.. _version_history_1.23.0: 1.23.0 (July 15, 2022) ======================= Incompatible behavior changes ----------------------------- *Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required* * **config**: multiple SDS resources of multiple clusters or listeners are sent in a single SDS requests, instead of multiple SDS requests. This behavioral change can be reverted by setting ``envoy.reloadable_features.combine_sds_requests`` to ``false``. * **router**: updated all HTTP filters to get per-filter config by the :ref:`HTTP filter config name `. If there is no entry referred by the filter config name, the canonical filter name (e.g., ``envoy.filters.http.buffer`` for the HTTP buffer filter) will be used for the backwards compatibility. * **router**: weighted cluster's :ref:`total_weight ` is now optional. If not set, Envoy will no longer validate that all weights add up to 100. The sum of :ref:`weights ` across all entries in the clusters array must add up to the :ref:`total_weight `, when it's greater than 0. * **stats listener**: fixed metric tag extraction so that :ref:`stat_prefix ` is properly extracted. This changes the Prometheus name from ``envoy_listener_myprefix_downstream_cx_overflow{}`` to ``envoy_listener_downstream_cx_overflow{envoy_listener_address="myprefix"}``. This does not affect the Prometheus name if ``stat_prefix`` is not set. * **stats listener**: fixed metric tag extraction so that ``worker_id`` is properly extracted from the listener stats. This changes the Prometheus name from ``envoy_listener_worker_1_downstream_cx_active{envoy_listener_address="0.0.0.0_10000"}`` to ``envoy_listener_downstream_cx_active{envoy_listener_address="0.0.0.0_10000", envoy_worker_id="1"}``. * **stats redis_proxy**: fixed metric tag extraction so that :ref:`stat_prefix ` is properly extracted. This changes the Prometheus name from ``envoy_redis_myprefix_command_pttl_latency_sum{}`` to ``envoy_redis_command_pttl_latency_sum{envoy_redis_prefix="myprefix"}``. * **stats server**: fixed metric tag extraction so that ``worker_id`` is properly extracted fromt the server stats. This changes the Prometheus name from ``envoy_server_worker_1_watchdog_miss{}`` to ``envoy_server_watchdog_miss{envoy_worker_id="1"}``. * **stats thrift_proxy**: fixed metric tag extraction so that :ref:`stat_prefix ` is properly extracted. This changes the Prometheus name from ``envoy_thrift_myprefix_request{}`` to ``envoy_thrift_request{envoy_thrift_prefix="myprefix"}``. * **tls-inspector**: the listener filter tls inspector's stats ``connection_closed`` and ``read_error`` are removed. New stats are introduced for listener, ``downstream_peek_remote_close`` and ``read_error``, in :ref:`listener stats `. Minor behavior changes ---------------------- *Changes that may cause incompatibilities for some users, but should not for most* * **admin**: changed default regex engine for ``/stats?filter=`` from ``std::regex`` to RE2, improving filtering speed 20x. * **conn pool**: changed HTTP/2 connection pooling and the :ref:`ALPN pool ` to remember the number of streams allowed by the endpoint and cap multiplexed streams for subsequent connections based on that. With that working, defaulted the ALPN pool to assume HTTP/2 will work, as it will only incur a latency hit once until the TLS handshake is complete, and then will cache that the effective stream limit is ``1``. This behavioral change can be revered by setting ``envoy.reloadable_features.allow_concurrency_for_alpn_pool`` to ``false``. * **dns**: allow propagating DNS responses with no records back to callers like ``strict_dns`` cluster, guarded by ``envoy.reloadable_features.cares_accept_nodata``. * **filter state**: revert to respecting the life time of the filter state objects to be bound to the original stream and make sharing filter state objects with the upstream info explicit via an extra flag in ``setData``. * **http**: changing the behavior for ``CONNECT`` and upgrade requests over HTTP/1.1 to not delay close. This behavioral change can be reverted by setting ``envoy.reloadable_features.no_delay_close_for_upgrades`` to ``false``. * **http**: the :ref:`dynamo filter ` has been moved to :ref:`contrib images `. * **http**: the behavior of the :ref:`timeout ` field has been modified to extend the timeout when *any* frame is received on the owning HTTP/2 connection. This negates the effect of head-of- line (HOL) blocking for slow connections. If any frame is received the assumption is that the connection is working. This behavior change can be reverted by setting ``envoy.reloadable_features.http2_delay_keepalive_timeout`` to ``false``. * **http-cache**: HTTP cache filter ``getCache`` interface changed from returning a reference to returning a shared_ptr - any third-party implementations of this interface will need to be updated accordingly. See changes to ``simple_http_cache.cc`` and ``simple_http_cache.h`` in `PR21114 `_ for example. * **local_ratelimit**: ``local_ratelimit`` will consume tokens of all matched descriptors sorted by tokens per second. This behavioral change can be reverted by setting runtime guard ``envoy.reloadable_features.http_local_ratelimit_match_all_descriptors`` to ``false``. * **logging**: changed category name for access log filter extensions to ``envoy.access_loggers.extension_filters``. * **logging**: changed flag ``--log-format-escaped`` to only log one trailing newline per log line. * **lua**: export symbols of LuaJit by default on Linux. This is useful in cases where you have a lua script that loads shared object libraries, such as those installed via luarocks. * **lua**: lua ``respond`` api will call ``sendLocalReply`` instead of ``encodeHeaders`` and ``encodeData``. This means that encoder filters will be correctly invoked, including adding configured response headers, etc. This behavioral change can be reverted by setting runtime guard ``envoy.reloadable_features.lua_respond_with_send_local_reply`` to ``false``. * **network**: the :ref:`client ssl auth filter ` has been moved to :ref:`contrib images `. * **router**: get route config factories by the configuration proto full names by default. This behavior change can be reverted by setting the ``envoy.reloadable_features.get_route_config_factory_by_type`` runtime flag to ``false``. * **skywalking**: use request path as operation name of ``ENTRY``/``EXIT`` spans. * **skywalking**: use upstream host address as ``addressUsedAtClient`` in propagation header. * **tcp_proxy**: added support for command operators in :ref:`TunnelingConfig hostname ` to dynamically set upstream hostname. * **thrift**: keep downstream connection if the response is completed without underflow. * **tls**: if both :ref:`match_subject_alt_names ` and :ref:`match_typed_subject_alt_names ` are specified, the former (deprecated) field is ignored. Previously, setting both fields would result in an error. * **tls**: removed SHA-1 and RSA key transport cipher suites from the server-side defaults. * **tracers**: remove unnecessary ``spawnChild`` annotations in OpenCensus tracer. Bug fixes --------- *Changes expected to improve the state of the world and are unlikely to have negative effects* * **aws_lambda**: fixed the AWS cross account lambda function invocation issue. * **decompression**: fixed CVE-2022-29225: Decompressors can be zip bombed. Previously decompressors were susceptible to memory inflation in takes in which specially crafted payloads could cause a large amount of memory usage by Envoy. The max inflation payload size is now limited. This change can be reverted via the ``envoy.reloadable_features.enable_compression_bomb_protection`` runtime flag. * **grpc_json_transcoder**: respond with a error messsage if a proto message is too deep (>64). Before the fix the response was an empty JSON. * **health_check**: fixed CVE-2022-29224: Segfault in ``GrpcHealthCheckerImpl``. An attacker-controlled upstream server that is health checked using gRPC health checking can crash Envoy via a null pointer dereference in certain circumstances. * **http**: fixed HTTP/2 CONNECT to be RFC compliant, rather than following the abandoned extended connect draft. This behavioral change can be reverted by setting runtime guard ``envoy.reloadable_features.use_rfc_connect`` to ``false``. * **oauth**: fixed CVE-2022-29226: oauth filter allows trivial bypass. The OAuth filter implementation does not include a mechanism for validating access tokens, so by design when the HMAC signed cookie is missing a full authentication flow should be triggered. However, the current implementation assumes that access tokens are always validated thus allowing access in the presence of any access token attached to the request. * **oauth**: fixed CVE-2022-29228: oauth filter calls ``continueDecoding()`` from within ``decodeHeaders()``. The OAuth filter would try to invoke the remaining filters in the chain after emitting a local response, which triggers an ``ASSERT()`` in newer versions and corrupts memory on earlier versions. * **router**: fixed CVE-2022-29227: Internal redirect crash for requests with body/trailers. Envoy would previously crash in some cases when