Merge current v2.4 into master

2021-06-22 14:05:57 +02:00 · 2021-06-22 14:05:57 +02:00 · ce2e02b690
commit ce2e02b690
parent dca348359b 5dab09c42b
119 changed files with 4628 additions and 4165 deletions
--- a/docs/content/middlewares/http/ratelimit.md
+++ b/docs/content/middlewares/http/ratelimit.md
@ -50,15 +50,6 @@ labels:
  - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=50"
 ```

-```toml tab="File (TOML)"
-# Here, an average of 100 requests per second is allowed.
-# In addition, a burst of 50 requests is allowed.
-[http.middlewares]
-  [http.middlewares.test-ratelimit.rateLimit]
-    average = 100
-    burst = 50
-```
-
 ```yaml tab="File (YAML)"
 # Here, an average of 100 requests per second is allowed.
 # In addition, a burst of 50 requests is allowed.
@ -70,6 +61,15 @@ http:
        burst: 50
 ```

+```toml tab="File (TOML)"
+# Here, an average of 100 requests per second is allowed.
+# In addition, a burst of 50 requests is allowed.
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    average = 100
+    burst = 50
+```
+
 ## Configuration Options

 ### `average`
@ -114,13 +114,6 @@ labels:
  - "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
 ```

-```toml tab="File (TOML)"
-# 100 reqs/s
-[http.middlewares]
-  [http.middlewares.test-ratelimit.rateLimit]
-    average = 100
-```
-
 ```yaml tab="File (YAML)"
 # 100 reqs/s
 http:
@ -130,6 +123,13 @@ http:
        average: 100
 ```

+```toml tab="File (TOML)"
+# 100 reqs/s
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    average = 100
+```
+
 ### `period`

 `period`, in combination with `average`, defines the actual maximum rate, such as:
@ -179,14 +179,6 @@ labels:
  - "traefik.http.middlewares.test-ratelimit.ratelimit.period=1m"
 ```

-```toml tab="File (TOML)"
-# 6 reqs/minute
-[http.middlewares]
-  [http.middlewares.test-ratelimit.rateLimit]
-    average = 6
-    period = "1m"
-```
-
 ```yaml tab="File (YAML)"
 # 6 reqs/minute
 http:
@ -197,6 +189,14 @@ http:
        period: 1m
 ```

+```toml tab="File (TOML)"
+# 6 reqs/minute
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    average = 6
+    period = "1m"
+```
+
 ### `burst`

 `burst` is the maximum number of requests allowed to go through in the same arbitrarily small period of time.
@ -233,12 +233,6 @@ labels:
  - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"
 ```

-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-ratelimit.rateLimit]
-    burst = 100
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@ -247,6 +241,12 @@ http:
        burst: 100
 ```

+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    burst = 100
+```
+
 ### `sourceCriterion`

 The `sourceCriterion` option defines what criterion is used to group requests as originating from a common source.
@ -306,13 +306,6 @@ labels:
  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.depth=2"
 ```

