.. _version_history_1.34.0: 1.34.0 (April 15, 2025) ======================== Minor behavior changes ---------------------- *Changes that may cause incompatibilities for some users, but should not for most* * **aws**: AWS request signing and AWS Lambda extensions will now no longer return empty credentials (and fail to sign) when credentials are still pending from the async credential providers. If all providers are unable to retrieve credentials then the original behaviour with a signing failure will occur. * **cel**: Support extension regex functions (e.g. ``re.extract``, ``re.capture``, ``re.captureN``) in CEL. * **dfp**: Setting :ref:`dns_query_timeout ` to 0 will disable the Envoy DNS query timeout and use the underlying DNS implementation timeout. * **ext_proc**: Ignore request_header_mode field of :ref:`mode_override ` when comparing the mode_override against allowed_override_modes as request_header mode override is not applicable. * **ext_proc**: When :ref:`mode_override ` headers/trailers modes have the value ``DEFAULT`` (unset), no change will be made to the processing mode set in the filter configuration. * **formatter**: The formatter ``%CEL%`` and ``%METADATA%`` will be treated as built-in formatters and could be used directly in the substitution format string if the related extensions are linked. * **formatter**: The formatter ``%RESPONSE_CODE_DETAILS%`` takes an optional parameter ``ALLOW_WHITESPACES`` to allow whitespaces in output string. By default all whitespaces will be replaced by underscore. * **geoip**: The ``isp_db_path`` has been renamed to ``asn_db_path`` to keep the name consistent with the code behavior. The fields ``anon_db_path`` and ``city_db_path`` have been renamed to ``anon_db_path`` and ``city_db_path`` respectively. The field ``isp_db_path`` has been added to the ``MaxMindConfig`` to allow specifying the path to the ISP database. * **golang**: Align all loggers to use golang component Id. Improve ``sendLocalReply`` by using go memory pinning instead of string copy. * **http**: :ref:`generate_request_id ` will generate a request id on non-present and now on empty ``x-request-id`` header. * **http2**: Sets runtime guard ``envoy.reloadable_features.http2_use_oghttp2`` to ``true`` by default. * **oauth2**: Introduced PKCE(Proof Key for Code Exchange) support for OAuth2 authorization code flow. * **string_matcher**: The string matcher API extended with another method that allows passing a context for the matching operation. The initial supporting use case is passing ``StreamInfo`` in the context when performing SAN matching. * **tls**: Added :ref:`compliance policies ` TLS parameter to enforce restrictions based on a given policy (e.g. FIPS). * **tls**: FIPS build is updated to use the same version of boringssl as the regular build, per the revised FedRAMP policy. Bug fixes --------- *Changes expected to improve the state of the world and are unlikely to have negative effects* * **connection pool**: Fixed a bug in :ref:`preconnecting ` where established connection unused capacity was not considered in the logic to establish new connections, resulting in new connections anytime there was not a connection currently in the process of being established. This resulted in far too many connections being established, with the only bounds being cluster circuit breaker limits or upstream service limits. * **dfp**: Fixes a bug when loading a DNS cache entry with an empty authority/host header. This fix can be reverted by setting runtime guard ``envoy.reloadable_features.dfp_fail_on_empty_host_header`` to ``false``. * **eds**: Fixed crash when creating an EDS cluster with invalid configuration. * **ext_authz**: Removed validation constraint on :ref:`disabled ` so that it can be set to false to enable the filter when it is by :ref:`default-disabled for the filter chain `. * **ext_proc**: Fixed a bug for the :ref:`extension ` where the :ref:`response ` from the external processor was being saved to filter state after iterating through the filter chain. * **ext_proc**: Fixes a bug where local replies were incorrectly sent to the ext_proc server for external processing. This change can be temporarily reverted by setting runtime guard ``envoy_reloadable_features_skip_ext_proc_on_local_reply`` to ``false``. * **ext_proc**: Implemented graceful close of gRPC side streams, where the client half-closes its stream and waits (with timeout) for the server to half-close its stream. This behavioral change