- 2.0.4
- 2.0.3
- 2.0.2
- 2.0.1
- 2.0.0
- 1.5.1
- 1.5.0
- 1.4.3
- 1.4.2
- 1.4.1
- 1.4.0
- 1.3.0
- 1.2.2
- 1.2.1
- 1.2.0
- 1.1.2
- 1.1.1
- 1.1.0
- 1.0.3
- 1.0.2
- 1.0.1
- 1.0.0
- 0.15.0
- 0.14.1
- 0.14.0
- 0.13.1
- 0.13.0
- 0.12.3
- 0.12.2
- 0.12.1
- 0.12.0
- 0.11.2
- 0.11.1
- 0.10.4
- 0.11.0
- 0.10.3
- 0.10.2
- 0.10.1
- 0.10.0
- 0.9.9 and prior
Released 2020/04/22
- Disable JIT mlcache:get_bulk() on ARM64 #5797
- Don't increment log counters on unexpected errors #5783
- Invalidate target history at cleanup so balancers stay synced #5775
- Set a log prefix with the upstream name #5773
- Fix memory leaks when loading a declarative config that fails schema validation #5766
- Fix some balancer and cluster_events issues #5804
- Send declarative config updates to stream subsystem via Unix domain #5797
- Now when using declarative configurations the cache is purged on reload, cleaning any references to removed entries #5769
Released 2020/04/06
This is a patch release in the 2.0 series. Being a patch release, it strictly contains performance improvements and bugfixes. There are no new features or breaking changes.
- Setting the target weight to 0 does not automatically remove the upstream. #5710.
- The plugins iterator is now always fully built, even if the initialization of any of them fails. #5692.
- Fixed the load of `dns_not_found_ttl` and `dns_error_ttl` configuration options. #5684.
- Consumers and tags are properly warmed-up from the plugins' perspective, i.e. they are loaded to the cache space that plugins access. #5669.
- Customized error messages don't affect subsequent default error responses now. #5673.
- Fixed the `lua_package_path` option precedence over `LUA_PATH` environment variable. #5729.
- Support for Nginx binary upgrade by correctly handling the `USR2` signal. #5657.
- Fixed the `sni is duplicated` error when sending multiple `SNIs` as body arguments and an `SNI` on URL that matched one from the body. #5660.
Released 2020/02/27
This is a patch release in the 2.0 series. Being a patch release, it strictly contains performance improvements and bugfixes. There are no new features or breaking changes.
- Fix issue related to race condition in Cassandra select each method #5564. Thanks, vasuharish!
- Fix issue related to running control plane under multiple Nginx workers #5612.
- Don't change route paths when marshaling #5587.
- Fix propagation of posted health across workers #5539.
- Use proper units for timeouts with cassandra #5571.
- Fix broken SNI based routing in L4 proxy mode #5533.
Released 2020/02/04
This is a patch release in the 2.0 series. Being a patch release, it strictly contains performance improvements and bugfixes. There are no new features or breaking changes.
- Migrations include the configured Lua path now #5509.
- Hop-by-hop headers to not clear upgrade header on upgrade #5495.
- Balancers now properly check if a response is produced by an upstream #5493. Thanks, onematchfox!
- Kong correctly logs an error message when the Lua VM cannot allocate memory #5479 Thanks, pamiel!
- Schema validations work again in DB-less mode #5464.
- oauth2: handle `Authorization` headers with missing `access_token` correctly. #5514. Thanks, jeremyjpj0916!
- oauth2: hash oauth2_tokens cache key via the DAO #5507
Released 2020/01/20
This is a new major release of Kong, including new features such as Hybrid mode, Go language support for plugins and buffered proxying, and much more.
Kong 2.0.0 removes the deprecated service mesh functionality, which has been retired in favor of Kuma, as Kong continues to focus on its core gateway capabilities.
Please note that Kong 2.0.0 also removes support for migrating from versions
below 1.0.0. If you are running Kong 0.x versions below 0.14.1, you need to
migrate to 0.14.1 first, and once you are running 0.14.1, you can migrate to
Kong 1.5.0, which includes special provisions for migrating from Kong 0.x,
such as the `kong migrations migrate-apis` command, and then finally to Kong
2.0.0.
⚠️ The required OpenResty version is 1.15.8.2, and the set of patches included has changed, including the latest release of lua-kong-nginx-module. If you are installing Kong from one of our distribution packages, you are not affected by this change.
Note: if you are not using one of our distribution packages and compiling OpenResty from source, you must still apply Kong's OpenResty patches (and, as highlighted above, compile OpenResty with the new lua-kong-nginx-module). Our kong-build-tools repository will allow you to do both easily.
- RPM packages are now signed with our own GPG keys. You can download our public key at https://bintray.com/user/downloadSubjectPublicKey?username=kong
- Kong now ships with a systemd unit file
- 🎆 Hybrid mode for management of control-plane and data-plane nodes. This allows running control-plane nodes using a database and have them deliver configuration updates to DB-less data-plane nodes. #5294
- 🎆 Buffered proxying - plugins can now request buffered reading of the service response (as opposed to the streaming default), allowing them to modify headers based on the contents of the body #5234
- The `transformations` in DAO schemas now also support `on_read`, allowing for two-way (read/write) data transformations between Admin API input/output and database storage. #5100
- Added `threshold` attribute for health checks #5206
- Caches for core entities and plugin-controlled entities (such as credentials, etc.) are now separated, protecting the core entities from cache eviction caused by plugin behavior. #5114
- Cipher suite was updated to the Mozilla v5 release. #5342
- Better support for using already existing Cassandra keyspaces when migrating #5361
- Better log messages when plugin modules fail to load #5357
- `stream_listen` now supports the `backlog` option. #5346
- The internal cache was split into two independent segments, `kong.core_cache` and `kong.cache`. The `core_cache` region is used by the Kong core to store configuration data that doesn't change often. The other region is used to store plugin runtime data that is dependent on traffic pattern and user behavior. This change should decrease the cache contention between Kong core and plugins and result in better performance overall. ⚠️ Note that both structures rely on the already existent `mem_cache_size` configuration option to set their size, so when upgrading from a previous Kong version, the cache memory consumption might double if this value is not adjusted #5114
- `kong config init` now accepts a filename argument #4451
- 🎆 Extended support for Nginx directive injections via Kong configurations, reducing the need for custom Nginx templates. New injection contexts were added: `nginx_main_`, `nginx_events` and `nginx_supstream_` (`upstream` in `stream` mode). #5390
- Enable `reuseport` option in the listen directive by default and allow specifying both `reuseport` and `backlog=N` in the listener flags. #5332
- Check existence of `lua_ssl_trusted_certificate` at startup #5345
- Added `/upstreams/<id>/health?balancer_health=1` attribute for detailed information about balancer health based on health threshold configuration #5206
- New functions `kong.service.request.enable_buffering`, `kong.service.response.get_raw_body` and `kong.service.response.get_body` for use with buffered proxying #5315
- 🎆 Go plugin support - plugins can now be written in Go as well as Lua, through the use of an out-of-process Go plugin server. #5326
- The lifecycle of the Plugin Server daemon for Go language support is managed by Kong itself. #5366
- 🎆 New plugin: ACME - Let's Encrypt and ACMEv2 integration with Kong #5333
- 🎆 aws-lambda: bumped version to 3.0.1, with a number of new features! #5083
- 🎆 prometheus: bumped to version 0.7.0 including major performance improvements #5295
- zipkin: bumped to version 0.2.1 #5239
- session: bumped to version 2.2.0, adding `authenticated_groups` support #5108
- rate-limiting: added experimental support for standardized headers based on the ongoing RFC draft #5335
- rate-limiting: added Retry-After header on HTTP 429 responses #5329
- datadog: report metrics with tags -- Thanks mvanholsteijn for the patch! #5154
- request-size-limiting: added `size_unit` configuration option. #5214
- request-termination: add extra check for `conf.message` before sending response back with body object included. #5202
- jwt: add `X-Credential-Identifier` header in response -- Thanks davinwang for the patch! #4993
- Correct detection of update upon deleting Targets -- Thanks pyrl247 for the patch!
- Fix declarative config loading of entities with abstract records #5343
- Fix sort priority when matching routes by longest prefix #5430
- Detect changes in Routes that happen halfway through a router update #5431
- Corrected the behavior when overwriting a Service configuration using the `url` shorthand #5315
⚠️ Removed Service Mesh support - That has been deprecated in Kong 1.4 and made off-by-default already, and the code is now gone in 2.0. For Service Mesh, we now have Kuma, which is something designed for Mesh patterns from day one, so we feel at peace with removing Kong's native Service Mesh functionality and focus on its core capabilities as a gateway.
- Routes using `tls` are now supported in stream mode by adding an entry in `stream_listen` with the `ssl` keyword enabled. #5346
- As part of service mesh removal, serviceless proxying was removed. You can still set `service = null` when creating a route for use with serverless plugins such as `aws-lambda`, or `request-termination`. #5353
- Removed the `origins` property which was used for service mesh. #5351
- Removed the `transparent` property which was used for service mesh. #5350
- Removed the `nginx_optimizations` property; the equivalent settings can be performed via Nginx directive injections. #5390
- The Nginx directive injection prefixes `nginx_http_upstream_` and `nginx_http_status_` were renamed to `nginx_upstream_` and `nginx_status_` respectively. #5390
- Removed the Sidecar Injector plugin which was used for service mesh. #5199
Released 2020/02/19
This is a patch release over 1.5.0, fixing a minor issue in the `kong migrations migrate-apis`
command, which assumed execution in a certain order in the migration process. This now
allows the command to be executed prior to running the migrations from 0.x to 1.5.1.
- Do not assume new fields are already available when running `kong migrations migrate-apis` #5572
Released 2020/01/20
Kong 1.5.0 is the last release in the Kong 1.x series, and it was designed to
help Kong 0.x users upgrade out of that series and into more current releases.
Kong 1.5.0 includes two features designed to ease the transition process: the
new `kong migrations migrate-apis` commands, to help users migrate away from
old `apis` entities which were deprecated in Kong 0.13.0 and removed in Kong
1.0.0, and a compatibility flag to provide better router compatibility across
Kong versions.
- New `path_handling` attribute in Routes entities, which selects the behavior the router will have when combining the Service Path, the Route Path, and the Request path into a single path sent to the upstream. This attribute accepts two values, `v0` or `v1`, making the router behave as in Kong 0.x or Kong 1.x, respectively. #5360
- New command `kong migrations migrate-apis`, which converts any existing `apis` from an old Kong 0.x installation and generates Route, Service and Plugin entities with equivalent configurations. The converted routes are set to use `path_handling = v0`, to ensure compatibility. #5176
- Fixed the routing prioritization that could lead to a match in a lower priority path. #5443
- Changes in router or plugins entities while the rebuild is in progress are now handled in the next rebuild, which avoids building invalid iterators. #5431
- Fixed incorrect calculation of certificate validity period. #5449 -- Thanks Bevisy for the patch!
Released 2020/01/09
This is a patch release in the 1.4 series, and as such, strictly contains bugfixes. There are no new features nor breaking changes.
- Fix the detection of the need for balancer updates when deleting targets #5352 -- Thanks zeeshen for the patch!
- Fix behavior of longest-path criteria when matching routes #5383
- Fix incorrect use of cache when using header-based routing #5267 -- Thanks marlonfan for the patch!
- Do not make a debugging dump of the declarative config input into `error.log` when posting it with `/config` and using `_format_version` as a top-level parameter (instead of embedded in the `config` parameter). #5411
- Fix incorrect behavior of PUT for /certificates #5321
- acl: fixed an issue where getting ACLs by group failed when multiple consumers share the same group #5322
Released 2019/12/10
This is another patch release in the 1.4 series, and as such, strictly contains bugfixes. There are no new features nor breaking changes.
- Fixes some corner cases in the balancer behavior #5318
- http-log: disable queueing when using the default settings, to avoid memory consumption issues #5323
- prometheus: restore compatibility with version 0.6.0 #5303
Released 2019/12/03
This is a patch release in the 1.4 series, and as such, strictly contains bugfixes. There are no new features nor breaking changes.
- Fixed a memory leak in the balancer #5229 -- Thanks zeeshen for the patch!
- Removed arbitrary limit on worker connections. #5148
- Fixed `preserve_host` behavior for gRPC routes #5225
- Fix migrations for ttl for OAuth2 tokens #5253
- Improve handling of errors when creating balancers #5284
- Fixed an issue with `kong config db_export` when reading entities that are ttl-enabled and whose ttl value is `null`. #5185
- http-log: do not impose a retry delay on successful sends #5282
Released on 2019/10/22
⚠️ All Bintray assets have been renamed from `.all.` / `.noarch.` to be architecture specific, namely `.arm64.` and `.amd64.`
- 🎆 New configuration option `cassandra_refresh_frequency` to set the frequency that Kong will check for Cassandra cluster topology changes, avoiding restarts when Cassandra nodes are added or removed. #5071
- New `transformations` property in DAO schemas, which allows adding functions that run when database rows are inserted or updated. #5047
- The new attribute `hostname` has been added to `upstreams` entities. This attribute is used as the `Host` header when proxying requests through Kong to servers that are listening on server names that are different from the names to which they resolve. #4959
- New status interface has been introduced. It exposes non-sensitive, read-only health, metrics and error information from Kong, which can be consumed by other services in the infrastructure to monitor Kong's health. This removes the requirement of the long-used workaround to monitor Kong's health by injecting a custom server block. #4977
- New Admin API response header `X-Kong-Admin-Latency`, reporting the time taken by Kong to process an Admin API request. #4966
⚠️ New configuration option `service_mesh` which enables or disables the Service Mesh functionality. The Service Mesh is being deprecated and will not be available in the next releases of Kong. #5124
- New configuration option `router_update_frequency` that allows setting the frequency that router and plugins will be checked for changes. This new option avoids performance degradation when Kong routes or plugins are frequently changed. #4897
- rate-limiting: in addition to consumer, credential, and IP levels, now rate-limiting plugin has service-level support. Thanks wuguangkuo for the patch! #5031
- Now rate-limiting `local` policy counters expire using the shared dictionary's TTL, which avoids keeping unnecessary counters in memory. Thanks cb372 for the patch! #5029
- Authentication plugins have support for tags now. #4945
- response-transformer plugin now supports renaming response headers. Thanks aalmazanarbs for the patch! #5040
⚠️ Service Mesh is known to cause HTTPS requests to upstream to ignore `proxy_ssl*` directives, so it is being discontinued in the next major release of Kong. In this release it is disabled by default, avoiding this issue, and it can be enabled as aforementioned in the configuration section. #5124
- Fixed an issue on reporting the proper request method and URL arguments on NGINX-produced errors in logging plugins. #5073
- Fixed an issue where targets were not properly updated in all Kong workers when they were removed. #5041
- Deadlock cases in database access functions when using Postgres and cleaning up `cluster_events` in high-changing scenarios were fixed. #5118
- Fixed issues with tag-filtered GETs on Cassandra-backed nodes. #5105
- Fixed Lua parsing and error handling in declarative configurations. #5019
- Automatically escape any unescaped `#` characters in parsed `KONG_*` environment variables. #5062
- file-log: creates log file with proper permissions when Kong uses declarative config. #5028
- basic-auth: fixed credentials parsing when using DB-less configurations. #5080
- jwt: plugin handles empty claims and returns the correct error message. #5123 Thanks to @jeremyjpj0916 for the patch!
- serverless-functions: Lua code in declarative configurations is validated and loaded correctly. #24
- request-transformer: fixed bug on removing and then adding request headers with the same name. #9
Released on 2019/08/21
Kong 1.3 is the first version to officially support gRPC proxying!
Following our vision for Kong to proxy modern Web services protocols, we are excited for this newest addition to the family of protocols already supported by Kong (HTTP(s), WebSockets, and TCP). As we have recently stated in our latest Community Call, more protocols are to be expected in the future.
Additionally, this release includes several highly-requested features such as
support for upstream mutual TLS, header-based routing (not only `Host`),
database export, and configurable upstream keepalive timeouts.
⚠️ The required OpenResty version has been bumped to 1.15.8.1. If you are installing Kong from one of our distribution packages, you are not affected by this change. See #4382. With this new version comes a number of improvements:
- The new ngx_http_grpc_module.
- Configurable upstream keepalive connections by timeout or number of requests.
- Support for ARM64 architectures.
- LuaJIT GC64 mode for x86_64 architectures, raising the LuaJIT GC-managed memory limit from 2GB to 128TB and producing more predictable GC performance.
⚠️ From this version on, the new lua-kong-nginx-module Nginx module is required to be built into OpenResty for Kong to function properly. This new module allows Kong to support new features such as mutual TLS authentication. If you are installing Kong from one of our distribution packages, you are not affected by this change. openresty-build-tools#26
Note: if you are not using one of our distribution packages and compiling OpenResty from source, you must still apply Kong's OpenResty patches (and, as highlighted above, compile OpenResty with the new lua-kong-nginx-module). Our new openresty-build-tools repository will allow you to do both easily.
⚠️ Bugfixes in the router may, in some edge-cases, result in different Routes being matched. It was reported to us that the router behaved incorrectly in some cases when configuring wildcard Hosts and regex paths (e.g. #3094). It may be so that you are subject to these bugs without realizing it. Please ensure that wildcard Hosts and regex paths Routes you have configured are matching as expected before upgrading. See 9ca4dc0, 2683b86, and 6a03e1b for details.
- Upstream connections are now only kept-alive for 100 requests or 60 seconds (idle) by default. Previously, upstream connections were not actively closed by Kong. This is a (non-breaking) change in behavior, inherited from Nginx 1.15, and configurable via new configuration properties (see below).
⚠️ The `upstream_keepalive` configuration property is deprecated, and replaced by the new `nginx_http_upstream_keepalive` property. Its behavior is almost identical, but the notable difference is that the latter leverages the injected Nginx directives feature added in Kong 0.14.0. In future releases, we will gradually increase support for injected Nginx directives. We have high hopes that this will remove the occasional need for custom Nginx configuration templates. #4382
- 🎆 Native gRPC proxying. Two new protocol types; `grpc` and `grpcs` correspond to gRPC over h2c and gRPC over h2. They can be specified on a Route or a Service's `protocol` attribute (e.g. `protocol = grpcs`). When an incoming HTTP/2 request matches a Route with a `grpc(s)` protocol, the request will be handled by the ngx_http_grpc_module, and proxied to the upstream Service according to the gRPC protocol specifications. ⚠️ Note that not all Kong plugins are compatible with gRPC requests yet. #4801
- 🎆 Mutual TLS handshake with upstream services. The Service entity now has a new `client_certificate` attribute, which is a foreign key to a Certificate entity. If specified, Kong will use the Certificate as a client TLS cert during the upstream TLS handshake. #4800
- 🎆 Route by any request header. The router now has the ability to match Routes by any request header (not only `Host`). The Route entity now has a new `headers` attribute, which is a map of headers names and values. E.g. `{ "X-Forwarded-Host": ["example.org"], "Version": ["2", "3"] }`. #4758
- 🎆 Least-connection load-balancing. A new `algorithm` attribute has been added to the Upstream entity. It can be set to `"round-robin"` (default), `"consistent-hashing"`, or `"least-connections"`. #4528
- A new core entity, "CA Certificates" has been introduced and can be accessed via the new `/ca_certificates` Admin API endpoint. CA Certificates entities will be used as CA trust store by Kong. Certificates stored by this entity need not include their private key. #4798
- Healthchecks now use the combination of IP + Port + Hostname when storing upstream health information. Previously, only IP + Port were used. This means that different virtual hosts served behind the same IP/port will be treated differently with regards to their health status. New endpoints were added to the Admin API to manually set a Target's health status. #4792
- 🎆 A new section in the `kong.conf` file describes injected Nginx directives (added to Kong 0.14.0) and specifies a few default ones. In future releases, we will gradually increase support for injected Nginx directives. We have high hopes that this will remove the occasional need for custom Nginx configuration templates. #4382
- 🎆 New configuration properties allow for controlling the behavior of upstream keepalive connections. `nginx_http_upstream_keepalive_requests` and `nginx_http_upstream_keepalive_timeout` respectively control the maximum number of proxied requests and idle timeout of an upstream connection. #4382
- New flags have been added to the `*_listen` properties: `deferred`, `bind`, and `reuseport`. #4692
- 🎆 Database export via the new `kong config db_export` CLI command. This command will export the configuration present in the database Kong is connected to (Postgres or Cassandra) as a YAML file following Kong's declarative configuration syntax. This file can thus be imported later on in a DB-less Kong node or in another database via `kong config db_import`. #4809
- Many endpoints now support more levels of nesting for ease of access. For example: `/services/:services/routes/:routes` is now a valid API endpoint. #4713
- The API now accepts `form-urlencoded` payloads with deeply nested data structures. Previously, it was only possible to send such data structures via JSON payloads. #4768
- 🎆 New bundled plugin: the session plugin is now bundled in Kong. It can be used to manage browser sessions for APIs proxied and authenticated by Kong. #4685
- ldap-auth: A new `config.ldaps` property allows configuring the plugin to connect to the LDAP server via TLS. It provides LDAPS support instead of only relying on STARTTLS. #4743
- jwt-auth: The new `header_names` property accepts an array of header names the JWT plugin should inspect when authenticating a request. It defaults to `["Authorization"]`. #4757
- azure-functions: Bumped to 0.4 for minor fixes and performance improvements.
- kubernetes-sidecar-injector: The plugin is now more resilient to Kubernetes schema changes.
- serverless-functions:
  - Bumped to 0.3 for minor performance improvements.
  - Functions can now have upvalues.
- prometheus: Bumped to 0.4.1 for minor performance improvements.
- cors: add OPTIONS, TRACE and CONNECT to default allowed methods #4899 Thanks to @eshepelyuk for the patch!
- New function `kong.service.set_tls_cert_key()`. This function sets the client TLS certificate used while handshaking with the upstream service. #4797
- Fix WebSocket protocol upgrades in some cases due to case-sensitive comparisons of the `Upgrade` header. #4780
- Router: Fixed a bug causing invalid matches when configuring two or more Routes with a plain `hosts` attribute shadowing another Route's wildcard `hosts` attribute. Details of the issue can be seen in 01b1cb8. #4775
- Router: Ensure regex paths always have priority over plain paths. Details of the issue can be seen in 2683b86. #4775
- Cleanup of expired rows in PostgreSQL is now much more efficient thanks to a new query plan. #4716
- Improved various query plans against Cassandra instances by increasing the default page size. #4770
- cors: ensure non-preflight OPTIONS requests can be proxied. #4899 Thanks to @eshepelyuk for the patch!
- Consumer references in various plugin entities are now properly marked as required, avoiding credentials that map to no Consumer. #4879
- hmac-auth: Correct the encoding of HTTP/1.0 requests. #4839
- oauth2: empty client_id wasn't checked, causing a server error. #4884
- response-transformer: preserve empty arrays correctly. #4901
- Fixed an issue when running `kong restart` and Kong was not running, causing stdout/stderr logging to turn off. #4772
- Ensure PUT works correctly when applied to plugin configurations. #4882
- Prevent PDK calls from failing in custom content blocks. This fixes a misbehavior affecting the Prometheus plugin. #4904
- Ensure `kong.response.add_header` works in the `rewrite` phase. #4888
Released on 2019/08/14
This is a patch release in the 1.2 series, and as such, strictly contains bugfixes. There are no new features nor breaking changes.
- Case sensitivity fix when clearing the Upgrade header. #4779
- Speed up cascade deletes in Cassandra. #4770
Released on 2019/06/26
This is a patch release in the 1.2 series, and as such, strictly contains bugfixes. There are no new features nor breaking changes.
- Fix an issue preventing WebSocket connections from being established by clients. This issue was introduced in Kong 1.1.2, and would incorrectly clear the `Upgrade` response header. #4719
- Fix a memory usage growth issue in the `/config` endpoint when configuring Upstream entities. This issue was mostly observed by users of the Kong Ingress Controller. #4733
- Cassandra: ensure serial consistency is `LOCAL_SERIAL` when a datacenter-aware load balancing policy is in use. This fixes unavailability exceptions sometimes experienced when connecting to a multi-datacenter cluster with cross-datacenter connectivity issues. #4734
- Schemas: fix an issue in the schema validator that would not allow specifying `false` in some schema rules, such as `{ type = "boolean", eq = false }`. #4708 #4727
- Fix an underlying issue with regards to database entities cache keys generation. #4717
- Ensure the `cassandra_local_datacenter` configuration property is specified when a datacenter-aware Cassandra load balancing policy is in use. #4734
- request-transformer: fix an issue that would prevent adding a body to requests without one. Kong/kong-plugin-request-transformer#4
- kubernetes-sidecar-injector: fix an issue causing mutating webhook calls to fail. Kong/kubernetes-sidecar-injector#9
Released on: 2019/06/07
This release brings improvements to reduce long latency tails, consolidates declarative configuration support, and comes with newly open sourced plugins previously only available to Enterprise customers. It also ships with new features improving observability and usability.
This release includes database migrations. Please take a few minutes to read the 1.2 Upgrade Path for more details regarding changes and migrations before planning to upgrade your Kong cluster.
⚠️ All Bintray repositories have been renamed from `kong-community-edition-*` to `kong-*`.
⚠️ All Kong packages have been renamed from `kong-community-edition` to `kong`.
For more details about the updated installation, please visit the official docs: https://konghq.com/install.
- 🎆 Support for wildcard SNI matching: the `ssl_certificate_by_lua` phase (and the stream `preread` phase) is now able to match a client hello SNI against any registered wildcard SNI. This is particularly helpful for deployments serving a certificate for multiple subdomains. #4457
- 🎆 HTTPS Routes can now be matched by SNI: the `snis` Route attribute (previously only available for `tls` Routes) can now be set for `https` Routes and is evaluated by the HTTP router. #4633
- 🎆 Native support for HTTPS redirects: Routes have a new `https_redirect_status_code` attribute specifying the status code to send back to the client if a plain text request was sent to an `https` Route. #4424
- The loading of declarative configuration is now done atomically, and with a safety check to verify that the new configuration fits in memory. #4579
- Schema fields can now be marked as immutable. #4381
- Support for loading custom DAO strategies from plugins. #4518
- Support for IPv6 to `tcp` and `tls` Routes. #4333
- 🎆 Asynchronous router updates: a new configuration property `router_consistency` accepts two possible values: `strict` and `eventual`. The former is the default setting and makes router rebuilds highly consistent between Nginx workers. It can result in long tail latency if frequent Routes and Services updates are expected. The latter helps prevent long tail latency issues by instructing Kong to rebuild the router asynchronously (with eventual consistency between Nginx workers). #4639
- 🎆 Database cache warmup: Kong can now preload entities during its initialization. A new configuration property (`db_cache_warmup_entities`) was introduced, allowing users to specify which entities should be preloaded. DB cache warmup allows for ahead-of-time DNS resolution for Services with a hostname. This feature reduces first requests latency, improving the overall P99 latency tail. #4565
- Improved PostgreSQL connection management: two new configuration properties have been added: `pg_max_concurrent_queries` sets the maximum number of concurrent queries to the database, and `pg_semaphore_timeout` allows for tuning the timeout when acquiring access to a database connection. The default behavior remains the same, with no concurrency limitation. #4551
- 🎆 Add declarative configuration hash checking avoiding reloading if the configuration has not changed. The `/config` endpoint now accepts a `check_hash` query argument. Hash checking only happens if this argument's value is set to `1`. #4609
- 🎆 Add a schema validation endpoint for entities: a new endpoint `/schemas/:entity_name/validate` can be used to validate an instance of any entity type in Kong without creating the entity itself. #4413
- 🎆 Add memory statistics to the `/status` endpoint. The response now includes a `memory` field, which contains the `lua_shared_dicts` and `workers_lua_vms` fields with statistics on shared dictionaries and workers Lua VM memory usage. #4592
- New function `kong.node.get_memory_stats()`. This function returns statistics on shared dictionaries and workers Lua VM memory usage, and powers the memory statistics newly exposed by the `/status` endpoint. #4632
- 🎆 Newly open-sourced plugin: the HTTP proxy-cache plugin (previously only available in Enterprise) is now bundled in Kong. #4650
- 🎆 Newly open-sourced plugin capabilities: The request-transformer plugin now includes capabilities previously only available in Enterprise, among which templating and variables interpolation. #4658
- Logging plugins: log request TLS version, cipher, and verification status. #4581 #4626
- Plugin development: inheriting from `BasePlugin` is now optional. Avoiding the inheritance paradigm improves plugins' performance. #4590
- Active healthchecks: `http` checks are not performed for `tcp` and `tls` Services anymore; only `tcp` healthchecks are performed against such Services. #4616
- Fix an issue where updates in migrations would not correctly populate default values. #4635
- Improvements in the reentrancy of Cassandra migrations. #4611
- Fix an issue causing the PostgreSQL strategy to not bootstrap the schema when using a PostgreSQL account with limited permissions. #4506
- Fix `kong db_import` to support inserting entities without specifying a UUID for their primary key. Entities with a unique identifier (e.g. `name` for Services) can have their primary key omitted. #4657
- The `kong migrations [up|finish] -f` commands do not run anymore if there are no previously executed migrations. #4617
- ldap-auth: ensure TLS connections are reused. #4620
- oauth2: ensured access tokens preserve their `token_expiration` value when migrating from previous Kong versions. #4572
Released on: 2019/04/24
This is a patch release in the 1.0 series. Being a patch release, it strictly contains bugfixes. There are no new features or breaking changes.
- core: address issue where field type "record" nested values reset on update #4495
- core: correctly manage primary keys of type "foreign" #4429
- core: declarative config is not parsed on db-mode anymore #4487 #4509
- db-less: Fixed a problem in Kong balancer timing out. #4534
- db-less: Accept declarative config directly in JSON requests. #4527
- db-less: do not mis-detect mesh mode #4498
- db-less: fix crash when field has same name as entity #4478
- basic-auth: ignore password if nil on basic auth credential patch #4470
- http-log: Simplify queueing mechanism. Fixed a bug where traces were lost in some cases. #4510
- request-transformer: validate header values in plugin configuration. Thanks, @rune-chan! #4512.
- rate-limiting: added index on rate-limiting metrics. Thanks, @mvanholsteijn! #4486
Released on: 2019/03/28
This release contains a fix for 0.14 Kong clusters using Cassandra to safely migrate to Kong 1.1.
- Ensure the 0.14 -> 1.1 migration path for Cassandra does not corrupt the database schema. #4450
- Allow the `kong config init` command to run without pointing to a prefix directory. #4451
Released on: 2019/03/27
This release introduces new features such as Declarative Configuration, DB-less Mode, Bulk Database Import, Tags, as well as Transparent Proxying. It contains a large number of other features and fixes, listed below. The Plugin Development Kit also saw a minor update, bumped to version 1.1.
This release includes database migrations. Please take a few minutes to read the 1.1 Upgrade Path for more details regarding changes and migrations before planning to upgrade your Kong cluster.
🔶 Post-release note (as of 2019/03/28): an issue has been found when migrating from a 0.14 Kong cluster to 1.1.0 when running on top of Cassandra. Kong 1.1.1 has been released to address this issue. Kong clusters running on top of PostgreSQL are not affected by this issue, and can migrate to 1.1.0 or 1.1.1 safely.
- 🎆 Kong can now run without a database, using in-memory storage only. When running Kong in DB-less mode, entities are loaded via a declarative configuration file, specified either through Kong's configuration file, or uploaded via the Admin API. #4315
- 🎆 Transparent proxying - the `service` attribute on Routes is now optional; a Route without an assigned Service will proxy transparently #4286
- Support for tags in entities #4275
  - Every core entity now adds a `tags` field
- New `protocols` field in the Plugin entity, allowing plugin instances to be set for specific protocols only (`http`, `https`, `tcp` or `tls`). #4248
  - It filters out plugins during execution according to their `protocols` field
  - It throws an error when trying to associate a Plugin to a Route which is not compatible, protocols-wise, or to a Service with no compatible routes.
- New option in `kong.conf`: `database=off` to start Kong without a database
- New option in `kong.conf`: `declarative_config=kong.yml` to load a YAML file using Kong's new declarative config format
- New option in `kong.conf`: `pg_schema` to specify Postgres schema to be used
- The Stream subsystem now supports Nginx directive injections #4148
  - `nginx_stream_*` (or `KONG_NGINX_STREAM_*` environment variables) for injecting entries to the `stream` block
  - `nginx_sproxy_*` (or `KONG_NGINX_SPROXY_*` environment variables) for injecting entries to the `server` block inside `stream`
- 🎆 Bulk database import using the same declarative configuration format as the in-memory mode, using the new command: `kong config db_import kong.yml`. This command upserts all entities specified in the given `kong.yml` file in bulk #4284
- New command: `kong config init` to generate a template `kong.yml` file to get you started
- New command: `kong config parse kong.yml` to verify the syntax of the `kong.yml` file before using it
- New option `--wait` in `kong quit` to ease graceful termination when using orchestration tools #4201
- New Admin API endpoint: `/config` to replace the configuration of Kong entities entirely, replacing it with the contents of a new declarative config file
  - When using the new `database=off` configuration option, the Admin API endpoints for entities (such as `/routes` and `/services`) are read-only, since the configuration can only be updated via `/config` #4308
- Admin API endpoints now support searching by tag (for example, `/consumers?tags=example_tag`)
  - You can search by multiple tags:
    - `/services?tags=serv1,mobile` to search for services matching tags `serv1` and `mobile`
    - `/services?tags=serv1/serv2` to search for services matching tags `serv1` or `serv2`
- New Admin API endpoint `/tags/` for listing entities by tag: `/tags/example_tag`
- New PDK function: `kong.client.get_protocol` for obtaining the protocol in use during the current request #4307
- New PDK function: `kong.nginx.get_subsystem`, so plugins can detect whether they are running on the HTTP or Stream subsystem #4358
- 🎆 Support for ACL authenticated groups, so that authentication plugins that use a 3rd party (other than Kong) to store credentials can benefit from using a central ACL plugin to do authorization for them #4013
- The Kubernetes Sidecar Injection plugin is now bundled into Kong for a smoother K8s experience #4304
- aws-lambda: includes AWS China region. Thanks @wubins for the patch! #4176
- The required OpenResty version is still 1.13.6.2, but for a full feature set including stream routing and Service Mesh abilities with mutual TLS, Kong's openresty-patches must be applied (those patches are already bundled with our official distribution packages). The openresty-patches bundle was updated in Kong 1.1.0 to include the `stream_realip_module` as well. Kong in HTTP(S) Gateway scenarios does not require these patches. #4163
- Service Mesh abilities require at least OpenSSL version 1.1.1. In our official distribution packages, OpenSSL has been bumped to 1.1.1b. #4345, #4440
- Resolve hostnames properly during initialization of Cassandra contact points #4296, #4378
- Fix health checks for Targets that need two-level DNS resolution (e.g. SRV → A → IP) #4386
- Fix serialization of map types in the Cassandra backend #4383
- Fix target cleanup and cascade-delete for Targets #4319
- Avoid crash when failing to obtain list of Upstreams #4301
- Disallow invalid timeout value of 0ms for attributes in Services #4430
- DAO fix for foreign fields used as primary keys #4387
- Proper support for `PUT /{entities}/{entity}/plugins/{plugin}` #4288
- Fix Admin API inferencing of map types using form-encoded #4368
- Accept UUID-like values in `/consumers?custom_id=` #4435
- basic-auth, ldap-auth, key-auth, jwt, hmac-auth: fixed status code for unauthorized requests: they now return HTTP 401 instead of 403 #4238
- tcp-log: remove spurious trailing carriage return. Thanks @cvuillemez for the patch! #4158
- jwt: fix `typ` handling for supporting JOSE (JSON Object Signature and Validation). Thanks @cdimascio for the patch! #4256
- Fixes to the best-effort auto-converter for legacy plugin schemas #4396
Released on: 2019/01/31
This is a patch release addressing several regressions introduced in some plugins, and improving the robustness of our migrations and core components.
- Improve Cassandra schema consensus logic when running migrations. #4233
- Ensure Routes that don't have a `regex_priority` (e.g. if it was removed as part of a `PATCH`) don't prevent the router from being built. #4255
- Reduce rebuild time of the load balancer by retrieving larger sized pages of Target entities. #4206
- Ensure schema definitions of Arrays and Sets with `default = {}` are JSON-encoded as `[]`. #4257
- request-transformer: fix a regression causing the upstream Host header to be unconditionally set to that of the client request (effectively, as if the Route had `preserve_host` enabled). #4253
- cors: fix a regression that prevented regex origins from being matched. Regexes such as `(.*[.])?example\.org` can now be used to match all sub-domains, while regexes containing `:` will be evaluated against the scheme and port of an origin (i.e. `^https?://(.*[.])?example\.org(:8000)?$`). #4261
- oauth2: fix a runtime error when using a global token against a plugin not configured as global (i.e. with `global_credentials = false`). #4262
- Improve performance of the `PUT` method in auth plugins endpoints (e.g. `/consumers/:consumers/basic-auth/:basicauth_credentials`) by preventing an unnecessary read-before-write. #4206
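The cors entry in this release distinguishes origin regexes that see only the host from regexes containing `:` that also see the scheme and port. The Python sketch below is an added example, not Kong's plugin code: it models that rule as the entry states it and, because the entry does not say how the expression is anchored, evaluates each pattern both as a whole-string match and as a substring search to list origins whose acceptance depends on anchoring. The sample origins and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# The two patterns quoted in the changelog entry.
HOST_RE = r"(.*[.])?example\.org"
FULL_RE = r"^https?://(.*[.])?example\.org(:8000)?$"

# Constructed sample Origin header values (not taken from the changelog).
SAMPLE_ORIGINS = [
    "https://example.org",
    "https://api.example.org",
    "http://example.org:8000",
    "https://example.org:9000",
    "https://notexample.org",
    "https://example.org.lookalike.test",
]


def subject_for(origin_regex, origin):
    """Choose the string the regex is evaluated against.

    Assumption modelled from the entry: a regex containing ':' is evaluated
    against scheme://host[:port]; any other regex sees only the host.
    """
    if ":" in origin_regex:
        return origin
    return urlsplit(origin).hostname or ""


def origin_allowed(origin_regex, origin, whole_string=True):
    """Return True if the origin is accepted by the configured regex.

    whole_string=True requires the pattern to cover the entire subject;
    whole_string=False accepts a match anywhere inside it.
    """
    subject = subject_for(origin_regex, origin)
    matcher = re.fullmatch if whole_string else re.search
    return matcher(origin_regex, subject) is not None


def anchoring_dependent(origin_regex, origins):
    """List origins accepted by a substring search but not by a whole-string
    match. A non-empty result means the pattern relies on the matcher to
    anchor it and should carry explicit ^ and $ in the configuration."""
    return [
        o for o in origins
        if origin_allowed(origin_regex, o, whole_string=False)
        and not origin_allowed(origin_regex, o, whole_string=True)
    ]


if __name__ == "__main__":
    for pattern in (HOST_RE, FULL_RE):
        print("pattern:", pattern)
        for origin in SAMPLE_ORIGINS:
            print("  %-40s allowed=%s" % (origin, origin_allowed(pattern, origin)))
        print("  anchoring-dependent:", anchoring_dependent(pattern, SAMPLE_ORIGINS))
```

The host-only pattern accepts `https://example.org:9000` because the port is never part of what it is matched against, while the anchored scheme-and-port pattern rejects it.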
Released on: 2019/01/18
This is a hotfix release mainly addressing an issue when connecting to the datastore over TLS (Cassandra and PostgreSQL).
- Fix an issue that would prevent Kong from starting when connecting to its datastore over TLS. #4214 #4218
- Ensure plugins added via `PUT` get enabled without requiring a restart. #4220
- zipkin
  - Fix a logging failure when DNS is not resolved. kong-plugin-zipkin@a563f51
  - Avoid sending redundant tags. kong-plugin-zipkin/pull/28
  - Move `run_on` field to top level plugin schema instead of its config. kong-plugin-zipkin/pull/38
Released on: 2019/01/16
This is a patch release in the 1.0 series. Being a patch release, it strictly contains performance improvements and bugfixes. There are no new features or breaking changes.
🔴 Post-release note (as of 2019/01/17): A regression has been observed with this version, preventing Kong from starting when connecting to its datastore over TLS. Installing this version is discouraged; consider upgrading to 1.0.2.
- Ensure `lua_ssl_verify_depth` works even when `lua_ssl_trusted_certificate` is not set #4165. Thanks @rainest for the patch.
- Ensure Kong starts when only a `stream` listener is enabled #4195
- Ensure Postgres works with non-`public` schemas #4198
- Fix an artifact in upstream migrations where `created_at` timestamps would occasionally display fractional values #4183, #4204
- Fixed issue with HTTP/2 support advertisement #4203
- Fixed handling of invalid targets in `/upstreams` endpoints for health checks #4132, #4205
- Fixed the `/plugins/schema/:name` endpoint, as it was failing in some cases (e.g. the `datadog` plugin) and producing incorrect results in others (e.g. `request-transformer`). #4136, #4137 #4151, #4162
Released on: 2018/12/18
This is a major release, introducing new features such as Service Mesh and Stream Routing support, as well as a New Migrations framework. It also includes version 1.0.0 of the Plugin Development Kit. It contains a large number of other features and fixes, listed below. Also, all plugins included with Kong 1.0 are updated to use version 1.0 of the PDK.
As usual, major version upgrades require database migrations and changes to the Nginx configuration file (if you customized the default template). Please take a few minutes to read the 1.0 Upgrade Path for more details regarding breaking changes and migrations before planning to upgrade your Kong cluster.
Being a major version, all entities and concepts that were marked as deprecated in Kong 0.x are now removed in Kong 1.0. The deprecated features are retained in Kong 0.15, the final entry in the Kong 0.x series, which is being released simultaneously to Kong 1.0.
Kong 1.0 includes all breaking changes from 0.15, as well as the removal of deprecated concepts.
- The required OpenResty version is still 1.13.6.2, but for a full feature set including stream routing and Service Mesh abilities with mutual TLS, Kong's openresty-patches must be applied (those patches are already bundled with our official distribution packages). Kong in HTTP(S) Gateway scenarios does not require these patches.
- Service Mesh abilities require at least OpenSSL version 1.1.1. In our official distribution packages, OpenSSL has been bumped to 1.1.1. #4005
- ⚠️ The `custom_plugins` directive is removed (deprecated since 0.14.0, July 2018). Use `plugins` instead.
- Modifications must be applied to the Nginx configuration. You are not affected by this change if you do not use a custom Nginx template. See the 1.0 Upgrade Path for a diff of changes to apply.
- The default value for `cassandra_lb_policy` changed from `RoundRobin` to `RequestRoundRobin`. This helps reduce the amount of new connections being opened during a request when using the Cassandra strategy. #4004
- ⚠️ The API entity and related concepts such as the `/apis` endpoint, are removed (deprecated since 0.13.0, March 2018). Use Routes and Services instead.
- ⚠️ The old DAO implementation is removed, along with the old schema validation library (`apis` was the last entity using it). Use the new schema format instead in custom plugins. To ease the transition of plugins, the plugin loader in 1.0 includes a best-effort schema auto-translator, which should be sufficient for many plugins.
- Timestamps now bear millisecond precision in their decimal part. #3660
- The PDK function `kong.request.get_body` will now return `nil, err, mime` when the body is valid JSON but neither an object nor an array. #4063
- ⚠️ The new migrations framework (detailed below) has a different usage (and subcommands) compared to its predecessor. #3802
- ⚠️ In the 0.14.x release, Upstreams, Targets, and Plugins were still implemented using the old DAO and Admin API. In 0.15.0 and 1.0.0, all core entities use the new `kong.db` DAO, and their endpoints have been upgraded to the new Admin API (see below for details). #3689 #3739 #3778
A summary of the changes introduced in the new Admin API:
- Pagination has been included in all "multi-record" endpoints, and pagination control fields are different than in 0.14.x.
- Filtering now happens via URL path changes (`/consumers/x/plugins`) instead of querystring fields (`/plugins?consumer_id=x`).
- Array values can't be coerced from comma-separated strings anymore. They must now be "proper" JSON values on JSON requests, or use a new syntax on form-url-encoded or multipart requests.
- Error messages have been reworked from the ground up to be more consistent, precise and informative.
- The `PUT` method has been reimplemented with idempotent behavior and has been added to some entities that didn't have it.
For more details about the new Admin API, please visit the official docs: https://docs.konghq.com/
- ⚠️ The `galileo` plugin has been removed (deprecated since 0.13.0). #3960
- ⚠️ Some internal modules that were occasionally used by plugin authors before the introduction of the Plugin Development Kit (PDK) in 0.14.0 are now removed:
  - The `kong.tools.ip` module was removed. Use `kong.ip` from the PDK instead.
  - The `kong.tools.public` module was removed. Use the various equivalent features from the PDK instead.
  - The `kong.tools.responses` module was removed. Please use `kong.response.exit` from the PDK instead. You might want to use `kong.log.err` to log internal server errors as well.
  - The `kong.api.crud_helpers` module was removed (deprecated since the introduction of the new DAO in 0.13.0). Use `kong.api.endpoints` instead if you need to customize the auto-generated endpoints.
- All bundled plugins' schemas and custom entities have been updated to the new `kong.db` module, and their APIs have been updated to the new Admin API, which is described in the above section. #3766 #3774 #3778 #3839
- ⚠️ All plugins migrations have been converted to the new migration framework. Custom plugins must use the new migration framework from 0.15 onwards.
Kong's Service Mesh support resulted in a number of additions to Kong's configuration, Admin API, and plugins that deserve their own section in this changelog.
- Support for TCP & TLS Stream Routes via the new `stream_listen` config option. #4009
- A new `origins` config property allows overriding hosts from Kong. #3679
- A `transparent` suffix added to stream listeners allows for setting up a dynamic Service Mesh with `iptables`. #3884
- Kong instances can now create a shared internal Certificate Authority, which is used for Service Mesh TLS traffic. #3906 #3861
- Plugins get a new `run_on` field to control how they behave in a Service Mesh environment. #3930 #4066
- There is a new phase called `preread`. This is where stream traffic routing is done.
- A new `dns_valid_ttl` property can be set to forcefully override the TTL value of all resolved DNS records. #3730
- A new `pg_timeout` property can be set to configure the timeout of PostgreSQL connections. #3808
- `upstream_keepalive` can now be disabled when set to 0. Thanks @pryorda for the patch. #3716
- The new `transparent` suffix also applies to the `proxy_listen` directive.
- 🎆 New migrations framework. This new implementation supports no-downtime, Blue/Green migrations paths that will help sustain Kong 1.0's stability. It brings a considerable number of other improvements, such as new commands, better support for automation, improved CLI logging, and many more. Additionally, this new framework alleviates the old limitation around multiple nodes running concurrent migrations. See the related PR for a complete list of improvements. #3802
- 🎆 Support for TLS 1.3. The support for OpenSSL 1.1.1 (bumped in our official distribution packages) not only enabled Service Mesh features, but also unlocks support for the latest version of the TLS protocol.
- 🎆 Support for HTTPS in active healthchecks. #3815
- 🎆 Improved router rebuilds resiliency by reducing database accesses in high concurrency scenarios. #3782
- 🎆 Significant performance improvements in the core's plugins runloop. #3794
- PDK improvements:
  - New `kong.node` module. #3826
  - New functions `kong.response.get_path_with_query()` and `kong.request.get_start_time()`. #3842
  - Getters and setters for Service, Route, Consumer, and Credential. #3916
  - `kong.response.get_source()` returns `error` on nginx-produced errors. #4006
  - `kong.response.exit()` can be used in the `header_filter` phase, but only without a body. #4039
- Schema improvements:
  - New field validators: `distinct`, `ne`, `is_regex`, `contains`, `gt`.
  - Adding a new field which has a default value to a schema no longer requires a migration. #3756
- 🎆 Routes now have a `name` field (like Services). #3764
- Multipart parsing support. #3776
- Admin API errors expose the name of the current strategy. #3612
- 🎆 aws-lambda: Support for Lambda Proxy Integration with the new `is_proxy_integration` property. Thanks @aloisbarreras for the patch! #3427.
- http-log: Support for buffering logging messages in a configurable logging queue. #3604
- Most plugins' logic has been rewritten with the PDK instead of using internal Kong functions or ngx_lua APIs.
- Fix an issue which would insert an extra `/` in the upstream URL when the request path was longer than the configured Route's `path` attribute. #3780
- Ensure better backwards-compatibility between the new DAO and existing core runloop code regarding null values. #3772 #3710
- Ensure support for Datastax Enterprise 6.x. Thanks @gchristidis for the patch! #3873
- Various issues with the PostgreSQL DAO strategy were addressed.
- Various issues related to the new schema library bundled with the new DAO were addressed.
- PDK improvements:
  - `kong.request.get_path()` and other functions now properly handle cases when `$request_uri` is nil. #3842
- Ensure the `/certificates` endpoints properly return all SNIs configured on a given certificate. #3722
- Ensure the `upstreams/:upstream/targets/...` endpoints return an empty JSON array (`[]`) instead of an empty object (`{}`) when no targets exist. #4058
- Improved inferring of arguments with `application/x-www-form-urlencoded`. #3770
- Fix the handling of default values in some cases when using `PATCH`. #3910
- cors:
  - Ensure `Vary: Origin` is set when `config.credentials` is enabled. Thanks @marckhouzam for the patch! #3765
  - Return HTTP 200 instead of 204 for preflight requests. Thanks @aslafy-z for the patch! #4029
  - Ensure request origins specified as flat strings are safely validated. #3872
- acl: Minor performance improvements by ensuring proper caching of computed values. #4040
- correlation-id: Prevent an error from being thrown when the access phase was skipped, such as on nginx-produced errors. #4006
- aws-lambda: When the client uses HTTP/2, strip response headers that are disallowed by the protocols. #4032
- rate-limiting & response-ratelimiting: Improve efficiency by avoiding unnecessary Redis `SELECT` operations. #3973
Released on: 2018/12/18
This is the last release in the 0.x series, giving users one last chance to upgrade while still using some of the options and concepts that were marked as deprecated in Kong 0.x and were removed in Kong 1.0.
For a list of additions and fixes in Kong 0.15, see the 1.0.0 changelog. This release includes all new features included in 1.0 (Service Mesh, Stream Routes and New Migrations), but unlike Kong 1.0, it retains a lot of the deprecated functionality, such as the API entity. Still, Kong 0.15 does have a number of breaking changes related to functionality that has changed since version 0.14 (see below).
If you are starting with Kong, we recommend you to use 1.0.0 instead of this release.
If you are already using Kong 0.14, our recommendation is to plan to move to 1.0 -- see the 1.0 Upgrade Path document for details. Upgrading to 0.15.0 is only recommended if you can't do away with the deprecated features but you need some fixes or new features right now.
- The required OpenResty version is still 1.13.6.2, but for a full feature set including stream routing and Service Mesh abilities with mutual TLS, Kong's openresty-patches must be applied (those patches are already bundled with our official distribution packages). Kong in HTTP(S) Gateway scenarios does not require these patches.
- Service Mesh abilities require at least OpenSSL version 1.1.1. In our official distribution packages, OpenSSL has been bumped to 1.1.1. #4005
- The default value for `cassandra_lb_policy` changed from `RoundRobin` to `RequestRoundRobin`. This helps reduce the amount of new connections being opened during a request when using the Cassandra strategy. #4004
- Timestamps now bear millisecond precision in their decimal part. #3660
- The PDK function `kong.request.get_body` will now return `nil, err, mime` when the body is valid JSON but neither an object nor an array. #4063
- ⚠️ The new migrations framework (detailed in the 1.0.0 changelog) has a different usage (and subcommands) compared to its predecessor. #3802
- ⚠️ In the 0.14.x release, Upstreams, Targets, and Plugins were still implemented using the old DAO and Admin API. In 0.15.0 and 1.0.0, all core entities use the new `kong.db` DAO, and their endpoints have been upgraded to the new Admin API (see below for details). #3689 #3739 #3778
A summary of the changes introduced in the new Admin API:
- Pagination has been included in all "multi-record" endpoints, and pagination control fields are different than in 0.14.x.
- Filtering now happens via URL path changes (`/consumers/x/plugins`) instead of querystring fields (`/plugins?consumer_id=x`).
- Array values can't be coerced from comma-separated strings. They must be "proper" JSON values on JSON requests, or use a new syntax on form-url-encoded or multipart requests.
- Error messages have been reworked from the ground up to be more consistent, precise and informative.
- The `PUT` method has been reimplemented with idempotent behavior and has been added to some entities that didn't have it.
For more details about the new Admin API, please visit the official docs: https://docs.konghq.com/
- All bundled plugins' schemas and custom entities have been updated to the new `kong.db` module, and their APIs have been updated to the new Admin API, which is described in the above section. #3766 #3774 #3778 #3839
- ⚠️ All plugins migrations have been converted to the new migration framework. Custom plugins must use the new migration framework from 0.15 onwards.
Kong 0.15.0 contains the same additions as 1.0.0. See the 1.0.0 changelog for a complete list.
Kong 0.15.0 contains the same fixes as 1.0.0. See the 1.0.0 changelog for a complete list.
Released on: 2018/08/21
- jwt: Support for tokens signed with HS384 and HS512. Thanks @kepkin for the patch. #3589
- acl: Add a new `hide_groups_header` configuration option. If enabled, this option prevents the plugin from injecting the `X-Consumer-Groups` header into the upstream request. Thanks @jeremyjpj0916 for the patch! #3703
- Prevent some plugins from breaking in subtle ways when manipulating some entities and their attributes. An example of such breaking behavior could be observed when Kong was wrongly injecting `X-Consumer-Username: userdata: NULL` in upstream requests headers, instead of not injecting this header at all. #3714
- Fix an issue which, in some cases, prevented the use of Kong with Cassandra in environments where DNS load-balancing is in effect for contact points provided as hostnames (e.g. Kubernetes with `cassandra_contact_points = cassandra`). #3693
- Fix an issue which prevented the use of UNIX domain sockets in some logging plugins, and custom plugins making use of such sockets. Thanks @rucciva for the patch. #3633
- Avoid logging false-negative error messages related to worker events. #3692
- Database connectivity errors are properly prefixed with the database name again (e.g. `[postgres]`). #3648
- zipkin
  - Allow usage of the plugin with the deprecated "API" entity, and introduce a new `kong.api` tag. kong-plugin-zipkin/commit/4a645e9
  - Properly report the `kong.credential` tag. kong-plugin-zipkin/commit/c627c36
  - Ensure the plugin does not throw errors when no Route was matched. kong-plugin-zipkin#19
- basic-auth: Passwords with whitespaces are not trimmed anymore. Thanks @aloisbarreras for the patch. #3650
- hmac-auth: Ensure backward compatibility for clients generating signatures without the request's querystring, as is the case for Kong versions prior to 0.14.0, which broke this behavior. Users of this plugin on previous versions of Kong can now safely upgrade to the 0.14 family. Thanks @mlehner616 for the patch! #3699
- ldap-auth
  - Set the WWW-Authenticate header authentication scheme accordingly with the `conf.header_type` property, which allows browsers to show the authentication popup automatically. Thanks @francois-maillard for the patch. #3656
  - Invalid authentication attempts do not block subsequent valid attempts anymore. #3677
0.14.0 - 2018/07/05
This release introduces the first version of the Plugin Development Kit: a Lua SDK, comprised of a set of functions to ease the development of custom plugins.
Additionally, it contains several major improvements consolidating Kong's feature set and flexibility, such as the support for `PUT` endpoints on the Admin API for idempotent workflows, the execution of plugins during Nginx-produced errors, and the injection of Nginx directives without having to rely on the custom Nginx configuration pattern!
Finally, new bundled plugins allow Kong to better integrate with Cloud Native environments, such as Zipkin and Prometheus.
As usual, major version upgrades require database migrations and changes to the Nginx configuration file (if you customized the default template). Please take a few minutes to read the 0.14 Upgrade Path for more details regarding breaking changes and migrations before planning to upgrade your Kong cluster.
- ⚠️ The required OpenResty version has been bumped to 1.13.6.2. If you are installing Kong from one of our distribution packages, you are not affected by this change. #3498
- ⚠️ Support for PostgreSQL 9.4 (deprecated in 0.12.0) is now dropped. #3490
- ⚠️ Support for Cassandra 2.1 (deprecated in 0.12.0) is now dropped. #3490
- ⚠️ The `server_tokens` and `latency_tokens` configuration properties have been removed. Instead, a new `headers` configuration property replaces them and allows for more granular settings of injected headers (e.g. `Server`, `Via`, `X-Kong-*-Latency`, etc...). #3300
- ⚠️ New required `lua_shared_dict` entries must be added to the Nginx configuration. You are not affected by this change if you do not use a custom Nginx template. #3557
- ⚠️ Other important modifications must be applied to the Nginx configuration. You are not affected by this change if you do not use a custom Nginx template. #3533
- ⚠️ The Runscope plugin has been dropped, based on the EoL announcement made by Runscope about their Traffic Inspector product. #3495
- ⚠️ The SSL Certificates and SNI entities have moved to the new DAO implementation. As such, the `/certificates` and `/snis` endpoints have received notable usability improvements, but suffer from a few breaking changes. #3386
- ⚠️ The Consumers entity has moved to the new DAO implementation. As such, the `/consumers` endpoint has received notable usability improvements, but suffers from a few breaking changes. #3437
- The default value of `db_cache_ttl` is now `0` (disabled). Now that our level of confidence around the new caching mechanism introduced in 0.11.0 is high enough, we consider `0` (no TTL) to be an appropriate default for production environments, as it offers a smoother cache consumption behavior and reduces database pressure. #3492
- 🎆 Serve stale data from the database cache when the datastore cannot be reached. Such stale items are "resurrected" for `db_resurrect_ttl` seconds (see configuration section). #3579
- Reduce LRU churning in the database cache against some workloads. #3550
- 🎆 Support for injecting Nginx directives via configuration properties (in the `kong.conf` file or via environment variables)! This new way of customizing the Nginx configuration should render obsolete the old way of maintaining a custom Nginx template in most cases! #3530
- 🎆 Support for selectively disabling bundled plugins. A new `plugins` configuration property is introduced, and is used to specify which plugins should be loaded by the node. Custom plugins should now be specified in this new property, and the `custom_plugins` property is deprecated. If desired, Kong administrators can specify a minimal set of plugins to load (instead of the default, bundled plugins), and improve P99 latency thanks to the resulting decrease in database traffic. #3387
- The new `headers` configuration property allows for specifying the injection of a new header: `X-Kong-Upstream-Status`. When enabled, Kong will inject this header containing the HTTP status code of the upstream response in the client response. This is particularly useful for clients to distinguish upstream statuses upon rewriting of the response by Kong. #3263
- A new `db_resurrect_ttl` configuration property can be set to customize the amount of time stale data can be resurrected for when it cannot be refreshed. Defaults to 30 seconds. #3579
- Two new Cassandra load balancing policies are available: `RequestRoundRobin` and `RequestDCAwareRoundRobin`. Both policies guarantee that the same peer will be reused across several queries during the lifetime of a request, thus guaranteeing no new connection will be opened against a peer during this request. #3545
- 🎆 Execute plugins on Nginx-produced errors. Now, when Nginx produces a 4xx error (upon invalid requests) or 5xx (upon failure from the load balancer to connect to a Service), Kong will execute the response phases of its plugins (`header_filter`, `body_filter`, `log`). As such, Kong logging plugins are not blind to such Nginx-produced errors anymore, and will start properly reporting them. Plugins should be built defensively against cases where their `rewrite` or `access` phases were not executed. #3533
- 🎆 Support for cookie-based load balancing! #3472
- 🎆 Introduction of the Plugin Development Kit! A set of Lua functions and variables that will greatly ease and speed up the task of developing custom plugins. The Plugin Development Kit (PDK) allows the retrieval and manipulation of the request and response objects, as well as interacting with various core components (e.g. logging, load balancing, DAO, etc...) without having to rely on OpenResty functions, and with the guarantee of their forward-compatibility with future versions of Kong. #3556
- 🎆 New bundled plugin: Zipkin! This plugin allows Kong to sample traces and report them to a running Zipkin instance. (See: https://github.com/Kong/kong-plugin-zipkin) #3434
- 🎆 New bundled plugin: Prometheus! This plugin allows Kong to expose metrics in the Prometheus Exposition format. Available metrics include HTTP status codes, latencies histogram, bandwidth, and more... (See: https://github.com/Kong/kong-plugin-prometheus) #3547
- 🎆 New bundled plugin: Azure Functions! This plugin can be used to invoke Microsoft Azure Functions, similarly to the already existing AWS Lambda and OpenWhisk plugins. (See: https://github.com/Kong/kong-plugin-azure-functions) #3428
- 🎆 New bundled plugin: Serverless Functions! Dynamically run Lua without having to write a full-fledged plugin. Lua code snippets can be uploaded via the Admin API and be executed during Kong's `access` phase. (See: https://github.com/Kong/kong-plugin-serverless-functions) #3551
- jwt: Support for limiting the allowed expiration period of JWT tokens. A new `config.maximum_expiration` property can be set to indicate the maximum number of seconds the `exp` claim may be ahead in the future. Thanks @mvanholsteijn for the patch! #3331
- aws-lambda: Add `us-gov-west-1` to the list of allowed regions. #3529
- 🎆 Support for `PUT` in new endpoints (e.g. `/services/{id or name}`, `/routes/{id}`, `/consumers/{id or username}`), allowing the development of idempotent configuration workflows when scripting the Admin API. #3416
- Support for `PATCH` and `DELETE` on the `/services/{name}`, `/consumers/{username}`, and `/snis/{name}` endpoints. #3416
- Properly support IPv6 addresses in `proxy_listen` and `admin_listen` configuration properties. #3508
- IPv6 nameservers with a scope are now ignored by the DNS resolver. #3478
- SRV records without a port number now return the default port instead of `0`. #3478
- Ensure DNS-based round robin load balancing starts at a randomized position to prevent all Nginx workers from starting with the same peer. #3478
- Properly report timeouts in passive health checks. Previously, connection timeouts were counted as `tcp_failures`, and upstream timeouts were ignored. Health check users should ensure that their `timeout` settings reflect their intended behavior. #3539
- Ensure active health check probe requests send the `Host` header. #3496
- Overall, more reliable health checks healthiness counters behavior. #3496
- Do not set `Content-Type` headers on HTTP 204 No Content responses. #3351
- Ensure the PostgreSQL connector of the new DAO (used by Services, Routes, Consumers, and SSL certs/SNIs) is now fully re-entrant and properly behaves in busy workloads (e.g. scripting requests to the Admin API). #3423
- Properly route HTTP/1.0 requests without a Host header when using the old deprecated "API" entity. #3438
- Ensure that all Kong-produced errors respect the `headers` configuration setting (previously `server_tokens`) and do not include the `Server` header if not configured. #3511
- Harden an existing Cassandra migration. #3532
- Prevent the load balancer from needlessly rebuilding its state when creating Targets. #3477
- Prevent some harmless error logs from being printed during startup when initialization takes more than a few seconds. #3443
- hmac: Ensure that empty request bodies do not pass validation if there is no digest header. Thanks @mvanholsteijn for the patch! #3347
- response-transformer: Prevent the plugin from throwing an error when its `access` handler did not get a chance to run (e.g. on short-circuited, unauthorized requests). #3524
- aws-lambda: Ensure logging plugins subsequently run when this plugin terminates. #3512
- request-termination: Ensure logging plugins subsequently run when this plugin terminates. #3513
- Requests to `/healthy` and `/unhealthy` endpoints for upstream health checks now properly propagate the new state to other nodes of a Kong cluster. #3464
- Do not produce an HTTP 500 error when POST-ing to `/services` with an empty `url` argument. #3452
- Ensure foreign keys are required when creating child entities (e.g. `service.id` when creating a Route). Previously some rows could have an empty `service_id` field. #3548
- Better type inference in new endpoints (e.g. `/services`, `/routes`, `/consumers`) when using `application/x-www-form-urlencoded` MIME type. #3416
0.13.1 - 2018/04/23
This release contains numerous bug fixes and a few convenience features.
Notably, a best-effort/backwards-compatible approach is followed to resolve `no memory` errors caused by the fragmentation of shared memory between the core and plugins.
- Cache misses are now stored in a separate shared memory zone from hits if such a zone is defined. This reduces cache turnover and can increase the cache hit ratio quite considerably. Users with a custom Nginx template are advised to define such a zone to benefit from this behavior: `lua_shared_dict kong_db_cache_miss 12m;`.
- We now ensure that the Cassandra or PostgreSQL instance Kong is connecting to falls within the supported version range. Deprecated versions result in warning logs. As a reminder, Kong 0.13.x supports Cassandra 2.2+, and PostgreSQL 9.5+. Cassandra 2.1 and PostgreSQL 9.4 are supported, but deprecated. #3310
- HTTP 494 errors thrown by Nginx are now caught by Kong and produce a native, Kong-friendly response. Thanks @ti-mo for the contribution! #3112
- Report errors when compiling custom Nginx templates. #3294
- Friendlier behavior of Routes schema validation: PATCH requests can be made without specifying all three of `methods`, `hosts`, or `paths` if at least one of the three is specified in the body. #3364
- jwt: Support for identity providers using JWKS by ensuring the `config.key_claim_name` value is looked for in the token header. Thanks @brycehemme for the contribution! #3313
- basic-auth: Allow specifying empty passwords. Thanks @zhouzhuojie and @perryao for the contributions! #3243
- Numerous users have reported `no memory` errors which were caused by circumstantial memory fragmentation. Such errors, while still possible if plugin authors are not careful, should now mostly be addressed. #3311

  If you are using a custom Nginx template, be sure to define the following shared memory zones to benefit from these fixes:

  ```
  lua_shared_dict kong_db_cache_miss 12m;
  lua_shared_dict kong_rate_limiting_counters 12m;
  ```
- Redirect Nginx's stdout and stderr output to `kong start` when `nginx_daemon` is enabled (such as when using the Kong Docker image). This also prevents growing log files when Nginx redirects logs to `/dev/stdout` and `/dev/stderr` but `nginx_daemon` is disabled. #3297
- Set a Service's `port` to `443` when the `url` convenience parameter uses the `https://` scheme. #3358
- Ensure PATCH requests do not return an error when un-setting foreign key fields with JSON `null`. #3355
- Ensure the `/plugin/schema/:name` endpoint does not corrupt plugins' schemas. #3348
- Properly URL-decode path segments of plugins endpoints accepting spaces (e.g. `/consumers/<consumer>/basic-auth/John%20Doe/`). #3250
- Properly serialize boolean filtering values when using Cassandra. #3362
- rate-limiting/response-rate-limiting:
  - If defined in the Nginx configuration, will use a dedicated `lua_shared_dict` instead of using the `kong_cache` shared memory zone. This prevents memory fragmentation issues resulting in `no memory` errors observed by numerous users. Users with a custom Nginx template are advised to define such a zone to benefit from this fix: `lua_shared_dict kong_rate_limiting_counters 12m;`. #3311
  - When using the Redis strategy, ensure the correct Redis database is selected. This issue could occur when several request and response rate-limiting were configured using different Redis databases. Thanks @mengskysama for the patch! #3293
- key-auth: Respect request MIME type when re-encoding the request body if both `config.key_in_body` and `config.hide_credentials` are enabled. Thanks @p0pr0ck5 for the patch! #3213
- oauth2: Return HTTP 400 on invalid `scope` type. Thanks @Gman98ish for the patch! #3206
- ldap-auth: Ensure the plugin does not throw errors when configured as a global plugin. #3354
- hmac-auth: Verify signature against non-normalized (`$request_uri`) request line (instead of `$uri`). #3339
- aws-lambda: Fix a typo in upstream headers sent to the function. We now properly send the `X-Amz-Log-Type` header. #3398
0.13.0 - 2018/03/22
This release introduces two new core entities that will improve the way you configure Kong: Routes & Services. Those entities replace the "API" entity and simplify the setup of non-naive use-cases by providing better separation of concerns and allowing for plugins to be applied to specific endpoints.
As usual, major version upgrades require database migrations and changes to the Nginx configuration file (if you customized the default template). Please take a few minutes to read the 0.13 Upgrade Path for more details regarding breaking changes and migrations before planning to upgrade your Kong cluster.
- ⚠️ The `proxy_listen` and `admin_listen` configuration values have a new syntax. This syntax is more aligned with that of NGINX and is more powerful while also simpler. As a result, the following configuration values have been removed because superfluous: `ssl`, `admin_ssl`, `http2`, `admin_http2`, `proxy_listen_ssl`, and `admin_listen_ssl`. #3147
- ⚠️ galileo: As part of the Galileo deprecation path, the galileo plugin is not enabled by default anymore, although still bundled with 0.13. Users are advised to stop using the plugin, but for the time being can keep enabling it by adding it to the `custom_plugin` configuration value. #3233
- ⚠️ rate-limiting (Cassandra): The default migration for including Routes and Services in plugins will remove and re-create the Cassandra rate-limiting counters table. This means that users that were rate-limited because of excessive API consumption will be able to consume the API until they reach their limit again. There is no such data deletion in PostgreSQL. def201f
- Note to Docker users: The `latest` tag on Docker Hub now points to the alpine image instead of CentOS. This also applies to the `0.13.0` tag.
- The OpenResty version shipped with our default packages has been bumped to `1.13.6.1`. The 0.13.0 release should still be compatible with the OpenResty `1.11.2.x` series for the time being.
- Bumped lua-resty-dns-client to `2.0.0`. #3220
- Bumped lua-resty-http to `0.12`. #3196
- Bumped lua-multipart to `0.5.5`. #3318
- Bumped lua-resty-healthcheck to `0.4.0`. #3321
- 🎆 Support for control-plane and data-plane modes. The new syntax of `proxy_listen` and `admin_listen` supports `off`, which disables either one of those interfaces. It is now simpler than ever to make a Kong node "Proxy only" (data-plane) or "Admin only" (control-plane). #3147
- 🎆 This release introduces two new entities: Routes and Services. Those entities will provide a better separation of concerns than the "API" entity offers. Routes will define rules for matching a client's request (e.g., method, host, path...), and Services will represent upstream services (or backends) that Kong should proxy those requests to. Plugins can also be added to both Routes and Services, enabling use-cases to apply plugins more granularly (e.g., per endpoint). Following this addition, the API entity and related Admin API endpoints are now deprecated. This release is backwards-compatible with the previous model and all of your currently defined APIs and matching rules are still supported, although we advise users to migrate to Routes and Services as soon as possible. #3224
- 🎆 New endpoints: `/routes` and `/services` to interact with the new core entities. More specific endpoints are also available such as `/services/{service id or name}/routes`, `/services/{service id or name}/plugins`, and `/routes/{route id}/plugins`. #3224
- 🎆 Our new endpoints (listed above) provide much better responses with regards to producing responses for incomplete entities, errors, etc... In the future, existing endpoints will gradually be moved to using this new Admin API content producer. #3224
- 🎆 Improved argument parsing in form-urlencoded requests to the new endpoints as well. Kong now expects the following syntaxes for representing arrays: `hosts[]=a.com&hosts[]=b.com`, `hosts[1]=a.com&hosts[2]=b.com`, which avoid comma-separated arrays and related issues that can arise. In the future, existing endpoints will gradually be moved to using this new Admin API content parser. #3224
- jwt: `ngx.ctx.authenticated_jwt_token` is available for other plugins to use. #2988
- statsd: The fields `host`, `port` and `metrics` are no longer marked as "required", since they have a default value. #3209
- Fix an issue causing nodes in a cluster to use the default health checks configuration when the user configured them from another node (event propagated via the cluster). #3319
- Increase the default load balancer wheel size from 100 to 10.000. This allows for a better distribution of the load between Targets in general. #3296
- Fix several issues with application/multipart MIME type parsing of payloads. #3318
- Fix several issues with the parsing of health checks configuration values. #3306 #3321
0.12.3 - 2018/03/12
- Suppress a memory leak in the core introduced in 0.12.2. Thanks @mengskysama for the report. #3278
0.12.2 - 2018/02/28
- Load balancers now log DNS errors to facilitate debugging. #3177
- Reports now can include custom immutable values. #3180
- The `kong migrations reset` command has a new `--yes` flag. This flag makes the command run non-interactively, and ensures no confirmation prompt will occur. #3189
- A new endpoint `/upstreams/:upstream_id/health` will return the health of the specified upstream. #3232
- The `/` endpoint in the Admin API now exposes the `node_id` field. #3234
- HTTP/1.0 requests without a Host header are routed instead of being rejected. HTTP/1.1 requests without a Host are considered invalid and will still be rejected. Thanks to @rainiest for the patch! #3216
- Fix the load balancer initialization when some Targets would contain hostnames. #3187
- Fix incomplete handling of errors when initializing DAO objects. 637532e
- Remove bogus errors in the logs provoked by healthcheckers between the time they are unregistered and the time they are garbage-collected (#3207) and when receiving an HTTP status not tracked by healthy or unhealthy lists (c8eb5ae).
- Fix soft errors not being handled correctly inside the Kong cache. #3150
- Better handling of already existing Cassandra keyspaces in migrations. #3203. Thanks to @pamiel for the patch!
- Ensure `GET /certificates/{uuid}` does not return HTTP 500 when the given identifier does not exist. Thanks to @vdesjardins for the patch! #3148
0.12.1 - 2018/01/18
This release addresses a few issues encountered with 0.12.0, including one which would prevent upgrading from a previous version. The 0.12 Upgrade Path is still relevant for upgrading existing clusters to 0.12.1.
- Fix a migration between previous Kong versions and 0.12.0. #3159
- Ensure Lua errors are propagated when thrown in the `access` handler by plugins. 38580ff
0.12.0 - 2018/01/16
This major release focuses on two new features we are very excited about: health checks and hash based load balancing!
We also took this as an opportunity to fix a few prominent issues, sometimes at the expense of breaking changes but overall improving the flexibility and usability of Kong! Do keep in mind that this is a major release, and as such, that we require of you to run the migrations step, via the `kong migrations up` command.
Please take a few minutes to thoroughly read the 0.12 Upgrade Path for more details regarding breaking changes and migrations before planning to upgrade your Kong cluster.
Starting with 0.12.0, we are announcing the deprecation of older versions of our supported databases:
- Support for PostgreSQL 9.4 is deprecated. Users are advised to upgrade to 9.5+
- Support for Cassandra 2.1 and below is deprecated. Users are advised to upgrade to 2.2+
Note that the above deprecated versions are still supported in this release, but will be dropped in subsequent ones.
- ⚠️ The required OpenResty version has been bumped to 1.11.2.5. If you are installing Kong from one of our distribution packages, you are not affected by this change. #3097
- ⚠️ As Kong now executes subsequent plugins when a request is being short-circuited (e.g. HTTP 401 responses from auth plugins), plugins that run in the header or body filter phases will be run upon such responses from the access phase. We consider this change a big improvement in the Kong run-loop as it allows for more flexibility for plugins. However, it is unlikely, but possible that some of these plugins (e.g. your custom plugins) now run in scenarios where they were not previously expected to run. #3079
- ⚠️ By default, the Admin API now only listens on the local interface. We consider this change to be an improvement in the default security policy of Kong. If you are already using Kong, and your Admin API still binds to all interfaces, consider updating it as well. You can do so by updating the `admin_listen` configuration value, like so: `admin_listen = 127.0.0.1:8001`. Thanks @pduldig-at-tw for the suggestion and the patch. #3016

  🔴 Note to Docker users: Beware of this change as you may have to ensure that your Admin API is reachable via the host's interface. You can use the `-e KONG_ADMIN_LISTEN` argument when provisioning your container(s) to update this value; for example, `-e KONG_ADMIN_LISTEN=0.0.0.0:8001`.
- ⚠️ To reduce confusion, the `/upstreams/:upstream_name_or_id/targets/` has been updated to not show the full list of Targets anymore, but only the ones that are currently active in the load balancer. To retrieve the full history of Targets, you can now query `/upstreams/:upstream_name_or_id/targets/all`. The `/upstreams/:upstream_name_or_id/targets/active` endpoint has been removed. Thanks @hbagdi for tackling this backlog item! #3049
- ⚠️ The `orderlist` property of Upstreams has been removed, along with any confusion it may have brought. The balancer is now able to fully function without it, yet with the same level of entropy in its load distribution. #2748
- ⚠️ The `$ kong compile` command which was deprecated in 0.11.0 has been removed. #3069
- 🎆 Support for health checks! Kong can now short-circuit some of your upstream Targets (replicas) from its load balancer when it encounters too many TCP or HTTP errors. You can configure the number of failures, or the HTTP status codes that should be considered invalid, and Kong will monitor the failures and successes of proxied requests to each upstream Target. We call this feature passive health checks. Additionally, you can configure active health checks, which will make Kong perform periodic HTTP test requests to actively monitor the health of your upstream services, and pre-emptively short-circuit them. Upstream Targets can be manually taken up or down via two new Admin API endpoints: `/healthy` and `/unhealthy`. #3096
- 🎆 Support for hash based load balancing! Kong now offers consistent hashing/sticky sessions load balancing capabilities via the new `hash_*` attributes of the Upstream entity. Hashes can be based off client IPs, request headers, or Consumers! #2875
- 🎆 Logging plugins now log requests that were short-circuited by Kong! (e.g. HTTP 401 responses from auth plugins or HTTP 429 responses from rate limiting plugins, etc.) Kong now executes any subsequent plugins once a request has been short-circuited. Your plugin must be using the `kong.tools.responses` module for this behavior to be respected. #3079
- Kong is now compatible with OpenResty up to version 1.13.6.1. Be aware that the recommended (and default) version shipped with this release is still 1.11.2.5. #3070
- `$ kong start` now considers the commonly used `/opt/openresty` prefix when searching for the `nginx` executable. #3074
- Two new endpoints, `/healthy` and `/unhealthy` can be used to manually bring upstream Targets up or down, as part of the new health checks feature of the load balancer. #3096
- logging plugins: A new field `upstream_uri` now logs the value of the upstream request's path. This is useful to help debugging plugins or setups that aim at rewriting a request's URL during proxying. Thanks @shiprabehera for the patch! #2445
- tcp-log: Support for TLS handshake with the logs recipients for secure transmissions of logging data. #3091
- jwt: Support for JWTs passed in cookies. Use the new `config.cookie_names` property to configure the behavior to your liking. Thanks @mvanholsteijn for the patch! #2974
- oauth2
  - New `config.auth_header_name` property to customize the authorization header's name. Thanks @supraja93 #2928
  - New `config.refresh_ttl` property to customize the TTL of refresh tokens, previously hard-coded to 14 days. Thanks @bob983 for the patch! #2942
  - Avoid an error in the logs when trying to retrieve an access token from a request without a body. Thanks @WALL-E for the patch. #3063
- ldap: New `config.header_type` property to customize the authorization method in the `Authorization` header. Thanks @francois-maillard for the patch! #2963
- Fix a potential vulnerability in which an attacker could read the Kong configuration file with insufficient permissions for a short window of time while Kong is being started. #3057
- Proper log message upon timeout in `$ kong quit`. #3061
- The `/certificates` endpoint now properly supports the `snis` parameter in PUT and PATCH requests. Thanks @hbagdi for the contribution! #3040
- Avoid sending the `HTTP/1.1 415 Unsupported Content Type` response when receiving a request with a valid `Content-Type`, but with an empty payload. #3077
- basic-auth:
  - Accept passwords containing `:`. Thanks @nico-acidtango for the patch! #3014
  - Performance improvements, courtesy of @nico-acidtango #3014
0.11.2 - 2017/11/29
- key-auth: New endpoints to manipulate API keys. Thanks @hbagdi for the contribution. #2955
  - `/key-auths/` to paginate through all keys.
  - `/key-auths/:credential_key_or_id/consumer` to retrieve the Consumer associated with a key.
- basic-auth: New endpoints to manipulate basic-auth credentials. Thanks @hbagdi for the contribution. #2998
  - `/basic-auths/` to paginate through all basic-auth credentials.
  - `/basic-auths/:credential_username_or_id/consumer` to retrieve the Consumer associated with a credential.
- jwt: New endpoints to manipulate JWTs. Thanks @hbagdi for the contribution. #3003
  - `/jwts/` to paginate through all JWTs.
  - `/jwts/:jwt_key_or_id/consumer` to retrieve the Consumer associated with a JWT.
- hmac-auth: New endpoints to manipulate hmac-auth credentials. Thanks @hbagdi for the contribution. #3009
  - `/hmac-auths/` to paginate through all hmac-auth credentials.
  - `/hmac-auths/:hmac_username_or_id/consumer` to retrieve the Consumer associated with a credential.
- acl: New endpoints to manipulate ACLs. Thanks @hbagdi for the contribution. #3039
  - `/acls/` to paginate through all ACLs.
  - `/acls/:acl_id/consumer` to retrieve the Consumer associated with an ACL.
- Avoid logging some unharmful error messages related to clustering. #3002
- Improve performance and memory footprint when parsing multipart request bodies. Kong/lua-multipart#13
- Add a format check for the `admin_listen_ssl` property, ensuring it contains a valid port. #3031
- PUT requests with payloads containing non-existing primary keys for entities now return HTTP 404 Not Found, instead of HTTP 200 OK without a response body. #3007
- On the `/` endpoint, ensure `enabled_in_cluster` shows up as an empty JSON Array (`[]`), instead of an empty JSON Object (`{}`). Thanks @hbagdi for the patch! #2982
- hmac-auth: Better parsing of the `Authorization` header to avoid internal errors resulting in HTTP 500. Thanks @mvanholsteijn for the patch! #2996
- Improve the performance of the rate-limiting and response-rate-limiting plugins when using the Redis policy. #2956
- Improve the performance of the response-transformer plugin. #2977
0.11.1 - 2017/10/24
- Drop the `lua_code_cache` configuration property. This setting has been considered harmful since 0.11.0 as it interferes with Kong's internals. #2854
- DNS: SRV records pointing to an A record are now properly handled by the load balancer when `preserve_host` is disabled. Such records used to throw Lua errors on the proxy code path. Kong/lua-resty-dns-client#19
- Fixed an edge-case where `preserve_host` would sometimes craft an upstream request with a Host header from a previous client request instead of the current one. #2832
- Ensure APIs with regex URIs are evaluated in the order that they are created. #2924
- Fixed a typo that caused the load balancing components to ignore the Upstream slots property. #2747
- Fixed the verification of self-signed SSL certificates for PostgreSQL and Cassandra in the `kong migrations` command. Self-signed SSL certificates are now properly verified during migrations according to the `lua_ssl_trusted_certificate` configuration property. #2908
- The `/upstream/{upstream}/targets/active` endpoint used to return HTTP `405 Method Not Allowed` when called with a trailing slash. Both notations (with and without the trailing slash) are now supported. #2884
- bot-detection: Fixed an issue which would prevent the plugin from running and result in an HTTP `500` error if configured globally. #2906
- ip-restriction: Fixed support for the `0.0.0.0/0` CIDR block. This block is now supported and won't trigger an error when used in the `whitelist` or `blacklist` properties. #2918
- aws-lambda: Added support to forward the client request's HTTP method, headers, URI, and body to the Lambda function. #2823
- key-auth: New `run_on_preflight` configuration option to control authentication on preflight requests. #2857
- jwt: New `run_on_preflight` configuration option to control authentication on preflight requests. #2857
- Ensure migrations have valid, unique names to avoid conflicts between custom plugins. Thanks @ikogan for the patch! #2821
- Improve migrations reliability for future major releases. #2869
0.10.4 - 2017/10/24
- DNS: SRV records pointing to an A record are now properly handled by the load balancer when `preserve_host` is disabled. Such records used to throw Lua errors on the proxy code path. Kong/lua-resty-dns-client#19
- HTTP `400` errors thrown by Nginx are now correctly caught by Kong and return a native, Kong-friendly response. #2476
- Fix an edge-case where an API with multiple `uris` and `strip_uri = true` would not always strip the client URI. #2562
- Fix an issue where Kong would match an API with a shorter URI (from its `uris` value) as a prefix instead of a longer, matching prefix from another API. #2662
- Fixed a typo that caused the load balancing components to ignore the Upstream `slots` property. #2747
- Octothorpes (`#`) can now be escaped (`\#`) and included in the Kong configuration values such as your datastore passwords or usernames. #2411
- The `data` response field of the `/upstreams/{upstream}/targets/active` Admin API endpoint now returns a list (`[]`) instead of an object (`{}`) when no active targets are present. #2619
- datadog: Avoid a runtime error if the plugin is configured as a global plugin but the downstream request did not match any configured API. Thanks @kjsteuer for the fix! #2702
- ip-restriction: Fixed support for the `0.0.0.0/0` CIDR block. This block is now supported and won't trigger an error when used in the `whitelist` or `blacklist` properties. #2918
0.11.0 - 2017/08/16
The latest and greatest version of Kong features improvements all over the board for a better and easier integration with your infrastructure!
The highlights of this release are:
- Support for regex URIs in routing, one of the oldest requested features from the community.
- Support for HTTP/2 traffic from your clients.
- Kong does not depend on Serf anymore, which makes deployment and networking requirements considerably simpler.
- A better integration with orchestration tools thanks to the support for non FQDNs in Kong's DNS resolver.
As per usual, our major releases include datastore migrations which are considered breaking changes. Additionally, this release contains numerous breaking changes to the deployment process and proxying behavior that you should be familiar with.
We strongly advise that you read this changeset thoroughly, as well as the 0.11 Upgrade Path if you are planning to upgrade a Kong cluster.
- ⚠️ Numerous updates were made to the Nginx configuration template. If you are using a custom template, you must apply those modifications. See the 0.11 Upgrade Path for a complete list of changes to apply.
- ⚠️ Migrations are not executed automatically by `kong start` anymore. Migrations are now a manual process, which must be executed via the `kong migrations` command. In practice, this means that you have to run `kong migrations up [-c kong.conf]` in one of your nodes before starting your Kong nodes. This command should be run from a single node/container to avoid several nodes running migrations concurrently and potentially corrupting your database. Once the migrations are up-to-date, it is considered safe to start multiple Kong nodes concurrently. #2421
- ⚠️ 🎆 Serf is not a dependency anymore. Kong nodes now handle cache invalidation events via a built-in database polling mechanism. See the new "Datastore Cache" section of the configuration file which contains 3 new documented properties: `db_update_frequency`, `db_update_propagation`, and `db_cache_ttl`. If you are using Cassandra, you should pay a particular attention to the `db_update_propagation` setting, as you should not use the default value of `0`. #2561
- ⚠️ Kong now requires OpenResty `1.11.2.4`. OpenResty's LuaJIT can now be built with Lua 5.2 compatibility. #2489 #2790
- ⚠️ Previously, the `X-Forwarded-*` and `X-Real-IP` headers were trusted from any client by default, and forwarded upstream. With the introduction of the new `trusted_ips` property (see the below "Added" section) and to enforce best security practices, Kong does not trust any client IP address by default anymore. This will make Kong not forward incoming `X-Forwarded-*` headers if not coming from configured, trusted IP addresses blocks. This setting also affects the API `check_https` field, which itself relies on trusted `X-Forwarded-Proto` headers only. #2236
- ⚠️ The API Object property `http_if_terminated` is now set to `false` by default. For Kong to evaluate the client `X-Forwarded-Proto` header, you must now configure Kong to trust the client IP (see above change), and you must explicitly set this value to `true`. This affects you if you are doing SSL termination somewhere before your requests hit Kong, and if you have configured `https_only` on the API, or if you use a plugin that requires HTTPS traffic (e.g. OAuth2). #2588
- ⚠️ The internal DNS resolver now honours the `search` and `ndots` configuration options of your `resolv.conf` file. Make sure that DNS resolution is still consistent in your environment, and consider eventually not using FQDNs anymore. #2425
- ⚠️ As a result of the Serf removal, Kong is now entirely stateless, and as such, the `/cluster` endpoint has disappeared. #2561
- ⚠️ The Admin API `/status` endpoint does not return a count of the database entities anymore. Instead, it now returns a `database.reachable` boolean value, which reflects the state of the connection between Kong and the underlying database. Please note that this flag does not reflect the health of the database itself. #2567
⚠️ The upstream URI is now determined via the Nginx$upstream_uri
variable. Custom plugins using thengx.req.set_uri()
API will not be taken into consideration anymore. One must now set thengx.var.upstream_uri
variable from the Lua land. #2519⚠️ Thehooks.lua
module for custom plugins is dropped, along with thedatabase_cache.lua
module. Database entities caching and eviction has been greatly improved to simplify and automate most caching use-cases. See the Plugins Development Guide and the 0.11 Upgrade Path for more details. #2561⚠️ To ensure that the order of execution of plugins is still the same for vanilla Kong installations, we had to update thePRIORITY
field of some of our bundled plugins. If your custom plugin must run after or before a specific bundled plugin, you might have to update your plugin'sPRIORITY
field as well. The complete list of plugins and their priorities is available on the Plugins Development Guide. #2489 #2813
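
The trust rule for `X-Forwarded-*` headers and the `http_if_terminated` check described in the breaking changes above, modeled in Python as an added example (this is not Kong's own code). The function names and the sample addresses are assumptions constructed for the illustration.

```python
"""Model of the X-Forwarded-* trust rule described in these release notes.

Added illustration only, not Kong's source code. All function names and the
sample addresses below are assumptions constructed for this example.
"""
from ipaddress import ip_address, ip_network

# Constructed sample configuration: only the internal load balancer range
# is listed as trusted (the role played by the trusted_ips property).
TRUSTED_IPS = ["10.0.0.0/8"]

# Constructed sample requests.
SPOOFED = {"X-Forwarded-For": "127.0.0.1", "X-Forwarded-Proto": "https"}
VIA_LB = {"x-forwarded-for": "198.51.100.7", "X-Forwarded-Proto": "https"}


def is_trusted(peer_ip, trusted_ips):
    """True when the TCP peer address lies inside a trusted CIDR block."""
    addr = ip_address(peer_ip)
    return any(addr in ip_network(block, strict=False) for block in trusted_ips)


def _lower(headers):
    """HTTP header names are case-insensitive; normalise them for lookups."""
    return {name.lower(): value for name, value in headers.items()}


def upstream_forwarded_headers(peer_ip, scheme, host, port, headers, trusted_ips):
    """Return the X-Forwarded-* headers that would be sent upstream.

    Untrusted peer: every value is replaced with what the proxy observed on
    its own connection, so client-supplied values never reach the upstream.
    Trusted peer: supplied values are kept, and the peer address is appended
    to X-Forwarded-For.
    """
    observed = {
        "X-Forwarded-For": peer_ip,
        "X-Forwarded-Proto": scheme,
        "X-Forwarded-Host": host,
        "X-Forwarded-Port": str(port),
    }
    if not is_trusted(peer_ip, trusted_ips):
        return observed
    incoming = _lower(headers)
    out = {name: incoming.get(name.lower(), own) for name, own in observed.items()}
    if "x-forwarded-for" in incoming:
        out["X-Forwarded-For"] = incoming["x-forwarded-for"] + ", " + peer_ip
    return out


def passes_https_only(peer_ip, scheme, headers, trusted_ips, http_if_terminated):
    """Model of an https_only API check.

    A TLS connection always passes. A plain HTTP connection passes only when
    the API opted in with http_if_terminated AND the peer is trusted AND that
    peer reports the original hop as HTTPS.
    """
    if scheme == "https":
        return True
    if not http_if_terminated or not is_trusted(peer_ip, trusted_ips):
        return False
    return _lower(headers).get("x-forwarded-proto", "").lower() == "https"


if __name__ == "__main__":
    # Client connecting directly and supplying its own forwarded headers.
    print(upstream_forwarded_headers(
        "203.0.113.50", "http", "api.example.test", 8000, SPOOFED, TRUSTED_IPS))
    # Same header names arriving through the trusted load balancer.
    print(upstream_forwarded_headers(
        "10.1.2.3", "http", "api.example.test", 8000, VIA_LB, TRUSTED_IPS))
    print(passes_https_only("203.0.113.50", "http", SPOOFED, TRUSTED_IPS, True))
    print(passes_https_only("10.1.2.3", "http", VIA_LB, TRUSTED_IPS, True))
```

With an empty trusted list, which models the new default, even the load balancer's headers are overridden and the `https_only` check fails for terminated traffic.
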
- The `kong compile` command has been deprecated. Instead, prefer using the new `kong prepare` command. #2706
- Performance around DNS resolution has been greatly improved in some cases. #2625
- Secret values are now generated with a kernel-level, Cryptographically Secure PRNG. #2536
- The `.kong_env` file created by Kong in its running prefix is now written without world-read permissions. #2611
- The `marshall_event` function on schemas is now ignored by Kong, and can be safely removed as the new cache invalidation mechanism natively handles safer events broadcasting. #2561
- 🎆 Support for regex URIs! You can now define regexes in your APIs `uris` property. Those regexes can have capturing groups which can be extracted by Kong during a request, and accessed later in the plugins (useful for URI rewriting). See the Proxy Guide for documentation on how to use regex URIs. #2681
- 🎆 Support for HTTP/2. A new `http2` directive now enables HTTP/2 traffic on the `proxy_listen_ssl` address. #2541
- 🎆 Support for the `search` and `ndots` configuration options of your `resolv.conf` file. #2425
- Kong now forwards new headers to your upstream services: `X-Forwarded-Host`, `X-Forwarded-Port`, and `X-Forwarded-Proto`. #2236
- Support for the PROXY protocol. If the new `real_ip_header` configuration property is set to `real_ip_header = proxy_protocol`, then Kong will append the `proxy_protocol` parameter to the Nginx `listen` directive of the Kong proxy port. #2236
- Support for BDR compatibility in the PostgreSQL migrations. Thanks @AlexBloor for the patch! #2672
- Support for DNS nameservers specified in IPv6 format. #2634
- A few new DNS configuration properties allow you to tweak the Kong DNS resolver, and in particular, how it handles the resolution of different record types or the eviction of stale records. #2625
- A new `trusted_ips` configuration property allows you to define a list of trusted IP address blocks that are known to send trusted `X-Forwarded-*` headers. Requests from trusted IPs will make Kong forward those headers upstream. Requests from non-trusted IP addresses will make Kong override the `X-Forwarded-*` headers with its own values. In addition, this property also sets the ngx_http_realip_module `set_real_ip_from` directive(s), which makes Kong trust the incoming `X-Real-IP` header as well, which is used for operations such as rate-limiting by IP address, and that Kong forwards upstream as well. #2236
- You can now configure the ngx_http_realip_module from the Kong configuration. In addition to `trusted_ips` which sets the `set_real_ip_from` directive(s), two new properties, `real_ip_header` and `real_ip_recursive`, allow you to configure the ngx_http_realip_module directives bearing the same name. #2236
- Ability to hide Kong-specific response headers. Two new configuration fields: `server_tokens` and `latency_tokens` will respectively toggle whether the `Server` and `X-Kong-*-Latency` headers should be sent to downstream clients. #2259
- New configuration property to tune handling request body data via the `client_max_body_size` and `client_body_buffer_size` directives (mirroring their Nginx counterparts). Note these settings are only defined for proxy requests; request body handling in the Admin API remains unchanged. #2602
- New `error_default_type` configuration property. This setting is to specify a MIME type that will be used as the error response body format when Nginx encounters an error, but no `Accept` header was present in the request. The default value is `text/plain` for backwards compatibility. Thanks @therealgambo for the contribution! #2500
- New `nginx_user` configuration property, which interfaces with the Nginx `user` directive. Thanks @depay for the contribution! #2180
- New `kong prepare` command to prepare the Kong running prefix (creating log files, SSL certificates, etc...) and allow for Kong to be started via the `nginx` binary. This is useful for environments like containers, where the foreground process should be the Nginx master process. The `kong compile` command has been deprecated as a result of this addition. #2706
- Ability to retrieve plugins added to a Consumer via two new endpoints: `/consumers/:username_or_id/plugins/` and `/consumers/:username_or_id/plugins/:plugin_id`. #2714
- Support for JSON `null` in `PATCH` requests to unset a value on any entity. #2700
- jwt: Support for RS512 signed tokens. Thanks @sarraz1 for the patch! #2666
- rate-limiting/response-ratelimiting: Optionally hide informative response headers. #2087
- aws-lambda: Define a custom response status when the upstream `X-Amz-Function-Error` header is "Unhandled". Thanks @erran for the contribution! #2587
- aws-lambda: Add new AWS regions that were previously unsupported. #2769
- hmac: New option to validate the client-provided SHA-256 of the request body. Thanks @vaibhavatul47 for the contribution! #2419
- hmac: Added support for `enforce_headers` option and added HMAC-SHA256, HMAC-SHA384, and HMAC-SHA512 support. #2644
- statsd: New metrics and more flexible configuration. Support for prefixes, configurable stat type, and added metrics. #2400
- datadog: New metrics and more flexible configuration. Support for prefixes, configurable stat type, and added metrics. #2394
- Kong now ensures that your clients URIs are transparently proxied upstream. No percent-encoding/decoding or querystring stripping will occur anymore. #2519
- Fix an issue where Kong would match an API with a shorter URI (from its `uris` value) as a prefix instead of a longer, matching prefix from another API. #2662
- Fix an edge-case where an API with multiple `uris` and `strip_uri = true` would not always strip the client URI. #2562
- HTTP `400` errors thrown by Nginx are now correctly caught by Kong and return a native, Kong-friendly response. #2476
- Octothorpes (`#`) can now be escaped (`\#`) and included in the Kong configuration values such as your datastore passwords or usernames. #2411
- The `data` response field of the `/upstreams/{upstream}/targets/active` Admin API endpoint now returns a list (`[]`) instead of an object (`{}`) when no active targets are present. #2619
- The `unique` constraint on OAuth2 `client_secrets` has been removed. #2447
- The `unique` constraint on JWT Credentials `secrets` has been removed. #2548
- oauth2: When requesting a token from `/oauth2/token`, one can now pass the `client_id` as a request body parameter, while `client_id:client_secret` is passed via the Authorization header. This allows for better integration with some OAuth2 flows proposed out there, such as from Cloudflare Apps. Thanks @cedum for the patch! #2577
- datadog: Avoid a runtime error if the plugin is configured as a global plugin but the downstream request did not match any configured API. Thanks @kjsteuer for the fix! #2702
- Logging plugins: the produced logs `latencies.kong` field used to omit the time Kong spent in its Load Balancing logic, which includes DNS resolution time. This latency is now included in `latencies.kong`. #2494
0.10.3 - 2017/05/24
- We noticed that some distribution packages were not building OpenResty against a JITable PCRE library. This happened on Ubuntu and RHEL environments where OpenResty was built against the system's PCRE installation. We now compile OpenResty against a JITable PCRE source for those platforms, which should result in significant performance improvements in regex matching. Mashape/kong-distributions #9
- TLS connections are now handled with a modern list of accepted ciphers, as per the Mozilla recommended TLS ciphers list. See https://wiki.mozilla.org/Security/Server_Side_TLS. This behavior is configurable via the newly introduced configuration properties described in the below "Added" section.
- Plugins:
- rate-limiting: Performance improvements when using the `cluster` policy. The number of round trips to the database has been limited to the number of configured limits. #2488
- New `ssl_cipher_suite` and `ssl_ciphers` configuration properties to configure the desired set of accepted ciphers, based on the Mozilla recommended TLS ciphers list. #2555
- New `proxy_ssl_certificate` and `proxy_ssl_certificate_key` configuration properties. These properties configure the Nginx directives bearing the same name, to set client certificates to Kong when connecting to your upstream services. #2556
- Proxy and Admin API access and error log paths are now configurable. Access logs can be entirely disabled if desired. #2552
- Plugins:
- APIs matching: prioritize APIs with longer `uris` when said APIs also define `hosts` and/or `methods` as well. Thanks @leonzz for the patch. #2523
- SSL connections to Cassandra can now properly verify the certificate in use (when `cassandra_ssl_verify` is enabled). #2531
- The DNS resolver no longer sends A or AAAA DNS queries for SRV records. This should improve performance by avoiding unnecessary lookups. #2563 & Mashape/lua-resty-dns-client #12
- Plugins
- All authentication plugins don't throw an error anymore when invalid credentials are given and the `anonymous` user isn't configured. #2508
- rate-limiting: Effectively use the desired Redis database when the `redis` policy is in use and the `config.redis_database` property is set. #2481
- cors: The regression introduced in 0.10.1 regarding not sending the `*` wildcard when `conf.origin` was not specified has been fixed. #2518
- oauth2: properly check the client application ownership of a token before refreshing it. #2461
0.10.2 - 2017/05/01
- The Kong DNS resolver now honors the `MAXNS` setting (3) when parsing the nameservers specified in `resolv.conf`. #2290
- Kong now matches incoming requests via the `$request_uri` property, instead of `$uri`, in order to better handle percent-encoded URIs. A more detailed explanation will be included in the below "Fixed" section. #2377
- Upstream calls do not unconditionally include a trailing `/` anymore. See the below "Added" section for more details. #2315
- Admin API:
- The "active targets" endpoint now only returns the most recent nonzero weight Targets, instead of all nonzero weight targets. This is to provide a better picture of the Targets currently in use by the Kong load balancer. #2310
- 🎆 Plugins can implement a new `rewrite` handler to execute code in the Nginx rewrite phase. This phase is executed prior to matching a registered Kong API, and prior to any authentication plugin. As such, only global plugins (neither tied to an API or Consumer) will execute this phase. #2354
- Ability for the client to choose whether the upstream request (Kong <-> upstream) should contain a trailing slash in its URI. Prior to this change, Kong 0.10 would unconditionally append a trailing slash to all upstream requests. The added functionality is described in #2211, and was implemented in #2315.
- Ability to hide Kong-specific response headers. Two new configuration fields: `server_tokens` and `latency_tokens` will respectively toggle whether the `Server` and `X-Kong-*-Latency` headers should be sent to downstream clients. #2259
- New `cassandra_schema_consensus_timeout` configuration property, to allow for Kong to wait for the schema consensus of your Cassandra cluster during migrations. #2326
- Serf commands executed by a running Kong node are now logged in the Nginx error logs with a `DEBUG` level. #2410
- Ensure the required shared dictionaries are defined in the Nginx configuration. This will prevent custom Nginx templates from potentially resulting in a breaking upgrade for users. #2466
- Admin API:
- Target Objects can now be deleted with their ID as well as their name. The endpoint becomes: `/upstreams/:name_or_id/targets/:target_or_id`. #2304
- Plugins:
- 🎆 New Request termination plugin. This plugin allows you to temporarily disable an API and return a pre-configured response status and body to your client. Useful for use-cases such as maintenance mode for your upstream services. Thanks to @pauldaustin for the contribution. #2051
- Logging plugins: The produced logs include two new fields: a `consumer` field, which contains the properties of the authenticated Consumer (`id`, `custom_id`, and `username`), if any, and a `tries` field, which includes the upstream connection successes and failures of the load-balancer. #2367 #2429
- http-log: Now set an upstream HTTP basic access authentication header if the configured `conf.http_endpoint` parameter includes an authentication section. Thanks @amir for the contribution. #2432
- file-log: New `config.reopen` property to close and reopen the log file on every request, in order to effectively rotate the logs. #2348
- jwt: Returns `401 Unauthorized` on invalid claims instead of the previous `403 Forbidden` status. #2433
- key-auth: Allow setting API key header names with an underscore. #2370
- cors: When `config.credentials = true`, we do not send an ACAO header with value `*`. The ACAO header value will be that of the request's `Origin:` header. #2451
- Upstream connections over TLS now set their Client Hello SNI field. The SNI value is taken from the upstream `Host` header value, and thus also depends on the `preserve_host` setting of your API. Thanks @konrade for the original patch. #2225
- Correctly match APIs with percent-encoded URIs in their `uris` property. Generally, this change also avoids normalizing (and thus, potentially altering) the request URI when trying to match an API's `uris` value. Instead of relying on the Nginx `$uri` variable, we now use `$request_uri`. #2377
- Handle a routing edge-case under some conditions with the `uris` matching rule of APIs that would falsely lead Kong into believing no API was matched for what would actually be a valid request. #2343
- If no API was configured with a `hosts` matching rule, then the `preserve_host` flag would never be honored. #2344
- The `X-Forwarded-For` header sent to your upstream services by Kong is not set from the Nginx `$proxy_add_x_forwarded_for` variable anymore. Instead, Kong uses the `$realip_remote_addr` variable to append the real IP address of a client, instead of `$remote_addr`, which can come from a previous proxy hop. #2236
- CNAME records are now properly being cached by the DNS resolver. This results in a performance improvement over previous 0.10 versions. #2303
- When using Cassandra, some migrations would not be performed on the same coordinator as the one originally chosen. The same migrations would also require a response from other replicas in a cluster, but were not waiting for a schema consensus beforehand, causing indeterministic failures in the migrations, especially if the cluster's inter-nodes communication is slow. #2326
- The `cassandra_timeout` configuration property is now correctly taken into consideration by Kong. #2326
- Correctly trigger plugins configured on the anonymous Consumer for anonymous requests (from auth plugins with the new `config.anonymous` parameter). #2424
- When multiple auth plugins were configured with the recent `config.anonymous` parameter for "OR" authentication, such plugins would override each other's results and response headers, causing false negatives. #2222
- Ensure the `cassandra_contact_points` property does not contain any port information. Those should be specified in `cassandra_port`. Thanks @Vermeille for the contribution. #2263
- Prevent an upstream or legitimate internal error in the load balancing code from throwing a Lua-land error as well. #2327
- Allow backwards compatibility with custom Nginx configurations that still define the `resolver ${{DNS_RESOLVER}}` directive. Values from the Kong `dns_resolver` property will be flattened to a string and appended to the directive. #2386
- Plugins:
- hmac: Better handling of invalid base64-encoded signatures. Previously Kong would return an HTTP 500 error. We now properly return HTTP 403 Forbidden. #2283
- Admin API:
- Detect conflicts between SNI Objects in the `/snis` and `/certificates` endpoint. #2285
- The `/certificates` route used to not return the `total` and `data` JSON fields. We now send those fields back instead of a root list of certificate objects. #2463
- Endpoints with path parameters like `/xxx_or_id` will now also yield the proper result if the `xxx` field is formatted as a UUID. Most notably, this fixes a problem for Consumers whose `username` is a UUID, that could not be found when requesting `/consumers/{username_as_uuid}`. #2420
- The "active targets" endpoint does not require a trailing slash anymore. #2307
- Upstream Objects can now be deleted properly when using Cassandra. #2404
0.10.1 - 2017/03/27
- ⚠️ Serf has been downgraded to version 0.7 in our distributions, although versions up to 0.8.1 are still supported. This fixes a problem when automatically detecting the first non-loopback private IP address, which was defaulted to `127.0.0.1` in Kong 0.10.0. Greater versions of Serf can still be used, but the IP address needs to be manually specified in the `cluster_advertise` configuration property.
- ⚠️ The CORS Plugin parameter `config.origin` is now `config.origins`. #2203
  🔴 Post-release note (as of 2017/05/12): A faulty behavior has been observed with this change. Previously, the plugin would send the `*` wildcard when `config.origin` was not specified. With this change, the plugin does not send the `*` wildcard by default anymore. You will need to specify it manually when configuring the plugin, with `config.origins=*`. This behavior is to be fixed in a future release.
  ✅ Update (2017/05/24): A fix to this regression has been released as part of 0.10.3. See the section of the Changelog related to this release for more details.
- Admin API:
- Disable support for TLS/1.0. #2212
- Admin API:
- Active targets can be pulled with `GET /upstreams/{name}/targets/active`. #2230
- Provide a convenience endpoint to disable targets at: `DELETE /upstreams/{name}/targets/{target}`. Under the hood, this creates a new target with `weight = 0` (the correct way of disabling targets, which used to cause confusion). #2256
- Plugins:
- cors: Support for configuring multiple Origin domains. #2203
- Use an LRU cache for Lua-land entities caching to avoid exhausting the Lua VM memory in long-running instances. #2246
- Avoid potential deadlocks upon callback errors in the caching module for database entities. #2197
- Relax multipart MIME type parsing. A space is allowed in between values of the Content-Type header. #2215
- Admin API:
- Better handling of non-supported HTTP methods on endpoints of the Admin API. In some cases this used to throw an internal error. Calling any endpoint with a non-supported HTTP method now always returns `405 Method Not Allowed` as expected. #2213
- CLI:
- Better error handling when missing Serf executable. #2218
- Fix a bug in the `kong migrations` command that would prevent it from running correctly. #2238
- Trim list values specified in the configuration file. #2206
- Align the default configuration file's values to the actual, hard-coded default values to avoid confusion. #2254
- Plugins:
- hmac: Generate an HMAC secret value if none is provided. #2158
- oauth2: Don't try to remove credential values from request bodies if the MIME type is multipart, since such attempts would result in an error. #2176
- ldap: This plugin should not be applied to a single Consumer, however, this was not properly enforced. It is now impossible to apply this plugin to a single Consumer (as per all authentication plugins). #2237
- aws-lambda: Support for `us-west-2` region in schema. #2257
0.10.0 - 2017/03/07
Kong 0.10 is one of the most significant releases to this day. It ships with exciting new features that have been heavily requested for the last few months, such as load balancing, Cassandra 3.0 compatibility, Websockets support, internal DNS resolution (A and SRV records without Dnsmasq), and more flexible matching capabilities for APIs routing.
On top of those new features, this release received particular attention to performance, and brings many improvements and refactors that should make it perform significantly better than any previous version.
⚠️ API Objects (as configured via the Admin API) do not support the `request_host` and `request_uri` fields anymore. The 0.10 migrations should upgrade your current API Objects, but make sure to read the new 0.10 Proxy Guide to learn the new routing capabilities of Kong. On the good side, this means that Kong can now route incoming requests according to a combination of Host headers, URIs, and HTTP methods.
⚠️ Final slashes in `upstream_url` are no longer allowed. #2115
⚠️ The SSL plugin has been removed and dynamic SSL capabilities have been added to Kong core, and are configurable via new properties on the API entity. See the related PR for a detailed explanation of this change. #1970
⚠️ Drop the Dnsmasq dependency. We now internally resolve both A and SRV DNS records. #1587
⚠️ Dropping support for insecure `TLS/1.0` and defaulting `Upgrade` responses to `TLS/1.2`. #2119
- Bump the compatible OpenResty version to `1.11.2.1` and `1.11.2.2`. Support for OpenResty `1.11.2.2` requires the `--without-luajit-lua52` compilation flag.
- Separate Admin API and Proxy error logs. Admin API logs are now written to `logs/admin_access.log`. #1782
- Auto-generates stronger SHA-256 with RSA encryption SSL certificates. #2117
- 🎆 Support for Cassandra 3.x. #1709
- 🎆 SRV records resolution. #1587
- 🎆 Load balancing. When an A or SRV record resolves to multiple entries, Kong now rotates those upstream targets with a Round-Robin algorithm. This is a first step towards implementing more load balancing algorithms. Another way to specify multiple upstream targets is to use the newly introduced `/upstreams` and `/targets` entities of the Admin API. #1587 #1735
- 🎆 Multiple hosts and paths per API. Kong can now route incoming requests to your services based on a combination of Host headers, URIs and HTTP methods. See the related PR for a detailed explanation of the new properties and capabilities of the new router. #1970
- 🎆 Maintain upstream connection pools which should greatly improve performance, especially for HTTPS upstream connections. We now use HTTP/1.1 for upstream connections as well as an nginx `upstream` block with a configurable `keepalive` directive, thanks to the new `nginx_keepalive` configuration property. #1587 #1827
- 🎆 Websockets support. Kong can now upgrade client connections to use the `ws` protocol when `Upgrade: websocket` is present. #1827
- Use an in-memory caching strategy for database entities in order to reduce CPU load during requests proxying. #1688
- Provide negative-caching for missed database entities. This should improve performance in some cases. #1914
- Support for serving the Admin API over SSL. This introduces new properties in the configuration file: `admin_listen_ssl`, `admin_ssl`, `admin_ssl_cert` and `admin_ssl_cert_key`. #1706
- Support for upstream connection timeouts. APIs now have 3 new fields: `upstream_connect_timeout`, `upstream_send_timeout`, `upstream_read_timeout` to specify, in milliseconds, a timeout value for requests between Kong and your APIs. #2036
- Support for clustering key rotation in the underlying Serf process:
- new `cluster_keyring_file` property in the configuration file.
- new `kong cluster keys ..` CLI commands that expose the underlying `serf keys ..` commands. #2069
- Support for `lua_socket_pool_size` property in configuration file. #2109
- Plugins:
- 🎆 New AWS Lambda plugin. Thanks Tim Erickson for his collaboration on this new addition. #1777 #1190
- Anonymous authentication for auth plugins. When such plugins receive the `config.anonymous=<consumer_id>` property, even non-authenticated requests will be proxied by Kong, with the traditional Consumer headers set to the designated anonymous consumer, but also with a `X-Anonymous-Consumer` header. Multiple auth plugins will work in a logical `OR` fashion. #1666 and #2035
- request-transformer: Ability to change the HTTP method of the upstream request. #1635
- jwt: Support for ES256 signatures. #1920
- rate-limiting: Ability to select the Redis database to use via the new `config.redis_database` plugin property. #1941
- Looking for Serf in known installation paths. #1997
- Including port in upstream `Host` header. #2045
- Clarify the purpose of the `cluster_listen_rpc` property in the configuration file. Thanks Jeremy Monin for the patch. #1860
- Admin API:
- Properly return JSON responses (instead of HTML) on HTTP 409 Conflict when adding Plugins. #2014
- CLI:
- Avoid double-prefixing migration error messages with the database name (PostgreSQL/Cassandra).
- Plugins:
0.9.9 - 2017/02/02
- Correctly put Cassandra sockets into the Nginx connection pool for later reuse. This greatly improves the performance for rate-limiting and response-ratelimiting plugins. f8f5306
- Correct length of a year in seconds for rate-limiting and response-ratelimiting plugins. A year was wrongly assumed to only be 360 days long. e4fdb2a
- Prevent misinterpretation of the `%` character in proxied URLs encoding. Thanks Thomas Jouannic for the patch. #1998 #2040
0.9.8 - 2017/01/19
- Properly set the admin IP in the Serf script.
- Provide negative-caching for missed database entities. This should improve performance in some cases. #1914
- Plugins:
- Fix fault tolerance logic and error reporting in rate-limiting plugins.
0.9.7 - 2016/12/21
- Fixed a performance issue in Cassandra by removing an old workaround that was forcing Cassandra to use LuaSocket instead of cosockets. #1916
- Fixed an issue that was causing a recursive attempt to stop Kong's services when an error was occurring. #1877
- Custom plugins are now properly loaded again. #1910
- Plugins:
0.9.6 - 2016/11/29
- Resolve support for PostgreSQL SSL connections. #1720
- Ensure `kong start` honors the `--conf` flag if a config file already exists at one of the default locations (`/etc/kong.conf`, `/etc/kong/kong.conf`). #1681
- Obfuscate sensitive properties from the `/` Admin API route which returns the current node's configuration. #1650
0.9.5 - 2016/11/07
- Dropping support for OpenResty 1.9.15.1 in favor of 1.11.2.1 #1797
- Fixed an error (introduced in 0.9.4) in the auto-clustering event
0.9.4 - 2016/11/02
- Fixed the random string generator that was causing some problems, especially in Serf for clustering. #1754
- Seed random number generator in CLI. #1641
- Reducing log noise in the Admin API. #1781
- Fixed the reports lock implementation that was generating a periodic error message. #1783
0.9.3 - 2016/10/07
- Added support for Serf 0.8. #1693
- Properly invalidate global plugins. #1723
0.9.2 - 2016/09/20
- Correctly report migrations errors. This was caused by an error being thrown from the error handler, and superseding the actual error. #1605
- Prevent Kong from silently failing to start. This would be caused by an erroneous error handler. [28f5d10](https://github.com/Kong/kong/commit/28f5d10)
- Only report a random number generator seeding error when it is not already seeded. #1613
- Reduce intra-cluster noise by not propagating keepalive requests events. #1660
- Admin API:
- Obfuscates sensitive configuration settings from the `/` route. #1650
- CLI:
- Prevent a failed `kong start` from stopping an already running Kong node. #1645
- Remove unset configuration placeholders from the nginx configuration template. This would occur when no Internet connection would be available and would cause Kong to compile an erroneous nginx config. #1606
- Properly count the number of executed migrations. #1649
- Plugins:
0.9.1 - 2016/09/02
- Plugins:
- ACL: allow to retrieve/update/delete an ACL by group name. #1544
- Basic Authentication: allow to retrieve/update/delete a credential by `username`. #1570
- HMAC Authentication: allow to retrieve/update/delete a credential by `username`. #1570
- JWT Authentication: allow to retrieve/update/delete a credential by `key`. #1570
- Key Authentication: allow to retrieve/update/delete a credential by `key`. #1570
- OAuth2 Authentication: allow to retrieve/update/delete a credential by `client_id` and tokens by `access_token`. #1570
- Correctly parse configuration file settings containing comments. #1569
- Prevent third-party Lua modules (and plugins) to override the seed for random number generation. This prevents the creation of conflicting UUIDs. #1558
- Use pgmoon-mashape `2.0.0` which properly namespaces our fork, avoiding conflicts with other versions of pgmoon, such as the one installed by Lapis. #1582
- Avoid exposing OpenResty's information on HTTP `4xx` errors. #1567
- ulimit with `unlimited` value is now properly handled. #1545
- CLI:
- Plugins:
- galileo: Use `Content-Length` header to get request/response body size when `log_bodies` is disabled. #1584
- Admin API:
- Revert the `/plugins/enabled` endpoint's response to be a JSON array, and not an Object. #1529
0.9.0 - 2016/08/18
The main focus of this release is Kong's new CLI. With a simpler configuration file, new settings, environment variables support, new commands as well as a new interpreter, the new CLI gives more power and flexibility to Kong users and allows for an easier integration in your deployment workflow, as well as better testing for developers and plugins authors. Additionally, some new plugins and performance improvements are included as well as the regular bug fixes.
⚠️ PostgreSQL is the new default datastore for Kong. If you were using Cassandra and you are upgrading, you need to explicitly set `cassandra` as your `database`.
⚠️ New CLI, with new commands and refined arguments. This new CLI uses the `resty-cli` interpreter (see lua-resty-cli) instead of LuaJIT. As a result, the `resty` executable must be available in your `$PATH` (resty-cli is shipped in the OpenResty bundle) as well as the `bin/kong` executable. Kong does not rely on Luarocks installing the `bin/kong` executable anymore. This change of behavior is taken care of if you are using one of the official Kong packages.
⚠️ Kong uses a new configuration file, with an easier syntax than the previous YAML file.
- New arguments for the CLI, such as verbose, debug and tracing flags. We also avoid requiring the configuration file as an argument to each command as per the previous CLI.
- Customization of the Nginx configuration can now be taken care of using two different approaches: with a custom Nginx configuration template and using `kong start --template <file>`, or by using `kong compile` to generate the Kong Nginx sub-configuration, and `include` it in a custom Nginx instance.
- Plugins:
- Rate Limiting: the `continue_on_error` property is now called `fault_tolerant`.
- Response Rate Limiting: the `continue_on_error` property is now called `fault_tolerant`.
- 🎆 Support for overriding configuration settings with environment variables.
- 🎆 Support for SSL connections between Kong and PostgreSQL. #1425
- 🎆 Ability to apply plugins with more granularity: per-consumer, and global plugins are now possible. #1403
- New `kong check` command: validates a Kong configuration file.
- Better version check for third-party dependencies (OpenResty, Serf, Dnsmasq). #1307
- Ability to configure the validation depth of database SSL certificates from the configuration file. #1420
- `request_host`: internationalized url support; utf-8 domain names through punycode support and paths through %-encoding. #1300
- Implements caching locks when fetching database configuration (APIs, Plugins...) to avoid dog pile effect on cold nodes. #1402
- Plugins:
- 🎆 New bot-detection plugin: protect your APIs by detecting and rejecting common bots and crawlers. #1413
- correlation-id: new "tracker" generator, identifying requests per worker and connection. #1288
- request/response-transformer: ability to add strings including colon characters. #1353
- rate-limiting: support for new rate-limiting policies (`cluster`, `local` and `redis`), and for a new `limit_by` property to force rate-limiting by `consumer`, `credential` or `ip`.
- response-rate-limiting: support for new rate-limiting policies (`cluster`, `local` and `redis`), and for a new `limit_by` property to force rate-limiting by `consumer`, `credential` or `ip`.
- galileo: performance improvements of ALF serialization. ALFs are not discarded when exceeding 20MBs anymore. #1463
- statsd: new `upstream_stream` latency metric. #1466
- datadog: new `upstream_stream` latency metric and tagging support for each metric. #1473
- We now use lua-resty-jit-uuid for UUID generation, which is a pure Lua implementation of RFC 4122. As a result, libuuid is not a dependency of Kong anymore.
- Sensitive configuration settings are not printed to stdout anymore. #1256
- Fixed bug that caused nodes to remove themselves from the database when they attempted to join the cluster. #1437
- Plugins:
- request-size-limiting: use proper constant for MB units while setting the size limit. #1416
- OAuth2: security and config validation fixes. #1409 #1112
- request/response-transformer: better validation of fields provided without a value. #1399
- JWT: handle some edge-cases that could result in HTTP 500 errors. #1362
internal
- new test suite using resty-cli and removing the need to monkey-patch the `ngx` global.
- custom assertions and new helper methods (`wait_until()`) to gracefully fail in case of timeout.
- increase atomicity of the testing environment.
- lighter testing instance, only running 1 worker and not using Dnsmasq by default.
0.8.3 - 2016/06/01
This release includes some bugfixes:
- Switched the log level of the "No nodes found in cluster" warning to `INFO`, that was printed when starting up the first Kong node in a new cluster.
- Kong now requires OpenResty `1.9.7.5`.
- New nodes are now properly registered into the `nodes` table when running on the same machine. #1281
- Fixed a failed error parsing on Postgres. #1269
- Plugins:
- Response Transformer: Slashes are now encoded properly, and fixed a bug that hung the execution of the plugin. #1257 and #1263
- JWT: If a value for `algorithm` is missing, it's now `HS256` by default. This problem occurred when migrating from older versions of Kong.
- OAuth 2.0: Fixed a Postgres problem that was preventing an application from being created, and fixed a check on the `redirect_uri` field. #1264 and #1267
0.8.2 - 2016/05/25
This release includes bugfixes and minor updates:
- Support for a simple slash in `request_path`. #1227
- Plugins:
- Response Rate Limiting: it now appends usage headers to the upstream requests in the form of `X-Ratelimit-Remaining-{limit_name}` and introduces a new `config.block_on_first_violation` property. #1235
- Plugins:
- Mashape Analytics: The plugin is now called "Galileo", and added support for Galileo v3. #1159
- Postgres now relies on the `search_path` configured on the database and its default value `$user, public`. #1196
- Kong now properly encodes an empty querystring parameter like `?param=` when proxying the request. #1210
- The configuration now checks that `cluster.ttl_on_failure` is at least 60 seconds. #1199
- Plugins:
- Loggly: Fixed an issue that was triggering 400 and 500 errors. #1184
- JWT: The `TYP` value in the header is not optional and case-insensitive. #1192
- Request Transformer: Fixed a bug when transforming request headers. #1202
- OAuth 2.0: Multiple redirect URIs are now supported. #1112
- IP Restriction: Fixed an issue that prevented the plugin from working properly when added on an API. #1245
- CORS: Fixed an issue when `config.preflight_continue` was enabled. #1240
0.8.1 - 2016/04/27
This release includes some fixes and minor updates:
- Adds `X-Forwarded-Host` and `X-Forwarded-Prefix` to the upstream request headers. #1180
- Plugins:
- Datadog: Added two new metrics, `unique_users` and `request_per_user`, that log the consumer information. #1179
- Fixed a DAO bug that affected full entity updates. #1163
- Fixed a bug when setting the authentication provider in Cassandra.
- Updated the Cassandra driver to v0.5.2.
- Properly enforcing required fields in PUT requests. #1177
- Fixed a bug that prevented retrieving the hostname of the local machine on certain systems. #1178
0.8.0 - 2016/04/18
This release includes support for PostgreSQL as Kong's primary datastore!
- Remove support for the long deprecated `/consumers/:consumer/keyauth/` and `/consumers/:consumer/basicauth/` routes (deprecated in `0.5.0`). The new routes (available since `0.5.0` too) use the real name of the plugin: `/consumers/:consumer/key-auth` and `/consumers/:consumer/basic-auth`.
- Support for PostgreSQL 9.4+ as Kong's primary datastore. #331 #1054
- Configurable Cassandra reading/writing consistency. #1026
- Admin API: including pending and running timers count in the response to `/`. #992
- Plugins
- New correlation-id plugin: assign unique identifiers to the requests processed by Kong. Courtesy of @opyate. #1094
- LDAP: add support for LDAP authentication. #1133
- StatsD: add support for StatsD logging. #1142
- JWT: add support for RS256 signed tokens thanks to @kdstew! #1053
- ACL: appends `X-Consumer-Groups` to the request, so the upstream service can check what groups the consumer belongs to. #1154
- Galileo (mashape-analytics): increase batch sending timeout to 30s. #1091
- Added `ttl_on_failure` option in the cluster configuration, to configure the TTL of failed nodes. #1125
- Introduce a new `port` option when connecting to your Cassandra cluster instead of using the CQL default (9042). #1139
- Plugins
internal
- replace globals with singleton pattern thanks to @mars.
- fixed resolution mismatches when using deep paths in the path resolver.
0.7.0 - 2016/02/24
Due to the NGINX security fixes (CVE-2016-0742, CVE-2016-0746, CVE-2016-0747), OpenResty was bumped to `1.9.7.3` which is not backwards compatible, and thus requires changes to be made to the `nginx` property of Kong's configuration file. See the 0.7 upgrade path for instructions.
However, by upgrading the underlying OpenResty version, source installations do not have to patch the NGINX core and use the old `ssl-cert-by-lua` branch of ngx_lua anymore. This will make source installations much easier.
- Support for OpenResty `1.9.7.*`. This includes NGINX security fixes (CVE-2016-0742, CVE-2016-0746, CVE-2016-0747). #906
- Plugins
- New Runscope plugin: Monitor your APIs from Kong with Runscope. Courtesy of @mansilladev. #924
- Datadog: New `response.size` metric. #923
- Rate-Limiting and Response Rate-Limiting
- New `config.async` option to asynchronously increment counters to reduce latency at the cost of slightly reducing the accuracy. #912
- New `config.continue_on_error` option to keep proxying requests in case the datastore is unreachable. Rate-limiting operations will be disabled until the datastore is responsive again. #953
- CLI
- Perform a simple permission check on the NGINX working directory when starting, to prevent errors during execution. #939
- Send 50x errors with the appropriate format. #927 #970
- Plugins
- OAuth2
- IP restriction: Fix an issue that could arise when restarting Kong. Now Kong does not need to be restarted for the ip-restriction configuration to take effect. #782 #960
- ACL: Properly invalidating entities when assigning a new ACL group. #996
- SSL: Replace shelled out openssl calls with native `ngx.ssl` conversion utilities, which preserve the certificate chain. #968
- Avoid user warning on start when the user is not root. #964
- Store Serf logs in NGINX working directory to prevent eventual permission issues. #975
- Allow plugins configured on a Consumer without being configured on an API to run. #978 #980
- Fixed an edge-case where Kong nodes would not be registered in the `nodes` table. #1008
0.6.1 - 2016/02/03
This release contains tiny bug fixes that were especially annoying for complex Cassandra setups and power users of the Admin API!
- A `timeout` property for the Cassandra configuration. In ms, this timeout is effective as a connection and a reading timeout. #937
- Correctly set the Cassandra SSL certificate in the Nginx configuration while starting Kong. #921
- Rename the `user` Cassandra property to `username` (Kong looks for `username`, hence `user` would fail). #922
- Allow Cassandra authentication with arbitrary plain text auth providers (such as Instaclustr uses), fixing authentication with them. #937
- Admin API
- Fix the `/plugins/:id` route for `PATCH` method. #941
- Plugins
0.6.0 - 2016/01/22
We recommend consulting the suggested 0.6 upgrade path for this release.
- Serf is now a Kong dependency. It allows Kong nodes to communicate between each other opening the way to many features and improvements.
- The configuration file changed. Some properties were renamed, others were moved, and some are new. We would recommend checking out the new default configuration file.
- Drop the Lua 5.1 dependency which was only used by the CLI. The CLI now runs with LuaJIT, which is consistent with other Kong components (Luarocks and OpenResty) already relying on LuaJIT. Make sure the LuaJIT interpreter is included in your `$PATH`. #799
One of the biggest new features of this release is the cluster-awareness added to Kong in #729, which deserves its own section:
- Each Kong node is now aware of belonging to a cluster through Serf. Nodes automatically join the specified cluster according to the configuration file's settings.
- The datastore cache is not invalidated by expiration time anymore, but following an invalidation strategy between the nodes of a same cluster, leading to improved performance.
- Admin API
- Expose a `/cache` endpoint for retrieving elements stored in the in-memory cache of a node.
- Expose a `/cluster` endpoint used to add/remove/list members of the cluster, and also used internally for data propagation.
- CLI
- New `kong cluster` command for cluster management.
- New `kong status` command for cluster healthcheck.
Other additions include:
- New Cassandra driver which makes Kong aware of the Cassandra cluster. Kong is now unaffected if one of your Cassandra nodes goes down as long as a replica is available on another node. Load balancing policies also improve the performance along with many other smaller improvements. #803
- Admin API
- A new `total` field in API responses, that counts the total number of entities in the datastore. #635
- Configuration
- Possibility to configure the keyspace replication strategy for Cassandra. It will be taken into account by the migrations when the configured keyspace does not already exist. #350
- Dnsmasq is now optional. You can specify a custom DNS resolver address that Kong will use when resolving hostnames. This can be configured in `kong.yml`. #625
- Plugins
- As mentioned in the breaking changes section, a new configuration file format and validation. All properties are now documented and commented out with their default values. This allows for a lighter configuration file and more clarity as to what properties relate to. It also catches configuration mistakes. #633
- Replace the UUID generator library with a new implementation wrapping lib-uuid, fixing eventual conflicts happening in cases such as described in #659. See #695
- Admin API
- Behaviors described in #603 related to the failure of Cassandra nodes thanks to the new driver. #803
- Latency headers are now properly included in responses sent to the client. #708
- `strip_request_path` does not add a trailing slash to the API's `upstream_url` anymore before proxying. #675
- Do not URL decode querystring before proxying the request to the upstream service. #749
- Handle cases when the request would be terminated prior to the Kong execution (that is, before ngx_lua reaches the `access_by_lua` context) in cases such as the use of a custom nginx module. #594
- Admin API
- The PUT method now correctly updates boolean fields (such as `strip_request_path`). #765
- The PUT method now correctly resets a plugin configuration. #720
- PATCH correctly sets previously unset fields. #861
- In the responses, the `next` link is not being displayed anymore if there are no more entities to be returned. #635
- Prevent the update of `created_at` fields. #820
- Better `request_path` validation for APIs. "/" is not considered a valid path anymore. #881
- Plugins
- Galileo: ensure the `mimeType` value is always a string in ALFs. #584
- JWT: allow updating JWT credentials using the PATCH method. It previously used to reply with `405 Method not allowed` because the PATCH method was not implemented. #667
- Rate limiting: fix a warning when many periods are configured. #681
- Basic Authentication: do not re-hash the password field when updating a credential. #726
- File log: better permissions on file creation for file-log plugin. #877
- OAuth2
internal
- Event bus for local and cluster-wide events propagation. The plan is for this event bus to be widely used across Kong in the future.
- The Kong Public Lua API (Lua helpers integrated in Kong such as DAO and Admin API helpers) is now documented with ldoc.
- Work has been done to restore the reliability of the CI platforms.
- Migrations can now execute DML queries (instead of DDL queries only). Handy for migrations implying plugin configuration changes, plugins renamings etc... #770
0.5.4 - 2015/12/03
- Mashape Analytics plugin (renamed Galileo):
0.5.3 - 2015/11/16
- Avoids additional URL encoding when proxying to an upstream service. #691
- Potential timing comparison bug in HMAC plugin. #704
- The Galileo plugin now supports arbitrary host, port and path values. #721
0.5.2 - 2015/10/21
A few fixes requested by the community!
- Kong properly searches for `nginx` in your $PATH variable.
- Plugins:
0.5.1 - 2015/10/13
Fixing a few glitches we let out with 0.5.0!
- Basic Authentication and HMAC Authentication plugins now also send the `X-Credential-Username` to the upstream server.
- Admin API now accepts JSON when receiving a CORS request. #580
- Add a `WWW-Authenticate` header for HTTP 401 responses for basic-auth and key-auth. #588
- Protect Kong from POODLE SSL attacks by omitting SSLv3 (CVE-2014-3566). #563
- Remove support for key-auth key in body. #566
- Plugins
- Fix an occasional error when updating a plugin without a config. #571
0.5.0 - 2015/09/25
With new plugins, many improvements and bug fixes, this release comes with breaking changes that will require your attention.
Several breaking changes are introduced. You will have to slightly change your configuration file and a migration script will take care of updating your database cluster. Please follow the instructions in UPGRADE.md for an update without downtime.
- Many plugins were renamed due to new naming conventions for consistency. #480
- In the configuration file, the Cassandra `hosts` property was renamed to `contact_points`. #513
- Properties belonging to APIs entities have been renamed for clarity. #513
- `public_dns` -> `request_host`
- `path` -> `request_path`
- `strip_path` -> `strip_request_path`
- `target_url` -> `upstream_url`
- `plugins_configurations` have been renamed to `plugins`, and their `value` property has been renamed to `config` to avoid confusions. #513
- The database schema has been updated to handle the separation of plugins outside of the core repository.
- The Key authentication and Basic authentication plugins routes have changed:
Old route New route
/consumers/:consumer/keyauth -> /consumers/:consumer/key-auth
/consumers/:consumer/keyauth/:id -> /consumers/:consumer/key-auth/:id
/consumers/:consumer/basicauth -> /consumers/:consumer/basic-auth
/consumers/:consumer/basicauth/:id -> /consumers/:consumer/basic-auth/:id
The old routes are still maintained but will be removed in upcoming versions. Consider them deprecated.
- Admin API
- The route to retrieve enabled plugins is now under `/plugins/enabled`.
- The route to retrieve a plugin's configuration schema is now under `/plugins/schema/{plugin name}`.
- Plugins
- New Response Rate Limiting plugin: Give a usage quota to your users based on a parameter in your response. #247
- New ACL (Access Control) plugin: Configure authorizations for your Consumers. #225
- New JWT (JSON Web Token) plugin: Verify and authenticate JWTs. #519
- New HMAC signature plugin: Verify and authenticate HMAC signed HTTP requests. #549
- Plugins migrations. Each plugin can now have its own migration scripts if it needs to store data in your cluster. This is a step forward to improve Kong's pluggable architecture. #443
- Basic Authentication: the password field is now SHA-1 hashed. #33
- Basic Authentication: now supports credentials in the `Proxy-Authorization` header. #460
- Basic Authentication and Key Authentication now require authentication parameters even when the `Expect: 100-continue` header is being sent. #408
- Key Auth plugin does not support passing the key in the request payload anymore. #566
- APIs' names cannot contain characters from the RFC 3986 reserved list. #589
- Resolver
- Making a request with a querystring will now correctly match an API's path. #496
- Admin API
- Data associated to a given API/Consumer will correctly be deleted if related Consumer/API is deleted. #107 #438 #504
- The `/api/{api_name_or_id}/plugins/{plugin_name_or_id}` changed to `/api/{api_name_or_id}/plugins/{plugin_id}` to avoid requesting the wrong plugin if two are configured for one API. #482
- APIs created without a `name` but with a `request_path` will now have a name which defaults to the set `request_path`. #547
- Plugins
- Mashape Analytics: More robust buffer and better error logging. #471
- Mashape Analytics: Several ALF (API Log Format) serialization fixes. #515
- Oauth2: A response is now returned on `http://kong:8001/consumers/{consumer}/oauth2/{oauth2_id}`. #469
- Oauth2: Saving `authenticated_userid` on Password Grant. #476
- Oauth2: Proper handling of the `/oauth2/authorize` and `/oauth2/token` endpoints in the OAuth 2.0 Plugin when an API with a `path` is being consumed using the `public_dns` instead. #503
- OAuth2: Properly returning `X-Authenticated-UserId` in the `client_credentials` and `password` flows. #535
- Response-Transformer: Properly handling JSON responses that have a charset specified in their `Content-Type` header.
0.4.2 - 2015/08/10
- Cassandra authentication and SSL encryption. #405
- `preserve_host` flag on APIs to preserve the Host header when a request is proxied. #444
- Added the Resource Owner Password Credentials Grant to the OAuth 2.0 Plugin. #448
- Auto-generation of default SSL certificate. #453
- Remove `cassandra.port` property in configuration. Ports are specified by having `cassandra.hosts` addresses using the `host:port` notation (RFC 3986). #457
- Default SSL certificate is now auto-generated and stored in the `nginx_working_dir`.
- OAuth 2.0 plugin now properly forces HTTPS.
- Better handling of multi-nodes Cassandra clusters. #450
- mashape-analytics plugin: handling of numerical values in querystrings. #449
- Path resolver `strip_path` option wrongfully matching the `path` property multiple times in the request URI. #442
- File Log Plugin bug that prevented the file creation in some environments. #461
- Clean output of the Kong CLI. #235
0.4.1 - 2015/07/23
- Issues with the Mashape Analytics plugin. #425
- Handle hyphens when executing path routing with `strip_path` option enabled. #431
- Adding the Client Credentials OAuth 2.0 flow. #430
- A bug that prevented "dnsmasq" from being started on some systems, including Debian. f7da790
- File Log plugin: optimizations by avoiding the buffered I/O layer. 20bb478
0.4.0 - 2015/07/15
- Implement wildcard subdomains for APIs' `public_dns`. #381 #297
- Plugins
- New OAuth 2.0 plugin. #341 #169
- New Mashape Analytics plugin. #360 #272
- New IP whitelisting/blacklisting plugin. #379
- Ratelimiting: support for multiple limits. #382 #205
- HTTP logging: support for HTTPS endpoint. #342
- Logging plugins: new properties for logs timing. #351
- Key authentication: now auto-generates a key if none is specified. #48
- Resolver
- `path` property now accepts arbitrary depth. #310
- Admin API
- CLI
- `$ kong migrations reset` now asks for confirmation. #365
internal
0.3.2 - 2015/06/08
- Uppercase Cassandra keyspace bug that prevented Kong from working with kongdb.org
- Multipart requests not properly parsed in the admin API. #344
0.3.1 - 2015/06/07
- Schema migrations are now automatic, which was missing from previous releases. #303
0.3.0 - 2015/06/04
- Support for SSL.
- Plugins
- Admin API
- RESTful routing. Much nicer Admin API routing. Ex: `/apis/{name_or_id}/plugins`. #98 #257
- Support `PUT` method for endpoints such as `/apis/`, `/apis/plugins/`, `/consumers/`
- Support for `application/json` and `x-www-form-urlencoded` Content Types for all `PUT`, `POST` and `PATCH` endpoints by passing a `Content-Type` header. #236
- Resolver
- Auth plugins now send user information to your upstream services. #228
- Invalid `target_url` values are now being caught when creating an API. #149
- Uppercase Cassandra keyspace causing migration failure. #249
- Guarantee that ratelimiting won't allow requests in case the atomicity of the counter update is not guaranteed. #289
internal
- Schemas:
- New property type: `array`. #277
- Entities schemas now live in their own files and are starting to be unit tested.
- Subfields are handled better: (notify required subfields and auto-vivify if subfield has default values).
- Way faster unit tests. Not resetting the DB anymore between tests.
- Improved coverage computation (exclude `vendor/`).
- Travis now lints `kong/`.
- Way faster Travis setup.
- Added a new HTTP client for in-nginx usage, using the cosocket API.
- Various refactorings.
- Fix #196.
- Disabled ipv6 in resolver.
0.2.1 - 2015/05/12
This is a maintenance release including several bug fixes and usability improvements.
- Support for local DNS resolution. #194
- Support for Debian 8 and Ubuntu 15.04.
- DAO
- Cassandra version bumped to 2.1.5
- Support for Cassandra downtime. If Cassandra goes down and is brought back up, Kong will not need to restart anymore, statements will be re-prepared on-the-fly. This is part of an ongoing effort from jbochi/lua-resty-cassandra#47, #146 and #187. Queries effectuated during the downtime will still be lost. #11
- Leverage reused sockets. If the DAO reuses a socket, it will not re-set their keyspace. This should give a small but appreciable performance improvement. #170
- Cascade delete plugins configurations when deleting a Consumer or an API associated with it. #107
- Allow Cassandra hosts listening on different ports than the default. #185
- CLI
- Added a notice log when Kong tries to connect to Cassandra to avoid user confusion. #168
- The CLI now tests if the ports are already being used before starting and warns.
- Admin API
- `name` is now an optional property for APIs. If none is being specified, the name will be the API `public_dns`. #181
- Configuration
- The memory cache size is now configurable. #208
- Resolver
- More explicit "API not found" message from the resolver if the Host was not found in the system. "API not found with Host: %s".
- If multiple hosts headers are being sent, Kong will test them all to see if one of the API is in the system. #186
- Admin API: responses now have a new line after the body. #164
- DAO: keepalive property is now properly passed when Kong calls `set_keepalive` on Cassandra sockets.
- Multipart dependency throwing error at startup. #213
internal
- Separate Migrations from the DAO factory.
- Update dev config + Makefile rules (`run` becomes `start`).
- Introducing an `ngx` stub for unit tests and CLI.
- Switch many PCRE regexes to using patterns.
0.2.0-2 - 2015/04/27
First public release of Kong. This version brings a lot of internal improvements as well as more usability and a few additional plugins.
- Plugins
- CORS plugin.
- Request transformation plugin.
- NGINX plus monitoring plugin.
- Configuration
- New properties: `proxy_port` and `api_admin_port`. #142
- CLI
- Package distributions: .rpm, .deb and .pkg for easy installs on most common platforms.
- Admin API: trailing slash is not necessary anymore for core resources such as `/apis` or `/consumers`.
- Leaner default configuration. #156
internal
- All scripts moved to the CLI as "hidden" commands (`kong db`, `kong config`).
- More tests as always, and they are structured better. The coverage went down mainly because of plugins which will later move to their own repos. We are all eagerly waiting for that!
- `src/` was renamed to `kong/` for ease of development
- All system dependencies versions for package building and travis-ci are now listed in `versions.sh`
- DAO doesn't need to `:prepare()` prior to run queries. Queries can be prepared at runtime. #146
0.1.1beta-2 - 2015/03/30
- Wrong behavior of auto-migration in `kong start`.
0.1.0beta-3 - 2015/03/25
First public beta. Includes caching and better usability.
- Required Openresty is now `1.7.10.1`.
- Freshly built CLI, rewritten in Lua
- `kong start` using a new DB keyspace will automatically migrate the schema. #68
- Anonymous error reporting on Proxy and API. #64
- Configuration
- Simplified configuration file (unified in `kong.yml`).
- In configuration, `plugins_installed` was renamed to `plugins_available`. #59
- Order of `plugins_available` doesn't matter anymore. #17
- Better handling of plugins: Kong now detects which plugins are configured and if they are installed on the current machine.
- `bin/kong` now defaults on `/etc/kong.yml` for config and `/var/logs/kong` for output. #71
- Proxy: APIs/Consumers caching with expiration for faster authentication.
- Admin API: Plugins now use plain form parameters for configuration. #70
- Keep track of already executed migrations. `rollback` now behaves as expected. #8
- `Server` header now sends Kong. #57
- migrations not being executed in order on Linux. This issue wasn't noticed until unit testing the migrations because for now we only have 1 migration file.
- Admin API: Errors responses are now sent as JSON. #58
internal
- We now have code linting and coverage.
- Faker and Migrations instances don't live in the DAO Factory anymore, they are only used in scripts and tests.
- `scripts/config.lua` allows environment based configurations.
- `make dev` generates a `kong.DEVELOPMENT.yml` and `kong_TEST.yml`. Different keyspaces and ports.
- `spec_helpers.lua` allows tests to not rely on the `Makefile` anymore. Integration tests can run 100% from `busted`.
- Switch integration testing from [httpbin.org] to [mockbin.com].
- `core` plugin was renamed to `resolver`.
0.0.1alpha-1 - 2015/02/25
First version running with Cassandra.
- Basic proxying.
- Built-in authentication plugin (api key, HTTP basic).
- Built-in ratelimiting plugin.
- Built-in TCP logging plugin.
- Configuration API (for consumers, apis, plugins).
- CLI `bin/kong` script.
- Database migrations (using `db.lua`).