Tyk Open Source API Gateway written in Go, supporting REST, GraphQL, TCP and gRPC protocols
OTHER License
Published by buger over 4 years ago
The keys that we use to sign our RPM packages have changed. This means that those of you who ask rpm to verify these keys will have to update the key. The documentation is at https://tyk.io/docs/getting-started/installation/with-tyk-on-premises/redhat-rhel-centos/gateway/#step-2-create-tyk-gateway-repository-configuration and for your reference the new key is http://keyserver.tyk.io/tyk.io.rpm.signing.key.2020
The old key (http://keyserver.tyk.io/tyk.io.rpm.signing.key) will remain accessible for now but this is not guaranteed.
As part of this, we have started to origin-sign our Debian packages. Please see https://tyk.io/docs/getting-started/installation/with-tyk-on-premises/on-ubuntu/gateway/ for more.
/tyk/oauth/revoke and /tyk/oauth/revoke_all endpoints https://tyk.io/docs/tyk-gateway-api/
cache.cache_by_headers string array field https://github.com/TykTechnologies/tyk/issues/2753
ignore_endpoint_case boolean option.
override messages. See examples here https://github.com/TykTechnologies/tyk/pull/2927 https://tyk.io/docs/tyk-configuration-reference/tyk-gateway-configuration-options/#override_messages
/api/apis/oauth/{clientID}/revoke and /api/apis/oauth/{clientID}/revoke_all endpoints here https://tyk.io/docs/tyk-apis/tyk-dashboard-api/oauth-key-management and /portal/developers/oauth-clients/{oauthClientId}/revoke_all here https://tyk.io/docs/tyk-apis/tyk-portal-api/portal-developers/#revoke-all-oauth-client-tokens
health_check_endpoint_name and health_check_endpoint_port config options. https://github.com/TykTechnologies/tyk-pump/issues/111
Published by buger over 4 years ago
proxy.transport.ssl_force_common_name_check and the global tyk.conf level ssl_force_common_name_check. https://github.com/TykTechnologies/tyk/issues/2774
return_overrides.override_error, or for JSVM plugins ReturnOverrides.OverrideError. https://github.com/TykTechnologies/tyk/issues/2693
ResponseBody (JSVM) or response_body (Python/gRPC), instead of ResponseError and response_error fields respectively. The old field can still be used for backward compatibility. https://github.com/TykTechnologies/tyk/issues/2693
coprocess_options.grpc_recv_max_size and coprocess_options.grpc_send_max_size variables. https://github.com/TykTechnologies/tyk/issues/2203
storage.master_name variable. https://github.com/TykTechnologies/tyk/issues/2769
storage.addrs string array field, to specify a list of hosts, instead of storage.hosts. This allows you to specify Redis servers on the same domain but different ports. https://github.com/TykTechnologies/tyk/issues/2769
request_signing.signature_header option. https://github.com/TykTechnologies/tyk/issues/2849
ctx.GetDefinition https://github.com/TykTechnologies/tyk/pull/2624
state attribute https://github.com/TykTechnologies/tyk/issues/2678
drl_threshold option, which specifies the minimum number of requests per gateway for the rate limit. If it is lower, then the Redis algorithm will be used. https://github.com/TykTechnologies/tyk/pull/2674
redis_master_name variable.
storage.addrs string array field, to specify a list of hosts, instead of storage.hosts. This allows you to specify Redis servers on the same domain but different ports.
disable_parallel_sessions behavior when using Single Sign-On
storage.master_name variable.
storage.addrs string array field, to specify a list of hosts, instead of storage.hosts. This allows you to specify Redis servers on the same domain but different ports.
decode_base64 boolean option, in order to skip base64 encoding for raw request and response objects.
storage.master_name variable.
storage.addrs string array field, to specify a list of hosts, instead of storage.hosts. This allows you to specify Redis servers on the same domain but different ports.
UseSSL and SSLInsecureSkipVerify fields for Redis backend https://github.com/TykTechnologies/tyk-identity-broker/issues/80
DefaultGroupID or dynamic value based on the field of oAuth/OpenID scope using CustomUserGroupField and UserGroupMapping fields. Example:
{
  "DefaultUserGroupID": "default-user-group",
  "CustomUserGroupField": "scope",
  "UserGroupMapping": {
    "admin": "<admin-group-id>",
    "analytics": "<analytics-group-id>"
  }
}
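How a mapping like this could resolve a user group from a token's scope, as an added example that is not Tyk Identity Broker's own code. The resolveGroup and parseConfig helpers, the space-separated scope format and the first-match rule are assumptions; every unmapped or missing scope lands in the default group, so that group should carry the least privilege.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// groupConfig mirrors the three fields shown in the example above.
type groupConfig struct {
	DefaultUserGroupID   string
	CustomUserGroupField string
	UserGroupMapping     map[string]string
}

// Constructed sample: the page's example with its placeholder group IDs.
const sampleConfig = `{
  "DefaultUserGroupID": "default-user-group",
  "CustomUserGroupField": "scope",
  "UserGroupMapping": {"admin": "<admin-group-id>", "analytics": "<analytics-group-id>"}
}`

// parseConfig decodes the JSON fragment into groupConfig.
func parseConfig(raw string) (groupConfig, error) {
	var cfg groupConfig
	err := json.Unmarshal([]byte(raw), &cfg)
	return cfg, err
}

// resolveGroup is a hypothetical helper. Assumption: the claim named by
// CustomUserGroupField is space-separated; the first mapped value wins.
func resolveGroup(cfg groupConfig, claims map[string]string) string {
	for _, v := range strings.Fields(claims[cfg.CustomUserGroupField]) {
		if id := cfg.UserGroupMapping[v]; id != "" {
			return id
		}
	}
	return cfg.DefaultUserGroupID // missing claim or unmapped value
}

func main() {
	cfg, err := parseConfig(sampleConfig)
	if err != nil {
		panic(err)
	}
	for _, scope := range []string{"openid analytics", "admin", "openid", ""} {
		fmt.Printf("scope=%q -> %s\n", scope, resolveGroup(cfg, map[string]string{"scope": scope}))
	}
}
```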
Published by buger over 4 years ago
Published by buger almost 5 years ago
drl_threshold in tyk.conf. The default value is 5, which means that if you have 2 servers and the session rate is less than 2 * 5, i.e. 10, that session will use the Redis algorithm for rate limiting; otherwise it uses the in-memory algorithm.
ssl_force_common_name_check to true in tyk.conf or by setting proxy.transport.ssl_force_common_name_check inside API definition
proxy.transport.ssl_force_common_name_check attribute via RAW API editor
Published by furkansenharputlu almost 5 years ago
Fixed Open Tracing issues [#2655, #2685, #2688]
This addresses an issue where middleware such as mocked responses, URL rewrites, method transform and versioning would stop working when tracing is enabled.
Added ignore case option for Whitelist/Blacklist/Ignore plugins [#2330]
For example, if /orderpizza is whitelisted, the ignore case option lets any combination of upper and lower case match as well: /orderPizza, /OrderPizza, /orDerpiZZa, etc.
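The effect of the option on a whitelist check, as an added example that is not Tyk's own matching code. The pathRule type, its IgnoreCase field and the exact-path anchoring are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// pathRule is a hypothetical stand-in for one Whitelist, Blacklist or Ignore
// entry; IgnoreCase models the ignore case option.
type pathRule struct {
	Path       string
	IgnoreCase bool
}

// matches reports whether requestPath hits the rule. Assumption: the rule is
// an exact path anchored at both ends; (?i) makes the regexp case-insensitive.
func (r pathRule) matches(requestPath string) bool {
	expr := "^" + regexp.QuoteMeta(r.Path) + "$"
	if r.IgnoreCase {
		expr = "(?i)" + expr
	}
	return regexp.MustCompile(expr).MatchString(requestPath)
}

// whitelisted returns true when any rule admits the request path.
func whitelisted(rules []pathRule, requestPath string) bool {
	for _, r := range rules {
		if r.matches(requestPath) {
			return true
		}
	}
	return false
}

func main() {
	strict := []pathRule{{Path: "/orderpizza"}}
	relaxed := []pathRule{{Path: "/orderpizza", IgnoreCase: true}}
	// Constructed request paths, using the spellings from the text.
	paths := []string{"/orderpizza", "/OrderPizza", "/orDerpiZZa", "/orderpizza/extra"}
	for _, p := range paths {
		fmt.Printf("%-20s strict=%-5v ignore_case=%v\n",
			p, whitelisted(strict, p), whitelisted(relaxed, p))
	}
}
```

Because the option also applies to Blacklist entries, it is worth setting consistently there when the upstream service treats paths case-insensitively.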
Ignore plugin can now be used with URL rewrite [#2579]
The purpose of the ignore plugin is to bypass authentication. This had an adverse effect in that it also bypassed several other middlewares such as URL rewrite. The Ignore plugin no longer causes relevant middleware to be bypassed.
OAuth client metadata is now applied to OAuth token [#2682]
OAuth error code is now configurable [#2381]
It is now possible to tune the error status code by modifying oauth_error_status_code in tyk.conf. If no value is set, it defaults to a 403 error.
Added RSA support in request signing middleware [#2452]
Request Signing middleware previously only supported HMAC. This is now extended to support RSA.
Circuit Breaker plugin now trips for any 5xx status code, not just 500 [#2660]
⚠️ Deprecated auth field in favour of auth_configs in api definition object [#2580]
{
  "auth_configs": {
    "authToken": {"auth_header_name": "My-Auth-Header-Key"},
    "basic": {"auth_header_name": "My-Basic-Auth-Header-Key"},
    ...
  }
}
This enables better control with multiple chained authentication mechanisms enabled for an API. Now we can set distinct Headers for different auth modes.
MGET driver fix in cluster mode [#2703]
MGET has been resolved by aggregating the result of several GET commands.
Resolved a UI error which made it impossible to delete a portal navigation item from the admin dashboard
Improved guidance for custom domains regex in Dashboard API Designer
Updating the developer portal catalogue no longer generates a new URL for portal documentation. This allows portal documentation to be shared publicly and updated without causing 404 broken links
Converted API version expiry date to UTC format to handle timezone differences
Fixed catalogue issues during a key request in a multi-selection flow
Require Key Approval feature wasn't working correctly in a multi API flow. Now, all cases are fixed.
Fixed pagination issues
Page count was wrong on some lists such as policies, APIs, etc.
Showed policy name along with ID for OIDC authentication
On OIDC authentication, once a policy is added, it is identified by the policy ID, rather than the name. Now it displays both the policy name and ID.
Fixed an issue where a user could log in to multiple sessions through TIB even with disable_parallel_sessions set to true
Fixed URL rewrite triggers in case of API update
When updating an API through the dashboard, the API was incorrectly modified and the advanced rewrite "match" value was incorrectly changed from true to false.
Fixed broken key update/delete events that affect Multi-Cloud installations
Internal key event names were refactored, but this broke backwards compatibility, so we have reverted to the previous event names.
Handled unsupported MongoDB characters [TykTechnologies/tyk-pump/issues/113]
MongoDB doesn't support "." in parent field names. Should a path contain ".", MongoDB would get corrupted. We have now replaced the "." character with its Unicode equivalent.
Added support for pumping to an Elasticsearch Cluster [TykTechnologies/tyk-pump/pull/180]
Previously, it was only possible to pump analytics to a single Elasticsearch endpoint. Due to this limitation, it was not previously possible to support Elasticsearch clusters.
Resolved issue where aggregate TCP proxy analytics were incorrectly calculated [TykTechnologies/tyk-pump/issues/182]
Enable http profiling by setting "enable_http_profiler": true in tyk_sink.conf
Added new configuration options:
ignore_tag_prefix_list (in mongo aggregate and hybrid pump): It will not store analytics for tags having a prefix specified in the list. Note: The prefix "key-" is added in the list by default. This tag is added by the Gateway for keys.
threshold_len_tag_list (in mongo aggregate pump): If the number of tags in a document grows beyond a specified value, the pump will throw a warning. The warning will print the top 5 common tag prefixes. The default value is 1000. To disable alerts set it to -1.
store_analytics_per_minute: Currently, aggregate data is generated per hour. If this option is enabled, aggregate data will be generated per minute.
track_all_paths: Currently, analytics for an endpoint is stored only if the Track Endpoint plugin is enabled on that endpoint. If track_all_paths is enabled, it will store analytics for all the endpoints, irrespective of Track Endpoint plugin.
Fixed Redis connection leak
Published by buger almost 5 years ago
max_upstream_latency: Records maximum upstream latency
min_upstream_latency: Records minimum upstream latency
total_upstream_latency: Records total upstream latency
max_latency: Records maximum end-to-end latency
min_latency: Records minimum end-to-end latency
total_latency: Records total end-to-end latency
latency: Avg latency
upstream_latency: Avg upstream latency
Published by excieve about 5 years ago
Release notes: https://tyk.io/docs/release-notes/version-2.9/
Published by buger about 5 years ago
TykMakeHttpRequest to pass query string variables for GET requests
/ literal as part of URL part
: character
Published by buger over 5 years ago
/oauth/token endpoint with additional security headers https://github.com/TykTechnologies/tyk/pull/2378
date_created field https://github.com/TykTechnologies/tyk/pull/2388
ReturnOverrides in plugins work with 40X codes
track_all_paths option to enable tracking analytics for all paths without “track path” plugin https://github.com/TykTechnologies/tyk-pump/pull/120
Published by buger over 5 years ago
xmlMarshal body transform template function
monitor to be configured, and Dashboard 1.8.2
jwt_default_policies field in API spec. Now it allows cases when you can’t modify JWT token.
enabled_ownersip to true
Published by buger over 5 years ago
enable_http_profiler boolean config flag https://github.com/TykTechnologies/tyk/pull/2235
request_context_matches inside rewrite options, similar to metadata https://github.com/TykTechnologies/tyk/pull/2033
Published by buger over 5 years ago
Release notes: https://tyk.io/docs/release-notes/version-2.8/
Published by buger over 5 years ago
storage.timeout.
application/x-www-form-urlencoded when JSVM plugins are used
storage.timeout.
sso_enable_user_lookup to true enable.
security.enable_content_security_policy to true and extend security.allowed_content_sources with list of allowed sources (space separated string).
Published by buger over 5 years ago
certificates, which is a string array, accepting certificate IDs or certificate paths. Once set, Gateway will dynamically load certificates, without restarting the process.
"hmac_allowed_algorithms": ["hmac-sha256"].
request_context_matches field. Can be used for matching by IP, or JWT scope.
proxy.disable_strip_slash API definition boolean variable.
health_check_endpoint_name option.
murmur64 inside basic auth middleware to avoid collisions
sso_enable_user_lookup boolean option.
Published by buger almost 6 years ago