homelab/traefik
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch v3.1 into master

Browse source
This commit is contained in:
kevinpollet 2024-09-20 09:51:54 +02:00
commit a398536688
No known key found for this signature in database
GPG key ID: 0C9A5DDD1B292453
76 changed files with 1073 additions and 220 deletions
Download patch file Download diff file Expand all files Collapse all files

4
docs/content/https/acme.md
View file

@ -11,7 +11,7 @@ Automatic HTTPS
You can configure Traefik to use an ACME provider (like Let's Encrypt) for automatic certificate generation.
!!! warning "Let's Encrypt and Rate Limiting"
Note that Let's Encrypt API has [rate limiting](https://letsencrypt.org/docs/rate-limits). These last up to **one week**, and can not be overridden.
Note that Let's Encrypt API has [rate limiting](https://letsencrypt.org/docs/rate-limits). These last up to **one week**, and cannot be overridden.
When running Traefik in a container this file should be persisted across restarts.
If Traefik requests new certificates each time it starts up, a crash-looping container can quickly reach Let's Encrypt's ratelimits.
@ -298,7 +298,7 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
Multiple DNS challenge provider are not supported with Traefik, but you can use `CNAME` to handle that.
For example, if you have `example.org` (account foo) and `example.com` (account bar) you can create a CNAME on `example.org` called `_acme-challenge.example.org` pointing to `challenge.example.com`.
This way, you can obtain certificates for `example.com` with the `foo` account.
This way, you can obtain certificates for `example.org` with the `bar` account.
!!! important
A `provider` is mandatory.

2
docs/content/middlewares/http/inflightreq.md
View file

@ -278,7 +278,7 @@ spec:
requestHost: true
```
```yaml tab="Cosul Catalog"
```yaml tab="Consul Catalog"
- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost=true"
```

2
docs/content/middlewares/http/overview.md
View file

@ -24,7 +24,7 @@ whoami:
- "traefik.http.routers.router1.middlewares=foo-add-prefix@docker"
```
```yaml tab="Kubernetes IngressRoute"
```yaml tab="IngressRoute"
# As a Kubernetes Traefik IngressRoute
---
apiVersion: traefik.io/v1alpha1

2
docs/content/middlewares/overview.md
View file

@ -35,7 +35,7 @@ whoami:
- "traefik.http.routers.router1.middlewares=foo-add-prefix@docker"
```
```yaml tab="Kubernetes IngressRoute"
```yaml tab="IngressRoute"
---
apiVersion: traefik.io/v1alpha1
kind: Middleware

2
docs/content/middlewares/tcp/overview.md
View file

@ -24,7 +24,7 @@ whoami:
- "traefik.tcp.routers.router1.middlewares=foo-ip-allowlist@docker"
```
```yaml tab="Kubernetes IngressRoute"
```yaml tab="IngressRoute"
# As a Kubernetes Traefik IngressRoute
---
apiVersion: traefik.io/v1alpha1

12
docs/content/migration/v1-to-v2.md
View file

@ -44,7 +44,7 @@ Then any router can refer to an instance of the wanted middleware.
- "traefik.frontend.auth.basic.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
```
```yaml tab="K8s Ingress"
```yaml tab="Ingress"
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
@ -107,7 +107,7 @@ Then any router can refer to an instance of the wanted middleware.
- "traefik.http.middlewares.auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
```
```yaml tab="K8s IngressRoute"
```yaml tab="IngressRoute"
# The definitions below require the definitions for the Middleware and IngressRoute kinds.
# https://doc.traefik.io/traefik/reference/dynamic-configuration/kubernetes-crd/#definitions
apiVersion: traefik.io/v1alpha1
@ -278,7 +278,7 @@ Then, a [router's TLS field](../routing/routers/index.md#tls) can refer to one o
]
```
```yaml tab="K8s IngressRoute"
```yaml tab="IngressRoute"
# The definitions below require the definitions for the TLSOption and IngressRoute kinds.
# https://doc.traefik.io/traefik/reference/dynamic-configuration/kubernetes-crd/#definitions
apiVersion: traefik.io/v1alpha1
@ -442,7 +442,7 @@ To apply a redirection:
traefik.http.middlewares.https_redirect.redirectscheme.permanent: true
```
```yaml tab="K8s IngressRoute"
```yaml tab="IngressRoute"
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
@ -561,7 +561,7 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
- "traefik.frontend.rule=Host:example.org;PathPrefixStrip:/admin"
```
```yaml tab="Kubernetes Ingress"
```yaml tab="Ingress"
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
@ -595,7 +595,7 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
- "traefik.http.middlewares.admin-stripprefix.stripprefix.prefixes=/admin"
```
```yaml tab="Kubernetes IngressRoute"
```yaml tab="IngressRoute"
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute

2
docs/content/migration/v2.md
View file

@ -432,7 +432,7 @@ For more advanced use cases, you can use either the [RedirectScheme middleware](
Following up on the deprecation started [previously](#x509-commonname-deprecation),
as the `x509ignoreCN=0` value for the `GODEBUG` is [deprecated in Go 1.17](https://tip.golang.org/doc/go1.17#crypto/x509),
the legacy behavior related to the CommonName field can not be enabled at all anymore.
the legacy behavior related to the CommonName field cannot be enabled at all anymore.
## v2.5.3 to v2.5.4

4
docs/content/observability/metrics/datadog.md
View file

@ -27,7 +27,9 @@ _Required, Default="127.0.0.1:8125"_
Address instructs exporter to send metrics to datadog-agent at this address.
This address can be a Unix Domain Socket (UDS) address with the following form: `unix:///path/to/datadog.socket`.
This address can be a Unix Domain Socket (UDS) in the following format: `unix:///path/to/datadog.socket`.
When the prefix is set to `unix`, the socket type will be automatically determined.
To explicitly define the socket type and avoid automatic detection, you can use the prefixes `unixgram` for `SOCK_DGRAM` (datagram sockets) and `unixstream` for `SOCK_STREAM` (stream sockets), respectively.
```yaml tab="File (YAML)"
metrics:

