All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
- Fixed 3scale Batcher policy being unable to handle an app_id/access_token that contains special characters PR #1457 THREESCALE-10934
- Fixed APIcast sending requests through the proxy server even when NO_PROXY is used PR #1478 THREESCALE-11128
- Fixed config reloading even when reloading is disabled PR #1468
- Fixed confusing log display when APIcast listens on HTTPS and path routing is enabled PR #1486 THREESCALE #8486
- Fixed Conditional policy evaluating incorrectly: second policy in policy chain that implements export() always triggers PR #1485 THREESCALE-9320
- Fix APIcast using stale configuration for deleted products PR #1488 THREESCALE-10130
- Fixed Mutual TLS between APIcast and the Backend API failing when using a Forward Proxy PR #1499 THREESCALE-5105
- Fixed dns cache miss PR #1500 THREESCALE-9301
- Fixed APIcast panic when parsing invalid base64 encoded value PR #1505 THREESCALE-11435
- Bump openresty to 1.21.4.3 PR #1461 THREESCALE-10601
- Support Financial-grade API (FAPI) 1.0 - Baseline profile PR #1465 THREESCALE-10973
- Support Financial-grade API (FAPI) 1.0 - Advanced profile PR #1465 THREESCALE-11019
- Token Introspection Policy - Support private_key_jwt and client_secret_jwt authentication mode PR #1464 THREESCALE-11015
- Added the APICAST_PROXY_BUFFER_SIZE variable to allow configuration of the buffer size for handling responses from the proxied servers. PR #1473, THREESCALE-8410
- Added the APICAST_HTTPS_VERIFY_CLIENT variable to allow configuration of the ssl_verify_client directive. PR #1491 THREESCALE-10156
- Add APICAST_LUA_SOCKET_KEEPALIVE_REQUESTS to limit the number of requests a single keepalive socket can handle PR #1496 THREESCALE-11321
- Replace internal OPENSSL module with lua-resty-openssl PR #1502 THREESCALE-11412
- Remove opentracing support PR #1520 THREESCALE-11603
3.15.0 2024-04-04
- Fix GRPC on HTTP2 POST method PR #1419 THREESCALE-9976
- Fixed CVE-2023-44487 (HTTP/2 Rapid Reset) PR #1417 THREESCALE-10224
- Fixed issue where the proxy policy could not handle requests with "Transfer-Encoding: chunked" header PR #1403 THREESCALE-9542
- Fixed custom-config.t conversion to APIcast::Blackbox PR #1425
- Fixed resty-ctx.t conversion to APIcast::Blackbox PR #1424
- Fixed backend-cache-handler.t conversion to APIcast::Blackbox PR #1431
- Fixed apicast-mapping-rules.t conversion to APIcast::Blackbox PR #1430
- gateway/src/apicast/http_proxy.lua: remove unused code PR #1435
- Fixed token introspection field removed PR #1438 THREESCALE-10591
- Fixed issue where the URL was not correctly escaped when using the JWT claim check policy THREESCALE-10308 PR #1428
- Fix upstream default port when HTTP_PROXY PR #1440
- Docker compose up instead of docker compose run PR #1442
- Fix integration of upstream connection policy with camel policy PR #1443 THREESCALE-10582
- Upgrade lua-resty-http to 0.17.1 to fix 100 response headers not being handled when using HTTPS_PROXY PR #1434 THREESCALE-10278
- Replace luafilesystem-ffi with luafilesystem PR #1445 THREESCALE-10662
- Fix "Upstream cannot be null" error in APIcast logs PR #1449 THREESCALE-5225
- Fixed 3scale Batcher policy unable to handle base64 encoded user_key PR #1453 THREESCALE-10934
- Update luacheck settings and fix issues reported PR #1451
- Disable _G write guard warning PR #1454
- Detect number of CPU shares when running on Cgroups V2 PR #1410 THREESCALE-10167
- Add support to use Basic Authentication with the forward proxy. PR #1409 THREESCALE-4393
- Added request unbuffered policy PR #1408 THREESCALE-9542
- Dev environment: keycloak PR #1439
- Dev environment: Camel proxy PR #1441
- Bump penlight to 1.31.1 PR #1447
- Added APICAST_CLIENT_REQUEST_HEADER_BUFFERS variable to allow configuration of the NGINX client_request_header_buffers directive: PR #1446, THREESCALE-10164
- Added the APICAST_POLICY_BATCHER_SHARED_MEMORY_SIZE variable to allow configuration of the batcher policy's shared memory size. PR #1452, THREESCALE-9537
3.14.0 2023-07-25
- In boot mode on init_worker check configuration expiration PR #1399 THREESCALE-9003
- Removes the warning message at the bootstrap PR #1398 THREESCALE-7942
- Set NGINX variable variables_hash_max_size to 2048 to avoid startup warning PR #1395 THREESCALE-7941
- Dev environment on aarch64 host PR #1381
- Doc: Policy Development Tutorial PR #1384
- Opentelemetry support. Opentracing is now deprecated PR #1379 THREESCALE-7735
- /admin/api/account/proxy_configs endpoint for configuration loading PR #1352 THREESCALE-8508
- Pagination of services and proxy config endpoints PR #1397 THREESCALE-8373
- Upstream TLS v1.3 PR #1400 THREESCALE-9193
- Updated policy list for v3.13.2 PR #1404
- Updated policy list for v3.14.0 PR #1407
- APICAST_LOAD_SERVICES_WHEN_NEEDED is dropped and the configuration is fetched "when needed" by default PR #1352 THREESCALE-8508
3.13.2 2023-02-21
- Fixed: OIDC jwt key verification PR #1392 THREESCALE-9009
