Releases: Kong/kong

0.10.4

25 Oct 19:50

0.11.0

16 Aug 18:41

0.10.3

25 May 22:42

Changed

  • We noticed that some distribution packages were not
    building OpenResty against a JITable PCRE library. This
    happened on Ubuntu and RHEL environments where OpenResty was
    built against the system's PCRE installation.
    We now compile OpenResty against a JITable PCRE source for
    those platforms, which should result in significant performance
    improvements in regex matching.
    Mashape/kong-distributions #9
  • TLS connections are now handled with a modern list of
    accepted ciphers, as per the Mozilla recommended TLS
    ciphers list.
    See https://wiki.mozilla.org/Security/Server_Side_TLS.
    This behavior is configurable via the newly
    introduced configuration properties described in the
    below "Added" section.
  • Plugins:
    • rate-limiting: Performance improvements when using the
      cluster policy. The number of round trips to the
      database has been limited to the number of configured
      limits.
      #2488

Added

  • New ssl_cipher_suite and ssl_ciphers configuration
    properties to configure the desired set of accepted ciphers,
    based on the Mozilla recommended TLS ciphers list.
    #2555
  • New proxy_ssl_certificate and proxy_ssl_certificate_key
    configuration properties. These properties configure the
    Nginx directives bearing the same name, to set client
    certificates to Kong when connecting to your upstream services.
    #2556
  • Proxy and Admin API access and error log paths are now
    configurable. Access logs can be entirely disabled if
    desired.
    #2552
  • Plugins:
    • Logging plugins: The produced logs include a new tries
      field, which includes the upstream connection successes
      and failures of the load-balancer.
      #2429
    • key-auth: Credentials can now be sent in the request body.
      #2493
    • cors: Origins can now be defined as regular expressions.
      #2482

Fixed

  • APIs matching: prioritize APIs with longer uris when said
    APIs also define hosts and/or methods. Thanks
    @leonzz for the patch.
    #2523
  • SSL connections to Cassandra can now properly verify the
    certificate in use (when cassandra_ssl_verify is enabled).
    #2531
  • The DNS resolver no longer sends A or AAAA DNS queries for SRV
    records. This should improve performance by avoiding unnecessary
    lookups.
    #2563 &
    Mashape/lua-resty-dns-client #12
  • Plugins
    • All authentication plugins don't throw an error anymore when
      invalid credentials are given and the anonymous user isn't
      configured.
      #2508
    • rate-limiting: Effectively use the desired Redis database when
      the redis policy is in use and the config.redis_database
      property is set.
      #2481
    • cors: The regression introduced in 0.10.1 regarding not
      sending the * wildcard when conf.origin was not specified
      has been fixed.
      #2518
    • oauth2: properly check the client application ownership of a
      token before refreshing it.
      #2461

0.10.2

02 May 01:07

Changed

  • The Kong DNS resolver now honors the MAXNS setting (3) when parsing the
    nameservers specified in resolv.conf.
    #2290
  • Kong now matches incoming requests via the $request_uri property, instead
    of $uri, in order to better handle percent-encoded URIs. A more detailed
    explanation will be included in the below "Fixed" section.
    #2377
  • Upstream calls do not unconditionally include a trailing / anymore. See the
    below "Added" section for more details.
    #2315
  • Admin API:
    • The "active targets" endpoint now only returns the most recent nonzero
      weight Targets, instead of all nonzero weight targets. This is to provide
      a better picture of the Targets currently in use by the Kong load balancer.
      #2310

