Apache Traffic Control - Current Release

Apache Traffic Control 4.1.0 - June 17th, 2020

Apache Traffic Control 4.1.0 is available here:

Release Notes

New Features

  • Added support for Let's Encrypt
  • Support for ATS Slice plugin in Traffic Ops, including new Delivery Service Raw Remap __RANGE_DIRECTIVE__ directive
  • Ability to enable EDNS0 client subnet at the delivery service level
  • New IPv6 changes:
    • Traffic Portal and Traffic Ops now accept IPv6-only servers
    • Traffic Monitor now polls caches over IPv6 in addition to IPv4, separating the availability status of each (make sure to update the allow_ip6 profile parameter to include the IPv6 addresses of your Traffic Monitors, otherwise they will fail to poll over IPv6 and consider those caches to be unavailable over IPv6)
    • Traffic Router will route IPv4 clients to caches with IPv4 availability and route IPv6 clients to caches with IPv6 availability
  • Traffic Router DNSSEC zone diffing performance enhancement
  • Traffic Monitor optimistic quorum
  • Traffic Ops API 2.0. This new major API version contains several new routes but does not contain many deprecated routes from API 1.x (which will be available until the ATC 5.0 release). API clients should begin migrating to API 2.0 as soon as possible. For the full lists of new or deprecated routes, please see the changelog.
  • Ability to choose the TLS version used for Traffic Ops to make requests to Traffic Vault. Note: the default is now TLSv1.1, which may require configuration changes to Riak. See Enabling TLS 1.1

Bug Fixes

  • This release contains many new bug fixes. For the full list, please see the changelog.


  • The Traffic Ops db/admin.pl script has now been removed. Please use the db/admin binary instead.
  • Removed from Traffic Portal the ability to view cache server config files as the contents are no longer reliable through the TO API due to the introduction of atstccfg.
  • Traffic Ops Python client no longer supports Python 2.

Signing Keys

It is essential that you verify the integrity of the downloaded files using the PGP or MD5 signatures.

The PGP signatures can be verified using PGP or GPG. First download the KEYS as well as the `ASC` signature file for the relevant distribution. Make sure you get these files from the main distribution directory, rather than from a mirror. Then verify the signatures using:

% pgpk -a KEYS % pgpv apache-trafficcontrol-4.1.0.tar.gz.asc


% pgp -ka KEYS
% pgp apache-trafficcontrol-4.1.0.tar.gz.asc


% gpg --import KEYS
% gpg --verify apache-trafficcontrol-4.1.0.tar.gz.asc apache-trafficcontrol-4.1.0.tar.gz

$ gpg --verify apache-trafficcontrol-4.1.0.tar.gz.asc apache-trafficcontrol-4.1.0.tar.gz
gpg: Signature made Tue Feb 11 09:38:30 2020 MST
gpg:                using RSA key BF4A8D7307B8EEC7BFB4D8CB8A0712500C70C06E
gpg: Good signature from "Rawlin Peters (apache signing key) " [ultimate]

Additionally, you should verify the SHA signature on the files. A unix program called `sha` or `shasum` is included in many unix distributions. It is also available as part of GNU Textutils. An MD5 signature (deprecated) consists of 32 hex characters, and a SHA512 signature consists of 128 hex characters. Ensure your generated signature string matches the signature string published in the files above.

Past Releases

Apache Traffic Control 4.0.0 - March 26th, 2020

Apache Traffic Control 4.0.0 is available here:

Release Notes

Traffic Ops

  • Server Capabilities: server capabilities can now be created and assigned to servers. Delivery services can now require certain server capabilities, and servers that lack the required capabilities will not serve those delivery services. As as an example, by default, MID caches will serve all delivery services in a given CDN, but this feature can be used to allow a only a subset of MID caches to serve certain delivery services (based on the server capabilities assigned to the MID caches and required by the delivery services). See the blueprint
  • Certificate deletion upon delivery service deletion: Snapshotting the CRConfig now deletes HTTPS certificates in Riak for delivery services which have been deleted in Traffic Ops.
  • SSO login using OAuth: Traffic Ops now provides the ability to login using an OAuth provider, and this functionality is now integrated in Traffic Portal. A field is added to cdn.conf to configure whitelisted URLs for Json Key Set URL returned from OAuth provider. Added fields to traffic_portal_properties.json to configure SSO through OAuth for Traffic Portal.
  • API rewrite from Perl to Go: A large number of API endpoints were rewritten from Perl to Go
  • API Routing Blacklist: via the routing_blacklist field in cdn.conf, enable certain whitelisted Go routes to be handled by Perl instead (via the perl_routes list) in case a regression is found in the Go handler, and explicitly disable any routes via the disabled_routes list. Requests to disabled routes are immediately given a 503 response. Both fields are lists of Route IDs, and route information (ID, version, method, path, and whether or not it can bypass to Perl) can be found by running ./traffic_ops_golang --api-routes. To disable a route or have it bypassed to Perl, find its Route ID using the previous command and put it in the disabled_routes or perl_routes list, respectively.
  • Regional Geo-blocking for steering delivery services: Regional Geo-blocking is now supported for steering-based delivery services
  • Added pagination support to some Traffic Ops endpoints via three new query parameters, limit and offset/page
  • Traffic Ops now supports a "sortOrder" query parameter on some endpoints to return API responses in descending order
  • Traffic Ops now uses a consistent format for audit logs across all Go endpoints
  • Added an optional SMTP server configuration to the TO configuration file, api now has ability to send emails
  • To support reusing a single riak cluster connection, an optional parameter is added to riak.conf: "HealthCheckInterval". This options takes a 'Duration' value (ie: 10s, 5m) which affects how often the riak cluster is health checked. Default is currently set to: "HealthCheckInterval": "5s".
  • Fixed a regression where the Expires cookie header was not being set properly in responses. Also, added the Max-Age cookie header in responses.
  • Fixed issue #3497: TO API clients that don't specify the latest minor version will overwrite/default any fields introduced in later versions
  • Fixed issue #3587: Fixed Traffic Ops Golang reverse proxy and Riak logs to be consistent with the format of other error logs.
  • Database migrations have been collapsed. Rollbacks to 3.1 and earlier migrations are no longer possible. As always, backup your database before upgrading.


  • The TO API /cachegroup_fallbacks endpoint is now deprecated. That functionality was added to the /cachegroups API.
  • The db/admin.pl script is now deprecated. There is a new Go db/admin binary to replace the Perl db/admin.pl script, which will be removed in a future release. The new db/admin binary is essentially a drop-in replacement for db/admin.pl since it supports all of the same commands and options; therefore, it should be used in place of db/admin.pl for all the same tasks.

Breaking Changes

  • The deprecated Traffic Ops UI has been removed in favor of the Traffic Portal UI
  • The location of the Traffic Ops influxdb.conf config file has changed from traffic_ops/app/conf/production/influxdb.conf to traffic_ops/app/conf/influxdb.conf. Please move any existing influxdb.conf to the new location.
  • The /api/1.1/osversions endpoint (used for ISO generation) now expects the Perl osversions.cfg configuration file to be JSON. Added a traffic_ops/app/bin/osversions-convert.pl script to convert the osversions.cfg file from Perl to JSON as part of the /osversions endpoint rewrite.
  • traffic_ops/app/bin/checks/ToDnssecRefresh.pl now requires "user" and "pass" parameters of an operations-level user! Update your scripts accordingly! This was necessary to move to an API endpoint with proper authentication, which may be safely exposed.

