Tyk Gateway v2.3.5 and Tyk Dashboard v1.3.5


#1

We are happy to announce new Tyk Gateway and Dashboard versions, which continue our security focused line of releases. Full release notes below and on our github releases page:

Tyk Gateway v2.3.5

  • New: Added http_server_options.ssl_insecure_skip_verify boolean option to allow self-signed certificates for Gateway. #693
  • New: Added proxy_ssl_insecure_skip_verify boolean option to skip SSL check for upstream APIs with self-signed certificates. #693
  • Fix: Control API was not working when both hostname and control_api_hostname set. #670
  • Fix: Uptime tests when failure_trigger_sample_size set to 1. #632
  • Fix: Uptime tests when uptime_tests.time_wait is not explicitly set in config. #669
  • Fix: Log flooding when management_node is turned on. #660
  • Fix: /keys/* endpoint when the api_id param is provided but the API is not loaded on this node (due to tags). Now tagged gateways have access to all keys. #663
  • Fix: Reduced default values for uptime tests in the default tyk.conf. The old ones had a 20 minute wait time. #668
  • Fix: Duplicated hostnames in uptime logs. #678
  • Fix: IP whitelisting using X-Fowarder-IP header. #704
  • Fix: Potential memory leak in hot reload with JSVM enabled. #496

Tyk Dashboard v1.3.5

New: Dashboard and Portal login rate limiting

Login rate limiting applies to both the dashboard and the developer portal.
Once a user reaches the limit, they will see an error and will not be able to log in to the dashboard/portal.

Added new configuration section:

"security": {
  "login_failure_username_limit": 3,
  "login_failure_ip_limit": 10,
  "login_failure_expiration": 900
}

By default, limit values are zero and login_failure_expiration is 15 minutes (900).

New: Audit log

Now you can enable the audit log by setting the security.audit_log_path configuration option. It will log all user actions and response statuses to it. Security information like passwords is removed from this log.

Other

  • New: Added new host_config.secure_cookie boolean option which enables “secure” cookies, which only work over https.
  • Fix: The Dashboard now internally uses HttpOnly cookies instead of headers for authorization, to improve defense against cross-site scripting attacks.
  • Fix: Ensure that API responses are not cached by explicitly adding the Cache-Control: no-cache header.
  • Fix: Potential Content-Type sniffing issues by setting X-Content-Type-Options: nosniff header.
  • Set proper mime types for font assets.
  • Fix: Deny API Catalogue documentation access if the catalogue is set to inactive or the portal is only for logged-in users.
  • Fix: The policy selector in the developer view only showed 10 policies; it should show all of them.
  • Fix: Saving a developer should not flush their password.
  • Fix: Broken URLs for getting a free or commercial license on the first start screen.
  • Fix: Use canonical casing for the X-Frame-Options header.
  • Fix: Improved protection against cross-frame scripting.
  • Fix: Checks for duplicate listen paths and slugs (including Swagger import). To make this work, ensure that the enable_duplicate_slugs option is set to false.
  • Fix: Swagger API import now properly sets Slug and ListenPath based on basePath.
  • Fix: A key attached to a policy did not inherit the expiration date.
  • UX: Hide access token generator for disabled users.

Happy hacking!
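The login rate limiting described in the Dashboard v1.3.5 notes above (a per-username limit, a per-IP limit, both expiring after login_failure_expiration seconds, with 0 disabling a check) as a small Go model. This is an added example, not Tyk's own code; it assumes the failure window is fixed and starts at the first failure, and the LoginLimiter names are hypothetical.

```go
package main

import "time"

// LoginLimiter models the login failure limiting from the "security" section:
// a per-username limit, a per-IP limit and a window (seconds) after which the
// failure count expires. A limit of 0 disables that check, as in the defaults.
// Assumption: the window starts at the first failure; Tyk itself may differ.
type LoginLimiter struct {
	usernameLimit, ipLimit int
	expiration             time.Duration
	Now                    func() time.Time   // injectable clock for tests
	failures               map[string]*window // keyed "user:<name>" or "ip:<addr>"
}

type window struct {
	count   int
	expires time.Time
}

func NewLoginLimiter(usernameLimit, ipLimit, expirationSeconds int) *LoginLimiter {
	return &LoginLimiter{usernameLimit: usernameLimit, ipLimit: ipLimit,
		expiration: time.Duration(expirationSeconds) * time.Second,
		Now:        time.Now, failures: map[string]*window{}}
}

func (l *LoginLimiter) count(key string) int { // live failures, dropping an expired window
	if w, ok := l.failures[key]; ok && l.Now().Before(w.expires) {
		return w.count
	}
	delete(l.failures, key)
	return 0
}

// Allowed runs before the password is verified, so a locked-out user or IP gets the error first.
func (l *LoginLimiter) Allowed(username, ip string) bool {
	userBlocked := l.usernameLimit > 0 && l.count("user:"+username) >= l.usernameLimit
	ipBlocked := l.ipLimit > 0 && l.count("ip:"+ip) >= l.ipLimit
	return !userBlocked && !ipBlocked
}

// RecordFailure increments both counters after a failed login attempt.
func (l *LoginLimiter) RecordFailure(username, ip string) {
	for _, key := range []string{"user:" + username, "ip:" + ip} {
		if l.count(key) == 0 { // no live window yet: start one
			l.failures[key] = &window{expires: l.Now().Add(l.expiration)}
		}
		l.failures[key].count++
	}
}
```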


#2

Hello, I am currently running a Dashboard 1.1.0 and Gateway 2.2.0 installation (community edition) on Docker (swarm cluster).
I would like to upgrade to latest (1.3.5, 2.3.5), is there an upgrade procedure or recommendations?

Thanks
Roberto


#3

Hi previ,

We have a guide on how to upgrade from v2.2 to v2.3.
As for the Dashboard, you should back up your analytics.conf and then update the image with the latest one.

Thanks,
Kos @ Tyk Support Team


#4

To add to @kos’ reply, also back up your tyk.conf file 🙂