.. _version_history_1.33.0:

1.33.0 (January 14, 2025)
==========================

Incompatible behavior changes
-----------------------------

*Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required*

* **ext_proc**: Previously, tracing spans generated by ``ext_proc`` were always sampled by default. Now, the default
  sampling decision of an ``ext_proc`` span is inherited from the parent span.
* **http**: Added streaming shadow functionality. This allows streaming the shadow request in parallel with the
  original request rather than waiting for the original request to complete. This allows shadowing requests larger
  than the buffer limit, but also means shadowing may take place for requests which are cancelled mid-stream. This
  behavior change can be temporarily reverted by flipping ``envoy.reloadable_features.streaming_shadow`` to ``false``.
* **http**: If the ``encoder_filter_chain_aborted_`` status bit of the HTTP filter manager is set to true, the encode
  filter chain cannot be continued, thus preventing unexpected logic from being triggered in scenarios such as when
  ``ActiveStreamDecoderFilter::recreateStream()`` is called. This behavior change can be temporarily reverted by
  flipping ``envoy.reloadable_features.filter_chain_aborted_can_not_continue`` to ``false``.
* **http**: RFC1918 addresses are no longer considered to be internal addresses by default. This addresses a security
  issue for Envoy in multi-tenant mesh environments. Please explicitly set :ref:`internal_address_config ` to retain
  the prior behavior. This change can be temporarily reverted by setting runtime guard
  ``envoy.reloadable_features.explicit_internal_address_config`` to ``false``.
* **tracing**: Removed support for the (long deprecated) OpenCensus tracing extension.
* **wasm**: Removed previously deprecated xDS attributes from ``get_property``; use ``xds`` attributes instead.
* **wasm**: The route cache will not be cleared by default if the Wasm extension modified the request headers and the
  ABI version of the Wasm extension is larger than 0.2.1.

Minor behavior changes
----------------------

*Changes that may cause incompatibilities for some users, but should not for most*

* **access_log**: The new implementation of the JSON formatter is enabled by default. The :ref:`sort_properties `
  field is ignored in the new implementation because it always sorts properties, and it always keeps the value type
  in the JSON output. For example, the ``duration`` field will always be rendered as a number instead of a string.
  This behavior change can be disabled temporarily by setting the runtime flag
  ``envoy.reloadable_features.logging_with_fast_json_formatter`` to ``false``.
* **cluster**: Clusters can no longer use unregistered extension types in :ref:`cluster_type`.
* **cluster**: Cluster factories are registered by configuration type for :ref:`cluster_type ` and will use the
  configuration type to look up the corresponding factory when available.
* **csrf**: Only the statistics counter ``missing_source_origin`` is increased for requests with a missing source
  origin. Previously, the ``request_invalid`` counter was also increased for such requests.
* **dns**: Patched c-ares to address CVE-2024-25629.
* **formatter**: The ``NaN`` and ``Infinity`` float values are serialized to ``null`` and ``inf`` respectively in the
  metadata (``DYNAMIC_METADATA``, ``CLUSTER_METADATA``, etc.) formatter.
* **http**: If :ref:`pack_trace_reason ` is set to false, Envoy will not parse the trace reason from the
  ``x-request-id`` header, so that reads and writes of the trace reason are consistent. If :ref:`pack_trace_reason `
  is set to true and an external ``x-request-id`` value is used, the trace reason in the external request id will not
  be trusted and will be cleared.
* **http**: Local replies now traverse the filter chain if 1xx headers have been sent to the client. This change can be
  reverted by setting the runtime guard ``envoy.reloadable_features.local_reply_traverses_filter_chain_after_1xx`` to
  ``false``.
* **oauth2**: :ref:`use_refresh_token ` is now enabled by default. This behavioral change can be temporarily reverted
  by setting runtime guard ``envoy.reloadable_features.oauth2_use_refresh_token`` to ``false``.
* **oauth2**: Implemented the Signed Double-Submit Cookie pattern, as recommended by OWASP, by using the HMAC secret to
  sign and verify the nonce.
* **oauth2**: The ``state`` parameter in the OAuth2 authorization request has been changed to a base64url-encoded JSON
  object. The JSON object contains the original request URL and a nonce for CSRF prevention.
* **quic**: Enabled UDP GRO in QUIC client connections by default. This behavior can be reverted by setting the runtime
  guard ``envoy.reloadable_features.prefer_quic_client_udp_gro`` to ``false``.
* **rate_limit**: Added ``WEEK`` as a unit of time for rate limiting.
* **rds**: When a new RDS provider config is pushed via xDS and the only difference is a change to
  :ref:`initial_fetch_timeout `, the already existing provider will be reused. Envoy will not ask the RDS server for the
  routes config because the existing provider already has an up-to-date routes config. This behavioral change can be
  temporarily reverted by setting runtime guard ``envoy.reloadable_features.normalize_rds_provider_config`` to
  ``false``.
* **router**: Changed the behavior of shadow request sampling so that if trace sampling is not explicitly configured in
  the shadow policy, the shadow request will inherit the parent's sampling decision. This means sampling will follow
  the trace sampling policy of the original request, which prevents oversampling when runtime sampling is disabled.
  This behavior can be temporarily reverted by setting the runtime guard
  ``envoy.reloadable_features.shadow_policy_inherit_trace_sampling`` to ``false``.
* **scoped_rds**: The :ref:`route_configuration ` field is supported when the ``ScopedRouteConfiguration`` resource is
  delivered via SRDS.
* **sds**: Relaxed the backing cluster validation for Secret Discovery Service (SDS). Previously, the cluster that
  supports SDS needed to be a primary cluster, i.e. a non-EDS cluster defined in the bootstrap configuration. This
  change relaxes that restriction, i.e. the SDS cluster can be a dynamic cluster. This change is enabled by default,
  and can be reverted by setting the runtime flag ``envoy.restart_features.skip_backing_cluster_check_for_sds`` to
  ``false``.
* **xds**: A minor delta-xDS optimization that avoids copying resources when ingesting them was introduced. No impact
  to the behavior is expected, but a runtime flag was added as this may impact config-ingestion related extensions
  (e.g., custom-config-validators, config-tracker), as the order of the elements passed to the callback functions may
  be different. This change can be temporarily reverted by setting
  ``envoy.reloadable_features.xds_prevent_resource_copy`` to ``false``.

Bug fixes
---------

*Changes expected to improve the state of the world and are unlikely to have negative effects*

* **access_log**: Relaxed the restriction on SNI logging to allow the ``_`` character, even if
  ``envoy.reloadable_features.sanitize_sni_in_access_log`` is enabled.
* **balsa**: Fixed incorrect handling of non-101 1xx responses. This fix can be temporarily reverted by setting runtime
  guard ``envoy.reloadable_features.wait_for_first_byte_before_balsa_msg_done`` to ``false``.
* **csrf**: Handle requests that have a "privacy sensitive" / opaque origin (``Origin: null``) as if the request had no
  origin information.
* **dns**: Fixed a bug where setting :ref:`dns_jitter ` to large values caused an Envoy Bug to fire.
* **dns_cache**: Fixed a bug where the DNS refresh rate was the DNS TTL instead of the configured
  ``dns_refresh_rate``/``dns_failure_refresh_rate`` when the DNS query failed to resolve after a successful resolution.
* **golang**: Fixed a crash during Golang GC caused by accessing deleted ``decoder_callbacks``. The bug was introduced
  in 1.31.0.
* **happy_eyeballs**: Validate that ``additional_address`` entries are IP addresses instead of crashing when sorting.
* **http/1**: Fixed crashes in overload response sending when an HTTP/1 request is reset.
* **http2**: Propagates codec reset events when sending HTTP/2 ``RST_STREAM`` frames. Can be temporarily reverted by
  setting runtime guard ``envoy.reloadable_features.http2_propagate_reset_events`` to ``false``.
* **load_balancing**: Fixed the default host weight calculation of :ref:`client_side_weighted_round_robin ` to
  properly handle an even number of valid host weights.
* **lrs**: Fixed the errors stat being incremented and warning log spamming on ``LoadStatsReporting`` graceful stream
  close.
* **oauth2**: Fixed an issue where the ID token and refresh token did not adhere to the :ref:`cookie_domain ` field.
* **orca**: The previous ORCA parser used ``:`` as the delimiter of key/value pairs in the native HTTP report. This is
  wrong according to the design document; the correct delimiter is ``=``. This change adds support for the ``=``
  delimiter to match the design document and keeps the ``:`` delimiter for backward compatibility.
* **original_ip_detection custom header extension**: Reverted the :ref:`custom header ` extension to its original
  behavior by disabling automatic XFF header appending that was inadvertently introduced in PR #31831.
* **scoped_rds**: Fixed a scope key leak and spurious scope key conflicts when an update to an SRDS resource changes
  the key.
* **stats ads grpc**: Fixed the metric for ADS disconnection counters when using the Google gRPC client.
  This extracts the gRPC client prefix specified in the :ref:`google_grpc ` resource used for ADS, and adds that as a
  tag ``envoy_google_grpc_client_prefix`` to the Prometheus stats.
* **tls**: Support operations on IP SANs when the IP version is not supported by the host operating system; for
  example, an IPv6 SAN can now be used on a host not supporting IPv6 addresses.
* **tracers**: Avoid a possible overflow when setting span attributes in the Dynatrace sampler.
* **udp/dynamic_forward_proxy**: Fixed a bug where the ``dynamic_forward_proxy`` UDP session filter disabled the buffer
  in the filter config instead of disabling the buffer for the filter instance.
* **udp_proxy**: Fixed a bug that caused Envoy to crash with a segmentation fault when the
  ``onBelowWriteBufferLowWatermark`` callback is called.
* **validation/tools**: Added back the missing extension for ``schema_validator_tool``.

Removed config or runtime
-------------------------

*Normally occurs at the end of the* :ref:`deprecation period `

* **aws**: Removed runtime flag ``envoy.reloadable_features.use_http_client_to_fetch_aws_credentials``.
* **dns**: Removed runtime flag ``envoy.reloadable_features.dns_reresolve_on_eai_again`` and legacy code paths.
* **grpc**: Removed runtime guard ``envoy.reloadable_features.validate_grpc_header_before_log_grpc_status``.
* **http**: Removed runtime flag ``envoy.reloadable_features.http_route_connect_proxy_by_default`` and legacy code
  paths.
* **http**: Removed runtime flag ``envoy.restart_features.sanitize_te`` and legacy code paths.
* **http2**: Removed runtime flag ``envoy.reloadable_features.defer_processing_backedup_streams`` and legacy code
  paths.
* **load balancing**: Removed runtime guard ``envoy.reloadable_features.edf_lb_host_scheduler_init_fix`` and legacy
  code paths.
* **load balancing**: Removed runtime guard ``envoy.reloadable_features.edf_lb_locality_scheduler_init_fix`` and
  legacy code paths.
* **quic**: Removed runtime flag ``envoy.restart_features.quic_handle_certs_with_shared_tls_code`` and legacy code
  paths.
* **router**: Removed runtime guard ``envoy_reloadable_features_send_local_reply_when_no_buffer_and_upstream_request``.
* **upstream**: Removed runtime flag ``envoy.reloadable_features.exclude_host_in_eds_status_draining``.
* **upstream**: Removed runtime flag ``envoy.restart_features.allow_client_socket_creation_failure`` and legacy code
  paths.

New features
------------

* **CEL-attributes**: Added :ref:`attribute ` ``upstream.cx_pool_ready_duration`` to get the duration from when the
  upstream request was created to when the upstream connection pool is ready.
* **CEL-attributes**: Added :ref:`attribute ` ``upstream.request_attempt_count`` to get the number of times a request
  is attempted upstream.
* **access log**: Added fields for :ref:`DOWNSTREAM_DIRECT_LOCAL_ADDRESS ` and
  :ref:`DOWNSTREAM_DIRECT_LOCAL_ADDRESS_WITHOUT_PORT `.
* **access log**: Added new command-line flag :option:`--skip-deprecated-logs`.
* **access_log**: Added ``%DOWNSTREAM_LOCAL_EMAIL_SAN%``, ``%DOWNSTREAM_PEER_EMAIL_SAN%``,
  ``%DOWNSTREAM_LOCAL_OTHERNAME_SAN%`` and ``%DOWNSTREAM_PEER_OTHERNAME_SAN%`` substitution formatters.
* **access_log**: Added support for :ref:`%UPSTREAM_HOST_NAME_WITHOUT_PORT% ` for the upstream host identifier
  without the port value.
* **access_log**: Added support for logging upstream connection establishment duration in the
  :ref:`%COMMON_DURATION% ` access log formatter operator. The following time points were added: ``%US_CX_BEG%``,
  ``%US_CX_END%``, ``%US_HS_END%``.
* **attributes**: Added new ``xds.virtual_host_name`` and ``xds.virtual_host_metadata`` attributes. See
  :ref:`attributes ` for looking up xDS configuration information.
* **aws_request_signing**: Added an optional field :ref:`credential_provider ` to the AWS request signing filter to
  explicitly specify a source for AWS credentials.
  Credential file and ``AssumeRoleWithWebIdentity`` behaviour can also be overridden with this field.
* **c-ares**: Added a nameserver rotation option to the c-ares resolver. When enabled via :ref:`rotate_nameservers `,
  this performs round-robin selection of the configured nameservers for each resolution to help distribute query load.
* **c-ares**: Added two new options to the c-ares resolver for configuring custom timeouts and tries while resolving
  DNS queries. Custom timeouts can be configured by specifying :ref:`query_timeout_seconds ` and custom tries can be
  configured by specifying :ref:`query_tries `.
* **ext_authz**: Added filter state fields ``latency_us``, ``bytesSent`` and ``bytesReceived`` for access from CEL and
  logging.
* **ext_proc**: Added HTTP support in the ext_proc filter to perform external processing with HTTP messages.
* **filters**: Added :ref:`the Api Key Auth filter `, which can be used to authenticate requests using an API key.
* **filters**: Updated the ``set_filter_state`` :ref:`filter ` to support per-route overrides.
* **grpc-json**: Added a new HTTP filter for :ref:`gRPC to JSON transcoding `.
* **health_check**: Added new health check filter stats including total requests, successful/failed checks, cached
  responses, and cluster health status counters. These stats help track health check behavior and cluster health state.
* **http**: Added :ref:`query parameter mutations ` to the :ref:`Header Mutation Filter ` for adding/removing query
  parameters on a request.
* **http_inspector**: Added default-false ``envoy.reloadable_features.http_inspector_use_balsa_parser`` for
  ``HttpInspector`` to use ``BalsaParser``.
* **ip-tagging**: Added support for specifying an alternate header :ref:`ip_tag_header ` for appending IP tags via the
  ip-tagging filter instead of using the default header ``x-envoy-ip-tags``.
* **local_ratelimit**: Added per-descriptor custom hits addend support for the local rate limit filter. See
  :ref:`hits_addend ` for more details.
* **lua**: Added logging functions to all Lua objects. Previously these were only available on the Lua HTTP filter
  request handle.
* **lua**: Added the :ref:`downstreamDirectLocalAddress() ` method to the Stream Info object API.
* **lua**: Added the :ref:`routeName() ` API to the Stream Info object to get the name of the route matched by the
  filter chain.
* **lua**: Added the SSL :ref:`parsedSubjectPeerCertificate() ` API.
* **lua**: Added a new ``setUpstreamOverrideHost()`` API that can be used to set the given host as the upstream host
  for the current request.
* **lua cluster specifier**: Added the ability for a Lua script to query clusters for current requests and connections.
* **matchers**: Added a new filter state matcher ``ip_range`` to :ref:`FilterStateMatcher ` which attempts to cast the
  filter state object to an IP and match it against a list of CidrRanges. To support this, also added an
  :ref:`AddressMatcher `.
* **overload**: Added support for scaling :ref:`max connection duration `. This can be used to reduce the max
  connection duration in response to overload.
* **quic**: Added the :ref:`QUIC stats debug visitor ` to get more stats from the QUIC transport.
* **ratelimit**: Added the :ref:`rate_limits ` field to generate rate limit descriptors. If this field is set, the
  :ref:`VirtualHost.rate_limits ` or :ref:`RouteAction.rate_limits ` fields will be ignored.
* **ratelimit**: Added the option to reduce the rate limit budget based on request/response contexts on stream done.
  See :ref:`apply_on_stream_done ` for more details.
* **ratelimit**: Added support for query parameter rate limiting via the :ref:`query_parameters ` action across HTTP
  and Thrift. This allows rate limiting based on specific query parameter values, with an option to control the
  behavior when the query parameter is absent.
* **rbac**: Added :ref:`sourced_metadata ` which allows specifying an optional source for the metadata to be matched
  in addition to the metadata matcher.
* **redis**: Added support for the ``UNWATCH`` command.
* **redis**: Added support for the ``KEYS`` and ``SELECT`` commands.
* **sni_dynamic_forward_proxy**: Added support in the SNI dynamic forward proxy for saving the resolved upstream
  address in the filter state. The state is saved with the key ``envoy.stream.upstream_address``.
* **tls**: Added an :ref:`option ` to change the upstream SNI to the configured hostname for the upstream.
* **tls**: Added an :ref:`option ` to validate the upstream server certificate SANs against the actual SNI value sent,
  regardless of the method of configuring SNI.
* **tls**: Added support for **P-384** and **P-521** curves for TLS server certificates.
* **tracers**: Set resource ``telemetry.sdk.*`` and scope ``otel.scope.name|version`` attributes for the OpenTelemetry
  tracer.
* **udp_proxy**: Added support for :ref:`backoff_options ` to configure the backoff strategy for UDP proxy retries
  when tunneling over HTTP.
* **udp_proxy**: Added support for the coexistence of dynamic and static clusters in the same UDP proxy: dynamic
  clusters can be used for some sessions by setting a per-session state object under the key
  ``envoy.upstream.dynamic_host`` and routing to the dynamic cluster, and static clusters can be used for other
  sessions by setting a per-session state object under the key ``envoy.udp_proxy.cluster`` without setting
  ``envoy.upstream.dynamic_host``.
* **udp_proxy**: Added support for dynamic cluster selection in the UDP proxy. The cluster can be set by one of the
  session filters by setting a per-session state object under the key ``envoy.udp_proxy.cluster``.
* **wasm**: Added the ``clear_route_cache`` foreign function to clear the route cache.
* **wasm**: Added support for Wasm plugins written in Go with the ``github.com/proxy-wasm/proxy-wasm-go-sdk`` and
  compiled with Go v1.24+.
* **wasm**: Added Wasm VM reload support to reload the Wasm VM when it fails with runtime errors. See
  :ref:`failure_policy ` for more details.
  The ``FAIL_RELOAD`` reload policy will be used by default.
* **xds**: Added support for ADS replacement by invoking ``xdsManager().setAdsConfigSource()`` with a new config
  source.

Deprecated
----------

* **aws_iam**: The :ref:`aws_iam extension ` is deprecated and will be deleted from Envoy in a future release, no later
  than Envoy 1.35, but possibly sooner.
* **cluster**: DNS-related fields in :ref:`Cluster ` are deprecated when using strict and logical DNS clusters.
  Instead, use the :ref:`cluster_type ` extension point with :ref:`typed_config ` of type :ref:`DnsCluster `.
* **rbac**: :ref:`metadata ` is now deprecated in favor of :ref:`sourced_metadata `.
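The ``oauth2`` entries under Minor behavior changes above describe two pieces of the new CSRF protection: a
base64url-encoded JSON ``state`` carrying the original request URL and a nonce, and a nonce cookie signed with the
filter's HMAC secret (the Signed Double-Submit Cookie pattern). The following Python block is an added illustration
of how those two pieces are checked together on the callback; it is not Envoy's code, and the cookie name, the
``url``/``nonce`` JSON keys, the ``<nonce>.<hmac>`` cookie layout and the demo secret are assumptions made for the
example.

```python
"""Signed Double-Submit Cookie with a base64url JSON state, modelled on the 1.33.0
oauth2 release notes. Added illustration only, not Envoy's implementation: the
cookie name, the JSON keys and the "<nonce>.<hmac>" cookie layout are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed demo secret; a deployment loads the HMAC secret from its secret store.
HMAC_SECRET = b"constructed-demo-hmac-secret"
NONCE_COOKIE = "OauthNonce"  # assumed cookie name, not Envoy's


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign_nonce(nonce: str, secret: bytes) -> str:
    return hmac.new(secret, nonce.encode("utf-8"), hashlib.sha256).hexdigest()


def build_authorization_request(original_url: str, nonce: Optional[str] = None,
                                secret: bytes = HMAC_SECRET):
    """Return (state, nonce_cookie_value) for the redirect to the authorization server.

    state  = base64url(JSON{"url": original_url, "nonce": nonce})
    cookie = "<nonce>.<HMAC-SHA256(nonce)>"  (the signed half of the double submit)
    """
    nonce = nonce or secrets.token_hex(16)
    payload = json.dumps({"url": original_url, "nonce": nonce}, separators=(",", ":"))
    state = _b64url_encode(payload.encode("utf-8"))
    cookie_value = f"{nonce}.{_sign_nonce(nonce, secret)}"
    return state, cookie_value


def verify_callback(state: str, cookie_value: str, secret: bytes = HMAC_SECRET):
    """Validate the callback; return the original URL, or None on any failure.

    A third party who starts a flow and injects their own state into the victim's
    callback cannot also present a cookie whose nonce matches and is signed with our
    secret, so the mismatch is detected and the flow rejected.
    """
    nonce, sep, sig = cookie_value.rpartition(".")
    if not sep:
        return None
    # 1. The cookie must carry our signature over its own nonce (constant-time compare).
    expected = _sign_nonce(nonce, secret).encode("ascii")
    if not hmac.compare_digest(sig.encode("ascii", "replace"), expected):
        return None
    # 2. state must be base64url JSON with string "url" and "nonce" members.
    try:
        payload = json.loads(_b64url_decode(state))
        url, state_nonce = payload["url"], payload["nonce"]
    except (ValueError, KeyError, TypeError):
        return None
    if not isinstance(url, str) or not isinstance(state_nonce, str):
        return None
    # 3. Double submit: the nonce inside state must equal the signed nonce in the cookie.
    if not hmac.compare_digest(state_nonce.encode("utf-8"), nonce.encode("utf-8")):
        return None
    return url


if __name__ == "__main__":
    st, ck = build_authorization_request("https://app.example/return?x=1")
    print("state:", st)
    print(f"{NONCE_COOKIE}={ck}")
    print("callback ok:", verify_callback(st, ck))
```

The cookie is the only part the relying party has to keep honest: it is set with ``Secure``, ``HttpOnly`` and a
``SameSite`` attribute so that only the browser that started the flow presents it on the callback, and the signature
means the proxy never has to store issued nonces server-side.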