KrakenD CE v2.7 released with better rate-limiting and security options

We are excited to announce the latest release of KrakenD, which focuses on resource optimization and brings new features, especially on security. Here’s a detailed look at what’s new in this release:

Finer rate-limiting

We have been working on optimizing the rate-limit feature, significantly reducing the RAM consumption for users of the endpoint rate limit. Generally speaking, installations using it can reduce their RAM consumption at least a 70%. No action is needed to benefit from this optimization other than upgrading your installation to v2.7.0.

In addition, a new type of token extractor allows you to limit requests based on parameters (/foo/{variable}) to give you more control over your API rate limiting. It will enable you to set limits based on specific URL parameters, such as when the tenant comes in the URL, providing finer-grained control over API usage.

Support for multiple SSL domains

Before this version, you could add a TLS certificate that was either linked to a specific domain or a wildcard. We’ve added support for multiple TLS certificates now, allowing you to manage different domains (even when they are completely unrelated). This feature enhances your ability to handle diverse security needs and manage different domains efficiently.

To support this feature, we have deprecated the public_key and private_key properties directly in the configuration’s root and moved them inside a keys array. While the previous method still works, we recommend applying the small configuration change needed to stay ahead of its future removal.

Custom DNS Cache TTL

A new property, dns_cache_ttl enables you to set a custom DNS cache TTL when you retrieve the hosts list from a Service Discovery system.

Enhanced CORS Handling

The v2.7 introduces new properties to enhance the configuration of Cross-Origin Resource Sharing (CORS): options_passthrough, options_success_status, and allow_private_network.

The allow_private_network property in KrakenD’s CORS configuration is particularly useful in securing internal applications and services that communicate across different network segments. From a security perspective, it helps prevent CSRF Pharming attacks and man-in-the-middle (MITM) attacks. By enabling this property, you can restrict CORS requests to trusted internal network addresses, ensuring that only legitimate and authorized internal sources can access sensitive resources.

It prevents malicious actors from exploiting CORS vulnerabilities to perform unauthorized actions or intercept sensitive data. Additionally, allowing CORS requests from private networks reduces the attack surface by limiting exposure to public networks and facilitating internal applications to communicate securely without being exposed to potential threats from external sources.

Overall, the allow_private_network property provides a robust mechanism to safeguard internal network communications, preventing unauthorized access and ensuring the integrity and confidentiality of data exchanged within the private network.

HTTP Security Enhancements

The HTTP Security component also brings new properties like allowed_hosts_are_regex, ssl_proxy_headers, and force_sts_header, which allow you to use regular expressions to define hosts lists, and let you force STS headers even when requests come in plain HTTP.

Customization of header bytes size

A new property, max_header_bytes, has been added, allowing you to override the default maximum header size of 1MB. This upgrade offers greater flexibility in handling larger and smaller headers when needed.

Static labels for OTEL

Finally, we’ve integrated static labels into the OpenTelemetry framework at the global and proxy layers. This enhancement, contributed by @ssepml, allows for more uniform tagging and detailed telemetry data.

Below there is the list of changes.

🚀 Summary of changes for CEv2.7

Improved memory consumption of endpoint rate limit and added new security options to TLS, CORS, and HTTPSecurity.

Added a new rate limiter based on parameters
Memory optimization of the rate-limit that greatly reduces the consumption of RAM, and new micro-optimization options added (cleanup_period, cleanup_threads, num_shards).
The JWT signer can now set a new leeway attribute for scenarios with desynchronized clocks.
A new flag dns_cache_ttl allows you to set a custom DNS cache TTL for Service Discovery
Added support to multiple TLS certificates.
Added new properties for CORS handling options_passthrough, options_success_status, and allow_private_network
New properties added to the HTTP Security component allowed_hosts_are_regex , ssl_proxy_headers, force_sts_header
Added new rules to the audit command.
Customizable size of maximum header via the property max_header_bytes. Previously fixed to 1MB.
OpenTelemetry - Added static labels to global and proxy layers (thanks to @ssepml)
The properties public_key and private_key of the tls configuration have been moved under an array keys to facilitate multiple certificates and domains. Read more

Upgrading to the latest version is always advised.

Compare versions

Upgrade to v2.7

This release marks a significant step forward in making KrakenD more secure and efficient. We are committed to continuously improving our software and providing you with the best tools to manage your services efficiently. Stay tuned for more updates and feel free to explore the detailed documentation linked above for each new feature and upgrade.

Download CE v2.7

Categories: Product Updates

Blog categories

Recent entries