.. _version_history_1.23.0:
1.23.0 (July 15, 2022)
=======================
Incompatible behavior changes
-----------------------------
*Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required*
* **config**: multiple SDS resources of multiple clusters or listeners are sent in a single SDS requests, instead of multiple SDS
requests. This behavioral change can be reverted by setting ``envoy.reloadable_features.combine_sds_requests`` to
``false``.
* **router**: updated all HTTP filters to get per-filter config by the :ref:`HTTP filter config name
<v1.23:envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpFilter.name>`. If there is no entry
referred by the filter config name, the canonical filter name (e.g., ``envoy.filters.http.buffer`` for the HTTP buffer
filter) will be used for the backwards compatibility.
* **router**: weighted cluster's :ref:`total_weight <v1.23:envoy_v3_api_field_config.route.v3.WeightedCluster.total_weight>` is now
optional. If not set, Envoy will no longer validate that all weights add up to 100. The sum of :ref:`weights
<v1.23:envoy_v3_api_field_config.route.v3.WeightedCluster.ClusterWeight.weight>` across all entries in the clusters array must
add up to the :ref:`total_weight <v1.23:envoy_v3_api_field_config.route.v3.WeightedCluster.total_weight>`, when it's greater
than 0.
* **stats listener**: fixed metric tag extraction so that :ref:`stat_prefix <v1.23:envoy_v3_api_field_config.listener.v3.Listener.stat_prefix>` is
properly extracted. This changes the Prometheus name from ``envoy_listener_myprefix_downstream_cx_overflow{}`` to
``envoy_listener_downstream_cx_overflow{envoy_listener_address="myprefix"}``. This does not affect the Prometheus name
if ``stat_prefix`` is not set.
* **stats listener**: fixed metric tag extraction so that ``worker_id`` is properly extracted from the listener stats. This changes the
Prometheus name from ``envoy_listener_worker_1_downstream_cx_active{envoy_listener_address="0.0.0.0_10000"}`` to
``envoy_listener_downstream_cx_active{envoy_listener_address="0.0.0.0_10000", envoy_worker_id="1"}``.
* **stats redis_proxy**: fixed metric tag extraction so that :ref:`stat_prefix
<v1.23:envoy_v3_api_field_extensions.filters.network.redis_proxy.v3.RedisProxy.stat_prefix>` is properly extracted. This
changes the Prometheus name from ``envoy_redis_myprefix_command_pttl_latency_sum{}`` to
``envoy_redis_command_pttl_latency_sum{envoy_redis_prefix="myprefix"}``.
* **stats server**: fixed metric tag extraction so that ``worker_id`` is properly extracted fromt the server stats. This changes the
Prometheus name from ``envoy_server_worker_1_watchdog_miss{}`` to ``envoy_server_watchdog_miss{envoy_worker_id="1"}``.
* **stats thrift_proxy**: fixed metric tag extraction so that :ref:`stat_prefix
<v1.23:envoy_v3_api_field_extensions.filters.network.thrift_proxy.v3.ThriftProxy.stat_prefix>` is properly extracted. This
changes the Prometheus name from ``envoy_thrift_myprefix_request{}`` to
``envoy_thrift_request{envoy_thrift_prefix="myprefix"}``.
* **tls-inspector**: the listener filter tls inspector's stats ``connection_closed`` and ``read_error`` are removed. New stats are introduced
for listener, ``downstream_peek_remote_close`` and ``read_error``, in :ref:`listener stats <v1.23:config_listener_stats>`.
Minor behavior changes
----------------------
*Changes that may cause incompatibilities for some users, but should not for most*
* **admin**: changed default regex engine for ``/stats?filter=`` from ``std::regex`` to RE2, improving filtering speed 20x.
* **conn pool**: changed HTTP/2 connection pooling and the :ref:`ALPN pool
<v1.23:envoy_v3_api_field_extensions.upstreams.http.v3.HttpProtocolOptions.auto_config>` to remember the number of streams
allowed by the endpoint and cap multiplexed streams for subsequent connections based on that. With that working,
defaulted the ALPN pool to assume HTTP/2 will work, as it will only incur a latency hit once until the TLS handshake is
complete, and then will cache that the effective stream limit is ``1``. This behavioral change can be revered by setting
``envoy.reloadable_features.allow_concurrency_for_alpn_pool`` to ``false``.
