Prepare release v2.2.4

Change the default value of insecureSNI
* fix: allow domain fronting by default * review: typo. * review: doc. Co-authored-by: Fernandez Ludovic <ludovic@containo.us>
2025-09-20 05:44:23 +03:00 · 2020-07-10 19:16:04 +02:00 · 2020-07-10 18:48:03 +02:00 · 2020-07-09 17:58:03 +02:00 · 2020-07-09 10:50:04 +02:00
8 changed files with 52 additions and 96 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,15 @@
+## [v2.2.4](https://github.com/containous/traefik/tree/v2.2.4) (2020-07-10)
+[All Commits](https://github.com/containous/traefik/compare/v2.2.3...v2.2.4)
+
+**Bug fixes:**
+- **[tls]** Change the default value of insecureSNI ([#7027](https://github.com/containous/traefik/pull/7027) by [jbdoumenjou](https://github.com/jbdoumenjou))
+
+## [v2.2.3](https://github.com/containous/traefik/tree/v2.2.3) (2020-07-09)
+[All Commits](https://github.com/containous/traefik/compare/v2.2.2...v2.2.3)
+
+**Bug fixes:**
+- **[middleware]** Fix panic when using chain middleware. ([#7016](https://github.com/containous/traefik/pull/7016) by [juliens](https://github.com/juliens))
+
 ## [v2.2.2](https://github.com/containous/traefik/tree/v2.2.2) (2020-07-08)
 [All Commits](https://github.com/containous/traefik/compare/v2.2.1...v2.2.2)

--- a/docs/content/https/tls.md
+++ b/docs/content/https/tls.md
@@ -137,7 +137,7 @@ connection with a specific domain name, thanks to the
 [Server Name Indication](https://en.wikipedia.org/wiki/Server_Name_Indication), then access a service with another 
 domain set in the HTTP `Host` header.

-Since the `v2.2.2`, Traefik avoids (by default) using domain fronting.
+Since the `v2.2.4`, Traefik has the option to avoid domain fronting thanks to the `insecureSNI` global flag.
 As it is valid for advanced use cases, the `HostHeader` and `HostSNI` [rules](../routing/routers/index.md#rule) allow 
 to fine tune the routing with the `Server Name Indication` and `Host header` value.

--- a/docs/content/migration/v2.md
+++ b/docs/content/migration/v2.md
@@ -4,114 +4,35 @@

 ### Domain fronting

-In `v2.2.2` we introduced the ability to avoid [Domain fronting](https://en.wikipedia.org/wiki/Domain_fronting), 
-and enabled it by default for [https routers](../routing/routers/index.md#rule) configured with ```Host(`something`)```.
+In `v2.2.2` we introduced the ability to avoid [Domain fronting](https://en.wikipedia.org/wiki/Domain_fronting) for [https routers](../routing/routers/index.md#rule) configured with ```Host(`something`)``` but we disabled it for compatibility reasons by default.

-!!! example "Allow Domain Fronting on a Specific Router"
-    
-    !!! info "Before v2.2.2"
-    
-    ```yaml tab="Docker"
-    labels:
-      - "traefik.http.routers.router0.rule=Host(`test.localhost`)"
-    ```
-    
-    ```yaml tab="K8s Ingress"
-    apiVersion: traefik.containo.us/v1alpha1
-    kind: IngressRoute
-    metadata:
-      name: ingressroutebar
-    
-    spec:
-      entryPoints:
-        - http
-      routes:
-      - match: Host(`test.localhost`)
-        kind: Rule
-        services:
-        - name: server0
-          port: 80
-        - name: server1
-          port: 80
-    ```
-        
-    ```toml tab="File (TOML)"
-    [http.routers.router0]
-        rule = "Host(`test.localhost`)"
-        service = "my-service"
-    ```
-    
-    ```toml tab="File (YAML)"
-    http:
-      routers:
-        router0:
-          rule: "Host(`test.localhost`)"
-          service: my-service
-    ```
+Nothing special is required to keep the previous behavior.

-    !!! info "v2.2.2"
-    
-    ```yaml tab="Docker"
-    labels:
-      - "traefik.http.routers.router0.rule=HostHeader(`test.localhost`)"
-    ```
-    
-    ```yaml tab="K8s Ingress"
-    apiVersion: traefik.containo.us/v1alpha1
-    kind: IngressRoute
-    metadata:
-      name: ingressroutebar
-    
-    spec:
-      entryPoints:
-        - http
-      routes:
-      - match: HostHeader(`test.localhost`)
-        kind: Rule
-        services:
-        - name: server0
-          port: 80
-        - name: server1
-          port: 80
-    ```
-        
-    ```toml tab="File (TOML)"
-    [http.routers.router0]
-        rule = "HostHeader(`test.localhost`)"
-        service = "my-service"
-    ```
-    
-    ```toml tab="File (YAML)"
-    http:
-      routers:
-        router0:
-          rule: "HostHeader(`test.localhost`)"
-          service: my-service
-    ```
+However, a new flag is available as a global option to disable domain fronting.

