeding error when it is not already seeded. #1613
- Reduce intra-cluster noise by not propagating keepalive requests events. #1660
- Admin API:
- Obfuscates sensitive configuration settings from the
/route. #1650
- Obfuscates sensitive configuration settings from the
- CLI:
- Prevent a failed
kong startto stop an already running Kong node. #1645 - Remove unset configuration placeholders from the nginx configuration template. This would occur when no Internet connection would be available and would cause Kong to compile an erroneous nginx config. #1606
- Properly count the number of executed migrations. #1649
- Prevent a failed
- Plugins:
0.9.1 - 2016/09/02
- Plugins:
- ACL: allow to retrieve/update/delete an ACL by group name. #1544
- Basic Authentication: allow to retrieve/update/delete a credential by
username. #1570 - HMAC Authentication: allow to retrieve/update/delete a credential by
username. #1570 - JWT Authentication: allow to retrieve/update/delete a credential by
key. #1570 - Key Authentication: allow to retrieve/update/delete a credential by
key. #1570 - OAuth2 Authentication: allow to retrieve/update/delete a credential by
client_idand tokens byaccess_token. #1570
- Correctly parse configuration file settings containing comments. #1569
- Prevent third-party Lua modules (and plugins) to override the seed for random number generation. This prevents the creation of conflicting UUIDs. #1558
- Use pgmoon-mashape
2.0.0which properly namespaces our fork, avoiding conflicts with other versions of pgmoon, such as the one installed by Lapis. #1582 - Avoid exposing OpenResty's information on HTTP
4xxerrors. #1567 - ulimit with
unlimitedvalue is now properly handled. #1545 - CLI:
- Plugins:
- galileo: Use
Content-Lengthheader to get request/response body size whenlog_bodiesis disabled. #1584
- galileo: Use
- Admin API:
- Revert the
/plugins/enabledendpoint's response to be a JSON array, and not an Object. #1529
- Revert the
0.9.0 - 2016/08/18
The main focus of this release is Kong's new CLI. With a simpler configuration file, new settings, environment variables support, new commands as well as a new interpreter, the new CLI gives more power and flexibility to Kong users and allow for an easier integration in your deployment workflow, as well as better testing for developers and plugins authors. Additionally, some new plugins and performance improvements are included as well as the regular bug fixes.
⚠️ PostgreSQL is the new default datastore for Kong. If you were using Cassandra and you are upgrading, you need to explicitly setcassandraas yourdatabase.⚠️ New CLI, with new commands and refined arguments. This new CLI uses theresty-cliinterpreter (see lua-resty-cli) instead of LuaJIT. As a result, therestyexecutable must be available in your$PATH(resty-cli is shipped in the OpenResty bundle) as well as thebin/kongexecutable. Kong does not rely on Luarocks installing thebin/kongexecutable anymore. This change of behavior is taken care of if you are using one of the official Kong packages.⚠️ Kong uses a new configuration file, with an easier syntax than the previous YAML file.- New arguments for the CLI, such as verbose, debug and tracing flags. We also avoid requiring the configuration file as an argument to each command as per the previous CLI.
- Customization of the Nginx configuration can now be taken care of using two different approaches: with a custom Nginx configuration template and using
kong start --template <file>, or by usingkong compileto generate the Kong Nginx sub-configuration, andincludeit in a custom Nginx instance. - Plugins:
- Rate Limiting: the
continue_on_errorproperty is now calledfault_tolerant. - Response Rate Limiting: the
continue_on_errorproperty is now calledfault_tolerant.
- Rate Limiting: the
- 🎆 Support for overriding configuration settings with environment variables.
