Tyk Gateway

• Improved distributed rate limiter behavior with small rate limits on large number of servers
• Now you can update Session metadata inside gRPC and Python plugins https://github.com/TykTechnologies/tyk/issues/1249

Tyk Gateway v2.3.11 continue addressing bugs in Python middleware and rate limiter.

• Fix Python bundle load on hot reloads
• Fixed potential rate-limiting issue, allowing to bypass rate limits

This release is fully compatible with Dashboard v1.3.9

We have released Tyk Gateway v2.3.10 which addresses serious bugs in how Python middleware is executed and a the distributed rate limiter:

• Distributed rate limiter would randmoly crash after long periods of uptime, this has now been fixed.
• Python plugins in some OS versions would delete bundles on reload due to a PYTHONPATH misconfiguration
• Removed bug where the bundles directory is not created automatically

This release is fully compatible with Dashboard v1.3.9

Tyk Gateway 2.3.9

• Fixed http_server_options.skip_url_cleaning option
• Fixed few possible JSVM leaks
• Improved JSVM middleware error messages

Tyk Gateway v2.3.8

• Support for custom error messages in middleware https://github.com/TykTechnologies/tyk/pull/986
• Fix API reloads when http_server_options.override_defaults turned on https://github.com/TykTechnologies/tyk/issues/940
• Add proxy_default_timeout option to configure default proxy timeout https://github.com/TykTechnologies/tyk/pull/983
• Allow URLs to be rewritten in coprocess middleware https://github.com/TykTechnologies/tyk/pull/928
• Fixed crash when loading multiple Python plugins https://github.com/TykTechnologies/tyk/issues/969
• Fixed memory leak when optimisations_use_async_session_write is turned on https://github.com/TykTechnologies/tyk/issues/966
• Fix JSVM rawlog function to properly support log hooks like syslog or graylog https://github.com/TykTechnologies/tyk/issues/998
• Fix panic when loading duplicate APIs https://github.com/TykTechnologies/tyk/issues/938
• Key metadata now support numeric values https://github.com/TykTechnologies/tyk/issues/944
• API definition config_data now support complex JSON objects https://github.com/TykTechnologies/tyk/issues/951

Tyk Dashboard 1.3.8

• Fix swagger docs validation badge
• Fix API spec validation for URL containing dot . symbol
• New Dashboard API to verify developer credentials /portal/developers/verify_credentials https://tyk.io/docs/tyk-dashboard-api/portal-developers/

With the new Portal API, it is now possible to create completely custom developer portals and even embed them into your own software. We prepared a guide on creating own developer portal: https://tyk.io/docs/publish/customise/custom-developer-portal/

In addition, our deb and rpm packages now properly handle config files upgrades and do not override user changes.

Tyk Gateway v2.3.7

• Added HTTPS support for Plugin Bundle downloader https://github.com/TykTechnologies/tyk/issues/925
• Fix path duplication when using URL rewrite https://github.com/TykTechnologies/tyk/issues/855
• JSVM middleware now has rawlog function, which prints unformatted data bypassing logger formatting https://github.com/TykTechnologies/tyk/issues/844
• JSVM middleware and VirtualEndpoint now support passing custom data from API definition using config_data object https://github.com/TykTechnologies/tyk/issues/829
• Added support for TLS connection with MDCB (Hybrid) using slave_option.use_ssl and slave_options.ssl_insecure_skip_verify https://github.com/TykTechnologies/tyk/pull/842
• Fix uptime tests bug, when traffic was sent to dead host https://github.com/TykTechnologies/tyk/issues/825
• Fix JSVM leak introduced in 2.3.5 https://github.com/TykTechnologies/tyk/issues/804
• Fix hot reload issues when used in MDCB or Hybrid environments

Tyk Dashboard v1.3.7

• Added config_data field to API designer user interface
• Updated Swagger documentation to support latest specification changes
• Added option to allow admin users reset password without additional permissions security.allow_admin_reset_password

MDCB v1.3.0

• Added support for secure TLS connections with Gateway
• Improved Gateway authentification mechanism to fix hot reload issues

UPGRADE NOTICE
New gateway version v2.3.7 require MDCB v1.3.0, thus MDCB should be upgraded first.

