Releases: cloudfoundry/routing-release
0.298.0
Changes
- 🔒 Resolves CVE-2024-22279, which affected routing-releases 0.273.0 through 0.297.0.
- 🐛 Improve support for requests using the Expect: 100-continue header.
- 🐛 The missing_content_length_header metric introduced in 0.297.0 has been renamed to empty_content_length_header for more accuracy. Thanks @peanball!
- 🐛 The empty_content_length_header metric was fixed to more accurately capture events where the Content-Length header of a request was empty. Previously, extra request types were being counted erroneously.
Bosh Job Spec changes:
diff --git a/jobs/gorouter/spec b/jobs/gorouter/spec
index 712a761f..8269440b 100644
--- a/jobs/gorouter/spec
+++ b/jobs/gorouter/spec
@@ -306,6 +306,9 @@ properties:
router.keep_alive_probe_interval:
default: 1s
description: Interval between TCP keep alive probes. Value is a string (e.g. "10s")
+ router.keep_alive_100_continue_requests:
+ description: "If set gorouter reuses backend connection for requests expecting 100-Continue"
+ default: false
router.force_forwarded_proto_https:
description: "Enables setting X-Forwarded-Proto header if SSL termination happened upstream and incorrectly set the header value. When this property is set to true gorouter sets the header X-Forwarded-Proto to https. When this value set to false, gorouter set the header X-Forwarded-Proto to the protocol of the incoming request"
default: false
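Review bot: the description of router.keep_alive_100_continue_requests says what happens when it is set but not what gorouter does otherwise (presumably the backend connection is closed after a request that sent Expect: 100-Continue) or why the default is false; since the 0.298.0 notes tie this to the Expect: 100-continue fix, spell out the trade-off, e.g. "When false, the backend connection is not reused after a request that sent Expect: 100-Continue; enable only if backends reliably read or reject the body", so operators know what they opt into. Also the new description is double-quoted while the neighbouring keep_alive_probe_interval description is bare; match one style.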
✨ Built with go 1.22.3
Full Changelog: v0.297.0...v0.298.0
0.297.0
Changes
- 🐛 FIXES KNOWN ISSUE: Gorouter now correctly returns the status code provided by backends for workflows using 100-continue or other 1xx interim status codes. Thanks for catching this @plowin and @domdom82, and thanks @geofffranks for the quick fix!
- 🐛 The TLS listener for the health status endpoint in gorouter now handles custom cipher suites that do not include any of the required HTTP/2 ciphers. Thanks @MarcPaquette and @geofffranks!
- 🐛 Failing to establish a TCP connection to a backend no longer causes a panic when setting up a WebSocket connection. Thanks @domdom82!
- ✨ The health status endpoint for gorouter can now log error messages encountered at startup, to aid in troubleshooting. Thanks @MarcPaquette and @geofffranks!
- ✨ Gorouter now provides a missing_content_length_header metric that flags requests that would be hit by Golang 1.22's new check rejecting requests with an empty Content-Length header. This can be used to determine whether an environment will be affected by disabling the go.httplaxcontentlength gorouter property. Thanks @mariash!
- NOTE: The metric is counting requests unaffected by the new golang behavior and will be updated in 0.298.0+, where it is also renamed to empty_content_length_header.
- ✨ Route registrar now allows operators to specify load balancing algorithms for individual routes. Thanks @b1tamara and @domdom82!
- Bumped to golang 1.22.3
Bosh Job Spec changes:
diff --git a/jobs/route_registrar/spec b/jobs/route_registrar/spec
index c51dbb9f..de81a0e8 100644
--- a/jobs/route_registrar/spec
+++ b/jobs/route_registrar/spec
@@ -125,7 +125,8 @@ properties:
with error, the route is unregistered.
router_group (required, string, for tcp routes): Name of the router group to which the TCP route should be added.
external_port (required, string, for tcp routes): Port that the TCP router will listen on.
- server_cert_domain_name_modifier (optional, string, for sni routes): a regex replace to help with complicated hostnames
+ server_cert_domain_name_modifier (optional, string, for sni routes): a regex replace to help with complicated hostnames.
+ options (optional, object, for http routes): Custom per-route options
health_check object
name (required, string): Human-readable reference for the healthcheck
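Review bot: the new options line only says "Custom per-route options"; since the only valid key is lb_algo, documented further down in this same spec, point readers there ("see the options object below") and say explicitly that it applies to http routes only, in the same style as the (required, ..., for tcp routes) annotations above it. The trailing-period change on server_cert_domain_name_modifier is an unrelated edit that would be cleaner in its own commit.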
@@ -135,6 +136,9 @@ properties:
the script is terminated with `SIGKILL` and the route is unregistered. Value is a string (e.g. "10s") and must parse to a positive time duration i.e. "-5s" is not permitted. Must be less than the value of `registration_interval`.
Default: Half of the value of `registration_interval`
+ options object
+ lb_algo (optional, string): Load balancing algorithm for routing incoming requests to the backend: 'round-robin' or 'least-connection'. In cases where this option is not specified, the algorithm defined in gorouter spec is applied.
+
example: |
- name: my-service
uris:
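Review bot: lb_algo's description does not say what happens when the value is neither 'round-robin' nor 'least-connection' (a typo such as 'round_robin'): whether route_registrar rejects the route at startup or gorouter silently falls back to its default. Validation at registration time with a clear error is the safer behaviour, and the spec should state which one applies. The added blank "+" line after the description is stray whitespace.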
@@ -150,6 +154,8 @@ properties:
script_path: /path/to/script
timeout: 5s
route_service_url: https://my-oauth-proxy-route-service.example.com
+ options:
+ lb_algo: least-connection
- name: my-tls-endpoint
tls_port: 12346
server_cert_domain_san: "my-tls-endpoint.internal.com"
✨ Built with go 1.22.3
Full Changelog: v0.296.0...v0.297.0
0.296.0
Known issue: for requests that use Expect: 100-continue to delay POST data until the backend issues a 100 Continue, gorouter incorrectly returns a 200 OK status code to the client, regardless of what final status code the backend set (e.g. 401, 502, 203 all appear as 200 to the client). HTTP access logs and Gorouter HTTP request metrics showed the correct status codes. Upgrading to routing-release 0.297.0 is advised.
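The failure mode described in the notice above, as an added example that is not part of the release notes and not routing-release code: a Go probe that POSTs with Expect: 100-continue and reports the final status the client actually receives, run here against a constructed backend behind net/http's reverse proxy, which stands in for gorouter. On an affected gorouter the backend's 401 would surface at the client as 200; Probe100Continue can be pointed at a route through a real gorouter to check that.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Probe100Continue POSTs body to target with "Expect: 100-continue" (and an optional Authorization
// value) and returns the final status the client saw; the transport withholds the body until "100 Continue".
func Probe100Continue(target, body, authz string) (int, error) {
	req, err := http.NewRequest(http.MethodPost, target, strings.NewReader(body))
	if err != nil {
		return 0, err
	}
	req.Header.Set("Expect", "100-continue")
	if authz != "" {
		req.Header.Set("Authorization", authz)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// NewStack starts a constructed backend behind net/http's reverse proxy (a stand-in for gorouter):
// the backend answers 401 without reading the body unless Authorization is set, else it drains it and 200s.
func NewStack() (proxy, backend *httptest.Server) {
	backend = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") == "" {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		_, _ = io.Copy(io.Discard, r.Body)
		w.WriteHeader(http.StatusOK)
	}))
	u, _ := url.Parse(backend.URL)
	return httptest.NewServer(httputil.NewSingleHostReverseProxy(u)), backend
}

func main() {
	proxy, _ := NewStack()
	fmt.Println(Probe100Continue(proxy.URL, "payload", "")) // a correct proxy prints "401 <nil>", not 200
}
```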
Changes
- Pass availability zone in route-registrar for AZ-aware routing of system components
- Bump Golang to 1.22
Bosh Job Spec changes:
diff --git a/jobs/acceptance_tests/spec b/jobs/acceptance_tests/spec
index e1a6a9ae..8122ddaf 100644
--- a/jobs/acceptance_tests/spec
+++ b/jobs/acceptance_tests/spec
@@ -7,7 +7,7 @@ templates:
bpm.yml.erb: config/bpm.yml
packages:
- - golang-1.21-linux
+ - golang-1.22-linux
- acceptance_tests
- rtr
- cf-cli-8-linux
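Review bot: the rename to golang-1.22-linux only shows the consumer side; make sure the golang-1.22-linux package, and the packages that compile against it (rtr, acceptance_tests), exist and build in this release, otherwise the job fails at package compile time. Since go 1.22 starts rejecting requests with an empty Content-Length header (see the go.httplaxcontentlength property introduced in 0.293.0), it is worth running this suite against an environment with that toggle left at false before cutting the release.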
diff --git a/jobs/smoke_tests/spec b/jobs/smoke_tests/spec
index b230192b..02edfd9d 100644
--- a/jobs/smoke_tests/spec
+++ b/jobs/smoke_tests/spec
@@ -7,7 +7,7 @@ templates:
bpm.yml.erb: config/bpm.yml
packages:
- - golang-1.21-linux
+ - golang-1.22-linux
- acceptance_tests
- cf-cli-8-linux
✨ Built with go 1.22.2
Full Changelog: v0.295.0...v0.296.0
0.295.0
Known issue: for requests that use Expect: 100-continue to delay POST data until the backend issues a 100 Continue, gorouter incorrectly returns a 200 OK status code to the client, regardless of what final status code the backend set (e.g. 401, 502, 203 all appear as 200 to the client). HTTP access logs and Gorouter HTTP request metrics showed the correct status codes. Upgrading to routing-release 0.297.0 is advised.
Changes
- Resolves #401 by reverting the removal of the deprecated BuildNameToCertificate() call
- Bumps to golang 1.21.9 + golang.org/x/net 0.23.0 to patch CVE-2023-45288
✨ Built with go 1.21.9
Full Changelog: v0.294.0...v0.295.0
0.294.0
Known issue: for requests that use Expect: 100-continue to delay POST data until the backend issues a 100 Continue, gorouter incorrectly returns a 200 OK status code to the client, regardless of what final status code the backend set (e.g. 401, 502, 203 all appear as 200 to the client). HTTP access logs and Gorouter HTTP request metrics showed the correct status codes. Upgrading to routing-release 0.297.0 is advised.
Changes
- Bump haproxy to 2.8.7
- update templates to not refer to consul
- Default the routing_api.enabled_api_endpoints to mtls
- Update template test for mTLS routing api default
- Upgrade cf-cli-8-linux
Bosh Job Spec changes:
diff --git a/jobs/routing-api/spec b/jobs/routing-api/spec
index 1d7efe3c..2e5cd361 100644
--- a/jobs/routing-api/spec
+++ b/jobs/routing-api/spec
@@ -95,7 +95,7 @@ properties:
routing_api.enabled_api_endpoints:
description: "Protocols that the routing api will listen on. Possible values: 'mtls', or 'both' (mTLS + HTTP)"
- default: "both"
+ default: "mtls"
routing_api.mtls_port:
description: "Port on which Routing API is running, listening with mTLS."
default: 3001
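Review bot: changing the default from "both" to "mtls" silently removes the plain-HTTP listener for every deployment that never pinned routing_api.enabled_api_endpoints, so clients that still reach the Routing API over HTTP break on upgrade. mTLS-only is the right default, but it needs the ❗BREAKING CHANGES callout that 0.289.0 uses and an upgrade note telling operators to set the property to "both" explicitly until every client presents a certificate, then drop back to "mtls".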
✨ Built with go 1.21.8
Full Changelog: v0.293.0...v0.294.0
0.293.0
Changes
Known issue: for requests that use Expect: 100-continue to delay POST data until the backend issues a 100 Continue, gorouter incorrectly returns a 200 OK status code to the client, regardless of what final status code the backend set (e.g. 401, 502, 203 all appear as 200 to the client). HTTP access logs and Gorouter HTTP request metrics showed the correct status codes. Upgrading to routing-release 0.297.0 is advised.
- Add toggle to allow empty Content-Length headers
- fix: Enable syslog forwarding for gorouter
- fix: Don't retry more often than endpoints available
- Add an option to enable concurrent reads and responses in HTTP/1
Bosh Job Spec changes:
diff --git a/jobs/gorouter/spec b/jobs/gorouter/spec
index e7c33d66..712a761f 100644
--- a/jobs/gorouter/spec
+++ b/jobs/gorouter/spec
@@ -161,6 +161,9 @@ properties:
router.enable_http2:
description: Enables support for HTTP/2 ingress traffic to the Gorouter. Also enables the option to use the HTTP/2 protocol for traffic to specified backends.
default: true
+ router.enable_http1_concurrent_read_write:
+ description: Enables concurrent request reads and response writes for HTTP/1 requests
+ default: false
router.min_tls_version:
description: Minimum accepted version of TLS protocol. All versions above this, up to the max_tls_version, will also be accepted. Valid values are TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3.
default: TLSv1.2
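Review bot: the router.enable_http1_concurrent_read_write description should say what changes for operators: with concurrent reads and writes gorouter may start forwarding a response before it has finished reading the request body, so document whether such a request is still eligible for the retries governed by router.backends.max_attempts (a partially consumed body cannot be replayed) and which kind of backend needs the option. As written an operator cannot tell whether turning it on is safe.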
@@ -194,8 +197,9 @@ properties:
router.backends.max_attempts:
description: |
Maximum number of attempts on failing requests against backend routes.
+ The number of attempts per request is limited by the number of endpoints on the route, regardless of this setting.
This includes CF apps and route-registrar endpoints.
- A value of 0 implies indefinite retries, i.e. retry until success or endpoint list is exhausted.
+ The minimum value for this setting is 1. This prevents gorouter from getting blocked by indefinite retries.
default: 3
router.backends.ca:
description: Certificate authority that was used to sign certificates for TLS-registered backends. In PEM format.
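Review bot: the 0 sentinel ("indefinite retries") is removed and the minimum is now 1, but the hunk does not say what happens to an existing deployment that has router.backends.max_attempts: 0 set: does the job fail to start, or is the value clamped to 1? Either way this is a behaviour change that belongs in the release notes (0.289.0 uses a ❗BREAKING CHANGES block for this kind of thing), and a template check that rejects values below 1 with a clear message would turn a silent misconfiguration into a deploy-time error.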
@@ -274,6 +278,15 @@ properties:
router.enable_log_attempts_details:
description: "Log additional fields in the access log that provide more details on the specific timings and attempts performed towards endpoints."
default: false
+ router.logging.syslog_tag:
+ description: "Tag to use when writing syslog messages"
+ default: "vcap.gorouter"
+ router.logging.syslog_addr:
+ description: "Address of a syslog server to send access logs"
+ default: "localhost:514"
+ router.logging.syslog_network:
+ description: "Network protocol to use when connecting to the syslog server. Valid values are 'tcp', 'udp', <empty>. When choosing an empty string value, the local syslog daemon is used."
+ default: "udp"
router.logging.format.timestamp:
description: |
Format for timestamp in component logs. Valid values are 'rfc3339', 'deprecated', and 'unix-epoch'."
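Review bot: router.logging.syslog_network defaults to "udp" with syslog_addr "localhost:514"; UDP is fine for the local daemon, but an operator who only changes syslog_addr to a remote host then ships access logs unencrypted, unauthenticated and without delivery guarantees. Suggest the description state that "tcp" (or the empty string for the local daemon) is the recommended choice for anything off-host, and that these three properties only take effect when router.enable_access_log_streaming (added further down in this diff) is true. The pre-existing stray quote at the end of the timestamp description ('unix-epoch'.") could be fixed while here.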
@@ -492,6 +505,9 @@ properties:
router.write_access_logs_locally:
description: "Enables writing access log to local disk."
default: true
+ router.enable_access_log_streaming:
+ description: "Enables streaming access log to syslog server."
+ default: false
router.suspend_pruning_if_nats_unavailable:
description: |
Suspend pruning of routes when NATs is unavailable and maintain the
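Review bot: router.enable_access_log_streaming's description should state its dependencies and failure mode: that it uses router.logging.syslog_addr, syslog_network and syslog_tag, and what happens to access log lines when the syslog server is unreachable (dropped, buffered, or blocking the request path). Operators who turn this on and set router.write_access_logs_locally to false need to know whether they can lose the audit trail.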
@@ -583,6 +599,14 @@ properties:
street_address: []
postal_code: []
default: []
+
healthchecker.failure_counter_file:
description: "File used by the healthchecker to monitor consecutive failures."
default: /var/vcap/data/gorouter/counters/consecutive_healthchecker_failures.count
+
+ go.httplaxcontentlength:
+ description: |
+ Environment Flag to temporarily allow requests containing an invalid, empty `Content-Length` header for backwards compatibility.
+ This toggle allows operators to add the `GODEBUG` field `httplaxcontentlength=1`, as allowable per the [go 1.22 release documentation](https://tip.golang.org/doc/go1.22#minor_library_changes).
+ Defaults to `false` as the default behavior in go 1.22+ is to reject these requests.
+ default: false
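Review bot: go.httplaxcontentlength is named unlike every other property in this spec (router.* and healthchecker.*), which makes it easy to miss in a manifest review; a router.-prefixed name would be consistent. The description should also say plainly that this re-enables acceptance of malformed requests the Go standard library now rejects on purpose (an empty Content-Length weakens strict message framing), that it is a migration aid, and in which release it will be removed. The link to tip.golang.org will drift; https://go.dev/doc/go1.22#minor_library_changes is the stable URL. The two blank "+" lines are stray whitespace.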
✨ Built with go 1.21.8
Full Changelog: v0.292.0...v0.293.0
0.292.0
Changes
- Dependency updates
- ✨ Adds support for Partitioned cookies to gorouter to allow for sticky sessions in embedded contexts. More information on 3rd-party cookie deprecation.
✨ Built with go 1.21.7
Full Changelog: v0.291.0...v0.292.0
0.291.0
Changes
- Bugfix: Mitigates issue when operators set router.route_service_internal_server_port. Previously, this configuration parameter was not passed through to the Gorouter configuration.
✨ Built with go 1.21.7
Full Changelog: v0.290.0...v0.291.0
0.290.0
Changes
- ✨ Adds opt-in support for NTLM and other challenge-response based authentication using Authorization: Negotiate flows by automatically enabling sticky sessions for those requests.
- Golang bump to 1.21.7
- Go package dependency bumps
Bosh Job Spec changes:
diff --git a/jobs/gorouter/spec b/jobs/gorouter/spec
index c291be45..e7c33d66 100644
--- a/jobs/gorouter/spec
+++ b/jobs/gorouter/spec
@@ -123,6 +123,9 @@ properties:
router.sticky_session_cookie_names:
description: "The names of the cookies to use for handling sticky sessions"
default: [ "JSESSIONID" ]
+ router.sticky_sessions_for_auth_negotiate:
+ description: "Controls whether or not gorouter will apply sticky sessions to request/response flows using 'Authorization: Negotiate'"
+ default: false
router.drain_wait:
description: |
Delay in seconds after shut down is initiated before server stops listening.
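Review bot: the description for router.sticky_sessions_for_auth_negotiate should say how the affinity is established and how long it lasts: whether gorouter pins the client to the backend instance for the whole connection or only while the Negotiate challenge/response exchange is in flight, and which cookie (one of router.sticky_session_cookie_names above, or a separate one) carries it. Since NTLM authenticates the connection rather than each request, operators also need to know whether a pinned backend connection is ever shared with other clients.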
✨ Built with go 1.21.7
Full Changelog: v0.289.0...v0.290.0
0.289.0
❗BREAKING CHANGES ❗
- A new reserved port 7070 has been added. Thanks @domdom82!
- Before deploying, please double-check your reserved ports settings for any clashes with port 7070, especially the router.prometheus.port property.
Changes
- (Feature) Add route_services_internal_server_port property
- (Bug) Add cipher-suites for TLS 1.3 and auto-generate the list from now on
Bosh Job Spec changes:
diff --git a/jobs/gorouter/spec b/jobs/gorouter/spec
index 30f535b8..c291be45 100644
--- a/jobs/gorouter/spec
+++ b/jobs/gorouter/spec
@@ -207,7 +207,7 @@ properties:
description:
An ordered, colon-delimited list of golang supported TLS cipher suites in OpenSSL or RFC format.
The selected cipher suite will be negotiated according to the order of this list during a TLS handshake.
- See https://github.com/golang/go/blob/release-branch.go1.9/src/crypto/tls/cipher_suites.go#L369-L390 for golang supported cipher suites.
+ See https://github.com/golang/go/blob/release-branch.go1.21/src/crypto/tls/cipher_suites.go#L663-L690 for golang supported cipher suites.
The first four of these are supported for TLSv1.0/1.1 only.
See https://www.openssl.org/docs/man1.1.0/apps/ciphers.html for a mapping of OpenSSL and RFC suite names.
default: "ECDHE-RSA-AES128-GCM-SHA256:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
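Review bot: the new link pins a line range (#L663-L690) in release-branch.go1.21, which will be stale at the next Go bump just as the go1.9 link was; the constants list at https://pkg.go.dev/crypto/tls#pkg-constants does not move. Since the changelog says the TLS 1.3 suites are now auto-generated, the description should also state that TLS 1.3 suites cannot be chosen through this list (Go does not allow configuring TLS 1.3 cipher suites), so operators do not try to add them here.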
@@ -243,6 +243,9 @@ properties:
router.route_services_internal_lookup_allowlist:
description: "a list of host names for route services that should be resolved internally. Each entry can be a fully qualified domain name or DNS wildcard (i.e. wildcard on 1 segment of a subdomain). If the list is empty, it is not in effect and internal lookup will be attempted for all host names, which can lead to CVE-2019-3789. Please turn on internal lookup only with an allowlist."
default: []
+ router.route_services_internal_server_port:
+ description: "Gorouter will use this port for internal route services."
+ default: 7070
router.route_services_secret_decrypt_only:
description: "To rotate keys, add your new key here and deploy. Then swap this key with the value of route_services_secret and deploy again."
default: ""
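Review bot: the description for router.route_services_internal_server_port should say which interface the port binds to (loopback only, or all interfaces) and that it must not collide with other reserved ports, in particular router.prometheus.port as the BREAKING CHANGES note above warns; a template-time check that fails the deploy when the two values are equal would enforce that instead of relying on operators to read the release notes.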
✨ Built with go 1.21.6
Full Changelog: v0.288.0...v0.289.0