* **dns**: allow propagating DNS responses with no records back to callers like ``strict_dns`` cluster, guarded by
``envoy.reloadable_features.cares_accept_nodata``.
* **filter state**: revert to respecting the life time of the filter state objects to be bound to the original stream and make sharing
filter state objects with the upstream info explicit via an extra flag in ``setData``.
* **http**: changing the behavior for ``CONNECT`` and upgrade requests over HTTP/1.1 to not delay close. This behavioral change can
be reverted by setting ``envoy.reloadable_features.no_delay_close_for_upgrades`` to ``false``.
* **http**: the :ref:`dynamo filter <v1.23:config_http_filters_dynamo>` has been moved to :ref:`contrib images <v1.23:install_contrib>`.
* **http**: the behavior of the :ref:`timeout <v1.23:envoy_v3_api_field_config.core.v3.KeepaliveSettings.timeout>` field has been modified
to extend the timeout when *any* frame is received on the owning HTTP/2 connection. This negates the effect of head-of-
line (HOL) blocking for slow connections. If any frame is received the assumption is that the connection is working.
This behavior change can be reverted by setting ``envoy.reloadable_features.http2_delay_keepalive_timeout`` to
``false``.
* **http-cache**: HTTP cache filter ``getCache`` interface changed from returning a reference to returning a shared_ptr - any third-party
implementations of this interface will need to be updated accordingly. See changes to ``simple_http_cache.cc`` and
``simple_http_cache.h`` in `PR21114 <https://github.com/envoyproxy/envoy/pull/21114>`_ for example.
* **local_ratelimit**: ``local_ratelimit`` will consume tokens of all matched descriptors sorted by tokens per second. This behavioral change
can be reverted by setting runtime guard ``envoy.reloadable_features.http_local_ratelimit_match_all_descriptors`` to
``false``.
* **logging**: changed category name for access log filter extensions to ``envoy.access_loggers.extension_filters``.
* **logging**: changed flag ``--log-format-escaped`` to only log one trailing newline per log line.
* **lua**: export symbols of LuaJit by default on Linux. This is useful in cases where you have a lua script that loads shared
object libraries, such as those installed via luarocks.
* **lua**: lua ``respond`` api will call ``sendLocalReply`` instead of ``encodeHeaders`` and ``encodeData``. This means that
encoder filters will be correctly invoked, including adding configured response headers, etc. This behavioral change can
be reverted by setting runtime guard ``envoy.reloadable_features.lua_respond_with_send_local_reply`` to ``false``.
* **network**: the :ref:`client ssl auth filter <v1.23:config_network_filters_client_ssl_auth>` has been moved to :ref:`contrib images
<v1.23:install_contrib>`.
* **router**: get route config factories by the configuration proto full names by default. This behavior change can be reverted by
setting the ``envoy.reloadable_features.get_route_config_factory_by_type`` runtime flag to ``false``.
* **skywalking**: use request path as operation name of ``ENTRY``/``EXIT`` spans.
* **skywalking**: use upstream host address as ``addressUsedAtClient`` in propagation header.
* **tcp_proxy**: added support for command operators in :ref:`TunnelingConfig hostname
<v1.23:envoy_v3_api_field_extensions.filters.network.tcp_proxy.v3.TcpProxy.TunnelingConfig.hostname>` to dynamically set
upstream hostname.
* **thrift**: keep downstream connection if the response is completed without underflow.
* **tls**: if both :ref:`match_subject_alt_names
<v1.23:envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_subject_alt_names>` and
:ref:`match_typed_subject_alt_names
<v1.23:envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` are
specified, the former (deprecated) field is ignored. Previously, setting both fields would result in an error.
* **tls**: removed SHA-1 and RSA key transport cipher suites from the server-side defaults.
* **tracers**: remove unnecessary ``spawnChild`` annotations in OpenCensus tracer.
Bug fixes
---------
*Changes expected to improve the state of the world and are unlikely to have negative effects*
* **aws_lambda**: fixed the AWS cross account lambda function invocation issue.