Tyk Gateway v2.3.6

• Improved handling of duplicate listen paths: now instead of ignoring API, it will bind it to random slug.
• Now you can inject request correlation ID (for example X-Request-ID) to your requests using Context Data variables https://tyk.io/tyk-documentation/transform-traffic/request-headers/#request-headers-context-variables. For example: "X-Request-ID":"$tyk_context.request_id".
• Fixed multiple issues while using Python plugins.
• Coprocess middleware (Python, Lua, gRPC), now able to override response code, headers and body using ReturnOverrides. See https://github.com/TykTechnologies/tyk/pull/763.

Tyk Dashboard v1.3.6

Password reset

Added ability to reset user passwords.
By default user can reset only their own password.

Add a new permission ResetPassword, but it can be granted only via the admin API using new endpoints: /admin/users/:userId/actions/allow_reset_passwords /admin/users/:userId/actions/disallow_reset_passwords

You need to make the request using the PUT HTTP method, for example:
curl -X PUT -H "admin-auth: <your secret>" http://<dashboard>/admin/users/:userId/actions/allow_reset_passwords

Password recovery

It's now possible for users to recover their dashboard password using email. To enable this feature, ensure that you have configured email https://tyk.io/tyk-documentation/configure/outbound-email-configuration/. Do not forget about the new email_backend.dashboard_domain option which should be your public dashboard hostname.

Other

• Updated user interface branding.
• Added support for Mongo SSL protocol, using new mongo_ssl_insecure_skip_verify and mongo_use_ssl boolean variables.
• Current user now can't revoke themselves.
• Dashboard session timeout now configurable using dashboard_session_lifetime option and reduced to 1 hour by default.
• Fixed missing API name on analytics pages for newly created APIs.
• Fixed Dashboard API key reset, if there were issues with old key.

Binaries built with Go 1.7.6

Tyk Gateway v2.3.5

• New: Added http_server_options.ssl_insecure_skip_verify boolean option to allow self-signed certificates for Gateway. #693
• New: Added proxy_ssl_insecure_skip_verify boolean option to skip SSL check for upstream APIs with self-signed certificates. #693
• Fix: Control API was not working when both hostname and control_api_hostname set. #670
• Fix: Uptime tests when failure_trigger_sample_size set to 1. #632
• Fix: Uptime tests when uptime_tests.time_wait is not explicitly set in config. #669
• Fix: Log flooding when management_node is turned on. #660
• Fix: /keys/* endpoint when api_id param is provided but API not loaded on this node (due to tags). Now tagged gateways have access to all keys. #663
• Fix: Reduced default values for uptime test in default tyk.config. Old ones has 20 minutes wait time. #668
• Fix: Duplicated hostnames in uptime logs. #678
• Fix: IP whitelisting using X-Fowarder-IP header. #704
• Fix: Potential memory leak in hot reload with JSVM enabled. #496

Tyk Dashboard v1.3.5

New: Dashboard and Portal login rate limiting

Login rate limiting applies both to dashboard and developer portal.
Once user reached limit, they will see an error, and will not be able to login into dashboard/portal.

Added new configuration section:

"security": {
  "login_failure_username_limit": 3,
  "login_failure_ip_limit": 10,
  "login_failure_expiration": 900
}

By default, limit values are zero and login_failure_expiration is 15 minutes (900).

New: Audit log

Now you can enable audit log by setting security.audit_log_path configuration option. It will log all user actions and responses statuses to it. Security information like password gets removed from this log.

Other

• New: Added new host_config.secure_cookie boolean option which enables "secure" cookies, working only under https.
• Fix: Dashboard for authorization now internally uses HTTP Only cookies instead of Headers to improve defense against Cross-Site scripting attacks.
• Fix: Ensure that API responses not cached by explicitly adding Cache-Control: no-cache header.
• Fix: Potential Content-Type sniffing issues by setting X-Content-Type-Options: nosniff header.
• Set proper mime types for font assets.
• Fix: Deny API Catalogue documentation access, if catalog was set to inactive or portal is only for logged-in users.
• Fix: Policy selector in the developer view only shows 10 policies, it should show all of them.
• Fix: Saving developer should not flush their password.
• Fix: Fix broken URLs to get free or commercial license on first start screen.
• Fix: Use canonical casing for X-Frame-Options header.
• Fix: Improved protection for Cross-Frame scripting.
• Fix: Fixed checks for duplicate listen path and slugs (including Swagger import). To make it work, ensure that enable_duplicate_slugs option is set to false.
• Fix: Swagger APIs import now properly set Slug and ListenPath based on basePath.
• Fix: Attached key to a policy does not inherit the expiration date.
• UX: Hide access token generator for disabled users.

