CHANGELOG.md

Couper Changelog

Unreleased

Unreleased changes are available as avenga/couper:edge container.

• Added

  • Accept: application/json request header to the OAuth2 token request, in order to make the Github token endpoint respond with a JSON token response (#307)
  • Documentation of logs (#310)
  • signing_ttl and signing_key/signing_key_file to jwt block for use with jwt_sign() function (#309)
  • jwks_url and jwks_ttl to jwt block (#312)

• Changed

  • Organized log format fields for uniform access and upstream log (#300)
  • claims in a jwt block are now evaluated per request, so that request properties can be used as required claim values (#314)

• Fixed

  • Key for storing and reading OpenID configuration (#319)

• Beta

  • beta_scope_claim attribute to jwt block; beta_scope attribute to api and endpoint blocks; error types beta_operation_denied and beta_insufficient_scope (#315)
  • beta_role_claim and beta_role_map attributes to jwt block (#325)

---

1.4

Release date: 2021-08-26

This release introduces Beta Features. We use beta features to develop and experiment with new, complex features for you while still being able to maintain our compatibility promise. You can see beta features as a feature preview. To make users aware that a beta feature is used their configuration items are prefixed with beta_.

The first beta features incorporate the OAuth2 functionality into the Access Control capabilities of Couper. The beta_oauth2 {} block implements OAuth2 Authorization Code Grant Flows. The companion block beta_oidc {} implements OIDC, which allows simple integration of 3rd-party systems such as Google, Github or Keycloak for SSO (Single-Sign-On).

Together with transparent Websockets support that you can enable in your proxy {} block, you can guard existing Web applications with Couper via OIDC.

To aid observability of your setups, Couper sends its request ID as the Couper-Request-Id HTTP header in both backend requests and client responses. This makes it possible to trace events and correlate logs throughout the service chain. Couper can also accept a request ID generated by a downstream system like for example a load balancer. Like all settings, these can be configured in the config, as command line flag or via environment variables.

Load balancers or ingress services often provide X-Forwarded-Host headers. Couper can be configured to use these to change the properties of the request variable. This allows a Couper configuration to adapt to the run time enviroment, for example to create a back link for OIDC or SAML authorization requests with the request.origin variable.

If your applications are running in multiple setups, like testing and production environments, there will likely be more parameters that you want to have configurable. Backend origins, user names, credentials, timeouts, all that could be nice to be changed without a new deployment. Couper supports using environment variables with env.VAR-like expressions. Now, Couper can also provide default values for those variables. This makes it easy to have values configurable without the need to provide values outside of Couper (e.g. in Kubernetes). Our env vars example shows that in action.

• Added

  • environment_variables map in the defaults block to define default values for environment variables (#271)
  • https-dev-proxy option creates a TLS server listing on the given TLS port. Requests are forwarded to the given server port. The certificate is generated on-the-fly. This function is intended for local development setups to support browser features requiring HTTPS connections, such as secure cookies. (#281)
  • websockets option in proxy block enables transparent websocket support when proxying to upstream backends (#198)
  • Client request variables request.url, request.origin, request.protocol, request.host and request.port (#255)
  • Run option -accept-forwarded-url and setting accept_forwarded_url to accept proto, host, or port from X-Forwarded-Proto, X-Forwarded-Host or X-Forwarded-Port request headers (#255)
  • Couper sends its request ID as Couper-Request-Id HTTP header in backend requests and client responses. This can be configured with the request_id_backend_header and request_id_client_header settings (#268)
  • request_id_accept_from_header setting configures Couper to use a downstream request ID instead of generating its own in order to help correlating log events accross services (#268)
  • couper.version variable (#274)
  • protocol, host, port, origin, body, json_body to backend_requests variable (#278)
  • Locking to avoid concurrent requests to renew OAuth2 Client Credentials access tokens (#270)
  • log-level in the settings block to define when a log is printed (#306)

• Changed

  • The sp_acs_url in the SAML Block may now be relative (#265)

