homelab/traefik
1
0
Fork 0
Code Activity

Merge branch 'v2.2' into master

Browse source
This commit is contained in:
Fernandez Ludovic 2020-07-15 09:37:32 +02:00
commit 6e4f5821dc
22 changed files with 98 additions and 517 deletions
Download patch file Download diff file Expand all files Collapse all files

14
docs/content/https/tls.md
View file

@ -130,20 +130,6 @@ tls:
If no default certificate is provided, Traefik generates and uses a self-signed certificate.
## Domain fronting
Basically, [domain fronting](https://en.wikipedia.org/wiki/Domain_fronting) is a technique that allows to open a
connection with a specific domain name, thanks to the
[Server Name Indication](https://en.wikipedia.org/wiki/Server_Name_Indication), then access a service with another
domain set in the HTTP `Host` header.
Since the `v2.2.2`, Traefik avoids (by default) using domain fronting.
As it is valid for advanced use cases, the `HostHeader` and `HostSNI` [rules](../routing/routers/index.md#rule) allow
to fine tune the routing with the `Server Name Indication` and `Host header` value.
If you encounter routing issues with a previously working configuration, please refer to the
[migration guide](../migration/v2.md) to update your configuration.
## TLS Options
The TLS options allow one to configure some parameters of the TLS connection.

114
docs/content/migration/v2.md
View file

@ -1,116 +1,16 @@
# Migration: Steps needed between the versions
## v2.x to v2.2.2
## v2.2.2 to v2.2.5
### Domain fronting
### InsecureSNI removal
In `v2.2.2` we introduced the ability to avoid [Domain fronting](https://en.wikipedia.org/wiki/Domain_fronting),
and enabled it by default for [https routers](../routing/routers/index.md#rule) configured with ```Host(`something`)```.
In `v2.2.2` we introduced a new flag (`insecureSNI`) which was available as a global option to disable domain fronting.
Since `v2.2.5` this global option has been removed, and you should not use it anymore.
!!! example "Allow Domain Fronting on a Specific Router"
!!! info "Before v2.2.2"
```yaml tab="Docker"
labels:
- "traefik.http.routers.router0.rule=Host(`test.localhost`)"
```
```yaml tab="K8s Ingress"
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: ingressroutebar
spec:
entryPoints:
- http
routes:
- match: Host(`test.localhost`)
kind: Rule
services:
- name: server0
port: 80
- name: server1
port: 80
```
```toml tab="File (TOML)"
[http.routers.router0]
rule = "Host(`test.localhost`)"
service = "my-service"
```
```toml tab="File (YAML)"
http:
routers:
router0:
rule: "Host(`test.localhost`)"
service: my-service
```
### HostSNI rule matcher removal
!!! info "v2.2.2"
```yaml tab="Docker"
labels:
- "traefik.http.routers.router0.rule=HostHeader(`test.localhost`)"
```
```yaml tab="K8s Ingress"
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: ingressroutebar
spec:
entryPoints:
- http
routes:
- match: HostHeader(`test.localhost`)
kind: Rule
services:
- name: server0
port: 80
- name: server1
port: 80
```
```toml tab="File (TOML)"
[http.routers.router0]
rule = "HostHeader(`test.localhost`)"
service = "my-service"
```
```toml tab="File (YAML)"
http:
routers:
router0:
rule: "HostHeader(`test.localhost`)"
service: my-service
```
As a fallback, a new flag is available as a global option:
!!! example "Enabling Domain Fronting for All Routers"
```toml tab="File (TOML)"
# Static configuration
[global]
# Enabling domain fronting
insecureSNI = true
```
```yaml tab="File (YAML)"
# Static configuration
global:
# Enabling domain fronting
insecureSNI: true
```
```bash tab="CLI"
# Enabling domain fronting
--global.insecureSNI
```
In `v2.2.2` we introduced a new rule matcher (`HostSNI`) which was allowing to match the Server Name Indication at the router level.
Since `v2.2.5` this rule has been removed, and you should not use it anymore.
## v2.0 to v2.1

3
docs/content/reference/static-configuration/cli-ref.md
View file

@ -162,9 +162,6 @@ WriteTimeout is the maximum duration before timing out writes of the response. I
`--global.checknewversion`:
Periodically check if a new version has been released. (Default: ```false```)
`--global.insecuresni`:
Allow domain fronting. If the option is not specified, it will be disabled by default. (Default: ```false```)
`--global.sendanonymoususage`:
Periodically send anonymous usage statistics. If the option is not specified, it will be enabled by default. (Default: ```false```)

3
docs/content/reference/static-configuration/env-ref.md
View file

@ -162,9 +162,6 @@ WriteTimeout is the maximum duration before timing out writes of the response. I
`TRAEFIK_GLOBAL_CHECKNEWVERSION`:
Periodically check if a new version has been released. (Default: ```false```)
`TRAEFIK_GLOBAL_INSECURESNI`:
Allow domain fronting. If the option is not specified, it will be disabled by default. (Default: ```false```)
`TRAEFIK_GLOBAL_SENDANONYMOUSUSAGE`:
Periodically send anonymous usage statistics. If the option is not specified, it will be enabled by default. (Default: ```false```)

