Merge 'v1.4.0' into master

2017-10-16 23:10:44 +02:00 · 2017-10-16 23:10:44 +02:00 · 7192aa86b5
commit 7192aa86b5
parent 914f3d1fa3 9c8df8b9ce
38 changed files with 1165 additions and 327 deletions
--- a/docs/basics.md
+++ b/docs/basics.md
@ -383,21 +383,19 @@ The default cookie name is an abbreviation of a sha1 (ex: `_1d52e`).
 On subsequent requests, the client will be directed to the backend stored in the cookie if it is still healthy.
 If not, a new backend will be assigned.

-To activate sticky session:

 ```toml
 [backends]
  [backends.backend1]
+    # Enable sticky session
    [backends.backend1.loadbalancer.stickiness]
-```

-To customize the cookie name:
-
-```toml
-[backends]
-  [backends.backend1]
-    [backends.backend1.loadbalancer.stickiness]
-      cookieName = "my_cookie"
+    # Customize the cookie name
+    #
+    # Optional
+    # Default: a sha1 (6 chars)
+    #
+    #  cookieName = "my_cookie"
 ```

 The deprecated way:
--- a/docs/configuration/entrypoints.md
+++ b/docs/configuration/entrypoints.md
@ -188,17 +188,52 @@ To enable IP whitelisting at the entrypoint level.
  whiteListSourceRange = ["127.0.0.1/32", "192.168.1.7"]
 ```

-## ProxyProtocol Support
+## ProxyProtocol

 To enable [ProxyProtocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) support.
-Only IPs in `trustedIPs` will lead to remote client address replacement: you should declare your load-balancer IP or CIDR range here.
+Only IPs in `trustedIPs` will lead to remote client address replacement: you should declare your load-balancer IP or CIDR range here (in testing environment, you can trust everyone using `insecure = true`).

+!!! danger
+    When queuing Træfik behind another load-balancer, be sure to carefully configure Proxy Protocol on both sides.
+    Otherwise, it could introduce a security risk in your system by forging requests. 

 ```toml
 [entryPoints]
  [entryPoints.http]
-  address = ":80"
-  [entryPoints.http.proxyProtocol]
-    trustedIPs = ["127.0.0.1/32", "192.168.1.7"]
+    address = ":80"
+
+    # Enable ProxyProtocol
+    [entryPoints.http.proxyProtocol]
+      # List of trusted IPs
+      #
+      # Required
+      # Default: []
+      #
+      trustedIPs = ["127.0.0.1/32", "192.168.1.7"]
+
+      # Insecure mode FOR TESTING ENVIRONNEMENT ONLY
+      #
+      # Optional
+      # Default: false
+      #
+      # insecure = true
+```
+
+## Forwarded Header
+
+Only IPs in `trustedIPs` will be authorize to trust the client forwarded headers (`X-Forwarded-*`).
+
+```toml
+[entryPoints]
+  [entryPoints.http]
+    address = ":80"
+
+    # Enable Forwarded Headers
+    [entryPoints.http.forwardedHeaders]
+      # List of trusted IPs
+      #
+      # Required
+      # Default: []
+      #
+      trustedIPs = ["127.0.0.1/32", "192.168.1.7"]
 ```
-²