Rework access control origin configuration

2020-03-05 08:18:04 +01:00 · 2020-03-05 08:18:04 +01:00 · 082fb166a2
commit 082fb166a2
parent fb51ebcba6
14 changed files with 203 additions and 122 deletions
--- a/docs/content/middlewares/headers.md
+++ b/docs/content/middlewares/headers.md
@ -197,7 +197,7 @@ This functionality allows for more advanced security features to quickly be set.
 ```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
-  - "traefik.http.middlewares.testheader.headers.accesscontrolalloworigin=origin-list-or-null"
+  - "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist=https://foo.bar.org,https://example.org"
  - "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
  - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
 ```
@ -213,14 +213,16 @@ spec:
      - "GET"
      - "OPTIONS"
      - "PUT"
-    accessControlAllowOrigin: "origin-list-or-null"
+    accessControlAllowOriginList:
+      - "https://foo.bar.org"
+      - "https://example.org"
    accessControlMaxAge: 100
    addVaryHeader: "true"
 ```

 ```yaml tab="Consul Catalog"
 - "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
- "traefik.http.middlewares.testheader.headers.accesscontrolalloworigin=origin-list-or-null"
+- "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist=https://foo.bar.org,https://example.org"
 - "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
 - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
 ```
@ -228,7 +230,7 @@ spec:
 ```json tab="Marathon"
 "labels": {
  "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods": "GET,OPTIONS,PUT",
-  "traefik.http.middlewares.testheader.headers.accesscontrolalloworigin": "origin-list-or-null",
+  "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist": "https://foo.bar.org,https://example.org",
  "traefik.http.middlewares.testheader.headers.accesscontrolmaxage": "100",
  "traefik.http.middlewares.testheader.headers.addvaryheader": "true"
 }
@ -237,7 +239,7 @@ spec:
 ```yaml tab="Rancher"
 labels:
  - "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
-  - "traefik.http.middlewares.testheader.headers.accesscontrolalloworigin=origin-list-or-null"
+  - "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist=https://foo.bar.org,https://example.org"
  - "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
  - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
 ```
@ -246,7 +248,7 @@ labels:
 [http.middlewares]
  [http.middlewares.testHeader.headers]
    accessControlAllowMethods= ["GET", "OPTIONS", "PUT"]
-    accessControlAllowOrigin = "origin-list-or-null"
+    accessControlAllowOriginList = ["https://foo.bar.org","https://example.org"]
    accessControlMaxAge = 100
    addVaryHeader = true
 ```
@ -260,7 +262,9 @@ http:
          - GET
          - OPTIONS
          - PUT
-        accessControlAllowOrigin: "origin-list-or-null"
+        accessControlAllowOriginList:
+          - https://foo.bar.org
+          - https://example.org
        accessControlMaxAge: 100
        addVaryHeader: true
 ```
@ -295,14 +299,22 @@ The `accessControlAllowHeaders` indicates which header field names can be used a

 The  `accessControlAllowMethods` indicates which methods can be used during requests.

-### `accessControlAllowOrigin`
+### `accessControlAllowOriginList`

-The `accessControlAllowOrigin` indicates whether a resource can be shared by returning different values.
-The three options for this value are:
+The `accessControlAllowOriginList` indicates whether a resource can be shared by returning different values.

- `origin-list-or-null`
- `*`
- `null`
+A wildcard origin `*` can also be configured, and will match all requests.
+If this value is set by a backend server, it will be overwritten by Traefik
+
+This value can contains a list of allowed origins.
+
+More information including how to use the settings can be found on:
+
+- [Mozilla.org](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin)
+- [w3](https://www.w3.org/TR/cors/#access-control-allow-origin-response-header)
+- [IETF](https://tools.ietf.org/html/rfc6454#section-7.1)
+
+Traefik no longer supports the null value, as it is [no longer recommended as a return value](https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null).

 ### `accessControlExposeHeaders`

@ -314,7 +326,7 @@ The `accessControlMaxAge` indicates how long a preflight request can be cached.

 ### `addVaryHeader`

-The `addVaryHeader` is used in conjunction with `accessControlAllowOrigin` to determine whether the vary header should be added or modified to demonstrate that server responses can differ beased on the value of the origin header.
+The `addVaryHeader` is used in conjunction with `accessControlAllowOriginList` to determine whether the vary header should be added or modified to demonstrate that server responses can differ based on the value of the origin header.