Tyk Gateway v2.3.4

• Added new management_node boolean configuration option. When turned on, it will exclude the node from distributed rate limiter.
• /tyk/api endpoint, used for managing APIs, now can be accessed without trailing slash to avoid confusion.

Tyk Dashboard v1.3.4: security focused release

• Fix: Deactivating a user now disables their API access and logs them out from existing dashboard sessions.
• Fix: Updating user permissions now does not empty user password.
• Fix: Updating user permissions now updates both current API session and all opened dashboard sessions, and does not require user to re-login.
• User access to OAuth tokens now controlled using separate permission group.
• Disabled auto-completion for all forms with passwords.
• Enable HSTS for all requests to improve HTTPS security.
• Added new disable_parallel_sessions boolean configuration option. When turned on it allows only one active dashboard session. When a user logs in, all of their other active sessions are automatically logged out.
• Using Admin API you now can set the password. If the password field is empty, it gets ignored.

Tyk gateway v2.3.3

This version is a patch update and fully backwards compatible with other 2.3 releases. We recommend upgrading to this version for improved stability:

This version will work with the latest version of Tyk Dashboard, no changes are required.

Changelog for v2.3.3

• Fixed a bug which could crash hybrid gateways if MDCB returned a nil object
• Modified hot reload behaviour to be more robust, addresses potential memory leak
• Redis reconnect and connect logic has been updated for better handling

Tyk Dashboard version 1.3.2

This is a patch release to beef up security of dashboard users and fix some security concerns with the users API.

Changelog:

Password validation and constraints

Added more verbose password rules for user creation, it is now possible to use the password.json schema in the tyk dashboard schemas/ directory to set complex

Example of password.json with full validation:

{
"title": "User password schema",
"type": "string",

"minLength": 6,
"multiCase": true,
"minNumeric": 2,
"minSpecial": 2,
"disableSequential": true

}

Password hash exposed in users/ API

The users API will no longer expose the password hash as part of the call, this aplies to both portal and dashboard users.

Tyk Gateway v2.3.2

• Added http_server_options.skip_url_cleaning option to allow having double slashes in URL. Fixes #340
• Fixed tyk-hybrid-docker container: ensure the docker container always restarts https://github.com/TykTechnologies/tyk-hybrid-docker/issues/1
• Added --httpprof command line option to enable standard HTTP Go profiler, eg: /debug/pprof/ #392
• Allow "/tyk/apis" without trailing slash #381
• Improve OAuth error messages #382
• HTTP OPTION requests now not cached #397
• Added gRPC Java bindings #358

Tyk Dashboard 1.3.1

• Added labels for displaying the user name and the organisation name
• Fixed search in "Analytics by key" view
• Fixed importing API when api_model field set
• Fixed uptime tests for requests with body data
• Fixes policy import so that malformed outbound objects will work without breaking compatibility with other components

Fixes a load balancer issue

v2.2

• Fixed URL Rewriter to better handle query strings
• Added XML transform support for requests and responses, simply set the data type to xml int he transforms section and create your template the same way you would for JSON.

XML transform demo

For this XML:

    <?xml version="1.0" encoding="utf-8"?>
    <servers version="1">
        <server>
            <serverName>Shanghai_VPN</serverName>
            <serverIP>127.0.0.1</serverIP>
        </server>
        <server>
            <serverName>Beijing_VPN</serverName>
            <serverIP>127.0.0.2</serverIP>
        </server>
    </servers>

And this Template:

    {
    {{range $x, $s := .servers.server}}    "{{$s.serverName}}": "{{$s.serverIP}}"{{if not $x}},{{end}}
    {{end}}
    }

You get this output:

    {
        "Shanghai_VPN": "127.0.0.1",
        "Beijing_VPN": "127.0.0.2"

    }

• Added request method transform: This is very simple at the moment, and only chagnes the type of method, it does not data massaging, to enaqble, add to your extended paths:

  method_transforms: [
  {
  path: "post",
  method: "GET",
  to_method: "POST"
  }
  ],

• Out of the box, tyk will ship with HA settings enabled where possible (this means using the new non-transactional rate limiter)

• Added a new concept called "Partitioned Policies", with policies that are partitioned, only sections of the policy will be applied to the underlying token so that tokens can be generated with a dynamic ACL, but still subscribe to a fixed quota and rate limit level. THIS MEANS THAT THE TOKEN MUST HAVE A FULL SET OF ACL RULES AND QUOTAS BEFORE USING AND PARTITIONED POLICIES ARE NOT SUITABLE FOR PORTAL USE.

