Tyk Gateway v2.3.4 and Tyk Dashboard v1.3.4

Tyk Gateway v2.3.4

• Added new management_node boolean configuration option. When turned on, it will exclude the node from distributed rate limiter.
• /tyk/api endpoint, used for managing APIs, now can be accessed without trailing slash to avoid confusion.

Tyk Dashboard v1.3.4: security focused release

• Fix: Deactivating a user now disables their API access and logs them out from existing dashboard sessions.
• Fix: Updating user permissions now does not empty user password.
• Fix: Updating user permissions now updates both current API session and all opened dashboard sessions, and does not require user to re-login.
• User access to OAuth tokens now controlled using separate permission group.
• Disabled auto-completion for all forms with passwords.
• Enable HSTS for all requests to improve HTTPS security.
• Added new disable_parallel_sessions boolean configuration option. When turned on it allows only one active dashboard session. When a user logs in, all of their other active sessions are automatically logged out.
• Using Admin API you now can set the password. If the password field is empty, it gets ignored.

v2.3.3

Tyk gateway v2.3.3

This version is a patch update and fully backwards compatible with other 2.3 releases. We recommend upgrading to this version for improved stability:

This version will work with the latest version of Tyk Dashboard, no changes are required.

Changelog for v2.3.3

• Fixed a bug which could crash hybrid gateways if MDCB returned a nil object
• Modified hot reload behaviour to be more robust, addresses potential memory leak
• Redis reconnect and connect logic has been updated for better handling

Tyk Dashboard version 1.3.2

This is a patch release to beef up security of dashboard users and fix some security concerns with the users API.

Changelog:

Password validation and constraints

Added more verbose password rules for user creation, it is now possible to use the password.json schema in the tyk dashboard schemas/ directory to set complex

Example of password.json with full validation:

{
"title": "User password schema",
"type": "string",

"minLength": 6,
"multiCase": true,
"minNumeric": 2,
"minSpecial": 2,
"disableSequential": true

}

Password hash exposed in users/ API

The users API will no longer expose the password hash as part of the call, this aplies to both portal and dashboard users.

Tyk v2.3.2 and Dashboard v1.3.1 Patches

Tyk Gateway v2.3.2

• Added http_server_options.skip_url_cleaning option to allow having double slashes in URL. Fixes #340
• Fixed tyk-hybrid-docker container: ensure the docker container always restarts TykTechnologies/tyk-hybrid-docker#1
• Added --httpprof command line option to enable standard HTTP Go profiler, eg: /debug/pprof/ #392
• Allow "/tyk/apis" without trailing slash #381
• Improve OAuth error messages #382
• HTTP OPTION requests now not cached #397
• Added gRPC Java bindings #358

Tyk Dashboard 1.3.1

• Added labels for displaying the user name and the organisation name
• Fixed search in "Analytics by key" view
• Fixed importing API when api_model field set
• Fixed uptime tests for requests with body data
• Fixes policy import so that malformed outbound objects will work without breaking compatibility with other components

Patch v2.2.0.4

Fixes a load balancer issue

Gateway v2.2 and Dashboard v1.2

v2.2

• Fixed URL Rewriter to better handle query strings
• Added XML transform support for requests and responses, simply set the data type to xml int he transforms section and create your template the same way you would for JSON.

XML transform demo

For this XML:

    <?xml version="1.0" encoding="utf-8"?>
    <servers version="1">
        <server>
            <serverName>Shanghai_VPN</serverName>
            <serverIP>127.0.0.1</serverIP>
        </server>
        <server>
            <serverName>Beijing_VPN</serverName>
            <serverIP>127.0.0.2</serverIP>
        </server>
    </servers>

And this Template:

    {
    {{range $x, $s := .servers.server}}    "{{$s.serverName}}": "{{$s.serverIP}}"{{if not $x}},{{end}}
    {{end}}
    }

You get this output:

    {
        "Shanghai_VPN": "127.0.0.1",
        "Beijing_VPN": "127.0.0.2"

    }

• Added request method transform: This is very simple at the moment, and only chagnes the type of method, it does not data massaging, to enaqble, add to your extended paths:

  method_transforms: [
  {
  path: "post",
  method: "GET",
  to_method: "POST"
  }
  ],

• Out of the box, tyk will ship with HA settings enabled where possible (this means using the new non-transactional rate limiter)

• Added a new concept called "Partitioned Policies", with policies that are partitioned, only sections of the policy will be applied to the underlying token so that tokens can be generated with a dynamic ACL, but still subscribe to a fixed quota and rate limit level. THIS MEANS THAT THE TOKEN MUST HAVE A FULL SET OF ACL RULES AND QUOTAS BEFORE USING AND PARTITIONED POLICIES ARE NOT SUITABLE FOR PORTAL USE.