3.13.0 2023-02-07
- Fixed NGINX filters policy error PR #1339 THREESCALE-7349
- Fix to avoid uninitialized variables when request URI is too large PR #1340 THREESCALE-7906
- Fixed issue where request path is stripped for proxied https requests PR #1342 THREESCALE-8426
- Bumped liquid-lua to version 0.2.0-2 PR #1369 - includes: THREESCALE-8483 and THREESCALE-8484
- Fixed: APIcast could not retrieve the latest version of the proxy config PR #1370 THREESCALE-8485
- Fixed: JWKs without alg field cause the JWT validation process to fail PR #1371 THREESCALE-8601
- Updated policy list PR #1374
3.12.2 2023-02-21
- Fixed: OIDC jwt key verification PR #1391 THREESCALE-9009
3.12.0 2022-07-07
- Fixed warning messages PR #1318 THREESCALE-7906
- Fixed dirty context PR #1328 THREESCALE-8000 THREESCALE-8007
- Fixed jwk alg confusion PR #1329 THREESCALE-8249
- Fixed issue with resolving target server hostnames to IP when using CONNECT method PR #1323 THREESCALE-7967
- Fixed issue with resolving target server hostnames to IPs when forwarding requests through http/s proxy PR #1323 THREESCALE-7967
- Fixed dirty context PR #1328 THREESCALE-8000 THREESCALE-8007 THREESCALE-8252
- Fixed dirty context (part 2 of PR #1328) when tls termination policy is in the policy chain PR #1333
3.11.0 2022-02-17
- Fixed hostname_rewrite incompatibility with Routing Policy PR #1263 THREESCALE-6723
- Fixed issues with URI when using Routing Policy PR #1245 THREESCALE-6410
- Fixed typo on TLS jsonschema PR #1260 THREESCALE-6390
- Fixed host header format on http_ng resty PR #1264 THREESCALE-2235
- Fixed issues on OIDC jwk discovery PR #1268 THREESCALE-6913
- Fixed Payload limit content-length response header PR #1266 THREESCALE-6736
- Fixed IPcheck policy issues with invalid IP PR #1273 THREESCALE-7075
- Disabled content-caching globally if no policy at all PR #1278 THREESCALE-7016
- Fixed warning messages PR #1282 THREESCALE-5816
- Fixed lua socket error on ssl_certificate PR #1283 THREESCALE-7230
- Fixed Access log header PR #1284 THREESCALE-6193
- Fixed Payload limit jsonschema PR #1293 THREESCALE-6965
- Fixed Status code overwrite policy jsonschema PR #1294 THREESCALE-7238
- Fixed TLS host validation PR #1295 THREESCALE-768
- Fixed Status code overwrite policy jsonschema PR #1296 THREESCALE-6415
- Fixed URL encoding on set-path PR #1297 THREESCALE-5117
- Fixed trailing slash on routing policy PR #1298 THREESCALE-7146
- Fixed race condition on caching mode PR #1259 THREESCALE-4464
- Fixed Nginx filter issues on jsonschema PR #1302 THREESCALE-7349
- Fixed issues with OIDC filters PR #1304 PR #1306 THREESCALE-6042
- Fixed issues with OIDC filters PR #1304 THREESCALE-6042
- Fixed issues with Upstream MTLS certs PR #1307 THREESCALE-7508
- Fixed warning messages PR #1318 THREESCALE-7906
- Fixed dirty context PR #1328 THREESCALE-8000 THREESCALE-8007
- Fixed jwk alg confusion PR #1329 THREESCALE-8249
- Fixed issue with resolving target server hostnames to IP when using CONNECT method PR #1323 THREESCALE-7967
- Fixed issue with resolving target server hostnames to IPs when forwarding requests through http/s proxy PR #1323 THREESCALE-7967
- Fixed dirty context PR #1328 THREESCALE-8000 THREESCALE-8007 THREESCALE-8252
- Fixed dirty context (part 2 of PR #1328) when tls termination policy is in the policy chain PR #1333
- Fixed NGINX filters policy error PR #1339 THREESCALE-7349
- Fix to avoid uninitialized variables when request URI is too large PR #1340 THREESCALE-7906
- Fixed issue where request path is stripped for proxied https requests PR #1342 THREESCALE-8426
- Bumped liquid-lua to version 0.2.0-2 PR #1369 - includes: THREESCALE-8483 and THREESCALE-8484
- New /admin/api/account/proxy_configs endpoint for configuration loading PR #1352 THREESCALE-8508
- Added conditions in maintenance mode policy including upstream in the liquid context + the upstream updated by Upstream policy is now shared in context.route_upstream PR #1255 THREESCALE-6552
- Add methods to transformations in rewrite url captures policy PR #1253 THREESCALE-6270
- Add Access-Control-Max-Age PR #1247 THREESCALE-6556
- Add HTTP codes policy PR #1236 THREESCALE-6255
- Buffer access log on chunks PR #1248 THREESCALE-6563
- Added sendfile_max_chunk to the worker PR #1250 THREESCALE-6570
- Increased api-keys shared memory size PR #1250 THREESCALE-6570
- Add support to multiple Origin based on regexp PR #1251 THREESCALE-6569
- Bump Openresty version to 1.19.3 PR #1272 THREESCALE-6963
- Change how ngx.encode_args is made on usage PR #1277 THREESCALE-7122
- Upstream pool key when is using HTTPs connection PR #1274 THREESCALE-6849
- Fix a warning message on invalid upstream PR #1285 THREESCALE-5225
- Upstream MTLS server verify PR #1280 THREESCALE-7099
- Add Nginx filter policy PR #1279 THREESCALE-6704
- Added on_failed policy PR #1286 THREESCALE-6705
- Master branch containers builds are now latest tag on quay.io PR #1289 THREESCALE-7251
3.10.0 2021-01-04
Beta1 is stable and moved to final release.
