Merge branch v2.1 into v2.2

2020-03-24 14:02:58 +01:00 · 2020-03-24 14:02:58 +01:00 · b54412e82e
commit b54412e82e
parent ee06778cc2 dd19fc3f3e
22 changed files with 169 additions and 29 deletions
--- a/pkg/server/service/roundtripper.go
+++ b/pkg/server/service/roundtripper.go
@ -23,12 +23,12 @@ func (t *h2cTransportWrapper) RoundTrip(req *http.Request) (*http.Response, erro
 	return t.Transport.RoundTrip(req)
 }

-// createHTTPTransport creates an http.Transport configured with the Transport configuration settings.
+// createRoundtripper creates an http.Roundtripper configured with the Transport configuration settings.
 // For the settings that can't be configured in Traefik it uses the default http.Transport settings.
 // An exception to this is the MaxIdleConns setting as we only provide the option MaxIdleConnsPerHost
 // in Traefik at this point in time. Setting this value to the default of 100 could lead to confusing
 // behavior and backwards compatibility issues.
-func createHTTPTransport(transportConfiguration *static.ServersTransport) (*http.Transport, error) {
+func createRoundtripper(transportConfiguration *static.ServersTransport) (http.RoundTripper, error) {
 	if transportConfiguration == nil {
 		return nil, errors.New("no transport configuration given")
 	}
@ -66,25 +66,26 @@ func createHTTPTransport(transportConfiguration *static.ServersTransport) (*http
 		transport.IdleConnTimeout = time.Duration(transportConfiguration.ForwardingTimeouts.IdleConnTimeout)
 	}

-	if transportConfiguration.InsecureSkipVerify {
-		transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
-	}
-
-	if len(transportConfiguration.RootCAs) > 0 {
+	if transportConfiguration.InsecureSkipVerify || len(transportConfiguration.RootCAs) > 0 {
 		transport.TLSClientConfig = &tls.Config{
-			RootCAs: createRootCACertPool(transportConfiguration.RootCAs),
+			InsecureSkipVerify: transportConfiguration.InsecureSkipVerify,
+			RootCAs:            createRootCACertPool(transportConfiguration.RootCAs),
 		}
 	}

-	err := http2.ConfigureTransport(transport)
+	smartTransport, err := newSmartRoundTripper(transport)
 	if err != nil {
 		return nil, err
 	}

-	return transport, nil
+	return smartTransport, nil
 }

 func createRootCACertPool(rootCAs []traefiktls.FileOrContent) *x509.CertPool {
+	if len(rootCAs) == 0 {
+		return nil
+	}
+
 	roots := x509.NewCertPool()

 	for _, cert := range rootCAs {
@ -100,7 +101,7 @@ func createRootCACertPool(rootCAs []traefiktls.FileOrContent) *x509.CertPool {
 }

 func setupDefaultRoundTripper(conf *static.ServersTransport) http.RoundTripper {
-	transport, err := createHTTPTransport(conf)
+	transport, err := createRoundtripper(conf)
 	if err != nil {
 		log.WithoutContext().Errorf("Could not configure HTTP Transport, fallbacking on default transport: %v", err)
 		return http.DefaultTransport
--- a/pkg/server/service/service.go
+++ b/pkg/server/service/service.go
@ -295,8 +295,15 @@ func (m *Manager) getLoadBalancer(ctx context.Context, serviceName string, servi
 	var cookieName string
 	if service.Sticky != nil && service.Sticky.Cookie != nil {
 		cookieName = cookie.GetName(service.Sticky.Cookie.Name, serviceName)
-		opts := roundrobin.CookieOptions{HTTPOnly: service.Sticky.Cookie.HTTPOnly, Secure: service.Sticky.Cookie.Secure}
+
+		opts := roundrobin.CookieOptions{
+			HTTPOnly: service.Sticky.Cookie.HTTPOnly,
+			Secure:   service.Sticky.Cookie.Secure,
+			SameSite: convertSameSite(service.Sticky.Cookie.SameSite),
+		}
+
 		options = append(options, roundrobin.EnableStickySession(roundrobin.NewStickySessionWithOptions(cookieName, opts)))
+
 		logger.Debugf("Sticky session cookie name: %v", cookieName)
 	}

@ -332,3 +339,16 @@ func (m *Manager) upsertServers(ctx context.Context, lb healthcheck.BalancerHand
 	}
 	return nil
 }
+
+func convertSameSite(sameSite string) http.SameSite {
+	switch sameSite {
+	case "none":
+		return http.SameSiteNoneMode
+	case "lax":
+		return http.SameSiteLaxMode
+	case "strict":
+		return http.SameSiteStrictMode
+	default:
+		return 0
+	}
+}
--- a/pkg/server/service/smart_roundtripper.go
+++ b/pkg/server/service/smart_roundtripper.go
@ -0,0 +1,38 @@
+package service
+
+import (
+	"net/http"
+
+	"golang.org/x/net/http/httpguts"
+	"golang.org/x/net/http2"
+)
+
+func newSmartRoundTripper(transport *http.Transport) (http.RoundTripper, error) {
+	transportHTTP1 := transport.Clone()
+
+	err := http2.ConfigureTransport(transport)
+	if err != nil {
+		return nil, err
+	}
+
+	return &smartRoundTripper{
+		http2: transport,
+		http:  transportHTTP1,
+	}, nil
+}
+
+type smartRoundTripper struct {
+	http2 *http.Transport
+	http  *http.Transport
+}
+
+// smartRoundTripper implements RoundTrip while making sure that HTTP/2 is not used
+// with protocols that start with a Connection Upgrade, such as SPDY or Websocket.
+func (m *smartRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	// If we have a connection upgrade, we don't use HTTP/2
+	if httpguts.HeaderValuesContainsToken(req.Header["Connection"], "Upgrade") {
+		return m.http.RoundTrip(req)
+	}
+
+	return m.http2.RoundTrip(req)
+}