current.yaml
date: Pending

behavior_changes:
# *Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required*
- area: http
  change: |
    The default configuration of Envoy will continue to trust internal addresses, while in the future it will not trust them by default.
    If you have tooling such as probes on your private network which need to be treated as trusted (e.g. changing arbitrary ``x-envoy``
    headers), please explicitly include those addresses or CIDR ranges in :ref:`internal_address_config
    <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.internal_address_config>`.
    See the config examples from the above ``internal_address_config`` link. This default of not trusting internal addresses can be turned on
    now by setting the runtime guard ``envoy.reloadable_features.explicit_internal_address_config`` to ``true``.

minor_behavior_changes:
# *Changes that may cause incompatibilities for some users, but should not for most*
- area: http cookies
  change: |
    Changed the internal format of the http cookie to protobuf and added an expiry timestamp. Processing an expired cookie
    results in selection of a new upstream host and sending a new cookie to the client. The previous format of
    the cookie is still accepted, but is planned to be obsoleted in the future.
    This behavior change can be reverted by setting
    ``envoy.reloadable_features.stateful_session_encode_ttl_in_cookie`` to ``false``.

new_features:
- area: tls
  change: |
    Added support for SNI-based cert selection in the tls downstream transport socket. Detailed documentation is available at
    :ref:`cert selection <arch_overview_ssl_cert_select>`.
    The new config option :ref:`full_scan_certs_on_sni_mismatch <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.full_scan_certs_on_sni_mismatch>`
    is introduced to enable or disable a full scan when no cert matches the SNI; it defaults to ``false``.
    The new runtime flag ``envoy.reloadable_features.no_full_scan_certs_on_sni_mismatch`` can be used to override the default value.
- area: decompression
  change: |
    Fixed a bug where Envoy would go into an endless loop when using the brotli decompressor: if the input stream had
    redundant data, the decompressor looped forever.

bug_fixes:
- area: http2
  change: |
    Update nghttp2 to resolve CVE-2024-30255 (https://github.com/envoyproxy/envoy/security/advisories/GHSA-j654-3ccm-vfmm).
# *Changes expected to improve the state of the world and are unlikely to have negative effects*
- area: tls
  change: |
    Fix a RELEASE_ASSERT when using :ref:`auto_sni <envoy_v3_api_field_config.core.v3.UpstreamHttpProtocolOptions.auto_sni>`
    if the downstream request ``:authority`` was longer than 255 characters.
- area: websocket
  change: |
    Only 101 is considered a successful response for the websocket handshake; Envoy as a proxy will forward the response
    status code from upstream to downstream and then close the request if any other status is received. This behavior can be
    reverted by ``envoy_reloadable_features_check_switch_protocol_websocket_handshake``.
- area: stateful_session
  change: |
    Support a 0 TTL for proto-encoded cookies, which disables cookie expiration by Envoy.

removed_config_or_runtime:
# *Normally occurs at the end of the* :ref:`deprecation period <deprecated>`

new_features:
- area: google_grpc
  change: |
    Added an off-by-default runtime flag
    ``envoy.reloadable_features.google_grpc_disable_tls_13`` to disable TLSv1.3
    usage by the gRPC SDK for ``google_grpc`` services.
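The ``http cookies`` and ``stateful_session`` entries both concern the new proto-encoded session cookie and its TTL. As an added example (not from this changelog and not the Envoy project's own code), here is the HTTP filter fragment that enables cookie-based stateful sessions, with the TTL knob the entries describe, plus the runtime override to revert to the old format. Filter and message type names follow the Envoy v3 API; the cookie name and TTL value are constructed.

```yaml
# Added example: cookie-based stateful session with an explicit TTL.
http_filters:
- name: envoy.filters.http.stateful_session
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.stateful_session.v3.StatefulSession
    session_state:
      name: envoy.http.stateful_session.cookie
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.http.stateful_session.cookie.v3.CookieBasedSessionState
        cookie:
          name: envoy-session   # constructed cookie name
          path: /
          # 30 minutes of affinity. With the new format an expired cookie makes
          # Envoy pick a fresh upstream host and hand the client a new cookie.
          # Per the stateful_session entry, ttl: 0s keeps the proto-encoded
          # cookie but disables expiration by Envoy.
          ttl: 1800s
- name: envoy.filters.http.router
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

# Rollback path from the http cookies entry: keep issuing the previous
# (non-expiring) cookie format while clients and tooling catch up.
layered_runtime:
  layers:
  - name: static_layer_0
    static_layer:
      envoy.reloadable_features.stateful_session_encode_ttl_in_cookie: false
```

Bounding the TTL is the security-relevant part: a session cookie that never expires pins a client to one host indefinitely, so the default of a finite TTL limits how long a leaked or replayed cookie stays useful, and ``0s`` should be a deliberate choice rather than a carry-over from the old format.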