-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-ratelimit.rateLimit]
-    [http.middlewares.test-ratelimit.rateLimit.sourceCriterion.ipStrategy]
-      depth = 2
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@ -323,21 +316,55 @@ http:
            depth: 2
 ```

+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    [http.middlewares.test-ratelimit.rateLimit.sourceCriterion.ipStrategy]
+      depth = 2
+```
+
 ##### `ipStrategy.excludedIPs`

-`excludedIPs` configures Traefik to scan the `X-Forwarded-For` header and select the first IP not in the list.
+!!! important "Contrary to what the name might suggest, this option is _not_ about excluding an IP from the rate limiter, and therefore cannot be used to deactivate rate limiting for some IPs."

 !!! important "If `depth` is specified, `excludedIPs` is ignored."

-!!! example "Example of ExcludedIPs & X-Forwarded-For"
+`excludedIPs` is meant to address two classes of somewhat distinct use-cases:

-    | `X-Forwarded-For`                       | `excludedIPs`         | clientIP     |
-    |-----------------------------------------|-----------------------|--------------|
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
-    | `"10.0.0.1,11.0.0.1"`                   | `"10.0.0.1,11.0.0.1"` | `""`         |
+1. Distinguish IPs which are behind the same (set of) reverse-proxies so that each of them contributes, independently to the others,
+   to its own rate-limit "bucket" (cf the [leaky bucket analogy](https://wikipedia.org/wiki/Leaky_bucket)).
+   In this case, `excludedIPs` should be set to match the list of `X-Forwarded-For IPs` that are to be excluded,
+   in order to find the actual clientIP.
+
+    !!! example "Each IP as a distinct source"
+
+        | X-Forwarded-For                | excludedIPs           | clientIP     |
+        |--------------------------------|-----------------------|--------------|
+        | `"10.0.0.1,11.0.0.1,12.0.0.1"` | `"11.0.0.1,12.0.0.1"` | `"10.0.0.1"` |
+        | `"10.0.0.2,11.0.0.1,12.0.0.1"` | `"11.0.0.1,12.0.0.1"` | `"10.0.0.2"` |
+
+2. Group together a set of IPs (also behind a common set of reverse-proxies) so that they are considered the same source,
+   and all contribute to the same rate-limit bucket.
+
+    !!! example "Group IPs together as same source"
+
+        |  X-Forwarded-For               |  excludedIPs | clientIP     |
+        |--------------------------------|--------------|--------------|
+        | `"10.0.0.1,11.0.0.1,12.0.0.1"` | `"12.0.0.1"` | `"11.0.0.1"` |
+        | `"10.0.0.2,11.0.0.1,12.0.0.1"` | `"12.0.0.1"` | `"11.0.0.1"` |
+        | `"10.0.0.3,11.0.0.1,12.0.0.1"` | `"12.0.0.1"` | `"11.0.0.1"` |
+
+For completeness, below are additional examples to illustrate how the matching works.
+For a given request the list of `X-Forwarded-For` IPs is checked from most recent to most distant against the `excludedIPs` pool,
+and the first IP that is _not_ in the pool (if any) is returned.
+
+!!! example "Matching for clientIP"
+
+    |  X-Forwarded-For               |  excludedIPs          | clientIP     |
+    |--------------------------------|-----------------------|--------------|
+    | `"10.0.0.1,11.0.0.1,13.0.0.1"` | `"11.0.0.1"`          | `"13.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
+    | `"10.0.0.1,11.0.0.1"`          | `"10.0.0.1,11.0.0.1"` | `""`         |

 ```yaml tab="Docker"
 labels:
@ -373,13 +400,6 @@ labels:
  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
 ```

-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-ratelimit.rateLimit]
-    [http.middlewares.test-ratelimit.rateLimit.sourceCriterion.ipStrategy]
-      excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@ -392,6 +412,13 @@ http:
              - "192.168.1.7"
 ```

+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    [http.middlewares.test-ratelimit.rateLimit.sourceCriterion.ipStrategy]
+      excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
+```
+
 #### `sourceCriterion.requestHeaderName`

 Name of the header used to group incoming requests.
@ -427,13 +454,6 @@ labels:
  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
 ```

-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-ratelimit.rateLimit]
-    [http.middlewares.test-ratelimit.rateLimit.sourceCriterion]
-      requestHeaderName = "username"
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@ -443,6 +463,13 @@ http:
          requestHeaderName: username
 ```

+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    [http.middlewares.test-ratelimit.rateLimit.sourceCriterion]
+      requestHeaderName = "username"
+```
+
 #### `sourceCriterion.requestHost`

 Whether to consider the request host as the source.
@ -478,13 +505,6 @@ labels:
  - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"
 ```

-```toml tab="File (TOML)"
-[http.middlewares]
-  [http.middlewares.test-ratelimit.rateLimit]
-    [http.middlewares.test-ratelimit.rateLimit.sourceCriterion]
-      requestHost = true
-```
-
 ```yaml tab="File (YAML)"
 http:
  middlewares:
@ -493,3 +513,10 @@ http:
        sourceCriterion:
          requestHost: true
 ```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    [http.middlewares.test-ratelimit.rateLimit.sourceCriterion]
+      requestHost = true
+```