shaba/traefik
1
0
Fork 0
mirror of https://github.com/containous/traefik.git synced 2025-09-07 09:44:23 +03:00
Code Releases Activity

Compare commits

base: shaba:v2.4.1
Branches Tags
shaba:master shaba:v3.5 shaba:v2.11 shaba:v3.4 shaba:v3.3 shaba:v3.2 shaba:v3.1 shaba:v3.0 shaba:v1.0 shaba:v1.1 shaba:v1.2 shaba:v1.3 shaba:v1.4 shaba:v2.10 shaba:v1.5 shaba:v1.6 shaba:v1.7 shaba:v2.0 shaba:v2.1 shaba:v2.2 shaba:v2.6 shaba:v2.7 shaba:v2.8 shaba:v2.9 shaba:v2.3 shaba:v2.4 shaba:v2.5
shaba:v3.5.1 shaba:v2.11.29 shaba:v3.5.0 shaba:v3.4.5 shaba:v2.11.28 shaba:v3.5.0-rc2 shaba:v3.4.4 shaba:v2.11.27 shaba:v3.5.0-rc1 shaba:v3.4.3 shaba:v3.4.2 shaba:v2.11.26 shaba:v3.4.1 shaba:v2.11.25 shaba:v3.4.0 shaba:v3.3.7 shaba:v3.4.0-rc2 shaba:v3.3.6 shaba:v2.11.24 shaba:v2.11.23 shaba:v3.4.0-rc1 shaba:v3.3.5 shaba:v2.11.22 shaba:v3.3.4 shaba:v2.11.21 shaba:v3.3.3 shaba:v2.11.20 shaba:v2.11.19 shaba:v3.3.2 shaba:v2.11.18 shaba:v3.3.1 shaba:v3.2.5 shaba:v3.3.0 shaba:v3.2.4 shaba:v2.11.17 shaba:v3.3.0-rc2 shaba:v3.3.0-rc1 shaba:v3.2.3 shaba:v2.11.16 shaba:v3.2.2 shaba:v2.11.15 shaba:v3.2.1 shaba:v2.11.14 shaba:v3.2.0 shaba:v3.1.7 shaba:v2.11.13 shaba:v3.2.0-rc2 shaba:v3.1.6 shaba:v2.11.12 shaba:v3.2.0-rc1 shaba:v3.1.5 shaba:v2.11.11 shaba:v3.1.4 shaba:v2.11.10 shaba:v3.1.3 shaba:v2.11.9 shaba:v3.1.2 shaba:v2.11.8 shaba:v3.1.1 shaba:v2.11.7 shaba:v3.1.0 shaba:v3.1.0-rc3 shaba:v3.0.4 shaba:v2.11.6 shaba:v3.1.0-rc2 shaba:v3.1.0-rc1 shaba:v3.0.3 shaba:v2.11.5 shaba:v3.0.2 shaba:v2.11.4 shaba:v3.0.1 shaba:v2.11.3 shaba:v3.0.0 shaba:v3.0.0-rc5 shaba:v2.11.2 shaba:v3.0.0-rc4 shaba:v2.11.1 shaba:v3.0.0-rc3 shaba:v3.0.0-rc2 shaba:v3.0.0-rc1 shaba:v2.11.0 shaba:v2.11.0-rc2 shaba:v2.11.0-rc1 shaba:v2.10.7 shaba:v3.0.0-beta5 shaba:v2.10.6 shaba:v3.0.0-beta4 shaba:v2.10.5 shaba:v2.10.4 shaba:v3.0.0-beta3 shaba:v2.10.3 shaba:v2.10.2 shaba:v2.10.1 shaba:v2.10.0 shaba:v2.10.0-rc2 shaba:v2.9.10 shaba:v2.10.0-rc1 shaba:v2.9.9 shaba:v2.9.8 shaba:v2.9.7 shaba:v3.0.0-beta2 shaba:v2.9.6 shaba:v3.0.0-beta1 shaba:v2.9.5 shaba:v2.9.4 shaba:v2.9.3 shaba:v2.9.2 shaba:v2.9.1 shaba:v2.9.0-rc5 shaba:v2.8.8 shaba:v2.8.7 shaba:v2.9.0-rc4 shaba:v2.8.6 shaba:v2.9.0-rc3 shaba:v2.9.0-rc2 shaba:v2.9.0-rc1 shaba:v2.8.5 shaba:v2.8.4 shaba:v2.8.3 shaba:v2.8.2 shaba:v2.8.1 shaba:v2.8.0 shaba:v2.7.3 shaba:v2.8.0-rc2 shaba:v2.7.2 shaba:v2.8.0-rc1 shaba:v2.7.1 shaba:v2.7.0 shaba:v2.6.7 shaba:v2.6.6 shaba:v2.6.5 shaba:v2.6.4 shaba:v2.7.0-rc2 shaba:v2.6.3 shaba:v2.7.0-rc1 shaba:v2.6.2 shaba:v2.6.1 shaba:v2.6.0 shaba:v2.6.0-rc3 shaba:v2.5.7 shaba:v2.6.0-rc2 shaba:v2.5.6 shaba:v2.6.0-rc1 shaba:v1.7.34 shaba:v2.5.5 shaba:v2.5.4 shaba:v1.7.33 shaba:v1.7.32 shaba:v1.7.31 shaba:v2.5.3 shaba:v2.5.2 shaba:v2.5.1 shaba:v2.5.0 shaba:v2.4.14 shaba:v2.5.0-rc6 shaba:v2.5.0-rc5 shaba:v2.5.0-rc4 shaba:v2.4.13 shaba:v2.4.12 shaba:v2.5.0-rc3 shaba:v2.4.11 shaba:v2.4.10 shaba:v2.5.0-rc2 shaba:v2.5.0-rc1 shaba:v2.4.9 shaba:v1.7.30 shaba:v1.7.29 shaba:v2.4.8 shaba:v2.4.7 shaba:v2.4.6 shaba:v2.4.5 shaba:v2.4.4 shaba:v2.4.3 shaba:v2.4.2 shaba:v2.4.1 shaba:v2.4.0 shaba:v1.7.28 shaba:v1.7.27 shaba:v2.4.0-rc2 shaba:v2.3.7 shaba:v2.3.6 shaba:v2.4.0-rc1 shaba:v2.3.5 shaba:v2.3.4 shaba:v2.3.3 shaba:v2.3.2 shaba:v2.3.1 shaba:v2.3.0 shaba:v2.3.0-rc7 shaba:v2.3.0-rc6 shaba:v2.3.0-rc5 shaba:v2.2.11 shaba:v2.2.10 shaba:v2.3.0-rc4 shaba:v2.3.0-rc3 shaba:v2.2.8 shaba:v1.7.26 shaba:v2.2.7 shaba:v2.2.6 shaba:v2.3.0-rc2 shaba:v2.3.0-rc1 shaba:v1.7.25 shaba:v2.2.5 shaba:v2.2.4 shaba:v2.2.3 shaba:v2.2.2 shaba:v2.2.1 shaba:v2.2.0 shaba:v1.7.24 shaba:v2.1.9 shaba:v1.7.23 shaba:v2.2.0-rc4 shaba:v2.1.8 shaba:v2.2.0-rc3 shaba:v2.1.7 shaba:v1.7.22 shaba:v2.2.0-rc2 shaba:v2.2.0-rc1 shaba:v2.1.6 shaba:v2.1.5 shaba:v1.7.21 shaba:v2.1.4 shaba:v2.1.3 shaba:v2.1.2 shaba:v2.1.1 shaba:v2.1.0 shaba:v1.7.20 shaba:v2.0.7 shaba:v2.1.0-rc3 shaba:v2.0.6 shaba:v2.1.0-rc2 shaba:v2.1.0-rc1 shaba:v2.0.5 shaba:v2.0.4 shaba:v2.0.3 shaba:v1.7.19 shaba:v2.0.2 shaba:v2.0.1 shaba:v1.7.18 shaba:v1.7.17 shaba:v2.0.0 shaba:v2.0.0-rc4 shaba:v1.7.16 shaba:v1.7.15 shaba:v2.0.0-rc3 shaba:v2.0.0-rc2 shaba:v2.0.0-rc1 shaba:v1.7.14 shaba:v1.7.13 shaba:v2.0.0-beta1 shaba:v2.0.0-alpha8 shaba:v2.0.0-alpha7 shaba:v2.0.0-alpha6 shaba:v2.0.0-alpha5 shaba:v1.7.12 shaba:v1.7.11 shaba:v2.0.0-alpha4 shaba:v2.0.0-alpha3 shaba:v1.7.10 shaba:v2.0.0-alpha2 shaba:v2.0.0-alpha1 shaba:v1.7.9 shaba:v1.7.8 shaba:v1.7.7 shaba:v1.7.6 shaba:v1.7.5 shaba:v1.7.4 shaba:v1.7.3 shaba:v1.7.2 shaba:v1.7.1 shaba:v1.7.0 shaba:v1.7.0-rc5 shaba:v1.7.0-rc4 shaba:v1.6.6 shaba:v1.7.0-rc3 shaba:v1.7.0-rc2 shaba:v1.6.5 shaba:v1.7.0-rc1 shaba:v1.6.4 shaba:v1.6.3 shaba:v1.6.2 shaba:v1.6.1 shaba:v1.6.0 shaba:v1.6.0-rc6 shaba:v1.6.0-rc5 shaba:v1.6.0-rc4 shaba:v1.6.0-rc3 shaba:v1.6.0-rc2 shaba:v1.6.0-rc1 shaba:v1.5.4 shaba:v1.5.3 shaba:v1.5.2 shaba:v1.5.1 shaba:v1.5.0 shaba:v1.5.0-rc5 shaba:v1.5.0-rc4 shaba:v1.4.6 shaba:v1.5.0-rc3 shaba:v1.5.0-rc2 shaba:v1.4.5 shaba:v1.5.0-rc1 shaba:v1.4.4 shaba:v1.4.3 shaba:v1.4.2 shaba:v1.4.1 shaba:v1.4.0 shaba:v1.4.0-rc5 shaba:v1.4.0-rc4 shaba:v1.4.0-rc3 shaba:v1.4.0-rc2 shaba:v1.3.8 shaba:v1.4.0-rc1 shaba:v1.3.7 shaba:v1.3.6 shaba:v1.3.5 shaba:v1.3.4 shaba:v1.3.3 shaba:v1.3.2 shaba:v1.3.1 shaba:v1.3.0 shaba:v1.3.0-rc3 shaba:v1.3.0-rc2 shaba:v1.3.0-rc1 shaba:v1.2.3 shaba:v1.2.2 shaba:v1.2.1 shaba:v1.2.0 shaba:v1.2.0-rc2 shaba:v1.2.0-rc1 shaba:v1.1.2 shaba:v1.1.1 shaba:v1.1.0 shaba:v1.1.0-rc4 shaba:v1.1.0-rc3 shaba:v1.1.0-rc2 shaba:v1.1.0-rc1 shaba:v1.0.3 shaba:v1.0.2 shaba:v1.0.1 shaba:v1.0.0 shaba:v1.0.0-rc3 shaba:v1.0.0-rc2 shaba:v1.0.0-rc1 shaba:v1.0.0-beta.809 shaba:v1.0.0-beta.804 shaba:v1.0.0-beta.794 shaba:v1.0.0-beta.784 shaba:v1.0.0-beta.771 shaba:v1.0.0-beta.767 shaba:v1.0.0-beta.756 shaba:v1.0.0-beta.754 shaba:v1.0.0-beta.744 shaba:v1.0.0-beta.732 shaba:v1.0.0-beta.723 shaba:v1.0.0-beta.721 shaba:v1.0.0-beta.712 shaba:v1.0.0-beta.704 shaba:v1.0.0-beta.695 shaba:v1.0.0-beta.692 shaba:v1.0.0-beta.682 shaba:v1.0.0-beta.676 shaba:v1.0.0-beta.673 shaba:v1.0.0-beta.666 shaba:v1.0.0-beta.652 shaba:v1.0.0-beta.644 shaba:v1.0.0-beta.621 shaba:v1.0.0-beta.614 shaba:v1.0.0-beta.610 shaba:v1.0.0-beta.601 shaba:v1.0.0-beta.582 shaba:v1.0.0-beta.576 shaba:v1.0.0-beta.573 shaba:v1.0.0-beta.555 shaba:v1.0.0-beta.548 shaba:v1.0.0-beta.545 shaba:v1.0.0-beta.524 shaba:v1.0.0-beta.513 shaba:v1.0.0-beta.508 shaba:v1.0.0-beta.505 shaba:v1.0.0-beta.484 shaba:v1.0.0-beta.481 shaba:v1.0.0-beta.475 shaba:v1.0.0-beta.470 shaba:v1.0.0-beta.453 shaba:v1.0.0-beta.442 shaba:v1.0.0-beta.440 shaba:v1.0.0-beta.436 shaba:v1.0.0-beta.433 shaba:v1.0.0-beta.427 shaba:v1.0.0-beta.421 shaba:v1.0.0-beta.416 shaba:v1.0.0-beta.408 shaba:v1.0.0-beta.404 shaba:v1.0.0-beta.395 shaba:v1.0.0-beta.392 shaba:v1.0.0-beta.374 shaba:v1.0.0-beta.366 shaba:v1.0.0-beta.355 shaba:v1.0.0-beta.352 shaba:v1.0.0-beta.341 shaba:v1.0.0-beta.339 shaba:v1.0.0-beta.324 shaba:v1.0.0-beta.300 shaba:v1.0.0-beta.291 shaba:v1.0.0-beta.289 shaba:v1.0.0-beta.287 shaba:v1.0.0-beta.280 shaba:v1.0.0-beta.277 shaba:v1.0.0-beta.254 shaba:v1.0.0-beta.247 shaba:v1.0.0-beta.224 shaba:v1.0.0-beta.220 shaba:v1.0.0-beta.212 shaba:v1.0.0-beta.211 shaba:v1.0.alpha.4c447985b63f8c90dcbde70b2eaef19d9a8c5ad2 shaba:v1.0.alpha.9830086790caf40ce30eb9ed5d317917f8157708 shaba:v1.0.alpha.3af21612b65fc578585a98c30090d1e613f791eb shaba:v1.0.alpha.a458018aa2ccb637abacfc696157e00321cf982f shaba:v1.0.alpha.4ded2682d2831ed703282b2f4585e17a62ee258e shaba:v1.0.alpha.0e683cc5355bc507dabac68bbc7559d3f179e185 shaba:v1.0.alpha.11781087cadf9068d1d0b43902b6161ee10ea458 shaba:v1.0.alpha.b42b170ad29a0f042ddee0f5a5098aa9a59a9c8e shaba:v1.0.alpha.a00eb81f0301f5e61024dea3b92ba632d6a61a8b shaba:v1.0.alpha.6c3c5578c64125838abbc437a0242e1742d6f47a shaba:v1.0.alpha.b84b95fe97df5c0f234d8693fbff03fa0d6a441b shaba:v1.0.alpha.1a5668377cc840a35d233a0eb817ee9bacf0ba3e shaba:v1.0.alpha.331cd173ce8ad858d767510fbcbc653e2dde657d shaba:v1.0.alpha.e0872b61579c8e6b8fc6124c8836660c11840f5d shaba:v1.0.alpha.99646544953d5793f18ccb22dae2458be4ba0e05 shaba:v1.0.alpha.7acc2beae0f0235d9408e8ed7a51f0ef3dae3aff shaba:v1.0.alpha.ac56c1310c46f9c18dcad9d7ec680926fae821bb shaba:v1.0.alpha.71b0e27517841ec7b911bafb109846ee96109f30 shaba:v1.0.alpha.60e9282f0adac48cbf283306ceb08ad7a31ac94b shaba:v1.0.alpha.522 shaba:v1.0.alpha.516 shaba:v1.0.alpha.506 shaba:v1.0.alpha.481 shaba:v1.0.alpha.477 shaba:v1.0.alpha.471 shaba:v1.0.alpha.469 shaba:v1.0.alpha.463 shaba:v1.0.alpha.450 shaba:v1.0.alpha.443 shaba:v1.0.alpha.439 shaba:v1.0.alpha.425 shaba:v1.0.alpha.421 shaba:v1.0.alpha.418 shaba:v1.0.alpha.412 shaba:v1.0.alpha.404 shaba:v1.0.alpha.392 shaba:v1.0.alpha.374 shaba:v1.0.alpha.367 shaba:v1.0.alpha.364 shaba:v1.0.alpha.361 shaba:v1.0.alpha.358 shaba:v1.0.alpha.357 shaba:v1.0.alpha.341 shaba:v1.0.alpha.338 shaba:v1.0.alpha.336 shaba:v1.0.alpha.333 shaba:v1.0.alpha.329 shaba:v1.0.alpha.311 shaba:v1.0.alpha.306 shaba:v1.0.alpha.302 shaba:v1.0.alpha.291 shaba:v1.0.alpha.290 shaba:v1.0.alpha.288 shaba:v1.0.alpha.285 shaba:v1.0.alpha.275 shaba:v1.0.alpha.274 shaba:v1.0.alpha.273 shaba:v1.0.alpha.272 shaba:v1.0.alpha.271 shaba:v1.0.alpha.270 shaba:v1.0.alpha.268 shaba:v1.0.alpha.269 shaba:v1.0.alpha.267 shaba:v1.0.alpha.266 shaba:v1.0.alpha.263 shaba:v1.0.alpha.257 shaba:v1.0.alpha.256 shaba:v1.0.alpha.251 shaba:v1.0.alpha.252 shaba:v1.0.alpha.250 shaba:v1.0.alpha.249 shaba:v1.0.alpha.247 shaba:v1.0.alpha.228 shaba:v1.0.alpha.217 shaba:v1.0.alpha.216 shaba:v1.0.alpha.215 shaba:v1.0.alpha.212 shaba:v1.0.alpha.200 shaba:v1.0.alpha.186 shaba:v1.0.alpha.182 shaba:v1.0.alpha.178 shaba:v1.0.alpha.176 shaba:v1.0.alpha.171 shaba:v1.0.alpha.170 shaba:v1.0.alpha.164 shaba:v1.0.alpha.157 shaba:v1.0
...
compare: shaba:v2.5.0
Branches Tags
shaba:v3.5 shaba:master shaba:v2.11 shaba:v3.4 shaba:v3.3 shaba:v3.2 shaba:v3.1 shaba:v3.0 shaba:v1.0 shaba:v1.1 shaba:v1.2 shaba:v1.3 shaba:v1.4 shaba:v2.10 shaba:v1.5 shaba:v1.6 shaba:v1.7 shaba:v2.0 shaba:v2.1 shaba:v2.2 shaba:v2.6 shaba:v2.7 shaba:v2.8 shaba:v2.9 shaba:v2.3 shaba:v2.4 shaba:v2.5
shaba:v3.5.1 shaba:v2.11.29 shaba:v3.5.0 shaba:v3.4.5 shaba:v2.11.28 shaba:v3.5.0-rc2 shaba:v3.4.4 shaba:v2.11.27 shaba:v3.5.0-rc1 shaba:v3.4.3 shaba:v3.4.2 shaba:v2.11.26 shaba:v3.4.1 shaba:v2.11.25 shaba:v3.4.0 shaba:v3.3.7 shaba:v3.4.0-rc2 shaba:v3.3.6 shaba:v2.11.24 shaba:v2.11.23 shaba:v3.4.0-rc1 shaba:v3.3.5 shaba:v2.11.22 shaba:v3.3.4 shaba:v2.11.21 shaba:v3.3.3 shaba:v2.11.20 shaba:v2.11.19 shaba:v3.3.2 shaba:v2.11.18 shaba:v3.3.1 shaba:v3.2.5 shaba:v3.3.0 shaba:v3.2.4 shaba:v2.11.17 shaba:v3.3.0-rc2 shaba:v3.3.0-rc1 shaba:v3.2.3 shaba:v2.11.16 shaba:v3.2.2 shaba:v2.11.15 shaba:v3.2.1 shaba:v2.11.14 shaba:v3.2.0 shaba:v3.1.7 shaba:v2.11.13 shaba:v3.2.0-rc2 shaba:v3.1.6 shaba:v2.11.12 shaba:v3.2.0-rc1 shaba:v3.1.5 shaba:v2.11.11 shaba:v3.1.4 shaba:v2.11.10 shaba:v3.1.3 shaba:v2.11.9 shaba:v3.1.2 shaba:v2.11.8 shaba:v3.1.1 shaba:v2.11.7 shaba:v3.1.0 shaba:v3.1.0-rc3 shaba:v3.0.4 shaba:v2.11.6 shaba:v3.1.0-rc2 shaba:v3.1.0-rc1 shaba:v3.0.3 shaba:v2.11.5 shaba:v3.0.2 shaba:v2.11.4 shaba:v3.0.1 shaba:v2.11.3 shaba:v3.0.0 shaba:v3.0.0-rc5 shaba:v2.11.2 shaba:v3.0.0-rc4 shaba:v2.11.1 shaba:v3.0.0-rc3 shaba:v3.0.0-rc2 shaba:v3.0.0-rc1 shaba:v2.11.0 shaba:v2.11.0-rc2 shaba:v2.11.0-rc1 shaba:v2.10.7 shaba:v3.0.0-beta5 shaba:v2.10.6 shaba:v3.0.0-beta4 shaba:v2.10.5 shaba:v2.10.4 shaba:v3.0.0-beta3 shaba:v2.10.3 shaba:v2.10.2 shaba:v2.10.1 shaba:v2.10.0 shaba:v2.10.0-rc2 shaba:v2.9.10 shaba:v2.10.0-rc1 shaba:v2.9.9 shaba:v2.9.8 shaba:v2.9.7 shaba:v3.0.0-beta2 shaba:v2.9.6 shaba:v3.0.0-beta1 shaba:v2.9.5 shaba:v2.9.4 shaba:v2.9.3 shaba:v2.9.2 shaba:v2.9.1 shaba:v2.9.0-rc5 shaba:v2.8.8 shaba:v2.8.7 shaba:v2.9.0-rc4 shaba:v2.8.6 shaba:v2.9.0-rc3 shaba:v2.9.0-rc2 shaba:v2.9.0-rc1 shaba:v2.8.5 shaba:v2.8.4 shaba:v2.8.3 shaba:v2.8.2 shaba:v2.8.1 shaba:v2.8.0 shaba:v2.7.3 shaba:v2.8.0-rc2 shaba:v2.7.2 shaba:v2.8.0-rc1 shaba:v2.7.1 shaba:v2.7.0 shaba:v2.6.7 shaba:v2.6.6 shaba:v2.6.5 shaba:v2.6.4 shaba:v2.7.0-rc2 shaba:v2.6.3 shaba:v2.7.0-rc1 shaba:v2.6.2 shaba:v2.6.1 shaba:v2.6.0 shaba:v2.6.0-rc3 shaba:v2.5.7 shaba:v2.6.0-rc2 shaba:v2.5.6 shaba:v2.6.0-rc1 shaba:v1.7.34 shaba:v2.5.5 shaba:v2.5.4 shaba:v1.7.33 shaba:v1.7.32 shaba:v1.7.31 shaba:v2.5.3 shaba:v2.5.2 shaba:v2.5.1 shaba:v2.5.0 shaba:v2.4.14 shaba:v2.5.0-rc6 shaba:v2.5.0-rc5 shaba:v2.5.0-rc4 shaba:v2.4.13 shaba:v2.4.12 shaba:v2.5.0-rc3 shaba:v2.4.11 shaba:v2.4.10 shaba:v2.5.0-rc2 shaba:v2.5.0-rc1 shaba:v2.4.9 shaba:v1.7.30 shaba:v1.7.29 shaba:v2.4.8 shaba:v2.4.7 shaba:v2.4.6 shaba:v2.4.5 shaba:v2.4.4 shaba:v2.4.3 shaba:v2.4.2 shaba:v2.4.1 shaba:v2.4.0 shaba:v1.7.28 shaba:v1.7.27 shaba:v2.4.0-rc2 shaba:v2.3.7 shaba:v2.3.6 shaba:v2.4.0-rc1 shaba:v2.3.5 shaba:v2.3.4 shaba:v2.3.3 shaba:v2.3.2 shaba:v2.3.1 shaba:v2.3.0 shaba:v2.3.0-rc7 shaba:v2.3.0-rc6 shaba:v2.3.0-rc5 shaba:v2.2.11 shaba:v2.2.10 shaba:v2.3.0-rc4 shaba:v2.3.0-rc3 shaba:v2.2.8 shaba:v1.7.26 shaba:v2.2.7 shaba:v2.2.6 shaba:v2.3.0-rc2 shaba:v2.3.0-rc1 shaba:v1.7.25 shaba:v2.2.5 shaba:v2.2.4 shaba:v2.2.3 shaba:v2.2.2 shaba:v2.2.1 shaba:v2.2.0 shaba:v1.7.24 shaba:v2.1.9 shaba:v1.7.23 shaba:v2.2.0-rc4 shaba:v2.1.8 shaba:v2.2.0-rc3 shaba:v2.1.7 shaba:v1.7.22 shaba:v2.2.0-rc2 shaba:v2.2.0-rc1 shaba:v2.1.6 shaba:v2.1.5 shaba:v1.7.21 shaba:v2.1.4 shaba:v2.1.3 shaba:v2.1.2 shaba:v2.1.1 shaba:v2.1.0 shaba:v1.7.20 shaba:v2.0.7 shaba:v2.1.0-rc3 shaba:v2.0.6 shaba:v2.1.0-rc2 shaba:v2.1.0-rc1 shaba:v2.0.5 shaba:v2.0.4 shaba:v2.0.3 shaba:v1.7.19 shaba:v2.0.2 shaba:v2.0.1 shaba:v1.7.18 shaba:v1.7.17 shaba:v2.0.0 shaba:v2.0.0-rc4 shaba:v1.7.16 shaba:v1.7.15 shaba:v2.0.0-rc3 shaba:v2.0.0-rc2 shaba:v2.0.0-rc1 shaba:v1.7.14 shaba:v1.7.13 shaba:v2.0.0-beta1 shaba:v2.0.0-alpha8 shaba:v2.0.0-alpha7 shaba:v2.0.0-alpha6 shaba:v2.0.0-alpha5 shaba:v1.7.12 shaba:v1.7.11 shaba:v2.0.0-alpha4 shaba:v2.0.0-alpha3 shaba:v1.7.10 shaba:v2.0.0-alpha2 shaba:v2.0.0-alpha1 shaba:v1.7.9 shaba:v1.7.8 shaba:v1.7.7 shaba:v1.7.6 shaba:v1.7.5 shaba:v1.7.4 shaba:v1.7.3 shaba:v1.7.2 shaba:v1.7.1 shaba:v1.7.0 shaba:v1.7.0-rc5 shaba:v1.7.0-rc4 shaba:v1.6.6 shaba:v1.7.0-rc3 shaba:v1.7.0-rc2 shaba:v1.6.5 shaba:v1.7.0-rc1 shaba:v1.6.4 shaba:v1.6.3 shaba:v1.6.2 shaba:v1.6.1 shaba:v1.6.0 shaba:v1.6.0-rc6 shaba:v1.6.0-rc5 shaba:v1.6.0-rc4 shaba:v1.6.0-rc3 shaba:v1.6.0-rc2 shaba:v1.6.0-rc1 shaba:v1.5.4 shaba:v1.5.3 shaba:v1.5.2 shaba:v1.5.1 shaba:v1.5.0 shaba:v1.5.0-rc5 shaba:v1.5.0-rc4 shaba:v1.4.6 shaba:v1.5.0-rc3 shaba:v1.5.0-rc2 shaba:v1.4.5 shaba:v1.5.0-rc1 shaba:v1.4.4 shaba:v1.4.3 shaba:v1.4.2 shaba:v1.4.1 shaba:v1.4.0 shaba:v1.4.0-rc5 shaba:v1.4.0-rc4 shaba:v1.4.0-rc3 shaba:v1.4.0-rc2 shaba:v1.3.8 shaba:v1.4.0-rc1 shaba:v1.3.7 shaba:v1.3.6 shaba:v1.3.5 shaba:v1.3.4 shaba:v1.3.3 shaba:v1.3.2 shaba:v1.3.1 shaba:v1.3.0 shaba:v1.3.0-rc3 shaba:v1.3.0-rc2 shaba:v1.3.0-rc1 shaba:v1.2.3 shaba:v1.2.2 shaba:v1.2.1 shaba:v1.2.0 shaba:v1.2.0-rc2 shaba:v1.2.0-rc1 shaba:v1.1.2 shaba:v1.1.1 shaba:v1.1.0 shaba:v1.1.0-rc4 shaba:v1.1.0-rc3 shaba:v1.1.0-rc2 shaba:v1.1.0-rc1 shaba:v1.0.3 shaba:v1.0.2 shaba:v1.0.1 shaba:v1.0.0 shaba:v1.0.0-rc3 shaba:v1.0.0-rc2 shaba:v1.0.0-rc1 shaba:v1.0.0-beta.809 shaba:v1.0.0-beta.804 shaba:v1.0.0-beta.794 shaba:v1.0.0-beta.784 shaba:v1.0.0-beta.771 shaba:v1.0.0-beta.767 shaba:v1.0.0-beta.756 shaba:v1.0.0-beta.754 shaba:v1.0.0-beta.744 shaba:v1.0.0-beta.732 shaba:v1.0.0-beta.723 shaba:v1.0.0-beta.721 shaba:v1.0.0-beta.712 shaba:v1.0.0-beta.704 shaba:v1.0.0-beta.695 shaba:v1.0.0-beta.692 shaba:v1.0.0-beta.682 shaba:v1.0.0-beta.676 shaba:v1.0.0-beta.673 shaba:v1.0.0-beta.666 shaba:v1.0.0-beta.652 shaba:v1.0.0-beta.644 shaba:v1.0.0-beta.621 shaba:v1.0.0-beta.614 shaba:v1.0.0-beta.610 shaba:v1.0.0-beta.601 shaba:v1.0.0-beta.582 shaba:v1.0.0-beta.576 shaba:v1.0.0-beta.573 shaba:v1.0.0-beta.555 shaba:v1.0.0-beta.548 shaba:v1.0.0-beta.545 shaba:v1.0.0-beta.524 shaba:v1.0.0-beta.513 shaba:v1.0.0-beta.508 shaba:v1.0.0-beta.505 shaba:v1.0.0-beta.484 shaba:v1.0.0-beta.481 shaba:v1.0.0-beta.475 shaba:v1.0.0-beta.470 shaba:v1.0.0-beta.453 shaba:v1.0.0-beta.442 shaba:v1.0.0-beta.440 shaba:v1.0.0-beta.436 shaba:v1.0.0-beta.433 shaba:v1.0.0-beta.427 shaba:v1.0.0-beta.421 shaba:v1.0.0-beta.416 shaba:v1.0.0-beta.408 shaba:v1.0.0-beta.404 shaba:v1.0.0-beta.395 shaba:v1.0.0-beta.392 shaba:v1.0.0-beta.374 shaba:v1.0.0-beta.366 shaba:v1.0.0-beta.355 shaba:v1.0.0-beta.352 shaba:v1.0.0-beta.341 shaba:v1.0.0-beta.339 shaba:v1.0.0-beta.324 shaba:v1.0.0-beta.300 shaba:v1.0.0-beta.291 shaba:v1.0.0-beta.289 shaba:v1.0.0-beta.287 shaba:v1.0.0-beta.280 shaba:v1.0.0-beta.277 shaba:v1.0.0-beta.254 shaba:v1.0.0-beta.247 shaba:v1.0.0-beta.224 shaba:v1.0.0-beta.220 shaba:v1.0.0-beta.212 shaba:v1.0.0-beta.211 shaba:v1.0.alpha.4c447985b63f8c90dcbde70b2eaef19d9a8c5ad2 shaba:v1.0.alpha.9830086790caf40ce30eb9ed5d317917f8157708 shaba:v1.0.alpha.3af21612b65fc578585a98c30090d1e613f791eb shaba:v1.0.alpha.a458018aa2ccb637abacfc696157e00321cf982f shaba:v1.0.alpha.4ded2682d2831ed703282b2f4585e17a62ee258e shaba:v1.0.alpha.0e683cc5355bc507dabac68bbc7559d3f179e185 shaba:v1.0.alpha.11781087cadf9068d1d0b43902b6161ee10ea458 shaba:v1.0.alpha.b42b170ad29a0f042ddee0f5a5098aa9a59a9c8e shaba:v1.0.alpha.a00eb81f0301f5e61024dea3b92ba632d6a61a8b shaba:v1.0.alpha.6c3c5578c64125838abbc437a0242e1742d6f47a shaba:v1.0.alpha.b84b95fe97df5c0f234d8693fbff03fa0d6a441b shaba:v1.0.alpha.1a5668377cc840a35d233a0eb817ee9bacf0ba3e shaba:v1.0.alpha.331cd173ce8ad858d767510fbcbc653e2dde657d shaba:v1.0.alpha.e0872b61579c8e6b8fc6124c8836660c11840f5d shaba:v1.0.alpha.99646544953d5793f18ccb22dae2458be4ba0e05 shaba:v1.0.alpha.7acc2beae0f0235d9408e8ed7a51f0ef3dae3aff shaba:v1.0.alpha.ac56c1310c46f9c18dcad9d7ec680926fae821bb shaba:v1.0.alpha.71b0e27517841ec7b911bafb109846ee96109f30 shaba:v1.0.alpha.60e9282f0adac48cbf283306ceb08ad7a31ac94b shaba:v1.0.alpha.522 shaba:v1.0.alpha.516 shaba:v1.0.alpha.506 shaba:v1.0.alpha.481 shaba:v1.0.alpha.477 shaba:v1.0.alpha.471 shaba:v1.0.alpha.469 shaba:v1.0.alpha.463 shaba:v1.0.alpha.450 shaba:v1.0.alpha.443 shaba:v1.0.alpha.439 shaba:v1.0.alpha.425 shaba:v1.0.alpha.421 shaba:v1.0.alpha.418 shaba:v1.0.alpha.412 shaba:v1.0.alpha.404 shaba:v1.0.alpha.392 shaba:v1.0.alpha.374 shaba:v1.0.alpha.367 shaba:v1.0.alpha.364 shaba:v1.0.alpha.361 shaba:v1.0.alpha.358 shaba:v1.0.alpha.357 shaba:v1.0.alpha.341 shaba:v1.0.alpha.338 shaba:v1.0.alpha.336 shaba:v1.0.alpha.333 shaba:v1.0.alpha.329 shaba:v1.0.alpha.311 shaba:v1.0.alpha.306 shaba:v1.0.alpha.302 shaba:v1.0.alpha.291 shaba:v1.0.alpha.290 shaba:v1.0.alpha.288 shaba:v1.0.alpha.285 shaba:v1.0.alpha.275 shaba:v1.0.alpha.274 shaba:v1.0.alpha.273 shaba:v1.0.alpha.272 shaba:v1.0.alpha.271 shaba:v1.0.alpha.270 shaba:v1.0.alpha.268 shaba:v1.0.alpha.269 shaba:v1.0.alpha.267 shaba:v1.0.alpha.266 shaba:v1.0.alpha.263 shaba:v1.0.alpha.257 shaba:v1.0.alpha.256 shaba:v1.0.alpha.251 shaba:v1.0.alpha.252 shaba:v1.0.alpha.250 shaba:v1.0.alpha.249 shaba:v1.0.alpha.247 shaba:v1.0.alpha.228 shaba:v1.0.alpha.217 shaba:v1.0.alpha.216 shaba:v1.0.alpha.215 shaba:v1.0.alpha.212 shaba:v1.0.alpha.200 shaba:v1.0.alpha.186 shaba:v1.0.alpha.182 shaba:v1.0.alpha.178 shaba:v1.0.alpha.176 shaba:v1.0.alpha.171 shaba:v1.0.alpha.170 shaba:v1.0.alpha.164 shaba:v1.0.alpha.157 shaba:v1.0

211 Commits
v2.4.1 ... v2.5.0

Author SHA1 Message Date
Romain
e0b442a48b Prepare release v2.5.0 2021-08-17 18:04:05 +02:00
Romain
bd1c84755b Update Go version to v1.17 2021-08-17 17:20:12 +02:00
Matthias Schneider
a7194e96e0 Fix dashboard title for TCP middlewares 2021-08-17 15:02:15 +02:00
romain
2bd60f9e60 Merge current v2.4 into v2.5 2021-08-17 10:05:22 +02:00
Romain
35a40c8727 Prepare release v2.4.14 2021-08-16 17:26:14 +02:00
Romain
7f62667569 Update mkdocs dependency version 2021-08-16 12:32:07 +02:00
Avtion
fd4ba585ee fix: an example code error in doc 2021-08-16 10:08:08 +02:00
mpl
81eb46e36d Prepare release v2.5.0-rc6 2021-08-13 18:04:15 +02:00
mpl
b7700e77bf Update Go version 2021-08-13 17:42:09 +02:00
Tristan Colgate-McFarlane
e73dd31619 redirect: fix comparison when explicit port request and implicit redirect port 
Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com>
Co-authored-by: Ludovic Fernandez <ldez@users.noreply.github.com>
 2021-08-11 17:10:12 +02:00
Jean-Baptiste Doumenjou
187ec26d8e Merge current v2.4 into v2.5 2021-08-05 18:09:23 +02:00
Jean-Baptiste Doumenjou
ef9b79f85c Remove unwanted trailing slash in key 
Co-authored-by: Mathieu Lonjaret <mathieu.lonjaret@gmail.com>
 2021-08-05 18:02:12 +02:00
Jean-Baptiste Doumenjou
32d88a977d Avoid unauthorized midlleware cross namespace reference 
Co-authored-by: Mathieu Lonjaret <mathieu.lonjaret@gmail.com>
Co-authored-by: Romain <rtribotte@users.noreply.github.com>
 2021-08-05 17:42:08 +02:00
Michael
547c380961 fix: change machine type for release 2021-08-05 10:08:06 +02:00
Fernandez Ludovic
848e23b489 fix: decrease semaphoreci machine type 2021-08-03 20:15:21 +02:00
mmatur
d63cb1b4d6 Prepare release v2.5.0-rc5 2021-08-03 19:58:08 +02:00
mmatur
c45de0d8bc fix: increase semaphoreci machine type 2021-08-03 19:45:33 +02:00
Jean-Baptiste Doumenjou
5c18967f06 Prepare release v2.5.0-rc4 2021-08-03 18:42:11 +02:00
Jean-Baptiste Doumenjou
e78f172f02 Merge current v2.4 into v2.5 2021-08-03 17:04:58 +02:00
mpl
4fc077a5d2 Prepare release v2.4.13 2021-07-30 16:50:07 +02:00
Romain
7f307d60c4 Kubernetes: detect changes for resources other than endpoints 2021-07-30 15:08:10 +02:00
Ludovic Fernandez
b386964abc fix: remove hop-by-hop headers define in connection header beore some middleware 
Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com>
 2021-07-30 12:20:07 +02:00
romain
4b456f3b76 Merge current v2.4 into v2.5 2021-07-28 14:40:49 +02:00
Michael
319e3065f0 fix: upgrade k3s version 2021-07-28 14:28:11 +02:00
Michael
a48a8a97a1 fix: restore cache only once 2021-07-27 19:16:06 +02:00
Jean-Baptiste Doumenjou
8be434aaad Prepare release v2.4.12 2021-07-26 18:08:09 +02:00
mpl
d9fc775084 ratelimiter: use correct ttlSeconds value, and always call Set 
Co-authored-by: Romain <rtribotte@users.noreply.github.com>
Co-authored-by: Daniel Tomcej <daniel.tomcej@gmail.com>
 2021-07-26 17:20:27 +02:00
Tom Moulard
2d95c37ea4 Merge current v2.4 into v2.5 2021-07-23 11:26:15 +02:00
Michael
e12630ef06 feat: Add new CI system 2021-07-23 11:00:07 +02:00
Jean-Baptiste Doumenjou
48bd279311 Prepare release v2.5.0-rc3 2021-07-20 16:26:08 +02:00
romain
a5b169c563 Merge current v2.4 into v2.5 2021-07-20 14:06:13 +02:00
Romain
bc5e621683 Get Kubernetes server version early 2021-07-20 13:02:10 +02:00
Ludovic Fernandez
1e69939532 Update yaegi to v0.9.21 2021-07-20 11:58:06 +02:00
Tom Moulard
d8156ef625 Fix dashboard to display middleware details 2021-07-20 10:36:06 +02:00
Daniel Tomcej
c2c4dc9b58 Don't remove ingress config on API call failure 2021-07-19 20:06:07 +02:00
Ludovic Fernandez
ffd4e207a4 Downgrade yaegi to v0.9.19 2021-07-19 18:54:04 +02:00
romain
bd3271aff0 Merge current v2.4 into v2.5 2021-07-19 15:18:38 +02:00
Romain
0664f5a9ca Fix KV reference documentation 2021-07-19 14:54:14 +02:00
Tom Moulard
c515ace328 Library change for compress middleware to increase performance 2021-07-19 10:22:14 +02:00
Daniel Tomcej
8d4620dc53 check if defaultcertificate is defined in store 2021-07-19 09:58:14 +02:00
Jean-Baptiste Doumenjou
16f65f669b Update Gateway API version to v0.3.0 
Co-authored-by: Tom Moulard <tom.moulard@traefik.io>
 2021-07-15 17:20:08 +02:00
Romain
2a2f7f783f Prepare release v2.4.11 2021-07-15 16:48:11 +02:00
Ludovic Fernandez
6ae50389e6 Update code generator for plugin's dyn conf 2021-07-15 15:58:08 +02:00
Jean-Baptiste Doumenjou
87fd51d7ec Fix migration guide 2021-07-15 14:40:13 +02:00
Mohammad Gufran
7e43e5615e Add Support for Consul Connect 
Co-authored-by: Florian Apolloner <apollo13@users.noreply.github.com>
 2021-07-15 14:02:11 +02:00
Jean-Baptiste Doumenjou
985f8778e9 fix doc verify script (#8266) 2021-07-15 00:09:51 +02:00
romain
3a180e2afc Merge current v2.4 into v2.5 2021-07-13 18:12:29 +02:00
Jean-Baptiste Doumenjou
2f47bb0df6 Prepare release v2.4.10 2021-07-13 16:54:08 +02:00
Daniel Tomcej
7e0f0d9d11 Ignore http 1.0 request host missing errors 2021-07-13 15:30:20 +02:00
Jean-Baptiste Doumenjou
e1f5866989 Detect certificates content modifications 
Co-authored-by: Romain <rtribotte@users.noreply.github.com>
Co-authored-by: Mathieu Lonjaret <mathieu.lonjaret@gmail.com>
 2021-07-13 14:14:35 +02:00
Daniel Tomcej
3c1ed0d9b2 Disable ExternalName Services by default on Kubernetes providers 2021-07-13 12:54:09 +02:00
Daniel Tomcej
10ab39c33b Add *headers.responseModifier CloseNotify() 2021-07-13 12:28:07 +02:00
Daniel Tomcej
3072354ca5 Disable Cross-Namespace by default for IngressRoute provider 2021-07-13 10:48:05 +02:00
Romain
14499cd6e5 Fix: Add dedicated integration tests targets for CI 2021-07-12 18:32:10 +02:00
Ludovic Fernandez
5d3dc3348e accesslog: multiple times the same header name. 2021-07-09 14:22:13 +02:00
Tom Moulard
f8db285d5d Update generated and reference doc for plugins 
Co-authored-by: Romain <rtribotte@users.noreply.github.com>
 2021-06-29 17:02:13 +02:00
Fernandez Ludovic
1f880662d6 Prepare release v2.5.0-rc2 2021-06-28 20:43:21 +02:00
Fernandez Ludovic
febab86682 chore: increase goreleaser timeout. 2021-06-28 20:41:51 +02:00
Romain
8070dfef45 Prepare release v2.5.0-rc1 2021-06-28 18:00:12 +02:00
romain
fc69f882c5 Merge current v2.4 into master 2021-06-28 10:07:17 +02:00
mpl
838a8e18d3 healthcheck: add support at the load-balancers of services level 
Co-authored-by: Dmitry Sharshakov <d3dx12.xx@gmail.com>
Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com>
Co-authored-by: Jean-Baptiste Doumenjou <925513+jbdoumenjou@users.noreply.github.com>
Co-authored-by: Romain <rtribotte@users.noreply.github.com>
Co-authored-by: Tom Moulard <tom.moulard@traefik.io>
 2021-06-25 21:08:11 +02:00
Ludovic Fernandez
5e3e47b484 Local private plugins. 
Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com>
 2021-06-25 15:50:09 +02:00
Wei Lun
6d8512bda0 Add the list of available provider names 2021-06-24 18:34:05 +02:00
Romain
cd68cbd3ea Fix: malformed Kubernetes resource names and references in tests 2021-06-24 17:32:07 +02:00
Wei Lun
55845c95bb docs: fix invalid subdomain 2021-06-24 11:28:05 +02:00
romain
a243ac4dde Merge current v2.4 into master 2021-06-24 08:53:12 +02:00
Ludovic Fernandez
a01cbb42c7 Convert issue templates to issue forms. 2021-06-24 08:52:13 +02:00
patricia
b5da5760a2 Typos in contributing section 2021-06-23 05:28:09 +02:00
patricia
c190b160e9 fix maintainers-guidelines page title 2021-06-23 00:40:10 +02:00
romain
ce2e02b690 Merge current v2.4 into master 2021-06-22 14:44:56 +02:00
Tobias
5dab09c42b Remove microbadger (Shutdown) 2021-06-22 10:00:11 +02:00
Daniel Tomcej
03b08d67f0 chore: upgrade linter 2021-06-22 00:08:06 +02:00
Jean-Baptiste Doumenjou
5841c9a7a5 Prepare release v2.4.9 2021-06-21 17:00:09 +02:00
Michael
ed9b1bea3f Use github action to check and verify doc 2021-06-21 16:04:13 +02:00
Wei Lun
dca348359b add permissionsPolicy and deprecate featurePolicy 2021-06-21 15:16:13 +02:00
Romain
cf0759a48f Update documentation references 2021-06-21 11:54:08 +02:00
Tom Moulard
c9df233d24 Changing default file format for the snippets from TOML to YAML 2021-06-19 00:08:08 +02:00
Ludovic Fernandez
99a23b0414 Use a dynamic buffer to handle client Hello SNI detection 2021-06-18 19:24:17 +02:00
Daniel Tomcej
95e0633b2f Create buffered signals channel 2021-06-18 18:43:10 +02:00
Maël Valais
5ca210fa60 gateway-api: fix the "values" field in the example of httproute 2021-06-18 18:14:07 +02:00
Michael
2ccdc419d0 Override jaeger configuration with env variables 2021-06-18 18:10:05 +02:00
Andreas Fitzek
9af0e705a5 Update Elastic APM from 1.7.0 to 1.11.0 2021-06-17 09:52:05 +02:00
Rio Kierkels
0a3e40332a Improve CA certificate loading from kubernetes secret 2021-06-14 18:06:10 +02:00
Florian Apolloner
a758d18e51 Fixed BIND_DIR quoting 2021-06-14 16:26:07 +02:00
Richard Kojedzinszky
f15d05b22f tls Manager: do not build a default certificate for ACME challenges store 
Co-authored-by: Mathieu Lonjaret <mathieu.lonjaret@gmail.com>
Co-authored-by: Romain <rtribotte@users.noreply.github.com>
 2021-06-14 10:06:05 +02:00
Romain
fc9f41b955 Add TCP Middlewares support 2021-06-11 15:30:05 +02:00
Jakub Hajek
fd1eae4f07 Adding formatting to the document. 2021-06-11 12:28:11 +02:00
Romain
51ee77b96f Explains Traefik HTTP response status codes 
Co-authored-by: Jean-Baptiste Doumenjou <925513+jbdoumenjou@users.noreply.github.com>
Co-authored-by: Tom Moulard <tom.moulard@traefik.io>
 2021-06-11 10:00:14 +02:00
Ludovic Fernandez
b03c5ff5ce Update go-acme/lego to v4.4.0 2021-06-08 23:50:05 +02:00
Moritz E. Beber
521fed1fea Elaborate on possible use of status codes with the errors middleware 2021-06-08 19:02:05 +02:00
Tom Moulard
679def0151 Add routing IP rule matcher 
Co-authored-by: Jean-Baptiste Doumenjou <925513+jbdoumenjou@users.noreply.github.com>
Co-authored-by: Romain <rtribotte@users.noreply.github.com>
 2021-06-07 18:14:09 +02:00
mpl
2560626419 doc: clarify usage for ratelimit's excludedIPs 2021-06-07 17:46:14 +02:00
Leonardo Araoz
e5024d5d0a Upgrade Node version to LTS on webui folder 2021-06-03 12:00:09 +02:00
Jakub Hajek
c10c7619d3 Adding Maintainers Guidelines 2021-06-02 18:02:06 +02:00
Julien Salleyron
dd04c432e9 Support not in rules definition 2021-05-31 18:58:05 +02:00
Jean-Baptiste Doumenjou
b1fd3b8fc7 fix for review 2021-05-28 17:38:46 +02:00
Wouter Dullaert
456df0fc19 feat: Add ServersTransport annotation to k8s ingress provider 2021-05-28 17:38:46 +02:00
Tom Moulard
526f493e12 Removes headers middleware options 2021-05-28 09:24:14 +02:00
Tom Moulard
5632ee6378 Deprecates ssl redirect headers middleware options 2021-05-28 08:50:09 +02:00
Jakub Coufal
1680f00091 Fix incorrect behaviour with multi-port endpoint subsets 2021-05-28 00:58:07 +02:00
Danshil Kokil Mungur
376b6f90d9 docs: add pilot dashboard flag to static configuration file reference 2021-05-27 12:16:08 +02:00
Ludovic Fernandez
21c0195d29 fix: ACME preferred chain. 2021-05-20 15:08:12 +02:00
Tom Moulard
56f845c71a gatewayapi: adding support for TCPRoute and TLSRoute 
Co-authored-by: Jean-Baptiste Doumenjou <925513+jbdoumenjou@users.noreply.github.com>
 2021-05-20 11:50:12 +02:00
Sandro
d6d639d4d7 docs: add examples for removing headers 2021-05-17 18:07:25 +02:00
Manuel Zapf
e1e1fd640c Upgrade IngressClass to use v1 over v1Beta on Kube 1.19+ 2021-05-17 16:50:09 +02:00
Douglas De Toni Machado
2408eeceba Fix plugin unzip call on windows 2021-05-17 12:10:09 +02:00
LandryBe
6ae194934d fix: use defaultEntryPoints when no entryPoint is defined in a TCPRouter 2021-05-11 16:46:14 +02:00
Ludovic Fernandez
63ef0f1cee Add plugin's support for provider 
Co-authored-by: Julien Salleyron <julien@traefik.io>
 2021-05-11 16:14:10 +02:00
Henning
de2437cfec kubernetes: remove logging of changed object with cast 2021-05-10 09:42:06 +02:00
Luca Berneking
32e08f3510 Add k8s provider option to create services without endpoints 2021-05-06 18:12:10 +02:00
Romain
40f21f41e1 Fix ingressRouteTCP external name service examples in documentation 2021-05-06 12:04:08 +02:00
Ludovic Fernandez
ee12424795 Bump paerser to v0.1.4 2021-05-06 09:32:04 +02:00
Tom Moulard
0b48d5d0d2 Fix: regenerate crd 2021-05-05 17:50:04 +02:00
Jorge Arco
080cf98e51 Add router metrics 2021-04-30 10:22:04 +02:00
Tom Moulard
dc8d5ef744 Add a mechanism to format the sticky cookie value 
Co-authored-by: Jean-Baptiste Doumenjou <925513+jbdoumenjou@users.noreply.github.com>
 2021-04-29 17:56:03 +02:00
Joel Berger
70a02158e5 Add wildcard hostname rule to kubernetes gateway 2021-04-29 17:18:04 +02:00
Henning
ab71dad51a [kubernetes] ignore empty endpoint changes 2021-04-29 16:20:03 +02:00
Tom Moulard
0624cefc10 Merge branch 'master' into mrg-current-v2.4 2021-04-29 14:24:07 +02:00
Tom Moulard
56b26421a5 fix: remove linode link health check 2021-04-29 12:22:03 +02:00
Marc Vertes
ea8ba87aeb doc: fix a syntax error in ratelimit TOML configuration sample 2021-04-27 20:26:04 +02:00
Ludovic Fernandez
08b258a2cb Update Yaegi to v0.9.17 2021-04-27 20:16:04 +02:00
Tom Moulard
ac486d3d1d Merge current branch v2.4 into master 2021-04-21 11:39:53 +02:00
Tom Moulard
e096bf6b62 fix: k8s gateway api link 
Co-authored-by: Jean-Baptiste Doumenjou <925513+jbdoumenjou@users.noreply.github.com>
 2021-04-21 10:28:03 +02:00
Sylvain Rabot
e28b33b53b Upgrade github.com/lucas-clemente/quic-go 2021-04-18 00:38:03 +02:00
Martin Vizvary
5814ba5322 Kubernetes ingress provider to search via all endpoints 2021-04-15 18:16:04 +02:00
Kevin Crawley
be81ce244e Error span on 5xx only 2021-04-14 12:20:03 +02:00
Jean-Baptiste Doumenjou
d3a3aeb0fc Merge current branch v2.4 into master 2021-04-14 09:51:12 +02:00
Jean-Baptiste Doumenjou
fe6acdf4d2 Fix Kubernetes Gateway API documentation links 2021-04-13 18:26:03 +02:00
Jean-Baptiste Doumenjou
702e0a461a Merge current branch v2.4 into master 2021-04-13 14:17:39 +02:00
Tom Moulard
46d6da4fce Docs: installing deps for html-proofer 
Co-authored-by: Jean-Baptiste Doumenjou <925513+jbdoumenjou@users.noreply.github.com>
 2021-04-13 14:02:04 +02:00
Clemens Bergmann
aa61835b78 correct annotation option 2021-04-06 17:18:03 +02:00
mpl
2a1e46c8b6 doc: typo fix 2021-04-01 12:05:03 +02:00
Jean-Baptiste Doumenjou
cb4fb973b2 Merge current branch v2.4 into master 2021-03-31 09:43:04 +02:00
Tom Moulard
513f6e9a68 Remove error when HTTProutes is empty 
Co-authored-by: Jean-Baptiste Doumenjou <925513+jbdoumenjou@users.noreply.github.com>
 2021-03-30 16:32:03 +02:00
Fernandez Ludovic
ad980334d1 doc: remove dead page. 2021-03-30 14:51:30 +02:00
jcuzzi
d13d078351 Add ability to disable HTTP/2 in dynamic config 2021-03-29 14:32:03 +02:00
Tom Moulard
947798b44c Fix ServersTransport documentation 2021-03-29 14:18:03 +02:00
Ludovic Fernandez
ed427616d4 chore: update linter 2021-03-29 09:20:03 +02:00
Romain
297921182c Add metrics documentation 
Co-authored-by: Tom Moulard <tom.moulard@traefik.io>
 2021-03-25 16:52:04 +01:00
Sylvain Rabot
31a5f3591f Allow to define datadogs metrics endpoint with env vars 2021-03-23 17:48:04 +01:00
Romain
32655b5b16 Prepare release v2.4.8 2021-03-23 16:34:04 +01:00
HMH
8947f85ddd Improve host name resolution for TCP proxy 2021-03-23 11:24:03 +01:00
Romain
a513a05b7a Raise errors for non-ASCII domain names in a router's rules 2021-03-22 21:16:04 +01:00
Tom Moulard
1e716a93ff Adding an option to (de)activate Pilot integration into the Traefik dashboard 
Co-authored-by: Jean-Baptiste Doumenjou <925513+jbdoumenjou@users.noreply.github.com>
 2021-03-22 19:18:04 +01:00
Fabian
06fc2c505f Doc: improve basic auth middleware httpasswd example 2021-03-22 15:26:03 +01:00
Deepyaman Datta
6fcea91d1f Add missing traefik. prefix across sample config 2021-03-19 09:12:04 +01:00
Tom Moulard
93d099a2f0 Fix travis docker image pulling for docs 2021-03-16 12:08:04 +01:00
Manuel Zapf
29908098e4 Upgrade Ingress Handling to work with networkingv1/Ingress 2021-03-15 11:16:04 +01:00
Corey McGalliard
e5983d96f7 updating docs to remove a no longer needed note 2021-03-15 10:46:03 +01:00
Jean-Baptiste Doumenjou
08e6ae07af Update to gateway-api v0.2.0 
Co-authored-by: Romain <rtribotte@users.noreply.github.com>
 2021-03-15 09:44:03 +01:00
Matthias Schneider
49b46a9a3f server: updating go-proxyproto with security bugfix from upstream 2021-03-15 09:16:03 +01:00
Ludovic Fernandez
36c316f39c Update go-acme/lego to v4.3.1 2021-03-12 14:38:07 +01:00
Ludovic Fernandez
7e76abc067 Update go-acme/lego to v4.3.0 2021-03-11 09:52:04 +01:00
Jean-Baptiste Doumenjou
702e301990 Merge current branch v2.4 into master 2021-03-09 12:05:08 +01:00
Jean-Baptiste Doumenjou
b1e11f3e88 Prepare release v2.4.7 2021-03-08 18:04:03 +01:00
Ludovic Fernandez
09d5f59701 fix: double close chan on TLS challenge 
Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com>
 2021-03-08 11:18:04 +01:00
Julien Salleyron
3c8675bb8b Fix flaky tests. 
Co-authored-by: Ludovic Fernandez <ldez@users.noreply.github.com>
 2021-03-08 09:58:04 +01:00
Ludovic Fernandez
71ca237478 Add new GitHub issue chooser. 2021-03-08 09:40:04 +01:00
dom3k
0e4b6d36fd Use Docker dependency directly without replace directive 2021-03-07 22:26:03 +01:00
Marc Vertes
e898080460 feature: tune transport buffer size to increase performance 2021-03-05 14:30:04 +01:00
Romain
bdba7d3adf Update to go1.16 2021-03-04 20:08:03 +01:00
Tom Moulard
606b43dc51 Clarify doc for ingressclass name in k8s 1.18+ 2021-03-04 09:24:03 +01:00
Ludovic Fernandez
2e7833df49 chore: update linter. 2021-03-04 09:02:03 +01:00
Romain
ec0d03658d Fix ServersTransport documentation 
Co-authored-by: mpl <mathieu.lonjaret@gmail.com>
 2021-03-03 16:48:04 +01:00
Jean-Baptiste Doumenjou
992d4c1b94 Upgrade the CRD version from apiextensions.k8s.io/v1beta1 to apiextensions.k8s.io/v1 
Co-authored-by: kevinpollet <pollet.kevin@gmail.com>
 2021-03-03 15:32:04 +01:00
Jean-Baptiste Doumenjou
d2d7cf14e5 Bump paerser to v0.1.2 2021-03-03 12:46:03 +01:00
Tom Moulard
e658712d53 Filter ingress class resources by name 
Co-authored-by: SantoDE <manuel.zapf@traefik.io>
 2021-03-02 21:34:03 +01:00
Jean-Baptiste Doumenjou
40cd6ada4f Prepare release v2.4.6 2021-03-01 19:14:03 +01:00
wouter bolsterlee
c843c182e4 Address all shellcheck warnings 2021-02-26 14:34:04 +01:00
Tom Moulard
c35a8bdb15 Fixing doc for default value of checknewversion 2021-02-26 10:20:03 +01:00
Julien Salleyron
dd0701dd16 fix: wait for file and internal before applying configurations 
Co-authored-by: Ludovic Fernandez <ldez@users.noreply.github.com>
 2021-02-25 17:20:04 +01:00
Ludovic Fernandez
32500773b8 Update Yaegi to v0.9.13 2021-02-24 17:06:03 +01:00
Mal Curtis
e7d3f4316f Fix typo in routing/services/index.md 2021-02-22 20:28:05 +01:00
romain
438eec720a Merge v2.4 into master 2021-02-22 09:40:24 +01:00
Vasilis Gerakaris
4b38d7368f Fix reflink typo in file provider documentation 2021-02-19 18:48:03 +01:00
Kevin Pollet
dce6a86900 Fix Kubernetes Gateway API documentation links 2021-02-19 17:16:03 +01:00
Romain
dc9c558c06 Prepare release v2.4.5 2021-02-18 18:04:03 +01:00
Romain
b8a466c571 Prepare release v2.4.4 2021-02-18 15:28:03 +01:00
Manuel Zapf
bae28c5f57 Only allow iframes to be loaded from our domain 2021-02-18 14:54:03 +01:00
romain
1b21f0723f Merge v2.4 into master 2021-02-16 11:12:09 +01:00
Romain
911c439858 Prepare release v2.4.3 2021-02-15 16:52:03 +01:00
Ludovic Fernandez
f81f85cea2 Add missing doc about servers transport. 2021-02-15 12:04:04 +01:00
Michael
1325cc5cd0 Add seo support 2021-02-12 19:08:04 +01:00
Jean-Baptiste Doumenjou
951d61bfcd Apply content type exclusion on response 
Co-authored-by: kevinpollet <pollet.kevin@gmail.com>
 2021-02-12 12:12:03 +01:00
Brendan Le Glaunec
0937cba870 Provider documentation fixes 2021-02-11 19:04:03 +01:00
Ludovic Fernandez
5597d7633d Fix TLS challenge timeout and validation error 
Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com>
 2021-02-11 16:32:03 +01:00
Brendan Le Glaunec
502c88ee3f Middleware documentation fixes 2021-02-11 14:34:04 +01:00
Florian Apolloner
5ef6297daa Fixed typo in consul catalog tests. 2021-02-10 14:48:03 +01:00
Matthew Landauer
9e33e23b8b Add HEAD as available option for Method 2021-02-04 17:04:04 +01:00
Jean-Baptiste Doumenjou
16d00ccffb Fix the static reference documentation for the internal redirection router. 2021-02-04 11:44:03 +01:00
Jean-Baptiste Doumenjou
d211437d6c Merge v2.4 into master 2021-02-04 10:40:53 +01:00
Jean-Baptiste Doumenjou
7996a42f76 Allow crossprovider service reference 
Co-authored-by: Harold Ozouf <harold.ozouf@gmail.com>
 2021-02-02 19:36:04 +01:00
Jean-Baptiste Doumenjou
f482e5e84a Prepare release v2.4.2 2021-02-02 18:06:04 +01:00
Jean-Baptiste Doumenjou
447c3567b4 Fix the redirect entrypoint default priority 2021-02-02 17:42:04 +01:00
Jean-Baptiste Doumenjou
3c5e6fe7f8 Fix the static configuration generation for environment variables 2021-02-02 17:10:03 +01:00
Ludovic Fernandez
bf4a578bbb fix: infinite loop in forwarded header middleware. 
Co-authored-by: kevinpollet <pollet.kevin@gmail.com>
 2021-02-02 11:40:04 +01:00
kevinpollet
2461e36ed4 Merge branch v2.4 into master 2021-01-25 12:42:23 +01:00
Sune Keller
2bbb6fc427 Update sprig to v3.2.0 2021-01-20 15:10:04 +01:00
kevinpollet
2747e240c1 Merge branch v2.4 into master 2021-01-20 10:50:21 +01:00
Romain
4b370930b5 Mutualize TLS version and cipher code 2021-01-20 04:08:03 +01:00
na4ma4
b05a5c818d Add TLS version and cipher to the accessLog 2021-01-19 09:52:06 +01:00
Kevin Pollet
41d22ef17e Improve kubernetes external name service support for UDP 2021-01-19 09:30:05 +01:00
Cirrith
bbee63fcf3 Add named port support to Kubernetes IngressRoute CRDs 2021-01-15 15:54:04 +01:00
Fernandez Ludovic
b1ddd0e038 Merge branch v2.4 into master 2021-01-15 14:21:59 +01:00
romain
f742671bbe Merge branch v2.4 into master 2021-01-14 18:29:48 +01:00
kevinpollet
ed5321999c Merge branch v2.4 into master 2021-01-13 09:21:20 +01:00
Linden Krouse
fc7ec17905 Feature: add udp timeout configuration 2021-01-07 17:16:03 +01:00
Julien Salleyron
e5a01c7cc8 Add HTTP3 support (experimental) 
Co-authored-by: Ludovic Fernandez <ldez@users.noreply.github.com>
 2021-01-07 14:48:04 +01:00
Michael
0509b6fdb9 Merge branch v2.4 into master 2021-01-06 18:59:45 +01:00
Gian Ortiz
759d17547a Use Datadog tracer environment variables to setup default config 2021-01-06 17:08:03 +01:00
Sylvain Rabot
a3327c4430 Add TLS certs expiration metric 2020-12-18 18:44:03 +01:00
615 changed files with 37801 additions and 11185 deletions
Expand all files Collapse all files

