By on January 21, 2021

Kong Gateway Community 2.3 Released

Hey there, Kong Nation! We are happy to announce the release of the community edition of Kong Gateway Community 2.3, our flagship open source API gateway!

Version 2.3 brings several exciting new features as well as some significant security improvements.  As we have done in both versions 2.1 and 2.2, we are also releasing a Beta version of the Enterprise 2.3 gateway while incorporating all features from the open source 2.3 gateway. You can learn more about Kong Enterprise and its additional capabilities here.

You can download and install it and start playing with the new features right away, and here’s a quick overview of what’s new!

Kong ❤️ UTF-8

Starting with version 2.3, Kong now accepts UTF-8 characters in route and service names.  We know that Kong Nation spans across many nations (literally), and being able to have the gateway support in your native character set is important. So now, if you want to give a route a name using character sets for Russian, Japanese, Chinese, or any number of other languages, you can do so with 2.3.  (And yes, emojis are now valid for use in route and service names as well 😊 )


Security Improvements

As Kong Nation continues to grow, we recognize that not all users read all documentation on securing a Kong instance before deploying. As the number of new users proliferates, we want to ensure that Kong is secure by default. Kong 2.3 is much more secure by default and design through a series of improvements. Like most changes in “default security” posture, this regretfully will cause a breaking change for some users, so read on to understand how to handle upgrades and what to look out for.

Kong’s serverless functions allow an administrator to define arbitrary Lua code to execute much like any serverless function. Because they were previously attached to the Kong process, we’ve warned that users should secure the admin port. If you want to be even more cautious, disable the plugins in configuration to further secure the Gateway. Starting in 2.3, we’re more careful within the product by adding — and enabling — new sandboxing capabilities. By default, only the Kong PDK, OpenResty ngx APIs, and Lua standard libraries are allowed in the sandbox by the serverless functions. There are several new configuration controls you can use if you know what you’re doing.

  1. untrusted_lua can be set to “off” (disallow any loading of untrusted/admin-supplied Lua code), “sandbox” (allow, but sandbox the Lua code), or “on” (allow and don’t sandbox). The default is set to “sandbox,” which is much safer for new users. Suppose you’re an existing user and want to maintain the old behavior. In that case, you can set this parameter to “on,” but take extra care to ensure the Gateway’s admin port is not exposed to potential attackers.
  2. untrusted_lua_sandbox_requires can be used to provide the Kong sandbox with additional modules. As this is a global setting, be very careful before adding modules here, as adding something like “io” could be used to invalidate the sandbox.
  3. untrusted_lua_sandbox_environment can be used to provide additional Lua variables to the sandbox.

Additional security improvements in 2.3 include that Kong-generated SSL private keys now have 600 file system permission by default. Also, OpenSSL has been bumped from 1.1.1h to 1.1.1i to fix CVE-2020-1971 for this dependency. We’ve done an extensive review of the gateway. While there’s no direct exploitability of this CVE to the core gateway, we’re bumping the version to increase the security of any plugins that may rely on OpenSSL functionality.


New Plugin Capabilities

The HTTP Log plugin has been improved to allow you to add headers to the HTTP request.  This will help you integrate with many observability systems, including Splunk, the Elastic Stack (“ELK”) and others.

The Key Authentication plugin has two new configuration parameters: key_in_header and key_in_query. Both are booleans and tell Kong whether to accept (true) or reject (false) passed in either the header or the query string. Both default to “true.”

The Request Size Limiting plugin has a new configuration require_content_length that causes the plugin to ensure a valid Content-Length header exists before reading the request body.


And Much More!

Kong 2.3 introduces some additional new features and fixes, including:

  • Kong 2.3 now checks for version compatibility between the control plane and any data planes to ensure the data planes and any plugins have compatibility with the control plane in hybrid mode.
  • Certificates now have cert_alt and key_alt fields to specify an alternative certificate and key pair.
  • The go-pluginserver stderr and stdout are now written into Kong’s logs, allowing Golang’s native log.Printf().
  • client_max_body_size and client_body_buffer_size are now configurable. These two parameters used to be hardcoded and set to 10m.
  • Custom plugins can now make use of new functionality. kong.node.get_hostname unsurprisingly returns the hostname of the Kong node, kong.cluster.get_id returns a unique global cluster ID (or nil if running in a declarative configuration), and kong.log.set_serialize_value() can now be used to set the format of log serialization in a custom plugin.

Kong Nation and Online Meetups

As always, feel free to ask any questions on Kong Nation, our community forum. Your feedback allows us to understand the mission-critical use cases better to keep improving Kong.

And if you want to stay on top of everything that’s going on as we develop future releases, join us in our monthly Online Meetups where Kongers present the latest and greatest stuff and often give sneak previews of the goodies that are coming through the pipeline!

Happy Konging!