apache · cmcfarlen · Apr 6, 2026
diff --git a/doc/release-notes/whats-new.en.rst b/doc/release-notes/whats-new.en.rst
@@ -20,6 +20,254 @@
 .. _whats_new:
 
 
+What's New in ATS v10.2
+=======================
+
+Header Rewrite & HRW4U
+----------------------
+
+* HRW4U: A new DSL for ``header_rewrite`` configuration that provides a more
+  conventional and readable syntax. Includes a compiler that translates HRW4U
+  into native header_rewrite rules, and ``u4wrh``, an inverse tool that
+  converts existing header_rewrite rules back to HRW4U syntax.
+* header_rewrite: Add partial string matching modifiers: ``[PRE]``, ``[SUF]``,
+  ``[MID]``, ``[EXT]``
+* header_rewrite: Add ``SETS`` for matching against a set of values, with
+  support for quoted strings containing commas
+* header_rewrite: Add ``elif`` support in ``if-elif-else`` conditionals
+* header_rewrite: Add support for nested ``if`` conditionals
+* header_rewrite: Add ``set-effective-address`` operator to set the client's
+  effective (verified) address
+* header_rewrite: Add ``set-cc-alg`` operator to set the congestion control
+  algorithm per remap
+* header_rewrite: Add ``SERVER-HEADER`` and ``SERVER-URL`` conditions
+* header_rewrite: Add indexed query parameter conditions
+* header_rewrite: Add optional ``--timezone`` and ``--inbound-ip-source``
+  plugin load switches
+
+Plugins
+-------
+
+* New plugin: ``filter_body`` for request/response body content inspection
+  with configurable pattern matching and actions (log, block, add_header)
+* New plugin: ``real-ip`` with ``TSHttpTxnVerifiedAddrSet/Get`` API for
+  verified client IP address management
+* compress: Full Zstandard (zstd) compression support with new
+  ``proxy.config.http.normalize_ae`` modes 4 and 5
+* compress: Add ``content_type_ignore_parameters`` option to match
+  Content-Type patterns ignoring charset parameters
+* compress: Add option to not compress partial objects
+* escalate: Add ``x-escalate-redirect`` header indicator when escalation
+  occurs (disable via ``--no-redirect-header``)
+* escalate: Add ``--escalate-non-get-methods`` to enable escalation of
+  non-GET requests
+* xdebug: Add ``probe-full-json`` feature for complete JSON diagnostic
+  output
+* ESI: Add ``--allowed-response-codes`` for response code filtering
+* stats_over_http: Add ``HINT`` and ``TYPE`` Prometheus annotations with
+  metric type information
+* lua: Add support for Unix socket incoming connections
+* lua: Add proxy protocol information access API
+* lua: Add verified address get/set API
+* lua: Add certificate information retrieval (subject, issuer, serial,
+  SANs, etc.)