82
.github/ISSUE_TEMPLATE/Bug_report.md vendored
View File

@@ -1,82 +0,0 @@
---
name: Bug report
about: Create a report to help us improve
---
<!-- PLEASE FOLLOW THE ISSUE TEMPLATE TO HELP TRIAGE AND SUPPORT! -->
### Do you want to request a *feature* or report a *bug*?
<!--
DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
The issue tracker is for reporting bugs and feature requests only.
For end-user related support questions, please refer to one of the following:
- the Traefik community forum: https://community.containo.us/
-->
Bug
<!--
The configurations between 1.X and 2.X are NOT compatible.
Please have a look here https://doc.traefik.io/traefik/getting-started/configuration-overview/.
-->
### What did you do?
<!--
HOW TO WRITE A GOOD BUG REPORT?
- Respect the issue template as much as possible.
- The title should be short and descriptive.
- Explain the conditions which led you to report this issue: the context.
- The context should lead to something, an idea or a problem that youre facing.
- Remain clear and concise.
- Format your messages to help the reader focus on what matters and understand the structure of your message, use Markdown syntax https://help.github.com/articles/github-flavored-markdown
-->
### What did you expect to see?
### What did you see instead?
### Output of `traefik version`: (_What version of Traefik are you using?_)
<!--
`latest` is not considered as a valid version.
For the Traefik Docker image:
docker run [IMAGE] version
ex: docker run traefik version
-->
```
(paste your output here)
```
### What is your environment & configuration (arguments, toml, provider, platform, ...)?
```toml
# (paste your configuration here)
```
<!--
Add more configuration information here.
-->
### If applicable, please paste the log output in DEBUG level (`--log.level=DEBUG` switch)
```
(paste your output here)
```

35
.github/ISSUE_TEMPLATE/Feature_request.md vendored
View File

@@ -1,35 +0,0 @@
---
name: Feature request
about: Suggest an idea for this project
---
<!-- PLEASE FOLLOW THE ISSUE TEMPLATE TO HELP TRIAGE AND SUPPORT! -->
### Do you want to request a *feature* or report a *bug*?
<!--
DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
The issue tracker is for reporting bugs and feature requests only.
For end-user related support questions, please refer to one of the following:
- the Traefik community forum: https://community.containo.us/
-->
Feature
### What did you expect to see?
<!--
HOW TO WRITE A GOOD ISSUE?
- Respect the issue template as much as possible.
- The title should be short and descriptive.
- Explain the conditions which led you to report this issue: the context.
- The context should lead to something, an idea or a problem that youre facing.
- Remain clear and concise.
- Format your messages to help the reader focus on what matters and understand the structure of your message, use Markdown syntax https://help.github.com/articles/github-flavored-markdown
-->

80
.github/ISSUE_TEMPLATE/bug_report.yml vendored Normal file
View File

@@ -0,0 +1,80 @@
name: Bug Report (Traefik)
description: Create a report to help us improve.
body:
- type: checkboxes
id: terms
attributes:
label: Welcome!
description: |
The issue tracker is for reporting bugs and feature requests only. For end-user related support questions, please refer to one of the following:
- the Traefik community forum: https://community.containo.us/
The configurations between 1.X and 2.X are NOT compatible. Please have a look [here](https://doc.traefik.io/traefik/getting-started/configuration-overview/).
DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
options:
- label: Yes, I've searched similar issues on [GitHub](https://github.com/traefik/traefik/issues) and didn't find any.
required: true
- label: Yes, I've searched similar issues on the [Traefik community forum](https://community.containo.us) and didn't find any.
required: true
- type: textarea
attributes:
label: What did you do?
description: |
How to write a good bug report?
- Respect the issue template as much as possible.
- The title should be short and descriptive.
- Explain the conditions which led you to report this issue: the context.
- The context should lead to something, an idea or a problem that youre facing.
- Remain clear and concise.
- Format your messages to help the reader focus on what matters and understand the structure of your message, use [Markdown syntax](https://help.github.com/articles/github-flavored-markdown)
placeholder: What did you do?
validations:
required: true
- type: textarea
attributes:
label: What did you see instead?
placeholder: What did you see instead?
validations:
required: true
- type: textarea
attributes:
label: What version of Traefik are you using?
description: |
`latest` is not considered as a valid version.
Output of `traefik version`.
For the Traefik Docker image (`docker run [IMAGE] version`), example:
```console
$ docker run traefik version
```
placeholder: Paste your output here.
validations:
required: true
- type: textarea
attributes:
label: What is your environment & configuration?
description: arguments, toml, provider, platform, ...
placeholder: Add information here.
value: |
```yaml
# (paste your configuration here)
```
Add more configuration information here.
validations:
required: true
- type: textarea
attributes:
label: If applicable, please paste the log output in DEBUG level
description: "`--log.level=DEBUG` switch."
placeholder: Paste your output here.
validations:
required: false

8
.github/ISSUE_TEMPLATE/config.yml vendored Normal file
View File

@@ -0,0 +1,8 @@
blank_issues_enabled: false
contact_links:
- name: Traefik Community Support
url: https://community.traefik.io/
about: If you have a question, or are looking for advice, please post on our Discuss forum! The community loves to chime in to help. Happy Coding!
- name: Traefik Helm Chart Issues
url: https://github.com/traefik/traefik-helm-chart
about: Are you submitting an issue or feature enhancement for the Traefik helm chart? Please post in the traefik-helm-chart GitHub Issues.

33
.github/ISSUE_TEMPLATE/feature-request.yml vendored Normal file
View File

@@ -0,0 +1,33 @@
name: Feature Request (Traefik)
description: Suggest an idea for this project.
body:
- type: checkboxes
id: terms
attributes:
label: Welcome!
description: |
The issue tracker is for reporting bugs and feature requests only. For end-user related support questions, please refer to one of the following:
- the Traefik community forum: https://community.containo.us/
DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS.
options:
- label: Yes, I've searched similar issues on [GitHub](https://github.com/traefik/traefik/issues) and didn't find any.
required: true
- label: Yes, I've searched similar issues on the [Traefik community forum](https://community.containo.us) and didn't find any.
required: true
- type: textarea
attributes:
label: What did you expect to see?
description: |
How to write a good issue?
- Respect the issue template as much as possible.
- The title should be short and descriptive.
- Explain the conditions which led you to report this issue: the context.
- The context should lead to something, an idea or a problem that youre facing.
- Remain clear and concise.
- Format your messages to help the reader focus on what matters and understand the structure of your message, use [Markdown syntax](https://help.github.com/articles/github-flavored-markdown)
placeholder: What did you expect to see?
validations:
required: true

4
.github/PULL_REQUEST_TEMPLATE.md vendored
View File

@@ -3,11 +3,11 @@ PLEASE READ THIS MESSAGE.
Documentation fixes or enhancements:
- for Traefik v1: use branch v1.7
- for Traefik v2: use branch v2.4
- for Traefik v2: use branch v2.5
Bug fixes:
- for Traefik v1: use branch v1.7
- for Traefik v2: use branch v2.4
- for Traefik v2: use branch v2.5
Enhancements:
- for Traefik v1: we only accept bug fixes

82
.github/workflows/build.yaml vendored Normal file
View File

@@ -0,0 +1,82 @@
name: Build Binaries
on:
pull_request:
branches:
- '*'
env:
GO_VERSION: 1.17
CGO_ENABLED: 0
PRE_TARGET: ""
jobs:
build-webui:
runs-on: ubuntu-20.04
steps:
- name: Check out code
uses: actions/checkout@v2
with:
fetch-depth: 0
- name: Build webui
run: |
make generate-webui
tar czvf webui.tar.gz ./static/
- name: Artifact webui
uses: actions/upload-artifact@v2
with:
name: webui.tar.gz
path: webui.tar.gz
build:
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ ubuntu-20.04, macos-latest, windows-latest ]
needs:
- build-webui
defaults:
run:
working-directory: ${{ github.workspace }}/go/src/github.com/traefik/traefik
steps:
- name: Set up Go ${{ env.GO_VERSION }}
uses: actions/setup-go@v2
with:
go-version: ${{ env.GO_VERSION }}
- name: Check out code
uses: actions/checkout@v2
with:
path: go/src/github.com/traefik/traefik
fetch-depth: 0
- name: Cache Go modules
uses: actions/cache@v2
with:
path: |
~/go/pkg/mod
~/.cache/go-build
~/Library/Caches/go-build
'%LocalAppData%\go-build'
key: ${{ runner.os }}-build-go-${{ hashFiles('**/go.sum') }}
restore-keys: ${{ runner.os }}-build-go-
- name: Installing dependencies
run: go install github.com/containous/go-bindata/go-bindata@v1.0.0
- name: Artifact webui
uses: actions/download-artifact@v2
with:
name: webui.tar.gz
path: ${{ github.workspace }}/go/src/github.com/traefik/traefik
- name: Untar webui
run: tar xvf webui.tar.gz
- name: Build
run: make binary

21
.github/workflows/check_doc.yml vendored Normal file
View File

@@ -0,0 +1,21 @@
name: Check Documentation
on:
pull_request:
branches:
- '*'
jobs:
docs:
name: Check, verify and build documentation
runs-on: ubuntu-20.04
steps:
- name: Check out code
uses: actions/checkout@v2
with:
fetch-depth: 0
- name: Check documentation
run: make docs-pull-images docs

16
.github/workflows/documentation.yml vendored
View File

@@ -6,18 +6,18 @@ on:
- master
- v*
env:
STRUCTOR_VERSION: v1.11.2
MIXTUS_VERSION: v0.4.1
jobs:
docs:
name: Doc Process
runs-on: ubuntu-latest
runs-on: ubuntu-20.04
if: github.repository == 'traefik/traefik'
env:
STRUCTOR_VERSION: v1.11.2
MIXTUS_VERSION: v0.4.1
steps:
- name: Check out code
uses: actions/checkout@v2
with:
@@ -32,6 +32,9 @@ jobs:
- name: Install Structor ${{ env.STRUCTOR_VERSION }}
run: curl -sSfL https://raw.githubusercontent.com/traefik/structor/master/godownloader.sh | sh -s -- -b $HOME/bin ${STRUCTOR_VERSION}
- name: Install Seo-doc
run: curl -sSfL https://raw.githubusercontent.com/traefik/seo-doc/master/godownloader.sh | sh -s -- -b "${HOME}/bin"
- name: Install Mixtus ${{ env.MIXTUS_VERSION }}
run: curl -sSfL https://raw.githubusercontent.com/traefik/mixtus/master/godownloader.sh | sh -s -- -b $HOME/bin ${MIXTUS_VERSION}
@@ -40,6 +43,9 @@ jobs:
env:
STRUCTOR_LATEST_TAG: ${{ secrets.STRUCTOR_LATEST_TAG }}
- name: Apply seo
run: $HOME/bin/seo -path=./site
- name: Publish documentation
run: $HOME/bin/mixtus --dst-doc-path="./traefik" --dst-owner=traefik --dst-repo-name=doc --git-user-email="30906710+traefiker@users.noreply.github.com" --git-user-name=traefiker --src-doc-path="./site" --src-owner=containous --src-repo-name=traefik
env:

46
.github/workflows/test-unit.yaml vendored Normal file
View File

@@ -0,0 +1,46 @@
name: Test Unit
on:
pull_request:
branches:
- '*'
env:
GO_VERSION: 1.17
PRE_TARGET: ""
jobs:
test-unit:
runs-on: ubuntu-20.04
defaults:
run:
working-directory: ${{ github.workspace }}/go/src/github.com/traefik/traefik
steps:
- name: Set up Go ${{ env.GO_VERSION }}
uses: actions/setup-go@v2
with:
go-version: ${{ env.GO_VERSION }}
- name: Check out code
uses: actions/checkout@v2
with:
path: go/src/github.com/traefik/traefik
fetch-depth: 0
- name: Cache Go modules
uses: actions/cache@v2
with:
path: |
~/go/pkg/mod
~/.cache/go-build
key: ${{ runner.os }}-test-unit-go-${{ hashFiles('**/go.sum') }}
restore-keys: ${{ runner.os }}-test-unit-go-
- name: Installing dependencies
run: go install github.com/containous/go-bindata/go-bindata@v1.0.0
- name: Tests
run: make test-unit

100
.github/workflows/validate.yaml vendored Normal file
View File

@@ -0,0 +1,100 @@
name: Validate
on:
pull_request:
branches:
- '*'
env:
GO_VERSION: 1.17
GOLANGCI_LINT_VERSION: v1.41.1
MISSSPELL_VERSION: v0.3.4
PRE_TARGET: ""
jobs:
validate:
runs-on: ubuntu-20.04
defaults:
run:
working-directory: ${{ github.workspace }}/go/src/github.com/traefik/traefik
steps:
- name: Set up Go ${{ env.GO_VERSION }}
uses: actions/setup-go@v2
with:
go-version: ${{ env.GO_VERSION }}
- name: Check out code
uses: actions/checkout@v2
with:
path: go/src/github.com/traefik/traefik
fetch-depth: 0
- name: Cache Go modules
uses: actions/cache@v2
with:
path: |
~/go/pkg/mod
~/.cache/go-build
key: ${{ runner.os }}-validate-go-${{ hashFiles('**/go.sum') }}
restore-keys: ${{ runner.os }}-validate-go-
- name: Installing dependencies
run: go install github.com/containous/go-bindata/go-bindata@v1.0.0
- name: Install golangci-lint ${{ env.GOLANGCI_LINT_VERSION }}
run: curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin ${GOLANGCI_LINT_VERSION}
- name: Install missspell ${{ env.MISSSPELL_VERSION }}
run: curl -sfL https://raw.githubusercontent.com/client9/misspell/master/install-misspell.sh | sh -s -- -b $(go env GOPATH)/bin ${MISSSPELL_VERSION}
- name: Validate
run: make validate
validate-generate:
runs-on: ubuntu-20.04
defaults:
run:
working-directory: ${{ github.workspace }}/go/src/github.com/traefik/traefik
steps:
- name: Set up Go ${{ env.GO_VERSION }}
uses: actions/setup-go@v2
with:
go-version: ${{ env.GO_VERSION }}
- name: Check out code
uses: actions/checkout@v2
with:
path: go/src/github.com/traefik/traefik
fetch-depth: 0
- name: Cache Go modules
uses: actions/cache@v2
with:
path: |
~/go/pkg/mod
~/.cache/go-build
key: ${{ runner.os }}-validate-generate-go-${{ hashFiles('**/go.sum') }}
restore-keys: ${{ runner.os }}-validate-generate-go-
- name: Installing dependencies
run: go install github.com/containous/go-bindata/go-bindata@v1.0.0
- name: go generate
run: |
go generate
git diff --exit-code
- name: go mod tidy
run: |
go mod tidy
git diff --exit-code
- name: make generate-crd
run: |
make generate-crd
git diff --exit-code

1
.gitignore vendored
View File

@@ -17,4 +17,5 @@
cover.out
vendor/
plugins-storage/
plugins-local/
traefik_changelog.md

91
.golangci.toml
View File

@@ -30,38 +30,75 @@
lines = 230 # default 60
statements = 120 # default 40
[linters-settings.forbidigo]
forbid = [
'^print(ln)?$',
'^spew\.Print(f|ln)?$',
'^spew\.Dump$',
]
[linters-settings.depguard]
list-type = "blacklist"
include-go-root = false
packages = ["github.com/pkg/errors"]
[linters-settings.godox]
keywords = ["FIXME"]
[linters-settings.importas]
corev1 = "k8s.io/api/core/v1"
networkingv1beta1 = "k8s.io/api/networking/v1beta1"
extensionsv1beta1 = "k8s.io/api/extensions/v1beta1"
metav1 = "k8s.io/apimachinery/pkg/apis/meta/v1"
kubeerror = "k8s.io/apimachinery/pkg/api/errors"
[linters-settings.gomoddirectives]
replace-allow-list = [
"github.com/abbot/go-http-auth",
"github.com/go-check/check",
"github.com/gorilla/mux",
"github.com/mailgun/minheap",
"github.com/mailgun/multibuf",
]
[linters]
enable-all = true
disable = [
"scopelint", # Deprecated
"interfacer", # Deprecated
"maligned", # Deprecated
"golint", # Deprecated
"sqlclosecheck", # Not relevant (SQL)
"rowserrcheck", # Not relevant (SQL)
"lll", # Not relevant
"gocyclo", # FIXME must be fixed
"gosec",
"dupl",
"maligned",
"lll",
"unparam",
"prealloc",
"scopelint",
"cyclop", # Duplicate of gocyclo
"gocognit", # Too strict
"nestif", # Too many false-positive.
"prealloc", # Too many false-positive.
"makezero", # Not relevant
"ifshort", # Not relevant
"dupl", # Too strict
"gosec", # Too strict
"gochecknoinits",
"gochecknoglobals",
"godox",
"gocognit",
"bodyclose", # Too many false-positive and panics.
"wsl", # Too strict
"nlreturn", # Not relevant
"gomnd", # Too strict
"stylecheck", # skip because report issues related to some generated files.
"testpackage", # Too strict
"goerr113", # Too strict
"nestif", # Too many false-positive.
"noctx", # Too strict
"exhaustive", # Too strict
"nlreturn", # Not relevant
"wrapcheck", # Too strict
"tparallel", # Not relevant
"paralleltest", # Not relevant
"exhaustive", # Not relevant
"exhaustivestruct", # Not relevant
"makezero", # not relevant
"forbidigo", # not relevant
"ifshort", # not relevant
"goerr113", # Too strict
"wrapcheck", # Too strict
"noctx", # Too strict
"bodyclose", # Too many false-positive and panics.
"unparam", # Too strict
"godox", # Too strict
"forcetypeassert", # Too strict
"tagliatelle", # Not compatible with current tags.
]
[issues]
@@ -69,9 +106,14 @@
max-per-linter = 0
max-same-issues = 0
exclude = [
"SA1019: http.CloseNotifier is deprecated: the CloseNotifier interface predates Go's context package. New code should use Request.Context instead.", # FIXME must be fixed
"Error return value of .((os\\.)?std(out|err)\\..*|.*Close|.*Flush|os\\.Remove(All)?|.*printf?|os\\.(Un)?Setenv). is not checked",
"should have a package comment, unless it's in another file for this package",
"SA1019: http.CloseNotifier has been deprecated", # FIXME must be fixed
"SA1019: cfg.SSLRedirect is deprecated",
"SA1019: cfg.SSLTemporaryRedirect is deprecated",
"SA1019: cfg.SSLHost is deprecated",
"SA1019: cfg.SSLForceHost is deprecated",
"SA1019: cfg.FeaturePolicy is deprecated",
]
[[issues.exclude-rules]]
path = "(.+)_test.go"
@@ -88,18 +130,12 @@
[[issues.exclude-rules]]
path = "pkg/h2c/h2c.go"
text = "Error return value of `rw.Write` is not checked"
[[issues.exclude-rules]]
path = "pkg/middlewares/recovery/recovery.go"
text = "`logger` can be `github.com/stretchr/testify/assert.TestingT`"
[[issues.exclude-rules]]
path = "pkg/provider/docker/builder_test.go"
text = "(U1000: func )?`(.+)` is unused"
[[issues.exclude-rules]]
path = "pkg/provider/kubernetes/builder_(endpoint|service)_test.go"
text = "(U1000: func )?`(.+)` is unused"
[[issues.exclude-rules]]
path = "pkg/config/parser/.+_test.go"
text = "U1000: field `(foo|fuu)` is unused"
[[issues.exclude-rules]]
path = "pkg/server/service/bufferpool.go"
text = "SA6002: argument should be pointer-like to avoid allocations"
@@ -109,9 +145,6 @@
[[issues.exclude-rules]]
path = "pkg/server/middleware/middlewares.go"
text = "Function 'buildConstructor' has too many statements"
[[issues.exclude-rules]] # FIXME must be fixed
path = "cmd/context.go"
text = "S1000: should use a simple channel send/receive instead of `select` with a single case"
[[issues.exclude-rules]]
path = "pkg/tracing/haystack/logger.go"
linters = ["goprintffuncname"]

100
.semaphore/semaphore.yml Normal file
View File

@@ -0,0 +1,100 @@
version: v1.0
name: Traefik
agent:
machine:
type: e1-standard-4
os_image: ubuntu1804
fail_fast:
stop:
when: "branch != 'master'"
auto_cancel:
queued:
when: "branch != 'master'"
running:
when: "branch != 'master'"
global_job_config:
prologue:
commands:
- curl -sSfL https://raw.githubusercontent.com/ldez/semgo/master/godownloader.sh | sudo sh -s -- -b "/usr/local/bin"
- sudo semgo go1.17
- export "GOPATH=$(go env GOPATH)"
- export "SEMAPHORE_GIT_DIR=${GOPATH}/src/github.com/traefik/${SEMAPHORE_PROJECT_NAME}"
- export "PATH=${GOPATH}/bin:${PATH}"
- mkdir -vp "${SEMAPHORE_GIT_DIR}" "${GOPATH}/bin"
- export GOPROXY=https://proxy.golang.org,direct
- curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b "${GOPATH}/bin" v1.41.1
- curl -sfL https://install.goreleaser.com/github.com/goreleaser/goreleaser.sh | bash -s -- -b "${GOPATH}/bin"
- go install github.com/containous/go-bindata/go-bindata@v1.0.0
- checkout
- cache restore traefik-$(checksum go.sum)
blocks:
- name: Test Integration Container
dependencies: []
run:
when: "branch =~ '.*' OR pull_request =~'.*'"
task:
jobs:
- name: Test Integration Container
commands:
- make pull-images
- mkdir -p static # Avoid to generate webui
- PRE_TARGET="" make binary
- make test-integration-container
- df -h
epilogue:
always:
commands:
- cache store traefik-$(checksum go.sum) $HOME/go/pkg/mod
- name: Test Integration Host
dependencies: []
run:
when: "branch =~ '.*' OR pull_request =~'.*'"
task:
env_vars:
- name: PRE_TARGET
value: ""
jobs:
- name: Test Integration Host
commands:
- mkdir -p static # Avoid to generate webui
- make test-integration-host
epilogue:
always:
commands:
- cache store traefik-$(checksum go.sum) $HOME/go/pkg/mod
- name: Release
dependencies: []
run:
when: "tag =~ '.*'"
task:
agent:
machine:
type: e1-standard-8
os_image: ubuntu1804
secrets:
- name: traefik
env_vars:
- name: GH_VERSION
value: 1.12.1
- name: CODENAME
value: "livarot"
- name: PRE_TARGET
value: ""
prologue:
commands:
- export VERSION=${SEMAPHORE_GIT_TAG_NAME}
- curl -sSL -o /tmp/gh_${GH_VERSION}_linux_amd64.tar.gz https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_amd64.tar.gz
- tar -zxvf /tmp/gh_${GH_VERSION}_linux_amd64.tar.gz -C /tmp
- sudo mv /tmp/gh_${GH_VERSION}_linux_amd64/bin/gh /usr/local/bin/gh
jobs:
- name: Release
commands:
- make release-packages
- gh release create ${SEMAPHORE_GIT_TAG_NAME} ./dist/traefik*.* --repo traefik/traefik --title ${SEMAPHORE_GIT_TAG_NAME} --notes ${SEMAPHORE_GIT_TAG_NAME}
- ./script/deploy.sh

4
.semaphoreci/cleanup.sh
View File

@@ -1,4 +0,0 @@
#!/usr/bin/env bash
set -e
sudo rm -rf static

20
.semaphoreci/golang.sh
View File

@@ -1,20 +0,0 @@
#!/usr/bin/env bash
set -e
curl -O https://dl.google.com/go/go"${GO_VERSION}".linux-amd64.tar.gz
tar -xvf go"${GO_VERSION}".linux-amd64.tar.gz
rm -rf go"${GO_VERSION}".linux-amd64.tar.gz
sudo mkdir -p /usr/local/golang/"${GO_VERSION}"/go
sudo mv go /usr/local/golang/"${GO_VERSION}"/
sudo rm /usr/local/bin/go
sudo chmod +x /usr/local/golang/"${GO_VERSION}"/go/bin/go
sudo ln -s /usr/local/golang/"${GO_VERSION}"/go/bin/go /usr/local/bin/go
export GOROOT="/usr/local/golang/${GO_VERSION}/go"
export GOTOOLDIR="/usr/local/golang/${GO_VERSION}/go/pkg/tool/linux_amd64"
go version

6
.semaphoreci/job1.sh
View File

@@ -1,6 +0,0 @@
#!/usr/bin/env bash
set -e
if [ -n "$SHOULD_TEST" ]; then ci_retry make pull-images; fi
if [ -n "$SHOULD_TEST" ]; then ci_retry make test-integration; fi

8
.semaphoreci/job2.sh
View File

@@ -1,8 +0,0 @@
#!/usr/bin/env bash
set -e
ci_retry make validate
if [ -n "$SHOULD_TEST" ]; then ci_retry make test-unit; fi
if [ -n "$SHOULD_TEST" ]; then make -j"${N_MAKE_JOBS}" crossbinary-default-parallel; fi

35
.semaphoreci/setup.sh
View File

@@ -1,35 +0,0 @@
# For personnal CI
# mv /home/runner/workspace/src/github.com/<username>/ /home/runner/workspace/src/github.com/traefik/
# cd /home/runner/workspace/src/github.com/traefik/traefik/
for s in apache2 cassandra elasticsearch memcached mysql mongod postgresql sphinxsearch rethinkdb rabbitmq-server redis-server; do sudo service $s stop; done
sudo swapoff -a
sudo dd if=/dev/zero of=/swapfile bs=1M count=3072
sudo mkswap /swapfile
sudo swapon /swapfile
sudo rm -rf /home/runner/.rbenv
sudo rm -rf /usr/local/golang/{1.4.3,1.5.4,1.6.4,1.7.6,1.8.6,1.9.7,1.10.3,1.11}
#export DOCKER_VERSION=18.06.3
source .semaphoreci/vars
if [ -z "${PULL_REQUEST_NUMBER}" ]; then SHOULD_TEST="-*-"; else TEMP_STORAGE=$(curl --silent https://patch-diff.githubusercontent.com/raw/traefik/traefik/pull/${PULL_REQUEST_NUMBER}.diff | patch --dry-run -p1 -R || true); fi
echo ${SHOULD_TEST}
if [ -n "$TEMP_STORAGE" ]; then SHOULD_TEST=$(echo "$TEMP_STORAGE" | grep -Ev '(.md|.yaml|.yml)' || :); fi
echo ${TEMP_STORAGE}
echo ${SHOULD_TEST}
#if [ -n "$SHOULD_TEST" ]; then sudo -E apt-get -yq update; fi
#if [ -n "$SHOULD_TEST" ]; then sudo -E apt-get -yq --no-install-suggests --no-install-recommends --force-yes install docker-ce=${DOCKER_VERSION}*; fi
if [ -n "$SHOULD_TEST" ]; then docker version; fi
export GO_VERSION=1.13
if [ -f "./go.mod" ]; then GO_VERSION="$(grep '^go .*' go.mod | awk '{print $2}')"; export GO_VERSION; fi
#if [ "${GO_VERSION}" == '1.15' ]; then export GO_VERSION=1.15rc2; fi
echo "Selected Go version: ${GO_VERSION}"
if [ -f "./.semaphoreci/golang.sh" ]; then ./.semaphoreci/golang.sh; fi
if [ -f "./.semaphoreci/golang.sh" ]; then export GOROOT="/usr/local/golang/${GO_VERSION}/go"; fi
if [ -f "./.semaphoreci/golang.sh" ]; then export GOTOOLDIR="/usr/local/golang/${GO_VERSION}/go/pkg/tool/linux_amd64"; fi
go version
if [ -f "./go.mod" ]; then export GO111MODULE=on; fi
if [ -f "./go.mod" ]; then export GOPROXY=https://proxy.golang.org; fi
if [ -f "./go.mod" ]; then go mod download; fi
df

36
.semaphoreci/vars
View File

@@ -1,36 +0,0 @@
#!/usr/bin/env bash
set -e
export REPO='traefik/traefik'
if VERSION=$(git describe --exact-match --abbrev=0 --tags);
then
export VERSION
else
export VERSION=''
fi
export CODENAME=livarot
export N_MAKE_JOBS=2
function ci_retry {
local NRETRY=3
local NSLEEP=5
local n=0
until [ $n -ge $NRETRY ]
do
"$@" && break
n=$((n+1))
echo "${*} failed, attempt ${n}/${NRETRY}"
sleep $NSLEEP
done
[ $n -lt $NRETRY ]
}
export -f ci_retry

50
.travis.yml
View File

@@ -1,50 +0,0 @@
sudo: required
dist: trusty
git:
depth: false
services:
- docker
env:
global:
- REPO=$TRAVIS_REPO_SLUG
- VERSION=$TRAVIS_TAG
- CODENAME=livarot
- GO111MODULE=on
script:
- echo "Skipping tests... (Tests are executed on SemaphoreCI)"
- if [ "$TRAVIS_PULL_REQUEST" != "false" ]; then make docs; fi
before_deploy:
- >
if ! [ "$BEFORE_DEPLOY_RUN" ]; then
export BEFORE_DEPLOY_RUN=1;
sudo -E apt-get -yq update;
sudo -E apt-get -yq --no-install-suggests --no-install-recommends --force-yes install docker-ce=${DOCKER_VERSION}*;
docker version;
echo "${DOCKERHUB_PASSWORD}" | docker login -u "${DOCKERHUB_USERNAME}" --password-stdin;
make build-image;
if [ "$TRAVIS_TAG" ]; then
make release-packages;
fi;
fi
deploy:
- provider: releases
api_key: ${GITHUB_TOKEN}
file: dist/traefik*
skip_cleanup: true
file_glob: true
on:
repo: traefik/traefik
tags: true
- provider: script
script: sh script/deploy.sh
skip_cleanup: true
on:
repo: traefik/traefik
tags: true

BIN
.travis/traefiker_rsa.enc
View File

Binary file not shown.