- 🎆 Support for SSL connections between Kong and PostgreSQL. #1425
- 🎆 Ability to apply plugins with more granularity: per-consumer, and global plugins are now possible. #1403
- New
kong checkcommand: validates a Kong configuration file. - Better version check for third-party dependencies (OpenResty, Serf, Dnsmasq). #1307
- Ability to configure the validation depth of database SSL certificates from the configuration file. #1420
request_host: internationalized url support; utf-8 domain names through punycode support and paths through %-encoding. #1300- Implements caching locks when fetching database configuration (APIs, Plugins...) to avoid dog pile effect on cold nodes. #1402
- Plugins:
- 🎆 New bot-detection plugin: protect your APIs by detecting and rejecting common bots and crawlers. #1413
- correlation-id: new "tracker" generator, identifying requests per worker and connection. #1288
- request/response-transformer: ability to add strings including colon characters. #1353
- rate-limiting: support for new rate-limiting policies (
cluster,localandredis), and for a newlimit_byproperty to force rate-limiting byconsumer,credentialorip. - response-rate-limiting: support for new rate-limiting policies (
cluster,localandredis), and for a newlimit_byproperty to force rate-limiting byconsumer,credentialorip. - galileo: performance improvements of ALF serialization. ALFs are not discarded when exceeding 20MBs anymore. #1463
- statsd: new
upstream_streamlatency metric. #1466 - datadog: new
upstream_streamlatency metric and tagging support for each metric. #1473
- We now use lua-resty-jit-uuid for UUID generation, which is a pure Lua implementation of RFC 4122. As a result, libuuid is not a dependency of Kong anymore.
- Sensitive configuration settings are not printed to stdout anymore. #1256
- Fixed bug that caused nodes to remove themselves from the database when they attempted to join the cluster. #1437
- Plugins:
- request-size-limiting: use proper constant for MB units while setting the size limit. #1416
- OAuth2: security and config validation fixes. #1409 #1112
- request/response-transformer: better validation of fields provided without a value. #1399
- JWT: handle some edge-cases that could result in HTTP 500 errors. #1362
internal
- new test suite using resty-cli and removing the need to monkey-patch the
ngxglobal.- custom assertions and new helper methods (
wait_until()) to gracefully fail in case of timeout.- increase atomicity of the testing environment.
- lighter testing instance, only running 1 worker and not using Dnsmasq by default.
0.8.3 - 2016/06/01
This release includes some bugfixes:
- Switched the log level of the "No nodes found in cluster" warning to
INFO, that was printed when starting up the first Kong node in a new cluster. - Kong now requires OpenResty
1.9.7.5.
- New nodes are now properly registered into the
nodestable when running on the same machine. #1281 - Fixed a failed error parsing on Postgres. #1269
- Plugins:
- Response Transformer: Slashes are now encoded properly, and fixed a bug that hang the execution of the plugin. #1257 and #1263
- JWT: If a value for
algorithmis missing, it's nowHS256by default. This problem occurred when migrating from older versions of Kong. - OAuth 2.0: Fixed a Postgres problem that was preventing an application from being created, and fixed a check on the
redirect_urifield. #1264 and #1267
0.8.2 - 2016/05/25
This release includes bugfixes and minor updates:
- Support for a simple slash in
request_path. #1227 - Plugins:
- Response Rate Limiting: it now appends usage headers to the upstream requests in the form of
X-Ratelimit-Remaining-{limit_name}and introduces a newconfig.block_on_first_violationproperty. #1235
- Response Rate Limiting: it now appends usage headers to the upstream requests in the form of
- Plugins:
- Mashape Analytics: The plugin is now called "Galileo", and added support for Galileo v3. #1159
- Postgres now relies on the
search_pathconfigured on the database and its default value$user, public. #1196 - Kong now properly encodes an empty querystring parameter like
?param=when proxying the request. #1210 - The configuration now checks that
cluster.ttl_on_failureis at least 60 seconds. #1199 - Plugins:
- Loggly: Fixed an issue that was triggering 400 and 500 errors. #1184
- JWT: The
TYPvalue in the header is not optional and case-insensitive. #1192 - Request Transformer: Fixed a bug when transforming request headers. #1202
- OAuth 2.0: Multiple redirect URIs are now supported. #1112
- IP Restriction: Fixed that prevented the plugin for working properly when added on an API. #1245
- CORS: Fixed an issue when
config.preflight_continuewas enabled. #1240
0.8.1 - 2016/04/27
This release includes some fixes and minor updates:
- Adds
X-Forwarded-HostandX-Forwarded-Prefixto the upstream request headers. #1180 - Plugins:
- Datadog: Added two new metrics,
unique_usersandrequest_per_user, that log the consumer information. #1179
- Datadog: Added two new metrics,
- Fixed a DAO bug that affected full entity updates. #1163
- Fixed a bug when setting the authentication provider in Cassandra.
- Updated the Cassandra driver to v0.5.2.