To set up a partitioned policy

Add the following section to the policy object:

"partitions": {
    "quota": false,
    "rate_limit": false,
    "acl": false
}

Then set the partitions that you want to overwrite to "true", the partitions that are marked as true will then be applied to the token instead of the full policy.

• Added context variable support, this middleware will extract the path, the path parts (break on /), and try to pull all form-related data (url-form-encoded or query string params) and put them into a context variable that is available to other middleware. Currently this is only integrated with the body transform middleware as _tyk_context. To enable set "enable_context_vars": true in the API Definition. Transform sample:

Path: {{._tyk_context.path}}

Path Elements:
{{ range $i, $v := ._tyk_context.path_parts }}
--> {{$v}}
{{ end }}

Form/QueryString Data: {{._tyk_context.request_data}} 
Token: {{._tyk_context.token}}

• Context variables also available in headers using $tyk_context. namespace
• WARNING: POTENTIALLY BREAKING CHANGE: Flush interval is now in milliseconds, not seconds, before upgrading, if you are using flush interval, make sure that the value has been updated.
• Context variables also available in URL rewriter
• Added Websockets support (beta), websockets can now be proxied like a regular HTP request, tyk will detect the upgrade and initiate a proxy to the upstream websocket host. This can be TLS enabled and Tyk can proxy over HTTPS -> WSS upstream.
• Websockets execute at the end of the middleware chain, so all the benefits of CB and auth middleware can be enabled (within the limits of the WebSockets protocol)
• No analytics are gatthered for these requests, but rate limiting, quotas and auth will work fully for initial connection requsts (e.g . to prevent connection flooding)

This is a mini-release that integrates the email driver changes to support more email back ends such as SendGrid, Mailgun and Amazon SES:

SendGrid

"email_backend": {
        "enable_email_notifications": true,
        "code": "sendgrid",
        "settings": {
            "ClientKey": "KEY"
        },
        "default_from_email": "[email protected]",
        "default_from_name": "A guy at a place"
},

MailGun

"email_backend": {
        "enable_email_notifications": true,
        "code": "mailgun",
        "settings": {
            "Domain": "KEY",
            "PrivateKey": "KEY",
            "PublicKey": "KEY"
        },
        "default_from_email": "[email protected]",
        "default_from_name": "A guy at a place"
},

AmazonSES

"email_backend": {
        "enable_email_notifications": true,
        "code": "amazonses",
        "settings": {
            "Endpoint": "Endpoint",
            "AccessKeyId": "Access-key",
            "SecretAccessKey": "KEY"
        },
        "default_from_email": "[email protected]",
        "default_from_name": "A guy at a place"
},

This is a security release to address CVE-2015-8618

Updates are available via our package repository as usual for easy upgrade an installation. Tarballs attached to this release.

Changelog:

• Fixes potential security issue with TLS on 32-bit systems (CVE-2015-8618)
• IP Whitelisting now supports CIDR-notation for IP ranges
• Recompiled Gateway, Dashboard and Host Manager binary with Go 1.5.3

Upgrade Notes:

Should be an in-place upgrade, no changes necessary.

Tyk Gateway 1.9.1

This is a drop-in replacement, you should be able to either just switch the binaries or update the package (make sure to backup your configurations!)

• Added new feature: Detailed logging, enable by setting analytics_config.enable_detailed_recording to true, two new fields will be added to analytics data: rawRequest and rawResponse, these will be in wire format and are NOT anonymised. This adds additional processing complexity to request throughput so could degrade performance.
• Added a check for connection failures
• Updating a key with a quota reset set to true will also remove any rate limit sentinels
• URL Rewrites and cache interactions now work properly, although you need to define the cached entry as the rewritten pattern in a seperate entry.
• Org quotas monitors now only fire when the renewal is in the future, not the past.
• Fixed bug where quotas would not reset (regression introduced by switch to Redis Cluster), Tyk will automatically correct quota entries that are incorrect. No additional changes should be required
• Using golang builtins for time checking

Tyk Dashboard v0.9.7.1

• Fixed FF logout bug (301 redirects were being cached in browser)
• Added SSO endpoints for portal and dashboard for Identity Broker

In version 1.9 we have focused extensively on two things: Improved and expanded data and ease of deployment.