371
CHANGELOG.md
View File

@@ -1,3 +1,374 @@
## [v2.5.0](https://github.com/traefik/traefik/tree/v2.5.0) (2021-08-17)
[All Commits](https://github.com/traefik/traefik/compare/v2.4.0-rc1...v2.5.0)
**Enhancements:**
- **[consulcatalog]** Add Support for Consul Connect ([#7407](https://github.com/traefik/traefik/pull/7407) by [Gufran](https://github.com/Gufran))
- Update Go version ([#8355](https://github.com/traefik/traefik/pull/8355) by [mpl](https://github.com/mpl))
- **[file]** Update sprig to v3.2.0 ([#7746](https://github.com/traefik/traefik/pull/7746) by [sirlatrom](https://github.com/sirlatrom))
- **[healthcheck]** Healthcheck: add support at the load-balancers of services level ([#8057](https://github.com/traefik/traefik/pull/8057) by [mpl](https://github.com/mpl))
- **[http3]** Upgrade github.com/lucas-clemente/quic-go ([#8076](https://github.com/traefik/traefik/pull/8076) by [sylr](https://github.com/sylr))
- **[http3]** Add HTTP3 support (experimental) ([#7724](https://github.com/traefik/traefik/pull/7724) by [juliens](https://github.com/juliens))
- **[k8s,k8s/gatewayapi]** Add wildcard hostname rule to kubernetes gateway ([#7963](https://github.com/traefik/traefik/pull/7963) by [jberger](https://github.com/jberger))
- **[k8s,k8s/gatewayapi]** Add support for TCPRoute and TLSRoute ([#8054](https://github.com/traefik/traefik/pull/8054) by [tomMoulard](https://github.com/tomMoulard))
- **[k8s,k8s/gatewayapi]** Allow crossprovider service reference ([#7774](https://github.com/traefik/traefik/pull/7774) by [jbdoumenjou](https://github.com/jbdoumenjou))
- **[k8s/crd,k8s]** Add named port support to Kubernetes IngressRoute CRDs ([#7668](https://github.com/traefik/traefik/pull/7668) by [Cirrith](https://github.com/Cirrith))
- **[k8s/crd,k8s]** Improve kubernetes external name service support for UDP ([#7773](https://github.com/traefik/traefik/pull/7773) by [kevinpollet](https://github.com/kevinpollet))
- **[k8s/crd,k8s]** Upgrade the CRD version from apiextensions.k8s.io/v1beta1 to apiextensions.k8s.io/v1 ([#7815](https://github.com/traefik/traefik/pull/7815) by [jbdoumenjou](https://github.com/jbdoumenjou))
- **[k8s/ingress,k8s/crd,k8s]** Ignore empty endpoint changes ([#7646](https://github.com/traefik/traefik/pull/7646) by [hensur](https://github.com/hensur))
- **[k8s/ingress,k8s]** Upgrade Ingress Handling to work with networkingv1/Ingress ([#7549](https://github.com/traefik/traefik/pull/7549) by [SantoDE](https://github.com/SantoDE))
- **[k8s/ingress,k8s]** Filter ingress class resources by name ([#7915](https://github.com/traefik/traefik/pull/7915) by [tomMoulard](https://github.com/tomMoulard))
- **[k8s/ingress,k8s]** Add k8s provider option to create services without endpoints ([#7593](https://github.com/traefik/traefik/pull/7593) by [Lucaber](https://github.com/Lucaber))
- **[k8s/ingress,k8s]** Upgrade IngressClass to use v1 over v1Beta on Kube 1.19+ ([#8089](https://github.com/traefik/traefik/pull/8089) by [SantoDE](https://github.com/SantoDE))
- **[k8s/ingress,k8s]** Add ServersTransport annotation to k8s ingress provider ([#8084](https://github.com/traefik/traefik/pull/8084) by [wdullaer](https://github.com/wdullaer))
- **[logs,middleware]** Add TLS version and cipher to the accessLog ([#7478](https://github.com/traefik/traefik/pull/7478) by [na4ma4](https://github.com/na4ma4))
- **[metrics]** Add TLS certs expiration metric ([#6924](https://github.com/traefik/traefik/pull/6924) by [sylr](https://github.com/sylr))
- **[metrics]** Allow to define datadogs metrics endpoint with env vars ([#7968](https://github.com/traefik/traefik/pull/7968) by [sylr](https://github.com/sylr))
- **[middleware,metrics]** Add router metrics ([#7510](https://github.com/traefik/traefik/pull/7510) by [jorge07](https://github.com/jorge07))
- **[middleware,tcp]** Add TCP Middlewares support ([#7813](https://github.com/traefik/traefik/pull/7813) by [rtribotte](https://github.com/rtribotte))
- **[middleware]** Removes headers middleware options ([#8161](https://github.com/traefik/traefik/pull/8161) by [tomMoulard](https://github.com/tomMoulard))
- **[middleware]** Headers: add `permissionsPolicy` and deprecate `featurePolicy` ([#8200](https://github.com/traefik/traefik/pull/8200) by [WLun001](https://github.com/WLun001))
- **[middleware]** Deprecates ssl redirect headers middleware options ([#8160](https://github.com/traefik/traefik/pull/8160) by [tomMoulard](https://github.com/tomMoulard))
- **[plugins]** Local private plugins. ([#8224](https://github.com/traefik/traefik/pull/8224) by [ldez](https://github.com/ldez))
- **[provider,plugins]** Add plugin&#39;s support for provider ([#7794](https://github.com/traefik/traefik/pull/7794) by [ldez](https://github.com/ldez))
- **[rules]** Support not in rules definition ([#8164](https://github.com/traefik/traefik/pull/8164) by [juliens](https://github.com/juliens))
- **[rules]** Add routing IP rule matcher ([#8169](https://github.com/traefik/traefik/pull/8169) by [tomMoulard](https://github.com/tomMoulard))
- **[server]** Improve host name resolution for TCP proxy ([#7971](https://github.com/traefik/traefik/pull/7971) by [H-M-H](https://github.com/H-M-H))
- **[server]** Add ability to disable HTTP/2 in dynamic config ([#7645](https://github.com/traefik/traefik/pull/7645) by [jcuzzi](https://github.com/jcuzzi))
- **[sticky-session]** Add a mechanism to format the sticky cookie value ([#8103](https://github.com/traefik/traefik/pull/8103) by [tomMoulard](https://github.com/tomMoulard))
- **[tls]** Mutualize TLS version and cipher code ([#7779](https://github.com/traefik/traefik/pull/7779) by [rtribotte](https://github.com/rtribotte))
- **[tls,k8s/crd,k8s]** Improve CA certificate loading from kubernetes secret ([#7789](https://github.com/traefik/traefik/pull/7789) by [rio](https://github.com/rio))
- **[tls]** Do not build a default certificate for ACME challenges store ([#7833](https://github.com/traefik/traefik/pull/7833) by [rkojedzinszky](https://github.com/rkojedzinszky))
- **[tracing]** Use Datadog tracer environment variables to setup default config ([#7721](https://github.com/traefik/traefik/pull/7721) by [GianOrtiz](https://github.com/GianOrtiz))
- **[tracing]** Update Elastic APM from 1.7.0 to 1.11.0 ([#8187](https://github.com/traefik/traefik/pull/8187) by [afitzek](https://github.com/afitzek))
- **[tracing]** Override jaeger configuration with env variables ([#8198](https://github.com/traefik/traefik/pull/8198) by [mmatur](https://github.com/mmatur))
- **[udp]** Add udp timeout configuration ([#6982](https://github.com/traefik/traefik/pull/6982) by [Lindenk](https://github.com/Lindenk))
**Bug fixes:**
- **[k8s,k8s/gatewayapi]** Update Gateway API version to v0.3.0 ([#8253](https://github.com/traefik/traefik/pull/8253) by [jbdoumenjou](https://github.com/jbdoumenjou))
- **[k8s]** Kubernetes: detect changes for resources other than endpoints ([#8313](https://github.com/traefik/traefik/pull/8313) by [rtribotte](https://github.com/rtribotte))
- **[middleware]** Library change for compress middleware to increase performance ([#8245](https://github.com/traefik/traefik/pull/8245) by [tomMoulard](https://github.com/tomMoulard))
- **[plugins]** Update yaegi to v0.9.21 ([#8285](https://github.com/traefik/traefik/pull/8285) by [ldez](https://github.com/ldez))
- **[plugins]** Downgrade yaegi to v0.9.19 ([#8282](https://github.com/traefik/traefik/pull/8282) by [ldez](https://github.com/ldez))
- **[webui]** Fix dashboard to display middleware details ([#8284](https://github.com/traefik/traefik/pull/8284) by [tomMoulard](https://github.com/tomMoulard))
- **[webui]** Fix dashboard title for TCP middlewares ([#8339](https://github.com/traefik/traefik/pull/8339) by [mschneider82](https://github.com/mschneider82))
- **[k8s]** Remove logging of changed object with cast ([#8128](https://github.com/traefik/traefik/pull/8128) by [hensur](https://github.com/hensur))
**Documentation:**
- Fix KV reference documentation ([#8280](https://github.com/traefik/traefik/pull/8280) by [rtribotte](https://github.com/rtribotte))
- Fix migration guide ([#8269](https://github.com/traefik/traefik/pull/8269) by [jbdoumenjou](https://github.com/jbdoumenjou))
- Update generated and reference doc for plugins ([#8236](https://github.com/traefik/traefik/pull/8236) by [tomMoulard](https://github.com/tomMoulard))
- **[k8s/crd]** Fix: regenerate crd ([#8114](https://github.com/traefik/traefik/pull/8114) by [tomMoulard](https://github.com/tomMoulard))
- **[k8s]** Clarify doc for ingressclass name in k8s 1.18+ ([#7944](https://github.com/traefik/traefik/pull/7944) by [tomMoulard](https://github.com/tomMoulard))
- Update documentation references ([#8202](https://github.com/traefik/traefik/pull/8202) by [rtribotte](https://github.com/rtribotte))
**Misc:**
- Merge current v2.4 into v2.5 ([#8333](https://github.com/traefik/traefik/pull/8333) by [jbdoumenjou](https://github.com/jbdoumenjou))
- Merge current v2.4 into v2.5 ([#8325](https://github.com/traefik/traefik/pull/8325) by [jbdoumenjou](https://github.com/jbdoumenjou))
- Merge current v2.4 into v2.5 ([#8314](https://github.com/traefik/traefik/pull/8314) by [rtribotte](https://github.com/rtribotte))
- Merge current v2.4 into v2.5 ([#8296](https://github.com/traefik/traefik/pull/8296) by [tomMoulard](https://github.com/tomMoulard))
- Merge current v2.4 into v2.5 ([#8287](https://github.com/traefik/traefik/pull/8287) by [rtribotte](https://github.com/rtribotte))
- Merge current v2.4 into v2.5 ([#8281](https://github.com/traefik/traefik/pull/8281) by [rtribotte](https://github.com/rtribotte))
- Merge current v2.4 into v2.5 ([#8263](https://github.com/traefik/traefik/pull/8263) by [rtribotte](https://github.com/rtribotte))
- Merge current v2.4 into master ([#8232](https://github.com/traefik/traefik/pull/8232) by [rtribotte](https://github.com/rtribotte))
- Merge current v2.4 into master ([#8210](https://github.com/traefik/traefik/pull/8210) by [rtribotte](https://github.com/rtribotte))
- Merge current v2.4 into master ([#8105](https://github.com/traefik/traefik/pull/8105) by [tomMoulard](https://github.com/tomMoulard))
- Merge current v2.4 into master ([#8087](https://github.com/traefik/traefik/pull/8087) by [tomMoulard](https://github.com/tomMoulard))
- Merge current v2.4 into master ([#8068](https://github.com/traefik/traefik/pull/8068) by [jbdoumenjou](https://github.com/jbdoumenjou))
- Merge current v2.4 into master ([#8058](https://github.com/traefik/traefik/pull/8058) by [jbdoumenjou](https://github.com/jbdoumenjou))
- Merge current v2.4 into master ([#8024](https://github.com/traefik/traefik/pull/8024) by [jbdoumenjou](https://github.com/jbdoumenjou))
- Merge current v2.4 into master ([#7969](https://github.com/traefik/traefik/pull/7969) by [jbdoumenjou](https://github.com/jbdoumenjou))
- Merge current v2.4 into master ([#7921](https://github.com/traefik/traefik/pull/7921) by [rtribotte](https://github.com/rtribotte))
- Merge current v2.4 into master ([#7901](https://github.com/traefik/traefik/pull/7901) by [rtribotte](https://github.com/rtribotte))
- Merge current v2.4 into master ([#7859](https://github.com/traefik/traefik/pull/7859) by [jbdoumenjou](https://github.com/jbdoumenjou))
- Merge current v2.4 into master ([#7795](https://github.com/traefik/traefik/pull/7795) by [kevinpollet](https://github.com/kevinpollet))
- Merge current v2.4 into master ([#8221](https://github.com/traefik/traefik/pull/8221) by [rtribotte](https://github.com/rtribotte))
- Merge current v2.4 into master ([#7781](https://github.com/traefik/traefik/pull/7781) by [kevinpollet](https://github.com/kevinpollet))
- Merge current v2.4 into master ([#7766](https://github.com/traefik/traefik/pull/7766) by [ldez](https://github.com/ldez))
- Merge current v2.4 into master ([#7761](https://github.com/traefik/traefik/pull/7761) by [rtribotte](https://github.com/rtribotte))
- Merge current v2.4 into master ([#7748](https://github.com/traefik/traefik/pull/7748) by [kevinpollet](https://github.com/kevinpollet))
- Merge current v2.4 into master ([#7728](https://github.com/traefik/traefik/pull/7728) by [mmatur](https://github.com/mmatur))
## [v2.4.14](https://github.com/traefik/traefik/tree/v2.4.14) (2021-08-16)
[All Commits](https://github.com/traefik/traefik/compare/v2.4.13...v2.4.14)
**Bug fixes:**
- **[k8s/crd,k8s]** Avoid unauthorized middleware cross namespace reference ([#8322](https://github.com/traefik/traefik/pull/8322) by [jbdoumenjou](https://github.com/jbdoumenjou))
- **[kv]** Remove unwanted trailing slash in key ([#8335](https://github.com/traefik/traefik/pull/8335) by [jbdoumenjou](https://github.com/jbdoumenjou))
- **[middleware]** Redirect: fix comparison when explicit port request and implicit redirect port ([#8348](https://github.com/traefik/traefik/pull/8348) by [tcolgate](https://github.com/tcolgate))
**Documentation:**
- **[kv]** Fix a router&#39;s entryPoint definition example for KV provider ([#8357](https://github.com/traefik/traefik/pull/8357) by [avtion](https://github.com/avtion))
## [v2.5.0-rc6](https://github.com/traefik/traefik/tree/v2.5.0-rc6) (2021-08-13)
[All Commits](https://github.com/traefik/traefik/compare/v2.5.0-rc5...v2.5.0-rc6)
**Enhancements:**
- Update Go version ([#8355](https://github.com/traefik/traefik/pull/8355) by [mpl](https://github.com/mpl))
**Misc:**
- Merge current v2.4 into v2.5 ([#8333](https://github.com/traefik/traefik/pull/8333) by [jbdoumenjou](https://github.com/jbdoumenjou))
## [v2.5.0-rc5](https://github.com/traefik/traefik/tree/v2.5.0-rc5) (2021-08-03)
[All Commits](https://github.com/traefik/traefik/compare/v2.5.0-rc3...v2.5.0-rc5)
**Bug fixes:**
- **[k8s]** Kubernetes: detect changes for resources other than endpoints ([#8313](https://github.com/traefik/traefik/pull/8313) by [rtribotte](https://github.com/rtribotte))
**Misc:**
- Merge current v2.4 into v2.5 ([#8325](https://github.com/traefik/traefik/pull/8325) by [jbdoumenjou](https://github.com/jbdoumenjou))
- Merge current v2.4 into v2.5 ([#8314](https://github.com/traefik/traefik/pull/8314) by [rtribotte](https://github.com/rtribotte))
- Merge current v2.4 into v2.5 ([#8296](https://github.com/traefik/traefik/pull/8296) by [tomMoulard](https://github.com/tomMoulard))
## [v2.5.0-rc4](https://github.com/traefik/traefik/tree/v2.5.0-rc4) (2021-08-03)
Release canceled.
## [v2.4.13](https://github.com/traefik/traefik/tree/v2.4.13) (2021-07-30)
[All Commits](https://github.com/traefik/traefik/compare/v2.4.12...v2.4.13)
**Bug fixes:**
- **[authentication,middleware]** Remove hop-by-hop headers defined in connection header before some middleware ([#8319](https://github.com/traefik/traefik/pull/8319) by [ldez](https://github.com/ldez))
## [v2.4.12](https://github.com/traefik/traefik/tree/v2.4.12) (2021-07-26)
[All Commits](https://github.com/traefik/traefik/compare/v2.4.11...v2.4.12)
**Bug fixes:**
- **[k8s,k8s/ingress]** Get Kubernetes server version early ([#8286](https://github.com/traefik/traefik/pull/8286) by [rtribotte](https://github.com/rtribotte))
- **[k8s,k8s/ingress]** Don&#39;t remove ingress config on API call failure ([#8185](https://github.com/traefik/traefik/pull/8185) by [dtomcej](https://github.com/dtomcej))
- **[middleware]** Ratelimiter: use correct ttlSeconds value, and always call Set ([#8254](https://github.com/traefik/traefik/pull/8254) by [mpl](https://github.com/mpl))
- **[tls]** Check if defaultcertificate is defined in store ([#8274](https://github.com/traefik/traefik/pull/8274) by [dtomcej](https://github.com/dtomcej))
## [v2.5.0-rc3](https://github.com/traefik/traefik/tree/v2.5.0-rc3) (2021-07-20)
[All Commits](https://github.com/traefik/traefik/compare/v2.5.0-rc2...v2.5.0-rc3)
**Enhancements:**
- **[consulcatalog]** Add Support for Consul Connect ([#7407](https://github.com/traefik/traefik/pull/7407) by [Gufran](https://github.com/Gufran))
**Bug fixes:**
- **[k8s,k8s/gatewayapi]** Update Gateway API version to v0.3.0 ([#8253](https://github.com/traefik/traefik/pull/8253) by [jbdoumenjou](https://github.com/jbdoumenjou))
- **[middleware]** Library change for compress middleware to increase performance ([#8245](https://github.com/traefik/traefik/pull/8245) by [tomMoulard](https://github.com/tomMoulard))
- **[plugins]** Update yaegi to v0.9.21 ([#8285](https://github.com/traefik/traefik/pull/8285) by [ldez](https://github.com/ldez))
- **[plugins]** Downgrade yaegi to v0.9.19 ([#8282](https://github.com/traefik/traefik/pull/8282) by [ldez](https://github.com/ldez))
- **[webui]** Fix dashboard to display middleware details ([#8284](https://github.com/traefik/traefik/pull/8284) by [tomMoulard](https://github.com/tomMoulard))
**Documentation:**
- Fix KV reference documentation ([#8280](https://github.com/traefik/traefik/pull/8280) by [rtribotte](https://github.com/rtribotte))
- Fix migration guide ([#8269](https://github.com/traefik/traefik/pull/8269) by [jbdoumenjou](https://github.com/jbdoumenjou))
- Update generated and reference doc for plugins ([#8236](https://github.com/traefik/traefik/pull/8236) by [tomMoulard](https://github.com/tomMoulard))
**Misc:**
- Merge current v2.4 into v2.5 ([#8263](https://github.com/traefik/traefik/pull/8263) by [rtribotte](https://github.com/rtribotte))
## [v2.4.11](https://github.com/traefik/traefik/tree/v2.4.11) (2021-07-15)
[All Commits](https://github.com/traefik/traefik/compare/v2.4.9...v2.4.11)
**Bug fixes:**
- **[k8s,k8s/crd,k8s/ingress]** Disable ExternalName Services by default on Kubernetes providers ([#8261](https://github.com/traefik/traefik/pull/8261) by [dtomcej](https://github.com/dtomcej))
- **[k8s,k8s/crd,k8s/ingress]** Fix: malformed Kubernetes resource names and references in tests ([#8226](https://github.com/traefik/traefik/pull/8226) by [rtribotte](https://github.com/rtribotte))
- **[k8s,k8s/crd]** Disable Cross-Namespace by default for IngressRoute provider ([#8260](https://github.com/traefik/traefik/pull/8260) by [dtomcej](https://github.com/dtomcej))
- **[logs,middleware]** Accesslog: support multiple values for a given header ([#8258](https://github.com/traefik/traefik/pull/8258) by [ldez](https://github.com/ldez))
- **[logs]** Ignore http 1.0 request host missing errors ([#8252](https://github.com/traefik/traefik/pull/8252) by [dtomcej](https://github.com/dtomcej))
- **[middleware]** Headers Middleware: support http.CloseNotifier interface ([#8238](https://github.com/traefik/traefik/pull/8238) by [dtomcej](https://github.com/dtomcej))
- **[tls]** Detect certificates content modifications ([#8243](https://github.com/traefik/traefik/pull/8243) by [jbdoumenjou](https://github.com/jbdoumenjou))
**Documentation:**
- **[middleware,k8s]** Fix invalid subdomain ([#8212](https://github.com/traefik/traefik/pull/8212) by [WLun001](https://github.com/WLun001))
- Add the list of available provider names ([#8225](https://github.com/traefik/traefik/pull/8225) by [WLun001](https://github.com/WLun001))
- Fix maintainers-guidelines page title ([#8216](https://github.com/traefik/traefik/pull/8216) by [kubopanda](https://github.com/kubopanda))
- Typos in contributing section ([#8215](https://github.com/traefik/traefik/pull/8215) by [kubopanda](https://github.com/kubopanda))
## [v2.4.10](https://github.com/traefik/traefik/tree/v2.4.10) (2021-07-13)
[All Commits](https://github.com/traefik/traefik/compare/v2.4.9...v2.4.10)
Release canceled.
## [v2.5.0-rc2](https://github.com/traefik/traefik/tree/v2.5.0-rc2) (2021-06-28)
[All Commits](https://github.com/traefik/traefik/compare/v2.4.0-rc1...v2.5.0-rc2)
**Enhancements:**
- **[file]** Update sprig to v3.2.0 ([#7746](https://github.com/traefik/traefik/pull/7746) by [sirlatrom](https://github.com/sirlatrom))
- **[healthcheck]** Healthcheck: add support at the load-balancers of services level ([#8057](https://github.com/traefik/traefik/pull/8057) by [mpl](https://github.com/mpl))
- **[http3]** Upgrade github.com/lucas-clemente/quic-go ([#8076](https://github.com/traefik/traefik/pull/8076) by [sylr](https://github.com/sylr))
- **[http3]** Add HTTP3 support (experimental) ([#7724](https://github.com/traefik/traefik/pull/7724) by [juliens](https://github.com/juliens))
- **[k8s,k8s/crd,k8s/ingress]** Ignore empty endpoint changes ([#7646](https://github.com/traefik/traefik/pull/7646) by [hensur](https://github.com/hensur))
- **[k8s,k8s/crd]** Improve kubernetes external name service support for UDP ([#7773](https://github.com/traefik/traefik/pull/7773) by [kevinpollet](https://github.com/kevinpollet))
- **[k8s,k8s/crd]** Upgrade the CRD version from apiextensions.k8s.io/v1beta1 to apiextensions.k8s.io/v1 ([#7815](https://github.com/traefik/traefik/pull/7815) by [jbdoumenjou](https://github.com/jbdoumenjou))
- **[k8s,k8s/crd]** Add named port support to Kubernetes IngressRoute CRDs ([#7668](https://github.com/traefik/traefik/pull/7668) by [Cirrith](https://github.com/Cirrith))
- **[k8s,k8s/gatewayapi]** Add wildcard hostname rule to kubernetes gateway ([#7963](https://github.com/traefik/traefik/pull/7963) by [jberger](https://github.com/jberger))
- **[k8s,k8s/gatewayapi]** Allow crossprovider service reference ([#7774](https://github.com/traefik/traefik/pull/7774) by [jbdoumenjou](https://github.com/jbdoumenjou))
- **[k8s,k8s/gatewayapi]** Add support for TCPRoute and TLSRoute ([#8054](https://github.com/traefik/traefik/pull/8054) by [tomMoulard](https://github.com/tomMoulard))
- **[k8s,k8s/ingress]** Filter ingress class resources by name ([#7915](https://github.com/traefik/traefik/pull/7915) by [tomMoulard](https://github.com/tomMoulard))
- **[k8s,k8s/ingress]** Upgrade Ingress Handling to work with networkingv1/Ingress ([#7549](https://github.com/traefik/traefik/pull/7549) by [SantoDE](https://github.com/SantoDE))
- **[k8s,k8s/ingress]** Upgrade IngressClass to use v1 over v1Beta on Kube 1.19+ ([#8089](https://github.com/traefik/traefik/pull/8089) by [SantoDE](https://github.com/SantoDE))
- **[k8s,k8s/ingress]** Add k8s provider option to create services without endpoints ([#7593](https://github.com/traefik/traefik/pull/7593) by [Lucaber](https://github.com/Lucaber))
- **[k8s,k8s/ingress]** Add ServersTransport annotation to k8s ingress provider ([#8084](https://github.com/traefik/traefik/pull/8084) by [wdullaer](https://github.com/wdullaer))
- **[logs,middleware]** Add TLS version and cipher to the accessLog ([#7478](https://github.com/traefik/traefik/pull/7478) by [na4ma4](https://github.com/na4ma4))
- **[metrics]** Allow to define datadogs metrics endpoint with env vars ([#7968](https://github.com/traefik/traefik/pull/7968) by [sylr](https://github.com/sylr))
- **[metrics]** Add TLS certs expiration metric ([#6924](https://github.com/traefik/traefik/pull/6924) by [sylr](https://github.com/sylr))
- **[middleware,metrics]** Add router metrics ([#7510](https://github.com/traefik/traefik/pull/7510) by [jorge07](https://github.com/jorge07))
- **[middleware,tcp]** Add TCP Middlewares support ([#7813](https://github.com/traefik/traefik/pull/7813) by [rtribotte](https://github.com/rtribotte))
- **[middleware]** Deprecates ssl redirect headers middleware options ([#8160](https://github.com/traefik/traefik/pull/8160) by [tomMoulard](https://github.com/tomMoulard))
- **[middleware]** Headers: add `permissionsPolicy` and deprecate `featurePolicy` ([#8200](https://github.com/traefik/traefik/pull/8200) by [WLun001](https://github.com/WLun001))
- **[middleware]** Removes headers middleware options ([#8161](https://github.com/traefik/traefik/pull/8161) by [tomMoulard](https://github.com/tomMoulard))
- **[plugins,provider]** Add plugin&#39;s support for provider ([#7794](https://github.com/traefik/traefik/pull/7794) by [ldez](https://github.com/ldez))
- **[plugins]** Local private plugins. ([#8224](https://github.com/traefik/traefik/pull/8224) by [ldez](https://github.com/ldez))
- **[rules]** Add routing IP rule matcher ([#8169](https://github.com/traefik/traefik/pull/8169) by [tomMoulard](https://github.com/tomMoulard))
- **[rules]** Support not in rules definition ([#8164](https://github.com/traefik/traefik/pull/8164) by [juliens](https://github.com/juliens))
- **[server]** Improve host name resolution for TCP proxy ([#7971](https://github.com/traefik/traefik/pull/7971) by [H-M-H](https://github.com/H-M-H))
- **[server]** Add ability to disable HTTP/2 in dynamic config ([#7645](https://github.com/traefik/traefik/pull/7645) by [jcuzzi](https://github.com/jcuzzi))
- **[sticky-session]** Add a mechanism to format the sticky cookie value ([#8103](https://github.com/traefik/traefik/pull/8103) by [tomMoulard](https://github.com/tomMoulard))
- **[tls]** Mutualize TLS version and cipher code ([#7779](https://github.com/traefik/traefik/pull/7779) by [rtribotte](https://github.com/rtribotte))
- **[tls]** Do not build a default certificate for ACME challenges store ([#7833](https://github.com/traefik/traefik/pull/7833) by [rkojedzinszky](https://github.com/rkojedzinszky))
- **[tracing]** Use Datadog tracer environment variables to setup default config ([#7721](https://github.com/traefik/traefik/pull/7721) by [GianOrtiz](https://github.com/GianOrtiz))
- **[tracing]** Update Elastic APM from 1.7.0 to 1.11.0 ([#8187](https://github.com/traefik/traefik/pull/8187) by [afitzek](https://github.com/afitzek))
- **[tracing]** Override jaeger configuration with env variables ([#8198](https://github.com/traefik/traefik/pull/8198) by [mmatur](https://github.com/mmatur))
- **[udp]** Add udp timeout configuration ([#6982](https://github.com/traefik/traefik/pull/6982) by [Lindenk](https://github.com/Lindenk))
**Bug fixes:**
- **[k8s]** Remove logging of changed object with cast ([#8128](https://github.com/traefik/traefik/pull/8128) by [hensur](https://github.com/hensur))
**Documentation:**
- **[k8s/crd]** Fix: regenerate crd ([#8114](https://github.com/traefik/traefik/pull/8114) by [tomMoulard](https://github.com/tomMoulard))
- **[k8s]** Clarify doc for ingressclass name in k8s 1.18+ ([#7944](https://github.com/traefik/traefik/pull/7944) by [tomMoulard](https://github.com/tomMoulard))
- Update documentation references ([#8202](https://github.com/traefik/traefik/pull/8202) by [rtribotte](https://github.com/rtribotte))
**Misc:**
- **[k8s,k8s/crd,tls]** Improve CA certificate loading from kubernetes secret ([#7789](https://github.com/traefik/traefik/pull/7789) by [rio](https://github.com/rio))
- Merge current v2.4 into master ([#8221](https://github.com/traefik/traefik/pull/8221) by [rtribotte](https://github.com/rtribotte))
- Merge current v2.4 into master ([#8105](https://github.com/traefik/traefik/pull/8105) by [tomMoulard](https://github.com/tomMoulard))
- Merge current v2.4 into master ([#8087](https://github.com/traefik/traefik/pull/8087) by [tomMoulard](https://github.com/tomMoulard))
- Merge current v2.4 into master ([#8068](https://github.com/traefik/traefik/pull/8068) by [jbdoumenjou](https://github.com/jbdoumenjou))
- Merge current v2.4 into master ([#8058](https://github.com/traefik/traefik/pull/8058) by [jbdoumenjou](https://github.com/jbdoumenjou))
- Merge current v2.4 into master ([#8024](https://github.com/traefik/traefik/pull/8024) by [jbdoumenjou](https://github.com/jbdoumenjou))
- Merge current v2.4 into master ([#7969](https://github.com/traefik/traefik/pull/7969) by [jbdoumenjou](https://github.com/jbdoumenjou))
- Merge current v2.4 into master ([#7921](https://github.com/traefik/traefik/pull/7921) by [rtribotte](https://github.com/rtribotte))
- Merge current v2.4 into master ([#7901](https://github.com/traefik/traefik/pull/7901) by [rtribotte](https://github.com/rtribotte))
- Merge current v2.4 into master ([#7859](https://github.com/traefik/traefik/pull/7859) by [jbdoumenjou](https://github.com/jbdoumenjou))
- Merge current v2.4 into master ([#7795](https://github.com/traefik/traefik/pull/7795) by [kevinpollet](https://github.com/kevinpollet))
- Merge current v2.4 into master ([#8210](https://github.com/traefik/traefik/pull/8210) by [rtribotte](https://github.com/rtribotte))
- Merge current v2.4 into master ([#7781](https://github.com/traefik/traefik/pull/7781) by [kevinpollet](https://github.com/kevinpollet))
- Merge current v2.4 into master ([#7766](https://github.com/traefik/traefik/pull/7766) by [ldez](https://github.com/ldez))
- Merge current v2.4 into master ([#7761](https://github.com/traefik/traefik/pull/7761) by [rtribotte](https://github.com/rtribotte))
- Merge current v2.4 into master ([#7748](https://github.com/traefik/traefik/pull/7748) by [kevinpollet](https://github.com/kevinpollet))
- Merge current v2.4 into master ([#7728](https://github.com/traefik/traefik/pull/7728) by [mmatur](https://github.com/mmatur))
## [v2.5.0-rc1](https://github.com/traefik/traefik/tree/v2.5.0-rc1) (2021-06-28)
Release canceled.
## [v2.4.9](https://github.com/traefik/traefik/tree/v2.4.9) (2021-06-21)
[All Commits](https://github.com/traefik/traefik/compare/v2.4.8...v2.4.9)
**Bug fixes:**
- **[acme]** Update go-acme/lego to v4.4.0 ([#8179](https://github.com/traefik/traefik/pull/8179) by [ldez](https://github.com/ldez))
- **[acme]** Fix: ACME preferred chain. ([#8146](https://github.com/traefik/traefik/pull/8146) by [ldez](https://github.com/ldez))
- **[k8s,k8s/gatewayapi]** Remove error when HTTProutes is empty ([#8023](https://github.com/traefik/traefik/pull/8023) by [tomMoulard](https://github.com/tomMoulard))
- **[k8s,k8s/ingress]** Fix incorrect behaviour with multi-port endpoint subsets ([#8156](https://github.com/traefik/traefik/pull/8156) by [coufalja](https://github.com/coufalja))
- **[k8s,k8s/ingress]** Kubernetes ingress provider to search via all endpoints ([#7997](https://github.com/traefik/traefik/pull/7997) by [martinvizvary](https://github.com/martinvizvary))
- **[plugins,windows]** Fix plugin unzip call on windows ([#8136](https://github.com/traefik/traefik/pull/8136) by [ddtmachado](https://github.com/ddtmachado))
- **[plugins]** Update Yaegi to v0.9.17 ([#8100](https://github.com/traefik/traefik/pull/8100) by [ldez](https://github.com/ldez))
- **[provider]** Bump paerser to v0.1.4 ([#8116](https://github.com/traefik/traefik/pull/8116) by [ldez](https://github.com/ldez))
- **[server]** Create buffered signals channel ([#8190](https://github.com/traefik/traefik/pull/8190) by [dtomcej](https://github.com/dtomcej))
- **[server]** Fix: use defaultEntryPoints when no entryPoint is defined in a TCPRouter ([#8111](https://github.com/traefik/traefik/pull/8111) by [LandryBe](https://github.com/LandryBe))
- **[tls]** Use a dynamic buffer to handle client Hello SNI detection ([#8194](https://github.com/traefik/traefik/pull/8194) by [ldez](https://github.com/ldez))
- **[tracing]** Error span on 5xx only ([#8033](https://github.com/traefik/traefik/pull/8033) by [kevtainer](https://github.com/kevtainer))
**Documentation:**
- **[k8s,k8s/crd]** Fix ingressRouteTCP external name service examples in documentation ([#8120](https://github.com/traefik/traefik/pull/8120) by [rtribotte](https://github.com/rtribotte))
- **[k8s,k8s/gatewayapi]** Fix Kubernetes Gateway API documentation links ([#8063](https://github.com/traefik/traefik/pull/8063) by [jbdoumenjou](https://github.com/jbdoumenjou))
- **[k8s,k8s/gatewayapi]** Fix: k8s gateway api link ([#8085](https://github.com/traefik/traefik/pull/8085) by [tomMoulard](https://github.com/tomMoulard))
- **[k8s,k8s/gatewayapi]** Fix the &#34;values&#34; field in the example of httproute ([#8192](https://github.com/traefik/traefik/pull/8192) by [maelvls](https://github.com/maelvls))
- **[k8s/crd]** Fix ServersTransport documentation ([#8019](https://github.com/traefik/traefik/pull/8019) by [tomMoulard](https://github.com/tomMoulard))
- **[k8s]** Correct annotation option ([#8031](https://github.com/traefik/traefik/pull/8031) by [cbergmann](https://github.com/cbergmann))
- **[metrics]** Add metrics documentation ([#8007](https://github.com/traefik/traefik/pull/8007) by [rtribotte](https://github.com/rtribotte))
- **[middleware]** Docs: add examples for removing headers ([#8030](https://github.com/traefik/traefik/pull/8030) by [SuperSandro2000](https://github.com/SuperSandro2000))
- **[middleware]** Doc: clarify usage for ratelimit&#39;s excludedIPs ([#8072](https://github.com/traefik/traefik/pull/8072) by [mpl](https://github.com/mpl))
- **[middleware]** Elaborate on possible use of status codes with the errors middleware ([#8176](https://github.com/traefik/traefik/pull/8176) by [Midnighter](https://github.com/Midnighter))
- **[middleware]** Doc: fix a syntax error in ratelimit TOML configuration sample ([#8101](https://github.com/traefik/traefik/pull/8101) by [mvertes](https://github.com/mvertes))
- **[pilot]** Docs: add pilot dashboard flag to static configuration file reference ([#8152](https://github.com/traefik/traefik/pull/8152) by [danshilm](https://github.com/danshilm))
- Adding Maintainers Guidelines ([#8168](https://github.com/traefik/traefik/pull/8168) by [jakubhajek](https://github.com/jakubhajek))
- Explains Traefik HTTP response status codes ([#8170](https://github.com/traefik/traefik/pull/8170) by [rtribotte](https://github.com/rtribotte))
- Doc: typo fix ([#8026](https://github.com/traefik/traefik/pull/8026) by [mpl](https://github.com/mpl))
- Adding formatting to the document. ([#8180](https://github.com/traefik/traefik/pull/8180) by [jakubhajek](https://github.com/jakubhajek))
- Changing default file format for the snippets from TOML to YAML ([#8193](https://github.com/traefik/traefik/pull/8193) by [tomMoulard](https://github.com/tomMoulard))
## [v2.4.8](https://github.com/traefik/traefik/tree/v2.4.8) (2021-03-22)
[All Commits](https://github.com/traefik/traefik/compare/v2.4.7...v2.4.8)
**Bug fixes:**
- **[acme]** Update go-acme/lego to v4.3.1 ([#7980](https://github.com/traefik/traefik/pull/7980) by [ldez](https://github.com/ldez))
- **[acme]** Update go-acme/lego to v4.3.0 ([#7975](https://github.com/traefik/traefik/pull/7975) by [ldez](https://github.com/ldez))
- **[k8s,k8s/gatewayapi]** Update to gateway-api v0.2.0 ([#7943](https://github.com/traefik/traefik/pull/7943) by [jbdoumenjou](https://github.com/jbdoumenjou))
- **[pilot,webui]** Adding an option to (de)activate Pilot integration into the Traefik dashboard ([#7994](https://github.com/traefik/traefik/pull/7994) by [tomMoulard](https://github.com/tomMoulard))
- **[rules]** Raise errors for non-ASCII domain names in a router&#39;s rules ([#7986](https://github.com/traefik/traefik/pull/7986) by [rtribotte](https://github.com/rtribotte))
- **[server]** Update pires/go-proxyproto to v0.5.0 ([#7948](https://github.com/traefik/traefik/pull/7948) by [mschneider82](https://github.com/mschneider82))
**Documentation:**
- **[middleware]** Improve basic auth middleware httpasswd example ([#7992](https://github.com/traefik/traefik/pull/7992) by [d3473r](https://github.com/d3473r))
- **[middleware]** Add missing `traefik.` prefix across sample config ([#7990](https://github.com/traefik/traefik/pull/7990) by [deepyaman](https://github.com/deepyaman))
- **[middleware]** Remove a no longer needed note ([#7979](https://github.com/traefik/traefik/pull/7979) by [cmcga1125](https://github.com/cmcga1125))
## [v2.4.7](https://github.com/traefik/traefik/tree/v2.4.7) (2021-03-08)
[All Commits](https://github.com/traefik/traefik/compare/v2.4.6...v2.4.7)
**Bug fixes:**
- **[acme]** Fix: double close chan on TLS challenge ([#7956](https://github.com/traefik/traefik/pull/7956) by [ldez](https://github.com/ldez))
- **[provider]** Bump paerser to v0.1.2 ([#7945](https://github.com/traefik/traefik/pull/7945) by [jbdoumenjou](https://github.com/jbdoumenjou))
- **[server]** Feature: tune transport buffer size to increase performance ([#7957](https://github.com/traefik/traefik/pull/7957) by [mvertes](https://github.com/mvertes))
**Documentation:**
- **[service]** Fix ServersTransport documentation ([#7942](https://github.com/traefik/traefik/pull/7942) by [rtribotte](https://github.com/rtribotte))
## [v2.4.6](https://github.com/traefik/traefik/tree/v2.4.6) (2021-03-01)
[All Commits](https://github.com/traefik/traefik/compare/v2.4.5...v2.4.6)
**Bug fixes:**
- **[plugins]** Update Yaegi to v0.9.13 ([#7928](https://github.com/traefik/traefik/pull/7928) by [ldez](https://github.com/ldez))
- **[provider]** Fix: wait for file and internal before applying configurations ([#7925](https://github.com/traefik/traefik/pull/7925) by [juliens](https://github.com/juliens))
**Documentation:**
- **[file]** Fix reflink typo in file provider documentation ([#7913](https://github.com/traefik/traefik/pull/7913) by [vgerak](https://github.com/vgerak))
- **[k8s/serviceapi]** Fix Kubernetes Gateway API documentation links ([#7914](https://github.com/traefik/traefik/pull/7914) by [kevinpollet](https://github.com/kevinpollet))
- **[service]** Fix typo in routing/services/index.md ([#7922](https://github.com/traefik/traefik/pull/7922) by [snikch](https://github.com/snikch))
- Fixing doc for default value of checknewversion ([#7933](https://github.com/traefik/traefik/pull/7933) by [tomMoulard](https://github.com/tomMoulard))
## [v2.4.5](https://github.com/traefik/traefik/tree/v2.4.5) (2021-02-18)
[All Commits](https://github.com/traefik/traefik/compare/v2.4.3...v2.4.5)
**Bug fixes:**
- **[webui]** Only allow iframes to be loaded from our domain ([#7904](https://github.com/traefik/traefik/pull/7904) by [SantoDE](https://github.com/SantoDE))
## [v2.4.4](https://github.com/traefik/traefik/tree/v2.4.4) (2021-02-18)
[All Commits](https://github.com/traefik/traefik/compare/v2.4.3...v2.4.4)
Release canceled.
## [v2.4.3](https://github.com/traefik/traefik/tree/v2.4.3) (2021-02-15)
[All Commits](https://github.com/traefik/traefik/compare/v2.4.2...v2.4.3)
**Bug fixes:**
- **[acme]** Fix TLS challenge timeout and validation error ([#7879](https://github.com/traefik/traefik/pull/7879) by [ldez](https://github.com/ldez))
- **[consulcatalog]** Fixed typo in consul catalog tests ([#7865](https://github.com/traefik/traefik/pull/7865) by [apollo13](https://github.com/apollo13))
- **[middleware]** Apply content type exclusion on response ([#7888](https://github.com/traefik/traefik/pull/7888) by [jbdoumenjou](https://github.com/jbdoumenjou))
**Documentation:**
- **[middleware]** Add HEAD as available option for Method ([#7858](https://github.com/traefik/traefik/pull/7858) by [mlandauer](https://github.com/mlandauer))
- **[middleware]** Middleware documentation fixes ([#7808](https://github.com/traefik/traefik/pull/7808) by [Ullaakut](https://github.com/Ullaakut))
- **[provider]** Add missing doc about servers transport ([#7894](https://github.com/traefik/traefik/pull/7894) by [ldez](https://github.com/ldez))
- **[provider]** Provider documentation fixes ([#7823](https://github.com/traefik/traefik/pull/7823) by [Ullaakut](https://github.com/Ullaakut))
- Fix the static reference documentation for the internal redirection router ([#7860](https://github.com/traefik/traefik/pull/7860) by [jbdoumenjou](https://github.com/jbdoumenjou))
## [v2.4.2](https://github.com/traefik/traefik/tree/v2.4.2) (2021-02-02)
[All Commits](https://github.com/traefik/traefik/compare/v2.4.1...v2.4.2)
**Bug fixes:**
- **[acme]** Fix the redirect entrypoint default priority ([#7851](https://github.com/traefik/traefik/pull/7851) by [jbdoumenjou](https://github.com/jbdoumenjou))
- **[middleware]** Fix the infinite loop in forwarded header middleware. ([#7847](https://github.com/traefik/traefik/pull/7847) by [ldez](https://github.com/ldez))
**Documentation:**
- Fix the static configuration generation for environment variables ([#7849](https://github.com/traefik/traefik/pull/7849) by [jbdoumenjou](https://github.com/jbdoumenjou))
## [v2.4.1](https://github.com/traefik/traefik/tree/v2.4.1) (2021-02-01)
[All Commits](https://github.com/traefik/traefik/compare/v2.4.0...v2.4.1)

9
CONTRIBUTING.md
View File

@@ -1,4 +1,9 @@
# Contributing
- https://doc.traefik.io/traefik/contributing/submitting-pull-requests/
- https://doc.traefik.io/traefik/contributing/submitting-issues/
Here are some guidelines that should help to start contributing to the project.
- [Submitting pull Requests](https://github.com/traefik/contributors-guide/blob/master/pr_guidelines.md)
- [Submitting issues](https://doc.traefik.io/traefik/contributing/submitting-issues/)
- [Submitting security issues](docs/content/contributing/submitting-security-issues.md)
If you are willing to become a maintainer of the project, please take a look at the [maintainers guidelines](docs/content/contributing/maintainers-guidelines.md).

43
Makefile
View File

@@ -7,7 +7,7 @@ SHA := $(shell git rev-parse HEAD)
VERSION_GIT := $(if $(TAG_NAME),$(TAG_NAME),$(SHA))
VERSION := $(if $(VERSION),$(VERSION),$(VERSION_GIT))
BIND_DIR := "dist"
BIND_DIR := dist
GIT_BRANCH := $(subst heads/,,$(shell git rev-parse --abbrev-ref HEAD 2>/dev/null))
TRAEFIK_DEV_IMAGE := traefik-dev$(if $(GIT_BRANCH),:$(subst /,-,$(GIT_BRANCH)))
@@ -58,23 +58,24 @@ build-webui-image:
docker build -t traefik-webui --build-arg ARG_PLATFORM_URL=$(PLATFORM_URL) -f webui/Dockerfile webui
## Generate WebUI
generate-webui: build-webui-image
generate-webui:
if [ ! -d "static" ]; then \
$(MAKE) build-webui-image; \
mkdir -p static; \
docker run --rm -v "$$PWD/static":'/src/static' traefik-webui npm run build:nc; \
docker run --rm -v "$$PWD/static":'/src/static' traefik-webui chown -R $(shell id -u):$(shell id -g) ../static; \
echo 'For more informations show `webui/readme.md`' > $$PWD/static/DONT-EDIT-FILES-IN-THIS-DIRECTORY.md; \
echo 'For more information show `webui/readme.md`' > $$PWD/static/DONT-EDIT-FILES-IN-THIS-DIRECTORY.md; \
fi
## Build the linux binary
binary: generate-webui $(PRE_TARGET)
$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK)) ./script/make.sh generate binary
## Build the binary for the standard plaforms (linux, darwin, windows)
## Build the binary for the standard platforms (linux, darwin, windows)
crossbinary-default: generate-webui build-dev-image
$(DOCKER_RUN_TRAEFIK_NOTTY) ./script/make.sh generate crossbinary-default
## Build the binary for the standard plaforms (linux, darwin, windows) in parallel
## Build the binary for the standard platforms (linux, darwin, windows) in parallel
crossbinary-default-parallel:
$(MAKE) generate-webui
$(MAKE) build-dev-image crossbinary-default
@@ -92,8 +93,16 @@ pull-images:
grep --no-filename -E '^\s+image:' ./integration/resources/compose/*.yml | awk '{print $$2}' | sort | uniq | xargs -P 6 -n 1 docker pull
## Run the integration tests
test-integration: $(PRE_TARGET)
$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK),TEST_CONTAINER=1) ./script/make.sh generate binary test-integration
test-integration: $(PRE_TARGET) binary
$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK),TEST_CONTAINER=1) ./script/make.sh test-integration
TEST_HOST=1 ./script/make.sh test-integration
## Run the container integration tests
test-integration-container: $(PRE_TARGET) binary
$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK),TEST_CONTAINER=1) ./script/make.sh test-integration
## Run the host integration tests
test-integration-host: $(PRE_TARGET) binary
TEST_HOST=1 ./script/make.sh test-integration
## Validate code and docs
@@ -123,26 +132,34 @@ shell: build-dev-image
docs:
make -C ./docs docs
## Serve the documentation site localy
## Serve the documentation site locally
docs-serve:
make -C ./docs docs-serve
## Pull image for doc building
docs-pull-images:
make -C ./docs docs-pull-images
## Generate CRD clientset
generate-crd:
./script/update-generated-crd-code.sh
@$(CURDIR)/script/code-gen.sh
## Generate code from dynamic configuration https://github.com/traefik/genconf
generate-genconf:
go run ./cmd/internal/gen/
## Create packages for the release
release-packages: generate-webui build-dev-image
release-packages: generate-webui $(PRE_TARGET)
rm -rf dist
$(DOCKER_RUN_TRAEFIK_NOTTY) goreleaser release --skip-publish --timeout="60m"
$(DOCKER_RUN_TRAEFIK_NOTTY) tar cfz dist/traefik-${VERSION}.src.tar.gz \
$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK_NOTTY)) goreleaser release --skip-publish --timeout="90m"
$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK_NOTTY)) tar cfz dist/traefik-${VERSION}.src.tar.gz \
--exclude-vcs \
--exclude .idea \
--exclude .travis \
--exclude .semaphoreci \
--exclude .github \
--exclude dist .
$(DOCKER_RUN_TRAEFIK_NOTTY) chown -R $(shell id -u):$(shell id -g) dist/
$(if $(PRE_TARGET),$(DOCKER_RUN_TRAEFIK_NOTTY)) chown -R $(shell id -u):$(shell id -g) dist/
## Format the Code
fmt:

6
README.md
View File

@@ -6,7 +6,6 @@
[![Build Status SemaphoreCI](https://semaphoreci.com/api/v1/containous/traefik/branches/master/shields_badge.svg)](https://semaphoreci.com/containous/traefik)
[![Docs](https://img.shields.io/badge/docs-current-brightgreen.svg)](https://doc.traefik.io/traefik)
[![Go Report Card](https://goreportcard.com/badge/traefik/traefik)](https://goreportcard.com/report/traefik/traefik)
[![](https://images.microbadger.com/badges/image/traefik.svg)](https://microbadger.com/images/traefik)
[![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/traefik/traefik/blob/master/LICENSE.md)
[![Join the community support forum at https://community.traefik.io/](https://img.shields.io/badge/style-register-green.svg?style=social&label=Discourse)](https://community.traefik.io/)
[![Twitter](https://img.shields.io/twitter/follow/traefik.svg?style=social)](https://twitter.com/intent/follow?screen_name=traefik)
@@ -126,7 +125,10 @@ You can find high level and deep dive videos on [videos.traefik.io](https://vide
## Maintainers
[Information about process and maintainers](docs/content/contributing/maintainers.md)
We are strongly promoting a philosophy of openness and sharing, and firmly standing against the elitist closed approach. Being part of the core team should be accessible to anyone who is motivated and want to be part of that journey!
This [document](docs/content/contributing/maintainers-guidelines.md) describes how to be part of the core team as well as various responsibilities and guidelines for Traefik maintainers.
You can also find more information on our process to review pull requests and manage issues [in this document](docs/content/contributing/maintainers.md).
## Contributing

4
build.Dockerfile
View File

@@ -1,4 +1,4 @@
FROM golang:1.15-alpine
FROM golang:1.17-alpine
RUN apk --update upgrade \
&& apk --no-cache --no-progress add git mercurial bash gcc musl-dev curl tar ca-certificates tzdata \
@@ -19,7 +19,7 @@ RUN mkdir -p /usr/local/bin \
&& chmod +x /usr/local/bin/go-bindata
# Download golangci-lint binary to bin folder in $GOPATH
RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.36.0
RUN curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | bash -s -- -b $GOPATH/bin v1.41.1
# Download misspell binary to bin folder in $GOPATH
RUN curl -sfL https://raw.githubusercontent.com/client9/misspell/master/install-misspell.sh | bash -s -- -b $GOPATH/bin v0.3.4

22
cmd/context.go
View File

@@ -1,22 +0,0 @@
package cmd
import (
"context"
"os"
"os/signal"
"syscall"
)
// ContextWithSignal creates a context canceled when SIGINT or SIGTERM are notified.
func ContextWithSignal(ctx context.Context) context.Context {
newCtx, cancel := context.WithCancel(ctx)
signals := make(chan os.Signal)
signal.Notify(signals, syscall.SIGINT, syscall.SIGTERM)
go func() {
select {
case <-signals:
cancel()
}
}()
return newCtx
}

347
cmd/internal/gen/centrifuge.go Normal file
View File

@@ -0,0 +1,347 @@
package main
import (
"bytes"
"fmt"
"go/format"
"go/importer"
"go/token"
"go/types"
"io"
"log"
"os"
"path"
"path/filepath"
"reflect"
"sort"
"strings"
"golang.org/x/tools/imports"
)
// File a kind of AST element that represents a file.
type File struct {
Package string
Imports []string
Elements []Element
}
// Element is a simplified version of a symbol.
type Element struct {
Name string
Value string
}
// Centrifuge a centrifuge.
// Generate Go Structures from Go structures.
type Centrifuge struct {
IncludedImports []string
ExcludedTypes []string
ExcludedFiles []string
TypeCleaner func(types.Type, string) string
PackageCleaner func(string) string
rootPkg string
fileSet *token.FileSet
pkg *types.Package
}
// NewCentrifuge creates a new Centrifuge.
func NewCentrifuge(rootPkg string) (*Centrifuge, error) {
fileSet := token.NewFileSet()
pkg, err := importer.ForCompiler(fileSet, "source", nil).Import(rootPkg)
if err != nil {
return nil, err
}
return &Centrifuge{
fileSet: fileSet,
pkg: pkg,
rootPkg: rootPkg,
TypeCleaner: func(typ types.Type, _ string) string {
return typ.String()
},
PackageCleaner: func(s string) string {
return s
},
}, nil
}
// Run runs the code extraction and the code generation.
func (c Centrifuge) Run(dest string, pkgName string) error {
files, err := c.run(c.pkg.Scope(), c.rootPkg, pkgName)
if err != nil {
return err
}
err = fileWriter{baseDir: dest}.Write(files)
if err != nil {
return err
}
for _, p := range c.pkg.Imports() {
if contains(c.IncludedImports, p.Path()) {
fls, err := c.run(p.Scope(), p.Path(), p.Name())
if err != nil {
return err
}
err = fileWriter{baseDir: filepath.Join(dest, p.Name())}.Write(fls)
if err != nil {
return err
}
}
}
return err
}
func (c Centrifuge) run(sc *types.Scope, rootPkg string, pkgName string) (map[string]*File, error) {
files := map[string]*File{}
for _, name := range sc.Names() {
if contains(c.ExcludedTypes, name) {
continue
}
o := sc.Lookup(name)
if !o.Exported() {
continue
}
filename := filepath.Base(c.fileSet.File(o.Pos()).Name())
if contains(c.ExcludedFiles, path.Join(rootPkg, filename)) {
continue
}
fl, ok := files[filename]
if !ok {
files[filename] = &File{Package: pkgName}
fl = files[filename]
}
elt := Element{
Name: name,
}
switch ob := o.(type) {
case *types.TypeName:
switch obj := ob.Type().(*types.Named).Underlying().(type) {
case *types.Struct:
elt.Value = c.writeStruct(name, obj, rootPkg, fl)
case *types.Map:
elt.Value = fmt.Sprintf("type %s map[%s]%s\n", name, obj.Key().String(), c.TypeCleaner(obj.Elem(), rootPkg))
case *types.Slice:
elt.Value = fmt.Sprintf("type %s []%v\n", name, c.TypeCleaner(obj.Elem(), rootPkg))
case *types.Basic:
elt.Value = fmt.Sprintf("type %s %v\n", name, obj.Name())
default:
log.Printf("OTHER TYPE::: %s %T\n", name, o.Type().(*types.Named).Underlying())
continue
}
default:
log.Printf("OTHER::: %s %T\n", name, o)
continue
}
if len(elt.Value) > 0 {
fl.Elements = append(fl.Elements, elt)
}
}
return files, nil
}
func (c Centrifuge) writeStruct(name string, obj *types.Struct, rootPkg string, elt *File) string {
b := strings.Builder{}
b.WriteString(fmt.Sprintf("type %s struct {\n", name))
for i := 0; i < obj.NumFields(); i++ {
field := obj.Field(i)
if !field.Exported() {
continue
}
fPkg := c.PackageCleaner(extractPackage(field.Type()))
if fPkg != "" && fPkg != rootPkg {
elt.Imports = append(elt.Imports, fPkg)
}
fType := c.TypeCleaner(field.Type(), rootPkg)
if field.Embedded() {
b.WriteString(fmt.Sprintf("\t%s\n", fType))
continue
}
values, ok := lookupTagValue(obj.Tag(i), "json")
if len(values) > 0 && values[0] == "-" {
continue
}
b.WriteString(fmt.Sprintf("\t%s %s", field.Name(), fType))
if ok {
b.WriteString(fmt.Sprintf(" `json:\"%s\"`", strings.Join(values, ",")))
}
b.WriteString("\n")
}
b.WriteString("}\n")
return b.String()
}
func lookupTagValue(raw, key string) ([]string, bool) {
value, ok := reflect.StructTag(raw).Lookup(key)
if !ok {
return nil, ok
}
values := strings.Split(value, ",")
if len(values) < 1 {
return nil, true
}
return values, true
}
func extractPackage(t types.Type) string {
switch tu := t.(type) {
case *types.Named:
return tu.Obj().Pkg().Path()
case *types.Slice:
if v, ok := tu.Elem().(*types.Named); ok {
return v.Obj().Pkg().Path()
}
return ""
case *types.Map:
if v, ok := tu.Elem().(*types.Named); ok {
return v.Obj().Pkg().Path()
}
return ""
case *types.Pointer:
return extractPackage(tu.Elem())
default:
return ""
}
}
func contains(values []string, value string) bool {
for _, val := range values {
if val == value {
return true
}
}
return false
}
type fileWriter struct {
baseDir string
}
func (f fileWriter) Write(files map[string]*File) error {
err := os.MkdirAll(f.baseDir, 0755)
if err != nil {
return err
}
for name, file := range files {
err = f.writeFile(name, file)
if err != nil {
return err
}
}
return nil
}
func (f fileWriter) writeFile(name string, desc *File) error {
if len(desc.Elements) == 0 {
return nil
}
filename := filepath.Join(f.baseDir, name)
file, err := os.Create(filename)
if err != nil {
return fmt.Errorf("failed to create file: %w", err)
}
defer func() { _ = file.Close() }()
b := bytes.NewBufferString("package ")
b.WriteString(desc.Package)
b.WriteString("\n")
b.WriteString("// Code generated by centrifuge. DO NOT EDIT.\n")
b.WriteString("\n")
f.writeImports(b, desc.Imports)
b.WriteString("\n")
for _, elt := range desc.Elements {
b.WriteString(elt.Value)
b.WriteString("\n")
}
// gofmt
source, err := format.Source(b.Bytes())
if err != nil {
log.Println(b.String())
return fmt.Errorf("failed to format sources: %w", err)
}
// goimports
process, err := imports.Process(filename, source, nil)
if err != nil {
log.Println(string(source))
return fmt.Errorf("failed to format imports: %w", err)
}
_, err = file.Write(process)
if err != nil {
return err
}
return nil
}
func (f fileWriter) writeImports(b io.StringWriter, imports []string) {
if len(imports) == 0 {
return
}
uniq := map[string]struct{}{}
sort.Strings(imports)
_, _ = b.WriteString("import (\n")
for _, s := range imports {
if _, exist := uniq[s]; exist {
continue
}
uniq[s] = struct{}{}
_, _ = b.WriteString(fmt.Sprintf(` "%s"`+"\n", s))
}
_, _ = b.WriteString(")\n")
}

124
cmd/internal/gen/main.go Normal file
View File

@@ -0,0 +1,124 @@
package main
import (
"fmt"
"go/build"
"go/types"
"io/ioutil"
"log"
"path"
"path/filepath"
"strings"
)
const rootPkg = "github.com/traefik/traefik/v2/pkg/config/dynamic"
const (
destModuleName = "github.com/traefik/genconf"
destPkg = "dynamic"
)
const marsh = `package %s
import "encoding/json"
type JSONPayload struct {
*Configuration
}
func (c JSONPayload) MarshalJSON() ([]byte, error) {
if c.Configuration == nil {
return nil, nil
}
return json.Marshal(c.Configuration)
}
`
// main generate Go Structures from Go structures.
// Allows to create an external module (destModuleName) used by the plugin's providers
// that contains Go structs of the dynamic configuration and nothing else.
// These Go structs do not have any non-exported fields and do not rely on any external dependencies.
func main() {
dest := filepath.Join(path.Join(build.Default.GOPATH, "src"), destModuleName, destPkg)
log.Println("Output:", dest)
err := run(dest)
if err != nil {
log.Fatal(err)
}
}
func run(dest string) error {
centrifuge, err := NewCentrifuge(rootPkg)
if err != nil {
return err
}
centrifuge.IncludedImports = []string{
"github.com/traefik/traefik/v2/pkg/tls",
"github.com/traefik/traefik/v2/pkg/types",
}
centrifuge.ExcludedTypes = []string{
// tls
"CertificateStore", "Manager",
// dynamic
"Message", "Configurations",
// types
"HTTPCodeRanges", "HostResolverConfig",
}
centrifuge.ExcludedFiles = []string{
"github.com/traefik/traefik/v2/pkg/types/logs.go",
"github.com/traefik/traefik/v2/pkg/types/metrics.go",
}
centrifuge.TypeCleaner = cleanType
centrifuge.PackageCleaner = cleanPackage
err = centrifuge.Run(dest, destPkg)
if err != nil {
return err
}
return ioutil.WriteFile(filepath.Join(dest, "marshaler.go"), []byte(fmt.Sprintf(marsh, destPkg)), 0666)
}
func cleanType(typ types.Type, base string) string {
if typ.String() == "github.com/traefik/traefik/v2/pkg/tls.FileOrContent" {
return "string"
}
if typ.String() == "[]github.com/traefik/traefik/v2/pkg/tls.FileOrContent" {
return "[]string"
}
if typ.String() == "github.com/traefik/paerser/types.Duration" {
return "string"
}
if strings.Contains(typ.String(), base) {
return strings.ReplaceAll(typ.String(), base+".", "")
}
if strings.Contains(typ.String(), "github.com/traefik/traefik/v2/pkg/") {
return strings.ReplaceAll(typ.String(), "github.com/traefik/traefik/v2/pkg/", "")
}
return typ.String()
}
func cleanPackage(src string) string {
switch src {
case "github.com/traefik/paerser/types":
return ""
case "github.com/traefik/traefik/v2/pkg/tls":
return path.Join(destModuleName, destPkg, "tls")
case "github.com/traefik/traefik/v2/pkg/types":
return path.Join(destModuleName, destPkg, "types")
default:
return src
}
}

77
cmd/traefik/plugins.go
View File

@@ -1,6 +1,8 @@
package main
import (
"fmt"
"github.com/traefik/traefik/v2/pkg/config/static"
"github.com/traefik/traefik/v2/pkg/plugins"
)
@@ -8,35 +10,69 @@ import (
const outputDir = "./plugins-storage/"
func createPluginBuilder(staticConfiguration *static.Configuration) (*plugins.Builder, error) {
client, plgs, devPlugin, err := initPlugins(staticConfiguration)
client, plgs, localPlgs, err := initPlugins(staticConfiguration)
if err != nil {
return nil, err
}
return plugins.NewBuilder(client, plgs, devPlugin)
return plugins.NewBuilder(client, plgs, localPlgs)
}
func initPlugins(staticCfg *static.Configuration) (*plugins.Client, map[string]plugins.Descriptor, *plugins.DevPlugin, error) {
if !isPilotEnabled(staticCfg) || !hasPlugins(staticCfg) {
return nil, map[string]plugins.Descriptor{}, nil, nil
}
opts := plugins.ClientOptions{
Output: outputDir,
Token: staticCfg.Pilot.Token,
}
client, err := plugins.NewClient(opts)
func initPlugins(staticCfg *static.Configuration) (*plugins.Client, map[string]plugins.Descriptor, map[string]plugins.LocalDescriptor, error) {
err := checkUniquePluginNames(staticCfg.Experimental)
if err != nil {
return nil, nil, nil, err
}
err = plugins.Setup(client, staticCfg.Experimental.Plugins, staticCfg.Experimental.DevPlugin)
if err != nil {
return nil, nil, nil, err
var client *plugins.Client
plgs := map[string]plugins.Descriptor{}
if isPilotEnabled(staticCfg) && hasPlugins(staticCfg) {
opts := plugins.ClientOptions{
Output: outputDir,
Token: staticCfg.Pilot.Token,
}
var err error
client, err = plugins.NewClient(opts)
if err != nil {
return nil, nil, nil, err
}
err = plugins.SetupRemotePlugins(client, staticCfg.Experimental.Plugins)
if err != nil {
return nil, nil, nil, err
}
plgs = staticCfg.Experimental.Plugins
}
return client, staticCfg.Experimental.Plugins, staticCfg.Experimental.DevPlugin, nil
localPlgs := map[string]plugins.LocalDescriptor{}
if hasLocalPlugins(staticCfg) {
err := plugins.SetupLocalPlugins(staticCfg.Experimental.LocalPlugins)
if err != nil {
return nil, nil, nil, err
}
localPlgs = staticCfg.Experimental.LocalPlugins
}
return client, plgs, localPlgs, nil
}
func checkUniquePluginNames(e *static.Experimental) error {
if e == nil {
return nil
}
for s := range e.LocalPlugins {
if _, ok := e.Plugins[s]; ok {
return fmt.Errorf("the plugin's name %q must be unique", s)
}
}
return nil
}
func isPilotEnabled(staticCfg *static.Configuration) bool {
@@ -44,6 +80,9 @@ func isPilotEnabled(staticCfg *static.Configuration) bool {
}
func hasPlugins(staticCfg *static.Configuration) bool {
return staticCfg.Experimental != nil &&
(len(staticCfg.Experimental.Plugins) > 0 || staticCfg.Experimental.DevPlugin != nil)
return staticCfg.Experimental != nil && len(staticCfg.Experimental.Plugins) > 0
}
func hasLocalPlugins(staticCfg *static.Configuration) bool {
return staticCfg.Experimental != nil && len(staticCfg.Experimental.LocalPlugins) > 0
}

105
cmd/traefik/traefik.go
View File

@@ -2,18 +2,23 @@ package main
import (
"context"
"crypto/x509"
"encoding/json"
"fmt"
stdlog "log"
"net/http"
"os"
"os/signal"
"path/filepath"
"sort"
"strings"
"syscall"
"time"
"github.com/coreos/go-systemd/daemon"
assetfs "github.com/elazarl/go-bindata-assetfs"
"github.com/go-acme/lego/v4/challenge"
gokitmetrics "github.com/go-kit/kit/metrics"
"github.com/sirupsen/logrus"
"github.com/traefik/paerser/cli"
"github.com/traefik/traefik/v2/autogen/genstatic"
@@ -119,13 +124,7 @@ func runCmd(staticConfiguration *static.Configuration) error {
return err
}
ctx := cmd.ContextWithSignal(context.Background())
if staticConfiguration.Experimental != nil && staticConfiguration.Experimental.DevPlugin != nil {
var cancel context.CancelFunc
ctx, cancel = context.WithTimeout(ctx, 30*time.Minute)
defer cancel()
}
ctx, _ := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
if staticConfiguration.Ping != nil {
staticConfiguration.Ping.WithContext(ctx)
@@ -186,7 +185,9 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
tlsManager := traefiktls.NewManager()
httpChallengeProvider := acme.NewChallengeHTTP()
tlsChallengeProvider := acme.NewChallengeTLSALPN(time.Duration(staticConfiguration.Providers.ProvidersThrottleDuration))
// we need to wait at least 2 times the ProvidersThrottleDuration to be sure to handle the challenge.
tlsChallengeProvider := acme.NewChallengeTLSALPN(time.Duration(staticConfiguration.Providers.ProvidersThrottleDuration) * 2)
err = providerAggregator.AddProvider(tlsChallengeProvider)
if err != nil {
return nil, err
@@ -220,6 +221,10 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
})
}
if staticConfiguration.Pilot != nil {
version.PilotEnabled = staticConfiguration.Pilot.Dashboard
}
// Plugins
pluginBuilder, err := createPluginBuilder(staticConfiguration)
@@ -227,6 +232,20 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
return nil, err
}
// Providers plugins
for name, conf := range staticConfiguration.Providers.Plugin {
p, err := pluginBuilder.BuildProvider(name, conf)
if err != nil {
return nil, fmt.Errorf("plugin: failed to build provider: %w", err)
}
err = providerAggregator.AddProvider(p)
if err != nil {
return nil, fmt.Errorf("plugin: failed to add provider: %w", err)
}
}
// Metrics
metricRegistries := registerMetricClients(staticConfiguration.Metrics)
@@ -245,7 +264,7 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
accessLog := setupAccessLog(staticConfiguration.AccessLog)
chainBuilder := middleware.NewChainBuilder(*staticConfiguration, metricsRegistry, accessLog)
routerFactory := server.NewRouterFactory(*staticConfiguration, managerFactory, tlsManager, chainBuilder, pluginBuilder)
routerFactory := server.NewRouterFactory(*staticConfiguration, managerFactory, tlsManager, chainBuilder, pluginBuilder, metricsRegistry)
// Watcher
@@ -254,12 +273,18 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
providerAggregator,
time.Duration(staticConfiguration.Providers.ProvidersThrottleDuration),
getDefaultsEntrypoints(staticConfiguration),
"internal",
)
// TLS
watcher.AddListener(func(conf dynamic.Configuration) {
ctx := context.Background()
tlsManager.UpdateConfigs(ctx, conf.TLS.Stores, conf.TLS.Options, conf.TLS.Certificates)
gauge := metricsRegistry.TLSCertsNotAfterTimestampGauge()
for _, certificate := range tlsManager.GetCertificates() {
appendCertMetric(gauge, certificate)
}
})
// Metrics
@@ -363,30 +388,32 @@ func initACMEProvider(c *static.Configuration, providerAggregator *aggregator.Pr
var resolvers []*acme.Provider
for name, resolver := range c.CertificatesResolvers {
if resolver.ACME != nil {
if localStores[resolver.ACME.Storage] == nil {
localStores[resolver.ACME.Storage] = acme.NewLocalStore(resolver.ACME.Storage)
}
p := &acme.Provider{
Configuration: resolver.ACME,
Store: localStores[resolver.ACME.Storage],
ResolverName: name,
HTTPChallengeProvider: httpChallengeProvider,
TLSChallengeProvider: tlsChallengeProvider,
}
if err := providerAggregator.AddProvider(p); err != nil {
log.WithoutContext().Errorf("The ACME resolver %q is skipped from the resolvers list because: %v", name, err)
continue
}
p.SetTLSManager(tlsManager)
p.SetConfigListenerChan(make(chan dynamic.Configuration))
resolvers = append(resolvers, p)
if resolver.ACME == nil {
continue
}
if localStores[resolver.ACME.Storage] == nil {
localStores[resolver.ACME.Storage] = acme.NewLocalStore(resolver.ACME.Storage)
}
p := &acme.Provider{
Configuration: resolver.ACME,
Store: localStores[resolver.ACME.Storage],
ResolverName: name,
HTTPChallengeProvider: httpChallengeProvider,
TLSChallengeProvider: tlsChallengeProvider,
}
if err := providerAggregator.AddProvider(p); err != nil {
log.WithoutContext().Errorf("The ACME resolver %q is skipped from the resolvers list because: %v", name, err)
continue
}
p.SetTLSManager(tlsManager)
p.SetConfigListenerChan(make(chan dynamic.Configuration))
resolvers = append(resolvers, p)
}
return resolvers
@@ -432,6 +459,20 @@ func registerMetricClients(metricsConfig *types.Metrics) []metrics.Registry {
return registries
}
func appendCertMetric(gauge gokitmetrics.Gauge, certificate *x509.Certificate) {
sort.Strings(certificate.DNSNames)
labels := []string{
"cn", certificate.Subject.CommonName,
"serial", certificate.SerialNumber.String(),
"sans", strings.Join(certificate.DNSNames, ","),
}
notAfter := float64(certificate.NotAfter.Unix())
gauge.With(labels...).Set(notAfter)
}
func setupAccessLog(conf *types.AccessLog) *accesslog.Handler {
if conf == nil {
return nil

116
cmd/traefik/traefik_test.go Normal file
View File

@@ -0,0 +1,116 @@
package main
import (
"crypto/x509"
"encoding/pem"
"strings"
"testing"
"github.com/go-kit/kit/metrics"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
// FooCert is a PEM-encoded TLS cert.
// generated from src/crypto/tls:
// go run generate_cert.go --rsa-bits 1024 --host foo.org,foo.com --ca --start-date "Jan 1 00:00:00 1970" --duration=1000000h
const fooCert = `-----BEGIN CERTIFICATE-----
MIICHzCCAYigAwIBAgIQXQFLeYRwc5X21t457t2xADANBgkqhkiG9w0BAQsFADAS
MRAwDgYDVQQKEwdBY21lIENvMCAXDTcwMDEwMTAwMDAwMFoYDzIwODQwMTI5MTYw
MDAwWjASMRAwDgYDVQQKEwdBY21lIENvMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
iQKBgQDCjn67GSs/khuGC4GNN+tVo1S+/eSHwr/hWzhfMqO7nYiXkFzmxi+u14CU
Pda6WOeps7T2/oQEFMxKKg7zYOqkLSbjbE0ZfosopaTvEsZm/AZHAAvoOrAsIJOn
SEiwy8h0tLA4z1SNR6rmIVQWyqBZEPAhBTQM1z7tFp48FakCFwIDAQABo3QwcjAO
BgNVHQ8BAf8EBAMCAqQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDwYDVR0TAQH/BAUw
AwEB/zAdBgNVHQ4EFgQUDHG3ASzeUezElup9zbPpBn/vjogwGwYDVR0RBBQwEoIH
Zm9vLm9yZ4IHZm9vLmNvbTANBgkqhkiG9w0BAQsFAAOBgQBT+VLMbB9u27tBX8Aw
ZrGY3rbNdBGhXVTksrjiF+6ZtDpD3iI56GH9zLxnqvXkgn3u0+Ard5TqF/xmdwVw
NY0V/aWYfcL2G2auBCQrPvM03ozRnVUwVfP23eUzX2ORNHCYhd2ObQx4krrhs7cJ
SWxtKwFlstoXY3K2g9oRD9UxdQ==
-----END CERTIFICATE-----`
// BarCert is a PEM-encoded TLS cert.
// generated from src/crypto/tls:
// go run generate_cert.go --rsa-bits 1024 --host bar.org,bar.com --ca --start-date "Jan 1 00:00:00 1970" --duration=10000h
const barCert = `-----BEGIN CERTIFICATE-----
MIICHTCCAYagAwIBAgIQcuIcNEXzBHPoxna5S6wG4jANBgkqhkiG9w0BAQsFADAS
MRAwDgYDVQQKEwdBY21lIENvMB4XDTcwMDEwMTAwMDAwMFoXDTcxMDIyMTE2MDAw
MFowEjEQMA4GA1UEChMHQWNtZSBDbzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
gYEAqtcrP+KA7D6NjyztGNIPMup9KiBMJ8QL+preog/YHR7SQLO3kGFhpS3WKMab
SzMypC3ZX1PZjBP5ZzwaV3PFbuwlCkPlyxR2lOWmullgI7mjY0TBeYLDIclIzGRp
mpSDDSpkW1ay2iJDSpXjlhmwZr84hrCU7BRTQJo91fdsRTsCAwEAAaN0MHIwDgYD
VR0PAQH/BAQDAgKkMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMB
Af8wHQYDVR0OBBYEFK8jnzFQvBAgWtfzOyXY4VSkwrTXMBsGA1UdEQQUMBKCB2Jh
ci5vcmeCB2Jhci5jb20wDQYJKoZIhvcNAQELBQADgYEAJz0ifAExisC/ZSRhWuHz
7qs1i6Nd4+YgEVR8dR71MChP+AMxucY1/ajVjb9xlLys3GPE90TWSdVppabEVjZY
Oq11nPKc50ItTt8dMku6t0JHBmzoGdkN0V4zJCBqdQJxhop8JpYJ0S9CW0eT93h3
ipYQSsmIINGtMXJ8VkP/MlM=
-----END CERTIFICATE-----`
type gaugeMock struct {
metrics map[string]float64
labels string
}
func (g gaugeMock) With(labelValues ...string) metrics.Gauge {
g.labels = strings.Join(labelValues, ",")
return g
}
func (g gaugeMock) Set(value float64) {
g.metrics[g.labels] = value
}
func (g gaugeMock) Add(delta float64) {
panic("implement me")
}
func TestAppendCertMetric(t *testing.T) {
testCases := []struct {
desc string
certs []string
expected map[string]float64
}{
{
desc: "No certs",
certs: []string{},
expected: map[string]float64{},
},
{
desc: "One cert",
certs: []string{fooCert},
expected: map[string]float64{
"cn,,serial,123624926713171615935660664614975025408,sans,foo.com,foo.org": 3.6e+09,
},
},
{
desc: "Two certs",
certs: []string{fooCert, barCert},
expected: map[string]float64{
"cn,,serial,123624926713171615935660664614975025408,sans,foo.com,foo.org": 3.6e+09,
"cn,,serial,152706022658490889223053211416725817058,sans,bar.com,bar.org": 3.6e+07,
},
},
}
for _, test := range testCases {
test := test
t.Run(test.desc, func(t *testing.T) {
t.Parallel()
gauge := &gaugeMock{
metrics: map[string]float64{},
}
for _, cert := range test.certs {
block, _ := pem.Decode([]byte(cert))
parsedCert, err := x509.ParseCertificate(block.Bytes)
require.NoError(t, err)
appendCertMetric(gauge, parsedCert)
}
assert.Equal(t, test.expected, gauge.metrics)
})
}
}

6
docs/Makefile
View File

@@ -12,7 +12,7 @@ TRAEFIK_DOCS_CHECK_IMAGE ?= $(TRAEFIK_DOCS_BUILD_IMAGE)-check
SITE_DIR := $(CURDIR)/site
DOCKER_RUN_DOC_PORT := 8000
DOCKER_RUN_DOC_MOUNTS := -v $(CURDIR):/mkdocs
DOCKER_RUN_DOC_MOUNTS := -v $(CURDIR):/mkdocs
DOCKER_RUN_DOC_OPTS := --rm $(DOCKER_RUN_DOC_MOUNTS) -p $(DOCKER_RUN_DOC_PORT):8000
# Default: generates the documentation into $(SITE_DIR)
@@ -22,6 +22,10 @@ docs: docs-clean docs-image docs-lint docs-build docs-verify
docs-serve: docs-image
docker run $(DOCKER_RUN_DOC_OPTS) $(TRAEFIK_DOCS_BUILD_IMAGE) mkdocs serve
## Pull image for doc building
docs-pull-images:
grep --no-filename -E '^FROM' ./*.Dockerfile | awk '{print $$2}' | sort | uniq | xargs -P 6 -n 1 docker pull
# Utilities Targets for each step
docs-image:
docker build -t $(TRAEFIK_DOCS_BUILD_IMAGE) -f docs.Dockerfile ./