- Properly enforcing required fields in PUT requests. #1177
- Fixed a bug that prevented to retrieve the hostname of the local machine on certain systems. #1178
0.8.0 - 2016/04/18
This release includes support for PostgreSQL as Kong's primary datastore!
- Remove support for the long deprecated
/consumers/:consumer/keyauth/and/consumers/:consumer/basicauth/routes (deprecated in0.5.0). The new routes (available since0.5.0too) use the real name of the plugin:/consumers/:consumer/key-authand/consumers/:consumer/basic-auth.
- Support for PostgreSQL 9.4+ as Kong's primary datastore. #331 #1054
- Configurable Cassandra reading/writing consistency. #1026
- Admin API: including pending and running timers count in the response to
/. #992 - Plugins
- New correlation-id plugin: assign unique identifiers to the requests processed by Kong. Courtesy of @opyate. #1094
- LDAP: add support for LDAP authentication. #1133
- StatsD: add support for StatsD logging. #1142
- JWT: add support for RS256 signed tokens thanks to @kdstew! #1053
- ACL: appends
X-Consumer-Groupsto the request, so the upstream service can check what groups the consumer belongs to. #1154 - Galileo (mashape-analytics): increase batch sending timeout to 30s. #1091
- Added
ttl_on_failureoption in the cluster configuration, to configure the TTL of failed nodes. #1125
- Introduce a new
portoption when connecting to your Cassandra cluster instead of using the CQL default (9042). #1139 - Plugins
internal
- replace globals with singleton pattern thanks to @mars.
- fixed resolution mismatches when using deep paths in the path resolver thanks to siddharthkchatterjee
0.7.0 - 2016/02/24
Due to the NGINX security fixes (CVE-2016-0742, CVE-2016-0746, CVE-2016-0747), OpenResty was bumped to 1.9.7.3 which is not backwards compatible, and thus requires changes to be made to the nginx property of Kong's configuration file. See the 0.7 upgrade path for instructions.
However by upgrading the underlying OpenResty version, source installations do not have to patch the NGINX core and use the old ssl-cert-by-lua branch of ngx_lua anymore. This will make source installations much easier.
- Support for OpenResty
1.9.7.*. This includes NGINX security fixes (CVE-2016-0742, CVE-2016-0746, CVE-2016-0747). #906 - Plugins
- New Runscope plugin: Monitor your APIs from Kong with Runscope. Courtesy of @mansilladev. #924
- Datadog: New
response.sizemetric. #923 - Rate-Limiting and Response Rate-Limiting
- New
config.asyncoption to asynchronously increment counters to reduce latency at the cost of slightly reducing the accuracy. #912 - New
config.continue_on_erroroption to keep proxying requests in case the datastore is unreachable. rate-limiting operations will be disabled until the datastore is responsive again. #953
- New
- CLI
- Perform a simple permission check on the NGINX working directory when starting, to prevent errors during execution. #939
- Send 50x errors with the appropriate format. #927 #970
- Plugins
- OAuth2
- IP restriction: Fix an issue that could arise when restarting Kong. Now Kong does not need to be restarted for the ip-restriction configuration to take effect. #782 #960
- ACL: Properly invalidating entities when assigning a new ACL group. #996
- SSL: Replace shelled out openssl calls with native
ngx.sslconversion utilities, which preserve the certificate chain. #968
- Avoid user warning on start when the user is not root. #964
- Store Serf logs in NGINX working directory to prevent eventual permission issues. #975
- Allow plugins configured on a Consumer without being configured on an API to run. #978 #980
- Fixed an edge-case where Kong nodes would not be registered in the
nodestable. #1008
0.6.1 - 2016/02/03
This release contains tiny bug fixes that were especially annoying for complex Cassandra setups and power users of the Admin API!
- A
timeoutproperty for the Cassandra configuration. In ms, this timeout is effective as a connection and a reading timeout. #937
- Correctly set the Cassandra SSL certificate in the Nginx configuration while starting Kong. #921
- Rename the
userCassandra property tousername(Kong looks forusername, henceuserwould fail). #922 - Allow Cassandra authentication with arbitrary plain text auth providers (such as Instaclustr uses), fixing authentication with them. #937
- Admin API
- Fix the
/plugins/:idroute forPATCHmethod. #941
- Fix the
- Plugins
0.6.0 - 2016/01/22
We would recommended to consult the suggested 0.6 upgrade path for this release.