+* lua: Add connection exempt list API support
+* cookie_remap: Add ``disable_pristine_host_hdr`` configuration parameter
+* ja3_fingerprint/ja4_fingerprint: Add ``x-ja3-via`` and ``x-ja4-via``
+  headers for multi-proxy fingerprint attribution
+* slice/cache_range_requests: Avoid subsequent IMS requests by using
+  identifier-based freshness checking
+* origin_server_auth: Exclude hop-by-hop headers from AWS v4 signature
+  calculation
+* ``prscs``: New log field for proxy response status code setter, identifying
+  which component (plugin, ip_allow, etc.) set the response status
+
+Cripts
+------
+
+* Add Cache Groups concepts for cache routing
+* Add Geo APIs to the ``cripts::IP`` object for geographic lookups
+* Refactor cache key / URL APIs with cleaner abstractions
+* Add ``connection_exempt_list.cript`` for per-client connection max
+  exempt list management
+* Build system support for pre-compiled cripts via ``add_cript`` in
+  CMakeLists.txt
+
+Cache
+-----
+
+* Implement RFC 9213 Targeted HTTP Cache Control (e.g.,
+  ``CDN-Cache-Control``) via configurable
+  :ts:cv:`proxy.config.http.cache.targeted_cache_control_headers`
+* Cache volumes: Add RAM cache settings and ``@volume=`` remap option in
+  ``volume.config``
+* Add parallel directory entry sync options for faster cache sync with
+  configurable parallelism
+* Add fail action 6: fallback to serving stale content when retry attempts
+  are exhausted
+* 9.2/10.x cache key compatibility mode for seamless upgrades without
+  cache invalidation
+
+TLS/SSL
+-------
+
+* Add per-curve/group TLS handshake time metrics
+* Add server-side TLS handshake milestones
+  (``TS_MILESTONE_SERVER_TLS_HANDSHAKE_START/END``)
+* Add ``cqssrt`` log field for TLS resumption type (none, session cache,
+  or ticket)
+* Dynamic TLS group discovery via ``SSL_CTX_get0_implemented_groups``
+  including KEM groups (X25519MLKEM768, SecP256r1MLKEM768)
+* Parallel SSL certificate loading support
+* sni.yaml: Add session ticket override support
+
+Metrics
+-------
+
+* Add ``per_server.connection`` metrics (total, active, blocked connections)
+  with configurable match rules and metric prefix
+* Add ``proxy.process.cache.stripe.lock_contention`` and
+  ``proxy.process.cache.writer.lock_contention`` metrics
+* Add ``proxy.process.http.000_responses`` metric for responses where no
+  valid status code was sent
+* Add ``proxy.process.http.429_responses`` metric for rate-limiting
+  monitoring
+* ``proxy.process.http.incoming_requests`` now counted at transaction start
+  to include all requests including early errors and redirects
+* RAM cache stats updates: counters for all memory cache types and
+  aggregation buffer hits
+
+Logging
+-------
+
+* SnowflakeID: Add organizationally unique 64-bit identifiers for
+  connections, with ``psfid`` log field
+* Add ``chiv`` log field from real-ip plugin for verified client IP
+* Add ``mstsms`` log field for all milestone timing as a single CSV field
+* Add support for ``PP2_SUBTYPE_SSL_CIPHER`` and ``PP2_SUBTYPE_SSL_VERSION``
+  proxy protocol fields in logging
+* Add backtrace information to crash logs with 10-second collection timeout
+* Fix ``msdms`` log fields to emit ``-`` instead of ``-1`` for unset
+  milestones
+* Fix ``UA_BEGIN_WRITE`` milestone to be set unconditionally
+* Fix ``difference_msec()`` epoch leak when start milestone is unset
+* Fix Transfer-Encoding:chunked log field preservation
+* Fix log field type for ``cqpv`` and ``sqpv``
+* Rename slow log field ``tls_handshake`` to ``ua_tls_handshake`` and add
+  ``server_tls_handshake`` field
+
+Configuration
+-------------
+
+* :ts:cv:`proxy.config.http.negative_caching_list` and
+  :ts:cv:`proxy.config.http.negative_revalidating_list` are now overridable
+  per-remap via ``conf_remap``
+* Add retry connect with exponential backoff via
+  ``proxy.config.http.connect_attempts_retry_backoff_base``
+* Add IP address source setting for ACL with proxy protocol
+* Add ``proxy.config.http.per_client.connection.exempt_list`` to exempt
+  specific IP addresses from per-client connection limits
+* Automatic caching of parsed STRING config values for overridable configs,
