1.34.0 (April 15, 2025)

Minor behavior changes

Changes that may cause incompatibilities for some users, but should not for most

• aws: AWS request signing and AWS Lambda extensions will now no longer return empty credentials (and fail to sign) when credentials are still pending from the async credential providers. If all providers are unable to retrieve credentials then the original behaviour with a signing failure will occur.

• cel: Support extension regex functions (e.g. re.extract, re.capture, re.captureN) in CEL.

• dfp: Setting dns_query_timeout to 0 will disable the Envoy DNS query timeout and use the underlying DNS implementation timeout.

• ext_proc: Ignore request_header_mode field of mode_override when comparing the mode_override against allowed_override_modes as request_header mode override is not applicable.

• ext_proc: When mode_override headers/trailers modes have the value DEFAULT (unset), no change will be made to the processing mode set in the filter configuration.

• formatter: The formatter %CEL% and %METADATA% will be treated as built-in formatters and could be used directly in the substitution format string if the related extensions are linked.

• formatter: The formatter %RESPONSE_CODE_DETAILS% takes an optional parameter ALLOW_WHITESPACES to allow whitespaces in output string. By default all whitespaces will be replaced by underscore.

• geoip: The isp_db_path has been renamed to asn_db_path to keep the name consistent with the code behavior. The fields anon_db_path and city_db_path have been renamed to anon_db_path and city_db_path respectively. The field isp_db_path has been added to the MaxMindConfig to allow specifying the path to the ISP database.

• golang: Align all loggers to use golang component Id. Improve sendLocalReply by using go memory pinning instead of string copy.

• http: generate_request_id will generate a request id on non-present and now on empty x-request-id header.

• http2: Sets runtime guard envoy.reloadable_features.http2_use_oghttp2 to true by default.

• oauth2: Introduced PKCE(Proof Key for Code Exchange) support for OAuth2 authorization code flow.

• string_matcher: The string matcher API extended with another method that allows passing a context for the matching operation. The initial supporting use case is passing StreamInfo in the context when performing SAN matching.

• tls: Added compliance policies TLS parameter to enforce restrictions based on a given policy (e.g. FIPS).

• tls: FIPS build is updated to use the same version of boringssl as the regular build, per the revised FedRAMP policy.

Bug fixes

Changes expected to improve the state of the world and are unlikely to have negative effects

• connection pool: Fixed a bug in preconnecting where established connection unused capacity was not considered in the logic to establish new connections, resulting in new connections anytime there was not a connection currently in the process of being established. This resulted in far too many connections being established, with the only bounds being cluster circuit breaker limits or upstream service limits.

• dfp: Fixes a bug when loading a DNS cache entry with an empty authority/host header. This fix can be reverted by setting runtime guard envoy.reloadable_features.dfp_fail_on_empty_host_header to false.

• eds: Fixed crash when creating an EDS cluster with invalid configuration.

• ext_authz: Removed validation constraint on disabled so that it can be set to false to enable the filter when it is by default-disabled for the filter chain.

• ext_proc: Fixed a bug for the extension where the response from the external processor was being saved to filter state after iterating through the filter chain.

• ext_proc: Fixes a bug where local replies were incorrectly sent to the ext_proc server for external processing. This change can be temporarily reverted by setting runtime guard envoy_reloadable_features_skip_ext_proc_on_local_reply to false.

• ext_proc: Implemented graceful close of gRPC side streams, where the client half-closes its stream and waits (with timeout) for the server to half-close its stream. This behavioral change is disabled by default and can be enabled by setting runtime guard envoy.reloadable_features.ext_proc_graceful_grpc_close to true. The remote close timeout is 1 second by default and can be changed by setting the envoy.filters.http.ext_proc.remote_close_timeout_milliseconds runtime value.

• http: Fixed http parser responding to newlines between requests with 400 Bad Request; per RFC 9112: a server that is expecting to receive and parse a request-line SHOULD ignore at least one empty line (CRLF) received prior to the request-line. This fix can be reverted by setting runtime guard envoy.reloadable_features.http1_balsa_allow_cr_or_lf_at_request_start to false.

• http: Fixed the JWKs fetcher to set the :scheme pseudo header according to the uri (http or https). Before the :scheme header was always http. This behavioral change can be temporarily reverted by setting runtime guard envoy.reloadable_features.jwt_fetcher_use_scheme_from_uri to false.

• listener: Fixed a bug where socket options specified only on an additional address were not applied unless socket_options on the listener is set. Now additional address socket_options are correctly applied even if the listener has no socket options configured.

• listener: Fixed a bug where the addresses cannot be updated partially even if the reuse port is enabled.

• oauth2: Fixed OAuth2 credential injector to send scope (if specified) to authorization server when requesting new access token using client_credentials flow.