processing internal redirects for requests with bodies or trailers if the redirect prompts an Envoy-generated local reply. * **runtime**: fixed a bug where ``envoy.restart_features.no_runtime_singleton`` was inverted. Runtime singleton status is now guarded by non-inverted ``envoy.restart_features.remove_runtime_singleton``. * **tcp_proxy**: fixed an issue using the cluster wide ``CONNECT`` termination so it will successfully proxy payloads. * **tls**: fixed a bug where an expired certificate sets a big number for ``days_until_expiration``. After this fix, ``0`` is set. * **upstream**: fixed the ``LOGICAL_DNS`` and ``STRICT_DNS`` clusters to work for IPv6. Removed config or runtime ------------------------- *Normally occurs at the end of the* :ref:`deprecation period ` * **compressor**: removed ``envoy.reloadable_features.fix_added_trailers`` and legacy code paths. * **conn pool**: removed ``envoy.reloadable_features.conn_pool_delete_when_idle`` and legacy code paths. * **dns**: removed ``envoy.reloadable_features.use_dns_ttl`` and legacy code paths. * **ext_authz**: removed ``envoy.reloadable_features.http_ext_authz_do_not_skip_direct_response_and_redirect`` and legacy code paths. * **http**: removed ``envoy.reloadable_features.correct_scheme_and_xfp`` and legacy code paths. * **http**: removed ``envoy.reloadable_features.skip_dispatching_frames_for_closed_connection`` and legacy code paths. * **http**: removed ``envoy.reloadable_features.validate_connect`` and legacy code paths. * **runtime**: removed ``envoy.restart_features.no_runtime_singleton`` and replaced with ``envoy.restart_features.remove_runtime_singleton``. * **tcp_proxy**: removed ``envoy.reloadable_features.new_tcp_connection_pool`` and legacy code paths. * **udp listener**: removed ``envoy.reloadable_features.udp_listener_updates_filter_chain_in_place`` and legacy code paths. New features ------------ * **access_log**: added formatters for :ref:`UPSTREAM_METADATA` and :ref:`METADATA(UPSTREAM_HOST)`. * **access_log**: added new ``access_log`` command operators to retrieve upstream connection information change: ``%UPSTREAM_PROTOCOL%``, ``%UPSTREAM_PEER_SUBJECT%``, ``%UPSTREAM_PEER_ISSUER%``, ``%UPSTREAM_TLS_SESSION_ID%``, ``%UPSTREAM_TLS_CIPHER%``, ``%UPSTREAM_TLS_VERSION%``, ``%UPSTREAM_PEER_CERT_V_START%``, ``%UPSTREAM_PEER_CERT_V_END%``, ``%UPSTREAM_PEER_CERT%`` and ``%UPSTREAM_FILTER_STATE%``. * **admin**: added compile-time option ``--define=admin_html=disabled`` to disable HTML home page. * **build**: enabled building arm64 envoy-distroless and envoy-tools :ref:`docker images `. * **dns_resolver**: added :ref:`GetAddrInfoDnsResolverConfig `, a new DNS resolver that uses the system's ``getaddrinfo()`` function to resolve DNS. This was primarily added for use on Android but can also be used in other situations in which the system resolver is desired. * **dns_resolver**: added :ref:`include_unroutable_families ` to the Apple DNS resolver. * **dns_resolver**: added support for multiple addresses. This is most valuable when used in conjunction with :ref:`ALL ` enabling full happy eyeballs support for Envoy (see detailed documentation :ref:`here ` but will also result in trying multiple addresses for resolvers doing only IPv4 or IPv6. This behavioral change can be temporarily disabled by setting runtime guard ``envoy.restart_features.remove_runtime_singleton`` to ``false``. * **dubbo_proxy**: added :ref:`dynamic routes discovery ` support to dubbo proxy. * **dubbo_proxy**: added :ref:`metadata_match ` support to the dubbo proxy. * **examples**: fixed issues with documentation/compositions usage of ``docker-compose pull``. * **examples**: updated many examples and added dependency checking. * **ext_proc**: added support for per-route :ref:`grpc_service `. * **http**: added :ref:`cluster_header ` in :ref:`request_mirror_policies ` to allow routing shadow request to the cluster specified in the request_header. * **http**: added :ref:`treat_missing_header_as_empty ` to allow header match rule to treat the header value as empty and apply the match rule when the header is missing. * **http**: added a :ref:`send_fully_qualified_url ` configuration option to send absolute URLs for HTTP/1.1. * **http**: added new :ref:`file_system_buffer ` HTTP filter. * **http**: preserve case header formatter support innner formatter on Envoy headers in :ref:`formatter_type_on_envoy_headers `. * **http3**: added :ref:`early_data_policy ` extension to allow upstream HTTP/3 sending requests over early data. If no extension is configured, HTTP/3 pool will send