v1.13.2

1.13.2

• Dependencies
  • build with go 1.23 (#886)
  • golang-jwt to the unaffected version v5.2.2 to address the third-party CVE-2025-30204 (#886)
  • golang.org/x/crypto v0.39.0 (#886)

v1.13.1

1.13.1

• Changed

  • ulimit, open files and max procs values are now logged with debug log level (#857)

• Fixed

  • Addressed the third-party CVE-2025-30153 affecting our OpenAPI feature by upgrading to the non-affected version v0.132.0 (#883)

v1.13.0

1.13.0

• Added

  • can() function (#699)
  • url_decode() function (#781)
  • bearer = true attribute for jwt block to indicate retrieving token from Authorization: Bearer .... This is the new default token source indicator. header = "Authorization" is now deprecated in favour of this new attribute. (#724)
  • IPv6 support via -bind-address option. (#752)
  • also watch files which has been referenced within the configuration file when using [-watch] (https://docs.couper.io/configuration/command-line#basic-options) (#747)
  • automatic MAXPROCS setting for Couper runtime to respect the number of available CPU resources in cloud environments (#840)

• Changed

  • More specific error log messages for oauth2 and beta_token_request token request errors (#755)
  • In addition to having an appropriate JSON media type in the Content-Type header field, (backend) requests or backend responses for an endpoint are only JSON-parsed if indicated by a .json_body reference in the endpoint configuration (#749)
  • beta_rate_limit status code 429 responses are no longer wrapped as a Couper error (#827)

• Fixed

  • WWW-Authenticate header realm param value for basic_auth (#715)
  • Server-Timing header only reporting last requests/proxies of endpoint sequences (#751)
  • Selecting of appropriate error handler in two cases (#753)
  • Storing of digit-starting string object keys in request context and of digit-starting string header field names in request variable (#799)
  • Use of boolean values for the headers attribute or modifiers (#805)
  • Duplicate CORS response headers (with backend sending CORS response headers, too) (#804)
  • Erroneously sending 404 when serving from files due to wrong registration of base_paths, and when serving from multiple files or spa in combination with api due to wrong selecting of the API error template (#803)
  • Possible deadlock for beta_rate_limit (#827)

• Dependencies

  • build with go 1.22 (#810)
  • upgrade jwt library from v4 to v5 (#769, #834)
  • update OpenAPI lib to v0.126.0 (#837)
  • update uuid lib to v1.6.0 and xid lib to 1.5.0 (#838)
  • update logrus lib to 1.9.3 (#839)

v1.12.2

Note: The Couper project has been moved to a new home: https://github.com/coupergateway/couper !
The maintainer is still the same (@malud) and supported with ❤️ by Milecrew.
This affects the following locations which you have to update accordingly:

Dockerhub: coupergateway/couper and coupergateway/couper-oidc-gateway
VSCode-Extension: Couper Configuration (Marketplace / Open VSX)
Homebrew: brew tap coupergateway/couper and then brew install couper (formula)
Examples: https://github.com/coupergateway/couper-examples

• Fixed
  • Reading the origin response-body even if there is no origin body or json_body variable reference; piping the response-body again to the client (#766)

v1.12.1

1.12.1

• Fixed
  • Erroneously sending an empty Server-Timing header (#700)
  • URL scheme while using the tls block (#703)
  • For OIDC, trying to request userinfo from a non-existing (not required, though recommended) userinfo endpoint (#709)
  • Use of backend_responses' body or json_body properties in api-level error handlers (#710)
  • Some ..._file attributes missing for path absolutizing (#713)
  • WWW-Authenticate header realm param value for basic_auth (#715)
  • JWT access control now creating 401 error status code, adding a WWW-Authenticate: Bearer[...] response header if appropriate (#719)
  • Erroneous multiplying of health probes, jobs and requests to JWKS and OpenID configuration resources after a reload with -watch (#730, #736)
  • Reading PEM-encoded CA certificates (ca_file setting or -ca-file option) containing bytes trailing the PEM message (#739)

v1.12.0

1.12.0

• Added

  • beta_job block to describe one or more job definitions for simple recurring http tasks (#610)
  • server_timing_header setting, that allows Couper to include an additional Server-Timing HTTP response header field detailing connection and transport relevant metrics for each backend request. (#657)