-As a fallback, a new flag is available as a global option:
-
-!!! example "Enabling Domain Fronting for All Routers"
+!!! example "Disabling Domain Fronting for All Routers"
    
    ```toml tab="File (TOML)"
    # Static configuration
    [global]
-      # Enabling domain fronting
-      insecureSNI = true
+      # Disabling domain fronting
+      insecureSNI = false
    ```
    
    ```yaml tab="File (YAML)"
    # Static configuration
    global:
-      # Enabling domain fronting
-      insecureSNI: true
+      # Disabling domain fronting
+      insecureSNI: false
    ```
    
    ```bash tab="CLI"
-    # Enabling domain fronting
-    --global.insecureSNI
+    # Disabling domain fronting
+    --global.insecureSNI=false
    ```

+To fine tune the HTTPS routing with Domain Fronting disabled, two new HTTP rules `HostSNI` and `HostHeader` are available. 
+
 ## v2.0 to v2.1

 ### Kubernetes CRD
--- a/docs/content/reference/static-configuration/cli-ref.md
+++ b/docs/content/reference/static-configuration/cli-ref.md
@@ -163,7 +163,7 @@ WriteTimeout is the maximum duration before timing out writes of the response. I
 Periodically check if a new version has been released. (Default: ```false```)

 `--global.insecuresni`:  
-Allow domain fronting. If the option is not specified, it will be disabled by default. (Default: ```false```)
+Allow domain fronting. If the option is not specified, it will be enabled by default. (Default: ```true```)

 `--global.sendanonymoususage`:  
 Periodically send anonymous usage statistics. If the option is not specified, it will be enabled by default. (Default: ```false```)
--- a/docs/content/reference/static-configuration/env-ref.md
+++ b/docs/content/reference/static-configuration/env-ref.md
@@ -163,7 +163,7 @@ WriteTimeout is the maximum duration before timing out writes of the response. I
 Periodically check if a new version has been released. (Default: ```false```)

 `TRAEFIK_GLOBAL_INSECURESNI`:  
-Allow domain fronting. If the option is not specified, it will be disabled by default. (Default: ```false```)
+Allow domain fronting. If the option is not specified, it will be enabled by default. (Default: ```true```)

 `TRAEFIK_GLOBAL_SENDANONYMOUSUSAGE`:  
 Periodically send anonymous usage statistics. If the option is not specified, it will be enabled by default. (Default: ```false```)
--- a/pkg/config/static/static_config.go
+++ b/pkg/config/static/static_config.go
@@ -79,7 +79,12 @@ type CertificateResolver struct {
 type Global struct {
 	CheckNewVersion    bool `description:"Periodically check if a new version has been released." json:"checkNewVersion,omitempty" toml:"checkNewVersion,omitempty" yaml:"checkNewVersion,omitempty" label:"allowEmpty" export:"true"`
 	SendAnonymousUsage bool `description:"Periodically send anonymous usage statistics. If the option is not specified, it will be enabled by default." json:"sendAnonymousUsage,omitempty" toml:"sendAnonymousUsage,omitempty" yaml:"sendAnonymousUsage,omitempty" label:"allowEmpty" export:"true"`
-	InsecureSNI        bool `description:"Allow domain fronting. If the option is not specified, it will be disabled by default." json:"insecureSNI,omitempty" toml:"insecureSNI,omitempty" yaml:"insecureSNI,omitempty" label:"allowEmpty" export:"true"`
+	InsecureSNI        bool `description:"Allow domain fronting. If the option is not specified, it will be enabled by default." json:"insecureSNI,omitempty" toml:"insecureSNI,omitempty" yaml:"insecureSNI,omitempty" label:"allowEmpty" export:"true"`
+}
+
+// SetDefaults sets the default values.
+func (a *Global) SetDefaults() {
+	a.InsecureSNI = true
 }

 // ServersTransport options to configure communication between Traefik and the servers.
--- a/pkg/responsemodifiers/response_modifier.go
+++ b/pkg/responsemodifiers/response_modifier.go
@@ -45,7 +45,10 @@ func (f *Builder) Build(ctx context.Context, names []string) func(*http.Response
 			for _, name := range conf.Chain.Middlewares {
 				qualifiedNames = append(qualifiedNames, provider.GetQualifiedName(chainCtx, name))
 			}
-			modifiers = append(modifiers, f.Build(ctx, qualifiedNames))
+
+			if rm := f.Build(ctx, qualifiedNames); rm != nil {
+				modifiers = append(modifiers, rm)
+			}
 		}
 	}

--- a/pkg/responsemodifiers/response_modifier_test.go
+++ b/pkg/responsemodifiers/response_modifier_test.go
@@ -169,6 +169,21 @@ func TestBuilderBuild(t *testing.T) {
 			},
 			assertResponse: func(t *testing.T, resp *http.Response) {},
 		},
+
+		{
+			desc:          "chain without headers",
+			middlewares:   []string{"chain"},
+			buildResponse: stubResponse,
+			conf: map[string]*dynamic.Middleware{
+				"foo": {IPWhiteList: &dynamic.IPWhiteList{}},
+				"chain": {
+					Chain: &dynamic.Chain{
+						Middlewares: []string{"foo"},
+					},
+				},
+			},
+			assertResponse: func(t *testing.T, resp *http.Response) {},
+		},
 	}

 	for _, test := range testCases {
Author	SHA1	Message	Date
Jean-Baptiste Doumenjou	06dcf8d8aa	Prepare release v2.2.4	2020-07-10 19:16:04 +02:00
Jean-Baptiste Doumenjou	c315b4e064	Change the default value of insecureSNI * fix: allow domain fronting by default * review: typo. * review: doc. Co-authored-by: Fernandez Ludovic <ludovic@containo.us>	2020-07-10 18:48:03 +02:00
Jean-Baptiste Doumenjou	d7f517fbf5	Prepare release v2.2.3	2020-07-09 17:58:03 +02:00
Julien Salleyron	b10cb84f33	Fix panic when using chain middleware.	2020-07-09 10:50:04 +02:00