* **decompression**: fixed CVE-2022-29225: Decompressors can be zip bombed. Previously decompressors were susceptible to memory inflation in
takes in which specially crafted payloads could cause a large amount of memory usage by Envoy. The max inflation payload
size is now limited. This change can be reverted via the
``envoy.reloadable_features.enable_compression_bomb_protection`` runtime flag.
* **grpc_json_transcoder**: respond with a error messsage if a proto message is too deep (>64). Before the fix the response was an empty JSON.
* **health_check**: fixed CVE-2022-29224: Segfault in ``GrpcHealthCheckerImpl``. An attacker-controlled upstream server that is health
checked using gRPC health checking can crash Envoy via a null pointer dereference in certain circumstances.
* **http**: fixed HTTP/2 CONNECT to be RFC compliant, rather than following the abandoned extended connect draft. This behavioral
change can be reverted by setting runtime guard ``envoy.reloadable_features.use_rfc_connect`` to ``false``.
* **oauth**: fixed CVE-2022-29226: oauth filter allows trivial bypass. The OAuth filter implementation does not include a mechanism
for validating access tokens, so by design when the HMAC signed cookie is missing a full authentication flow should be
triggered. However, the current implementation assumes that access tokens are always validated thus allowing access in
the presence of any access token attached to the request.
* **oauth**: fixed CVE-2022-29228: oauth filter calls ``continueDecoding()`` from within ``decodeHeaders()``. The OAuth filter would
try to invoke the remaining filters in the chain after emitting a local response, which triggers an ``ASSERT()`` in
newer versions and corrupts memory on earlier versions.
* **router**: fixed CVE-2022-29227: Internal redirect crash for requests with body/trailers. Envoy would previously crash in some
cases when processing internal redirects for requests with bodies or trailers if the redirect prompts an Envoy-generated
local reply.
* **runtime**: fixed a bug where ``envoy.restart_features.no_runtime_singleton`` was inverted. Runtime singleton status is now guarded
by non-inverted ``envoy.restart_features.remove_runtime_singleton``.
* **tcp_proxy**: fixed an issue using the cluster wide ``CONNECT`` termination so it will successfully proxy payloads.
* **tls**: fixed a bug where an expired certificate sets a big number for ``days_until_expiration``. After this fix, ``0`` is set.
* **upstream**: fixed the ``LOGICAL_DNS`` and ``STRICT_DNS`` clusters to work for IPv6.
Removed config or runtime
-------------------------
*Normally occurs at the end of the* :ref:`deprecation period <v1.23:deprecated>`
* **compressor**: removed ``envoy.reloadable_features.fix_added_trailers`` and legacy code paths.
* **conn pool**: removed ``envoy.reloadable_features.conn_pool_delete_when_idle`` and legacy code paths.
* **dns**: removed ``envoy.reloadable_features.use_dns_ttl`` and legacy code paths.
* **ext_authz**: removed ``envoy.reloadable_features.http_ext_authz_do_not_skip_direct_response_and_redirect`` and legacy code paths.
* **http**: removed ``envoy.reloadable_features.correct_scheme_and_xfp`` and legacy code paths.
* **http**: removed ``envoy.reloadable_features.skip_dispatching_frames_for_closed_connection`` and legacy code paths.
* **http**: removed ``envoy.reloadable_features.validate_connect`` and legacy code paths.
* **runtime**: removed ``envoy.restart_features.no_runtime_singleton`` and replaced with
``envoy.restart_features.remove_runtime_singleton``.
* **tcp_proxy**: removed ``envoy.reloadable_features.new_tcp_connection_pool`` and legacy code paths.
* **udp listener**: removed ``envoy.reloadable_features.udp_listener_updates_filter_chain_in_place`` and legacy code paths.
New features
------------
* **access_log**: added formatters for :ref:`UPSTREAM_METADATA<v1.23:config_access_log_format_upstream_host_metadata>` and
:ref:`METADATA(UPSTREAM_HOST)<v1.23:envoy_v3_api_msg_extensions.formatter.metadata.v3.Metadata>`.