11
docs/check.Dockerfile
View File

@@ -8,8 +8,11 @@ RUN apk --no-cache --no-progress add \
ruby-etc \
ruby-ffi \
ruby-json \
ruby-nokogiri
RUN gem install html-proofer --version 3.13.0 --no-document -- --use-system-libraries
ruby-nokogiri \
ruby-dev \
build-base
RUN gem install html-proofer --version 3.19.0 --no-document -- --use-system-libraries
# After Ruby, some NodeJS YAY!
RUN apk --no-cache --no-progress add \
@@ -21,8 +24,8 @@ RUN apk --no-cache --no-progress add \
RUN npm config set unsafe-perm true
RUN npm install --global \
markdownlint@0.17.2 \
markdownlint-cli@0.19.0
markdownlint@0.22.0 \
markdownlint-cli@0.26.0
# Finally the shell tools we need for later
# tini helps to terminate properly all the parallelized tasks when sending CTRL-C

BIN
docs/content/assets/img/maintainers-guidelines.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 966 KiB

4
docs/content/contributing/building-testing.md
View File

@@ -30,7 +30,7 @@ Successfully tagged traefik-webui:latest
[...]
docker build -t "traefik-dev:4475--feature-documentation" -f build.Dockerfile .
Sending build context to Docker daemon 279MB
Step 1/10 : FROM golang:1.14-alpine
Step 1/10 : FROM golang:1.16-alpine
---> f4bfb3d22bda
[...]
Successfully built 5c3c1a911277
@@ -62,7 +62,7 @@ PRE_TARGET= make test-unit
Requirements:
- `go` v1.14+
- `go` v1.16+
- environment variable `GO111MODULE=on`
- [go-bindata](https://github.com/containous/go-bindata) `GO111MODULE=off go get -u github.com/containous/go-bindata/...`

76
docs/content/contributing/data-collection.md
View File

@@ -9,19 +9,19 @@ Understanding how you use Traefik is very important to us: it helps us improve t
For this very reason, the sendAnonymousUsage option is mandatory: we want you to take time to consider whether or not you wish to share anonymous data with us so we can benefit from your experience and use cases.
!!! example "Enabling Data Collection"
```toml tab="File (TOML)"
[global]
# Send anonymous usage data
sendAnonymousUsage = true
```
```yaml tab="File (YAML)"
global:
# Send anonymous usage data
sendAnonymousUsage: true
```
```toml tab="File (TOML)"
[global]
# Send anonymous usage data
sendAnonymousUsage = true
```
```bash tab="CLI"
# Send anonymous usage data
--global.sendAnonymousUsage
@@ -45,49 +45,51 @@ Once a day (the first call begins 10 minutes after the start of Traefik), we col
- an **anonymized version** of the static configuration (token, user name, password, URL, IP, domain, email, etc, are removed).
!!! info
- We do not collect the dynamic configuration information (routers & services).
- We do not collect this data to run advertising programs.
- We do not sell this data to third-parties.
### Example of Collected Data
```toml tab="Original configuration"
[entryPoints]
[entryPoints.web]
address = ":80"
```yaml tab="Original configuration"
entryPoints:
web:
address: ":80"
[api]
api: {}
[providers.docker]
endpoint = "tcp://10.10.10.10:2375"
exposedByDefault = true
swarmMode = true
providers:
docker:
endpoint: "tcp://10.10.10.10:2375"
exposedByDefault: true
swarmMode: true
[providers.docker.TLS]
ca = "dockerCA"
cert = "dockerCert"
key = "dockerKey"
insecureSkipVerify = true
tls:
ca: dockerCA
cert: dockerCert
key: dockerKey
insecureSkipVerify: true
```
```toml tab="Resulting Obfuscated Configuration"
[entryPoints]
[entryPoints.web]
address = ":80"
```yaml tab="Resulting Obfuscated Configuration"
entryPoints:
web:
address: ":80"
[api]
api: {}
[providers.docker]
endpoint = "xxxx"
exposedByDefault = true
swarmMode = true
providers:
docker:
endpoint: "xxxx"
exposedByDefault: true
swarmMode: true
[providers.docker.TLS]
ca = "xxxx"
cert = "xxxx"
key = "xxxx"
insecureSkipVerify = true
tls:
ca: xxxx
cert: xxxx
key: xxxx
insecureSkipVerify: true
```
## The Code for Data Collection

12
docs/content/contributing/documentation.md
View File

@@ -14,10 +14,10 @@ This [documentation](https://doc.traefik.io/traefik/) is built with [mkdocs](htt
### Method 1: `Docker` and `make`
You can build the documentation and test it locally (with live reloading), using the `docs` target:
You can build the documentation and test it locally (with live reloading), using the `docs-serve` target:
```bash
$ make docs
$ make docs-serve
docker build -t traefik-docs -f docs.Dockerfile .
# […]
docker run --rm -v /home/user/go/github/traefik/traefik:/mkdocs -p 8000:8000 traefik-docs mkdocs serve
@@ -82,17 +82,19 @@ Running ["HtmlCheck", "ImageCheck", "ScriptCheck", "LinkCheck"] on /app/site/bas
!!! note "Clean & Verify"
If you've made changes to the documentation, it's safter to clean it before verifying it.
If you've made changes to the documentation, it's safter to clean it before verifying it.
```bash
$ make docs-clean docs-verify
$ make docs
...
```
Will perform all necessary steps for you.
!!! note "Disabling Documentation Verification"
Verification can be disabled by setting the environment variable `DOCS_VERIFY_SKIP` to `true`:
```shell
DOCS_VERIFY_SKIP=true make docs-verify
...

129
docs/content/contributing/maintainers-guidelines.md Normal file
View File

@@ -0,0 +1,129 @@
# Maintainer's Guidelines
![Maintainer's Guidelines](../assets/img/maintainers-guidelines.png)
Note: the document is a work in progress.
Welcome to the Traefik Community.
This document describes how to be part of the core team
as well as various responsibilities
and guidelines for Traefik maintainers.
We are strongly promoting a philosophy of openness and sharing,
and firmly standing against the elitist closed approach.
Being part of the core team should be accessible to anyone motivated
and wants to be part of that journey!
## Onboarding Process
If you consider joining our community please drop us a line using Twitter or leave a note in the issue.
We will schedule a quick call to meet you and learn more about your motivation.
During the call, the team will discuss the process of becoming a maintainer.
We will be happy to answer any questions and explain all your doubts.
## Maintainer's Requirements
Note: you do not have to meet all the listed requirements,
but must have achieved several.
- Enabled [2FA](https://docs.github.com/en/github/authenticating-to-github/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication) on your Github account
- The contributor has opened and successfully run medium to large PRs in the past 6 months.
- The contributor has participated in multiple code reviews of other PRs,
including those of other maintainers and contributors.
- The contributor showed a consistent pattern of helpful, non-threatening, and friendly behavior towards other community members in the past.
- The contributor is active on Traefik Community forums
or other technical forums/boards such as K8S slack, Reddit, StackOverflow, hacker news.
- Have read and accepted the contributor guidelines.
## Maintainer's Responsibilities and Privileges
There are lots of areas where you can contribute to the project,
but we can suggest you start with activities such as:
- PR reviewing.
- According to our guidelines we require you have at least 3 reviewers,
thus you can review a PR and leave the relevant comment if it is necessary.
- Participating in a daily [issue triage](https://github.com/traefik/contributors-guide/blob/master/issue_triage.md).
- The process helps to understand and prioritize the reported issue according to its importance and severity.
This is crucial to learn how our users implement Traefik.
Each of the issues that are labeled as bug/possible bug/confirmed requires a reproducible use case.
You can help in creating a reproducible use case if it has not been added to the issue
or use the sample code provided by the reporter.
Typically, a simple docker compose should be enough to reproduce the issue.
- Code contribution.
- Documentation contribution.
- Technical documentation is one of the most important components of the product.
The ability to set up a testing environment in a few minutes,
using the official documentation,
is a game changer.
- You will be listed on our Maintainers Github page
as well as on our website in the section [maintainers](maintainers.md).
- We will be promoting you on social channels (mostly on Twitter).
## Governance
- Roadmap meetings on a regular basis where all maintainers are welcome.
## Communicating
- All of our maintainers are added to Slack #traefik-maintainers channel that belongs to Traefik labs workspace.
Having the team in one place helps us to communicate effectively.
You can reach Traefik core developers directly,
which offers the possibility to discuss issues, pull requests, enhancements more efficiently
and get the feedback almost immediately.
Fewer blockers mean more fun and engaging work.
- On a daily basis, we publish a report that includes all the activities performed during the day.
You are updated in regard to the workload that has been processed including:
working on the new features and enhancements,
activities related to the reported issues and PRs,
other important project-related announcements.
- At 5:00 PM CET every day we review all the created issues that have been reported,
assign them the appropriate *[labels](maintainers.md#labels)*
and prioritize them based on the severity of the problem.
The process is called *[issue triaging](https://github.com/traefik/contributors-guide/blob/master/issue_triage.md)*.
Each of the maintainers is welcome to join the meeting.
For that purpose, we use a dedicated Discord server
where you are invited once you have become the official maintainer.
## Maintainers Activity
In order to keep the core team efficient and dynamic,
maintainers' activity and involvement will be reviewed on a regular basis.
- Has the maintainer engaged with the team and the community by meeting two or more of these benchmarks in the past six months?
- Has the maintainer participated in at least two or three maintainer meetings?
- Substantial review of at least one or two PRs from either contributors or maintainers.
- Opened at least one or two bug fixes or feature request PRs
that were eventually merged (or on a trajectory for merge).
- Substantial participation in the Help Wanted program (answered questions, helped identify issues, applied guidelines from the Help Wanted guide to open issues).
- Substantial participation with the community in general.
- Has the maintainer shown a consistent pattern of helpful,
non-threatening,
and friendly behavior towards other people on the maintainer team and with our community?
## Additional Comments for (not only) Maintainers
- Be able to put yourself in users shoes.
- Be open-minded and respectful with other maintainers and other community members.
- Keep the communication public -
if anyone tries to communicate with you directly,
ask him politely to move the conversation to a public communication channel.
- Stay away from defensive comments.
- Please try to express your thoughts clearly enough
and note that some of us are not native English speakers.
Try to rephrase your sentences, avoiding mental shortcuts;
none of us is able to predict your thoughts.
- There are a lot of use cases of using Traefik
and even more issues that are difficult to reproduce.
If the issue cant be replicated due to a lack of reproducible case (a simple docker compose should be enough) -
set your time limits while working on the issue
and express clearly that you were not able to replicate it.
You can come back later to that case.
- Be proactive.
- Emoji are fine,
but if you express yourself clearly enough they are not necessary.
They will not replace good communication.
- Embrace mentorship.
- Keep in mind that we all have the same intent to improve the project.

10
docs/content/contributing/maintainers.md
View File

@@ -1,6 +1,6 @@
# Maintainers
## The team
## The Team
* Emile Vauge [@emilevauge](https://github.com/emilevauge)
* Vincent Demeester [@vdemeester](https://github.com/vdemeester)
@@ -20,11 +20,15 @@
* Kevin Pollet [@kevinpollet](https://github.com/kevinpollet)
* Harold Ozouf [@jspdown](https://github.com/jspdown)
## Maintainer's Guidelines
Please read the [maintainer's guidelines](maintainers-guidelines.md)
## Issue Triage
Issues and PRs are triaged daily and the process for triaging may be found under [triaging issues](https://github.com/traefik/contributors-guide/blob/master/issue_triage.md) in our [contributors guide repository](https://github.com/traefik/contributors-guide).
## PR review process:
## PR Review Process
The process for reviewing PRs may be found under [review guidelines](https://github.com/traefik/contributors-guide/blob/master/review_guidelines.md) in our contributors guide repository.
@@ -114,7 +118,7 @@ The `status/*` labels represent the desired state in the workflow.
* `priority/P2`: need to be fixed in the future.
* `priority/P3`: maybe.
### PR size
### PR Size
Automatically set by a bot.

22
docs/content/getting-started/configuration-overview.md
View File

@@ -13,13 +13,13 @@ Configuration in Traefik can refer to two different things:
Elements in the _static configuration_ set up connections to [providers](../providers/overview.md) and define the [entrypoints](../routing/entrypoints.md) Traefik will listen to (these elements don't change often).
The _dynamic configuration_ contains everything that defines how the requests are handled by your system.
This configuration can change and is seamlessly hot-reloaded, without any request interruption or connection loss.
This configuration can change and is seamlessly hot-reloaded, without any request interruption or connection loss.
!!! warning "Incompatible Configuration"
Please be aware that the old configurations for Traefik v1.x are NOT compatible with the v2.x config as of now.
If you are running v2, please ensure you are using a v2 configuration.
## The Dynamic Configuration
## The Dynamic Configuration
Traefik gets its _dynamic configuration_ from [providers](../providers/overview.md): whether an orchestrator, a service registry, or a plain old configuration file.
@@ -28,14 +28,14 @@ Since this configuration is specific to your infrastructure choices, we invite y
!!! info ""
In the [Quick Start example](../getting-started/quick-start.md), the dynamic configuration comes from docker in the form of labels attached to your containers.
!!! info "HTTPS Certificates also belong to the dynamic configuration."
You can add / update / remove them without restarting your Traefik instance.
You can add / update / remove them without restarting your Traefik instance.
## The Static Configuration
There are three different, **mutually exclusive** (e.g. you can use only one at the same time), ways to define static configuration options in Traefik:
There are three different, **mutually exclusive** (i.e. you can use only one at the same time), ways to define static configuration options in Traefik:
1. In a configuration file
1. In the command-line arguments
@@ -45,13 +45,13 @@ These ways are evaluated in the order listed above.
If no value was provided for a given option, a default value applies.
Moreover, if an option has sub-options, and any of these sub-options is not specified, a default value will apply as well.
For example, the `--providers.docker` option is enough by itself to enable the docker provider, even though sub-options like `--providers.docker.endpoint` exist.
Once positioned, this option sets (and resets) all the default values of the sub-options of `--providers.docker`.
### Configuration File
At startup, Traefik searches for a file named `traefik.toml` (or `traefik.yml` or `traefik.yaml`) in:
At startup, Traefik searches for a file named `traefik.yml` (or `traefik.yaml` or `traefik.toml`) in:
- `/etc/traefik/`
- `$XDG_CONFIG_HOME/`
@@ -61,7 +61,7 @@ At startup, Traefik searches for a file named `traefik.toml` (or `traefik.yml` o
You can override this using the `configFile` argument.
```bash
traefik --configFile=foo/bar/myconfigfile.toml
traefik --configFile=foo/bar/myconfigfile.yml
```
### Arguments

139
docs/content/getting-started/faq.md Normal file
View File

@@ -0,0 +1,139 @@
# FAQ
## Why is Traefik Answering `XXX` HTTP Response Status Code?
Traefik is a dynamic reverse proxy,
and while the documentation often demonstrates configuration options through file examples,
the core feature of Traefik is its dynamic configurability,
directly reacting to changes from providers over time.
Notably, a part of the configuration is [static](../configuration-overview/#the-static-configuration),
and can be provided by a file on startup, whereas various providers,
such as the file provider,
contribute dynamically all along the traefik instance lifetime to its [dynamic configuration](../configuration-overview/#the-dynamic-configuration) changes.
In addition, the configuration englobes concepts such as the EntryPoint which can be seen as a listener on the Transport Layer (TCP),
as apposed to the Router which is more about the Presentation (TLS) and Application layers (HTTP).
And there can be as many routers as one wishes for a given EntryPoint.
In other words, for a given Entrypoint,
at any given time the traffic seen is not bound to be just about one protocol.
It could be HTTP, or otherwise. Over TLS, or not.
Not to mention that dynamic configuration changes potentially make that kind of traffic vary over time.
Therefore, in this dynamic context,
the static configuration of an `entryPoint` does not give any hint whatsoever about how the traffic going through that `entryPoint` is going to be routed.
Or whether it's even going to be routed at all,
i.e. whether there is a Router matching the kind of traffic going through it.
### `404 Not found`
Traefik returns a `404` response code in the following situations:
- A request reaching an EntryPoint that has no Routers
- An HTTP request reaching an EntryPoint that has no HTTP Router
- An HTTPS request reaching an EntryPoint that has no HTTPS Router
- A request reaching an EntryPoint that has HTTP/HTTPS Routers that cannot be matched
From Traefik's point of view,
every time a request cannot be matched with a router the correct response code is a `404 Not found`.
In this situation, the response code is not a `503 Service Unavailable`
because Traefik is not able to confirm that the lack of a matching router for a request is only temporary.
Traefik's routing configuration is dynamic and aggregated from different providers,
hence it's not possible to assume at any moment that a specific route should be handled or not.
??? info "This behavior is consistent with rfc7231"
```txt
The server is currently unable to handle the request due to a
temporary overloading or maintenance of the server. The implication
is that this is a temporary condition which will be alleviated after
some delay. If known, the length of the delay MAY be indicated in a
Retry-After header. If no Retry-After is given, the client SHOULD
handle the response as it would for a 500 response.
Note: The existence of the 503 status code does not imply that a
server must use it when becoming overloaded. Some servers may wish
to simply refuse the connection.
```
Extract from [rfc7231#section-6.6.4](https://datatracker.ietf.org/doc/html/rfc7231#section-6.6.4).
### `502 Bad Gateway`
Traefik returns a `502` response code when an error happens while contacting the upstream service.
### `503 Service Unavailable`
Traefik returns a `503` response code when a Router has been matched
but there are no servers ready to handle the request.
This situation is encountered when a service has been explicitly configured without servers,
or when a service has healthcheck enabled and all servers are unhealthy.
### `XXX` Instead of `404`
Sometimes, the `404` response code doesn't play well with other parties or services (such as CDNs).
In these situations, you may want Traefik to always reply with a `503` response code,
instead of a `404` response code.
To achieve this behavior, a simple catchall router,
with the lowest possible priority and routing to a service without servers,
can handle all the requests when no other router has been matched.
The example below is a file provider only version (`yaml`) of what this configuration could look like:
```yaml tab="Static configuration"
# traefik.yml
entrypoints:
web:
address: :80
providers:
file:
filename: dynamic.yaml
```
```yaml tab="Dynamic configuration"
# dynamic.yaml
http:
routers:
catchall:
# attached only to web entryPoint
entryPoints:
- "web"
# catchall rule
rule: "PathPrefix(`/`)"
service: unavailable
# lowest possible priority
# evaluated when no other router is matched
priority: 1
services:
# Service that will always answer a 503 Service Unavailable response
unavailable:
loadBalancer:
servers: {}
```
!!! info "Dedicated service"
If there is a need for a response code other than a `503` and/or a custom message,
the principle of the above example above (a catchall router) still stands,
but the `unavailable` service should be adapted to fit such a need.
## Why Is My TLS Certificate Not Reloaded When Its Contents Change ?
With the file provider,
a configuration update is only triggered when one of the [watched](../providers/file.md#provider-configuration) configuration files is modified.
Which is why, when a certificate is defined by path,
and the actual contents of this certificate change,
a configuration update is _not_ triggered.
To take into account the new certificate contents, the update of the dynamic configuration must be forced.
One way to achieve that, is to trigger a file notification,
for example, by using the `touch` command on the configuration file.

24
docs/content/getting-started/install-traefik.md
View File

@@ -11,12 +11,12 @@ You can install Traefik with the following flavors:
Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with one sample configuration file:
* [TOML](https://raw.githubusercontent.com/traefik/traefik/v2.4/traefik.sample.toml)
* [YAML](https://raw.githubusercontent.com/traefik/traefik/v2.4/traefik.sample.yml)
* [YAML](https://raw.githubusercontent.com/traefik/traefik/v2.5/traefik.sample.yml)
* [TOML](https://raw.githubusercontent.com/traefik/traefik/v2.5/traefik.sample.toml)
```bash
docker run -d -p 8080:8080 -p 80:80 \
-v $PWD/traefik.toml:/etc/traefik/traefik.toml traefik:v2.4
-v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v2.5
```
For more details, go to the [Docker provider documentation](../providers/docker.md)
@@ -31,8 +31,8 @@ For more details, go to the [Docker provider documentation](../providers/docker.
## Use the Helm Chart
!!! warning
The Traefik Chart from
The Traefik Chart from
[Helm's default charts repository](https://github.com/helm/charts/tree/master/stable/traefik) is still using [Traefik v1.7](https://doc.traefik.io/traefik/v1.7).
Traefik can be installed in Kubernetes using the Helm chart from <https://github.com/traefik/traefik-helm-chart>.
@@ -61,7 +61,7 @@ helm install traefik traefik/traefik
```
!!! tip "Helm Features"
All [Helm features](https://helm.sh/docs/intro/using_helm/) are supported.
For instance, installing the chart in a dedicated namespace:
@@ -73,30 +73,30 @@ helm install traefik traefik/traefik
```
??? example "Installing with Custom Values"
You can customize the installation by specifying custom values,
as with [any helm chart](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing).
{: #helm-custom-values }
The values are not (yet) documented, but are self-explanatory:
you can look at the [default `values.yaml`](https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml) file to explore possibilities.
You can also set Traefik command line flags using `additionalArguments`.
Example of installation with logging set to `DEBUG`:
```bash tab="Using Helm CLI"
helm install --namespace=traefik-v2 \
--set="additionalArguments={--log.level=DEBUG}" \
traefik traefik/traefik
```
```yml tab="With a custom values file"
# File custom-values.yml
## Install with "helm install --values=./custom-values.yml traefik traefik/traefik
additionalArguments:
- "--log.level=DEBUG"
```
### Exposing the Traefik dashboard
This HelmChart does not expose the Traefik dashboard by default, for security concerns.

2
docs/content/getting-started/quick-start.md
View File

@@ -15,7 +15,7 @@ version: '3'
services:
reverse-proxy:
# The official v2 Traefik docker image
image: traefik:v2.4
image: traefik:v2.5
# Enables the web UI and tells Traefik to listen to docker
command: --api.insecure=true --providers.docker
ports:

22
docs/content/glossary.md
View File

@@ -1,22 +0,0 @@
# TODO -- Glossary
Where Every Technical Word finds its Definition`
{: .subtitle}
- [ ] Provider
- [ ] Types of providers (KV, annotation based, label based, configuration based)
- [ ] Entrypoint
- [ ] Routers
- [ ] Middleware
- [ ] Service
- [ ] [Static configuration](getting-started/configuration-overview.md#the-static-configuration)
- [ ] [Dynamic configuration](getting-started/configuration-overview.md#the-dynamic-configuration)
- [ ] ACME
- [ ] Traefik Enterprise
- [ ] Tracing
- [ ] Metrics
- [ ] Orchestrator
- [ ] Key Value Store
- [ ] Logs
- [ ] Traefiker
- [ ] Traefik (How to pronounce)

242
docs/content/https/acme.md
View File

@@ -13,7 +13,7 @@ You can configure Traefik to use an ACME provider (like Let's Encrypt) for autom
## Certificate Resolvers
Traefik requires you to define "Certificate Resolvers" in the [static configuration](../getting-started/configuration-overview.md#the-static-configuration),
Traefik requires you to define "Certificate Resolvers" in the [static configuration](../getting-started/configuration-overview.md#the-static-configuration),
which are responsible for retrieving certificates from an ACME server.
Then, each ["router"](../routing/routers/index.md) is configured to enable TLS,
@@ -26,33 +26,33 @@ You can read more about this retrieval mechanism in the following section: [ACME
!!! important "Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
??? note "Configuration Reference"
There are many available options for ACME.
For a quick glance at what's possible, browse the configuration reference:
```toml tab="File (TOML)"
--8<-- "content/https/ref-acme.toml"
```
```yaml tab="File (YAML)"
--8<-- "content/https/ref-acme.yaml"
```
```toml tab="File (TOML)"
--8<-- "content/https/ref-acme.toml"
```
```bash tab="CLI"
--8<-- "content/https/ref-acme.txt"
```
## Domain Definition
Certificate resolvers request certificates for a set of the domain names
Certificate resolvers request certificates for a set of the domain names
inferred from routers, with the following logic:
- If the router has a [`tls.domains`](../routing/routers/index.md#domains) option set,
then the certificate resolver uses the `main` (and optionally `sans`) option of `tls.domains` to know the domain names for this router.
- If no [`tls.domains`](../routing/routers/index.md#domains) option is set,
then the certificate resolver uses the [router's rule](../routing/routers/index.md#rule),
by checking the `Host()` matchers.
- If no [`tls.domains`](../routing/routers/index.md#domains) option is set,
then the certificate resolver uses the [router's rule](../routing/routers/index.md#rule),
by checking the `Host()` matchers.
Please note that [multiple `Host()` matchers can be used](../routing/routers/index.md#certresolver)) for specifying multiple domain names for this router.
Please note that:
@@ -69,31 +69,15 @@ Please check the [configuration examples below](#configuration-examples) for mor
## Configuration Examples
??? example "Enabling ACME"
```toml tab="File (TOML)"
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.websecure]
address = ":443"
[certificatesResolvers.myresolver.acme]
email = "your-email@example.com"
storage = "acme.json"
[certificatesResolvers.myresolver.acme.httpChallenge]
# used during the challenge
entryPoint = "web"
```
```yaml tab="File (YAML)"
entryPoints:
web:
address: ":80"
websecure:
address: ":443"
certificatesResolvers:
myresolver:
acme:
@@ -103,7 +87,23 @@ Please check the [configuration examples below](#configuration-examples) for mor
# used during the challenge
entryPoint: web
```
```toml tab="File (TOML)"
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.websecure]
address = ":443"
[certificatesResolvers.myresolver.acme]
email = "your-email@example.com"
storage = "acme.json"
[certificatesResolvers.myresolver.acme.httpChallenge]
# used during the challenge
entryPoint = "web"
```
```bash tab="CLI"
--entrypoints.web.address=:80
--entrypoints.websecure.address=:443
@@ -117,23 +117,23 @@ Please check the [configuration examples below](#configuration-examples) for mor
!!! important "Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
??? example "Single Domain from Router's Rule Example"
* A certificate for the domain `example.com` is requested:
--8<-- "content/https/include-acme-single-domain-example.md"
??? example "Multiple Domains from Router's Rule Example"
* A certificate for the domains `example.com` (main) and `blog.example.org`
is requested:
--8<-- "content/https/include-acme-multiple-domains-from-rule-example.md"
??? example "Multiple Domains from Router's `tls.domain` Example"
* A certificate for the domains `example.com` (main) and `*.example.org` (SAN)
is requested:
--8<-- "content/https/include-acme-multiple-domains-example.md"
## Automatic Renewals
@@ -165,12 +165,6 @@ when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encry
??? example "Configuring the `tlsChallenge`"
```toml tab="File (TOML)"
[certificatesResolvers.myresolver.acme]
# ...
[certificatesResolvers.myresolver.acme.tlsChallenge]
```
```yaml tab="File (YAML)"
certificatesResolvers:
myresolver:
@@ -178,7 +172,13 @@ when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encry
# ...
tlsChallenge: {}
```
```toml tab="File (TOML)"
[certificatesResolvers.myresolver.acme]
# ...
[certificatesResolvers.myresolver.acme.tlsChallenge]
```
```bash tab="CLI"
# ...
--certificatesresolvers.myresolver.acme.tlschallenge=true
@@ -193,28 +193,14 @@ when using the `HTTP-01` challenge, `certificatesresolvers.myresolver.acme.httpc
??? example "Using an EntryPoint Called web for the `httpChallenge`"
```toml tab="File (TOML)"
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.websecure]
address = ":443"
[certificatesResolvers.myresolver.acme]
# ...
[certificatesResolvers.myresolver.acme.httpChallenge]
entryPoint = "web"
```
```yaml tab="File (YAML)"
entryPoints:
web:
address: ":80"
websecure:
address: ":443"
certificatesResolvers:
myresolver:
acme:
@@ -222,7 +208,21 @@ when using the `HTTP-01` challenge, `certificatesresolvers.myresolver.acme.httpc
httpChallenge:
entryPoint: web
```
```toml tab="File (TOML)"
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.websecure]
address = ":443"
[certificatesResolvers.myresolver.acme]
# ...
[certificatesResolvers.myresolver.acme.httpChallenge]
entryPoint = "web"
```
```bash tab="CLI"
--entrypoints.web.address=:80
--entrypoints.websecure.address=:443
@@ -239,15 +239,6 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
??? example "Configuring a `dnsChallenge` with the DigitalOcean Provider"
```toml tab="File (TOML)"
[certificatesResolvers.myresolver.acme]
# ...
[certificatesResolvers.myresolver.acme.dnsChallenge]
provider = "digitalocean"
delayBeforeCheck = 0
# ...
```
```yaml tab="File (YAML)"
certificatesResolvers:
myresolver:
@@ -258,7 +249,16 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
delayBeforeCheck: 0
# ...
```
```toml tab="File (TOML)"
[certificatesResolvers.myresolver.acme]
# ...
[certificatesResolvers.myresolver.acme.dnsChallenge]
provider = "digitalocean"
delayBeforeCheck = 0
# ...
```
```bash tab="CLI"
# ...
--certificatesresolvers.myresolver.acme.dnschallenge.provider=digitalocean
@@ -270,7 +270,7 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
A `provider` is mandatory.
#### `providers`
Here is a list of supported `providers`, that can automate the DNS verification,
along with the required environment variables and their [wildcard & root domain support](#wildcard-domains).
Do not hesitate to complete it.
@@ -303,6 +303,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
| [DNS Made Easy](https://dnsmadeeasy.com) | `dnsmadeeasy` | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX` | [Additional configuration](https://go-acme.github.io/lego/dns/dnsmadeeasy) |
| [DNSPod](https://www.dnspod.com/) | `dnspod` | `DNSPOD_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/dnspod) |
| [Domain Offensive (do.de)](https://www.do.de/) | `dode` | `DODE_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/dode) |
| [Domeneshop](https://domene.shop) | `domeneshop` | `DOMENESHOP_API_TOKEN`, `DOMENESHOP_API_SECRET` | [Additional configuration](https://go-acme.github.io/lego/dns/domeneshop) |
| [DreamHost](https://www.dreamhost.com/) | `dreamhost` | `DREAMHOST_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/dreamhost) |
| [Duck DNS](https://www.duckdns.org/) | `duckdns` | `DUCKDNS_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/duckdns) |
| [Dyn](https://dyn.com) | `dyn` | `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/dyn) |
@@ -322,9 +323,10 @@ For complete details, refer to your provider's _Additional configuration_ link.
| HTTP request | `httpreq` | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` [^1] | [Additional configuration](https://go-acme.github.io/lego/dns/httpreq) |
| [HyperOne](https://www.hyperone.com) | `hyperone` | `HYPERONE_PASSPORT_LOCATION`, `HYPERONE_LOCATION_ID` | [Additional configuration](https://go-acme.github.io/lego/dns/hyperone) |
| [IIJ](https://www.iij.ad.jp/) | `iij` | `IIJ_API_ACCESS_KEY`, `IIJ_API_SECRET_KEY`, `IIJ_DO_SERVICE_CODE` | [Additional configuration](https://go-acme.github.io/lego/dns/iij) |
| [Infoblox](https://www.infoblox.com/) | `infoblox` | `INFOBLOX_USER`, `INFOBLOX_PASSWORD`, `INFOBLOX_HOST` | [Additional configuration](https://go-acme.github.io/lego/dns/infoblox) |
| [Infomaniak](https://www.infomaniak.com) | `infomaniak` | `INFOMANIAK_ACCESS_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/infomaniak) |
| [INWX](https://www.inwx.de/en) | `inwx` | `INWX_USERNAME`, `INWX_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/inwx) |
| [ionos](https://ionos.com/) | `ionos` | `IONOS_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/ionos) |
| [ionos](https://ionos.com/) | `ionos` | `IONOS_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/ionos) |
| [Joker.com](https://joker.com) | `joker` | `JOKER_API_MODE` with `JOKER_API_KEY` or `JOKER_USERNAME`, `JOKER_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/joker) |
| [Lightsail](https://aws.amazon.com/lightsail/) | `lightsail` | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `DNS_ZONE` | [Additional configuration](https://go-acme.github.io/lego/dns/lightsail) |
| [Linode v4](https://www.linode.com) | `linode` | `LINODE_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/linode) |
@@ -340,11 +342,13 @@ For complete details, refer to your provider's _Additional configuration_ link.
| [Netcup](https://www.netcup.eu/) | `netcup` | `NETCUP_CUSTOMER_NUMBER`, `NETCUP_API_KEY`, `NETCUP_API_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/netcup) |
| [Netlify](https://www.netlify.com) | `netlify` | `NETLIFY_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/netlify) |
| [NIFCloud](https://cloud.nifty.com/service/dns.htm) | `nifcloud` | `NIFCLOUD_ACCESS_KEY_ID`, `NIFCLOUD_SECRET_ACCESS_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/nifcloud) |
| [Njalla](https://njal.la) | `njalla` | `NJALLA_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/njalla) |
| [NS1](https://ns1.com/) | `ns1` | `NS1_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/ns1) |
| [Open Telekom Cloud](https://cloud.telekom.de) | `otc` | `OTC_DOMAIN_NAME`, `OTC_USER_NAME`, `OTC_PASSWORD`, `OTC_PROJECT_NAME`, `OTC_IDENTITY_ENDPOINT` | [Additional configuration](https://go-acme.github.io/lego/dns/otc) |
| [OVH](https://www.ovh.com) | `ovh` | `OVH_ENDPOINT`, `OVH_APPLICATION_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/ovh) |
| [Openstack Designate](https://docs.openstack.org/designate) | `designate` | `OS_AUTH_URL`, `OS_USERNAME`, `OS_PASSWORD`, `OS_TENANT_NAME`, `OS_REGION_NAME` | [Additional configuration](https://go-acme.github.io/lego/dns/designate) |
| [Oracle Cloud](https://cloud.oracle.com/home) | `oraclecloud` | `OCI_COMPARTMENT_OCID`, `OCI_PRIVKEY_FILE`, `OCI_PRIVKEY_PASS`, `OCI_PUBKEY_FINGERPRINT`, `OCI_REGION`, `OCI_TENANCY_OCID`, `OCI_USER_OCID` | [Additional configuration](https://go-acme.github.io/lego/dns/oraclecloud) |
| [Porkbun](https://porkbun.com/) | `porkbun` | `PORKBUN_SECRET_API_KEY`, `PORKBUN_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/porkbun) |
| [PowerDNS](https://www.powerdns.com) | `pdns` | `PDNS_API_KEY`, `PDNS_API_URL` | [Additional configuration](https://go-acme.github.io/lego/dns/pdns) |
| [Rackspace](https://www.rackspace.com/cloud/dns) | `rackspace` | `RACKSPACE_USER`, `RACKSPACE_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/rackspace) |
| [reg.ru](https://www.reg.ru) | `regru` | `REGRU_USERNAME`, `REGRU_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/regru) |
@@ -355,12 +359,16 @@ For complete details, refer to your provider's _Additional configuration_ link.
| [Scaleway](https://www.scaleway.com) | `scaleway` | `SCALEWAY_API_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/scaleway) |
| [Selectel](https://selectel.ru/en/) | `selectel` | `SELECTEL_API_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/selectel) |
| [Servercow](https://servercow.de) | `servercow` | `SERVERCOW_USERNAME`, `SERVERCOW_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/servercow) |
| [Simply.com](https://www.simply.com/en/domains/) | `simply` | `SIMPLY_ACCOUNT_NAME`, `SIMPLY_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/simply) |
| [Sonic](https://www.sonic.com/) | `sonic` | `SONIC_USER_ID`, `SONIC_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/sonic) |
| [Stackpath](https://www.stackpath.com/) | `stackpath` | `STACKPATH_CLIENT_ID`, `STACKPATH_CLIENT_SECRET`, `STACKPATH_STACK_ID` | [Additional configuration](https://go-acme.github.io/lego/dns/stackpath) |
| [TransIP](https://www.transip.nl/) | `transip` | `TRANSIP_ACCOUNT_NAME`, `TRANSIP_PRIVATE_KEY_PATH` | [Additional configuration](https://go-acme.github.io/lego/dns/transip) |
| [VegaDNS](https://github.com/shupp/VegaDNS-API) | `vegadns` | `SECRET_VEGADNS_KEY`, `SECRET_VEGADNS_SECRET`, `VEGADNS_URL` | [Additional configuration](https://go-acme.github.io/lego/dns/vegadns) |
| [Versio](https://www.versio.nl/domeinnamen) | `versio` | `VERSIO_USERNAME`, `VERSIO_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/versio) |
| [VinylDNS](https://www.vinyldns.io) | `vinyldns` | `VINYLDNS_ACCESS_KEY`, `VINYLDNS_SECRET_KEY`, `VINYLDNS_HOST` | [Additional configuration](https://go-acme.github.io/lego/dns/vinyldns) |
| [Vscale](https://vscale.io/) | `vscale` | `VSCALE_API_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/vscale) |
| [VULTR](https://www.vultr.com) | `vultr` | `VULTR_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/vultr) |
| [WEDOS](https://www.wedos.com) | `wedos` | `WEDOS_USERNAME`, `WEDOS_WAPI_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/wedos) |
| [Yandex](https://yandex.com) | `yandex` | `YANDEX_PDD_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/yandex) |
| [Zone.ee](https://www.zone.ee) | `zoneee` | `ZONEEE_API_USER`, `ZONEEE_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/zoneee) |
| [Zonomi](https://zonomi.com) | `zonomi` | `ZONOMI_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/zonomi) |
@@ -380,14 +388,6 @@ For complete details, refer to your provider's _Additional configuration_ link.
Use custom DNS servers to resolve the FQDN authority.
```toml tab="File (TOML)"
[certificatesResolvers.myresolver.acme]
# ...
[certificatesResolvers.myresolver.acme.dnsChallenge]
# ...
resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
```
```yaml tab="File (YAML)"
certificatesResolvers:
myresolver:
@@ -400,6 +400,14 @@ certificatesResolvers:
- "8.8.8.8:53"
```
```toml tab="File (TOML)"
[certificatesResolvers.myresolver.acme]
# ...
[certificatesResolvers.myresolver.acme.dnsChallenge]
# ...
resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
```
```bash tab="CLI"
# ...
--certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
@@ -415,14 +423,6 @@ As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/stagi
- `kid`: Key identifier from External CA
- `hmacEncoded`: HMAC key from External CA, should be in Base64 URL Encoding without padding format
```toml tab="File (TOML)"
[certificatesResolvers.myresolver.acme]
# ...
[certificatesResolvers.myresolver.acme.eab]
kid = "abc-keyID-xyz"
hmacEncoded = "abc-hmac-xyz"
```
```yaml tab="File (YAML)"
certificatesResolvers:
myresolver:
@@ -433,6 +433,14 @@ certificatesResolvers:
hmacEncoded: abc-hmac-xyz
```
```toml tab="File (TOML)"
[certificatesResolvers.myresolver.acme]
# ...
[certificatesResolvers.myresolver.acme.eab]
kid = "abc-keyID-xyz"
hmacEncoded = "abc-hmac-xyz"
```
```bash tab="CLI"
# ...
--certificatesresolvers.myresolver.acme.eab.kid=abc-keyID-xyz
@@ -452,13 +460,6 @@ The CA server to use:
??? example "Using the Let's Encrypt staging server"
```toml tab="File (TOML)"
[certificatesResolvers.myresolver.acme]
# ...
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
# ...
```
```yaml tab="File (YAML)"
certificatesResolvers:
myresolver:
@@ -468,6 +469,13 @@ The CA server to use:
# ...
```
```toml tab="File (TOML)"
[certificatesResolvers.myresolver.acme]
# ...
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
# ...
```
```bash tab="CLI"
# ...
--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
@@ -480,13 +488,6 @@ _Required, Default="acme.json"_
The `storage` option sets the location where your ACME certificates are saved to.
```toml tab="File (TOML)"
[certificatesResolvers.myresolver.acme]
# ...
storage = "acme.json"
# ...
```
```yaml tab="File (YAML)"
certificatesResolvers:
myresolver:
@@ -496,6 +497,13 @@ certificatesResolvers:
# ...
```
```toml tab="File (TOML)"
[certificatesResolvers.myresolver.acme]
# ...
storage = "acme.json"
# ...
```
```bash tab="CLI"
# ...
--certificatesresolvers.myresolver.acme.storage=acme.json
@@ -526,13 +534,6 @@ Preferred chain to use.
If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
If no match, the default offered chain will be used.
```toml tab="File (TOML)"
[certificatesResolvers.myresolver.acme]
# ...
preferredChain = "ISRG Root X1"
# ...
```
```yaml tab="File (YAML)"
certificatesResolvers:
myresolver:
@@ -542,6 +543,13 @@ certificatesResolvers:
# ...
```
```toml tab="File (TOML)"
[certificatesResolvers.myresolver.acme]
# ...
preferredChain = "ISRG Root X1"
# ...
```
```bash tab="CLI"
# ...
--certificatesresolvers.myresolver.acme.preferredChain="ISRG Root X1"
@@ -554,13 +562,6 @@ _Optional, Default="RSA4096"_
KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'.
```toml tab="File (TOML)"
[certificatesResolvers.myresolver.acme]
# ...
keyType = "RSA4096"
# ...
```
```yaml tab="File (YAML)"
certificatesResolvers:
myresolver:
@@ -570,6 +571,13 @@ certificatesResolvers:
# ...
```
```toml tab="File (TOML)"
[certificatesResolvers.myresolver.acme]
# ...
keyType = "RSA4096"
# ...
```
```bash tab="CLI"
# ...
--certificatesresolvers.myresolver.acme.keyType="RSA4096"

24
docs/content/https/include-acme-multiple-domains-example.md
View File

@@ -64,18 +64,6 @@ labels:
- traefik.http.routers.blog.tls.domains[0].sans=*.example.org
```
```toml tab="File (TOML)"
## Dynamic configuration
[http.routers]
[http.routers.blog]
rule = "Host(`example.com`) && Path(`/blog`)"
[http.routers.blog.tls]
certResolver = "myresolver" # From static configuration
[[http.routers.blog.tls.domains]]
main = "example.org"
sans = ["*.example.org"]
```
```yaml tab="File (YAML)"
## Dynamic configuration
http:
@@ -89,3 +77,15 @@ http:
sans:
- "*.example.org"
```
```toml tab="File (TOML)"
## Dynamic configuration
[http.routers]
[http.routers.blog]
rule = "Host(`example.com`) && Path(`/blog`)"
[http.routers.blog.tls]
certResolver = "myresolver" # From static configuration
[[http.routers.blog.tls.domains]]
main = "example.org"
sans = ["*.example.org"]
```

18
docs/content/https/include-acme-multiple-domains-from-rule-example.md
View File

@@ -52,15 +52,6 @@ labels:
- traefik.http.routers.blog.tls.certresolver=myresolver
```
```toml tab="File (TOML)"
## Dynamic configuration
[http.routers]
[http.routers.blog]
rule = "(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)"
[http.routers.blog.tls]
certResolver = "myresolver"
```
```yaml tab="File (YAML)"
## Dynamic configuration
http:
@@ -70,3 +61,12 @@ http:
tls:
certResolver: myresolver
```
```toml tab="File (TOML)"
## Dynamic configuration
[http.routers]
[http.routers.blog]
rule = "(Host(`example.com`) && Path(`/blog`)) || Host(`blog.example.org`)"
[http.routers.blog.tls]
certResolver = "myresolver"
```

18
docs/content/https/include-acme-single-domain-example.md
View File

@@ -52,15 +52,6 @@ labels:
- traefik.http.routers.blog.tls.certresolver=myresolver
```
```toml tab="File (TOML)"
## Dynamic configuration
[http.routers]
[http.routers.blog]
rule = "Host(`example.com`) && Path(`/blog`)"
[http.routers.blog.tls]
certResolver = "myresolver"
```
```yaml tab="File (YAML)"
## Dynamic configuration
http:
@@ -70,3 +61,12 @@ http:
tls:
certResolver: myresolver
```
```toml tab="File (TOML)"
## Dynamic configuration
[http.routers]
[http.routers.blog]
rule = "Host(`example.com`) && Path(`/blog`)"
[http.routers.blog.tls]
certResolver = "myresolver"
```

234
docs/content/https/tls.md
View File

@@ -13,18 +13,6 @@ See the [Let's Encrypt](./acme.md) page.
To add / remove TLS certificates, even when Traefik is already running, their definition can be added to the [dynamic configuration](../getting-started/configuration-overview.md), in the `[[tls.certificates]]` section:
```toml tab="File (TOML)"
# Dynamic configuration
[[tls.certificates]]
certFile = "/path/to/domain.cert"
keyFile = "/path/to/domain.key"
[[tls.certificates]]
certFile = "/path/to/other-domain.cert"
keyFile = "/path/to/other-domain.key"
```
```yaml tab="File (YAML)"
# Dynamic configuration
@@ -36,23 +24,28 @@ tls:
keyFile: /path/to/other-domain.key
```
```toml tab="File (TOML)"
# Dynamic configuration
[[tls.certificates]]
certFile = "/path/to/domain.cert"
keyFile = "/path/to/domain.key"
[[tls.certificates]]
certFile = "/path/to/other-domain.cert"
keyFile = "/path/to/other-domain.key"
```
!!! important "Restriction"
In the above example, we've used the [file provider](../providers/file.md) to handle these definitions.
It is the only available method to configure the certificates (as well as the options and the stores).
However, in [Kubernetes](../providers/kubernetes-crd.md), the certificates can and must be provided by [secrets](https://kubernetes.io/docs/concepts/configuration/secret/).
However, in [Kubernetes](../providers/kubernetes-crd.md), the certificates can and must be provided by [secrets](https://kubernetes.io/docs/concepts/configuration/secret/).
## Certificates Stores
In Traefik, certificates are grouped together in certificates stores, which are defined as such:
```toml tab="File (TOML)"
# Dynamic configuration
[tls.stores]
[tls.stores.default]
```
```yaml tab="File (YAML)"
# Dynamic configuration
@@ -61,6 +54,13 @@ tls:
default: {}
```
```toml tab="File (TOML)"
# Dynamic configuration
[tls.stores]
[tls.stores.default]
```
!!! important "Restriction"
Any store definition other than the default one (named `default`) will be ignored,
@@ -68,21 +68,6 @@ tls:
In the `tls.certificates` section, a list of stores can then be specified to indicate where the certificates should be stored:
```toml tab="File (TOML)"
# Dynamic configuration
[[tls.certificates]]
certFile = "/path/to/domain.cert"
keyFile = "/path/to/domain.key"
stores = ["default"]
[[tls.certificates]]
# Note that since no store is defined,
# the certificate below will be stored in the `default` store.
certFile = "/path/to/other-domain.cert"
keyFile = "/path/to/other-domain.key"
```
```yaml tab="File (YAML)"
# Dynamic configuration
@@ -98,6 +83,21 @@ tls:
keyFile: /path/to/other-domain.key
```
```toml tab="File (TOML)"
# Dynamic configuration
[[tls.certificates]]
certFile = "/path/to/domain.cert"
keyFile = "/path/to/domain.key"
stores = ["default"]
[[tls.certificates]]
# Note that since no store is defined,
# the certificate below will be stored in the `default` store.
certFile = "/path/to/other-domain.cert"
keyFile = "/path/to/other-domain.key"
```
!!! important "Restriction"
The `stores` list will actually be ignored and automatically set to `["default"]`.
@@ -107,16 +107,6 @@ tls:
Traefik can use a default certificate for connections without a SNI, or without a matching domain.
This default certificate should be defined in a TLS store:
```toml tab="File (TOML)"
# Dynamic configuration
[tls.stores]
[tls.stores.default]
[tls.stores.default.defaultCertificate]
certFile = "path/to/cert.crt"
keyFile = "path/to/cert.key"
```
```yaml tab="File (YAML)"
# Dynamic configuration
@@ -128,6 +118,16 @@ tls:
keyFile: path/to/cert.key
```
```toml tab="File (TOML)"
# Dynamic configuration
[tls.stores]
[tls.stores.default]
[tls.stores.default.defaultCertificate]
certFile = "path/to/cert.crt"
keyFile = "path/to/cert.key"
```
If no default certificate is provided, Traefik generates and uses a self-signed certificate.
## TLS Options
@@ -155,18 +155,6 @@ The TLS options allow one to configure some parameters of the TLS connection.
### Minimum TLS Version
```toml tab="File (TOML)"
# Dynamic configuration
[tls.options]
[tls.options.default]
minVersion = "VersionTLS12"
[tls.options.mintls13]
minVersion = "VersionTLS13"
```
```yaml tab="File (YAML)"
# Dynamic configuration
@@ -179,6 +167,18 @@ tls:
minVersion: VersionTLS13
```
```toml tab="File (TOML)"
# Dynamic configuration
[tls.options]
[tls.options.default]
minVersion = "VersionTLS12"
[tls.options.mintls13]
minVersion = "VersionTLS13"
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
@@ -206,18 +206,6 @@ We discourage the use of this setting to disable TLS1.3.
The recommended approach is to update the clients to support TLS1.3.
```toml tab="File (TOML)"
# Dynamic configuration
[tls.options]
[tls.options.default]
maxVersion = "VersionTLS13"
[tls.options.maxtls12]
maxVersion = "VersionTLS12"
```
```yaml tab="File (YAML)"
# Dynamic configuration
@@ -230,6 +218,18 @@ tls:
maxVersion: VersionTLS12
```
```toml tab="File (TOML)"
# Dynamic configuration
[tls.options]
[tls.options.default]
maxVersion = "VersionTLS13"
[tls.options.maxtls12]
maxVersion = "VersionTLS12"
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
@@ -255,16 +255,6 @@ spec:
See [cipherSuites](https://godoc.org/crypto/tls#pkg-constants) for more information.
```toml tab="File (TOML)"
# Dynamic configuration
[tls.options]
[tls.options.default]
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
]
```
```yaml tab="File (YAML)"
# Dynamic configuration
@@ -275,6 +265,16 @@ tls:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
```
```toml tab="File (TOML)"
# Dynamic configuration
[tls.options]
[tls.options.default]
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
]
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
@@ -301,14 +301,6 @@ The names of the curves defined by [`crypto`](https://godoc.org/crypto/tls#Curve
See [CurveID](https://godoc.org/crypto/tls#CurveID) for more information.
```toml tab="File (TOML)"
# Dynamic configuration
[tls.options]
[tls.options.default]
curvePreferences = ["CurveP521", "CurveP384"]
```
```yaml tab="File (YAML)"
# Dynamic configuration
@@ -320,6 +312,14 @@ tls:
- CurveP384
```
```toml tab="File (TOML)"
# Dynamic configuration
[tls.options]
[tls.options.default]
curvePreferences = ["CurveP521", "CurveP384"]
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
@@ -338,14 +338,6 @@ spec:
With strict SNI checking enabled, Traefik won't allow connections from clients
that do not specify a server_name extension or don't match any certificate configured on the tlsOption.
```toml tab="File (TOML)"
# Dynamic configuration
[tls.options]
[tls.options.default]
sniStrict = true
```
```yaml tab="File (YAML)"
# Dynamic configuration
@@ -355,6 +347,14 @@ tls:
sniStrict: true
```
```toml tab="File (TOML)"
# Dynamic configuration
[tls.options]
[tls.options.default]
sniStrict = true
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
@@ -371,14 +371,6 @@ spec:
This option allows the server to choose its most preferred cipher suite instead of the client's.
Please note that this is enabled automatically when `minVersion` or `maxVersion` are set.
```toml tab="File (TOML)"
# Dynamic configuration
[tls.options]
[tls.options.default]
preferServerCipherSuites = true
```
```yaml tab="File (YAML)"
# Dynamic configuration
@@ -388,6 +380,14 @@ tls:
preferServerCipherSuites: true
```
```toml tab="File (TOML)"
# Dynamic configuration
[tls.options]
[tls.options.default]
preferServerCipherSuites = true
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
@@ -404,25 +404,14 @@ spec:
Traefik supports mutual authentication, through the `clientAuth` section.
For authentication policies that require verification of the client certificate, the certificate authority for the certificate should be set in `clientAuth.caFiles`.
The `clientAuth.clientAuthType` option governs the behaviour as follows:
- `NoClientCert`: disregards any client certificate.
- `RequestClientCert`: asks for a certificate but proceeds anyway if none is provided.
- `RequireAnyClientCert`: requires a certificate but does not verify if it is signed by a CA listed in `clientAuth.caFiles`.
- `VerifyClientCertIfGiven`: if a certificate is provided, verifies if it is signed by a CA listed in `clientAuth.caFiles`. Otherwise proceeds without any certificate.
- `RequireAndVerifyClientCert`: requires a certificate, which must be signed by a CA listed in `clientAuth.caFiles`.
```toml tab="File (TOML)"
# Dynamic configuration
[tls.options]
[tls.options.default]
[tls.options.default.clientAuth]
# in PEM format. each file can contain multiple CAs.
caFiles = ["tests/clientca1.crt", "tests/clientca2.crt"]
clientAuthType = "RequireAndVerifyClientCert"
```
- `RequireAndVerifyClientCert`: requires a certificate, which must be signed by a CA listed in `clientAuth.caFiles`.
```yaml tab="File (YAML)"
# Dynamic configuration
@@ -438,6 +427,17 @@ tls:
clientAuthType: RequireAndVerifyClientCert
```
```toml tab="File (TOML)"
# Dynamic configuration
[tls.options]
[tls.options.default]
[tls.options.default.clientAuth]
# in PEM format. each file can contain multiple CAs.
caFiles = ["tests/clientca1.crt", "tests/clientca2.crt"]
clientAuthType = "RequireAndVerifyClientCert"
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
@@ -447,7 +447,7 @@ metadata:
spec:
clientAuth:
# the CA certificate is extracted from key `tls.ca` of the given secrets.
# the CA certificate is extracted from key `tls.ca` or `ca.crt` of the given secrets.
secretNames:
- secretCA
clientAuthType: RequireAndVerifyClientCert

22
docs/content/middlewares/addprefix.md → docs/content/middlewares/http/addprefix.md
View File

@@ -1,11 +1,11 @@
# Add Prefix
Prefixing the Path
Prefixing the Path
{: .subtitle }
![AddPrefix](../assets/img/middleware/addprefix.png)
![AddPrefix](../../assets/img/middleware/addprefix.png)
The AddPrefix middleware updates the URL Path of the request before forwarding it.
The AddPrefix middleware updates the path of a request before forwarding it.
## Configuration Examples
@@ -43,13 +43,6 @@ labels:
- "traefik.http.middlewares.add-foo.addprefix.prefix=/foo"
```
```toml tab="File (TOML)"
# Prefixing with /foo
[http.middlewares]
[http.middlewares.add-foo.addPrefix]
prefix = "/foo"
```
```yaml tab="File (YAML)"
# Prefixing with /foo
http:
@@ -59,9 +52,16 @@ http:
prefix: "/foo"
```
```toml tab="File (TOML)"
# Prefixing with /foo
[http.middlewares]
[http.middlewares.add-foo.addPrefix]
prefix = "/foo"
```
## Configuration Options
### `prefix`
`prefix` is the string to add before the current path in the requested URL.
It should include the leading slash (`/`).
It should include a leading slash (`/`).

