homelab/traefik
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Change the default value of insecureSNI

Browse source 
* fix: allow domain fronting by default

* review: typo.

* review: doc.

Co-authored-by: Fernandez Ludovic <ludovic@containo.us>
This commit is contained in:
Jean-Baptiste Doumenjou 2020-07-10 18:48:03 +02:00 committed by GitHub
parent d7f517fbf5
commit c315b4e064
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 21 additions and 95 deletions
Download patch file Download diff file Expand all files Collapse all files

2
docs/content/https/tls.md
View file

@ -137,7 +137,7 @@ connection with a specific domain name, thanks to the
[Server Name Indication](https://en.wikipedia.org/wiki/Server_Name_Indication), then access a service with another [Server Name Indication](https://en.wikipedia.org/wiki/Server_Name_Indication), then access a service with another
domain set in the HTTP `Host` header. domain set in the HTTP `Host` header.
Since the `v2.2.2`, Traefik avoids (by default) using domain fronting. Since the `v2.2.4`, Traefik has the option to avoid domain fronting thanks to the `insecureSNI` global flag.
As it is valid for advanced use cases, the `HostHeader` and `HostSNI` [rules](../routing/routers/index.md#rule) allow As it is valid for advanced use cases, the `HostHeader` and `HostSNI` [rules](../routing/routers/index.md#rule) allow
to fine tune the routing with the `Server Name Indication` and `Host header` value. to fine tune the routing with the `Server Name Indication` and `Host header` value.

103
docs/content/migration/v2.md
View file

@ -4,114 +4,35 @@
### Domain fronting ### Domain fronting
In `v2.2.2` we introduced the ability to avoid [Domain fronting](https://en.wikipedia.org/wiki/Domain_fronting), In `v2.2.2` we introduced the ability to avoid [Domain fronting](https://en.wikipedia.org/wiki/Domain_fronting) for [https routers](../routing/routers/index.md#rule) configured with ```Host(`something`)``` but we disabled it for compatibility reasons by default.
and enabled it by default for [https routers](../routing/routers/index.md#rule) configured with ```Host(`something`)```.
!!! example "Allow Domain Fronting on a Specific Router" Nothing special is required to keep the previous behavior.
!!! info "Before v2.2.2"
```yaml tab="Docker"
labels:
- "traefik.http.routers.router0.rule=Host(`test.localhost`)"
```
```yaml tab="K8s Ingress"
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: ingressroutebar
spec:
entryPoints:
- http
routes:
- match: Host(`test.localhost`)
kind: Rule
services:
- name: server0
port: 80
- name: server1
port: 80
```
```toml tab="File (TOML)"
[http.routers.router0]
rule = "Host(`test.localhost`)"
service = "my-service"
```
```toml tab="File (YAML)"
http:
routers:
router0:
rule: "Host(`test.localhost`)"
service: my-service
```
!!! info "v2.2.2" However, a new flag is available as a global option to disable domain fronting.
```yaml tab="Docker"
labels:
- "traefik.http.routers.router0.rule=HostHeader(`test.localhost`)"
```
```yaml tab="K8s Ingress"
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: ingressroutebar
spec:
entryPoints:
- http
routes:
- match: HostHeader(`test.localhost`)
kind: Rule
services:
- name: server0
port: 80
- name: server1
port: 80
```
```toml tab="File (TOML)"
[http.routers.router0]
rule = "HostHeader(`test.localhost`)"
service = "my-service"
```
```toml tab="File (YAML)"
http:
routers:
router0:
rule: "HostHeader(`test.localhost`)"
service: my-service
```
As a fallback, a new flag is available as a global option: !!! example "Disabling Domain Fronting for All Routers"
!!! example "Enabling Domain Fronting for All Routers"
```toml tab="File (TOML)" ```toml tab="File (TOML)"
# Static configuration # Static configuration
[global] [global]
# Enabling domain fronting # Disabling domain fronting
insecureSNI = true insecureSNI = false
``` ```
```yaml tab="File (YAML)" ```yaml tab="File (YAML)"
# Static configuration # Static configuration
global: global:
# Enabling domain fronting # Disabling domain fronting
insecureSNI: true insecureSNI: false
``` ```
```bash tab="CLI" ```bash tab="CLI"
# Enabling domain fronting # Disabling domain fronting
--global.insecureSNI --global.insecureSNI=false
``` ```
To fine tune the HTTPS routing with Domain Fronting disabled, two new HTTP rules `HostSNI` and `HostHeader` are available.
## v2.0 to v2.1 ## v2.0 to v2.1
### Kubernetes CRD ### Kubernetes CRD

