Add a new protocol

Co-authored-by: Gérald Croës <gerald@containo.us>
2019-03-14 09:30:04 +01:00 · 2019-03-14 09:30:04 +01:00 · 4a68d29ce2
commit 4a68d29ce2
parent 0ca2149408
231 changed files with 6895 additions and 4395 deletions
--- a/docs/content/routing/entrypoints.md
+++ b/docs/content/routing/entrypoints.md
@ -6,76 +6,39 @@ Opening Connections for Incomming Requests
 ![EntryPoints](../assets/img/entrypoints.png)

 Entrypoints are the network entry points into Traefik.
-They can be defined using:
-
- a port (80, 443, ...)
- SSL (Certificates, Keys, authentication with a client certificate signed by a trusted CA, ...)
+They define the port which will receive the requests (whether HTTP or TCP).

 ## Configuration Examples

-??? example "HTTP only"
+??? example "Port 80 only"

    ```toml
-    [entryPoints]
-      [entryPoints.http]
-      address = ":80"
+    [entrypoints]
+      [entrypoints.web]
+         address = ":80"
    ```

-    We define an `entrypoint` called `http` that will listen on port `80`.
+    We define an `entrypoint` called `web` that will listen on port `80`.

-??? example "HTTP & HTTPS" 
+??? example "Port 80 & 443" 

    ```toml
-    [entryPoints]
-      [entryPoints.http]
+    [entrypoints]
+      [entrypoints.web]
        address = ":80"
    
-      [entryPoints.https]
+      [entrypoints.web-secure]
        address = ":443"
        
-        [entryPoints.https.tls]
-          [[entryPoints.https.tls.certificates]]
+        [entrypoints.web-secure.tls]
+          [[entrypoints.web-secure.tls.certificates]]
            certFile = "tests/traefik.crt"
            keyFile = "tests/traefik.key"
    ```

-    - Two entrypoints are defined: one called `http`, and the other called `https`.
-    - `http` listens on port `80`, and `https` on port `443`.
-    - We enabled SSL on `https` by giving it a certificate and a key.
-
-    !!! note
+    - Two entrypoints are defined: one called `web`, and the other called `web-secure`.
+    - `web` listens on port `80`, and `web-secure` on port `443`. 
    
-        In the example, `http` and `https` are the names for the entrypoints and have nothing to do with the underlying protocol.
-        We could have written `entryPoints.foo` and `entryPoints.bar` instead. 
-    
-    !!! tip "Automatic HTTPS with ACME"
-       
-        If you don't have certificate files and wish to automatically enable HTTPS, you should have a look at one of Traefik's most praised feature: [ACME & Let's Encrypt integration](./acme.md)
-
-??? example "Client Certificate Authentication"
-
-    ```toml
-    [entryPoints]
-      [entryPoints.https]
-        address = ":443"
-      
-      [entryPoints.https.tls]
-        [entryPoints.https.tls.ClientCA]
-          files = ["tests/clientca1.crt", "tests/clientca2.crt"]
-          optional = false
-        
-        [[entryPoints.https.tls.certificates]]
-          certFile = "tests/traefik.crt"
-          keyFile = "tests/traefik.key"
-    ```
-    
-    - We enabled SSL on `https` by giving it a certificate and a key.
-    - Files containing Certificate Authorities (PEM format) were added.
-    
-    !!! note "Multiple CAs" 
-    
-        It is possible to have multiple CA:s in the same file or keep them in separate files.
-
 ## Configuration

 ### General
@ -115,130 +78,6 @@ Entrypoints are part of the [static configuration](../getting-started/configurat
            command: --defaultentrypoints=powpow --entryPoints='Name:powpow Address::42 Compress:true'
        ```

