2.1.0 (2022-02-27)
Merged pull requests:
- fixes #1124 enhance the sanitizer to make the configuration separated… #1125 (stevehu)
- fixes #1122 log the stacktrace if a middleware handler is not loaded … #1123 (stevehu)
- Issue1120 #1121 (stevehu)
- fixes #1118 allow router to support serviceId from query parameters a… #1119 (stevehu)
- fixes #1116 Update the rate-limit to allow customzied the error code … #1117 (stevehu)
- fixes #1112 add Jdk8Module to the ObjectMappers in config module to h… #1113 (stevehu)
- fixes #1108 update the rule-loader to add another rule action to tran… #1109 (stevehu)
- Bump postgresql from 42.2.25 to 42.3.3 #1107 (dependabot)
- fixes #1105 disable a test case in the body handler as it is not stable #1106 (stevehu)
- Truncated Exception Fix #1104 (KalevGonvick)
- fixes #1102 update the LoggerGetLogContentHandler to return map and h… #1103 (stevehu)
- fixes #1100 remove a logging statement in the DefaultConfigLoader as … #1101 (stevehu)
- fixes #1097 add isNumeric to StringUtils in the utility #1098 (stevehu)
- Bump postgresql from 9.4.1211 to 42.2.25 #1095 (dependabot)
- Issue1093 #1094 (stevehu)
- fixes #1091 update the default rate limit concurrent requests to 2 fr… #1092 (stevehu)
- fixes #1089 update audit status key from Status to status #1090 (stevehu)
- fixes #1087 externalize rate-limit, header and whitelist-ip config files #1088 (stevehu)
- Bump h2 from 2.0.206 to 2.1.210 #1086 (dependabot)
- fixes #1084 update the DefaultConfigLoader to get the values.yml from… #1085 (stevehu)
- Bump httpclient from 4.5.6 to 4.5.13 #1077 (dependabot)
- Bump h2 from 1.4.196 to 2.0.206 #1083 (dependabot)
- fixes #1081 update the ClaimsUtil to name the service id claim with s… #1082 (stevehu)
- fixes #1079 add method and path to the method not found error message #1080 (stevehu)
- fixes #1075 Add rule-loader module to support fine-grained access con… #1076 (stevehu)
- fixes #1073 update the sanitizer.yml to externalize properties for va… #1074 (stevehu)
- fixes #1071 externalize jaeger-tracing configuration properties #1072 (stevehu)
- fixes #1069 update server.yml to externalize server.ip #1070 (stevehu)
- fixes #1067 update the SignKeyRequest to get the proxy info from the … #1068 (stevehu)
- fixes #1065 Turn off hostname verification for OAuthHelper based on t… #1066 (stevehu)
- change promethus config to be extendable #1064 (GavinChenYan)
- fixes #1061 #1062 (GavinChenYan)
- Issue1059 #1060 (stevehu)
- fixes #1057 add ProxyHealthGetHandler in ingress-proxy for the http-s… #1058 (stevehu)
- fixes #1053 update the pom.xml and jaeger-client dependency to avoid … #1054 (stevehu)
- Issue 1048 #1051 (stevehu)
- max json payload for proxy which using buffer stream #1050 (GavinChenYan)
- fixes #1048 update ProxyBodyHandler to handle the data form and add t… #1049 (stevehu)
- add other contentType for proxy body handler #1047 (GavinChenYan)
Upgrade Guidelines:
The following middleware handlers have been changed in this release and the config file needs to be updated to leverage the new features.
- config.yml
For this release, we have set the default value to true for allowDefaultValueEmpty so that an empty value can be used in the template for other config files.
# For some configuration files, we have left some properties without default values as there
# would be a negative impact on the application security. The following config will ensure that
# null will be used when the default value is empty without stopping the server during the start.
allowDefaultValueEmpty: true
- limit.yml
The errorCode is newly added to allow the users to customize the error response if the request is dropped. By default, code 503 is returned.
# If the rate limit is exposed to the Internet to prevent DDoS attacks, it will return 503
# error code to trick the DDoS client/tool to stop the attacks as it considers the server
# is down. However, if the rate limit is used internally to throttle the client requests to
# protect a slow backend API, it will return 429 error code to indicate too many requests
# for the client to wait a grace period to resent the request. By default, 503 is returned.
errorCode: ${limit.errorCode:503}
- sanitizer.yml
This file is changed a lot so that we can set up the encoders for both body and header separately.
---
# Sanitize request for cross-site scripting during runtime
# indicate if sanitizer is enabled or not
enabled: ${sanitizer.enabled:false}
# if it is enabled, the body needs to be sanitized
bodyEnabled: ${sanitizer.bodyEnabled:true}
# the encoder for the body. javascript, javascript-attribute, javascript-block or javascript-source
# There are other encoders that you can choose depending on your requirement. Please refer to site
# https://github.com/OWASP/owasp-java-encoder/blob/main/core/src/main/java/org/owasp/encoder/Encoders.java
bodyEncoder: ${sanitizer.bodyEncoder:javascript-source}
# pick up a list of keys to encode the values to limit the scope to only selected keys. You can
# choose this option if you want to only encode certain fields in the body. When this option is
# selected, you can not use the bodyAttributesToIgnore list.
bodyAttributesToEncode: ${sanitizer.bodyAttributesToEncode:}
# pick up a list of keys to ignore the values encoding to skip some of the values so that these
# values won't be encoded. You can choose this option if you want to encode everything except
# several values with a list of the keys. When this option is selected, you can not use the
# bodyAttributesToEncode list.
bodyAttributesToIgnore: ${sanitizer.bodyAttributesToIgnore:}
# if it is enabled, the header needs to be sanitized
headerEnabled: ${sanitizer.headerEnabled:true}
# the encoder for the header. javascript, javascript-attribute, javascript-block or javascript-source
# There are other encoders that you can choose depending on your requirement. Please refer to site
# https://github.com/OWASP/owasp-java-encoder/blob/main/core/src/main/java/org/owasp/encoder/Encoders.java
headerEncoder: ${sanitizer.headerEncoder:javascript-attribute}
# pick up a list of keys to encode the values to limit the scope to only selected keys. You can
# choose this option if you want to only encode certain fields in the body. When this option is
# selected, you can not use the headerAttributesToIgnore list.
headerAttributesToEncode: ${sanitizer.headerAttributesToEncode:}
# pick up a list of keys to ignore the values encoding to skip some of the values so that these
# values won't be encoded. You can choose this option if you want to encode everything except
# several values with a list of the keys. When this option is selected, you can not use the
# headerAttributesToEncode list.
headerAttributesToIgnore: ${sanitizer.headerAttributesToIgnore:}
router.yml
The router config in egress-router has been changed to add the query parameter for service_id and URL rewrite rules.
# support serviceId in the query parameter for routing to overwrite serviceId in header routing.
# by default, it is false and shouldn't be used unless you are dealing with a legacy client that
# doesn't support header manipulation. Once this flag is true, we are going to overwrite the header
# service_id derived with other handlers from the prefix, path, endpoint etc.
serviceIdQueryParameter: ${router.serviceIdQueryParameter:false}
# URL rewrite rules, each line will have two parts: the regex pattern and replace string separated
# with a space. The light-router has service discovery for host routing, so when working on the
# url rewrite rules, we only need to create about the path in the URL.
# Test your rules at https://www.freeformatter.com/java-regex-tester.html#ad-output
urlRewriteRules: ${router.urlRewriteRules:}