• Changed

  • Use nested jwt_signing_profile block in oauth2 block for grant_type "urn:ietf:params:oauth:grant-type:jwt-bearer" in absence of assertion attribute (#619)
  • Improved the way an SPA bootstrap_file gets cached and served in combination with bootstrap_data (#656)
  • Harmonized and improved logged error information for references to undefined blocks (#651)
  • Unbeta permission features: (#673)
    • beta_required_permission attribute for api and endpoint blocks,
    • beta_granted_permissions and beta_required_permission request context variables,
    • beta_insufficient_permissions error type,
    • beta_permissions_claim, beta_permissions_map, beta_permissions_map_file, beta_roles_claim, beta_roles_map and beta_roles_map_file attributes for jwt block.

• Fixed

  • Use of backend-related variables in custom_log_fields within a backend block (#658)
  • Loop with evaluation error in custom_log_fields if log level is "debug" (#659)
  • Removed error message with couper help command (#678)

VSCode-Extension

The vscode extension has been moved to our own publisher couper. The new extension can be found here:

• Marketplace: https://marketplace.visualstudio.com/items?itemName=couper.couperconf
• Open-VSX: https://open-vsx.org/extension/couper/couperconf (claiming the namespace is still pending)

v1.11.2

1.11.2

• Fixed
  • Requests to wildcard (**) endpoints using backends with a wildcard path attribue, where the wildcard matches the empty string (regression; since v1.11.0) (#655)
  • [internal alloc] stop creating request context based jwt, oauth2 and saml (hcl) functions without related definitions (#666)
  • [internal alloc] reduced allocation amount while proxying requests (#666)
  • Removing websockets related headers while the proxy websockets option is false (or no block definition exist) (#666)

v1.11.1

1.11.1

• Fixed
  • Endpoint sequences not being terminated by errors (e.g. unexpected_status) (regression; since v1.11.0) (#648)
  • Health route affected by access control (regression; since v1.11.0) (#654)

v1.11.0

1.11.0

With this release Couper brings even more value when it comes to connecting services and security. We made mTLS configurable for both sides, the server side and the backend one. Couper is normally used behind an ingress but is now able to serve secured content and forces clients to present a valid certificate if configured. For the backend blocks Couper acts as client and is able to present a client certificate to the origin. This feature also allows to additionally configure a CA certificate per backend, unlike the ca_file option which configures a certificate for all outgoing connections.

To configure a Single Page Application for different environments, believe it or not, things could get complicated. Couper comes with a simple but powerful spa attribute to inject a custom JSON object into the bootstrap file via a defined placeholder while serving this to the client.

• Added

  • mTLS Support for server and backend blocks (#615)
  • spa block option to inject server-data to the applications bootstrap_file with bootstrap_data (#626)
  • OAuth2 client authentication methods (token_endpoint_auth_method values) "client_secret_jwt" and "private_key_jwt" including jwt_signing_profile block for oauth2, beta_oauth2 and oidc blocks (#599)
  • trim() function (#605)
  • beta_roles_map_file and beta_permissions_map_file attributes to jwt block (#613)

• Changed

  • Replaced the JWT library because the former library was no longer maintained (#612)
  • Routing and OpenAPI validation now use gorilla/mux (#614)
  • Usage of env variables and functions is now possible for the defaults block (#630)

• Fixed

  • Aligned the evaluation of beta_oauth2/oidc redirect_uri to saml sp_acs_url (#589)
  • Proper handling of empty beta_oauth2/oidc scope (#593)
  • Throwing sequence errors and selecting appropriate error handlers (#595)
  • Allow setting of the typ JWT header in jwt_signing_profiles (#616)
  • CVE-2021-3538 related to our request_id_format option if switched to uuid4: replaced the underlying package to github.com/google/uuid (#611)
  • Possible panic for nested endpoint sequences (#618)
  • Cycle check for endpoint sequences (#623)
  • In endpoint sequences send requests only once (#624)

v1.10.1

1.10.1

• Fixed
  • endpoint /** path wildcards sometimes not matching (#603)
  • Some errors in the default() function (#596)