Added

  • 🎆 Plugins can implement a new rewrite handler to execute code in
    the Nginx rewrite phase. This phase is executed prior to matching a
    registered Kong API, and prior to any authentication plugin. As such, only
    global plugins (tied to neither an API nor a Consumer) will execute this phase.
    #2354
  • Ability for the client to choose whether the upstream request (Kong <->
    upstream) should contain a trailing slash in its URI. Prior to this change,
    Kong 0.10 would unconditionally append a trailing slash to all upstream
    requests. The added functionality is described in
    #2211, and was implemented in
    #2315.
  • Ability to hide Kong-specific response headers. Two new configuration fields:
    server_tokens and latency_tokens will respectively toggle whether the
    Server and X-Kong-*-Latency headers should be sent to downstream clients.
    #2259
  • New cassandra_schema_consensus_timeout configuration property, to allow for
    Kong to wait for the schema consensus of your Cassandra cluster during
    migrations.
    #2326
  • Serf commands executed by a running Kong node are now logged in the Nginx
    error logs with a DEBUG level.
    #2410
  • Ensure the required shared dictionaries are defined in the Nginx
    configuration. This will prevent custom Nginx templates from potentially
    resulting in a breaking upgrade for users.
    #2466
  • Admin API:
    • Target Objects can now be deleted with their ID as well as their name. The
      endpoint becomes: /upstreams/:name_or_id/targets/:target_or_id.
      #2304
  • Plugins:
    • 🎆 New Request termination plugin. This plugin allows you to
      temporarily disable an API and return a pre-configured response status and
      body to your client. Useful for use-cases such as maintenance mode for your
      upstream services. Thanks to @pauldaustin
      for the contribution.
      #2051
    • Logging plugins: The produced logs include two new fields: a consumer
      field, which contains the properties of the authenticated Consumer
      (id, custom_id, and username), if any, and a tries field, which
      includes the upstream connection successes and failures of the
      load-balancer.
      #2367
      #2429
    • http-log: Now set an upstream HTTP basic access authentication header if
      the configured conf.http_endpoint parameter includes an authentication
      section. Thanks @amir for the contribution.
      #2432
    • file-log: New config.reopen property to close and reopen the log file on
      every request, in order to effectively rotate the logs.
      #2348
    • jwt: Returns 401 Unauthorized on invalid claims instead of the previous
      403 Forbidden status.
      #2433
    • key-auth: Allow setting API key header names with an underscore.
      #2370
    • cors: When config.credentials = true, we do not send an ACAO header with
      value *. The ACAO header value will be that of the request's Origin:
      header.
      #2451

Fixed

  • Upstream connections over TLS now set their Client Hello SNI field. The SNI
    value is taken from the upstream Host header value, and thus also depends
    on the preserve_host setting of your API. Thanks
    @konrade for the original patch.
    #2225
  • Correctly match APIs with percent-encoded URIs in their uris property.
    Generally, this change also avoids normalizing (and thus, potentially
    altering) the request URI when trying to match an API's uris value. Instead
    of relying on the Nginx $uri variable, we now use $request_uri.
    #2377
  • Handle a routing edge-case under some conditions with the uris matching
    rule of APIs that would falsely lead Kong into believing no API was matched
    for what would actually be a valid request.
    #2343
  • If no API was configured with a hosts matching rule, then the
    preserve_host flag would never be honored.
    #2344
  • CNAME records are now properly being cached by the DNS resolver. This results
    in a performance improvement over previous 0.10 versions.
    #2303
  • When using Cassandra, some migrations would not be performed on the same
    coordinator as the one originally chosen. The same migrations would also
    require a response from other replicas in a cluster, but were not waiting
    for a schema consensus beforehand, causing non-deterministic failures in the
    migrations, especially if the cluster's inter-node communication is slow.
    #2326
  • The cassandra_timeout configuration property is now correctly taken into
    consideration by Kong.
    #2326
  • Correctly trigger plugins configured on the anonymous Consumer for anonymous
    requests (from auth plugins with the new config.anonymous parameter).
    #2424
  • When multiple auth plugins were configured with the recent config.anonymous
    parameter for "OR" authentication, such plugins would override each other's
    results and response headers, causing false negatives.
    #2222
  • Ensure the cassandra_contact_points property does not contain any port
    information. Those should be specified in cassandra_port. Thanks
    @Vermeille for the contribution.
    #2263
  • Prevent an upstream or legitimate internal error in the load balancing code
    from throwing a Lua-land error as well.
    #2327
  • Allow backwards compatibility with custom Nginx configurations that still
    define the resolver ${{DNS_RESOLVER}} directive. Values from the Kong
    dns_resolver property will be flattened to a string and appended to the
    directive.
    #2386
  • Plugins:
    • hmac: Better handling of invalid base64-encoded signatures. Previously Kong
      would return an HTTP 500 error. We now properly return HTTP 403 Forbidden.
      #2283
  • Admin API:
    • Detect conflicts between SNI Objects in the /snis and /certificates
      endpoint.
      #2285
    • The /certificates route used to not return the total and data JSON
      fields. We now send those fields back instead of a root list of certificate
      objects.
      #2463
    • Endpoints with path parameters like /xxx_or_id will now also yield the
      proper result if the xxx field is formatted as a UUID. Most notably, this
      fixes a problem for Consumers whose username is a UUID, that could not be
      found when requesting /consumers/{username_as_uuid}.
      #2420
    • The "active targets" endpoint does not require a trailing slash anymore.
      #2307
    • Upstream Objects can now be deleted properly when using Cassandra.
      #2404

0.10.1

27 Mar 22:53

Changed

  • ⚠️ Serf has been downgraded to version 0.7 in our distributions,
    although versions up to 0.8.1 are still supported. This fixes a problem when
    automatically detecting the first non-loopback private IP address, which was
    defaulted to 127.0.0.1 in Kong 0.10.0. Greater versions of Serf can still
    be used, but the IP address needs to be manually specified in the
    cluster_advertise configuration property.
  • Admin API:
    • Disable support for TLS/1.0.
      #2212

