forked from envoyproxy/envoy
-
Notifications
You must be signed in to change notification settings - Fork 0
/
1.18.4.yaml
43 lines (40 loc) · 2.42 KB
/
1.18.4.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
date: August 24, 2021
minor_behavior_changes:
- area: http
change: |
disable the integration between :ref:`ExtensionWithMatcher
<envoy_v3_api_msg_extensions.common.matching.v3.ExtensionWithMatcher>` and HTTP filters by default to reflects its
experimental status. This feature can be enabled by seting ``envoy.reloadable_features.experimental_matching_api`` to
true.
- area: http
change: |
reject requests with \#fragment in the URI path. The fragment is not allowed to be part of request URI according to
RFC3986 (3.5), RFC7230 (5.1) and RFC 7540 (8.1.2.3). Rejection of requests can be changed to stripping the \#fragment
instead by setting the runtime guard ``envoy.reloadable_features.http_reject_path_with_fragment`` to false. This
behavior can further be changed to the deprecated behavior of keeping the fragment by setting the runtime guard
``envoy.reloadable_features.http_strip_fragment_from_path_unsafe_if_disabled``. This runtime guard must only be set to
false when existing non-compliant traffic relies on \#fragment in URI. When this option is enabled, Envoy request
authorization extensions may be bypassed. This override and its associated behavior will be decommissioned after the
standard deprecation period.
- area: http
change: |
stop processing pending H/2 frames if connection transitioned to a closed state. This behavior can be temporarily
reverted by setting the ``envoy.reloadable_features.skip_dispatching_frames_for_closed_connection`` to false.
bug_fixes:
- area: ext_authz
change: |
fix the ext_authz filter to correctly merge multiple same headers using the ``,`` as separator in the check request to
the external authorization service.
- area: http
change: |
limit use of deferred resets in the http2 codec to server-side connections. Use of deferred reset for client connections
can result in incorrect behavior and performance problems.
- area: jwt_authn
change: |
unauthorized responses now correctly include a ``www-authenticate`` header.
new_features:
- area: listener
change: |
added an option when balancing across active listeners and wildcard matching is used to return the listener that matches
the IP family type associated with the listener's socket address. It is off by default, but is turned on by default in
v1.19. To set change the runtime guard ``envoy.reloadable_features.listener_wildcard_match_ip_family`` to true.