@thibaultcha released this May 2, 2017 · 843 commits to master since this release


Changed

  • The Kong DNS resolver now honors the MAXNS setting (3) when parsing the
    nameservers specified in resolv.conf.
  • Kong now matches incoming requests via the $request_uri property, instead
    of $uri, in order to better handle percent-encoded URIs. A more detailed
    explanation will be included in the below "Fixed" section.
  • Upstream calls do not unconditionally include a trailing / anymore. See the
    below "Added" section for more details.
  • Admin API:
    • The "active targets" endpoint now only returns the most recent nonzero
      weight Targets, instead of all nonzero weight targets. This is to provide
      a better picture of the Targets currently in use by the Kong load balancer.


Added

  • 🎆 Plugins can implement a new rewrite handler to execute code in
    the Nginx rewrite phase. This phase is executed prior to matching a
    registered Kong API, and prior to any authentication plugin. As such, only
    global plugins (neither tied to an API nor Consumer) will execute this phase.
  • Ability for the client to choose whether the upstream request (Kong <->
    upstream) should contain a trailing slash in its URI. Prior to this change,
    Kong 0.10 would unconditionally append a trailing slash to all upstream
    requests. The added functionality is described in
    #2211, and was implemented in
  • Ability to hide Kong-specific response headers. Two new configuration fields:
    server_tokens and latency_tokens will respectively toggle whether the
    Server and X-Kong-*-Latency headers should be sent to downstream clients.
  • New cassandra_schema_consensus_timeout configuration property, to allow for
    Kong to wait for the schema consensus of your Cassandra cluster during
  • Serf commands executed by a running Kong node are now logged in the Nginx
    error logs with a DEBUG level.
  • Ensure the required shared dictionaries are defined in the Nginx
    configuration. This will prevent custom Nginx templates from potentially
    resulting in a breaking upgrade for users.
  • Admin API:
    • Target Objects can now be deleted with their ID as well as their name. The
      endpoint becomes: /upstreams/:name_or_id/targets/:target_or_id.
  • Plugins:
    • 🎆 New Request termination plugin. This plugin allows you to
      temporarily disable an API and return a pre-configured response status and
      body to your client. Useful for use-cases such as maintenance mode for your
      upstream services. Thanks to @pauldaustin
      for the contribution.
    • Logging plugins: The produced logs include two new fields: a consumer
      field, which contains the properties of the authenticated Consumer
      (id, custom_id, and username), if any, and a tries field, which
      includes the upstream connection successes and failures of the load-
    • http-log: Now sets an upstream HTTP basic access authentication header if
      the configured conf.http_endpoint parameter includes an authentication
      section. Thanks @amir for the contribution.
    • file-log: New config.reopen property to close and reopen the log file on
      every request, in order to effectively rotate the logs.
    • jwt: Returns 401 Unauthorized on invalid claims instead of the previous
      403 Forbidden status.
    • key-auth: Allow setting API key header names with an underscore.
    • cors: When config.credentials = true, we do not send an ACAO header with
      value *. The ACAO header value will be that of the request's Origin:
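
The cors change above, modelled as an added example (not Kong's plugin code): it picks the Access-Control-Allow-Origin value and runs the check a browser applies to the response. The function names, the `config_origin` parameter, the `Vary` header and the sample origins are assumptions of this sketch.

```python
# Added illustration (not Kong's plugin code). Names are assumptions.

# Constructed response showing the pairing the change above avoids.
WILDCARD_WITH_CREDENTIALS = {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
}


def cors_headers(credentials, request_origin, config_origin="*"):
    """Return the CORS response headers for one request."""
    if config_origin != "*":
        acao, echoed = config_origin, False      # fixed, explicit origin
    elif not credentials:
        acao, echoed = "*", False                # wildcard is fine here
    else:
        acao, echoed = request_origin, True      # echo the caller's Origin

    headers = {}
    if acao:
        headers["Access-Control-Allow-Origin"] = acao
        if echoed:
            # The response now differs per Origin, so caches must key on it.
            headers["Vary"] = "Origin"
        if credentials:
            headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def browser_accepts(headers, request_origin, with_credentials):
    """CORS check a browser applies to a response (Fetch standard)."""
    acao = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if not with_credentials:
        return acao in ("*", request_origin)
    # Credentialed request: "*" is refused and the allow flag must be "true".
    return (acao == request_origin
            and headers.get("Access-Control-Allow-Credentials") == "true")
```

Echoing the Origin with credentials enabled lets any site that sends an Origin read credentialed responses, so an API that relies on cookies or HTTP authentication is better served by an explicit origin than by the wildcard.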


Fixed

  • Upstream connections over TLS now set their Client Hello SNI field. The SNI
    value is taken from the upstream Host header value, and thus also depends
    on the preserve_host setting of your API. Thanks
    @konrade for the original patch.
  • Correctly match APIs with percent-encoded URIs in their uris property.
    Generally, this change also avoids normalizing (and thus, potentially
    altering) the request URI when trying to match an API's uris value. Instead
    of relying on the Nginx $uri variable, we now use $request_uri.
  • Handle a routing edge-case under some conditions with the uris matching
    rule of APIs that would falsely lead Kong into believing no API was matched
    for what would actually be a valid request.
  • If no API was configured with a hosts matching rule, then the
    preserve_host flag would never be honored.
  • CNAME records are now properly being cached by the DNS resolver. This results
    in a performance improvement over previous 0.10 versions.
  • When using Cassandra, some migrations would not be performed on the same
    coordinator as the one originally chosen. The same migrations would also
    require a response from other replicas in a cluster, but were not waiting
    for a schema consensus beforehand, causing non-deterministic failures in the
    migrations, especially if the cluster's inter-node communication is slow.
  • The cassandra_timeout configuration property is now correctly taken into
    consideration by Kong.
  • Correctly trigger plugins configured on the anonymous Consumer for anonymous
    requests (from auth plugins with the new config.anonymous parameter).
  • When multiple auth plugins were configured with the recent config.anonymous
    parameter for "OR" authentication, such plugins would override each other's
    results and response headers, causing false negatives.
  • Ensure the cassandra_contact_points property does not contain any port
    information. Those should be specified in cassandra_port. Thanks
    @Vermeille for the contribution.
  • Prevent an upstream or legitimate internal error in the load balancing code
    from throwing a Lua-land error as well.
  • Allow backwards compatibility with custom Nginx configurations that still
    define the resolver ${{DNS_RESOLVER}} directive. Values from the Kong
    dns_resolver property will be flattened to a string and appended to the
  • Plugins:
    • hmac: Better handling of invalid base64-encoded signatures. Previously Kong
      would return an HTTP 500 error. We now properly return HTTP 403 Forbidden.
  • Admin API:
    • Detect conflicts between SNI Objects in the /snis and /certificates
    • The /certificates route used to not return the total and data JSON
      fields. We now send those fields back instead of a root list of certificate
    • Endpoints with path parameters like /xxx_or_id will now also yield the
      proper result if the xxx field is formatted as a UUID. Most notably, this
      fixes a problem for Consumers whose username is a UUID, that could not be
      found when requesting /consumers/{username_as_uuid}.
    • The "active targets" endpoint does not require a trailing slash anymore.
    • Upstream Objects can now be deleted properly when using Cassandra.
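
The $uri versus $request_uri item above, as an added example (not Kong's router code): it matches the same request against an API's uris value twice, once on an approximation of the normalized $uri and once on the raw $request_uri path. The normalization covers only percent-decoding and slash merging, and the longest-prefix matcher, function names and API table are constructed for this sketch.

```python
# Added illustration (not Kong's router). Names and data are constructed.
import re
from urllib.parse import unquote

# Constructed API table: name -> uris prefix as stored in the configuration.
APIS = {"reports": "/reports%20v2", "files": "/files"}


def raw_path(request_uri):
    """$request_uri as the client sent it, minus the query string."""
    return request_uri.split("?", 1)[0]


def nginx_like_uri(request_uri):
    """Approximate $uri: percent-decode the path, then merge slashes."""
    return re.sub(r"/{2,}", "/", unquote(raw_path(request_uri)))


def match_api(path, apis=APIS):
    """Return the API whose uris prefix is the longest match, or None."""
    best = None
    for name, prefix in apis.items():
        hit = path == prefix or path.startswith(prefix.rstrip("/") + "/")
        if hit and (best is None or len(prefix) > len(apis[best])):
            best = name
    return best


def compare(request_uri, apis=APIS):
    """Return (match on normalized $uri, match on raw $request_uri)."""
    return (match_api(nginx_like_uri(request_uri), apis),
            match_api(raw_path(request_uri), apis))
```

With the constructed table, a request for `/reports%20v2/2017?x=1` finds no API on the normalized path but matches `reports` on the raw one, and `/files/a%2Fb.txt` keeps its encoded slash only in the raw form.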