3.10.0-beta1 2020-11-23
- Fixed issues with OIDC validation PR #1239 THREESCALE-6313
- Fixed issues with Liquid body size PR #1240 THREESCALE-6315
3.10.0-alpha2 2020-11-04
- Non-alphanumeric metric name in 3scale-batcher policy PR #1234 THREESCALE-4913
- Fixed issues when using fully qualified DNS query PR #1235 THREESCALE-4752
3.10.0-alpha1 2020-10-13
- Support Proxy Protocol PR #1211 THREESCALE-5366
- Enable support to log credentials on logging policy PR #1217 THREESCALE-5273
- Add a way to support more than 1000 services in a single instance PR #1222 THREESCALE-5308
- Added new original_request_uri tag on Opentracing PR #1223 THREESCALE-5669
- Caching policy disable default field PR #1226 THREESCALE-1514
- Add response/request content size limits PR #1227 THREESCALE-5244
- Add HTTP codes policy PR #1236 THREESCALE-6255
- Fixed issues with allow caching mode and 3scale batcher PR #1216 THREESCALE-5753
- Fixed issues when Auth Caching is disabled PR #1225 THREESCALE-4464
- Fixed issues with service filter and OIDC PR #1229 THREESCALE-6042
- Increased size of dictionaries used by the Batching policy to 20 MB. Users with many services might have experienced issues with this policy because the size of those dictionaries was not enough to store everything the policy needs to function correctly. PR #1231
- Fixed issue with Camel service over HTTPs when Routing Policy PR #1230 THREESCALE-5891
- Fixed doc issue on SERVICES_FILTER parameter PR #1233 THREESCALE-5421
- Non-alphanumeric metric name in 3scale-batcher policy PR #1234 THREESCALE-4913
- Fixed issues when using fully qualified DNS query PR #1235 THREESCALE-4752
- Fixed issues with OIDC validation PR #1239 THREESCALE-6313
- Fixed issues with Liquid body size PR #1240 THREESCALE-6315
- Fixed filter services with APICAST_SERVICES_FILTER_BY_URL when using remote v2 config PR #1243 THREESCALE-6139
- Added a new metric when the worker_process starts PR #1228 THREESCALE-5965
- Fixed issues when using fully qualified DNS query PR #1235 THREESCALE-4752
3.9.0 2020-08-17
No issues were found on beta1, so it becomes the final release.
3.9.0-beta1 2020-07-17
- Fixed issues with URL encode on routing policy THREESCALE-5454 PR #1208
- Fixed issue with mapping rules and 3scale batcher policy THREESCALE-5513 PR #1210
- Fixed issues with invalid number of conditions THREESCALE-5435 PR #1212
3.9.0-alpha1 2020-06-26
- Fixed issues with liquid replaces THREESCALE-4937 PR #1185
- Fixed issues with HTTPS_PROXY and large bodies THREESCALE-3863 PR #1191
- Fixed issues with path routing and query args THREESCALE-5149 PR #1190
- Fixed issue with IPCheck policy when forwarder-for value contains port THREESCALE-5258 PR #1192
- Added upstream Mutual TLS policy THREESCALE-672 PR #1182
- Added Rate-limit headers policy THREESCALE-3795 PR #1166 PR #1197 PR #1209
- Added Content-caching policy THREESCALE-2894 PR #1182
- Added Nginx request_id variable to context PR #1184
- Added HTTP verb on url_rewriten PR #1187 THREESCALE-5259 PR #1202
- Added custom_metrics policy PR #1188 THREESCALE-5098
- New apicast_status Prometheus metric THREESCALE-5417 PR #1200
- New content_caching Prometheus metric THREESCALE-5439 PR #1203
- Added Camel policy PR #1193 THREESCALE-4867
3.8.0-cr1 was considered final and became 3.8.0.
3.8.0-cr1 - 2020-03-07
- Fixed naming issues in policies THREESCALE-4150 PR #1167
- Fixed issues on invalid config in logging policy THREESCALE-4605 PR #1168
- Fixed issues with routing policy and GRPC one THREESCALE-4684 PR #1177 PR #1179
3.8.0-alpha2 - 2020-02-18
- Check status is bigger than zero on caching policy THREESCALE-4471 PR #1163
3.8.0-alpha1 - 2020-01-31
- Now the configuration of the issuer is cached to avoid flip-flop issues when OIDC connectivity fails. THREESCALE-3809 PR #1141
- OpenResty dependencies now come from the Red Hat build system. THREESCALE-3771 PR #1145
- Added HTTP2 support THREESCALE-3271 PR #1128
- Websocket support. THREESCALE-4019 PR #1152
- Added Request_id on ngx.log function. THREESCALE-3644 PR #1156
- Logging policy add the option to log JWT claims THREESCALE-4326 PR #1160
- When PATH routing was enabled the URL was not correctly escaped THREESCALE-3468 PR #1150
- Add the correct host header when using an http proxy THREESCALE-4178 PR #1143
- Normalize policy names capitalization THREESCALE-4150 PR #1154
- Fix issues with non-alphanumeric variables in liquid THREESCALE-3968 PR #1158
- Fix issues with double mapping rules THREESCALE-3950 PR #1159
3.7.0 - 2019-11-27
3.7.0-rc2 was considered final and became 3.7.0.
