Add TCP Servers Transports support

Co-authored-by: Romain <rtribotte@users.noreply.github.com>
2022-12-09 09:58:05 +01:00 · 2022-12-09 09:58:05 +01:00 · 3eeea2bb2b
commit 3eeea2bb2b
parent c2dac39da1
101 changed files with 5956 additions and 1669 deletions
--- a/docs/content/routing/overview.md
+++ b/docs/content/routing/overview.md
@ -250,10 +250,12 @@ and then between Traefik and the backend servers, is configured through the

 In addition, a few parameters are dedicated to configuring globally
 what happens with the connections between Traefik and the backends.
-This is done through the `serversTransport` section of the configuration,
-which features these options:
+This is done through the [`serversTransport`](#http-servers-transports) and [`tcpServersTransport`](#tcp-servers-transports)
+sections of the configuration, which features these options:

-### `insecureSkipVerify`
+### HTTP Servers Transports
+
+#### `insecureSkipVerify`

 _Optional, Default=false_

@ -276,7 +278,7 @@ serversTransport:
 --serversTransport.insecureSkipVerify=true
 ```

-### `rootCAs`
+#### `rootCAs`

 _Optional_

@ -302,7 +304,7 @@ serversTransport:
 --serversTransport.rootCAs=foo.crt,bar.crt
 ```

-### `maxIdleConnsPerHost`
+#### `maxIdleConnsPerHost`

 _Optional, Default=2_

@ -325,7 +327,7 @@ serversTransport:
 --serversTransport.maxIdleConnsPerHost=7
 ```

-### `spiffe`
+#### `spiffe`

 Please note that [SPIFFE](../https/spiffe.md) must be enabled in the static configuration 
 before using it to secure the connection between Traefik and the backends.  
@ -380,7 +382,7 @@ serversTransport:
 --serversTransport.spiffe.trustDomain=spiffe://trust-domain
 ```

-### `forwardingTimeouts`
+#### `forwardingTimeouts`

 `forwardingTimeouts` is about a number of timeouts relevant to when forwarding requests to the backend servers.

@ -462,4 +464,186 @@ serversTransport:
 --serversTransport.forwardingTimeouts.idleConnTimeout=1s
 ```

+### TCP Servers Transports
+
+#### `dialTimeout`
+
+_Optional, Default="30s"_
+
+`dialTimeout` is the maximum duration allowed for a connection to a backend server to be established.
+Zero means no timeout.
+
+```yaml tab="File (YAML)"
+## Static configuration
+tcpServersTransport:
+  dialTimeout: 30s
+```
+
+```toml tab="File (TOML)"
+## Static configuration
+[tcpServersTransport]
+  dialTimeout = "30s"
+```
+
+```bash tab="CLI"
+## Static configuration
+--tcpServersTransport.dialTimeout=30s
+```
+
+#### `dialKeepAlive`
+
+_Optional, Default="15s"_
+
+`dialKeepAlive` defines the interval between keep-alive probes sent on an active network connection.
+If zero, keep-alive probes are sent with a default value (currently 15 seconds), if supported by the protocol and
+operating system. Network protocols or operating systems that do not support keep-alives ignore this field. If negative,
+keep-alive probes are disabled.
+
+```yaml tab="File (YAML)"
+## Static configuration
+tcpServersTransport:
+  dialKeepAlive: 30s
+```
+
+```toml tab="File (TOML)"
+## Static configuration
+[tcpServersTransport]
+  dialKeepAlive = "30s"
+```
+
+```bash tab="CLI"
+## Static configuration
+--tcpServersTransport.dialKeepAlive=30s
+```
+
+#### `tls`
+
+`tls` defines the TLS configuration to connect with TCP backends.
+
+_Optional_
+
+An empty `tls` section enables TLS.
+
+```yaml tab="File (YAML)"
+## Static configuration
+tcpServersTransport:
+  tls: {}
+```
+
+```toml tab="File (TOML)"
+## Static configuration
+[tcpServersTransport.tls]
+```
+
+```bash tab="CLI"
+## Static configuration
+--tcpServersTransport.tls=true
+```
+
+#### `tls.insecureSkipVerify`
+
+_Optional_
+
+`insecureSkipVerify` disables the server's certificate chain and host name verification.
+
+```yaml tab="File (YAML)"
+## Static configuration
+tcpServersTransport:
+  tls:
+    insecureSkipVerify: true
+```
+
+```toml tab="File (TOML)"
+## Static configuration
+[tcpServersTransport.tls]
+  insecureSkipVerify = true
+```
+
+```bash tab="CLI"
+## Static configuration
+--tcpServersTransport.tls.insecureSkipVerify=true
+```
+
+#### `tls.rootCAs`
+
+_Optional_
+
+`rootCAs` defines the set of Root Certificate Authorities (as file paths, or data bytes)
+to use when verifying self-signed TLS server certificates.
+
+```yaml tab="File (YAML)"
+## Static configuration
+tcpServersTransport:
+  tls:
+    rootCAs:
+      - foo.crt
+      - bar.crt
+```
+
+```toml tab="File (TOML)"
+## Static configuration
+[tcpServersTransport.tls]
+  rootCAs = ["foo.crt", "bar.crt"]
+```
+
+```bash tab="CLI"
+## Static configuration
+--tcpServersTransport.tls.rootCAs=foo.crt,bar.crt
+```
+
+#### `spiffe`
+
+Please note that [SPIFFE](../https/spiffe.md) must be enabled in the static configuration
+before using it to secure the connection between Traefik and the backends.
+
+#### `spiffe.ids`
+
+_Optional_
+
+`ids` defines the allowed SPIFFE IDs.
+This takes precedence over the SPIFFE TrustDomain.
+
+```yaml tab="File (YAML)"
+## Static configuration
+tcpServersTransport:
+    spiffe:
+      ids:
+        - spiffe://trust-domain/id1
+        - spiffe://trust-domain/id2
+```
+
+```toml tab="File (TOML)"
+## Static configuration
+[tcpServersTransport.spiffe]
+  ids = ["spiffe://trust-domain/id1", "spiffe://trust-domain/id2"]
+```
+
+```bash tab="CLI"
+## Static configuration
+--tcpServersTransport.spiffe.ids=spiffe://trust-domain/id1,spiffe://trust-domain/id2
+```
+
+#### `spiffe.trustDomain`
+
+_Optional_
+
+`trustDomain` defines the allowed SPIFFE trust domain.
+
+```yaml tab="File (YAML)"
+## Static configuration
+tcpServersTransport:
+  trustDomain: spiffe://trust-domain
+```
+
+```toml tab="File (TOML)"
+## Static configuration
+[tcpServersTransport.spiffe]
+  trustDomain = "spiffe://trust-domain"
+```
+
+```bash tab="CLI"
+## Static configuration
+--tcpServersTransport.spiffe.trustDomain=spiffe://trust-domain
+```
+
 {!traefik-for-business-applications.md!}