 ### `allowedHosts` 

--- a/docs/content/migration/v2.md
+++ b/docs/content/migration/v2.md
@ -100,3 +100,11 @@ rules:
 ```

 After having both resources applied, Traefik will work properly.
+
+## v2.1 to v2.2
+
+### Headers middleware: accessControlAllowOrigin
+
+`accessControlAllowOrigin` is deprecated.
+This field will be removed in future 2.x releases.
+Please configure your allowed origins in `accessControlAllowOriginList` instead.
--- a/docs/content/reference/dynamic-configuration/docker-labels.yml
+++ b/docs/content/reference/dynamic-configuration/docker-labels.yml
@ -34,6 +34,7 @@
 - "traefik.http.middlewares.middleware10.headers.accesscontrolallowheaders=foobar, foobar"
 - "traefik.http.middlewares.middleware10.headers.accesscontrolallowmethods=foobar, foobar"
 - "traefik.http.middlewares.middleware10.headers.accesscontrolalloworigin=foobar"
+- "traefik.http.middlewares.middleware10.headers.accesscontrolalloworiginlist=foobar, foobar"
 - "traefik.http.middlewares.middleware10.headers.accesscontrolexposeheaders=foobar, foobar"
 - "traefik.http.middlewares.middleware10.headers.accesscontrolmaxage=42"
 - "traefik.http.middlewares.middleware10.headers.addvaryheader=true"
@ -134,6 +135,7 @@
 - "traefik.http.routers.router1.tls.domains[1].main=foobar"
 - "traefik.http.routers.router1.tls.domains[1].sans=foobar, foobar"
 - "traefik.http.routers.router1.tls.options=foobar"
+- "traefik.http.services.service01.loadbalancer.healthcheck.followredirects=true"
 - "traefik.http.services.service01.loadbalancer.healthcheck.headers.name0=foobar"
 - "traefik.http.services.service01.loadbalancer.healthcheck.headers.name1=foobar"
 - "traefik.http.services.service01.loadbalancer.healthcheck.hostname=foobar"
--- a/docs/content/reference/dynamic-configuration/file.toml
+++ b/docs/content/reference/dynamic-configuration/file.toml
@ -147,6 +147,7 @@
        accessControlAllowHeaders = ["foobar", "foobar"]
        accessControlAllowMethods = ["foobar", "foobar"]
        accessControlAllowOrigin = "foobar"
+        accessControlAllowOriginList = ["foobar", "foobar"]
        accessControlExposeHeaders = ["foobar", "foobar"]
        accessControlMaxAge = 42
        addVaryHeader = true
--- a/docs/content/reference/dynamic-configuration/file.yaml
+++ b/docs/content/reference/dynamic-configuration/file.yaml
@ -170,6 +170,9 @@ http:
        - foobar
        - foobar
        accessControlAllowOrigin: foobar
+        accessControlAllowOriginList:
+        - foobar
+        - foobar
        accessControlExposeHeaders:
        - foobar
        - foobar
--- a/docs/content/reference/dynamic-configuration/kv-ref.md
+++ b/docs/content/reference/dynamic-configuration/kv-ref.md
@ -41,6 +41,8 @@
 | `traefik/http/middlewares/Middleware10/headers/accessControlAllowMethods/0` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/accessControlAllowMethods/1` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/accessControlAllowOrigin` | `foobar` |
+| `traefik/http/middlewares/Middleware10/headers/accessControlAllowOriginList/0` | `foobar` |
+| `traefik/http/middlewares/Middleware10/headers/accessControlAllowOriginList/1` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/accessControlExposeHeaders/0` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/accessControlExposeHeaders/1` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/accessControlMaxAge` | `42` |
--- a/docs/content/reference/dynamic-configuration/marathon-labels.json
+++ b/docs/content/reference/dynamic-configuration/marathon-labels.json
@ -34,6 +34,7 @@
 "traefik.http.middlewares.middleware10.headers.accesscontrolallowheaders": "foobar, foobar",
 "traefik.http.middlewares.middleware10.headers.accesscontrolallowmethods": "foobar, foobar",
 "traefik.http.middlewares.middleware10.headers.accesscontrolalloworigin": "foobar",
+"traefik.http.middlewares.middleware10.headers.accesscontrolalloworiginlist": "foobar, foobar",
 "traefik.http.middlewares.middleware10.headers.accesscontrolexposeheaders": "foobar, foobar",
 "traefik.http.middlewares.middleware10.headers.accesscontrolmaxage": "42",
 "traefik.http.middlewares.middleware10.headers.addvaryheader": "true",
@ -132,6 +133,7 @@
 "traefik.http.routers.router1.tls.domains[1].main": "foobar",
 "traefik.http.routers.router1.tls.domains[1].sans": "foobar, foobar",
 "traefik.http.routers.router1.tls.options": "foobar",
+"traefik.http.services.service01.loadbalancer.healthcheck.followredirects": "true",
 "traefik.http.services.service01.loadbalancer.healthcheck.headers.name0": "foobar",
 "traefik.http.services.service01.loadbalancer.healthcheck.headers.name1": "foobar",
 "traefik.http.services.service01.loadbalancer.healthcheck.hostname": "foobar",