Ease of deployment

Tyk is already pretty easy to deploy, being a single binary that can be dropped into a system and run right there and then without any compilation, interpreters or dependencies.

We've been speaking to our clients' DevOps teams, and one thing they particularly enjoy seeing is a secure, effective and reliable pattern for deploying third-party applications to their systems.

The other thing we've heard a lot of feedback about is the host maanger, and how having NGinX as a dependency is limiting as it's "another moving part".

What have we done to address these things?

We got rid of the host manager Tyk no longer needs the host manager in order to route domains to their underlying services or portals. As of v1.9 you can configure a domain for:

• The Tyk gateway itself (catch-all)
• The dashboard
• The control API (for secure access)
• On a per-API basis
• On a per-portal basis

All form within the dashboard or the configuration files.

And if you are running the full Tyk stack on a single instance, then we've made it easy for users to use Tyk the same way we used to use NginX - by having the Tyk nodes proxy the domain for the portal to the relevant organisation portal pages just like any other API.

We've standardised our deployment packages* As of v1.9 Tyk ships as DEB and signed RPM packages, and are provided to end-users using our GPG-signed package repository. This means that you can use APT or YUM to install Tyk and Tyk Dashboard to your servers in a repeatable and industry standard way.

We've also gone a step further and have provided init scripts for Upstart, SysV and Systemd, which means starting and stopping Tyk is as simple as sudo service tyk-gateway start|stop|restart|status.

We think that these two changes make it much easier for you to install, setup, manage and deploy Tyk ro any Linux distribution. We have signed repositories for Ubuntu LTS releases, Red Hat Enterprise Linux 6 and 7, and Debian Jessie.

We'll still provide the tarballs to manually install tyk on our Github Repo page, but encourage users to use our package repositories to install Tyk on supported systems.

Improved Data

This version of tyk introduces a new feature: Uptime Awareness, with this feature, we have your tyk nodes actively poll your endpoints with specific uptime tests. Over time, Tyk collects analytics on Latency, errors and overall availability. Providing a granular view in your dashbaord to dig deeper into failures and issues.

We've made this feature as flexible as possible, enabling you to configure these tests dynamically using Service Discovery tools such as etcd or consul, while also making it possible to hook up "Host Up" and "Host Down" events to webhooks or custom javascript applications to interact with, and react to, any incidents in your infrastructure.

When enabled, Tyk can integrate this feature with it's round-robin load-balancing to remove unhealthy hosts from circulation until they come back on-line.

Bug fixes and UX

We've overhauled the dashboard UX, making it more robust and a little faster / easier to use. The biggest change is in how we render the graphs, whih we hope you enjoy.

We've spent a lot of time fixing bugs, improving logger output and overall trying to make things more robust, performant and better.

As always, we're open to feedback on our Github repo, or in our Community forum.

ChangeLog v1.9

• Gateway Mongo Driver updated to be compatible with MongoDB v3.0

• Fixed OAuth client listings with redis cluster

• Some latency improvements

• Key detection now checks a local in-memory cache before reaching out to Redis, keys are cached for 10 seconds, with a 5 second purge rate (so a maximum key existence of 15s). Policies will still take instant effect on keys

• key session cache is configurable, set local_session_cache.cached_session_timeout (default 10) and local_session_cache.cached_session_eviction (default 5) to the cache ttl and eviction scan times

• key session cache can be disabled: local_session_cache.disable_cached_session_state

• Test update to reduce number of errors, cleaner output

• Healthcheck data now stored in a sorted set, much cleaner and faster, now works with redis cluster!