To set up a partitioned policy

Add the following section to the policy object:

"partitions": {
    "quota": false,
    "rate_limit": false,
    "acl": false
}

Then set the partitions that you want to overwrite to "true", the partitions that are marked as true will then be applied to the token instead of the full policy.

• Added context variable support, this middleware will extract the path, the path parts (break on /), and try to pull all form-related data (url-form-encoded or query string params) and put them into a context variable that is available to other middleware. Currently this is only integrated with the body transform middleware as _tyk_context. To enable set "enable_context_vars": true in the API Definition. Transform sample:

Path: {{._tyk_context.path}}

Path Elements:
{{ range $i, $v := ._tyk_context.path_parts }}
--> {{$v}}
{{ end }}

Form/QueryString Data: {{._tyk_context.request_data}} 
Token: {{._tyk_context.token}}

• Context variables also available in headers using $tyk_context. namespace
• WARNING: POTENTIALLY BREAKING CHANGE: Flush interval is now in milliseconds, not seconds, before upgrading, if you are using flush interval, make sure that the value has been updated.
• Context variables also available in URL rewriter
• Added Websockets support (beta), websockets can now be proxied like a regular HTP request, tyk will detect the upgrade and initiate a proxy to the upstream websocket host. This can be TLS enabled and Tyk can proxy over HTTPS -> WSS upstream.
• Websockets execute at the end of the middleware chain, so all the benefits of CB and auth middleware can be enabled (within the limits of the WebSockets protocol)
• No analytics are gatthered for these requests, but rate limiting, quotas and auth will work fully for initial connection requsts (e.g . to prevent connection flooding)

Tyk Analytics v0.9.7.3 - Email Driver Patch Update

This is a mini-release that integrates the email driver changes to support more email back ends such as SendGrid, Mailgun and Amazon SES:

SendGrid

"email_backend": {
        "enable_email_notifications": true,
        "code": "sendgrid",
        "settings": {
            "ClientKey": "KEY"
        },
        "default_from_email": "[email protected]",
        "default_from_name": "A guy at a place"
},

MailGun

"email_backend": {
        "enable_email_notifications": true,
        "code": "mailgun",
        "settings": {
            "Domain": "KEY",
            "PrivateKey": "KEY",
            "PublicKey": "KEY"
        },
        "default_from_email": "[email protected]",
        "default_from_name": "A guy at a place"
},

AmazonSES

"email_backend": {
        "enable_email_notifications": true,
        "code": "amazonses",
        "settings": {
            "Endpoint": "Endpoint",
            "AccessKeyId": "Access-key",
            "SecretAccessKey": "KEY"
        },
        "default_from_email": "[email protected]",
        "default_from_name": "A guy at a place"
},

Security Release v1.9.1.1 & 0.9.7.2

This is a security release to address CVE-2015-8618

Updates are available via our package repository as usual for easy upgrade an installation. Tarballs attached to this release.

Changelog:

• Fixes potential security issue with TLS on 32-bit systems (CVE-2015-8618)
• IP Whitelisting now supports CIDR-notation for IP ranges
• Recompiled Gateway, Dashboard and Host Manager binary with Go 1.5.3

Upgrade Notes:

Should be an in-place upgrade, no changes necessary.

Tyk Bugfix Release v1.9.1 & Tyk Dashboard v0.9.7.1

Tyk Gateway 1.9.1

This is a drop-in replacement, you should be able to either just switch the binaries or update the package (make sure to backup your configurations!)

• Added new feature: Detailed logging, enable by setting analytics_config.enable_detailed_recording to true, two new fields will be added to analytics data: rawRequest and rawResponse, these will be in wire format and are NOT anonymised. This adds additional processing complexity to request throughput so could degrade performance.
• Added a check for connection failures
• Updating a key with a quota reset set to true will also remove any rate limit sentinels
• URL Rewrites and cache interactions now work properly, although you need to define the cached entry as the rewritten pattern in a seperate entry.
• Org quotas monitors now only fire when the renewal is in the future, not the past.
• Fixed bug where quotas would not reset (regression introduced by switch to Redis Cluster), Tyk will automatically correct quota entries that are incorrect. No additional changes should be required
• Using golang builtins for time checking

Tyk Dashboard v0.9.7.1

• Fixed FF logout bug (301 redirects were being cached in browser)
• Added SSO endpoints for portal and dashboard for Identity Broker

Tyk Gateway v1.9 and Tyk Dashboard v0.9.7

In version 1.9 we have focused extensively on two things: Improved and expanded data and ease of deployment.

