Releases: Kong/kong

0.9.4

03 Nov 03:58

Fixed

  • Fixed the random string generator that was causing some problems, especially
    in Serf for clustering. #1754
  • Seed random number generator in CLI.
    #1641
  • Reducing log noise in the Admin API.
    #1781
  • Fixed the reports lock implementation that was generating a periodic error
    message. #1783

0.9.3

08 Oct 03:16

Added

  • Added support for Serf 0.8. #1693

Fixed

  • Properly invalidate global plugins.
    #1723

0.9.2

21 Sep 05:45

Fixed

  • Correctly report migrations errors. This was caused by an error being thrown
    from the error handler, and superseding the actual error. #1605
  • Prevent Kong from silently failing to start. This would be caused by an
    erroneous error handler. 28f5d10
  • Only report a random number generator seeding error when it is not already
    seeded. #1613
  • Reduce intra-cluster noise by not propagating keepalive requests events.
    #1660
  • Admin API:
    • Obfuscates sensitive configuration settings from the / route.
      #1650
  • CLI:
    • Prevent a failed kong start from stopping an already running Kong node.
      #1645
    • Remove unset configuration placeholders from the nginx configuration
      template. This would occur when no Internet connection would be
      available and would cause Kong to compile an erroneous nginx config.
      #1606
    • Properly count the number of executed migrations.
      #1649
  • Plugins:
    • OAuth2: remove the "Kong" mentions in missing provision_key error
      messages. #1633
    • OAuth2: allow applications to be deleted correctly when using Cassandra.
      #1659
    • galileo: provide a default bodySize value when log_bodies=true but the
      current request/response has no body.
      #1657

0.9.1

06 Sep 02:15

Added

  • Plugins:
    • ACL: allow retrieving/updating/deleting an ACL by group name.
      #1544
    • Basic Authentication: allow retrieving/updating/deleting a credential by username.
      #1570
    • HMAC Authentication: allow retrieving/updating/deleting a credential by username.
      #1570
    • JWT Authentication: allow retrieving/updating/deleting a credential by key.
      #1570
    • Key Authentication: allow retrieving/updating/deleting a credential by key.
      #1570
    • OAuth2 Authentication: allow retrieving/updating/deleting a credential by client_id and tokens by access_token.
      #1570

Fixed

  • Correctly parse configuration file settings containing comments.
    #1569
  • Prevent third-party Lua modules (and plugins) from overriding the seed for
    random number generation. This prevents the creation of conflicting UUIDs.
    #1558
  • Use pgmoon-mashape 2.0.0 which
    properly namespaces our fork, avoiding conflicts with other versions of
    pgmoon, such as the one installed by Lapis.
    #1582
  • Avoid exposing OpenResty's information on HTTP 4xx errors.
    #1567
  • ulimit with unlimited value is now properly handled.
    #1545
  • CLI:
    • Stop third-party services (dnsmasq/Serf) when Kong could not start.
      #1588
    • Prefix database migration errors (such as Postgres' connection refused)
      with the database name (postgres/cassandra) to avoid confusion.
      #1583
  • Plugins:
    • galileo: Use Content-Length header to get request/response body size when
      log_bodies is disabled.
      #1584
  • Admin API:
    • Revert the /plugins/enabled endpoint's response to be a JSON array, and
      not an Object. #1529
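
Added example, not Kong's code, for the seed-override entry above (#1558): when a module re-seeds Lua's shared math.random state with a constant, identifiers derived from it repeat, and a guard that honours only the first seed stops that. The names uuid_v4 and guard_randomseed are hypothetical, and the UUID generator is deliberately naive.

```lua
-- Added illustration, not Kong's code. uuid_v4 and guard_randomseed are
-- hypothetical names; the generator is deliberately naive.
local function uuid_v4()
  local id = ("xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx"):gsub("[xy]", function(c)
    local v = (c == "x") and math.random(0, 15) or math.random(8, 11)
    return string.format("%x", v)
  end)
  return id
end

-- 1. Unguarded: a module that re-seeds with a constant resets the shared state.
math.randomseed(12345)            -- stands in for the host's start-up seed
math.randomseed(1)                -- third-party module seeds at load time
local second = uuid_v4()
math.randomseed(1)                -- same module loaded again (reload, other worker)
local third = uuid_v4()
assert(second == third, "constant re-seed must reproduce the same UUID")
print("unguarded:", second, third)

-- 2. Guarded: only the first call seeds; later calls are refused.
local function guard_randomseed()
  local real_seed, seeded = math.randomseed, false
  math.randomseed = function(seed)
    if seeded then
      return false, "math.randomseed() already called, ignoring"
    end
    seeded = true
    real_seed(seed)
    return true
  end
end

guard_randomseed()
-- os.time() keeps the example self-contained; a production seed should come
-- from an OS entropy source, since start times are guessable.
assert(math.randomseed(os.time()))
local ok, err = math.randomseed(1)    -- the module's re-seed is now refused
local a = uuid_v4()
math.randomseed(1)
local b = uuid_v4()
assert(not ok and a ~= b, "guard must keep the sequence advancing")
print("guarded:  ", a, b, err)
```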

0.9.0

20 Aug 02:34

The main focus of this release is Kong's new CLI. With a simpler configuration file, new settings, environment variables support, new commands as well as a new interpreter, the new CLI gives more power and flexibility to Kong users and allows for easier integration in your deployment workflow, as well as better testing for developers and plugin authors. Additionally, some new plugins and performance improvements are included as well as the regular bug fixes.

Changed

  • ⚠️ PostgreSQL is the new default datastore for Kong. If you were using Cassandra and you are upgrading, you need to explicitly set cassandra as your database.
  • ⚠️ New CLI, with new commands and refined arguments. This new CLI uses the resty-cli interpreter (see lua-resty-cli) instead of LuaJIT. As a result, the resty executable must be available in your $PATH (resty-cli is shipped in the OpenResty bundle) as well as the bin/kong executable. Kong does not rely on Luarocks installing the bin/kong executable anymore. This change of behavior is taken care of if you are using one of the official Kong packages.
  • ⚠️ Kong uses a new configuration file, with an easier syntax than the previous YAML file.
  • New arguments for the CLI, such as verbose, debug and tracing flags. We also avoid requiring the configuration file as an argument to each command as per the previous CLI.
  • Customization of the Nginx configuration can now be taken care of using two different approaches: with a custom Nginx configuration template and using kong start --template <file>, or by using kong compile to generate the Kong Nginx sub-configuration, and include it in a custom Nginx instance.
  • Plugins:
    • Rate Limiting: the continue_on_error property is now called fault_tolerant.
    • Response Rate Limiting: the continue_on_error property is now called fault_tolerant.

Added

  • 🎆 Support for overriding configuration settings with environment variables.
  • 🎆 Support for SSL connections between Kong and PostgreSQL. #1425
  • 🎆 Ability to apply plugins with more granularity: per-consumer, and global plugins are now possible. #1403
  • New kong check command: validates a Kong configuration file.
  • Better version check for third-party dependencies (OpenResty, Serf, dnsmasq). #1307
  • Ability to configure the validation depth of database SSL certificates from the configuration file. #1420
  • request_host: internationalized url support; utf-8 domain names through punycode support and paths through %-encoding. #1300
  • Implements caching locks when fetching database configuration (APIs, Plugins...) to avoid dog pile effect on cold nodes. #1402
  • Plugins:
    • 🎆 New bot-detection plugin: protect your APIs by detecting and rejecting common bots and crawlers. #1413
    • correlation-id: new "tracker" generator, identifying requests per worker and connection. #1288
    • request/response-transformer: ability to add strings including colon characters. #1353
    • rate-limiting: support for new rate-limiting policies (cluster, local and redis), and for a new limit_by property to force rate-limiting by consumer, credential or ip.
    • response-rate-limiting: support for new rate-limiting policies (cluster, local and redis), and for a new limit_by property to force rate-limiting by consumer, credential or ip.
    • galileo: performance improvements of ALF serialization. ALFs are not discarded when exceeding 20MBs anymore. #1463
    • statsd: new upstream_stream latency metric. #1466
    • datadog: new upstream_stream latency metric and tagging support for each metric. #1473

Removed

  • We now use lua-resty-jit-uuid for UUID generation, which is a pure Lua implementation of RFC 4122. As a result, libuuid is not a dependency of Kong anymore.

Fixed

  • Sensitive configuration settings are not printed to stdout anymore. #1256
  • Fixed bug that caused nodes to remove themselves from the database when they attempted to join the cluster. #1437
  • Plugins:
    • request-size-limiting: use proper constant for MB units while setting the size limit. #1416
    • OAuth2: security and config validation fixes. #1409 #1112
    • request/response-transformer: better validation of fields provided without a value. #1399
    • JWT: handle some edge-cases that could result in HTTP 500 errors. #1362

internal

  • new test suite using resty-cli and removing the need to monkey-patch the ngx global.
  • custom assertions and new helper methods (wait_until()) to gracefully fail in case of timeout.
  • increase atomicity of the testing environment.
  • lighter testing instance, only running 1 worker and not using dnsmasq by default.

0.8.3

02 Jun 03:34

This release includes some bugfixes:

Changed

  • Switched the log level of the "No nodes found in cluster" warning, which was printed when starting up the first Kong node in a new cluster, to INFO.
  • Kong now requires OpenResty 1.9.7.5.

Fixed

  • New nodes are now properly registered into the nodes table when running on the same machine. #1281
  • Fixed a failed error parsing on Postgres. #1269
  • Plugins:
    • Response Transformer: Slashes are now encoded properly, and fixed a bug that hung the execution of the plugin. #1257 and #1263
    • JWT: If a value for algorithm is missing, it's now HS256 by default. This problem occurred when migrating from older versions of Kong.
    • OAuth 2.0: Fixed a Postgres problem that was preventing an application from being created, and fixed a check on the redirect_uri field. #1264 and #1267

0.8.2

26 May 17:38

This release includes bugfixes and minor updates:

Added

  • Support for a simple slash in request_path. #1227
  • Plugins:
    • Response Rate Limiting: it now appends usage headers to the upstream requests in the form of X-Ratelimit-Remaining-{limit_name} and introduces a new config.block_on_first_violation property. #1235

Changed

  • Plugins:
    • Mashape Analytics: The plugin is now called "Galileo", and added support for Galileo v3. #1159

Fixed

  • Postgres now relies on the search_path configured on the database and its default value $user, public. #1196
  • Kong now properly encodes an empty querystring parameter like ?param= when proxying the request. #1210
  • The configuration now checks that cluster.ttl_on_failure is at least 60 seconds. #1199
  • Plugins:
    • Loggly: Fixed an issue that was triggering 400 and 500 errors. #1184
    • JWT: The TYP value in the header is not optional and case-insensitive. #1192
    • Request Transformer: Fixed a bug when transforming request headers. #1202
    • OAuth 2.0: Multiple redirect URIs are now supported. #1112
    • IP Restriction: Fixed an issue that prevented the plugin from working properly when added on an API. #1245
    • CORS: Fixed an issue when config.preflight_continue was enabled. #1240

0.8.1

27 Apr 19:22

This release includes some fixes and minor updates:

Added

  • Adds X-Forwarded-Host and X-Forwarded-Prefix to the upstream request headers. #1180
  • Plugins:
    • Datadog: Added two new metrics, unique_users and request_per_user, that log the consumer information. #1179

Fixed

  • Fixed a DAO bug that affected full entity updates. #1163
  • Fixed a bug when setting the authentication provider in Cassandra.
  • Updated the Cassandra driver to v0.5.2.
  • Properly enforcing required fields in PUT requests. #1177
  • Fixed a bug that prevented retrieving the hostname of the local machine on certain systems. #1178

0.8.0

16 Apr 00:11

This release includes support for PostgreSQL as Kong's additional datastore! You can now decide if you prefer using Cassandra or PostgreSQL in your setup.

Breaking changes

  • Remove support for the long deprecated /consumers/:consumer/keyauth/ and /consumers/:consumer/basicauth/ routes (deprecated in 0.5.0). The new routes (available since 0.5.0 too) use the real name of the plugin: /consumers/:consumer/key-auth and /consumers/:consumer/basic-auth.

Added

  • Support for PostgreSQL 9.4+ as Kong's primary datastore. #331 #1054
  • Configurable Cassandra reading/writing consistency. #1026
  • Admin API: including pending and running timers count in the response to /. #992
  • Plugins
    • LDAP: add support for LDAP authentication. #1133
    • StatsD: add support for StatsD logging. #1142
    • JWT: add support for RS256 signed tokens thanks to @kdstew! #1053
    • ACL: appends X-Consumer-Groups to the request, so the upstream service can check what groups the consumer belongs to. #1154
    • Galileo (mashape-analytics): increase batch sending timeout to 30s. #1091
  • Added ttl_on_failure option in the cluster configuration, to configure the TTL of failed nodes. #1125

Fixed

  • Introduce a new port option when connecting to your Cassandra cluster instead of using the CQL default (9042). #1139
  • Plugins
    • Request/Response Transformer: add missing migrations for upgrades from <= 0.5.x. #1064
    • OAuth2
      • Error responses comply to RFC 6749. #1017
      • Handle multipart requests. #1067
      • Make access_tokens correctly expire. #1089

internal

  • replace globals with singleton pattern thanks to @mars.
  • fixed resolution mismatches when using deep paths in the path resolver thanks to siddharthkchatterjee

0.7.0

25 Feb 03:27

Breaking changes

Due to the NGINX security fixes (CVE-2016-0742, CVE-2016-0746, CVE-2016-0747), OpenResty was bumped to 1.9.7.3 which is not backwards compatible, and thus requires changes to be made to the nginx property of Kong's configuration file. See the 0.7 upgrade path for instructions.

However, by upgrading the underlying OpenResty version, source installations no longer have to patch the NGINX core or use the old ssl-cert-by-lua branch of ngx_lua. This will make source installations much easier.

Added

  • Support for OpenResty 1.9.7.*. This includes NGINX security fixes (CVE-2016-0742, CVE-2016-0746, CVE-2016-0747). #906
  • Plugins
    • New Runscope plugin: Monitor your APIs from Kong with Runscope. Courtesy of @mansilladev. #924
    • Datadog: New response.size metric. #923
    • Rate-Limiting and Response Rate-Limiting
      • New config.async option to asynchronously increment counters to reduce latency at the cost of slightly reducing the accuracy. #912
      • New config.continue_on_error option to keep proxying requests in case the datastore is unreachable. Rate-limiting operations will be disabled until the datastore is responsive again. #953
  • CLI
    • Perform a simple permission check on the NGINX working directory when starting, to prevent errors during execution. #939
  • Send 50x errors with the appropriate format. #927 #970

Fixed

  • Plugins
    • OAuth2
      • Better handling of redirect_uri (prevent the use of fragments and correctly handle querystrings). Courtesy of @PGBI. #930
      • Add PUT support to the /auth2_tokens route. #897
      • Better error message when the access_token is missing. #1003
    • IP restriction: Fix an issue that could arise when restarting Kong. Now Kong does not need to be restarted for the ip-restriction configuration to take effect. #782 #960
    • SSL: Replace shelled out openssl calls with native ngx.ssl conversion utilities, which preserve the certificate chain. #968
    • ACL: Properly invalidating entities when assigning a new ACL group. #996
  • Avoid user warning on start when the user is not root. #964
  • Store Serf logs in NGINX working directory to prevent eventual permission issues. #975
  • Allow plugins configured on a Consumer without being configured on an API to run. #978 #980
  • Fixed an edge-case where Kong nodes would not be registered in the nodes table. #1008