1.23.0 (July 15, 2022)

Incompatible behavior changes

Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required

  • config: multiple SDS resources of multiple clusters or listeners are sent in a single SDS requests, instead of multiple SDS requests. This behavioral change can be reverted by setting envoy.reloadable_features.combine_sds_requests to false.

  • router: updated all HTTP filters to get per-filter config by the HTTP filter config name. If there is no entry referred by the filter config name, the canonical filter name (e.g., envoy.filters.http.buffer for the HTTP buffer filter) will be used for the backwards compatibility.

  • router: weighted cluster’s total_weight is now optional. If not set, Envoy will no longer validate that all weights add up to 100. The sum of weights across all entries in the clusters array must add up to the total_weight, when it’s greater than 0.

  • stats listener: fixed metric tag extraction so that stat_prefix is properly extracted. This changes the Prometheus name from envoy_listener_myprefix_downstream_cx_overflow{} to envoy_listener_downstream_cx_overflow{envoy_listener_address="myprefix"}. This does not affect the Prometheus name if stat_prefix is not set.

  • stats listener: fixed metric tag extraction so that worker_id is properly extracted from the listener stats. This changes the Prometheus name from envoy_listener_worker_1_downstream_cx_active{envoy_listener_address=""} to envoy_listener_downstream_cx_active{envoy_listener_address="", envoy_worker_id="1"}.

  • stats redis_proxy: fixed metric tag extraction so that stat_prefix is properly extracted. This changes the Prometheus name from envoy_redis_myprefix_command_pttl_latency_sum{} to envoy_redis_command_pttl_latency_sum{envoy_redis_prefix="myprefix"}.

  • stats server: fixed metric tag extraction so that worker_id is properly extracted fromt the server stats. This changes the Prometheus name from envoy_server_worker_1_watchdog_miss{} to envoy_server_watchdog_miss{envoy_worker_id="1"}.

  • stats thrift_proxy: fixed metric tag extraction so that stat_prefix is properly extracted. This changes the Prometheus name from envoy_thrift_myprefix_request{} to envoy_thrift_request{envoy_thrift_prefix="myprefix"}.

  • tls-inspector: the listener filter tls inspector’s stats connection_closed and read_error are removed. New stats are introduced for listener, downstream_peek_remote_close and read_error, in listener stats.

Minor behavior changes

Changes that may cause incompatibilities for some users, but should not for most

  • admin: changed default regex engine for /stats?filter= from std::regex to RE2, improving filtering speed 20x.

  • conn pool: changed HTTP/2 connection pooling and the ALPN pool to remember the number of streams allowed by the endpoint and cap multiplexed streams for subsequent connections based on that. With that working, defaulted the ALPN pool to assume HTTP/2 will work, as it will only incur a latency hit once until the TLS handshake is complete, and then will cache that the effective stream limit is 1. This behavioral change can be revered by setting envoy.reloadable_features.allow_concurrency_for_alpn_pool to false.

  • dns: allow propagating DNS responses with no records back to callers like strict_dns cluster, guarded by envoy.reloadable_features.cares_accept_nodata.

  • filter state: revert to respecting the life time of the filter state objects to be bound to the original stream and make sharing filter state objects with the upstream info explicit via an extra flag in setData.

  • http: changing the behavior for CONNECT and upgrade requests over HTTP/1.1 to not delay close. This behavioral change can be reverted by setting envoy.reloadable_features.no_delay_close_for_upgrades to false.

  • http: the dynamo filter has been moved to contrib images.

  • http: the behavior of the timeout field has been modified to extend the timeout when any frame is received on the owning HTTP/2 connection. This negates the effect of head-of-line (HOL) blocking for slow connections. If any frame is received the assumption is that the connection is working. This behavior change can be reverted by setting envoy.reloadable_features.http2_delay_keepalive_timeout to false.

  • http-cache: HTTP cache filter getCache interface changed from returning a reference to returning a shared_ptr - any third-party implementations of this interface will need to be updated accordingly. See changes to simple_http_cache.cc and simple_http_cache.h in PR21114 for example.

  • local_ratelimit: local_ratelimit will consume tokens of all matched descriptors sorted by tokens per second. This behavioral change can be reverted by setting runtime guard envoy.reloadable_features.http_local_ratelimit_match_all_descriptors to false.

  • logging: changed category name for access log filter extensions to envoy.access_loggers.extension_filters.

  • logging: changed flag --log-format-escaped to only log one trailing newline per log line.

  • lua: export symbols of LuaJit by default on Linux. This is useful in cases where you have a lua script that loads shared object libraries, such as those installed via luarocks.