• Bug fixed: Empty or invalid listen path no longer crashes proxy

• Bug fixed: Basic Auth (and Oauth BA) passwords are now hashed, this is backward compatible, plaintext passwords will still work

• OAuth access token expiry can now be set (in seconds) in the tyk.conf file using oauth_token_expire:3600

• Proxy now records accurate status codes for upstream requests for better error reporting

• Added refresh token invalidation API: DELETE /tyk/oauth/refresh/{key}?api_id={api_id}

• Global header injection now works, can be enabled on a per-version basis by adding global_headers:{"header_name": "header value"} to the version object in the API Definition, global injections also supports key metadata variables.

• Global header deletion now works: add "global_headers_remove":["header_name", "header_name"] to your version object

• Added request size limiter, request size limiter middleware will insist on content-length to be set, and check first against content-length value, and then actual request size value. To implement, add this to your version info:

  "size_limits": [
      {
        "path": "widget/id",
        "method": "PUT",
        "size_limit": 25
      }
   ]
  

• Request size limits can also be enforced globally, these are checked first, to implement, add "global_size_limit": 30 to your version data.

• Adding a key_expires_in: seconds property to a policy definition will cause any key that is created or added using this policy to have a finite lifetime, it will expire in now()+key_expiry seconds, handy for free trials

• Dependency update (logrus)

• Added support for JSON Web Token (JWT), currently HMAC Signing and RSA Public/Private key signing is supported. To enable JWT on an API, add "enable_jwt": true, to your API Definition. Then set your tokens up with these new fields when you create them:

  "jwt_data": {
      "secret": "Secret"
  }
  

• HMAC JWT secrets can be any string, but the secret is shared. RSA secrets must be a PEM encoded PKCS1 or PKCS8 RSA private key, these can be generated on a linux box using:

  openssl genrsa -out key.rsa
  openssl rsa -in key.rsa -pubout > key.rsa.pub

• Tyk JWT's MUST use the "kid" header attribute, as this is the internal access token (when creating a key) that is used to set the rate limits, policies and quotas for the user. The benefit here is that if RSA is used, then al that is stored in a Tyk installation that uses hashed keys is the hashed ID of the end user and their public key, and so very secure.

• Fixed OAuth Password flow bug where a user could generate more than one token for the same API

• Added realtime uptime monitoring, uptime monitoring means you can create a series of check requests for your upstream hosts (they do not need to be the same as the APIs being managed), and have the gateway poll them for uptime, if a host goes down (non-200 code or TCP Error) then an Event is fired (HostDown), when it goes back up again another event is fired (HostUp), this can be combined with the webhook feature for realtime alerts

• Realtime monitoring also records statistics to the database so they can be analysed or graphed later

• Real time monitoring can also be hooked into the load balancer to have the load balancer skip bad hosts for dynamic configuration

• When hosts go up and down, sentinels are activated in Redis so all nodes in a Tyk cluster can benefit

• Only one Tyk node will ever do the polling, they use a rudimentary capture-the-flag redis key to identify who is the uptime tester

• Monitoring can also be disabled if you want a non-active node to manage uptime tests and analytics purging

• The uptime test list can be refreshed live by hot-reloading Tyk

• Active monitoring can be used together with Circuit breaker to have the circuit breaker manage failing methods, while the uptime test can take a whole host offline if it becomes unresponsive

• To configure uptime tests, in your tyk.conf:

  "uptime_tests": {
      "disable": false, // disable uptime tests on the node completely
      "config": {
          "enable_uptime_analytics": true,
          "failure_trigger_sample_size": 1,
          "time_wait": 5,
          "checker_pool_size": 50
      }
  }
  

• Check lists usually sit with API configurations, so in your API Definition:

  uptime_tests: {
      check_list: [
        {
          "url": "http://google.com:3000/"
        },
        {
          "url": "http://posttestserver.com/post.php?dir=tyk-checker-target-test&beep=boop",
          "method": "POST",
          "headers": {
            "this": "that",
            "more": "beans"
          },
          "body": "VEhJUyBJUyBBIEJPRFkgT0JKRUNUIFRFWFQNCg0KTW9yZSBzdHVmZiBoZXJl"
        }
      ]
    },
  

• The body is base64 encoded in the second example, the first example will perform a simple GET, NOTE: using the simplified form will not enforce a timeout, while the more verbose form will fail with a 500ms timeout.

