Tyk Open Source API Gateway written in Go, supporting REST, GraphQL, TCP and gRPC protocols
OTHER License
Published by buger almost 7 years ago
metadata inside gRPC and Python plugins https://github.com/TykTechnologies/tyk/issues/1249
Published by buger almost 7 years ago
Tyk Gateway v2.3.11 continues addressing bugs in the Python middleware and the rate limiter.
This release is fully compatible with Dashboard v1.3.9
Published by lonelycode about 7 years ago
We have released Tyk Gateway v2.3.10, which addresses serious bugs in how Python middleware is executed and in the distributed rate limiter:
PYTHONPATH misconfiguration
This release is fully compatible with Dashboard v1.3.9
Published by buger about 7 years ago
http_server_options.skip_url_cleaning option
Published by buger about 7 years ago
http_server_options.override_defaults turned on https://github.com/TykTechnologies/tyk/issues/940
proxy_default_timeout option to configure the default proxy timeout https://github.com/TykTechnologies/tyk/pull/983
optimisations_use_async_session_write is turned on https://github.com/TykTechnologies/tyk/issues/966
rawlog function to properly support log hooks like syslog or graylog https://github.com/TykTechnologies/tyk/issues/998
config_data now supports complex JSON objects https://github.com/TykTechnologies/tyk/issues/951
symbol /portal/developers/verify_credentials (see https://tyk.io/docs/tyk-dashboard-api/portal-developers/)
With the new Portal API, it is now possible to create completely custom developer portals and even embed them into your own software. We have prepared a guide on creating your own developer portal: https://tyk.io/docs/publish/customise/custom-developer-portal/
In addition, our deb and rpm packages now properly handle config file upgrades and do not override user changes.
Published by buger over 7 years ago
rawlog function, which prints unformatted data bypassing logger formatting https://github.com/TykTechnologies/tyk/issues/844
config_data object https://github.com/TykTechnologies/tyk/issues/829
slave_option.use_ssl and slave_options.ssl_insecure_skip_verify https://github.com/TykTechnologies/tyk/pull/842
config_data field to API designer user interface
security.allow_admin_reset_password
UPGRADE NOTICE
The new gateway version v2.3.7 requires MDCB v1.3.0, so MDCB should be upgraded first.
Published by buger over 7 years ago
"X-Request-ID":"$tyk_context.request_id"
.ReturnOverrides. See https://github.com/TykTechnologies/tyk/pull/763.
Added ability to reset user passwords. By default a user can reset only their own password.
Added a new permission ResetPassword, which can be granted only via the admin API using the new endpoints:
/admin/users/:userId/actions/allow_reset_passwords
/admin/users/:userId/actions/disallow_reset_passwords
You need to make the request using the PUT HTTP method, for example:
curl -X PUT -H "admin-auth: <your secret>" http://<dashboard>/admin/users/:userId/actions/allow_reset_passwords
It's now possible for users to recover their dashboard password using email. To enable this feature, ensure that you have configured email https://tyk.io/tyk-documentation/configure/outbound-email-configuration/. Do not forget about the new email_backend.dashboard_domain option, which should be your public dashboard hostname.
mongo_ssl_insecure_skip_verify and mongo_use_ssl boolean variables.
dashboard_session_lifetime option, reduced to 1 hour by default.
Binaries built with Go 1.7.6
Published by buger over 7 years ago
http_server_options.ssl_insecure_skip_verify boolean option to allow self-signed certificates for the Gateway. #693
proxy_ssl_insecure_skip_verify boolean option to skip the SSL check for upstream APIs with self-signed certificates. #693
hostname and control_api_hostname set. #670
failure_trigger_sample_size set to 1. #632
uptime_tests.time_wait is not explicitly set in config. #669
/keys/* endpoint when the api_id param is provided but the API is not loaded on this node (due to tags). Now tagged gateways have access to all keys. #663
X-Fowarder-IP header. #704
Login rate limiting applies both to the dashboard and the developer portal.
Once a user has reached the limit, they will see an error and will not be able to log in to the dashboard/portal.
Added new configuration section:
"security": {
"login_failure_username_limit": 3,
"login_failure_ip_limit": 10,
"login_failure_expiration": 900
}
By default, limit values are zero and login_failure_expiration is 15 minutes (900).
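The following Go program is an added illustration of the lockout semantics the three settings describe, not code from the Tyk Dashboard. It counts failed logins per username and per source IP, refuses further attempts once either counter reaches its limit, treats a zero limit as disabled (the documented default), and forgets counters after login_failure_expiration seconds. The fixed window (opened by the first failure) and the injectable clock are assumptions made for this example.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// failureWindow tracks failed attempts for one key until the window expires.
type failureWindow struct {
	count   int
	expires time.Time
}

// LoginLimiter mirrors the security section: a per-username limit, a per-IP
// limit, and an expiration after which counters are discarded. A limit of
// zero disables that counter.
type LoginLimiter struct {
	UsernameLimit int
	IPLimit       int
	Expiration    time.Duration
	now           func() time.Time // injectable clock (assumption for testing)

	mu     sync.Mutex
	byUser map[string]*failureWindow
	byIP   map[string]*failureWindow
}

func NewLoginLimiter(usernameLimit, ipLimit int, expiration time.Duration) *LoginLimiter {
	return &LoginLimiter{
		UsernameLimit: usernameLimit,
		IPLimit:       ipLimit,
		Expiration:    expiration,
		now:           time.Now,
		byUser:        map[string]*failureWindow{},
		byIP:          map[string]*failureWindow{},
	}
}

// live returns the window for key if it has not expired, pruning it otherwise.
func (l *LoginLimiter) live(m map[string]*failureWindow, key string) *failureWindow {
	w, ok := m[key]
	if !ok {
		return nil
	}
	if !l.now().Before(w.expires) {
		delete(m, key)
		return nil
	}
	return w
}

// Allowed reports whether a login attempt for username from ip may proceed.
// Either counter reaching its (non-zero) limit blocks the attempt.
func (l *LoginLimiter) Allowed(username, ip string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	if w := l.live(l.byUser, username); w != nil && l.UsernameLimit > 0 && w.count >= l.UsernameLimit {
		return false
	}
	if w := l.live(l.byIP, ip); w != nil && l.IPLimit > 0 && w.count >= l.IPLimit {
		return false
	}
	return true
}

// RecordFailure counts one failed attempt against both the username and the
// IP. The window opens on the first failure (fixed window, an assumption).
func (l *LoginLimiter) RecordFailure(username, ip string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	for _, e := range []struct {
		m   map[string]*failureWindow
		key string
	}{{l.byUser, username}, {l.byIP, ip}} {
		w := l.live(e.m, e.key)
		if w == nil {
			w = &failureWindow{expires: l.now().Add(l.Expiration)}
			e.m[e.key] = w
		}
		w.count++
	}
}

func main() {
	// Constructed values matching the documented example: 3 per user, 10 per IP, 900s.
	l := NewLoginLimiter(3, 10, 900*time.Second)
	for i := 0; i < 3; i++ {
		l.RecordFailure("alice", "203.0.113.5")
	}
	fmt.Println("alice allowed:", l.Allowed("alice", "203.0.113.5")) // false
	fmt.Println("bob allowed:", l.Allowed("bob", "203.0.113.5"))     // true
}
```

The per-IP counter is what stops an attacker from spreading guesses across many usernames from one address, while the per-username counter stops a distributed guess against one account; both windows expire independently.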
Now you can enable an audit log by setting the security.audit_log_path configuration option. It will log all user actions and response statuses to that file. Security information such as passwords is removed from this log.
host_config.secure_cookie boolean option which enables "secure" cookies, working only under https.
X-Content-Type-Options: nosniff header.
X-Frame-Options header.
enable_duplicate_slugs option is set to false.
basePath.
Published by buger over 7 years ago
management_node boolean configuration option. When turned on, it will exclude the node from the distributed rate limiter.
/tyk/api endpoint, used for managing APIs, can now be accessed without a trailing slash to avoid confusion.
disable_parallel_sessions boolean configuration option. When turned on, it allows only one active dashboard session: when a user logs in, all of their other active sessions are automatically logged out.
Published by buger over 7 years ago
This version is a patch update and fully backwards compatible with other 2.3 releases. We recommend upgrading to this version for improved stability:
This version will work with the latest version of Tyk Dashboard, no changes are required.
Changelog for v2.3.3
This is a patch release to beef up security of dashboard users and fix some security concerns with the users API.
Changelog:
Added more verbose password rules for user creation; it is now possible to use the password.json schema in the Tyk Dashboard schemas/ directory to set complex
Example of password.json with full validation:
{
"title": "User password schema",
"type": "string",
"minLength": 6,
"multiCase": true,
"minNumeric": 2,
"minSpecial": 2,
"disableSequential": true
}
The users API will no longer expose the password hash as part of the call; this applies to both portal and dashboard users.
Published by buger over 7 years ago
http_server_options.skip_url_cleaning option to allow having double slashes in URL. Fixes #340
tyk-hybrid-docker container: ensure the docker container always restarts https://github.com/TykTechnologies/tyk-hybrid-docker/issues/1
--httpprof command line option to enable the standard HTTP Go profiler, eg: /debug/pprof/ #392
Published by lonelycode about 8 years ago
Fixes a load balancer issue
Published by lonelycode over 8 years ago
xml in the transforms section and create your template the same way you would for JSON.
For this XML:
<?xml version="1.0" encoding="utf-8"?>
<servers version="1">
<server>
<serverName>Shanghai_VPN</serverName>
<serverIP>127.0.0.1</serverIP>
</server>
<server>
<serverName>Beijing_VPN</serverName>
<serverIP>127.0.0.2</serverIP>
</server>
</servers>
And this Template:
{
{{range $x, $s := .servers.server}} "{{$s.serverName}}": "{{$s.serverIP}}"{{if not $x}},{{end}}
{{end}}
}
You get this output:
{
"Shanghai_VPN": "127.0.0.1",
"Beijing_VPN": "127.0.0.2"
}
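The following Go program is an added example, not Tyk's own transform code: it shows what the XML transform has to do to arrive at the output above. The XML is decoded into a nested map (repeated child elements collapse into a list, attributes are dropped), and a Go text/template, the syntax the release note's template uses, is executed against it. The sample document is the one from the note; the helper names (xmlNode, XMLToMap, RenderXMLTemplate) and the second template are this example's own. The second template generalises the comma handling: the note's {{if not $x}} only places a comma after the first entry, so it yields valid JSON for exactly two servers, whereas GeneralTemplate stays valid for any count.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"strings"
	"text/template"
)

// xmlNode is a generic XML element: its name, text content and children.
// Attributes such as version="1" on <servers> are not carried over.
type xmlNode struct {
	XMLName xml.Name
	Content []byte    `xml:",chardata"`
	Nodes   []xmlNode `xml:",any"`
}

// toValue turns an element into a trimmed string (leaf) or a map of child
// name to value. A repeated child name becomes a []interface{}, so the two
// <server> elements form a list the template can range over.
func toValue(n xmlNode) interface{} {
	if len(n.Nodes) == 0 {
		return strings.TrimSpace(string(n.Content))
	}
	m := map[string]interface{}{}
	for _, c := range n.Nodes {
		v := toValue(c)
		switch existing := m[c.XMLName.Local].(type) {
		case nil:
			m[c.XMLName.Local] = v
		case []interface{}:
			m[c.XMLName.Local] = append(existing, v)
		default:
			m[c.XMLName.Local] = []interface{}{existing, v}
		}
	}
	return m
}

// XMLToMap decodes doc into the nested shape the template addresses as
// .servers.server and so on.
func XMLToMap(doc string) (map[string]interface{}, error) {
	var root xmlNode
	if err := xml.Unmarshal([]byte(doc), &root); err != nil {
		return nil, err
	}
	return map[string]interface{}{root.XMLName.Local: toValue(root)}, nil
}

// RenderXMLTemplate decodes doc and executes tmpl against the result.
func RenderXMLTemplate(doc, tmpl string) (string, error) {
	data, err := XMLToMap(doc)
	if err != nil {
		return "", err
	}
	t, err := template.New("transform").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := t.Execute(&out, data); err != nil {
		return "", err
	}
	return out.String(), nil
}

// sampleXML is the document from the release note (constructed input).
const sampleXML = `<?xml version="1.0" encoding="utf-8"?>
<servers version="1">
    <server>
        <serverName>Shanghai_VPN</serverName>
        <serverIP>127.0.0.1</serverIP>
    </server>
    <server>
        <serverName>Beijing_VPN</serverName>
        <serverIP>127.0.0.2</serverIP>
    </server>
</servers>`

// PageTemplate is the template from the release note as written.
const PageTemplate = `{
{{range $x, $s := .servers.server}} "{{$s.serverName}}": "{{$s.serverIP}}"{{if not $x}},{{end}}
{{end}}
}`

// GeneralTemplate emits a comma before every entry except the first, which
// stays valid JSON for any number of <server> elements.
const GeneralTemplate = `{
{{range $x, $s := .servers.server}}{{if $x}},
{{end}} "{{$s.serverName}}": "{{$s.serverIP}}"{{end}}
}`

func main() {
	for _, tmpl := range []string{PageTemplate, GeneralTemplate} {
		out, err := RenderXMLTemplate(sampleXML, tmpl)
		if err != nil {
			panic(err)
		}
		fmt.Println(out)
	}
}
```

One edge case worth knowing when writing such templates: a document with a single <server> yields a map rather than a list under that key, so a template that ranges over .servers.server must be written for the shape the upstream actually returns.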
Added request method transform: this is very simple at the moment and only changes the method type, it does no data massaging. To enable, add to your extended paths:
method_transforms: [
{
path: "post",
method: "GET",
to_method: "POST"
}
],
Out of the box, tyk will ship with HA settings enabled where possible (this means using the new non-transactional rate limiter)
Added a new concept called "Partitioned Policies", with policies that are partitioned, only sections of the policy will be applied to the underlying token so that tokens can be generated with a dynamic ACL, but still subscribe to a fixed quota and rate limit level. THIS MEANS THAT THE TOKEN MUST HAVE A FULL SET OF ACL RULES AND QUOTAS BEFORE USING AND PARTITIONED POLICIES ARE NOT SUITABLE FOR PORTAL USE.
Add the following section to the policy object:
"partitions": {
"quota": false,
"rate_limit": false,
"acl": false
}
Then set the partitions that you want to overwrite to "true", the partitions that are marked as true will then be applied to the token instead of the full policy.
/ ), and try to pull all form-related data (url-form-encoded or query string params) and put them into a context variable that is available to other middleware. Currently this is only integrated with the body transform middleware as _tyk_context. To enable, set "enable_context_vars": true in the API Definition. Transform sample:
Path: {{._tyk_context.path}}
Path Elements:
{{ range $i, $v := ._tyk_context.path_parts }}
--> {{$v}}
{{ end }}
Form/QueryString Data: {{._tyk_context.request_data}}
Token: {{._tyk_context.token}}
$tyk_context. namespace
Published by lonelycode over 8 years ago
This is a mini-release that integrates the email driver changes to support more email back ends such as SendGrid, Mailgun and Amazon SES:
SendGrid
"email_backend": {
"enable_email_notifications": true,
"code": "sendgrid",
"settings": {
"ClientKey": "KEY"
},
"default_from_email": "[email protected]",
"default_from_name": "A guy at a place"
},
MailGun
"email_backend": {
"enable_email_notifications": true,
"code": "mailgun",
"settings": {
"Domain": "KEY",
"PrivateKey": "KEY",
"PublicKey": "KEY"
},
"default_from_email": "[email protected]",
"default_from_name": "A guy at a place"
},
AmazonSES
"email_backend": {
"enable_email_notifications": true,
"code": "amazonses",
"settings": {
"Endpoint": "Endpoint",
"AccessKeyId": "Access-key",
"SecretAccessKey": "KEY"
},
"default_from_email": "[email protected]",
"default_from_name": "A guy at a place"
},
Published by lonelycode almost 9 years ago
This is a security release to address CVE-2015-8618
Updates are available via our package repository as usual for easy upgrade and installation. Tarballs are attached to this release.
Changelog:
Upgrade Notes:
Should be an in-place upgrade, no changes necessary.
Published by lonelycode almost 9 years ago
This is a drop-in replacement, you should be able to either just switch the binaries or update the package (make sure to backup your configurations!)
analytics_config.enable_detailed_recording to true, two new fields will be added to analytics data: rawRequest and rawResponse. These will be in wire format and are NOT anonymised. This adds additional processing complexity to request throughput so could degrade performance.
Published by lonelycode almost 9 years ago
In version 1.9 we have focused extensively on two things: Improved and expanded data and ease of deployment.
Tyk is already pretty easy to deploy, being a single binary that can be dropped into a system and run right there and then without any compilation, interpreters or dependencies.
We've been speaking to our clients' DevOps teams, and one thing they particularly enjoy seeing is a secure, effective and reliable pattern for deploying third-party applications to their systems.
The other thing we've heard a lot of feedback about is the host manager, and how having NginX as a dependency is limiting as it's "another moving part".
What have we done to address these things?
We got rid of the host manager. Tyk no longer needs the host manager in order to route domains to their underlying services or portals. As of v1.9 you can configure a domain for:
All from within the dashboard or the configuration files.
And if you are running the full Tyk stack on a single instance, then we've made it easy for users to use Tyk the same way we used to use NginX - by having the Tyk nodes proxy the domain for the portal to the relevant organisation portal pages just like any other API.
We've standardised our deployment packages. As of v1.9 Tyk ships as DEB and signed RPM packages, provided to end-users via our GPG-signed package repository. This means that you can use APT or YUM to install Tyk and Tyk Dashboard on your servers in a repeatable and industry-standard way.
We've also gone a step further and have provided init scripts for Upstart, SysV and Systemd, which means starting and stopping Tyk is as simple as sudo service tyk-gateway start|stop|restart|status.
We think that these two changes make it much easier for you to install, set up, manage and deploy Tyk to any Linux distribution. We have signed repositories for Ubuntu LTS releases, Red Hat Enterprise Linux 6 and 7, and Debian Jessie.
We'll still provide the tarballs to manually install tyk on our Github Repo page, but encourage users to use our package repositories to install Tyk on supported systems.
This version of Tyk introduces a new feature: Uptime Awareness. With this feature, your Tyk nodes actively poll your endpoints with specific uptime tests. Over time, Tyk collects analytics on latency, errors and overall availability, providing a granular view in your dashboard to dig deeper into failures and issues.
We've made this feature as flexible as possible, enabling you to configure these tests dynamically using Service Discovery tools such as etcd or consul, while also making it possible to hook up "Host Up" and "Host Down" events to webhooks or custom javascript applications to interact with, and react to, any incidents in your infrastructure.
When enabled, Tyk can integrate this feature with its round-robin load balancing to remove unhealthy hosts from circulation until they come back online.
We've overhauled the dashboard UX, making it more robust and a little faster / easier to use. The biggest change is in how we render the graphs, which we hope you enjoy.
We've spent a lot of time fixing bugs, improving logger output and overall trying to make things more robust, performant and better.
As always, we're open to feedback on our Github repo, or in our Community forum.
Gateway Mongo Driver updated to be compatible with MongoDB v3.0
Fixed OAuth client listings with redis cluster
Some latency improvements
Key detection now checks a local in-memory cache before reaching out to Redis, keys are cached for 10 seconds, with a 5 second purge rate (so a maximum key existence of 15s). Policies will still take instant effect on keys
key session cache is configurable: set local_session_cache.cached_session_timeout (default 10) and local_session_cache.cached_session_eviction (default 5) to the cache TTL and eviction scan times
key session cache can be disabled: local_session_cache.disable_cached_session_state
Test update to reduce number of errors, cleaner output
Healthcheck data now stored in a sorted set, much cleaner and faster, now works with redis cluster!
Bug fixed: Empty or invalid listen path no longer crashes proxy
Bug fixed: Basic Auth (and OAuth BA) passwords are now hashed; this is backward compatible, plaintext passwords will still work
OAuth access token expiry can now be set (in seconds) in the tyk.conf file using oauth_token_expire:3600
Proxy now records accurate status codes for upstream requests for better error reporting
Added refresh token invalidation API: DELETE /tyk/oauth/refresh/{key}?api_id={api_id}
Global header injection now works; it can be enabled on a per-version basis by adding global_headers:{"header_name": "header value"} to the version object in the API Definition. Global injections also support key metadata variables.
Global header deletion now works: add "global_headers_remove":["header_name", "header_name"] to your version object
Added request size limiter. The request size limiter middleware insists on Content-Length being set, checks first against the Content-Length value and then against the actual request size. To implement, add this to your version info:
"size_limits": [
{
"path": "widget/id",
"method": "PUT",
"size_limit": 25
}
]
Request size limits can also be enforced globally; these are checked first. To implement, add "global_size_limit": 30 to your version data.
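The Go program below is an added example of the two-stage check the note describes (a declared Content-Length check, then a check on the bytes actually read), written for this page and not taken from Tyk. It uses the note's size_limits entry (PUT widget/id, 25 bytes) and global_size_limit of 30; the global limit is evaluated first. The middleware and helper names, the 400 and 413 response codes, and the choice to cap the body reader at the smallest applicable limit are this example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

var (
	ErrNoContentLength = errors.New("Content-Length header is required")
	ErrTooLarge        = errors.New("declared request size exceeds limit")
)

// SizeLimit mirrors one entry of the "size_limits" array.
type SizeLimit struct {
	Path   string
	Method string
	Limit  int64
}

// effectiveLimits lists the limits applying to r: the global limit first
// (when non-zero), then every matching per-path rule.
func effectiveLimits(r *http.Request, rules []SizeLimit, global int64) []int64 {
	var limits []int64
	if global > 0 {
		limits = append(limits, global)
	}
	for _, rule := range rules {
		if strings.EqualFold(rule.Method, r.Method) &&
			strings.Trim(r.URL.Path, "/") == strings.Trim(rule.Path, "/") {
			limits = append(limits, rule.Limit)
		}
	}
	return limits
}

// CheckDeclaredSize is the header-level stage: Content-Length must be present
// (r.ContentLength is -1 when absent) and must not exceed any applicable limit.
func CheckDeclaredSize(r *http.Request, rules []SizeLimit, global int64) error {
	limits := effectiveLimits(r, rules, global)
	if len(limits) == 0 {
		return nil
	}
	if r.ContentLength < 0 {
		return ErrNoContentLength
	}
	for _, limit := range limits {
		if r.ContentLength > limit {
			return ErrTooLarge
		}
	}
	return nil
}

// SizeLimitMiddleware rejects requests failing the declared check, then caps
// the body reader so a client that under-reports Content-Length still cannot
// push more than the smallest applicable limit through to the upstream.
func SizeLimitMiddleware(rules []SizeLimit, global int64, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := CheckDeclaredSize(r, rules, global); err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		if limits := effectiveLimits(r, rules, global); len(limits) > 0 {
			smallest := limits[0]
			for _, l := range limits[1:] {
				if l < smallest {
					smallest = l
				}
			}
			r.Body = http.MaxBytesReader(w, r.Body, smallest)
		}
		next.ServeHTTP(w, r)
	})
}

// echoHandler stands in for the upstream: it reads the body and answers 413
// when the capped reader reports that the real size went over the limit.
var echoHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
		return
	}
	w.Write(body)
})

// Probe sends a constructed request through the middleware and returns the
// status code. declared overrides Content-Length so it can disagree with the
// real body; -1 simulates a missing header.
func Probe(method, path, body string, declared int64, rules []SizeLimit, global int64) int {
	req := httptest.NewRequest(method, path, strings.NewReader(body))
	req.ContentLength = declared
	rec := httptest.NewRecorder()
	SizeLimitMiddleware(rules, global, echoHandler).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	rules := []SizeLimit{{Path: "widget/id", Method: "PUT", Limit: 25}}
	fmt.Println(Probe("PUT", "/widget/id", "small", 5, rules, 30))                  // 200
	fmt.Println(Probe("PUT", "/widget/id", "small", -1, rules, 30))                 // 400: no Content-Length
	fmt.Println(Probe("PUT", "/widget/id", strings.Repeat("x", 30), 10, rules, 30)) // 413: header lied
}
```

The last probe is the case that makes the second stage necessary: the header passes the declared check, but the body is larger than it claims, and only the capped reader catches it.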
Adding a key_expires_in: seconds property to a policy definition will cause any key that is created or added using this policy to have a finite lifetime: it will expire in now()+key_expiry seconds, handy for free trials
Dependency update (logrus)
Added support for JSON Web Token (JWT), currently HMAC Signing and RSA Public/Private key signing is supported. To enable JWT on an API, add "enable_jwt": true,
to your API Definition. Then set your tokens up with these new fields when you create them:
"jwt_data": {
"secret": "Secret"
}
HMAC JWT secrets can be any string, but the secret is shared. RSA secrets must be a PEM encoded PKCS1 or PKCS8 RSA private key, these can be generated on a linux box using:
openssl genrsa -out key.rsa
openssl rsa -in key.rsa -pubout > key.rsa.pub
Tyk JWTs MUST use the "kid" header attribute, as this is the internal access token (when creating a key) that is used to set the rate limits, policies and quotas for the user. The benefit here is that if RSA is used, then all that is stored in a Tyk installation that uses hashed keys is the hashed ID of the end user and their public key, which is very secure.
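The Go program below is an added example of the HMAC-signed flow just described, written for this page rather than taken from Tyk: the verifier reads kid from the (still unverified) header, uses it to look up the key record that carries the shared secret and the policy to apply, and only then checks the signature, rejecting any alg other than HS256 so that "none" or algorithm-confusion tokens never reach the key lookup. The key table, the KeyRecord type, the SignHS256 helper used to build sample tokens, and the sample kid and secret values are all constructed for the example; real Tyk stores and validates its keys its own way.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var (
	ErrMalformed      = errors.New("malformed token")
	ErrUnsupportedAlg = errors.New("unsupported alg")
	ErrUnknownKid     = errors.New("kid does not match a known key")
	ErrBadSignature   = errors.New("signature verification failed")
)

// jwtHeader is the JOSE header; kid is mandatory for this verifier.
type jwtHeader struct {
	Alg string `json:"alg"`
	Typ string `json:"typ,omitempty"`
	Kid string `json:"kid"`
}

// KeyRecord is a constructed stand-in for what the gateway keeps per access
// token: the shared HMAC secret plus the policy that governs the caller.
type KeyRecord struct {
	Secret []byte
	Policy string
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignHS256 builds a compact JWT for kid (helper for producing sample tokens).
func SignHS256(kid string, secret []byte, claims map[string]interface{}) (string, error) {
	hdr, err := json.Marshal(jwtHeader{Alg: "HS256", Typ: "JWT", Kid: kid})
	if err != nil {
		return "", err
	}
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64(hdr) + "." + b64(body)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil)), nil
}

// VerifyHS256 resolves the key from kid, verifies the signature, and only
// then decodes the claims. Nothing in the payload is trusted before that.
func VerifyHS256(token string, keys map[string]KeyRecord) (KeyRecord, map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return KeyRecord{}, nil, ErrMalformed
	}
	rawHdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return KeyRecord{}, nil, ErrMalformed
	}
	var hdr jwtHeader
	if err := json.Unmarshal(rawHdr, &hdr); err != nil || hdr.Kid == "" {
		return KeyRecord{}, nil, ErrMalformed
	}
	if hdr.Alg != "HS256" { // pin the algorithm: never let the token choose it
		return KeyRecord{}, nil, ErrUnsupportedAlg
	}
	key, ok := keys[hdr.Kid]
	if !ok {
		return KeyRecord{}, nil, ErrUnknownKid
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return KeyRecord{}, nil, ErrMalformed
	}
	mac := hmac.New(sha256.New, key.Secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) { // constant-time comparison
		return KeyRecord{}, nil, ErrBadSignature
	}
	rawClaims, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return KeyRecord{}, nil, ErrMalformed
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(rawClaims, &claims); err != nil {
		return KeyRecord{}, nil, ErrMalformed
	}
	return key, claims, nil
}

func main() {
	// Constructed key table: kid -> shared secret and policy.
	keys := map[string]KeyRecord{"tyk-key-1": {Secret: []byte("Secret"), Policy: "free-tier"}}
	tok, _ := SignHS256("tyk-key-1", keys["tyk-key-1"].Secret, map[string]interface{}{"sub": "user-42"})
	rec, claims, err := VerifyHS256(tok, keys)
	fmt.Println(rec.Policy, claims["sub"], err) // free-tier user-42 <nil>
}
```

Because rate limits, quotas and policies hang off the record that kid selects, an unknown or missing kid is a hard failure here rather than a fallback to some default key.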
Fixed OAuth Password flow bug where a user could generate more than one token for the same API
Added realtime uptime monitoring. Uptime monitoring means you can create a series of check requests for your upstream hosts (they do not need to be the same as the APIs being managed) and have the gateway poll them for uptime. If a host goes down (non-200 code or TCP error) then an event is fired (HostDown); when it goes back up again another event is fired (HostUp). This can be combined with the webhook feature for realtime alerts
Realtime monitoring also records statistics to the database so they can be analysed or graphed later
Real time monitoring can also be hooked into the load balancer to have the load balancer skip bad hosts for dynamic configuration
When hosts go up and down, sentinels are activated in Redis so all nodes in a Tyk cluster can benefit
Only one Tyk node will ever do the polling, they use a rudimentary capture-the-flag redis key to identify who is the uptime tester
Monitoring can also be disabled if you want a non-active node to manage uptime tests and analytics purging
The uptime test list can be refreshed live by hot-reloading Tyk
Active monitoring can be used together with Circuit breaker to have the circuit breaker manage failing methods, while the uptime test can take a whole host offline if it becomes unresponsive
To configure uptime tests, in your tyk.conf:
"uptime_tests": {
"disable": false, // disable uptime tests on the node completely
"config": {
"enable_uptime_analytics": true,
"failure_trigger_sample_size": 1,
"time_wait": 5,
"checker_pool_size": 50
}
}
Check lists usually sit with API configurations, so in your API Definition:
"uptime_tests": {
"check_list": [
{
"url": "http://google.com:3000/"
},
{
"url": "http://posttestserver.com/post.php?dir=tyk-checker-target-test&beep=boop",
"method": "POST",
"headers": {
"this": "that",
"more": "beans"
},
"body": "VEhJUyBJUyBBIEJPRFkgT0JKRUNUIFRFWFQNCg0KTW9yZSBzdHVmZiBoZXJl"
}
]
},
The body is base64 encoded in the second example; the first example will perform a simple GET. NOTE: using the simplified form will not enforce a timeout, while the more verbose form will fail with a 500ms timeout.
Uptime tests can be configured from a service (e.g. etcd or consul), simply set this up in the API Definition (this is etcd):
"uptime_tests": {
"check_list": [],
"config": {
"recheck_wait": 12,
"service_discovery": {
"use_discovery_service": true,
"query_endpoint": "http://127.0.0.1:4001/v2/keys/uptimeTest",
"data_path": "node.value"
}
}
},
Uptime tests by service discovery will load initially from the endpoint, it will not re-poll the service until it detects an error, at which point it will schedule a reload of the endpoint data. If used in conjunction with upstream target service discovery it enables dynamic reconfiguring (and monitoring) of services.
The document that Tyk requires is a JSON string encoded version of the check_list parameter of the uptime_tests field, for etcd:
curl -L http://127.0.0.1:4001/v2/keys/uptimeTest -XPUT -d value='[{"url": "http://domain.com:3000/"}]'
Fixed a bug where incorrect version data would be recorded in analytics for APIs that use the first URL parameter as the version (domain.com/v1/blah)
Added domain name support (removes the requirement for the host manager). The main Tyk instance can have a hostname (e.g. apis.domain.com), and API Definitions can support their own domains (e.g. mycoolservice.com). Multiple API definitions can have the same domain name so long as their listen_paths do not clash (so you can have API 1 on mycoolservice.com/api1 and API 2 on mycoolservice.com/api2 if you set the listen_path for API 1 and API 2 respectively).
Domains are loaded dynamically and strictly matched, so calls for a listen path or API ID on the main Tyk hostname will not work for APIs that have custom domain names set; this means services can be nicely segregated.
If the hostname is blank, then the router is open and anything will be matched (if you are using the host manager, this is the option you want as it leaves domain routing up to NginX downstream)
Set up the main Tyk instance hostname by adding "hostname": "domain.com" to the config
Enable custom API-specific domains by setting enable_custome_domains in the tyk.conf to true
Make an API use a custom domain by adding a domain element to the root object
Custom domains will work with your SSL certs
Refactored the API loader so that it uses pointers all the way down; this lessens the amount of data that needs copying in RAM (will only really affect systems running 500+ APIs)
JSVM is now disabled by default; if you are not using JS middleware, you can reduce the Tyk footprint significantly by not enabling it. To re-enable set "enable_jsvm": true in tyk.conf
Fixed CORS so that if OPTIONS passthrough is enabled an upstream server can handle all pre-flight requests without any Tyk middleware intervening
Dashboard config requires a home_dir field in order to work outside of its home dir
Added option to segregate the control API from the front-end: set enable_api_segregation to true and then add the hostname to control_api_hostname
Published by lonelycode almost 9 years ago
Fixes a bug in the JSVM with concurrently running code
Published by lonelycode about 9 years ago
"storage": {
"type": "redis",
"enable_cluster": true,
"hosts" : {
"server1": "6379",
"server2": "6379",
"server23": "6379"
},
"username": "",
"password": "",
"database": 0,
"optimisation_max_idle": 100
},
A Note on redis cluster support
Redis cluster does not support multi-key operations or scans across key ranges, so the following operations could cause inconsistent behaviour: the health-check API, OAuth client listing, and key listing in unhashed setups.
"http_server_options": {
"flush_interval": 1
}
Enabled password grant type in OAuth:
allowed_access_types array to include password
/oauth/token/ endpoint on your OAuth-enabled API
{"access_token":"4i0VmSYMQ2iN7ivX0LaYBw","expires_in":3600,"refresh_token":"B_99PjEmQquufNWs8QYbow","token_type":"bearer"}
Published by lonelycode about 9 years ago
Dashboard:
To enable SSL edit the tyk.conf to include your certificates:
"http_server_options": {
"use_ssl": true,
"certificates": [
{
"domain_name": "banana.com",
"cert_file": "new.cert.cert",
"key_file": "new.cert.key"
}
]
},