safe requests as early data to the host if the pool already cached 0-RTT credentials of that host. If those requests fail and the underlying connection pool supports TCP fallback, the request may be retried automatically. If the :ref:`default extension ` is configured, no requests are allowed to be sent as early data. Note that if any customized extension configures non-safe requests to be allowed over early data, the Envoy will not automatically retry them. If desired, explicitly config their :ref:`retry_policy `. Sending early data requires both ``envoy.reloadable_features.conn_pool_new_stream_with_early_data_and_http3`` and ``envoy.reloadable_features.http3_sends_early_data`` runtime flags to be set to ``true``. * **listener**: added :ref:`dynamic listener filter configuration ` for listener filters. This dynamic listener filter configuration is only supported by TCP listeners. * **lua**: added new function :ref:`timestampString ` returning the time since epoch as a string. Supported resolutions are millisecond and microsecond. * **matching**: added support for matching authenticated inputs in network and HTTP matching data. * **network**: extended conection balancer with :ref:`extend balance `, and added :ref:`Dlb connection balancer ` to use `DLB `_ hardware to balance. * **on_demand**: :ref:`OnDemand ` got extended to hold configuration for on-demand cluster discovery. A similar message for :ref:`per-route configuration ` is also added. * **open_telemetry**: added :ref:`resource_attributes ` configuration to OpenTelemetry. * **proxy_protcol**: added :ref:`allow_requests_without_proxy_protocol ` to allow requests without proxy protocol on the listener from trusted downstreams as an opt-in flag. * **ratelimit**: added support for :ref:`HTTP matching input functions ` as descriptor producers. * **ratelimit**: added support for :ref:`masked_remote_address `. * **rbac**: added :ref:`matcher ` for selecting connections and requests to different actions. * **redis**: added support for multiple passwords to the redis proxy. See :ref:`downstream_auth_passwords `. * **router**: added :ref:`INTERNAL_SERVER_ERROR option ` to return status code 500 when the configured cluster is not found. * **router**: added :ref:`ignore_path_parameters_in_path_matching `. When set to ``true``, path-parameters(`rfc1808 `_) is ignored during path matching. added :ref:`ignore_path_parameters_in_path_matching `. When set to ``true``, path-parameters(rfc1808) is ignored during path matching. * **router**: added :ref:`ignore_port_in_host_matching `. When set to ``true``, port number (if any) in host header is ignored during host matching. * **router**: added :ref:`keep_empty_value ` to allow keeping empty values in custom headers. * **router**: added :ref:`stat_prefix ` support to generate route level statistics. * **thrift**: added :ref:`close_downstream_on_upstream_error ` flag to router to control downstream local close. * **thrift**: added ``onLocalReply`` support to inform filters of local replies. * **thrift**: added ``validate_clusters`` in :ref:`RouteConfiguration ` to override the default behavior of cluster validation. * **thrift**: added support for access logging for :ref:`Thrift Proxy `. * **thrift**: added support for preserving header keys. See :ref:`header_keys_preserve_case `. * **thrift**: added support for propogating connection draining if local replies try to end downstream. Can be enabled by setting the runtime flag ``envoy.reloadable_features.thrift_connection_draining`` to true. * **thrift**: introduced thrift configurable encoder and bidirectional filters, which allows peeking and modifying the thrift response message. * **udp**: added :ref:`udp_packet_packet_writer_config ` config to specify the UDP packet writer factory. * **upstream**: added :ref:`internal upstream transport ` for passing metadata and filter state across the user space sockets and the internal listeners. Deprecated ---------- * **dubbo_proxy**: deprecated :ref:`old dubbo route config `. Please use :ref:`multiple route config ` or :ref:`DRDS ` first. * **http**: deprecated the short name ``preserve_case`` for the header formatter extension in favor of the fully-qualified name ``envoy.http.stateful_header_formatters.preserve_case``. * **lua**: deprecated :ref:`inline_code `. Please use :ref:`default_source_code `. * **matching**: :ref:`google_re2 ` has been deprecated. A default regex engine can be set using :ref:`default_regex_engine `. * **redis**: deprecated :ref:`downstream_auth_password `. Please use :ref:`downstream_auth_passwords `.