110
docs/content/middlewares/basicauth.md → docs/content/middlewares/http/basicauth.md
View File

@@ -3,9 +3,9 @@
Adding Basic Authentication
{: .subtitle }
![BasicAuth](../assets/img/middleware/basicauth.png)
![BasicAuth](../../assets/img/middleware/basicauth.png)
The BasicAuth middleware is a quick way to restrict access to your services to known users.
The BasicAuth middleware restricts access to your services to known users.
## Configuration Examples
@@ -14,7 +14,7 @@ The BasicAuth middleware is a quick way to restrict access to your services to k
#
# Note: when used in docker-compose.yml all dollar signs in the hash need to be doubled for escaping.
# To create user:password pair, it's possible to use this command:
# echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
# echo $(htpasswd -nB user) | sed -e s/\\$/\\$\\$/g
#
# Also note that dollar signs should NOT be doubled when they not evaluated (e.g. Ansible docker_container module).
labels:
@@ -48,16 +48,6 @@ labels:
- "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
```
```toml tab="File (TOML)"
# Declaring the user list
[http.middlewares]
[http.middlewares.test-auth.basicAuth]
users = [
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
]
```
```yaml tab="File (YAML)"
# Declaring the user list
http:
@@ -65,26 +55,36 @@ http:
test-auth:
basicAuth:
users:
- "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
- "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
- "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
```
```toml tab="File (TOML)"
# Declaring the user list
[http.middlewares]
[http.middlewares.test-auth.basicAuth]
users = [
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
]
```
## Configuration Options
### General
Passwords must be hashed using MD5, SHA1, or BCrypt.
!!! tip
!!! tip
Use `htpasswd` to generate the passwords.
### `users`
The `users` option is an array of authorized users. Each user will be declared using the `name:hashed-password` format.
The `users` option is an array of authorized users. Each user must be declared using the `name:hashed-password` format.
!!! note ""
- If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
- For security reasons, the field `users` doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
@@ -142,16 +142,6 @@ labels:
- "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
```
```toml tab="File (TOML)"
# Declaring the user list
[http.middlewares]
[http.middlewares.test-auth.basicAuth]
users = [
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
]
```
```yaml tab="File (YAML)"
# Declaring the user list
http:
@@ -159,10 +149,20 @@ http:
test-auth:
basicAuth:
users:
- "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
- "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
- "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
```
```toml tab="File (TOML)"
# Declaring the user list
[http.middlewares]
[http.middlewares.test-auth.basicAuth]
users = [
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
]
```
### `usersFile`
The `usersFile` option is the path to an external file that contains the authorized users for the middleware.
@@ -170,9 +170,9 @@ The `usersFile` option is the path to an external file that contains the authori
The file content is a list of `name:hashed-password`.
!!! note ""
- If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
- Because it does not make much sense to refer to a file path on Kubernetes, the `usersFile` field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
- Because it does not make much sense to refer to a file path on Kubernetes, the `usersFile` field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
```yaml tab="Docker"
labels:
@@ -216,12 +216,6 @@ labels:
- "traefik.http.middlewares.test-auth.basicauth.usersfile=/path/to/my/usersfile"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-auth.basicAuth]
usersFile = "/path/to/my/usersfile"
```
```yaml tab="File (YAML)"
http:
middlewares:
@@ -230,6 +224,12 @@ http:
usersFile: "/path/to/my/usersfile"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-auth.basicAuth]
usersFile = "/path/to/my/usersfile"
```
??? example "A file containing test/test and test2/test2"
```txt
@@ -239,7 +239,7 @@ http:
### `realm`
You can customize the realm for the authentication with the `realm` option. The default value is `traefik`.
You can customize the realm for the authentication with the `realm` option. The default value is `traefik`.
```yaml tab="Docker"
labels:
@@ -271,12 +271,6 @@ labels:
- "traefik.http.middlewares.test-auth.basicauth.realm=MyRealm"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-auth.basicAuth]
realm = "MyRealm"
```
```yaml tab="File (YAML)"
http:
middlewares:
@@ -285,6 +279,12 @@ http:
realm: "MyRealm"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-auth.basicAuth]
realm = "MyRealm"
```
### `headerField`
You can define a header field to store the authenticated user using the `headerField`option.
@@ -315,12 +315,6 @@ spec:
}
```
```toml tab="File (TOML)"
[http.middlewares.my-auth.basicAuth]
# ...
headerField = "X-WebAuth-User"
```
```yaml tab="File (YAML)"
http:
middlewares:
@@ -330,6 +324,12 @@ http:
headerField: "X-WebAuth-User"
```
```toml tab="File (TOML)"
[http.middlewares.my-auth.basicAuth]
# ...
headerField = "X-WebAuth-User"
```
### `removeHeader`
Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false`.)
@@ -364,12 +364,6 @@ labels:
- "traefik.http.middlewares.test-auth.basicauth.removeheader=true"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-auth.basicAuth]
removeHeader = true
```
```yaml tab="File (YAML)"
http:
middlewares:
@@ -377,3 +371,9 @@ http:
basicAuth:
removeHeader: true
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-auth.basicAuth]
removeHeader = true
```

120
docs/content/middlewares/buffering.md → docs/content/middlewares/http/buffering.md
View File

@@ -3,24 +3,24 @@
How to Read the Request before Forwarding It
{: .subtitle }
![Buffering](../assets/img/middleware/buffering.png)
![Buffering](../../assets/img/middleware/buffering.png)
The Buffering middleware gives you control on how you want to read the requests before sending them to services.
The Buffering middleware limits the size of requests that can be forwarded to services.
With Buffering, Traefik reads the entire request into memory (possibly buffering large requests into disk), and rejects requests that are over a specified limit.
With Buffering, Traefik reads the entire request into memory (possibly buffering large requests into disk), and rejects requests that are over a specified size limit.
This can help services deal with large data (multipart/form-data for example), and can minimize time spent sending data to a service.
This can help services avoid large amounts of data (`multipart/form-data` for example), and can minimize the time spent sending data to a service.
## Configuration Examples
```yaml tab="Docker"
# Sets the maximum request body to 2Mb
# Sets the maximum request body to 2MB
labels:
- "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
```
```yaml tab="Kubernetes"
# Sets the maximum request body to 2Mb
# Sets the maximum request body to 2MB
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
@@ -31,7 +31,7 @@ spec:
```
```yaml tab="Consul Catalog"
# Sets the maximum request body to 2Mb
# Sets the maximum request body to 2MB
- "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
```
@@ -42,20 +42,13 @@ spec:
```
```yaml tab="Rancher"
# Sets the maximum request body to 2Mb
# Sets the maximum request body to 2MB
labels:
- "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
```
```toml tab="File (TOML)"
# Sets the maximum request body to 2Mb
[http.middlewares]
[http.middlewares.limit.buffering]
maxRequestBodyBytes = 2000000
```
```yaml tab="File (YAML)"
# Sets the maximum request body to 2Mb
# Sets the maximum request body to 2MB
http:
middlewares:
limit:
@@ -63,13 +56,20 @@ http:
maxRequestBodyBytes: 2000000
```
```toml tab="File (TOML)"
# Sets the maximum request body to 2MB
[http.middlewares]
[http.middlewares.limit.buffering]
maxRequestBodyBytes = 2000000
```
## Configuration Options
### `maxRequestBodyBytes`
With the `maxRequestBodyBytes` option, you can configure the maximum allowed body size for the request (in Bytes).
The `maxRequestBodyBytes` option configures the maximum allowed body size for the request (in bytes).
If the request exceeds the allowed size, it is not forwarded to the service and the client gets a `413 (Request Entity Too Large)` response.
If the request exceeds the allowed size, it is not forwarded to the service, and the client gets a `413 (Request Entity Too Large)` response.
```yaml tab="Docker"
labels:
@@ -101,12 +101,6 @@ labels:
- "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.limit.buffering]
maxRequestBodyBytes = 2000000
```
```yaml tab="File (YAML)"
http:
middlewares:
@@ -115,9 +109,15 @@ http:
maxRequestBodyBytes: 2000000
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.limit.buffering]
maxRequestBodyBytes = 2000000
```
### `memRequestBodyBytes`
You can configure a threshold (in Bytes) from which the request will be buffered on disk instead of in memory with the `memRequestBodyBytes` option.
You can configure a threshold (in bytes) from which the request will be buffered on disk instead of in memory with the `memRequestBodyBytes` option.
```yaml tab="Docker"
labels:
@@ -149,12 +149,6 @@ labels:
- "traefik.http.middlewares.limit.buffering.memRequestBodyBytes=2000000"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.limit.buffering]
memRequestBodyBytes = 2000000
```
```yaml tab="File (YAML)"
http:
middlewares:
@@ -163,9 +157,15 @@ http:
memRequestBodyBytes: 2000000
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.limit.buffering]
memRequestBodyBytes = 2000000
```
### `maxResponseBodyBytes`
With the `maxResponseBodyBytes` option, you can configure the maximum allowed response size from the service (in Bytes).
The `maxResponseBodyBytes` option configures the maximum allowed response size from the service (in bytes).
If the response exceeds the allowed size, it is not forwarded to the client. The client gets a `413 (Request Entity Too Large) response` instead.
@@ -199,12 +199,6 @@ labels:
- "traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=2000000"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.limit.buffering]
maxResponseBodyBytes = 2000000
```
```yaml tab="File (YAML)"
http:
middlewares:
@@ -213,9 +207,15 @@ http:
maxResponseBodyBytes: 2000000
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.limit.buffering]
maxResponseBodyBytes = 2000000
```
### `memResponseBodyBytes`
You can configure a threshold (in Bytes) from which the response will be buffered on disk instead of in memory with the `memResponseBodyBytes` option.
You can configure a threshold (in bytes) from which the response will be buffered on disk instead of in memory with the `memResponseBodyBytes` option.
```yaml tab="Docker"
labels:
@@ -247,12 +247,6 @@ labels:
- "traefik.http.middlewares.limit.buffering.memResponseBodyBytes=2000000"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.limit.buffering]
memResponseBodyBytes = 2000000
```
```yaml tab="File (YAML)"
http:
middlewares:
@@ -261,17 +255,23 @@ http:
memResponseBodyBytes: 2000000
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.limit.buffering]
memResponseBodyBytes = 2000000
```
### `retryExpression`
You can have the Buffering middleware replay the request with the help of the `retryExpression` option.
You can have the Buffering middleware replay the request using `retryExpression`.
??? example "Retries once in the case of a network error"
??? example "Retries once in case of a network error"
```yaml tab="Docker"
labels:
- "traefik.http.middlewares.limit.buffering.retryExpression=IsNetworkError() && Attempts() < 2"
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
@@ -281,28 +281,22 @@ You can have the Buffering middleware replay the request with the help of the `r
buffering:
retryExpression: "IsNetworkError() && Attempts() < 2"
```
```yaml tab="Consul Catalog"
- "traefik.http.middlewares.limit.buffering.retryExpression=IsNetworkError() && Attempts() < 2"
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.limit.buffering.retryExpression": "IsNetworkError() && Attempts() < 2"
}
```
```yaml tab="Rancher"
labels:
- "traefik.http.middlewares.limit.buffering.retryExpression=IsNetworkError() && Attempts() < 2"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.limit.buffering]
retryExpression = "IsNetworkError() && Attempts() < 2"
```
```yaml tab="File (YAML)"
http:
middlewares:
@@ -311,8 +305,14 @@ You can have the Buffering middleware replay the request with the help of the `r
retryExpression: "IsNetworkError() && Attempts() < 2"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.limit.buffering]
retryExpression = "IsNetworkError() && Attempts() < 2"
```
The retry expression is defined as a logical combination of the functions below with the operators AND (`&&`) and OR (`||`). At least one function is required:
- `Attempts()` number of attempts (the first one counts)
- `ResponseCode()` response code of the service
- `IsNetworkError()` - if the response code is related to networking error
- `IsNetworkError()` whether the response code is related to networking error

74
docs/content/middlewares/chain.md → docs/content/middlewares/http/chain.md
View File

@@ -3,14 +3,14 @@
When One Isn't Enough
{: .subtitle }
![Chain](../assets/img/middleware/chain.png)
![Chain](../../assets/img/middleware/chain.png)
The Chain middleware enables you to define reusable combinations of other pieces of middleware.
The Chain middleware enables you to define reusable combinations of other pieces of middleware.
It makes reusing the same groups easier.
## Configuration Example
Example "A Chain for WhiteList, BasicAuth, and HTTPS"
Below is an example of a Chain containing `WhiteList`, `BasicAuth`, and `RedirectScheme`.
```yaml tab="Docker"
labels:
@@ -21,7 +21,7 @@ labels:
- "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
- "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
- "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
- "http.services.service1.loadbalancer.server.port=80"
- "traefik.http.services.service1.loadbalancer.server.port=80"
```
```yaml tab="Kubernetes"
@@ -30,11 +30,9 @@ kind: IngressRoute
metadata:
name: test
namespace: default
spec:
entryPoints:
- web
routes:
- match: Host(`mydomain`)
kind: Rule
@@ -91,7 +89,7 @@ spec:
- "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
- "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
- "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
- "http.services.service1.loadbalancer.server.port=80"
- "traefik.http.services.service1.loadbalancer.server.port=80"
```
```json tab="Marathon"
@@ -103,7 +101,7 @@ spec:
"traefik.http.middlewares.auth-users.basicauth.users": "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
"traefik.http.middlewares.https-only.redirectscheme.scheme": "https",
"traefik.http.middlewares.known-ips.ipwhitelist.sourceRange": "192.168.1.7,127.0.0.1/32",
"http.services.service1.loadbalancer.server.port": "80"
"traefik.http.services.service1.loadbalancer.server.port": "80"
}
```
@@ -116,39 +114,11 @@ labels:
- "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
- "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
- "traefik.http.middlewares.known-ips.ipwhitelist.sourceRange=192.168.1.7,127.0.0.1/32"
- "http.services.service1.loadbalancer.server.port=80"
```
```toml tab="File (TOML)"
# ...
[http.routers]
[http.routers.router1]
service = "service1"
middlewares = ["secured"]
rule = "Host(`mydomain`)"
[http.middlewares]
[http.middlewares.secured.chain]
middlewares = ["https-only", "known-ips", "auth-users"]
[http.middlewares.auth-users.basicAuth]
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]
[http.middlewares.https-only.redirectScheme]
scheme = "https"
[http.middlewares.known-ips.ipWhiteList]
sourceRange = ["192.168.1.7", "127.0.0.1/32"]
[http.services]
[http.services.service1]
[http.services.service1.loadBalancer]
[[http.services.service1.loadBalancer.servers]]
url = "http://127.0.0.1:80"
- "traefik.http.services.service1.loadbalancer.server.port=80"
```
```yaml tab="File (YAML)"
# ...
# ...
http:
routers:
router1:
@@ -186,3 +156,31 @@ http:
servers:
- url: "http://127.0.0.1:80"
```
```toml tab="File (TOML)"
# ...
[http.routers]
[http.routers.router1]
service = "service1"
middlewares = ["secured"]
rule = "Host(`mydomain`)"
[http.middlewares]
[http.middlewares.secured.chain]
middlewares = ["https-only", "known-ips", "auth-users"]
[http.middlewares.auth-users.basicAuth]
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]
[http.middlewares.https-only.redirectScheme]
scheme = "https"
[http.middlewares.known-ips.ipWhiteList]
sourceRange = ["192.168.1.7", "127.0.0.1/32"]
[http.services]
[http.services.service1]
[http.services.service1.loadBalancer]
[[http.services.service1.loadBalancer.servers]]
url = "http://127.0.0.1:80"
```

84
docs/content/middlewares/circuitbreaker.md → docs/content/middlewares/http/circuitbreaker.md
View File

@@ -3,27 +3,24 @@
Don't Waste Time Calling Unhealthy Services
{: .subtitle }
![CircuitBreaker](../assets/img/middleware/circuitbreaker.png)
![CircuitBreaker](../../assets/img/middleware/circuitbreaker.png)
The circuit breaker protects your system from stacking requests to unhealthy services (resulting in cascading failures).
The circuit breaker protects your system from stacking requests to unhealthy services, resulting in cascading failures.
When your system is healthy, the circuit is closed (normal operations).
When your system becomes unhealthy, the circuit becomes open and the requests are no longer forwarded (but handled by a fallback mechanism).
When your system becomes unhealthy, the circuit opens, and the requests are no longer forwarded, but instead are handled by a fallback mechanism.
To assess if your system is healthy, the circuit breaker constantly monitors the services.
To assess if your system is healthy, the circuit breaker constantly monitors the services.
!!! note ""
- The CircuitBreaker only analyses what happens _after_ it is positioned in the middleware chain. What happens _before_ has no impact on its state.
- The CircuitBreaker only affects the routers that use it. Routers that don't use the CircuitBreaker won't be affected by its state.
The CircuitBreaker only analyzes what happens _after_ its position within the middleware chain. What happens _before_ has no impact on its state.
!!! important
Each router will eventually gets its own instance of a given circuit breaker.
If two different routers refer to the same circuit breaker definition, they will get one instance each.
It means that one circuit breaker can be open while the other stays closed: their state is not shared.
Each router gets its own instance of a given circuit breaker.
One circuit breaker instance can be open while the other remains closed: their state is not shared.
This is the expected behavior, we want you to be able to define what makes a service healthy without having to declare a circuit breaker for each route.
## Configuration Examples
@@ -62,13 +59,6 @@ labels:
- "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
```
```toml tab="File (TOML)"
# Latency Check
[http.middlewares]
[http.middlewares.latency-check.circuitBreaker]
expression = "LatencyAtQuantileMS(50.0) > 100"
```
```yaml tab="File (YAML)"
# Latency Check
http:
@@ -78,6 +68,13 @@ http:
expression: "LatencyAtQuantileMS(50.0) > 100"
```
```toml tab="File (TOML)"
# Latency Check
[http.middlewares]
[http.middlewares.latency-check.circuitBreaker]
expression = "LatencyAtQuantileMS(50.0) > 100"
```
## Possible States
There are three possible states for your circuit breaker:
@@ -90,70 +87,71 @@ There are three possible states for your circuit breaker:
While the circuit is closed, the circuit breaker only collects metrics to analyze the behavior of the requests.
At specified intervals (`checkPeriod`), it will evaluate `expression` to decide if its state must change.
At specified intervals (`checkPeriod`), the circuit breaker evaluates `expression` to decide if its state must change.
### Open
While open, the fallback mechanism takes over the normal service calls for a duration of `FallbackDuration`.
After this duration, it will enter the recovering state.
After this duration, it enters the recovering state.
### Recovering
While recovering, the circuit breaker will progressively send requests to your service again (in a linear way, for `RecoveryDuration`).
If your service fails during recovery, the circuit breaker becomes open again.
If the service operates normally during the whole recovering duration, then the circuit breaker returns to close.
While recovering, the circuit breaker sends linearly increasing amounts of requests to your service (for `RecoveryDuration`).
If your service fails during recovery, the circuit breaker opens again.
If the service operates normally during the entire recovery duration, then the circuit breaker closes.
## Configuration Options
### Configuring the Trigger
You can specify an `expression` that, once matched, will trigger the circuit breaker (and apply the fallback mechanism instead of calling your services).
You can specify an `expression` that, once matched, opens the circuit breaker and applies the fallback mechanism instead of calling your services.
The `expression` can check three different metrics:
The `expression` option can check three different metrics:
- The network error ratio (`NetworkErrorRatio`)
- The status code ratio (`ResponseCodeRatio`)
- The latency at quantile, in milliseconds (`LatencyAtQuantileMS`)
- The latency at a quantile in milliseconds (`LatencyAtQuantileMS`)
#### `NetworkErrorRatio`
If you want the circuit breaker to trigger at a 30% ratio of network errors, the expression will be `NetworkErrorRatio() > 0.30`
If you want the circuit breaker to open at a 30% ratio of network errors, the `expression` is `NetworkErrorRatio() > 0.30`
#### `ResponseCodeRatio`
You can trigger the circuit breaker based on the ratio of a given range of status codes.
You can configure the circuit breaker to open based on the ratio of a given range of status codes.
The `ResponseCodeRatio` accepts four parameters, `from`, `to`, `dividedByFrom`, `dividedByTo`.
The operation that will be computed is sum(`to` -> `from`) / sum (`dividedByFrom` -> `dividedByTo`).
!!! note ""
If sum (`dividedByFrom` -> `dividedByTo`) equals 0, then `ResponseCodeRatio` returns 0.
`from`is inclusive, `to` is exclusive.
For example, the expression `ResponseCodeRatio(500, 600, 0, 600) > 0.25` will trigger the circuit breaker if 25% of the requests returned a 5XX status (amongst the request that returned a status code from 0 to 5XX).
If sum (`dividedByFrom` -> `dividedByTo`) equals 0, then `ResponseCodeRatio` returns 0.
`from`is inclusive, `to` is exclusive.
For example, the expression `ResponseCodeRatio(500, 600, 0, 600) > 0.25` will trigger the circuit breaker if 25% of the requests returned a 5XX status (amongst the request that returned a status code from 0 to 5XX).
#### `LatencyAtQuantileMS`
You can trigger the circuit breaker when a given proportion of your requests become too slow.
You can configure the circuit breaker to open when a given proportion of your requests become too slow.
For example, the expression `LatencyAtQuantileMS(50.0) > 100` will trigger the circuit breaker when the median latency (quantile 50) reaches 100MS.
For example, the expression `LatencyAtQuantileMS(50.0) > 100` opens the circuit breaker when the median latency (quantile 50) reaches 100ms.
!!! note ""
You must provide a float number (with the trailing .0) for the quantile value
#### Using multiple metrics
You must provide a floating point number (with the trailing .0) for the quantile value
You can combine multiple metrics using operators in your expression.
#### Using Multiple Metrics
You can combine multiple metrics using operators in your `expression`.
Supported operators are:
- AND (`&&`)
- OR (`||`)
For example, `ResponseCodeRatio(500, 600, 0, 600) > 0.30 || NetworkErrorRatio() > 0.10` triggers the circuit breaker when 30% of the requests return a 5XX status code, or when the ratio of network errors reaches 10%.
For example, `ResponseCodeRatio(500, 600, 0, 600) > 0.30 || NetworkErrorRatio() > 0.10` triggers the circuit breaker when 30% of the requests return a 5XX status code, or when the ratio of network errors reaches 10%.
#### Operators
@@ -168,8 +166,8 @@ Here is the list of supported operators:
### Fallback mechanism
The fallback mechanism returns a `HTTP 503 Service Unavailable` to the client (instead of calling the target service).
This behavior cannot be configured.
The fallback mechanism returns a `HTTP 503 Service Unavailable` to the client instead of calling the target service.
This behavior cannot be configured.
### `CheckPeriod`
@@ -182,6 +180,6 @@ By default, `FallbackDuration` is 10 seconds. This value cannot be configured.
### `RecoveringDuration`
The duration of the recovering mode (recovering state).
The duration of the recovering mode (recovering state).
By default, `RecoveringDuration` is 10 seconds. This value cannot be configured.
By default, `RecoveringDuration` is 10 seconds. This value cannot be configured.

46
docs/content/middlewares/compress.md → docs/content/middlewares/http/compress.md
View File

@@ -1,11 +1,11 @@
# Compress
Compressing the Response before Sending it to the Client
Compress Responses before Sending them to the Client
{: .subtitle }
![Compress](../assets/img/middleware/compress.png)
![Compress](../../assets/img/middleware/compress.png)
The Compress middleware enables the gzip compression.
The Compress middleware uses gzip compression.
## Configuration Examples
@@ -42,12 +42,6 @@ labels:
- "traefik.http.middlewares.test-compress.compress=true"
```
```toml tab="File (TOML)"
# Enable gzip compression
[http.middlewares]
[http.middlewares.test-compress.compress]
```
```yaml tab="File (YAML)"
# Enable gzip compression
http:
@@ -56,24 +50,30 @@ http:
compress: {}
```
```toml tab="File (TOML)"
# Enable gzip compression
[http.middlewares]
[http.middlewares.test-compress.compress]
```
!!! info
Responses are compressed when:
Responses are compressed when the following criteria are all met:
* The response body is larger than `1400` bytes.
* The `Accept-Encoding` request header contains `gzip`.
* The response is not already compressed, i.e. the `Content-Encoding` response header is not already set.
If Content-Type header is not defined, or empty, the compress middleware will automatically [detect](https://mimesniff.spec.whatwg.org/) a content type.
It will also set accordingly the `Content-Type` header with the detected MIME type.
If the `Content-Type` header is not defined, or empty, the compress middleware will automatically [detect](https://mimesniff.spec.whatwg.org/) a content type.
It will also set the `Content-Type` header according to the detected MIME type.
## Configuration Options
### `excludedContentTypes`
`excludedContentTypes` specifies a list of content types to compare the `Content-Type` header of the incoming requests to before compressing.
`excludedContentTypes` specifies a list of content types to compare the `Content-Type` header of the incoming requests and responses before compressing.
The requests with content types defined in `excludedContentTypes` are not compressed.
The responses with content types defined in `excludedContentTypes` are not compressed.
Content types are compared in a case-insensitive, whitespace-ignored manner.
@@ -108,12 +108,6 @@ labels:
- "traefik.http.middlewares.test-compress.compress.excludedcontenttypes=text/event-stream"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-compress.compress]
excludedContentTypes = ["text/event-stream"]
```
```yaml tab="File (YAML)"
http:
middlewares:
@@ -122,3 +116,9 @@ http:
excludedContentTypes:
- text/event-stream
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-compress.compress]
excludedContentTypes = ["text/event-stream"]
```

28
docs/content/middlewares/contenttype.md → docs/content/middlewares/http/contenttype.md
View File

@@ -1,18 +1,18 @@
# ContentType
Handling ContentType auto-detection
Handling Content-Type auto-detection
{: .subtitle }
The Content-Type middleware - or rather its unique `autoDetect` option -
The Content-Type middleware - or rather its `autoDetect` option -
specifies whether to let the `Content-Type` header,
if it has not been set by the backend,
if it has not been defined by the backend,
be automatically set to a value derived from the contents of the response.
As a proxy, the default behavior should be to leave the header alone,
regardless of what the backend did with it.
However, the historic default was to always auto-detect and set the header if it was nil,
and it is going to be kept that way in order to support users currently relying on it.
However, the historic default was to always auto-detect and set the header if it was not already defined,
and altering this behavior would be a breaking change which would impact many users.
This middleware exists to enable the correct behavior until at least the default one can be changed in a future version.
!!! info
@@ -21,7 +21,7 @@ This middleware exists to enable the correct behavior until at least the default
is still to automatically set the `Content-Type` header.
Therefore, given the default value of the `autoDetect` option (false),
simply enabling this middleware for a router switches the router's behavior.
The scope of the Content-Type middleware is the MIME type detection done by the core of Traefik (the server part).
Therefore, it has no effect against any other `Content-Type` header modifications (e.g.: in another middleware such as compress).
@@ -61,13 +61,6 @@ labels:
- "traefik.http.middlewares.autodetect.contenttype.autodetect=false"
```
```toml tab="File (TOML)"
# Disable auto-detection
[http.middlewares]
[http.middlewares.autodetect.contentType]
autoDetect=false
```
```yaml tab="File (YAML)"
# Disable auto-detection
http:
@@ -77,6 +70,13 @@ http:
autoDetect: false
```
```toml tab="File (TOML)"
# Disable auto-detection
[http.middlewares]
[http.middlewares.autodetect.contentType]
autoDetect=false
```
## Configuration Options
### `autoDetect`

106
docs/content/middlewares/digestauth.md → docs/content/middlewares/http/digestauth.md
View File

@@ -1,11 +1,11 @@
# DigestAuth
Adding Digest Authentication
{: .subtitle }
{: .subtitle }
![BasicAuth](../assets/img/middleware/digestauth.png)
![BasicAuth](../../assets/img/middleware/digestauth.png)
The DigestAuth middleware is a quick way to restrict access to your services to known users.
The DigestAuth middleware restricts access to your services to known users.
## Configuration Examples
@@ -43,16 +43,6 @@ labels:
- "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
```
```toml tab="File (TOML)"
# Declaring the user list
[http.middlewares]
[http.middlewares.test-auth.digestAuth]
users = [
"test:traefik:a2688e031edb4be6a3797f3882655c05",
"test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
]
```
```yaml tab="File (YAML)"
# Declaring the user list
http:
@@ -64,10 +54,20 @@ http:
- "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
```
```toml tab="File (TOML)"
# Declaring the user list
[http.middlewares]
[http.middlewares.test-auth.digestAuth]
users = [
"test:traefik:a2688e031edb4be6a3797f3882655c05",
"test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
]
```
## Configuration Options
!!! tip
!!! tip
Use `htdigest` to generate passwords.
### `users`
@@ -75,9 +75,9 @@ http:
The `users` option is an array of authorized users. Each user will be declared using the `name:realm:encoded-password` format.
!!! note ""
- If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
- For security reasons, the field `users` doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
- For security reasons, the field `users` doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
```yaml tab="Docker"
labels:
@@ -120,15 +120,6 @@ labels:
- "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-auth.digestAuth]
users = [
"test:traefik:a2688e031edb4be6a3797f3882655c05",
"test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
]
```
```yaml tab="File (YAML)"
http:
middlewares:
@@ -139,6 +130,15 @@ http:
- "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-auth.digestAuth]
users = [
"test:traefik:a2688e031edb4be6a3797f3882655c05",
"test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
]
```
### `usersFile`
The `usersFile` option is the path to an external file that contains the authorized users for the middleware.
@@ -146,9 +146,9 @@ The `usersFile` option is the path to an external file that contains the authori
The file content is a list of `name:realm:encoded-password`.
!!! note ""
- If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
- Because it does not make much sense to refer to a file path on Kubernetes, the `usersFile` field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
- Because it does not make much sense to refer to a file path on Kubernetes, the `usersFile` field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
```yaml tab="Docker"
labels:
@@ -192,12 +192,6 @@ labels:
- "traefik.http.middlewares.test-auth.digestauth.usersfile=/path/to/my/usersfile"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-auth.digestAuth]
usersFile = "/path/to/my/usersfile"
```
```yaml tab="File (YAML)"
http:
middlewares:
@@ -206,6 +200,12 @@ http:
usersFile: "/path/to/my/usersfile"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-auth.digestAuth]
usersFile = "/path/to/my/usersfile"
```
??? example "A file containing test/test and test2/test2"
```txt
@@ -215,7 +215,7 @@ http:
### `realm`
You can customize the realm for the authentication with the `realm` option. The default value is `traefik`.
You can customize the realm for the authentication with the `realm` option. The default value is `traefik`.
```yaml tab="Docker"
labels:
@@ -247,12 +247,6 @@ labels:
- "traefik.http.middlewares.test-auth.digestauth.realm=MyRealm"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-auth.digestAuth]
realm = "MyRealm"
```
```yaml tab="File (YAML)"
http:
middlewares:
@@ -261,6 +255,12 @@ http:
realm: "MyRealm"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-auth.digestAuth]
realm = "MyRealm"
```
### `headerField`
You can customize the header field for the authenticated user using the `headerField`option.
@@ -296,12 +296,6 @@ labels:
- "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"
```
```toml tab="File (TOML)"
[http.middlewares.my-auth.digestAuth]
# ...
headerField = "X-WebAuth-User"
```
```yaml tab="File (YAML)"
http:
middlewares:
@@ -311,6 +305,12 @@ http:
headerField: "X-WebAuth-User"
```
```toml tab="File (TOML)"
[http.middlewares.my-auth.digestAuth]
# ...
headerField = "X-WebAuth-User"
```
### `removeHeader`
Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false`.)
@@ -345,12 +345,6 @@ labels:
- "traefik.http.middlewares.test-auth.digestauth.removeheader=true"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-auth.digestAuth]
removeHeader = true
```
```yaml tab="File (YAML)"
http:
middlewares:
@@ -358,3 +352,9 @@ http:
digestAuth:
removeHeader: true
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-auth.digestAuth]
removeHeader = true
```

51
docs/content/middlewares/errorpages.md → docs/content/middlewares/http/errorpages.md
View File

@@ -3,7 +3,7 @@
It Has Never Been Easier to Say That Something Went Wrong
{: .subtitle }
![ErrorPages](../assets/img/middleware/errorpages.png)
![ErrorPages](../../assets/img/middleware/errorpages.png)
The ErrorPage middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.
@@ -58,6 +58,21 @@ labels:
- "traefik.http.middlewares.test-errorpage.errors.query=/{status}.html"
```
```yaml tab="File (YAML)"
# Custom Error Page for 5XX
http:
middlewares:
test-errorpage:
errors:
status:
- "500-599"
service: serviceError
query: "/{status}.html"
services:
# ... definition of error-handler-service and my-service
```
```toml tab="File (TOML)"
# Custom Error Page for 5XX
[http.middlewares]
@@ -70,43 +85,33 @@ labels:
# ... definition of error-handler-service and my-service
```
```yaml tab="File (YAML)"
# Custom Error Page for 5XX
http:
middlewares:
test-errorpage:
errors:
status:
- "500-599"
service: serviceError
query: "/{status}.html"
!!! note ""
[http.services]
# ... definition of error-handler-service and my-service
```
!!! note ""
In this example, the error page URL is based on the status code (`query=/{status}.html`).
## Configuration Options
### `status`
The `status` that will trigger the error page.
The `status` option defines which status or range of statuses should result in an error page.
The status code ranges are inclusive (`500-599` will trigger with every code between `500` and `599`, `500` and `599` included).
!!! note ""
You can define either a status code like `500` or ranges with a syntax like `500-599`.
!!! note ""
You can define either a status code as a number (`500`),
as multiple comma-separated numbers (`500,502`),
as ranges by separating two codes with a dash (`500-599`),
or a combination of the two (`404,418,500-599`).
### `service`
The service that will serve the new requested error page.
!!! note ""
In kubernetes, you need to reference a kubernetes service instead of a traefik service.
!!! note ""
In Kubernetes, you need to reference a Kubernetes Service instead of a Traefik service.
### `query`
The URL for the error page (hosted by `service`). You can use `{status}` in the query, that will be replaced by the received status code.
The URL for the error page (hosted by `service`). You can use the `{status}` variable in the `query` option in order to insert the status code in the URL.

218
docs/content/middlewares/forwardauth.md → docs/content/middlewares/http/forwardauth.md
View File

@@ -1,12 +1,12 @@
# ForwardAuth
Using an External Service to Check for Credentials
Using an External Service to Forward Authentication
{: .subtitle }
![AuthForward](../assets/img/middleware/authforward.png)
![AuthForward](../../assets/img/middleware/authforward.png)
The ForwardAuth middleware delegate the authentication to an external service.
If the service response code is 2XX, access is granted and the original request is performed.
The ForwardAuth middleware delegates authentication to an external service.
If the service answers with a 2XX code, access is granted, and the original request is performed.
Otherwise, the response from the authentication server is returned.
## Configuration Examples
@@ -45,13 +45,6 @@ labels:
- "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
```
```toml tab="File (TOML)"
# Forward authentication to example.com
[http.middlewares]
[http.middlewares.test-auth.forwardAuth]
address = "https://example.com/auth"
```
```yaml tab="File (YAML)"
# Forward authentication to example.com
http:
@@ -61,6 +54,13 @@ http:
address: "https://example.com/auth"
```
```toml tab="File (TOML)"
# Forward authentication to example.com
[http.middlewares]
[http.middlewares.test-auth.forwardAuth]
address = "https://example.com/auth"
```
## Forward-Request Headers
The following request properties are provided to the forward-auth target endpoint as `X-Forwarded-` headers.
@@ -91,7 +91,7 @@ metadata:
name: test-auth
spec:
forwardAuth:
address: https://example.com/auth
address: https://example.com/auth
```
```yaml tab="Consul Catalog"
@@ -109,12 +109,6 @@ labels:
- "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-auth.forwardAuth]
address = "https://example.com/auth"
```
```yaml tab="File (YAML)"
http:
middlewares:
@@ -123,9 +117,15 @@ http:
address: "https://example.com/auth"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-auth.forwardAuth]
address = "https://example.com/auth"
```
### `trustForwardHeader`
Set the `trustForwardHeader` option to `true` to trust all the existing `X-Forwarded-*` headers.
Set the `trustForwardHeader` option to `true` to trust all `X-Forwarded-*` headers.
```yaml tab="Docker"
labels:
@@ -158,13 +158,6 @@ labels:
- "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader=true"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-auth.forwardAuth]
address = "https://example.com/auth"
trustForwardHeader = true
```
```yaml tab="File (YAML)"
http:
middlewares:
@@ -174,9 +167,17 @@ http:
trustForwardHeader: true
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-auth.forwardAuth]
address = "https://example.com/auth"
trustForwardHeader = true
```
### `authResponseHeaders`
The `authResponseHeaders` option is the list of the headers to copy from the authentication server to the request. All incoming request's headers in this list are deleted from the request before any copy happens.
The `authResponseHeaders` option is the list of headers to copy from the authentication server response and set on
forwarded request, replacing any existing conflicting headers.
```yaml tab="Docker"
labels:
@@ -211,13 +212,6 @@ labels:
- "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-auth.forwardAuth]
address = "https://example.com/auth"
authResponseHeaders = ["X-Auth-User", "X-Secret"]
```
```yaml tab="File (YAML)"
http:
middlewares:
@@ -229,11 +223,19 @@ http:
- "X-Secret"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-auth.forwardAuth]
address = "https://example.com/auth"
authResponseHeaders = ["X-Auth-User", "X-Secret"]
```
### `authResponseHeadersRegex`
The `authResponseHeadersRegex` option is the regex to match the headers that should be copied from the authentication server to the request. All incoming request's headers matching this regex are deleted from the request before any copy happens.
It allows partial matching of the regular expression against the header's key.
You should use start of string (`^`) and end of string (`$`) anchors to ensure a full match against the header's key.
The `authResponseHeadersRegex` option is the regex to match headers to copy from the authentication server response and
set on forwarded request, after stripping all headers that match the regex.
It allows partial matching of the regular expression against the header key.
The start of string (`^`) and end of string (`$`) anchors should be used to ensure a full match against the header key.
```yaml tab="Docker"
labels:
@@ -266,13 +268,6 @@ labels:
- "traefik.http.middlewares.test-auth.forwardauth.authResponseHeadersRegex=^X-"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-auth.forwardAuth]
address = "https://example.com/auth"
authResponseHeadersRegex = "^X-"
```
```yaml tab="File (YAML)"
http:
middlewares:
@@ -282,11 +277,18 @@ http:
authResponseHeadersRegex: "^X-"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-auth.forwardAuth]
address = "https://example.com/auth"
authResponseHeadersRegex = "^X-"
```
### `authRequestHeaders`
The `authRequestHeaders` option is the list of the headers to copy from the request to the authentication server.
It allows filtering headers that should not be passed to the authentication server.
If not set or empty then all request headers will be passed.
If not set or empty then all request headers are passed.
```yaml tab="Docker"
labels:
@@ -321,13 +323,6 @@ labels:
- "traefik.http.middlewares.test-auth.forwardauth.authRequestHeaders=Accept,X-CustomHeader"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-auth.forwardAuth]
address = "https://example.com/auth"
authRequestHeaders = "Accept,X-CustomHeader"
```
```yaml tab="File (YAML)"
http:
middlewares:
@@ -339,6 +334,13 @@ http:
- "X-CustomHeader"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-auth.forwardAuth]
address = "https://example.com/auth"
authRequestHeaders = "Accept,X-CustomHeader"
```
### `tls`
The `tls` option is the TLS configuration from Traefik to the authentication server.
@@ -371,7 +373,8 @@ metadata:
namespace: default
data:
ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
# Must contain a certificate under either a `tls.ca` or a `ca.crt` key.
tls.ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
```
```yaml tab="Consul Catalog"
@@ -389,14 +392,6 @@ labels:
- "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-auth.forwardAuth]
address = "https://example.com/auth"
[http.middlewares.test-auth.forwardAuth.tls]
ca = "path/to/local.crt"
```
```yaml tab="File (YAML)"
http:
middlewares:
@@ -407,14 +402,25 @@ http:
ca: "path/to/local.crt"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-auth.forwardAuth]
address = "https://example.com/auth"
[http.middlewares.test-auth.forwardAuth.tls]
ca = "path/to/local.crt"
```
#### `tls.caOptional`
Policy used for the secured connection with TLS Client Authentication to the authentication server.
Requires `tls.ca` to be defined.
The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to the authentication server.
- `true`: VerifyClientCertIfGiven
- `false`: RequireAndVerifyClientCert
- if `tls.ca` is undefined NoClientCert
!!! warning ""
If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client.
```yaml tab="Docker"
labels:
@@ -448,14 +454,6 @@ labels:
- "traefik.http.middlewares.test-auth.forwardauth.tls.caOptional=true"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-auth.forwardAuth]
address = "https://example.com/auth"
[http.middlewares.test-auth.forwardAuth.tls]
caOptional = true
```
```yaml tab="File (YAML)"
http:
middlewares:
@@ -466,9 +464,17 @@ http:
caOptional: true
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-auth.forwardAuth]
address = "https://example.com/auth"
[http.middlewares.test-auth.forwardAuth.tls]
caOptional = true
```
#### `tls.cert`
Public certificate used for the secured connection to the authentication server.
The public certificate used for the secure connection to the authentication server.
```yaml tab="Docker"
labels:
@@ -517,15 +523,6 @@ labels:
- "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-auth.forwardAuth]
address = "https://example.com/auth"
[http.middlewares.test-auth.forwardAuth.tls]
cert = "path/to/foo.cert"
key = "path/to/foo.key"
```
```yaml tab="File (YAML)"
http:
middlewares:
@@ -537,12 +534,22 @@ http:
key: "path/to/foo.key"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-auth.forwardAuth]
address = "https://example.com/auth"
[http.middlewares.test-auth.forwardAuth.tls]
cert = "path/to/foo.cert"
key = "path/to/foo.key"
```
!!! info
For security reasons, the field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
For security reasons, the field does not exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
#### `tls.key`
Private certificate used for the secure connection to the authentication server.
The private certificate used for the secure connection to the authentication server.
```yaml tab="Docker"
labels:
@@ -591,15 +598,6 @@ labels:
- "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-auth.forwardAuth]
address = "https://example.com/auth"
[http.middlewares.test-auth.forwardAuth.tls]
cert = "path/to/foo.cert"
key = "path/to/foo.key"
```
```yaml tab="File (YAML)"
http:
middlewares:
@@ -611,12 +609,22 @@ http:
key: "path/to/foo.key"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-auth.forwardAuth]
address = "https://example.com/auth"
[http.middlewares.test-auth.forwardAuth.tls]
cert = "path/to/foo.cert"
key = "path/to/foo.key"
```
!!! info
For security reasons, the field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
For security reasons, the field does not exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
#### `tls.insecureSkipVerify`
If `insecureSkipVerify` is `true`, TLS for the connection to authentication server accepts any certificate presented by the server and any host name in that certificate.
If `insecureSkipVerify` is `true`, the TLS connection to the authentication server accepts any certificate presented by the server regardless of the hostnames it covers.
```yaml tab="Docker"
labels:
@@ -650,14 +658,6 @@ labels:
- "traefik.http.middlewares.test-auth.forwardauth.tls.InsecureSkipVerify=true"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-auth.forwardAuth]
address = "https://example.com/auth"
[http.middlewares.test-auth.forwardAuth.tls]
insecureSkipVerify: true
```
```yaml tab="File (YAML)"
http:
middlewares:
@@ -667,3 +667,11 @@ http:
tls:
insecureSkipVerify: true
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-auth.forwardAuth]
address = "https://example.com/auth"
[http.middlewares.test-auth.forwardAuth.tls]
insecureSkipVerify: true
```

234
docs/content/middlewares/headers.md → docs/content/middlewares/http/headers.md
View File

@@ -1,17 +1,17 @@
# Headers
# Headers
Adding Headers to the Request / Response
Managing Request/Response headers
{: .subtitle }
![Headers](../assets/img/middleware/headers.png)
![Headers](../../assets/img/middleware/headers.png)
The Headers middleware can manage the requests/responses headers.
The Headers middleware manages the headers of requests and responses.
## Configuration Examples
### Adding Headers to the Request and the Response
Add the `X-Script-Name` header to the proxied request and the `X-Custom-Response-Header` to the response
The following example adds the `X-Script-Name` header to the proxied request and the `X-Custom-Response-Header` header to the response
```yaml tab="Docker"
labels:
@@ -23,7 +23,7 @@ labels:
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: testHeader
name: test-header
spec:
headers:
customRequestHeaders:
@@ -50,15 +50,6 @@ labels:
- "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header=value"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.testHeader.headers]
[http.middlewares.testHeader.headers.customRequestHeaders]
X-Script-Name = "test"
[http.middlewares.testHeader.headers.customResponseHeaders]
X-Custom-Response-Header = "value"
```
```yaml tab="File (YAML)"
http:
middlewares:
@@ -70,23 +61,32 @@ http:
X-Custom-Response-Header: "value"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.testHeader.headers]
[http.middlewares.testHeader.headers.customRequestHeaders]
X-Script-Name = "test"
[http.middlewares.testHeader.headers.customResponseHeaders]
X-Custom-Response-Header = "value"
```
### Adding and Removing Headers
`X-Script-Name` header added to the proxied request, the `X-Custom-Request-Header` header removed from the request,
and the `X-Custom-Response-Header` header removed from the response.
Please note that it is not possible to remove headers through the use of labels (Docker, Rancher, Marathon, ...) for now.
In the following example, requests are proxied with an extra `X-Script-Name` header while their `X-Custom-Request-Header` header gets stripped,
and responses are stripped of their `X-Custom-Response-Header` header.
```yaml tab="Docker"
labels:
- "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
- "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Custom-Request-Header="
- "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header="
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: testHeader
name: test-header
spec:
headers:
customRequestHeaders:
@@ -98,27 +98,23 @@ spec:
```yaml tab="Consul Catalog"
- "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
- "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Custom-Request-Header="
- "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header="
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name": "test",
"traefik.http.middlewares.testheader.headers.customrequestheaders.X-Custom-Request-Header": "",
"traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header": "",
}
```
```yaml tab="Rancher"
labels:
- "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.testHeader.headers]
[http.middlewares.testHeader.headers.customRequestHeaders]
X-Script-Name = "test" # Adds
X-Custom-Request-Header = "" # Removes
[http.middlewares.testHeader.headers.customResponseHeaders]
X-Custom-Response-Header = "" # Removes
- "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Custom-Request-Header="
- "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header="
```
```yaml tab="File (YAML)"
@@ -133,60 +129,70 @@ http:
X-Custom-Response-Header: "" # Removes
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.testHeader.headers]
[http.middlewares.testHeader.headers.customRequestHeaders]
X-Script-Name = "test" # Adds
X-Custom-Request-Header = "" # Removes
[http.middlewares.testHeader.headers.customResponseHeaders]
X-Custom-Response-Header = "" # Removes
```
### Using Security Headers
Security related headers (HSTS headers, SSL redirection, Browser XSS filter, etc) can be added and configured in a manner similar to the custom headers above.
This functionality allows for some easy security features to quickly be set.
Security-related headers (HSTS headers, Browser XSS filter, etc) can be managed similarly to custom headers as shown above.
This functionality makes it possible to easily use security features by adding headers.
```yaml tab="Docker"
labels:
- "traefik.http.middlewares.testHeader.headers.framedeny=true"
- "traefik.http.middlewares.testHeader.headers.sslredirect=true"
- "traefik.http.middlewares.testHeader.headers.browserxssfilter=true"
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: testHeader
name: test-header
spec:
headers:
frameDeny: true
sslRedirect: true
browserxssfilter: true
```
```yaml tab="Consul Catalog"
- "traefik.http.middlewares.testheader.headers.framedeny=true"
- "traefik.http.middlewares.testheader.headers.sslredirect=true"
- "traefik.http.middlewares.testheader.headers.browserxssfilter=true"
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.testheader.headers.framedeny": "true",
"traefik.http.middlewares.testheader.headers.sslredirect": "true"
"traefik.http.middlewares.testheader.headers.browserxssfilter": "true"
}
```
```yaml tab="Rancher"
labels:
- "traefik.http.middlewares.testheader.headers.framedeny=true"
- "traefik.http.middlewares.testheader.headers.sslredirect=true"
- "traefik.http.middlewares.testheader.headers.browserxssfilter=true"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.testHeader.headers]
frameDeny = true
sslRedirect = true
```
```yaml tab="File (YAML)"
```yaml tab="File (YAML)"
http:
middlewares:
testHeader:
headers:
frameDeny: true
sslRedirect: true
browserxssfilter: true
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.testHeader.headers]
frameDeny = true
browserxssfilter = true
```
### CORS Headers
@@ -206,7 +212,7 @@ labels:
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: testHeader
name: test-header
spec:
headers:
accessControlAllowMethods:
@@ -244,15 +250,6 @@ labels:
- "traefik.http.middlewares.testheader.headers.addvaryheader=true"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.testHeader.headers]
accessControlAllowMethods= ["GET", "OPTIONS", "PUT"]
accessControlAllowOriginList = ["https://foo.bar.org","https://example.org"]
accessControlMaxAge = 100
addVaryHeader = true
```
```yaml tab="File (YAML)"
http:
middlewares:
@@ -269,23 +266,34 @@ http:
addVaryHeader: true
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.testHeader.headers]
accessControlAllowMethods= ["GET", "OPTIONS", "PUT"]
accessControlAllowOriginList = ["https://foo.bar.org","https://example.org"]
accessControlMaxAge = 100
addVaryHeader = true
```
## Configuration Options
### General
!!! warning
If the custom header name is the same as one header name of the request or response, it will be replaced.
Custom headers will overwrite existing headers if they have identical names.
!!! note ""
The detailed documentation for the security headers can be found in [unrolled/secure](https://github.com/unrolled/secure#available-options).
The detailed documentation for security headers can be found in [unrolled/secure](https://github.com/unrolled/secure#available-options).
### `customRequestHeaders`
The `customRequestHeaders` option lists the Header names and values to apply to the request.
The `customRequestHeaders` option lists the header names and values to apply to the request.
### `customResponseHeaders`
The `customResponseHeaders` option lists the Header names and values to apply to the response.
The `customResponseHeaders` option lists the header names and values to apply to the response.
### `accessControlAllowCredentials`
@@ -303,25 +311,26 @@ The `accessControlAllowMethods` indicates which methods can be used during requ
The `accessControlAllowOriginList` indicates whether a resource can be shared by returning different values.
A wildcard origin `*` can also be configured, and will match all requests.
If this value is set by a backend server, it will be overwritten by Traefik
A wildcard origin `*` can also be configured, and matches all requests.
If this value is set by a backend service, it will be overwritten by Traefik.
This value can contain a list of allowed origins.
More information including how to use the settings can be found on:
More information including how to use the settings can be found at:
- [Mozilla.org](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin)
- [w3](https://fetch.spec.whatwg.org/#http-access-control-allow-origin)
- [IETF](https://tools.ietf.org/html/rfc6454#section-7.1)
Traefik no longer supports the null value, as it is [no longer recommended as a return value](https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null).
Traefik no longer supports the `null` value, as it is [no longer recommended as a return value](https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null).
### `accessControlAllowOriginListRegex`
The `accessControlAllowOriginListRegex` option is the counterpart of the `accessControlAllowOriginList` option with regular expressions instead of origin values.
It will allow all origin that contains any match of a regular expression in the `accessControlAllowOriginList`.
It allows all origins that contain any match of a regular expression in the `accessControlAllowOriginList`.
!!! tip
Regular expressions can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
### `accessControlExposeHeaders`
@@ -330,66 +339,82 @@ The `accessControlExposeHeaders` indicates which headers are safe to expose to t
### `accessControlMaxAge`
The `accessControlMaxAge` indicates how long (in seconds) a preflight request can be cached.
The `accessControlMaxAge` indicates how many seconds a preflight request can be cached for.
### `addVaryHeader`
The `addVaryHeader` is used in conjunction with `accessControlAllowOriginList` to determine whether the vary header should be added or modified to demonstrate that server responses can differ based on the value of the origin header.
The `addVaryHeader` is used in conjunction with `accessControlAllowOriginList` to determine whether the `Vary` header should be added or modified to demonstrate that server responses can differ based on the value of the origin header.
### `allowedHosts`
### `allowedHosts`
The `allowedHosts` option lists fully qualified domain names that are allowed.
### `hostsProxyHeaders`
### `hostsProxyHeaders`
The `hostsProxyHeaders` option is a set of header keys that may hold a proxied hostname value for the request.
### `sslRedirect`
### `sslRedirect`
The `sslRedirect` is set to true, then only allow https requests.
!!! warning
Deprecated in favor of [EntryPoint redirection](../../routing/entrypoints.md#redirection) or the [RedirectScheme middleware](./redirectscheme.md).
The `sslRedirect` only allow HTTPS requests when set to `true`.
### `sslTemporaryRedirect`
Set the `sslTemporaryRedirect` to `true` to force an SSL redirection using a 302 (instead of a 301).
### `sslHost`
!!! warning
The `sslHost` option is the host name that is used to redirect http requests to https.
Deprecated in favor of [EntryPoint redirection](../../routing/entrypoints.md#redirection) or the [RedirectScheme middleware](./redirectscheme.md).
### `sslProxyHeaders`
Set `sslTemporaryRedirect` to `true` to force an SSL redirection using a 302 (instead of a 301).
The `sslProxyHeaders` option is set of header keys with associated values that would indicate a valid https request.
Useful when using other proxies with header like: `"X-Forwarded-Proto": "https"`.
### `sslHost`
### `sslForceHost`
!!! warning
Set `sslForceHost` to true and set SSLHost to forced requests to use `SSLHost` even the ones that are already using SSL.
Deprecated in favor of the [RedirectRegex middleware](./redirectregex.md).
### `stsSeconds`
The `sslHost` option is the host name that is used to redirect HTTP requests to HTTPS.
The `stsSeconds` is the max-age of the Strict-Transport-Security header.
If set to 0, would NOT include the header.
### `sslProxyHeaders`
### `stsIncludeSubdomains`
The `sslProxyHeaders` option is set of header keys with associated values that would indicate a valid HTTPS request.
It can be useful when using other proxies (example: `"X-Forwarded-Proto": "https"`).
The `stsIncludeSubdomains` is set to true, the `includeSubDomains` directive will be appended to the Strict-Transport-Security header.
### `sslForceHost`
### `stsPreload`
!!! warning
Set `stsPreload` to true to have the `preload` flag appended to the Strict-Transport-Security header.
Deprecated in favor of the [RedirectRegex middleware](./redirectregex.md).
Set `sslForceHost` to `true` and set `sslHost` to force requests to use `SSLHost` regardless of whether they already use SSL.
### `stsSeconds`
The `stsSeconds` is the max-age of the `Strict-Transport-Security` header.
If set to `0`, the header is not set.
### `stsIncludeSubdomains`
If the `stsIncludeSubdomains` is set to `true`, the `includeSubDomains` directive is appended to the `Strict-Transport-Security` header.
### `stsPreload`
Set `stsPreload` to `true` to have the `preload` flag appended to the `Strict-Transport-Security` header.
### `forceSTSHeader`
Set `forceSTSHeader` to true, to add the STS header even when the connection is HTTP.
Set `forceSTSHeader` to `true` to add the STS header even when the connection is HTTP.
### `frameDeny`
### `frameDeny`
Set `frameDeny` to true to add the `X-Frame-Options` header with the value of `DENY`.
### `customFrameOptionsValue`
Set `frameDeny` to `true` to add the `X-Frame-Options` header with the value of `DENY`.
### `customFrameOptionsValue`
The `customFrameOptionsValue` allows the `X-Frame-Options` header value to be set with a custom value.
This overrides the FrameDeny option.
This overrides the `FrameDeny` option.
### `contentTypeNosniff`
@@ -402,7 +427,7 @@ Set `browserXssFilter` to true to add the `X-XSS-Protection` header with the val
### `customBrowserXSSValue`
The `customBrowserXssValue` option allows the `X-XSS-Protection` header value to be set with a custom value.
This overrides the BrowserXssFilter option.
This overrides the `BrowserXssFilter` option.
### `contentSecurityPolicy`
@@ -410,19 +435,26 @@ The `contentSecurityPolicy` option allows the `Content-Security-Policy` header v
### `publicKey`
The `publicKey` implements HPKP to prevent MITM attacks with forged certificates.
The `publicKey` implements HPKP to prevent MITM attacks with forged certificates.
### `referrerPolicy`
The `referrerPolicy` allows sites to control when browsers will pass the Referer header to other sites.
The `referrerPolicy` allows sites to control whether browsers forward the `Referer` header to other sites.
### `featurePolicy`
!!! warning
Deprecated in favor of `permissionsPolicy`
The `featurePolicy` allows sites to control browser features.
### `permissionsPolicy`
The `permissionsPolicy` allows sites to control browser features.
### `isDevelopment`
Set `isDevelopment` to true when developing.
The AllowedHosts, SSL, and STS options can cause some unwanted effects.
Usually testing happens on http, not https, and on localhost, not your production domain.
If you would like your development environment to mimic production with complete Host blocking, SSL redirects, and STS headers, leave this as false.
Set `isDevelopment` to `true` when developing to mitigate the unwanted effects of the `AllowedHosts`, SSL, and STS options.
Usually testing takes place using HTTP, not HTTPS, and on `localhost`, not your production domain.
If you would like your development environment to mimic production with complete Host blocking, SSL redirects, and STS headers, leave this as `false`.

114
docs/content/middlewares/inflightreq.md → docs/content/middlewares/http/inflightreq.md
View File

@@ -3,9 +3,9 @@
Limiting the Number of Simultaneous In-Flight Requests
{: .subtitle }
![InFlightReq](../assets/img/middleware/inflightreq.png)
![InFlightReq](../../assets/img/middleware/inflightreq.png)
To proactively prevent services from being overwhelmed with high load, a limit on the number of simultaneous in-flight requests can be applied.
To proactively prevent services from being overwhelmed with high load, the number of allowed simultaneous in-flight requests can be limited.
## Configuration Examples
@@ -41,20 +41,20 @@ labels:
- "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
```
```toml tab="File (TOML)"
# Limiting to 10 simultaneous connections
[http.middlewares]
[http.middlewares.test-inflightreq.inFlightReq]
amount = 10
```
```yaml tab="File (YAML)"
# Limiting to 10 simultaneous connections
http:
middlewares:
test-inflightreq:
inFlightReq:
amount: 10
amount: 10
```
```toml tab="File (TOML)"
# Limiting to 10 simultaneous connections
[http.middlewares]
[http.middlewares.test-inflightreq.inFlightReq]
amount = 10
```
## Configuration Options
@@ -62,7 +62,7 @@ http:
### `amount`
The `amount` option defines the maximum amount of allowed simultaneous in-flight request.
The middleware will return an `HTTP 429 Too Many Requests` if there are already `amount` requests in progress (based on the same `sourceCriterion` strategy).
The middleware responds with `HTTP 429 Too Many Requests` if there are already `amount` requests in progress (based on the same `sourceCriterion` strategy).
```yaml tab="Docker"
labels:
@@ -96,42 +96,42 @@ labels:
- "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
```
```toml tab="File (TOML)"
# Limiting to 10 simultaneous connections
[http.middlewares]
[http.middlewares.test-inflightreq.inFlightReq]
amount = 10
```
```yaml tab="File (YAML)"
# Limiting to 10 simultaneous connections
http:
middlewares:
test-inflightreq:
inFlightReq:
amount: 10
amount: 10
```
```toml tab="File (TOML)"
# Limiting to 10 simultaneous connections
[http.middlewares]
[http.middlewares.test-inflightreq.inFlightReq]
amount = 10
```
### `sourceCriterion`
SourceCriterion defines what criterion is used to group requests as originating from a common source.
The `sourceCriterion` option defines what criterion is used to group requests as originating from a common source.
The precedence order is `ipStrategy`, then `requestHeaderName`, then `requestHost`.
If none are set, the default is to use the `requestHost`.
#### `sourceCriterion.ipStrategy`
The `ipStrategy` option defines two parameters that sets how Traefik will determine the client IP: `depth`, and `excludedIPs`.
The `ipStrategy` option defines two parameters that configures how Traefik determines the client IP: `depth`, and `excludedIPs`.
##### `ipStrategy.depth`
The `depth` option tells Traefik to use the `X-Forwarded-For` header and take the IP located at the `depth` position (starting from the right).
The `depth` option tells Traefik to use the `X-Forwarded-For` header and select the IP located at the `depth` position (starting from the right).
- If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP is empty.
- `depth` is ignored if its value is less than or equal to 0.
- If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
- `depth` is ignored if its value is lesser than or equal to 0.
!!! example "Example of Depth & X-Forwarded-For"
If `depth` was equal to 2, and the request `X-Forwarded-For` header was `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP would be `"10.0.0.1"` (at depth 4) but the IP used as the criterion would be `"12.0.0.1"` (`depth=2`).
If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used as the criterion is `"12.0.0.1"` (`depth=2`).
| `X-Forwarded-For` | `depth` | clientIP |
|-----------------------------------------|---------|--------------|
@@ -171,13 +171,6 @@ labels:
- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.depth=2"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-inflightreq.inflightreq]
[http.middlewares.test-inflightreq.inFlightReq.sourceCriterion.ipStrategy]
depth = 2
```
```yaml tab="File (YAML)"
http:
middlewares:
@@ -188,9 +181,16 @@ http:
depth: 2
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-inflightreq.inflightreq]
[http.middlewares.test-inflightreq.inFlightReq.sourceCriterion.ipStrategy]
depth = 2
```
##### `ipStrategy.excludedIPs`
`excludedIPs` tells Traefik to scan the `X-Forwarded-For` header and pick the first IP not in the list.
`excludedIPs` configures Traefik to scan the `X-Forwarded-For` header and select the first IP not in the list.
!!! important "If `depth` is specified, `excludedIPs` is ignored."
@@ -238,13 +238,6 @@ labels:
- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-inflightreq.inflightreq]
[http.middlewares.test-inflightreq.inFlightReq.sourceCriterion.ipStrategy]
excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
```
```yaml tab="File (YAML)"
http:
middlewares:
@@ -257,9 +250,16 @@ http:
- "192.168.1.7"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-inflightreq.inflightreq]
[http.middlewares.test-inflightreq.inFlightReq.sourceCriterion.ipStrategy]
excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
```
#### `sourceCriterion.requestHeaderName`
Requests having the same value for the given header are grouped as coming from the same source.
Name of the header used to group incoming requests.
```yaml tab="Docker"
labels:
@@ -292,13 +292,6 @@ labels:
- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requestheadername=username"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-inflightreq.inflightreq]
[http.middlewares.test-inflightreq.inFlightReq.sourceCriterion]
requestHeaderName = "username"
```
```yaml tab="File (YAML)"
http:
middlewares:
@@ -308,6 +301,13 @@ http:
requestHeaderName: username
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-inflightreq.inflightreq]
[http.middlewares.test-inflightreq.inFlightReq.sourceCriterion]
requestHeaderName = "username"
```
#### `sourceCriterion.requestHost`
Whether to consider the request host as the source.
@@ -343,13 +343,6 @@ labels:
- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost=true"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-inflightreq.inflightreq]
[http.middlewares.test-inflightreq.inFlightReq.sourceCriterion]
requestHost = true
```
```yaml tab="File (YAML)"
http:
middlewares:
@@ -358,3 +351,10 @@ http:
sourceCriterion:
requestHost: true
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-inflightreq.inflightreq]
[http.middlewares.test-inflightreq.inFlightReq.sourceCriterion]
requestHost = true
```

202
docs/content/middlewares/ipwhitelist.md → docs/content/middlewares/http/ipwhitelist.md
View File

@@ -3,7 +3,7 @@
Limiting Clients to Specific IPs
{: .subtitle }
![IpWhiteList](../assets/img/middleware/ipwhitelist.png)
![IpWhiteList](../../assets/img/middleware/ipwhitelist.png)
IPWhitelist accepts / refuses requests based on the client IP.
@@ -44,13 +44,6 @@ labels:
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
```
```toml tab="File (TOML)"
# Accepts request from defined IP
[http.middlewares]
[http.middlewares.test-ipwhitelist.ipWhiteList]
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
```
```yaml tab="File (YAML)"
# Accepts request from defined IP
http:
@@ -62,6 +55,13 @@ http:
- "192.168.1.7"
```
```toml tab="File (TOML)"
# Accepts request from defined IP
[http.middlewares]
[http.middlewares.test-ipwhitelist.ipWhiteList]
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
```
## Configuration Options
### `sourceRange`
@@ -70,95 +70,105 @@ The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs by using
### `ipStrategy`
The `ipStrategy` option defines two parameters that sets how Traefik will determine the client IP: `depth`, and `excludedIPs`.
The `ipStrategy` option defines two parameters that set how Traefik determines the client IP: `depth`, and `excludedIPs`.
#### `ipStrategy.depth`
The `depth` option tells Traefik to use the `X-Forwarded-For` header and take the IP located at the `depth` position (starting from the right).
- If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
- `depth` is ignored if its value is less than or equal to 0.
!!! example "Examples of Depth & X-Forwarded-For"
```yaml tab="Docker"
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
labels:
- "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
```
```yaml tab="Kubernetes"
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: testIPwhitelist
spec:
If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used for the whitelisting is `"12.0.0.1"` (`depth=2`).
| `X-Forwarded-For` | `depth` | clientIP |
|-----------------------------------------|---------|--------------|
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `1` | `"13.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3` | `"11.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5` | `""` |
```yaml tab="Docker"
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
labels:
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
```
```yaml tab="Kubernetes"
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-ipwhitelist
spec:
ipWhiteList:
sourceRange:
- 127.0.0.1/32
- 192.168.1.7
ipStrategy:
depth: 2
```
```yaml tab="Consul Catalog"
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32, 192.168.1.7",
"traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth": "2"
}
```
```yaml tab="Rancher"
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
labels:
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
```
```yaml tab="File (YAML)"
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
http:
middlewares:
test-ipwhitelist:
ipWhiteList:
sourceRange:
- 127.0.0.1/32
- 192.168.1.7
- "127.0.0.1/32"
- "192.168.1.7"
ipStrategy:
depth: 2
```
```yaml tab="Consul Catalog"
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
- "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32, 192.168.1.7",
"traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth": "2"
}
```
```yaml tab="Rancher"
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
labels:
- "traefik.http.middlewares.testIPwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
- "traefik.http.middlewares.testIPwhitelist.ipwhitelist.ipstrategy.depth=2"
```
```toml tab="File (TOML)"
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
[http.middlewares]
[http.middlewares.test-ipwhitelist.ipWhiteList]
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
[http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
depth = 2
```
```yaml tab="File (YAML)"
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
http:
middlewares:
test-ipwhitelist:
ipWhiteList:
sourceRange:
- "127.0.0.1/32"
- "192.168.1.7"
ipStrategy:
depth: 2
```
If `depth` was equal to 2, and the request `X-Forwarded-For` header was `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP would be `"10.0.0.1"` (at depth 4) but the IP used for the whitelisting would be `"12.0.0.1"` (`depth=2`).
??? example "More examples"
| `X-Forwarded-For` | `depth` | clientIP |
|-----------------------------------------|---------|--------------|
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `1` | `"13.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3` | `"11.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5` | `""` |
```
!!! info
- If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
- `depth` is ignored if its value is lesser than or equal to 0.
```toml tab="File (TOML)"
# Whitelisting Based on `X-Forwarded-For` with `depth=2`
[http.middlewares]
[http.middlewares.test-ipwhitelist.ipWhiteList]
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
[http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
depth = 2
```
#### `ipStrategy.excludedIPs`
`excludedIPs` configures Traefik to scan the `X-Forwarded-For` header and select the first IP not in the list.
!!! important "If `depth` is specified, `excludedIPs` is ignored."
!!! example "Example of ExcludedIPs & X-Forwarded-For"
| `X-Forwarded-For` | `excludedIPs` | clientIP |
|-----------------------------------------|-----------------------|--------------|
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
| `"10.0.0.1,11.0.0.1"` | `"10.0.0.1,11.0.0.1"` | `""` |
```yaml tab="Docker"
# Exclude from `X-Forwarded-For`
labels:
@@ -196,14 +206,6 @@ labels:
- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
```
```toml tab="File (TOML)"
# Exclude from `X-Forwarded-For`
[http.middlewares]
[http.middlewares.test-ipwhitelist.ipWhiteList]
[http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
```
```yaml tab="File (YAML)"
# Exclude from `X-Forwarded-For`
http:
@@ -216,16 +218,10 @@ http:
- "192.168.1.7"
```
`excludedIPs` tells Traefik to scan the `X-Forwarded-For` header and pick the first IP not in the list.
!!! important "If `depth` is specified, `excludedIPs` is ignored."
!!! example "Examples of ExcludedIPs & X-Forwarded-For"
| `X-Forwarded-For` | `excludedIPs` | clientIP |
|-----------------------------------------|-----------------------|--------------|
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
| `"10.0.0.1,11.0.0.1"` | `"10.0.0.1,11.0.0.1"` | `""` |
```toml tab="File (TOML)"
# Exclude from `X-Forwarded-For`
[http.middlewares]
[http.middlewares.test-ipwhitelist.ipWhiteList]
[http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
```