9
docs/content/reference/static-configuration/file.toml
View file

@ -1,7 +1,6 @@
[global]
checkNewVersion = true
sendAnonymousUsage = true
insecureSNI = false
[serversTransport]
insecureSkipVerify = true
@ -153,7 +152,7 @@
username = "foobar"
password = "foobar"
[providers.consul]
rootKey = "traefik"
rootKey = "foobar"
endpoints = ["foobar", "foobar"]
username = "foobar"
password = "foobar"
@ -164,7 +163,7 @@
key = "foobar"
insecureSkipVerify = true
[providers.etcd]
rootKey = "traefik"
rootKey = "foobar"
endpoints = ["foobar", "foobar"]
username = "foobar"
password = "foobar"
@ -175,7 +174,7 @@
key = "foobar"
insecureSkipVerify = true
[providers.zooKeeper]
rootKey = "traefik"
rootKey = "foobar"
endpoints = ["foobar", "foobar"]
username = "foobar"
password = "foobar"
@ -186,7 +185,7 @@
key = "foobar"
insecureSkipVerify = true
[providers.redis]
rootKey = "traefik"
rootKey = "foobar"
endpoints = ["foobar", "foobar"]
username = "foobar"
password = "foobar"

20
docs/content/reference/static-configuration/file.yaml
View file

@ -1,8 +1,6 @@
global:
checkNewVersion: true
sendAnonymousUsage: true
insecureSNI: false
serversTransport:
insecureSkipVerify: true
rootCAs:
@ -127,7 +125,7 @@ providers:
- foobar
labelSelector: foobar
ingressClass: foobar
throttleDuration: 10s
throttleDuration: 42s
rest:
insecure: true
rancher:
@ -164,7 +162,7 @@ providers:
username: foobar
password: foobar
consul:
rootKey: traefik
rootKey: foobar
endpoints:
- foobar
- foobar
@ -177,7 +175,7 @@ providers:
key: foobar
insecureSkipVerify: true
etcd:
rootKey: traefik
rootKey: foobar
endpoints:
- foobar
- foobar
@ -190,10 +188,10 @@ providers:
key: foobar
insecureSkipVerify: true
zooKeeper:
rootKey: traefik
rootKey: foobar
endpoints:
- foobar
- foobar
- foobar
- foobar
username: foobar
password: foobar
tls:
@ -203,10 +201,10 @@ providers:
key: foobar
insecureSkipVerify: true
redis:
rootKey: traefik
rootKey: foobar
endpoints:
- foobar
- foobar
- foobar
- foobar
username: foobar
password: foobar
tls:

23
docs/content/routing/routers/index.md
View file

@ -228,18 +228,17 @@ If the rule is verified, the router becomes active, calls middlewares, and then
The table below lists all the available matchers:
| Rule | Description |
|------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| ```Headers(`key`, `value`)``` | Check if there is a key `key`defined in the headers, with the value `value` |
| ```HeadersRegexp(`key`, `regexp`)``` | Check if there is a key `key`defined in the headers, with a value that matches the regular expression `regexp` |
| ```Host(`example.com`, ...)``` | By default, is equivalent to `HostHeader` **AND** `HostSNI` rules. See [Domain Fronting](../../https/tls.md#domain-fronting) and the [migration guide](../../migration/v2.md#domain-fronting) for more details. |
| ```HostHeader(`example.com`, ...)``` | Check if the request domain (host header value) targets one of the given `domains`. |
| ```HostSNI(`example.com`, ...)``` | Check if the [Server Name Indication](https://en.wikipedia.org/wiki/Server_Name_Indication) corresponds to the given `domains`. |
| ```HostRegexp(`example.com`, `{subdomain:[a-z]+}.example.com`, ...)``` | Check if the request domain matches the given `regexp`. |
| ```Method(`GET`, ...)``` | Check if the request method is one of the given `methods` (`GET`, `POST`, `PUT`, `DELETE`, `PATCH`) |
| ```Path(`/path`, `/articles/{cat:[a-z]+}/{id:[0-9]+}`, ...)``` | Match exact request path. It accepts a sequence of literal and regular expression paths. |
| ```PathPrefix(`/products/`, `/articles/{cat:[a-z]+}/{id:[0-9]+}`)``` | Match request prefix path. It accepts a sequence of literal and regular expression prefix paths. |
| ```Query(`foo=bar`, `bar=baz`)``` | Match Query String parameters. It accepts a sequence of key=value pairs. |
| Rule | Description |
|------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------|
| ```Headers(`key`, `value`)``` | Check if there is a key `key`defined in the headers, with the value `value` |
| ```HeadersRegexp(`key`, `regexp`)``` | Check if there is a key `key`defined in the headers, with a value that matches the regular expression `regexp` |
| ```Host(`example.com`, ...)``` | Check if the request domain (host header value) targets one of the given `domains`. |
| ```HostHeader(`example.com`, ...)``` | Check if the request domain (host header value) targets one of the given `domains`. |
| ```HostRegexp(`example.com`, `{subdomain:[a-z]+}.example.com`, ...)``` | Check if the request domain matches the given `regexp`. |
| ```Method(`GET`, ...)``` | Check if the request method is one of the given `methods` (`GET`, `POST`, `PUT`, `DELETE`, `PATCH`) |
| ```Path(`/path`, `/articles/{cat:[a-z]+}/{id:[0-9]+}`, ...)``` | Match exact request path. It accepts a sequence of literal and regular expression paths. |
| ```PathPrefix(`/products/`, `/articles/{cat:[a-z]+}/{id:[0-9]+}`)``` | Match request prefix path. It accepts a sequence of literal and regular expression prefix paths. |
| ```Query(`foo=bar`, `bar=baz`)``` | Match Query String parameters. It accepts a sequence of key=value pairs. |
!!! important "Regexp Syntax"