- Serf is now a Kong dependency. It allows Kong nodes to communicate between each other opening the way to many features and improvements.
- The configuration file changed. Some properties were renamed, others were moved, and some are new. We would recommended checking out the new default configuration file.
- Drop the Lua 5.1 dependency which was only used by the CLI. The CLI now runs with LuaJIT, which is consistent with other Kong components (Luarocks and OpenResty) already relying on LuaJIT. Make sure the LuaJIT interpreter is included in your
$PATH. #799
One of the biggest new features of this release is the cluster-awareness added to Kong in #729, which deserves its own section:
- Each Kong node is now aware of belonging to a cluster through Serf. Nodes automatically join the specified cluster according to the configuration file's settings.
- The datastore cache is not invalidated by expiration time anymore, but following an invalidation strategy between the nodes of a same cluster, leading to improved performance.
- Admin API
- Expose a
/cacheendpoint for retrieving elements stored in the in-memory cache of a node. - Expose a
/clusterendpoint used to add/remove/list members of the cluster, and also used internally for data propagation.
- Expose a
- CLI
- New
kong clustercommand for cluster management. - New
kong statuscommand for cluster healthcheck.
- New
Other additions include:
- New Cassandra driver which makes Kong aware of the Cassandra cluster. Kong is now unaffected if one of your Cassandra nodes goes down as long as a replica is available on another node. Load balancing policies also improve the performance along with many other smaller improvements. #803
- Admin API
- A new
totalfield in API responses, that counts the total number of entities in the datastore. #635
- A new
- Configuration
- Possibility to configure the keyspace replication strategy for Cassandra. It will be taken into account by the migrations when the configured keyspace does not already exist. #350
- Dnsmasq is now optional. You can specify a custom DNS resolver address that Kong will use when resolving hostnames. This can be configured in
kong.yml. #625
- Plugins
- As mentioned in the breaking changes section, a new configuration file format and validation. All properties are now documented and commented out with their default values. This allows for a lighter configuration file and more clarity as to what properties relate to. It also catches configuration mistakes. #633
- Replace the UUID generator library with a new implementation wrapping lib-uuid, fixing eventual conflicts happening in cases such as described in #659. See #695
- Admin API
- Behaviors described in #603 related to the failure of Cassandra nodes thanks to the new driver. #803
- Latency headers are now properly included in responses sent to the client. #708
strip_request_pathdoes not add a trailing slash to the API'supstream_urlanymore before proxying. #675- Do not URL decode querystring before proxying the request to the upstream service. #749
- Handle cases when the request would be terminated prior to the Kong execution (that is, before ngx_lua reaches the
access_by_luacontext) in cases such as the use of a custom nginx module. #594 - Admin API
- The PUT method now correctly updates boolean fields (such as
strip_request_path). #765 - The PUT method now correctly resets a plugin configuration. #720
- PATCH correctly set previously unset fields. #861
- In the responses, the
nextlink is not being displayed anymore if there are no more entities to be returned. #635 - Prevent the update of
created_atfields. #820 - Better
request_pathvalidation for APIs. "/" is not considered a valid path anymore. #881
- The PUT method now correctly updates boolean fields (such as
- Plugins
- Galileo: ensure the
mimeTypevalue is always a string in ALFs. #584 - JWT: allow to update JWT credentials using the PATCH method. It previously used to reply with
405 Method not allowedbecause the PATCH method was not implemented. #667 - Rate limiting: fix a warning when many periods are configured. #681
- Basic Authentication: do not re-hash the password field when updating a credential. #726
- File log: better permissions for on file creation for file-log plugin. #877
- OAuth2
- Galileo: ensure the
internal
- Event bus for local and cluster-wide events propagation. Plans for this event bus is to be widely used among Kong in the future.
- The Kong Public Lua API (Lua helpers integrated in Kong such as DAO and Admin API helpers) is now documented with ldoc format and published on the online documentation.
- Work has been done to restore the reliability of the CI platforms.
- Migrations can now execute DML queries (instead of DDL queries only). Handy for migrations implying plugin configuration changes, plugins renamings etc... #770
0.5.4 - 2015/12/03
- Mashape Analytics plugin (renamed Galileo):
0.5.3 - 2015/11/16
- Avoids additional URL encoding when proxying to an upstream service. #691
- Potential timing comparison bug in HMAC plugin. #704
- The Galileo plugin now supports arbitrary host, port and path values. #721
0.5.2 - 2015/10/21
A few fixes requested by the community!
