-
Improved proxy performance by refactoring internal hooking mechanism. #12784 KAG-3653
-
Sped up the router matching when the
router_flavor
istraditional_compatible
orexpressions
. #12467 KAG-3653
- AI Proxy: To support the new messages API of
Anthropic
, the upstream path of theAnthropic
forllm/v1/chat
route type has changed from/v1/complete
to/v1/messages
. #12699 FTI-5770
-
Bumped libexpat to 2.6.2 #12910 CVE-2023 CVE-2013 CVE-2024 KAG-4331
-
Bumped lua-kong-nginx-module from 0.8.0 to 0.11.0 #12752 KAG-4050
-
Bumped lua-protobuf to 0.5.1 #12834
-
Bumped lua-resty-aws from 1.3.6 to 1.4.1 #12846 KAG-3424 FTI-5732
-
Bumped lua-resty-lmdb from 1.4.1 to 1.4.2 #12786
-
Bumped lua-resty-openssl from 1.2.0 to 1.3.1 #12665
-
Bumped PCRE from the legacy libpcre 8.45 to libpcre2 10.43 #12366 KAG-3571 KAG-3521 KAG-2025
-
Bumped penlight to 1.14.0 #12862
-
Added package
tzdata
to DEB Docker image for convenient timezone setting. #12609 FTI-5698 -
Bumped lua-resty-http to 0.17.2. #12908
-
Bumped
ngx_wasm_module
to91d447ffd0e9bb08f11cc69d1aa9128ec36b4526
#12011 -
Bumped
V8
version to12.0.267.17
#12704 -
Bumped
Wasmtime
version to19.0.0
#12011 -
Improved the robustness of lua-cjson when handling unexpected input. #12904 KAG-4275
-
TLSv1.1 and lower versions are disabled by default in OpenSSL 3.x. #12420 KAG-3259
-
Introduced
nginx_wasm_main_shm_kv
configuration parameter, which enables Wasm filters to use the Proxy-Wasm operationsget_shared_data
andset_shared_data
without namespaced keys. #12663 -
Schema: Added a deprecation field attribute to identify deprecated fields #12686 KAG-3915
-
Added the
wasm_filters
configuration parameter for enabling individual filters #12843 KAG-4211
-
Added
events:ai:response_tokens
,events:ai:prompt_tokens
andevents:ai:requests
to the anonymous report to start counting AI usage #12924 -
Improved config handling when the CP runs with the router set to the
expressions
flavor:- If mixed config is detected and a lower DP is attached to the CP, no config will be sent at all
- If the expression is invalid on the CP, no config will be sent at all
- If the expression is invalid on a lower DP, it will be sent to the DP and DP validation will catch this and communicate back to the CP (this could result in partial config application) #12967 KAG-3806
-
The route entity now supports the following fields when the
router_flavor
isexpressions
:methods
,hosts
,paths
,headers
,snis
,sources
,destinations
, andregex_priority
. The meaning of these fields are consistent with the traditional route entity. #12667 KAG-3805 KAG-3807
-
AI Proxy now reads most prompt tuning parameters from the client, while the plugin config parameters under
model_options
are now just defaults. This fixes support for using the respective provider's native SDK. #12903 KAG-4126 -
AI Proxy now has a
preserve
option forroute_type
, where the requests and responses are passed directly to the upstream LLM. This is to enable compatibility with any and all models and SDKs that may be used when calling the AI services. #12903 KAG-4126 -
Prometheus: Added workspace label to Prometheus plugin metrics. #12836 FTI-5573
-
AI Proxy: Added support for streaming event-by-event responses back to the client on supported providers. #12792 KAG-4124
-
AI Prompt Guard: Increased the maximum length of regex expressions to 500 for the allow and deny parameters. #12731 FTI-5767
-
Addded support for EdDSA algorithms in JWT plugin #12726
-
Added support for ES512, PS256, PS384, PS512 algorithms in JWT plugin #12638 KAG-3821
-
OpenTelemetry, Zipkin: The propagation module has been reworked. The new options allow better control over the configuration of tracing headers propagation. #12670 KAG-1886 KAG-1887
- Added support for debugging with EmmyLuaDebugger. This feature is a tech preview and not officially supported by Kong Inc. for now. #12899 KAG-4316
- Fixed an issue where the
pg_timeout
was overridden to60s
even if--db-timeout
was not explicitly passed in CLI arguments. #12981 KAG-4416
-
Fixed the default value in kong.conf.default documentation from 1000 to 10000 for the
upstream_keepalive_max_requests
option. #12643 KAG-3360 -
Fixed an issue where an external plugin (Go, Javascript, or Python) would fail to apply a change to the plugin config via the Admin API. #12718 KAG-3949
-
Disabled usage of the Lua DNS resolver from proxy-wasm by default. #12825 KAG-4277
-
Set security level of gRPC's TLS to 0 when
ssl_cipher_suite
is set toold
. #12613 KAG-3259
-
Fixed an issue where
POST /config?flatten_errors=1
could not return a proper response if the input included duplicate upstream targets. #12797 KAG-4144 -
DNS Client: Ignore a non-positive values on resolv.conf for options timeout, and use a default value of 2 seconds instead. #12640 FTI-5791
-
Updated the file permission of
kong.logrotate
to 644. #12629 FTI-5756 -