  • lua: lua respond api will call sendLocalReply instead of encodeHeaders and encodeData. This means that encoder filters will be correctly invoked, including adding configured response headers, etc. This behavioral change can be reverted by setting runtime guard envoy.reloadable_features.lua_respond_with_send_local_reply to false.

  • network: the client ssl auth filter has been moved to contrib images.

  • router: get route config factories by the configuration proto full names by default. This behavior change can be reverted by setting the envoy.reloadable_features.get_route_config_factory_by_type runtime flag to false.

  • skywalking: use request path as operation name of ENTRY/EXIT spans.

  • skywalking: use upstream host address as addressUsedAtClient in propagation header.

  • tcp_proxy: added support for command operators in TunnelingConfig hostname to dynamically set upstream hostname.

  • thrift: keep downstream connection if the response is completed without underflow.

  • tls: if both match_subject_alt_names and match_typed_subject_alt_names are specified, the former (deprecated) field is ignored. Previously, setting both fields would result in an error.

  • tls: removed SHA-1 and RSA key transport cipher suites from the server-side defaults.

  • tracers: remove unnecessary spawnChild annotations in OpenCensus tracer.

Bug fixes

Changes expected to improve the state of the world and are unlikely to have negative effects

  • aws_lambda: fixed the AWS cross account lambda function invocation issue.

  • decompression: fixed CVE-2022-29225: Decompressors can be zip bombed. Previously decompressors were susceptible to memory inflation in takes in which specially crafted payloads could cause a large amount of memory usage by Envoy. The max inflation payload size is now limited. This change can be reverted via the envoy.reloadable_features.enable_compression_bomb_protection runtime flag.

  • grpc_json_transcoder: respond with a error messsage if a proto message is too deep (>64). Before the fix the response was an empty JSON.

  • health_check: fixed CVE-2022-29224: Segfault in GrpcHealthCheckerImpl. An attacker-controlled upstream server that is health checked using gRPC health checking can crash Envoy via a null pointer dereference in certain circumstances.

  • http: fixed HTTP/2 CONNECT to be RFC compliant, rather than following the abandoned extended connect draft. This behavioral change can be reverted by setting runtime guard envoy.reloadable_features.use_rfc_connect to false.

  • oauth: fixed CVE-2022-29226: oauth filter allows trivial bypass. The OAuth filter implementation does not include a mechanism for validating access tokens, so by design when the HMAC signed cookie is missing a full authentication flow should be triggered. However, the current implementation assumes that access tokens are always validated thus allowing access in the presence of any access token attached to the request.

  • oauth: fixed CVE-2022-29228: oauth filter calls continueDecoding() from within decodeHeaders(). The OAuth filter would try to invoke the remaining filters in the chain after emitting a local response, which triggers an ASSERT() in newer versions and corrupts memory on earlier versions.

  • router: fixed CVE-2022-29227: Internal redirect crash for requests with body/trailers. Envoy would previously crash in some cases when processing internal redirects for requests with bodies or trailers if the redirect prompts an Envoy-generated local reply.

  • runtime: fixed a bug where envoy.restart_features.no_runtime_singleton was inverted. Runtime singleton status is now guarded by non-inverted envoy.restart_features.remove_runtime_singleton.

  • tcp_proxy: fixed an issue using the cluster wide CONNECT termination so it will successfully proxy payloads.

  • tls: fixed a bug where an expired certificate sets a big number for days_until_expiration. After this fix, 0 is set.

  • upstream: fixed the LOGICAL_DNS and STRICT_DNS clusters to work for IPv6.

Removed config or runtime

Normally occurs at the end of the deprecation period

  • compressor: removed envoy.reloadable_features.fix_added_trailers and legacy code paths.

  • conn pool: removed envoy.reloadable_features.conn_pool_delete_when_idle and legacy code paths.

  • dns: removed envoy.reloadable_features.use_dns_ttl and legacy code paths.

  • ext_authz: removed envoy.reloadable_features.http_ext_authz_do_not_skip_direct_response_and_redirect and legacy code paths.

  • http: removed envoy.reloadable_features.correct_scheme_and_xfp and legacy code paths.

  • http: removed envoy.reloadable_features.skip_dispatching_frames_for_closed_connection and legacy code paths.

  • http: removed envoy.reloadable_features.validate_connect and legacy code paths.

  • runtime: removed envoy.restart_features.no_runtime_singleton and replaced with envoy.restart_features.remove_runtime_singleton.

  • tcp_proxy: removed envoy.reloadable_features.new_tcp_connection_pool and legacy code paths.

  • udp listener: removed envoy.reloadable_features.udp_listener_updates_filter_chain_in_place and legacy code paths.

New features

  • access_log: added formatters for UPSTREAM_METADATA and METADATA(UPSTREAM_HOST).


