1.0.1 Security Patch

A security issue was identified in how YARP 1.0.0 processes input. See Microsoft Security Advisory CVE-2022-26924.

The fix has been released and is available on NuGet.org.

1.1.0-RC.1.22211.2 Security Patch

A security issue was identified in how YARP 1.1.0-rc.1.22152.1 processes input. See Microsoft Security Advisory CVE-2022-26924.

The fix has been released and is available on NuGet.org.

1.1.0-RC.1

A security issue was identified in how this release of YARP processes input. Please update to 1.1.0-rc.1.22211.2.

This release supports .NET Core 3.1, .NET 5.0, and .NET 6.0. See Getting Started.

The Yarp.ReverseProxy packages are available on NuGet.org.

Breaking changes

• We made a change to how distributed tracing headers are proxied, allowing for easier configuration of pass-through scenarios. #1533
  When using direct forwarding, you must now also configure the ActivityHeadersPropagator on the SocketsHttpHandler to match the default behavior of YARP 1.0:

  new SocketsHttpHandler()
  {
      // ...
  +   ActivityHeadersPropagator = new ReverseProxyPropagator(DistributedContextPropagator.Current)
  };

Other changes

• Added support for multiple configuration sources. #1534
• YARP will use zero-byte reads when proxying the request & response bodies, reducing the memory consumption of long-running requests by up to 6x when the runtime supports it. #1415
• We are now using non-validated headers. This avoids subtle transformations/removals of header values, while avoiding many allocations and providing a significant performance improvement. #1507
• Added an IProxyStateLookup interface, giving you real-time access to clusters and routes. Also added a ReassignProxyRequest extension method allowing you to change the cluster after routing has already run. These are the key building blocks for creating custom A/B testing and rolling upgrade systems. #1538
• Added support for Http.Sys request delegation. #1556
• You can now modify the request body within a request transform, as YARP won't capture the body before transforms run. #1569
• YARP now throws if the request body length does not match the Content-Length header, providing a useful diagnostic when bodies are modified in-process without updating the headers. #1462
• Fixed a bug where the cluster model wasn't updated on destination-only configuration changes. #1568
• Added a static HttpTransformer.Empty field next to the existing HttpTransformer.Default for easy access to a transformer without the X-Forwarded-* and OriginalHost transforms. #1444
• Made QueryTransformContext case-insensitive to match ASP.NET behavior. #1553

For a full list of changes see here.

1.0.0

A security issue was identified in how this release of YARP processes input. Please update to 1.0.1.

We invite you to read the Announcing YARP 1.0 Release blog post.

This release supports .NET Core 3.1, .NET 5.0, and .NET 6.0. See Getting Started.

The Yarp.ReverseProxy packages are available on NuGet.org.

Breaking changes

• When using the PathPattern transform, /{**remainder} has to be used instead of /{remainder} for the catch-all. This comes with a bug fix where the transform would incorrectly escape the / character as %2F in the remainder. #1321

Other changes

• Fixed a bug with the RequestHeaderRemove transform where it could throw while processing requests. #1335
• Fixed a narrow HTTP/2 scenario where the destination server responds with a NO_ERROR reset. #1320
• A number of documentation and sample improvements. #1329, #1322, #1336, #1338, #1339, #1342, #1361, #1365

For a full list of changes see here.

1.0.0-RC.1

This release supports .NET Core 3.1, .NET 5.0, and .NET 6.0. See Getting Started.

The Yarp.ReverseProxy packages are available on NuGet.org.