3.7.0-cr2 - 2019-11-07
- Fix exception if api_backend is null THREESCALE-3869 PR #1136
3.7.0-cr1 - 2019-11-04
- Fix issues when TLS is enabled in Lazy mode #1135, THREESCALE-3713
- Return 404 back if the upstream is not defined THREESCALE-3775 PR #1129
3.7.0-beta2 - 2019-10-16
- Added usage metrics to the Logging policy PR #1126, THREESCALE-1234
- Added owner_id to mapping rule and Routing policy THREESCALE-3623 PR #1125
- Fix issues with escaped characters in URI THREESCALE-3468 PR #1123
3.7.0-beta1 - 2019-09-13
- Introduce possibility of specifying policy order restrictions in their schemas. APIcast now shows a warning when those restrictions are not respected #1088, THREESCALE-2896
- Added new parameters to logging policy to allow custom access log PR #1089, THREESCALE-1234 THREESCALE-2876, PR #1116
- Added http_proxy policy to use an HTTP proxy in api_backend calls. THREESCALE-2696, PR #1080
- Option to load service configurations one by one lazily PR #1099, THREESCALE-3168
- New maintenance mode policy, useful for maintenance periods. PR #1105, THREESCALE-3189
- Remove dnsmasq process for APIcast PR #1090, THREESCALE-1555
- Enable liquid operations and original request variable on routing policy PR #1103 THREESCALE-3239
- Allow to use capture function in liquid templates. PR #1107, THREESCALE-1911
- OAuth 2.0 MTLS policy PR #1101 Issue #1003
- Add an option to enable keepalive_timeout on gateway THREESCALE-2886 PR #1106
- Added a new replace path option in routing policy THREESCALE-3512 PR #1119 PR #1121 PR #1122
- Fix issues when OPENTRACING_FORWARD_HEADER was set PR #1109, THREESCALE-1660
- New TLS termination policy PR #1108, THREESCALE-2898
- Fix exception on rate limit policy when window was set as 0. PR #1113, THREESCALE-3382
- Fix issues with escaped characters in uri THREESCALE-3468 PR #1123
3.6.0 - 2019-08-30
3.6.0-rc2 was considered final and became 3.6.0.
3.6.0-rc2 - 2019-07-25
- Fix typos on JWT claim policy jsonschema PR #1095, THREESCALE-3046
3.6.0-rc1 - 2019-07-04
- Extended variables in Liquid template operations PR #1081, THREESCALE-2927
3.6.0-beta1 - 2019-06-18
- You can filter services by endpoint name using Regexp PR #1022 THREESCALE-1524
- "Upstream Connection" policy. It allows to configure several options for the connections to the upstream PR #1025, THREESCALE-2166
- Enable APICAST_EXTENDED_METRICS environment variable to provide additional details PR #1024 THREESCALE-2150
- Add the option to obtain client_id from any JWT claim THREESCALE-2264 PR #1034
- Added APICAST_PATH_ROUTING_ONLY variable that allows to perform path-based routing without falling back to the default host-based routing PR #1035, THREESCALE-1150
- Added the option to manage access based on method on Keycloak Policy. THREESCALE-2236 PR #1039
- The Rate Limit policy now supports conditions defined with the "matches" operation. PR #1051, THREESCALE-2590
- Upgrade OpenResty to 1.15.8.1 release. PR #1049, THREESCALE-2200
- Now it is possible to report status codes when using reporting threads PR #1058, THREESCALE-2340
- New Retry policy. Allows to configure retries for calls to the upstream APIs PR #1057, THREESCALE-1517
- JWT claim policy. Allows to allow/deny traffic based on JWT claim constraint PR #1070, THREESCALE-2265
- Fixed incorrect description of the client attribute in the Keycloak role check policy PR #1005, THREESCALE_1867
- export() now works correctly in policies of the local chain. It was only working in the rewrite phase PR #1023, THREESCALE-2705
- The caching policy now works correctly when combined with the 3scale batcher one PR #1023, THREESCALE-2705
- Fixed the name of the 3scale batching policy in the logs. Some logs showed "Caching policy" where it should have said "3scale Batcher" PR #1029
- Changed the schema of the IP check policy so it renders correctly in the UI PR #1026, THREESCALE-1692
- Allow uppercase backend API in the service. PR #1044, THREESCALE-2540
- Fixed lock issues on configuration loader when Lazy mode is enabled. PR #1050, THREESCALE-2194
- Fixed multiple x-forwarded-for headers issue on IP Check policy. PR #1065, Issue #1061 THREESCALE-2775
- APIcast now returns "Auth failed" instead of "Limits Exceeded" for disabled metrics PR #1066, THREESCALE-2755
- Checking aud JWT claim for app_id when using OIDC integration PR #1007, THREESCALE-2263
3.5.1 - 2019-05-07
Apart from the changes mentioned in this section, this version also includes the changes introduced in 3.5.0-rc1 that were not included in 3.5.0.
- Ability to configure client certificate chain depth PR #1006, THREESCALE-2383
- Segfault when normalizing some client certificates PR #1006
- Fixed incorrect connection reuse for requests on different domains PR #1021, THREESCALE-2205
3.5.0 - 2019-05-07
3.5.0-beta1 was considered final and became 3.5.0. Notice that this version does not include the changes introduced in 3.5.0-rc1.
3.5.0-rc1 - 2019-03-29
- Do not send OpenResty version in the Server response header PR #997, THREESCALE-1989
- When using OIDC, the "no-body" option is now set when contacting the 3scale backend. This option helps reduce the workload in the 3scale backend and the network traffic #998, THREESCALE-2006
3.5.0-beta1 - 2019-03-12
- Improve startup time by improving templating performance and caching filesystem access PR #964
- Liquid default filter now does not override false values PR #964
- Fix 3scale Batcher policy failing to cache and report requests containing app ID only PR #956, THREESCALE-1515
- Auths against the 3scale backend are now retried when using the 3scale batching policy PR #961
- Fix timeouts when proxying POST requests to an HTTPS upstream using HTTPS_PROXY PR #978, THREESCALE-1781
- The APIcast policy now ensures that its post-action phase only runs when its access phase ran. Not ensuring this was causing a bug that was triggered when combining the APIcast policy with some policies that can deny the request, such as the IP check one. In certain cases, APIcast reported to the 3scale backend in its post-action phase even when other policies denied the request with a 4xx error. PR #985
- "Matches" operation that can be used when defining conditionals PR #975
- New routing policy that selects an upstream based on the request path, a header, a query argument, or a jwt claim PR #976, PR #983, PR #984, THREESCALE-1709
- Added "last" attribute in the mapping rules. When set to true indicates that, if the rule matches, APIcast should not try to match the rules placed after this one PR #982, THREESCALE-1344
- Added TLS Validation policy to verify TLS Client Certificate against a whitelist. PR #966, THREESCALE-1671
- New CLI command "push_policy" that pushes a policy schema to the 3scale admin portal PR #986, PR #992, THREESCALE-871
- Added support for experimental standalone YAML configuration PR #926
- Environment files now can use global context variable to share data PR #964
- Added service id and service name headers in debug context PR #987
- The modules used to build conditions have been extracted from the conditional policy so they can be used from other policies PR #974.
