- access log: added ability to log response trailers.
- access log: added ability to format START_TIME.
- access log: added DYNAMIC_METADATA :ref:`access log formatter <config_access_log_format>`.
- access log: added :ref:`HeaderFilter <envoy_api_msg_config.filter.accesslog.v2.HeaderFilter>` to filter logs based on request headers.
- access log: added %([1-9])?f as one of START_TIME specifiers to render subseconds.
- access log: gRPC Access Log Service (ALS) support added for :ref:`HTTP access logs <envoy_api_msg_config.accesslog.v2.HttpGrpcAccessLogConfig>`.
- access log: improved WebSocket logging.
- admin: added :http:get:`/config_dump` for dumping the current configuration and associated xDS version information (if applicable).
- admin: added :http:get:`/clusters?format=json` for outputing a JSON-serialized proto detailing the current status of all clusters.
- admin: added :http:get:`/stats/prometheus` as an alternative endpoint for getting stats in prometheus format.
- admin: added :ref:`/runtime_modify endpoint <operations_admin_interface_runtime_modify>` to add or change runtime values.
- admin: mutations must be sent as POSTs, rather than GETs. Mutations include: :http:post:`/cpuprofiler`, :http:post:`/healthcheck/fail`, :http:post:`/healthcheck/ok`, :http:post:`/logging`, :http:post:`/quitquitquit`, :http:post:`/reset_counters`, :http:post:`/runtime_modify?key1=value1&key2=value2&keyN=valueN`.
- admin: removed /routes endpoint; route configs can now be found at the :ref:`/config_dump endpoint <operations_admin_interface_config_dump>`.
- buffer filter: the buffer filter can be optionally :ref:`disabled <envoy_api_field_config.filter.http.buffer.v2.BufferPerRoute.disabled>` or :ref:`overridden <envoy_api_field_config.filter.http.buffer.v2.BufferPerRoute.buffer>` with route-local configuration.
- cli: added --config-yaml flag to the Envoy binary. When set its value is interpreted as a yaml representation of the bootstrap config and overrides --config-path.
- cluster: added :ref:`option <envoy_api_field_Cluster.close_connections_on_host_health_failure>` to close tcp_proxy upstream connections when health checks fail.
- cluster: added :ref:`option <envoy_api_field_Cluster.drain_connections_on_host_removal>` to drain connections from hosts after they are removed from service discovery, regardless of health status.
- cluster: fixed bug preventing the deletion of all endpoints in a priority
- debug: added symbolized stack traces (where supported)
- ext-authz filter: added support to raw HTTP authorization.
- ext-authz filter: added support to gRPC responses to carry HTTP attributes.
- grpc: support added for the full set of :ref:`Google gRPC call credentials <envoy_api_msg_core.GrpcService.GoogleGrpc.CallCredentials>`.
- gzip filter: added :ref:`stats <gzip-statistics>` to the filter.
- gzip filter: sending accept-encoding header as identity no longer compresses the payload.
- health check: added ability to set :ref:`additional HTTP headers <envoy_api_field_core.HealthCheck.HttpHealthCheck.request_headers_to_add>` for HTTP health check.
- health check: added support for EDS delivered :ref:`endpoint health status <envoy_api_field_endpoint.LbEndpoint.health_status>`.
- health check: added interval overrides for health state transitions from :ref:`healthy to unhealthy <envoy_api_field_core.HealthCheck.unhealthy_edge_interval>`, :ref:`unhealthy to healthy <envoy_api_field_core.HealthCheck.healthy_edge_interval>` and for subsequent checks on :ref:`unhealthy hosts <envoy_api_field_core.HealthCheck.unhealthy_interval>`.
- health check: added support for :ref:`custom health check <envoy_api_field_core.HealthCheck.custom_health_check>`.
- health check: health check connections can now be configured to use http/2.
- health check http filter: added :ref:`generic header matching <envoy_api_field_config.filter.http.health_check.v2.HealthCheck.headers>` to trigger health check response. Deprecated the endpoint option.
- http: filters can now optionally support :ref:`virtual host <envoy_api_field_route.VirtualHost.per_filter_config>`, :ref:`route <envoy_api_field_route.Route.per_filter_config>`, and :ref:`weighted cluster <envoy_api_field_route.WeightedCluster.ClusterWeight.per_filter_config>` local configuration.
- http: added the ability to pass DNS type Subject Alternative Names of the client certificate in the :ref:`config_http_conn_man_headers_x-forwarded-client-cert` header.
- http: local responses to gRPC requests are now sent as trailers-only gRPC responses instead of plain HTTP responses. Notably the HTTP response code is always "200" in this case, and the gRPC error code is carried in "grpc-status" header, optionally accompanied with a text message in "grpc-message" header.
- http: added support for :ref:`via header <envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.via>` append.
- http: added a :ref:`configuration option <envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.skip_xff_append>` to elide x-forwarded-for header modifications.
- http: fixed a bug in inline headers where addCopy and addViaMove didn't add header values when encountering inline headers with multiple instances.
- listeners: added :ref:`tcp_fast_open_queue_length <envoy_api_field_Listener.tcp_fast_open_queue_length>` option.
- listeners: added the ability to match :ref:`FilterChain <envoy_api_msg_listener.FilterChain>` using :ref:`application_protocols <envoy_api_field_listener.FilterChainMatch.application_protocols>` (e.g. ALPN for TLS protocol).
- listeners: sni_domains has been deprecated/renamed to :ref:`server_names <envoy_api_field_listener.FilterChainMatch.server_names>`.
- listeners: removed restriction on all filter chains having identical filters.
- load balancer: added :ref:`weighted round robin <arch_overview_load_balancing_types_round_robin>` support. The round robin scheduler now respects endpoint weights and also has improved fidelity across picks.