* **access_log**: added new ``access_log`` command operators to retrieve upstream connection information change: ``%UPSTREAM_PROTOCOL%``,
``%UPSTREAM_PEER_SUBJECT%``, ``%UPSTREAM_PEER_ISSUER%``, ``%UPSTREAM_TLS_SESSION_ID%``, ``%UPSTREAM_TLS_CIPHER%``,
``%UPSTREAM_TLS_VERSION%``, ``%UPSTREAM_PEER_CERT_V_START%``, ``%UPSTREAM_PEER_CERT_V_END%``, ``%UPSTREAM_PEER_CERT%``
and ``%UPSTREAM_FILTER_STATE%``.
* **admin**: added compile-time option ``--define=admin_html=disabled`` to disable HTML home page.
* **build**: enabled building arm64 envoy-distroless and envoy-tools :ref:`docker images <v1.23:install_binaries>`.
* **dns_resolver**: added :ref:`GetAddrInfoDnsResolverConfig
<v1.23:envoy_v3_api_msg_extensions.network.dns_resolver.getaddrinfo.v3.GetAddrInfoDnsResolverConfig>`, a new DNS resolver that
uses the system's ``getaddrinfo()`` function to resolve DNS. This was primarily added for use on Android but can also be
used in other situations in which the system resolver is desired.
* **dns_resolver**: added :ref:`include_unroutable_families
<v1.23:envoy_v3_api_field_extensions.network.dns_resolver.apple.v3.AppleDnsResolverConfig.include_unroutable_families>` to the
Apple DNS resolver.
* **dns_resolver**: added support for multiple addresses. This is most valuable when used in conjunction with :ref:`ALL
<v1.23:envoy_v3_api_enum_value_config.cluster.v3.Cluster.DnsLookupFamily.ALL>` enabling full happy eyeballs support for Envoy
(see detailed documentation :ref:`here <v1.23:arch_overview_conn_pool>` but will also result in trying multiple addresses for
resolvers doing only IPv4 or IPv6. This behavioral change can be temporarily disabled by setting runtime guard
``envoy.restart_features.remove_runtime_singleton`` to ``false``.
* **dubbo_proxy**: added :ref:`dynamic routes discovery <v1.23:envoy_v3_api_field_extensions.filters.network.dubbo_proxy.v3.DubboProxy.drds>`
support to dubbo proxy.
* **dubbo_proxy**: added :ref:`metadata_match <v1.23:envoy_v3_api_field_extensions.filters.network.dubbo_proxy.v3.RouteAction.metadata_match>`
support to the dubbo proxy.
* **examples**: fixed issues with documentation/compositions usage of ``docker-compose pull``.
* **examples**: updated many examples and added dependency checking.
* **ext_proc**: added support for per-route :ref:`grpc_service
<v1.23:envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExtProcOverrides.grpc_service>`.
* **http**: added :ref:`cluster_header <v1.23:envoy_v3_api_field_config.route.v3.RouteAction.RequestMirrorPolicy.cluster_header>` in
:ref:`request_mirror_policies <v1.23:envoy_v3_api_field_config.route.v3.RouteAction.request_mirror_policies>` to allow routing
shadow request to the cluster specified in the request_header.
* **http**: added :ref:`treat_missing_header_as_empty
<v1.23:envoy_v3_api_field_config.route.v3.HeaderMatcher.treat_missing_header_as_empty>` to allow header match rule to treat
the header value as empty and apply the match rule when the header is missing.
* **http**: added a :ref:`send_fully_qualified_url
<v1.23:envoy_v3_api_field_config.core.v3.Http1ProtocolOptions.send_fully_qualified_url>` configuration option to send absolute
URLs for HTTP/1.1.
* **http**: added new :ref:`file_system_buffer <v1.23:config_http_filters_file_system_buffer>` HTTP filter.
* **http**: preserve case header formatter support innner formatter on Envoy headers in :ref:`formatter_type_on_envoy_headers
<v1.23:envoy_v3_api_field_extensions.http.header_formatters.preserve_case.v3.PreserveCaseFormatterConfig.formatter_type_on_envoy_headers>`.