Ease of deployment

Tyk is already pretty easy to deploy, being a single binary that can be dropped into a system and run right there and then without any compilation, interpreters or dependencies.

We've been speaking to our clients' DevOps teams, and one thing they particularly enjoy seeing is a secure, effective and reliable pattern for deploying third-party applications to their systems.

The other thing we've heard a lot of feedback about is the host maanger, and how having NGinX as a dependency is limiting as it's "another moving part".

What have we done to address these things?

We got rid of the host manager Tyk no longer needs the host manager in order to route domains to their underlying services or portals. As of v1.9 you can configure a domain for:

• The Tyk gateway itself (catch-all)
• The dashboard
• The control API (for secure access)
• On a per-API basis
• On a per-portal basis

All form within the dashboard or the configuration files.

And if you are running the full Tyk stack on a single instance, then we've made it easy for users to use Tyk the same way we used to use NginX - by having the Tyk nodes proxy the domain for the portal to the relevant organisation portal pages just like any other API.

We've standardised our deployment packages* As of v1.9 Tyk ships as DEB and signed RPM packages, and are provided to end-users using our GPG-signed package repository. This means that you can use APT or YUM to install Tyk and Tyk Dashboard to your servers in a repeatable and industry standard way.

We've also gone a step further and have provided init scripts for Upstart, SysV and Systemd, which means starting and stopping Tyk is as simple as sudo service tyk-gateway start|stop|restart|status.

We think that these two changes make it much easier for you to install, setup, manage and deploy Tyk ro any Linux distribution. We have signed repositories for Ubuntu LTS releases, Red Hat Enterprise Linux 6 and 7, and Debian Jessie.

We'll still provide the tarballs to manually install tyk on our Github Repo page, but encourage users to use our package repositories to install Tyk on supported systems.

Improved Data

This version of tyk introduces a new feature: Uptime Awareness, with this feature, we have your tyk nodes actively poll your endpoints with specific uptime tests. Over time, Tyk collects analytics on Latency, errors and overall availability. Providing a granular view in your dashbaord to dig deeper into failures and issues.

We've made this feature as flexible as possible, enabling you to configure these tests dynamically using Service Discovery tools such as etcd or consul, while also making it possible to hook up "Host Up" and "Host Down" events to webhooks or custom javascript applications to interact with, and react to, any incidents in your infrastructure.

When enabled, Tyk can integrate this feature with it's round-robin load-balancing to remove unhealthy hosts from circulation until they come back on-line.

Bug fixes and UX

We've overhauled the dashboard UX, making it more robust and a little faster / easier to use. The biggest change is in how we render the graphs, whih we hope you enjoy.

We've spent a lot of time fixing bugs, improving logger output and overall trying to make things more robust, performant and better.

As always, we're open to feedback on our Github repo, or in our Community forum.

ChangeLog v1.9

• Gateway Mongo Driver updated to be compatible with MongoDB v3.0

• Fixed OAuth client listings with redis cluster

• Some latency improvements

• Key detection now checks a local in-memory cache before reaching out to Redis, keys are cached for 10 seconds, with a 5 second purge rate (so a maximum key existence of 15s). Policies will still take instant effect on keys

• key session cache is configurable, set local_session_cache.cached_session_timeout (default 10) and local_session_cache.cached_session_eviction (default 5) to the cache ttl and eviction scan times

• key session cache can be disabled: local_session_cache.disable_cached_session_state

• Test update to reduce number of errors, cleaner output

• Healthcheck data now stored in a sorted set, much cleaner and faster, now works with redis cluster!

• Bug fixed: Empty or invalid listen path no longer crashes proxy

• Bug fixed: Basic Auth (and Oauth BA) passwords are now hashed, this is backward compatible, plaintext passwords will still work

• OAuth access token expiry can now be set (in seconds) in the tyk.conf file using oauth_token_expire:3600

• Proxy now records accurate status codes for upstream requests for better error reporting

• Added refresh token invalidation API: DELETE /tyk/oauth/refresh/{key}?api_id={api_id}

• Global header injection now works, can be enabled on a per-version basis by adding global_headers:{"header_name": "header value"} to the version object in the API Definition, global injections also supports key metadata variables.