149
docs/content/middlewares/http/overview.md Normal file
View File

@@ -0,0 +1,149 @@
# HTTP Middlewares
Controlling connections
{: .subtitle }
![Overview](../../assets/img/middleware/overview.png)
## Configuration Example
```yaml tab="Docker"
# As a Docker Label
whoami:
# A container that exposes an API to show its IP address
image: traefik/whoami
labels:
# Create a middleware named `foo-add-prefix`
- "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
# Apply the middleware named `foo-add-prefix` to the router named `router1`
- "traefik.http.routers.router1.middlewares=foo-add-prefix@docker"
```
```yaml tab="Kubernetes IngressRoute"
# As a Kubernetes Traefik IngressRoute
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: middlewares.traefik.containo.us
spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: Middleware
plural: middlewares
singular: middleware
scope: Namespaced
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: stripprefix
spec:
stripPrefix:
prefixes:
- /stripit
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: ingressroute
spec:
# more fields...
routes:
# more fields...
middlewares:
- name: stripprefix
```
```yaml tab="Consul Catalog"
# Create a middleware named `foo-add-prefix`
- "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
# Apply the middleware named `foo-add-prefix` to the router named `router1`
- "traefik.http.routers.router1.middlewares=foo-add-prefix@consulcatalog"
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.foo-add-prefix.addprefix.prefix": "/foo",
"traefik.http.routers.router1.middlewares": "foo-add-prefix@marathon"
}
```
```yaml tab="Rancher"
# As a Rancher Label
labels:
# Create a middleware named `foo-add-prefix`
- "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
# Apply the middleware named `foo-add-prefix` to the router named `router1`
- "traefik.http.routers.router1.middlewares=foo-add-prefix@rancher"
```
```toml tab="File (TOML)"
# As TOML Configuration File
[http.routers]
[http.routers.router1]
service = "myService"
middlewares = ["foo-add-prefix"]
rule = "Host(`example.com`)"
[http.middlewares]
[http.middlewares.foo-add-prefix.addPrefix]
prefix = "/foo"
[http.services]
[http.services.service1]
[http.services.service1.loadBalancer]
[[http.services.service1.loadBalancer.servers]]
url = "http://127.0.0.1:80"
```
```yaml tab="File (YAML)"
# As YAML Configuration File
http:
routers:
router1:
service: myService
middlewares:
- "foo-add-prefix"
rule: "Host(`example.com`)"
middlewares:
foo-add-prefix:
addPrefix:
prefix: "/foo"
services:
service1:
loadBalancer:
servers:
- url: "http://127.0.0.1:80"
```
## Available HTTP Middlewares
| Middleware | Purpose | Area |
|-------------------------------------------|---------------------------------------------------|-----------------------------|
| [AddPrefix](addprefix.md) | Add a Path Prefix | Path Modifier |
| [BasicAuth](basicauth.md) | Basic auth mechanism | Security, Authentication |
| [Buffering](buffering.md) | Buffers the request/response | Request Lifecycle |
| [Chain](chain.md) | Combine multiple pieces of middleware | Middleware tool |
| [CircuitBreaker](circuitbreaker.md) | Stop calling unhealthy services | Request Lifecycle |
| [Compress](compress.md) | Compress the response | Content Modifier |
| [DigestAuth](digestauth.md) | Adds Digest Authentication | Security, Authentication |
| [Errors](errorpages.md) | Define custom error pages | Request Lifecycle |
| [ForwardAuth](forwardauth.md) | Authentication delegation | Security, Authentication |
| [Headers](headers.md) | Add / Update headers | Security |
| [IPWhiteList](ipwhitelist.md) | Limit the allowed client IPs | Security, Request lifecycle |
| [InFlightReq](inflightreq.md) | Limit the number of simultaneous connections | Security, Request lifecycle |
| [PassTLSClientCert](passtlsclientcert.md) | Adding Client Certificates in a Header | Security |
| [RateLimit](ratelimit.md) | Limit the call frequency | Security, Request lifecycle |
| [RedirectScheme](redirectscheme.md) | Redirect easily the client elsewhere | Request lifecycle |
| [RedirectRegex](redirectregex.md) | Redirect the client elsewhere | Request lifecycle |
| [ReplacePath](replacepath.md) | Change the path of the request | Path Modifier |
| [ReplacePathRegex](replacepathregex.md) | Change the path of the request | Path Modifier |
| [Retry](retry.md) | Automatically retry the request in case of errors | Request lifecycle |
| [StripPrefix](stripprefix.md) | Change the path of the request | Path Modifier |
| [StripPrefixRegex](stripprefixregex.md) | Change the path of the request | Path Modifier |

255
docs/content/middlewares/passtlsclientcert.md → docs/content/middlewares/http/passtlsclientcert.md
View File

@@ -7,7 +7,7 @@ Adding Client Certificates in a Header
TODO: add schema
-->
PassTLSClientCert adds in header the selected data from the passed client tls certificate.
PassTLSClientCert adds the selected data from the passed client TLS certificate to a header.
## Configuration Examples
@@ -46,13 +46,6 @@ labels:
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
```
```toml tab="File (TOML)"
# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
[http.middlewares]
[http.middlewares.test-passtlsclientcert.passTLSClientCert]
pem = true
```
```yaml tab="File (YAML)"
# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
http:
@@ -62,6 +55,13 @@ http:
pem: true
```
```toml tab="File (TOML)"
# Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
[http.middlewares]
[http.middlewares.test-passtlsclientcert.passTLSClientCert]
pem = true
```
??? example "Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header"
```yaml tab="Docker"
@@ -86,7 +86,7 @@ http:
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
```
```yaml tab="Kubernetes"
# Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
apiVersion: traefik.containo.us/v1alpha1
@@ -116,7 +116,7 @@ http:
serialNumber: true
domainComponent: true
```
```yaml tab="Consul Catalog"
# Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
@@ -137,7 +137,7 @@ http:
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter": "true",
@@ -159,7 +159,7 @@ http:
"traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber": "true"
}
```
```yaml tab="Rancher"
# Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
labels:
@@ -182,32 +182,6 @@ http:
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
```
```toml tab="File (TOML)"
# Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
[http.middlewares]
[http.middlewares.test-passtlsclientcert.passTLSClientCert]
[http.middlewares.test-passtlsclientcert.passTLSClientCert.info]
notAfter = true
notBefore = true
sans = true
[http.middlewares.test-passtlsclientcert.passTLSClientCert.info.subject]
country = true
province = true
locality = true
organization = true
commonName = true
serialNumber = true
domainComponent = true
[http.middlewares.test-passtlsclientcert.passTLSClientCert.info.issuer]
country = true
province = true
locality = true
organization = true
commonName = true
serialNumber = true
domainComponent = true
```
```yaml tab="File (YAML)"
# Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
http:
@@ -236,11 +210,37 @@ http:
domainComponent: true
```
```toml tab="File (TOML)"
# Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
[http.middlewares]
[http.middlewares.test-passtlsclientcert.passTLSClientCert]
[http.middlewares.test-passtlsclientcert.passTLSClientCert.info]
notAfter = true
notBefore = true
sans = true
[http.middlewares.test-passtlsclientcert.passTLSClientCert.info.subject]
country = true
province = true
locality = true
organization = true
commonName = true
serialNumber = true
domainComponent = true
[http.middlewares.test-passtlsclientcert.passTLSClientCert.info.issuer]
country = true
province = true
locality = true
organization = true
commonName = true
serialNumber = true
domainComponent = true
```
## Configuration Options
### General
PassTLSClientCert can add two headers to the request:
PassTLSClientCert can add two headers to the request:
- `X-Forwarded-Tls-Client-Cert` that contains the escaped pem.
- `X-Forwarded-Tls-Client-Cert-Info` that contains all the selected certificate information in an escaped string.
@@ -248,12 +248,12 @@ PassTLSClientCert can add two headers to the request:
!!! info
* The headers are filled with escaped string so it can be safely placed inside a URL query.
* These options only work accordingly to the [MutualTLS configuration](../https/tls.md#client-authentication-mtls).
* These options only work accordingly to the [MutualTLS configuration](../../https/tls.md#client-authentication-mtls).
That is to say, only the certificates that match the `clientAuth.clientAuthType` policy are passed.
In the following example, you can see a complete certificate. We will use each part of it to explain the middleware options.
The following example shows a complete certificate and explains each of the middleware options.
??? example "A complete client tls certificate"
??? example "A complete client TLS certificate"
```
Certificate:
@@ -292,16 +292,16 @@ In the following example, you can see a complete certificate. We will use each p
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Extended Key Usage:
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Key Identifier:
X509v3 Subject Key Identifier:
94:BA:73:78:A2:87:FB:58:28:28:CF:98:3B:C2:45:70:16:6E:29:2F
X509v3 Authority Key Identifier:
X509v3 Authority Key Identifier:
keyid:1E:52:A2:E8:54:D5:37:EB:D5:A8:1D:E4:C2:04:1D:37:E2:F7:70:03
X509v3 Subject Alternative Name:
X509v3 Subject Alternative Name:
DNS:*.example.org, DNS:*.example.net, DNS:*.example.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:test@example.org, email:test@example.net
Signature Algorithm: sha1WithRSAEncryption
76:6b:05:b0:0e:34:11:b1:83:99:91:dc:ae:1b:e2:08:15:8b:
@@ -359,9 +359,9 @@ In the following example, you can see a complete certificate. We will use each p
### `pem`
The `pem` option sets the `X-Forwarded-Tls-Client-Cert` header with the escape certificate.
The `pem` option sets the `X-Forwarded-Tls-Client-Cert` header with the escaped certificate.
In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` delimiters :
In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` delimiters:
??? example "The data used by the pem option"
@@ -403,23 +403,24 @@ In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----E
ML9n/4zmm1PMhzZHcEA72ZAq0tKCxpz10djg5v2qL5V+Oaz8TtTOZbPsxpiKMQ==
-----END CERTIFICATE-----
```
!!! info "Extracted data"
The delimiters and `\n` will be removed.
The delimiters and `\n` will be removed.
If there are more than one certificate, they are separated by a "`,`".
!!! warning "`X-Forwarded-Tls-Client-Cert` value could exceed the web server header size limit"
The header size limit of web servers is commonly between 4kb and 8kb.
The header size limit of web servers is commonly between 4kb and 8kb.
You could change the server configuration to allow bigger header or use the `info` option with the needed field(s).
### `info`
The `info` option select the specific client certificate details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
The value of the header will be an escaped concatenation of all the selected certificate details.
The `info` option selects the specific client certificate details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
The following example shows an unescaped result that uses all the available fields:
The value of the header is an escaped concatenation of all the selected certificate details.
The following example shows an unescaped result that uses all the available fields:
```text
Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=*.example.com";Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2";NB="1544094616";NA="1607166616";SAN="*.example.org,*.example.net,*.example.com,test@example.org,test@example.net,10.0.1.0,10.0.1.2"
@@ -433,14 +434,14 @@ Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TO
Set the `info.notAfter` option to `true` to add the `Not After` information from the `Validity` part.
The data are taken from the following certificate part:
The data is taken from the following certificate part:
```text
Validity
Not After : Dec 5 11:10:16 2020 GMT
Not After : Dec 5 11:10:16 2020 GMT
```
The escape `notAfter` info part will be like:
The escaped `notAfter` info part is formatted as below:
```text
NA="1607166616"
@@ -450,14 +451,14 @@ NA="1607166616"
Set the `info.notBefore` option to `true` to add the `Not Before` information from the `Validity` part.
The data are taken from the following certificate part:
The data is taken from the following certificate part:
```text
Validity
Not Before: Dec 6 11:10:16 2018 GMT
```
The escape `notBefore` info part will be like:
The escaped `notBefore` info part is formatted as below:
```text
NB="1544094616"
@@ -467,28 +468,28 @@ NB="1544094616"
Set the `info.sans` option to `true` to add the `Subject Alternative Name` information from the `Subject Alternative Name` part.
The data are taken from the following certificate part:
The data is taken from the following certificate part:
```text
X509v3 Subject Alternative Name:
X509v3 Subject Alternative Name:
DNS:*.example.org, DNS:*.example.net, DNS:*.example.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:test@example.org, email:test@example.net
```
The escape SANs info part will be like:
The escape SANs info part is formatted as below:
```text
SAN="*.example.org,*.example.net,*.example.com,test@example.org,test@example.net,10.0.1.0,10.0.1.2"
```
!!! info "multiple values"
!!! info "Multiple values"
All the SANs data are separated by a `,`.
The SANs are separated by a `,`.
#### `info.subject`
The `info.subject` select the specific client certificate subject details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
The `info.subject` selects the specific client certificate subject details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
The data are taken from the following certificate part :
The data is taken from the following certificate part:
```text
Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.example.org, CN=*.example.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com state/emailAddress=cert@example.org/emailAddress=cert@sexample.com
@@ -496,9 +497,11 @@ Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=
##### `info.subject.country`
Set the `info.subject.country` option to true to add the `country` information into the subject.
The data are taken from the subject part with the `C` key.
The escape country info in the subject part will be like :
Set the `info.subject.country` option to `true` to add the `country` information into the subject.
The data is taken from the subject part with the `C` key.
The escape country info in the subject part is formatted as below:
```text
C=FR,C=US
@@ -506,11 +509,11 @@ C=FR,C=US
##### `info.subject.province`
Set the `info.subject.province` option to true to add the `province` information into the subject.
The data are taken from the subject part with the `ST` key.
Set the `info.subject.province` option to `true` to add the `province` information into the subject.
The escape province info in the subject part will be like :
The data is taken from the subject part with the `ST` key.
The escape province info in the subject part is formatted as below:
```text
ST=Cheese org state,ST=Cheese com state
@@ -518,11 +521,11 @@ ST=Cheese org state,ST=Cheese com state
##### `info.subject.locality`
Set the `info.subject.locality` option to true to add the `locality` information into the subject.
The data are taken from the subject part with the `L` key.
Set the `info.subject.locality` option to `true` to add the `locality` information into the subject.
The escape locality info in the subject part will be like :
The data is taken from the subject part with the `L` key.
The escape locality info in the subject part is formatted as below:
```text
L=TOULOUSE,L=LYON
@@ -530,11 +533,11 @@ L=TOULOUSE,L=LYON
##### `info.subject.organization`
Set the `info.subject.organization` option to true to add the `organization` information into the subject.
The data are taken from the subject part with the `O` key.
Set the `info.subject.organization` option to `true` to add the `organization` information into the subject.
The escape organization info in the subject part will be like :
The data is taken from the subject part with the `O` key.
The escape organization info in the subject part is formatted as below:
```text
O=Cheese,O=Cheese 2
@@ -542,11 +545,11 @@ O=Cheese,O=Cheese 2
##### `info.subject.commonName`
Set the `info.subject.commonName` option to true to add the `commonName` information into the subject.
The data are taken from the subject part with the `CN` key.
Set the `info.subject.commonName` option to `true` to add the `commonName` information into the subject.
The escape common name info in the subject part will be like :
The data is taken from the subject part with the `CN` key.
The escape common name info in the subject part is formatted as below:
```text
CN=*.example.com
@@ -554,11 +557,11 @@ CN=*.example.com
##### `info.subject.serialNumber`
Set the `info.subject.serialNumber` option to true to add the `serialNumber` information into the subject.
The data are taken from the subject part with the `SN` key.
Set the `info.subject.serialNumber` option to `true` to add the `serialNumber` information into the subject.
The escape serial number info in the subject part will be like :
The data is taken from the subject part with the `SN` key.
The escape serial number info in the subject part is formatted as below:
```text
SN=1234567890
@@ -566,11 +569,11 @@ SN=1234567890
##### `info.subject.domainComponent`
Set the `info.subject.domainComponent` option to true to add the `domainComponent` information into the subject.
The data are taken from the subject part with the `DC` key.
Set the `info.subject.domainComponent` option to `true` to add the `domainComponent` information into the subject.
The escape domaincomponent info in the subject part will be like :
The data is taken from the subject part with the `DC` key.
The escape domain component info in the subject part is formatted as below:
```text
DC=org,DC=cheese
@@ -578,9 +581,9 @@ DC=org,DC=cheese
#### `info.issuer`
The `info.issuer` select the specific client certificate issuer details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
The `info.issuer` selects the specific client certificate issuer details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
The data are taken from the following certificate part :
The data is taken from the following certificate part:
```text
Issuer: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=Simple Signing CA, CN=Simple Signing CA 2, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Signing State, ST=Signing State 2/emailAddress=simple@signing.com/emailAddress=simple2@signing.com
@@ -588,9 +591,11 @@ Issuer: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=S
##### `info.issuer.country`
Set the `info.issuer.country` option to true to add the `country` information into the issuer.
The data are taken from the issuer part with the `C` key.
The escape country info in the issuer part will be like :
Set the `info.issuer.country` option to `true` to add the `country` information into the issuer.
The data is taken from the issuer part with the `C` key.
The escape country info in the issuer part is formatted as below:
```text
C=FR,C=US
@@ -598,11 +603,11 @@ C=FR,C=US
##### `info.issuer.province`
Set the `info.issuer.province` option to true to add the `province` information into the issuer.
The data are taken from the issuer part with the `ST` key.
Set the `info.issuer.province` option to `true` to add the `province` information into the issuer.
The escape province info in the issuer part will be like :
The data is taken from the issuer part with the `ST` key.
The escape province info in the issuer part is formatted as below:
```text
ST=Signing State,ST=Signing State 2
@@ -610,11 +615,11 @@ ST=Signing State,ST=Signing State 2
##### `info.issuer.locality`
Set the `info.issuer.locality` option to true to add the `locality` information into the issuer.
The data are taken from the issuer part with the `L` key.
Set the `info.issuer.locality` option to `true` to add the `locality` information into the issuer.
The escape locality info in the issuer part will be like :
The data is taken from the issuer part with the `L` key.
The escape locality info in the issuer part is formatted as below:
```text
L=TOULOUSE,L=LYON
@@ -622,11 +627,11 @@ L=TOULOUSE,L=LYON
##### `info.issuer.organization`
Set the `info.issuer.organization` option to true to add the `organization` information into the issuer.
The data are taken from the issuer part with the `O` key.
Set the `info.issuer.organization` option to `true` to add the `organization` information into the issuer.
The escape organization info in the issuer part will be like :
The data is taken from the issuer part with the `O` key.
The escape organization info in the issuer part is formatted as below:
```text
O=Cheese,O=Cheese 2
@@ -634,11 +639,11 @@ O=Cheese,O=Cheese 2
##### `info.issuer.commonName`
Set the `info.issuer.commonName` option to true to add the `commonName` information into the issuer.
The data are taken from the issuer part with the `CN` key.
Set the `info.issuer.commonName` option to `true` to add the `commonName` information into the issuer.
The escape common name info in the issuer part will be like :
The data is taken from the issuer part with the `CN` key.
The escape common name info in the issuer part is formatted as below:
```text
CN=Simple Signing CA 2
@@ -646,11 +651,11 @@ CN=Simple Signing CA 2
##### `info.issuer.serialNumber`
Set the `info.issuer.serialNumber` option to true to add the `serialNumber` information into the issuer.
The data are taken from the issuer part with the `SN` key.
Set the `info.issuer.serialNumber` option to `true` to add the `serialNumber` information into the issuer.
The escape serial number info in the issuer part will be like :
The data is taken from the issuer part with the `SN` key.
The escape serial number info in the issuer part is formatted as below:
```text
SN=1234567890
@@ -658,11 +663,11 @@ SN=1234567890
##### `info.issuer.domainComponent`
Set the `info.issuer.domainComponent` option to true to add the `domainComponent` information into the issuer.
The data are taken from the issuer part with the `DC` key.
Set the `info.issuer.domainComponent` option to `true` to add the `domainComponent` information into the issuer.
The escape domain component info in the issuer part will be like :
The data is taken from the issuer part with the `DC` key.
The escape domain component info in the issuer part is formatted as below:
```text
DC=org,DC=cheese

228
docs/content/middlewares/ratelimit.md → docs/content/middlewares/http/ratelimit.md
View File

@@ -3,7 +3,7 @@
To Control the Number of Requests Going to a Service
{: .subtitle }
The RateLimit middleware ensures that services will receive a _fair_ number of requests, and allows one to define what fair is.
The RateLimit middleware ensures that services will receive a _fair_ amount of requests, and allows one to define what fair is.
## Configuration Example
@@ -50,15 +50,6 @@ labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=50"
```
```toml tab="File (TOML)"
# Here, an average of 100 requests per second is allowed.
# In addition, a burst of 50 requests is allowed.
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
average = 100
burst = 50
```
```yaml tab="File (YAML)"
# Here, an average of 100 requests per second is allowed.
# In addition, a burst of 50 requests is allowed.
@@ -70,11 +61,20 @@ http:
burst: 50
```
```toml tab="File (TOML)"
# Here, an average of 100 requests per second is allowed.
# In addition, a burst of 50 requests is allowed.
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
average = 100
burst = 50
```
## Configuration Options
### `average`
`average` is the maximum rate, by default in requests by second, allowed for the given source.
`average` is the maximum rate, by default in requests per second, allowed from a given source.
It defaults to `0`, which means no rate limiting.
@@ -114,13 +114,6 @@ labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
```
```toml tab="File (TOML)"
# 100 reqs/s
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
average = 100
```
```yaml tab="File (YAML)"
# 100 reqs/s
http:
@@ -130,6 +123,13 @@ http:
average: 100
```
```toml tab="File (TOML)"
# 100 reqs/s
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
average = 100
```
### `period`
`period`, in combination with `average`, defines the actual maximum rate, such as:
@@ -179,14 +179,6 @@ labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.period=1m"
```
```toml tab="File (TOML)"
# 6 reqs/minute
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
average = 6
period = 1m
```
```yaml tab="File (YAML)"
# 6 reqs/minute
http:
@@ -197,6 +189,14 @@ http:
period: 1m
```
```toml tab="File (TOML)"
# 6 reqs/minute
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
average = 6
period = "1m"
```
### `burst`
`burst` is the maximum number of requests allowed to go through in the same arbitrarily small period of time.
@@ -219,7 +219,7 @@ spec:
```
```yaml tab="Consul Catalog"
- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"
- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"
```
```json tab="Marathon"
@@ -230,13 +230,7 @@ spec:
```yaml tab="Rancher"
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
burst = 100
- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"
```
```yaml tab="File (YAML)"
@@ -247,26 +241,32 @@ http:
burst: 100
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
burst = 100
```
### `sourceCriterion`
SourceCriterion defines what criterion is used to group requests as originating from a common source.
The `sourceCriterion` option defines what criterion is used to group requests as originating from a common source.
The precedence order is `ipStrategy`, then `requestHeaderName`, then `requestHost`.
If none are set, the default is to use the request's remote address field (as an `ipStrategy`).
#### `sourceCriterion.ipStrategy`
The `ipStrategy` option defines two parameters that sets how Traefik will determine the client IP: `depth`, and `excludedIPs`.
The `ipStrategy` option defines two parameters that configures how Traefik determines the client IP: `depth`, and `excludedIPs`.
##### `ipStrategy.depth`
The `depth` option tells Traefik to use the `X-Forwarded-For` header and take the IP located at the `depth` position (starting from the right).
The `depth` option tells Traefik to use the `X-Forwarded-For` header and select the IP located at the `depth` position (starting from the right).
- If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
- `depth` is ignored if its value is lesser than or equal to 0.
- If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP is empty.
- `depth` is ignored if its value is less than or equal to 0.
!!! example "Example of Depth & X-Forwarded-For"
If `depth` was equal to 2, and the request `X-Forwarded-For` header was `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP would be `"10.0.0.1"` (at depth 4) but the IP used as the criterion would be `"12.0.0.1"` (`depth=2`).
If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used as the criterion is `"12.0.0.1"` (`depth=2`).
| `X-Forwarded-For` | `depth` | clientIP |
|-----------------------------------------|---------|--------------|
@@ -274,8 +274,98 @@ The `depth` option tells Traefik to use the `X-Forwarded-For` header and take th
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3` | `"11.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5` | `""` |
```yaml tab="Docker"
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.depth=2"
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-ratelimit
spec:
rateLimit:
sourceCriterion:
ipStrategy:
depth: 2
```
```yaml tab="Consul Catalog"
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.depth=2"
```
```json tab="Marathon"
"labels": {
"traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.depth": "2"
}
```
```yaml tab="Rancher"
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.depth=2"
```
```yaml tab="File (YAML)"
http:
middlewares:
test-ratelimit:
rateLimit:
sourceCriterion:
ipStrategy:
depth: 2
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
[http.middlewares.test-ratelimit.rateLimit.sourceCriterion.ipStrategy]
depth = 2
```
##### `ipStrategy.excludedIPs`
!!! important "Contrary to what the name might suggest, this option is _not_ about excluding an IP from the rate limiter, and therefore cannot be used to deactivate rate limiting for some IPs."
!!! important "If `depth` is specified, `excludedIPs` is ignored."
`excludedIPs` is meant to address two classes of somewhat distinct use-cases:
1. Distinguish IPs which are behind the same (set of) reverse-proxies so that each of them contributes, independently to the others,
to its own rate-limit "bucket" (cf the [leaky bucket analogy](https://wikipedia.org/wiki/Leaky_bucket)).
In this case, `excludedIPs` should be set to match the list of `X-Forwarded-For IPs` that are to be excluded,
in order to find the actual clientIP.
!!! example "Each IP as a distinct source"
| X-Forwarded-For | excludedIPs | clientIP |
|--------------------------------|-----------------------|--------------|
| `"10.0.0.1,11.0.0.1,12.0.0.1"` | `"11.0.0.1,12.0.0.1"` | `"10.0.0.1"` |
| `"10.0.0.2,11.0.0.1,12.0.0.1"` | `"11.0.0.1,12.0.0.1"` | `"10.0.0.2"` |
2. Group together a set of IPs (also behind a common set of reverse-proxies) so that they are considered the same source,
and all contribute to the same rate-limit bucket.
!!! example "Group IPs together as same source"
| X-Forwarded-For | excludedIPs | clientIP |
|--------------------------------|--------------|--------------|
| `"10.0.0.1,11.0.0.1,12.0.0.1"` | `"12.0.0.1"` | `"11.0.0.1"` |
| `"10.0.0.2,11.0.0.1,12.0.0.1"` | `"12.0.0.1"` | `"11.0.0.1"` |
| `"10.0.0.3,11.0.0.1,12.0.0.1"` | `"12.0.0.1"` | `"11.0.0.1"` |
For completeness, below are additional examples to illustrate how the matching works.
For a given request the list of `X-Forwarded-For` IPs is checked from most recent to most distant against the `excludedIPs` pool,
and the first IP that is _not_ in the pool (if any) is returned.
!!! example "Matching for clientIP"
| X-Forwarded-For | excludedIPs | clientIP |
|--------------------------------|-----------------------|--------------|
| `"10.0.0.1,11.0.0.1,13.0.0.1"` | `"11.0.0.1"` | `"13.0.0.1"` |
| `"10.0.0.1,11.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
| `"10.0.0.1,11.0.0.1"` | `"10.0.0.1,11.0.0.1"` | `""` |
```yaml tab="Docker"
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
@@ -310,13 +400,6 @@ labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
[http.middlewares.test-ratelimit.rateLimit.sourceCriterion.ipStrategy]
excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
```
```yaml tab="File (YAML)"
http:
middlewares:
@@ -329,23 +412,16 @@ http:
- "192.168.1.7"
```
`excludedIPs` tells Traefik to scan the `X-Forwarded-For` header and pick the first IP not in the list.
!!! important "If `depth` is specified, `excludedIPs` is ignored."
!!! example "Example of ExcludedIPs & X-Forwarded-For"
| `X-Forwarded-For` | `excludedIPs` | clientIP |
|-----------------------------------------|-----------------------|--------------|
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
| `"10.0.0.1,11.0.0.1"` | `"10.0.0.1,11.0.0.1"` | `""` |
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
[http.middlewares.test-ratelimit.rateLimit.sourceCriterion.ipStrategy]
excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
```
#### `sourceCriterion.requestHeaderName`
Requests having the same value for the given header are grouped as coming from the same source.
Name of the header used to group incoming requests.
```yaml tab="Docker"
labels:
@@ -378,13 +454,6 @@ labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
[http.middlewares.test-ratelimit.rateLimit.sourceCriterion]
requestHeaderName = "username"
```
```yaml tab="File (YAML)"
http:
middlewares:
@@ -394,6 +463,13 @@ http:
requestHeaderName: username
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
[http.middlewares.test-ratelimit.rateLimit.sourceCriterion]
requestHeaderName = "username"
```
#### `sourceCriterion.requestHost`
Whether to consider the request host as the source.
@@ -429,13 +505,6 @@ labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
[http.middlewares.test-ratelimit.rateLimit.sourceCriterion]
requestHost = true
```
```yaml tab="File (YAML)"
http:
middlewares:
@@ -444,3 +513,10 @@ http:
sourceCriterion:
requestHost: true
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
[http.middlewares.test-ratelimit.rateLimit.sourceCriterion]
requestHost = true
```

34
docs/content/middlewares/redirectregex.md → docs/content/middlewares/http/redirectregex.md
View File

@@ -7,7 +7,7 @@ Redirecting the Client to a Different Location
TODO: add schema
-->
RegexRedirect redirect a request from an url to another with regex matching and replacement.
The RedirectRegex redirects a request using regex matching and replacement.
## Configuration Examples
@@ -53,14 +53,6 @@ labels:
- "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$${1}"
```
```toml tab="File (TOML)"
# Redirect with domain replacement
[http.middlewares]
[http.middlewares.test-redirectregex.redirectRegex]
regex = "^http://localhost/(.*)"
replacement = "http://mydomain/${1}"
```
```yaml tab="File (YAML)"
# Redirect with domain replacement
http:
@@ -71,8 +63,20 @@ http:
replacement: "http://mydomain/${1}"
```
```toml tab="File (TOML)"
# Redirect with domain replacement
[http.middlewares]
[http.middlewares.test-redirectregex.redirectRegex]
regex = "^http://localhost/(.*)"
replacement = "http://mydomain/${1}"
```
## Configuration Options
!!! tip
Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
### `permanent`
Set the `permanent` option to `true` to apply a permanent redirection.
@@ -81,14 +85,10 @@ Set the `permanent` option to `true` to apply a permanent redirection.
The `regex` option is the regular expression to match and capture elements from the request URL.
!!! warning
Care should be taken when defining replacement expand variables: `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax.
!!! tip
Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
### `replacement`
The `replacement` option defines how to modify the URL to have the new target URL.
!!! warning
Care should be taken when defining replacement expand variables: `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax.

68
docs/content/middlewares/redirectscheme.md → docs/content/middlewares/http/redirectscheme.md
View File

@@ -7,7 +7,7 @@ Redirecting the Client to a Different Scheme/Port
TODO: add schema
-->
RedirectScheme redirect request from a scheme to another.
RedirectScheme redirects requests from a scheme/port to another.
## Configuration Examples
@@ -51,14 +51,6 @@ labels:
- "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
```
```toml tab="File (TOML)"
# Redirect to https
[http.middlewares]
[http.middlewares.test-redirectscheme.redirectScheme]
scheme = "https"
permanent = true
```
```yaml tab="File (YAML)"
# Redirect to https
http:
@@ -69,6 +61,14 @@ http:
permanent: true
```
```toml tab="File (TOML)"
# Redirect to https
[http.middlewares]
[http.middlewares.test-redirectscheme.redirectScheme]
scheme = "https"
permanent = true
```
## Configuration Options
### `permanent`
@@ -115,14 +115,6 @@ labels:
- "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
```
```toml tab="File (TOML)"
# Redirect to https
[http.middlewares]
[http.middlewares.test-redirectscheme.redirectScheme]
# ...
permanent = true
```
```yaml tab="File (YAML)"
# Redirect to https
http:
@@ -133,9 +125,17 @@ http:
permanent: true
```
```toml tab="File (TOML)"
# Redirect to https
[http.middlewares]
[http.middlewares.test-redirectscheme.redirectScheme]
# ...
permanent = true
```
### `scheme`
The `scheme` option defines the scheme of the new url.
The `scheme` option defines the scheme of the new URL.
```yaml tab="Docker"
# Redirect to https
@@ -172,13 +172,6 @@ labels:
- "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
```
```toml tab="File (TOML)"
# Redirect to https
[http.middlewares]
[http.middlewares.test-redirectscheme.redirectScheme]
scheme = "https"
```
```yaml tab="File (YAML)"
# Redirect to https
http:
@@ -188,9 +181,16 @@ http:
scheme: https
```
```toml tab="File (TOML)"
# Redirect to https
[http.middlewares]
[http.middlewares.test-redirectscheme.redirectScheme]
scheme = "https"
```
### `port`
The `port` option defines the port of the new url.
The `port` option defines the port of the new URL.
```yaml tab="Docker"
# Redirect to https
@@ -232,14 +232,6 @@ labels:
- "traefik.http.middlewares.test-redirectscheme.redirectscheme.port=443"
```
```toml tab="File (TOML)"
# Redirect to https
[http.middlewares]
[http.middlewares.test-redirectscheme.redirectScheme]
# ...
port = 443
```
```yaml tab="File (YAML)"
# Redirect to https
http:
@@ -250,4 +242,12 @@ http:
port: "443"
```
```toml tab="File (TOML)"
# Redirect to https
[http.middlewares]
[http.middlewares.test-redirectscheme.redirectScheme]
# ...
port = 443
```
!!! info "Port in this configuration is a string, not a numeric value."

30
docs/content/middlewares/replacepath.md → docs/content/middlewares/http/replacepath.md
View File

@@ -7,18 +7,18 @@ Updating the Path Before Forwarding the Request
TODO: add schema
-->
Replace the path of the request url.
Replace the path of the request URL.
## Configuration Examples
```yaml tab="Docker"
# Replace the path by /foo
# Replace the path with /foo
labels:
- "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
```
```yaml tab="Kubernetes"
# Replace the path by /foo
# Replace the path with /foo
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
@@ -29,7 +29,7 @@ spec:
```
```yaml tab="Consul Catalog"
# Replace the path by /foo
# Replace the path with /foo
- "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
```
@@ -40,20 +40,13 @@ spec:
```
```yaml tab="Rancher"
# Replace the path by /foo
# Replace the path with /foo
labels:
- "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
```
```toml tab="File (TOML)"
# Replace the path by /foo
[http.middlewares]
[http.middlewares.test-replacepath.replacePath]
path = "/foo"
```
```yaml tab="File (YAML)"
# Replace the path by /foo
# Replace the path with /foo
http:
middlewares:
test-replacepath:
@@ -61,15 +54,22 @@ http:
path: "/foo"
```
```toml tab="File (TOML)"
# Replace the path with /foo
[http.middlewares]
[http.middlewares.test-replacepath.replacePath]
path = "/foo"
```
## Configuration Options
### General
The ReplacePath middleware will:
- replace the actual path by the specified one.
- replace the actual path with the specified one.
- store the original path in a `X-Replaced-Path` header.
### `path`
The `path` option defines the path to use as replacement in the request url.
The `path` option defines the path to use as replacement in the request URL.

38
docs/content/middlewares/replacepathregex.md → docs/content/middlewares/http/replacepathregex.md
View File

@@ -7,7 +7,7 @@ Updating the Path Before Forwarding the Request (Using a Regex)
TODO: add schema
-->
The ReplaceRegex replace a path from an url to another with regex matching and replacement.
The ReplaceRegex replaces the path of a URL using regex matching and replacement.
## Configuration Examples
@@ -50,16 +50,8 @@ labels:
- "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement=/bar/$1"
```
```toml tab="File (TOML)"
# Redirect with domain replacement
[http.middlewares]
[http.middlewares.test-replacepathregex.replacePathRegex]
regex = "^/foo/(.*)"
replacement = "/bar/$1"
```
```yaml tab="File (YAML)"
# Redirect with domain replacement
# Replace path with regex
http:
middlewares:
test-replacepathregex:
@@ -68,27 +60,35 @@ http:
replacement: "/bar/$1"
```
```toml tab="File (TOML)"
# Replace path with regex
[http.middlewares]
[http.middlewares.test-replacepathregex.replacePathRegex]
regex = "^/foo/(.*)"
replacement = "/bar/$1"
```
## Configuration Options
### General
The ReplacePathRegex middleware will:
- replace the matching path by the specified one.
- replace the matching path with the specified one.
- store the original path in a `X-Replaced-Path` header.
!!! tip
Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or [Regex101](https://regex101.com/r/58sIgx/2).
### `regex`
The `regex` option is the regular expression to match and capture the path from the request URL.
### `replacement`
The `replacement` option defines the replacement path format, which can include captured variables.
!!! warning
Care should be taken when defining replacement expand variables: `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax.
!!! tip
Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
### `replacement`
The `replacement` option defines how to modify the path to have the new target path.

37
docs/content/middlewares/retry.md → docs/content/middlewares/http/retry.md
View File

@@ -7,21 +7,21 @@ Retrying until it Succeeds
TODO: add schema
-->
The Retry middleware is in charge of reissuing a request a given number of times to a backend server if that server does not reply.
To be clear, as soon as the server answers, the middleware stops retrying, regardless of the response status.
The Retry middleware has an optional configuration for exponential backoff.
The Retry middleware reissues requests a given number of times to a backend server if that server does not reply.
As soon as the server answers, the middleware stops retrying, regardless of the response status.
The Retry middleware has an optional configuration to enable an exponential backoff.
## Configuration Examples
```yaml tab="Docker"
# Retry to send request 4 times with exponential backoff
# Retry 4 times with exponential backoff
labels:
- "traefik.http.middlewares.test-retry.retry.attempts=4"
- "traefik.http.middlewares.test-retry.retry.initialinterval=100ms"
```
```yaml tab="Kubernetes"
# Retry to send request 4 times with exponential backoff
# Retry 4 times with exponential backoff
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
@@ -33,7 +33,7 @@ spec:
```
```yaml tab="Consul Catalog"
# Retry to send request 4 times with exponential backoff
# Retry 4 times with exponential backoff
- "traefik.http.middlewares.test-retry.retry.attempts=4"
- "traefik.http.middlewares.test-retry.retry.initialinterval=100ms"
```
@@ -46,22 +46,14 @@ spec:
```
```yaml tab="Rancher"
# Retry to send request 4 times with exponential backoff
# Retry 4 times with exponential backoff
labels:
- "traefik.http.middlewares.test-retry.retry.attempts=4"
- "traefik.http.middlewares.test-retry.retry.initialinterval=100ms"
```
```toml tab="File (TOML)"
# Retry to send request 4 times
[http.middlewares]
[http.middlewares.test-retry.retry]
attempts = 4
initialInterval = "100ms"
```
```yaml tab="File (YAML)"
# Retry to send request 4 times with exponential backoff
# Retry 4 times with exponential backoff
http:
middlewares:
test-retry:
@@ -70,6 +62,14 @@ http:
initialInterval: 100ms
```
```toml tab="File (TOML)"
# Retry 4 times with exponential backoff
[http.middlewares]
[http.middlewares.test-retry.retry]
attempts = 4
initialInterval = "100ms"
```
## Configuration Options
### `attempts`
@@ -80,4 +80,7 @@ The `attempts` option defines how many times the request should be retried.
### `initialInterval`
The `initialInterval` option defines the first wait time in the exponential backoff series (provided in seconds or as a valid duration format, see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration)). The maximum interval is calculated as twice the `initialInterval`. If unspecified, requests will be retried immediately.
The `initialInterval` option defines the first wait time in the exponential backoff series. The maximum interval is
calculated as twice the `initialInterval`. If unspecified, requests will be retried immediately.
The value of initialInterval should be provided in seconds or as a valid duration format, see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).

105
docs/content/middlewares/stripprefix.md → docs/content/middlewares/http/stripprefix.md
View File

@@ -47,13 +47,6 @@ labels:
- "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/foobar,/fiibar"
```
```toml tab="File (TOML)"
# Strip prefix /foobar and /fiibar
[http.middlewares]
[http.middlewares.test-stripprefix.stripPrefix]
prefixes = ["/foobar", "/fiibar"]
```
```yaml tab="File (YAML)"
# Strip prefix /foobar and /fiibar
http:
@@ -65,36 +58,66 @@ http:
- "/fiibar"
```
```toml tab="File (TOML)"
# Strip prefix /foobar and /fiibar
[http.middlewares]
[http.middlewares.test-stripprefix.stripPrefix]
prefixes = ["/foobar", "/fiibar"]
```
## Configuration Options
### General
The StripPrefix middleware will:
- strip the matching path prefix.
- store the matching path prefix in a `X-Forwarded-Prefix` header.
The StripPrefix middleware strips the matching path prefix and stores it in a `X-Forwarded-Prefix` header.
!!! tip
Use a `StripPrefix` middleware if your backend listens on the root path (`/`) but should be routeable on a specific prefix.
Use a `StripPrefix` middleware if your backend listens on the root path (`/`) but should be exposed on a specific prefix.
### `prefixes`
The `prefixes` option defines the prefixes to strip from the request URL.
For instance, `/products` would match `/products` but also `/products/shoes` and `/products/shirts`.
For instance, `/products` also matches `/products/shoes` and `/products/shirts`.
Since the path is stripped prior to forwarding, your backend is expected to listen on `/`.
If your backend is serving assets (e.g., images or Javascript files), chances are it must return properly constructed relative URLs.
Continuing on the example, the backend should return `/products/shoes/image.png` (and not `/images.png` which Traefik would likely not be able to associate with the same backend).
The `X-Forwarded-Prefix` header can be queried to build such URLs dynamically.
If your backend is serving assets (e.g., images or JavaScript files), it can use the `X-Forwarded-Prefix` header to properly construct relative URLs.
Using the previous example, the backend should return `/products/shoes/image.png` (and not `/images.png`, which Traefik would likely not be able to associate with the same backend).
### `forceSlash`
_Optional, Default=true_
The `forceSlash` option ensures the resulting stripped path is not the empty string, by replacing it with `/` when necessary.
This option was added to keep the initial (non-intuitive) behavior of this middleware, in order to avoid introducing a breaking change.
It is recommended to explicitly set `forceSlash` to `false`.
??? info "Behavior examples"
- `forceSlash=true`
| Path | Prefix to strip | Result |
|------------|-----------------|--------|
| `/` | `/` | `/` |
| `/foo` | `/foo` | `/` |
| `/foo/` | `/foo` | `/` |
| `/foo/` | `/foo/` | `/` |
| `/bar` | `/foo` | `/bar` |
| `/foo/bar` | `/foo` | `/bar` |
- `forceSlash=false`
| Path | Prefix to strip | Result |
|------------|-----------------|--------|
| `/` | `/` | empty |
| `/foo` | `/foo` | empty |
| `/foo/` | `/foo` | `/` |
| `/foo/` | `/foo/` | empty |
| `/bar` | `/foo` | `/bar` |
| `/foo/bar` | `/foo` | `/bar` |
```yaml tab="Docker"
labels:
- "traefik.http.middlewares.example.stripprefix.prefixes=/foobar"
@@ -126,13 +149,6 @@ labels:
- "traefik.http.middlewares.example.stripprefix.forceSlash=false"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.example.stripPrefix]
prefixes = ["/foobar"]
forceSlash = false
```
```yaml tab="File (YAML)"
http:
middlewares:
@@ -143,32 +159,9 @@ http:
forceSlash: false
```
The `forceSlash` option makes sure that the resulting stripped path is not the empty string, by replacing it with `/` when necessary.
This option was added to keep the initial (non-intuitive) behavior of this middleware, in order to avoid introducing a breaking change.
It's recommended to explicitly set `forceSlash` to `false`.
??? info "Behavior examples"
- `forceSlash=true`
| Path | Prefix to strip | Result |
|------------|-----------------|--------|
| `/` | `/` | `/` |
| `/foo` | `/foo` | `/` |
| `/foo/` | `/foo` | `/` |
| `/foo/` | `/foo/` | `/` |
| `/bar` | `/foo` | `/bar` |
| `/foo/bar` | `/foo` | `/bar` |
- `forceSlash=false`
| Path | Prefix to strip | Result |
|------------|-----------------|--------|
| `/` | `/` | empty |
| `/foo` | `/foo` | empty |
| `/foo/` | `/foo` | `/` |
| `/foo/` | `/foo/` | empty |
| `/bar` | `/foo` | `/bar` |
| `/foo/bar` | `/foo` | `/bar` |
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.example.stripPrefix]
prefixes = ["/foobar"]
forceSlash = false
```

32
docs/content/middlewares/stripprefixregex.md → docs/content/middlewares/http/stripprefixregex.md
View File

@@ -38,12 +38,6 @@ labels:
- "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex=/foo/[a-z0-9]+/[0-9]+/"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-stripprefixregex.stripPrefixRegex]
regex = ["/foo/[a-z0-9]+/[0-9]+/"]
```
```yaml tab="File (YAML)"
http:
middlewares:
@@ -53,18 +47,21 @@ http:
- "/foo/[a-z0-9]+/[0-9]+/"
```
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-stripprefixregex.stripPrefixRegex]
regex = ["/foo/[a-z0-9]+/[0-9]+/"]
```
## Configuration Options
### General
The StripPrefixRegex middleware will:
- strip the matching path prefix.
- store the matching path prefix in a `X-Forwarded-Prefix` header.
The StripPrefixRegex middleware strips the matching path prefix and stores it in a `X-Forwarded-Prefix` header.
!!! tip
Use a `stripPrefixRegex` middleware if your backend listens on the root path (`/`) but should be routeable on a specific prefix.
Use a `stripPrefixRegex` middleware if your backend listens on the root path (`/`) but should be exposed on a specific prefix.
### `regex`
@@ -74,12 +71,7 @@ The `regex` option is the regular expression to match the path prefix from the r
Regular expressions can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
For instance, `/products` would match `/products` but also `/products/shoes` and `/products/shirts`.
For instance, `/products` also matches `/products/shoes` and `/products/shirts`.
Since the path is stripped prior to forwarding, your backend is expected to listen on `/`.
If your backend is serving assets (e.g., images or Javascript files), chances are it must return properly constructed relative URLs.
Continuing on the example, the backend should return `/products/shoes/image.png` (and not `/images.png` which Traefik would likely not be able to associate with the same backend).
The `X-Forwarded-Prefix` header can be queried to build such URLs dynamically.
If your backend is serving assets (e.g., images or JavaScript files), it can use the `X-Forwarded-Prefix` header to properly construct relative URLs.
Using the previous example, the backend should return `/products/shoes/image.png` (and not `/images.png`, which Traefik would likely not be able to associate with the same backend).

84
docs/content/middlewares/overview.md
View File

@@ -9,11 +9,11 @@ Attached to the routers, pieces of middleware are a means of tweaking the reques
There are several available middleware in Traefik, some can modify the request, the headers, some are in charge of redirections, some add authentication, and so on.
Pieces of middleware can be combined in chains to fit every scenario.
Middlewares that use the same protocol can be combined into chains to fit every scenario.
!!! warning "Provider Namespace"
Be aware of the concept of Providers Namespace described in the [Configuration Discovery](../providers/overview.md#provider-namespace) section.
Be aware of the concept of Providers Namespace described in the [Configuration Discovery](../providers/overview.md#provider-namespace) section.
It also applies to Middlewares.
## Configuration Example
@@ -31,20 +31,6 @@ whoami:
```
```yaml tab="Kubernetes IngressRoute"
# As a Kubernetes Traefik IngressRoute
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: middlewares.traefik.containo.us
spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: Middleware
plural: middlewares
singular: middleware
scope: Namespaced
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
@@ -91,26 +77,6 @@ labels:
- "traefik.http.routers.router1.middlewares=foo-add-prefix@rancher"
```
```toml tab="File (TOML)"
# As TOML Configuration File
[http.routers]
[http.routers.router1]
service = "myService"
middlewares = ["foo-add-prefix"]
rule = "Host(`example.com`)"
[http.middlewares]
[http.middlewares.foo-add-prefix.addPrefix]
prefix = "/foo"
[http.services]
[http.services.service1]
[http.services.service1.loadBalancer]
[[http.services.service1.loadBalancer.servers]]
url = "http://127.0.0.1:80"
```
```yaml tab="File (YAML)"
# As YAML Configuration File
http:
@@ -133,28 +99,28 @@ http:
- url: "http://127.0.0.1:80"
```
```toml tab="File (TOML)"
# As TOML Configuration File
[http.routers]
[http.routers.router1]
service = "myService"
middlewares = ["foo-add-prefix"]
rule = "Host(`example.com`)"
[http.middlewares]
[http.middlewares.foo-add-prefix.addPrefix]
prefix = "/foo"
[http.services]
[http.services.service1]
[http.services.service1.loadBalancer]
[[http.services.service1.loadBalancer.servers]]
url = "http://127.0.0.1:80"
```
## Available Middlewares
| Middleware | Purpose | Area |
|-------------------------------------------|---------------------------------------------------|-----------------------------|
| [AddPrefix](addprefix.md) | Add a Path Prefix | Path Modifier |
| [BasicAuth](basicauth.md) | Basic auth mechanism | Security, Authentication |
| [Buffering](buffering.md) | Buffers the request/response | Request Lifecycle |
| [Chain](chain.md) | Combine multiple pieces of middleware | Middleware tool |
| [CircuitBreaker](circuitbreaker.md) | Stop calling unhealthy services | Request Lifecycle |
| [Compress](compress.md) | Compress the response | Content Modifier |
| [DigestAuth](digestauth.md) | Adds Digest Authentication | Security, Authentication |
| [Errors](errorpages.md) | Define custom error pages | Request Lifecycle |
| [ForwardAuth](forwardauth.md) | Authentication delegation | Security, Authentication |
| [Headers](headers.md) | Add / Update headers | Security |
| [IPWhiteList](ipwhitelist.md) | Limit the allowed client IPs | Security, Request lifecycle |
| [InFlightReq](inflightreq.md) | Limit the number of simultaneous connections | Security, Request lifecycle |
| [PassTLSClientCert](passtlsclientcert.md) | Adding Client Certificates in a Header | Security |
| [RateLimit](ratelimit.md) | Limit the call frequency | Security, Request lifecycle |
| [RedirectScheme](redirectscheme.md) | Redirect easily the client elsewhere | Request lifecycle |
| [RedirectRegex](redirectregex.md) | Redirect the client elsewhere | Request lifecycle |
| [ReplacePath](replacepath.md) | Change the path of the request | Path Modifier |
| [ReplacePathRegex](replacepathregex.md) | Change the path of the request | Path Modifier |
| [Retry](retry.md) | Automatically retry the request in case of errors | Request lifecycle |
| [StripPrefix](stripprefix.md) | Change the path of the request | Path Modifier |
| [StripPrefixRegex](stripprefixregex.md) | Change the path of the request | Path Modifier |
A list of HTTP middlewares can be found [here](http/overview.md).
A list of TCP middlewares can be found [here](tcp/overview.md).