* **http3**: added :ref:`early_data_policy <v1.23:envoy_v3_api_field_config.route.v3.RouteAction.early_data_policy>` extension to allow
upstream HTTP/3 sending requests over early data. If no extension is configured, HTTP/3 pool will send safe requests as
early data to the host if the pool already cached 0-RTT credentials of that host. If those requests fail and the
underlying connection pool supports TCP fallback, the request may be retried automatically. If the :ref:`default
extension <v1.23:envoy_v3_api_msg_extensions.early_data.v3.DefaultEarlyDataPolicy>` is configured, no requests are allowed to
be sent as early data. Note that if any customized extension configures non-safe requests to be allowed over early data,
the Envoy will not automatically retry them. If desired, explicitly config their :ref:`retry_policy
<v1.23:envoy_v3_api_field_config.route.v3.RouteAction.retry_policy>`. Sending early data requires both
``envoy.reloadable_features.conn_pool_new_stream_with_early_data_and_http3`` and
``envoy.reloadable_features.http3_sends_early_data`` runtime flags to be set to ``true``.
* **listener**: added :ref:`dynamic listener filter configuration
<v1.23:envoy_v3_api_field_config.listener.v3.ListenerFilter.config_discovery>` for listener filters. This dynamic listener
filter configuration is only supported by TCP listeners.
* **lua**: added new function :ref:`timestampString <v1.23:config_http_filters_lua_stream_handle_api_timestamp_string>` returning the
time since epoch as a string. Supported resolutions are millisecond and microsecond.
* **matching**: added support for matching authenticated inputs in network and HTTP matching data.
* **network**: extended conection balancer with :ref:`extend balance
<v1.23:envoy_v3_api_field_config.listener.v3.Listener.ConnectionBalanceConfig.extend_balance>`, and added :ref:`Dlb connection
balancer <v1.23:envoy_v3_api_msg_extensions.network.connection_balance.dlb.v3alpha.Dlb>` to use `DLB
<https://www.intel.com/content/www/us/en/download/686372/intel-dynamic-load-balancer.html>`_ hardware to balance.
* **on_demand**: :ref:`OnDemand <v1.23:envoy_v3_api_msg_extensions.filters.http.on_demand.v3.OnDemand>` got extended to hold configuration for
on-demand cluster discovery. A similar message for :ref:`per-route configuration
<v1.23:envoy_v3_api_msg_extensions.filters.http.on_demand.v3.PerRouteConfig>` is also added.
* **open_telemetry**: added :ref:`resource_attributes
<v1.23:envoy_v3_api_field_extensions.access_loggers.open_telemetry.v3.OpenTelemetryAccessLogConfig.resource_attributes>`
configuration to OpenTelemetry.
* **proxy_protcol**: added :ref:`allow_requests_without_proxy_protocol
<v1.23:envoy_v3_api_field_extensions.filters.listener.proxy_protocol.v3.ProxyProtocol.allow_requests_without_proxy_protocol>`
to allow requests without proxy protocol on the listener from trusted downstreams as an opt-in flag.
* **ratelimit**: added support for :ref:`HTTP matching input functions <v1.23:arch_overview_matching_api>` as descriptor producers.
* **ratelimit**: added support for :ref:`masked_remote_address
<v1.23:envoy_v3_api_field_config.route.v3.RateLimit.Action.masked_remote_address>`.
* **rbac**: added :ref:`matcher <v1.23:arch_overview_rbac_matcher>` for selecting connections and requests to different actions.
* **redis**: added support for multiple passwords to the redis proxy. See :ref:`downstream_auth_passwords
<v1.23:envoy_v3_api_field_extensions.filters.network.redis_proxy.v3.RedisProxy.downstream_auth_passwords>`.
* **router**: added :ref:`INTERNAL_SERVER_ERROR option
<v1.23:envoy_v3_api_enum_value_config.route.v3.RouteAction.ClusterNotFoundResponseCode.INTERNAL_SERVER_ERROR>` to return
status code 500 when the configured cluster is not found.
* **router**: added :ref:`ignore_path_parameters_in_path_matching
<v1.23:envoy_v3_api_field_config.route.v3.RouteConfiguration.ignore_path_parameters_in_path_matching>`. When set to ``true``,
path-parameters(`rfc1808 <https://datatracker.ietf.org/doc/html/rfc1808>`_) is ignored during path matching. added
:ref:`ignore_path_parameters_in_path_matching
<v1.23:envoy_v3_api_field_config.route.v3.RouteConfiguration.ignore_path_parameters_in_path_matching>`. When set to ``true``,
path-parameters(rfc1808) is ignored during path matching.
