Version 7

Version 7.5.0 (2026-04-14)

  • Support for rolling upgrades of VCLGroups. Deploy to one or more agents first and decide when to apply to all. Automatic apply if all deployments succeed. Specify order of upgrade with agent IDs, or use all available agents.
  • Health probes now support a JSON response format, reducing the number of health checks needed.
  • Added a new Score routing rule and sub-decisions. Allows MBPS, Max MBPS and Score updates through the JSON instead of over NATS (see Score Routing example).
  • Support for agent maintenance file to mark agents as stop-routing or resume-routing.
  • Administrators can now impersonate organizations.
  • Support for tag-based compile, deploy and validate commands in vcli (e.g. vcli vg compile --validate tag=prod,sweden:all).
  • ACME DNS validation now retries until the DNS check passes.
  • Gzip compression for API and debug endpoints.
  • Support for MFA.
  • Fixed CIDR IPv6 lookup issue.
  • Fixed premature router certificate deployment.
  • Fixed race conditions with tickers.
  • Security fixes for non-numeric key IDs and timing enumeration.
  • VCL source removed from full controller gather to reduce output size. The per-agent controller gather still includes the source.
  • VCLGroup git include files limit is now set to max 200.
  • vcli vg ls now lists the first 10 include files and shows the rest as “..(n more entries)”. Verbose (-v) mode shows all.
  • Optimized routing configuration generation with better caching and reduced database calls.
  • Optimized deployment updates with preflight SHA checks and lighter VCLGroup loading.
  • Optimized agent deployment verification with lookup tables and pre-compiled templates.
  • Replaced status update mechanism with SHA-based heartbeats to reduce database calls.
  • Router deploy throttling to avoid deploy storms (max every 5 seconds).
  • Added semaphore for concurrent validations to avoid timeouts for large deployments.
  • Optimized agent statistics send/fetch and database inserts for statistics.
  • Updated internal NATS serialization layer and agent/router subject format.
  • Loading of VCLs improved.
  • Removed support for setting VMOD path.
  • Added the ability to compile an unsaved file from the file editor in the UI.
  • Organization is no longer required at sign-in in the UI. Users belonging to multiple organizations now select which organization to use after signing in.
  • Fixed a bug where headers in an invalidation could not contain spaces, when performed through the UI.
  • Built with Go 1.26 and updated dependencies.

Version 7.4.1 (2026-03-13)

  • Invalidations can now be marked with keep so that they are kept and not automatically removed. They can then be re-executed at a later time. Kept invalidations need to be manually removed.
  • Fixed a bug where the permission for purger tokens was missing in the UI.
  • New nats-server, version 2.12.5.

Version 7.4.0 (2026-03-10)

  • Added skipHistoryUtil option to routing rules. When enabled, the router checks endpoint utilization before returning cached history endpoints, skipping fully utilized ones.
  • Added APIPurger template role and basicinvalidationrequest permission, allowing organization-level users to trigger basic cache invalidation without requiring system administrator privileges.
  • Fixed an issue where cache invalidation across multiple domains could fail due to empty responses being incorrectly counted as errors.
  • Built with Go 1.25.8.

Version 7.3.4 (2026-03-05)

  • Improved router memory efficiency by caching and reusing internal resources.
  • Reduced log (WAL) file growth when no statistics retention is configured.
  • Always use TCP to look up CAA records for ACME certificates.
  • Fixed unnecessary deployment checks during auto-deploy that could result in empty deployments.
  • Improved API documentation by adding descriptions to enums in the Swagger documentation.
  • UI: Improved feedback when deploying git-managed VCLGroups with compilation errors.
  • Built with Go 1.25.7.

Version 7.3.3 (2026-02-16)

  • Support for loading a custom VCL for all VCLGroups per agent (see Agent Configuration).
  • Support router maintenance TCP port and file (see Router Configuration).
  • New -git-tag flag for vcli to specify tag to use for deployment (can be used for deploy, compile and validate).
  • Set a default of 15 database connections if no other values were configured before. To go back to the previous default values, set VARNISH_CONTROLLER_DB_MAX_OPEN_CONN and VARNISH_CONTROLLER_DB_MAX_IDLE_CONN to 0.
  • Fixed a bug where large CAA DNS responses would not be parsed properly for ACME certificates.
  • Fixed a bug where EAB was required for ACME but not showing in the UI.
  • Added documentation to the VCLI on random agent for ACME requests.
  • Increased ACME logging for certificate renewal.
  • Fixed a memory leak in the traffic router when the history routing rule was used after a GRPC plugin. History is now cleared upon removal of the history rule from the routing rule set.
  • Add support to see the number of objects purged with y-key and regular purges (see Invalidations).
  • Add support to auto-remove agents and routers in container / autoscaling setups (see Brainz configuration).
  • Fix Swagger documentation for certificates.
  • vcli agent ls -v now only lists 10 deployed VCLGroups per agent and indicates if there are more than 10 with a “..(n more entries)” suffix.
  • Improved Git file synchronization.
  • Improved execution TTL for invalidations within Controller Agents.
  • Built with Go 1.25.7.
  • Fixed a bug where selecting a custom date for an API token would lead to an unresponsive UI.
  • Added a missing permission in the UI for customsession.
  • Added a column for expiration date when listing all certificates in the UI.
  • Increase zoom level on the CDN map in the UI.