20
docs/content/observability/tracing/overview.md
View file

@ -85,7 +85,7 @@ tracing:
```toml tab="File (TOML)"
[tracing]
sampleRate = 0.2
sampleRate = 0.2
```
```bash tab="CLI"
@ -107,9 +107,9 @@ tracing:
```toml tab="File (TOML)"
[tracing]
[tracing.globalAttributes]
attr1 = "foo"
attr2 = "bar"
[tracing.globalAttributes]
attr1 = "foo"
attr2 = "bar"
```
```bash tab="CLI"
@ -132,7 +132,7 @@ tracing:
```toml tab="File (TOML)"
[tracing]
capturedRequestHeaders = ["X-CustomHeader"]
capturedRequestHeaders = ["X-CustomHeader"]
```
```bash tab="CLI"
@ -154,7 +154,7 @@ tracing:
```toml tab="File (TOML)"
[tracing]
capturedResponseHeaders = ["X-CustomHeader"]
capturedResponseHeaders = ["X-CustomHeader"]
```
```bash tab="CLI"
@ -170,14 +170,14 @@ Defines the list of query parameters to not redact.
```yaml tab="File (YAML)"
tracing:
safeQueryParams:
- bar
- buz
safeQueryParams:
- bar
- buz
```
```toml tab="File (TOML)"
[tracing]
safeQueryParams = ["bar", "buz"]
safeQueryParams = ["bar", "buz"]
```
```bash tab="CLI"

2
docs/content/operations/cli.md
View file

@ -33,7 +33,7 @@ traefik [--flag[=true|false| ]] [-f [true|false| ]]
All flags are documented in the [(static configuration) CLI reference](../reference/static-configuration/cli.md).
!!! info "Flags are case insensitive."
!!! info "Flags are case-insensitive."
### `healthcheck`

4
docs/content/providers/overview.md
View file

@ -81,7 +81,7 @@ For the list of the providers names, see the [supported providers](#supported-pr
- "traefik.http.routers.my-container.middlewares=add-foo-prefix@file"
```
```yaml tab="Kubernetes Ingress Route"
```yaml tab="IngressRoute"
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
@ -103,7 +103,7 @@ For the list of the providers names, see the [supported providers](#supported-pr
# when the cross-provider syntax is used.
```
```yaml tab="Kubernetes Ingress"
```yaml tab="Ingress"
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:

2
docs/content/reference/dynamic-configuration/consul-catalog.md
View file

@ -8,7 +8,7 @@ description: "View the reference for performing dynamic configurations with Trae
Dynamic configuration with Consul Catalog
{: .subtitle }
The labels are case insensitive.
The labels are case-insensitive.
```yaml
--8<-- "content/reference/dynamic-configuration/consul-catalog.yml"