• original_src filter: Set IP_BIND_ADDRESS_NO_PORT socket option in the original_src filter to prevent port exhaustion caused by the kernel prematurely reserving ephemeral ports. This behavior change can be reverted by setting runtime guard envoy.reloadable_features.original_src_fix_port_exhaustion to false.

• quic: Strips empty cookie header, making HTTP2 and HTTP3 consistent. This change can be temporarily reverted by setting runtime guard envoy.reloadable_features.http3_remove_empty_cookie to false.

• redis: Fixed a crash bug when the DNS resolution status is completed, but the response is empty.

• router: Fixed query parameter matcher to properly implement present_match. Previously, the matcher would incorrectly handle present_match configurations by treating them as default present checks. This behavior can be temporarily reverted by setting runtime feature envoy_reloadable_features_enable_new_query_param_present_match_behavior to false.

• router: Fixes an Envoy crash issue when a local reply is sent. This change can be temporarily reverted by setting runtime guard envoy_reloadable_features_router_filter_resetall_on_local_reply to false.

• sds: Fixed a bug where a GenericSecret stored in a file was not watched by SDS API.

• tcp_proxy: Fixes a bug when TCP is tunneled over HTTP and upstream connection closed before response headers received to the stream. The fix is to run the retry logic in a different event loop iteration to allow cleanup of the closed connection before retrying. This fix can be reverted by setting runtime guard envoy.reloadable_features.tcp_proxy_retry_on_different_event_loop to false.

• udp: Fixed wrong metric calculation of downstream_rx_datagram_dropped.

• wasm: Fixed a bug where the WASM context deletion may result in a crash when the VM is panicked.

Removed config or runtime

Normally occurs at the end of the deprecation period

• access_log: Removed runtime guard envoy.reloadable_features.upstream_remote_address_use_connection and legacy code paths.

• config: Removed runtime guard envoy.reloadable_features.strict_duration_validation and legacy code paths.

• dns: Removed runtime flag envoy.reloadable_features.dns_details and legacy code paths.

• dns: Removed runtime guard envoy.reloadable_features.dns_nodata_noname_is_success and legacy code paths.

• http: Removed runtime guard envoy.reloadable_features.consistent_header_validation and legacy code paths.

• http: Removed runtime guard envoy.reloadable_features.sanitize_http2_headers_without_nghttp2 and legacy code paths.

• local_ratelimit: Removed runtime guard envoy.reloadable_features.no_timer_based_rate_limit_token_bucket and legacy code paths.

• runtime: Removed runtime flag envoy.reloadable_features.reject_invalid_yaml and legacy code paths.

• thread_local: Removed runtime guard envoy.reloadable_features.allow_slot_destroy_on_worker_threads and legacy code paths.

• xds: Removed runtime guard envoy.reloadable_features.xdstp_path_avoid_colon_encoding and legacy code paths.

New features

• adaptive concurrency: Allow fixing the minimum RTT by introducing fixed_value.

• admin: Add support for the inbound_only and graceful query params of /drain_listeners to be used together by implementing directional draining in DrainManager.

• attributes: Added attribute upstream.locality to obtain upstream locality information.

• cares: Implemented ares_reinit() to optimally handle the situation where DNS resolver needs to be re-initialized.

• cluster: Added upstream_rq_headers_count and upstream_rs_headers_count histograms to cluster stats. These will be added when the request response size statistics are tracked.

• compressor: Added (uncompressible_response_codes) to Compressor Filter which allows configuration of a list of response codes for which the compression will be skipped.

• connection: Added the close through the network filter manager support that allows a network filter to disable the close of connection. This behavior is controlled by runtime guard envoy.reloadable_features.connection_close_through_filter_manager, and default is false.

• dfp: Added a feature to disable DNS refresh on failure by setting disable_dns_refresh_on_failure to true. By enabling this feature, the failed hosts will now be treated as a cache miss.

• dfp: The DFP cluster will now use the async lookup path to do DNS resolutions for null hosts. This behavioral change can be temporarily reverted by setting runtime guard envoy.reloadable_features.dfp_cluster_resolves_hosts to false.

• dns: Update C-ares to version 1.34.4. This upgrade exposes ares_reinit() which allows the reinitialization of C-ares channels, among several other new features, bug-fixes, etc.

• dns: Update C-ares to version 1.34.5 to address CVE-2025-31498.

• dynamic_modules: Added the initial support for shared libraries to be loaded by Envoy at runtime. Please refer to the overview documentation for the feature here.

• ext_proc: Added an extension to save the response from the external processor to filter state.

• ext_proc: Adding support for a new body mode: FULL_DUPLEX_STREAMED in the ext_proc filter processing_mode.

• formatter: Added CUSTOM_FLAGS support for substitution formatter. See access log formatter for more details.

• formatter: Added PATH support for substitution formatter. See access log formatter for more details.

• formatter: Added QUERY_PARAM support for substitution formatter. See access log formatter for more details.