2
docs/content/reference/static-configuration/cli-ref.md
View file

@ -163,7 +163,7 @@ WriteTimeout is the maximum duration before timing out writes of the response. I
Periodically check if a new version has been released. (Default: ```false```) Periodically check if a new version has been released. (Default: ```false```)
`--global.insecuresni`: `--global.insecuresni`:
Allow domain fronting. If the option is not specified, it will be disabled by default. (Default: ```false```) Allow domain fronting. If the option is not specified, it will be enabled by default. (Default: ```true```)
`--global.sendanonymoususage`: `--global.sendanonymoususage`:
Periodically send anonymous usage statistics. If the option is not specified, it will be enabled by default. (Default: ```false```) Periodically send anonymous usage statistics. If the option is not specified, it will be enabled by default. (Default: ```false```)

2
docs/content/reference/static-configuration/env-ref.md
View file

@ -163,7 +163,7 @@ WriteTimeout is the maximum duration before timing out writes of the response. I
Periodically check if a new version has been released. (Default: ```false```) Periodically check if a new version has been released. (Default: ```false```)
`TRAEFIK_GLOBAL_INSECURESNI`: `TRAEFIK_GLOBAL_INSECURESNI`:
Allow domain fronting. If the option is not specified, it will be disabled by default. (Default: ```false```) Allow domain fronting. If the option is not specified, it will be enabled by default. (Default: ```true```)
`TRAEFIK_GLOBAL_SENDANONYMOUSUSAGE`: `TRAEFIK_GLOBAL_SENDANONYMOUSUSAGE`:
Periodically send anonymous usage statistics. If the option is not specified, it will be enabled by default. (Default: ```false```) Periodically send anonymous usage statistics. If the option is not specified, it will be enabled by default. (Default: ```false```)

7
pkg/config/static/static_config.go
View file

@ -79,7 +79,12 @@ type CertificateResolver struct {
type Global struct { type Global struct {
CheckNewVersion bool `description:"Periodically check if a new version has been released." json:"checkNewVersion,omitempty" toml:"checkNewVersion,omitempty" yaml:"checkNewVersion,omitempty" label:"allowEmpty" export:"true"` CheckNewVersion bool `description:"Periodically check if a new version has been released." json:"checkNewVersion,omitempty" toml:"checkNewVersion,omitempty" yaml:"checkNewVersion,omitempty" label:"allowEmpty" export:"true"`
SendAnonymousUsage bool `description:"Periodically send anonymous usage statistics. If the option is not specified, it will be enabled by default." json:"sendAnonymousUsage,omitempty" toml:"sendAnonymousUsage,omitempty" yaml:"sendAnonymousUsage,omitempty" label:"allowEmpty" export:"true"` SendAnonymousUsage bool `description:"Periodically send anonymous usage statistics. If the option is not specified, it will be enabled by default." json:"sendAnonymousUsage,omitempty" toml:"sendAnonymousUsage,omitempty" yaml:"sendAnonymousUsage,omitempty" label:"allowEmpty" export:"true"`
InsecureSNI bool `description:"Allow domain fronting. If the option is not specified, it will be disabled by default." json:"insecureSNI,omitempty" toml:"insecureSNI,omitempty" yaml:"insecureSNI,omitempty" label:"allowEmpty" export:"true"` InsecureSNI bool `description:"Allow domain fronting. If the option is not specified, it will be enabled by default." json:"insecureSNI,omitempty" toml:"insecureSNI,omitempty" yaml:"insecureSNI,omitempty" label:"allowEmpty" export:"true"`
}
// SetDefaults sets the default values.
func (a *Global) SetDefaults() {
a.InsecureSNI = true
} }
// ServersTransport options to configure communication between Traefik and the servers. // ServersTransport options to configure communication between Traefik and the servers.