nevisProxy migration guide from LTS24 to LTS26
Before starting the migration process, review the following additions and changes, and consider if they have an impact on your use case.
You should first eliminate most deprecation notices in the logs of your existing setup. This will facilitate the transition to LTS26 and eventually to RR and subsequent LTS. A deprecation notice looks like this in the navajo log:
03:39:44.317 7.2511.1.2 <the related tracegroup> 03241.139830376855296.000ca9-17082275843162036-18dba4c613c 5-NOTICE: DEPRECATED: <here you have more information>. The deprecated value will be removed in the next major release: 8.x
You can also set the bc property ch.nevis.ErrorOnDeprecated to true. In that case, using deprecated configuration values results in an error (error code CONF-0001): either the proxy does not start, or the filter or servlet using the deprecated value does not work and the request is blocked.
In Appendix H (Deprecation List) you can get more information on what has been deprecated and how it has been replaced.
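Before switching ch.nevis.ErrorOnDeprecated on, it helps to know how many distinct deprecated values your existing setup still logs. The following scanner is an added example (not part of this guide or of nevisProxy); it parses notices of the shape shown above and reports each distinct deprecation once, with its count. The sample log lines, their tracegroups, ids and deprecation details are constructed for the demo.

```python
import re
from collections import Counter

# Shape of a deprecation notice as shown in this guide:
#   <time> <version> <tracegroup> <ids> <level>: DEPRECATED: <details>. The deprecated
#   value will be removed in the next major release: <release>
DEPRECATION_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<version>\S+)\s+(?P<tracegroup>\S+)\s+(?P<ids>\S+)\s+"
    r"(?P<level>\d+-[A-Z]+):\s+DEPRECATED:\s+(?P<details>.+?)\.?\s+"
    r"The deprecated value will be removed in the next major release:\s*(?P<release>\S+)\s*$"
)

# Constructed sample navajo log lines (not real output); tracegroups, ids and the
# deprecation details are invented for the demo.
SAMPLE_LOG = """\
03:39:44.317 7.2511.1.2 ConfigTrace 03241.139830376855296.000ca9-17082275843162036-18dba4c613c 5-NOTICE: DEPRECATED: parameter ReadLineSize of InputValidationFilter. The deprecated value will be removed in the next major release: 8.x
03:39:44.318 7.2511.1.2 ConfigTrace 03241.139830376855296.000ca9-17082275843162037-18dba4c613c 5-NOTICE: DEPRECATED: attribute DocumentRoot in navajo.xml. The deprecated value will be removed in the next major release: 8.x
03:39:45.001 7.2511.1.2 HttpTrace 03241.139830376855296.000caa-17082275843162038-18dba4c613d 5-NOTICE: request processed
03:39:46.200 7.2511.1.2 ConfigTrace 03241.139830376855296.000cab-17082275843162039-18dba4c613e 5-NOTICE: DEPRECATED: parameter ReadLineSize of InputValidationFilter. The deprecated value will be removed in the next major release: 8.x
"""


def parse_deprecation(line):
    """Return the parsed fields of a deprecation notice, or None for any other log line."""
    match = DEPRECATION_RE.match(line.rstrip("\n"))
    return match.groupdict() if match else None


def find_deprecations(log_text):
    """All deprecation notices in a log, in file order."""
    return [d for d in (parse_deprecation(l) for l in log_text.splitlines()) if d]


def summarize(log_text):
    """Distinct deprecation details with how often each was logged.

    Each distinct entry is one configuration item to fix before the migration;
    the count only tells you how noisy it is."""
    return dict(Counter(d["details"] for d in find_deprecations(log_text)))


def is_clean(log_text):
    """True when the log carries no deprecation notice, i.e. nothing that
    ch.nevis.ErrorOnDeprecated=true would turn into a CONF-0001 error."""
    return not find_deprecations(log_text)


if __name__ == "__main__":
    for details, count in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{count:4d}  {details}")
    print("clean:", is_clean(SAMPLE_LOG))
```

Run it over the navajo log of the LTS24 instance (for example by reading the file into `summarize`); once `is_clean` holds for a representative period of traffic, enabling ch.nevis.ErrorOnDeprecated on a test instance is a cheap way to confirm that no deprecated value was missed.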
What’s new
Here is a list of the most important new features:
- We made major improvements to the OpenTelemetry configuration.
- The Lua JWT handler now supports token verification using a JWK key.
- The DeflateFilter and InflateFilter now support the most common compression algorithms (brotli, gzip, deflate).
- We now support RFC 7512-conformant PKCS#11 URLs for Securosys.
- We added the QosFilter.
- We improved the LoadBalancerServlet.
- We added the Http2Servlet for gRPC support.
What has changed
Here is a list of the most important changes. Also read the release notes for more details:
- The following unique key to the MariaDB based dynamic session management has to be added:
alter table attribute add constraint uc_id_name unique (ID, NAME);
- Before adding the unique key be sure that all instances using this database have been upgraded to the latest RR.
- The command may fail if there are duplicated attributes. In that case you have to retry later. We recommend adding this key while the load is low.
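The unique key fails exactly when the table still contains duplicated (ID, NAME) pairs, so it is worth checking for them before running the ALTER TABLE and again before each retry. The following is an added example, not part of this guide or of nevisProxy: the duplicate check is standard SQL that runs unchanged on MariaDB, while the demo executes it offline against an in-memory SQLite table whose columns (apart from ID and NAME, which the guide's statement names) are invented. Because SQLite has no ADD CONSTRAINT, a unique index stands in for the MariaDB statement; that its failure on duplicates mirrors MariaDB's is an assumption of the demo.

```python
import sqlite3

# Standard SQL: (ID, NAME) pairs that occur more than once would make the unique
# key fail. This statement runs unchanged on MariaDB.
DUPLICATE_CHECK_SQL = """
SELECT ID, NAME, COUNT(*) AS occurrences
FROM attribute
GROUP BY ID, NAME
HAVING COUNT(*) > 1
ORDER BY ID, NAME
"""

# The statement from the guide, for MariaDB.
MARIADB_ADD_UNIQUE_SQL = "alter table attribute add constraint uc_id_name unique (ID, NAME);"

# SQLite has no ADD CONSTRAINT; a unique index is the stand-in used to run the demo
# offline (assumption: it is rejected on duplicate data just like the MariaDB key).
SQLITE_ADD_UNIQUE_SQL = "CREATE UNIQUE INDEX uc_id_name ON attribute (ID, NAME)"


def make_sample_db():
    """Constructed sample: a minimal attribute table (VALUE column and rows invented)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE attribute (ID TEXT NOT NULL, NAME TEXT NOT NULL, VALUE TEXT)")
    conn.executemany("INSERT INTO attribute VALUES (?, ?, ?)", [
        ("sess-0001", "userid", "alice"),
        ("sess-0001", "roles", "admin"),
        ("sess-0002", "userid", "bob"),
        ("sess-0002", "userid", "bob"),  # duplicate pair, as a not-yet-upgraded instance might write it
    ])
    conn.commit()
    return conn


def find_duplicates(conn):
    """Rows that block the unique key: list of (ID, NAME, occurrences)."""
    return conn.execute(DUPLICATE_CHECK_SQL).fetchall()


def try_add_unique_key(conn, statement=SQLITE_ADD_UNIQUE_SQL):
    """Run the unique-key statement; True on success, False if duplicates reject it.
    A failed attempt leaves the schema unchanged, so it can simply be retried later."""
    try:
        conn.execute(statement)
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        conn.rollback()
        return False


def simulate_duplicates_cleared(conn):
    """Demo only: removes the surplus copies to stand in for the duplicated entries
    disappearing over time. On the real database you wait and retry instead."""
    conn.execute(
        "DELETE FROM attribute WHERE rowid NOT IN "
        "(SELECT MIN(rowid) FROM attribute GROUP BY ID, NAME)"
    )
    conn.commit()


if __name__ == "__main__":
    db = make_sample_db()
    print("duplicates before:", find_duplicates(db))
    print("unique key added:", try_add_unique_key(db))  # False while duplicates exist
    simulate_duplicates_cleared(db)
    print("unique key added on retry:", try_add_unique_key(db))
```

On MariaDB, run DUPLICATE_CHECK_SQL with your usual client; an empty result means the ALTER TABLE from the guide can be applied now, and a non-empty one tells you which session entries are still in the way.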
For nevisProxy to run correctly on SLES15, you need at least SP6.
The Apache config generation has changed when multiple hosts are defined in navajo.xml. The virtual hosts of the default host are now moved to the beginning. In the old config generation, the order of the virtual hosts was defined by the order of the connectors.
The XmlFilter now checks the content against the configured XSD schema (if any). If the content doesn't match the schema, or a schema is missing, the request is blocked. To switch back to the old behaviour, set the parameter ValidateSchema to false.
The handling of PKCS#11 certificates and URLs has changed. Read the chapter Setup the Securosys HSM or CloudHSM for more information.
If you have a Securosys HSM or any other PKCS#11-based HSM configured, add SSLCryptoDevice="pkcs11" to the Service section of navajo.xml.
If you have a PKCS#11-based HSM configured, add OPENSSL_ENGINES=/opt/nevisproxy/lib/engines and export OPENSSL_ENGINES to your env.conf file.
Due to the upgrade of the OpenTelemetry library, the name of the deployment environment variable has changed from deployment.environment to deployment.environment.name, and all metrics data coming from nevisProxy is now sent as Histogram instead of UpDownCounter.
In NProxyOP and NavajoOP tracing we now trace the number of bytes received by the frontend (bRF in NProxyOP, bF in NavajoOP). You might have to adapt any scripts that parse these log lines.
Due to the refactoring of the RewriteFilter, the following parameters behave differently if a condition is set:
- RequestURL
- RequestURI
- RequestHeader
- ResponseHeader
If a Condition is followed by several rules, wrap them with Pragma: block-begin / Pragma: block-end to preserve the previous behavior. Without this, only the first rule after the Condition fires conditionally; all subsequent rules always fire. See Conditional parameters and pragmas.
SSLCertificateChainFile has been deprecated by Apache. Therefore nevisProxy merges the file configured as SSLCACertificateFile with the file configured as SSLCertificateChainFile and stores the result in a new file in the /var/opt/nevisproxy/<instance>/run directory. This file is set as SSLCACertificateFile.
Due to the OpenSSL upgrade, RSA keys are now required to be at least 2048 bits long, and certain old ciphers might no longer be usable.
Requests in a Kubernetes setup may now be blocked with the status code 421 ("Misdirected Request") if the ingress is not SNI aware. See also https://bz.apache.org/bugzilla/show_bug.cgi?id=69743. In that case you can weaken the protection via the new parameter SSLVHostSNIPolicy in navajo.xml. We recommend doing this only if your entrypoint itself is protected against CVE-2025-23048.
The CompressionWindowSize parameter of the DeflateFilter no longer accepts positive values.
The new LoadExternalEntity parameter of the SoapFilter defaults to false, which blocks external entity loading. If your setup relied on this, set LoadExternalEntity to true.
The QS_KeepAliveTimeout and QS_MaxKeepAliveRequests dynamic keep-alive settings have been removed from mod_qos. Use QS_KeepAliveEnd instead.
ResourceManager.NoSessionCookie.CookieSecure now defaults to true in the Http[s]ConnectorServlet and WebSocketServlet.
URLMode of the EncryptionFilter now defaults to hmacsha256.
SecureConnection of the IdentityCreationFilter now defaults to true, meaning the filter rejects non-HTTPS requests. Set it to false if the client is allowed to communicate over plain HTTP.
ResourceManager.DisablePing now defaults to true in the HttpConnectorServlet, disabling automatic backend liveness probing. Set it to false explicitly if you rely on the proxy detecting a down backend via pings.
The MaintenanceFilter no longer forwards frontend query parameters to the MaintenanceServlet.
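Several of the changes above are silent: a parameter that your web.xml never mentions simply takes a new default after the upgrade (CookieSecure, SecureConnection, DisablePing, URLMode, LoadExternalEntity, and XML schema validation). The following audit is an added example, not part of this guide or of nevisProxy; it walks a web.xml, identifies each filter or servlet by the last segment of its class name (an assumption about the naming, since the real class names are not shown here) and reports every changed-default parameter that the component does not set explicitly. The sample web.xml and its "example::" class names are constructed placeholders; the new default assumed for ValidateSchema (true) is implied by the guide's advice to set it to false for the old behaviour.

```python
import re
import xml.etree.ElementTree as ET

# Parameters whose default changed in LTS26, keyed by the filter or servlet they
# belong to, with the new effective default, as listed under "What has changed".
# ValidateSchema's new default is implied by the guide (false restores the old behaviour).
CHANGED_DEFAULTS = {
    "XmlFilter": {"ValidateSchema": "true"},
    "SoapFilter": {"LoadExternalEntity": "false"},
    "EncryptionFilter": {"URLMode": "hmacsha256"},
    "IdentityCreationFilter": {"SecureConnection": "true"},
    "HttpConnectorServlet": {
        "ResourceManager.NoSessionCookie.CookieSecure": "true",
        "ResourceManager.DisablePing": "true",
    },
    "HttpsConnectorServlet": {"ResourceManager.NoSessionCookie.CookieSecure": "true"},
    "WebSocketServlet": {"ResourceManager.NoSessionCookie.CookieSecure": "true"},
}

# Constructed web.xml fragment. The filter-class / servlet-class values are
# placeholders ("example::..."), not nevisProxy's real class names.
SAMPLE_WEB_XML = """<web-app>
  <filter>
    <filter-name>IdentityCreation_Default</filter-name>
    <filter-class>example::IdentityCreationFilter</filter-class>
  </filter>
  <filter>
    <filter-name>Encryption_Default</filter-name>
    <filter-class>example::EncryptionFilter</filter-class>
    <init-param>
      <param-name>URLMode</param-name>
      <param-value>hmacsha256</param-value>
    </init-param>
  </filter>
  <servlet>
    <servlet-name>Connector_Backend</servlet-name>
    <servlet-class>example::HttpConnectorServlet</servlet-class>
    <init-param>
      <param-name>ResourceManager.DisablePing</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""


def _local(tag):
    """Tag name without an XML namespace prefix, so namespaced web.xml files work too."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def _short_class(class_name):
    # Assumption: the component type is the last segment of the class name,
    # whether the segments are separated by "::" or ".".
    return re.split(r"::|\.", class_name.strip())[-1]


def audit_changed_defaults(web_xml_text):
    """Findings (component name, component type, parameter, new default) for every
    changed-default parameter that a filter or servlet does not set explicitly."""
    root = ET.fromstring(web_xml_text)
    findings = []
    for kind in ("filter", "servlet"):
        for comp in root.iter():
            if _local(comp.tag) != kind:
                continue
            name = _child_text(comp, f"{kind}-name")
            cls = _short_class(_child_text(comp, f"{kind}-class"))
            explicit = {_child_text(p, "param-name") for p in comp if _local(p.tag) == "init-param"}
            for param, new_default in CHANGED_DEFAULTS.get(cls, {}).items():
                if param not in explicit:
                    findings.append((name, cls, param, new_default))
    return findings


if __name__ == "__main__":
    for name, cls, param, default in audit_changed_defaults(SAMPLE_WEB_XML):
        print(f"{name} ({cls}): {param} not set, now defaults to {default}")
```

A finding is not necessarily a problem: for the security-tightening defaults (CookieSecure, SecureConnection, LoadExternalEntity, schema validation) the new value is usually what you want, and the point of the audit is to make the choice explicit in web.xml rather than inherited, so that a later default change cannot surprise you again. DisablePing is the one to review with operations, since it changes how quickly a down backend is noticed.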
What has been removed
For this release, the nevisProxy software has been cleaned of software elements that were deprecated, undocumented, or unused.
Note that the removed software elements are not only removed from the code, but you will not find them in the reference guide anymore. For more information about these elements, have a look at the reference guides of earlier nevisProxy releases.
The removed elements are:
- REMOVED: We removed the deprecated ReadLineSize of the InputValidationFilter. (NEVISPROXY-7031)
- REMOVED: We removed the undocumented Lua method session:renegotiateCookie(). (NEVISPROXY-7030)
- REMOVED: We removed the deprecated values of the RenewIdentification parameter of IdentityCreationFilter. (NEVISPROXY-7029)
- REMOVED: We removed the deprecated RemoteServlet parameter of the MultiLevelSessionStoreServlet. (NEVISPROXY-7028)
- REMOVED: We removed the deprecated Lua method session:renegotiateSSL(). (NEVISPROXY-7027)
- REMOVED: We removed the deprecated attributes and elements of the navajo_1_0.dtd file. (NEVISPROXY-7026)
- REMOVED: We removed the deprecated values of the InterceptionRedirect parameter of the IdentityCreationFilter. (NEVISPROXY-7022)
- REMOVED: We removed the deprecated parameters in the CacheFilter. (NEVISPROXY-7021)
- REMOVED: We removed the undocumented wwwauthenticate value of RenderingProvider in the LoginRendererServlet. (NEVISPROXY-7017)
- REMOVED: We removed the deprecated parameter AuditLog.Key from the InputValidationFilter. (NEVISPROXY-6966)
- REMOVED: We removed the deprecated TelemetryFilter. (NEVISPROXY-6955)
- REMOVED: We removed the deprecated InsertWrapperFilter. (NEVISPROXY-6682)
- REMOVED: We removed the undocumented SIGPWR signal handling. (NEVISPROXY-6548)
- REMOVED: We removed the deprecated Milestone features from the CSRFFilter. (NEVISPROXY-6508)
- REMOVED: We removed the deprecated values of the AutoRewrite parameter from the HttpConnectorServlet. (NEVISPROXY-6227)
- REMOVED: We removed the deprecated OutboundProxyAuthorization parameter of the HttpConnectorServlet. (NEVISPROXY-6217)
- REMOVED: We removed the deprecated attribute DocumentRoot from navajo.xml. (NEVISPROXY-6068)
- REMOVED: We removed the deprecated memory attributes from navajo.xml. (NEVISPROXY-5993)
- REMOVED: We removed the deprecated DB Node Affinity from the MySQLSessionStoreServlet. (NEVISPROXY-5208)
- REMOVED: We removed the system memory usage tracing. (NEVISPROXY-7209)
- REMOVED: We removed the deprecated ContentType parameters of the EncryptionFilter. (NEVISPROXY-7023)
- REMOVED: We removed the deprecated path attribute in the Context section of navajo.xml. (NEVISPROXY-6059)
- REMOVED: We removed the support of Set-Cookie2 headers. (NEVISPROXY-6449)