- Kong properly search the
nginxin your $PATH variable. - Plugins:
0.5.1 - 2015/10/13
Fixing a few glitches we let out with 0.5.0!
- Basic Authentication and HMAC Authentication plugins now also send the
X-Credential-Usernameto the upstream server. - Admin API now accept JSON when receiving a CORS request. #580
- Add a
WWW-Authenticateheader for HTTP 401 responses for basic-auth and key-auth. #588
- Protect Kong from POODLE SSL attacks by omitting SSLv3 (CVE-2014-3566). #563
- Remove support for key-auth key in body. #566
- Plugins
- Fix an occasional error when updating a plugin without a config. #571
0.5.0 - 2015/09/25
With new plugins, many improvements and bug fixes, this release comes with breaking changes that will require your attention.
Several breaking changes are introduced. You will have to slightly change your configuration file and a migration script will take care of updating your database cluster. Please follow the instructions in UPDATE.md for an update without downtime.
- Many plugins were renamed due to new naming conventions for consistency. #480
- In the configuration file, the Cassandra
hostsproperty was renamed tocontact_points. #513 - Properties belonging to APIs entities have been renamed for clarity. #513
public_dns->request_hostpath->request_pathstrip_path->strip_request_pathtarget_url->upstream_url
plugins_configurationshave been renamed toplugins, and theirvalueproperty has been renamed toconfigto avoid confusions. #513- The database schema has been updated to handle the separation of plugins outside of the core repository.
- The Key authentication and Basic authentication plugins routes have changed:
Old route New route
/consumers/:consumer/keyauth -> /consumers/:consumer/key-auth
/consumers/:consumer/keyauth/:id -> /consumers/:consumer/key-auth/:id
/consumers/:consumer/basicauth -> /consumers/:consumer/basic-auth
/consumers/:consumer/basicauth/:id -> /consumers/:consumer/basic-auth/:id
The old routes are still maintained but will be removed in upcoming versions. Consider them deprecated.
- Admin API
- The route to retrieve enabled plugins is now under
/plugins/enabled. - The route to retrieve a plugin's configuration schema is now under
/plugins/schema/{plugin name}.
- The route to retrieve enabled plugins is now under
- Plugins
- New Response Rate Limiting plugin: Give a usage quota to your users based on a parameter in your response. #247
- New ACL (Access Control) plugin: Configure authorizations for your Consumers. #225
- New JWT (JSON Web Token) plugin: Verify and authenticate JWTs. #519
- New HMAC signature plugin: Verify and authenticate HMAC signed HTTP requests. #549
- Plugins migrations. Each plugin can now have its own migration scripts if it needs to store data in your cluster. This is a step forward to improve Kong's pluggable architecture. #443
- Basic Authentication: the password field is now sha1 encrypted. #33
- Basic Authentication: now supports credentials in the
Proxy-Authorizationheader. #460
- Basic Authentication and Key Authentication now require authentication parameters even when the
Expect: 100-continueheader is being sent. #408 - Key Auth plugin does not support passing the key in the request payload anymore. #566
- APIs' names cannot contain characters from the RFC 3986 reserved list. #589
- Resolver
- Making a request with a querystring will now correctly match an API's path. #496
- Admin API
- Data associated to a given API/Consumer will correctly be deleted if related Consumer/API is deleted. #107 #438 #504
- The
/api/{api_name_or_id}/plugins/{plugin_name_or_id}changed to/api/{api_name_or_id}/plugins/{plugin_id}to avoid requesting the wrong plugin if two are configured for one API. #482 - APIs created without a
namebut with arequest_pathwill now have a name which defaults to the setrequest_path. #547
- Plugins
- Mashape Analytics: More robust buffer and better error logging. #471
- Mashape Analytics: Several ALF (API Log Format) serialization fixes. #515
- Oauth2: A response is now returned on
http://kong:8001/consumers/{consumer}/oauth2/{oauth2_id}. #469 - Oauth2: Saving
authenticated_useridon Password Grant. #476 - Oauth2: Proper handling of the
/oauth2/authorizeand/oauth2/tokenendpoints in the OAuth 2.0 Plugin when an API with apathis being consumed using thepublic_dnsinstead. #503 - OAuth2: Properly returning
X-Authenticated-UserIdin theclient_credentialsandpasswordflows. #535 - Response-Transformer: Properly handling JSON responses that have a charset specified in their
Content-Typeheader.
