KrakenD CE v2.7 released with better rate-limiting and security options

by Albert Lombarte

We are excited to announce the latest release of KrakenD, which focuses on resource optimization and brings new features, especially in security. Here’s a detailed look at what’s new in this release:

Finer rate-limiting

We have been working on optimizing the rate-limit feature, significantly reducing the RAM consumption for users of the endpoint rate limit. Installations that use it can generally expect to reduce their RAM consumption by at least 70%. No action is needed to benefit from this optimization other than upgrading your installation to v2.7.0.

In addition, a new type of token extractor allows you to limit requests based on URL parameters (/foo/{variable}), giving you more control over your API rate limiting. It lets you set limits keyed on a specific URL parameter, such as when the tenant identifier is part of the URL, providing finer-grained control over API usage.

Support for multiple SSL domains

Before this version, you could add a single TLS certificate that was either linked to a specific domain or a wildcard. We have now added support for multiple TLS certificates, allowing you to serve different domains (even when they are completely unrelated). This feature enhances your ability to handle diverse security needs and manage different domains efficiently.

To support this feature, we have deprecated the public_key and private_key properties directly in the configuration’s root and moved them inside a keys array. While the previous method still works, we recommend applying the small configuration change needed to stay ahead of its future removal.

Custom DNS Cache TTL

A new property, dns_cache_ttl, lets you set a custom DNS cache TTL when you retrieve the hosts list from a Service Discovery system.

Enhanced CORS Handling

v2.7 introduces new properties to enhance the configuration of Cross-Origin Resource Sharing (CORS): options_passthrough, options_success_status, and allow_private_network.

The allow_private_network property in KrakenD’s CORS configuration is particularly useful in securing internal applications and services that communicate across different network segments. From a security perspective, it helps prevent CSRF Pharming attacks and man-in-the-middle (MITM) attacks. By enabling this property, you can restrict CORS requests to trusted internal network addresses, ensuring that only legitimate and authorized internal sources can access sensitive resources.

It prevents malicious actors from exploiting CORS vulnerabilities to perform unauthorized actions or intercept sensitive data. Additionally, allowing CORS requests from private networks reduces the attack surface by limiting exposure to public networks and facilitating internal applications to communicate securely without being exposed to potential threats from external sources.

Overall, the allow_private_network property provides a robust mechanism to safeguard internal network communications, preventing unauthorized access and ensuring the integrity and confidentiality of data exchanged within the private network.
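To make the three new CORS options concrete, here is an added illustrative model (written for this post, not KrakenD's own implementation) of how a gateway answers a preflight: options_passthrough hands the OPTIONS request to the backend, options_success_status picks the status of preflights answered by the gateway, and allow_private_network controls whether the Private Network Access opt-in header is ever emitted. The field names, the single-origin check and the sample origin and URL are assumptions of this model; the Access-Control-Request-Private-Network / Access-Control-Allow-Private-Network headers are the ones browsers use.

```go
package main

import "net/http"
import "net/http/httptest"

// CORSOptions models the three v2.7 CORS settings (illustrative model, not KrakenD's code).
type CORSOptions struct {
	AllowOrigin          string // the single allowed origin, enough for this demo
	OptionsPassthrough   bool   // hand OPTIONS to the backend instead of answering here
	OptionsSuccessStatus int    // status for preflights answered here; 0 means 204
	AllowPrivateNetwork  bool   // opt in to Private Network Access preflights
}

// Preflight wraps a backend and answers CORS preflight (OPTIONS) requests.
func Preflight(o CORSOptions, backend http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin, reqMethod := r.Header.Get("Origin"), r.Header.Get("Access-Control-Request-Method")
		if r.Method != http.MethodOptions || reqMethod == "" || origin != o.AllowOrigin {
			backend.ServeHTTP(w, r) // not a preflight, or an origin we do not serve: no CORS headers
			return
		}
		w.Header().Set("Access-Control-Allow-Origin", origin)
		w.Header().Set("Access-Control-Allow-Methods", reqMethod)
		// The browser asks before a public page may reach a private-address resource; with no opt-in the allow header stays absent and the browser blocks the call.
		if o.AllowPrivateNetwork && r.Header.Get("Access-Control-Request-Private-Network") == "true" {
			w.Header().Set("Access-Control-Allow-Private-Network", "true")
		}
		if o.OptionsPassthrough {
			backend.ServeHTTP(w, r) // the backend chooses status and body
			return
		}
		status := o.OptionsSuccessStatus
		if status == 0 {
			status = http.StatusNoContent
		}
		w.WriteHeader(status)
	})
}

// SendPreflight issues a constructed, in-memory preflight that asks for private network access.
func SendPreflight(h http.Handler, origin string) *http.Response {
	req := httptest.NewRequest(http.MethodOptions, "http://gateway.internal/v1/users", nil)
	req.Header.Set("Origin", origin)
	req.Header.Set("Access-Control-Request-Method", "GET")
	req.Header.Set("Access-Control-Request-Private-Network", "true")
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Result()
}
```

Run with an origin that is not configured and the response carries no CORS headers at all, which is the behaviour to verify when you expose internal services through the gateway.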

HTTP Security Enhancements

The HTTP Security component also brings new properties, allowed_hosts_are_regex, ssl_proxy_headers, and force_sts_header, which let you define host lists with regular expressions and force STS headers even when requests arrive over plain HTTP.

Customization of header bytes size

A new property, max_header_bytes, has been added, allowing you to override the default maximum header size of 1 MB. This gives you greater flexibility to allow larger, or enforce smaller, headers when needed.

Static labels for OTEL

Finally, we’ve integrated static labels into the OpenTelemetry framework at the global and proxy layers. This enhancement, contributed by @ssepml, allows for more uniform tagging and detailed telemetry data.

Below is the list of changes.

🚀 Summary of changes for CE v2.7

Improved memory consumption of endpoint rate limit and added new security options to TLS, CORS, and HTTPSecurity.

Upgrading to the latest version is always advised.

This release marks a significant step forward in making KrakenD more secure and efficient. We are committed to continuously improving our software and providing you with the best tools to manage your services efficiently. Stay tuned for more updates and feel free to explore the detailed documentation linked above for each new feature and upgrade.