is disabled by default and can be enabled by setting runtime guard ``envoy.reloadable_features.ext_proc_graceful_grpc_close`` to ``true``. The remote close timeout is 1 second by default and can be changed by setting the ``envoy.filters.http.ext_proc.remote_close_timeout_milliseconds`` runtime value. * **http**: Fixed http parser responding to newlines between requests with ``400 Bad Request``; per RFC 9112: a server that is expecting to receive and parse a request-line SHOULD ignore at least one empty line (CRLF) received prior to the request-line. This fix can be reverted by setting runtime guard ``envoy.reloadable_features.http1_balsa_allow_cr_or_lf_at_request_start`` to ``false``. * **http**: Fixed the JWKs fetcher to set the ``:scheme`` pseudo header according to the uri (``http`` or ``https``). Before the ``:scheme`` header was always ``http``. This behavioral change can be temporarily reverted by setting runtime guard ``envoy.reloadable_features.jwt_fetcher_use_scheme_from_uri`` to ``false``. * **listener**: Fixed a bug where socket options specified only on an additional address were not applied unless :ref:`socket_options ` on the listener is set. Now additional address :ref:`socket_options ` are correctly applied even if the listener has no socket options configured. * **listener**: Fixed a bug where the addresses cannot be updated partially even if the reuse port is enabled. * **oauth2**: Fixed OAuth2 credential injector to send scope (if specified) to authorization server when requesting new access token using ``client_credentials`` flow. * **original_src filter**: Set ``IP_BIND_ADDRESS_NO_PORT`` socket option in the :ref:`original_src filter ` to prevent port exhaustion caused by the kernel prematurely reserving ephemeral ports. This behavior change can be reverted by setting runtime guard ``envoy.reloadable_features.original_src_fix_port_exhaustion`` to ``false``. * **quic**: Strips empty cookie header, making HTTP2 and HTTP3 consistent. This change can be temporarily reverted by setting runtime guard ``envoy.reloadable_features.http3_remove_empty_cookie`` to ``false``. * **redis**: Fixed a crash bug when the DNS resolution status is completed, but the response is empty. * **router**: Fixed query parameter matcher to properly implement :ref:`present_match `. Previously, the matcher would incorrectly handle ``present_match`` configurations by treating them as default present checks. This behavior can be temporarily reverted by setting runtime feature ``envoy_reloadable_features_enable_new_query_param_present_match_behavior`` to ``false``. * **router**: Fixes an Envoy crash issue when a local reply is sent. This change can be temporarily reverted by setting runtime guard ``envoy_reloadable_features_router_filter_resetall_on_local_reply`` to ``false``. * **sds**: Fixed a bug where a :ref:`GenericSecret ` stored in a file was not watched by SDS API. * **tcp_proxy**: Fixes a bug when TCP is tunneled over HTTP and upstream connection closed before response headers received to the stream. The fix is to run the retry logic in a different event loop iteration to allow cleanup of the closed connection before retrying. This fix can be reverted by setting runtime guard ``envoy.reloadable_features.tcp_proxy_retry_on_different_event_loop`` to ``false``. * **udp**: Fixed wrong metric calculation of ``downstream_rx_datagram_dropped``. * **wasm**: Fixed a bug where the WASM context deletion may result in a crash when the VM is panicked. Removed config or runtime ------------------------- *Normally occurs at the end of the* :ref:`deprecation period ` * **access_log**: Removed runtime guard ``envoy.reloadable_features.upstream_remote_address_use_connection`` and legacy code paths. * **config**: Removed runtime guard ``envoy.reloadable_features.strict_duration_validation`` and legacy code paths. * **dns**: Removed runtime flag ``envoy.reloadable_features.dns_details`` and legacy code paths. * **dns**: Removed runtime guard ``envoy.reloadable_features.dns_nodata_noname_is_success`` and legacy code paths. * **http**: Removed runtime guard ``envoy.reloadable_features.consistent_header_validation`` and legacy code paths. * **http**: Removed runtime guard ``envoy.reloadable_features.sanitize_http2_headers_without_nghttp2`` and legacy code paths. * **local_ratelimit**: Removed runtime guard ``envoy.reloadable_features.no_timer_based_rate_limit_token_bucket`` and legacy code paths. * **runtime**: Removed runtime flag ``envoy.reloadable_features.reject_invalid_yaml`` and legacy code paths. * **thread_local**: Removed runtime guard ``envoy.reloadable_features.allow_slot_destroy_on_worker_threads`` and legacy code paths. * **xds**: Removed runtime guard ``envoy.reloadable_features.xdstp_path_avoid_colon_encoding`` and legacy code paths. New features ------------ * **adaptive concurrency**: Allow fixing the minimum RTT by introducing ``fixed_value``. * **admin**: Add support for the ``inbound_only`` and graceful query params of ``/drain_listeners`` to be used together by implementing directional draining in ``DrainManager``. * **attributes**: Added :ref:`attribute ` ``upstream.locality`` to obtain upstream locality information. * **cares**: Implemented ``ares_reinit()`` to optimally handle the situation where DNS resolver needs to be re-initialized. * **cluster**: Added ``upstream_rq_headers_count`` and ``upstream_rs_headers_count`` histograms to :ref:`cluster stats `. These will be added when the :ref:`request response size statistics ` are tracked. * **compressor**: Added (:ref:`uncompressible_response_codes `) to Compressor Filter which allows configuration of a list of response codes for which the compression will be skipped. * **connection**: Added the close through the network filter manager support that allows a network filter to disable the close of connection. This behavior is controlled by runtime guard ``envoy.reloadable_features.connection_close_through_filter_manager``, and default is ``false``. * **dfp**: Added a feature to disable DNS refresh on failure by setting :ref:`disable_dns_refresh_on_failure ` to ``true``. By enabling this feature, the failed hosts will now be treated as a cache miss. * **dfp**: The DFP cluster will now use the async lookup path to do DNS resolutions for null hosts. This behavioral change can be temporarily reverted by setting runtime guard ``envoy.reloadable_features.dfp_cluster_resolves_hosts`` to ``false``. * **dns**: Update C-ares to version 1.34.4. This upgrade exposes ``ares_reinit()`` which allows the reinitialization of C-ares channels, among several other new features, bug-fixes, etc. * **dns**: Update C-ares to version 1.34.5 to address **CVE-2025-31498**. * **dynamic_modules**: Added the initial support for shared libraries to be loaded by Envoy at runtime. Please refer to the overview documentation for the feature :ref:`here `. * **ext_proc**: Added an :ref:`extension ` to save the :ref:`response ` from the external processor to filter state. * **ext_proc**: Adding support for a new body mode: ``FULL_DUPLEX_STREAMED`` in the ``ext_proc`` filter :ref:`processing_mode `. * **formatter**: Added ``CUSTOM_FLAGS`` support for substitution formatter. See :ref:`access log formatter ` for more details. * **formatter**: Added ``PATH`` support for substitution formatter. See :ref:`access log formatter ` for more details. * **formatter**: Added ``QUERY_PARAM`` support for substitution formatter. See :ref:`access log formatter ` for more details. * **geoip**: Added options on the geoip filter ``envoy.extensions.geoip_providers.common.v3.CommonGeoipProviderConfig.isp`` that contains the isp name and ``envoy.extensions.geoip_providers.common.v3.CommonGeoipProviderConfig.apple_private_relay`` that has ``true`` or ``false`` depending if the isp name is ``iCloud Private Relay``. * **golang**: Expose generic secrets to :ref:`lua ` Add SecretManager interface in the go envoy sdk. * **golang**: added http golang filter config destroy callback. When a config gets deleted from envoy, the go plugin calls the Destroy function on the config instance. config should implement the new ``github.com/envoyproxy/envoy/contrib/golang/common/go/api.Config`` interface, implementing the Destroy function. * **http**: Added :ref:`ignore_http_11_upgrade ` to ignore HTTP/1.1 Upgrade values matching any of the supplied matchers. * **http**: Added :ref:`max_metadata_size ` to make HTTP/2 metadata limits configurable. * **http**: Added alpha support for asynchronous load balancing. See :ref:`load balancing policies overview ` for more details. Support can be temporarily reverted by setting runtime guard ``envoy.reloadable_features.async_host_selection`` to ``false``. * **http**: Added filter state matcher for router matcher. * **http**: Made the :ref:`credential injector filter ` work as an upstream filter. * **http**: Made the :ref:`lua ` work as an upstream filter. * **http3**: Added