67
docs/content/middlewares/tcp/ipwhitelist.md Normal file
View File

@@ -0,0 +1,67 @@
# IPWhiteList
Limiting Clients to Specific IPs
{: .subtitle }
IPWhitelist accepts / refuses connections based on the client IP.
## Configuration Examples
```yaml tab="Docker"
# Accepts connections from defined IP
labels:
- "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
```
```yaml tab="Kubernetes"
apiVersion: traefik.containo.us/v1alpha1
kind: MiddlewareTCP
metadata:
name: test-ipwhitelist
spec:
ipWhiteList:
sourceRange:
- 127.0.0.1/32
- 192.168.1.7
```
```yaml tab="Consul Catalog"
# Accepts request from defined IP
- "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
```
```json tab="Marathon"
"labels": {
"traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange": "127.0.0.1/32,192.168.1.7"
}
```
```yaml tab="Rancher"
# Accepts request from defined IP
labels:
- "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
```
```toml tab="File (TOML)"
# Accepts request from defined IP
[tcp.middlewares]
[tcp.middlewares.test-ipwhitelist.ipWhiteList]
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
```
```yaml tab="File (YAML)"
# Accepts request from defined IP
http:
middlewares:
test-ipwhitelist:
ipWhiteList:
sourceRange:
- "127.0.0.1/32"
- "192.168.1.7"
```
## Configuration Options
### `sourceRange`
The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs by using CIDR notation).

134
docs/content/middlewares/tcp/overview.md Normal file
View File

@@ -0,0 +1,134 @@
# TCP Middlewares
Controlling connections
{: .subtitle }
![Overview](../../assets/img/middleware/overview.png)
## Configuration Example
```yaml tab="Docker"
# As a Docker Label
whoami:
# A container that exposes an API to show its IP address
image: traefik/whoami
labels:
# Create a middleware named `foo-ip-whitelist`
- "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
# Apply the middleware named `foo-ip-whitelist` to the router named `router1`
- "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@docker"
```
```yaml tab="Kubernetes IngressRoute"
# As a Kubernetes Traefik IngressRoute
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: middlewaretcps.traefik.containo.us
spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: MiddlewareTCP
plural: middlewaretcps
singular: middlewaretcp
scope: Namespaced
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: foo-ip-whitelist
spec:
ipWhiteList:
sourcerange:
- 127.0.0.1/32
- 192.168.1.7
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: ingressroute
spec:
# more fields...
routes:
# more fields...
middlewares:
- name: foo-ip-whitelist
```
```yaml tab="Consul Catalog"
# Create a middleware named `foo-ip-whitelist`
- "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
# Apply the middleware named `foo-ip-whitelist` to the router named `router1`
- "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@consulcatalog"
```
```json tab="Marathon"
"labels": {
"traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7",
"traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@marathon"
}
```
```yaml tab="Rancher"
# As a Rancher Label
labels:
# Create a middleware named `foo-ip-whitelist`
- "traefik.tcp.middlewares.foo-ip-whitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
# Apply the middleware named `foo-ip-whitelist` to the router named `router1`
- "traefik.tcp.routers.router1.middlewares=foo-ip-whitelist@rancher"
```
```toml tab="File (TOML)"
# As TOML Configuration File
[tcp.routers]
[tcp.routers.router1]
service = "myService"
middlewares = ["foo-ip-whitelist"]
rule = "Host(`example.com`)"
[tcp.middlewares]
[tcp.middlewares.foo-ip-whitelist.ipWhiteList]
sourceRange = ["127.0.0.1/32", "192.168.1.7"]
[tcp.services]
[tcp.services.service1]
[tcp.services.service1.loadBalancer]
[[tcp.services.service1.loadBalancer.servers]]
address = "10.0.0.10:4000"
[[tcp.services.service1.loadBalancer.servers]]
address = "10.0.0.11:4000"
```
```yaml tab="File (YAML)"
# As YAML Configuration File
tcp:
routers:
router1:
service: myService
middlewares:
- "foo-ip-whitelist"
rule: "Host(`example.com`)"
middlewares:
foo-ip-whitelist:
ipWhiteList:
sourceRange:
- "127.0.0.1/32"
- "192.168.1.7"
services:
service1:
loadBalancer:
servers:
- address: "10.0.0.10:4000"
- address: "10.0.0.11:4000"
```
## Available TCP Middlewares
| Middleware | Purpose | Area |
|-------------------------------------------|---------------------------------------------------|-----------------------------|
| [IPWhiteList](ipwhitelist.md) | Limit the allowed client IPs | Security, Request lifecycle |

536
docs/content/migration/v1-to-v2.md
View File

@@ -68,27 +68,27 @@ Then any router can refer to an instance of the wanted middleware.
[frontends.frontend1]
entryPoints = ["http"]
backend = "backend1"
[frontends.frontend1.routes]
[frontends.frontend1.routes.route0]
rule = "Host:test.localhost"
[frontends.frontend1.routes.route0]
rule = "PathPrefix:/test"
[frontends.frontend1.auth]
[frontends.frontend1.auth.basic]
users = [
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
]
[backends]
[backends.backend1]
[backends.backend1.servers.server0]
url = "http://10.10.10.1:80"
[backends.backend1.servers.server1]
url = "http://10.10.10.2:80"
[backends.backend1.loadBalancer]
method = "wrr"
```
@@ -110,19 +110,19 @@ Then any router can refer to an instance of the wanted middleware.
metadata:
name: basicauth
namespace: foo
spec:
basicAuth:
users:
- test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
- test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: ingressroutebar
spec:
entryPoints:
- http
@@ -139,27 +139,6 @@ Then any router can refer to an instance of the wanted middleware.
namespace: foo
```
```toml tab="File (TOML)"
[http.routers]
[http.routers.router0]
rule = "Host(`test.localhost`) && PathPrefix(`/test`)"
middlewares = ["auth"]
service = "my-service"
[http.services]
[[http.services.my-service.loadBalancer.servers]]
url = "http://10.10.10.1:80"
[[http.services.my-service.loadBalancer.servers]]
url = "http://10.10.10.2:80"
[http.middlewares]
[http.middlewares.auth.basicAuth]
users = [
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
]
```
```yaml tab="File (YAML)"
http:
routers:
@@ -168,14 +147,14 @@ Then any router can refer to an instance of the wanted middleware.
service: my-service
middlewares:
- auth
services:
my-service:
loadBalancer:
servers:
- url: http://10.10.10.1:80
- url: http://10.10.10.2:80
middlewares:
auth:
basicAuth:
@@ -184,6 +163,27 @@ Then any router can refer to an instance of the wanted middleware.
- "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
```
```toml tab="File (TOML)"
[http.routers]
[http.routers.router0]
rule = "Host(`test.localhost`) && PathPrefix(`/test`)"
middlewares = ["auth"]
service = "my-service"
[http.services]
[[http.services.my-service.loadBalancer.servers]]
url = "http://10.10.10.1:80"
[[http.services.my-service.loadBalancer.servers]]
url = "http://10.10.10.2:80"
[http.middlewares]
[http.middlewares.auth.basicAuth]
users = [
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
]
```
## TLS Configuration is Now Dynamic, per Router.
TLS parameters used to be specified in the static configuration, as an entryPoint field.
@@ -193,13 +193,13 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
!!! example "TLS on websecure entryPoint becomes TLS option on Router-1"
!!! info "v1"
```toml tab="File (TOML)"
# static configuration
[entryPoints]
[entryPoints.websecure]
address = ":443"
[entryPoints.websecure.tls]
minVersion = "VersionTLS12"
cipherSuites = [
@@ -221,33 +221,6 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
!!! info "v2"
```toml tab="File (TOML)"
# dynamic configuration
[http.routers]
[http.routers.Router-1]
rule = "Host(`example.com`)"
service = "service-id"
# will terminate the TLS request
[http.routers.Router-1.tls]
options = "myTLSOptions"
[[tls.certificates]]
certFile = "/path/to/domain.cert"
keyFile = "/path/to/domain.key"
[tls.options]
[tls.options.myTLSOptions]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
```
```yaml tab="File (YAML)"
http:
routers:
@@ -257,7 +230,7 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
# will terminate the TLS request
tls:
options: myTLSOptions
tls:
certificates:
- certFile: /path/to/domain.cert
@@ -273,6 +246,33 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
```
```toml tab="File (TOML)"
# dynamic configuration
[http.routers]
[http.routers.Router-1]
rule = "Host(`example.com`)"
service = "service-id"
# will terminate the TLS request
[http.routers.Router-1.tls]
options = "myTLSOptions"
[[tls.certificates]]
certFile = "/path/to/domain.cert"
keyFile = "/path/to/domain.key"
[tls.options]
[tls.options.myTLSOptions]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
```
```yaml tab="K8s IngressRoute"
# The definitions below require the definitions for the TLSOption and IngressRoute kinds.
# https://doc.traefik.io/traefik/v2.3/reference/dynamic-configuration/kubernetes-crd/#definitions
@@ -281,7 +281,7 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
metadata:
name: mytlsoption
namespace: default
spec:
minVersion: VersionTLS12
cipherSuites:
@@ -290,13 +290,13 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: ingressroutebar
spec:
entryPoints:
- web
@@ -322,21 +322,21 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
## HTTP to HTTPS Redirection is Now Configured on Routers
Previously on Traefik v1, the redirection was applied on an entry point or on a frontend.
With Traefik v2 it is applied on an entry point or a [Router](../routing/routers/index.md).
With Traefik v2 it is applied on an entry point or a [Router](../routing/routers/index.md).
To apply a redirection:
- on an entry point, the [HTTP redirection](../routing/entrypoints.md#redirection) has to be configured.
- on a router, one of the redirect middlewares, [RedirectRegex](../middlewares/redirectregex.md) or [RedirectScheme](../middlewares/redirectscheme.md), has to be configured and added to the router middlewares list.
- on a router, one of the redirect middlewares, [RedirectRegex](../middlewares/http/redirectregex.md) or [RedirectScheme](../middlewares/http/redirectscheme.md), has to be configured and added to the router middlewares list.
!!! example "Global HTTP to HTTPS redirection"
!!! info "v1"
```toml tab="File (TOML)"
# static configuration
defaultEntryPoints = ["web", "websecure"]
[entryPoints]
[entryPoints.web]
address = ":80"
@@ -354,35 +354,11 @@ To apply a redirection:
```
!!! info "v2"
```bash tab="CLI"
## static configuration
--entrypoints.web.address=:80
--entrypoints.web.http.redirections.entrypoint.to=websecure
--entrypoints.web.http.redirections.entrypoint.scheme=https
--entrypoints.websecure.address=:443
--providers.docker=true
```
```toml tab="File (TOML)"
# traefik.toml
## static configuration
[entryPoints.web]
address = ":80"
[entryPoints.web.http.redirections.entryPoint]
to = "websecure"
scheme = "https"
[entryPoints.websecure]
address = ":443"
```
```yaml tab="File (YAML)"
# traefik.yaml
# traefik.yml
## static configuration
entryPoints:
web:
address: ":80"
@@ -391,15 +367,39 @@ To apply a redirection:
entrypoint:
to: websecure
scheme: https
websecure:
address: ":443"
```
```toml tab="File (TOML)"
# traefik.toml
## static configuration
[entryPoints.web]
address = ":80"
[entryPoints.web.http.redirections.entryPoint]
to = "websecure"
scheme = "https"
[entryPoints.websecure]
address = ":443"
```
```bash tab="CLI"
## static configuration
--entrypoints.web.address=:80
--entrypoints.web.http.redirections.entrypoint.to=websecure
--entrypoints.web.http.redirections.entrypoint.scheme=https
--entrypoints.websecure.address=:443
--providers.docker=true
```
!!! example "HTTP to HTTPS redirection per domain"
!!! info "v1"
```toml tab="File (TOML)"
[entryPoints]
[entryPoints.web]
@@ -408,9 +408,9 @@ To apply a redirection:
[entryPoints.websecure]
address = ":443"
[entryPoints.websecure.tls]
[file]
[frontends]
[frontends.frontend1]
entryPoints = ["web", "websecure"]
@@ -428,11 +428,11 @@ To apply a redirection:
traefik.http.routers.app.rule: Host(`example.net`)
traefik.http.routers.app.entrypoints: web
traefik.http.routers.app.middlewares: https_redirect
traefik.http.routers.appsecured.rule: Host(`example.net`)
traefik.http.routers.appsecured.entrypoints: websecure
traefik.http.routers.appsecured.tls: true
traefik.http.middlewares.https_redirect.redirectscheme.scheme: https
traefik.http.middlewares.https_redirect.redirectscheme.permanent: true
```
@@ -441,8 +441,8 @@ To apply a redirection:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: http-redirect-ingressRoute
name: http-redirect-ingressroute
spec:
entryPoints:
- web
@@ -454,13 +454,13 @@ To apply a redirection:
port: 80
middlewares:
- name: https-redirect
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: https-ingressRoute
name: https-ingressroute
spec:
entryPoints:
- websecure
@@ -471,7 +471,7 @@ To apply a redirection:
- name: whoami
port: 80
tls: {}
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
@@ -483,33 +483,10 @@ To apply a redirection:
permanent: true
```
```toml tab="File (TOML)"
## dynamic configuration
# dynamic-conf.toml
[http.routers]
[http.routers.router0]
rule = "Host(`example.net`)"
service = "my-service"
entrypoints = ["web"]
middlewares = ["https_redirect"]
[http.routers.router1]
rule = "Host(`example.net`)"
service = "my-service"
entrypoints = ["websecure"]
[http.routers.router1.tls]
[http.middlewares]
[http.middlewares.https_redirect.redirectScheme]
scheme = "https"
permanent = true
```
```yaml tab="File (YAML)"
## dynamic configuration
# dynamic-conf.yml
http:
routers:
router0:
@@ -519,14 +496,14 @@ To apply a redirection:
middlewares:
- https_redirect
service: my-service
router1:
rule: "Host(`example.net`)"
entryPoints:
- websecure
service: my-service
tls: {}
middlewares:
https-redirect:
redirectScheme:
@@ -534,6 +511,29 @@ To apply a redirection:
permanent: true
```
```toml tab="File (TOML)"
## dynamic configuration
# dynamic-conf.toml
[http.routers]
[http.routers.router0]
rule = "Host(`example.net`)"
service = "my-service"
entrypoints = ["web"]
middlewares = ["https_redirect"]
[http.routers.router1]
rule = "Host(`example.net`)"
service = "my-service"
entrypoints = ["websecure"]
[http.routers.router1.tls]
[http.middlewares]
[http.middlewares.https_redirect.redirectScheme]
scheme = "https"
permanent = true
```
## Strip and Rewrite Path Prefixes
With the new core notions of v2 (introduced earlier in the section
@@ -545,7 +545,7 @@ Use Case: Incoming requests to `http://example.org/admin` are forwarded to the w
with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, you must:
- First, configure a router named `admin` with a rule matching at least the path prefix with the `PathPrefix` keyword,
- Then, define a middleware of type [`stripprefix`](../middlewares/stripprefix.md), which removes the prefix `/admin`, associated to the router `admin`.
- Then, define a middleware of type [`stripprefix`](../middlewares/http/stripprefix.md), which removes the prefix `/admin`, associated to the router `admin`.
!!! example "Strip Path Prefix When Forwarding to Backend"
@@ -595,7 +595,7 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: http-redirect-ingressRoute
name: http-redirect-ingressroute
namespace: admin-web
spec:
entryPoints:
@@ -619,23 +619,6 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
- /admin
```
```toml tab="File (TOML)"
## Dynamic configuration
# dynamic-conf.toml
[http.routers.router1]
rule = "Host(`example.org`) && PathPrefix(`/admin`)"
service = "admin-svc"
entrypoints = ["web"]
middlewares = ["admin-stripprefix"]
[http.middlewares]
[http.middlewares.admin-stripprefix.stripPrefix]
prefixes = ["/admin"]
# ...
```
```yaml tab="File (YAML)"
## Dynamic Configuration
# dynamic-conf.yml
@@ -652,20 +635,37 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
middlewares:
admin-stripprefix:
stripPrefix:
prefixes:
prefixes:
- "/admin"
# ...
```
```toml tab="File (TOML)"
## Dynamic configuration
# dynamic-conf.toml
[http.routers.router1]
rule = "Host(`example.org`) && PathPrefix(`/admin`)"
service = "admin-svc"
entrypoints = ["web"]
middlewares = ["admin-stripprefix"]
[http.middlewares]
[http.middlewares.admin-stripprefix.stripPrefix]
prefixes = ["/admin"]
# ...
```
??? question "What About Other Path Transformations?"
Instead of removing the path prefix with the [`stripprefix` middleware](../../middlewares/stripprefix/), you can also:
Instead of removing the path prefix with the [`stripprefix` middleware](../../middlewares/http/stripprefix/), you can also:
- Add a path prefix with the [`addprefix` middleware](../../middlewares/addprefix/)
- Replace the complete path of the request with the [`replacepath` middleware](../../middlewares/replacepath/)
- ReplaceRewrite path using Regexp with the [`replacepathregex` middleware](../../middlewares/replacepathregex/)
- And a lot more on the [`middlewares` page](../../middlewares/overview/)
- Add a path prefix with the [`addprefix` middleware](../../middlewares/http/addprefix/)
- Replace the complete path of the request with the [`replacepath` middleware](../../middlewares/http/replacepath/)
- ReplaceRewrite path using Regexp with the [`replacepathregex` middleware](../../middlewares/http/replacepathregex/)
- And a lot more on the [`HTTP middlewares` page](../../middlewares/http/overview/)
## ACME (LetsEncrypt)
@@ -674,11 +674,11 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
!!! example "ACME from provider to a specific Certificate Resolver"
!!! info "v1"
```toml tab="File (TOML)"
# static configuration
defaultEntryPoints = ["websecure","web"]
[entryPoints.web]
address = ":80"
[entryPoints.web.redirect]
@@ -686,7 +686,7 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
[entryPoints.websecure]
address = ":443"
[entryPoints.websecure.tls]
[acme]
email = "your-email-here@example.com"
storage = "acme.json"
@@ -708,34 +708,17 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
!!! info "v2"
```toml tab="File (TOML)"
# static configuration
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.websecure]
address = ":443"
[entryPoints.websecure.http.tls]
certResolver = "myresolver"
[certificatesResolvers.myresolver.acme]
email = "your-email@example.com"
storage = "acme.json"
[certificatesResolvers.myresolver.acme.tlsChallenge]
```
```yaml tab="File (YAML)"
entryPoints:
web:
address: ":80"
websecure:
address: ":443"
http:
tls:
certResolver: myresolver
certificatesResolvers:
myresolver:
acme:
@@ -744,6 +727,23 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
tlsChallenge: {}
```
```toml tab="File (TOML)"
# static configuration
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.websecure]
address = ":443"
[entryPoints.websecure.http.tls]
certResolver = "myresolver"
[certificatesResolvers.myresolver.acme]
email = "your-email@example.com"
storage = "acme.json"
[certificatesResolvers.myresolver.acme.tlsChallenge]
```
```bash tab="CLI"
--entrypoints.web.address=:80
--entrypoints.websecure.address=:443
@@ -764,7 +764,7 @@ There is no more log configuration at the root level.
```toml tab="File (TOML)"
# static configuration
logLevel = "DEBUG"
[traefikLog]
filePath = "/path/to/traefik.log"
format = "json"
@@ -778,14 +778,6 @@ There is no more log configuration at the root level.
!!! info "v2"
```toml tab="File (TOML)"
# static configuration
[log]
level = "DEBUG"
filePath = "/path/to/log-file.log"
format = "json"
```
```yaml tab="File (YAML)"
# static configuration
log:
@@ -794,6 +786,14 @@ There is no more log configuration at the root level.
format: json
```
```toml tab="File (TOML)"
# static configuration
[log]
level = "DEBUG"
filePath = "/path/to/log-file.log"
format = "json"
```
```bash tab="CLI"
--log.level=DEBUG
--log.filePath=/path/to/traefik.log
@@ -838,17 +838,6 @@ Traefik v2 retains OpenTracing support. The `backend` root option from the v1 is
!!! info "v2"
```toml tab="File (TOML)"
# static configuration
[tracing]
servicename = "tracing"
[tracing.jaeger]
samplingParam = 1.0
samplingServerURL = "http://12.0.0.1:5778/sampling"
samplingType = "const"
localAgentHostPort = "12.0.0.1:6831"
```
```yaml tab="File (YAML)"
# static configuration
tracing:
@@ -860,6 +849,17 @@ Traefik v2 retains OpenTracing support. The `backend` root option from the v1 is
localAgentHostPort: '12.0.0.1:6831'
```
```toml tab="File (TOML)"
# static configuration
[tracing]
servicename = "tracing"
[tracing.jaeger]
samplingParam = 1.0
samplingServerURL = "http://12.0.0.1:5778/sampling"
samplingType = "const"
localAgentHostPort = "12.0.0.1:6831"
```
```bash tab="CLI"
--tracing.servicename=tracing
--tracing.jaeger.localagenthostport=12.0.0.1:6831
@@ -891,13 +891,6 @@ For a basic configuration, the [metrics configuration](../observability/metrics/
!!! info "v2"
```toml tab="File (TOML)"
# static configuration
[metrics.prometheus]
buckets = [0.1,0.3,1.2,5.0]
entryPoint = "metrics"
```
```yaml tab="File (YAML)"
# static configuration
metrics:
@@ -910,6 +903,13 @@ For a basic configuration, the [metrics configuration](../observability/metrics/
entryPoint: metrics
```
```toml tab="File (TOML)"
# static configuration
[metrics.prometheus]
buckets = [0.1,0.3,1.2,5.0]
entryPoint = "metrics"
```
```bash tab="CLI"
--metrics.prometheus.buckets=[0.1,0.3,1.2,5.0]
--metrics.prometheus.entrypoint=metrics
@@ -955,43 +955,43 @@ Each root item has been moved to a related section or removed.
!!! info "v2"
```toml tab="File (TOML)"
# static configuration
[global]
checkNewVersion = true
sendAnonymousUsage = true
[log]
level = "DEBUG"
[serversTransport]
insecureSkipVerify = true
rootCAs = [ "/mycert.cert" ]
maxIdleConnsPerHost = 42
[providers]
providersThrottleDuration = 42
```
```yaml tab="File (YAML)"
# static configuration
global:
checkNewVersion: true
sendAnonymousUsage: true
log:
level: DEBUG
serversTransport:
insecureSkipVerify: true
rootCAs:
- /mycert.cert
maxIdleConnsPerHost: 42
providers:
providersThrottleDuration: 42
```
```toml tab="File (TOML)"
# static configuration
[global]
checkNewVersion = true
sendAnonymousUsage = true
[log]
level = "DEBUG"
[serversTransport]
insecureSkipVerify = true
rootCAs = [ "/mycert.cert" ]
maxIdleConnsPerHost = 42
[providers]
providersThrottleDuration = 42
```
```bash tab="CLI"
--global.checknewversion=true
--global.sendanonymoususage=true
@@ -1018,7 +1018,7 @@ To activate the dashboard, you can either:
```toml tab="File (TOML)"
## static configuration
# traefik.toml
[entryPoints.websecure]
address = ":443"
[entryPoints.websecure.tls]
@@ -1027,7 +1027,7 @@ To activate the dashboard, you can either:
users = [
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
]
[api]
entryPoint = "websecure"
```
@@ -1050,55 +1050,25 @@ To activate the dashboard, you can either:
- "traefik.http.middlewares.myAuth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/"
```
```toml tab="File (TOML)"
## static configuration
# traefik.toml
[entryPoints.websecure]
address = ":443"
[api]
[providers.file]
directory = "/path/to/dynamic/config"
##---------------------##
## dynamic configuration
# /path/to/dynamic/config/dynamic-conf.toml
[http.routers.api]
rule = "Host(`traefik.docker.localhost`)"
entrypoints = ["websecure"]
service = "api@internal"
middlewares = ["myAuth"]
[http.routers.api.tls]
[http.middlewares.myAuth.basicAuth]
users = [
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
]
```
```yaml tab="File (YAML)"
## static configuration
# traefik.yaml
# traefik.yml
entryPoints:
websecure:
address: ':443'
api: {}
providers:
file:
directory: /path/to/dynamic/config
##---------------------##
## dynamic configuration
# /path/to/dynamic/config/dynamic-conf.yaml
# /path/to/dynamic/config/dynamic-conf.yml
http:
routers:
api:
@@ -1109,7 +1079,7 @@ To activate the dashboard, you can either:
middlewares:
- myAuth
tls: {}
middlewares:
myAuth:
basicAuth:
@@ -1117,6 +1087,36 @@ To activate the dashboard, you can either:
- 'test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/'
```
```toml tab="File (TOML)"
## static configuration
# traefik.toml
[entryPoints.websecure]
address = ":443"
[api]
[providers.file]
directory = "/path/to/dynamic/config"
##---------------------##
## dynamic configuration
# /path/to/dynamic/config/dynamic-conf.toml
[http.routers.api]
rule = "Host(`traefik.docker.localhost`)"
entrypoints = ["websecure"]
service = "api@internal"
middlewares = ["myAuth"]
[http.routers.api.tls]
[http.middlewares.myAuth.basicAuth]
users = [
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
]
```
## Providers
Supported [providers](../providers/overview.md), for now:

87
docs/content/migration/v2.md
View File

@@ -8,7 +8,7 @@ In v2.1, a new Kubernetes CRD called `TraefikService` was added.
While updating an installation to v2.1,
one should apply that CRD, and update the existing `ClusterRole` definition to allow Traefik to use that CRD.
To add that CRD and enhance the permissions, following definitions need to be applied to the cluster.
To add that CRD and enhance the permissions, the following definitions need to be applied to the cluster.
```yaml tab="TraefikService"
apiVersion: apiextensions.k8s.io/v1beta1
@@ -87,7 +87,7 @@ In v2.2, new Kubernetes CRDs called `TLSStore` and `IngressRouteUDP` were added.
While updating an installation to v2.2,
one should apply that CRDs, and update the existing `ClusterRole` definition to allow Traefik to use that CRDs.
To add that CRDs and enhance the permissions, following definitions need to be applied to the cluster.
To add that CRDs and enhance the permissions, the following definitions need to be applied to the cluster.
```yaml tab="TLSStore"
apiVersion: apiextensions.k8s.io/v1beta1
@@ -189,7 +189,7 @@ metadata:
spec:
tls:
- secretName: myTlsSecret
- secretName: my-tls-secret
rules:
- host: example.com
@@ -256,7 +256,7 @@ metadata:
spec:
tls:
- secretName: myTlsSecret
- secretName: my-tls-secret
rules:
- host: example.com
@@ -336,3 +336,82 @@ The file parser has been changed, since v2.3 the unknown options/fields in a dyn
In `v2.3`, the support of `IngressClass`, which is available since Kubernetes version `1.18`, has been introduced.
In order to be able to use this new resource the [Kubernetes RBAC](../reference/dynamic-configuration/kubernetes-crd.md#rbac) must be updated.
## v2.3 to v2.4
### ServersTransport
In `v2.4.0`, the support of `ServersTransport` has been introduced.
It is therefore necessary to update [RBAC](../reference/dynamic-configuration/kubernetes-crd.md#rbac) and [CRD](../reference/dynamic-configuration/kubernetes-crd.md) definitions.
## v2.4.7 to v2.4.8
### Non-ASCII Domain Names
In `v2.4.8`, we introduced a new check on domain names used in HTTP router rule `Host` and `HostRegexp` expressions,
and in TCP router rule `HostSNI` expression.
This check ensures that provided domain names don't contain non-ASCII characters.
If not, an error is raised, and the associated router will be shown as invalid in the dashboard.
This new behavior is intended to show what was failing silently previously and to help troubleshooting configuration issues.
It doesn't change the support for non-ASCII domain names in routers rules, which is not part of the Traefik feature set so far.
In order to use non-ASCII domain names in a router's rule, one should use the Punycode form of the domain name.
For more information, please read the [HTTP routers rule](../routing/routers/index.md#rule) part or [TCP router rules](../routing/routers/index.md#rule_1) part of the documentation.
## v2.4.8 to v2.4.9
### Tracing Span
In `v2.4.9`, we changed span error to log only server errors (>= 500).
## v2.4.9 to v2.4.10
### K8S CrossNamespace
In `v2.4.10`, the default value for `allowCrossNamespace` has been changed to `false`.
### K8S ExternalName Service
In `v2.4.10`, by default, it is no longer authorized to reference Kubernetes ExternalName services.
To allow it, the `allowExternalNameServices` option should be set to `true`.
## v2.4 to v2.5
### Kubernetes CRD
In `v2.5`, the [Traefik CRDs](../reference/dynamic-configuration/kubernetes-crd.md#definitions) have been updated to support the new API version `apiextensions.k8s.io/v1`.
As required by `apiextensions.k8s.io/v1`, we have included the OpenAPI validation schema.
After deploying the new [Traefik CRDs](../reference/dynamic-configuration/kubernetes-crd.md#definitions), the resources will be validated only on creation or update.
Please note that the unknown fields will not be pruned when migrating from `apiextensions.k8s.io/v1beta1` to `apiextensions.k8s.io/v1` CRDs.
For more details check out the official [documentation](https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#specifying-a-structural-schema).
### Kubernetes Ingress
Traefik v2.5 moves forward for the Ingress provider to support Kubernetes v1.22.
Traefik now supports only v1.14+ Kubernetes clusters, which means the support of `extensions/v1beta1` API Version ingresses has been dropped.
The `extensions/v1beta1` API Version should now be replaced either by `networking.k8s.io/v1beta1` or by `networking.k8s.io/v1` (as of Kubernetes v1.19+).
The support of the `networking.k8s.io/v1beta1` API Version will stop in Kubernetes v1.22.
### Headers middleware: ssl redirect options
`sslRedirect`, `sslTemporaryRedirect`, `sslHost` and `sslForceHost` are deprecated in Traefik v2.5.
For simple HTTP to HTTPS redirection, you may use [EntryPoints redirections](../routing/entrypoints.md#redirection).
For more advanced use cases, you can use either the [RedirectScheme middleware](../middlewares/http/redirectscheme.md) or the [RedirectRegex middleware](../middlewares/http/redirectregex.md).
### Headers middleware: accessControlAllowOrigin
`accessControlAllowOrigin` is no longer supported in Traefik v2.5.
### X.509 CommonName Deprecation Bis
Following up on the deprecation started [previously](#x509-commonname-deprecation),
as the `x509ignoreCN=0` value for the `GODEBUG` is [deprecated in Go 1.17](https://tip.golang.org/doc/go1.17#crypto/x509),
the legacy behavior related to the CommonName field can not be enabled at all anymore.

112
docs/content/observability/access-logs.md
View File

@@ -5,18 +5,18 @@ Who Calls Whom?
By default, logs are written to stdout, in text format.
## Configuration
## Configuration
To enable the access logs:
```toml tab="File (TOML)"
[accessLog]
```
```yaml tab="File (YAML)"
accessLog: {}
```
```toml tab="File (TOML)"
[accessLog]
```
```bash tab="CLI"
--accesslog=true
```
@@ -26,28 +26,28 @@ accessLog: {}
By default access logs are written to the standard output.
To write the logs into a log file, use the `filePath` option.
```toml tab="File (TOML)"
[accessLog]
filePath = "/path/to/access.log"
```
```yaml tab="File (YAML)"
accessLog:
filePath: "/path/to/access.log"
```
```toml tab="File (TOML)"
[accessLog]
filePath = "/path/to/access.log"
```
```bash tab="CLI"
--accesslog.filepath=/path/to/access.log
```
### `format`
By default, logs are written using the Common Log Format (CLF).
To write logs in JSON, use `json` in the `format` option.
If the given format is unsupported, the default (CLF) is used instead.
!!! info "Common Log Format"
```html
<remote_IP_address> - <client_user_name_if_available> [<timestamp>] "<request_method> <request_path> <request_protocol>" <origin_server_HTTP_status> <origin_server_content_size> "<request_referrer>" "<request_user_agent>" <number_of_requests_received_since_Traefik_started> "<Traefik_router_name>" "<Traefik_server_URL>" <request_duration_in_ms>ms
```
@@ -58,13 +58,6 @@ To write the logs in an asynchronous fashion, specify a `bufferingSize` option.
This option represents the number of log lines Traefik will keep in memory before writing them to the selected output.
In some cases, this option can greatly help performances.
```toml tab="File (TOML)"
# Configuring a buffer of 100 lines
[accessLog]
filePath = "/path/to/access.log"
bufferingSize = 100
```
```yaml tab="File (YAML)"
# Configuring a buffer of 100 lines
accessLog:
@@ -72,6 +65,13 @@ accessLog:
bufferingSize: 100
```
```toml tab="File (TOML)"
# Configuring a buffer of 100 lines
[accessLog]
filePath = "/path/to/access.log"
bufferingSize = 100
```
```bash tab="CLI"
# Configuring a buffer of 100 lines
--accesslog.filepath=/path/to/access.log
@@ -80,40 +80,40 @@ accessLog:
### Filtering
To filter logs, you can specify a set of filters which are logically "OR-connected".
To filter logs, you can specify a set of filters which are logically "OR-connected".
Thus, specifying multiple filters will keep more access logs than specifying only one.
The available filters are:
The available filters are:
- `statusCodes`, to limit the access logs to requests with a status codes in the specified range
- `retryAttempts`, to keep the access logs when at least one retry has happened
- `minDuration`, to keep access logs when requests take longer than the specified duration (provided in seconds or as a valid duration format, see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration))
```yaml tab="File (YAML)"
# Configuring Multiple Filters
accessLog:
filePath: "/path/to/access.log"
format: json
filters:
statusCodes:
- "200"
- "300-302"
retryAttempts: true
minDuration: "10ms"
```
```toml tab="File (TOML)"
# Configuring Multiple Filters
[accessLog]
filePath = "/path/to/access.log"
format = "json"
[accessLog.filters]
[accessLog.filters]
statusCodes = ["200", "300-302"]
retryAttempts = true
minDuration = "10ms"
```
```yaml tab="File (YAML)"
# Configuring Multiple Filters
accessLog:
filePath: "/path/to/access.log"
format: json
filters:
statusCodes:
- "200"
- "300-302"
retryAttempts: true
minDuration: "10ms"
```
```bash tab="CLI"
# Configuring Multiple Filters
--accesslog.filepath=/path/to/access.log
@@ -135,27 +135,9 @@ Each field can be set to:
The `defaultMode` for `fields.headers` is `drop`.
```toml tab="File (TOML)"
# Limiting the Logs to Specific Fields
[accessLog]
filePath = "/path/to/access.log"
format = "json"
[accessLog.fields]
defaultMode = "keep"
[accessLog.fields.names]
"ClientUsername" = "drop"
[accessLog.fields.headers]
defaultMode = "keep"
[accessLog.fields.headers.names]
"User-Agent" = "redact"
"Authorization" = "drop"
"Content-Type" = "keep"
```
```yaml tab="File (YAML)"
# Limiting the Logs to Specific Fields
accessLog:
@@ -173,6 +155,24 @@ accessLog:
Content-Type: keep
```
```toml tab="File (TOML)"
# Limiting the Logs to Specific Fields
[accessLog]
filePath = "/path/to/access.log"
format = "json"
[accessLog.fields.names]
"ClientUsername" = "drop"
[accessLog.fields.headers]
defaultMode = "keep"
[accessLog.fields.headers.names]
"User-Agent" = "redact"
"Authorization" = "drop"
"Content-Type" = "keep"
```
```bash tab="CLI"
# Limiting the Logs to Specific Fields
--accesslog.filepath=/path/to/access.log
@@ -209,7 +209,7 @@ accessLog:
| `RequestScheme` | The HTTP scheme requested `http` or `https`. |
| `RequestLine` | `RequestMethod` + `RequestPath` + `RequestProtocol` |
| `RequestContentSize` | The number of bytes in the request entity (a.k.a. body) sent by the client. |
| `OriginDuration` | The time taken (in nanoseconds) by the origin server ('upstream') to return its response. |
| `OriginDuration` | The time taken (in nanoseconds) by the origin server ('upstream') to return its response. |
| `OriginContentSize` | The content length specified by the origin server, or 0 if unspecified. |
| `OriginStatus` | The HTTP status code returned by the origin server. If the request was handled by this Traefik instance (e.g. with a redirect), then this value will be absent. |
| `OriginStatusLine` | `OriginStatus` + Status code explanation |
@@ -218,8 +218,10 @@ accessLog:
| `DownstreamContentSize` | The number of bytes in the response entity returned to the client. This is in addition to the "Content-Length" header, which may be present in the origin response. |
| `RequestCount` | The number of requests received since the Traefik instance started. |
| `GzipRatio` | The response body compression ratio achieved. |
| `Overhead` | The processing time overhead (in nanoseconds) caused by Traefik. |
| `Overhead` | The processing time overhead (in nanoseconds) caused by Traefik. |
| `RetryAttempts` | The amount of attempts the request was retried. |
| `TLSVersion` | The TLS version used by the connection (e.g. `1.2`) (if connection is TLS). |
| `TLSCipher` | The TLS cipher used by the connection (e.g. `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`) (if connection is TLS) |
## Log Rotation

40
docs/content/observability/logs.md
View File

@@ -16,18 +16,18 @@ Traefik logs concern everything that happens to Traefik itself (startup, configu
By default, the logs are written to the standard output.
You can configure a file path instead using the `filePath` option.
```toml tab="File (TOML)"
# Writing Logs to a File
[log]
filePath = "/path/to/traefik.log"
```
```yaml tab="File (YAML)"
# Writing Logs to a File
log:
filePath: "/path/to/traefik.log"
```
```toml tab="File (TOML)"
# Writing Logs to a File
[log]
filePath = "/path/to/traefik.log"
```
```bash tab="CLI"
# Writing Logs to a File
--log.filePath=/path/to/traefik.log
@@ -35,14 +35,7 @@ log:
#### `format`
By default, the logs use a text format (`common`), but you can also ask for the `json` format in the `format` option.
```toml tab="File (TOML)"
# Writing Logs to a File, in JSON
[log]
filePath = "/path/to/log-file.log"
format = "json"
```
By default, the logs use a text format (`common`), but you can also ask for the `json` format in the `format` option.
```yaml tab="File (YAML)"
# Writing Logs to a File, in JSON
@@ -51,6 +44,13 @@ log:
format: json
```
```toml tab="File (TOML)"
# Writing Logs to a File, in JSON
[log]
filePath = "/path/to/log-file.log"
format = "json"
```
```bash tab="CLI"
# Writing Logs to a File, in JSON
--log.filePath=/path/to/traefik.log
@@ -59,18 +59,18 @@ log:
#### `level`
By default, the `level` is set to `ERROR`. Alternative logging levels are `DEBUG`, `PANIC`, `FATAL`, `ERROR`, `WARN`, and `INFO`.
```toml tab="File (TOML)"
[log]
level = "DEBUG"
```
By default, the `level` is set to `ERROR`. Alternative logging levels are `DEBUG`, `PANIC`, `FATAL`, `ERROR`, `WARN`, and `INFO`.
```yaml tab="File (YAML)"
log:
level: DEBUG
```
```toml tab="File (TOML)"
[log]
level = "DEBUG"
```
```bash tab="CLI"
--log.level=DEBUG
```

79
docs/content/observability/metrics/datadog.md
View File

@@ -2,16 +2,16 @@
To enable the Datadog:
```toml tab="File (TOML)"
[metrics]
[metrics.datadog]
```
```yaml tab="File (YAML)"
metrics:
datadog: {}
```
```toml tab="File (TOML)"
[metrics]
[metrics.datadog]
```
```bash tab="CLI"
--metrics.datadog=true
```
@@ -22,18 +22,18 @@ _Required, Default="127.0.0.1:8125"_
Address instructs exporter to send metrics to datadog-agent at this address.
```toml tab="File (TOML)"
[metrics]
[metrics.datadog]
address = "127.0.0.1:8125"
```
```yaml tab="File (YAML)"
metrics:
datadog:
address: 127.0.0.1:8125
```
```toml tab="File (TOML)"
[metrics]
[metrics.datadog]
address = "127.0.0.1:8125"
```
```bash tab="CLI"
--metrics.datadog.address=127.0.0.1:8125
```
@@ -44,21 +44,42 @@ _Optional, Default=true_
Enable metrics on entry points.
```toml tab="File (TOML)"
[metrics]
[metrics.datadog]
addEntryPointsLabels = true
```
```yaml tab="File (YAML)"
metrics:
datadog:
addEntryPointsLabels: true
```
```toml tab="File (TOML)"
[metrics]
[metrics.datadog]
addEntryPointsLabels = true
```
```bash tab="CLI"
--metrics.datadog.addEntryPointsLabels=true
```
#### `AddRoutersLabels`
_Optional, Default=false_
Enable metrics on routers.
```toml tab="File (TOML)"
[metrics]
[metrics.datadog]
addRoutersLabels = true
```
```yaml tab="File (YAML)"
metrics:
datadog:
addRoutersLabels: true
```
```bash tab="CLI"
--metrics.datadog.addrouterslabels=true
```
#### `addServicesLabels`
@@ -66,18 +87,18 @@ _Optional, Default=true_
Enable metrics on services.
```toml tab="File (TOML)"
[metrics]
[metrics.datadog]
addServicesLabels = true
```
```yaml tab="File (YAML)"
metrics:
datadog:
addServicesLabels: true
```
```toml tab="File (TOML)"
[metrics]
[metrics.datadog]
addServicesLabels = true
```
```bash tab="CLI"
--metrics.datadog.addServicesLabels=true
```
@@ -88,18 +109,18 @@ _Optional, Default=10s_
The interval used by the exporter to push metrics to datadog-agent.
```toml tab="File (TOML)"
[metrics]
[metrics.datadog]
pushInterval = 10s
```
```yaml tab="File (YAML)"
metrics:
datadog:
pushInterval: 10s
```
```toml tab="File (TOML)"
[metrics]
[metrics.datadog]
pushInterval = 10s
```
```bash tab="CLI"
--metrics.datadog.pushInterval=10s
```

140
docs/content/observability/metrics/influxdb.md
View File

@@ -2,16 +2,16 @@
To enable the InfluxDB:
```toml tab="File (TOML)"
[metrics]
[metrics.influxDB]
```
```yaml tab="File (YAML)"
metrics:
influxDB: {}
```
```toml tab="File (TOML)"
[metrics]
[metrics.influxDB]
```
```bash tab="CLI"
--metrics.influxdb=true
```
@@ -22,18 +22,18 @@ _Required, Default="localhost:8089"_
Address instructs exporter to send metrics to influxdb at this address.
```toml tab="File (TOML)"
[metrics]
[metrics.influxDB]
address = "localhost:8089"
```
```yaml tab="File (YAML)"
metrics:
influxDB:
address: localhost:8089
```
```toml tab="File (TOML)"
[metrics]
[metrics.influxDB]
address = "localhost:8089"
```
```bash tab="CLI"
--metrics.influxdb.address=localhost:8089
```
@@ -44,18 +44,18 @@ _Required, Default="udp"_
InfluxDB's address protocol (udp or http).
```toml tab="File (TOML)"
[metrics]
[metrics.influxDB]
protocol = "udp"
```
```yaml tab="File (YAML)"
metrics:
influxDB:
protocol: udp
```
```toml tab="File (TOML)"
[metrics]
[metrics.influxDB]
protocol = "udp"
```
```bash tab="CLI"
--metrics.influxdb.protocol=udp
```
@@ -66,18 +66,18 @@ _Optional, Default=""_
InfluxDB database used when protocol is http.
```toml tab="File (TOML)"
[metrics]
[metrics.influxDB]
database = "db"
```
```yaml tab="File (YAML)"
metrics:
influxDB:
database: "db"
```
```toml tab="File (TOML)"
[metrics]
[metrics.influxDB]
database = "db"
```
```bash tab="CLI"
--metrics.influxdb.database=db
```
@@ -88,18 +88,18 @@ _Optional, Default=""_
InfluxDB retention policy used when protocol is http.
```toml tab="File (TOML)"
[metrics]
[metrics.influxDB]
retentionPolicy = "two_hours"
```
```yaml tab="File (YAML)"
metrics:
influxDB:
retentionPolicy: "two_hours"
```
```toml tab="File (TOML)"
[metrics]
[metrics.influxDB]
retentionPolicy = "two_hours"
```
```bash tab="CLI"
--metrics.influxdb.retentionPolicy=two_hours
```
@@ -110,18 +110,18 @@ _Optional, Default=""_
InfluxDB username (only with http).
```toml tab="File (TOML)"
[metrics]
[metrics.influxDB]
username = "john"
```
```yaml tab="File (YAML)"
metrics:
influxDB:
username: "john"
```
```toml tab="File (TOML)"
[metrics]
[metrics.influxDB]
username = "john"
```
```bash tab="CLI"
--metrics.influxdb.username=john
```
@@ -132,18 +132,18 @@ _Optional, Default=""_
InfluxDB password (only with http).
```toml tab="File (TOML)"
[metrics]
[metrics.influxDB]
password = "secret"
```
```yaml tab="File (YAML)"
metrics:
influxDB:
password: "secret"
```
```toml tab="File (TOML)"
[metrics]
[metrics.influxDB]
password = "secret"
```
```bash tab="CLI"
--metrics.influxdb.password=secret
```
@@ -154,40 +154,62 @@ _Optional, Default=true_
Enable metrics on entry points.
```toml tab="File (TOML)"
[metrics]
[metrics.influxDB]
addEntryPointsLabels = true
```
```yaml tab="File (YAML)"
metrics:
influxDB:
addEntryPointsLabels: true
```
```toml tab="File (TOML)"
[metrics]
[metrics.influxDB]
addEntryPointsLabels = true
```
```bash tab="CLI"
--metrics.influxdb.addEntryPointsLabels=true
```
#### `AddRoutersLabels`
_Optional, Default=false_
Enable metrics on routers.
```toml tab="File (TOML)"
[metrics]
[metrics.influxDB]
addRoutersLabels = true
```
```yaml tab="File (YAML)"
metrics:
influxDB:
addRoutersLabels: true
```
```bash tab="CLI"
--metrics.influxdb.addrouterslabels=true
```
#### `addServicesLabels`
_Optional, Default=true_
Enable metrics on services.
```toml tab="File (TOML)"
[metrics]
[metrics.influxDB]
addServicesLabels = true
```
```yaml tab="File (YAML)"
metrics:
influxDB:
addServicesLabels: true
```
```toml tab="File (TOML)"
[metrics]
[metrics.influxDB]
addServicesLabels = true
```
```bash tab="CLI"
--metrics.influxdb.addServicesLabels=true
```
@@ -198,18 +220,18 @@ _Optional, Default=10s_
The interval used by the exporter to push metrics to influxdb.
```toml tab="File (TOML)"
[metrics]
[metrics.influxDB]
pushInterval = 10s
```
```yaml tab="File (YAML)"
metrics:
influxDB:
pushInterval: 10s
```
```toml tab="File (TOML)"
[metrics]
[metrics.influxDB]
pushInterval = 10s
```
```bash tab="CLI"
--metrics.influxdb.pushInterval=10s
```

313
docs/content/observability/metrics/overview.md
View File

@@ -1,6 +1,4 @@
# Metrics
Metrics system
{: .subtitle }
Traefik supports 4 metrics backends:
@@ -13,14 +11,317 @@ Traefik supports 4 metrics backends:
To enable metrics:
```toml tab="File (TOML)"
[metrics]
```
```yaml tab="File (YAML)"
metrics: {}
```
```toml tab="File (TOML)"
[metrics]
```
```bash tab="CLI"
--metrics=true
```
## Server Metrics
| Metric | DataDog | InfluxDB | Prometheus | StatsD |
|-------------------------------------------------------------------------|---------|----------|------------|--------|
| [Configuration reloads](#configuration-reloads) | ✓ | ✓ | ✓ | ✓ |
| [Configuration reload failures](#configuration-reload-failures) | ✓ | ✓ | ✓ | ✓ |
| [Last Configuration Reload Success](#last-configuration-reload-success) | ✓ | ✓ | ✓ | ✓ |
| [Last Configuration Reload Failure](#last-configuration-reload-failure) | ✓ | ✓ | ✓ | ✓ |
### Configuration Reloads
The total count of configuration reloads.
```dd tab="Datadog"
config.reload.total
```
```influxdb tab="InfluDB"
traefik.config.reload.total
```
```prom tab="Prometheus"
traefik_config_reloads_total
```
```statsd tab="StatsD"
# Default prefix: "traefik"
{prefix}.config.reload.total
```
### Configuration Reload Failures
The total count of configuration reload failures.
```dd tab="Datadog"
config.reload.total (with tag "failure" to true)
```
```influxdb tab="InfluDB"
traefik.config.reload.total.failure
```
```prom tab="Prometheus"
traefik_config_reloads_failure_total
```
```statsd tab="StatsD"
# Default prefix: "traefik"
{prefix}.config.reload.total.failure
```
### Last Configuration Reload Success
The timestamp of the last configuration reload success.
```dd tab="Datadog"
config.reload.lastSuccessTimestamp
```
```influxdb tab="InfluDB"
traefik.config.reload.lastSuccessTimestamp
```
```prom tab="Prometheus"
traefik_config_last_reload_success
```
```statsd tab="StatsD"
# Default prefix: "traefik"
{prefix}.config.reload.lastSuccessTimestamp
```
### Last Configuration Reload Failure
The timestamp of the last configuration reload failure.
```dd tab="Datadog"
config.reload.lastFailureTimestamp
```
```influxdb tab="InfluDB"
traefik.config.reload.lastFailureTimestamp
```
```prom tab="Prometheus"
traefik_config_last_reload_failure
```
```statsd tab="StatsD"
# Default prefix: "traefik"
{prefix}.config.reload.lastFailureTimestamp
```
## EntryPoint Metrics
| Metric | DataDog | InfluxDB | Prometheus | StatsD |
|-----------------------------------------------------------|---------|----------|------------|--------|
| [HTTP Requests Count](#http-requests-count) | ✓ | ✓ | ✓ | ✓ |
| [HTTPS Requests Count](#https-requests-count) | | | ✓ | |
| [Request Duration Histogram](#request-duration-histogram) | ✓ | ✓ | ✓ | ✓ |
| [Open Connections Count](#open-connections-count) | ✓ | ✓ | ✓ | ✓ |
### HTTP Requests Count
The total count of HTTP requests processed on an entrypoint.
Available labels: `code`, `method`, `protocol`, `entrypoint`.
```dd tab="Datadog"
entrypoint.request.total
```
```influxdb tab="InfluDB"
traefik.entrypoint.requests.total
```
```prom tab="Prometheus"
traefik_entrypoint_requests_total
```
```statsd tab="StatsD"
# Default prefix: "traefik"
{prefix}.entrypoint.request.total
```
### HTTPS Requests Count
The total count of HTTPS requests processed on an entrypoint.
Available labels: `tls_version`, `tls_cipher`, `entrypoint`.
```prom tab="Prometheus"
traefik_entrypoint_requests_tls_total
```
### Request Duration Histogram
Request process time duration histogram on an entrypoint.
Available labels: `code`, `method`, `protocol`, `entrypoint`.
```dd tab="Datadog"
entrypoint.request.duration
```
```influxdb tab="InfluDB"
traefik.entrypoint.request.duration
```
```prom tab="Prometheus"
traefik_entrypoint_request_duration_seconds
```
```statsd tab="StatsD"
# Default prefix: "traefik"
{prefix}.entrypoint.request.duration
```
### Open Connections Count
The current count of open connections on an entrypoint.
Available labels: `method`, `protocol`, `entrypoint`.
```dd tab="Datadog"
entrypoint.connections.open
```
```influxdb tab="InfluDB"
traefik.entrypoint.connections.open
```
```prom tab="Prometheus"
traefik_entrypoint_open_connections
```
```statsd tab="StatsD"
# Default prefix: "traefik"
{prefix}.entrypoint.connections.open
```
## Service Metrics
| Metric | DataDog | InfluxDB | Prometheus | StatsD |
|-------------------------------------------------------------|---------|----------|------------|--------|
| [HTTP Requests Count](#http-requests-count_1) | ✓ | ✓ | ✓ | ✓ |
| [HTTPS Requests Count](#https-requests-count_1) | | | ✓ | |
| [Request Duration Histogram](#request-duration-histogram_1) | ✓ | ✓ | ✓ | ✓ |
| [Open Connections Count](#open-connections-count_1) | ✓ | ✓ | ✓ | ✓ |
| [Requests Retries Count](#requests-retries-count) | ✓ | ✓ | ✓ | ✓ |
| [Service Server UP](#service-server-up) | ✓ | ✓ | ✓ | ✓ |
### HTTP Requests Count
The total count of HTTP requests processed on a service.
Available labels: `code`, `method`, `protocol`, `service`.
```dd tab="Datadog"
service.request.total
```
```influxdb tab="InfluDB"
traefik.service.requests.total
```
```prom tab="Prometheus"
traefik_service_requests_total
```
```statsd tab="StatsD"
# Default prefix: "traefik"
{prefix}.service.request.total
```
### HTTPS Requests Count
The total count of HTTPS requests processed on a service.
Available labels: `tls_version`, `tls_cipher`, `service`.
```prom tab="Prometheus"
traefik_service_requests_tls_total
```
### Request Duration Histogram
Request process time duration histogram on a service.
Available labels: `code`, `method`, `protocol`, `service`.
```dd tab="Datadog"
service.request.duration
```
```influxdb tab="InfluDB"
traefik.service.request.duration
```
```prom tab="Prometheus"
traefik_service_request_duration_seconds
```
```statsd tab="StatsD"
# Default prefix: "traefik"
{prefix}.service.request.duration
```
### Open Connections Count
The current count of open connections on a service.
Available labels: `method`, `protocol`, `service`.
```dd tab="Datadog"
service.connections.open
```
```influxdb tab="InfluDB"
traefik.service.connections.open
```
```prom tab="Prometheus"
traefik_service_open_connections
```
```statsd tab="StatsD"
# Default prefix: "traefik"
{prefix}.service.connections.open
```
### Requests Retries Count
The count of requests retries on a service.
Available labels: `service`.
```dd tab="Datadog"
service.retries.total
```
```influxdb tab="InfluDB"
traefik.service.retries.total
```
```prom tab="Prometheus"
traefik_service_retries_total
```
```statsd tab="StatsD"
# Default prefix: "traefik"
{prefix}.service.retries.total
```
### Service Server UP
Current service's server status, described by a gauge with a value of 0 for a down server or a value of 1 for an up server.
Available labels: `service`, `url`.
```dd tab="Datadog"
service.server.up
```
```influxdb tab="InfluDB"
traefik.service.server.up
```
```prom tab="Prometheus"
traefik_service_server_up
```
```statsd tab="StatsD"
# Default prefix: "traefik"
{prefix}.service.server.up
```

100
docs/content/observability/metrics/prometheus.md
View File

@@ -2,16 +2,16 @@
To enable the Prometheus:
```toml tab="File (TOML)"
[metrics]
[metrics.prometheus]
```
```yaml tab="File (YAML)"
metrics:
prometheus: {}
```
```toml tab="File (TOML)"
[metrics]
[metrics.prometheus]
```
```bash tab="CLI"
--metrics.prometheus=true
```
@@ -22,12 +22,6 @@ _Optional, Default="0.100000, 0.300000, 1.200000, 5.000000"_
Buckets for latency metrics.
```toml tab="File (TOML)"
[metrics]
[metrics.prometheus]
buckets = [0.1,0.3,1.2,5.0]
```
```yaml tab="File (YAML)"
metrics:
prometheus:
@@ -38,6 +32,12 @@ metrics:
- 5.0
```
```toml tab="File (TOML)"
[metrics]
[metrics.prometheus]
buckets = [0.1,0.3,1.2,5.0]
```
```bash tab="CLI"
--metrics.prometheus.buckets=0.100000, 0.300000, 1.200000, 5.000000
```
@@ -48,40 +48,62 @@ _Optional, Default=true_
Enable metrics on entry points.
```toml tab="File (TOML)"
[metrics]
[metrics.prometheus]
addEntryPointsLabels = true
```
```yaml tab="File (YAML)"
metrics:
prometheus:
addEntryPointsLabels: true
```
```toml tab="File (TOML)"
[metrics]
[metrics.prometheus]
addEntryPointsLabels = true
```
```bash tab="CLI"
--metrics.prometheus.addEntryPointsLabels=true
```
#### `AddRoutersLabels`
_Optional, Default=false_
Enable metrics on routers.
```toml tab="File (TOML)"
[metrics]
[metrics.prometheus]
addRoutersLabels = true
```
```yaml tab="File (YAML)"
metrics:
prometheus:
addRoutersLabels: true
```
```bash tab="CLI"
--metrics.prometheus.addrouterslabels=true
```
#### `addServicesLabels`
_Optional, Default=true_
Enable metrics on services.
```toml tab="File (TOML)"
[metrics]
[metrics.prometheus]
addServicesLabels = true
```
```yaml tab="File (YAML)"
metrics:
prometheus:
addServicesLabels: true
```
```toml tab="File (TOML)"
[metrics]
[metrics.prometheus]
addServicesLabels = true
```
```bash tab="CLI"
--metrics.prometheus.addServicesLabels=true
```
@@ -92,16 +114,6 @@ _Optional, Default=traefik_
Entry point used to expose metrics.
```toml tab="File (TOML)"
[entryPoints]
[entryPoints.metrics]
address = ":8082"
[metrics]
[metrics.prometheus]
entryPoint = "metrics"
```
```yaml tab="File (YAML)"
entryPoints:
metrics:
@@ -112,6 +124,16 @@ metrics:
entryPoint: metrics
```
```toml tab="File (TOML)"
[entryPoints]
[entryPoints.metrics]
address = ":8082"
[metrics]
[metrics.prometheus]
entryPoint = "metrics"
```
```bash tab="CLI"
--entryPoints.metrics.address=:8082
--metrics.prometheus.entryPoint=metrics
@@ -123,18 +145,18 @@ _Optional, Default=false_
If `manualRouting` is `true`, it disables the default internal router in order to allow one to create a custom router for the `prometheus@internal` service.
```toml tab="File (TOML)"
[metrics]
[metrics.prometheus]
manualRouting = true
```
```yaml tab="File (YAML)"
metrics:
prometheus:
manualRouting: true
```
```toml tab="File (TOML)"
[metrics]
[metrics.prometheus]
manualRouting = true
```
```bash tab="CLI"
--metrics.prometheus.manualrouting=true
```

