Support ALPN for TCP + TLS routers

2022-07-07 17:58:09 +03:00 · 2022-07-07 17:58:09 +03:00 · 4dc379c601
commit 4dc379c601
parent aff334ffb4
4 changed files with 228 additions and 34 deletions
--- a/docs/content/routing/routers/index.md
+++ b/docs/content/routing/routers/index.md
@ -839,11 +839,12 @@ If the rule is verified, the router becomes active, calls middlewares, and then

 The table below lists all the available matchers:

-| Rule                                                                      | Description                                                                                               |
-|---------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------|
-| ```HostSNI(`domain-1`, ...)```                                            | Check if the Server Name Indication corresponds to the given `domains`.                                   |
-| ```HostSNIRegexp(`example.com`, `{subdomain:[a-z]+}.example.com`, ...)``` | Check if the Server Name Indication matches the given regular expressions. See "Regexp Syntax" below. |
-| ```ClientIP(`10.0.0.0/16`, `::1`)```                                      | Check if the request client IP is one of the given IP/CIDR. It accepts IPv4, IPv6 and CIDR formats.       |
+| Rule                                                                      | Description                                                                                             |
+|---------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------|
+| ```HostSNI(`domain-1`, ...)```                                            | Checks if the Server Name Indication corresponds to the given `domains`.                                |
+| ```HostSNIRegexp(`example.com`, `{subdomain:[a-z]+}.example.com`, ...)``` | Checks if the Server Name Indication matches the given regular expressions. See "Regexp Syntax" below.  |
+| ```ClientIP(`10.0.0.0/16`, `::1`)```                                      | Checks if the connection client IP is one of the given IP/CIDR. It accepts IPv4, IPv6 and CIDR formats. |
+| ```ALPN(`mqtt`, `h2c`)```                                                 | Checks if any of the connection ALPN protocols is one of the given protocols.                           |

 !!! important "Non-ASCII Domain Names"

@ -879,6 +880,13 @@ The table below lists all the available matchers:

    The rule is evaluated "before" any middleware has the opportunity to work, and "before" the request is forwarded to the service.

+!!! important "ALPN ACME-TLS/1"
+
+    It would be a security issue to let a user-defined router catch the response to
+    an ACME TLS challenge previously initiated by Traefik.
+    For this reason, the `ALPN` matcher is not allowed to match the `ACME-TLS/1`
+    protocol, and Traefik returns an error if this is attempted.
+
 ### Priority

 To avoid path overlap, routes are sorted, by default, in descending order using rules length.