envoy_v3_api_field_extensions.upstreams.http.v3.Http3ProtocolOptions.disable_qpack, an experimental support for disabling QPACK compression. * **jwt_authn**: Added :ref:`jwt_max_token_size ` to make max token size configurable. * **jwt_authn**: Added field :ref:`stat_prefix ` to allow differentiating between different jwt_authn filters in the same filter chain. * **local_rate_limit**: Added support for dynamic token buckets in local rate limit filter for HTTP requests. * **lua**: Added :ref:`clear_route_cache ` support to control the route cache clearing behavior in the Lua filter. * **lua**: Added :ref:`virtualClusterName() ` API to the Stream Info Object to get the name of the virtual cluster matched. * **lua**: Added support for clearing the route cache explicitly in the Lua filter. See :ref:`clearRouteCache() ` for more details. * **matcher**: Added the integration between :ref:`ExtensionWithMatcher ` and network filters, and only ``SkipFilter`` is supported. * **oauth2**: Add the option to specify SameSite cookie attribute values for oauth2 supported cookies. To specify ``SameSite`` attribute, choose one of the values from ``strict``, ``lax`` or ``none``. If not specified, a default value of ``disabled`` will be assigned and there will be no ``SameSite`` value in the cookie attribute. See :ref:`apply_on_stream_done ` for more details. * **oauth2**: Added field :ref:`stat_prefix ` to allow differentiating between different oauth2 filters in the same filter chain. * **proxy_protocol**: Added support for injecting custom Type-Length-Value (TLV) entries into the Proxy Protocol v2 header for upstream transport sockets. Custom TLVs can be defined both in the endpoint host's typed metadata under the ``envoy.transport_sockets.proxy_protocol`` namespace and at the configuration level via the ``ProxyProtocolConfig``'s ``added_tlvs`` field. Host-level TLV definitions override config-level entries when the same type is specified, allowing default TLVs to be set globally, while enabling further per-endpoint customizations. * **quic**: Added an :ref:`extension ` to support QUIC-LB draft standard for connection ID generation. * **rate_limit**: Added the explict runtime switch :ref:`filter_enabled ` and :ref:`filter_enforced ` to control the filter behavior. * **rbac**: Added a new :ref:`principal type ` for validating mTLS with more specific matches and better default behavior. Also added an extension point for :ref:`custom ` principals. * **redis**: Added support for multi-key commands on transactions. * **redis_proxy**: Added :ref:`custom_commands ` to support configuring custom commands for Redis proxy. * **resource_monitors**: Added support to monitor container CPU utilization in Linux K8s environment using :ref:`existing extension `. * **sockets**: Added an :ref:`io_uring ` option in default socket interface to support io_uring. * **spiffe**: Added :ref:`trust_bundles ` to the SPIFFE certificate validator configuration. This field allows specifying a SPIFFE trust bundle mapping as a ``DataSource``. If both ``trust_bundles`` and ``trust_domains`` are specified, ``trust_bundles`` takes precedence. * **tansport tap**: Added support to control outputing the connection information per event and refer to ``set_connection_per_event`` in the message ``SocketTapConfig`` of transport socket tap. * **tap**: Added an UDP extension for tap custom sink. * **tcp_proxy**: Added :ref:`proxy_protocol_tlvs ` to the TCP proxy filter. This field allows specifying PROXY protocol TLVs to be added in the PROXY protocol state created by the TCP proxy filter. TLVs added in the PROXY protocol state will be added to the PROXY protocol v2 header sent upstream. * **tcp_proxy**: Added support for :ref:`backoff_options ` to configure the backoff strategy for TCP proxy retries. * **tcp_proxy**: added :ref:`an option ` to allow filters to read from the downstream connection before TCP proxy has opened the upstream connection, by setting a filter state object for the key ``envoy.tcp_proxy.receive_before_connect``. * **tracing**: added support for :ref:`Fluentd ` tracer to send traces in `Fluentd format `_. * **udp_proxy**: Added support for outlier detection in UDP proxy. This change can be temporarily reverted by setting runtime guard ``envoy.reloadable_features.enable_udp_proxy_outlier_detection`` to ``false``. * **xds**: Reporting a locality_stats to LRS server when ``rq_issued > 0``, disable by setting runtime guard ``envoy.reloadable_features.report_load_with_rq_issued`` to ``false``.