* **router**: added :ref:`ignore_port_in_host_matching
<v1.23:envoy_v3_api_field_config.route.v3.RouteConfiguration.ignore_port_in_host_matching>`. When set to ``true``, port number
(if any) in host header is ignored during host matching.
* **router**: added :ref:`keep_empty_value <v1.23:envoy_v3_api_field_config.core.v3.HeaderValueOption.keep_empty_value>` to allow keeping
empty values in custom headers.
* **router**: added :ref:`stat_prefix <v1.23:envoy_v3_api_field_config.route.v3.Route.stat_prefix>` support to generate route level
statistics.
* **thrift**: added :ref:`close_downstream_on_upstream_error
<v1.23:envoy_v3_api_field_extensions.filters.network.thrift_proxy.router.v3.Router.close_downstream_on_upstream_error>` flag
to router to control downstream local close.
* **thrift**: added ``onLocalReply`` support to inform filters of local replies.
* **thrift**: added ``validate_clusters`` in :ref:`RouteConfiguration
<v1.23:envoy_v3_api_msg_extensions.filters.network.thrift_proxy.v3.RouteConfiguration>` to override the default behavior of
cluster validation.
* **thrift**: added support for access logging for :ref:`Thrift Proxy <v1.23:config_network_filters_thrift_proxy>`.
* **thrift**: added support for preserving header keys. See :ref:`header_keys_preserve_case
<v1.23:envoy_v3_api_field_extensions.filters.network.thrift_proxy.v3.ThriftProxy.header_keys_preserve_case>`.
* **thrift**: added support for propogating connection draining if local replies try to end downstream. Can be enabled by setting the
runtime flag ``envoy.reloadable_features.thrift_connection_draining`` to true.
* **thrift**: introduced thrift configurable encoder and bidirectional filters, which allows peeking and modifying the thrift response
message.
* **udp**: added :ref:`udp_packet_packet_writer_config
<v1.23:envoy_v3_api_field_config.listener.v3.UdpListenerConfig.udp_packet_packet_writer_config>` config to specify the UDP
packet writer factory.
* **upstream**: added :ref:`internal upstream transport
<v1.23:envoy_v3_api_msg_extensions.transport_sockets.internal_upstream.v3.InternalUpstreamTransport>` for passing metadata and
filter state across the user space sockets and the internal listeners.
Deprecated
----------
* **dubbo_proxy**: deprecated :ref:`old dubbo route config
<v1.23:envoy_v3_api_field_extensions.filters.network.dubbo_proxy.v3.DubboProxy.route_config>`. Please use :ref:`multiple route
config <v1.23:envoy_v3_api_field_extensions.filters.network.dubbo_proxy.v3.DubboProxy.multiple_route_config>` or :ref:`DRDS
<v1.23:envoy_v3_api_field_extensions.filters.network.dubbo_proxy.v3.DubboProxy.drds>` first.
* **http**: deprecated the short name ``preserve_case`` for the header formatter extension in favor of the fully-qualified name
``envoy.http.stateful_header_formatters.preserve_case``.
* **lua**: deprecated :ref:`inline_code <v1.23:envoy_v3_api_field_extensions.filters.http.lua.v3.Lua.inline_code>`. Please use
:ref:`default_source_code <v1.23:envoy_v3_api_field_extensions.filters.http.lua.v3.Lua.default_source_code>`.
* **matching**: :ref:`google_re2 <v1.23:envoy_v3_api_field_type.matcher.v3.RegexMatcher.google_re2>` has been deprecated. A default regex
engine can be set using :ref:`default_regex_engine
<v1.23:envoy_v3_api_field_config.bootstrap.v3.Bootstrap.default_regex_engine>`.
* **redis**: deprecated :ref:`downstream_auth_password
<v1.23:envoy_v3_api_field_extensions.filters.network.redis_proxy.v3.RedisProxy.downstream_auth_password>`. Please use
:ref:`downstream_auth_passwords
<v1.23:envoy_v3_api_field_extensions.filters.network.redis_proxy.v3.RedisProxy.downstream_auth_passwords>`.