0.4.2 - 2015/08/10
- Cassandra authentication and SSL encryption. #405
preserve_hostflag on APIs to preserve the Host header when a request is proxied. #444- Added the Resource Owner Password Credentials Grant to the OAuth 2.0 Plugin. #448
- Auto-generation of default SSL certificate. #453
- Remove
cassandra.portproperty in configuration. Ports are specified by havingcassandra.hostsaddresses using thehost:portnotation (RFC 3986). #457 - Default SSL certificate is now auto-generated and stored in the
nginx_working_dir. - OAuth 2.0 plugin now properly forces HTTPS.
- Better handling of multi-nodes Cassandra clusters. #450
- mashape-analytics plugin: handling of numerical values in querystrings. #449
- Path resolver
strip_pathoption wrongfully matching thepathproperty multiple times in the request URI. #442 - File Log Plugin bug that prevented the file creation in some environments. #461
- Clean output of the Kong CLI. #235
0.4.1 - 2015/07/23
- Issues with the Mashape Analytics plugin. #425
- Handle hyphens when executing path routing with
strip_pathoption enabled. #431 - Adding the Client Credentials OAuth 2.0 flow. #430
- A bug that prevented "dnsmasq" from being started on some systems, including Debian. f7da790
- File Log plugin: optimizations by avoiding the buffered I/O layer. 20bb478
0.4.0 - 2015/07/15
- Implement wildcard subdomains for APIs'
public_dns. #381 #297 - Plugins
- New OAuth 2.0 plugin. #341 #169
- New Mashape Analytics plugin. #360 #272
- New IP whitelisting/blacklisting plugin. #379
- Ratelimiting: support for multiple limits. #382 #205
- HTTP logging: support for HTTPS endpoint. #342
- Logging plugins: new properties for logs timing. #351
- Key authentication: now auto-generates a key if none is specified. #48
- Resolver
pathproperty now accepts arbitrary depth. #310
- Admin API
- CLI
$ kong migrations resetnow asks for confirmation. #365
internal
0.3.2 - 2015/06/08
- Uppercase Cassandra keyspace bug that prevented Kong to work with kongdb.org
- Multipart requests not properly parsed in the admin API. #344
0.3.1 - 2015/06/07
- Schema migrations are now automatic, which was missing from previous releases. #303
0.3.0 - 2015/06/04
- Support for SSL.
- Plugins
- Admin API
- RESTful routing. Much nicer Admin API routing. Ex:
/apis/{name_or_id}/plugins. #98 #257 - Support
PUTmethod for endpoints such as/apis/,/apis/plugins/,/consumers/ - Support for
application/jsonandx-www-form-urlencodedContent Types for allPUT,POSTandPATCHendpoints by passing aContent-Typeheader. #236
- RESTful routing. Much nicer Admin API routing. Ex:
- Resolver
- Auth plugins now send user informations to your upstream services. #228
- Invalid
target_urlvalue are now being caught when creating an API. #149
- Uppercase Cassandra keyspace causing migration failure. #249
- Guarantee that ratelimiting won't allow requests in case the atomicity of the counter update is not guaranteed. #289
internal
- Schemas:
- New property type:
array. #277- Entities schemas now live in their own files and are starting to be unit tested.
- Subfields are handled better: (notify required subfields and auto-vivify is subfield has default values).
- Way faster unit tests. Not resetting the DB anymore between tests.
- Improved coverage computation (exclude
vendor/).- Travis now lints
kong/.- Way faster Travis setup.
- Added a new HTTP client for in-nginx usage, using the cosocket API.
- Various refactorings.
- Fix #196.
- Disabled ipv6 in resolver.
0.2.1 - 2015/05/12
This is a maintenance release including several bug fixes and usability improvements.
- Support for local DNS resolution. #194
- Support for Debian 8 and Ubuntu 15.04.