94
docs/content/observability/metrics/statsd.md
View File

@@ -2,16 +2,16 @@
To enable the Statsd:
```toml tab="File (TOML)"
[metrics]
[metrics.statsD]
```
```yaml tab="File (YAML)"
metrics:
statsD: {}
```
```toml tab="File (TOML)"
[metrics]
[metrics.statsD]
```
```bash tab="CLI"
--metrics.statsd=true
```
@@ -22,18 +22,18 @@ _Required, Default="localhost:8125"_
Address instructs exporter to send metrics to statsd at this address.
```toml tab="File (TOML)"
[metrics]
[metrics.statsD]
address = "localhost:8125"
```
```yaml tab="File (YAML)"
metrics:
statsD:
address: localhost:8125
```
```toml tab="File (TOML)"
[metrics]
[metrics.statsD]
address = "localhost:8125"
```
```bash tab="CLI"
--metrics.statsd.address=localhost:8125
```
@@ -44,40 +44,62 @@ _Optional, Default=true_
Enable metrics on entry points.
```toml tab="File (TOML)"
[metrics]
[metrics.statsD]
addEntryPointsLabels = true
```
```yaml tab="File (YAML)"
metrics:
statsD:
addEntryPointsLabels: true
```
```toml tab="File (TOML)"
[metrics]
[metrics.statsD]
addEntryPointsLabels = true
```
```bash tab="CLI"
--metrics.statsd.addEntryPointsLabels=true
```
#### `AddRoutersLabels`
_Optional, Default=false_
Enable metrics on entry points.
```toml tab="File (TOML)"
[metrics]
[metrics.statsD]
addRoutersLabels = true
```
```yaml tab="File (YAML)"
metrics:
statsD:
addRoutersLabels: true
```
```bash tab="CLI"
--metrics.statsd.addrouterslabels=true
```
#### `addServicesLabels`
_Optional, Default=true_
Enable metrics on services.
```toml tab="File (TOML)"
[metrics]
[metrics.statsD]
addServicesLabels = true
```
```yaml tab="File (YAML)"
metrics:
statsD:
addServicesLabels: true
```
```toml tab="File (TOML)"
[metrics]
[metrics.statsD]
addServicesLabels = true
```
```bash tab="CLI"
--metrics.statsd.addServicesLabels=true
```
@@ -88,18 +110,18 @@ _Optional, Default=10s_
The interval used by the exporter to push metrics to statsD.
```toml tab="File (TOML)"
[metrics]
[metrics.statsD]
pushInterval = 10s
```
```yaml tab="File (YAML)"
metrics:
statsD:
pushInterval: 10s
```
```toml tab="File (TOML)"
[metrics]
[metrics.statsD]
pushInterval = 10s
```
```bash tab="CLI"
--metrics.statsd.pushInterval=10s
```
@@ -110,18 +132,18 @@ _Optional, Default="traefik"_
The prefix to use for metrics collection.
```toml tab="File (TOML)"
[metrics]
[metrics.statsD]
prefix = "traefik"
```
```yaml tab="File (YAML)"
metrics:
statsD:
prefix: traefik
```
```toml tab="File (TOML)"
[metrics]
[metrics.statsD]
prefix = "traefik"
```
```bash tab="CLI"
--metrics.statsd.prefix="traefik"
```
```

58
docs/content/observability/tracing/datadog.md
View File

@@ -2,16 +2,16 @@
To enable the Datadog:
```toml tab="File (TOML)"
[tracing]
[tracing.datadog]
```
```yaml tab="File (YAML)"
tracing:
datadog: {}
```
```toml tab="File (TOML)"
[tracing]
[tracing.datadog]
```
```bash tab="CLI"
--tracing.datadog=true
```
@@ -22,18 +22,18 @@ _Required, Default="127.0.0.1:8126"_
Local Agent Host Port instructs reporter to send spans to datadog-tracing-agent at this address.
```toml tab="File (TOML)"
[tracing]
[tracing.datadog]
localAgentHostPort = "127.0.0.1:8126"
```
```yaml tab="File (YAML)"
tracing:
datadog:
localAgentHostPort: 127.0.0.1:8126
```
```toml tab="File (TOML)"
[tracing]
[tracing.datadog]
localAgentHostPort = "127.0.0.1:8126"
```
```bash tab="CLI"
--tracing.datadog.localAgentHostPort=127.0.0.1:8126
```
@@ -44,18 +44,18 @@ _Optional, Default=false_
Enable Datadog debug.
```toml tab="File (TOML)"
[tracing]
[tracing.datadog]
debug = true
```
```yaml tab="File (YAML)"
tracing:
datadog:
debug: true
```
```toml tab="File (TOML)"
[tracing]
[tracing.datadog]
debug = true
```
```bash tab="CLI"
--tracing.datadog.debug=true
```
@@ -66,18 +66,18 @@ _Optional, Default=empty_
Apply shared tag in a form of Key:Value to all the traces.
```toml tab="File (TOML)"
[tracing]
[tracing.datadog]
globalTag = "sample"
```
```yaml tab="File (YAML)"
tracing:
datadog:
globalTag: sample
```
```toml tab="File (TOML)"
[tracing]
[tracing.datadog]
globalTag = "sample"
```
```bash tab="CLI"
--tracing.datadog.globalTag=sample
```
@@ -89,18 +89,18 @@ _Optional, Default=false_
Enable priority sampling. When using distributed tracing,
this option must be enabled in order to get all the parts of a distributed trace sampled.
```toml tab="File (TOML)"
[tracing]
[tracing.datadog]
prioritySampling = true
```
```yaml tab="File (YAML)"
tracing:
datadog:
prioritySampling: true
```
```toml tab="File (TOML)"
[tracing]
[tracing.datadog]
prioritySampling = true
```
```bash tab="CLI"
--tracing.datadog.prioritySampling=true
```

46
docs/content/observability/tracing/elastic.md
View File

@@ -2,16 +2,16 @@
To enable the Elastic:
```toml tab="File (TOML)"
[tracing]
[tracing.elastic]
```
```yaml tab="File (YAML)"
tracing:
elastic: {}
```
```toml tab="File (TOML)"
[tracing]
[tracing.elastic]
```
```bash tab="CLI"
--tracing.elastic=true
```
@@ -22,18 +22,18 @@ _Optional, Default="http://localhost:8200"_
APM ServerURL is the URL of the Elastic APM server.
```toml tab="File (TOML)"
[tracing]
[tracing.elastic]
serverURL = "http://apm:8200"
```
```yaml tab="File (YAML)"
tracing:
elastic:
serverURL: "http://apm:8200"
```
```toml tab="File (TOML)"
[tracing]
[tracing.elastic]
serverURL = "http://apm:8200"
```
```bash tab="CLI"
--tracing.elastic.serverurl="http://apm:8200"
```
@@ -44,18 +44,18 @@ _Optional, Default=""_
APM Secret Token is the token used to connect to Elastic APM Server.
```toml tab="File (TOML)"
[tracing]
[tracing.elastic]
secretToken = "mytoken"
```
```yaml tab="File (YAML)"
tracing:
elastic:
secretToken: "mytoken"
```
```toml tab="File (TOML)"
[tracing]
[tracing.elastic]
secretToken = "mytoken"
```
```bash tab="CLI"
--tracing.elastic.secrettoken="mytoken"
```
@@ -66,18 +66,18 @@ _Optional, Default=""_
APM Service Environment is the name of the environment Traefik is deployed in, e.g. `production` or `staging`.
```toml tab="File (TOML)"
[tracing]
[tracing.elastic]
serviceEnvironment = "production"
```
```yaml tab="File (YAML)"
tracing:
elastic:
serviceEnvironment: "production"
```
```toml tab="File (TOML)"
[tracing]
[tracing.elastic]
serviceEnvironment = "production"
```
```bash tab="CLI"
--tracing.elastic.serviceenvironment="production"
```

94
docs/content/observability/tracing/haystack.md
View File

@@ -2,16 +2,16 @@
To enable the Haystack:
```toml tab="File (TOML)"
[tracing]
[tracing.haystack]
```
```yaml tab="File (YAML)"
tracing:
haystack: {}
```
```toml tab="File (TOML)"
[tracing]
[tracing.haystack]
```
```bash tab="CLI"
--tracing.haystack=true
```
@@ -22,18 +22,18 @@ _Require, Default="127.0.0.1"_
Local Agent Host instructs reporter to send spans to haystack-agent at this address.
```toml tab="File (TOML)"
[tracing]
[tracing.haystack]
localAgentHost = "127.0.0.1"
```
```yaml tab="File (YAML)"
tracing:
haystack:
localAgentHost: 127.0.0.1
```
```toml tab="File (TOML)"
[tracing]
[tracing.haystack]
localAgentHost = "127.0.0.1"
```
```bash tab="CLI"
--tracing.haystack.localAgentHost=127.0.0.1
```
@@ -44,18 +44,18 @@ _Require, Default=35000_
Local Agent port instructs reporter to send spans to the haystack-agent at this port.
```toml tab="File (TOML)"
[tracing]
[tracing.haystack]
localAgentPort = 35000
```
```yaml tab="File (YAML)"
tracing:
haystack:
localAgentPort: 35000
```
```toml tab="File (TOML)"
[tracing]
[tracing.haystack]
localAgentPort = 35000
```
```bash tab="CLI"
--tracing.haystack.localAgentPort=35000
```
@@ -66,18 +66,18 @@ _Optional, Default=empty_
Apply shared tag in a form of Key:Value to all the traces.
```toml tab="File (TOML)"
[tracing]
[tracing.haystack]
globalTag = "sample:test"
```
```yaml tab="File (YAML)"
tracing:
haystack:
globalTag: sample:test
```
```toml tab="File (TOML)"
[tracing]
[tracing.haystack]
globalTag = "sample:test"
```
```bash tab="CLI"
--tracing.haystack.globalTag=sample:test
```
@@ -88,18 +88,18 @@ _Optional, Default=empty_
Specifies the header name that will be used to store the trace ID.
```toml tab="File (TOML)"
[tracing]
[tracing.haystack]
traceIDHeaderName = "Trace-ID"
```
```yaml tab="File (YAML)"
tracing:
haystack:
traceIDHeaderName: Trace-ID
```
```toml tab="File (TOML)"
[tracing]
[tracing.haystack]
traceIDHeaderName = "Trace-ID"
```
```bash tab="CLI"
--tracing.haystack.traceIDHeaderName=Trace-ID
```
@@ -110,18 +110,18 @@ _Optional, Default=empty_
Specifies the header name that will be used to store the parent ID.
```toml tab="File (TOML)"
[tracing]
[tracing.haystack]
parentIDHeaderName = "Parent-Message-ID"
```
```yaml tab="File (YAML)"
tracing:
haystack:
parentIDHeaderName: Parent-Message-ID
```
```toml tab="File (TOML)"
[tracing]
[tracing.haystack]
parentIDHeaderName = "Parent-Message-ID"
```
```bash tab="CLI"
--tracing.haystack.parentIDHeaderName=Parent-Message-ID
```
@@ -132,18 +132,18 @@ _Optional, Default=empty_
Specifies the header name that will be used to store the span ID.
```toml tab="File (TOML)"
[tracing]
[tracing.haystack]
spanIDHeaderName = "Message-ID"
```
```yaml tab="File (YAML)"
tracing:
haystack:
spanIDHeaderName: Message-ID
```
```toml tab="File (TOML)"
[tracing]
[tracing.haystack]
spanIDHeaderName = "Message-ID"
```
```bash tab="CLI"
--tracing.haystack.spanIDHeaderName=Message-ID
```
@@ -154,18 +154,18 @@ _Optional, Default=empty_
Specifies the header name prefix that will be used to store baggage items in a map.
```toml tab="File (TOML)"
[tracing]
[tracing.haystack]
baggagePrefixHeaderName = "sample"
```
```yaml tab="File (YAML)"
tracing:
haystack:
baggagePrefixHeaderName: "sample"
```
```toml tab="File (TOML)"
[tracing]
[tracing.haystack]
baggagePrefixHeaderName = "sample"
```
```bash tab="CLI"
--tracing.haystack.baggagePrefixHeaderName=sample

46
docs/content/observability/tracing/instana.md
View File

@@ -2,16 +2,16 @@
To enable the Instana:
```toml tab="File (TOML)"
[tracing]
[tracing.instana]
```
```yaml tab="File (YAML)"
tracing:
instana: {}
```
```toml tab="File (TOML)"
[tracing]
[tracing.instana]
```
```bash tab="CLI"
--tracing.instana=true
```
@@ -22,18 +22,18 @@ _Require, Default="127.0.0.1"_
Local Agent Host instructs reporter to send spans to instana-agent at this address.
```toml tab="File (TOML)"
[tracing]
[tracing.instana]
localAgentHost = "127.0.0.1"
```
```yaml tab="File (YAML)"
tracing:
instana:
localAgentHost: 127.0.0.1
```
```toml tab="File (TOML)"
[tracing]
[tracing.instana]
localAgentHost = "127.0.0.1"
```
```bash tab="CLI"
--tracing.instana.localAgentHost=127.0.0.1
```
@@ -44,18 +44,18 @@ _Require, Default=42699_
Local Agent port instructs reporter to send spans to the instana-agent at this port.
```toml tab="File (TOML)"
[tracing]
[tracing.instana]
localAgentPort = 42699
```
```yaml tab="File (YAML)"
tracing:
instana:
localAgentPort: 42699
```
```toml tab="File (TOML)"
[tracing]
[tracing.instana]
localAgentPort = 42699
```
```bash tab="CLI"
--tracing.instana.localAgentPort=42699
```
@@ -73,18 +73,18 @@ Valid values for logLevel field are:
- `debug`
- `info`
```toml tab="File (TOML)"
[tracing]
[tracing.instana]
logLevel = "info"
```
```yaml tab="File (YAML)"
tracing:
instana:
logLevel: info
```
```toml tab="File (TOML)"
[tracing]
[tracing.instana]
logLevel = "info"
```
```bash tab="CLI"
--tracing.instana.logLevel=info
```

145
docs/content/observability/tracing/jaeger.md
View File

@@ -2,16 +2,16 @@
To enable the Jaeger:
```toml tab="File (TOML)"
[tracing]
[tracing.jaeger]
```
```yaml tab="File (YAML)"
tracing:
jaeger: {}
```
```toml tab="File (TOML)"
[tracing]
[tracing.jaeger]
```
```bash tab="CLI"
--tracing.jaeger=true
```
@@ -20,24 +20,27 @@ tracing:
Traefik is able to send data over the compact thrift protocol to the [Jaeger agent](https://www.jaegertracing.io/docs/deployment/#agent)
or a [Jaeger collector](https://www.jaegertracing.io/docs/deployment/#collectors).
!!! info
All Jaeger configuration can be overridden by [environment variables](https://github.com/jaegertracing/jaeger-client-go#environment-variables)
#### `samplingServerURL`
_Required, Default="http://localhost:5778/sampling"_
Sampling Server URL is the address of jaeger-agent's HTTP sampling server.
```toml tab="File (TOML)"
[tracing]
[tracing.jaeger]
samplingServerURL = "http://localhost:5778/sampling"
```
```yaml tab="File (YAML)"
tracing:
jaeger:
samplingServerURL: http://localhost:5778/sampling
```
```toml tab="File (TOML)"
[tracing]
[tracing.jaeger]
samplingServerURL = "http://localhost:5778/sampling"
```
```bash tab="CLI"
--tracing.jaeger.samplingServerURL=http://localhost:5778/sampling
```
@@ -48,18 +51,18 @@ _Required, Default="const"_
Sampling Type specifies the type of the sampler: `const`, `probabilistic`, `rateLimiting`.
```toml tab="File (TOML)"
[tracing]
[tracing.jaeger]
samplingType = "const"
```
```yaml tab="File (YAML)"
tracing:
jaeger:
samplingType: const
```
```toml tab="File (TOML)"
[tracing]
[tracing.jaeger]
samplingType = "const"
```
```bash tab="CLI"
--tracing.jaeger.samplingType=const
```
@@ -76,18 +79,18 @@ Valid values for Param field are:
- for `probabilistic` sampler, a probability between 0 and 1
- for `rateLimiting` sampler, the number of spans per second
```toml tab="File (TOML)"
[tracing]
[tracing.jaeger]
samplingParam = 1.0
```
```yaml tab="File (YAML)"
tracing:
jaeger:
samplingParam: 1.0
```
```toml tab="File (TOML)"
[tracing]
[tracing.jaeger]
samplingParam = 1.0
```
```bash tab="CLI"
--tracing.jaeger.samplingParam=1.0
```
@@ -98,18 +101,18 @@ _Required, Default="127.0.0.1:6831"_
Local Agent Host Port instructs reporter to send spans to jaeger-agent at this address.
```toml tab="File (TOML)"
[tracing]
[tracing.jaeger]
localAgentHostPort = "127.0.0.1:6831"
```
```yaml tab="File (YAML)"
tracing:
jaeger:
localAgentHostPort: 127.0.0.1:6831
```
```toml tab="File (TOML)"
[tracing]
[tracing.jaeger]
localAgentHostPort = "127.0.0.1:6831"
```
```bash tab="CLI"
--tracing.jaeger.localAgentHostPort=127.0.0.1:6831
```
@@ -120,18 +123,18 @@ _Optional, Default=false_
Generate 128-bit trace IDs, compatible with OpenCensus.
```toml tab="File (TOML)"
[tracing]
[tracing.jaeger]
gen128Bit = true
```
```yaml tab="File (YAML)"
tracing:
jaeger:
gen128Bit: true
```
```toml tab="File (TOML)"
[tracing]
[tracing.jaeger]
gen128Bit = true
```
```bash tab="CLI"
--tracing.jaeger.gen128Bit
```
@@ -146,18 +149,18 @@ This can be either:
- `jaeger`, jaeger's default trace header.
- `b3`, compatible with OpenZipkin
```toml tab="File (TOML)"
[tracing]
[tracing.jaeger]
propagation = "jaeger"
```
```yaml tab="File (YAML)"
tracing:
jaeger:
propagation: jaeger
```
```toml tab="File (TOML)"
[tracing]
[tracing.jaeger]
propagation = "jaeger"
```
```bash tab="CLI"
--tracing.jaeger.propagation=jaeger
```
@@ -169,18 +172,18 @@ _Required, Default="uber-trace-id"_
Trace Context Header Name is the http header name used to propagate tracing context.
This must be in lower-case to avoid mismatches when decoding incoming headers.
```toml tab="File (TOML)"
[tracing]
[tracing.jaeger]
traceContextHeaderName = "uber-trace-id"
```
```yaml tab="File (YAML)"
tracing:
jaeger:
traceContextHeaderName: uber-trace-id
```
```toml tab="File (TOML)"
[tracing]
[tracing.jaeger]
traceContextHeaderName = "uber-trace-id"
```
```bash tab="CLI"
--tracing.jaeger.traceContextHeaderName=uber-trace-id
```
@@ -192,18 +195,18 @@ _Optional, Default=true_
Disable the UDP connection helper that periodically re-resolves the agent's hostname and reconnects if there was a change.
Enabling the re-resolving of UDP address make the client more robust in Kubernetes deployments.
```toml tab="File (TOML)"
[tracing]
[tracing.jaeger]
disableAttemptReconnecting = false
```
```yaml tab="File (YAML)"
tracing:
jaeger:
disableAttemptReconnecting: false
```
```toml tab="File (TOML)"
[tracing]
[tracing.jaeger]
disableAttemptReconnecting = false
```
```bash tab="CLI"
--tracing.jaeger.disableAttemptReconnecting=false
```
@@ -215,12 +218,6 @@ _Optional, Default=""_
Collector Endpoint instructs reporter to send spans to jaeger-collector at this URL.
```toml tab="File (TOML)"
[tracing]
[tracing.jaeger.collector]
endpoint = "http://127.0.0.1:14268/api/traces?format=jaeger.thrift"
```
```yaml tab="File (YAML)"
tracing:
jaeger:
@@ -228,6 +225,12 @@ tracing:
endpoint: http://127.0.0.1:14268/api/traces?format=jaeger.thrift
```
```toml tab="File (TOML)"
[tracing]
[tracing.jaeger.collector]
endpoint = "http://127.0.0.1:14268/api/traces?format=jaeger.thrift"
```
```bash tab="CLI"
--tracing.jaeger.collector.endpoint=http://127.0.0.1:14268/api/traces?format=jaeger.thrift
```
@@ -238,12 +241,6 @@ _Optional, Default=""_
User instructs reporter to include a user for basic http authentication when sending spans to jaeger-collector.
```toml tab="File (TOML)"
[tracing]
[tracing.jaeger.collector]
user = "my-user"
```
```yaml tab="File (YAML)"
tracing:
jaeger:
@@ -251,6 +248,12 @@ tracing:
user: my-user
```
```toml tab="File (TOML)"
[tracing]
[tracing.jaeger.collector]
user = "my-user"
```
```bash tab="CLI"
--tracing.jaeger.collector.user=my-user
```
@@ -261,12 +264,6 @@ _Optional, Default=""_
Password instructs reporter to include a password for basic http authentication when sending spans to jaeger-collector.
```toml tab="File (TOML)"
[tracing]
[tracing.jaeger.collector]
password = "my-password"
```
```yaml tab="File (YAML)"
tracing:
jaeger:
@@ -274,6 +271,12 @@ tracing:
password: my-password
```
```toml tab="File (TOML)"
[tracing]
[tracing.jaeger.collector]
password = "my-password"
```
```bash tab="CLI"
--tracing.jaeger.collector.password=my-password
```

28
docs/content/observability/tracing/overview.md
View File

@@ -22,14 +22,14 @@ By default, Traefik uses Jaeger as tracing backend.
To enable the tracing:
```toml tab="File (TOML)"
[tracing]
```
```yaml tab="File (YAML)"
tracing: {}
```
```toml tab="File (TOML)"
[tracing]
```
```bash tab="CLI"
--tracing=true
```
@@ -42,16 +42,16 @@ _Required, Default="traefik"_
Service name used in selected backend.
```toml tab="File (TOML)"
[tracing]
serviceName = "traefik"
```
```yaml tab="File (YAML)"
tracing:
serviceName: traefik
```
```toml tab="File (TOML)"
[tracing]
serviceName = "traefik"
```
```bash tab="CLI"
--tracing.serviceName=traefik
```
@@ -65,16 +65,16 @@ This can prevent certain tracing providers to drop traces that exceed their leng
`0` means no truncation will occur.
```toml tab="File (TOML)"
[tracing]
spanNameLimit = 150
```
```yaml tab="File (YAML)"
tracing:
spanNameLimit: 150
```
```toml tab="File (TOML)"
[tracing]
spanNameLimit = 150
```
```bash tab="CLI"
--tracing.spanNameLimit=150
```

58
docs/content/observability/tracing/zipkin.md
View File

@@ -2,16 +2,16 @@
To enable the Zipkin:
```toml tab="File (TOML)"
[tracing]
[tracing.zipkin]
```
```yaml tab="File (YAML)"
tracing:
zipkin: {}
```
```toml tab="File (TOML)"
[tracing]
[tracing.zipkin]
```
```bash tab="CLI"
--tracing.zipkin=true
```
@@ -22,18 +22,18 @@ _Required, Default="http://localhost:9411/api/v2/spans"_
Zipkin HTTP endpoint used to send data.
```toml tab="File (TOML)"
[tracing]
[tracing.zipkin]
httpEndpoint = "http://localhost:9411/api/v2/spans"
```
```yaml tab="File (YAML)"
tracing:
zipkin:
httpEndpoint: http://localhost:9411/api/v2/spans
```
```toml tab="File (TOML)"
[tracing]
[tracing.zipkin]
httpEndpoint = "http://localhost:9411/api/v2/spans"
```
```bash tab="CLI"
--tracing.zipkin.httpEndpoint=http://localhost:9411/api/v2/spans
```
@@ -44,18 +44,18 @@ _Optional, Default=false_
Use Zipkin SameSpan RPC style traces.
```toml tab="File (TOML)"
[tracing]
[tracing.zipkin]
sameSpan = true
```
```yaml tab="File (YAML)"
tracing:
zipkin:
sameSpan: true
```
```toml tab="File (TOML)"
[tracing]
[tracing.zipkin]
sameSpan = true
```
```bash tab="CLI"
--tracing.zipkin.sameSpan=true
```
@@ -66,18 +66,18 @@ _Optional, Default=true_
Use Zipkin 128 bit trace IDs.
```toml tab="File (TOML)"
[tracing]
[tracing.zipkin]
id128Bit = false
```
```yaml tab="File (YAML)"
tracing:
zipkin:
id128Bit: false
```
```toml tab="File (TOML)"
[tracing]
[tracing.zipkin]
id128Bit = false
```
```bash tab="CLI"
--tracing.zipkin.id128Bit=false
```
@@ -88,18 +88,18 @@ _Required, Default=1.0_
The rate between 0.0 and 1.0 of requests to trace.
```toml tab="File (TOML)"
[tracing]
[tracing.zipkin]
sampleRate = 0.2
```
```yaml tab="File (YAML)"
tracing:
zipkin:
sampleRate: 0.2
```
```toml tab="File (TOML)"
[tracing]
[tracing.zipkin]
sampleRate = 0.2
```
```bash tab="CLI"
--tracing.zipkin.sampleRate=0.2
```

40
docs/content/operations/api.md
View File

@@ -26,16 +26,16 @@ If you enable the API, a new special `service` named `api@internal` is created a
To enable the API handler, use the following option on the
[static configuration](../getting-started/configuration-overview.md#the-static-configuration):
```toml tab="File (TOML)"
# Static Configuration
[api]
```
```yaml tab="File (YAML)"
# Static Configuration
api: {}
```
```toml tab="File (TOML)"
# Static Configuration
[api]
```
```bash tab="CLI"
--api=true
```
@@ -74,16 +74,16 @@ Enable the API in `insecure` mode, which means that the API will be available di
!!! info
If the entryPoint named `traefik` is not configured, it will be automatically created on port 8080.
```toml tab="File (TOML)"
[api]
insecure = true
```
```yaml tab="File (YAML)"
api:
insecure: true
```
```toml tab="File (TOML)"
[api]
insecure = true
```
```bash tab="CLI"
--api.insecure=true
```
@@ -94,16 +94,16 @@ _Optional, Default=true_
Enable the dashboard. More about the dashboard features [here](./dashboard.md).
```toml tab="File (TOML)"
[api]
dashboard = true
```
```yaml tab="File (YAML)"
api:
dashboard: true
```
```toml tab="File (TOML)"
[api]
dashboard = true
```
```bash tab="CLI"
--api.dashboard=true
```
@@ -117,16 +117,16 @@ _Optional, Default=false_
Enable additional [endpoints](./api.md#endpoints) for debugging and profiling, served under `/debug/`.
```toml tab="File (TOML)"
[api]
debug = true
```
```yaml tab="File (YAML)"
api:
debug: true
```
```toml tab="File (TOML)"
[api]
debug = true
```
```bash tab="CLI"
--api.debug=true
```

36
docs/content/operations/dashboard.md
View File

@@ -31,16 +31,6 @@ This is the **recommended** method.
Start by enabling the dashboard by using the following option from [Traefik's API](./api.md)
on the [static configuration](../getting-started/configuration-overview.md#the-static-configuration):
```toml tab="File (TOML)"
[api]
# Dashboard
#
# Optional
# Default: true
#
dashboard = true
```
```yaml tab="File (YAML)"
api:
# Dashboard
@@ -51,6 +41,16 @@ api:
dashboard: true
```
```toml tab="File (TOML)"
[api]
# Dashboard
#
# Optional
# Default: true
#
dashboard = true
```
```bash tab="CLI"
# Dashboard
#
@@ -66,8 +66,8 @@ with a router attached to the service `api@internal` in the
to allow defining:
- One or more security features through [middlewares](../middlewares/overview.md)
like authentication ([basicAuth](../middlewares/basicauth.md) , [digestAuth](../middlewares/digestauth.md),
[forwardAuth](../middlewares/forwardauth.md)) or [whitelisting](../middlewares/ipwhitelist.md).
like authentication ([basicAuth](../middlewares/http/basicauth.md) , [digestAuth](../middlewares/http/digestauth.md),
[forwardAuth](../middlewares/http/forwardauth.md)) or [whitelisting](../middlewares/http/ipwhitelist.md).
- A [router rule](#dashboard-router-rule) for accessing the dashboard,
through Traefik itself (sometimes referred as "Traefik-ception").
@@ -105,18 +105,18 @@ This mode is not recommended because it does not allow the use of security featu
To enable the "insecure mode", use the following options from [Traefik's API](./api.md#insecure):
```toml tab="File (TOML)"
[api]
dashboard = true
insecure = true
```
```yaml tab="File (YAML)"
api:
dashboard: true
insecure: true
```
```toml tab="File (TOML)"
[api]
dashboard = true
insecure = true
```
```bash tab="CLI"
--api.dashboard=true --api.insecure=true
```

28
docs/content/operations/include-api-examples.md
View File

@@ -69,20 +69,6 @@ labels:
- "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
```
```toml tab="File (TOML)"
# Dynamic Configuration
[http.routers.my-api]
rule = "Host(`traefik.example.com`)"
service = "api@internal"
middlewares = ["auth"]
[http.middlewares.auth.basicAuth]
users = [
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
]
```
```yaml tab="File (YAML)"
# Dynamic Configuration
http:
@@ -99,3 +85,17 @@ http:
- "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
- "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
```
```toml tab="File (TOML)"
# Dynamic Configuration
[http.routers.my-api]
rule = "Host(`traefik.example.com`)"
service = "api@internal"
middlewares = ["auth"]
[http.middlewares.auth.basicAuth]
users = [
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
]
```

28
docs/content/operations/include-dashboard-examples.md
View File

@@ -69,20 +69,6 @@ labels:
- "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
```
```toml tab="File (TOML)"
# Dynamic Configuration
[http.routers.my-api]
rule = "Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
service = "api@internal"
middlewares = ["auth"]
[http.middlewares.auth.basicAuth]
users = [
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
]
```
```yaml tab="File (YAML)"
# Dynamic Configuration
http:
@@ -99,3 +85,17 @@ http:
- "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
- "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
```
```toml tab="File (TOML)"
# Dynamic Configuration
[http.routers.my-api]
rule = "Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
service = "api@internal"
middlewares = ["auth"]
[http.middlewares.auth.basicAuth]
users = [
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
]
```

46
docs/content/operations/ping.md
View File

@@ -7,14 +7,14 @@ Checking the Health of Your Traefik Instances
To enable the API handler:
```toml tab="File (TOML)"
[ping]
```
```yaml tab="File (YAML)"
ping: {}
```
```toml tab="File (TOML)"
[ping]
```
```bash tab="CLI"
--ping=true
```
@@ -39,15 +39,6 @@ _Optional, Default="traefik"_
Enabling /ping on a dedicated EntryPoint.
```toml tab="File (TOML)"
[entryPoints]
[entryPoints.ping]
address = ":8082"
[ping]
entryPoint = "ping"
```
```yaml tab="File (YAML)"
entryPoints:
ping:
@@ -57,6 +48,15 @@ ping:
entryPoint: "ping"
```
```toml tab="File (TOML)"
[entryPoints]
[entryPoints.ping]
address = ":8082"
[ping]
entryPoint = "ping"
```
```bash tab="CLI"
--entryPoints.ping.address=:8082
--ping.entryPoint=ping
@@ -68,16 +68,16 @@ _Optional, Default=false_
If `manualRouting` is `true`, it disables the default internal router in order to allow one to create a custom router for the `ping@internal` service.
```toml tab="File (TOML)"
[ping]
manualRouting = true
```
```yaml tab="File (YAML)"
ping:
manualRouting: true
```
```toml tab="File (TOML)"
[ping]
manualRouting = true
```
```bash tab="CLI"
--ping.manualrouting=true
```
@@ -93,16 +93,16 @@ be expected as the signal for graceful termination. In which case, the
terminatingStatusCode can be used to set the code returned by the ping
handler during termination.
```toml tab="File (TOML)"
[ping]
terminatingStatusCode = 204
```
```yaml tab="File (YAML)"
ping:
terminatingStatusCode: 204
```
```toml tab="File (TOML)"
[ping]
terminatingStatusCode = 204
```
```bash tab="CLI"
--ping.terminatingStatusCode=204
```

442
docs/content/providers/consul-catalog.md
View File

@@ -13,15 +13,15 @@ Attach tags to your services and let Traefik do the rest!
Enabling the consul catalog provider
```toml tab="File (TOML)"
[providers.consulCatalog]
```
```yaml tab="File (YAML)"
providers:
consulCatalog: {}
```
```toml tab="File (TOML)"
[providers.consulCatalog]
```
```bash tab="CLI"
--providers.consulcatalog=true
```
@@ -42,11 +42,7 @@ See the dedicated section in [routing](../routing/providers/consul-catalog.md).
_Optional, Default=15s_
```toml tab="File (TOML)"
[providers.consulCatalog]
refreshInterval = "30s"
# ...
```
Defines the polling interval.
```yaml tab="File (YAML)"
providers:
@@ -55,22 +51,22 @@ providers:
# ...
```
```toml tab="File (TOML)"
[providers.consulCatalog]
refreshInterval = "30s"
# ...
```
```bash tab="CLI"
--providers.consulcatalog.refreshInterval=30s
# ...
```
Defines the polling interval.
### `prefix`
_required, Default="traefik"_
```toml tab="File (TOML)"
[providers.consulCatalog]
prefix = "test"
# ...
```
The prefix for Consul Catalog tags defining Traefik labels.
```yaml tab="File (YAML)"
providers:
@@ -79,22 +75,28 @@ providers:
# ...
```
```toml tab="File (TOML)"
[providers.consulCatalog]
prefix = "test"
# ...
```
```bash tab="CLI"
--providers.consulcatalog.prefix=test
# ...
```
The prefix for Consul Catalog tags defining traefik labels.
### `requireConsistent`
_Optional, Default=false_
```toml tab="File (TOML)"
[providers.consulCatalog]
requireConsistent = true
# ...
```
Forces the read to be fully consistent.
!!! note ""
It is more expensive due to an extra round-trip but prevents ever performing a stale read.
For more information, see the consul [documentation on consistency](https://www.consul.io/api-docs/features/consistency).
```yaml tab="File (YAML)"
providers:
@@ -103,22 +105,28 @@ providers:
# ...
```
```toml tab="File (TOML)"
[providers.consulCatalog]
requireConsistent = true
# ...
```
```bash tab="CLI"
--providers.consulcatalog.requireConsistent=true
# ...
```
Forces the read to be fully consistent.
### `stale`
_Optional, Default=false_
```toml tab="File (TOML)"
[providers.consulCatalog]
stale = true
# ...
```
Use stale consistency for catalog reads.
!!! note ""
This makes reads very fast and scalable at the cost of a higher likelihood of stale values.
For more information, see the consul [documentation on consistency](https://www.consul.io/api-docs/features/consistency).
```yaml tab="File (YAML)"
providers:
@@ -127,22 +135,22 @@ providers:
# ...
```
```toml tab="File (TOML)"
[providers.consulCatalog]
stale = true
# ...
```
```bash tab="CLI"
--providers.consulcatalog.stale=true
# ...
```
Use stale consistency for catalog reads.
### `cache`
_Optional, Default=false_
```toml tab="File (TOML)"
[providers.consulCatalog]
cache = true
# ...
```
Use local agent caching for catalog reads.
```yaml tab="File (YAML)"
providers:
@@ -151,27 +159,26 @@ providers:
# ...
```
```toml tab="File (TOML)"
[providers.consulCatalog]
cache = true
# ...
```
```bash tab="CLI"
--providers.consulcatalog.cache=true
# ...
```
Use local agent caching for catalog reads.
### `endpoint`
Defines the Consul server endpoint.
#### `address`
_Optional, Default="127.0.0.1:8500"_
Defines the address of the Consul server.
```toml tab="File (TOML)"
[providers.consulCatalog]
[providers.consulCatalog.endpoint]
address = "127.0.0.1:8500"
# ...
```
_Optional, Default="127.0.0.1:8500"_
```yaml tab="File (YAML)"
providers:
@@ -181,23 +188,23 @@ providers:
# ...
```
```toml tab="File (TOML)"
[providers.consulCatalog]
[providers.consulCatalog.endpoint]
address = "127.0.0.1:8500"
# ...
```
```bash tab="CLI"
--providers.consulcatalog.endpoint.address=127.0.0.1:8500
# ...
```
Defines the address of the Consul server.
#### `scheme`
_Optional, Default=""_
```toml tab="File (TOML)"
[providers.consulCatalog]
[providers.consulCatalog.endpoint]
scheme = "https"
# ...
```
Defines the URI scheme for the Consul server.
```yaml tab="File (YAML)"
providers:
@@ -207,23 +214,24 @@ providers:
# ...
```
```toml tab="File (TOML)"
[providers.consulCatalog]
[providers.consulCatalog.endpoint]
scheme = "https"
# ...
```
```bash tab="CLI"
--providers.consulcatalog.endpoint.scheme=https
# ...
```
Defines the URI scheme for the Consul server.
#### `datacenter`
_Optional, Default=""_
```toml tab="File (TOML)"
[providers.consulCatalog]
[providers.consulCatalog.endpoint]
datacenter = "test"
# ...
```
Defines the datacenter to use.
If not provided in Traefik, Consul uses the default agent datacenter.
```yaml tab="File (YAML)"
providers:
@@ -233,24 +241,23 @@ providers:
# ...
```
```toml tab="File (TOML)"
[providers.consulCatalog]
[providers.consulCatalog.endpoint]
datacenter = "test"
# ...
```
```bash tab="CLI"
--providers.consulcatalog.endpoint.datacenter=test
# ...
```
Defines the Data center to use.
If not provided, the default agent data center is used.
#### `token`
_Optional, Default=""_
```toml tab="File (TOML)"
[providers.consulCatalog]
[providers.consulCatalog.endpoint]
token = "test"
# ...
```
Token is used to provide a per-request ACL token which overwrites the agent's default token.
```yaml tab="File (YAML)"
providers:
@@ -260,23 +267,24 @@ providers:
# ...
```
```toml tab="File (TOML)"
[providers.consulCatalog]
[providers.consulCatalog.endpoint]
token = "test"
# ...
```
```bash tab="CLI"
--providers.consulcatalog.endpoint.token=test
# ...
```
Token is used to provide a per-request ACL token which overrides the agent's default token.
#### `endpointWaitTime`
_Optional, Default=""_
```toml tab="File (TOML)"
[providers.consulCatalog]
[providers.consulCatalog.endpoint]
endpointWaitTime = "15s"
# ...
```
Limits the duration for which a Watch can block.
If not provided, the agent default values will be used.
```yaml tab="File (YAML)"
providers:
@@ -286,28 +294,29 @@ providers:
# ...
```
```toml tab="File (TOML)"
[providers.consulCatalog]
[providers.consulCatalog.endpoint]
endpointWaitTime = "15s"
# ...
```
```bash tab="CLI"
--providers.consulcatalog.endpoint.endpointwaittime=15s
# ...
```
WaitTime limits how long a Watch will block.
If not provided, the agent default values will be used
#### `httpAuth`
_Optional_
Used to authenticate http client with HTTP Basic Authentication.
Used to authenticate the HTTP client using HTTP Basic Authentication.
##### `username`
_Optional_
_Optional, Default=""_
```toml tab="File (TOML)"
[providers.consulCatalog.endpoint.httpAuth]
username = "test"
```
Username to use for HTTP Basic Authentication.
```yaml tab="File (YAML)"
providers:
@@ -317,20 +326,20 @@ providers:
username: test
```
```toml tab="File (TOML)"
[providers.consulCatalog.endpoint.httpAuth]
username = "test"
```
```bash tab="CLI"
--providers.consulcatalog.endpoint.httpauth.username=test
```
Username to use for HTTP Basic Authentication
##### `password`
_Optional_
_Optional, Default=""_
```toml tab="File (TOML)"
[providers.consulCatalog.endpoint.httpAuth]
password = "test"
```
Password to use for HTTP Basic Authentication.
```yaml tab="File (YAML)"
providers:
@@ -340,12 +349,15 @@ providers:
password: test
```
```toml tab="File (TOML)"
[providers.consulCatalog.endpoint.httpAuth]
password = "test"
```
```bash tab="CLI"
--providers.consulcatalog.endpoint.httpauth.password=test
```
Password to use for HTTP Basic Authentication
#### `tls`
_Optional_
@@ -356,10 +368,7 @@ Defines TLS options for Consul server endpoint.
_Optional_
```toml tab="File (TOML)"
[providers.consulCatalog.endpoint.tls]
ca = "path/to/ca.crt"
```
`ca` is the path to the CA certificate used for Consul communication, defaults to the system bundle if not specified.
```yaml tab="File (YAML)"
providers:
@@ -369,20 +378,28 @@ providers:
ca: path/to/ca.crt
```
```toml tab="File (TOML)"
[providers.consulCatalog.endpoint.tls]
ca = "path/to/ca.crt"
```
```bash tab="CLI"
--providers.consulcatalog.endpoint.tls.ca=path/to/ca.crt
```
`ca` is the path to the CA certificate used for Consul communication, defaults to the system bundle if not specified.
##### `caOptional`
_Optional_
```toml tab="File (TOML)"
[providers.consulCatalog.endpoint.tls]
caOptional = true
```
The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Consul.
!!! warning ""
If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client.
```yaml tab="File (YAML)"
providers:
@@ -392,26 +409,22 @@ providers:
caOptional: true
```
```toml tab="File (TOML)"
[providers.consulCatalog.endpoint.tls]
caOptional = true
```
```bash tab="CLI"
--providers.consulcatalog.endpoint.tls.caoptional=true
```
Policy followed for the secured connection with TLS Client Authentication to Consul.
Requires `tls.ca` to be defined.
- `true`: VerifyClientCertIfGiven
- `false`: RequireAndVerifyClientCert
- if `tls.ca` is undefined NoClientCert
##### `cert`
_Optional_
```toml tab="File (TOML)"
[providers.consulCatalog.endpoint.tls]
cert = "path/to/foo.cert"
key = "path/to/foo.key"
```
`cert` is the path to the public certificate to use for Consul communication.
When using this option, setting the `key` option is required.
```yaml tab="File (YAML)"
providers:
@@ -422,23 +435,24 @@ providers:
key: path/to/foo.key
```
```toml tab="File (TOML)"
[providers.consulCatalog.endpoint.tls]
cert = "path/to/foo.cert"
key = "path/to/foo.key"
```
```bash tab="CLI"
--providers.consulcatalog.endpoint.tls.cert=path/to/foo.cert
--providers.consulcatalog.endpoint.tls.key=path/to/foo.key
```
`cert` is the path to the public certificate for Consul communication.
If this is set then you need to also set `key.
##### `key`
_Optional_
```toml tab="File (TOML)"
[providers.consulCatalog.endpoint.tls]
cert = "path/to/foo.cert"
key = "path/to/foo.key"
```
`key` is the path to the private key for Consul communication.
When using this option, setting the `cert` option is required.
```yaml tab="File (YAML)"
providers:
@@ -449,22 +463,22 @@ providers:
key: path/to/foo.key
```
```toml tab="File (TOML)"
[providers.consulCatalog.endpoint.tls]
cert = "path/to/foo.cert"
key = "path/to/foo.key"
```
```bash tab="CLI"
--providers.consulcatalog.endpoint.tls.cert=path/to/foo.cert
--providers.consulcatalog.endpoint.tls.key=path/to/foo.key
```
`key` is the path to the private key for Consul communication.
If this is set then you need to also set `cert`.
##### `insecureSkipVerify`
_Optional_
```toml tab="File (TOML)"
[providers.consulCatalog.endpoint.tls]
insecureSkipVerify = true
```
If `insecureSkipVerify` is `true`, the TLS connection to Consul accepts any certificate presented by the server regardless of the hostnames it covers.
```yaml tab="File (YAML)"
providers:
@@ -474,21 +488,23 @@ providers:
insecureSkipVerify: true
```
```toml tab="File (TOML)"
[providers.consulCatalog.endpoint.tls]
insecureSkipVerify = true
```
```bash tab="CLI"
--providers.consulcatalog.endpoint.tls.insecureskipverify=true
```
If `insecureSkipVerify` is `true`, TLS for the connection to Consul server accepts any certificate presented by the server and any host name in that certificate.
### `exposedByDefault`
_Optional, Default=true_
```toml tab="File (TOML)"
[providers.consulCatalog]
exposedByDefault = false
# ...
```
Expose Consul Catalog services by default in Traefik.
If set to `false`, services that don't have a `traefik.enable=true` tag will be ignored from the resulting routing configuration.
For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
```yaml tab="File (YAML)"
providers:
@@ -497,25 +513,30 @@ providers:
# ...
```
```toml tab="File (TOML)"
[providers.consulCatalog]
exposedByDefault = false
# ...
```
```bash tab="CLI"
--providers.consulcatalog.exposedByDefault=false
# ...
```
Expose Consul Catalog services by default in Traefik.
If set to false, services that don't have a `traefik.enable=true` tag will be ignored from the resulting routing configuration.
See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
### `defaultRule`
_Optional, Default=```Host(`{{ normalize .Name }}`)```_
```toml tab="File (TOML)"
[providers.consulCatalog]
defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
# ...
```
The default host rule for all services.
For a given service, if no routing rule was defined by a tag, it is defined by this `defaultRule` instead.
The `defaultRule` must be set to a valid [Go template](https://golang.org/pkg/text/template/),
and can include [sprig template functions](http://masterminds.github.io/sprig/).
The service name can be accessed with the `Name` identifier,
and the template has access to all the labels (i.e. tags beginning with the `prefix`) defined on this service.
The option can be overridden on an instance basis with the `traefik.http.routers.{name-of-your-choice}.rule` tag.
```yaml tab="File (YAML)"
providers:
@@ -524,46 +545,99 @@ providers:
# ...
```
```toml tab="File (TOML)"
[providers.consulCatalog]
defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
# ...
```
```bash tab="CLI"
--providers.consulcatalog.defaultRule="Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
# ...
```
The default host rule for all services.
### `connectAware`
For a given service if no routing rule was defined by a tag, it is defined by this defaultRule instead.
It must be a valid [Go template](https://golang.org/pkg/text/template/),
augmented with the [sprig template functions](http://masterminds.github.io/sprig/).
The service name can be accessed as the `Name` identifier,
and the template has access to all the labels (i.e. tags beginning with the `prefix`) defined on this service.
_Optional, Default=false_
The option can be overridden on an instance basis with the `traefik.http.routers.{name-of-your-choice}.rule` tag.
### `constraints`
_Optional, Default=""_
Enable Consul Connect support.
If set to `true`, Traefik will be enabled to communicate with Connect services.
```toml tab="File (TOML)"
[providers.consulCatalog]
constraints = "Tag(`a.tag.name`)"
connectAware = true
# ...
```
```yaml tab="File (YAML)"
providers:
consulCatalog:
constraints: "Tag(`a.tag.name`)"
connectAware: true
# ...
```
```bash tab="CLI"
--providers.consulcatalog.constraints="Tag(`a.tag.name`)"
--providers.consulcatalog.connectAware=true
# ...
```
Constraints is an expression that Traefik matches against the service's tags to determine whether to create any route for that service.
That is to say, if none of the service's tags match the expression, no route for that service is created.
If the expression is empty, all detected services are included.
### `connectByDefault`
_Optional, Default=false_
Consider every service as Connect capable by default.
If set to `true`, Traefik will consider every Consul Catalog service to be Connect capable by default.
The option can be overridden on an instance basis with the `traefik.consulcatalog.connect` tag.
```toml tab="File (TOML)"
[providers.consulCatalog]
connectByDefault = true
# ...
```
```yaml tab="File (YAML)"
providers:
consulCatalog:
connectByDefault: true
# ...
```
```bash tab="CLI"
--providers.consulcatalog.connectByDefault=true
# ...
```
### `serviceName`
_Optional, Default="traefik"_
Name of the Traefik service in Consul Catalog.
```toml tab="File (TOML)"
[providers.consulCatalog]
serviceName = "test"
# ...
```
```yaml tab="File (YAML)"
providers:
consulCatalog:
serviceName: test
# ...
```
```bash tab="CLI"
--providers.consulcatalog.serviceName=test
# ...
```
### `constraints`
_Optional, Default=""_
The `constraints` option can be set to an expression that Traefik matches against the service tags to determine whether
to create any route for that service. If none of the service tags match the expression, no route for that service is
created. If the expression is empty, all detected services are included.
The expression syntax is based on the ```Tag(`tag`)```, and ```TagRegex(`tag`)``` functions,
as well as the usual boolean logic, as shown in examples below.
@@ -574,30 +648,48 @@ as well as the usual boolean logic, as shown in examples below.
# Includes only services having the tag `a.tag.name=foo`
constraints = "Tag(`a.tag.name=foo`)"
```
```toml
# Excludes services having any tag `a.tag.name=foo`
constraints = "!Tag(`a.tag.name=foo`)"
```
```toml
# With logical AND.
constraints = "Tag(`a.tag.name`) && Tag(`another.tag.name`)"
```
```toml
# With logical OR.
constraints = "Tag(`a.tag.name`) || Tag(`another.tag.name`)"
```
```toml
# With logical AND and OR, with precedence set by parentheses.
constraints = "Tag(`a.tag.name`) && (Tag(`another.tag.name`) || Tag(`yet.another.tag.name`))"
```
```toml
# Includes only services having a tag matching the `a\.tag\.t.+` regular expression.
constraints = "TagRegex(`a\.tag\.t.+`)"
```
See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
```yaml tab="File (YAML)"
providers:
consulCatalog:
constraints: "Tag(`a.tag.name`)"
# ...
```
```toml tab="File (TOML)"
[providers.consulCatalog]
constraints = "Tag(`a.tag.name`)"
# ...
```
```bash tab="CLI"
--providers.consulcatalog.constraints="Tag(`a.tag.name`)"
# ...
```
For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).

123
docs/content/providers/consul.md
View File

@@ -17,11 +17,6 @@ _Required, Default="127.0.0.1:8500"_
Defines how to access to Consul.
```toml tab="File (TOML)"
[providers.consul]
endpoints = ["127.0.0.1:8500"]
```
```yaml tab="File (YAML)"
providers:
consul:
@@ -29,20 +24,20 @@ providers:
- "127.0.0.1:8500"
```
```toml tab="File (TOML)"
[providers.consul]
endpoints = ["127.0.0.1:8500"]
```
```bash tab="CLI"
--providers.consul.endpoints=127.0.0.1:8500
```
### `rootKey`
Defines the root key of the configuration.
_Required, Default="traefik"_
```toml tab="File (TOML)"
[providers.consul]
rootKey = "traefik"
```
Defines the root key of the configuration.
```yaml tab="File (YAML)"
providers:
@@ -50,21 +45,20 @@ providers:
rootKey: "traefik"
```
```toml tab="File (TOML)"
[providers.consul]
rootKey = "traefik"
```
```bash tab="CLI"
--providers.consul.rootkey=traefik
```
### `username`
Defines a username to connect with Consul.
_Optional, Default=""_
```toml tab="File (TOML)"
[providers.consul]
# ...
username = "foo"
```
Defines a username to connect to Consul with.
```yaml tab="File (YAML)"
providers:
@@ -73,6 +67,12 @@ providers:
usename: "foo"
```
```toml tab="File (TOML)"
[providers.consul]
# ...
username = "foo"
```
```bash tab="CLI"
--providers.consul.username=foo
```
@@ -81,13 +81,7 @@ providers:
_Optional, Default=""_
Defines a password to connect with Consul.
```toml tab="File (TOML)"
[providers.consul]
# ...
password = "bar"
```
Defines a password with which to connect to Consul.
```yaml tab="File (YAML)"
providers:
@@ -96,6 +90,12 @@ providers:
password: "bar"
```
```toml tab="File (TOML)"
[providers.consul]
# ...
password = "bar"
```
```bash tab="CLI"
--providers.consul.password=foo
```
@@ -106,12 +106,7 @@ _Optional_
#### `tls.ca`
Certificate Authority used for the secured connection to Consul.
```toml tab="File (TOML)"
[providers.consul.tls]
ca = "path/to/ca.crt"
```
Certificate Authority used for the secure connection to Consul.
```yaml tab="File (YAML)"
providers:
@@ -120,23 +115,26 @@ providers:
ca: path/to/ca.crt
```
```toml tab="File (TOML)"
[providers.consul.tls]
ca = "path/to/ca.crt"
```
```bash tab="CLI"
--providers.consul.tls.ca=path/to/ca.crt
```
#### `tls.caOptional`
Policy followed for the secured connection with TLS Client Authentication to Consul.
Requires `tls.ca` to be defined.
The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Consul.
- `true`: VerifyClientCertIfGiven
- `false`: RequireAndVerifyClientCert
- if `tls.ca` is undefined NoClientCert
!!! warning ""
```toml tab="File (TOML)"
[providers.consul.tls]
caOptional = true
```
If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client.
```yaml tab="File (YAML)"
providers:
@@ -145,19 +143,18 @@ providers:
caOptional: true
```
```toml tab="File (TOML)"
[providers.consul.tls]
caOptional = true
```
```bash tab="CLI"
--providers.consul.tls.caOptional=true
```
#### `tls.cert`
Public certificate used for the secured connection to Consul.
```toml tab="File (TOML)"
[providers.consul.tls]
cert = "path/to/foo.cert"
key = "path/to/foo.key"
```
Public certificate used for the secure connection to Consul.
```yaml tab="File (YAML)"
providers:
@@ -167,6 +164,12 @@ providers:
key: path/to/foo.key
```
```toml tab="File (TOML)"
[providers.consul.tls]
cert = "path/to/foo.cert"
key = "path/to/foo.key"
```
```bash tab="CLI"
--providers.consul.tls.cert=path/to/foo.cert
--providers.consul.tls.key=path/to/foo.key
@@ -174,13 +177,7 @@ providers:
#### `tls.key`
Private certificate used for the secured connection to Consul.
```toml tab="File (TOML)"
[providers.consul.tls]
cert = "path/to/foo.cert"
key = "path/to/foo.key"
```
Private certificate used for the secure connection to Consul.
```yaml tab="File (YAML)"
providers:
@@ -190,6 +187,12 @@ providers:
key: path/to/foo.key
```
```toml tab="File (TOML)"
[providers.consul.tls]
cert = "path/to/foo.cert"
key = "path/to/foo.key"
```
```bash tab="CLI"
--providers.consul.tls.cert=path/to/foo.cert
--providers.consul.tls.key=path/to/foo.key
@@ -197,12 +200,7 @@ providers:
#### `tls.insecureSkipVerify`
If `insecureSkipVerify` is `true`, TLS for the connection to Consul accepts any certificate presented by the server and any host name in that certificate.
```toml tab="File (TOML)"
[providers.consul.tls]
insecureSkipVerify = true
```
If `insecureSkipVerify` is `true`, the TLS connection to Consul accepts any certificate presented by the server regardless of the hostnames it covers.
```yaml tab="File (YAML)"
providers:
@@ -211,6 +209,11 @@ providers:
insecureSkipVerify: true
```
```toml tab="File (TOML)"
[providers.consul.tls]
insecureSkipVerify = true
```
```bash tab="CLI"
--providers.consul.tls.insecureSkipVerify=true
```

Some files were not shown because too many files have changed in this diff Show More