• Fixed

  • No GZIP compression for small response bodies (#186)
  • Missing error type for request/response body, json_body or form_body related HCL evaluation errors (#276)
  • request.url and backend_requests.<label>.url now contain a query string if present (#278)
  • backend_responses.<label>.status is now integer (#278)
  • backend_requests.<label>.form_body was always empty (#278)
  • Documentation of request.query.<name> (#278)
  • Missing access log on some error cases (#267)
  • Panic during backend origin / url usage with previous parse error (#206)
  • Basic Auth did not work if only the htpasswd_file attribute was defined (#293)
  • Missing error handling for backend gzip header reads (#291)
  • ResponseWriter fallback for possible statusCode 0 writes (#291)
  • ResponseWriter buffer behaviour; prepared chunk writes (#301)
  • Proper client-request canceling (#294)

• Beta

  • OAuth2 Authorization Code Grant Flow: beta_oauth2 {} block; beta_oauth_authorization_url() and beta_oauth_verifier() (#247)
  • OIDC Authorization Code Grant Flow: beta_oidc {} block (#273)

1.3.1

• Changed

  • Error log-level for upstream responses with status 500 to Info log-level (#258)

• Fixed

  • Missing support for set_response_status within a plain error_handler block (#257)
  • Panic in jwt_sign() and saml_sso_url() functions without proper configuration (#243)

1.3

• Added

  • Modifier (set/add/remove_form_params) for the form parameters (#223)
  • Modifier (set_response_status) to be able to modify the response HTTP status code (#250)

• Changed

  • Stronger configuration check for path and path_prefix attributes, possibly resulting in configuration errors (#232)
  • Modifier (set/add/remove_response_headers) is available for api, files, server and spa block, too (#248)

• Fixed

  • The path field in the backend log (#232)
  • Upstream requests with a known body-size have a Content-Length HTTP header field instead of Transfer-Encoding: chunked (#163)
  • Exit endpoint if an error is occurred in request or proxy instead of processing a defined response (#233)

1.2

Release date: 2021-05-19

The most important feature of Couper 1.2 is the introduction of custom error handling in form of the error_handler block. You can now register error handlers for error types. Instead of the standard error_file template, you can flexibly respond with arbitrary responses. error_handler is allowed in access control blocks (jwt, saml2 …), where you could e.g. handle missing tokens with a redirect-to-login. In the future, error_handler will be usable in more config areas. Refer to the example if you want to see it in action.

• Added

  • error_handler block for access controls (#140)
  • backend_responses.*.body variable for accessing raw response body content (#182)
  • more oauth2 config options: scope and token_endpoint_auth_method (client_secret_basic or client_secret_post) (#219, #220)

• Changed

  • saml2 fallback to nameid-format:unspecified (#217)
  • basic_auth always responds with status code 401 (#227)
  • openapi resolves relative server URLs to the current backend origin (#230)

• Fixed

  • Fix /healthz route when called with accept-encoding: gzip (#222)
  • Don't panic over duplicate access control definitions, log error instead (#221)
  • Response for missing routes should have status code 404 (#224)
  • Fix possible race-condition with concurrent openapi validations (#231)
  • Fix use of server URLs without port in openapi (#230)

1.1.1

Release date: 2021-04-21

• Fixed
  • Endpoint responses are written and logged with correct status-code (#216)
    • affected: a plain response without any additional headers or body configuration

1.1

Release date: 2021-04-16

• Fixed

  • allow more +json mime types (#207)
    • determines if ja request/response body gets parsed and provided as json_body variable
  • missing check for empty endpoint path patterns (#211)
  • protected API (base)paths returns status 401 instead of 404 if a protected route was not found (#211)
  • jwt source config definition (#210)
  • missing inner context on context copy
  • possible panic for unhandled error template write errors (#205)
  • backend reference usage with string label (#189)
  • cli argument filtering (#204)
  • misleading jwt rsa key error (#203)
  • watch handling on stat errors (#202)

• Changed

  • Change access control validation logging (#199)
    • log the first occurred error instead of an array

• Added

  • Add OAuth2 token request retry option (#167) (#209)

1.0

Release date: 2021-04-09

• Added

  • couper help and usage documentation (#187)

• Changed

  • Ensure unique keys for set_* and add_* attributes (#183)
  • split docker entrypoint and command (#192)

