From f9ff6049d3b79b50e77ecbfb6700266e1cd656ca Mon Sep 17 00:00:00 2001
From: Romain
Date: Tue, 7 Jan 2025 16:12:04 +0100
Subject: [PATCH 1/3] Disable http2 connect setting for websocket by default
Co-authored-by: Kevin Pollet
Co-authored-by: Julien Salleyron
Co-authored-by: Michael
---
 cmd/traefik/traefik.go | 1 +
 init/init.go | 21 +++++++++++++++++++++
 2 files changed, 22 insertions(+)
 create mode 100644 init/init.go
diff --git a/cmd/traefik/traefik.go b/cmd/traefik/traefik.go
index d54b806f3..d25951b93 100644
--- a/cmd/traefik/traefik.go
+++ b/cmd/traefik/traefik.go
@@ -23,6 +23,7 @@ import (
 "github.com/traefik/traefik/v2/cmd"
 "github.com/traefik/traefik/v2/cmd/healthcheck"
 cmdVersion "github.com/traefik/traefik/v2/cmd/version"
+ _ "github.com/traefik/traefik/v2/init"
 tcli "github.com/traefik/traefik/v2/pkg/cli"
 "github.com/traefik/traefik/v2/pkg/collector"
 "github.com/traefik/traefik/v2/pkg/config/dynamic"
diff --git a/init/init.go b/init/init.go
new file mode 100644
index 000000000..e54655d0f
--- /dev/null
+++ b/init/init.go
@@ -0,0 +1,21 @@
+package init
+
+import (
+ "os"
+ "strings"
+)
+
+// This makes use of the GODEBUG flag `http2xconnect` to deactivate the connect setting for HTTP2 by default.
+// This type of upgrade is yet incompatible with `net/http` http1 reverse proxy.
+// Please see https://github.com/golang/go/issues/71128#issuecomment-2574193636.
+func init() {
+ goDebug := os.Getenv("GODEBUG")
+ if strings.Contains(goDebug, "http2xconnect") {
+ return
+ }
+
+ if len(goDebug) > 0 {
+ goDebug += ","
+ }
+ os.Setenv("GODEBUG", goDebug+"http2xconnect=0")
+}
From 1aa450c028894ef5911175bbe7698836a460f182 Mon Sep 17 00:00:00 2001
From: Kevin Pollet
Date: Tue, 7 Jan 2025 16:24:04 +0100
Subject: [PATCH 2/3] Prepare release v2.11.18
---
 CHANGELOG.md | 6 ++++++
 script/gcg/traefik-bugfix.toml | 6 +++---
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2fd996266..c5186b71b 100644
--- a/CHANGELOG.md
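Review bot: In `init/init.go`, `init()` drops the error returned by `os.Setenv`, so if the write fails the process may start with the HTTP/2 extended-CONNECT setting still enabled and nothing records it; check it, e.g. `if err := os.Setenv("GODEBUG", goDebug+"http2xconnect=0"); err != nil { ... }`, and report it the way other early start-up errors are reported in this binary. The guard `strings.Contains(goDebug, "http2xconnect")` is a substring test over the whole variable, so it also returns early when that text appears inside another entry; comparing each comma-separated entry against the `http2xconnect=` prefix would keep the operator override while avoiding accidental matches. The doc comment should also state that this package has to be initialised before the HTTP/2 code reads GODEBUG (presumably the reason for the blank import added to `cmd/traefik/traefik.go`), since the default only takes effect under that ordering.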
+++ b/CHANGELOG.md
@@ -1,3 +1,9 @@
+## [v2.11.18](https://github.com/traefik/traefik/tree/v2.11.18) (2025-01-07)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.17...v2.11.18)
+
+**Bug fixes:**
+- **[websocket,server]** Disable http2 connect setting for websocket by default ([#11412](https://github.com/traefik/traefik/pull/11412) by [rtribotte](https://github.com/rtribotte))
+
 ## [v2.11.17](https://github.com/traefik/traefik/tree/v2.11.17) (2025-01-06)
 [All Commits](https://github.com/traefik/traefik/compare/v2.11.16...v2.11.17)
diff --git a/script/gcg/traefik-bugfix.toml b/script/gcg/traefik-bugfix.toml
index 8d1a0826e..ae7523c10 100644
--- a/script/gcg/traefik-bugfix.toml
+++ b/script/gcg/traefik-bugfix.toml
@@ -4,11 +4,11 @@ RepositoryName = "traefik"
 OutputType = "file"
 FileName = "traefik_changelog.md"
-# example new bugfix v2.11.17
+# example new bugfix v2.11.18
 CurrentRef = "v2.11"
-PreviousRef = "v2.11.16"
+PreviousRef = "v2.11.17"
 BaseBranch = "v2.11"
-FutureCurrentRefName = "v2.11.17"
+FutureCurrentRefName = "v2.11.18"
 ThresholdPreviousRef = 10
 ThresholdCurrentRef = 10
From d2414feaff6d00b6d180c643ac950a0eea25812e Mon Sep 17 00:00:00 2001
From: Kevin Pollet
Date: Wed, 8 Jan 2025 11:02:37 +0100
Subject: [PATCH 3/3] Add test to check that SettingEnableConnectProtocol frame is not sent
---
 docs/content/deprecation/releases.md | 3 ++-
 integration/websocket_test.go | 39 ++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+), 1 deletion(-)
diff --git a/docs/content/deprecation/releases.md b/docs/content/deprecation/releases.md
index 001b161db..d3fb7914b 100644
--- a/docs/content/deprecation/releases.md
+++ b/docs/content/deprecation/releases.md
@@ -6,7 +6,8 @@ Below is a non-exhaustive list of versions and their maintenance status:
 | Version | Release Date | Community Support |
 |---------|--------------|--------------------|
-| 3.2 | Oct 28, 2024 | Yes |
+| 3.3 | Jan 06, 2025 | Yes |
+| 3.2 | Oct 28, 2024 | Ended Jan 06, 2025 |
 | 3.1 | Jul 15, 2024 | Ended Oct 28, 2024 |
 | 3.0 | Apr 29, 2024 | Ended Jul 15, 2024 |
 | 2.11 | Feb 12, 2024 | Ends Apr 29, 2025 |
diff --git a/integration/websocket_test.go b/integration/websocket_test.go
index 72a314d58..7eeede02b 100644
--- a/integration/websocket_test.go
+++ b/integration/websocket_test.go
@@ -16,6 +16,7 @@ import (
 "github.com/stretchr/testify/require"
 "github.com/stretchr/testify/suite"
 "github.com/traefik/traefik/v2/integration/try"
+ "golang.org/x/net/http2"
 "golang.org/x/net/websocket"
 )
@@ -451,6 +452,44 @@ func (s *WebsocketSuite) TestSSLhttp2() {
 assert.Equal(s.T(), "OK", string(msg))
 }
+func (s *WebsocketSuite) TestSettingEnableConnectProtocol() {
+ file := s.adaptFile("fixtures/websocket/config_https.toml", struct {
+ WebsocketServer string
+ }{
+ WebsocketServer: "http://127.0.0.1",
+ })
+
+ s.traefikCmd(withConfigFile(file), "--log.level=DEBUG", "--accesslog")
+
+ // Wait for traefik.
+ err := try.GetRequest("http://127.0.0.1:8080/api/rawdata", 10*time.Second, try.BodyContains("127.0.0.1"))
+ require.NoError(s.T(), err)
+
+ // Add client self-signed cert.
+ roots := x509.NewCertPool()
+ certContent, err := os.ReadFile("./resources/tls/local.cert")
+ require.NoError(s.T(), err)
+
+ roots.AppendCertsFromPEM(certContent)
+
+ // Open a connection to inspect SettingsFrame.
+ conn, err := tls.Dial("tcp", "127.0.0.1:8000", &tls.Config{
+ RootCAs: roots,
+ NextProtos: []string{"h2"},
+ })
+ require.NoError(s.T(), err)
+
+ framer := http2.NewFramer(nil, conn)
+ frame, err := framer.ReadFrame()
+ require.NoError(s.T(), err)
+
+ fr, ok := frame.(*http2.SettingsFrame)
+ require.True(s.T(), ok)
+
+ _, ok = fr.Value(http2.SettingEnableConnectProtocol)
+ assert.False(s.T(), ok)
+}
+
 func (s *WebsocketSuite) TestHeaderAreForwarded() {
 upgrader := gorillawebsocket.Upgrader{} // use default options
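Review bot: `TestSettingEnableConnectProtocol` never closes the TLS connection and reads the first frame with no deadline, so if the server does not send a SETTINGS frame (for example because h2 was not negotiated) `framer.ReadFrame()` blocks until the suite times out; add `defer conn.Close()` and `require.NoError(s.T(), conn.SetReadDeadline(time.Now().Add(5*time.Second)))` right after the dial succeeds. The result of `roots.AppendCertsFromPEM(certContent)` is also ignored, so an unparsable certificate file only surfaces later as a handshake error; `require.True(s.T(), roots.AppendCertsFromPEM(certContent))` fails at the real cause. The new test function lies entirely inside the hunk, while the trailing context `TestHeaderAreForwarded` continues outside it.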