Added

  • Admin API:
    • Active targets can be pulled with GET /upstreams/{name}/targets/active.
      #2230
    • Provide a convenience endpoint to disable targets at:
      DELETE /upstreams/{name}/targets/{target}.
      Under the hood, this creates a new target with weight = 0 (the
      correct way of disabling targets, which used to cause confusion).
      #2256
  • Plugins:
    • cors: Support for configuring multiple Origin domains.
      #2203

Fixed

  • Use an LRU cache for Lua-land entities caching to avoid exhausting the Lua
    VM memory in long-running instances.
    #2246
  • Avoid potential deadlocks upon callback errors in the caching module for
    database entities.
    #2197
  • Relax multipart MIME type parsing. A space is allowed in between values
    of the Content-Type header.
    #2215
  • Admin API:
    • Better handling of non-supported HTTP methods on endpoints of the Admin
      API. In some cases this used to throw an internal error. Calling any
      endpoint with a non-supported HTTP method now always returns 405 Method Not Allowed as expected.
      #2213
  • CLI:
    • Better error handling when missing Serf executable.
      #2218
    • Fix a bug in the kong migrations command that would prevent it from
      running correctly.
      #2238
    • Trim list values specified in the configuration file.
      #2206
    • Align the default configuration file's values to the actual, hard-coded
      default values to avoid confusion.
      #2254
  • Plugins:
    • hmac: Generate an HMAC secret value if none is provided.
      #2158
    • oauth2: Don't try to remove credential values from request bodies if the
      MIME type is multipart, since such attempts would result in an error.
      #2176
    • ldap: This plugin should not be applied to a single Consumer, however, this
      was not properly enforced. It is now impossible to apply this plugin to a
      single Consumer (as per all authentication plugins).
      #2237
    • aws-lambda: Support for us-west-2 region in schema.
      #2257

0.10.0

08 Mar 01:21

Kong 0.10 is one of the most significant releases to this day. It ships with
exciting new features that have been heavily requested for the last few months,
such as load balancing, Cassandra 3.0 compatibility, Websockets support,
internal DNS resolution (A and SRV records without Dnsmasq), and more flexible
matching capabilities for APIs routing.

On top of those new features, this release received particular attention to
performance, and brings many improvements and refactors that should make it
perform significantly better than any previous version.

Changed

  • ⚠️ API Objects (as configured via the Admin API) do not support
    the request_host and request_uri fields anymore. The 0.10 migrations
    should upgrade your current API Objects, but make sure to read the new 0.10
    Proxy Guide to learn the new routing capabilities of Kong. On the good
    side, this means that Kong can now route incoming requests according to a
    combination of Host headers, URIs, and HTTP methods.
  • ⚠️ Final slashes in upstream_url are no longer allowed.
    #2115
  • ⚠️ The SSL plugin has been removed and dynamic SSL capabilities have
    been added to Kong core, and are configurable via new properties on the API
    entity. See the related PR for a detailed explanation of this change.
    #1970
  • ⚠️ Drop the Dnsmasq dependency. We now internally resolve both A and
    SRV DNS records.
    #1587
  • ⚠️ Dropping support for insecure TLS/1.0 and defaulting Upgrade
    responses to TLS/1.2.
    #2119
  • Bump the compatible OpenResty version to 1.11.2.1 and 1.11.2.2. Support
    for OpenResty 1.11.2.2 requires the --without-luajit-lua52 compilation
    flag.
  • Separate Admin API and Proxy error logs. Admin API logs are now written to
    logs/admin_access.log.
    #1782
  • Auto-generates stronger SHA-256 with RSA encryption SSL certificates.
    #2117

