News KrakenD EE v2.8 released: Configurable logging, Redis-backed rate limits, Lua, YAML encoding and more

Product UpdatesSecurity

4 min read

KrakenD CE v2.7 released with better rate-limiting and security options

by Albert Lombarte

We are excited to announce the latest release of KrakenD, which focuses on resource optimization and brings new features, especially on security. Here’s a detailed look at what’s new in this release:

Finer rate-limiting

We have been working on optimizing the rate-limit feature, significantly reducing the RAM consumption for users of the endpoint rate limit. Generally speaking, installations using it can reduce their RAM consumption at least a 70%. No action is needed to benefit from this optimization other than upgrading your installation to v2.7.0.

In addition, a new type of token extractor allows you to limit requests based on parameters (/foo/{variable}) to give you more control over your API rate limiting. It will enable you to set limits based on specific URL parameters, such as when the tenant comes in the URL, providing finer-grained control over API usage.

Support for multiple SSL domains

Before this version, you could add a TLS certificate that was either linked to a specific domain or a wildcard. We’ve added support for multiple TLS certificates now, allowing you to manage different domains (even when they are completely unrelated). This feature enhances your ability to handle diverse security needs and manage different domains efficiently.

To support this feature, we have deprecated the public_key and private_key properties directly in the configuration’s root and moved them inside a keys array. While the previous method still works, we recommend applying the small configuration change needed to stay ahead of its future removal.

Custom DNS Cache TTL

A new property, dns_cache_ttl enables you to set a custom DNS cache TTL when you retrieve the hosts list from a Service Discovery system.

Enhanced CORS Handling

The v2.7 introduces new properties to enhance the configuration of Cross-Origin Resource Sharing (CORS): options_passthrough, options_success_status, and allow_private_network.

The allow_private_network property in KrakenD’s CORS configuration is particularly useful in securing internal applications and services that communicate across different network segments. From a security perspective, it helps prevent CSRF Pharming attacks and man-in-the-middle (MITM) attacks. By enabling this property, you can restrict CORS requests to trusted internal network addresses, ensuring that only legitimate and authorized internal sources can access sensitive resources.

It prevents malicious actors from exploiting CORS vulnerabilities to perform unauthorized actions or intercept sensitive data. Additionally, allowing CORS requests from private networks reduces the attack surface by limiting exposure to public networks and facilitating internal applications to communicate securely without being exposed to potential threats from external sources.

Overall, the allow_private_network property provides a robust mechanism to safeguard internal network communications, preventing unauthorized access and ensuring the integrity and confidentiality of data exchanged within the private network.

HTTP Security Enhancements

The HTTP Security component also brings new properties like allowed_hosts_are_regex, ssl_proxy_headers, and force_sts_header, which allow you to use regular expressions to define hosts lists, and let you force STS headers even when requests come in plain HTTP.

Customization of header bytes size

A new property, max_header_bytes, has been added, allowing you to override the default maximum header size of 1MB. This upgrade offers greater flexibility in handling larger and smaller headers when needed.

Static labels for OTEL

Finally, we’ve integrated static labels into the OpenTelemetry framework at the global and proxy layers. This enhancement, contributed by @ssepml, allows for more uniform tagging and detailed telemetry data.

Below there is the list of changes.

🚀 Summary of changes for CEv2.7

Improved memory consumption of endpoint rate limit and added new security options to TLS, CORS, and HTTPSecurity.

Upgrading to the latest version is always advised.

This release marks a significant step forward in making KrakenD more secure and efficient. We are committed to continuously improving our software and providing you with the best tools to manage your services efficiently. Stay tuned for more updates and feel free to explore the detailed documentation linked above for each new feature and upgrade.

Scarf

Stay up to date with KrakenD releases and important updates