Releases: cloudfoundry/routing-release

0.283.0

20 Oct 15:34

Changes

  • Adds missing timings to non-http backend requests, e.g. websockets. (cloudfoundry/gorouter#363) (Fixes: #278)
  • Adds ability for gorouter to verify mTLS Client Certificate metadata (#355)
  • CI Enhancements and updates
  • Package Dependency bumps

Bosh Job Spec changes:

diff --git a/jobs/gorouter/spec b/jobs/gorouter/spec
index 2bb394e9..e9a9dd73 100644
--- a/jobs/gorouter/spec
+++ b/jobs/gorouter/spec
@@ -415,7 +415,7 @@ properties:
     default: 5
   websocket_dial_timeout_in_seconds:
     description: |
-      Maximum time in seconds for gorouter to establish a websocket upgrade for the websocket ForwardIO connection with a backend. 
+      Maximum time in seconds for gorouter to establish a websocket upgrade for the websocket ForwardIO connection with a backend.
       This timeout comes before `tls_handshake_timeout_in_seconds` and `request_timeout_in_seconds`. When not set, defaults to `endpoint_dial_timeout_in_seconds`.
     default: endpoint_dial_timeout_in_seconds
   tls_handshake_timeout_in_seconds:
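Review bot: whitespace-only change (a trailing space dropped from the first description line), so no functional impact and fine to merge with the rest of the spec edit. One thing worth tightening while in this block: the `default:` is the literal string `endpoint_dial_timeout_in_seconds` rather than a number, which means the template must treat that value as a sentinel and resolve it to the other property; a sentence saying so in the description would stop operators from copying the string into their manifest expecting a numeric timeout.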
@@ -518,6 +518,36 @@ properties:
     description: "The number of file descriptors a router can have open at one time"
     default: 100000
 
+  router.enable_verify_client_certificate_metadata:
+    description: |
+        Enable additional client certificate verification via verify_client_certificate_metadata (see below).
+    default: false
+  router.verify_client_certificate_metadata:
+    description: |
+      Additional client certificate verification, after the certificate was validated using the regular mTLS mechanism and is issued using one of the CAs in `client_ca_certs`.
+      The additional verification limits the allowed client certificates for a given signing CA (identified by its distinguished name) to certificates with subjects provided in the list of valid subjects. Within the certificate chain there may be more than one CA certificates (e.g. intermediate CA certificates). The `issuer_in_chain` must match one of the CA certificates in the chain.
+      Each list entry contains an issuer_in_chain with a corresponding list of valid subjects. Each issuer_in_chain must match one of the certificates in `client_ca_certs`. When an issuer_in_chain is defined that does not match, this raises an error during templating time and at startup in gorouter.
+      - issuer_in_chain:
+          common_name: ""
+          serial_number: ""
+          country: []
+          organization: []
+          organizational_unit: []
+          locality: []
+          province: []
+          street_address: []
+          postal_code: []
+        valid_cert_subjects:
+          - common_name: ""
+            serial_number: ""
+            country: []
+            organization: []
+            organizational_unit: []
+            locality: []
+            province: []
+            street_address: []
+            postal_code: []
+    default: []
   healthchecker.failure_counter_file:
     description: "File used by the healthchecker to monitor consecutive failures."
     default: /var/vcap/data/gorouter/counters/consecutive_healthchecker_failures.count
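Review bot: the matching semantics of empty fields are left undefined, and they decide whether a presented client certificate is accepted. The description should state whether `common_name: ""` or `country: []` in an `issuer_in_chain` or `valid_cert_subjects` entry means "match any value" or "must be empty", and what gorouter does when `router.enable_verify_client_certificate_metadata` is `true` but the list is left at its `default: []` (reject every client certificate, or verify none). Two smaller points: `serial_number` sits beside the other DN attributes, so say whether it is the X.520 serialNumber subject attribute or the certificate's serial number, and the sentences "must match one of the CA certificates in the chain" and "must match one of the certificates in `client_ca_certs`" should be reconciled into a single rule. Style: the block scalar under `router.enable_verify_client_certificate_metadata` is indented eight spaces while the neighbouring descriptions use six.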

✨ Built with go 1.21.3

Full Changelog: v0.282.0...v0.283.0

0.282.0

11 Oct 14:05

Changes

  • [Security Fix] Bumped to golang 1.21.3 - This bump contains a patch to CVE-2023-44487 (HTTP2 rapid-reset vulnerability).
  • Prevents certain requests from causing a panic by validating the length of the trace ID prior to parsing it as a UUID (Fixes: #346)
  • Fixes an incorrect calculation of the gorouter_time if router.enable_log_attempts_details is active (Fixes #348)
  • CI Enhancements and updates
  • Package Dependency bumps

✨ Built with go 1.21.3

Full Changelog: v0.281.0...v0.282.0

0.281.0

19 Sep 17:21

Changes

  • Check trace ID length before parsing the UUID (#346)
  • Bump go to 1.21.1

✨ Built with go 1.21.1

Full Changelog: v0.280.0...v0.281.0

0.280.0

05 Sep 21:01

Changes

  • Gorouter now logs the IP of the NATS server it is connecting to/disconnecting from (instead of just the BOSH DNS name) for troubleshooting clarity. (cloudfoundry/gorouter#362)
  • Bumped CF CLI to v8.7.2

✨ Built with go 1.21.0

Full Changelog: v0.279.0...v0.280.0

0.279.0

31 Aug 20:36

Changes

  • Bumped to golang 1.21.0!
  • Refactor of proxy config properties. Thanks @domdom82!

Bosh Job Spec changes:

diff --git a/jobs/acceptance_tests/spec b/jobs/acceptance_tests/spec
index db508ca3..e1a6a9ae 100644
--- a/jobs/acceptance_tests/spec
+++ b/jobs/acceptance_tests/spec
@@ -7,7 +7,7 @@ templates:
   bpm.yml.erb: config/bpm.yml
 
 packages:
- - golang-1.20-linux
+ - golang-1.21-linux
  - acceptance_tests
  - rtr
  - cf-cli-8-linux
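Review bot: the package reference moves from `golang-1.20-linux` to `golang-1.21-linux`; confirm the renamed package exists under `packages/` in the same commit and that every other job spec consuming the Go package was bumped in lockstep, since BOSH resolves package dependencies by exact name and `bosh create-release` fails on a dangling reference. The release text above reports the toolchain as 1.21.0, which matches.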
diff --git a/jobs/smoke_tests/spec b/jobs/smoke_tests/spec
index 5776a9c8..b230192b 100644
--- a/jobs/smoke_tests/spec
+++ b/jobs/smoke_tests/spec
@@ -7,7 +7,7 @@ templates:
   bpm.yml.erb: config/bpm.yml
 
 packages:
- - golang-1.20-linux
+ - golang-1.21-linux
  - acceptance_tests
  - cf-cli-8-linux
 
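Review bot: consistent with the acceptance_tests hunk above; nothing further to flag beyond verifying that both jobs reference the identical `golang-1.21-linux` package name. The single-space line at the end is the diff's rendering of an empty context line, not a stray whitespace change.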

✨ Built with go 1.21.0

Full Changelog: v0.278.0...v0.279.0

0.278.0

24 Aug 16:44

Changes

  • Continue to forward relevant headers by removing hop-by-hop headers that could interfere with gorouter when proxying client requests
  • Go mod dependency updates

Bosh Job Spec changes:

diff --git a/jobs/gorouter/spec b/jobs/gorouter/spec
index a14133ed..2bb394e9 100644
--- a/jobs/gorouter/spec
+++ b/jobs/gorouter/spec
@@ -282,6 +282,27 @@ properties:
     example:
     - name: X-Vcap-Request-Id
     - name: Accept-Ranges
+  router.hop_by_hop_headers_to_filter:
+    description: |
+        (optional, array value) List of HTTP Headers that are filtered for
+        Hop-By-Hop Connection header.
+        When clients make requests to the gorouter and the gorouter proxies
+        their request, these HTTP Headers will be automatically be removed from
+        the request's Connection header and sent as normal headers to the
+        target backend. This list *also* specificies the Headers that can be
+        returned by the backend; i.e. if a client attempts to send one of these
+        Headers in their Connection Header to gorouter and it's *NOT* filtered,
+        the header will *NOT* be returned to client properly after proxying the
+        request.
+    default:
+    - X-Forwarded-For
+    - X-Forwarded-Proto
+    - B3
+    - X-B3
+    - X-B3-SpanID
+    - X-B3-TraceID
+    - X-Request-Start
+    - X-Forwarded-Client-Cert
   router.frontend_idle_timeout:
     description: |
       (optional, integer) Duration in seconds to maintain an open connection when client supports keep-alive.
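Review bot: two typos in the new description, "will be automatically be removed" (double "be") and "specificies" for "specifies". The second half of the description is hard to follow; stating the mechanism directly would help operators judge the default list: a proxy must treat any header named in a request's `Connection` field as hop-by-hop and drop it before forwarding, so without this filter a client could name `X-Forwarded-For` or `X-Forwarded-Client-Cert` in `Connection` and gorouter would strip headers the backend relies on for client identity and tracing; this list is the set of names gorouter removes from `Connection` so they keep being forwarded as normal headers. Consider also documenting whether name matching is case-insensitive and whether an operator-supplied list replaces or extends the default. Style: the block scalar is indented eight spaces where the neighbouring descriptions use six.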

✨ Built with go 1.20.7

Full Changelog: v0.277.0...v0.278.0

0.277.0

17 Aug 16:49

Changes

  • Additional metrics/logging component ports have been reserved from gorouter's ephemeral port range.

✨ Built with go 1.20.7

Full Changelog: v0.276.0...v0.277.0

0.276.0

10 Aug 20:03

Changes

  • Bumped golang to 1.20.7
  • 🐛 Added new loggregator ports to gorouter's list of ports to exclude from ephemeral ranges. Thanks @ctlong!

✨ Built with go 1.20.7

Full Changelog: v0.275.0...v0.276.0

0.275.0

12 Jul 18:23

Changes

  • Bumps golang to 1.20.6
  • Resolves a bug in gorouter where path-based routes could return 503s when no backend endpoints remain, rather than falling back to non-path (hostname-only) routes. Thanks @domdom82!

✨ Built with go 1.20.6

Full Changelog: v0.274.0...v0.275.0

0.274.0

30 Jun 14:55

Changes

  • 🐛 Bug Fix: This release fixes the known issue around multiple Expect: 100-continue responses.

✨ Built with go 1.20.5

Full Changelog: v0.273.0...v0.274.0