Added

  • 🎆 Support for Cassandra 3.x.
    #1709
  • 🎆 SRV records resolution.
    #1587
  • 🎆 Load balancing. When an A or SRV record resolves to multiple
    entries, Kong now rotates those upstream targets with a Round-Robin
    algorithm. This is a first step towards implementing more load balancing
    algorithms.
    Another way to specify multiple upstream targets is to use the newly
    introduced /upstreams and /targets entities of the Admin API.
    #1587
    #1735
  • 🎆 Multiple hosts and paths per API. Kong can now route incoming
    requests to your services based on a combination of Host headers, URIs and
    HTTP methods. See the related PR for a detailed explanation of the new
    properties and capabilities of the new router.
    #1970
  • 🎆 Maintain upstream connection pools which should greatly improve
    performance, especially for HTTPS upstream connections. We now use HTTP/1.1
    for upstream connections as well as an nginx upstream block with a
    configurable keepalive directive, thanks to the new nginx_keepalive
    configuration property.
    #1587
    #1827
  • 🎆 Websockets support. Kong can now upgrade client connections to
    use the ws protocol when Upgrade: websocket is present.
    #1827
  • Use an in-memory caching strategy for database entities in order to reduce
    CPU load during requests proxying.
    #1688
  • Provide negative-caching for missed database entities. This should improve
    performance in some cases.
    #1914
  • Support for serving the Admin API over SSL. This introduces new properties in
    the configuration file: admin_listen_ssl, admin_ssl, admin_ssl_cert and
    admin_ssl_cert_key.
    #1706
  • Support for upstream connection timeouts. APIs now have 3 new fields:
    upstream_connect_timeout, upstream_send_timeout, upstream_read_timeout
    to specify, in milliseconds, a timeout value for requests between Kong and
    your APIs.
    #2036
  • Support for clustering key rotation in the underlying Serf process:
    • new cluster_keyring_file property in the configuration file.
    • new kong cluster keys .. CLI commands that expose the underlying
      serf keys .. commands.
      #2069
  • Support for lua_socket_pool_size property in configuration file.
    #2109
  • Plugins:
    • 🎆 New AWS Lambda plugin. Thanks Tim Erickson for his
      collaboration on this new addition.
      #1777
      #1190
    • Anonymous authentication for auth plugins. When such plugins receive the
      config.anonymous=<consumer_id> property, even non-authenticated requests
      will be proxied by Kong, with the traditional Consumer headers set to the
      designated anonymous consumer, but also with an X-Anonymous-Consumer
      header. Multiple auth plugins will work in a logical OR fashion.
      #1666 and
      #2035
    • request-transformer: Ability to change the HTTP method of the upstream
      request. #1635
    • jwt: Support for ES256 signatures.
      #1920
    • rate-limiting: Ability to select the Redis database to use via the new
      config.redis_database plugin property.
      #1941

Fixed

  • Looking for Serf in known installation paths.
    #1997
  • Including port in upstream Host header.
    #2045
  • Clarify the purpose of the cluster_listen_rpc property in
    the configuration file. Thanks Jeremy Monin for the patch.
    #1860
  • Admin API:
    • Properly return JSON responses (instead of HTML) on HTTP 409 Conflict
      when adding Plugins.
      #2014
  • CLI:
    • Avoid double-prefixing migration error messages with the database name
      (PostgreSQL/Cassandra).
  • Plugins:
    • Fix fault tolerance logic and error reporting in rate-limiting plugins.
    • CORS: Properly return Access-Control-Allow-Credentials: false if
      Access-Control-Allow-Origin: *.
      #2104
    • key-auth: enforce key_names to be proper header names according to Nginx.
      #2142

0.9.9

03 Feb 02:04

Fixed

  • Correctly put Cassandra sockets into the Nginx connection pool for later
    reuse. This greatly improves the performance for rate-limiting and
    response-ratelimiting plugins.
    f8f5306
  • Correct length of a year in seconds for rate-limiting and
    response-ratelimiting plugins. A year was wrongly assumed to only be 360
    days long.
    e4fdb2a
  • Prevent misinterpretation of the % character in proxied URLs encoding.
    Thanks Thomas Jouannic for the patch.
    #1998
    #2040

0.9.8

20 Jan 06:50

Fixed

  • Properly set the admin IP in the Serf script.

Changed

  • Provide negative-caching for missed database entities. This should improve
    performance in some cases.
    #1914

Fixed

  • Plugins:
    • Fix fault tolerance logic and error reporting in rate-limiting plugins.

0.9.7

23 Dec 06:54

Fixed

  • Fixed a performance issue in Cassandra by removing an old workaround that was
    forcing Cassandra to use LuaSocket instead of cosockets.
    #1916
  • Fixed an issue that was causing a recursive attempt to stop Kong's services
    when an error was occurring.
    #1877
  • Custom plugins are now properly loaded again.
    #1910
  • Plugins:
    • Galileo: properly encode empty arrays.
      #1909
    • OAuth 2: implements a missing Postgres migration for redirect_uri in
      every OAuth 2 credential. #1911
    • OAuth 2: safely parse the request body even when no data has been sent.
      #1915

0.9.6

29 Nov 20:52

Fixed

  • Resolve support for PostgreSQL SSL connections.
    #1720
  • Ensure kong start honors the --conf flag if a config file already exists
    at one of the default locations (/etc/kong.conf, /etc/kong/kong.conf).
    #1681
  • Obfuscate sensitive properties from the / Admin API route which returns
    the current node's configuration.
    #1650