Traffic Router

  • Consistent Hash Query Parameters: Traffic Ops now allows HTTP delivery services to have a set of query parameter keys to be retained for consistent hash generation by Traffic Router. This should be used for query parameters that produce unique content from the origin. For example, if the paths /foo?a=1 and /foo?a=2 each return unique content, you should add a to the list of consistent hash query parameters for that delivery service. This allows clients to be routed to edges for that content more efficiently.
  • Client Steering Forced Diversity: force Traffic Router to return more unique edge caches in CLIENT_STEERING results instead of the default behavior which can sometimes return a result of multiple targets using the same edge cache. In the case of edge cache failures, this feature will give clients a chance to retry a different edge cache. This can be enabled with the new client.steering.forced.diversity Traffic Router profile parameter.
  • Tunable bounded queue to support DNS request processing.
  • Default Certificate: TR now generates a self-signed certificate at startup and uses it as the default TLS cert. The default certificate is used whenever a client attempts an SSL handshake for an SNI host which does not match any of the other certificates.
  • TLS certificate validation on certificates imported from Traffic Ops:
    • validates modulus of private and public keys
    • validates current timestamp falls within the certificate date bracket
    • validates certificate subjects against the DS URL
  • Fixed a bug which would cause REFUSED DNS answers if the zone priming execution did not complete within the configured zonemanager.init.timeout period.
  • Fixed issue #2821: Traffic Router may choose wrong certificate when SNI names overlap
  • Modified Traffic Router logging format to include an additional field for DNS log entries, namely rhi. This defaults to '-' and is only used when EDNS0 client subnet extensions are enabled and a client subnet is present in the request. When enabled and a subnet is present, the subnet appears in the chi field and the resolver address is in the rhi field.
  • Fixed issue #3476: Traffic Router returns partial result for CLIENT_STEERING Delivery Services when Regional Geoblocking or Anonymous Blocking is enabled.
  • Modified Traffic Router API to be available via HTTPS.

Traffic Portal

  • Added a context menu in place of the "Actions" column from the following tables in Traffic Portal: cache group tables, CDN tables, delivery service tables, parameter tables, profile tables, server tables.
  • Removed the need to specify line breaks using __RETURN__ in delivery service edge/mid header rewrite rules, regex remap expressions, raw remap text and traffic router additional request/response headers.
  • Provided the ability to clone delivery service assignments from one cache to another cache of the same type. Issue #2963.
  • Delivery service table columns can now be rearranged and their visibility toggled on/off as desired by the user. Hidden table columns are excluded from the table search. These settings are persisted in the browser.
  • Server table columns can now be rearranged and their visibility toggled on/off as desired by the user. Hidden table columns are excluded from the table search. These settings are persisted in the browser.
  • All tables now include a 'CSV' link to enable the export of table data in CSV format.
  • Fixed issue #3275: Improved the snapshot diff performance and experience.
  • Disabled TLSv1
  • The "Clone Delivery Service Assignments" menu item is now hidden on a cache when the cache has zero delivery service assignments to clone.
  • Users with a specified role now have the ability to mark any delivery service request as complete.
  • Improved profile comparison view in Traffic Portal.


  • Cache-side ATS config generation: Added cache-side config generator, atstccfg, installed with ORT. Includes all configs. Includes a plugin system.
  • Fixed ATS config generation to omit regex remap, header rewrite, URL Sig, and URI Signing files for delivery services not assigned to that server.
  • Changed traffic_ops_ort.pl so that hdr_rw-.config files are compared with strict ordering and line duplication when detecting configuration changes.
  • Fix to traffic_ops_ort.pl to strip specific comment lines before checking if a file has changed. Also promoted a changed file message from DEBUG to ERROR for report mode.
  • ANYMAP override: in traffic_ops_ort.pl added the ability to handle ##OVERRIDE## delivery service ANY_MAP raw remap text to replace and comment out a base delivery service remap rules. Note: this is a temporary feature and may be replaced in the future.

Traffic Monitor

  • Traffic Monitor now has "gbps" calculated stat, allowing operators to monitor bandwidth in Gbps.
  • Added monitoring.json snapshotting. This stores the monitoring json in the same TO database table as the crconfig snapshot. Snapshotting is now required in order to push out monitoring changes.
  • UI updated to support HTTP or HTTPS traffic.
  • health/stat time now includes full body download (like prior TM <=2.1 version)
  • Issue #3605: Fixed Traffic Monitor custom ports in health polling URL.
  • Issue #3646: Fixed Traffic Monitor Thresholds.