- load balancer: :ref:`locality weighted load balancing <arch_overview_load_balancer_subsets>` is now supported.
- load balancer: ability to configure zone aware load balancer settings :ref:`through the API <envoy_api_field_Cluster.CommonLbConfig.zone_aware_lb_config>`.
- load balancer: the :ref:`weighted least request <arch_overview_load_balancing_types_least_request>` load balancing algorithm has been improved to have better balance when operating in weighted mode.
- logger: added the ability to optionally set the log format via the :option:`--log-format` option.
- logger: all :ref:`logging levels <operations_admin_interface_logging>` can be configured at run-time: trace debug info warning error critical.
- rbac http filter: a :ref:`role-based access control http filter <config_http_filters_rbac>` has been added.
- router: the behavior of per-try timeouts have changed in the case where a portion of the response has already been proxied downstream when the timeout occurs. Previously, the response would be reset leading to either an HTTP/2 reset or an HTTP/1 closed connection and a partial response. Now, the timeout will be ignored and the response will continue to proxy up to the global request timeout.
- router: changed the behavior of :ref:`source IP routing <envoy_api_field_route.RouteAction.HashPolicy.ConnectionProperties.source_ip>` to ignore the source port.
- router: added an :ref:`prefix_match <envoy_api_field_route.HeaderMatcher.prefix_match>` match type to explicitly match based on the prefix of a header value.
- router: added an :ref:`suffix_match <envoy_api_field_route.HeaderMatcher.suffix_match>` match type to explicitly match based on the suffix of a header value.
- router: added an :ref:`present_match <envoy_api_field_route.HeaderMatcher.present_match>` match type to explicitly match based on a header's presence.
- router: added an :ref:`invert_match <envoy_api_field_route.HeaderMatcher.invert_match>` config option which supports inverting all other match types to match based on headers which are not a desired value.
- router: allow :ref:`cookie routing <envoy_api_msg_route.RouteAction.HashPolicy.Cookie>` to generate session cookies.
- router: added START_TIME as one of supported variables in :ref:`header formatters <config_http_conn_man_headers_custom_request_headers>`.
- router: added a :ref:`max_grpc_timeout <envoy_api_field_route.RouteAction.max_grpc_timeout>` config option to specify the maximum allowable value for timeouts decoded from gRPC header field grpc-timeout.
- router: added a :ref:`configuration option <envoy_api_field_config.filter.http.router.v2.Router.suppress_envoy_headers>` to disable x-envoy- header generation.
- router: added 'unavailable' to the retriable gRPC status codes that can be specified through :ref:`x-envoy-retry-grpc-on <config_http_filters_router_x-envoy-retry-grpc-on>`.
- sockets: added :ref:`tap transport socket extension <operations_traffic_tapping>` to support recording plain text traffic and PCAP generation.
- sockets: added IP_FREEBIND socket option support for :ref:`listeners <envoy_api_field_Listener.freebind>` and upstream connections via :ref:`cluster manager wide <envoy_api_field_config.bootstrap.v2.ClusterManager.upstream_bind_config>` and :ref:`cluster specific <envoy_api_field_Cluster.upstream_bind_config>` options.
- sockets: added IP_TRANSPARENT socket option support for :ref:`listeners <envoy_api_field_Listener.transparent>`.
- sockets: added SO_KEEPALIVE socket option for upstream connections :ref:`per cluster <envoy_api_field_Cluster.upstream_connection_options>`.
- stats: added support for histograms.
- stats: added :ref:`option to configure the statsd prefix<envoy_api_field_config.metrics.v2.StatsdSink.prefix>`.
- stats: updated stats sink interface to flush through a single call.
- tls: added support for :ref:`verify_certificate_spki <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`.
- tls: added support for multiple :ref:`verify_certificate_hash <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` values.
- tls: added support for using :ref:`verify_certificate_spki <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` and :ref:`verify_certificate_hash <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` without :ref:`trusted_ca <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
- tls: added support for allowing expired certificates with :ref:`allow_expired_certificate <envoy_api_field_auth.CertificateValidationContext.allow_expired_certificate>`.
- tls: added support for :ref:`renegotiation <envoy_api_field_auth.UpstreamTlsContext.allow_renegotiation>` when acting as a client.
- tls: removed support for legacy SHA-2 CBC cipher suites.
- tracing: the sampling decision is now delegated to the tracers, allowing the tracer to decide when and if to use it. For example, if the :ref:`x-b3-sampled <config_http_conn_man_headers_x-b3-sampled>` header is supplied with the client request, its value will override any sampling decision made by the Envoy proxy.
- websocket: support configuring idle_timeout and max_connect_attempts.
- upstream: added support for host override for a request in :ref:`Original destination host request header <arch_overview_load_balancing_types_original_destination_request_header>`.
- header to metadata: added :ref:`HTTP Header to Metadata filter<config_http_filters_header_to_metadata>`.
- Admin mutations should be sent as POSTs rather than GETs. HTTP GETs will result in an error status code and will not have their intended effect. Prior to 1.7, GETs can be used for admin mutations, but a warning is logged.
- Rate limit service configuration via the cluster_name field is deprecated. Use grpc_service instead.
- gRPC service configuration via the cluster_names field in ApiConfigSource is deprecated. Use grpc_services instead. Prior to 1.7, a warning is logged.
- Redis health checker configuration via the redis_health_check field in HealthCheck is deprecated. Use custom_health_check with name envoy.health_checkers.redis instead. Prior to 1.7, redis_health_check can be used, but warning is logged.
- SAN is replaced by URI in the x-forwarded-client-cert header.
- The endpoint field in the http health check filter is deprecated in favor of the headers field where one can specify HeaderMatch objects to match on.
- The sni_domains field in the filter chain match was deprecated/renamed to server_names.