+  improving performance when plugins call ``TSHttpTxnConfigStringSet()``
+
+Tools
+-----
+
+* traffic_ctl: Add ``hostdb status`` command to dump HostDB records and
+  health state, with hostname filtering
+* traffic_ctl: Add ``config reset`` command to reset configuration records
+  to defaults
+* traffic_ctl: Add ``--append`` option for ``server debug`` to append debug
+  tags instead of replacing them
+* traffic_grapher: New real-time metrics visualization tool with multi-host
+  comparison, keyboard navigation, and iTerm2 inline image support
+* ArgParser: Add mutually exclusive option groups and option dependencies
+* Migrate from Pipenv to uv for autest Python environment management
+
+TS API
+------
+
+* Add ``TSHttpTxnVerifiedAddrSet/Get`` for verified client IP address
+  management (used by the new real-ip plugin)
+* Add ``TSHttpTxnNextHopStrategySet/Get`` and related APIs for Next Hop
+  Strategy rebind during a transaction
+* Add ``TSConnectionLimitExemptListSet/Add/Clear`` APIs for per-client
+  connection exempt list management
+
+Parent Selection
+----------------
+
+* Configurable hash algorithm (SipHash-2-4/SipHash-1-3), seeds, and
+  replica count for consistent hash parent selection, available globally
+  in ``records.yaml``, per-rule in ``parent.config``, and per-strategy in
+  ``strategies.yaml``
+* Add ``host_override`` in ``parent.config`` for SNI name handling when
+  using another CDN as parent
+
+HTTP Protocol
+-------------
+
+* Remap: Add ``http+unix`` scheme support for Unix Domain Socket matching
+* Warn on shadow remap rules when an existing rule shadows an inserted one
+* Return 400 on chunk parse errors
+* Reject malformed Host header ports
+
+Performance
+-----------
+
+* HuffmanCodec with LiteSpeed implementation for HTTP/2, addressing huffman
+  decode performance hot spots
+* Reduce ``ink_get_hrtime`` calls in the event loop with configurable update
+  frequency
+* Optimize ``ts::Random`` by reusing distribution objects (~7% improvement)
+* remap_acl autest speedup via config reload (7 min to 2 min)
+* Speed up day/month header parsing (~10x faster via integer packing)
+
+Infrastructure
+--------------
+
+* Complete PCRE to PCRE2 migration across all plugins and core code
+* USDT tracepoints: connection fd tracking (origin pool, session
+  attachment, readiness polling), HTTP result codes in
+  ``milestone_sm_finish``, cache directory insert/delete
+* Catch2 updated to v3.9.1 with library model and FetchContent
+* ATSReplayTest: new autest extension for writing tests via replay.yaml
+  files
+
+Notable Bug Fixes
+-----------------
+
+* Fix NetAcceptAction::cancel() use-after-free race condition between
+  cancel and acceptEvent threads
+* Fix DbgCtl use-after-free shutdown crash via leaky singleton pattern
+* Fix DenseThreadId static destruction order fiasco causing crashes on
+  CentOS
+* Fix LoadedPlugins::remove crash during static destruction when
+  EThreads are already gone
+* Fix HttpSM::tunnel_handler crash on unhandled VC events
+  (VC_EVENT_ACTIVE_TIMEOUT, VC_EVENT_ERROR, VC_EVENT_EOS)
+* Fix possible crashes on OCSP request timeout from null pointer
+  dereference
+* Fix cache retry assertion on TSHttpTxnServerAddrSet when re-entering
+  cache miss path
+* Fix origins unintentionally marked as down when using server session
+  reuse
+* Fix negative_caching_lifetime being overridden by ttl-in-cache for
+  negative responses
+* Fix s-maxage not respected with Authorization headers per RFC 7234
+* Fix malformed Cache-Control directives (semicolons instead of commas)
+  now properly ignored per RFC 7234
+* Fix 100 Continue with transform skip_bytes issue causing assertion
+  failure when compress plugin is active
+* Fix cache directory corruption in parallel dir sync where stripe index
+  advanced during multi-step AIO writes
+* Fix request buffering with post_copy_size=0 causing POST failures
+* Fix 1xx race in build_response where 103 Early Hints tunnel completion
+  overlapped with final response
+* Fix HTTPHdr host cache invalidation when Host header is modified via
+  MIME layer, preventing SNI warnings with garbage characters
+
+
 What's New in ATS v10.1
 =======================