3.4.0 - 2018-12-11
3.4.0-rc2 was considered final and became 3.4.0.
3.4.0-rc2 - 2018-11-16
- Fix bug in the Default credentials policy. It was using the default credentials in some cases where it should not PR #954, THREESCALE-1547
3.4.0-rc1 - 2018-11-13
- Fix "nil" being added to the end of URL Path in some cases when using http_proxy PR #946
3.4.0-beta1 - 2018-10-24
- Fix APICAST_PROXY_HTTPS_PASSWORD_FILE and APICAST_PROXY_HTTPS_SESSION_REUSE parameters for Mutual SSL PR #927
- The "allow" mode of the caching policy now accepts the request when its authorization is not cached PR #934, THREESCALE-1396
- When using SSL certs with path-based routing enabled, APIcast now falls back to host-based routing instead of crashing PR #938, THREESCALE-1430
- Fixed error that happened when loading certain configurations that use OIDC PR #940, THREESCALE-1289
- The port is now included in the Host header when the request is proxied PR #942
- Prometheus metrics for: the 3scale batching policy, the upstream API and request response times PR #902, PR #918, PR #930, THREESCALE-1383
- Support for path in the upstream URL PR #905
- OIDC Authentication policy (only usable directly by the configuration file) PR #904
- IP check policy. This policy allows to accept or deny requests based on the IP PR #907, PR #923, THREESCALE-1353
- Delete operation in the headers policy PR #928, THREESCALE-1354
- "Retry-After" header in the response when rate-limited by the 3scale backend PR #929, THREESCALE-1380
- The threescale_backend_calls Prometheus metric now includes the response (used to be in backend_response) and also the kind of call (auth, authrep, report) PR #919, THREESCALE-1383
- Performance improvement: replaced some varargs in hot paths PR #937
3.3.0 - 2018-10-05
3.3.0-cr2 was considered final and became 3.3.0.
- The configuration schema of the rate-limit policy has changed from 3.2.0 so if you were using it, please adapt your configuration file accordingly.
- The Native OAuth 2.0 flow is deprecated. Please consider using the OIDC integration instead.
- The new conditional policy is considered experimental. The way conditions are expressed might change in future releases.
3.3.0-cr2 - 2018-09-25
- Handles properly policies that raise an error when initialized PR #911, THREESCALE-1332
3.3.0-cr1 - 2018-09-14
- Set default errlog level when APICAST_LOG_LEVEL is empty PR #868
- Correct JWT validation according to RFC 7523 Section 3. Like not required nbf claim. THREESCALE-583
- Mismatch in OIDC issuer when loading configuration through a configuration file PR #872
- When the 3scale referrer filters was enabled, cached requests were not handled correctly PR #875
- Invalid SNI when connecting to 3scale backend over HTTPS THREESCALE-1269
- Fix handling --pid and --signal on the CLI PR #880
- Some policies did not have access to the vars exposed when using Liquid (uri, path, etc.) PR #891
- Fix error when loading certain configurations that use OIDC PR #893
- Fix error that appeared when combining the liquid context debug policy with policies that contain liquid templates PR #895
- Thread safety issues when rendering Liquid templates PR #896
- Expose http_method in Liquid PR #888
- Print error message when OIDC configuration is missing for a request PR #894
- Print whole stderr in 4k chunks when executing external commands PR #894
3.3.0-beta2 - 2018-09-03
- Capture permission errors when searching for files on filesystem PR #865
3.3.0-beta1 - 2018-08-31
- OpenTracing support PR #669, THREESCALE-1159
- Generate new policy scaffold from the CLI PR #682
- 3scale batcher policy PR #685, PR #710, PR #757, PR #786, PR #823, THREESCALE-1155
- Liquid templating support in the headers policy configuration PR #716, PR #845, PR #847, THREESCALE-1140
- Ability to modify query parameters in the URL rewriting policy PR #724, PR #818, THREESCALE-1139
- 3scale referrer policy PR #728, PR #777, THREESCALE-329
- Liquid templating support in the rate-limit policy PR #719, PR #845, PR #847, THREESCALE-411
- Default credentials policy PR #741, THREESCALE-586
- Configurable caching for the token introspection policy PR #656
- APICAST_ACCESS_LOG_FILE env to make the access log location configurable PR #743, THREESCALE-1148
- ENV variables to make APIcast listen on HTTPS port PR #622
- New ssl_certificate phase allows policies to provide certificate to terminate HTTPS connection PR #622
- Configurable auth_type for the token introspection policy PR #755
- TimerTask module to execute recurrent tasks that can be cancelled PR #782, PR #784, PR #791
- GC module that implements a workaround to be able to define __gc on tables PR #790
- Policies can define __gc metamethod that gets called when they are garbage collected to do cleanup PR #688
- Keycloak Role Check policy PR #773, THREESCALE-1158
- Conditional policy. This policy includes a condition and a policy chain, and only executes the chain when the condition is true PR #812, PR #814, PR #820
- Request headers are now exposed in the context available when evaluating Liquid PR #819
- Rewrite URL captures policy. This policy captures arguments in a URL and rewrites the URL using them PR #827, THREESCALE-1139