Fixed a problem on hybrid mode DPs, where a certificate entity configured with a vault reference may not get refreshed on time. #12868 FTI-5881
-
Fixed the missing router section for the output of the request-debugging. #12234 KAG-3438
-
Fixed an issue in the internal caching logic where mutexes could get never unlocked. #12743
-
Fixed an issue where the router didn't work correctly when the route's configuration changed. #12654 KAG-3857
-
Fixed an issue where SNI-based routing didn't work using
tls_passthrough
and thetraditional_compatible
router flavor. #12681 KAG-3922 FTI-5781 -
Fixed a bug that
X-Kong-Upstream-Status
didn't appear in the response headers even if it was set in theheaders
parameter in thekong.conf
file when the response was hit and returned by the Proxy Cache plugin. #12744 FTI-5827 -
Fixed vault initialization by postponing vault reference resolving on init_worker #12554 KAG-2907
-
Fixed a bug that allowed vault secrets to refresh even when they had no TTL set. #12877 FTI-5906 FTI-5916
-
Vault: do not use incorrect (default) workspace identifier when retrieving vault entity by prefix #12572 FTI-5762
-
Core: Fixed unexpected table nil panic in the balancer's stop_healthchecks function #12865
-
Use
-1
as the worker ID of privileged agent to avoid access issues. #12385 FTI-5707 -
Plugin Server: Fixed an issue where Kong failed to properly restart MessagePack-based pluginservers (used in Python and Javascript plugins, for example). #12582 KAG-3765
-
Reverted the hard-coded limitation of the
ngx.read_body()
API in OpenResty upstreams' new versions when downstream connections are in HTTP/2 or HTTP/3 stream modes. #12658 FTI-5766 FTI-5795 -
Each Kong cache instance now utilizes its own cluster event channel. This approach isolates cache invalidation events and reducing the generation of unnecessary worker events. #12321 FTI-5559
-
Updated telemetry collection for AI Plugins to allow multiple plugins data to be set for the same request. #12583 KAG-3759 KAG-4124
-
PDK: Fixed
kong.request.get_forwarded_port
to always return a number, which was caused by an incorrectly stored string value inngx.ctx.host_port
. #12806 KAG-4158 -
The value of
latencies.kong
in the log serializer payload no longer includes the response receive time, so it now has the same value as theX-Kong-Proxy-Latency
response header. Response receive time is recorded in the newlatencies.receive
metric, so if desired, the old value can be calculated aslatencies.kong + latencies.receive
. Note: this also affects payloads from all logging plugins that use the log serializer:file-log
,tcp-log
,udp-log
,http-log
,syslog
, andloggly
, e.g. descriptions of JSON objects for the HTTP Log Plugin's log format. #12795 KAG-3798 -
Tracing: enhanced robustness of trace ID parsing #12848 KAG-4218
-
AI-proxy-plugin: Fixed the bug that the
route_type
/llm/v1/chat
didn't include the analytics in the responses. #12781 FTI-5769 -
ACME: Fixed an issue where the certificate was not successfully renewed during ACME renewal. #12773 KAG-4008
-
AWS-Lambda: Fixed an issue where the latency attributed to AWS Lambda API requests was counted as part of the latency in Kong. #12835 FTI-5261
-
Jwt: Fixed an issue where the plugin would fail when using invalid public keys for ES384 and ES512 algorithms. #12724
-
Added WWW-Authenticate headers to all 401 responses in the Key Auth plugin. #11794 KAG-321
-
Opentelemetry: Fixed an OTEL sampling mode Lua panic bug, which happened when the
http_response_header_for_traceid
option was enabled. #12544 FTI-5742 -
ACME: Fixed migration of redis configuration. #12989 KAG-4419
-
Response-RateLimiting: Fixed migration of redis configuration. #12989 KAG-4419
-
Rate-Limiting: Fixed migration of redis configuration. #12989 KAG-4419
- Admin API: fixed an issue where calling the endpoint
POST /schemas/vaults/validate
was conflicting with the endpoint/schemas/vaults/:name
which only has GET implemented, hence resulting in a 405. #12607 KAG-3699
-
Fixed a bug where, if the the ulimit setting (open files) was low, Kong would fail to start as the
lua-resty-timer-ng
exhausted the availableworker_connections
. Decreased the concurrency range of thelua-resty-timer-ng
library from[512, 2048]
to[256, 1024]
to fix this bug. #12606 KAG-3779 FTI-5780 -
Fix an issue where external plugins using the protobuf-based protocol would fail to call the
kong.Service.SetUpstream
method with an errorbad argument #2 to 'encode' (table expected, got boolean)
. #12727
-
Kong Manager now supports creating and editing Expressions routes with an interactive in-browser editor with syntax highlighting and autocompletion features for Kong's Expressions language. #217
-
Kong Manager now groups the parameters to provide a better user experience while configuring plugins. Meanwhile, several issues with the plugin form page were fixed. #195 #199 #201 #202 #207 #208 #209 #213 #216