v1.11.0

1.11.0

With this release Couper brings even more value when it comes to connecting services and security. We made mTLS configurable for both sides, the server side and the backend one. Couper is normally used behind an ingress but is now able to serve secured content and forces clients to present a valid certificate if configured. For the backend blocks Couper acts as client and is able to present a client certificate to the origin. This feature also allows to additionally configure a CA certificate per backend, unlike the ca_file option which configures a certificate for all outgoing connections.

To configure a Single Page Application for different environments, believe it or not, things could get complicated. Couper comes with a simple but powerful spa attribute to inject a custom JSON object into the bootstrap file via a defined placeholder while serving this to the client.

• Added

  • mTLS Support for server and backend blocks (#615)
  • spa block option to inject server-data to the applications bootstrap_file with bootstrap_data (#626)
  • OAuth2 client authentication methods (token_endpoint_auth_method values) "client_secret_jwt" and "private_key_jwt" including jwt_signing_profile block for oauth2, beta_oauth2 and oidc blocks (#599)
  • trim() function (#605)
  • beta_roles_map_file and beta_permissions_map_file attributes to jwt block (#613)

• Changed

  • Replaced the JWT library because the former library was no longer maintained (#612)
  • Routing and OpenAPI validation now use gorilla/mux (#614)
  • Usage of env variables and functions is now possible for the defaults block (#630)

• Fixed

  • Aligned the evaluation of beta_oauth2/oidc redirect_uri to saml sp_acs_url (#589)
  • Proper handling of empty beta_oauth2/oidc scope (#593)
  • Throwing sequence errors and selecting appropriate error handlers (#595)
  • Allow setting of the typ JWT header in jwt_signing_profiles (#616)
  • CVE-2021-3538 related to our request_id_format option if switched to uuid4: replaced the underlying package to github.com/google/uuid (#611)
  • Possible panic for nested endpoint sequences (#618)
  • Cycle check for endpoint sequences (#623)
  • In endpoint sequences send requests only once (#624)