- Support for HTTP Proxy THREESCALE-221, #709
- Conditions for the limits of the rate-limit policy PR #839
- bin/apicast console to start Lua REPL with APIcast code loaded PR #853
- Liquid Context Debugging policy. It's a policy only meant for debugging purposes, returns the context available when evaluating liquid PR #849
- Logging policy. It allows to enable/disable access logs per service PR #856, THREESCALE-1148
- Support JWK through OIDC Discovery PR #850
- Initial Prometheus metrics policy (backend responses and nginx metrics) PR #860, THREESCALE-1230
- THREESCALE_PORTAL_ENDPOINT and THREESCALE_CONFIG_FILE are not required anymore PR #702
- The scope of the Rate Limit policy is service by default PR #704
- Decoded JWTs are now exposed in the policies context by the APIcast policy PR #718
- Upgraded OpenResty to 1.13.6.2, uses OpenSSL 1.1 PR #733
- Use forked resty.limit.count that uses increments instead of decrements PR #758, PR #843
- Rate Limit policy to take into account changes in the config PR #703
- The regular expression for mapping rules has been changed, so that special characters are accepted in the wildcard values for path PR #714
- Call init and init_worker on all available policies regardless of whether they are used or not PR #770
- Cache loaded policies. Loading one policy several times will use the same instance PR #770
- Load all policies into cache when starting APIcast master process. PR #770
- init and init_worker phases are executed on the policy module, not the instance of a policy with a configuration PR #770
- timer_resolution set only in development environment PR #815
- The rate-limit policy, when redis_url is empty, now applies per-gateway limits instead of trying to use a localhost Redis PR #842
- Changed the display name of some policies. This only affects how the name shows in the UI THREESCALE-1232
- Do not crash when initializing unreachable/invalid DNS resolver PR #730
- Reporting only 50% calls to 3scale backend when using OIDC PR #774, THREESCALE-1080
- Building container image on OpenShift 3.9 PR #810, THREESCALE-1138
- Rate Limit policy to define multiple limiters of the same type PR #825
- Fix exclusiveMinimum field for conn property in the rate-limit JSON schema PR #832
- Skip invalid policies in the policy chain PR #854
3.2.1 - 2018-06-26
- APICAST_BACKEND_CACHE_HANDLER environment variable is now deprecated. Use caching policy instead.
- APICAST_CUSTOM_CONFIG, APICAST_MODULE environment variables are now deprecated. Use policies instead. PR #746, THREESCALE-1034
- Path routing feature enabled by the APICAST_PATH_ROUTING environment variable is not considered experimental anymore.
- Reporting only 50% calls to 3scale backend when using OIDC PR #779
3.2.0 - 2018-06-04
3.2.0-rc2 was considered final and became 3.2.0.
3.2.0-rc2 - 2018-05-11
- Default value for the caching_type attribute of the caching policy config schema #691, THREESCALE-845
- Fixed set of valid values for the exit param of the Echo policy PR #684
- The schema of the rate-limit policy has been adapted so it can be rendered by react-jsonschema-form, a library used in the 3scale UI. This is a breaking change. PR #696, THREESCALE-888
- The upstream policy now performs the rule matching in the rewrite phase. This allows combining it with the URL rewriting policy – upstream policy regex will be matched against the original path if upstream policy is placed before URL rewriting in the policy chain, and against the rewritten path otherwise PR #690, THREESCALE-852
3.2.0-rc1 - 2018-04-24
- Rate Limit policy PR #648
- Documented restrictions in the position in the chain for some policies PR #675, THREESCALE-799
- export() now works correctly in policies of the local chain PR #673
- caching policy now works correctly when placed after the apicast policy in the chain PR #674
- OpenTracing support PR #669
- descriptions in oneOfs in policy manifests have been replaced with titles PR #663
- resty.balancer doesn't fall back to the port 80 by default. If the port is missing, apicast.balancer sets the default port for the scheme of the proxy_pass URL PR #662
3.2.0-beta3 - 2018-03-20
- ljsonschema is only used in testing but was required in production also PR #660
3.2.0-beta2 - 2018-03-19
- New property summary in the policy manifests PR #633
- OAuth2.0 Token Introspection policy PR #619
- New metrics phase that runs when prometheus is collecting metrics PR #629
- Validation of policy configs both in integration and unit tests PR #646
- Option to avoid refreshing the config when using the lazy loader with APICAST_CONFIGURATION_CACHE < 0 PR #657
- Error loading policy chain configuration JSON with null value PR #626
- Split resolv.conf into lines, to avoid commented lines PR #618
- Avoid nameserver repetition from RESOLVER variable and resolv.conf file PR #636
- Bug in URL rewriting policy that ignored the commands attribute in the policy manifest PR #641
- Skip comments after search values in resolv.conf PR #635
- Bug that prevented using CONFIGURATION_CACHE_LOADER=boot without specifying APICAST_CONFIGURATION_CACHE in staging PR #651, THREESCALE-756.