• Fixed

  • Fix missing backend.origin attribute url validation (#191)

0.9

Release date: 2021-04-08

• Fixed

  • Log option for json formatted logs: (#176)
    • configured parent key applies to (almost) all log fields

• Changed

  • Change variable names to more user-friendly ones (#180):
    • req -> request
    • ctx -> context
    • bereq -> removed
    • beresp -> removed
    • bereqs -> backend_requests
    • beresps -> backend_responses
  • Log option for parent fields are 'global' now (#176)
    • COUPER_ACCESS_LOG_PARENT_FIELD, COUPER_BACKEND_LOG_PARENT_FIELD -> COUPER_LOG_PARENT_FIELD

• Added

  • watch option for given Couper configuration file (#24)
    • use -watch or via environment COUPER_WATCH=true to watch for file changes
  • log option pretty print for json log-format (#179)
    • -log-pretty to enable formatted and key colored logs

0.8

Release date: 2021-04-06

• Fixed

  • Some possible race conditions in combination with multiple proxy and/or request definitions are fixed (#157) (#160)
  • Log endpoint related recovered panics
  • CORS behaviour: result is now only dependent on the config, not the actual request; fixed Vary headers (#173)
  • Fix json type assumption (#177)
    • req.json_body result is an empty object for specific types (#165)
    • Empty json array encodes to null. (#162)
  • Fix missing string conversion for evaluated number values (#175)
  • Loading optional labels of same type
  • multiplexer behaviour with multiple servers and hosts (#161)
  • Fix missing access_control for file handler (#169)
  • 404 behaviour for access controlled endpoints: deny instead of 404 if the request matches the related base_path (#143)

• Changed

  • Rename log type for backend requests: couper_upstream -> couper_backend (#159) (#172)
  • Rename post variable to form_body (#158)

• Added

  • Add json_body attribute for request and response block (#158)
  • bytes log field to represent the body size

0.7.0

Release date: 2021-03-23

• Fixed

  • Recover from possible request/proxy related panics (#157) (#145)
  • Configuration related hcl merge with an empty attributes and nested blocks

• Changed

  • backend block attributes basic_auth, path_prefix and proxy hcl evaluation during runtime
  • request attributes hcl evaluation during runtime (#152)
  • Change configuration in combination with URL and backend.origin (#144)
    • request and proxy block can use the url attribute instead of define or reference a backend
    • same applies to oauth2.token_endpoint
  • no X-Forwarded-For header enrichment from couper proxy (#139)
  • more log context for access control related errors (#154)

• Added

  • saml 2.0 access_control support (#113)
  • Add new strip-secure-cookies setting (#147)
    • removes Secure flag from all Set-Cookie header
  • CORS support (server, files, spa) (#134)
    • previously api only
  • error_file attribute for endpoint block
  • hcl functions:
    • merge
    • url_encode
  • backend
    • OAuth2 support (#130)
      • grant_type: client_credentials
      • token memory storage with ttl
    • path_prefix attribute (#138)

0.6.1

Release date: 2021-03-15

• Fixed

  • Fix missing panic recovering for backend roundtrips (#142)
    • Fix backend timeout behaviour
    • Add a more specific error message for proxy body copy errors

• Changed

  • Couper just passes the X-Forwarded-For header if any instead of adding the client remote addr to the list (#139)

• Added

  • url_encode function for RFC 3986 string encoding (#136)

0.6

Release date: 2021-03-11

• Breaking Change
  • backend will be consumed by proxy and request as transport configuration now. The previous behaviour that backend represents a proxy functionality is removed. Also the backend block must be defined in definitions, proxy or request.
    • Config migration, add a proxy block:

endpoint "/old" {
  backend = "reference"
  # or
  backend {
    #...
  }
}
# change to:
endpoint "/new" {
  proxy {
    backend = "reference"
  }
  # or
  proxy {
    backend {
      #...
    }
  }
}

• Changed

  • Client-Request and upstream response body buffering by default
  • Server shutdown delay and deadline defaults to 0s now and can be configured via env if required
  • Websocket connection upgrades in combination with proxy {} are disabled
    • we will add a proxy option for ws usage later on