• Global header deletion now works: add "global_headers_remove":["header_name", "header_name"] to your version object

• Added request size limiter, request size limiter middleware will insist on content-length to be set, and check first against content-length value, and then actual request size value. To implement, add this to your version info:

  "size_limits": [
      {
        "path": "widget/id",
        "method": "PUT",
        "size_limit": 25
      }
   ]
  

• Request size limits can also be enforced globally, these are checked first, to implement, add "global_size_limit": 30 to your version data.

• Adding a key_expires_in: seconds property to a policy definition will cause any key that is created or added using this policy to have a finite lifetime, it will expire in now()+key_expiry seconds, handy for free trials

• Dependency update (logrus)

• Added support for JSON Web Token (JWT), currently HMAC Signing and RSA Public/Private key signing is supported. To enable JWT on an API, add "enable_jwt": true, to your API Definition. Then set your tokens up with these new fields when you create them:

  "jwt_data": {
      "secret": "Secret"
  }
  

• HMAC JWT secrets can be any string, but the secret is shared. RSA secrets must be a PEM encoded PKCS1 or PKCS8 RSA private key, these can be generated on a linux box using:

  openssl genrsa -out key.rsa
  openssl rsa -in key.rsa -pubout > key.rsa.pub

• Tyk JWT's MUST use the "kid" header attribute, as this is the internal access token (when creating a key) that is used to set the rate limits, policies and quotas for the user. The benefit here is that if RSA is used, then al that is stored in a Tyk installation that uses hashed keys is the hashed ID of the end user and their public key, and so very secure.

• Fixed OAuth Password flow bug where a user could generate more than one token for the same API

• Added realtime uptime monitoring, uptime monitoring means you can create a series of check requests for your upstream hosts (they do not need to be the same as the APIs being managed), and have the gateway poll them for uptime, if a host goes down (non-200 code or TCP Error) then an Event is fired (HostDown), when it goes back up again another event is fired (HostUp), this can be combined with the webhook feature for realtime alerts

• Realtime monitoring also records statistics to the database so they can be analysed or graphed later

• Real time monitoring can also be hooked into the load balancer to have the load balancer skip bad hosts for dynamic configuration

• When hosts go up and down, sentinels are activated in Redis so all nodes in a Tyk cluster can benefit

• Only one Tyk node will ever do the polling, they use a rudimentary capture-the-flag redis key to identify who is the uptime tester

• Monitoring can also be disabled if you want a non-active node to manage uptime tests and analytics purging

• The uptime test list can be refreshed live by hot-reloading Tyk

• Active monitoring can be used together with Circuit breaker to have the circuit breaker manage failing methods, while the uptime test can take a whole host offline if it becomes unresponsive

• To configure uptime tests, in your tyk.conf:

  "uptime_tests": {
      "disable": false, // disable uptime tests on the node completely
      "config": {
          "enable_uptime_analytics": true,
          "failure_trigger_sample_size": 1,
          "time_wait": 5,
          "checker_pool_size": 50
      }
  }
  

• Check lists usually sit with API configurations, so in your API Definition:

  uptime_tests: {
      check_list: [
        {
          "url": "http://google.com:3000/"
        },
        {
          "url": "http://posttestserver.com/post.php?dir=tyk-checker-target-test&beep=boop",
          "method": "POST",
          "headers": {
            "this": "that",
            "more": "beans"
          },
          "body": "VEhJUyBJUyBBIEJPRFkgT0JKRUNUIFRFWFQNCg0KTW9yZSBzdHVmZiBoZXJl"
        }
      ]
    },
  

• The body is base64 encoded in the second example, the first example will perform a simple GET, NOTE: using the simplified form will not enforce a timeout, while the more verbose form will fail with a 500ms timeout.

• Uptime tests can be configured from a service (e.g. etcd or consul), simply set this up in the API Definition (this is etcd):

  "uptime_tests": {
      "check_list": [],
      "config": {
        "recheck_wait": 12,
        "service_discovery": {
          "use_discovery_service": true,
          "query_endpoint": "http://127.0.0.1:4001/v2/keys/uptimeTest",
          "data_path": "node.value"
        }
      }
  },
  

• Uptime tests by service discovery will load initially from the endpoint, it will not re-poll the service until it detects an error, at which point it will schedule a reload of the endpoint data. If used ...

HOTFIX: JSVM Bug (Vpath)

Fixes a bug in the JSVM with concurrently running code