- typ is verified when it's present in keycloak tokens PR #658
- summary is now required in policy manifests PR #655
3.2.0-beta1 - 2018-02-20
- Definition of JSON schemas for policy configurations PR #522, PR #601
- URL rewriting policy PR #529, THREESCALE-618
- Liquid template can find files in current folder too PR #533
- `bin/apicast` respects `APICAST_OPENRESTY_BINARY` and `TEST_NGINX_BINARY` environment PR #540
- Caching policy PR #546, PR #558, THREESCALE-587, THREESCALE-550
- New phase: `content` for generating content or getting the upstream response PR #535
- Upstream policy PR #562, THREESCALE-296
- Policy JSON manifest PR #565
- SOAP policy PR #567, THREESCALE-553
- Ability to set custom directories to load policies from PR #581
- CLI is running with proper log level set by `APICAST_LOG_LEVEL` PR #585
- 3scale configuration (staging/production) can be passed as `-3` or `--channel` on the CLI PR #590
- APIcast CLI loads environments defined by `APICAST_ENVIRONMENT` variable PR #590
- Endpoint in management API to retrieve all the JSON manifests of the policies PR #592
- Development environment (`--dev`) starts with Echo policy unless some configuration is passed PR #593
- Added support for passing whole configuration as Data URL PR #593
- More complete global environment when loading environment policies PR #596
- Support for Client Certificate authentication with upstream servers PR #610, THREESCALE-328
- Detecting local rover installation from the CLI PR #519
- Use more `command` instead of `which` to work in plain shell PR #521
- Fixed rockspec so APIcast can be installed by luarocks PR #523, PR #538
- Fix loading renamed APIcast code PR #525
- Fix `apicast` command when installed from luarocks PR #527
- Fix lua docs formatting in the CORS policy PR #530
- `post_action` phase not being called in the policy_chain PR #539
- Failing to execute `libexec/boot` on some systems PR #544
- Detect number of CPU cores in containers by using `nproc` PR #554
- Running with development config in Docker PR #555
- Fix setting twice the headers in a pre-flight request in the CORS policy PR #570
- Fix case where debug headers are returned without enabling the option PR #577
- Fix errors loading openresty libraries when rover is active PR #598
- Passthrough "invalid" headers PR #612, THREESCALE-630
- Fix using relative path for access and error log THREESCALE-1090
- Consolidate apicast-0.1-0.rockspec into apicast-scm-1.rockspec PR #526
- Deprecated `Configuration.extract_usage` in favor of `Service.get_usage` PR #531
- Extract Test::APIcast to own package on CPAN PR #528
- Load policies by the APIcast loader instead of changing load path PR #532, PR #536
- Add `src` directory to the Lua load path when using CLI PR #533
- Move rejection reason parsing from CacheHandler to Proxy PR #541
- Propagate full package.path and cpath from the CLI to Nginx PR #538
- `post_action` phase now shares `ngx.ctx` with the main request PR #539
- Decrease nginx timer resolution to improve performance and enable PCRE JIT PR #543
- Moved `proxy_pass` into new internal location `@upstream` PR #535
- Split 3scale authorization to rewrite and access phase PR #556
- Extract `mapping_rule` module from the `configuration` module PR #571
- Renamed `apicast/policy/policy.lua` to `apicast/policy.lua` PR #569
- Sandbox loading policies PR #566
- Extracted `usage` and `mapping_rules_matcher` modules so they can be used from policies PR #580
- Renamed all `apicast/policy/*/policy.lua` to `apicast/policy/*/init.lua` to match Lua naming PR #579
- Environment configuration can now define the configuration loader or cache PR #590.
- APIcast starts with "boot" configuration loader by default (because production is the default environment) PR #590.
- Deprecated `APICAST_SERVICES` in favor of `APICAST_SERVICES_LIST` but provides backwards compatibility PR #549
- Deprecated `APICAST_PATH_ROUTING_ENABLED` in favor of `APICAST_PATH_ROUTING` but provides backwards compatibility PR #549
3.2.0-alpha2 - 2017-11-30
- New policy chains system. This allows users to write custom policies to configure what Apicast can do on each of the Nginx phases PR #450, THREESCALE-553
- Resolver can resolve nginx upstreams PR #478
- Add `resolver` directive in the nginx configuration PR #508
- Calls 3scale backend with the 'no_body' option enabled. This reduces network traffic in cases where APIcast does not need to parse the response body PR #483
- Methods to modify policy chains PR #505
- Ability to load several environment configurations PR #504
- Ability to configure policy chain from the environment configuration PR #496
- Load environment variables defined in the configuration PR #507
- Allow configuration of the echo/management/fake backend ports PR #506
- Headers policy PR #497, THREESCALE-552
- CORS policy PR #487, THREESCALE-279
- Detect number of CPU shares when running on Kubernetes PR #600
- Namespace all APIcast code in `apicast` folder. Possible BREAKING CHANGE for some customizations. PR #486
- CLI ignores environment variables that are empty strings PR #504
- Loading installed luarocks from outside rover PR #503
- Support IPv6 addresses in `/etc/resolv.conf` PR #511
- Fix possible 100% CPU usage when starting APIcast and manipulating filesystem PR #547
- Experimental option for true out of band reporting (`APICAST_REPORTING_WORKERS`) PR #290, THREESCALE-365
- `/status/info` endpoint to the Management API PR #290
- `/_threescale/healthz` endpoint returns a success status code, this is used for health checking in kubernetes environments PR #285
- Usage limit errors are now configurable to distinguish them from other authorization errors PR #453, THREESCALE-638.
- Templating nginx configuration with liquid. PR #449
- Upgraded to OpenResty 1.11.2.5-1 PR #428
- `/oauth/token` endpoint returns an error status code, when the access token couldn't be stored in 3scale backend PR #436
- URI params in POST requests are now taken into account when matching mapping rules PR #437
- Increased number of background timers and connections in the cosocket pool PR #290
- Make OAuth tokens TTL configurable PR #448
- Detect when being executed in Test::Nginx and use default backend accordingly PR #458
- Update the s2i-openresty image to have the same path (`/opt/app-root/src`) in all images PR #460
- Launcher scripts are now Perl + Lua instead of Shell PR #449
- Unify how to connect to 3scale backend PR #456
- Upgraded OpenResty to 1.13.6.1 PR #480, THREESCALE-362
- Request headers are not passed to the backend, preventing sending invalid Content-Type to the access token store endpoint PR #433, THREESCALE-372
- Live and ready endpoints now set correct Content-Type header in the response PR #441, THREESCALE-377
3.1.0 - 2017-10-27
- 3.1.0-rc2 was considered final and became 3.1.0.
