Releases: cloudfoundry/routing-release
0.289.0
❗BREAKING CHANGES ❗
- A new reserved port 7070 has been added - Thanks @domdom82!
- Before deploying, please double-check your reserved ports settings for any clashes with port 7070, especially the router.prometheus.port property.
Changes
- (Feature) Add route_services_internal_server_port property
- (Bug) Add cipher-suites for TLS 1.3 and auto-generate the list from now on
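The cipher-suite change above replaces a hand-maintained list with one generated from the toolchain. The following is an added example, not routing-release code: it validates a colon-delimited suite list of the kind the gorouter spec property accepts against what the running Go version supports, treating TLS 1.3 names as accepted-but-not-configurable; the small OpenSSL-to-RFC name table is constructed for the example.

```go
// Added example, not routing-release code: validate a colon-delimited cipher
// suite list against what the running Go toolchain supports, so a typo or an
// insecure suite fails at validation time instead of silently at handshake time.
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// opensslToRFC maps OpenSSL spellings (as in the spec default) to RFC names; constructed, two entries only.
var opensslToRFC = map[string]string{
	"ECDHE-RSA-AES128-GCM-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"ECDHE-RSA-AES256-GCM-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

// supportedSuites is generated from the toolchain rather than hand-maintained;
// tls.CipherSuites() already omits what Go lists in tls.InsecureCipherSuites().
func supportedSuites() map[string]*tls.CipherSuite {
	m := map[string]*tls.CipherSuite{}
	for _, cs := range tls.CipherSuites() {
		m[cs.Name] = cs
	}
	return m
}

// ValidateCipherSuites returns the suite IDs to set in tls.Config.CipherSuites.
// TLS 1.3 names are accepted but not returned: Go negotiates TLS 1.3 suites
// itself and ignores tls.Config.CipherSuites for that version.
func ValidateCipherSuites(list string) ([]uint16, error) {
	known := supportedSuites()
	var ids []uint16
	for _, raw := range strings.Split(list, ":") {
		name := strings.TrimSpace(raw)
		if rfc, ok := opensslToRFC[name]; ok {
			name = rfc
		}
		cs, ok := known[name]
		if !ok {
			return nil, fmt.Errorf("cipher suite %q is unknown to this Go version or insecure", raw)
		}
		if len(cs.SupportedVersions) == 1 && cs.SupportedVersions[0] == tls.VersionTLS13 {
			continue
		}
		ids = append(ids, cs.ID)
	}
	return ids, nil
}
```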
Bosh Job Spec changes:
diff --git a/jobs/gorouter/spec b/jobs/gorouter/spec
index 30f535b8..c291be45 100644
--- a/jobs/gorouter/spec
+++ b/jobs/gorouter/spec
@@ -207,7 +207,7 @@ properties:
description:
An ordered, colon-delimited list of golang supported TLS cipher suites in OpenSSL or RFC format.
The selected cipher suite will be negotiated according to the order of this list during a TLS handshake.
- See https://github.com/golang/go/blob/release-branch.go1.9/src/crypto/tls/cipher_suites.go#L369-L390 for golang supported cipher suites.
+ See https://github.com/golang/go/blob/release-branch.go1.21/src/crypto/tls/cipher_suites.go#L663-L690 for golang supported cipher suites.
The first four of these are supported for TLSv1.0/1.1 only.
See https://www.openssl.org/docs/man1.1.0/apps/ciphers.html for a mapping of OpenSSL and RFC suite names.
default: "ECDHE-RSA-AES128-GCM-SHA256:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
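Review bot: the only change in this hunk is the Go source link, and it is again pinned to line numbers (#L663-L690) on a release branch, which will drift the next time cipher_suites.go is edited; link to the CipherSuites() and InsecureCipherSuites() documentation on pkg.go.dev instead, or say that the accepted list is now generated from the toolchain. The unchanged sentence "The first four of these are supported for TLSv1.0/1.1 only" refers to a list that is no longer in the description, and `default:` still names only TLS 1.2 suites; since Go does not let tls.Config.CipherSuites select TLS 1.3 suites, say explicitly whether TLS 1.3 names are accepted for validation only.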
@@ -243,6 +243,9 @@ properties:
router.route_services_internal_lookup_allowlist:
description: "a list of host names for route services that should be resolved internally. Each entry can be a fully qualified domain name or DNS wildcard (i.e. wildcard on 1 segment of a subdomain). If the list is empty, it is not in effect and internal lookup will be attempted for all host names, which can lead to CVE-2019-3789. Please turn on internal lookup only with an allowlist."
default: []
+ router.route_services_internal_server_port:
+ description: "Gorouter will use this port for internal route services."
+ default: 7070
router.route_services_secret_decrypt_only:
description: "To rotate keys, add your new key here and deploy. Then swap this key with the value of route_services_secret and deploy again."
default: ""
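Review bot: `router.route_services_internal_server_port` defaults to 7070, which the release notes call a new reserved port, but the description does not say that it opens a listener, on which interface it binds, or that it must not collide with other reserved ports such as `router.prometheus.port`; spell that out in `description:` so operators reading the spec rather than the release notes can check for clashes before deploying.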
✨ Built with go 1.21.6
Full Changelog: v0.288.0...v0.289.0
0.288.0
Changes
- ✨ [Feature] Operators can now configure to prefer AZ-local backends before proxying to backends in other availability zones (#356)
- Protect against data race when ReverseProxy modifies response headers
- Fix ability to start gorouter with the default config (cloudfoundry/gorouter#387)
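The AZ-preference feature above (first attempt confined to the router's own availability zone, retries across all zones) as an added example, not gorouter's implementation; the fallback to all AZs when the router's AZ has no backend is an assumption of this example.

```go
// Added example, not gorouter code: a "locally-optimistic" AZ preference layered
// on round-robin, as router.balancing_algorithm_az_preference describes. Falling
// back to all AZs when the router's own AZ has no backend is an assumption here.
package main

type Endpoint struct {
	Addr string
	AZ   string
}

type Pool struct {
	Endpoints []Endpoint
	RouterAZ  string // AZ the router itself runs in
	cursor    int    // round-robin position, shared across attempts
}

// candidates returns the backends eligible for a given attempt (1 = first try).
// With "locally-optimistic", attempt 1 is confined to the router's own AZ and
// every retry widens to all AZs; with "none", every attempt uses all backends.
func (p *Pool) candidates(attempt int, preference string) []Endpoint {
	if preference != "locally-optimistic" || attempt > 1 {
		return p.Endpoints
	}
	var local []Endpoint
	for _, e := range p.Endpoints {
		if e.AZ == p.RouterAZ {
			local = append(local, e)
		}
	}
	if len(local) == 0 {
		return p.Endpoints // assumption: no local backend, behave like "none"
	}
	return local
}

// Next applies round-robin over this attempt's candidates; ok is false for an empty pool.
func (p *Pool) Next(attempt int, preference string) (e Endpoint, ok bool) {
	c := p.candidates(attempt, preference)
	if len(c) == 0 {
		return Endpoint{}, false
	}
	e = c[p.cursor%len(c)]
	p.cursor++
	return e, true
}
```

A caller retries by calling Next with an increasing attempt number after a failed backend, which is what widens the search beyond the local AZ.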
Bosh Job Spec changes:
diff --git a/jobs/gorouter/spec b/jobs/gorouter/spec
index 8fc23a78..30f535b8 100644
--- a/jobs/gorouter/spec
+++ b/jobs/gorouter/spec
@@ -101,6 +101,16 @@ properties:
router.balancing_algorithm:
description: "Algorithm used to distribute requests for a route across backends. Supported values are round-robin and least-connection"
default: round-robin
+ router.balancing_algorithm_az_preference:
+ description: |
+ Configuration option used in conjunction with the `router.balancing_algorithm` to decide from which
+ availability zone to pick a suitable backend. Defaults to "None".
+ "none" - There is no preference regarding availability zones. The router uses the
+ `router.balancing_algorithm` across all possible backends in all existing AZs.
+ "locally-optimistic" - On the initial attempt to pick a backend, the router will use
+ `router.balancing_algorithm` across all backends in the same AZ as the router itself. Subsequent
+ retries, in the case of failure or unavailability, will use _all_ available AZs.
+ default: "none"
router.number_of_cpus:
description: "Number of CPUs to utilize, the default (-1) will equal the number of available CPUs"
default: -1
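Review bot: the description says 'Defaults to "None"' while `default:` is the lower-case "none" and the enumerated value is also "none"; use one spelling so a copy-pasted "None" does not become an unrecognized value. The description should also state what happens with a value outside {"none", "locally-optimistic"} (fail templating, or fall back to "none"), and what "locally-optimistic" does on the first attempt when no backend exists in the router's own AZ.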
✨ Built with go 1.21.6
Full Changelog: v0.287.0...v0.288.0
0.287.0
Changes
- Route-Registrar now supports specifying a NATS server CA via the nats.tls.ca_cert property if it is not present via a BOSH link. (#379) Thanks @benjaminguttmann-avtq!!
Bosh Job Spec changes:
diff --git a/jobs/route_registrar/spec b/jobs/route_registrar/spec
index be708025..c51dbb9f 100644
--- a/jobs/route_registrar/spec
+++ b/jobs/route_registrar/spec
@@ -53,6 +53,8 @@ properties:
description: "PEM-encoded certificate for the route-registrar to present to NATS for verification when connecting via TLS."
nats.tls.client_key:
description: "PEM-encoded private key for the route-registrar to present to NATS for verification when connecting via TLS."
+ nats.tls.ca_cert:
+ description: "The certificate authority certificate used for the route registrar"
nats.fail_if_using_nats_without_tls:
description: |
Connecting to nats (instead of nats-tls) is deprecated. The nats
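Review bot: the new `nats.tls.ca_cert` description, "The certificate authority certificate used for the route registrar", is vaguer than its siblings; match their wording (for example "PEM-encoded CA certificate used to verify the NATS server when connecting via TLS") and note that it is only consulted when no BOSH link supplies the CA, which is the behaviour the release notes describe.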
✨ Built with go 1.21.6
Full Changelog: v0.286.0...v0.287.0
0.286.0
❗BREAKING CHANGES ❗
- The deprecated /varz and /healthz endpoints for gorouter on port 8080 have been removed - Thanks @ameowlia and @geofffranks!
- The /routes endpoint on gorouter's port 8080 has been moved to port 8082, and is available only on localhost - Thanks @ameowlia and @geofffranks!
- TLS certificates for gorouter + tcp_router's health endpoints are now required to deploy. Fortunately this is provided automatically in cf-deployment - Thanks @ameowlia and @geofffranks!
Changes
- 🐛 Fix a nil panic in gorouter cloudfoundry/gorouter#372 - Thanks @maxmoehl + @domdom82!
- ✨ Adds availability zone info to endpoint data in gorouter cloudfoundry/gorouter#381 - Thanks @ameowlia!
- ✨ Speed up gorouter's route registry cloudfoundry/gorouter#379 - Thanks @peanball and @domdom82 !
- ✨ Also more performance improvements to gorouter's route registry cloudfoundry/gorouter#378 - Thanks @peanball and @domdom82!
- ✨ Adds an always-on TLS capable healthcheck endpoint for gorouter on port 8443 - Thanks @marc and @geofffranks!
- ✨ Adds an always-on TLS capable healthcheck endpoint for tcp_router on port 443 - Thanks @ameowlia and @geofffranks!
- ✨ Operators can now toggle off the non-tls healthcheck endpoint for gorouter via router.status.enable_nontls_health_checks - Thanks @ameowlia and @geofffranks!
- ✨ Operators can now toggle off the non-tls healthcheck endpoint for tcp_router via tcp_router.enable_nontls_health_checks - Thanks @ameowlia and @geofffranks!
Bosh Job Spec changes:
diff --git a/jobs/gorouter/spec b/jobs/gorouter/spec
index 35576742..8fc23a78 100644
--- a/jobs/gorouter/spec
+++ b/jobs/gorouter/spec
@@ -57,11 +57,21 @@ properties:
default: router-status
router.status.password:
description: "Password for HTTP basic auth to the /varz and /routes endpoints."
+ router.status.enable_nontls_health_checks:
+ description: "Toggles whether or not gorouter will listen on a non-tls endpoint for load balancer health checks."
+ default: true
+ router.status.enable_deprecated_varz_healthz_endpoints:
+ description: |
+ Toggles whether or not gorouter will respond to the deprecated /healthz,
+ /varz, and /routes endpoints on its non-tls load balancer status port.
+ Requires 'router.status.enable_nontls_health_checks' to be true.
+ default: false
router.status.routes.port:
description: "Port used for the /routes endpoint (available on localhost-only)"
default: 8082
router.status.tls.port:
description: "Port used for the TLS listener of the LB healthcheck endpoint"
+ default: 8443
router.status.tls.certificate:
description: "TLS Certificate used for the TLS listener of the LB healthcheck endpoint"
router.status.tls.key:
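Review bot: `router.status.password` still says it protects "/varz and /routes", but this hunk turns /varz off by default (`enable_deprecated_varz_healthz_endpoints: false`) and the release moves /routes to a localhost-only port; update that description so it is clear which listener the credentials still guard. `router.status.tls.port` gains `default: 8443`, whereas `router.status.tls.certificate` and `router.status.tls.key` have no default yet the release notes say they are now required to deploy; the descriptions should say so.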
diff --git a/jobs/tcp_router/spec b/jobs/tcp_router/spec
index dd3b8a4e..44fbb41a 100644
--- a/jobs/tcp_router/spec
+++ b/jobs/tcp_router/spec
@@ -10,6 +10,7 @@ templates:
routing_api_client_certificate.crt.erb: config/certs/routing-api/client.crt
routing_api_client_private.key.erb: config/keys/routing-api/client.key
routing_api_ca_certificate.crt.erb: config/certs/routing-api/ca_cert.crt
+ tcp_router_health_check_certificate.pem.erb: config/certs/health.pem
haproxy.conf.erb: config/haproxy.conf
haproxy.conf.template.erb: config/haproxy.conf.template
bpm.yml.erb: config/bpm.yml
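Review bot: the new template renders a single `config/certs/health.pem` from a file named `tcp_router_health_check_certificate.pem.erb`, while the properties in the next hunk define both `tcp_router.tls_health_check_cert` and `tcp_router.tls_health_check_key`; if the key is concatenated into that one PEM (the usual haproxy layout), name the template accordingly and make sure the rendered file is not world-readable, since it then holds a private key.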
@@ -66,9 +67,20 @@ properties:
tcp_router.request_timeout_in_seconds:
description: "Server and client timeouts in seconds"
default: 300
+
+ tcp_router.enable_nontls_health_checks:
+ description: "Toggles on/off whether or not to listen for load balancer health check requests on the non-tls `tcp_router.health_check_port` port"
+ default: true
tcp_router.health_check_port:
description: "Load balancer in front of TCP Routers should be configured to check the health of TCP Router instances by establishing a TCP connection on this port"
default: 80
+ tcp_router.tls_health_check_port:
+ description: "Load balancer in front of TCP Routers should be configured to check the health of TCP Router instances by establishing a TLS connection on this port"
+ default: 443
+ tcp_router.tls_health_check_cert:
+ description: "TLS certificate to use on the TCP Router's TLS health check port"
+ tcp_router.tls_health_check_key:
+ description: "TLS private key to use on the TCP Router's TLS health check port"
tcp_router.fail_on_router_port_conflicts:
description: "Fail the tcp router if routing_api.reserved_system_component_ports conflict with ports in existing router groups."
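Review bot: the bare `+` line adds a trailing blank line before `tcp_router.enable_nontls_health_checks`, which no other property in this spec has; drop it. "Toggles on/off whether or not to listen" is doubly redundant; "Whether to listen for load balancer health checks on the non-TLS `tcp_router.health_check_port`" reads better. `tcp_router.tls_health_check_cert` and `tcp_router.tls_health_check_key` have no default and the release notes say they are required; state that in their descriptions.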
✨ Built with go 1.21.6
Full Changelog: v0.285.0...v0.286.0
0.285.0
Changes
- A new localhost:8082 endpoint has been added for retrieving the routing table on gorouter. This is in preparation for removing non-TLS LB-health check endpoints from the public :8080 listener for increased security. /var/vcap/jobs/gorouter/bin/retrieve-local-routes is updated and still the official way to retrieve the local routing table on a gorouter. The port this listens on can be configured via the router.status.routes.port property.
- A new TLS-enabled endpoint for LB health checks has been added on :8443. This can be configured via the router.status.tls.port, router.status.tls.certificate and router.status.tls.key properties.
- routing-api has been updated to work towards supporting a TLS-only CF deployment. Thanks @reneighbor!
- gorouter's proxy package received some test enhancements for increased test stability. Thanks @domdom82!
- gorouter's pool.Endpoint.Equals() received a performance improvement thanks to @peanball!
- Route-registrar will now fail if it is configured to talk to NATS without using TLS. This can be toggled via the nats.fail_if_using_nats_without_tls property. Thanks @ameowlia!
Bosh Job Spec changes:
diff --git a/jobs/gorouter/spec b/jobs/gorouter/spec
index e9a9dd73..35576742 100644
--- a/jobs/gorouter/spec
+++ b/jobs/gorouter/spec
@@ -57,6 +57,15 @@ properties:
default: router-status
router.status.password:
description: "Password for HTTP basic auth to the /varz and /routes endpoints."
+ router.status.routes.port:
+ description: "Port used for the /routes endpoint (available on localhost-only)"
+ default: 8082
+ router.status.tls.port:
+ description: "Port used for the TLS listener of the LB healthcheck endpoint"
+ router.status.tls.certificate:
+ description: "TLS Certificate used for the TLS listener of the LB healthcheck endpoint"
+ router.status.tls.key:
+ description: "Private Key used for the TLS listener of the LB healthcheck endpoint"
router.prometheus.port:
description: "Port for the prometheus endpoint."
router.prometheus.server_name:
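Review bot: `router.status.tls.port` has no `default:` here although the release notes say the TLS health-check listener comes up on :8443; add `default: 8443` (as the sibling `router.status.routes.port` does with 8082) so a deployment that does not set the property gets the documented port rather than a templating failure or an unset listener. The certificate and key descriptions should also say whether they are required or whether the TLS listener stays off when they are absent.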
diff --git a/jobs/route_registrar/spec b/jobs/route_registrar/spec
index bf3d9a03..be708025 100644
--- a/jobs/route_registrar/spec
+++ b/jobs/route_registrar/spec
@@ -53,6 +53,13 @@ properties:
description: "PEM-encoded certificate for the route-registrar to present to NATS for verification when connecting via TLS."
nats.tls.client_key:
description: "PEM-encoded private key for the route-registrar to present to NATS for verification when connecting via TLS."
+ nats.fail_if_using_nats_without_tls:
+ description: |
+ Connecting to nats (instead of nats-tls) is deprecated. The nats
+ process will be removed soon. Please migrate to using nats-tls as soon
+ as possible. If you must continue using nats for a short time you can
+ set this flag to false.
+ default: true
host:
description: (string, optional) By default, route_registrar will detect the IP of the VM and use it, in combination with port as the backend destination for each uri being registered. This property enables overriding the destination hostname or IP.
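Review bot: `nats.fail_if_using_nats_without_tls` defaults to `true`, which makes route-registrar refuse to start for any deployment still consuming the plain `nats` link; that is a behaviour change on upgrade and belongs in a BREAKING CHANGES section of the release notes, not only in this description. The description should also tell the operator what to change (consume the nats-tls link) rather than only "migrate to using nats-tls".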
✨ Built with go 1.21.5
Full Changelog: v0.284.0...v0.285.0
0.284.0
Changes
- Upgrade to Golang 1.21.4
- Bump dependencies
✨ Built with go 1.21.4
Full Changelog: v0.283.0...v0.284.0
0.283.0
Changes
- Adds missing timings to non-http backend requests, e.g. websockets. (cloudfoundry/gorouter#363) (Fixes: #278) - Thanks @domdom82!
- Adds ability for gorouter to verify mTLS Client Certificate metadata (#355) - Thanks @peanball!
- CI Enhancements and updates
- Package Dependency bumps
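The client certificate metadata check described in this release (a per-issuer allowlist of leaf subjects, applied after the regular mTLS validation against client_ca_certs) as an added example; this is not gorouter's implementation, and the rule that an empty field leaves that attribute unconstrained is an assumption of the example.

```go
// Added example, not gorouter code: the per-issuer subject allowlist described
// for router.verify_client_certificate_metadata, applied after normal mTLS chain
// validation. "Empty field means unconstrained" is an assumption of this example.
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"reflect"
)

// Rule: an issuer DN that must appear in the chain, and the leaf subjects it may have signed.
type Rule struct {
	IssuerInChain     pkix.Name
	ValidCertSubjects []pkix.Name
}

// nameMatches compares the nine fields the spec lists. An empty string or empty
// list in the rule leaves that field unconstrained, so a rule with every field
// empty allows any certificate: reject such rules at config-validation time.
func nameMatches(rule, got pkix.Name) bool {
	str := func(want, have string) bool { return want == "" || want == have }
	list := func(want, have []string) bool { return len(want) == 0 || reflect.DeepEqual(want, have) }
	return str(rule.CommonName, got.CommonName) && str(rule.SerialNumber, got.SerialNumber) &&
		list(rule.Country, got.Country) && list(rule.Organization, got.Organization) &&
		list(rule.OrganizationalUnit, got.OrganizationalUnit) && list(rule.Locality, got.Locality) &&
		list(rule.Province, got.Province) && list(rule.StreetAddress, got.StreetAddress) &&
		list(rule.PostalCode, got.PostalCode)
}

// VerifyMetadata has the shape of tls.Config.VerifyPeerCertificate: Go hands it
// chains that already validate against client_ca_certs, and it adds the allowlist.
func VerifyMetadata(rules []Rule) func([][]byte, [][]*x509.Certificate) error {
	return func(_ [][]byte, chains [][]*x509.Certificate) error {
		for _, chain := range chains {
			for _, r := range rules {
				for i := 1; i < len(chain); i++ { // CA certificates only, never the leaf at chain[0]
					for _, s := range r.ValidCertSubjects {
						if nameMatches(r.IssuerInChain, chain[i].Subject) && nameMatches(s, chain[0].Subject) {
							return nil
						}
					}
				}
			}
		}
		return errors.New("client certificate subject is not allowed for its issuing CA")
	}
}
```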
Bosh Job Spec changes:
diff --git a/jobs/gorouter/spec b/jobs/gorouter/spec
index 2bb394e9..e9a9dd73 100644
--- a/jobs/gorouter/spec
+++ b/jobs/gorouter/spec
@@ -415,7 +415,7 @@ properties:
default: 5
websocket_dial_timeout_in_seconds:
description: |
- Maximum time in seconds for gorouter to establish a websocket upgrade for the websocket ForwardIO connection with a backend.
+ Maximum time in seconds for gorouter to establish a websocket upgrade for the websocket ForwardIO connection with a backend.
This timeout comes before `tls_handshake_timeout_in_seconds` and `request_timeout_in_seconds`. When not set, defaults to `endpoint_dial_timeout_in_seconds`.
default: endpoint_dial_timeout_in_seconds
tls_handshake_timeout_in_seconds:
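Review bot: the `-`/`+` pair for the websocket_dial_timeout_in_seconds description is textually identical, so this is a whitespace-only change (most likely trailing whitespace); say so in the commit message so reviewers do not hunt for a wording difference. Separately, `default: endpoint_dial_timeout_in_seconds` is the name of another property rather than a number of seconds; if the template resolves that reference, say so in the description, otherwise leave the default empty and document the fallback in prose only.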
@@ -518,6 +518,36 @@ properties:
description: "The number of file descriptors a router can have open at one time"
default: 100000
+ router.enable_verify_client_certificate_metadata:
+ description: |
+ Enable additional client certificate verification via verify_client_certificate_metadata (see below).
+ default: false
+ router.verify_client_certificate_metadata:
+ description: |
+ Additional client certificate verification, after the certificate was validated using the regular mTLS mechanism and is issued using one of the CAs in `client_ca_certs`.
+ The additional verification limits the allowed client certificates for a given signing CA (identified by its distinguished name) to certificates with subjects provided in the list of valid subjects. Within the certificate chain there may be more than one CA certificates (e.g. intermediate CA certificates). The `issuer_in_chain` must match one of the CA certificates in the chain.
+ Each list entry contains an issuer_in_chain with a corresponding list of valid subjects. Each issuer_in_chain must match one of the certificates in `client_ca_certs`. When an issuer_in_chain is defined that does not match, this raises an error during templating time and at startup in gorouter.
+ - issuer_in_chain:
+ common_name: ""
+ serial_number: ""
+ country: []
+ organization: []
+ organizational_unit: []
+ locality: []
+ province: []
+ street_address: []
+ postal_code: []
+ valid_cert_subjects:
+ - common_name: ""
+ serial_number: ""
+ country: []
+ organization: []
+ organizational_unit: []
+ locality: []
+ province: []
+ street_address: []
+ postal_code: []
+ default: []
healthchecker.failure_counter_file:
description: "File used by the healthchecker to monitor consecutive failures."
default: /var/vcap/data/gorouter/counters/consecutive_healthchecker_failures.count
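Review bot: the description says a non-matching `issuer_in_chain` fails templating and startup, but the schema shown leaves the matching semantics of empty values undefined: does `common_name: ""` or `organization: []` mean "any value" or "must be empty"? For an allowlist this matters, because under "any value" semantics a `valid_cert_subjects` entry with every field empty admits every certificate signed by that CA, and an all-empty `issuer_in_chain` matches every CA in `client_ca_certs`. Document the rule in the description and have the templating-time check reject entries that constrain nothing.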
✨ Built with go 1.21.3
Full Changelog: v0.282.0...v0.283.0
0.282.0
Changes
- [Security Fix] Bumped to golang 1.21.3 - This bump contains a patch for CVE-2023-44487 (HTTP/2 Rapid Reset vulnerability).
- Prevent certain requests from causing a panic by validating the length of the trace ID prior to parsing it as a UUID (Fixes: #346) - Thanks @domdom82!
- Fixes an incorrect calculation of the gorouter_time if router.enable_log_attempts_details is active (Fixes #348) - Thanks @domdom82!
- CI Enhancements and updates
- Package Dependency bumps
✨ Built with go 1.21.3
Full Changelog: v0.281.0...v0.282.0
0.281.0
Changes
- Check trace ID length before parsing the UUID (#346)
- Bump go to 1.21.1
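The trace ID length check that 0.281.0 and 0.282.0 both mention (#346) as an added example, not gorouter's code: the length is checked before any slicing or decoding, so a malformed header value produces an error for that request instead of a panic. The 32-hex-character input format is an assumption of this example.

```go
// Added example, not gorouter code: parse a trace ID into a UUID only after
// checking its length, so a malformed value yields an error instead of an
// index-out-of-range panic that would take down the request.
package main

import (
	"encoding/hex"
	"fmt"
)

// ParseTraceID accepts the 32-hex-character (128-bit) form that fits a UUID.
// Assumption for this example: shorter or longer values are rejected rather
// than padded or truncated.
func ParseTraceID(s string) ([16]byte, error) {
	var id [16]byte
	if len(s) != 32 {
		return id, fmt.Errorf("trace id has length %d, want 32", len(s))
	}
	if _, err := hex.Decode(id[:], []byte(s)); err != nil {
		return id, fmt.Errorf("trace id is not hex: %w", err)
	}
	return id, nil
}

// FormatUUID renders the 16 bytes in 8-4-4-4-12 form, as a UUID library would.
func FormatUUID(id [16]byte) string {
	h := hex.EncodeToString(id[:])
	return h[0:8] + "-" + h[8:12] + "-" + h[12:16] + "-" + h[16:20] + "-" + h[20:]
}
```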
✨ Built with go 1.21.1
Full Changelog: v0.280.0...v0.281.0
0.280.0
Changes
- Gorouter now logs the IP of the NATS server it's connecting to/disconnecting from (instead of just the BOSH DNS name) for troubleshooting clarity. (cloudfoundry/gorouter#362) - Thanks @domdom82!!
- Bumped CF CLI to v8.7.2
✨ Built with go 1.21.0
Full Changelog: v0.279.0...v0.280.0