2
docs/content/reference/dynamic-configuration/ecs.md
View file

@ -8,7 +8,7 @@ description: "Learn how to do dynamic configuration in Traefik Proxy with AWS EC
Dynamic configuration with ECS provider
{: .subtitle }
The labels are case insensitive.
The labels are case-insensitive.
```yaml
--8<-- "content/reference/dynamic-configuration/ecs.yml"

2
docs/content/reference/dynamic-configuration/nomad.md
View file

@ -8,7 +8,7 @@ description: "View the reference for performing dynamic configurations with Trae
Dynamic configuration with Nomad Service Discovery
{: .subtitle }
The labels are case insensitive.
The labels are case-insensitive.
```yaml
--8<-- "content/reference/dynamic-configuration/nomad.yml"

0
docs/content/reference/dynamic-configuration/rancher.md Normal file
View file

6
docs/content/reference/static-configuration/cli-ref.md
View file

@ -126,9 +126,15 @@ Entry points definition. (Default: ```false```)
`--entrypoints.<name>.address`:
Entry point address.
`--entrypoints.<name>.allowacmebypass`:
Enables handling of ACME TLS and HTTP challenges with custom routers. (Default: ```false```)
`--entrypoints.<name>.asdefault`:
Adds this EntryPoint to the list of default EntryPoints to be used on routers that don't have any Entrypoint defined. (Default: ```false```)
`--entrypoints.<name>.forwardedheaders.connection`:
List of Connection headers that are allowed to pass through the middleware chain before being removed.
`--entrypoints.<name>.forwardedheaders.insecure`:
Trust all forwarded headers. (Default: ```false```)

6
docs/content/reference/static-configuration/env-ref.md
View file

@ -126,9 +126,15 @@ Entry points definition. (Default: ```false```)
`TRAEFIK_ENTRYPOINTS_<NAME>_ADDRESS`:
Entry point address.
`TRAEFIK_ENTRYPOINTS_<NAME>_ALLOWACMEBYPASS`:
Enables handling of ACME TLS and HTTP challenges with custom routers. (Default: ```false```)
`TRAEFIK_ENTRYPOINTS_<NAME>_ASDEFAULT`:
Adds this EntryPoint to the list of default EntryPoints to be used on routers that don't have any Entrypoint defined. (Default: ```false```)
`TRAEFIK_ENTRYPOINTS_<NAME>_FORWARDEDHEADERS_CONNECTION`:
List of Connection headers that are allowed to pass through the middleware chain before being removed.
`TRAEFIK_ENTRYPOINTS_<NAME>_FORWARDEDHEADERS_INSECURE`:
Trust all forwarded headers. (Default: ```false```)

2
docs/content/reference/static-configuration/file.toml
View file

@ -30,6 +30,7 @@
[entryPoints]
[entryPoints.EntryPoint0]
address = "foobar"
allowACMEByPass = true
reusePort = true
asDefault = true
[entryPoints.EntryPoint0.transport]
@ -48,6 +49,7 @@
[entryPoints.EntryPoint0.forwardedHeaders]
insecure = true
trustedIPs = ["foobar", "foobar"]
connection = ["foobar", "foobar"]
[entryPoints.EntryPoint0.http]
middlewares = ["foobar", "foobar"]
encodeQuerySemicolons = true

4
docs/content/reference/static-configuration/file.yaml
View file

@ -35,6 +35,7 @@ tcpServersTransport:
entryPoints:
EntryPoint0:
address: foobar
allowACMEByPass: true
reusePort: true
asDefault: true
transport:
@ -57,6 +58,9 @@ entryPoints:
trustedIPs:
- foobar
- foobar
connection:
- foobar
- foobar
http:
redirections:
entryPoint:

63
docs/content/routing/entrypoints.md
View file

@ -233,6 +233,35 @@ If both TCP and UDP are wanted for the same port, two entryPoints definitions ar
Full details for how to specify `address` can be found in [net.Listen](https://golang.org/pkg/net/#Listen) (and [net.Dial](https://golang.org/pkg/net/#Dial)) of the doc for go.
### AllowACMEByPass
_Optional, Default=false_
`allowACMEByPass` determines whether a user defined router can handle ACME TLS or HTTP challenges instead of the Traefik dedicated one.
This option can be used when a Traefik instance has one or more certificate resolvers configured,
but is also used to route challenges connections/requests to services that could also initiate their own ACME challenges.
??? info "No Certificate Resolvers configured"
It is not necessary to use the `allowACMEByPass' option certificate option if no certificate resolver is defined.
In fact, Traefik will automatically allow ACME TLS or HTTP requests to be handled by custom routers in this case, since there can be no concurrency with its own challenge handlers.
```yaml tab="File (YAML)"
entryPoints:
foo:
allowACMEByPass: true
```
```toml tab="File (TOML)"
[entryPoints.foo]
[entryPoints.foo.allowACMEByPass]
allowACMEByPass = true
```
```bash tab="CLI"
--entryPoints.name.allowACMEByPass=true
```
### ReusePort
_Optional, Default=false_
@ -500,6 +529,40 @@ You can configure Traefik to trust the forwarded headers information (`X-Forward
--entryPoints.web.forwardedHeaders.insecure
```
??? info "`forwardedHeaders.connection`"
As per RFC7230, Traefik respects the Connection options from the client request.
By doing so, it removes any header field(s) listed in the request Connection header and the Connection header field itself when empty.
The removal happens as soon as the request is handled by Traefik,
thus the removed headers are not available when the request passes through the middleware chain.
The `connection` option lists the Connection headers allowed to passthrough the middleware chain before their removal.
```yaml tab="File (YAML)"
## Static configuration
entryPoints:
web:
address: ":80"
forwardedHeaders:
connection:
- foobar
```
```toml tab="File (TOML)"
## Static configuration
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.web.forwardedHeaders]
connection = ["foobar"]
```
```bash tab="CLI"
## Static configuration
--entryPoints.web.address=:80
--entryPoints.web.forwardedHeaders.connection=foobar
```
### Transport
#### `respondingTimeouts`

2
docs/content/routing/providers/consul-catalog.md
View file

@ -24,7 +24,7 @@ With Consul Catalog, Traefik can leverage tags attached to a service to generate
!!! info "tags"
- tags are case insensitive.
- tags are case-insensitive.
- The complete list of tags can be found [the reference page](../../reference/dynamic-configuration/consul-catalog.md)
### General

2
docs/content/routing/providers/docker.md
View file

@ -95,7 +95,7 @@ With Docker, Traefik can leverage labels attached to a container to generate rou
!!! info "Labels"
- Labels are case insensitive.
- Labels are case-insensitive.
- The complete list of labels can be found in [the reference page](../../reference/dynamic-configuration/docker.md).
### General

2
docs/content/routing/providers/ecs.md
View file

@ -22,7 +22,7 @@ With ECS, Traefik can leverage labels attached to a container to generate routin
!!! info "labels"
- labels are case insensitive.
- labels are case-insensitive.
- The complete list of labels can be found in [the reference page](../../reference/dynamic-configuration/ecs.md).
### General

2
docs/content/routing/providers/kv.md
View file

@ -12,7 +12,7 @@ A Story of key & values
!!! info "Keys"
- Keys are case insensitive.
- Keys are case-insensitive.
- The complete list of keys can be found in [the reference page](../../reference/dynamic-configuration/kv.md).
### Routers

0
docs/content/routing/providers/marathon.md Normal file
View file

2
docs/content/routing/providers/nomad.md
View file

@ -24,7 +24,7 @@ With Nomad, Traefik can leverage tags attached to a service to generate routing
!!! info "tags"
- tags are case insensitive.
- tags are case-insensitive.
- The complete list of tags can be found [the reference page](../../reference/dynamic-configuration/nomad.md)
### General

2
docs/content/routing/providers/swarm.md
View file

@ -118,7 +118,7 @@ With Docker Swarm, Traefik can leverage labels attached to a service to generate
!!! info "Labels"
- Labels are case insensitive.
- Labels are case-insensitive.
- The complete list of labels can be found in [the reference page](../../reference/dynamic-configuration/docker.md).
### General

2
docs/content/routing/routers/index.md
View file

@ -1197,7 +1197,7 @@ A value of `0` for the priority is ignored: `priority = 0` means that the defaul
| Router-2 | ```ClientIP(`192.168.0.0/24`)``` | 26 |
Which means that requests from `192.168.0.12` would go to Router-2 even though Router-1 is intended to specifically handle them.
To achieve this intention, a priority (higher than 26) should be set on Router-1.
To achieve this intention, a priority (greater than 26) should be set on Router-1.
??? example "Setting priorities -- using the [File Provider](../../providers/file.md)"

2
docs/content/user-guides/docker-compose/acme-dns/index.md
View file

@ -1,6 +1,6 @@
---
title: "Traefik Docker DNS Challenge Documentation"
description: "Learn how to create a certificate with the Let's Encrypt DNS challenge to use HTTPS on a Service exposed with Traefik Proxy. Read the tehnical documentation."
description: "Learn how to create a certificate with the Let's Encrypt DNS challenge to use HTTPS on a Service exposed with Traefik Proxy. Read the technical documentation."
---
# Docker-compose with Let's Encrypt: DNS Challenge