Version 7.3.2 (2026-01-19)

  • Follow symlinks in Git and increase the number of Git files from 25 to 40.
  • Add a new [neq] API operator that can be used to filter records (see API Examples).
  • Add more information in monitoring data to the _info records.
  • Add a new VCLI command to deploy only a few files that have been changed, without the need to specify every file: vcli vclgroup deploy-files <vg-id> --includes 2:latest (see CLI Examples).
  • Built with Go 1.25.6.

Version 7.3.1 (2025-12-18)

  • Fix a PostgreSQL scalability issue when aggregating large Varnish statistics by explicitly selecting a more efficient SQL query plan.
  • UI: Fix a bug when logging in over unencrypted connections that resulted in a Forbidden - CSRF token not found in request error message.
  • Upgrade NATS to version 2.12.3, built with Go 1.25.5.
  • Test all FQDNs when probing CAA entries for ACME certificates.
  • Built with Go 1.25.5.

Version 7.3.0 (2025-12-03)

  • Fix potential problems when transferring agents between organizations while running routers in grace mode.
  • Provide internal metrics under new endpoint /api/v1/internal-metrics.
  • Keep ownership when transferring an agent or router to another organization.
  • Statistics can now be pruned with the vcli stats prune ... command and via the API with DELETE /api/v1/stats.
  • In DNS traffic routing, reply with NOERROR instead of SERVFAIL if there are no records to respond with.
  • When filtering vcli results, the new accept-empty flag allows empty results without giving an error.
  • ACME certificate acquisition timeout is configurable with the acme-timeout parameter.
  • Retry failed ACME certificate acquisitions after five minutes.
  • ACME CAA checks are now more resilient to NXDOMAIN DNS responses.
  • Extended ACME related log messages.
  • The ACME DNS endpoint can now be looked up through vcli acme lookup-dns ... and via the API with POST /api/v1/acme/dns-record.
  • Allow for schema-less base urls.
  • vcli can now read the password from the environment variable VARNISH_CONTROLLER_CLI_PASSWORD.
  • UI: Added support for ACME upstream validations (DNS only).
  • UI: Fixed a status alert bug related to the controller license.
  • UI: Fixed a bug related to disappearing routing rules in VCL Groups.
  • UI: Improved scaling of pop-ups on the CDN map when zooming.
  • UI: Improved the informational message for cluster.vcl in the editor.
  • UI: Added the ability to see which VCLGroups are attached to a domain in the UI. Previously, only certificates were shown, now the domain detail page includes a filtered list of connected VCLGroups.
  • UI: Added new feature in VCLgroups (Rollback) to display file names, versions, and descriptions for better visibility.
  • Built with Go 1.25.5.

Version 7.2.1 (2025-10-01)

  • UI and cli: Fix a problem where upstream validation FQDN values could be accidentally deleted.

Version 7.2.0 (2025-10-01)

  • ACME certificates with DNS validation can now fetch external validations for supporting multiple certificates.
  • Handle failing ACME ARI with sane defaults and retry.
  • Statistics cleanup cannot be blocked by statistics aggregation any longer.
  • Fix database update when doing IDP organization updates.
  • Updated unclear log messages for better readability.
  • UI: Fixed a bug where a VCLGroup deployed with a gitconfig would not show the deployed files when the main VCL was located in a subdirectory from the root.
  • UI: Now displaying attached external routes in a routing rule (if any), even when externalroute is not an active lookuporder.

Version 7.1.5 (2025-09-11)

  • Built with Go 1.25
  • NATS-Server version 2.11.8
  • Support for 0.0.0.0/0 and ::/0 in CIDR routing decision.
  • Failing ACME renewals are now retried for an extended period of time. The interval is incremented up to 24 hours between retries.
  • Domain-maps and CIDR rule CSV files now support a variable number of fields. This makes it possible to have a variable number of fields in the CSV files for domain to CIDR maps.
  • Invalidations that have no domain and are not root deployed now fail on creation.
  • Extended debug information for ACME HTTP challenges.
  • Configurable timeout for ACME HTTP requests (configured in brainz).
  • Log warning instead of error when an invalidation has already been removed during monitoring.
  • Fix built-in root VCL to allow delivering ACME validation solutions for both routed requests and agents base-URLs.
  • Minor API documentation fixes for deployment states.
  • UI: Updated API documentation for deployment states.
  • UI: Added inline validation errors in ACME certificate creation.
  • UI: Updated the editor's VCL autocompletion.
  • UI: Added organization name in header.
  • UI: Fixed filter bug for deployed / not deployed VCL groups.
  • UI: Fixed bug where static router tags did not appear as locked.