• Fixed

  • An absolute path resolving for *_file configuration attributes (#120)

• Added

  • Endpoint:
    • Add proxy block to reverse proxy the client request to the configured backend.
    • Add request block to send a simple upstream request. Docs
    • Add response block to create a custom client response. Docs
  • Add jwt_sign() function to be able to create and sign a token with a jwt_signing_profile. Docs (#112)
  • Add unixtime() function for the current unix time in seconds (#124)

• Code Refactoring

  • underlying code structure to represent an endpoint block with proxy, request and response configuration
  • hcl evaluation context as own 'container' with context.Context interface
  • test cleanups

• Dependencies

  • build with go 1.16
  • logrus to v1.8.1
  • hcl to v2.9.1
  • kin-openapi to v.0.49.0

0.5.1

Release date: 2021-02-16

• Added

  • backend:
    • a user-friendly basic_auth option
    • backend proxy url, disable_connection_reuse and http2 settings (#108)
  • version command

• Changed

  • KeepAlive 60s (#108), previously 15s
  • Reject requests which hits an endpoint with basic-auth access-control, and the configured password evaluates to an empty string (#115)

0.5

Release date: 2021-01-29

• Fixed

  • Fix missing http.Hijacker interface to be able to handle websocket upgrades (#80)

• Added

  • Add additional eval functions: coalesce, json_decode, json_encode (#105)
  • Add multi API support (#103)
  • Add free endpoints (#90)
  • Add remove_, set_ and add_headers (#98)

• Code Refactoring

  • improved internals for configuration load

• Dependencies

  • Upgrade hcl to 2.8.2
  • Upgrade go-cty module to 1.5.0
  • Upgrade logrus module to 1.7.0
  • Upgrade kin-openapi module to v0.37

0.4.2

Release date: 2021-01-19

• Fixed
  • Fix used backend hash not dependent on (hcl) config hierarchy (transport key)
  • Fix logging http scheme even without a successful tls handshake (#99)
  • Fix hcl.Body content for reference backends (#96)

0.4.1

Release date: 2021-01-18

• Fixed
  • Fix path trailing slash (#94)
  • Fix query encoding (#93)
  • Fix log_format (settings) configuration (#61)

0.4

Release date: 2021-01-13

• Added

  • url log field (#87)
  • Add proxy from env settings option (#84)
  • Add backend settings: disable_certificate_validation, max_connections (#86)

• Fixed

  • command flag filter for bool values (#85)
  • different proxy options for same origin should be part of the origin transport key

• Code Refactoring

  • configuration load and prepare related body merges on hcl level

0.3

Release date: 2020-12-15

• Added

  • build version to startup log
  • upstream request/response validation with openapi (#21) (#22)
  • request-id: uuid v4 format option #31 (#53)
  • path_params #59
  • gzip support (#66)
  • query_params (#73)
  • json_body access for request and response bodies #44 (#60)

• Changed

  • start Couper via run command now
  • internal router #59
  • docker tag behaviour on release #70 (#82)
  • request/response_headers to use set prefix (#77)
  • passing the filename to underlying hcl diagnostics
  • Dockerfile to provide simple file serving (#63)

• Fixed

  • handling cty null or unknown values during roundtrip eval #71
  • logging: start-time measurement
  • missing backend.hostname documentation (#62)

0.2

Release date: 2020-10-08

• Added

  • health check (#29)
  • Basic-Auth support (#19)
  • post (form) parsing for use in config variables (#26)
  • more documentation

• Fixed

  • wildcard path join with trailing slash and respect req path (#45)
  • env var mapping (#35)
  • JWT HMAC keys (#32)

0.1

Release date: 2020-09-11

• Added
  • Parse and load from given HCL configuration file
  • Config structs for blocks: server, api, endpoint, files, spa, definitions, jwt
  • HTTP handler implementation for api backends, files, spa and related config mappings
  • CORS handling for api endpoints
  • Access control configuration for all blocks
  • Access control type jwt with claim validation
  • Access und backend logs
  • Configurable error templates with a fallback to our defaults
  • Github actions for our continuous integration workflows
  • Dockerfile
  • Documentation