.. _version_history_1.32.0:

1.32.0 (Pending)
=================

Incompatible behavior changes
-----------------------------
*Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required*

* **http**: Added HTTP1-safe option for :ref:`max_connection_duration ` in HttpConnectionManager. When enabled, ``max_connection_duration`` will only drain downstream HTTP1 connections by adding the ``Connection: close`` response header; it will never cause the HttpConnectionManager to close the connection itself. Defaults to off ("unsafe" -- check #34356) and is configurable via :ref:`http1_safe_max_connection_duration `.
* **stats scoped_rds**: Added new tag extraction so that scoped rds stats have their :ref:`scope_route_config_name ` and stat prefix extracted.
* **tracing**: Removed support for (long deprecated) opentracing. See `issue 27401 `_ for details.

Minor behavior changes
----------------------
*Changes that may cause incompatibilities for some users, but should not for most*

* **command line options**: :option:`--enable-fine-grain-logging` and :option:`--component-log-level` were incompatible in that one would make the other ineffective. Setting both options at once is now an error, to reduce potential confusion.
* **http3**: HTTP/3 alt-svc headers will now be respected from IP-address-based hostnames. This change is guarded by runtime guard ``envoy.reloadable_features.allow_alt_svc_for_ips``.
* **http3**: The ACCEPT_UNTRUSTED option now works more consistently for HTTP/3 requests. This change is guarded by ``envoy.reloadable_features.extend_h3_accept_untrusted``.
* **lua**: When a Lua script executes ``httpCall``, backpressure is now exercised while receiving the body from the downstream client. This behavior can be reverted by setting the runtime guard ``envoy.reloadable_features.lua_flow_control_while_http_call`` to false.
* **sni**: When computing the SNI and SAN values for the auto-sni and auto-san verification feature, route host manipulations are now taken into account. This behavior can be reverted by setting the runtime guard ``envoy_reloadable_features_use_route_host_mutation_for_auto_sni_san`` to false.
* **tcp**: Added support for the :ref:`connection_pool_per_downstream_connection ` flag in the TCP connection pool.

Bug fixes
---------
*Changes expected to improve the state of the world and are unlikely to have negative effects*

* **c-ares**: Applied a C-ares patch to fix DNS resolution by the Google gRPC library.
* **dns**: The DNS filter no longer returns FORMERR if a message has an ID of 0.
* **ext_proc**: Added a runtime guard for the timeout error code 504 Gateway Timeout that is returned to downstream. If the runtime flag ``envoy.reloadable_features.ext_proc_timeout_error`` is set to false, the old error code 500 Internal Server Error will be returned.
* **quic**: Fixed the access log formatter ``%CONNECTION_ID%`` for QUIC connections.
* **websocket**: Fixed a bug where the websocket upgrade filter would not take into account per-filter configs.

Removed config or runtime
-------------------------
*Normally occurs at the end of the* :ref:`deprecation period `

* **DNS**: Removed ``envoy.reloadable_features.dns_cache_set_first_resolve_complete`` runtime flag and legacy code paths.
* **dynamic forward proxy**: Removed ``envoy.reloadable_features.normalize_host_for_preresolve_dfp_dns`` runtime flag and legacy code paths.
* **ext_proc**: Removed runtime flag ``envoy_reloadable_features_immediate_response_use_filter_mutation_rule`` and legacy code path.
* **ext_proc**: Removed runtime flag ``envoy_reloadable_features_send_header_raw_value`` and legacy code path.
* **grpc reverse bridge**: Removed ``envoy.reloadable_features.grpc_http1_reverse_bridge_change_http_status`` runtime flag and legacy code paths.
* **grpc reverse bridge**: Removed ``envoy.reloadable_features.grpc_http1_reverse_bridge_handle_empty_response`` runtime flag and legacy code paths.
* **http**: Removed runtime flag ``envoy.reloadable_features.abort_filter_chain_on_stream_reset`` and legacy code path.
* **http**: Removed runtime flag ``envoy.reloadable_features.http1_connection_close_header_in_redirect`` and legacy code paths.
* **http**: Removed runtime flag ``envoy.reloadable_features.no_downgrade_to_canonical_name`` and legacy code path.
* **quic**: Removed ``envoy.reloadable_features.quic_fix_filter_manager_uaf`` runtime flag and legacy code paths.
* **stateful_session**: Removed ``envoy.reloadable_features.stateful_session_encode_ttl_in_cookie`` runtime flag and legacy code paths.
* **tls**: Removed runtime flag ``envoy.reloadable_features.ssl_transport_failure_reason_format``.
* **udp**: Removed ``envoy.restart_features.udp_read_normalize_addresses`` runtime flag and legacy code paths.
* **upstream**: Removed runtime flag ``envoy.reloadable_features.avoid_zombie_streams`` and legacy code paths.
* **upstream**: Removed runtime flag ``envoy.reloadable_features.upstream_allow_connect_with_2xx`` and legacy code paths.
* **upstream flow control**: Removed ``envoy.reloadable_features.upstream_wait_for_response_headers_before_disabling_read`` runtime flag and legacy code paths.

New features
------------

* **access_log**: Added new access log command operators ``%START_TIME_LOCAL%`` and ``%EMIT_TIME_LOCAL%``, similar to ``%START_TIME%`` and ``%EMIT_TIME%``, but using the local time zone.
* **access_log**: Added the ``%UPSTREAM_CLUSTER_RAW%`` access log formatter to log the original upstream cluster name, regardless of whether ``alt_stat_name`` is set.
* **dns**: Prefer using IPv6 address when addresses from both families are available. Can be reverted by setting ``envoy.reloadable_features.prefer_ipv6_dns_on_macos`` to false.
* **ext_authz**: Added config field :ref:`filter_metadata ` for injecting arbitrary data to the filter state for logging.
* **formatter**: Added full-featured ``absl::FormatTime()`` support to the DateFormatter. This allows the timepoint formatters (like ``%START_TIME%``) to use ``%E#S``, ``%E*S``, ``%E#f`` and ``%E*f`` to format the subsecond part of the timepoint.
* **grpc_field_extraction**: Added ``map`` support: Target fields of type ``map`` can be extracted and added to dynamic metadata.
* **http_11_proxy**: Added the option to configure the transport socket via locality or endpoint metadata.
* **jwt_authn**: Added missing implementation to jwt_authn matchers to allow glob pattern matching.
* **matching**: Added dynamic metadata matcher support :ref:`Dynamic metadata input ` and :ref:`Dynamic metadata input matcher `.
* **ratelimit**: Added the ability to modify :ref:`hits_addend ` by setting filter state value ``envoy.ratelimit.hits_addend`` to the desired value.
* **rbac**: Added :ref:`delay_deny ` to support denying a connection after the configured duration.
* **redis**: Added support for publish.
* **sockets**: Added socket ``type`` field for specifying a socket type to apply the socket option to under :ref:`SocketOption `. If not specified, the socket option will be applied to all socket types.
* **tls**: Added :ref:`prefer_client_ciphers ` to support enabling client cipher preference instead of the server's for TLS handshakes.
* **tls**: Added an extension point :ref:`custom_tls_certificate_selector ` to allow overriding TLS certificate selection behavior. An extension can select a certificate based on the incoming SNI, in both sync and async mode.