-## TLS
-
-### Static Certificates
-
-To add SNI support, define `certFile` and `keyFile`.
-
-```toml
-[entryPoints]
-  [entryPoints.https]
-    address = ":443"
-    
-    [entryPoints.https.tls]
-      [[entryPoints.https.tls.certificates]]
-        certFile = "integration/fixtures/https/snitest.com.cert"
-        keyFile = "integration/fixtures/https/snitest.com.key"
-```
-
-!!! note
-    If you provide an empty TLS configuration, default self-signed certificates will be generated.
-
-### Dynamic Certificates
-
-To add / remove TLS certificates while Traefik is running, the [file provider](../providers/file.md) supports Dynamic TLS certificates in its `[[tls]]` section.
-
-### Mutual Authentication
-
-Traefik supports both optional and non optional (defaut value) mutual authentication.
-
- When `optional = false`, Traefik accepts connections only from client presenting a certificate signed by a CA listed in `ClientCA.files`.
- When `optional = true`, Traefik authorizes connections from client presenting a certificate signed by an unknown CA. 
-
-??? example "Non Optional Mutual Authentication"
-    
-    In the following example, both `snitest.com` and `snitest.org` will require client certificates.
-
-    ```toml
-    [entryPoints]
-      [entryPoints.https]
-        address = ":443"
-        
-        [entryPoints.https.tls]
-          [entryPoints.https.tls.ClientCA]
-            files = ["tests/clientca1.crt", "tests/clientca2.crt"]
-            optional = false
-            
-            [[entryPoints.https.tls.certificates]]
-              certFile = "integration/fixtures/https/snitest.com.cert"
-              keyFile = "integration/fixtures/https/snitest.com.key"
-            [[entryPoints.https.tls.certificates]]
-              certFile = "integration/fixtures/https/snitest.org.cert"
-              keyFile = "integration/fixtures/https/snitest.org.key"
-    ```
-    
-    !!! note "ClientCA.files"
-
-        You can use a file per `CA:s`, or a single file containing multiple `CA:s` (in `PEM` format).
-
-        `ClientCA.files` is not optional: every client will have to present a valid certificate. (This requirement will apply to every server certificate declared in the entrypoint.)
-
-### Minimum TLS Version
-
-??? example "Min TLS version & [cipherSuites](https://godoc.org/crypto/tls#pkg-constants)"
-
-    ```toml
-    [entryPoints]
-      [entryPoints.https]
-        address = ":443"
-        
-        [entryPoints.https.tls]
-          minVersion = "VersionTLS12"
-          cipherSuites = [
-            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-            "TLS_RSA_WITH_AES_256_GCM_SHA384"
-          ]
-          
-          [[entryPoints.https.tls.certificates]]
-            certFile = "integration/fixtures/https/snitest.com.cert"
-            keyFile = "integration/fixtures/https/snitest.com.key"
-          [[entryPoints.https.tls.certificates]]
-            certFile = "integration/fixtures/https/snitest.org.cert"
-            keyFile = "integration/fixtures/https/snitest.org.key"
-    ```
-
-### Strict SNI Checking
-
-With strict SNI checking, Traefik won't allow connections without a matching certificate.
-
-??? example "Strict SNI"
- 
-    ```toml
-    [entryPoints]
-      [entryPoints.https]
-        address = ":443"
-      
-        [entryPoints.https.tls]
-          sniStrict = true
-          
-          [[entryPoints.https.tls.certificates]]
-            certFile = "integration/fixtures/https/snitest.com.cert"
-            keyFile = "integration/fixtures/https/snitest.com.key"
-    ```
-
-### Default Certificate
-
-Traefik can use a default certificate for connections without an SNI, or without a matching domain.
-
-If no default certificate is provided, Traefik generates a self-signed and use it instead.
-
-??? example "Setting a Default Certificate"
- 
-    ```toml
-    [entryPoints]
-      [entryPoints.https]
-        address = ":443"
-        
-        [entryPoints.https.tls]
-          [entryPoints.https.tls.defaultCertificate]
-            certFile = "integration/fixtures/https/snitest.com.cert"
-            keyFile = "integration/fixtures/https/snitest.com.key"
-    ```
-    
-    !!! note "Only One Default Certificate"
-        There can only be one `defaultCertificate` per entrypoint.
-
 ## ProxyProtocol

 Traefik supports [ProxyProtocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt).
@ -246,11 +85,11 @@ Traefik supports [ProxyProtocol](https://www.haproxy.org/download/1.8/doc/proxy-
 ??? example "Enabling Proxy Protocol with Trusted IPs" 

    ```toml
-    [entryPoints]
-      [entryPoints.http]
+    [entrypoints]
+      [entrypoints.web]
        address = ":80"
    
-        [entryPoints.http.proxyProtocol]
+        [entrypoints.web.proxyProtocol]
          trustedIPs = ["127.0.0.1/32", "192.168.1.7"]
    ```
    
@ -261,11 +100,11 @@ Traefik supports [ProxyProtocol](https://www.haproxy.org/download/1.8/doc/proxy-
    In a test environments, you can configure Traefik to trust every incomming connection. Doing so, every remote client address will be replaced (`trustedIPs` won't have any effect)

    ```toml
-    [entryPoints]
-      [entryPoints.http]
+    [entrypoints]
+      [entrypoints.web]
        address = ":80"
    
-        [entryPoints.http.proxyProtocol]
+        [entrypoints.web.proxyProtocol]
          insecure = true
    ```
         
@ -281,21 +120,21 @@ You can configure Traefik to trust the forwarded headers information (`X-Forward
 ??? example "Trusting Forwarded Headers from specific IPs"

    ```toml
-    [entryPoints]
-      [entryPoints.http]
+    [entrypoints]
+      [entrypoints.web]
        address = ":80"
    
-        [entryPoints.http.forwardedHeaders]
+        [entrypoints.web.forwardedHeaders]
          trustedIPs = ["127.0.0.1/32", "192.168.1.7"]
    ```
    
 ??? example "Insecure Mode -- Always Trusting Forwarded Headers"

    ```toml
-    [entryPoints]
-      [entryPoints.http]
+    [entrypoints]
+      [entrypoints.web]
        address = ":80"
    
-        [entryPoints.http.forwardedHeaders]
+        [entrypoints.web.forwardedHeaders]
           insecure = true
    ```