  • admin: added compile-time option --define=admin_html=disabled to disable HTML home page.

  • build: enabled building arm64 envoy-distroless and envoy-tools docker images.

  • dns_resolver: added GetAddrInfoDnsResolverConfig, a new DNS resolver that uses the system’s getaddrinfo() function to resolve DNS. This was primarily added for use on Android but can also be used in other situations in which the system resolver is desired.

  • dns_resolver: added include_unroutable_families to the Apple DNS resolver.

  • dns_resolver: added support for multiple addresses. This is most valuable when used in conjunction with ALL enabling full happy eyeballs support for Envoy (see detailed documentation here but will also result in trying multiple addresses for resolvers doing only IPv4 or IPv6. This behavioral change can be temporarily disabled by setting runtime guard envoy.restart_features.remove_runtime_singleton to false.

  • dubbo_proxy: added dynamic routes discovery support to dubbo proxy.

  • dubbo_proxy: added metadata_match support to the dubbo proxy.

  • examples: fixed issues with documentation/compositions usage of docker-compose pull.

  • examples: updated many examples and added dependency checking.

  • ext_proc: added support for per-route grpc_service.

  • http: added cluster_header in request_mirror_policies to allow routing shadow request to the cluster specified in the request_header.

  • http: added treat_missing_header_as_empty to allow header match rule to treat the header value as empty and apply the match rule when the header is missing.

  • http: added a send_fully_qualified_url configuration option to send absolute URLs for HTTP/1.1.

  • http: added new file_system_buffer HTTP filter.

  • http: preserve case header formatter support innner formatter on Envoy headers in formatter_type_on_envoy_headers.

  • http3: added early_data_policy extension to allow upstream HTTP/3 sending requests over early data. If no extension is configured, HTTP/3 pool will send safe requests as early data to the host if the pool already cached 0-RTT credentials of that host. If those requests fail and the underlying connection pool supports TCP fallback, the request may be retried automatically. If the default extension is configured, no requests are allowed to be sent as early data. Note that if any customized extension configures non-safe requests to be allowed over early data, the Envoy will not automatically retry them. If desired, explicitly config their retry_policy. Sending early data requires both envoy.reloadable_features.conn_pool_new_stream_with_early_data_and_http3 and envoy.reloadable_features.http3_sends_early_data runtime flags to be set to true.

  • listener: added dynamic listener filter configuration for listener filters. This dynamic listener filter configuration is only supported by TCP listeners.

  • lua: added new function timestampString returning the time since epoch as a string. Supported resolutions are millisecond and microsecond.

  • matching: added support for matching authenticated inputs in network and HTTP matching data.

  • network: extended conection balancer with extend balance, and added Dlb connection balancer to use DLB hardware to balance.

  • on_demand: OnDemand got extended to hold configuration for on-demand cluster discovery. A similar message for per-route configuration is also added.

  • open_telemetry: added resource_attributes configuration to OpenTelemetry.

  • proxy_protcol: added allow_requests_without_proxy_protocol to allow requests without proxy protocol on the listener from trusted downstreams as an opt-in flag.

  • ratelimit: added support for HTTP matching input functions as descriptor producers.

  • ratelimit: added support for masked_remote_address.

  • rbac: added matcher for selecting connections and requests to different actions.

  • redis: added support for multiple passwords to the redis proxy. See downstream_auth_passwords.

  • router: added INTERNAL_SERVER_ERROR option to return status code 500 when the configured cluster is not found.

  • router: added ignore_path_parameters_in_path_matching. When set to true, path-parameters(rfc1808) is ignored during path matching. added ignore_path_parameters_in_path_matching. When set to true, path-parameters(rfc1808) is ignored during path matching.

  • router: added ignore_port_in_host_matching. When set to true, port number (if any) in host header is ignored during host matching.

  • router: added keep_empty_value to allow keeping empty values in custom headers.

  • router: added stat_prefix support to generate route level statistics.

  • thrift: added close_downstream_on_upstream_error flag to router to control downstream local close.

  • thrift: added onLocalReply support to inform filters of local replies.

  • thrift: added validate_clusters in RouteConfiguration to override the default behavior of cluster validation.

  • thrift: added support for access logging for Thrift Proxy.

  • thrift: added support for preserving header keys. See header_keys_preserve_case.

  • thrift: added support for propogating connection draining if local replies try to end downstream. Can be enabled by setting the runtime flag envoy.reloadable_features.thrift_connection_draining to true.

  • thrift: introduced thrift configurable encoder and bidirectional filters, which allows peeking and modifying the thrift response message.

  • udp: added udp_packet_packet_writer_config config to specify the UDP packet writer factory.

  • upstream: added internal upstream transport for passing metadata and filter state across the user space sockets and the internal listeners.