• geoip: Added options on the geoip filter envoy.extensions.geoip_providers.common.v3.CommonGeoipProviderConfig.isp that contains the isp name and envoy.extensions.geoip_providers.common.v3.CommonGeoipProviderConfig.apple_private_relay that has true or false depending if the isp name is iCloud Private Relay.

• golang: Expose generic secrets to lua Add SecretManager interface in the go envoy sdk.

• golang: added http golang filter config destroy callback. When a config gets deleted from envoy, the go plugin calls the Destroy function on the config instance. config should implement the new github.com/envoyproxy/envoy/contrib/golang/common/go/api.Config interface, implementing the Destroy function.

• http: Added ignore_http_11_upgrade to ignore HTTP/1.1 Upgrade values matching any of the supplied matchers.

• http: Added max_metadata_size to make HTTP/2 metadata limits configurable.

• http: Added alpha support for asynchronous load balancing. See load balancing policies overview for more details. Support can be temporarily reverted by setting runtime guard envoy.reloadable_features.async_host_selection to false.

• http: Added filter state matcher for router matcher.

• http: Made the credential injector filter work as an upstream filter.

• http: Made the lua work as an upstream filter.

• http3: Added envoy_v3_api_field_extensions.upstreams.http.v3.Http3ProtocolOptions.disable_qpack, an experimental support for disabling QPACK compression.

• jwt_authn: Added jwt_max_token_size to make max token size configurable.

• jwt_authn: Added field stat_prefix to allow differentiating between different jwt_authn filters in the same filter chain.

• local_rate_limit: Added support for dynamic token buckets in local rate limit filter for HTTP requests.

• lua: Added clear_route_cache support to control the route cache clearing behavior in the Lua filter.

• lua: Added virtualClusterName() API to the Stream Info Object to get the name of the virtual cluster matched.

• lua: Added support for clearing the route cache explicitly in the Lua filter. See clearRouteCache() for more details.

• matcher: Added the integration between ExtensionWithMatcher and network filters, and only SkipFilter is supported.

• oauth2: Add the option to specify SameSite cookie attribute values for oauth2 supported cookies. To specify SameSite attribute, choose one of the values from strict, lax or none. If not specified, a default value of disabled will be assigned and there will be no SameSite value in the cookie attribute. See apply_on_stream_done for more details.

• oauth2: Added field stat_prefix to allow differentiating between different oauth2 filters in the same filter chain.

• proxy_protocol: Added support for injecting custom Type-Length-Value (TLV) entries into the Proxy Protocol v2 header for upstream transport sockets. Custom TLVs can be defined both in the endpoint host’s typed metadata under the envoy.transport_sockets.proxy_protocol namespace and at the configuration level via the ProxyProtocolConfig’s added_tlvs field. Host-level TLV definitions override config-level entries when the same type is specified, allowing default TLVs to be set globally, while enabling further per-endpoint customizations.

• quic: Added an extension to support QUIC-LB draft standard for connection ID generation.

• rate_limit: Added the explict runtime switch filter_enabled and filter_enforced to control the filter behavior.

• rbac: Added a new principal type for validating mTLS with more specific matches and better default behavior. Also added an extension point for custom principals.

• redis: Added support for multi-key commands on transactions.

• redis_proxy: Added custom_commands to support configuring custom commands for Redis proxy.

• resource_monitors: Added support to monitor container CPU utilization in Linux K8s environment using existing extension.

• sockets: Added an io_uring option in default socket interface to support io_uring.

• spiffe: Added trust_bundles to the SPIFFE certificate validator configuration. This field allows specifying a SPIFFE trust bundle mapping as a DataSource. If both trust_bundles and trust_domains are specified, trust_bundles takes precedence.

• tansport tap: Added support to control outputing the connection information per event and refer to set_connection_per_event in the message SocketTapConfig of transport socket tap.

• tap: Added an UDP extension for tap custom sink.

• tcp_proxy: Added proxy_protocol_tlvs to the TCP proxy filter. This field allows specifying PROXY protocol TLVs to be added in the PROXY protocol state created by the TCP proxy filter. TLVs added in the PROXY protocol state will be added to the PROXY protocol v2 header sent upstream.

• tcp_proxy: Added support for backoff_options to configure the backoff strategy for TCP proxy retries.

• tcp_proxy: added an option to allow filters to read from the downstream connection before TCP proxy has opened the upstream connection, by setting a filter state object for the key envoy.tcp_proxy.receive_before_connect.

• tracing: added support for Fluentd tracer to send traces in Fluentd format.

• udp_proxy: Added support for outlier detection in UDP proxy. This change can be temporarily reverted by setting runtime guard envoy.reloadable_features.enable_udp_proxy_outlier_detection to false.

• xds: Reporting a locality_stats to LRS server when rq_issued > 0, disable by setting runtime guard envoy.reloadable_features.report_load_with_rq_issued to false.