- DAO
- Cassandra version bumped to 2.1.5
- Support for Cassandra downtime. If Cassandra goes down and is brought back up, Kong will not need to restart anymore, statements will be re-prepared on-the-fly. This is part of an ongoing effort from jbochi/lua-resty-cassandra#47, #146 and #187. Queries effectuated during the downtime will still be lost. #11
- Leverage reused sockets. If the DAO reuses a socket, it will not re-set their keyspace. This should give a small but appreciable performance improvement. #170
- Cascade delete plugins configurations when deleting a Consumer or an API associated with it. #107
- Allow Cassandra hosts listening on different ports than the default. #185
- CLI
- Added a notice log when Kong tries to connect to Cassandra to avoid user confusion. #168
- The CLI now tests if the ports are already being used before starting and warns.
- Admin API
nameis now an optional property for APIs. If none is being specified, the name will be the APIpublic_dns. #181
- Configuration
- The memory cache size is now configurable. #208
- Resolver
- More explicit "API not found" message from the resolver if the Host was not found in the system. "Api not foun with Host: %s".
- If multiple hosts headers are being sent, Kong will test them all to see if one of the API is in the system. #186
- Admin API: responses now have a new line after the body. #164
- DAO: keepalive property is now properly passed when Kong calls
set_keepaliveon Cassandra sockets. - Multipart dependency throwing error at startup. #213
internal
- Separate Migrations from the DAO factory.
- Update dev config + Makefile rules (
runbecomesstart).- Introducing an
ngxstub for unit tests and CLI.- Switch many PCRE regexes to using patterns.
0.2.0-2 - 2015/04/27
First public release of Kong. This version brings a lot of internal improvements as well as more usability and a few additional plugins.
- Plugins
- CORS plugin.
- Request transformation plugin.
- NGINX plus monitoring plugin.
- Configuration
- New properties:
proxy_portandapi_admin_port. #142
- New properties:
- CLI
- Package distributions: .rpm, .deb and .pkg for easy installs on most common platforms.
- Admin API: trailing slash is not necessary anymore for core resources such as
/apisor/consumers. - Leaner default configuration. #156
internal
- All scripts moved to the CLI as "hidden" commands (
kong db,kong config).- More tests as always, and they are structured better. The coverage went down mainly because of plugins which will later move to their own repos. We are all eagerly waiting for that!
src/was renamed tokong/for ease of development- All system dependencies versions for package building and travis-ci are now listed in
versions.sh- DAO doesn't need to
:prepare()prior to run queries. Queries can be prepared at runtime. #146
0.1.1beta-2 - 2015/03/30
- Wrong behavior of auto-migration in
kong start.
0.1.0beta-3 - 2015/03/25
First public beta. Includes caching and better usability.
- Required Openresty is now
1.7.10.1. - Freshly built CLI, rewritten in Lua
kong startusing a new DB keyspace will automatically migrate the schema. #68- Anonymous error reporting on Proxy and API. #64
- Configuration
- Simplified configuration file (unified in
kong.yml). - In configuration,
plugins_installedwas renamed toplugins_available. #59 - Order of
plugins_availabledoesn't matter anymore. #17 - Better handling of plugins: Kong now detects which plugins are configured and if they are installed on the current machine.
bin/kongnow defaults on/etc/kong.ymlfor config and/var/logs/kongfor output. #71
- Simplified configuration file (unified in
- Proxy: APIs/Consumers caching with expiration for faster authentication.
- Admin API: Plugins now use plain form parameters for configuration. #70
- Keep track of already executed migrations.
rollbacknow behaves as expected. #8
Serverheader now sends Kong. #57- migrations not being executed in order on Linux. This issue wasn't noticed until unit testing the migrations because for now we only have 1 migration file.
- Admin API: Errors responses are now sent as JSON. #58
internal
- We now have code linting and coverage.
- Faker and Migrations instances don't live in the DAO Factory anymore, they are only used in scripts and tests.
scripts/config.luaallows environment based configurations.make devgenerates akong.DEVELOPMENT.ymlandkong_TEST.yml. Different keyspaces and ports.spec_helpers.luaallows tests to not rely on theMakefileanymore. Integration tests can run 100% frombusted.- Switch integration testing from [httpbin.org] to [mockbin.com].
coreplugin was renamed toresolver.
0.0.1alpha-1 - 2015/02/25
First version running with Cassandra.
- Basic proxying.
- Built-in authentication plugin (api key, HTTP basic).
- Built-in ratelimiting plugin.
- Built-in TCP logging plugin.
- Configuration API (for consumers, apis, plugins).
- CLI
bin/kongscript. - Database migrations (using
db.lua).