• Uptime tests can be configured from a service (e.g. etcd or consul), simply set this up in the API Definition (this is etcd):

  "uptime_tests": {
      "check_list": [],
      "config": {
        "recheck_wait": 12,
        "service_discovery": {
          "use_discovery_service": true,
          "query_endpoint": "http://127.0.0.1:4001/v2/keys/uptimeTest",
          "data_path": "node.value"
        }
      }
  },
  

• Uptime tests by service discovery will load initially from the endpoint, it will not re-poll the service until it detects an error, at which point it will schedule a reload of the endpoint data. If used in conjunction with upstream target service discovery it enables dynamic reconfiguring (and monitoring) of services.

• The document that Tyk requires is a JSON string encoded version of the check_list parameter of the uptime_tests field, for etcd:

  curl -L http://127.0.0.1:4001/v2/keys/uptimeTest -XPUT -d value='[{"url": "http://domain.com:3000/"}]'
  

• Fixed a bug where incorrect version data would be recorded in analytics for APis that use the first URL parameter as the version (domain.com/v1/blah)

• Added domain name support (removes requirement for host manager). The main Tyk instance can have a hostname (e.g. apis.domain.com), and API Definitions can support their own domains (e.g. mycoolservice.com), multiple API definitions can have the same domain name so long as their listen_paths do not clash (so you can API 1 on mycoolservice.com/api1 and API 2 on mycoolservice.com/api2 if you set the listen_path for API 1 and API2 respectively.)

• Domains are loaded dynamically and strictly matched, so if calls for a listen path or API ID on the main tyk hostname will not work for APIs that have custom domain names set, this means services can be nicely segregated.

• If the hostname is blank, then the router is open and anything will be matched (if you are using host manager, this is the option you want as it leaves domain routing up to NginX downstream)

• Set up the main tyk instance hostname by adding "hostname": "domain.com" to the config

• Enable custom api-specific domains by setting enable_custome_domains in the tyk.conf to true

• Make an API use a custom domain by adding a domain element to the root object

• Custom domains will work with your SSL certs

• Refactored API loader so that it used pointers all the way down, this lessens the amount of data that needs copying in RAM (will only really affect systems running 500+ APIs)

• JSVM is now disabled by default, if you are not using JS middleware, you can reduce Tyk footprint significantly by not enabling it. To re-enable set "enable_jsvm": true in tyk.conf

• Fixed CORS so that if OPTIONS passthrough is enabled an upstream server can handle all pre-flight requests without any Tyk middleware intervening

• Dashboard config requires a home_dir field in order to work outside of it's home dir

• Added option to segragate control API from front-end, set enable_api_segregation to true and then add the hostname to control_api_hostname

Fixes a bug in the JSVM with concurrently running code

• Redis cluster support, in tyk.conf:

    "storage": {
        "type": "redis",
        "enable_cluster": true,
        "hosts" : {
            "server1": "6379",
            "server2": "6379",
            "server23: "6379",
        },
        "username": "",
        "password": "",
        "database": 0,
        "optimisation_max_idle": 100
    },

A Note on redis cluster support

Redis cluster does not support multi-key operations or scans across key ranges, so the following operations: the health-check API, OAuth client listing, and key listing in unhashed setups, could cause inconsistent behaviour.

• Enable streaming endpoints by setting a flush interval in your tyk.conf file:

    "http_server_options": {
        "flush_interval": 1
    }

• Enabled password grant type in OAuth:

  • Create new client
  • Create a basic auth key for each user (warning, passwords are not encrypted yet - this, like basic auth, is not considered particularly safe. Password hashing will be included in a later version)
  • Set the allowed_access_types array to include password
  • Generate a valid access request with the client_id:client_secret as a Basic auth header and the u/p in the form of the body.
  • POST to: /oauth/token/ endpoint on your OAuth-enabled API
  • If successfull, the user will get:

  {"access_token":"4i0VmSYMQ2iN7ivX0LaYBw","expires_in":3600,"refresh_token":"B_99PjEmQquufNWs8QYbow","token_type":"bearer"}
  

• Bug fixes (URL-based version handling)
• SSL Support

Dashboard:

• Fixed a documentation bug that affected new catalogue entries (documentation would not show)
• Improved swagger preview methods.

To enable SSL edit the tyk.conf to include your certificates:

 "http_server_options": {
    "use_ssl": true,
    "certificates": [
        {
            "domain_name": "banana.com",
            "cert_file": "new.cert.cert",
            "key_file": "new.cert.key"
        }
    ]
},