3.1.0-rc2 - 2017-09-29
- Request headers are not passed to the backend, preventing sending invalid Content-Type to the access token store endpoint PR #433
3.1.0-rc1 - 2017-09-14
- Support for extending APIcast location block with snippets of nginx configuration PR #407
- Crash on empty OIDC Issuer endpoint PR #408
- Handle partial credentials PR #409
- Crash when configuration endpoint was missing PR #417
- Fix double queries to not fully qualified domains PR #419
- Fix caching DNS queries with scope (like on OpenShift) PR #420
- `THREESCALE_DEPLOYMENT_ENV` defaults to `production` PR #406
- OIDC is now used based on settings on the API Manager PR #405
- No limit on body size from the client sent to the server PR #410
- Print module loading errors only when it failed to load PR #415
- `bin/busted` rewritten to support different working directories PR #418
- dnsmasq started in docker will not forward queries without domain PR #421
3.1.0-beta2 - 2017-08-21
- Ability to configure how to cache backend authorizations PR #396
- Not loading services when APICAST_SERVICES is empty PR #401, THREESCALE-281
3.1.0-beta1 - 2017-07-21
- Fixed CVE-2017-7512 PR #393
- APIcast module `balancer` method now accepts optional balancer PR #362
- Extracted lua-resty-url PR #384
- Extracted lua-resty-env PR #386
- Do not load all services when APICAST_SERVICES is set PR #388
- APIcast published to luarocks.org PR #366
- Support for passing remote configuration URL through the CLI PR #389
- CLI flag -b to load configuration on boot PR #389
- OIDC support PR #382
- Keycloak / RH SSO integration replaced with OIDC PR #382
3.1.0-alpha1 - 2017-05-05
- Experimental caching proxy to the http client PR #357
- Print better errors when module loading fails PR #360
3.0.0 - 2017-04-04
- Support for loading configuration from custom URL PR #323
- Turn on SSL/TLS validation by `OPENSSL_VERIFY` environment variable PR #332
- Load trusted CA chain certificates PR #332
- Support HTTP Basic authentication for client credentials when authorizing with RH-SSO PR #336
- Show more information about the error when the module load fails PR #348
- Use `RESOLVER` before falling back to `resolv.conf` PR #324
- Improve error logging when failing to download configuration PR #335
- Service hostnames are normalized to lower case PR #336
- Don't attempt to perform post_action when request was handled without authentication PR #343
- Store authorization responses with a ttl, if sent PR #341
- Do not return stale service configuration when new one is available PR #333
- Memory leak in every request PR #339
- Remove unnecessary code and comments PR #344
- JWT expiry not taken into account in authorization response cache PR #283 / Issue #309 / Fixed by PR #341
- Memory leak in round robin balancer PR #345
- Error when trying to determine status of failed request when downloading configuration PR #350
3.0.0-beta3 - 2017-03-20
- Use per request configuration when cache is disabled PR #289
- Automatically expose all environment variables starting with `APICAST_` or `THREESCALE_` to nginx PR #292
- Error log to show why downloading configuration failed PR #306
- Backend HTTP client that uses cosockets PR #295
- Ability to customize main section of nginx configuration (and expose more env variables) PR #292
- Ability to lock service to specific configuration version PR #293
- Ability to use Redis DB and password via `REDIS_URL` PR #303
- Ability to Authenticate against API using RHSSO and OpenID Connect PR #283
- `http_ng` client supports auth passed in the url, and default client options if the request options are missing for methods with body (POST, PUT, etc.) PR #310
- Fixed lazy configuration loader to recover from failures PR #313
- Fixed undefined variable `p` in post_action PR #316
- Fixed caching of negative ttl by dnsmasq PR #318
- JWT expiry not taken into account in authorization response cache PR #283 / Issue #309
3.0.0-beta2 - 2017-03-08
- Reloading of configuration with every request when cache is disabled PR #287
- Auth caching is not used when OAuth method is used PR #304
3.0.0-beta1 - 2017-03-03
- Lazy load DNS resolver to improve performance PR #251
- Execute queries to all defined nameservers in parallel PR #260
- `RESOLVER` ENV variable overrides all other nameservers detected from `/etc/resolv.conf` PR #260
- Use stale DNS cache when there is a query in progress for that record PR #260
- Bump s2i-openresty to 1.11.2.2-2 PR #260
- Echo API on port 8081 accepts any Host PR #268
- Always use DNS search scopes PR #271
- Reduce use of global objects PR #273
- Configuration is using LRU cache PR #274
- Management API not opened by default PR #276
- Management API returns ready status with no services PR #
- Danger bot to check for consistency in Pull Requests PR #265
- Start local caching DNS server in the container PR #260
- Management API to show the DNS cache PR #260
- Extract correct Host header from the backend endpoint when backend host not provided PR #267
- `APICAST_CONFIGURATION_CACHE` environment variable PR #270
- `APICAST_CONFIGURATION_LOADER` environment variable PR #270
- Support for downloading configuration via curl PR #266
- `AUTO_UPDATE_INTERVAL` environment variable PR #270
- `APICAST_RELOAD_CONFIG` environment variable PR #270
- `APICAST_MISSING_CONFIGURATION` environment variable PR #270
3.0.0-alpha2 - 2017-02-06
- A way to override backend endpoint PR #248
- Cache all calls to `os.getenv` via custom module PR #231
- Bump s2i-openresty to 1.11.2.2-1 PR #239
- Use resty-resolver over nginx resolver for HTTP PR #237
- Use resty-resolver over nginx resolver for Redis PR #237
- Internal change to reduce global state PR #233
- [OAuth] Return correct state value back to client
- Nginx resolver directive auto detection. Rely on internal DNS resolver PR #237
3.0.0-alpha1 - 2017-01-16
- A CHANGELOG.md to track important changes
- User-Agent header with APIcast version and system information PR #214
- Try to load configuration from V2 API PR #193
- Require openresty 1.11.2 PR #194
- moved development from `v2` branch to `master` PR #209
- `X-3scale-Debug` HTTP header now uses Service Token PR #217
2.0.0 - 2016-11-29
- Major rewrite using JSON configuration instead of code generation.