Breaking changes

• The Yarp.ReverseProxy.Telemetry.Consumption package was renamed to Yarp.Telemetry.Consumption. #1251
• The Yarp.ReverseProxy.ServiceFabric nuget package is not included in this release. That work is moving to a different repo and development schedule. #1304
• The ForwarderRequestConfig.Timeout request timeout has been replaced by an ActivityTimeout. The timeout now restarts when response headers are received, or when any request, response, or websocket data is transferred. WebSockets should enable Pings to keep idle connections alive. gRPC streams should consider using application level pings if they intend to remain idle longer than the timeout. #1289
• The I*MetricsConsumer interfaces have been consolidated to IMetricsConsumer<T>. #1295
• ActivityPropagationHandler and ActivityContextHeaders removed. This feature is now available natively in .NET 6. See the discussion for information on how to enable the scenario for prior versions of .NET. #1311
• Response header and trailer transform APIs now take a ResponseCondition to allow them to run on Success, Failure, or Always. #1300
• The HttpContext.GetClusterState extension method has been removed. #1166
• IProxyConfigFilter.ConfigureRouteAsync now takes in ClusterConfig as well. #1231

Other changes

• The libraries have added a target for net6.0, and various optimizations to take advantage of 6.0.
• Query parameter based routing, and additional modes for header based routing. #1277
• Response transforms will be run even if the destination failed to respond. #1257
• HttpForwarder uses the same default transforms as the rest of YARP, including X-Forwarded-* headers and removing the Host header. #1246
• New WebSockets telemetry middleware. #1237
• Support for header allow lists. #1137

For a full list of changes see here.

1.0.0-preview.12.21451.3 Security Patch

Security Patch

A security issue was identified in YARP involving HTTP request smuggling for HTTP/1.1. The fix has been backported and updated preview12 packages are now available on NuGet.org.

This release supports .NET Core 3.1 and .NET 5.0. See Getting Started.

1.0.0-preview12

This release supports .NET Core 3.1 and .NET 5.0. See Getting Started.

The Yarp.ReverseProxy packages are available on NuGet.org.

Breaking changes

This release contains a number of API breaking changes that aim to make YARP easier and more consistent to use.

• Core types are renamed to better indicate their responsibilities
  • ClusterConfig => ClusterModel
  • Cluster => ClusterConfig
  • ClusterInfo => ClusterState
  • RouteConfig => RouteModel
  • ProxyRoute => RouteConfig
  • RouteInfo => RouteState
  • DestinationConfig => DestinationModel
  • Destination => DestinationConfig
  • DestinationInfo => DestinationState
• Cluster sub option types are also renamed
  • HealthCheckOptions => HealthCheckConfig
  • ActiveHealthCheckOptions => ActiveHealthCheckConfig
  • PassiveHealthCheckOptions => PassiveHealthCheckConfig
  • ProxyHttpClientOptions => ProxyHttpClientConfig
  • WebProxyOptions => WebProxyConfig
  • RequestProxyOptions => ForwarderRequestConfig
  • SessionAffinityOptions => SessionAffinityConfig
• Client certificate configuration is removed from HttpClientConfig #994
  • Added configure client certificate sample Details
• QueryParameterTransform can set an empty value "" to a parameter. #978
• RequestHeaderEncoding is set as a string in configuration #995
• Session affinity API changed
  • Renamed ISessionAffinityProvider => ISessionAffinityPolicy
  • Renamed AffinitizeRequest => AffinitizeResponse
  • Renamed SessionAffinityConfig.Mode => SessionAffinityConfig.Provider
  • Renamed AffinityFailurePolicies => FailurePolicies
  • New mandatory setting SessionAffinityConfig.AffinityKeyName are used by both of cookie and custom header affinity provider to set the cookie name or the custom header name respectively
  • New strongly-typed section SessionAffinityCookieConfig is added to configure the cookie affinity provider
  • SessionAffinityConfig.Settings collection is removed
• Projects structure is refactored by flattening hierarchy and regrouping files, changing several namespaces #1035
• Renamed IHttpProxy => IHttpForwarder. In this context, "Forwarder" term is now used instead of "Proxy", thus in all related type the "Proxy" in the name are replaced with "Forwarder" (e.g. IProxyHttpClientFactory => IForwarderHttpClientFactory, IProxyErrorFeature => IForwarderErrorFeature, AddHttpProxy => AddHttpForwarder)
• Changed the return type of IHttpForwarder.SendAsync it now returns ValueTask<ForwarderError>
• Renamed load balancing policy LoadBalancingPolicies.First => LoadBalancingPolicies.FirstAlphabetical
• Renamed IActiveHealthCheckMonitor.InitialDestinationsProbed => InitialProbeCompleted
• X-Forwarded-* and Forwarded header transforms changed. Details
  • New transform actions supported: Set, Remove, Off
  • Prefix config setting renamed to HeaderPrefix
  • Separate action configuration for each of X-Forwarded-* headers. Example:

  {
      "X-Forwarded": "Set",
      "For": "Remove",
      "Proto": "Append",
      "Prefix": "Off",
      "HeaderPrefix": "X-Forwarded-"
  }

  • Default action for X-Forwarded-* and Forwarded transforms is Set
• RequestHeader, ResponseHeader, and ResponseTrailer transforms no longer use "Set": "" (empty) to remove a header. See the new *Remove transforms below.

Other major changes and features

• Cluster's available destination list is now updated by IClusterDestinationsUpdater service based on destinations health status. Two update policies HealthyAndUnknown and HealthyOrPanic are added which can be configure on a cluster like this:

"cluster1": {
  "AvailableDestinationsPolicy": "HealthyOrPanic",
  "HealthCheck": {
    "Passive": {
      "Enabled": "true"
    }
    //...
}

• New transforms added: RequestHeaderRemove, ResponseHeaderRemove, ResponseTrailerRemove. Details
• Connection specific headers are removed from request and responses #1008, #1050
• User-Agent is for active health check requests #1013
• README.md added for the samples folder
• Documentation for proxying gRPC traffic is added

1.0.0-preview11

This release supports .NET Core 3.1 and .NET 5.0. See Getting Started.

The Yarp.ReverseProxy packages are available on NuGet.org.

Major changes and features:

• [Breaking change] This release contains a number of API breaking changes that aim to make YARP easier and more consistent to use:
  • ProxyMatch => RouteMatch
  • AddProxyConfigFilter => AddConfigFilter
  • UseProxyLoadBalancing => UseLoadBalancing
  • UseAffinitizedDestinationLookup => UseSessionAffinity
  • Removed RouteManager, ClusterManager, DestinationManager
  • Changed the routes config model from an array to a Dictionary - #900
    Sample change might look like:

  "Routes": [
    {
      "RouteId": "route1",
      "ClusterId": "cluster1"
    }
  ]

  "Routes": {
    "route1": {
      "ClusterId": "cluster1"
    }
  }

• [Breaking change] X-Fowarded-PathBase header has been replaced with X-Forwarded-Prefix
• Added the ability to interrupt and replace proxy responses (like adding retries) - #866
• Exposed ProxyHttpClientFactory, simplifying the customization of HttpClient instances - #869
• Added WebProxy support for outgoing requests - #879
• [Breaking change] For the Telemetry.Consumption library, removed Add*TelemetryListener methods in favour of a single AddTelemetryListeners, forcing consumer lifetime to singleton - #928
• Many small fixes

For a complete list of changes see the PR history.

1.0.0-preview10

This release supports .NET Core 3.1 and .NET 5.0. See Getting Started.

The Yarp.ReverseProxy packages are available on NuGet.org.

Major changes and features:

• [Breaking change] Rebranded from Microsoft.ReverseProxy to Yarp.ReverseProxy. This includes the package name and namespaces.
• Added support for specifying non-ASCII request header encodings (#760). See docs.
• Exposed extension methods on HttpContext for accessing IReverseProxyFeature/ClusterInfo/RouteConfig (#814).
• Changed EnableMultipleHttp2Connections default to true.
• Exposed TlsFrameHelper (#820).
• Added support for ProxyHttpClientOptions in ServiceFabric.
• Many small fixes and performance improvements.

For a complete list of changes see the PR history.

1.0.0-preview9

This release supports .NET Core 3.1 and .NET 5.0. See Getting Started.

The Microsoft.ReverseProxy packages are available on NuGet.org.

Major changes and features:

• We started publishing a preview of the Microsoft.ReverseProxy.Telemetry.Consumption package.
• [Breaking change] Converted to a read-only object model (#662).
• [Breaking change] Transform extensibility (#703) See docs.
• Many small fixes and performance improvements.

For a complete list of changes see the PR history.