Version 7.1.4 (2025-08-12)

  • Built with Go 1.24.6
  • NATS-Server version 2.11.7
  • Improved transfer of agents and routers to avoid a race condition where agents/routers registered as new ones during transfer.
  • Fix eDNS subnet scopes for IPv6/IPv4, where the minimum mask was not applied correctly.
  • ACME contact can now be updated with empty contact information
  • Adds extra database debug information for system-debug
    • Database version was missing from version 7, now added back.
    • Database connections information added.
  • Adds extra debug information for communication with ACME certificate authorities
  • Expire for vcli when creating a custom token/session now supports dates as well as duration.
    vcli sess create --label MyLongLivedtoken -e '2025-08-05T15:04:05Z'
    vcli sess create --label MyLongLivedtoken -e '2025-11-26 19:11:20'
    vcli sess create --label MyLongLivedtoken -e 60h
    

Version 7.1.3 (2025-07-07)

  • Deploylogs are now correctly removed when deleting a VCLGroup. Previously, dangling deploylogs made it impossible to remove files that were part of deploylogs for removed VCLGroups. This is now fixed and a migration will handle previous dangling deploylogs.
  • Tags are now included correctly for agents that are passed to gRPC plugins in the Traffic Router.
  • Improved root.vcl skipping toLower for domain matching (improves performance when many domains are deployed). This is now done in the agent instead of the VCL.

Version 7.1.2 (2025-06-25)

  • Fixed a bug where the configured NICs were not returned from the API.
  • Fixed a bug where the graphs in the UI dashboard stayed empty.
  • Fixed a bug for loading TLS 1.3 certificates into Varnish.
  • Fixed a bug where invalidations did not load domains correctly as an organization user.

Version 7.1.1 (2025-06-05)

  • Fixes a bug where certificates were not loaded correctly into Varnish during renewal.

Version 7.1.0 (2025-06-04)

  • Support for revocation of ACME TLS Certificates.
  • Make it possible to remove deploylogs for undeployed VCLGroups.
  • Hide NATS password in configs
  • Agent root.vcl now uses case-insensitive domain matching.
  • Domain validation is now more strict and follows RFC 1035.
  • A superfluous error message in the agent, previously logged as an error when no BaseURL had been configured, has been downgraded to a debug log message.
  • Normalization of NIC names in the agent.
  • Fixes a bug where negative values for Longitude/Latitude were not saved correctly.
  • Support for Domain Maps for CIDR:Tag routing.
  • Swagger documentation has been improved.
  • Support for eDNS subnet scopes.
    • New configuration options for Routing Rules (ipv4MinMask and ipv6MinMask) to set the minimum mask for IPv4 and IPv6 addresses for router DNS responses.
  • Fixes a duplicate entry error for routing plugins.
  • Fixes an error that was triggered for static tags insert.
  • UI: Fixes a bug where contact information was not persisted for ACME accounts.
  • UI: Fixes a bug where unsaved changes in a file were overwritten when changing tabs.
  • UI: Add an option to trigger a deployment on a single VCLGroup from the VCLGroup index page.

Version 7.0.1 (2025-04-24)

  • Allow stopping aggregation queries from running when using the -keep-stats-* configurations.
  • Add support for exporting routing health in Prometheus for monitoring purposes.
  • Fixed duplicate labels on Prometheus output.
  • Fixed cleaning counter names for S3 and UDO statistics from IP addresses.
  • Upgrade dependencies to resolve CVEs.
  • UI server: Assume TLS as default.
  • UI: Add option for loadAllSans in certificates.
  • UI: Various bug fixes.
  • API documentation has been updated with fixes.
    • POST|PUT now have required fields added and reflect what should actually be part of the request body.
    • gitRepos endpoint now lowercased.
    • Swagger.json now contains extension x-nullable for string pointers.
    • Descriptions for several endpoints have been improved.
    • Required fields are now marked as required in swagger docs.

Version 7.0.0 (2025-03-27)

  • All components have been built with the latest Go 1.24.
  • Support for Long Lived Tokens.
  • Support for file versioning.
  • Support for Git managed deployments.
  • New deployment procedure:
    • Deployments have been removed and replaced with TagSets directly on VCLGroups.
    • VCLGroups are no longer connected via files, they are deployed individually.
    • Deploying files can be verified on a given set of matching agents, all matching agents or a random matching agent.
    • Deploy logs for rollback of previously deployed files.
    • Keep on failure always on.
    • Deploy VCLGroup from git repository.
  • Support for ACME (Let’s Encrypt).
    • Creation of accounts and certificates.
    • Automatic renewal of certificates.
  • New database layer for performance improvements and stability.
  • Brainz now requires git as a dependency when installing the brainz package.
  • The default minimum TLS version for new certificates created in the Controller has been changed from TLSv1.3 to TLSv1.2.
  • Certificates now have an allSans option to load all SAN entries into Varnish, including wildcards.
  • Support to append a single domain ID to a VCLGroup.
  • Dropping support for a couple of old distributions that have reached End Of Life:
    • Ubuntu Xenial
    • Ubuntu Bionic
    • Ubuntu Focal
    • Debian Stretch
    • Debian Buster
    • CentOS 7

®Varnish Software, Wallingatan 12, 111 60 Stockholm, Organization nr. 556805-6203