1.17.4 (Aug 24, 2021)

    Minor Behavior Changes

    Changes that may cause incompatibilities for some users, but should not for most

    • http: reject requests with #fragment in the URI path. The fragment is not allowed to be part of request URI according to RFC3986 (3.5), RFC7230 (5.1) and RFC 7540 (8.1.2.3). Rejection of requests can be changed to stripping the #fragment instead by setting the runtime guard envoy.reloadable_features.http_reject_path_with_fragment to false. This behavior can further be changed to the deprecated behavior of keeping the fragment by setting the runtime guard envoy.reloadable_features.http_strip_fragment_from_path_unsafe_if_disabled. This runtime guard must only be set to false when existing non-compliant traffic relies on #fragment in URI. When this option is enabled, Envoy request authorization extensions may be bypassed. This override and its associated behavior will be decommissioned after the standard deprecation period.

    • jwt_authn: unauthorized responses now correctly include a www-authenticate header.

    Removed Config or Runtime

    • listener: added an option when balancing across active listeners and wildcard matching is used to return the listener that matches the IP family type associated with the listener’s socket address. It is off by default, but is turned on by default in v1.19. To set change the runtime guard envoy.reloadable_features.listener_wildcard_match_ip_family to true.

    Deprecated